Behavior Enhancement Proposal
When configuration is validated for entity permissions: fail validation and require the developer to define the system role authenticated if the entity's configuration defines more than one non-system role.
Given the following configuration:
"entities": {
  "Publisher": {
    "permissions": [
      {
        "role": "roleA",
        "actions": [ "create", "read", "update" ]
      },
      {
        "role": "roleB",
        "actions": [ "create", "read", "update" ]
      }
    ]
  }
}
Fail validation and require the developer to define:
"entities": {
  "Publisher": {
    "permissions": [
      {
        "role": "authenticated",
        "actions": [ "create", "read", "update" ]
      },
      {
        "role": "roleA",
        "actions": [ "create", "read", "update" ]
      },
      {
        "role": "roleB",
        "actions": [ "create", "read", "update" ]
      }
    ]
  }
}
Justification
When users do not include the X-MS-API-ROLE client role header, they can still be authenticated. In this case, without the system role authenticated defined on the entity, such a user would receive a 403 unauthorized.
Edge Case
If a configuration defines only one non-system role:
"entities": {
  "Publisher": {
    "permissions": [
      {
        "role": "roleA",
        "actions": [ "create", "read", "update" ]
      }
    ]
  }
}
the proposed behavior would not take effect, because we may auto-infer the client role header value when a user is a member of only one role (proposal #110). If only one non-system role is defined and the user is a member of multiple roles, fail with 403 unauthorized, because we would not know which role to infer when injecting a client role header.
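The proposed rule and its edge case, written out as an added illustration (this is not Data API builder's own validator; the function name validate_entity_permissions and the helper _publisher are assumptions made here):

```python
# Data API builder's two system roles; any other role name in "permissions" is
# a developer-defined (non-system) role.
SYSTEM_ROLES = {"anonymous", "authenticated"}


def validate_entity_permissions(config: dict) -> list[str]:
    """Check every entity against the proposed rule; return one message per violation.

    Rule: when an entity's permissions name more than one non-system role, the
    entity must also grant the system role "authenticated"; otherwise a caller
    who omits X-MS-API-ROLE has no role to fall back on and is refused.
    A single non-system role passes, because that role can be inferred (proposal #110).
    """
    errors = []
    for name, entity in config.get("entities", {}).items():
        roles = {p.get("role") for p in entity.get("permissions", [])}
        non_system = roles - SYSTEM_ROLES
        if len(non_system) > 1 and "authenticated" not in roles:
            errors.append(
                f"entity '{name}' defines non-system roles {sorted(non_system)} "
                "but not 'authenticated': a request without X-MS-API-ROLE would be rejected"
            )
    return errors


def _publisher(*roles):
    """Build a constructed config granting create/read/update to each role."""
    perms = [{"role": r, "actions": ["create", "read", "update"]} for r in roles]
    return {"entities": {"Publisher": {"permissions": perms}}}


# Constructed inputs mirroring the three snippets in the proposal.
TWO_ROLES_NO_AUTH = _publisher("roleA", "roleB")                     # should fail
TWO_ROLES_WITH_AUTH = _publisher("authenticated", "roleA", "roleB")  # passes
ONE_ROLE = _publisher("roleA")                                       # edge case: passes

if __name__ == "__main__":
    for label, cfg in [("two roles", TWO_ROLES_NO_AUTH),
                       ("two roles + authenticated", TWO_ROLES_WITH_AUTH),
                       ("one role", ONE_ROLE)]:
        problems = validate_entity_permissions(cfg)
        print(label, "->", "OK" if not problems else "; ".join(problems))
```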
Possible open questions
- If a developer wants to lock down an entity/action to a specific role and not allow basic authenticated users access, what should happen?
- Should we require at least one or both of the system roles anonymous or authenticated to be defined?