Authorization
Declaring Logic
Analogous to logic declarations, developers declare filters for users' roles (role-based access control). A user can have multiple roles; a user's filters are ANDed together.
Roles are typically defined elsewhere (LDAP, AD, an external SQL database) and accessed at runtime via the Authentication-Provider. Roles simplify administration, since there are typically far fewer roles than users, and roles change less often. You may elect to define the roles in your code to get code completion, as shown below.
Sample
This is illustrated in the sample application security/declare_security.py:
from security.system.security_manager import Grant, Security
from database import models
import safrs

db = safrs.DB
session = db.session


class Roles:
    """ Define Roles here, so you can use code completion (Roles.tenant) """
    tenant = "tenant"
    renter = "renter"


Grant(on_entity=models.Category,  # multi-tenant example
      to_role=Roles.tenant,
      filter=models.Category.Client_id == Security.current_user().client_id)  # User table attributes

Grant(on_entity=models.Category,
      to_role=Roles.renter,
      filter=models.Category.Id == 2)
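To make the composition rule concrete, the following is an added, self-contained stand-in for the semantics described above; it is not the project's own Grant or Security classes, and the Category rows, the User class and the behaviour for an entity with no grant are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample rows standing in for models.Category (not the project's data)
CATEGORIES = [
    {"Id": 1, "CategoryName": "Beverages", "Client_id": 1},
    {"Id": 2, "CategoryName": "Condiments", "Client_id": 1},
    {"Id": 3, "CategoryName": "Produce", "Client_id": 2},
    {"Id": 4, "CategoryName": "Seafood", "Client_id": 2},
]


@dataclass
class User:
    """Assumed shape of the authenticated user: roles come from the Authentication-Provider."""
    name: str
    client_id: int
    roles: set

# A filter here is a row predicate; in the real product it is a SQLAlchemy expression.
Filter = Callable[[dict, User], bool]

GRANTS: dict = {}  # entity -> role -> [filters]


def grant(on_entity: str, to_role: str, filter_fn: Filter) -> None:
    """Register a filter for one role on one entity (mirrors the Grant(...) declaration)."""
    GRANTS.setdefault(on_entity, {}).setdefault(to_role, []).append(filter_fn)


def visible_rows(entity: str, rows: list, user: User) -> list:
    """Apply every filter granted to any of the user's roles, ANDed together, as the page states."""
    filters = [f for role in sorted(user.roles) for f in GRANTS.get(entity, {}).get(role, [])]
    if not filters:
        return list(rows)  # assumption for this example: no grant on the entity means no restriction
    return [row for row in rows if all(f(row, user) for f in filters)]


# The two declarations from the sample, expressed as predicates
grant("Category", "tenant", lambda row, user: row["Client_id"] == user.client_id)
grant("Category", "renter", lambda row, user: row["Id"] == 2)

if __name__ == "__main__":
    both = User("carol", 1, {"tenant", "renter"})
    # tenant filter (Client_id == 1) AND renter filter (Id == 2) leaves only Condiments
    print([r["CategoryName"] for r in visible_rows("Category", CATEGORIES, both)])
```

A user holding both roles but belonging to client 2 sees nothing, because the renter row (Id 2) fails the tenant filter; that is the practical effect of ANDing filters across roles.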
You can test it via the Admin App, or via cURL.
Admin App
Click Category in the Admin App:
cURL
As shown in the first diagram above, you can also test with this cURL command:
curl -X 'GET' \
'http://localhost:5656/api/Category/?fields%5BCategory%5D=Id%2CCategoryName%2CDescription&page%5Boffset%5D=0&page%5Blimit%5D=10&sort=id' -H 'accept: application/vnd.api+json' -H 'Content-Type: application/vnd.api+json'