RubyGems - access_policy - Versions diffs - 0.0.3 → 0.0.4 - Mend

access_policy 0.0.3 → 0.0.4

Files changed (13) hide show

checksums.yaml +4 -4
data/README.md +84 -8
data/lib/access_policy/policy_check.rb +9 -9
data/lib/access_policy/policy_enforcer.rb +5 -6
data/lib/access_policy/rspec_matchers.rb +68 -40
data/lib/access_policy/version.rb +1 -1
data/lib/access_policy.rb +9 -0
data/spec/integration/lib/access_policy_spec.rb +4 -2
data/spec/unit/lib/access_policy/policy_check_spec.rb +5 -5
data/spec/unit/lib/access_policy/policy_enforcer_spec.rb +12 -3
data/spec/unit/lib/access_policy/rspec_matchers_spec.rb +83 -0
metadata +4 -4
data/spec/unit/lib/access_policy/matcher_spec.rb +0 -24

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 6d6fec0043cb9fd0e0e318c74c3a123d5928373e
-  data.tar.gz: 416b4171c59eab9dd40e2235e9059cd9a9b8c914
+  metadata.gz: c13ac5c6dac57c9f9941984ef3a3cdfb41ea0a2e
+  data.tar.gz: 72b632f8163d91a4655bb8b9fdd4989402c76777
 SHA512:
-  metadata.gz: aa415b1b7d75b12278d6c0edc38d79d2558c912a44d3486b2f3a719fa01bee235eeb80716a84a78e4aa00894614a9ac62cfcf3a72802cbcf27790a891be12780
-  data.tar.gz: 51a51cc18979bed2caf2795cdab657a3137bfb4eae275d2385b2af84c9f0a991332d175482580c49819560f976b5be03d8c04613e00b5a09854e32cb1b597727
+  metadata.gz: 08b09203d8dfeda012749a7b6480ecbc594120cf16df57b92734f06eb8fbd5501a9429c5c836670bef0fd6a73e361b28482540c962b9a1aec6bd8986d287f029
+  data.tar.gz: 12c95f04b081718da2b910b68d89942514862d59fdc44ad240c86f30d14273c9e28be567feb6915edf769d6ee9453ec68ecf29105cb7a6e47db17248443f8e34

data/README.md CHANGED Viewed

@@ -1,4 +1,4 @@
-# AccessPolicy
+# AccessPolicy [![Code Climate](https://codeclimate.com/github/slowjack2k/access_policy.png)](https://codeclimate.com/github/slowjack2k/access_policy) [![Build Status](https://travis-ci.org/slowjack2k/access_policy.png?branch=master)](https://travis-ci.org/slowjack2k/access_policy) [![Coverage Status](https://coveralls.io/repos/slowjack2k/access_policy/badge.png?branch=master)](https://coveralls.io/r/slowjack2k/access_policy?branch=master) [![Gem Version](https://badge.fury.io/rb/access_policy.png)](http://badge.fury.io/rb/access_policy)
 Object oriented authorization for ruby. It provides helper to
 protect method call's via Policy-Classes.
@@ -32,8 +32,15 @@ end
 ToGuardPolicy = Struct.new(:current_user_or_role, :object_of_kind_to_guard) do
+  attr_accessor :error_message # optional
   def method_to_guard?
-    current_user_or_role.is_allowed?
+    if current_user_or_role.is_allowed?
+      true
+    else
+      self.error_message = "you'r not allowed to do this" # optional
+      false
+    end
   end
 end
@@ -48,9 +55,9 @@ policy_checker.with_user_or_role(current_user) do
   begin
     policy_checker.authorize(object_to_guard, 'method_to_guard')
     object_to_guard.method_to_guard
-  rescue AccessPolicy::PolicyEnforcer::NotAuthorizedError
+  rescue AccessPolicy::NotAuthorizedError
    ...
-  rescue AccessPolicy::PolicyEnforcer::NotDefinedError
+  rescue AccessPolicy::NotDefinedError
    ...
   end
 end
@@ -84,9 +91,9 @@ Or
  object_to_guard.with_user_or_role(current_user) do
    begin
      object_to_guard.method_to_guard
-   rescue PolicyEnforcer::NotAuthorizedError
+   rescue AccessPolicy::NotAuthorizedError
     ...
-   rescue PolicyEnforcer::NotDefinedError
+   rescue AccessPolicy::NotDefinedError
     ...
    end
  end
@@ -99,14 +106,83 @@ Or
         object_to_guard.method_to_guard_for_root
       end
-    rescue PolicyEnforcer::NotAuthorizedError
+    rescue AccessPolicy::NotAuthorizedError
      ...
-    rescue PolicyEnforcer::NotDefinedError
+    rescue AccessPolicy::NotDefinedError
      ...
     end
   end
+```
+Test policies with rspec:
+```ruby
+require 'spec_helper'
+require 'access_policy/rspec_matchers'
+module MatcherExampleSpec
+  DummyPolicy = Struct.new(:current_user, :object_to_guard) do
+    def read?
+      true
+    end
+    def write?
+      current_user && current_user.allowed?
+    end
+    def destroy?
+      write? && object_to_guard && !object_to_guard.locked?
+    end
+  end
+end
+describe "PolicyMatchers", type: :policy do
+  subject(:policy){
+    MatcherExampleSpec::DummyPolicy
+  }
+  context 'for a visitor' do
+    let(:visitor){nil}
+    it 'permits read' do
+      expect(policy).to permit(:read).to(visitor)
+    end
+    it 'forbids write' do
+      expect(policy).not_to permit(:write).to(visitor)
+    end
+  end
+  context 'for a admin' do
+    let(:admin){double('admin', allowed?: true)}
+    let(:locked_object_to_guard){double('object to guard', locked?: true)}
+    let(:unlocked_object_to_guard){double('object to guard', locked?: false)}
+    it 'permits read' do
+      expect(policy).to permit(:read).to(admin)
+    end
+    it 'permits write' do
+      expect(policy).to permit(:write).to(admin)
+    end
+    it 'permits destroy for unlocked objects'  do
+      expect(policy).to permit(:destroy).on(unlocked_object_to_guard).to(admin)
+    end
+    it 'forbids destroy for locked objects' do
+      expect(policy).to forbid(:destroy).on(locked_object_to_guard).to(admin)
+    end
+  end
+end
 ```
 ## Contributing

data/lib/access_policy/policy_check.rb CHANGED Viewed

@@ -14,7 +14,7 @@ module AccessPolicy
     def authorize(object_to_guard, action_to_guard, error_policy: default_error_policy)
       PolicyEnforcer.new(current_user_or_role_for_policy, object_to_guard, action_to_guard).authorize(error_policy) do
-        self.policy_authorized=true
+        self.policy_authorize_called=true
       end
     end
@@ -23,12 +23,12 @@ module AccessPolicy
     end
     def with_user_or_role(new_current_user_or_role_for_policy, error_policy = default_error_policy)
-      self.policy_authorized = false
+      self.policy_authorize_called = false
       switched_user_or_role(new_current_user_or_role_for_policy) do
         begin
           yield if block_given?
-          raise(PolicyEnforcer::NotAuthorizedError, "#{new_current_user_or_role_for_policy}") unless policy_authorized?
+          raise(AccessPolicy::AuthorizeNotCalledError, "#{new_current_user_or_role_for_policy}") unless policy_authorize_called?
         rescue => e
           error_policy.call(e)
         end
@@ -43,18 +43,18 @@ module AccessPolicy
       scope['current_user_or_role_for_policy']
     end
-    def policy_authorized=(new_value)
-      scope['policy_authorized'] = new_value
+    def policy_authorize_called=(new_value)
+      scope['policy_authorize_called'] = new_value
     end
-    def policy_authorized?
-      !!policy_authorized
+    def policy_authorize_called?
+      !!policy_authorize_called
     end
     protected
-    def policy_authorized
-      scope['policy_authorized']
+    def policy_authorize_called
+      scope['policy_authorize_called']
     end
     def scope

data/lib/access_policy/policy_enforcer.rb CHANGED Viewed

@@ -1,9 +1,5 @@
 module AccessPolicy
   class PolicyEnforcer
-    class NotDefinedError < StandardError;
-    end
-    class NotAuthorizedError < StandardError;
-    end
     attr_accessor :current_user_or_role, :object_or_class, :query, :default_error_policy
@@ -18,7 +14,10 @@ module AccessPolicy
     end
     def authorize(error_policy=default_error_policy)
-      raise(PolicyEnforcer::NotAuthorizedError, "not allowed to #{query} this #{object_or_class}" ) unless _guard_action()
+      unless _guard_action()
+        error_message = policy.respond_to?(:error_message) ? policy.error_message : "not allowed to #{query} this #{object_or_class}"
+        raise(AccessPolicy::NotAuthorizedError, error_message)
+      end
       yield true if block_given?
       true
     rescue
@@ -26,7 +25,7 @@ module AccessPolicy
     end
     def policy(error_policy=default_error_policy)
-      specific_policy_for_class.new(current_user_or_role, object_or_class)
+      @policy||= specific_policy_for_class.new(current_user_or_role, object_or_class)
     rescue
       error_policy.call(object_or_class)
     end

data/lib/access_policy/rspec_matchers.rb CHANGED Viewed

@@ -2,75 +2,103 @@ module AccessPolicy
   module RspecMatchers
     extend ::RSpec::Matchers::DSL
     def self.included(base)
       base.metadata[:type] = :policy
     end
-    module Common
-      def self.call(base)
-        base.instance_eval do
-          chain :to do |user|
-            @user = user
-          end
+    class PositivePolicyMatcher
+      attr_accessor :policy_class, :user, :object_to_guard, :permission
+      def initialize(permission)
+        self.permission = permission
+      end
+      def matches?(policy_class)
+        self.policy_class = policy_class
+        eval_match
+      end
-          chain :on do |object_to_guard|
-            @object_to_guard = object_to_guard
-          end
+      def eval_match
+        permission_granted?
+      end
-          define_method :permission_granted? do |policy_class, permission |
-            policy = policy_class.new(@user, @object_to_guard)
-            policy.public_send("#{permission}?")
-          end
+      def failure_message
+        "#{policy_class} #{failure_message_part} '#{permission}'#{object_as_text}#{user_as_text}."
+      end
-          define_method :permission_denied? do |*args|
-            ! permission_granted?(*args)
-          end
+      def negative_failure_message
+        "#{policy_class} #{negative_failure_message_part} '#{permission}'#{object_as_text}#{user_as_text}."
+      end
-          define_method :object_as_text do
-            @object_to_guard.nil? ? '' : " on #{@object_to_guard.inspect}"
-          end
-          define_method :user_as_text do
-            @user.nil? ? '' : " for #{@user.inspect}"
-          end
+      def failure_message_part
+        'does not permit'
+      end
-        end
+      def negative_failure_message_part
+        'does not forbid'
       end
-    end
+      def to(user)
+        self.user = user
+        self
+      end
+      alias_method :for, :to
+      alias_method :for_user, :to
+      alias_method :to_user, :to
-    matcher :permit do |permission|
-      match do |policy_class|
-        permission_granted?(policy_class, permission)
+      def on(object_to_guard)
+        self.object_to_guard = object_to_guard
+        self
       end
+      alias_method :with, :on
+      protected
-      failure_message_for_should do |policy_class|
-        "#{policy_class} does not permit #{permission} #{object_as_text}#{user_as_text}."
+      def permission_granted?
+        policy = policy_class.new(@user, @object_to_guard)
+        policy.public_send("#{permission}?")
       end
-      failure_message_for_should_not do |policy_class|
-        "#{policy_class} does not forbid #{permission}#{object_as_text}#{user_as_text}."
+      def object_as_text
+        self.object_to_guard.nil? ? '' : " on #{self.object_to_guard.inspect}"
       end
-      Common.call(self)
+      def  user_as_text
+        self.user.nil? ? '' : " to #{self.user.inspect}"
+      end
     end
-    matcher :forbid do |permission|
-      match do |policy_class|
-        permission_denied?(policy_class, permission)
+    class NegativePolicyMatcher < PositivePolicyMatcher
+      def eval_match
+        permission_denied?
+      end
+      def failure_message_part
+        'does not forbid'
       end
-      failure_message_for_should do |policy_class|
-        "#{policy_class} does not forbid #{permission} #{object_as_text}#{user_as_text}."
+      def negative_failure_message_part
+        'does permit'
       end
-      failure_message_for_should_not do |policy_class|
-        "#{policy_class} does not permit #{permission}#{object_as_text}#{user_as_text}."
+      protected
+      def permission_denied?
+        ! permission_granted?
       end
+    end
-      Common.call(self)
+    def permit(expected=nil)
+      PositivePolicyMatcher.new(expected)
     end
+    def forbid(expected=nil)
+      NegativePolicyMatcher.new(expected)
+    end
   end
 end

data/lib/access_policy/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module AccessPolicy
-  VERSION = "0.0.3"
+  VERSION = "0.0.4"
 end

data/lib/access_policy.rb CHANGED Viewed

@@ -6,6 +6,15 @@ require 'access_policy/policy_enforcer'
 module AccessPolicy
+  class NotDefinedError < StandardError
+  end
+  class NotAuthorizedError < StandardError
+  end
+  class AuthorizeNotCalledError < StandardError
+  end
   def self.included(base)
     base.extend ClassMethods
   end

data/spec/integration/lib/access_policy_spec.rb CHANGED Viewed

@@ -40,8 +40,10 @@ describe AccessPolicy do
     it 'protects created methods' do
       expect {
-        subject.call
-      }.to  raise_error AccessPolicy::PolicyEnforcer::NotAuthorizedError
+        subject.with_user_or_role(falsy_user) do
+          subject.call
+        end
+      }.to  raise_error AccessPolicy::NotAuthorizedError
     end
     it 'grands access to guarded methods when the user has the right' do

data/spec/unit/lib/access_policy/policy_check_spec.rb CHANGED Viewed

@@ -17,7 +17,7 @@ module AccessPolicy
     subject {
       AccessPolicy::PolicyCheck.new.tap { |p|
         p.current_user_or_role_for_policy=nil
-        p.policy_authorized = true
+        p.policy_authorize_called = true
       }
     }
@@ -54,7 +54,7 @@ module AccessPolicy
     describe '.with_user_or_role' do
       it 'sets the current user' do
         subject.with_user_or_role(current_user) do
-          subject.policy_authorized = true
+          subject.policy_authorize_called = true
           expect(subject.current_user_or_role_for_policy).to eq current_user
         end
       end
@@ -63,14 +63,14 @@ module AccessPolicy
         subject.current_user_or_role_for_policy = 'other user'
         subject.with_user_or_role(current_user) do
-          subject.policy_authorized = true
+          subject.policy_authorize_called = true
         end
         expect(subject.current_user_or_role_for_policy).to eq 'other user'
       end
-      it 'raises PolicyEnforcer::NotAuthorizedError when authorize is not called' do
-        expect { subject.with_user_or_role(current_user) }.to raise_error PolicyEnforcer::NotAuthorizedError
+      it 'raises PolicyEnforcer::AuthorizeNotCalledError when authorize is not called' do
+        expect { subject.with_user_or_role(current_user) }.to raise_error AccessPolicy::AuthorizeNotCalledError
       end
       it 'does not raise PolicyEnforcer::NotAuthorizedError when authorize is called' do

data/spec/unit/lib/access_policy/policy_enforcer_spec.rb CHANGED Viewed

@@ -13,6 +13,10 @@ module PolicyEnforcerSpec
     def not_allowed_call?
       false
     end
+    def error_message
+      "some thing went wrong"
+    end
   end
   module A
@@ -87,12 +91,12 @@ module AccessPolicy
       it 'raises Policy::NotDefinedError when no policy class found' do
         B = Object
         subject.object_or_class = B
-        expect { subject.policy }.to raise_error PolicyEnforcer::NotDefinedError
+        expect { subject.policy }.to raise_error AccessPolicy::NotDefinedError
       end
       it 'raises Policy::NotDefinedError when class.name is empty' do
         subject.object_or_class = Class.new
-        expect { subject.policy }.to raise_error PolicyEnforcer::NotDefinedError
+        expect { subject.policy }.to raise_error AccessPolicy::NotDefinedError
       end
     end
@@ -106,9 +110,14 @@ module AccessPolicy
         expect{subject.authorize}.to raise_error
       end
+      it 'sets custom error messages on the error' do
+        subject.query = "not_allowed_call"
+        expect{subject.authorize}.to raise_error(AccessPolicy::NotAuthorizedError, "some thing went wrong")
+      end
       it 'raises an exception when no method is defined' do
         subject.query = "call2"
-        expect { subject.authorize }.to raise_error PolicyEnforcer::NotDefinedError
+        expect { subject.authorize }.to raise_error AccessPolicy::NotDefinedError
       end
       it 'uses a given error handler' do

data/spec/unit/lib/access_policy/rspec_matchers_spec.rb ADDED Viewed

@@ -0,0 +1,83 @@
+require 'spec_helper'
+require 'access_policy/rspec_matchers'
+module RspecMatchersSpec
+  DummyPolicy = Struct.new(:current_user, :object_to_guard) do
+    def read?
+      true
+    end
+    def write?
+      false
+    end
+  end
+end
+describe 'PolicyMatchers' do
+  context 'none policy spec' do
+    it 'has no access to permit' do
+      expect { permit }.to raise_error(NameError)
+    end
+    it 'has no access to forbid' do
+      expect { forbid }.to raise_error(NameError)
+    end
+  end
+  context 'policy spec', type: :policy do
+    it 'grands access to permit' do
+      expect { permit }.not_to raise_error
+    end
+    it 'grands access to forbid' do
+      expect { forbid }.not_to raise_error
+    end
+    context 'permit' do
+      let(:record){'a record'}
+      let(:user){'a user'}
+      it 'returns true when permission in granted' do
+        matcher = permit(:read).on(record).to(user)
+        expect(matcher.matches?(RspecMatchersSpec::DummyPolicy)).to be_truthy
+      end
+      it 'sets error messages' do
+        matcher = permit(:read).on(record).to(user)
+        matcher.matches?(RspecMatchersSpec::DummyPolicy)
+        expect(matcher.failure_message).to eq %q{RspecMatchersSpec::DummyPolicy does not permit 'read' on "a record" to "a user".}
+        expect(matcher.negative_failure_message).to eq %q{RspecMatchersSpec::DummyPolicy does not forbid 'read' on "a record" to "a user".}
+      end
+      it 'returns false when permission is not granted' do
+        matcher = permit(:write).on(record).to(user)
+        expect(matcher.matches?(RspecMatchersSpec::DummyPolicy)).to be_falsy
+      end
+    end
+    context 'forbid' do
+      let(:record){'a record'}
+      let(:user){'a user'}
+      it 'returns false when permission in granted' do
+        matcher = forbid(:read).on(record).to(user)
+        expect(matcher.matches?(RspecMatchersSpec::DummyPolicy)).to be_falsy
+      end
+      it 'returns true when permission is not granted' do
+        matcher = forbid(:write).on(record).to(user)
+        expect(matcher.matches?(RspecMatchersSpec::DummyPolicy)).to be_truthy
+      end
+      it 'sets error messages' do
+        matcher = forbid(:read).on(record).to(user)
+        matcher.matches?(RspecMatchersSpec::DummyPolicy)
+        expect(matcher.failure_message).to eq %q{RspecMatchersSpec::DummyPolicy does not forbid 'read' on "a record" to "a user".}
+        expect(matcher.negative_failure_message).to eq %q{RspecMatchersSpec::DummyPolicy does permit 'read' on "a record" to "a user".}
+      end
+    end
+  end
+end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: access_policy
 version: !ruby/object:Gem::Version
-  version: 0.0.3
+  version: 0.0.4
 platform: ruby
 authors:
 - Dieter Späth
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-02-11 00:00:00.000000000 Z
+date: 2014-02-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: scoped_storage
@@ -216,9 +216,9 @@ files:
 - spec/acceptance/matcher_example_spec.rb
 - spec/integration/lib/access_policy_spec.rb
 - spec/spec_helper.rb
-- spec/unit/lib/access_policy/matcher_spec.rb
 - spec/unit/lib/access_policy/policy_check_spec.rb
 - spec/unit/lib/access_policy/policy_enforcer_spec.rb
+- spec/unit/lib/access_policy/rspec_matchers_spec.rb
 homepage: ''
 licenses:
 - MIT
@@ -247,6 +247,6 @@ test_files:
 - spec/acceptance/matcher_example_spec.rb
 - spec/integration/lib/access_policy_spec.rb
 - spec/spec_helper.rb
-- spec/unit/lib/access_policy/matcher_spec.rb
 - spec/unit/lib/access_policy/policy_check_spec.rb
 - spec/unit/lib/access_policy/policy_enforcer_spec.rb
+- spec/unit/lib/access_policy/rspec_matchers_spec.rb

data/spec/unit/lib/access_policy/matcher_spec.rb DELETED Viewed

@@ -1,24 +0,0 @@
-require 'spec_helper'
-require 'access_policy/rspec_matchers'
-describe 'PolicyMatchers' do
-  context 'none policy spec' do
-    it 'has no access to permit' do
-      expect { permit }.to raise_error(NameError)
-    end
-    it 'has no access to forbid' do
-      expect { forbid }.to raise_error(NameError)
-    end
-  end
-  context 'policy spec', type: :policy do
-    it 'grands access to permit' do
-      expect { permit }.not_to raise_error
-    end
-    it 'grands access to forbid' do
-      expect { forbid }.not_to raise_error
-    end
-  end
-end