From 175a3ee73e0fdb745d6171e4b4c1e5c97eadc02b Mon Sep 17 00:00:00 2001
From: Devin Howard
Date: Wed, 26 Oct 2016 19:56:30 +0800
Subject: [PATCH] policy_scope on has_many relationships in serializers (#840)

* token overrides current user in api
* policy scope has_many relationships
* fix hard coded topics - whoops
* handle policy_scope returning nil in application serializer
---
 app/controllers/api/v2/restful_controller.rb | 2 +-
 app/serializers/api/v2/application_serializer.rb | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/app/controllers/api/v2/restful_controller.rb b/app/controllers/api/v2/restful_controller.rb
index b64682f3..7cc6a44c 100644
--- a/app/controllers/api/v2/restful_controller.rb
+++ b/app/controllers/api/v2/restful_controller.rb
@@ -45,7 +45,7 @@ module Api
 end

 def current_user
- super || token_user || doorkeeper_user || nil
+ token_user || super || doorkeeper_user || nil
 end

 def load_resource
diff --git a/app/serializers/api/v2/application_serializer.rb b/app/serializers/api/v2/application_serializer.rb
index 2d7c1b9a..4345c941 100644
--- a/app/serializers/api/v2/application_serializer.rb
+++ b/app/serializers/api/v2/application_serializer.rb
@@ -32,9 +32,11 @@ module Api
 if attr.to_s.pluralize == attr.to_s
 attribute("#{attr.to_s.singularize}_ids".to_sym,
 opts.merge(unless: -> { embeds.include?(key) })) do
- object.send(attr).map(&:id)
+ Pundit.policy_scope(scope[:current_user], object.send(attr))&.map(&:id) || []
+ end
+ has_many(attr, opts.merge(if: -> { embeds.include?(key) })) do
+ Pundit.policy_scope(scope[:current_user], object.send(attr)) || []
 end
- has_many(attr, opts.merge(if: -> { embeds.include?(key) }))
 else
 id_opts = opts.merge(key: "#{key}_id")
 attribute("#{attr}_id".to_sym,
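Review bot: The new precedence in `current_user` (restful_controller.rb) is an authorization decision that nothing in the code records: a request carrying both a token and a cookie session is now authorized as the token's user, and `doorkeeper_user` is consulted only when both are absent. A comment above the method, such as `# an explicit API token wins over the cookie session; the Doorkeeper OAuth user is the last fallback`, would stop a later reorder from silently changing whose permissions apply. The trailing `|| nil` is redundant and can be dropped. How `token_user` validates the token is outside the hunk, so its handling of an invalid or expired token (presumably nil, falling through to the session) should be confirmed and covered by a test.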
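Review bot: The `else` branch that begins in the trailing context of application_serializer.rb (`attribute("#{attr}_id".to_sym, …`) handles singular associations and, as far as the hunk shows, gets no equivalent policy check, so the id of a record the caller may not view could still be serialized there; that branch continues outside the hunk and should be confirmed. In the plural branch, `|| []` makes a missing `Scope` class indistinguishable from an empty result; failing closed is the right default, but a comment like `# policy_scope returns nil when no Scope class exists; treat that as "nothing visible"` would make the intent explicit. Both new blocks index `scope[:current_user]` directly, which raises if the serializer is ever built without a scope, so `(scope || {})[:current_user]` is safer. The repeated `Pundit.policy_scope(scope[:current_user], object.send(attr))` would also read better as one private helper shared by the two blocks.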