standardapi 6.0.0.32 → 7.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6f8e9f6eee237614e9c303c8fe9e2e624b081272627f9a7aa3f680276872c1a9
-  data.tar.gz: 73ede0c9b6229117b4781071441ac0581a06b16592f95f04959932c010ecb8f0
+  metadata.gz: 88dd56c94d20d8649c5f755509be1aee880f7dff0133602a4fe46c0408c4e65b
+  data.tar.gz: 3f14301f672ac171f9e2a39620de9f1913300572164978857ea12fcb1bb008de
 SHA512:
-  metadata.gz: 904192ff81007b628b672e094dfaad19f4b2c49a0e4119631dd46c320a85d0e2c06200b5570d29d3b70ded73046b843dfd28ce3e40358d3b2294bbf9bb7b50f6
-  data.tar.gz: f9ed735aabd0830d6b2c7a390d4f2bca3bf8bcc1d8b806b615a76462404f58c9b65241c75e7b7e62abe84539705249ed10c82f9f5dcc4cc1ee4911e51513200f
+  metadata.gz: e3c282a6b8898d1c1451e381dea4cf57c3cd58b65bccfba6a0b5f9d302242287bb233dd43b4a078c51f1711a32a449d47c157626a92cc752939d8040ef704534
+  data.tar.gz: 56d90b5dc3d5d04924b7bd5e5fe6a98cfe9cf4f6fa79d30c933abff3e5c6f6b69a6718a699bb5199183f05372f99d8038f99dc7e5ff1b011dca4da978ee4d5ae

data/README.md

@@ -1,36 +1,27 @@
 # StandardAPI
 
-StandardAPI makes it easy to expost a [REST](https://en.wikipedia.org/wiki/Representational_state_transfer)
+StandardAPI makes it easy to expose a [REST](https://en.wikipedia.org/wiki/Representational_state_transfer)
 interface to your Rails models.
 
 # Installation
 
     gem install standardapi
 
-In your Gemfile:
+In your `Gemfile`:
 
     gem 'standardapi', require: 'standard_api'
 
-In `config/application.rb:
+Optionally in `config/application.rb`:
 
-    require_relative 'boot'
-
-    require 'rails/all'
-    require 'standard_api/middleware/query_encoding'
-
-    # Require the gems listed in Gemfile, including any gems
-    # you've limited to :test, :development, or :production.
-    Bundler.require(*Rails.groups)
-
-    module Tester
+    module MyApplication
       class Application < Rails::Application
         # Initialize configuration defaults for originally generated Rails version.
-        config.load_defaults 5.2
+        config.load_defaults 7.0
 
-        # Settings in config/environments/* take precedence over those specified here.
-        # Application configuration can go into files in config/initializers
-        # -- all .rb files in that directory are automatically loaded after loading
-        # the framework and any gems in your application.
+        # QueryEncoding middleware intercepts and parses the query string
+        # as MessagePack if the `Query-Encoding` header is set to `application/msgpack`
+        # which allows GET request with types as opposed to all values being interpeted
+        # as strings
         config.middleware.insert_after Rack::MethodOverride, StandardAPI::Middleware::QueryEncoding
       end
     end
@@ -41,66 +32,96 @@ StandardAPI is a module that can be included into any controller to expose a API
 for. Alternatly, it can be included into `ApplicationController`, giving all
 inherited controllers an exposed API.
 
-    class ApplicationController < ActiveController::Base
-        include StandardAPI::Controller
-
-    end
-
-By default any paramaters passed to update and create are whitelisted with by
-the method named after the model the controller represents. For example, the
-following will only allow the `caption` attribute of the `Photo` model to be
-updated.
-
     class PhotosController < ApplicationController
       include StandardAPI
       
+      # Allowed paramaters
+      # By default any paramaters passed to update and create are whitelisted by
+      # the method named after the model the controller represents. For example,
+      # the following will only allow the `caption` attribute of the `Photo`
+      # model to be set on update or create.
       def photo_params
         [:caption]
       end
+      
+      # Allowed orderings
+      # The ordering is whitelisted as well, you will mostly likely want to
+      # ensure indexes have been created on these columns. In this example the
+      # response can be ordered by any permutation of `id`, `created_at`, and
+      # `updated_at`.
+      def photo_orders
+        [:id, :created_at, :updated_at]
+      end
+      
+      # Allowed includes
+      # Similarly, the includes (including of relationships in the reponse) are
+      # whitelisted. Note how includes can also support nested includes. In this
+      # case when including the author, the photos that the author took can also
+      # be included.
+      def photo_includes
+        { author: [:photos] }
+      end
     end
 
-If greater control of the allowed paramaters is required, the `model_params`
-method can be overridden. It simply returns a set of `StrongParameters`.
+##### Access Control List
 
-    class PhotosController < ApplicationController
-      include StandardAPI
-      
-      def model_params
-        if @photo.author == current_user
-          [:caption]
-        else
-          [:comment]
-        end
-      end
+For greater control of the allowed paramaters and nesting of paramaters
+`StandardAPI::AccessControlList` is available. To use it include it in your base
+controller:
+
+    class ApplicationController
+        include StandardAPI::Control
+        include StandardAPI::AccessControlList
     end
 
-Similarly, the ordering and includes (including of relationships in the reponse)
-is whitelisted as well.
+Then create an ACL file for each model you want in `app/controllers/acl`.
 
-Full Example:
+Taking the above example we would remove the `photo_*` methods and create the
+following files:
 
-    class PhotosController < ApplicationController
-      including StandardAPI
+`app/controllers/acl/photo_acl.rb`:
 
-      # Allowed paramaters
-      def photo_params
-        [:caption]
+    module PhotoACL
+      # Allowed attributes
+      def attributes
+        [ :caption ]
       end
-
-      # Allowed orderings
-      def photo_orders
-        [:id, :created_at, :updated_at]
+      
+      # Allowed saving / creating nested attributes
+      def nested
+        [ :camera ]
       end
-
+      
+      # Allowed orders
+      def orders
+        [ :id, :created_at, :updated_at ]
+      end
+      
       # Allowed includes
-      def photo_includes
-        { author: [:photos] }
+      def includes
+        [ :author ]
       end
+    end
 
+`app/controllers/acl/author_acl.rb`:
+
+    module AuthorACL
+      def includes
+        [ :photos ]
+      end
     end
 
-Note how includes can also support nested includes. So in this case when
-including the author, the photos that the author took can also be included.
+All of these methods are optional and will be included in ApplicationController
+for StandardAPI to determine allowed attributes, nested attributes, orders and
+includes.
+
+`includes` now returns a shallow Array, StandardAPI can how determine including
+an `author` and the author's `photos` is allowed by looking at what includes are
+allowed on photo and author.
+
+The `nested` function tells StandardAPI what relations on `Photo` are allowed to
+be set with the API and will determine what attributes are allowed by looking
+for a `camera_acl` file.
 
 # API Usage
 Resources can be queried via REST style end points
@@ -208,7 +229,7 @@ And example contoller and it's tests.
         # The mask is then applyed to all actions when querring ActiveRecord
         # Will only allow photos that have id one. For more on the syntax see
         # the activerecord-filter gem.
-        def current_mask
+        def mask_for(table_name)
             { id: 1 }
         end
 
@@ -231,3 +252,4 @@ StandardAPI Resource Interface
 | `/models?where[id][]=1&where[id][]=2` | `{ where: { id: [1,2] } }` | `SELECT * FROM models WHERE id IN (1, 2)` | `[{ id: 1 }, { id: 2 }]` |
 
 
+

data/lib/standard_api/access_control_list.rb

@@ -0,0 +1,148 @@
+module StandardAPI
+  module AccessControlList
+
+    def self.traverse(path, prefix: nil, &block)
+      path.children.each do |child|
+        if child.file? && child.basename('.rb').to_s.ends_with?('_acl')
+          block.call([prefix, child.basename('.rb').to_s].compact.join('/'))
+        elsif child.directory?
+          traverse(child, prefix: [prefix, child.basename.to_s].compact.join('/'), &block)
+        end
+      end
+    end
+
+    def self.included(application_controller)
+      acl_dir = Rails.application.root.join('app', 'controllers', 'acl')
+      return if !acl_dir.exist?
+
+      traverse(acl_dir) do |child|
+        mod = child.classify.constantize
+        prefix = child.delete_suffix('_acl').gsub('/', '_')
+
+        [:orders, :includes, :attributes].each do |m|
+          next if !mod.instance_methods.include?(m)
+          mod.send :alias_method, "#{prefix}_#{m}".to_sym, m
+          mod.send :remove_method, m
+        end
+
+        if mod.instance_methods.include?(:nested)
+          mod.send :alias_method, "nested_#{prefix}_attributes".to_sym, :nested
+          mod.send :remove_method, :nested
+        end
+
+        if mod.instance_methods.include?(:filter)
+          mod.send :alias_method, "filter_#{prefix}_params".to_sym, :filter
+          mod.send :remove_method, :filter
+        end
+
+        application_controller.include mod
+      end
+    end
+
+    def model_orders
+      if self.respond_to?("#{model.model_name.singular}_orders", true)
+        self.send("#{model.model_name.singular}_orders")
+      else
+        []
+      end
+    end
+
+    def model_params
+      if self.respond_to?("filter_#{model_name(model)}_params", true)
+        self.send("filter_#{model_name(model)}_params", params[model_name(model)], id: params[:id])
+      else
+        filter_model_params(params[model_name(model)], model.base_class)
+      end
+    end
+
+    def filter_model_params(model_params, model, id: nil, allow_id: nil)
+      permitted_params = if model_params && self.respond_to?("#{model_name(model)}_attributes", true)
+        permits = self.send("#{model_name(model)}_attributes")
+
+        allow_id ? model_params.permit(permits, :id) : model_params.permit(permits)
+      else
+        ActionController::Parameters.new
+      end
+
+      if self.respond_to?("nested_#{model_name(model)}_attributes", true)
+        self.send("nested_#{model_name(model)}_attributes").each do |relation|
+          relation = model.reflect_on_association(relation)
+          attributes_key = "#{relation.name}"
+
+          if model_params.has_key?(attributes_key)
+            filter_method = "filter_#{relation.klass.base_class.model_name.singular}_params"
+            if model_params[attributes_key].nil?
+              permitted_params[attributes_key] = nil
+            elsif model_params[attributes_key].is_a?(Array) && model_params[attributes_key].all? { |a| a.keys.map(&:to_sym) == [:id] }
+              permitted_params["#{relation.name.to_s.singularize}_ids"] = model_params[attributes_key].map{|a| a['id']}
+            elsif self.respond_to?(filter_method, true)
+              permitted_params[attributes_key] = if model_params[attributes_key].is_a?(Array)
+                models = relation.klass.find(model_params[attributes_key].map { |i| i['id'] }.compact)
+                model_params[attributes_key].map { |i|
+                  i_params = self.send(filter_method, i, allow_id: true)
+                  if i_params['id']
+                    r = models.find { |r| r.id == i_params['id'] }
+                    r.assign_attributes(i_params)
+                    r
+                  else
+                    relation.klass.new(i_params)
+                  end
+                }
+              else
+                i_params = self.send(filter_method, model_params[attributes_key], allow_id: true)
+                if i_params['id']
+                  r = relation.klass.find(i_params['id'])
+                  r.assign_attributes(i_params)
+                  r
+                else
+                  relation.klass.new(i_params)
+                end
+              end
+            else
+              permitted_params[attributes_key] = if model_params[attributes_key].is_a?(Array)
+                models = relation.klass.find(model_params[attributes_key].map { |i| i['id'] }.compact)
+                model_params[attributes_key].map { |i|
+                  i_params = filter_model_params(i, relation.klass.base_class, allow_id: true)
+                  if i_params['id']
+                    r = models.find { |r| r.id == i_params['id'] }
+                    r.assign_attributes(i_params)
+                    r
+                  else
+                    relation.klass.new(i_params)
+                  end
+                }
+              else
+                i_params = filter_model_params(model_params[attributes_key], relation.klass.base_class, allow_id: true)
+                if i_params['id']
+                  r = relation.klass.find(i_params['id'])
+                  r.assign_attributes(i_params)
+                  r
+                else
+                  relation.klass.new(i_params)
+                end
+              end
+            end
+          elsif relation.collection? && model_params.has_key?("#{relation.name.to_s.singularize}_ids")
+            permitted_params["#{relation.name.to_s.singularize}_ids"] = model_params["#{relation.name.to_s.singularize}_ids"]
+          elsif model_params.has_key?(relation.foreign_key)
+            permitted_params[relation.foreign_key] = model_params[relation.foreign_key]
+            permitted_params[relation.foreign_type] = model_params[relation.foreign_type] if relation.polymorphic?
+          end
+
+          permitted_params.permit!
+        end
+      end
+
+      permitted_params
+    end
+
+    def model_name(model)
+      if model.model_name.singular.starts_with?('habtm_')
+        model.reflect_on_all_associations.map { |a| a.klass.base_class.model_name.singular }.sort.join('_')
+      else
+        model.model_name.singular
+      end
+    end
+
+  end
+end

data/lib/standard_api/controller.rb

@@ -1,12 +1,13 @@
 module StandardAPI
   module Controller
 
-    delegate :preloadables, to: :helpers
+    delegate :preloadables, :model_partial, to: :helpers
 
     def self.included(klass)
       klass.helper_method :includes, :orders, :model, :models, :resource_limit,
         :default_limit
       klass.before_action :set_standardapi_headers
+      klass.before_action :includes, except: [:destroy, :add_resource, :remove_resource]
       klass.rescue_from StandardAPI::ParameterMissing, with: :bad_request
       klass.rescue_from StandardAPI::UnpermittedParameters, with: :bad_request
       klass.append_view_path(File.join(File.dirname(__FILE__), 'views'))
@@ -73,7 +74,7 @@ module StandardAPI
         end
       else
         if request.format == :html
-          render :edit, status: :bad_request
+          render :new, status: :bad_request
         else
           render :show, status: :bad_request
         end
@@ -96,45 +97,97 @@ module StandardAPI
           render :show, status: :ok
         end
       else
-        render :show, status: :bad_request
+        if request.format == :html
+          render :edit, status: :bad_request
+        else
+          render :show, status: :bad_request
+        end
       end
     end
 
     def destroy
-      resources.find(params[:id]).destroy!
+      records = resources.find(params[:id].split(','))
+      model.transaction { records.each(&:destroy!) }
+
       head :no_content
     end
 
     def remove_resource
       resource = resources.find(params[:id])
-      subresource_class = resource.association(params[:relationship]).klass
-      subresource = subresource_class.find_by_id(params[:resource_id])
-
-      if(subresource)
-        result = resource.send(params[:relationship]).delete(subresource)
-        head result ? :no_content : :bad_request
-      else
-        head :not_found
+      association = resource.association(params[:relationship])
+
+      result = case association
+      when ActiveRecord::Associations::CollectionAssociation
+        association.delete(association.klass.find(params[:resource_id]))
+      when ActiveRecord::Associations::SingularAssociation
+        if resource.send(params[:relationship])&.id&.to_s == params[:resource_id]
+          resource.update(params[:relationship] => nil)
+        end
       end
+      head result ? :no_content : :not_found
     end
 
     def add_resource
       resource = resources.find(params[:id])
-
-      subresource_class = resource.association(params[:relationship]).klass
-      subresource = subresource_class.find_by_id(params[:resource_id])
-      if(subresource)
-        result = resource.send(params[:relationship]) << subresource
-        head result ? :created : :bad_request
+      association = resource.association(params[:relationship])
+      subresource = association.klass.find(params[:resource_id])
+
+      result = case association
+      when ActiveRecord::Associations::CollectionAssociation
+        association.concat(subresource)
+      when ActiveRecord::Associations::SingularAssociation
+        resource.update(params[:relationship] => subresource)
+      end
+      head result ? :created : :bad_request
+    rescue ActiveRecord::RecordNotUnique
+      render json: {errors: [
+        "Relationship between #{resource.class.name} and #{subresource.class.name} violates unique constraints"
+      ]}, status: :bad_request
+    end
+    
+    def create_resource
+      resource = resources.find(params[:id])
+      association = resource.association(params[:relationship])
+    
+      subresource_params = if self.respond_to?("filter_#{model_name(association.klass)}_params", true)
+        self.send("filter_#{model_name(association.klass)}_params", params[model_name(association.klass)], id: params[:id])
+      elsif self.respond_to?("#{association.klass.model_name.singular}_params", true)
+        params.require(association.klass.model_name.singular).permit(self.send("#{association.klass.model_name.singular}_params"))
+      elsif self.respond_to?("filter_model_params", true)
+        filter_model_params(params[model_name(association.klass)], association.klass.base_class)
       else
-        head :not_found
+        ActionController::Parameters.new
+      end
+    
+      subresource = association.klass.new(subresource_params)
+    
+      result = case association
+      when ActiveRecord::Associations::CollectionAssociation
+        association.concat(subresource)
+      when ActiveRecord::Associations::SingularAssociation
+        resource.update(params[:relationship] => subresource)
       end
 
