venuu · valscion · Apr 12, 2017 · Mar 17, 2017 · Mar 17, 2017 · Mar 17, 2017
diff --git a/.travis.yml b/.travis.yml
@@ -2,8 +2,8 @@ language: ruby
 cache: bundler
 sudo: false
 env:
-  - JSONAPI_RESOURCES_VERSION=0.8.0.beta1 RAILS_VERSION=4.1.0
-  - JSONAPI_RESOURCES_VERSION=0.8.0.beta1 RAILS_VERSION=4.2.0
+  - JSONAPI_RESOURCES_VERSION=0.9 RAILS_VERSION=4.1.0
+  - JSONAPI_RESOURCES_VERSION=0.9 RAILS_VERSION=4.2.0
 rvm:
   - 2.1.2
 before_install: gem install bundler -v 1.11.2

diff --git a/Gemfile b/Gemfile
@@ -19,7 +19,7 @@ end
 
 case jsonapi_resources_version
 when 'default'
-  gem 'jsonapi-resources', '0.8.0.beta1'
+  gem 'jsonapi-resources', '0.9'
 else
   gem 'jsonapi-resources', jsonapi_resources_version
 end
diff --git a/jsonapi-authorization.gemspec b/jsonapi-authorization.gemspec
@@ -17,7 +17,7 @@ Gem::Specification.new do |spec|
   spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   spec.require_paths = ["lib"]
 
-  spec.add_dependency "jsonapi-resources", "~> 0.8.0.beta1"
+  spec.add_dependency "jsonapi-resources", "~> 0.9"
   spec.add_dependency "pundit", "~> 1.0"
 
   spec.add_development_dependency "bundler", "~> 1.11"

diff --git a/lib/jsonapi/authorization/authorizing_processor.rb b/lib/jsonapi/authorization/authorizing_processor.rb
@@ -12,10 +12,10 @@ class AuthorizingProcessor < JSONAPI::Processor
       set_callback :remove_resource, :before, :authorize_remove_resource
       set_callback :replace_fields, :before, :authorize_replace_fields
       set_callback :replace_to_one_relationship, :before, :authorize_replace_to_one_relationship
-      set_callback :create_to_many_relationship, :before, :authorize_create_to_many_relationship
-      set_callback :replace_to_many_relationship, :before, :authorize_replace_to_many_relationship
-      set_callback :remove_to_many_relationship, :before, :authorize_remove_to_many_relationship
       set_callback :remove_to_one_relationship, :before, :authorize_remove_to_one_relationship
+      set_callback :create_to_many_relationships, :before, :authorize_create_to_many_relationships
+      set_callback :replace_to_many_relationships, :before, :authorize_replace_to_many_relationships
+      set_callback :remove_to_many_relationships, :before, :authorize_remove_to_many_relationships
 
       [
         :find,
@@ -150,7 +150,7 @@ def authorize_replace_to_one_relationship
         )
       end
 
-      def authorize_create_to_many_relationship
+      def authorize_create_to_many_relationships
         source_record = @resource_klass.find_by_key(
           params[:resource_id],
           context: context
@@ -162,7 +162,7 @@ def authorize_create_to_many_relationship
         authorizer.create_to_many_relationship(source_record, related_models, relationship_type)
       end
 
-      def authorize_replace_to_many_relationship
+      def authorize_replace_to_many_relationships
         source_resource = @resource_klass.find_by_key(
           params[:resource_id],
           context: context
@@ -179,26 +179,28 @@ def authorize_replace_to_many_relationship
         )
       end
 
-      def authorize_remove_to_many_relationship
+      def authorize_remove_to_many_relationships
         source_resource = @resource_klass.find_by_key(
           params[:resource_id],
           context: context
         )
         source_record = source_resource._model
 
         relationship_type = params[:relationship_type].to_sym
-        related_resource = @resource_klass
+
+        related_resources = @resource_klass
           ._relationship(relationship_type)
           .resource_klass
-          .find_by_key(
-            params[:associated_key],
+          .find_by_keys(
+            params[:associated_keys],
             context: context
           )
-        related_record = related_resource._model unless related_resource.nil?
+
+        related_records = related_resources.map(&:_model)
 
         authorizer.remove_to_many_relationship(
           source_record,
-          related_record,
+          related_records,
           relationship_type
         )
       end

diff --git a/lib/jsonapi/authorization/default_pundit_authorizer.rb b/lib/jsonapi/authorization/default_pundit_authorizer.rb
@@ -165,16 +165,14 @@ def replace_to_many_relationship(source_record, new_related_records, relationshi
       #
       # A request to disassociate elements of a +has_many+ association
       #
-      # NOTE: this is called once per related record, not all at once
-      #
       # ==== Parameters
       #
       # * +source_record+ - The record whose relationship is modified
-      # * +related_record+ - The record which will be disassociated from +source_record+
+      # * +related_records+ - The records which will be disassociated from +source_record+
       # * +relationship_type+ - The relationship type
-      def remove_to_many_relationship(source_record, related_record, relationship_type)
+      def remove_to_many_relationship(source_record, related_records, relationship_type)
         relationship_method = "remove_from_#{relationship_type}?"
-        authorize_relationship_operation(source_record, relationship_method, related_record)
+        authorize_relationship_operation(source_record, relationship_method, related_records)
       end
 
       # <tt>DELETE /resources/:id/relationships/another-resource</tt>

diff --git a/spec/dummy/app/resources/article_resource.rb b/spec/dummy/app/resources/article_resource.rb
@@ -24,4 +24,8 @@ def id=(external_id)
   # Setting this attribute is an easy way to test that authorizations work even
   # when the model has validation errors
   attributes :blank_value
+
+  def self.creatable_fields(context)
+    super + [:id]
+  end
 end
diff --git a/spec/requests/relationship_operations_spec.rb b/spec/requests/relationship_operations_spec.rb
@@ -282,7 +282,12 @@
 
     context 'unauthorized for remove_to_many_relationship' do
       before do
-        disallow_operation('remove_to_many_relationship', article, kind_of(Comment), :comments)
+        disallow_operation(
+          'remove_to_many_relationship',
+          article,
+          [comments_to_remove.first, comments_to_remove.second],
+          :comments
+        )
       end
 
       it { is_expected.to be_forbidden }
@@ -291,10 +296,12 @@
     context 'authorized for remove_to_many_relationship' do
       context 'not limited by policy scopes' do
         before do
-          allow_operations('remove_to_many_relationship', [
-            [article, comments_to_remove.first, :comments],
-            [article, comments_to_remove.second, :comments]
-          ])
+          allow_operation(
+            'remove_to_many_relationship',
+            article,
+            [comments_to_remove.first, comments_to_remove.second],
+            :comments
+          )
         end
 
         it { is_expected.to be_successful }
@@ -303,17 +310,24 @@
       context 'limited by policy scope on comments' do
         let(:comments_scope) { Comment.none }
         before do
-          allow_operation('remove_to_many_relationship', article, kind_of(Comment), :comments)
+          allow_operation('remove_to_many_relationship', article, [], :comments)
         end
 
-        it { is_expected.to be_not_found }
+        # This succeeds because the request isn't actually able to try removing any comments
+        # due to the comments-to-be-removed being an empty array
+        it { is_expected.to be_successful }
       end
 
       # If this happens in real life, it's mostly a bug. We want to document the
       # behaviour in that case anyway, as it might be surprising.
       context 'limited by policy scope on articles' do
         before do
-          allow_operation('remove_to_many_relationship', article, kind_of(Comment), :comments)
+          allow_operation(
+            'remove_to_many_relationship',
+            article,
+            [comments_to_remove.first, comments_to_remove.second],
+            :comments
+          )
         end
         let(:policy_scope) { Article.where.not(id: article.id) }
         it { is_expected.to be_not_found }