
Add -Group/-Scope property for routes, to further restrict access to routes for authenticated users

Open Badgerati opened this issue 4 years ago • 0 comments

Describe the Change

At present you can restrict access to routes by adding authentication - for some, like AD, you can also restrict this further by allowing certain groups. You can do this for other auths, though it has to be manually implemented.

But, that restricts access to any user that can authenticate; if you allowed Developer and Operations groups, they'd all be able to access that route. The plan here is to add new -Group/-Scope parameters to Add-PodeRoute/Add-PodeStaticRoute, so Pode will automatically check for groups/scopes on an authenticated user. This would allow you to restrict access to routes to just Developers or Operations, while the main authentication allows both.

i.e.:

New-PodeAuthScheme -Form | Add-PodeAuthWindowsAd -Name 'Login' -Groups Developer, Operations

# only operations allowed, developers will be 403'd
Add-PodeRoute -Method Get -Path '/config' -Group Operations -Authentication Login -ScriptBlock {
    # logic
}

We could also have a -GroupProperty/-ScopeProperty to check for custom properties on the user (default is Groups and Scope).

Badgerati • Apr 09 '21 17:04
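
The per-route decision the issue proposes, modelled as a standalone function. This is an added example, not code from the issue or from Pode: `Test-RouteAccess` is a hypothetical helper. It assumes a missing user yields 401, that a route naming both groups and scopes requires a match on each, and that scopes may arrive as one space-delimited string.

```powershell
# Hypothetical helper modelling the proposed check; not a Pode function.
function Test-RouteAccess {
    param(
        $User,                               # authenticated user, or $null
        [string[]] $Group = @(),             # groups allowed on the route
        [string[]] $Scope = @(),             # scopes allowed on the route
        [string] $GroupProperty = 'Groups',  # defaults named in the issue
        [string] $ScopeProperty = 'Scope'
    )

    # No user object: authentication did not succeed.
    if ($null -eq $User) { return 401 }

    $checks = @(
        @{ Allowed = $Group; Property = $GroupProperty; Split = $false },
        @{ Allowed = $Scope; Property = $ScopeProperty; Split = $true }
    )
    foreach ($check in $checks) {
        # The route declares no restriction of this kind.
        if ($check.Allowed.Count -eq 0) { continue }

        # Fail closed: a missing or empty property yields no values.
        $held = @($User.($check.Property)) | ForEach-Object {
            # Scopes may arrive as one space-delimited string; group
            # names can contain spaces, so they are never split.
            if ($check.Split) { "$_" -split '\s+' } else { "$_" }
        } | Where-Object { $_ }

        # -in compares strings case-insensitively; one match is enough.
        if (-not ($held | Where-Object { $_ -in $check.Allowed })) { return 403 }
    }
    return 200
}

# Constructed sample users (not from the issue).
$dev    = @{ Groups = @('Developer') }
$ops    = [pscustomobject]@{ Groups = @('Operations'); Scope = 'config.read config.write' }
$custom = @{ Roles = @('operations') }

Test-RouteAccess -User $dev -Group Operations
Test-RouteAccess -User $ops -Group Operations -Scope 'config.write'
Test-RouteAccess -User $custom -Group Operations
Test-RouteAccess -User $custom -Group Operations -GroupProperty Roles
Test-RouteAccess -User $null -Group Operations
```

The third and fourth calls differ only in `-GroupProperty`: without it the user's `Roles` are never consulted, so the check fails closed.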