authorized_persona 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 4c94ee11ec5cc61e600479f513dbd1977768ff146b61ec18ae34f34aeaa2e223
+  data.tar.gz: 687dde9d36b005ab6a8b8d08e6b40ea7349819d765fb93c1cd4c06fb568dfc5d
+SHA512:
+  metadata.gz: 7d146c61b9932e9eea82aea03ac7f48798ce42c47bf3eb8eb9cffc403631db58e56559a1098c7b9a640e4598858552a37ca75e6749c564882f248188c8bcd00c
+  data.tar.gz: e371dc3c7752412945d46cb76716d8973ad6d1cdc3149d49bf31dde852b5b12c37e10b3d05490f0b4711694bdb0d1108ea683e28bef6d6ecd9dd322919095db6

data/.gitignore

@@ -0,0 +1,11 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.rubocop.yml

@@ -0,0 +1,3 @@
+inherit_gem:
+  rubocop-betterment:
+    - config/default.yml

data/.travis.yml

@@ -0,0 +1,7 @@
+---
+sudo: false
+language: ruby
+cache: bundler
+rvm:
+  - 2.6.1
+before_install: gem install bundler -v 2.0.1

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,74 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at john@betterment.com. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/

data/Gemfile

@@ -0,0 +1,4 @@
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in authorized_persona.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,112 @@
+PATH
+  remote: .
+  specs:
+    authorized_persona (0.1.0)
+      activemodel (>= 5.1.6.2, < 7)
+      railties (>= 5.1.6.2, < 7)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    actionpack (5.2.3)
+      actionview (= 5.2.3)
+      activesupport (= 5.2.3)
+      rack (~> 2.0)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    actionview (5.2.3)
+      activesupport (= 5.2.3)
+      builder (~> 3.1)
+      erubi (~> 1.4)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.3)
+    activemodel (5.2.3)
+      activesupport (= 5.2.3)
+    activesupport (5.2.3)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    ast (2.4.0)
+    builder (3.2.3)
+    concurrent-ruby (1.1.5)
+    crass (1.0.4)
+    diff-lcs (1.3)
+    erubi (1.8.0)
+    i18n (1.6.0)
+      concurrent-ruby (~> 1.0)
+    jaro_winkler (1.5.2)
+    loofah (2.2.3)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.5.9)
+    method_source (0.9.2)
+    mini_portile2 (2.4.0)
+    minitest (5.11.3)
+    nokogiri (1.10.3)
+      mini_portile2 (~> 2.4.0)
+    parallel (1.17.0)
+    parser (2.6.3.0)
+      ast (~> 2.4.0)
+    powerpack (0.1.2)
+    rack (2.0.7)
+    rack-test (1.1.0)
+      rack (>= 1.0, < 3)
+    rails-dom-testing (2.0.3)
+      activesupport (>= 4.2.0)
+      nokogiri (>= 1.6)
+    rails-html-sanitizer (1.0.4)
+      loofah (~> 2.2, >= 2.2.2)
+    railties (5.2.3)
+      actionpack (= 5.2.3)
+      activesupport (= 5.2.3)
+      method_source
+      rake (>= 0.8.7)
+      thor (>= 0.19.0, < 2.0)
+    rainbow (3.0.0)
+    rake (10.5.0)
+    rspec (3.8.0)
+      rspec-core (~> 3.8.0)
+      rspec-expectations (~> 3.8.0)
+      rspec-mocks (~> 3.8.0)
+    rspec-core (3.8.0)
+      rspec-support (~> 3.8.0)
+    rspec-expectations (3.8.3)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.8.0)
+    rspec-mocks (3.8.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.8.0)
+    rspec-support (3.8.0)
+    rubocop (0.61.1)
+      jaro_winkler (~> 1.5.1)
+      parallel (~> 1.10)
+      parser (>= 2.5, != 2.5.1.1)
+      powerpack (~> 0.1)
+      rainbow (>= 2.2.2, < 4.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (~> 1.4.0)
+    rubocop-betterment (1.8.0)
+      rubocop (~> 0.61.1)
+      rubocop-rspec (= 1.28.0)
+    rubocop-rspec (1.28.0)
+      rubocop (>= 0.58.0)
+    ruby-progressbar (1.10.1)
+    thor (0.20.3)
+    thread_safe (0.3.6)
+    tzinfo (1.2.5)
+      thread_safe (~> 0.1)
+    unicode-display_width (1.4.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  authorized_persona!
+  bundler (~> 2.0)
+  rake (~> 10.0)
+  rspec (~> 3.0)
+  rubocop-betterment
+
+BUNDLED WITH
+   2.0.1

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2019 Betterment
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,206 @@
+# AuthorizedPersona
+
+AuthorizedPersona is an extremely simple, declarative Rails
+authorization library implementing the Persona Centric Authorization
+pattern that Betterment developed for their internal tooling.
+
+Persona Centric Authorization is animated by the following observations:
+
+* Organizations are made up of folks with different skill sets and
+  responsibilities. For the purposes of this library, we'll call a
+related set of skills and responsibilities a discipline, and the members
+of a discipline a persona.
+* An application built for a single persona will tend to be simpler,
+  more coherent, and more comprehensible for both its users and
+maintainers than an application attempting to serve many personas at
+once.
+* Within a persona, individuals need varying levels of access to
+  systems based on their responsibilities, competency, accountability,
+and trust levels in order to adhere to the principle of least privilege.
+* Arbitrary matrix-based authorization schemes are complex and difficult
+  to maintain consistently as organizations, applications and
+responsibilities evolve.
+* It is easier to find and avoid security vulnerabilities in simpler
+  software.
+* Code that doesn't exist in an app can't exhibit security
+  vulnerabilities.
+* You can only perform authorization when you have full relevant context
+  both of who a user is, and what they are attempting to do.
+* In the context of a database-backed application, it isn't an
+  authorization library's job to define or validate access control
+relationships between system users and data. This is your application's
+domain.  Appropriate access controls will often emerge naturally from
+your data model and trust root chaining. But even when more access
+control logic is required, you will develop simpler, better-fit
+solutions within your application.
+
+Which lead us to the following conclusions:
+
+* Applications should be built for a single persona each.
+* In Rails applications, authorization should be granted and enforced
+  exclusively at the controller action grain because it is the only
+layer in a Rails application with full context of the semantic action
+being requested, and who is requesting it.
+* In Rails applications, authorization logic should be limited to the
+  view/presenter layer, where the full context of the request is
+available.
+* In an application built for a single persona, we only need to define a
+  single privilege ladder where each tier's access is a superset of
+the prior tier's in order to adhere to the principle of least privilege.
+
+If that all sounds good to you, you should use AuthorizedPersona.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'authorized_persona'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install authorized_persona
+
+## Usage
+
+We'll assume you're using an authentication library like `devise` or
+`clearance` that provides a `current_user` method.
+
+1.  Integrate AuthorizedPersona into your user model.
+
+The example uses ActiveRecord, but any ActiveModel-based ORM will do.
+Your model only needs to have a string attribute named
+`authorization_tier`.
+
+```ruby
+# app/models/user.rb
+class User < ApplicationRecord
+  include AuthorizedPersona::Persona
+
+  authorization_tiers(
+    trainee: "Trainee - limited access",
+    staff: "Staff - standard access",
+    admin: "Admin - all access"
+  )
+
+  # You can use a custom attribute name, if desired, e.g.
+  # self.authorization_tier_attribute_name = :auth_tier
+
+  # If you want to use validations to keep bad data from making it into your table
+  # do the following. The authorization_tier_names method is defined by AuthorizedPersona based
+  # on the `authorization_tiers` declaration above.
+  validates :authorization_tier, inclusion: { in: authorization_tier_names }
+
+  # Your code here...
+end
+```
+
+2. Add AuthorizedPersona to your base controller:
+
+```ruby
+# app/controllers/application_controller.rb
+class ApplicationController < ActionController::Base
+  include AuthorizedPersona::Authorization
+
+  authorize_persona class_name: "User"
+
+  # or optionally override the method name we use to fetch current_[class_name] e.g.:
+  #
+  # authorize_persona class_name: "User", current_user_method_name: :current_fancy_user
+
+  # Your code here...
+end
+```
+
+At this point, no user is authorized to make a request to any descendent
+of `ApplicationController`.
+
+3. Grant privileges in your base controller or any subclass:
+
+```ruby
+# app/controllers/comments_controller.rb
+class CommentsControlller < ApplicationController
+  grant(
+    trainee: [:index, :show],
+    staff: :all
+  )
+
+  def index
+    # ...
+  end
+
+  def show
+    # ...
+  end
+
+  def create
+    # ...
+  end
+end
+```
+
+In the scenario above, trainees will only be authorized to `index` and
+`show` comments. Staff and above (including admins) will be able to
+`create` comments as well (as well as any other actions that may be
+defined).
+
+Grants are inherited by subclasses, but every grant encountered
+completely overrides any previous grants. This is by design to prevent
+accidental privilege leakage into high-security controllers. If you see
+a grant definition in a controller, you can be confident that that is
+the complete definition for that controller and that no other grants
+apply.
+
+4. Make display decisions based on authorization in your views:
+
+```erb
+<%# app/views/home/index.html.erb %>
+
+<% if authorized_to?(:create, :comment) %>
+  <%= link_to("Comment...", new_comment_path) %>
+<% end %>
+```
+
+5. (Advanced) If you need to segment data access by authorization tier, in your
+   presenters:
+
+```ruby
+# app/presenters/bill_search.rb
+class BillSearch
+  attr_reader :searcher, :query
+
+  def initialize(searcher:, query:)
+    @searcher = searcher
+    @query = query
+  end
+
+  def bills
+    # AuthorizedPersona::Persona provides #[tier]_and_above? methods for all defined tiers
+    relation = searcher.admin_or_above? ? Bills.all : Bills.nonsensitive
+    relation.where('title like ?', query)
+  end
+end
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/Betterment/authorized_persona. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+
+## Code of Conduct
+
+Everyone interacting in the AuthorizedPersona project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/Betterment/authorized_persona/blob/master/CODE_OF_CONDUCT.md).

data/Rakefile

@@ -0,0 +1,10 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :rubocop do
+  sh 'rubocop'
+end
+
+task default: %i(rubocop spec)

data/authorized_persona.gemspec

@@ -0,0 +1,34 @@
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "authorized_persona/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "authorized_persona"
+  spec.version       = AuthorizedPersona::VERSION
+  spec.authors       = ["John Mileham"]
+  spec.email         = ["john@betterment.com"]
+
+  spec.summary     = "the simplest authorization library you will ever love"
+  spec.description = "AuthorizedPersona is a rails implementation of Betterment's Persona Centric Authorization pattern"
+  spec.homepage    = "https://github.com/Betterment/authorized_persona"
+  spec.license       = "MIT"
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files         = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  rails_version_range = [">= 5.1.6.2", "< 7"]
+
+  spec.add_dependency "activemodel", *rails_version_range
+  spec.add_dependency "railties",    *rails_version_range
+
+  spec.add_development_dependency "bundler", "~> 2.0"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec", "~> 3.0"
+  spec.add_development_dependency "rubocop-betterment"
+end

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "authorized_persona"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/authorized_persona.rb

@@ -0,0 +1,14 @@
+require "authorized_persona/version"
+
+require "rails"
+require "active_model"
+
+require "authorized_persona/persona"
+require "authorized_persona/authorization"
+require 'authorized_persona/view_helpers'
+
+require "authorized_persona/railtie"
+
+module AuthorizedPersona
+  class Error < StandardError; end
+end

data/lib/authorized_persona/authorization.rb

@@ -0,0 +1,104 @@
+module AuthorizedPersona
+  module Authorization
+    extend ActiveSupport::Concern
+
+    included do
+      class_attribute :authorization_persona_class_name
+      class_attribute :authorization_current_user_method
+      class_attribute :authorized_actions
+      self.authorized_actions = {}
+
+      helper_method :authorization_current_user
+
+      before_action :authorize!
+    end
+
+    class_methods do
+      # Configure authorization for an authorized persona class
+      def authorize_persona(class_name:, current_user_method: nil) # rubocop:disable Metrics/AbcSize
+        raise AuthorizedPersona::Error, "you can only configure authorization once" if authorization_persona_class_name.present?
+        raise AuthorizedPersona::Error, "class_name must be a string" unless class_name.is_a?(String)
+        raise AuthorizedPersona::Error, "current_user_method must be a symbol" if current_user_method && !current_user_method.is_a?(Symbol)
+
+        self.authorization_persona_class_name = class_name
+
+        unless authorization_persona < AuthorizedPersona::Persona
+          raise AuthorizedPersona::Error, "#{class_name} must be an AuthorizedPersona::Persona"
+        end
+
+        self.authorization_current_user_method = current_user_method || :"current_#{authorization_persona.model_name.singular_route_key}"
+      end
+
+      # Grants replace all previous grants to avoid privilege leakage
+      def grant(privileges) # rubocop:disable Metrics/AbcSize
+        self.authorized_actions = Hash[privileges.map { |auth_tier, actions| [auth_tier.to_s, [actions].flatten.map(&:to_sym)] }]
+
+        tier_names = authorization_persona.authorization_tier_names
+        extra_keys = authorized_actions.keys - authorization_persona.authorization_tier_names
+        if extra_keys.present?
+          raise AuthorizedPersona::Error, "invalid grant: #{authorization_persona_class_name} " \
+            "has authorization tiers #{tier_names.join(', ')} but received extra keys: #{extra_keys.join(', ')}"
+        end
+      end
+
+      def authorization_persona
+        unless authorization_persona_class_name.is_a?(String)
+          raise AuthorizedPersona::Error, "you must configure authorization, e.g. `authorize_persona class_name: 'User'`"
+        end
+
+        authorization_persona_class_name.constantize
+      end
+
+      def authorized?(current_user:, action:)
+        raise AuthorizedPersona::Error, "#{current_user} is not a #{authorization_persona}" unless current_user.is_a?(authorization_persona)
+
+        current_user.authorization_tier_at_or_above?(authorized_tier(action: action))
+      end
+
+      def authorized_tier(action:)
+        action = action.to_sym
+        authorization_persona.authorization_tier_names.each do |tier|
+          actions = authorized_actions[tier] || []
+          return tier if actions == [:all] || actions.include?(action)
+        end
+        raise AuthorizedPersona::Error, "missing authorization grant for #{name}##{action}"
+      end
+    end
+
+    def authorized?
+      authorization_current_user && authorization_current_user.authorization_tier_at_or_above?(authorized_tier)
+    end
+
+    private
+
+    def authorization_current_user
+      unless authorization_current_user_method.is_a?(Symbol)
+        raise AuthorizedPersona::Error, "you must configure authorization with a valid current_user method name, " \
+          "e.g. `authorize_persona class_name: 'User', current_user_method: :my_custom_current_user`"
+      end
+
+      send(self.class.authorization_current_user_method)
+    end
+
+    def authorized_tier
+      self.class.authorized_tier(action: params[:action])
+    end
+
+    def authorize! # rubocop:disable Metrics/MethodLength
+      return if authorized?
+
+      respond_to do |format|
+        format.html do
+          flash[:error] = 'You are not authorized to perform this action.'
+          redirect_back fallback_location: '/', allow_other_host: false
+        end
+        format.json do
+          render json: {}, status: :unauthorized
+        end
+        format.any do
+          head :unauthorized
+        end
+      end
+    end
+  end
+end

data/lib/authorized_persona/persona.rb

@@ -0,0 +1,63 @@
+module AuthorizedPersona
+  module Persona
+    extend ActiveSupport::Concern
+
+    class_methods do
+      # Get the attribute name for authorization_tier
+      def authorization_tier_attribute_name
+        @authorization_tier_attribute_name || :authorization_tier
+      end
+
+      # Override the attribute name for authorization_tier
+      def authorization_tier_attribute_name=(override)
+        raise AuthorizedPersona::Error, "authorization_tier_attribute_name must be a symbol" unless override.is_a?(Symbol)
+
+        @authorization_tier_attribute_name = override
+      end
+
+      # Label-first for use in forms
+      def authorization_tier_collection
+        @authorization_tier_collection = @authorization_tiers.invert
+      end
+
+      # Just the tier slugs for inclusion validations, etc.
+      def authorization_tier_names
+        @authorization_tier_names ||= @authorization_tiers.keys.map(&:to_s)
+      end
+
+      # Configure the authorization tiers in my_tier_slug: "My Tier Title And Description" form from lowest to highest privilege.
+      def authorization_tiers(tiers) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+        raise AuthorizedPersona::Error, "you can only define authorization tiers once" if instance_variable_defined?(:@authorization_tiers)
+
+        if !tiers.is_a?(Hash) || !tiers.all? { |k, v| k.is_a?(Symbol) && v.is_a?(String) }
+          raise('you must provide a hash of symbol tier names and string descriptions, e.g. " +
+            trainee: "Trainee - limited access", staff: "Staff - regular access", admin: "Admin - full access"')
+        end
+
+        instance_methods = Module.new
+        include instance_methods
+
+        instance_methods.module_eval do
+          tiers.keys.each do |tier|
+            define_method "#{tier}_or_above?" do
+              authorization_tier_at_or_above?(tier)
+            end
+          end
+        end
+
+        @authorization_tiers = tiers.freeze
+      end
+
+      private
+
+      def authorization_tier_level(tier)
+        authorization_tier_names.index(tier.to_s) || raise("Invalid authorization tier: #{tier}")
+      end
+    end
+
+    def authorization_tier_at_or_above?(target_tier)
+      attr_name = public_send(self.class.authorization_tier_attribute_name)
+      self.class.send(:authorization_tier_level, attr_name) >= self.class.send(:authorization_tier_level, target_tier)
+    end
+  end
+end

data/lib/authorized_persona/railtie.rb

@@ -0,0 +1,7 @@
+module AuthorizedPersona
+  class Railtie < Rails::Railtie
+    initializer "authorized_persona.view_helpers" do
+      ActionView::Base.send :include, AuthorizedPersona::ViewHelpers
+    end
+  end
+end

data/lib/authorized_persona/version.rb

@@ -0,0 +1,3 @@
+module AuthorizedPersona
+  VERSION = "0.1.0".freeze
+end

data/lib/authorized_persona/view_helpers.rb

@@ -0,0 +1,11 @@
+module AuthorizedPersona
+  module ViewHelpers
+    def authorized_to?(action, resource)
+      route = Rails.application.routes.named_routes[resource]
+      raise AuthorizedPersona::Error, "Unable to determine route for #{resource}" if route.nil?
+
+      controller_class = (route.defaults[:controller].camelize + 'Controller').constantize
+      controller_class.authorized?(current_user: authorization_current_user, action: action)
+    end
+  end
+end

metadata

@@ -0,0 +1,159 @@
+--- !ruby/object:Gem::Specification
+name: authorized_persona
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- John Mileham
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2019-06-07 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: activemodel
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.1.6.2
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '7'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.1.6.2
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '7'
+- !ruby/object:Gem::Dependency
+  name: railties
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.1.6.2
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '7'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.1.6.2
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '7'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rubocop-betterment
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: AuthorizedPersona is a rails implementation of Betterment's Persona Centric
+  Authorization pattern
+email:
+- john@betterment.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- ".travis.yml"
+- CODE_OF_CONDUCT.md
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
+- authorized_persona.gemspec
+- bin/console
+- bin/setup
+- lib/authorized_persona.rb
+- lib/authorized_persona/authorization.rb
+- lib/authorized_persona/persona.rb
+- lib/authorized_persona/railtie.rb
+- lib/authorized_persona/version.rb
+- lib/authorized_persona/view_helpers.rb
+homepage: https://github.com/Betterment/authorized_persona
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3
+signing_key: 
+specification_version: 4
+summary: the simplest authorization library you will ever love
+test_files: []