feat: authorization #814
feat: authorization #814
Conversation
|
|
ojeytonwilliams
force-pushed
the
feat/authorization
branch
from
af4c347
to
77f49f0
Compare
ojeytonwilliams
force-pushed
the
feat/authorization
branch
from
77f49f0
to
761238a
Compare
👇 Click on the image for a new way to code review
Legend |
ojeytonwilliams
force-pushed
the
feat/authorization
branch
2 times, most recently
from
fce36c1
to
3b67c87
Compare
|
TODO
|
ojeytonwilliams
force-pushed
the
feat/authorization
branch
2 times, most recently
from
4b3ae6b
to
94404e6
Compare
This gives consistency with other requests and allows auth to differentiate between requests
This reverts commit 761238a.
A user with an instance role, one with a chapter role and third with an event role
Rather than requiring a second db request during authorization
ojeytonwilliams
force-pushed
the
feat/authorization
branch
from
94404e6
to
fd3d989
Compare
|
A bit of side-question - is it planned to use this as a check if user is logged in? After passing any permission check it is implicit that user is logged in, so in theory some logged-in permission could be used for authorizing access where no more specific permission exists. |
|
@gikf I hadn't planned to, but it's definitely possible if we want to. What you can do is simply add an Did you have something in mind where we'd want to do that? If you do, I'll add that logic in. |
|
Also, I might need to drop the variable validation. I thought it would be useful to make sure that a request comes with, say, |
|
Nothing specific, just a general idea, that I'm now not sure if it's even needed... |
|
No worries. If we come up with a use case for it, it's easy enough to add in, but let's leave it until we do. |
|
Thanks @gikf I like these changes a lot. The only one I'd change is What I'll do is commit all your changes and rename that separately. |
Co-authored-by: Krzysztof G. <60067306+gikf@users.noreply.github.com>
It does not seem necessary, since invalid variables will be ignored and so should never grant permission incorrectly. Invalid requests will be denied without explanation, so we can revisit this approach if that happens too often.
|
@gikf let me know if there's anything else that doesn't look right. |
|
I considered Otherwise I'm not seeing anything sticking out 👍 |
|
Ah, yes, good point. How about this? We validate that the number of permissions is 1, call it After all, the intention is that each resolver would only need a single permission. e.g. the |
|
Yeah, that sounds sensible. |
Very preliminary draft of the authorization implementation.
Key point: all authorization logic is the responsibility of
authorizationChecker.This determines if a given user has a right to see or interact with a given field or resolver. To my knowledge the main weakness of this approach is that it cannot filter a resolver's output. So, if we wanted a public event feed and a private one, those would have to be implemented as separate resolvers.
We cannot (well, should not) put any authorization logic in resolvers, but we can make different queries through the client based on the information about the user (are they logged in, what role do they have etc.).