RubyGems - access_policy - Versions diffs - 0.0.3 → 0.0.4 - Mend

access_policy 0.0.3 → 0.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

checksums.yaml +4 -4
data/README.md +84 -8
data/lib/access_policy/policy_check.rb +9 -9
data/lib/access_policy/policy_enforcer.rb +5 -6
data/lib/access_policy/rspec_matchers.rb +68 -40
data/lib/access_policy/version.rb +1 -1
data/lib/access_policy.rb +9 -0
data/spec/integration/lib/access_policy_spec.rb +4 -2
data/spec/unit/lib/access_policy/policy_check_spec.rb +5 -5
data/spec/unit/lib/access_policy/policy_enforcer_spec.rb +12 -3
data/spec/unit/lib/access_policy/rspec_matchers_spec.rb +83 -0
metadata +4 -4
data/spec/unit/lib/access_policy/matcher_spec.rb +0 -24

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 6d6fec0043cb9fd0e0e318c74c3a123d5928373e
-  data.tar.gz: 416b4171c59eab9dd40e2235e9059cd9a9b8c914
+  metadata.gz: c13ac5c6dac57c9f9941984ef3a3cdfb41ea0a2e
+  data.tar.gz: 72b632f8163d91a4655bb8b9fdd4989402c76777
 SHA512:
-  metadata.gz: aa415b1b7d75b12278d6c0edc38d79d2558c912a44d3486b2f3a719fa01bee235eeb80716a84a78e4aa00894614a9ac62cfcf3a72802cbcf27790a891be12780
-  data.tar.gz: 51a51cc18979bed2caf2795cdab657a3137bfb4eae275d2385b2af84c9f0a991332d175482580c49819560f976b5be03d8c04613e00b5a09854e32cb1b597727
+  metadata.gz: 08b09203d8dfeda012749a7b6480ecbc594120cf16df57b92734f06eb8fbd5501a9429c5c836670bef0fd6a73e361b28482540c962b9a1aec6bd8986d287f029
+  data.tar.gz: 12c95f04b081718da2b910b68d89942514862d59fdc44ad240c86f30d14273c9e28be567feb6915edf769d6ee9453ec68ecf29105cb7a6e47db17248443f8e34

data/README.md CHANGED Viewed

@@ -1,4 +1,4 @@
-# AccessPolicy
+# AccessPolicy [![Code Climate](https://codeclimate.com/github/slowjack2k/access_policy.png)](https://codeclimate.com/github/slowjack2k/access_policy) [![Build Status](https://travis-ci.org/slowjack2k/access_policy.png?branch=master)](https://travis-ci.org/slowjack2k/access_policy) [![Coverage Status](https://coveralls.io/repos/slowjack2k/access_policy/badge.png?branch=master)](https://coveralls.io/r/slowjack2k/access_policy?branch=master) [![Gem Version](https://badge.fury.io/rb/access_policy.png)](http://badge.fury.io/rb/access_policy)
 Object oriented authorization for ruby. It provides helper to
 protect method call's via Policy-Classes.
@@ -32,8 +32,15 @@ end
 ToGuardPolicy = Struct.new(:current_user_or_role, :object_of_kind_to_guard) do
+  attr_accessor :error_message # optional
   def method_to_guard?
-    current_user_or_role.is_allowed?
+    if current_user_or_role.is_allowed?
+      true
+    else
+      self.error_message = "you'r not allowed to do this" # optional
+      false
+    end
   end
 end
@@ -48,9 +55,9 @@ policy_checker.with_user_or_role(current_user) do
   begin
     policy_checker.authorize(object_to_guard, 'method_to_guard')
     object_to_guard.method_to_guard
-  rescue AccessPolicy::PolicyEnforcer::NotAuthorizedError
+  rescue AccessPolicy::NotAuthorizedError
    ...
-  rescue AccessPolicy::PolicyEnforcer::NotDefinedError
+  rescue AccessPolicy::NotDefinedError
    ...
   end
 end
@@ -84,9 +91,9 @@ Or
  object_to_guard.with_user_or_role(current_user) do
    begin
      object_to_guard.method_to_guard
-   rescue PolicyEnforcer::NotAuthorizedError
+   rescue AccessPolicy::NotAuthorizedError
     ...
-   rescue PolicyEnforcer::NotDefinedError
+   rescue AccessPolicy::NotDefinedError
     ...
    end
  end
@@ -99,14 +106,83 @@ Or
         object_to_guard.method_to_guard_for_root
       end
-    rescue PolicyEnforcer::NotAuthorizedError
+    rescue AccessPolicy::NotAuthorizedError
      ...
-    rescue PolicyEnforcer::NotDefinedError
+    rescue AccessPolicy::NotDefinedError
      ...
     end
   end
+```
+Test policies with rspec:
+```ruby
+require 'spec_helper'
+require 'access_policy/rspec_matchers'
+module MatcherExampleSpec
+  DummyPolicy = Struct.new(:current_user, :object_to_guard) do
+    def read?
+      true
+    end
+    def write?
+      current_user && current_user.allowed?
+    end
+    def destroy?
+      write? && object_to_guard && !object_to_guard.locked?
+    end
+  end
+end
+describe "PolicyMatchers", type: :policy do
+  subject(:policy){
+    MatcherExampleSpec::DummyPolicy
+  }
+  context 'for a visitor' do
+    let(:visitor){nil}
+    it 'permits read' do
+      expect(policy).to permit(:read).to(visitor)
+    end
+    it 'forbids write' do
+      expect(policy).not_to permit(:write).to(visitor)
+    end
+  end
+  context 'for a admin' do
+    let(:admin){double('admin', allowed?: true)}
+    let(:locked_object_to_guard){double('object to guard', locked?: true)}
+    let(:unlocked_object_to_guard){double('object to guard', locked?: false)}
+    it 'permits read' do
+      expect(policy).to permit(:read).to(admin)
+    end
+    it 'permits write' do
+      expect(policy).to permit(:write).to(admin)
+    end
+    it 'permits destroy for unlocked objects'  do
+      expect(policy).to permit(:destroy).on(unlocked_object_to_guard).to(admin)
+    end
+    it 'forbids destroy for locked objects' do
+      expect(policy).to forbid(:destroy).on(locked_object_to_guard).to(admin)
+    end
+  end
+end
 ```
 ## Contributing

data/lib/access_policy/policy_check.rb CHANGED Viewed

@@ -14,7 +14,7 @@ module AccessPolicy
     def authorize(object_to_guard, action_to_guard, error_policy: default_error_policy)
       PolicyEnforcer.new(current_user_or_role_for_policy, object_to_guard, action_to_guard).authorize(error_policy) do
-        self.policy_authorized=true
+        self.policy_authorize_called=true
       end
     end
@@ -23,12 +23,12 @@ module AccessPolicy
     end
     def with_user_or_role(new_current_user_or_role_for_policy, error_policy = default_error_policy)
-      self.policy_authorized = false
+      self.policy_authorize_called = false
       switched_user_or_role(new_current_user_or_role_for_policy) do
         begin
           yield if block_given?
-          raise(PolicyEnforcer::NotAuthorizedError, "#{new_current_user_or_role_for_policy}") unless policy_authorized?
+          raise(AccessPolicy::AuthorizeNotCalledError, "#{new_current_user_or_role_for_policy}") unless policy_authorize_called?
         rescue => e
           error_policy.call(e)
         end
@@ -43,18 +43,18 @@ module AccessPolicy
       scope['current_user_or_role_for_policy']
     end
-    def policy_authorized=(new_value)
-      scope['policy_authorized'] = new_value
+    def policy_authorize_called=(new_value)
+      scope['policy_authorize_called'] = new_value
     end
-    def policy_authorized?
-      !!policy_authorized
+    def policy_authorize_called?
+      !!policy_authorize_called
     end
     protected
-    def policy_authorized
-      scope['policy_authorized']
+    def policy_authorize_called
+      scope['policy_authorize_called']
     end
     def scope

data/lib/access_policy/policy_enforcer.rb CHANGED Viewed

@@ -1,9 +1,5 @@
 module AccessPolicy
   class PolicyEnforcer
-    class NotDefinedError < StandardError;
-    end
-    class NotAuthorizedError < StandardError;
-    end
     attr_accessor :current_user_or_role, :object_or_class, :query, :default_error_policy
@@ -18,7 +14,10 @@ module AccessPolicy
     end
     def authorize(error_policy=default_error_policy)
-      raise(PolicyEnforcer::NotAuthorizedError, "not allowed to #{query} this #{object_or_class}" ) unless _guard_action()
+      unless _guard_action()
+        error_message = policy.respond_to?(:error_message) ? policy.error_message : "not allowed to #{query} this #{object_or_class}"
+        raise(AccessPolicy::NotAuthorizedError, error_message)
+      end
       yield true if block_given?
