jsonapi-authorization 0.6.1 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a9a2f5c4761f47b27ac197df013897413d951e18
-  data.tar.gz: 0dc90fa1572711799e1ef4e6624bda62e2a2f49a
+  metadata.gz: 746cc565a11f9da30e6d9bf9d0f3125e8dea9230
+  data.tar.gz: b7648d6d517b0b7d20f4afe57bf199cc5e62f23d
 SHA512:
-  metadata.gz: 836fef2f355f572781077c8e3900c5cd7be5fcf8daad691cf7da7a8b11279ebf333d1e0d16ed4d0799fb9706ccfec4e6db2331bac655cc764a344916f42b2d3d
-  data.tar.gz: 2412d303cce1a7c8ad4030ba1b564c7988d5622631f44151fa92553990f75537db1ca814a87caa1a5239a2d9fe8437ddc7c191a3c71c31fdf68ddc1ad19f9339
+  metadata.gz: d2eba2b987e0ff085c67428f9c73d5b5cf95674789cd51dc0ba66d6a102334e850f8fd3d28085118f46645f804f65b1480c6b712720e66241b4aff5643dbc2f8
+  data.tar.gz: 743a1b1b9639490aea94fa9bc4d1648afc21a9e6926869dcdb61ba48e40e8890d32aa8432cb28d64b508fd8f3bd17933412b7568c1d06f44b18645420524a673

data/.travis.yml

@@ -2,10 +2,8 @@ language: ruby
 cache: bundler
 sudo: false
 env:
-  - JSONAPI_RESOURCES_VERSION=0.7.0 RAILS_VERSION=4.1.0
-  - JSONAPI_RESOURCES_VERSION=0.7.0 RAILS_VERSION=4.2.0
-  - JSONAPI_RESOURCES_VERSION=0.7.1.beta1 RAILS_VERSION=4.1.0
-  - JSONAPI_RESOURCES_VERSION=0.7.1.beta1 RAILS_VERSION=4.2.0
+  - JSONAPI_RESOURCES_VERSION=0.8.0.beta1 RAILS_VERSION=4.1.0
+  - JSONAPI_RESOURCES_VERSION=0.8.0.beta1 RAILS_VERSION=4.2.0
   - JSONAPI_RESOURCES_VERSION=master RAILS_VERSION=4.2.0
   - JSONAPI_RESOURCES_VERSION=master RAILS_VERSION=4.1.0
 rvm:

data/Gemfile

@@ -21,7 +21,7 @@ case jsonapi_resources_version
 when 'master'
   gem 'jsonapi-resources', git: 'https://github.com/cerebris/jsonapi-resources.git'
 when 'default'
-  gem 'jsonapi-resources', '0.7.0'
+  gem 'jsonapi-resources', '0.8.0.beta1'
 else
   gem 'jsonapi-resources', jsonapi_resources_version
 end

data/README.md

@@ -1,14 +1,29 @@
 # JSONAPI::Authorization
 
-[![Build Status](https://travis-ci.org/venuu/jsonapi-authorization.svg?branch=master)](https://travis-ci.org/venuu/jsonapi-authorization) [![Gem Version](https://badge.fury.io/rb/jsonapi-authorization.png)](http://badge.fury.io/rb/jsonapi-authorization)
+[![Build Status](https://img.shields.io/travis/venuu/jsonapi-authorization/master.svg?style=flat&maxAge=3600)](https://travis-ci.org/venuu/jsonapi-authorization) [![Gem Version](https://img.shields.io/gem/v/jsonapi-authorization.svg?style=flat&maxAge=3600)](https://rubygems.org/gems/jsonapi-authorization)
 
-`JSONAPI::Authorization` adds authorization to the [jsonapi-resources][jr] (JR) gem using [Pundit][pundit].
+**NOTE:** This README is the documentation for `JSONAPI::Authorization`. If you are viewing this at the
+[project page on Github](https://github.com/venuu/jsonapi-authorization) you are viewing the documentation for the `master`
+branch. This may contain information that is not relevant to the release you are using. Please see the README for the
+[version](https://github.com/venuu/jsonapi-authorization/releases) you are using.
+
+ ---
 
-***PLEASE NOTE:*** This gem currently handles only a subset of operations available in JR. This gem is still considered to be ***alpha quality*** and therefore you shouldn't rely on it on production (yet).
+`JSONAPI::Authorization` adds authorization to the [jsonapi-resources][jr] (JR) gem using [Pundit][pundit].
 
   [jr]: https://github.com/cerebris/jsonapi-resources "A resource-focused Rails library for developing JSON API compliant servers."
   [pundit]: https://github.com/elabs/pundit "Minimal authorization through OO design and pure Ruby classes"
 
+## Caveats
+
+Make sure to test for authorization in your application, too. We should have coverage of all operations, though. If that isn't the case, please [open an issue][issues].
+
+This gem should work out-of-the box for simple cases. The default authorizer might be overly restrictive for [more complex cases][complex-case].
+
+The API is subject to change between minor version bumps until we reach v1.0.0.
+
+  [complex-case]: https://github.com/venuu/jsonapi-authorization/issues/15
+
 ## Installation
 
 Add this line to your application's Gemfile:
@@ -25,27 +40,43 @@ Or install it yourself as:
 
     $ gem install jsonapi-authorization
 
+## Compatibility
+
+* `v0.6.x` supports JR `v0.7.x`
+* `v0.8.x` supports JR `v0.8.x`
+
+We aim to support the same Ruby and Ruby on Rails versions as `jsonapi-resources` does. If that's not the case, please [open an issue][issues].
+
 ## Usage
 
-Make sure you have a Pundit policy specified for every backing model that your JR resources use. Then hook this gem up to your application like so:
+First make sure you have a Pundit policy specified for every backing model that your JR resources use.
+
+Hook up this gem as the default processor for JR, and optionally allow rescuing from `Pundit::NotAuthorizedError` to output better errors for unauthorized requests:
 
 ```ruby
+# config/initializers/jsonapi-resources.rb
 JSONAPI.configure do |config|
-  config.operations_processor = :jsonapi_authorization
+  config.default_processor_klass = JSONAPI::Authorization::AuthorizingProcessor
+  config.exception_class_whitelist = [Pundit::NotAuthorizedError]
 end
 ```
 
-Make all your JR controllers specify the user in the `context` if you are using the default authorizer class (see [Configuration](#configuration) below):
+Make all your JR controllers specify the user in the `context` and rescue errors thrown by unauthorized requests:
 
 ```ruby
 class BaseResourceController < ActionController::Base
   include JSONAPI::ActsAsResourceController
+  rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
 
   private
 
   def context
     {user: current_user}
   end
+
+  def user_not_authorized
+    head :forbidden
+  end
 end
 ```
 
@@ -58,49 +89,28 @@ class BaseResource < JSONAPI::Resource
 end
 ```
 
-If you want to send a custom response for unauthorized requests, add a `rescue_from` hook to your `BaseResourceController` and whitelist `Pundit::NotAuthorizedError` in your JR configuration.
-
-## Known bugs
+## Configuration
 
-There is a bug affecting `jsonapi-resources` error whitelisting, see https://github.com/cerebris/jsonapi-resources/pull/573. To make your whitelisting and `rescue_from` to work properly, here is a potential workaround:
+You can use a custom authorizer class by specifying a configure block in an initializer file. If using a custom authorizer class, be sure to require them at the top of the initializer before usage.
 
 ```ruby
-JSONAPI.configure do |config|
-  config.exception_class_whitelist = [Pundit::NotAuthorizedError]
+JSONAPI::Authorization.configure do |config|
+  config.authorizer = MyCustomAuthorizer
 end
 ```
 
-```ruby
-class BaseResourceController < ActionController::Base
-  rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
+## Troubleshooting
 
-  private
+### "Unable to find policy" exception for a request
 
-  # https://github.com/cerebris/jsonapi-resources/pull/573
-  def handle_exceptions(e)
-    if JSONAPI.configuration.exception_class_whitelist.any? { |k| e.class.ancestors.include?(k) }
-      raise e
-    else
-      super
-    end
-  end
+The exception might look like this for resource class `ArticleResource` that is backed by `Article` model:
 
-  def user_not_authorized
-    head :forbidden
-  end
-end
 ```
-
-## Configuration
-
-You can use a custom authorizer class by specifying a configure block in an initializer file. If using a custom authorizer class, be sure to require them at the top of the initializer before usage.
-
-```ruby
-JSONAPI::Authorization.configure do |config|
-  config.authorizer = MyCustomAuthorizer
-end
+unable to find policy `ArticlePolicy` for `Article'
 ```
 
+This means that you don't have a policy class created for your model. Create one and the error should go away.
+
 ## Development
 
 After checking out the repo, run `bundle install` to install dependencies. Then, run `bundle exec rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
@@ -114,3 +124,5 @@ Originally based on discussion and code samples by [@barelyknown](https://github
 ## Contributing
 
 Bug reports and pull requests are welcome on GitHub at https://github.com/venuu/jsonapi-authorization.
+
+  [issues]: https://github.com/venuu/jsonapi-authorization/issues

data/jsonapi-authorization.gemspec

@@ -17,7 +17,7 @@ Gem::Specification.new do |spec|
   spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   spec.require_paths = ["lib"]
 
-  spec.add_dependency "jsonapi-resources", "~> 0.7.0"
+  spec.add_dependency "jsonapi-resources", "~> 0.8.0.beta1"
   spec.add_dependency "pundit", "~> 1.0"
 
   spec.add_development_dependency "bundler", "~> 1.11"

data/lib/jsonapi/authorization.rb

@@ -1,5 +1,5 @@
 require "jsonapi-resources"
-require "jsonapi/authorization/authorizing_operations_processor"
+require "jsonapi/authorization/authorizing_processor"
 require "jsonapi/authorization/configuration"
 require "jsonapi/authorization/default_pundit_authorizer"
 require "jsonapi/authorization/pundit_scoped_resource"
@@ -12,4 +12,4 @@ module JSONAPI
 end
 
 # Allows JSONAPI configuration of operations_processor using the symbol :jsonapi_authorization
-JsonapiAuthorizationOperationsProcessor = JSONAPI::Authorization::AuthorizingOperationsProcessor
+JsonapiAuthorizationProcessor = JSONAPI::Authorization::AuthorizingProcessor

data/lib/jsonapi/authorization/{authorizing_operations_processor.rb → authorizing_processor.rb}

@@ -2,39 +2,39 @@ require 'pundit'
 
 module JSONAPI
   module Authorization
-    class AuthorizingOperationsProcessor < ::ActiveRecordOperationsProcessor
-      set_callback :find_operation, :before, :authorize_find
-      set_callback :show_operation, :before, :authorize_show
-      set_callback :show_relationship_operation, :before, :authorize_show_relationship
-      set_callback :show_related_resource_operation, :before, :authorize_show_related_resource
-      set_callback :show_related_resources_operation, :before, :authorize_show_related_resources
-      set_callback :create_resource_operation, :before, :authorize_create_resource
-      set_callback :remove_resource_operation, :before, :authorize_remove_resource
-      set_callback :replace_fields_operation, :before, :authorize_replace_fields
-      set_callback :replace_to_one_relationship_operation, :before, :authorize_replace_to_one_relationship
-      set_callback :create_to_many_relationship_operation, :before, :authorize_create_to_many_relationship
-      set_callback :replace_to_many_relationship_operation, :before, :authorize_replace_to_many_relationship
-      set_callback :remove_to_many_relationship_operation, :before, :authorize_remove_to_many_relationship
-      set_callback :remove_to_one_relationship_operation, :before, :authorize_remove_to_one_relationship
+    class AuthorizingProcessor < JSONAPI::Processor
+      set_callback :find, :before, :authorize_find
+      set_callback :show, :before, :authorize_show
+      set_callback :show_relationship, :before, :authorize_show_relationship
+      set_callback :show_related_resource, :before, :authorize_show_related_resource
+      set_callback :show_related_resources, :before, :authorize_show_related_resources
+      set_callback :create_resource, :before, :authorize_create_resource
+      set_callback :remove_resource, :before, :authorize_remove_resource
+      set_callback :replace_fields, :before, :authorize_replace_fields
+      set_callback :replace_to_one_relationship, :before, :authorize_replace_to_one_relationship
+      set_callback :create_to_many_relationship, :before, :authorize_create_to_many_relationship
+      set_callback :replace_to_many_relationship, :before, :authorize_replace_to_many_relationship
+      set_callback :remove_to_many_relationship, :before, :authorize_remove_to_many_relationship
+      set_callback :remove_to_one_relationship, :before, :authorize_remove_to_one_relationship
 
       [
-        :find_operation,
-        :show_operation,
-        :show_related_resource_operation,
-        :show_related_resources_operation,
-        :create_resource_operation,
-        :replace_fields_operation
+        :find,
+        :show,
+        :show_related_resource,
+        :show_related_resources,
+        :create_resource,
+        :replace_fields
       ].each do |op_name|
         set_callback op_name, :after, :authorize_include_directive
       end
 
       def authorize_include_directive
-        return if @result.is_a?(::JSONAPI::ErrorsOperationResult)
+        return if result.is_a?(::JSONAPI::ErrorsOperationResult)
         resources = Array.wrap(
-          if @result.respond_to?(:resources)
-            @result.resources
-          elsif @result.respond_to?(:resource)
-            @result.resource
+          if result.respond_to?(:resources)
+            result.resources
+          elsif result.respond_to?(:resource)
+            result.resource
           end
         )
 
@@ -44,30 +44,30 @@ module JSONAPI
       end
 
       def authorize_find
-        authorizer.find(@operation.resource_klass._model_class)
+        authorizer.find(@resource_klass._model_class)
       end
 
       def authorize_show
-        record = @operation.resource_klass.find_by_key(
+        record = @resource_klass.find_by_key(
           operation_resource_id,
-          context: operation_context
+          context: context
         )._model
 
         authorizer.show(record)
       end
 
       def authorize_show_relationship
-        parent_resource = @operation.resource_klass.find_by_key(
-          @operation.parent_key,
-          context: operation_context
+        parent_resource = @resource_klass.find_by_key(
+          params[:parent_key],
+          context: context
         )
 
-        relationship = @operation.resource_klass._relationship(@operation.relationship_type)
+        relationship = @resource_klass._relationship(params[:relationship_type].to_sym)
 
         related_resource =
           case relationship
           when JSONAPI::Relationship::ToOne
-            parent_resource.public_send(@operation.relationship_type)
+            parent_resource.public_send(params[:relationship_type].to_sym)
           when JSONAPI::Relationship::ToMany
             # Do nothing — already covered by policy scopes
           else
@@ -80,12 +80,13 @@ module JSONAPI
       end
 
       def authorize_show_related_resource
-        source_resource = @operation.source_klass.find_by_key(
-          @operation.source_id,
-          context: operation_context
-        )
+        source_klass = params[:source_klass]
+        source_id = params[:source_id]
+        relationship_type = params[:relationship_type].to_sym
+
+        source_resource = source_klass.find_by_key(source_id, context: context)
 
-        related_resource = source_resource.public_send(@operation.relationship_type)
+        related_resource = source_resource.public_send(relationship_type)
 
         source_record = source_resource._model
         related_record = related_resource._model unless related_resource.nil?
@@ -93,50 +94,50 @@ module JSONAPI
       end
 
       def authorize_show_related_resources
-        source_record = @operation.source_klass.find_by_key(
-          @operation.source_id,
-          context: operation_context
+        source_record = params[:source_klass].find_by_key(
+          params[:source_id],
+          context: context
         )._model
 
         authorizer.show_related_resources(source_record)
       end
 
       def authorize_replace_fields
-        source_record = @operation.resource_klass.find_by_key(
-          @operation.resource_id,
-          context: operation_context
+        source_record = @resource_klass.find_by_key(
+          params[:resource_id],
+          context: context
         )._model
 
         authorizer.replace_fields(source_record, related_models)
       end
 
       def authorize_create_resource
-        source_class = @operation.resource_klass._model_class
+        source_class = @resource_klass._model_class
 
         authorizer.create_resource(source_class, related_models)
       end
 
       def authorize_remove_resource
-        record = @operation.resource_klass.find_by_key(
+        record = @resource_klass.find_by_key(
           operation_resource_id,
-          context: operation_context
+          context: context
         )._model
 
         authorizer.remove_resource(record)
       end
 
       def authorize_replace_to_one_relationship
-        source_resource = @operation.resource_klass.find_by_key(
-          @operation.resource_id,
-          context: operation_context
+        source_resource = @resource_klass.find_by_key(
+          params[:resource_id],
+          context: context
         )
         source_record = source_resource._model
 
-        old_related_record = source_resource.records_for(@operation.relationship_type)
-        unless @operation.key_value.nil?
-          new_related_resource = @operation.resource_klass._relationship(@operation.relationship_type).resource_klass.find_by_key(
-            @operation.key_value,
-            context: operation_context
+        old_related_record = source_resource.records_for(params[:relationship_type].to_sym)
+        unless params[:key_value].nil?
+          new_related_resource = @resource_klass._relationship(params[:relationship_type].to_sym).resource_klass.find_by_key(
+            params[:key_value],
+            context: context
           )
           new_related_record = new_related_resource._model unless new_related_resource.nil?
         end
@@ -149,25 +150,25 @@ module JSONAPI
       end
 
       def authorize_create_to_many_relationship
-        source_record = @operation.resource_klass.find_by_key(
-          @operation.resource_id,
-          context: operation_context
+        source_record = @resource_klass.find_by_key(
+          params[:resource_id],
+          context: context
         )._model
 
         related_models =
-          model_class_for_relationship(@operation.relationship_type).find(@operation.data)
+          model_class_for_relationship(params[:relationship_type].to_sym).find(params[:data])
 
         authorizer.create_to_many_relationship(source_record, related_models)
       end
 
       def authorize_replace_to_many_relationship
-        source_resource = @operation.resource_klass.find_by_key(
-          @operation.resource_id,
-          context: operation_context
+        source_resource = @resource_klass.find_by_key(
+          params[:resource_id],
+          context: context
         )
         source_record = source_resource._model
 
-        related_records = source_resource.records_for(@operation.relationship_type)
+        related_records = source_resource.records_for(params[:relationship_type].to_sym)
 
         authorizer.replace_to_many_relationship(
           source_record,
@@ -176,15 +177,15 @@ module JSONAPI
       end
 
       def authorize_remove_to_many_relationship
-        source_resource = @operation.resource_klass.find_by_key(
-          @operation.resource_id,
-          context: operation_context
+        source_resource = @resource_klass.find_by_key(
+          params[:resource_id],
+          context: context
         )
         source_record = source_resource._model
 
-        related_resource = @operation.resource_klass._relationship(@operation.relationship_type).resource_klass.find_by_key(
-          @operation.associated_key,
-          context: operation_context
+        related_resource = @resource_klass._relationship(params[:relationship_type].to_sym).resource_klass.find_by_key(
+          params[:associated_key],
+          context: context
         )
         related_record = related_resource._model unless related_resource.nil?
 
@@ -195,12 +196,12 @@ module JSONAPI
       end
 
       def authorize_remove_to_one_relationship
-        source_resource = @operation.resource_klass.find_by_key(
-          @operation.resource_id,
-          context: operation_context
+        source_resource = @resource_klass.find_by_key(
+          params[:resource_id],
+          context: context
         )
 
-        related_resource = source_resource.public_send(@operation.relationship_type)
+        related_resource = source_resource.public_send(params[:relationship_type].to_sym)
 
         source_record = source_resource._model
         related_record = related_resource._model unless related_resource.nil?
@@ -210,33 +211,23 @@ module JSONAPI
       private
 
       def authorizer
-        @authorizer ||= ::JSONAPI::Authorization.configuration.authorizer.new(operation_context)
-      end
-
-      # TODO: Communicate with upstream to fix this nasty hack
-      def operation_context
-        case @operation
-        when JSONAPI::ShowRelatedResourcesOperation
-          @operation.instance_variable_get('@options')[:context]
-        else
-          @operation.options[:context]
-        end
+        @authorizer ||= ::JSONAPI::Authorization.configuration.authorizer.new(context)
       end
 
       # TODO: Communicate with upstream to fix this nasty hack
       def operation_resource_id
-        case @operation
-        when JSONAPI::ShowOperation
-          @operation.id
-        when JSONAPI::ShowRelatedResourcesOperation
-          @operation.source_id
+        case operation_type
+        when :show
+          params[:id]
+        when :show_related_resources
+          params[:source_id]
         else
-          @operation.resource_id
+          params[:resource_id]
         end
       end
 
       def resource_class_for_relationship(assoc_name)
-        @operation.resource_klass._relationship(assoc_name).resource_klass
+        @resource_klass._relationship(assoc_name).resource_klass
       end
 
       def model_class_for_relationship(assoc_name)
@@ -244,15 +235,15 @@ module JSONAPI
       end
 
       def related_models
-        data = @operation.options[:data]
+        data = params[:data]
         return [] if data.nil?
 
         [:to_one, :to_many].flat_map do |rel_type|
           data[rel_type].flat_map do |assoc_name, assoc_value|
             case assoc_value
             when Hash # polymorphic relationship
-              resource_class = @operation.resource_klass.resource_for(assoc_value[:type].to_s)
-              resource_class.find_by_key(assoc_value[:id], context: @operation.options[:context])._model
+              resource_class = @resource_klass.resource_for(assoc_value[:type].to_s)
+              resource_class.find_by_key(assoc_value[:id], context: context)._model
             else
               resource_class = resource_class_for_relationship(assoc_name)
               primary_key = resource_class._primary_key
@@ -263,9 +254,9 @@ module JSONAPI
       end
 
       def authorize_model_includes(source_record)
-        if @request.include_directives
-          @request.include_directives.model_includes.each do |include_item|
-            authorize_include_item(@operation.resource_klass, source_record, include_item)
+        if params[:include_directives]
+          params[:include_directives].model_includes.each do |include_item|
+            authorize_include_item(@resource_klass, source_record, include_item)
           end
         end
       end
@@ -280,7 +271,7 @@ module JSONAPI
             next_resource_klass = relationship.resource_klass
             Array.wrap(
               source_record.public_send(
-                relationship.relation_name(@operation.options[:context])
+                relationship.relation_name(context)
               )
             ).each do |next_source_record|
               deep.each do |next_include_item|
@@ -297,7 +288,7 @@ module JSONAPI
           case relationship
           when JSONAPI::Relationship::ToOne
             related_record = source_record.public_send(
-              relationship.relation_name(@operation.options[:context])
+              relationship.relation_name(context)
             )
             return if related_record.nil?
             authorizer.include_has_one_resource(source_record, related_record)

data/lib/jsonapi/authorization/version.rb

@@ -1,5 +1,5 @@
 module JSONAPI
   module Authorization
-    VERSION = "0.6.1".freeze
+    VERSION = "0.8.0".freeze
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: jsonapi-authorization
 version: !ruby/object:Gem::Version
-  version: 0.6.1
+  version: 0.8.0
 platform: ruby
 authors:
 - Vesa Laakso
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-04-25 00:00:00.000000000 Z
+date: 2016-08-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jsonapi-resources
@@ -17,14 +17,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.7.0
+        version: 0.8.0.beta1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.7.0
+        version: 0.8.0.beta1
 - !ruby/object:Gem::Dependency
   name: pundit
   requirement: !ruby/object:Gem::Requirement
@@ -174,7 +174,7 @@ files:
 - jsonapi-authorization.gemspec
 - lib/jsonapi-authorization.rb
 - lib/jsonapi/authorization.rb
-- lib/jsonapi/authorization/authorizing_operations_processor.rb
+- lib/jsonapi/authorization/authorizing_processor.rb
 - lib/jsonapi/authorization/configuration.rb
 - lib/jsonapi/authorization/default_pundit_authorizer.rb
 - lib/jsonapi/authorization/pundit_scoped_resource.rb