-
Notifications
You must be signed in to change notification settings - Fork 179
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Explicit .grant() and .deny() should override any inherited permissions #34
Comments
I'll keep this a bit detailed, as an implementation note.
Changing the algorithm (as an option or not) is not the solution here. Besides, that will make the user code prone to mistakes and hard to maintain.
Yes. When a role is extended with another or more roles; corresponding resource attributes are union'ed optimistically (meaning more privileges will win over less). So in its simplest form; when ac.grant('user')
.create('video', ['title'])
... // other grants
.grant('admin')
.extend('user')
.create('video', ['*'])
const permission = ac.can('admin').create('video');
console.log(permission.granted); // true
console.log(permission.attributes); // ['title'] UNION ['*'] => ['*']
I partially agree with this part. For instance, Now, explicit ac.grant('user').create('video')
.deny('user').create('video');
const permission = ac.can('user').create('video');
console.log(permission.granted); // false
console.log(permission.attributes); // [] ... but (currently) this is not the case for inherited grants; which are union'ed: ac.grant('user').create('video')
.grant('admin').extend('user')
.deny('admin').create('video');
const permission = ac.can('user').create('video');
console.log(permission.granted); // true
console.log(permission.attributes); // ['*'] This is intended and not a bug but; logically, I agree that explicit This may break some user code and should be implemented in a major version. |
Ok. I'm fine with your solution. I will waiting for V3 :) |
Hi, just wanted to say that this feature would be huge! Best! |
Any updates on this issue? This is a much needed fix IMO - it renders "extend" almost useless in the 2.x behavior. |
Rather than thinking about a parent/child relationship, it's advisable to think in terms of security. In OOP, inheritance means extending the capabilities of the parent, not restricting them. The example listed in this issue is the other way around (restrictive inheritance?).
Many security experts favor whitelisting as a pattern for acl, which is what this library aims to provide. The main issue with blacklisting is that you gotta think about all the possible scenarios where the root grant is permissible and there is room for mistakes. To further expand on the example provided here, a safer pattern is:
|
Currently permissions are computed with a Union when there is inheritance. Tell me if i'm wrong. :) .
It will be awesome if in V3, we could have a switch, to choose the algorithm that make the computation.
For example, I will really appreciate to have a algorithm that make the children permissions override the parents permissions.
Something like this :
Parent1 (grant, video, createOwn )
Parent2 (grant, post, createAny/Own)
Chid1 extends Parent1, Parent2 ( deny, post, createAny)
Child permissions == ( video:createOwn, post:createOwn )
The text was updated successfully, but these errors were encountered: