Where should authorization/permissions checks happen?
Hey there! What is generally the preferred place to perform permissions checks? Using meta, within a procedure method, within the definition of the procedure via middleware, or something else?
I initially opted for performing checks within defined procedure methods, but this results in quite a bit of code duplication, so I figure using meta could be better (it does feel intuitive). Yet, this somehow feels non-standard. I haven't seen this before... in an ideal world this permissions object could be passed into a procedure as an arg alongside the handler/method as a kind of augmentation.
Currently, I am exploring the use of meta to do this:
4 Replies
One alternative that I've considered is to define a procedure as a function of a permissions config. This is very elegant, but also I have not seen this before.
The use of meta to configure a middleware in the base procedure is how I do it too and it's very pleasant to use. Definitely recommend that approach.
Great, thanks! Curious, you do apply the middleware to the base procedure and not an authenticated procedure?
Up to you, my middleware can be entirely turned off by meta so I use it globally
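
The pattern the replies describe (meta read by one middleware on the base procedure, with a meta switch to turn it off), as an added example that is not from the thread. It is a dependency-free TypeScript model rather than tRPC's API; `Meta`, `authorize`, `procedure` and the permission names are hypothetical, and it assumes a deny-by-default policy so that a procedure with no meta is rejected instead of left open.

```typescript
// Dependency-free model of the pattern; all names are hypothetical, not tRPC's API.
type Permission = "post:read" | "post:write";
// Meta attached to each procedure; `public: true` is the explicit opt-out.
type Meta = { public?: boolean; requires?: Permission[] };
type Ctx = { user?: { id: string; permissions: Permission[] } };
type Decision = "ALLOW" | "UNAUTHORIZED" | "FORBIDDEN";
type Result<O> = { ok: true; data: O } | { ok: false; code: Decision };

// The one middleware on the base procedure: reads meta and fails closed.
function authorize(meta: Meta | undefined, ctx: Ctx): Decision {
  if (meta?.public === true) return "ALLOW"; // only an explicit flag disables the check
  if (!ctx.user) return "UNAUTHORIZED";
  const required = meta?.requires ?? [];
  // Assumed policy: a non-public procedure with no permissions listed is a
  // configuration mistake, so it is denied instead of being left open.
  if (required.length === 0) return "FORBIDDEN";
  const held = ctx.user.permissions;
  return required.every((p) => held.indexOf(p) !== -1) ? "ALLOW" : "FORBIDDEN";
}

// Base procedure: every handler built through it runs the check first.
function procedure<I, O>(meta: Meta | undefined, handler: (input: I, ctx: Ctx) => O) {
  return (input: I, ctx: Ctx): Result<O> => {
    const decision = authorize(meta, ctx);
    if (decision !== "ALLOW") return { ok: false, code: decision };
    return { ok: true, data: handler(input, ctx) };
  };
}

// Constructed sample procedures and callers.
const health = procedure({ public: true }, () => "up");
const editPost = procedure({ requires: ["post:write"] }, (id: string) => `edited ${id}`);
const forgotMeta = procedure(undefined, () => "secret");

const anon: Ctx = {};
const reader: Ctx = { user: { id: "u1", permissions: ["post:read"] } };
const writer: Ctx = { user: { id: "u2", permissions: ["post:read", "post:write"] } };
```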