Merge branch 'release/1.0.0-alpha.4' into main

Author: lindyhopchris

CHANGELOG.md

@@ -3,6 +3,69 @@
 All notable changes to this project will be documented in this file. This project adheres to
 [Semantic Versioning](http://semver.org/) and [this changelog format](http://keepachangelog.com/).
 
+## [1.0.0-alpha.4] - 2021-02-27
+
+### Added
+
+- Added missing `jsonapi:authorizer` generator command.
+- The Eloquent schema now has `indexQuery` and `relatableQuery` methods. These allow filtering for authorization
+  purposes when a list of resources is being retrieved. For instance, it could filter those queries so that only models
+  belonging to the authenticated user are returned.
+- [#23](https://github.com/laravel-json-api/laravel/issues/23) The resource request class now does not need to exist for
+  the destroy controller action. Previously the implementation was expecting the resource request class to exist, even
+  though delete validation was optional.
+- [#24](https://github.com/laravel-json-api/laravel/issues/24) Controller actions will now stop executing and return a
+  response if one is returned by the *before* action hooks: i.e. `searching`, `reading`, `saving`, `creating`,
+  `updating`, `deleting`, `readingRelated<Name>`, `reading<Name>`, `updating<Name>`, `attaching<Name>` and
+  `detaching<Name>`.
+- [#37](https://github.com/laravel-json-api/laravel/issues/37) Can now use constructor dependency injection in `Server`
+  classes.
+- [#40](https://github.com/laravel-json-api/laravel/issues/40) There is now a new `MetaResponse` class that can be used
+  when returning meta-only responses. In addition, response classes have been updated to add a `withServer` method. This
+  can be used to specify the named server the response should use to encode the JSON:API document. This has to be used
+  when returning responses from routes that have not run the JSON:API middleware (i.e. there is no default server
+  available via the service container).
+- [#9](https://github.com/laravel-json-api/laravel/issues/9) The Laravel route registrar is now passed through to
+  the `resources`, `relationships` and `actions` callbacks as the second function argument.
+- [#36](https://github.com/laravel-json-api/laravel/issues/36) Eloquent schemas now support complex singular filter
+  logic, via the `Schema::isSingular()` method.
+- [#33](https://github.com/laravel-json-api/laravel/issues/33) Specification compliance will now reject an incorrect
+  resource type in a relationship. For example, if a relationship expects `tags` but the client sends `posts`, the
+  request will be rejected with an error message that `posts` are not supported.
+
+### Changed
+
+- [#22](https://github.com/laravel-json-api/laravel/issues/22) **BREAKING** The `index` and `store` methods on the
+  authorizer contract now receive the model class as their second argument. This is useful for authorizers that are used
+  for multiple resource types.
+- **BREAKING** When querying or modifying models via the schema repository or store, calls to `using()` must be replaced
+  with `withRequest()`. This change was made to make it clearer that the request class can be passed into query
+  builders.
+- [#28](https://github.com/laravel-json-api/laravel/issues/28) The sparse field sets validation rule will now reject
+  with a specific message identifying any resource types in the parameter that do not exist.
+- [#35](https://github.com/laravel-json-api/laravel/issues/35) The `Relation::type()` method must now be used when
+  setting the inverse resource type for the relation.
+
+### Fixed
+
+- Optional parameters to generator commands that require values now work correctly. Previously these were incorrectly
+  set up as optional parameters that expected no values.
+- [#25](https://github.com/laravel-json-api/laravel/issues/25) The encoder now correctly handles conditional fields when
+  iterating over a resource's relationships.
+- [#26](https://github.com/laravel-json-api/laravel/issues/26) Fix parsing the `fields` query parameter to field set
+  value objects.
+- [#34](https://github.com/laravel-json-api/laravel/issues/34) Do not require server option when generating a generic
+  authorizer with multiple servers present.
+- [#29](https://github.com/laravel-json-api/laravel/issues/29) Do not reject delete requests without a `Content-Type`
+  header.
+- [#11](https://github.com/laravel-json-api/laravel/issues/11) Fixed iterating over an empty *to-many* generator twice
+  in the underlying compound document encoder.
+
+### Deprecated
+
+- The `Relation::inverseType()` method is deprecated and will be removed in `1.0-stable`. Use `Relation::type()`
+  instead.
+
 ## [1.0.0-alpha.3] - 2021-02-09
 
