access_allow 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: a3f5b6c7372b951cf3e958813f2a5535a0e1889e646524590e10e1600106ec8d
+  data.tar.gz: abd0e5aa1f28a82206f02232ca527f84ac340364ed078d515363879d7e8de5f6
+SHA512:
+  metadata.gz: 385a3320289a1b69ddba30897996105547027520009c926cf65f7ba794a7d1c430052bab3c52bae8026c20db61b66bf3954a5d915a8c0c21c02742082907d707
+  data.tar.gz: 4b04e9507daaeac18001dc29be96f80d60039073122996eb3b2ec7a7a97a6c5eb5afa130cee417d95cb667686fed85cd02a9de2bb4d760f29f305ff686653b11

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2022 Stephen Ierodiaconou
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,374 @@
+# AccessAllow
+
+Permissions and access control gem for Rails.
+
+# Roles, Abilities and the permissions model
+
+Users should be assigned a `role` where a role is a named grouping of specific permissions (or abilities as we
+call them). Roles are configured in the application configuration.
+
+Abilities are named permissions that live inside a namespace. These are context dependant. For example we might think
+of the ability for being able to check out a shopping cart as `shopping_cart: :check_out` where `shopping_cart` is the
+ability namespace for anything to do with the shopping cart and `check_out` is the specific ability name.
+
+Thus abilities are acquired by user either through their assigned role, or an ability can be directly assign in the
+database, via the User association `permissions`.
+
+## Role and abilities utility methods
+
+`AccessAllow::Roles` provides a bunch of utility methods that
+
+* check if a given role name is for a specific user type or not
+* returns humanized versions of the role names
+
+`AccessAllow::Abilities` currently provides utility methods to convert between string and hash representations of abilities.
+
+# Configuring Roles & their abilities
+
+Schema configured in `Configuration` and should be configured to create roles with their abilities.
+
+The structure consists of:
+
+    <user_type_key>:
+      <user_role_key>:
+        <ability_namespace_key>:
+          <ability_key>: [true/false]
+
+where
+
+* `user_type_key` is determined from the model name of the user class (eg `User` => `user`)
+* `user_role_key` is the name of the user role (eg `account_owner`)
+* `ability_namespace_key` is the name of the group of abilites (eg `product_management`)
+* `ability_key` is the name of the actual ability (eg `edit_product`) and is set to a boolean
+  to indicate if the ability is available to the specific configuration or not
+
+__Note__: ability names must be defined in the correct user type, role, namespace key space otherwise
+the app will raise an exception. This is to prevent accidentally forgetting to define the default
+permissions of a role around a specific feature.
+
+## Setting a user specific ability
+
+User specific abilities are persisted in `Permission`s where the attribute `ability_name` stores the
+ability namespace and name in one combined string. The format is `/` separated. Eg `tag_management/edit_tag`. Use
+`AccessAllow::Abilities` to convert between string and hash representations of abilities.
+
+The existence of a `Permission` sets the specific ability in the above described structure of abilities.
+
+The `AbilitiesManager` handles mixing these assigned abilities into the users specific total ability list.
+
+__Note__ that an ability defined in a `Permission` __must__ also exist in the role assigned abilities. If
+it does not then it is ignored. In other words a `Permission` can only override abilities defined for the
+role that are set to `false`. This allows a user to be given a specific ability that normally their role has not got,
+but does not allow you to assign arbitrary abilities to a user, thus preventing dangerous situations where an ability
+that say is only for Admins is assigned to a User role.
+
+# Manually checking user abilities
+
+The class `AccessAllow::Check` implements ability check logic. Using this class one can check if a user has a specific ability
+and optionally raise if not.
+
+You can either build a new instance of the check class and then use `#possible?` and `#possible!` of use the class
+helper methods
+
+* `.call(user, <ability_namespace>: <ability_name>)`: checks if user has `ability_name` in `ability_namespace`. Returns
+  a boolean result
+* `.call!(user, <ability_namespace>: <ability_name>)`: checks if user has `ability_name` in `ability_namespace`. Returns
+  true or raises `AccessAllow::ViolationError`
+
+The methods exposed by `Check` are useful for checking for abilities in other objects. To define abilities checks
+around controller actions see the next section.
+
+# Controller DSL for specifying requirements and abilities needed to perform actions
+
+Much of the time permissions checks will occur in Controllers. Also many controller actions have specific checks and
+requirements around the user or other entities related to the controller action. For example, when editing a user's
+profile, one must check that the user who is trying to execute the `update` action has the ability (permission) to
+do it, but also that the user is even from the same company as the user being edited.
+
+As such a DSL exists that can be used in controllers to define sets of required checks and rules around actions that then 
+define what abilities or checks are needed to allow a specific action to execute. The rules can also define what
+should happen if the checks do not pass, or if no rules match the current situation.
+
+The DSL allows us to define 3 categories of our so called access rules:
+
+## Required check rules
+
+Many times we want to specify that certain requirements are required to allow a user to perform a certain action. These
+requirements maybe certain checks on the user, or they maybe related to their role or abilities.
+
+These checks must all pass to allow the user to continue. They are checked before any other access checks are executed.
+If the checks do not pass then a 'violation' is returned, which is then handled by the controller accordingly.
+
+These rules consist of a 'check', an optional set of required abilities, and optionally what violation type to raised
+if the check does not pass.
+
+## Action allow rules
+
+Action allow rules are defined to provide specific rules which allow a user to perform a specific controller action. 
+
+Note that AccessAllow prevents an action from being executed unless it is explicitly allowed for the given user trying to
+execute it.
+
+For a user to be allowed to perform a given controller action, there must be a matching "action allow" rule for that
+action for which the check passes and permissions requirements are met. Any matching rule will allow the user to execute
+the action. Note if no rules match successfully then the no-match behaviour is executed.
+
+These rules consist of a check, an optional set of required abilities, a set of action names to which the rule applies
+and optionally a name to alias the check as a "named check" rule (see below).
+
+## Named check rule
+
+These are named checks that can then be referenced by name in action logic or in views to say perform some conditional
+logic. The method provided for checking if any named check rule is valid for the current context is `access_allowed?`.
+There is more details below on this.
+
+Say for example you want a user to be `approved` and have the ability `company_profile/edit` to edit the company
+profile, and want to conditionally display a "Edit" button in the view. You could define a named check, say
+`:approved_can_edit` (that checks `approved` and that the user has the ability) and use it in the view to conditionally 
+display the button:
+
+    <% if access_allowed? :approved_can_edit %>
+      The button...
+    <% end %>
+
+Note that when you define an "action allow" rule it is automatically also added to these 'named checks' by the action
+name, for example, if there is action allow rule for `:create` then we can use `access_allowed? :create`. 
+
+Also note that it is possible to specify a custom 'named check' name for the "action allow" rule (see more below).
+
+## No-match behaviour
+
+The DSL also allows us to define what should happen when executing an action and no rule matches the current situation.
+
+What should happen is defined using one of a set of predefined 'violations' which are handled in specific ways. See
+the discussion below on violations.
+
+## Violations
+
+The behaviour when a "required check" or an action has no matching "allow rule" is defined with so called "violation"
+configuration. These violations are handled in a standardised way by the controller callback that performs the rule
+checks.
+
+The violation types are:
+
+* `severe`:
+  this violation is considered something unusual and is logged. The end user will simply see a 404 page to avoid exposing 
+  to them that there is in fact an actionable endpoint at the route they tried to access.
+* `hidden`:
+  this violation type is considered less severe, but still aims to avoid leaking information to the end user
+  about the actual available routes on the app. If this violation is raised the user will see a 404 page and
+  the violation is logged to the app logs.
+* `not_permitted`:
+  this violation is used when a user can know that an action and route exists but that they do not
+  have the assigned 'abilities' to perform the action. The end user will see a 403 (forbidden) page
+  and the violation is simply logged to the app logs.
+* `redirect`:
+  this violation type is used when we want to perform a redirect if the user does not have the necessary
+  permissions. By default it will redirect to `root_path` but you can use a block to specify the destination path.
+  The block must return a string or other structure that is accepted by `redirect_to`.
+
+## The DSL & defining checks
+
+The methods are as follows:
+
+### `access_require(check, with:, violation: :severe, &block)`
+
+Used to define a "required check rule".
+
+Takes a check name (a symbol or array of symbols) (see details below), an optional `violation` type (defaults to
+`severe`) for when the check does not pass, and a block for when the violation type is `redirect` and you want to
+specify custom logic to determine the redirection destination. Also can take an an optional set of abilities (a hash)
+passed to `with:` to check against the user.
+
+### `access_allow(check, with: nil, to:, as: nil)`
+
+Used to define an "action allow rule" with optional named check alias.
+
+Takes a check name (a symbol or array of symbols) (see details below), an optional set of abilities (a hash) passed to
+`with:` to check against the user, and an optional name (symbol) passed with `as:` to allow the rule to be used as a
+"named check". The controller actions the rule applies to is passed to `to:` (symbol or array of symbols).
+
+### `access_allow(check, with: nil, as:)`
+
+Used to define a "named check rule".
+
+Similar to the "action allow rule" but without the actions. This rule is thus only available to be used as a "named
+check".
+
+### `access_no_match(violation, &block)`
+
+Used to define the "no match" behaviour, ie what happens when an action is trying to be executed by no access rule
+matches or passes for the given user and action.
+
+Takes a `violation` type and optionally a block for when the violation type is `redirect` and you want to specify
+custom logic to determine the redirection destination.
+
+### Defining abilities needed
+
+Permissions requirements are specified for the rule with `with:`.
+
+The permissions are defined as a hash containing keys representing the ability namespaces and associated values
+representing the required abilities.
+
+For example, `{tag_management: [:add_new, :edit_existing], product_management: :edit_variants}` would mean that the
+user must have all 3 of the abilities, `tag_management: :add_new`, `tag_management: :edit_existing` and
+`product_management: :edit_variants`.
+
+### Defining Checks & predefined checks
+
+Access rules must specify one or more 'checks' as part of their rule definition.
+
+'Checks' are basically controller methods which return a boolean to determine if the check 'passed' or 'failed'. Checks
+are normally custom code written for the given context of the feature. Note that checks do not need to perform the
+abilities checks specified by `with:`, these are performed by the gem logic for you.
+
+Checks are specified by providing an instance method on the controller named `allow_(name)?`, where `name` is the check
+name, and which returns a boolean.
+
+For example, if defining a check for an action allow rule where the user must be approved on the platform, and
+have a specific ability assigned to them, then the 'check' part (named say `approved_user`) is "user must be approved
+on the platform" part of the rule, and would be defined on the controller as an instance method `allow_approved_user?`.
+
+There are some predefined 'common' checks, where you do not need to define the `allow_(name)?` method. These are:
+
+* `:public`: anyone, logged in or not
+* `:authenticated_user`: any logged in user  (uses `current_user` or whatever is set as the `current_user_method` in the config)
+
+# View helper to check permissions of user for conditional view sections
+
+It is also possible to check `access` rules from inside views using the `access_allowed?` view helper, which takes
+a list of "named check" names. If any of those check names passes the method returns `true`.
+
+Note that check names also include the actions for which rules exists, as described earlier.
+
+```erb
+    # in controller
+    allow_access :admin, to: :new
+
+    # in view
+    <% if access_allowed? :new %>
+      Only 'admin' users who are allowed to execute action `:new` can see this
+    <% end %>
+```
+
+and
+
+```erb
+    # in controller
+    allow_access :my_check, as: named_rule
+
+    # in view
+    <% if access_allowed? :named_rule %>
+      Only users for whom the `named_rule` check passes can see this
+    <% end %>
+```
+
+# Example
+
+Consider the following view fragment, and then the controller heirarchy defined below:
+
+`tags_controller.rb`
+
+```ruby
+class TagsController < AdminController
+  # Allow any admin to access the :index and :show actions
+  access_allow :admin, to: [:index, :show]
+  # Only let admins with the ability `tag_management: :manage` to execute other actions.
+  # Also in our view we can use the check name `tag_management` to conditionally add say an "Add new Tag" button
+  access_allow :admin, with: {tag_management: :manage}, to: :all, as: :tag_management
+  # On the index page we also conditionally show some statistics about Tag usage, but only to admins with the right
+  # ability. This is done with the named check `:view_usage_stats`
+  access_allow :admin, with: {tag_management: :usage_stats}, as: :view_usage_stats
+  # Admins with a special flag called "im_magic" can also access the :magic action
+  access_allow :magic_admin, to: :magic
+  
+  def allow_admin?
+    current_user.admin?
+  end
+  
+  def allow_magic_admin?
+    current_user.im_magic? && allow_admin?
+  end
+  
+  # ...
+end
+
+class AdminController < AuthenticatedController
+  # Only admins can access actions on this controller or its sub controllers. Any authenticated user who is not an
+  # admin user will generate a severe access violation. They will see a 404 but the violation will be logged.
+  access_require :admin, violation: :severe
+  # Once we have verified the user is an admin we can 403 them instead of 404 when they try to access a page they
+  # dont have permission for. We don't need to hide the existence of the action from them.
+  access_no_match :not_permitted
+  # ...
+end
+
+class AuthenticatedController < ApplicationController
+  # Any action requires an authenticated user. The defined behaviour is that if the user trying to access the action
+  # is not authenticated they are redirected to the sign-in page.
+  access_require :authenticated_user, violation: :redirect do
+    sign_in_path
+  end
+
+  # ...
+end
+
+class ApplicationController < ActionController::Base
+  # By default, if no access rules match when executing an action then show the user a 404 to prevent leaking the
+  # existence of the end point
+  access_no_match :hidden
+  # ...
+end
+
+```
+
+`tags/index.html.erb`
+
+```erb
+    <p>Tags Index</p>
+    <% if access_allowed? :tag_management %>
+      <button>Add new tag</button>
+    <% end %>
+    <% if access_allowed? :view_usage_stats %>
+      <div> ... </div>
+    <% end %>
+    <ul> ... </ul>
+```
+
+## Usage
+
+Add this to your `ApplicationController`
+
+```ruby
+class ApplicationController < ActionController::Base
+  include AccessAllow::ControllerAccessDsl
+end
+```
+
+## Installation
+Add this line to your application's Gemfile:
+
+```ruby
+gem "access_allow"
+```
+
+And then execute:
+```bash
+$ bundle
+```
+
+Or install it yourself as:
+```bash
+$ gem install access_allow
+```
+
+Then run the **generator to add the initializer**
+
+    rails g access_allow:install
+
+
+## Contributing
+Contribution directions go here.
+
+## License
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,3 @@
+require "bundler/setup"
+
+require "bundler/gem_tasks"

data/lib/access_allow/abilities.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module AccessAllow
+  class Abilities
+    class << self
+      def qualified_name(ability_namespace, ability_name)
+        raise StandardError, "You can't have blank ability names" if ability_namespace.blank? || ability_name.blank?
+        "#{ability_namespace}/#{ability_name}"
+      end
+
+      def parse_qualified_name(name)
+        parts = name.split("/").map do |part|
+          raise StandardError "Ability namespaces or names cannot be blank" if part.blank?
+          part.to_sym
+        end
+        return parts if parts.size == 2
+        raise StandardError "Ability name must have a namespace and name (was #{name})"
+      end
+
+      def humanized_name(type, ability_namespace, ability_name)
+        I18n.t("abilities.#{type}.abilities.#{ability_namespace}.#{ability_name}")
+      end
+    end
+  end
+end

data/lib/access_allow/abilities_manager.rb

@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+
+module AccessAllow
+  class AbilitiesManager
+    def initialize(user)
+      @user = user
+    end
+
+    def has?(ability_namespace, ability_name)
+      namespace = namespaced_context(ability_namespace)
+      namespace[ability_name]
+    end
+
+    def to_a
+      @to_a ||=
+        combined_role_and_user_assigned.flat_map do |namespace, abilities|
+          abilities
+            .to_a
+            .each_with_object([]) do |config, arr|
+              ability, permitted = config
+              arr << [namespace, ability.to_sym] if permitted
+            end
+        end
+    end
+
+    private
+
+    attr_reader :user
+
+    def namespaced_context(ability_namespace)
+      context = combined_role_and_user_assigned[ability_namespace]
+      raise StandardError, "Permission namespace unknown: #{ability_namespace}" unless context
+      context
+    end
+
+    def combined_role_and_user_assigned
+      @combined_role_and_user_assigned ||=
+        begin
+          base_perms = role_assigned.deep_dup
+          user.send(AccessAllow.configuration.permissions_association_name).each do |perm|
+            namespace, name = AccessAllow::Abilities.parse_qualified_name(perm.ability_name)
+
+            # We only assign if the permission already exists in the base role based configs
+            next if base_perms.dig(namespace, name).nil?
+            base_perms[namespace][name] = true
+          end
+          base_perms
+        end
+    end
+
+    def role_assigned
+      unless role_based_abilities[user_type_key]
+        raise(StandardError, "User type (#{user_type_key}) has no permissions defined")
+      end
+      unless role_based_abilities[user_type_key][user_role_key]
+        raise(
+          StandardError,
+          "Role (#{user_role_key}) for user type (#{user_type_key}) has no permissions defined"
+        )
+      end
+      role_based_abilities[user_type_key][user_role_key]
+    end
+
+    def role_based_abilities
+      AccessAllow.configuration.roles_and_permissions
+    end
+
+    def user_type_key
+      user.class.name.underscore.to_sym
+    end
+
+    def user_role_key
+      role = user.send(AccessAllow.configuration.role_method_name)
+      (role.presence || "primary").to_sym
+    end
+
+    def about_user
+      "#{user.class} with ID #{user.id}"
+    end
+  end
+end

data/lib/access_allow/access_manager.rb

@@ -0,0 +1,237 @@
+# frozen_string_literal: true
+
+module AccessAllow
+  class AccessManager
+    VIOLATION_TYPES = %i[severe hidden redirect not_permitted].freeze
+
+    def initialize
+      @required_rules = []
+      @action_rules = []
+      @named_rules_map = {}
+      @all_actions_rules = []
+      @no_match_rule = {violation: :severe}
+    end
+
+    # When initialising an access manager for a controller make sure to clone the current parent controllers rules
+    def initialize_clone(parent_manager)
+      @required_rules = parent_manager.required_rules.deep_dup
+      @action_rules = parent_manager.action_rules.deep_dup
+      @named_rules_map = parent_manager.named_rules_map.deep_dup
+      @all_actions_rules = parent_manager.all_actions_rules.deep_dup
+      @no_match_rule = parent_manager.no_match_rule.deep_dup
+    end
+
+    def add_allow_rule(rule, to, with = nil, as = nil)
+      insert_access_rule(parse_rule(rule, to: to, with: with, as: as))
+    end
+
+    def add_required_rule(rule, violation, with = nil, handler = nil)
+      unless VIOLATION_TYPES.include?(violation)
+        raise StandardError, "You must provide a valid violation type"
+      end
+      insert_required_rule(rule, with, violation, handler)
+    end
+
+    def configure_no_match(violation_type, &block)
+      rule = {violation: violation_type}
+      rule[:handler] = block if block
+      @no_match_rule = rule
+    end
+
+    # Rule is applied like this:
+    #
+    # First apply any required rules, ie all must pass to allow user to progress
+    #
+    # Then apply allow rules, where any pass will allow user to progress:
+    # * if there is a constraint on an action name, check that
+    # * if it has user type requirement, then apply that next
+    # * if it has a perms requirement, apply that after
+    # * if it has custom rules, apply those
+
+    # Compare against all configured rules which have actions
+    def allow_action?(user, controller, current_action)
+      # Required checks must all pass
+      required_rules.each do |config|
+        permitted_or_violation = execute_required_rule(config, user, controller, current_action)
+        return permitted_or_violation unless permitted_or_violation == true
+      end
+
+      # Check action rules
+      allowed =
+        action_rules.any? { |config| execute_rule(config, user, controller, current_action) }
+      return true if allowed
+
+      # return no-match
+      no_match_rule
+    end
+
+    # Evaluate specific rules. Ie we dont check action match, we just find if there are any checks that pass
+    # for the current context. Used in view helper. The rules are defined with access_allow and a name or alias.
+    def allow?(rules, user, current_controller)
+      Array
+        .wrap(rules)
+        .any? do |rule|
+          rule_configs = named_rules_map[rule]
+          rule_configs&.any? { |config| execute_rule(config, user, current_controller) }
+        end
+    end
+
+    # Introspection methods
+
+    def no_match_violation
+      no_match_rule[:violation]
+    end
+
+    def named_rule_exists?(name)
+      !named_rules_map[name].nil?
+    end
+
+    def required_check_exists?(name)
+      required_rules.any? do |r|
+        r[:rules_set][:all]&.include?(name) || r[:rules_set][:any]&.include?(name)
+      end
+    end
+
+    protected
+
+    attr_reader :required_rules, :action_rules, :named_rules_map, :all_actions_rules, :no_match_rule
+
+    private
+
+    def parse_rule(rule, with: nil, as: nil, to: nil)
+      # If rule is a hash then its rules + perms - one key is single rule, multiple considered AND
+      # If an array then AND condition on the rules
+      actions = Array.wrap(to)
+      given_names = Array.wrap(as)
+      if actions.empty? && given_names.empty?
+        raise StandardError,
+          "You must specify the actions which the rule applies to or if a check must have a name"
+      end
+      {
+        aliases: given_names.presence || actions,
+        rules_set: prepare_rule_set(rule),
+        perms: parse_permissions(with),
+        actions: actions
+      }
+    end
+
+    # Parse the (optional) permissions configuration for the rule, defined with the `with:` option
+    def parse_permissions(perm_config)
+      return if perm_config.blank?
+
+      # A permission comprises of a namespace key, and with a single or array of permission names.
+      # If multiple are specified they all must apply
+      perm_config.to_a.flat_map do |c|
+        namespace, perm_name = c
+        if perm_name.is_a?(Array)
+          perm_name.map { |n| {namespace => n} }
+        else
+          {namespace => perm_name}
+        end
+      end
+    end
+
+    def insert_required_rule(rule, with, violation, handler)
+      config = {
+        rules_set: prepare_rule_set(rule),
+        perms: parse_permissions(with),
+        violation: violation
+      }
+      config[:handler] = handler if handler
+      required_rules << config
+    end
+
+    def prepare_rule_set(rules)
+      return rules if rules.is_a?(Hash) && (rules[:any] || rules[:all])
+      {all: Array.wrap(rules)}
+    end
+
+    def insert_access_rule(parsed_rule)
+      # Or add alias and/or action rule
+      aliased_as = parsed_rule[:aliases]
+      aliased_as&.each do |alias_name|
+        named_rules_map[alias_name] = [] if named_rules_map[alias_name].nil?
+        named_rules_map[alias_name] << parsed_rule
+      end
+      return if parsed_rule[:actions].blank?
+      all_actions_rules << parsed_rule if parsed_rule[:actions].include?(:all)
+      action_rules << parsed_rule
+    end
+
+    # To execute a rule:
+    # - check that the action is valid if specified
+    # - check that the user has required abilities if specified
+    # - apply the rules (all rules for the given allow config) to check if it passes for the current context
+    def execute_rule(config, user, controller, action_name = nil)
+      return if action_name && !allowed_action?(config[:actions], action_name)
+      execute_rules_set(config[:rules_set], config[:perms], user, controller, action_name)
+    end
+
+    # Required rules either pass or return their configured violation state
+    def execute_required_rule(config, user, controller, action_name)
+      if execute_rules_set(config[:rules_set], config[:perms], user, controller, action_name)
+        return true
+      end
+      config.slice(:violation, :handler)
+    end
+
+    def execute_rules_set(rules_set, perms, user, controller, action_name)
+      return unless user_has_perms?(user, perms)
+      if rules_set[:all]
+        rules_set[:all].all? do |rule|
+          Array.wrap(rule).all? { |r| apply_rule(r, user, controller, action_name) }
+        end
+      elsif rules_set[:any]
+        rules_set[:any].any? do |rule|
+          Array.wrap(rule).all? { |r| apply_rule(r, user, controller, action_name) }
+        end
+      else
+        raise NotImplementedError, "Unknown rule set"
+      end
+    end
+
+    # Check specified action is even got a rule to apply to it
+    def allowed_action?(actions, action_name)
+      actions.include?(:all) || actions.include?(action_name)
+    end
+
+    # Check if the user has permissions defined in the rule
+    def user_has_perms?(user, perms)
+      return true if perms.blank?
+      perms.all? { |perm| AccessAllow::Check.call(user, perm) }
+    end
+
+    # Some rules are predefined, otherwise apply the rule by calling the methods on the controller
+    # which the rule defines, which are named after the rule with a `allow_` prefix
+    def apply_rule(rule, user, controller, action_name)
+      case rule
+      when :public
+        true
+      when :authenticated_user
+        user.present?
+      else
+        apply_custom_rule(rule, user, controller, action_name)
+      end
+    end
+
+    # Apply the rule by calling the appropriate `allow_#{name}` instance method on the controller
+    # The method can be optionally called with the current user being tested against the rule, and optionally
+    # the rule configuration itself.
+    def apply_custom_rule(rule, user, controller, action_name)
+      controller.instance_exec(user, rule: rule, action_name: action_name) do |uut, rule_info|
+        check_name = "allow_#{rule}?".to_sym
+        unless respond_to?(check_name)
+          raise NotImplementedError, "Check #{check_name} not implemented!"
+        end
+        case method(check_name).arity
+        when 1
+          send(check_name, uut)
+        when 2
+          send(check_name, uut, rule_info)
+        else
+          send(check_name)
+        end
+      end
+    end
+  end
+end

data/lib/access_allow/check.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+module AccessAllow
+  class Check
+    class << self
+      def call(user, config)
+        build_perms_checker(user, config).possible?
+      end
+
+      def call!(user, config)
+        build_perms_checker(user, config).possible!
+      end
+
+      private
+
+      def build_perms_checker(user, config)
+        perm_namespace, perm_name = config.to_a.first
+        new(user, perm_namespace, perm_name)
+      end
+    end
+
+    def initialize(user, ability_namespace, ability_name)
+      @user = user
+      @ability_manager = user ? AccessAllow::AbilitiesManager.new(user) : nil
+      @ability_namespace = ability_namespace.to_sym
+      @ability_name = ability_name.to_sym
+    end
+
+    def possible?
+      unless user
+        Rails.logger.info error_message(false)
+        return false
+      end
+      ability_manager.has?(ability_namespace, ability_name).tap { |can| Rails.logger.info error_message(can) }
+    end
+
+    def possible!
+      possible? || raise(AccessAllow::ViolationError, error_message(false))
+    end
+
+    private
+
+    attr_reader :user, :ability_namespace, :ability_name, :ability_manager
+
+    # Error messages
+
+    def about_user
+      user ? "#{user.class} with ID #{user.id}" : "Unauthenticated user"
+    end
+
+    def error_message(can)
+      "#{about_user} #{can ? "can" : "cannot"} do '#{ability_name}'"
+    end
+  end
+end

data/lib/access_allow/controller_access_dsl.rb

@@ -0,0 +1,113 @@
+# frozen_string_literal: true
+
+module AccessAllow
+  # Setup rules and configuration to specify access for a controller. Either specific actions or all actions.
+  module ControllerAccessDsl
+    extend ActiveSupport::Concern
+
+    included do
+      helper_method :access_allowed?
+
+      # Add a before action to check `allow` permissions rules. Note this is a 'prepend' as we
+      # want to try to ensure this happens before anything else.
+      prepend_before_action do |controller|
+        ensure_authenticated_before_perms_check if respond_to?(:ensure_authenticated_before_perms_check)
+        access_result = self.class.access_manager.allow_action?(
+          send(AccessAllow.configuration.current_user_method),
+          controller,
+          controller.action_name.to_sym
+        )
+        next true if access_result == true
+        Rails.logger.info("Blocked access for #{access_log_user_info} to access '#{access_log_action_tried}'")
+        handle_access_violation(access_result)
+      end
+    end
+
+    # The DSL of the access rule configuration is defined below
+    class_methods do
+      # The access controls are inherited to controller subclasses
+      def inherited(subclass)
+        subclass.instance_variable_set(:@access_manager, @access_manager.clone)
+        super
+      end
+
+      # Configure what should happen when no access rule matches the action being executed
+      def access_no_match(violation, &block)
+        access_manager.configure_no_match(violation, &block)
+      end
+
+      # TODO: consider a `if:` conditional allowed on rules
+      # Specify an access requirement, that must pass for any other action access checks to pass
+      # The default violation level is :severe
+      def access_require(check, with: nil, violation: :severe, &block)
+        access_manager.add_required_rule(check, violation, with, block)
+      end
+
+      # Specify an access rule requirement for a specific action or set of actions. You can optionally
+      # also specify what abilities are required to match the rule. Using `as:` and no `to:` actions you can also
+      # specify an access rule which is not used when actions are executed but instead can be checked by the given name,
+      # thus allowing one to define a check that is used inside the processing of an action rather than before it.
+      # You can also specify an action rule with `to:` and then alias it to a named check with `as:`
+      def access_allow(check, with: nil, to: nil, as: nil)
+        access_manager.add_allow_rule(check, to, with, as)
+      end
+
+      # Create a new manager instance for this particular controller
+      def access_manager
+        @access_manager ||= AccessAllow::AccessManager.new
+      end
+    end
+
+    # `access_allowed?` is exposed as a view helper to execute checks or allow rules and return if they
+    # passed or not. Useful for doing conditional work in the view or a controller action
+    def access_allowed?(*check_rules)
+      self.class.access_manager.allow?(
+        check_rules,
+        send(AccessAllow.configuration.current_user_method),
+        self
+      )
+    end
+
+    protected
+
+    # When required access rules are violated, or when no match on an action occurs, the result from the access
+    # manager is processed here.
+    def handle_access_violation(access_result)
+      case access_result[:violation]
+      when :redirect
+        redirect_destination = access_result[:handler] ? instance_exec(&access_result[:handler]) : root_path
+        raise ::AccessAllow::ResponseForbiddenError, "Not permitted" unless redirect_destination
+        Rails.logger.info("#{access_log_user_info} tried to access a page that they can't access and they were " \
+          "redirected to '#{redirect_destination}'. (#{access_log_action_tried})")
+        redirect_to redirect_destination
+      when :not_permitted
+        Rails.logger.info("#{access_log_user_info} tried to access a page that they can't access and they were " \
+          "told about it. (#{access_log_action_tried})")
+        raise ::AccessAllow::ResponseForbiddenError, "Not permitted"
+      when :hidden
+        Rails.logger.info("#{access_log_user_info} tried to access a page that they can't access and they won't " \
+          "know exists (#{access_log_action_tried})")
+        raise ActionController::RoutingError, "Not Found"
+      else
+        log_severe_access_violation_and_not_found
+      end
+    end
+
+    def log_severe_access_violation_and_not_found
+      Rails.logger.error(
+        "#{access_log_user_info} tried to access a page that they can't access and" \
+          " it is considered suspicious they should attempt to see it. The action was: #{access_log_action_tried}"
+      )
+      raise ActionController::RoutingError, "Not Found"
+    end
+
+    def access_log_user_info
+      user = send(AccessAllow.configuration.current_user_method)
+      user ? "User #{user.id}" : "An unauthenticated user"
+    end
+
+    def access_log_action_tried
+      "#{controller_name}##{action_name}"
+    end
+  end
+end

data/lib/access_allow/railtie.rb

@@ -0,0 +1,4 @@
+module AccessAllow
+  class Railtie < ::Rails::Railtie
+  end
+end

