Class: JSONAPI::Authorization::DefaultPunditAuthorizer

Inherits: Object

Defined in: lib/jsonapi/authorization/default_pundit_authorizer.rb

Overview

An authorizer is a class responsible for linking JSONAPI operations to your choice of authorization mechanism.

This class uses Pundit for authorization. It does not yet support all the available operations — you can use your own authorizer class instead if you have different needs. See the README.md for configuration information.

Fetching records is the concern of PunditScopedResource which in turn affects which records end up being passed here.


Constructor Details

#initialize(context) ⇒ DefaultPunditAuthorizer

Creates a new DefaultPunditAuthorizer instance

Parameters

  • context - The context passed down from the controller layer

# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 21

def initialize(context)
  @user = JSONAPI::Authorization.configuration.user_context(context)
end

Instance Attribute Details

#user ⇒ Object (readonly)

Returns the value of attribute user.

# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 14

def user
  @user
end

Instance Method Details

#create_resource(source_class, related_records) ⇒ Object

POST /resources

Parameters

  • source_class - The class of the record to be created

  • related_records - An array of records to be associated to the new record. This will contain the records specified in the “relationships” key in the request

# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 110

def create_resource(source_class, related_records)
  ::Pundit.authorize(user, source_class, 'create?')

  related_records.each do |record|
    ::Pundit.authorize(user, record, 'update?')
  end
end

#create_to_many_relationship(source_record, new_related_records) ⇒ Object

POST /resources/:id/relationships/other-resources

A request for adding to a has_many association

Parameters

  • source_record - The record whose relationship is modified

  • new_related_records - The new records to be added to the association

Raises:

  • (NotImplementedError)

# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 149

def create_to_many_relationship(source_record, new_related_records)
  raise NotImplementedError
end

#find(source_class) ⇒ Object

GET /resources

Parameters

  • source_class - The source class (e.g. Article for ArticleResource)

# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 30

def find(source_class)
  ::Pundit.authorize(user, source_class, 'index?')
end

#include_has_many_resource(source_record, record_class) ⇒ Object

Any request including ?include=other-resources

This will be called for each has_many relationship if the include goes deeper than one level until some authorization fails or the include directive has been travelled completely.

We can’t pass all the records of a has_many association here due to performance reasons, so the class is passed instead.

Parameters

  • source_record - The source relationship record, e.g. an Article in an article.comments check

  • record_class - The underlying record class for the relationship's resource

# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 209

def include_has_many_resource(source_record, record_class)
  ::Pundit.authorize(user, record_class, 'index?')
end

#include_has_one_resource(source_record, related_record) ⇒ Object

Any request including ?include=another-resource

This will be called for each has_one relationship if the include goes deeper than one level until some authorization fails or the include directive has been travelled completely.

Parameters

  • source_record - The source relationship record, e.g. an Article in an article.author check

  • related_record - The associated record to return

# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 224

def include_has_one_resource(source_record, related_record)
  ::Pundit.authorize(user, related_record, 'show?')
end

#remove_resource(source_record) ⇒ Object

DELETE /resources/:id

Parameters

  • source_record - The record to be removed

# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 123

def remove_resource(source_record)
  ::Pundit.authorize(user, source_record, 'destroy?')
end

#remove_to_many_relationship(source_record, related_record) ⇒ Object

DELETE /resources/:id/relationships/other-resources

A request to deassociate elements of a has_many association

NOTE: this is called once per related record, not all at once

Parameters

  • source_record - The record whose relationship is modified

  • related_record - The record which will be deassociated from source_record

Raises:

  • (NotImplementedError)

# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 178

def remove_to_many_relationship(source_record, related_record)
  raise NotImplementedError
end

#remove_to_one_relationship(source_record, related_record) ⇒ Object

DELETE /resources/:id/relationships/another-resource

A request to deassociate a has_one association

Parameters

  • source_record - The record whose relationship is modified

  • related_record - The record which will be deassociated from source_record

Raises:

  • (NotImplementedError)

# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 190

def remove_to_one_relationship(source_record, related_record)
  raise NotImplementedError
end

#replace_fields(source_record, new_related_records) ⇒ Object

PATCH /resources/:id

Parameters

  • source_record - The record to be modified

  • new_related_records - An array of records to be associated to the source_record. This will contain the records specified in the “relationships” key in the request

– TODO: Should probably take old records as well

# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 94

def replace_fields(source_record, new_related_records)
  ::Pundit.authorize(user, source_record, 'update?')

  new_related_records.each do |record|
    ::Pundit.authorize(user, record, 'update?')
  end
end

#replace_to_many_relationship(source_record, new_related_records) ⇒ Object

PATCH /resources/:id/relationships/other-resources

A replace request for a has_many association

Parameters

  • source_record - The record whose relationship is modified

  • new_related_records - The new records replacing the entire has_many association

– TODO: Should probably take old records as well

Raises:

  • (NotImplementedError)

# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 164

def replace_to_many_relationship(source_record, new_related_records)
  raise NotImplementedError
end

#replace_to_one_relationship(source_record, old_related_record, new_related_record) ⇒ Object

PATCH /resources/:id/relationships/another-resource

A replace request for a has_one association

Parameters

  • source_record - The record whose relationship is modified

  • old_related_record - The current associated record

  • new_related_record - The new record replacing the old_record association, or nil if the association is to be cleared

Raises:

  • (NotImplementedError)

# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 137

def replace_to_one_relationship(source_record, old_related_record, new_related_record)
  raise NotImplementedError
end
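The Overview above notes that you can supply your own authorizer when the default's NotImplementedError operations do not fit your needs. As an added example (not code from jsonapi-authorization or Pundit), the class below implements create_to_many_relationship and replace_to_one_relationship with the same Pundit.authorize(user, record, 'query?') pattern the implemented methods use, including the nil case when a to-one association is cleared. Assumed and constructed here: the User, Article and Comment Structs and the owner-or-admin policies stand in for real models and policies, and a minimal Pundit.authorize stand-in is defined only when the gem is not loaded so the file runs offline; in an application you would require 'pundit' and subclass JSONAPI::Authorization::DefaultPunditAuthorizer, which derives user from the controller context instead of taking it directly.

```ruby
# Added example (not jsonapi-authorization or Pundit code). The stand-in below is
# used only when the real Pundit gem is not loaded, so this file runs offline.
unless defined?(Pundit)
  module Pundit
    class NotAuthorizedError < StandardError; end
    # Follows the gem's lookup rule: FooPolicy for a Foo instance or the Foo class.
    def self.authorize(user, record, query)
      name = record.is_a?(Class) ? record.name : record.class.name
      policy = Object.const_get("#{name}Policy").new(user, record)
      raise NotAuthorizedError, "not allowed to #{query} #{name}" unless policy.public_send(query)
      record
    end
  end
end

# Constructed stand-ins for models and policies: only the author or an admin may update.
User    = Struct.new(:id, :admin)
Article = Struct.new(:id, :author_id)
Comment = Struct.new(:id, :author_id)
class ArticlePolicy
  def initialize(user, record)
    @user, @record = user, record
  end
  def update?
    @user.admin || @record.author_id == @user.id
  end
end
class CommentPolicy < ArticlePolicy; end

# In an app this would subclass JSONAPI::Authorization::DefaultPunditAuthorizer,
# which derives user from the controller context; here user is passed directly.
class RelationshipAwareAuthorizer
  attr_reader :user
  def initialize(user)
    @user = user
  end
  # POST /resources/:id/relationships/other-resources: the caller must be allowed
  # to update the source record and every record being attached to it.
  def create_to_many_relationship(source_record, new_related_records)
    ::Pundit.authorize(user, source_record, 'update?')
    new_related_records.each { |record| ::Pundit.authorize(user, record, 'update?') }
    true
  end
  # PATCH /resources/:id/relationships/another-resource: new_related_record is nil
  # when the client clears the association, so only the records present are checked.
  def replace_to_one_relationship(source_record, old_related_record, new_related_record)
    ::Pundit.authorize(user, source_record, 'update?')
    [old_related_record, new_related_record].compact.each { |r| ::Pundit.authorize(user, r, 'update?') }
    true
  end
end
```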

#show(source_record) ⇒ Object

GET /resources/:id

Parameters

  • source_record - The record to show

# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 39

def show(source_record)
  ::Pundit.authorize(user, source_record, 'show?')
end

#show_related_resource(source_record, related_record) ⇒ Object

GET /resources/:id/another-resource

A query for a record through a has_one association

Parameters

  • source_record - The record whose relationship is queried

  • related_record - The associated record to show or nil if the associated record was not found

# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 68

def show_related_resource(source_record, related_record)
  ::Pundit.authorize(user, source_record, 'show?')
  ::Pundit.authorize(user, related_record, 'show?') unless related_record.nil?
end

#show_related_resources(source_record) ⇒ Object

GET /resources/:id/other-resources

A query for records through a has_many association

Parameters

  • source_record - The record whose relationship is queried

# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 80

def show_related_resources(source_record)
  ::Pundit.authorize(user, source_record, 'show?')
end

#show_relationship(source_record, related_record) ⇒ Object

GET /resources/:id/relationships/other-resources
GET /resources/:id/relationships/another-resource

A query for a has_one or a has_many association

Parameters

  • source_record - The record whose relationship is queried

  • related_record - The associated has_one record to show or nil if the associated record was not found. For a has_many association, this will always be nil

# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 54

def show_relationship(source_record, related_record)
  ::Pundit.authorize(user, source_record, 'show?')
  ::Pundit.authorize(user, related_record, 'show?') unless related_record.nil?
end