Bypass all authorization for specific read action (including loaded relationships)
I have this read action:
`multitenancy :bypass_all` solves the tenancy requirement issue, but the loaded relationships are still returning nil due to authorization.
Is there an equivalent to `:bypass_all` for authorization so that this action (and its loaded relationships) skips all authorization checks entirely?
Note: I tried writing policies on every related resource to allow an invited user to read them, but besides feeling overkill, it felt wrong that an invited user could potentially access the dashboard by being able to read those related resources. I only want to access the related metadata for this specific action, nothing more.
You can skip authorization when you call the action, by passing the option `authorize?: false`. Other than that I don't think there is a way (and I don't think there really should be, same for multitenancy).
Solution
I'd suggest using the `accessing_from` builtin check.
That usually works but is not this time for some reason
Interesting, going to try it
`accessing_from` is working for direct relationships (`inviter` and `establishment`). How can I make it work for nested relationships?
Alright, I solved this by adding more `accessing_from` policies to the nested resources, targeting their direct relationships rather than the Invitation module; that was a mistake I made before.
Thanks a lot for the support!
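
The fix the thread arrives at, as an added example that is not code from the original posts: each related resource gets an `accessing_from` policy naming the resource that directly owns the relationship. The `MyApp.*` module names, the nested `:address` relationship and the `invited_user` variable are assumptions; `inviter` and `establishment` are the relationships named in the thread.

```elixir
# Added sketch. MyApp.* names, :address and invited_user are hypothetical.
# Each `policies` block goes inside the named resource, which is assumed to be
# declared with `authorizers: [Ash.Policy.Authorizer]`.

# In MyApp.User: reached through Invitation.inviter (a direct relationship).
policies do
  policy accessing_from(MyApp.Invitation, :inviter) do
    authorize_if always()
  end
end

# In MyApp.Establishment: reached through Invitation.establishment (direct).
policies do
  policy accessing_from(MyApp.Invitation, :establishment) do
    authorize_if always()
  end
end

# In MyApp.Address: nested, loaded as invitation -> establishment -> address.
# The check names the resource that directly owns the relationship
# (Establishment), not Invitation at the top of the load path.
policies do
  policy accessing_from(MyApp.Establishment, :address) do
    authorize_if always()
  end
end

# Call site: authorization stays on and the nested load runs with an actor.
# These policies only apply when the read arrives through the named
# relationship; a direct read of User, Establishment or Address is still
# decided by whatever other policies those resources define.
MyApp.Invitation
|> Ash.Query.load([:inviter, establishment: [:address]])
|> Ash.read!(actor: invited_user)
```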