mevdschee
diff --git a/‎README.md
+30-9 b/‎README.md
+30-9
diff --git a/‎api.php
+219-121 b/‎api.php
+219-121
diff --git a/‎src/Tqdev/PhpCrudApi/Config.php
+1-1 b/‎src/Tqdev/PhpCrudApi/Config.php
+1-1
diff --git a/‎src/Tqdev/PhpCrudApi/Database/GenericDB.php
+10-10 b/‎src/Tqdev/PhpCrudApi/Database/GenericDB.php
+10-10
diff --git a/‎src/Tqdev/PhpCrudApi/Middleware/AuthorizationMiddleware.php
+20-48 b/‎src/Tqdev/PhpCrudApi/Middleware/AuthorizationMiddleware.php
+20-48
diff --git a/‎src/Tqdev/PhpCrudApi/Middleware/SanitationMiddleware.php
+21-20 b/‎src/Tqdev/PhpCrudApi/Middleware/SanitationMiddleware.php
+21-20
@@ -594,35 +594,56 @@ This example sends the signed claims:
 
 NB: The JWT implementation only supports the hash based algorithms HS256, HS384 and HS512.
 
+## Authorizing operations
+
+The Authorization model acts on "operations". The most important ones are listed here:
+
+    GET /records/{table} - list - lists records
+    POST /records/{table} - create - creates records
+    GET /records/{table}/{id} - read - reads a record by primary key
+    PUT /records/{table}/{id} - update - updates columns of a record by primary key
+    DELETE /records/{table}/{id} - delete - deletes a record by primary key
+    PATCH /records/{table}/{id} - increment - increments columns of a record by primary key
+
+The "`/openapi`" endpoint has a special "document" operation to allow you to hide tables and columns from the documentation. The OpenAPI specification will show what is allowed in your session.
+    
+For endpoints that start with "`/columns`" there are the operations "reflect" and "remodel". 
+These operations can display or change the definition of the database, table or column. 
+This functionality is disabled by default and for good reason (be careful!). 
+Add the "columns" controller in the configuration to enable this functionality.
+
 ### Authorizing tables, columns and records
 
-By default all tables are reflected. If you want to restrict access to some tables you may add the 'authorization' middleware 
+By default all tables and columns are accessible. If you want to restrict access to some tables you may add the 'authorization' middleware 
 and define a 'authorization.tableHandler' function that returns 'false' for these tables.
 
-    'authorization.tableHandler' => function ($method, $path, $databaseName, $tableName) {
+    'authorization.tableHandler' => function ($operation, $tableName) {
         return $tableName != 'license_keys';
     },
 
-The above example will restrict access to the table 'license_keys' in all API calls.
+The above example will restrict access to the table 'license_keys' for all operations.
 
-    'authorization.columnHandler' => function ($method, $path, $databaseName, $tableName, $columnName) {
+    'authorization.columnHandler' => function ($operation, $tableName, $columnName) {
         return !($tableName == 'users' && $columnName == 'password');
     },
 
-The above example will restrict access to the 'password' field from the 'users' table in all API calls.
+The above example will restrict access to the 'password' field of the 'users' table for all operations.
 
-    'authorization.recordHandler' => function ($method, $path, $databaseName, $tableName, $columnName) {
+    'authorization.recordHandler' => function ($operation, $tableName, $columnName) {
         return ($tableName == 'users') ? 'filter=username,neq,admin' : '';
     },
 
-The above example will disallow viewing the user records where the username is 'admin'. This construct adds a filter to every executed query.
+The above example will disallow access to user records where the username is 'admin'. 
+This construct adds a filter to every executed query. 
+
+NB: You need to handle the creation of invalid records with a validation (or sanitation) handler.
 
 ### Sanitizing input
 
 By default all input is accepted and sent to the database. If you want to strip (certain) HTML tags before storing you may add 
 the 'sanitation' middleware and define a 'sanitation.handler' function that returns the adjusted value.
 
-    'sanitation.handler' => function ($method, $tableName, $column, $value) {
+    'sanitation.handler' => function ($operation, $tableName, $column, $value) {
         return is_string($value) ? strip_tags($value) : $value;
     },
 
@@ -633,7 +654,7 @@ The above example will strip all HTML tags from strings in the input.
 By default all input is accepted. If you want to validate the input, you may add the 'validation' middleware and define a 
 'validation.handler' function that returns a boolean indicating whether or not the value is valid.
 
-    'validation.handler' => function ($method, $tableName, $column, $value, $context) {
+    'validation.handler' => function ($operation, $tableName, $column, $value, $context) {
         return ($column['name'] == 'post_id' && !is_numeric($value)) ? 'must be numeric' : true;
     },
 
 
@@ -11,7 +11,7 @@ class Config
         'password' => null,
         'database' => null,
         'middlewares' => 'cors',
-        'controllers' => 'records,columns,cache,openapi',
+        'controllers' => 'records,openapi',
         'cacheType' => 'TempFile',
         'cachePath' => '',
         'cacheTime' => 10,
 
@@ -98,9 +98,9 @@ public function definition(): GenericDefinition
         return $this->definition;
     }
 
-    private function addAuthorizationCondition(Condition $condition2): Condition
+    private function addAuthorizationCondition(String $tableName, Condition $condition2): Condition
     {
-        $condition1 = VariableStore::get('authorization.condition');
+        $condition1 = VariableStore::get("authorization.conditions.$tableName");
         return $condition1 ? AndCondition::fromArray([$condition1, $condition2]) : $condition2;
     }
 
@@ -131,7 +131,7 @@ public function selectSingle(ReflectedTable $table, array $columnNames, String $
         $selectColumns = $this->columns->getSelect($table, $columnNames);
         $tableName = $table->getName();
         $condition = new ColumnCondition($table->getPk(), 'eq', $id);
-        $condition = $this->addAuthorizationCondition($condition);
+        $condition = $this->addAuthorizationCondition($tableName, $condition);
         $parameters = array();
         $whereClause = $this->conditions->getWhereClause($condition, $parameters);
         $sql = 'SELECT ' . $selectColumns . ' FROM "' . $tableName . '" ' . $whereClause;
@@ -153,7 +153,7 @@ public function selectMultiple(ReflectedTable $table, array $columnNames, array
         $selectColumns = $this->columns->getSelect($table, $columnNames);
         $tableName = $table->getName();
         $condition = new ColumnCondition($table->getPk(), 'in', implode(',', $ids));
-        $condition = $this->addAuthorizationCondition($condition);
+        $condition = $this->addAuthorizationCondition($tableName, $condition);
         $parameters = array();
         $whereClause = $this->conditions->getWhereClause($condition, $parameters);
         $sql = 'SELECT ' . $selectColumns . ' FROM "' . $tableName . '" ' . $whereClause;
@@ -166,7 +166,7 @@ public function selectMultiple(ReflectedTable $table, array $columnNames, array
     public function selectCount(ReflectedTable $table, Condition $condition): int
     {
         $tableName = $table->getName();
-        $condition = $this->addAuthorizationCondition($condition);
+        $condition = $this->addAuthorizationCondition($tableName, $condition);
         $parameters = array();
         $whereClause = $this->conditions->getWhereClause($condition, $parameters);
         $sql = 'SELECT COUNT(*) FROM "' . $tableName . '"' . $whereClause;
@@ -178,7 +178,7 @@ public function selectAllUnordered(ReflectedTable $table, array $columnNames, Co
     {
         $selectColumns = $this->columns->getSelect($table, $columnNames);
         $tableName = $table->getName();
-        $condition = $this->addAuthorizationCondition($condition);
+        $condition = $this->addAuthorizationCondition($tableName, $condition);
         $parameters = array();
         $whereClause = $this->conditions->getWhereClause($condition, $parameters);
         $sql = 'SELECT ' . $selectColumns . ' FROM "' . $tableName . '"' . $whereClause;
@@ -195,7 +195,7 @@ public function selectAll(ReflectedTable $table, array $columnNames, Condition $
         }
         $selectColumns = $this->columns->getSelect($table, $columnNames);
         $tableName = $table->getName();
-        $condition = $this->addAuthorizationCondition($condition);
+        $condition = $this->addAuthorizationCondition($tableName, $condition);
         $parameters = array();
         $whereClause = $this->conditions->getWhereClause($condition, $parameters);
         $orderBy = $this->columns->getOrderBy($table, $columnOrdering);
@@ -216,7 +216,7 @@ public function updateSingle(ReflectedTable $table, array $columnValues, String
         $updateColumns = $this->columns->getUpdate($table, $columnValues);
         $tableName = $table->getName();
         $condition = new ColumnCondition($table->getPk(), 'eq', $id);
-        $condition = $this->addAuthorizationCondition($condition);
+        $condition = $this->addAuthorizationCondition($tableName, $condition);
         $parameters = array_values($columnValues);
         $whereClause = $this->conditions->getWhereClause($condition, $parameters);
         $sql = 'UPDATE "' . $tableName . '" SET ' . $updateColumns . $whereClause;
@@ -228,7 +228,7 @@ public function deleteSingle(ReflectedTable $table, String $id)
     {
         $tableName = $table->getName();
         $condition = new ColumnCondition($table->getPk(), 'eq', $id);
-        $condition = $this->addAuthorizationCondition($condition);
+        $condition = $this->addAuthorizationCondition($tableName, $condition);
         $parameters = array();
         $whereClause = $this->conditions->getWhereClause($condition, $parameters);
         $sql = 'DELETE FROM "' . $tableName . '" ' . $whereClause;
@@ -245,7 +245,7 @@ public function incrementSingle(ReflectedTable $table, array $columnValues, Stri
         $updateColumns = $this->columns->getIncrement($table, $columnValues);
         $tableName = $table->getName();
         $condition = new ColumnCondition($table->getPk(), 'eq', $id);
-        $condition = $this->addAuthorizationCondition($condition);
+        $condition = $this->addAuthorizationCondition($tableName, $condition);
         $parameters = array_values($columnValues);
         $whereClause = $this->conditions->getWhereClause($condition, $parameters);
         $sql = 'UPDATE "' . $tableName . '" SET ' . $updateColumns . $whereClause;
 