 ### Added

composer.json

@@ -25,12 +25,12 @@
     "require": {
         "php": "^7.4|^8.0",
         "ext-json": "*",
-        "laravel-json-api/core": "^1.0.0-alpha.3",
-        "laravel-json-api/eloquent": "^1.0.0-alpha.3",
-        "laravel-json-api/encoder-neomerx": "^1.0.0-alpha.3",
+        "laravel-json-api/core": "^1.0.0-alpha.4",
+        "laravel-json-api/eloquent": "^1.0.0-alpha.4",
+        "laravel-json-api/encoder-neomerx": "^1.0.0-alpha.4",
         "laravel-json-api/exceptions": "^1.0.0-alpha.2",
-        "laravel-json-api/spec": "^1.0.0-alpha.3",
-        "laravel-json-api/validation": "^1.0.0-alpha.3",
+        "laravel-json-api/spec": "^1.0.0-alpha.4",
+        "laravel-json-api/validation": "^1.0.0-alpha.4",
         "laravel/framework": "^8.0"
     },
     "require-dev": {
@@ -65,7 +65,7 @@
             ]
         }
     },
-    "minimum-stability": "stable",
+    "minimum-stability": "dev",
     "prefer-stable": true,
     "config": {
         "sort-packages": true

phpunit.xml

@@ -26,7 +26,10 @@
     <testsuite name="Integration">
       <directory suffix="Test.php">./tests/lib/Integration/</directory>
     </testsuite>
-    <testsuite name="Acceptance">
+      <testsuite name="Acceptance">
+          <directory suffix="Test.php">./tests/lib/Acceptance/</directory>
+      </testsuite>
+    <testsuite name="Dummy">
       <directory suffix="Test.php">./tests/dummy/tests/</directory>
     </testsuite>
   </testsuites>

src/Console/GeneratorCommand.php

@@ -40,12 +40,14 @@ abstract class GeneratorCommand extends BaseGeneratorCommand
      */
     public function handle()
     {
-        if (!$server = $this->getServerInput()) {
+        $server = $this->getServerInput();
+
+        if ($this->doesRequireServer() && empty($server)) {
             $this->error('You must use the server option when you have more than one API.');
             return 1;
         }
 
-        if (is_null($this->getServerNamespace($server))) {
+        if (!empty($server) && is_null($this->getServerNamespace($server))) {
             $this->error("Server {$server} does not exist in your jsonapi.servers configuration.");
             return 1;
         }
@@ -136,6 +138,18 @@ protected function getClassType(): string
         return $this->classType;
     }
 
+    /**
+     * Does the generator require a server to be specified?
+     *
+     * Child classes can overload this method if a server is not required.
+     *
+     * @return bool
+     */
+    protected function doesRequireServer(): bool
+    {
+        return true;
+    }
+
     /**
      * Get the console command arguments.
      *

src/Console/MakeAuthorizer.php

@@ -0,0 +1,90 @@
+<?php
+/*
+ * Copyright 2021 Cloud Creativity Limited
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+declare(strict_types=1);
+
+namespace LaravelJsonApi\Laravel\Console;
+
+use Symfony\Component\Console\Input\InputOption;
+
+class MakeAuthorizer extends GeneratorCommand
+{
+
+    /**
+     * @var string
+     */
+    protected $name = 'jsonapi:authorizer';
+
+    /**
+     * @var string
+     */
+    protected $description = 'Create a new JSON:API authorizer.';
+
+    /**
+     * @var string
+     */
+    protected $type = 'JSON:API authorizer';
+
+    /**
+     * @var string
+     */
+    protected $classType = 'Authorizer';
+
+    /**
+     * @inheritDoc
+     */
+    protected function getStub()
+    {
+        return $this->resolveStubPath('authorizer.stub');
+    }
+
+    /**
+     * @param string $rootNamespace
+     * @return string
+     */
+    protected function getDefaultNamespace($rootNamespace)
+    {
+        if ($this->option('resource')) {
+            return parent::getDefaultNamespace($rootNamespace);
+        }
+
+        $jsonApi = trim(config('jsonapi.namespace') ?: 'JsonApi', '\\');
+
+        return $rootNamespace . '\\' . $jsonApi . '\\' . 'Authorizers';
+    }
+
+    /**
+     * @inheritDoc
+     */
+    protected function doesRequireServer(): bool
+    {
+        return true === $this->option('resource');
+    }
+
+    /**
+     * @inheritDoc
+     */
+    protected function getOptions()
+    {
+        return [
+            ['force', null, InputOption::VALUE_NONE, 'Create the class even if the schema already exists.'],
+            ['resource', 'r', InputOption::VALUE_NONE, 'Whether the authorizer is for a specific resource type.'],
+            ['server', 's', InputOption::VALUE_REQUIRED, 'The JSON:API server the schema exists in.'],
+        ];
+    }
+
+}

src/Console/MakeQuery.php

@@ -91,7 +91,7 @@ protected function getOptions()
             ['collection', 'c', InputOption::VALUE_NONE, 'Create a query collection class.'],
             ['both', 'b', InputOption::VALUE_NONE, 'Create a query and a query collection class.'],
             ['force', null, InputOption::VALUE_NONE, 'Create the class even if the query already exists'],
-            ['server', 's', InputOption::VALUE_NONE, 'The JSON:API server the query exists in.'],
+            ['server', 's', InputOption::VALUE_REQUIRED, 'The JSON:API server the query exists in.'],
         ];
     }
 

src/Console/MakeRequest.php

@@ -59,7 +59,7 @@ protected function getOptions()
     {
         return [
             ['force', null, InputOption::VALUE_NONE, 'Create the class even if the request already exists'],
-            ['server', 's', InputOption::VALUE_NONE, 'The JSON:API server the request exists in.'],
+            ['server', 's', InputOption::VALUE_REQUIRED, 'The JSON:API server the request exists in.'],
         ];
     }
 

src/Console/MakeRequests.php

@@ -78,7 +78,7 @@ protected function getOptions()
     {
         return [
             ['force', null, InputOption::VALUE_NONE, 'Create the request classes even if they already exists'],
-            ['server', 's', InputOption::VALUE_NONE, 'The JSON:API server the requests exists in.'],
+            ['server', 's', InputOption::VALUE_REQUIRED, 'The JSON:API server the requests exists in.'],
         ];
     }
 }

src/Console/MakeResource.php

@@ -59,7 +59,7 @@ protected function getOptions()
     {
         return [
             ['force', null, InputOption::VALUE_NONE, 'Create the class even if the resource already exists'],
-            ['server', 's', InputOption::VALUE_NONE, 'The JSON:API server the resource exists in.'],
+            ['server', 's', InputOption::VALUE_REQUIRED, 'The JSON:API server the resource exists in.'],
         ];
     }
 

src/Console/MakeSchema.php

@@ -104,8 +104,8 @@ protected function getOptions()
     {
         return [
             ['force', null, InputOption::VALUE_NONE, 'Create the class even if the schema already exists'],
-            ['model', 'm', InputOption::VALUE_NONE, 'The model that the schema applies to.'],
-            ['server', 's', InputOption::VALUE_NONE, 'The JSON:API server the schema exists in.'],
+            ['model', 'm', InputOption::VALUE_REQUIRED, 'The model that the schema applies to.'],
+            ['server', 's', InputOption::VALUE_REQUIRED, 'The JSON:API server the schema exists in.'],
         ];
     }
 

src/Console/MakeServer.php

@@ -129,7 +129,7 @@ protected function getOptions()
     {
         return [
             ['force', null, InputOption::VALUE_NONE, 'Create the class even if the server already exists'],
-            ['uri', null, InputOption::VALUE_NONE, 'The base URI of the server.'],
+            ['uri', null, InputOption::VALUE_REQUIRED, 'The base URI of the server.'],
         ];
     }
 

src/Http/Controllers/Actions/AttachRelationship.php

@@ -55,18 +55,21 @@ public function attachRelationship(Route $route, StoreContract $store)
         $query = ResourceQuery::queryMany($resourceType);
 
         $model = $route->model();
+        $response = null;
 
         if (method_exists($this, $hook = 'attaching' . Str::classify($fieldName))) {
-            $this->{$hook}($model, $request, $query);
+            $response = $this->{$hook}($model, $request, $query);
+        }
+
+        if ($response) {
+            return $response;
         }
 
         $result = $store
             ->modifyToMany($resourceType, $model, $fieldName)
-            ->using($query)
+            ->withRequest($query)
             ->attach($request->validatedForRelation());
 
-        $response = null;
-
         if (method_exists($this, $hook = 'attached' . Str::classify($fieldName))) {
             $response = $this->{$hook}($model, $result, $request, $query);
         }

src/Http/Controllers/Actions/Destroy.php

@@ -19,8 +19,11 @@
 
 namespace LaravelJsonApi\Laravel\Http\Controllers\Actions;
 
+use Illuminate\Auth\Access\AuthorizationException;
+use Illuminate\Auth\AuthenticationException;
 use Illuminate\Contracts\Support\Responsable;
 use Illuminate\Http\Response;
+use Illuminate\Support\Facades\Auth;
 use LaravelJsonApi\Contracts\Routing\Route;
 use LaravelJsonApi\Contracts\Store\Store as StoreContract;
 use LaravelJsonApi\Laravel\Http\Requests\ResourceRequest;
@@ -34,26 +37,47 @@ trait Destroy
      * @param Route $route
      * @param StoreContract $store
      * @return Response|Responsable
+     * @throws AuthenticationException|AuthorizationException
      */
     public function destroy(Route $route, StoreContract $store)
     {
-        $request = ResourceRequest::forResource(
+        $request = ResourceRequest::forResourceIfExists(
             $resourceType = $route->resourceType()
         );
 
         $model = $route->model();
 
+        /**
+         * The resource request class is optional for deleting,
+         * as delete validation is optional. However, if we do not have
+         * a resource request then the action will not have been authorized.
+         * So we need to trigger authorization in this case.
+         */
+        if (!$request) {
+            $check = $route->authorizer()->destroy(
+                $request = \request(),
+                $model,
+            );
+
+            throw_if(false === $check && Auth::guest(), new AuthenticationException());
+            throw_if(false === $check, new AuthorizationException());
+        }
+
+        $response = null;
+
         if (method_exists($this, 'deleting')) {
-            $this->deleting($model, $request);
+            $response = $this->deleting($model, $request);
+        }
+
+        if ($response) {
+            return $response;
         }
 
         $store->delete(
             $resourceType,
             $route->modelOrResourceId()
         );
 
-        $response = null;
-
         if (method_exists($this, 'deleted')) {
             $response = $this->deleted($model, $request);
         }