Bug #13212

open

APIs for "taxed" objects only accept the full list of taxonomies

Added by Thomas McKay over 8 years ago. Updated over 6 years ago.

Status: New
Priority: High
Assignee:
Category: API
Target version: -
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

The --organizations option only works when the full set of organizations is specified. If just a single org is named, all other orgs are removed. This will not work for users with a reduced role since they cannot specify (or even know) all the orgs necessary to merely update the template.

Actions #1

Updated by Stephen Benjamin about 8 years ago

  • Project changed from Foreman Remote Execution to Foreman
  • Subject changed from 'hammer job-template update --organizations' only accepts the full list of orgs to APIs for "taxed" objects only accept the full list of taxonomies

This is how all Foreman APIs with taxonomies work; we just include the Taxonomy concerns. Moving to Foreman project.

Actions #2

Updated by Stephen Benjamin about 8 years ago

  • Category changed from Usability to API

Actions #3

Updated by Thomas McKay about 8 years ago

  • Bugzilla link set to 1311743

Actions #4

Updated by Shimon Shtein about 8 years ago

  • Assignee set to Shimon Shtein

I am thinking of introducing a json-patch mechanism in order to do proper partial changes to all of our resources. A good point to start the discussion: http://williamdurand.fr/2014/02/14/please-do-not-patch-like-an-idiot/

Actions #5

Updated by Tomáš Strachota over 6 years ago

Per discussion with Marek Hulan this issue can be solved without modifying the API. The API controllers need to check parameters for has_many relationships and always glue the data sent in the update request with ids that are already assigned to the resource but not readable by the user.

Example:

Having:
  user_a

  org_1 (id: 1) <-- visible to user_a
  org_2 (id: 2) <-- visible to user_a
  org_3 (id: 3)

  domain_1 (id: 1, organization_ids: [1, 3])

Then if an API call is performed as user_a to add org_2 to the domain_1:
  PUT /api/domains/1/ {organization_ids: [1, 2]}

The controller needs to:
  has_many_relationship_parameters.each do |param_name|
    params[param_name] = params[param_name] + relationships_not_readable_to_user(@domain, param_name)
    # in this case:     [1, 2] +             [3]
  end

There's another issue around handling parameters for has_many relationships in controllers: http://projects.theforeman.org/issues/20888
It's already in Marek's team's iteration so I expect the implementation will start soon. A fix for this bug could be implemented in the layer created for the foreign key constraint error handling.

I like the json-patch format and we will need to add some kind of a patch method in the future (probably either json-patch or the jsonapi.org style). On the other hand, I feel that adding this would probably be more of an API V3 thing and the update actions should work correctly anyway.
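
The merge described in the comment above, as an added Ruby example that is not part of the original comment or Foreman's own code. The function names, the sample data, and the refusal of submitted ids the user cannot read are assumptions made for the illustration.

```ruby
require 'set'

# Constructed sample data mirroring the example in the comment above.
VISIBLE_ORG_IDS = { 'user_a' => Set[1, 2] }.freeze # org_3 is hidden from user_a
DOMAIN_1 = { id: 1, organization_ids: [1, 3] }.freeze

class UnreadableIdError < StandardError; end

# Hypothetical helper (name borrowed from the pseudocode above): ids already
# assigned to the resource that the current user cannot read.
def relationships_not_readable_to_user(assigned_ids, visible_ids)
  assigned_ids.reject { |id| visible_ids.include?(id) }
end

# Turn the "full list" sent by a restricted user into the list to persist.
# The user controls only the ids they can read; hidden ids are carried over.
def merge_has_many_param(assigned_ids, submitted_ids, visible_ids)
  # Parameter absent from the request: leave the association untouched.
  return assigned_ids.dup if submitted_ids.nil?

  submitted = submitted_ids.map { |id| Integer(id) }.uniq

  # Assumption (not stated in the issue): an id the user cannot read is
  # refused instead of being attached silently.
  unreadable = submitted.reject { |id| visible_ids.include?(id) }
  raise UnreadableIdError, "ids not readable: #{unreadable.inspect}" unless unreadable.empty?

  hidden = relationships_not_readable_to_user(assigned_ids, visible_ids)
  (submitted + hidden).uniq.sort
end

if __FILE__ == $PROGRAM_NAME
  visible = VISIBLE_ORG_IDS['user_a']
  # PUT /api/domains/1/ {organization_ids: [1, 2]} performed as user_a
  puts merge_has_many_param(DOMAIN_1[:organization_ids], [1, 2], visible).inspect
end
```

An empty list from user_a removes only org_1 and org_2; org_3 stays because user_a never had control over it.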

Actions #6

Updated by Shimon Shtein over 6 years ago

Since the PATCH method is not implemented right now, we can argue whether the addition of methods is a good reason to update the API version or not.

Anyway I agree that this is better than nothing.
