fun_with_json_api 0.0.5 → 0.0.6.pre.alpha.1

data/spec/fun_with_json_api/deserializer_spec.rb

@@ -458,7 +458,7 @@ describe FunWithJsonApi::Deserializer do
           expect(payload.status).to eq '404'
           expect(payload.code).to eq 'missing_relationship'
           expect(payload.title).to eq 'Unable to find the requested relationship'
-          expect(payload.pointer).to eq '/data/relationships/example/id'
+          expect(payload.pointer).to eq '/data/relationships/example/data/id'
           expect(payload.detail).to eq "Unable to find 'persons' with matching id: \"foobar\""
         end
       end
@@ -495,12 +495,54 @@ describe FunWithJsonApi::Deserializer do
         end.create
       end
 
-      it 'finds a resource by the defined id_param and returns the resource id' do
-        author_a = ARModels::Author.create(id: 1, code: 'foobar')
-        author_b = ARModels::Author.create(id: 2, code: 'blargh')
-        expect(deserializer.parse_example_ids(%w(foobar blargh))).to eq(
-          [author_a.id, author_b.id]
-        )
+      context 'with multiple resources' do
+        let!(:author_a) { ARModels::Author.create(id: 1, code: 'foobar') }
+        let!(:author_b) { ARModels::Author.create(id: 2, code: 'blargh') }
+
+        context 'when all resources are authorised' do
+          before do
+            resource_authorizer = double(:resource_authorizer)
+            allow(resource_authorizer).to receive(:call).and_return(true)
+            allow(deserializer.relationship_for(:examples).deserializer).to(
+              receive(:resource_authorizer).and_return(resource_authorizer)
+            )
+          end
+
+          it 'finds a resource by the defined id_param and returns the resource id' do
+            expect(deserializer.parse_example_ids(%w(foobar blargh))).to eq(
+              [author_a.id, author_b.id]
+            )
+          end
+        end
+
+        context 'when a resource is not authorised' do
+          before do
+            resource_authorizer = double(:resource_authorizer)
+            allow(resource_authorizer).to receive(:call).and_return(false)
+            allow(resource_authorizer).to receive(:call).with(author_b).and_return(false)
+            allow(resource_authorizer).to receive(:call).with(author_a).and_return(true)
+            allow(deserializer.relationship_for(:examples).deserializer).to(
+              receive(:resource_authorizer).and_return(resource_authorizer)
+            )
+          end
+
+          it 'raises a UnauthorisedResource when unable to find a single resource' do
+            expect do
+              deserializer.parse_example_ids %w(foobar blargh)
+            end.to raise_error(FunWithJsonApi::Exceptions::UnauthorisedResource) do |e|
+              expect(e.payload.size).to eq 1
+
+              payload = e.payload.first
+              expect(payload.status).to eq '403'
+              expect(payload.code).to eq 'unauthorized_resource'
+              expect(payload.title).to eq 'Unable to access the requested resource'
+              expect(payload.pointer).to eq '/data/relationships/examples/data/1/id'
+              expect(payload.detail).to eq(
+                "Unable to assign the requested 'persons' (blargh) to the current resource"
+              )
+            end
+          end
+        end
       end
 
       it 'raises a MissingRelationship when unable to find a single resource' do
@@ -516,7 +558,7 @@ describe FunWithJsonApi::Deserializer do
           expect(payload.status).to eq '404'
           expect(payload.code).to eq 'missing_relationship'
           expect(payload.title).to eq 'Unable to find the requested relationship'
-          expect(payload.pointer).to eq '/data/relationships/examples/1/id'
+          expect(payload.pointer).to eq '/data/relationships/examples/data/1/id'
           expect(payload.detail).to eq "Unable to find 'persons' with matching id: \"blargh\""
         end
       end
@@ -534,14 +576,14 @@ describe FunWithJsonApi::Deserializer do
           expect(payload_a.status).to eq '404'
           expect(payload_a.code).to eq 'missing_relationship'
           expect(payload_a.title).to eq 'Unable to find the requested relationship'
-          expect(payload_a.pointer).to eq '/data/relationships/examples/0/id'
+          expect(payload_a.pointer).to eq '/data/relationships/examples/data/0/id'
           expect(payload_a.detail).to eq "Unable to find 'persons' with matching id: \"foobar\""
 
           payload_b = e.payload.last
           expect(payload_b.status).to eq '404'
           expect(payload_b.code).to eq 'missing_relationship'
           expect(payload_b.title).to eq 'Unable to find the requested relationship'
-          expect(payload_b.pointer).to eq '/data/relationships/examples/1/id'
+          expect(payload_b.pointer).to eq '/data/relationships/examples/data/1/id'
           expect(payload_b.detail).to eq "Unable to find 'persons' with matching id: \"blargh\""
         end
       end

data/spec/fun_with_json_api/find_collection_from_document_spec.rb

@@ -19,8 +19,41 @@ describe FunWithJsonApi::FindCollectionFromDocument do
               .and_return([resource])
           end
 
-          it 'returns the resource in a array' do
-            expect(subject).to eq [resource]
+          context 'when the resource is authorised' do
+            before do
+              resource_authorizer = double(:resource_authorizer)
+              allow(resource_authorizer).to receive(:call).with(resource).and_return(true)
+              allow(deserializer).to receive(:resource_authorizer).and_return(resource_authorizer)
+            end
+
+            it 'returns the resource in a array' do
+              expect(subject).to eq [resource]
+            end
+          end
+
+          context 'when the resource is unauthorised' do
+            before do
+              resource_authorizer = double(:resource_authorizer)
+              allow(resource_authorizer).to receive(:call).with(resource).and_return(false)
+              allow(deserializer).to receive(:resource_authorizer).and_return(resource_authorizer)
+            end
+
+            it 'raises a UnauthorisedResource error' do
+              expect do
+                subject
+              end.to raise_error(FunWithJsonApi::Exceptions::UnauthorisedResource) do |e|
+                expect(e.payload.size).to eq 1
+
+                payload = e.payload.first
+                expect(payload.status).to eq '403'
+                expect(payload.code).to eq 'unauthorized_resource'
+                expect(payload.title).to eq 'Unable to access the requested resource'
+                expect(payload.detail).to eq(
+                  "Unable to assign the requested 'person' (42) to the current resource"
+                )
+                expect(payload.pointer).to eq '/data/0/id'
+              end
+            end
           end
         end
 
@@ -74,8 +107,53 @@ describe FunWithJsonApi::FindCollectionFromDocument do
               .and_return([resource_a, resource_b, resource_c])
           end
 
-          it 'returns all resources in a array' do
-            expect(subject).to eq [resource_a, resource_b, resource_c]
+          context 'when all resources are authorised' do
+            before do
+              resource_authorizer = double(:resource_authorizer)
+              [resource_a, resource_b, resource_c].each do |resource|
+                allow(resource_authorizer).to receive(:call).with(resource).and_return(true)
+              end
+              allow(deserializer).to receive(:resource_authorizer).and_return(resource_authorizer)
+            end
+
+            it 'returns all resources in a array' do
+              expect(subject).to eq [resource_a, resource_b, resource_c]
+            end
+          end
+
+          context 'when there are unauthorised resources' do
+            before do
+              resource_authorizer = double(:resource_authorizer)
+              allow(resource_authorizer).to receive(:call).and_return(false)
+              allow(resource_authorizer).to receive(:call).with(resource_b).and_return(true)
+              allow(deserializer).to receive(:resource_authorizer).and_return(resource_authorizer)
+            end
+
+            it 'raises a UnauthorisedResource error' do
+              expect do
+                subject
+              end.to raise_error(FunWithJsonApi::Exceptions::UnauthorisedResource) do |e|
+                expect(e.payload.size).to eq 2
+
+                payload = e.payload.first
+                expect(payload.status).to eq '403'
+                expect(payload.code).to eq 'unauthorized_resource'
+                expect(payload.title).to eq 'Unable to access the requested resource'
+                expect(payload.detail).to eq(
+                  "Unable to assign the requested 'person' (42) to the current resource"
+                )
+                expect(payload.pointer).to eq '/data/0/id'
+
+                payload = e.payload.second
+                expect(payload.status).to eq '403'
+                expect(payload.code).to eq 'unauthorized_resource'
+                expect(payload.title).to eq 'Unable to access the requested resource'
+                expect(payload.detail).to eq(
+                  "Unable to assign the requested 'person' (44) to the current resource"
+                )
+                expect(payload.pointer).to eq '/data/2/id'
+              end
+            end
           end
         end
 

