I have a use case where I think redap would be a great solution, minus some security elements. I'd like to create a role-based permissions system on top of redap.
My plan was to:
- Define endpoints with action titles as follows
  - groups.get
  - groups.create
  - groups.delete
  - groups.get_members
  - groups.add_member
  - groups.remove_member
  - groups.update
  - users.get
  - users.create
  - users.authenticate
  - users.delete
  - users.get
  - users.get_groups
  - users.update
  - users.set_password
  - users.unlock
  - users.enable
  - users.disable
  - users.pw_never_expires
- Modify the api_key model to allow for a role parameter
- In Settings -> core.py, add a list stored as `ROLES`, which contains a dict for each role with a `role_title` string and a `role_permissions` list (I figured it was easier in config than in the DB)
- Modify the api key creation process to allow for creating a key and selecting or assigning a role
- Write a function to evaluate the request to see if the sent api key is a member of a particular role, and check if that role is configured to allow for the action.
  - I'm thinking of something like:

```python
@route(bp, '/', spec=many)
def get_many(_params):
    # Role check for this endpoint's action title runs before the lookup
    check_role('groups.get')
    return groups.get_many(**_params)
```

I'm not sure if keys.sh is complete, or if I'm missing something. I'm lost on how keys.sh actually works so that I can modify the api_key creation process to allow for the role check.
I also wanted to see if there were any better ideas of how to accomplish the same goal.
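A deny-by-default sketch of the role check proposed in this issue, added here as an example; it is not redap's code and not the issue author's. `ROLES`, `role_title`, `role_permissions` and `check_role` follow the post; `KNOWN_ACTIONS`, `API_KEYS`, `requires`, `get_user` and the sample keys are hypothetical, and the key is passed explicitly so the block runs without a web framework.

```python
import hashlib
from functools import wraps

# Subset of the action titles from the post; ROLES entries outside it are rejected.
KNOWN_ACTIONS = {"groups.get", "groups.create", "groups.delete",
                 "groups.add_member", "users.get", "users.set_password"}
# Shape proposed in the post: a list of dicts with role_title / role_permissions.
ROLES = [
    {"role_title": "helpdesk", "role_permissions": ["users.get", "users.set_password"]},
    {"role_title": "group_admin", "role_permissions": ["groups.get", "groups.add_member"]},
]

def build_role_index(roles):
    """Validate the config once and return {role_title: frozenset(actions)}."""
    index = {}
    for role in roles:
        perms = frozenset(role["role_permissions"])
        unknown = perms - KNOWN_ACTIONS
        if unknown:  # a typo in config must fail at startup, not silently grant nothing
            raise ValueError(f"unknown actions in {role['role_title']}: {sorted(unknown)}")
        index[role["role_title"]] = perms
    return index

ROLE_INDEX = build_role_index(ROLES)

def _digest(api_key):
    return hashlib.sha256(api_key.encode()).hexdigest()

# Constructed key store (stands in for the api_key model): key digest -> role title.
API_KEYS = {_digest("demo-helpdesk-key"): "helpdesk",
            _digest("demo-orphan-key"): "role_removed_from_config"}

def check_role(action, api_key):
    """Deny by default: unknown key, unknown role or missing permission all fail."""
    role = API_KEYS.get(_digest(api_key or ""))
    if action not in ROLE_INDEX.get(role, frozenset()):
        raise PermissionError(f"{action} denied")

def requires(action):
    """Decorator form, so the handler body cannot run before the check."""
    def wrap(handler):
        @wraps(handler)
        def guarded(api_key, *args, **kwargs):
            check_role(action, api_key)
            return handler(*args, **kwargs)
        return guarded
    return wrap

@requires("users.get")
def get_user(name):  # hypothetical handler
    return {"user": name}
```

A key whose role has been deleted from `ROLES` is refused for every action, which is the failure mode to verify when roles live in config and keys live in the database.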