[DashboardLayout] Add roles to navigation #4490

Open: wants to merge 5 commits into base: master

bharatkashyap
Member

  • Closes [core] Support RBAC in AppProvider #4120
  • Add a roles: string[] to NavigationPageItem
  • Add groups?: string[] and roles?: string[] to Session
  • Check if user.groups or user.roles has a matching role in hasMatchingRole
  • Remove pages from navigation and render a 404 on navigation to pages for which there is no access
  • Remains agnostic to the method of providing the roles or groups on the session object

@bharatkashyap bharatkashyap added the new feature New feature or request label Nov 28, 2024
@Janpot
Member

Janpot commented Nov 28, 2024

I'm hesitant building anything RBAC before we have the CRUD features and have set up a pro version.

Instead, I think we could add a way to disable items through a callback, just like how it's done with treeview or datagrid. That way it and other use cases can be built in userland. Use cases which can then be used to validate an RFC.

@bharatkashyap
Member Author

bharatkashyap commented Nov 28, 2024

> I'm hesitant building anything RBAC before we have the CRUD features and have set up a pro version.

We discussed this week that given #4120 is the most upvoted (and fastest growing in upvotes) issue, does it make sense to keep a minimal version of the roles feature blocked till the entirety of CRUD has landed?

Once we have CRUD and the pro version, we can integrate the roles we define here with the ability to restrict some CRUD actions on some resources.

Wdyt?

@github-actions github-actions bot added the PR: out-of-date The pull request has merge conflicts and can't be merged label Nov 28, 2024
@github-actions github-actions bot removed the PR: out-of-date The pull request has merge conflicts and can't be merged label Dec 3, 2024
@Janpot
Member

Janpot commented Dec 3, 2024

My thinking was that there are more ways to do authorization than RBAC. Some users may only need a very simple setup, such as checking against an email address. We could serve more kinds of users with a less opinionated API. Then see which usage patterns emerge and provide convenience APIs for the most used ones. I feel like now we're locking every use case into RBAC.

@github-actions github-actions bot added the PR: out-of-date The pull request has merge conflicts and can't be merged label Dec 6, 2024
@JuR-0

JuR-0 commented Jan 17, 2025

As @Janpot mentioned, adding a simple callback driving the display of navigation items could solve any RBAC needs as well as many others (discussed in #4607).

Then RBAC would just be:

  • A custom session
  • A callback leveraging roles/groups as needed

The availability of content can be tackled at the page level by the user as a first approach.
Is it the goal we are pursuing? If yes, I could work on a draft.
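
The role check from the PR description and the callback alternative raised in the comments, side by side, as an added example that is not code from this pull request. Apart from `hasMatchingRole`, `roles` and `groups`, every name is hypothetical, and the shapes (including reading roles from `session.user`) are assumptions. It goes one step beyond the thread by walking nested items, so a child of a restricted page is also refused on direct navigation.

```typescript
// Added example, not code from the PR. Shapes are assumptions based on its description.
interface NavItem {
  segment: string;
  roles?: string[]; // absent or empty: visible to everyone (assumption)
  children?: NavItem[];
}
interface Session {
  user?: { email?: string; roles?: string[]; groups?: string[] };
}
type CanAccess = (item: NavItem, session: Session | null) => boolean;

// RBAC as one predicate: a role required by the item must appear in roles or groups.
const hasMatchingRole: CanAccess = (item, session) => {
  if (!item.roles || item.roles.length === 0) return true;
  const held = new Set([...(session?.user?.roles ?? []), ...(session?.user?.groups ?? [])]);
  return item.roles.some((role) => held.has(role));
};

// A non-RBAC predicate for the same hook: gate one page on an email address (constructed value).
const adminByEmail: CanAccess = (item, session) =>
  item.segment !== 'admin' || session?.user?.email === 'owner@example.com';

// Drop items the predicate rejects, recursing into children of the items that remain.
function filterNavigation(items: NavItem[], session: Session | null, can: CanAccess): NavItem[] {
  return items
    .filter((item) => can(item, session))
    .map((item) => (item.children ? { ...item, children: filterNavigation(item.children, session, can) } : item));
}

// Route check with the same predicate: every segment on the path must be allowed,
// so /admin/users is a 404 when /admin is denied even though "users" lists no roles.
function resolveStatus(path: string, items: NavItem[], session: Session | null, can: CanAccess): 200 | 404 {
  let level: NavItem[] | undefined = items;
  for (const segment of path.split('/').filter(Boolean)) {
    const match = level?.find((item) => item.segment === segment);
    if (!match || !can(match, session)) return 404;
    level = match.children;
  }
  return 200;
}

// Constructed sample navigation.
const NAV: NavItem[] = [
  { segment: 'orders' },
  { segment: 'admin', roles: ['admin'], children: [{ segment: 'users' }] },
];
```

Passing the predicate as a parameter keeps the menu filter and the route check on one decision, whichever authorization scheme supplies it.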
