action_policy 0.4.0 → 0.5.0

data/LICENSE.txt

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2018-2019 Vladimir Dementyev
+Copyright (c) 2018-2020 Vladimir Dementyev
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

data/README.md

@@ -1,8 +1,9 @@
 [![Gem Version](https://badge.fury.io/rb/action_policy.svg)](https://badge.fury.io/rb/action_policy)
-[![Build Status](https://travis-ci.org/palkan/action_policy.svg?branch=master)](https://travis-ci.org/palkan/action_policy)
+![Build](https://github.com/palkan/action_policy/workflows/Build/badge.svg)
+![JRuby Build](https://github.com/palkan/action_policy/workflows/JRuby%20Build/badge.svg)
 [![Documentation](https://img.shields.io/badge/docs-link-brightgreen.svg)](https://actionpolicy.evilmartians.io)
 
-# ActionPolicy
+# Action Policy
 
 Authorization framework for Ruby and Rails applications.
 
@@ -21,7 +22,6 @@ Composable. Extensible. Performant.
 
 - RailsConf, 2018 "Access Denied" talk ([video](https://www.youtube.com/watch?v=NVwx0DARDis), [slides](https://speakerdeck.com/palkan/railsconf-2018-access-denied-the-missing-guide-to-authorization-in-rails))
 
-
 ## Integrations
 
 - GraphQL Ruby ([`action_policy-graphql`](https://github.com/palkan/action_policy-graphql))
@@ -36,7 +36,9 @@ gem "action_policy", "~> 0.4.0"
 
 And then execute:
 
-    $ bundle
+```sh
+bundle install
+```
 
 ## Usage
 
@@ -89,7 +91,6 @@ end
 
 \* See [Non-Rails Usage](docs/non_rails.md) on how to add `authorize!` to any Ruby project.
 
-
 When authorization is successful (i.e., the corresponding rule returns `true`), nothing happens, but in case of authorization failure `ActionPolicy::Unauthorized` error is raised.
 
 There is also an `allowed_to?` method which returns `true` or `false`, and could be used, in views, for example:
@@ -98,7 +99,7 @@ There is also an `allowed_to?` method which returns `true` or `false`, and could
 <% @posts.each do |post| %>
   <li><%= post.title %>
     <% if allowed_to?(:edit?, post) %>
-      = link_to post, "Edit"
+      <%= link_to post, "Edit">
     <% end %>
   </li>
 <% end %>
@@ -121,8 +122,3 @@ Bug reports and pull requests are welcome on GitHub at https://github.com/palkan
 The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
 
 [Documentation]: http://actionpolicy.evilmartians.io
-
-## Security Contact
-
-To report a security vulnerability, please use the [Tidelift security contact](https://tidelift.com/security). Tidelift will coordinate the fix and disclosure.
-

data/lib/action_policy.rb

@@ -1,5 +1,10 @@
 # frozen_string_literal: true
 
+require "ruby-next"
+
+require "ruby-next/language/setup"
+RubyNext::Language.setup_gem_load_path(transpile: true)
+
 # ActionPolicy is an authorization framework for Ruby/Rails applications.
 #
 # It provides a way to write access policies and helpers to check these policies
@@ -30,8 +35,9 @@ module ActionPolicy
     attr_accessor :cache_store
 
     # Find a policy class for a target
-    def lookup(target, allow_nil: false, **options)
+    def lookup(target, allow_nil: false, default: nil, **options)
       LookupChain.call(target, **options) ||
+        default ||
         (allow_nil ? nil : raise(NotFound, target))
     end
   end

data/lib/action_policy/behaviour.rb

@@ -35,12 +35,7 @@ module ActionPolicy
     #
     # Raises `ActionPolicy::Unauthorized` if check failed.
     def authorize!(record = :__undef__, to:, **options)
-      record = implicit_authorization_target! if record == :__undef__
-      raise ArgumentError, "Record must be specified" if record.nil?
-
-      options[:context] && (options[:context] = authorization_context.merge(options[:context]))
-
-      policy = policy_for(record: record, **options)
+      policy = lookup_authorization_policy(record, **options)
 
       Authorizer.call(policy, authorization_rule_for(policy, to))
     end
@@ -49,14 +44,17 @@ module ActionPolicy
     #
     # Returns true of false.
     def allowed_to?(rule, record = :__undef__, **options)
-      record = implicit_authorization_target! if record == :__undef__
-      raise ArgumentError, "Record must be specified" if record.nil?
+      policy = lookup_authorization_policy(record, **options)
 
-      options[:context] && (options[:context] = authorization_context.merge(options[:context]))
+      policy.apply(authorization_rule_for(policy, rule))
+    end
 
-      policy = policy_for(record: record, **options)
+    # Returns the authorization result object after applying a specified rule to a record.
+    def allowance_to(rule, record = :__undef__, **options)
+      policy = lookup_authorization_policy(record, **options)
 
       policy.apply(authorization_rule_for(policy, rule))
+      policy.result
     end
 
     def authorization_context
@@ -75,6 +73,15 @@ module ActionPolicy
       policy.resolve_rule(rule)
     end
 
+    def lookup_authorization_policy(record, **options) # :nodoc:
+      record = implicit_authorization_target! if record == :__undef__
+      raise ArgumentError, "Record must be specified" if record.nil?
+
+      options[:context] && (options[:context] = authorization_context.merge(options[:context]))
+
+      policy_for(record: record, **options)
+    end
+
     module ClassMethods # :nodoc:
       # Configure authorization context.
       #
@@ -97,12 +104,11 @@ module ActionPolicy
       def authorization_targets
         return @authorization_targets if instance_variable_defined?(:@authorization_targets)
 
-        @authorization_targets =
-          if superclass.respond_to?(:authorization_targets)
-            superclass.authorization_targets.dup
-          else
-            {}
-          end
+        if superclass.respond_to?(:authorization_targets)
+          superclass.authorization_targets.dup
+        else
+          {}
+        end => @authorization_targets
       end
     end
   end

data/lib/action_policy/behaviours/policy_for.rb

@@ -8,8 +8,11 @@ module ActionPolicy
       using ActionPolicy::Ext::PolicyCacheKey
 
       # Returns policy instance for the record.
-      def policy_for(record:, with: nil, namespace: authorization_namespace, context: authorization_context, allow_nil: false)
-        policy_class = with || ::ActionPolicy.lookup(record, namespace: namespace, context: context, allow_nil: allow_nil)
+      def policy_for(record:, with: nil, namespace: authorization_namespace, context: authorization_context, allow_nil: false, default: default_authorization_policy_class)
+        policy_class = with || ::ActionPolicy.lookup(
+          record,
+          **{namespace, context, allow_nil, default}
+        )
         policy_class&.new(record, **context)
       end
 
@@ -21,6 +24,10 @@ module ActionPolicy
         # override to provide specific authorization namespace
       end
 
+      def default_authorization_policy_class
+        # override to provide a policy class use when no policy found
+      end
+
       # Override this method to provide implicit authorization target
       # that would be used in case `record` is not specified in
       # `authorize!` and `allowed_to?` call.
@@ -46,7 +53,7 @@ module ActionPolicy
 
       def policy_for_cache_key(record:, with: nil, namespace: nil, context: authorization_context, **)
         record_key = record._policy_cache_key(use_object_id: true)
-        context_key = context.values.map { |v| v._policy_cache_key(use_object_id: true) }.join(".")
+        context_key = context.values.map { _1._policy_cache_key(use_object_id: true) }.join(".")
 
         "#{namespace}/#{with}/#{context_key}/#{record_key}"
       end

data/lib/action_policy/behaviours/scoping.rb

@@ -17,8 +17,9 @@ module ActionPolicy
         policy ||= policy_for(record: implicit_authorization_target!, **options)
 
         type ||= authorization_scope_type_for(policy, target)
+        name = as
 
-        Authorizer.scopify(target, policy, type: type, name: as, scope_options: scope_options)
+        Authorizer.scopify(target, policy, **{type, name, scope_options})
       end
 
       # For backward compatibility

data/lib/action_policy/behaviours/thread_memoized.rb

@@ -7,9 +7,7 @@ module ActionPolicy
     class << self
       attr_writer :enabled
 
-      def enabled?
-        @enabled == true
-      end
+      def enabled?() = @enabled == true
 
       def fetch(key)
         return yield unless enabled?

