feat: support hierarchical permission wildcards#1327
Conversation
Add hierarchical wildcard matching for Shield permissions. - Support nested trailing wildcards like forum.posts.* - Support middle-segment wildcards like forum.*.create - Share wildcard matching between user and group permission checks - Document wildcard semantics and direct user wildcard assignment - Cover matcher behavior and public authorization paths Co-authored-by: bgeneto <bgeneto@duck.com> Co-authored-by: christianberkman <christianberkman@users.noreply.github.com> Signed-off-by: memleakd <121398829+memleakd@users.noreply.github.com>
michalsn
left a comment
michalsn
left a comment
There was a problem hiding this comment.
I would like to make wildcards simpler: trailing wildcards match children only, never the parent. So forum.posts.* would match forum.posts.create but NOT forum.posts.
The current "parent matching" feels like hidden privilege escalation. If someone sets up forum.posts.* thinking "all actions on posts", they probably don't expect it also grants the bare forum.posts scope - which could be used as a different kind of gate elsewhere in their app. Current behavior is non-intuitive to me.
|
@michalsn I agree, and I think this is the direction we should standardize on as a team. The overall goal of supporting deeper hierarchical wildcard permissions still seems valid, but I do not think trailing wildcards should also grant the parent scope itself. Allowing The clearer contract, in my view, is: 1- That keeps permission grants explicit, avoids hidden coupling between namespace-like labels and actual permission checks, and gives us simpler semantics to document and test consistently across both group-level and direct user permissions. So my preference would be to keep the feature, but adjust the trailing-wildcard semantics to follow this rule before merging. |
Signed-off-by: memleakd <121398829+memleakd@users.noreply.github.com>
3 participants
This PR intends to finalize the hierarchical permissions work from #1253 and #1309, which had stalled for some time.
Shield already supports wildcard permissions, but the current behavior is limited when permissions are organized into deeper namespaces.
In larger, real-world applications, permissions often grow beyond two segments. The flat/single-level wildcard behavior makes those permission sets harder to express and maintain cleanly, often requiring custom workarounds.
This PR makes wildcard permissions work with deeper structures while keeping the existing
$user->can()and$group->can()APIs unchanged.A trailing wildcard now matches descendant permissions:
'forum.posts.*'matches
forum.posts.createandforum.posts.comments.delete, but notforum.posts.Wildcards can also be used in the middle of a permission, so
forum.*.creatematchesforum.posts.createandforum.comments.create, but notforum.posts.comments.create.I tried to address the concerns and review feedback from the earlier attempts:
Config\AuthGroups::$permissionsbefore assignment;*must be a complete segment;*cannot be the first segment;*does not grant everything;$user->can()/$group->can()paths.I’d appreciate any feedback. Hopefully this can help move this long-standing and requested feature forward.