Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

#615: Authorization for public handlers #662

Merged
merged 36 commits into from
Aug 5, 2024
Merged

#615: Authorization for public handlers #662

merged 36 commits into from
Aug 5, 2024

Conversation

mario-nt
Copy link
Contributor

@mario-nt mario-nt commented Jul 3, 2024

Parent issue: #615

@mario-nt mario-nt mentioned this pull request Jul 3, 2024
Closed
5 tasks
@mario-nt mario-nt force-pushed the 615-public-handlers-authorization branch from fa88449 to 0f72b2b Compare July 7, 2024 16:17
@mario-nt mario-nt force-pushed the 615-public-handlers-authorization branch from 71a368e to 27fa27d Compare July 12, 2024 20:45
@da2ce7 da2ce7 self-requested a review July 16, 2024 16:20
@mario-nt mario-nt force-pushed the 615-public-handlers-authorization branch from 29232e0 to 70f3c2a Compare July 17, 2024 12:25
@mario-nt mario-nt force-pushed the 615-public-handlers-authorization branch from 51316d1 to e527867 Compare August 3, 2024 15:10
@mario-nt mario-nt force-pushed the 615-public-handlers-authorization branch from 2df5448 to dbcd0e1 Compare August 3, 2024 16:41
@mario-nt mario-nt requested a review from josecelano August 4, 2024 21:13
@mario-nt mario-nt marked this pull request as ready for review August 4, 2024 21:13
@josecelano josecelano added this to the v3.0.0 milestone Aug 5, 2024
@josecelano josecelano self-assigned this Aug 5, 2024
josecelano
josecelano requested changes Aug 5, 2024
View reviewed changes
Copy link
Member

@josecelano josecelano left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @mario-nt, the PR is good, however I'm missing something we had discussed some days ago.

When the user is not authorized because is not authenticated I would keep returning a 401, instead of changing the API.

I would add a new service error for the case when guest user is not authorized. The error name could be one of these:

  • ServiceError::UnauthorizedActiognForGuests
  • ServiceError::GuestUnauthorized
  • ServiceError::MissingCredentials
  • ServiceError::Unauthorized
  • ServiceError::AuthenticationRequired
  • ServiceError::UserCredentialsRequired

We already have a similar error for that:

ServiceError::LoggedInUserNotFound => StatusCode::UNAUTHORIZED, // 401

But I suppose we don't need the ExtractLoggedInUser extractor anymore. I would use:

ServiceError::UnauthorizedActiognForGuests => StatusCode::UNAUTHORIZED, // 401

In general, I prefer to be explicit about the error that has happened instead of how to solve it. The error message can contain instructions to fix it. For example:

"Unauthorized actions for guest. Try logging in to check if you have permission to perform the action"

And I would change this method:

pub async fn authorize(&self, action: ACTION, maybe_user_id: Option<UserId>) -> std::result::Result<(), ServiceError> {
    let role = self.get_role(maybe_user_id).await;

    let enforcer = self.casbin_enforcer.enforcer.read().await;

    let authorize = enforcer
        .enforce((role, action))
        .map_err(|_| ServiceError::UnauthorizedAction)?;

    if authorize {
        Ok(())
    } else {
        Err(ServiceError::UnauthorizedAction)
    }
}

To:

pub async fn authorize(&self, action: ACTION, maybe_user_id: Option<UserId>) -> std::result::Result<(), ServiceError> {
    let role = self.get_role(maybe_user_id).await;

    let enforcer = self.casbin_enforcer.enforcer.read().await;

    let authorized = enforcer
        .enforce((role, action))
        .map_err(|_| ServiceError::UnauthorizedAction)?;

    if authorized {
        Ok(())
    } else {
        if role == Role::guest {
            Err(ApiError::UserCredentialsRequired) // Guest users are not authorized for this action
        } else {
            Err(ServiceError::UnauthorizedAction) // Authenticated user lacks necessary permissions
        }
    }
}

@mario-nt mario-nt force-pushed the 615-public-handlers-authorization branch from 8e85f51 to f38b628 Compare August 5, 2024 16:02
@josecelano
Copy link
Member

ACK f38b628

@josecelano josecelano merged commit a39ad21 into torrust:develop Aug 5, 2024
10 of 13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@josecelano josecelano josecelano approved these changes

@da2ce7 da2ce7 Awaiting requested review from da2ce7

Assignees

@josecelano josecelano

Labels
None yet
Projects
None yet
Milestone
v3.0.0
Development

Successfully merging this pull request may close these issues.
2 participants
@mario-nt @josecelano