Handle authorization

[J0eppp]

Discussion/documentation about how we want to handle the authorization for the REST API.

[J0eppp]

Steps

1. Identify every database request.
2. Check if the user has that permission in the database.
3. If the user has the right permission, continue, else, return 401 - not authorized.

Example

1. Teacher requests GET /users/<userame/userid> with a valid session.
2. Server receives request, checks if the user has the GetUser permission.
3. Teacher has the Getuser permission. Database fetches the data from the requested user and returns it to the client.

[J0eppp]

This is an example on how we could see whether someone has the permission to perform a certain action.

Definitions

00000000 = 0 = NO PERMISSIONS
00000001 = 1 = READ OWN PROFILE
00000010 = 2 = WRITE OWN PROFILE
00000100 = 4 = READ ALL STUDENT'S PROFILES
00001000 = 8 = WRITE ALL STUDENT'S PROFILES
00010000 = 16 = READ ALL PROFILES
00100000 = 32 = WRITE ALL PROFILES
01000100 = 64 = CREATE NEW PROFILES
10000000 = 128 = DELETE PROFILES

Note: these are just examples

Calculation

To check whether a user has the permission to perform a certain action, you do the following:
USER_PERMISSION_INTEGER | PERMISSION_TO_CHECK === USER_PERMISSION_INTEGER

Example

User has the permission to read and write it's own profile
USER_PERMISSION_INTEGER = 3 = 00000011
The user requests to see it's own profile so:
PERMISSION_TO_CHECK = 1 = 00000001
USER_PERMISSION_INTEGER | PERMISSION_TO_CHECK === 3 = 00000011 | 00000001 === 00000011

[showengineer]

I approve the use of bitfields.