Note: This documentation is a DRAFT.
- Authorization is by default built up as a blacklist: if there are no restrictions on a class, you can perform all operations on it.
- Quino supports role-based configurations.
- They can be statically configured in the code, like metadata, and remain unchanged.
- The Security Module can be used to store the users and roles in the database.
- The infrastructure can be extended to support claims and other authorization scenarios.
A quick overview of the most important interfaces can be found here:
The main interface for authorization is the IAuthorizer, which offers support for quickly querying the current user for roles and claims. The method of interest is called Authorize, which takes an AuthorizationContext as a parameter. Quino calls this method for various scenarios:
- A user tries to read a meta class from the database.
- A user tries to perform a CUD operation on an
- A user tries to execute an
- It's also possible that someone manually calls the
Generally there are the following steps when setting up authorization:
- Decide where the users are stored and retrieved from.
- Decide where the roles are stored and retrieved from.
- Decide whether the authorization needs to be configurable while the application is running, or whether a static set of roles is sufficient.
This form of authorization can be configured directly in the metadata. Each IMetaClass can be decorated with an ISecurityRoleAspect that can contain roles and rights. The MetaAspectAuthorizer can be registered to enforce those permissions. Make sure your users have the roles assigned. If a class does not contain any annotations, it's considered open for every authenticated user.

```csharp
MetaClass.AddRole(new Role("Administrator", StandardRights.Read, StandardRights.Edit));
```
It's the responsibility of the IAuthenticator to make sure the impersonated user has the roles assigned correctly.
As already mentioned, this set of permissions is not editable after the application has been deployed. Depending on how the users are loaded, it might be sufficient to assign new roles there and work with the static set of roles.
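The following stand-alone C# sketch is an added illustration, not Quino's own code, of the Authorize(AuthorizationContext) check and of the blacklist default described above: an IMetaClass without a role annotation is open to every authenticated user, so the thing to test for is the class you forgot to annotate. The type names are taken from this page; their shapes, the Create/Delete rights and the Authenticated/UserRoles fields on the context are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical stand-ins for Quino's IMetaClass, ISecurityRoleAspect, AuthorizationContext and
// MetaAspectAuthorizer: the names are taken from the page, the shapes are assumptions for this example.
[Flags]
enum StandardRights { None = 0, Read = 1, Edit = 2, Create = 4, Delete = 8 }
class Role
{
    public string Name { get; }
    public StandardRights Rights { get; }
    public Role(string name, params StandardRights[] rights) =>
        (Name, Rights) = (name, rights.Aggregate(StandardRights.None, (acc, r) => acc | r));
}
class MetaClass
{
    public List<Role> Roles { get; } = new();                       // plays the part of ISecurityRoleAspect
    public MetaClass AddRole(Role role) { Roles.Add(role); return this; }
}
record AuthorizationContext(MetaClass MetaClass, StandardRights Requested, bool Authenticated, ISet<string> UserRoles);

class MetaAspectAuthorizer
{
    // Blacklist semantics as described on the page: a class without any role annotation is open to
    // every authenticated user, so a forgotten annotation silently allows every operation on it.
    public bool Authorize(AuthorizationContext ctx)
    {
        if (!ctx.Authenticated) return false;                       // "open" still means authenticated only
        if (ctx.MetaClass.Roles.Count == 0) return true;            // no restrictions on the class at all
        var granted = ctx.MetaClass.Roles                           // union of rights over roles the user holds
            .Where(r => ctx.UserRoles.Contains(r.Name))
            .Aggregate(StandardRights.None, (acc, r) => acc | r.Rights);
        return (granted & ctx.Requested) == ctx.Requested;
    }
}
static class Demo
{
    static void Main()
    {
        var invoice = new MetaClass().AddRole(new Role("Administrator", StandardRights.Read, StandardRights.Edit));
        var note = new MetaClass();                                 // never annotated
        var auth = new MetaAspectAuthorizer();
        ISet<string> admin = new HashSet<string> { "Administrator" }, guest = new HashSet<string>();
        Console.WriteLine(auth.Authorize(new AuthorizationContext(invoice, StandardRights.Edit, true, admin)));   // covered by the Administrator role
        Console.WriteLine(auth.Authorize(new AuthorizationContext(invoice, StandardRights.Delete, true, admin))); // Administrator was given no Delete right
        Console.WriteLine(auth.Authorize(new AuthorizationContext(note, StandardRights.Delete, true, guest)));    // un-annotated class, any authenticated user
        Console.WriteLine(auth.Authorize(new AuthorizationContext(note, StandardRights.Read, false, guest)));     // anonymous caller
    }
}
```

A review of the metadata for classes that carry no ISecurityRoleAspect is therefore the cheapest check of such a configuration, since every one of them is reachable by any authenticated user.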