+      partial = model_partial(subresource)
+      partial_record_name = partial.split('/').last.to_sym
+      if result
+        render partial: partial, locals: {partial_record_name => subresource}, status: :created
+      else
+        render partial: partial, locals: {partial_record_name => subresource}, status: :bad_request
+      end
     end
 
+    def mask
+      @mask ||= Hash.new do |hash, key|
+        hash[key] = mask_for(key)
+      end
+    end
+    
     # Override if you want to support masking
-    def current_mask
-      @current_mask ||= {}
+    def mask_for(table_name)
+      # case table_name
+      # when 'accounts'
+      # end
     end
 
     module ClassMethods
@@ -157,7 +210,11 @@ module StandardAPI
     end
 
     def model
-      self.class.model
+      if action_name&.end_with?('_resource')
+        self.class.model.reflect_on_association(params[:relationship]).klass
+      else
+        self.class.model
+      end
     end
 
     def models
@@ -189,7 +246,7 @@ module StandardAPI
       if self.respond_to?("#{model.model_name.singular}_params", true)
         params.require(model.model_name.singular).permit(self.send("#{model.model_name.singular}_params"))
       else
-        []
+        ActionController::Parameters.new
       end
     end
 
@@ -207,7 +264,7 @@ module StandardAPI
     end
 
     def resources
-      query = model.filter(params['where']).filter(current_mask[model.table_name])
+      query = self.class.model.filter(params['where']).filter(mask[self.class.model.table_name.to_sym])
 
       if params[:distinct_on]
         query = query.distinct_on(params[:distinct_on])
@@ -225,9 +282,29 @@ module StandardAPI
 
       query
     end
+    
+    def nested_includes(model, attributes)
+      includes = {}
+      attributes&.each do |key, value|
+        if association = model.reflect_on_association(key)
+          includes[key] = nested_includes(association.klass, value)
+        end
+      end
+      includes
+    end
 
     def includes
-      @includes ||= StandardAPI::Includes.sanitize(params[:include], model_includes)
+      @includes ||= if params[:include]
+        StandardAPI::Includes.sanitize(params[:include], model_includes)
+      else
+        {}
+      end
+      
+      if (action_name == 'create' || action_name == 'update') && model && params.has_key?(model.model_name.singular)
+        @includes.reverse_merge!(nested_includes(model, params[model.model_name.singular].to_unsafe_h))
+      end
+      
+      @includes
     end
 
     def required_orders
@@ -309,7 +386,19 @@ module StandardAPI
       @selects = []
       @selects << params[:group_by] if params[:group_by]
       Array(params[:select]).each do |select|
-        select.each do |func, column|
+        select.each do |func, value|
+          distinct = false
+
+          column = case value
+          when ActionController::Parameters
+            # TODO: Add support for other aggregate expressions
+            # https://www.postgresql.org/docs/current/sql-expressions.html#SYNTAX-AGGREGATES
+            distinct = !value[:distinct].nil?
+            value[:distinct]
+          else
+            value
+          end
+
           if (parts = column.split(".")).length > 1
             @model = parts[0].singularize.camelize.constantize
             column = parts[1]
@@ -318,7 +407,7 @@ module StandardAPI
           column = column == '*' ? Arel.star : column.to_sym
           if functions.include?(func.to_s.downcase)
             node = (defined?(@model) ? @model : model).arel_table[column].send(func)
-            node.distinct = true if params[:distinct]
+            node.distinct = distinct
             @selects << node
           end
         end

data/lib/standard_api/helpers.rb

@@ -1,5 +1,11 @@
 module StandardAPI
   module Helpers
+    
+    def serialize_attribute(json, record, name, type)
+      value = record.send(name)
+      
+      json.set! name, type == :binary ? value&.unpack1('H*') : value
+    end
 
     def preloadables(record, includes)
       preloads = {}
@@ -80,9 +86,10 @@ module StandardAPI
       end
     end
 
