Add an option to allow include on a relationship

[blmundie]

Add an option to each relationship to allow including in json. The default is to allow include.

[fotinakis]

I think that if we end up implementing a lightweight "permission system" for what can be included or not, it probably needs to be dynamic and not static like this. Ie. someone might want to "allow_include" true for admin users for certain relationships, and allow_include false for the same relationships for other users. Unfortunately this implementation is a bit too static for that world.

Also, there is probably a case where you would want to allow includes when starting at certain root elements but not others, ie. allow include of post.user on posts but not category.posts.user on categories, or something like that. In my mind these kinds of includes might expose a security vulnerabilities which I haven't fully thought through, so until we can really enumerate more cases I'd like to leave permission handling up to individual implementations rather than baking in something incomplete.

Would be interested to hear your and other comments on this and what the right strategy could be.

[blmundie]

I can change the code to allow a method name or proc to be passed to it as well as true or false. The proc or method could be passed passthrough_options or passthrough_options[:context] to get the current_user info.

For situations like post.user vs category.posts.user it might make more sense to handle the permissions in the relationship vs the include. You could use something like Pundit scopes to limit the category's posts to only the ones the user is permitted to view.

The scenario I need fix is including a parent then it's children. Something like post.category.posts or user.organization.users. I would much rather handle this in the serializer than having to parse the include string separately and checking permissions before serialize.