Authorization and API endpoints permissions

Canary is coarse-grained only to the request level, and in many cases I need to do very fine-grained checking, such as on individually returned database rows.

Guardian encodes permissions in it, if you are not using that feature then don’t use Guardian and instead just use Phoenix.Token.

Mostly I just expose a set of helper functions from my MyServer.Accounts.Perms module such as can/2, can?/2, logged_in/2, logged_in?/2 and a few others. They can take a variety of ‘environments’ (which can be a conn, socket, some other custom things) and extract the information they need out of that, then they look up the permission structure (a pre-processed structure generated from a host of database and LDAP information) in the ETS cache (lifetime of 1 minute, I’m using Cachex for this) and I use my PermissionEx library to test the individual permission I want against the overall processed structure. The ? variants return true/false; the non-? variants return either the environment that was passed in (allowing easy threading of things like conn in pipelines) or an exception structure if not allowed (which is then handled by the system to set a last_path on the connection and redirect to a login).

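A minimal sketch of the can/2 and can?/2 helper pattern described in the post, added here as an illustration rather than the poster's own code. It assumes the current user lives under `env.assigns.current_user` (true for both a Plug.Conn and a Phoenix.Socket), replaces Cachex with a raw `:ets` table carrying a 1-minute expiry, and stands in for PermissionEx with a small `allowed?/2` over a nested map of the constructed form `%{"resource" => %{"action" => true}}`.

```elixir
defmodule MyServer.Accounts.Perms do
  # Added example: ETS table and TTL stand in for the Cachex cache in the post.
  @table :perms_cache
  @ttl_ms 60_000

  # Returned instead of the env when a check fails; a plug or fallback
  # controller can match on it, store last_path and redirect to login.
  defmodule NotAllowed do
    defexception [:message, :env]
  end

  def init_cache do
    if :ets.whereis(@table) == :undefined do
      :ets.new(@table, [:named_table, :public, read_concurrency: true])
    end
    :ok
  end

  # Boolean variant: can?(conn, {"posts", "read"}) -> true | false
  def can?(env, perm), do: allowed?(perms_for(env), perm)

  # Pipeline variant: returns the env unchanged, or a NotAllowed struct.
  def can(env, perm) do
    if can?(env, perm),
      do: env,
      else: %NotAllowed{message: "not allowed: #{inspect(perm)}", env: env}
  end

  # Works for Plug.Conn, Phoenix.Socket or any map with an :assigns key.
  defp current_user(%{assigns: %{current_user: user}}), do: user
  defp current_user(_), do: nil

  # Look the pre-processed permission structure up in the cache, rebuilding
  # it when missing or expired (assumed 1-minute lifetime, as in the post).
  defp perms_for(env) do
    case current_user(env) do
      nil -> %{}
      %{id: id} ->
        now = System.monotonic_time(:millisecond)
        case :ets.lookup(@table, id) do
          [{^id, perms, expires}] when expires > now -> perms
          _ ->
            perms = load_perms(id)
            :ets.insert(@table, {id, perms, now + @ttl_ms})
            perms
        end
    end
  end

  # Placeholder for the DB/LDAP build step; constructed sample data only.
  defp load_perms(_id), do: %{"posts" => %{"read" => true}}

  # Stand-in for PermissionEx: a permission is a {resource, action} pair.
  defp allowed?(perms, {resource, action}),
    do: get_in(perms, [resource, action]) == true
end
```

Row-level checks from the post then become `Enum.filter(rows, &can?(conn, {"rows", &1.id}))` against whatever key shape the permission structure uses.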