If an API user has permission to read/view an Account model and that model also has child Contact models which can be associated to it, yet the user does not have permission to read/view the Contact, then how does one enforce that the API user cannot read Contacts through an 'include' like so:
GET /api/v1/accounts?include=contacts
It appears that during this request, the readRelationship() method is never called within my DefaultAuthorizer.
Thank you.
Hi! The authorizer method names relate to the defined JSON API HTTP requests - so readRelationship would only be called when the relationship is being read i.e. /api/v1/accounts/relationships/contacts.
For this scenario the read method would be called on the authorizer, so you would need to check the include paths then - and reject the request then if it had an include path that was not allowed.
Sidenote for me - the plan is to split the query and resource into two different request forms, which would make this kind of specific query parameter authorization a lot easier.
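The approach the maintainer describes above, checking the include paths inside the read authorization rather than waiting for readRelationship, can be modelled independently of the library. The following is an added example, not code from this issue or from the project: it parses a JSON API include parameter (including dotted nested paths such as contacts.addresses), resolves every relationship segment to the resource type it exposes, and rejects the whole request if any of those types is outside what the caller may read. The relationship map, the resource type names and the function names are constructed for the illustration.

```python
from typing import Dict, List, Set, Tuple

# Constructed relationship graph for the example: resource type -> {relationship name: related resource type}.
RELATIONSHIPS: Dict[str, Dict[str, str]] = {
    "accounts": {"contacts": "contacts", "owner": "users"},
    "contacts": {"addresses": "addresses"},
    "users": {},
    "addresses": {},
}


def parse_include(include_param: str) -> List[List[str]]:
    """Split 'contacts,contacts.addresses' into [['contacts'], ['contacts', 'addresses']]."""
    paths = []
    for raw in include_param.split(","):
        raw = raw.strip()
        if raw:
            paths.append(raw.split("."))
    return paths


def included_resource_types(root_type: str, paths: List[List[str]]) -> Set[str]:
    """Walk each include path from the root type and collect every resource type it would load.

    An unknown relationship name raises ValueError so a typo or probe for a
    relationship that does not exist is rejected instead of silently ignored.
    """
    types: Set[str] = set()
    for path in paths:
        current = root_type
        for relationship in path:
            try:
                current = RELATIONSHIPS[current][relationship]
            except KeyError:
                raise ValueError(f"unknown relationship '{relationship}' on '{current}'")
            types.add(current)
    return types


def authorize_read(root_type: str, include_param: str, readable_types: Set[str]) -> Tuple[bool, Set[str]]:
    """Decide whether a read of `root_type` with the given include parameter is allowed.

    Returns (allowed, denied_types). The request is denied as a whole if the
    root type or any included type is not in the caller's readable set; the
    denied set is returned so the caller can log or report it.
    """
    denied: Set[str] = set()
    if root_type not in readable_types:
        denied.add(root_type)
    denied |= included_resource_types(root_type, parse_include(include_param)) - readable_types
    return (not denied, denied)


if __name__ == "__main__":
    # Constructed caller: may read accounts, not contacts.
    caller_can_read = {"accounts", "users"}
    print(authorize_read("accounts", "contacts", caller_can_read))          # (False, {'contacts'})
    print(authorize_read("accounts", "", caller_can_read))                  # (True, set())
    print(authorize_read("accounts", "owner", caller_can_read))             # (True, set())
```

Rejecting the request outright (a 403) rather than stripping the disallowed include path is deliberate: silently dropping it would make the response differ from what the client asked for and hide the policy decision from audit logs. Resolving each segment through an explicit relationship map also means a relationship that is not registered is refused, so the check does not depend on the ORM accepting arbitrary eager-load names.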