Does using clientside integration expose policies? #197
I'm building a role-based permission model with CASL to authorize endpoints on the server side. So if I integrate with the client side, would that expose all of my policies to the public?
If that's the case, wouldn't it be a security risk?

Comments

Yes, it exposes user abilities inside your system. I don't think this is a security risk because users know what they can do in your system anyway. Otherwise, how can they use it?

Also, you don't need to share all permissions, but only user-specific or role-specific ones. So each user knows only his own permissions.

I was going through another similar library and found this comment: onury/accesscontrol#62 (comment) That's why I raised this question.

I have a shared package in a monorepo that holds all of the policy definitions. Importing that exposes all of the defined abilities.

Don't share the package (in this case you really expose a lot of info)! Instead you need to share permissions via an API call. Some time ago I wrote an example of how to share permissions between Ruby and JS: Someday you will need to allow admins to change permissions for different roles or users. And on that day, you will need to change both client and server. If you keep the permissions logic on the server, then you will not need to change the client.

Thanks for the link! I left a comment with my opinion on this topic in that thread :)

Sorry for the delay! I just went through your article and it looks cool! I wasn't a fan of providing permissions via an API call. But I will look into it! Thank you very much!

If you share permissions (i.e., user actions, not roles) for a particular user, then you don't expose any sensitive info to the client. You expose what the client already knows about itself in the system. This also allows you to keep UX at a good level. I think this issue may be closed now. Thanks for using CASL!
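The pattern the maintainer recommends, sketched as an added example that is not code from this issue or from CASL itself: the full policy map stays on the server, a per-user endpoint returns only the caller's own rules, and the client builds its checker from that JSON. The rule objects mimic CASL's `{ action, subject, inverted }` shape, but the matcher is a hand-written stand-in for `@casl/ability`, and the endpoint path, role names and user object are assumptions.

```javascript
// Server side: the complete policy map lives only here and is never
// bundled into client code. Rules use a CASL-like shape but are checked
// by the small matcher below, not by the @casl/ability package.
const POLICY = {
  admin:  [{ action: 'manage', subject: 'all' }],
  editor: [{ action: 'read',   subject: 'Article' },
           { action: 'update', subject: 'Article' },
           { action: 'delete', subject: 'Article', inverted: true }],
  viewer: [{ action: 'read',   subject: 'Article' }],
};

// Handler body for a hypothetical GET /api/me/permissions endpoint:
// returns only the rules derived from the authenticated user's own roles.
// Role names and other roles' rules are not part of the response.
function permissionsForUser(user) {
  const rules = [];
  for (const role of user.roles) {
    for (const rule of POLICY[role] || []) rules.push({ ...rule });
  }
  return rules;
}

// Client side: build a can(action, subject) checker from the JSON the
// endpoint returned. "manage" and "all" are wildcards; a later matching
// rule overrides an earlier one, so an inverted rule can deny a grant.
function buildChecker(rules) {
  return function can(action, subject) {
    let allowed = false;
    for (const rule of rules) {
      const actionMatch = rule.action === 'manage' || rule.action === action;
      const subjectMatch = rule.subject === 'all' || rule.subject === subject;
      if (actionMatch && subjectMatch) allowed = !rule.inverted;
    }
    return allowed;
  };
}

// Constructed sample user: an editor sees only the editor rules.
const editorRules = permissionsForUser({ id: 42, roles: ['editor'] });
const editorCan = buildChecker(editorRules);
console.log(JSON.stringify(editorRules));          // no admin or viewer rules
console.log(editorCan('update', 'Article'));       // true
console.log(editorCan('delete', 'Article'));       // false (inverted rule)
```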