HomeUniteUs

Complete implementation of scopes and roles for user types in AWS Cognito

Open tylerthome opened this issue 4 years ago • 8 comments

Overview

Create remaining scopes applicable to each user type within AWS Cognito, and add API route protection in Flask application

Resources/Instructions

Given these resource types:

  • Guest Questions (and associated response types/values)
  • Host Questions (and associated response types/values)
  • Guest Details
  • Host Details
  • Guest Responses
  • Host Responses
  • Restrictions
  • Matches

Create the appropriate scopes in Auth0 and assign appropriate permissions to each role:

  • User Types
    • Guest
      • READ ONLY
        • Guest Questions
        • Match Results for current user
        • Host Details (for matched hosts only)
      • READ/WRITE
        • Guest Response Values
        • Guest Details
    • Host
      • READ ONLY
        • Host Questions
        • Match Results for current user
        • Guest Details (for matched guests only)
      • READ/WRITE
        • Host Response Values for current user
        • Host Details for current user
    • Case Worker / Org Employee (or "admin")
      • READ ONLY
        • Match Results for assigned Guests
        • Host Details
        • Host Questions and Responses
      • READ/WRITE
        • Match Results for assigned Guests (to manipulate status values for manual business processes)
    • Organization Administrator (or "super admin")
      • READ ONLY
        • Host and Guest Details
        • Host and Guest Responses
      • READ/WRITE
        • Host and Guest Questions (and associated response types/values)
        • Match Results (status)
        • (proposed) Permissions of Case Workers / Org Employees to access system resources

tylerthome, Jun 11 '20 16:06

Please provide an update

  1. Progress
  2. Blocker
  3. Availability
  4. ETA

JRHutson, Mar 23 '22 01:03

Need to complete user flows before defining.

JRHutson, May 10 '22 00:05

Hi @tylerthome, is this issue still in progress? If not, can you move this issue to the appropriate status column? Thanks!

randelbrot, Jan 12 '23 02:01

Hey @tylerthome,

I've done some research into role based endpoint access, and I think I can begin putting together a design to achieve this.

Would it be possible to take over this issue? Thanks

Joshua-Douglas, Aug 16 '23 05:08

@Joshua-Douglas here's a link to discussion regarding this topic from a little while ago in case it's any help: https://github.com/hackforla/HomeUniteUs/discussions/535

erikguntner, Aug 16 '23 23:08

We can't effectively add role-based access until we begin authenticating our endpoints. In order to determine whether a user has the correct role, you first need to verify their identity. This is what authentication helps us achieve.

We can start this issue after #577

Joshua-Douglas, Aug 24 '23 02:08

Moving this to the dev team. @Joshua-Douglas @erikguntner @paulespinosa completed the design and implementation for basic access control and user roles. This sounds like a good issue for someone ready to work with AWS and/or Terraform as we look toward setting up HUU in the incubator.

tylerthome, Apr 09 '24 19:04

@tylerthome, the user roles PR has been merged. Now each of the endpoints has access to the user's role, and it is easy to implement role-based access control using naive approaches (e.g. add if user.role != Guest and user.role != Admin: return "invalid user access", 403).

I can add middleware to encapsulate user access role checks, but that'll take some research. I'm planning to focus on #462, but let me know if more work is required on this issue. Thanks!

Joshua-Douglas, Apr 15 '24 02:04
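The permission matrix in the issue body mixes two kinds of rule: role-level grants (a Guest may read Guest Questions) and row-level grants ("Match Results for current user", "Host Details for matched hosts only", "Match Results for assigned Guests"). A check on user.role alone, like the naive if-statement in the previous comment, only covers the first kind; the second kind needs the loaded object as well. The block below is an added example, not HomeUniteUs code, showing one way to encode the matrix as data and wrap a view in a guard that checks both. It assumes token verification already happened upstream (the point of #577) and that the verified payload is available as a dict; `cognito:groups` and `sub` are the real Cognito claim names, but the group names (guest, host, caseworker, orgadmin), the resource names, the `target` dict shape and the `set_match_status` view are all illustrative. The proposed "permissions of Case Workers" resource is left out because the issue marks it as proposed.

```python
"""Role/permission matrix from the issue, plus a route guard.

Added example, not project code. Assumes the caller's verified token claims
are a dict with Cognito's `cognito:groups` (list of group names) and `sub`.
Group names, resource names and the `target` shape are assumptions.
"""
from dataclasses import dataclass
from functools import wraps

READ, WRITE = "read", "write"
RO, RW = frozenset({READ}), frozenset({READ, WRITE})


@dataclass(frozen=True)
class Permission:
    resource: str
    actions: frozenset
    scope: str = "all"  # "all" | "own" | "matched" | "assigned"


# Transcription of the matrix in the issue body. "own"/"matched"/"assigned"
# are the row-level qualifiers the issue attaches to some entries.
ROLE_PERMISSIONS = {
    "guest": (
        Permission("guest_questions", RO),
        Permission("matches", RO, "own"),
        Permission("host_details", RO, "matched"),
        Permission("guest_responses", RW, "own"),
        Permission("guest_details", RW, "own"),
    ),
    "host": (
        Permission("host_questions", RO),
        Permission("matches", RO, "own"),
        Permission("guest_details", RO, "matched"),
        Permission("host_responses", RW, "own"),
        Permission("host_details", RW, "own"),
    ),
    "caseworker": (
        Permission("matches", RW, "assigned"),  # status changes for assigned guests
        Permission("host_details", RO),
        Permission("host_questions", RO),
        Permission("host_responses", RO),
    ),
    "orgadmin": (
        Permission("host_details", RO),
        Permission("guest_details", RO),
        Permission("host_responses", RO),
        Permission("guest_responses", RO),
        Permission("guest_questions", RW),
        Permission("host_questions", RW),
        Permission("matches", RW),
    ),
}


class Forbidden(Exception):
    """Raised when the caller may not perform the action (a 403 in a route)."""


def _scope_satisfied(scope, subject, target):
    # Row-level part of the decision. `target` is the loaded object, with the
    # assumed keys owner_ids, matched_user_ids and assigned_caseworker_ids.
    if scope == "all":
        return True
    if scope == "own":
        return subject in target.get("owner_ids", ())
    if scope == "matched":
        return subject in target.get("matched_user_ids", ())
    if scope == "assigned":
        return subject in target.get("assigned_caseworker_ids", ())
    return False  # unknown scope: deny


def authorize(claims, resource, action, target):
    """True if any of the caller's groups grants `action` on `resource` and
    the permission's row scope holds for `target`. Deny by default."""
    subject = claims.get("sub")
    for role in claims.get("cognito:groups", ()):
        for perm in ROLE_PERMISSIONS.get(role, ()):
            if (perm.resource == resource and action in perm.actions
                    and _scope_satisfied(perm.scope, subject, target)):
                return True
    return False


def requires(resource, action):
    """Guard for a view `f(claims, target, ...)`: the object is loaded first
    so the row-level check can run, then the view body executes."""
    def deco(f):
        @wraps(f)
        def wrapper(claims, target, *args, **kwargs):
            if not authorize(claims, resource, action, target):
                raise Forbidden(f"{action} on {resource} denied")
            return f(claims, target, *args, **kwargs)
        return wrapper
    return deco


@requires("matches", WRITE)
def set_match_status(claims, match, status):
    # Assumed view body; the real route would persist the change.
    match["status"] = status
    return match


# Constructed sample claims and rows for trying the guard offline.
GUEST = {"sub": "g-1", "cognito:groups": ["guest"]}
HOST = {"sub": "h-1", "cognito:groups": ["host"]}
CASEWORKER = {"sub": "c-1", "cognito:groups": ["caseworker"]}
MATCH = {"owner_ids": ["g-1", "h-1"], "assigned_caseworker_ids": ["c-1"],
         "status": "pending"}
HOST_DETAILS = {"owner_ids": ["h-1"], "matched_user_ids": ["g-1"]}
OTHER_HOST_DETAILS = {"owner_ids": ["h-2"], "matched_user_ids": []}
```

In a Flask app the wrapper would pull `claims` from `flask.g` (set by the JWT-verifying middleware) and raise `werkzeug.exceptions.Forbidden` instead of the local exception; the decision logic is the same. The important property is the default: a group that is not in the matrix, or a row the subject has no relation to, is denied without any per-route code.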