-
Notifications
You must be signed in to change notification settings - Fork 19
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
66, 9, 44 role based access management & authorization #76
Conversation
location: Type.Optional(Type.Union([LocationSchema, Type.Null()])), | ||
organizationUrl: Type.Optional(Type.Union([Type.String(), Type.Null()])), | ||
verifiableCredentials: Type.Optional(Type.Union([Type.Array(VerifiableCredentialSchema), Type.Null()])), | ||
role: Type.Optional(Type.Union([Type.String(), Type.Null()])) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it possible that a user will have multiple roles? Maybe it is reasonable to change it into a list or a map with key:value pairs?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
for now it is only these roles, we don't have really requirements here I just needed some mechanism to be able to delete other user as an admin via api
|
||
export interface UserPersistence extends OmittedUser { | ||
role?: UserRoles; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
role
reads like a single role, while UserRoles
is a plural
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes because UserRoles is an enum which is mainly written in plural :/
isAuthorizedToRevoke = async (kci: LinkedKeyCollectionIdentityPersistence, requestUser: User): Promise<AuthorizationCheck> => { | ||
const isAuthorizedUser = this.authorizationService.isAuthorizedUser(requestUser.userId, kci.linkedIdentity); | ||
const isAuthorizedInitiator = this.authorizationService.isAuthorizedUser(requestUser.userId, kci.initiatorId); | ||
if (!isAuthorizedUser && !isAuthorizedInitiator) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should the condition resolve if both variables are false
at the same time, or just if one of them is false?
Also, should it be &&
or ||
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes only if the requester is not the user itself or the initiator it shall go into the admin check. This avoids to query the db everytime an authorization check will be done. By thinking about that I could also add some package which does memorization for function calls to avoid unnecessary db calls... I will add an issue for that.
return { isAuthorized: true, error: null }; | ||
}; | ||
|
||
isAuthorizedUser = (requestUserId: string, userId: string): boolean => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This function doesn't really makes sense. On line 14 you can simply verify const isAuthorizedUser = requestUser.userId === userId
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oh yes, this were refactored and is now kind of obsolete I would keep it but make it less crowded
isAuthorizedUser = (requestUserId: string, userId: string): boolean => {
return requestUserId === userId;
};
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is this ok?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, it's ok
Authorization for channels, users and verification/revocation and adding role based access management. Using role based access management admin users are able to delete other users or channels and also revoke/verify credentials of other organizations.
This PR is including the following PRs that's why they are abandoned:
#74
#68