Fix authorize_show_related_resource

valscion · valscion · commit 4ca3de1d2688 · 2022-08-05T10:23:57.000+03:00
diff --git a/lib/jsonapi/authorization/authorizing_processor.rb b/lib/jsonapi/authorization/authorizing_processor.rb
@@ -85,16 +85,49 @@ def authorize_show_relationship
       end
 
       def authorize_show_related_resource
+        # 1. Load the related resource like jsonapi-resources loads them.
+        #    This code is copy-pasted from jsonapi-resources `Processor#related_resource`
+        #    so that we get to loading the resources the same way as JR does.
+        include_directives = params[:include_directives]
         source_klass = params[:source_klass]
         source_id = params[:source_id]
-        relationship_type = params[:relationship_type].to_sym
+        relationship_type = params[:relationship_type]
+        serializer = params[:serializer]
+        fields = params[:fields]
+
+        find_options = {
+            context: context,
+            fields: fields,
+            filters: {},
+            include_directives: include_directives
+        }
+
+        source_resource = source_klass.find_by_key(source_id, context: context, fields: fields)
+
+        resource_set = find_related_resource_set(source_resource,
+                                                 relationship_type,
+                                                 include_directives,
+                                                 find_options)
+
+        resource_set.populate!(serializer, context, find_options)
 
-        source_resource = source_klass.find_by_key(source_id, context: context)
+        # 2. Authorize the showing of related resources. This code is specific to jsonapi-authorization.
 
-        related_resource = source_resource.public_send(relationship_type)
+        # TODO: Figure out better names for the variables used when looping.
+        #       The reason they have bad names is that we don't know what they are.
+        related_resources = resource_set.resource_klasses.flat_map do |_resource_klass, inner_thing|
+          inner_thing.map { |_resource_id, lower_level_thing| lower_level_thing[:resource] }
+        end
+
+        if related_resources.size > 1
+          raise "Unexpectedly more than one related resource in a show_related_resource operation!"
+        end
+
+        related_resource = related_resources.first
 
         source_record = source_resource._model
         related_record = related_resource._model unless related_resource.nil?
+
         authorizer.show_related_resource(
           source_record: source_record, related_record: related_record
         )
diff --git a/spec/requests/included_resources_spec.rb b/spec/requests/included_resources_spec.rb
@@ -200,7 +200,7 @@
     end
 
     describe 'a deep relationship with empty relations' do
-      context 'first level has_one is nil' do
+      context 'first level has_one is nil', pending: false do
         let(:include_query) { 'non-existing-article.comments' }
 
         it { is_expected.to be_successful }
@@ -215,7 +215,7 @@
           it { is_expected.to be_forbidden }
         end
 
-        context 'authorized for first relationship' do
+        context 'authorized for first relationship', pending: false do
           before { allow_operation('include_has_many_resource', source_record: an_instance_of(Article), record_class: Article, authorizer: chained_authorizer) }
 
           it { is_expected.to be_successful }
diff --git a/spec/requests/related_resources_operations_spec.rb b/spec/requests/related_resources_operations_spec.rb
@@ -58,14 +58,20 @@
     subject(:last_response) { get("/articles/#{article.external_id}/author") }
     let(:article) { articles(:article_with_author) }
     let(:policy_scope) { Article.all }
+    let(:user_policy_scope) { User.all }
 
-    context 'unauthorized for show_related_resource', pending: 'Compatibility with JR 0.10' do
+    before do
+      allow_any_instance_of(UserPolicy::Scope).to receive(:resolve).and_return(user_policy_scope)
+    end
+
+    context 'unauthorized for show_related_resource' do
       before { disallow_operation('show_related_resource', source_record: article, related_record: article.author) }
       it { is_expected.to be_forbidden }
     end
 
     context 'authorized for show_related_resource' do
       before { allow_operation('show_related_resource', source_record: article, related_record: article.author) }
+      it { is_expected.to be_ok }
 
       # If this happens in real life, it's mostly a bug. We want to document the
       # behaviour in that case anyway, as it might be surprising.
@@ -74,5 +80,13 @@
         it { is_expected.to be_not_found }
       end
     end
+
+    context 'authorized for show_related_resource while related resource is limited by policy scope' do
+      before { allow_operation('show_related_resource', source_record: article, related_record: nil) }
+
+      let(:user_policy_scope) { User.where.not(id: article.author.id) }
+
+      it { is_expected.to be_ok }
+    end
   end
 end
