jsonapi-authorization 0.5.0 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 29b3ceafd8c61b2dfe1d2ac684714569d8cb70a2
-  data.tar.gz: 5fc76942b71575e6cfd4b0700c0d26572d681c65
+  metadata.gz: 47495edb7695129cd3ddd577ce547db63df70b4f
+  data.tar.gz: 68f2686dfa2143ec831816e39b02a1c2170ec3a0
 SHA512:
-  metadata.gz: 037b2a7cb5a7418d18c848a0044ca1c93d81386c897253713137323221ebdfdedc9b69609d0e177299939ce0b83ce2ab541bad9a53ffa29a3a72750483ce19e8
-  data.tar.gz: 51fb54f0056bfedd6caf847cd00012cf1c45cc04897004c4e6546c78d25fa38177fcfbf1e7e02f0ff17b293679bfea85f88d9b67e490f2883c9f35a1db0b04ae
+  metadata.gz: 79314420e9e62352436beca771f31823a9fc2bfb72122deada6a4bac09941ee4593b9f468747392ddfbe0169a6737f1d7b93a3b17c486000fcf223ca8faf1f19
+  data.tar.gz: 87389fd2aa637d0233666f747fab5c8aaded2371594d09915879d70d6d6e0120327b9a2cf3bd00bea35d17036cb34705aeeea7a7338f98024a9fecb8f5d2fcc5

data/bin/console

@@ -1,6 +1,7 @@
 #!/usr/bin/env ruby
 
 require "bundler/setup"
+require "rails/all"
 require "jsonapi/authorization"
 
 # You can add fixtures and/or initialization code here to make experimenting
@@ -10,5 +11,5 @@ require "jsonapi/authorization"
 # require "pry"
 # Pry.start
 
-require "irb"
-IRB.start
+require "pry"
+Pry.start

data/lib/jsonapi/authorization/authorizing_operations_processor.rb

@@ -17,6 +17,32 @@ module JSONAPI
       set_callback :remove_to_many_relationship_operation, :before, :authorize_remove_to_many_relationship
       set_callback :remove_to_one_relationship_operation, :before, :authorize_remove_to_one_relationship
 
+      [
+        :find_operation,
+        :show_operation,
+        :show_related_resource_operation,
+        :show_related_resources_operation,
+        :create_resource_operation,
+        :replace_fields_operation
+      ].each do |op_name|
+        set_callback op_name, :after, :authorize_include_directive
+      end
+
+      def authorize_include_directive
+        return if @result.is_a?(::JSONAPI::ErrorsOperationResult)
+        resources = Array.wrap(
+          if @result.respond_to?(:resources)
+            @result.resources
+          elsif @result.respond_to?(:resource)
+            @result.resource
+          end
+        )
+
+        resources.each do |resource|
+          authorize_model_includes(resource._model)
+        end
+      end
+
       def authorize_find
         authorizer.find(@operation.resource_klass._model_class)
       end
@@ -209,8 +235,12 @@ module JSONAPI
         end
       end
 
+      def resource_class_for_relationship(assoc_name)
+        @operation.resource_klass._relationship(assoc_name).resource_klass
+      end
+
       def model_class_for_relationship(assoc_name)
-        @operation.resource_klass._relationship(assoc_name).resource_klass._model_class
+        resource_class_for_relationship(assoc_name)._model_class
       end
 
       def related_models
@@ -218,13 +248,71 @@ module JSONAPI
         return [] if data.nil?
 
         [:to_one, :to_many].flat_map do |rel_type|
-          data[rel_type].flat_map do |assoc_name, assoc_ids|
-            assoc_klass = model_class_for_relationship(assoc_name)
-            # TODO: find_by_key?
-            assoc_klass.find(assoc_ids)
+          data[rel_type].flat_map do |assoc_name, assoc_value|
+            case assoc_value
+            when Hash # polymorphic relationship
+              resource_class = @operation.resource_klass.resource_for(assoc_value[:type].to_s)
+              resource_class.find_by_key(assoc_value[:id], context: @operation.options[:context])._model
+            else
+              resource_class = resource_class_for_relationship(assoc_name)
+              primary_key = resource_class._primary_key
+              resource_class._model_class.where(primary_key => assoc_value)
+            end
           end
         end
       end
+
+      def authorize_model_includes(source_record)
+        if @request.include_directives
+          @request.include_directives.model_includes.each do |include_item|
+            authorize_include_item(@operation.resource_klass, source_record, include_item)
+          end
+        end
+      end
+
+      def authorize_include_item(resource_klass, source_record, include_item)
+        case include_item
+        when Hash
+          # e.g. {articles: [:comments, :author]} when ?include=articles.comments,articles.author
+          include_item.each do |rel_name, deep|
+            authorize_include_item(resource_klass, source_record, rel_name)
+            relationship = resource_klass._relationship(rel_name)
+            next_resource_klass = relationship.resource_klass
+            Array.wrap(
+              source_record.public_send(
+                relationship.relation_name(@operation.options[:context])
+              )
+            ).each do |next_source_record|
+              deep.each do |next_include_item|
+                authorize_include_item(
+                  next_resource_klass,
+                  next_source_record,
+                  next_include_item
+                )
+              end
+            end
+          end
+        when Symbol
+          relationship = resource_klass._relationship(include_item)
+          case relationship
+          when JSONAPI::Relationship::ToOne
+            related_record = source_record.public_send(
+              relationship.relation_name(@operation.options[:context])
+            )
+            return if related_record.nil?
+            authorizer.include_has_one_resource(source_record, related_record)
+          when JSONAPI::Relationship::ToMany
+            authorizer.include_has_many_resource(
+              source_record,
+              relationship.resource_klass._model_class
+            )
+          else
+            raise "Unexpected relationship type: #{relationship.inspect}"
+          end
+        else
+          raise "Unknown include directive: #{include_item}"
+        end
+      end
     end
   end
 end

data/lib/jsonapi/authorization/default_pundit_authorizer.rb

@@ -190,6 +190,40 @@ module JSONAPI
       def remove_to_one_relationship(source_record, related_record)
         raise NotImplementedError
       end
+
+      # Any request including <tt>?include=other-resources</tt>
+      #
+      # This will be called for each has_many relationship if the include goes
+      # deeper than one level until some authorization fails or the include
+      # directive has been travelled completely.
+      #
+      # We can't pass all the records of a +has_many+ association here due to
+      # performance reasons, so the class is passed instead.
+      #
+      # ==== Parameters
+      #
+      # * +source_record+ — The source relationship record, e.g. an Article in
+      #                     article.comments check
+      # * +record_class+ - The underlying record class for the relationships
+      #                    resource.
+      def include_has_many_resource(source_record, record_class)
+        ::Pundit.authorize(user, record_class, 'index?')
+      end
+
+      # Any request including <tt>?include=another-resource</tt>
+      #
+      # This will be called for each has_one relationship if the include goes
+      # deeper than one level until some authorization fails or the include
+      # directive has been travelled completely.
+      #
+      # ==== Parameters
+      #
+      # * +source_record+ — The source relationship record, e.g. an Article in
+      #                     article.author check
+      # * +related_record+ - The associated record to return
+      def include_has_one_resource(source_record, related_record)
+        ::Pundit.authorize(user, related_record, 'show?')
+      end
     end
   end
 end

data/lib/jsonapi/authorization/version.rb

@@ -1,5 +1,5 @@
 module JSONAPI
   module Authorization
-    VERSION = "0.5.0".freeze
+    VERSION = "0.6.0".freeze
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: jsonapi-authorization
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.6.0
 platform: ruby
 authors:
 - Vesa Laakso
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-01-28 00:00:00.000000000 Z
+date: 2016-03-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jsonapi-resources