Title: Create an authorization framework · Issue #35 · JSONAPIdotNET/JSONAPI.NET · GitHub
Open Graph Title: Create an authorization framework · Issue #35 · JSONAPIdotNET/JSONAPI.NET
X Title: Create an authorization framework · Issue #35 · JSONAPIdotNET/JSONAPI.NET
Description: This is something I had attempted the oft-mentioned original version of this library, but it ended up very very cumbersome and error prone--I'm not sure this will be practical The "Dream" of JSONAPI.EntityFramework.Http.ApiController and...
Open Graph Description: This is something I had attempted the oft-mentioned original version of this library, but it ended up very very cumbersome and error prone--I'm not sure this will be practical The "Dream" of JSONAP...
X Description: This is something I had attempted the oft-mentioned original version of this library, but it ended up very very cumbersome and error prone--I'm not sure this will be practical The "Dream&q...
Opengraph URL: https://github.com/JSONAPIdotNET/JSONAPI.NET/issues/35
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Create an authorization framework","articleBody":"_This is something I had attempted the oft-mentioned original version of this library, but it ended up very very cumbersome and error prone--I'm not sure this will be practical_\n\nThe \"Dream\" of `JSONAPI.EntityFramework.Http.ApiController` and really of `JSONAPI.Http.ApiController` and `IMaterializer` is to be able to provide an almost completely canned JSON API compliant service broker--all you have to do is to override/implement a few interface points to integrate with your persistence layer and you're done. However, especially in the case of the EF `ApiController`, this has turned out to be more _pipe_ dream so far, as I usually have to override the verb methods and it's hard to reuse the super-method.\n\nOne of the main reasons I find myself having to throw away the default verb implementations (particularly `Put`, `Post`, and `Delete` is to insert authorization controls, for example to make sure users can only edit their own records. Additionally, I often need to control things at the _property_ level, e.g. a user can't change the `Owner` of a record to someone else (but an admin user may be able to do this).\n\nIn the current architecture, the separation of the deserialization from the `IMaterializer` provides a good place to inject a reusable authorization layer. We could add an `IAuthorizationProvider` property to the `IMaterializer`, and have some API for the `IMaterializer` to ask the `IAuthorizationProvider` whether any given property update should be allowed. This in theory would be good from a separation of concerns perspective, because it would encourage encapsulation of security logic from other business logic.\n\nGotchas (from previous experience):\n- My previous attempt at this involved a bunch of attributes on model classes and properties, the goals of which were to define the default behavior from which to allow overrides (think Apache's `Order Deny,Allow; Deny from All`). This sounded good, but led to the definition of more exceptions than rules--possibly not the best way to go.\n- Sometimes separation of the authorization logic from the business logic was a bad thing. Specifically, if both authorization decisions and other business logic depended on making the same expensive calculation--I'd find myself pushed into making the calculation twice.\n- My earlier attempt also provided separate tiers of control for the object and the property, with callbacks that could be defined to allow/deny access to read/modify the object, and then also to allow/deny read/write access to the property. This theoretically would improve performance--if the user was denied writes to the object, there was no need to make callbacks to ask about the properties. In practice though, this led again to a lot of duplication of logic and computation because the same queries or calculations had to be made in both tiers.\n","author":{"url":"https://github.com/SphtKr","@type":"Person","name":"SphtKr"},"datePublished":"2015-01-29T06:59:57.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":2},"url":"https://github.com/35/JSONAPI.NET/issues/35"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:9be15b49-1b8d-34f6-123c-65ebd0a53c52 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | D1E8:16DE6C:52AD22:729338:6A506F2F |
| html-safe-nonce | 84b0a70ba725bfc8f46c306d8f330440c2c812e7de91ecb02f90ef620b3e3323 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJEMUU4OjE2REU2Qzo1MkFEMjI6NzI5MzM4OjZBNTA2RjJGIiwidmlzaXRvcl9pZCI6Ijc1MDQ1OTE5ODE1MTI3ODE2MTUiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ== |
| visitor-hmac | caae407b4f864c7457c9545f60cdf953205d344fc0165e6396bfb35a587619a2 |
| hovercard-subject-tag | issue:55864165 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/JSONAPIdotNET/JSONAPI.NET/35/issue_layout |
| twitter:image | https://opengraph.githubassets.com/de6d843fc7ac13cb2f7d9138220093ba189148235fa8ea8d9982367d3f35a758/JSONAPIdotNET/JSONAPI.NET/issues/35 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/de6d843fc7ac13cb2f7d9138220093ba189148235fa8ea8d9982367d3f35a758/JSONAPIdotNET/JSONAPI.NET/issues/35 |
| og:image:alt | This is something I had attempted the oft-mentioned original version of this library, but it ended up very very cumbersome and error prone--I'm not sure this will be practical The "Dream" of JSONAP... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | SphtKr |
| hostname | github.com |
| expected-hostname | github.com |
| None | d6dc8294eb500fa36bbc57472d61fe87c522f9c3c1d64f70f4926f66a66a7efb |
| turbo-cache-control | no-preview |
| go-import | github.com/JSONAPIdotNET/JSONAPI.NET git https://github.com/JSONAPIdotNET/JSONAPI.NET.git |
| octolytics-dimension-user_id | 16112275 |
| octolytics-dimension-user_login | JSONAPIdotNET |
| octolytics-dimension-repository_id | 27474358 |
| octolytics-dimension-repository_nwo | JSONAPIdotNET/JSONAPI.NET |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 27474358 |
| octolytics-dimension-repository_network_root_nwo | JSONAPIdotNET/JSONAPI.NET |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 7ac0ad2f2c7e4b9056617355fd9e33e22b0c8df9 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width