How to Handle Parent-Child Resource Access Control in AdonisJS Policies?

[patrickphat]

Hi AdonisJS community,

I’m working on an application where I need to manage hierarchical resources with parent-child relationships and enforce access control through policies.

Here’s my specific use case:

• I have a Site model, and each site can have multiple Page models associated with it (i.e., a site has many pages).
• Users can create and manage their own sites.
• A user with permission to edit a site should also have permission to edit all the pages of that site.

My question is about best practices for handling access control in this scenario, particularly in the context of AdonisJS policies. Should a policy for the Page model implicitly check the permissions of the Site model, or is there a better approach?

My current approach:

1. I created a SitePolicy that checks if the user can edit the site.

2. For the PagePolicy, I check if the user has permission to edit the parent site using the site() relationship inside the policy. Here’s an example of what I’m doing in the PagePolicy (in pseudo code):

   const SitePolicy = use('App/Policies/SitePolicy')
   
   class PagePolicy {
     async edit(user, page) {
       // Load the parent site
       const site = await page.site().fetch()
   
       // Check if the user has permission to edit the parent site
       const sitePolicy = new SitePolicy()
       const canEditSite = await sitePolicy.edit(user, site)
   
       // Allow editing the page if the user can edit the parent site
       return canEditSite
     }
   }

My Concerns:

• Is this a good approach to enforce cascading permissions from a parent resource (Site) to child resources (Pages)?
• Are there any performance implications for frequently loading the parent resource (Site) within the child policy (Page)?
• Is there a cleaner way to handle parent-child resource relationships in policies within AdonisJS?

I’d appreciate any guidance on best practices or alternative approaches for managing hierarchical access control with AdonisJS policies.

Thanks in advance for your help!

[patrickphat]

By the way, when define policies in async function, it seems like typescript inference is no longer work. For instance:

export default class PagePolicy extends BasePolicy {

  /**
   * Only the site owner can view the page
   */
 async view(user: User, page: Page): Promise<AuthorizerResponse> {
	const site = await Site.find(page.siteId)
  return site ? user.id === site.ownerId : false
  }

Only non async policies got type-safety