This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2019-02-27
Channels
- # beginners (113)
- # calva (39)
- # cider (18)
- # cljs-dev (19)
- # cljsrn (1)
- # clojure (80)
- # clojure-dusseldorf (1)
- # clojure-finland (1)
- # clojure-gamedev (1)
- # clojure-germany (2)
- # clojure-italy (38)
- # clojure-nl (16)
- # clojure-spec (90)
- # clojure-uk (81)
- # clojurescript (28)
- # clojutre (9)
- # cursive (47)
- # data-science (4)
- # datomic (21)
- # emacs (1)
- # events (2)
- # fulcro (11)
- # graphql (2)
- # hoplon (8)
- # hyperfiddle (23)
- # jobs (2)
- # kaocha (4)
- # lein-figwheel (1)
- # luminus (1)
- # mount (1)
- # off-topic (41)
- # pathom (5)
- # pedestal (27)
- # reitit (6)
- # remote-jobs (7)
- # ring-swagger (6)
- # shadow-cljs (42)
- # spacemacs (1)
- # sql (9)
- # tools-deps (6)
- # uncomplicate (2)
- # vim (5)
I have created a custom route metadata handler, auth-rules, for checking permissions. Sometimes
these permission checks require access to data in e.g. the response body. Accessing the data is done
before compojure-api validates and coerces the data, forcing me to validate it and thus re-implement
stuff done anyways by compojure-api.
This could be done by simply wrapping the route handler function in a permissions check, but I would
like to maintain this declarative approach to permission checking. Would it be
possible to have compojure-api run the response validation and coercion before executing this
permission handler, and also access the coerced data in the handler?
An example endpoint with custom permission handler:
(api/POST "/" {user-id :identity}
:auth-rules instrument/instrument-owner?
:summary "Create a new exercise session"
:body [exercise-session-data ::spec/exercise-session-data]
:return ::spec/exercise-session
(let [exercise-session (assoc exercise-session-data :user-id user-id)
id (db/create-exercise-session! exercise-session)]
(res/created nil (merge exercise-session id))))
(defn instrument-owner? [{user-id :identity
{:keys [instrument-id]} :body-params}]
(let [instrument (db/find-instrument-by-id {:id instrument-id})]
(= (:user-id instrument) user-id)))
auth-rules implementation:
(defn- wrap-restricted [handler rule]
(rules/restrict handler {:handler rule
:on-error on-auth-error}))
(defmethod restructure-param :auth-rules
[_ rule acc]
(update-in acc [:middleware] conj [wrap-restricted rule]))
maybe you could implement it as a :middleware instead? https://github.com/metosin/compojure-api/wiki/Middleware
The current solution is implemented as a route-specific middleware function. The problem is that I can't access the coerced params from a middleware function
in compojure-api.meta:
(defmethod restructure-param :coercion [_ coercion acc]
(-> acc
(assoc-in [:info :coercion] coercion)
(update-in [:middleware] conj [`mw/wrap-coercion coercion])))
That should work. Also, you can try to reorganize the middleware in the :auth-rules restructuring.
Great, thanks for the quick help!