action_policy 0.3.4 → 0.4.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 272123a33fae55ffd9e6e09b1098862fbbf353a6ed5ff71d090bc5fd01396244
-  data.tar.gz: ec53e2634999660b46c95dddc85bcf71055e336fdae5a8ea47023a671bba55ce
+  metadata.gz: aa234de7b74f58df4707ec00f9f4d67bee0d89fb721f2b0e4df90627970530e6
+  data.tar.gz: e6e4ba56d3be720b8ddac3a236f42c84eec2472d04b95213914d89e23d291bf7
 SHA512:
-  metadata.gz: 62353ff2be45386257efcd127a43c7eac61d1cb7fc3cfcbf1acc6d6563e6d0a0a91873a0593b8ff62d51adc70b730e1799eb5a1565e3a1ed3c1f2593d46a05ff
-  data.tar.gz: 837e717de9323e7131c535a41fe848aaa9501ad8f10471f082ff1355ae824afa7691b44bb9c8db71cb0b33898ad126963f3518b8cfcc1207e34469a282648d62
+  metadata.gz: 450572c0987f8d4174ff6c51fdd188d62bd5dfd288b381a593030ee9ef8575df74852b1600706f6dfb1c115fddb9a45e518f03b2dd0a118e653c0a13c0efc05a
+  data.tar.gz: 1fa6dac85f5fe5f014026d23357c08e9dba0101b68a07a96315275a1ce2aa28762ab82abffbf0ae985a9a277d942de23c521223d485b7acfe1fdceeae9c4179d

data/.github/ISSUE_TEMPLATE.md

@@ -1,5 +1,5 @@
 <!--
-  This template is for bug reports. If you are reporting a bug, please continue on. If you are here for another reason, 
+  This template is for bug reports. If you are reporting a bug, please continue on. If you are here for another reason,
   feel free to skip the rest of this template.
 -->
 
@@ -11,6 +11,9 @@
 
 **Action Policy Version:**
 
+**Reproduction Script:** Use [this template](https://github.com/palkan/action_policy/blob/master/.github/bug_report_template.rb) to
+create a standalone reproduction script. That would help us to fix the problem quicker. Thanks!
+
 ### What did you do?
 
 ### What did you expect to happen?

data/.github/bug_report_template.rb

@@ -0,0 +1,175 @@
+# frozen_string_literal: true
+
+require "bundler/inline"
+
+# This reproduction script allows you to test Action Policy with Rails.
+# It contains:
+#   - Headless User model
+#   - UserPolicy
+#   - UsersController
+#   - Example tests for the controller.
+#
+# Update the classes to reproduce the failing case.
+#
+# Run the script as follows:
+#
+#   $ ruby bug_report_template.rb
+gemfile(true) do
+  source "https://rubygems.org"
+
+  gem "rails", "~> 6.0"
+  gem "action_policy", "~> 0.4"
+
+  gem "pry-byebug", platform: :mri
+end
+
+require "rails"
+require "action_controller/railtie"
+require "action_policy"
+
+require "minitest/autorun"
+
+module Buggy
+  class Application < Rails::Application
+    config.logger = Logger.new("/dev/null")
+    config.eager_load = false
+
+    initializer "routes" do
+      Rails.application.routes.draw do
+        get ":controller(/:action)"
+      end
+    end
+  end
+end
+
+Rails.application.initialize!
+
+class User
+  include Comparable
+
+  attr_reader :name
+
+  def initialize(name)
+    @name = name
+  end
+
+  def admin?
+    name == "admin"
+  end
+
+  def <=>(other)
+    return super unless other.is_a?(User)
+    name <=> other.name
+  end
+end
+
+class UserPolicy < ActionPolicy::Base
+  def index?
+    true
+  end
+
+  def create?
+    user.admin?
+  end
+
+  def show?
+    true
+  end
+
+  def manage?
+    user.admin? && !record.admin?
+  end
+end
+
+class UsersController < ActionController::Base
+  authorize :user, through: :current_user
+
+  before_action :set_user, only: [:update, :show]
+
+  def index
+    authorize!
+    render plain: "OK"
+  end
+
+  def create
+    authorize!
+    render plain: "OK"
+  end
+
+  def update
+    render plain: "OK"
+  end
+
+  def show
+    if allowed_to?(:update?, @user)
+      render plain: "OK"
+    else
+      render plain: "Read-only"
+    end
+  end
+
+  def current_user
+    @current_user ||= User.new(params[:user])
+  end
+
+  private
+
+  def set_user
+    @user = User.new(params[:target])
+    authorize! @user
+  end
+end
+
+class TestBugReproduction < ActionController::TestCase
+  tests UsersController
+
+  def before_setup
+    @routes = Rails.application.routes
+    super
+  end
+
+  def teardown
+    ActionPolicy::PerThreadCache.clear_all
+  end
+
+  def test_index
+    get :index, params: {user: "guest"}
+    assert_equal "OK", response.body
+  end
+
+  def test_create_failed
+    e = assert_raises(ActionPolicy::Unauthorized) do
+      post :create, params: {user: "guest"}
+    end
+
+    assert_equal UserPolicy, e.policy
+    assert_equal :create?, e.rule
+    assert e.result.reasons.is_a?(::ActionPolicy::Policy::FailureReasons)
+  end
+
+  def test_create_succeed
+    post :create, params: {user: "admin"}
+    assert_equal "OK", response.body
+  end
+
+  def test_update_failed
+    assert_raises(ActionPolicy::Unauthorized) do
+      patch :update, params: {user: "admin", target: "admin"}
+    end
+  end
+
+  def test_update_succeed
+    patch :update, params: {user: "admin", target: "guest"}
+    assert_equal "OK", response.body
+  end
+
+  def test_show
+    get :show, params: {user: "admin", target: "guest"}
+    assert_equal "OK", response.body
+  end
+
+  def test_show_admin
+    get :show, params: {user: "admin", target: "admin"}
+    assert_equal "Read-only", response.body
+  end
+end

