preaction / Yancy

The Best Web Framework Deserves the Best Content Management System
http://preaction.me/yancy/

MultiTenant OpenApi #104

Closed. pavelsr closed this 4 years ago.

pavelsr commented 4 years ago

Is there any way to do OpenAPI requests multi-tenant?

Sample Yancy app: https://gist.github.com/pavelsr/95666361e8f8c2f32b67c4eb2786a5bc

Steps to reproduce:

1. Log in as user-user (user_id: 2).
2. Make a GET /notes request with the user_id: 1 or id: 1 param.
3. You will get the note with id = 1, which is owned by user_id = 1. That is a security problem.

Desired behaviour: at step 3, get { "items": [], "offset": 0, "total": 0 } or 403 Forbidden.

preaction commented 4 years ago

To enforce that you would need a controller that knows to check the current logged-in user and restrict to just that user's content, like in this example: https://github.com/preaction/Yancy-App-Blog/blob/master/myapp.pl#L206-L219

In that example, I create a second editor instance that uses the Yancy::Controller::Yancy::MultiTenant controller. That controller needs two stash values: user_id, the ID of the user whose content we are looking at, and user_id_field (the field in the other schemas that has the value from the user_id). So, in that case, the current user ID comes from the login_user (which is an alias to yancy->auth->current_user) and the blog_posts schema has a username field (so I set user_id_field to username).
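The contract described in the reply above (a stash `user_id` taken from the logged-in user, a `user_id_field` naming the owner column, and a filter built server-side from those two values) written out as a plain Mojolicious::Lite app. This is an added example, not code from the issue, from the linked gist, or from Yancy itself: it does not use Yancy::Controller::Yancy::MultiTenant or the editor plugin, whose wiring the thread only links to. The `%notes` hash standing in for the `notes` schema, the `/login` stand-in for real authentication, the `/api` prefix and the cookie secret are all constructed for the example. The point it makes is the one that closes the report: the tenant id is read from the session, and a client-supplied `user_id` parameter is never allowed to replace it.

```perl
#!/usr/bin/env perl
use Mojolicious::Lite -signatures;

# Constructed sample data standing in for the "notes" schema from the
# issue: note 1 belongs to user 1, note 2 belongs to user 2.
my %notes = (
    1 => { id => 1, user_id => 1, title => 'note owned by user 1' },
    2 => { id => 2, user_id => 2, title => 'note owned by user 2' },
);

# Assumed: the logged-in user's id lives in the signed session cookie.
app->secrets(['example-only-secret-replace-me']);

# Stand-in for real authentication so the example runs on its own.
# A real app would verify credentials here; never trust a bare user_id.
post '/login' => sub ($c) {
    my $uid = $c->param('user_id');
    unless ( defined $uid ) {
        return $c->render( status => 400, json => { error => 'user_id required' } );
    }
    $c->session( user_id => $uid );
    $c->render( json => { logged_in_as => $uid } );
};

# Every route under /api passes through this first. It sets the two stash
# values the MultiTenant contract asks for: user_id (who is logged in) and
# user_id_field (which column in the schema holds the owner).
my $tenant = under '/api' => sub ($c) {
    my $uid = $c->session('user_id');
    unless ( defined $uid ) {
        $c->render( status => 401, json => { error => 'login required' } );
        return undef;    # stop dispatch; the handler below never runs
    }
    $c->stash( user_id => $uid, user_id_field => 'user_id' );
    return 1;
};

# Builds the filter from the stash, never from request parameters.
# Client parameters may only narrow the result further.
sub tenant_filter ($c) {
    my %filter = ( $c->stash('user_id_field') => $c->stash('user_id') );
    if ( defined( my $id = $c->param('id') ) ) {
        $filter{id} = $id;
    }
    # A client-supplied user_id is deliberately ignored: it is the parameter
    # the report used to read another tenant's note.
    return \%filter;
}

sub matches ( $row, $filter ) {
    for my $field ( keys %$filter ) {
        return 0 unless defined $row->{$field} && $row->{$field} eq $filter->{$field};
    }
    return 1;
}

# GET /api/notes?id=1 as user 2 -> { items: [], offset: 0, total: 0 }
$tenant->get( '/notes' => sub ($c) {
    my $filter = tenant_filter($c);
    my @items  = sort { $a->{id} <=> $b->{id} }
                 grep { matches( $_, $filter ) } values %notes;
    $c->render( json => { items => \@items, offset => 0, total => scalar @items } );
} );

# GET /api/notes/1 as user 2 -> 403, never the other tenant's row
$tenant->get( '/notes/:id' => sub ($c) {
    my $row = $notes{ $c->param('id') };
    return $c->render( status => 404, json => { error => 'not found' } ) unless $row;
    my $field = $c->stash('user_id_field');
    return $c->render( status => 403, json => { error => 'forbidden' } )
        unless $row->{$field} eq $c->stash('user_id');
    $c->render( json => $row );
} );

app->start;
```

To reproduce the report's steps against this app, start it with `perl app.pl daemon`, log in as user 2 with `curl -c jar -X POST -d user_id=2 http://127.0.0.1:3000/login`, then request `curl -b jar 'http://127.0.0.1:3000/api/notes?id=1'` and `curl -b jar 'http://127.0.0.1:3000/api/notes?user_id=1'`: both return the empty `items` list, and `curl -b jar http://127.0.0.1:3000/api/notes/1` returns 403. The same check belongs on every verb, not only on list and get; an update or delete route that reads the row by `id` alone has the same cross-tenant hole the issue describes.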