fun_with_json_api 0.0.5 → 0.0.6.pre.alpha.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1fac056055f69ea77d7b0b856c4902c84eb3ecec
-  data.tar.gz: 3642e68cfa8a87c5aef220af9a11ad9064a58802
+  metadata.gz: aa43a36433dec9d40e3a4afaad17becacfad028f
+  data.tar.gz: 468d6bda13144854fa1771a0e113e3d906a223f2
 SHA512:
-  metadata.gz: c8524bd26b6d0caa63b5ea4d5345e5e7ae9dd3a0f19a4cf51435e6332bf56886719c19dc2d45d9e84466567924990298caa40b33de2c0dfcbf186304a0003193
-  data.tar.gz: 6b021fc4bdaddabdc0b2d0df83032118fd50c092b39a2be541616654673732692351d59666bfbdaebeae7b6d25333df21aec6e4ca2d3149eeda771f5dfdc8b92
+  metadata.gz: 028179ff069e5a7130e78ca19208113d29b3c93fff1c437e56cf1355e76f53efd465800716502a1c5f1f580a51c4556f45855ed3d0925649d1436270043138c5
+  data.tar.gz: 5f17c1140f3ce92040c395f5f0f303b9ab5eeaac98c1b4bca61f1295aeffb6986f4cf5292b593cadaa8adbaa17d43985e95b353e9b82e4b376ff7151b790f5bf

data/config/locales/fun_with_json_api.en.yml

@@ -7,6 +7,7 @@ en:
       illegal_client_generated_identifier: 'Request json_api attempted to set an unsupported client-generated id'
       invalid_document_type: 'Request json_api data type does not match endpoint'
       missing_resource: 'Unable to find the requested resource'
+      unauthorized_resource: 'Unable to access the requested resource'
       invalid_attribute: 'Request json_api attribute data is invalid'
       unknown_attribute: 'Request json_api attribute is unsupported by the current endpoint'
       invalid_relationship: 'Request json_api relationship data is invalid'
@@ -34,7 +35,9 @@ en:
       invalid_document: "Expected data to be a Hash or null"
       invalid_document_type: "Expected data type to be a '%{resource}' resource"
       missing_resource: "Unable to find '%{resource}' with matching id: '%{resource_id}'"
+      unauthorized_resource: "Unable to assign the requested '%{resource}' (%{resource_id}) to the current resource"
     find_collection_from_document:
       invalid_document: "Expected data to be a Array of '%{resource}' resources"
       invalid_document_type: "Expected '%{type}' to be a '%{resource}' resource"
       missing_resource: "Unable to find '%{resource}' with matching id: '%{resource_id}'"
+      unauthorized_resource: "Unable to assign the requested '%{resource}' (%{resource_id}) to the current resource"

data/lib/fun_with_json_api/attributes/relationship.rb

@@ -29,9 +29,11 @@ module FunWithJsonApi
         end
 
         resource = deserializer.load_resource_from_id_value(id_value)
-        return resource.id if resource
+        raise build_missing_relationship_error(id_value) if resource.nil?
 
-        raise build_missing_relationship_error(id_value)
+        check_resource_is_authorized!(resource, id_value)
+
+        resource.id
       end
 
       # rubocop:disable Style/PredicateName
@@ -52,6 +54,12 @@ module FunWithJsonApi
 
       private
 
+      def check_resource_is_authorized!(resource, id_value)
+        SchemaValidators::CheckResourceIsAuthorised.call(
+          resource, id_value, deserializer, prefix: "/data/relationships/#{name}/data"
+        )
+      end
+
       def build_deserializer_from_options
         if @deserializer_class.respond_to?(:call)
           @deserializer_class.call
@@ -72,7 +80,7 @@ module FunWithJsonApi
       def build_missing_relationship_error(id_value, message = nil)
         message ||= missing_resource_debug_message(id_value)
         payload = ExceptionPayload.new
-        payload.pointer = "/data/relationships/#{name}/id"
+        payload.pointer = "/data/relationships/#{name}/data/id"
         payload.detail = "Unable to find '#{deserializer.type}' with matching id"\
                          ": #{id_value.inspect}"
         Exceptions::MissingRelationship.new(message, payload)

data/lib/fun_with_json_api/attributes/relationship_collection.rb

@@ -1,3 +1,5 @@
+require 'fun_with_json_api/schema_validators/check_collection_is_authorized'
+
 module FunWithJsonApi
   module Attributes
     class RelationshipCollection < FunWithJsonApi::Attribute
@@ -29,11 +31,10 @@ module FunWithJsonApi
         collection = deserializer.load_collection_from_id_values(values)
 
         # Ensure the collection size matches
-        expected_size = values.size
-        result_size = collection.size
-        if result_size != expected_size
-          raise build_missing_relationship_error_from_collection(collection, values)
-        end
+        check_collection_matches_values!(collection, values)
+
+        # Ensure the user is authorized to access the collection
+        check_collection_is_authorized!(collection, values)
 
         # Call ActiceRecord#pluck if it is available
         convert_collection_to_ids(collection)
@@ -72,6 +73,20 @@ module FunWithJsonApi
         end
       end
 
+      def check_collection_matches_values!(collection, values)
+        expected_size = values.size
+        result_size = collection.size
+        if result_size != expected_size
+          raise build_missing_relationship_error_from_collection(collection, values)
+        end
+      end
+
+      def check_collection_is_authorized!(collection, values)
+        SchemaValidators::CheckCollectionIsAuthorised.call(
+          collection, values, deserializer, prefix: "/data/relationships/#{name}/data"
+        )
+      end
+
       def convert_collection_to_ids(collection)
         if collection.respond_to? :pluck
           # Well... pluck+arel doesn't work with SQLite, but select at least is safe
@@ -105,7 +120,7 @@ module FunWithJsonApi
           next if collection_ids.include?(resource_id)
 
           ExceptionPayload.new.tap do |payload|
-            payload.pointer = "/data/relationships/#{name}/#{index}/id"
+            payload.pointer = "/data/relationships/#{name}/data/#{index}/id"
             payload.detail = "Unable to find '#{deserializer.type}' with matching id"\
                              ": \"#{resource_id}\""
           end

data/lib/fun_with_json_api/deserializer.rb

@@ -6,6 +6,13 @@ module FunWithJsonApi
   class Deserializer
     extend FunWithJsonApi::DeserializerClassMethods
 
+    # Fake resource_authorizer that always returns 'authorised'
+    class ResourceAuthorizerDummy
+      def call(_)
+        true
+      end
+    end
+
     # Creates a new instance of a
     def self.create(options = {})
       new(options)
@@ -16,7 +23,6 @@ module FunWithJsonApi
 
     attr_reader :id_param
     attr_reader :type
-    attr_reader :resource_class
 
     attr_reader :attributes
 
@@ -25,6 +31,7 @@ module FunWithJsonApi
       @type = options.fetch(:type) { self.class.type }
       @resource_class = options[:resource_class]
       @resource_collection = options[:resource_collection] if @type
+      @resource_authorizer = options[:resource_authorizer]
       load_attributes_from_options(options)
       load_relationships_from_options(options)
     end
@@ -59,6 +66,10 @@ module FunWithJsonApi
       @resource_collection ||= resource_class
     end
 
+    def resource_authorizer
+      @resource_authorizer ||= ResourceAuthorizerDummy.new
+    end
+
     def relationships
       relationship_lookup.values
     end

data/lib/fun_with_json_api/deserializer_class_methods.rb

@@ -25,9 +25,11 @@ module FunWithJsonApi
     # Attributes
 
     def attribute(name, options = {})
-      Attribute.create(name, options).tap do |attribute|
-        add_parse_attribute_method(attribute)
-        attributes << attribute
+      lock.synchronize do
+        Attribute.create(name, options).tap do |attribute|
+          add_parse_attribute_method(attribute)
+          attributes << attribute
+        end
       end
     end
 
@@ -38,26 +40,30 @@ module FunWithJsonApi
     # Relationships
 
     def belongs_to(name, deserializer_class_or_callable, options = {})
-      Attributes::Relationship.create(
-        name,
-        deserializer_class_or_callable,
-        options
-      ).tap do |relationship|
-        add_parse_resource_method(relationship)
-        relationships << relationship
+      lock.synchronize do
+        Attributes::Relationship.create(
+          name,
+          deserializer_class_or_callable,
+          options
+        ).tap do |relationship|
+          add_parse_resource_method(relationship)
+          relationships << relationship
+        end
       end
     end
 
     # rubocop:disable Style/PredicateName
 
     def has_many(name, deserializer_class_or_callable, options = {})
-      Attributes::RelationshipCollection.create(
-        name,
-        deserializer_class_or_callable,
-        options
-      ).tap do |relationship|
-        add_parse_resource_method(relationship)
-        relationships << relationship
+      lock.synchronize do
+        Attributes::RelationshipCollection.create(
+          name,
+          deserializer_class_or_callable,
+          options
+        ).tap do |relationship|
+          add_parse_resource_method(relationship)
+          relationships << relationship
+        end
       end
     end
 
@@ -80,6 +86,10 @@ module FunWithJsonApi
 
     private
 
+    def lock
+      @lock ||= Mutex.new
+    end
+
     def relationships
       @relationships ||= []
     end

data/lib/fun_with_json_api/exceptions/unauthorized_resource.rb

@@ -0,0 +1,16 @@
+module FunWithJsonApi
+  module Exceptions
+    # Indicates a Resource or Collection item not authorized
+    class UnauthorisedResource < FunWithJsonApi::Exception
+      def initialize(message, payload = ExceptionPayload.new)
+        payload = Array.wrap(payload).each do |unauthorized|
+          unauthorized.code ||= 'unauthorized_resource'
+          unauthorized.title ||=
+            I18n.t('unauthorized_resource', scope: 'fun_with_json_api.exceptions')
+          unauthorized.status ||= '403'
+        end
+        super
+      end
+    end
+  end
+end

data/lib/fun_with_json_api/find_collection_from_document.rb

@@ -1,3 +1,6 @@
+require 'fun_with_json_api/schema_validators/check_collection_is_authorized'
+require 'fun_with_json_api/schema_validators/check_collection_has_all_members'
+
 module FunWithJsonApi
   class FindCollectionFromDocument
     def self.find(*args)
@@ -27,6 +30,7 @@ module FunWithJsonApi
       # Load resource from id value
       deserializer.load_collection_from_id_values(document_ids).tap do |collection|
         check_collection_contains_all_requested_resources!(collection)
+        check_collection_is_authorised!(collection)
       end
     end
 
@@ -49,10 +53,11 @@ module FunWithJsonApi
     private
 
     def check_collection_contains_all_requested_resources!(collection)
-      if collection.size != document_ids.size
-        collection_ids = deserializer.format_collection_ids(collection)
-        raise build_missing_resources_error(collection_ids)
-      end
+      SchemaValidators::CheckCollectionHasAllMembers.call(collection, document_ids, deserializer)
+    end
+
+    def check_collection_is_authorised!(collection)
+      SchemaValidators::CheckCollectionIsAuthorised.call(collection, document_ids, deserializer)
     end
 
     def check_document_types_match_deserializer!
@@ -83,26 +88,6 @@ module FunWithJsonApi
       Exceptions::InvalidDocumentType.new(message, payload)
     end
 
-    def build_missing_resources_error(collection_ids)
-      payload = document_ids.each_with_index.map do |resource_id, index|
-        build_missing_resource_payload(collection_ids, resource_id, index)
-      end.reject(&:nil?)
-
-      missing_values = document_ids.reject { |value| collection_ids.include?(value.to_s) }
-      message = "Couldn't find #{resource_class} items with "\
-                "#{id_param} in #{missing_values.inspect}"
-      Exceptions::MissingResource.new(message, payload)
-    end
-
-    def build_missing_resource_payload(collection_ids, resource_id, index)
-      unless collection_ids.include?(resource_id)
-        ExceptionPayload.new(
-          pointer: "/data/#{index}/id",
-          detail: missing_resource_message(resource_id)
-        )
-      end
-    end
-
     def document_type_does_not_match_endpoint_message(type)
       I18n.t(
         :invalid_document_type,
@@ -111,14 +96,5 @@ module FunWithJsonApi
         scope: 'fun_with_json_api.find_collection_from_document'
       )
     end
-
-    def missing_resource_message(resource_id)
-      I18n.t(
-        :missing_resource,
-        resource: resource_type,
-        resource_id: resource_id,
-        scope: 'fun_with_json_api.find_collection_from_document'
-      )
-    end
   end
 end

data/lib/fun_with_json_api/find_resource_from_document.rb

@@ -24,9 +24,7 @@ module FunWithJsonApi
       raise build_invalid_document_type_error unless document_matches_resource_type?
 
       # Load resource from id value
-      deserializer.load_resource_from_id_value(document_id).tap do |resource|
-        raise build_missing_resource_error if resource.nil?
-      end
+      load_resource_and_check!
     end
 
     def document_id
@@ -57,6 +55,15 @@ module FunWithJsonApi
 
     private
 
+    def load_resource_and_check!
+      deserializer.load_resource_from_id_value(document_id).tap do |resource|
+        raise build_missing_resource_error if resource.nil?
+        FunWithJsonApi::SchemaValidators::CheckResourceIsAuthorised.call(
+          resource, document_id, deserializer
+        )
+      end
+    end
+
     def build_invalid_document_error
       payload = ExceptionPayload.new
       payload.pointer = '/data'

data/lib/fun_with_json_api/schema_validators/check_collection_has_all_members.rb

@@ -0,0 +1,67 @@
+require 'fun_with_json_api/exception'
+
+module FunWithJsonApi
+  module SchemaValidators
+    class CheckCollectionHasAllMembers
+      def self.call(*args)
+        new(*args).call
+      end
+
+      attr_reader :collection
+      attr_reader :document_ids
+      attr_reader :deserializer
+      attr_reader :prefix
+
+      delegate :id_param, :resource_class, to: :deserializer
+
+      def initialize(collection, document_ids, deserializer, prefix: '/data')
+        @collection = collection
+        @document_ids = document_ids
+        @deserializer = deserializer
+        @prefix = prefix
+      end
+
+      def call
+        if collection.size != document_ids.size
+          collection_ids = deserializer.format_collection_ids(collection)
+          raise build_missing_resources_error(collection_ids)
+        end
+      end
+
+      def resource_type
+        deserializer.type
+      end
+
+      private
+
+      def build_missing_resources_error(collection_ids)
+        payload = document_ids.each_with_index.map do |resource_id, index|
+          build_missing_resource_payload(collection_ids, resource_id, index)
+        end.reject(&:nil?)
+
+        missing_values = document_ids.reject { |value| collection_ids.include?(value.to_s) }
+        message = "Couldn't find #{resource_class} items with "\
+                  "#{id_param} in #{missing_values.inspect}"
+        Exceptions::MissingResource.new(message, payload)
+      end
+
+      def build_missing_resource_payload(collection_ids, resource_id, index)
+        unless collection_ids.include?(resource_id)
+          ExceptionPayload.new(
+            pointer: "#{prefix}/#{index}/id",
+            detail: missing_resource_message(resource_id)
+          )
+        end
+      end
+
+      def missing_resource_message(resource_id)
+        I18n.t(
+          :missing_resource,
+          resource: resource_type,
+          resource_id: resource_id,
+          scope: 'fun_with_json_api.find_collection_from_document'
+        )
+      end
+    end
+  end
+end

data/lib/fun_with_json_api/schema_validators/check_collection_is_authorized.rb

@@ -0,0 +1,63 @@
+require 'fun_with_json_api/exception'
+
+module FunWithJsonApi
+  module SchemaValidators
+    class CheckCollectionIsAuthorised
+      def self.call(*args)
+        new(*args).call
+      end
+
+      attr_reader :collection
+      attr_reader :collection_ids
+      attr_reader :deserializer
+      attr_reader :prefix
+
+      delegate :resource_class,
+               to: :deserializer
+
+      def initialize(collection, collection_ids, deserializer, prefix: '/data')
+        @collection = collection
+        @collection_ids = collection_ids
+        @deserializer = deserializer
+        @prefix = prefix
+      end
+
+      def call
+        payload = collection.each_with_index.map do |resource, index|
+          build_unauthorized_resource_payload(resource, index)
+        end.reject(&:nil?)
+
+        return if payload.empty?
+
+        raise Exceptions::UnauthorisedResource.new(
+          "resource_authorizer method for one or more '#{deserializer.type}' items returned false",
+          payload
+        )
+      end
+
+      def resource_type
+        deserializer.type
+      end
+
+      private
+
+      def build_unauthorized_resource_payload(resource, index)
+        unless deserializer.resource_authorizer.call(resource)
+          ExceptionPayload.new(
+            pointer: "#{prefix}/#{index}/id",
+            detail: unauthorized_resource_message(collection_ids[index])
+          )
+        end
+      end
+
+      def unauthorized_resource_message(resource_id)
+        I18n.t(
+          :unauthorized_resource,
+          resource: resource_type,
+          resource_id: resource_id,
+          scope: 'fun_with_json_api.find_collection_from_document'
+        )
+      end
+    end
+  end
+end