<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>authorization on krtffl.dev</title>
    <link>https://krtffl.dev/tags/authorization/</link>
    <description>Recent content in authorization on krtffl.dev</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en</language>
    <copyright>© [krtffl](https://krtffl.dev)</copyright>
    <lastBuildDate>Mon, 23 Dec 2024 00:00:00 +0000</lastBuildDate><atom:link href="https://krtffl.dev/tags/authorization/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>owner-scoped rbac: enforcing &#39;you can only see your own&#39;</title>
      <link>https://krtffl.dev/posts/owner-scoped-rbac-go/</link>
      <pubDate>Mon, 23 Dec 2024 00:00:00 +0000</pubDate>
      
      <guid>https://krtffl.dev/posts/owner-scoped-rbac-go/</guid>
      <description>&lt;p&gt;two users hit &lt;code&gt;GET /dojos&lt;/code&gt;. same route, same handler, same line of sql underneath. the admin gets back every dojo in the database. the dojo owner gets back exactly one — theirs. nobody wrote a second endpoint, nobody passed a flag. the query just quietly narrowed itself on the way down, and the owner never learns the other rows exist.&lt;/p&gt;
&lt;p&gt;the first time that worked in mojodojo i felt clever. &amp;ldquo;you can only see your own&amp;rdquo; is the whole ballgame in a multi-tenant app, and here it was falling out of the architecture for free. then i went looking for &lt;em&gt;where&lt;/em&gt; it happened, and the answer was: two different files, in two different layers, that don&amp;rsquo;t fully agree with each other. one of them has a hole you could drive a truck through.&lt;/p&gt;</description>
    </item>
    
  </channel>
</rss>
