RubyGems - model-api - Versions diffs - 0.8.5 → 0.8.6 - Mend

model-api 0.8.5 → 0.8.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/README.md +48 -8
data/lib/model-api.rb +2 -2
data/lib/model-api/base_controller.rb +170 -492
data/lib/model-api/utils.rb +425 -23
data/model-api.gemspec +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3ad27c0bbc9961da1c6b1aa4715e05f3f6af9297
-  data.tar.gz: a81ac47433b86382e72f21ae7e12113dabc3fcd5
+  metadata.gz: 95ae1633c2baa4a79b179c84be9ddd6d7b88a90b
+  data.tar.gz: d0c704c3b3da52e804d882b6f2f058990c52204a
 SHA512:
-  metadata.gz: 4b99fcc0cffd7e8d24210afab23dea9b8cec64bef71afea263738ca6e4b4169232b7792fa5f2fd33471d610cc4d406f6499724ba06e88f8aacf337e671b98dee
-  data.tar.gz: 823d85c47661c643d443f8bef2403ce22ee3f20f2a53ce6fbfe45630271a0005d76a411569573bf10d3b9dcf655d02a45d2a86b02eda11a0406f8a086ed31871
+  metadata.gz: a15c1b6b310de1fe521ed6b5ed6de3d1f3ad978b64235ed558169b28ebd206e560f85dbdd4be445936c2d4a2e17820e983deb46d46617124888ab571411745ca
+  data.tar.gz: 495bd7405fdcc08ebb437e25a19e086317744eede270a862523374add229269089a620839602bd46eec959141e58c21d17d9ec35ae9573df142f927c31571a5e

data/README.md CHANGED Viewed

@@ -17,6 +17,13 @@ Developing REST API's in a conventional manner involves many challenges.  Betwee
     sync with what your API actually supports.
   * Reduce the lines of code required to implement your Rails-based Rest API dramatically.
+## Guides
+This README file is intended to provide a brief introduction.  For more detailed information,
+the following guides are available:
+* [Guide to `api_metadata` options](doc/api_metadata.md)
+* [Guide to `model_metadata` options](doc/api_metadata.md)
+* [Managing data access in `model-api`](doc/api_metadata.md)
 ## Installation
 Put this in your Gemfile:
@@ -62,18 +69,42 @@ end
 ## Exposing a Resource
-To expose a resource, start by adding the resource routes to your `routes.rb` file:
+To expose a resource, start by defining the underlying model for that resource:
 ``` ruby
-  namespace :api do
-    namespace :v1 do
-      resource :books, except: [:new, :edit], param: :book_id
-    end
-  end
-```
+class Book < ActiveRecord::Base
+  include ModelApi::Model
+  # Valication rules are utilized by model-api to validate requests
+  validates :name, presence: true, uniqueness: true, length: { maximum: 50 }
+  validates :description, length: { maximum: 250 }
+  validates :isbn, presence: true, uniqueness: true, length: { maximum: 13 }
+  # Define the attributes exposed via the REST API.
+  api_attributes \
+      id: { filter: true, sort: true },
+      name: { filter: true, sort: true },
+      description: {},
+      isbn: { filter: true, sort: true,
+          parse: ->(v) { v.to_s.gsub(%r{[^\d]+}, '') },
+          render: ->(v) { "#{v[0..2]}-#{v[3]}-#{v[4..5]}-#{v[6..11]}-#{v[12..-1]}" }
+      },
+      created_at: { read_only: true, filter: true },
+      updated_at: { read_only: true, filter: true }
+end
+```
+An explanation of the options used in the `api_attributes` example above:
+* `filter` - Allow filtering by query string parameters (e.g. `?id=123`).
+* `sort` - Allow use of this column in the sort_by parameter.
+* `read_only` - Disallow column updates (via `POST`, `PUT`, or `PATCH`).
+* `parse` - Method name (e.g. `:to_i`) or proc / lambda for pre-processing incoming payload values.
+  *(The example lambda removes any non-digit values (such as dashes) from supplied ISBN values.)*
+* `render` - Method name or proc / lambda that formats values returned in response payloads.
+  *(The example lambda formats the 13-digit ISBN number using the typical dash convention.)*
 Next, define the base controller class that all of your API controllers will extend
 (for this example, in `app/controllers/api/v1/base_controller.rb`):
-``` ruby
+```ruby
   module Api
     module V1
       class BaseController < ActionController::Base
@@ -117,6 +148,15 @@ Next, define the base controller class that all of your API controllers will ext
   end
 ```
+Add the resource routes to your `routes.rb` file:
+```ruby
+  namespace :api do
+    namespace :v1 do
+      resource :books, except: [:new, :edit], param: :book_id
+    end
+  end
+```
 Finally, add a controller for your new resource (for this example, in
 `app/controllers/api/v1/base_controller.rb`):
 ```ruby

data/lib/model-api.rb CHANGED Viewed

@@ -25,11 +25,11 @@ module ModelApi
       end
       @model_api_global_metadata = global_metadata
     end
     def global_metadata
       @model_api_global_metadata || default_global_metadata
     end
     def default_global_metadata
       {
       }

data/lib/model-api/base_controller.rb CHANGED Viewed

@@ -4,11 +4,11 @@ module ModelApi
       def model_class
         nil
       end
       def base_api_options
         {}
       end
       def base_admin_api_options
         base_api_options.merge(admin_only: true)
       end
@@ -17,54 +17,55 @@ module ModelApi
     class << self
       def included(base)
         base.extend(ClassMethods)
         base.send(:include, InstanceMethods)
         base.send(:before_filter, :common_headers)
         base.send(:rescue_from, Exception, with: :unhandled_exception)
         base.send(:respond_to, :json, :xml)
       end
     end
     module InstanceMethods
       SIMPLE_ID_REGEX = /\A[0-9]+\Z/
       UUID_REGEX = /\A[0-9A-Za-z]{8}-?[0-9A-Za-z]{4}-?[0-9A-Za-z]{4}-?[0-9A-Za-z]{4}-?[0-9A-Za-z]\
           {12}\Z/x
       DEFAULT_PAGE_SIZE = 100
       protected
       def model_class
         self.class.model_class
       end
       def render_collection(collection, opts = {})
         return unless ensure_admin_if_admin_only(opts)
         opts = prepare_options(opts)
         opts[:operation] ||= :index
         return unless validate_read_operation(collection, opts[:operation], opts)
         coll_route = opts[:collection_route] || self
         collection_links = { self: coll_route }
-        collection = process_collection_includes(collection, opts)
+        collection = ModelApi::Utils.process_collection_includes(collection,
+            opts.merge(model_metadata: opts[:api_model_metadata] || opts[:model_metadata]))
         collection, _result_filters = filter_collection(collection, find_filter_params, opts)
         collection, _result_sorts = sort_collection(collection, find_sort_params, opts)
         collection, collection_links, opts = paginate_collection(collection,
             collection_links, opts, coll_route)
         opts[:collection_links] = collection_links.merge(opts[:collection_links] || {})
             .reverse_merge(common_response_links(opts))
         add_collection_object_route(opts)
         ModelApi::Renderer.render(self, collection, opts)
       end
       def render_object(obj, opts = {})
         return unless ensure_admin_if_admin_only(opts)
         opts = prepare_options(opts)
-        klass = Utils.find_class(obj, opts)
+        klass = ModelApi::Utils.find_class(obj, opts)
         object_route = opts[:object_route] || self
         opts[:object_links] = { self: object_route }
         if obj.is_a?(ActiveRecord::Base)
           return unless validate_read_operation(obj, opts[:operation], opts)
@@ -77,12 +78,12 @@ module ModelApi
           obj = ModelApi::Utils.ext_value(obj, opts) unless opts[:raw_output]
           opts[:object_links].merge!(opts[:links] || {})
         end
         opts[:operation] ||= :show
         opts[:object_links].reverse_merge!(common_response_links(opts))
         ModelApi::Renderer.render(self, obj, opts)
       end
       def do_create(opts = {})
         klass = opts[:model_class] || model_class
         return unless ensure_admin_if_admin_only(opts)
@@ -93,82 +94,97 @@ module ModelApi
         return bad_payload(class: klass) if opts[:bad_payload]
         create_and_render_object(obj, opts)
       end
       def prepare_object_for_create(klass, opts = {})
         opts = prepare_options(opts)
         get_updated_object(klass, get_operation(:create, opts), opts)
       end
       def create_and_render_object(obj, opts = {})
         opts = prepare_options(opts)
         object_link_options = opts[:object_link_options]
         object_link_options[:action] = :show
         save_and_render_object(obj, get_operation(:create, opts), opts.merge(location_header: true))
       end
       def do_update(obj, opts = {})
         return unless ensure_admin_if_admin_only(opts)
         obj, opts = prepare_object_for_update(obj, opts)
         return bad_payload(class: klass) if opts[:bad_payload]
         unless obj.present?
-          return not_found(opts.merge(class: Utils.find_class(obj, opts), field: :id))
+          return not_found(opts.merge(class: ModelApi::Utils.find_class(obj, opts), field: :id))
         end
         update_and_render_object(obj, opts)
       end
       def prepare_object_for_update(obj, opts = {})
         opts = prepare_options(opts)
         get_updated_object(obj, get_operation(:update, opts), opts)
       end
       def update_and_render_object(obj, opts = {})
         opts = prepare_options(opts)
         save_and_render_object(obj, get_operation(:update, opts), opts)
       end
       def save_and_render_object(obj, operation, opts = {})
+        opts = prepare_options(opts)
         status, msgs = Utils.process_updated_model_save(obj, operation, opts)
         add_hateoas_links_for_updated_object(operation, opts)
         successful = ModelApi::Utils.response_successful?(status)
         ModelApi::Renderer.render(self, successful ? obj : opts[:request_obj],
             opts.merge(status: status, operation: :show, messages: msgs))
       end
       def do_destroy(obj, opts = {})
         return unless ensure_admin_if_admin_only(opts)
         opts = prepare_options(opts)
         obj = obj.first if obj.is_a?(ActiveRecord::Relation)
         add_hateoas_links_for_update(opts)
         unless obj.present?
           return not_found(opts.merge(class: klass, field: :id))
         end
         operation = opts[:operation] = get_operation(:destroy, opts)
-        Utils.validate_operation(obj, operation, opts)
+        ModelApi::Utils.validate_operation(obj, operation,
+            opts.merge(model_metadata: opts[:api_model_metadata] || opts[:model_metadata]))
         response_status, errs_or_msgs = Utils.process_object_destroy(obj, operation, opts)
         add_hateoas_links_for_updated_object(operation, opts)
-        klass = Utils.find_class(obj, opts)
+        klass = ModelApi::Utils.find_class(obj, opts)
         ModelApi::Renderer.render(self, obj, opts.merge(status: response_status,
             root: ModelApi::Utils.model_name(klass).singular, messages: errs_or_msgs))
       end
       def common_response_links(_opts = {})
         {}
       end
-      def prepare_options(opts)
+      def initialize_options(opts)
+        return opts if opts[:options_initialized]
         opts = opts.symbolize_keys
-        opts[:user] = user = filter_by_user
-        opts[:user_id] = user.try(:id)
-        opts[:admin] = user.try(:admin_api_user?) ? true : false
-        opts[:admin_content] = admin_content?
-        opts[:collection_link_options] = opts[:object_link_options] =
-            request.query_parameters.to_h.symbolize_keys
+        opts[:model_class] ||= model_class
+        opts[:user] ||= filter_by_user
+        opts[:user_id] ||= opts[:user].try(:id)
+        opts[:admin_user] ||= admin_user?(opts)
+        opts[:admin] ||= admin?(opts)
+        unless opts.include?(:collection_link_options) && opts.include?(:object_link_options)
+          default_link_options = request.params.to_h.symbolize_keys
+          opts[:collection_link_options] ||= default_link_options
+          opts[:object_link_options] ||= default_link_options
+        end
+        opts[:options_initialized] ||= true
         opts
       end
+      # Default implementation, can be hidden by API controller classes to include any
+      # application-specific options
+      def prepare_options(opts)
+        return opts if opts[:options_initialized]
+        initialize_options(opts)
+      end
       def id_info(opts = {})
         id_info = {}
         id_info[:id_attribute] = (opts[:id_attribute] || :id).to_sym
@@ -176,13 +192,15 @@ module ModelApi
         id_info[:id_value] = (opts[:id_value] || params[id_info[:id_param]]).to_s
         id_info
       end
       def api_query(opts = {})
+        opts = prepare_options(opts)
         klass = opts[:model_class] || model_class
+        model_metadata = opts[:model_metadata] || ModelApi::Utils.model_metadata(klass)
         unless klass < ActiveRecord::Base
           fail 'Expected model class to be an ActiveRecord::Base subclass'
         end
-        query = klass.all
+        query = ModelApi::Utils.invoke_callback(model_metadata[:base_query], opts) || klass.all
         if (deleted_col = klass.columns_hash['deleted']).present?
           case deleted_col.type
           when :boolean
@@ -193,13 +211,13 @@ module ModelApi
         end
         Utils.apply_context(query, opts)
       end
       def common_object_query(opts = {})
         klass = opts[:model_class] || model_class
         coll_query = Utils.apply_context(api_query(opts), opts)
         id_info = opts[:id_info] || id_info(opts)
         query = coll_query.where(id_info[:id_attribute] => id_info[:id_value])
-        if !admin_access?
+        if !admin_user?
           unless opts.include?(:user_filter) && !opts[:user_filter]
             query = user_query(query, opts.merge(model_class: klass))
           end
@@ -217,25 +235,25 @@ module ModelApi
         end
         query
       end
       def collection_query(opts = {})
         opts = base_api_options.merge(opts)
         klass = opts[:model_class] || model_class
         query = api_query(opts)
         unless (opts.include?(:user_filter) && !opts[:user_filter]) ||
-            (admin_access? && (admin_content? || filtered_by_foreign_key?(query)))
+            (admin? || filtered_by_foreign_key?(query))
           query = user_query(query, opts.merge(model_class: klass))
         end
         query
       end
       def object_query(opts = {})
         common_object_query(base_api_options.merge(opts))
       end
       def user_query(query, opts = {})
         user = opts[:user] || filter_by_user
-        klass = opts[:model_class] || model_class
+        klass = opts[:model_class] || query.klass
         user_id_col = opts[:user_id_column] || :user_id
         user_assoc = opts[:user_association] || :user
         user_id = user.try(opts[:user_id_attribute] || :id)
@@ -251,24 +269,23 @@ module ModelApi
         end
         query
       end
       def base_api_options
         self.class.base_api_options
       end
       def base_admin_api_options
-        base_api_options.merge(admin_only: true)
+        base_api_options.merge(admin: true, admin_only: true)
       end
       def ensure_admin
-        user = current_user
-        return true if user.respond_to?(:admin_api_user?) && user.admin_api_user?
+        return true if admin_user?
         # Mask presence of endpoint if user is not authorized to access it
         not_found
         false
       end
       def unhandled_exception(err)
         return if handle_api_exceptions(err)
         return if performed?
@@ -283,7 +300,7 @@ module ModelApi
         ModelApi::Renderer.render(self, error_details, root: :error_details,
             status: :internal_server_error)
       end
       def handle_api_exceptions(err)
         if err.is_a?(ModelApi::NotFoundException)
           not_found(field: err.field, message: err.message)
@@ -294,23 +311,38 @@ module ModelApi
         end
         true
       end
       def doorkeeper_unauthorized_render_options(error: nil)
         { json: unauthorized(error: 'Not authorized to access resource', message: error.description,
             format: :json, generate_body_only: true) }
       end
       # Indicates whether user has access to data they do not own.
-      def admin_access?
-        false
+      def admin_user?(opts = {})
+        return opts[:admin_user] if opts.include?(:admin_user)
+        user = current_user
+        return nil if user.nil?
+        [:admin_api_user?, :admin_user?, :admin?].each do |method|
+          next unless user.respond_to?(method)
+          opts[:admin_user] = user.send(method) rescue next
+          break
+        end
+        opts[:admin_user] ||= false
       end
       # Indicates whether API should render administrator-only content in API responses
-      def admin_content?
-        param = request.query_parameters[:admin]
-        param.present? && param.to_i != 0 && admin_access?
+      def admin?(opts = {})
+        return opts[:admin] if opts.include?(:admin)
+        param = request.params[:admin]
+        param.present? && admin_user?(opts) &&
+            (param.to_i != 0 && params.to_s.strip.downcase != 'false')
+      end
+      # Deprecated
+      def admin_content?(opts = {})
+        admin?(opts)
       end
       def resource_parent_id(parent_model_class, opts = {})
         id_info = id_info(opts.reverse_merge(id_param: "#{parent_model_class.name.underscore}_id"))
         model_name = parent_model_class.model_name.human
@@ -331,7 +363,7 @@ module ModelApi
         end
         parent_id
       end
       def simple_error(status, error, opts = {})
         opts = opts.dup
         klass = opts[:class]
@@ -355,14 +387,14 @@ module ModelApi
         ModelApi::Renderer.render(self, opts[:request_obj], opts.merge(status: status,
             messages: errs_or_msgs))
       end
       def not_found(opts = {})
         opts = opts.dup
         opts[:message] ||= 'No resource found at the path provided or matching the criteria ' \
             'specified'
         simple_error(:not_found, opts.delete(:error) || 'No resource found', opts)
       end
       def bad_payload(opts = {})
         opts = opts.dup
         format = opts[:format] || identify_format
@@ -371,26 +403,28 @@ module ModelApi
         simple_error(:bad_request, opts.delete(:error) || 'Missing/invalid request body (payload)',
             opts)
       end
       def bad_request(error, message, opts = {})
         opts[:message] = message || 'This request is invalid for the resource in its present state'
         simple_error(:bad_request, error || 'Invalid API request', opts)
       end
       def unauthorized(opts = {})
         opts = opts.dup
         opts[:message] ||= 'Missing one or more privileges required to complete request'
         simple_error(:unauthorized, opts.delete(:error) || 'Not authorized', opts)
       end
       def not_implemented(opts = {})
         opts = opts.dup
         opts[:message] ||= 'This API feature is presently unavailable'
         simple_error(:not_implemented, opts.delete(:error) || 'Not implemented', opts)
       end
       def validate_read_operation(obj, operation, opts = {})
-        status, errors = Utils.validate_operation(obj, operation, opts)
+        opts = prepare_options(opts)
+        status, errors = ModelApi::Utils.validate_operation(obj, operation,
+            opts.merge(model_metadata: opts[:api_model_metadata] || opts[:model_metadata]))
         return true if status.nil? && errors.nil?
         if errors.nil? && (status.is_a?(Array) || status.present?)
           return true if (errors = status).blank?
@@ -405,27 +439,27 @@ module ModelApi
       def filter_by_user
         current_user
       end
       def current_user
         nil
       end
       def common_headers
         ModelApi::Utils.common_http_headers.each do |k, v|
           response.headers[k] = v
         end
       end
       def identify_format
         format = self.request.format.symbol rescue :json
         format == :xml ? :xml : :json
       end
       def ensure_admin_if_admin_only(opts = {})
         return true unless opts[:admin_only]
         ensure_admin
       end
       def get_operation(default_operation, opts = {})
         if opts.key?(:operation)
           return opts[:operation]
@@ -441,9 +475,9 @@ module ModelApi
           return default_operation
         end
       end
       def get_updated_object(obj_or_class, operation, opts = {})
-        opts = opts.symbolize_keys
+        opts = prepare_options(opts.symbolize_keys)
         opts[:operation] = operation
         req_body, format = ModelApi::Utils.parse_request_body(request)
         if obj_or_class.is_a?(Class)
@@ -465,20 +499,17 @@ module ModelApi
         verify_update_request_body(req_body, format, opts)
         root_elem = opts[:root] = ModelApi::Utils.model_name(klass).singular
         request_obj = opts[:request_obj] = Utils.object_from_req_body(root_elem, req_body, format)
-        Utils.apply_updates(obj, request_obj, operation, opts)
-        opts.freeze
+        ModelApi::Utils.apply_updates(obj, request_obj, operation, opts)
         ModelApi::Utils.invoke_callback(model_metadata[:after_initialize], obj, opts)
         [obj, opts]
       end
       private
       def find_filter_params
-        request.query_parameters.reject do |param, _value|
-          %w(access_token sort_by admin).include?(param)
-        end
+        request.params.reject { |p, _v| %w(access_token sort_by admin).include?(p) }
       end
       def find_sort_params
         sort_by = params[:sort_by]
         return {} if sort_by.blank?
@@ -489,7 +520,7 @@ module ModelApi
           process_simple_sort_params(sort_by)
         end
       end
       def process_json_sort_params(sort_by)
         sort_params = {}
         sort_json_obj = (JSON.parse(sort_by) rescue {})
@@ -508,7 +539,7 @@ module ModelApi
         end
         sort_params
       end
       def process_simple_sort_params(sort_by)
         sort_params = {}
         sort_by.split(',').each do |key|
@@ -540,26 +571,10 @@ module ModelApi
         end
         sort_params
       end
-      def process_collection_includes(collection, opts = {})
-        klass = Utils.find_class(collection, opts)
-        metadata = ModelApi::Utils.filtered_ext_attrs(klass, opts[:operation] || :index, opts)
-        model_metadata = opts[:api_model_metadata] || ModelApi::Utils.model_metadata(klass)
-        includes = []
-        if (metadata_includes = model_metadata[:collection_includes]).is_a?(Array)
-          includes += metadata_includes.map(&:to_sym)
-        end
-        metadata.each do |_attr, attr_metadata|
-          includes << attr_metadata[:key] if attr_metadata[:type] == :association
-        end
-        includes = includes.compact.uniq
-        collection = collection.includes(includes) if includes.present?
-        collection
-      end
       def filter_collection(collection, filter_params, opts = {})
         return [collection, {}] if filter_params.blank? # Don't filter if no filter params
-        klass = opts[:class] || Utils.find_class(collection, opts)
+        klass = opts[:class] || ModelApi::Utils.find_class(collection, opts)
         assoc_values, metadata, attr_values = process_filter_params(filter_params, klass, opts)
         result_filters = {}
         metadata.values.each do |attr_metadata|
@@ -576,7 +591,7 @@ module ModelApi
         end
         [collection, result_filters]
       end
       def process_filter_params(filter_params, klass, opts = {})
         assoc_values = {}
         filter_metadata = {}
@@ -596,7 +611,7 @@ module ModelApi
         end
         [assoc_values, filter_metadata, attr_values]
       end
       # rubocop:disable Metrics/ParameterLists
       def process_filter_assoc_param(attr, metadata, assoc_values, value, opts)
         attr_elems = attr.split('.')
@@ -608,7 +623,7 @@ module ModelApi
         assoc_filter_params = (assoc_values[key] ||= {})
         assoc_filter_params[attr_elems[1..-1].join('.')] = value
       end
       def process_filter_attr_param(attr, metadata, filter_metadata, attr_values, value, opts)
         attr = attr.strip.to_sym
         attr_metadata = metadata[attr] ||
@@ -618,13 +633,13 @@ module ModelApi
         filter_metadata[key] = attr_metadata
         attr_values[key] = value
       end
       # rubocop:enable Metrics/ParameterLists
       def apply_filter_param(attr_metadata, collection, opts = {})
         raw_value = (opts[:attr_values] || params)[attr_metadata[:key]]
         filter_table = opts[:filter_table]
-        klass = opts[:class] || Utils.find_class(collection, opts)
+        klass = opts[:class] || ModelApi::Utils.find_class(collection, opts)
         if raw_value.is_a?(Hash) && raw_value.include?('0')
           operator_value_pairs = filter_process_param_array(params_array(raw_value), attr_metadata,
               opts)
@@ -653,10 +668,10 @@ module ModelApi
         end
         collection
       end
       def sort_collection(collection, sort_params, opts = {})
         return [collection, {}] if sort_params.blank? # Don't filter if no filter params
-        klass = opts[:class] || Utils.find_class(collection, opts)
+        klass = opts[:class] || ModelApi::Utils.find_class(collection, opts)
         assoc_sorts, attr_sorts, result_sorts = process_sort_params(sort_params, klass,
             opts.merge(result_sorts: result_sorts))
         sort_table = opts[:sort_table]
@@ -679,7 +694,7 @@ module ModelApi
         end
         [collection, result_sorts]
       end
       def process_sort_params(sort_params, klass, opts)
         metadata = ModelApi::Utils.filtered_ext_attrs(klass, :sort, opts)
         assoc_sorts = {}
@@ -707,7 +722,7 @@ module ModelApi
         end
         [assoc_sorts, attr_sorts, result_sorts]
       end
       # Intentionally disabling parameter list length check for private / internal method
       # rubocop:disable Metrics/ParameterLists
       def process_sort_param_assoc(attr, metadata, sort_order, assoc_sorts, opts)
@@ -719,9 +734,9 @@ module ModelApi
         assoc_sort_params = (assoc_sorts[key] ||= {})
         assoc_sort_params[attr_elems[1..-1].join('.')] = sort_order
       end
       # rubocop:enable Metrics/ParameterLists
       def filter_process_param(raw_value, attr_metadata, opts)
         raw_value = raw_value.to_s.strip
         array = nil
@@ -741,7 +756,7 @@ module ModelApi
         operator, value = parse_filter_operator(raw_value)
         [[operator, ModelApi::Utils.transform_value(value, attr_metadata[:parse], opts)]]
       end
       def filter_process_param_array(array, attr_metadata, opts)
         operator_value_pairs = []
         equals_values = []
@@ -757,7 +772,7 @@ module ModelApi
         operator_value_pairs << ['=', equals_values.uniq] if equals_values.present?
         operator_value_pairs
       end
       def parse_filter_operator(value)
         value = value.to_s.strip
         if (operator = value.scan(/\A(>=|<=|!=|<>)[[:space:]]*\w/).flatten.first).present?
@@ -767,7 +782,7 @@ module ModelApi
         end
         ['=', value]
       end
       def format_value_for_query(column, value, klass)
         return value.map { |v| format_value_for_query(column, v, klass) } if value.is_a?(Array)
         column_metadata = klass.columns_hash[column.to_s]
@@ -788,7 +803,7 @@ module ModelApi
         end
         value.to_s
       end
       def params_array(raw_value)
         index = 0
         array = []
@@ -798,7 +813,7 @@ module ModelApi
         end
         array
       end
       def paginate_collection(collection, collection_links, opts, coll_route)
         collection_size = collection.count
         page_size = (params[:page_size] || DEFAULT_PAGE_SIZE).to_i
@@ -806,29 +821,29 @@ module ModelApi
         page_count = [(collection_size + page_size - 1) / page_size, 1].max
         page = page_count if page > page_count
         offset = (page - 1) * page_size
         opts = opts.dup
         opts[:count] ||= collection_size
         opts[:page] ||= page
         opts[:page_size] ||= page_size
         opts[:page_count] ||= page_count
         response.headers['X-Total-Count'] = collection_size.to_s
         opts[:collection_link_options] = (opts[:collection_link_options] || {})
             .reject { |k, _v| [:page].include?(k.to_sym) }
         opts[:object_link_options] = (opts[:object_link_options] || {})
             .reject { |k, _v| [:page, :page_size].include?(k.to_sym) }
         if collection_size > page_size
           opts[:collection_link_options][:page] = page
           Utils.add_pagination_links(collection_links, coll_route, page, page_count)
           collection = collection.limit(page_size).offset(offset)
         end
         [collection, collection_links, opts]
       end
       def resolve_key_to_column(klass, attr_metadata)
         return nil unless klass.respond_to?(:columns_hash)
         columns_hash = klass.columns_hash
@@ -839,7 +854,7 @@ module ModelApi
         return nil unless render_method.is_a?(String)
         columns_hash.include?(render_method) ? render_method : nil
       end
       def add_collection_object_route(opts)
         object_route = opts[:object_route]
         unless object_route.present?
@@ -857,31 +872,31 @@ module ModelApi
         return if object_route.blank?
         opts[:object_links] = (opts[:object_links] || {}).merge(self: object_route)
       end
       def add_hateoas_links_for_update(opts)
         object_route = opts[:object_route] || self
         links = { self: object_route }.reverse_merge(common_response_links(opts))
         opts[:links] = links.merge(opts[:links] || {})
       end
       def add_hateoas_links_for_updated_object(_operation, opts)
         object_route = opts[:object_route] || self
         object_links = { self: object_route }
         opts[:object_links] = object_links.merge(opts[:object_links] || {})
       end
       def verify_update_request_body(request_body, format, opts = {})
         if request.format.symbol.nil? && format.present?
           opts[:format] ||= format
         end
         if request_body.is_a?(Array)
           fail 'Expected object, but collection provided'
         elsif !request_body.is_a?(Hash)
           fail 'Expected object'
         end
       end
       def filtered_by_foreign_key?(query)
         fk_cache = self.class.instance_variable_get(:@foreign_key_cache)
         self.class.instance_variable_set(:@foreign_key_cache, fk_cache = {}) if fk_cache.nil?
@@ -898,14 +913,9 @@ module ModelApi
             "#{e.backtrace.join("\n")}"
       end
     end
     class Utils
       class << self
-        def find_class(obj, opts = {})
-          return nil if obj.nil?
-          opts[:class] || (obj.respond_to?(:klass) ? obj.klass : obj.class)
-        end
         def add_pagination_links(collection_links, coll_route, page, last_page)
           if page < last_page
             collection_links[:next] = [coll_route, { page: (page + 1) }]
@@ -914,7 +924,7 @@ module ModelApi
           collection_links[:first] = [coll_route, { page: 1 }]
           collection_links[:last] = [coll_route, { page: last_page }]
         end
         def object_from_req_body(root_elem, req_body, format)
           if format == :json
             request_obj = req_body
@@ -930,67 +940,21 @@ module ModelApi
           fail 'Invalid request format' unless request_obj.present?
           request_obj
         end
-        def apply_updates(obj, req_obj, operation, opts = {})
-          opts = opts.merge(object: opts[:object] || obj)
-          metadata = ModelApi::Utils.filtered_ext_attrs(opts[:api_attr_metadata] ||
-              ModelApi::Utils.filtered_attrs(obj, operation, opts), operation, opts)
-          set_context_attrs(obj, opts)
-          req_obj.each do |attr, value|
-            attr = attr.to_sym
-            attr_metadata = metadata[attr]
-            unless attr_metadata.present?
-              add_ignored_field(opts[:ignored_fields], attr, value, attr_metadata)
-              next
-            end
-            update_api_attr(obj, attr, value, opts.merge(attr_metadata: attr_metadata))
-          end
-        end
-        def set_context_attrs(obj, opts = {})
-          klass = (obj.class < ActiveRecord::Base ? obj.class : nil)
-          (opts[:context] || {}).each do |key, value|
-            begin
-              setter = "#{key}="
-              next unless obj.respond_to?(setter)
-              if (column = klass.try(:columns_hash).try(:[], key.to_s)).present?
-                case column.type
-                when :integer, :primary_key then
-                  obj.send("#{key}=", value.to_i)
-                when :decimal, :float then
-                  obj.send("#{key}=", value.to_f)
-                else
-                  obj.send(setter, value.to_s)
-                end
-              else
-                obj.send(setter, value.to_s)
-              end
-            rescue Exception => e
-              Rails.logger.warn "Error encountered assigning context parameter #{key} to " \
-              "'#{value}' (skipping): \"#{e.message}\")."
-            end
-          end
-        end
         def process_updated_model_save(obj, operation, opts = {})
           opts = opts.dup
           opts[:operation] = operation
-          metadata = opts.delete(:api_attr_metadata) ||
-              ModelApi::Utils.filtered_attrs(obj, operation, opts)
-          model_metadata = opts.delete(:api_model_metadata) ||
-              ModelApi::Utils.model_metadata(obj.class)
-          ModelApi::Utils.invoke_callback(model_metadata[:before_validate], obj, opts.dup)
-          validate_operation(obj, operation, opts)
-          validate_preserving_existing_errors(obj)
-          ModelApi::Utils.invoke_callback(model_metadata[:before_save], obj, opts.dup)
-          obj.instance_variable_set(:@readonly, false) if obj.instance_variable_get(:@readonly)
-          successful = obj.save unless obj.errors.present?
+          successful = ModelApi::Utils.save_obj(obj,
+              opts.merge(model_metadata: opts[:api_model_metadata]))
           if successful
             suggested_response_status = :ok
             object_errors = []
           else
             suggested_response_status = :bad_request
-            object_errors = extract_msgs_for_error(obj, opts.merge(api_attr_metadata: metadata))
+            attr_metadata = opts.delete(:api_attr_metadata) ||
+                ModelApi::Utils.filtered_attrs(obj, operation, opts)
+            object_errors = ModelApi::Utils.extract_error_msgs(obj,
+                opts.merge(api_attr_metadata: attr_metadata))
             unless object_errors.present?
               object_errors << {
                   error: 'Unspecified error',
@@ -1001,87 +965,15 @@ module ModelApi
           end
           [suggested_response_status, object_errors]
         end
-        def extract_msgs_for_error(obj, opts = {})
-          object_errors = []
-          attr_prefix = opts[:attr_prefix] || ''
-          api_metadata = opts[:api_attr_metadata] || ModelApi::Utils.api_attrs(obj.class)
-          obj.errors.each do |attr, attr_errors|
-            attr_errors = [attr_errors] unless attr_errors.is_a?(Array)
-            attr_errors.each do |error|
-              attr_metadata = api_metadata[attr] || {}
-              qualified_attr = "#{attr_prefix}#{ModelApi::Utils.ext_attr(attr, attr_metadata)}"
-              assoc_errors = nil
-              if attr_metadata[:type] == :association
-                assoc_errors = extract_assoc_error_msgs(obj, attr, opts.merge(
-                    attr_metadata: attr_metadata))
-              end
-              if assoc_errors.present?
-                object_errors += assoc_errors
-              else
-                error_hash = {}
-                error_hash[:object] = attr_prefix if attr_prefix.present?
-                error_hash[:attribute] = qualified_attr unless attr == :base
-                object_errors << error_hash.merge(error: error,
-                    message: (attr == :base ? error : "#{qualified_attr} #{error}"))
-              end
-            end
-          end
-          object_errors
-        end
-        # rubocop:disable Metrics/MethodLength
-        def extract_assoc_error_msgs(obj, attr, opts)
-          object_errors = []
-          attr_metadata = opts[:attr_metadata] || {}
-          processed_assoc_objects = {}
-          assoc = attr_metadata[:association]
-          assoc_class = assoc.class_name.constantize
-          external_attr = ModelApi::Utils.ext_attr(attr, attr_metadata)
-          attr_metadata_create = attr_metadata_update = nil
-          if assoc.macro == :has_many
-            obj.send(attr).each_with_index do |assoc_obj, index|
-              next if processed_assoc_objects[assoc_obj]
-              processed_assoc_objects[assoc_obj] = true
-              attr_prefix = "#{external_attr}[#{index}]."
-              if assoc_obj.new_record?
-                attr_metadata_create ||= ModelApi::Utils.filtered_attrs(assoc_class, :create, opts)
-                object_errors += extract_msgs_for_error(assoc_obj, opts.merge(
-                    attr_prefix: attr_prefix, api_attr_metadata: attr_metadata_create))
-              else
-                attr_metadata_update ||= ModelApi::Utils.filtered_attrs(assoc_class, :update, opts)
-                object_errors += extract_msgs_for_error(assoc_obj, opts.merge(
-                    attr_prefix: attr_prefix, api_attr_metadata: attr_metadata_update))
-              end
-            end
-          else
-            assoc_obj = obj.send(attr)
-            return object_errors unless assoc_obj.present? && !processed_assoc_objects[assoc_obj]
-            processed_assoc_objects[assoc_obj] = true
-            attr_prefix = "#{external_attr}->"
-            if assoc_obj.new_record?
-              attr_metadata_create ||= ModelApi::Utils.filtered_attrs(assoc_class, :create, opts)
-              object_errors += extract_msgs_for_error(assoc_obj, opts.merge(
-                  attr_prefix: attr_prefix, api_attr_metadata: attr_metadata_create))
-            else
-              attr_metadata_update ||= ModelApi::Utils.filtered_attrs(assoc_class, :update, opts)
-              object_errors += extract_msgs_for_error(assoc_obj, opts.merge(
-                  attr_prefix: attr_prefix, api_attr_metadata: attr_metadata_update))
-            end
-          end
-          object_errors
-        end
-        # rubocop:enable Metrics/MethodLength
         def process_object_destroy(obj, operation, opts)
           soft_delete = obj.errors.present? ? false : object_destroy(obj, opts)
           if obj.errors.blank? && (soft_delete || obj.destroyed?)
             response_status = :ok
             object_errors = []
           else
-            object_errors = extract_msgs_for_error(obj, opts)
+            object_errors = ModelApi::Utils.extract_error_msgs(obj, opts)
             if object_errors.present?
               response_status = :bad_request
             else
@@ -1093,12 +985,12 @@ module ModelApi
               }
             end
           end
           [response_status, object_errors]
         end
         def object_destroy(obj, opts = {})
-          klass = find_class(obj)
+          klass = ModelApi::Utils.find_class(obj)
           object_id = obj.send(opts[:id_attribute] || :id)
           obj.instance_variable_set(:@readonly, false) if obj.instance_variable_get(:@readonly)
           if (deleted_col = klass.columns_hash['deleted']).present?
@@ -1120,168 +1012,7 @@ module ModelApi
           Rails.logger.warn "Error destroying #{klass.name} \"#{object_id}\": \"#{e.message}\")."
           false
         end
-        def set_api_attr(obj, attr, value, opts)
-          attr_metadata = opts[:attr_metadata]
-          internal_field = attr_metadata[:key] || attr
-          setter = attr_metadata[:setter] || "#{(internal_field)}="
-          unless obj.respond_to?(setter)
-            Rails.logger.warn "Error encountered assigning API input for attribute \"#{attr}\" " \
-                  '(setter not found): skipping.'
-            add_ignored_field(opts[:ignored_fields], attr, value, attr_metadata)
-            return
-          end
-          obj.send(setter, value)
-        end
-        def update_api_attr(obj, attr, value, opts = {})
-          attr_metadata = opts[:attr_metadata]
-          begin
-            value = ModelApi::Utils.transform_value(value, attr_metadata[:parse], opts)
-          rescue Exception => e
-            Rails.logger.warn "Error encountered parsing API input for attribute \"#{attr}\" " \
-                  "(\"#{e.message}\"): \"#{value.to_s.first(1000)}\" ... using raw value instead."
-          end
-          begin
-            if attr_metadata[:type] == :association && attr_metadata[:parse].blank?
-              attr_metadata = opts[:attr_metadata]
-              assoc = attr_metadata[:association]
-              if assoc.macro == :has_many
-                update_has_many_assoc(obj, attr, value, opts)
-              elsif assoc.macro == :belongs_to
-                update_belongs_to_assoc(obj, attr, value, opts)
-              else
-                add_ignored_field(opts[:ignored_fields], attr, value, attr_metadata)
-              end
-            else
-              set_api_attr(obj, attr, value, opts)
-            end
-          rescue Exception => e
-            handle_api_setter_exception(e, obj, attr_metadata, opts)
-          end
-        end
-        def update_has_many_assoc(obj, attr, value, opts = {})
-          attr_metadata = opts[:attr_metadata]
-          assoc = attr_metadata[:association]
-          assoc_class = assoc.class_name.constantize
-          model_metadata = ModelApi::Utils.model_metadata(assoc_class)
-          value_array = value.to_a rescue nil
-          unless value_array.is_a?(Array)
-            obj.errors.add(attr, 'must be supplied as an array of objects')
-            return
-          end
-          opts = opts.merge(model_metadata: model_metadata)
-          opts[:ignored_fields] = [] if opts.include?(:ignored_fields)
-          assoc_objs = []
-          value_array.each_with_index do |assoc_payload, index|
-            opts[:ignored_fields].clear if opts.include?(:ignored_fields)
-            assoc_objs << update_has_many_assoc_obj(obj, assoc, assoc_class, assoc_payload,
-                opts.merge(model_metadata: model_metadata))
-            if opts[:ignored_fields].present?
-              external_attr = ModelApi::Utils.ext_attr(attr, attr_metadata)
-              opts[:ignored_fields] << { "#{external_attr}[#{index}]" => opts[:ignored_fields] }
-            end
-          end
-          set_api_attr(obj, attr, assoc_objs, opts)
-        end
-        def update_has_many_assoc_obj(parent_obj, assoc, assoc_class, assoc_payload, opts = {})
-          model_metadata = opts[:model_metadata] || ModelApi::Utils.model_metadata(assoc_class)
-          assoc_obj, assoc_oper, assoc_opts = resolve_has_many_assoc_obj(model_metadata, assoc,
-              assoc_class, assoc_payload, parent_obj, opts)
-          if (inverse_assoc = assoc.options[:inverse_of]).present? &&
-              assoc_obj.respond_to?("#{inverse_assoc}=")
-            assoc_obj.send("#{inverse_assoc}=", parent_obj)
-          elsif !parent_obj.new_record? && assoc_obj.respond_to?("#{assoc.foreign_key}=")
-            assoc_obj.send("#{assoc.foreign_key}=", obj.id)
-          end
-          apply_updates(assoc_obj, assoc_payload, assoc_oper, assoc_opts)
-          ModelApi::Utils.invoke_callback(model_metadata[:after_initialize], assoc_obj,
-              assoc_opts.merge(operation: assoc_oper).freeze)
-          assoc_obj
-        end
-        def resolve_has_many_assoc_obj(model_metadata, assoc, assoc_class, assoc_payload,
-            parent_obj, opts = {})
-          assoc_obj = resolve_assoc_obj(model_metadata, assoc, assoc_class, assoc_payload,
-              parent_obj, opts)
-          if assoc_obj.new_record?
-            assoc_oper = :create
-            opts[:create_opts] ||= opts.merge(api_attr_metadata: ModelApi::Utils.filtered_attrs(
-                assoc_class, :create, opts))
-            assoc_opts = opts[:create_opts]
-          else
-            assoc_oper = :update
-            opts[:update_opts] ||= opts.merge(api_attr_metadata: ModelApi::Utils.filtered_attrs(
-                assoc_class, :update, opts))
-            assoc_opts = opts[:update_opts]
-          end
-          [assoc_obj, assoc_oper, assoc_opts]
-        end
-        def update_belongs_to_assoc(parent_obj, attr, assoc_payload, opts = {})
-          unless assoc_payload.is_a?(Hash)
-            parent_obj.errors.add(attr, 'must be supplied as an object')
-            return
-          end
-          attr_metadata = opts[:attr_metadata]
-          assoc = attr_metadata[:association]
-          assoc_class = assoc.class_name.constantize
-          model_metadata = ModelApi::Utils.model_metadata(assoc_class)
-          assoc_obj, assoc_oper, assoc_opts = resolve_belongs_to_assoc_obj(model_metadata, assoc,
-              assoc_class, assoc_payload, parent_obj, opts)
-          apply_updates(assoc_obj, assoc_payload, assoc_oper, assoc_opts)
-          ModelApi::Utils.invoke_callback(model_metadata[:after_initialize], assoc_obj,
-              opts.merge(operation: assoc_oper).freeze)
-          if assoc_opts[:ignored_fields].present?
-            external_attr = ModelApi::Utils.ext_attr(attr, attr_metadata)
-            opts[:ignored_fields] << { external_attr.to_s => assoc_opts[:ignored_fields] }
-          end
-          set_api_attr(parent_obj, attr, assoc_obj, opts)
-        end
-        def resolve_belongs_to_assoc_obj(model_metadata, assoc, assoc_class, assoc_payload,
-            parent_obj, opts = {})
-          assoc_opts = opts[:ignored_fields].is_a?(Array) ? opts.merge(ignored_fields: []) : opts
-          assoc_obj = resolve_assoc_obj(model_metadata, assoc, assoc_class, assoc_payload,
-              parent_obj, opts)
-          assoc_oper = assoc_obj.new_record? ? :create : :update
-          assoc_opts = assoc_opts.merge(
-              api_attr_metadata: ModelApi::Utils.filtered_attrs(assoc_class, assoc_oper, opts))
-          return [assoc_obj, assoc_oper, assoc_opts]
-        end
-        def resolve_assoc_obj(model_metadata, assoc, assoc_class, assoc_payload, parent_obj,
-            opts = {})
-          if opts[:resolve].try(:respond_to?, :call)
-            assoc_obj = ModelApi::Utils.invoke_callback(opts[:resolve], assoc_payload, opts.merge(
-                parent: parent_obj, association: assoc, association_metadata: model_metadata))
-          else
-            assoc_obj = find_by_id_attrs(model_metadata[:id_attributes], assoc_class, assoc_payload)
-            assoc_obj = assoc_obj.first unless assoc_obj.nil? || assoc_obj.count != 1
-            assoc_obj ||= assoc_class.new
-          end
-          assoc_obj
-        end
-        def find_by_id_attrs(id_attributes, assoc_class, assoc_payload)
-          return nil unless id_attributes.present?
-          id_attributes.each do |id_attr_set|
-            query = nil
-            id_attr_set.each do |id_attr|
-              unless assoc_payload.include?(id_attr.to_s)
-                query = nil
-                break
-              end
-              query = (query || assoc_class).where(id_attr => assoc_payload[id_attr.to_s])
-            end
-            return query unless query.nil?
-          end
-          nil
-        end
         def apply_context(query, opts = {})
           context = opts[:context]
           return query if context.nil?
@@ -1292,60 +1023,7 @@ module ModelApi
           end
           query
         end
-        def handle_api_setter_exception(e, obj, attr_metadata, opts = {})
-          return unless attr_metadata.is_a?(Hash)
-          on_exception = attr_metadata[:on_exception]
-          fail e unless on_exception.present?
-          on_exception = { Exception => on_exception } unless on_exception.is_a?(Hash)
-          opts = opts.frozen? ? opts : opts.dup.freeze
-          on_exception.each do |klass, handler|
-            klass = klass.to_s.constantize rescue nil unless klass.is_a?(Class)
-            next unless klass.is_a?(Class) && e.is_a?(klass)
-            if handler.respond_to?(:call)
-              ModelApi::Utils.invoke_callback(handler, obj, e, opts)
-            elsif handler.present?
-              # Presume handler is an error message in this case
-              obj.errors.add(attr_metadata[:key], handler.to_s)
-            else
-              add_ignored_field(opts[:ignored_fields], nil, opts[:value], attr_metadata)
-            end
-            break
-          end
-        end
-        def add_ignored_field(ignored_fields, attr, value, attr_metadata)
-          return unless ignored_fields.is_a?(Array)
-          attr_metadata ||= {}
-          external_attr = ModelApi::Utils.ext_attr(attr, attr_metadata)
-          return unless external_attr.present?
-          ignored_fields << { external_attr => value }
-        end
-        def validate_operation(obj, operation, opts = {})
-          klass = find_class(obj, opts)
-          model_metadata = opts[:api_model_metadata] || ModelApi::Utils.model_metadata(klass)
-          return nil unless operation.present?
-          opts = opts.frozen? ? opts : opts.dup.freeze
-          if obj.nil?
-            ModelApi::Utils.invoke_callback(model_metadata[:"validate_#{operation}"], opts)
-          else
-            ModelApi::Utils.invoke_callback(model_metadata[:"validate_#{operation}"], obj, opts)
-          end
-        end
-        def validate_preserving_existing_errors(obj)
-          if obj.errors.present?
-            errors = obj.errors.messages.dup
-            obj.valid?
-            errors = obj.errors.messages.merge(errors)
-            obj.errors.clear
-            errors.each { |field, error| obj.errors.add(field, error) }
-          else
-            obj.valid?
-          end
-        end
         def class_or_sti_subclass(klass, req_body, operation, opts = {})
           metadata = ModelApi::Utils.filtered_attrs(klass, :create, opts)
           if operation == :create && (attr_metadata = metadata[:type]).is_a?(Hash) &&