active_record_api-rest 0.1.9 → 1.0.1

data/Gemfile.lock

@@ -1,10 +1,9 @@
 PATH
   remote: .
   specs:
-    active_record_api-rest (0.1.8)
+    active_record_api-rest (1.0.0)
       active_attr
       active_model_serializers
-      cancancan
       rails (>= 5.1)
 
 GEM
@@ -64,7 +63,6 @@ GEM
     arel (9.0.0)
     builder (3.2.3)
     byebug (10.0.2)
-    cancancan (2.3.0)
     case_transform (0.2)
       activesupport
     coderay (1.1.2)
@@ -212,4 +210,4 @@ DEPENDENCIES
   webmock
 
 BUNDLED WITH
-   1.16.2
+   1.17.2

data/active_record_api-rest.gemspec

@@ -37,6 +37,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'rspec-rails'
   spec.add_dependency 'active_attr'
   spec.add_dependency 'active_model_serializers'
-  spec.add_dependency 'cancancan'
   spec.add_dependency 'rails', '>= 5.1'
 end

data/lib/active_record_api-rest.rb

@@ -5,9 +5,12 @@ require 'active_support'
 module ActiveRecordApi
   module Rest
     extend ActiveSupport::Autoload
+    autoload :AccessDeniedException
+    autoload :ApplicationPolicy
+    autoload :BadSessionException
     autoload :Controller
-    autoload :RequestUrlGenerator
     autoload :GracefulErrors
+    autoload :RequestUrlGenerator
     autoload :VERSION
   end
 end

data/lib/active_record_api/rest/access_denied_exception.rb

@@ -0,0 +1,12 @@
+# module ActiveRecordApi
+#   module Rest
+#     class AccessDeniedException < Exception
+#       attr_reader :action
+#       attr_reader :controller
+#       def initialize(controller, action)
+#         @action = action
+#         @controller = controller
+#       end
+#     end
+#   end
+# end

data/lib/active_record_api/rest/application_policy.rb

@@ -0,0 +1,33 @@
+module ActiveRecordApi
+  module Rest
+    class ApplicationPolicy
+      attr_reader :user
+      attr_reader :entity
+
+      def initialize(user, entity)
+        @user = user
+        @entity = entity
+      end
+
+      def index?
+        true
+      end
+
+      def show?
+        true
+      end
+
+      def create?
+        true
+      end
+
+      def update?
+        true
+      end
+
+      def destroy?
+        true
+      end
+    end
+  end
+end

data/lib/active_record_api/rest/bad_session_exception.rb

@@ -0,0 +1,6 @@
+module ActiveRecordApi
+  module Rest
+    class BadSessionException < Exception
+    end
+  end
+end

data/lib/active_record_api/rest/controller.rb

@@ -3,8 +3,12 @@ require_relative 'index_controller'
 module ActiveRecordApi
   module Rest
     class Controller < IndexController
+      attr_reader :model
+
       before_action :initialize_model, only: :create
+      before_action :load_model, only: %i[show update destroy]
       before_action :only_valid_params, only: %i[create update]
+      before_action :authorize
 
       def show
         return unless stale?(last_modified: model.updated_at)
@@ -55,9 +59,20 @@ module ActiveRecordApi
         @not_allowed_params ||= ((params.keys.map(&:to_sym) - [:controller, :action, :id, controller_name.singularize.to_sym]) - resource_params.keys.map(&:to_sym))
       end
 
+      def load_model
+        @model ||= model_klass.find(params[:id])
+      end
+
       def initialize_model
         instance_variable_set("@#{controller_name.singularize}", model_klass.new(filtered_params))
       end
+
+      def authorize
+        user = current_user
+        raise BadSessionException if user.nil?
+        policy = ("#{controller_name.classify}Policy".safe_constantize) ? "#{controller_name.classify}Policy".constantize.new(user, model) : ApplicationPolicy.new(user, model)
+        raise AccessDeniedException.new(controller_name, action_name) unless policy.send("#{action_name}?")
+      end
     end
   end
 end

data/lib/active_record_api/rest/graceful_errors.rb

@@ -8,9 +8,9 @@ module ActiveRecordApi
           render status: :not_found, json: { base: exception.message }
         end
 
