Skip to content
This repository has been archived by the owner on Feb 24, 2024. It is now read-only.

Feat buffalo Plugin : Authorization & Access Control / library #1850

Closed
hubyhuby opened this issue Nov 24, 2019 · 3 comments
Closed

Feat buffalo Plugin : Authorization & Access Control / library #1850

hubyhuby opened this issue Nov 24, 2019 · 3 comments

Comments

@hubyhuby
Copy link

hubyhuby commented Nov 24, 2019

Description

Before running a buffalo project in production, most of the developers will have to implement an access control policy. "Who can access what resource and read, write, create it. "

  1. This task is quite time consuming today with buffalo. One must create a "scoping" middle ware function for each resource. You will need to repeat yourself for every new buffalo project.

  2. Developing such middle-ware is prone to error and mistakes ( as any development). Also making an error in security is a big deal; and is a big concern nowadays.

  3. We could gain a lot in agility concerning the AC. Think adding a "marketing role" means scanning your scope function(s) and re compiling the binary.

An Access control with a plugin would be a great feature that would standardize, provide a kind of "security by design" and remove the pain of redoing the same code. Moreover this common task could have support & improvments from the community.

Steps to Reproduce the Problem

Create a new project today and you will need in 2 months to set a AC system.

Please give your ideas in comments.

@hubyhuby
Copy link
Author

hubyhuby commented Nov 24, 2019

An idea of implementation :

We could be using a library like this one : https://github.com/casbin/casbin
We would call the plugin "accesscontrol"
Which would do the following taks:

  1. Import the casbin lib
  2. Create a default CONF file based on the PERM metamodel (Policy, Effect, Request, Matchers). https://github.com/casbin/casbin#how-it-works
  3. Create a scoping function ( ressource + user + rights). Call this function in each resource.
  4. If the buffalo-auth OR buffalo-goth + users plugin is activated :
  • get the user UUID for the scoping function.
  • Create a default func in the login call back when a new user is created . This function will modify the CONF file to add this user
    PS: could be done after plugins are stabilized : Proposal: Plug-ins v2 and Thin Buffalo Binary #1791

@hsluoyz
Copy link

hsluoyz commented Nov 24, 2019

FYI, there's already a Casbin middleware for Buffalo: https://github.com/kgosse/buffalo-mw-rbac

@markbates
Copy link
Member

This would be best achieved through a 3rd party package or plugin. It is outside the scope of Buffalo core.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants