Lets say I have a website where car dealerships manage their automobile inventory. Each car dealership has its own company_id, and their staff members use staff accounts with a staff_id.
When a staff member is at the page http://ift.tt/2wDjvHC they should see their company's car with the id jdksf9843. If they copy this url and send it to a fellow staff member, that other staff should be able to view the car. However, if the url is sent to a non-staff member, that user can NOT view the car. The car should only be accessible to staff members of that car dealership.
Taking it one step further, how can I check for permissions across a large variety of possible database queries for a variety of assets with a variety of relationships? Such as below:
http://ift.tt/2xxZ23n http://ift.tt/2wDy8uh http://ift.tt/2xxNT2e
Is there a best practice for checking view permissions in an app such as this? What should be done in the backend? Will I have to do computationally-heavy database queries to authenticate? Do I have to write custom authentication functions for each database query? Is it secure to authenticate based off staff_id or company_id?
If anyone can point me in the right direction it would be greatly appreciated!
P.S. I currently have JSON Web Token authentication in my backend, but it does not prevent staff members of differing companies from seeing eachothers inventory with just the url.
Using NodeJS and Postgres with AWS Cognito for user authentication
Aucun commentaire:
Enregistrer un commentaire