limoncello-php / app

Quick start JSON API application
MIT License

Controller readRelationship #52

Closed dreamsbond closed 6 years ago

dreamsbond commented 6 years ago

Having read `readRelationship`, to my understanding it looks like it gets the relationship data directly without passing through the API authorization.

    protected static function readRelationship(
        string $index,
        string $modelRelName,
        string $queryValRulesClass,
        ContainerInterface $container,
        ServerRequestInterface $request
    ): ResponseInterface {
        static::assertClassValueDefined(static::API_CLASS);
        static::assertClassValueDefined(static::SCHEMA_CLASS);

        $api     = static::defaultCreateApi($container, static::API_CLASS);
        $handler = function () use ($api, $index, $modelRelName) {
            return $api->readRelationship($index, $modelRelName);
        };

        return static::defaultReadRelationshipWithClosureHandler(
            $handler,
            $request->getQueryParams(),
            $request->getUri(),
            static::defaultCreateQueryParser($container, $queryValRulesClass),
            static::defaultCreateParameterMapper($container, static::SCHEMA_CLASS),
            $api,
            $container->get(SettingsProviderInterface::class),
            $container->get(JsonSchemasInterface::class),
            $container->get(EncoderInterface::class)
        );
    }

If I have to restrict access to a resource, how do I do it?

neomerx commented 6 years ago

Default low-level API methods do not call auth by themselves. You as a developer decide where you need auth, what kind, and where you don't.

I recommend adding a method to the API such as `readPutYourRelationshipNameHere` and adding the auth check there. Here is an example.
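An added illustration of the pattern suggested above (editor's example, not code from the limoncello-php project or from the thread): a relationship-specific API method that runs an authorization check before delegating to the low-level `readRelationship()`, plus a small policy that can be breakpointed to confirm it is actually called. `BaseApi` with a `getContainer()` accessor, `AuthorizationCheckerInterface`, `OwnerOnlyChecker` and `AccessDeniedException` are assumed names; `readRelationship()` and the container usage mirror the controller snippet in the issue.

```php
<?php
// Editor's illustration, not limoncello-php code. Assumed names: BaseApi with a
// getContainer() accessor, AuthorizationCheckerInterface, AccessDeniedException.
// readRelationship() and the container usage mirror the snippet in the issue.

interface AuthorizationCheckerInterface
{
    public function isAllowed(string $action, string $resourceType, ?string $resourceId): bool;
}

final class AccessDeniedException extends \RuntimeException
{
}

/** Policy (constructed rule): a user may read only their own posts relationship. */
final class OwnerOnlyChecker implements AuthorizationCheckerInterface
{
    /** @var string|null */
    private $currentUserId;

    public function __construct(?string $currentUserId)
    {
        $this->currentUserId = $currentUserId;
    }

    public function isAllowed(string $action, string $resourceType, ?string $resourceId): bool
    {
        // Put a breakpoint here (as suggested in the thread) to confirm the policy runs.
        return $this->currentUserId !== null
            && $resourceType === 'users'
            && $resourceId === $this->currentUserId;
    }
}

class UsersApi extends BaseApi
{
    /** Reads `users/{index}/posts` only after the policy allows it. */
    public function readPostsRelationship(string $index): iterable
    {
        // The low-level readRelationship() does no auth itself, so check before any read.
        $auth = $this->getContainer()->get(AuthorizationCheckerInterface::class);
        if (!$auth->isAllowed('readPosts', 'users', $index)) {
            throw new AccessDeniedException("Reading posts of user {$index} is not allowed");
        }

        return $this->readRelationship($index, 'posts');
    }
}
```

In the controller, the handler closure from the issue then calls `$api->readPostsRelationship($index)` instead of the generic `$api->readRelationship($index, $modelRelName)`, so the guarded path is the only one reachable from that route.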

dreamsbond commented 6 years ago

Yes, but it seems the authorizer there does not have an effect.

neomerx commented 6 years ago

It depends on how you implement the actual auth logic. In this example it allows the action for all, but in this one only logged-in users are allowed, and this one requires the user to have a specific OAuth scope (permission).

dreamsbond commented 6 years ago

Yes, I did. But the authorizer does not have an effect in the fork.

neomerx commented 6 years ago

Can you please provide an example?

neomerx commented 6 years ago

Add a breakpoint in the policy to make sure you actually call it and try to return false.