You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I asked @coco98 a little bit about this in the May Community Call, but thought I should expand a little bit on some of our use cases here.
Our product is a multi-tenant application for running virtual conferences. Each virtual conference has a number of video chat rooms. A room can be public - in which case any attendee at the conference can see it - or they can be private - in which case only 'members' of that specific room can see it.
The fragment of permissions logic that implements this looks something like:
However, this permissions logic is not only needed for the Room table. It's also used for controlling access to multiple other related tables. Here are some examples from our metadata:
What concerns me at the moment is that each of these separate pieces of code implements the same 'business rule' - i.e. that everyone can access public rooms and only specific people can access non public rooms. But the implementation is simply copy-pasted across the metadata, making it quite unmaintanable.
What if the rule changes (e.g. we add a new room mode that has different business logic for access control)? Then we have to comb through the metadata looking for instances of this logic and manually updating it. This is error prone and you can probably imagine that the logic is likely to get out of sync over time, compromising application security.
What I would really like to be able to do is define this fragment of logic once, in a central place. Then I would like to just call into that logic from each place where it is needed. When the central definition changes, it is immediately reflected across every table that uses it.
Hopefully this is an illustrative example! I could definitely pull out many more from our codebase. For example, we flatten our RBAC permissions into a single view and then perform lookups against that. Rather than writing a large (and nearly identical) multi-armed _exists query for each table to look up these permissions, it would be super nice to be able to just define and call something like has_permission(PERMISSION_NAME, userId).
The text was updated successfully, but these errors were encountered:
I have the same challenge, currently a db with ~50 tables and for 90% of them I'll have to implement the same basic rule.
It would be amazing if I could either reuse a permission fragment like you describe, or simply configure that "access to table Child is granted if access to table Parent is granted", ie. you delegate the the permission check to a related entity.
I asked @coco98 a little bit about this in the May Community Call, but thought I should expand a little bit on some of our use cases here.
Our product is a multi-tenant application for running virtual conferences. Each virtual conference has a number of video chat rooms. A room can be public - in which case any attendee at the conference can see it - or they can be private - in which case only 'members' of that specific room can see it.
The fragment of permissions logic that implements this looks something like:
However, this permissions logic is not only needed for the
Room
table. It's also used for controlling access to multiple other related tables. Here are some examples from our metadata:And so on.
What concerns me at the moment is that each of these separate pieces of code implements the same 'business rule' - i.e. that everyone can access public rooms and only specific people can access non public rooms. But the implementation is simply copy-pasted across the metadata, making it quite unmaintanable.
What if the rule changes (e.g. we add a new room mode that has different business logic for access control)? Then we have to comb through the metadata looking for instances of this logic and manually updating it. This is error prone and you can probably imagine that the logic is likely to get out of sync over time, compromising application security.
What I would really like to be able to do is define this fragment of logic once, in a central place. Then I would like to just call into that logic from each place where it is needed. When the central definition changes, it is immediately reflected across every table that uses it.
Hopefully this is an illustrative example! I could definitely pull out many more from our codebase. For example, we flatten our RBAC permissions into a single view and then perform lookups against that. Rather than writing a large (and nearly identical) multi-armed
_exists
query for each table to look up these permissions, it would be super nice to be able to just define and call something likehas_permission(PERMISSION_NAME, userId)
.The text was updated successfully, but these errors were encountered: