
Permisions claim check field with multiple values? #284

Open
KK7NZY opened this issue Mar 2, 2023 · 2 comments

Comments

KK7NZY commented Mar 2, 2023

Hello,

I am currently trying to setup a permissions-profile and was hoping to get some feedback on how to handle permissions for referenced entities and/or suggestions on model design.

For example I have something similar to the following:

```graphql
type Gallery @rootEntity(permissionProfile: "gallery") {
  name: String!
  portfolios: [Portfolio!] @relation
  gallery: ID! @accessField
}
type Portfolio @rootEntity {
  name: String!
  images: [Image!] @relation(inverseOf: "portfolio")
}
type Image @rootEntity {
  name: String!
  url: String!
  portfolio: Portfolio! @relation
}
```

```yaml
permissionProfile:
  gallery:
    - access: read
      roles:
        - viewer
      restrictions:
        - field: gallery
          claim: galleries
```

A user with read permissions would be able to access the name field but would get "Not authorized to read Portfolio objects (in Gallery.portfolios)" when trying to access portfolios of the gallery. The only way I can think to get around this is to add a Ctx extension to each entity and update the permissions-profile to reference the new context field, or create a separate permission for each entity with the correct field/claim combination.

```graphql
type Ctx @entityExtension {
  gallery: ID @accessField
  portfolio: ID @accessField
  owner: ID @accessField
}
type Gallery @rootEntity(permissionProfile: "gallery") {
  name: String!
  portfolios: [Portfolio!] @relation
  ctx: Ctx @accessField
}
type Portfolio @rootEntity(permissionProfile: "portfolio") {
  ...
  ctx: Ctx @accessField
}
type Image @rootEntity {
  ...
  ctx: Ctx @accessField
}
```

```yaml
permissionProfile:
  gallery:
    - access: read
      roles:
        - viewer
      restrictions:
        - field: ctx.gallery
          claim: galleries
  portfolio:
    - access: read
      roles:
        - viewer
      restrictions:
        - field: ctx.gallery
          claim: galleries
        - field: ctx.portfolio
          claim: portfolios
```

Adding the Ctx entity solved the authentication issue, but a Portfolio in the example can be referenced by many Gallery entities. A user with access to one gallery and not another would get access denied when trying to access the portfolio in the current setup, unless ctx.gallery was an array.

I know it is not possible to have an array as a field value. Is there something I can do that would resolve the scenario mentioned above? Something like `any([claim in field for claim in claims]) if isinstance(field, list) else field in claims`.

Do I need Ctx or is there a better way to handle this use case ?

I am still learning my way around so any help would be appreciated.

Regards,
John

mfusser commented Mar 7, 2023

I am not sure if I fully understand what you are trying to achieve but I don't think there is a good way to handle this situation at the moment.
There is no way to define something like "allow access to a portfolio if the user has access to any gallery that includes this portfolio".
The permissions have to be defined for each rootEntity separately, so I think the only way is to give each rootEntity its own profile and make sure from outside that whenever a user gets access to a gallery, they also get access to all necessary portfolios. This will come with some other problems (as I wrote in your other issue).
It seems that your use case does not really fit the way permission profiles work in cruddl.

KK7NZY commented Mar 7, 2023

Thank you for the response. That makes sense to have to write a permissions profile for each Root Entity.

In the example above I was also curious about having a restriction with a field value that is a list of items. For example, if I wanted to store a separate field on the entity that had all the gallery IDs, then have my restriction compare the values of the field list to the claim list.

For example:

```json
{ "claims": { "gallery": [5, 6] } }
```

```json
[
  {
    "id": "<portfolio_id_1>",
    "ctx": {
      "gallery": [6]
    }
  },
  {
    "id": "<portfolio_id_2>",
    "ctx": {
      "gallery": [42, 73]
    }
  },
  {
    "id": "<portfolio_id_3>",
    "ctx": {
      "gallery": [5]
    }
  }
]
```

In this example I would expect the user to get a response of two portfolios since he has a claim of [5, 6].

I created a draft PR here (#287) for the example above. Any feedback on this would be much appreciated.

For my current project I need to check the value of a claim and/or role against a field that is a list of values.
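As an added example (not cruddl's own code and not the draft PR), here is a small TypeScript evaluator for the list-valued restriction semantics proposed in this thread: a restriction passes when the entity field's values and the claim's values intersect, and a missing field or missing claim is denied. The names Restriction, restrictionAllows and filterReadable are assumptions for this illustration; the sample data is constructed to mirror the example above, extended with a scalar field and a missing field.

```typescript
// Added example, not cruddl's own code nor the draft PR: a restriction
// check where the entity field and/or the claim may be a list; access
// passes when the two value sets intersect. Names are assumptions.
type Claims = Record<string, unknown>;
type Entity = Record<string, unknown>;
interface Restriction {
  field: string; // dotted path into the entity, e.g. "ctx.gallery"
  claim: string; // key in the user's token claims, e.g. "gallery"
}
// Resolve a dotted path; undefined if any segment is missing.
function getPath(obj: unknown, path: string): unknown {
  let cur: unknown = obj;
  for (const key of path.split('.')) {
    if (cur === null || typeof cur !== 'object') return undefined;
    cur = (cur as Record<string, unknown>)[key];
  }
  return cur;
}

// Scalar or array -> string keys (so 5 and "5" match); null/undefined -> [].
function toKeys(v: unknown): string[] {
  if (v === undefined || v === null) return [];
  return (Array.isArray(v) ? v : [v]).map((x) => String(x));
}

// Passes when at least one entity value is among the claim values.
// A missing field or missing claim yields no keys and so fails closed.
function restrictionAllows(r: Restriction, claims: Claims, entity: Entity): boolean {
  const fieldKeys = toKeys(getPath(entity, r.field));
  const claimKeys = toKeys(claims[r.claim]);
  return fieldKeys.some((k) => claimKeys.includes(k));
}

// All restrictions of a permission must hold, as in the profile above.
function filterReadable(rs: Restriction[], claims: Claims, entities: Entity[]): Entity[] {
  return entities.filter((e) => rs.every((r) => restrictionAllows(r, claims, e)));
}

// Constructed sample data mirroring the thread's example, plus a scalar
// field and a missing field to show both cases.
const sampleClaims: Claims = { gallery: [5, 6] };
const sampleRestrictions: Restriction[] = [{ field: 'ctx.gallery', claim: 'gallery' }];
const samplePortfolios: Entity[] = [
  { id: 'portfolio_1', ctx: { gallery: [6] } },
  { id: 'portfolio_2', ctx: { gallery: [42, 73] } },
  { id: 'portfolio_3', ctx: { gallery: [5] } },
  { id: 'portfolio_4', ctx: { gallery: 5 } }, // scalar field still works
  { id: 'portfolio_5', ctx: {} }, // no ctx.gallery: denied
];
```

Running `filterReadable(sampleRestrictions, sampleClaims, samplePortfolios)` returns portfolios 1, 3 and 4; note that this check lives outside cruddl, which is the "make sure from outside" approach mentioned earlier in the thread.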
