In swagger.yaml, note the use of the x-mojo-privilege key under the route method;
leave it blank for routes that don't require a privilege to access:

    paths:
      /foo:
        get:
          x-mojo-controller: "MyApp::API::Foo"
          x-mojo-around-action: "MyApp::API::check_api_priv"
          x-mojo-privilege: "get:foo"
          operationId: get
          summary: |
            The details of foo
          parameters:
          tags:
            - Foo
          responses:
            200:
              description: .

In MyApp::API (requires Mojolicious::Plugin::Authorization for the has_priv helper):
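
    sub check_api_priv {
        my ( $next, $c, $action_spec ) = @_;

        # Only routes that declare x-mojo-privilege are checked;
        # a blank or absent key lets the request through.
        if ( my $privilege = $action_spec->{"x-mojo-privilege"} ) {
            if ( ! $c->has_priv( $privilege ) ) {
                $c->app->log->debug( "API call but $privilege priv missing" );
                return $c->render_swagger(
                    { errors => [{ message => "Denied ($privilege)" }] },
                    {},
                    401,
                );
            }
        }

        # Privilege present, or none required: continue to the controller action.
        return $next->( $c );
    }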
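
Because a route with no x-mojo-privilege key is served without any check, a misspelled key or a missing x-mojo-around-action leaves that route open. The following added example (not part of the original snippet or of the plugin) audits a decoded spec for those cases. The audit_privileges name and the sample spec are constructed for illustration, and it assumes the around-action is set per operation as shown above.

```perl
use strict;
use warnings;

my %HTTP_METHOD = map { $_ => 1 } qw(get put post delete patch head options);

# $spec is the decoded swagger.yaml; $guard is the around-action expected on
# every route that declares a privilege. Returns a list of finding strings.
# (Hypothetical helper, written for this example.)
sub audit_privileges {
    my ( $spec, $guard ) = @_;
    my @findings;
    for my $path ( sort keys %{ $spec->{paths} || {} } ) {
        my $item = $spec->{paths}{$path};
        next unless ref $item eq 'HASH';
        for my $method ( sort grep { $HTTP_METHOD{$_} } keys %$item ) {
            my $op = $item->{$method};
            next unless ref $op eq 'HASH';
            my $priv   = $op->{'x-mojo-privilege'};
            my $around = $op->{'x-mojo-around-action'} // '';
            my $where  = uc($method) . " $path";
            # Near-miss keys are never seen by the around-action.
            for my $key ( grep { /^x-mojo-priv/ && $_ ne 'x-mojo-privilege' } sort keys %$op ) {
                push @findings, "$where: unknown key '$key' (typo?)";
            }
            if ( defined $priv && length $priv ) {
                push @findings, "$where: privilege '$priv' set but around-action is '$around', not '$guard'"
                    if $around ne $guard;
            }
            else {
                push @findings, "$where: no privilege required (open route)";
            }
        }
    }
    return @findings;
}

# Constructed sample spec, already decoded from YAML.
my $spec = { paths => {
    '/foo' => { get => {
        'x-mojo-around-action' => 'MyApp::API::check_api_priv',
        'x-mojo-privilege'     => 'get:foo' } },
    '/bar' => { post => { 'x-mojo-privilege' => 'post:bar' } },
    '/baz' => { get => {
        'x-mojo-around-action' => 'MyApp::API::check_api_priv',
        'x-mojo-privelege'     => 'get:baz' } },
} };

print "$_\n" for audit_privileges( $spec, 'MyApp::API::check_api_priv' );
```

On the sample it reports POST /bar (privilege declared but no guard attached) and GET /baz (misspelled key, so the route is open), and nothing for GET /foo.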