@@ -7,6 +7,7 @@
 use Tqdev\PhpCrudApi\Middleware\Communication\VariableStore;
 use Tqdev\PhpCrudApi\Middleware\Router\Router;
 use Tqdev\PhpCrudApi\Record\FilterInfo;
+use Tqdev\PhpCrudApi\Record\RequestUtils;
 use Tqdev\PhpCrudApi\Request;
 use Tqdev\PhpCrudApi\Response;
 
@@ -18,99 +19,70 @@ public function __construct(Router $router, Responder $responder, array $propert
     {
         parent::__construct($router, $responder, $properties);
         $this->reflection = $reflection;
+        $this->utils = new RequestUtils($reflection);
     }
 
-    private function handleColumns(String $method, String $path, String $databaseName, String $tableName) /*: void*/
+    private function handleColumns(String $operation, String $tableName) /*: void*/
     {
         $columnHandler = $this->getProperty('columnHandler', '');
         if ($columnHandler) {
             $table = $this->reflection->getTable($tableName);
             foreach ($table->columnNames() as $columnName) {
-                $allowed = call_user_func($columnHandler, $method, $path, $databaseName, $tableName, $columnName);
+                $allowed = call_user_func($columnHandler, $operation, $tableName, $columnName);
                 if (!$allowed) {
                     $this->reflection->removeColumn($tableName, $columnName);
                 }
             }
         }
     }
 
-    private function handleTable(String $method, String $path, String $databaseName, String $tableName) /*: void*/
+    private function handleTable(String $operation, String $tableName) /*: void*/
     {
         if (!$this->reflection->hasTable($tableName)) {
             return;
         }
         $tableHandler = $this->getProperty('tableHandler', '');
         if ($tableHandler) {
-            $allowed = call_user_func($tableHandler, $method, $path, $databaseName, $tableName);
+            $allowed = call_user_func($tableHandler, $operation, $tableName);
             if (!$allowed) {
                 $this->reflection->removeTable($tableName);
             } else {
-                $this->handleColumns($method, $path, $databaseName, $tableName);
+                $this->handleColumns($operation, $tableName);
             }
         }
     }
 
-    private function handleJoinTables(String $method, String $path, String $databaseName, array $joinParameters) /*: void*/
-    {
-        $uniqueTableNames = array();
-        foreach ($joinParameters as $joinParameter) {
-            $tableNames = explode(',', trim($joinParameter));
-            foreach ($tableNames as $tableName) {
-                $uniqueTableNames[$tableName] = true;
-            }
-        }
-        foreach (array_keys($uniqueTableNames) as $tableName) {
-            $this->handleTable($method, $path, $databaseName, trim($tableName));
-        }
-    }
-
-    private function handleAllTables(String $method, String $path, String $databaseName) /*: void*/
-    {
-        $tableNames = $this->reflection->getTableNames();
-        foreach ($tableNames as $tableName) {
-            $this->handleTable($method, $path, $databaseName, $tableName);
-        }
-    }
-
-    private function handleRecords(String $method, String $path, String $databaseName, String $tableName) /*: void*/
+    private function handleRecords(String $operation, String $tableName) /*: void*/
     {
         if (!$this->reflection->hasTable($tableName)) {
             return;
         }
         $recordHandler = $this->getProperty('recordHandler', '');
         if ($recordHandler) {
-            $query = call_user_func($recordHandler, $method, $path, $databaseName, $tableName);
+            $query = call_user_func($recordHandler, $operation, $tableName);
             $filters = new FilterInfo();
             $table = $this->reflection->getTable($tableName);
             $query = str_replace('][]=', ']=', str_replace('=', '[]=', $query));
             parse_str($query, $params);
             $condition = $filters->getCombinedConditions($table, $params);
-            VariableStore::set('authorization.condition', $condition);
+            VariableStore::set("authorization.conditions.$tableName", $condition);
         }
     }
 
     public function handle(Request $request): Response
     {
-        $method = $request->getMethod();
         $path = $request->getPathSegment(1);
-        $databaseName = $this->reflection->getDatabaseName();
-        if ($path == 'records') {
-            $tableName = $request->getPathSegment(2);
-            $this->handleTable($method, $path, $databaseName, $tableName);
-            $params = $request->getParams();
-            if (isset($params['join'])) {
-                $this->handleJoinTables($method, $path, $databaseName, $params['join']);
-            }
-            $this->handleRecords($method, $path, $databaseName, $tableName);
-        } elseif ($path == 'columns') {
-            $tableName = $request->getPathSegment(2);
-            if ($tableName) {
-                $this->handleTable($method, $path, $databaseName, $tableName);
-            } else {
-                $this->handleAllTables($method, $path, $databaseName);
+        $operation = $this->utils->getOperation($request);
+        $tableNames = $this->utils->getTableNames($request);
+        foreach ($tableNames as $tableName) {
+            $this->handleTable($operation, $tableName);
+            if ($path == 'records') {
+                $this->handleRecords($operation, $tableName);
             }
-        } elseif ($path == 'openapi') {
-            $this->handleAllTables($method, $path, $databaseName);
+        }
+        if ($path == 'openapi') {
+            VariableStore::set('authorization.tableHandler', $this->getProperty('tableHandler', ''));
+            VariableStore::set('authorization.columnHandler', $this->getProperty('columnHandler', ''));
         }
         return $this->next->handle($request);
     }
 
@@ -6,6 +6,7 @@
 use Tqdev\PhpCrudApi\Controller\Responder;
 use Tqdev\PhpCrudApi\Middleware\Base\Middleware;
 use Tqdev\PhpCrudApi\Middleware\Router\Router;
+use Tqdev\PhpCrudApi\Record\RequestUtils;
 use Tqdev\PhpCrudApi\Request;
 use Tqdev\PhpCrudApi\Response;
 
@@ -17,43 +18,43 @@ public function __construct(Router $router, Responder $responder, array $propert
     {
         parent::__construct($router, $responder, $properties);
         $this->reflection = $reflection;
+        $this->utils = new RequestUtils($reflection);
     }
 
-    private function callHandler($handler, $record, String $method, ReflectedTable $table) /*: object */
+    private function callHandler($handler, $record, String $operation, ReflectedTable $table) /*: object */
     {
         $context = (array) $record;
         $tableName = $table->getName();
         foreach ($context as $columnName => &$value) {
             if ($table->exists($columnName)) {
                 $column = $table->get($columnName);
-                $value = call_user_func($handler, $method, $tableName, $column->serialize(), $value);
+                $value = call_user_func($handler, $operation, $tableName, $column->serialize(), $value);
             }
         }
         return (object) $context;
     }
 
     public function handle(Request $request): Response
     {
-        $path = $request->getPathSegment(1);
-        $tableName = $request->getPathSegment(2);
-        $record = $request->getBody();
-        if ($path == 'records' && $this->reflection->hasTable($tableName) && $record !== null) {
-            $table = $this->reflection->getTable($tableName);
-            $method = $request->getMethod();
-            $handler = $this->getProperty('handler', '');
-            if ($handler !== '') {
-                if (is_array($record)) {
-                    foreach ($record as &$r) {
-                        $r = $this->callHandler($handler, $r, $method, $table);
+        $operation = $this->utils->getOperation($request);
+        if (in_array($operation, ['create', 'update', 'increment'])) {
+            $tableName = $request->getPathSegment(2);
+            if ($this->reflection->hasTable($tableName)) {
+                $record = $request->getBody();
+                if ($record !== null) {
+                    $handler = $this->getProperty('handler', '');
+                    if ($handler !== '') {
+                        $table = $this->reflection->getTable($tableName);
+                        if (is_array($record)) {
+                            foreach ($record as &$r) {
+                                $r = $this->callHandler($handler, $r, $operation, $table);
+                            }
+                        } else {
+                            $record = $this->callHandler($handler, $record, $operation, $table);
+                        }
+                        $request->setBody($record);
                     }
-                } else {
-                    $record = $this->callHandler($handler, $record, $method, $table);
                 }
-                $path = $request->getPath();
-                $query = urldecode(http_build_query($request->getParams()));
-                $headers = $request->getHeaders();
-                $body = json_encode($record);
-                $request = new Request($method, $path, $query, $headers, $body);
             }
         }
         return $this->next->handle($request);