action_policy 0.3.0 → 0.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ad9e103ab1e208d993b595bf24954cdce732d88b0b0a098575c4fa29bd1e51fc
-  data.tar.gz: 1e2d3ed392136834dab5cee6626a6c1f2b2c1baf7898453c20d4b8ba37768bd7
+  metadata.gz: e593d4567bab1e7fec960db2d67d7d659d4b4df92159741b7db715b35b75c790
+  data.tar.gz: efdc9d9815936a6dcbb0e94b0098050bc30fddae20a3d06f35bf03b91787d500
 SHA512:
-  metadata.gz: ac86e5d6437375cdfa33446633bffb66bf3cc8be82723991553945e95ae68805f38acff048540c82d537733c1eb4b1f77f0a2a2b626a1fcedf5eccd544e12f43
-  data.tar.gz: 4be9d2ea33273e3475f44c16163e87484db3d3ed95e36482a047198a217835d7d5918ffb3b3d35045121bec7381a48bae64a5581f0713240d4bb48d3ffd10876
+  metadata.gz: c58c58e14c25f4daadc890ab67de43781f33f28485811b05458568b9003b9037911fbaade9332dca0b458dec811138df87fa094564574cd55fae948a09379be8
+  data.tar.gz: 12db66ef181fa94ec6ac2c48feeb7fe49d12a3b66a9a554c925594b9b622ec3cec94412e48db13406d71733d0ae001f7dece5fedfe56ca11216f6e027754765f

data/.github/FUNDING.yml

@@ -0,0 +1 @@
+tidelift: "rubygems/action_policy"

data/.rubocop.yml

@@ -13,7 +13,7 @@ AllCops:
     - 'vendor/**/*'
     - 'gemfiles/**/*'
   DisplayCopNames: true
-  TargetRubyVersion: 2.4s
+  TargetRubyVersion: 2.4
 
 Standard/SemanticBlocks:
   Enabled: false

data/.tidelift.yml

@@ -0,0 +1,6 @@
+ci:
+  type:
+    development:
+      tests:
+        unlicensed: skip
+        outdated: skip

data/CHANGELOG.md

@@ -1,5 +1,11 @@
 ## master
 
+## 0.3.1 (2019-05-30)
+
+- Fixed bug with missing implicit target and hash like scoping data. ([@palkan][])
+
+  Fixes [#70](https://github.com/palkan/action_policy/issues/70).
+
 ## 0.3.0 (2019-04-02)
 
 - Added ActiveSupport-based instrumentation. ([@palkan][])

data/README.md

@@ -13,9 +13,15 @@ Action Policy is an authorization framework for Ruby and Rails applications.
 
 ## Resources
 
+- Seattle.rb, 2019 "A Denial!" talk [[slides](https://speakerdeck.com/palkan/seattle-dot-rb-2019-a-denial)]
+
 - RailsConf, 2018 "Access Denied" talk [[video](https://www.youtube.com/watch?v=NVwx0DARDis), [slides](https://speakerdeck.com/palkan/railsconf-2018-access-denied-the-missing-guide-to-authorization-in-rails)]
 
 
+## Integrations
+
+- GraphQL Ruby ([`action_policy-graphql`](https://github.com/palkan/action_policy-graphql))
+
 ## Installation
 
 Add this line to your application's `Gemfile`:
@@ -107,3 +113,8 @@ Bug reports and pull requests are welcome on GitHub at https://github.com/palkan
 The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
 
 [Documentation]: http://actionpolicy.evilmartians.io
+
+## Security Contact
+
+To report a security vulnerability, please use the [Tidelift security contact](https://tidelift.com/security). Tidelift will coordinate the fix and disclosure.
+

data/Rakefile

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require "bundler/gem_tasks"
 require "rake/testtask"
 require "rubocop/rake_task"
 require "rspec/core/rake_task"

data/action_policy.gemspec

@@ -19,6 +19,14 @@ Gem::Specification.new do |spec|
     f.match(%r{^(test|spec|features)/})
   end
 
+  spec.metadata = {
+    "bug_tracker_uri" => "http://github.com/palkan/action_policy/issues",
+    "changelog_uri" => "https://github.com/palkan/action_policy/blob/master/CHANGELOG.md",
+    "documentation_uri" => "https://actionpolicy.evilmartians.io/",
+    "homepage_uri" => "https://actionpolicy.evilmartians.io/",
+    "source_code_uri" => "http://github.com/palkan/action_policy"
+  }
+
   spec.require_paths = ["lib"]
 
   spec.required_ruby_version = ">= 2.4.0"
@@ -27,9 +35,9 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "minitest", "~> 5.0"
   spec.add_development_dependency "rake", "~> 10.0"
   spec.add_development_dependency "rspec", "~> 3.3"
-  spec.add_development_dependency "rubocop", "~> 0.65.0"
+  spec.add_development_dependency "rubocop", "~> 0.67.0"
   spec.add_development_dependency "rubocop-md", "~> 0.2"
-  spec.add_development_dependency "standard", "~> 0.0.36"
+  spec.add_development_dependency "standard", "~> 0.0.39"
   spec.add_development_dependency "benchmark-ips", "~> 2.7.0"
   spec.add_development_dependency "i18n"
 end

data/docs/README.md

@@ -22,7 +22,7 @@ Action Policy provides flexible tools to build an _authorization layer_ for your
 
 ## Project State
 
-The project is in active development phase. Check out our [development board](https://github.com/palkan/action_policy/projects/1) to see what's coming next.
+The project is being used in production since mid 2018. Major features have been implemented, API has been stabilized. Check out our [development board](https://github.com/palkan/action_policy/projects/1) to see what's coming next.
 
 ## History
 
@@ -58,6 +58,8 @@ Learn more about the motivation behind the Action Policy and its features by wat
 
 ## Resources
 
+- Seattle.rb, 2019 "A Denial!" talk [[slides](https://speakerdeck.com/palkan/seattle-dot-rb-2019-a-denial)]
+
 - RailsConf, 2018 "Access Denied" talk [[video](https://www.youtube.com/watch?v=NVwx0DARDis), [slides](https://speakerdeck.com/palkan/railsconf-2018-access-denied-the-missing-guide-to-authorization-in-rails)]
 
 <a href="https://evilmartians.com/?utm_source=action_policy">

data/docs/_sidebar.md

@@ -3,6 +3,7 @@
   * [Writing Policies](writing_policies.md)
   * [Rails Integration](rails.md)
   * [Non-Rails Usage](non_rails.md)
+  * [GraphQL Integration](graphql.md)
   * [Testing](testing.md)
 * Features
   * [Authorization Behaviour](behaviour.md)

data/docs/aliases.md

@@ -41,15 +41,19 @@ You can add a _default_ rule–the rule that would be applied if the rule specif
 
 ```ruby
 class PostPolicy < ApplicationPolicy
+  # For an ApplicationPolicy, makes :manage? match anything that is
+  # not :index?, :create? or :new?
   default_rule :manage?
 
+  # If you want manage? to catch really everything, place this alias
+  #alias_rule :index?, :create?, :new?, to: :manage?
   def manage?
     # ...
   end
 end
 ```
 
-Now when you call `authorize! post` with any rule not explicitly defined in policy class, the `manage?` rule is applied.
+Now when you call `authorize! post` with any rule not defined in the policy class, the `manage?` rule is applied.  Note that `index?` `create?` and `new?` are already defined in the [superclass by default](custom_policy.md) (returning `false`) - if you want the same behaviour for *all* actions, define aliases like in the example above (commented out).
 
 By default, `ActionPolicy::Base` sets `manage?` as a default rule.
 

data/docs/graphql.md

@@ -0,0 +1,252 @@
+# GraphQL integration
+
+You can use Action Policy as an authorization library for you [GraphQL Ruby](https://graphql-ruby.org/) application via the [`action_policy-graphql` gem](https://github.com/palkan/action_policy-graphql).
+
+This integration provides the following features:
+- Fields & mutations authorization
+- List and connections scoping
+- [**Exposing permissions/authorization rules in the API**](https://dev.to/evilmartians/exposing-permissions-in-graphql-apis-with-action-policy-1mfh).
+
+## Getting Started
+
+First, add `action_policy-graphql` gem to your Gemfile (see [installation instructions](https://github.com/palkan/action_policy-graphql#installation)).
+
+Then, include `ActionPolicy::GraphQL::Behaviour` to your base type (or any other type/mutation where you want to use authorization features):
+
+```ruby
+# For fields authorization, lists scoping and rules exposing
+class Types::BaseObject < GraphQL::Schema::Object
+  include ActionPolicy::GraphQL::Behaviour
+end
+
+# For using authorization helpers in mutations
+class Types::BaseMutation < GraphQL::Schema::Mutation
+  include ActionPolicy::GraphQL::Behaviour
+end
+```
+
+## Authorization Context
+
+By default, Action Policy use `context[:current_user]` as the `user` [authorization context](./authoriation_context.md).
+
+**NOTE:** see below for more information on what's included into `ActionPolicy::GraphQL::Behaviour`.
+
+## Authorizing Fields
+
+You can add `authorize: true` option to any field (=underlying object) to protect the access (it's equal to calling `authorize! object, to: :show?`):
+
+```ruby
+# authorization could be useful for find-like methods,
+# where the object is resolved from the provided params (e.g., ID)
+field :home, Home, null: false, authorize: true do
+  argument :id, ID, required: true
+end
+
+def home(id:)
+  Home.find(id)
+end
+
+# Without `authorize: true` the code would look like this
+def home(id:)
+  Home.find(id).tap { |home| authorize! home, to: :show? }
+end
+```
+
+You can use authorization options to customize the behaviour, e.g. `authorize: {to: :preview?, with: CustomPolicy}`.
+
+By default, if a user is not authorized to access the field, an `ActionPolicy::Unauthorized` exception is raised.
+
+If you want to return a `nil` instead, you should add `raise: false` to the options:
+
+```ruby
+# NOTE: don't forget to mark your field as nullable
+field :home, Home, null: true, authorize: {raise: false}
+```
+
+You can make non-raising behaviour a default by setting a configuration option:
+
+```ruby
+ActionPolicy::GraphQL.authorize_raise_exception = false
+```
+
+You can also change the default `show?` rule globally:
+
+```ruby
+ActionPolicy::GraphQL.default_authorize_rule = :show_graphql_field?
+```
+
+### Class-level authorization
+
+You can use Action Policy in the class-level [authorization hooks](https://graphql-ruby.org/authorization/authorization.html) (`self.authorized?`) like this:
+
+```ruby
+class Types::Friendship < Types::BaseObject
+  def self.authorized?(object, context)
+    super &&
+      object.allowed_to?(
+        :show?,
+        object,
+        context: {user: context[:current_user]}
+      )
+  end
+end
+```
+
+## Authorizing Mutations
+
+Mutation is just a Ruby class with a single API method. There is nothing specific in authorizing mutations: from the Action Policy point of view, they are just [_behaviours_](./behaviour.md).
+
+If you want to authorize the mutation, you call `authorize!` method. For example:
+
+```ruby
+class Mutations::DestroyUser < Types::BaseMutation
+  argument :id, ID, required: true
+
+  def resolve(id:)
+    user = User.find(id)
+
+    # Raise an exception if the user has not enough permissions
+    authorize! user, to: :destroy?
+    # Or check without raising and do what you want
+    #
+    #     if allowed_to?(:destroy?, user)
+
+    user.destroy!
+
+    {deleted_id: user.id}
+  end
+end
+```
+
+## Handling exceptions
+
+The query would fail with `ActionPolicy::Unauthorized` exception when using `authorize: true` (in raising mode) or calling `authorize!` explicitly.
+
+That could be useful to handle this exception and send a more detailed error message to the client, for example:
+
+```ruby
+# in your schema file
+rescue_from(ActionPolicy::Unauthorized) do |exp|
+  raise GraphQL::ExecutionError.new(
+    # use result.message (backed by i18n) as an error message
+    exp.result.message,
+    # use GraphQL error extensions to provide more context
+    extensions: {
+      code: :unauthorized,
+      fullMessages: exp.result.reasons.full_messages,
+      details: exp.result.reasons.details
+    }
+  )
+end
+```
+
+## Scoping Data
+
+You can add `authorized_scope: true` option to a field (list or [_connection_](https://graphql-ruby.org/relay/connections.html)) to apply the corresponding policy rules to the data:
+
+```ruby
+class CityType < ::Common::Graphql::Type
+  # It would automatically apply the relation scope from the EventPolicy to
+  # the relation (city.events)
+  field :events, EventType.connection_type,
+        null: false,
+        authorized_scope: true
+
+  # you can specify the policy explicitly
+  field :events, EventType.connection_type,
+        null: false,
+        authorized_scope: {with: CustomEventPolicy}
+
+  # without the option you would write the following code
+  def events
+    authorized_scope object.events
+    # or if `with` option specified
+    authorized_scope object.events, with: CustomEventPolicy
+  end
+end
+```
+
+See the documenation on [scoping](./scoping.md).
+
+## Exposing Authorization Rules
+
+With `action_policy-graphql` gem, you can easily expose your authorization logic to the client in a standardized way.
+
+For example, if you want to "tell" the client which actions could be performed against the object you
+can use the `expose_authorization_rules` macro to add authorization-related fields to your type:
+
+```ruby
+class ProfileType < Types::BaseType
+  # Adds can_edit, can_destroy fields with
+  # AuthorizationResult type.
+
+  # NOTE: prefix "can_" is used by default, no need to specify it explicitly
+  expose_authorization_rules :edit?, :destroy?, prefix: "can_"
+end
+```
+
+**NOTE:** you can use [aliases](./aliases.md) here as well as defined rules.
+
+ **NOTE:** This feature relies the [_failure reasons_](./reasons.md) and
+the [i18n integration](./i18n.md) extensions. If your policies don't include any of these,
+you won't be able to use it.
+
+Then the client could perform the following query:
+
+```gql
+{
+  post(id: $id) {
+    canEdit {
+      # (bool) true|false; not null
+      value
+      # top-level decline message ("Not authorized" by default); null if value is true
+      message
+      # detailed information about the decline reasons; null if value is true or you don't have "failure reasons" extension enabled
+      reasons {
+        details # JSON-encoded hash of the form { "event" => [:privacy_off?] }
+        fullMessages # Array of human-readable reasons
+      }
+    }
+
+    canDestroy {
+      # ...
+    }
+  }
+}
+```
+
+You can override a custom authorization field prefix (`can_`):
+
+```ruby
+ActionPolicy::GraphQL.default_authorization_field_prefix = "allowed_to_"
+```
+
+## Custom Behaviour
+
+Including the default `ActionPolicy::GraphQL::Behaviour` is equal to adding the following to your base class:
+
+```ruby
+class Types::BaseObject < GraphQL::Schema::Object
+  # include Action Policy behaviour and its extensions
+  include ActionPolicy::Behaviour
+  include ActionPolicy::Behaviours::ThreadMemoized
+  include ActionPolicy::Behaviours::Memoized
+  include ActionPolicy::Behaviours::Namespaced
+
+  # define authorization context
+  authorize :user, through: :current_user
+
+  # add a method helper to get the current_user from the context
+  def current_user
+    context[:current_user]
+  end
+
+  # extend the field class to add `authorize` and `authorized_scope` options
+  field_class.prepend(ActionPolicy::GraphQL::AuthorizedField)
+
+  # add `expose_authorization_rules` macro
+  include ActionPolicy::GraphQL::Fields
+end
+```
+
+Feel free to create your own behaviour by adding only the functionality you need.

data/docs/reasons.md

@@ -2,7 +2,8 @@
 
 When you have complex policy rules, it could be helpful to have an ability to define an exact reason for why a specific authorization was rejected.
 
-It is especially helpful when you compose policies (i.e., use one policy within another).
+It is especially helpful when you compose policies (i.e., use one policy within another) or want
+to expose permissions to client applications (see [GraphQL](./graphql)).
 
 Action Policy allows you to track failed `allowed_to?` checks in your rules.
 

data/gemfiles/railsmaster.gemfile

@@ -1,6 +1,6 @@
 source "https://rubygems.org"
 
-gem "sqlite3", "~> 1.3.0"
+gem "sqlite3", "~> 1.4.0"
 gem "rails", github: "rails/rails"
 
 gemspec path: ".."

data/lib/action_policy.rb

@@ -11,9 +11,9 @@ module ActionPolicy
   class NotFound < Error
     attr_reader :target, :message
 
-    def initialize(target)
+    def initialize(target, message = nil)
       @target = target
-      @message = "Couldn't find policy class for #{target.inspect}"
+      @message = message || "Couldn't find policy class for #{target.inspect}"
     end
   end
 

data/lib/action_policy/behaviour.rb

@@ -35,7 +35,7 @@ module ActionPolicy
     #
     # Raises `ActionPolicy::Unauthorized` if check failed.
     def authorize!(record = :__undef__, to:, **options)
-      record = implicit_authorization_target if record == :__undef__
+      record = implicit_authorization_target! if record == :__undef__
       raise ArgumentError, "Record must be specified" if record.nil?
 
       policy = policy_for(record: record, **options)
@@ -47,7 +47,7 @@ module ActionPolicy
     #
     # Returns true of false.
     def allowed_to?(rule, record = :__undef__, **options)
-      record = implicit_authorization_target if record == :__undef__
+      record = implicit_authorization_target! if record == :__undef__
       raise ArgumentError, "Record must be specified" if record.nil?
 
