JSONAPI::Authorization adds authorization to the jsonapi-resources (JR) gem using Pundit.

PLEASE NOTE: This gem is still considered to be alpha quality. Make sure to test for authorization in your application, too. We should have coverage of all operations, though. If that isn't the case, please open an issue.

Add this line to your application's Gemfile:

gem 'jsonapi-authorization'

And then execute:

$ bundle

Or install it yourself as:

$ gem install jsonapi-authorization

Make sure you have a Pundit policy specified for every backing model that your JR resources use. Then hook this gem up to your application like so:

JSONAPI.configure do |config|
  config.operations_processor = :jsonapi_authorization
end

Make all your JR controllers specify the user in the context if you are using the default authorizer class (see Configuration below):

class BaseResourceController < ActionController::Base
  include JSONAPI::ActsAsResourceController

  private

  def context
    {user: current_user}
  end
end

Have your JR resources include the JSONAPI::Authorization::PunditScopedResource module.

class BaseResource < JSONAPI::Resource
  include JSONAPI::Authorization::PunditScopedResource
  abstract
end

If you want to send a custom response for unauthorized requests, add a rescue_from hook to your BaseResourceController and whitelist Pundit::NotAuthorizedError in your JR configuration.

There is a bug affecting jsonapi-resources error whitelisting, see cerebris/jsonapi-resources#573. To make your whitelisting and rescue_from to work properly, here is a potential workaround:

JSONAPI.configure do |config|
  config.exception_class_whitelist = [Pundit::NotAuthorizedError]
end

class BaseResourceController < ActionController::Base
  rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized

  private

  # https://github.com/cerebris/jsonapi-resources/pull/573
  def handle_exceptions(e)
    if JSONAPI.configuration.exception_class_whitelist.any? { |k| e.class.ancestors.include?(k) }
      raise e
    else
      super
    end
  end

  def user_not_authorized
    head :forbidden
  end
end

You can use a custom authorizer class by specifying a configure block in an initializer file. If using a custom authorizer class, be sure to require them at the top of the initializer before usage.

JSONAPI::Authorization.configure do |config|
  config.authorizer = MyCustomAuthorizer
end

After checking out the repo, run bundle install to install dependencies. Then, run bundle exec rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

Originally based on discussion and code samples by @barelyknown and others in cerebris/jsonapi-resources#16.

Bug reports and pull requests are welcome on GitHub at https://github.com/venuu/jsonapi-authorization.