tattle-made/kosh-v2

Identify the scope of access control needed for this sprint and implement just enough

Closed this issue · 1 comments

In its current scope, access control would mean the following categories of checks:

Role Check:

  • Users with the role of uploader or viewer should not be able to access endpoints meant for the admin user. This would involve any endpoint for /index.

Ownership Check:

  • Ensuring that uploaders or tokens associated with them can only be used to read/write/update media belonging to datasets they have created.

In the current state, when there is no caching and only a limited number of datasets and owners, I wonder if it's worth attempting to load and retain user and dataset data in memory at server startup. This way, ownership checks and role checks should not need database calls.
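
Added example, not part of the issue or the kosh-v2 code base: a sketch of the two checks running against an in-memory snapshot, with deny-by-default for anything the issue does not cover and an explicit cache update when a dataset is created. The `AccessCache` shape, the `authorize` signature, the `/media` and `/index/search` paths, and the sample users and tokens are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

ADMIN_PREFIX = "/index"                    # from the issue: admin-only endpoints
MEDIA_ACTIONS = {"read", "write", "update"}

@dataclass
class AccessCache:
    """Snapshot of users, tokens and datasets held in memory (hypothetical shape)."""
    roles: dict = field(default_factory=dict)    # user_id -> "admin" | "uploader" | "viewer"
    tokens: dict = field(default_factory=dict)   # token -> user_id
    owners: dict = field(default_factory=dict)   # dataset_id -> creator user_id

    def add_dataset(self, dataset_id, creator_id):
        # Call alongside the database insert; otherwise the cache is stale and
        # the creator is denied access to their own new dataset.
        self.owners[dataset_id] = creator_id

def is_admin_path(path):
    # Match "/index" and "/index/..." but not "/indexes".
    return path == ADMIN_PREFIX or path.startswith(ADMIN_PREFIX + "/")

def authorize(cache, token, path, action=None, dataset_id=None):
    """Return (allowed, reason); anything not explicitly permitted is denied."""
    user = cache.tokens.get(token)
    role = cache.roles.get(user)
    if role is None:
        return False, "unknown token or user"
    if is_admin_path(path):                                  # role check
        return (role == "admin"), "role check"
    if role == "uploader" and action in MEDIA_ACTIONS:       # ownership check
        owner = cache.owners.get(dataset_id)
        return (owner is not None and owner == user), "ownership check"
    return False, "not covered by the issue's rules, denied by default"

# Constructed sample data standing in for rows read at server startup.
CACHE = AccessCache(
    roles={"u1": "uploader", "u2": "uploader", "v1": "viewer", "a1": "admin"},
    tokens={"tok-u1": "u1", "tok-u2": "u2", "tok-v1": "v1", "tok-a1": "a1"},
    owners={"ds1": "u1", "ds2": "u2"},
)

if __name__ == "__main__":
    for args in [("tok-u1", "/index/search"), ("tok-a1", "/index"),
                 ("tok-u1", "/media", "read", "ds1"), ("tok-u1", "/media", "update", "ds2")]:
        print(args, authorize(CACHE, *args))
```

Role changes and token revocations need the same treatment as `add_dataset`: every write to the database has to update the snapshot too, or the checks keep enforcing the old state until the next restart.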