
Rails Pundit policy_scope on render json include fields

Continuing from my previous question: Active Model Serializer and Pundit delete records during the Show CRUD action

I have a situation where a User should not be able to view the unpublished chapters of a Story created by another user (the author).

For example, if UserA creates a story called Targon with 2 published chapters and 2 unpublished chapters, then UserB should only see the published chapters of the Targon story.

Normally, a Pundit policy scope is applied to the index CRUD action.

However, what I need to scope are the Story's Chapters in the render json line:

render json: story, include: [:user, :chapters], status: :ok

I tried:

# ---------------------------------------------------------------------------
# ActiveRecord auto-save will kick in and delete all unpublished chapters
# ---------------------------------------------------------------------------
story.chapters = policy_scope(story.chapters)

render json: story, include: [:user, :chapters], status: :ok

According to https://gist.github.com/demisx/9896113 (the has_many section), the code above deletes all unpublished chapters belonging to Targon when I reassign story.chapters:

story.chapters = policy_scope(story.chapters) # BAD

I was hoping there was some way to do something like the following:

render json: story, include: [:user, policy_scope(:chapters)], status: :ok

Currently, without scoping story.chapters, any user who fetches the Story with ID 16 (Targon) gets this JSON API response:

{
    "data": {
        "id": "16",
        "type": "stories",
        "attributes": {
            "title": "Mount Targon",
            "summary": "Mount Targon is the mightiest peak in Runeterra, a towering peak of sun-baked rock amid a range of summits unmatched in scale anywhere else in the world. Located far from civilization, Mount Targon is utterly remote and all but impossible to reach save by the most determined seeker. Many legends cling to Mount Targon, and, like any place of myth, it is a beacon to dreamers, madmen and questors of adventure. Some of these brave souls attempt to scale the impossible mountain, perhaps seeking wisdom or enlightenment, perhaps chasing glory or some soul-deep yearning to witness its summit. The ascent is all but impossible, and those hardy few who somehow survive to reach the top almost never speak of what they have seen. Some return with a haunted, empty look in their eyes, others changed beyond all recognition, imbued by an Aspect of unearthly, inhuman power with a destiny few mortals can comprehend.",
            "published": true,
            "published-date": "2017-11-02T10:35:33.184Z",
            "created-at": "2017-11-02T10:35:33.184Z",
            "updated-at": "2017-11-04T07:35:04.083Z",
            "cover": {
                "url": "http://res.cloudinary.com/chewedon/image/upload/v1509780931/c8ubn3tfivxziyxwynsa.png",
                "standard": {
                    "url": "http://res.cloudinary.com/chewedon/image/upload/c_fill,g_north,h_300,w_200/c8ubn3tfivxziyxwynsa.png"
                }
            }
        },
        "relationships": {
            "user": {
                "data": {
                    "id": "1",
                    "type": "users"
                }
            },
            "chapters": {
                "data": [{
                    "id": "26",
                    "type": "chapters"
                }, {
                    "id": "27",
                    "type": "chapters"
                }, {
                    "id": "37",
                    "type": "chapters"
                }, {
                    "id": "38",
                    "type": "chapters"
                }]
            }
        }
    },
    "included": [{
        "id": "1",
        "type": "users",
        "attributes": {
            "username": "Chewedon",
            "photo": {
                "url": "http://res.cloudinary.com/chewedon/image/upload/v1509857442/nx1tqlcdxrhz6r3kjx87.jpg",
                "standard": {
                    "url": "http://res.cloudinary.com/chewedon/image/upload/c_fill,g_north,h_150,w_150/nx1tqlcdxrhz6r3kjx87.jpg"
                }
            }
        },
        "relationships": {
            "stories": {
                "data": [{
                    "id": "1",
                    "type": "stories"
                }, {
                    "id": "2",
                    "type": "stories"
                }, {
                    "id": "3",
                    "type": "stories"
                }, {
                    "id": "4",
                    "type": "stories"
                }, {
                    "id": "5",
                    "type": "stories"
                }, {
                    "id": "6",
                    "type": "stories"
                }, {
                    "id": "8",
                    "type": "stories"
                }, {
                    "id": "9",
                    "type": "stories"
                }, {
                    "id": "10",
                    "type": "stories"
                }, {
                    "id": "11",
                    "type": "stories"
                }, {
                    "id": "12",
                    "type": "stories"
                }, {
                    "id": "13",
                    "type": "stories"
                }, {
                    "id": "14",
                    "type": "stories"
                }, {
                    "id": "15",
                    "type": "stories"
                }, {
                    "id": "16",
                    "type": "stories"
                }]
            }
        }
    }]
}

In the "relationships" section, chapters 37 and 38 are unpublished, which causes a 403 Forbidden on my Ember front end.

Ideally the server should scope the records before returning them, but because of the bug described above and the issue from my previous Stack Overflow question, I'm stuck on how to scope the included fields with Pundit.

Any ideas?

Thanks to user oowowaee from the previously linked question, who suggested overriding the `chapters` field of the Story serializer (I didn't know you could do that); the code now works correctly and records are no longer deleted from the database.

class StorySerializer < ActiveModel::Serializer
  include Pundit

  attributes :id, :title, :summary, :published, :published_date, :created_at, :updated_at, :cover

  belongs_to :user
  has_many :chapters

  # ------------------------------------------------------------------------
  # Note: need to use 'object.chapters' not 'self.chapters' below.
  # ------------------------------------------------------------------------
  def chapters
    policy_scope(object.chapters)
  end
end
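The pattern from the question and answer above (a Pundit-style scope that filters out chapters the current user may not see, read through the serializer rather than assigned back onto the record), as an added, dependency-free Ruby illustration that is not part of the original question or answer. Chapter, Story, User, ChapterPolicy::Scope and StoryPresenter are constructed stand-ins for the app's ActiveRecord models, Pundit policy and ActiveModel serializer; plain arrays replace ActiveRecord relations, and the rule "published, or authored by the current user" is an assumed policy.

```ruby
# Constructed stand-ins (not the app's real models): plain Structs and arrays
# replace ActiveRecord models and relations.
Chapter = Struct.new(:id, :title, :published, :author_id)
Story   = Struct.new(:id, :title, :user_id, :chapters)
User    = Struct.new(:id, :username)

# Mirrors a Pundit policy scope (assumed rule): everyone sees published
# chapters; only the author also sees unpublished ones.
class ChapterPolicy
  class Scope
    def initialize(user, scope)
      @user, @scope = user, scope
    end

    def resolve
      @scope.select { |c| c.published || (@user && c.author_id == @user.id) }
    end
  end
end

# Stand-in for StorySerializer: the association is read *through* the scope,
# never assigned back onto the story, so no records are mutated or deleted.
class StoryPresenter
  def initialize(story, current_user)
    @story, @current_user = story, current_user
  end

  def chapters
    ChapterPolicy::Scope.new(@current_user, @story.chapters).resolve
  end

  # Minimal JSON:API-style relationships block, like the response in the question.
  def relationships
    { "chapters" => { "data" => chapters.map { |c| { "id" => c.id.to_s, "type" => "chapters" } } } }
  end
end

# Constructed sample data modelled on the question (ids match the quoted JSON).
AUTHOR = User.new(1, "Chewedon")
READER = User.new(2, "reader")
TARGON = Story.new(16, "Mount Targon", 1, [
  Chapter.new(26, "Ch 1", true, 1),  Chapter.new(27, "Ch 2", true, 1),
  Chapter.new(37, "Ch 3", false, 1), Chapter.new(38, "Ch 4", false, 1)
])

# Chapter ids a given user (or nil for anonymous) would see in the response.
def visible_chapter_ids(story, user)
  StoryPresenter.new(story, user).chapters.map(&:id)
end
```

A reader other than the author gets only chapters 26 and 27, while the story's own chapters array still holds all four, which is the property the serializer override in the answer preserves and the `story.chapters = ...` assignment broke.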
