
I would like to implement a permission system for my API wherein the endpoints available to admins are a superset of those available to superusers, which are a superset of those of regular users. What is an elegant way to do this in Servant?

Should I use several AuthProtect combinators, each of which returns a User, but only if the authenticated user's privilege level is high enough? This seems like it would perhaps require writing mostly identical code each time, so maybe it's not ideal, especially if there are many groups. Is there a better way?

nnnmmm

  • Hello! I have done authorization a couple of times (and in different ways) with servant; you can see a summary [here](https://github.com/haskell-servant/servant-auth/issues/73#issuecomment-349737003), but long story short: I don't think authorization groups & whatnot belong in the API type. This is a private piece of information that only the server knows and cares about, and you can achieve what you want with a simple helper function or two. If you really want to explore adding authorization things to the API type, keep us posted; I just haven't found a nice way to make this work. – Alp Mestanogullari Jan 01 '18 at 09:47
  • maybe this would be applicable here: https://stackoverflow.com/q/35246397 – behzad.nouri Jan 01 '18 at 14:28
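The approach the first comment suggests, as an added example (not code from the question or from the servant project): one `AuthProtect` that yields a `User`, an `Ord`-derived role hierarchy, and a single `requireRole` helper that each handler calls. The `X-Token` header and the hard-coded token values are assumptions standing in for a real token lookup.

```haskell
{-# LANGUAGE DataKinds, TypeOperators, TypeFamilies, OverloadedStrings #-}
module Main where

import Data.Proxy (Proxy (..))
import Network.Wai (Request, requestHeaders)
import Network.Wai.Handler.Warp (run)
import Servant
import Servant.Server.Experimental.Auth (AuthHandler, AuthServerData, mkAuthHandler)

-- Roles form a strict hierarchy, so Ord gives us "at least this privileged".
data Role = RegularUser | SuperUser | Admin deriving (Eq, Ord, Show)

data User = User { userName :: String, userRole :: Role }

-- One auth scheme for the whole API; the role stays server-side, off the API type.
type instance AuthServerData (AuthProtect "token") = User

-- Hypothetical token lookup (constructed sample values); a real server
-- would validate a session or JWT here. Unknown token -> 401.
authHandler :: AuthHandler Request User
authHandler = mkAuthHandler $ \req ->
  case lookup "X-Token" (requestHeaders req) of
    Just "admin-token" -> return (User "alice" Admin)
    Just "super-token" -> return (User "bob" SuperUser)
    Just "user-token"  -> return (User "carol" RegularUser)
    _                  -> throwError err401

-- The single helper: run the handler only if the caller's role is high enough,
-- otherwise 403. Authentication (401) and authorization (403) stay separate.
requireRole :: Role -> User -> Handler a -> Handler a
requireRole needed u act
  | userRole u >= needed = act
  | otherwise            = throwError err403 { errBody = "insufficient privilege" }

type API = AuthProtect "token" :>
  (    "profile" :> Get '[JSON] String
  :<|> "reports" :> Get '[JSON] String
  :<|> "users"   :> Delete '[JSON] NoContent )

-- Each endpoint states its minimum role once; no per-group combinators needed.
server :: Server API
server u = profile :<|> reports :<|> deleteUsers
  where
    profile     = requireRole RegularUser u (return (userName u))
    reports     = requireRole SuperUser   u (return "quarterly numbers")
    deleteUsers = requireRole Admin       u (return NoContent)

main :: IO ()
main = run 8080 $ serveWithContext (Proxy :: Proxy API)
                    (authHandler :. EmptyContext) server
```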

0 Answers