DEV Community

Discussion on: Authorization rules for a multi-tenant system - Google cloud platform

Collapse
rodolfosilva profile image
Rodolfo Silva • Edited on

Should we define a permission check for the project_id at storage_buckets? To avoid a user of another tenant ? Maybe I'm wrong. But i believe this implementation only check if the user has a permission to list all registry including all projects. @hasurahq_staff

Something like this

{
  "_and": [
    {
      "_exists": {
        "_table": {
          "schema": "public",
          "name": "flattened_user_project_roles"
        },
        "_where": {
          "_and": [
            {
              "user_id": {
                "_eq": "X-Hasura-User-Id"
              }
            },
            {
              "role_id": {
                "_eq": "storage_viewer"
              }
            },
            {
              "project_id": {
                "_eq": "X-Hasura-Project-ID"
              }
            }
          ]
        }
      }
    },
    {
      "project_id": {
        "_eq": "X-Hasura-Project-ID"
      }
    }
  ]
}

And:

{
  "_or": [
    {
      "_and": [
        {
          "_exists": {
            "_table": {
              "schema": "public",
              "name": "flattened_user_project_roles"
            },
            "_where": {
              "_and": [
                {
                  "user_id": {
                    "_eq": "X-Hasura-User-Id"
                  }
                },
                {
                  "role_id": {
                    "_eq": "storage_viewer"
                  }
                },
                {
                  "project_id": {
                    "_eq": "X-Hasura-Project-ID"
                  }
                }
              ]
            }
          }
        },
        {
          "project_id": {
            "_eq": "X-Hasura-Project-ID"
          }
        }
      ]
    },
    {
      "user_bucket_roles": {
        "_and": [
          {
            "user_id": {
              "_eq": "X-Hasura-User-Id"
            }
          },
          {
            "role_id": {
              "_eq": "storage_viewer"
            }
          }
        ]
      }
    }
  ]
}