authorized_persona 0.1.0 → 0.9.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.gitignore +2 -0
- data/README.md +25 -2
- data/authorized_persona.gemspec +2 -2
- data/lib/authorized_persona.rb +0 -1
- data/lib/authorized_persona/authorization.rb +9 -4
- data/lib/authorized_persona/persona.rb +21 -0
- data/lib/authorized_persona/version.rb +1 -1
- metadata +5 -6
- data/Gemfile.lock +0 -112
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 3072dc5f8b435349401f93116e4b0b7e3b7186f575edc9b8445d8cb57b0dff5a
|
|
4
|
+
data.tar.gz: b667896c39b2f9707949556f27bbaf38da5c98c59e0bdd2ef7fe201eb078f6b4
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 359023dc6e9a4a3404fba063afc428cab6054910c7f495acbd3e8eaac045d1a3e8145f57b9b2e3355b7518110b57dcf6977338d75981ef6e93e5d267a01ba9e7
|
|
7
|
+
data.tar.gz: 6109174ab892f4585d4a6cec4300d29184d55db985b100aae70a299b0a1f5f555bf50b97f20065b34e282cec13a633047989e759d2141cbca578b571e7ac84da
|
data/.gitignore
CHANGED
data/README.md
CHANGED
|
@@ -34,7 +34,7 @@ your data model and trust root chaining. But even when more access
|
|
|
34
34
|
control logic is required, you will develop simpler, better-fit
|
|
35
35
|
solutions within your application.
|
|
36
36
|
|
|
37
|
-
Which
|
|
37
|
+
Which led us to the following conclusions:
|
|
38
38
|
|
|
39
39
|
* Applications should be built for a single persona each.
|
|
40
40
|
* In Rails applications, authorization should be granted and enforced
|
|
@@ -73,7 +73,7 @@ We'll assume you're using an authentication library like `devise` or
|
|
|
73
73
|
|
|
74
74
|
1. Integrate AuthorizedPersona into your user model.
|
|
75
75
|
|
|
76
|
-
The example uses ActiveRecord, but any ActiveModel-
|
|
76
|
+
The example uses ActiveRecord, but any ActiveModel-like ORM will do.
|
|
77
77
|
Your model only needs to have a string attribute named
|
|
78
78
|
`authorization_tier`.
|
|
79
79
|
|
|
@@ -107,6 +107,11 @@ end
|
|
|
107
107
|
class ApplicationController < ActionController::Base
|
|
108
108
|
include AuthorizedPersona::Authorization
|
|
109
109
|
|
|
110
|
+
# Any needed hooks your authentication library needs to ensure
|
|
111
|
+
# `current_user` is set before # authorization, e.g.:
|
|
112
|
+
#
|
|
113
|
+
# before_filter :authenticate_user!
|
|
114
|
+
|
|
110
115
|
authorize_persona class_name: "User"
|
|
111
116
|
|
|
112
117
|
# or optionally override the method name we use to fetch current_[class_name] e.g.:
|
|
@@ -187,6 +192,24 @@ class BillSearch
|
|
|
187
192
|
end
|
|
188
193
|
```
|
|
189
194
|
|
|
195
|
+
6. (Advanced) If you need to determine which users are at or above an
|
|
196
|
+
authorization tier, e.g. for fanning out notifications:
|
|
197
|
+
|
|
198
|
+
```ruby
|
|
199
|
+
# app/jobs/sensitive_bill_notification_job.rb
|
|
200
|
+
class SensitiveBillNotificationJob < ApplicationJob
|
|
201
|
+
|
|
202
|
+
def perform(bill_id)
|
|
203
|
+
bill = Bill.find(bill_id)
|
|
204
|
+
# AuthorizedPersona::Persona provides a `.[tier]_or_above` scope if
|
|
205
|
+
# your ORM supports a `.where` method
|
|
206
|
+
User.admin_or_above.find_each do |admin|
|
|
207
|
+
AdminMailer.with(user: admin, bill: bill).sensitive_bill_notification.deliver_later
|
|
208
|
+
end
|
|
209
|
+
end
|
|
210
|
+
end
|
|
211
|
+
```
|
|
212
|
+
|
|
190
213
|
## Development
|
|
191
214
|
|
|
192
215
|
After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
|
data/authorized_persona.gemspec
CHANGED
|
@@ -24,9 +24,9 @@ Gem::Specification.new do |spec|
|
|
|
24
24
|
|
|
25
25
|
rails_version_range = [">= 5.1.6.2", "< 7"]
|
|
26
26
|
|
|
27
|
-
spec.add_dependency "
|
|
28
|
-
spec.add_dependency "railties", *rails_version_range
|
|
27
|
+
spec.add_dependency "railties", *rails_version_range
|
|
29
28
|
|
|
29
|
+
spec.add_development_dependency "activemodel", *rails_version_range
|
|
30
30
|
spec.add_development_dependency "bundler", "~> 2.0"
|
|
31
31
|
spec.add_development_dependency "rake", "~> 10.0"
|
|
32
32
|
spec.add_development_dependency "rspec", "~> 3.0"
|
data/lib/authorized_persona.rb
CHANGED
|
@@ -9,13 +9,11 @@ module AuthorizedPersona
|
|
|
9
9
|
self.authorized_actions = {}
|
|
10
10
|
|
|
11
11
|
helper_method :authorization_current_user
|
|
12
|
-
|
|
13
|
-
before_action :authorize!
|
|
14
12
|
end
|
|
15
13
|
|
|
16
14
|
class_methods do
|
|
17
15
|
# Configure authorization for an authorized persona class
|
|
18
|
-
def authorize_persona(class_name:, current_user_method: nil) # rubocop:disable Metrics/AbcSize
|
|
16
|
+
def authorize_persona(class_name:, current_user_method: nil) # rubocop:disable Metrics/AbcSize, Metrics/PerceivedComplexity, Metrics/MethodLength, Metrics/LineLength
|
|
19
17
|
raise AuthorizedPersona::Error, "you can only configure authorization once" if authorization_persona_class_name.present?
|
|
20
18
|
raise AuthorizedPersona::Error, "class_name must be a string" unless class_name.is_a?(String)
|
|
21
19
|
raise AuthorizedPersona::Error, "current_user_method must be a symbol" if current_user_method && !current_user_method.is_a?(Symbol)
|
|
@@ -26,7 +24,14 @@ module AuthorizedPersona
|
|
|
26
24
|
raise AuthorizedPersona::Error, "#{class_name} must be an AuthorizedPersona::Persona"
|
|
27
25
|
end
|
|
28
26
|
|
|
29
|
-
|
|
27
|
+
model_name = if authorization_persona.respond_to?(:model_name)
|
|
28
|
+
authorization_persona.model_name.singular_route_key
|
|
29
|
+
else
|
|
30
|
+
authorization_persona.name.underscore
|
|
31
|
+
end
|
|
32
|
+
self.authorization_current_user_method = current_user_method || :"current_#{model_name}"
|
|
33
|
+
|
|
34
|
+
before_action :authorize!
|
|
30
35
|
end
|
|
31
36
|
|
|
32
37
|
# Grants replace all previous grants to avoid privilege leakage
|
|
@@ -2,6 +2,14 @@ module AuthorizedPersona
|
|
|
2
2
|
module Persona
|
|
3
3
|
extend ActiveSupport::Concern
|
|
4
4
|
|
|
5
|
+
included do
|
|
6
|
+
if respond_to?(:where)
|
|
7
|
+
def self.with_authorization_tier_at_or_above(tier)
|
|
8
|
+
where(authorization_tier_attribute_name => authorization_tier_names.drop(authorization_tier_level(tier)))
|
|
9
|
+
end
|
|
10
|
+
end
|
|
11
|
+
end
|
|
12
|
+
|
|
5
13
|
class_methods do
|
|
6
14
|
# Get the attribute name for authorization_tier
|
|
7
15
|
def authorization_tier_attribute_name
|
|
@@ -45,6 +53,19 @@ module AuthorizedPersona
|
|
|
45
53
|
end
|
|
46
54
|
end
|
|
47
55
|
|
|
56
|
+
if respond_to?(:with_authorization_tier_at_or_above)
|
|
57
|
+
class_methods = Module.new
|
|
58
|
+
extend class_methods
|
|
59
|
+
|
|
60
|
+
class_methods.module_eval do
|
|
61
|
+
tiers.keys.each do |tier|
|
|
62
|
+
define_method "#{tier}_or_above" do
|
|
63
|
+
with_authorization_tier_at_or_above(tier)
|
|
64
|
+
end
|
|
65
|
+
end
|
|
66
|
+
end
|
|
67
|
+
end
|
|
68
|
+
|
|
48
69
|
@authorization_tiers = tiers.freeze
|
|
49
70
|
end
|
|
50
71
|
|
metadata
CHANGED
|
@@ -1,17 +1,17 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: authorized_persona
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.9.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- John Mileham
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-06-
|
|
11
|
+
date: 2019-06-08 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
|
-
name:
|
|
14
|
+
name: railties
|
|
15
15
|
requirement: !ruby/object:Gem::Requirement
|
|
16
16
|
requirements:
|
|
17
17
|
- - ">="
|
|
@@ -31,7 +31,7 @@ dependencies:
|
|
|
31
31
|
- !ruby/object:Gem::Version
|
|
32
32
|
version: '7'
|
|
33
33
|
- !ruby/object:Gem::Dependency
|
|
34
|
-
name:
|
|
34
|
+
name: activemodel
|
|
35
35
|
requirement: !ruby/object:Gem::Requirement
|
|
36
36
|
requirements:
|
|
37
37
|
- - ">="
|
|
@@ -40,7 +40,7 @@ dependencies:
|
|
|
40
40
|
- - "<"
|
|
41
41
|
- !ruby/object:Gem::Version
|
|
42
42
|
version: '7'
|
|
43
|
-
type: :
|
|
43
|
+
type: :development
|
|
44
44
|
prerelease: false
|
|
45
45
|
version_requirements: !ruby/object:Gem::Requirement
|
|
46
46
|
requirements:
|
|
@@ -120,7 +120,6 @@ files:
|
|
|
120
120
|
- ".travis.yml"
|
|
121
121
|
- CODE_OF_CONDUCT.md
|
|
122
122
|
- Gemfile
|
|
123
|
-
- Gemfile.lock
|
|
124
123
|
- LICENSE.txt
|
|
125
124
|
- README.md
|
|
126
125
|
- Rakefile
|
data/Gemfile.lock
DELETED
|
@@ -1,112 +0,0 @@
|
|
|
1
|
-
PATH
|
|
2
|
-
remote: .
|
|
3
|
-
specs:
|
|
4
|
-
authorized_persona (0.1.0)
|
|
5
|
-
activemodel (>= 5.1.6.2, < 7)
|
|
6
|
-
railties (>= 5.1.6.2, < 7)
|
|
7
|
-
|
|
8
|
-
GEM
|
|
9
|
-
remote: https://rubygems.org/
|
|
10
|
-
specs:
|
|
11
|
-
actionpack (5.2.3)
|
|
12
|
-
actionview (= 5.2.3)
|
|
13
|
-
activesupport (= 5.2.3)
|
|
14
|
-
rack (~> 2.0)
|
|
15
|
-
rack-test (>= 0.6.3)
|
|
16
|
-
rails-dom-testing (~> 2.0)
|
|
17
|
-
rails-html-sanitizer (~> 1.0, >= 1.0.2)
|
|
18
|
-
actionview (5.2.3)
|
|
19
|
-
activesupport (= 5.2.3)
|
|
20
|
-
builder (~> 3.1)
|
|
21
|
-
erubi (~> 1.4)
|
|
22
|
-
rails-dom-testing (~> 2.0)
|
|
23
|
-
rails-html-sanitizer (~> 1.0, >= 1.0.3)
|
|
24
|
-
activemodel (5.2.3)
|
|
25
|
-
activesupport (= 5.2.3)
|
|
26
|
-
activesupport (5.2.3)
|
|
27
|
-
concurrent-ruby (~> 1.0, >= 1.0.2)
|
|
28
|
-
i18n (>= 0.7, < 2)
|
|
29
|
-
minitest (~> 5.1)
|
|
30
|
-
tzinfo (~> 1.1)
|
|
31
|
-
ast (2.4.0)
|
|
32
|
-
builder (3.2.3)
|
|
33
|
-
concurrent-ruby (1.1.5)
|
|
34
|
-
crass (1.0.4)
|
|
35
|
-
diff-lcs (1.3)
|
|
36
|
-
erubi (1.8.0)
|
|
37
|
-
i18n (1.6.0)
|
|
38
|
-
concurrent-ruby (~> 1.0)
|
|
39
|
-
jaro_winkler (1.5.2)
|
|
40
|
-
loofah (2.2.3)
|
|
41
|
-
crass (~> 1.0.2)
|
|
42
|
-
nokogiri (>= 1.5.9)
|
|
43
|
-
method_source (0.9.2)
|
|
44
|
-
mini_portile2 (2.4.0)
|
|
45
|
-
minitest (5.11.3)
|
|
46
|
-
nokogiri (1.10.3)
|
|
47
|
-
mini_portile2 (~> 2.4.0)
|
|
48
|
-
parallel (1.17.0)
|
|
49
|
-
parser (2.6.3.0)
|
|
50
|
-
ast (~> 2.4.0)
|
|
51
|
-
powerpack (0.1.2)
|
|
52
|
-
rack (2.0.7)
|
|
53
|
-
rack-test (1.1.0)
|
|
54
|
-
rack (>= 1.0, < 3)
|
|
55
|
-
rails-dom-testing (2.0.3)
|
|
56
|
-
activesupport (>= 4.2.0)
|
|
57
|
-
nokogiri (>= 1.6)
|
|
58
|
-
rails-html-sanitizer (1.0.4)
|
|
59
|
-
loofah (~> 2.2, >= 2.2.2)
|
|
60
|
-
railties (5.2.3)
|
|
61
|
-
actionpack (= 5.2.3)
|
|
62
|
-
activesupport (= 5.2.3)
|
|
63
|
-
method_source
|
|
64
|
-
rake (>= 0.8.7)
|
|
65
|
-
thor (>= 0.19.0, < 2.0)
|
|
66
|
-
rainbow (3.0.0)
|
|
67
|
-
rake (10.5.0)
|
|
68
|
-
rspec (3.8.0)
|
|
69
|
-
rspec-core (~> 3.8.0)
|
|
70
|
-
rspec-expectations (~> 3.8.0)
|
|
71
|
-
rspec-mocks (~> 3.8.0)
|
|
72
|
-
rspec-core (3.8.0)
|
|
73
|
-
rspec-support (~> 3.8.0)
|
|
74
|
-
rspec-expectations (3.8.3)
|
|
75
|
-
diff-lcs (>= 1.2.0, < 2.0)
|
|
76
|
-
rspec-support (~> 3.8.0)
|
|
77
|
-
rspec-mocks (3.8.0)
|
|
78
|
-
diff-lcs (>= 1.2.0, < 2.0)
|
|
79
|
-
rspec-support (~> 3.8.0)
|
|
80
|
-
rspec-support (3.8.0)
|
|
81
|
-
rubocop (0.61.1)
|
|
82
|
-
jaro_winkler (~> 1.5.1)
|
|
83
|
-
parallel (~> 1.10)
|
|
84
|
-
parser (>= 2.5, != 2.5.1.1)
|
|
85
|
-
powerpack (~> 0.1)
|
|
86
|
-
rainbow (>= 2.2.2, < 4.0)
|
|
87
|
-
ruby-progressbar (~> 1.7)
|
|
88
|
-
unicode-display_width (~> 1.4.0)
|
|
89
|
-
rubocop-betterment (1.8.0)
|
|
90
|
-
rubocop (~> 0.61.1)
|
|
91
|
-
rubocop-rspec (= 1.28.0)
|
|
92
|
-
rubocop-rspec (1.28.0)
|
|
93
|
-
rubocop (>= 0.58.0)
|
|
94
|
-
ruby-progressbar (1.10.1)
|
|
95
|
-
thor (0.20.3)
|
|
96
|
-
thread_safe (0.3.6)
|
|
97
|
-
tzinfo (1.2.5)
|
|
98
|
-
thread_safe (~> 0.1)
|
|
99
|
-
unicode-display_width (1.4.1)
|
|
100
|
-
|
|
101
|
-
PLATFORMS
|
|
102
|
-
ruby
|
|
103
|
-
|
|
104
|
-
DEPENDENCIES
|
|
105
|
-
authorized_persona!
|
|
106
|
-
bundler (~> 2.0)
|
|
107
|
-
rake (~> 10.0)
|
|
108
|
-
rspec (~> 3.0)
|
|
109
|
-
rubocop-betterment
|
|
110
|
-
|
|
111
|
-
BUNDLED WITH
|
|
112
|
-
2.0.1
|