Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Filters authorization #130

Open
arcreative opened this issue Oct 3, 2019 · 3 comments
Open

Filters authorization #130

arcreative opened this issue Oct 3, 2019 · 3 comments
Labels
Type: Discussion

Comments

@arcreative
Copy link
Contributor

arcreative commented Oct 3, 2019
edited
Loading

We have several situations where we would like to provide filter functionality, but only for certain users, e.g. admins. We're currently doing this by implementing a custom filter in JR and raising an invalid filter error if they're not allowed to use it based on the current context. It would be great, and seemingly more appropriate, if we could reject this based on our policy, probably as a pundit method that has access to the context.

And while we're at it, maybe this is a decent place to implement fetchable/creatable/updatable attributes as well, since this is more of a policy concern than a resource concern?
@valscion
Copy link
Member

valscion commented Oct 4, 2019
edited
Loading

Seems like a feature that would allow validating incoming parameters somehow (be it fields to update or filters that are allowed to be used) could be useful.

Some previous issues that have been partially about this case: #33, #39, #68, #86

I would be interested to see how it would look like from the end result point of view — what policies would be called and with what parameters? Will we be able to do this kind of feature following the core principle of jsonapi-authorization: "Prefer being overly restrictive rather than too permissive by accident."

Even better if this could be implemented in a different gem that would merely tie into jsonapi-authorization. This way we would not have to worry about maintenance burden on this new code, as we already have limited time to do maintenance.

@arcreative
Copy link
Contributor Author

arcreative commented Oct 4, 2019
edited
Loading

Sounds reasonable. A couple of use cases we're currently needing this for / implementing via resources:

  • An overall system admin should be able to filter on other admins (we call this filter has_elevated_access), but normal users should not
  • A regional admin should be able to filter on certain attributes, say, performance-based metrics that are otherwise unavailable to normal users

I would imagine the filters access could, for the current version, allow all filters by default, but there could be either an allowed_filters method on the policy that could optionally be implemented, or alternatively, filter_on_has_elevated_access? (filter_on_<filter_name>?) that would be true by default, or optionally return false depending on the context. For future major versions, it could reasonably prevent filters by default, but I'm not sure that I feel this feature should be restrictive by default. I think "all filters for everyone" is the most common use case, but "all actions for everyone" is not.

@valscion
Copy link
Member

valscion commented Oct 7, 2019

I think preventing filters (and maybe even fields/attributes) by default could be a good option -- if developers would use this feature. That way it's either "no new restrictions" or an allowlist

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Type: Discussion
Milestone
No milestone
Development

No branches or pull requests
2 participants
@valscion @arcreative