jpie 0.4.5 → 1.0.0

data/lib/json_api/controllers/concerns/resource_actions.rb

@@ -0,0 +1,657 @@
+# frozen_string_literal: true
+
+module JSONAPI
+  module ResourceActions
+    extend ActiveSupport::Concern
+    include ActiveStorageSupport
+
+    included do
+      before_action :load_jsonapi_resource
+      before_action :validate_fields_param, only: %i[index show]
+      before_action :validate_filter_param, only: [:index]
+      before_action :validate_sort_param, only: [:index]
+      before_action :validate_include_param, only: %i[index show]
+      before_action :validate_resource_type!, only: %i[create update]
+      before_action :validate_resource_id!, only: [:update]
+      before_action :preload_includes, only: %i[index show]
+    end
+
+    def index
+      initial_scope = @preloaded_resources || model_class.all
+      scoped = apply_authorization_scope(initial_scope, action: :index)
+
+      query = JSONAPI::CollectionQuery.new(
+        scoped,
+        definition: @resource_class,
+        model_class: model_class,
+        filter_params: parse_filter_param,
+        sort_params: parse_sort_param,
+        page_params: parse_page_param
+      ).execute
+
+      @total_count = query.total_count
+      @pagination_applied = query.pagination_applied
+
+      render json: serialize_collection(query.scope), status: :ok
+    end
+
+    def show
+      resource = @preloaded_resource || @resource
+      authorize_resource_action!(resource, action: :show)
+      render json: serialize_resource(resource), status: :ok
+    end
+
+    def create
+      # Determine STI class from type in payload
+      sti_class = determine_sti_class_for_create
+
+      # Use subtype model class for deserialization so it finds the correct resource class
+      params_hash = deserialize_params(:create, model_class: sti_class)
+      attachment_params = extract_active_storage_params_from_hash(params_hash, sti_class)
+      # Remove attachment params from regular params
+      attachment_params.each_key { |key| params_hash.delete(key.to_s) }
+
+      # Remove type from params_hash if present - STI handles type automatically
+      params_hash.delete("type")
+      params_hash.delete(:type)
+
+      # For STI base class, ensure type is set explicitly (Rails STI doesn't always set it for base class)
+      # Only set type if this is actually an STI base class (has type column and base_class == class)
+      if sti_class.respond_to?(:base_class) &&
+         sti_class.base_class == sti_class &&
+         sti_class.column_names.include?("type")
+        params_hash["type"] = sti_class.name
+      end
+
+      resource = sti_class.new(params_hash)
+      authorize_resource_action!(resource, action: :create)
+
+      # Attach files before saving so validation can check files.attached?
+      # ActiveStorage allows attaching to unsaved records and will persist attachments when the record is saved
+      sti_resource_class = determine_sti_resource_class_for_create
+      attach_active_storage_files(resource, attachment_params, resource_class: sti_resource_class)
+
+      if resource.save
+        emit_resource_event(:created, resource)
+        render json: serialize_resource(resource), status: :created, location: resource_url(resource)
+      else
+        render_validation_errors(resource)
+      end
+    rescue ArgumentError => e
+      if e.message.match?(/invalid.*subtype/i)
+        render_invalid_subtype_error(e)
+      else
+        render_invalid_relationship_error(e)
+      end
+    rescue ActiveSupport::MessageVerifier::InvalidSignature => e
+      render_invalid_signed_id_error(e)
+    end
+
+    def update
+      authorize_resource_action!(@resource, action: :update)
+      params_hash = deserialize_params(:update)
+      attachment_params = extract_active_storage_params_from_hash(params_hash, model_class)
+      # Remove attachment params from regular params
+      attachment_params.each_key { |key| params_hash.delete(key.to_s) }
+
+      if @resource.update(params_hash)
+        attach_active_storage_files(@resource, attachment_params, resource_class: @resource_class)
+        emit_resource_event(:updated, @resource)
+        render json: serialize_resource(@resource), status: :ok
+      else
+        render_validation_errors(@resource)
+      end
+    rescue ArgumentError => e
+      render_invalid_relationship_error(e)
+    rescue JSONAPI::Exceptions::ParameterNotAllowed => e
+      render_parameter_not_allowed_error(e)
+    rescue ActiveSupport::MessageVerifier::InvalidSignature => e
+      render_invalid_signed_id_error(e)
+    end
+
+    def destroy
+      authorize_resource_action!(@resource, action: :destroy)
+      resource_id = @resource.id
+      resource_type_name = resource_type
+      if @resource.destroy
+        emit_resource_event(:deleted, @resource, resource_id:, resource_type: resource_type_name)
+        head :no_content
+      else
+        render_validation_errors(@resource)
+      end
+    end
+
+    def build_resource_from_params
+      params_hash = deserialize_params(:create)
+      attachment_params = extract_active_storage_params_from_hash(params_hash, model_class)
+      # Remove attachment params from regular params
+      attachment_params.each_key { |key| params_hash.delete(key.to_s) }
+      model_class.new(params_hash)
+    end
+
+    def deserialize_params(action = :update, model_class: nil)
+      params_hash = raw_jsonapi_data
+      target_model_class = model_class || self.model_class
+      deserializer = JSONAPI::Deserializer.new(params_hash, model_class: target_model_class, action:)
+      deserializer.to_model_attributes
+    end
+
+    def render_invalid_signed_id_error(error)
+      render_jsonapi_error(
+        status: 400,
+        title: "Invalid Signed ID",
+        detail: "Invalid signed blob ID provided: #{error.message}"
+      )
+    end
+
+    def determine_sti_class_for_create(_subtype = nil)
+      # Check the type directly from the payload
+      type_from_payload = raw_jsonapi_data&.dig(:type)
+
+      return model_class unless type_from_payload
+
+      # If the payload type differs from the controller's type,
+      # resolve the class for the specific type.
+      if type_from_payload == params[:resource_type]
+        model_class
+      else
+        resource_class = JSONAPI::ResourceLoader.find(type_from_payload)
+        resource_class.model_class
+      end
+    rescue JSONAPI::ResourceLoader::MissingResourceClass
+      model_class
+    end
+
+    def determine_sti_resource_class_for_create(_subtype = nil)
+      type_from_payload = raw_jsonapi_data&.dig(:type)
+      return @resource_class unless type_from_payload
+
+      if type_from_payload == params[:resource_type]
+        @resource_class
+      else
+        JSONAPI::ResourceLoader.find(type_from_payload)
+      end
+    rescue JSONAPI::ResourceLoader::MissingResourceClass
+      @resource_class
+    end
+
+    private
+
+    def load_jsonapi_resource
+      return unless params[:resource_type].present?
+
+      set_resource_name
+      set_resource_class
+      set_resource if %i[show update destroy].include?(action_name.to_sym)
+    end
+
+    def raw_jsonapi_data
+      # Access raw params to get relationships and meta before permit filters them
+      raw_data = params[:data] || params["data"]
+      return {} unless raw_data
+
+      # Convert to hash with symbolized keys, preserving nested structure including meta
+      # Use to_unsafe_h to get all params including unpermitted ones like meta
+      if raw_data.is_a?(ActionController::Parameters)
+        JSONAPI::ParamHelpers.deep_symbolize_params(raw_data.to_unsafe_h)
+      else
+        JSONAPI::ParamHelpers.deep_symbolize_params(raw_data)
+      end
+    end
+
+    def validate_filter_param
+      filters = parse_filter_param
+      return if filters.empty?
+
+      invalid_filters = find_invalid_filter_fields(filters)
+      return if invalid_filters.empty?
+
+      render_parameter_errors(
+        invalid_filters,
+        title: "Invalid Filter",
+        detail_proc: ->(filter_name) { "Invalid filter requested: #{filter_name}" },
+        source_proc: ->(filter_name) { { parameter: "filter[#{filter_name}]" } }
+      )
+    end
+
+    def find_invalid_filter_fields(filters)
+      filters.keys.reject do |filter_name|
+        valid_filter_path?(filter_name.to_s, @resource_class, model_class)
+      end
+    end
+
+    def valid_filter_path?(filter_name, resource_cls, model_cls)
+      path_parts = filter_name.split(".")
+      validate_filter_parts(path_parts, resource_cls, model_cls)
+    end
+
+    def validate_filter_parts(path_parts, resource_cls, model_cls, allow_related_columns: false)
+      return false if path_parts.empty?
+
+      if path_parts.length == 1
+        filter_name = path_parts.first
+        return true if resource_cls.permitted_filters.map(&:to_s).include?(filter_name)
+
+        if allow_related_columns
+          column_filter = parse_column_filter_name(filter_name)
+          return true if column_filter && model_cls.column_for_attribute(column_filter[:column])
+
+          return true if model_cls.column_names.include?(filter_name)
+          return true if model_cls.respond_to?(filter_name.to_sym)
+        end
+
+        return false
+      end
+
+      relationship_name, *remaining_parts = path_parts
+      return false unless relationship_allowed_for_filtering?(resource_cls, relationship_name)
+
+      association = model_cls.reflect_on_association(relationship_name.to_sym)
+      return false unless association
+
+      return valid_polymorphic_filter_parts?(remaining_parts) if association.polymorphic?
+
+      related_model = association.klass
+      related_resource_cls = JSONAPI::Resource.resource_for_model(related_model)
+      return false unless related_resource_cls
+
+      validate_filter_parts(
+        remaining_parts,
+        related_resource_cls,
+        related_model,
+        allow_related_columns: true
+      )
+    end
+
+    def relationship_allowed_for_filtering?(resource_cls, relationship_name)
+      permitted_through = resource_cls.permitted_filters_through
+      permitted_through.include?(relationship_name.to_sym) ||
+        permitted_through.map(&:to_s).include?(relationship_name.to_s)
+    end
+
+    def valid_polymorphic_filter_parts?(parts)
+      return false if parts.empty? || parts.length > 1
+
+      attribute_name = parts.first
+      match = attribute_name.match(/\A(.+)_(eq|match|lt|lte|gt|gte)\z/)
+      base_name = match ? match[1] : attribute_name
+
+      %w[id type].include?(base_name)
+    end
+
+    def parse_column_filter_name(filter_name)
+      match = filter_name.match(/\A(.+)_(eq|match|lt|lte|gt|gte)\z/)
+      return nil unless match
+
+      { column: match[1], operator: match[2].to_sym }
+    end
+
+    def validate_sort_param
+      sorts = parse_sort_param
+      return if sorts.empty?
+
+      valid_fields = valid_sort_fields_for_resource(@resource_class, model_class)
+      invalid_fields = invalid_sort_fields_for_columns(sorts, valid_fields)
+      return if invalid_fields.empty?
+
+      render_parameter_errors(
+        invalid_fields,
+        title: "Invalid Sort Field",
+        detail_proc: ->(field) { "Invalid sort field requested: #{field}" },
+        source_proc: ->(_field) { { parameter: "sort" } }
+      )
+    end
+
+    def validate_include_param
+      includes = parse_include_param
+      return if includes.empty?
+
+      invalid_paths = find_invalid_include_paths(includes)
+      return if invalid_paths.empty?
+
+      render_parameter_errors(
+        invalid_paths,
+        title: "Invalid Include Path",
+        detail_proc: ->(path) { "Invalid include path requested: #{path}" },
+        source_proc: ->(_path) { { parameter: "include" } }
+      )
+    end
+
+    def find_invalid_include_paths(includes)
+      permitted_relationships = @resource_class.relationship_names.map(&:to_s)
+      invalid_paths = []
+
+      includes.each do |include_path|
+        invalid_paths << include_path unless valid_include_path?(include_path, permitted_relationships)
+      end
+
+      invalid_paths
+    end
+
+    def valid_include_path?(include_path, permitted_relationships)
+      path_parts = include_path.split(".")
+      first_association = path_parts.first
+
+      return false unless permitted_relationships.include?(first_association)
+
+      valid_nested_path?(path_parts)
+    end
+
+    def valid_nested_path?(path_parts)
+      current_class = model_class
+
+      path_parts.each do |association_name|
+        # Check for ActiveStorage attachments
+        if self.class.active_storage_attachment?(association_name, current_class)
+          # ActiveStorage attachments point to ActiveStorage::Blob, which is a terminal relationship
+          return true
+        end
+
+        association = current_class.reflect_on_association(association_name.to_sym)
+        return false unless association
+
+        break if association.polymorphic?
+
+        current_class = association.klass
+      end
+
+      true
+    end
+
+    def preload_includes
+      includes = parse_include_param
+      return if includes.empty?
+
+      includes_hash = build_includes_hash(includes)
+      preload_resources(includes_hash)
+    rescue ActiveRecord::RecordNotFound
+      # Will be handled by set_resource
+    end
+
+    def build_includes_hash(includes)
+      includes_hash = {}
+      includes.each { |include_path| merge_include_path(includes_hash, include_path) }
+      includes_hash
+    end
+
+    def merge_include_path(includes_hash, include_path)
+      path_parts = include_path.split(".")
+      current_hash = includes_hash
+
+      path_parts.each_with_index do |part, index|
+        part_sym = part.to_sym
+        current_hash[part_sym] ||= {}
+        current_hash = current_hash[part_sym] if index < path_parts.length - 1
+      end
+    end
+
+    def preload_resources(includes_hash)
+      # Filter out ActiveStorage attachments and polymorphic associations from includes_hash
+      filtered_includes = filter_active_storage_from_includes(includes_hash, model_class)
+      filtered_includes = filter_polymorphic_from_includes(filtered_includes, model_class)
+
+      case action_name
+      when "index"
+        @preloaded_resources = filtered_includes.empty? ? model_class.all : model_class.all.includes(filtered_includes)
+      when "show"
+        @preloaded_resource = filtered_includes.empty? ? model_class.find(params[:id]) : model_class.includes(filtered_includes).find(params[:id])
+      end
+    end
+
+    def serialize_resource(resource)
+      serializer = JSONAPI::Serializer.new(resource)
+      serializer.to_hash(
+        include: parse_include_param,
+        fields: parse_fields_param,
+        document_meta: jsonapi_document_meta
+      )
+    end
+
+    def serialize_collection(resources)
+      includes = parse_include_param
+      fields = parse_fields_param
+      all_included = []
+      processed = Set.new
+
+      data = serialize_resources(resources, includes, fields, all_included, processed)
+
+      build_collection_response(data, all_included)
+    end
+
+    def serialize_resources(resources, includes, fields, all_included, processed)
+      resources.map do |resource|
+        result = serialize_single_resource(resource, includes, fields)
+        collect_included_resources(result, all_included, processed)
+        result[:data]
+      end
+    end
+
+    def serialize_single_resource(resource, includes, fields)
+      serializer = JSONAPI::Serializer.new(resource)
+      serializer.to_hash(include: includes, fields:, document_meta: nil)
+    end
+
+    def collect_included_resources(result, all_included, processed)
+      included_resources = result[:included] || []
+      included_resources.each do |included_resource|
+        add_unique_included_resource(included_resource, all_included, processed)
+      end
+    end
+
+    def add_unique_included_resource(included_resource, all_included, processed)
+      resource_key = "#{included_resource[:type]}-#{included_resource[:id]}"
+      return if processed.include?(resource_key)
+
+      all_included << included_resource
+      processed.add(resource_key)
+    end
+
+    def build_collection_response(data, all_included)
+      result = {
+        jsonapi: JSONAPI::Serializer.jsonapi_object,
+        data:
+      }
+      result[:included] = all_included if all_included.any?
+
+      pagination_meta = {}
+
+      if @pagination_applied
+        result[:links] = build_pagination_links
+        pagination_meta = build_pagination_meta
+      end
+
+      result[:meta] = jsonapi_document_meta(pagination_meta)
+
+      result
+    end
+
+    def build_pagination_links
+      page_params = parse_page_param
+      current_page = page_params["number"]&.to_i || 1
+      page_size = calculate_page_size(page_params)
+      total_pages = calculate_total_pages(page_size)
+
+      links = {
+        self: build_pagination_url(current_page, page_size),
+        first: build_pagination_url(1, page_size),
+        last: build_pagination_url(total_pages, page_size)
+      }
+      links[:prev] = build_pagination_url(current_page - 1, page_size) if current_page > 1
+      links[:next] = build_pagination_url(current_page + 1, page_size) if current_page < total_pages
+
+      links
+    end
+
+    def calculate_page_size(page_params)
+      size = page_params["size"]&.to_i || JSONAPI.configuration.default_page_size
+      [size, JSONAPI.configuration.max_page_size].min
+    end
+
+    def calculate_total_pages(page_size)
+      total_pages = (@total_count.to_f / page_size).ceil
+      total_pages.zero? ? 1 : total_pages
+    end
+
+    def build_pagination_url(page_number, page_size)
+      base_url = request.path
+      query_params = request.query_parameters.dup
+      query_params["page"] = { "number" => page_number, "size" => page_size }
+
+      query_string = build_query_string(query_params)
+      query_string.present? ? "#{base_url}?#{query_string}" : base_url
+    end
+
+    def build_query_string(query_params)
+      JSONAPI::ParamHelpers.build_query_string(query_params)
+    end
+
+    def build_pagination_meta
+      { total: @total_count }
+    end
+
+    def validate_resource_type!
+      # Skip validation if resource loading was skipped
+      return unless @resource_class
+      # Relationship endpoints carry related resource identifiers, so skip type
+      # validation for relationship requests.
+      return if params[:relationship_name].present?
+
+      requested_type = jsonapi_type
+      expected_type = resource_type
+
+      return if requested_type == expected_type
+
+      # Allow STI subtypes if posting to base endpoint
+      if model_class.respond_to?(:base_class)
+        # Check if requested type corresponds to a valid subclass
+        begin
+          requested_resource_class = JSONAPI::ResourceLoader.find(requested_type)
+          requested_model_class = requested_resource_class.model_class
+
+          # Allow if requested class is a subclass of the endpoint's class
+          return if requested_model_class < model_class
+        rescue JSONAPI::ResourceLoader::MissingResourceClass, NameError
+          # Fall through to error rendering
+        end
+      end
+
+      render_type_mismatch_error(expected_type, requested_type) and return
+    end
+
+    def validate_resource_id!
+      # Skip validation if resource loading was skipped
+      return unless @resource_class
+
+      requested_id = jsonapi_id
+      expected_id = params[:id].to_s
+
+      return if requested_id == expected_id
+
+      render_id_mismatch_error(expected_id, requested_id) and return
+    end
+
+    def render_type_mismatch_error(expected_type, requested_type)
+      detail = requested_type.nil? ? "Missing type member. Expected '#{expected_type}'" : "Type mismatch: expected '#{expected_type}', got '#{requested_type}'"
+
+      render json: {
+        errors: [
+          {
+            status: "409",
+            title: "Type Mismatch",
+            detail:,
+            source: { pointer: "/data/type" }
+          }
+        ]
+      }, status: :conflict
+    end
+
+    def render_id_mismatch_error(expected_id, requested_id)
+      render json: {
+        errors: [
+          {
+            status: "409",
+            title: "ID Mismatch",
+            detail: "ID mismatch: expected '#{expected_id}', got '#{requested_id}'",
+            source: { pointer: "/data/id" }
+          }
+        ]
+      }, status: :conflict
+    end
+
+    def resource_url(resource)
+      "/#{resource_type}/#{resource.id}"
+    end
+
+    def resource_type
+      params[:resource_type] || @resource_name.pluralize
+    end
+
+    def validate_fields_param
+      fields = parse_fields_param
+      return if fields.empty?
+
+      fields.each do |type, type_fields|
+        next if type_fields.nil? || type_fields.empty?
+
+        # Handle active_storage_blobs specially
+        if type.to_s == "active_storage_blobs"
+          invalid_fields = find_invalid_blob_fields(type_fields)
+          if invalid_fields.any?
+            render_parameter_errors(
+              invalid_fields,
+              title: "Invalid Field",
+              detail_proc: ->(field) { "Invalid field requested for active_storage_blobs: #{field}" },
+              source_proc: ->(_field) { { parameter: "fields[active_storage_blobs]" } }
+            )
+            return
+          end
+        else
+          # Only validate fields for the current resource type
+          next unless type.to_s == resource_type.to_s
+
+          invalid_fields = find_invalid_fields(type_fields)
+          if invalid_fields.any?
+            current_type = resource_type.to_s
+            render_parameter_errors(
+              invalid_fields,
+              title: "Invalid Field",
+              detail_proc: ->(field) { "Invalid field requested for #{current_type}: #{field}" },
+              source_proc: ->(_field) { { parameter: "fields[#{current_type}]" } }
+            )
+            return
+          end
+        end
+      end
+    end
+
+    def find_invalid_fields(resource_fields)
+      permitted_attributes = @resource_class.permitted_attributes.map(&:to_s)
+      resource_fields.reject { |field| permitted_attributes.include?(field.to_s) }
+    end
+
+    def find_invalid_blob_fields(blob_fields)
+      return [] unless defined?(::ActiveStorage)
+
+      permitted_attributes = JSONAPI::ActiveStorageBlobResource.permitted_attributes.map(&:to_s)
+      blob_fields.reject { |field| permitted_attributes.include?(field.to_s) }
+    end
+
+    def emit_resource_event(action, resource, resource_id: nil, resource_type: nil)
+      resource_id ||= resource.id
+      resource_type_name = resource_type || self.resource_type
+
+      changes = if action == :updated && resource.respond_to?(:previous_changes)
+                  resource.previous_changes.except("updated_at", "created_at")
+                else
+                  {}
+                end
+
+      JSONAPI::Instrumentation.resource_event(
+        action:,
+        resource_type: resource_type_name,
+        resource_id:,
+        changes:
+      )
+    end
+  end
+end