You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
IMO ideally, each domain should enforce its own permissions. This would require passing along some sort of context with every call, and then services enforce permissions based on the requested data and context.
Curious to hear what others are doing as well.
The text was updated successfully, but these errors were encountered:
Great question. I was having a think about this the other day. Django has a robust permissions / groups / users system and we should take advantage of that. Most API requests into a service should have a user associated to them, so I would imagine you'd want to tap into the user permissions system at the API layer, basically redoing what DRF does (which has a great permissions system IMO). As for service to service perms - you could decorate APIs and require a "request" or, like you say, a "context" object to be passed into methods.
kbyatnal
changed the title
[Question] Thoughts on where/how are permissions enforced?
[Question] Thoughts on where/how permissions are enforced?
Jul 21, 2020
I found a good example of putting authentication in business logic in the graphene-django issues here. I also found that when I implemented this, django-rules was quite useful for extending the built in django permission model. I did however need to pass in the user object to use this.
IMO ideally, each domain should enforce its own permissions. This would require passing along some sort of
context
with every call, and thenservices
enforce permissions based on the requested data andcontext
.Curious to hear what others are doing as well.
The text was updated successfully, but these errors were encountered: