Details
Type: Improvement
Status: Open
Priority: Major
Resolution: Unresolved
Description
The AuthorizationContext exposes getUserPrincipal to the plugin, but it does not allow the plugin to interrogate the request for isUserInRole. If we trust the request enough to get a principal from it, then we should trust it enough to ask about roles, as those could have been defined and verified by an authentication plugin.
This model would be an alternative to the current model where RuleBasedAuthorizationPlugin maintains its own user->role mapping.