Class: Rhino::ResourcesController

Inherits:
ActionController::API
  • Object
show all
Includes:
Pundit::Authorization
Defined in:
lib/rhino/controllers/resources_controller.rb

Overview

Global CRUD controller that handles all registered models. Mirrors the Laravel GlobalController exactly.

Routes pass the model slug via route defaults, and this controller resolves the appropriate ActiveRecord class to operate on.

Constant Summary collapse

@@organization_path_cache =

Cache for auto-detected organization paths (class-level, survives across requests)

{}

Instance Method Summary collapse

Instance Method Details

#destroyObject

DELETE /api/slug/:id



152
153
154
155
156
157
158
159
160
161
162
163
 
# File 'lib/rhino/controllers/resources_controller.rb', line 152

def destroy
  record = find_record
  authorize record, :destroy?, policy_class: policy_for(record)

  if record.respond_to?(:discard!)
    record.discard!
  else
    record.destroy!
  end

  head :no_content
end

#force_deleteObject

DELETE /api/slug/:id/force-delete



201
202
203
204
205
206
207
208
 
# File 'lib/rhino/controllers/resources_controller.rb', line 201

def force_delete
  record = model_class.discarded.find(params[:id])
  authorize record, :force_delete?, policy_class: policy_for(record)

  record.destroy!

  head :no_content
end

#indexObject

GET /api/slug



38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
 
# File 'lib/rhino/controllers/resources_controller.rb', line 38

def index
  authorize model_class, :index?, policy_class: policy_for(model_class)

  builder = QueryBuilder.new(model_class, params: params)
  apply_organization_scope(builder)
  builder.build

  per_page = params[:per_page]
  pagination_enabled = model_class.try(:pagination_enabled) || false

  if per_page.present? || pagination_enabled
    result = builder.paginate
    set_pagination_headers(result[:pagination])
    render json: { data: serialize_collection(result[:items]) }
  else
    render json: { data: serialize_collection(builder.to_scope) }
  end
end

#nestedObject

POST /api/nested



215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
 
# File 'lib/rhino/controllers/resources_controller.rb', line 215

def nested
  operations = validate_nested_structure
  return if performed?

  nested_config = Rhino.config.nested
  max_ops = nested_config[:max_operations]

  if max_ops && operations.length > max_ops
    return render json: {
      message: "Too many operations.",
      errors: { operations: ["Maximum #{max_ops} operations allowed."] }
    }, status: :unprocessable_entity
  end

  allowed_models = nested_config[:allowed_models]
  if allowed_models.is_a?(Array)
    operations.each_with_index do |op, index|
      unless allowed_models.include?(op["model"])
        return render json: {
          message: "Operation not allowed.",
          errors: { "operations.#{index}.model" => ["Model \"#{op['model']}\" is not allowed for nested operations."] }
        }, status: :unprocessable_entity
      end
    end
  end

  # Validate and authorize each operation
  validated_per_op = []
  auth_results = []

  operations.each_with_index do |operation, index|
    validated = validate_nested_operation(operation, index)
    return if performed?
    validated_per_op << validated

    auth_result = authorize_nested_operation(operation, validated, index)
    return if performed?
    auth_results << auth_result
  end

  # Execute all operations in a transaction
  results = execute_nested_operations(operations, validated_per_op, auth_results)
  render json: { results: results }
end

#restoreObject

POST /api/slug/:id/restore



190
191
192
193
194
195
196
197
198
 
# File 'lib/rhino/controllers/resources_controller.rb', line 190

def restore
  record = model_class.discarded.find(params[:id])
  authorize record, :restore?, policy_class: policy_for(record)

  record.undiscard!
  record.reload

  render json: serialize_record(record)
end

#showObject

GET /api/slug/:id



93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
 
# File 'lib/rhino/controllers/resources_controller.rb', line 93

def show
  record = find_record
  authorize record, :show?, policy_class: policy_for(record)

  # Apply includes if requested
  if params[:include].present?
    auth_response = authorize_includes
    return auth_response if auth_response

    builder = QueryBuilder.new(model_class, params: params)
    builder.instance_variable_set(:@scope, model_class.where(id: record.id))
    apply_organization_scope(builder)
    builder.build
    record = builder.to_scope.first!
  end

  render json: serialize_record(record)
end

#storeObject

POST /api/slug



58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
 
# File 'lib/rhino/controllers/resources_controller.rb', line 58

def store
  authorize model_class, :create?, policy_class: policy_for(model_class)

  data = params_hash

  # Strip organization_id — it's auto-set by the framework
  data.delete("organization_id") if current_organization

  permitted_fields = resolve_permitted_fields(current_user, "create")

  # Check for forbidden fields → 403
  forbidden = find_forbidden_fields(data, permitted_fields)
  if forbidden.any?
    return render json: {
      message: "You are not allowed to set the following field(s): #{forbidden.join(', ')}"
    }, status: :forbidden
  end

  model_instance = model_class.new
  validation = model_instance.validate_for_action(
    data, permitted_fields: permitted_fields, organization: current_organization
  )

  unless validation[:valid]
    return render json: { errors: validation[:errors] }, status: :unprocessable_entity
  end

  validated = validation[:validated]
  add_organization_to_data(validated)

  record = model_class.create!(validated)
  render json: serialize_record(record), status: :created
end

#trashedObject

GET /api/slug/trashed



170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
 
# File 'lib/rhino/controllers/resources_controller.rb', line 170

def trashed
  authorize model_class, :view_trashed?, policy_class: policy_for(model_class)

  builder = QueryBuilder.new(model_class.discarded, params: params)
  apply_organization_scope(builder)
  builder.build

  per_page = params[:per_page]
  pagination_enabled = model_class.try(:pagination_enabled) || false

  if per_page.present? || pagination_enabled
    result = builder.paginate
    set_pagination_headers(result[:pagination])
    render json: { data: serialize_collection(result[:items]) }
  else
    render json: { data: serialize_collection(builder.to_scope) }
  end
end

#updateObject

PUT /api/slug/:id



113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
 
# File 'lib/rhino/controllers/resources_controller.rb', line 113

def update
  record = find_record
  authorize record, :update?, policy_class: policy_for(record)

  data = params_hash

  # Reject organization_id changes — cross-tenant reassignment is not allowed
  if current_organization && data.key?("organization_id")
    return render json: {
      message: "You are not allowed to change the organization_id."
    }, status: :forbidden
  end

  permitted_fields = resolve_permitted_fields(current_user, "update")

  # Check for forbidden fields → 403
  forbidden = find_forbidden_fields(data, permitted_fields)
  if forbidden.any?
    return render json: {
      message: "You are not allowed to set the following field(s): #{forbidden.join(', ')}"
    }, status: :forbidden
  end

  model_instance = model_class.new
  validation = model_instance.validate_for_action(
    data, permitted_fields: permitted_fields, organization: current_organization
  )

  unless validation[:valid]
    return render json: { errors: validation[:errors] }, status: :unprocessable_entity
  end

  record.update!(validation[:validated])
  record.reload

  render json: serialize_record(record)
end