:roles for authorization are static from authentication time #21

Closed
xeqi opened this Issue Sep 1, 2012 · 2 comments

xeqi commented Sep 1, 2012

From my Using friend in clojars writeup:

While exploring friend, a downside was noted with the authorization. When a user is authenticated, the :roles are added into the session. If the user gets a new role it will not take effect without a logout/login. Using derive to produce an in-memory role hierarchy can work with this, as suggested in the friend readme.

This seemed like a bad idea for clojars. The direct mapping of groups to roles would require trying to keep the roles in sync with the database, and reinitialized on a restart. Instead clojars uses its own mechanism for authorization wrapping (friend/throw-unauthorized friend/*identity*).

It would be nice to have a mechanism to update a user's :roles, or allow querying them at authorization time.

Owner

cemerick commented Mar 12, 2013

Thinking of making it possible for :roles to be a function that returns a collection of the user's current roles. That fn could then do all the database checking + caching it wants.

Does this sound sane / useful / sufficient?

xeqi commented Mar 15, 2013

Using a fn was the first thing I thought of. It would work for me.

lynaghk added a commit to lynaghk/friend that referenced this issue Mar 25, 2013

Allow :roles to be a function returning a collection, which will be executed each time user authorizations are checked.

This allows, e.g., promoting a user to a new role without forcing a logout+login.

Closes #21.

cemerick closed this in 683bacc Mar 29, 2013
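The following is an added, self-contained Clojure example (not friend's own code and not from clojars) that models the two behaviours discussed in this issue: a :roles set snapshotted at authentication time, versus :roles as a zero-argument function that is re-run on every authorization check. The `db` atom stands in for clojars' group table, and `authorized?` / `throw-unauthorized` are stand-ins written for this example, named after the friend functions but not copies of them. The `derive` hierarchy is the in-memory approach the issue body refers to.

```clojure
(ns roles-example)

;; Constructed stand-in for a groups/roles table (an atom, not a database).
;; Assumption for this example: alice starts out as a plain member.
(def db (atom {"alice" #{::member}}))

(defn lookup-roles
  "What a real app would do with a database query."
  [username]
  (get @db username #{}))

;; In-memory role hierarchy: an admin isa member, so requiring ::member
;; is satisfied by ::admin via isa?.
(derive ::admin ::member)

;; Static variant: roles copied into the authentication map at login.
;; Later changes in `db` are invisible until logout/login.
(defn authenticate-static [username]
  {:identity username
   :roles    (lookup-roles username)})

;; Dynamic variant: :roles is a function, evaluated on each check.
;; Caching (e.g. a short TTL) would live inside this fn.
(defn authenticate-dynamic [username]
  {:identity username
   :roles    #(lookup-roles username)})

(defn authorized?
  "True if any of the authentication's roles isa? one of `required`.
   If :roles is a fn it is called first, which is the behaviour this
   issue asks for; this is example code, not friend's implementation."
  [required auth]
  (let [roles (:roles auth)
        roles (if (fn? roles) (roles) roles)]
    (boolean (some (fn [r] (some #(isa? % r) roles)) required))))

(defn throw-unauthorized
  "Example stand-in for the friend/throw-unauthorized style wrapper."
  [auth required]
  (when-not (authorized? required auth)
    (throw (ex-info "unauthorized"
                    {:identity (:identity auth) :required required}))))

(defn demo
  "Promote alice to admin, then revoke it, without any re-login, and
   record what each variant reports at each step."
  []
  (let [static-auth  (authenticate-static "alice")
        dynamic-auth (authenticate-dynamic "alice")
        check        (fn [] {:static  (authorized? #{::admin} static-auth)
                             :dynamic (authorized? #{::admin} dynamic-auth)})
        before       (check)]
    (swap! db update "alice" conj ::admin)      ; grant
    (let [granted (check)]
      (swap! db update "alice" disj ::admin)    ; revoke
      {:before    before
       :granted   granted
       :revoked   (check)
       ;; hierarchy: an admin-only auth still satisfies ::member
       :admin-is-member (authorized? #{::member} {:roles #{::admin}})})))

(println (demo))
```

Running `demo` shows the static variant never notices the grant, while the dynamic variant reports the promotion immediately and, just as importantly for security, also drops the privilege as soon as it is revoked, rather than waiting for the session to end. Two caveats for anyone adopting the function form: the fn runs on every `authorized?` call, so a hot endpoint will hit the database on each request unless the fn caches; and a closure stored in the session only survives in a session store that keeps live objects in memory, since a serialising store (such as a cookie store) cannot round-trip a function.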
