API
mybiz, 2014-10-15 17:39:42

How to properly organize access to user resources?

Here is an example:
For example, there is a certain DB table article with the following fields:
article_id
user_id
title
content
There is a certain API
/api/article/1
/api/article/2
/api/article/3
For example,
GET /api/article/2
POST /api/article/update/3 title=newtitle&content=newcontent
It turns out we have to glue user_id to all requests:
SELECT * FROM article WHERE article_id = 2 AND user_id = 111
UPDATE article SET ..... WHERE article_id = 3 AND user_id = 111
This makes the code redundant. Perhaps there is some kind of algorithm that will allow you to determine whether the current user has the right to execute such SQL?

4 answer(s)
Kir, 2014-10-15
@angry_bender

Wind up the authorization and look at the access rules.

Glueon, 2014-10-15
@Glueon

You can write a CanI function that will be called before the request is executed. It will somehow check whether the user has the right to perform this operation and, if not, throw some AccessViolationException. Then it will not be necessary to provide it in the SQL.

xmoonlight, 2014-10-16
@xmoonlight

First, we check for access:

SELECT COUNT(*) FROM article WHERE article_id = 2 AND user_id = 111 LIMIT 1
If it is not 0, we perform all the necessary operations on this publication without specifying the user in the queries.
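The approach the two answers above describe (a single ownership check before the operation, raising an exception on failure), as an added example that is not from any of the posters; Python with an in-memory sqlite3 table, and the users and articles are constructed sample data. Writes keep the owner filter on the UPDATE itself so the check and the write cannot be separated by a concurrent ownership change.

```python
import sqlite3


class AccessViolationError(Exception):
    """Raised when the current user does not own the requested article."""


def make_db():
    # Constructed sample data: user 111 owns articles 1 and 2, user 222 owns 3.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE article (article_id INTEGER PRIMARY KEY, user_id INTEGER, "
        "title TEXT, content TEXT)"
    )
    conn.executemany(
        "INSERT INTO article VALUES (?, ?, ?, ?)",
        [(1, 111, "first", "a"), (2, 111, "second", "b"), (3, 222, "third", "c")],
    )
    return conn


def can_i(conn, user_id, article_id):
    """The 'CanI' gate: one parameterised ownership query before the operation."""
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM article WHERE article_id = ? AND user_id = ?",
        (article_id, user_id),
    ).fetchone()
    return count > 0


def get_article(conn, user_id, article_id):
    if not can_i(conn, user_id, article_id):
        raise AccessViolationError(f"user {user_id} may not read article {article_id}")
    # After the gate the read itself no longer needs the user_id filter.
    return conn.execute(
        "SELECT title, content FROM article WHERE article_id = ?", (article_id,)
    ).fetchone()


def update_article(conn, user_id, article_id, title, content):
    if not can_i(conn, user_id, article_id):
        raise AccessViolationError(f"user {user_id} may not edit article {article_id}")
    # Check-then-act gap: ownership could change between can_i and the UPDATE,
    # so the write still carries the owner filter and the row count is verified.
    cur = conn.execute(
        "UPDATE article SET title = ?, content = ? WHERE article_id = ? AND user_id = ?",
        (title, content, article_id, user_id),
    )
    if cur.rowcount != 1:
        raise AccessViolationError(f"article {article_id} no longer owned by {user_id}")
    return cur.rowcount
```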

Mybiz, 2014-10-16
@Mybiz

And what if, before each request, we fetch a certain set of records, of the type SELECT article_id FROM article WHERE user_id=111; SELECT post_id FROM posts WHERE user_id=111,
and form an array $resources = [ "articles" => [2,5,8], "posts" => [20,19] ] etc.? What do you think?
I am very interested in how to implement this as competently as possible, and in how it is implemented in well-known projects.
