The power of XDATA applied to the API SecurityContestant
The XData (https://docs.intersystems.com/irislatest/csp/docbook/DocBook.UI.Page.cls?KEY=GOBJ_XDATA) is a powerful feature to set documentation and metadata information for classes and methods. The %CSP.REST class uses XDATA to mapping REST calls (https://docs.intersystems.com/irislatest/csp/docbook/DocBook.UI.Page.cls?KEY=GREST_csprest), so in this article you will see how to use XData into your apps as code, not only as documentation.
When you write XData comments/definitions, the IRIS store it into %Dictionary.ClassDefinition (for classes) %Dictionary.MethodDefinition (for methods). If you query these tables, you will be able get metadata information and write code to this metadata configuration. %CSP.REST do this when you write your REST mappings for your REST Services using ObjectScript.
I wrote an application that is using XDATA to enforce authorization rules to the class method endpoints, see:
The @security.and does not exists into IRIS. So I need to read this configuration and write code to enforce access to the users with PersonAdmin role only.
To get this @security.and, you need to read this XData. See:
With this method you be able to get any xdata content for methods.
Now, to restrict access only to the users with the PersonAdmin role is simple. You need to override AccessCheck ClassMethod from %CSP.REST class. See:
With the rule match, set pAuthorized = 1, otherwise, set 0.
Now the roles allowed is based into XData configuration to your REST Class. Great!
If you want to see this in action, get my new app: https://openexchange.intersystems.com/package/API-Security-Mediator.