From 936072612bd094fefdee336a16559453f5d05aa5 Mon Sep 17 00:00:00 2001 From: brian-west-ingedata Date: Mon, 13 Jul 2026 14:09:13 +0700 Subject: [PATCH] auth_context.mark_as_checked extension.rb --- lib/verse/json_rpc/exposition/extension.rb | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/lib/verse/json_rpc/exposition/extension.rb b/lib/verse/json_rpc/exposition/extension.rb index edebe33..64ab46d 100644 --- a/lib/verse/json_rpc/exposition/extension.rb +++ b/lib/verse/json_rpc/exposition/extension.rb @@ -50,6 +50,14 @@ def json_rpc( end define_method(base_method) do + # the outer, request-level auth-checked + # gate is redundant for JSON-RPC — real per-action authorization is already + # enforced independently by each method's own repository call + # (scoped()/can!). The outer gate should stop trying to infer "was auth + # checked" from whether any item happened to reach business logic, and instead + # just be marked satisfied up front for JSON-RPC requests, since the inner, + # per-item mechanism is what's actually doing the enforcement. + auth_context.mark_as_checked! self.class.__json_rpc_controller__.handle(self, batch_failure:) end