jsonapi-authorization

Compatibility with jsonapi-resources 0.10

Open valscion opened this issue 7 years ago • 7 comments

Seems like we will have to do some work in the future to be compatible with the upcoming JR version, 0.10, where resources being closely coupled to ActiveRecord is being worked on.

@hidde-jan in https://github.com/venuu/jsonapi-authorization/issues/48#issuecomment-293917276

Are there any thoughts on how (or if) to incorporate https://github.com/cerebris/jsonapi-resources/issues/1006 and https://github.com/cerebris/jsonapi-resources/pull/977?

From JA:R 0.10 onward, the idea is to delegate record fetching to a RecordAccessor.

In the future, the logic in PunditScopedResource might need to be moved into such a class.


EDIT:

  • See #82 for a case where a new upcoming release caused compatibility issues with upstream

valscion, Apr 15 '17 09:04

Ok JR 0.10 has been released now. It seems that the major changes done are things concerning jsonapi-authorization, so it will take quite an effort to get us compatible with it.

https://jsonapi-resources.com/v0.10/guide/whats_new.html

We should update this gem to be compatible with JR 0.10 and release a new major version to support only that version. People on older versions could use older versions of jsonapi-authorization.

Any help is appreciated. I don't have time any time soon to look into this and neither is this a priority on our team any time soon.

valscion, Oct 02 '19 06:10

@valscion do you have any sort of tasklist of things that need to be touched? I could possibly have some time to try to push this forward.

rpbaltazar, Dec 06 '19 06:12

Not really, sorry.

One thing I'd really like to see here would be a new approach to tests where we would assert on user visible functionality — so going from a full request to an expected authorization error without relying on any stubbing.

Some of the current tests have gotten so complex due to the authorization stubbing going on that I have a lack of trust in any big changes done to the existing tests.

These new types of tests could first start small and test only a subset of the authorization logic. I'd like them to be in a totally different directory than the existing RSpec tests, and as self-contained as possible. Meaning that the resources, controllers and policies needed for the tests would all be in one file, even if it would make for a longer file.

This type of test could be done with minitest instead of RSpec, too.

valscion, Dec 06 '19 07:12

Hello, any progress with supporting 0.10? 4 months since issue opening.

romikoops, Dec 23 '19 17:12

Does not seem like it. Feel free to offer help if you need JR 0.10 support.

valscion, Dec 27 '19 15:12

I'm sorry the JR 0.10 changes have broken this project. I'm interested in helping to get this resolved, though I have a few concerns about efficiency in addition to the compatibility issues with the new way JR v0.10 works. I have spent very little time looking at it so far, but I think most of the issues should be fairly easily solvable.

lgebhardt, Dec 28 '19 21:12

Thank you for offering to help, @lgebhardt ☺️. I haven't looked into the compatibility differences much either — I merely know that the way we've used to hook into the processor pipeline needs to be changed to accommodate JR 0.10.

This code: https://github.com/venuu/jsonapi-authorization/blob/v3.0.2/lib/jsonapi/authorization/authorizing_processor.rb

The way we've previously tied into JR has been like so (copied from current readme):

Usage

First make sure you have a Pundit policy specified for every backing model that your JR resources use.

Hook up this gem as the default processor for JR, and optionally allow rescuing from Pundit::NotAuthorizedError to output better errors for unauthorized requests:

# config/initializers/jsonapi-resources.rb
JSONAPI.configure do |config|
  config.default_processor_klass = JSONAPI::Authorization::AuthorizingProcessor
  config.exception_class_whitelist = [Pundit::NotAuthorizedError]
end

Make all your JR controllers specify the user in the context and rescue errors thrown by unauthorized requests:

class BaseResourceController < ActionController::Base
  include JSONAPI::ActsAsResourceController
  rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized

  private

  def context
    {user: current_user}
  end

  def user_not_authorized
    head :forbidden
  end
end

Have your JR resources include the JSONAPI::Authorization::PunditScopedResource module.

class BaseResource < JSONAPI::Resource
  include JSONAPI::Authorization::PunditScopedResource
  abstract
end

valscion, Jan 02 '20 08:01
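Added example, not part of the thread, the README or the gem: a one-file, stub-free check in the shape the Dec 06 '19 comment asks for, going from a request path and the `context` hash from the usage above to the status a client sees. Everything in it (`handle`, `NotAuthorized`, `ArticlePolicy`, the article data) is a hypothetical plain-Ruby stand-in; only the policy/Scope layout follows Pundit's convention, and no jsonapi-resources or Pundit code is loaded.

```ruby
# Plain-Ruby stand-ins (assumptions), not jsonapi-resources or Pundit classes.
NotAuthorized = Class.new(StandardError) # plays the role of Pundit::NotAuthorizedError
User    = Struct.new(:id)
Article = Struct.new(:id, :owner_id)
ARTICLES = [Article.new(1, 10), Article.new(2, 20)].freeze # constructed sample data

# Pundit-style policy: one predicate per action, plus a Scope for collections.
class ArticlePolicy
  def initialize(user, record)
    @user = user
    @record = record
  end

  def show?
    !@user.nil? && @record.owner_id == @user.id # deny by default
  end

  class Scope
    def initialize(user, scope)
      @user = user
      @scope = scope
    end

    def resolve
      return [] if @user.nil?
      @scope.select { |article| article.owner_id == @user.id }
    end
  end
end

# Stand-in for controller plus authorizing processor: authorize, then render.
def handle(path, context)
  user = context[:user]
  return [200, ArticlePolicy::Scope.new(user, ARTICLES).resolve.map(&:id)] if path == "/articles"

  match = %r{\A/articles/(\d+)\z}.match(path)
  record = match && ARTICLES.find { |article| article.id == match[1].to_i }
  return [404, nil] unless record

  raise NotAuthorized unless ArticlePolicy.new(user, record).show?
  [200, record.id]
rescue NotAuthorized
  [403, nil] # same client-visible result as `head :forbidden` above
end
```

Each assertion in such a test covers one client-visible outcome: the owner gets the record, another user gets 403, and the collection response contains only records the scope resolves.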

We never managed to fix the compatibility with jsonapi-resources v0.10. In the end, we decided to no longer support this gem. Discussion here:

  • https://github.com/venuu/jsonapi-authorization/issues/151

valscion, Jun 26 '23 09:06