access-granted 1.0.4 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9d05f9e124c62d1c23281ac49ed7c482b8751698
-  data.tar.gz: 7eb253b29b09538e3cef0f6f7d8f3cf217589c86
+  metadata.gz: 62c9307deb8d9c208a9934214e56999b093c017b
+  data.tar.gz: 74049e46c543d0015f565c96236ddc7b7fd7bea6
 SHA512:
-  metadata.gz: 93bb115a1c3868245441187628a7d59fd603208f445c59b519837be4ad492ff76179e42b087af7d72dc845e9989bd133467d57dd4e8c184a1e923ca57450abdc
-  data.tar.gz: 56d85a6e5dc4b4f71fe8755d2e635d24b36e14d5d96f7a2912d0ede6915c0f0edcfad46d0cb032ca21cc2f76706af40962871b1aec50d9f8f506c95154046222
+  metadata.gz: c15fffc2c35008b3e0dee3b758827c483ea12bcacc3eb0f9fabfec61004dd1929c92210846bb6a1ec0c0c66dab1b78c0d087f2d096d822f48f50519661f5a558
+  data.tar.gz: 70d741d7ed4606a3b1309e6a1b1a8ffdf84c0624c6040cb7e56cc6882c1dfbccbc533e65ac035b99ee695f33392059865e07fa694dc480e19913a4a25dd671d2

data/.travis.yml

@@ -5,6 +5,7 @@ rvm:
   - 2.0
   - 2.1
   - 2.2
+  - 2.3
   - rbx-2
   - rbx
   - jruby-1

data/README.md

@@ -3,12 +3,19 @@
 ## [![](http://i.imgur.com/ya8Wnyl.png)](https://chaps.io) proudly made by [Chaps](https://chaps.io)
 
 
-Multi-role and whitelist based authorization gem for Rails. And it's lightweight (~300 lines of code)!
+AccessGranted is a multi-role and whitelist based authorization gem for Rails. And it's lightweight (~300 lines of code)!
 
 
 ## Installation
 
-    gem 'access-granted'
+Add the gem to your gemfile:
+
+```ruby
+gem 'access-granted', '~> 1.0.0'
+```
+Run the bundle command to install it. Then run the generator:
+
+    rails generate access_granted:policy
 
 ### Supported Ruby versions
 
@@ -20,37 +27,37 @@ AccessGranted is meant as a replacement for CanCan to solve major problems:
 
 1. Performance
 
-  On average AccessGranted is 50-60% faster in resolving identical permissions and takes less memory.
+  On average AccessGranted is **20 times faster** in resolving identical permissions and takes less memory.
   See [benchmarks](https://github.com/chaps-io/access-granted/blob/master/benchmarks).
 
 2. Roles
 
-  Adds support for roles, so no more `if`'s and `else`'s in your Policy file. This makes it extremely easy to maintain and read the code.
+  Adds support for roles, so no more `if`s and `else`s in your Policy file. This makes it extremely easy to maintain and read the code.
 
-3. white-lists
+3. Whitelists
 
-  This means that you define what the user **can** do, which results in clean, readable policies regardless of app complexity.
+  This means that you define what the user can do, which results in clean, readable policies regardless of application complexity.
   You don't have to worry about juggling `can`s and `cannot`s in a very convoluted way!
 
   _Note_: `cannot` is still available, but has a very specifc use. See [Usage](#usage) below.
 
-4. framework agnostic
+4. Framework agnostic
 
   Permissions can work on basically any object and AccessGranted is framework-agnostic,
-  but it has Rails support out of the box :)
-  It **does not depend on any libraries**, pure and clean Ruby code. Guaranteed to always work,
+  but it has Rails support out of the box. :)
+  It does not depend on any libraries, pure and clean Ruby code. Guaranteed to always work,
   even when software around changes.
 
 ## Usage
 
 Roles are defined using blocks (or by passing custom classes to keep things tidy).
 
-**Order of the roles is VERY important**, because they are being traversed in the top-to-bottom order.
-At the top you must have an admin or other important role giving the user top permissions, and as you go down you define less-privileged roles.
+**Order of the roles is VERY important**, because they are being traversed in top-to-bottom order.
+At the top you must have an admin or some other important role giving the user top permissions, and as you go down you define less-privileged roles.
 
 **I recommend starting your adventure by reading my [blog post about AccessGranted](http://blog.chaps.io/2015/11/13/role-based-authorization-in-rails.html), where I demonstrate its abilities on a real life example.**
 
-### 1. Defining access policy
+### Defining an access policy
 
 Let's start with a complete example of what can be achieved:
 
@@ -89,7 +96,7 @@ end
 #### Defining roles
 
 Each `role` method accepts the name of the role you're creating and an optional matcher.
-Matchers are used to check if user belongs to that role and if the permissions inside should be executed against it.
+Matchers are used to check if the user belongs to that role and if the permissions inside should be executed against it.
 
 The simplest role can be defined as follows:
 
@@ -123,7 +130,7 @@ So, if the user has an attribute `is_admin` set to `true`, then the role will be
 
 #### Hash conditions
 
-Hashes can be used as matchers as a check if action is permitted.
+Hashes can be used as matchers to check if an action is permitted.
 For example, we may allow users to only see published posts, like this:
 
 ```ruby
@@ -145,7 +152,7 @@ role :member do
 end
 ```
 
-When the given block evaluates to `true`, then user is given the permission to update the post.
+When the given block evaluates to `true`, then `user` is given the permission to update the post.
 
 #### Roles in order of importance
 
@@ -168,7 +175,7 @@ As stated before: **`:admin` role takes precedence over `:member`** role, so whe
 
 That way you can keep a tidy and readable policy file which is basically human readable.
 
-### Using in Rails
+### Usage with Rails
 
 AccessGranted comes with a set of helpers available in Ruby on Rails apps:
 
@@ -188,20 +195,20 @@ class PostsController
 end
 ```
 
-`authorize!` throws an exception when current user doesn't have a given permission.
+`authorize!` throws an exception when `current_user` doesn't have a given permission.
 You can rescue from it using `rescue_from`:
 
 ```ruby
 class ApplicationController < ActionController::Base
   rescue_from "AccessGranted::AccessDenied" do |exception|
-    redirect_to root_path, alert: "You don't have permissions to access this page."
+    redirect_to root_path, alert: "You don't have permission to access this page."
   end
 end
 ```
 
 #### Checking permissions in controllers
 
-To check if the user has a permission to perform an action, use `can?` and `cannot?` methods.
+To check if the user has a permission to perform an action, use the `can?` and `cannot?` methods.
 
 **Example:**
 
@@ -244,16 +251,15 @@ By default, AccessGranted adds this method to your controllers:
   end
 ```
 
-If you have a different policy class or if your user is not stored in `current_user` variable, then you can override it in any controller and modify the logic as you please.
+If you have a different policy class or if your user is not stored in the `current_user` variable, then you can override it in any controller and modify the logic as you please.
 
 You can even have different policies for different controllers!
 
-### Using in pure Ruby
+### Usage with pure Ruby
 
 Initialize the Policy class:
 
 ```ruby
-
 policy = AccessPolicy.new(current_user)
 ```
 
@@ -296,7 +302,7 @@ end
 
 ```
 
-And roles should look like this
+And roles should look like this:
 
 ```ruby
 # app/roles/member_role.rb
@@ -326,8 +332,8 @@ This gem has been created as a replacement for CanCan and therefore it requires
    The only change you have to make is to replace all `can? :manage, Class` with the exact action to check against.
    `can :manage` is still available for **defining** methods and serves as a shortcut for defining `:create`, `:read`, `:update`, `:destroy` all in one line.
 
-3. Syntax for defining permissions in AccessPolicy file (Ability in CanCan) is exactly the same,
-   with roles added on top. See [Usage](#usage) below.
+3. Syntax for defining permissions in the AccessPolicy file (Ability in CanCan) is exactly the same,
+   with roles added on top. See [Usage](#usage) above.
 
 
 ## Contributing
@@ -336,4 +342,4 @@ This gem has been created as a replacement for CanCan and therefore it requires
 2. Create your feature branch (`git checkout -b my-new-feature`)
 3. Commit your changes (`git commit -am 'Add some feature'`)
 4. Push to the branch (`git push origin my-new-feature`)
-5. Create new Pull Request
+5. Create new pull request

data/access-granted.gemspec

@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
 Gem::Specification.new do |spec|
   spec.name          = "access-granted"
-  spec.version       = "1.0.4"
+  spec.version       = "1.1.0"
   spec.authors       = ["Piotrek Okoński"]
   spec.email         = ["piotrek@okonski.org"]
   spec.description   = %q{Role based authorization gem}

data/benchmarks/config.rb

@@ -2,35 +2,45 @@ class Ability
   include CanCan::Ability
 
   def initialize(user)
-    if user.is_admin == true
+    if user.is_admin
       can :destroy, String
+      can :foo, Integer
     end
 
-    if user.is_moderator == true
+    if user.is_moderator
       can :update, String
+      can :bar, String
     end
 
     can :read, String
+    can :zoom, Integer
+    can :boom, Hash
+    can :rub, Fixnum
   end
 end
 
 class AccessPolicy
   include AccessGranted::Policy
 
-  def configure(user)
+  def configure
     role :administrator, { is_admin: true } do
       can :destroy, String
+      can :foo, Integer
     end
 
     role :moderator, { is_moderator: true } do
       can :update, String
+      can :bar, String
     end
 
     role :member do
       can :read, String
+      can :zoom, Integer
+      can :boom, Hash
+      can :rub, Fixnum
     end
   end
 end
 
-class User < Struct.new(:is_admin, :is_moderator)
+class User < Struct.new(:id, :is_admin, :is_moderator)
 end

data/benchmarks/permissions.rb

@@ -3,9 +3,9 @@ require 'access-granted'
 require 'cancan'
 require_relative './config'
 
-admin        = User.new(true, false)
-mod          = User.new(false, true)
-user         = User.new(false, false)
+admin        = User.new(1, true, false)
+mod          = User.new(2, false, true)
+user         = User.new(3, false, false)
 
 user_policy  = AccessPolicy.new(user)
 admin_policy = AccessPolicy.new(admin)
@@ -16,18 +16,18 @@ admin_ability = Ability.new(admin)
 mod_ability   = Ability.new(mod)
 
 Benchmark.ips do |x|
-  x.config(time: 20, warmup: 2)
+  x.config(time: 5, warmup: 1)
 
   x.report("ag-admin") do
     admin_policy.can?(:read, String)
   end
 
   x.report("ag-moderator") do
-    mod_policy.can?(:read, String)
+    mod_policy.can?(:bar, String)
   end
 
   x.report("ag-user") do
-    user_policy.can?(:read, String)
+    user_policy.can?(:zoom, Integer)
   end
 
   x.report("cancan-admin") do
@@ -35,11 +35,10 @@ Benchmark.ips do |x|
   end
 
   x.report("cancan-moderator") do
-    mod_ability.can?(:read, String)
+    mod_ability.can?(:bar, String)
   end
 
   x.report("cancan-user") do
-    user_ability.can?(:read, String)
+    user_ability.can?(:zoom, Integer)
   end
-
 end

data/lib/access-granted.rb

@@ -2,7 +2,7 @@ require "access-granted/exceptions"
 require "access-granted/policy"
 require "access-granted/permission"
 require "access-granted/role"
-require 'access-granted/rails/controller_methods'
+require "access-granted/rails/controller_methods"
 
 module AccessGranted
 

data/lib/access-granted/policy.rb

@@ -1,10 +1,12 @@
 module AccessGranted
   module Policy
-    attr_accessor :roles
+    attr_accessor :roles, :cache
+    attr_reader :user
 
-    def initialize(user)
+    def initialize(user, cache_enabled = true)
       @user          = user
       @roles         = []
+      @cache         = {}
       configure
     end
 
@@ -17,20 +19,25 @@ module AccessGranted
         raise DuplicateRole, "Role '#{name}' already defined"
       end
       r = if conditions_or_klass.is_a?(Class) && conditions_or_klass <= AccessGranted::Role
-        conditions_or_klass.new(name, conditions, @user, block)
+        conditions_or_klass.new(name, conditions, user, block)
       else
-        Role.new(name, conditions_or_klass, @user, block)
+        Role.new(name, conditions_or_klass, user, block)
       end
       roles << r
       r
     end
 
     def can?(action, subject = nil)
-      roles.each do |role|
-        next unless role.applies_to?(@user)
+      cache[action] ||= {}
+      cache[action][subject] ||= check_permission(action, subject)
+    end
+
+    def check_permission(action, subject)
+      applicable_roles.each do |role|
         permission = role.find_permission(action, subject)
         return permission.granted if permission
       end
+
       false
     end
 
@@ -44,5 +51,13 @@ module AccessGranted
       end
       subject
     end
+
+    private
+
+    def applicable_roles
+      @applicable_roles ||= roles.select do |role|
+        role.applies_to?(user)
+      end
+    end
   end
 end

data/lib/access-granted/role.rb

@@ -8,7 +8,7 @@ module AccessGranted
       @conditions   = conditions
       @block        = block
       @permissions  = []
-      @permissions_by_action = {}
+
       if @block
         instance_eval(&@block)
       else
@@ -28,8 +28,10 @@ module AccessGranted
     end
 
     def find_permission(action, subject)
-      permissions_by_action(action).detect do |permission|
-        permission.matches_subject?(subject) && permission.matches_conditions?(subject)
+      permissions.detect do |permission|
+        permission.action == action &&
+          permission.matches_subject?(subject) &&
+            permission.matches_conditions?(subject)
       end
     end
 
@@ -52,17 +54,15 @@ module AccessGranted
 
     def add_permission(granted, action, subject, conditions, block)
       prepare_actions(action).each do |a|
-        raise DuplicatePermission if permission_exists?(a, subject)
-        @permissions << Permission.new(granted, a, subject, @user, conditions, block)
-        @permissions_by_action[a] ||= []
-        @permissions_by_action[a]  << @permissions.size - 1
+        raise DuplicatePermission if find_permission(a, subject)
+        permissions << Permission.new(granted, a, subject, @user, conditions, block)
       end
     end
 
     private
 
     def permission_exists?(action, subject)
-      permissions_by_action(action).any? do |permission|
+      permissions.any? do |permission|
         permission.matches_subject?(subject)
       end
     end
@@ -74,11 +74,5 @@ module AccessGranted
         actions = Array(*[action])
       end
     end
-
-    def permissions_by_action(action)
-      (@permissions_by_action[action] || []).map do |index|
-        @permissions[index]
-      end
-    end
   end
 end

data/spec/policy_spec.rb

@@ -6,16 +6,16 @@ describe AccessGranted::Policy do
 
   describe "#configure" do
     before :each do
-      @member = double("member",        id: 1, is_moderator: false, is_admin: false, is_banned: false)
-      @mod    = double("moderator",     id: 2, is_moderator: true,  is_admin: false, is_banned: false)
-      @admin  = double("administrator", id: 3, is_moderator: false, is_admin: true,  is_banned: false)
-      @banned = double("banned",        id: 4, is_moderator: false, is_admin: true,  is_banned: true)
+      @member = FakeUser.new(1, false, false, false)
+      @mod    = FakeUser.new(2, true, false, false)
+      @admin  = FakeUser.new(3, false, true, false)
+      @banned = FakeUser.new(4, false, true, true)
     end
 
     it "passes user object to permission block" do
       post_owner = double(id: 123)
       other_user = double(id: 5)
-      post = FakePost.new(post_owner.id)
+      post = FakePost.new(1, post_owner.id)
 
       klass = Class.new do
         include AccessGranted::Policy
@@ -63,8 +63,8 @@ describe AccessGranted::Policy do
 
     context "when multiple roles define the same permission" do
       it "checks all roles until conditions are met" do
-        user_post = FakePost.new(@member.id)
-        other_post = FakePost.new(66)
+        user_post = FakePost.new(1, @member.id)
+        other_post = FakePost.new(2, 66)
 
         klass = Class.new do
           include AccessGranted::Policy
@@ -120,7 +120,7 @@ describe AccessGranted::Policy do
           end
         end
         expect(klass.new(@member).can?(:create, String)).to    eq(true)
-        expect(klass.new(@banned).cannot?(:create, String)).to eq(true)
+        expect(klass.new(@banned).can?(:create, String)).to    eq(false)
       end
     end
 

data/spec/spec_helper.rb

@@ -23,10 +23,12 @@ end
 
 require 'access-granted'
 
-class FakePost < Struct.new(:user_id)
+class FakeUser < Struct.new(:id, :is_moderator, :is_admin, :is_banned)
+end
+
+class FakePost < Struct.new(:id, :user_id)
 end
 
 class AccessPolicy
   include AccessGranted::Policy
 end
-

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: access-granted
 version: !ruby/object:Gem::Version
-  version: 1.0.4
+  version: 1.1.0
 platform: ruby
 authors:
 - Piotrek Okoński
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-11-26 00:00:00.000000000 Z
+date: 2016-07-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -89,7 +89,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.5
+rubygems_version: 2.4.5.1
 signing_key: 
 specification_version: 4
 summary: Elegant whitelist and role based authorization with ability to prioritize
@@ -100,4 +100,3 @@ test_files:
 - spec/policy_spec.rb
 - spec/role_spec.rb
 - spec/spec_helper.rb
-has_rdoc: