Comments (6)
colymba
commented on July 30, 2024
Sounds like a great idea! Shouldn't be hard to serialize, but do you have an idea on how to detect those relation in SilverStripe?
from silverstripe-restfulapi.
bummzack
commented on July 30, 2024
Since somebody might not want "polymorphic" output, while still having polymorphism in SilverStripe, I'd say it should be configurable.
Say you have the following class hierarchy in SilverStripe:
Shape extends DataObject
Rectangle extends Shape
Triangle extends Shape
From what I've seen, it's enough to enable API access for all three classes by adding the following config:
Shape:
api_access: true
So I would make the polymorphism just another flag in the config. Eg.
Shape:
api_access: true
polymorphic: true
I haven't looked into the code that much to see if this is sufficient.. I guess the serializer would have to check the relation, then see if the relation is polymorphic and switch to the polymorphic output mode instead.
from silverstripe-restfulapi.
colymba
commented on July 30, 2024
First, are you sure giving api access to the parent class gives access to all classes that extend it? I never really tested this and am a bit worried of the security issue here...
For the polymorphic relation | think it would be better to have either a 'polymorphic' property on the class with the value being an array with the relation name, or a 'polymorphic' Boolean for each relation.
Shape:
polymorphic:
- Owner
- Other
Or
Shape:
RelationName:
polymorphic: true
I'll have to see what makes most sense when implementing....
from silverstripe-restfulapi.
bummzack
commented on July 30, 2024
Hm I haven't tested it extensively, but I just noticed that giving access to the base-class enables access on the subclasses. Why do you think it's an issue? Subclasses should inherit permissions from base-classes, unless explicitly declared otherwise.
Setting it on a relation might also be a good approach. Is probably more flexible.
from silverstripe-restfulapi.
colymba
commented on July 30, 2024
To me access should be explicitly declared, to avoid giving permissions without realising it. So it works a bit like controllers $allow_actions
from silverstripe-restfulapi.
bummzack
commented on July 30, 2024
My line of thought was that it would work the same way as permissions in SilverStripe. If your base-class has canView, canEdit etc. implemented, the permissions will carry over to subclasses. But since your API also allows "config-only" checks, it might actually be better to force permission-settings on every accessible class.
from silverstripe-restfulapi.
Related Issues (20)
- Embedded Records not working as expected, or at all HOT 2
- Pagination for the Json
- The full configuration for BlogCategories & FeaturedImage
- Setting tokenOwnerClass HOT 2
- password with special characters HOT 1
- Response code 100 when post object has more than 3 relations
- CORS not working - Question really HOT 1
- api/auth/lostPassword -> BadMethodCallException
- New release? HOT 1
- Created, LastEdited never seem to be returned HOT 3
- Specify fields to be returned HOT 2
- default limit? HOT 1
- Access to token on dataobjects HOT 2
- Why convert properties and model names by "lcfirst"? HOT 1
- Lost password existing account disclosure HOT 4
- Can I call multiple dataobject in one api request and response in one json object?
- How to prevent POST requests specifying ID HOT 1
- SilverStripe 4 Support HOT 1
- model_permission_check instanceof Member not namespaced HOT 1
- Getting error: Call to undefined method SilverStripe\Config\Collections\CachedConfigCollection::set()
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from silverstripe-restfulapi.