authorizy 0.2.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: faaf887b6dd9e95abc874df1b5ac534de5dc2dbebda5b2d887472a14a582fa9f
-  data.tar.gz: 156619514026194dc25299d689aec65ef0cce3ee5500c79090677286cb59dd61
+  metadata.gz: d5aa4cb2402214093d2887dcd0760f1087586e28d558c52bfcb4999ff18f72cc
+  data.tar.gz: e189e2a283e745c6cb37ddab2683b362d86a4355d776866f031d4cc2c2913079
 SHA512:
-  metadata.gz: 9d3e8128355ad5fc09b3bfd8f6719dc8b5ae1a11470de49979e8877f48c2f87752a7990549dc921758499585df4a6615f3941f91863afa65eb25520290577f81
-  data.tar.gz: 49f47d3b8d83d810a419139fb8c9419b51939bf817c6ec617200382e9951376c2ff545a669548d9f3ad6b44270facb849073ad80b5efa6f9348376b56c448df7
+  metadata.gz: bc846ae164fabea516698ef5ddfaec65618a30f2949ec59cc8d93a7b380f240a1a1e25afd53ea6cdfb4f0db7b43cb5a1b26fdd8f87220ef47f9de0d8064b4508
+  data.tar.gz: 24e3e907dc28f062932bcc41387f5075ca3865b3406dc80cef0da09439c9db47a52d9c1b3d6ef1871138292f888e43608711e0fc3167a02da5e0d439fcc83091

data/CHANGELOG.md

@@ -1,3 +1,31 @@
+# v0.4.0
+
+## Fixes
+
+- Returns `403` status code, to represent recognized but not authorized, instead `401`;
+
+## Features
+
+- Added `denied` callback allowing a custom acess denied treatment;
+
+# v0.3.0
+
+## Features
+
+- Added options `field` to customize how the authorizy field is fetched;
+
+# v0.2.2
+
+## Fixes
+
+- When Cop returns anything different from `true` it is converted to `false`;
+
+# v0.2.1
+
+## Fixes
+
+- Returns `401` status code when user has no authorization on a XHR request;
+
 # v0.2.0
 
 ## Break Changes

data/README.md

@@ -8,10 +8,6 @@
 
 A JSON based Authorization.
 
-##### Why not [cancancan](https://github.com/CanCanCommunity/cancancan)?
-
-I have been working with cancan/cancancan for years. Since the beginning with [database access](https://github.com/CanCanCommunity/cancancan/blob/develop/docs/Abilities-in-Database.md). After a while, I realised I built a couple of abstractions around `ability` class and suddenly migrated to JSON for better performance. As I need a full role admin I decided to start to extract this logic to a gem.
-
 ## Install
 
 Add the following code on your `Gemfile` and run `bundle install`:
@@ -84,25 +80,6 @@ Authorizy.configure do |config|
 end
 ```
 
-### Dependencies
-
-You can allow access to one or more controllers and actions based on your permissions. It'll consider not only the `action`, like [aliases](#aliases) but the controller either.
-
-```ruby
-Authorizy.configure do |config|
-  config.dependencies = {
-    payments: {
-      index: [
-        ['system/users', :index],
-        ['system/enrollments', :index],
-      ]
-    }
-  }
-end
-```
-
-So now if a have the permission `payments#index` I'll receive more two permissions: `users#index` and `enrollments#index`.
-
 ### Cop
 
 Sometimes we need to allow access in runtime because the permission will depend on the request data and/or some dynamic logic. For this you can create a *Cop* class, that inherits from `Authorizy::BaseCop`, to allow it based on logic. It works like a [Interceptor](https://en.wikipedia.org/wiki/Interceptor_pattern).
@@ -161,6 +138,43 @@ Authorizy.configure do |config|
 end
 ```
 
+### Denied
+
+When some access is denied, by default, Authorizy checks if it is a XHR request or not and then redirect or serializes a message with status code `403`. You can rescue it by yourself:
+
+```ruby
+config.denied = ->(context) { context.redirect_to(subscription_path, info: 'Subscription expired!') }
+```
+
+### Dependencies
+
+You can allow access to one or more controllers and actions based on your permissions. It'll consider not only the `action`, like [aliases](#aliases) but the controller either.
+
+```ruby
+Authorizy.configure do |config|
+  config.dependencies = {
+    payments: {
+      index: [
+        ['system/users', :index],
+        ['system/enrollments', :index],
+      ]
+    }
+  }
+end
+```
+
+So now if a have the permission `payments#index` I'll receive more two permissions: `users#index` and `enrollments#index`.
+
+### Field
+
+By default the permissions are located inside the field called `authorizy` in the configured `current_user`. You can change how this field is fetched:
+
+```ruby
+Authorizy.configure do |config|
+  @field = ->(current_user) { current_user.profile.authorizy }
+end
+```
+
 ### Redirect URL
 
 When authorization fails and the request is not a XHR request a redirect happens to `/` path. You can change it:

data/lib/authorizy/config.rb

@@ -2,13 +2,23 @@
 
 module Authorizy
   class Config
-    attr_accessor :aliases, :dependencies, :cop, :current_user, :redirect_url
+    attr_accessor :aliases, :cop, :current_user, :denied, :dependencies, :field, :redirect_url
 
     def initialize
       @aliases      = {}
       @cop          = Authorizy::BaseCop
       @current_user = ->(context) { context.respond_to?(:current_user) ? context.current_user : nil }
+
+      @denied = lambda { |context|
+        info = I18n.t('authorizy.denied', controller: context.params[:controller], action: context.params[:action])
+
+        return context.render(json: { message: info }, status: 403) if context.request.xhr?
+
+        context.redirect_to(redirect_url.call(self), info: info)
+      }
+
       @dependencies = {}
+      @field        = ->(current_user) { current_user.respond_to?(:authorizy) ? current_user.authorizy : {} }
       @redirect_url = ->(context) { context.respond_to?(:root_url) ? context.root_url : '/' }
     end
   end

data/lib/authorizy/core.rb

@@ -16,7 +16,7 @@ module Authorizy
                      session_permissions.any? { |tuple| route_match?(tuple) } ||
                      user_permissions.any? { |tuple| route_match?(tuple) }
 
-      return @cop.public_send(cop_controller) if @cop.respond_to?(cop_controller)
+      return @cop.public_send(cop_controller) == true if @cop.respond_to?(cop_controller)
 
       false
     end
@@ -50,7 +50,7 @@ module Authorizy
     end
 
     def user_permissions
-      expand(@user.authorizy.try(:[], 'permissions'))
+      expand(Authorizy.config.field.call(@user).try(:[], 'permissions'))
     end
   end
 end

data/lib/authorizy/extension.rb

@@ -8,38 +8,26 @@ module Authorizy
       helper_method(:authorizy?)
 
       def authorizy
-        return if authorizy_core.new(authorizy_user, params, session, cop: authorizy_cop).access?
+        return if Authorizy::Core.new(authorizy_user, params, session, cop: authorizy_cop).access?
 
-        info = I18n.t('authorizy.denied', controller: params[:controller], action: params[:action])
-
-        return render(json: { message: info }, status: 422) if request.xhr?
-
-        redirect_to authorizy_config.redirect_url.call(self), info: info
+        Authorizy.config.denied.call(self)
       end
 
       def authorizy?(controller, action)
         params['controller'] = controller
         params['action'] = action
 
-        authorizy_core.new(authorizy_user, params, session, cop: authorizy_cop).access?
+        Authorizy::Core.new(authorizy_user, params, session, cop: authorizy_cop).access?
       end
 
       private
 
-      def authorizy_core
-        Authorizy::Core
-      end
-
       def authorizy_user
-        authorizy_config.current_user.call(self)
-      end
-
-      def authorizy_config
-        Authorizy.config
+        Authorizy.config.current_user.call(self)
       end
 
       def authorizy_cop
-        authorizy_config.cop.new(authorizy_user, params, session)
+        Authorizy.config.cop.new(authorizy_user, params, session)
       end
     end
   end

data/lib/authorizy/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Authorizy
-  VERSION = '0.2.0'
+  VERSION = '0.4.0'
 end

data/lib/generators/authorizy/templates/config/initializers/authorizy.rb

@@ -9,14 +9,28 @@ Authorizy.configure do |config|
   # https://github.com/wbotelhos/authorizy#cop
   # config.cop = Authorizy::BaseCop
 
-  # The current user from we fetch the permissions
+  # The current user from where we fetch the permissions
   # https://github.com/wbotelhos/authorizy#current-user
   # config.current_user = -> (context) { context.respond_to?(:current_user) ? context.current_user : nil }
 
+  # Callback called when access is denied
+  # https://github.com/wbotelhos/authorizy#denied
+  # config.denied = lambda { |context|
+  #   info = I18n.t('authorizy.denied', controller: context.params[:controller], action: context.params[:action])
+
+  #   return context.render(json: { message: info }, status: 403) if context.request.xhr?
+
+  #   context.redirect_to(redirect_url.call(self), info: info)
+  # }
+
   # Inherited permissions from some other permission the user already has
   # https://github.com/wbotelhos/authorizy#dependencies
   # config.dependencies = {}
 
