Open richardschneider opened 8 years ago
Shiro implemented by express-authorization is nice for AuthZ. I like the idea of instance-level Access Control Lists. In this scenario we use three parts - the first is the resource, the second is the action(s), and the third is the instance(s) being acted upon.
So for example you could have

```
printer:query:lp7200
printer:print:epsoncolor
```
CRUD would use the resource type name as the first part, one of `create`, `view`, `change`, `delete` or `find` for the 2nd part and finally the resource ID. So the CRUD instance level permission for `GET /api/product/123` is `api:product:view:123`. To allow a user to view all resources simply assign `api:*:view`.
A permission to view/expose/decrypt redacted information #62 is required. The redacted field is a JSON Pointer, such as `/service/0/!apikey` in `api/tenant/123`. How do we specify which fields can be exposed? This is called attribute level permission.
What is the route?

```
GET /api/tenant/123?only=/service/0/!apikey
GET /api/tenant/123#/service/0/!apikey
```

The route asks for the plain-text value of the `apikey`. This should return, if user is permitted to view the information, a `text/plain` with the value.
Need a `req.user.isPermitted(permission)`. We assume authentication #4 creates the user with a set of claims.
Required by #70 and associated with #4 and #62
Some background
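As an added example (not code from this issue or from express-authorization), the following shows how the instance-level strings above are evaluated under Apache Shiro wildcard rules, and one way the requested `req.user.isPermitted(permission)` check could be built from a user's claims. The `api:<resource>:expose:<id>:<json-pointer>` layout for attribute-level permissions and the `makeUser`/`exposableFields` helpers are assumptions, not anything the issue specifies.

```javascript
// Shiro WildcardPermission semantics:
//   - parts separated by ':', alternatives within a part by ','
//   - '*' in a part matches any value in that position
//   - a granted permission with fewer parts than the request implies the
//     missing trailing parts ("printer" implies "printer:print:lp7200")
//   - a granted permission with more parts than the request only implies
//     it if every extra part is '*'
// Parts are NOT lower-cased here (Shiro does by default) so that JSON
// Pointer segments such as /service/0/!apikey keep their exact case.
function parsePermission(str) {
  const parts = str.trim().split(':').map(p =>
    new Set(p.split(',').map(s => s.trim()).filter(Boolean))
  );
  if (parts.some(set => set.size === 0)) {
    throw new Error(`malformed permission: ${JSON.stringify(str)}`);
  }
  return parts;
}

// Does the assigned permission `granted` cover the requested `needed`?
function implies(granted, needed) {
  const g = parsePermission(granted);
  const n = parsePermission(needed);
  for (let i = 0; i < n.length; i++) {
    if (i >= g.length) return true;        // missing trailing parts act as '*'
    if (g[i].has('*')) continue;
    for (const token of n[i]) {
      if (!g[i].has(token)) return false;  // every requested alternative must be granted
    }
  }
  for (let i = n.length; i < g.length; i++) {
    if (!g[i].has('*')) return false;      // extra granted parts must be wildcards
  }
  return true;
}

// A user built from authentication claims (#4), exposing isPermitted(permission).
function makeUser(claims) {
  return {
    claims,
    isPermitted(needed) {
      return claims.some(granted => implies(granted, needed));
    },
  };
}

// Attribute-level check (assumed layout api:<resource>:expose:<id>:<pointer>):
// returns the subset of redacted fields this user may receive in plain text.
function exposableFields(user, resource, id, pointers) {
  return pointers.filter(ptr =>
    user.isPermitted(`api:${resource}:expose:${id}:${ptr}`)
  );
}
```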