Dynamic (non-hardcoded) Permission Structure #3286

Closed
anthonycmain opened this issue May 29, 2019 · 4 comments

Comments

@anthonycmain
Contributor

anthonycmain commented May 29, 2019

The current authentication model is solid as it gives complete control, but I would like to see a more dynamic version so we can have flexible permissions.

Describe the solution you'd like
I quite liked the Laravel method of structuring permissions based upon dotted strings. So I was thinking that for each Resource and each type of view you could have a permission e.g.

  • Recipes.list
  • Recipes.show
  • Recipes.create

If you didn't have that permission structure you would not have access. If you simply had "Recipes" you would have full permission over that Resource. The same could then stem down to Fields etc.

The individual Views would then be able to self authenticate and return a 404 if failed, without the need for explicit definition in the source files.

My thoughts are currently you decide a permissions model which either provides role-based granular permission; user-based granular permission or (as currently) role-based explicit permission.

Describe alternatives you've considered
I've just found the current method time-consuming to code, and it is also not dynamic, so we cannot build permission control into the CMS itself.

Additional context
We may have enough drive internally to complete such a development if we had some backing and guidance as to a preferred route.
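
The dotted-permission scheme proposed in the issue above, sketched as an added example that is not part of the original issue and is not react-admin or ra-auth-acl code. The function names and the sample grants are hypothetical; matching is done per segment and anything not explicitly granted is denied.

```javascript
// Added illustration: parsePermission, isGranted, canAccess and allowedViews
// are hypothetical names, not react-admin or ra-auth-acl APIs.

// Split a dotted permission into segments; malformed input yields null.
function parsePermission(permission) {
  if (typeof permission !== 'string' || permission.length === 0) return null;
  const segments = permission.split('.');
  return segments.every((s) => /^[A-Za-z0-9_-]+$/.test(s)) ? segments : null;
}

// A grant covers a requirement when every segment of the grant equals the
// corresponding leading segment of the requirement. "Recipes" covers
// "Recipes.list"; "Recipes.list" does not cover "Recipes.show"; "Rec" does
// not cover "Recipes.list" because comparison is per segment, not per character.
function isGranted(grant, required) {
  const g = parsePermission(grant);
  const r = parsePermission(required);
  if (!g || !r || g.length > r.length) return false;
  return g.every((segment, i) => segment === r[i]);
}

// Deny by default: a missing or malformed grant list gives no access.
function canAccess(grants, required) {
  if (!Array.isArray(grants)) return false;
  return grants.some((grant) => isGranted(grant, required));
}

// List the views of a resource that a set of grants allows.
function allowedViews(grants, resource, views) {
  return views.filter((view) => canAccess(grants, `${resource}.${view}`));
}

// Constructed sample data: an editor with two Recipes views and all of Tags.
const editorGrants = ['Recipes.list', 'Recipes.show', 'Tags'];
const views = ['list', 'show', 'create'];

console.log(allowedViews(editorGrants, 'Recipes', views));
console.log(allowedViews(editorGrants, 'Tags', views));
console.log(canAccess(editorGrants, 'Recipes.show.title')); // field-level check
```
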

@Kmaschta
Contributor

Kmaschta commented Jun 3, 2019

It's actually possible to build a detailed ACL with the current implementation.

The idea is that the authProvider returns an object including the full permissions for the current user, and use a helper to build the resource / views tree.

I might write an example here, if @Luwangel doesn't any time soon.

Would be great to have a recipe or a documentation on that!

@fzaninotto
Member

Hi, and thanks for your suggestion.

We want to keep the library small to be able to cope with the codebase in an efficient manner, so we decided to leave some features out. Providing specific authProviders is outside the scope of react-admin. We couldn't maintain them anyway. Members of the community (like you) are invited to write custom auth providers for their own use case, and share them in the Ecosystem documentation.

That implies that react-admin already provides everything you need to let you implement what you described with a custom authProvider. If you've tried but hit a block, please provide a sample of the code you wrote and the limits you've met. I'll then consider reopening this issue.

@Kmaschta
Contributor

Kmaschta commented Jun 3, 2019

Hey, I was on the train, so I had time to prepare the few helpers I got from @Luwangel, and I wrapped them up in a package.

https://github.com/marmelab/ra-auth-acl

Feel free to try it and let me know about the API and stuff!

@anthonycmain
Contributor Author

This is excellent, looks like it would actually do what we need.

Thanks a lot @Kmaschta
