[review] Security Guide #2321
Remote Authentication

That guide is based on a Java sample only, right? Are there plans for Node.js as well?
| > <sup>1</sup>For bound actions and functions that are not bound against a collection, Node.js supports instance-based authorization at the entity level. For example, you can use `where` clauses that *contain references to the model*, such as `where: CreatedBy = $user`. For all bound actions and functions, Node.js supports simple static expressions at the entity level that *don't have any reference to the model*, such as `where: $user.level = 2`. | ||
| > <sup>1</sup>For bound actions and functions that are not bound against a collection, Node.js supports instance-based authorization at the entity level, see [link] (somewhere in Node.js docs)<br> | ||
| > <sup>2</sup> For unbound actions and functions, Node.js supports simple static expressions that *don't have any reference to the model*, such as `where: $user.level = 2`. |
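Review bot: Footnote 1 in its shorter wording still carries the placeholder `see [link] (somewhere in Node.js docs)` followed by a stray `<br>`; resolve it to the actual Node.js docs target before merge, or drop the cross-reference. Of the two footnote 1 wordings shown, only the longer one gives a concrete instance-based example (`where: CreatedBy = $user`); keep that example in whichever wording is merged so the footnote stays usable even if the link moves.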
Should it say "bound and unbound actions and functions"? In consequence we should add <sup>2</sup> also in the table for entity.
See:
| > <sup>2</sup> For unbound actions and functions, Node.js supports simple static expressions that *don't have any reference to the model*, such as `where: $user.level = 2`. | |
| > <sup>2</sup> For bound and unbound actions and functions, Node.js supports simple static expressions that *don't have any reference to the model*, such as `where: $user.level = 2`. |
@BraunMatthias What do you think?
| ::: warning | ||
| If you switch off CAP authentication, make sure that the internal communication channels are secured by the given infrastructure. | ||
| ::: |
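Review bot: The warning's phrase "secured by the given infrastructure" does not tell the reader what to verify. Name the setting that switches off CAP authentication and state what the infrastructure has to guarantee for the internal communication channels, or link to the section that does, so the warning is actionable.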
@BraunMatthias How about moving this note into the Java div with the hint how to turn off authentication? If there's no equivalent in Node.js then we could move it into the Java div as it doesn't apply to Node.js at all. Right?
@sjvans How would you see that? Is there something to fill from the Node.js perspective?
@renejeglinsky the same concepts apply, but configs (e.g.,
Co-authored-by: Paul <paul.erlenwein@gmail.com>
Removed unsupported privilege properties example from authorization documentation.
Please do so in a new PR. I think it would add value. Matthias was not so sure, that's why I asked you.
added to our backlog
General remarks on: