Releases: venuu/jsonapi-authorization
v3.0.2
v3.0.1
v3.0.0 — Check for authorization against related records
By @brianswko in #119:
Fixes PATCH and POST requests to check if the user has the correct permissions for every given object in a has-many relationship
For example, if a user does not have access to the author with ID 2 (meaning the Pundit scope does not include it), i.e.

```ruby
AuthorPolicy::Scope.new(user, Author).resolve.include?(Author.find(2)) # => false
```

and the following request is made:

```
PATCH /books/1
```

```json
{
  "data": {
    "type": "books",
    "id": "1",
    "attributes": {...},
    "relationships": {
      "authors": {
        "data": [
          { "type": "authors", "id": "1" },
          { "type": "authors", "id": "2" }
        ]
      }
    }
  }
}
```
Previously: Would return a 20x and update the book to include author 2
Now: Will return a 404 and not update the book since the user is unable to find author 2
In some scenarios, this will cause a 404 to be returned where a 403 used to be returned.
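The check described above as a runnable sketch in plain Ruby (an added example, not the gem's code): the Author and User structs, AuthorPolicy::Scope and the sample data are constructed stand-ins for the Rails/Pundit pieces, and a related record outside the scope raises the exception that the API layer renders as 404 before anything is written.

```ruby
# Added example (not jsonapi-authorization's code): models the v3.0.0 check
# that every record in a has-many relationship payload must be visible in the
# user's Pundit scope. Author, User, AuthorPolicy and the data are constructed.
Author = Struct.new(:id, :published)
User   = Struct.new(:name, :admin)

# Constructed sample data: author 2 is unpublished, so a non-admin's scope
# does not contain it (mirrors the `# => false` scope check above).
AUTHORS = [Author.new(1, true), Author.new(2, false)].freeze

class AuthorPolicy
  class Scope
    def initialize(user, scope)
      @user, @scope = user, scope
    end

    def resolve
      @user.admin ? @scope : @scope.select(&:published)
    end
  end
end

class RecordNotFound < StandardError; end # rendered as 404 by the API layer

# Resolve every resource identifier in a has-many `data` array through the
# Pundit scope. Any id the scope cannot see raises, just as `find` on a
# scoped ActiveRecord relation would, so the update never reaches the book.
def authorized_related_authors(user, relationship_data)
  visible = AuthorPolicy::Scope.new(user, AUTHORS).resolve
  relationship_data.map do |identifier|
    id = Integer(identifier['id'])
    visible.find { |a| a.id == id } or
      raise RecordNotFound, "Author #{id} not found in user's scope"
  end
end

# Constructed payload: the `relationships.authors.data` array of the PATCH above.
PAYLOAD = [{ 'type' => 'authors', 'id' => '1' },
           { 'type' => 'authors', 'id' => '2' }].freeze

# Status the PATCH would get: 200 when all related authors are in scope,
# 404 when any of them is not.
def patch_book_status(user)
  authorized_related_authors(user, PAYLOAD)
  200
rescue RecordNotFound
  404
end
```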
v2.0.0 — Bugfix that is a breaking change
@Matthijsy found out about a missing policy check in #111 and later contributed a quality fix for it in #113.
This bugfix can break your application as we now authorize for more cases, so as a precaution, we're bumping the major version to indicate a backwards incompatible change:
Breaking change: Update of relationship endpoints
This version introduces a change in the checks performed when accessing a relationship endpoint (for example GET /users/1/addresses).
In the previous version only source_record.show? was checked and the relationship was scoped:

```ruby
UserPolicy.new(current_user, User.find(1)).show?
addresses_returned =
  AddressPolicy::Scope.new(current_user, User.find(1).addresses).resolve
```

Starting with this version the relationship.index? method is also checked, to verify whether the user is allowed to view this relationship at all:

```ruby
UserPolicy.new(current_user, User.find(1)).show?
# This is the breaking change!
AddressPolicy.new(current_user, Address).index?
addresses_returned =
  AddressPolicy::Scope.new(current_user, User.find(1).addresses).resolve
```
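The old and new check order side by side as an added example in plain Ruby (not the gem's code): User, Address, both policies, the :viewer and :auditor roles and the address data are constructed stand-ins, and Forbidden is what the API layer would render as 403.

```ruby
# Added example (not jsonapi-authorization's code): models the 2.0.0 change
# for GET /users/1/addresses with plain-Ruby stand-ins for Pundit policies.
# User, Address, both policies and the :viewer/:auditor roles are constructed.
User    = Struct.new(:id, :role)
Address = Struct.new(:id, :user_id)

# Constructed data: one address per user.
ADDRESSES = [Address.new(10, 1), Address.new(11, 2)].freeze

class UserPolicy
  def initialize(user, record); @user, @record = user, record; end
  def show?; true; end # any signed-in user may view a user profile
end

class AddressPolicy
  def initialize(user, record); @user, @record = user, record; end
  # Listing addresses is restricted to auditors; index? is what guards it.
  def index?; @user.role == :auditor; end

  class Scope
    def initialize(user, scope); @user, @scope = user, scope; end
    def resolve; @scope; end # the scope alone filters nothing here
  end
end

class Forbidden < StandardError; end # rendered as 403 by the API layer

def addresses_of(user_id)
  ADDRESSES.select { |a| a.user_id == user_id }
end

# Pre-2.0.0: only source_record.show? is checked, then the relationship is
# scoped, so a plain viewer still receives the address list.
def legacy_relationship_index(current_user, user_id)
  source = User.new(user_id, nil)
  raise Forbidden unless UserPolicy.new(current_user, source).show?
  AddressPolicy::Scope.new(current_user, addresses_of(user_id)).resolve
end

# 2.0.0: relationship.index? is checked as well before scoping.
def relationship_index(current_user, user_id)
  source = User.new(user_id, nil)
  raise Forbidden unless UserPolicy.new(current_user, source).show?
  raise Forbidden unless AddressPolicy.new(current_user, Address).index?
  AddressPolicy::Scope.new(current_user, addresses_of(user_id)).resolve
end
```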
v1.0.0
Hooray, after a long wait, we're finally at v1.0.0!
Big changes since v0.8.2
- Authorization of operations touching relationships
  - Discussion happened in #30
  - Huge thanks to @matthias-g and @gnfisher for doing most of the code here! 🚀
- [#52] Compatibility for jsonapi-resources v0.9 - Thanks @plantfansam! 🎉
- [#95] DefaultPunditAuthorizer uses keyword arguments - Thanks go to @nruth 💞
  - If you had subclassed the default authorizer in the past, you will need to update your code to use these keyword arguments.
- Compatible with jsonapi-resources v0.9 — thanks @plantfansam!
- Compatible with pundit v2.x — thanks @jpalumickas!
More details
See the "Roadmap for version 1.0" issue
v1.0.0.beta2
This is the second beta release of upcoming v1.0.0 version. If this beta does not have any issues, this version will be bumped as the actual v1.0.0 version.
Big changes since v0.8.2
- Authorization of operations touching relationships
  - Discussion happened in #30
  - Huge thanks to @matthias-g and @gnfisher for doing most of the code here! 🚀
- [#52] Compatibility for jsonapi-resources v0.9 - Thanks @plantfansam! 🎉
- [#95] DefaultPunditAuthorizer uses keyword arguments - Thanks go to @nruth 💞
  - If you had subclassed the default authorizer in the past, you will need to update your code to use these keyword arguments.
- Compatible with jsonapi-resources v0.9 — thanks @plantfansam!
- Compatible with pundit v2.x — thanks @jpalumickas!
More details
See the "Roadmap for version 1.0" issue
v1.0.0.beta1
This is the first beta release of upcoming v1.0.0 version. If this beta does not have any issues, this version will be bumped as the actual v1.0.0 version.
Big changes since v0.8.2
- Authorization of operations touching relationships
  - Discussion happened in #30
  - Huge thanks to @matthias-g and @gnfisher for doing most of the code here! 🚀
- [#52] Compatibility for jsonapi-resources v0.9 - Thanks @plantfansam! 🎉
- [#95] DefaultPunditAuthorizer uses keyword arguments - Thanks go to @nruth 💞
  - If you had subclassed the default authorizer in the past, you will need to update your code to use these keyword arguments.
- Compatible with jsonapi-resources v0.9 — thanks @plantfansam!
More details
See the "Roadmap for version 1.0" issue
v1.0.0.alpha6
- Authorize replacing of polymorphic has-one relationship, #75
- Properly fetch relationships for a resource, similar to how jsonapi-resources does: #80 (comment) and #81
v1.0.0.alpha5
Adds back the fallback to authorizing update? on related records. See #48 (comment) for more details.
v1.0.0.alpha4
Fixes a PATCH request to save a resource with a has_one relationship being nullified. #54 (comment)
Thanks to @jpalumickas for the PR! (#54)
There is also a problem when we have a has_one relationship and are trying to save it with the parent but sending null:

```ruby
class User
  belongs_to :nationality, class_name: 'Country'
end
```

```
PATCH /users/1
```

```json
{ "data": { "type": "users", "id": "1", "relationships": { "nationality": null } } }
```

So we need to add the same functionality (when nil) to related_models_with_context also. In 1.0.0.alpha3 now we have an error:

```json
{ "errors": [ { "title": "Record not found", "detail": "The record identified by could not be found.", "code": "404", "status": "404" } ] }
```