Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Suggestion: Collect array of applied policies against resource #78

Open
Justin-Maxwell opened this issue Aug 28, 2017 · 1 comment
Open

Suggestion: Collect array of applied policies against resource #78

Justin-Maxwell opened this issue Aug 28, 2017 · 1 comment
Labels
Type: Discussion

Comments

@Justin-Maxwell
Copy link

Hi.

Firstly, thanks so much for this gem!!

I've been hacking away at helpers to be able to write and run flexible Resource testing from resource_specs, rather than request_specs, because it makes testing a lot cleaner and easier. (Unfortunately, the mostly excellent jsonapi-resources seem to largely miss out describing how to work with resources and resource operations directly)

One thing that occurred to me in the process (now that I have nice JSONAPI::OperationResults to work with in my specs) is:

If jsonapi-authorization could somehow tag the resource (or the OperationResult, or something related and accessible) with the names/symbols of the various Pundit policy methods (relationship_method) and scopes that were applied during the authorization phase, this would make for really nice linking to the policy_specs, and assurance that all the right rules are being applied, without having to repeat some of the the auth-test-logic again further up the stack.

e.g. things like if policy.respond_to?(relationship_method) which mean a typo could result in a well tested policy method not actually being used by jsonapi-authorization when expected.

It'd be so nice to be able to check something like:
expect(resource.policy_authorizations).to include(:create_with_widget) in a resource spec.

NB: (just top-of-head rambling from here on) Taken to the extreme, if could go a couple of levels deeper:

resource.policy_authorizations ==
{
comment: {
  create: :passed, 
  create_with_article: :not_found,
  create_with_user: :passed
  }
article: {
  scope: :empty,
  update: passed
  }
}

Something like this might also make it a lot quicker for newcomers to get up to speed with the Rails jsonapi/pundit suite - I know it would have helped me a lot to get that insight into what was going on, when I was struggling to get to grips with JR (and, less awkwardly, Pundit) at the same time.
@valscion
Copy link
Member

Thanks for the idea! I can't really grasp how an implementation for this could look like, but if you'd be OK to give this some time and hack on a proof-of-concept of how this would look like in jsonapi-authorization, I think I'd be able to form an opinion on that. Don't get your hopes up on it getting merged, though — implementing this might be too difficult or complex, and supporting it might not be easy. I'll be very happy if I'm proven wrong, though 😉

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Type: Discussion
Milestone
No milestone
Development

No branches or pull requests
2 participants
@valscion @Justin-Maxwell