schrockwell / bodyguard

Simple authorization conventions for Phoenix apps

Home Page:https://hexdocs.pm/bodyguard/

Allow to return `{:ok, data}` from authorize callbacks?

ssbb opened this issue

Hi!

I am thinking about the possibility of providing some extra context for permissions. Like not just the fact that the user can do something, but also why. Something like this:

```elixir
def authorize(:edit_post, user, post) do
  cond do
    # grant, and say which rule granted it
    user.is_admin -> {:ok, :admin}
    post.user_id == user.id -> {:ok, :author}
    # deny, with a human-readable reason
    true -> {:error, "Only administrators and authors can edit posts."}
  end
end
```

I am thinking about preparing a PR, but it does not make sense if you think it doesn't fit into the lib's scope, etc.

Not saying you should not do this, but honestly I would keep the "why" closer to the surface. Like the controller. The reason is you may want to respond according to your interface later.

This would unfortunately break the core API specification and would require a major version bump per SemVer, which is just not in the cards right now. And also I agree with @joshchernoff that this is solving an issue different from authorization. Thank you for the proposal.
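As an added illustration of the alternative suggested above (example code, not from the bodyguard project or from anyone in this thread): the policy stays on the plain `:ok` / `{:error, reason}` contract and only varies the *reason* it denies with, while the positive "why" (admin vs. author) is derived in the controller. It assumes that `Bodyguard.permit/4` hands the callback's result back unchanged, and `MyApp.Blog.update_post/3` with its `edited_as:` option is a hypothetical application function.

```elixir
defmodule MyApp.Blog.Policy do
  @behaviour Bodyguard.Policy

  # Deny with a distinct atom per rule rather than a string, so callers can
  # pattern-match on it. Grants are a bare :ok; the "why" of a grant is not
  # encoded in the policy.
  def authorize(:edit_post, user, post) do
    cond do
      user.is_admin -> :ok
      post.user_id == user.id -> :ok
      true -> {:error, :not_author_or_admin}
    end
  end

  def authorize(:delete_post, user, _post) do
    if user.is_admin, do: :ok, else: {:error, :admin_only}
  end
end

defmodule MyAppWeb.PostController do
  use MyAppWeb, :controller

  def update(conn, %{"id" => id, "post" => post_params}) do
    user = conn.assigns.current_user
    post = MyApp.Blog.get_post!(id)

    case Bodyguard.permit(MyApp.Blog.Policy, :edit_post, user, post) do
      :ok ->
        # The positive "why" is decided here, at the surface, where the
        # interface (audit trail, UI hint, API field) actually needs it.
        role = if user.is_admin, do: :admin, else: :author
        # hypothetical application call; records which rule allowed the edit
        {:ok, post} = MyApp.Blog.update_post(post, post_params, edited_as: role)
        redirect(conn, to: "/posts/#{post.id}")

      {:error, reason} ->
        # The reason atom is mapped to wording at the interface layer, so the
        # policy never has to change when the message or format does.
        conn
        |> put_status(:forbidden)
        |> put_flash(:error, deny_message(reason))
        |> redirect(to: "/posts/#{post.id}")
    end
  end

  defp deny_message(:not_author_or_admin), do: "Only administrators and authors can edit posts."
  defp deny_message(:admin_only), do: "Only administrators can delete posts."
  defp deny_message(_), do: "You are not allowed to do that."
end
```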