action_policy 0.7.4 → 0.7.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c2ca6d3ab4293001cc4b07e7fe5503a8c06a8b72684c0f7a9c4e7a4ef8a32c89
-  data.tar.gz: f1e726704611a3bc9ade5d3466fd64c4a5c9faddf5aa8338f3179ec4da2381e5
+  metadata.gz: 322dfe78ddec91cb0d7c46b290f69484ba2fdf417c85c687d23e6b521db3e097
+  data.tar.gz: b263d5a7000f202b480331e4dd486726563ab83a4828bd57dbaa8c2e8a3b86a3
 SHA512:
-  metadata.gz: aa35a3efefa37fc64066a78899b9b03a2283e2458471425a2e7cc2bc0b4ff829e87beda744057866f661e37fc54f14d094ba0fc446ea155537042478109576a7
-  data.tar.gz: d90069b7a1b3bea22c2d5e6dd990231f1bf24f85fd50081a92a54bcd5c271faa42f40c9c526a8434abd793e6f4c928b5cb28d4dad3fbaeb2bf3701f67fd4fd21
+  metadata.gz: 93628bb047eb417395cc9b7f0b15f2f97882d327c32212105d186ef42187fc24e84abd37bdf40968ae5a5988d318d717f0fb3af454f5fb14059a3dc84fe98c08
+  data.tar.gz: 9d0387f6aea496ac9d3affdb6cfe89b9fef008d9ff2f96a97a69ce19c0832f8fe01d2023f4497a150325e00e341d6a170b8218e3ce47e06a96d8de28aea38cb5

data/CHANGELOG.md

@@ -2,13 +2,23 @@
 
 ## master
 
+## 0.7.6 (2025-01-13)
+
+- Execute proc passed to the `:through` option of `authorize` against `self` ([@Pagehey][])
+
+- Add authorization result to the instrumentation payload (as `event[:result]`). ([@palkan][])
+
+## 0.7.5 (2025-05-09) 🎇
+
+- Ensure `result.value` is true or false. ([@palkan][])
+
 ## 0.7.4 (2025-03-12)
 
-- Let authorize! return the policy record ([@sedubois][])
+- Let authorize! return the policy record. ([@sedubois][])
 
-- Enable `allowance_to` as a helper method by default ([@stephannv][])
+- Enable `allowance_to` as a helper method by default. ([@stephannv][])
 
-- Allow the `:through` option of `authorize` to be passed a proc ([@brendon][])
+- Allow the `:through` option of `authorize` to be passed a Proc. ([@brendon][])
 
 ## 0.7.3 (2024-12-18)
 
@@ -549,3 +559,4 @@ This value is now stored in a cache (if any) instead of just the call result (`t
 [@Spone]: https://github.com/Spone
 [@stephannv]: https://github.com/stephannv
 [@sedubois]: https://github.com/sedubois
+[@Pagehey]: https://github.com/Pagehey

data/lib/.rbnext/3.0/action_policy/behaviours/policy_for.rb

@@ -61,7 +61,7 @@ module ActionPolicy
 
       def policy_for_cache_key(record:, with: nil, namespace: nil, context: authorization_context, **__kwrest__)
         record_key = record._policy_cache_key(use_object_id: true)
-        context_key = context.values.map { _1._policy_cache_key(use_object_id: true) }.join(".")
+        context_key = context.values.map { |it| it._policy_cache_key(use_object_id: true) }.join(".")
 
         "#{namespace}/#{with}/#{context_key}/#{record_key}"
       end

data/lib/.rbnext/3.0/action_policy/policy/cache.rb

@@ -29,7 +29,7 @@ module ActionPolicy # :nodoc:
         [
           cache_namespace,
           *parts
-        ].map { _1._policy_cache_key }.join("/")
+        ].map { |it| it._policy_cache_key }.join("/")
       end
 
       def rule_cache_key(rule)

data/lib/.rbnext/3.0/action_policy/policy/execution_result.rb

@@ -16,7 +16,7 @@ module ActionPolicy
 
       # Populate the final value
       def load(value)
-        @value = value
+        @value = !!value
       end
 
       def success?() ;  @value == true; end

data/lib/.rbnext/3.0/action_policy/policy/pre_check.rb

@@ -125,7 +125,7 @@ module ActionPolicy
         def pre_check(*names, **options)
           names.each do |name|
             # do not allow pre-check override
-            check = pre_checks.find { _1.name == name }
+            check = pre_checks.find { |it| it.name == name }
             raise "Pre-check already defined: #{name}" unless check.nil?
 
             pre_checks << Check.new(self, name, **options)
@@ -134,14 +134,14 @@ module ActionPolicy
 
         def skip_pre_check(*names, **options)
           names.each do |name|
-            check = pre_checks.find { _1.name == name }
+            check = pre_checks.find { |it| it.name == name }
             raise "Pre-check not found: #{name}" if check.nil?
 
             # when no options provided we remove this check completely
             next pre_checks.delete(check) if options.empty?
 
             # otherwise duplicate and apply skip options
-            pre_checks[pre_checks.index(check)] = check.dup.tap { _1.skip!(**options) }
+            pre_checks[pre_checks.index(check)] = check.dup.tap { |it| it.skip!(**options) }
           end
         end
 

data/lib/.rbnext/3.0/action_policy/rspec/be_authorized_to.rb

@@ -51,7 +51,7 @@ module ActionPolicy
 
         @actual_calls = ActionPolicy::Testing::AuthorizeTracker.calls
 
-        actual_calls.any? { _1.matches?(policy, rule, target, context) }
+        actual_calls.any? { |it| it.matches?(policy, rule, target, context) }
       end
 
       def does_not_match?(*__rest__)
@@ -63,7 +63,7 @@ module ActionPolicy
       def failure_message
         "expected #{formatted_record} " \
         "to be authorized with #{policy}##{rule}, " \
-        "#{context ? "and context #{context.inspect}, " : ""}" \
+        "#{"and context #{context.inspect}, " if context}" \
         "but #{actual_calls_message}"
       end
 
@@ -77,8 +77,8 @@ module ActionPolicy
       end
 
       def formatted_calls
-        actual_calls.map do
-          " - #{_1.inspect}"
+        actual_calls.map do |it|
+          " - #{it.inspect}"
         end.join("\n")
       end
 

data/lib/.rbnext/3.0/action_policy/rspec/have_authorized_scope.rb

@@ -61,7 +61,7 @@ module ActionPolicy
 
         @actual_scopes = ActionPolicy::Testing::AuthorizeTracker.scopings
 
-        matching_scopes = actual_scopes.select { _1.matches?(policy, type, name, scope_options, context) }
+        matching_scopes = actual_scopes.select { |it| it.matches?(policy, type, name, scope_options, context) }
 
         return false if matching_scopes.empty?
 
@@ -85,7 +85,7 @@ module ActionPolicy
       def failure_message
         "expected a scoping named :#{name} for type :#{type} " \
         "#{scope_options_message} " \
-        "#{context ? "and context #{context.inspect} " : ""}" \
+        "#{"and context #{context.inspect} " if context}" \
         "from #{policy} to have been applied, " \
         "but #{actual_scopes_message}"
       end
@@ -113,8 +113,8 @@ module ActionPolicy
       end
 
       def formatted_scopings
-        actual_scopes.map do
-          " - #{_1.inspect}"
+        actual_scopes.map do |it|
+          " - #{it.inspect}"
         end.join("\n")
       end
     end

data/lib/.rbnext/3.0/action_policy/utils/pretty_print.rb

@@ -111,7 +111,7 @@ module ActionPolicy
       end
 
       def indented(str)
-        "#{indent.zero? ? "↳ " : ""}#{" " * indent}#{str}".tap do
+        "#{"↳ " if indent.zero?}#{" " * indent}#{str}".tap do
           # increase indent after the first expression
           self.indent += 2 if indent.zero?
         end
@@ -119,7 +119,7 @@ module ActionPolicy
 
       # Some lines should not be evaled
       def ignore_exp?(exp)
-        PrettyPrint.ignore_expressions.any? { exp.match?(_1) }
+        PrettyPrint.ignore_expressions.any? { |it| exp.match?(it) }
       end
     end
 

data/lib/.rbnext/3.1/action_policy/behaviours/policy_for.rb

@@ -61,7 +61,7 @@ module ActionPolicy
 
       def policy_for_cache_key(record:, with: nil, namespace: nil, context: authorization_context, **__kwrest__)
         record_key = record._policy_cache_key(use_object_id: true)
-        context_key = context.values.map { _1._policy_cache_key(use_object_id: true) }.join(".")
+        context_key = context.values.map { |it| it._policy_cache_key(use_object_id: true) }.join(".")
 
         "#{namespace}/#{with}/#{context_key}/#{record_key}"
       end

data/lib/.rbnext/3.2/action_policy/behaviours/policy_for.rb

@@ -61,7 +61,7 @@ module ActionPolicy
 
       def policy_for_cache_key(record:, with: nil, namespace: nil, context: authorization_context, **__kwrest__)
         record_key = record._policy_cache_key(use_object_id: true)
-        context_key = context.values.map { _1._policy_cache_key(use_object_id: true) }.join(".")
+        context_key = context.values.map { |it| it._policy_cache_key(use_object_id: true) }.join(".")
 
         "#{namespace}/#{with}/#{context_key}/#{record_key}"
       end

data/lib/.rbnext/3.2/action_policy/rspec/be_authorized_to.rb

@@ -51,7 +51,7 @@ module ActionPolicy
 
         @actual_calls = ActionPolicy::Testing::AuthorizeTracker.calls
 
-        actual_calls.any? { _1.matches?(policy, rule, target, context) }
+        actual_calls.any? { |it| it.matches?(policy, rule, target, context) }
       end
 
       def does_not_match?(*__rest__)
@@ -63,7 +63,7 @@ module ActionPolicy
       def failure_message
         "expected #{formatted_record} " \
         "to be authorized with #{policy}##{rule}, " \
-        "#{context ? "and context #{context.inspect}, " : ""}" \
+        "#{"and context #{context.inspect}, " if context}" \
         "but #{actual_calls_message}"
       end
 
@@ -77,8 +77,8 @@ module ActionPolicy
       end
 
       def formatted_calls
-        actual_calls.map do
-          " - #{_1.inspect}"
+        actual_calls.map do |it|
+          " - #{it.inspect}"
         end.join("\n")
       end
 

data/lib/.rbnext/3.2/action_policy/rspec/have_authorized_scope.rb

@@ -61,7 +61,7 @@ module ActionPolicy
 
         @actual_scopes = ActionPolicy::Testing::AuthorizeTracker.scopings
 
-        matching_scopes = actual_scopes.select { _1.matches?(policy, type, name, scope_options, context) }
+        matching_scopes = actual_scopes.select { |it| it.matches?(policy, type, name, scope_options, context) }
 
         return false if matching_scopes.empty?
 
@@ -85,7 +85,7 @@ module ActionPolicy
       def failure_message
         "expected a scoping named :#{name} for type :#{type} " \
         "#{scope_options_message} " \
-        "#{context ? "and context #{context.inspect} " : ""}" \
+        "#{"and context #{context.inspect} " if context}" \
         "from #{policy} to have been applied, " \
         "but #{actual_scopes_message}"
       end
@@ -113,8 +113,8 @@ module ActionPolicy
       end
 
       def formatted_scopings
-        actual_scopes.map do
-          " - #{_1.inspect}"
+        actual_scopes.map do |it|
+          " - #{it.inspect}"
         end.join("\n")
       end
     end

data/lib/.rbnext/3.4/action_policy/behaviours/policy_for.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+module ActionPolicy
+  module Behaviours
+    # Adds `policy_for` method
+    module PolicyFor
+      require "action_policy/ext/policy_cache_key"
+      using ActionPolicy::Ext::PolicyCacheKey
+
+      # Returns policy instance for the record.
+      def policy_for(record:, with: nil, namespace: authorization_namespace, context: nil, allow_nil: false, default: default_authorization_policy_class, strict_namespace: authorization_strict_namespace)
+        context = context ? build_authorization_context.merge(context) : authorization_context
+
+        policy_class = with || ::ActionPolicy.lookup(
+          record,
+          namespace:, context:, allow_nil:, default:, strict_namespace:
+        )
+        policy_class&.new(record, **context)
+      end
+
+      def authorization_context = @authorization_context ||= build_authorization_context
+
+      def build_authorization_context
+        Kernel.raise NotImplementedError, "Please, define `build_authorization_context` method!"
+      end
+
+      def authorization_namespace
+        # override to provide specific authorization namespace
+      end
+
+      def default_authorization_policy_class
+        # override to provide a policy class use when no policy found
+      end
+
+      def authorization_strict_namespace
+        # override to provide strict namespace lookup option
+      end
+
+      # Override this method to provide implicit authorization target
+      # that would be used in case `record` is not specified in
+      # `authorize!` and `allowed_to?` call.
+      #
+      # It is also used to infer a policy for scoping (in `authorized_scope` method).
+      def implicit_authorization_target
+        # no-op
+      end
+
+      # Return implicit authorization target or raises an exception if it's nil
+      def implicit_authorization_target!
+        implicit_authorization_target || Kernel.raise(
+          NotFound,
+          [
+            self,
+            "Couldn't find implicit authorization target " \
+            "for #{self.class}. " \
+            "Please, provide policy class explicitly using `with` option or " \
+            "define the `implicit_authorization_target` method."
+          ]
+        )
+      end
+
+      def policy_for_cache_key(record:, with: nil, namespace: nil, context: authorization_context, **)
+        record_key = record._policy_cache_key(use_object_id: true)
+        context_key = context.values.map { |it| it._policy_cache_key(use_object_id: true) }.join(".")
+
+        "#{namespace}/#{with}/#{context_key}/#{record_key}"
+      end
+    end
+  end
+end

