venuu / jsonapi-authorization

Authorization for JSONAPI::Resource
http://www.rubydoc.info/github/venuu/jsonapi-authorization
MIT License

Skip authorization for included resources #141

Closed ahmadabdelhalim closed 3 years ago

ahmadabdelhalim commented 3 years ago

Hey!

I'm trying to skip authorization for the included resources, but still, I want each resource to be authorized separately. Does that make sense? And is that even possible?

valscion commented 3 years ago

Sorry, I don't really understand what you mean by "still want each resource to be authorized separately". Can you give some examples of what you'd like to authorize in some scenarios?

ahmadabdelhalim commented 3 years ago

@valscion for example when I do the following "/trips?include=driver" I don't want the driver resource to be authorized. However, if I did "/drivers" I want it to be authorized. So basically I want to skip authorization for relationships when I include them.

valscion commented 3 years ago

Not that I really understand why you'd want to do it, but it's still possible :smile:.

You can implement a custom authorizer class that subclasses from the JSONAPI::Authorization::DefaultPunditAuthorizer and then override the include_has_many_resource or include_has_one_resource depending on which one you'd need to act differently:

https://github.com/venuu/jsonapi-authorization/blob/761545b3e35ff89223bde39b4617d923312b7563/lib/jsonapi/authorization/default_pundit_authorizer.rb#L227-L263

Then configure JSONAPI::Authorization to use your custom authorizer class as documented in the readme: https://github.com/venuu/jsonapi-authorization#configuration

That will not stop the AuthorizingProcessor from running the authorization codepath, so models will still be loaded for authorization purposes. You might want to consider the #83 issue if that's a concern for you. If it is, you can use your own processor instead of the built-in one to skip this code:

https://github.com/venuu/jsonapi-authorization/blob/761545b3e35ff89223bde39b4617d923312b7563/lib/jsonapi/authorization/authorizing_processor.rb#L36-L49

Note that these approaches will require careful review if we at some point get to do a new release of jsonapi-authorization to maintain compatibility.
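The subclass-and-override approach described in the comment above, as an added example that is not code from the jsonapi-authorization project. It stands in a minimal double for `JSONAPI::Authorization::DefaultPunditAuthorizer` and for Pundit so the file runs offline; the method names and arities (`find`, `include_has_many_resource`, `include_has_one_resource`) mirror the gem at the linked commit, while the `authorize!` policy lookup, the `Driver`/`Passenger`/`Trip` models and their policies are constructed for the example. It goes one step beyond a plain override: only the classes listed in `SKIP_INCLUDE_FOR` skip the include check, so other relationships and all direct requests keep the default `index?`/`show?` checks.

```ruby
# Added example (not the gem's code). Constructed stand-in for the parts of
# jsonapi-authorization and Pundit that the override touches; in a real app
# the gem supplies JSONAPI::Authorization::DefaultPunditAuthorizer and you
# only write the subclass at the bottom plus the configure call.
module JSONAPI
  module Authorization
    # Stand-in for Pundit::NotAuthorizedError (constructed).
    class NotAuthorizedError < StandardError; end

    # Stand-in for the gem's DefaultPunditAuthorizer. The real class calls
    # ::Pundit.authorize; here authorize! looks up <Model>Policy directly.
    class DefaultPunditAuthorizer
      attr_reader :user

      def initialize(context)
        @user = context[:user]
      end

      # GET /drivers -> index? on the record class.
      def find(source_class)
        authorize!(source_class, :index?)
      end

      # GET /trips?include=passengers -> index? on the related record class.
      def include_has_many_resource(_source_record, record_class)
        authorize!(record_class, :index?)
      end

      # GET /trips?include=driver -> show? on the related record.
      def include_has_one_resource(_source_record, related_record)
        authorize!(related_record, :show?)
      end

      private

      # Constructed policy lookup: <Model>Policy.new(user, record).query
      def authorize!(record_or_class, query)
        klass = record_or_class.is_a?(Class) ? record_or_class : record_or_class.class
        policy = Object.const_get("#{klass.name}Policy").new(user, record_or_class)
        raise NotAuthorizedError, "#{query} denied on #{klass.name}" unless policy.public_send(query)
        true
      end
    end
  end
end

# Constructed domain: only admins may list or view drivers and passengers.
User      = Struct.new(:admin)
Driver    = Struct.new(:id, :name)
Passenger = Struct.new(:id, :name)
Trip      = Struct.new(:id, :driver, :passengers)

class AdminOnlyPolicy
  def initialize(user, _record)
    @user = user
  end

  def index?
    @user.admin
  end

  def show?
    @user.admin
  end
end
DriverPolicy    = Class.new(AdminOnlyPolicy)
PassengerPolicy = Class.new(AdminOnlyPolicy)

# Custom authorizer: related records of the listed classes bypass the check
# when they arrive via ?include=. Everything else falls through to super, and
# direct requests (find) are untouched, so GET /drivers is still authorized.
class SkipIncludedAuthorizer < JSONAPI::Authorization::DefaultPunditAuthorizer
  SKIP_INCLUDE_FOR = [Driver].freeze

  def include_has_many_resource(source_record, record_class)
    return true if SKIP_INCLUDE_FOR.include?(record_class)
    super
  end

  def include_has_one_resource(source_record, related_record)
    return true if SKIP_INCLUDE_FOR.include?(related_record.class)
    super
  end
end

# Wire it up in the application, per the README's configuration section:
#   JSONAPI::Authorization.configure { |config| config.authorizer = SkipIncludedAuthorizer }

# Runs one authorizer call for +user+ and reports allowed (true) / denied (false).
def authorized?(authorizer_class, user)
  yield authorizer_class.new(user: user)
  true
rescue JSONAPI::Authorization::NotAuthorizedError
  false
end

if __FILE__ == $PROGRAM_NAME
  viewer = User.new(false)
  trip = Trip.new(1, Driver.new(7, "Ada"), [Passenger.new(2, "Bob")])
  puts "include driver (skipped):    #{authorized?(SkipIncludedAuthorizer, viewer) { |a| a.include_has_one_resource(trip, trip.driver) }}"
  puts "include passengers (checked): #{authorized?(SkipIncludedAuthorizer, viewer) { |a| a.include_has_many_resource(trip, Passenger) }}"
  puts "GET /drivers as viewer:       #{authorized?(SkipIncludedAuthorizer, viewer) { |a| a.find(Driver) }}"
end
```

The allow-list keeps the bypass narrow: the driver record is still loaded (as the comment above notes, the processor still runs the authorization codepath), but only the classes you explicitly list lose the include check, and the serializer's field selection for the included resource is what limits the data exposed.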

ahmadabdelhalim commented 3 years ago

@valscion I want some fields from the relationships just for displaying information on a certain page, but I want to restrict the resource itself. Thank you so much, will try it out.

valscion commented 3 years ago

:+1: I'll close this issue now as the discussion seems settled to me.