policy_scope on has_many relationships in serializers (#840)

* token overrides current user in api * policy scope has_many relationships * fix hard coded topics - whoops * handle policy_scope returning nil in application serializer
2016-10-26 19:56:30 +08:00 · 2016-10-26 19:56:30 +08:00 · 175a3ee73e
commit 175a3ee73e
parent b13587456d
2 changed files with 5 additions and 3 deletions
--- a/app/controllers/api/v2/restful_controller.rb
+++ b/app/controllers/api/v2/restful_controller.rb
@ -45,7 +45,7 @@ module Api
      end

      def current_user
-        super || token_user || doorkeeper_user || nil
+        token_user || super || doorkeeper_user || nil
      end

      def load_resource
--- a/app/serializers/api/v2/application_serializer.rb
+++ b/app/serializers/api/v2/application_serializer.rb
@ -32,9 +32,11 @@ module Api
          if attr.to_s.pluralize == attr.to_s
            attribute("#{attr.to_s.singularize}_ids".to_sym,
                      opts.merge(unless: -> { embeds.include?(key) })) do
-              object.send(attr).map(&:id)
+              Pundit.policy_scope(scope[:current_user], object.send(attr))&.map(&:id) || []
+            end
+            has_many(attr, opts.merge(if: -> { embeds.include?(key) })) do
+              Pundit.policy_scope(scope[:current_user], object.send(attr)) || []
            end
-            has_many(attr, opts.merge(if: -> { embeds.include?(key) }))
          else
            id_opts = opts.merge(key: "#{key}_id")
            attribute("#{attr}_id".to_sym,