Authorization of included resources

[thibaudgg]

Hey, I went through https://github.com/cerebris/jsonapi-resources/issues/16 and found your gem, looks nice.
I have one question though, does the operations_processor approach take care of authorizing the included resources? Let me give you an example:

class PostResource < JSONAPI::Resource
  # read authorized for current_user
  has_many :comments 
end

class CommentResource < JSONAPI::Resource
  # read authorized for current_user
  has_one :user 
end

class UserResource < JSONAPI::Resource
  # read authorized ONLY when user == current_user
  has_many :comments 
end

If you try to get a post with the following request: GET /posts/1?include=comments.user we need to ensure that all comments and users relationships are authorized as well and not only the Post 1.

I think that @barelyknown's approach take care of that by overwriting the JSONAPI::Resource#records_for method but I'm not sure with your approach.

What do you think? Thanks for your gem!

[valscion]

Thanks for chiming in! We do override the JSONAPI::Resource#records_for method, within the PunditScopedResource module intended to be mixed in to your resources via

class MyResource < JSONAPI::Resource
  include JSONAPI::Authorization::PunditScopedResource
end

It should protect you against the has_many relationship but looking at our code, it seems like it's not applying the scope protection on the has_one relationship. Yikes!

We have a few request specs where we test these sorts of authorizations. We haven't yet written a proper test for included resource authorization, and we'd be very happy with a test proving that we indeed have a bug with the has_one relationship.

This gem is split between the operations processor and the module for your resource which takes care of loading only policy scoped resources. The operations processor only handles authorization calls which can raise an authorization errors and the resource module only handles finding the correct resources through pundit policy scopes.

If you try to get a post with the following request: GET /posts/1?include=comments.user we need to ensure that all comments and users relationships are authorized as well and not only the Post 1.

Do you think that in this case, it would make sense to only return the comments and users resources which the user can see, or should it raise an error and stop the entire request instead?

[thibaudgg]

Hei @valscion, thanks for the quick response.

I missed PunditScopedResource, nice!
I've the feeling that only using the policy scope on records_for could not be enough, we should maybe reuse the find_operation/show_operation authorizations for the ToMany/ToOne relationships, not sure. Maybe if policy scope are well defined (using none scope when not authorized at all) it could be enough, assuming that we protect the ToOne case as well.

If you try to get a post with the following request: GET /posts/1?include=comments.user we need to ensure that all comments and users relationships are authorized as well and not only the Post 1.

Do you think that in this case, it would make sense to only return the comments and users resources which the user can see, or should it raise an error and stop the entire request instead?

Good question, that one is tricky. I think still showing the authorized resource would be better, maybe using the policy scope on the ToOne relationship would be enough then.

I'll try to use your gem in our quite complex JR API and I'll give some feedback here. Thanks!

[valscion]

I've the feeling that only using the policy scope on records_for could not be enough, we should maybe reuse the find_operation/show_operation authorizations for the ToMany/ToOne relationships, not sure.

The problem is, records_for should return an ActiveRecord::Relation compatible results, which the user can e.g. paginate on later. We can't really run it through all the records, testing show_operation like we do on the operations processor side.

A similar case we test for is the show_relationship action (GET /posts/1/relationships/comments) where the policy scope limits the returned records: https://github.com/venuu/jsonapi-authorization/blob/v0.5.0/spec/requests/relationship_operations_spec.rb#L47-L50 — that one passes precisely because we have the PunditScopedResource in place for the has_many operation.

We didn't need the test for GET /posts/1/relationships/has-one-associated-resource through policies as in this case the operations processor has all the necessary information. The test case we're missing here is indeed the normal show_resource with an include query.

We also could have extended the GET /articles/:id/relationships/author test to return null data as per the spec, if the policy scope limits us. I guess that would've given us the coverage for the has_one relationship.

[thibaudgg]

After re-reading the Inclusion of Related Resources JSONAPI spec I've the returning null or an empty array because you aren't authorized to access the info sounds wrong, a forbidden response seems more adequate in this case.
Pundit::Scope seems more useful to filter data (e.g. only show public articles to guest) that prevent access. I think both check (authorize & scope) are required here.

[valscion]

Yeah I have a feeling that you're right. What about performance, though..? If we have to fetch all the records when we're querying for a has_many relation in order to authorize show? (or some other action) for them, and there are hundreds of records, won't that be an issue?

It would be great if we could delegate that authorization logic to the Authorizer class — that way, the authorizer can be in control whether the entire query is authorized or not. If we'd pass in the resources to be included as a separate parameter, then the Authorizer could decide whether the entire query should be forbidden or not.

We could also just pass the relationship names there, or the record classes underneath the relationships to that class.

I think both check (authorize & scope) are required here.

Yeah, I guess so, too. As I said above, would it be good enough if the authorization check would have only the related record classes (such as Comment) available for authorization checks? This way we wouldn't have to fetch all the possible related records in a relationship (think a Post having thousands of Comments via has_many :comments) and we'd still know what the user is trying to query (GET /articles/1/?includes=comments) and stop right there.

[thibaudgg]

Yeah, I think that just checking at first the authorization on all resources in theinclude_directives options in each operation would be enough and then only use the Pundit::Scope where it make sense (records_for).

I guess we could inject that in the AuthorizingOperationsProcessor and then iterate on each included resources and authorize them with the Authorizer class.

That would cover all the case I think. Sounds great!

[valscion]

Yeah, I think that just checking at first the authorization on all resources in the include_directives options in each operation would be enough

Just to clarify, do you want the exact records (loaded instances of ActiveRecord models) to be passed to the Authorizer class? If so, what do you think of the performance implications? What if we'd end up loading thousands of records because we'd loop through every record?

It might be possible to delay loading the relation (what you get by running e.g. Post.where(author: User.first)) by just passing that to the Authorizer class. Then it would be the responsibility of the Authorizer class to handle relation -> record loading, if needed.

[thibaudgg]

Just to clarify, do you want the exact records (loaded instances of ActiveRecord models) to be passed to the Authorizer class? If so, what do you think of the performance implications? What if we'd end up loading thousands of records because we'd loop through every record?

No, I think that just checking the access on the class name would be enough for ToMany, as we apply the Pundit::Scope anyway.

What about doing the following:

• ToOne: authorize the record instance
• ToMany: authorize the records class and apply Pundit::Scope

both would be applied at the resource level. I don't think it would impact too much the performance.

It might be possible to delay loading the relation (what you get by running e.g. Post.where(author: User.first)) by just passing that to the Authorizer class. Then it would be the responsibility of the Authorizer class to handle relation -> record loading, if needed.

Mmm I've the feeling that loading AR relation is not the role of this gem and should be let to JR.

[valscion]

What about doing the following:

• ToOne: authorize the record instance
• ToMany: authorize the records class and apply Pundit::Scope

Yeah, I figured so, too 😄 Good to hear we're on the same page 👍

[valscion]

• ToOne: authorize the record instance
• ToMany: authorize the records class and apply Pundit::Scope

This difference might actually complicate your policy class method if we'd use the same check for both. Which we might not want to do.

As you might know, we already map jsonapi specific operations by default to normal policy show?, create? etc. methods. In this case, my first reaction was to test for show? on both cases, but that might not really be a good default mapping, as in the show? method you might really expect the passed in record to be an instance and not the class.

So I think I'll go with the following default mapping for include_directives:

• ToOne: Pundit.authorize(user, included_record, 'show?')
• ToMany: Pundit.authorize(user, included_record_class, 'index?')

Do you think it makes sense? If you want to block users from indexing Vehicle resources, the default check for has_many :vehicles would have you covered by using the index? check. And when there is only a has_one :vehicle check, you can be more granular and use the record within the show? check.

[thibaudgg]

So I think I'll go with the following default mapping for include_directives:

• ToOne: Pundit.authorize(user, included_record, 'show?')
• ToMany: Pundit.authorize(user, included_record_class, 'index?')

Do you think it makes sense? If you want to block users from indexing Vehicle resources, the default check for has_many :vehicles would have you covered by using the index? check. And when there is only a has_one :vehicle check, you can be more granular and use the record within the show? check.

I add that in mind too, that seems like the most logical to me. 👍