Skip to content

Commit 3a3583d

Browse files
committed
update api v1.md to explain authorization
1 parent 6d3979d commit 3a3583d

1 file changed

Lines changed: 55 additions & 5 deletions

File tree

doc/API/V1.md

Lines changed: 55 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -161,8 +161,58 @@ This searches across `hostname`, `sysName`, and `os` for devices.
161161

162162
## Access Control
163163

164-
- **Devices and Ports** Users with global read access see all resources. Other users only see resources they have been granted access to.
165-
- **Alert Templates** Users with global read access can view. Only admins can create, update, or delete.
166-
- **Alert Rules** Users with global read access can view. Only admins can create, update, or delete. Results are scoped to devices the user has access to.
167-
- **Device Groups** Users with global read access can view. Only admins can create, update, or delete. Results are scoped to groups the user has access to.
168-
- **Users** Only admins can list all users. Non-admin users can only view their own profile.
164+
### Authorization flow
165+
166+
Every request runs through the same four stages. It must clear **all** of them or it is
167+
rejected with the status shown:
168+
169+
```
170+
Request + Bearer token
171+
172+
1. Authentication ............... valid Sanctum token? no → 401 Unauthenticated
173+
│ yes (token → user)
174+
2. API access permission ........ user has `api.access`? no → 403 Forbidden
175+
│ yes
176+
3. Per-action authorization ..... policy allows this verb? no → 403 Forbidden
177+
│ yes (viewAny / view / create / update / delete)
178+
4. Result scoping ............... record(s) within user's scope? out of scope → filtered
179+
│ (a single show → 404)
180+
181+
Response
182+
```
183+
184+
1. **Authentication** the `auth:sanctum` middleware resolves the token to a user. See [Authentication](#authentication).
185+
2. **API access permission** the user must hold the `api.access` permission. It is granted to the **admin** and **global-read** roles out of the box; other roles need it added explicitly. Without it, no v1 endpoint is reachable.
186+
3. **Per-action authorization** each HTTP verb maps to a Laravel policy method on the resource's model: `index → viewAny`, `show → view`, `POST → create`, `PATCH/PUT → update`, `DELETE → delete` (Restify also checks `allowRestify`). Two shortcuts apply: **admins** pass every check, and **global-read** users pass every *read* check (`view*` / `show`).
187+
4. **Result scoping** even when a user may use an endpoint, the rows they get back are filtered to what they're allowed to see. How that filter works depends on the repository's *flavor* (below). A `show` for an out-of-scope id returns `404`.
188+
189+
### Roles at a glance
190+
191+
| Role | API access | Can read | Can write (create/update/delete) |
192+
|------|:---:|---|---|
193+
| **admin** || everything | everything |
194+
| **global-read** || everything (read-only) | no (unless a policy allows it) |
195+
| **user** / custom | only if `api.access` is granted | only resources they're scoped to | only where a policy allows |
196+
197+
### Repository scoping flavors
198+
199+
Stage 4 is implemented per repository. Most resources fall into one of these flavors:
200+
201+
| Flavor | How results are filtered | Example resources |
202+
|--------|--------------------------|-------------------|
203+
| **Device-scoped** | To devices the user has access to. | `devices`, `sensors`, `processors`, `storage`, `mempools`, `alerts`, `alert-rules`, `device-groups`, `locations`, `bills`, `inventory`, BGP/OSPF/MPLS peers & tunnels, … (~44 resources) |
204+
| **Port-scoped** | To ports the user is granted **plus** every port on a device they can see (broader than device access). | `ports`, `port-statistics`, `transceivers`, `ipv4-addresses`, `ipv6-addresses`, `routes`, `port-vlans`, `pseudowires`, … (~19 resources) |
205+
| **Global** | Not filtered per record visible to anyone who clears stages 1–3 (typically global-read or admin). | `alert-templates`, `poller-groups`, `poller-clusters`, `ipv4-networks`, `ipv6-networks`, `auth-logs`, … |
206+
| **Owner-scoped** | To the caller's own records. | `users` (admins see all; everyone else sees only their own profile) |
207+
208+
For how a new repository opts into a flavor (the `DeviceScopedRepository` / `PortScopedRepository`
209+
traits and the `DeviceRelatedModel` / `PortRelatedModel` base models), see
210+
[Creating API v1 Resources › Access Control Patterns](../Developing/Creating-API-Resources.md#access-control-patterns).
211+
212+
### Per-resource notes
213+
214+
- **Devices and Ports** Global-read users see all; others see only the devices/ports they've been granted.
215+
- **Alert Templates** Global-read users can view; only admins can create, update, or delete.
216+
- **Alert Rules** Viewable with global read; only admins can create, update, or delete. Results are scoped to devices the user has access to.
217+
- **Device Groups** Viewable with global read; only admins can create, update, or delete. Results are scoped to the groups the user can access.
218+
- **Users** Only admins can list all users; non-admin users can only view their own profile.

0 commit comments

Comments
 (0)