ACL for Apps

[ErisDS]

As per the explanation here: https://github.com/TryGhost/Ghost/wiki/App-Ideas-Permissions#wiki-permissions

We want to make it possible for Apps to register for permissions in the same way that users have permissions. Those permissions are enforced in various places, most importantly in the API.

Apps need to make internal requests to the API methods via the proxy object.

Therefore we need a way to:

1. Determine or define which app is making the request.
   • This should probably be an extension of the apiContext (see ACL & the API: Current user everywhere #2058) as we still need to know on behalf of which user the request is being made.
2. Determine what permissions the app has.
   • This should probably be done by fetching those permissions from the correct app's config
3. Provide a way to ask if the current app and the current user have permission to perform the action they are trying to perform
   • This should likely be an extension of canThis, which takes a more complex context than a single user. `canThis({app: 'my-app', user: 1}).edit.post(2);

It's important to deal with permissions for both the app and the user, as otherwise in future it could be possible for a less privileged user to use an app to do things they shouldn't be able to.

[jgable]

I am currently working towards 1 and 3. And 2 should be handled by #2179.

I think for 1, we should refactor the app proxy to be a class instead of a shared instance across all apps. It will be passed the app name when instantiated and add some more wrapping around the original api methods. It will also be in charge of passing along the app id or name to the apiContext.

For 3 I'm refactoring canThis to also allow passing in app name along with user information while still maintaining the easy way of just passing a user model or user id for existing cases. I'm pretty close on this and should have something by Friday.

[sebgie]

I would like to play the devils advocate for a moment and ask why we need canThis() to support apps? I think that the combination of checking app permissions in app proxy and canThis() as it is are able to do what we need?

Examples:

• App wants to access post.edit (user allowed/app allowed)
  • app calls post.edit()
  • app proxy checks app permission -> OK
  • post.edit checks user permission -> OK
  • post is edited
• App wants to access post.edit (user not allowed/app allowed)
  • app calls post.edit()
  • app proxy checks app permission -> OK
  • post.edit checks user permission -> NOK
  • post not edited
• App wants to access post.edit (user allowed/app not allowed)
  • app calls post.edit()
  • app proxy checks app permission -> NOK
  • post not edited
• App wants to access post.edit when doing a timed task where user is the user who installed the app (user allowed/app allowed)
  • app calls post.edit()
  • app proxy checks app permission -> OK
  • post.edit checks user permission -> OK
  • post is edited

Did I overlook anything important?

[jgable]

@sebgie I think you've got a good point. That's the way I originally thought of doing it but I saw a lot of references to updating canThis in the different issues around apps and ACL.

The only thing I can think of in defense is that canThis already does some of that logic for checking permissions to objects by action, so if it isn't too much work it would be nice to have it done in one place. From what little looks I did for it last night I put together the beginning of it without any unit tests yet. Just removing some of the user specific variable names and making it a little more generic.

[ErisDS]

I have a few concerns with doing it in the proxy, the first is as @jgable said, that it is duplication of logic, I'd like to have all permissions look roughtly the same, and I think the handling needs to be done at the api level.

The second, is that (and I don't necessarily have a use case for this) Apps which make requests over the JSON API are then only making those requests with user-level permissions, rather than app-level permissions. Not sure how that might matter at all, but it highlights that the entry points would in this case have different behaviours and explains why I feel that the permissions should be handled by the api.

The third, moving on from that, is the tentative idea that there might be other sorts of contexts, and how/where their permissions might be handled.

[sebgie]

Ok, I see the point of having validation of permissions in one place. But as long as there is no use case I'm not 100 % sold on the idea ;-).

If we use canThis() for app permissions I think that it would be consistent with user permissions if app permissions are stored in the database during installation. This is contrary to what I thought permissions would be handled (#2095 (comment)).

[jgable]

My current status on this is trying to add a new apps table and model and get the permissions into the database on app installation. After that I'll be able to add some unit tests for the canThis work I've done and verify it works. ETA is sometime this weekend hopefully.

[jgable]

Ok, trying to nail down what my next task is for this. Seems like 1-3 are completed, but we still need to refactor the App proxy to use canThis and pass app id as context.

Is that related to this issue, or should we close this and track it as #2095?

[sebgie]

@jgable If you are looking for the next thing to do and have time, I think you would probably be the best person to have a look at #2434? :squirrel: