Authorising updates needs access to what the client sent
lindyhopchris opened this issue · comments
Christopher Gammie commented
When authorising update requests from the client, the authoriser requires access to what the client has sent (i.e. what the client is attempting to change). E.g. when authorising an update of a resource, the authorisation might be dependent on which resource attributes are being changed, as per this issue:
cloudcreativity/laravel-json-api#14
Two modifications are required to the AuthorizerInterface:
- canUpdate needs to receive a ResourceInterface object as its second parameter.
- canModifyRelationship needs to receive a RelationshipInterface object as its third parameter.
This is a breaking change so will have to be in v0.6
Christopher Gammie commented
Closing as this is available via Composer on the v0.6.x-dev release
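The following is an added example, not part of the issue thread and not the library's code. It shows why an update authoriser needs the submitted resource: the decision depends on which attributes the request actually changes. The `SubmittedResource` and `ArticleAuthorizer` classes, the `EDITOR_ONLY` policy and the sample data are hypothetical, and the library's own `ResourceInterface` is not used.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the resource object the client sent (PHP 8+ constructor promotion).
final class SubmittedResource
{
    public function __construct(public string $type, public string $id, public array $attributes) {}
}

final class ArticleAuthorizer
{
    // Constructed policy: attributes that only an editor may change.
    private const EDITOR_ONLY = ['published', 'author_id'];

    /** Names of submitted attributes whose value differs from the stored record. */
    public function changedAttributes(array $record, SubmittedResource $resource): array
    {
        $changed = [];
        foreach ($resource->attributes as $name => $value) {
            if (!array_key_exists($name, $record) || $record[$name] !== $value) {
                $changed[] = $name;
            }
        }
        return $changed;
    }

    /** The second parameter is what the client sent, so the decision can depend on it. */
    public function canUpdate(array $record, SubmittedResource $resource, array $user): bool
    {
        if ($resource->type !== 'articles' || $resource->id !== (string) $record['id']) {
            return false; // submitted resource does not identify the record being updated
        }
        $isEditor = in_array('editor', $user['roles'], true);
        if (!$isEditor && $user['id'] !== $record['author_id']) {
            return false; // neither an editor nor the article's author
        }
        $privileged = array_intersect($this->changedAttributes($record, $resource), self::EDITOR_ONLY);
        return $isEditor || $privileged === [];
    }
}

// Constructed sample data: the author may retitle the article but not publish it.
$record = ['id' => 7, 'title' => 'Draft', 'published' => false, 'author_id' => 42];
$author = ['id' => 42, 'roles' => ['author']];
$auth = new ArticleAuthorizer();
$retitle = new SubmittedResource('articles', '7', ['title' => 'Final']);
$publish = new SubmittedResource('articles', '7', ['title' => 'Final', 'published' => true]);
var_dump($auth->canUpdate($record, $retitle, $author));
var_dump($auth->canUpdate($record, $publish, $author));
```

Comparing submitted values against the stored record, rather than rejecting on the mere presence of a privileged key, lets clients that resend the full resource unchanged still pass the check.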