data/.travis.yml

@@ -16,16 +16,16 @@ matrix:
   include:
     - rvm: ruby-head
       gemfile: gemfiles/railsmaster.gemfile
-    - rvm: jruby-9.2.5.0
+    - rvm: jruby-9.2.8.0
       gemfile: gemfiles/jruby.gemfile
-    - rvm: 2.6.0
+    - rvm: 2.6.5
       gemfile: gemfiles/rails6.gemfile
     - rvm: 2.5.3
       gemfile: Gemfile
-    - rvm: 2.4.3
+    - rvm: 2.5.3
       gemfile: gemfiles/rails42.gemfile
   allow_failures:
     - rvm: ruby-head
       gemfile: gemfiles/railsmaster.gemfile
-    - rvm: jruby-9.2.5.0
+    - rvm: jruby-9.2.8.0
       gemfile: gemfiles/jruby.gemfile

data/CHANGELOG.md

@@ -1,5 +1,58 @@
+# Change log
+
 ## master
 
+## 0.4.4 (2020-07-07)
+
+- Fix symbol lookup with namespaces. ([@palkan][])
+
+Fixes [#122](https://github.com/palkan/action_policy/issues/122).
+
+- Separated `#classify`-based and `#camelize`-based symbol lookups. ([Be-ngt-oH][])
+
+Only affects Rails apps. Now lookup for `:users` tries to find `UsersPolicy` first (camelize),
+and only then search for `UserPolicy` (classify).
+
+See [PR#118](https://github.com/palkan/action_policy/pull/118).
+
+- Fix calling rules with `allowed_to?` directly. ([@palkan][])
+
+  Fixes [#113](https://github.com/palkan/action_policy/issues/113)
+
+## 0.4.3 (2019-12-14)
+
+- Add `#cache(*parts, **options) { ... }` method. ([@palkan][])
+
+  Allows you to cache anything in policy classes using the Action Policy
+  cache key generation mechanism.
+
+- Handle versioned Rails cache keys. ([@palkan][])
+
+  Use `#cache_with_version` as a cache key if defined.
+
+## 0.4.2 (2019-12-13)
+
+- Fix regression introduced in 0.4.0 which broke testing Class targets. ([@palkan][])
+
+## 0.4.0 (2019-12-11)
+
+- Add `action_policy.init` instrumentation event. ([@palkan][])
+
+  Triggered every time a new policy object is initialized.
+
+- Fix policy memoization with explicit context. ([@palkan][])
+
+  Explicit context (`authorize! context: {}`) wasn't considered during
+  policies memoization. Not this is fixed.
+
+- Support composed matchers for authorization target testing. ([@palkan][])
+
+  Now you can write tests like this:
+
+  ```ruby
+  expect { subject }.to be_authorized_to(:show?, an_instance_of(User))
+  ```
+
 ## 0.3.4 (2019-11-27)
 
 - Fix Rails generators. ([@palkan][])
@@ -346,3 +399,4 @@
 [@korolvs]: https://github.com/korolvs
 [@nicolas-brousse]: https://github.com/nicolas-brousse
 [@somenugget]: https://github.com/somenugget
+[@Be-ngt-oH]: https://github.com/Be-ngt-oH

data/LICENSE.txt

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2018-2019 Vladimir Dementyev
+Copyright (c) 2018-2020 Vladimir Dementyev
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

data/README.md

@@ -2,7 +2,7 @@
 [![Build Status](https://travis-ci.org/palkan/action_policy.svg?branch=master)](https://travis-ci.org/palkan/action_policy)
 [![Documentation](https://img.shields.io/badge/docs-link-brightgreen.svg)](https://actionpolicy.evilmartians.io)
 
-# ActionPolicy
+# Action Policy
 
 Authorization framework for Ruby and Rails applications.
 
@@ -15,9 +15,11 @@ Composable. Extensible. Performant.
 
 ## Resources
 
-- Seattle.rb, 2019 "A Denial!" talk [[slides](https://speakerdeck.com/palkan/seattle-dot-rb-2019-a-denial)]
+- RubyRussia, 2019 "Welcome, or access denied?" talk ([video](https://www.youtube.com/watch?v=y15a2g7v8i0) [RU], [slides](https://speakerdeck.com/palkan/rubyrussia-2019-welcome-or-access-denied))
 
-- RailsConf, 2018 "Access Denied" talk [[video](https://www.youtube.com/watch?v=NVwx0DARDis), [slides](https://speakerdeck.com/palkan/railsconf-2018-access-denied-the-missing-guide-to-authorization-in-rails)]
+- Seattle.rb, 2019 "A Denial!" talk ([slides](https://speakerdeck.com/palkan/seattle-dot-rb-2019-a-denial))
+
+- RailsConf, 2018 "Access Denied" talk ([video](https://www.youtube.com/watch?v=NVwx0DARDis), [slides](https://speakerdeck.com/palkan/railsconf-2018-access-denied-the-missing-guide-to-authorization-in-rails))
 
 
 ## Integrations
@@ -29,7 +31,7 @@ Composable. Extensible. Performant.
 Add this line to your application's `Gemfile`:
 
 ```ruby
-gem "action_policy", "~> 0.3.0"
+gem "action_policy", "~> 0.4.0"
 ```
 
 And then execute:
@@ -96,7 +98,7 @@ There is also an `allowed_to?` method which returns `true` or `false`, and could
 <% @posts.each do |post| %>
   <li><%= post.title %>
     <% if allowed_to?(:edit?, post) %>
-      = link_to post, "Edit"
+      <%= link_to post, "Edit">
     <% end %>
   </li>
 <% end %>
@@ -119,8 +121,3 @@ Bug reports and pull requests are welcome on GitHub at https://github.com/palkan
 The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
 
 [Documentation]: http://actionpolicy.evilmartians.io
-
-## Security Contact
-
-To report a security vulnerability, please use the [Tidelift security contact](https://tidelift.com/security). Tidelift will coordinate the fix and disclosure.
-

data/benchmarks/namespaced_lookup_cache.rb

@@ -39,6 +39,9 @@ if ENV["NO_CACHE"]
   ActionPolicy::LookupChain.namespace_cache_enabled = false
 end
 
+results_path = File.join(__dir__, "../tmp/#{__FILE__.sub(/\.rb$/, ".txt")}")
+FileUtils.mkdir_p File.dirname(results_path)
+
 Benchmark.ips do |x|
   x.warmup = 0
 
@@ -58,14 +61,14 @@ Benchmark.ips do |x|
     ActionPolicy.lookup(b, namespace: X::Y::Z)
   end
 
-  x.hold! "temp_results"
+  x.hold! results_path
 
   x.compare!
 end
 
 #
 # Comparison:
-#             cache B:   178577.4 i/s
-#             cache A:   173061.4 i/s - same-ish: difference falls within error
-#         no cache A:    97991.7 i/s - same-ish: difference falls within error
-#         no cache B:    42505.4 i/s - 4.20x  slower
+#             cache A:   204788.3 i/s
+#             cache B:   202536.9 i/s - same-ish: difference falls within error
+#          no cache A:   127772.8 i/s - same-ish: difference falls within error
+#          no cache B:    63487.2 i/s - 3.23x  slower

data/benchmarks/pre_checks.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+# This benchmark measures the difference between catch/throw and jump-less implementation.
+
+$LOAD_PATH.unshift File.expand_path("../lib", __dir__)
+
+require "action_policy"
+require "benchmark/ips"
+
+GC.disable
+
+class A; end
+
+class B; end
+
+class APolicy < ActionPolicy::Base
+  authorize :user, optional: true
+
+  pre_check :do_nothing, :deny_all
+
+  def show?
+    true
+  end
+
+  def do_nothing
+  end
+
+  def deny_all
+    deny!
+  end
+end
+
+class BPolicy < APolicy
+  def run_pre_checks(rule)
+    catch :policy_fulfilled do
+      self.class.pre_checks.each do |check|
+        next unless check.applicable?(rule)
+        check.call(self)
+      end
+
+      return yield if block_given?
+    end
+
+    result.value
+  end
+
+  def deny!
+    result.load false
+    throw :policy_fulfilled
+  end
+end
+
+a = A.new
+
+(APolicy.new(record: a).apply(:show?) == BPolicy.new(record: a).apply(:show?)) || raise("Implementations are not equal")
+
+Benchmark.ips do |x|
+  x.warmup = 0
+
+  x.report("loop pre-check") do
+    APolicy.new(record: a).apply(:show?)
+  end
+
+  x.report("catch/throw pre-check") do
+    BPolicy.new(record: a).apply(:show?)
+  end
+
+  x.compare!
+end
+
+# Comparison:
+# catch/throw pre-check:   286094.2 i/s
+#      loop pre-check:   184786.1 i/s - 1.55x  slower