       true
     rescue
@@ -26,7 +25,7 @@ module AccessPolicy
     end
     def policy(error_policy=default_error_policy)
-      specific_policy_for_class.new(current_user_or_role, object_or_class)
+      @policy||= specific_policy_for_class.new(current_user_or_role, object_or_class)
     rescue
       error_policy.call(object_or_class)
     end

data/lib/access_policy/rspec_matchers.rb CHANGED Viewed

@@ -2,75 +2,103 @@ module AccessPolicy
   module RspecMatchers
     extend ::RSpec::Matchers::DSL
     def self.included(base)
       base.metadata[:type] = :policy
     end
-    module Common
-      def self.call(base)
-        base.instance_eval do
-          chain :to do |user|
-            @user = user
-          end
+    class PositivePolicyMatcher
+      attr_accessor :policy_class, :user, :object_to_guard, :permission
+      def initialize(permission)
+        self.permission = permission
+      end
+      def matches?(policy_class)
+        self.policy_class = policy_class
+        eval_match
+      end
-          chain :on do |object_to_guard|
-            @object_to_guard = object_to_guard
-          end
+      def eval_match
+        permission_granted?
+      end
-          define_method :permission_granted? do |policy_class, permission |
-            policy = policy_class.new(@user, @object_to_guard)
-            policy.public_send("#{permission}?")
-          end
+      def failure_message
+        "#{policy_class} #{failure_message_part} '#{permission}'#{object_as_text}#{user_as_text}."
+      end
-          define_method :permission_denied? do |*args|
-            ! permission_granted?(*args)
-          end
+      def negative_failure_message
+        "#{policy_class} #{negative_failure_message_part} '#{permission}'#{object_as_text}#{user_as_text}."
+      end
-          define_method :object_as_text do
-            @object_to_guard.nil? ? '' : " on #{@object_to_guard.inspect}"
-          end
-          define_method :user_as_text do
-            @user.nil? ? '' : " for #{@user.inspect}"
-          end
+      def failure_message_part
+        'does not permit'
+      end
-        end
+      def negative_failure_message_part
+        'does not forbid'
       end
-    end
+      def to(user)
+        self.user = user
+        self
+      end
+      alias_method :for, :to
+      alias_method :for_user, :to
+      alias_method :to_user, :to
-    matcher :permit do |permission|
-      match do |policy_class|
-        permission_granted?(policy_class, permission)
+      def on(object_to_guard)
+        self.object_to_guard = object_to_guard
+        self
       end
+      alias_method :with, :on
+      protected
-      failure_message_for_should do |policy_class|
-        "#{policy_class} does not permit #{permission} #{object_as_text}#{user_as_text}."
+      def permission_granted?
+        policy = policy_class.new(@user, @object_to_guard)
+        policy.public_send("#{permission}?")
       end
-      failure_message_for_should_not do |policy_class|
-        "#{policy_class} does not forbid #{permission}#{object_as_text}#{user_as_text}."
+      def object_as_text
+        self.object_to_guard.nil? ? '' : " on #{self.object_to_guard.inspect}"
       end
-      Common.call(self)
+      def  user_as_text
+        self.user.nil? ? '' : " to #{self.user.inspect}"
+      end
     end
-    matcher :forbid do |permission|
-      match do |policy_class|
-        permission_denied?(policy_class, permission)
+    class NegativePolicyMatcher < PositivePolicyMatcher
+      def eval_match
+        permission_denied?
+      end
+      def failure_message_part
+        'does not forbid'
       end
-      failure_message_for_should do |policy_class|
-        "#{policy_class} does not forbid #{permission} #{object_as_text}#{user_as_text}."
+      def negative_failure_message_part
+        'does permit'
       end
-      failure_message_for_should_not do |policy_class|
-        "#{policy_class} does not permit #{permission}#{object_as_text}#{user_as_text}."
+      protected
+      def permission_denied?
+        ! permission_granted?
       end
+    end
-      Common.call(self)
+    def permit(expected=nil)
+      PositivePolicyMatcher.new(expected)
     end
+    def forbid(expected=nil)
+      NegativePolicyMatcher.new(expected)
+    end
   end
 end

data/lib/access_policy/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module AccessPolicy
-  VERSION = "0.0.3"
+  VERSION = "0.0.4"
 end

data/lib/access_policy.rb CHANGED Viewed

@@ -6,6 +6,15 @@ require 'access_policy/policy_enforcer'
 module AccessPolicy
+  class NotDefinedError < StandardError
+  end
+  class NotAuthorizedError < StandardError
+  end
+  class AuthorizeNotCalledError < StandardError
+  end
   def self.included(base)
     base.extend ClassMethods
   end

data/spec/integration/lib/access_policy_spec.rb CHANGED Viewed

@@ -40,8 +40,10 @@ describe AccessPolicy do
     it 'protects created methods' do
       expect {
-        subject.call
-      }.to  raise_error AccessPolicy::PolicyEnforcer::NotAuthorizedError
+        subject.with_user_or_role(falsy_user) do
+          subject.call
+        end
+      }.to  raise_error AccessPolicy::NotAuthorizedError
     end
     it 'grands access to guarded methods when the user has the right' do

data/spec/unit/lib/access_policy/policy_check_spec.rb CHANGED Viewed

@@ -17,7 +17,7 @@ module AccessPolicy
     subject {
       AccessPolicy::PolicyCheck.new.tap { |p|
         p.current_user_or_role_for_policy=nil
-        p.policy_authorized = true
+        p.policy_authorize_called = true
       }
     }
@@ -54,7 +54,7 @@ module AccessPolicy
     describe '.with_user_or_role' do
       it 'sets the current user' do
         subject.with_user_or_role(current_user) do
-          subject.policy_authorized = true
+          subject.policy_authorize_called = true
           expect(subject.current_user_or_role_for_policy).to eq current_user
         end
       end
@@ -63,14 +63,14 @@ module AccessPolicy
         subject.current_user_or_role_for_policy = 'other user'
         subject.with_user_or_role(current_user) do
-          subject.policy_authorized = true
+          subject.policy_authorize_called = true
         end
         expect(subject.current_user_or_role_for_policy).to eq 'other user'
       end
-      it 'raises PolicyEnforcer::NotAuthorizedError when authorize is not called' do
-        expect { subject.with_user_or_role(current_user) }.to raise_error PolicyEnforcer::NotAuthorizedError
+      it 'raises PolicyEnforcer::AuthorizeNotCalledError when authorize is not called' do
+        expect { subject.with_user_or_role(current_user) }.to raise_error AccessPolicy::AuthorizeNotCalledError
       end
       it 'does not raise PolicyEnforcer::NotAuthorizedError when authorize is called' do

data/spec/unit/lib/access_policy/policy_enforcer_spec.rb CHANGED Viewed

@@ -13,6 +13,10 @@ module PolicyEnforcerSpec
     def not_allowed_call?
       false
     end
+    def error_message
+      "some thing went wrong"
+    end
   end
   module A
@@ -87,12 +91,12 @@ module AccessPolicy
       it 'raises Policy::NotDefinedError when no policy class found' do
         B = Object
         subject.object_or_class = B
-        expect { subject.policy }.to raise_error PolicyEnforcer::NotDefinedError
+        expect { subject.policy }.to raise_error AccessPolicy::NotDefinedError
       end
       it 'raises Policy::NotDefinedError when class.name is empty' do
         subject.object_or_class = Class.new
-        expect { subject.policy }.to raise_error PolicyEnforcer::NotDefinedError
+        expect { subject.policy }.to raise_error AccessPolicy::NotDefinedError
       end
     end
@@ -106,9 +110,14 @@ module AccessPolicy
         expect{subject.authorize}.to raise_error
       end
+      it 'sets custom error messages on the error' do
+        subject.query = "not_allowed_call"
+        expect{subject.authorize}.to raise_error(AccessPolicy::NotAuthorizedError, "some thing went wrong")
+      end
       it 'raises an exception when no method is defined' do
         subject.query = "call2"
-        expect { subject.authorize }.to raise_error PolicyEnforcer::NotDefinedError
+        expect { subject.authorize }.to raise_error AccessPolicy::NotDefinedError
       end
       it 'uses a given error handler' do

data/spec/unit/lib/access_policy/rspec_matchers_spec.rb ADDED Viewed

@@ -0,0 +1,83 @@
+require 'spec_helper'
+require 'access_policy/rspec_matchers'
+module RspecMatchersSpec
+  DummyPolicy = Struct.new(:current_user, :object_to_guard) do
+    def read?
+      true
+    end
+    def write?
