Class: JSONAPI::Authorization::DefaultPunditAuthorizer
- Inherits:
-
Object
- Object
- JSONAPI::Authorization::DefaultPunditAuthorizer
- Defined in:
- lib/jsonapi/authorization/default_pundit_authorizer.rb
Overview
An authorizer is a class responsible for linking JSONAPI operations to your choice of authorization mechanism.
This class uses Pundit for authorization. You can use your own authorizer class instead if you have different needs. See the README.md for configuration information.
Fetching records is the concern of PunditScopedResource
which in turn affects which records end up being passed here.
Instance Attribute Summary collapse
-
#user ⇒ Object
readonly
Returns the value of attribute user.
Instance Method Summary collapse
-
#create_resource(source_class:, related_records_with_context:) ⇒ Object
POST /resources
. -
#create_to_many_relationship(source_record:, new_related_records:, relationship_type:) ⇒ Object
POST /resources/:id/relationships/other-resources
. -
#find(source_class:) ⇒ Object
GET /resources
. -
#include_has_many_resource(source_record:, record_class:) ⇒ Object
Any request including
?include=other-resources
. -
#include_has_one_resource(source_record:, related_record:) ⇒ Object
Any request including
?include=another-resource
. -
#initialize(context:) ⇒ DefaultPunditAuthorizer
constructor
Creates a new DefaultPunditAuthorizer instance.
-
#remove_resource(source_record:) ⇒ Object
DELETE /resources/:id
. -
#remove_to_many_relationship(source_record:, related_records:, relationship_type:) ⇒ Object
DELETE /resources/:id/relationships/other-resources
. -
#remove_to_one_relationship(source_record:, relationship_type:) ⇒ Object
DELETE /resources/:id/relationships/another-resource
. -
#replace_fields(source_record:, related_records_with_context:) ⇒ Object
PATCH /resources/:id
. -
#replace_to_many_relationship(source_record:, new_related_records:, relationship_type:) ⇒ Object
PATCH /resources/:id/relationships/other-resources
. -
#replace_to_one_relationship(source_record:, new_related_record:, relationship_type:) ⇒ Object
PATCH /resources/:id/relationships/another-resource
. -
#show(source_record:) ⇒ Object
GET /resources/:id
. -
#show_related_resource(source_record:, related_record:) ⇒ Object
GET /resources/:id/another-resource
. -
#show_related_resources(source_record:, related_record_class:) ⇒ Object
GET /resources/:id/other-resources
. -
#show_relationship(source_record:, related_record:) ⇒ Object
GET /resources/:id/relationships/other-resources
GET /resources/:id/relationships/another-resource
.
Constructor Details
#initialize(context:) ⇒ DefaultPunditAuthorizer
Creates a new DefaultPunditAuthorizer instance
Parameters
-
context
- The context passed down from the controller layer
20 21 22 |
# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 20 def initialize(context:) @user = JSONAPI::Authorization.configuration.user_context(context) end |
Instance Attribute Details
#user ⇒ Object (readonly)
Returns the value of attribute user.
13 14 15 |
# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 13 def user @user end |
Instance Method Details
#create_resource(source_class:, related_records_with_context:) ⇒ Object
POST /resources
Parameters
-
source_class
- The class of the record to be created -
related_records_with_context
- A has with the association type,
the relationship name, and an Array of new related records.
107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 |
# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 107 def create_resource(source_class:, related_records_with_context:) ::Pundit.(user, source_class, 'create?') .each do |data| relation_name = data[:relation_name] records = data[:records] relationship_method = "create_with_#{relation_name}?" policy = ::Pundit.policy(user, source_class) if policy.respond_to?(relationship_method) unless policy.public_send(relationship_method, records) raise ::Pundit::NotAuthorizedError, query: relationship_method, record: source_class, policy: policy end else Array(records).each do |record| ::Pundit.(user, record, 'update?') end end end end |
#create_to_many_relationship(source_record:, new_related_records:, relationship_type:) ⇒ Object
POST /resources/:id/relationships/other-resources
A request for adding to a has_many
association
Parameters
-
source_record
- The record whose relationship is modified -
new_related_records
- The new records to be added to the association -
relationship_type
- The relationship type
165 166 167 168 169 170 171 172 |
# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 165 def create_to_many_relationship(source_record:, new_related_records:, relationship_type:) relationship_method = "add_to_#{relationship_type}?" ( source_record: source_record, relationship_method: relationship_method, related_record_or_records: ) end |
#find(source_class:) ⇒ Object
GET /resources
Parameters
-
source_class
- The source class (e.g.Article
forArticleResource
)
29 30 31 |
# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 29 def find(source_class:) ::Pundit.(user, source_class, 'index?') end |
#include_has_many_resource(source_record:, record_class:) ⇒ Object
Any request including ?include=other-resources
This will be called for each has_many relationship if the include goes deeper than one level until some authorization fails or the include directive has been travelled completely.
We can’t pass all the records of a has_many
association here due to performance reasons, so the class is passed instead.
