
Authorization-Dependent UI Elements (from backend)

Open gneray opened this issue 3 years ago • 3 comments

This is an external tracking issue to:

  1. Gauge interest from the community for this feature
  2. Learn about what you'd want to see out of it if we worked on it.

So please:

  1. Upvote the issue if it's important to you, and
  2. Comment with any relevant info on your requirements, use cases, etc.

Thanks!

PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.

gneray, Dec 18 '20 20:12

We currently have limited checks in our UI for these use cases (one has just been looking at global user permissions), but if we expanded to take advantage of the full oso policies for our python+django solution, we'd probably just be serializing a list of authorized actions along with the model or list of models (json) - I can see the list getting slow though, but just a hunch. If we run into scaling issues, we may adopt a more on-demand REST API to query valid authorized actions for a particular resource though. Our front-end is currently JS+Marionette/Backbone.

As an update:

  • In my Python (Django/DRF) solution, I did end up implementing a custom REST API to specifically query to see if a user was allowed to perform an explicit list of actions. I pass a model name, model PK, and one or more actions to check. It has to query the DB individually right now as is_allowed type checks, but returns the results of those checks as a dictionary like: { 'action1': true, 'action2': false } to save on HTTP requests at least.
  • I can see adapting the API if the Django (ORM) Oso get_allowed_actions API is expanded to streamline this process (i.e. if it can use the DB filters to end up querying for the list of permissions a user has on a resource, then perhaps further constrain the DB by filtering like queryset.filter(permissions__in=actions_from_restapi) or some alternative...)

In some cases, it may make sense to try to serialize these allowed actions with the normal model serializer (Django Rest Framework) anyway. In other cases, wait until the UI explicitly queries the REST API for allowable actions, so if the UI doesn't care in that view/page, we don't take the performance hit on the initial JSON request.

devmonkey22, Jan 11 '21 22:01
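The batched "may I perform these actions?" endpoint devmonkey22 describes, as an added illustration that is not code from the thread or from Oso itself. `PolicyStub`, `User`, `Document` and `KNOWN_ACTIONS` are constructed stand-ins: the stub only mirrors the `is_allowed(actor, action, resource)` call shape so the endpoint logic runs offline; the view/serializer wiring is left to DRF.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str


@dataclass(frozen=True)
class Document:
    pk: int
    owner: str


class PolicyStub:
    """Constructed stand-in for an Oso instance (not the real library).

    Rules: anyone may read; owners may edit and delete their own documents;
    admins may delete any document.
    """

    def is_allowed(self, actor, action, resource):
        if action == "read":
            return True
        if action in ("edit", "delete") and resource.owner == actor.name:
            return True
        if action == "delete" and actor.role == "admin":
            return True
        return False


# Hypothetical allowlist of action names a client may ask about per model.
# Rejecting anything else up front keeps the endpoint from answering for
# arbitrary, unmodelled action strings.
KNOWN_ACTIONS = {"Document": {"read", "edit", "delete"}}


def authorized_actions(oso, actor, model, resource, actions):
    """Return {action: bool} for each requested action in one response.

    Raises ValueError for an unknown model or action so the caller can map
    it to an HTTP 400 instead of silently reporting False. The result is a
    UI hint only; each real request is still checked with is_allowed.
    """
    unknown = set(actions) - KNOWN_ACTIONS.get(model, set())
    if unknown:
        raise ValueError(f"unknown action(s) for {model}: {sorted(unknown)}")
    # One is_allowed call per action, as in the comment, but a single
    # HTTP round-trip for the client instead of one per action.
    return {action: oso.is_allowed(actor, action, resource) for action in actions}
```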

Just an update here: last cycle we published a guide on this topic that takes advantage of a new library method (currently only implemented in the Oso Python package) to get an actor's allowed actions as @devmonkey22 mentioned.

A front-end Oso integration is a separate issue (#589) that we may address in the future based on community interest.

leina05, Feb 03 '21 16:02

@leina05 is there a chance that this authorized_actions method will be ported to NodeJS, Java, and C#?

And in the interim, is there a REST API that provides the authorized functionality?

If there is an endpoint that does the heavy lifting, I’m happy to PR the NodeJS SDK (once and if our company elects to use Oso).

dgreene1, Mar 31 '23 23:03