+      false
+    end
+  end
+end
+describe 'PolicyMatchers' do
+  context 'none policy spec' do
+    it 'has no access to permit' do
+      expect { permit }.to raise_error(NameError)
+    end
+    it 'has no access to forbid' do
+      expect { forbid }.to raise_error(NameError)
+    end
+  end
+  context 'policy spec', type: :policy do
+    it 'grands access to permit' do
+      expect { permit }.not_to raise_error
+    end
+    it 'grands access to forbid' do
+      expect { forbid }.not_to raise_error
+    end
+    context 'permit' do
+      let(:record){'a record'}
+      let(:user){'a user'}
+      it 'returns true when permission in granted' do
+        matcher = permit(:read).on(record).to(user)
+        expect(matcher.matches?(RspecMatchersSpec::DummyPolicy)).to be_truthy
+      end
+      it 'sets error messages' do
+        matcher = permit(:read).on(record).to(user)
+        matcher.matches?(RspecMatchersSpec::DummyPolicy)
+        expect(matcher.failure_message).to eq %q{RspecMatchersSpec::DummyPolicy does not permit 'read' on "a record" to "a user".}
+        expect(matcher.negative_failure_message).to eq %q{RspecMatchersSpec::DummyPolicy does not forbid 'read' on "a record" to "a user".}
+      end
+      it 'returns false when permission is not granted' do
+        matcher = permit(:write).on(record).to(user)
+        expect(matcher.matches?(RspecMatchersSpec::DummyPolicy)).to be_falsy
+      end
+    end
+    context 'forbid' do
+      let(:record){'a record'}
+      let(:user){'a user'}
+      it 'returns false when permission in granted' do
+        matcher = forbid(:read).on(record).to(user)
+        expect(matcher.matches?(RspecMatchersSpec::DummyPolicy)).to be_falsy
+      end
+      it 'returns true when permission is not granted' do
+        matcher = forbid(:write).on(record).to(user)
+        expect(matcher.matches?(RspecMatchersSpec::DummyPolicy)).to be_truthy
+      end
+      it 'sets error messages' do
+        matcher = forbid(:read).on(record).to(user)
+        matcher.matches?(RspecMatchersSpec::DummyPolicy)
+        expect(matcher.failure_message).to eq %q{RspecMatchersSpec::DummyPolicy does not forbid 'read' on "a record" to "a user".}
+        expect(matcher.negative_failure_message).to eq %q{RspecMatchersSpec::DummyPolicy does permit 'read' on "a record" to "a user".}
+      end
+    end
+  end
+end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: access_policy
 version: !ruby/object:Gem::Version
-  version: 0.0.3
+  version: 0.0.4
 platform: ruby
 authors:
 - Dieter Späth
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-02-11 00:00:00.000000000 Z
+date: 2014-02-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: scoped_storage
@@ -216,9 +216,9 @@ files:
 - spec/acceptance/matcher_example_spec.rb
 - spec/integration/lib/access_policy_spec.rb
 - spec/spec_helper.rb
-- spec/unit/lib/access_policy/matcher_spec.rb
 - spec/unit/lib/access_policy/policy_check_spec.rb
 - spec/unit/lib/access_policy/policy_enforcer_spec.rb
+- spec/unit/lib/access_policy/rspec_matchers_spec.rb
 homepage: ''
 licenses:
 - MIT
@@ -247,6 +247,6 @@ test_files:
 - spec/acceptance/matcher_example_spec.rb
 - spec/integration/lib/access_policy_spec.rb
 - spec/spec_helper.rb
-- spec/unit/lib/access_policy/matcher_spec.rb
 - spec/unit/lib/access_policy/policy_check_spec.rb
 - spec/unit/lib/access_policy/policy_enforcer_spec.rb
+- spec/unit/lib/access_policy/rspec_matchers_spec.rb

data/spec/unit/lib/access_policy/matcher_spec.rb DELETED Viewed

@@ -1,24 +0,0 @@
-require 'spec_helper'
-require 'access_policy/rspec_matchers'
-describe 'PolicyMatchers' do
-  context 'none policy spec' do
-    it 'has no access to permit' do
-      expect { permit }.to raise_error(NameError)
-    end
-    it 'has no access to forbid' do
-      expect { forbid }.to raise_error(NameError)
-    end
-  end
-  context 'policy spec', type: :policy do
-    it 'grands access to permit' do
-      expect { permit }.not_to raise_error
-    end
-    it 'grands access to forbid' do
-      expect { forbid }.not_to raise_error
-    end
-  end
-end