1 RESTful in brief

This article is built on RESTful concepts and assumes you have a basic understanding of them.

What is RESTful?

Representational State Transfer, or REST, is a software architectural style introduced by Dr. Roy Fielding in his doctoral dissertation in 2000.

Two ideas are central to REST: resources and state transitions.

A "resource" is an entity on the network, a specific piece of information that can be addressed. It can be a text, a picture, a song, a service, or anything else concrete.

A "state transition" is expressed by the HTTP verb of the request. This article works with the four verbs that map onto the four basic operations on a resource:

GET: browse (read) a resource
POST: create a resource
PUT: update a resource
DELETE: delete a resource

(HTTP also defines PATCH for partial updates, but the four verbs above are all this design needs.)

(Figure: RESTful CRUD, from "How to design user permission control based on RESTful APIs?")

2 Resource classification and operations

With the concept of a resource clear, the next step is classifying resources. I divide them into three categories:

Private resources
Role resources
Public resources

(Figure: Sources)

"Private resource": a resource that belongs to one user and can be operated on only by that user. Examples: the user's personal information, orders, and shipping addresses.

"Role resource": unlike a private resource, a role resource has a larger scope. One role corresponds to many people, i.e. a group of users. When permissions are assigned to a role, only users who hold that role have those permissions. For example, only administrators may operate on system resources; ordinary users may not.

"Public resource": a resource that everyone can access and manipulate, regardless of role.

Operations on a resource fall into four types:

Browse
Create
Update
Delete

3 Relationships among roles, users, and permissions

Roles and users need no introduction, but permissions deserve a definition.

A "permission" is the combination of a resource and an operation. For example, "create a user" is one permission and "delete a user" is another. Since there are four operations, each resource has exactly four permissions.

(Figure: Permissions)

Roles and users: a role corresponds to a group of users, and a user can hold several roles, so the relationship is many-to-many.

Roles and permissions: a role holds many permissions, and in this design a permission record belongs to exactly one role, so the relationship is one (role) to many (permissions).

Permissions and users: a user holds several roles and a role holds several permissions, so the relationship between users and permissions is an indirect many-to-many, resolved through roles.

(Figure: Relations)

Two special cases need to be noted:

Private resources and users: the four permissions on a private resource belong to exactly one user, so for private resources the relationship between users and permissions is one (user) to many (permissions), with no role in between.
The super administrator role: this role is all-powerful. It bypasses every check and has absolute authority over all resources, whether private or role resources.

4 Design of database tables

How should models of roles, users, and permissions be designed to satisfy their relationships?

(Figure: Models)

Some of the key fields in the figure above:

Source

name: the name of the resource, which is the name of another model, such as User or Role.
identity: the unique identifier of the resource; it can be a string such as a UUID or shortid, or simply the model name.
permissions: the four permissions (browse, create, update, delete) defined on this resource.

Permission

source: the resource the permission applies to.
action: the operation on that resource; one of browse, create, update, delete.
relation: marks whether the permission is private or role-based; OwnerPolicy uses it to decide whether an ownership check applies.
role: the role that holds the permission.

Role

users: the user group of a role; a role can be assigned to many users.
permissions: the list of permissions the role holds.

User

createdBy: the owner of the record. In the User table it identifies who owns the user record, and OwnerPolicy compares it against the current user.
roles: the roles the user holds.
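As an added example (written for this edit, not code from the article or from the permission suite it describes), here are the four models above as in-memory tables in JavaScript, together with the lookups that answer "may this user perform this action on this resource?". The resolution follows sections 3 and 4: user to roles to permissions is the indirect many-to-many, a private permission is granted by ownership (createdBy) rather than by role, and the super administrator bypasses everything. The table contents, role names, and the function names `can` and `effectivePermissions` are constructed for illustration, as is the rule that any logged-in user may create a private record and becomes its owner.

```javascript
// Added example, not code from the article or its permission suite: the Source,
// Permission, Role and User models from sections 3 and 4 as in-memory tables,
// plus the lookups that decide whether a user may act on a resource.
// All records, role names and function names below are constructed for illustration.

const ACTIONS = ['browse', 'create', 'update', 'delete'];

// Source: one row per protected resource; identity doubles as the model name.
const sources = [
  { id: 1, name: 'User', identity: 'user' },
  { id: 2, name: 'Order', identity: 'order' },
  { id: 3, name: 'Article', identity: 'article' },
];

// Permission: resource x action, with relation = 'role' or 'private'.
// Every source gets exactly four permissions, as the article states.
const permissions = [];
function definePermissions(sourceId, relation) {
  for (const action of ACTIONS) {
    permissions.push({ id: permissions.length + 1, source: sourceId, action, relation });
  }
}
definePermissions(1, 'role');    // ids 1-4:  user records are administered by roles
definePermissions(2, 'private'); // ids 5-8:  an order belongs to the user who created it
definePermissions(3, 'role');    // ids 9-12: articles are administered by roles

// Role: holds many permissions; each permission id appears under one role only.
const roles = [
  { id: 1, name: 'superadmin', permissions: [] },                 // bypasses all checks
  { id: 2, name: 'admin', permissions: [1, 2, 3, 4, 9, 10, 11, 12] },
  { id: 3, name: 'editor', permissions: [9, 10, 11] },            // article browse/create/update
  { id: 4, name: 'member', permissions: [9] },                    // article browse only
];

// User: holds many roles (the many-to-many side of the user/role relation).
const users = [
  { id: 1, name: 'root', roles: [1] },
  { id: 2, name: 'alice', roles: [2, 3] },
  { id: 3, name: 'bob', roles: [4] },
];

const byId = (table, id) => table.find(row => row.id === id);

function isSuperAdmin(user) {
  return user.roles.some(rid => byId(roles, rid).name === 'superadmin');
}

// user -> roles -> permissions, flattened to "identity:action" keys.
function effectivePermissions(userId) {
  const keys = new Set();
  for (const rid of byId(users, userId).roles) {
    for (const pid of byId(roles, rid).permissions) {
      const perm = byId(permissions, pid);
      keys.add(`${byId(sources, perm.source).identity}:${perm.action}`);
    }
  }
  return keys;
}

// record is the stored row being touched (its createdBy is the owner), or null
// when the request targets the collection rather than one record.
function can(userId, action, identity, record = null) {
  const user = byId(users, userId);
  if (!user || !ACTIONS.includes(action)) return false;   // unknown user or verb: deny
  if (isSuperAdmin(user)) return true;
  const source = sources.find(s => s.identity === identity);
  if (!source) return false;
  const perm = permissions.find(p => p.source === source.id && p.action === action);
  if (perm.relation === 'private') {
    // Ownership, not role membership, grants access to a private resource.
    // Assumption: anyone logged in may create one and becomes its owner.
    if (action === 'create') return true;
    return record !== null && record.createdBy === userId;
  }
  return effectivePermissions(userId).has(`${identity}:${action}`);
}

// Quick demonstration when run directly with node.
for (const [uid, action, identity, record] of [
  [3, 'browse', 'article', null],
  [3, 'delete', 'user', null],
  [3, 'browse', 'order', { id: 101, createdBy: 2 }],
]) {
  console.log(byId(users, uid).name, action, identity, '->', can(uid, action, identity, record));
}
```

Two points worth noticing: the admin role holds every permission on the role resources, yet `can(2, 'browse', 'order', ...)` is still refused for an order alice does not own, because private permissions are never reached through a role; and an unknown action or user is denied rather than mapped to a default, so a typo in a route cannot turn into an allow.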

5 Policies/Filters

Policies in Sails and filters in the Java SSH stack (Struts, Spring, Hibernate) work much the same way: they inspect an HTTP request before it reaches an action in a controller. This is therefore the layer at which we add custom policies/filters to enforce permission control.

For brevity, I will use the word policy below.

Policies

The policies run in the order listed:

SessionAuthPolicy: checks whether the user is logged in. This is the prerequisite for every later check, since they all read the current user from the session.
PermissionPolicy: looks up the roles the user belongs to and checks whether they grant the permission for the requested operation on the accessed resource.
OwnerPolicy: if the resource is private, checks whether the current user is the owner of the accessed record.

If every policy passes, the request is forwarded to the target action; the first policy that fails rejects the request, so nothing reaches the action unless all three agree.

(Figure: Policies)
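The policy chain as an added example in JavaScript (not the article's or the suite's code): each policy inspects a minimal request object and either passes it on or stops it with an HTTP status, and the chain runs in the order the article gives. It assumes the session already carries the user's resolved permissions as "resource:action" strings plus a superadmin flag, that routes are parsed into `req.resource` and `req.id`, and the sample store, records and policy function names are all constructed for illustration.

```javascript
// Added example, not the article's or its permission suite's code: the three
// policies from section 5 as plain functions over a minimal request object.
// Assumptions: the session already carries the user's resolved permissions as
// "resource:action" strings plus a superadmin flag; routes are parsed into
// req.resource and req.id; the sample store and all names are constructed.

// HTTP verb -> operation, following the mapping in section 1.
const VERB_TO_ACTION = { GET: 'browse', POST: 'create', PUT: 'update', DELETE: 'delete' };

// Constructed store: which resources are private, and their records with owners.
const SOURCES = { user: { private: false }, order: { private: true } };
const RECORDS = {
  user: [{ id: 2, name: 'alice' }, { id: 3, name: 'bob' }],
  order: [{ id: 101, createdBy: 3, total: 42 }, { id: 102, createdBy: 2, total: 7 }],
};

// Every policy returns null to let the request continue, or an HTTP status to stop it.

// 1. SessionAuthPolicy: is anyone logged in at all? Later policies rely on req.session.user.
function sessionAuthPolicy(req) {
  return req.session && req.session.user ? null : 401;
}

// 2. PermissionPolicy: does one of the user's roles hold <resource>:<action>?
function permissionPolicy(req) {
  const action = VERB_TO_ACTION[req.method];
  if (!action) return 405;                       // unmapped verb: deny, never guess
  const { user } = req.session;
  if (user.superadmin) return null;              // super administrator: no further checks
  const source = SOURCES[req.resource];
  if (!source) return 404;
  if (source.private) return null;               // private: ownership decides, see ownerPolicy
  return user.permissions.has(`${req.resource}:${action}`) ? null : 403;
}

// 3. OwnerPolicy: for a private resource, is the caller the record's createdBy?
function ownerPolicy(req) {
  const source = SOURCES[req.resource];
  const { user } = req.session;
  if (!source || !source.private || user.superadmin) return null;
  if (req.method === 'POST') return null;        // a new record is owned by its creator
  const record = RECORDS[req.resource].find(r => r.id === req.id);
  if (!record) return 404;
  // 403 tells the caller the id exists; return 404 here too if ids must not be enumerable.
  return record.createdBy === user.id ? null : 403;
}

// Fixed running order; the first policy that fails short-circuits the request.
const POLICIES = [sessionAuthPolicy, permissionPolicy, ownerPolicy];

function authorize(req) {
  for (const policy of POLICIES) {
    const status = policy(req);
    if (status !== null) return { allowed: false, status, policy: policy.name };
  }
  return { allowed: true, status: 200, policy: null };
}

// Quick demonstration when run directly with node.
const bob = { id: 3, superadmin: false, permissions: new Set(['user:browse']) };
for (const req of [
  { method: 'GET', resource: 'order', id: 101, session: {} },
  { method: 'DELETE', resource: 'user', id: 2, session: { user: bob } },
  { method: 'GET', resource: 'order', id: 102, session: { user: bob } },
]) {
  console.log(req.method, req.resource, req.id, '->', JSON.stringify(authorize(req)));
}
```

The order is not cosmetic: `permissionPolicy` and `ownerPolicy` both dereference `req.session.user`, so putting `sessionAuthPolicy` anywhere but first would crash (or, worse, pass) on anonymous requests. A verb with no mapping is refused with 405 instead of falling back to a default action, and the comment in `ownerPolicy` marks the one place where the choice between 403 and 404 decides whether other users' record ids can be enumerated.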

6 Permission control implementation under Sails

Under Sails there is a convenient suite, losa-Permissions, that packages a permission-management solution; this article is based on that suite's source code.

7 Conclusion

The biggest challenge for programmers is not mastering particular programming languages or frameworks, but understanding the business and its requirements, and then abstracting the essentials into a form a computer can understand.

Finally, I hope this article has helped you understand a little more about permission management. If you found it useful, share it and follow along! I have compiled a set of Java documentation that also includes the content of this article; get it here: https://shimo.im/docs/pVhDCpYqdRTqWRqq/