
Security question

Open mgralikowski opened this issue 7 years ago • 1 comment

Dynamic relationships are very powerful but also a bit insecure. Any experience with securing nested resources? For example, a user is able to get posts with `posts?with=author`, but `posts?with=author.privateSettings` should only be downloadable by the author or a supervisor. Any option to set the available relations?

mgralikowski avatar Jul 28 '18 21:07 mgralikowski

Yep, there are a few design issues with the current release. This is one of them. I started working on v1.0 a few months ago. It is a complete rewrite and should allow you to have more fine-grained control over such things. With this version, you can define the nested relations that can be fetched using the expandable config and the known dot notation for nested relations. You can find the current state in the next branch. Feel free to check it out. The most basic stuff should already work, but I haven't yet found the time to make it release-ready. If you could start a field test, it would certainly help me going forward.

marcelgwerder avatar Jul 29 '18 02:07 marcelgwerder
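The question asks how to stop a client from expanding `author.privateSettings` through `?with=`, and the reply points at an allowlist of dot-notated relation paths. The following is an added example illustrating that idea in plain PHP; it is not code from laravel-api-handler or its `next` branch, and the function names (`filterExpansions`, `allowedExpansionsFor`), the role names, the sample requester and post records, and the idea that the allowlist is computed per requester are all assumptions made for the illustration. The function validates each requested path against the allowlist (a permitted path implicitly permits its prefixes, so allowing `author.privateSettings` also allows `author`) and rejects anything that is not a plain dot-separated identifier path.

```php
<?php
// Added example (not the library's code): allowlist the dot-notated relations a
// client may expand through ?with=..., with the allowlist depending on the requester.
// All names below are hypothetical.

declare(strict_types=1);

/**
 * Split a raw ?with= value and keep only the paths on the allowlist.
 *
 * @param string   $with     Raw query value, e.g. "author,author.privateSettings"
 * @param string[] $allowed  Dot paths the requester may expand; every prefix of an
 *                           allowed path is allowed too
 * @return array{0: string[], 1: string[]}  [accepted paths, rejected paths]
 */
function filterExpansions(string $with, array $allowed): array
{
    // Expand the allowlist into a set that also contains each path's prefixes.
    $permitted = [];
    foreach ($allowed as $path) {
        $segments = explode('.', $path);
        for ($i = 1; $i <= count($segments); $i++) {
            $permitted[implode('.', array_slice($segments, 0, $i))] = true;
        }
    }

    $accepted = [];
    $rejected = [];
    $requestedPaths = array_filter(array_map('trim', explode(',', $with)), 'strlen');
    foreach ($requestedPaths as $requested) {
        // Only identifiers joined by single dots; anything else is rejected before lookup,
        // so oddly formed input never reaches the ORM.
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/', $requested)) {
            $rejected[] = $requested;
            continue;
        }
        if (isset($permitted[$requested])) {
            $accepted[] = $requested;
        } else {
            $rejected[] = $requested;
        }
    }
    return [$accepted, $rejected];
}

/**
 * Hypothetical policy: which expansions a requester gets on a given post.
 * The sensitive nested relation is only added for the post's author or a supervisor.
 */
function allowedExpansionsFor(array $requester, array $post): array
{
    $allowed = ['author', 'comments.author'];
    $isAuthor = $requester['id'] === $post['author_id'];
    $isSupervisor = in_array('supervisor', $requester['roles'], true);
    if ($isAuthor || $isSupervisor) {
        $allowed[] = 'author.privateSettings';
    }
    return $allowed;
}

// Constructed sample data for the demonstration.
$post = ['id' => 1, 'author_id' => 42];
$anonymous = ['id' => 7, 'roles' => []];
$supervisor = ['id' => 8, 'roles' => ['supervisor']];

$with = 'author,author.privateSettings,comments.author,author.passwordHash';

[$ok, $bad] = filterExpansions($with, allowedExpansionsFor($anonymous, $post));
echo 'anonymous  accepted: ' . implode(',', $ok) . ' | rejected: ' . implode(',', $bad) . PHP_EOL;

[$ok, $bad] = filterExpansions($with, allowedExpansionsFor($supervisor, $post));
echo 'supervisor accepted: ' . implode(',', $ok) . ' | rejected: ' . implode(',', $bad) . PHP_EOL;
```

In a controller, the accepted list is what gets passed to Eloquent's `with()` (for example `Post::with($ok)`); the rejected list is worth returning as a 400 rather than silently dropping, so clients learn which expansions they are not entitled to instead of assuming the data does not exist. For a list endpoint the per-post author check above cannot be evaluated before the query runs, so a sensitive relation like `author.privateSettings` is better handled either by filtering it per item after loading or by exposing it only on the single-resource endpoint.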