ssouthwe
Guest
> I’m not sure we want too much creativity in authorization … I think you should return what roles the current user has, after they're logged in, and have the UI respond to that. The UI knows what roles it can react to; the user knows which roles they have. I'd think that's enough info to do the right thing in the UI.

The problem is that the UI doesn't know what resources are available to what roles. It's trivial to send the UI a list of the user's roles. But at some point, if you end up with hundreds of secured resources/tasks and dozens of roles, you don't want code in the front end with conditionals like "display this if the user has role xyz or abc or qrs". I'm hoping for a single source of truth that can be maintained independently.
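One way to get the single source of truth the post asks for is to keep the role-to-resource mapping on the server, flatten the user's roles into a set of permissions at login, and hand that set (not the role names) to the UI, which then needs only one `can()` check per element. The following is an added example written for this thread, not code from the original poster or any project they describe; the `ROLE_POLICY` table, the `resource:action` permission naming, the sample users and the function names are all assumptions made for illustration.

```javascript
// Added example (not from the original post): a server-side role -> permission
// policy as the single source of truth, plus the derived permission set that
// is sent to the UI in place of raw role names. Policy, users and resource
// names below are constructed for illustration.

// Single source of truth. Permissions are "resource:action" strings; a new
// secured resource is registered here, not as a conditional in the front end.
const ROLE_POLICY = Object.freeze({
  viewer:  ["reports:read"],
  editor:  ["reports:read", "reports:write"],
  admin:   ["reports:read", "reports:write", "reports:delete", "users:manage"],
  auditor: ["reports:read", "audit-log:read"],
});

// Server side: flatten a user's roles into the set of permissions they hold.
// A role that is not in the policy grants nothing (fail closed).
function effectivePermissions(roles, policy = ROLE_POLICY) {
  const perms = new Set();
  for (const role of roles) {
    for (const p of policy[role] || []) perms.add(p);
  }
  return perms;
}

// What the login/session endpoint returns to the UI: the user's permissions,
// already resolved, so the UI never needs to know the role -> resource map.
function sessionPayload(user, policy = ROLE_POLICY) {
  return {
    user: user.name,
    permissions: [...effectivePermissions(user.roles, policy)].sort(),
  };
}

// UI side: one predicate replaces "display this if role xyz or abc or qrs".
function can(payload, permission) {
  return payload.permissions.includes(permission);
}

// Server side: the same policy must gate the real request. The UI check only
// decides what to render; it is not an access control.
function authorize(user, permission, policy = ROLE_POLICY) {
  if (!effectivePermissions(user.roles, policy).has(permission)) {
    throw new Error(`forbidden: ${permission}`);
  }
  return true;
}

// Constructed sample users (one carries a role the policy does not know).
const alice = { name: "alice", roles: ["editor", "auditor"] };
const bob   = { name: "bob", roles: ["viewer", "nonexistent"] };

const alicePayload = sessionPayload(alice);
// alicePayload.permissions -> ["audit-log:read", "reports:read", "reports:write"]
console.log(alicePayload);
console.log("alice can write reports:", can(alicePayload, "reports:write"));
console.log("bob can write reports:", can(sessionPayload(bob), "reports:write"));
```

Adding a resource or reassigning it between roles is then a one-line change in `ROLE_POLICY`; both the rendered UI and the server-side `authorize()` pick it up, and the client never sees role names at all. The point that matters for security is the last function: whatever the UI hides, the server must re-check against the same policy, because the permission list in the session payload is under the client's control once it leaves the server.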