access-granted 0.2.1 → 1.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d6d610eeb4a1e57538d942c6f1cd0bfe6958a852
-  data.tar.gz: 50ce2232aa01528cb8478a38e578a8424ca0e801
+  metadata.gz: 1655a3217918c74b918dc7f52cf474a554fe3857
+  data.tar.gz: e589678196a86628ae844a6fa920824311a4025a
 SHA512:
-  metadata.gz: 0768c9dd24d77292180d8574f9155312c3a4028b2259d8125d8db36754e8a26c7bb448f88452f2b7588fa72edd9e46d68522ea1a3eb6e3a2b185ef766ecc292d
-  data.tar.gz: 7852d05613d5afa58e5cf6aa23a0432efab48ba0b7badc812047a107543e1c9784492ed591547e5f3cb649a0f58e2f53f75b8c1f964741451053eaea72111c49
+  metadata.gz: e4091466b976765cd9486124cc1daff3339918c985e02c76fe33093456c98cf41e842444e000a591b2262dc9210c0ae828f3f7bd6078b7a875462cb00ab9400b
+  data.tar.gz: c984daf5257a27d91c025b9b5e6955b1442da76f452f3344fa7d9d9f7036ebb6c4e25aab3c6cf3230ccd5fe61f02a0174e42d04aca0024516608c33668d583f3

data/LICENSE.txt

@@ -1,4 +1,4 @@
-Copyright (c) 2013 Piotrek Okoński
+Copyright (c) 2015 Chaps sp. z o.o.
 
 MIT License
 

data/README.md

@@ -26,7 +26,7 @@ AccessGranted is meant as a replacement for CanCan to solve major problems:
 2. Roles
 
   Adds support for roles, so no more `if`'s and `else`'s in your Policy file. This makes it extremely easy to maintain and read the code.
-  
+
 3. white-lists
 
   This means that you define what the user **can** do, which results in clean, readable policies regardless of app complexity.
@@ -58,8 +58,7 @@ Let's start with a complete example of what can be achieved:
 class AccessPolicy
   include AccessGranted::Policy
 
-  def configure(user)
-
+  def configure
     # The most important admin role, gets checked first
 
     role :admin, { is_admin: true } do
@@ -77,8 +76,8 @@ class AccessPolicy
     role :member do
       can :create, Post
 
-      can [:update, :destroy], Post do |post|
-        post.user_id == user.id && post.comments.empty?
+      can [:update, :destroy], Post do |post, user|
+        post.author == user && post.comments.empty?
       end
     end
   end
@@ -133,12 +132,12 @@ end
 
 #### Block conditions
 
-"But wait! User should also be able to edit his posts, and only his posts!", you are wondering.
-This can be done using a block condition in `can` method, like so:
+Sometimes you may need to dynamically check for ownership or other conditions,
+this can be done using a block condition in `can` method, like so:
 
 ```ruby
 role :member do
-  can :update, Post do |post|
+  can :update, Post do |post, user|
     post.author_id == user.id
   end
 end
@@ -157,7 +156,7 @@ role :admin, { is_admin: true } do
 end
 
 role :member do
-  can :update, Post do |post|
+  can :update, Post do |post, user|
     post.author_id == user.id
   end
 end
@@ -284,7 +283,7 @@ Below you can see an extracted `:member` role:
 class AccessPolicy
   include AccessGranted::Policy
 
-  def configure(user)
+  def configure
     role :administrator, is_admin: true do
       can :manage, User
     end
@@ -301,9 +300,9 @@ And roles should look like this
 # app/roles/member_role.rb
 
 class MemberRole < AccessGranted::Role
-  def configure(user)
+  def configure
     can :create, Post
-    can :destroy, Post do |post|
+    can :destroy, Post do |post, user|
       post.author == user
     end
   end

data/access-granted.gemspec

@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
 Gem::Specification.new do |spec|
   spec.name          = "access-granted"
-  spec.version       = "0.2.1"
+  spec.version       = "1.0.1"
   spec.authors       = ["Piotrek Okoński"]
   spec.email         = ["piotrek@okonski.org"]
   spec.description   = %q{Role based authorization gem}

data/lib/access-granted/permission.rb

@@ -2,8 +2,9 @@ module AccessGranted
   class Permission
     attr_reader :action, :subject, :granted, :conditions
 
-    def initialize(granted, action, subject, conditions = {}, block = nil)
+    def initialize(granted, action, subject, user = nil, conditions = {}, block = nil)
       @action     = action
+      @user       = user
       @granted    = granted
       @subject    = subject
       @conditions = conditions
@@ -20,7 +21,7 @@ module AccessGranted
 
     def matches_conditions?(subject)
       if @block
-        @block.call(subject)
+        @block.call(subject, @user)
       else
         matches_hash_conditions?(subject)
       end

data/lib/access-granted/policy.rb

@@ -5,10 +5,10 @@ module AccessGranted
     def initialize(user)
       @user          = user
       @roles         = []
-      configure(@user)
+      configure
     end
 
-    def configure(user)
+    def configure
     end
 
     def role(name, conditions_or_klass = nil, conditions = nil, &block)
@@ -25,7 +25,7 @@ module AccessGranted
       r
     end
 
-    def can?(action, subject)
+    def can?(action, subject = nil)
       roles.each do |role|
         next unless role.applies_to?(@user)
         permission = role.find_permission(action, subject)

data/lib/access-granted/role.rb

@@ -12,14 +12,14 @@ module AccessGranted
       if @block
         instance_eval(&@block)
       else
-        configure(@user)
+        configure
       end
     end
 
-    def configure(user)
+    def configure
     end
 
-    def can(action, subject, conditions = {}, &block)
+    def can(action, subject = nil, conditions = {}, &block)
       add_permission(true, action, subject, conditions, block)
     end
 
@@ -53,7 +53,7 @@ module AccessGranted
     def add_permission(granted, action, subject, conditions, block)
       prepare_actions(action).each do |a|
         raise DuplicatePermission if permission_exists?(a, subject)
-        @permissions << Permission.new(granted, a, subject, conditions, block)
+        @permissions << Permission.new(granted, a, subject, @user, conditions, block)
         @permissions_by_action[a] ||= []
         @permissions_by_action[a]  << @permissions.size - 1
       end

data/lib/generators/access_granted/policy_generator.rb

@@ -0,0 +1,16 @@
+require 'rails/generators/base'
+
+module Accessgranted
+  module Generators
+    class PolicyGenerator < Rails::Generators::Base
+      source_root File.expand_path("../../templates", __FILE__)
+
+      namespace "access_granted:policy"
+      desc "Creates an Access Granted policy."
+
+      def copy_policy
+        template "access_policy.rb", "app/policies/access_policy.rb"
+      end
+    end
+  end
+end

data/lib/generators/templates/access_policy.rb

@@ -0,0 +1,40 @@
+class AccessPolicy
+  include AccessGranted::Policy
+
+  def configure(user)
+    # Example policy for AccessGranted.
+    # For more details check the README at
+    #
+    # https://github.com/chaps-io/access-granted/blob/master/README.md
+    #
+    # Roles inherit from less important roles, so:
+    # - :admin has permissions defined in :member, :guest and himself
+    # - :member has permissions from :guest and himself
+    # - :guest has only its own permissions since it's the first role.
+    #
+    # The most important role should be at the top.
+    # In this case an administrator.
+    #
+    # role :admin, proc { |user| user.admin? } do
+    #   can :destroy, User
+    # end
+
+    # More privileged role, applies to registered users.
+    #
+    # role :member, proc { |user| user.registered? } do
+    #   can :create, Post
+    #   can :create, Comment
+    #   can [:update, :destroy], Post do |post|
+    #     post.author == user
+    #   end
+    # end
+
+    # The base role with no additional conditions.
+    # Applies to every user.
+    #
+    # role :guest do
+    #  can :read, Post
+    #  can :read, Comment
+    # end
+  end
+end

data/spec/controller_methods_spec.rb

@@ -28,7 +28,7 @@ describe AccessGranted::Rails::ControllerMethods do
       klass = Class.new do
         include AccessGranted::Policy
 
-        def configure(user)
+        def configure
           role :member, 1 do
             can :read, String
           end

data/spec/permission_spec.rb

@@ -11,7 +11,7 @@ describe AccessGranted::Permission do
 
     it "matches proc conditions" do
       sub = double("Element", published?: true)
-      perm = subject.new(true, :read, sub.class, {}, proc {|el| el.published? })
+      perm = subject.new(true, :read, sub.class, nil, {}, proc {|el| el.published? })
       expect(perm.matches_conditions?(sub)).to eq(true)
     end
   end
@@ -24,13 +24,13 @@ describe AccessGranted::Permission do
 
     it "matches when conditions given" do
       sub = double("Element", published: true)
-      perm = subject.new(true, :read, sub, { published: true })
+      perm = subject.new(true, :read, sub, nil, { published: true })
       expect(perm.matches_hash_conditions?(sub)).to eq(true)
     end
 
     it "does not match if one of the conditions mismatches" do
       sub = double("Element", published: true, readable: false)
-      perm = subject.new(true, :read, sub, { published: true, readable: true })
+      perm = subject.new(true, :read, sub, nil, { published: true, readable: true })
       expect(perm.matches_hash_conditions?(sub)).to eq(false)
     end
   end

data/spec/policy_spec.rb

@@ -12,11 +12,32 @@ describe AccessGranted::Policy do
       @banned = double("banned",        id: 4, is_moderator: false, is_admin: true,  is_banned: true)
     end
 
+    it "passes user object to permission block" do
+      post_owner = double(id: 123)
+      other_user = double(id: 5)
+      post = FakePost.new(post_owner.id)
+
+      klass = Class.new do
+        include AccessGranted::Policy
+
+        def configure
+          role :member do
+            can :destroy, FakePost do |post, user|
+              post.user_id == user.id
+            end
+          end
+        end
+      end
+
+      expect(klass.new(post_owner).can?(:destroy, post)).to     eq(true)
+      expect(klass.new(other_user).can?(:destroy, post)).to     eq(false)
+    end
+
     it "selects permission based on role priority" do
       klass = Class.new do
         include AccessGranted::Policy
 
-        def configure(user)
+        def configure
           role :administrator, { is_admin: true } do
             can :destroy, String
           end
@@ -48,28 +69,47 @@ describe AccessGranted::Policy do
         klass = Class.new do
           include AccessGranted::Policy
 
-          def configure(user)
+          def configure
             role :administrator, { is_admin: true } do
               can :destroy, FakePost
             end
 
             role :member do
-              can :destroy, FakePost, user_id: user.id
+              can :destroy, FakePost do |post, user|
+                post.user_id == user.id
+              end
             end
           end
         end
 
-       expect(klass.new(@admin).can?(:destroy, user_post)).to eq(true)
-       expect(klass.new(@member).can?(:destroy, user_post)).to eq(true)
-       expect(klass.new(@member).cannot?(:destroy, other_post)).to eq(true)
+       expect(klass.new(@admin).can?(:destroy, user_post)).to       eq(true)
+       expect(klass.new(@admin).can?(:destroy, other_post)).to      eq(true)
+
+       expect(klass.new(@member).can?(:destroy, user_post)).to      eq(true)
+       expect(klass.new(@member).cannot?(:destroy, other_post)).to  eq(true)
+      end
+    end
+
+    it "resolves permissions without subject" do
+      klass = Class.new do
+        include AccessGranted::Policy
+
+        def configure
+          role :member do
+            can :vague_action
+          end
+        end
       end
+
+      expect(klass.new(@member).can?(:vague_action)).to eq(true)
     end
+
     describe "#cannot" do
       it "forbids action when used in superior role" do
         klass = Class.new do
           include AccessGranted::Policy
 
-          def configure(user)
+          def configure
             role :banned, { is_banned: true } do
               cannot :create, String
             end
@@ -89,13 +129,13 @@ describe AccessGranted::Policy do
         Class.new do
           include AccessGranted::Policy
 
-          def configure(user)
+          def configure
             role(:member) { can :create, String }
           end
         end
       end
 
-      it "raises AccessDenied if actions is not allowed" do
+      it "raises AccessDenied if action is not allowed" do
         expect { klass.new(@member).authorize!(:create, Integer) }.to raise_error AccessGranted::AccessDenied
       end
 
@@ -108,7 +148,7 @@ describe AccessGranted::Policy do
   describe "#role" do
     it "allows passing role class" do
       klass_role = Class.new AccessGranted::Role do
-        def configure(user)
+        def configure
           can :read, String
         end
       end

data/spec/role_spec.rb

@@ -42,6 +42,11 @@ describe AccessGranted::Role do
       @role = AccessGranted::Role.new(:member)
     end
 
+    it "allows adding permission without subject" do
+      @role.can :vague_action
+      expect(@role.find_permission(:vague_action, nil)).to_not be_nil
+    end
+
     it "forbids creating actions with the same name" do
       @role.can :read, String
       expect { @role.can :read, String }.to raise_error AccessGranted::DuplicatePermission

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: access-granted
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 1.0.1
 platform: ruby
 authors:
 - Piotrek Okoński
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-08-13 00:00:00.000000000 Z
+date: 2015-11-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -62,6 +62,8 @@ files:
 - lib/access-granted/policy.rb
 - lib/access-granted/rails/controller_methods.rb
 - lib/access-granted/role.rb
+- lib/generators/access_granted/policy_generator.rb
+- lib/generators/templates/access_policy.rb
 - spec/controller_methods_spec.rb
 - spec/permission_spec.rb
 - spec/policy_spec.rb