-
Notifications
You must be signed in to change notification settings - Fork 124
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Let Authorizers return allowed permissions #953
Comments
I think we need to return a
So technically, The
That one could remain the same IF:
Then:
Then this comparison behavior is abstracted away. Alternatively, we can use the composite pattern to create a
That would be solid/web-access-control-spec#97 (comment); let us hold off on that one for the moment; knowing that, indeed, this PR makes it easier/trivial to implement that behavior.
Someone should get the resulting
Yes; and as I wrote above (for
I don't think it couples that; we just ask the permission reader to look up permissions for things.
I'm okay at the moment; no strong opinion. Your proposal is fine with me.
I wouldn't reduce here; I don;'t think |
Done in #962 |
See #938 (comment)
The idea would be that instead of failing or succeeding to indicate if the input permissions are allowed, they instead would return an object indicating for each existing permissions which of these would be allowed.
Some considerations:
PermissionSet
or do we use different terms?RequestParser
? Or do we scrap the permission parser and let theOperationHandlers
reject based on the received permissions?WAC-Allow
header then? The main issue is that we need 2 objects there: the permissions for the current credentials AND the permissions for a public agent. We could have the authorizer return both, but this couples the behaviour closer to acl again since we're only doing this for an acl header.PermissionSet
? Currently these values are tightly coupled to theacl
predicates but perhaps we want to go to more generic terms.CombinedAuthenticationHandler
to combine the results, but we could also do this with a sequence/parallel handler that modified the input object, or create a new generic reduce handler or similar.Regarding using more generic terms, those would be read, create, write, append, delete instead of the current control, read, write, append. I personally am in favor of making that switch (although I personally think delete doesn't have that much added value when you have write). One issue here would be the
control
boolean, but perhaps we can make our acl authorizer smart enough to know it has to convert the control value to create/write/delete when the target is an acl resource.#938 is on hold until this is resolved.
Wondering if this will impact #952 😉
The text was updated successfully, but these errors were encountered: