[Feature] Use new show related method on the authorizer interface

lindyhopchris · lindyhopchris · commit 1f126027c20c · 2021-06-18T18:02:27.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,13 @@
 All notable changes to this project will be documented in this file. This project adheres to
 [Semantic Versioning](http://semver.org/) and [this changelog format](http://keepachangelog.com/).
 
+## Added
+
+- The authorizer now has separate `showRelated()` and `showRelationship()` methods. Previously both these controller
+  actions were authorized via the single `showRelationship()` method. Adding the new `showRelated` method means
+  developers can now implement separate authorization logic for these two actions if desired. Our default implementation
+  remains unchanged - both are authorized using the `view<RelationshipName>` method on the relevant policy.
+
 ## [1.0.0-beta.4] - 2021-06-02
 
 ### Fixed
diff --git a/composer.json b/composer.json
@@ -25,7 +25,7 @@
     "require": {
         "php": "^7.4|^8.0",
         "ext-json": "*",
-        "laravel-json-api/core": "^1.0.0-beta.4",
+        "laravel-json-api/core": "^1.0.0-beta.5",
         "laravel-json-api/eloquent": "^1.0.0-beta.5",
         "laravel-json-api/encoder-neomerx": "^1.0.0-beta.1",
         "laravel-json-api/exceptions": "^1.0.0-beta.2",
diff --git a/src/Http/Requests/FormRequest.php b/src/Http/Requests/FormRequest.php
@@ -23,6 +23,7 @@
 use Illuminate\Contracts\Auth\Guard;
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Foundation\Http\FormRequest as BaseFormRequest;
+use Illuminate\Support\Str;
 use LaravelJsonApi\Contracts\Schema\Schema;
 use LaravelJsonApi\Core\JsonApiService;
 use LaravelJsonApi\Validation\Factory as ValidationFactory;
@@ -85,13 +86,23 @@ public function isViewingOne(): bool
     }
 
     /**
-     * Is this a request to view resources in a relationship (Read related/relationship actions.)
+     * Is this a request to view related resources in a relationship? (Show-related action.)
+     *
+     * @return bool
+     */
+    public function isViewingRelated(): bool
+    {
+        return $this->isMethod('GET') && $this->isRelationship() && !$this->urlHasRelationships();
+    }
+
+    /**
+     * Is this a request to view resource identifiers in a relationship? (Show-relationship action.)
      *
      * @return bool
      */
     public function isViewingRelationship(): bool
     {
-        return $this->isMethod('GET') && $this->isRelationship();
+        return $this->isMethod('GET') && $this->isRelationship() && $this->urlHasRelationships();
     }
 
     /**
@@ -320,4 +331,14 @@ private function doesntHaveResourceId(): bool
     {
         return !$this->hasResourceId();
     }
+
+    /**
+     * Does the URL contain the keyword "relationships".
+     *
+     * @return bool
+     */
+    private function urlHasRelationships(): bool
+    {
+        return Str::of($this->url())->contains('relationships');
+    }
 }
diff --git a/src/Http/Requests/ResourceQuery.php b/src/Http/Requests/ResourceQuery.php
@@ -126,6 +126,14 @@ public function authorizeResource(Authorizer $authorizer): bool
             return $authorizer->show($this, $this->modelOrFail());
         }
 
+        if ($this->isViewingRelated()) {
+            return $authorizer->showRelated(
+                $this,
+                $this->modelOrFail(),
+                $this->jsonApi()->route()->fieldName(),
+            );
+        }
+
         if ($this->isViewingRelationship()) {
             return $authorizer->showRelationship(
                 $this,
