Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Finer grained permissions #101

Closed
Natim opened this issue Jul 1, 2015 · 2 comments
Closed

Finer grained permissions #101

Natim opened this issue Jul 1, 2015 · 2 comments
Labels
protocol scope: permissions

Comments

@Natim
Copy link
Member

Natim commented Jul 1, 2015

Today, when we give the collection:write permission it implies the right to share this collection to anyone.

When you are logging in some application, you might want to refrain it to share your data.

A good way to do that is to explicitly ask for permission using scopes.

My proposal is to not give any permission with the kinto scope but to only allow permission to what defines in the scope:

  • todo:tasks:write
  • todo:tasks:permission
  • todo:tasks:schema
@Natim Natim added the question label Jul 1, 2015
@leplatrem leplatrem changed the title Define a way to restrain an app from updating permissions Finer grained permissions May 27, 2016
@leplatrem
Copy link
Contributor

Use-case exposed by @almet and @Natim :

A collection has a schema. A formbuilder needs to read that schema to render the form. In order to read that collection object, we currently need to set read on the collection, which also gives the permissions to read every records! If the form is a poll for example, we only want to give record:create, but certainly not the permission to read every record.

Workaround: use two collections: one for the schema, one for the records.

@leplatrem leplatrem mentioned this issue May 27, 2016
Closed
@Natim
Copy link
Member Author

Natim commented May 27, 2016

Workaround: use two collections: one for the schema, one for the records.

This means that you need to create a collection with a JSONSchema validator to validate that the schema you enter in the form list is valid.

This was referenced Sep 28, 2016
Closed
Merged
leplatrem added a commit that referenced this issue Oct 4, 2016
@leplatrem
Merge pull request #828 from Kinto/803-parent-metadata-with-child-cre…
bb8e66d 
…ation

Parent metadata with child creation (fixes #803, #101)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
protocol scope: permissions
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Natim @leplatrem