jason-rails 0.7.0 → 0.7.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a0bfff0c4de046d090ba0c1708fcd4692da2cccc2caf0911d6ae752310a7a8ee
-  data.tar.gz: 8851a0bfdbd521426f3650cbfa44eeea25a4e4bc0bceb8fac3bad7a667563a9c
+  metadata.gz: 0e0d37099f467ff5bd4ab868732ce57c53bf055e6ecb8d0f0506bb14ee723d77
+  data.tar.gz: 6912d141317dbc95edb96bc11ed29235a90fc6dd8575a4dcba18017b81a9964f
 SHA512:
-  metadata.gz: 47cc3c7df9c3a4c9fedef6899a3948ba78d44a6a507f830c1f7a50dd920794654777d5a5a3c98f6431d2ef2edef3c1d104222bc06abccc39937f5d55fcd3d33e
-  data.tar.gz: b6305008dd05be63e8fa1dbfa785179129ecf4554877a801dbe44b979906997ce44761d2978ffd7a1129ab1ed4ce44e83e4464ab8566c3fccb9a137516dd48e7
+  metadata.gz: 3cce0310a94bba9c73237d3d18bcd7aa949fb35905b7dd76c69c05b6d8259f1fc6d0b79da2a01b3db34b372cf438ea96777c14d2bd3bdbfacf9ba27578e81f19
+  data.tar.gz: f2460fea5f459d24966741cce29855b97b9361a900a848e8655ccdfb4cbaa03aa4d47135b2fa661961f7c8d46d37f5e9bc821ff97a6f5cdd22265f7a8d755758

data/CHANGELOG.md

@@ -1,3 +1,6 @@
+## v0.7.1
+- Added: Authorization for REST endpoints. Previously these just inherited logic from ApplicationController. Pass a `update_authorization_service` option to the Jason initializer to use this.
+
 ## v0.7.0
 - Added: New forms of conditional subscription. You can now add conditions on fields other than the primary key.
 E.g.

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    jason-rails (0.6.8)
+    jason-rails (0.7.0)
       connection_pool (>= 2.2.3)
       jsondiff
       rails (>= 5)
@@ -89,7 +89,8 @@ GEM
     marcel (0.3.3)
       mimemagic (~> 0.3.2)
     method_source (1.0.0)
-    mimemagic (0.3.5)
+    mimemagic (0.3.8)
+      nokogiri (~> 1)
     mini_mime (1.0.2)
     mini_portile2 (2.5.0)
     minitest (5.14.3)

data/README.md

@@ -152,13 +152,15 @@ export default function Comment({ id }) {
 
 ## Authorization
 
-By default all models can be subscribed to and updated without authentication or authorization. Probably you want to lock down access.
+By default all models can be subscribed to and updated without authentication or authorization. Probably you want to lock down access. At the moment Jason has no opinion on how to handle authorization, it simply forwards parameters to a service that you provide - so the implementation can be as simple or as complex as you need.
 
 ### Authorizing subscriptions
 You can do this by providing an class to Jason in the initializer under the `subscription_authorization_service` key. This must be a class receiving a message `call` with the parameters `user`, `model`, `conditions`, `sub_models` and return true or false for whether the user is allowed to access a subscription with those parameters. You can decide the implementation details of this to be as simple or complex as your app requires.
 
 ### Authorizing updates
-Similarly to authorizing subscriptions, you can do this by providing an class to Jason in the initializer under the `update_authorization_service` key. This must be a class receiving a message `call` with the parameters `user`, `model`, `instance`, `update`, `remove` and return true or false for whether the user is allowed to access a subscription with those parameters.
+Similarly to authorizing subscriptions, you can do this by providing an class to Jason in the initializer under the `update_authorization_service` key. This must be a class receiving a message `call` with the parameters `user`, `model`, `action`, `instance`, `params`  and return true or false for whether the user is allowed to make this update.
+
+See the specs for some examples of this.
 
 ## Roadmap
 
@@ -169,9 +171,10 @@ Development is primarily driven by the needs of projects we're using Jason in. I
 - Utilities for "Draft editing" - both storing client-side copies of model trees which can be committed or discarded, as well as persisting a shadow copy to the database (to allow resumable editing, or possibly collaborative editing features)
 - Benchmark and migrate if necessary ConnectionPool::Wrapper vs ConnectionPool
 - Assess using RedisGraph for the graph diffing functionality, to see if this would provide a performance boost
+- Improve the Typescript definitions (ie remove the abundant `any` typing currently used)
 
 ## License
 
-The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+The gem, npm package and source code in the git repository are available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
 
 

data/app/controllers/jason/jason_controller.rb

@@ -21,14 +21,17 @@ class Jason::JasonController < ::ApplicationController
   def action
     type = params[:type]
     entity = type.split('/')[0].underscore
-    api_model = Jason::ApiModel.new(entity.singularize)
-    model = entity.singularize.camelize.constantize
+    model_name = entity.singularize
+    api_model = Jason::ApiModel.new(model_name)
+    model = model_name.camelize.constantize
     action = type.split('/')[1].underscore
 
     if action == 'move_priority'
       id, priority = params[:payload].values_at(:id, :priority)
 
       instance = model.find(id)
+
+      return head :forbidden if !action_permitted?(model_name, action, instance, params)
       priority_filter = instance.as_json.with_indifferent_access.slice(*api_model.priority_scope)
 
       all_instance_ids = model.send(api_model.scope || :all).where(priority_filter).where.not(id: instance.id).order(:priority).pluck(:id)
@@ -40,10 +43,24 @@ class Jason::JasonController < ::ApplicationController
 
       model.find(all_instance_ids).each(&:force_publish_json)
     elsif action == 'upsert' || action == 'add'
+      id = params[:payload][:id]
       payload = api_model.permit(params)
-      return render json: model.find_or_create_by_id!(payload).as_json(api_model.as_json_config)
+
+      instance = model.find_by(id: id)
+      return head :forbidden if !action_permitted?(model_name, action, instance, params)
+
+      if instance.present?
+        instance.update!(payload)
+      else
+        instance = model.create!(payload)
+      end
+
+      return render json: instance.as_json(api_model.as_json_config)
     elsif action == 'remove'
-      model.find(params[:payload]).destroy!
+      instance = model.find(params[:payload])
+      return head :forbidden if !action_permitted?(model_name, action, instance, params)
+
+      instance.destroy!
     end
 
     return head :ok
@@ -75,4 +92,9 @@ class Jason::JasonController < ::ApplicationController
       return head :forbidden
     end
   end
+
+  def action_permitted?(model_name, action, instance, params)
+    return true if Jason.update_authorization_service.blank?
+    Jason.update_authorization_service.call(current_user, model_name, action, instance, params)
+  end
 end

data/client/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jamesr2323/jason",
-  "version": "0.7.0",
+  "version": "0.7.1",
   "module": "./lib/index.js",
   "types": "./lib/index.d.ts",
   "scripts": {

data/lib/jason.rb

@@ -25,7 +25,8 @@ module Jason
   self.mattr_accessor :pusher_key
   self.mattr_accessor :pusher_region
   self.mattr_accessor :pusher_channel_prefix
-  self.mattr_accessor :authorization_service
+  self.mattr_accessor :subscription_authorization_service
+  self.mattr_accessor :update_authorization_service
   self.mattr_accessor :sidekiq_queue
 
   self.schema = {}

data/lib/jason/publisher.rb

@@ -150,35 +150,6 @@ module Jason::Publisher
       self.after_commit :force_publish_json, on: [:create, :destroy]
       self.after_commit :publish_json_if_changed, on: [:update]
     end
-
-    def find_or_create_by_id(params)
-      object = find_by(id: params[:id])
-
-      if object
-        object.update(params)
-      elsif params[:hidden]
-        return false ## If an object is passed with hidden = true but didn't already exist, it's safe to never create it
-      else
-        object = create!(params)
-      end
-
-      object
-    end
-
-    def find_or_create_by_id!(params)
-      object = find_by(id: params[:id])
-
-      if object
-        object.update!(params)
-      elsif params[:hidden]
-        ## TODO: We're diverging from semantics of the Rails bang! methods here, which would normally either raise or return an object. Find a way to make this better.
-        return false ## If an object is passed with hidden = true but didn't already exist, it's safe to never create it
-      else
-        object = create!(params)
-      end
-
-      object
-    end
   end
 
   included do

data/lib/jason/subscription.rb

@@ -390,8 +390,8 @@ class Jason::Subscription
 
   def user_can_access?(user)
     # td: implement the authorization logic here
-    return true if Jason.authorization_service.blank?
-    Jason.authorization_service.call(user, model, conditions, includes_helper.all_models - [model])
+    return true if Jason.subscription_authorization_service.blank?
+    Jason.subscription_authorization_service.call(user, model, conditions, includes_helper.all_models - [model])
   end
 
   def get

data/lib/jason/version.rb

@@ -1,3 +1,3 @@
 module Jason
-  VERSION = "0.7.0"
+  VERSION = "0.7.1"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jason-rails
 version: !ruby/object:Gem::Version
-  version: 0.7.0
+  version: 0.7.1
 platform: ruby
 authors:
 - James Rees
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-04-02 00:00:00.000000000 Z
+date: 2021-04-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -238,9 +238,7 @@ files:
 - lib/jason/includes_helper.rb
 - lib/jason/lua_generator.rb
 - lib/jason/publisher.rb
-- lib/jason/publisher_old.rb
 - lib/jason/subscription.rb
-- lib/jason/subscription_old.rb
 - lib/jason/version.rb
 homepage: https://github.com/jamesr2323/jason
 licenses:

data/lib/jason/publisher_old.rb

@@ -1,112 +0,0 @@
-module Jason::PublisherOld
-  extend ActiveSupport::Concern
-
-  def cache_json
-    as_json_config = api_model.as_json_config
-    scope = api_model.scope
-
-    if self.persisted? && (scope.blank? || self.class.unscoped.send(scope).exists?(self.id))
-      payload = self.reload.as_json(as_json_config)
-      $redis_jason.hset("jason:#{self.class.name.underscore}:cache", self.id, payload.to_json)
-    else
-      $redis_jason.hdel("jason:#{self.class.name.underscore}:cache", self.id)
-    end
-  end
-
-  def publish_json
-    cache_json
-    return if skip_publish_json
-
-    self.class.jason_subscriptions.each do |id, config_json|
-      config = JSON.parse(config_json)
-
-      if (config['conditions'] || {}).all? { |field, value| self.send(field) == value }
-        Jason::Subscription.new(id: id).update(self.class.name.underscore)
-      end
-    end
-  end
-
-  def publish_json_if_changed
-    subscribed_fields = api_model.subscribed_fields
-    publish_json if (self.previous_changes.keys.map(&:to_sym) & subscribed_fields).present? || !self.persisted?
-  end
-
-  class_methods do
-    def subscriptions
-      $redis_jason.hgetall("jason:#{self.name.underscore}:subscriptions")
-    end
-
-    def jason_subscriptions
-      $redis_jason.hgetall("jason:#{self.name.underscore}:subscriptions")
-    end
-
-    def publish_all(instances)
-      instances.each(&:cache_json)
-
-      subscriptions.each do |id, config_json|
-        Jason::Subscription.new(id: id).update(self.name.underscore)
-      end
-    end
-
-    def flush_cache
-      $redis_jason.del("jason:#{self.name.underscore}:cache")
-    end
-
-    def setup_json
-      self.after_initialize -> {
-        @api_model = Jason::ApiModel.new(self.class.name.underscore)
-      }
-      self.after_commit :publish_json_if_changed
-
-      include_models = Jason::ApiModel.new(self.name.underscore).include_models
-
-      include_models.map do |assoc|
-        puts assoc
-        reflection = self.reflect_on_association(assoc.to_sym)
-        reflection.klass.after_commit -> {
-          subscribed_fields = Jason::ApiModel.new(self.class.name.underscore).subscribed_fields
-          puts subscribed_fields.inspect
-
-          if (self.previous_changes.keys.map(&:to_sym) & subscribed_fields).present?
-            self.send(reflection.inverse_of.name)&.publish_json
-          end
-        }
-      end
-    end
-
-    def find_or_create_by_id(params)
-      object = find_by(id: params[:id])
-
-      if object
-        object.update(params)
-      elsif params[:hidden]
-        return false ## If an object is passed with hidden = true but didn't already exist, it's safe to never create it
-      else
-        object = create!(params)
-      end
-
-      object
-    end
-
-    def find_or_create_by_id!(params)
-      object = find_by(id: params[:id])
-
-      if object
-        object.update!(params)
-      elsif params[:hidden]
-        ## TODO: We're diverging from semantics of the Rails bang! methods here, which would normally either raise or return an object. Find a way to make this better.
-        return false ## If an object is passed with hidden = true but didn't already exist, it's safe to never create it
-      else
-        object = create!(params)
-      end
-
-      object
-    end
-  end
-
-  included do
-    attr_accessor :skip_publish_json, :api_model
-
-    setup_json
-  end
-end

data/lib/jason/subscription_old.rb

@@ -1,171 +0,0 @@
-class Jason::SubscriptionOld
-  attr_accessor :id, :config
-
-  def initialize(id: nil, config: nil)
-    if id
-      @id = id
-      raw_config = $redis_jason.hgetall("jason:subscriptions:#{id}").map { |k,v| [k, JSON.parse(v)] }.to_h
-      set_config(raw_config)
-    else
-      @id = Digest::MD5.hexdigest(config.to_json)
-      configure(config)
-    end
-  end
-
-  def set_config(raw_config)
-    @config =  raw_config.with_indifferent_access.map { |k,v| [k.underscore.to_s, v] }.to_h
-  end
-
-  def configure(raw_config)
-    set_config(raw_config)
-    $redis_jason.hmset("jason:subscriptions:#{id}", *config.map { |k,v| [k, v.to_json]}.flatten)
-  end
-
-  def destroy
-    config.each do |model, value|
-      $redis_jason.srem("jason:#{model.to_s.underscore}:subscriptions", id)
-    end
-    $redis_jason.del("jason:subscriptions:#{id}")
-  end
-
-  def add_consumer(consumer_id)
-    before_consumer_count = consumer_count
-    $redis_jason.sadd("jason:subscriptions:#{id}:consumers", consumer_id)
-    $redis_jason.hset("jason:consumers", consumer_id, Time.now.utc)
-
-    add_subscriptions
-    publish_all
-  end
-
-  def remove_consumer(consumer_id)
-    $redis_jason.srem("jason:subscriptions:#{id}:consumers", consumer_id)
-    $redis_jason.hdel("jason:consumers", consumer_id)
-
-    if consumer_count == 0
-      remove_subscriptions
-    end
-  end
-
-  def consumer_count
-    $redis_jason.scard("jason:subscriptions:#{id}:consumers")
-  end
-
-  def channel
-    "jason:#{id}"
-  end
-
-  def publish_all
-    config.each do |model, model_config|
-      klass = model.to_s.classify.constantize
-      conditions = model_config['conditions'] || {}
-      klass.where(conditions).find_each(&:cache_json)
-      update(model)
-    end
-  end
-
-  def add_subscriptions
-    config.each do |model, value|
-      $redis_jason.hset("jason:#{model.to_s.underscore}:subscriptions", id, value.to_json)
-      update(model)
-    end
-  end
-
-  def remove_subscriptions
-    config.each do |model, _|
-      $redis_jason.hdel("jason:#{model.to_s.underscore}:subscriptions", id)
-    end
-  end
-
-  def self.publish_all
-    JASON_API_MODEL.each do |model, _v|
-      klass = model.to_s.classify.constantize
-      klass.publish_all(klass.all) if klass.respond_to?(:publish_all)
-    end
-  end
-
-  def get(model_name)
-    LuaGenerator.new.index_hash_by_set("jason:cache:#{model_name}", "")
-
-    value = JSON.parse($redis_jason.get("#{channel}:#{model}:value") || '[]')
-    idx = $redis_jason.get("#{channel}:#{model}:idx").to_i
-
-    {
-      type: 'payload',
-      md5Hash: id,
-      model: model,
-      value: value,
-      idx: idx
-    }
-  end
-
-  def get_diff(old_value, value)
-    JsonDiff.generate(old_value, value)
-  end
-
-  def deep_stringify(value)
-    if value.is_a?(Hash)
-      value.deep_stringify_keys
-    elsif value.is_a?(Array)
-      value.map { |x| x.deep_stringify_keys }
-    end
-  end
-
-  def get_throttle
-    if !$throttle_rate || !$throttle_timeout || Time.now.utc > $throttle_timeout
-      $throttle_timeout = Time.now.utc + 5.seconds
-      $throttle_rate = ($redis_jason.get('global_throttle_rate') || 0).to_i
-    else
-      $throttle_rate
-    end
-  end
-
-  # Atomically update and return patch
-  def update(model)
-    start_time = Time.now.utc
-    conditions = config[model]['conditions']
-
-    value = $redis_jason.hgetall("jason:#{model}:cache")
-      .values.map { |v| JSON.parse(v) }
-      .select { |v| (conditions || {}).all? { |field, value| v[field] == value } }
-      .sort_by { |v| v['id'] }
-
-    # lfsa = last finished, started at
-    # If another job that started after this one, finished before this one, skip sending this state update
-    if Time.parse($redis_jason.get("jason:#{channel}:lfsa") || '1970-01-01 00:00:00 UTC') < start_time
-      $redis_jason.set("jason:#{channel}:lfsa", start_time)
-    else
-      return
-    end
-
-    value = deep_stringify(value)
-
-    # If value has changed, return old value and new idx. Otherwise do nothing.
-    cmd = <<~LUA
-      local old_val=redis.call('get', ARGV[1] .. ':value')
-      if old_val ~= ARGV[2] then
-        redis.call('set', ARGV[1] .. ':value', ARGV[2])
-        local new_idx = redis.call('incr', ARGV[1] .. ':idx')
-        return { new_idx, old_val }
-      end
-    LUA
-
-    result = $redis_jason.eval cmd, [], ["#{channel}:#{model}", value.to_json]
-    return if result.blank?
-
-    idx = result[0]
-    old_value = JSON.parse(result[1] || '[]')
-    diff = get_diff(old_value, value)
-
-    end_time = Time.now.utc
-
-    payload = {
-      model: model,
-      md5Hash: id,
-      diff: diff,
-      idx: idx.to_i,
-      latency: ((end_time - start_time)*1000).round
-    }
-
-    ActionCable.server.broadcast("jason:#{id}", payload)
-  end
-end