As mentioned in #248, we can generate additional per-route middleware for each operation. Currently, RBAC is implemented by generating this huge interface from which the implementation maps operations to either a permission, a rather obscure "this route is permissioned but it's implemented elsewhere due to ownership rules etc", or "no permission required".

This can be better expressed in OpenAPI:

```yaml
/threads:
  patch:
    x-storyden-rbac:
      permission: UPDATE_THREAD
      checked_internally: true # skips checking at middleware, assumes it will be checked at service layer
```

It could also make sense to include the permissions even of operations that aren't explicitly checked at the middleware layer but are checked later based on data queried (such as ownership).
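One way the proposed `x-storyden-rbac` annotation could drive a per-route decision, added here as an example and not Storyden's own code: it reads the extension from a JSON rendering of the spec, lists operations that declare no rule, and denies anything unannotated. `LoadPolicy`, `Authorize`, the lowercase `method /path` keys, the `CREATE_THREAD` permission and the deny-by-default behaviour are assumptions, as is a spec whose path items contain only operations.

```go
package main

import (
	"encoding/json"
	"fmt"
)

type RBAC struct { // the x-storyden-rbac extension proposed in the issue
	Permission        string `json:"permission"`
	CheckedInternally bool   `json:"checked_internally"`
}

// Constructed sample: the issue's snippet as JSON; CREATE_THREAD is hypothetical.
const sampleSpec = `{"paths": {"/threads": {
  "patch": {"x-storyden-rbac": {"permission": "UPDATE_THREAD", "checked_internally": true}},
  "post": {"x-storyden-rbac": {"permission": "CREATE_THREAD"}}, "delete": {}}}}`

// LoadPolicy maps "method /path" to its rule and lists operations without one.
func LoadPolicy(doc string) (map[string]RBAC, []string, error) {
	var spec struct {
		Paths map[string]map[string]struct{ Rule RBAC `json:"x-storyden-rbac"` } `json:"paths"`
	}
	if err := json.Unmarshal([]byte(doc), &spec); err != nil {
		return nil, nil, err
	}
	policy, missing := map[string]RBAC{}, []string{}
	for path, ops := range spec.Paths {
		for method, op := range ops {
			if key := method + " " + path; op.Rule.Permission == "" {
				missing = append(missing, key) // surfaced so a build can reject it
			} else {
				policy[key] = op.Rule
			}
		}
	}
	return policy, missing, nil
}

// Authorize is the decision per-route middleware would make for one request.
func Authorize(policy map[string]RBAC, op string, held map[string]bool) string {
	switch rule, ok := policy[op]; {
	case ok && rule.CheckedInternally:
		return "defer" // skip here; the service layer checks ownership
	case ok && held[rule.Permission]:
		return "allow"
	}
	return "deny" // missing permission or unannotated operation: fail closed
}
func main() { fmt.Println(LoadPolicy(sampleSpec)) }
```

A "defer" result only moves the check: the service layer still has to enforce the declared permission for that operation.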