You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Working on a simple case, I faced an interesting problem. I have 2 models User(id, email), Comment(id, user_id, content) and an endpoint per model (flat graph). By design, a logged-in user can create their comments. It means that comment.user_id must be equal to context.current_user.id. In case somebody tries to send another user's id we must reject the request.
The first thing I tried was to add writable: owner? to the user_id attribute where I was going to check that the assigned user_id is equal to the current_user.id but it appeared that "writable" doesn't have access to the model_instance.
I can add a hook to the resource and raise an exception that will be handled later in the controller. Or I can override the save method and add a validation error to the model. Or I can even pass the current_user into the model as a custom attribute to be able to check the access by the model validation but it looks like a hack. Is there a proper way to solve this issue by design? What are the reasons not to set attributes to the model and run the "writable" checks after having a model with data?
Working with public models
I have a publically accessible model Country(id, name). Every user can read the records but only admins can create/delete/update the countries. Things are that anybody can delete a country. There are no checks like deletable in the resource by design. I can check that the current user is an admin on the controller level but it looks like a part of the logic will be in the controller and another part in the resource (if the record can be deleted via sidepost it will not help).
Another case. If the country model allows creation with a blank name everybody can create a country via sidepost even if I restrict the countries#create action in the controller. I can override the save and delete methods but maybe there is a more correct way? What do you think about creatable and deletable checks for the entire resource?
The text was updated successfully, but these errors were encountered:
Hey. I have a few conceptual questions.
Create a comment that belongs to the current user
Working on a simple case, I faced an interesting problem. I have 2 models
User(id, email)
,Comment(id, user_id, content)
and an endpoint per model (flat graph). By design, a logged-in user can create their comments. It means thatcomment.user_id
must be equal tocontext.current_user.id
. In case somebody tries to send another user'sid
we must reject the request.The first thing I tried was to add
writable: owner?
to theuser_id
attribute where I was going to check that the assigneduser_id
is equal to thecurrent_user.id
but it appeared that "writable
" doesn't have access to the model_instance.I can add a hook to the resource and raise an exception that will be handled later in the controller. Or I can override the
save
method and add a validation error to the model. Or I can even pass thecurrent_user
into the model as a custom attribute to be able to check the access by the model validation but it looks like a hack. Is there a proper way to solve this issue by design? What are the reasons not to set attributes to the model and run the "writable" checks after having a model with data?Working with public models
I have a publically accessible model
Country(id, name)
. Every user can read the records but only admins can create/delete/update the countries. Things are that anybody can delete acountry
. There are no checks likedeletable
in the resource by design. I can check that the current user is an admin on the controller level but it looks like a part of the logic will be in the controller and another part in the resource (if the record can be deleted via sidepost it will not help).Another case. If the
country
model allows creation with a blank name everybody can create a country via sidepost even if I restrict thecountries#create
action in the controller. I can override thesave
anddelete
methods but maybe there is a more correct way? What do you think aboutcreatable
anddeletable
checks for the entire resource?The text was updated successfully, but these errors were encountered: