lib/kojac/kojac_rails.rb in kojac-0.16.0 vs lib/kojac/kojac_rails.rb in kojac-0.17.0
- old
+ new
@@ -1,6 +1,7 @@
require 'pundit'
+require 'standard_exceptions'
Kernel.class_eval do
def key_join(aResource,aId=nil,aAssoc=nil)
result = aResource
if aId
@@ -195,10 +196,12 @@
class NotFoundError < StandardError
end
module ControllerOpMethods
+ include ::StandardExceptions::Methods
+
def self.included(aClass)
#aClass.send :extend, ClassMethods
# aClass.send :include, ActiveSupport::Callbacks
# aClass.send :define_callbacks, :update_op, :scope => [:kind, :name]
end
@@ -305,17 +308,21 @@
status: "Forbidden",
message: "User does not have permission for #{op[:verb]} operation on #{model_class.to_s}.#{assoc}"
}
end
else # create operation on a resource eg. {verb: "CREATE", key: "order_items"} but may have embedded association values
- if model_class.ring_can?(:create,ring)
+ if model_class.ring_can?(ring,:create)
policy = Pundit.policy!(current_user,model_class)
p_fields = policy.permitted_fields(:write)
- p_fields = op[:value].permit( *p_fields )
+ # see the 20171213-Permissions branch for work here
+ p_fields = op[:value].reverse_merge!(policy.defaults).permit( *p_fields )
model_class.write_op_filter(current_user,p_fields,op[:value]) if model_class.respond_to? :write_op_filter
- item = model_class.create!(p_fields)
+ item = model_class.new(p_fields)
+ policy = Pundit.policy!(current_user,item)
+ forbidden! unless policy.create?
+ item.save!
options_include = options['include'] || []
included_assocs = []
p_assocs = policy.permitted_associations(:write)
if p_assocs
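Review bot: `reverse_merge!` on the new line 34 mutates `op[:value]` in place, so the values from `policy.defaults` are folded into the request hash itself and then reach `write_op_filter` on line 35 as though the client had sent them; the association loop in the next hunk reads the same mutated hash via `op[:value][a]`, so a default that happens to name an association would be treated as client-supplied input. The non-destructive form keeps the raw request separate from the policy defaults: `p_fields = op[:value].reverse_merge(policy.defaults).permit( *p_fields )`. The per-instance `forbidden! unless policy.create?` before `item.save!` is the right place for the check, and it presumably relies on `forbidden!` coming from the `StandardExceptions::Methods` mixin added earlier in this diff. The enclosing method starts and ends outside the hunk.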
@@ -323,9 +330,10 @@
next unless (a_value = op[:value][a]) || options_include.include?(a.to_s)
create_on_association(item,a,a_value,ring)
included_assocs << a.to_sym
end
end
+ forbidden! unless policy.create?
item.save!
result_key = op[:result_key] || item.kojac_key
merge_model_into_results(item,result_key,:include => included_assocs)
else
error = {
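Review bot: The second `forbidden! unless policy.create?` on line 51 runs after the parent was already persisted by the earlier `item.save!` and after `create_on_association` has written child records, so a denial here leaves the parent and its associations in the database unless a surrounding transaction rolls them back — none is visible in the hunk. Either wrap the whole create path in `model_class.transaction do ... end` so that `forbidden!` unwinds the writes, or evaluate the policy once on the unsaved item before the first save with associations built rather than created. If the re-check is intentional (association values may change the decision), say so in place: `# re-check after associations are attached; only safe inside a transaction`. The enclosing method continues past the end of the hunk.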
\ No newline at end of file