I'd like to ask which authorization flow is considered better or standard.
First approach (has role AND assertion is valid):

```js
if (!isGranted(roles, permission)) {
    return false;
}
if (hasAssertion(permission)) {
    return assert(getAssertion(permission), context);
}
return true;
```

Second approach (has role OR assertion is valid):

```js
if (isGranted(roles, permission)) {
    return true;
}
if (hasAssertion(permission)) {
    return assert(getAssertion(permission), context);
}
return false;
```
Edit: I'm designing a chat application, with users having different permissions in different chat rooms.
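To make the difference between the two flows concrete, here is an added example (not code from the question) that implements both orders side by side against a constructed chat-room setup; the permission table, the per-room role map and the "own message only" assertion are assumptions chosen to illustrate the point.

```javascript
// Constructed permission table: each permission lists the roles that hold it
// and, optionally, an assertion evaluated against a request context.
const permissions = {
  "message.delete": {
    roles: new Set(["moderator"]),
    // Assumed assertion: the acting user wrote the message being deleted.
    assertion: (ctx) => ctx.message.authorId === ctx.user.id,
  },
  "message.post": { roles: new Set(["member", "moderator"]) },
};

function isGranted(roles, permission) {
  const p = permissions[permission];
  return Boolean(p) && roles.some((r) => p.roles.has(r));
}
function hasAssertion(permission) {
  return typeof permissions[permission]?.assertion === "function";
}
function getAssertion(permission) {
  return permissions[permission].assertion;
}

// First approach: the role is required, and an assertion (if any) further
// restricts what the role holder may do.
function allowRoleAndAssertion(roles, permission, context) {
  if (!isGranted(roles, permission)) return false;
  if (hasAssertion(permission)) return getAssertion(permission)(context);
  return true;
}

// Second approach: either the role or the assertion alone is enough, so the
// assertion widens access to users who hold no qualifying role.
function allowRoleOrAssertion(roles, permission, context) {
  if (isGranted(roles, permission)) return true;
  if (hasAssertion(permission)) return getAssertion(permission)(context);
  return false;
}

// Constructed data: roles are scoped per room, as in the question's edit.
const roomRoles = { general: { alice: ["moderator"], bob: ["member"] } };
function rolesIn(room, userId) {
  return roomRoles[room]?.[userId] ?? [];
}

// Evaluate "delete this message in this room" under a chosen policy.
function canDelete(policy, room, user, message) {
  return policy(rolesIn(room, user.id), "message.delete", { user, message });
}
```

With this table, the AND flow lets the moderator delete only her own messages (the assertion narrows the role), while the OR flow lets every member delete their own messages and the moderator delete anything (the assertion adds a second, role-free path), so the choice decides whether assertions act as a restriction or as an additional grant.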