+ @object.save!
+ show
+ end
+
+ def create
+ # Note: the user could specify a owner_uuid for a different user, which on
+ # the surface appears to be a security hole. However, the record will be
+ # rejected before being saved to the database by the ApiClientAuthorization
+ # model which enforces that user_id == current user or the user is an
+ # admin.
+
+ if resource_attrs[:owner_uuid]
+ # The model has an owner_id attribute instead of owner_uuid, but
+ # we can't expect the client to know the local numeric ID. We
+ # translate UUID to numeric ID here.
+ resource_attrs[:user_id] =
+ User.where(uuid: resource_attrs.delete(:owner_uuid)).first.andand.id
+ elsif not resource_attrs[:user_id]
+ resource_attrs[:user_id] = current_user.id
+ end
+ resource_attrs[:api_client_id] = Thread.current[:api_client].id
+ super