data/lib/action_policy/ext/module_namespace.rb

@@ -9,11 +9,6 @@ module ActionPolicy
         using ActionPolicy::Ext::StringConstantize
       end
 
-      unless "".respond_to?(:match?)
-        require "action_policy/ext/string_match"
-        using ActionPolicy::Ext::StringMatch
-      end
-
       module Ext
         def namespace
           return unless name&.match?(/[^^]::/)
@@ -23,7 +18,7 @@ module ActionPolicy
       end
 
       # See https://github.com/jruby/jruby/issues/5220
-      ::Module.include(Ext) if RUBY_PLATFORM =~ /java/i
+      ::Module.include(Ext) if RUBY_PLATFORM.match?(/java/i)
 
       refine Module do
         include Ext

data/lib/action_policy/ext/policy_cache_key.rb

@@ -13,77 +13,59 @@ module ActionPolicy
       module ObjectExt
         def _policy_cache_key(use_object_id: false)
           return policy_cache_key if respond_to?(:policy_cache_key)
+          return cache_key_with_version if respond_to?(:cache_key_with_version)
           return cache_key if respond_to?(:cache_key)
 
-          return object_id if use_object_id == true
+          return object_id.to_s if use_object_id == true
 
           raise ArgumentError, "object is not cacheable"
         end
       end
 
-      # JRuby doesn't support _global_ modules refinements (see https://github.com/jruby/jruby/issues/5220)
-      # Fallback to monkey-patching.
-      # TODO: remove after 9.2.7.0 (See https://github.com/jruby/jruby/pull/5627)
-      ::Object.include(ObjectExt) if RUBY_PLATFORM =~ /java/i
-
       refine Object do
         include ObjectExt
       end
 
       refine NilClass do
-        def _policy_cache_key(*)
-          ""
-        end
+        def _policy_cache_key(*) = ""
       end
 
       refine TrueClass do
-        def _policy_cache_key(*)
-          "t"
-        end
+        def _policy_cache_key(*) = "t"
       end
 
       refine FalseClass do
-        def _policy_cache_key(*)
-          "f"
-        end
+        def _policy_cache_key(*) = "f"
       end
 
       refine String do
-        def _policy_cache_key(*)
-          self
-        end
+        def _policy_cache_key(*) = self
       end
 
       refine Symbol do
-        def _policy_cache_key(*)
-          to_s
-        end
+        def _policy_cache_key(*) = to_s
       end
 
       if RUBY_PLATFORM.match?(/java/i)
         refine Integer do
-          def _policy_cache_key(*)
-            to_s
-          end
+          def _policy_cache_key(*) = to_s
         end
 
         refine Float do
-          def _policy_cache_key(*)
-            to_s
-          end
+          def _policy_cache_key(*) = to_s
         end
       else
         refine Numeric do
-          def _policy_cache_key(*)
-            to_s
-          end
+          def _policy_cache_key(*) = to_s
         end
       end
 
       refine Time do
-        def _policy_cache_key(*)
-          to_s
-        end
+        def _policy_cache_key(*) = to_s
+      end
+
+      refine Module do
+        def _policy_cache_key(*) = name
       end
     end
   end

data/lib/action_policy/ext/{symbol_classify.rb → symbol_camelize.rb}

@@ -2,15 +2,15 @@
 
 module ActionPolicy
   module Ext
-    # Add `classify` to Symbol
-    module SymbolClassify
+    # Add `camelize` to Symbol
+    module SymbolCamelize
       refine Symbol do
-        if "".respond_to?(:classify)
-          def classify
-            to_s.classify
+        if "".respond_to?(:camelize)
+          def camelize
+            to_s.camelize
           end
         else
-          def classify
+          def camelize
             word = to_s.capitalize
             word.gsub!(/(?:_)([a-z\d]*)/) { $1.capitalize }
             word

data/lib/action_policy/i18n.rb

@@ -21,7 +21,7 @@ module ActionPolicy
       private
 
       def candidates_for(policy_class, rule)
-        policy_hierarchy = policy_class.ancestors.select { |klass| klass.respond_to?(:identifier) }
+        policy_hierarchy = policy_class.ancestors.select { _1.respond_to?(:identifier) }
         [
           *policy_hierarchy.map { |klass| :"policy.#{klass.identifier}.#{rule}" },
           :"policy.#{rule}",

data/lib/action_policy/lookup_chain.rb

@@ -12,8 +12,8 @@ module ActionPolicy
       using ActionPolicy::Ext::StringConstantize
     end
 
-    require "action_policy/ext/symbol_classify"
-    using ActionPolicy::Ext::SymbolClassify
+    require "action_policy/ext/symbol_camelize"
+    using ActionPolicy::Ext::SymbolCamelize
 
     require "action_policy/ext/module_namespace"
     using ActionPolicy::Ext::ModuleNamespace
@@ -24,14 +24,26 @@ module ActionPolicy
       class << self
         attr_reader :store
 
-        def fetch(namespace, policy)
+        def put_if_absent(scope, namespace, policy)
+          local_store = store[scope][namespace]
+          return local_store[policy] if local_store[policy]
+          local_store[policy] ||= yield
+        end
+
+        def fetch(namespace, policy, strict:, &block)
           return yield unless LookupChain.namespace_cache_enabled?
-          return store[namespace][policy] if store[namespace].key?(policy)
-          store[namespace][policy] ||= yield
+
+          if strict
+            put_if_absent(:strict, namespace, policy, &block)
+          else
+            cached_policy = put_if_absent(:strict, namespace, policy, &block)
+            put_if_absent(:flexible, namespace, policy) { cached_policy }
+          end
         end
 
         def clear
-          @store = Hash.new { |h, k| h[k] = {} }
+          hash = Hash.new { |h, k| h[k] = {} }
+          @store = {strict: hash, flexible: hash.clone}
         end
       end
 
@@ -53,22 +65,23 @@ module ActionPolicy
 
       private
 
-      def lookup_within_namespace(policy_name, namespace)
-        NamespaceCache.fetch(namespace.name, policy_name) do
+      def lookup_within_namespace(policy_name, namespace, strict: false)
+        return unless namespace
+        NamespaceCache.fetch(namespace.name, policy_name, strict: strict) do
           mod = namespace
-
           loop do
             policy = "#{mod.name}::#{policy_name}".safe_constantize
-
             break policy unless policy.nil?
-
             mod = mod.namespace
-
-            break if mod.nil?
+            break if mod.nil? || strict
           end
         end
       end
 
+      def objectify_policy(policy_name, strict: false)
+        policy_name.safe_constantize unless strict
+      end
+
       def policy_class_name_for(record)
         return record.policy_name.to_s if record.respond_to?(:policy_name)
 
@@ -111,23 +124,30 @@ module ActionPolicy
     }
 
     # Infer from passed symbol
-    SYMBOL_LOOKUP = ->(record, namespace: nil, **) {
+    SYMBOL_LOOKUP = ->(record, namespace: nil, strict_namespace: false, **) {
       next unless record.is_a?(Symbol)
 
-      policy_name = "#{record.classify}Policy"
-      if namespace.nil?
-        policy_name.safe_constantize
-      else
-        lookup_within_namespace(policy_name, namespace)
-      end
+      policy_name = "#{record.camelize}Policy"
+      lookup_within_namespace(policy_name, namespace, strict: strict_namespace) ||
+        objectify_policy(policy_name, strict: strict_namespace)
+    }
+
+    # (Optional) Infer using String#classify if available
+    CLASSIFY_SYMBOL_LOOKUP = ->(record, namespace: nil, strict_namespace: false, **) {
+      next unless record.is_a?(Symbol)
+
+      policy_name = "#{record.to_s.classify}Policy"
+      lookup_within_namespace(policy_name, namespace, strict: strict_namespace) ||
+        objectify_policy(policy_name, strict: strict_namespace)
     }
 
     self.chain = [
       SYMBOL_LOOKUP,
+      (CLASSIFY_SYMBOL_LOOKUP if String.method_defined?(:classify)),
       INSTANCE_POLICY_CLASS,
       CLASS_POLICY_CLASS,
       NAMESPACE_LOOKUP,
       INFER_FROM_CLASS
-    ]
+    ].compact
   end
 end