-
Notifications
You must be signed in to change notification settings - Fork 55
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
General permission methods #346
Comments
Agreed with all the points and plan to improve permissions overall. I have suggestion for specifying the permission rule for user being a project member without being too wordy. We can have a constant |
You mean instead of suggested |
No, I meant:
So, we don't need any new config field for saying all project members and we don't have to specify/update the project member roles every where. |
Got you. The reason for such option like We already have several places where we specify permissions inside DB:
So if define inside DB value as:
Later, if we add a new project role we would have to update all the records in the DB. |
Hmm, I think we should keep it simple for now and specify each role in |
During working on the Workstreams we had to check permissions based on
allowRule
anddenyRule
as was described in this comment #315 (comment). And it was implemented during the challenge in workManagementForTemplate permission middleware.As we are going to have more and more places where we would have to restrict permissions based on various set of rules and to avoid issues like this one #332 I've moved the logic for checking permissions into general util methods:
matchPermissionRule
hasPermission
hasPermissionForProject
See implementation: https://github.com/topcoder-platform/tc-project-service/blob/dev-next/src/util.js#L596-L748
For proof of concept I've refactored two methods for testing permissions using these general methods:
The most general method is
hasPermissionForProject: (permission, user, projectId)
:projectId
is project id we should check permission foruser
is the user we should check permissions for, usually we would use the current user from the request objectuser = req.authUser
permission
I suggest to be able to define the
permission
in two ways:Full when permission is defined with
allowRule
anddenyRule
:Simplified if we don't need
denyRule
we can deifne directly the inner part ofallowRule
without explicit propertyallowRule
:This simplified permission is equal to a full permission:
I guess this should cover most of our needs for permissions checking. And after some time we can refactor exitent code to use these methods instead of reimplementing this logic, for example many of these methods could be rewritten reusing the general methods.
Also, we can create constants with predefined reusable permissions, see example, same like we started to do in Connect app. Eventually, we should end up having the same or similar set of rules in Connect app and Project Service.
So far what I see can be done to improve them:
projectRoles
which is too wordy, also when adding a new role we would have to update all permission rules. So far I see two possible ways:isProjectMember
so the rule would look like:isProjectMember
andprojectRoles
to check if user is a member and has a particular role.projectRoles
property to define all roles at once. Possible ways:projectRoles = []
- empty array, feels like areally bad ideaprojectRoles = true
- booleantrue
is nice, the only small disadvantage I see, the wordtrue
doesn't exmplains what it meansprojectRoels = 'any'
- stringany
, is good that it explains what does it mean, but it feels a little bit "hardcoded". We can introduce a new constantANY = 'any'
, but then we would be required to always import this constant which feels not that comfortable.projectRoles
we don't have to retrieveprojectMembers
from the DB, to make it faster in such case.Joi
to validate possible shapes ofpermission
to provide detailed feedback to the developer about possible method misusing.projectRoles
we should throw error ifprojectMembers
orprojectId
is not defined.projectMembers
may be still an empty array or evennull
.@vikasrohit Let me know what you think. If you see any ways we can adjust these methods to cover more cases or to be more comfortable or reliable.
The text was updated successfully, but these errors were encountered: