Report required permission(s) when authorization fails - Githubissues

treeverse / lakeFS

lakeFS - Data version control for your data lake | Git for data

https://docs.lakefs.io

Apache License 2.0

4.37k stars 349 forks source link

Report required permission(s) when authorization fails #8224

Open arielshaqed opened 2 days ago

arielshaqed commented 2 days ago

Currently authorization simply fails the request. Add to this response the missing permission(s).

Why do this?

We see that users who fail to perform some action are unsure what to do. This is an easy response.

Is this safe?

This is an authenticated user - they can know their permissions simply by trying to do stuff.
Required permissions are known to attackers - even if our docs are out of date, pkg/api/controller.go is the open source of truth.

Alternatives

Report only the first missing permission. This is slightly easier to code.
Report all required permissions. This avoids giving the user any information about their permissions.