Handle permissions in new JS client
Permissions are an important part of the cubicweb framework.
Using the new client/data-provider, it is currently not possible to easily handle relations.
We need to know the current user role and the different permissions for each relation/user.
Should we export all permissions? => security issue
Should we create a route to query permissions for a relation/entity? => slower
Example issue:
Let's say we have an entity Museum, with relations name and security_code.
name can be fetched by anyone, but security_code only by admins.
For regular users, we want to only display name.
For admins, we want to also display the relation security_code.
Issue is, we cannot easily know the role of the user, nor the permissions on the relations right now.