Thursday, 5 February 2015

keystone more deeper -- authorization (Q&A)



Q: A question from webteckie:

https://github.com/keystonejs/keystone/issues/899


webteckie commented 8 hours ago
@wangpingsx interesting! I should try your solution in my project as an intermittent solution and see how it goes. Regarding the roles, I'm assuming a rules.js can be created and then imported. Regarding the roles field in the User can that be a relationship reference to a Roles list? Can you think of any drawbacks your solution may have? Thanks!





A:

Hi @webteckie,
"a rules.js" is a good idea. Then super admin users can create new roles or delete roles via the admin UI. Then, in the user management view, a super admin can select roles instead of typing the role name (a plain String).
This is definitely a good idea!
Adding multi-roles could be an issue, but you can get some clues from:
http://demo.keystonejs.com/keystone/things/
Regarding drawbacks:
The only drawback I can see is the UE: when users click a restricted link, the system will show the 500 page.
Hiding restricted links would be the best solution, but without changing KeystoneJS's source code, I think that is impossible.
Thanks,
Peter





A2:


Hi @webteckie,
Sorry, I found a problem with your "roles.js model" solution. Actually, it is no problem at all if you know how to query MongoDB from a middleware (I don't; I am a new starter with Node.js and Mongoose).
The reason is that KeystoneJS currently doesn't support embedded objects. The "roles" in your solution is a group of references to roles. The references are IDs, which means your req.user has a list of role IDs; you can't use IDs to verify the current user's role, because they are meaningless numbers. You need another query to MongoDB to translate these role IDs to role names; then you can match the roles against your authorisation rules.
Again, if you can make the query in middleware, it is not a big issue.
By the way, as I mentioned above, KeystoneJS currently doesn't support embedded objects. I have another blog post introducing my solution for that:
However, my solution only supports strings and numbers for sub-objects' fields.
Thanks,
Peter




A3:

I found some bugs in my solution, and I have fixed them:
The latest code of my GitHub project has fixed all of them.
Thanks,
Peter


A4:

@webteckie I have two auth control models:
  1. On the list view. If you use this model, users cannot see the list view (that can solve the issue you raised above).
  2. On the item view. If you use this model, users can still see the list view, but are not able to click through to the detail (the item view).
You don't need keystone core. All bugs were fixed.
Thanks,
Peter
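To make the points in A2 and A4 concrete (resolving reference-stored roles to names before matching, and the list-view versus item-view control models), here is an added JavaScript example; it is not code from this post or from KeystoneJS, and the role table, rule contents, list names and admin path shapes are assumptions made for the demo.

```javascript
// Constructed stand-in for a Roles collection: id -> role name. In a real
// KeystoneJS app this lookup would be a mongoose query (the extra query the
// thread mentions), so the middleware would await it.
const ROLE_DOCS = { r1: 'aa', r2: 'bb', r3: 'cc' };
const lookupRoleName = (id) => ROLE_DOCS[id];

// Hypothetical rules keyed by list name: which role names may open each view.
const RULES = {
  list: { things: ['aa'], posts: ['bb'] }, // model 1: who may see /keystone/<list>
  item: { things: ['cc'] },                // model 2: who may open /keystone/<list>/<id>
};

// Turn req.user.roles into role names. Entries may be plain strings (a String
// field) or relationship references ({ _id }, optionally with a populated name).
function resolveRoleNames(roles, lookup = lookupRoleName) {
  const names = [];
  for (const r of roles || []) {
    if (typeof r === 'string') names.push(r);
    else if (r && r.name) names.push(r.name);
    else if (r && r._id !== undefined) {
      const n = lookup(String(r._id));
      if (n) names.push(n); // unknown ids grant nothing
    }
  }
  return names;
}

// Decide whether user may open an admin path. A list rule also covers the
// list's item views, so a blocked list blocks /keystone/<list>/<id> as well.
function isAllowed(user, path, lookup = lookupRoleName) {
  if (!user) return false;
  if (user.isSupperAdmin) return true; // the post's super admin bypasses rules
  const m = /^\/keystone\/([^/]+)(?:\/([^/]+))?\/?$/.exec(path);
  if (!m) return true;                 // not a list or item view: nothing to enforce
  const [, list, itemId] = m;
  const checks = [RULES.list[list]];
  if (itemId) checks.push(RULES.item[list]);
  const names = resolveRoleNames(user.roles, lookup);
  return checks.every((req) => !req || req.some((role) => names.includes(role)));
}

// Express middleware to mount before Keystone's admin routes; answers 403
// rather than letting the request fall through to a 500 page.
function authorize(lookup = lookupRoleName) {
  return (req, res, next) =>
    (isAllowed(req.user, req.path, lookup) ? next() : res.status(403).send('Forbidden'));
}
```

With `app.use('/keystone', authorize())` placed before the admin routes, a user whose roles are stored as references is evaluated by name after the lookup, and a user without the list's role is refused both the list and its items.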


A5:

@webteckie I think your concern is the second bug which I mentioned here:
http://baiduhix.blogspot.co.uk/2015/02/keystone-more-deeper-authorization-bugs.html
I was wrong; it is not an issue: xxxxx/keystone/object/1223456634 will be blocked anyway.
BTW, please check my latest code on GitHub; I have changed it a little.
To try my project, the easiest way is to use my JSON below for the user table. After you check out my code, run npm install. Then you can run my project without changing anything (otherwise you need to define roles and auth rules).
The JSON below creates user@keystonejs.com as an admin and userxx@keystonejs.com as a super admin.
The password is "admin".
/* 0 */
{
    "_id" : ObjectId("54d1e0160899fc3a05a3d14f"),
    "isSupperAdmin" : false,
    "isAdmin" : true,
    "password" : "$2a$10$pi12AcBRDoIRUdyY.co9QuS5OmAE0UzUGFY3OhLIBwxOo7964uKLG",
    "email" : "user@keystonejs.com",
    "name" : {
        "last" : "User aa1zzzzz",
        "first" : "Admin"
    },
    "__v" : 1,
    "roles" : [ 
        "aa", 
        "bb"
    ]
}

/* 1 */
{
    "_id" : ObjectId("54d1e0170899fc3a05a3d151"),
    "isSupperAdmin" : true,
    "isAdmin" : true,
    "password" : "$2a$10$RgZUFZUWcy5bD0zOuMbs6eUOAmdSsyXMzDG0iEG99V/r/dD7q.fdC",
    "email" : "userxx@keystonejs.com",
    "name" : {
        "last" : "Userxx1",
        "first" : "Adminxx"
    },
    "__v" : 1,
    "roles" : [ 
        "aa", 
        "cc"
    ]
}

/* 2 */
{
    "_id" : ObjectId("54d366f48414997408c4726b"),
    "password" : "$2a$10$LkjeKvdEM4mB1wcdKq3am.N94trUeFeUNlqIgVV4P/8rozGDExfM.",
    "email" : "aa@aa.com",
    "roles" : [],
    "name" : {
        "first" : "supperAdmin",
        "last" : ""
    },
    "__v" : 0,
    "isAdmin" : true,
    "isSupperAdmin" : true
}
