Let's add a new Order property called state with the following values: new (set for all newly created orders), delivered, canceled. Implement a new REST API for cancelling orders: POST /orders/{orderId}/cancel.
Let's define two kinds of users in our Shopping app:
- customers can see and cancel their own orders only (scope: orders:my)
- admins can see and cancel all orders in the system (scope: orders:all)
As part of this iteration, we need to figure out how to implement scopes, how to decorate controller methods like cancel to enforce a certain scope, but also how to push the access restriction down to repository level, so that a request to list all orders returns only orders accessible to the current user.
Ideally, there should be documentation and/or a blog post and/or a reference implementation to make it easier for LB4 users to implement similar functionality in their projects.
This issue has been marked stale because it has not seen activity within six months. If you believe this to be in error, please contact one of the code owners, listed in the CODEOWNERS file at the top-level of this repository. This issue will be closed within 30 days of being stale.
This issue has been closed due to continued inactivity. Thank you for your understanding. If you believe this to be in error, please contact one of the code owners, listed in the CODEOWNERS file at the top-level of this repository.
Description
Step 4 from #1035 (comment).
Previous step: #1998
Next step: #2000
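One way to meet both requirements in the description, a scope check on the cancel endpoint and an access restriction applied at the repository level, written in framework-independent TypeScript. This is an added example, not LoopBack 4 code and not part of the original issue; every function name, the HTTP status mapping and the rule that only `new` orders can be canceled are assumptions.

```typescript
// Added illustration: every name below is hypothetical, none is a LoopBack 4 API.
type Scope = 'orders:my' | 'orders:all';
type OrderState = 'new' | 'delivered' | 'canceled';
interface Order { id: string; customerId: string; state: OrderState; }
interface User { id: string; scopes: Scope[]; }

// Assumed status mapping: 403 no scope, 404 not visible, 409 wrong state.
function httpError(status: number, message: string): Error & { status: number } {
  const err = new Error(message) as Error & { status: number };
  err.status = status;
  return err;
}
const hasScope = (u: User, s: Scope): boolean => u.scopes.indexOf(s) !== -1;

// Repository view bound to the current user: the ownership restriction is part
// of every query, so a controller cannot forget to apply it.
function scopedOrders(orders: Order[], user: User) {
  const visible = (o: Order): boolean =>
    hasScope(user, 'orders:all') ||
    (hasScope(user, 'orders:my') && o.customerId === user.id);
  return {
    find: (): Order[] => orders.filter(visible),
    findById: (id: string): Order => {
      const match = orders.filter(o => o.id === id && visible(o))[0];
      // "Missing" and "not yours" look identical, so ids cannot be probed.
      if (!match) throw httpError(404, `order ${id} not found`);
      return match;
    },
  };
}

// Handler logic for POST /orders/{orderId}/cancel.
function cancelOrder(user: User, orders: Order[], orderId: string): Order {
  // Controller-level check: the caller must hold one of the two scopes.
  if (!hasScope(user, 'orders:my') && !hasScope(user, 'orders:all')) throw httpError(403, 'orders scope required');
  const order = scopedOrders(orders, user).findById(orderId);
  // Assumption: only an order still in state "new" can be canceled.
  if (order.state !== 'new') throw httpError(409, `order is ${order.state}`);
  order.state = 'canceled';
  return order;
}

// Constructed sample data.
const alice: User = { id: 'alice', scopes: ['orders:my'] };
const admin: User = { id: 'admin', scopes: ['orders:all'] };
const sampleOrders: Order[] = [
  { id: 'o1', customerId: 'alice', state: 'new' },
  { id: 'o2', customerId: 'bob', state: 'new' },
  { id: 'o3', customerId: 'alice', state: 'delivered' },
];
```

Because `cancelOrder` loads the order through the scoped view, a customer asking to cancel someone else's order gets the same 404 as for a nonexistent id.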