
I'm developing an app that has an API and a database that holds user permissions and user projects, among other things.

Certain stored procedures must be protected, and for that I have to check the scopes available for the user.

Should I check the user permissions inside the stored procedures (calling a second proc or function that would check if the user has a certain scope) or should I do two database calls from my endpoint, one to check if the user has the necessary scopes and a different one to execute the protected procedure?

1 Answer


There are different mechanisms that you can use to implement this, but let me answer the question generically first:

Practice Defense in Depth

In this context, not only do you want to make sure that the caller isn't granted permissions at the database level, you also want to double-check within your stored procedure. The reason being that if one layer of security fails, your stored procedure is still protected.

This has the additional benefit that you are making one call instead of two, saving network traffic and improving your response time.

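The two layers the answer describes, as an added example that is not part of the original answer: it assumes PostgreSQL 11 or later, a hypothetical `user_scopes(user_id, scope)` and `projects(id, ...)` schema, and an existing `app_api` role that the API connects as.

```sql
-- Added example (not part of the answer above). Assumes PostgreSQL 11+ and a
-- hypothetical schema: user_scopes(user_id, scope) and projects(id, ...).

-- Helper that answers "does this user hold this scope?". SECURITY DEFINER
-- lets it read user_scopes even when the caller has no rights on that table.
CREATE OR REPLACE FUNCTION user_has_scope(p_user_id bigint, p_scope text)
RETURNS boolean
LANGUAGE sql
SECURITY DEFINER
SET search_path = public, pg_temp
AS $$
  SELECT EXISTS (
    SELECT 1 FROM user_scopes
    WHERE user_id = p_user_id AND scope = p_scope
  );
$$;

-- Second layer (inside the proc): the protected procedure re-checks the
-- scope itself, so it stays protected even if a grant is ever misconfigured.
-- p_user_id must come from the API's authenticated session, never from
-- client-supplied input.
CREATE OR REPLACE PROCEDURE delete_project(p_user_id bigint, p_project_id bigint)
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public, pg_temp
AS $$
BEGIN
  IF NOT user_has_scope(p_user_id, 'projects:delete') THEN
    RAISE EXCEPTION 'user % lacks scope projects:delete', p_user_id
      USING ERRCODE = 'insufficient_privilege';
  END IF;

  DELETE FROM projects WHERE id = p_project_id;
  IF NOT FOUND THEN
    RAISE EXCEPTION 'project % not found', p_project_id;
  END IF;
END;
$$;

-- First layer (database grants): the API role may only CALL the procedure;
-- it cannot touch the tables or the scope helper directly. Revoke the default
-- PUBLIC execute right that PostgreSQL gives every new function.
REVOKE ALL ON projects, user_scopes FROM app_api;
REVOKE EXECUTE ON FUNCTION user_has_scope(bigint, text) FROM PUBLIC;
REVOKE EXECUTE ON PROCEDURE delete_project(bigint, bigint) FROM PUBLIC;
GRANT EXECUTE ON PROCEDURE delete_project(bigint, bigint) TO app_api;

-- The endpoint then makes a single round trip:
-- CALL delete_project(:session_user_id, :project_id);
```

With the grants in place, `app_api` can neither read `user_scopes` nor call `user_has_scope` directly, and a missing scope surfaces as an `insufficient_privilege` error from the one `CALL`.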