-    def can_cache_relation?(klass, relation, subincludes)
+    def can_cache_relation?(record, relation, subincludes)
+      return false if record.new_record?
       cache_columns = ["#{relation}_cached_at"] + cached_at_columns_for_includes(subincludes).map {|c| "#{relation}_#{c}"}
-      if (cache_columns - klass.column_names).empty?
+      if (cache_columns - record.class.column_names).empty?
         true
       else
         false
@@ -91,18 +98,18 @@ module StandardAPI
 
     def association_cache_key(record, relation, subincludes)
       timestamp = ["#{relation}_cached_at"] + cached_at_columns_for_includes(subincludes).map {|c| "#{relation}_#{c}"}
-      timestamp.map! { |col| record.send(col) }
+      timestamp = (timestamp & record.class.column_names).map! { |col| record.send(col) }
       timestamp = timestamp.max
 
       case association = record.class.reflect_on_association(relation)
       when ActiveRecord::Reflection::HasManyReflection, ActiveRecord::Reflection::HasAndBelongsToManyReflection, ActiveRecord::Reflection::HasOneReflection, ActiveRecord::Reflection::ThroughReflection
-        "#{record.model_name.cache_key}/#{record.id}/#{includes_to_cache_key(relation, subincludes)}-#{timestamp.utc.to_s(record.cache_timestamp_format)}"
+        "#{record.model_name.cache_key}/#{record.id}/#{includes_to_cache_key(relation, subincludes)}-#{timestamp.utc.to_fs(record.cache_timestamp_format)}"
       when ActiveRecord::Reflection::BelongsToReflection
         klass = association.options[:polymorphic] ? record.send(association.foreign_type).constantize : association.klass
         if subincludes.empty?
-          "#{klass.model_name.cache_key}/#{record.send(association.foreign_key)}-#{timestamp.utc.to_s(klass.cache_timestamp_format)}"
+          "#{klass.model_name.cache_key}/#{record.send(association.foreign_key)}-#{timestamp.utc.to_fs(klass.cache_timestamp_format)}"
         else
-          "#{klass.model_name.cache_key}/#{record.send(association.foreign_key)}/#{digest_hash(sort_hash(subincludes))}-#{timestamp.utc.to_s(klass.cache_timestamp_format)}"
+          "#{klass.model_name.cache_key}/#{record.send(association.foreign_key)}/#{digest_hash(sort_hash(subincludes))}-#{timestamp.utc.to_fs(klass.cache_timestamp_format)}"
         end
       else
         raise ArgumentError, 'Unkown association type'
@@ -155,7 +162,9 @@ module StandardAPI
 
     def json_column_type(sql_type)
       case sql_type
-      when 'timestamp without time zone'
+      when 'binary', 'bytea'
+        'binary'
+      when /timestamp(\(\d+\))? without time zone/
         'datetime'
       when 'time without time zone'
         'datetime'
@@ -163,9 +172,7 @@ module StandardAPI
         'string'
       when 'json'
         'hash'
-      when 'bigint'
-        'integer'
-      when 'integer'
+      when 'smallint', 'bigint', 'integer'
         'integer'
       when 'jsonb'
         'hash'

data/lib/standard_api/includes.rb

@@ -20,6 +20,15 @@ module StandardAPI
           normalized[k] = case k.to_s
           when 'when', 'where', 'order'
             case v
+            when Array
+              v.map do |x|
+                case x
+                when Hash then x.to_h
+                when ActionController::Parameters then x.to_unsafe_h
+                else
+                  x
+                end
+              end
             when Hash then v.to_h
             when ActionController::Parameters then v.to_unsafe_h
             end