jsonapi-authorization 1.0.0 → 3.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9964c80bda556e297a4e6fc123a35d213debefa7d418ab60d627f9eb3401f334
-  data.tar.gz: 64e0146d4b454e7417b7e4afd2ee6c9b4d365a7c62d3a2993e44f2c006711542
+  metadata.gz: eca7bc758c4afda473090e94e6774b61bb708807817abb5961ca597a404605d6
+  data.tar.gz: 610d8c4508699047d991cf18c17a31dfd59938a5b63f9a8df741c16e28030c3c
 SHA512:
-  metadata.gz: f729a9f5b558008f1baa2c7760f4f31ce59b06e86d2d9bf56894a0e3f648eb985e05e998f3d8718b39f6d3b0d913757ff48ace6ae399cbd2519fa0f72afccad6
-  data.tar.gz: 68925bea3461cea96c3538b76c85b222e43bb8565e401a881f021d40a1a4c9ecc37021c0487d25efbdc66b339e17b2bb042d2c29da41a544a86416bc37c57b38
+  metadata.gz: 8a36bbf5c7685f976dab29924e6b736548c62058e965ae12287f747897fb2933dd9dbe842135d93ad03994ab6e3899ec6feeea57041944dff034b381c57fa8a4
+  data.tar.gz: cf13d084a0618608cb3f2af6bd9d43ba03c73bf217f33dd4ba12b7bfa10544d23d2d7bab51aab858460127d69758ac10f6ce890df4361188d25d9ddb62005066

data/.all-contributorsrc

@@ -126,7 +126,30 @@
         "test",
         "infra"
       ]
+    },
+    {
+      "login": "Matthijsy",
+      "name": "Matthijsy",
+      "avatar_url": "https://avatars2.githubusercontent.com/u/5302372?v=4",
+      "profile": "https://github.com/Matthijsy",
+      "contributions": [
+        "bug",
+        "test",
+        "code"
+      ]
+    },
+    {
+      "login": "brianswko",
+      "name": "brianswko",
+      "avatar_url": "https://avatars0.githubusercontent.com/u/3952486?v=4",
+      "profile": "https://github.com/brianswko",
+      "contributions": [
+        "bug",
+        "test",
+        "code"
+      ]
     }
   ],
-  "repoType": "github"
+  "repoType": "github",
+  "contributorsPerLine": 7
 }

data/.gitignore

@@ -11,3 +11,4 @@
 *.orig
 .ruby-version
 /gemfiles/*.gemfile.lock
+/gemfiles/.bundle/

data/.travis.yml

@@ -1,4 +1,7 @@
 language: ruby
+branches:
+  only:
+    - master
 rvm:
   - 2.3
 gemfile:
@@ -11,7 +14,6 @@ gemfile:
   - gemfiles/rails_5_1_pundit_2.gemfile
   - gemfiles/rails_5_2_pundit_2.gemfile
 before_install:
-  - rvm @global do gem uninstall bundler -a -x
   - gem install bundler -v '< 2'
 notifications:
   email: false

data/Appraisals

@@ -1,47 +1,47 @@
 appraise 'rails-4-2 pundit-1' do
   gem 'rails', '4.2.0'
-  gem 'jsonapi-resources', '~> 0.9'
+  gem 'jsonapi-resources', '~> 0.9.0'
   gem 'pundit', '~> 1.0'
 end
 
 appraise 'rails-5-0 pundit-1' do
   gem 'rails', '5.0.0'
-  gem 'jsonapi-resources', '~> 0.9'
+  gem 'jsonapi-resources', '~> 0.9.0'
   gem 'pundit', '~> 1.0'
 end
 
 appraise 'rails-5-1 pundit-1' do
   gem "rails", "5.1.0"
-  gem 'jsonapi-resources', '~> 0.9'
+  gem 'jsonapi-resources', '~> 0.9.0'
   gem 'pundit', '~> 1.0'
 end
 
 appraise 'rails-5-2 pundit-1' do
   gem 'rails', '5.2.0'
-  gem 'jsonapi-resources', '~> 0.9'
+  gem 'jsonapi-resources', '~> 0.9.0'
   gem 'pundit', '~> 1.0'
 end
 
 appraise 'rails-4-2 pundit-2' do
   gem 'rails', '4.2.0'
-  gem 'jsonapi-resources', '~> 0.9'
+  gem 'jsonapi-resources', '~> 0.9.0'
   gem 'pundit', '~> 2.0'
 end
 
 appraise 'rails-5-0 pundit-2' do
   gem 'rails', '5.0.0'
-  gem 'jsonapi-resources', '~> 0.9'
+  gem 'jsonapi-resources', '~> 0.9.0'
   gem 'pundit', '~> 2.0'
 end
 
 appraise 'rails-5-1 pundit-2' do
   gem 'rails', '5.1.0'
-  gem 'jsonapi-resources', '~> 0.9'
+  gem 'jsonapi-resources', '~> 0.9.0'
   gem 'pundit', '~> 2.0'
 end
 
 appraise 'rails-5-2 pundit-2' do
   gem 'rails', '5.2.0'
-  gem 'jsonapi-resources', '~> 0.9'
+  gem 'jsonapi-resources', '~> 0.9.0'
   gem 'pundit', '~> 2.0'
 end

data/README.md

@@ -33,8 +33,6 @@ This gem should work out-of-the box for simple cases. The default authorizer mig
 
 **If you are modifying relationships**, you should read the [relationship authorization documentation](docs/relationship-authorization.md).
 
-The API is subject to change between minor version bumps until we reach v1.0.0.
-
 ## Installation
 
 Add this line to your application's Gemfile:
@@ -55,10 +53,19 @@ Or install it yourself as:
 
 * `v0.6.x` supports JR `v0.7.x`
 * `v0.8.x` supports JR `v0.8.x`
-* `v1.0.0` alpha and beta releases support JR `v0.9.x`
+* Later releases support JR `v0.9.x`
+* **JR `v0.10.x` is NOT SUPPORTED.** See https://github.com/venuu/jsonapi-authorization/issues/64 for more details and to offer help.
 
 We aim to support the same Ruby and Ruby on Rails versions as `jsonapi-resources` does. If that's not the case, please [open an issue][issues].
 
+## Versioning and changelog
+
+`jsonapi-authorization` follows [Semantic Versioning](https://semver.org/). We prefer to make more major version bumps when we do changes that are likely to be backwards incompatible. That holds true even when it's likely the changes would be backwards compatible for a majority of our users.
+
+Given the nature of an authorization library, it is likely that most changes are major version bumps.
+
+Whenever we do changes, we strive to write good changelogs in the [GitHub releases page](https://github.com/venuu/jsonapi-authorization/releases).
+
 ## Usage
 
 First make sure you have a Pundit policy specified for every backing model that your JR resources use.
@@ -185,9 +192,8 @@ Thanks goes to these wonderful people ([emoji key](https://github.com/kentcdodds
 
 <!-- ALL-CONTRIBUTORS-LIST:START - Do not remove or modify this section -->
 <!-- prettier-ignore -->
-| [<img src="https://avatars.githubusercontent.com/u/482561?v=3" width="100px;"/><br /><sub><b>Vesa Laakso</b></sub>](http://vesalaakso.com)<br />[💻](https://github.com/Venuu/jsonapi-authorization/commits?author=valscion "Code") [📖](https://github.com/Venuu/jsonapi-authorization/commits?author=valscion "Documentation") [🚇](#infra-valscion "Infrastructure (Hosting, Build-Tools, etc)") [⚠️](https://github.com/Venuu/jsonapi-authorization/commits?author=valscion "Tests") [🐛](https://github.com/Venuu/jsonapi-authorization/issues?q=author%3Avalscion "Bug reports") [💬](#question-valscion "Answering Questions") [👀](#review-valscion "Reviewed Pull Requests") | [<img src="https://avatars.githubusercontent.com/u/562204?v=3" width="100px;"/><br /><sub><b>Emil Sågfors</b></sub>](https://github.com/lime)<br />[💻](https://github.com/Venuu/jsonapi-authorization/commits?author=lime "Code") [📖](https://github.com/Venuu/jsonapi-authorization/commits?author=lime "Documentation") [🚇](#infra-lime "Infrastructure (Hosting, Build-Tools, etc)") [⚠️](https://github.com/Venuu/jsonapi-authorization/commits?author=lime "Tests") [🐛](https://github.com/Venuu/jsonapi-authorization/issues?q=author%3Alime "Bug reports") [💬](#question-lime "Answering Questions") [👀](#review-lime "Reviewed Pull Requests") | [<img src="https://avatars.githubusercontent.com/u/1591161?v=3" width="100px;"/><br /><sub><b>Matthias Grundmann</b></sub>](https://github.com/matthias-g)<br />[💻](https://github.com/Venuu/jsonapi-authorization/commits?author=matthias-g "Code") [📖](https://github.com/Venuu/jsonapi-authorization/commits?author=matthias-g "Documentation") [⚠️](https://github.com/Venuu/jsonapi-authorization/commits?author=matthias-g "Tests") [💬](#question-matthias-g "Answering Questions") | [<img src="https://avatars.githubusercontent.com/u/1322?v=3" width="100px;"/><br /><sub><b>Thibaud Guillaume-Gentil</b></sub>](http://thibaud.gg)<br />[💻](https://github.com/Venuu/jsonapi-authorization/commits?author=thibaudgg "Code") | [<img src="https://avatars.githubusercontent.com/u/71660?v=3" width="100px;"/><br /><sub><b>Daniel Schweighöfer</b></sub>](http://netsteward.net)<br />[💻](https://github.com/Venuu/jsonapi-authorization/commits?author=acid "Code") | [<img src="https://avatars.githubusercontent.com/u/5076967?v=3" width="100px;"/><br /><sub><b>Bruno Sofiato</b></sub>](https://github.com/bsofiato)<br />[💻](https://github.com/Venuu/jsonapi-authorization/commits?author=bsofiato "Code") | [<img src="https://avatars.githubusercontent.com/u/1896026?v=3" width="100px;"/><br /><sub><b>Adam Robertson</b></sub>](https://github.com/arcreative)<br />[📖](https://github.com/Venuu/jsonapi-authorization/commits?author=arcreative "Documentation") |
-| :---: | :---: | :---: | :---: | :---: | :---: | :---: |
-| [<img src="https://avatars3.githubusercontent.com/u/4742306?v=3" width="100px;"/><br /><sub><b>Greg Fisher</b></sub>](https://github.com/gnfisher)<br />[💻](https://github.com/Venuu/jsonapi-authorization/commits?author=gnfisher "Code") [⚠️](https://github.com/Venuu/jsonapi-authorization/commits?author=gnfisher "Tests") | [<img src="https://avatars3.githubusercontent.com/u/370182?v=3" width="100px;"/><br /><sub><b>Sam</b></sub>](http://samlh.com)<br />[💻](https://github.com/Venuu/jsonapi-authorization/commits?author=handlers "Code") [⚠️](https://github.com/Venuu/jsonapi-authorization/commits?author=handlers "Tests") | [<img src="https://avatars0.githubusercontent.com/u/2738630?v=3" width="100px;"/><br /><sub><b>Justas Palumickas</b></sub>](https://jpalumickas.com)<br />[🐛](https://github.com/Venuu/jsonapi-authorization/issues?q=author%3Ajpalumickas "Bug reports") [💻](https://github.com/Venuu/jsonapi-authorization/commits?author=jpalumickas "Code") [⚠️](https://github.com/Venuu/jsonapi-authorization/commits?author=jpalumickas "Tests") | [<img src="https://avatars1.githubusercontent.com/u/26158?v=4" width="100px;"/><br /><sub><b>Nicholas Rutherford</b></sub>](http://www.google.co.uk/profiles/nick.rutherford)<br />[💻](https://github.com/Venuu/jsonapi-authorization/commits?author=nruth "Code") [⚠️](https://github.com/Venuu/jsonapi-authorization/commits?author=nruth "Tests") [🚇](#infra-nruth "Infrastructure (Hosting, Build-Tools, etc)") |
+<table><tr><td align="center"><a href="http://vesalaakso.com"><img src="https://avatars.githubusercontent.com/u/482561?v=3" width="100px;" alt="Vesa Laakso"/><br /><sub><b>Vesa Laakso</b></sub></a><br /><a href="https://github.com/Venuu/jsonapi-authorization/commits?author=valscion" title="Code">💻</a> <a href="https://github.com/Venuu/jsonapi-authorization/commits?author=valscion" title="Documentation">📖</a> <a href="#infra-valscion" title="Infrastructure (Hosting, Build-Tools, etc)">🚇</a> <a href="https://github.com/Venuu/jsonapi-authorization/commits?author=valscion" title="Tests">⚠️</a> <a href="https://github.com/Venuu/jsonapi-authorization/issues?q=author%3Avalscion" title="Bug reports">🐛</a> <a href="#question-valscion" title="Answering Questions">💬</a> <a href="#review-valscion" title="Reviewed Pull Requests">👀</a></td><td align="center"><a href="https://github.com/lime"><img src="https://avatars.githubusercontent.com/u/562204?v=3" width="100px;" alt="Emil Sågfors"/><br /><sub><b>Emil Sågfors</b></sub></a><br /><a href="https://github.com/Venuu/jsonapi-authorization/commits?author=lime" title="Code">💻</a> <a href="https://github.com/Venuu/jsonapi-authorization/commits?author=lime" title="Documentation">📖</a> <a href="#infra-lime" title="Infrastructure (Hosting, Build-Tools, etc)">🚇</a> <a href="https://github.com/Venuu/jsonapi-authorization/commits?author=lime" title="Tests">⚠️</a> <a href="https://github.com/Venuu/jsonapi-authorization/issues?q=author%3Alime" title="Bug reports">🐛</a> <a href="#question-lime" title="Answering Questions">💬</a> <a href="#review-lime" title="Reviewed Pull Requests">👀</a></td><td align="center"><a href="https://github.com/matthias-g"><img src="https://avatars.githubusercontent.com/u/1591161?v=3" width="100px;" alt="Matthias Grundmann"/><br /><sub><b>Matthias Grundmann</b></sub></a><br /><a href="https://github.com/Venuu/jsonapi-authorization/commits?author=matthias-g" title="Code">💻</a> <a href="https://github.com/Venuu/jsonapi-authorization/commits?author=matthias-g" title="Documentation">📖</a> <a href="https://github.com/Venuu/jsonapi-authorization/commits?author=matthias-g" title="Tests">⚠️</a> <a href="#question-matthias-g" title="Answering Questions">💬</a></td><td align="center"><a href="http://thibaud.gg"><img src="https://avatars.githubusercontent.com/u/1322?v=3" width="100px;" alt="Thibaud Guillaume-Gentil"/><br /><sub><b>Thibaud Guillaume-Gentil</b></sub></a><br /><a href="https://github.com/Venuu/jsonapi-authorization/commits?author=thibaudgg" title="Code">💻</a></td><td align="center"><a href="http://netsteward.net"><img src="https://avatars.githubusercontent.com/u/71660?v=3" width="100px;" alt="Daniel Schweighöfer"/><br /><sub><b>Daniel Schweighöfer</b></sub></a><br /><a href="https://github.com/Venuu/jsonapi-authorization/commits?author=acid" title="Code">💻</a></td><td