Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs(auth): Mention 403 pitfall + Java specifics #1463

Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

docs(auth): Mention 403 pitfall + Java specifics #1463

wants to merge 9 commits into from

Conversation

bugwelle
Copy link
Contributor

No description provided.

BraunMatthias
BraunMatthias reviewed Nov 26, 2024
View reviewed changes
guides/security/authorization.md
TODO: But in Java, it also works for custom events? And in Node as well, right?

> <sup>1</sup> Node.js supports _static expressions_ that *don't have any reference to the model* such as `where: $user.level = 2` for all events.
> <sup>2</sup> CAP Java uses a filter condition by default.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

whether the filter applies as result filter or reject condition now depends on the the query (selection or not). I think we should mention this explicitly.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You refer to my TODO for custom events?

Something like:

  • custom event (as reject condition if it selects an entity)

It seems that Node.js assumes that bound actins/functions trigger read events (SELECTs), but I could be mistaken.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comment was:

TODO: But in Java, it also works for custom events? And in Node as well, right?

guides/security/authorization.md Outdated Show resolved Hide resolved
guides/security/authorization.md Outdated
@@ -518,6 +521,16 @@ Supported features are:
* [Exists predicate](#exists-predicate) based on subselects.


<div class="impl java">

CAP Java 3.5.0 introduced an option to enable rejection conditions for `UPDATE`, `DELETE` and custom events. Enable it via <Config java keyOnly>cds.security.authorization.instance-based.reject-selected-unauthorized-entity.enabled: true</Config>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the reject condition also works with READ, doesn't it?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The reject condition is only implemented for write-events (+ custom events). For read events, it remains 404, i.e. filtering.

guides/security/authorization.md Outdated Show resolved Hide resolved
guides/security/authorization.md Outdated Show resolved Hide resolved
bugwelle
bugwelle commented Dec 2, 2024
View reviewed changes
guides/security/authorization.md
TODO: But in Java, it also works for custom events? And in Node as well, right?

> <sup>1</sup> Node.js supports _static expressions_ that *don't have any reference to the model* such as `where: $user.level = 2` for all events.
> <sup>2</sup> CAP Java uses a filter condition by default.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comment was:

TODO: But in Java, it also works for custom events? And in Node as well, right?

guides/security/authorization.md Outdated Show resolved Hide resolved
@bugwelle bugwelle marked this pull request as ready for review December 2, 2024 06:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@renejeglinsky renejeglinsky renejeglinsky approved these changes

@BraunMatthias BraunMatthias Awaiting requested review from BraunMatthias

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@bugwelle @renejeglinsky @BraunMatthias