Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Authorization for included relationships #57

Closed
devinfd opened this issue Mar 30, 2021 · 4 comments
Closed

Authorization for included relationships #57

devinfd opened this issue Mar 30, 2021 · 4 comments

Comments

@devinfd
Copy link

devinfd commented Mar 30, 2021

First of all this is a fantastic work! You need to turn on GitHub Sponsoring for this repo, you deserve it.

Is it possible to authorize relationship includes? ie: mysite.com/api/v1/posts?include=author
If I visit mysite.com/api/v1/posts/1/author then I can authorize the request but mysite.com/api/v1/posts?include=author seems to be a path around that authorization.
@lindyhopchris
Copy link
Contributor

Hi! Thank you, glad you're finding the package useful. Yeah, I need to look at GitHub sponsoring!

So the package doesn't handle authorizing include paths out of the box, though it's possible to do this. The reason it doesn't do it automatically is it's really down to the application logic. For example, in all the APIs I've written the logic has been that if you can read the parent resource (i.e. /api/posts/1) then you are allowed to retrieve child resources (i.e. the post's author) via either include paths or relationship endpoints. I.e. the include paths and relationships are a mechanism to grant access to a resource. Obviously that's different from the logic in your application... not that either of us is right/wrong - it just shows that these things are dependent on a specific application's logic.

In your use case. you will need to add form request authorization:
https://laraveljsonapi.io/docs/1.0/requests/authorization.html#form-request-authorization

You'll need to add that to the PostQuery and PostCollectionQuery classes. I.e. in those classes add the authorize() method and check the include paths to grant/deny access.

One thing to note is that because authorization runs before validation, you'll need to safely handle the include paths as they won't have been validated at the point you're checking them for authorization.

If this answers your question, please close the issue. Otherwise let me know what your follow up questions are!

@devinfd
Copy link
Author

devinfd commented Apr 4, 2021

OK I understand what your saying and I got it working.

Just for your reference I used Post and Author to keep the question simple. In my actual use case I have mysite.com/api/v1/donations?include=donor. I need to make sure the user is authorized to view the donor contact information. ie: privacy rights of the donor.

Also a heads up that I initially tried to do:

public function authorize(): ?bool
{
    $includes = $this->includePaths();
    ...
}

but got the Error:

Error: Call to a member function validated() on null

/vendor/laravel/framework/src/Illuminate/Foundation/Http/FormRequest.php:195
/vendor/laravel-json-api/laravel/src/Http/Requests/ResourceQuery.php:146
/app/JsonApi/V1/Donations/DonationCollectionQuery.php:27
...

@devinfd devinfd closed this as completed Apr 4, 2021
@lindyhopchris
Copy link
Contributor

Yes that won't work because authorization occurs before validation. The includePaths() method uses the validated data.

You'd need to use $this->query('include') I believe.

@devinfd
Copy link
Author

devinfd commented Apr 5, 2021

ah yes. my bad you mentioned that in the first reply. Thanks for your help!

@veneliniliev veneliniliev mentioned this issue Nov 9, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@devinfd @lindyhopchris