module JSONAPI
module Authorization
# An authorizer is a class responsible for linking JSONAPI operations to
# your choice of authorization mechanism.
#
# This class uses Pundit for authorization. It does not yet support all
# the available operations — you can use your own authorizer class instead
# if you have different needs. See the README.md for configuration
# information.
#
# Fetching records is the concern of +PunditScopedResource+ which in turn
# affects which records end up being passed here.
class DefaultPunditAuthorizer
attr_reader :user
# Creates a new DefaultPunditAuthorizer instance
#
# ==== Parameters
#
# * +context+ - The context passed down from the controller layer
def initialize(context)
@user = JSONAPI::Authorization.configuration.user_context(context)
end
# GET /resources
#
# ==== Parameters
#
# * +source_class+ - The source class (e.g. +Article+ for +ArticleResource+)
def find(source_class)
::Pundit.authorize(user, source_class, 'index?')
end
# GET /resources/:id
#
# ==== Parameters
#
# * +source_record+ - The record to show
def show(source_record)
::Pundit.authorize(user, source_record, 'show?')
end
# GET /resources/:id/relationships/other-resources
# GET /resources/:id/relationships/another-resource
#
# A query for a +has_one+ or a +has_many+ association
#
# ==== Parameters
#
# * +source_record+ - The record whose relationship is queried
# * +related_record+ - The associated +has_one+ record to show or +nil+
# if the associated record was not found. For a +has_many+ association,
# this will always be +nil+
def show_relationship(source_record, related_record)
::Pundit.authorize(user, source_record, 'show?')
::Pundit.authorize(user, related_record, 'show?') unless related_record.nil?
end
# GET /resources/:id/another-resource
#
# A query for a record through a +has_one+ association
#
# ==== Parameters
#
# * +source_record+ - The record whose relationship is queried
# * +related_record+ - The associated record to show or +nil+ if the
# associated record was not found
def show_related_resource(source_record, related_record)
::Pundit.authorize(user, source_record, 'show?')
::Pundit.authorize(user, related_record, 'show?') unless related_record.nil?
end
# GET /resources/:id/other-resources
#
# A query for records through a +has_many+ association
#
# ==== Parameters
#
# * +source_record+ - The record whose relationship is queried
def show_related_resources(source_record)
::Pundit.authorize(user, source_record, 'show?')
end
# PATCH /resources/:id
#
# ==== Parameters
#
# * +source_record+ - The record to be modified
# * +new_related_records+ - An array of records to be associated to the
# +source_record+. This will contain the records specified in the
# "relationships" key in the request
#--
# TODO: Should probably take old records as well
def replace_fields(source_record, new_related_records)
::Pundit.authorize(user, source_record, 'update?')
new_related_records.each do |record|
::Pundit.authorize(user, record, 'update?')
end
end
# POST /resources
#
# ==== Parameters
#
# * +source_class+ - The class of the record to be created
# * +related_records+ - An array of records to be associated to the new
# record. This will contain the records specified in the
# "relationships" key in the request
def create_resource(source_class, related_records)
::Pundit.authorize(user, source_class, 'create?')
related_records.each do |record|
::Pundit.authorize(user, record, 'update?')
end
end
# DELETE /resources/:id
#
# ==== Parameters
#
# * +source_record+ - The record to be removed
def remove_resource(source_record)
::Pundit.authorize(user, source_record, 'destroy?')
end
# PATCH /resources/:id/relationships/another-resource
#
# A replace request for a +has_one+ association
#
# ==== Parameters
#
# * +source_record+ - The record whose relationship is modified
# * +old_related_record+ - The current associated record
# * +new_related_record+ - The new record replacing the +old_record+
# association, or +nil+ if the association is to be cleared
def replace_to_one_relationship(source_record, old_related_record, new_related_record)
raise NotImplementedError
end
# POST /resources/:id/relationships/other-resources
#
# A request for adding to a +has_many+ association
#
# ==== Parameters
#
# * +source_record+ - The record whose relationship is modified
# * +new_related_records+ - The new records to be added to the association
def create_to_many_relationship(source_record, new_related_records)
raise NotImplementedError
end
# PATCH /resources/:id/relationships/other-resources
#
# A replace request for a +has_many+ association
#
# ==== Parameters
#
# * +source_record+ - The record whose relationship is modified
# * +new_related_records+ - The new records replacing the entire +has_many+
# association
#--
# TODO: Should probably take old records as well
def replace_to_many_relationship(source_record, new_related_records)
raise NotImplementedError
end
# DELETE /resources/:id/relationships/other-resources
#
# A request to deassociate elements of a +has_many+ association
#
# NOTE: this is called once per related record, not all at once
#
# ==== Parameters
#
# * +source_record+ - The record whose relationship is modified
# * +related_record+ - The record which will be deassociatied from +source_record+
def remove_to_many_relationship(source_record, related_record)
raise NotImplementedError
end
# DELETE /resources/:id/relationships/another-resource
#
# A request to deassociate a +has_one+ association
#
# ==== Parameters
#
# * +source_record+ - The record whose relationship is modified
# * +related_record+ - The record which will be deassociatied from +source_record+
def remove_to_one_relationship(source_record, related_record)
raise NotImplementedError
end
# Any request including ?include=other-resources
#
# This will be called for each has_many relationship if the include goes
# deeper than one level until some authorization fails or the include
# directive has been travelled completely.
#
# We can't pass all the records of a +has_many+ association here due to
# performance reasons, so the class is passed instead.
#
# ==== Parameters
#
# * +source_record+ — The source relationship record, e.g. an Article in
# article.comments check
# * +record_class+ - The underlying record class for the relationships
# resource.
def include_has_many_resource(source_record, record_class)
::Pundit.authorize(user, record_class, 'index?')
end
# Any request including ?include=another-resource
#
# This will be called for each has_one relationship if the include goes
# deeper than one level until some authorization fails or the include
# directive has been travelled completely.
#
# ==== Parameters
#
# * +source_record+ — The source relationship record, e.g. an Article in
# article.author check
# * +related_record+ - The associated record to return
def include_has_one_resource(source_record, related_record)
::Pundit.authorize(user, related_record, 'show?')
end
end
end
end