jsonapi-authorization 1.0.0.alpha2 → 1.0.0.alpha3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: c83ed79758b58af1eb5f2682278d59811be7eb20
-  data.tar.gz: 8dad69ca7b2bad76f4508c735a1be23f9dd60ad7
+  metadata.gz: d9773e11d98a5ff7baeb184627737a96e541de98
+  data.tar.gz: a1a9417f8aa7ff48e9f093ee62f6501552d5418d
 SHA512:
-  metadata.gz: a9f9793f5d9a6972e1a5bba3ea7d22d92368c8a8e7e37378dd0a09be44c3b5190df899393b1a76dedef1a6ff0d2515a6ebda8e95bff4d6e2568a72c6561629e1
-  data.tar.gz: 2b20f5bd2a639304a0e25b31bb861dbfc9426e4a221afc1be7b70c7f83ba07ccdddc89ac9aef2dd3c5d7c6ca98a3a47db09d27e41a86f374442fac148e9d940d
+  metadata.gz: 5e51a01324b0475819785e26823ba0c958982a6a86a97386d4f93862fcdf98e9d0448cc3041e675eb4c29bae107ebaaee775d629eeb734d2ce3448cd4e033fdb
+  data.tar.gz: e2f191527644e59f161574e4bb232696dad12ecb7d03645fa9b35157b7063ad8d9bb8f04daf5bbe8c7470c3a09b5a156e18729e8a1c1dd2d130a6f72e8cd69ba

data/lib/jsonapi/authorization/authorizing_processor.rb

@@ -112,7 +112,7 @@ module JSONAPI
 
       def authorize_create_resource
         source_class = resource_klass._model_class
-        authorizer.create_resource(source_class, related_models)
+        authorizer.create_resource(source_class, related_models_with_context)
       end
 
       def authorize_remove_resource

data/lib/jsonapi/authorization/default_pundit_authorizer.rb

@@ -98,14 +98,27 @@ module JSONAPI
       # ==== Parameters
       #
       # * +source_class+ - The class of the record to be created
-      # * +related_records+ - An array of records to be associated to the new
-      #   record. This will contain the records specified in the
-      #   "relationships" key in the request
-      def create_resource(source_class, related_records)
+      # * +related_records_with_context+ - A has with the association type,
+      # the relationship name, and an Array of new related records.
+      def create_resource(source_class, related_records_with_context)
         ::Pundit.authorize(user, source_class, 'create?')
-
-        related_records.each do |record|
-          ::Pundit.authorize(user, record, 'update?')
+        related_records_with_context.each do |data|
+          relation_name = data[:relation_name]
+          records = data[:records]
+          relationship_method = "create_with_#{relation_name}?"
+          policy = ::Pundit.policy(user, source_class)
+          if policy.respond_to?(relationship_method)
+            unless policy.public_send(relationship_method, records)
+              raise ::Pundit::NotAuthorizedError,
+                    query: relationship_method,
+                    record: source_class,
+                    policy: policy
+            end
+          else
+            Array(records).each do |record|
+              ::Pundit.authorize(user, record, 'update?')
+            end
+          end
         end
       end
 

data/lib/jsonapi/authorization/version.rb

@@ -1,5 +1,5 @@
 module JSONAPI
   module Authorization
-    VERSION = "1.0.0.alpha2".freeze
+    VERSION = "1.0.0.alpha3".freeze
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: jsonapi-authorization
 version: !ruby/object:Gem::Version
-  version: 1.0.0.alpha2
+  version: 1.0.0.alpha3
 platform: ruby
 authors:
 - Vesa Laakso
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-04-12 00:00:00.000000000 Z
+date: 2017-05-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jsonapi-resources