access-granted 1.1.2 → 1.3.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: b6d400982e35b05842762be3929a3bfb9d1a9de6
-  data.tar.gz: 3825d04d00c581e55b21339c92e6b8b3b5e90672
+SHA256:
+  metadata.gz: 115b6ed416c4bfa4b6d94d53520388c382b65966aa8ce7c4072d9991a630d1d3
+  data.tar.gz: 0af1baa07da37953f292b4bb8d24680cbebdf70c1495203d7a4312d4735584bb
 SHA512:
-  metadata.gz: f1fa9bad01415dc1642a0d7d4c6396f4db625f88f87c81f59649fb230547da4f32cbbcb01bb3362a4716cdfba702ed97719afc2eecee688a8383c05901e2f9b6
-  data.tar.gz: bc6346e03d9d8502f4e42fce4ec0eba1939fd5e3c01846380f480c1e0feb4936af16840d2caf507f8b75e4b66f9e7b9b03841e42cac2c34200d512d409d2e738
+  metadata.gz: 6554c68a9ddd5f04866afef389d59d48ddbd63fc6173c6955b39075fb9f23ac5c8d1036f13cc8f7ac9fed997217d1d69b725c5f6e0dc83550a1e8eea293e6e6d
+  data.tar.gz: 162efc4e19ad3fa554778b00dfd46d28f951ac90a65d94c2f3037f554dc590f9822eb7db6a19c792f65eeaba78adcc77386f9956e88c7f00f9127a2a231141e9

data/.travis.yml

@@ -1,9 +1,11 @@
 language: ruby
 sudo: false
 rvm:
-  - 1.9.3
   - 2.0
   - 2.1
   - 2.2
+  - 2.3
+  - 2.4
+  - 2.5
   - jruby-1
   - jruby

data/CHANGELOG.md

@@ -1,3 +1,42 @@
+# 1.3.3
+
+- Fix compatibility with Rails 6.0 and Zeitwerk ([PR #53](https://github.com/chaps-io/access-granted/pull/53)), thanks [jraqula](https://github.com/dmorehouse)!
+
+# 1.3.2
+
+- Expose `applicable_roles` method on the policy instance. This allows insight into what roles actually apply to a given user.
+
+# 1.3.1
+
+- Add information about action and subject when raising AccessDenied exception ([PR #46](https://github.com/chaps-io/access-granted/pull/46)), thanks [jraqula](https://github.com/jraqula)!
+
+# 1.3.0
+
+- Drop support for Ruby 1.9.3, it might still work but we are no longer testing against it.
+- Start testing against Rubies 2.3-2.5 in CI
+- Move Rails integration into Railties, this fixes some load order issues ([PR #45](https://github.com/chaps-io/access-granted/pull/45)), thanks [jraqula](https://github.com/jraqula)!
+
+# 1.2.0
+
+- Cache whole blocks of identical permissions when one of them is checked.
+  For example, assuming we have a given permissions set:
+
+  ```ruby
+  can [:update, :destroy, :archive], Post do |post, user|
+     post.user_id == user.id
+  end
+  ```
+
+  When resolving one of them like this:
+
+  ```ruby
+  can? :update, @post
+  ```
+
+  Access Granted will cache the result for each of the remaining actions, too.
+  So next time when checking permissions `:destroy` or `:archive`, AG will serve the result from cache instead of running the block again.
+
+
 # 1.1.2
 
 - Expose internal `block` instance variable in Permission class

data/README.md

@@ -19,11 +19,13 @@ Run the bundle command to install it. Then run the generator:
 
 Add the `policies` (and `roles` if you're using it to split up your roles into files) directories to your autoload paths in `application.rb`:
     
-    config.autoload_paths += %W(#{config.root}/app/policies #{config.root}/app/roles)
+```ruby
+config.autoload_paths += %W(#{config.root}/app/policies #{config.root}/app/roles)
+```
 
 ### Supported Ruby versions
 
-Because it has **zero** runtime dependencies it is guaranteed to work on all major Ruby versions MRI 1.9.3-2.2, Rubinius >= 2.X and JRuby >= 1.7.
+Because it has **zero** runtime dependencies it is guaranteed to work on all major Ruby versions MRI `2.0` - `2.5`, Rubinius `>= 2.X` and JRuby `>= 1.7`.
 
 ## Summary
 
@@ -31,26 +33,26 @@ AccessGranted is meant as a replacement for CanCan to solve major problems:
 
 1. Performance
 
-  On average AccessGranted is **20 times faster** in resolving identical permissions and takes less memory.
-  See [benchmarks](https://github.com/chaps-io/access-granted/blob/master/benchmarks).
+    On average AccessGranted is **20 times faster** in resolving identical permissions and takes less memory.
+    See [benchmarks](https://github.com/chaps-io/access-granted/blob/master/benchmarks).
 
 2. Roles
 
-  Adds support for roles, so no more `if`s and `else`s in your Policy file. This makes it extremely easy to maintain and read the code.
+    Adds support for roles, so no more `if`s and `else`s in your Policy file. This makes it extremely easy to maintain and    read the code.
 
 3. Whitelists
 
-  This means that you define what the user can do, which results in clean, readable policies regardless of application complexity.
-  You don't have to worry about juggling `can`s and `cannot`s in a very convoluted way!
+    This means that you define what the user can do, which results in clean, readable policies regardless of application complexity.
+    You don't have to worry about juggling `can`s and `cannot`s in a very convoluted way!
 
-  _Note_: `cannot` is still available, but has a very specifc use. See [Usage](#usage) below.
+    _Note_: `cannot` is still available, but has a very specifc use. See [Usage](#usage) below.
 
 4. Framework agnostic
 
-  Permissions can work on basically any object and AccessGranted is framework-agnostic,
-  but it has Rails support out of the box. :)
-  It does not depend on any libraries, pure and clean Ruby code. Guaranteed to always work,
-  even when software around changes.
+    Permissions can work on basically any object and AccessGranted is framework-agnostic,
+    but it has Rails support out of the box. :)
+    It does not depend on any libraries, pure and clean Ruby code. Guaranteed to always work,
+    even when software around changes.
 
 ## Usage
 
@@ -210,6 +212,41 @@ class ApplicationController < ActionController::Base
 end
 ```
 
+You can also extract the action and subject which raised the error,
+if you want to handle authorization errors differently for some cases:
+```ruby
+  rescue_from "AccessGranted::AccessDenied" do |exception|
+    status = case exception.action
+      when :read # invocation like `authorize! :read, @something`
+        403
+      else
+        404
+      end
+
+    body = case exception.subject
+      when Post # invocation like `authorize! @some_action, Post`
+        "failed to access a post"
+      else
+        "failed to access something else"
+      end
+  end
+```
+
+You can also have a custom exception message while authorizing a request.
+This message will be associated with the exception object thrown.
+
+```ruby
+class PostsController
+  def show
+    @post = Post.find(params[:id])
+    authorize! :read, @post, 'You do not have access to this post'
+    render json: { post: @post }
+  rescue AccessGranted::AccessDenied => e
+    render json: { error: e.message }, status: :forbidden
+  end
+end
+```
+
 #### Checking permissions in controllers
 
 To check if the user has a permission to perform an action, use the `can?` and `cannot?` methods.
@@ -280,7 +317,7 @@ or with `cannot?`:
 
 ```ruby
 policy.cannot?(:create, Post) #=> false
-policy.cannot?(:update, @ost) #=> true
+policy.cannot?(:update, @post) #=> true
 ```
 
 ## Common examples

data/access-granted.gemspec

@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
 Gem::Specification.new do |spec|
   spec.name          = "access-granted"
-  spec.version       = "1.1.2"
+  spec.version       = "1.3.3"
   spec.authors       = ["Piotrek Okoński"]
   spec.email         = ["piotrek@okonski.org"]
   spec.description   = %q{Role based authorization gem}

data/benchmarks/README.md

@@ -1,24 +1,24 @@
 # Benchmark results
 
-Benchmarks ran on Ubuntu 15.04 64bit, i5 2500k @ 4.4Ghz, 16 GB RAM with Ruby 2.2.
+Benchmarks ran on Ubuntu 17.04 64bit, i7 6700k @ 4.0Ghz, 32 GB RAM with Ruby 2.3.
 
 ## permissions.rb
 
 This benchmark runs `can?` method for the 3 user roles for 20 seconds each, for both CanCan and AccessGranted.
 
 ```
+Warming up --------------------------------------
+            ag-admin   158.815k i/100ms
+        ag-moderator   161.055k i/100ms
+             ag-user   161.670k i/100ms
+        cancan-admin    14.865k i/100ms
+    cancan-moderator    13.181k i/100ms
+         cancan-user    18.907k i/100ms
 Calculating -------------------------------------
-            ag-admin    21.361k i/100ms
-        cancan-admin    13.631k i/100ms
-        ag-moderator    22.328k i/100ms
-    cancan-moderator    11.679k i/100ms
-             ag-user    25.860k i/100ms
-         cancan-user    16.308k i/100ms
--------------------------------------------------
-            ag-admin    283.174k (± 1.1%) i/s -      5.682M
-        cancan-admin    160.450k (± 1.0%) i/s -      3.217M
-        ag-moderator    301.290k (± 1.1%) i/s -      6.029M
-    cancan-moderator    134.591k (± 1.3%) i/s -      2.698M
-             ag-user    353.259k (± 0.9%) i/s -      7.086M
-         cancan-user    198.579k (± 1.6%) i/s -      3.979M
+            ag-admin      2.141M (± 3.9%) i/s -     10.799M in   5.052573s
+        ag-moderator      2.180M (± 2.1%) i/s -     10.952M in   5.025727s
+             ag-user      2.206M (± 0.4%) i/s -     11.155M in   5.056550s
+        cancan-admin    158.288k (± 2.4%) i/s -    802.710k in   5.074299s
+    cancan-moderator    142.573k (± 2.1%) i/s -    724.955k in   5.087277s
+         cancan-user    204.783k (± 2.2%) i/s -      1.040M in   5.080488s
 ```

data/lib/access-granted.rb

@@ -3,19 +3,9 @@ require "access-granted/policy"
 require "access-granted/permission"
 require "access-granted/role"
 require "access-granted/rails/controller_methods"
+require "access-granted/railtie" if defined?(Rails)
 
 module AccessGranted
 
 end
 
-if defined? ActionController::Base
-  ActionController::Base.class_eval do
-    include AccessGranted::Rails::ControllerMethods
-  end
-end
-
-if defined? ActionController::API
-  ActionController::API.class_eval do
-    include AccessGranted::Rails::ControllerMethods
-  end
-end

data/lib/access-granted/exceptions.rb

@@ -3,5 +3,12 @@ module AccessGranted
 
   class DuplicatePermission < Error; end;
   class DuplicateRole < Error; end;
-  class AccessDenied < Error; end;
+  class AccessDenied < Error
+    attr_reader :action, :subject, :message
+    def initialize(action = nil, subject = nil, message = nil)
+      @action = action
+      @subject = subject
+      @message = message
+    end
+  end
 end

data/lib/access-granted/permission.rb

@@ -1,13 +1,14 @@
 module AccessGranted
   class Permission
-    attr_reader :action, :subject, :granted, :conditions, :block
+    attr_reader :action, :subject, :granted, :conditions, :actions, :block
 
-    def initialize(granted, action, subject, user = nil, conditions = {}, block = nil)
+    def initialize(granted, action, subject, user = nil, conditions = {}, actions = [], block = nil)
       @action     = action
       @user       = user
       @granted    = granted
       @subject    = subject
       @conditions = conditions
+      @actions    = actions
       @block      = block
     end
 
@@ -20,10 +21,12 @@ module AccessGranted
     end
 
     def matches_conditions?(subject)
-      if @block && !subject.is_a?(Class)
+      if @block
         @block.call(subject, @user)
-      else
+      elsif !@conditions.empty?
         matches_hash_conditions?(subject)
+      else
+        true
       end
     end
 

data/lib/access-granted/policy.rb

@@ -29,31 +29,40 @@ module AccessGranted
 
     def can?(action, subject = nil)
       cache[action] ||= {}
-      cache[action][subject] ||= check_permission(action, subject)
+
+      if cache[action][subject]
+        cache[action][subject]
+      else
+        granted, actions = check_permission(action, subject)
+        actions.each do |a|
+          cache[a] ||= {}
+          cache[a][subject] ||= granted
+        end
+
+        granted
+      end
     end
 
     def check_permission(action, subject)
       applicable_roles.each do |role|
         permission = role.find_permission(action, subject)
-        return permission.granted if permission
+        return [permission.granted, permission.actions] if permission
       end
 
-      false
+      [false, []]
     end
 
     def cannot?(*args)
       !can?(*args)
     end
 
-    def authorize!(action, subject)
+    def authorize!(action, subject, message = 'Access Denied')
       if cannot?(action, subject)
-        raise AccessDenied
+        raise AccessDenied.new(action, subject, message)
       end
       subject
     end
 
-    private
-
     def applicable_roles
       @applicable_roles ||= roles.select do |role|
         role.applies_to?(user)

data/lib/access-granted/railtie.rb

@@ -0,0 +1,29 @@
+require 'rails/railtie'
+
+module AccessGranted
+  class Railtie < ::Rails::Railtie
+    initializer :access_granted do
+      if ::Rails::VERSION::MAJOR >= 6
+        ActiveSupport.on_load(:action_controller_base) do |base|
+          base.include AccessGranted::Rails::ControllerMethods
+        end
+
+        ActiveSupport.on_load(:action_controller_api) do |base|
+          base.include AccessGranted::Rails::ControllerMethods
+        end
+      else
+        if defined? ActionController::Base
+          ActionController::Base.class_eval do
+            include AccessGranted::Rails::ControllerMethods
+          end
+        end
+
+        if defined? ActionController::API
+          ActionController::API.class_eval do
+            include AccessGranted::Rails::ControllerMethods
+          end
+        end
+      end
+    end
+  end
+end

data/lib/access-granted/role.rb

@@ -53,9 +53,10 @@ module AccessGranted
     end
 
     def add_permission(granted, action, subject, conditions, block)
-      prepare_actions(action).each do |a|
+      prepared_actions = prepare_actions(action)
+      prepared_actions.each do |a|
         raise DuplicatePermission, "Permission `#{a}` is already defined for #{subject} in role `#{name}`" if find_permission(a, subject)
-        permissions << Permission.new(granted, a, subject, @user, conditions, block)
+        permissions << Permission.new(granted, a, subject, @user, conditions, prepared_actions, block)
       end
     end
 
@@ -68,11 +69,8 @@ module AccessGranted
     end
 
     def prepare_actions(action)
-      if action == :manage
-        actions = [:read, :create, :update, :destroy]
-      else
-        actions = Array(*[action])
-      end
+      actions = Array(*[action])
+      actions.flat_map { |a| a == :manage ? [:create, :read, :update, :destroy ] : [a] }
     end
   end
 end

data/spec/controller_methods_spec.rb

@@ -21,7 +21,11 @@ describe AccessGranted::Rails::ControllerMethods do
 
   describe "#authorize!" do
     it "raises exception when authorization fails" do
-      expect { @controller.authorize!(:read, String) }.to raise_error(AccessGranted::AccessDenied)
+      expect { @controller.authorize!(:read, String) }.to raise_error do |err|
+        expect(err).to be_a(AccessGranted::AccessDenied)
+        expect(err.action).to eq(:read)
+        expect(err.subject).to eq(String)
+      end
     end
 
     it "returns subject if authorization succeeds" do

data/spec/permission_spec.rb

@@ -3,30 +3,23 @@ require 'spec_helper'
 describe AccessGranted::Permission do
   subject { AccessGranted::Permission }
 
-  describe "#matches_conditions?" do
-    it "matches when no conditions given" do
-      perm = subject.new(true, :read, String)
-      expect(perm.matches_conditions?(String)).to eq(true)
-    end
+  describe "#matches_proc_conditions?" do
 
-    it "matches proc conditions" do
+    it "matches proc conditions when true" do
       sub = double("Element", published?: true)
-      perm = subject.new(true, :read, sub.class, nil, {}, proc {|el| el.published? })
+      perm = subject.new(true, :read, sub, nil, {}, [], proc {true})
       expect(perm.matches_conditions?(sub)).to eq(true)
     end
 
-    it "does not match proc conditions when given a class instead of an instance" do
+    it "does not match proc conditions false" do
       sub = double("Element", published?: true)
-      perm = subject.new(true, :read, sub.class, nil, {}, proc {|el| el.published? })
-      expect(perm.matches_conditions?(sub.class)).to eq(true)
+      perm = subject.new(true, :read, sub, nil, {}, [], proc {false})
+      expect(perm.matches_conditions?(sub)).to eq(false)
     end
+
   end
 
