Remove Sideload#to_hash

Lee Richmond · Lee Richmond · commit 6bf00fa1b307 · 2017-10-03T09:19:18.000-04:00
This hash of all possible sideloads could get huge when dealing with
recursive tree structures. Instead, we'll validate the requested
sideloads at runtime instead of comparing against all possible
sideloads. This moves "what are the possible sideloads" logic to
jsonapi_swagger_helpers, and "prevent non-whitelisted sideloads" to the
Query object, both of which simplify the internals of this project and
improve performance.

There is one breaking change - instead of

```ruby
jsonapi resource: MyResource do
  sideload_whitelist({ index: [:foo] })
end
```

This now (correctly) moves to the controller:

```ruby
jsonapi resource: MyResource

sideload_whitelist({ index: [:foo] })
```
diff --git a/lib/jsonapi_compliable/base.rb b/lib/jsonapi_compliable/base.rb
@@ -7,12 +7,13 @@ module Base
 
     included do
       class << self
-        attr_accessor :_jsonapi_compliable
+        attr_accessor :_jsonapi_compliable, :_sideload_whitelist
       end
 
       def self.inherited(klass)
         super
         klass._jsonapi_compliable = Class.new(_jsonapi_compliable)
+        klass._sideload_whitelist = _sideload_whitelist.dup if _sideload_whitelist
       end
     end
 
@@ -52,6 +53,47 @@ def jsonapi(foo = 'bar', resource: nil, &blk)
 
         self._jsonapi_compliable.class_eval(&blk) if blk
       end
+
+      # Set the sideload whitelist. You may want to omit sideloads for
+      # security or performance reasons.
+      #
+      # Uses JSONAPI::IncludeDirective from {{http://jsonapi-rb.org jsonapi-rb}}
+      #
+      # @example Whitelisting Relationships
+      #   # Given the following whitelist
+      #   class PostsController < ApplicationResource
+      #     jsonapi resource: MyResource
+      #
+      #     sideload_whitelist({
+      #       index: [:blog],
+      #       show: [:blog, { comments: :author }]
+      #     })
+      #
+      #     # ... code ...
+      #   end
+      #
+      #   # A request to sideload 'tags'
+      #   #
+      #   # GET /posts/1?include=tags
+      #   #
+      #   # ...will silently fail.
+      #   #
+      #   # A request for comments and tags:
+      #   #
+      #   # GET /posts/1?include=tags,comments
+      #   #
+      #   # ...will only sideload comments
+      #
+      # @param [Hash, Array, Symbol] whitelist
+      # @see Query#include_hash
+      def sideload_whitelist(hash)
+        self._sideload_whitelist = JSONAPI::IncludeDirective.new(hash).to_hash
+      end
+    end
+
+    # @api private
+    def sideload_whitelist
+      self.class._sideload_whitelist || {}
     end
 
     # Returns an instance of the associated Resource
diff --git a/lib/jsonapi_compliable/query.rb b/lib/jsonapi_compliable/query.rb
@@ -49,12 +49,15 @@ def include_directive
     # @return [Hash] the scrubbed include directive as a hash
     def include_hash
       @include_hash ||= begin
-        requested     = include_directive.to_hash
-        all_allowed   = resource.sideloading.to_hash[:base]
-        whitelist     = resource.sideload_whitelist.values.reduce(:merge)
-        allowed       = whitelist ? Util::IncludeParams.scrub(all_allowed, whitelist) : all_allowed
+        requested = include_directive.to_hash
 
-        Util::IncludeParams.scrub(requested, allowed)
+        whitelist = nil
+        if resource.context
+          whitelist = resource.context.sideload_whitelist
+          whitelist = whitelist[resource.context_namespace] if whitelist
+        end
+
+        whitelist ? Util::IncludeParams.scrub(requested, whitelist) : requested
       end
     end
 
diff --git a/lib/jsonapi_compliable/resource.rb b/lib/jsonapi_compliable/resource.rb
@@ -132,36 +132,6 @@ def self.sideloading
       @sideloading ||= Sideload.new(:base, resource: self)
     end
 
-    # Set the sideload whitelist. You may want to omit sideloads for
-    # security or performance reasons.
-    #
-    # Uses JSONAPI::IncludeDirective from {{http://jsonapi-rb.org jsonapi-rb}}
-    #
-    # @example Whitelisting Relationships
-    #   # Given the following whitelist
-    #   class PostResource < ApplicationResource
-    #     # ... code ...
-    #     sideload_whitelist([:blog, { comments: :author }])
-    #   end
-    #
-    #   # A request to sideload 'tags'
-    #   #
-    #   # GET /posts?include=tags
-    #   #
-    #   # ...will silently fail.
-    #   #
-    #   # A request for comments and tags:
-    #   #
-    #   # GET /posts?include=tags,comments
-    #   #
-    #   # ...will only sideload comments
-    #
-    # @param [Hash, Array, Symbol] whitelist
-    # @see Query#include_hash
-    def self.sideload_whitelist(whitelist)
-      config[:sideload_whitelist] = JSONAPI::IncludeDirective.new(whitelist).to_hash
-    end
-
     # Whitelist a filter
     #
     # @example Basic Filtering
@@ -413,7 +383,6 @@ def self.default_page_size(val)
     def self.config
       @config ||= begin
         {
-          sideload_whitelist: {},
           filters: {},
           default_filters: {},
           extra_fields: {},
@@ -568,60 +537,9 @@ def persist_with_relationships(meta, attributes, relationships, caller_model = n
       persistence.run
     end
 
-    # All possible sideload names, including nested names
-    #
-    #   { comments: { author: {} } }
-    #
-    # Becomes
-    #
-    #   [:comments, :author]
-    #
-    # @see Sideload#to_hash
-    # @return [Array<Symbol>] the list of association names
+    # @see Sideload#association_names
     def association_names
-      @association_names ||= begin
-        if sideloading
-          Util::Hash.keys(sideloading.to_hash[:base])
-        else
-          []
-        end
-      end
-    end
-
-    # An Include Directive Hash of all possible sideloads for the current
-    # context namespace, taking into account the sideload whitelist.
-    #
-    # In other words, say we have this resource:
-    #
-    #   class PostResource < ApplicationResource
-    #     sideload_whitelist({
-    #       index: :comments,
-    #       show: { comments: :author }
-    #     })
-    #   end
-    #
-    # Expected behavior:
-    #
-    #   allowed_sideloads(:index) # => { comments: {} }
-    #   allowed_sideloads(:show) # => { comments: { author: {} }
-    #
-    #   instance.with_context({}, :index) do
-    #     instance.allowed_sideloads # => { comments: {} }
-    #   end
-    #
-    # @see Util::IncludeParams.scrub
-    # @see #with_context
-    # @param [Symbol] namespace Can be :index/:show/etc - The current context namespace will be used by default.
-    # @return [Hash] the scrubbed include directive
-    def allowed_sideloads(namespace = nil)
-      return {} unless sideloading
-
-      namespace ||= context_namespace
-      sideloads = sideloading.to_hash[:base]
-      if !sideload_whitelist.empty? && namespace
-        sideloads = Util::IncludeParams.scrub(sideloads, sideload_whitelist[namespace])
-      end
-      sideloads
+      sideloading.association_names
     end
 
     # The relevant proc for the given attribute and calculation.
@@ -710,12 +628,6 @@ def extra_fields
       self.class.config[:extra_fields]
     end
 
-    # @see .sideload_whitelist
-    # @api private
-    def sideload_whitelist
-      self.class.config[:sideload_whitelist]
-    end
-
     # @see .default_filter
     # @api private
     def default_filters
diff --git a/lib/jsonapi_compliable/scope.rb b/lib/jsonapi_compliable/scope.rb
@@ -80,10 +80,8 @@ def sideload(results, includes)
       return if results == []
 
       includes.each_pair do |name, nested|
-        if @resource.allowed_sideloads.has_key?(name)
-          sideload = @resource.sideload(name)
-          sideload.resolve(results, @query)
-        end
+        sideload = @resource.sideload(name)
+        sideload.resolve(results, @query)
       end
     end
 
diff --git a/lib/jsonapi_compliable/sideload.rb b/lib/jsonapi_compliable/sideload.rb
@@ -359,44 +359,15 @@ def all_sideloads
       end
     end
 
-    # Looks at all nested sideload, and all nested sideloads for the
-    # corresponding Resources, and returns an Include Directive hash
-    #
-    # For instance, this configuration:
-    #
-    #   class BarResource < ApplicationResource
-    #     allow_sideload :baz do
-    #     end
-    #   end
-    #
-    #   class PostResource < ApplicationResource
-    #     allow_sideload :foo do
-    #       allow_sideload :bar, resource: BarResource do
-    #       end
-    #     end
-    #   end
-    #
-    # +post_resource.sideloading.to_hash+ would return
-    #
-    #   { base: { foo: { bar: { baz: {} } } } }
-    #
-    # @return [Hash] The nested include hash
-    # @api private
-    def to_hash(recursion_chain = [], parent = nil)
-      recursing = ->(arr) { arr == [parent.object_id, self.object_id] }
-      recursions = recursion_chain.select(&recursing).length
-      return {} if recursions >= self.class.max_recursion
-
-      unless (parent && parent.name == :base) || name == :base
-        recursion_chain += [[parent.object_id, self.object_id]]
-      end
-
-      { name => {} }.tap do |hash|
-        all_sideloads.each_pair do |key, sl|
-          sideload_hash = sl.to_hash(recursion_chain, self)
-          hash[name].merge!(sideload_hash)
+    def association_names(memo = [])
+      all_sideloads.each_pair do |name, sl|
+        unless memo.include?(sl.name)
+          memo << sl.name
+          memo |= sl.association_names(memo)
         end
       end
+
+      memo
     end
 
     # @api private
@@ -417,14 +388,6 @@ def fire_hooks!(parent, objects, method)
 
     private
 
-    def nested_sideload_hash(sideload, processed)
-      {}.tap do |hash|
-        if sideloading = sideload.resource_class.sideloading
-          hash.merge!(sideloading.to_hash(processed)[:base])
-        end
-      end
-    end
-
     def polymorphic_grouper(grouping_field)
       lambda do |record|
         if record.is_a?(Hash)
diff --git a/spec/extra_fields_spec.rb b/spec/extra_fields_spec.rb
@@ -59,7 +59,7 @@ def include_foo!
     end
 
     it 'does not include the extra field in the response' do
-      ctx = double(allow_net_worth?: false)
+      ctx = double(allow_net_worth?: false).as_null_object
       resource.with_context ctx do
         expect(json['data'][0]['attributes'].keys).to match_array(%w(first_name last_name))
       end
diff --git a/spec/fields_spec.rb b/spec/fields_spec.rb
@@ -37,7 +37,7 @@ def json
 
   it 'disallows fields guarded by :if, even if specified' do
     params[:fields] = { authors: 'first_name,salary' }
-    ctx = double(current_user: 'non-admin')
+    ctx = double(current_user: 'non-admin').as_null_object
     resource.with_context ctx do
       expect(json['data'][0]['attributes'].keys).to_not include('salary')
     end
diff --git a/spec/filtering_spec.rb b/spec/filtering_spec.rb
@@ -92,7 +92,7 @@
 
   context 'when the filter is guarded' do
     let(:can_filter) { true }
-    let(:ctx) { double(can_filter_first_name?: can_filter) }
+    let(:ctx) { double(can_filter_first_name?: can_filter).as_null_object }
 
     before do
       params[:filter] = { first_name_guarded: 'Stephen' }
diff --git a/spec/integration/rails/sideload_whitelist_spec.rb b/spec/integration/rails/sideload_whitelist_spec.rb
@@ -0,0 +1,86 @@
+if ENV["APPRAISAL_INITIALIZED"]
+  require 'rails_spec_helper'
+
+  RSpec.describe 'integrated resources and adapters', type: :controller do
+    let(:genre_resource) do
+      Class.new(JsonapiCompliable::Resource) do
+        type :genres
+        use_adapter JsonapiCompliable::Adapters::ActiveRecord
+      end
+    end
+
+    let(:book_resource) do
+      Class.new(JsonapiCompliable::Resource) do
+        type :books
+        use_adapter JsonapiCompliable::Adapters::ActiveRecord
+        allow_filter :id
+
+        belongs_to :genre,
+          scope: -> { Genre.all },
+          foreign_key: :genre_id,
+          resource: GenreResource
+      end
+    end
+
+    let(:author_resource) do
+      Class.new(JsonapiCompliable::Resource) do
+        type :authors
+        use_adapter JsonapiCompliable::Adapters::ActiveRecord
+
+        has_many :books,
+          scope: -> { Book.all },
+          foreign_key: :author_id,
+          resource: BookResource
+      end
+    end
+
+    before do
+      stub_const('GenreResource', genre_resource)
+      stub_const('BookResource', book_resource)
+      stub_const('AuthorResource', author_resource)
+
+      controller.class.jsonapi resource: AuthorResource
+    end
+
+    controller(ApplicationController) do
+      def index
+        render_jsonapi(Author.all)
+      end
+    end
+
+    def json
+      JSON.parse(response.body)
+    end
+
+    def json_includes(type)
+      json['included'].select { |i| i['type'] == type }
+    end
+
+    let!(:author) { Author.create!(first_name: 'Stephen') }
+    let!(:book) { Book.create!(title: 'The Shining', author: author, genre: genre) }
+    let!(:genre) { Genre.create!(name: 'Horror') }
+
+    context 'when no sideload whitelist' do
+      it 'allows loading all relationships' do
+        get :index, params: { include: 'books.genre' }
+        expect(json_includes('books')).to_not be_blank
+        expect(json_includes('genres')).to_not be_blank
+      end
+    end
+
+    context 'when a sideload whitelist' do
+      before do
+        controller.class.sideload_whitelist({
+          index: [:books],
+          show: { books: :genre }
+        })
+      end
+
+      it 'restricts what sideloads can be loaded' do
+        get :index, params: { include: 'books.genre' }
+        expect(json_includes('books')).to_not be_blank
+        expect(json_includes('genres')).to be_blank
+      end
+    end
+  end
+end
diff --git a/spec/query_spec.rb b/spec/query_spec.rb
diff --git a/spec/resource_spec.rb b/spec/resource_spec.rb
diff --git a/spec/scope_spec.rb b/spec/scope_spec.rb
diff --git a/spec/sideload_spec.rb b/spec/sideload_spec.rb
