Protect "transactions" endpoint
thevahidal opened this issue
Is your feature request related to a problem? Please describe.
Now that we have introduced authentication and authorization, we need to protect the transactions endpoint as well, as it has all the privileges on the database.
Describe the solution you'd like
The transactions endpoint should be used only by superusers.
Describe alternatives you've considered
We can get rid of this endpoint since there's no obvious usage for it.
Additional context
N/A
I'd quite like something more subtle than superusers. What if we also add a flag in Role or User that indicates that the role can submit transactions?
There could be sense in your alternative. We could archive the end-point until someone has a requirement for it. Then we re-implement it, including protection.
Yeah, I agree to archive / delete it for now.
Hmm, I've just thought of a half-way house. How about it is only enabled if auth is off? If it is called with auth on, we could return an error indicating that "The transactions end-point is not currently compatible with Soul authentication".
That's actually a good idea, though from the beginning of Soul I was really concerned about this endpoint as the power it has is too much.
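
The access rules discussed in this thread (endpoint usable only when auth is off, superusers only, or a per-role flag) can be sketched as one fail-closed guard. This is an added example, not code from the Soul project or from the commenters; `createTransactionGuard`, `isSuperuser`, `canSubmitTransactions`, `req.user`, the policy names and the HTTP status codes are all assumptions.

```javascript
// Added example: every name below is hypothetical, not Soul's actual API.
const INCOMPATIBLE_MSG =
  'The transactions end-point is not currently compatible with Soul authentication';

// policy: 'auth-off-only' (the half-way house), 'superuser', or 'role-flag'
function createTransactionGuard({ authEnabled, policy = 'auth-off-only' }) {
  return function guard(req, res, next) {
    // With auth off there is no identity to check, so behaviour is unchanged.
    if (!authEnabled) return next();

    // Half-way house: refuse outright whenever auth is on.
    if (policy === 'auth-off-only') {
      return res.status(403).json({ error: INCOMPATIBLE_MSG });
    }

    // Assumes an earlier authentication step populated req.user.
    const user = req.user;
    if (!user) return res.status(401).json({ error: 'Authentication required' });

    let allowed = false; // unknown policy values fail closed
    if (policy === 'superuser') {
      allowed = user.isSuperuser === true;
    } else if (policy === 'role-flag') {
      allowed =
        user.isSuperuser === true ||
        (user.roles || []).some((r) => r.canSubmitTransactions === true);
    }
    return allowed
      ? next()
      : res.status(403).json({ error: 'Not permitted to submit transactions' });
  };
}

// Minimal stand-ins for Express-style req/res so the guard runs offline (constructed).
function runGuard(guard, req) {
  const result = { status: 200, body: null, passed: false };
  const res = {
    status(code) { result.status = code; return this; },
    json(body) { result.body = body; return this; },
  };
  guard(req, res, () => { result.passed = true; });
  return result;
}
```
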