ae_declarative_authorization 2.2.0 → 2.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0a7b71e8b588137b1b2b96bc7e214cb6ab58ca778b9bdbafd34d6887897d7537
-  data.tar.gz: 98662f0d7b0d3ef4fcbec3bae6b71bb3ab8f97051e7fe3c9042c55f1f9c5391b
+  metadata.gz: d48feceb3557edc83090bde5cc134402ccd1aa879482e126cc38c0bc32618773
+  data.tar.gz: db4fea2e76369d625965842d4b47c5f4a192023de3530e3abe5880e573e20c37
 SHA512:
-  metadata.gz: f7c3fe0957edf2aebac772624e17ba87157a0c99181ec7e64794cec22865acd1d74ab2f051b5429fe2a25abbee2665a4cef7b63235b6e26999df5c998bf51ad5
-  data.tar.gz: cc90c97438fc87fef2a014296abed704e56f37a810d8e858327caaec39cf71d3a46201a82cd4640106d7b70ffe3708163f8db0b9a72ed9612580f9c4d2d23944
+  metadata.gz: f58364fc40bd34c86a41dd42179520e4be8fdd275915e20f1d96b7a101424048c348a2b6f86d6b2fe7cfb52d267a0504b06b6afcdd3980d98784d8d31f916858
+  data.tar.gz: 5856fbb3162520b104e21e4aaa0c582f9a86b3f6f5299b0c1831c3038b5c27231eb6dc7db25a541c3e5f6883b5cbc5386e7109dbf4e7afd124e189fecf79ca0a

data/lib/declarative_authorization/authorization.rb

@@ -27,8 +27,13 @@ module Authorization
     # - event details (hash)
     attr_accessor :authorization_denied_callback
 
+    # Optional callback to wrap authorization check execution.
+    # Must return the result of executing the authorization check block.
+    attr_accessor :trace_authorization
+
     def initialize
       @authorization_denied_callback = nil
+      @trace_authorization = nil
     end
   end
 

data/lib/declarative_authorization/controller/grape.rb

@@ -1,6 +1,7 @@
 require File.dirname(__FILE__) + '/../authorization.rb'
 require File.dirname(__FILE__) + '/dsl.rb'
 require File.dirname(__FILE__) + '/runtime.rb'
+require File.dirname(__FILE__) + '/observability.rb'
 
 #
 # This mixin can be used to add declarative authorization support to APIs built using Grape
@@ -31,6 +32,7 @@ module Authorization
 
         base.helpers do
           include ::Authorization::Controller::Runtime
+          include ::Authorization::Controller::Observability
 
           def authorization_engine
             ::Authorization::Engine.instance
@@ -43,7 +45,14 @@ module Authorization
               # Acceessing route raises an exception when the response is a 405 MethodNotAllowed
               return
             end
-            unless allowed?("#{request.request_method} #{route.origin}")
+
+            action = "#{request.request_method} #{route.origin}"
+
+            allowed = trace_authorization(api: api_class&.name, action: action) do
+              allowed?(action)
+            end
+
+            unless allowed
               if respond_to?(:permission_denied, true)
                 # permission_denied needs to render or redirect
                 send(:permission_denied)

data/lib/declarative_authorization/controller/observability.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+#
+# Observability support for declarative authorization
+#
+module Authorization
+  module Controller
+    module Observability
+      def trace_authorization(*args, &block)
+        if ::Authorization.config.trace_authorization
+          ::Authorization.config.trace_authorization.call(*args, &block)
+        else
+          yield
+        end
+      end
+    end
+  end
+end

data/lib/declarative_authorization/controller/rails.rb

@@ -1,6 +1,7 @@
 require File.dirname(__FILE__) + '/../authorization.rb'
 require File.dirname(__FILE__) + '/dsl.rb'
 require File.dirname(__FILE__) + '/runtime.rb'
+require File.dirname(__FILE__) + '/observability.rb'
 
