Suggestion: Collect array of applied policies against resource #78

@Justin-Maxwell

Hi.

Firstly, thanks so much for this gem!!

I've been hacking away at helpers to be able to write and run flexible Resource testing from resource_specs, rather than request_specs, because it makes testing a lot cleaner and easier. (Unfortunately, the mostly excellent jsonapi-resources seems to largely miss out on describing how to work with resources and resource operations directly.)

One thing that occurred to me in the process (now that I have nice JSONAPI::OperationResults to work with in my specs) is:

If jsonapi-authorization could somehow tag the resource (or the OperationResult, or something related and accessible) with the names/symbols of the various Pundit policy methods (relationship_method) and scopes that were applied during the authorization phase, this would make for really nice linking to the policy_specs, and assurance that all the right rules are being applied, without having to repeat some of the auth-test-logic again further up the stack.

e.g. things like if policy.respond_to?(relationship_method) which mean a typo could result in a well tested policy method not actually being used by jsonapi-authorization when expected.

It'd be so nice to be able to check something like:
expect(resource.policy_authorizations).to include(:create_with_widget) in a resource spec.

NB: (just top-of-head rambling from here on) Taken to the extreme, it could go a couple of levels deeper:

resource.policy_authorizations ==
{
  comment: {
    create: :passed,
    create_with_article: :not_found,
    create_with_user: :passed
  },
  article: {
    scope: :empty,
    update: :passed
  }
}

Something like this might also make it a lot quicker for newcomers to get up to speed with the Rails jsonapi/pundit suite - I know it would have helped me a lot to get that insight into what was going on, when I was struggling to get to grips with JR (and, less awkwardly, Pundit) at the same time.
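A sketch of the kind of record requested above, added here as an example; it is not part of the original post and is not jsonapi-authorization or Pundit code. `PolicyAuthorizationRecorder`, its `authorize` method, the `fallback:` argument and the sample `CommentPolicy` are hypothetical names, and the fallback behaviour is an assumption modelled on the `respond_to?` guard quoted in the issue.

```ruby
# Added illustration: hypothetical helper, not jsonapi-authorization or Pundit code.
# Records the outcome of every policy query so a spec can assert on it.
class PolicyAuthorizationRecorder
  attr_reader :policy_authorizations

  def initialize
    @policy_authorizations = Hash.new { |hash, key| hash[key] = {} }
  end

  # Runs `query` on `policy`. When the policy does not define `query`
  # (the respond_to? guard quoted in the issue), the miss is recorded as
  # :not_found and the assumed `fallback` query is evaluated instead.
  def authorize(name, policy, query, fallback: nil)
    unless policy.respond_to?(query)
      record(name, query, :not_found)
      return false if fallback.nil?
      return authorize(name, policy, fallback)
    end
    allowed = policy.public_send(query) ? true : false
    record(name, query, allowed ? :passed : :failed)
    allowed
  end

  private

  def record(name, query, outcome)
    @policy_authorizations[name][query.to_s.delete_suffix('?').to_sym] = outcome
  end
end

# Constructed sample policy: create_with_article? is deliberately absent,
# standing in for a typo or a method that was never written.
class CommentPolicy
  def create?
    true
  end

  def create_with_user?
    true
  end
end

def sample_run
  recorder = PolicyAuthorizationRecorder.new
  policy = CommentPolicy.new
  recorder.authorize(:comment, policy, :create?)
  recorder.authorize(:comment, policy, :create_with_article?, fallback: :create?)
  recorder.authorize(:comment, policy, :create_with_user?)
  recorder.policy_authorizations
end
```

With a record like this, a spec can fail on any `:not_found` entry, so a request that was authorized only through the fallback is visible instead of silently passing.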
