standardapi 6.1.0 → 7.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7134ec77418da381ff4cb9aa8717f797784ab1f4d45faefde89261e6e7a82ad9
-  data.tar.gz: 83e924e7fd2ded8c5d4239f9d775ef232fa985a4daa838aec374105eed65df2e
+  metadata.gz: 88dd56c94d20d8649c5f755509be1aee880f7dff0133602a4fe46c0408c4e65b
+  data.tar.gz: 3f14301f672ac171f9e2a39620de9f1913300572164978857ea12fcb1bb008de
 SHA512:
-  metadata.gz: 6e477baa763d068d112a29a9539145b75edf47be726c21e679fc4842ae63157914c8b2753f0f7e338c43fe2e328cbe85c4cb3681958113b5533af478bcb43fc3
-  data.tar.gz: 551a57b70b62f0f6c27f97aba97930b220a40b80799058a7c1a35d0d4a0afa787dd760ac01d42110d050a4d0d0f1387d6b00d63629c523c96e0b49a6910b77c1
+  metadata.gz: e3c282a6b8898d1c1451e381dea4cf57c3cd58b65bccfba6a0b5f9d302242287bb233dd43b4a078c51f1711a32a449d47c157626a92cc752939d8040ef704534
+  data.tar.gz: 56d90b5dc3d5d04924b7bd5e5fe6a98cfe9cf4f6fa79d30c933abff3e5c6f6b69a6718a699bb5199183f05372f99d8038f99dc7e5ff1b011dca4da978ee4d5ae

data/README.md

@@ -1,36 +1,27 @@
 # StandardAPI
 
-StandardAPI makes it easy to expost a [REST](https://en.wikipedia.org/wiki/Representational_state_transfer)
+StandardAPI makes it easy to expose a [REST](https://en.wikipedia.org/wiki/Representational_state_transfer)
 interface to your Rails models.
 
 # Installation
 
     gem install standardapi
 
-In your Gemfile:
+In your `Gemfile`:
 
     gem 'standardapi', require: 'standard_api'
 
-In `config/application.rb:
+Optionally in `config/application.rb`:
 
-    require_relative 'boot'
-
-    require 'rails/all'
-    require 'standard_api/middleware/query_encoding'
-
-    # Require the gems listed in Gemfile, including any gems
-    # you've limited to :test, :development, or :production.
-    Bundler.require(*Rails.groups)
-
-    module Tester
+    module MyApplication
       class Application < Rails::Application
         # Initialize configuration defaults for originally generated Rails version.
-        config.load_defaults 5.2
+        config.load_defaults 7.0
 
-        # Settings in config/environments/* take precedence over those specified here.
-        # Application configuration can go into files in config/initializers
-        # -- all .rb files in that directory are automatically loaded after loading
-        # the framework and any gems in your application.
+        # QueryEncoding middleware intercepts and parses the query string
+        # as MessagePack if the `Query-Encoding` header is set to `application/msgpack`
+        # which allows GET request with types as opposed to all values being interpeted
+        # as strings
         config.middleware.insert_after Rack::MethodOverride, StandardAPI::Middleware::QueryEncoding
       end
     end
@@ -41,66 +32,96 @@ StandardAPI is a module that can be included into any controller to expose a API
 for. Alternatly, it can be included into `ApplicationController`, giving all
 inherited controllers an exposed API.
 
-    class ApplicationController < ActiveController::Base
-        include StandardAPI::Controller
-
-    end
-
-By default any paramaters passed to update and create are whitelisted with by
-the method named after the model the controller represents. For example, the
-following will only allow the `caption` attribute of the `Photo` model to be
-updated.
-
     class PhotosController < ApplicationController
       include StandardAPI
       
+      # Allowed paramaters
+      # By default any paramaters passed to update and create are whitelisted by
+      # the method named after the model the controller represents. For example,
+      # the following will only allow the `caption` attribute of the `Photo`
+      # model to be set on update or create.
       def photo_params
         [:caption]
       end
+      
+      # Allowed orderings
+      # The ordering is whitelisted as well, you will mostly likely want to
+      # ensure indexes have been created on these columns. In this example the
+      # response can be ordered by any permutation of `id`, `created_at`, and
+      # `updated_at`.
+      def photo_orders
+        [:id, :created_at, :updated_at]
+      end
+      
+      # Allowed includes
+      # Similarly, the includes (including of relationships in the reponse) are
+      # whitelisted. Note how includes can also support nested includes. In this
+      # case when including the author, the photos that the author took can also
+      # be included.
+      def photo_includes
+        { author: [:photos] }
+      end
     end
 
-If greater control of the allowed paramaters is required, the `model_params`
-method can be overridden. It simply returns a set of `StrongParameters`.
+##### Access Control List
 
-    class PhotosController < ApplicationController
-      include StandardAPI
-      
-      def model_params
-        if @photo.author == current_user
-          [:caption]
-        else
-          [:comment]
-        end
-      end
+For greater control of the allowed paramaters and nesting of paramaters
+`StandardAPI::AccessControlList` is available. To use it include it in your base
+controller:
+
+    class ApplicationController
+        include StandardAPI::Control
+        include StandardAPI::AccessControlList
     end
 
-Similarly, the ordering and includes (including of relationships in the reponse)
-is whitelisted as well.
+Then create an ACL file for each model you want in `app/controllers/acl`.
 
-Full Example:
+Taking the above example we would remove the `photo_*` methods and create the
+following files:
 
-    class PhotosController < ApplicationController
-      including StandardAPI
+`app/controllers/acl/photo_acl.rb`:
 
-      # Allowed paramaters
-      def photo_params
-        [:caption]
+    module PhotoACL
+      # Allowed attributes
+      def attributes
+        [ :caption ]
       end
-
-      # Allowed orderings
-      def photo_orders
-        [:id, :created_at, :updated_at]
+      
+      # Allowed saving / creating nested attributes
+      def nested
+        [ :camera ]
       end
-
+      
+      # Allowed orders
+      def orders
+        [ :id, :created_at, :updated_at ]
+      end
+      
       # Allowed includes
-      def photo_includes
-        { author: [:photos] }
+      def includes
+        [ :author ]
       end
+    end
 
+`app/controllers/acl/author_acl.rb`:
+
+    module AuthorACL
+      def includes
+        [ :photos ]
+      end
     end
 
-Note how includes can also support nested includes. So in this case when
-including the author, the photos that the author took can also be included.
+All of these methods are optional and will be included in ApplicationController
+for StandardAPI to determine allowed attributes, nested attributes, orders and
+includes.
+
+`includes` now returns a shallow Array, StandardAPI can how determine including
+an `author` and the author's `photos` is allowed by looking at what includes are
+allowed on photo and author.
+
+The `nested` function tells StandardAPI what relations on `Photo` are allowed to
+be set with the API and will determine what attributes are allowed by looking
+for a `camera_acl` file.
 
 # API Usage
 Resources can be queried via REST style end points
@@ -208,7 +229,7 @@ And example contoller and it's tests.
         # The mask is then applyed to all actions when querring ActiveRecord
         # Will only allow photos that have id one. For more on the syntax see
         # the activerecord-filter gem.
-        def current_mask
+        def mask_for(table_name)
             { id: 1 }
         end
 
@@ -231,3 +252,4 @@ StandardAPI Resource Interface
 | `/models?where[id][]=1&where[id][]=2` | `{ where: { id: [1,2] } }` | `SELECT * FROM models WHERE id IN (1, 2)` | `[{ id: 1 }, { id: 2 }]` |
 
 
+

data/lib/standard_api/access_control_list.rb

@@ -56,7 +56,7 @@ module StandardAPI
     end
 
     def filter_model_params(model_params, model, id: nil, allow_id: nil)
-      permitted_params = if self.respond_to?("#{model_name(model)}_attributes", true)
+      permitted_params = if model_params && self.respond_to?("#{model_name(model)}_attributes", true)
         permits = self.send("#{model_name(model)}_attributes")
 
         allow_id ? model_params.permit(permits, :id) : model_params.permit(permits)
@@ -67,7 +67,7 @@ module StandardAPI
       if self.respond_to?("nested_#{model_name(model)}_attributes", true)
         self.send("nested_#{model_name(model)}_attributes").each do |relation|
           relation = model.reflect_on_association(relation)
-          attributes_key = "#{relation.name}_attributes"
+          attributes_key = "#{relation.name}"
 
           if model_params.has_key?(attributes_key)
             filter_method = "filter_#{relation.klass.base_class.model_name.singular}_params"
@@ -77,15 +77,49 @@ module StandardAPI
               permitted_params["#{relation.name.to_s.singularize}_ids"] = model_params[attributes_key].map{|a| a['id']}
             elsif self.respond_to?(filter_method, true)
               permitted_params[attributes_key] = if model_params[attributes_key].is_a?(Array)
-                model_params[attributes_key].map { |i| self.send(filter_method, i, allow_id: true) }
+                models = relation.klass.find(model_params[attributes_key].map { |i| i['id'] }.compact)
+                model_params[attributes_key].map { |i|
+                  i_params = self.send(filter_method, i, allow_id: true)
+                  if i_params['id']
+                    r = models.find { |r| r.id == i_params['id'] }
+                    r.assign_attributes(i_params)
+                    r
+                  else
+                    relation.klass.new(i_params)
+                  end
+                }
               else
-                self.send(filter_method, model_params[attributes_key], allow_id: true)
+                i_params = self.send(filter_method, model_params[attributes_key], allow_id: true)
+                if i_params['id']
+                  r = relation.klass.find(i_params['id'])
+                  r.assign_attributes(i_params)
+                  r
+                else
+                  relation.klass.new(i_params)
+                end
               end
             else
               permitted_params[attributes_key] = if model_params[attributes_key].is_a?(Array)
-                model_params[attributes_key].map { |i| filter_model_params(i, relation.klass.base_class, allow_id: true) }
+                models = relation.klass.find(model_params[attributes_key].map { |i| i['id'] }.compact)
+                model_params[attributes_key].map { |i|
+                  i_params = filter_model_params(i, relation.klass.base_class, allow_id: true)
+                  if i_params['id']
+                    r = models.find { |r| r.id == i_params['id'] }
+                    r.assign_attributes(i_params)
+                    r
+                  else
+                    relation.klass.new(i_params)
+                  end
+                }
               else
-                filter_model_params(model_params[attributes_key], relation.klass.base_class, allow_id: true)
+                i_params = filter_model_params(model_params[attributes_key], relation.klass.base_class, allow_id: true)
+                if i_params['id']
+                  r = relation.klass.find(i_params['id'])
+                  r.assign_attributes(i_params)
+                  r
+                else
+                  relation.klass.new(i_params)
+                end
               end
             end
           elsif relation.collection? && model_params.has_key?("#{relation.name.to_s.singularize}_ids")

data/lib/standard_api/controller.rb

@@ -1,12 +1,13 @@
 module StandardAPI
   module Controller
 
-    delegate :preloadables, to: :helpers
+    delegate :preloadables, :model_partial, to: :helpers
 
     def self.included(klass)
       klass.helper_method :includes, :orders, :model, :models, :resource_limit,
         :default_limit
       klass.before_action :set_standardapi_headers
+      klass.before_action :includes, except: [:destroy, :add_resource, :remove_resource]
       klass.rescue_from StandardAPI::ParameterMissing, with: :bad_request
       klass.rescue_from StandardAPI::UnpermittedParameters, with: :bad_request
       klass.append_view_path(File.join(File.dirname(__FILE__), 'views'))
@@ -73,7 +74,7 @@ module StandardAPI
         end
       else
         if request.format == :html
-          render :edit, status: :bad_request
+          render :new, status: :bad_request
         else
           render :show, status: :bad_request
         end
@@ -96,53 +97,97 @@ module StandardAPI
           render :show, status: :ok
         end
       else
-        render :show, status: :bad_request
+        if request.format == :html
+          render :edit, status: :bad_request
+        else
+          render :show, status: :bad_request
+        end
       end
     end
 
     def destroy
-      resources.find(params[:id]).destroy!
+      records = resources.find(params[:id].split(','))
+      model.transaction { records.each(&:destroy!) }
+
       head :no_content
     end
 
     def remove_resource
       resource = resources.find(params[:id])
       association = resource.association(params[:relationship])
-      subresource = association.klass.find_by_id(params[:resource_id])
 
-      if(subresource)
-        if association.is_a? ActiveRecord::Associations::HasManyAssociation
-          resource.send(params[:relationship]).delete(subresource)
-        else
-          resource.send("#{params[:relationship]}=", nil)
+      result = case association
+      when ActiveRecord::Associations::CollectionAssociation
+        association.delete(association.klass.find(params[:resource_id]))
+      when ActiveRecord::Associations::SingularAssociation
+        if resource.send(params[:relationship])&.id&.to_s == params[:resource_id]
+          resource.update(params[:relationship] => nil)
         end
-        head :no_content
-      else
-        head :not_found
       end
+      head result ? :no_content : :not_found
     end
 
     def add_resource
       resource = resources.find(params[:id])
       association = resource.association(params[:relationship])
-      subresource = association.klass.find_by_id(params[:resource_id])
+      subresource = association.klass.find(params[:resource_id])
 
-      if(subresource)
-        if association.is_a? ActiveRecord::Associations::HasManyAssociation
-          result = resource.send(params[:relationship]) << subresource
-        else
-          result = resource.send("#{params[:relationship]}=", subresource)
-        end
-        head result ? :created : :bad_request
+      result = case association
+      when ActiveRecord::Associations::CollectionAssociation
+        association.concat(subresource)
+      when ActiveRecord::Associations::SingularAssociation
+        resource.update(params[:relationship] => subresource)
+      end
+      head result ? :created : :bad_request
+    rescue ActiveRecord::RecordNotUnique
+      render json: {errors: [
+        "Relationship between #{resource.class.name} and #{subresource.class.name} violates unique constraints"
+      ]}, status: :bad_request
+    end
+    
+    def create_resource
+      resource = resources.find(params[:id])
+      association = resource.association(params[:relationship])
+    
+      subresource_params = if self.respond_to?("filter_#{model_name(association.klass)}_params", true)
+        self.send("filter_#{model_name(association.klass)}_params", params[model_name(association.klass)], id: params[:id])
+      elsif self.respond_to?("#{association.klass.model_name.singular}_params", true)
+        params.require(association.klass.model_name.singular).permit(self.send("#{association.klass.model_name.singular}_params"))
+      elsif self.respond_to?("filter_model_params", true)
+        filter_model_params(params[model_name(association.klass)], association.klass.base_class)
       else
-        head :not_found
+        ActionController::Parameters.new
+      end
+    
+      subresource = association.klass.new(subresource_params)
+    
+      result = case association
+      when ActiveRecord::Associations::CollectionAssociation
+        association.concat(subresource)
+      when ActiveRecord::Associations::SingularAssociation
+        resource.update(params[:relationship] => subresource)
       end
 
+      partial = model_partial(subresource)
+      partial_record_name = partial.split('/').last.to_sym
+      if result
+        render partial: partial, locals: {partial_record_name => subresource}, status: :created
+      else
+        render partial: partial, locals: {partial_record_name => subresource}, status: :bad_request
+      end
     end
 
+    def mask
+      @mask ||= Hash.new do |hash, key|
+        hash[key] = mask_for(key)
+      end
+    end
+    
     # Override if you want to support masking
-    def current_mask
-      @current_mask ||= {}
+    def mask_for(table_name)
+      # case table_name
+      # when 'accounts'
+      # end
     end
 
     module ClassMethods
@@ -165,7 +210,11 @@ module StandardAPI
     end
 
     def model
-      self.class.model
+      if action_name&.end_with?('_resource')
+        self.class.model.reflect_on_association(params[:relationship]).klass
+      else
+        self.class.model
+      end
     end
 
     def models
@@ -215,8 +264,7 @@ module StandardAPI
     end
 
     def resources
-      mask = current_mask[model.table_name] || current_mask[model.table_name.to_sym]
-      query = model.filter(params['where']).filter(mask)
+      query = self.class.model.filter(params['where']).filter(mask[self.class.model.table_name.to_sym])
 
       if params[:distinct_on]
         query = query.distinct_on(params[:distinct_on])
@@ -234,9 +282,29 @@ module StandardAPI
 
