Object-level ACL's #141
Comments
|
+1 |
|
Hi @jesperbruunhansen, thank you for opening this issue. Object/instance-level ACLs make a lot of sense to me. I think this is one of the reasons we decided for a complete rewrite in loopback.next - adding generic object/instance-level ACLs was simply too difficult in the old codebase. @ritch @raymondfeng @superkhau what's your opinion?
Offer accepted :) Right now, we are trying to figure out how to design LoopBack.next in such way that ACL checks like the one you are described can be easily contributed by components/plugins, it's probably too early to start the actual work on implementing such component. |
|
Hi @bajtos, and thank you for your explanation.
Sure of course, let me know when the time is right and I'll see where I can help! |
|
@bajtos 100% agree with Object/instance ACLs and even model property ACLs. |
|
If you're doing ACL support at object level then extend it to field level also. Similar to Salesforce data model where users have ability to define roles to field levels too. |
|
I think about it in several projects. And... |
+1 for more real-world use cases in both REST and GraphQL. I would like to hear more about why it is really a bad idea for RESTful APIs. |
Every URI like:
It is about proxy and cache. On the other hand, we needs in javascripted read/write permissions on client with minimal DB requests. IMHO it is not good practice to send unnecessary (unwanted) requests which will be rejected by api server. Full ACL-set request will generate unwanted http-traffic. PS |
|
ACL should be enforced at different tiers based on how much knowledge we acquire about the request (who wants to do what). For APIs, I see the following:
|
|
Hi guys, and thanks for nice discussion regarding this issue.
My inspiration and need for this feature comes from the time when I worked on a project, using the Parse-server . When they open-sourced, I basically copied what they did here in order to make the same functionality in Loopback. Their overall approach to ACL's can be seen here, whereas I like to compare Loopbacks current ACL implementation as the "Class-level" ACL's of Parse. I like the idea of even more granularity with field-level ACL's as well, as @superkhau and @kesavkolla mentioned. |
|
@jesperbruunhansen I'm with you. Coincidentally, I have been thinking about the possibility to mix conditions into the |
|
@raymondfeng instead of property level ACLs... |
|
This issue has been marked stale because it has not seen activity within six months. If you believe this to be in error, please contact one of the code owners, listed in the |
|
not stale. post-MVP |
|
This involves ACL at the controller level and model instance level. |
|
This issue has been marked stale because it has not seen activity within six months. If you believe this to be in error, please contact one of the code owners, listed in the |
|
This issue has been closed due to continued inactivity. Thank you for your understanding. If you believe this to be in error, please contact one of the code owners, listed in the |
I would like to see an even more advanced ACL implementation in Loopback.next, that supports ACL's on a object-level.
LB v.2/3 has great ways of applying ACL's to an entire model and it's methods, but in many use-cases I want objects/instances only to be accessible to specific users, which has been explicitly granted permission by the client upon creation (pending issue at Loopback repo here).
When the client requests an authenticated
GETrequest, the response will only contain objects that the client has permission to read.I've made my own mixin to add this feature, which basically manipulates the query at every 'access' event of the datasource.
I'd be happy to help implement this feature into native Loopback.next, should it be considered beneficial for the framework.
The text was updated successfully, but these errors were encountered: