accessly 0.0.1

data/lib/accessly/models/permitted_action_on_object.rb

@@ -0,0 +1,8 @@
+require "active_record"
+
+module Accessly
+  class PermittedActionOnObject < ActiveRecord::Base
+    belongs_to :actor, polymorphic: true
+    belongs_to :object, polymorphic: true
+  end
+end

data/lib/accessly/permission/grant.rb

@@ -0,0 +1,95 @@
+module Accessly
+  module Permission
+    class Grant < Accessly::Base
+
+      # Create an instance of Accessly::Permission::Grant
+      # Pass in an ActiveRecord::Base for actor
+      #
+      # @param actor [ActiveRecord::Base] The actor to grant permission
+      def initialize(actor)
+        super(actor)
+        @actor = case actor
+        when ActiveRecord::Base
+          actor
+        else
+          raise Accessly::GrantError.new("Actor is not an ActiveRecord::Base object")
+        end
+      end
+
+      # Grant a permission to an actor.
+      # @return [nil]
+      # @overload grant!(action_id, object_type)
+      #   Allow permission on a general action in the given namespace represented by object_type.
+      #   A grant is universally unique and is enforced at the database level.
+      #
+      #   @param action_id [Integer] The action to grant for the object
+      #   @param object_type [String] The namespace of the given action_id.
+      #   @raise [Accessly::GrantError] if the operation does not succeed
+      #   @return [nil] Returns nil if successful
+      #
+      #   @example
+      #     # Allow the user access to posts for action id 3
+      #     Accessly::Permission::Grant.new(user).grant!(3, "posts")
+      #   @example
+      #     # Allow the user access to posts for action id 3 on a segment
+      #     Accessly::Permission::Grant.new(user).on_segment(1).grant!(3, "posts")
+      #
+      # @overload grant!(action_id, object_type, object_id)
+      #   Allow permission on an ActiveRecord object.
+      #   A grant is universally unique and is enforced at the database level.
+      #
+      #   @param action_id [Integer] The action to grant for the object
+      #   @param object_type [ActiveRecord::Base] The ActiveRecord model that receives a permission grant.
+      #   @param object_id [Integer] The id of the ActiveRecord object which receives a permission grant
+      #   @raise [Accessly::GrantError] if the operation does not succeed
+      #   @return [nil] Returns nil if successful
+      #
+      #   @example
+      #     # Allow the user access to Post 7 for action id 3
+      #     Accessly::Permission::Grant.new(user).grant!(3, Post, 7)
+      #   @example
+      #     # Allow the user access to Post 7 for action id 3 on a segment
+      #     Accessly::Permission::Grant.new(user).on_segment(1).grant!(3, Post, 7)
+      def grant!(action_id, object_type, object_id = nil)
+        if object_id.nil?
+          general_action_grant(action_id, object_type)
+        else
+          object_action_grant(action_id, object_type, object_id)
+        end
+      end
+
+      private
+
+      def general_action_grant(action_id, object_type)
+        Accessly::PermittedAction.create!(
+          id: SecureRandom.uuid,
+          segment_id: @segment_id,
+          actor: @actor,
+          action: action_id,
+          object_type: String(object_type)
+        )
+        nil
+      rescue ActiveRecord::RecordNotUnique
+        nil
+      rescue => e
+        raise Accessly::GrantError.new("Could not grant action #{action_id} on object #{object_type} for actor #{@actor} because #{e}")
+      end
+
+      def object_action_grant(action_id, object_type, object_id)
+        Accessly::PermittedActionOnObject.create!(
+          id: SecureRandom.uuid,
+          segment_id: @segment_id,
+          actor: @actor,
+          action: action_id,
+          object_type: String(object_type),
+          object_id: object_id
+        )
+        nil
+      rescue ActiveRecord::RecordNotUnique
+        nil
+      rescue => e
+        raise Accessly::GrantError.new("Could not grant action #{action_id} on object #{object_type} with id #{object_id} for actor #{@actor} because #{e}")
+      end
+    end
+  end
+end

