jsonapi-authorization 0.6.1 → 0.8.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: a9a2f5c4761f47b27ac197df013897413d951e18
4
- data.tar.gz: 0dc90fa1572711799e1ef4e6624bda62e2a2f49a
3
+ metadata.gz: 746cc565a11f9da30e6d9bf9d0f3125e8dea9230
4
+ data.tar.gz: b7648d6d517b0b7d20f4afe57bf199cc5e62f23d
5
5
  SHA512:
6
- metadata.gz: 836fef2f355f572781077c8e3900c5cd7be5fcf8daad691cf7da7a8b11279ebf333d1e0d16ed4d0799fb9706ccfec4e6db2331bac655cc764a344916f42b2d3d
7
- data.tar.gz: 2412d303cce1a7c8ad4030ba1b564c7988d5622631f44151fa92553990f75537db1ca814a87caa1a5239a2d9fe8437ddc7c191a3c71c31fdf68ddc1ad19f9339
6
+ metadata.gz: d2eba2b987e0ff085c67428f9c73d5b5cf95674789cd51dc0ba66d6a102334e850f8fd3d28085118f46645f804f65b1480c6b712720e66241b4aff5643dbc2f8
7
+ data.tar.gz: 743a1b1b9639490aea94fa9bc4d1648afc21a9e6926869dcdb61ba48e40e8890d32aa8432cb28d64b508fd8f3bd17933412b7568c1d06f44b18645420524a673
data/.travis.yml CHANGED
@@ -2,10 +2,8 @@ language: ruby
2
2
  cache: bundler
3
3
  sudo: false
4
4
  env:
5
- - JSONAPI_RESOURCES_VERSION=0.7.0 RAILS_VERSION=4.1.0
6
- - JSONAPI_RESOURCES_VERSION=0.7.0 RAILS_VERSION=4.2.0
7
- - JSONAPI_RESOURCES_VERSION=0.7.1.beta1 RAILS_VERSION=4.1.0
8
- - JSONAPI_RESOURCES_VERSION=0.7.1.beta1 RAILS_VERSION=4.2.0
5
+ - JSONAPI_RESOURCES_VERSION=0.8.0.beta1 RAILS_VERSION=4.1.0
6
+ - JSONAPI_RESOURCES_VERSION=0.8.0.beta1 RAILS_VERSION=4.2.0
9
7
  - JSONAPI_RESOURCES_VERSION=master RAILS_VERSION=4.2.0
10
8
  - JSONAPI_RESOURCES_VERSION=master RAILS_VERSION=4.1.0
11
9
  rvm:
data/Gemfile CHANGED
@@ -21,7 +21,7 @@ case jsonapi_resources_version
21
21
  when 'master'
22
22
  gem 'jsonapi-resources', git: 'https://github.com/cerebris/jsonapi-resources.git'
23
23
  when 'default'
24
- gem 'jsonapi-resources', '0.7.0'
24
+ gem 'jsonapi-resources', '0.8.0.beta1'
25
25
  else
26
26
  gem 'jsonapi-resources', jsonapi_resources_version
27
27
  end
data/README.md CHANGED
@@ -1,14 +1,29 @@
1
1
  # JSONAPI::Authorization
2
2
 
3
- [![Build Status](https://travis-ci.org/venuu/jsonapi-authorization.svg?branch=master)](https://travis-ci.org/venuu/jsonapi-authorization) [![Gem Version](https://badge.fury.io/rb/jsonapi-authorization.png)](http://badge.fury.io/rb/jsonapi-authorization)
3
+ [![Build Status](https://img.shields.io/travis/venuu/jsonapi-authorization/master.svg?style=flat&maxAge=3600)](https://travis-ci.org/venuu/jsonapi-authorization) [![Gem Version](https://img.shields.io/gem/v/jsonapi-authorization.svg?style=flat&maxAge=3600)](https://rubygems.org/gems/jsonapi-authorization)
4
4
 
5
- `JSONAPI::Authorization` adds authorization to the [jsonapi-resources][jr] (JR) gem using [Pundit][pundit].
5
+ **NOTE:** This README is the documentation for `JSONAPI::Authorization`. If you are viewing this at the
6
+ [project page on Github](https://github.com/venuu/jsonapi-authorization) you are viewing the documentation for the `master`
7
+ branch. This may contain information that is not relevant to the release you are using. Please see the README for the
8
+ [version](https://github.com/venuu/jsonapi-authorization/releases) you are using.
9
+
10
+ ---
6
11
 
7
- ***PLEASE NOTE:*** This gem currently handles only a subset of operations available in JR. This gem is still considered to be ***alpha quality*** and therefore you shouldn't rely on it on production (yet).
12
+ `JSONAPI::Authorization` adds authorization to the [jsonapi-resources][jr] (JR) gem using [Pundit][pundit].
8
13
 
9
14
  [jr]: https://github.com/cerebris/jsonapi-resources "A resource-focused Rails library for developing JSON API compliant servers."
10
15
  [pundit]: https://github.com/elabs/pundit "Minimal authorization through OO design and pure Ruby classes"
11
16
 
17
+ ## Caveats
18
+
19
+ Make sure to test for authorization in your application, too. We should have coverage of all operations, though. If that isn't the case, please [open an issue][issues].
20
+
21
+ This gem should work out-of-the box for simple cases. The default authorizer might be overly restrictive for [more complex cases][complex-case].
22
+
23
+ The API is subject to change between minor version bumps until we reach v1.0.0.
24
+
25
+ [complex-case]: https://github.com/venuu/jsonapi-authorization/issues/15
26
+
12
27
  ## Installation
13
28
 
14
29
  Add this line to your application's Gemfile:
@@ -25,27 +40,43 @@ Or install it yourself as:
25
40
 
26
41
  $ gem install jsonapi-authorization
27
42
 
43
+ ## Compatibility
44
+
45
+ * `v0.6.x` supports JR `v0.7.x`
46
+ * `v0.8.x` supports JR `v0.8.x`
47
+
48
+ We aim to support the same Ruby and Ruby on Rails versions as `jsonapi-resources` does. If that's not the case, please [open an issue][issues].
49
+
28
50
  ## Usage
29
51
 
30
- Make sure you have a Pundit policy specified for every backing model that your JR resources use. Then hook this gem up to your application like so:
52
+ First make sure you have a Pundit policy specified for every backing model that your JR resources use.
53
+
54
+ Hook up this gem as the default processor for JR, and optionally allow rescuing from `Pundit::NotAuthorizedError` to output better errors for unauthorized requests:
31
55
 
32
56
  ```ruby
57
+ # config/initializers/jsonapi-resources.rb
33
58
  JSONAPI.configure do |config|
34
- config.operations_processor = :jsonapi_authorization
59
+ config.default_processor_klass = JSONAPI::Authorization::AuthorizingProcessor
60
+ config.exception_class_whitelist = [Pundit::NotAuthorizedError]
35
61
  end
36
62
  ```
37
63
 
38
- Make all your JR controllers specify the user in the `context` if you are using the default authorizer class (see [Configuration](#configuration) below):
64
+ Make all your JR controllers specify the user in the `context` and rescue errors thrown by unauthorized requests:
39
65
 
40
66
  ```ruby
41
67
  class BaseResourceController < ActionController::Base
42
68
  include JSONAPI::ActsAsResourceController
69
+ rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
43
70
 
44
71
  private
45
72
 
46
73
  def context
47
74
  {user: current_user}
48
75
  end
76
+
77
+ def user_not_authorized
78
+ head :forbidden
79
+ end
49
80
  end
50
81
  ```
51
82
 
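Review bot: The sentence at new line 54 calls the `exception_class_whitelist` entry optional, but the controller example at new line 69 adds `rescue_from Pundit::NotAuthorizedError` unconditionally, and the README text removed in the next hunk (old line 61) described the `rescue_from` hook and the whitelist as a pair. Say plainly that the `rescue_from` handler relies on the whitelist line, or drop "optionally", so a reader who skips the whitelist does not assume `head :forbidden` will still be returned.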
@@ -58,49 +89,28 @@ class BaseResource < JSONAPI::Resource
58
89
  end
59
90
  ```
60
91
 
61
- If you want to send a custom response for unauthorized requests, add a `rescue_from` hook to your `BaseResourceController` and whitelist `Pundit::NotAuthorizedError` in your JR configuration.
62
-
63
- ## Known bugs
92
+ ## Configuration
64
93
 
65
- There is a bug affecting `jsonapi-resources` error whitelisting, see https://github.com/cerebris/jsonapi-resources/pull/573. To make your whitelisting and `rescue_from` to work properly, here is a potential workaround:
94
+ You can use a custom authorizer class by specifying a configure block in an initializer file. If using a custom authorizer class, be sure to require them at the top of the initializer before usage.
66
95
 
67
96
  ```ruby
68
- JSONAPI.configure do |config|
69
- config.exception_class_whitelist = [Pundit::NotAuthorizedError]
97
+ JSONAPI::Authorization.configure do |config|
98
+ config.authorizer = MyCustomAuthorizer
70
99
  end
71
100
  ```
72
101
 
73
- ```ruby
74
- class BaseResourceController < ActionController::Base
75
- rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
102
+ ## Troubleshooting
76
103
 
77
- private
104
+ ### "Unable to find policy" exception for a request
78
105
 
79
- # https://github.com/cerebris/jsonapi-resources/pull/573
80
- def handle_exceptions(e)
81
- if JSONAPI.configuration.exception_class_whitelist.any? { |k| e.class.ancestors.include?(k) }
82
- raise e
83
- else
84
- super
85
- end
86
- end
106
+ The exception might look like this for resource class `ArticleResource` that is backed by `Article` model:
87
107
 
88
- def user_not_authorized
89
- head :forbidden
90
- end
91
- end
92
108
  ```
93
-
94
- ## Configuration
95
-
96
- You can use a custom authorizer class by specifying a configure block in an initializer file. If using a custom authorizer class, be sure to require them at the top of the initializer before usage.
97
-
98
- ```ruby
99
- JSONAPI::Authorization.configure do |config|
100
- config.authorizer = MyCustomAuthorizer
101
- end
109
+ unable to find policy `ArticlePolicy` for `Article'
102
110
  ```
103
111
 
112
+ This means that you don't have a policy class created for your model. Create one and the error should go away.
113
+
104
114
  ## Development
105
115
 
106
116
  After checking out the repo, run `bundle install` to install dependencies. Then, run `bundle exec rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
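Review bot: The "Known bugs" section and its `handle_exceptions` override for jsonapi-resources pull 573 are removed (old lines 63 to 91) with nothing stating whether JR 0.8.0.beta1 contains that fix. Add one line to the README or a changelog saying the workaround is no longer needed on JR 0.8.x, so applications that copied the override know whether they can delete it.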
@@ -114,3 +124,5 @@ Originally based on discussion and code samples by [@barelyknown](https://github
114
124
  ## Contributing
115
125
 
116
126
  Bug reports and pull requests are welcome on GitHub at https://github.com/venuu/jsonapi-authorization.
127
+
128
+ [issues]: https://github.com/venuu/jsonapi-authorization/issues
@@ -17,7 +17,7 @@ Gem::Specification.new do |spec|
17
17
  spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
18
18
  spec.require_paths = ["lib"]
19
19
 
20
- spec.add_dependency "jsonapi-resources", "~> 0.7.0"
20
+ spec.add_dependency "jsonapi-resources", "~> 0.8.0.beta1"
21
21
  spec.add_dependency "pundit", "~> 1.0"
22
22
 
23
23
  spec.add_development_dependency "bundler", "~> 1.11"
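Review bot: New line 20 makes a prerelease, `~> 0.8.0.beta1`, a runtime dependency of a gem version that is itself published as a final 0.8.0. Everyone installing 0.8.0 will resolve a beta of jsonapi-resources; state that in the README Compatibility list, which only says `v0.8.x` supports JR `v0.8.x`, or move the constraint to `~> 0.8.0` once a final JR 0.8.0 exists.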
@@ -1,5 +1,5 @@
1
1
  require "jsonapi-resources"
2
- require "jsonapi/authorization/authorizing_operations_processor"
2
+ require "jsonapi/authorization/authorizing_processor"
3
3
  require "jsonapi/authorization/configuration"
4
4
  require "jsonapi/authorization/default_pundit_authorizer"
5
5
  require "jsonapi/authorization/pundit_scoped_resource"
@@ -12,4 +12,4 @@ module JSONAPI
12
12
  end
13
13
 
14
14
  # Allows JSONAPI configuration of operations_processor using the symbol :jsonapi_authorization
15
- JsonapiAuthorizationOperationsProcessor = JSONAPI::Authorization::AuthorizingOperationsProcessor
15
+ JsonapiAuthorizationProcessor = JSONAPI::Authorization::AuthorizingProcessor
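Review bot: The unchanged comment at line 14 still describes configuring `operations_processor` with the symbol `:jsonapi_authorization`, but line 15 renames the constant to `JsonapiAuthorizationProcessor` and the README in this release configures `default_processor_klass` with the class itself. Update or remove the comment, and since `JsonapiAuthorizationOperationsProcessor` disappears without an alias, document the rename as a breaking change for applications that still use the old setting.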
@@ -2,39 +2,39 @@ require 'pundit'
2
2
 
3
3
  module JSONAPI
4
4
  module Authorization
5
- class AuthorizingOperationsProcessor < ::ActiveRecordOperationsProcessor
6
- set_callback :find_operation, :before, :authorize_find
7
- set_callback :show_operation, :before, :authorize_show
8
- set_callback :show_relationship_operation, :before, :authorize_show_relationship
9
- set_callback :show_related_resource_operation, :before, :authorize_show_related_resource
10
- set_callback :show_related_resources_operation, :before, :authorize_show_related_resources
11
- set_callback :create_resource_operation, :before, :authorize_create_resource
12
- set_callback :remove_resource_operation, :before, :authorize_remove_resource
13
- set_callback :replace_fields_operation, :before, :authorize_replace_fields
14
- set_callback :replace_to_one_relationship_operation, :before, :authorize_replace_to_one_relationship
15
- set_callback :create_to_many_relationship_operation, :before, :authorize_create_to_many_relationship
16
- set_callback :replace_to_many_relationship_operation, :before, :authorize_replace_to_many_relationship
17
- set_callback :remove_to_many_relationship_operation, :before, :authorize_remove_to_many_relationship
18
- set_callback :remove_to_one_relationship_operation, :before, :authorize_remove_to_one_relationship
5
+ class AuthorizingProcessor < JSONAPI::Processor
6
+ set_callback :find, :before, :authorize_find
7
+ set_callback :show, :before, :authorize_show
8
+ set_callback :show_relationship, :before, :authorize_show_relationship
9
+ set_callback :show_related_resource, :before, :authorize_show_related_resource
10
+ set_callback :show_related_resources, :before, :authorize_show_related_resources
11
+ set_callback :create_resource, :before, :authorize_create_resource
12
+ set_callback :remove_resource, :before, :authorize_remove_resource
13
+ set_callback :replace_fields, :before, :authorize_replace_fields
14
+ set_callback :replace_to_one_relationship, :before, :authorize_replace_to_one_relationship
15
+ set_callback :create_to_many_relationship, :before, :authorize_create_to_many_relationship
16
+ set_callback :replace_to_many_relationship, :before, :authorize_replace_to_many_relationship
17
+ set_callback :remove_to_many_relationship, :before, :authorize_remove_to_many_relationship
18
+ set_callback :remove_to_one_relationship, :before, :authorize_remove_to_one_relationship
19
19
 
20
20
  [
21
- :find_operation,
22
- :show_operation,
23
- :show_related_resource_operation,
24
- :show_related_resources_operation,
25
- :create_resource_operation,
26
- :replace_fields_operation
21
+ :find,
22
+ :show,
23
+ :show_related_resource,
24
+ :show_related_resources,
25
+ :create_resource,
26
+ :replace_fields
27
27
  ].each do |op_name|
28
28
  set_callback op_name, :after, :authorize_include_directive
29
29
  end
30
30
 
31
31
  def authorize_include_directive
32
- return if @result.is_a?(::JSONAPI::ErrorsOperationResult)
32
+ return if result.is_a?(::JSONAPI::ErrorsOperationResult)
33
33
  resources = Array.wrap(
34
- if @result.respond_to?(:resources)
35
- @result.resources
36
- elsif @result.respond_to?(:resource)
37
- @result.resource
34
+ if result.respond_to?(:resources)
35
+ result.resources
36
+ elsif result.respond_to?(:resource)
37
+ result.resource
38
38
  end
39
39
  )
40
40
 
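Review bot: Authorization in lines 6 to 18 is opt-in per operation: an operation is checked only because its name appears in this `set_callback` list, so a name that is missing here, or an operation added upstream later, would be processed with no authorizer call. Add a spec that enumerates the operations the processor handles and fails when any of them lacks a `:before` authorization callback; that would back the README statement about coverage of all operations.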
@@ -44,30 +44,30 @@ module JSONAPI
44
44
  end
45
45
 
46
46
  def authorize_find
47
- authorizer.find(@operation.resource_klass._model_class)
47
+ authorizer.find(@resource_klass._model_class)
48
48
  end
49
49
 
50
50
  def authorize_show
51
- record = @operation.resource_klass.find_by_key(
51
+ record = @resource_klass.find_by_key(
52
52
  operation_resource_id,
53
- context: operation_context
53
+ context: context
54
54
  )._model
55
55
 
56
56
  authorizer.show(record)
57
57
  end
58
58
 
59
59
  def authorize_show_relationship
60
- parent_resource = @operation.resource_klass.find_by_key(
61
- @operation.parent_key,
62
- context: operation_context
60
+ parent_resource = @resource_klass.find_by_key(
61
+ params[:parent_key],
62
+ context: context
63
63
  )
64
64
 
65
- relationship = @operation.resource_klass._relationship(@operation.relationship_type)
65
+ relationship = @resource_klass._relationship(params[:relationship_type].to_sym)
66
66
 
67
67
  related_resource =
68
68
  case relationship
69
69
  when JSONAPI::Relationship::ToOne
70
- parent_resource.public_send(@operation.relationship_type)
70
+ parent_resource.public_send(params[:relationship_type].to_sym)
71
71
  when JSONAPI::Relationship::ToMany
72
72
  # Do nothing — already covered by policy scopes
73
73
  else
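Review bot: In `authorize_show_relationship`, `params[:relationship_type].to_sym` is evaluated at new line 65 for the `_relationship` lookup and again at line 70 for `public_send`. Assign it once to a local, as the next hunk does with `relationship_type = params[:relationship_type].to_sym`, and pass that local to both calls so the name that was looked up is visibly the same one that is sent.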
@@ -80,12 +80,13 @@ module JSONAPI
80
80
  end
81
81
 
82
82
  def authorize_show_related_resource
83
- source_resource = @operation.source_klass.find_by_key(
84
- @operation.source_id,
85
- context: operation_context
86
- )
83
+ source_klass = params[:source_klass]
84
+ source_id = params[:source_id]
85
+ relationship_type = params[:relationship_type].to_sym
86
+
87
+ source_resource = source_klass.find_by_key(source_id, context: context)
87
88
 
88
- related_resource = source_resource.public_send(@operation.relationship_type)
89
+ related_resource = source_resource.public_send(relationship_type)
89
90
 
90
91
  source_record = source_resource._model
91
92
  related_record = related_resource._model unless related_resource.nil?
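Review bot: New line 89 calls `source_resource.public_send(relationship_type)` with a symbol built from `params` and no lookup beforehand, whereas `authorize_show_relationship` in the previous hunk resolves the name through `_relationship(...)` and branches on the result before sending. Resolve `source_klass._relationship(relationship_type)` here as well and raise when it is not a declared relationship, so the dynamic call is limited to relationship accessors.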
@@ -93,50 +94,50 @@ module JSONAPI
93
94
  end
94
95
 
95
96
  def authorize_show_related_resources
96
- source_record = @operation.source_klass.find_by_key(
97
- @operation.source_id,
98
- context: operation_context
97
+ source_record = params[:source_klass].find_by_key(
98
+ params[:source_id],
99
+ context: context
99
100
  )._model
100
101
 
101
102
  authorizer.show_related_resources(source_record)
102
103
  end
103
104
 
104
105
  def authorize_replace_fields
105
- source_record = @operation.resource_klass.find_by_key(
106
- @operation.resource_id,
107
- context: operation_context
106
+ source_record = @resource_klass.find_by_key(
107
+ params[:resource_id],
108
+ context: context
108
109
  )._model
109
110
 
110
111
  authorizer.replace_fields(source_record, related_models)
111
112
  end
112
113
 
113
114
  def authorize_create_resource
114
- source_class = @operation.resource_klass._model_class
115
+ source_class = @resource_klass._model_class
115
116
 
116
117
  authorizer.create_resource(source_class, related_models)
117
118
  end
118
119
 
119
120
  def authorize_remove_resource
120
- record = @operation.resource_klass.find_by_key(
121
+ record = @resource_klass.find_by_key(
121
122
  operation_resource_id,
122
- context: operation_context
123
+ context: context
123
124
  )._model
124
125
 
125
126
  authorizer.remove_resource(record)
126
127
  end
127
128
 
128
129
  def authorize_replace_to_one_relationship
129
- source_resource = @operation.resource_klass.find_by_key(
130
- @operation.resource_id,
131
- context: operation_context
130
+ source_resource = @resource_klass.find_by_key(
131
+ params[:resource_id],
132
+ context: context
132
133
  )
133
134
  source_record = source_resource._model
134
135
 
135
- old_related_record = source_resource.records_for(@operation.relationship_type)
136
- unless @operation.key_value.nil?
137
- new_related_resource = @operation.resource_klass._relationship(@operation.relationship_type).resource_klass.find_by_key(
138
- @operation.key_value,
139
- context: operation_context
136
+ old_related_record = source_resource.records_for(params[:relationship_type].to_sym)
137
+ unless params[:key_value].nil?
138
+ new_related_resource = @resource_klass._relationship(params[:relationship_type].to_sym).resource_klass.find_by_key(
139
+ params[:key_value],
140
+ context: context
140
141
  )
141
142
  new_related_record = new_related_resource._model unless new_related_resource.nil?
142
143
  end
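Review bot: Resource ids are read two ways in this hunk: `authorize_replace_fields` (new line 107) and `authorize_replace_to_one_relationship` (line 131) use `params[:resource_id]` directly, while `authorize_remove_resource` (line 122) still goes through `operation_resource_id`, whose `else` branch returns the same key. Pick one form for these methods, and break up line 138, which now chains `_relationship(...).resource_klass.find_by_key(` in a single statement.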
@@ -149,25 +150,25 @@ module JSONAPI
149
150
  end
150
151
 
151
152
  def authorize_create_to_many_relationship
152
- source_record = @operation.resource_klass.find_by_key(
153
- @operation.resource_id,
154
- context: operation_context
153
+ source_record = @resource_klass.find_by_key(
154
+ params[:resource_id],
155
+ context: context
155
156
  )._model
156
157
 
157
158
  related_models =
158
- model_class_for_relationship(@operation.relationship_type).find(@operation.data)
159
+ model_class_for_relationship(params[:relationship_type].to_sym).find(params[:data])
159
160
 
160
161
  authorizer.create_to_many_relationship(source_record, related_models)
161
162
  end
162
163
 
163
164
  def authorize_replace_to_many_relationship
164
- source_resource = @operation.resource_klass.find_by_key(
165
- @operation.resource_id,
166
- context: operation_context
165
+ source_resource = @resource_klass.find_by_key(
166
+ params[:resource_id],
167
+ context: context
167
168
  )
168
169
  source_record = source_resource._model
169
170
 
170
- related_records = source_resource.records_for(@operation.relationship_type)
171
+ related_records = source_resource.records_for(params[:relationship_type].to_sym)
171
172
 
172
173
  authorizer.replace_to_many_relationship(
173
174
  source_record,
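Review bot: At new line 159 the related records are loaded with `model_class_for_relationship(...).find(params[:data])`, a plain model lookup, while the other lookups shown in this diff go through `find_by_key(..., context: context)` on a resource class. Load them through the related resource class with the context so any resource-level record restrictions apply before `authorizer.create_to_many_relationship` receives them, or add a comment explaining why the raw model lookup is intended.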
@@ -176,15 +177,15 @@ module JSONAPI
176
177
  end
177
178
 
178
179
  def authorize_remove_to_many_relationship
179
- source_resource = @operation.resource_klass.find_by_key(
180
- @operation.resource_id,
181
- context: operation_context
180
+ source_resource = @resource_klass.find_by_key(
181
+ params[:resource_id],
182
+ context: context
182
183
  )
183
184
  source_record = source_resource._model
184
185
 
185
- related_resource = @operation.resource_klass._relationship(@operation.relationship_type).resource_klass.find_by_key(
186
- @operation.associated_key,
187
- context: operation_context
186
+ related_resource = @resource_klass._relationship(params[:relationship_type].to_sym).resource_klass.find_by_key(
187
+ params[:associated_key],
188
+ context: context
188
189
  )
189
190
  related_record = related_resource._model unless related_resource.nil?
190
191
 
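Review bot: New line 186 spells out `@resource_klass._relationship(params[:relationship_type].to_sym).resource_klass` inline although the private helper `resource_class_for_relationship(assoc_name)` at line 229 returns exactly that. Call the helper here, and at line 138 in `authorize_replace_to_one_relationship`, to shorten the line and keep the relationship lookup in one place.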
@@ -195,12 +196,12 @@ module JSONAPI
195
196
  end
196
197
 
197
198
  def authorize_remove_to_one_relationship
198
- source_resource = @operation.resource_klass.find_by_key(
199
- @operation.resource_id,
200
- context: operation_context
199
+ source_resource = @resource_klass.find_by_key(
200
+ params[:resource_id],
201
+ context: context
201
202
  )
202
203
 
203
- related_resource = source_resource.public_send(@operation.relationship_type)
204
+ related_resource = source_resource.public_send(params[:relationship_type].to_sym)
204
205
 
205
206
  source_record = source_resource._model
206
207
  related_record = related_resource._model unless related_resource.nil?
@@ -210,33 +211,23 @@ module JSONAPI
210
211
  private
211
212
 
212
213
  def authorizer
213
- @authorizer ||= ::JSONAPI::Authorization.configuration.authorizer.new(operation_context)
214
- end
215
-
216
- # TODO: Communicate with upstream to fix this nasty hack
217
- def operation_context
218
- case @operation
219
- when JSONAPI::ShowRelatedResourcesOperation
220
- @operation.instance_variable_get('@options')[:context]
221
- else
222
- @operation.options[:context]
223
- end
214
+ @authorizer ||= ::JSONAPI::Authorization.configuration.authorizer.new(context)
224
215
  end
225
216
 
226
217
  # TODO: Communicate with upstream to fix this nasty hack
227
218
  def operation_resource_id
228
- case @operation
229
- when JSONAPI::ShowOperation
230
- @operation.id
231
- when JSONAPI::ShowRelatedResourcesOperation
232
- @operation.source_id
219
+ case operation_type
220
+ when :show
221
+ params[:id]
222
+ when :show_related_resources
223
+ params[:source_id]
233
224
  else
234
- @operation.resource_id
225
+ params[:resource_id]
235
226
  end
236
227
  end
237
228
 
238
229
  def resource_class_for_relationship(assoc_name)
239
- @operation.resource_klass._relationship(assoc_name).resource_klass
230
+ @resource_klass._relationship(assoc_name).resource_klass
240
231
  end
241
232
 
242
233
  def model_class_for_relationship(assoc_name)
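Review bot: `operation_resource_id` keeps its "nasty hack" TODO at new line 217, but now that ids come from the `params` hash it only maps `:show` to `params[:id]` and `:show_related_resources` to `params[:source_id]`. The callers visible in this diff are `authorize_show` and `authorize_remove_resource`; reading `params[:id]` and `params[:resource_id]` in those two methods would let the helper and the TODO be deleted. Separately, `@resource_klass` at line 230 is read as an instance variable while `context`, `params` and `result` are called as methods; settle on one style.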
@@ -244,15 +235,15 @@ module JSONAPI
244
235
  end
245
236
 
246
237
  def related_models
247
- data = @operation.options[:data]
238
+ data = params[:data]
248
239
  return [] if data.nil?
249
240
 
250
241
  [:to_one, :to_many].flat_map do |rel_type|
251
242
  data[rel_type].flat_map do |assoc_name, assoc_value|
252
243
  case assoc_value
253
244
  when Hash # polymorphic relationship
254
- resource_class = @operation.resource_klass.resource_for(assoc_value[:type].to_s)
255
- resource_class.find_by_key(assoc_value[:id], context: @operation.options[:context])._model
245
+ resource_class = @resource_klass.resource_for(assoc_value[:type].to_s)
246
+ resource_class.find_by_key(assoc_value[:id], context: context)._model
256
247
  else
257
248
  resource_class = resource_class_for_relationship(assoc_name)
258
249
  primary_key = resource_class._primary_key
@@ -263,9 +254,9 @@ module JSONAPI
263
254
  end
264
255
 
265
256
  def authorize_model_includes(source_record)
266
- if @request.include_directives
267
- @request.include_directives.model_includes.each do |include_item|
268
- authorize_include_item(@operation.resource_klass, source_record, include_item)
257
+ if params[:include_directives]
258
+ params[:include_directives].model_includes.each do |include_item|
259
+ authorize_include_item(@resource_klass, source_record, include_item)
269
260
  end
270
261
  end
271
262
  end
@@ -280,7 +271,7 @@ module JSONAPI
280
271
  next_resource_klass = relationship.resource_klass
281
272
  Array.wrap(
282
273
  source_record.public_send(
283
- relationship.relation_name(@operation.options[:context])
274
+ relationship.relation_name(context)
284
275
  )
285
276
  ).each do |next_source_record|
286
277
  deep.each do |next_include_item|
@@ -297,7 +288,7 @@ module JSONAPI
297
288
  case relationship
298
289
  when JSONAPI::Relationship::ToOne
299
290
  related_record = source_record.public_send(
300
- relationship.relation_name(@operation.options[:context])
291
+ relationship.relation_name(context)
301
292
  )
302
293
  return if related_record.nil?
303
294
  authorizer.include_has_one_resource(source_record, related_record)
@@ -1,5 +1,5 @@
1
1
  module JSONAPI
2
2
  module Authorization
3
- VERSION = "0.6.1".freeze
3
+ VERSION = "0.8.0".freeze
4
4
  end
5
5
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: jsonapi-authorization
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.6.1
4
+ version: 0.8.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Vesa Laakso
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2016-04-25 00:00:00.000000000 Z
12
+ date: 2016-08-04 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: jsonapi-resources
@@ -17,14 +17,14 @@ dependencies:
17
17
  requirements:
18
18
  - - "~>"
19
19
  - !ruby/object:Gem::Version
20
- version: 0.7.0
20
+ version: 0.8.0.beta1
21
21
  type: :runtime
22
22
  prerelease: false
23
23
  version_requirements: !ruby/object:Gem::Requirement
24
24
  requirements:
25
25
  - - "~>"
26
26
  - !ruby/object:Gem::Version
27
- version: 0.7.0
27
+ version: 0.8.0.beta1
28
28
  - !ruby/object:Gem::Dependency
29
29
  name: pundit
30
30
  requirement: !ruby/object:Gem::Requirement
@@ -174,7 +174,7 @@ files:
174
174
  - jsonapi-authorization.gemspec
175
175
  - lib/jsonapi-authorization.rb
176
176
  - lib/jsonapi/authorization.rb
177
- - lib/jsonapi/authorization/authorizing_operations_processor.rb
177
+ - lib/jsonapi/authorization/authorizing_processor.rb
178
178
  - lib/jsonapi/authorization/configuration.rb
179
179
  - lib/jsonapi/authorization/default_pundit_authorizer.rb
180
180
  - lib/jsonapi/authorization/pundit_scoped_resource.rb