Hello,

Let's say we have the following models:

Company can have multiple Clients, and admins can write notes on different clients.
Notes can only be seen by admins.

We have an API endpoint GET /clients?with=details,notes which checks if the authenticated user is an admin; if not, there is logic that removes notes from the with param (-> ?with=details), which is then used in Laravel Responder, and everything works as it should.
We also have an endpoint GET /companies?with=clients which returns companies with clients.
But if someone sends the request GET /companies?with=clients.notes, it bypasses the admin check and gets access to the notes, as the companies endpoint doesn't have any checks for notes.

So the question is, how should this problem be solved using the package:
1) create a custom includeNotes(Client $client) function on ClientTransformer which checks if the authenticated user is an admin and then returns $client->notes;
Can this cause some other problems? For example, if the with param is with=clients.notes.something.else
2) is it somehow possible to run the check on NoteTransformer, if it's allowed to be loaded?
For example, there might be multiple Transformers which want to include the notes relation. Having the logic on NoteTransformer, there is no need to add the logic in other files.
3) Any other ideas? :)
Edit:
4) is it possible to limit the with param in the package to exclude sub relations:
?with=relation -> load relation
?with=relation.sub -> load relation (sub is not loaded)
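The bypass in the question comes from checking the include list only at the top level: a filter that strips "notes" cannot see "clients.notes", and it never runs on the companies route at all. The following is an added example, not code from the question or from the laravel-responder package, showing the general fix for option 4: treat ?with= as a set of dotted paths and cut every path at the first admin-only segment, so "clients.notes" and "clients.notes.something.else" both collapse to "clients" for a non-admin while admins keep the full paths. The class name IncludeFilter, the list of admin-only relation names and the isAdmin flag are assumptions supplied by the application; the sample requests at the bottom are constructed from the ones in the question.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or from laravel-responder.
// Assumptions: ?with= uses the comma-separated, dot-nested include syntax
// shown in the question; the application supplies the set of admin-only
// relation names and whether the authenticated user is an admin.

final class IncludeFilter
{
    /** @var string[] relation names that only admins may load, at any depth */
    private array $adminOnly;

    /** @param string[] $adminOnly */
    public function __construct(array $adminOnly)
    {
        $this->adminOnly = $adminOnly;
    }

    /**
     * Rewrites the raw ?with= value for the current user.
     *
     * For non-admins every dotted path is cut at the first protected segment:
     * "clients.notes.something.else" becomes "clients" and a bare "notes" is
     * dropped. Admins keep their paths unchanged (whitespace and duplicates
     * are still normalised).
     *
     * @return string[] include paths that are safe to hand to the responder
     */
    public function filter(string $with, bool $isAdmin): array
    {
        $kept = [];
        foreach (explode(',', $with) as $path) {
            $path = trim($path);
            if ($path === '') {
                continue;
            }
            $safe = $isAdmin ? $path : $this->truncate($path);
            if ($safe !== '') {
                $kept[] = $safe;
            }
        }
        return array_values(array_unique($kept));
    }

    /** Longest prefix of the dotted path that contains no protected segment. */
    private function truncate(string $path): string
    {
        $allowed = [];
        foreach (explode('.', $path) as $segment) {
            if (in_array($segment, $this->adminOnly, true)) {
                break;   // everything from here on would load the protected relation
            }
            $allowed[] = $segment;
        }
        return implode('.', $allowed);   // '' when the very first segment is protected
    }
}

// Constructed requests taken from the question, evaluated for both roles.
$filter = new IncludeFilter(['notes']);
$requests = ['details,notes', 'clients', 'clients.notes', 'clients.notes.something.else'];
foreach ($requests as $with) {
    printf(
        "%-30s admin -> %-28s user -> %s\n",
        $with,
        implode(',', $filter->filter($with, true)),
        implode(',', $filter->filter($with, false))
    );
}
```

Run the filter once, in a middleware or a base controller, before the resulting paths are passed to the responder, so that every route that accepts ?with= (clients, companies, and any future one) goes through the same check instead of each route carrying its own copy. The per-transformer gate from option 1 is still worth keeping as defence in depth: in League Fractal, on which Responder builds, an include method can return $this->null() for a non-admin, so a forgotten route still cannot leak notes. The reason option 2 is weaker is that by the time NoteTransformer runs, the relation has already been eager-loaded and handed to it; the decision has to be taken where the include list is parsed or where the parent include method is invoked.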