Compatibility with jsonapi-resources 0.10

[valscion]

Seems like we will have to do some work in the future to be compatible with upcoming JR version, 0.10, where resources being closely coupled to ActiveRecord is being worked on.

@hidde-jan in #48 (comment)

Are there any thoughts on how (or if) to incorporate cerebris/jsonapi-resources#1006 and cerebris/jsonapi-resources#977?

From JA:R 0.10 onward, the idea is to delegate record fetching to a RecordAccessor.

In the future, the logic in PunditScopedResource might need to be moved into such a class.

---

EDIT:

• See Fix a bug for checking JSONAPI::Relationship::ToOne authorization #82 for a case where a new upcoming release caused compatibility issues with upstream

[valscion]

Ok JR 0.10 has been released now. It seems that the major changes done are things concerning jsonapi-authorization, so it will take quite an effort to get us compatible with it.

https://jsonapi-resources.com/v0.10/guide/whats_new.html

We should update this gem to be compatible with JR 0.10 and release a new major version to support only that version. People on older versions could use older versions of jsonapi-authorization.

Any help is appreciated. I don't have time any time soon to look into this and neither is this a priority on our team any time soon.

[rpbaltazar]

@valscion do you have any sort of tasklist of things that need to be touched ?
I could possibly have some time to try to push this forward.

[valscion]

Not really, sorry.

One thing I'd really like to see here would be a new approach to tests where we would assert on user visible functionality — so going from a full request to an expected authorization error without relying on any stubbing.

Some of the current tests have gotten so complex due to the authorization stubbing going on that I have a lack of trust on any big changes done to the existing tests.

These new types of tests could first start small and test only a subset of the authorization logic. I'd like them to be in a totally different directory than the existing RSpec tests, and as self-contained as possible. Meaning that the resources, controllers and policies needed for the tests would all be in one file, even if it would make for a longer file.

This type of tests could be done with minitest instead of RSpec, too.

[romikoops]

Hello, any progress with supporting 0.10? 4 months since issue opening.

[valscion]

Does not seem like it. Feel free to offer help if you need JR 0.10 support.

[lgebhardt]

I'm sorry the JR 0.10 changes have broken this project. I'm interested in helping to get this resolved, though I have a few concerns about efficiency in addition to the compatibility issues with the new way JR v0.10 works. I have spent very little time looking at it so far, but I think most of the issues should be fairly easily solvable.

[valscion]

Thank you for offering to help, @lgebhardt ☺️. I haven't looked into the compatibility differences much either — I merely know that the way we've used to hook into the processor pipeline needs to be changed to accommodate JR 0.10.

This code: https://github.com/venuu/jsonapi-authorization/blob/v3.0.2/lib/jsonapi/authorization/authorizing_processor.rb

The way we've previously tied into JR has been like so (copied from current readme):

Usage

First make sure you have a Pundit policy specified for every backing model that your JR resources use.

Hook up this gem as the default processor for JR, and optionally allow rescuing from Pundit::NotAuthorizedError to output better errors for unauthorized requests:

# config/initializers/jsonapi-resources.rb
JSONAPI.configure do |config|
  config.default_processor_klass = JSONAPI::Authorization::AuthorizingProcessor
  config.exception_class_whitelist = [Pundit::NotAuthorizedError]
end

Make all your JR controllers specify the user in the context and rescue errors thrown by unauthorized requests:

class BaseResourceController < ActionController::Base
  include JSONAPI::ActsAsResourceController
  rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized

  private

  def context
    {user: current_user}
  end

  def user_not_authorized
    head :forbidden
  end
end

Have your JR resources include the JSONAPI::Authorization::PunditScopedResource module.

class BaseResource < JSONAPI::Resource
  include JSONAPI::Authorization::PunditScopedResource
  abstract
end

[valscion]

We never managed to fix the compatibility with jsonapi-resources v0.10. In the end, we decided to no longer support this gem. Discussion here:

• jsonapi-authorization is no longer supported #151