is_owner condition for custom action

[morrisson]

If developers want to restrict using action for some resources to those owner, developers want to write is_owner condition for this custom action policy. However, currently it does not work. This is because owner is checked in GET/PUT/POST/DELETE action by adding tenant_id to (pre)fetch some resource, but there is no this kind of logic in ActionResource.

[marcin-ptaszynski]

In order to enforce this policy, we'd need to prefetch the subject resource. What do you think about it, @nati?

[nati]

I think we should prefetch resource and apply policy for also action.
But this could be backward incompatible change, so I wanna know how side effect this for existing projects.

[morrisson]

Thanks. Ok, prefetch resource is a good option.

As far as I can think of, side effect is that, for example, admin action to some users' resource might be prohibited without modifying policy condition to allow tenant_id: <admin_tenant_id> access.

[morrisson]

I think we can check by policy.Check same as checking 'create' policy (line 407-411 in resource_management.go)

//Apply policy for api input
err = policy.Check(schema.ActionCreate, auth, dataMap)
if err != nil {
    return ResourceError{err, err.Error(), Unauthorized}
}

Is there a reason that we should use prefetching?

[nati]

It is because any action may performed after we crated a resource, and parameters for action won't have a resource information except ID.