
feat: add roles and permission based auth #194

Merged: 8 commits, Jul 31, 2023

Conversation

@eilrix (Member) commented Apr 21, 2022

This PR is basically a refactor of the CMS authentication system to permission-based (previously role-based).

Now a user can have many or no roles. The DB won't allow removing a role while it's in use (foreign key constraint), but it can be removed via RoleRepository.
While it's possible to modify roles manually in the DB, changes won't be reflected immediately since we don't query the roles table on every request (a server restart is needed). Plugin authors need to use the API client or RoleRepository to create/update roles.

All admin panel pages are now tied to permissions. For example, the product page requires the read_products permission, etc.
But note that some read permissions are not used on the server for public entities. For example, products have to be served without auth, so read_products is not required to get the data.

Permissions are not entities, since they aren't stored in the DB. They are only stored in memory and registered dynamically. Permissions are served from the REST API: getRestApiClient().getPermissions()
For a plugin it's possible to register a new permission via registerPermission.
Permissions can be used for controllers/resolvers simply by passing a string to the decorator (example).
Note that a permission used in a decorator must also be registered via registerPermission.

Role is an entity. I haven't added an admin edit page for roles, but it can be created like any other entity page. It has all the basic GraphQL methods and can be queried via getGraphQLClient().getRoles({ pageSize: 1000 });
Permissions of a role are stored as a string, so it's easy to modify them to any value.

Custom entities now have granular permissions. For example, different users can manage only their own (different) custom entities. Permission editing for custom entities isn't in the admin panel, but it can be modified via a plugin.
For example, you can register a custom entity:

registerCustomEntity({
  entityType: 'my_entity_name',
  listLabel: 'My entities',
  // Optional: omit `read` to keep the entity publicly readable (the default).
  permissions: {
    read: 'read_my_entity1',
    update: 'update_my_entity1',
  },
  columns: [
    {
      name: 'my_field',
      label: 'My field',
      type: 'Simple text',
    },
  ],
});

Note that by default (as before) custom entities are public to read. But if you add a read permission, it will no longer be public.
To update your custom entity, add update_my_entity1 to the permissions array of a role of your user.

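The model described in the PR above (in-memory permission registry, roles persisted with a permissions string, users with zero or more roles, public-by-default reads on custom entities) as an added example. This is not code from the Cromwell project or from the PR author: `registerPermission`, `hasPermission`, `canRead`, `canUpdate`, the `GENERIC_UPDATE_PERMISSION` fallback and all sample roles and users are hypothetical stand-ins written to illustrate the design, and the sample data is constructed inline.

```typescript
// Added example modelling the permission-based auth this PR describes.
// NOT Cromwell's code: every name below is a hypothetical stand-in.

interface PermissionDef {
  name: string;
  description?: string;
}

// Permissions are not entities: they live only in memory and are registered
// at startup (by the core or by plugins), never stored in the DB.
const permissionRegistry = new Map<string, PermissionDef>();

function registerPermission(def: PermissionDef): void {
  permissionRegistry.set(def.name, def);
}

// What a REST "get permissions" endpoint would serve: all registered names.
function getPermissions(): string[] {
  return Array.from(permissionRegistry.keys()).sort();
}

// Role is a DB entity. Its permissions column is a plain string (here a
// JSON-encoded array); parse defensively so a hand-edited row cannot crash
// the request path or be misread as granting something.
interface Role {
  name: string;
  permissions: string;
}

interface User {
  email: string;
  roles: Role[]; // many or none
}

function rolePermissions(role: Role): string[] {
  try {
    const parsed: unknown = JSON.parse(role.permissions);
    return Array.isArray(parsed)
      ? parsed.filter((p): p is string => typeof p === 'string')
      : [];
  } catch {
    return []; // malformed column => grants nothing
  }
}

function userPermissions(user: User): Set<string> {
  const out = new Set<string>();
  for (const role of user.roles) {
    for (const p of rolePermissions(role)) out.add(p);
  }
  return out;
}

// The guard a controller/resolver decorator would call. A permission string
// that was never registered is a configuration bug, so it throws instead of
// silently denying (or worse, allowing) the request.
function hasPermission(user: User | null, permission: string): boolean {
  if (!permissionRegistry.has(permission)) {
    throw new Error(`Permission "${permission}" is not registered; call registerPermission() first`);
  }
  return user !== null && userPermissions(user).has(permission);
}

// Custom entity config, shaped like the registerCustomEntity() call above.
interface CustomEntityConfig {
  entityType: string;
  permissions?: { read?: string; update?: string };
}

// Reads are public unless a read permission is configured.
function canRead(entity: CustomEntityConfig, user: User | null): boolean {
  const required = entity.permissions?.read;
  if (!required) return true;
  return hasPermission(user, required);
}

// Updates are never public. When no update permission is configured this
// example falls back to a generic one; that fallback is an assumption of
// this example, not documented project behaviour.
const GENERIC_UPDATE_PERMISSION = 'update_custom_entities';

function canUpdate(entity: CustomEntityConfig, user: User | null): boolean {
  const required = entity.permissions?.update ?? GENERIC_UPDATE_PERMISSION;
  return hasPermission(user, required);
}

// --- constructed sample data (not from the project) ---
for (const name of ['read_products', 'read_my_entity1', 'update_my_entity1', GENERIC_UPDATE_PERMISSION]) {
  registerPermission({ name });
}

const editorRole: Role = { name: 'entity_editor', permissions: JSON.stringify(['read_my_entity1', 'update_my_entity1']) };
const brokenRole: Role = { name: 'hand_edited', permissions: 'not json' };

const editor: User = { email: 'editor@example.com', roles: [editorRole] };
const noRoles: User = { email: 'nobody@example.com', roles: [] };
const broken: User = { email: 'broken@example.com', roles: [brokenRole] };

const publicEntity: CustomEntityConfig = { entityType: 'faq' };
const privateEntity: CustomEntityConfig = {
  entityType: 'my_entity_name',
  permissions: { read: 'read_my_entity1', update: 'update_my_entity1' },
};
```

Two choices worth noting: an unregistered permission name in a guard throws rather than returning false, which surfaces a plugin that forgot `registerPermission` at first request instead of hiding it as a permanent 403; and a role whose permissions string fails to parse grants nothing, so a hand-edited DB row fails closed.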
@eilrix eilrix merged commit 105b6bb into master Jul 31, 2023