access_allow 0.3.0 → 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +38 -0
- data/README.md +28 -0
- data/lib/access_allow/abilities.rb +2 -2
- data/lib/access_allow/abilities_manager.rb +0 -4
- data/lib/access_allow/access_manager.rb +1 -1
- data/lib/access_allow/check.rb +13 -6
- data/lib/access_allow/version.rb +1 -1
- data/lib/access_allow.rb +16 -1
- data/lib/generators/access_allow/templates/access_allow.rb +9 -0
- metadata +7 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 55a090067e35bd41ae5733616ab549afcf3b3d535ccd9b39e216b9ae07860f76
|
|
4
|
+
data.tar.gz: 43959999c68c2fd34ebfb5a0c96e19e3670270d42b398c9246c1a41f814b7d46
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: a31d49e551f83ac73531d086f6c4af5cd28a915b254ecd2ae335a4aef659b1e43afd609185989e87c3cf5ace04f2e89e25df017d752880c84d488781b2ba291e
|
|
7
|
+
data.tar.gz: 07b0445358724d79cbc504dff3ef07bfe95073c16407bd4036012486c7c0073586806a76bc07666bcf1a4fe9adc3367dcee727b3dde0d6c694e0dcf8803e0246
|
data/CHANGELOG.md
ADDED
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
# Changelog
|
|
2
|
+
|
|
3
|
+
All notable changes to this project are documented in this file.
|
|
4
|
+
|
|
5
|
+
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
|
|
6
|
+
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
7
|
+
|
|
8
|
+
## [1.0.0]
|
|
9
|
+
|
|
10
|
+
First stable release. The public DSL (`access_allow`, `access_require`,
|
|
11
|
+
`access_no_match`, `access_allowed?`) is unchanged and considered stable.
|
|
12
|
+
|
|
13
|
+
### Added
|
|
14
|
+
- Configurable logging: `config.logger` (defaults to `Rails.logger`) and
|
|
15
|
+
`config.permission_check_log_level` (defaults to `:debug`).
|
|
16
|
+
|
|
17
|
+
### Changed
|
|
18
|
+
- Per-check "user cannot do X" lines now log at `:debug` instead of `:info`.
|
|
19
|
+
These fire on every failed ability check (menu visibility, record scoping)
|
|
20
|
+
and are normal control flow, not violations, so they no longer flood
|
|
21
|
+
request logs. Set `config.permission_check_log_level = nil` to silence them
|
|
22
|
+
entirely. Actual access violations remain logged at `:info`/`:error`.
|
|
23
|
+
|
|
24
|
+
### Fixed
|
|
25
|
+
- `Abilities.parse_qualified_name` raised `NoMethodError` instead of a
|
|
26
|
+
descriptive `StandardError` for blank or malformed ability names (missing
|
|
27
|
+
comma in the `raise` call).
|
|
28
|
+
|
|
29
|
+
### Removed
|
|
30
|
+
- Dead `AbilitiesManager#about_user` method.
|
|
31
|
+
|
|
32
|
+
### Internal
|
|
33
|
+
- Test coverage raised to 100% line / 98% branch; the two remaining branches
|
|
34
|
+
are unreachable defensive guards.
|
|
35
|
+
- Added a project `.standard.yml`.
|
|
36
|
+
|
|
37
|
+
## [0.3.0]
|
|
38
|
+
- Earlier releases (pre-changelog). See the git history for details.
|
data/README.md
CHANGED
|
@@ -367,6 +367,34 @@ Then run the **generator to add the initializer**
|
|
|
367
367
|
rails g access_allow:install
|
|
368
368
|
|
|
369
369
|
|
|
370
|
+
## Configuration
|
|
371
|
+
|
|
372
|
+
All configuration is done through `AccessAllow.configure` (see the generated
|
|
373
|
+
initializer):
|
|
374
|
+
|
|
375
|
+
| Option | Default | Description |
|
|
376
|
+
| --- | --- | --- |
|
|
377
|
+
| `roles_and_permissions` | `{}` | The roles/abilities schema (often loaded from YAML). |
|
|
378
|
+
| `current_user_method` | `:current_user` | Controller method returning the current user. |
|
|
379
|
+
| `permissions_association_name` | `:permissions` | Association holding a user's individually-assigned permissions. |
|
|
380
|
+
| `role_method_name` | `:role` | Method on the user returning their role name. |
|
|
381
|
+
| `logger` | `Rails.logger` | Logger used for all access logging. |
|
|
382
|
+
| `permission_check_log_level` | `:debug` | Level for per-check "user cannot do X" lines. Set to `nil` to silence them. |
|
|
383
|
+
|
|
384
|
+
### Logging
|
|
385
|
+
|
|
386
|
+
A failed ability check (`access_allowed?`, `has_perms_for?`, a `with:` ability
|
|
387
|
+
that isn't granted) is normal control flow — it decides menu visibility,
|
|
388
|
+
record scoping, and so on. These produce one log line per check, so by default
|
|
389
|
+
they are logged at `:debug` and stay out of production logs. Set
|
|
390
|
+
`config.permission_check_log_level = nil` to silence them entirely, or raise it
|
|
391
|
+
(e.g. `:info`) while debugging permission resolution.
|
|
392
|
+
|
|
393
|
+
Actual access *violations* — a blocked request, a `:severe`/`:hidden`/
|
|
394
|
+
`:not_permitted`/`:redirect` outcome — are always logged at `:info`/`:error`
|
|
395
|
+
regardless of this setting.
|
|
396
|
+
|
|
397
|
+
|
|
370
398
|
## Contributing
|
|
371
399
|
Contribution directions go here.
|
|
372
400
|
|
|
@@ -10,11 +10,11 @@ module AccessAllow
|
|
|
10
10
|
|
|
11
11
|
def parse_qualified_name(name)
|
|
12
12
|
parts = name.split("/").map do |part|
|
|
13
|
-
raise StandardError "Ability namespaces or names cannot be blank" if part.blank?
|
|
13
|
+
raise StandardError, "Ability namespaces or names cannot be blank" if part.blank?
|
|
14
14
|
part.to_sym
|
|
15
15
|
end
|
|
16
16
|
return parts if parts.size == 2
|
|
17
|
-
raise StandardError "Ability name must have a namespace and name (was #{name})"
|
|
17
|
+
raise StandardError, "Ability name must have a namespace and name (was #{name})"
|
|
18
18
|
end
|
|
19
19
|
|
|
20
20
|
def humanized_name(type, ability_namespace, ability_name)
|
|
@@ -219,7 +219,7 @@ module AccessAllow
|
|
|
219
219
|
# the rule configuration itself.
|
|
220
220
|
def apply_custom_rule(rule, user, controller, action_name)
|
|
221
221
|
controller.instance_exec(user, rule: rule, action_name: action_name) do |uut, rule_info|
|
|
222
|
-
check_name = "allow_#{rule}?"
|
|
222
|
+
check_name = :"allow_#{rule}?"
|
|
223
223
|
unless respond_to?(check_name)
|
|
224
224
|
raise NotImplementedError, "Check #{check_name} not implemented!"
|
|
225
225
|
end
|
data/lib/access_allow/check.rb
CHANGED
|
@@ -28,28 +28,35 @@ module AccessAllow
|
|
|
28
28
|
|
|
29
29
|
def possible?
|
|
30
30
|
unless user
|
|
31
|
-
|
|
31
|
+
log_failed_check
|
|
32
32
|
return false
|
|
33
33
|
end
|
|
34
|
-
ability_manager.has?(ability_namespace, ability_name).tap { |can|
|
|
34
|
+
ability_manager.has?(ability_namespace, ability_name).tap { |can| log_failed_check unless can }
|
|
35
35
|
end
|
|
36
36
|
|
|
37
37
|
def possible!
|
|
38
|
-
possible? || raise(AccessAllow::ViolationError, error_message
|
|
38
|
+
possible? || raise(AccessAllow::ViolationError, error_message)
|
|
39
39
|
end
|
|
40
40
|
|
|
41
41
|
private
|
|
42
42
|
|
|
43
43
|
attr_reader :user, :ability_namespace, :ability_name, :ability_manager
|
|
44
44
|
|
|
45
|
-
#
|
|
45
|
+
# A failed check is normal control flow, not a violation, so it logs at
|
|
46
|
+
# the configured level (default :debug; nil silences it). Actual access
|
|
47
|
+
# violations are logged by ControllerAccessDsl at :info/:error.
|
|
48
|
+
def log_failed_check
|
|
49
|
+
level = AccessAllow.configuration.permission_check_log_level
|
|
50
|
+
return unless level
|
|
51
|
+
AccessAllow.configuration.logger&.public_send(level) { error_message }
|
|
52
|
+
end
|
|
46
53
|
|
|
47
54
|
def about_user
|
|
48
55
|
user ? "#{user.class} with ID #{user.id}" : "Unauthenticated user"
|
|
49
56
|
end
|
|
50
57
|
|
|
51
|
-
def error_message
|
|
52
|
-
"#{about_user}
|
|
58
|
+
def error_message
|
|
59
|
+
"#{about_user} cannot do '#{ability_name}'"
|
|
53
60
|
end
|
|
54
61
|
end
|
|
55
62
|
end
|
data/lib/access_allow/version.rb
CHANGED
data/lib/access_allow.rb
CHANGED
|
@@ -24,13 +24,28 @@ module AccessAllow
|
|
|
24
24
|
end
|
|
25
25
|
|
|
26
26
|
class Configuration
|
|
27
|
-
|
|
27
|
+
attr_writer :logger
|
|
28
|
+
attr_accessor :roles_and_permissions, :current_user_method, :permissions_association_name,
|
|
29
|
+
:role_method_name, :permission_check_log_level
|
|
28
30
|
|
|
29
31
|
def initialize
|
|
30
32
|
@roles_and_permissions = {}
|
|
31
33
|
@current_user_method = :current_user
|
|
32
34
|
@permissions_association_name = :permissions
|
|
33
35
|
@role_method_name = :role
|
|
36
|
+
@logger = nil
|
|
37
|
+
# Level used for the per-check "user cannot do X" lines. These fire on
|
|
38
|
+
# every failed ability check and are normal control flow (menu
|
|
39
|
+
# visibility, scoping), not violations — so they default to :debug.
|
|
40
|
+
# Set to nil to silence them entirely. Actual access violations are
|
|
41
|
+
# logged separately by ControllerAccessDsl at :info/:error.
|
|
42
|
+
@permission_check_log_level = :debug
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
# Falls back to Rails.logger at call time (not memoised) so a logger
|
|
46
|
+
# swapped in tests or after boot is always respected.
|
|
47
|
+
def logger
|
|
48
|
+
@logger || (defined?(Rails) ? Rails.logger : nil)
|
|
34
49
|
end
|
|
35
50
|
end
|
|
36
51
|
end
|
|
@@ -7,4 +7,13 @@ AccessAllow.configure do |config|
|
|
|
7
7
|
# config.current_user_method = :current_user
|
|
8
8
|
# config.permissions_association_name = :permissions
|
|
9
9
|
# config.role_method_name = :role
|
|
10
|
+
|
|
11
|
+
# Logger used for access logging. Defaults to Rails.logger.
|
|
12
|
+
# config.logger = Rails.logger
|
|
13
|
+
|
|
14
|
+
# Level for the per-check "user cannot do X" lines. These fire on every
|
|
15
|
+
# failed ability check and are normal control flow (menu visibility,
|
|
16
|
+
# scoping), so they default to :debug. Set to nil to silence them entirely.
|
|
17
|
+
# Actual access violations are always logged at :info/:error.
|
|
18
|
+
# config.permission_check_log_level = :debug
|
|
10
19
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: access_allow
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 1.0.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Stephen Ierodiaconou
|
|
@@ -29,13 +29,15 @@ dependencies:
|
|
|
29
29
|
- - "<"
|
|
30
30
|
- !ruby/object:Gem::Version
|
|
31
31
|
version: '9'
|
|
32
|
-
description:
|
|
32
|
+
description: Role- and ability-based authorization for Rails controllers, with a declarative
|
|
33
|
+
DSL for allow/require rules, named checks and configurable access violations.
|
|
33
34
|
email:
|
|
34
35
|
- stevegeek@gmail.com
|
|
35
36
|
executables: []
|
|
36
37
|
extensions: []
|
|
37
38
|
extra_rdoc_files: []
|
|
38
39
|
files:
|
|
40
|
+
- CHANGELOG.md
|
|
39
41
|
- MIT-LICENSE
|
|
40
42
|
- README.md
|
|
41
43
|
- Rakefile
|
|
@@ -57,8 +59,9 @@ homepage: https://github.com/stevegeek/access_allow
|
|
|
57
59
|
licenses:
|
|
58
60
|
- MIT
|
|
59
61
|
metadata:
|
|
60
|
-
homepage_uri: https://github.com/stevegeek/access_allow
|
|
61
62
|
source_code_uri: https://github.com/stevegeek/access_allow
|
|
63
|
+
changelog_uri: https://github.com/stevegeek/access_allow/blob/main/CHANGELOG.md
|
|
64
|
+
rubygems_mfa_required: 'true'
|
|
62
65
|
rdoc_options: []
|
|
63
66
|
require_paths:
|
|
64
67
|
- lib
|
|
@@ -73,7 +76,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
73
76
|
- !ruby/object:Gem::Version
|
|
74
77
|
version: '0'
|
|
75
78
|
requirements: []
|
|
76
|
-
rubygems_version:
|
|
79
|
+
rubygems_version: 4.0.6
|
|
77
80
|
specification_version: 4
|
|
78
81
|
summary: Permissions and access control gem for Rails.
|
|
79
82
|
test_files: []
|