Story #7227
closed
Permission checking
0%
Description
Ticket moved to GitHub: "pulp/pulpcore/1918":https://github.com/pulp/pulpcore/issues/1918
We need a way to check the permissions that a user has before they perform a given action. This is necessary for building UIs where some elements on the page (such as administrator functions) need to be turned off if a user.
The current RBAC implementation can provide a list of permissions for the current user and the current access policy, but this is insufficient for applications such as UIs because DRF Access Policy contains conditionals that are evaluated on the backend and can't be evaluated on the UI.
My proposed solution for this problem is to create an endpoint where the user can pass in an API path and a set of actions, and get back a whether or not the user has permission to perform the given actions. So, for example:
Request:
{
"url": "/api/automation-hub/v3/namespaces/"
"actions": [
"delete",
"update",
"create",
"view"
]
}
Response:
{
"permissions": {
"delete": false,
"create": true,
"view": true,
"update": true
}
}
.