
Report required permission(s) when authorization fails #8224

Open
arielshaqed opened this issue Sep 25, 2024 · 0 comments
Labels
area/API Improvements or additions to the API area/auth IAM, authorization, authentication, audit, AAA, and integrations with all those area/UI Improvements or additions to UI good first issue Good for newcomers P3

Comments

@arielshaqed
Contributor

Currently authorization simply fails the request. Add to this response the missing permission(s).

Why do this?

We see that users who fail to perform some action are unsure what to do. This is an easy response.

Is this safe?

  • This is an authenticated user - they can know their permissions simply by trying to do stuff.
  • Required permissions are known to attackers - even if our docs are out of date, pkg/api/controller.go is the open source of truth.

Alternatives

  • Report only the first missing permission. This is slightly easier to code.
  • Report all required permissions. This avoids giving the user any information about their permissions.
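The two alternatives above (report the first missing permission vs. report every permission the action requires) differ only in how the denial message is rendered from the same check. The following Go snippet is an added example that is not part of the issue or of the lakeFS code base; the `Authorize`/`DenialMessage` helpers, the `ReportMode` constants and the permission names are all assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ReportMode selects which alternative from the issue is used when
// rendering the denial message. Hypothetical type, not lakeFS's.
type ReportMode int

const (
	// ReportFirstMissing reports only the first permission the caller lacks.
	ReportFirstMissing ReportMode = iota
	// ReportAllRequired reports every permission the action requires,
	// without revealing which of them the caller already holds.
	ReportAllRequired
)

// Decision is the outcome of an authorization check.
type Decision struct {
	Allowed  bool
	Missing  []string // required but not granted, in required order
	Required []string // everything the action requires
}

// Authorize compares the caller's granted permission names against the
// permissions an action requires and records which ones are missing.
// Hypothetical helper; it is not the lakeFS authorization code.
func Authorize(granted []string, required []string) Decision {
	have := make(map[string]struct{}, len(granted))
	for _, p := range granted {
		have[p] = struct{}{}
	}
	d := Decision{Required: append([]string(nil), required...)}
	for _, p := range required {
		if _, ok := have[p]; !ok {
			d.Missing = append(d.Missing, p)
		}
	}
	d.Allowed = len(d.Missing) == 0
	return d
}

// DenialMessage renders the text to attach to the 403 response according
// to the chosen reporting mode. It returns "" when the request is allowed.
func DenialMessage(d Decision, mode ReportMode) string {
	if d.Allowed {
		return ""
	}
	switch mode {
	case ReportFirstMissing:
		return fmt.Sprintf("insufficient permissions: missing %s", d.Missing[0])
	case ReportAllRequired:
		req := append([]string(nil), d.Required...)
		sort.Strings(req) // stable output regardless of check order
		return fmt.Sprintf("insufficient permissions: this action requires %s",
			strings.Join(req, ", "))
	}
	return "insufficient permissions"
}

func main() {
	// Constructed sample input; the permission names are illustrative only.
	granted := []string{"repo:ReadObject", "repo:ListObjects"}
	required := []string{"repo:ReadObject", "repo:WriteObject", "repo:DeleteObject"}
	d := Authorize(granted, required)
	fmt.Println(DenialMessage(d, ReportFirstMissing))
	fmt.Println(DenialMessage(d, ReportAllRequired))
}
```

The check itself is identical in both modes; only the rendering differs, so the choice between the alternatives can be made at the response layer without touching the authorization logic.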
@arielshaqed arielshaqed added area/API Improvements or additions to the API area/UI Improvements or additions to UI area/auth IAM, authorization, authentication, audit, AAA, and integrations with all those labels Sep 25, 2024
@arielshaqed arielshaqed added the good first issue Good for newcomers label Oct 2, 2024
@talSofer talSofer added the P3 label Oct 10, 2024
No branches or pull requests

2 participants