Monday, 13 May 2013

Best Practice for Xataface Permissions : NO ACCESS Unless ....

Xataface has a rich permissions system that offers quite a bit of flexibility in how you implement permissions.  A typical pattern for implementing permissions in Xataface is to add a "role" field to the users table to specify the user's role, and use this inside your getPermissions() methods to help determine what permissions should be granted to the user.

Many developers will take this pattern and then implement a getPermissions() method in their application delegate class similar to the following:

To summarize this strategy, it entails:

  1. Returning the permissions assigned to the current user's role (which would be defined in the permissions.ini file).
  2. Returning no permissions if either the user isn't logged in or they don't have a value in their 'role' field.

While this approach may work, it could open up some security holes if you're not very careful.  Since you have defined the permissions in the application delegate class, these will be used as the default permissions for every table in the database.  If you have some tables that include private information (which will likely be the majority of your tables), you would need to explicitly provide more limited permissions on each of those tables individually by implementing getPermissions() methods in their respective delegate classes.

A Better Approach : Default NO ACCESS; Grant More As Needed

A better approach would be to grant NO ACCESS to all users, except for administrative users, at the application level.  Then you can grant additional permissions as needed at the table level.  E.g.

This grants users with a role of 'ADMIN' all permissions in the system, and no access to anyone else.
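The following is an added illustration of the deny-by-default pattern and is not code from the original post. It assumes a table named `articles` and a role value `INTERN` in the users table; the application delegate lives in conf/ApplicationDelegate.php and the table delegate in tables/articles/articles.php, so the two classes below belong in separate files. The `EDIT` role is assumed to be defined in permissions.ini.

```php
<?php
// File 1 (assumed path): conf/ApplicationDelegate.php
// Application-wide default: every table starts out with NO ACCESS,
// and only users whose role is ADMIN get everything.
class conf_ApplicationDelegate {
    function getPermissions($record) {
        $auth = Dataface_AuthenticationTool::getInstance();
        $user = $auth->getLoggedInUser();   // Dataface_Record or null
        if ($user && $user->val('role') === 'ADMIN') {
            return Dataface_PermissionsTool::ALL();
        }
        // Not logged in, no role, or an unknown role: deny by default.
        return Dataface_PermissionsTool::NO_ACCESS();
    }
}

// File 2 (assumed path): tables/articles/articles.php
// Widen permissions only for this one table. Tables without a delegate
// (e.g. the users table) keep the NO ACCESS default from File 1.
class tables_articles {
    function getPermissions($record) {
        $auth = Dataface_AuthenticationTool::getInstance();
        $user = $auth->getLoggedInUser();
        if ($user) {
            $role = $user->val('role');
            if ($role === 'ADMIN') {
                return Dataface_PermissionsTool::ALL();
            }
            if ($role === 'INTERN') {
                // Assumed role name; 'EDIT' must exist in permissions.ini.
                return Dataface_PermissionsTool::getRolePermissions('EDIT');
            }
        }
        // Anyone else, including anonymous visitors, may only read this table.
        return Dataface_PermissionsTool::READ_ONLY();
    }
}
```

Because the widening happens per table, forgetting to write a delegate for a new table leaves it inaccessible rather than exposed, which is the point of the approach.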

2 comments:

  1. I have two tables. One a users table and one I want anyone to see at anytime regardless of whether they are logged in or not.

    We have interns, I gave them edit permissions but I don't want them to have access to the users table. And I don't want anyone who isn't logged in to see the users table.

    So I am following your best practices but am not sure how to proceed once I am ready to work in the tables directory.

    I have been through a lot of the website today and have come close to getting what I need but am about three feet from my goal.

    Can you give me a link to the part that talks about setting up permissions under the table directory?

    Thanks.

    Replies
    1. Never mind. I just needed rest. Nailed it!