venuu / jsonapi-authorization

Authorization for JSONAPI::Resource
http://www.rubydoc.info/github/venuu/jsonapi-authorization
MIT License

Scope not being applied to `ToOne` relationships #135

Closed samselikoff closed 4 years ago

samselikoff commented 4 years ago

Hi! I think this is a question (rather than a bug).

We found a situation in our app where our policy's scope wasn't being applied to a ToOne relationship (i.e. `def show?` was getting called without going through our scope's `resolve`).

After some digging we found this issue as well as this code which seems to suggest this is the intended behavior:

https://github.com/venuu/jsonapi-authorization/blob/14d126a4ebed92c04635088e8e1da7eec7a560f5/lib/jsonapi/authorization/pundit_scoped_resource.rb#L20-L24

We're curious (1) if this is indeed intended behavior, and (2) if so, what is the suggested way to apply the logic from our scope's resolve method to our show? methods? (Our previous mental model was that our scope restrictions applied to all actions, which was convenient.)

Also, could you point us to any docs or examples showing proper use of scope + resolve?

Thanks!

valscion commented 4 years ago

Yeah it is indeed the intended behavior. I'm afraid I don't have time to answer the usage question now, so I'll leave this issue open for ~week before closing in case someone has more time and has had the same kind of situation.

We do not have this same situation in our code so I don't have experience with your situation. For us, `show?` authorization is what we want. Policy scopes would be unnecessarily large to check if a single record was authorized to show.

samselikoff commented 4 years ago

No problem, makes sense but wasn't super clear from the docs. Thanks for the quick response!
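The usage question in the thread is left open, so here is an added example, not code from jsonapi-authorization or from either commenter, of one way to keep `show?` and `Scope#resolve` consistent: both delegate to a single visibility predicate, so a record that the scope would filter out of a collection is also denied when reached through a ToOne relationship. It is plain Ruby in Pundit's policy shape (no Pundit dependency); `DocPolicy`, the `Doc`/`User` structs and the sample records are constructed for the example.

```ruby
# Constructed models standing in for ActiveRecord objects.
Doc  = Struct.new(:id, :owner_id, :archived)
User = Struct.new(:id, :admin)

class DocPolicy
  attr_reader :user, :doc

  def initialize(user, doc)
    @user = user
    @doc  = doc
  end

  # Single source of truth: a doc is visible when the user is an admin,
  # or owns it and it is not archived.
  def self.visible?(user, doc)
    user.admin || (doc.owner_id == user.id && !doc.archived)
  end

  # show? is what the ToOne relationship path checks; delegate to the
  # shared predicate instead of duplicating the rule.
  def show?
    self.class.visible?(user, doc)
  end

  class Scope
    def initialize(user, scope)
      @user  = user
      @scope = scope
    end

    # resolve filters a collection (an Array here, in place of a relation)
    # with the same predicate.
    def resolve
      @scope.select { |doc| DocPolicy.visible?(@user, doc) }
    end
  end
end

# Constructed sample data.
ALICE = User.new(1, false)
ADMIN = User.new(2, true)
DOCS  = [Doc.new(10, 1, false), Doc.new(11, 1, true), Doc.new(12, 3, false)]

# Invariant worth asserting in a spec: scope membership and show? agree
# for every record.
def scope_and_show_agree?(user)
  visible = DocPolicy::Scope.new(user, DOCS).resolve
  DOCS.all? { |d| visible.include?(d) == DocPolicy.new(user, d).show? }
end
```

A spec that asserts `scope_and_show_agree?` for each role catches the case the thread describes, where a rule added only to `resolve` silently leaves `show?` more permissive.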