action_policy 0.7.4 → 0.7.6

data/lib/.rbnext/3.4/action_policy/rspec/be_authorized_to.rb

@@ -0,0 +1,96 @@
+# frozen_string_literal: true
+
+require "action_policy/testing"
+
+module ActionPolicy
+  module RSpec
+    # Authorization matcher `be_authorized_to`.
+    #
+    # Verifies that a block of code has been authorized using specific policy.
+    #
+    # Example:
+    #
+    #   # in controller/request specs
+    #   subject { patch :update, id: product.id }
+    #
+    #   it "is authorized" do
+    #     expect { subject }
+    #       .to be_authorized_to(:manage?, product)
+    #       .with(ProductPolicy)
+    #   end
+    #
+    class BeAuthorizedTo < ::RSpec::Matchers::BuiltIn::BaseMatcher
+      attr_reader :rule, :target, :policy, :actual_calls, :context
+
+      def initialize(rule, target)
+        @rule = rule
+        @target = target
+      end
+
+      def with(policy)
+        @policy = policy
+        self
+      end
+
+      def with_context(context)
+        @context = context
+        self
+      end
+
+      def match(_expected, actual)
+        raise "This matcher only supports block expectations" unless actual.is_a?(Proc)
+
+        @policy ||= ::ActionPolicy.lookup(target)
+        @context ||= nil
+
+        begin
+          ActionPolicy::Testing::AuthorizeTracker.tracking { actual.call }
+        rescue ActionPolicy::Unauthorized
+          # we don't want to care about authorization result
+        end
+
+        @actual_calls = ActionPolicy::Testing::AuthorizeTracker.calls
+
+        actual_calls.any? { |it| it.matches?(policy, rule, target, context) }
+      end
+
+      def does_not_match?(*)
+        raise "This matcher doesn't support negation"
+      end
+
+      def supports_block_expectations?() = true
+
+      def failure_message
+        "expected #{formatted_record} " \
+        "to be authorized with #{policy}##{rule}, " \
+        "#{"and context #{context.inspect}, " if context}" \
+        "but #{actual_calls_message}"
+      end
+
+      def actual_calls_message
+        if actual_calls.empty?
+          "no authorization calls have been made"
+        else
+          "the following calls were encountered:\n" \
+          "#{formatted_calls}"
+        end
+      end
+
+      def formatted_calls
+        actual_calls.map do |it|
+          " - #{it.inspect}"
+        end.join("\n")
+      end
+
+      def formatted_record(record = target) = ::RSpec::Support::ObjectFormatter.format(record)
+    end
+  end
+end
+
+RSpec.configure do |config|
+  config.include(Module.new do
+    def be_authorized_to(rule, target)
+      ActionPolicy::RSpec::BeAuthorizedTo.new(rule, target)
+    end
+  end)
+end

data/lib/.rbnext/3.4/action_policy/rspec/have_authorized_scope.rb

@@ -0,0 +1,130 @@
+# frozen_string_literal: true
+
+require "action_policy/testing"
+
+module ActionPolicy
+  module RSpec
+    # Implements `have_authorized_scope` matcher.
+    #
+    # Verifies that a block of code applies authorization scoping using specific policy.
+    #
+    # Example:
+    #
+    #   # in controller/request specs
+    #   subject { get :index }
+    #
+    #   it "has authorized scope" do
+    #     expect { subject }
+    #       .to have_authorized_scope(:active_record_relation)
+    #       .with(ProductPolicy)
+    #   end
+    #
+    class HaveAuthorizedScope < ::RSpec::Matchers::BuiltIn::BaseMatcher
+      attr_reader :type, :name, :policy, :scope_options, :actual_scopes,
+        :target_expectations, :context
+
+      def initialize(type)
+        @type = type
+        @name = :default
+        @scope_options = nil
+      end
+
+      def with(policy)
+        @policy = policy
+        self
+      end
+
+      def as(name)
+        @name = name
+        self
+      end
+
+      def with_scope_options(scope_options)
+        @scope_options = scope_options
+        self
+      end
+
+      def with_target(&block)
+        @target_expectations = block
+        self
+      end
+
+      def with_context(context)
+        @context = context
+        self
+      end
+
+      def match(_expected, actual)
+        raise "This matcher only supports block expectations" unless actual.is_a?(Proc)
+
+        ActionPolicy::Testing::AuthorizeTracker.tracking { actual.call }
+
+        @actual_scopes = ActionPolicy::Testing::AuthorizeTracker.scopings
+
+        matching_scopes = actual_scopes.select { |it| it.matches?(policy, type, name, scope_options, context) }
+
+        return false if matching_scopes.empty?
+
+        return true unless target_expectations
+
+        if matching_scopes.size > 1
+          raise "Too many matching scopings (#{matching_scopes.size}), " \
+                "you can run `.with_target` only when there is the only one match"
+        end
+
+        target_expectations.call(matching_scopes.first.target)
+        true
+      end
+
+      def does_not_match?(*)
+        raise "This matcher doesn't support negation"
+      end
+
+      def supports_block_expectations?() = true
+
+      def failure_message
+        "expected a scoping named :#{name} for type :#{type} " \
+        "#{scope_options_message} " \
+        "#{"and context #{context.inspect} " if context}" \
+        "from #{policy} to have been applied, " \
+        "but #{actual_scopes_message}"
+      end
+
+      def scope_options_message
+        if scope_options
+          if defined?(::RSpec::Matchers::Composable) &&
+              scope_options.is_a?(::RSpec::Matchers::Composable)
+            "with scope options #{scope_options.description}"
+          else
+            "with scope options #{scope_options}"
+          end
+        else
+          "without scope options"
+        end
+      end
+
+      def actual_scopes_message
+        if actual_scopes.empty?
+          "no scopings have been made"
+        else
+          "the following scopings were encountered:\n" \
+          "#{formatted_scopings}"
+        end
+      end
+
+      def formatted_scopings
+        actual_scopes.map do |it|
+          " - #{it.inspect}"
+        end.join("\n")
+      end
+    end
+  end
+end
+
+RSpec.configure do |config|
+  config.include(Module.new do
+    def have_authorized_scope(type)
+      ActionPolicy::RSpec::HaveAuthorizedScope.new(type)
+    end
+  end)
+end

data/lib/.rbnext/3.4/action_policy/utils/pretty_print.rb

@@ -0,0 +1,155 @@
+# frozen_string_literal: true
+
+old_verbose = $VERBOSE
+
+begin
+  require "method_source"
+  # Ignore parse warnings when patch
+  # Ruby version mismatches
+  $VERBOSE = nil
+  require "prism"
+rescue LoadError
+  # do nothing
+ensure
+  $VERBOSE = old_verbose
+end
+
+module ActionPolicy
+  using RubyNext
+
+  # Takes the object and a method name,
+  # and returns the "annotated" source code for the method:
+  # code is split into parts by logical operators and each
+  # part is evaluated separately.
+  #
+  # Example:
+  #
+  #  class MyClass
+  #    def access?
+  #      admin? && access_feed?
+  #    end
+  #  end
+  #
+  #  puts PrettyPrint.format_method(MyClass.new, :access?)
+  #
+  #  #=> MyClass#access?
+  #  #=> ↳ admin? #=> false
+  #  #=> AND
+  #  #=> access_feed? #=> true
+  module PrettyPrint
+    TRUE = "\e[32mtrue\e[0m"
+    FALSE = "\e[31mfalse\e[0m"
+
+    class Visitor
+      attr_reader :lines, :object, :source
+      attr_accessor :indent
+
+      def initialize(object)
+        @object = object
+      end
+
+      def collect(ast)
+        @lines = []
+        @indent = 0
+        @source = ast.source.source
+        ast = ast.value.child_nodes[0].child_nodes[0].body
+
+        visit_node(ast)
+
+        lines.join("\n")
+      end
+
+      def visit_node(ast)
+        if respond_to?("visit_#{ast.type}")
+          send("visit_#{ast.type}", ast)
+        else
+          visit_missing ast
+        end
+      end
+
+      def expression_with_result(sexp)
+        expression = source[sexp.location.start_offset...sexp.location.end_offset]
+        "#{expression} #=> #{PrettyPrint.colorize(eval_exp(expression))}"
+      end
+
+      def eval_exp(exp)
+        return "<skipped>" if ignore_exp?(exp)
+        object.instance_eval(exp)
+      rescue => e
+        "Failed: #{e.message}"
+      end
+
+      def visit_and_node(ast)
+        visit_node(ast.left)
+        lines << indented("AND")
+        visit_node(ast.right)
+      end
+
+      def visit_or_node(ast)
+        visit_node(ast.left)
+        lines << indented("OR")
+        visit_node(ast.right)
+      end
+
+      def visit_statements_node(ast)
+        ast.child_nodes.each do |node|
+          visit_node(node)
+          # restore indent after each expression
+          self.indent -= 2
+        end
+      end
+
+      def visit_parentheses_node(ast)
+        lines << indented("(")
+        self.indent += 2
+        visit_node(ast.child_nodes[0])
+        lines << indented(")")
+      end
+
+      def visit_missing(ast)
+        lines << indented(expression_with_result(ast))
+      end
+
+      def indented(str)
+        "#{"↳ " if indent.zero?}#{" " * indent}#{str}".tap do
+          # increase indent after the first expression
+          self.indent += 2 if indent.zero?
+        end
+      end
+
+      # Some lines should not be evaled
+      def ignore_exp?(exp)
+        PrettyPrint.ignore_expressions.any? { |it| exp.match?(it) }
+      end
+    end
+
+    class << self
+      attr_accessor :ignore_expressions
+
+      if defined?(::Prism) && defined?(::MethodSource)
+        def available?() = true
+
+        def print_method(object, method_name)
+          ast = Prism.parse(object.method(method_name).source)
+
+          Visitor.new(object).collect(ast)
+        end
+      else
+        def available?() = false
+
+        def print_method(_, _) = ""
+      end
+
+      def colorize(val)
+        return val unless $stdout.isatty
+        return TRUE if val.eql?(true) # rubocop:disable Lint/DeprecatedConstants
+        return FALSE if val.eql?(false) # rubocop:disable Lint/DeprecatedConstants
+        val
+      end
+    end
+
+    self.ignore_expressions = [
+      /^\s*binding\.(pry|irb)\s*$/s
+    ]
+  end
+end

data/lib/action_policy/behaviour.rb

@@ -65,7 +65,7 @@ module ActionPolicy
     private def build_authorization_context
       self.class.authorization_targets
         .each_with_object({}) do |(key, method_or_proc), obj|
-        obj[key] = method_or_proc.is_a?(Proc) ? method_or_proc.call : send(method_or_proc)
+          obj[key] = method_or_proc.is_a?(Proc) ? instance_exec(&method_or_proc) : send(method_or_proc)
       end
     end
 

data/lib/action_policy/behaviours/policy_for.rb

@@ -61,7 +61,7 @@ module ActionPolicy
 
       def policy_for_cache_key(record:, with: nil, namespace: nil, context: authorization_context, **)
         record_key = record._policy_cache_key(use_object_id: true)
-        context_key = context.values.map { _1._policy_cache_key(use_object_id: true) }.join(".")
+        context_key = context.values.map { it._policy_cache_key(use_object_id: true) }.join(".")
 
         "#{namespace}/#{with}/#{context_key}/#{record_key}"
       end

data/lib/action_policy/i18n.rb

@@ -21,7 +21,7 @@ module ActionPolicy
       private
 
       def candidates_for(policy_class, rule)
-        policy_hierarchy = policy_class.ancestors.select { _1.respond_to?(:identifier) }
+        policy_hierarchy = policy_class.ancestors.select { it.respond_to?(:identifier) }
         [
           *policy_hierarchy.map { |klass| :"policy.#{klass.identifier}.#{rule}" },
           :"policy.#{rule}",

data/lib/action_policy/policy/cache.rb

@@ -29,7 +29,7 @@ module ActionPolicy # :nodoc:
         [
           cache_namespace,
           *parts
-        ].map { _1._policy_cache_key }.join("/")
+        ].map { it._policy_cache_key }.join("/")
       end
 
       def rule_cache_key(rule)

data/lib/action_policy/policy/execution_result.rb

@@ -16,7 +16,7 @@ module ActionPolicy
 
       # Populate the final value
       def load(value)
-        @value = value
+        @value = !!value
       end
 
       def success?() = @value == true

data/lib/action_policy/policy/pre_check.rb

@@ -125,7 +125,7 @@ module ActionPolicy
         def pre_check(*names, **options)
           names.each do |name|
             # do not allow pre-check override
-            check = pre_checks.find { _1.name == name }
+            check = pre_checks.find { it.name == name }
             raise "Pre-check already defined: #{name}" unless check.nil?
 
