WIP Update for jsonapi-resources v0.10

lgebhardt · lgebhardt · commit 3cbf7f7b347c · 2020-01-05T10:00:06.000-05:00
Note this will break with earlier versions of JR
diff --git a/jsonapi-authorization.gemspec b/jsonapi-authorization.gemspec
@@ -31,5 +31,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "pry-rails"
   spec.add_development_dependency "rubocop", "~> 0.36.0"
   spec.add_development_dependency "phare", "~> 0.7.1"
-  spec.add_development_dependency "sqlite3", "~> 1.3.6"
+  spec.add_development_dependency "sqlite3", "~> 1.4.0"
 end
diff --git a/lib/jsonapi/authorization/authorizing_processor.rb b/lib/jsonapi/authorization/authorizing_processor.rb
@@ -72,7 +72,7 @@ def authorize_show_relationship
         related_resource =
           case relationship
           when JSONAPI::Relationship::ToOne
-            parent_resource.public_send(params[:relationship_type].to_sym)
+            resources_from_relationship(source_klass, source_id, relationship.type, context).first
           when JSONAPI::Relationship::ToMany
             # Do nothing — already covered by policy scopes
           else
@@ -91,7 +91,7 @@ def authorize_show_related_resource
 
         source_resource = source_klass.find_by_key(source_id, context: context)
 
-        related_resource = source_resource.public_send(relationship_type)
+        related_resource = resources_from_relationship(source_klass, source_id, relationship_type, context).first
 
         source_record = source_resource._model
         related_record = related_resource._model unless related_resource.nil?
@@ -282,6 +282,14 @@ def authorizer
         @authorizer ||= ::JSONAPI::Authorization.configuration.authorizer.new(context: context)
       end
 
+      def resources_from_relationship(source_klass, source_id, relationship_type, context)
+        rid = source_klass.find_related_fragments([JSONAPI::ResourceIdentity.new(source_klass, source_id)],
+                                                  relationship_type,
+                                                  context: context).keys.first
+
+        rid.resource_klass.find_to_populate_by_keys(rid.id)
+      end
+
       # TODO: Communicate with upstream to fix this nasty hack
       def operation_resource_id
         case operation_type
diff --git a/lib/jsonapi/authorization/pundit_scoped_resource.rb b/lib/jsonapi/authorization/pundit_scoped_resource.rb
@@ -1,42 +1,85 @@
 require 'pundit'
 
 module JSONAPI
+
+  module ActiveRelation
+
+    # Stores relationship paths starting from the resource_klass, consolidating duplicate paths from
+    # relationships, filters and sorts. When joins are made the table aliases are tracked in join_details
+    class JoinManager
+      def perform_joins(records, options)
+        join_array = flatten_join_tree_by_depth
+
+        join_array.each do |level_joins|
+          level_joins.each do |join_details|
+            relationship = join_details[:relationship]
+            relationship_details = join_details[:relationship_details]
+            related_resource_klass = join_details[:related_resource_klass]
+            join_type = relationship_details[:join_type]
+
+            join_options = {
+              relationship: relationship,
+              relationship_details: relationship_details,
+              related_resource_klass: related_resource_klass,
+            }
+
+            if relationship == :root
+              unless source_relationship
+                add_join_details('', {alias: resource_klass._table_name, join_type: :root, join_options: join_options})
+              end
+              next
+            end
+
+            records, join_node = self.class.get_join_arel_node(records, options) {|records, options|
+              related_resource_klass.join_relationship(
+                records: records,
+                resource_type: related_resource_klass._type,
+                join_type: join_type,
+                relationship: relationship,
+                options: options)
+            }
+
+            details = {alias: self.class.alias_from_arel_node(join_node), join_type: join_type, join_options: join_options}
+
+            if relationship == source_relationship
+              if relationship.polymorphic? && relationship.belongs_to?
+                add_join_details("##{related_resource_klass._type}", details)
+              else
+                add_join_details('', details)
+              end
+            end
+
+            # We're adding the source alias with two keys. We only want the check for duplicate aliases once.
+            # See the note in `add_join_details`.
+            check_for_duplicate_alias = !(relationship == source_relationship)
+            add_join_details(PathSegment::Relationship.new(relationship: relationship, resource_klass: related_resource_klass), details, check_for_duplicate_alias)
+          end
+        end
+        records
+      end
+    end
+  end
+
   module Authorization
     module PunditScopedResource
       extend ActiveSupport::Concern
 
       module ClassMethods
         def records(options = {})
           user_context = JSONAPI::Authorization.configuration.user_context(options[:context])
-          ::Pundit.policy_scope!(user_context, _model_class)
-        end
-      end
-
-      def records_for(association_name)
-        record_or_records = @model.public_send(association_name)
-        relationship = fetch_relationship(association_name)
-
-        case relationship
-        when JSONAPI::Relationship::ToOne
-          record_or_records
-        when JSONAPI::Relationship::ToMany
-          user_context = JSONAPI::Authorization.configuration.user_context(context)
-          ::Pundit.policy_scope!(user_context, record_or_records)
-        else
-          raise "Unknown relationship type #{relationship.inspect}"
+          ::Pundit.policy_scope!(user_context, super)
         end
-      end
 
-      private
-
-      def fetch_relationship(association_name)
-        relationships = self.class._relationships.select do |_k, v|
-          v.relation_name(context: context) == association_name
-        end
-        if relationships.empty?
-          nil
-        else
-          relationships.values.first
+        def apply_joins(records, join_manager, options)
+          records = super
+          join_manager.join_details.each do |k, v|
+            next if k == '' || v[:join_type] == :root
+            v[:join_options][:relationship_details][:resource_klasses].each_key do |klass|
+              next unless klass.included_modules.include?(PunditScopedResource)
+              records = records.where(v[:alias] => { klass._primary_key => klass.records(options)})
+            end
+          end
+          records
         end
       end
     end
