@oconn
Last active February 17, 2017 16:50
;; Goal
;; In this example, I want to be able to say that the parent route "/users" requires the admin role, and then
;; specify, on a case-by-case basis, that a specific child route also allows additional roles. E.g. "/users/:user-id"
;; also allows the user role.
;;
;; Problem
;; A user that only has the "user" role will never reach the user/get-user-by-id handler, because the authorize
;; interceptor declared at "/users" runs first and rejects the request before the child's interceptor is considered.
;;
;; Proposed Solution
;; 1. Modify the authorize interceptor so that, instead of rejecting, it adds its authorized roles to the context.
;; 2. Have a new interceptor, :authorization/check-permission, inspect the accumulated roles immediately before
;;    the request is passed to the handler, and reject there if the caller holds none of them.

;; Desired route table (does not work today, see Problem above)
[[["/api"
   ["/v1"
    ["/users"
     ^:interceptors [(authorize #{:user.roles/admin})]
     {:get user/get-users}
     ["/:user-id"
      ^:interceptors [(authorize #{:user.roles/user})]
      {:get user/get-user-by-id}]]]]]]
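The two interceptors from the Proposed Solution, as an added example that is not part of the gist. It uses plain maps in the :name / :enter shape Pedestal accepts, plus a minimal run-chain stand-in for Pedestal's chain executor so it can be evaluated without Pedestal on the classpath. The ::allowed-roles context key, the request's :identity key, run-chain, handler->interceptor and the get-user-by-id stub are assumptions for illustration, not names taken from the gist or from Pedestal.

```clojure
;; Added example, not the gist's code. ::allowed-roles, :identity, run-chain,
;; handler->interceptor and get-user-by-id are assumed names.
(ns example.authz
  (:require [clojure.set :as set]))

(defn authorize
  "Accumulates the roles that may reach the eventual handler instead of
   rejecting on the spot, so the parent's #{admin} and the child's #{user}
   are unioned in the context rather than the parent winning outright."
  [roles]
  {:name  ::authorize
   :enter (fn [ctx]
            (update ctx ::allowed-roles (fnil set/union #{}) roles))})

(def check-permission
  "Runs last before the handler. Denies with 403 when the caller holds none
   of the accumulated roles; an empty accumulation also denies (fail closed)."
  {:name  ::check-permission
   :enter (fn [{:keys [request] :as ctx}]
            (let [allowed (get ctx ::allowed-roles #{})
                  held    (set (get-in request [:identity :roles]))]
              (if (seq (set/intersection allowed held))
                ctx
                (assoc ctx :response {:status 403 :body "forbidden"}))))})

(defn run-chain
  "Minimal stand-in for Pedestal's chain executor: call each :enter in order
   and stop as soon as a :response is present, as Pedestal does."
  [interceptors request]
  (reduce (fn [ctx {:keys [enter]}]
            (let [ctx' (if enter (enter ctx) ctx)]
              (if (:response ctx') (reduced ctx') ctx')))
          {:request request}
          interceptors))

(defn handler->interceptor
  "Wraps a ring-style handler as a terminal interceptor."
  [f]
  {:name  ::handler
   :enter (fn [ctx] (assoc ctx :response (f (:request ctx))))})

(defn get-user-by-id
  "Stub handler standing in for user/get-user-by-id."
  [req]
  {:status 200 :body (str "user " (get-in req [:path-params :user-id]))})

;; The chain Pedestal would assemble for GET /api/v1/users/:user-id under the
;; proposed scheme: parent authorize, child authorize, the check, then handler.
(def user-by-id-chain
  [(authorize #{:user.roles/admin})
   (authorize #{:user.roles/user})
   check-permission
   (handler->interceptor get-user-by-id)])

(defn respond
  "Runs the chain and returns only the response map."
  [chain request]
  (:response (run-chain chain request)))

(comment
  ;; A caller holding only the user role now reaches the handler (200),
  ;; while a caller holding no accumulated role is stopped by check-permission (403).
  (respond user-by-id-chain {:identity    {:roles #{:user.roles/user}}
                             :path-params {:user-id "42"}})
  (respond user-by-id-chain {:identity {:roles #{:user.roles/guest}}}))
```

Two points a practitioner should check when wiring this into a real route table. First, check-permission must sit after every inherited authorize in each leaf's chain (for example in the per-verb handler vector, as the workaround below already does for authorize), otherwise a leaf that forgets it inherits no enforcement at all, which is why the check fails closed on an empty ::allowed-roles. Second, union semantics mean a child route can only widen what the parent permits, never narrow it; that is exactly the goal stated above, but it is worth saying out loud in review.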
;; Current workaround
;; Attach the authorize interceptor to each leaf handler instead of the parent path, so no parent-level
;; interceptor runs before the child's own check. This works, but the admin requirement can no longer be
;; declared once at "/users".
[[["/api"
   ["/v1"
    ["/users"
     {:get [:get-users
            user/get-users
            ^:interceptors [(authorize #{:user.roles/admin})]]}
     ["/:user-id"
      {:get [:get-user
             user/get-user-by-id
             ^:interceptors [(authorize #{:user.roles/user})]]}]]]]]]