
For my API, I have a database of items and users. API calls follow the format of

POST(GET, DELETE, etc.) http://example.com/api/items/4

When a user calls an API, I'd like to be able to get the id of the item to make sure that the user actually has permission to modify the item. I'm able to get the user ID without any problem (extracting it from the OAuth2 token), but what's the best way to get the item ID, in this case 4? I would prefer to do this in the __isAllowed() function in the iAuthenticate class to keep my code clean. Is this possible?

zongweil

1 Answer

Although it is possible, it will complicate the process to reject the user based on the resource at the auth class level.

I always prefer to do this at the API method level; we can still throw 401 Unauthorized from the API method once we find the requested resource does not belong to the user.

Arul Kumaran
  • Ahh that makes sense. So would you recommend just manually throwing a 401 exception? – zongweil Mar 07 '14 at 04:19
  • And what's the best way to pass the user id associated with the access token to the API method? It was simple to do in the __isAllowed() function; is there an easy way to pass it along? – zongweil Mar 07 '14 at 05:13
  • Yes, a manual 401 is just fine. Your auth class should store the user id in a user class that uses the iIdentifyUser interface. You can then access the unique identifier from the user class from anywhere, including the API method. – Arul Kumaran Mar 07 '14 at 16:24
  • Please note that `iIdentifyUser` is the new name for `iUser` starting from RC5. You may simply use the `Luracast\Restler\User` or create your own class implementing the interface. If you use your own, make sure you update `Defaults::$userIdentifierClass` – Arul Kumaran Mar 07 '14 at 16:30
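Putting the answer and its comments together as an added example (this is not code from the question, the answer, or the Restler project): the auth class validates the token, stores the user id via the `Luracast\Restler\User` class, and the API method, which receives the item id bound from the URL, loads the item and throws the manual 401 when the owner does not match. The Restler 3 names used (`iAuthenticate` with `__isAllowed()` / `__getWWWAuthenticateString()`, the static `User::setUniqueIdentifier()` / `User::getUniqueIdentifier()`, `RestException`, and the `@url` / `@access protected` annotations) are assumed to match the RC5-era API the thread refers to; the token table and item table are constructed in-memory stand-ins for real OAuth2 validation and a real database.

```php
<?php
// Added example, not Restler's own code. Assumes the Restler 3 (RC5+) API:
// iAuthenticate, User::setUniqueIdentifier(), RestException, @url/@access.
use Luracast\Restler\iAuthenticate;
use Luracast\Restler\RestException;
use Luracast\Restler\User;

class TokenAuth implements iAuthenticate
{
    // Constructed sample tokens standing in for real OAuth2 token validation:
    // access token => user id.
    private static $tokens = array(
        'token-alice' => 17,
        'token-bob'   => 42,
    );

    public function __isAllowed()
    {
        $header = isset($_SERVER['HTTP_AUTHORIZATION'])
            ? $_SERVER['HTTP_AUTHORIZATION'] : '';
        if (!preg_match('/^Bearer\s+(\S+)$/i', $header, $m)) {
            return false; // Restler answers 401 with the WWW-Authenticate header below
        }
        if (!isset(self::$tokens[$m[1]])) {
            return false; // unknown or revoked token
        }
        // Hand the authenticated user id to the User class so that any
        // API method can read it later (this is what the comments suggest).
        User::setUniqueIdentifier(self::$tokens[$m[1]]);
        return true;
    }

    public function __getWWWAuthenticateString()
    {
        return 'Bearer realm="example"';
    }
}

class Items
{
    // Constructed in-memory "database": item id => owner user id.
    private static $owners = array(4 => 17, 5 => 42);

    /**
     * DELETE /api/items/4 binds $id = 4 through the {id} placeholder,
     * so the item id is simply a method parameter here.
     *
     * @url DELETE items/{id}
     * @access protected
     */
    public function delete($id)
    {
        $id = (int) $id;
        $this->assertOwner($id);
        unset(self::$owners[$id]);
        return array('deleted' => $id);
    }

    /**
     * @url GET items/{id}
     * @access protected
     */
    public function get($id)
    {
        $id = (int) $id;
        $this->assertOwner($id);
        return array('id' => $id, 'owner' => self::$owners[$id]);
    }

    // Resource-level authorization at the API method level, as the answer
    // recommends: look the item up, then compare its owner with the caller.
    private function assertOwner($id)
    {
        if (!isset(self::$owners[$id])) {
            throw new RestException(404, 'Item not found');
        }
        if (self::$owners[$id] !== (int) User::getUniqueIdentifier()) {
            // The answer's manual 401 for a resource that is not the caller's.
            throw new RestException(401, 'This item does not belong to you');
        }
    }
}
```

Two points worth keeping in mind when adapting this: the ownership check must run in every method that reads or modifies the item (hence the shared `assertOwner()` helper), because a check that only guards `delete()` still leaves `GET` exposed; and deciding whether "not yours" answers 401 (as the answer does), 403 Forbidden (the more precise status for an authenticated caller without access), or 404 (which avoids confirming that the item id exists) is a policy choice that should be made once and applied consistently across the API.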