
Authorizing create/update by context of the instance of the record class being updated? #39

@carlthuringer


Hi, just digging into using Pundit and jsonapi-authorization on a fairly large project and ran into an issue with authorizing the create.

My create? method receives the Class, not the instance being created:
ChainSetting(id: integer, chain_id: integer, key: string, value: string, created_at: datetime, updated_at: datetime)

In this case, I have authorized a specific user account and within the tree of my models, I can traverse from that specific user down to a specific record of a chain, validating ownership of the chain.

So what I want to do is, given the user has made a create request to create a new ChainSetting with a chain_id: 1234, I want to look up all the user's chains (I can do this, just join some rows) and validate that 1234 is in fact one of the user's chains.

But instead the model passed to the Policy is just the raw Class, not an instance! Awwugh!

I took a quick look through the source code and it seems the Processor is responsible for deciding what to send to the authorization policies. I'm about to check out for the day so I can't dive any deeper into it.

It seems to me that there's a flaw here. If API users are authorized to blindly create, then they can create relationships for each other's records, and we don't want that at all!

You may be noticing that I'm setting a foreign key like it's an attribute. Yes, that's strange, but not disallowed in JSON API. We have a convoluted legacy database here with foreign key constraints and hooks and callbacks galore that make some more orthodox updates difficult.

Regardless of this breach of protocol, one should be able to say that a Red User is authorized to update "ChainSetting" with door_color: red but not door_color: black, if that's what we want to do. In normal Pundit you can pass an instance and validate just like that, but in jsonapi-authorization it's not possible.

What are your thoughts? Shouldn't the instance being authorized be passed to the Policy?
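The ownership check the issue asks for, written out as an added example that is not part of this issue or of the jsonapi-authorization or Pundit code bases. It uses plain Ruby structs as stand-ins for the User and ChainSetting models (the columns mirror the ones quoted above; the `chain_ids` field on the user and the `authorize_create` helper are assumptions for the example). The point it shows is the one the issue makes: a policy handed the bare class has nothing to check the foreign key against, whereas a policy handed an unsaved instance built from the request can refuse a create whose chain_id belongs to someone else's chain.

```ruby
# Added example (not jsonapi-authorization's or Pundit's own code): a
# Pundit-style policy that authorizes a create by checking that the foreign
# key supplied in the request belongs to the requesting user.

# Constructed stand-ins for the models; chain_ids is the set of chains the
# user owns (in the real app this would come from a join, as the issue notes).
User = Struct.new(:id, :chain_ids)
ChainSetting = Struct.new(:chain_id, :key, :value)

class ChainSettingPolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user
    @record = record
  end

  # With the bare class there is no chain_id to inspect, so the safe answer
  # is to refuse rather than blindly allow. With an instance built from the
  # request, ownership of the referenced chain can be verified before anything
  # is written.
  def create?
    return false unless record.is_a?(ChainSetting)
    user.chain_ids.include?(record.chain_id)
  end

  # Updates face the same question (the issue's door_color example), so the
  # same instance-level check applies.
  alias update? create?
end

# Hypothetical helper: build an unsaved instance from the request attributes
# and authorize that instance instead of the class.
def authorize_create(user, attributes)
  setting = ChainSetting.new(attributes[:chain_id], attributes[:key], attributes[:value])
  ChainSettingPolicy.new(user, setting).create?
end

# Constructed sample: user 7 owns chains 1234 and 1235 only.
RED_USER = User.new(7, [1234, 1235])

if __FILE__ == $PROGRAM_NAME
  puts authorize_create(RED_USER, chain_id: 1234, key: "door_color", value: "red") # true
  puts authorize_create(RED_USER, chain_id: 9999, key: "door_color", value: "red") # false
  puts ChainSettingPolicy.new(RED_USER, ChainSetting).create?                      # false
end
```

Authorizing the instance rather than the class is what turns "may this user create ChainSettings at all?" into "may this user attach a setting to chain 1234?", which is the question that actually stops one tenant from creating records under another tenant's chain. The same shape serves attribute-level rules such as the door_color example, since the policy sees the proposed values.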
