To my mind, the attribute name 'action' in the rule definition has an incorrect meaning in that project.
And as a result, we can't bind a certain rule to a certain endpoint.
Try to look up the implementation of PermissionEvaluator, AbacPermissionEvaluator, in the 'access-control' Maven module.
Take into account the following method signature:
boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission);
'permission' is the last parameter.
In the 'AbacPermissionEvaluator' implementation you pass this object to the PolicyEnforcement#check method as an action object.
According to the 'PermissionEvaluator' provided by Spring Boot, Permission here is an object which claims which permits the caller (user) has. So, an implementation of PermissionEvaluator has to describe security rules and decide: can a caller (user) with certain permissions receive access to a targetDomainObject.
So, as a result, you define a rule target incorrectly.
Let's see an example: 'subject.role.name() == 'PM' && action == 'PROJECTS_VIEW''.
I understood the following: the rule is acceptable if the user role is 'PM' and its permission is 'PROJECTS_VIEW', because the action attribute doesn't mean action, it means permissions.
As a result, we can't bind this rule to a certain endpoint. The above rule will apply to each request of a PM user with the PROJECTS_VIEW permission, and a condition will be evaluated.
What do you think about that?
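The flow the issue describes, as an added example that is not part of the original issue or the project's code: the third `hasPermission` argument is handed to the rule as `action`, and the quoted rule condition is evaluated. It assumes the rule is a Spring SpEL expression; `ActionBindingDemo`, `Role`, `User`, `AccessContext` and the target strings are hypothetical stand-ins, and the project's real `PolicyEnforcement#check` is not reproduced.

```java
import org.springframework.expression.Expression;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class ActionBindingDemo {
    // Hypothetical stand-ins for the project's subject model.
    public enum Role { PM, DEVELOPER }

    public static class User {
        private final Role role;
        public User(Role role) { this.role = role; }
        public Role getRole() { return role; }
    }

    // Hypothetical root object: the rule reads 'subject' and 'action' from it.
    public static class AccessContext {
        private final User subject;
        private final Object action;
        public AccessContext(User subject, Object action) {
            this.subject = subject;
            this.action = action;
        }
        public User getSubject() { return subject; }
        public Object getAction() { return action; }
    }

    // Rule condition quoted in the issue, parsed as SpEL (assumption).
    static final Expression RULE = new SpelExpressionParser()
            .parseExpression("subject.role.name() == 'PM' && action == 'PROJECTS_VIEW'");

    // Same parameter order as PermissionEvaluator#hasPermission; the third
    // argument is handed to the rule as 'action', as the issue describes.
    static boolean hasPermission(User caller, Object targetDomainObject, Object permission) {
        AccessContext ctx = new AccessContext(caller, permission);
        return Boolean.TRUE.equals(RULE.getValue(new StandardEvaluationContext(ctx), Boolean.class));
    }

    public static void main(String[] args) {
        User pm = new User(Role.PM);
        User dev = new User(Role.DEVELOPER);
        // Constructed call sites; the target strings are placeholders.
        System.out.println(hasPermission(pm, "project-42", "PROJECTS_VIEW"));
        System.out.println(hasPermission(pm, "report-7", "PROJECTS_VIEW"));
        System.out.println(hasPermission(pm, "project-42", "PROJECTS_EDIT"));
        System.out.println(hasPermission(dev, "project-42", "PROJECTS_VIEW"));
    }
}
```

In this sketch the outcome depends only on the caller's role and the string passed as the third argument; the target object and the calling endpoint never enter the condition.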