SecurityProvider - SecurityRestrict on different table

I’m trying to use SecurityProvider (Database type) and SecurityRestrict in order to restrict ServerConnect action.

My DB is the following:
users (id, email, password) - list of users
accounts (id, title) - list of companies.
account_users (id, account_id, user_id, access) - this is the user-to-company membership and the user's role in the company. access is an enum with 4 different roles (READ_ONLY, READ_WRITE, ADMIN or OWNER)

In other words, one user can belong to many companies. In every company he can play a different role and have different access - READ_ONLY, READ_WRITE, ADMIN or OWNER.

I’m trying to set up Security provider, please see screenshot. Questions:

  1. Under every role there is a possibility to have a list of conditions. Are they grouped as AND or OR?
  2. I want to put a variable in one of the conditions from DB query result.

I want to implement the following flow: the user puts his credentials on the login page, we fetch his list of accounts and take the first one, then check his permission against this account and redirect to the page /accounts/{{account_id}}.
If he manually enters a URL /accounts/{{account_id}} with another user's account number, he is redirected to his accounts page (I know this part is done on the client side, but the server side should also be protected).

Ok, I made several tests and it looks like the following setup works:

So answering my questions:

  1. It looks like these rules are executed as AND in the SQL query.
  2. Although there is no picker in the “Value” field, I manually put the GET parameter {{$_GET.account_id}} and it seems to work.

I would love to get confirmation from Wappler product owners that my setup is correct. Authentication and Authorisation is a very sensitive topic, where you must be sure 100%.

@wappler_ambassadors, can you check this please?


Does this help?

Thanks, @Hyperbytes. I saw this movie when researching the forum.
My situation is a bit more complex.

Actually I just want to confirm 2 things that I found experimentally - 1) that I can pass a GET value as a parameter to a permission condition (in the GUI there is no picker), and 2) that 2 different conditions in the list are executed as AND, not OR, which seems to be working like this.
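An added example, not Wappler's code and not the poster's security-provider setup: it reproduces in plain Python with sqlite3 what the ANDed restrict conditions from the first post amount to against the three tables described there (users, accounts, account_users), with the account_id taken from the request bound as a query parameter. The table rows, `open_demo_db`, `is_allowed` and `first_account_for` are constructed for the demo.

```python
import sqlite3

# Schema from the first post (columns as listed there; types assumed).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT);
CREATE TABLE accounts (id INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE account_users (
    id INTEGER PRIMARY KEY, account_id INTEGER, user_id INTEGER,
    access TEXT CHECK (access IN ('READ_ONLY','READ_WRITE','ADMIN','OWNER')));
"""

# Constructed sample data: user 1 owns account 1 and is read-only on
# account 2; user 2 is admin on account 2 only.
SAMPLE_ROWS = [
    (1, 1, 1, 'OWNER'),
    (2, 2, 1, 'READ_ONLY'),
    (3, 2, 2, 'ADMIN'),
]


def open_demo_db():
    conn = sqlite3.connect(':memory:')
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO account_users VALUES (?,?,?,?)", SAMPLE_ROWS)
    return conn


def is_allowed(conn, user_id, account_id, roles):
    """All three conditions are ANDed, as the thread observed for the provider:
    the membership row must belong to the logged-in user AND to the requested
    account AND carry one of the allowed roles. account_id arrives as a request
    string ($_GET.account_id), so it is validated and bound, never concatenated."""
    try:
        account_id = int(account_id)
    except (TypeError, ValueError):
        return False          # malformed account id in the URL: deny
    placeholders = ",".join("?" * len(roles))
    row = conn.execute(
        "SELECT 1 FROM account_users WHERE user_id = ? AND account_id = ? "
        f"AND access IN ({placeholders}) LIMIT 1",
        (user_id, account_id, *roles)).fetchone()
    return row is not None


def first_account_for(conn, user_id):
    """Login flow from the post: the user's first account, used for the redirect."""
    row = conn.execute(
        "SELECT account_id FROM account_users WHERE user_id = ? ORDER BY id LIMIT 1",
        (user_id,)).fetchone()
    return row[0] if row else None
```

Because the conditions are combined with AND, a user who is a member of account 2 with READ_ONLY still fails an ADMIN/OWNER restriction there, and a valid-looking id for an account he is not a member of is denied outright.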

I am on the road in France at present so can't access a computer, but I think I would be taking a look at the actual security file (JSON file) where I suspect your answers will reside. On the face of it this could well be a viable solution.