
Error when creating models that require a parent to authorize

Open zdavis opened this issue 5 years ago • 2 comments

Both texts and resource_collections require a parent project. When these models are created through resource_collections#create and texts#create, which are currently unused API endpoints, the authorization checks happen before the model is hydrated with the parent project by the updater. This means that it's currently impossible to create new child models of projects via the API. This problem is not apparent in the client because 1) texts are never created through a texts_controllers#show endpoint, and 2) other project child models are created through controller endpoints that are namespaced under the project, and that manually assign the project to the model before it's created.

We should improve our updaters to handle this problem so that we can expose the direct endpoints.

We should also remove the texts_controller#create endpoint.

zdavis avatar Sep 30 '19 20:09 zdavis

Thank you for taking the time to report this bug. We've reviewed the issue and agree that this should be fixed. We’re adding a “planned” label to indicate that we consider this bug as part of our current work plan.

This was an automated message, but please don't hesitate to reply. Our team watches these issues closely and will respond as soon as we're able to!

zdavis avatar Feb 12 '20 21:02 zdavis

One workaround for this is to adjust the scope in the controller if it's a create method. For example, on the texts_controller, we could add this scope:

      def scope_for_texts
        if action_name == "create"
          project_id = params.dig(:data, :relationships, :project, :data, :id)
          return Project.find(project_id).texts
        end
        Text.friendly
      end

We might want to do this more globally. If there's a project param, we scope the child object to that association on the project.

zdavis avatar Feb 15 '20 16:02 zdavis
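
The ordering problem from the issue and the scope-to-parent workaround from the last comment, modelled in plain Ruby with no Rails dependency. This is an added example, not Manifold's code: the structs, `authorize!`, both `create_*` methods and the sample data are hypothetical stand-ins for the models, the authorizer and the updater.

```ruby
# Constructed stand-ins; a child record's create permission is decided by its parent.
User    = Struct.new(:name)
Project = Struct.new(:id, :editors) do
  def updatable_by?(user)
    editors.include?(user)
  end

  # Plays the role of `project.texts.build`: the record arrives with its parent set.
  def build_text(title)
    Text.new(self, title)
  end
end
Text = Struct.new(:project, :title) do
  # Fail closed: with no parent there is nothing to authorize against.
  def creatable_by?(user)
    !project.nil? && project.updatable_by?(user)
  end
end

class Forbidden < StandardError; end

EDITOR   = User.new("editor")
OUTSIDER = User.new("outsider")
PROJECTS = { 1 => Project.new(1, [EDITOR]) }.freeze # constructed sample data

def authorize!(record, user)
  raise Forbidden, "create denied" unless record.creatable_by?(user)
  record
end

def project_from(params)
  PROJECTS[params.dig(:data, :relationships, :project, :data, :id)]
end

# Order described in the issue: authorize the bare model, hydrate it afterwards.
def create_authorize_first(params, user)
  text = authorize!(Text.new, user) # project is still nil, so this always raises
  text.project = project_from(params)
  text
end

# Order from the workaround: resolve the parent, build through it, then authorize.
def create_scoped_to_parent(params, user)
  project = project_from(params)
  raise Forbidden, "unknown or missing project" if project.nil?
  authorize!(project.build_text(params.dig(:data, :attributes, :title)), user)
end
```

The first path denies even a legitimate editor, which is the failure the issue reports; the second still rejects a non-editor and a request with no project relationship.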