New Hook `getPermission()`

As discussed in #12 we want to offer an option to harden the security of telefunctions. CC @redbar0n.

// server.js
// Environment: Node.js

import { telefuncConfig } from 'telefunc'
telefuncConfig.enforcePermissions = true

When enforcePermissions is set to true, all telefunctions need to use a hook called getPermission().

// *.telefunc.ts
// Environment: Node.js

import { getPermission } from 'telefunc'
import { allowEveryone, allowAuthor, allowAdmin } from './permissions'

export function hello() {
  getPermission(allowEveryone)
  // ...
}

export function updateTodo(id: string) {
  getPermission(() => allowAuthor(id))
  // ...
}

export function deleteUser(id: string) {
  getPermission(() => allowAdmin())
  // ...
}

// permissions.ts
// Environment: Node.js

// Permissions defined by the user.

export function allowEveryone() {
  // ...
}
export function allowAuthor(rowId: string) {
  // ...
}
export function allowAdmin() {
  // ...
}

@louwers thoughts?
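
A runtime sketch of the `enforcePermissions` idea proposed above, in plain JavaScript; it is an added example, not code from the issue or from Telefunc. The names `callTelefunction`, `outcome`, the two error classes, the context argument handed to the permission function and the sample todo are assumptions made for illustration.

```javascript
// Hypothetical sketch of the proposed enforcement; not Telefunc's code.
const config = { enforcePermissions: true }
class PermissionDenied extends Error {}
class MissingPermissionCheck extends Error {}
let currentCall = null // telefunction call in its synchronous phase

// Runs the permission function and returns its result.
function getPermission(permission) {
  if (!currentCall) throw new Error('getPermission() must run before the first await')
  currentCall.checked = true // set first, so a denial surfaces as a denial
  return permission(currentCall.context)
}

// Dispatcher (assumed): invokes a telefunction for a remote caller.
function callTelefunction(telefunction, args, context) {
  const call = { checked: false, context }
  const previous = currentCall
  currentCall = call
  let result
  try { result = telefunction(...args) } // a value, or a Promise if async
  finally { currentCall = previous }
  if (config.enforcePermissions && !call.checked) {
    // Fail closed: the result is discarded. Side effects made before the
    // first await have already happened, so this is a safety net only.
    Promise.resolve(result).catch(() => {})
    throw new MissingPermissionCheck(`${telefunction.name}() never called getPermission()`)
  }
  return result
}

// Constructed sample data and permissions; the context shape is an assumption.
const todos = new Map([['t1', { id: 't1', authorId: 'alice', text: 'buy milk' }]])
function allowAuthor(context, id) {
  const todo = todos.get(id)
  if (!todo || todo.authorId !== context.user) throw new PermissionDenied('not the author')
  return todo
}
function updateTodo(id, text) {
  const todo = getPermission((context) => allowAuthor(context, id))
  todo.text = text
  return todo.text
}
function listTodos() { return [...todos.values()] } // forgot getPermission()
async function hello() { getPermission(() => true); return 'hello' }

// Returns the telefunction's result, or the name of the error class thrown.
function outcome(telefunction, args, context) {
  try { return callTelefunction(telefunction, args, context) }
  catch (err) { return err.constructor.name }
}
```

Because the check is only tracked during the synchronous part of the call, `getPermission()` has to be the first thing a telefunction does, which is also where the issue's examples place it.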

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 6 (5 by maintainers)

Top GitHub Comments

1 reaction
brillout commented, Apr 27, 2022

Hmm, don’t like that a function called getPermission returns a todo.

It seems weird at first, but I think it does make sense. Not only practically, but also semantically: the permission function validates the object and returns it. One way to think of it is that whatever is returned by getPermission() is safe.

This is not type safe

Yes and the official recommendation is to return someValue instead, see https://telefunc.com/permissions. But there are some use cases where throw Abort('someValue') is convenient and justifies its existence (e.g. to globally define authorization).

Note that throw Abort() (without arguments) is semantically correct though.

We could check all return statements in a telefunction. At least one of them must be PermissionDenied. We can add this value to Telefunc or let the user define it.

That’s an interesting idea and I do like it. Problem though: it’s not trivial to get all return statements for all stacks (Vite, Parcel, Webpack, …).

OR one of the call expressions must return never.

Neat idea. I like it. Also because our shieldGenerator already provides us with a TS AST. I wonder if TypeScript provides us with that information though:

// Can TS differentiate them?

import { Abort } from 'telefunc'
declare const someCondition: boolean

async function telefunction1(): Promise<string> {
  return 'hello'
}

async function telefunction2(): Promise<string> {
  if (someCondition) {
    throw Abort()
  }
  return 'hello'
}

I’m not sure if I think a permission enforcement system even makes sense. Telefunctions are by default safe… If you don’t put any code in them. 😂

Maybe you’re right, seeing all the problems it causes, I’m thinking it may not be worth it.

How about we deprioritize this? We’ll see if users will push more on this 😃.

I still think enforcing permission functions is a neat feature, but I’m coming to the conclusion there is no easy way to do an enforcePermission thing.

We can leave it to the getContext() wrapper trick for the time being https://telefunc.com/permissions#getcontext-wrappers.

0 reactions
brillout commented, Apr 27, 2022

👍 Closing this in the meantime. Thanks for the neat discussion 😃.
