Diffstat (limited to 'bin/api')
-rwxr-xr-xbin/api26
1 files changed, 18 insertions, 8 deletions
diff --git a/bin/api b/bin/api
index 0260cd7..868d575 100755
--- a/bin/api
+++ b/bin/api
@@ -55,6 +55,10 @@ class Entity
def to_h
@attributes
end
+
+ def to_gid
+ ::GlobalID.create(self, app: "example")
+ end
end
class Organization < Entity
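Review bot: `to_gid` on lines 19–21 is undocumented and is now the single place the GlobalID app name `"example"` lives, so a short comment would help readers who see the bare string: `# GlobalID of this entity (gid://example/<Class>/<id>); GlobalID.create reads #id.` If an `Entity` can exist without an `id` (an unsaved record), `GlobalID.create` presumably cannot build a valid identifier for it — confirm that callers only pass persisted entities. `Entity` is defined before this hunk.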
@@ -73,11 +77,11 @@ module HTTPHelpers
authorization = Rack::Auth::AbstractRequest.new(request.env)
return false unless authorization.provided?
- response = rpc.allowed(
+ response = rpc.allowed({
subject: authorization.params,
permission: permission,
- resource: ::GlobalID.create(resource, app: "example").to_s
- )
+ resource: resource.to_gid.to_s,
+ }, headers: { 'Authorization' => "Bearer #{authorization.params}"})
response.error.nil? && response.data.result
end
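Review bot: The guard on line 26 only checks `authorization.provided?`, so any Authorization header — a `Basic …` credential included — is forwarded on the new line 34 as `Bearer #{authorization.params}` and is also sent as the `subject` in the request body. The scheme should be checked before the credential is re-used: `return false unless authorization.provided? && authorization.scheme.to_s == "bearer"` (Rack's `scheme` has returned a String in recent versions and a Symbol in older ones, hence the `to_s`). Placing the same bearer token in both the body and the header also doubles the places it can end up in request logs on the rpc side; if the rpc authenticates the call from the header, `subject` could presumably be derived server-side instead — confirm against the rpc contract. `authorized?` starts before this hunk.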
@@ -93,11 +97,11 @@ module HTTPHelpers
http_response(code: 201, body: JSON.pretty_generate(body.to_h))
end
- def json_unauthorized(permission)
+ def json_unauthorized(permission, resource)
http_response(code: 401, body: JSON.pretty_generate({
error: {
code: 401,
- message: "`#{permission}` is required",
+ message: "`#{permission}` is required on `#{resource.to_gid}`",
}
}))
end
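Review bot: The 401 body on the changed line 46 now echoes the full GlobalID of the resource (`gid://example/Organization/…`) to every caller that failed authorization, including ones that sent no credentials at all, which discloses internal object identifiers for free. Since `authorized?` returns false both when the header is missing and when the rpc denies, a bare 401 also conflates the two cases: RFC 7235 expects a `WWW-Authenticate` header on 401, and a denied-but-authenticated caller would conventionally get 403. Unless the GID is meant to be public, I would keep the message at `message: "`#{permission}` is required",` and log the resource server-side instead. Whether `http_response` can carry headers is not visible in this hunk.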
@@ -128,15 +132,21 @@ class API
when "/organizations", "/organizations.json"
return json_ok(Organization.all.map(&:to_h))
when "/projects", "/projects.json"
- return json_ok(Project.all.map(&:to_h))
+ resource = Organization.default
+ if authorized?(request, :read_project, resource)
+ return json_ok(Project.all.map(&:to_h))
+ else
+ return json_unauthorized(:read_project, resource)
+ end
end
when Rack::POST
case request.path
when "/projects", "/projects.json"
- if authorized?(request, :create_project, Organization.default)
+ resource = Organization.default
+ if authorized?(request, :create_project, resource)
return json_created(Project.create!(JSON.parse(request.body.read, symbolize_names: true)))
else
- return json_unauthorized(:create_project)
+ return json_unauthorized(:create_project, resource)
end
end
end
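Review bot: The new read check on lines 55–57 authorizes `:read_project` against `Organization.default` but then returns `Project.all`, so the resource the permission was evaluated on does not scope the data returned; if projects can belong to more than one organization, a subject with read access to the default organization only would still see every project. The POST branch has the same mismatch: the parsed body goes straight into `Project.create!` on line 68, so the created project's organization presumably comes from client-supplied attributes rather than from the `resource` that was authorized. Consider scoping the listing to the authorized resource (e.g. an association on `resource`, if one exists) or authorizing per project, and forcing the created project's organization to `resource`. GET `/organizations` on line 52 remains unauthenticated, which may be intentional but is worth stating. The enclosing request-dispatch method starts before this hunk.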