on 04-27-2023 1:11 PM
Hi together,
I was just implementing a sample CAP project with bound actions and associated exemplary HTTP requests. At this point I noticed that apparently bound actions are executable on entries that are not visible to the user.
I've created this Github repo for you to test. I think that the last request ("cannotSubmitOtherOrder") in the ./test/requests.http file should not work.
I've read the docs about restricting actions, but I think it should not be possible to execute actions on entities which you're not supposed to see, no?
But maybe I'm missing something 😉
Best Regards
Tom
Hi truloff,
@restrict.where is currently not supported for bound actions/ functions. It is in our backlog, but without a timeline.
You can add the test yourself rather easily via our Querying API like this:
this.on('submit', Orders, async function (req) {
  // read the action's target through the service's own read handlers,
  // so only rows the current user is allowed to see come back
  const orders = await this.read(req.subject)
  if (orders.length === 0) req.reject(403)
  // here, the user may see the order
})
Best,
Sebastian
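To make the gap and the suggested check concrete, here is an added, self-contained simulation (not CAP code and not the @sap/cds API): an in-memory Orders table with a per-user visibility rule standing in for @restrict.where, an unchecked submit handler beside the read-first handler from the answer, and a constructed request shape with `subject`, `user` and `reject`.

```javascript
// Constructed simulation of the visibility gap discussed above; all names
// (ORDERS, canSee, readVisible, makeReq, attempt) are assumptions, not CAP.

// Constructed sample data: orders owned by two different users.
const ORDERS = [
  { ID: 1, createdBy: 'alice', status: 'open' },
  { ID: 2, createdBy: 'bob', status: 'open' },
];

// Equivalent of @restrict: { where: 'createdBy = $user' } on the entity.
const canSee = (order, user) => order.createdBy === user;

// Stand-in for this.read(req.subject): only rows visible to the user return.
function readVisible(id, user) {
  return ORDERS.filter(o => o.ID === id && canSee(o, user));
}
// Minimal stand-in for a CAP request: subject key plus the calling user.
function makeReq(id, user) {
  const req = { subject: { ID: id }, user, rejected: null };
  req.reject = (code, msg) => { req.rejected = { code, msg }; };
  return req;
}

// Unchecked handler: resolves the key without the read restriction,
// so any authenticated user can submit any order (the reported gap).
function submitUnchecked(req) {
  const order = ORDERS.find(o => o.ID === req.subject.ID);
  if (!order) return req.reject(404, 'not found');
  return { ...order, status: 'submitted' };
}

// Hardened handler (the fix from the answer): read through the restricted
// view first and refuse when the caller may not see the row.
function submitChecked(req) {
  const visible = readVisible(req.subject.ID, req.user);
  if (visible.length === 0) return req.reject(403, 'forbidden');
  return { ...visible[0], status: 'submitted' };
}

// Returns the outcome of one attempt as a short string for comparison.
function attempt(handler, id, user) {
  const req = makeReq(id, user);
  const result = handler(req);
  return req.rejected ? `rejected:${req.rejected.code}` : result.status;
}

// Example usage (constructed): bob submitting alice's order.
console.log(attempt(submitUnchecked, 1, 'bob')); // submitted (the gap)
console.log(attempt(submitChecked, 1, 'bob'));   // rejected:403 (the fix)
```

Note that the checked handler answers 403 for both an invisible and a non-existent key, so it does not reveal whether the order exists.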
Hi Sebastian,
thank you for your quick answer. It would definitely be nice to have such a restrict.where annotation for actions. I'm just thinking of an implementation I did, where the Orders entity itself is an external source, so it would add a lot of delay in the form of HTTP requests to this authentication. Not to mention the readability improvement.
But nevertheless thank you for your solution, I'll go ahead and try it out!
Best Regards
Tom