active_record_api-rest 1.0.3 → 1.0.4

Sign up to get free protection for your applications and to get access to all the features.
Files changed (11) hide show
  1. checksums.yaml +4 -4
  2. data/Gemfile.lock +1 -1
  3. data/lib/active_record_api/rest/access_denied_exception.rb +13 -12
  4. data/lib/active_record_api/rest/application_policy.rb +36 -8
  5. data/lib/active_record_api/rest/bad_session_exception.rb +6 -0
  6. data/lib/active_record_api/rest/controller.rb +11 -5
  7. data/lib/active_record_api/rest/graceful_errors.rb +7 -3
  8. data/lib/active_record_api/rest/index_controller.rb +1 -1
  9. data/lib/active_record_api/rest/spec/rest_controller_shared_example.rb +62 -66
  10. data/lib/active_record_api/rest/version.rb +1 -1
  11. metadata +2 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: f46306ab7aa8dfd69c9d099776f1fc095c2e9188eee1ece50edc83b87543ac69
4
- data.tar.gz: 59fc5ee48bfa4341773b76b41e7f543f0aefe6973332751aaa931b49a6197fb8
3
+ metadata.gz: d6c7bfa36f4f4e1cf3a3013003dc091864a44e6a2f0df9c47886ce37b7c4a88f
4
+ data.tar.gz: 5929dfad290e2789a5acbfa574cde379c409d4de125679966c0ed5e98f230edf
5
5
  SHA512:
6
- metadata.gz: 421c5a6f00e821c52d51d1b940664e9f8498b049ab77fbec9adb955564b7053ccc804c2310d7322d3e3806f801b536c890c46baf4d23a6a07d63abefb0d8aee1
7
- data.tar.gz: 69b974c414193b3667f0e5327e0e60e12939b6024937452c2d3f7b6ed7f05582eb339828b6f3ac5d8d52eadb155ac68d6e3e573a7f70a2085b22c2790fb7d4d2
6
+ metadata.gz: a524c311c0cd8ecda10d96d82a9900b68853e108c96d59109e5493dce0052a6ee31348807a2f423a0234ce011bbf272eccf3d39ca2063e095ca585ef951033b1
7
+ data.tar.gz: b3c7af25eb3864129781d0cdc564c33a65ba14da22001601b5450a517267466fa865e1dd63b0b48d6d26b89137c61b9f227c8a06ddbfe7675ba50abe5ce9b719
data/Gemfile.lock CHANGED
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- active_record_api-rest (1.0.1)
4
+ active_record_api-rest (1.0.3)
5
5
  active_attr
6
6
  active_model_serializers
7
7
  rails (>= 5.1)
data/lib/active_record_api/rest/access_denied_exception.rb CHANGED
@@ -1,12 +1,13 @@
1
- # module ActiveRecordApi
2
- # module Rest
3
- # class AccessDeniedException < Exception
4
- # attr_reader :action
5
- # attr_reader :controller
6
- # def initialize(controller, action)
7
- # @action = action
8
- # @controller = controller
9
- # end
10
- # end
11
- # end
12
- # end
1
+ module ActiveRecordApi
2
+ module Rest
3
+ class AccessDeniedException < Exception
4
+ attr_reader :action
5
+ attr_reader :controller
6
+ def initialize(controller, action, message)
7
+ super(message)
8
+ @action = action
9
+ @controller = controller
10
+ end
11
+ end
12
+ end
13
+ end
data/lib/active_record_api/rest/application_policy.rb CHANGED
@@ -1,32 +1,60 @@
1
1
  module ActiveRecordApi
2
2
  module Rest
3
3
  class ApplicationPolicy
4
+ class Scope
5
+ attr_reader :user, :scope
6
+
7
+ def initialize(user, scope)
8
+ @user = user
9
+ @scope = scope
10
+ end
11
+
12
+ def resolve
13
+ @scope.where(id: false)
14
+ end
15
+ end
16
+
4
17
  attr_reader :user
5
- attr_reader :entity
18
+ attr_reader :model_class
19
+
20
+ READ = 'read'.freeze
21
+ MANAGE = 'manage'.freeze
6
22
 
7
- def initialize(user, entity)
23
+ def initialize(user, model_class)
8
24
  @user = user
9
- @entity = entity
25
+ @model_class = model_class
10
26
  end
11
27
 
12
28
  def index?
13
- true
29
+ can?(READ)
14
30
  end
15
31
 
16
32
  def show?
17
- true
33
+ can?(READ)
18
34
  end
19
35
 
20
36
  def create?
21
- true
37
+ can?(MANAGE)
22
38
  end
23
39
 
24
40
  def update?
25
- true
41
+ can?(MANAGE)
26
42
  end
27
43
 
28
44
  def destroy?
29
- true
45
+ can?(MANAGE)
46
+ end
47
+
48
+ protected
49
+
50
+ def can?(action)
51
+ user.full_permissions.include?("#{service_name}__#{@model_class.name.downcase}:#{action}")
52
+ end
53
+
54
+ private
55
+
56
+ def service_name
57
+ File.basename(Rails.root.to_s)
30
58
  end
31
59
  end
32
60
  end
data/lib/active_record_api/rest/bad_session_exception.rb CHANGED
@@ -1,6 +1,12 @@
1
1
  module ActiveRecordApi
2
2
  module Rest
3
3
  class BadSessionException < Exception
4
+ attr_reader :action
5
+ attr_reader :controller
6
+ def initialize(controller, action)
7
+ @action = action
8
+ @controller = controller
9
+ end
4
10
  end
5
11
  end
6
12
  end
data/lib/active_record_api/rest/controller.rb CHANGED
@@ -60,7 +60,7 @@ module ActiveRecordApi
60
60
  end
61
61
 
62
62
  def load_model
63
- @model ||= model_klass.find(params[:id])
63
+ @model ||= scope_filter(model_klass).find(params[:id])
64
64
  end
65
65
 
66
66
  def initialize_model
@@ -68,10 +68,16 @@ module ActiveRecordApi
68
68
  end
69
69
 
70
70
  def authorize
71
- user = current_user
72
- raise BadSessionException if user.nil?
73
- policy = ("#{controller_name.classify}Policy".safe_constantize) ? "#{controller_name.classify}Policy".constantize.new(user, model) : ApplicationPolicy.new(user, model)
74
- raise AccessDeniedException.new(controller_name, action_name) unless policy.send("#{action_name}?")
71
+ raise BadSessionException.new(controller_name, action_name) if current_user.nil?
72
+ raise AccessDeniedException.new(controller_name, action_name, 'Insufficient permissions') unless policy.send("#{action_name}?")
73
+ end
74
+
75
+ def scope_filter(scope)
76
+ "#{policy.class.name}::Scope".constantize.new(current_user, scope).resolve
77
+ end
78
+
79
+ def policy
80
+ @policy ||= ("#{controller_name.classify}Policy".safe_constantize) ? "#{controller_name.classify}Policy".constantize.new(current_user, model_klass) : ApplicationPolicy.new(current_user, model_klass)
75
81
  end
76
82
  end
77
83
  end
data/lib/active_record_api/rest/graceful_errors.rb CHANGED
@@ -8,9 +8,13 @@ module ActiveRecordApi
8
8
  render status: :not_found, json: { base: exception.message }
9
9
  end
10
10
 
11
- # rescue_from AccessDeniedException do |exception|
12
- # render status: :forbidden, json: { base: "Access denied on #{exception.action} #{exception.controller}" }
13
- # end
11
+ rescue_from BadSessionException do |exception|
12
+ render status: :unauthorized, json: { base: "No user for session on #{exception.action} #{exception.controller}" }
13
+ end
14
+
15
+ rescue_from AccessDeniedException do |exception|
16
+ render status: :forbidden, json: { base: "Access denied on #{exception.action} #{exception.controller}", message: exception.message }
17
+ end
14
18
  end
15
19
  end
16
20
  end
data/lib/active_record_api/rest/index_controller.rb CHANGED
@@ -36,7 +36,7 @@ module ActiveRecordApi
36
36
  end
37
37
 
38
38
  def load_models
39
- @models = model_klass.where(filtered_params)
39
+ @models = scope_filter(model_klass).where(filtered_params)
40
40
  @total = models.count
41
41
  page_models
42
42
  end
data/lib/active_record_api/rest/spec/rest_controller_shared_example.rb CHANGED
@@ -1,15 +1,14 @@
1
1
  shared_examples 'all::rest::actions' do
2
- let(:authorize_read) { mock_valid_auth(permission_name(model_klass, 'r'), model.organization_id) }
3
- let(:unauthorize_read) { mock_valid_auth(permission_name(model_klass, ''), -1) }
4
- let(:authorize_create) { mock_valid_auth(permission_name(model_klass, 'c'), model.organization_id) }
5
- let(:unauthorize_create) { mock_valid_auth(permission_name(model_klass, ''), -1) }
6
- let(:authorize_update) { mock_valid_auth(permission_name(model_klass, 'u'), model.organization_id) }
7
- let(:unauthorize_update) { mock_valid_auth(permission_name(model_klass, ''), -1) }
8
- let(:authorize_delete) { mock_valid_auth(permission_name(model_klass, 'd'), model.organization_id) }
9
- let(:unauthorize_delete) { mock_valid_auth(permission_name(model_klass, ''), -1) }
2
+ let(:authorize_read) { mock_valid_auth([permission_name(model_klass, 'read')]) }
3
+ let(:unauthorize_read) { mock_valid_auth([permission_name(model_klass, '')]) }
4
+ let(:authorize_create) { mock_valid_auth([permission_name(model_klass, 'manage')]) }
5
+ let(:unauthorize_create) { mock_valid_auth([permission_name(model_klass, '')]) }
6
+ let(:authorize_update) { mock_valid_auth([permission_name(model_klass, 'manage')]) }
7
+ let(:unauthorize_update) { mock_valid_auth([permission_name(model_klass, '')]) }
8
+ let(:authorize_delete) { mock_valid_auth([permission_name(model_klass, 'manage')]) }
9
+ let(:unauthorize_delete) { mock_valid_auth([permission_name(model_klass, '')]) }
10
10
  let(:factory_symbol) { model_klass.to_s.underscore.to_sym }
11
- let(:index_non_accessible_data) { create factory_symbol, organization_id: (model.organization_id + 1) }
12
- let(:model_array) { [model] + create_list(factory_symbol, 4, organization_id: model.organization_id) }
11
+ let(:model_array) { [model] + create_list(factory_symbol, 4) }
13
12
  let(:base_model_klass) do
14
13
  if model_klass.superclass == ApplicationRecord
15
14
  model_klass
@@ -59,14 +58,21 @@ shared_examples 'get::show' do
59
58
  it { expect(JSON.parse(response.body)['base']).to include "Couldn't find #{base_model_klass} with 'id'=-1" }
60
59
  end
61
60
  end
62
- # context 'when not authorized' do
63
- # before(:each) do
64
- # unauthorize_read
65
- # get :show, params: { id: model.to_param }
66
- # end
67
- # it { expect(response.status).to eq 403 }
68
- # it { expect(JSON.parse(response.body)['base']).to include 'Access denied on show' }
69
- # end
61
+ context 'when not authorized' do
62
+ before(:each) do
63
+ unauthorize_read
64
+ get :show, params: { id: model.to_param }
65
+ end
66
+ it { expect(response.status).to eq 403 }
67
+ it { expect(JSON.parse(response.body)['base']).to include 'Access denied on show' }
68
+ end
69
+ context 'when bad session' do
70
+ before(:each) do
71
+ get :show, params: { id: model.to_param }
72
+ end
73
+ it { expect(response.status).to eq 401 }
74
+ it { expect(JSON.parse(response.body)['base']).to include 'No user for session on show' }
75
+ end
70
76
  end
71
77
  end
72
78
 
@@ -98,27 +104,17 @@ shared_examples 'get::index' do
98
104
  it { expect(response.headers['x-link-next']).to eq "#{host}#{request.path}?limit=1&previous_id=#{next_previous_id}" }
99
105
  it { expect(response.body).to be_json_eql model_klass.where('id > ?', previous_id).limit(1).map { |o| serializer.new(o) }.to_json }
100
106
  end
101
-
102
- # context 'when only access some of the data' do
103
- # before(:each) do
104
- # index_non_accessible_data
105
- # get :index
106
- # end
107
- # it { expect(response.status).to eq 200 }
108
- # it { expect(response.headers['x-total']).to eq 1 }
109
- # it { expect(response.body).to be_json_eql [serializer.new(model)].to_json }
110
- # end
111
107
  end
112
- # context 'when not authorized' do
113
- # before(:each) do
114
- # unauthorize_read
115
- # end
116
- # before(:each) do
117
- # get :index
118
- # end
119
- # it { expect(response.status).to eq 403 }
120
- # it { expect(JSON.parse(response.body)['base']).to include 'Access denied on index' }
121
- # end
108
+ context 'when not authorized' do
109
+ before(:each) do
110
+ unauthorize_read
111
+ end
112
+ before(:each) do
113
+ get :index
114
+ end
115
+ it { expect(response.status).to eq 403 }
116
+ it { expect(JSON.parse(response.body)['base']).to include 'Access denied on index' }
117
+ end
122
118
  end
123
119
  end
124
120
 
@@ -154,14 +150,14 @@ shared_examples 'put::update' do
154
150
  it { expect(response.body).to be_json_eql({ base: 'Extra parameters are not allow: foobars' }.to_json) }
155
151
  end
156
152
  end
157
- # context 'when not authorized' do
158
- # before(:each) do
159
- # unauthorize_update
160
- # get :show, params: new_attributes
161
- # end
162
- # it { expect(response.status).to eq 403 }
163
- # it { expect(JSON.parse(response.body)['base']).to include 'Access denied on show' }
164
- # end
153
+ context 'when not authorized' do
154
+ before(:each) do
155
+ unauthorize_update
156
+ get :show, params: new_attributes
157
+ end
158
+ it { expect(response.status).to eq 403 }
159
+ it { expect(JSON.parse(response.body)['base']).to include 'Access denied on show' }
160
+ end
165
161
  end
166
162
  end
167
163
 
@@ -192,14 +188,14 @@ shared_examples 'post::create' do
192
188
  end
193
189
  end
194
190
  end
195
- # context 'when not authorized' do
196
- # before(:each) do
197
- # unauthorize_create
198
- # post :create, params: new_attributes
199
- # end
200
- # it { expect(response.status).to eq 403 }
201
- # it { expect(JSON.parse(response.body)['base']).to include 'Access denied on create' }
202
- # end
191
+ context 'when not authorized' do
192
+ before(:each) do
193
+ unauthorize_create
194
+ post :create, params: new_attributes
195
+ end
196
+ it { expect(response.status).to eq 403 }
197
+ it { expect(JSON.parse(response.body)['base']).to include 'Access denied on create' }
198
+ end
203
199
  end
204
200
  end
205
201
 
@@ -210,19 +206,19 @@ shared_examples 'delete::delete' do
210
206
  authorize_delete
211
207
  end
212
208
  it 'remove record' do
213
- expect {
214
- expect_any_instance_of(model_klass).to receive(:destroyed_bus_cleanup_message_publish) if model.respond_to? :destroyed_bus_cleanup_message_publish
215
- delete :destroy, params: { id: model.id }
216
- }.to change(model_klass, :count).by(-1)
209
+ model
210
+ before_count = model_klass.count
211
+ delete :destroy, params: { id: model.id }
212
+ expect(model_klass.count).to eq(before_count - 1)
213
+ end
214
+ end
215
+ context 'when not authorized' do
216
+ before(:each) do
217
+ unauthorize_delete
218
+ delete :destroy, params: { id: model.id }
217
219
  end
220
+ it { expect(response.status).to eq 403 }
221
+ it { expect(JSON.parse(response.body)['base']).to include 'Access denied on destroy' }
218
222
  end
219
- # context 'when not authorized' do
220
- # before(:each) do
221
- # unauthorize_delete
222
- # delete :destroy, params: { id: model.id }
223
- # end
224
- # it { expect(response.status).to eq 403 }
225
- # it { expect(JSON.parse(response.body)['base']).to include 'Access denied on destroy' }
226
- # end
227
223
  end
228
224
  end
data/lib/active_record_api/rest/version.rb CHANGED
@@ -2,6 +2,6 @@
2
2
 
3
3
  module ActiveRecordApi
4
4
  module Rest
5
- VERSION = '1.0.3'.freeze
5
+ VERSION = '1.0.4'.freeze
6
6
  end
7
7
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: active_record_api-rest
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.3
4
+ version: 1.0.4
5
5
  platform: ruby
6
6
  authors:
7
7
  - Full Measure Education
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2019-03-15 00:00:00.000000000 Z
11
+ date: 2019-03-19 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler