Resolve "User access management."

Hadrien Froger requested to merge 9-gestion-des-acces-utilisateur into main
  • chore: add a policy to limit access to account's members
  • chore: limit access to instance model.

This MR creates a new flexible policy for account membership checking. As we already know we will need guest accounts, we prepared the policy to be able to handle membership of administrators in a flexible way. Closes #9

  • Creates a policy api::account.account-team that requires a configuration object to be changed.
  • Makes an example limiting access/update of the api::instance.instance model.

Documentation of the policy

This is a generic policy for restricting an API access to an account member.

Use case

A model is managed by an account, and account members can only access their instance. Account members can have different permission models, like administrators, guests, etc.

Configuration

  • scope: the field name of Account we need to look at (optional, default: administrators). The designated field should be a relationship to user-permissions.
  • model: the Strapi UID for the model to query. For example: "api::instance.instance" (required, default: undefined)
  • foreignKey: the model's foreignKey to link to account. Supports one-to-one relationships only. (optional, default: "account")

Example: restrict update

// /src/api/instance/graphql/resolvers.js
const onlyAdmins = {
  name: "api::account.account-team",
  config: {
    model: "api::instance.instance",
    foreignKey: "account",
    scope: "administrators",
  },
};
module.exports = {
  resolversConfig: {
    "Mutation.updateInstance": {
      policies: [onlyAdmins],
    }
  }
}

Inspired by https://github.com/strapi/documentation/issues/600

Edited by Hadrien Froger
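
One way a membership policy with the documented configuration could be written for Strapi v4, as an added sketch that is not the code from this merge request. The names isAccountMember and accountTeam, the sample data and the stub strapi object are constructed for illustration; it assumes the target id arrives in policyContext.args.id and the authenticated user in policyContext.state.user.

```javascript
// Added sketch, not the MR's code. Defaults mirror the documented configuration.
const DEFAULTS = { scope: "administrators", foreignKey: "account" };

// Pure decision: is `userId` listed in entity[foreignKey][scope]?
// Fails closed on any missing link (no entity, no account, no relation).
function isAccountMember(entity, userId, config = {}) {
  const { scope, foreignKey } = { ...DEFAULTS, ...config };
  if (userId == null || !entity) return false;
  const account = entity[foreignKey];
  const members = account && account[scope];
  if (!Array.isArray(members)) return false;
  // Compare as strings: ids may arrive as numbers or as GraphQL ID strings.
  return members.some((m) => String(m.id) === String(userId));
}

// Strapi v4 policy shape: (policyContext, config, { strapi }) => boolean.
async function accountTeam(policyContext, config = {}, { strapi }) {
  if (!config.model) throw new Error("account-team: 'model' is required");
  const { scope, foreignKey } = { ...DEFAULTS, ...config };
  const user = policyContext.state && policyContext.state.user;
  const id = policyContext.args && policyContext.args.id;
  if (!user || id == null) return false; // unauthenticated or no target: deny
  // Load the target with its account and only the relation named by `scope`.
  const entity = await strapi.entityService.findOne(config.model, id, {
    populate: { [foreignKey]: { populate: [scope] } },
  });
  return isAccountMember(entity, user.id, config);
}

// Constructed sample data and a stub `strapi` so the sketch runs offline.
const SAMPLE = {
  1: { id: 1, account: { id: 10, administrators: [{ id: 7 }], guests: [{ id: 8 }] } },
  2: { id: 2, account: null }, // instance not linked to any account
};
const stubStrapi = {
  entityService: { findOne: async (_uid, id) => SAMPLE[id] || null },
};

// In a Strapi project the policy file would export the function.
if (typeof module !== "undefined") module.exports = accountTeam;
```

Every missing link (no user, no entity, no account, unknown scope field) resolves to a denial, so a misconfigured scope cannot silently grant access.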
