I am building a REST API with Eve and using roles to protect specific endpoints, but beyond that I also need to enforce specific field-level access rules. I have a basic users endpoint with the following schema:
users = {
'schema': {
Schema.NAME: {
'type': 'string',
'minlength': 1,
'maxlength': 32,
'required': True,
'unique': True
},
Schema.PASSWORD: {
'type': 'string',
'required': True
},
Schema.ROLE: {
'type': 'string',
'allowed': ['end user', 'manager', 'admin'],
'required': True
}
},
The endpoint has public POST access, so anyone can create a user (i.e. a new user can create their own account). An end user can change their own password, a manager can change an end user's password, and an admin can change an end user's role.
I didn't see a way to do this with the standard schema definition. I also looked at Cerberus validation, but that didn't seem to support any logic across multiple documents (i.e. to validate the modification of an end user's user document by checking that the client is authenticated as an admin user).
I achieved the effect I am looking for by adding event hooks:
app.on_insert += all_users_created_equal
app.on_pre_PATCH_users += restrict_role_updates_to_admins
...
def all_users_created_equal(resource, docs):
"""Ensure that all users are created as end users.
Managers and Admins must be granted these roles by an existing
manager or admin."""
if resource == 'users':
for doc in docs:
doc['role'] = 'user'
def restrict_role_updates_to_admins(request, lookup):
if 'role' in request.json:
users = app.data.driver.db['users']
user = users.find_one({'name': request.authorization.username})
if user and user['role'] != 'admin':
# Non-admins cannot update roles. Break the lookup to fail the request.
lookup['_id'] = None
But it's hacky to muck with the request content in order to fail the request. Is there a better way to enforce field-level security? Or if not, is there a better way to use event hooks to tell the server to fail the request? Raising exceptions from the hooks did cause the requests to fail, but the exceptions were propagated up the server and also aren't ideal.
As I know, there is no mechanism in eve to support field level custom access control. You would find it if there was.
I suggest you to change your design if possible. I think it's better to separate access control mechanisms from CRUD operations that are supported by eve. I mean, you can develop a server just to control accesses. This Access Control Server gets all requests from user and play a mediator role in your architecture. Then if a request is compatible with access control rules (that you mentioned in your question), the request will be sent to CRUD Server (eve server) and can effect your database.
This architecture is simpler because it separates the user access control from your CRUD operations and extensible because you can add more access control rules in future.