Since authorization is important to me as a beginner, I want to ask what the best practices for web applications are at the moment if one needs more fine-grained authorization rules than simple roles or permissions for a side project (which will probably never turn into something profitable, nor is that planned at the moment).
Until now I've seen role-based authorization, which works for simple sites but can easily get out of hand for more complex websites (e.g. checks like these: user.hasRole("Superadmin") || user.hasRole("Admin") || user.hasRole("YetAnotherRole") || ... ). If I handle it like in the example, I would need to recompile the application if I give roles access to methods for which they were previously not authorized (if it is not possible to just assign the user to a higher role).
In previous hobby projects I solved this with permission/activity-based authorization, where users are assigned roles, and permissions are assigned to roles. The checks within the application are against the permissions, not the roles, and can be changed without recompiling the application. If a role needs new permissions, just assign them in the backend; if a specific user needs new permissions, it's possible to create a new role with the appropriate permissions, etc.
But how do I handle more complex permissions like these?
- Superadmin can delete everyone except himself.
- Admins can delete all users but not themselves or other admins.
- Manager can only delete users that he manages but not himself.
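One way to express the three deletion rules above, added here as an example and not code from the question or its author: keep the role-to-permission table the question already describes for the coarse check ("does any of this user's roles grant `user:delete`?"), and attach per-permission constraint rules that look at attributes of the actor and of the target (who they are, their rank, who manages them). That is the usual shape of attribute- or policy-based access control. The permission names, the rank ordering, the sample users and the `authorize` API are all assumptions; treating superadmins as off-limits to admins is also an assumption, since the question only mentions "other admins".

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Constructed sample role -> permission table (assumption, not from the question).
# Application code checks permission strings, never role names, so this table
# can live in the database and change without a recompile.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "Superadmin": frozenset({"user:read", "user:delete"}),
    "Admin": frozenset({"user:read", "user:delete"}),
    "Manager": frozenset({"user:read", "user:delete"}),
    "User": frozenset({"user:read"}),
}

# Assumed ordering used by the Admin rule: an admin may not delete anyone at
# Admin rank or above. Blocking superadmins too is an assumption; the question
# only says "other admins".
ROLE_RANK: Dict[str, int] = {"User": 0, "Manager": 1, "Admin": 2, "Superadmin": 3}


@dataclass(frozen=True)
class User:
    id: int
    roles: FrozenSet[str]
    manager_id: Optional[int] = None  # id of the manager responsible for this user

    @property
    def rank(self) -> int:
        return max((ROLE_RANK.get(r, 0) for r in self.roles), default=0)


# A rule looks at (actor, target) and returns (allowed, reason).
Decision = Tuple[bool, str]
Rule = Callable[[User, User], Decision]


def not_self(actor: User, target: User) -> Decision:
    """Nobody may delete their own account, whatever their role."""
    if actor.id == target.id:
        return False, "cannot delete yourself"
    return True, ""


def delete_scope(actor: User, target: User) -> Decision:
    """Role-specific limits on which users may be deleted."""
    if "Superadmin" in actor.roles:
        return True, ""
    if "Admin" in actor.roles:
        if target.rank >= ROLE_RANK["Admin"]:
            return False, "admins cannot delete admins or superadmins"
        return True, ""
    if "Manager" in actor.roles:
        if target.manager_id != actor.id:
            return False, "managers may only delete users they manage"
        return True, ""
    return False, "no rule grants user:delete to this actor"


# Constraint rules per permission; every rule must pass (deny by default).
RULES: Dict[str, List[Rule]] = {
    "user:delete": [not_self, delete_scope],
}


def has_permission(user: User, permission: str) -> bool:
    return any(permission in ROLE_PERMISSIONS.get(role, frozenset()) for role in user.roles)


def authorize(actor: User, permission: str, target: Optional[User] = None) -> Decision:
    """Coarse permission check first, then every fine-grained rule for that permission."""
    if not has_permission(actor, permission):
        return False, f"actor's roles do not grant {permission}"
    for rule in RULES.get(permission, []):
        if target is None:
            return False, f"{permission} requires a target"
        ok, reason = rule(actor, target)
        if not ok:
            return False, reason
    return True, "allowed"


# Constructed sample users (assumption, not data from the question).
SUPERADMIN = User(1, frozenset({"Superadmin"}))
ADMIN_A = User(2, frozenset({"Admin"}))
ADMIN_B = User(3, frozenset({"Admin"}))
MANAGER = User(4, frozenset({"Manager"}))
ALICE = User(5, frozenset({"User"}), manager_id=4)   # managed by MANAGER
BOB = User(6, frozenset({"User"}), manager_id=2)     # managed by ADMIN_A


if __name__ == "__main__":
    for actor, target in [(SUPERADMIN, ADMIN_A), (SUPERADMIN, SUPERADMIN),
                          (ADMIN_A, ADMIN_B), (ADMIN_A, ALICE),
                          (MANAGER, ALICE), (MANAGER, BOB), (ALICE, BOB)]:
        print(f"{actor.id} deletes {target.id}:", authorize(actor, "user:delete", target))
```

The check returns a reason together with the decision so the denial can be logged; it must run on the server for every request (hiding a delete button in the UI is not authorization), and because the loop denies unless every rule passes, adding a new constraint later cannot accidentally widen access.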