Support setting error messages from ACL #38
Comments
Can you please describe more on how exactly this feature should work?
Sure thing, so right now I'm defining my ACL like this in JSON and instantiating the role-acl instance like this (very simple example - basically says a user can only edit his own profile, and they can't edit the id or the role):

```json
{
  "user": {
    "grants": [
      {
        "resource": "User",
        "action": "update",
        "attributes": [
          "*",
          "!id",
          "!role"
        ],
        "condition": {
          "Fn": "EQUALS",
          "args": {
            "id": "$.id"
          }
        }
      }
    ]
  }
}
```

At the moment, I can't say "your request failed because you tried to edit someone else's profile" or "your request failed because you tried to edit your user id". For that matter, I can't even differentiate between those two failure points.

So it would be nice if I could do something like this:

```json
{
  "user": {
    "grants": [
      {
        "resource": "User",
        "action": "update",
        "attributes": [
          "*",
          "!id",
          "!role"
        ],
        "condition": {
          "Fn": "EQUALS",
          "args": {
            "id": "$.id"
          },
          "message": "You can only edit your own profile!"
        }
      }
    ]
  }
}
```

And then when I check an invalid request (say I violate both the attributes and the condition) with the ACL, it returns a list of error messages as a property, maybe like

```json
["Cannot edit id or role", "You can only edit your own profile!"]
```
There might be many grants which are either granting or non-granting for a particular acl.can query. What should happen if there are 2 granting and 1 non-granting? Also, why are messages part of conditions only? Should the message be displayed when resource and action are matching but the condition is failing?

Thanks,
Dilip
Tensult
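To make the questions above concrete, here is one possible set of semantics written out in plain JavaScript. This is an added example, not role-acl's own code and not an API the library exposes. It takes the grant shape from the proposal in this thread (a `message` on the condition) and adds an assumed `attributesMessage` field so an attribute violation can carry its own text. The query shape (`requester`, `target`, `attributes`), the reading of `EQUALS` with `{ "id": "$.id" }` as "target.id must equal requester.id", and the rule "any passing grant wins, messages are returned only when every applicable grant fails" are all assumptions of this example; the `manager` role is constructed only to exercise the two-granting-plus-one-non-granting case.

```javascript
// Added example, not role-acl's own code: a small grant evaluator that returns
// reasons alongside the allow/deny decision. Grant shape follows the proposal in
// this thread (a `message` on the condition) plus an assumed `attributesMessage`.

// ACL definition (constructed for this example). The `manager` role has two
// applicable grants for User/update so that the "2 granting and 1 non-granting"
// question can be exercised.
const ownProfileGrant = {
  resource: 'User',
  action: 'update',
  attributes: ['*', '!id', '!role'],
  attributesMessage: 'Cannot edit id or role',            // assumed field
  condition: {
    Fn: 'EQUALS',
    args: { id: '$.id' },
    message: 'You can only edit your own profile!',       // as proposed above
  },
};

const ACL = {
  user: { grants: [ownProfileGrant] },
  manager: {
    grants: [
      ownProfileGrant,
      {
        // Unconditional grant, still forbidding id/role. It applies only to
        // User/update, so it contributes no message to e.g. a `delete` query.
        resource: 'User',
        action: 'update',
        attributes: ['*', '!id', '!role'],
        attributesMessage: 'Managers cannot change id or role',
      },
    ],
  },
};

// Resolve a "$.path.to.field" reference against `obj`; anything else is a literal.
function resolve(value, obj) {
  if (typeof value !== 'string' || !value.startsWith('$.')) return value;
  return value.slice(2).split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// Attribute filter: "*" allows everything, "!x" explicitly forbids x, and an
// attribute not covered by "*" must be listed by name.
function attributeAllowed(patterns, attr) {
  const forbidden = patterns.filter((p) => p.startsWith('!')).map((p) => p.slice(1));
  if (forbidden.includes(attr)) return false;
  return patterns.includes('*') || patterns.includes(attr);
}

// Assumed EQUALS semantics: each key of `args` names a field on the target
// resource, and the value (resolved against the requester) must equal it.
// With args { id: '$.id' } this reads "target.id must equal requester.id".
function conditionHolds(cond, requester, target) {
  if (!cond) return true;                                  // unconditional grant
  if (cond.Fn !== 'EQUALS') throw new Error(`unsupported condition Fn: ${cond.Fn}`);
  return Object.entries(cond.args).every(
    ([field, expected]) => (target || {})[field] === resolve(expected, requester),
  );
}

// Run every check of one grant and collect the message of each check that fails.
function checkGrant(grant, query) {
  const reasons = [];
  const denied = (query.attributes || []).filter((a) => !attributeAllowed(grant.attributes, a));
  if (denied.length > 0) {
    reasons.push(grant.attributesMessage || `Cannot edit ${denied.join(', ')}`);
  }
  if (!conditionHolds(grant.condition, query.requester, query.target)) {
    reasons.push((grant.condition && grant.condition.message) || 'Condition not satisfied');
  }
  return reasons;
}

// Decision rule (an assumption of this example): grants for another
// resource/action are ignored; if ANY applicable grant passes all its checks the
// request is granted with no reasons; only if every applicable grant fails are
// the collected messages returned, in grant order, without duplicates.
function can(acl, role, query) {
  const applicable = ((acl[role] || {}).grants || []).filter(
    (g) => g.resource === query.resource && g.action === query.action,
  );
  if (applicable.length === 0) {
    return { granted: false, reasons: [`No grant for ${role} to ${query.action} ${query.resource}`] };
  }
  const reasons = new Set();
  for (const grant of applicable) {
    const failed = checkGrant(grant, query);
    if (failed.length === 0) return { granted: true, reasons: [] };
    failed.forEach((m) => reasons.add(m));
  }
  return { granted: false, reasons: [...reasons] };
}

// Demo: user 7 tries to change id and role on user 9's profile.
console.log(can(ACL, 'user', {
  resource: 'User', action: 'update', attributes: ['id', 'role'],
  requester: { id: 7 }, target: { id: 9 },
}));
// { granted: false, reasons: [ 'Cannot edit id or role', 'You can only edit your own profile!' ] }
```

Two design points worth noting. Messages hang off each check (attribute filter, condition) rather than off the grant as a whole, which is what lets the caller tell "you touched a forbidden field" apart from "this is not your profile". And reasons are surfaced only when no applicable grant passes: with the `manager` role, editing another user's name is allowed by the second grant and returns no reasons at all, while editing their id fails every grant and returns each grant's messages, so a passing grant is never reported as a failure and a caller cannot use the reasons to probe which grants exist for requests that succeed.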
Any updates?
@koladilip sorry, I've been busy with work (who isn't, haha), but I was basically thinking of something akin to this: https://stalniy.github.io/casl/abilities/2017/07/20/define-abilities.html#forbidden-reasons
Hi, so I've dug through the source code and found that the only "attributes" of a grant allowed are the role, resource, action, attributes, and condition.
However, I'd like to specify the error message when defining the ACL. I know this isn't possible now, but could you please add this feature? Thank you!