Thoughts on scope/4
abitdodgy opened this issue
The signature of `scope/4` has `user` as the second argument and the description states:

> Filter a query down to user-accessible items.
What about cases where we need to filter a query on a resource other than the current user, like a current account, for example?
I suppose we can pass in the account in place of the user:
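```elixir
import Ecto.Query, only: [from: 2]

# Bodyguard.Schema callback: Bodyguard passes params as a third argument
def scope(query, account, _params) do
  from invitation in query,
    where: invitation.account_id == ^account.id
end

def list_invitations(%Account{} = account) do
  Invitation
  |> Bodyguard.scope(account)
  |> Repo.all()
end
```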
I haven't really tested this and it brings some additional mental overhead. I'm not sure if the scope of `scope/4` (no pun intended) includes this use case. Thoughts?
Yeesh, sorry I am getting back to this over a year later.
I'm not 100% on your intentions here… Bodyguard doesn't really know what you mean by "user", i.e. it can be whatever model or data structure you want. It's just a placeholder for "actor who we want to authorize actions against".
In fact you could even pattern-match on it, so you could accept `%Account{}` structs in some cases, and `%User{}` structs in others, depending on what you need to authorize. Or you could make a higher-level struct that encapsulates one or both of those structs.
In practice I wish I hadn't even put `scope/4` in there at all. It really doesn't add anything to the lib overall.
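
The pattern-matching approach from the reply above, as an added example that is not part of the original thread or Bodyguard's own code. It assumes Ecto and Bodyguard as dependencies; the `MyApp.*` module names and the `inviter_id` field are hypothetical. It goes one step beyond the thread by adding a final clause that matches no rows for any other actor, so an unexpected actor never receives the unfiltered query.

```elixir
defmodule MyApp.Accounts.Account do
  # Hypothetical actor struct for this example
  defstruct [:id]
end

defmodule MyApp.Accounts.User do
  # Hypothetical actor struct for this example
  defstruct [:id]
end

defmodule MyApp.Invitations.Invitation do
  # Hypothetical schema; field names are assumptions for this example
  use Ecto.Schema
  import Ecto.Query, only: [from: 2]

  @behaviour Bodyguard.Schema

  alias MyApp.Accounts.{Account, User}

  schema "invitations" do
    field :email, :string
    field :account_id, :id
    field :inviter_id, :id
  end

  # Actor is an account: every invitation that belongs to that account
  @impl Bodyguard.Schema
  def scope(query, %Account{id: account_id}, _params) do
    from i in query, where: i.account_id == ^account_id
  end

  # Actor is a user: only the invitations that user sent
  def scope(query, %User{id: user_id}, _params) do
    from i in query, where: i.inviter_id == ^user_id
  end

  # Any other actor, including nil: return a query that matches nothing
  # instead of handing back the query unfiltered
  def scope(query, _actor, _params) do
    from i in query, where: false
  end
end
```

Callers stay the same as in the original post: `Invitation |> Bodyguard.scope(actor) |> Repo.all()`, with the clause chosen by the struct type of `actor`.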