Add a handle_authorize hook which is executed on all actions (before anything).

This way I can simply add authorization on the record that's properly
loaded and scoped by ja_resource for all routes at once.

Show, delete and update will call the method with the actual model to be
operated on (but before anything is done to the model!). index and create
actions will pass in the model() module instead (since we're operating
on a collection/adding a record not yet in the db).

This was intended for integration with bodyguard. I had to do the
following:

  def records(conn) do
    scope(conn, model())
  end

  # this solves the auth for show, update and delete (but not index or create)
  def record(conn, id) do
    r = super(conn, id)
    authorize!(conn, r, policy: Midori.Bot.Policy)
    r
  end

  def handle_index(conn, attributes) do
    authorize!(conn, Bot)
    super(conn, attributes)
  end

  def handle_create(conn, attributes) do
    authorize!(conn, Bot)
    super(conn, attributes)
  end

I wanted a solution that would take care of index and create as well,
because having to do it manually action by action is error-prone.

Author: archseer

lib/ja_resource/authorize.ex

@@ -0,0 +1,24 @@
+defmodule JaResource.Authorize do
+  use Behaviour
+
+  @moduledoc """
+  Provides the `handle_authorize/0` callback used to authorize the resource.
+
+  This behaviour is used by all JaResource actions.
+  """
+
+  @doc """
+  Called before all the actions with the model. Useful for authorizing.
+  """
+  @callback handle_authorize(Plug.Conn.t, JaResource.record) :: any
+
+  defmacro __using__(_) do
+    quote do
+      @behaviour JaResource.Authorize
+
+      def handle_authorize(model, _conn), do: model
+
+      defoverridable [handle_authorize: 2]
+    end
+  end
+end

lib/ja_resource/create.ex

@@ -65,6 +65,9 @@ defmodule JaResource.Create do
   def call(controller, conn) do
     merged = JaResource.Attributes.from_params(conn.params)
     attributes = controller.permitted_attributes(conn, merged, :create)
+
+    controller.handle_authorize(controller.model(), conn)
+
     conn
     |> controller.handle_create(attributes)
     |> JaResource.Create.insert(controller)

lib/ja_resource/delete.ex

@@ -59,6 +59,8 @@ defmodule JaResource.Delete do
   def call(controller, conn) do
     model = controller.record(conn, conn.params["id"])
 
+    controller.handle_authorize(model, conn)
+
     conn
     |> controller.handle_delete(model)
     |> JaResource.Delete.respond(conn)

lib/ja_resource/index.ex

@@ -119,6 +119,8 @@ defmodule JaResource.Index do
   Execute the index action on a given module implementing Index behaviour and conn.
   """
   def call(controller, conn) do
+    controller.handle_authorize(controller.model(), conn)
+
     conn
     |> controller.handle_index(conn.params)
     |> JaResource.Index.filter(conn, controller)

lib/ja_resource/model.ex

@@ -25,6 +25,7 @@ defmodule JaResource.Model do
   defmacro __using__(_) do
     quote do
       @behaviour JaResource.Model
+      use JaResource.Authorize
 
       @inferred_model JaResource.Model.model_from_controller(__MODULE__)
       def model(), do: @inferred_model

lib/ja_resource/show.ex

@@ -57,9 +57,11 @@ defmodule JaResource.Show do
   Execute the show action on a given module implementing Show behaviour and conn.
   """
   def call(controller, conn) do
-    conn
-    |> controller.handle_show(conn.params["id"])
-    |> JaResource.Show.respond(conn, controller)
+    model = controller.handle_show(conn.params["id"])
+
+    controller.handle_authorize(model, conn)
+
+    JaResource.Show.respond(model, conn, controller)
   end
 
   @doc false

lib/ja_resource/update.ex

@@ -72,6 +72,8 @@ defmodule JaResource.Update do
     merged     = JaResource.Attributes.from_params(conn.params)
     attributes = controller.permitted_attributes(conn, merged, :update)
 
+    controller.handle_authorize(model, conn)
+
     conn
     |> controller.handle_update(model, attributes)
     |> JaResource.Update.update(controller)