mario-nt
commented
1 month ago @josecelano Maybe we can still use the user_id extractor in the handler or move that logic to the service:
Also we need to find a way to not allow those policies as they break the expected behavior of the app and might even lead to a security risk.
Actually, right now, the authorization policy is coupled with the logic in the handlers and services, maybe we should not allow end user to modify Casbin policies directly, only certain things like users and roles, and then persist those settings into the Casbin policy. All those customization options should be constrained and decided before hand.
josecelano
There are several unwraps that lack error handling in the authorization logic when unwrapping the maybe_user_id variable, this PR fix that by handling the errors.