jsonapi-authorization 1.0.0.alpha6 → 1.0.0.beta1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1740e99c89b7ed5a7872ac09f90e25de714f2b3c
-  data.tar.gz: 4c7d58578b5814ba853ff871917df33904c61eb8
+  metadata.gz: bcd1ac1cfc1372b4ffeeabb8e1ae5bab6cf48da3
+  data.tar.gz: 13de8f3337c711b0454b5f1ca953cf99bd77be8b
 SHA512:
-  metadata.gz: 5b0202b9e8f5a0fa11f594ff35f62173ae7e4c326dff6011783c4300ac0165b0be779beb1d5e8268000fa597417ebf9bd2c48fc59975eef95ecbb769a53236d1
-  data.tar.gz: 6846fa8b449885c8addfbfa11e36ab5fd4e6f4f62249bbabe70772a5ecad4d65ad5c5005b739f90812cb1e2ecd0d7e8ac39bf6b1cb4d539199083d24186ab4b6
+  metadata.gz: ba7c459632d6809cc751358a1e2943e3ef7b03c646305133eb2e7129ae59b529edfc7ced44d3d6249c34f85f38f74e70ddb6ccfe96403d709cbf22f5ed8d5e55
+  data.tar.gz: 76aa072e610ad4949ede3da5b9264bbc53a3e5c4527bf2078cf6cdd428d24dc1fb9229ed548fba7221d5cfd1b16a2b90c2cc38cbe2b21eb3a4f4c7d3e828be58

data/.all-contributorsrc

@@ -115,6 +115,18 @@
         "code",
         "test"
       ]
+    },
+    {
+      "login": "nruth",
+      "name": "Nicholas Rutherford",
+      "avatar_url": "https://avatars1.githubusercontent.com/u/26158?v=4",
+      "profile": "http://www.google.co.uk/profiles/nick.rutherford",
+      "contributions": [
+        "code",
+        "test",
+        "infra"
+      ]
     }
-  ]
+  ],
+  "repoType": "github"
 }

data/.gitignore

@@ -9,3 +9,4 @@
 /tmp/
 /spec/dummy/tmp/
 *.orig
+.ruby-version

data/.rubocop.yml

@@ -1,4 +1,5 @@
 AllCops:
+  TargetRubyVersion: 2.1
   Exclude:
     - 'bin/*'
     - 'spec/dummy/db/schema.rb'

data/.travis.yml

@@ -1,12 +1,14 @@
 language: ruby
-cache: bundler
-sudo: false
 env:
-  - JSONAPI_RESOURCES_VERSION=0.9 RAILS_VERSION=4.1.0
   - JSONAPI_RESOURCES_VERSION=0.9 RAILS_VERSION=4.2.0
+  - JSONAPI_RESOURCES_VERSION=0.9 RAILS_VERSION=5.0.0
+  - JSONAPI_RESOURCES_VERSION=0.9 RAILS_VERSION=5.1.0
+  - JSONAPI_RESOURCES_VERSION=0.9 RAILS_VERSION=5.2.0
+install:
+  - bundle install
 rvm:
-  - 2.1.2
-before_install: gem install bundler -v 1.11.2
+  - 2.3
+before_install: gem install bundler -v 1.16.2
 notifications:
   email: false
 script:

data/Gemfile

@@ -2,8 +2,6 @@ source 'https://rubygems.org'
 
 gemspec
 
-gem 'sqlite3', '1.3.10'
-
 rails_version = ENV['RAILS_VERSION'] || 'default'
 jsonapi_resources_version = ENV['JSONAPI_RESOURCES_VERSION'] || 'default'
 

data/README.md

@@ -14,17 +14,26 @@ branch. This may contain information that is not relevant to the release you are
   [jr]: https://github.com/cerebris/jsonapi-resources "A resource-focused Rails library for developing JSON API compliant servers."
   [pundit]: https://github.com/elabs/pundit "Minimal authorization through OO design and pure Ruby classes"
 
+The core design principle of `JSONAPI::Authorization` is:
+
+**Prefer being overly restrictive rather than too permissive by accident.**
+
+What follows is that we want to have:
+
+1. Whitelist over blacklist -approach for authorization
+2. Fall back on a more strict authorization
+
 ## Caveats
 
 Make sure to test for authorization in your application, too. We should have coverage of all operations, though. If that isn't the case, please [open an issue][issues].
 
 If you're using custom processors, make sure that they extend `JSONAPI::Authorization::AuthorizingProcessor`, or authorization will not be performed for that resource.
 
-This gem should work out-of-the box for simple cases. The default authorizer might be overly restrictive for [more complex cases][complex-case].
+This gem should work out-of-the box for simple cases. The default authorizer might be overly restrictive for cases where you are touching relationships.
 
-The API is subject to change between minor version bumps until we reach v1.0.0.
+**If you are modifying relationships**, you should read the [relationship authorization documentation](docs/relationship-authorization.md).
 
-  [complex-case]: https://github.com/venuu/jsonapi-authorization/issues/15
+The API is subject to change between minor version bumps until we reach v1.0.0.
 
 ## Installation
 
@@ -97,8 +106,7 @@ To check whether an action is allowed JSONAPI::Authorization calls the respectiv
 (`index?`, `show?`, `create?`, `update?`, `destroy?`).
 
 For relationship operations by default `update?` is being called for all affected resources.
-For a finer grained control you can define `add_to_<relation>?`, `replace_<relation>?`, and `remove_from_<relation>?`
-as the following example shows.
+For a finer grained control you can define methods to authorize relationship changes. For example:
 
 ```ruby
 class ArticlePolicy
@@ -120,9 +128,7 @@ class ArticlePolicy
 end
 ```
 
-Caveat: In case a relationship is modifiable through multiple ways it is your responsibility to ensure consistency.
-For example if you have a many-to-many relationship with users and projects make sure that
-`ProjectPolicy#add_to_users?(users)` and `UserPolicy#add_to_projects?(projects)` match up.
+For thorough documentation about custom policy methods, check out the [relationship authorization docs](docs/relationship-authorization.md).
 
 ## Configuration
 
@@ -177,9 +183,10 @@ Bug reports and pull requests are welcome on GitHub at https://github.com/venuu/
 Thanks goes to these wonderful people ([emoji key](https://github.com/kentcdodds/all-contributors#emoji-key)):
 
 <!-- ALL-CONTRIBUTORS-LIST:START - Do not remove or modify this section -->
-| [<img src="https://avatars.githubusercontent.com/u/482561?v=3" width="100px;"/><br /><sub>Vesa Laakso</sub>](http://vesalaakso.com)<br />[💻](https://github.com/Venuu/jsonapi-authorization/commits?author=valscion) [📖](https://github.com/Venuu/jsonapi-authorization/commits?author=valscion) 🚇 [⚠️](https://github.com/Venuu/jsonapi-authorization/commits?author=valscion) [🐛](https://github.com/Venuu/jsonapi-authorization/issues?q=author%3Avalscion) 💬 👀 | [<img src="https://avatars.githubusercontent.com/u/562204?v=3" width="100px;"/><br /><sub>Emil Sågfors</sub>](https://github.com/lime)<br />[💻](https://github.com/Venuu/jsonapi-authorization/commits?author=lime) [📖](https://github.com/Venuu/jsonapi-authorization/commits?author=lime) 🚇 [⚠️](https://github.com/Venuu/jsonapi-authorization/commits?author=lime) [🐛](https://github.com/Venuu/jsonapi-authorization/issues?q=author%3Alime) 💬 👀 | [<img src="https://avatars.githubusercontent.com/u/1591161?v=3" width="100px;"/><br /><sub>Matthias Grundmann</sub>](https://github.com/matthias-g)<br />[💻](https://github.com/Venuu/jsonapi-authorization/commits?author=matthias-g) [📖](https://github.com/Venuu/jsonapi-authorization/commits?author=matthias-g) [⚠️](https://github.com/Venuu/jsonapi-authorization/commits?author=matthias-g) 💬 | [<img src="https://avatars.githubusercontent.com/u/1322?v=3" width="100px;"/><br /><sub>Thibaud Guillaume-Gentil</sub>](http://thibaud.gg)<br />[💻](https://github.com/Venuu/jsonapi-authorization/commits?author=thibaudgg) | [<img src="https://avatars.githubusercontent.com/u/71660?v=3" width="100px;"/><br /><sub>Daniel Schweighöfer</sub>](http://netsteward.net)<br />[💻](https://github.com/Venuu/jsonapi-authorization/commits?author=acid) | [<img src="https://avatars.githubusercontent.com/u/5076967?v=3" width="100px;"/><br /><sub>Bruno Sofiato</sub>](https://github.com/bsofiato)<br />[💻](https://github.com/Venuu/jsonapi-authorization/commits?author=bsofiato) | [<img src="https://avatars.githubusercontent.com/u/1896026?v=3" width="100px;"/><br /><sub>Adam Robertson</sub>](https://github.com/arcreative)<br />[📖](https://github.com/Venuu/jsonapi-authorization/commits?author=arcreative) |
+<!-- prettier-ignore -->
+| [<img src="https://avatars.githubusercontent.com/u/482561?v=3" width="100px;"/><br /><sub><b>Vesa Laakso</b></sub>](http://vesalaakso.com)<br />[💻](https://github.com/Venuu/jsonapi-authorization/commits?author=valscion "Code") [📖](https://github.com/Venuu/jsonapi-authorization/commits?author=valscion "Documentation") [🚇](#infra-valscion "Infrastructure (Hosting, Build-Tools, etc)") [⚠️](https://github.com/Venuu/jsonapi-authorization/commits?author=valscion "Tests") [🐛](https://github.com/Venuu/jsonapi-authorization/issues?q=author%3Avalscion "Bug reports") [💬](#question-valscion "Answering Questions") [👀](#review-valscion "Reviewed Pull Requests") | [<img src="https://avatars.githubusercontent.com/u/562204?v=3" width="100px;"/><br /><sub><b>Emil Sågfors</b></sub>](https://github.com/lime)<br />[💻](https://github.com/Venuu/jsonapi-authorization/commits?author=lime "Code") [📖](https://github.com/Venuu/jsonapi-authorization/commits?author=lime "Documentation") [🚇](#infra-lime "Infrastructure (Hosting, Build-Tools, etc)") [⚠️](https://github.com/Venuu/jsonapi-authorization/commits?author=lime "Tests") [🐛](https://github.com/Venuu/jsonapi-authorization/issues?q=author%3Alime "Bug reports") [💬](#question-lime "Answering Questions") [👀](#review-lime "Reviewed Pull Requests") | [<img src="https://avatars.githubusercontent.com/u/1591161?v=3" width="100px;"/><br /><sub><b>Matthias Grundmann</b></sub>](https://github.com/matthias-g)<br />[💻](https://github.com/Venuu/jsonapi-authorization/commits?author=matthias-g "Code") [📖](https://github.com/Venuu/jsonapi-authorization/commits?author=matthias-g "Documentation") [⚠️](https://github.com/Venuu/jsonapi-authorization/commits?author=matthias-g "Tests") [💬](#question-matthias-g "Answering Questions") | [<img src="https://avatars.githubusercontent.com/u/1322?v=3" width="100px;"/><br /><sub><b>Thibaud Guillaume-Gentil</b></sub>](http://thibaud.gg)<br />[💻](https://github.com/Venuu/jsonapi-authorization/commits?author=thibaudgg "Code") | [<img src="https://avatars.githubusercontent.com/u/71660?v=3" width="100px;"/><br /><sub><b>Daniel Schweighöfer</b></sub>](http://netsteward.net)<br />[💻](https://github.com/Venuu/jsonapi-authorization/commits?author=acid "Code") | [<img src="https://avatars.githubusercontent.com/u/5076967?v=3" width="100px;"/><br /><sub><b>Bruno Sofiato</b></sub>](https://github.com/bsofiato)<br />[💻](https://github.com/Venuu/jsonapi-authorization/commits?author=bsofiato "Code") | [<img src="https://avatars.githubusercontent.com/u/1896026?v=3" width="100px;"/><br /><sub><b>Adam Robertson</b></sub>](https://github.com/arcreative)<br />[📖](https://github.com/Venuu/jsonapi-authorization/commits?author=arcreative "Documentation") |
 | :---: | :---: | :---: | :---: | :---: | :---: | :---: |
-| [<img src="https://avatars3.githubusercontent.com/u/4742306?v=3" width="100px;"/><br /><sub>Greg Fisher</sub>](https://github.com/gnfisher)<br />[💻](https://github.com/Venuu/jsonapi-authorization/commits?author=gnfisher) [⚠️](https://github.com/Venuu/jsonapi-authorization/commits?author=gnfisher) | [<img src="https://avatars3.githubusercontent.com/u/370182?v=3" width="100px;"/><br /><sub>Sam</sub>](http://samlh.com)<br />[💻](https://github.com/Venuu/jsonapi-authorization/commits?author=handlers) [⚠️](https://github.com/Venuu/jsonapi-authorization/commits?author=handlers) | [<img src="https://avatars0.githubusercontent.com/u/2738630?v=3" width="100px;"/><br /><sub>Justas Palumickas</sub>](https://jpalumickas.com)<br />[🐛](https://github.com/Venuu/jsonapi-authorization/issues?q=author%3Ajpalumickas) [💻](https://github.com/Venuu/jsonapi-authorization/commits?author=jpalumickas) [⚠️](https://github.com/Venuu/jsonapi-authorization/commits?author=jpalumickas) |
+| [<img src="https://avatars3.githubusercontent.com/u/4742306?v=3" width="100px;"/><br /><sub><b>Greg Fisher</b></sub>](https://github.com/gnfisher)<br />[💻](https://github.com/Venuu/jsonapi-authorization/commits?author=gnfisher "Code") [⚠️](https://github.com/Venuu/jsonapi-authorization/commits?author=gnfisher "Tests") | [<img src="https://avatars3.githubusercontent.com/u/370182?v=3" width="100px;"/><br /><sub><b>Sam</b></sub>](http://samlh.com)<br />[💻](https://github.com/Venuu/jsonapi-authorization/commits?author=handlers "Code") [⚠️](https://github.com/Venuu/jsonapi-authorization/commits?author=handlers "Tests") | [<img src="https://avatars0.githubusercontent.com/u/2738630?v=3" width="100px;"/><br /><sub><b>Justas Palumickas</b></sub>](https://jpalumickas.com)<br />[🐛](https://github.com/Venuu/jsonapi-authorization/issues?q=author%3Ajpalumickas "Bug reports") [💻](https://github.com/Venuu/jsonapi-authorization/commits?author=jpalumickas "Code") [⚠️](https://github.com/Venuu/jsonapi-authorization/commits?author=jpalumickas "Tests") | [<img src="https://avatars1.githubusercontent.com/u/26158?v=4" width="100px;"/><br /><sub><b>Nicholas Rutherford</b></sub>](http://www.google.co.uk/profiles/nick.rutherford)<br />[💻](https://github.com/Venuu/jsonapi-authorization/commits?author=nruth "Code") [⚠️](https://github.com/Venuu/jsonapi-authorization/commits?author=nruth "Tests") [🚇](#infra-nruth "Infrastructure (Hosting, Build-Tools, etc)") |
 <!-- ALL-CONTRIBUTORS-LIST:END -->
 
-This project follows the [all-contributors](https://github.com/kentcdodds/all-contributors) specification. Contributions of any kind welcome!
+This project follows the [all-contributors](https://github.com/kentcdodds/all-contributors) specification. Contributions of any kind welcome!

data/docs/relationship-authorization.md

@@ -0,0 +1,601 @@
+# <a name="doc-top"></a>Authorization of operations touching relationships
+
+`JSONAPI::Authorization` (JA) is unique in the way it considers relationship changes to change the underlying models. Whenever an incoming request changes associated resources, JA will authorize those operations are OK.
+
+As JA runs the authorization checks _before_ any changes are made (even to in-memory objects), Pundit policies don't have the information needed to authorize changes to relationships. This is why JA provides special hooks to authorize relationship changes and falls back to checking `#update?` on all the related records.
+
+Caveat: In case a relationship is modifiable through multiple ways it is your responsibility to ensure consistency.
+For example if you have a many-to-many relationship with users and projects make sure that
+`ProjectPolicy#add_to_users?(users)` and `UserPolicy#add_to_projects?(projects)` match up.
+
+**Table of contents**
+
+* `has-one` relationships
+  - [Example setup for `has-one` examples](#example-setup-has-one)
+  - [`PATCH /articles/article-1/relationships/author`](#change-has-one-relationship-op)
+    * Changing a `has-one` relationship
+  - [`DELETE /articles/article-1/relationships/author`](#remove-has-one-relationship-op)
+    * Removing a `has-one` relationship
+  - [`PATCH /articles/article-1/` with different `author` relationship](#change-and-replace-has-one-resource-op)
+    * Changing resource and replacing a `has-one` relationship
+  - [`PATCH /articles/article-1/` with null `author` relationship](#change-and-remove-has-one-resource-op)
+    * Changing resource and removing a `has-one` relationship
+  - [`POST /articles` with an `author` relationship](#create-has-one-resource-op)
+    * Creating a resource with a `has-one` relationship
+* `has-many` relationships
+  - [Example setup for `has-many` examples](#example-setup-has-many)
+  - [`POST /articles/article-1/relationships/comments`](#add-to-has-many-relationship-op)
+    * Adding to a `has-many` relationship
+  - [`DELETE /articles/article-1/relationships/comments`](#remove-from-has-many-relationship-op)
+    * Removing from a `has-many` relationship
+  - [`PATCH /articles/article-1/relationships/comments` with different `comments`](#replace-has-many-relationship-op)
+    * Replacing a `has-many` relationship
+  - [`PATCH /articles/article-1/relationships/comments` with empty `comments`](#remove-has-many-relationship-op)
+    * Removing a `has-many` relationship
+  - [`PATCH /articles/article-1` with different `comments` relationship](#change-and-replace-has-many-resource-op)
+    * Changing resource and replacing a `has-many` relationship
+  - [`PATCH /articles/article-1` with empty `comments` relationship](#change-and-remove-has-many-resource-op)
+    * Changing resource and removing a `has-many` relationship
+  - [`POST /articles` with a `comments` relationship](#create-has-many-resource-op)
+    * Creating a resource with a `has-many` relationship
+
+
+<a name="example-setup-has-one"></a>
+
+[back to top ↑](#doc-top)
+
+## `has-one` relationships
+
+### Example setup for `has-one` examples
+
+The examples for `has-one` relationship authorization use these models and resources:
+
+```rb
+class Article < ActiveRecord::Base
+  belongs_to :author, class_name: 'User'
+end
+
+class ArticleResource < JSONAPI::Resource
+  include JSONAPI::Authorization::PunditScopedResource
+  has_one :author, class_name: 'User'
+end
+```
+
+```rb
+class User < ActiveRecord::Base
+  has_many :articles, foreign_key: :author_id
+end
+
+class UserResource < JSONAPI::Resource
+  include JSONAPI::Authorization::PunditScopedResource
+  has_many :articles
+end
+```
+
+<a name="change-has-one-relationship-op"></a>
+
+[back to top ↑](#doc-top)
+
+### `PATCH /articles/article-1/relationships/author`
+
+_Changing a `has-one` relationship with a relationship operation_
+
+Setup:
+
+```rb
+user_1 = User.create(id: 'user-1')
+article_1 = Article.create(id: 'article-1', author: user_1)
+user_2 = User.create(id: 'user-2')
+```
+
+> `PATCH /articles/article-1/relationships/author`
+>
+> ```json
+> {
+>   "type": "users",
+>   "id": "user-2"
+> }
+> ```
+
+#### Custom relationship authorization method
+
+* `ArticlePolicy.new(current_user, article_1).replace_author?(user_2)`
+
+#### Fallback
+
+* `ArticlePolicy.new(current_user, article_1).update?`
+* `UserPolicy.new(current_user, user_2).update?`
+
+**Note:** Currently JA does not fallback to authorizing `UserPolicy#update?` on `user_1` that is about to be dissociated. This will likely be changed in the future.
+
+<a name="remove-has-one-relationship-op"></a>
+
+[back to top ↑](#doc-top)
+
+### `DELETE /articles/article-1/relationships/author`
+
+_Removing a `has-one` relationship with a relationship operation_
+
+Setup:
+
+```rb
+user_1 = User.create(id: 'user-1')
+article_1 = Article.create(id: 'article-1', author: user_1)
+```
+
+> `DELETE /articles/article-1/relationships/author`
+>
+> (empty body)
+
+#### Custom relationship authorization method
+
+* `ArticlePolicy.new(current_user, article_1).remove_author?`
+
+#### Fallback
+
+* `ArticlePolicy.new(current_user, article_1).update?`
+
+**Note:** Currently JA does not fallback to authorizing `UserPolicy#update?` on `user_1` that is about to be dissociated. This will likely be changed in the future.
+
+<a name="change-and-replace-has-one-resource-op"></a>
+
+[back to top ↑](#doc-top)
+
+### `PATCH /articles/article-1/` with different `author` relationship
+
+_Changing resource and replacing a `has-one` relationship_
+
+Setup:
+
+```rb
+user_1 = User.create(id: 'user-1')
+article_1 = Article.create(id: 'article-1', author: user_1)
+user_2 = User.create(id: 'user-2')
+```
+
+> `PATCH /articles/article-1`
+>
+> ```json
+> {
+>   "type": "articles",
+>   "id": "article-1",
+>   "relationships": {
+>     "author": {
+>       "data": {
+>         "type": "users",
+>         "id": "user-2"
+>       }
+>     }
+>   }
+> }
+> ```
+
+#### Always calls
+
+* `ArticlePolicy.new(current_user, article_1).update?`
+
+#### Custom relationship authorization method
+
+* `ArticlePolicy.new(current_user, article_1).replace_author?(user_2)`
+
+#### Fallback
+
+* `ArticlePolicy.new(current_user, article_1).update?`
+* `UserPolicy.new(current_user, user_2).update?`
+
+**Note:** Currently JA does not fallback to authorizing `UserPolicy#update?` on `user_1` that is about to be dissociated. This will likely be changed in the future.
+
+<a name="change-and-remove-has-one-resource-op"></a>
+
+[back to top ↑](#doc-top)
+
+### `PATCH /articles/article-1/` with null `author` relationship
+
+_Changing resource and removing a `has-one` relationship_
+
+Setup:
+
+```rb
+user_1 = User.create(id: 'user-1')
+article_1 = Article.create(id: 'article-1', author: user_1)
+```
+
+> `PATCH /articles/article-1`
+>
+> ```json
+> {
+>   "type": "articles",
+>   "id": "article-1",
+>   "relationships": {
+>     "author": {
+>       "data": null
+>     }
+>   }
+> }
+> ```
+
+#### Always calls
+
+* `ArticlePolicy.new(current_user, article_1).update?`
+
+#### Custom relationship authorization method
+
+* `ArticlePolicy.new(current_user, article_1).remove_author?`
+
+#### Fallback
+
+* `ArticlePolicy.new(current_user, article_1).update?`
+
+**Note:** Currently JA does not fallback to authorizing `UserPolicy#update?` on `user_1` that is about to be dissociated. This will likely be changed in the future.
+
+<a name="create-has-one-resource-op"></a>
+
+[back to top ↑](#doc-top)
+
+### `POST /articles` with an `author` relationship
+
+_Creating a resource with a `has-one` relationship_
+
+Setup:
+
+```rb
+user_1 = User.create(id: 'user-1')
+```
+
+> `POST /articles`
+>
+> ```json
+> {
+>   "type": "articles",
+>   "relationships": {
+>     "author": {
+>       "data": {
+>         "type": "users",
+>         "id": "user-1"
+>       }
+>     }
+>   }
+> }
+> ```
+
+#### Always calls
+
+* `ArticlePolicy.new(current_user, Article).create?`
+
+**Note:** The second parameter for the policy is the `Article` _class_, not the new record. This is because JA runs the authorization checks _before_ any changes are made, even changes to in-memory objects.
+
+#### Custom relationship authorization method
+
+* `ArticlePolicy.new(current_user, Article).create_with_author?(user_1)`
+
+#### Fallback
+
+* `UserPolicy.new(current_user, user_1).update?`
+
+
+<a name="example-setup-has-many"></a>
+
+[back to top ↑](#doc-top)
+
+## `has-many` relationships
+
+### Example setup for `has-many` examples
+
+The examples for `has-many` relationship authorization use these models and resources:
+
+```rb
+class Article < ActiveRecord::Base
+  has_many :comments
+end
+
+class ArticleResource < JSONAPI::Resource
+  include JSONAPI::Authorization::PunditScopedResource
+  # `acts_as_set` allows replacing all comments at once
+  has_many :comments, acts_as_set: true
+end
+```
+
+```rb
+class Comment < ActiveRecord::Base
+  belongs_to :article
+end
+
+class CommentResource < JSONAPI::Resource
+  include JSONAPI::Authorization::PunditScopedResource
+  has_one :article
+end
+```
+
+<a name="add-to-has-many-relationship-op"></a>
+
+[back to top ↑](#doc-top)
+
+### `POST /articles/article-1/relationships/comments`
+
+_Adding to a `has-many` relationship_
+
+Setup:
+
+```rb
+comment_1 = Comment.create(id: 'comment-1')
+article_1 = Article.create(id: 'article-1', comments: [comment_1])
+comment_2 = Comment.create(id: 'comment-2')
+comment_3 = Comment.create(id: 'comment-3')
+```
+
+> `POST /articles/article-1/relationships/comments`
+>
+> ```json
+> {
+>   "data": [
+>     { "type": "comments", "id": "comment-2" },
+>     { "type": "comments", "id": "comment-3" }
+>   ]
+> }
+> ```
+
+#### Custom relationship authorization method
+
+* `ArticlePolicy.new(current_user, article_1).add_to_comments?([comment_2, comment_3])`
+
+#### Fallback
+
+* `ArticlePolicy.new(current_user, article_1).update?`
+* `CommentPolicy.new(current_user, comment_2).update?`
+* `CommentPolicy.new(current_user, comment_3).update?`
+
+<a name="remove-from-has-many-relationship-op"></a>
+
+[back to top ↑](#doc-top)
+
+### `DELETE /articles/article-1/relationships/comments`
+
+_Removing from a `has-many` relationship_
+
+Setup:
+
+```rb
+comment_1 = Comment.create(id: 'comment-1')
+comment_2 = Comment.create(id: 'comment-2')
+comment_3 = Comment.create(id: 'comment-3')
+article_1 = Article.create(id: 'article-1', comments: [comment_1, comment_2, comment_3])
+```
+
+> `DELETE /articles/article-1/relationships/comments`
+>
+> ```json
+> {
+>   "data": [
+>     { "type": "comments", "id": "comment-1" },
+>     { "type": "comments", "id": "comment-2" }
+>   ]
+> }
+> ```
+
+#### Custom relationship authorization method
+
+* `ArticlePolicy.new(current_user, article_1).remove_from_comments?([comment_1, comment_2])`
+
+#### Fallback
+
+* `ArticlePolicy.new(current_user, article_1).update?`
+* `CommentPolicy.new(current_user, comment_1).update?`
+* `CommentPolicy.new(current_user, comment_2).update?`
+
+<a name="replace-has-many-relationship-op"></a>
+
+[back to top ↑](#doc-top)
+
+### `PATCH /articles/article-1/relationships/comments` with different `comments`
+
+_Replacing a `has-many` relationship_
+
+Setup:
+
+```rb
+comment_1 = Comment.create(id: 'comment-1')
+article_1 = Article.create(id: 'article-1', comments: [comment_1])
+comment_2 = Comment.create(id: 'comment-2')
+comment_3 = Comment.create(id: 'comment-3')
+```
+
+> `PATCH /articles/article-1/relationships/comments`
+>
+> ```json
+> {
+>   "data": [
+>     { "type": "comments", "id": "comment-2" },
+>     { "type": "comments", "id": "comment-3" }
+>   ]
+> }
+> ```
+
+#### Custom relationship authorization method
+
+* `ArticlePolicy.new(current_user, article_1).replace_comments?([comment_2, comment_3])`
+
+#### Fallback
+
+* `ArticlePolicy.new(current_user, article_1).update?`
+* `CommentPolicy.new(current_user, comment_2).update?`
+* `CommentPolicy.new(current_user, comment_3).update?`
+
+**Note:** Currently JA does not fallback to authorizing `CommentPolicy#update?` on `comment_1` that is about to be dissociated. This will likely be changed in the future.
+
+<a name="remove-has-many-relationship-op"></a>
+
+[back to top ↑](#doc-top)
+
+### `PATCH /articles/article-1/relationships/comments` with empty `comments`
+
+_Removing a `has-many` relationship_
+
+Setup:
+
+```rb
+comment_1 = Comment.create(id: 'comment-1')
+article_1 = Article.create(id: 'article-1', comments: [comment_1])
+```
+
+> `PATCH /articles/article-1/relationships/comments`
+>
+> ```json
+> {
+>   "data": []
+> }
+> ```
+
+#### Custom relationship authorization method
+
+* `ArticlePolicy.new(current_user, article_1).replace_comments?([])`
+
+**TODO:** We should probably call `remove_comments?` (with no arguments) instead. See https://github.com/venuu/jsonapi-authorization/issues/73 for more details and implementation progress.
+
+#### Fallback
+
+* `ArticlePolicy.new(current_user, article_1).update?`
+
+**Note:** Currently JA does not fallback to authorizing `CommentPolicy#update?` on `comment_1` that is about to be dissociated. This will likely be changed in the future.
+
+<a name="change-and-replace-has-many-resource-op"></a>
+
+[back to top ↑](#doc-top)
+
+### `PATCH /articles/article-1` with different `comments` relationship
+
+_Changing resource and replacing a `has-many` relationship_
+
+Setup:
+
+```rb
+comment_1 = Comment.create(id: 'comment-1')
+article_1 = Article.create(id: 'article-1', comments: [comment_1])
+comment_2 = Comment.create(id: 'comment-2')
+comment_3 = Comment.create(id: 'comment-3')
+```
+
+> `PATCH /articles/article-1`
+>
+> ```json
+> {
+>   "type": "articles",
+>   "id": "article-1",
+>   "relationships": {
+>     "comments": {
+>       "data": [
+>         { "type": "comments", "id": "comment-2" },
+>         { "type": "comments", "id": "comment-3" }
+>       ]
+>     }
+>   }
+> }
+> ```
+
+#### Always calls
+
+* `ArticlePolicy.new(current_user, article_1).update?`
+
+#### Custom relationship authorization method
+
+* `ArticlePolicy.new(current_user, article_1).replace_comments?([comment_2, comment_3])`
+
+#### Fallback
+
+* `ArticlePolicy.new(current_user, article_1).update?`
+* `CommentPolicy.new(current_user, comment_2).update?`
+* `CommentPolicy.new(current_user, comment_3).update?`
+
+**Note:** Currently JA does not fallback to authorizing `CommentPolicy#update?` on `comment_1` that is about to be dissociated. This will likely be changed in the future.
+
+<a name="change-and-remove-has-many-resource-op"></a>
+
+[back to top ↑](#doc-top)
+
+### `PATCH /articles/article-1` with empty `comments` relationship
+
+_Changing resource and removing a `has-many` relationship_
+
+Setup:
+
+```rb
+comment_1 = Comment.create(id: 'comment-1')
+article_1 = Article.create(id: 'article-1', comments: [comment_1])
+```
+
+> `PATCH /articles/article-1`
+>
+> ```json
+> {
+>   "type": "articles",
+>   "id": "article-1",
+>   "relationships": {
+>     "comments": {
+>       "data": []
+>     }
+>   }
+> }
+> ```
+
+#### Always calls
+
+* `ArticlePolicy.new(current_user, article_1).update?`
+
+#### Custom relationship authorization method
+
+* `ArticlePolicy.new(current_user, article_1).replace_comments?([])`
+
+**TODO:** We should probably call `remove_comments?` (with no arguments) instead. See https://github.com/venuu/jsonapi-authorization/issues/73 for more details and implementation progress.
+
+#### Fallback
+
+* `ArticlePolicy.new(current_user, article_1).update?`
+
+**Note:** Currently JA does not fallback to authorizing `CommentPolicy#update?` on `comment_1` that is about to be dissociated. This will likely be changed in the future.
+
+<a name="create-has-many-resource-op"></a>
+
+[back to top ↑](#doc-top)
+
+### `POST /articles` with a `comments` relationship
+
+_Creating a resource with a `has-many` relationship_
+
+Setup:
+
+```rb
+comment_1 = Comment.create(id: 'comment-1')
+comment_2 = Comment.create(id: 'comment-2')
+```
+
+> `POST /articles`
+>
+> ```json
+> {
+>   "type": "articles",
+>   "relationships": {
+>     "comments": {
+>       "data": [
+>         { "type": "comments", "id": "comment-1" },
+>         { "type": "comments", "id": "comment-2" }
+>       ]
+>     }
+>   }
+> }
+> ```
+
+#### Always calls
+
+* `ArticlePolicy.new(current_user, Article).create?`
+
+**Note:** The second parameter for the policy is the `Article` _class_, not the new record. This is because JA runs the authorization checks _before_ any changes are made, even changes to in-memory objects.
+
+#### Custom relationship authorization method
+
+* `ArticlePolicy.new(current_user, Article).create_with_comments?([comment_1, comment_2])`
+
+#### Fallback
+
+* `CommentPolicy.new(current_user, comment_1).update?`
+* `CommentPolicy.new(current_user, comment_2).update?`
+
+[back to top ↑](#doc-top)