CHANGE OF IDEAS FROM DISCUSSION. DO NOT TACKLE ISSUE.
Currently the RequestResourceCtx has a permission_action attribute, but it is not used anywhere.
No permission scheme is implemented. Some resources might need the record itself (which only comes into knowledge at the controller level), therefore maybe different levels of permissions are needed (e.g. resource_permissions and controller_permissions).
Some ideas that came from the RFC:
Authentication will happen on the view. This means that the resource_requestctx will be populated with the user needs.
Authorization will happen on the controller. It is the one that has access to the record, the db, the ES indexes/filters, etc.
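A sketch of the split described above, added here as an illustration and not taken from the project's code: the view authenticates and fills the request context with the user's needs, and the controller authorizes once it has loaded the record. `RequestCtx`, `Record`, `RECORDS`, the tokens and the need strings are all hypothetical, constructed for this example.

```python
from dataclasses import dataclass

class PermissionDenied(Exception):
    pass

@dataclass(frozen=True)
class RequestCtx:  # hypothetical stand-in for RequestResourceCtx
    permission_action: str
    needs: frozenset = frozenset()  # filled in by the view after authentication

@dataclass(frozen=True)
class Record:
    id: str
    owner: str
    public: bool = False

# Constructed sample data standing in for the db / ES index.
RECORDS = {"r1": Record("r1", owner="alice"),
           "r2": Record("r2", owner="alice", public=True)}
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}

def authenticate(token):
    """View level: turn credentials into needs. No record is known yet."""
    user = TOKENS.get(token)
    if user is None:
        return frozenset({"any_user"})
    return frozenset({"any_user", "authenticated", f"user:{user}"})

def required_needs(action, record):
    """Needs that grant `action` on this record; depends on the record itself."""
    if action == "read" and record.public:
        return {"any_user"}
    return {f"user:{record.owner}"}

def controller(ctx, record_id):
    """Controller level: load the record, then authorize against ctx.needs."""
    record = RECORDS[record_id]
    if not required_needs(ctx.permission_action, record) & ctx.needs:
        raise PermissionDenied(f"{ctx.permission_action} on {record_id}")
    return record

def view(token, action, record_id):
    """View level: authenticate, populate the context, delegate."""
    ctx = RequestCtx(permission_action=action, needs=authenticate(token))
    return controller(ctx, record_id)
```

The owner check cannot be made in `view`, because the owner is only known after the controller has loaded the record.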