Now that we have defined a policy that permits or denies the ability to create a game based on the email address of the person creating the game, we will modify the rule so that any user can create a game, but only those with real email addresses can create games with invitees. This section demonstrates how a policy can take an action based on data in the request body.
To review, the Meme Game API offers a game creation endpoint that looks like this:
    POST /api/v1/games
    {
      "data": {
        "type": "game",
        "attributes": {
          "invitees": ["friend@example.com"]
        }
      }
    }
The requester specifies one or more invitees using the data.attributes.invitees field. We will update our policy with a second rule that disallows a new game if anybody else is invited to it.
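The decision logic described above, sketched in Python as an added example (it is not the tutorial's policy code or its policy language). The function names are hypothetical, and `has_real_email` is an assumed input that stands for the result of the email check defined in the earlier rule. A body whose invitees field has an unexpected shape is denied rather than guessed at.

```python
import json

GAMES_ENDPOINT = ("POST", "/api/v1/games")


def invitees_of(body):
    """Return the list at data.attributes.invitees, or [] if the path is absent.

    Raises ValueError when the path exists but has an unexpected shape.
    """
    node = body
    for key in ("data", "attributes", "invitees"):
        if not isinstance(node, dict):
            raise ValueError("expected a JSON object above %r" % key)
        if key not in node:
            return []
        node = node[key]
    if not isinstance(node, list) or not all(isinstance(i, str) for i in node):
        raise ValueError("invitees must be a list of strings")
    return node


def allow_create_game(method, path, raw_body, has_real_email):
    """Decide whether a game-creation request is permitted.

    has_real_email is an assumption of this sketch: the outcome of the
    email-address check from the earlier rule, computed by the caller.
    """
    if (method, path) != GAMES_ENDPOINT:
        return False  # this sketch only covers the game-creation endpoint
    try:
        invitees = invitees_of(json.loads(raw_body))
    except ValueError:  # also covers json.JSONDecodeError
        return False  # fail closed on malformed or unexpectedly shaped bodies
    if not invitees:
        return True  # first rule: any user may create a game with no invitees
    return has_real_email  # second rule: invitees require a real email address


# Constructed sample body, matching the request shown in the tutorial text.
SAMPLE = json.dumps(
    {"data": {"type": "game", "attributes": {"invitees": ["friend@example.com"]}}}
)

if __name__ == "__main__":
    print(allow_create_game("POST", "/api/v1/games", SAMPLE, has_real_email=False))
```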