search

fortunejs / fortune-json-api

JSON API serializer for Fortune.
MIT License
63 stars 28 forks source link

`allowLevel` confusion #56

Closed allthesignals closed 6 years ago

allthesignals commented 6 years ago

I'm a little confused on how these two options work. I see uriTemplate has a link to a specification, and I can probably follow that. But changes allowLevel does not seem to be doing anything.

For example, I do not want /projects to accept GET methods, so I try to configure that by removing 'GET' from the second array, which according to the source refers to the collection:

  serializers: [
    [
      jsonApiSerializer,
      {
        uriTemplate: '{/type,ids,relatedField,relationship}{?query*}',
        allowLevel: [
          ['GET'], // Index
          ['POST'], // Collection
          ['GET', 'PATCH', 'DELETE'], // Records
          ['GET'], // Related
          ['GET', 'POST', 'PATCH', 'DELETE'], // Relationship
        ],
      },
    ],
],

Yet, GET requests to /projects returns the full lookup. Am I thinking of this wrong?

Thank you for this great adapter!

gr0uch commented 6 years ago

You shouldn't have to configure it at all unless you also make changes to the URI template. From the doc:

HTTP methods to allow ordered by appearance in URI template.

This is only relevant to how it should respond to an OPTIONS request. It actually has nothing to do with permissions.

For example, if you had somehow blocked HTTP requests to GET /projects but still left it wide open for other protocols like WebSocket, it would be a pretty flawed design.

A proper approach to not allow the project type to be listed is to check if the underlying request is for project and has ids in it. I suggest extending the request method rather than doing it in an output hook, to prevent a database lookup at all:

const originalRequest = store.request
const { BadRequestError } = fortune.errors

store.request = function (options) {
  if (options.type === 'project' && !options.ids)
    return Promise.reject(
      new BadRequestError('Sorry, projects can not be listed.'))

  return originalRequest.call(this, options)
}
allthesignals commented 6 years ago

For example, if you had somehow blocked HTTP requests to GET /projects but still left it wide open for other protocols like WebSocket, it would be a pretty flawed design.

Ah, of course - that makes sense, thank you.

I don't understand enough about the URI template spec to grasp how this is useful, but it sounds like it only applies to when I need to change the URI template. For example, if certain ordering in the template were modified, I would need to update allowLevel accordingly.

Thanks @daliwali!