Breaking: Removed access-control action filter attributes such as HttpReadOnly, NoHttpPost etc. because they interfere with relationship endpoints. For example, blocking POST would block creating resources, as well as adding to to-many relationships, which is not very useful. The replacement is to inject just the subset of exposed services, or simply use the Command/Query controllers. When an endpoint is not exposed, we now return HTTP 403 Forbidden instead of 404 or 405.

Author: Bart Koelman

docs/usage/extensibility/controllers.md

@@ -13,83 +13,49 @@ public class ArticlesController : JsonApiController<Article, Guid>
 }
 ```
 
+If you want to setup routes yourself, you can instead inherit from `BaseJsonApiController<TResource, TId>` and override its methods with your own `[HttpGet]`, `[HttpHead]`, `[HttpPost]`, `[HttpPatch]` and `[HttpDelete]` attributes added on them. Don't forget to add `[FromBody]` on parameters where needed.
+
 ## Resource Access Control
 
-It is often desirable to limit what methods are exposed on your controller. The first way you can do this, is to simply inherit from `BaseJsonApiController` and explicitly declare what methods are available.
+It is often desirable to limit which routes are exposed on your controller.
 
-In this example, if a client attempts to do anything other than GET a resource, an HTTP 404 Not Found response will be returned since no other methods are exposed.
+To provide read-only access, inherit from `JsonApiQueryController` instead, which blocks all POST, PATCH and DELETE requests.
+Likewise, to provide write-only access, inherit from `JsonApiCommandController`, which blocks all GET and HEAD requests.
 
-This approach is ok, but introduces some boilerplate that can easily be avoided.
+You can even make your own mix of allowed routes by calling the alternate constructor of `JsonApiController` and injecting the set of service implementations available.
+In some cases, resources may be an aggregation of entities or a view on top of the underlying entities. In these cases, there may not be a writable `IResourceService` implementation, so simply inject the implementation that is available.
 
 ```c#
-public class ArticlesController : BaseJsonApiController<Article, int>
+public class ReportsController : JsonApiController<Report, int>
 {
-    public ArticlesController(IJsonApiOptions options, IResourceGraph resourceGraph,
-        ILoggerFactory loggerFactory, IResourceService<Article, int> resourceService)
-        : base(options, resourceGraph, loggerFactory, resourceService)
-    {
-    }
-
-    [HttpGet]
-    public override async Task<IActionResult> GetAsync(CancellationToken cancellationToken)
-    {
-        return await base.GetAsync(cancellationToken);
-    }
-
-    [HttpGet("{id}")]
-    public override async Task<IActionResult> GetAsync(int id,
-        CancellationToken cancellationToken)
+    public ReportsController(IJsonApiOptions options, IResourceGraph resourceGraph,
+        ILoggerFactory loggerFactory, IGetAllService<Report, int> getAllService)
+        : base(options, resourceGraph, loggerFactory, getAll: getAllService)
     {
-        return await base.GetAsync(id, cancellationToken);
     }
 }
 ```
 
-## Using ActionFilterAttributes
-
-The next option is to use the ActionFilter attributes that ship with the library. The available attributes are:
-
-- `NoHttpPost`: disallow POST requests
-- `NoHttpPatch`: disallow PATCH requests
-- `NoHttpDelete`: disallow DELETE requests
-- `HttpReadOnly`: all of the above
+For more information about resource service injection, see [Replacing injected services](~/usage/extensibility/layer-overview.md#replacing-injected-services) and [Resource Services](~/usage/extensibility/services.md).
 
-Not only does this reduce boilerplate, but it also provides a more meaningful HTTP response code.
-An attempt to use one of the blacklisted methods will result in a HTTP 405 Method Not Allowed response.
+When a route is blocked, an HTTP 403 Forbidden response is returned.
 
-```c#
-[HttpReadOnly]
-public class ArticlesController : BaseJsonApiController<Article, int>
-{
-    public ArticlesController(IJsonApiOptions options, IResourceGraph resourceGraph,
-        ILoggerFactory loggerFactory, IResourceService<Article, int> resourceService)
-        : base(options, resourceGraph, loggerFactory, resourceService)
-    {
-    }
-}
+```http
+DELETE http://localhost:14140/people/1 HTTP/1.1
 ```
 
-## Implicit Access By Service Injection
-
-Finally, you can control the allowed methods by supplying only the available service implementations. In some cases, resources may be an aggregation of entities or a view on top of the underlying entities. In these cases, there may not be a writable `IResourceService` implementation, so simply inject the implementation that is available.
-
-As with the ActionFilter attributes, if a service implementation is not available to service a request, HTTP 405 Method Not Allowed will be returned.
-
-For more information about resource service injection, see [Replacing injected services](~/usage/extensibility/layer-overview.md#replacing-injected-services) and [Resource Services](~/usage/extensibility/services.md).
-
-```c#
-public class ReportsController : BaseJsonApiController<Report, int>
+```json
 {
-    public ReportsController(IJsonApiOptions options, IResourceGraph resourceGraph,
-        ILoggerFactory loggerFactory, IGetAllService<Report, int> getAllService)
-        : base(options, resourceGraph, loggerFactory, getAllService)
-    {
-    }
-
-    [HttpGet]
-    public override async Task<IActionResult> GetAsync(CancellationToken cancellationToken)
+  "links": {
+    "self": "/api/v1/people"
+  },
+  "errors": [
     {
-        return await base.GetAsync(cancellationToken);
+      "id": "dde7f219-2274-4473-97ef-baac3e7c1487",
+      "status": "403",
+      "title": "The requested endpoint is not accessible.",
+      "detail": "Endpoint '/people/1' is not accessible for DELETE requests."
     }
+  ]
 }
 ```

docs/usage/extensibility/services.md

@@ -152,30 +152,16 @@ public class Startup
 }
 ```
 
-Then in the controller, you should inherit from the base controller and pass the services into the named, optional base parameters:
+Then in the controller, you should inherit from the JSON:API controller and pass the services into the named, optional base parameters:
 
 ```c#
-public class ArticlesController : BaseJsonApiController<Article, int>
+public class ArticlesController : JsonApiController<Article, int>
 {
     public ArticlesController(IJsonApiOptions options, IResourceGraph resourceGraph,
         ILoggerFactory loggerFactory, ICreateService<Article, int> create,
         IDeleteService<Article, int> delete)
         : base(options, resourceGraph, loggerFactory, create: create, delete: delete)
     {
     }
-
-    [HttpPost]
-    public override async Task<IActionResult> PostAsync([FromBody] Article resource,
-        CancellationToken cancellationToken)
-    {
-        return await base.PostAsync(resource, cancellationToken);
-    }
-
-    [HttpDelete("{id}")]
-    public override async Task<IActionResult>DeleteAsync(int id,
-        CancellationToken cancellationToken)
-    {
-        return await base.DeleteAsync(id, cancellationToken);
-    }
 }
 ```

src/JsonApiDotNetCore/Controllers/Annotations/HttpReadOnlyAttribute.cs

@@ -95,7 +95,7 @@ public virtual async Task<IActionResult> GetAsync(CancellationToken cancellation
 
             if (_getAll == null)
             {
-                throw new RequestMethodNotAllowedException(HttpMethod.Get);
+                throw new RouteNotAvailableException(HttpMethod.Get, Request.Path);
             }
 
             IReadOnlyCollection<TResource> resources = await _getAll.GetAsync(cancellationToken);
@@ -115,7 +115,7 @@ public virtual async Task<IActionResult> GetAsync(TId id, CancellationToken canc
 
             if (_getById == null)
             {
-                throw new RequestMethodNotAllowedException(HttpMethod.Get);
+                throw new RouteNotAvailableException(HttpMethod.Get, Request.Path);
             }
 
             TResource resource = await _getById.GetAsync(id, cancellationToken);
@@ -138,7 +138,7 @@ public virtual async Task<IActionResult> GetSecondaryAsync(TId id, string relati
 
             if (_getSecondary == null)
             {
-                throw new RequestMethodNotAllowedException(HttpMethod.Get);
+                throw new RouteNotAvailableException(HttpMethod.Get, Request.Path);
             }
 
             object? rightValue = await _getSecondary.GetSecondaryAsync(id, relationshipName, cancellationToken);
@@ -161,7 +161,7 @@ public virtual async Task<IActionResult> GetRelationshipAsync(TId id, string rel
 
             if (_getRelationship == null)
             {
-                throw new RequestMethodNotAllowedException(HttpMethod.Get);
+                throw new RouteNotAvailableException(HttpMethod.Get, Request.Path);
             }
 
             object? rightValue = await _getRelationship.GetRelationshipAsync(id, relationshipName, cancellationToken);
@@ -183,7 +183,7 @@ public virtual async Task<IActionResult> PostAsync([FromBody] TResource resource
 
             if (_create == null)
             {
-                throw new RequestMethodNotAllowedException(HttpMethod.Post);
+                throw new RouteNotAvailableException(HttpMethod.Post, Request.Path);
             }
 
             if (_options.ValidateModelState && !ModelState.IsValid)
@@ -235,7 +235,7 @@ public virtual async Task<IActionResult> PostRelationshipAsync(TId id, string re
 
             if (_addToRelationship == null)
             {
-                throw new RequestMethodNotAllowedException(HttpMethod.Post);
+                throw new RouteNotAvailableException(HttpMethod.Post, Request.Path);
             }
 
             await _addToRelationship.AddToToManyRelationshipAsync(id, relationshipName, rightResourceIds, cancellationToken);
@@ -259,7 +259,7 @@ public virtual async Task<IActionResult> PatchAsync(TId id, [FromBody] TResource
 
             if (_update == null)
             {
-                throw new RequestMethodNotAllowedException(HttpMethod.Patch);
+                throw new RouteNotAvailableException(HttpMethod.Patch, Request.Path);
             }
 
             if (_options.ValidateModelState && !ModelState.IsValid)
@@ -301,7 +301,7 @@ public virtual async Task<IActionResult> PatchRelationshipAsync(TId id, string r
 
             if (_setRelationship == null)
             {
-                throw new RequestMethodNotAllowedException(HttpMethod.Patch);
+                throw new RouteNotAvailableException(HttpMethod.Patch, Request.Path);
             }
 
             await _setRelationship.SetRelationshipAsync(id, relationshipName, rightValue, cancellationToken);
@@ -321,7 +321,7 @@ public virtual async Task<IActionResult> DeleteAsync(TId id, CancellationToken c
 
             if (_delete == null)
             {
-                throw new RequestMethodNotAllowedException(HttpMethod.Delete);
+                throw new RouteNotAvailableException(HttpMethod.Delete, Request.Path);
             }
 
             await _delete.DeleteAsync(id, cancellationToken);
@@ -359,7 +359,7 @@ public virtual async Task<IActionResult> DeleteRelationshipAsync(TId id, string
 
             if (_removeFromRelationship == null)
             {
-                throw new RequestMethodNotAllowedException(HttpMethod.Delete);
+                throw new RouteNotAvailableException(HttpMethod.Delete, Request.Path);
             }
 
             await _removeFromRelationship.RemoveFromToManyRelationshipAsync(id, relationshipName, rightResourceIds, cancellationToken);