v3.0.0 — Check for authorization against related records
By @brianswko in #119:
Fixes PATCH and POST requests so that the user's permissions are checked for every object given in a has-many relationship, not only for the primary resource being written.
For example:
If a user does not have access to the author with ID 2 (meaning the Pundit scope does not include it),
i.e. `AuthorPolicy::Scope.new(user, Author).resolve.include?(Author.find(2)) # => false`
And the following request is called:
PATCH /books/1

```json
{
  "data": {
    "type": "books",
    "id": "1",
    "attributes": {...},
    "relationships": {
      "authors": {
        "data": [
          { "type": "authors", "id": "1" },
          { "type": "authors", "id": "2" }
        ]
      }
    }
  }
}
```
Previously: would return a 20x and update the book to include author 2, because related records were never resolved through the user's policy scope.
Now: will return a 404 and not update the book, since author 2 is looked up through the user's policy scope and is therefore not found.
In some scenarios this means a 404 is returned where a 403 used to be returned. Clients that relied on telling "forbidden" apart from "not found" for related records need to account for this; the upside is that the response no longer confirms that a record outside the user's scope exists.
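As an added illustration (not code from the gem or from #119), the plain-Ruby sketch below models the new check: every id named in the `authors` relationship payload is resolved through a Pundit-style `AuthorPolicy::Scope`, and the first id the scope does not contain turns the whole request into a 404 before anything is written. `Author`, `User`, the in-memory `AUTHORS` table, `RecordNotFound`, `authorize_related_records` and both `patch_book_authors` variants are assumptions made for this example; the unchecked variant reproduces the old behaviour only for contrast.

```ruby
# Added example, not the gem's own code. Models the v3.0.0 behaviour change:
# related record ids in a has-many payload are resolved through the user's
# policy scope, and a miss becomes a 404. No Rails or Pundit required.

Author = Struct.new(:id, :owner_id)   # hypothetical model
User   = Struct.new(:id)              # hypothetical current user

# Constructed sample data: user 1 can see authors 1 and 3; author 2 belongs to user 2.
AUTHORS = [Author.new(1, 1), Author.new(2, 2), Author.new(3, 1)].freeze

class RecordNotFound < StandardError; end   # rendered as HTTP 404

# Hand-rolled stand-in for AuthorPolicy::Scope: the authors this user may see.
class AuthorPolicy
  class Scope
    def initialize(user, scope)
      @user = user
      @scope = scope
    end

    def resolve
      @scope.select { |author| author.owner_id == @user.id }
    end
  end
end

# Resolves relationship ids through the policy scope. Any id outside the scope
# raises RecordNotFound, so the caller cannot tell "exists but forbidden" apart
# from "does not exist", which is exactly the 404-instead-of-403 noted above.
def authorize_related_records(user, relationship_data)
  requested_ids = relationship_data.map { |ref| Integer(ref['id']) }
  visible_by_id = AuthorPolicy::Scope.new(user, AUTHORS).resolve.to_h { |a| [a.id, a] }
  missing = requested_ids.reject { |id| visible_by_id.key?(id) }
  raise RecordNotFound, "Couldn't find Author with id #{missing.first}" unless missing.empty?
  requested_ids.map { |id| visible_by_id.fetch(id) }
end

# Old behaviour (for contrast only): ids are trusted as given, so author 2 is
# attached even though the user's scope does not include it.
def patch_book_authors_unchecked(_user, relationship_data)
  [200, { 'author_ids' => relationship_data.map { |ref| Integer(ref['id']) } }]
end

# New behaviour: simulates PATCH /books/1 and returns [status, body].
def patch_book_authors(user, relationship_data)
  authors = authorize_related_records(user, relationship_data)
  [200, { 'author_ids' => authors.map(&:id) }]
rescue RecordNotFound => e
  [404, { 'error' => e.message }]
end

# Constructed relationship payloads; DENIED mirrors the request in the changelog.
ALLOWED = [{ 'type' => 'authors', 'id' => '1' }, { 'type' => 'authors', 'id' => '3' }].freeze
DENIED  = [{ 'type' => 'authors', 'id' => '1' }, { 'type' => 'authors', 'id' => '2' }].freeze

if __FILE__ == $PROGRAM_NAME
  p patch_book_authors_unchecked(User.new(1), DENIED)   # old: [200, {"author_ids"=>[1, 2]}]
  p patch_book_authors(User.new(1), DENIED)             # new: 404, nothing attached
  p patch_book_authors(User.new(1), ALLOWED)            # new: [200, {"author_ids"=>[1, 3]}]
end
```

The check runs over the complete list before any record is attached, so a request that mixes one visible and one invisible author is rejected as a whole rather than partially applied.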