Closed pavelsr closed 4 years ago
To enforce that you would need a controller that knows to check the current logged-in user and restrict to just that user's content, like in this example: https://github.com/preaction/Yancy-App-Blog/blob/master/myapp.pl#L206-L219
In that example, I create a second editor instance that uses the `Yancy::Controller::Yancy::MultiTenant` controller. That controller needs two stash values: `user_id`, the ID of the user whose content we are looking at, and `user_id_field` (the field in the other schemas that has the value from the `user_id`). So, in that case, the current user ID comes from the `login_user` (which is an alias to `yancy->auth->current_user`) and the `blog_posts` schema has a `username` field (so I set `user_id_field` to `username`).
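A sketch of the route setup described above, written for this issue as an added illustration (it is not code from Yancy or from the linked blog example). It assumes a `notes` schema whose owner column is `user_id`, a `users` schema with `username` and `password` columns, an existing `notes.db`, and that the `MultiTenant` controller's `list` and `get` actions stash `items` and `item` as the base Yancy controller does; the `yancy-multi_tenant#...` shorthand for the controller name is also an assumption.

```perl
#!/usr/bin/env perl
# Added example, not the project's code. Assumes notes.db already has
# `users` (id, username, password) and `notes` (id, user_id, title).
use Mojolicious::Lite -signatures;

plugin Yancy => {
    backend     => 'sqlite:notes.db',   # assumption: SQLite file in cwd
    read_schema => 1,
};

# Session-based login; password column is stored as a SHA-1 digest here.
app->yancy->plugin( 'Auth::Password' => {
    schema          => 'users',
    username_field  => 'username',
    password_field  => 'password',
    password_digest => { type => 'SHA-1' },
} );

# Everything under /notes requires a logged-in user, and the tenant is
# taken from the session. A ?user_id=1 or /notes/1 request can therefore
# never widen the result set beyond the caller's own rows.
my $tenant = app->routes
    ->under( '/notes' => app->yancy->auth->require_user )
    ->under( sub ($c) {
        my $user = $c->yancy->auth->current_user;
        $c->stash(
            user_id       => $user->{id},   # whose rows we may show
            user_id_field => 'user_id',     # owner column in `notes`
        );
        return 1;
    } );

# Assumption: shorthand resolves to Yancy::Controller::Yancy::MultiTenant,
# which adds `user_id_field = user_id` to every query it runs.
$tenant->get( '/' )
    ->to( 'yancy-multi_tenant#list', schema => 'notes', template => 'notes' );
$tenant->get( '/:id' )
    ->to( 'yancy-multi_tenant#get', schema => 'notes', template => 'note' );

app->start;
__DATA__
@@ notes.html.ep
<ul>
% for my $note ( @{ stash('items') // [] } ) {
  <li><%= $note->{title} %></li>
% }
</ul>
@@ note.html.ep
<h1><%= stash('item')->{title} %></h1>
```

With this layout the auto-generated `/yancy/api/notes` endpoint is still unfiltered, so it should stay behind the editor's own auth (or be disabled) and clients should use `/notes` instead.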
Is there any way to do OpenAPI requests multi-tenant?
Sample Yancy app: https://gist.github.com/pavelsr/95666361e8f8c2f32b67c4eb2786a5bc
Steps to reproduce:
1) Login as `user-user` (`user_id: 2`)
2) Make `GET /notes` with `user_id: 1` or `id: 1` param
3) You will get the note with id = 1, which is owned by user_id = 1. That is a security problem.
Desired behaviour: get at step 3 `{ "items": [], "offset": 0, "total": 0 }` or `403 Forbidden`