Short-term authorizations

[leio10]

This is a Feature Proposal

🎩 Description

TLDR: Support for short-term and feature related authorizations would boost reusability of Decidim modules.

Authorizations are a great feature to allow Decidim instances to relate participatory actions to custom code that allows identify users. But authorizations are intended to be executed few times and in a global context (you can't know inside the authorization handler which feature is the user dealing with).

We are facing cases very similar to those solved by authorizations (custom code to answer an authorization request related to participatory actions) but with a much smaller scope: only for a small period of time and for an specific feature. Some examples of this are related to our secure voting scenario:

• A two factor authentication based on SMS's is used every time the user wants to enter to the voting booth.
• Some votings are related to an scope. The system needs to check that the user was related to that scope at the moment of the "census closure". This could be done calling an external API that has that information.

When creating a module that implements secure votings we have two options: implement all these traits inside the module or define feature actions, that can be related to different authorizations handlers for each feature instance. The second option is more versatile and would allow us to create more reusable modules, but would require core changes on authorizations system.

These "new" authorizations would be related to a feature instance, would not be displayed in user profile page and will probably have an expiration date.

📌 Related issues

• Re-check of verification every X-months #2267

📋 Additional Data

• Decidim deployment where you found the issue:
• Browser & version:
• Screenshot:
• Error messages:
• URL to reproduce the error:

[leio10]

@xabier @josepjaume @deivid-rodriguez It would help me very much if you tell me what do you think about this proposal in terms of usefulness, effort and system complexity increase.

[deivid-rodriguez]

@leio10 Specific verification methods can already be associated with specific participatory actions. This is set in the "permissions" screen of each feature. At first sight, with the new verification API + the "expiration time" enhancements, what you want might already be possible.

[leio10]

Thanks for the response @deivid-rodriguez! That is the first solution I though, but then I found the problems that I described above. I will try to describe them again from another point of view.

At one hand, since this kind of authorizations are temporal, they should not be shown at user profile. This could be done with a hack, overriding the verifications/authorizations/index view. With this, and the "expiration time" that you commented, the SMS case would be solved.

But the other case is more complicated. Here the authorization result depends on feature information (where is the voting), so I would need a "per feature instance" authorization instead of "per user" authorization. That means that it needs to be called again on each different feature instance, even when it was previously authorized, because the results could be different (different votings would have different scopes). This could not be implemented with a very short expiration times, since would imply security issues. Also, currently there is no way to access to the feature instance that raised the authorization process from the authorization handler code.

So, I can think in two possible solutions to this:

• Change nothing in Decidim core. This would force us to implement the authorization code inside our module, reducing its reusability. Maybe this could be the first step, and improved it later with an ad-hoc hooks system, but I don't think that implementing this inside a module is a good idea.
• Adapt decidim-verifications to support this. I would do this allowing authorization handlers to be defined as "per user" or "per feature instance". Based on this, authorizations queries would be changed to hide feature authorizations in profile page and search authorizations by feature instance and user instead of only by user. Also, authorization handler code should be able to access to the feature instance that raised the authorization.

[deivid-rodriguez]

Thanks @leio10, I understand the problem now and I agree it needs more work, and that work could be done in core.

[leio10]

Actually, I've been researching this weekend to understand this better and I found that I was wrong in some points in all the authorization process. I've written this small document with what I understand: https://gist.github.com/leio10/dd45158865e440199a2dd9271142a281. I think it helps me to verify that now I am understanding this and maybe could be helpful to improve documentation.

[deivid-rodriguez]

You're definitely right in the fact the current authorizations can't be setup per resource, but only per feature and action.

You want a verification method to be required, for example, when someone wants to vote for a specific proposal (and maybe ignore it otherwise), but currently this can only be done for all proposals.

[leio10]

@deivid-rodriguez Thanks for the feedback! I'm afraid that I'm slightly changing my ideas while talking about this, but I think that I'm seeing it much more clearly now. I feel that we have two different issues here:

• Configuration in the admin zone could be done at feature instance level or at resource level. I'd keep it as it is. Maybe allowing to override it for an specific resource would be nice, but I don't see this that important, since you can create the resource in a new feature instance and change its configuration.
• Authorization handler execution should be able to be done per user, per feature instance or per resource. I would add this to the current Verifications module, allowing the authorization handler to choose one of this three levels. By default, authorization handlers would all be defined at user level, to hold compatibility with existing authorizations. Authorization handlers for other levels would be executed for each feature instance or resource, even when the same user would already be authorized for another feature instance or resource. The level would be defined by code, since it change the way that authorization handler behave, accessing to the feature instance information or to the resource information to perform its task.

[leio10]

I'm still with this 😬. While understanding the authorize call, mainly used by abilities, I created the following image that tries to represent current flow. Is not UML or similar, but I think that colors help to read it:

• Blue boxes are classes instances
• Green boxes are public methods or list of public variables
• Red shapes are private methods or variables
• Yellow boxes are instances that could be defined or modified in verifications methods
  

So, I think that this issue could be addressed if the authorization context (user, feature, action, permission, options, authorization metadata, missing or wrong fields, resource) would available to some kind of hooks defined in verification methods. Currently, there would be two hooks that I think that would be useful, but more can defined later:

• Perform advanced checks in existing authorizations, not just checking matches between verification metadata and permissions options. For example, this would have allowed us to implement verification expiration logic inside specific verification methods without touching core code.
• Include additional parameters in authorization paths, based on permission options. This would allow to adapt verification logic or views depending on permission configuration.

With this in mind, I think that we could:

• move the Adapter class instance outside the AuthorizationStatus class. This would reduce the number of layers between context and verification methods code, and would make the AuthorizationStatus class small and simple again.
• add a Hook class, with methods that could be overridden by its children classes defined in verification methods code. This base class could include part of the current status_data logic (unmmatched and missing fields, expirations?).
• add a hooks property to WorkflowManifest class. This would store a reference to a Hook child class defined within the workflow. If empty, Hook class would be used.
• modify status_data code to use hooks defined in verification methods.

If I'm not mistaken, this solution could simplify current flow (it took me some time to draw this image in my head 😄) and adapt it to present or future needs. I can prepare a PR with these changes, but I'd love to have any kind of feedback from you, @deivid-rodriguez and @josepjaume.

[deivid-rodriguez]

move the Adapter class instance outside the AuthorizationStatus class. This would reduce the number of layers between context and verification methods code, and would make the AuthorizationStatus class small and simple again.

👍 from me. I'd say you can tackle this refactoring first separately? It shouldn't change any existing functionality, right?

[leio10]

Great, I like the idea to split the change in small steps, especially considering some of my PRs 😄.
This change should just affect the class internal organization, not its behavior or external API.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. @decidim/product feel free to chime in.