Petar Mrdalj
11/14/2022, 11:20 AM
principal: {
  id: userData.userId,
  roles: userData.roles,
},
resource: {
  kind: cerbosObject,
  id: "1",
},
action: host.getHandler().name,
While looking into these examples https://github.com/cerbos/demo-graphql/blob/main/src/resolvers/Expenses.queries.ts it makes sense to actually call the db and compare the IDs.
How would you handle the permission check for creating or deleting a certain object from the db in which case you only need to check for the role and you do not need the id in the resource object? It is a required value in the request.
Thanks in advance
Alex Olivier (Cerbos)
11/14/2022, 11:24 AM
Petar Mrdalj
11/14/2022, 11:33 AM
Andrew Haines (Cerbos)
11/15/2022, 11:28 AM
folder and file, it might make sense to have a createFile action on the folder resource policy rather than a create action on the file, because the logic of who is allowed to create a file is mainly determined by their permissions on the containing folder.
This might not be the case for every resource but it's worth considering in the context of your domain
Petar Mrdalj
11/15/2022, 11:35 AM
Andrew Haines (Cerbos)
11/15/2022, 11:37 AM