Comments (5)
kellysutton
commented on July 29, 2024
I've been running into this question of authorization a bit with some of my own applications as well.
However, I think authorization squarely lies in the responsibilities of the controller and not at the model/resource level. Thus, I subclass the JSONAPI::ResourceController and make sure it does the short-circuiting.
This duplicates the efforts a little bit when policies are model-dependent, i.e. "This model can only be seen if the current user was the author." This results in issuing a find request twice, but I find that's acceptable tradeoff when it comes to code cleanliness.
Here's a little example:
class ModelController < JSONAPI::ResourceController
def show
keys = parse_key_array(params[resource_klass._primary_key])
resources = if keys.length > 1
resource_klass.find_by_keys(keys, context: context)
else
resource_klass.find_by_key(keys[0], context: context)
end
Array(resources).each do |resource|
unless resource.user == current_user
# Raise your 403
end
end
super
rescue => e
handle_exceptions(e)
end
endfrom jsonapi-resources.
barelyknown
commented on July 29, 2024
I don't see the resource being as coupled to the model as you do, and I also don't think your proposed solution works for the other actions (create, update...).
Am I missing something? How do you handle the authorization of create and update actions using your approach?
from jsonapi-resources.
lgebhardt
commented on July 29, 2024
@barelyknown, I don't fully understand your business case. However I think it sounds like an issue if the after action callbacks aren't being called in the event of an error. So I'd be interested in a change that allows them to be called and have access to the errors collection. I haven't looked into what that would take, and what else will be affected.
from jsonapi-resources.
barelyknown
commented on July 29, 2024
What about adding an error to the errors collection when ArgumentError is raised because of an invalid enum instead of raising JSONAPI::Exceptions::InvalidFieldValue?
from jsonapi-resources.
lgebhardt
commented on July 29, 2024
@barelyknown, I think that sounds good. It should probably be treated more like a validation error.
from jsonapi-resources.
Related Issues (20)
- or
- Resource option `always_include_linkage_data: true` not working HOT 5
- Repeating the same sort attribute with reverse direction overwrites the previous direction for that attribute
- Documentation for ResourceSerializer with includes is incorrect HOT 3
- What's the status of version 0.11.0?? IS THIS PROJECT DEAD? HOT 1
- Alternative to ActiveRelationResource which does not produce extra DB queries HOT 2
- Adopt the `frozen_string_literal` magic comment to optimize string storage
- sort by country that is related to resource not directly but through the third relation is not work properly HOT 3
- Rails Namespace Conflict with jsonapi.rb
- unable to build w/o specifying rails version in ENV
- add support for rubocop
- Test for missing inverse relationships HOT 4
- Change ResourceIdentity <=> to take resource_klass into account when sorting.
- Class caching is too aggressive in dev HOT 1
- Aliased Attribute Names Are Not Used In Error Responses
- get_join_arel_node fails with include_optional_linkage_data if there is already a join
- RFC: Guide for handling generic filter/fieldset errors, such as empty inputs and 'undefined'
- Polymorphic Relationships Not Found On Aliased Resource HOT 1
- Basic Usage guide includes deprecated Faker method HOT 1
- Problem with deprecated config value: `default_processor_klass`. HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from jsonapi-resources.