Class: AgentCode::ResourcesController

Inherits:
ActionController::API
  • Object
show all
Includes:
Pundit::Authorization
Defined in:
lib/agentcode/controllers/resources_controller.rb

Overview

Global CRUD controller that handles all registered models. Mirrors the Laravel GlobalController exactly.

Routes pass the model slug via route defaults, and this controller resolves the appropriate ActiveRecord class to operate on.

Constant Summary collapse

@@organization_path_cache =

Cache for auto-detected organization paths (class-level, survives across requests)

{}

Instance Method Summary collapse

Instance Method Details

#destroyObject

DELETE /api/slug/:id



141
142
143
144
145
146
147
148
149
150
151
152
 
# File 'lib/agentcode/controllers/resources_controller.rb', line 141

def destroy
  record = find_record
  authorize record, :destroy?, policy_class: policy_for(record)

  if record.respond_to?(:discard!)
    record.discard!
  else
    record.destroy!
  end

  head :no_content
end

#force_deleteObject

DELETE /api/slug/:id/force-delete



190
191
192
193
194
195
196
197
 
# File 'lib/agentcode/controllers/resources_controller.rb', line 190

def force_delete
  record = model_class.discarded.find(params[:id])
  authorize record, :force_delete?, policy_class: policy_for(record)

  record.destroy!

  head :no_content
end

#indexObject

GET /api/slug



27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
 
# File 'lib/agentcode/controllers/resources_controller.rb', line 27

def index
  authorize model_class, :index?, policy_class: policy_for(model_class)

  builder = QueryBuilder.new(model_class, params: params)
  apply_organization_scope(builder)
  builder.build

  per_page = params[:per_page]
  pagination_enabled = model_class.try(:pagination_enabled) || false

  if per_page.present? || pagination_enabled
    result = builder.paginate
    set_pagination_headers(result[:pagination])
    render json: serialize_collection(result[:items])
  else
    render json: serialize_collection(builder.to_scope)
  end
end

#nestedObject

POST /api/nested



204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
 
# File 'lib/agentcode/controllers/resources_controller.rb', line 204

def nested
  operations = validate_nested_structure
  return if performed?

  nested_config = AgentCode.config.nested
  max_ops = nested_config[:max_operations]

  if max_ops && operations.length > max_ops
    return render json: {
      message: "Too many operations.",
      errors: { operations: ["Maximum #{max_ops} operations allowed."] }
    }, status: :unprocessable_entity
  end

  allowed_models = nested_config[:allowed_models]
  if allowed_models.is_a?(Array)
    operations.each_with_index do |op, index|
      unless allowed_models.include?(op["model"])
        return render json: {
          message: "Operation not allowed.",
          errors: { "operations.#{index}.model" => ["Model \"#{op['model']}\" is not allowed for nested operations."] }
        }, status: :unprocessable_entity
      end
    end
  end

  # Validate and authorize each operation
  validated_per_op = []
  auth_results = []

  operations.each_with_index do |operation, index|
    validated = validate_nested_operation(operation, index)
    return if performed?
    validated_per_op << validated

    auth_result = authorize_nested_operation(operation, validated, index)
    return if performed?
    auth_results << auth_result
  end

  # Execute all operations in a transaction
  results = execute_nested_operations(operations, validated_per_op, auth_results)
  render json: { results: results }
end

#restoreObject

POST /api/slug/:id/restore



179
180
181
182
183
184
185
186
187
 
# File 'lib/agentcode/controllers/resources_controller.rb', line 179

def restore
  record = model_class.discarded.find(params[:id])
  authorize record, :restore?, policy_class: policy_for(record)

  record.undiscard!
  record.reload

  render json: serialize_record(record)
end

#showObject

GET /api/slug/:id



82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
 
# File 'lib/agentcode/controllers/resources_controller.rb', line 82

def show
  record = find_record
  authorize record, :show?, policy_class: policy_for(record)

  # Apply includes if requested
  if params[:include].present?
    auth_response = authorize_includes
    return auth_response if auth_response

    builder = QueryBuilder.new(model_class, params: params)
    builder.instance_variable_set(:@scope, model_class.where(id: record.id))
    apply_organization_scope(builder)
    builder.build
    record = builder.to_scope.first!
  end

  render json: serialize_record(record)
end

#storeObject

POST /api/slug



47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
 
# File 'lib/agentcode/controllers/resources_controller.rb', line 47

def store
  authorize model_class, :create?, policy_class: policy_for(model_class)

  data = params_hash

  # Strip organization_id — it's auto-set by the framework
  data.delete("organization_id") if current_organization

  permitted_fields = resolve_permitted_fields(current_user, "create")

  # Check for forbidden fields → 403
  forbidden = find_forbidden_fields(data, permitted_fields)
  if forbidden.any?
    return render json: {
      message: "You are not allowed to set the following field(s): #{forbidden.join(', ')}"
    }, status: :forbidden
  end

  model_instance = model_class.new
  validation = model_instance.validate_for_action(
    data, permitted_fields: permitted_fields, organization: current_organization
  )

  unless validation[:valid]
    return render json: { errors: validation[:errors] }, status: :unprocessable_entity
  end

  validated = validation[:validated]
  add_organization_to_data(validated)

  record = model_class.create!(validated)
  render json: serialize_record(record), status: :created
end

#trashedObject

GET /api/slug/trashed



159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
 
# File 'lib/agentcode/controllers/resources_controller.rb', line 159

def trashed
  authorize model_class, :view_trashed?, policy_class: policy_for(model_class)

  builder = QueryBuilder.new(model_class.discarded, params: params)
  apply_organization_scope(builder)
  builder.build

  per_page = params[:per_page]
  pagination_enabled = model_class.try(:pagination_enabled) || false

  if per_page.present? || pagination_enabled
    result = builder.paginate
    set_pagination_headers(result[:pagination])
    render json: serialize_collection(result[:items])
  else
    render json: serialize_collection(builder.to_scope)
  end
end

#updateObject

PUT /api/slug/:id



102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
 
# File 'lib/agentcode/controllers/resources_controller.rb', line 102

def update
  record = find_record
  authorize record, :update?, policy_class: policy_for(record)

  data = params_hash

  # Reject organization_id changes — cross-tenant reassignment is not allowed
  if current_organization && data.key?("organization_id")
    return render json: {
      message: "You are not allowed to change the organization_id."
    }, status: :forbidden
  end

  permitted_fields = resolve_permitted_fields(current_user, "update")

  # Check for forbidden fields → 403
  forbidden = find_forbidden_fields(data, permitted_fields)
  if forbidden.any?
    return render json: {
      message: "You are not allowed to set the following field(s): #{forbidden.join(', ')}"
    }, status: :forbidden
  end

  model_instance = model_class.new
  validation = model_instance.validate_for_action(
    data, permitted_fields: permitted_fields, organization: current_organization
  )

  unless validation[:valid]
    return render json: { errors: validation[:errors] }, status: :unprocessable_entity
  end

  record.update!(validation[:validated])
  record.reload

  render json: serialize_record(record)
end