action_policy 0.6.7 → 0.6.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: df57cf926c648dc59ed1a1afc44b352eb998f5bf03a9405127105611e641ffdb
-  data.tar.gz: 51a8e81c6479bf06894da3a2f8fa83c98ed25da678e73bf2462f029a75c55ec4
+  metadata.gz: 1e78f24a8faa881e8cad62f6bb4fc58921668fb7d41ac933c7fb1934117acc7d
+  data.tar.gz: 39f55de2e98b9a1d67519df40452349a2007e8d7168039438d2c8469cc7779e7
 SHA512:
-  metadata.gz: 6c55e23ffeff3a1d9800512759105e509abb6b51dabee1a984c56f04daa04e661ef37e056e2fee64b86a17bff8fab8167b557d8f5fe6bd9118febf0b116f7b3a
-  data.tar.gz: 8c1459872bb8daa8bca216c1ee342b9c8c4b4b6fb5654301765ec4d2c7f8ff6612ab784269a89920c29f575ee9ecd79b2a470a415f92246db70c0b9d7a3631b1
+  metadata.gz: 66b0de36683bc63ce349b0fba097585b7fcb4d7d65145da53c26cd5d6f0c798ef76c447d75a987c1f16110d3d4bb379153407ef79b531613cc6cfa8e55171570
+  data.tar.gz: b7eadbbd0020e60addce888bf8287722c8bafd32a8b35ff2c66d8ea51eaa3b9c6f406e5214fdcddda4e7d4d527d12f08be3f86eac64d28db3b62b7976de28f17

data/CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## master
 
+## 0.6.8 (2024-01-17)
+
+- Do not preload Rails base classes, use load hooks everywhere. ([@palkan][])
+
 ## 0.6.7 (2023-09-13)
 
 - Fix loading Rails extensions during eager load. ([@palkan][])

data/LICENSE.txt

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2018-2023 Vladimir Dementyev
+Copyright (c) 2018-2024 Vladimir Dementyev
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

data/lib/.rbnext/2.7/action_policy/behaviours/policy_for.rb

@@ -57,7 +57,7 @@ module ActionPolicy
         )
       end
 
-      def policy_for_cache_key(record:, with: nil, namespace: nil, context: authorization_context, **)
+      def policy_for_cache_key(record:, with: nil, namespace: nil, context: authorization_context, **__kwrest__)
         record_key = record._policy_cache_key(use_object_id: true)
         context_key = context.values.map { |_1| _1._policy_cache_key(use_object_id: true) }.join(".")
 

data/lib/.rbnext/2.7/action_policy/rails/scope_matchers/action_controller_params.rb

@@ -12,8 +12,10 @@ module ActionPolicy
   end
 end
 
-# Register params scope matcher
-ActionPolicy::Base.scope_matcher :action_controller_params, ActionController::Parameters
-
 # Add alias to base policy
 ActionPolicy::Base.extend ActionPolicy::ScopeMatchers::ActionControllerParams
+
+ActiveSupport.on_load(:action_controller) do
+  # Register params scope matcher
+  ActionPolicy::Base.scope_matcher :action_controller_params, ActionController::Parameters
+end

data/lib/.rbnext/2.7/action_policy/rails/scope_matchers/active_record.rb

@@ -12,18 +12,20 @@ module ActionPolicy
   end
 end
 
-# Register relation scope matcher
-ActionPolicy::Base.scope_matcher :active_record_relation, ActiveRecord::Relation
-
 # Add alias to base policy
 ActionPolicy::Base.extend ActionPolicy::ScopeMatchers::ActiveRecord
 
-ActiveRecord::Relation.include(Module.new do
-  def policy_name
-    if model.respond_to?(:policy_name)
-      model.policy_name.to_s
-    else
-      "#{model}Policy"
+ActiveSupport.on_load(:active_record) do
+  # Register relation scope matcher
+  ActionPolicy::Base.scope_matcher :active_record_relation, ActiveRecord::Relation
+
+  ActiveRecord::Relation.include(Module.new do
+    def policy_name
+      if model.respond_to?(:policy_name)
+        model.policy_name.to_s
+      else
+        "#{model}Policy"
+      end
     end
-  end
-end)
+  end)
+end

data/lib/.rbnext/2.7/action_policy/rspec/be_authorized_to.rb

@@ -54,7 +54,7 @@ module ActionPolicy
         actual_calls.any? { |_1| _1.matches?(policy, rule, target, context) }
       end
 
-      def does_not_match?(*)
+      def does_not_match?(*__rest__)
         raise "This matcher doesn't support negation"
       end
 

data/lib/.rbnext/2.7/action_policy/rspec/have_authorized_scope.rb

@@ -71,7 +71,7 @@ module ActionPolicy
         true
       end
 
-      def does_not_match?(*)
+      def does_not_match?(*__rest__)
         raise "This matcher doesn't support negation"
       end
 

data/lib/.rbnext/3.0/action_policy/ext/policy_cache_key.rb

@@ -27,45 +27,45 @@ module ActionPolicy
       end
 
       refine NilClass do
-        def _policy_cache_key(*) ;  ""; end
+        def _policy_cache_key(*__rest__) ;  ""; end
       end
 
       refine TrueClass do
-        def _policy_cache_key(*) ;  "t"; end
+        def _policy_cache_key(*__rest__) ;  "t"; end
       end
 
       refine FalseClass do
-        def _policy_cache_key(*) ;  "f"; end
+        def _policy_cache_key(*__rest__) ;  "f"; end
       end
 
       refine String do
-        def _policy_cache_key(*) ;  self; end
+        def _policy_cache_key(*__rest__) ;  self; end
       end
 
       refine Symbol do
-        def _policy_cache_key(*) ;  to_s; end
+        def _policy_cache_key(*__rest__) ;  to_s; end
       end
 
       if RUBY_PLATFORM.match?(/java/i)
         refine Integer do
-          def _policy_cache_key(*) ;  to_s; end
+          def _policy_cache_key(*__rest__) ;  to_s; end
         end
 
         refine Float do
-          def _policy_cache_key(*) ;  to_s; end
+          def _policy_cache_key(*__rest__) ;  to_s; end
         end
       else
         refine Numeric do
-          def _policy_cache_key(*) ;  to_s; end
+          def _policy_cache_key(*__rest__) ;  to_s; end
         end
       end
 
       refine Time do
-        def _policy_cache_key(*) ;  to_s; end
+        def _policy_cache_key(*__rest__) ;  to_s; end
       end
 
       refine Module do
-        def _policy_cache_key(*) ;  name; end
+        def _policy_cache_key(*__rest__) ;  name; end
       end
     end
   end

data/lib/.rbnext/3.0/action_policy/policy/core.rb

@@ -75,7 +75,7 @@ module ActionPolicy
       attr_reader :record, :result
 
       # NEXT_RELEASE: deprecate `record` arg, migrate to `record: nil`
-      def initialize(record = nil, *)
+      def initialize(record = nil, *__rest__)
         @record = record
       end
 

data/lib/.rbnext/3.0/action_policy/rspec/be_authorized_to.rb

@@ -54,7 +54,7 @@ module ActionPolicy
         actual_calls.any? { _1.matches?(policy, rule, target, context) }
       end
 
-      def does_not_match?(*)
+      def does_not_match?(*__rest__)
         raise "This matcher doesn't support negation"
       end
 

data/lib/.rbnext/3.0/action_policy/rspec/have_authorized_scope.rb

@@ -71,7 +71,7 @@ module ActionPolicy
         true
       end
 
-      def does_not_match?(*)
+      def does_not_match?(*__rest__)
         raise "This matcher doesn't support negation"
       end
 

data/lib/.rbnext/3.0/action_policy/utils/suggest_message.rb

@@ -13,7 +13,7 @@ module ActionPolicy
         suggestion ? "\nDid you mean? #{suggestion}" : ""
       end
     else
-      def suggest(*) ;  ""; end
+      def suggest(*__rest__) ;  ""; end
     end
   end
 end

data/lib/.rbnext/3.1/action_policy/behaviours/policy_for.rb

@@ -57,7 +57,7 @@ module ActionPolicy
         )
       end
 
-      def policy_for_cache_key(record:, with: nil, namespace: nil, context: authorization_context, **)
+      def policy_for_cache_key(record:, with: nil, namespace: nil, context: authorization_context, **__kwrest__)
         record_key = record._policy_cache_key(use_object_id: true)
         context_key = context.values.map { _1._policy_cache_key(use_object_id: true) }.join(".")
 

data/lib/.rbnext/3.1/action_policy/ext/policy_cache_key.rb

@@ -27,45 +27,45 @@ module ActionPolicy
       end
 
       refine NilClass do
-        def _policy_cache_key(*) = ""
+        def _policy_cache_key(*__rest__) = ""
       end
 
       refine TrueClass do
-        def _policy_cache_key(*) = "t"
+        def _policy_cache_key(*__rest__) = "t"
       end
 
       refine FalseClass do
-        def _policy_cache_key(*) = "f"
+        def _policy_cache_key(*__rest__) = "f"
       end
 
       refine String do
-        def _policy_cache_key(*) = self
+        def _policy_cache_key(*__rest__) = self
       end
 
       refine Symbol do
-        def _policy_cache_key(*) = to_s
+        def _policy_cache_key(*__rest__) = to_s
       end
 
       if RUBY_PLATFORM.match?(/java/i)
         refine Integer do
-          def _policy_cache_key(*) = to_s
+          def _policy_cache_key(*__rest__) = to_s
         end
 
         refine Float do
-          def _policy_cache_key(*) = to_s
+          def _policy_cache_key(*__rest__) = to_s
         end
       else
         refine Numeric do
-          def _policy_cache_key(*) = to_s
+          def _policy_cache_key(*__rest__) = to_s
         end
       end
 
       refine Time do
-        def _policy_cache_key(*) = to_s
+        def _policy_cache_key(*__rest__) = to_s
       end
 
       refine Module do
-        def _policy_cache_key(*) = name
+        def _policy_cache_key(*__rest__) = name
       end
     end
   end

data/lib/.rbnext/3.2/action_policy/behaviours/policy_for.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+module ActionPolicy
+  module Behaviours
+    # Adds `policy_for` method
+    module PolicyFor
+      require "action_policy/ext/policy_cache_key"
+      using ActionPolicy::Ext::PolicyCacheKey
+
+      # Returns policy instance for the record.
+      def policy_for(record:, with: nil, namespace: authorization_namespace, context: nil, allow_nil: false, default: default_authorization_policy_class, strict_namespace: authorization_strict_namespace)
+        context = context ? authorization_context.merge(context) : authorization_context
+
+        policy_class = with || ::ActionPolicy.lookup(
+          record,
+          namespace:, context:, allow_nil:, default:, strict_namespace:
+        )
+        policy_class&.new(record, **context)
+      end
+
+      def authorization_context
+        Kernel.raise NotImplementedError, "Please, define `authorization_context` method!"
+      end
+
+      def authorization_namespace
+        # override to provide specific authorization namespace
+      end
+
+      def default_authorization_policy_class
+        # override to provide a policy class use when no policy found
+      end
+
+      def authorization_strict_namespace
+        # override to provide strict namespace lookup option
+      end
+
+      # Override this method to provide implicit authorization target
+      # that would be used in case `record` is not specified in
+      # `authorize!` and `allowed_to?` call.
+      #
+      # It is also used to infer a policy for scoping (in `authorized_scope` method).
+      def implicit_authorization_target
+        # no-op
+      end
+
+      # Return implicit authorization target or raises an exception if it's nil
+      def implicit_authorization_target!
+        implicit_authorization_target || Kernel.raise(
+          NotFound,
+          [
+            self,
+            "Couldn't find implicit authorization target " \
+            "for #{self.class}. " \
+            "Please, provide policy class explicitly using `with` option or " \
+            "define the `implicit_authorization_target` method."
+          ]
+        )
+      end
+
+      def policy_for_cache_key(record:, with: nil, namespace: nil, context: authorization_context, **__kwrest__)
+        record_key = record._policy_cache_key(use_object_id: true)
+        context_key = context.values.map { _1._policy_cache_key(use_object_id: true) }.join(".")
+
+        "#{namespace}/#{with}/#{context_key}/#{record_key}"
+      end
+    end
+  end
+end

data/lib/.rbnext/3.2/action_policy/ext/policy_cache_key.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+module ActionPolicy
+  module Ext
+    # Adds #_policy_cache_key method to Object,
+    # which just call #policy_cache_key or #cache_key
+    # or #object_id (if `use_object_id` parameter is set to true).
+    #
+    # For other core classes returns string representation.
+    #
+    # Raises ArgumentError otherwise.
+    module PolicyCacheKey # :nodoc: all
+      module ObjectExt
+        def _policy_cache_key(use_object_id: false)
+          return policy_cache_key if respond_to?(:policy_cache_key)
+          return cache_key_with_version if respond_to?(:cache_key_with_version)
+          return cache_key if respond_to?(:cache_key)
+
+          return object_id.to_s if use_object_id == true
+
+          raise ArgumentError, "object is not cacheable"
+        end
+      end
+
+      refine Object do
+        import_methods ObjectExt
+      end
+
+      refine NilClass do
+        def _policy_cache_key(*__rest__) = ""
+      end
+
+      refine TrueClass do
+        def _policy_cache_key(*__rest__) = "t"
+      end
+
+      refine FalseClass do
+        def _policy_cache_key(*__rest__) = "f"
+      end
+
+      refine String do
+        def _policy_cache_key(*__rest__) = self
+      end
+
+      refine Symbol do
+        def _policy_cache_key(*__rest__) = to_s
+      end
+
+      if RUBY_PLATFORM.match?(/java/i)
+        refine Integer do
+          def _policy_cache_key(*__rest__) = to_s
+        end
+
+        refine Float do
+          def _policy_cache_key(*__rest__) = to_s
+        end
+      else
+        refine Numeric do
+          def _policy_cache_key(*__rest__) = to_s
+        end
+      end
+
+      refine Time do
+        def _policy_cache_key(*__rest__) = to_s
+      end
+
+      refine Module do
+        def _policy_cache_key(*__rest__) = name
+      end
+    end
+  end
+end

data/lib/.rbnext/3.2/action_policy/lookup_chain.rb

@@ -0,0 +1,145 @@
+# frozen_string_literal: true
+
+module ActionPolicy
+  # LookupChain contains _resolvers_ to determine a policy
+  # for a record (with additional options).
+  #
+  # You can modify the `LookupChain.chain` (for example, to add
+  # custom resolvers).
+  module LookupChain
+    unless "".respond_to?(:safe_constantize)
+      require "action_policy/ext/string_constantize"
+      using ActionPolicy::Ext::StringConstantize
+    end
+
+    require "action_policy/ext/symbol_camelize"
+    using ActionPolicy::Ext::SymbolCamelize
+
+    require "action_policy/ext/module_namespace"
+    using ActionPolicy::Ext::ModuleNamespace
+
+    # Cache namespace resolving result for policies.
+    # @see benchmarks/namespaced_lookup_cache.rb
+    class NamespaceCache
+      class << self
+        attr_reader :store
+
+        def put_if_absent(scope, namespace, policy)
+          local_store = store[scope][namespace]
+          return local_store[policy] if local_store[policy]
+          local_store[policy] ||= yield
+        end
+
+        def fetch(namespace, policy, strict:, &block)
+          return yield unless LookupChain.namespace_cache_enabled?
+
+          if strict
+            put_if_absent(:strict, namespace, policy, &block)
+          else
+            put_if_absent(:flexible, namespace, policy, &block)
+          end
+        end
+
+        def clear
+          hash = Hash.new { |h, k| h[k] = {} }
+          @store = {strict: hash, flexible: hash.clone}
+        end
+      end
+
+      clear
+    end
+
+    class << self
+      attr_accessor :chain, :namespace_cache_enabled
+
+      alias_method :namespace_cache_enabled?, :namespace_cache_enabled
+
+      def call(record, **opts)
+        chain.each do |probe|
+          val = probe.call(record, **opts)
+          return val unless val.nil?
+        end
+        nil
+      end
+
+      private
+
+      def lookup_within_namespace(policy_name, namespace, strict: false)
+        NamespaceCache.fetch(namespace&.name || "Kernel", policy_name, strict: strict) do
+          mod = namespace
+          policy_class = nil
+
+          loop do
+            policy_class = [mod&.name, policy_name].compact.join("::").safe_constantize
+            break policy_class if policy_class || mod.nil?
+
+            mod = mod.namespace
+          end
+
+          next policy_class if !strict || namespace.nil? || policy_class.nil?
+
+          # If we're in the strict mode and the namespace boundary is provided,
+          # we must check that the found policy satisfies it
+          policy_class if policy_class.name.start_with?("#{namespace.name}::")
+        end
+      end
+
+      def policy_class_name_for(record)
+        return record.policy_name.to_s if record.respond_to?(:policy_name)
+
+        record_class = record.is_a?(Module) ? record : record.class
+
+        if record_class.respond_to?(:policy_name)
+          record_class.policy_name.to_s
+        else
+          "#{record_class}Policy"
+        end
+      end
+    end
+
+    # Enable namespace cache by default or
+    # if RACK_ENV provided and equal to "production"
+    self.namespace_cache_enabled =
+      (!ENV["RACK_ENV"].nil?) ? ENV["RACK_ENV"] == "production" : true
+
+    # By self `policy_class` method
+    INSTANCE_POLICY_CLASS = ->(record, **__kwrest__) {
+      record.policy_class if record.respond_to?(:policy_class)
+    }
+
+    # By record's class `policy_class` method
+    CLASS_POLICY_CLASS = ->(record, **__kwrest__) {
+      record.class.policy_class if record.class.respond_to?(:policy_class)
+    }
+
+    # Infer from class name
+    INFER_FROM_CLASS = ->(record, namespace: nil, strict_namespace: false, **__kwrest__) {
+      policy_name = policy_class_name_for(record)
+      lookup_within_namespace(policy_name, namespace, strict: strict_namespace)
+    }
+
+    # Infer from passed symbol
+    SYMBOL_LOOKUP = ->(record, namespace: nil, strict_namespace: false, **__kwrest__) {
+      next unless record.is_a?(Symbol)
+
+      policy_name = "#{record.camelize}Policy"
+      lookup_within_namespace(policy_name, namespace, strict: strict_namespace)
+    }
+
+    # (Optional) Infer using String#classify if available
+    CLASSIFY_SYMBOL_LOOKUP = ->(record, namespace: nil, strict_namespace: false, **__kwrest__) {
+      next unless record.is_a?(Symbol)
+
+      policy_name = "#{record.to_s.classify}Policy"
+      lookup_within_namespace(policy_name, namespace, strict: strict_namespace)
+    }
+
+    self.chain = [
+      SYMBOL_LOOKUP,
+      (CLASSIFY_SYMBOL_LOOKUP if String.method_defined?(:classify)),
+      INSTANCE_POLICY_CLASS,
+      CLASS_POLICY_CLASS,
+      INFER_FROM_CLASS
+    ].compact
+  end
+end

data/lib/.rbnext/3.2/action_policy/policy/core.rb

@@ -0,0 +1,168 @@
+# frozen_string_literal: true
+
+require "action_policy/behaviours/policy_for"
+require "action_policy/policy/execution_result"
+require "action_policy/utils/suggest_message"
+require "action_policy/utils/pretty_print"
+
+unless "".respond_to?(:underscore)
+  require "action_policy/ext/string_underscore"
+  using ActionPolicy::Ext::StringUnderscore
+end
+
+module ActionPolicy
+  using RubyNext
+
+  # Raised when `resolve_rule` failed to find an approriate
+  # policy rule method for the activity
+  class UnknownRule < Error
+    include ActionPolicy::SuggestMessage
+
+    attr_reader :policy, :rule, :message
+
+    def initialize(policy, rule)
+      @policy = policy.class
+      @rule = rule
+      @message = "Couldn't find rule '#{@rule}' for #{@policy}" \
+        "#{suggest(@rule, @policy.instance_methods - Object.instance_methods)}"
+    end
+  end
+
+  class NonPredicateRule < UnknownRule
+    def initialize(policy, rule)
+      @policy = policy.class
+      @rule = rule
+      @message = "The rule '#{@rule}' of '#{@policy}' must ends with ? (question mark)\nDid you mean? #{@rule}?"
+    end
+  end
+
+  module Policy
+    # Core policy API
+    module Core
+      class << self
+        def included(base)
+          base.extend ClassMethods
+
+          # Generate a new class for each _policy chain_
+          # in order to extend it independently
+          base.module_eval do
+            @result_class = Class.new(ExecutionResult)
+
+            # we need to make this class _named_,
+            # 'cause anonymous classes couldn't be marshalled
+            base.const_set(:APR, @result_class)
+          end
+        end
+      end
+
+      module ClassMethods # :nodoc:
+        attr_writer :identifier
+
+        def result_class
+          return @result_class if instance_variable_defined?(:@result_class)
+          @result_class = superclass.result_class
+        end
+
+        def identifier
+          return @identifier if instance_variable_defined?(:@identifier)
+
+          @identifier = name.sub(/Policy$/, "").underscore.to_sym
+        end
+      end
+
+      include ActionPolicy::Behaviours::PolicyFor
+
+      attr_reader :record, :result
+
+      # NEXT_RELEASE: deprecate `record` arg, migrate to `record: nil`
+      def initialize(record = nil, *__rest__)
+        @record = record
+      end
+
+      # Returns a result of applying the specified rule (true of false).
+      # Unlike simply calling a predicate rule (`policy.manage?`),
+      # `apply` also calls pre-checks.
+      def apply(rule)
+        @result = self.class.result_class.new(self.class, rule)
+
+        catch :policy_fulfilled do
+          result.load __apply__(resolve_rule(rule))
+        end
+
+        result.value
+      end
+
+      def deny!
+        result&.load false
+        throw :policy_fulfilled
+      end
+
+      def allow!
+        result&.load true
+        throw :policy_fulfilled
+      end
+
+      # This method performs the rule call.
+      # Override or extend it to provide custom functionality
+      # (such as caching, pre checks, etc.)
+      def __apply__(rule) = public_send(rule)
+
+      # Wrap code that could modify result
+      # to prevent the current result modification
+      def with_clean_result # :nodoc:
+        was_result = @result
+        yield
+        @result
+      ensure
+        @result = was_result
+      end
+
+      # Returns a result of applying the specified rule to the specified record.
+      # Under the hood a policy class for record is resolved
+      # (unless it's explicitly set through `with` option).
+      #
+      # If record is `nil` then we uses the current policy.
+      def allowed_to?(rule, record = :__undef__, **options)
+        if (record == :__undef__ || record == self.record) && options.empty?
+          __apply__(resolve_rule(rule))
+        else
+          policy_for(record: record, **options).then do |policy|
+            policy.apply(policy.resolve_rule(rule))
+          end
+        end
+      end
+
+      # An alias for readability purposes
+      def check?(*args, **hargs) = allowed_to?(*args, **hargs)
+
+      # Returns a rule name (policy method name) for activity.
+      #
+      # By default, rule name is equal to activity name.
+      #
+      # Raises ActionPolicy::UnknownRule when rule is not found in policy.
+      def resolve_rule(activity)
+        raise UnknownRule.new(self, activity) unless
+          respond_to?(activity)
+        activity
+      end
+
+      # Return annotated source code for the rule
+      # NOTE: require "method_source" and "unparser" gems to be installed.
+      # Otherwise returns empty string.
+      def inspect_rule(rule) = PrettyPrint.print_method(self, rule)
+
+      # Helper for printing the annotated rule source.
+      # Useful for debugging: type `pp :show?` within the context of the policy
+      # to preview the rule.
+      def pp(rule)
+        with_clean_result do
+          # We need result to exist for `allowed_to?` to work correctly
+          @result = self.class.result_class.new(self.class, rule)
+          header = "#{self.class.name}##{rule}"
+          source = inspect_rule(rule)
+          $stdout.puts "#{header}\n#{source}"
+        end
+      end
+    end
+  end
+end

data/lib/.rbnext/3.2/action_policy/rspec/be_authorized_to.rb

@@ -0,0 +1,96 @@
+# frozen_string_literal: true
+
+require "action_policy/testing"
+
+module ActionPolicy
+  module RSpec
+    # Authorization matcher `be_authorized_to`.
+    #
+    # Verifies that a block of code has been authorized using specific policy.
+    #
+    # Example:
+    #
+    #   # in controller/request specs
+    #   subject { patch :update, id: product.id }
+    #
+    #   it "is authorized" do
+    #     expect { subject }
+    #       .to be_authorized_to(:manage?, product)
+    #       .with(ProductPolicy)
+    #   end
+    #
+    class BeAuthorizedTo < ::RSpec::Matchers::BuiltIn::BaseMatcher
+      attr_reader :rule, :target, :policy, :actual_calls, :context
+
+      def initialize(rule, target)
+        @rule = rule
+        @target = target
+      end
+
+      def with(policy)
+        @policy = policy
+        self
+      end
+
+      def with_context(context)
+        @context = context
+        self
+      end
+
+      def match(_expected, actual)
+        raise "This matcher only supports block expectations" unless actual.is_a?(Proc)
+
+        @policy ||= ::ActionPolicy.lookup(target)
+        @context ||= nil
+
+        begin
+          ActionPolicy::Testing::AuthorizeTracker.tracking { actual.call }
+        rescue ActionPolicy::Unauthorized
+          # we don't want to care about authorization result
+        end
+
+        @actual_calls = ActionPolicy::Testing::AuthorizeTracker.calls
+
+        actual_calls.any? { _1.matches?(policy, rule, target, context) }
+      end
+
+      def does_not_match?(*__rest__)
+        raise "This matcher doesn't support negation"
+      end
+
+      def supports_block_expectations?() = true
+
+      def failure_message
+        "expected #{formatted_record} " \
+        "to be authorized with #{policy}##{rule}, " \
+        "#{context ? "and context #{context.inspect}, " : ""}" \
+        "but #{actual_calls_message}"
+      end
+
+      def actual_calls_message
+        if actual_calls.empty?
+          "no authorization calls have been made"
+        else
+          "the following calls were encountered:\n" \
+          "#{formatted_calls}"
+        end
+      end
+
+      def formatted_calls
+        actual_calls.map do
+          " - #{_1.inspect}"
+        end.join("\n")
+      end
+
+      def formatted_record(record = target) = ::RSpec::Support::ObjectFormatter.format(record)
+    end
+  end
+end
+
+RSpec.configure do |config|
+  config.include(Module.new do
+    def be_authorized_to(rule, target)
+      ActionPolicy::RSpec::BeAuthorizedTo.new(rule, target)
+    end
+  end)
+end

