Conversation
Now we can go from article to comments to their author
This reverts commit b93d536.
This works for at least two levels.
Why would it be impossible? We actually have that case where we want to create an object and get related resources in the response. Something like: Thanks for working on this! |
The record itself isn't created by by the time the operation processor runs for The policy scoping will be applied still for the We can always tackle that issue on a follow-up PR. This risks getting too large and difficult to review. |
Yes, but we'd first have to go through the author and use The way the include directives are parsed is by going up the hash tree available to operations processor via |
|
I think what we discussed in #7 was to authorize all included resource from inside the |
Yeah you're right. I wanted to see what kinds of requests trigger that I think that my approach here, which relies on I'd like to keep the authorizing logic inside the operations processor if at all possible, and if we do get proper insight to requests on resource level callbacks and methods, we might want to look into moving every authorization inside it. |
|
Ok it makes sense to keep all the authorization logic inside the operations processor, in that case the |
We have to use complex before/after tests for checking authorizing calls, as the resource in question might not be available until the request has been made
Discussed on venuu#10 (comment) 08985
Discussed on venuu#10 (comment) 08985
This can be used to test that authorization works even when there are validation errors
This allows the Authorizer to be fine-tuned to check for different policies based on the source of the relation.
|
Ok the functionality seems to be complete now, alongside with passing the relationship source record to the authorizer. Phew. The specs are a bit messy right now, but at least they should be complete. |
| Array.wrap( | ||
| source_record.public_send( | ||
| relationship.relation_name(@operation.options[:context]) | ||
| ) |
There was a problem hiding this comment.
This public_send straight to the record will short-circuit policy scoping on the resource level. And that's bad.
The specs are so involved that it's difficult enough to follow along with what happens. The benefit from very exact before-after stub checks becomes questionable.
Discussed on venuu#10 (comment) 08985
|
Great stuff, both of you! 👍 There is most definitely still work that could be done here, Currently |
|
Fixed the merge conflicts here after #11 was merged :) |
|
Just tested that branch and everything still green for us. I'll use that one until it's merged. |
|
We discussed this with @lime today. Sorry about the delay, I'll merge this now and release a new version soon after — I'll put up an issue about the |
|
v0.6.0 pushed out :) feel free to use that one @thibaudgg, it should contain all the necessary bits :) |
Actually, I think that currently we are doing the right thing when fetching the relationships directly from the record instead of going through resource classes. If we hit a case for trying to sideload a record we're not allowed to see with include directive, we should authorize for them even if we'd get a 404 when we'd try to show that resource via a normal show operation. |
|
👍 using 0.6 now! Thanks! |
Closes #7
Logics to implement:
has_manyrelationship (?include=other-resources) logichas_onerelationship (?include=another-resource) logic?include=other-resources,another-resource) logic?include=author.comments)Attach those logics to all the end points which return records:
GET /resourcesGET /resources/1PATCH /resources/1POST /resourcesGET /resources/other-resourcesGET /resources/another-resourceReview notes:
Don't usepublic_sendon the model level as it bypasses restrictions imposed on the resource levelan_instance_of(Article)style logic everywhere. It's not worth it to test for exact records, as we aren't able to do that on POST requests anyway.