chaps-io / access-granted

Multi-role and whitelist based authorization gem for Rails (and not only Rails!)
MIT License

Allow an AccessDenied error to carry context about the rejection #46

Closed ships closed 6 years ago

ships commented 6 years ago

As recommended in your Readme, I have a catch-all for AccessDenied errors that come up from an authorize! method.

However, this has made all my permission errors result in the same error. This is a problem for my API design, because I need to be able to distinguish in a single controller method whether the rejection was "you are not allowed to view this resource" vs "you are not allowed to know whether this resource exists".

There are workarounds to arrange this probably, but they involve diverging from AccessGranted and therefore permissions/access control becomes fragmented.

This PR addresses this by permitting the catch-all to know what action and subject were requested when the error was thrown. In my case, across all subjects I use consistent action names (:find rejections always throw 404, :show always throw 403); this suggests there is room for further work as well in the realm of "inheritance" of actions (i.e., any validation of :show must first pass a check on :find), but this is enough to be getting on with.
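The pattern the PR describes (an AccessDenied error that carries the requested action and subject, with one catch-all handler mapping `:find` rejections to 404 and everything else to 403, and `:show` presupposing `:find`), written out as a stand-alone Ruby example. This is added illustration, not code from the access-granted gem or from the PR: `AccessDenied`, `DocumentPolicy`, `User`, `Document`, `STATUS_FOR_ACTION` and `show_document` are all constructed here to stand in for the gem's error class, a policy, a model and a Rails `rescue_from` block.

```ruby
# Added example (not the access-granted gem's code): a minimal error that
# carries the action and subject it was raised for, so a single catch-all
# handler can decide whether to reveal the record's existence.
class AccessDenied < StandardError
  attr_reader :action, :subject

  def initialize(action, subject)
    @action = action
    @subject = subject
    super("access denied: #{action} on #{subject.class.name}")
  end
end

# Constructed toy user and record; these names are assumptions for the example.
User = Struct.new(:id, :admin)
Document = Struct.new(:id, :owner_id, :public)

# Hypothetical policy. :find decides whether the caller may learn the record
# exists at all; :show decides whether the caller may read its contents.
class DocumentPolicy
  def initialize(user)
    @user = user
  end

  def can?(action, doc)
    case action
    when :find then @user.admin || doc.public || doc.owner_id == @user.id
    when :show then @user.admin || doc.owner_id == @user.id
    else false
    end
  end

  # Raise the context-carrying error instead of a bare one.
  def authorize!(action, doc)
    raise AccessDenied.new(action, doc) unless can?(action, doc)
    doc
  end
end

# Consistent action-to-status mapping across all subjects: a failed :find is
# reported as "not found" so existence is not leaked; any other failed action
# falls back to "forbidden".
STATUS_FOR_ACTION = { find: 404 }.freeze

# Stand-in for a controller action plus its rescue_from handler. :find is
# checked before :show so a caller who may not learn the record exists never
# reaches the :show check and therefore never receives a 403 for it.
def show_document(user, doc)
  policy = DocumentPolicy.new(user)
  policy.authorize!(:find, doc)
  policy.authorize!(:show, doc)
  [200, { id: doc.id }]
rescue AccessDenied => e
  status = STATUS_FOR_ACTION.fetch(e.action, 403)
  [status, { error: "#{e.action} denied on #{e.subject.class.name.downcase}" }]
end

if __FILE__ == $PROGRAM_NAME
  owner = User.new(2, false)
  other = User.new(3, false)
  private_doc = Document.new(10, 2, false)
  public_doc = Document.new(11, 2, true)
  p show_document(owner, private_doc)   # [200, {:id=>10}]
  p show_document(other, private_doc)   # [404, ...]  existence hidden
  p show_document(other, public_doc)    # [403, ...]  exists, contents denied
end
```

In a Rails app the `rescue` clause would live in `ApplicationController` as a `rescue_from` block, so the 404-versus-403 decision is made once rather than in every controller.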

pokonski commented 6 years ago

Great addition, thanks again! I will test the compatibility with my projects to make sure and merge it :)

Would you mind updating the README to describe this feature?

ships commented 6 years ago

Added an example of using this feature to the README. Jury still out on my choice of example :)

pokonski commented 6 years ago

A solid example, thanks for adding it!

pokonski commented 6 years ago

@jraqula this is now released as 1.3.1 :)

ships commented 6 years ago

hoo rah!