data/lib/.rbnext/3.2/action_policy/rspec/have_authorized_scope.rb

@@ -0,0 +1,124 @@
+# frozen_string_literal: true
+
+require "action_policy/testing"
+
+module ActionPolicy
+  module RSpec
+    # Implements `have_authorized_scope` matcher.
+    #
+    # Verifies that a block of code applies authorization scoping using specific policy.
+    #
+    # Example:
+    #
+    #   # in controller/request specs
+    #   subject { get :index }
+    #
+    #   it "has authorized scope" do
+    #     expect { subject }
+    #       .to have_authorized_scope(:active_record_relation)
+    #       .with(ProductPolicy)
+    #   end
+    #
+    class HaveAuthorizedScope < ::RSpec::Matchers::BuiltIn::BaseMatcher
+      attr_reader :type, :name, :policy, :scope_options, :actual_scopes,
+        :target_expectations
+
+      def initialize(type)
+        @type = type
+        @name = :default
+        @scope_options = nil
+      end
+
+      def with(policy)
+        @policy = policy
+        self
+      end
+
+      def as(name)
+        @name = name
+        self
+      end
+
+      def with_scope_options(scope_options)
+        @scope_options = scope_options
+        self
+      end
+
+      def with_target(&block)
+        @target_expectations = block
+        self
+      end
+
+      def match(_expected, actual)
+        raise "This matcher only supports block expectations" unless actual.is_a?(Proc)
+
+        ActionPolicy::Testing::AuthorizeTracker.tracking { actual.call }
+
+        @actual_scopes = ActionPolicy::Testing::AuthorizeTracker.scopings
+
+        matching_scopes = actual_scopes.select { _1.matches?(policy, type, name, scope_options) }
+
+        return false if matching_scopes.empty?
+
+        return true unless target_expectations
+
+        if matching_scopes.size > 1
+          raise "Too many matching scopings (#{matching_scopes.size}), " \
+                "you can run `.with_target` only when there is the only one match"
+        end
+
+        target_expectations.call(matching_scopes.first.target)
+        true
+      end
+
+      def does_not_match?(*__rest__)
+        raise "This matcher doesn't support negation"
+      end
+
+      def supports_block_expectations?() = true
+
+      def failure_message
+        "expected a scoping named :#{name} for type :#{type} " \
+        "#{scope_options_message} " \
+        "from #{policy} to have been applied, " \
+        "but #{actual_scopes_message}"
+      end
+
+      def scope_options_message
+        if scope_options
+          if defined?(::RSpec::Matchers::Composable) &&
+              scope_options.is_a?(::RSpec::Matchers::Composable)
+            "with scope options #{scope_options.description}"
+          else
+            "with scope options #{scope_options}"
+          end
+        else
+          "without scope options"
+        end
+      end
+
+      def actual_scopes_message
+        if actual_scopes.empty?
+          "no scopings have been made"
+        else
+          "the following scopings were encountered:\n" \
+          "#{formatted_scopings}"
+        end
+      end
+
+      def formatted_scopings
+        actual_scopes.map do
+          " - #{_1.inspect}"
+        end.join("\n")
+      end
+    end
+  end
+end
+
+RSpec.configure do |config|
+  config.include(Module.new do
+    def have_authorized_scope(type)
+      ActionPolicy::RSpec::HaveAuthorizedScope.new(type)
+    end
+  end)
+end

data/lib/.rbnext/3.2/action_policy/utils/suggest_message.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module ActionPolicy
+  # Adds `suggest` method which uses did_you_mean
+  # to generate a suggestion message
+  module SuggestMessage
+    if defined?(::DidYouMean::SpellChecker)
+      def suggest(needle, heystack)
+        suggestion = ::DidYouMean::SpellChecker.new(
+          dictionary: heystack
+        ).correct(needle).first
+
+        suggestion ? "\nDid you mean? #{suggestion}" : ""
+      end
+    else
+      def suggest(*__rest__) = ""
+    end
+  end
+end

data/lib/action_policy/rails/scope_matchers/action_controller_params.rb

@@ -12,8 +12,10 @@ module ActionPolicy
   end
 end
 
-# Register params scope matcher
-ActionPolicy::Base.scope_matcher :action_controller_params, ActionController::Parameters
-
 # Add alias to base policy
 ActionPolicy::Base.extend ActionPolicy::ScopeMatchers::ActionControllerParams
+
+ActiveSupport.on_load(:action_controller) do
+  # Register params scope matcher
+  ActionPolicy::Base.scope_matcher :action_controller_params, ActionController::Parameters
+end

data/lib/action_policy/rails/scope_matchers/active_record.rb

@@ -12,18 +12,20 @@ module ActionPolicy
   end
 end
 
-# Register relation scope matcher
-ActionPolicy::Base.scope_matcher :active_record_relation, ActiveRecord::Relation
-
 # Add alias to base policy
 ActionPolicy::Base.extend ActionPolicy::ScopeMatchers::ActiveRecord
 
-ActiveRecord::Relation.include(Module.new do
-  def policy_name
-    if model.respond_to?(:policy_name)
-      model.policy_name.to_s
-    else
-      "#{model}Policy"
+ActiveSupport.on_load(:active_record) do
+  # Register relation scope matcher
+  ActionPolicy::Base.scope_matcher :active_record_relation, ActiveRecord::Relation
+
+  ActiveRecord::Relation.include(Module.new do
+    def policy_name
+      if model.respond_to?(:policy_name)
+        model.policy_name.to_s
+      else
+        "#{model}Policy"
+      end
     end
-  end
-end)
+  end)
+end

data/lib/action_policy/railtie.rb

@@ -74,8 +74,6 @@ module ActionPolicy # :nodoc:
         app.config.action_policy.namespace_cache_enabled
 
       ActiveSupport.on_load(:action_controller) do
-        require "action_policy/rails/scope_matchers/action_controller_params"
-
         next unless app.config.action_policy.auto_inject_into_controller
 
         ActionController::Base.include ActionPolicy::Controller
@@ -95,21 +93,12 @@ module ActionPolicy # :nodoc:
         ActionCable::Channel::Base.authorize :user, through: :current_user
       end
 
+      # Scope matchers
+      require "action_policy/rails/scope_matchers/action_controller_params"
+      require "action_policy/rails/scope_matchers/active_record"
+
       ActiveSupport.on_load(:active_record) do
         require "action_policy/rails/ext/active_record"
-        require "action_policy/rails/scope_matchers/active_record"
-      end
-
-      # Trigger load hooks of the components that extend ActionPolicy itself
-      # (e.g., scope matchers)
-      begin
-        ::ActionController::Base
-      rescue NameError
-      end
-
-      begin
-        ::ActiveRecord::Base
-      rescue NameError
       end
     end
   end

data/lib/action_policy/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ActionPolicy
-  VERSION = "0.6.7"
+  VERSION = "0.6.8"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: action_policy
 version: !ruby/object:Gem::Version
-  version: 0.6.7
+  version: 0.6.8
 platform: ruby
 authors:
 - Vladimir Dementyev
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-09-14 00:00:00.000000000 Z
+date: 2024-01-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ruby-next-core
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.14.0
+        version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.14.0
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: ammeter
   requirement: !ruby/object:Gem::Requirement
@@ -162,6 +162,13 @@ files:
 - lib/.rbnext/3.1/action_policy/ext/module_namespace.rb
 - lib/.rbnext/3.1/action_policy/ext/policy_cache_key.rb
 - lib/.rbnext/3.1/action_policy/policy/authorization.rb
+- lib/.rbnext/3.2/action_policy/behaviours/policy_for.rb
+- lib/.rbnext/3.2/action_policy/ext/policy_cache_key.rb
+- lib/.rbnext/3.2/action_policy/lookup_chain.rb
+- lib/.rbnext/3.2/action_policy/policy/core.rb
+- lib/.rbnext/3.2/action_policy/rspec/be_authorized_to.rb
+- lib/.rbnext/3.2/action_policy/rspec/have_authorized_scope.rb
+- lib/.rbnext/3.2/action_policy/utils/suggest_message.rb
 - lib/action_policy.rb
 - lib/action_policy/authorizer.rb
 - lib/action_policy/base.rb
@@ -242,7 +249,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.8
+rubygems_version: 3.4.20
 signing_key:
 specification_version: 4
 summary: Authorization framework for Ruby/Rails application