authorizy 0.1.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d9be49c0763122d6a892671c240a9211720a664a62d66ee457c31203a436c0f8
-  data.tar.gz: 8c6806a8c63b06c3f750cba5ed61ce512e8520b79d20273711cfdac1b1345188
+  metadata.gz: 1bdbf8fe26ec2fa456858b922f21efa63830f329018f07d6c2bed196d7e5cd8a
+  data.tar.gz: 49ad3862405c7707a3ab83c458e8c950d4fcf8b3e6488d7edc6fa6416e912cd9
 SHA512:
-  metadata.gz: 4aecc0fc9dfb238e9a0b4948bf49e424ae3bdd1ce9d8b5942c8ae66605c259b0f2f80b0800dcf6c383248a76a6a47ead49f42ff4f746523875eb8fb8e3c2a628
-  data.tar.gz: 62386459e46f79d0d17a21e4229fd69c4915eb762f115adf2a76323590f0c471ef325bfa9f8c44ab6283a20e32dd196692da4958fd9a1f436255baafa83d1248
+  metadata.gz: 88568952618d7984a5ec9b548a74adaa64a263d4bfecdae71ec5e28225df8a5a93d5febf6aedb5a27a87f22ced4c066da8b330a5e8c96bc77abc7cea71cbde20
+  data.tar.gz: 2be439b99e310b42fca0122ba1a2c7bdf79d932a38be47e09722f6308763f73f25f76ad3481874ac0f7bd3b3e6ea7f33728c1605d372aba71a15c6de8143ffc7

data/CHANGELOG.md

@@ -1,3 +1,44 @@
+# v0.3.0
+
+## Features
+
+- Added options `field` to customize how the authorizy field is fetched;
+
+# v0.2.2
+
+## Fixes
+
+- When Cop returns anything different from `true` it is converted to `false`;
+
+# v0.2.1
+
+## Fixes
+
+- Returns `401` status code when user has no authorization on a XHR request;
+
+# v0.2.0
+
+## Break Changes
+
+- The permissions format now is:
+
+```
+{
+  permissions: [
+    ['controller', 'action'],
+    ['controller2', 'action2'],
+  ]
+}
+```
+
+## Fixes
+
+- Calls the `Authorizy::BaseCop#access?` as the first check intercepting all requests;
+
+## Features
+
+- Added RSpec matcher to make the test easier;
+
 # v0.1.0
 
 ## Features

data/README.md

@@ -3,8 +3,8 @@
 [![CI](https://github.com/wbotelhos/authorizy/workflows/CI/badge.svg)](https://github.com/wbotelhos/authorizy/actions)
 [![Gem Version](https://badge.fury.io/rb/authorizy.svg)](https://badge.fury.io/rb/authorizy)
 [![Maintainability](https://api.codeclimate.com/v1/badges/f312587b4f126bb13e85/maintainability)](https://codeclimate.com/github/wbotelhos/authorizy/maintainability)
-[![Coverage](https://codecov.io/gh/wbotelhos/blogy/branch/master/graph/badge.svg?token=PENDING)](https://codecov.io/gh/wbotelhos/authorizy)
-[![Sponsor](https://img.shields.io/badge/donate-%3C3-brightgreen.svg)](https://www.patreon.com/wbotelhos)
+[![Coverage](https://codecov.io/gh/wbotelhos/authorizy/branch/main/graph/badge.svg)](https://codecov.io/gh/wbotelhos/authorizy)
+[![Sponsor](https://img.shields.io/badge/sponsor-%3C3-green)](https://www.patreon.com/wbotelhos)
 
 A JSON based Authorization.
 
@@ -23,7 +23,7 @@ gem 'authorizy'
 Run the following task to create Authorizy migration and initialize.
 
 ```sh
-rails g rating:install
+rails g authorizy:install
 ```
 
 Then execute the migration to adds the column `authorizy` to your `users` table.
@@ -55,8 +55,8 @@ The column `authorizy` is a JSON column that has a key called `permission` with
 ```ruby
 {
   permissions: [
-    { controller: :user, action: :create },
-    { controller: :user, action: :update },
+    [users, :create],
+    [users, :update],
   }
 }
 ```
@@ -84,28 +84,9 @@ Authorizy.configure do |config|
 end
 ```
 
-### Dependencies
-
-You can allow access to one or more controllers and actions based on your permissions. It'll consider not only the `action`, like [aliases](#aliases) but the controller either.
-
-```ruby
-Authorizy.configure do |config|
-  config.dependencies = {
-    payments: {
-      index: [
-        { controller: :users, action: :index },
-        { controller: :enrollments, action: :index },
-      ]
-    }
-  }
-end
-```
-
-So now if a have the permission `payments#index` I'll receive more two permissions: `users#index` and `enrollments#index`.
-
 ### Cop
 
-Sometimes we need to allow access in runtime because the permission will depend on the request data and/or some dynamic logic. For this you can create a *Cop* class, the inherit from `Authorizy::BaseCop`, to allow it based on logic. It works like a [Interceptor](https://en.wikipedia.org/wiki/Interceptor_pattern).
+Sometimes we need to allow access in runtime because the permission will depend on the request data and/or some dynamic logic. For this you can create a *Cop* class, that inherits from `Authorizy::BaseCop`, to allow it based on logic. It works like a [Interceptor](https://en.wikipedia.org/wiki/Interceptor_pattern).
 
 First, you need to configure your cop:
 
@@ -130,6 +111,7 @@ end
 ```
 
 As you can see, you have access to a couple of variables: `action`, `controller`, `current_user`, `params`, and `session`.
+When you return `false`, the authorization will be denied, when you return `true` your access will be allowed.
 
 If your controller has a namespace, just use `__` to separate the modules name:
 
@@ -140,13 +122,52 @@ class AuthorizyCop < Authorizy::BaseCop
 end
 ```
 
+If you want to intercept all request as the first Authorizy check, you can override the `access?` method:
+
+```ruby
+class AuthorizyCop < Authorizy::BaseCop
+  def access?
+    return true if current_user.admin?
+  end
+end
+```
+
 ### Current User
 
 By default Authorizy fetch the current user from the variable `current_user`. You have a config, that receives the controller context, where you can change it:
 
 ```ruby
 Authorizy.configure do |config|
-  config.current_user -> (context) { context.current_person }
+  config.current_user = -> (context) { context.current_person }
+end
+```
+
+### Dependencies
+
+You can allow access to one or more controllers and actions based on your permissions. It'll consider not only the `action`, like [aliases](#aliases) but the controller either.
+
+```ruby
+Authorizy.configure do |config|
+  config.dependencies = {
+    payments: {
+      index: [
+        ['system/users', :index],
+        ['system/enrollments', :index],
+      ]
+    }
+  }
+end
+```
+
+So now if a have the permission `payments#index` I'll receive more two permissions: `users#index` and `enrollments#index`.
+
+### Field
+
+By default the permissions are located inside the field called `authorizy` in the configured `current_user`. You can change how this field is fetched:
+
+```ruby
+Authorizy.configure do |config|
+  @field = ->(current_user) { current_user.profile.authorizy }
 end
 ```
 
@@ -156,7 +177,7 @@ When authorization fails and the request is not a XHR request a redirect happens
 
 ```ruby
 Authorizy.configure do |config|
-  config.redirect_url -> (context) { context.new_session_url }
+  config.redirect_url = -> (context) { context.new_session_url }
 end
 ```
 
@@ -188,3 +209,74 @@ Using on jBuilder view:
 ```ruby
 json.create_link new_users_url if authorizy?(:users, :create)
 ```
+
+# Specs
+
+To test some routes you'll need to give or not permission to the user, for that you have to ways, where the first is give permission to the user via session:
+
+```ruby
+before do
+  sign_in(current_user)
+
+  session[:permissions] = [[:users, :create]]
+end
+```
+
+Or you can put the permission directly in the current user:
+
+```ruby
+before do
+  sign_in(current_user)
+
+  current_user.update(permissions: [[:users, :create]])
+end
+```
+
+## Checks
+
+We have a couple of check, here is the order:
+
+1. `Authorizy::BaseCop#access?`;
+2. `session[:permissions]`;
+3. `current_user.authorizy['permissions']`;
+4. `Authorizy::BaseCop#controller_name`;
+
+## Performance
+
+If you have few permissions, you can save the permissions in the session and avoid hit database many times, but if you have a couple of them, maybe it's a good idea save it in some place like [Redis](https://redis.io).
+
+## Management
+
+It's a good idea you keep your permissions in the database, so the customer can change it dynamic. You can load all permissions when the user is logged and cache it later. For cache expiration, you can trigger a refresh everytime that the permissions change.
+
+## Database Structure
+
+Inside database you can use the following relation to dynamicly change your permissions:
+
+```ruby
+plans -> plans_permissions <- permissions
+                |
+                v
+        role_plan_permissions
+                ^
+                |
+              roles
+```
+
+## RSpec
+
+You can test you app passing through all authorizy layers:
+
+```ruby
+user = User.create!(permission: { permissions: [[:users, :create]] })
+
+expect(user).to be_authorized(:users, :create)
+```
+
+Or make sure the user does not have access:
+
+```ruby
+user = User.create!(permission: {})
+
+expect(user).not_to be_authorized(:users, :create)
+```

data/lib/authorizy/base_cop.rb

@@ -2,9 +2,9 @@
 
 module Authorizy
   class BaseCop
-    def initialize(current_user, params, session, controller, action)
-      @action       = action
-      @controller   = controller
+    def initialize(current_user, params, session)
+      @action       = params[:action].to_s
+      @controller   = params[:controller].to_s
       @current_user = current_user
       @params       = params
       @session      = session

data/lib/authorizy/config.rb

@@ -2,14 +2,15 @@
 
 module Authorizy
   class Config
-    attr_accessor :aliases, :dependencies, :cop, :current_user, :redirect_url
+    attr_accessor :aliases, :cop, :current_user, :dependencies, :field, :redirect_url
 
     def initialize
       @aliases      = {}
       @cop          = Authorizy::BaseCop
-      @current_user = -> (context) { context.respond_to?(:current_user) ? context.current_user : nil }
+      @current_user = ->(context) { context.respond_to?(:current_user) ? context.current_user : nil }
       @dependencies = {}
-      @redirect_url = -> (context) { context.respond_to?(:root_url) ? context.root_url : '/' }
+      @field        = ->(current_user) { current_user.respond_to?(:authorizy) ? current_user.authorizy : {} }
+      @redirect_url = ->(context) { context.respond_to?(:root_url) ? context.root_url : '/' }
     end
   end
 end

data/lib/authorizy/core.rb

@@ -2,42 +2,55 @@
 
 module Authorizy
   class Core
-    def initialize(current_user, params, session, controller: params['controller'], action: params['action'])
-      @action       = action.to_s
-      @controller   = controller.to_s
-      @current_user = current_user
-      @params       = params
-      @session      = session
+    def initialize(user, params, session, cop:)
+      @cop     = cop
+      @params  = params
+      @session = session
+      @user    = user
     end
 
     def access?
-      return false if @current_user.blank?
+      return false if @user.blank?
 
-      granted = permissions.any? do |item|
-        data = item.stringify_keys
+      return true if @cop.access? ||
+                     session_permissions.any? { |tuple| route_match?(tuple) } ||
+                     user_permissions.any? { |tuple| route_match?(tuple) }
 
-        data['controller'].to_s == @controller && data['action'].to_s == @action
-      end
+      return @cop.public_send(cop_controller) == true if @cop.respond_to?(cop_controller)
 
-      return true if granted
-
-      cop.respond_to?(cop_controller) && cop.public_send(cop_controller)
+      false
     end
 
     private
 
-    def cop
-      Authorizy.config.cop.new(@current_user, @params, @session, @controller, @action)
+    def action
+      @params[:action].to_s
+    end
+
+    def controller
+      @params[:controller].to_s
     end
 
     def cop_controller
-      @controller.sub('/', '__')
+      controller.sub('/', '__')
+    end
+
+    def expand(permissions)
+      return [] if permissions.blank?
+
+      Authorizy::Expander.new.expand(permissions)
+    end
+
+    def session_permissions
+      expand(@session[:permissions])
+    end
+
+    def route_match?(tuple)
+      tuple[0] == controller && tuple[1] == action
     end
 
-    def permissions
-      Authorizy::Expander.new.expand(
-        [@session['permissions']].flatten.compact.presence || @current_user.authorizy.try(:[], 'permissions')
-      )
+    def user_permissions
+      expand(Authorizy.config.field.call(@user).try(:[], 'permissions'))
     end
   end
 end

data/lib/authorizy/expander.rb

@@ -8,24 +8,27 @@ module Authorizy
       result = {}
 
       permissions.each do |permission|
-        item = permission.stringify_keys.transform_values(&:to_s)
+        controller = permission[0].to_s
+        action = permission[1].to_s
 
-        result[key_for(item)] = item
+        result["#{controller}##{action}"] = [controller, action]
 
-        if (items = controller_dependency(item))
-          items.each { |data| result[key_for(data)] = data }
+        if (items = controller_dependency(controller, action))
+          items.each do |controller_item, action_item|
+            result["#{controller_item}##{action_item}"] = [controller_item, action_item]
+          end
         end
 
-        actions = [default_aliases[item['action']]].flatten.compact
+        actions = [default_aliases[action]].flatten.compact
 
         next if actions.blank?
 
-        actions.each do |action|
-          result[key_for(item, action: action)] = { 'action' => action.to_s, 'controller' => item['controller'].to_s }
+        actions.each do |action_item|
+          result["#{controller}##{action_item}"] = [controller, action_item.to_s]
         end
       end
 
-      result.values
+      result.values # TODO: garantir o uniq
     end
 
     private
@@ -34,11 +37,11 @@ module Authorizy
       Authorizy.config.aliases.stringify_keys
     end
 
-    def controller_dependency(item)
-      return if (actions = dependencies[item['controller']]).blank?
-      return if (permissions = actions[item['action']]).blank?
+    def controller_dependency(controller, action)
+      return if (actions = dependencies[controller]).blank?
+      return if (permissions = actions[action]).blank?
 
-      permissions.map { |permission| permission.transform_values(&:to_s) }
+      permissions.map { |c, a| [c.to_s, a.to_s] }
     end
 
     def default_aliases
@@ -53,9 +56,5 @@ module Authorizy
     def dependencies
       Authorizy.config.dependencies.deep_stringify_keys
     end
-
-    def key_for(item, action: nil)
-      "#{item['controller']}##{action || item['action']}"
-    end
   end
 end

data/lib/authorizy/extension.rb

@@ -8,17 +8,20 @@ module Authorizy
       helper_method(:authorizy?)
 
       def authorizy
-        return if Authorizy::Core.new(authorizy_user, params, session).access?
+        return if Authorizy::Core.new(authorizy_user, params, session, cop: authorizy_cop).access?
 
-        info = I18n.t('authorizy.denied', action: params[:action], controller: params[:controller])
+        info = I18n.t('authorizy.denied', controller: params[:controller], action: params[:action])
 
-        return render(json: { message: info }, status: 422) if request.xhr?
+        return render(json: { message: info }, status: 401) if request.xhr?
 
         redirect_to Authorizy.config.redirect_url.call(self), info: info
       end
 
       def authorizy?(controller, action)
-        Authorizy::Core.new(authorizy_user, params, session, action: action, controller: controller).access?
+        params['controller'] = controller
+        params['action'] = action
+
+        Authorizy::Core.new(authorizy_user, params, session, cop: authorizy_cop).access?
       end
 
       private
@@ -26,6 +29,10 @@ module Authorizy
       def authorizy_user
         Authorizy.config.current_user.call(self)
       end
+
+      def authorizy_cop
+        Authorizy.config.cop.new(authorizy_user, params, session)
+      end
     end
   end
 end