access_policy 0.0.3

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 6d6fec0043cb9fd0e0e318c74c3a123d5928373e
+  data.tar.gz: 416b4171c59eab9dd40e2235e9059cd9a9b8c914
+SHA512:
+  metadata.gz: aa415b1b7d75b12278d6c0edc38d79d2558c912a44d3486b2f3a719fa01bee235eeb80716a84a78e4aa00894614a9ac62cfcf3a72802cbcf27790a891be12780
+  data.tar.gz: 51a51cc18979bed2caf2795cdab657a3137bfb4eae275d2385b2af84c9f0a991332d175482580c49819560f976b5be03d8c04613e00b5a09854e32cb1b597727

data/.gitignore

@@ -0,0 +1,19 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+.version.conf
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+coverage

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--format Fuubar

data/.travis.yml

@@ -0,0 +1,6 @@
+language: ruby
+rvm:
+  - 2.1.0
+notifications:
+  recipients:
+    - shad0wrunner@gmx.de

data/Gemfile

@@ -0,0 +1,7 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in access_policy.gemspec
+gemspec
+
+gem 'simplecov', require:  false, group: :test
+gem 'coveralls', require: false

data/Guardfile

@@ -0,0 +1,25 @@
+# A sample Guardfile
+# More info at https://github.com/guard/guard#readme
+
+guard :rspec, all_after_pass: true ,
+              all_on_start: true do
+  
+  watch(%r{^spec/.+_spec\.rb$})
+
+  watch('lib/yaoc.rb')  { "spec" }
+
+  watch(%r{^lib/(.+)\.rb$})     { |m| "spec/unit/lib/#{m[1]}_spec.rb" }
+  watch(%r{^lib/(.+)\.rb$})     { |m| "spec/integration/lib/#{m[1]}_spec.rb" }
+
+  watch('spec/spec_helper.rb')  { "spec" }
+
+  watch(%r{^spec/support/(.+)\.rb$})                  { "spec" }
+
+end
+
+
+guard :bundler do
+  watch('Gemfile')
+  # Uncomment next line if your Gemfile contains the `gemspec' command.
+  watch(/^.+\.gemspec/)
+end

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2014 Dieter Späth
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,118 @@
+# AccessPolicy
+
+Object oriented authorization for ruby. It provides helper to
+protect method call's via Policy-Classes.
+
+Inspired by https://github.com/elabs/pundit, but without Rails
+and with a threat local storage for the current user or role.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'access_policy'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install access_policy
+
+## Usage
+
+```ruby
+
+class ToGuard
+  def method_to_guard
+
+  end
+end
+
+ToGuardPolicy = Struct.new(:current_user_or_role, :object_of_kind_to_guard) do
+
+  def method_to_guard?
+    current_user_or_role.is_allowed?
+  end
+
+end
+
+object_to_guard = ToGuard.new
+
+policy_checker = AccessPolicy::PolicyCheck.new
+
+policy_checker.current_user_or_role_for_policy = current_user
+
+policy_checker.with_user_or_role(current_user) do
+  begin
+    policy_checker.authorize(object_to_guard, 'method_to_guard')
+    object_to_guard.method_to_guard
+  rescue AccessPolicy::PolicyEnforcer::NotAuthorizedError
+   ...
+  rescue AccessPolicy::PolicyEnforcer::NotDefinedError
+   ...
+  end
+end
+
+
+```
+
+Or
+
+```ruby
+
+ class ToGuard
+   include AccessPolicy
+
+   policy_guarded_method 'method_to_guard' do
+     # do some stuff
+   end
+
+ end
+
+ ToGuardPolicy = Struct.new(:current_user_or_role, :object_of_kind_to_guard) do
+
+   def method_to_guard?
+     current_user_or_role.is_allowed?
+   end
+
+ end
+
+ object_to_guard = ToGuard.new
+
+ object_to_guard.with_user_or_role(current_user) do
+   begin
+     object_to_guard.method_to_guard
+   rescue PolicyEnforcer::NotAuthorizedError
+    ...
+   rescue PolicyEnforcer::NotDefinedError
+    ...
+   end
+ end
+
+ object_to_guard.with_user_or_role(current_user) do
+    begin
+      object_to_guard.method_to_guard
+
+      object_to_guard.with_user_or_role(current_user.as_root) do
+        object_to_guard.method_to_guard_for_root
+      end
+
+    rescue PolicyEnforcer::NotAuthorizedError
+     ...
+    rescue PolicyEnforcer::NotDefinedError
+     ...
+    end
+  end
+
+
+```
+
+## Contributing
+
+1. Fork it ( http://github.com/slowjack2k/access_policy/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,14 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new
+
+
+task :default => :spec
+task :test => :spec
+
+desc "Run RSpec with code coverage"
+task :coverage do
+  ENV['SIMPLE_COVERAGE'] = "true"
+  Rake::Task["spec"].execute
+end

data/access_policy.gemspec

@@ -0,0 +1,44 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'access_policy/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "access_policy"
+  spec.version       = AccessPolicy::VERSION
+  spec.authors       = ["Dieter Späth"]
+  spec.email         = ["shad0wrunner@gmx.de"]
+  spec.summary       = %q{Object oriented authorization for ruby.}
+  spec.description   = %q{Object oriented authorization for ruby.}
+  spec.homepage      = ""
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_runtime_dependency 'scoped_storage'
+
+  spec.add_development_dependency "bundler", "~> 1.5"
+  spec.add_development_dependency "rake"
+
+
+  spec.add_development_dependency "rspec", "2.99.0.beta1"
+  # show nicely how many specs have to be run
+  spec.add_development_dependency "fuubar"
+  # extended console
+  spec.add_development_dependency "pry"
+  spec.add_development_dependency 'pry-remote'
+
+  # automatic execute tasks on file changes
+  spec.add_development_dependency 'guard'
+  spec.add_development_dependency 'guard-rspec'
+  spec.add_development_dependency 'guard-bundler'
+  spec.add_development_dependency 'rb-fsevent'
+
+  # https://github.com/pry/pry-stack_explorer
+  spec.add_development_dependency 'pry-stack_explorer'
+  # https://github.com/nixme/pry-debugger
+  spec.add_development_dependency 'pry-debugger'
+end

data/lib/access_policy.rb

@@ -0,0 +1,50 @@
+require "access_policy/version"
+require 'scoped_storage'
+
+require 'access_policy/policy_check'
+require 'access_policy/policy_enforcer'
+
+module AccessPolicy
+
+  def self.included(base)
+    base.extend ClassMethods
+  end
+
+  def _default_error_policy
+    ->(*){raise}
+  end
+
+  def _scope_storage
+    ScopedStorage::ThreadLocalStorage
+  end
+
+  def _guard
+    @_guard ||= PolicyCheck.new(default_error_policy: _default_error_policy,
+                                scope_storage: _scope_storage
+                               )
+  end
+
+  def _authorize(query)
+    _guard.authorize self, query.to_sym
+  end
+
+  def with_user_or_role(user_or_role, error_policy =  _default_error_policy ,&block)
+    _guard.with_user_or_role(user_or_role, error_policy, &block)
+  end
+
+  module ClassMethods
+
+    def policy_guarded_method(action_name, &block)
+      unsafe_action_name = :"#{action_name}_unsafe"
+
+      define_method action_name do |*args|
+        _authorize "#{action_name}?"
+        self.send(unsafe_action_name, *args)
+      end
+
+      define_method unsafe_action_name, block
+    end
+
+  end
+
+end

data/lib/access_policy/policy_check.rb

@@ -0,0 +1,75 @@
+module AccessPolicy
+
+  class PolicyCheck
+
+    attr_accessor :default_error_policy, :scope_storage
+
+    def initialize(default_error_policy: ->(*) { raise },
+        scope_storage: ScopedStorage::ThreadLocalStorage)
+
+      self.default_error_policy = default_error_policy
+      self.scope_storage = scope_storage
+    end
+
+
+    def authorize(object_to_guard, action_to_guard, error_policy: default_error_policy)
+      PolicyEnforcer.new(current_user_or_role_for_policy, object_to_guard, action_to_guard).authorize(error_policy) do
+        self.policy_authorized=true
+      end
+    end
+
+    def policy_for(object_or_class, error_policy = default_error_policy)
+      PolicyEnforcer.new(current_user_or_role_for_policy, object_or_class).policy(error_policy)
+    end
+
+    def with_user_or_role(new_current_user_or_role_for_policy, error_policy = default_error_policy)
+      self.policy_authorized = false
+
+      switched_user_or_role(new_current_user_or_role_for_policy) do
+        begin
+          yield if block_given?
+          raise(PolicyEnforcer::NotAuthorizedError, "#{new_current_user_or_role_for_policy}") unless policy_authorized?
+        rescue => e
+          error_policy.call(e)
+        end
+      end
+    end
+
+    def current_user_or_role_for_policy=(new_user)
+      scope['current_user_or_role_for_policy'] = new_user
+    end
+
+    def current_user_or_role_for_policy
+      scope['current_user_or_role_for_policy']
+    end
+
+    def policy_authorized=(new_value)
+      scope['policy_authorized'] = new_value
+    end
+
+    def policy_authorized?
+      !!policy_authorized
+    end
+
+    protected
+
+    def policy_authorized
+      scope['policy_authorized']
+    end
+
+    def scope
+      @scope ||= ScopedStorage::Scope.new('policy_infos', scope_storage)
+    end
+
+    def switched_user_or_role(new_current_user_or_role_for_policy)
+      old_current_user_or_role = self.current_user_or_role_for_policy
+      self.current_user_or_role_for_policy = new_current_user_or_role_for_policy
+
+      yield if block_given?
+
+    ensure
+      self.current_user_or_role_for_policy = old_current_user_or_role
+    end
+
+  end
+end

data/lib/access_policy/policy_enforcer.rb

@@ -0,0 +1,65 @@
+module AccessPolicy
+  class PolicyEnforcer
+    class NotDefinedError < StandardError;
+    end
+    class NotAuthorizedError < StandardError;
+    end
+
+    attr_accessor :current_user_or_role, :object_or_class, :query, :default_error_policy
+
+    def initialize(current_user_or_role, object_or_class, query=nil, default_error_policy=->(*) { raise })
+      raise NotDefinedError, 'unable to find policy class for anonymous classes' if class_to_guard(object_or_class).name.nil? || class_to_guard(object_or_class).name.length < 1
+
+      self.current_user_or_role = current_user_or_role
+      self.object_or_class = object_or_class
+      self.query = query
+      self.default_error_policy = default_error_policy
+
+    end
+
+    def authorize(error_policy=default_error_policy)
+      raise(PolicyEnforcer::NotAuthorizedError, "not allowed to #{query} this #{object_or_class}" ) unless _guard_action()
+      yield true if block_given?
+      true
+    rescue
+      error_policy.call(object_or_class)
+    end
+
+    def policy(error_policy=default_error_policy)
+      specific_policy_for_class.new(current_user_or_role, object_or_class)
+    rescue
+      error_policy.call(object_or_class)
+    end
+
+    def query=(new_query)
+      new_query = new_query.to_s
+      @query = (new_query.end_with?('?') ? new_query : "#{new_query}?").to_sym
+    end
+
+    protected
+
+    def class_to_guard(obj_or_class=object_or_class)
+      obj_or_class.is_a?(Class) ? obj_or_class : obj_or_class.class
+    end
+
+    def default_policy_name
+      "#{class_to_guard.name}Policy"
+    end
+
+    def _guard_action
+      policy(->(*) { raise }).public_send(query)
+    rescue NoMethodError
+      raise NotDefinedError, "unable to find policy method #{query} for #{policy}"
+    end
+
+    def specific_policy_for_class
+
+      policy_class = class_to_guard.policy_class if class_to_guard.respond_to? :policy_class
+      policy_class || Object.const_get(default_policy_name, false)
+    rescue
+      raise NotDefinedError, "unable to find policy class #{default_policy_name}"
+    end
+
+
+  end
+end

data/lib/access_policy/rspec_matchers.rb

@@ -0,0 +1,81 @@
+module AccessPolicy
+  module RspecMatchers
+    extend ::RSpec::Matchers::DSL
+
+    def self.included(base)
+      base.metadata[:type] = :policy
+    end
+
+    module Common
+      def self.call(base)
+        base.instance_eval do
+          chain :to do |user|
+            @user = user
+          end
+
+          chain :on do |object_to_guard|
+            @object_to_guard = object_to_guard
+          end
+
+          define_method :permission_granted? do |policy_class, permission |
+            policy = policy_class.new(@user, @object_to_guard)
+            policy.public_send("#{permission}?")
+          end
+
+          define_method :permission_denied? do |*args|
+            ! permission_granted?(*args)
+          end
+
+          define_method :object_as_text do
+            @object_to_guard.nil? ? '' : " on #{@object_to_guard.inspect}"
+          end
+
+          define_method :user_as_text do
+            @user.nil? ? '' : " for #{@user.inspect}"
+          end
+
+        end
+      end
+
+    end
+
+    matcher :permit do |permission|
+      match do |policy_class|
+        permission_granted?(policy_class, permission)
+      end
+
+      failure_message_for_should do |policy_class|
+        "#{policy_class} does not permit #{permission} #{object_as_text}#{user_as_text}."
+      end
+
+      failure_message_for_should_not do |policy_class|
+        "#{policy_class} does not forbid #{permission}#{object_as_text}#{user_as_text}."
+      end
+
+      Common.call(self)
+
+    end
+
+    matcher :forbid do |permission|
+      match do |policy_class|
+        permission_denied?(policy_class, permission)
+      end
+
+      failure_message_for_should do |policy_class|
+        "#{policy_class} does not forbid #{permission} #{object_as_text}#{user_as_text}."
+      end
+
+      failure_message_for_should_not do |policy_class|
+        "#{policy_class} does not permit #{permission}#{object_as_text}#{user_as_text}."
+      end
+
+      Common.call(self)
+    end
+  end
+end
+
+RSpec.configure do |config|
+  config.include AccessPolicy::RspecMatchers, type: :policy, example_group: ->(example_group, metadata){
+    metadata[:type].nil? && %r{spec/policies} =~ example_group[:file_path]
+  }
+end

data/lib/access_policy/version.rb

@@ -0,0 +1,3 @@
+module AccessPolicy
+  VERSION = "0.0.3"
+end

data/spec/acceptance/matcher_example_spec.rb

@@ -0,0 +1,61 @@
+require 'spec_helper'
+require 'access_policy/rspec_matchers'
+
+module MatcherExampleSpec
+  DummyPolicy = Struct.new(:current_user, :object_to_guard) do
+    def read?
+      true
+    end
+
+    def write?
+      current_user && current_user.allowed?
+    end
+
+    def destroy?
+      write? && object_to_guard && !object_to_guard.locked?
+    end
+  end
+end
+
+describe "PolicyMatchers", type: :policy do
+  subject(:policy){
+    MatcherExampleSpec::DummyPolicy
+  }
+
+
+  context 'for a visitor' do
+    let(:visitor){nil}
+
+    it 'permits read' do
+      expect(policy).to permit(:read).to(visitor)
+    end
+
+    it 'forbids write' do
+      expect(policy).not_to permit(:write).to(visitor)
+    end
+  end
+
+  context 'for a admin' do
+    let(:admin){double('admin', allowed?: true)}
+    let(:locked_object_to_guard){double('object to guard', locked?: true)}
+    let(:unlocked_object_to_guard){double('object to guard', locked?: false)}
+
+    it 'permits read' do
+      expect(policy).to permit(:read).to(admin)
+    end
+
+    it 'permits write' do
+      expect(policy).to permit(:write).to(admin)
+    end
+
+    it 'permits destroy for unlocked objects'  do
+      expect(policy).to permit(:destroy).on(unlocked_object_to_guard).to(admin)
+    end
+
+    it 'forbids destroy for locked objects' do
+      expect(policy).to forbid(:destroy).on(locked_object_to_guard).to(admin)
+    end
+
+  end
+
+end

data/spec/integration/lib/access_policy_spec.rb

@@ -0,0 +1,76 @@
+require 'spec_helper'
+
+module AccessPolicySpec
+  DummyPolicy = Struct.new(:current_user, :object_to_guard) do
+    def call?
+      current_user && current_user.allowed?
+    end
+  end
+
+
+  class Dummy
+    include AccessPolicy
+
+    policy_guarded_method 'call' do
+      :return_value
+    end
+
+  end
+end
+
+describe AccessPolicy do
+  subject{
+    AccessPolicySpec::Dummy.new
+  }
+
+  let(:falsy_user){
+    double("user", allowed?: false)
+  }
+
+  let(:truethy_user){
+    double("user", allowed?: true)
+  }
+
+
+
+  describe '.policy_guarded_method' do
+    it 'creates a guarded method' do
+      expect(subject).to respond_to :call
+    end
+
+    it 'protects created methods' do
+      expect {
+        subject.call
+      }.to  raise_error AccessPolicy::PolicyEnforcer::NotAuthorizedError
+    end
+
+    it 'grands access to guarded methods when the user has the right' do
+      expect {
+        subject.with_user_or_role(truethy_user) do
+          subject.call
+        end
+      }.not_to  raise_error
+    end
+
+    it 'creates a not guarded method' do
+      expect(subject).to respond_to :call_unsafe
+    end
+
+    it 'does not protect unsafe methods' do
+      expect {
+        subject.call_unsafe
+      }.not_to  raise_error
+    end
+  end
+
+  describe '.with_user_or_role' do
+    it 'delegates to the policy check object' do
+      error_policy = ->(exception){}
+      current_user = double('user')
+      expect(subject._guard).to receive(:with_user_or_role).with(current_user, error_policy)
+
+      subject.with_user_or_role(current_user, error_policy)
+    end
+  end
+
+end

data/spec/spec_helper.rb

@@ -0,0 +1,42 @@
+require 'bundler/setup'
+Bundler.require(:development)
+
+require 'coveralls'
+Coveralls.wear! unless ENV["SIMPLE_COVERAGE"]
+
+begin
+  if ENV["SIMPLE_COVERAGE"]
+    require 'simplecov'
+    SimpleCov.start do
+      add_group "Lib", "lib"
+
+      add_filter "/spec/"
+    end
+  end
+rescue LoadError
+  warn "=" * 80
+  warn 'simplecov not installed. No coverage report'
+  warn "=" * 80
+end
+
+require 'access_policy'
+
+Dir[File.join(File.expand_path(__dir__ ), "support/**/*.rb")].each { |f| require f }
+
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# Require this file using `require "spec_helper"` to ensure that it is only
+# loaded once.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+RSpec.configure do |config|
+  config.treat_symbols_as_metadata_keys_with_true_values = true
+  config.run_all_when_everything_filtered = true
+  config.filter_run :focus
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = 'random'
+end

data/spec/unit/lib/access_policy/matcher_spec.rb

@@ -0,0 +1,24 @@
+require 'spec_helper'
+require 'access_policy/rspec_matchers'
+
+describe 'PolicyMatchers' do
+  context 'none policy spec' do
+    it 'has no access to permit' do
+      expect { permit }.to raise_error(NameError)
+    end
+
+    it 'has no access to forbid' do
+      expect { forbid }.to raise_error(NameError)
+    end
+  end
+
+  context 'policy spec', type: :policy do
+    it 'grands access to permit' do
+      expect { permit }.not_to raise_error
+    end
+
+    it 'grands access to forbid' do
+      expect { forbid }.not_to raise_error
+    end
+  end
+end

data/spec/unit/lib/access_policy/policy_check_spec.rb

@@ -0,0 +1,133 @@
+require 'spec_helper'
+
+module PolicyCheckSpec
+  class Dummy
+
+  end
+
+  DummyPolicy = Struct.new(:current_user, :object_to_guard) do
+    def call?
+      true
+    end
+  end
+end
+
+module AccessPolicy
+  describe PolicyCheck do
+    subject {
+      AccessPolicy::PolicyCheck.new.tap { |p|
+        p.current_user_or_role_for_policy=nil
+        p.policy_authorized = true
+      }
+
+    }
+
+    let(:current_user) {
+      "It's me"
+    }
+
+
+    describe '.policy_for' do
+
+      it 'returns a policy object for a class' do
+        expect(subject.policy_for(PolicyCheckSpec::Dummy)).to be_kind_of PolicyCheckSpec::DummyPolicy
+      end
+
+      it 'returns a policy object for a object' do
+        expect(subject.policy_for(PolicyCheckSpec::Dummy.new)).to be_kind_of PolicyCheckSpec::DummyPolicy
+      end
+
+      it 'sets the current user' do
+        subject.current_user_or_role_for_policy = current_user
+        expect(subject.policy_for(PolicyCheckSpec::Dummy.new).current_user).to be current_user
+      end
+
+      it 'uses my error handler' do
+        object_to_guard = Object.new
+        error_handler=double('error handler')
+        expect(error_handler).to receive(:call).with(object_to_guard)
+
+        subject.policy_for(object_to_guard, error_handler)
+      end
+    end
+
+    describe '.with_user_or_role' do
+      it 'sets the current user' do
+        subject.with_user_or_role(current_user) do
+          subject.policy_authorized = true
+          expect(subject.current_user_or_role_for_policy).to eq current_user
+        end
+      end
+
+      it 'sets the current user back after execution' do
+        subject.current_user_or_role_for_policy = 'other user'
+
+        subject.with_user_or_role(current_user) do
+          subject.policy_authorized = true
+        end
+
+        expect(subject.current_user_or_role_for_policy).to eq 'other user'
+      end
+
+      it 'raises PolicyEnforcer::NotAuthorizedError when authorize is not called' do
+        expect { subject.with_user_or_role(current_user) }.to raise_error PolicyEnforcer::NotAuthorizedError
+      end
+
+      it 'does not raise PolicyEnforcer::NotAuthorizedError when authorize is called' do
+        expect {
+          subject.with_user_or_role(current_user) do
+            subject.authorize(PolicyCheckSpec::Dummy.new, "call")
+          end
+        }.not_to raise_error
+      end
+
+      it 'uses an custom an error handler' do
+        error_handler=double('error handler')
+        expect(error_handler).to receive(:call).with(kind_of(StandardError))
+
+        subject.with_user_or_role(current_user, error_handler)
+      end
+
+      it 'supports nested context switches' do
+        user1 = 'user 1'
+        user2 = 'user 2'
+        user3 = 'user 3'
+
+        subject.current_user_or_role_for_policy = user1
+
+        subject.with_user_or_role(user2, ->(*){}) do
+          expect(subject.current_user_or_role_for_policy).to eq user2
+
+          subject.with_user_or_role(user3) do
+            expect(subject.current_user_or_role_for_policy).to eq user3
+          end
+
+          expect(subject.current_user_or_role_for_policy).to eq user2
+        end
+
+        expect(subject.current_user_or_role_for_policy).to eq user1
+
+      end
+
+    end
+
+    describe '.authorize' do
+      it 'returns true when the user is authorized' do
+        expect(subject.authorize(PolicyCheckSpec::Dummy.new, "call")).to be == true
+      end
+
+      it 'raises an exception when no method is defined' do
+        expect { subject.authorize(PolicyCheckSpec::Dummy.new, "call2") }.to raise_error
+      end
+
+      it 'uses a given error handler' do
+        object_to_guard = PolicyCheckSpec::Dummy.new
+        error_handler=double('error handler')
+        expect(error_handler).to receive(:call).with(object_to_guard)
+
+        subject.authorize(object_to_guard, "call2", error_policy: error_handler)
+      end
+    end
+
+  end
+end

data/spec/unit/lib/access_policy/policy_enforcer_spec.rb

@@ -0,0 +1,135 @@
+require 'spec_helper'
+
+module PolicyEnforcerSpec
+  class Dummy
+
+  end
+
+  DummyPolicy = Struct.new(:current_user, :object_to_guard) do
+    def call?
+      true
+    end
+
+    def not_allowed_call?
+      false
+    end
+  end
+
+  module A
+    class Dummy
+
+    end
+
+    DummyPolicy = Struct.new(:d_current_user, :d_object_to_guard)
+  end
+end
+
+module AccessPolicy
+  describe PolicyEnforcer do
+    subject {
+      AccessPolicy::PolicyEnforcer.new(current_user, object_to_guard, action, error_policy)
+    }
+
+    let(:current_user) {
+      double('user')
+    }
+
+    let(:object_to_guard) {
+      PolicyEnforcerSpec::Dummy.new
+    }
+
+    let(:action) {
+      "call"
+    }
+
+    let(:error_policy) {
+      ->(*) { raise }
+    }
+
+    describe '#new' do
+      it 'raises an error when class to guard has no name' do
+        expect{AccessPolicy::PolicyEnforcer.new(current_user, Class.new.new, action, error_policy)}.to raise_error
+      end
+    end
+
+
+    describe '.policy' do
+
+      it 'returns a policy object for a class' do
+        subject.object_or_class = PolicyEnforcerSpec::Dummy
+        expect(subject.policy).to be_kind_of PolicyEnforcerSpec::DummyPolicy
+      end
+
+      it 'returns a policy object for a object' do
+        expect(subject.policy).to be_kind_of PolicyEnforcerSpec::DummyPolicy
+      end
+
+      it 'sets the current user' do
+        expect(subject.policy.current_user).to be current_user
+      end
+
+      it 'uses my error handler' do
+        object_to_guard = Object.new
+        error_handler=double('error handler')
+        expect(error_handler).to receive(:call).with(object_to_guard)
+
+        subject.object_or_class = object_to_guard
+
+        subject.policy(error_handler)
+      end
+
+
+      it 'returns a policy object for a class within a module' do
+        subject.object_or_class = PolicyEnforcerSpec::A::Dummy.new
+        expect(subject.policy).to be_kind_of PolicyEnforcerSpec::A::DummyPolicy
+      end
+
+      it 'raises Policy::NotDefinedError when no policy class found' do
+        B = Object
+        subject.object_or_class = B
+        expect { subject.policy }.to raise_error PolicyEnforcer::NotDefinedError
+      end
+
+      it 'raises Policy::NotDefinedError when class.name is empty' do
+        subject.object_or_class = Class.new
+        expect { subject.policy }.to raise_error PolicyEnforcer::NotDefinedError
+      end
+    end
+
+    describe '.authorize' do
+      it 'returns true when the user is authorized' do
+        expect(subject.authorize).to be == true
+      end
+
+      it 'raises an exception when the user is not authorized' do
+        subject.query = "not_allowed_call"
+        expect{subject.authorize}.to raise_error
+      end
+
+      it 'raises an exception when no method is defined' do
+        subject.query = "call2"
+        expect { subject.authorize }.to raise_error PolicyEnforcer::NotDefinedError
+      end
+
+      it 'uses a given error handler' do
+        object_to_guard = Object.new
+        error_handler=double('error handler')
+        expect(error_handler).to receive(:call).with(object_to_guard)
+
+        subject.object_or_class = object_to_guard
+
+        subject.authorize(error_handler)
+      end
+
+      it 'yields when authorize was successful' do
+        expect { |block| subject.authorize(&block) }.to yield_with_args(true)
+      end
+
+      it 'does not yield when authorize was not successful' do
+        subject.query = "call2"
+        expect { |block| subject.authorize(->(*) {}, &block) }.not_to yield_with_args
+      end
+    end
+
+  end
+end

metadata

@@ -0,0 +1,252 @@
+--- !ruby/object:Gem::Specification
+name: access_policy
+version: !ruby/object:Gem::Version
+  version: 0.0.3
+platform: ruby
+authors:
+- Dieter Späth
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-02-11 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: scoped_storage
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 2.99.0.beta1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 2.99.0.beta1
+- !ruby/object:Gem::Dependency
+  name: fuubar
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry-remote
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: guard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: guard-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: guard-bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rb-fsevent
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry-stack_explorer
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry-debugger
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Object oriented authorization for ruby.
+email:
+- shad0wrunner@gmx.de
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- Gemfile
+- Guardfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- access_policy.gemspec
+- lib/access_policy.rb
+- lib/access_policy/policy_check.rb
+- lib/access_policy/policy_enforcer.rb
+- lib/access_policy/rspec_matchers.rb
+- lib/access_policy/version.rb
+- spec/acceptance/matcher_example_spec.rb
+- spec/integration/lib/access_policy_spec.rb
+- spec/spec_helper.rb
+- spec/unit/lib/access_policy/matcher_spec.rb
+- spec/unit/lib/access_policy/policy_check_spec.rb
+- spec/unit/lib/access_policy/policy_enforcer_spec.rb
+homepage: ''
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.1
+signing_key: 
+specification_version: 4
+summary: Object oriented authorization for ruby.
+test_files:
+- spec/acceptance/matcher_example_spec.rb
+- spec/integration/lib/access_policy_spec.rb
+- spec/spec_helper.rb
+- spec/unit/lib/access_policy/matcher_spec.rb
+- spec/unit/lib/access_policy/policy_check_spec.rb
+- spec/unit/lib/access_policy/policy_enforcer_spec.rb