             pre_checks << Check.new(self, name, **options)
@@ -134,14 +134,14 @@ module ActionPolicy
 
         def skip_pre_check(*names, **options)
           names.each do |name|
-            check = pre_checks.find { _1.name == name }
+            check = pre_checks.find { it.name == name }
             raise "Pre-check not found: #{name}" if check.nil?
 
             # when no options provided we remove this check completely
             next pre_checks.delete(check) if options.empty?
 
             # otherwise duplicate and apply skip options
-            pre_checks[pre_checks.index(check)] = check.dup.tap { _1.skip!(**options) }
+            pre_checks[pre_checks.index(check)] = check.dup.tap { it.skip!(**options) }
           end
         end
 

data/lib/action_policy/rails/controller.rb

@@ -11,9 +11,16 @@ module ActionPolicy
     end
   end
 
+  # Raised when `authorized_scope` hasn't been called for action
+  class UnscopedAction < Error
+    def initialize(controller, action)
+      super("Action '#{controller}##{action}' hasn't been scoped")
+    end
+  end
+
   # Controller concern.
   # Add `authorize!` and `allowed_to?` methods,
-  # provide `verify_authorized` hook.
+  # provide `verify_authorized` and `verify_authorized_scoped` hooks.
   module Controller
     extend ActiveSupport::Concern
 
@@ -29,10 +36,10 @@ module ActionPolicy
         helper_method :allowance_to
       end
 
-      attr_writer :authorize_count
-      attr_reader :verify_authorized_skipped
+      attr_writer :authorize_count, :scoped_count
+      attr_reader :verify_authorized_skipped, :verify_authorized_scoped_skipped
 
-      protected :authorize_count=, :authorize_count
+      protected :authorize_count=, :authorize_count, :scoped_count=, :scoped_count
     end
 
     # Authorize action against a policy.
@@ -56,6 +63,16 @@ module ActionPolicy
       policy_record
     end
 
+    # Apply scope to the target.
+    #
+    # @return the scoped target
+    def authorized_scope(target, **options)
+      scoped = super
+
+      self.scoped_count += 1
+      scoped
+    end
+
     # Tries to infer the resource class from controller name
     # (i.e. `controller_name.classify.safe_constantize`).
     def implicit_authorization_target
@@ -67,14 +84,27 @@ module ActionPolicy
         authorize_count.zero? && !verify_authorized_skipped
     end
 
+    def verify_authorized_scoped
+      Kernel.raise UnscopedAction.new(controller_path, action_name) if
+        scoped_count.zero? && !verify_authorized_scoped_skipped
+    end
+
     def authorize_count
       @authorize_count ||= 0
     end
 
+    def scoped_count
+      @scoped_count ||= 0
+    end
+
     def skip_verify_authorized!
       @verify_authorized_skipped = true
     end
 
+    def skip_verify_authorized_scoped!
+      @verify_authorized_scoped_skipped = true
+    end
+
     class_methods do
       # Adds after_action callback to check that
       # authorize! method has been called.
@@ -86,6 +116,17 @@ module ActionPolicy
       def skip_verify_authorized(**options)
         skip_after_action :verify_authorized, options
       end
+
+      # Adds after_action callback to check that
+      # authorized_scope method has been called.
+      def verify_authorized_scoped(**options)
+        after_action :verify_authorized_scoped, options
+      end
+
+      # Skips verify_authorized_scoped after_action callback.
+      def skip_verify_authorized_scoped(**options)
+        skip_after_action :verify_authorized_scoped, options
+      end
     end
   end
 end

data/lib/action_policy/rails/policy/instrumentation.rb

@@ -22,6 +22,7 @@ module ActionPolicy # :nodoc:
             result = super
             event[:cached] = result.cached?
             event[:value] = result.value
+            event[:result] = result
             result
           end
         end

data/lib/action_policy/rspec/be_authorized_to.rb

@@ -51,7 +51,7 @@ module ActionPolicy
 
         @actual_calls = ActionPolicy::Testing::AuthorizeTracker.calls
 
-        actual_calls.any? { _1.matches?(policy, rule, target, context) }
+        actual_calls.any? { it.matches?(policy, rule, target, context) }
       end
 
       def does_not_match?(*)
@@ -63,7 +63,7 @@ module ActionPolicy
       def failure_message
         "expected #{formatted_record} " \
         "to be authorized with #{policy}##{rule}, " \
-        "#{context ? "and context #{context.inspect}, " : ""}" \
+        "#{"and context #{context.inspect}, " if context}" \
         "but #{actual_calls_message}"
       end
 
@@ -78,7 +78,7 @@ module ActionPolicy
 
       def formatted_calls
         actual_calls.map do
-          " - #{_1.inspect}"
+          " - #{it.inspect}"
         end.join("\n")
       end
 

data/lib/action_policy/rspec/have_authorized_scope.rb

@@ -61,7 +61,7 @@ module ActionPolicy
 
         @actual_scopes = ActionPolicy::Testing::AuthorizeTracker.scopings
 
-        matching_scopes = actual_scopes.select { _1.matches?(policy, type, name, scope_options, context) }
+        matching_scopes = actual_scopes.select { it.matches?(policy, type, name, scope_options, context) }
 
         return false if matching_scopes.empty?
 
@@ -85,7 +85,7 @@ module ActionPolicy
       def failure_message
         "expected a scoping named :#{name} for type :#{type} " \
         "#{scope_options_message} " \
-        "#{context ? "and context #{context.inspect} " : ""}" \
+        "#{"and context #{context.inspect} " if context}" \
         "from #{policy} to have been applied, " \
         "but #{actual_scopes_message}"
       end
@@ -114,7 +114,7 @@ module ActionPolicy
 
       def formatted_scopings
         actual_scopes.map do
-          " - #{_1.inspect}"
+          " - #{it.inspect}"
         end.join("\n")
       end
     end

data/lib/action_policy/test_helper.rb

@@ -52,7 +52,7 @@ module ActionPolicy
       assert(
         actual_calls.any? { |call| call.matches?(policy, rule, target, context) },
         "Expected #{target.inspect} to be authorized with #{policy}##{rule}, " \
-        "#{context ? "and context #{context}, " : ""}" \
+        "#{"and context #{context}, " if context}" \
         "but no such authorization has been made.\n" \
         "Registered authorizations: " \
         "#{actual_calls.empty? ? "none" : actual_calls.map(&:inspect).join(",")}"

data/lib/action_policy/utils/pretty_print.rb

@@ -111,7 +111,7 @@ module ActionPolicy
       end
 
       def indented(str)
-        "#{indent.zero? ? "↳ " : ""}#{" " * indent}#{str}".tap do
+        "#{"↳ " if indent.zero?}#{" " * indent}#{str}".tap do
           # increase indent after the first expression
           self.indent += 2 if indent.zero?
         end
@@ -119,7 +119,7 @@ module ActionPolicy
 
       # Some lines should not be evaled
       def ignore_exp?(exp)
-        PrettyPrint.ignore_expressions.any? { exp.match?(_1) }
+        PrettyPrint.ignore_expressions.any? { exp.match?(it) }
       end
     end
 

data/lib/action_policy/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ActionPolicy
-  VERSION = "0.7.4"
+  VERSION = "0.7.6"
 end

data/lib/action_policy.rb

@@ -21,7 +21,7 @@ module ActionPolicy
       @message =
         message ||
         "Couldn't find policy class for #{target.inspect}" \
-        "#{target.is_a?(Module) ? "" : " (#{target.class})"}"
+        "#{" (#{target.class})" unless target.is_a?(Module)}"
     end
   end