Closed samselikoff closed 4 years ago
Yeah it is indeed the intended behavior. I'm afraid I don't have time to answer the usage question now, so I'll leave this issue open for ~week before closing in case someone has more time and has had the same kind of situation.
We do not have this same situation in our code so I don't have experience with your situation. For us, `show?` authorization is what we want. Policy scopes would be unnecessarily large to check if a single record was authorized to show.
No problem, makes sense but wasn't super clear from the docs. Thanks for the quick response!
Hi! I think this is a question (rather than a bug).
We found a situation in our app where our policy's `scope` wasn't being applied to a ToOne relationship (i.e. `def show?` was getting called without going through our scope's `resolve`). After some digging we found this issue as well as this code which seems to suggest this is the intended behavior:

https://github.com/venuu/jsonapi-authorization/blob/14d126a4ebed92c04635088e8e1da7eec7a560f5/lib/jsonapi/authorization/pundit_scoped_resource.rb#L20-L24

We're curious (1) if this is indeed intended behavior, and (2) if so, what is the suggested way to apply the logic from our scope's `resolve` method to our `show?` methods? (Our previous mental model was that our scope restrictions applied to all actions, which was convenient.) Also, could you point us to any docs or examples showing proper usage of scope + resolve?
Thanks!
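The gap both messages describe (the collection goes through the scope's `resolve`, but a to-one relationship is checked only by `show?`) and the maintainer's suggested remedy (authorize the single record in `show?`) can be shown side by side in plain Ruby. This is an added example written for this page, not code from jsonapi-authorization or Pundit; `Record`, `User`, `RECORDS`, `RecordPolicy`, `show_naive?`, `reachable_ids` and `scope_ids` are all constructed stand-ins, with arrays playing the role of ActiveRecord relations.

```ruby
# Added example (not the jsonapi-authorization or Pundit code): a plain-Ruby
# sketch of the Pundit policy shape discussed in the issue. Record, User and
# RECORDS are constructed stand-ins for ActiveRecord models and a table.
Record = Struct.new(:id, :owner_id, :published)
User   = Struct.new(:id, :admin)

# Constructed sample data: record 3 is unpublished and owned by user 20.
RECORDS = [
  Record.new(1, 10, true),
  Record.new(2, 20, true),
  Record.new(3, 20, false),
].freeze

class RecordPolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user
    @record = record
  end

  # The collection filter. In Pundit this is what policy_scope (and the
  # gem's index path) goes through; as the issue notes, a to-one
  # relationship is checked only by show? and never reaches resolve.
  class Scope
    attr_reader :user, :scope

    def initialize(user, scope)
      @user = user
      @scope = scope
    end

    # Non-admins see published records plus their own.
    def resolve
      return scope if user.admin
      scope.select { |r| r.published || r.owner_id == user.id }
    end
  end

  # Naive show?: allows everything, so a to-one link can hand out a record
  # that the scope would have filtered out of the collection.
  def show_naive?
    true
  end

  # show? that reuses the scope's own rule on just this record. Only one
  # record is evaluated, so the whole scope is never materialized.
  def show?
    Scope.new(user, [record]).resolve.include?(record)
  end
end

# Hypothetical helper: ids a user can reach through a direct show?-style
# check (either the naive or the scope-backed variant).
def reachable_ids(user, check)
  RECORDS.select { |r| RecordPolicy.new(user, r).public_send(check) }.map(&:id)
end

# Hypothetical helper: ids the same user gets from the collection path.
def scope_ids(user)
  RecordPolicy::Scope.new(user, RECORDS).resolve.map(&:id)
end

if __FILE__ == $PROGRAM_NAME
  u = User.new(10, false)
  puts "scope:      #{scope_ids(u).inspect}"
  puts "naive show: #{reachable_ids(u, :show_naive?).inspect}"
  puts "scoped show:#{reachable_ids(u, :show?).inspect}"
end
```

For the non-admin user 10 the collection path yields records 1 and 2, the naive `show?` leaks record 3 through a to-one link, and the scope-backed `show?` agrees with the collection again. With a real ActiveRecord model the same single-record check would be written against a relation, for instance `Scope.new(user, record.class.where(id: record.id)).resolve.exists?` (an assumed translation, not code from the gem), which keeps the per-record cost to one indexed query.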