send batch of related records to authorizer instead of iterating

plantfansam · plantfansam · commit 7280547d6cf5 · 2017-03-20T14:35:30.000-04:00
diff --git a/lib/jsonapi/authorization/authorizing_processor.rb b/lib/jsonapi/authorization/authorizing_processor.rb
@@ -208,13 +208,11 @@ def authorize_remove_to_many_relationships
           related_records = related_resources.map { |resource| resource._model }
         end
 
-        related_records.each do |related_record|
-          authorizer.remove_to_many_relationship(
-            source_record,
-            related_record,
-            params[:relationship_type]
-          )
-        end
+        authorizer.remove_to_many_relationship(
+          source_record,
+          related_records,
+          params[:relationship_type]
+        )
       end
 
       def authorize_remove_to_one_relationship
diff --git a/lib/jsonapi/authorization/default_pundit_authorizer.rb b/lib/jsonapi/authorization/default_pundit_authorizer.rb
@@ -178,9 +178,9 @@ def replace_to_many_relationship(source_record, new_related_records, relationshi
       # * +source_record+ - The record whose relationship is modified
       # * +related_record+ - The record which will be disassociated from +source_record+
       # * +relationship_type+ - The relationship type
-      def remove_to_many_relationship(source_record, related_record, relationship_type)
+      def remove_to_many_relationship(source_record, related_records, relationship_type)
         relationship_method = "remove_from_#{relationship_type}?"
-        authorize_relationship_operation(source_record, relationship_method, related_record)
+        authorize_relationship_operation(source_record, relationship_method, related_records)
       end
 
       # <tt>DELETE /resources/:id/relationships/another-resource</tt>
diff --git a/spec/requests/relationship_operations_spec.rb b/spec/requests/relationship_operations_spec.rb
@@ -282,7 +282,7 @@
 
     context 'unauthorized for remove_to_many_relationship' do
       before do
-        disallow_operation('remove_to_many_relationship', article, kind_of(Comment), "comments")
+        disallow_operation('remove_to_many_relationship', article, kind_of(Array), "comments")
       end
 
       it { is_expected.to be_forbidden }
@@ -291,7 +291,7 @@
     context 'authorized for remove_to_many_relationship' do
       context 'not limited by policy scopes' do
         before do
-          allow_operation('remove_to_many_relationship', article, kind_of(Comment), "comments")
+          allow_operation('remove_to_many_relationship', article, kind_of(Array), "comments")
         end
 
         it { is_expected.to be_successful }
@@ -306,7 +306,7 @@
       # behaviour in that case anyway, as it might be surprising.
       context 'limited by policy scope on articles' do
         before do
-          allow_operation('remove_to_many_relationship', article, kind_of(Comment), :comments)
+          allow_operation('remove_to_many_relationship', article, kind_of(Array), :comments)
         end
         let(:policy_scope) { Article.where.not(id: article.id) }
         it { is_expected.to be_not_found }
