Authorisation
Authorisation happens during various restricted processes or routes within the Web Application, we would like to limit who gets to see or do what.
When those part of the code has been invoked, we would need to check who is the user. This means that it needs to receive an authenticated session token.
Once we have a user, we would then query if the required permission is available.
There are different classes of permission.
1. Accessing specific resource.
In this example, it will only retrieved the active user information.
if user.notPermittedTo("service-get-my-user-name") {
// error handling and returns.
return;
}
// continue to retrieve and return result
2. Accessing specific resource granted to the user.
const requiredPermission = `resource-get-${resourceId}`;
if user.notPermittedTo(requiredPermission) {
// error handling and returns.
return;
}
// continue to retrieve and return result
const requiredPermission = `resourceGroup-get-${resourceGroupId}`;
if user.notPermittedTo(requiredPermission) {
// error handling and returns.
return;
}
// continue to retrieve and return result
3. Accessing every resource granted to the user. This is for admin only.
const requiredPermission = `resourceGroup-get-${resourceId}`;
if user.notPermittedTo(requiredPermission) {
// error handling and returns.
return;
}
// continue to retrieve and return result
There is a Role called basic-user.
Role is implemented as a ResourceGroup
It has
- permission to read basic information from his own account.
- permission to respond to group invites or request to join groups.
All newly signed in User will be granted this role.
Resource
| Document ID | Descriptor | Description |
|---|---|---|
| R001 | service-get-my-user-name | Your own name |
| R002 | service-get-my-user-profile-picture | Your own profile picture |
| R003 | service-list-my-received-group-invite | List received group invitations |
| R004 | service-create-my-join-group-requests | Submit request to join a group |
| R005 | service-list-my-available-apps | List assigned apps |
| R006 | service-super-admin | Do anything. LCRUD on all available routes. |
| R007 | application-super-admin | Access all available applications. |
ResourceGroup
| Document ID | Descriptor | List of resources | Description |
|---|---|---|---|
| RG001 | role-basic-user | R001,R002,R003,R004 | Default role after user logged in for the first time. |
| RG002 | role-super-admin | R006,R007 | Super admin. |
UserGroup
AccessControlList
| Document ID | Description |
|---|---|
| ACL001 | Description |
Application
| Document ID | Name | Description |
|---|---|---|
| A001 | Database Admin | Database administration console. |