Wolkenkit: ACLs for authorization and user roles


Problem description

I am trying to understand how to extend the wolkenkit auth layer.

Say I want users with different roles: normal, moderator and admin.


  • normal users can see and modify their own content, but aren't allowed to modify content from other users.

  • moderator users are allowed to modify all entries, but don't have permission to delete anything other than their own content.

  • admin users can modify and delete everything.

There are also unauthenticated guest users who can read everything but modify nothing.

Reading the docs for Write model: Configuring authorization, I can model the guest/normal use case by writing something along the lines of:

const initialState = {
  isAuthorized: {
    commands: {
      issue: { forAuthenticated: false, forPublic: false }
    },
    events: {
      issued: { forAuthenticated: true, forPublic: true }
    }
  }
};

For my requirements I would need additional roles defined in this object. Something like { forModerator: true, forAdmin: true }.

There is also Granting access from a command to change permissions at runtime, but I am not sure if that would work. Even if it does, that feels quite hacky.

Is this possible?

Recommended answer

Disclaimer: I am one of the developers of wolkenkit.

To cut a long story short: No, right now unfortunately this is not possible, but this feature is on our roadmap. At least today, I can't tell you when this will be available.

Your best option would be to do it on your own. One way to do this might be to use your identity provider to include a moderator claim in the JWTs of the moderators, and then handle this in the command handler appropriately.

In the command handler you have access to the token by

command.user.token

so you can get the claims as needed. I'm very sorry that there is no better answer right now :-(
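The role check the answer suggests, written out as an added example (not code from the original post or from wolkenkit itself). It assumes that `command.user.token` holds the decoded claims, that the identity provider adds a hypothetical string claim named `role`, that guests have no token or the subject `anonymous`, and that the caller passes the content owner's id as `ownerId`.

```javascript
'use strict';

// Policy from the question: which actions each role may perform on
// its own content ("own") and on other users' content ("any").
// A Map avoids prototype lookups for claim values such as "constructor".
const POLICY = new Map([
  ['normal', { own: ['modify', 'delete'], any: [] }],
  ['moderator', { own: ['modify', 'delete'], any: ['modify'] }],
  ['admin', { own: ['modify', 'delete'], any: ['modify', 'delete'] }]
]);

// Assumption: the identity provider puts a string claim named "role"
// into the JWT; tokens without it belong to normal users.
// Assumption: a missing token or the subject "anonymous" means guest.
function roleOf (token) {
  if (!token || typeof token.sub !== 'string' || token.sub === 'anonymous') {
    return 'guest';
  }
  const role = token.role === undefined ? 'normal' : token.role;
  // Unknown or malformed claim values fall back to the least privilege
  // an authenticated user can have, never to a higher one.
  return typeof role === 'string' && POLICY.has(role) ? role : 'normal';
}

// token: decoded claims (command.user.token in the answer above).
// action: 'read', 'modify' or 'delete'. ownerId: owner of the content.
function isAllowed (token, action, ownerId) {
  const role = roleOf(token);
  if (role === 'guest') {
    return action === 'read';
  }
  if (action === 'read') {
    return true;
  }
  const rules = POLICY.get(role);
  const isOwner = token.sub === ownerId;
  return rules.any.includes(action) || (isOwner && rules.own.includes(action));
}

// Constructed sample claim sets, not real JWT payloads.
const alice = { sub: 'alice' };
const mod = { sub: 'bob', role: 'moderator' };
const admin = { sub: 'carol', role: 'admin' };
```

In a command handler, the command would be rejected whenever `isAllowed(command.user.token, action, ownerId)` returns `false`.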