data/lib/accessly/permission/revoke.rb

@@ -0,0 +1,87 @@
+module Accessly
+  module Permission
+    class Revoke < Accessly::Base
+
+      # Create an instance of Accessly::Permission::Revoke
+      # Pass in an ActiveRecord::Base for actor
+      #
+      # @param actor [ActiveRecord::Base] The actor to revoke permission
+      def initialize(actor)
+        super(actor)
+        @actor = case actor
+        when ActiveRecord::Base
+          actor
+        else
+          raise Accessly::RevokeError.new("Actor is not an ActiveRecord::Base object")
+        end
+      end
+
+      # Revoke a permission for an actor.
+      # @return [nil]
+      # @overload revoke!(action_id, object_type)
+      #   Revoke permission on a general action in the given namespace represented by object_type.
+      #
+      #   @param action_id [Integer] The action to revoke
+      #   @param object_type [String] The namespace of the given action_id.
+      #   @raise [Accessly::RevokeError] if the operation does not succeed
+      #   @return [nil] Returns nil if successful
+      #
+      #   @example
+      #     # Remove user access to posts for action id 3
+      #     Accessly::Permission::Revoke.new(user).revoke!(3, Post)
+      #   @example
+      #     # Remove user access to posts for action id 3 on a segment
+      #     Accessly::Permission::Revoke.new(user).on_segment(1).revoke!(3, Post)
+      #
+      # @overload revoke!(action_id, object_type, object_id)
+      #   Revoke permission on an ActiveRecord object.
+      #
+      #   @param action_id [Integer] The action to revoke
+      #   @param object_type [ActiveRecord::Base] The ActiveRecord model that removes a permission.
+      #   @param object_id [Integer] The id of the ActiveRecord object that removes a permission
+      #   @raise [Accessly::RevokeError] if the operation does not succeed
+      #   @return [nil] Returns nil if successful
+      #
+      #   @example
+      #     # Remove user access to Post 7 for action id 3
+      #     Accessly::Permission::Revoke.new(user).revoke!(3, Post, 7)
+      #   @example
+      #     # Remove user access to Post 7 for action id 3 on a segment
+      #     Accessly::Permission::Revoke.new(user).on_segment(1).revoke!(3, Post, 7)
+      def revoke!(action_id, object_type, object_id = nil)
+        if object_id.nil?
+          general_action_revoke(action_id, object_type)
+        else
+          object_action_revoke(action_id, object_type, object_id)
+        end
+      end
+
+      private
+
+      def general_action_revoke(action_id, object_type)
+        Accessly::PermittedAction.where(
+          segment_id: @segment_id,
+          actor: @actor,
+          action: action_id,
+          object_type: String(object_type)
+        ).delete_all
+        nil
+      rescue => e
+        raise Accessly::RevokeError.new("Could not revoke action #{action_id} on object #{object_type} for actor #{@actor} because #{e}")
+      end
+
+      def object_action_revoke(action_id, object_type, object_id)
+        Accessly::PermittedActionOnObject.where(
+          segment_id: @segment_id,
+          actor: @actor,
+          action: action_id,
+          object_type: String(object_type),
+          object_id: object_id
+        ).delete_all
+        nil
+      rescue => e
+        raise Accessly::RevokeError.new("Could not revoke #{action_id} on object #{object_type} with id #{object_id} for actor #{@actor} because #{e}")
+      end
+    end
+  end
+end

data/lib/accessly/permitted_actions/base.rb

@@ -0,0 +1,40 @@
+require "accessly/query_builder"
+
+module Accessly
+  module PermittedActions
+    class Base
+
+      def initialize(actors, segment_id)
+        @actors = actors
+        @segment_id = segment_id
+      end
+
+      protected
+
+      def past_lookups
+        @_past_lookups ||= {}
+      end
+
+      def find_or_set_value(*keys, &query)
+        found_value = past_lookups.dig(*keys)
+
+        if found_value.nil?
+          found_value = query.call
+          set_value(*keys, value: found_value)
+        end
+
+        found_value
+      end
+
+      def set_value(*keys, value:)
+        lookup = past_lookups
+        keys[0..-2].each do |key|
+          lookup[key] ||= {}
+          lookup = lookup[key]
+        end
+
+        lookup[keys[-1]] = value
+      end
+    end
+  end
+end

data/lib/accessly/permitted_actions/on_object_query.rb

@@ -0,0 +1,65 @@
+module Accessly
+  module PermittedActions
+    class OnObjectQuery < Base
+
+      def initialize(actors, segment_id)
+        super(actors, segment_id)
+      end
+      # Ask whether the actor has permission to perform action_id
+      # on a given record.
+      #
+      # Lookups are cached in the object to prevent redundant database calls.
+      #
+      # @param action_id [Integer, Array<Integer>] The action or actions we're checking whether the actor has. If this is an array, then the check is ORed.
+      # @param object_type [ActiveRecord::Base] The ActiveRecord model which we're checking for permission on.
+      # @param object_id [Integer] The id of the ActiveRecord object which we're checking for permission on.
+      # @return [Boolean] Returns true if actor has been granted the permission on the specified record, false otherwise.
+      #
+      # @example
+      #   # Can the user perform the action with id 5 for the Post with id 7?
+      #   Accessly::Query.new(user).can?(5, Post, 7)
+      # @example
+      #   # Can the user perform the action with id 5 for the Post with id 7 on segment 1?
+      #   Accessly::Query.new(user).on_segment(1).can?(5, Post, 7)
+      def can?(action_id, object_type, object_id)
+        find_or_set_value(action_id, object_type, object_id) do
+          Accessly::QueryBuilder.with_actors(Accessly::PermittedActionOnObject, @actors)
+            .where(
+              segment_id: @segment_id,
+              action: action_id,
+              object_type: String(object_type),
+              object_id: object_id
+            ).exists?
+        end
+      end
+
+      # Returns an ActiveRecord::Relation of ids in the namespace for
+      # which the actor has permission to perform action_id.
+      #
+      # @param action_id [Integer] The action we're checking on the actor in the namespace.
+      # @param namespace [String] The namespace to check actor permissions.
+      # @return [ActiveRecord::Relation]
+      #
+      # @example
+      #   # Give me the list of Post ids on which the user has permission to perform action_id 3
+      #   Accessly::Query.new(user).list(3, Post)
+      # @example
+      #   # Give me the list of Post ids on which the user has permission to perform action_id 3 on segment 1
+      #   Accessly::Query.new(user).on_segment(1).list(3, Post)
+      # @example
+      #   # Give me the list of Post ids on which the user and its groups has permission to perform action_id 3
+      #   Accessly::Query.new(User => user.id, Group => [1,2]).list(3, Post)
+      # @example
+      #   # Give me the list of Post ids on which the user and its groups has permission to perform action_id 3 on segment 1
+      #   Accessly::Query.new(User => user.id, Group => [1,2]).on_segment(1).list(3, Post)
+      def list(action_id, namespace)
+        Accessly::QueryBuilder.with_actors(Accessly::PermittedActionOnObject, @actors)
+          .where(
+            segment_id: @segment_id,
+            action: Integer(action_id),
+            object_type: String(namespace),
+          ).select(:object_id)
+      end
+    end
+  end
+end

data/lib/accessly/permitted_actions/query.rb

@@ -0,0 +1,42 @@
+require "accessly/permitted_actions/base"
+
+module Accessly
+  module PermittedActions
+    class Query < Base
+
+      def initialize(actors, segment_id)
+        super(actors, segment_id)
+      end
+
+      # Ask whether the actor has permission to perform action_id
+      # in the given namespace. Multiple actions can have the same id
+      # as long as their namespace is different. The namespace can be
+      # any String. We recommend using namespace to group a class of
+      # permissions, such as to group parts of a particular feature
+      # in your application.
+      #
+      # Lookups are cached in the object to prevent redundant database calls.
+      #
+      # @param action_id [Integer, Array<Integer>] The action or actions we're checking whether the actor has. If this is an array, then the check is ORed.
+      # @param object_type [String] The namespace of the given action_id.
+      # @return [Boolean] Returns true if actor has been granted the permission, false otherwise.
+      #
+      # @example
+      #   # Can the user perform the action with id 3 for posts?
+      #   Accessly::Query.new(user).can?(3, Post)
+      # @example
+      #   # Can the user perform the action with id 3 for posts on segment 1?
+      #   Accessly::Query.new(user).on_segment(1).can?(3, Post)
+      def can?(action_id, object_type)
+        find_or_set_value(action_id, object_type) do
+          Accessly::QueryBuilder.with_actors(Accessly::PermittedAction, @actors)
+            .where(
+              segment_id: @segment_id,
+              action: action_id,
+              object_type: String(object_type),
+            ).exists?
+        end
+      end
+    end
+  end
+end

data/lib/accessly/policy/base.rb

@@ -0,0 +1,269 @@
+module Accessly
+  module Policy
+    class Base
+
+      attr_reader :actor
+
+      def initialize(actor)
+        @actor = actor
+      end
+
+      def self.actions(actions)
+        _actions.merge!(actions)
+        actions.each do |action, action_id|
+          _define_action_methods(action, action_id)
+        end
+      end
+
+      def self.actions_on_objects(actions_on_objects)
+        _actions_on_objects.merge!(actions_on_objects)
+        actions_on_objects.each do |action, action_id|
+          _define_action_methods(action, action_id)
+        end
+      end
+
+      def self.namespace
+        String(self)
+      end
+
+      def namespace
+        self.class.namespace
+      end
+
+      def self.model_scope
+        raise ArgumentError.new("#model_scope is not defined on #{self.name}.")
+      end
+
+      def model_scope
+        self.class.model_scope
+      end
+
+      def unrestricted?
+        false
+      end
+
+      def segment_id
+        nil
+      end
+
+      def grant(action, object = nil)
+        object_id = _get_object_id(object)
+
+        action_id = if object_id.nil?
+          _get_general_action_id!(action)
+        else
+          _get_action_on_object_id!(action)
+        end
+
+        grant_object.grant!(action_id, namespace, object_id)
+      end
+
+      def revoke(action, object = nil)
+        object_id = _get_object_id(object)
+
+        action_id = if object_id.nil?
+          _get_general_action_id!(action)
+        else
+          _get_action_on_object_id!(action)
+        end
+
+        revoke_object.revoke!(action_id, namespace, object_id)
+      end
+
+      def accessly_query
+        @_accessly_query ||= begin
+          query = Accessly::Query.new(actor)
+          query.on_segment(segment_id) unless segment_id.nil?
+          query
+        end
+      end
+
+      def grant_object
+        grant_object = Accessly::Permission::Grant.new(actor)
+        grant_object.on_segment(segment_id) unless segment_id.nil?
+
+        grant_object
+      end
+
+      def revoke_object
+        revoke_object = Accessly::Permission::Revoke.new(actor)
+        revoke_object.on_segment(segment_id) unless segment_id.nil?
+
+        revoke_object
+      end
+
+      private
+
+      # Determines whether the caller is trying to call an action method
+      # in the format `action_name?`. If so, this calls that method with
+      # the given arguments.
+      def method_missing(method_name, *args)
+        action_method_name = _resolve_action_method_name(method_name)
+        if action_method_name.nil?
+          super
+        else
+          send(action_method_name, *args)
+        end
+      end
+
+      # Parses an action name from a given method name of the format
+      # `action_name?` or `action_name and returns the action method
+      # or the list method name. If the method name does not follow
+      # one of those formats, this assumes the caller is not calling
+      # an action or list method and returns nil.
+      def _resolve_action_method_name(method_name)
+        action_method_match = /\A(\w+)(\??)\z/.match(method_name)
+
+        return nil if action_method_match.nil? || action_method_match[1].nil?
+
+        action_name = action_method_match[1].to_sym
+        is_predicate = action_method_match[2] == "?"
+
+        if !_action_defined?(action_name)
+          nil
+        elsif is_predicate
+          _action_method_name(action_name)
+        else
+          _action_list_method_name(action_name)
+        end
+      end
+
+      # The implementation for action methods follow the naming format
+      # `_resolve_action_name`. This is to allow child Policies to override
+      # the action method and still be able to call `super` when they
+      # need to call the base implementation of the action method.
+      def self._action_method_name(action_name)
+        "_resolve_#{action_name}"
+      end
+
+      def _action_method_name(action_name)
+        self.class._action_method_name(action_name)
+      end
+
+      # The implementation for list methods follow the naming format
+      # `_list_action_name`. This is to allow child Policies to override
+      # the list method and still be able to call `super` when they
+      # need to call the base implementation of the lsit method.
+      def self._action_list_method_name(action_name)
+        "_list_#{action_name}"
+      end
+
+      def _action_list_method_name(action_name)
+        self.class._action_list_method_name(action_name)
+      end
+
+      # Defines the action method on the Policy class for the given
+      # action name.
+      def self._define_action_methods(action, action_id)
+        unless method_defined?(_action_method_name(action))
+          define_method(_action_method_name(action)) do |*args|
+            _can_do_action?(action, action_id, args.first)
+          end
+        end
+
+        unless method_defined?(_action_list_method_name(action))
+          define_method(_action_list_method_name(action)) do |*args|
+            _list_for_action(action, action_id)
+          end
+        end
+      end
+
+      # Determines whether the caller is calling an object action
+      # method or a non-object action method and calls the appropriate
+      # implementation.
+      def _can_do_action?(action, action_id, object)
+        if object.nil?
+          _can_do_action_without_object?(action, action_id)
+        else
+          _can_do_action_with_object?(action, action_id, object)
+        end
+      end
+
+      # Determines whether the actor has permission to do the action
+      # outside of an object context. If the actor should have unrestricted
+      # access, then this returns true without checking.
+      #
+      # @return [Boolean]
+      def _can_do_action_without_object?(action, action_id)
+        if _actions[action].nil?
+          _invalid_general_action!(action)
+        elsif unrestricted?
+          true
+        else
+          accessly_query.can?(action_id, namespace)
+        end
+      end
+
+      # Determines whether the actor has permission to do the action
+      # on an object. If the actor should have unrestricted access,
+      # then this returns true without checking.
+      #
+      # @return [Boolean]
+      def _can_do_action_with_object?(action, action_id, object)
+        object_id = _get_object_id(object)
+
+        if _actions_on_objects[action].nil?
+          _invalid_action_on_object!(action)
+        elsif unrestricted?
+          true
+        else
+          accessly_query.can?(action_id, namespace, object_id)
+        end
+      end
+
+      def _list_for_action(action, action_id)
+        if _actions_on_objects[action].nil?
+          _invalid_action_on_object!(action)
+        elsif unrestricted?
+          model_scope
+        else
+          model_scope.where(id: accessly_query.list(action_id, namespace))
+        end
+      end
+
+      def _get_general_action_id!(action)
+        _actions[action] || _invalid_general_action!(action)
+      end
+
+      def _get_action_on_object_id!(action)
+        _actions_on_objects[action] || _invalid_action_on_object!(action)
+      end
+
+      def _invalid_general_action!(action)
+        raise ArgumentError.new("#{action} is not defined as a general action for #{self.class.name}")
+      end
+
+      def _invalid_action_on_object!(action)
+        raise ArgumentError.new("#{action} is not defined as an action-on-object for #{self.class.name}")
+      end
+
+      def _get_object_id(object)
+        object.respond_to?(:id) ? object.id : object
+      end
+
+      def self._action_defined?(action_name)
+        _actions.include?(action_name) || _actions_on_objects.include?(action_name)
+      end
+
+      def _action_defined?(action_name)
+        self.class._action_defined?(action_name)
+      end
+
+      def self._actions
+        @@_actions ||= {}
+      end
+
+      def _actions
+        self.class._actions
+      end
+
+      def self._actions_on_objects
+        @@_actions_on_objects ||= {}
+      end
+
+      def _actions_on_objects
+        self.class._actions_on_objects
+      end
+    end
+  end
+end