stackvana / hook.io

Open-Source Microservice Hosting Platform
https://hook.io

more fine grained roles possible? #209

Open tencherry10 opened 8 years ago

tencherry10 commented 8 years ago

Hi,

This is more an inquiry than an actual problem. Am I correct in assuming that once a private key is granted hook::run, then that private key is granted the ability to run ALL hooks?

Is it possible to have a more fine-grained key? For example, key1 has hook::run capabilities for hook1, hook2 but not hook3 and hook4?

I may be able to work around this by using the datastore to store the matrix of permissions, but I thought I would ask first.

Thanks, Terry

Marak commented 8 years ago

Right now there isn't much of a public API for fine-tuning roles.

Internally I've essentially hard-coded one role for private-hook-service. Instead of this being hard-coded, users should be able to configure any of the hook::* roles to a specific hook (as you have suggested).

I'll need to surface a few API endpoints and implement something in the UI.

Medium priority.

tencherry10 commented 8 years ago

Hi @Marak

Thanks for the response. That's fine. Please let me know when the new API endpoints land. I would be happy to try them out.

Thanks, Terry

Marak commented 8 years ago

@tencherry10 -

I've got some solutions pushed locally in development. Here is the proposed functionality as it's currently working, let me know what you think.

None of this is deployed live to production yet.

Inside hook services, we now have a hook.req.checkAccess(role, callback) method for performing custom role checks.

module['exports'] = function (hook) {
  // Checks the role against whatever hook_private_key is attached to this request
  hook.req.checkAccess('hook::custom1', function (err, hasAccess) {
    // Return after sending the error so the response is not written twice
    if (err) { return hook.res.end(err.message); }
    hook.res.json(hasAccess);
  });
};

The scope of this key will be whatever hook_private_key is associated with the request.

In addition to request based role checks, you can also now simply call into the hook.io-sdk client with any custom hook_private_key and role variable.

module['exports'] = function (hook) {
  // Checks an explicitly supplied key and role, independent of the requesting key
  hook.keys.checkAccess({ hook_private_key: '025de14e-30d8-4a61-a938-b480cf600a19', role: 'hook::custom1' }, function (err, hasAccess) {
    if (err) { return hook.res.end(err.message); }
    hook.res.json(hasAccess);
  });
};

I'm thinking that should be a good first step in getting better custom controls over hook.io events. This way, we can allow the users to specify their own custom role checks easily. Moving forward we can try to consider how to improve on this base functionality.

tencherry10 commented 8 years ago

LGTM. Certainly seems general enough to support most scenarios I can think up.

Let me know when this is deployed into production. I will certainly be interested in trying it out.

Marak commented 8 years ago

@tencherry10 - We've got custom roles deployed now.

Give it a spin and let me know if it works out.

Thanks for the feedback!