Proposal: Adapt authorisation system to new requirements
There are a few issues that users are finding with the current authorisation system. I'll list them here for reference and also submit a proposal on how to address them.
authsome#2 (closed)
1. It's not possible to have fine-grained property-level permission support, since there isn't a way to know which properties have changed.
   https://gitlab.coko.foundation/pubsweet/pubsweet-server/issues/27
2. Filtering the results that the API returns, e.g. GET /api/collections/:id/fragments to only return fragments the authenticated user can read, should be possible.
   https://gitlab.coko.foundation/editoria/editoria/merge_requests/3
3. There is no clear best practice on how to use the authorization system from the frontend. E.g. in the case of authorization-based loading of components (a user can see the manage component), do you pass in component name strings as the object in Authsome.can(user, action, object), urls, what?
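Worked example for items 1 and 2, added here as an illustration; it is not code from the original issue or from the Authsome project. It uses a stand-in policy with the can(user, action, object) shape the issue mentions, filters a collection's fragments down to the ones a user may read (item 2), and computes which properties a proposed update touches so each changed property can be checked on its own (item 1). The rule set, the users and fragments, and the helper names readableFragments, changedProperties and canUpdateProperties are all constructed assumptions for this example.

```javascript
// Added example (not part of the original issue or the Authsome project).
// can(user, action, object) is a stand-in policy with the signature the issue
// mentions; the rules below are constructed for illustration only.
function can(user, action, object) {
  if (!user) return false;                       // anonymous: deny everything
  if (user.roles.includes('admin')) return true; // admins: allow everything
  switch (action) {
    case 'read':
      // editors read all fragments; others read published ones or their own
      return user.roles.includes('editor')
        || object.published === true
        || object.owners.includes(user.id);
    case 'update':
      return object.owners.includes(user.id);
    default:
      return false;
  }
}

// Item 2: reduce a collection's fragments to the ones the user can read,
// so GET /api/collections/:id/fragments never leaks unreadable fragments.
function readableFragments(user, fragments) {
  return fragments.filter(f => can(user, 'read', f));
}

// Item 1: property-level permissions need to know what actually changed.
// Compare the stored object against the proposed one, key by key.
function changedProperties(before, after) {
  const keys = new Set([...Object.keys(before), ...Object.keys(after)]);
  return [...keys].filter(
    k => JSON.stringify(before[k]) !== JSON.stringify(after[k])
  );
}

// Constructed per-property rule: only editors/admins may flip 'published';
// every other property falls back to the generic 'update' rule.
function canUpdateProperty(user, object, property) {
  if (!user) return false;
  if (user.roles.includes('admin')) return true;
  if (property === 'published') return user.roles.includes('editor');
  return can(user, 'update', object);
}

// Deny the whole update if any changed property is off-limits, and report
// which ones were denied so the API can return a precise error.
function canUpdateProperties(user, before, after) {
  const changed = changedProperties(before, after);
  const denied = changed.filter(k => !canUpdateProperty(user, before, k));
  return { allowed: denied.length === 0, changed, denied };
}

// Constructed sample users and fragments.
const users = {
  alice: { id: 'alice', roles: ['author'] },
  bob: { id: 'bob', roles: ['editor'] },
  root: { id: 'root', roles: ['admin'] },
};
const fragments = [
  { id: 'f1', owners: ['alice'], published: false, source: 'draft' },
  { id: 'f2', owners: ['carol'], published: true, source: 'final' },
  { id: 'f3', owners: ['carol'], published: false, source: 'hidden' },
];

// Usage: alice sees her own draft plus the published fragment.
console.log(readableFragments(users.alice, fragments).map(f => f.id));
// alice may edit her own source but not publish it herself.
console.log(canUpdateProperties(users.alice, fragments[0], { ...fragments[0], published: true }));
```

The filter runs the same policy the single-object endpoint would use, so a list endpoint cannot return something the object endpoint would refuse; the property diff turns "update" into a per-property decision without the policy having to inspect the HTTP payload.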