Deprecates and replaces the allow_include config option

Replaces `allow_includes` with `default_allow_include_to_one` and `default_allow_include_to_many` configuration options.
Adds support for `allow_include` option on Relationships to override the config settings.

Author: lgebhardt

lib/jsonapi/configuration.rb

@@ -10,7 +10,8 @@ class Configuration
                 :route_format,
                 :raise_if_parameters_not_allowed,
                 :warn_on_route_setup_issues,
-                :allow_include,
+                :default_allow_include_to_one,
+                :default_allow_include_to_many,
                 :allow_sort,
                 :allow_filter,
                 :default_paginator,
@@ -50,7 +51,8 @@ def initialize
       self.resource_key_type = :integer
 
       # optional request features
-      self.allow_include = true
+      self.default_allow_include_to_one = true
+      self.default_allow_include_to_many = true
       self.allow_sort = true
       self.allow_filter = true
 
@@ -227,7 +229,13 @@ def resource_finder=(resource_finder)
       @resource_finder = resource_finder
     end
 
-    attr_writer :allow_include, :allow_sort, :allow_filter
+    def allow_include=(allow_include)
+      ActiveSupport::Deprecation.warn('`allow_include` has been replaced by `default_allow_include_to_one` and `default_allow_include_to_many` options.')
+      @default_allow_include_to_one = allow_include
+      @default_allow_include_to_many = allow_include
+    end
+
+    attr_writer :allow_sort, :allow_filter, :default_allow_include_to_one, :default_allow_include_to_many
 
     attr_writer :default_paginator
 

lib/jsonapi/exceptions.rb

@@ -342,7 +342,7 @@ def errors
                              title: I18n.translate('jsonapi-resources.exceptions.invalid_include.title',
                                                    default: 'Invalid field'),
                              detail: I18n.translate('jsonapi-resources.exceptions.invalid_include.detail',
-                                                    default: "#{relationship} is not a valid relationship of #{resource}",
+                                                    default: "#{relationship} is not a valid includable relationship of #{resource}",
                                                     relationship: relationship, resource: resource))]
       end
     end

lib/jsonapi/relationship.rb

@@ -3,7 +3,7 @@ class Relationship
     attr_reader :acts_as_set, :foreign_key, :options, :name,
                 :class_name, :polymorphic, :always_include_linkage_data,
                 :parent_resource, :eager_load_on_include, :custom_methods,
-                :inverse_relationship
+                :inverse_relationship, :allow_include
 
     def initialize(name, options = {})
       @name = name.to_s
@@ -17,6 +17,7 @@ def initialize(name, options = {})
       @polymorphic_relations = options[:polymorphic_relations]
       @always_include_linkage_data = options.fetch(:always_include_linkage_data, false) == true
       @eager_load_on_include = options.fetch(:eager_load_on_include, true) == true
+      @allow_include = options[:allow_include]
     end
 
     alias_method :polymorphic?, :polymorphic
@@ -100,6 +101,14 @@ def belongs_to?
       def polymorphic_type
         "#{name}_type" if polymorphic?
       end
+
+      def allow_include?
+        if @allow_include.nil?
+          JSONAPI.configuration.default_allow_include_to_one
+        else
+          @allow_include
+        end
+      end
     end
 
     class ToMany < Relationship
@@ -114,6 +123,14 @@ def initialize(name, options = {})
           @inverse_relationship = options.fetch(:inverse_relationship, parent_resource._type.to_s.singularize.to_sym)
         end
       end
+
+      def allow_include?
+        if @allow_include.nil?
+          JSONAPI.configuration.default_allow_include_to_one
+        else
+          @allow_include
+        end
+      end
     end
   end
 end

lib/jsonapi/request_parser.rb

@@ -330,6 +330,10 @@ def check_include(resource_klass, include_parts)
 
       relationship = resource_klass._relationship(relationship_name)
       if relationship && format_key(relationship_name) == include_parts.first
+        unless relationship.allow_include?
+          fail JSONAPI::Exceptions::InvalidInclude.new(format_key(resource_klass._type), include_parts.first)
+        end
+
         unless include_parts.last.empty?
           check_include(Resource.resource_klass_for(resource_klass.module_path + relationship.class_name.to_s.underscore),
                         include_parts.last.partition('.'))
@@ -342,10 +346,6 @@ def check_include(resource_klass, include_parts)
     def parse_include_directives(resource_klass, raw_include)
       return unless raw_include
 
-      unless JSONAPI.configuration.allow_include
-        fail JSONAPI::Exceptions::ParameterNotAllowed.new(:include)
-      end
-
       included_resources = []
       begin
         included_resources += raw_include.is_a?(Array) ? raw_include : CSV.parse_line(raw_include) || []

locales/en.yml

@@ -48,7 +48,7 @@ en:
         detail: "%{field} is not a valid field for %{type}."
       invalid_include:
         title: 'Invalid include'
-        detail: "%{relationship} is not a valid relationship of %{resource}"
+        detail: "%{relationship} is not a valid includable relationship of %{resource}"
       invalid_sort_criteria:
         title: 'Invalid sort criteria'
         detail: "%{sort_criteria} is not a valid sort criteria for %{resource}"

test/controllers/controller_test.rb

@@ -551,11 +551,12 @@ def test_show_single_with_includes
   end
 
   def test_show_single_with_include_disallowed
+    original_config = JSONAPI.configuration.dup
     JSONAPI.configuration.allow_include = false
     assert_cacheable_get :show, params: {id: '1', include: 'comments'}
     assert_response :bad_request
   ensure
-    JSONAPI.configuration.allow_include = true
+    JSONAPI.configuration = original_config
   end
 
   def test_show_single_with_fields
@@ -2122,25 +2123,25 @@ def test_expense_entries_show_include
   def test_expense_entries_show_bad_include_missing_relationship
     assert_cacheable_get :show, params: {id: 1, include: 'isoCurrencies,employees'}
     assert_response :bad_request
-    assert_match /isoCurrencies is not a valid relationship of expenseEntries/, json_response['errors'][0]['detail']
+    assert_match /isoCurrencies is not a valid includable relationship of expenseEntries/, json_response['errors'][0]['detail']
   end
 
   def test_expense_entries_show_bad_include_missing_sub_relationship
     assert_cacheable_get :show, params: {id: 1, include: 'isoCurrency,employee.post'}
     assert_response :bad_request
-    assert_match /post is not a valid relationship of employees/, json_response['errors'][0]['detail']
+    assert_match /post is not a valid includable relationship of employees/, json_response['errors'][0]['detail']
   end
 
   def test_invalid_include
     assert_cacheable_get :index, params: {include: 'invalid../../../../'}
     assert_response :bad_request
-    assert_match /invalid is not a valid relationship of expenseEntries/, json_response['errors'][0]['detail']
+    assert_match /invalid is not a valid includable relationship of expenseEntries/, json_response['errors'][0]['detail']
   end
 
   def test_invalid_include_long_garbage_string
     assert_cacheable_get :index, params: {include: 'invalid.foo.bar.dfsdfs,dfsdfs.sdfwe.ewrerw.erwrewrew'}
     assert_response :bad_request
-    assert_match /invalid is not a valid relationship of expenseEntries/, json_response['errors'][0]['detail']
+    assert_match /invalid is not a valid includable relationship of expenseEntries/, json_response['errors'][0]['detail']
   end
 
   def test_expense_entries_show_fields

test/integration/requests/request_test.rb

@@ -1125,14 +1125,53 @@ def test_include_parameter_allowed
     assert_cacheable_jsonapi_get '/api/v2/books/1/book_comments?include=author'
   end
 
-  def test_include_parameter_not_allowed
+  def test_deprecated_include_parameter_not_allowed
+    original_config = JSONAPI.configuration.dup
     JSONAPI.configuration.allow_include = false
     get '/api/v2/books/1/book_comments?include=author', headers: {
       'Accept' => JSONAPI::MEDIA_TYPE
     }
     assert_jsonapi_response 400
   ensure
-    JSONAPI.configuration.allow_include = true
+    JSONAPI.configuration = original_config
+  end
+
+  def test_deprecated_include_message
+    ActiveSupport::Deprecation.silenced = false
+    original_config = JSONAPI.configuration.dup
+    _out, err = capture_io do
+      eval <<-CODE
+        JSONAPI.configuration.allow_include = false
+      CODE
+    end
+    assert_match /DEPRECATION WARNING: `allow_include` has been replaced by `default_allow_include_to_one` and `default_allow_include_to_many` options./, err
+  ensure
+    JSONAPI.configuration = original_config
+    ActiveSupport::Deprecation.silenced = true
+  end
+
+
+  def test_to_one_include_parameter_not_allowed
+    original_config = JSONAPI.configuration.dup
+    JSONAPI.configuration.default_allow_include_to_one = false
+    get '/api/v2/books/1/book_comments?include=author', headers: {
+        'Accept' => JSONAPI::MEDIA_TYPE
+    }
+    assert_jsonapi_response 400
+  ensure
+    JSONAPI.configuration = original_config
+  end
+
+  def test_to_one_include_parameter_allowed
+    original_config = JSONAPI.configuration.dup
+    JSONAPI.configuration.default_allow_include_to_one = true
+    get '/api/v2/books/1/book_comments?include=author', headers: {
+        'Accept' => JSONAPI::MEDIA_TYPE
+    }
+    assert_jsonapi_response 200
+    assert_equal 1, json_response['included'].size
+  ensure
+    JSONAPI.configuration = original_config
   end
 
   def test_filter_parameter_not_allowed

test/unit/jsonapi_request/jsonapi_request_test.rb

@@ -87,7 +87,7 @@ def test_parse_dasherized_with_underscored_include
 
     request.parse_include_directives(ExpenseEntryResource, params[:include])
     refute request.errors.empty?
-    assert_equal 'iso_currency is not a valid relationship of expense-entries', request.errors[0].detail
+    assert_equal 'iso_currency is not a valid includable relationship of expense-entries', request.errors[0].detail
   end
 
   def test_parse_fields_underscored

test/unit/resource/relationship_test.rb

@@ -9,4 +9,67 @@ def test_polymorphic_type
     assert_equal(relationship.polymorphic_type, "imageable_type")
   end
 
+  def test_allow_include_not_set_defaults_to_config_to_one
+    original_config = JSONAPI.configuration.dup
+
+    JSONAPI.configuration.default_allow_include_to_one = true
+    relationship = JSONAPI::Relationship::ToOne.new("foo")
+    assert(relationship.allow_include?)
+
+    JSONAPI.configuration.default_allow_include_to_one = false
+    relationship = JSONAPI::Relationship::ToOne.new("foo")
+    refute(relationship.allow_include?)
+
+  ensure
+    JSONAPI.configuration = original_config
+  end
+
+  def test_allow_include_not_set_defaults_to_config_to_many
+    original_config = JSONAPI.configuration.dup
+
+    JSONAPI.configuration.default_allow_include_to_many = true
+    relationship = JSONAPI::Relationship::ToMany.new("foobar")
+    assert(relationship.allow_include?)
+
+    JSONAPI.configuration.default_allow_include_to_one = false
+    relationship = JSONAPI::Relationship::ToOne.new("foobar")
+    refute(relationship.allow_include?)
+
+  ensure
+    JSONAPI.configuration = original_config
+  end
+
+  def test_allow_include_set_overrides_to_config_to_one
+    original_config = JSONAPI.configuration.dup
+
+    JSONAPI.configuration.default_allow_include_to_one = true
+    relationship1 = JSONAPI::Relationship::ToOne.new("foo1", allow_include: false)
+    relationship2 = JSONAPI::Relationship::ToOne.new("foo2", allow_include: true)
+    refute(relationship1.allow_include?)
+    assert(relationship2.allow_include?)
+
+    JSONAPI.configuration.default_allow_include_to_one = false
+    refute(relationship1.allow_include?)
+    assert(relationship2.allow_include?)
+
+  ensure
+    JSONAPI.configuration = original_config
+  end
+
+  def test_allow_include_set_overrides_to_config_to_many
+    original_config = JSONAPI.configuration.dup
+
+    JSONAPI.configuration.default_allow_include_to_one = true
+    relationship1 = JSONAPI::Relationship::ToMany.new("foobar1", allow_include: false)
+    relationship2 = JSONAPI::Relationship::ToMany.new("foobar2", allow_include: true)
+    refute(relationship1.allow_include?)
+    assert(relationship2.allow_include?)
+
+    JSONAPI.configuration.default_allow_include_to_one = false
+    refute(relationship1.allow_include?)
+    assert(relationship2.allow_include?)
+
+  ensure
+    JSONAPI.configuration = original_config
+  end
 end