feature: implicit authorization #3292
base: main
Code Climate has analyzed commit 5e84d00 and detected 0 issues on this pull request. View more on Code Climate.
Great job!
I can't wait to have this merged!
Some feedback and thoughts.
- I would remove the `raise_error_on_missing_policy_method` as we want most apps to use the new default with whitelisting.
- rename the new config from `whitelisting_authorization` to `implicit_authorization`?
- when `implicit_authorization` is set to true, then `raise_error_on_missing_policy` becomes obsolete and the result would be `false`. What do you think about this approach? I would advise our users to set the default `ApplicationPolicy` to have all methods return `false` and then just override the new ones.

This all goes towards having new apps with the new `implicit_authorization` option turned on and slowly have it the default in Avo 4.
So this code will be much more simplified when we do the switch.
What do you think?
I think we're looking at
I used
Yes, it's easy to write/spell.
I've also used both ( The idea of overriding If we look from a production environment perspective
If PSLet's keep this simple and remove
Still thinking that this is limiting some use cases, WDYT about letting each user decide how they want to use this combination of configurations.
Ok. I see what you mean to use it as a development helper.
Let's add those methods.
Description
Fixes #2125
avo-pro PR
Add `raise_error_on_missing_policy_method` that behaves the same as the existing `raise_error_on_missing_policy` but for methods.

`whitelisting_authorization` that is false per default (true on new apps by template). This option enables a more strict authorization control where the action is granted only if it is explicitly defined. If the policy class is missing OR if the method for the action is missing, the action will be unpermitted.

TODO:
Checklist:
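
The deny-by-default rule from the description, shown next to the permissive mode, as an added sketch that is not Avo's code. `AuthorizationSketch`, `PostPolicy` and `POLICIES` are hypothetical names, the keyword uses the `implicit_authorization` name from the PR title, and allowing the action when the option is off is an assumption about the legacy behaviour.

```ruby
# Added sketch, not Avo's implementation. All names here are hypothetical.
module AuthorizationSketch
  # Constructed policy: index?, show? and destroy? are explicit; edit? is not defined.
  class PostPolicy
    def initialize(user)
      @user = user
    end

    def index?
      true
    end

    def show?
      true
    end

    def destroy?
      @user[:admin]
    end
  end

  # Constructed registry: "Comment" deliberately has no policy class.
  POLICIES = { "Post" => PostPolicy }.freeze

  # implicit_authorization: true  -> a missing policy class or method denies.
  # implicit_authorization: false -> a missing class or method allows
  #                                  (assumed legacy behaviour).
  def self.authorized?(user, resource_name, action, implicit_authorization:)
    fallback = !implicit_authorization
    policy_class = POLICIES[resource_name]
    return fallback if policy_class.nil?

    method_name = "#{action}?"
    # Count a method as explicit only if the policy hierarchy defines it and
    # it is not one of Object's own predicates (nil?, frozen?, ...).
    explicit = policy_class.public_method_defined?(method_name) &&
               !Object.public_method_defined?(method_name)
    return fallback unless explicit

    # Coerce to a strict boolean so a truthy non-boolean cannot leak out.
    policy_class.new(user).public_send(method_name) ? true : false
  end
end
```

With the option on, a forgotten policy method fails closed, so a newly added action stays unavailable until someone writes its rule.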