Consider whether Access Policy Checking should be part of the operation invoker.
mwadams opened this issue · 1 comments
mwadams commented
Describe the bug
At the moment, Access Checking is performed in the OperationInvoker, but execution scope is currently in the OpenApiHost.
It feels like the access checking (which does not depend on anything unavailable to the Host) should be moved up to the Host level.
mwadams commented
Although, looking more closely, it is possible that that access checking is fine where it is, and the scope building should be moved down into the invoker.
It depends on how we view the role of the Host as opposed to the operation invocation. I don't believe we have clarity on that - the host no longer seems to do very much at all, and delegates everything to the "invoker" - should we just roll it all up into the host?