Implement permission policies in the API #22384
base: auditus
Conversation
Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com>
@DanielBiegler @hanneskuettner It'd be great if I could get a code-review while wrapping up the last todos. Once this thing is done and runs as it should, we'll involve the whole team for a good while of QA 🙂
Note

TODO: We gotta update /api/src/middleware/check-ip.ts and use policies there.

Previously we got the ip_access of that user's role and compared it with their IP. Done.

Now users could have multiple policies which each have an ip_access column.

@DanielBiegler Policies are filtered down by IP in the It's no longer a yes-or-no check in middleware; it's now filtering down the permissions for the specific request.
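The behaviour described in this thread, as an added example that is not part of the PR or Directus's own code: instead of a single pass/fail IP check against the user's role, each of the user's policies carries its own ip_access list, and the request's permissions are narrowed to the policies whose list admits the client IP. The Policy shape, the assumption that ip_access is a comma-separated list of IPv4 addresses or CIDR blocks, the "empty means unrestricted" rule and the sample data are all constructed for this illustration.

```typescript
// Added example, not Directus code: narrow a user's policies by the client IP
// rather than rejecting the whole request when the IP does not match.

interface Policy {
  id: string;
  // Assumption: comma-separated IPv4 addresses or CIDR blocks; null/empty = no IP restriction.
  ip_access: string | null;
  // Simplified stand-in for the permission rows attached to a policy.
  permissions: string[];
}

// Parse a dotted-quad IPv4 address into an unsigned 32-bit number.
function ipv4ToInt(ip: string): number {
  const parts = ip.trim().split('.');
  if (parts.length !== 4) throw new Error(`invalid IPv4 address: ${ip}`);
  let n = 0;
  for (const part of parts) {
    if (!/^\d{1,3}$/.test(part)) throw new Error(`invalid IPv4 address: ${ip}`);
    const octet = Number(part);
    if (octet > 255) throw new Error(`invalid IPv4 address: ${ip}`);
    n = n * 256 + octet; // multiplication keeps the value unsigned (no 32-bit shift wraparound)
  }
  return n;
}

// True when `ip` falls inside `entry`, which is either a plain address or a CIDR block.
function matchesEntry(ip: string, entry: string): boolean {
  const [base, prefixStr] = entry.trim().split('/');
  const prefix = prefixStr === undefined ? 32 : Number(prefixStr);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) {
    throw new Error(`invalid prefix length in ${entry}`);
  }
  // `<< 32` is a no-op in JS, so a /0 mask has to be special-cased.
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// A policy applies to this request if it has no IP restriction or any entry matches.
function policyAllowsIp(policy: Policy, clientIp: string): boolean {
  if (policy.ip_access === null || policy.ip_access.trim() === '') return true;
  return policy.ip_access
    .split(',')
    .map((entry) => entry.trim())
    .filter((entry) => entry.length > 0)
    .some((entry) => matchesEntry(clientIp, entry));
}

// The filtering step: policies that do not admit the client IP simply drop out.
function filterPoliciesByIp(policies: Policy[], clientIp: string): Policy[] {
  return policies.filter((policy) => policyAllowsIp(policy, clientIp));
}

// Union of permissions granted by the policies that survived IP filtering.
function effectivePermissions(policies: Policy[], clientIp: string): string[] {
  const granted = new Set<string>();
  for (const policy of filterPoliciesByIp(policies, clientIp)) {
    for (const permission of policy.permissions) granted.add(permission);
  }
  return [...granted].sort();
}

// Constructed sample data: one unrestricted policy, one office-only, one single-host.
const samplePolicies: Policy[] = [
  { id: 'public-read', ip_access: null, permissions: ['articles:read'] },
  {
    id: 'office-admin',
    ip_access: '10.0.0.0/8, 192.168.1.0/24',
    permissions: ['articles:read', 'articles:update', 'users:delete'],
  },
  { id: 'vpn-editor', ip_access: '203.0.113.7', permissions: ['articles:update'] },
];

// Same user, three client IPs, three different permission sets.
for (const ip of ['192.168.1.42', '203.0.113.7', '198.51.100.9']) {
  console.log(ip, '->', effectivePermissions(samplePolicies, ip).join(', '));
}
```

The point the thread makes is visible in the last loop: a request from an unlisted IP is not rejected, it just ends up with the permissions of the unrestricted policy only. One design note for anyone wiring this into middleware: the value passed as `clientIp` must come from the socket address or from a proxy header the deployment has explicitly chosen to trust, since the filtering is only as good as the IP it is given.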
Scope

What's changed:

- api/src/permissions folder
- roles flag to accountability object. This is an ordered array of all the parent roles of the current user
- get-ast-from-query by splitting it into multiple files
- cases and whenCase. This allows us to dynamically generate the case/when SQL to have dynamic field output per item.
- run-ast by splitting it up into smaller files

Potential Risks / Drawbacks

Review Notes / Questions

Todos

- whenCases in run-ast
- clear method in memory/cache/permissions
- endpoint

Closes #21778, closes #21765, closes #22163, closes #21769, closes #21768, closes #21767, closes #21766
Footnotes
E.g. check to make sure there's still >=1 admin left after the mutation is done