Module: Spree::Api::V3::ScopedAuthorization
- Extended by: ActiveSupport::Concern
- Included in: Admin::BaseController, Admin::ResourceController
- Defined in: app/controllers/concerns/spree/api/v3/scoped_authorization.rb
Overview
Per-resource scope check for Admin API requests authenticated via API key. JWT-authenticated admin users bypass this and rely on CanCanCan abilities.
Controllers declare their scope:
    class Spree::Api::V3::Admin::OrdersController < ResourceController
      scoped_resource :orders
    end
The before_action maps the action to a `read_*` (index/show) or `write_*` (everything else, including custom member actions) scope and verifies the API key carries it.
See docs/plans/5.5-admin-api-key-scopes.md.
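The action-to-scope mapping described above, sketched as stand-alone Ruby. This is an added example, not Spree's implementation: `required_scope`, `authorized?`, `REPORTING_KEY`, the `read_orders`-style scope strings, and raising `MissingScopedResource` when no resource is declared are assumptions made for illustration.

```ruby
# Added illustration; not Spree's code. Only READ_ACTIONS and the name
# MissingScopedResource come from the page; everything else is hypothetical.
READ_ACTIONS = %w[index show].freeze

class MissingScopedResource < StandardError; end

# Map a controller action to the scope an API key must carry.
# Anything outside READ_ACTIONS needs the write scope, so a custom member
# action added later is write-protected without further configuration.
def required_scope(resource, action)
  # Assumption: a controller with no declared resource fails closed
  # instead of silently skipping the check.
  raise MissingScopedResource, "no scoped_resource declared" if resource.nil?

  prefix = READ_ACTIONS.include?(action.to_s) ? "read" : "write"
  "#{prefix}_#{resource}"
end

# Assumption: key scopes are a flat list of strings and write_* does not
# imply read_*; the page does not say either way.
def authorized?(key_scopes, resource, action, jwt_admin: false)
  # JWT-authenticated admins bypass the scope check (CanCanCan decides).
  return true if jwt_admin

  Array(key_scopes).include?(required_scope(resource, action))
end

# Constructed sample: a read-only reporting key.
REPORTING_KEY = %w[read_orders read_products].freeze

# "cancel" stands in for a custom member action.
%w[index show update destroy cancel].each do |action|
  puts format("%-8s %-13s allowed=%s", action,
              required_scope(:orders, action),
              authorized?(REPORTING_KEY, :orders, action))
end
```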
Defined Under Namespace
Classes: MissingScopedResource
Constant Summary
- READ_ACTIONS = %w[index show].freeze