How to properly check permissions in the API?
Hello.
There is an API (rails) with a specific list of methods.
And there are users with different rights.
Unregistered users can use the same list of features
Registered users have access to a larger list of features, but some of these features can only be applied to their own user.
How is it customary to organize the checking of access rights? Is it necessary to check in each method (or in a before_action), or is it done differently, in one place, for example, should all of this be checked in ApplicationController?
Thanks in advance.
I usually hang authentication on before_action and specify authorization by hand for each method of each controller; it is easier. I also usually edit the scaffolding templates for the current project so that the authorization code is generated automatically.
When using pundit, you can hang a check on after_action that verifies authorization was actually performed (see the docs). Together with tests that cover all controller actions, this check helps you not forget authorization.
You can also write tests for pundit policies; sometimes this is justified if the policies have complex logic.
I have also seen projects where controller tests for checking authorization were run under different roles, but this seems to me a bad approach: a lot depends on manual work to keep the code and tests in line.
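The pattern the answer describes (authentication in a before_action, an explicit authorize call in every action, and an after_action that fails if no authorize call happened) as an added, dependency-free Ruby sketch. This is not code from the thread or from Pundit itself; it runs without Rails, and the names ProfilePolicy, ProfilesController, dispatch and run are hypothetical stand-ins for a real controller and its callbacks. The policy answers the original question's two cases: unregistered users may only read, registered users may modify only their own record.

```ruby
# Added example: Pundit-style policy plus before/after callbacks, no Rails needed.
User    = Struct.new(:id)            # current_user is nil for an unregistered visitor
Profile = Struct.new(:id, :owner_id) # a resource that belongs to exactly one user

class NotAuthorized < StandardError; end
class AuthorizationNotPerformed < StandardError; end

# One policy object per (user, record) pair, one predicate per action,
# the same shape Pundit policies use.
class ProfilePolicy
  def initialize(user, profile)
    @user, @profile = user, profile
  end

  # Everyone, including unregistered users, may read a profile.
  def show?
    true
  end

  # Only a registered user, and only for a profile they own.
  def update?
    !@user.nil? && @user.id == @profile.owner_id
  end
end

# A miniature controller: authenticate first, authorize inside each action,
# and verify after the action that authorize was actually called.
class ProfilesController
  attr_reader :current_user

  def initialize(current_user, profile)
    @current_user = current_user
    @profile = profile
    @authorized = false
  end

  # Simulates the Rails callback chain: before_action, action, after_action.
  def dispatch(action)
    authenticate_user! unless action == :show # guests may only read
    result = public_send(action)
    verify_authorized                         # safety net for forgotten checks
    result
  end

  def show
    authorize(@profile, :show?)
    { status: 200, body: "profile #{@profile.id}" }
  end

  def update
    authorize(@profile, :update?)
    { status: 200, body: "updated #{@profile.id}" }
  end

  # Deliberately missing its authorize call; verify_authorized catches this.
  def destroy
    { status: 200, body: "deleted #{@profile.id}" }
  end

  private

  def authenticate_user!
    raise NotAuthorized, "login required" if current_user.nil?
  end

  def authorize(record, query)
    @authorized = true
    policy = ProfilePolicy.new(current_user, record)
    raise NotAuthorized, "#{query} denied" unless policy.public_send(query)
    record
  end

  def verify_authorized
    raise AuthorizationNotPerformed, "action never called authorize" unless @authorized
  end
end

# Maps the outcome of one request to a status or a symbol naming the failure.
def run(user, profile, action)
  ProfilesController.new(user, profile).dispatch(action)[:status]
rescue NotAuthorized
  :forbidden
rescue AuthorizationNotPerformed
  :missing_authorize
end

if __FILE__ == $PROGRAM_NAME
  owner = User.new(1)
  puts run(nil,   Profile.new(10, 1), :show)    # 200
  puts run(owner, Profile.new(10, 1), :update)  # 200
  puts run(owner, Profile.new(10, 1), :destroy) # missing_authorize
end
```

The after_action check turns a silently missing authorize call into a loud failure, which is what makes it pair well with controller tests that simply exercise every action once.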