When implementing role-based access control (RBAC), ensure you use the correct permission verification method based on the security context. Distinguish between:
- User-level permissions: use hasPermission() when checking whether the current user holds a specific permission, regardless of the object being accessed.
- Object-specific permissions: use hasPermissionInMetadata() when verifying whether access to a specific object is allowed, based on that object's access-control metadata.
Using the wrong permission check can lead to security vulnerabilities or overly restrictive access. Always confirm which level of permission verification is required for your use case.
Example:
    // User-level check: does the current user hold PluginsWrite at all?
    if (!contextSrv.hasPermission(AccessControlAction.PluginsWrite)) {
      // Handle unauthorized access
    }

    // Object-specific check: does this particular plugin's metadata grant PluginsWrite?
    if (!contextSrv.hasPermissionInMetadata(AccessControlAction.PluginsWrite, plugin)) {
      // Handle unauthorized access
    }
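The following is an added, self-contained model of the two checks, not code from the project the guideline describes. It assumes the shapes of `ContextService`, `AccessControlAction` and the `accessControl` metadata field (these are hypothetical, modelled after the snippet above) and uses constructed sample data. It shows the failure mode the guideline warns about: a user-level check returns the same answer for every object, while the metadata check distinguishes objects the user may and may not write.

```typescript
// Added example: a minimal model of user-level vs. object-level checks.
// ContextService, AccessControlAction and the accessControl metadata field
// are assumed shapes, not the real project's API.

enum AccessControlAction {
  PluginsWrite = 'plugins:write',
  PluginsInstall = 'plugins:install',
}

// An object that carries its own access-control metadata (assumed shape).
interface WithAccessControlMetadata {
  id: string;
  accessControl?: Record<string, boolean>;
}

interface User {
  permissions: Record<string, boolean>;
}

class ContextService {
  constructor(private readonly user: User) {}

  // User-level: does the current user hold this action at all?
  hasPermission(action: string): boolean {
    return !!this.user.permissions[action];
  }

  // Object-level: does this object's own metadata grant the action?
  // The user-level grant is deliberately not consulted here; the metadata
  // is the authoritative answer for this particular object.
  hasPermissionInMetadata(action: string, object: WithAccessControlMetadata): boolean {
    return !!object.accessControl?.[action];
  }
}

// Constructed sample data: a user with a global PluginsWrite grant and three
// plugins whose metadata allows, denies, or omits PluginsWrite.
const sampleUser: User = { permissions: { [AccessControlAction.PluginsWrite]: true } };
const editablePlugin: WithAccessControlMetadata = {
  id: 'plugin-a',
  accessControl: { [AccessControlAction.PluginsWrite]: true },
};
const lockedPlugin: WithAccessControlMetadata = {
  id: 'plugin-b',
  accessControl: { [AccessControlAction.PluginsWrite]: false },
};
const noMetadataPlugin: WithAccessControlMetadata = { id: 'plugin-c' };

const contextSrv = new ContextService(sampleUser);

// Wrong check for an object decision: ignores the plugin entirely, so it
// answers "yes" for every plugin as long as the user has the global grant.
function canEditPluginUserLevel(_plugin: WithAccessControlMetadata): boolean {
  return contextSrv.hasPermission(AccessControlAction.PluginsWrite);
}

// Correct check for an object decision: consults the plugin's own metadata.
function canEditPlugin(plugin: WithAccessControlMetadata): boolean {
  return contextSrv.hasPermissionInMetadata(AccessControlAction.PluginsWrite, plugin);
}

// Run stand-alone to compare the two checks across the sample plugins.
for (const plugin of [editablePlugin, lockedPlugin, noMetadataPlugin]) {
  console.log(
    `${plugin.id}: user-level=${canEditPluginUserLevel(plugin)} object-level=${canEditPlugin(plugin)}`
  );
}
```

Note that a missing `accessControl` entry is treated as a deny in the object-level check; defaulting to deny when metadata is absent is the safer choice, since an object whose metadata was not loaded should not silently become writable.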