       policy = policy_for(record: record, **options)

data/lib/action_policy/behaviours/policy_for.rb

@@ -27,6 +27,20 @@ module ActionPolicy
       def implicit_authorization_target
         # no-op
       end
+
+      # Return implicit authorization target or raises an exception if it's nil
+      def implicit_authorization_target!
+        implicit_authorization_target || raise(
+          NotFound,
+          [
+            self,
+            "Couldn't find implicit authorization target " \
+            "for #{self.class}. " \
+            "Please, provide policy class explicitly using `with` option or " \
+            "define the `implicit_authorization_target` method."
+          ]
+        )
+      end
     end
   end
 end

data/lib/action_policy/behaviours/scoping.rb

@@ -12,7 +12,7 @@ module ActionPolicy
       #   - use `implicit_authorization_target` if none of the above works.
       def authorized_scope(target, type: nil, as: :default, scope_options: nil, **options)
         policy = policy_for(record: target, allow_nil: true, **options)
-        policy ||= policy_for(record: implicit_authorization_target, **options)
+        policy ||= policy_for(record: implicit_authorization_target!, **options)
 
         type ||= authorization_scope_type_for(policy, target)
 

data/lib/action_policy/policy/core.rb

@@ -65,7 +65,8 @@ module ActionPolicy
 
       attr_reader :record, :result
 
-      def initialize(record = nil, **_opts)
+      # NEXT_RELEASE: deprecate `record` arg, migrate to `record: nil`
+      def initialize(record = nil, _opts = nil)
         @record = record
       end
 

data/lib/action_policy/policy/scoping.rb

@@ -4,10 +4,6 @@ require "action_policy/behaviours/scoping"
 
 require "action_policy/utils/suggest_message"
 
-require "action_policy/ext/proc_case_eq"
-
-using ActionPolicy::Ext::ProcCaseEq
-
 module ActionPolicy
   class UnknownScopeType < Error # :nodoc:
     include ActionPolicy::SuggestMessage

data/lib/action_policy/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ActionPolicy
-  VERSION = "0.3.0"
+  VERSION = "0.3.1"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: action_policy
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.1
 platform: ruby
 authors:
 - Vladimir Dementyev
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-04-02 00:00:00.000000000 Z
+date: 2019-05-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -72,14 +72,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.65.0
+        version: 0.67.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.65.0
+        version: 0.67.0
 - !ruby/object:Gem::Dependency
   name: rubocop-md
   requirement: !ruby/object:Gem::Requirement
@@ -100,14 +100,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.0.36
+        version: 0.0.39
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.0.36
+        version: 0.0.39
 - !ruby/object:Gem::Dependency
   name: benchmark-ips
   requirement: !ruby/object:Gem::Requirement
@@ -144,10 +144,12 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitattributes"
+- ".github/FUNDING.yml"
 - ".github/ISSUE_TEMPLATE.md"
 - ".github/PULL_REQUEST_TEMPLATE.md"
 - ".gitignore"
 - ".rubocop.yml"
+- ".tidelift.yml"
 - ".travis.yml"
 - CHANGELOG.md
 - Gemfile
@@ -183,6 +185,7 @@ files:
 - docs/debugging.md
 - docs/decorators.md
 - docs/favicon.ico
+- docs/graphql.md
 - docs/i18n.md
 - docs/index.html
 - docs/instrumentation.md
@@ -214,7 +217,6 @@ files:
 - lib/action_policy/ext/hash_transform_keys.rb
 - lib/action_policy/ext/module_namespace.rb
 - lib/action_policy/ext/policy_cache_key.rb
-- lib/action_policy/ext/proc_case_eq.rb
 - lib/action_policy/ext/string_constantize.rb
 - lib/action_policy/ext/string_match.rb
 - lib/action_policy/ext/string_underscore.rb
@@ -253,7 +255,12 @@ files:
 homepage: https://github.com/palkan/action_policy
 licenses:
 - MIT
-metadata: {}
+metadata:
+  bug_tracker_uri: http://github.com/palkan/action_policy/issues
+  changelog_uri: https://github.com/palkan/action_policy/blob/master/CHANGELOG.md
+  documentation_uri: https://actionpolicy.evilmartians.io/
+  homepage_uri: https://actionpolicy.evilmartians.io/
+  source_code_uri: http://github.com/palkan/action_policy
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -269,7 +276,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.2
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: Authorization framework for Ruby/Rails application

data/lib/action_policy/ext/proc_case_eq.rb

@@ -1,14 +0,0 @@
-# frozen_string_literal: true
-
-module ActionPolicy
-  module Ext
-    # Add #=== to Proc
-    module ProcCaseEq
-      refine Proc do
-        def ===(other)
-          call(other) == true
-        end
-      end
-    end
-  end
-end