-        rescue_from CanCan::AccessDenied do |exception|
-          render status: :forbidden, json: { base: "Access denied on #{exception.action} #{exception.subject.inspect}" }
-        end
+        # rescue_from AccessDeniedException do |exception|
+        #   render status: :forbidden, json: { base: "Access denied on #{exception.action} #{exception.controller}" }
+        # end
       end
     end
   end

data/lib/active_record_api/rest/index_controller.rb

@@ -1,13 +1,8 @@
-require 'cancancan'
-
 module ActiveRecordApi
   module Rest
     class IndexController < ApplicationController
-      include CanCan::ControllerAdditions
-
+      attr_reader :models
       include GracefulErrors
-
-      load_and_authorize_resource
       before_action :load_models, only: :index
 
       def index
@@ -40,35 +35,19 @@ module ActiveRecordApi
         @filtered_params ||= params.permit(allowed_params).to_h
       end
 
-      def model
-        instance_variable_get("@#{controller_name.singularize}")
-      end
-
       def load_models
-        filter_models
+        @models = model_klass.where(filtered_params)
         @total = models.count
         page_models
       end
 
-      def filter_models
-        models models.where(filtered_params)
-      end
-
       def page_models
         id_field = model_klass.arel_table[:id]
-        updated_models = models.order(:id)
+        updated_models = @models.order(:id)
         updated_models = updated_models.where(id_field.gt previous_id) if previous_id.present?
-        models updated_models
+        @models = updated_models
         @remaining_count = models.count
-        models models.limit(limit)
-      end
-
-      def models(updated_models = nil)
-        if updated_models.nil?
-          instance_variable_get("@#{controller_name}")
-        else
-          instance_variable_set("@#{controller_name}", updated_models)
-        end
+        @models = @models.limit(limit)
       end
 
       def model_klass

data/lib/active_record_api/rest/spec/rest_controller_shared_example.rb

@@ -59,14 +59,14 @@ shared_examples 'get::show' do
         it { expect(JSON.parse(response.body)['base']).to include "Couldn't find #{base_model_klass} with 'id'=-1" }
       end
     end
-    context 'when not authorized' do
-      before(:each) do
-        unauthorize_read
-        get :show, params: { id: model.to_param }
-      end
-      it { expect(response.status).to eq 403 }
-      it { expect(JSON.parse(response.body)['base']).to include 'Access denied on show' }
-    end
+    # context 'when not authorized' do
+    #   before(:each) do
+    #     unauthorize_read
+    #     get :show, params: { id: model.to_param }
+    #   end
+    #   it { expect(response.status).to eq 403 }
+    #   it { expect(JSON.parse(response.body)['base']).to include 'Access denied on show' }
+    # end
   end
 end
 
@@ -99,26 +99,26 @@ shared_examples 'get::index' do
         it { expect(response.body).to be_json_eql model_klass.where('id > ?', previous_id).limit(1).map { |o| serializer.new(o) }.to_json }
       end
 
-      context 'when only access some of the data' do
-        before(:each) do
-          index_non_accessible_data
-          get :index
-        end
-        it { expect(response.status).to eq 200 }
-        it { expect(response.headers['x-total']).to eq 1 }
-        it { expect(response.body).to be_json_eql [serializer.new(model)].to_json }
-      end
-    end
-    context 'when not authorized' do
-      before(:each) do
-        unauthorize_read
-      end
-      before(:each) do
-        get :index
-      end
-      it { expect(response.status).to eq 403 }
-      it { expect(JSON.parse(response.body)['base']).to include 'Access denied on index' }
+      # context 'when only access some of the data' do
+      #   before(:each) do
+      #     index_non_accessible_data
+      #     get :index
+      #   end
+      #   it { expect(response.status).to eq 200 }
+      #   it { expect(response.headers['x-total']).to eq 1 }
+      #   it { expect(response.body).to be_json_eql [serializer.new(model)].to_json }
+      # end
     end
+    # context 'when not authorized' do
+    #   before(:each) do
+    #     unauthorize_read
+    #   end
+    #   before(:each) do
+    #     get :index
+    #   end
+    #   it { expect(response.status).to eq 403 }
+    #   it { expect(JSON.parse(response.body)['base']).to include 'Access denied on index' }
+    # end
   end
 end
 
@@ -154,14 +154,14 @@ shared_examples 'put::update' do
         it { expect(response.body).to be_json_eql({ base: 'Extra parameters are not allow: foobars' }.to_json) }
       end
     end
-    context 'when not authorized' do
-      before(:each) do
-        unauthorize_update
-        get :show, params: new_attributes
-      end
-      it { expect(response.status).to eq 403 }
-      it { expect(JSON.parse(response.body)['base']).to include 'Access denied on show' }
-    end
+    # context 'when not authorized' do
+    #   before(:each) do
+    #     unauthorize_update
+    #     get :show, params: new_attributes
+    #   end
+    #   it { expect(response.status).to eq 403 }
+    #   it { expect(JSON.parse(response.body)['base']).to include 'Access denied on show' }
+    # end
   end
 end
 
@@ -192,14 +192,14 @@ shared_examples 'post::create' do
         end
       end
     end
-    context 'when not authorized' do
-      before(:each) do
-        unauthorize_create
-        post :create, params: new_attributes
-      end
-      it { expect(response.status).to eq 403 }
-      it { expect(JSON.parse(response.body)['base']).to include 'Access denied on create' }
-    end
+    # context 'when not authorized' do
+    #   before(:each) do
+    #     unauthorize_create
+    #     post :create, params: new_attributes
+    #   end
+    #   it { expect(response.status).to eq 403 }
+    #   it { expect(JSON.parse(response.body)['base']).to include 'Access denied on create' }
+    # end
   end
 end
 
@@ -216,13 +216,13 @@ shared_examples 'delete::delete' do
         }.to change(model_klass, :count).by(-1)
       end
     end
-    context 'when not authorized' do
-      before(:each) do
-        unauthorize_delete
-        delete :destroy, params: { id: model.id }
-      end
-      it { expect(response.status).to eq 403 }
-      it { expect(JSON.parse(response.body)['base']).to include 'Access denied on destroy' }
-    end
+    # context 'when not authorized' do
+    #   before(:each) do
+    #     unauthorize_delete
+    #     delete :destroy, params: { id: model.id }
+    #   end
+    #   it { expect(response.status).to eq 403 }
+    #   it { expect(JSON.parse(response.body)['base']).to include 'Access denied on destroy' }
+    # end
   end
 end

data/lib/active_record_api/rest/version.rb

@@ -2,6 +2,6 @@
 
 module ActiveRecordApi
   module Rest
-    VERSION = '0.1.9'.freeze
+    VERSION = '1.0.1'.freeze
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: active_record_api-rest
 version: !ruby/object:Gem::Version
-  version: 0.1.9
+  version: 1.0.1
 platform: ruby
 authors:
 - Full Measure Education
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-02-25 00:00:00.000000000 Z
+date: 2019-03-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -108,20 +108,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: cancancan
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
@@ -158,6 +144,9 @@ files:
 - bin/console
 - bin/setup
 - lib/active_record_api-rest.rb
+- lib/active_record_api/rest/access_denied_exception.rb
+- lib/active_record_api/rest/application_policy.rb
+- lib/active_record_api/rest/bad_session_exception.rb
 - lib/active_record_api/rest/controller.rb
 - lib/active_record_api/rest/graceful_errors.rb
 - lib/active_record_api/rest/index_controller.rb