jsonapi-authorization 0.4.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: af758844e145dc016dca6a62a4ff24aa6875dec6
+  data.tar.gz: c2db139f822d5715e89eb7d4765155df6f6fbb04
+SHA512:
+  metadata.gz: af34e3b306341ea6f0871f7bb56013183aa555fe7e6bb3a4d67a21ae2b6d1f3851b6d852fb5c6ae09671dba5db06f713b11ecf912cb168c0367be8f906ac1720
+  data.tar.gz: 40e7c48af85cf62f14451836c0fa2b14da5710e29beb475b625dd8df42a347b5413a49c91db0750682c8beecb1aabf767ae8d6cb28db9ec3ade26dd66165112d

data/.editorconfig

@@ -0,0 +1,12 @@
+# editorconfig.org
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.md]
+trim_trailing_whitespace = false

data/.gitignore

@@ -0,0 +1,10 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+*.orig

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.rubocop.yml

@@ -0,0 +1,88 @@
+Metrics/LineLength:
+  Enabled: true
+  Max: 100
+
+Style/MultilineOperationIndentation:
+  EnforcedStyle: indented
+
+Metrics/ClassLength:
+  Enabled: false
+
+Style/Documentation:
+  Enabled: false
+
+Style/ExtraSpacing:
+  AllowForAlignment: true
+
+Metrics/MethodLength:
+  Enabled: false
+
+Style/Next:
+  Enabled: false
+
+Metrics/AbcSize:
+  Enabled: false
+
+Style/DoubleNegation:
+  Enabled: false
+
+Style/SignalException:
+  Enabled: false
+
+Style/StringLiterals:
+  Enabled: false
+
+Style/SpaceInsideHashLiteralBraces:
+  Enabled: false
+  EnforcedStyle: space
+
+Style/IndentHash:
+  Enabled: false
+
+Style/ClassAndModuleChildren:
+  Enabled: false
+
+Style/PercentLiteralDelimiters:
+  Enabled: false
+
+Style/BlockDelimiters:
+  Enabled: false
+
+Style/GuardClause:
+  Enabled: false
+
+Style/ClosingParenthesisIndentation:
+  Enabled: false
+
+Style/IfUnlessModifier:
+  Enabled: false
+
+Style/NumericLiterals:
+  Enabled: false
+
+Style/AsciiComments:
+  Enabled: false
+
+Style/StructInheritance:
+  Enabled: false
+
+Style/MultilineBlockChain:
+  Enabled: false
+
+Metrics/ParameterLists:
+  Enabled: false
+
+Style/WordArray:
+  MinSize: 2
+
+Metrics/ModuleLength:
+  Enabled: false
+
+Style/SingleLineBlockParams:
+  Methods:
+    - reduce:
+        - acc
+        - obj
+    - inject:
+        - acc
+        - obj

data/.ruby-version

@@ -0,0 +1 @@
+2.1.2

data/.travis.yml

@@ -0,0 +1,11 @@
+language: ruby
+cache: bundler
+sudo: false
+env:
+  - "RAILS_VERSION=4.1.0"
+  - "RAILS_VERSION=4.2.0"
+rvm:
+  - 2.1.2
+before_install: gem install bundler -v 1.11.2
+notifications:
+  email: false

data/Gemfile

@@ -0,0 +1,17 @@
+source 'https://rubygems.org'
+
+gemspec
+
+gem 'sqlite3', '1.3.10'
+
+version = ENV['RAILS_VERSION'] || 'default'
+
+case version
+when 'master'
+  gem 'rails', git: 'https://github.com/rails/rails.git'
+  gem 'arel', git: 'https://github.com/rails/arel.git'
+when 'default'
+  gem 'rails', '>= 4.2'
+else
+  gem 'rails', "~> #{version}"
+end

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2016 Vesa Laakso, Emil Sågfors
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,116 @@
+# JSONAPI::Authorization
+
+[![Build Status](https://travis-ci.org/venuu/jsonapi-authorization.svg?branch=master)](https://travis-ci.org/venuu/jsonapi-authorization) [![Gem Version](https://badge.fury.io/rb/jsonapi-authorization.png)](http://badge.fury.io/rb/jsonapi-authorization)
+
+`JSONAPI::Authorization` adds authorization to the [jsonapi-resources][jr] (JR) gem using [Pundit][pundit].
+
+***PLEASE NOTE:*** This gem currently handles only a subset of operations available in JR. This gem is still considered to be ***alpha quality*** and therefore you shouldn't rely on it on production (yet).
+
+  [jr]: https://github.com/cerebris/jsonapi-resources "A resource-focused Rails library for developing JSON API compliant servers."
+  [pundit]: https://github.com/elabs/pundit "Minimal authorization through OO design and pure Ruby classes"
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'jsonapi-authorization'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install jsonapi-authorization
+
+## Usage
+
+Make sure you have a Pundit policy specified for every backing model that your JR resources use. Then hook this gem up to your application like so:
+
+```ruby
+JSONAPI.configure do |config|
+  config.operations_processor = '::JSONAPI::Authorization::Pundit'
+end
+```
+
+Make all your JR controllers specify the following in the `context`:
+
+```ruby
+class BaseResourceController < ActionController::Base
+  include JSONAPI::ActsAsResourceController
+
+  private
+
+  def context
+    {user: current_user, action: action_name}
+  end
+end
+```
+
+Have your JR resources include the `JSONAPI::Authorization::PunditScopedResource` module.
+
+```ruby
+class BaseResource < JSONAPI::Resource
+  include JSONAPI::Authorization::PunditScopedResource
+  abstract
+end
+```
+
+If you want to send a custom response for unauthorized requests, add a `rescue_from` hook to your `BaseResourceController` and whitelist `Pundit::NotAuthorizedError` in your JR configuration.
+
+## Known bugs
+
+There is a bug affecting `jsonapi-resources` error whitelisting, see https://github.com/cerebris/jsonapi-resources/pull/573. To make your whitelisting and `rescue_from` to work properly, here is a potential workaround:
+
+```ruby
+JSONAPI.configure do |config|
+  config.exception_class_whitelist = [Pundit::NotAuthorizedError]
+end
+```
+
+```ruby
+class BaseResourceController < ActionController::Base
+  rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
+
+  private
+
+  # https://github.com/cerebris/jsonapi-resources/pull/573
+  def handle_exceptions(e)
+    if JSONAPI.configuration.exception_class_whitelist.any? { |k| e.class.ancestors.include?(k) }
+      raise e
+    else
+      super
+    end
+  end
+
+  def user_not_authorized
+    head :forbidden
+  end
+end
+```
+
+## Configuration
+
+You can use a custom authorizer class by specifying a configure block in an initializer file. If using a custom authorizer class, be sure to require them at the top of the initializer before usage.
+
+```ruby
+JSONAPI::Authorization.configure do |config|
+  config.authorizer = MyCustomAuthorizer
+end
+```
+
+## Development
+
+After checking out the repo, run `bundle install` to install dependencies. Then, run `bundle exec rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Credits
+
+Originally based on discussion and code samples by [@barelyknown](https://github.com/barelyknown) and others in [cerebris/jsonapi-resources#16](https://github.com/cerebris/jsonapi-resources/issues/16).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/venuu/jsonapi-authorization.

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "jsonapi/authorization"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/jsonapi-authorization.gemspec

@@ -0,0 +1,31 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'jsonapi/authorization/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "jsonapi-authorization"
+  spec.version       = JSONAPI::Authorization::VERSION
+  spec.authors       = ["Vesa Laakso", "Emil Sågfors"]
+  spec.email         = ["laakso.vesa@gmail.com", "emil.sagfors@iki.fi"]
+  spec.license       = "MIT"
+
+  spec.summary       = "Generic authorization for jsonapi-resources gem"
+  spec.description   = "Adds generic authorization to the jsonapi-resources gem using Pundit."
+  spec.homepage      = "https://github.com/venuu/jsonapi-authorization"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "jsonapi-resources", "0.7.0"
+  spec.add_dependency "pundit", "~> 1.0"
+
+  spec.add_development_dependency "bundler", "~> 1.11"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec", "~> 3.0"
+  spec.add_development_dependency "rspec-rails", "~> 3.0"
+  spec.add_development_dependency "pry", "~> 0.10"
+  spec.add_development_dependency "pry-byebug", "~> 1.3"
+  spec.add_development_dependency "pry-doc", "~> 0.6"
+  spec.add_development_dependency "pry-rails", "~> 0.3.4"
+end

data/lib/jsonapi-authorization.rb

@@ -0,0 +1 @@
+require 'jsonapi/authorization'

data/lib/jsonapi/authorization.rb

@@ -0,0 +1,12 @@
+require "jsonapi-resources"
+require "jsonapi/authorization/configuration"
+require "jsonapi/authorization/default_pundit_authorizer"
+require "jsonapi/authorization/pundit_operations_processor"
+require "jsonapi/authorization/pundit_scoped_resource"
+require "jsonapi/authorization/version"
+
+module JSONAPI
+  module Authorization
+    # Your code goes here...
+  end
+end

data/lib/jsonapi/authorization/configuration.rb

@@ -0,0 +1,23 @@
+require 'jsonapi/authorization/default_pundit_authorizer'
+
+module JSONAPI
+  module Authorization
+    class Configuration
+      attr_accessor :authorizer
+
+      def initialize
+        self.authorizer = ::JSONAPI::Authorization::DefaultPunditAuthorizer
+      end
+    end
+
+    class << self
+      attr_accessor :configuration
+    end
+
+    @configuration ||= Configuration.new
+
+    def self.configure
+      yield(@configuration)
+    end
+  end
+end

data/lib/jsonapi/authorization/default_pundit_authorizer.rb

@@ -0,0 +1,195 @@
+module JSONAPI
+  module Authorization
+    # An authorizer is a class responsible for linking JSONAPI operations to
+    # your choice of authorization mechanism.
+    #
+    # This class uses Pundit for authorization. It does not yet support all
+    # the available operations — you can use your own authorizer class instead
+    # if you have different needs. See the README.md for configuration
+    # information.
+    #
+    # Fetching records is the concern of +PunditScopedResource+ which in turn
+    # affects which records end up being passed here.
+    class DefaultPunditAuthorizer
+      attr_reader :user
+
+      # Creates a new DefaultPunditAuthorizer instance
+      #
+      # ==== Parameters
+      #
+      # * +context+ - The context passed down from the controller layer
+      def initialize(context)
+        @user = context[:user]
+      end
+
+      # <tt>GET /resources</tt>
+      #
+      # ==== Parameters
+      #
+      # * +source_class+ - The source class (e.g. +Article+ for +ArticleResource+)
+      def find(source_class)
+        ::Pundit.authorize(user, source_class, 'index?')
+      end
+
+      # <tt>GET /resources/:id</tt>
+      #
+      # ==== Parameters
+      #
+      # * +source_record+ - The record to show
+      def show(source_record)
+        ::Pundit.authorize(user, source_record, 'show?')
+      end
+
+      # <tt>GET /resources/:id/relationships/other-resources</tt>
+      # <tt>GET /resources/:id/relationships/another-resource</tt>
+      #
+      # A query for a +has_one+ or a +has_many+ association
+      #
+      # ==== Parameters
+      #
+      # * +source_record+ - The record whose relationship is queried
+      # * +related_record+ - The associated +has_one+ record to show or +nil+
+      #   if the associated record was not found. For a +has_many+ association,
+      #   this will always be +nil+
+      def show_relationship(source_record, related_record)
+        ::Pundit.authorize(user, source_record, 'show?')
+        ::Pundit.authorize(user, related_record, 'show?') unless related_record.nil?
+      end
+
+      # <tt>GET /resources/:id/another-resource</tt>
+      #
+      # A query for a record through a +has_one+ association
+      #
+      # ==== Parameters
+      #
+      # * +source_record+ - The record whose relationship is queried
+      # * +related_record+ - The associated record to show or +nil+ if the
+      #   associated record was not found
+      def show_related_resource(source_record, related_record)
+        ::Pundit.authorize(user, source_record, 'show?')
+        ::Pundit.authorize(user, related_record, 'show?') unless related_record.nil?
+      end
+
+      # <tt>GET /resources/:id/other-resources</tt>
+      #
+      # A query for records through a +has_many+ association
+      #
+      # ==== Parameters
+      #
+      # * +source_record+ - The record whose relationship is queried
+      def show_related_resources(source_record)
+        ::Pundit.authorize(user, source_record, 'show?')
+      end
+
+      # <tt>PATCH /resources/:id</tt>
+      #
+      # ==== Parameters
+      #
+      # * +source_record+ - The record to be modified
+      # * +new_related_records+ - An array of records to be associated to the
+      #   +source_record+. This will contain the records specified in the
+      #   "relationships" key in the request
+      #--
+      # TODO: Should probably take old records as well
+      def replace_fields(source_record, new_related_records)
+        ::Pundit.authorize(user, source_record, 'update?')
+
+        new_related_records.each do |record|
+          ::Pundit.authorize(user, record, 'update?')
+        end
+      end
+
+      # <tt>POST /resources</tt>
+      #
+      # ==== Parameters
+      #
+      # * +source_class+ - The class of the record to be created
+      # * +related_records+ - An array of records to be associated to the new
+      #   record. This will contain the records specified in the
+      #   "relationships" key in the request
+      def create_resource(source_class, related_records)
+        ::Pundit.authorize(user, source_class, 'create?')
+
+        related_records.each do |record|
+          ::Pundit.authorize(user, record, 'update?')
+        end
+      end
+
+      # <tt>DELETE /resources/:id</tt>
+      #
+      # ==== Parameters
+      #
+      # * +source_record+ - The record to be removed
+      def remove_resource(source_record)
+        ::Pundit.authorize(user, source_record, 'destroy?')
+      end
+
+      # <tt>PATCH /resources/:id/relationships/another-resource</tt>
+      #
+      # A replace request for a +has_one+ association
+      #
+      # ==== Parameters
+      #
+      # * +source_record+ - The record whose relationship is modified
+      # * +old_related_record+ - The current associated record
+      # * +new_related_record+ - The new record replacing the +old_record+
+      #   association, or +nil+ if the association is to be cleared
+      def replace_to_one_relationship(source_record, old_related_record, new_related_record)
+        raise NotImplementedError
+      end
+
+      # <tt>POST /resources/:id/relationships/other-resources</tt>
+      #
+      # A request for adding to a +has_many+ association
+      #
+      # ==== Parameters
+      #
+      # * +source_record+ - The record whose relationship is modified
+      # * +new_related_records+ - The new records to be added to the association
+      def create_to_many_relationship(source_record, new_related_records)
+        raise NotImplementedError
+      end
+
+      # <tt>PATCH /resources/:id/relationships/other-resources</tt>
+      #
+      # A replace request for a +has_many+ association
+      #
+      # ==== Parameters
+      #
+      # * +source_record+ - The record whose relationship is modified
+      # * +new_related_records+ - The new records replacing the entire +has_many+
+      #   association
+      #--
+      # TODO: Should probably take old records as well
+      def replace_to_many_relationship(source_record, new_related_records)
+        raise NotImplementedError
+      end
+
+      # <tt>DELETE /resources/:id/relationships/other-resources</tt>
+      #
+      # A request to deassociate elements of a +has_many+ association
+      #
+      # NOTE: this is called once per related record, not all at once
+      #
+      # ==== Parameters
+      #
+      # * +source_record+ - The record whose relationship is modified
+      # * +related_record+ - The record which will be deassociatied from +source_record+
+      def remove_to_many_relationship(source_record, related_record)
+        raise NotImplementedError
+      end
+
+      # <tt>DELETE /resources/:id/relationships/another-resource</tt>
+      #
+      # A request to deassociate a +has_one+ association
+      #
+      # ==== Parameters
+      #
+      # * +source_record+ - The record whose relationship is modified
+      # * +related_record+ - The record which will be deassociatied from +source_record+
+      def remove_to_one_relationship(source_record, related_record)
+        raise NotImplementedError
+      end
+    end
+  end
+end

data/lib/jsonapi/authorization/pundit_operations_processor.rb

@@ -0,0 +1,230 @@
+require 'pundit'
+
+module JSONAPI
+  module Authorization
+    class PunditOperationsProcessor < ::ActiveRecordOperationsProcessor
+      set_callback :find_operation, :before, :authorize_find
+      set_callback :show_operation, :before, :authorize_show
+      set_callback :show_relationship_operation, :before, :authorize_show_relationship
+      set_callback :show_related_resource_operation, :before, :authorize_show_related_resource
+      set_callback :show_related_resources_operation, :before, :authorize_show_related_resources
+      set_callback :create_resource_operation, :before, :authorize_create_resource
+      set_callback :remove_resource_operation, :before, :authorize_remove_resource
+      set_callback :replace_fields_operation, :before, :authorize_replace_fields
+      set_callback :replace_to_one_relationship_operation, :before, :authorize_replace_to_one_relationship
+      set_callback :create_to_many_relationship_operation, :before, :authorize_create_to_many_relationship
+      set_callback :replace_to_many_relationship_operation, :before, :authorize_replace_to_many_relationship
+      set_callback :remove_to_many_relationship_operation, :before, :authorize_remove_to_many_relationship
+      set_callback :remove_to_one_relationship_operation, :before, :authorize_remove_to_one_relationship
+
+      def authorize_find
+        authorizer.find(@operation.resource_klass._model_class)
+      end
+
+      def authorize_show
+        record = @operation.resource_klass.find_by_key(
+          operation_resource_id,
+          context: operation_context
+        )._model
+
+        authorizer.show(record)
+      end
+
+      def authorize_show_relationship
+        parent_resource = @operation.resource_klass.find_by_key(
+          @operation.parent_key,
+          context: operation_context
+        )
+
+        relationship = @operation.resource_klass._relationship(@operation.relationship_type)
+
+        related_resource =
+          case relationship
+          when JSONAPI::Relationship::ToOne
+            parent_resource.public_send(@operation.relationship_type)
+          when JSONAPI::Relationship::ToMany
+            # Do nothing — already covered by policy scopes
+          else
+            raise "Unexpected relationship type: #{relationship.inspect}"
+          end
+
+        parent_record = parent_resource._model
+        related_record = related_resource._model unless related_resource.nil?
+        authorizer.show_relationship(parent_record, related_record)
+      end
+
+      def authorize_show_related_resource
+        source_resource = @operation.source_klass.find_by_key(
+          @operation.source_id,
+          context: operation_context
+        )
+
+        related_resource = source_resource.public_send(@operation.relationship_type)
+
+        source_record = source_resource._model
+        related_record = related_resource._model unless related_resource.nil?
+        authorizer.show_related_resource(source_record, related_record)
+      end
+
+      def authorize_show_related_resources
+        source_record = @operation.source_klass.find_by_key(
+          @operation.source_id,
+          context: operation_context
+        )._model
+
+        authorizer.show_related_resources(source_record)
+      end
+
+      def authorize_replace_fields
+        source_record = @operation.resource_klass.find_by_key(
+          @operation.resource_id,
+          context: operation_context
+        )._model
+
+        authorizer.replace_fields(source_record, related_models)
+      end
+
+      def authorize_create_resource
+        source_class = @operation.resource_klass._model_class
+
+        authorizer.create_resource(source_class, related_models)
+      end
+
+      def authorize_remove_resource
+        record = @operation.resource_klass.find_by_key(
+          operation_resource_id,
+          context: operation_context
+        )._model
+
+        authorizer.remove_resource(record)
+      end
+
+      def authorize_replace_to_one_relationship
+        source_resource = @operation.resource_klass.find_by_key(
+          @operation.resource_id,
+          context: operation_context
+        )
+        source_record = source_resource._model
+
+        old_related_record = source_resource.records_for(@operation.relationship_type)
+        unless @operation.key_value.nil?
+          new_related_resource = @operation.resource_klass._relationship(@operation.relationship_type).resource_klass.find_by_key(
+            @operation.key_value,
+            context: operation_context
+          )
+          new_related_record = new_related_resource._model unless new_related_resource.nil?
+        end
+
+        authorizer.replace_to_one_relationship(
+          source_record,
+          old_related_record,
+          new_related_record
+        )
+      end
+
+      def authorize_create_to_many_relationship
+        source_record = @operation.resource_klass.find_by_key(
+          @operation.resource_id,
+          context: operation_context
+        )._model
+
+        related_models =
+          model_class_for_relationship(@operation.relationship_type).find(@operation.data)
+
+        authorizer.create_to_many_relationship(source_record, related_models)
+      end
+
+      def authorize_replace_to_many_relationship
+        source_resource = @operation.resource_klass.find_by_key(
+          @operation.resource_id,
+          context: operation_context
+        )
+        source_record = source_resource._model
+
+        related_records = source_resource.records_for(@operation.relationship_type)
+
+        authorizer.replace_to_many_relationship(
+          source_record,
+          related_records
+        )
+      end
+
+      def authorize_remove_to_many_relationship
+        source_resource = @operation.resource_klass.find_by_key(
+          @operation.resource_id,
+          context: operation_context
+        )
+        source_record = source_resource._model
+
+        related_resource = @operation.resource_klass._relationship(@operation.relationship_type).resource_klass.find_by_key(
+          @operation.associated_key,
+          context: operation_context
+        )
+        related_record = related_resource._model unless related_resource.nil?
+
+        authorizer.remove_to_many_relationship(
+          source_record,
+          related_record
+        )
+      end
+
+      def authorize_remove_to_one_relationship
+        source_resource = @operation.resource_klass.find_by_key(
+          @operation.resource_id,
+          context: operation_context
+        )
+
+        related_resource = source_resource.public_send(@operation.relationship_type)
+
+        source_record = source_resource._model
+        related_record = related_resource._model unless related_resource.nil?
+        authorizer.remove_to_one_relationship(source_record, related_record)
+      end
+
+      private
+
+      def authorizer
+        @authorizer ||= ::JSONAPI::Authorization.configuration.authorizer.new(operation_context)
+      end
+
+      # TODO: Communicate with upstream to fix this nasty hack
+      def operation_context
+        case @operation
+        when JSONAPI::ShowRelatedResourcesOperation
+          @operation.instance_variable_get('@options')[:context]
+        else
+          @operation.options[:context]
+        end
+      end
+
+      # TODO: Communicate with upstream to fix this nasty hack
+      def operation_resource_id
+        case @operation
+        when JSONAPI::ShowOperation
+          @operation.id
+        when JSONAPI::ShowRelatedResourcesOperation
+          @operation.source_id
+        else
+          @operation.resource_id
+        end
+      end
+
+      def model_class_for_relationship(assoc_name)
+        @operation.resource_klass._relationship(assoc_name).resource_klass._model_class
+      end
+
+      def related_models
+        data = @operation.options[:data]
+        return [] if data.nil?
+
+        [:to_one, :to_many].flat_map do |rel_type|
+          data[rel_type].flat_map do |assoc_name, assoc_ids|
+            assoc_klass = model_class_for_relationship(assoc_name)
+            # TODO: find_by_key?
+            assoc_klass.find(assoc_ids)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/jsonapi/authorization/pundit_scoped_resource.rb

@@ -0,0 +1,29 @@
+require 'pundit'
+
+module JSONAPI
+  module Authorization
+    module PunditScopedResource
+      extend ActiveSupport::Concern
+
+      module ClassMethods
+        def records(options = {})
+          ::Pundit.policy_scope!(options[:context][:user], _model_class)
+        end
+      end
+
+      def records_for(association_name)
+        record_or_records = @model.public_send(association_name)
+        relationship = self.class._relationships[association_name]
+
+        case relationship
+        when JSONAPI::Relationship::ToOne
+          record_or_records
+        when JSONAPI::Relationship::ToMany
+          ::Pundit.policy_scope!(context[:user], record_or_records)
+        else
+          raise "Unknown relationship type #{relationship.inspect}"
+        end
+      end
+    end
+  end
+end

data/lib/jsonapi/authorization/version.rb

@@ -0,0 +1,5 @@
+module JSONAPI
+  module Authorization
+    VERSION = "0.4.0".freeze
+  end
+end

metadata

@@ -0,0 +1,207 @@
+--- !ruby/object:Gem::Specification
+name: jsonapi-authorization
+version: !ruby/object:Gem::Version
+  version: 0.4.0
+platform: ruby
+authors:
+- Vesa Laakso
+- Emil Sågfors
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-01-28 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: jsonapi-resources
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.7.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.7.0
+- !ruby/object:Gem::Dependency
+  name: pundit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.11'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.11'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rspec-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
+- !ruby/object:Gem::Dependency
+  name: pry-byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: pry-doc
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+- !ruby/object:Gem::Dependency
+  name: pry-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.3.4
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.3.4
+description: Adds generic authorization to the jsonapi-resources gem using Pundit.
+email:
+- laakso.vesa@gmail.com
+- emil.sagfors@iki.fi
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".editorconfig"
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- ".ruby-version"
+- ".travis.yml"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- jsonapi-authorization.gemspec
+- lib/jsonapi-authorization.rb
+- lib/jsonapi/authorization.rb
+- lib/jsonapi/authorization/configuration.rb
+- lib/jsonapi/authorization/default_pundit_authorizer.rb
+- lib/jsonapi/authorization/pundit_operations_processor.rb
+- lib/jsonapi/authorization/pundit_scoped_resource.rb
+- lib/jsonapi/authorization/version.rb
+homepage: https://github.com/venuu/jsonapi-authorization
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: Generic authorization for jsonapi-resources gem
+test_files: []
+has_rdoc: