php-crud-api icon indicating copy to clipboard operation
php-crud-api copied to clipboard

Published 20 hours ago verified publisher icon mevdschee

Custom responses for authorization.tableHandler

Open jankocian opened this issue 2 years ago • 6 comments

Hi all, I'd like to return a custom error message for failed authorization.tableHandler. Now it gets me "table not found" only, but I want to differentiate between several states.

One of the use cases for me is to check the current date&time to asses whether the submission can be accepted. I found the tableHandler to be the best place for that, cause the validation middleware works only on fields basis...

Thanks a lot in advance, Jan

jankocian avatar Jun 01 '23 12:06 jankocian

The authorization handler just returns true or false depending if current user is authorized to access a table. I don't fully get the use case yet (need sample or further description) but it seems the validation handler is better fit for your requirement.

The idea is to validate the submission date/time vs your preferred date/time. Validation middleware can include checking of the tableName, columnName, as well as the current operation,and can return custom message if the validation rule is not met.

apps-caraga avatar Jun 03 '23 13:06 apps-caraga

Not sure if this is still needed, seeing there's no response yet from @jankocian

But just a quick sample. Let's say you want to check the submission time vs some pre-determined time. ($banned_until in this example) . In the example, $banned_until is hard-coded but you can also put it in a session variable. The name of the table is sampleTable. We'll also use unix timestamp so you need to convert the time to that format. This is to simplify the computation of the difference between the dates/time, but you can also use DateTime object, date_dif or whatever way to complicate your life. 😁✌

		'validation.handler' => function ($operation, $tableName, $column, $value, $context) {
			$submission_time = time();
			$banned_until = 1686484800;// June 11, 2023 12:20:00 PM GMT+08:00
			$dif  = $banned_until - $submission_time;
			return ($tableName == 'sampleTable' && $column['name'] == 'sampleColumn' && $dif >= 1) ? "Operation not yet allowed, try again in ". round($dif/60,2) ." minutes": true;
		},

Assuming your submission is before the sample date, you'll get the following response:

{
    "code": 1013,
    "message": "Input validation failed for 'sampleTable'",
    "details": {
        "sampleColumn": "Operation not yet allowed, try again in 4.13 minutes"
    }
}

You need to specify at least one column name (e.g.&& $column['name'] == 'sampleColumn' ) in the condition, otherwise, you'll get the error message for each columns, like the following:

{
    "code": 1013,
    "message": "Input validation failed for 'sampleTable'",
    "details": {
        "sampleColumn1": "Operation not yet allowed, try again in 4.13 minutes",
        "sampleColumn2": "Operation not yet allowed, try again in 4.13 minutes",
        "sampleColumn3": "Operation not yet allowed, try again in 4.13 minutes".
    }
}

apps-caraga avatar Jun 11 '23 04:06 apps-caraga

@jankocian any update?

mevdschee avatar Jun 21 '23 20:06 mevdschee

Hey guys, thanks a lot for such a response!

My point was, that the validation I want to perform does not relate to any of the fields/columns. It technically is not an input validation anyway, right?

And as I process (and show) the input validation on the frontend, I'd much prefer to have a different way of returning such an error back - not associated to any field. Is there a preferred way to do it?

jankocian avatar Jun 22 '23 08:06 jankocian

Hey guys, thanks a lot for such a response!

You are welcome, thank you for filing the issue and helping to improve the software.

I'd like to return a custom error message for failed authorization.tableHandler. Now it gets me "table not found" only

If you don't have access you can also not be sure that the table exists, that's why the error is what it is.

It technically is not an input validation anyway, right? And as I process (and show) the input validation on the frontend...

Why would you even want to show the form on the front-end if you don't meet the conditions to fill it?

Is there a preferred way to do it?

I think the suggested solutions work on the server side of things. Not being allowed to submit a form should IMHO be handled before the form is shown, thus on the front-end and not by the back-end. Why fill a form that you can't submit?

I hope this helps.

Kind regards,

Maurits

mevdschee avatar Jun 22 '23 08:06 mevdschee

Admittedly, my proposed solution does not answer the question which is specifically about authorization.tableHandler. It is more of a possible solution to the mentioned use case which is to

check the current date&time to asses whether the submission can be accepted

Anyway, if you don't want to process server-side a user input for some reason, it would seem more sensible to not show the form to the user at all. You can use the /openapi end-point to know which tables and operations are allowed in the current session.

It technically is not an input validation anyway, right?

I assume that the submission date/time can actually be considered as some kind of input ( from the system, not from the user) which you can validate.

apps-caraga avatar Jun 22 '23 09:06 apps-caraga