Comments (11)
@SimonLab good question. Thank you for opening this issue for us to capture the discussion/research.
Short/Quick Answer
Yes, we are going to have RBAC system built-in to Auth as "auth" stands for both "authentication" and "authorisation" which is synonymous for permission.
We don't need to over-think it, we just need the concept of Roles, Content Types and levels of Permissions.
Longer Answer
The best way of thinking about Auth is in the context of an Example Application: "Blog".
Let's consider a typical publishing platform like Medium. https://en.wikipedia.org/wiki/Medium_(website)
It has four Content Types:
- Post which typically include:
- Title - e.g: "The Arctic is Melting"
- Slug -
/arctic-melting
- Tags/Categories:
arctic
,melting
,climate change
https://medium.com/tag/climate-change - Body see:
- Images (zero or more)
- Comment - Anyone who is authenticated (and not blocked) can comment on Posts where commenting is enabled. (Medium calls comments Response ...)
- Reaction - In the case of Medium there is now only a "clap" which can be clicked multiple times.
(a variety of Reaction Emojis and one "unit" of each reaction per person would be my pref.) - Highlight - A highlight is where a person drags their cursor over a section of text and saves it as a highlight. See: https://help.medium.com/hc/en-us/articles/214406358-Highlights
Don't worry, we aren't going to build a blogging platform, the space is way too crowded.
However, we are going to build a basic CMS so that we can publish our own content for our Learning Platform which will use the Auth (Login, Roles, Permissions and Notifications Systems).
By default we should have at least 7 Roles in the Roles table/schema:
role_id |
role_name |
description |
created_at |
created_by |
---|---|---|---|---|
0 |
Unauthenticated | Anyone who is not logged in. Can view public content but cannot perform any action on content until they authenticate. |
1541609554 | - |
1 |
Super Admin | Can CREATE new roles. Can CREATE , UPDATE and DELETE Any content. Can PURGE deleted items. Can "ban" any user including people with "Admin" Role. |
1541609554 | - |
2 |
Admin | Can create roles. Can CREATE , UPDATE and DELETE Any content. Can "ban" any user except people with "Admin" Role. Can see deleted content and un-delete it. Cannot purge deleted. This guarantees audit-trail. |
1541609554 | - |
3 |
Editor | Can CREATE and UPDATE Any content. Can "DELETE " content. Cannot see deleted content. |
1541609554 | - |
4 |
Content Creator | Can CREATE content. Can UPDATE their own content. Can DELETE their own content. |
1541609554 | - |
5 |
Commenter | Can COMMENT on content that has commenting enabled. |
1541609554 | - |
6 |
Banned | Can login and see their past content. Cannot create any new content. Can see the reason for their banning (which the Admin has to write when performing the "ban user" action. usually linked to a specific action the person performed like a particularly unacceptable comment.) | 1541609554 | - |
from auth.
Given that we need the concept of roles, privileges and grants in order to regulate access to doors @home dwyl/smart-home-auth-server#1 I'm going to focus on this today.
I have closed all other browser tabs and applications and will be focussing on RBAC exclusively until it's finished.
I will still check my notifications 3 times per day, so if anyone needs me for something else
I will still respond.
But until further notice this is my highest priority: #31
from auth.
Taking a little detour to refresh my knowledge of testing as I want to add the helper function to the ConnCase
file.
See: https://github.com/phoenixframework/phoenix/blob/master/guides/testing/testing.md
from auth.
@SimonLab given that you opened this issue, if you want to take a look at #85 your feedback is very welcome.
from auth.
If you google for "rbac database schema": https://www.google.com/search?q=rbac+database+schema&tbm=isch
There are several hundred examples you can get inspiration from:
Some are more complex than others.
This is what I've distilled from my reading:
Let's create the Database Schemas (Tables) to store our RBAC data,
starting with Roles
:
mix phx.gen.html Ctx Role roles name:string desc:string person_id:references:people
Next
mix phx.gen.html Ctx Permission permissions name:string desc:string person_id:references:people
Next create the many-to-many
relationship between roles and permissions.
mix ecto.gen.migration create_role_permissions
Now create the many-to-many
relationship between people and roles:
mix ecto.gen.migration create_people_roles
from auth.
By putting the roles and permissions resources in an auth
pipeline, none of the tests pass.
Just need to write a helper function that sets up the JWT/session. BRB.
from auth.
Didn't learn anything new from reading the official docs. Going to keep searching.
from auth.
https://stackoverflow.com/questions/58902019/phoenix-exunit-where-should-i-define-global-helpers
from auth.
Before:
Finished in 74.9 seconds
1 property, 79 tests, 17 failures
After:
Finished in 8.9 seconds
1 property, 79 tests, 0 failures
With 100% coverage.
Next: create associations between the Roles and Permissions Schemas.
from auth.
Default roles summarised in: #82 (comment) included in next PR.
from auth.
Roles deployed to https://dwylauth.herokuapp.com/roles
RBAC for controlling access in apps: https://github.com/dwyl/rbac
The original question of this issue is answered:
https://github.com/dwyl/auth/blob/master/role-based-access-control.md
Closing.
Any further questions: please open new issues. (thanks!)
from auth.
Related Issues (20)
- Groups UI/UX HOT 1
- Phoenix.Template.UndefinedError Could not render "live.html" for AuthWeb.LayoutView HOT 1
- Chore: Fix Failing Auth Tests HOT 3
- Review how auth application works
- Chore: Sample `people` for testing `groups` on `localhost` HOT 3
- Chore: Use `statuses` [in-memory] in `auth`
- Auth: Deploy Demo Version to Fly.io HOT 11
- Bug: GitHub Username Not Returned by Auth ... 🤦♂️ HOT 7
- BLOCKER: Internal Server Error when Registering with Email Address! HOT 5
- Error `expected a binary but got: nil` HOT 7
- Technical Question: should we use a `JWT` for `AUTH_API_KEY`? HOT 8
- Feat: Auth Setup Wizard `#discuss`
- Feat: Use `Gmail` to send Email!! 📧 🤯
- Tech Question: Do we even Need an `AUTH_API_KEY`? 💭 🤷♂️ HOT 5
- Feat: Copy `AUTH_URL` to clipboard
- Feat: Allowed List of URLs for each `AUTH_API_KEY`
- Chore: Generate ERD for `mix phx.gen.auth` HOT 2
- Chore: Update the `people.email` to use `Fields.EmailEncrypted` HOT 4
- Feat: Re-create Login Screen Using Tailwind CSS HOT 2
- Feat: Delegated Auth
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from auth.