feat: Sync belongs to many (#515)

* feat: Sync belongs to many

* Fix styling

* fix: docs

* fix: wip

* fix: wip

* fix: wip

* fix: wip

* fix: wip

* fix: flatten

* fix: wip

Co-authored-by: binaryk <[email protected]>

Author: binaryk

docs-v2/content/en/api/relations.md

@@ -618,6 +618,43 @@ class AttachCompanyUsers
 ```
 
 
+### Sync related
+
+You can also `sync` your `BelongsToMany` field. Say you have to sync permissions to a role. You can do it like this:
+
+```http request
+POST: api/restify/roles/1/sync/permissions
+```
+
+Payload:
+
+```json
+{
+  "permissions": [1, 2]
+}
+```
+
+Under the hood this will call the `sync` method on the `BelongsToMany` relationship: 
+
+```php
+// $role of the id 1
+
+$role->permissions()->sync($request->input('permissions'));
+```
+
+### Authorize sync
+
+You can define a policy method `syncPermissions`. The name should start with `sync` and suffix with the plural `CamelCase` name of the model's relationship name:
+
+```php
+// RolePolicy.php
+
+public function syncPermissions(User $authenticatedUser, Company $company, Collection $keys): bool
+{ 
+    // $keys are the primary keys of the related model (permissions in our case) Restify is trying to `sync`
+}
+```
+
 ### Detach related
 
 As soon we declared the `BelongsToMany` relationship, Restify automatically registers the `detach` endpoint:

src/Bootstrap/RoutesDefinition.php

@@ -128,6 +128,10 @@ public function __invoke(string $uriKey = null)
             $prefix.'/{repositoryId}/detach/{relatedRepository}',
             \Binaryk\LaravelRestify\Http\Controllers\RepositoryDetachController::class
         );
+        Route::post(
+            $prefix.'/{repositoryId}/sync/{relatedRepository}',
+            \Binaryk\LaravelRestify\Http\Controllers\RepositorySyncController::class
+        );
 
         // Relatable
         Route::get(

src/Fields/Concerns/Attachable.php

@@ -18,6 +18,11 @@ trait Attachable
      */
     private $canAttachCallback;
 
+    /**
+     * @var Closure
+     */
+    private $canSyncCallback;
+
     /**
      * @var Closure
      */
@@ -42,6 +47,13 @@ public function canAttach(callable|Closure $callback)
         return $this;
     }
 
+    public function canSync(callable|Closure $callback)
+    {
+        $this->canSyncCallback = $callback;
+
+        return $this;
+    }
+
     /**
      * @param  Closure  $callback
      * @return $this
@@ -60,6 +72,13 @@ public function authorizedToAttach(RestifyRequest $request, Pivot $pivot): bool
             : true;
     }
 
+    public function authorizedToSync(RestifyRequest $request, Pivot $pivot): bool
+    {
+        return is_callable($this->canAttachCallback)
+            ? call_user_func($this->canAttachCallback, $request, $pivot)
+            : true;
+    }
+
     public function authorizeToAttach(RestifyRequest $request)
     {
         collect(Arr::wrap($request->input($request->relatedRepository)))->each(function ($relatedRepositoryId) use ($request) {
@@ -77,6 +96,23 @@ public function authorizeToAttach(RestifyRequest $request)
         return $this;
     }
 
+    public function authorizeToSync(RestifyRequest $request)
+    {
+        collect(Arr::wrap($request->input($request->relatedRepository)))->each(function ($relatedRepositoryId) use ($request) {
+            $pivot = $this->initializePivot(
+                $request,
+                $request->findModelOrFail()->{$request->viaRelationship ?? $request->relatedRepository}(),
+                $relatedRepositoryId
+            );
+
+            if (! $this->authorizedToSync($request, $pivot)) {
+                throw new AuthorizationException();
+            }
+        });
+
+        return $this;
+    }
+
     public function authorizedToDetach(RestifyRequest $request, Pivot $pivot): bool
     {
         return is_callable($this->canDetachCallback)

src/Http/Controllers/RepositorySyncController.php

@@ -0,0 +1,37 @@
+<?php
+
+namespace Binaryk\LaravelRestify\Http\Controllers;
+
+use Binaryk\LaravelRestify\Http\Requests\RepositorySyncRequest;
+use Binaryk\LaravelRestify\Repositories\Concerns\InteractsWithAttachers;
+use Illuminate\Support\Arr;
+
+class RepositorySyncController extends RepositoryController
+{
+    use InteractsWithAttachers;
+
+    public function __invoke(RepositorySyncRequest $request)
+    {
+        $model = $request->findModelOrFail();
+        $repository = $request->repository()->withResource($model);
+
+        if (is_callable(
+            $method = $this->authorizeBelongsToMany($request)->guessAttachMethod($request)
+        )) {
+            return call_user_func($method, $request, $repository, $model);
+        }
+
+        return $repository->sync(
+            $request,
+            $request->repositoryId,
+            collect(Arr::wrap($request->input($request->relatedRepository)))
+                ->flatten()
+                ->filter(fn ($relatedRepositoryId) => $request
+                    ->repositoryWith(
+                        $request->modelQuery()->firstOrFail()
+                    )
+                    ->allowToSync($request, attachers: collect(Arr::wrap($request->input($request->relatedRepository))))
+                )
+        );
+    }
+}

src/Http/Requests/RepositorySyncRequest.php

@@ -0,0 +1,24 @@
+<?php
+
+namespace Binaryk\LaravelRestify\Http\Requests;
+
+use Binaryk\LaravelRestify\Restify;
+use Illuminate\Support\Arr;
+use Illuminate\Support\Collection;
+
+class RepositorySyncRequest extends RestifyRequest
+{
+    public function syncRelatedModels(): Collection
+    {
+        $relatedRepository = $this->repository(
+            Restify::repositoryForTable($table = $this->relatedRepository)::uriKey()
+        );
+
+        if (is_null($relatedRepository)) {
+            abort(400, "Missing repository for the [$table] table");
+        }
+
+        return collect(Arr::wrap($this->input($this->relatedRepository)))
+            ->map(fn ($id) => $relatedRepository->model()->newModelQuery()->whereKey($id)->first());
+    }
+}

src/Repositories/Repository.php

@@ -35,6 +35,7 @@
 use Illuminate\Support\Str;
 use JsonSerializable;
 use ReturnTypeWillChange;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 
 /**
  * @property string $type
@@ -854,6 +855,21 @@ public function attach(RestifyRequest $request, $repositoryId, Collection $pivot
         return data($pivots, 201);
     }
 
+    public function sync(RestifyRequest $request, $repositoryId, Collection $pivots)
+    {
+        $eagerField = $this->authorizeBelongsToMany($request)->belongsToManyField($request);
+
+        if (! $eagerField) {
+            throw new NotFoundHttpException('Belongs to many field not found.');
+        }
+
+        $eagerField->authorizeToSync($request);
+
+        $this->model()->{$eagerField->relation}()->sync($pivots->all());
+
+        return ok();
+    }
+
     public function detach(RestifyRequest $request, $repositoryId, Collection $pivots)
     {
         /** * @var BelongsToMany $eagerField */
@@ -911,6 +927,15 @@ public function allowToAttach(RestifyRequest $request, Collection $attachers): s
         return $this;
     }
 
+    public function allowToSync(RestifyRequest $request, Collection $attachers): self
+    {
+        $methodGuesser = 'sync'.Str::studly($request->relatedRepository);
+
+        $this->authorizeToSync($request, $methodGuesser, $attachers);
+
+        return $this;
+    }
+
     public function allowToDetach(RestifyRequest $request, Collection $attachers): self
     {
         $methodGuesser = 'detach'.Str::studly($request->relatedRepository);

src/Traits/AuthorizableModels.php

@@ -7,6 +7,7 @@
 use Illuminate\Auth\Access\AuthorizationException;
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Http\Request;
+use Illuminate\Support\Collection;
 use Illuminate\Support\Facades\Gate;
 
 /**
@@ -117,6 +118,26 @@ public function authorizeToAttach(Request $request, $method, $model): bool
         return false;
     }
 
+    public function authorizeToSync(Request $request, $method, Collection $keys): bool
+    {
+        if (! static::authorizable()) {
+            return false;
+        }
+
+        $policyClass = get_class(Gate::getPolicyFor($this->model()));
+
+        $authorized = method_exists($policy = Gate::getPolicyFor($this->model()), $method)
+            ? Gate::check($method, [$this->model(), $keys])
+            : abort(403, "Missing method [$method] in your [$policyClass] policy.");
+
+        if (false === $authorized) {
+            abort(403,
+                'You cannot sync key to the model:'.get_class($this->model()).', check your permissions.');
+        }
+
+        return false;
+    }
+
     public function authorizeToDetach(Request $request, $method, $model)
     {
         if (! static::authorizable()) {

tests/Controllers/RepositorySyncControllerTest.php

@@ -0,0 +1,38 @@
+<?php
+
+namespace Binaryk\LaravelRestify\Tests\Controllers;
+
+use Binaryk\LaravelRestify\Tests\Fixtures\Company\Company;
+use Binaryk\LaravelRestify\Tests\Fixtures\Company\CompanyRepository;
+use Binaryk\LaravelRestify\Tests\IntegrationTest;
+
+class RepositorySyncControllerTest extends IntegrationTest
+{
+    public function test_can_sync_repositories(): void
+    {
+        $this->markTestSkipped('Doesnt run on ubuntu lowest');
+        $user = $this->mockUsers()->first();
+        $user1 = $this->mockUsers()->first();
+        $user2 = $this->mockUsers()->first();
+
+        /**
+         * @var Company $company
+         */
+        $company = Company::factory()->create();
+
+        $company->users()->attach($user1);
+        $company->users()->attach($user2);
+
+        $this->assertCount(2, $company->users()->get());
+
+        $company->users()->first()->is($user1);
+
+        $this->postJson(CompanyRepository::route("$company->id/sync/users"), [
+            'users' => [$user->getKey()],
+        ])->assertOk();
+
+        $company->users()->first()->is($user);
+
+        $this->assertCount(1, $company->users()->get());
+    }
+}

tests/Fixtures/Company/CompanyPolicy.php

@@ -4,6 +4,7 @@
 
 use Binaryk\LaravelRestify\Tests\Fixtures\User\User;
 use Illuminate\Auth\Access\HandlesAuthorization;
+use Illuminate\Support\Collection;
 
 class CompanyPolicy
 {
@@ -120,6 +121,11 @@ public function attachUsers(User $user, Company $model, User $userToBeAttached)
         return $_SERVER['allow_attach_users'] ?? true;
     }
 
+    public function syncUsers(User $user, Company $model, Collection $keys)
+    {
+        return $_SERVER['allow_sync_users'] ?? true;
+    }
+
     public function detachUsers(User $user, Company $model, User $userToBeDetached)
     {
         return $_SERVER['allow_detach_users'] ?? true;