Recommended way for resource-based access control #57
Hi, it's up to you how you implement the In my application, I have a datatable resource that holds the link between a role and a resource. When the user connects to the app, the resource array is put inside the generated token. |
@scandinave Thanks for your reply! Unfortunately, I'm not talking about resources owned by a given user. I mean resources created by user X which should be accessible by user Y, without |
@scandinave Oh, I guess I misunderstood your reply. Having a |
Don't forget to sign your token to avoid any modification. The other solution, if you want a user delegating access to another user, is to use OpenID Connect/OAuth2. |
@scandinave Sure thing. One more question: I need also to distinguish the access to the |
AccessControl supports providing attributes like this:
You can then filter what can be returned to the user with the filter method. In my projects, I use this method in my Express route before returning the JSON object to purge unwanted values. |
IMO naming it I'm talking about a different situation. Consider a resource like this:

```js
{
  "name": "some name",
  "type": "video" // this can also be an "attachment"
}
```

Now, using |
Yeah, |
So I'd like to restrict access to specific resource instances. I came up with an idea to just use `.resource('video:id')` for grants, but I'm not sure if it's a good way. To be more specific: I'm talking about a case where user X owns a resource, and user Y needs to have access to it, without having a `read:any` grant. Do you recommend any other way to handle this problem?