align="center"><a href="https://github.com/bsofiato"><img src="https://avatars.githubusercontent.com/u/5076967?v=3" width="100px;" alt="Bruno Sofiato"/><br /><sub><b>Bruno Sofiato</b></sub></a><br /><a href="https://github.com/Venuu/jsonapi-authorization/commits?author=bsofiato" title="Code">💻</a></td><td align="center"><a href="https://github.com/arcreative"><img src="https://avatars.githubusercontent.com/u/1896026?v=3" width="100px;" alt="Adam Robertson"/><br /><sub><b>Adam Robertson</b></sub></a><br /><a href="https://github.com/Venuu/jsonapi-authorization/commits?author=arcreative" title="Documentation">📖</a></td></tr><tr><td align="center"><a href="https://github.com/gnfisher"><img src="https://avatars3.githubusercontent.com/u/4742306?v=3" width="100px;" alt="Greg Fisher"/><br /><sub><b>Greg Fisher</b></sub></a><br /><a href="https://github.com/Venuu/jsonapi-authorization/commits?author=gnfisher" title="Code">💻</a> <a href="https://github.com/Venuu/jsonapi-authorization/commits?author=gnfisher" title="Tests">⚠️</a></td><td align="center"><a href="http://samlh.com"><img src="https://avatars3.githubusercontent.com/u/370182?v=3" width="100px;" alt="Sam"/><br /><sub><b>Sam</b></sub></a><br /><a href="https://github.com/Venuu/jsonapi-authorization/commits?author=handlers" title="Code">💻</a> <a href="https://github.com/Venuu/jsonapi-authorization/commits?author=handlers" title="Tests">⚠️</a></td><td align="center"><a href="https://jpalumickas.com"><img src="https://avatars0.githubusercontent.com/u/2738630?v=3" width="100px;" alt="Justas Palumickas"/><br /><sub><b>Justas Palumickas</b></sub></a><br /><a href="https://github.com/Venuu/jsonapi-authorization/issues?q=author%3Ajpalumickas" title="Bug reports">🐛</a> <a href="https://github.com/Venuu/jsonapi-authorization/commits?author=jpalumickas" title="Code">💻</a> <a href="https://github.com/Venuu/jsonapi-authorization/commits?author=jpalumickas" title="Tests">⚠️</a></td><td align="center"><a href="http://www.google.co.uk/profiles/nick.rutherford"><img src="https://avatars1.githubusercontent.com/u/26158?v=4" width="100px;" alt="Nicholas Rutherford"/><br /><sub><b>Nicholas Rutherford</b></sub></a><br /><a href="https://github.com/Venuu/jsonapi-authorization/commits?author=nruth" title="Code">💻</a> <a href="https://github.com/Venuu/jsonapi-authorization/commits?author=nruth" title="Tests">⚠️</a> <a href="#infra-nruth" title="Infrastructure (Hosting, Build-Tools, etc)">🚇</a></td><td align="center"><a href="https://github.com/Matthijsy"><img src="https://avatars2.githubusercontent.com/u/5302372?v=4" width="100px;" alt="Matthijsy"/><br /><sub><b>Matthijsy</b></sub></a><br /><a href="https://github.com/Venuu/jsonapi-authorization/issues?q=author%3AMatthijsy" title="Bug reports">🐛</a> <a href="https://github.com/Venuu/jsonapi-authorization/commits?author=Matthijsy" title="Tests">⚠️</a> <a href="https://github.com/Venuu/jsonapi-authorization/commits?author=Matthijsy" title="Code">💻</a></td><td align="center"><a href="https://github.com/brianswko"><img src="https://avatars0.githubusercontent.com/u/3952486?v=4" width="100px;" alt="brianswko"/><br /><sub><b>brianswko</b></sub></a><br /><a href="https://github.com/Venuu/jsonapi-authorization/issues?q=author%3Abrianswko" title="Bug reports">🐛</a> <a href="https://github.com/Venuu/jsonapi-authorization/commits?author=brianswko" title="Tests">⚠️</a> <a href="https://github.com/Venuu/jsonapi-authorization/commits?author=brianswko" title="Code">💻</a></td></tr></table>
+
 <!-- ALL-CONTRIBUTORS-LIST:END -->
 
