

@Dallin343
Contributor

We ran into a use case for guarding endpoints based on request data instead of static data. Specifically, in our findOne(id: string) controller methods, we want to guard based on whether the requesting user can access the resource with the given id. Previously, we were required to use the AuthzService to check the user's access within the findOne function, but mixing decorators and function calls for authorization doesn't seem as clean.

This PR adds support for providing a resourceFromContext function during initialization (which acts as the default) and in the guard (which overrides the default). resourceFromContext is given the execution context of the function, so it can access data from the request, and it returns a resource to be enforced against Casbin. The resource that is returned can be a single resource or an array of resources, and a BatchApproval option determines approval behavior in the array case. With BatchApproval.ANY, as long as any of the resources returned from resourceFromContext pass enforcement, the request continues. With BatchApproval.ALL, all resources must pass enforcement.

I would like to hear thoughts on this use case, and this approach. Are there any apparent or potential problems with this feature or approach? I aimed to maintain existing behavior by default, with this "resource specific guarding" requiring intentional usage to have any effect.
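The mechanism described in the PR text above (a `resourceFromContext` resolver supplied as a module-level default or as a per-guard override, returning one resource or many, with `BatchApproval.ANY` / `BatchApproval.ALL` deciding the array case), as an added example that is not the project's or the PR's own code: a self-contained TypeScript model of the flow. The PR's real signatures are not shown on this page, so `ResourceGuard`, `FakeEnforcer` (a constructed in-memory stand-in for a Casbin enforcer), `ContextLike`, `byIdParam`, `byIdsQuery`, the `/orders/...` object names and the sample policy tuples are all assumptions made for this illustration.

```typescript
// Added example, not the project's code. Models "resource from request context"
// guarding with ANY/ALL batch approval against a constructed in-memory enforcer.

export enum BatchApproval {
  ANY = 'ANY',
  ALL = 'ALL',
}

// Minimal stand-in for an execution context: only the HTTP request is modelled.
export interface RequestLike {
  user?: { username: string };
  params: Record<string, string>;
  query?: Record<string, string>;
}
export interface ContextLike {
  request: RequestLike;
}

export type ResourceFromContext = (ctx: ContextLike) => string | string[];

// Constructed stand-in for a Casbin enforcer. The (subject, object, action)
// tuples are a sample policy invented for this example.
export class FakeEnforcer {
  private readonly policy = new Set<string>([
    'alice,/orders/1,read',
    'alice,/orders/2,read',
    'bob,/orders/2,read',
  ]);
  enforce(sub: string, obj: string, act: string): boolean {
    return this.policy.has(`${sub},${obj},${act}`);
  }
}

export interface GuardOptions {
  action: string;
  // Per-guard override; falls back to the module-level default when absent.
  resourceFromContext?: ResourceFromContext;
  batchApproval?: BatchApproval;
}

export class ResourceGuard {
  constructor(
    private readonly enforcer: FakeEnforcer,
    // Module-level default, analogous to the option given at initialization.
    private readonly defaultResourceFromContext: ResourceFromContext,
  ) {}

  canActivate(ctx: ContextLike, opts: GuardOptions): boolean {
    const user = ctx.request.user?.username;
    if (!user) return false; // no authenticated subject: deny before enforcing

    const resolver = opts.resourceFromContext ?? this.defaultResourceFromContext;
    const resolved = resolver(ctx);
    const resources = Array.isArray(resolved) ? resolved : [resolved];

    // Design choice in this example (not necessarily the library's): an empty
    // resource list denies under both modes, so a resolver that finds nothing
    // never grants access.
    if (resources.length === 0) return false;

    const mode = opts.batchApproval ?? BatchApproval.ALL;
    const allowed = (r: string) => this.enforcer.enforce(user, r, opts.action);
    return mode === BatchApproval.ANY ? resources.some(allowed) : resources.every(allowed);
  }
}

// Default resolver: the single resource named by the :id route parameter, the
// same parameter a findOne(id) handler reads, so guard and handler agree on the object.
export const byIdParam: ResourceFromContext = (ctx) => `/orders/${ctx.request.params.id}`;

// Override for a bulk endpoint: one resource per comma-separated id in ?ids=.
export const byIdsQuery: ResourceFromContext = (ctx) =>
  (ctx.request.query?.ids ?? '')
    .split(',')
    .filter((s) => s.length > 0)
    .map((id) => `/orders/${id}`);

export function demo(): Record<string, boolean> {
  const guard = new ResourceGuard(new FakeEnforcer(), byIdParam);
  const req = (username: string, params: Record<string, string>, query?: Record<string, string>): ContextLike =>
    ({ request: { user: { username }, params, query } });
  const batch = (mode: BatchApproval): GuardOptions =>
    ({ action: 'read', resourceFromContext: byIdsQuery, batchApproval: mode });

  return {
    // Single resource through the default resolver: alice may read order 1, bob may not.
    aliceOrder1: guard.canActivate(req('alice', { id: '1' }), { action: 'read' }),
    bobOrder1: guard.canActivate(req('bob', { id: '1' }), { action: 'read' }),
    // Batch through the override: bob may read only order 2.
    bobAny: guard.canActivate(req('bob', {}, { ids: '1,2' }), batch(BatchApproval.ANY)),
    bobAll: guard.canActivate(req('bob', {}, { ids: '1,2' }), batch(BatchApproval.ALL)),
    aliceAll: guard.canActivate(req('alice', {}, { ids: '1,2' }), batch(BatchApproval.ALL)),
    // Edge cases: empty batch and missing subject both fail closed.
    emptyAny: guard.canActivate(req('alice', {}, { ids: '' }), batch(BatchApproval.ANY)),
    anonymous: guard.canActivate({ request: { params: { id: '1' } } }, { action: 'read' }),
  };
}
```

Two points worth carrying over to a real guard: the resolver should derive the object from exactly the request field the handler later uses (here the `:id` parameter), so the enforced resource and the accessed resource cannot drift apart; and the empty-array case deserves an explicit decision, since `Array.prototype.some` on an empty list is `false` but `every` is `true`, which would make `BatchApproval.ALL` approve a request that named no resources at all unless the guard checks for it, as this example does.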

@hsluoyz
Member

hsluoyz commented Jan 7, 2025

@nodece @Shivansh-yadav13 please review


@nodece nodece left a comment


Overall, LGTM.

@hsluoyz hsluoyz merged commit 7ea8f53 into node-casbin:master Jan 9, 2025
7 checks passed
github-actions bot pushed a commit that referenced this pull request Jan 9, 2025
# [2.12.0](v2.11.0...v2.12.0) (2025-01-09)

### Features

* Add support for guarding based on request data ([#173](#173)) ([7ea8f53](7ea8f53))
@github-actions

github-actions bot commented Jan 9, 2025

🎉 This PR is included in version 2.12.0 🎉

The release is available on:

Your semantic-release bot 📦🚀
