#1 2016-10-05 16:06:34

turrican
Member
From: Barcelona
Registered: 2015-06-05
Posts: 94

Tables, permissions and more...

Hi,

Currently I'm developing a simple application for multiple users and database sensitive data.

So, I am using TSQLRestServerAuthenticationDefault for security and it works as expected (no HTTP server security problems at all). But I have questions about tables and users...

Imagine the next scenario.

Table Books -> On this table I will R/W the authenticated user's books. So I put permissions to the User group to manage this table, but this table also contains books of other users. If a user (HTTP GET /books) returns all the books of the table and the books of the other users, I don't want to show them.

So what do I have to do?

Approach MVC -> Control GET/POST actions with controllers on the server. For example GET /bookscontroller (from here I can customize the searches), slower to develop.

Now I'm completely lost... I need to clarify concepts and ideas...

Somebody help me!

Last edited by turrican (2016-10-05 16:41:17)


#2 2016-10-10 15:48:47

turrican
Member
From: Barcelona
Registered: 2015-06-05
Posts: 94

Re: Tables, permissions and more...

No responses to this post? I think this post is very constructive for the framework and cannot be avoided.

#3 2016-10-10 15:55:18

AOG
Member
Registered: 2014-02-24
Posts: 490

Re: Tables, permissions and more...

This question has been asked before.
There is no row security feature. As there is no column security feature. Only table security.

You have to write your own method to get (limit) the data you want.
I have been struggling with the same!

#4 2016-10-10 17:34:38

turrican
Member
From: Barcelona
Registered: 2015-06-05
Posts: 94

Re: Tables, permissions and more...

Thanks AOG for your quick response.

So... I am going to generate a Model for the Public area with the specified methods, and a private one for administration roles.

Sorry if this question has been asked already, but I didn't find it. This is going to slow things down and redo most of my code...

Another question for the same context: How did you manage to split private methods and public methods? Have you used mORMot Auth?

#5 2016-10-10 19:56:43

warleyalex
Member
From: Sete Lagoas-MG, Brasil
Registered: 2013-01-20
Posts: 250

Re: Tables, permissions and more...

I think you can use a dedicated service, it will fulfill your needs. For more complete control, you may define some interface-based services, then set the per-interface or per-method security options, to allow/disallow each service for each user or group. For instance:

 Server.ServiceRegister(TServiceCalculator,[TypeInfo(ICalculator)],sicShared).
    DenyAll.AllowAllByName(['Supervisor']);

This will allow access to the ICalculator methods only for the Supervisor group of users.

More details about interface-based-services

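Added example, not part of the original thread and not mORMot code: a small Python/SQLite model of the approach from posts #3 and #5, where the generic table route is authorized per table only and a dedicated service method scopes rows to the authenticated session's user. The `Owner` column, the `Session` class, `SERVICE_ALLOW` and all function names are assumptions made for illustration; the rows are constructed sample data.

```python
import sqlite3

def make_db():
    """Constructed sample data: two users of the same group share one Books table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Books (ID INTEGER PRIMARY KEY, Owner INTEGER NOT NULL, Title TEXT)")
    db.executemany("INSERT INTO Books (Owner, Title) VALUES (?, ?)",
                   [(1, "Alice notes"), (1, "Alice ledger"), (2, "Bob diary")])
    return db

class Session:
    """Created by the server at login; user_id and group never come from request data."""
    def __init__(self, user_id, group):
        self.user_id, self.group = user_id, group

# Hypothetical per-method allow list, modelling "deny all, then allow by group name".
SERVICE_ALLOW = {"my_books": {"User"}, "get_book": {"User"}}

def _require(method, session):
    if session.group not in SERVICE_ALLOW.get(method, set()):
        raise PermissionError(f"group {session.group!r} may not call {method}")

def table_get_books(db, session, table_readers):
    """Generic table route: the check stops at the table, so every owner's rows return."""
    if session.group not in table_readers:
        raise PermissionError(f"group {session.group!r} may not read Books")
    return db.execute("SELECT ID, Owner, Title FROM Books ORDER BY ID").fetchall()

def my_books(db, session):
    """Dedicated service method: the row filter is the session's user, not a parameter."""
    _require("my_books", session)
    return db.execute("SELECT ID, Title FROM Books WHERE Owner = ? ORDER BY ID",
                      (session.user_id,)).fetchall()

def get_book(db, session, book_id):
    """The ID is client-controlled, so ownership is part of the query itself."""
    _require("get_book", session)
    row = db.execute("SELECT ID, Title FROM Books WHERE ID = ? AND Owner = ?",
                     (book_id, session.user_id)).fetchone()
    if row is None:
        raise LookupError("book not found")  # same answer for missing and not-owned rows
    return row
```

In this model the User group is taken off the table route's reader set once the service methods exist, so the only path to Books for ordinary users is the owner-scoped one.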

#6 2016-10-11 07:24:56

turrican
Member
From: Barcelona
Registered: 2015-06-05
Posts: 94

Re: Tables, permissions and more...

Thank you Warley.

It's a good idea. We are going to do the implementation of dedicated services and test if it works.
