Hello,

Let's say we have the following models:

Company can have multiple Clients, and admins can write notes on different clients.
Notes can only be seen by admins.

We have API endpoint `GET /clients?with=details,notes` which checks if the authenticated user is admin; if not, there is logic to remove `notes` from the `with` param -> `?with=details`, which is then used in laravel responder, and everything works as it should.

We also have endpoint `GET /companies?with=clients` which returns companies with clients.

But if someone sends a request `GET /companies?with=clients.notes`, then it will bypass the admin check and will get access to notes, as the companies endpoint doesn't have any checks for notes.

So the question is, how should this problem be solved using the package:

1. Create a custom `includeNotes(Client $client)` function on `ClientTransformer` which checks if the authenticated user is admin and then `return $client->notes;`
   Can this cause some other problems? For example, if the with param is `with=clients.notes.something.else`?
2. Is it somehow possible to run the check on `NoteTransformer`, if it's allowed to be loaded? For example, there might be multiple Transformers which want to include the notes relation. Having the logic on `NoteTransformer`, there is no need to add the logic to other files.
3. Any other ideas? :)

Edit:

Is it possible to limit the `with` param in the package to exclude sub relations:

`?with=relation` -> load relation
`?with=relation.sub` -> load relation (sub is not loaded)
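The security point underneath this issue is that the `/clients` protection is a per-endpoint filter on a query string, so every other endpoint that can reach a client (directly or through a nested include such as `companies?with=clients.notes`) is a new, unchecked path to the same data. The check therefore has to sit with the relation itself, and any query-string normalisation is defence in depth on top of that. The following is an added illustration by the editor of both layers; it is not code from the laravel-responder package or from the issue author. It assumes a `User` model with an `isAdmin()` method, that `Client`, `DetailTransformer` and `NoteTransformer` exist in the app, and the package's transformer conventions as I know them (a `$relations` whitelist and `include<Relation>()` methods); verify those against the package version you run.

```php
<?php
// Added illustration, not code from the laravel-responder package or from the
// issue author. Two layers against the ?with=clients.notes bypass:
//  1. normalise the raw `with` string before it reaches the responder, so a
//     non-admin can never ask for a path containing a restricted relation, and
//     nesting can be capped at the depth the endpoint really supports;
//  2. guard the relation on the transformer that owns it, so the check holds
//     whichever parent transformer (Client, Company -> Client, ...) pulls it in.
// Assumptions: a User model with an isAdmin() method; the package's transformer
// conventions as known to the editor (a $relations whitelist and
// include<Relation>() methods); Client, DetailTransformer and NoteTransformer
// exist in the application.

declare(strict_types=1);

use Flugg\Responder\Transformers\Transformer;

/**
 * Normalise a comma-separated include list such as "clients.notes,details".
 *
 * - Each path is cut to $maxDepth segments, so with $maxDepth = 1
 *   "clients.notes" becomes "clients" (the behaviour asked for in the edit).
 * - After cutting, any path that still contains a segment listed in
 *   $restricted is dropped unless $isAdmin is true. Every segment is checked,
 *   so "clients.notes.something.else" is rejected just like "notes".
 * - Duplicates produced by cutting are collapsed; order is preserved.
 */
function filterIncludes(string $with, bool $isAdmin, array $restricted = ['notes'], int $maxDepth = PHP_INT_MAX): string
{
    $kept = [];
    foreach (explode(',', $with) as $path) {
        $segments = array_values(array_filter(array_map('trim', explode('.', $path)), 'strlen'));
        if ($segments === []) {
            continue;                       // empty entry such as "a,,b"
        }
        $segments = array_slice($segments, 0, $maxDepth);
        if (!$isAdmin && array_intersect($segments, $restricted) !== []) {
            continue;                       // restricted relation at any depth
        }
        $kept[implode('.', $segments)] = true;
    }
    return implode(',', array_keys($kept));
}

// Controller side (hypothetical helper for GET /companies): decide once who
// the caller is, rewrite the query parameter, and hand the result to the
// responder the same way the existing /clients endpoint already does.
// Depth 2 keeps "clients.details" working while still cutting deeper paths.
function companiesIncludes(\Illuminate\Http\Request $request): string
{
    $user = $request->user();
    $isAdmin = $user !== null && $user->isAdmin();           // assumed method
    return filterIncludes((string) $request->query('with', ''), $isAdmin, ['notes'], 2);
}

/**
 * Second layer: authorise the relation where it is defined. Whether the
 * request was /clients?with=notes or /companies?with=clients.notes, the
 * notes are only ever loaded through this method, so a parent endpoint that
 * forgot about notes cannot expose them.
 */
class ClientTransformer extends Transformer
{
    // Whitelist of relations this transformer may include (package convention, assumed).
    protected $relations = [
        'details' => DetailTransformer::class,
        'notes'   => NoteTransformer::class,
    ];

    public function transform(Client $client): array
    {
        return ['id' => $client->id, 'name' => $client->name];
    }

    public function includeNotes(Client $client)
    {
        $user = auth()->user();
        if ($user === null || !$user->isAdmin()) {
            return collect();   // non-admin: empty collection, nothing about the notes leaks
        }
        return $client->notes;
    }
}
```

A few practical notes on the design. The transformer-owned check answers the `with=clients.notes.something.else` worry directly: for a non-admin the include yields an empty collection, so there is nothing for any deeper include to expand. Putting the check on `NoteTransformer` instead would only protect the fields of notes that are already loaded, not the act of loading them, which is why the guard belongs on the side that owns the relation. Silently dropping the relation matches what `/clients` already does; if you would rather make misuse visible, return a 403 from the controller when `filterIncludes` removed something for a non-admin, and log it. Finally, keep the `$restricted` list and the `isAdmin()` test in one place (a policy or a single helper) rather than copying them into each controller, or the same drift that caused this bypass will reappear in the next endpoint.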