
access control on metadata #6

Open
btsimonh opened this issue Apr 12, 2017 · 3 comments

Comments

@btsimonh
Contributor

One challenge we have is restricting user access to the metadata...
I'm toying with the idea of adding an entry to each metadata defn containing a set of required capabilities (maybe an entry for read, entry for write), and a check with 'current_user_can' against these for data read and data write.
Any thoughts/plans on this?

@rilwis
Member

rilwis commented Apr 12, 2017

Yeah, it's a good idea. I'm not sure if we can just use current_user_can. Probably authentication?

@btsimonh
Contributor Author

If authentication is in place, then we are already authenticated here, and the current user is set. (I've used both OAuth1 and a home-brew JWT in this project.)
If current user is unset, then the current user is zero; for people who do not allow un-authenticated access to rest, it would not get to these functions unless the user is valid.
What I'm unsure of is what current_user_can([]) would return if there is no current user, and also what it will DO - I think it may try to check authorisation every time; not very efficient.

@rilwis
Member

rilwis commented Apr 13, 2017

If so, I think current_user_can is enough. It checks if no user is set and will return false for any capability.
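The following is an added example, not code from this issue or from the project, that puts the two points of the thread together: btsimonh's proposal of a per-field set of required capabilities for read and for write, and rilwis's note that `current_user_can()` returns false for every capability when no user is set. It registers two hypothetical fields on the post REST resource with `register_rest_field()` and gates them with `current_user_can()`. The field names, the capability sets and the `mbrest_` prefix are assumptions for illustration; the WordPress functions used (`register_rest_field`, `current_user_can`, `get_post_meta`, `update_post_meta`, `rest_authorization_required_code`) are real core APIs.

```php
<?php
// Added example (not the project's own code). Field names, capability sets
// and the "mbrest_" prefix are assumptions for illustration.

// Hypothetical metadata definitions carrying a required-capability entry
// for reads and another for writes, the shape proposed in this issue.
function mbrest_field_definitions() {
    return array(
        'public_note' => array(
            'read'  => array(),               // empty set: anyone may read
            'write' => array( 'edit_posts' ), // must hold ALL listed caps
        ),
        'internal_cost' => array(
            'read'  => array( 'edit_others_posts' ),
            'write' => array( 'manage_options' ),
        ),
    );
}

// True only if the current user holds every capability in $caps.
// For an unauthenticated request WordPress leaves the current user at ID 0,
// and current_user_can() returns false for any capability, so a non-empty
// $caps always fails there without a separate is_user_logged_in() check.
function mbrest_user_has_caps( array $caps ) {
    foreach ( $caps as $cap ) {
        if ( ! current_user_can( $cap ) ) {
            return false;
        }
    }
    return true;
}

// Expose the gated fields on the REST representation of posts.
add_action( 'rest_api_init', function () {
    foreach ( mbrest_field_definitions() as $key => $def ) {
        register_rest_field( 'post', $key, array(
            // $post_arr is the prepared response array for the post.
            'get_callback' => function ( $post_arr ) use ( $key, $def ) {
                // Readers without the required caps see null instead of
                // the stored value, so the metadata is never serialised.
                if ( ! mbrest_user_has_caps( $def['read'] ) ) {
                    return null;
                }
                return get_post_meta( $post_arr['id'], $key, true );
            },
            // $post is the WP_Post object being updated.
            'update_callback' => function ( $value, $post, $field_name ) use ( $def ) {
                if ( ! mbrest_user_has_caps( $def['write'] ) ) {
                    // rest_authorization_required_code() yields 401 for an
                    // anonymous caller and 403 for a logged-in user who
                    // lacks the capability, so the client can tell the
                    // two cases apart.
                    return new WP_Error(
                        'rest_forbidden_meta',
                        sprintf( 'Not allowed to write %s.', $field_name ),
                        array( 'status' => rest_authorization_required_code() )
                    );
                }
                update_post_meta( $post->ID, $field_name, sanitize_text_field( $value ) );
                return true;
            },
            'schema' => array(
                'type'    => 'string',
                'context' => array( 'view', 'edit' ),
            ),
        ) );
    }
} );
```

The check is evaluated once per field per request, which is the cost btsimonh was worried about; `current_user_can()` itself consults the already-loaded `WP_User` capability map rather than re-running authentication, so the authenticating step (OAuth1, JWT or cookie) happens once before the REST callbacks run.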
