server-side authorizations

[ahdinosaur]

we haven't even started this. :unamused:

TODO @ahdinosaur: update this ticket with details about how to "harden" (setup authorization checks) on back-end.

• [ ] dogstack-agents
  • [ ] agents
  • [ ] profiles
  • [ ] credentials
  • [ ] relationships
• [ ] orders
• [ ] products
• [ ] resourceTypes
• [ ] priceSpecs
• [ ] intents

depends on #166

[sarah-arrrgh]

[ahdinosaur]

i'll start working on the dogstack-agents part of this ticket.

[iainkirkpatrick]

@ahdinosaur - for the non-dogstack-agents services here, my guess is this is just having appropriate hooks on the various services to prevent finds / gets / updates / patches / removes from agents who shouldn't be able to?

in which case, my first plan at it would be:

• orders:
  • only order admin may update, patch, or remove
  • only group members may find, get
• products:
  • only related group admins may update, patch, or remove? (less certainty about this one)
  • only related group members may find, get?
• resourceTypes / priceSpecs:
  • same as products
• intents
  • only 'owner' agent may update, patch, or remove
  • only group members may find, get

i can see some of these we might want to change further down the road (i.e. admins can edit other members intents) but how is this for now?

[ahdinosaur]

prevent finds / gets / updates / patches / removes from agents who shouldn't be able to?

yep!

this might be a good time to split up the services by topic:

• agents
  • profiles
  • credentials
  • relationships
• tasks
  • recipes
  • plans
  • works
• products
  • resourceTypes
  • priceSpecs
  • facets
• orders
  • intents
  • plans
  • accounts (or some other name for accounting data)

your rough outline looks good. 😄