Advanced authorization per resource #14
Comments
Thanks for your contribution. Did you check the latest development changelog? I think most of your ideas are already there in one form or another:
838ca5f adds customizable role-based access control, which will allow for implementation of auth.user.id-like scenarios. The idea originated while brainstorming about your proposal, so thank you!
PS: look at the examples/security folder for some code snippets.
Wow, thanks for that! Roles are really a good idea and seem better suited for REST (no need to add custom logic per view).
I really like how the "automatic" mode settings are set up and would love to see authorization implemented in the same manner.
For example:
Basically I'd add 2 security areas (private/public) where one requires authentication and the other doesn't.
Each area could define a "base" query which will be concatenated with the rest of the queries before execution, thus making sure the user can access only the permitted resources.
Furthermore I'd let the user modify which methods are allowed per resource, thus forcing an authorization flow for each request:
Notice the use of auth.user.id; this of course takes for granted our ability to expose the currently authenticated user (which is a story of its own)...
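The following is an added illustration of the scheme sketched in this issue (private/public areas, per-resource allowed methods, and a server-side "base" query bound to the authenticated user's id that is merged into every query). It is example code written for this page, not code from the project or from the commenters; the names `ResourcePolicy`, `POLICIES`, `authorize`, `fetch`, `handle` and the sample rows are all assumptions made up for the demonstration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class User:
    id: str
    role: str


@dataclass(frozen=True)
class ResourcePolicy:
    area: str          # "public" (no auth needed) or "private" (auth required)
    methods: frozenset  # HTTP methods allowed on this resource
    # Server-side "base" query derived from the authenticated user. It is
    # AND-ed into every query on the resource so the caller can only reach
    # the rows the policy permits (the auth.user.id idea from the issue).
    base_query: Optional[Callable[[User], Dict[str, str]]] = None


# Hypothetical per-resource policies (assumed format, not the project's own).
POLICIES: Dict[str, ResourcePolicy] = {
    "posts": ResourcePolicy(area="public", methods=frozenset({"GET"})),
    "invoices": ResourcePolicy(
        area="private",
        methods=frozenset({"GET", "POST", "PATCH"}),
        base_query=lambda user: {"owner_id": user.id},
    ),
}

# Constructed sample rows standing in for the backing store.
ROWS: Dict[str, List[Dict[str, str]]] = {
    "posts": [{"id": "p1", "tag": "news"}, {"id": "p2", "tag": "misc"}],
    "invoices": [
        {"id": "i1", "owner_id": "u42", "total": "10"},
        {"id": "i2", "owner_id": "u99", "total": "20"},
        {"id": "i3", "owner_id": "u42", "total": "30"},
    ],
}


def authorize(resource: str, method: str, user: Optional[User],
              client_query: Dict[str, str]) -> Tuple[int, Optional[Dict[str, str]]]:
    """Return (200, effective_query) or (http_status, None) when refused."""
    policy = POLICIES.get(resource)
    if policy is None:
        return 404, None
    # Authentication is checked before the method check so that a private
    # resource reveals nothing (not even its allowed methods) to anonymous callers.
    if policy.area == "private" and user is None:
        return 401, None
    if method not in policy.methods:
        return 405, None
    effective = dict(client_query)
    if policy.base_query is not None:
        if user is None:
            return 401, None  # a base query needs an identity to bind to
        # Applied last so it overrides any client-supplied value for the same
        # field: a caller cannot widen its scope by passing owner_id=<someone else>.
        effective.update(policy.base_query(user))
    return 200, effective


def fetch(resource: str, query: Dict[str, str]) -> List[Dict[str, str]]:
    """Equality filter over the sample rows; every key in query must match."""
    return [row for row in ROWS[resource]
            if all(row.get(k) == v for k, v in query.items())]


def handle(resource: str, method: str, user: Optional[User],
           client_query: Dict[str, str]) -> Tuple[int, List[Dict[str, str]]]:
    """Full request flow: authorize, then run the effective query against the store."""
    status, query = authorize(resource, method, user, client_query)
    if status != 200:
        return status, []
    return 200, fetch(resource, query)


if __name__ == "__main__":
    alice = User(id="u42", role="member")
    print(handle("posts", "GET", None, {"tag": "news"}))          # public, no auth
    print(handle("invoices", "GET", alice, {}))                   # only alice's rows
    print(handle("invoices", "GET", alice, {"owner_id": "u99"}))  # base query wins
    print(handle("invoices", "GET", None, {}))                    # 401, nothing leaked
```

The one design point worth taking from this: the base query must be merged so that it cannot be overridden or dropped by the client, and the authentication check for a private area should run before any per-method decision, otherwise an anonymous caller can still probe which methods a resource supports.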