jpie 0.1.0 → 0.3.0

data/lib/json_api/controllers/concerns/resource_actions.rb

@@ -1,657 +0,0 @@
-# frozen_string_literal: true
-
-module JSONAPI
-  module ResourceActions
-    extend ActiveSupport::Concern
-    include ActiveStorageSupport
-
-    included do
-      before_action :load_jsonapi_resource
-      before_action :validate_fields_param, only: %i[index show]
-      before_action :validate_filter_param, only: [:index]
-      before_action :validate_sort_param, only: [:index]
-      before_action :validate_include_param, only: %i[index show]
-      before_action :validate_resource_type!, only: %i[create update]
-      before_action :validate_resource_id!, only: [:update]
-      before_action :preload_includes, only: %i[index show]
-    end
-
-    def index
-      initial_scope = @preloaded_resources || model_class.all
-      scoped = apply_authorization_scope(initial_scope, action: :index)
-
-      query = JSONAPI::CollectionQuery.new(
-        scoped,
-        definition: @resource_class,
-        model_class: model_class,
-        filter_params: parse_filter_param,
-        sort_params: parse_sort_param,
-        page_params: parse_page_param
-      ).execute
-
-      @total_count = query.total_count
-      @pagination_applied = query.pagination_applied
-
-      render json: serialize_collection(query.scope), status: :ok
-    end
-
-    def show
-      resource = @preloaded_resource || @resource
-      authorize_resource_action!(resource, action: :show)
-      render json: serialize_resource(resource), status: :ok
-    end
-
-    def create
-      # Determine STI class from type in payload
-      sti_class = determine_sti_class_for_create
-
-      # Use subtype model class for deserialization so it finds the correct resource class
-      params_hash = deserialize_params(:create, model_class: sti_class)
-      attachment_params = extract_active_storage_params_from_hash(params_hash, sti_class)
-      # Remove attachment params from regular params
-      attachment_params.each_key { |key| params_hash.delete(key.to_s) }
-
-      # Remove type from params_hash if present - STI handles type automatically
-      params_hash.delete("type")
-      params_hash.delete(:type)
-
-      # For STI base class, ensure type is set explicitly (Rails STI doesn't always set it for base class)
-      # Only set type if this is actually an STI base class (has type column and base_class == class)
-      if sti_class.respond_to?(:base_class) &&
-         sti_class.base_class == sti_class &&
-         sti_class.column_names.include?("type")
-        params_hash["type"] = sti_class.name
-      end
-
-      resource = sti_class.new(params_hash)
-      authorize_resource_action!(resource, action: :create)
-
-      # Attach files before saving so validation can check files.attached?
-      # ActiveStorage allows attaching to unsaved records and will persist attachments when the record is saved
-      sti_resource_class = determine_sti_resource_class_for_create
-      attach_active_storage_files(resource, attachment_params, resource_class: sti_resource_class)
-
-      if resource.save
-        emit_resource_event(:created, resource)
-        render json: serialize_resource(resource), status: :created, location: resource_url(resource)
-      else
-        render_validation_errors(resource)
-      end
-    rescue ArgumentError => e
-      if e.message.match?(/invalid.*subtype/i)
-        render_invalid_subtype_error(e)
-      else
-        render_invalid_relationship_error(e)
-      end
-    rescue ActiveSupport::MessageVerifier::InvalidSignature => e
-      render_invalid_signed_id_error(e)
-    end
-
-    def update
-      authorize_resource_action!(@resource, action: :update)
-      params_hash = deserialize_params(:update)
-      attachment_params = extract_active_storage_params_from_hash(params_hash, model_class)
-      # Remove attachment params from regular params
-      attachment_params.each_key { |key| params_hash.delete(key.to_s) }
-
-      if @resource.update(params_hash)
-        attach_active_storage_files(@resource, attachment_params, resource_class: @resource_class)
-        emit_resource_event(:updated, @resource)
-        render json: serialize_resource(@resource), status: :ok
-      else
-        render_validation_errors(@resource)
-      end
-    rescue ArgumentError => e
-      render_invalid_relationship_error(e)
-    rescue JSONAPI::Exceptions::ParameterNotAllowed => e
-      render_parameter_not_allowed_error(e)
-    rescue ActiveSupport::MessageVerifier::InvalidSignature => e
-      render_invalid_signed_id_error(e)
-    end
-
-    def destroy
-      authorize_resource_action!(@resource, action: :destroy)
-      resource_id = @resource.id
-      resource_type_name = resource_type
-      if @resource.destroy
-        emit_resource_event(:deleted, @resource, resource_id:, resource_type: resource_type_name)
-        head :no_content
-      else
-        render_validation_errors(@resource)
-      end
-    end
-
-    def build_resource_from_params
-      params_hash = deserialize_params(:create)
-      attachment_params = extract_active_storage_params_from_hash(params_hash, model_class)
-      # Remove attachment params from regular params
-      attachment_params.each_key { |key| params_hash.delete(key.to_s) }
-      model_class.new(params_hash)
-    end
-
-    def deserialize_params(action = :update, model_class: nil)
-      params_hash = raw_jsonapi_data
-      target_model_class = model_class || self.model_class
-      deserializer = JSONAPI::Deserializer.new(params_hash, model_class: target_model_class, action:)
-      deserializer.to_model_attributes
-    end
-
-    def render_invalid_signed_id_error(error)
-      render_jsonapi_error(
-        status: 400,
-        title: "Invalid Signed ID",
-        detail: "Invalid signed blob ID provided: #{error.message}"
-      )
-    end
-
-    def determine_sti_class_for_create(_subtype = nil)
-      # Check the type directly from the payload
-      type_from_payload = raw_jsonapi_data&.dig(:type)
-
-      return model_class unless type_from_payload
-
-      # If the payload type differs from the controller's type,
-      # resolve the class for the specific type.
-      if type_from_payload == params[:resource_type]
-        model_class
-      else
-        resource_class = JSONAPI::ResourceLoader.find(type_from_payload)
-        resource_class.model_class
-      end
-    rescue JSONAPI::ResourceLoader::MissingResourceClass
-      model_class
-    end
-
-    def determine_sti_resource_class_for_create(_subtype = nil)
-      type_from_payload = raw_jsonapi_data&.dig(:type)
-      return @resource_class unless type_from_payload
-
-      if type_from_payload == params[:resource_type]
-        @resource_class
-      else
-        JSONAPI::ResourceLoader.find(type_from_payload)
-      end
-    rescue JSONAPI::ResourceLoader::MissingResourceClass
-      @resource_class
-    end
-
-    private
-
-    def load_jsonapi_resource
-      return unless params[:resource_type].present?
-
-      set_resource_name
-      set_resource_class
-      set_resource if %i[show update destroy].include?(action_name.to_sym)
-    end
-
-    def raw_jsonapi_data
-      # Access raw params to get relationships and meta before permit filters them
-      raw_data = params[:data] || params["data"]
-      return {} unless raw_data
-
-      # Convert to hash with symbolized keys, preserving nested structure including meta
-      # Use to_unsafe_h to get all params including unpermitted ones like meta
-      if raw_data.is_a?(ActionController::Parameters)
-        JSONAPI::ParamHelpers.deep_symbolize_params(raw_data.to_unsafe_h)
-      else
-        JSONAPI::ParamHelpers.deep_symbolize_params(raw_data)
-      end
-    end
-
-    def validate_filter_param
-      filters = parse_filter_param
-      return if filters.empty?
-
-      invalid_filters = find_invalid_filter_fields(filters)
-      return if invalid_filters.empty?
-
-      render_parameter_errors(
-        invalid_filters,
-        title: "Invalid Filter",
-        detail_proc: ->(filter_name) { "Invalid filter requested: #{filter_name}" },
-        source_proc: ->(filter_name) { { parameter: "filter[#{filter_name}]" } }
-      )
-    end
-
-    def find_invalid_filter_fields(filters)
-      filters.keys.reject do |filter_name|
-        valid_filter_path?(filter_name.to_s, @resource_class, model_class)
-      end
-    end
-
-    def valid_filter_path?(filter_name, resource_cls, model_cls)
-      path_parts = filter_name.split(".")
-      validate_filter_parts(path_parts, resource_cls, model_cls)
-    end
-
-    def validate_filter_parts(path_parts, resource_cls, model_cls, allow_related_columns: false)
-      return false if path_parts.empty?
-
-      if path_parts.length == 1
-        filter_name = path_parts.first
-        return true if resource_cls.permitted_filters.map(&:to_s).include?(filter_name)
-
-        if allow_related_columns
-          column_filter = parse_column_filter_name(filter_name)
-          return true if column_filter && model_cls.column_for_attribute(column_filter[:column])
-
-          return true if model_cls.column_names.include?(filter_name)
-          return true if model_cls.respond_to?(filter_name.to_sym)
-        end
-
-        return false
-      end
-
-      relationship_name, *remaining_parts = path_parts
-      return false unless relationship_allowed_for_filtering?(resource_cls, relationship_name)
-
-      association = model_cls.reflect_on_association(relationship_name.to_sym)
-      return false unless association
-
-      return valid_polymorphic_filter_parts?(remaining_parts) if association.polymorphic?
-
-      related_model = association.klass
-      related_resource_cls = JSONAPI::Resource.resource_for_model(related_model)
-      return false unless related_resource_cls
-
-      validate_filter_parts(
-        remaining_parts,
-        related_resource_cls,
-        related_model,
-        allow_related_columns: true
-      )
-    end
-
-    def relationship_allowed_for_filtering?(resource_cls, relationship_name)
-      permitted_through = resource_cls.permitted_filters_through
-      permitted_through.include?(relationship_name.to_sym) ||
-        permitted_through.map(&:to_s).include?(relationship_name.to_s)
-    end
-
-    def valid_polymorphic_filter_parts?(parts)
-      return false if parts.empty? || parts.length > 1
-
-      attribute_name = parts.first
-      match = attribute_name.match(/\A(.+)_(eq|match|lt|lte|gt|gte)\z/)
-      base_name = match ? match[1] : attribute_name
-
-      %w[id type].include?(base_name)
-    end
-
-    def parse_column_filter_name(filter_name)
-      match = filter_name.match(/\A(.+)_(eq|match|lt|lte|gt|gte)\z/)
-      return nil unless match
-
-      { column: match[1], operator: match[2].to_sym }
-    end
-
-    def validate_sort_param
-      sorts = parse_sort_param
-      return if sorts.empty?
-
-      valid_fields = valid_sort_fields_for_resource(@resource_class, model_class)
-      invalid_fields = invalid_sort_fields_for_columns(sorts, valid_fields)
-      return if invalid_fields.empty?
-
-      render_parameter_errors(
-        invalid_fields,
-        title: "Invalid Sort Field",
-        detail_proc: ->(field) { "Invalid sort field requested: #{field}" },
-        source_proc: ->(_field) { { parameter: "sort" } }
-      )
-    end
-
-    def validate_include_param
-      includes = parse_include_param
-      return if includes.empty?
-
-      invalid_paths = find_invalid_include_paths(includes)
-      return if invalid_paths.empty?
-
-      render_parameter_errors(
-        invalid_paths,
-        title: "Invalid Include Path",
-        detail_proc: ->(path) { "Invalid include path requested: #{path}" },
-        source_proc: ->(_path) { { parameter: "include" } }
-      )
-    end
-
-    def find_invalid_include_paths(includes)
-      permitted_relationships = @resource_class.relationship_names.map(&:to_s)
-      invalid_paths = []
-
-      includes.each do |include_path|
-        invalid_paths << include_path unless valid_include_path?(include_path, permitted_relationships)
-      end
-
-      invalid_paths
-    end
-
-    def valid_include_path?(include_path, permitted_relationships)
-      path_parts = include_path.split(".")
-      first_association = path_parts.first
-
-      return false unless permitted_relationships.include?(first_association)
-
-      valid_nested_path?(path_parts)
-    end
-
-    def valid_nested_path?(path_parts)
-      current_class = model_class
-
-      path_parts.each do |association_name|
-        # Check for ActiveStorage attachments
-        if self.class.active_storage_attachment?(association_name, current_class)
-          # ActiveStorage attachments point to ActiveStorage::Blob, which is a terminal relationship
-          return true
-        end
-
-        association = current_class.reflect_on_association(association_name.to_sym)
-        return false unless association
-
-        break if association.polymorphic?
-
-        current_class = association.klass
-      end
-
-      true
-    end
-
-    def preload_includes
-      includes = parse_include_param
-      return if includes.empty?
-
-      includes_hash = build_includes_hash(includes)
-      preload_resources(includes_hash)
-    rescue ActiveRecord::RecordNotFound
-      # Will be handled by set_resource
-    end
-
-    def build_includes_hash(includes)
-      includes_hash = {}
-      includes.each { |include_path| merge_include_path(includes_hash, include_path) }
-      includes_hash
-    end
-
-    def merge_include_path(includes_hash, include_path)
-      path_parts = include_path.split(".")
-      current_hash = includes_hash
-
-      path_parts.each_with_index do |part, index|
-        part_sym = part.to_sym
-        current_hash[part_sym] ||= {}
-        current_hash = current_hash[part_sym] if index < path_parts.length - 1
-      end
-    end
-
-    def preload_resources(includes_hash)
-      # Filter out ActiveStorage attachments and polymorphic associations from includes_hash
-      filtered_includes = filter_active_storage_from_includes(includes_hash, model_class)
-      filtered_includes = filter_polymorphic_from_includes(filtered_includes, model_class)
-
-      case action_name
-      when "index"
-        @preloaded_resources = filtered_includes.empty? ? model_class.all : model_class.all.includes(filtered_includes)
-      when "show"
-        @preloaded_resource = filtered_includes.empty? ? model_class.find(params[:id]) : model_class.includes(filtered_includes).find(params[:id])
-      end
-    end
-
-    def serialize_resource(resource)
-      serializer = JSONAPI::Serializer.new(resource)
-      serializer.to_hash(
-        include: parse_include_param,
-        fields: parse_fields_param,
-        document_meta: jsonapi_document_meta
-      )
-    end
-
-    def serialize_collection(resources)
-      includes = parse_include_param
-      fields = parse_fields_param
-      all_included = []
-      processed = Set.new
-
-      data = serialize_resources(resources, includes, fields, all_included, processed)
-
-      build_collection_response(data, all_included)
-    end
-
-    def serialize_resources(resources, includes, fields, all_included, processed)
-      resources.map do |resource|
-        result = serialize_single_resource(resource, includes, fields)
-        collect_included_resources(result, all_included, processed)
-        result[:data]
-      end
-    end
-
-    def serialize_single_resource(resource, includes, fields)
-      serializer = JSONAPI::Serializer.new(resource)
-      serializer.to_hash(include: includes, fields:, document_meta: nil)
-    end
-
-    def collect_included_resources(result, all_included, processed)
-      included_resources = result[:included] || []
-      included_resources.each do |included_resource|
-        add_unique_included_resource(included_resource, all_included, processed)
-      end
-    end
-
-    def add_unique_included_resource(included_resource, all_included, processed)
-      resource_key = "#{included_resource[:type]}-#{included_resource[:id]}"
-      return if processed.include?(resource_key)
-
-      all_included << included_resource
-      processed.add(resource_key)
-    end
-
-    def build_collection_response(data, all_included)
-      result = {
-        jsonapi: JSONAPI::Serializer.jsonapi_object,
-        data:
-      }
-      result[:included] = all_included if all_included.any?
-
-      pagination_meta = {}
-
-      if @pagination_applied
-        result[:links] = build_pagination_links
-        pagination_meta = build_pagination_meta
-      end
-
-      result[:meta] = jsonapi_document_meta(pagination_meta)
-
-      result
-    end
-
-    def build_pagination_links
-      page_params = parse_page_param
-      current_page = page_params["number"]&.to_i || 1
-      page_size = calculate_page_size(page_params)
-      total_pages = calculate_total_pages(page_size)
-
-      links = {
-        self: build_pagination_url(current_page, page_size),
-        first: build_pagination_url(1, page_size),
-        last: build_pagination_url(total_pages, page_size)
-      }
-      links[:prev] = build_pagination_url(current_page - 1, page_size) if current_page > 1
-      links[:next] = build_pagination_url(current_page + 1, page_size) if current_page < total_pages
-
-      links
-    end
-
-    def calculate_page_size(page_params)
-      size = page_params["size"]&.to_i || JSONAPI.configuration.default_page_size
-      [size, JSONAPI.configuration.max_page_size].min
-    end
-
-    def calculate_total_pages(page_size)
-      total_pages = (@total_count.to_f / page_size).ceil
-      total_pages.zero? ? 1 : total_pages
-    end
-
-    def build_pagination_url(page_number, page_size)
-      base_url = request.path
-      query_params = request.query_parameters.dup
-      query_params["page"] = { "number" => page_number, "size" => page_size }
-
-      query_string = build_query_string(query_params)
-      query_string.present? ? "#{base_url}?#{query_string}" : base_url
-    end
-
-    def build_query_string(query_params)
-      JSONAPI::ParamHelpers.build_query_string(query_params)
-    end
-
-    def build_pagination_meta
-      { total: @total_count }
-    end
-
-    def validate_resource_type!
-      # Skip validation if resource loading was skipped
-      return unless @resource_class
-      # Relationship endpoints carry related resource identifiers, so skip type
-      # validation for relationship requests.
-      return if params[:relationship_name].present?
-
-      requested_type = jsonapi_type
-      expected_type = resource_type
-
-      return if requested_type == expected_type
-
-      # Allow STI subtypes if posting to base endpoint
-      if model_class.respond_to?(:base_class)
-        # Check if requested type corresponds to a valid subclass
-        begin
-          requested_resource_class = JSONAPI::ResourceLoader.find(requested_type)
-          requested_model_class = requested_resource_class.model_class
-
-          # Allow if requested class is a subclass of the endpoint's class
-          return if requested_model_class < model_class
-        rescue JSONAPI::ResourceLoader::MissingResourceClass, NameError
-          # Fall through to error rendering
-        end
-      end
-
-      render_type_mismatch_error(expected_type, requested_type) and return
-    end
-
-    def validate_resource_id!
-      # Skip validation if resource loading was skipped
-      return unless @resource_class
-
-      requested_id = jsonapi_id
-      expected_id = params[:id].to_s
-
-      return if requested_id == expected_id
-
-      render_id_mismatch_error(expected_id, requested_id) and return
-    end
-
-    def render_type_mismatch_error(expected_type, requested_type)
-      detail = requested_type.nil? ? "Missing type member. Expected '#{expected_type}'" : "Type mismatch: expected '#{expected_type}', got '#{requested_type}'"
-
-      render json: {
-        errors: [
-          {
-            status: "409",
-            title: "Type Mismatch",
-            detail:,
-            source: { pointer: "/data/type" }
-          }
-        ]
-      }, status: :conflict
-    end
-
-    def render_id_mismatch_error(expected_id, requested_id)
-      render json: {
-        errors: [
-          {
-            status: "409",
-            title: "ID Mismatch",
-            detail: "ID mismatch: expected '#{expected_id}', got '#{requested_id}'",
-            source: { pointer: "/data/id" }
-          }
-        ]
-      }, status: :conflict
-    end
-
-    def resource_url(resource)
-      "/#{resource_type}/#{resource.id}"
-    end
-
-    def resource_type
-      params[:resource_type] || @resource_name.pluralize
-    end
-
-    def validate_fields_param
-      fields = parse_fields_param
-      return if fields.empty?
-
-      fields.each do |type, type_fields|
-        next if type_fields.nil? || type_fields.empty?
-
-        # Handle active_storage_blobs specially
-        if type.to_s == "active_storage_blobs"
-          invalid_fields = find_invalid_blob_fields(type_fields)
-          if invalid_fields.any?
-            render_parameter_errors(
-              invalid_fields,
-              title: "Invalid Field",
-              detail_proc: ->(field) { "Invalid field requested for active_storage_blobs: #{field}" },
-              source_proc: ->(_field) { { parameter: "fields[active_storage_blobs]" } }
-            )
-            return
-          end
-        else
-          # Only validate fields for the current resource type
-          next unless type.to_s == resource_type.to_s
-
-          invalid_fields = find_invalid_fields(type_fields)
-          if invalid_fields.any?
-            current_type = resource_type.to_s
-            render_parameter_errors(
-              invalid_fields,
-              title: "Invalid Field",
-              detail_proc: ->(field) { "Invalid field requested for #{current_type}: #{field}" },
-              source_proc: ->(_field) { { parameter: "fields[#{current_type}]" } }
-            )
-            return
-          end
-        end
-      end
-    end
-
-    def find_invalid_fields(resource_fields)
-      permitted_attributes = @resource_class.permitted_attributes.map(&:to_s)
-      resource_fields.reject { |field| permitted_attributes.include?(field.to_s) }
-    end
-
-    def find_invalid_blob_fields(blob_fields)
-      return [] unless defined?(::ActiveStorage)
-
-      permitted_attributes = JSONAPI::ActiveStorageBlobResource.permitted_attributes.map(&:to_s)
-      blob_fields.reject { |field| permitted_attributes.include?(field.to_s) }
-    end
-
-    def emit_resource_event(action, resource, resource_id: nil, resource_type: nil)
-      resource_id ||= resource.id
-      resource_type_name = resource_type || self.resource_type
-
-      changes = if action == :updated && resource.respond_to?(:previous_changes)
-                  resource.previous_changes.except("updated_at", "created_at")
-                else
-                  {}
-                end
-
-      JSONAPI::Instrumentation.resource_event(
-        action:,
-        resource_type: resource_type_name,
-        resource_id:,
-        changes:
-      )
-    end
-  end
-end