
2024 02 01 permissions

Fang Yi Liu edited this page Feb 12, 2024 · 3 revisions

2024-02-01 Meeting on Permissions

How it works from the frontend

This is how JWT authentication works normally:

  1. The user enters a username and password in a form, which the frontend sends to the server.
  2. The server checks the credentials and issues a JWT whose claims carry the user's identity and permissions, signed with a secret held only by the server. The claims are base64url-encoded, not encrypted, so anyone holding the token can read them; the signature only prevents them from being altered.
  3. The frontend stores the JWT.
  4. The frontend sends the token with each request (typically in the Authorization header). The server verifies the signature and expiry, then returns content based on what the user is authorized to do.
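The four steps above, as an added example that is not code from this project: a minimal HS256 issue/verify cycle on the Python standard library. The secret, the user table, the claim names and the `tamper()` helper are assumptions for illustration; a real server stores password hashes rather than plaintext passwords.

```python
# Added example (not the project's code): the four-step JWT flow, implemented with
# HS256 on the standard library only. SECRET, USERS and the claim names are
# assumptions for illustration; a real server stores password hashes, not plaintext.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"server-secret-for-illustration"  # assumption: random key known only to the server
USERS = {"alice": {"password": "correct horse", "groups": ["project_admin"]}}  # constructed sample user


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()


def issue_token(username, password, now=None, ttl=3600):
    """Step 2: check user/pass, then sign claims carrying identity and permission groups."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"].encode(), password.encode()):
        return None
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "groups": user["groups"], "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    return signing_input + "." + _b64url(_sign(signing_input))


def verify_token(token, now=None):
    """Step 4: verify signature and expiry on every request; return the claims, or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(_unb64url(h))
        if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
            return None
        if not hmac.compare_digest(_sign(f"{h}.{p}"), _unb64url(s)):
            return None
        payload = json.loads(_unb64url(p))
    except (ValueError, TypeError):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


def read_claims_without_secret(token):
    """The payload is only base64url-encoded, not encrypted: the frontend (or anyone
    holding the token) can read the claims, but cannot change them without the secret."""
    return json.loads(_unb64url(token.split(".")[1]))


def tamper(token, new_claims):
    """Swap in a different payload but keep the old signature, as an attacker without
    the secret would have to; verify_token() must reject the result."""
    h, _, s = token.split(".")
    return f"{h}.{_b64url(json.dumps(new_claims, separators=(',', ':')).encode())}.{s}"


if __name__ == "__main__":
    tok = issue_token("alice", "correct horse")
    print(verify_token(tok))                       # claims, including groups
    print(read_claims_without_secret(tok))         # readable without SECRET
    print(verify_token(tamper(tok, {"sub": "alice", "groups": ["superuser"], "exp": 2**31})))  # None
```

Two details matter for the server side: the accepted algorithm is fixed in code rather than read from the token header, and the frontend only ever forwards the token; every permission decision is made from the verified claims on the server, never from what the frontend can read out of the payload.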

Permissions

We talked about object-level permissions and eventually realized we actually need field-level permissions: a project admin should be able to see more fields of the project model than an average user.

Two Django permission packages came up during the meeting, django-guardian and django-rules. Neither has been updated in years, and both are for object-level permissions, which does not meet our needs. django-permission2 was updated recently but is also object-level.

We decided that we need a custom solution. It would have to be enforced in the API endpoints.

We discussed how to implement permissions: whether permission levels should be assigned to individual users or to actual groups. Cynthia thinks it is better to use groups internally.

For documenting permission requirements, we decided that the current way of specifying CRUD permissions per field is fine.
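One way to turn the decisions above (custom field-level permissions, enforced in the endpoints, keyed by group, documented as per-field CRUD) into code, as an added example that is not the project's own implementation. The model, its fields, the group names, the sample project and the function names are all hypothetical; in the real endpoint the caller's groups would come from the verified JWT claims.

```python
# Added example (not the project's code): group-based, per-field CRUD permissions
# enforced in the endpoint layer. Model, fields, groups and SAMPLE_PROJECT are
# hypothetical / constructed for illustration.

# Per-field spec, matching the per-field CRUD documentation convention: for each field,
# which groups may supply it on create, see it on read and change it on update.
# A field that is missing here, or a group not listed, gets nothing (deny by default).
PROJECT_FIELD_PERMS = {
    "name":        {"create": {"project_admin"}, "read": {"member", "project_admin"}, "update": {"project_admin"}},
    "description": {"create": {"project_admin"}, "read": {"member", "project_admin"}, "update": {"member", "project_admin"}},
    "budget":      {"create": {"project_admin"}, "read": {"project_admin"},           "update": {"project_admin"}},
}

SAMPLE_PROJECT = {"name": "Sample project", "description": "constructed sample", "budget": 1000}


def allowed_fields(groups, operation, spec=PROJECT_FIELD_PERMS):
    """Fields on which at least one of the caller's groups is granted `operation`."""
    groups = set(groups)
    return {f for f, ops in spec.items() if groups & ops.get(operation, set())}


def serialize_project(project, groups, spec=PROJECT_FIELD_PERMS):
    """Read path: return only the fields the caller may see (an admin sees more)."""
    readable = allowed_fields(groups, "read", spec)
    return {f: v for f, v in project.items() if f in readable}


def apply_update(project, patch, groups, spec=PROJECT_FIELD_PERMS):
    """Update path: reject, rather than silently drop, any field the caller may not
    change or that is not in the spec at all (a mass-assignment guard)."""
    forbidden = set(patch) - allowed_fields(groups, "update", spec)
    if forbidden:
        raise PermissionError(f"not permitted to update: {sorted(forbidden)}")
    updated = dict(project)
    updated.update(patch)
    return updated


def create_project(data, groups, spec=PROJECT_FIELD_PERMS):
    """Create path: same check against the 'create' column of the spec."""
    forbidden = set(data) - allowed_fields(groups, "create", spec)
    if forbidden:
        raise PermissionError(f"not permitted to set on create: {sorted(forbidden)}")
    return dict(data)


if __name__ == "__main__":
    print(serialize_project(SAMPLE_PROJECT, ["member"]))         # no budget
    print(serialize_project(SAMPLE_PROJECT, ["project_admin"]))  # all fields
    try:
        apply_update(SAMPLE_PROJECT, {"budget": 5}, ["member"])
    except PermissionError as e:
        print(e)
```

Keeping the spec as data means the same table that documents the requirements is the one the endpoints check, and a group added later only needs a row change. Rejecting forbidden or unknown fields outright, instead of filtering them out, keeps a client from learning by trial which fields it silently cannot set.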
