fix: ensure non-existing relation inclusion does not break requests

In case relation has a wildcard whitelisting and request contains a non-existing relation inclusion

Author: alexzarbn

src/Drivers/Standard/QueryBuilder.php

@@ -339,14 +339,17 @@ public function getQualifiedFieldName(string $field): string
      * @param string $relation
      * @return string
      */
-    public function getRelationModelClass(string $relation): string
+    public function getRelationModelClass(string $relation): ?string
     {
         $relations = collect(explode('.', $relation));
-        $relation = $relations[0];
 
-        $resourceModel = (new $this->resourceModelClass)->$relation()->getModel();
+        $resourceModel = (new $this->resourceModelClass);
+
+        foreach ($relations as $nestedRelation) {
+            if (!method_exists($resourceModel, $nestedRelation)) {
+                return null;
+            }
 
-        foreach ($relations->skip(1) as $nestedRelation) {
             $resourceModel = $resourceModel->$nestedRelation()->getModel();
         }
 
@@ -545,12 +548,16 @@ public function applyAggregatesToQuery($query, Request $request, array $aggregat
                 );
             }
 
+            if (!$relationModelClass = $this->getRelationModelClass($aggregateDescriptor['relation'])) {
+                continue;
+            }
+
             $query->withAggregate([
                 $aggregateDescriptor['relation'] => function (Builder $aggregateQuery) use (
                     $aggregateDescriptor,
-                    $request
+                    $request,
+                    $relationModelClass
                 ) {
-                    $relationModelClass = $this->getRelationModelClass($aggregateDescriptor['relation']);
                     $relationQueryBuilder = $this->clone($relationModelClass);
 
                     $relationQueryBuilder->applyFiltersToQuery(
@@ -590,9 +597,16 @@ public function applyIncludesToQuery($query, Request $request, array $includeDes
         }
 
         foreach ($includeDescriptors as $includeDescriptor) {
+            if (!$relationModelClass = $this->getRelationModelClass($includeDescriptor['relation'])) {
+                continue;
+            }
+
             $query->with([
-                $includeDescriptor['relation'] => function (Relation $includeQuery) use ($includeDescriptor, $request) {
-                    $relationModelClass = $this->getRelationModelClass($includeDescriptor['relation']);
+                $includeDescriptor['relation'] => function (Relation $includeQuery) use (
+                    $includeDescriptor,
+                    $request,
+                    $relationModelClass
+                ) {
                     $relationQueryBuilder = $this->clone($relationModelClass);
 
                     $relationQueryBuilder->applyFiltersToQuery(

tests/Feature/StandardShowOperationsTest.php

@@ -120,4 +120,16 @@ public function getting_a_single_resource_with_nested_included_relation(): void
 
         $this->assertResourceShown($response, $post->fresh('user.roles')->toArray());
     }
+
+    /** @test */
+    public function getting_a_single_resource_with_nested_non_existing_included_relation(): void
+    {
+        $post = factory(Post::class)->create(['user_id' => factory(User::class)->create()->id]);
+
+        Gate::policy(Post::class, GreenPolicy::class);
+
+        $response = $this->get("/api/posts/{$post->id}?include=image.non-existing-relation");
+
+        $this->assertResourceShown($response, $post->fresh()->toArray());
+    }
 }

tests/Fixtures/app/Http/Controllers/PostsController.php

@@ -58,6 +58,6 @@ public function exposedScopes(): array
      */
     public function includes(): array
     {
-        return ['user', 'user.roles'];
+        return ['user', 'user.roles', 'image.*'];
     }
 }