Fix authorize_show_related_resource

valscion · valscion · commit 0022e8fa5ada · 2022-08-24T19:49:30.000+03:00
diff --git a/lib/jsonapi/authorization/authorizing_processor.rb b/lib/jsonapi/authorization/authorizing_processor.rb
@@ -72,7 +72,7 @@ def authorize_show_relationship
         related_resource =
           case relationship
           when JSONAPI::Relationship::ToOne
-            parent_resource.public_send(params[:relationship_type].to_sym)
+            resources_from_relationship(source_klass, source_id, relationship.type, context).first
           when JSONAPI::Relationship::ToMany
             # Do nothing — already covered by policy scopes
           else
@@ -91,10 +91,13 @@ def authorize_show_related_resource
 
         source_resource = source_klass.find_by_key(source_id, context: context)
 
-        related_resource = source_resource.public_send(relationship_type)
+        related_resource = resources_from_relationship(
+          source_klass, source_id, relationship_type, context
+        )&.first
 
         source_record = source_resource._model
         related_record = related_resource._model unless related_resource.nil?
+
         authorizer.show_related_resource(
           source_record: source_record, related_record: related_record
         )
@@ -282,6 +285,18 @@ def authorizer
         @authorizer ||= ::JSONAPI::Authorization.configuration.authorizer.new(context: context)
       end
 
+      def resources_from_relationship(source_klass, source_id, relationship_type, context)
+        rid = source_klass.find_related_fragments(
+          [JSONAPI::ResourceIdentity.new(source_klass, source_id)],
+          relationship_type,
+          context: context
+        ).keys.first
+
+        return nil if rid.nil?
+
+        rid.resource_klass.find_to_populate_by_keys(rid.id)
+      end
+
       # TODO: Communicate with upstream to fix this nasty hack
       def operation_resource_id
         case operation_type
diff --git a/lib/jsonapi/authorization/pundit_scoped_resource.rb b/lib/jsonapi/authorization/pundit_scoped_resource.rb
@@ -8,7 +8,7 @@ module PunditScopedResource
       module ClassMethods
         def records(options = {})
           user_context = JSONAPI::Authorization.configuration.user_context(options[:context])
-          ::Pundit.policy_scope!(user_context, _model_class)
+          ::Pundit.policy_scope!(user_context, super)
         end
       end
 
diff --git a/spec/requests/custom_name_relationship_operations_spec.rb b/spec/requests/custom_name_relationship_operations_spec.rb
@@ -1,6 +1,6 @@
 require 'spec_helper'
 
-RSpec.describe 'including custom name relationships', type: :request, pending: 'compatibility with JR 0.10' do
+RSpec.describe 'including custom name relationships', type: :request do
   include AuthorizationStubs
   fixtures :all
 
diff --git a/spec/requests/included_resources_spec.rb b/spec/requests/included_resources_spec.rb
@@ -531,7 +531,7 @@
     include_examples :scope_limited_directive_tests
   end
 
-  describe 'GET /articles/:id/article', pending: true do
+  describe 'GET /articles/:id/article' do
     let(:article) {
       Article.create(
         external_id: "indifferent_external_id",
diff --git a/spec/requests/related_resources_operations_spec.rb b/spec/requests/related_resources_operations_spec.rb
@@ -58,14 +58,20 @@
     subject(:last_response) { get("/articles/#{article.external_id}/author") }
     let(:article) { articles(:article_with_author) }
     let(:policy_scope) { Article.all }
+    let(:user_policy_scope) { User.all }
 
-    context 'unauthorized for show_related_resource', pending: 'Compatibility with JR 0.10' do
+    before do
+      allow_any_instance_of(UserPolicy::Scope).to receive(:resolve).and_return(user_policy_scope)
+    end
+
+    context 'unauthorized for show_related_resource' do
       before { disallow_operation('show_related_resource', source_record: article, related_record: article.author) }
       it { is_expected.to be_forbidden }
     end
 
     context 'authorized for show_related_resource' do
       before { allow_operation('show_related_resource', source_record: article, related_record: article.author) }
+      it { is_expected.to be_ok }
 
       # If this happens in real life, it's mostly a bug. We want to document the
       # behaviour in that case anyway, as it might be surprising.
@@ -74,5 +80,13 @@
         it { is_expected.to be_not_found }
       end
     end
+
+    context 'authorized for show_related_resource while related resource is limited by policy scope' do
+      before { allow_operation('show_related_resource', source_record: article, related_record: nil) }
+
+      let(:user_policy_scope) { User.where.not(id: article.author.id) }
+
+      it { is_expected.to be_ok }
+    end
   end
 end
