Currently, the ZAC backend checks object-level permissions (the permissions themselves are managed through authorization profiles/roles).
They are scoped on the zaak.zaaktype and zaak.vertrouwelijkheidaanduiding, mostly.
For collections, the backend (API) can filter out the results that are only relevant for the authenticated user. The same goes for retrieving an object or attempting an action on it - the backend will verify these permissions and throw an HTTP 403 error if the user does not have the appropriate permissions.
However, the frontend needs to know which permissions the user has or doesn't have, in order to be able to properly show the relevant UI controls (e.g. don't show the "add file" button if the user doesn't have permission for this).
What's the best way to get those permissions from the backend to the frontend?
Include them in the JSON response, under a _permissions key? E.g.
Have a dedicated endpoint for permission checks: GET /api/permissions?object=https://openzaak.utrechtproeftuin.nl/...&objectType=zaak. Possibly this could include a detail-resource to check a single permission, and might be more suited to the component approach where each component checks its own permission(s).
Communicate the permissions through headers so as not to pollute the response body? This can get unwieldy though, and header parsing isn't particularly fun. It also doesn't account for getting the permissions for each object in a collection of objects.
Any other options?
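To make the trade-off between the first two options concrete, here is an added example (not code from the ZAC project) that models the object-level check described in the issue: permissions scoped on `zaak.zaaktype` and `zaak.vertrouwelijkheidaanduiding` via authorization profiles, collection filtering, a 403 on retrieve, and then the same permission set exposed both as a `_permissions` key in the serialized object and as the payload of a dedicated `GET /api/permissions?object=...&objectType=zaak` endpoint. The profile and user classes, the permission names (`zaken:inzien` etc.), the zaaktype URLs and the `PermissionDenied` exception are constructed for this example; the confidentiality ordering follows the `vertrouwelijkheidaanduiding` enum of the ZGW Catalogi API as I recall it. The point worth taking from it is that both transport options are derived from one `has_perm` function that the backend enforces anyway, so the frontend hint can never grant more than the API will actually allow.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Confidentiality levels (vertrouwelijkheidaanduiding), least to most restrictive.
# Assumed to match the ZGW Catalogi API enum; adjust if the deployment differs.
VERTROUWELIJKHEIDAANDUIDINGEN = [
    "openbaar", "beperkt_openbaar", "intern", "zaakvertrouwelijk",
    "vertrouwelijk", "confidentieel", "geheim", "zeer_geheim",
]

# Hypothetical permission names for this example; ZAC's real names may differ.
ALL_PERMISSIONS = ("zaken:inzien", "zaken:wijzigen", "zaken:add-documents")


class PermissionDenied(Exception):
    """Stand-in for the framework exception that the API layer maps to HTTP 403."""


@dataclass(frozen=True)
class Zaak:
    url: str
    zaaktype: str
    vertrouwelijkheidaanduiding: str


@dataclass(frozen=True)
class AuthorizationProfile:
    """One role/profile: grants `permissions` on one zaaktype, up to `max_va` confidentiality."""
    zaaktype: str
    max_va: str
    permissions: frozenset


@dataclass
class User:
    username: str
    profiles: List[AuthorizationProfile] = field(default_factory=list)


def has_perm(user: User, zaak: Zaak, perm: str) -> bool:
    """Object-level check: some profile must cover the zaaktype, grant the permission,
    and allow at least the zaak's confidentiality level. Unknown levels are denied."""
    if zaak.vertrouwelijkheidaanduiding not in VERTROUWELIJKHEIDAANDUIDINGEN:
        return False  # fail closed on data the policy does not understand
    zaak_level = VERTROUWELIJKHEIDAANDUIDINGEN.index(zaak.vertrouwelijkheidaanduiding)
    return any(
        p.zaaktype == zaak.zaaktype
        and perm in p.permissions
        and p.max_va in VERTROUWELIJKHEIDAANDUIDINGEN
        and zaak_level <= VERTROUWELIJKHEIDAANDUIDINGEN.index(p.max_va)
        for p in user.profiles
    )


def permissions_for(user: User, zaak: Zaak) -> Dict[str, bool]:
    """Every known permission resolved for this user/object pair (used by both options)."""
    return {perm: has_perm(user, zaak, perm) for perm in ALL_PERMISSIONS}


def serialize_zaak(user: User, zaak: Zaak) -> dict:
    """Option 1 from the issue: embed the permission map under a `_permissions` key."""
    return {
        "url": zaak.url,
        "zaaktype": zaak.zaaktype,
        "vertrouwelijkheidaanduiding": zaak.vertrouwelijkheidaanduiding,
        "_permissions": permissions_for(user, zaak),
    }


def list_zaken(user: User, zaken: List[Zaak]) -> List[dict]:
    """Collection endpoint: filter to what the user may see, then serialize with per-object perms."""
    return [serialize_zaak(user, z) for z in zaken if has_perm(user, z, "zaken:inzien")]


def retrieve_zaak(user: User, zaak: Zaak) -> dict:
    """Detail endpoint: the backend enforces the check regardless of what the UI showed."""
    if not has_perm(user, zaak, "zaken:inzien"):
        raise PermissionDenied(zaak.url)  # surfaces as HTTP 403
    return serialize_zaak(user, zaak)


def permissions_endpoint(user: User, object_url: str, object_type: str, lookup: Dict[str, Zaak]) -> dict:
    """Option 2 from the issue: GET /api/permissions?object=<url>&objectType=zaak."""
    if object_type != "zaak" or object_url not in lookup:
        raise PermissionDenied(object_url)  # do not reveal whether the object exists
    zaak = lookup[object_url]
    return {"object": object_url, "objectType": object_type, "permissions": permissions_for(user, zaak)}


# Constructed sample data (placeholder URLs, not real Open Zaak resources).
ZT_MELDING = "https://catalogi.example/api/v1/zaaktypen/melding"
ZT_VERGUNNING = "https://catalogi.example/api/v1/zaaktypen/vergunning"
ZAAK_OPENBAAR = Zaak("https://zaken.example/api/v1/zaken/1", ZT_MELDING, "openbaar")
ZAAK_GEHEIM = Zaak("https://zaken.example/api/v1/zaken/2", ZT_MELDING, "geheim")
ZAAK_ANDER_TYPE = Zaak("https://zaken.example/api/v1/zaken/3", ZT_VERGUNNING, "openbaar")
SAMPLE_ZAKEN = [ZAAK_OPENBAAR, ZAAK_GEHEIM, ZAAK_ANDER_TYPE]
ALICE = User("alice", [AuthorizationProfile(ZT_MELDING, "vertrouwelijk",
                                            frozenset({"zaken:inzien", "zaken:add-documents"}))])

if __name__ == "__main__":
    for obj in list_zaken(ALICE, SAMPLE_ZAKEN):
        print(obj["url"], obj["_permissions"])
    print(permissions_endpoint(ALICE, ZAAK_OPENBAAR.url, "zaak", {z.url: z for z in SAMPLE_ZAKEN}))
```

Whichever transport the team picks, the `_permissions` map (or the endpoint response) is only a UI hint: the `retrieve_zaak` path re-runs `has_perm`, so a client that ignores the hint still gets a 403. The unknown-level branch in `has_perm` is there because profiles and zaaktypen come from different systems, and a value the policy has never seen should deny rather than fall through.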