   describe "#matches_hash_conditions?" do
-    it "matches condition hash is empty" do
-      perm = subject.new(true, :read, String)
-      expect(perm.matches_hash_conditions?(String)).to eq(true)
-    end
 
     it "matches when conditions given" do
       sub = double("Element", published: true)
@@ -39,6 +32,7 @@ describe AccessGranted::Permission do
       perm = subject.new(true, :read, sub, nil, { published: true, readable: true })
       expect(perm.matches_hash_conditions?(sub)).to eq(false)
     end
+
   end
 
   describe "#matches_action?" do
@@ -46,6 +40,7 @@ describe AccessGranted::Permission do
       perm = subject.new(true, :read, String)
       expect(perm.matches_action?(:read)).to_not be_nil
     end
+
   end
 
   describe "#matches_subject?" do
@@ -73,5 +68,15 @@ describe AccessGranted::Permission do
       perm = subject.new(true, :read, String)
       expect(perm.matches_subject? Object.new).to eq(false)
     end
+
   end
+
+  describe "#matches_empty_conditions?" do
+    it "matches when no conditions given" do
+      perm = subject.new(true, :read, String)
+      expect(perm.matches_conditions?(String)).to eq(true)
+    end
+
+  end
+
 end

data/spec/policy_spec.rb

@@ -136,7 +136,21 @@ describe AccessGranted::Policy do
       end
 
       it "raises AccessDenied if action is not allowed" do
-        expect { klass.new(@member).authorize!(:create, Integer) }.to raise_error AccessGranted::AccessDenied
+        expect { klass.new(@member).authorize!(:create, Integer) }.to raise_error do |err|
+          expect(err).to be_a(AccessGranted::AccessDenied)
+          expect(err.action).to eq(:create)
+          expect(err.subject).to eq(Integer)
+        end
+      end
+
+      it "raises AccessDenied with supplied message if action is not allowed" do
+        message = 'You are not allowed to create Integer'
+        expect { klass.new(@member).authorize!(:create, Integer, message) }.to raise_error do |err|
+          expect(err).to be_a(AccessGranted::AccessDenied)
+          expect(err.action).to eq(:create)
+          expect(err.subject).to eq(Integer)
+          expect(err.message).to eq(message)
+        end
       end
 
       it "returns the subject if allowed" do
@@ -184,8 +198,9 @@ describe AccessGranted::Policy do
     end
   end
 
-  describe "#matching_roles" do
+  describe "#applicable_roles" do
     let(:user) { double("User", is_moderator: true, is_admin: true) }
+    subject(:policy) { klass.new(user) }
 
     before do
       policy.role(:administrator, { is_admin:     true })
@@ -193,9 +208,17 @@ describe AccessGranted::Policy do
       policy.role(:member)
     end
 
-    shared_examples 'role matcher' do
+    context "user matches all roles" do
       it "returns all matching roles in the order of priority" do
-        expect(subject.map(&:name)).to eq([:administrator, :moderator, :member])
+        expect(policy.applicable_roles.map(&:name)).to eq([:administrator, :moderator, :member])
+      end
+    end
+
+    context "user is just an admin" do
+      let(:user) { double("User", is_moderator: false, is_admin: true) }
+
+      it 'returns array with admin and member roles' do
+        expect(policy.applicable_roles.map(&:name)).to eq([:administrator, :member])
       end
     end
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: access-granted
 version: !ruby/object:Gem::Version
-  version: 1.1.2
+  version: 1.3.3
 platform: ruby
 authors:
 - Piotrek Okoński
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-01-02 00:00:00.000000000 Z
+date: 2021-08-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -62,6 +62,7 @@ files:
 - lib/access-granted/permission.rb
 - lib/access-granted/policy.rb
 - lib/access-granted/rails/controller_methods.rb
+- lib/access-granted/railtie.rb
 - lib/access-granted/role.rb
 - lib/generators/access_granted/policy_generator.rb
 - lib/generators/templates/access_policy.rb
@@ -89,8 +90,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.5.1
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: Elegant whitelist and role based authorization with ability to prioritize
@@ -101,4 +101,3 @@ test_files:
 - spec/policy_spec.rb
 - spec/role_spec.rb
 - spec/spec_helper.rb
-has_rdoc: