Implement permission policies in the API #22384
Conversation
Co-authored-by: Daniel Biegler <[email protected]>
Co-authored-by: Daniel Biegler <[email protected]>
…dmin policy and add on delete trigger.
to be fair: unit test is also testing implementation details but thats a problem there in general and for future us
…e might missbehave with the permissions obtained from PermissionsService.readByQuery so it better to go the source of the problem
| router.search('/', validateBatch('read'), readHandler, respond); | ||
|
|
||
| router.get( | ||
| '/me/flags', |
There was a problem hiding this comment.
Anyone have a better name for this? Since in the future it might not only be flags. Should it follow the naming of the libs and maybe be called /me/global? The idea behind this endpoint is to accumulate any properties that are derived when taking all policies of a user into account, like global access and currently the enfore_tfa flag.
There was a problem hiding this comment.
Mhh agreed /me/globals sounds better than flags to me too.
The idea behind this endpoint is to accumulate any properties
Mhh so maybe /me/properties ? 😄
If we dont expand on it /me/access sounds pretty fitting for right now, but yeah that might become less good in the future.
There was a problem hiding this comment.
Hmm, I personally dislike just /me because the endpoint does not return any policies, but some aggregation of all policies of the user, and we might end up with an actual /me endpoint that returns all policies at some point? wdyt?
There was a problem hiding this comment.
Can you give an quick example of how the current response looks like?
There was a problem hiding this comment.
It is effectively a condensed version of whatever flags we have on policies right now, that apply to a user.
{ "app_access": true, "admin_access": false, "enforce_tfa": false }There was a problem hiding this comment.
Okay, I think global(s) sounds more appropriate, that's ultimately what we're retrieving here: global flags/properties/whatever.
but some aggregation of all policies of the user, and we might end up with an actual
/meendpoint that returns all policies at some point? wdyt?
You mean at a later point or is that something you'd like to look into now?
There was a problem hiding this comment.
At a later point. Currently I don't see the need of retrieving all the policies of a user efficiently, as the app does not need to know them to work. But maybe that need arises at some point in the future, so I'd like to keep that option alive.
…tiple permissions for collection+action
…ccess) and policy updates (directus_policies) and permissions updates (directus_permissions)
| throw new ForbiddenError({ | ||
| reason: `You don't have permission to access collection "${collection}" or it does not exist. Queried in ${pathSuffix}.`, | ||
| }); |
There was a problem hiding this comment.
Even though this, and the other errors are really helpful, they do expose that the collection + field exists, as it differs from the standard ForbiddenError in case of a non-existent collection.
…imilar to /users/me
| vi.mock('./middleware/check-ip', () => ({ | ||
| checkIP: Router(), | ||
| })); | ||
|
|
There was a problem hiding this comment.
The mocking for ./middleware/get-permissions below should be removed too
| id: roleID, | ||
| ...defaultAdminRole, | ||
| }); | ||
| await db('directus_roles').insert({ ...defaultAdminRole, id: roleID }); |
There was a problem hiding this comment.
A new policy should be created
| await db('directus_roles').insert({ ...defaultAdminRole, id: roleID }); | |
| await db('directus_roles').insert({ ...defaultAdminRole, id: roleID }); | |
| await db('directus_policies').insert({ ...defaultAdminPolicy, id: policyID }); | |
| await db('directus_access').insert({ policy: policyID, role: roleID }); |
| router.search('/', validateBatch('read'), readHandler, respond); | ||
|
|
||
| router.get( | ||
| '/me/flags', |
api/src/controllers/roles.ts
Outdated
| const query = { ...req.sanitizedQuery, limit: -1 }; | ||
|
|
||
| const roles = await service.readMany(req.accountability.roles, query); |
There was a problem hiding this comment.
Should we add the same comment as per other usages of this limit: -1 query?
| const query = { ...req.sanitizedQuery, limit: -1 }; | |
| const roles = await service.readMany(req.accountability.roles, query); | |
| // TODO fix this at the service level | |
| const temporaryQuery = { ...req.sanitizedQuery, limit: -1 }; | |
| const roles = await service.readMany(req.accountability.roles, temporaryQuery); |
| if (this.accountability?.admin) { | ||
| return mapValues(this.schema.collections, () => | ||
| Object.fromEntries( | ||
| ['create', 'read', 'update', 'delete', 'share'].map((action) => [ |
There was a problem hiding this comment.
Could we extract this array as a constant? This array will be used in the App as well.
| const query = { ...req.sanitizedQuery, limit: -1 }; | ||
|
|
||
| try { | ||
| const roles = await service.readMany(req.accountability.roles, query); |
There was a problem hiding this comment.
Should we include this comment about it being temporary to be consistent with other usages?
| const query = { ...req.sanitizedQuery, limit: -1 }; | |
| try { | |
| const roles = await service.readMany(req.accountability.roles, query); | |
| // TODO fix this at the service level | |
| const temporaryQuery = { ...req.sanitizedQuery, limit: -1 }; | |
| try { | |
| const roles = await service.readMany(req.accountability.roles, temporaryQuery); |
Co-authored-by: Hannes Küttner <[email protected]>
Scope
What's changed:
api/src/permissionsfolderrolesflag to accountability object. This is an ordered array of all the parent roles of the current userget-ast-from-queryby splitting it into multiple filescasesandwhenCase. This allows us to dynamically generate the case/when SQL to have dynamic field output per item.run-astby splitting it up into smaller filesPotential Risks / Drawbacks
Review Notes / Questions
Todos
whenCasesinrun-astclearmethod in memory/cache/permissionsendpointdirectus_accesschangesdirectus_roleschangesdirectus_permissionschangesdirectus_policieschangesdownmigrationwithCacheto the known keysCloses #21778, closes #21765, closes #22163, closes #21769, closes #21768, closes #21767, closes #21766
Footnotes
Eg check to make sure there's still >=1 admin left after the mutation is done ↩