Policy checks on related resources
I have been looking for quite some time, so this may be a noob-ish question. I have a couple of answers potentially, but I'd like to know kind of the standard way to write a policy for a resource where the relationship to that resource is how I would authorize the actor.
For example
Let's say I have a GroupRequest resource which represents a user's request to join a group (contains a group_id and user_id).
I also have a Group that has a group_admin relationship which belongs to a user.
I'd only like actions occurring on a GroupRequest to be performed by the group_admin
(and other similar resources such as GroupUser or GroupMembership)
So the way I'd like to authorize the actor is via
which I believe is giving me what I want.
But I can't seem to figure out how to write a policy for a create_action in the same way.
Let's say for a create action I'd like to "destroy" or "update" a group_request and then create the group_membership, but I'm not sure how to write a policy that does this. A simple check seems correct, but how do I pass the group_id from the create action into the check? Did I go about this the wrong way?
I also read I could potentially do a calculation field on any "group" related resource which loads the admin, and then I do a check with the actor against that? What's the best scenario here?
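The design question above, as an added framework-agnostic example that is not from the post or any particular authorization library: the policy resolves the Group's admin from the existing record for update/destroy, but for create it takes the group_id from the submitted input instead, since no record exists yet. The in-memory tables, the `authorize` and `accept_request` helpers and their names are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for the Group / GroupRequest resources.
@dataclass(frozen=True)
class User:
    id: int

@dataclass(frozen=True)
class Group:
    id: int
    group_admin_id: int  # the user who administers this group

@dataclass(frozen=True)
class GroupRequest:
    id: int
    group_id: int
    user_id: int

GROUPS = {1: Group(1, group_admin_id=10), 2: Group(2, group_admin_id=20)}
REQUESTS = {100: GroupRequest(100, group_id=1, user_id=30)}

def is_group_admin(actor: User, group_id: int) -> bool:
    """Relationship check: actor must be the group_admin of the referenced group."""
    group = GROUPS.get(group_id)
    return group is not None and group.group_admin_id == actor.id

def authorize(actor: User, action: str, *, record: Optional[GroupRequest] = None,
              params: Optional[dict] = None) -> bool:
    """Policy for GroupRequest. Deny by default; the group id comes from the
    stored record for update/destroy and from the input params for create."""
    if action in ("update", "destroy"):
        return record is not None and is_group_admin(actor, record.group_id)
    if action == "create":
        group_id = (params or {}).get("group_id")
        return group_id is not None and is_group_admin(actor, group_id)
    return False

def accept_request(actor: User, request_id: int):
    """Workflow from the post: destroy the request, then create the membership.
    Each step runs its own policy check; returns the membership tuple or None."""
    req = REQUESTS.get(request_id)
    if req is None or not authorize(actor, "destroy", record=req):
        return None
    membership_params = {"group_id": req.group_id, "user_id": req.user_id}
    if not authorize(actor, "create", params=membership_params):
        return None
    return ("membership", req.group_id, req.user_id)
```

Passing the group_id explicitly into the create check is what keeps a non-admin from creating memberships in a group they only referenced in the request body.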