       query
     end
+    
+    def nested_includes(model, attributes)
+      includes = {}
+      attributes&.each do |key, value|
+        if association = model.reflect_on_association(key)
+          includes[key] = nested_includes(association.klass, value)
+        end
+      end
+      includes
+    end
 
     def includes
-      @includes ||= StandardAPI::Includes.sanitize(params[:include], model_includes)
+      @includes ||= if params[:include]
+        StandardAPI::Includes.sanitize(params[:include], model_includes)
+      else
+        {}
+      end
+      
+      if (action_name == 'create' || action_name == 'update') && model && params.has_key?(model.model_name.singular)
+        @includes.reverse_merge!(nested_includes(model, params[model.model_name.singular].to_unsafe_h))
+      end
+      
+      @includes
     end
 
     def required_orders

data/lib/standard_api/helpers.rb

@@ -1,5 +1,11 @@
 module StandardAPI
   module Helpers
+    
+    def serialize_attribute(json, record, name, type)
+      value = record.send(name)
+      
+      json.set! name, type == :binary ? value&.unpack1('H*') : value
+    end
 
     def preloadables(record, includes)
       preloads = {}
@@ -97,13 +103,13 @@ module StandardAPI
 
       case association = record.class.reflect_on_association(relation)
       when ActiveRecord::Reflection::HasManyReflection, ActiveRecord::Reflection::HasAndBelongsToManyReflection, ActiveRecord::Reflection::HasOneReflection, ActiveRecord::Reflection::ThroughReflection
-        "#{record.model_name.cache_key}/#{record.id}/#{includes_to_cache_key(relation, subincludes)}-#{timestamp.utc.to_s(record.cache_timestamp_format)}"
+        "#{record.model_name.cache_key}/#{record.id}/#{includes_to_cache_key(relation, subincludes)}-#{timestamp.utc.to_fs(record.cache_timestamp_format)}"
       when ActiveRecord::Reflection::BelongsToReflection
         klass = association.options[:polymorphic] ? record.send(association.foreign_type).constantize : association.klass
         if subincludes.empty?
-          "#{klass.model_name.cache_key}/#{record.send(association.foreign_key)}-#{timestamp.utc.to_s(klass.cache_timestamp_format)}"
+          "#{klass.model_name.cache_key}/#{record.send(association.foreign_key)}-#{timestamp.utc.to_fs(klass.cache_timestamp_format)}"
         else
-          "#{klass.model_name.cache_key}/#{record.send(association.foreign_key)}/#{digest_hash(sort_hash(subincludes))}-#{timestamp.utc.to_s(klass.cache_timestamp_format)}"
+          "#{klass.model_name.cache_key}/#{record.send(association.foreign_key)}/#{digest_hash(sort_hash(subincludes))}-#{timestamp.utc.to_fs(klass.cache_timestamp_format)}"
         end
       else
         raise ArgumentError, 'Unkown association type'
@@ -156,7 +162,9 @@ module StandardAPI
 
     def json_column_type(sql_type)
       case sql_type
-      when 'timestamp without time zone'
+      when 'binary', 'bytea'
+        'binary'
+      when /timestamp(\(\d+\))? without time zone/
         'datetime'
       when 'time without time zone'
         'datetime'
@@ -164,9 +172,7 @@ module StandardAPI
         'string'
       when 'json'
         'hash'
-      when 'bigint'
-        'integer'
-      when 'integer'
+      when 'smallint', 'bigint', 'integer'
         'integer'
       when 'jsonb'
         'hash'

data/lib/standard_api/middleware.rb

@@ -0,0 +1,5 @@
+module StandardAPI
+  module Middleware
+    autoload :QueryEncoding, 'standard_api/middleware/query_encoding'
+  end
+end

data/lib/standard_api/railtie.rb

@@ -20,4 +20,21 @@ module StandardAPI
     end
 
   end
+  
+  module AutosaveByDefault
+    def self.included base
+      base.class_eval do
+        class <<self  
+          alias_method :standard_build, :build
+        end
+      
+        def self.build(model, name, scope, options, &block)
+          options[:autosave] = true
+          standard_build(model, name, scope, options, &block)
+        end
+      end
+    end
+  end
+
+  ::ActiveRecord::Associations::Builder::Association.include(AutosaveByDefault)
 end

