Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Data access questions #438

Closed
bguban opened this issue Oct 6, 2022 · 1 comment
Closed

Data access questions #438

bguban opened this issue Oct 6, 2022 · 1 comment

Comments

@bguban
Copy link

bguban commented Oct 6, 2022

Hey. I have a few conceptual questions.

Create a comment that belongs to the current user

Working on a simple case, I faced an interesting problem. I have 2 models User(id, email), Comment(id, user_id, content) and an endpoint per model (flat graph). By design, a logged-in user can create their comments. It means that comment.user_id must be equal to context.current_user.id. In case somebody tries to send another user's id we must reject the request.

The first thing I tried was to add writable: owner? to the user_id attribute where I was going to check that the assigned user_id is equal to the current_user.id but it appeared that "writable" doesn't have access to the model_instance.

I can add a hook to the resource and raise an exception that will be handled later in the controller. Or I can override the save method and add a validation error to the model. Or I can even pass the current_user into the model as a custom attribute to be able to check the access by the model validation but it looks like a hack. Is there a proper way to solve this issue by design? What are the reasons not to set attributes to the model and run the "writable" checks after having a model with data?

Working with public models

I have a publically accessible model Country(id, name). Every user can read the records but only admins can create/delete/update the countries. Things are that anybody can delete a country. There are no checks like deletable in the resource by design. I can check that the current user is an admin on the controller level but it looks like a part of the logic will be in the controller and another part in the resource (if the record can be deleted via sidepost it will not help).
Another case. If the country model allows creation with a blank name everybody can create a country via sidepost even if I restrict the countries#create action in the controller. I can override the save and delete methods but maybe there is a more correct way? What do you think about creatable and deletable checks for the entire resource?
@bguban
Copy link
Author

bguban commented Dec 9, 2022

I made a small extension https://gist.github.com/bguban/c18aa0e625d1962fd79ed7980e808268 to solve the problems I wrote about above. I hope it will be helpful for somebody.

@bguban bguban closed this as completed Dec 9, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@bguban