
What do you mean separate authorization logic? There are many layers to auth and usually they act as interceptors in requests that go very fast. If you have blanket permissions to list, you are able to list resources you have access to... that's trivial. However `Blog` resources might have explicit deny policies on them as well, so yes those are also evaluated. Not sure how else you'd expect it to work sans caching like current state of resources and access.


Yes, you need to consider authorization at every layer. You can blanket deny a lot of things in a midlayer, but sooner or later you need to start interpreting business logic to do the rest.
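The two comments above describe a layered authorization model: a fast, coarse interceptor that checks blanket (type-level) permissions before any data is loaded, followed by per-resource evaluation where explicit deny policies attached to individual resources are also considered. The following is an added illustration of that model, not code from either commenter or from any particular product; the `Policy`/`Resource` types, the `blog:*` pattern syntax and the sample principals (alice, bob, carol) are constructed assumptions chosen for the example.

```python
from dataclasses import dataclass, field

# Constructed policy model for illustration only (not a real product's schema).
@dataclass(frozen=True)
class Policy:
    effect: str      # "allow" or "deny"
    principal: str   # principal id, or "*" for everyone
    action: str      # e.g. "list"
    resource: str    # "type:*" (blanket) or "type:id" (one resource)

@dataclass
class Resource:
    rtype: str
    rid: str
    owner: str
    policies: list = field(default_factory=list)  # resource-level policies

def _matches(pattern: str, target: str) -> bool:
    """Pattern 'blog:*' matches any blog; 'blog:2' matches only blog 2."""
    ptype, pid = pattern.split(":", 1)
    ttype, tid = target.split(":", 1)
    return ptype == ttype and (pid == "*" or pid == tid)

def evaluate(principal: str, action: str, resource_ref: str, policies: list) -> str:
    """Deny-overrides evaluation: any matching explicit deny wins immediately;
    otherwise at least one matching allow is required, else default deny."""
    decision = "deny"
    for p in policies:
        if p.principal not in (principal, "*") or p.action != action:
            continue
        if not _matches(p.resource, resource_ref):
            continue
        if p.effect == "deny":
            return "deny"
        decision = "allow"
    return decision

def coarse_interceptor(principal: str, action: str, rtype: str, global_policies: list) -> bool:
    """Layer 1: cheap, type-level check on the request path, before loading data.
    Only blanket ('type:*') policies can satisfy it; per-resource denies are
    deferred to layer 2 because they need the resource state."""
    return evaluate(principal, action, f"{rtype}:*", global_policies) == "allow"

def list_resources(principal: str, rtype: str, store: list, global_policies: list):
    """Layer 2: per-resource evaluation with global and resource-level policies
    merged, so an explicit deny on one Blog hides just that Blog.
    Returns None when the coarse layer rejects the whole request (a 403 at the edge)."""
    if not coarse_interceptor(principal, "list", rtype, global_policies):
        return None
    visible = []
    for r in store:
        if r.rtype != rtype:
            continue
        merged = global_policies + r.policies
        if evaluate(principal, "list", f"{r.rtype}:{r.rid}", merged) == "allow":
            visible.append(r.rid)
    return visible

# Constructed sample data: blanket list permission on blogs for alice and bob only.
GLOBAL = [
    Policy("allow", "alice", "list", "blog:*"),
    Policy("allow", "bob", "list", "blog:*"),
]
STORE = [
    Resource("blog", "1", "alice"),
    Resource("blog", "2", "alice", [Policy("deny", "bob", "list", "blog:2")]),
    Resource("blog", "3", "carol", [Policy("deny", "*", "list", "blog:3")]),
    Resource("doc", "9", "alice"),
]

if __name__ == "__main__":
    print("alice:", list_resources("alice", "blog", STORE, GLOBAL))  # ['1', '2']
    print("bob:  ", list_resources("bob", "blog", STORE, GLOBAL))    # ['1']
    print("carol:", list_resources("carol", "blog", STORE, GLOBAL))  # None (no blanket permission)
```

Note that the coarse layer cannot grant access on its own: a blanket allow only means the request proceeds to the per-resource pass, where the resource-level deny on `blog:2` still removes it from bob's result. Reversing the precedence (allow overriding deny) would silently defeat the explicit deny policies the first comment mentions.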



