Giters

curiosum-dev / permit

An uniform authorization library for Elixir. Supports Plug and Phoenix LiveView, aims for much more.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Define permissions for users, not roles

vincentvanbush opened this issue · comments

commented

Right now permissions are defined this way:

def can(%{role: :owner} = role) do
  grant(role)
  |> all(Record, fn subject, object -> object.owner_id == subject.id end)
end

This is based on an expectation that a struct of our app's user (%User{} for instance) has a :role key, under which there is a map of whatever constitutes data of a user's role. It will not always be convenient to have to look into user.role for everyting, since we might for example want to load records owned by a user - in the example above we can read the user's ID inside the anonymous fn, but we cannot do all(Record, owner_id: subject.id) because the subject is not available.

Because we want to construct queries as described in #2, it would be better to put the subject in the argument and not its role struct:

def can(%User{id: id, role: %{role: owner}} = subject) do
  grant(subject)
  |> all(Record, owner_id: subject.id)
end