Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Move authorization logic to the backend #455

Open
PragTob opened this issue Nov 3, 2024 · 1 comment
Open

Move authorization logic to the backend #455

PragTob opened this issue Nov 3, 2024 · 1 comment
Labels
type-enhancement New feature or request

Comments

@PragTob
Copy link
Collaborator

PragTob commented Nov 3, 2024

Right now some authorization/permission related logic lives in the "frontend"/"web" part of the application.

It should be moved to the backend, maybe/probably into its own context Permissions or something similar. Theoretically every context can also provide functions to check its own permissions (as one context that depends on all others, is quite big) but permissions may often be cross cutting and in general an approach that centralizes these rules can often be good for the overview it provides.

This should also including scoping (i.e. taking a collection and scoping it down to the accessible records).

Why to the Backend?

  • The logic isn't entirely tied to the frontend/LiveView - if we had another way into the system, the logic would likely be the same
  • you should also never trust the FE as users can send whatever, so permissions should always be double checked on the backend side
    • generally speaking, the BE should also not depend on the FE, the FE should depend on the BE
  • at their core these are pure functions well suited for the BE

Where are the permissions now?

They might be more scattered but right now a lot of them live in idea live:

mindwendel/lib/mindwendel_web/live/live_helpers.ex

Lines 6 to 21 in aaa88c0

def has_move_permission(brainstorming, current_user) do
brainstorming.option_allow_manual_ordering or
has_moderating_permission(brainstorming, current_user)
end
def has_moderating_permission(brainstorming, current_user) do
Enum.member?(brainstorming.moderating_users |> Enum.map(& &1.id), current_user.id)
end
def has_ownership(idea, current_user) do
idea.user_id == current_user.id
end
def has_moderating_or_ownership_permission(brainstorming, idea, current_user) do
has_ownership(idea, current_user) or has_moderating_permission(brainstorming, current_user)
end

Libraries

There's a ton of libraries out there right now and I'm not entirely sure which one is best. A lot of them use more DSLs than I like but 🤷
@PragTob PragTob added the type-enhancement New feature or request label Nov 3, 2024
@JannikStreek
Copy link
Member

I don't think we need external libraries for that as our authorization logic is very very simple. I like the idea to move / extract the code in an own context though 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type-enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@PragTob @JannikStreek