How @Allow decorator works? #1462
Would like to understand how @Allow(Permission.Owner) works. If I set this decorator for a resolver, then who will have access to this resolver?
Hi, this is a special permission which functionally is the same as "Public" but indicates that the resource should only be accessible to its owner. E.g. an Order in the Shop API should only be accessible to the customer who placed it. There is no way to enforce this since the concept of "ownership" cannot be encoded statically. So any resolver decorated with this permission needs to ensure that it includes the necessary logic to limit the response only to the owner of that resource.
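The ownership logic described in the answer above, as an added example that is not part of the original discussion and is not Vendure's own code. It contrasts a resolver body that relies on the decorator alone with one that limits the response to the owner; `RequestCtx`, `Order`, the field names and the sample data are simplified, constructed stand-ins.

```typescript
// Simplified stand-ins (assumptions for this example, not Vendure's own types).
interface RequestCtx { activeUserId?: string }  // undefined = anonymous session
interface Order { id: string; ownerUserId?: string; total: number }  // no owner = guest order

// Constructed sample data.
const ORDERS: Order[] = [
  { id: "1", ownerUserId: "alice", total: 1200 },
  { id: "2", ownerUserId: "bob", total: 800 },
  { id: "3", total: 500 }, // guest checkout, no owning user
];

function findOrder(id: string): Order | undefined {
  for (const o of ORDERS) {
    if (o.id === id) return o;
  }
  return undefined;
}

// Ownership test. Both ids must be present: comparing two undefined values
// would otherwise treat an anonymous caller as the owner of a guest order.
function isOwner(ctx: RequestCtx, order: Order): boolean {
  return ctx.activeUserId !== undefined
    && order.ownerUserId !== undefined
    && order.ownerUserId === ctx.activeUserId;
}

// Resolver body with no ownership logic. Because Owner behaves like "Public",
// any caller receives any order.
function orderUnchecked(_ctx: RequestCtx, id: string): Order | undefined {
  return findOrder(id);
}

// Resolver body that limits the response to the owner. A non-owner gets the
// same result as an unknown id, so the response does not confirm the order exists.
function orderForOwner(ctx: RequestCtx, id: string): Order | undefined {
  const order = findOrder(id);
  return order !== undefined && isOwner(ctx, order) ? order : undefined;
}

// List variant: filter by owner instead of returning every row.
function ordersForOwner(ctx: RequestCtx): Order[] {
  return ORDERS.filter(o => isOwner(ctx, o));
}
```

In a real resolver the same check would sit inside the method decorated with `@Allow(Permission.Owner)`, using the request context's active user in place of `activeUserId`.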