Policies for `create` upsert actions
I have a
create do upsert? true end type of action that I'd like to put a policy on. However, I get a warning that says I can't add policies to create actions, basically because the data doesn't exist yet to be able to authorize against. So this is a two part question.
Question 1:
When upserting, there is data. Is there a way to authorize that? Maybe I'm relying too heavily on upserts.
Question 2:
In this case, I actually want to do authz that corresponds to the resource's parent's owner. I.e.
User has_many Site
Site has_many Page
I want to make it so that only the site's owner can create/upsert pages for that site, which does exist.
Is the solution here to create a generic add_page action on the Site, and put the policy on that?3 Replies
Solution
You can make it an update action on
Siteand use an after action hook on that update to upsert
Thats Question 2
For question 1, its actually really important:
an upsert is not the combination of a create and a read/update.
Upserting logic happens in the database
From your app's perspective, there is no data to begin with, and something in the data layer interprets your instructions to make it so.
If you know that something exists already, then that should be an update action, not an upsert
You can use bulk updates to update data that you do not yet have loaded into memory
This is extremely helpful, thank you.
I remember trying to get around using an upsert before - can't remember whether it was impossible or just seemed inelegant without the upsert