RubyGems - fun_with_json_api - Versions diffs - 0.0.5 → 0.0.6.pre.alpha.1 - Mend

fun_with_json_api 0.0.5 → 0.0.6.pre.alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1fac056055f69ea77d7b0b856c4902c84eb3ecec
-  data.tar.gz: 3642e68cfa8a87c5aef220af9a11ad9064a58802
+  metadata.gz: aa43a36433dec9d40e3a4afaad17becacfad028f
+  data.tar.gz: 468d6bda13144854fa1771a0e113e3d906a223f2
 SHA512:
-  metadata.gz: c8524bd26b6d0caa63b5ea4d5345e5e7ae9dd3a0f19a4cf51435e6332bf56886719c19dc2d45d9e84466567924990298caa40b33de2c0dfcbf186304a0003193
-  data.tar.gz: 6b021fc4bdaddabdc0b2d0df83032118fd50c092b39a2be541616654673732692351d59666bfbdaebeae7b6d25333df21aec6e4ca2d3149eeda771f5dfdc8b92
+  metadata.gz: 028179ff069e5a7130e78ca19208113d29b3c93fff1c437e56cf1355e76f53efd465800716502a1c5f1f580a51c4556f45855ed3d0925649d1436270043138c5
+  data.tar.gz: 5f17c1140f3ce92040c395f5f0f303b9ab5eeaac98c1b4bca61f1295aeffb6986f4cf5292b593cadaa8adbaa17d43985e95b353e9b82e4b376ff7151b790f5bf

data/config/locales/fun_with_json_api.en.yml CHANGED

@@ -7,6 +7,7 @@ en:
       illegal_client_generated_identifier: 'Request json_api attempted to set an unsupported client-generated id'
       invalid_document_type: 'Request json_api data type does not match endpoint'
       missing_resource: 'Unable to find the requested resource'
+      unauthorized_resource: 'Unable to access the requested resource'
       invalid_attribute: 'Request json_api attribute data is invalid'
       unknown_attribute: 'Request json_api attribute is unsupported by the current endpoint'
       invalid_relationship: 'Request json_api relationship data is invalid'
@@ -34,7 +35,9 @@ en:
       invalid_document: "Expected data to be a Hash or null"
       invalid_document_type: "Expected data type to be a '%{resource}' resource"
       missing_resource: "Unable to find '%{resource}' with matching id: '%{resource_id}'"
+      unauthorized_resource: "Unable to assign the requested '%{resource}' (%{resource_id}) to the current resource"
     find_collection_from_document:
       invalid_document: "Expected data to be a Array of '%{resource}' resources"
       invalid_document_type: "Expected '%{type}' to be a '%{resource}' resource"
       missing_resource: "Unable to find '%{resource}' with matching id: '%{resource_id}'"
+      unauthorized_resource: "Unable to assign the requested '%{resource}' (%{resource_id}) to the current resource"

data/lib/fun_with_json_api/attributes/relationship.rb CHANGED

@@ -29,9 +29,11 @@ module FunWithJsonApi
         end
         resource = deserializer.load_resource_from_id_value(id_value)
-        return resource.id if resource
+        raise build_missing_relationship_error(id_value) if resource.nil?
-        raise build_missing_relationship_error(id_value)
+        check_resource_is_authorized!(resource, id_value)
+        resource.id
       end
       # rubocop:disable Style/PredicateName
@@ -52,6 +54,12 @@ module FunWithJsonApi
       private
+      def check_resource_is_authorized!(resource, id_value)
+        SchemaValidators::CheckResourceIsAuthorised.call(
+          resource, id_value, deserializer, prefix: "/data/relationships/#{name}/data"
+        )
+      end
       def build_deserializer_from_options
         if @deserializer_class.respond_to?(:call)
           @deserializer_class.call
@@ -72,7 +80,7 @@ module FunWithJsonApi
       def build_missing_relationship_error(id_value, message = nil)
         message ||= missing_resource_debug_message(id_value)
         payload = ExceptionPayload.new
-        payload.pointer = "/data/relationships/#{name}/id"
+        payload.pointer = "/data/relationships/#{name}/data/id"
         payload.detail = "Unable to find '#{deserializer.type}' with matching id"\
                          ": #{id_value.inspect}"
         Exceptions::MissingRelationship.new(message, payload)

data/lib/fun_with_json_api/attributes/relationship_collection.rb CHANGED

@@ -1,3 +1,5 @@
+require 'fun_with_json_api/schema_validators/check_collection_is_authorized'
 module FunWithJsonApi
   module Attributes
     class RelationshipCollection < FunWithJsonApi::Attribute
@@ -29,11 +31,10 @@ module FunWithJsonApi
         collection = deserializer.load_collection_from_id_values(values)
         # Ensure the collection size matches
-        expected_size = values.size
-        result_size = collection.size
-        if result_size != expected_size
-          raise build_missing_relationship_error_from_collection(collection, values)
-        end
+        check_collection_matches_values!(collection, values)
+        # Ensure the user is authorized to access the collection
+        check_collection_is_authorized!(collection, values)
         # Call ActiceRecord#pluck if it is available
         convert_collection_to_ids(collection)
@@ -72,6 +73,20 @@ module FunWithJsonApi
         end
       end
+      def check_collection_matches_values!(collection, values)
+        expected_size = values.size
+        result_size = collection.size
+        if result_size != expected_size
+          raise build_missing_relationship_error_from_collection(collection, values)
+        end
+      end
+      def check_collection_is_authorized!(collection, values)
+        SchemaValidators::CheckCollectionIsAuthorised.call(
+          collection, values, deserializer, prefix: "/data/relationships/#{name}/data"
+        )
+      end
       def convert_collection_to_ids(collection)
         if collection.respond_to? :pluck
           # Well... pluck+arel doesn't work with SQLite, but select at least is safe
@@ -105,7 +120,7 @@ module FunWithJsonApi
           next if collection_ids.include?(resource_id)
           ExceptionPayload.new.tap do |payload|
-            payload.pointer = "/data/relationships/#{name}/#{index}/id"
+            payload.pointer = "/data/relationships/#{name}/data/#{index}/id"
             payload.detail = "Unable to find '#{deserializer.type}' with matching id"\
                              ": \"#{resource_id}\""
           end

data/lib/fun_with_json_api/deserializer.rb CHANGED

@@ -6,6 +6,13 @@ module FunWithJsonApi
   class Deserializer
     extend FunWithJsonApi::DeserializerClassMethods
+    # Fake resource_authorizer that always returns 'authorised'
+    class ResourceAuthorizerDummy
+      def call(_)
+        true
+      end
+    end
     # Creates a new instance of a
     def self.create(options = {})
       new(options)
@@ -16,7 +23,6 @@ module FunWithJsonApi
     attr_reader :id_param
     attr_reader :type
-    attr_reader :resource_class
     attr_reader :attributes
@@ -25,6 +31,7 @@ module FunWithJsonApi
       @type = options.fetch(:type) { self.class.type }
       @resource_class = options[:resource_class]
       @resource_collection = options[:resource_collection] if @type
+      @resource_authorizer = options[:resource_authorizer]
       load_attributes_from_options(options)
       load_relationships_from_options(options)
     end
@@ -59,6 +66,10 @@ module FunWithJsonApi
       @resource_collection ||= resource_class
     end
+    def resource_authorizer
+      @resource_authorizer ||= ResourceAuthorizerDummy.new
+    end
     def relationships
       relationship_lookup.values
     end

data/lib/fun_with_json_api/deserializer_class_methods.rb CHANGED

@@ -25,9 +25,11 @@ module FunWithJsonApi
     # Attributes
     def attribute(name, options = {})
-      Attribute.create(name, options).tap do |attribute|
-        add_parse_attribute_method(attribute)
-        attributes << attribute
+      lock.synchronize do
+        Attribute.create(name, options).tap do |attribute|
+          add_parse_attribute_method(attribute)
+          attributes << attribute
+        end
       end
     end
@@ -38,26 +40,30 @@ module FunWithJsonApi
     # Relationships
     def belongs_to(name, deserializer_class_or_callable, options = {})
-      Attributes::Relationship.create(
-        name,
-        deserializer_class_or_callable,
-        options
-      ).tap do |relationship|
-        add_parse_resource_method(relationship)
-        relationships << relationship
+      lock.synchronize do
+        Attributes::Relationship.create(
+          name,
+          deserializer_class_or_callable,
+          options
+        ).tap do |relationship|
+          add_parse_resource_method(relationship)
+          relationships << relationship
+        end
       end
     end
     # rubocop:disable Style/PredicateName
     def has_many(name, deserializer_class_or_callable, options = {})
-      Attributes::RelationshipCollection.create(
-        name,
-        deserializer_class_or_callable,
-        options
-      ).tap do |relationship|
-        add_parse_resource_method(relationship)
-        relationships << relationship
+      lock.synchronize do
+        Attributes::RelationshipCollection.create(
+          name,
+          deserializer_class_or_callable,
+          options
+        ).tap do |relationship|
+          add_parse_resource_method(relationship)
+          relationships << relationship
+        end
       end
     end
@@ -80,6 +86,10 @@ module FunWithJsonApi
     private
+    def lock
+      @lock ||= Mutex.new
+    end
     def relationships
       @relationships ||= []
     end

data/lib/fun_with_json_api/exceptions/unauthorized_resource.rb ADDED

@@ -0,0 +1,16 @@
+module FunWithJsonApi
+  module Exceptions
+    # Indicates a Resource or Collection item not authorized
+    class UnauthorisedResource < FunWithJsonApi::Exception
+      def initialize(message, payload = ExceptionPayload.new)
+        payload = Array.wrap(payload).each do |unauthorized|
+          unauthorized.code ||= 'unauthorized_resource'
+          unauthorized.title ||=
+            I18n.t('unauthorized_resource', scope: 'fun_with_json_api.exceptions')
+          unauthorized.status ||= '403'
+        end
+        super
+      end
+    end
+  end
+end

data/lib/fun_with_json_api/find_collection_from_document.rb CHANGED

@@ -1,3 +1,6 @@
+require 'fun_with_json_api/schema_validators/check_collection_is_authorized'
+require 'fun_with_json_api/schema_validators/check_collection_has_all_members'
 module FunWithJsonApi
   class FindCollectionFromDocument
     def self.find(*args)
@@ -27,6 +30,7 @@ module FunWithJsonApi
       # Load resource from id value
       deserializer.load_collection_from_id_values(document_ids).tap do |collection|
         check_collection_contains_all_requested_resources!(collection)
+        check_collection_is_authorised!(collection)
       end
     end
@@ -49,10 +53,11 @@ module FunWithJsonApi
     private
     def check_collection_contains_all_requested_resources!(collection)
-      if collection.size != document_ids.size
-        collection_ids = deserializer.format_collection_ids(collection)
-        raise build_missing_resources_error(collection_ids)
-      end
+      SchemaValidators::CheckCollectionHasAllMembers.call(collection, document_ids, deserializer)
+    end
+    def check_collection_is_authorised!(collection)
+      SchemaValidators::CheckCollectionIsAuthorised.call(collection, document_ids, deserializer)
     end
     def check_document_types_match_deserializer!
@@ -83,26 +88,6 @@ module FunWithJsonApi
       Exceptions::InvalidDocumentType.new(message, payload)
     end
-    def build_missing_resources_error(collection_ids)
-      payload = document_ids.each_with_index.map do |resource_id, index|
-        build_missing_resource_payload(collection_ids, resource_id, index)
-      end.reject(&:nil?)
-      missing_values = document_ids.reject { |value| collection_ids.include?(value.to_s) }
-      message = "Couldn't find #{resource_class} items with "\
-                "#{id_param} in #{missing_values.inspect}"
-      Exceptions::MissingResource.new(message, payload)
-    end
-    def build_missing_resource_payload(collection_ids, resource_id, index)
-      unless collection_ids.include?(resource_id)
-        ExceptionPayload.new(
-          pointer: "/data/#{index}/id",
-          detail: missing_resource_message(resource_id)
-        )
-      end
-    end
     def document_type_does_not_match_endpoint_message(type)
       I18n.t(
         :invalid_document_type,
@@ -111,14 +96,5 @@ module FunWithJsonApi
         scope: 'fun_with_json_api.find_collection_from_document'
       )
     end
-    def missing_resource_message(resource_id)
-      I18n.t(
-        :missing_resource,
-        resource: resource_type,
-        resource_id: resource_id,
-        scope: 'fun_with_json_api.find_collection_from_document'
-      )
-    end
   end
 end

data/lib/fun_with_json_api/find_resource_from_document.rb CHANGED

@@ -24,9 +24,7 @@ module FunWithJsonApi
       raise build_invalid_document_type_error unless document_matches_resource_type?
       # Load resource from id value
-      deserializer.load_resource_from_id_value(document_id).tap do |resource|
-        raise build_missing_resource_error if resource.nil?
-      end
+      load_resource_and_check!
     end
     def document_id
@@ -57,6 +55,15 @@ module FunWithJsonApi
     private
+    def load_resource_and_check!
+      deserializer.load_resource_from_id_value(document_id).tap do |resource|
+        raise build_missing_resource_error if resource.nil?
+        FunWithJsonApi::SchemaValidators::CheckResourceIsAuthorised.call(
+          resource, document_id, deserializer
+        )
+      end
+    end
     def build_invalid_document_error
       payload = ExceptionPayload.new
       payload.pointer = '/data'

data/lib/fun_with_json_api/schema_validators/check_collection_has_all_members.rb ADDED

@@ -0,0 +1,67 @@
+require 'fun_with_json_api/exception'
+module FunWithJsonApi
+  module SchemaValidators
+    class CheckCollectionHasAllMembers
+      def self.call(*args)
+        new(*args).call
+      end
+      attr_reader :collection
+      attr_reader :document_ids
+      attr_reader :deserializer
+      attr_reader :prefix
+      delegate :id_param, :resource_class, to: :deserializer
+      def initialize(collection, document_ids, deserializer, prefix: '/data')
+        @collection = collection
+        @document_ids = document_ids
+        @deserializer = deserializer
+        @prefix = prefix
+      end
+      def call
+        if collection.size != document_ids.size
+          collection_ids = deserializer.format_collection_ids(collection)
+          raise build_missing_resources_error(collection_ids)
+        end
+      end
+      def resource_type
+        deserializer.type
+      end
+      private
+      def build_missing_resources_error(collection_ids)
+        payload = document_ids.each_with_index.map do |resource_id, index|
+          build_missing_resource_payload(collection_ids, resource_id, index)
+        end.reject(&:nil?)
+        missing_values = document_ids.reject { |value| collection_ids.include?(value.to_s) }
+        message = "Couldn't find #{resource_class} items with "\
+                  "#{id_param} in #{missing_values.inspect}"
+        Exceptions::MissingResource.new(message, payload)
+      end
+      def build_missing_resource_payload(collection_ids, resource_id, index)
+        unless collection_ids.include?(resource_id)
+          ExceptionPayload.new(
+            pointer: "#{prefix}/#{index}/id",
+            detail: missing_resource_message(resource_id)
+          )
+        end
+      end
+      def missing_resource_message(resource_id)
+        I18n.t(
+          :missing_resource,
+          resource: resource_type,
+          resource_id: resource_id,
+          scope: 'fun_with_json_api.find_collection_from_document'
+        )
+      end
+    end
+  end
+end

data/lib/fun_with_json_api/schema_validators/check_collection_is_authorized.rb ADDED

@@ -0,0 +1,63 @@
+require 'fun_with_json_api/exception'
+module FunWithJsonApi
+  module SchemaValidators
+    class CheckCollectionIsAuthorised
+      def self.call(*args)
+        new(*args).call
+      end
+      attr_reader :collection
+      attr_reader :collection_ids
+      attr_reader :deserializer
+      attr_reader :prefix
+      delegate :resource_class,
+               to: :deserializer
+      def initialize(collection, collection_ids, deserializer, prefix: '/data')
+        @collection = collection
+        @collection_ids = collection_ids
+        @deserializer = deserializer
+        @prefix = prefix
+      end
+      def call
+        payload = collection.each_with_index.map do |resource, index|
+          build_unauthorized_resource_payload(resource, index)
+        end.reject(&:nil?)
+        return if payload.empty?
+        raise Exceptions::UnauthorisedResource.new(
+          "resource_authorizer method for one or more '#{deserializer.type}' items returned false",
+          payload
+        )
+      end
+      def resource_type
+        deserializer.type
+      end
+      private
+      def build_unauthorized_resource_payload(resource, index)
+        unless deserializer.resource_authorizer.call(resource)
+          ExceptionPayload.new(
+            pointer: "#{prefix}/#{index}/id",
+            detail: unauthorized_resource_message(collection_ids[index])
+          )
+        end
+      end
+      def unauthorized_resource_message(resource_id)
+        I18n.t(
+          :unauthorized_resource,
+          resource: resource_type,
+          resource_id: resource_id,
+          scope: 'fun_with_json_api.find_collection_from_document'
+        )
+      end
+    end
+  end
+end