Skip to content

Backward compat: Take care for permission exclusions

Migrating privileges to the Eliatra Suite naming works by several methods:

  • Via static action groups: If static (predefined) action groups are used in the privilege definition, the new names will be automatically picked up.
  • As a fallback: Via trial and error: If in the config, explicit action names are used instead of action groups, the user will notice this, as they get a 403 error. Thus, the config can be adjusted then.

However, trial and error does not work for permission exclusions, as these won't lead to an error message if they are not migrated. This gets worsened by the fact that SG API auth tokens will be supported indefinitely by Eliatra Suite - and that these auth tokens hardcode an action name inclusion inside the JWT token.

Thus, we need to give legacy action names in exclusions a special treatment. These shall also automatically cause modern actions to be excluded.