data/spec/fun_with_json_api/find_resource_from_document_spec.rb

@@ -19,10 +19,44 @@ describe FunWithJsonApi::FindResourceFromDocument do
               .and_return(resource)
           end
 
-          it 'returns the resource' do
-            expect(subject).to eq resource
+          context 'when the resource is authorised' do
+            before do
+              resource_authorizer = double(:resource_authorizer)
+              allow(resource_authorizer).to receive(:call).with(resource).and_return(true)
+              allow(deserializer).to receive(:resource_authorizer).and_return(resource_authorizer)
+            end
+
+            it 'returns the resource' do
+              expect(subject).to eq resource
+            end
+          end
+
+          context 'when the resource is unauthorised' do
+            before do
+              resource_authorizer = double(:resource_authorizer)
+              allow(resource_authorizer).to receive(:call).with(resource).and_return(false)
+              allow(deserializer).to receive(:resource_authorizer).and_return(resource_authorizer)
+            end
+
+            it 'raises a UnauthorisedResource error' do
+              expect do
+                subject
+              end.to raise_error(FunWithJsonApi::Exceptions::UnauthorisedResource) do |e|
+                expect(e.payload.size).to eq 1
+
+                payload = e.payload.first
+                expect(payload.status).to eq '403'
+                expect(payload.code).to eq 'unauthorized_resource'
+                expect(payload.title).to eq 'Unable to access the requested resource'
+                expect(payload.detail).to eq(
+                  "Unable to assign the requested 'person' (42) to the current resource"
+                )
+                expect(payload.pointer).to eq '/data/id'
+              end
+            end
           end
         end
+
         context 'when a resource cannot be found' do
           let!(:resource) { double('resource') }
           before do

data/spec/fun_with_json_api/schema_validators/check_relationships_spec.rb

@@ -45,7 +45,7 @@ describe FunWithJsonApi::SchemaValidators::CheckRelationships do
 
               payload = e.payload.first
               expect(payload.code).to eq 'invalid_relationship_type'
-              expect(payload.pointer).to eq '/data/relationships/foobar/type'
+              expect(payload.pointer).to eq '/data/relationships/foobar/data/type'
               expect(payload.title).to eq(
                 'Request json_api relationship type does not match expected resource'
               )
@@ -97,7 +97,7 @@ describe FunWithJsonApi::SchemaValidators::CheckRelationships do
 
               payload = e.payload.first
               expect(payload.code).to eq 'invalid_relationship_type'
-              expect(payload.pointer).to eq '/data/relationships/foobar/0/type'
+              expect(payload.pointer).to eq '/data/relationships/foobar/data/0/type'
               expect(payload.title).to eq(
                 'Request json_api relationship type does not match expected resource'
               )

data/spec/fun_with_json_api_spec.rb

@@ -127,6 +127,74 @@ describe FunWithJsonApi do
           comment_ids: [5, 12]
         )
       end
+      it 'allows for a relationship resource to be authorized' do
+        post = ARModels::Post.create(id: 1)
+        ARModels::Author.create(id: 9)
+
+        post_json = {
+          'data': {
+            'type': 'posts',
+            'id': '1',
+            'relationships': {
+              'author': {
+                'data': { 'type': 'person', 'id': '9' }
+              }
+            }
+          }
+        }
+
+        expect do
+          described_class.deserialize(
+            post_json,
+            ARModels::PostDeserializer,
+            post,
+            author: { resource_authorizer: ->(author) { author.id != 9 } }
+          )
+        end.to raise_error(FunWithJsonApi::Exceptions::UnauthorisedResource) do |e|
+          expect(e.payload.size).to eq 1
+          expect(e.payload.first.pointer).to eq '/data/relationships/author/data/id'
+        end
+      end
+      it 'allows for relationship collections to be authorized' do
+        post = ARModels::Post.create(id: 1)
+        ARModels::Author.create(id: 9)
+        ARModels::Comment.create(id: 5, contents: 'Blargh')
+        ARModels::Comment.create(id: 12, contents: 'Foobar')
+
+        post_json = {
+          'data': {
+            'type': 'posts',
+            'id': '1',
+            'attributes': {
+              'title': 'Rails is Omakase',
+              'body': 'This is my post body'
+            },
+            'relationships': {
+              'author': {
+                'data': { 'type': 'person', 'id': '9' }
+              },
+              'comments': {
+                'data': [
+                  { 'type': 'comments', 'id': '5' },
+                  { 'type': 'comments', 'id': '12' }
+                ]
+              }
+            }
+          }
+        }
+
+        expect do
+          described_class.deserialize(
+            post_json,
+            ARModels::PostDeserializer,
+            post,
+            comments: { resource_authorizer: ->(comment) { comment.contents == 'Foobar' } }
+          )
+        end.to raise_error(FunWithJsonApi::Exceptions::UnauthorisedResource) do |e|
+          expect(e.payload.size).to eq 1
+          expect(e.payload.first.pointer).to eq '/data/relationships/comments/data/0/id'
+        end
+      end
     end
   end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fun_with_json_api
 version: !ruby/object:Gem::Version
-  version: 0.0.5
+  version: 0.0.6.pre.alpha.1
 platform: ruby
 authors:
 - Ben Morrall
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-03-29 00:00:00.000000000 Z
+date: 2016-03-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -178,6 +178,7 @@ files:
 - lib/fun_with_json_api/exceptions/invalid_relationship_type.rb
 - lib/fun_with_json_api/exceptions/missing_relationship.rb
 - lib/fun_with_json_api/exceptions/missing_resource.rb
+- lib/fun_with_json_api/exceptions/unauthorized_resource.rb
 - lib/fun_with_json_api/exceptions/unknown_attribute.rb
 - lib/fun_with_json_api/exceptions/unknown_relationship.rb
 - lib/fun_with_json_api/find_collection_from_document.rb
@@ -186,9 +187,12 @@ files:
 - lib/fun_with_json_api/railtie.rb
 - lib/fun_with_json_api/schema_validator.rb
 - lib/fun_with_json_api/schema_validators/check_attributes.rb
+- lib/fun_with_json_api/schema_validators/check_collection_has_all_members.rb
+- lib/fun_with_json_api/schema_validators/check_collection_is_authorized.rb
 - lib/fun_with_json_api/schema_validators/check_document_id_matches_resource.rb
 - lib/fun_with_json_api/schema_validators/check_document_type_matches_resource.rb
 - lib/fun_with_json_api/schema_validators/check_relationships.rb
+- lib/fun_with_json_api/schema_validators/check_resource_is_authorized.rb
 - lib/fun_with_json_api/version.rb
 - lib/tasks/fun_with_json_api_tasks.rake
 - spec/dummy/README.rdoc
@@ -257,9 +261,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: 
 rubygems_version: 2.5.2