Parameters
-
source_record
— The source relationship record, e.g. an Article inarticle.comments check
-
record_class
- The underlying record class for the relationshipsresource.
rubocop:disable Lint/UnusedMethodArgument
243 244 245 |
# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 243 def include_has_many_resource(source_record:, record_class:) ::Pundit.(user, record_class, 'index?') end |
#include_has_one_resource(source_record:, related_record:) ⇒ Object
Any request including ?include=another-resource
This will be called for each has_one relationship if the include goes deeper than one level until some authorization fails or the include directive has been travelled completely.
Parameters
-
source_record
— The source relationship record, e.g. an Article inarticle. check
-
related_record
- The associated record to return
rubocop:disable Lint/UnusedMethodArgument
260 261 262 |
# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 260 def include_has_one_resource(source_record:, related_record:) ::Pundit.(user, , 'show?') end |
#remove_resource(source_record:) ⇒ Object
DELETE /resources/:id
Parameters
-
source_record
- The record to be removed
134 135 136 |
# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 134 def remove_resource(source_record:) ::Pundit.(user, source_record, 'destroy?') end |
#remove_to_many_relationship(source_record:, related_records:, relationship_type:) ⇒ Object
DELETE /resources/:id/relationships/other-resources
A request to disassociate elements of a has_many
association
Parameters
-
source_record
- The record whose relationship is modified -
related_records
- The records which will be disassociated fromsource_record
-
relationship_type
- The relationship type
202 203 204 205 206 207 208 209 |
# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 202 def remove_to_many_relationship(source_record:, related_records:, relationship_type:) relationship_method = "remove_from_#{relationship_type}?" ( source_record: source_record, relationship_method: relationship_method, related_record_or_records: ) end |
#remove_to_one_relationship(source_record:, relationship_type:) ⇒ Object
DELETE /resources/:id/relationships/another-resource
A request to disassociate a has_one
association
Parameters
-
source_record
- The record whose relationship is modified -
relationship_type
- The relationship type
219 220 221 222 223 224 225 |
# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 219 def remove_to_one_relationship(source_record:, relationship_type:) relationship_method = "remove_#{relationship_type}?" ( source_record: source_record, relationship_method: relationship_method ) end |
#replace_fields(source_record:, related_records_with_context:) ⇒ Object
PATCH /resources/:id
Parameters
-
source_record
- The record to be modified -
related_records_with_context
- A hash with the association type,
the relationship name, an Array of new related records.
92 93 94 95 96 97 98 |
# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 92 def replace_fields(source_record:, related_records_with_context:) ::Pundit.(user, source_record, 'update?') ( source_record: source_record, related_records_with_context: ) end |
#replace_to_many_relationship(source_record:, new_related_records:, relationship_type:) ⇒ Object
PATCH /resources/:id/relationships/other-resources
A replace request for a has_many
association
Parameters
-
source_record
- The record whose relationship is modified -
new_related_records
- The new records replacing the entirehas_many
association -
relationship_type
- The relationship type
184 185 186 187 188 189 190 191 |
# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 184 def replace_to_many_relationship(source_record:, new_related_records:, relationship_type:) relationship_method = "replace_#{relationship_type}?" ( source_record: source_record, relationship_method: relationship_method, related_record_or_records: ) end |
#replace_to_one_relationship(source_record:, new_related_record:, relationship_type:) ⇒ Object
PATCH /resources/:id/relationships/another-resource
A replace request for a has_one
association
Parameters
-
source_record
- The record whose relationship is modified -
new_related_record
- The new record replacing the old record -
relationship_type
- The relationship type
147 148 149 150 151 152 153 154 |
# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 147 def replace_to_one_relationship(source_record:, new_related_record:, relationship_type:) relationship_method = "replace_#{relationship_type}?" ( source_record: source_record, relationship_method: relationship_method, related_record_or_records: ) end |
#show(source_record:) ⇒ Object
GET /resources/:id
Parameters
-
source_record
- The record to show
38 39 40 |
# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 38 def show(source_record:) ::Pundit.(user, source_record, 'show?') end |
#show_related_resource(source_record:, related_record:) ⇒ Object
GET /resources/:id/another-resource
A query for a record through a has_one
association
Parameters
-
source_record
- The record whose relationship is queried -
related_record
- The associated record to show ornil
if the associated record was not found
67 68 69 70 |
# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 67 def (source_record:, related_record:) ::Pundit.(user, source_record, 'show?') ::Pundit.(user, , 'show?') unless .nil? end |
#show_related_resources(source_record:, related_record_class:) ⇒ Object
GET /resources/:id/other-resources
A query for records through a has_many
association
Parameters
-
source_record
- The record whose relationship is queried -
related_record_class
- The associated record class to show
80 81 82 83 |
# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 80 def (source_record:, related_record_class:) ::Pundit.(user, source_record, 'show?') ::Pundit.(user, , 'index?') end |
#show_relationship(source_record:, related_record:) ⇒ Object
GET /resources/:id/relationships/other-resources
GET /resources/:id/relationships/another-resource
A query for a has_one
or a has_many
association
Parameters
-
source_record
- The record whose relationship is queried -
related_record
- The associatedhas_one
record to show ornil
if the associated record was not found. For ahas_many
association, this will always benil
53 54 55 56 |
# File 'lib/jsonapi/authorization/default_pundit_authorizer.rb', line 53 def show_relationship(source_record:, related_record:) ::Pundit.(user, source_record, 'show?') ::Pundit.(user, , 'show?') unless .nil? end |