From f53a07c143261b0452e65af5b453c4bde1c639b1 Mon Sep 17 00:00:00 2001
From: Toby Zerner
Date: Fri, 15 Jan 2021 08:37:49 +1030
Subject: [PATCH] Enforce resource listability
---
 src/Endpoint/Index.php | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/Endpoint/Index.php b/src/Endpoint/Index.php
index ba277be..e4ad427 100644
--- a/src/Endpoint/Index.php
+++ b/src/Endpoint/Index.php
@@ -19,6 +19,7 @@ use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface as Request;
 use Tobyz\JsonApiServer\Adapter\AdapterInterface;
 use Tobyz\JsonApiServer\Exception\BadRequestException;
+use Tobyz\JsonApiServer\Exception\ForbiddenException;
 use Tobyz\JsonApiServer\JsonApi;
 use Tobyz\JsonApiServer\ResourceType;
 use Tobyz\JsonApiServer\Schema\Attribute;
@@ -51,6 +52,10 @@ class Index
 $adapter = $this->resource->getAdapter();
 $schema = $this->resource->getSchema();
+ if (! evaluate($schema->isListable(), [$context])) {
+ throw new ForbiddenException;
+ }
+
 $query = $adapter->newQuery();
 run_callbacks($schema->getListeners('listing'), [$query, $context]);
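Review bot: The new listability guard in the second hunk (`class Index`) ships without a test: the diffstat shows only `src/Endpoint/Index.php` changed, so nothing pins that a non-listable resource is refused with `ForbiddenException`. A regression test should assert both the 403 and that no `listing` callback fires for the denied request, since the guard's position before `$adapter->newQuery()` and `run_callbacks(...)` is what keeps a denied caller away from the query. A one-line comment above the `if` would protect that ordering from later refactors, e.g. `// Authorize first: a denied request must never reach newQuery() or the 'listing' listeners.` The `!` test is truthiness-based, so a visibility callback that returns nothing fails closed; whether `isListable()` also governs resources reached through other endpoints or includes is not visible here and is worth confirming. The enclosing method starts and ends outside the hunk.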