This thread concerns integrating the new feathers-permissions with the new populate++, serialize, etc.
Here are my thoughts.
(1) Populate: Let's take Purchase Requests as an example. Accounting UIs want to show things like invoices and general ledger numbers along with the PR. Purchasing UIs want to show things like receiving slips along with the PR. I would argue that the app decides what type of populate it needs and the hooks have almost no decisions to make.
We can't of course allow a curl command to get whatever it wants, even if another curl was first used to authenticate to a random user. So perhaps populate++ can ensure an Accounting PR populate is at least requested by a user/API/IoT that has Accounting permissions.
So maybe we can have

```js
const populations = {
  favorites: {
    // alternative syntaxes for permissions (pick one):
    permissions: 'acct',
    // permissions: ['aaa', 'bbb'],
    // permissions: (hook) => true,
    include: {
      // ... (include definitions)
    },
  },
};
```

Do we allow permissions just at the base record, or do we allow them on every include'd table? I would like populate structures to be composable, though I'm not sure how effective that would be in practice. Permissions at every table would be needed.
(2) Serialize: Let's take Payroll as an example, and that we have a populated Employee item. The Payroll Manager is allowed to see the salaries of other department heads, while Payroll Clerks are not. The situation can grow into something more complicated.
I think the server has to decide on the proper serialization and call `hook.serialize(serializers.employee_manager)` with the correct serialization schema from

```js
const serializers = {
  employee_manager: { /* ... */ },
  employee_clerk: { /* ... */ },
};
```
We can standardize this with something like

```js
const serializerPermissions = {
  employee: [
    { permissions: ['payroll-mgr'], serializer: serializers.employee_manager },
    { permissions: 'payroll-clerk', serializer: serializers.employee_clerk },
  ],
};

hooks.serializeWithPermissions((hook) => serializers.employee_manager);
// or
hooks.serializeWithPermissions(serializerPermissions.employee);
```
The serializer decision occurs only at the base record.
(3) If populate and serialize do have different permission needs, then @ekryski's proposal to separate the hooks was even smarter.
(4) Concerns
- We are allowing only `or`s on the permissions.
- I need to read up on feathers-permissions (sic).
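As an added example that is not part of the post above nor of the feathers-hooks-common or feathers-permissions code, here is a minimal model of the design sketched in the thread: the three alternative `permissions` syntaxes resolved with the OR semantics the post raises as a concern, a populate guard that checks permissions at the base record and at every include'd table, and a server-side `serializeWithPermissions` that picks the serializer from the caller's roles. The function names, the `hook.params.user.roles` shape, the `only`/`include` serializer schema and all sample data are assumptions constructed for the example.

```javascript
// Added example (not the project's own code): permission-gated populate and
// serialize, modelled on the proposal in the thread. Assumes the caller's
// roles live at hook.params.user.roles and that a serializer schema lists
// the fields to keep under `only`, with nested schemas under `include`.

// Evaluate the three alternative `permissions` syntaxes against a hook:
// a string (one role), an array (any one of the roles: OR semantics, which is
// the "only `or`s" limitation noted in the thread), or a predicate over the
// hook. A missing `permissions` key means "no restriction".
function permitted(permissions, hook) {
  const roles = (hook.params.user && hook.params.user.roles) || [];
  if (permissions === undefined) return true;
  if (typeof permissions === 'function') return Boolean(permissions(hook));
  if (Array.isArray(permissions)) return permissions.some(p => roles.includes(p));
  return roles.includes(permissions);
}

// Populate guard: walk the populate schema and reject the request if the
// caller lacks permission for the base record or for any nested include,
// so a caller cannot pull in a table it is not entitled to see.
function checkPopulatePermission(schema, hook, path = 'base') {
  if (!permitted(schema.permissions, hook)) {
    throw new Error(`populate not permitted at ${path}`);
  }
  for (const [name, sub] of Object.entries(schema.include || {})) {
    checkPopulatePermission(sub, hook, `${path}.${name}`);
  }
  return true;
}

// Tiny serializer: keep only whitelisted fields, recursing into named
// sub-objects that carry their own schema. Unlisted fields are dropped.
function applySerializer(schema, item) {
  const out = {};
  for (const field of schema.only || []) {
    if (field in item) out[field] = item[field];
  }
  for (const [field, sub] of Object.entries(schema.include || {})) {
    if (item[field] !== undefined) out[field] = applySerializer(sub, item[field]);
  }
  return out;
}

// Serializer selection decided on the server from the caller's roles.
// Entries are tried in order and the first whose permissions match wins,
// so the most privileged serializer is listed first. A caller matching no
// entry gets nothing rather than a default view.
function serializeWithPermissions(entries) {
  return function (hook) {
    const chosen = entries.find(e => permitted(e.permissions, hook));
    if (!chosen) throw new Error('no serializer permitted for caller');
    hook.result = applySerializer(chosen.serializer, hook.result);
    return hook;
  };
}

// Constructed sample schemas, mirroring the thread's Payroll and PR cases.
const serializers = {
  employee_manager: { only: ['name', 'dept', 'salary'] },
  employee_clerk: { only: ['name', 'dept'] },
};
const serializerPermissions = {
  employee: [
    { permissions: ['payroll-mgr'], serializer: serializers.employee_manager },
    { permissions: 'payroll-clerk', serializer: serializers.employee_clerk },
  ],
};
const populations = {
  acctPR: {
    permissions: 'acct',
    include: {
      invoices: { permissions: ['acct', 'ap'] }, // either role suffices (OR)
      glEntries: { permissions: 'gl' },          // requires the gl role too
    },
  },
};

// Constructed hook context in the shape this example assumes.
function makeHook(roles, result) {
  return { params: { user: { roles } }, result };
}

// Serialize the same populated Employee for a clerk and for a manager.
function demo() {
  const employee = { name: 'A. Head', dept: 'Sales', salary: 120000, notes: 'internal' };
  const serialize = serializeWithPermissions(serializerPermissions.employee);
  const asClerk = serialize(makeHook(['payroll-clerk'], { ...employee }));
  const asMgr = serialize(makeHook(['payroll-mgr'], { ...employee }));
  return { clerk: asClerk.result, manager: asMgr.result };
}
```

Two design points worth keeping even in a toy: the serializer choice happens on the server from the authenticated roles, never from anything the request body asks for, and the populate guard fails on the first include the caller is not entitled to rather than silently dropping that branch, so a permission mismatch surfaces in logs instead of producing a partially populated record.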