Open
Description
Tuesday Jun 12, 2018 at 18:57 GMT
Originally opened as catalogueglobal#94
While #93 deals with adding authentication in front of the GTFS API, there is currently no check on the user's feed source permissions to determine whether they are authorized to make the GraphQL request. This is a bit tricky because the namespace value, which could be present in either the GraphQL query or variables must be used to determine a user's access to feed sources. Furthermore, this namespace value might exist in one of a couple MongoDB collections: FeedVersions or Snapshots (or perhaps the FeedSource#editorNamespace value).