Closed preaction closed 3 years ago
Did you already see the new Mojolicious::Plugin::ContextAuth? It is developed by RENEEB, who is part of our software project. We will switch to that plugin soon. The plugin is still under development. Support for more DB backends is on the way. Maybe that could be an option.
Now that we have a single standard Auth plugin API, we can have a single role-based authorization plugin that covers all authentication.
Create a Yancy::Plugin::Access::Role plugin. This plugin should take the following configuration:

- collection - The collection that stores the role to user mapping
- userid_field - The field that stores the user ID in the role collection
- role_field - The field that stores the role name

Role collections can have other fields, like description or ancillary data. Once data relationships work in the editor, we can have the user ID and role name fields be drop-down boxes linked to the users table and a main roles table (so that users do not mistype role names).

This plugin should add a single helper: yancy.access.require_role. The helper should take an array reference of role names. If the current user does not have one of the given roles, the authorization check should fail and the user should be shown the Unauthorized page.

Then, the editor should get a new configuration: editor.require_role (alongside editor.require_user). This should take an array reference of roles. If this is specified, the user's role should be checked with the yancy.access.require_role helper. If the current user does not have one of the given roles, the authorization check should fail and the user should be shown the Unauthorized page.

In the future we may add other ways to restrict access (Github Org membership, LDAP groups, etc...), so our API should be simple.
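
The role check described in this issue, as an added plain-Perl sketch that is not the Yancy project's code: it returns a boolean where the real helper would show the Unauthorized page, and it denies by default when there is no current user or the role list is empty. The build_require_role function, the rows callback, the user_roles collection name and the sample rows are assumptions made for illustration.

```perl
use strict;
use warnings;

# Constructed sample rows standing in for the role collection; extra fields are allowed.
my @user_roles = (
    { username => 'alice', role => 'admin', description => 'Site administrators' },
    { username => 'alice', role => 'editor' },
    { username => 'bob',   role => 'editor' },
);

# Hypothetical builder: takes the three configuration keys from the issue plus a
# "rows" callback (an assumption) that returns the rows of the named collection.
sub build_require_role {
    my %conf = @_;
    for my $key (qw( collection userid_field role_field rows )) {
        die "Missing required configuration: $key\n" unless defined $conf{$key};
    }
    my ($uid_f, $role_f) = @conf{qw( userid_field role_field )};
    return sub {
        my ($user_id, $required) = @_;
        # Deny by default: no current user, or an empty or malformed role list
        return 0 unless defined $user_id && length $user_id;
        return 0 unless ref($required) eq 'ARRAY' && @$required;
        my %wanted = map { $_ => 1 } grep { defined && length } @$required;
        for my $row ( $conf{rows}->( $conf{collection} ) ) {
            next unless defined $row->{$uid_f} && defined $row->{$role_f};
            next unless $row->{$uid_f} eq $user_id;
            return 1 if $wanted{ $row->{$role_f} };    # exact, case-sensitive match
        }
        return 0;
    };
}

my $require_role = build_require_role(
    collection => 'user_roles', userid_field => 'username',
    role_field => 'role',       rows         => sub { @user_roles },
);
for my $case (
    [ 'alice', ['admin'] ],              # user holds the role
    [ 'bob',   [ 'admin', 'editor' ] ],  # user holds one of several listed roles
    [ 'bob',   ['admin'] ],              # user holds none of the listed roles
    [ 'bob',   [] ],                     # empty role list
    [ undef,   ['editor'] ],             # no current user
    [ 'bob',   ['Editor'] ],             # role name differing only in case
) {
    my ($user, $roles) = @$case;
    printf "%-6s [%s] => %s\n", $user // '(none)', join( ',', @$roles ),
        $require_role->( $user, $roles ) ? 'allow' : 'Unauthorized';
}
```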