Remove code for authorizing replace of polymorphic associations

valscion · valscion · commit 577a8a540dfd · 2022-08-24T19:46:32.000+03:00
There is no way jsonapi-authorization can work if the code upstream
isn't fixed. The specs will fail because of the way jsonapi-resources
handles polymorphic association loading.
diff --git a/README.md b/README.md
@@ -58,6 +58,12 @@ Or install it yourself as:
 
 We aim to support the same Ruby and Ruby on Rails versions as `jsonapi-resources` does. If that's not the case, please [open an issue][issues].
 
+> ### NOTE: Replacing polymorphic associations is BROKEN
+>
+> This is because of an issue in `jsonapi-resources` gem itself: https://github.com/cerebris/jsonapi-resources/issues/1305
+>
+> This gem will always raise an error if an operation is tried which would replace a polymorphic association as allowing the operation to continue would not be possible to authorize against.
+
 ## Versioning and changelog
 
 `jsonapi-authorization` follows [Semantic Versioning](https://semver.org/). We prefer to make more major version bumps when we do changes that are likely to be backwards incompatible. That holds true even when it's likely the changes would be backwards compatible for a majority of our users.
diff --git a/lib/jsonapi/authorization/authorizing_processor.rb b/lib/jsonapi/authorization/authorizing_processor.rb
@@ -247,36 +247,7 @@ def authorize_remove_to_one_relationship
       end
 
       def authorize_replace_polymorphic_to_one_relationship
-        return authorize_remove_to_one_relationship if params[:key_value].nil?
-
-        source_resource = @resource_klass.find_by_key(
-          params[:resource_id],
-          context: context
-        )
-        source_record = source_resource._model
-
-        # Fetch the name of the new class based on the incoming polymorphic
-        # "type" value. This will fail if there is no associated resource for the
-        # incoming "type" value so this shouldn't leak constants
-        related_record_class_name = source_resource
-          .send(:_model_class_name, params[:key_type])
-
-        # Fetch the underlying Resource class for the new record to-be-associated
-        related_resource_klass = @resource_klass.resource_for(related_record_class_name)
-
-        new_related_resource = related_resource_klass
-          .find_by_key(
-            params[:key_value],
-            context: context
-          )
-        new_related_record = new_related_resource._model unless new_related_resource.nil?
-
-        relationship_type = params[:relationship_type].to_sym
-        authorizer.replace_to_one_relationship(
-          source_record: source_record,
-          new_related_record: new_related_record,
-          relationship_type: relationship_type
-        )
+        raise NotImplementedError, "Finding polymorphic associations is broken in jsonapi-resources and thus jsonapi-authorization can't work: https://github.com/cerebris/jsonapi-resources/issues/1305"
       end
 
       private
diff --git a/spec/requests/relationship_operations_spec.rb b/spec/requests/relationship_operations_spec.rb
@@ -279,7 +279,8 @@
   end
 
   # Polymorphic has-one relationship replacing
-  describe 'PATCH /tags/:id/relationships/taggable' do
+  # Polymorphic associations are broken: https://github.com/cerebris/jsonapi-resources/issues/1305
+  describe 'PATCH /tags/:id/relationships/taggable', pending: 'Broken upstream' do
     subject(:last_response) { patch("/tags/#{tag.id}/relationships/taggable", json) }
 
     let!(:old_taggable) { Comment.create }
@@ -306,7 +307,7 @@
         EOS
       end
 
-      context 'unauthorized for replace_to_one_relationship', pending: 'Compatibility with JR 0.10' do
+      context 'unauthorized for replace_to_one_relationship' do
         before {
           disallow_operation(
             'replace_to_one_relationship',
@@ -318,7 +319,7 @@
         it { is_expected.to be_forbidden }
       end
 
-      context 'authorized for replace_to_one_relationship', pending: 'Compatibility with JR 0.10' do
+      context 'authorized for replace_to_one_relationship' do
         before {
           allow_operation(
             'replace_to_one_relationship',
@@ -336,7 +337,7 @@
 
         # If this happens in real life, it's mostly a bug. We want to document the
         # behaviour in that case anyway, as it might be surprising.
-        context 'limited by policy scope on tag', pending: false do
+        context 'limited by policy scope on tag' do
           let(:tag_policy_scope) { Tag.where.not(id: tag.id) }
           it { is_expected.to be_not_found }
         end