+  # Field used to fetch the Authorizy permissions
+  # https://github.com/wbotelhos/authorizy#field
+  # config.field = ->(current_user) { current_user.respond_to?(:authorizy) ? current_user.authorizy : {} }
+
   # URL to be redirect when user has no permission to access some resource
   # https://github.com/wbotelhos/authorizy#dependencies
   # config.redirect_url = -> (context) { context.respond_to?(:root_url) ? context.root_url : '/' }

data/spec/authorizy/config/current_user_spec.rb

@@ -15,9 +15,7 @@ RSpec.describe Authorizy::Config, '#current_user' do
     context 'when context does not respond to current_user' do
       let!(:context) { 'context' }
 
-      it 'returns nil' do
-        expect(config.current_user.call(context)).to be(nil)
-      end
+      it { expect(config.current_user.call(context)).to be(nil) }
     end
   end
 

data/spec/authorizy/config/denied_spec.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+RSpec.describe Authorizy::Config, '#denied' do
+  let!(:config) { described_class.new }
+
+  context 'with default denied callback' do
+    context 'when is a xhr request' do
+      let!(:context) do
+        double('context',
+          params: { controller: 'users', action: 'index' },
+          request: OpenStruct.new(xhr?: true)
+        )
+      end
+
+      it 'renders' do
+        allow(context).to receive(:render)
+
+        config.denied.call(context)
+
+        expect(context).to have_received(:render).with(json: { message: 'Action denied for users#index' }, status: 403)
+      end
+    end
+
+    context 'when is not a xhr request' do
+      let!(:context) do
+        double('context',
+          params: { controller: 'users', action: 'index' },
+          request: OpenStruct.new(xhr?: false)
+        )
+      end
+
+      it 'renders' do
+        allow(context).to receive(:redirect_to)
+
+        config.denied.call(context)
+
+        expect(context).to have_received(:redirect_to).with('/', info: 'Action denied for users#index')
+      end
+    end
+  end
+
+  context 'with custom denied callback' do
+    it 'calls the callback' do
+      config.denied = ->(context) { context[:key] }
+
+      expect(config.denied.call(key: :value)).to eq(:value)
+    end
+  end
+end

data/spec/authorizy/config/field_spec.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+RSpec.describe Authorizy::Config, '#field' do
+  let!(:config) { described_class.new }
+
+  context 'when uses default value' do
+    context 'when current_user responds to authorizy' do
+      let!(:current_user) { OpenStruct.new(authorizy: { permissions: [%i[users index]] }) }
+
+      it 'is called' do
+        expect(config.field.call(current_user)).to eq(permissions: [%i[users index]])
+      end
+    end
+
+    context 'when current_user does not respond to field' do
+      let!(:current_user) { nil }
+
+      it { expect(config.field.call(current_user)).to eq({}) }
+    end
+  end
+
+  context 'when uses custom value' do
+    it 'executes what you want' do
+      config.field = ->(current_user) { current_user[:value] }
+
+      expect(config.field.call({ value: 'value' })).to eq('value')
+    end
+  end
+end

data/spec/authorizy/config/redirect_url_spec.rb

@@ -23,9 +23,9 @@ RSpec.describe Authorizy::Config, '#redirect_url' do
 
   context 'when uses custom value' do
     it 'executes what you want' do
-      config.redirect_url = ->(context) { context[:value] }
+      config.redirect_url = ->(context) { context[:key] }
 
-      expect(config.redirect_url.call({ value: 'value' })).to eq('value')
+      expect(config.redirect_url.call({ key: :value })).to eq(:value)
     end
   end
 end

data/spec/authorizy/core/access_spec.rb

@@ -85,6 +85,76 @@ RSpec.describe Authorizy::Core, '#access?' do
         expect(described_class.new(current_user, params, session, cop: cop).access?).to be(true)
       end
     end
+
+    context 'when cop return nil' do
+      let!(:cop) do
+        Class.new(Authorizy::BaseCop) do
+          def access?
+            false
+          end
+
+          def admin__controller
+            nil
+          end
+        end.new(current_user, params, session)
+      end
+
+      it 'is converted to false' do
+        expect(described_class.new(current_user, params, session, cop: cop).access?).to be(false)
+      end
+    end
+
+    context 'when cop return empty' do
+      let!(:cop) do
+        Class.new(Authorizy::BaseCop) do
+          def access?
+            false
+          end
+
+          def admin__controller
+            ''
+          end
+        end.new(current_user, params, session)
+      end
+
+      it 'is converted to false' do
+        expect(described_class.new(current_user, params, session, cop: cop).access?).to be(false)
+      end
+    end
+
+    context 'when cop return nothing' do
+      let!(:cop) do
+        Class.new(Authorizy::BaseCop) do
+          def access?
+            false
+          end
+
+          def admin__controller; end
+        end.new(current_user, params, session)
+      end
+
+      it 'is converted to false' do
+        expect(described_class.new(current_user, params, session, cop: cop).access?).to be(false)
+      end
+    end
+
+    context 'when cop return true as string' do
+      let!(:cop) do
+        Class.new(Authorizy::BaseCop) do
+          def access?
+            false
+          end
+
+          def admin__controller
+            'true'
+          end
+        end.new(current_user, params, session)
+      end
+
+      it 'is converted to false' do
+        expect(described_class.new(current_user, params, session, cop: cop).access?).to be(false)
+      end
+    end
   end
 
   context 'when user has the controller permission but not action' do

data/spec/authorizy/extension/authorizy_spec.rb

@@ -3,18 +3,15 @@
 require 'support/controllers/dummy_controller'
 
 RSpec.describe DummyController, '#authorizy', type: :controller do
-  let!(:config) { Authorizy.config }
   let!(:parameters) { ActionController::Parameters.new(key: 'value', controller: 'dummy', action: 'action') }
   let!(:user) { nil }
 
-  before { allow(Authorizy).to receive(:config).and_return(config) }
-
   context 'when user has access' do
     let!(:authorizy_core) { instance_double('Authorizy::Core', access?: true) }
 
     before do
       allow(Authorizy::Core).to receive(:new)
-        .with(user, parameters, session, cop: config.cop)
+        .with(user, parameters, session, cop: Authorizy.config.cop)
         .and_return(authorizy_core)
     end
 
@@ -42,27 +39,16 @@ RSpec.describe DummyController, '#authorizy', type: :controller do
 
     before do
       allow(Authorizy::Core).to receive(:new)
-        .with(user, parameters, session, cop: config.cop)
+        .with(user, parameters, session, cop: Authorizy.config.cop)
         .and_return(authorizy_core)
     end
 
-    context 'when is a xhr request' do
-      it 'receives the default values and denied the access' do
-        get :action, xhr: true, params: { key: 'value' }
+    it 'calls denied callback' do
+      allow(Authorizy.config.denied).to receive(:call)
 
-        expect(response.body).to   eq('{"message":"Action denied for dummy#action"}')
-        expect(response.status).to be(422)
-      end
-    end
+      get :action, xhr: true, params: { key: 'value' }
 
-    context 'when is a html request' do
-      it 'receives the default values and do not denied the access' do
-        get :action, params: { key: 'value' }
-
-        expect(response).to redirect_to '/'
-
-        # expect(flash[:info]).to eq('Action denied for dummy#action') # TODO: get flash message
-      end
+      expect(Authorizy.config.denied).to have_received(:call).with(subject)
     end
   end
 end

data/spec/authorizy/rspec_spec.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+RSpec.describe RSpec::Matchers, '#be_authorized' do
+  it 'pending' do
+    matcher = be_authorized('controller', 'action', params: { params: true }, session: { session: true })
+
+    expect(matcher.description).to eq %(
+      be authorized "controller", "action", and {:params=>{:params=>true}, :session=>{:session=>true}}
+    ).squish
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: authorizy
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Washington Botelho
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-09-05 00:00:00.000000000 Z
+date: 2021-09-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activerecord
@@ -163,7 +163,9 @@ files:
 - spec/authorizy/config/aliases_spec.rb
 - spec/authorizy/config/cop_spec.rb
 - spec/authorizy/config/current_user_spec.rb
+- spec/authorizy/config/denied_spec.rb
 - spec/authorizy/config/dependencies_spec.rb
+- spec/authorizy/config/field_spec.rb
 - spec/authorizy/config/initialize_spec.rb
 - spec/authorizy/config/redirect_url_spec.rb
 - spec/authorizy/cop/controller_spec.rb
@@ -173,6 +175,7 @@ files:
 - spec/authorizy/expander/expand_spec.rb
 - spec/authorizy/extension/authorizy_question_spec.rb
 - spec/authorizy/extension/authorizy_spec.rb
+- spec/authorizy/rspec_spec.rb
 - spec/common_helper.rb
 - spec/spec_helper.rb
 - spec/support/application.rb
@@ -215,7 +218,9 @@ test_files:
 - spec/authorizy/config/aliases_spec.rb
 - spec/authorizy/config/cop_spec.rb
 - spec/authorizy/config/current_user_spec.rb
+- spec/authorizy/config/denied_spec.rb
 - spec/authorizy/config/dependencies_spec.rb
+- spec/authorizy/config/field_spec.rb
 - spec/authorizy/config/initialize_spec.rb
 - spec/authorizy/config/redirect_url_spec.rb
 - spec/authorizy/cop/controller_spec.rb
@@ -225,6 +230,7 @@ test_files:
 - spec/authorizy/expander/expand_spec.rb
 - spec/authorizy/extension/authorizy_question_spec.rb
 - spec/authorizy/extension/authorizy_spec.rb
+- spec/authorizy/rspec_spec.rb
 - spec/common_helper.rb
 - spec/spec_helper.rb
 - spec/support/application.rb