Enforce resource listability

Author: tobyzerner

src/Endpoint/Index.php

@@ -19,6 +19,7 @@
 use Psr\Http\Message\ServerRequestInterface as Request;
 use Tobyz\JsonApiServer\Adapter\AdapterInterface;
 use Tobyz\JsonApiServer\Exception\BadRequestException;
+use Tobyz\JsonApiServer\Exception\ForbiddenException;
 use Tobyz\JsonApiServer\JsonApi;
 use Tobyz\JsonApiServer\ResourceType;
 use Tobyz\JsonApiServer\Schema\Attribute;
@@ -51,6 +52,10 @@ public function handle(Context $context): ResponseInterface
         $adapter = $this->resource->getAdapter();
         $schema = $this->resource->getSchema();
 
+        if (! evaluate($schema->isListable(), [$context])) {
+            throw new ForbiddenException;
+        }
+
         $query = $adapter->newQuery();
 
         run_callbacks($schema->getListeners('listing'), [$query, $context]);