 This project follows the [all-contributors](https://github.com/kentcdodds/all-contributors) specification. Contributions of any kind welcome!

data/gemfiles/rails_4_2_pundit_1.gemfile

@@ -3,7 +3,7 @@
 source "https://rubygems.org"
 
 gem "rails", "4.2.0"
-gem "jsonapi-resources", "~> 0.9"
+gem "jsonapi-resources", "~> 0.9.0"
 gem "pundit", "~> 1.0"
 
 gemspec path: "../"

data/gemfiles/rails_4_2_pundit_2.gemfile

@@ -3,7 +3,7 @@
 source "https://rubygems.org"
 
 gem "rails", "4.2.0"
-gem "jsonapi-resources", "~> 0.9"
+gem "jsonapi-resources", "~> 0.9.0"
 gem "pundit", "~> 2.0"
 
 gemspec path: "../"

data/gemfiles/rails_5_0_pundit_1.gemfile

@@ -3,7 +3,7 @@
 source "https://rubygems.org"
 
 gem "rails", "5.0.0"
-gem "jsonapi-resources", "~> 0.9"
+gem "jsonapi-resources", "~> 0.9.0"
 gem "pundit", "~> 1.0"
 
 gemspec path: "../"

data/gemfiles/rails_5_0_pundit_2.gemfile

@@ -3,7 +3,7 @@
 source "https://rubygems.org"
 
 gem "rails", "5.0.0"
-gem "jsonapi-resources", "~> 0.9"
+gem "jsonapi-resources", "~> 0.9.0"
 gem "pundit", "~> 2.0"
 
 gemspec path: "../"

data/gemfiles/rails_5_1_pundit_1.gemfile

@@ -3,7 +3,7 @@
 source "https://rubygems.org"
 
 gem "rails", "5.1.0"
-gem "jsonapi-resources", "~> 0.9"
+gem "jsonapi-resources", "~> 0.9.0"
 gem "pundit", "~> 1.0"
 
 gemspec path: "../"

data/gemfiles/rails_5_1_pundit_2.gemfile

@@ -3,7 +3,7 @@
 source "https://rubygems.org"
 
 gem "rails", "5.1.0"
-gem "jsonapi-resources", "~> 0.9"
+gem "jsonapi-resources", "~> 0.9.0"
 gem "pundit", "~> 2.0"
 
 gemspec path: "../"

data/gemfiles/rails_5_2_pundit_1.gemfile

@@ -3,7 +3,7 @@
 source "https://rubygems.org"
 
 gem "rails", "5.2.0"
-gem "jsonapi-resources", "~> 0.9"
+gem "jsonapi-resources", "~> 0.9.0"
 gem "pundit", "~> 1.0"
 
 gemspec path: "../"

data/gemfiles/rails_5_2_pundit_2.gemfile

@@ -3,7 +3,7 @@
 source "https://rubygems.org"
 
 gem "rails", "5.2.0"
-gem "jsonapi-resources", "~> 0.9"
+gem "jsonapi-resources", "~> 0.9.0"
 gem "pundit", "~> 2.0"
 
 gemspec path: "../"

data/jsonapi-authorization.gemspec

@@ -17,7 +17,7 @@ Gem::Specification.new do |spec|
   spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   spec.require_paths = ["lib"]
 
-  spec.add_dependency "jsonapi-resources", "~> 0.9"
+  spec.add_dependency "jsonapi-resources", "~> 0.9.0"
   spec.add_dependency "pundit", ">= 1.0.0", "< 3.0.0"
 
   spec.add_development_dependency "appraisal"
@@ -31,5 +31,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "pry-rails"
   spec.add_development_dependency "rubocop", "~> 0.36.0"
   spec.add_development_dependency "phare", "~> 0.7.1"
-  spec.add_development_dependency "sqlite3"
+  spec.add_development_dependency "sqlite3", "~> 1.3.6"
 end

data/lib/jsonapi/authorization/authorizing_processor.rb

@@ -101,12 +101,16 @@ module JSONAPI
       end
 
       def authorize_show_related_resources
-        source_record = params[:source_klass].find_by_key(
+        source_resource = params[:source_klass].find_by_key(
           params[:source_id],
           context: context
-        )._model
+        )
+
+        source_record = source_resource._model
 
-        authorizer.show_related_resources(source_record: source_record)
+        authorizer.show_related_resources(
+          source_record: source_record, related_record_class: @resource_klass._model_class
+        )
       end
 
       def authorize_replace_fields
@@ -215,6 +219,10 @@ module JSONAPI
 
         related_records = related_resources.map(&:_model)
 
+        if related_records.size != params[:associated_keys].uniq.size
+          fail JSONAPI::Exceptions::RecordNotFound, params[:associated_keys]
+        end
+
         authorizer.remove_to_many_relationship(
           source_record: source_record,
           related_records: related_records,
@@ -294,25 +302,6 @@ module JSONAPI
         resource_class_for_relationship(assoc_name)._model_class
       end
 
-      def related_models
-        data = params[:data]
-        return [] if data.nil?
-
-        [:to_one, :to_many].flat_map do |rel_type|
-          data[rel_type].flat_map do |assoc_name, assoc_value|
-            case assoc_value
-            when Hash # polymorphic relationship
-              resource_class = @resource_klass.resource_for(assoc_value[:type].to_s)
-              resource_class.find_by_key(assoc_value[:id], context: context)._model
-            else
-              resource_class = resource_class_for_relationship(assoc_name)
-              primary_key = resource_class._primary_key
-              resource_class._model_class.where(primary_key => assoc_value)
-            end
-          end
-        end
-      end
-
       def related_models_with_context
         data = params[:data]
         return { relationship: nil, relation_name: nil, records: nil } if data.nil?
@@ -328,7 +317,13 @@ module JSONAPI
                 resource_class.find_by_key(assoc_value[:id], context: context)._model
               when Array
                 resource_class = resource_class_for_relationship(assoc_name)
-                resource_class.find_by_keys(assoc_value, context: context).map(&:_model)
+                resources = resource_class.find_by_keys(assoc_value, context: context)
+                resources.map(&:_model).tap do |scoped_records|
+                  related_ids = Array.wrap(assoc_value).uniq
+                  if scoped_records.count != related_ids.count
+                    fail JSONAPI::Exceptions::RecordNotFound, related_ids
+                  end
+                end
               else
                 resource_class = resource_class_for_relationship(assoc_name)
                 resource_class.find_by_key(assoc_value, context: context)._model

data/lib/jsonapi/authorization/default_pundit_authorizer.rb

@@ -3,10 +3,9 @@ module JSONAPI
     # An authorizer is a class responsible for linking JSONAPI operations to
     # your choice of authorization mechanism.
     #
-    # This class uses Pundit for authorization. It does not yet support all
-    # the available operations — you can use your own authorizer class instead
-    # if you have different needs. See the README.md for configuration
-    # information.
+    # This class uses Pundit for authorization. You can use your own authorizer
+    # class instead if you have different needs. See the README.md for
+    # configuration information.
     #
     # Fetching records is the concern of +PunditScopedResource+ which in turn
     # affects which records end up being passed here.
@@ -77,8 +76,10 @@ module JSONAPI
       # ==== Parameters
       #
       # * +source_record+ - The record whose relationship is queried
-      def show_related_resources(source_record:)
+      # * +related_record_class+ - The associated record class to show
+      def show_related_resources(source_record:, related_record_class:)
         ::Pundit.authorize(user, source_record, 'show?')
+        ::Pundit.authorize(user, related_record_class, 'index?')
       end
 
       # <tt>PATCH /resources/:id</tt>

data/lib/jsonapi/authorization/version.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 module JSONAPI
   module Authorization
-    VERSION = "1.0.0".freeze
+    VERSION = "3.0.2".freeze
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: jsonapi-authorization
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 3.0.2
 platform: ruby
 authors:
 - Vesa Laakso
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-01-22 00:00:00.000000000 Z
+date: 2019-10-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jsonapi-resources
@@ -17,14 +17,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.9'
+        version: 0.9.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.9'
+        version: 0.9.0
 - !ruby/object:Gem::Dependency
   name: pundit
   requirement: !ruby/object:Gem::Requirement
@@ -203,16 +203,16 @@ dependencies:
   name: sqlite3
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 1.3.6
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 1.3.6
 description: Adds generic authorization to the jsonapi-resources gem using Pundit.
 email:
 - laakso.vesa@gmail.com