data/lib/access_allow/roles.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module AccessAllow
+  class Roles
+    class << self
+      # Get a human readable version of the role key
+      def humanized_name(type, role)
+        I18n.t("abilities.#{type}.roles.#{role}")
+      end
+
+      # Check roles are valid for specific user types
+
+      def for?(type, role)
+        roles_for(type).include?(role.to_sym)
+      end
+
+      def roles_for(type)
+        configuration[type.to_sym]&.keys || []
+      end
+
+      private
+
+      def configuration
+        AccessAllow.configuration.roles_and_permissions
+      end
+    end
+  end
+end

data/lib/access_allow/version.rb

@@ -0,0 +1,3 @@
+module AccessAllow
+  VERSION = "0.1.0"
+end

data/lib/access_allow.rb

@@ -0,0 +1,36 @@
+require "access_allow/version"
+require "access_allow/railtie"
+require "access_allow/abilities"
+require "access_allow/abilities_manager"
+require "access_allow/access_manager"
+require "access_allow/check"
+require "access_allow/controller_access_dsl"
+require "access_allow/roles"
+
+module AccessAllow
+  class ViolationError < StandardError; end
+
+  class ResponseForbiddenError < StandardError; end
+
+  class << self
+    def configuration
+      @configuration ||= Configuration.new
+    end
+
+    def configure
+      yield(configuration) if block_given?
+      configuration
+    end
+  end
+
+  class Configuration
+    attr_accessor :roles_and_permissions, :current_user_method, :permissions_association_name, :role_method_name
+
+    def initialize
+      @roles_and_permissions = {}
+      @current_user_method = :current_user
+      @permissions_association_name = :permissions
+      @role_method_name = :role
+    end
+  end
+end

data/lib/generators/access_allow/USAGE

@@ -0,0 +1,3 @@
+Creates an initial configuration, an initializer and copies in the Permission migration & model
+
+    rails generate access_allow:install

data/lib/generators/access_allow/install_generator.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require "rails/generators/base"
+require "rails/generators/active_record/migration"
+
+module AccessAllow
+  module Generators
+    # The Install generator `access_allow:install`
+    class InstallGenerator < ::Rails::Generators::Base
+      include ::ActiveRecord::Generators::Migration
+
+      source_root File.expand_path(__dir__)
+
+      desc "Creates an initial configuration, an initializer and copies in the Permission migration & model."
+
+      def copy_tasks
+        template "templates/access_allow.rb", "config/initializers/access_allow.rb"
+        migration_template "templates/migration.rb.erb", "db/migrate/access_allow_create_permissions.rb", migration_version: migration_version
+      end
+
+      def migration_version
+        "[#{Rails::VERSION::MAJOR}.#{Rails::VERSION::MINOR}]"
+      end
+    end
+  end
+end

data/lib/generators/access_allow/templates/access_allow.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+AccessAllow.configure do |config|
+  # Roles and permissions associated with each role (you might want to store this in a YAML file and load it here)
+  config.roles_and_permissions = {}
+
+  # config.current_user_method = :current_user
+  # config.permissions_association_name = :permissions
+  # config.role_method_name = :role
+end

data/lib/generators/access_allow/templates/migration.rb.erb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class AccessAllowCreatePermissions < ActiveRecord::Migration<%= migration_version %>
+  def change
+    create_table :permissions do |t|
+      t.string :ability_name
+      t.references :user, foreign_key: true, null: false
+      t.timestamps
+    end
+  end
+end

data/lib/tasks/access_allow_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :access_allow do
+#   # Task goes here
+# end

metadata

@@ -0,0 +1,76 @@
+--- !ruby/object:Gem::Specification
+name: access_allow
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Stephen Ierodiaconou
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2022-11-22 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 7.0.4
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 7.0.4
+description: Permissions and access control gem for Rails.
+email:
+- stevegeek@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- Rakefile
+- lib/access_allow.rb
+- lib/access_allow/abilities.rb
+- lib/access_allow/abilities_manager.rb
+- lib/access_allow/access_manager.rb
+- lib/access_allow/check.rb
+- lib/access_allow/controller_access_dsl.rb
+- lib/access_allow/railtie.rb
+- lib/access_allow/roles.rb
+- lib/access_allow/version.rb
+- lib/generators/access_allow/USAGE
+- lib/generators/access_allow/install_generator.rb
+- lib/generators/access_allow/templates/access_allow.rb
+- lib/generators/access_allow/templates/migration.rb.erb
+- lib/tasks/access_allow_tasks.rake
+homepage: https://github.com/stevegeek/access_allow
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/stevegeek/access_allow
+  source_code_uri: https://github.com/stevegeek/access_allow
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.3.7
+signing_key:
+specification_version: 4
+summary: Permissions and access control gem for Rails.
+test_files: []