Built-in get_allowed_permissions-style method to retrieve all allowed (action, resource) pairs for a given actor #1098
Comments
Thanks for opening the issue @asyncee! I agree this would be a nice feature to have — I'm imagining an API in the same vein as

It should be possible to get around the N+1 issue by setting up your policy like so:

```polar
has_role("Abhi", "writer");
role_allow("writer", "write", "Post 1");
role_allow("writer", "write", "Post 2");

allow(user, action, resource) if
    has_role(user, role) and
    role_allow(role, action, resource);
```

And then querying for:

```python
from oso import Variable

# `oso` is an Oso instance with the policy above already loaded.
abhi = "Abhi"
# Leave action and resource unbound so one query returns every allowed pair.
permissions = oso.query_rule("allow", abhi, Variable("action"), Variable("resource"), accept_expression=True)
for p in permissions:
    print(p)
```
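An added example (not from the thread or the oso project) that folds results shaped like those of the `query_rule` call above into the `[(action, resource)]` list the issue asks for. It assumes each result is a dict with a `bindings` entry and that actions and resources are plain strings as in the policy above; `UnresolvedConstraint`, the function names and the sample results are constructed for illustration.

```python
from collections import defaultdict


class UnresolvedConstraint:
    """Constructed stand-in for a non-ground binding (e.g. an expression)."""


def allowed_pairs(results):
    """Fold allow(actor, action, resource) results into ground pairs.

    Returns (pairs, skipped): sorted unique (action, resource) tuples and the
    number of results dropped because a binding was not a concrete string.
    """
    pairs, skipped = set(), 0
    for result in results:
        bindings = result.get("bindings", {})
        action, resource = bindings.get("action"), bindings.get("resource")
        # Fail closed: an unresolved constraint is not a grant.
        if isinstance(action, str) and isinstance(resource, str):
            pairs.add((action, resource))
        else:
            skipped += 1
    return sorted(pairs), skipped


def by_resource(pairs):
    """Group pairs into {resource: [actions]} for a single UI payload."""
    grouped = defaultdict(list)
    for action, resource in pairs:
        grouped[resource].append(action)
    return {resource: sorted(actions) for resource, actions in grouped.items()}


# Constructed sample results, shaped like the query output assumed above.
SAMPLE_RESULTS = [
    {"bindings": {"action": "write", "resource": "Post 1"}},
    {"bindings": {"action": "write", "resource": "Post 2"}},
    {"bindings": {"action": "write", "resource": "Post 1"}},  # same pair via another role
    {"bindings": {"action": "read", "resource": UnresolvedConstraint()}},
]

if __name__ == "__main__":
    pairs, skipped = allowed_pairs(SAMPLE_RESULTS)
    print(pairs, skipped, by_resource(pairs))
```

A non-zero `skipped` count is worth logging: it means the policy produced a result that this flattening could not express as a concrete permission.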
Great news, thanks, I'll try it!
It works great, not sure why this elegant solution missed my head :)
In fairness, it also missed mine while I was talking to you on Slack before you opened this issue haha. I re-read the issue and had an "aha" moment 😆 FWIW I still think we could ultimately add a built-in
get_allowed_permissions-style method to retrieve all allowed (action, resource) pairs for a given actor
@asyncee does the new issue title look good? Feel free to adjust
Very accurate, looks good.
This seems like, from an implementation perspective, it would pair well with #1427 as a pull request in one go |
Hello!

We are creating an RBAC implementation based on OSO and it is working fine.

Currently the library provides a way to retrieve actions for a single resource using oso.get_allowed_actions(). For example, John can "read" a "Post 1". By asking oso.get_allowed_actions("Josh", "Post 1") we can get the following result: ["read"].

Unfortunately, our project has a complex UI so it is not possible to ask the backend for available actions per resource on the page because it may cause:

Is it possible to somehow get a result like [("read", "Post 1")] in a single query? We are trying to feed the UI with all available permissions using one HTTP query.

We managed to get almost the desired results using the following Python code:

Provided solution
Expression to figure out which instance (object) is described in results

It would be great to have a way to achieve this task in a more readable and performant way.

Thanks!