Spec that GET for a has-one related resource doesn't use policy scopes (#146)

This can be a surprising behavior in jsonapi-authorization version that
supports JR 0.9. It will likely change when JR 0.10 is supported at some
point, if that time comes.

Author: valscion

spec/requests/related_resources_operations_spec.rb

@@ -7,6 +7,11 @@
   let(:article) { Article.all.sample }
   let(:authorizations) { {} }
   let(:policy_scope) { Article.none }
+  let(:user_policy_scope) { User.all }
+
+  before do
+    allow_any_instance_of(UserPolicy::Scope).to receive(:resolve).and_return(user_policy_scope)
+  end
 
   let(:json_data) { JSON.parse(last_response.body)["data"] }
 
@@ -75,5 +80,16 @@
         it { is_expected.to be_not_found }
       end
     end
+
+    context 'authorized for show_related_resource while related resource is limited by policy scope' do
+      # It might be surprising that with jsonapi-authorization that supports JR 0.9, the `related_record`
+      # is indeed a real record here and not `nil`. If the policy scope was used, then the `related_record`
+      # should be `nil` but alas, that is not the case.
+      before { allow_operation('show_related_resource', source_record: article, related_record: article.author) }
+
+      let(:user_policy_scope) { User.where.not(id: article.author.id) }
+
+      it { is_expected.to be_ok }
+    end
   end
 end