data/lib/.rbnext/3.4/action_policy/i18n.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+module ActionPolicy
+  module I18n # :nodoc:
+    DEFAULT_UNAUTHORIZED_MESSAGE = "You are not authorized to perform this action"
+
+    class << self
+      def full_message(policy_class, rule, details = nil)
+        candidates = candidates_for(policy_class, rule)
+
+        options = {scope: :action_policy}
+        options.merge!(details) unless details.nil?
+
+        ::I18n.t(
+          candidates.shift,
+          default: candidates,
+          **options
+        )
+      end
+
+      private
+
+      def candidates_for(policy_class, rule)
+        policy_hierarchy = policy_class.ancestors.select { |it| it.respond_to?(:identifier) }
+        [
+          *policy_hierarchy.map { |klass| :"policy.#{klass.identifier}.#{rule}" },
+          :"policy.#{rule}",
+          :unauthorized,
+          DEFAULT_UNAUTHORIZED_MESSAGE
+        ]
+      end
+    end
+
+    ActionPolicy::Policy::FailureReasons.prepend(Module.new do
+      def full_messages
+        reasons.flat_map do |policy_klass, rules|
+          rules.flat_map do |rule|
+            if rule.is_a?(::Hash)
+              rule.map do |key, details|
+                ActionPolicy::I18n.full_message(policy_klass, key, details)
+              end
+            else
+              ActionPolicy::I18n.full_message(policy_klass, rule)
+            end
+          end
+        end
+      end
+    end)
+
+    ActionPolicy::Policy::ExecutionResult.prepend(Module.new do
+      def message
+        ActionPolicy::I18n.full_message(policy, rule, details)
+      end
+    end)
+  end
+end

data/lib/.rbnext/3.4/action_policy/policy/cache.rb

@@ -0,0 +1,101 @@
+# frozen_string_literal: true
+
+require "action_policy/version"
+
+module ActionPolicy # :nodoc:
+  using RubyNext
+
+  # By default cache namespace (or prefix) contains major and minor version of the gem
+  CACHE_NAMESPACE = "acp:#{ActionPolicy::VERSION.split(".").take(2).join(".")}"
+
+  require "action_policy/ext/policy_cache_key"
+
+  using ActionPolicy::Ext::PolicyCacheKey
+
+  module Policy
+    # Provides long-lived cache through ActionPolicy.cache_store.
+    #
+    # NOTE: if cache_store is nil then we silently skip all the caching.
+    module Cache
+      class << self
+        def included(base)
+          base.extend ClassMethods
+        end
+      end
+
+      def cache_namespace() = ActionPolicy::CACHE_NAMESPACE
+
+      def cache_key(*parts)
+        [
+          cache_namespace,
+          *parts
+        ].map { |it| it._policy_cache_key }.join("/")
+      end
+
+      def rule_cache_key(rule)
+        cache_key(
+          context_cache_key,
+          record,
+          self.class,
+          rule
+        )
+      end
+
+      def context_cache_key
+        authorization_context.map { _2._policy_cache_key.to_s }.join("/")
+      end
+
+      def apply_with_cache(rule)
+        options = self.class.cached_rules.fetch(rule)
+        key = rule_cache_key(rule)
+
+        ActionPolicy.cache_store.then do |store|
+          result = store.read(key)
+          unless result.nil?
+            result.cached!
+            next result
+          end
+          yield.tap do |result|
+            store.write(key, result, options)
+          end
+        end
+      end
+
+      def apply_r(rule)
+        return super if ActionPolicy.cache_store.nil? ||
+          !self.class.cached_rules.key?(rule)
+
+        apply_with_cache(rule) { super }
+      end
+
+      def cache(*parts, **options)
+        key = cache_key(*parts)
+        ActionPolicy.cache_store.then do |store|
+          res = store.read(key)
+          next res unless res.nil?
+          res = yield
+          store.write(key, res, options)
+          res
+        end
+      end
+
+      module ClassMethods # :nodoc:
+        def cache(*rules, **options)
+          rules.each do |rule|
+            cached_rules[rule] = options
+          end
+        end
+
+        def cached_rules
+          return @cached_rules if instance_variable_defined?(:@cached_rules)
+
+          @cached_rules = if superclass.respond_to?(:cached_rules)
+            superclass.cached_rules.dup
+          else
+            {}
+          end
+        end
+      end
+    end
+  end
+end

data/lib/.rbnext/3.4/action_policy/policy/pre_check.rb

@@ -0,0 +1,160 @@
+# frozen_string_literal: true
+
+module ActionPolicy
+  module Policy
+    # Adds callback-style checks to policies to
+    # extract common checks from rules.
+    #
+    #    class ApplicationPolicy < ActionPolicy::Base
+    #      authorize :user
+    #      pre_check :allow_admins
+    #
+    #      private
+    #        # Allow every action for admins
+    #        def allow_admins
+    #          allow! if user.admin?
+    #        end
+    #    end
+    #
+    # You can specify conditional pre-checks (through `except` / `only`) options
+    # and skip already defined pre-checks if necessary.
+    #
+    #    class UserPolicy < ApplicationPolicy
+    #      skip_pre_check :allow_admins, only: :destroy?
+    #
+    #      def destroy?
+    #        user.admin? && !record.admin?
+    #      end
+    #    end
+    module PreCheck
+      # Single pre-check instance.
+      #
+      # Implements filtering logic.
+      class Check
+        attr_reader :name, :policy_class
+
+        def initialize(policy, name, except: nil, only: nil)
+          if !except.nil? && !only.nil?
+            raise ArgumentError,
+              "Only one of `except` and `only` may be specified for pre-check"
+          end
+
+          @policy_class = policy
+          @name = name
+          @blacklist = Array(except) unless except.nil?
+          @whitelist = Array(only) unless only.nil?
+
+          rebuild_filter
+        end
+
+        def applicable?(rule)
+          return true if filter.nil?
+          filter.call(rule)
+        end
+
+        def call(policy) = policy.send(name)
+
+        def skip!(except: nil, only: nil)
+          if !except.nil? && !only.nil?
+            raise ArgumentError,
+              "Only one of `except` and `only` may be specified when skipping pre-check"
+          end
+
+          if except.nil? && only.nil?
+            raise ArgumentError,
+              "At least one of `except` and `only` must be specified when skipping pre-check"
+          end
+
+          if except
+            @whitelist = Array(except)
+            @whitelist -= blacklist if blacklist
+            @blacklist = nil
+          else
+            # only
+            @blacklist += Array(only) if blacklist
+            @whitelist -= Array(only) if whitelist
+            @blacklist = Array(only) if filter.nil?
+          end
+
+          rebuild_filter
+        end
+
+        def dup
+          self.class.new(
+            policy_class,
+            name,
+            except: blacklist&.dup,
+            only: whitelist&.dup
+          )
+        end
+
+        private
+
+        attr_reader :whitelist, :blacklist, :filter
+
+        def rebuild_filter
+          @filter =
+            if whitelist
+              proc { |rule| whitelist.include?(rule) }
+            elsif blacklist
+              proc { |rule| !blacklist.include?(rule) }
+            end
+        end
+      end
+
+      class << self
+        def included(base)
+          base.extend ClassMethods
+        end
+      end
+
+      def run_pre_checks(rule)
+        self.class.pre_checks.each do |check|
+          next unless check.applicable?(rule)
+          check.call(self)
+        end
+
+        yield if block_given?
+      end
+
+      def __apply__(rule)
+        run_pre_checks(rule) { super }
+      end
+
+      module ClassMethods # :nodoc:
+        def pre_check(*names, **options)
+          names.each do |name|
+            # do not allow pre-check override
+            check = pre_checks.find { |it| it.name == name }
+            raise "Pre-check already defined: #{name}" unless check.nil?
+
+            pre_checks << Check.new(self, name, **options)
+          end
+        end
+
+        def skip_pre_check(*names, **options)
+          names.each do |name|
+            check = pre_checks.find { |it| it.name == name }
+            raise "Pre-check not found: #{name}" if check.nil?
+
+            # when no options provided we remove this check completely
+            next pre_checks.delete(check) if options.empty?
+
+            # otherwise duplicate and apply skip options
+            pre_checks[pre_checks.index(check)] = check.dup.tap { |it| it.skip!(**options) }
+          end
+        end
+
+        def pre_checks
+          return @pre_checks if instance_variable_defined?(:@pre_checks)
+
+          @pre_checks = if superclass.respond_to?(:pre_checks)
+            superclass.pre_checks.dup
+          else
+            []
+          end
+        end
+      end
+    end
+  end
+end