Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[full-ci] Implement permission concept for handling user abilities #8431

Merged
merged 20 commits into from
Feb 17, 2023

Conversation

JammingBen
Copy link
Contributor

@JammingBen JammingBen commented Feb 14, 2023

Description

Until now, Web handles permission checks only based on role names. This PR adds support for permissions that come from the server. The lib CASL has been introduced for defining and enforcing those permissions.

The permission concept is a bit complicated because it has 2 "layers": Permissions that are only related to the user and permissions that additionally relate to a resource (like share permissions, space roles). We only care about the former here! That distinction is very important to fully understand how the permissions are structured.

They can be found in packages/web-runtime/src/services/auth/abilities.ts and consist of an action and a subject. Actions have one of two suffixes: -all (system-wide permission) or -own (restricted to the current user). E.g.:

  • { action: 'create-all', subject: 'Account' } defines the permission to read all accounts of this system
  • { action: 'read-all', subject: 'Space' } defines the permission to read all spaces on this system
  • { action: 'create-own', subject: 'Space' } defines the permission to create a personal space on this system

All available actions and subjects are defined in packages/web-pkg/src/utils/types.ts.

The PermissionManager has been removed as we don't need it anymore.

Note: Requires the latest server docker image!

Related Issue

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Technical debt
  • Tests

@JammingBen JammingBen self-assigned this Feb 14, 2023
@JammingBen JammingBen changed the title PoC: Use CASL Vue for handling permissions Use CASL for handling permissions Feb 14, 2023
@JammingBen JammingBen force-pushed the user-permissions branch 2 times, most recently from 57a0f52 to 009ebcf Compare February 14, 2023 16:42
@JammingBen JammingBen force-pushed the user-permissions branch 2 times, most recently from aa18463 to 6f88e92 Compare February 15, 2023 12:34
@ownclouders
Copy link
Contributor

ownclouders commented Feb 15, 2023

@JammingBen JammingBen changed the title Use CASL for handling permissions Implement permission concept for handling user abilities Feb 15, 2023
@JammingBen JammingBen marked this pull request as ready for review February 15, 2023 16:26
@JammingBen JammingBen changed the title Implement permission concept for handling user abilities [full-ci] Implement permission concept for handling user abilities Feb 15, 2023
Copy link
Member

@kulmann kulmann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add a changelog item. The removal of the permission manager is a breaking change for extension developers.

packages/web-runtime/src/services/auth/authService.ts Outdated Show resolved Hide resolved
packages/web-client/src/helpers/space/functions.ts Outdated Show resolved Hide resolved
packages/web-app-admin-settings/tests/unit/index.spec.ts Outdated Show resolved Hide resolved
@owncloud owncloud deleted a comment from update-docs bot Feb 17, 2023
@JammingBen
Copy link
Contributor Author

@kulmann This is in a finished state from my side (for now at least).

The permissions coming from the server still have weird names, that's going to change in the future. Also, there still seem to be bugs with the default permissions of the space admin role. I've tracked them here: owncloud/ocis#5414 (comment).

Copy link
Member

@kulmann kulmann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🥳 🚀

@sonarcloud
Copy link

sonarcloud bot commented Feb 17, 2023

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 1 Code Smell

66.3% 66.3% Coverage
0.0% 0.0% Duplication

@JammingBen JammingBen merged commit af53a16 into master Feb 17, 2023
This was referenced Feb 17, 2023
@micbar micbar mentioned this pull request May 3, 2023
89 tasks
@kulmann kulmann deleted the user-permissions branch September 5, 2024 19:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[Web] Respect permissions of the authenticated user
3 participants