action_policy 0.4.3 → 0.4.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6530513fc2b087beae97b3b33e662f421a0f12911a1e21b2cce9778dc7f693c9
-  data.tar.gz: a915127b22da7b43cb0fc1aa1048c8a4d9c0b5a51f458039594eac17b29e92bc
+  metadata.gz: aa234de7b74f58df4707ec00f9f4d67bee0d89fb721f2b0e4df90627970530e6
+  data.tar.gz: e6e4ba56d3be720b8ddac3a236f42c84eec2472d04b95213914d89e23d291bf7
 SHA512:
-  metadata.gz: 2a34ac6a7ab8289521e2ccb977ed6c6b6e655a185deb053676aad2d78674b7367d04c75abd552dafd59b1ae46465cfa117ae97239b9fd2e3cc6947d020d80775
-  data.tar.gz: 991f5b553314cf11dedaab9964d5d4b4ee384877474ed6dc814fa0c4d4bdf383b8288df46bf987a437b82a33f859ac5314a1c4bd75b1df28d8a2438886f37c40
+  metadata.gz: 450572c0987f8d4174ff6c51fdd188d62bd5dfd288b381a593030ee9ef8575df74852b1600706f6dfb1c115fddb9a45e518f03b2dd0a118e653c0a13c0efc05a
+  data.tar.gz: 1fa6dac85f5fe5f014026d23357c08e9dba0101b68a07a96315275a1ce2aa28762ab82abffbf0ae985a9a277d942de23c521223d485b7acfe1fdceeae9c4179d

data/.github/ISSUE_TEMPLATE.md

@@ -1,5 +1,5 @@
 <!--
-  This template is for bug reports. If you are reporting a bug, please continue on. If you are here for another reason, 
+  This template is for bug reports. If you are reporting a bug, please continue on. If you are here for another reason,
   feel free to skip the rest of this template.
 -->
 
@@ -11,6 +11,9 @@
 
 **Action Policy Version:**
 
+**Reproduction Script:** Use [this template](https://github.com/palkan/action_policy/blob/master/.github/bug_report_template.rb) to
+create a standalone reproduction script. That would help us to fix the problem quicker. Thanks!
+
 ### What did you do?
 
 ### What did you expect to happen?

data/.github/bug_report_template.rb

@@ -0,0 +1,175 @@
+# frozen_string_literal: true
+
+require "bundler/inline"
+
+# This reproduction script allows you to test Action Policy with Rails.
+# It contains:
+#   - Headless User model
+#   - UserPolicy
+#   - UsersController
+#   - Example tests for the controller.
+#
+# Update the classes to reproduce the failing case.
+#
+# Run the script as follows:
+#
+#   $ ruby bug_report_template.rb
+gemfile(true) do
+  source "https://rubygems.org"
+
+  gem "rails", "~> 6.0"
+  gem "action_policy", "~> 0.4"
+
+  gem "pry-byebug", platform: :mri
+end
+
+require "rails"
+require "action_controller/railtie"
+require "action_policy"
+
+require "minitest/autorun"
+
+module Buggy
+  class Application < Rails::Application
+    config.logger = Logger.new("/dev/null")
+    config.eager_load = false
+
+    initializer "routes" do
+      Rails.application.routes.draw do
+        get ":controller(/:action)"
+      end
+    end
+  end
+end
+
+Rails.application.initialize!
+
+class User
+  include Comparable
+
+  attr_reader :name
+
+  def initialize(name)
+    @name = name
+  end
+
+  def admin?
+    name == "admin"
+  end
+
+  def <=>(other)
+    return super unless other.is_a?(User)
+    name <=> other.name
+  end
+end
+
+class UserPolicy < ActionPolicy::Base
+  def index?
+    true
+  end
+
+  def create?
+    user.admin?
+  end
+
+  def show?
+    true
+  end
+
+  def manage?
+    user.admin? && !record.admin?
+  end
+end
+
+class UsersController < ActionController::Base
+  authorize :user, through: :current_user
+
+  before_action :set_user, only: [:update, :show]
+
+  def index
+    authorize!
+    render plain: "OK"
+  end
+
+  def create
+    authorize!
+    render plain: "OK"
+  end
+
+  def update
+    render plain: "OK"
+  end
+
+  def show
+    if allowed_to?(:update?, @user)
+      render plain: "OK"
+    else
+      render plain: "Read-only"
+    end
+  end
+
+  def current_user
+    @current_user ||= User.new(params[:user])
+  end
+
+  private
+
+  def set_user
+    @user = User.new(params[:target])
+    authorize! @user
+  end
+end
+
+class TestBugReproduction < ActionController::TestCase
+  tests UsersController
+
+  def before_setup
+    @routes = Rails.application.routes
+    super
+  end
+
+  def teardown
+    ActionPolicy::PerThreadCache.clear_all
+  end
+
+  def test_index
+    get :index, params: {user: "guest"}
+    assert_equal "OK", response.body
+  end
+
+  def test_create_failed
+    e = assert_raises(ActionPolicy::Unauthorized) do
+      post :create, params: {user: "guest"}
+    end
+
+    assert_equal UserPolicy, e.policy
+    assert_equal :create?, e.rule
+    assert e.result.reasons.is_a?(::ActionPolicy::Policy::FailureReasons)
+  end
+
+  def test_create_succeed
+    post :create, params: {user: "admin"}
+    assert_equal "OK", response.body
+  end
+
+  def test_update_failed
+    assert_raises(ActionPolicy::Unauthorized) do
+      patch :update, params: {user: "admin", target: "admin"}
+    end
+  end
+
+  def test_update_succeed
+    patch :update, params: {user: "admin", target: "guest"}
+    assert_equal "OK", response.body
+  end
+
+  def test_show
+    get :show, params: {user: "admin", target: "guest"}
+    assert_equal "OK", response.body
+  end
+
+  def test_show_admin
+    get :show, params: {user: "admin", target: "admin"}
+    assert_equal "Read-only", response.body
+  end
+end

data/CHANGELOG.md

@@ -2,6 +2,23 @@
 
 ## master
 
+## 0.4.4 (2020-07-07)
+
+- Fix symbol lookup with namespaces. ([@palkan][])
+
+Fixes [#122](https://github.com/palkan/action_policy/issues/122).
+
+- Separated `#classify`-based and `#camelize`-based symbol lookups. ([Be-ngt-oH][])
+
+Only affects Rails apps. Now lookup for `:users` tries to find `UsersPolicy` first (camelize),
+and only then search for `UserPolicy` (classify).
+
+See [PR#118](https://github.com/palkan/action_policy/pull/118).
+
+- Fix calling rules with `allowed_to?` directly. ([@palkan][])
+
+  Fixes [#113](https://github.com/palkan/action_policy/issues/113)
+
 ## 0.4.3 (2019-12-14)
 
 - Add `#cache(*parts, **options) { ... }` method. ([@palkan][])
@@ -382,3 +399,4 @@
 [@korolvs]: https://github.com/korolvs
 [@nicolas-brousse]: https://github.com/nicolas-brousse
 [@somenugget]: https://github.com/somenugget
+[@Be-ngt-oH]: https://github.com/Be-ngt-oH

data/LICENSE.txt

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2018-2019 Vladimir Dementyev
+Copyright (c) 2018-2020 Vladimir Dementyev
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

data/README.md

@@ -2,7 +2,7 @@
 [![Build Status](https://travis-ci.org/palkan/action_policy.svg?branch=master)](https://travis-ci.org/palkan/action_policy)
 [![Documentation](https://img.shields.io/badge/docs-link-brightgreen.svg)](https://actionpolicy.evilmartians.io)
 
-# ActionPolicy
+# Action Policy
 
 Authorization framework for Ruby and Rails applications.
 
@@ -98,7 +98,7 @@ There is also an `allowed_to?` method which returns `true` or `false`, and could
 <% @posts.each do |post| %>
   <li><%= post.title %>
     <% if allowed_to?(:edit?, post) %>
-      = link_to post, "Edit"
+      <%= link_to post, "Edit">
     <% end %>
   </li>
 <% end %>
@@ -121,8 +121,3 @@ Bug reports and pull requests are welcome on GitHub at https://github.com/palkan
 The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
 
 [Documentation]: http://actionpolicy.evilmartians.io
-
-## Security Contact
-
-To report a security vulnerability, please use the [Tidelift security contact](https://tidelift.com/security). Tidelift will coordinate the fix and disclosure.
-

data/benchmarks/namespaced_lookup_cache.rb

@@ -39,6 +39,9 @@ if ENV["NO_CACHE"]
   ActionPolicy::LookupChain.namespace_cache_enabled = false
 end
 
+results_path = File.join(__dir__, "../tmp/#{__FILE__.sub(/\.rb$/, ".txt")}")
+FileUtils.mkdir_p File.dirname(results_path)
+
 Benchmark.ips do |x|
   x.warmup = 0
 
@@ -58,14 +61,14 @@ Benchmark.ips do |x|
     ActionPolicy.lookup(b, namespace: X::Y::Z)
   end
 
-  x.hold! "temp_results"
+  x.hold! results_path
 
   x.compare!
 end
 
 #
 # Comparison:
-#             cache B:   178577.4 i/s
-#             cache A:   173061.4 i/s - same-ish: difference falls within error
-#         no cache A:    97991.7 i/s - same-ish: difference falls within error
-#         no cache B:    42505.4 i/s - 4.20x  slower
+#             cache A:   204788.3 i/s
+#             cache B:   202536.9 i/s - same-ish: difference falls within error
+#          no cache A:   127772.8 i/s - same-ish: difference falls within error
+#          no cache B:    63487.2 i/s - 3.23x  slower

data/benchmarks/pre_checks.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+# This benchmark measures the difference between catch/throw and jump-less implementation.
+
+$LOAD_PATH.unshift File.expand_path("../lib", __dir__)
+
+require "action_policy"
+require "benchmark/ips"
+
+GC.disable
+
+class A; end
+
+class B; end
+
+class APolicy < ActionPolicy::Base
+  authorize :user, optional: true
+
+  pre_check :do_nothing, :deny_all
+
+  def show?
+    true
+  end
+
+  def do_nothing
+  end
+
+  def deny_all
+    deny!
+  end
+end
+
+class BPolicy < APolicy
+  def run_pre_checks(rule)
+    catch :policy_fulfilled do
+      self.class.pre_checks.each do |check|
+        next unless check.applicable?(rule)
+        check.call(self)
+      end
+
+      return yield if block_given?
+    end
+
+    result.value
+  end
+
+  def deny!
+    result.load false
+    throw :policy_fulfilled
+  end
+end
+
+a = A.new
+
+(APolicy.new(record: a).apply(:show?) == BPolicy.new(record: a).apply(:show?)) || raise("Implementations are not equal")
+
+Benchmark.ips do |x|
+  x.warmup = 0
+
+  x.report("loop pre-check") do
+    APolicy.new(record: a).apply(:show?)
+  end
+
+  x.report("catch/throw pre-check") do
+    BPolicy.new(record: a).apply(:show?)
+  end
+
+  x.compare!
+end
+
+# Comparison:
+# catch/throw pre-check:   286094.2 i/s
+#      loop pre-check:   184786.1 i/s - 1.55x  slower

data/docs/caching.md

@@ -162,7 +162,7 @@ Rails.application.configure do |config|
 end
 ```
 
-Cache store must provide at least a `#read(key)` and `write(key, value, **options)` methods.
+Cache store must provide at least a `#read(key)` and `#write(key, value, **options)` methods.
 
 **NOTE:** cache store also should take care of serialiation/deserialization since the `value` is `ExecutionResult` instance (which contains also some additional information, e.g. failure reasons). Rails cache store supports serialization/deserialization out-of-the-box.
 

data/docs/lookup_chain.md

@@ -2,7 +2,12 @@
 
 Action Policy tries to automatically infer policy class from the target using the following _probes_:
 
-1. If the target is a `Symbol`, then use `"#{target.to_s.classify}Policy"` as a `policy_name` (see below);
+1. If the target is a `Symbol`:
+
+    a) Try `"#{target.to_s.camelize}Policy"` as a `policy_name` (see below);
+
+    b) If `String#classify` is available, e.g. when using Rails' ActiveSupport, try `"#{target.to_s.classify}Policy"`;
+
 2. If the target responds to `policy_class`, then use it;
 3. If the target's class responds to `policy_class`, then use it;
 4. If the target or the target's class responds to `policy_name`, then use it (the `policy_name` should end with `Policy` as it's not appended automatically);

data/docs/namespaces.md

@@ -6,7 +6,7 @@ Consider an example:
 
 ```ruby
 module Admin
-  class UsersController < ApplictionController
+  class UsersController < ApplicationController
     def index
       # uses Admin::UserPolicy if any, otherwise fallbacks to UserPolicy
       authorize!
@@ -20,7 +20,7 @@ Module nesting is also supported:
 ```ruby
 module Admin
   module Client
-    class UsersController < ApplictionController
+    class UsersController < ApplicationController
       def index
         # lookup for Admin::Client::UserPolicy -> Admin::UserPolicy -> UserPolicy
         authorize!

data/docs/quick_start.md

@@ -98,7 +98,7 @@ There is also an `allowed_to?` method which returns `true` or `false` and could
 <% @posts.each do |post| %>
   <li><%= post.title %>
     <% if allowed_to?(:edit?, post) %>
-      = link_to "Edit", post
+      <%= link_to "Edit", post %>
     <% end %>
   </li>
 <% end %>

data/docs/testing.md

@@ -112,6 +112,8 @@ OR
 
 ### Testing scopes
 
+#### Active Record relation example
+
 There is no single rule on how to test scopes, 'cause it dependes on the _nature_ of the scope.
 
 Here's an example of RSpec tests for Active Record scoping rules:
@@ -156,6 +158,35 @@ describe PostPolicy do
 end
 ```
 
+#### Action Controller params example
+
+Here's an example of RSpec tests for Action Controller parameters scoping rules:
+
+```ruby
+describe PostPolicy do
+  describe "params scope" do
+    let(:user) { build_stubbed :user }
+    let(:context) { {user: user} }
+
+    let(:params) { {name: "a", password: "b"} }
+    let(:target) { ActionController::Parameters.new(params) }
+
+    # it's easier to asses the hash representation, not the AC::Params object
+    subject { policy.apply_scope(target, type: :action_controller_params).to_h }
+
+    context "as user" do
+      it { is_expected.to eq({name: "a"}) }
+    end
+
+    context "as manager" do
+      before { user.update!(role: :manager) }
+
+      it { is_expected.to eq({name: "a", password: "b"}) }
+    end
+  end
+end
+```
+
 ## Testing authorization
 
 To test the act of authorization you have to make sure that the `authorize!` method is called with the appropriate arguments.
@@ -331,3 +362,29 @@ expect { subject }.to have_authorized_scope(:scope)
     expect(target).to eq(User.all)
   }
 ```
+
+
+## Testing views
+
+When you test views that call policies methods as `allowed_to?`, your may have `Missing policy authorization context: user` error.
+You may need to stub `current_user` to resolve the issue.
+
+Consider an RSpec example:
+
+```ruby
+describe "users/index.html.slim" do
+  let(:user) { build_stubbed :user }
+  let(:users) { create_list(:user, 2) }
+
+  before do
+    allow(controller).to receive(:current_user).and_return(user)
+
+    assign :users, users
+    render
+  end
+
+  describe "displays user#index correctly" do
+    it { expect(rendered).to have_link(users.first.email, href: edit_user_path(users.first)) }
+  end
+end
+```

data/lib/action_policy/ext/{symbol_classify.rb → symbol_camelize.rb}

@@ -2,15 +2,15 @@
 
 module ActionPolicy
   module Ext
-    # Add `classify` to Symbol
-    module SymbolClassify
+    # Add `camelize` to Symbol
+    module SymbolCamelize
       refine Symbol do
-        if "".respond_to?(:classify)
-          def classify
-            to_s.classify
+        if "".respond_to?(:camelize)
+          def camelize
+            to_s.camelize
           end
         else
-          def classify
+          def camelize
             word = to_s.capitalize
             word.gsub!(/(?:_)([a-z\d]*)/) { $1.capitalize }
             word

data/lib/action_policy/lookup_chain.rb

@@ -12,8 +12,8 @@ module ActionPolicy
       using ActionPolicy::Ext::StringConstantize
     end
 
-    require "action_policy/ext/symbol_classify"
-    using ActionPolicy::Ext::SymbolClassify
+    require "action_policy/ext/symbol_camelize"
+    using ActionPolicy::Ext::SymbolCamelize
 
     require "action_policy/ext/module_namespace"
     using ActionPolicy::Ext::ModuleNamespace
@@ -54,6 +54,7 @@ module ActionPolicy
       private
 
       def lookup_within_namespace(policy_name, namespace)
+        return unless namespace
         NamespaceCache.fetch(namespace.name, policy_name) do
           mod = namespace
 
@@ -114,20 +115,25 @@ module ActionPolicy
     SYMBOL_LOOKUP = ->(record, namespace: nil, **) {
       next unless record.is_a?(Symbol)
 
-      policy_name = "#{record.classify}Policy"
-      if namespace.nil?
-        policy_name.safe_constantize
-      else
-        lookup_within_namespace(policy_name, namespace)
-      end
+      policy_name = "#{record.camelize}Policy"
+      lookup_within_namespace(policy_name, namespace) || policy_name.safe_constantize
+    }
+
+    # (Optional) Infer using String#classify if available
+    CLASSIFY_SYMBOL_LOOKUP = ->(record, namespace: nil, **) {
+      next unless record.is_a?(Symbol)
+
+      policy_name = "#{record.to_s.classify}Policy"
+      lookup_within_namespace(policy_name, namespace) || policy_name.safe_constantize
     }
 
     self.chain = [
       SYMBOL_LOOKUP,
+      (CLASSIFY_SYMBOL_LOOKUP if String.method_defined?(:classify)),
       INSTANCE_POLICY_CLASS,
       CLASS_POLICY_CLASS,
       NAMESPACE_LOOKUP,
       INFER_FROM_CLASS
-    ]
+    ].compact
   end
 end

data/lib/action_policy/policy/reasons.rb

@@ -189,7 +189,7 @@ module ActionPolicy
             policy.result
           end
 
-        result.reasons.add(policy, rule, res.details) if res.fail?
+        result&.reasons&.add(policy, rule, res.details) if res.fail?
 
         res.clear_details
 

data/lib/action_policy/rails/ext/active_record.rb

@@ -7,4 +7,11 @@ ActiveRecord::Relation.include(Module.new do
   def policy_cache_key
     object_id
   end
+
+  # Explicitly define the policy_class method to avoid
+  # making Relation immutable (by initializing `arel` in `#respond_to_missing?).
+  # See https://github.com/palkan/action_policy/issues/101
+  def policy_class
+    nil
+  end
 end)

data/lib/action_policy/rspec/dsl.rb

@@ -68,7 +68,7 @@ if defined?(::RSpec)
 
   ::RSpec.shared_examples_for "action_policy:policy_rule_example" do |success, the_caller|
     if success
-      specify do
+      specify "is allowed" do
         next if subject.success?
         raise(
           RSpec::Expectations::ExpectationNotMetError,
@@ -77,7 +77,7 @@ if defined?(::RSpec)
         )
       end
     else
-      specify do
+      specify "is denied" do
         next if subject.fail?
         raise(
           RSpec::Expectations::ExpectationNotMetError,

data/lib/action_policy/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ActionPolicy
-  VERSION = "0.4.3"
+  VERSION = "0.4.4"
 end

data/lib/generators/action_policy/install/templates/application_policy.rb

@@ -5,7 +5,7 @@ class ApplicationPolicy < ActionPolicy::Base
   #
   #   authorize :account, optional: true
   #
-  # Read more about authoriztion context: https://actionpolicy.evilmartians.io/#/authorization_context
+  # Read more about authorization context: https://actionpolicy.evilmartians.io/#/authorization_context
 
   private
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: action_policy
 version: !ruby/object:Gem::Version
-  version: 0.4.3
+  version: 0.4.4
 platform: ruby
 authors:
 - Vladimir Dementyev
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-12-14 00:00:00.000000000 Z
+date: 2020-07-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ammeter
@@ -158,9 +158,9 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitattributes"
-- ".github/FUNDING.yml"
 - ".github/ISSUE_TEMPLATE.md"
 - ".github/PULL_REQUEST_TEMPLATE.md"
+- ".github/bug_report_template.rb"
 - ".gitignore"
 - ".rubocop.yml"
 - ".tidelift.yml"
@@ -172,6 +172,7 @@ files:
 - Rakefile
 - action_policy.gemspec
 - benchmarks/namespaced_lookup_cache.rb
+- benchmarks/pre_checks.rb
 - bin/console
 - bin/setup
 - docs/.nojekyll
@@ -235,7 +236,7 @@ files:
 - lib/action_policy/ext/string_constantize.rb
 - lib/action_policy/ext/string_match.rb
 - lib/action_policy/ext/string_underscore.rb
-- lib/action_policy/ext/symbol_classify.rb
+- lib/action_policy/ext/symbol_camelize.rb
 - lib/action_policy/ext/yield_self_then.rb
 - lib/action_policy/i18n.rb
 - lib/action_policy/lookup_chain.rb

data/.github/FUNDING.yml

@@ -1 +0,0 @@
-tidelift: "rubygems/action_policy"