graphiti-api / graphiti

Stylish Graph APIs

Home Page:https://www.graphiti.dev/


Data access questions

bguban opened this issue · comments

Hey. I have a few conceptual questions.

Create a comment that belongs to the current user

Working on a simple case, I faced an interesting problem. I have 2 models User(id, email), Comment(id, user_id, content) and an endpoint per model (flat graph). By design, a logged-in user can create their comments. It means that comment.user_id must be equal to context.current_user.id. In case somebody tries to send another user's id, we must reject the request.

The first thing I tried was to add writable: owner? to the user_id attribute where I was going to check that the assigned user_id is equal to the current_user.id but it appeared that "writable" doesn't have access to the model_instance.

I can add a hook to the resource and raise an exception that will be handled later in the controller. Or I can override the save method and add a validation error to the model. Or I can even pass the current_user into the model as a custom attribute to be able to check the access by the model validation but it looks like a hack. Is there a proper way to solve this issue by design? What are the reasons not to set attributes to the model and run the "writable" checks after having a model with data?

Working with public models

I have a publicly accessible model Country(id, name). Every user can read the records but only admins can create/delete/update the countries. The thing is that anybody can delete a country. There are no checks like deletable in the resource by design. I can check that the current user is an admin on the controller level but it looks like a part of the logic will be in the controller and another part in the resource (if the record can be deleted via sidepost it will not help).
Another case. If the country model allows creation with a blank name, everybody can create a country via sidepost even if I restrict the countries#create action in the controller. I can override the save and delete methods but maybe there is a more correct way? What do you think about creatable and deletable checks for the entire resource?

I made a small extension https://gist.github.com/bguban/c18aa0e625d1962fd79ed7980e808268 to solve the problems I wrote about above. I hope it will be helpful for somebody.
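Added example, not code from the issue author or from the Graphiti project: a plain-Ruby sketch (no graphiti gem, so the resource classes, the Context struct and the Forbidden error are stand-ins, not Graphiti's API) of the two checks discussed above. The comment resource runs its ownership check only after the attributes have been applied to a model, so the check sees both the populated model and the current user, which a per-attribute writable check cannot. The country resource puts one admin guard in front of create and destroy, so a sideposted write is rejected by the resource itself rather than only by a controller action.

```ruby
# Constructed models mirroring the issue: User(id, email), Comment(id, user_id,
# content), Country(id, name). The admin flag on User is an assumption.
User    = Struct.new(:id, :email, :admin, keyword_init: true)
Comment = Struct.new(:id, :user_id, :content, keyword_init: true)
Country = Struct.new(:id, :name, keyword_init: true)
# Stand-in for the request context that exposes current_user.
Context = Struct.new(:current_user, keyword_init: true)

# Hypothetical error type; a real resource layer would map this to a 403.
class Forbidden < StandardError; end

# Resource-like object for comments. Attributes are applied to the model
# first, then the ownership check runs with the populated model in hand.
class CommentResource
  def initialize(context)
    @context = context
  end

  def create(attributes)
    comment = Comment.new(**attributes)
    before_save(comment)
    comment
  end

  private

  # Reject any comment whose user_id is not the caller's own id.
  def before_save(comment)
    current = @context.current_user
    return if comment.user_id == current.id
    raise Forbidden, "comment.user_id=#{comment.user_id.inspect} is not current user #{current.id}"
  end
end

# Resource-like object for countries: one guard covers every write, so it
# applies whether the request arrives directly or as a sidepost.
class CountryResource
  def initialize(context, store = {})
    @context = context
    @store = store   # constructed in-memory table keyed by id
  end

  # Reads are open to everyone.
  def all
    @store.values
  end

  def create(attributes)
    assert_admin!
    country = Country.new(**attributes)
    @store[country.id] = country
  end

  # Returns the removed record (Hash#delete semantics) or nil if absent.
  def destroy(id)
    assert_admin!
    @store.delete(id)
  end

  private

  def assert_admin!
    raise Forbidden, "admin only" unless @context.current_user.admin
  end
end

# Returns true if the block raised Forbidden, false if it completed.
def forbidden?
  yield
  false
rescue Forbidden
  true
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new(id: 1, email: "alice@example.com", admin: false)
  comments = CommentResource.new(Context.new(current_user: alice))
  puts comments.create(id: 10, user_id: 1, content: "mine").inspect
  puts forbidden? { comments.create(id: 11, user_id: 2, content: "spoofed") }
end
```

The point of the sketch is the ordering: assign attributes, then authorize with the model and context together, and keep the authorization inside the resource so every write path (direct action or sidepost) passes through it.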