
JWT and complete RBAC

Russell Ballestrini requested to merge jwt-and-namespaces into main
  1. Implemented Proper Separation Between Users and Agents:

    • Authentication Methods:
      • Separated authentication mechanisms for users and agents.
      • Users authenticate via session cookies.
      • Agents authenticate via JWT tokens.
    • New Functions:
      • Added get_current_agent to retrieve the current agent based on the JWT token.
      • Updated get_user_or_agent_namespace_role to retrieve roles appropriately.
  2. Added Role-Based Permissions for Agents:

    • Agent Roles:
      • Agents now have assigned roles: owner, editor, reader.
      • Roles are stored in both the JWT token and the Agent model.
    • Access Control:
      • Agents can perform actions within namespaces based on their roles, similar to users.
      • Ensured that agents cannot escalate their privileges beyond their assigned roles.
  3. Updated Access Control and Views:

    • Namespace Management Restricted to Owners:
      • Editors can no longer access the namespace management page.
      • Only owners can invite users or generate agent JWTs.
      • Updated views to use @owner_required decorator where appropriate.
    • Media Management for Editors:
      • Editors can upload, edit, and delete media within namespaces.
      • Confirmed that @editor_required views are accessible to both owners and editors.
  4. Updated OpenAPI Specification with Role Details:

    • Detailed Endpoint Descriptions:
      • Added role requirements to endpoint descriptions in openapi.yaml.
      • Specified which endpoints are owner-only, editor-only, or require other roles.
    • Security Schemes:
      • Included both sessionAuth and agentAuth in the security schemes.
      • Adjusted security requirements to reflect the new access control.
  5. Adjusted Templates to Reflect Access Control Changes:

    • Navigation and Links:
      • Modified templates to ensure only owners see links or options to manage namespaces.
      • In home.html.j2, changed conditionals to display the "Manage" link only to owners.
      • Ensured editors do not see links to the namespace management page.
    • Template Updates:
      • Provided updated templates via bash scripts using cat EOF.
      • Adjusted base.html.j2, home.html.j2, and other relevant templates.
  6. Updated initialize_db.py to Use Data Directory:

    • Adjusted initialize_db.py to use DATA_DIR for the database file, matching the application's configuration.
    • Ensured the script creates the data directory if it doesn't exist.
  7. Generated New README with Updated Information:

    • Comprehensive README.rst:
      • Combined existing documentation into a new, updated README.rst.
      • Included information about OTP authentication and JWT agents.
      • Provided detailed setup instructions and examples for both users and agents.
    • Application Features:
      • Documented key features and usage of the application.
      • Included examples of agent workflows and Docker deployment instructions.
  8. Provided Scripts for Templates and Testing:

    • Template Generation Scripts:
      • Supplied bash scripts to create or update necessary templates.
      • Ensured templates reflect the latest changes in access control.
    • OpenAPI Specification:
      • Updated the openapi.yaml file to reflect new role-based access controls.
      • Included detailed role requirements for each endpoint.
  9. Performed Thorough Testing and Validation:

    • Testing Agents and Users:
      • Tested all routes with both users and agents to ensure permissions work as intended.
      • Validated that agents cannot escalate privileges beyond their assigned roles.
    • Access Control Verification:
      • Confirmed that editors cannot access owner-only views and actions.
      • Ensured that editors can still manage media within namespaces.
    • Application Functionality:
      • Verified that the application functions correctly after the changes.
      • Updated any broken links or references in templates and documentation.

These changes implement a robust access control system distinguishing between users and agents with proper role-based permissions. The application now supports secure JWT authentication for agents and enforces strict access controls on namespace management and media operations.
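A worked illustration of the agent path described in this merge request: an HS256 JWT carrying the agent's namespace and role, verified server-side, with the role claim capped by the role recorded on the Agent model so a tampered or stale token cannot escalate, and a rank check of the kind the owner_required / editor_required views perform. This is added example code, not the merge request's own implementation; the AGENTS table, the claim names (sub, ns, role, exp) and the stdlib-only signing are assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-in for Agent model rows (assumed schema: namespace + role per agent).
AGENTS = {"agent-42": {"namespace": "garden", "role": "editor"}}
ROLE_RANK = {"reader": 0, "editor": 1, "owner": 2}

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_agent_jwt(agent_id, namespace, role, secret: bytes, ttl=3600):
    """Mint an HS256 JWT carrying the agent's namespace and role (an owner-only action)."""
    header = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64e(json.dumps({"sub": agent_id, "ns": namespace, "role": role,
                                "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64e(sig)}"

def verify_agent_jwt(token: str, secret: bytes):
    """Return the claims if alg, signature and expiry all check out, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64d(header)).get("alg") != "HS256":  # refuse alg=none and friends
            return None
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):  # constant-time compare
            return None
        claims = json.loads(_b64d(payload))
    except (ValueError, AttributeError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= time.time():
        return None
    return claims

def get_current_agent_role(token: str, secret: bytes, namespace: str):
    """Effective role in `namespace`: never above what the Agent model records."""
    claims = verify_agent_jwt(token, secret)
    stored = AGENTS.get(claims.get("sub")) if claims else None
    if not stored or claims.get("ns") != namespace or stored["namespace"] != namespace:
        return None
    roles = (claims.get("role"), stored["role"])
    if any(r not in ROLE_RANK for r in roles):
        return None
    return min(roles, key=ROLE_RANK.__getitem__)  # a tampered or stale claim cannot escalate

def role_allows(role, required: str) -> bool:
    """Check behind @editor_required / @owner_required style views: rank must reach `required`."""
    return role in ROLE_RANK and ROLE_RANK[role] >= ROLE_RANK[required]
```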


modified:   .gitignore
modified:   README.rst
modified:   app.py
modified:   initialize_db.py
modified:   openapi.yaml
modified:   requirements.txt
modified:   templates/base.html.j2
new file:   templates/create_namespace.html.j2
new file:   templates/display_agent_jwt.html.j2
modified:   templates/edit_media.html.j2
modified:   templates/home.html.j2
modified:   templates/list_media.html.j2
new file:   templates/manage_namespace.html.j2
modified:   templates/profile.html.j2
modified:   templates/upload_media.html.j2
modified:   templates/view_media_details.html.j2
