#615: Authorization for public handlers by mario-nt · Pull Request #662 · torrust/torrust-index

mario-nt · 2024-07-03T20:35:06Z

Parent issue: #615

…ser id

…optional user id

josecelano

Hi @mario-nt, the PR is good, however I'm missing something we had discussed some days ago.

When the user is not authorized because is not authenticated I would keep returning a 401, instead of changing the API.

I would add a new service error for the case when guest user is not authorized. The error name could be one of these:

ServiceError::UnauthorizedActiognForGuests
ServiceError::GuestUnauthorized
ServiceError::MissingCredentials
ServiceError::Unauthorized
ServiceError::AuthenticationRequired
ServiceError::UserCredentialsRequired

We already have a similar error for that:

ServiceError::LoggedInUserNotFound => StatusCode::UNAUTHORIZED, // 401

But I suppose we don't need the ExtractLoggedInUser extractor anymore. I would use:

ServiceError::UnauthorizedActiognForGuests => StatusCode::UNAUTHORIZED, // 401

In general, I prefer to be explicit about the error that has happened instead of how to solve it. The error message can contain instructions to fix it. For example:

"Unauthorized actions for guest. Try logging in to check if you have permission to perform the action"

And I would change this method:

pub async fn authorize(&self, action: ACTION, maybe_user_id: Option<UserId>) -> std::result::Result<(), ServiceError> {
    let role = self.get_role(maybe_user_id).await;

    let enforcer = self.casbin_enforcer.enforcer.read().await;

    let authorize = enforcer
        .enforce((role, action))
        .map_err(|_| ServiceError::UnauthorizedAction)?;

    if authorize {
        Ok(())
    } else {
        Err(ServiceError::UnauthorizedAction)
    }
}

To:

pub async fn authorize(&self, action: ACTION, maybe_user_id: Option<UserId>) -> std::result::Result<(), ServiceError> {
    let role = self.get_role(maybe_user_id).await;

    let enforcer = self.casbin_enforcer.enforcer.read().await;

    let authorized = enforcer
        .enforce((role, action))
        .map_err(|_| ServiceError::UnauthorizedAction)?;

    if authorized {
        Ok(())
    } else {
        if role == Role::guest {
            Err(ApiError::UserCredentialsRequired) // Guest users are not authorized for this action
        } else {
            Err(ServiceError::UnauthorizedAction) // Authenticated user lacks necessary permissions
        }
    }
}

josecelano · 2024-08-05T16:10:31Z

ACK f38b628

mario-nt temporarily deployed to coverage July 3, 2024 20:35 — with GitHub Actions Inactive

mario-nt mentioned this pull request Jul 3, 2024

Use Casbin for the authorization layer #615

Closed

5 tasks

mario-nt temporarily deployed to coverage July 6, 2024 15:07 — with GitHub Actions Inactive

mario-nt temporarily deployed to coverage July 6, 2024 22:15 — with GitHub Actions Inactive

mario-nt had a problem deploying to coverage July 7, 2024 16:15 — with GitHub Actions Failure

mario-nt force-pushed the 615-public-handlers-authorization branch from fa88449 to 0f72b2b Compare July 7, 2024 16:17

mario-nt temporarily deployed to coverage July 7, 2024 16:17 — with GitHub Actions Inactive

mario-nt temporarily deployed to coverage July 7, 2024 16:45 — with GitHub Actions Inactive

mario-nt temporarily deployed to coverage July 10, 2024 11:47 — with GitHub Actions Inactive

mario-nt temporarily deployed to coverage July 10, 2024 11:53 — with GitHub Actions Inactive

mario-nt temporarily deployed to coverage July 10, 2024 11:56 — with GitHub Actions Inactive

mario-nt temporarily deployed to coverage July 10, 2024 15:00 — with GitHub Actions Inactive

mario-nt temporarily deployed to coverage July 12, 2024 15:37 — with GitHub Actions Inactive

mario-nt temporarily deployed to coverage July 12, 2024 15:57 — with GitHub Actions Inactive

mario-nt temporarily deployed to coverage July 12, 2024 20:19 — with GitHub Actions Inactive

mario-nt force-pushed the 615-public-handlers-authorization branch from 71a368e to 27fa27d Compare July 12, 2024 20:45

mario-nt had a problem deploying to coverage July 12, 2024 20:45 — with GitHub Actions Failure

mario-nt had a problem deploying to coverage July 13, 2024 13:42 — with GitHub Actions Failure

mario-nt had a problem deploying to coverage July 14, 2024 17:39 — with GitHub Actions Failure

da2ce7 self-requested a review July 16, 2024 16:20

mario-nt had a problem deploying to coverage July 17, 2024 12:09 — with GitHub Actions Failure

mario-nt force-pushed the 615-public-handlers-authorization branch from 29232e0 to 70f3c2a Compare July 17, 2024 12:25

mario-nt temporarily deployed to coverage July 17, 2024 12:25 — with GitHub Actions Inactive

mario-nt temporarily deployed to coverage July 17, 2024 12:56 — with GitHub Actions Inactive

mario-nt temporarily deployed to coverage July 17, 2024 14:53 — with GitHub Actions Inactive

mario-nt temporarily deployed to coverage July 17, 2024 21:18 — with GitHub Actions Inactive

mario-nt temporarily deployed to coverage July 17, 2024 21:51 — with GitHub Actions Inactive

mario-nt had a problem deploying to coverage July 21, 2024 14:27 — with GitHub Actions Failure

mario-nt had a problem deploying to coverage July 22, 2024 18:06 — with GitHub Actions Failure

mario-nt had a problem deploying to coverage July 22, 2024 21:48 — with GitHub Actions Failure

mario-nt added 3 commits August 3, 2024 16:33

refactor: [torrust#615] upload torrent handler now uses an optional u…

836c94d

…ser id

refactor: [torrust#615] renamed error to be more human friendly

42fb031

fix: [torrust#615] adjusted http error code for test so it pass

e527867

mario-nt force-pushed the 615-public-handlers-authorization branch from 51316d1 to e527867 Compare August 3, 2024 15:10

mario-nt had a problem deploying to coverage August 3, 2024 15:10 — with GitHub Actions Failure

mario-nt had a problem deploying to coverage August 3, 2024 16:22 — with GitHub Actions Failure

mario-nt added 2 commits August 3, 2024 18:40

refactor: [torrust#615] added missing error to function comments

00c293c

refactor: [torrust#615] added missing error to handler comments

dbcd0e1

mario-nt force-pushed the 615-public-handlers-authorization branch from 2df5448 to dbcd0e1 Compare August 3, 2024 16:41

mario-nt had a problem deploying to coverage August 3, 2024 16:41 — with GitHub Actions Failure

refactor: [torrust#615] change password handler and function now use …

c22c919

…optional user id

mario-nt had a problem deploying to coverage August 4, 2024 10:57 — with GitHub Actions Failure

refactor: [torrust#615] handlers and functions now use optional user id

6010155

mario-nt had a problem deploying to coverage August 4, 2024 15:54 — with GitHub Actions Failure

refactor: [torrust#615] changed status code so tests pass

0360517

mario-nt had a problem deploying to coverage August 4, 2024 17:40 — with GitHub Actions Failure

refactor: [torrust#615] change test http return code

d8b3ee2

mario-nt had a problem deploying to coverage August 4, 2024 20:56 — with GitHub Actions Failure

mario-nt requested a review from josecelano August 4, 2024 21:13

mario-nt marked this pull request as ready for review August 4, 2024 21:13

josecelano added this to the v3.0.0 milestone Aug 5, 2024

josecelano self-assigned this Aug 5, 2024

josecelano requested changes Aug 5, 2024

View reviewed changes

mario-nt had a problem deploying to coverage August 5, 2024 15:41 — with GitHub Actions Failure

refactor: [torrust#615] new authorization error for guest users

f38b628

mario-nt force-pushed the 615-public-handlers-authorization branch from 8e85f51 to f38b628 Compare August 5, 2024 16:02

mario-nt had a problem deploying to coverage August 5, 2024 16:03 — with GitHub Actions Failure

josecelano approved these changes Aug 5, 2024

View reviewed changes

josecelano merged commit a39ad21 into torrust:develop Aug 5, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

#615: Authorization for public handlers#662

#615: Authorization for public handlers#662
josecelano merged 36 commits intotorrust:developfrom
mario-nt:615-public-handlers-authorization

mario-nt commented Jul 3, 2024

Uh oh!

josecelano left a comment

Uh oh!

josecelano commented Aug 5, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

mario-nt commented Jul 3, 2024

Uh oh!

josecelano left a comment

Choose a reason for hiding this comment

Uh oh!

josecelano commented Aug 5, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants