model_driven_api 3.7.1 → 3.7.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ad2abbdb4e4fd783d5e4fadde50593be43e265aa857a0077655513b4e73f522e
-  data.tar.gz: 323ffab731877ae6c4f8adb6b75bb358e12319a7b2d55ccc77aadd5e6e52d41d
+  metadata.gz: 83a93641c80f4714d3979c54cc931a039a2e7fce13f19064c2383d17dfd2a1ff
+  data.tar.gz: 2252a0af2913ead1b23bcb80e3c0207a8fffd07df9a24de027f2066e93f4603a
 SHA512:
-  metadata.gz: 17322346aef3972a55db2fce8703abfe9b2148076509c3a14aa465c0d34e4d5ec41294366496a77fc7dc44c5dd324fe9513f77961338591ae035ac5d03e8575d
-  data.tar.gz: f11a3a215784201aa30fb20b45b29a1df75ef8d1e8f045d2d15c6b8f45425487d40a9ba6315db679a827dabd2e54846ef78ee9950f5533861befb6342d59b150
+  metadata.gz: 5715f08361af0fef0b53916ee097d97592afe15932f61379b62014dd1850afed334eedb22163e1b3952b66d5ca5209ac3fc5af10127433951640901eda190860
+  data.tar.gz: d20f2cf91888026f26c76cb6053169f0e57b91cbf20d84c6ad37001fd9914f2eec485eb3f6314f3b3446e9fb8edeafbf64eaeee8ad50f7c75d4f186d0950fffa

data/app/controllers/api/v2/application_controller.rb

@@ -13,7 +13,7 @@ class Api::V2::ApplicationController < ActionController::API
 
   # GET :controller/
   def index
-    authorize! :index, @model unless public_custom_action?
+    authorize! :index, @model unless custom_action?
 
     # Custom Action
     status, result, status_number = check_for_custom_action
@@ -53,7 +53,7 @@ class Api::V2::ApplicationController < ActionController::API
   end
 
   def show
-    authorize! :show, @record_id.presence || @model
+    authorize! :show, @record_id.presence || @model unless custom_action?
 
     # Custom Show Action
     status, result, status_number = check_for_custom_action
@@ -67,7 +67,7 @@ class Api::V2::ApplicationController < ActionController::API
   def create
     # Normal Create Action
     Rails.logger.debug("Creating a new record #{@record}")
-    authorize! :create, @record.presence || @model unless public_custom_action?
+    authorize! :create, @record.presence || @model unless custom_action?
     # Custom Action
     status, result, status_number = check_for_custom_action
     return render json: result, status: (status_number.presence || 200) if status == true
@@ -80,7 +80,7 @@ class Api::V2::ApplicationController < ActionController::API
   end
 
   def update
-    authorize! :update, @record.presence || @model
+    authorize! :update, @record.presence || @model unless custom_action?
 
     # Custom Action
     status, result, status_number = check_for_custom_action
@@ -105,7 +105,7 @@ class Api::V2::ApplicationController < ActionController::API
   end
 
   def destroy
-    authorize! :destroy, @record.presence || @model
+    authorize! :destroy, @record.presence || @model unless custom_action?
 
     # Custom Action
     status, result, status_number = check_for_custom_action
@@ -127,12 +127,18 @@ class Api::V2::ApplicationController < ActionController::API
 
   private
 
-  # Returns true if the current request is for a NonCrudEndpoints custom action
-  # that has been declared as public (no authentication required).
+  # Returns true for any custom action request (public or authenticated).
+  # Custom actions are self-contained and handle their own authorization logic;
+  # the generic CanCan model-level check is not applicable to them.
+  def custom_action?
+    params[:action_name].present?
+  end
+
+  # Returns true only for custom actions declared as public (no JWT required).
   # Forces autoloading of the Endpoints::<Model> class so the public_action_registry
   # is populated before authenticate_request checks it.
   def public_custom_action?
-    return false unless request.url.include?("/custom_action/")
+    return false unless custom_action?
     model_name = params[:ctrl].to_s.classify
     action_name = params[:action_name].to_s
     # Ensure the endpoint class is loaded so its public_action declarations are registered.

data/app/controllers/api/v3/application_controller.rb

@@ -2,7 +2,7 @@ class Api::V3::ApplicationController < Api::V2::ApplicationController
   include Pagy::Backend
 
   def index
-    authorize! :index, @model unless public_custom_action?
+    authorize! :index, @model unless custom_action?
 
     status, result, status_number = check_for_custom_action
     return render json: result, status: (status_number.presence || 200) if status == true
@@ -18,7 +18,7 @@ class Api::V3::ApplicationController < Api::V2::ApplicationController
   end
 
   def show
-    authorize! :show, @record
+    authorize! :show, @record unless custom_action?
 
     status, result, status_number = check_for_custom_action
     return render json: result, status: (status_number.presence || 200) if status == true
@@ -28,7 +28,7 @@ class Api::V3::ApplicationController < Api::V2::ApplicationController
   end
 
   def create
-    authorize! :create, @model
+    authorize! :create, @model unless custom_action?
 
     status, result, status_number = check_for_custom_action
     return render json: result, status: (status_number.presence || 200) if status == true
@@ -40,7 +40,7 @@ class Api::V3::ApplicationController < Api::V2::ApplicationController
   end
 
   def update
-    authorize! :update, @record
+    authorize! :update, @record unless custom_action?
 
     status, result, status_number = check_for_custom_action
     return render json: result, status: (status_number.presence || 200) if status == true
@@ -53,7 +53,7 @@ class Api::V3::ApplicationController < Api::V2::ApplicationController
   alias_method :patch, :update
 
   def destroy
-    authorize! :destroy, @record
+    authorize! :destroy, @record unless custom_action?
 
     status, result, status_number = check_for_custom_action
     return render json: result, status: (status_number.presence || 200) if status == true

data/lib/model_driven_api/version.rb

@@ -1,3 +1,3 @@
 module ModelDrivenApi
-  VERSION = "3.7.1".freeze
+  VERSION = "3.7.2".freeze
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: model_driven_api
 version: !ruby/object:Gem::Version
-  version: 3.7.1
+  version: 3.7.2
 platform: ruby
 authors:
 - Gabriele Tassoni