Inconsinstent behaviour of query parameters on Entities #2031
Comments
|
Officially, the inconsistent ones are the GET and PATCH ones with a filter, since $filter should only be allowed for requests to EntitySets, not for requests to individual entities... Can you explain how you use those for authorization purposes? |
|
In front of FROST you can have an authorization layer that defines constraints for users using directly the same filter used in frost. I am going to provide a very simplified example that does not cover all use cases. For example: user A can access only Things about project X. For more details I can discuss in PM. |
|
That is something FROST can do itself, directly in the database, using the fine-grained authorisation options. By having FROST handle the authorisation, it takes all API feature in consideration, including expands, DataArrays and Batch processing. The Projects Plugin is the default set-up, but you can customise it with any SQL you'd like. |
|
Thank you for pointing out that page, it is indeed useful for the example I pointed out. It is something that actually I have explored but I had good reasons to keep separate the authorization layer from FROST. It is just a component of a wider solution. Focusing on the inconsistencies, do you think GET and PATCH won't support that behavior anymore or will DELETE align? |
I was investigating on query parameters on entities and I spotted the following behavior:
Assume to have in the database only on Thing with id 1.
Here the following requests:
Things(2)Things(1)?$filter=id eq 2Things(2)Things(1)?$filter=id eq 2Things(2)Things(2)?$filter=id eq 2The last request is inconsistent with the others. I find the behaviors of GET and PATCH very useful for authorization purposes and I wonder if would be possible to have the same on DELETE.
The text was updated successfully, but these errors were encountered: