Add group support for authorization #37

Open
mikesparr opened this issue Feb 6, 2019 · 3 comments
@mikesparr
Owner

Often a user is a member of one or more groups, and may have permissions specific to that group that differ from others, or access to resources owned by that group. We should add support for groups and authorization based on group membership.

@mikesparr mikesparr self-assigned this Feb 6, 2019
@barbarosso

Hi mikesparr,
Do you have any ideas how to implement this?

I would like to help on this feature, and would like to create a pull request, but I'm not sure how to implement this.

Regards
Pascal

@mikesparr
Owner Author

It's been a few months since I was working on this. There are a couple of ways to do it, either leveraging the graph (bi-directional node / relation table) and adding user associations MEMBER_OF to a Group node. Then when performing the authorization check, fetch all the associations of the user of desired otype (object type), and if the resource is also a member of that, then determine if isOwnerOrMember should be true.

Another way to do it is using the relational DB and add a Group entity with relations to User and similar check when authorizing the actions. I haven't decided yet which direction I wanted to take but all the pieces are in place to implement either. The key is in your DAO when you're authorizing the method, you perform a query at the top to check if they are a member of the group the resource is linked to, and then set the isOwnerOrMember accordingly.

If I find time this Summer I'll revisit and implement but this was meant as a starter that anyone could then extend to their liking/needs. Hopefully those ideas help you with your project. ;-)

@barbarosso

Hi @mikesparr ,
I'll go for the second option, the graph way is still a bit fuzzy for me.

thx
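
A sketch of the second (relational) option discussed in this thread, added as an example; it is not code from the project or from either participant. Apart from `isOwnerOrMember`, every name here (`authorize`, `isMemberOfResourceGroup`, the grant shape, the sample users and resources) is hypothetical, and in-memory arrays stand in for the Group/User join tables.

```typescript
// Added example: relational-style group lookup that feeds isOwnerOrMember.
// Hypothetical names throughout; arrays below are constructed stand-ins for DB tables.
type User = { id: string };
type Resource = { id: string; ownerId: string };
type Grant = { role: string; action: string; scope: "any" | "own" };

// Constructed sample rows: [userId, groupId] and [resourceId, groupId].
const userGroups: Array<[string, string]> = [["alice", "eng"], ["bob", "sales"], ["carol", "eng"]];
const resourceGroups: Array<[string, string]> = [["doc-1", "eng"]];
const userRoles: Record<string, string> = { alice: "user", bob: "user", carol: "guest", root: "admin" };
const grants: Grant[] = [
  { role: "admin", action: "update", scope: "any" },
  { role: "user", action: "update", scope: "own" },
];

// The query a DAO method would run first: does the user share a group with the resource?
function isMemberOfResourceGroup(user: User, resource: Resource): boolean {
  const mine = new Set(userGroups.filter(([u]) => u === user.id).map(([, g]) => g));
  return resourceGroups.some(([r, g]) => r === resource.id && mine.has(g));
}

// Ownership or shared group membership both satisfy the flag.
function resolveIsOwnerOrMember(user: User, resource: Resource): boolean {
  return resource.ownerId === user.id || isMemberOfResourceGroup(user, resource);
}

// Deny by default: unknown users and missing grants fail, and an "own"
// grant only applies when isOwnerOrMember is true for this resource.
function authorize(user: User, action: string, resource: Resource): boolean {
  const role = userRoles[user.id];
  if (role === undefined) return false;
  const isOwnerOrMember = resolveIsOwnerOrMember(user, resource);
  return grants.some(
    (g) => g.role === role && g.action === action && (g.scope === "any" || isOwnerOrMember)
  );
}

const doc1: Resource = { id: "doc-1", ownerId: "dave" }; // linked to group "eng"
const doc2: Resource = { id: "doc-2", ownerId: "bob" };  // no group link

console.log(authorize({ id: "alice" }, "update", doc1)); // group member of doc-1
console.log(authorize({ id: "bob" }, "update", doc1));   // different group, not owner
```

Group membership only widens who counts as owner-or-member; a role with no matching grant (the constructed `guest` role above) is still denied even when the user shares the resource's group.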