data/lib/standard_api/route_helpers.rb

@@ -22,11 +22,38 @@ module StandardAPI
       options = resources.extract_options!.dup
 
       resources(*resources, options) do
-        get :schema, on: :collection
-        get :calculate, on: :collection
-        delete ':relationship/:resource_id' => :remove_resource, on: :member
-        post ':relationship/:resource_id' => :add_resource, on: :member
-        block.call if block
+        block.call if block # custom routes take precedence over standardapi routes
+
+        available_actions = if only = parent_resource.instance_variable_get(:@only)
+          Array(only).map(&:to_sym)
+        else
+          if parent_resource.instance_variable_get(:@api_only)
+            [:index, :create, :show, :update, :destroy]
+          else
+            [:index, :create, :new, :show, :update, :destroy, :edit]
+          end + [ :schema, :calculate, :add_resource, :remove_resource, :create_resource ]
+        end
+
+        actions = if except = parent_resource.instance_variable_get(:@except)
+          available_actions - Array(except).map(&:to_sym)
+        else
+          available_actions
+        end
+
+        get :schema, on: :collection if actions.include?(:schema)
+        get :calculate, on: :collection if actions.include?(:calculate)
+
+        if actions.include?(:add_resource)
+          post ':relationship/:resource_id' => :add_resource, on: :member
+        end
+        
+        if actions.include?(:create_resource)
+          post ':relationship' => :create_resource, on: :member
+        end
+
+        if actions.include?(:remove_resource)
+          delete ':relationship/:resource_id' => :remove_resource, on: :member
+        end
       end
     end
 
@@ -51,10 +78,33 @@ module StandardAPI
       options = resource.extract_options!.dup
 
       resource(*resource, options) do
-        get :schema, on: :collection
-        get :calculate, on: :collection
-        delete ':relationship/:resource_id' => :remove_resource, on: :member
-        post ':relationship/:resource_id' => :add_resource, on: :member
+        available_actions = if only = parent_resource.instance_variable_get(:@only)
+          Array(only).map(&:to_sym)
+        else
+          if parent_resource.instance_variable_get(:@api_only)
+            [:index, :create, :show, :update, :destroy]
+          else
+            [:index, :create, :new, :show, :update, :destroy, :edit]
+          end + [ :schema, :calculate, :add_resource, :remove_resource ]
+        end
+
+        actions = if except = parent_resource.instance_variable_get(:@except)
+          available_actions - Array(except).map(&:to_sym)
+        else
+          available_actions
+        end
+
+        get :schema, on: :collection if actions.include?(:schema)
+        get :calculate, on: :collection if actions.include?(:calculate)
+
+        if actions.include?(:add_resource)
+          post ':relationship/:resource_id' => :add_resource, on: :member
+        end
+
+        if actions.include?(:remove_resource)
+          delete ':relationship/:resource_id' => :remove_resource, on: :member
+        end
+
         block.call if block
       end
     end

data/lib/standard_api/test_case/calculate_tests.rb

@@ -59,22 +59,23 @@ module StandardAPI
         #   calculations
       end
 
-      test '#calculate.json mask' do
+      test '#calculate.json mask_for' do
         # This is just to instance @controller
         get resource_path(:calculate)
 
-        # If #current_mask isn't defined by StandardAPI we don't know how to
-        # test other's implementation of #current_mask. Return and don't test.
-        return if @controller.method(:current_mask).owner != StandardAPI
+        # If #mask isn't defined by StandardAPI we don't know how to
+        # test other's implementation of #mask_for. Return and don't test.
+        return if @controller.method(:mask_for).owner != StandardAPI
 
         m = create_model
 
-        @controller.current_mask[plural_name] = { id: m.id + 100 }
+        @controller.define_singleton_method(:mask_for) do |table_name|
+          { id: m.id + 100 }
+        end
         selects = [{ count: :id}, { maximum: :id }, { minimum: :id }, { average: :id }]
         get :calculate, select: selects, format: 'json'
         assert_response :ok
         assert_equal [[0, nil, nil, nil]], @controller.instance_variable_get('@calculations')
-        @controller.current_mask.delete(plural_name)
       end
 
     end