 #
 # Mixin to be added to rails controllers
@@ -18,6 +19,7 @@ module Authorization
         end
 
         base.include Runtime
+        base.include Observability
       end
 
       module ClassMethods
@@ -280,7 +282,11 @@ module Authorization
       protected
 
       def filter_access_filter # :nodoc:
-        unless allowed?(action_name)
+        allowed = trace_authorization(controller: self.class.name, action: action_name) do
+          allowed?(action_name)
+        end
+
+        unless allowed
           if respond_to?(:permission_denied, true)
             # permission_denied needs to render or redirect
             send(:permission_denied)

data/lib/declarative_authorization/controller/runtime.rb

@@ -14,6 +14,7 @@ module Authorization
       def self.failed_auto_loading_is_not_found?
         @@failed_auto_loading_is_not_found
       end
+
       def self.failed_auto_loading_is_not_found=(new_value)
         @@failed_auto_loading_is_not_found = new_value
       end
@@ -28,11 +29,27 @@ module Authorization
       # in the authorization rules are only evaluated if an object is given
       # for context.
       #
-      # See examples for Authorization::AuthorizationHelper #permitted_to?
-      #
       # If no object or context is specified, the controller_name is used as
       # context.
       #
+      # Examples:
+      #     <% permitted_to? :create, :users do %>
+      #     <%= link_to 'New', new_user_path %>
+      #     <% end %>
+      #     ...
+      #     <% if permitted_to? :create, :users %>
+      #     <%= link_to 'New', new_user_path %>
+      #     <% else %>
+      #     You are not allowed to create new users!
+      #     <% end %>
+      #     ...
+      #     <% for user in @users %>
+      #     <%= link_to 'Edit', edit_user_path(user) if permitted_to? :update, user %>
+      #     <% end %>
+      #
+      # To pass in an object and override the context, you can use the optional
+      # options:
+      #     permitted_to? :update, user, :context => :account
       def permitted_to?(privilege, object_or_sym = nil, options = {})
         if authorization_engine.permit!(privilege, options_for_permit(object_or_sym, options, false))
           yield if block_given?
@@ -48,16 +65,27 @@ module Authorization
         authorization_engine.permit!(privilege, options_for_permit(object_or_sym, options, true))
       end
 
-      # While permitted_to? is used for authorization, in some cases
+      # While permitted_to? is used for authorization in views, in some cases
       # content should only be shown to some users without being concerned
       # with authorization.  E.g. to only show the most relevant menu options
       # to a certain group of users.  That is what has_role? should be used for.
+      #
+      # Examples:
+      #     <% has_role?(:sales) do %>
+      #     <%= link_to 'All contacts', contacts_path %>
+      #     <% end %>
+      #     ...
+      #     <% if has_role?(:sales) %>
+      #     <%= link_to 'Customer contacts', contacts_path %>
+      #     <% else %>
+      #     ...
+      #     <% end %>
       def has_role?(*roles)
         user_roles = authorization_engine.roles_for(current_user)
         result = roles.all? do |role|
           user_roles.include?(role)
         end
-        yield if result and block_given?
+        yield if result && block_given?
         result
       end
 
@@ -68,7 +96,7 @@ module Authorization
         result = roles.any? do |role|
           user_roles.include?(role)
         end
-        yield if result and block_given?
+        yield if result && block_given?
         result
       end
 
@@ -78,7 +106,7 @@ module Authorization
         result = roles.all? do |role|
           user_roles.include?(role)
         end
-        yield if result and block_given?
+        yield if result && block_given?
         result
       end
 
@@ -88,7 +116,7 @@ module Authorization
         result = roles.any? do |role|
           user_roles.include?(role)
         end
-        yield if result and block_given?
+        yield if result && block_given?
         result
       end
 
@@ -96,16 +124,18 @@ module Authorization
         context = object = nil
         if object_or_sym.nil?
           context = decl_auth_context
-        elsif !Authorization.is_a_association_proxy?(object_or_sym) and object_or_sym.is_a?(Symbol)
+        elsif !Authorization.is_a_association_proxy?(object_or_sym) && object_or_sym.is_a?(Symbol)
           context = object_or_sym
         else
           object = object_or_sym
         end
 
-        result = {:object => object,
-          :context => context,
-          :skip_attribute_test => object.nil?,
-          :bang => bang}.merge(options)
+        result = {
+          object: object,
+          context: context,
+          skip_attribute_test: object.nil?,
+          bang: bang
+        }.merge(options)
         result[:user] = current_user unless result.key?(:user)
         result
       end
@@ -120,12 +150,12 @@ module Authorization
 
         begin
           allowed = if matching_permissions.any?
-            matching_permissions.all? { |p| p.permit!(self, action_name) }
-          elsif all_permissions.any?
-            all_permissions.all? { |p| p.permit!(self, action_name) }
-          else
-            !DEFAULT_DENY
-          end
+                      matching_permissions.all? { |p| p.permit!(self, action_name) }
+                    elsif all_permissions.any?
+                      all_permissions.all? { |p| p.permit!(self, action_name) }
+                    else
+                      !DEFAULT_DENY
+                    end
         rescue ::Authorization::NotAuthorized => e
           auth_exception = e
         end

data/lib/declarative_authorization/helper.rb

@@ -1,78 +1,12 @@
 # Authorization::AuthorizationHelper
-require File.dirname(__FILE__) + '/authorization.rb'
+require "#{File.dirname(__FILE__)}/authorization.rb"
 
 module Authorization
+  # Include this module in your views
   module AuthorizationHelper
-  
-    # If the current user meets the given privilege, permitted_to? returns true
-    # and yields to the optional block.  The attribute checks that are defined
-    # in the authorization rules are only evaluated if an object is given
-    # for context.
-    # 
-    # Examples:
-    #     <% permitted_to? :create, :users do %>
-    #     <%= link_to 'New', new_user_path %>
-    #     <% end %>
-    #     ...
-    #     <% if permitted_to? :create, :users %>
-    #     <%= link_to 'New', new_user_path %>
-    #     <% else %>
-    #     You are not allowed to create new users!
-    #     <% end %>
-    #     ...
-    #     <% for user in @users %>
-    #     <%= link_to 'Edit', edit_user_path(user) if permitted_to? :update, user %>
-    #     <% end %>
-    #
-    # To pass in an object and override the context, you can use the optional
-    # options:
-    #     permitted_to? :update, user, :context => :account
-    # 
-    def permitted_to?(privilege, object_or_sym = nil, options = {})
-      controller.permitted_to?(privilege, object_or_sym, options) do
-        yield if block_given?
-      end
-    end
-  
-    # While permitted_to? is used for authorization in views, in some cases
-    # content should only be shown to some users without being concerned
-    # with authorization.  E.g. to only show the most relevant menu options 
-    # to a certain group of users.  That is what has_role? should be used for.
-    # 
-    # Examples:
-    #     <% has_role?(:sales) do %>
-    #     <%= link_to 'All contacts', contacts_path %>
-    #     <% end %>
-    #     ...
-    #     <% if has_role?(:sales) %>
-    #     <%= link_to 'Customer contacts', contacts_path %>
-    #     <% else %>
-    #     ...
-    #     <% end %>
-    # 
-    def has_role?(*roles)
-      controller.has_role?(*roles) do
-        yield if block_given?
-      end
-    end
-    
-    # As has_role? except checks all roles included in the role hierarchy
-    def has_role_with_hierarchy?(*roles)
-      controller.has_role_with_hierarchy?(*roles) do
-        yield if block_given?
-      end
-    end
-    
-    def has_any_role?(*roles)
-      controller.has_any_role?(*roles) do
-        yield if block_given?
-      end
-    end
-    
-    def has_any_role_with_hierarchy?(*roles)
-      controller.has_any_role_with_hierarchy?(*roles) do
-        yield if block_given?
-      end
-    end
+    delegate :has_role?, :has_role_with_hierarchy?,
+             :has_any_role?, :has_any_role_with_hierarchy?,
+             :permitted_to?,
+             to: :controller
   end
 end

data/lib/declarative_authorization/version.rb

@@ -1,3 +1,3 @@
 module DeclarativeAuthorization
-  VERSION = '2.2.0'.freeze
+  VERSION = '2.3.1'.freeze
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ae_declarative_authorization
 version: !ruby/object:Gem::Version
-  version: 2.2.0
+  version: 2.3.1
 platform: ruby
 authors:
 - AppFolio
@@ -63,6 +63,7 @@ files:
 - lib/declarative_authorization/authorization.rb
 - lib/declarative_authorization/controller/dsl.rb
 - lib/declarative_authorization/controller/grape.rb
+- lib/declarative_authorization/controller/observability.rb
 - lib/declarative_authorization/controller/rails.rb
 - lib/declarative_authorization/controller/runtime.rb
 - lib/declarative_authorization/controller_permission.rb