-
Notifications
You must be signed in to change notification settings - Fork 138
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Scopes passed to #find not honored for #update_attributes or #destroy #74
Comments
The important thing here is persistence operations should account for sideposting, ie not having an override in the endpoint. If you need this override logic, you probably need it in the Resource itself to account for this, which makes me think Or am I wrong? What's the scenario where you'd want an override for an endpoint, but not sideposts? Alternatively, maybe this should be |
Show sequenceController
Database Hits
Destroy sequenceController
Database Hits
Note that for the destroy it never verified that the record belonged to the tenant in the query. I'm trying to avoid writing controller-specific code in the resources like this:
Perhaps I'm doing something wrong in the context of an API? |
Wouldn't you want this logic to apply for every action, and in that case use And if not, would code like this work? before_save do |model|
unless context.current_user.can_update?(model) # or whatever
raise 'not allowed'
end
end |
You are absolutely correct. It has just taken me too long to understand what you were suggesting and how to code it, but I have come up with the following changes to my resource objects that actually appears to do what I was hoping. class AssetResource < MMApiResource
before_attributes do |attrs|
attrs[:tenant_id] = current_tenant.id
end
before_attributes only: :create do |attrs|
attrs[:added_by_id] = current_user.id
end
def base_scope
current_tenant.assets
end
# ...
end Up until now I was concerned about the I believe this code will handle automatically applying the tenant data for new records as well as ensuring that reads and deletes are properly filtered as well. Does this code need the |
Cool, glad we figured it out 🎉 ! You're right - they key here is The There might eventually be some work to do in this area, but looks like the original issue is solved. Thanks for your patience @elDub ! |
The passed in scope as the second argument to
Graphiti::Resource#find
works for the actual render of a resource, however is not used/honored for the#update_attributes
or#destroy
methods.The text was updated successfully, but these errors were encountered: