Since 99% of data that should be publicly accessible is consolidated into Player resources, it makes sense to internalize User resources to strictly admins and the resource owners.
This pull accomplishes this by implementing a custom authorization policy. The policy checks the passed id route parameter against the user id of the incoming request. If the ids match, or if the incoming request is of an admin user or system client, the request is authorized. This allows us to maintain our usage of redirection on /me endpoints while still allowing users with elevated privileges access to any user resources.
Since 99% of data that should be publicly accessible is consolidated into
Player
resources, it makes sense to internalizeUser
resources to strictly admins and the resource owners.This pull accomplishes this by implementing a custom authorization policy. The policy checks the passed
id
route parameter against the user id of the incoming request. If the ids match, or if the incoming request is of an admin user or system client, the request is authorized. This allows us to maintain our usage of redirection on/me
endpoints while still allowing users with elevated privileges access to any user resources.