Working on a legacy XML-RPC API, I found in almost every update action some extra validation to make sure that the XML being submitted by the update action contains the same object pointed to by the resource. So it means it tries to ensure that the following never happens:
# route /products/:category/:name
PUT the following XML to /products/foo/bar
<products>
  <product name="baz" category="fooz">
    <state>sold</state>
  </product>
</products>
then the wrong product is updated, a clear authentication vs. authorization problem.
My question is: what is the standard way to control this at the controller level? Use something like pundit (examples please)? Some clever, super-generic before_action filter (examples please)?
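One way to implement the generic check the question asks about, as an added example that is not part of the original post: the route parameters are compared against the identifying attributes in the submitted XML before the update runs, and any mismatch, malformed body, or body describing zero or several products is rejected. It is plain Ruby using the standard-library REXML parser so it runs offline; the attribute mapping and the `ProductsController` stand-in are assumptions (in a real Rails app the check would be registered with `before_action`).

```ruby
require "rexml/document"

# Generic route-vs-body identity check for /products/:category/:name.
# Added example; the attribute mapping below is an assumption.
module ResourceIdentityCheck
  class Mismatch < StandardError; end

  # route param name => attribute on <product> that must carry the same value
  IDENTITY_ATTRIBUTES = { "category" => "category", "name" => "name" }.freeze

  # Returns true when the body describes exactly the product named by the route.
  # Raises Mismatch otherwise, including for malformed XML and for bodies that
  # contain no product or more than one (the route identifies a single product).
  def self.verify(route_params, body_xml)
    doc = begin
      REXML::Document.new(body_xml)
    rescue REXML::ParseException => e
      raise Mismatch, "malformed XML: #{e.message.lines.first&.strip}"
    end

    products = REXML::XPath.match(doc, "/products/product")
    unless products.size == 1
      raise Mismatch, "expected exactly one <product>, got #{products.size}"
    end

    product = products.first
    IDENTITY_ATTRIBUTES.each do |param, attr|
      expected = route_params.fetch(param).to_s
      actual = product.attributes[attr]
      next if actual == expected
      raise Mismatch, "#{param}: route says #{expected.inspect}, body says #{actual.inspect}"
    end
    true
  end

  # Boolean convenience wrapper around verify.
  def self.consistent?(route_params, body_xml)
    verify(route_params, body_xml)
    true
  rescue Mismatch
    false
  end
end

# Minimal stand-in for a Rails controller (assumption: in Rails this would be
# `before_action :check_resource_identity, only: %i[update]`).
class ProductsController
  attr_reader :params, :request_body

  def initialize(params, request_body)
    @params = params
    @request_body = request_body
  end

  def update
    ResourceIdentityCheck.verify(params, request_body) # runs before any write
    :updated # a real handler would persist the change here
  end
end

# Constructed sample requests for a PUT to /products/foo/bar.
ROUTE_PARAMS = { "category" => "foo", "name" => "bar" }.freeze
MATCHING_BODY = '<products><product name="bar" category="foo"><state>sold</state></product></products>'
FOREIGN_BODY  = '<products><product name="baz" category="fooz"><state>sold</state></product></products>'

if __FILE__ == $0
  puts ProductsController.new(ROUTE_PARAMS, MATCHING_BODY).update
  begin
    ProductsController.new(ROUTE_PARAMS, FOREIGN_BODY).update
  rescue ResourceIdentityCheck::Mismatch => e
    puts "rejected: #{e.message}"
  end
end
```

The check deliberately rejects a body that names a second product alongside the right one, since that is the same attack surface as a single foreign product; an alternative is to reject the request when any `<product>` disagrees with the route, which the loop above can be extended to do.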