authorizy 0.2.1 → 0.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d3025788b5adf8a466ed73bfc45f709612ad1b05de0e5e887a84c67c31cd5074
-  data.tar.gz: 354c47240e842ecdd4afa112e95e02ef094f94dfcd17e9431d7dbe97ee580283
+  metadata.gz: adf5a52d89eabb0dd6503d0f96fb44ae9d4268213a6da8b91fb758805db97371
+  data.tar.gz: 01bcedd187623c4364c38d0c4f53b5a12ee1877f4426df44b21cc3b7446f6b5d
 SHA512:
-  metadata.gz: a8a73b41a1b8ea247cd59114d9ddf857f7727efa4c780fd5b6fe17a8805aa86528061e7fa49ec2f32c9fe4a80bb0d05a70341d8176af302cb6e31da4bdce9403
-  data.tar.gz: d9c32ae7a0b4a81742d3caa9879c69b7949cc86ecf104b4e79f7e642fa7b92efb5b4047993a38f2136e8b226dd5119046f5e5faed85134e5f249513c3fed72dc
+  metadata.gz: 0623f322536c3a6de17848f3f6b3642d70041384e220d0417d028a045d59970c97dfa84e659dd6a95795fe30f2ed09bb7d6203cf0bc7b600fbea0e53ff63bec5
+  data.tar.gz: 4e4862f37eb92ef4c0eb247ecd0fa0abe0652d6d750b282bb20908fadaf3dbaf54738ed51167cfa5784e1d158a441d349c75f9a460981c800def31df30b1d002

data/CHANGELOG.md

@@ -1,3 +1,31 @@
+# v0.4.1
+
+## Fixes
+
+- `redirect_url` was receiving the `denied` context instead of the controller's context;
+
+# v0.4.0
+
+## Fixes
+
+- Returns `403` status code, to represent recognized but not authorized, instead `401`;
+
+## Features
+
+- Added `denied` callback allowing a custom acess denied treatment;
+
+# v0.3.0
+
+## Features
+
+- Added options `field` to customize how the authorizy field is fetched;
+
+# v0.2.2
+
+## Fixes
+
+- When Cop returns anything different from `true` it is converted to `false`;
+
 # v0.2.1
 
 ## Fixes

data/README.md

@@ -8,10 +8,6 @@
 
 A JSON based Authorization.
 
-##### Why not [cancancan](https://github.com/CanCanCommunity/cancancan)?
-
-I have been working with cancan/cancancan for years. Since the beginning with [database access](https://github.com/CanCanCommunity/cancancan/blob/develop/docs/Abilities-in-Database.md). After a while, I realised I built a couple of abstractions around `ability` class and suddenly migrated to JSON for better performance. As I need a full role admin I decided to start to extract this logic to a gem.
-
 ## Install
 
 Add the following code on your `Gemfile` and run `bundle install`:
@@ -84,25 +80,6 @@ Authorizy.configure do |config|
 end
 ```
 
-### Dependencies
-
-You can allow access to one or more controllers and actions based on your permissions. It'll consider not only the `action`, like [aliases](#aliases) but the controller either.
-
-```ruby
-Authorizy.configure do |config|
-  config.dependencies = {
-    payments: {
-      index: [
-        ['system/users', :index],
-        ['system/enrollments', :index],
-      ]
-    }
-  }
-end
-```
-
-So now if a have the permission `payments#index` I'll receive more two permissions: `users#index` and `enrollments#index`.
-
 ### Cop
 
 Sometimes we need to allow access in runtime because the permission will depend on the request data and/or some dynamic logic. For this you can create a *Cop* class, that inherits from `Authorizy::BaseCop`, to allow it based on logic. It works like a [Interceptor](https://en.wikipedia.org/wiki/Interceptor_pattern).
@@ -161,6 +138,43 @@ Authorizy.configure do |config|
 end
 ```
 
+### Denied
+
+When some access is denied, by default, Authorizy checks if it is a XHR request or not and then redirect or serializes a message with status code `403`. You can rescue it by yourself:
+
+```ruby
+config.denied = ->(context) { context.redirect_to(subscription_path, info: 'Subscription expired!') }
+```
+
+### Dependencies
+
+You can allow access to one or more controllers and actions based on your permissions. It'll consider not only the `action`, like [aliases](#aliases) but the controller either.
+
+```ruby
+Authorizy.configure do |config|
+  config.dependencies = {
+    payments: {
+      index: [
+        ['system/users', :index],
+        ['system/enrollments', :index],
+      ]
+    }
+  }
+end
+```
+
+So now if a have the permission `payments#index` I'll receive more two permissions: `users#index` and `enrollments#index`.
+
+### Field
+
+By default the permissions are located inside the field called `authorizy` in the configured `current_user`. You can change how this field is fetched:
+
+```ruby
+Authorizy.configure do |config|
+  @field = ->(current_user) { current_user.profile.authorizy }
+end
+```
+
 ### Redirect URL
 
 When authorization fails and the request is not a XHR request a redirect happens to `/` path. You can change it:

data/lib/authorizy/config.rb

@@ -2,13 +2,23 @@
 
 module Authorizy
   class Config
-    attr_accessor :aliases, :dependencies, :cop, :current_user, :redirect_url
+    attr_accessor :aliases, :cop, :current_user, :denied, :dependencies, :field, :redirect_url
 
     def initialize
       @aliases      = {}
       @cop          = Authorizy::BaseCop
       @current_user = ->(context) { context.respond_to?(:current_user) ? context.current_user : nil }
+
+      @denied = lambda { |context|
+        info = I18n.t('authorizy.denied', controller: context.params[:controller], action: context.params[:action])
+
+        return context.render(json: { message: info }, status: 403) if context.request.xhr?
+
+        context.redirect_to(redirect_url.call(context), info: info)
+      }
+
       @dependencies = {}
+      @field        = ->(current_user) { current_user.respond_to?(:authorizy) ? current_user.authorizy : {} }
       @redirect_url = ->(context) { context.respond_to?(:root_url) ? context.root_url : '/' }
     end
   end

data/lib/authorizy/core.rb

@@ -16,7 +16,7 @@ module Authorizy
                      session_permissions.any? { |tuple| route_match?(tuple) } ||
                      user_permissions.any? { |tuple| route_match?(tuple) }
 
-      return @cop.public_send(cop_controller) if @cop.respond_to?(cop_controller)
+      return @cop.public_send(cop_controller) == true if @cop.respond_to?(cop_controller)
 
       false
     end
@@ -50,7 +50,7 @@ module Authorizy
     end
 
     def user_permissions
-      expand(@user.authorizy.try(:[], 'permissions'))
+      expand(Authorizy.config.field.call(@user).try(:[], 'permissions'))
     end
   end
 end

data/lib/authorizy/extension.rb

@@ -8,38 +8,26 @@ module Authorizy
       helper_method(:authorizy?)
 
       def authorizy
-        return if authorizy_core.new(authorizy_user, params, session, cop: authorizy_cop).access?
+        return if Authorizy::Core.new(authorizy_user, params, session, cop: authorizy_cop).access?
 
-        info = I18n.t('authorizy.denied', controller: params[:controller], action: params[:action])
-
-        return render(json: { message: info }, status: 401) if request.xhr?
-
-        redirect_to authorizy_config.redirect_url.call(self), info: info
+        Authorizy.config.denied.call(self)
       end
 
       def authorizy?(controller, action)
         params['controller'] = controller
         params['action'] = action
 
-        authorizy_core.new(authorizy_user, params, session, cop: authorizy_cop).access?
+        Authorizy::Core.new(authorizy_user, params, session, cop: authorizy_cop).access?
       end
 
       private
 
-      def authorizy_core
-        Authorizy::Core
-      end
-
       def authorizy_user
-        authorizy_config.current_user.call(self)
-      end
-
-      def authorizy_config
-        Authorizy.config
+        Authorizy.config.current_user.call(self)
       end
 
       def authorizy_cop
-        authorizy_config.cop.new(authorizy_user, params, session)
+        Authorizy.config.cop.new(authorizy_user, params, session)
       end
     end
   end

data/lib/authorizy/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Authorizy
-  VERSION = '0.2.1'
+  VERSION = '0.4.1'
 end

data/lib/generators/authorizy/templates/config/initializers/authorizy.rb

@@ -9,14 +9,28 @@ Authorizy.configure do |config|
   # https://github.com/wbotelhos/authorizy#cop
   # config.cop = Authorizy::BaseCop
 
-  # The current user from we fetch the permissions
+  # The current user from where we fetch the permissions
   # https://github.com/wbotelhos/authorizy#current-user
   # config.current_user = -> (context) { context.respond_to?(:current_user) ? context.current_user : nil }
 
+  # Callback called when access is denied
+  # https://github.com/wbotelhos/authorizy#denied
+  # config.denied = lambda { |context|
+  #   info = I18n.t('authorizy.denied', controller: context.params[:controller], action: context.params[:action])
+
+  #   return context.render(json: { message: info }, status: 403) if context.request.xhr?
+
+  #   context.redirect_to(redirect_url.call(self), info: info)
+  # }
+
   # Inherited permissions from some other permission the user already has
   # https://github.com/wbotelhos/authorizy#dependencies
   # config.dependencies = {}
 
+  # Field used to fetch the Authorizy permissions
+  # https://github.com/wbotelhos/authorizy#field
+  # config.field = ->(current_user) { current_user.respond_to?(:authorizy) ? current_user.authorizy : {} }
+
   # URL to be redirect when user has no permission to access some resource
   # https://github.com/wbotelhos/authorizy#dependencies
   # config.redirect_url = -> (context) { context.respond_to?(:root_url) ? context.root_url : '/' }

data/spec/authorizy/config/current_user_spec.rb

@@ -15,9 +15,7 @@ RSpec.describe Authorizy::Config, '#current_user' do
     context 'when context does not respond to current_user' do
       let!(:context) { 'context' }
 
-      it 'returns nil' do
-        expect(config.current_user.call(context)).to be(nil)
-      end
+      it { expect(config.current_user.call(context)).to be(nil) }
     end
   end
 

data/spec/authorizy/config/denied_spec.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+RSpec.describe Authorizy::Config, '#denied' do
+  let!(:config) { described_class.new }
+
+  context 'with default denied callback' do
+    context 'when is a xhr request' do
+      let!(:context) do
+        double('context',
+          params: { controller: 'users', action: 'index' },
+          request: OpenStruct.new(xhr?: true)
+        )
+      end
+
+      it 'renders' do
+        allow(context).to receive(:render)
+
+        config.denied.call(context)
+
+        expect(context).to have_received(:render).with(json: { message: 'Action denied for users#index' }, status: 403)
+      end
+    end
+
+    context 'when is not a xhr request' do
+      let!(:context) do
+        double('context',
+          params: { controller: 'users', action: 'index' },
+          request: OpenStruct.new(xhr?: false),
+          root_url: 'root_url'
+        )
+      end
+
+      it 'redirects' do
+        allow(context).to receive(:redirect_to)
+        allow(context).to receive(:respond_to?).with(:root_url).and_return(true)
+
+        config.denied.call(context)
+
+        expect(context).to have_received(:redirect_to).with('root_url', info: 'Action denied for users#index')
+      end
+    end
+  end
+
+  context 'with custom denied callback' do
+    it 'calls the callback' do
+      config.denied = ->(context) { context[:key] }
+
+      expect(config.denied.call(key: :value)).to eq(:value)
+    end
+  end
+end

data/spec/authorizy/config/field_spec.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+RSpec.describe Authorizy::Config, '#field' do
+  let!(:config) { described_class.new }
+
+  context 'when uses default value' do
+    context 'when current_user responds to authorizy' do
+      let!(:current_user) { OpenStruct.new(authorizy: { permissions: [%i[users index]] }) }
+
+      it 'is called' do
+        expect(config.field.call(current_user)).to eq(permissions: [%i[users index]])
+      end
+    end
+
+    context 'when current_user does not respond to field' do
+      let!(:current_user) { nil }
+
+      it { expect(config.field.call(current_user)).to eq({}) }
+    end
+  end
+
+  context 'when uses custom value' do
+    it 'executes what you want' do
+      config.field = ->(current_user) { current_user[:value] }
+
+      expect(config.field.call({ value: 'value' })).to eq('value')
+    end
+  end
+end

data/spec/authorizy/config/redirect_url_spec.rb

@@ -23,9 +23,9 @@ RSpec.describe Authorizy::Config, '#redirect_url' do
 
   context 'when uses custom value' do
     it 'executes what you want' do
-      config.redirect_url = ->(context) { context[:value] }
+      config.redirect_url = ->(context) { context[:key] }
 
-      expect(config.redirect_url.call({ value: 'value' })).to eq('value')
+      expect(config.redirect_url.call({ key: :value })).to eq(:value)
     end
   end
 end

data/spec/authorizy/core/access_spec.rb

@@ -85,6 +85,76 @@ RSpec.describe Authorizy::Core, '#access?' do
         expect(described_class.new(current_user, params, session, cop: cop).access?).to be(true)
       end
     end
+
+    context 'when cop return nil' do
+      let!(:cop) do
+        Class.new(Authorizy::BaseCop) do
+          def access?
+            false
+          end
+
+          def admin__controller
+            nil
+          end
+        end.new(current_user, params, session)
+      end
+
+      it 'is converted to false' do
+        expect(described_class.new(current_user, params, session, cop: cop).access?).to be(false)
+      end
+    end
+
+    context 'when cop return empty' do
+      let!(:cop) do
+        Class.new(Authorizy::BaseCop) do
+          def access?
+            false
+          end
+
+          def admin__controller
+            ''
+          end
+        end.new(current_user, params, session)
+      end
+
+      it 'is converted to false' do
+        expect(described_class.new(current_user, params, session, cop: cop).access?).to be(false)
+      end
+    end
+
+    context 'when cop return nothing' do
+      let!(:cop) do
+        Class.new(Authorizy::BaseCop) do
+          def access?
+            false
+          end
+
+          def admin__controller; end
+        end.new(current_user, params, session)
+      end
+
+      it 'is converted to false' do
+        expect(described_class.new(current_user, params, session, cop: cop).access?).to be(false)
+      end
+    end
+
+    context 'when cop return true as string' do
+      let!(:cop) do
+        Class.new(Authorizy::BaseCop) do
+          def access?
+            false
+          end
+
+          def admin__controller
+            'true'
+          end
+        end.new(current_user, params, session)
+      end
+
+      it 'is converted to false' do
+        expect(described_class.new(current_user, params, session, cop: cop).access?).to be(false)
+      end
+    end
   end
 
   context 'when user has the controller permission but not action' do

data/spec/authorizy/extension/authorizy_spec.rb

@@ -3,18 +3,15 @@
 require 'support/controllers/dummy_controller'
 
 RSpec.describe DummyController, '#authorizy', type: :controller do
-  let!(:config) { Authorizy.config }
   let!(:parameters) { ActionController::Parameters.new(key: 'value', controller: 'dummy', action: 'action') }
   let!(:user) { nil }
 
-  before { allow(Authorizy).to receive(:config).and_return(config) }
-
   context 'when user has access' do
     let!(:authorizy_core) { instance_double('Authorizy::Core', access?: true) }
 
     before do
       allow(Authorizy::Core).to receive(:new)
-        .with(user, parameters, session, cop: config.cop)
+        .with(user, parameters, session, cop: Authorizy.config.cop)
         .and_return(authorizy_core)
     end
 
@@ -42,27 +39,16 @@ RSpec.describe DummyController, '#authorizy', type: :controller do
 
     before do
       allow(Authorizy::Core).to receive(:new)
-        .with(user, parameters, session, cop: config.cop)
+        .with(user, parameters, session, cop: Authorizy.config.cop)
         .and_return(authorizy_core)
     end
 
-    context 'when is a xhr request' do
-      it 'receives the default values and denied the access' do
-        get :action, xhr: true, params: { key: 'value' }
+    it 'calls denied callback' do
+      allow(Authorizy.config.denied).to receive(:call)
 
-        expect(response.body).to   eq('{"message":"Action denied for dummy#action"}')
-        expect(response.status).to be(401)
-      end
-    end
+      get :action, xhr: true, params: { key: 'value' }
 
-    context 'when is a html request' do
-      it 'receives the default values and do not denied the access' do
-        get :action, params: { key: 'value' }
-
-        expect(response).to redirect_to '/'
-
-        # expect(flash[:info]).to eq('Action denied for dummy#action') # TODO: get flash message
-      end
+      expect(Authorizy.config.denied).to have_received(:call).with(subject)
     end
   end
 end

data/spec/authorizy/rspec_spec.rb

@@ -9,23 +9,3 @@ RSpec.describe RSpec::Matchers, '#be_authorized' do
     ).squish
   end
 end
-
-# matcher.actual
-# matcher.actual_formatted
-# matcher.and
-# matcher.description
-# matcher.diffable?
-# matcher.does_not_match?
-# matcher.expected
-# matcher.expected_formatted
-# matcher.expects_call_stack_jump?
-# matcher.failure_message
-# matcher.failure_message_when_negated
-# matcher.match_unless_raises
-# matcher.matcher_name
-# matcher.matcher_name=
-# matcher.matches?
-# matcher.or
-# matcher.present_ivars
-# matcher.rescued_exception
-# matcher.supports_block_expectations?

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: authorizy
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.4.1
 platform: ruby
 authors:
 - Washington Botelho
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-09-05 00:00:00.000000000 Z
+date: 2021-09-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activerecord
@@ -163,7 +163,9 @@ files:
 - spec/authorizy/config/aliases_spec.rb
 - spec/authorizy/config/cop_spec.rb
 - spec/authorizy/config/current_user_spec.rb
+- spec/authorizy/config/denied_spec.rb
 - spec/authorizy/config/dependencies_spec.rb
+- spec/authorizy/config/field_spec.rb
 - spec/authorizy/config/initialize_spec.rb
 - spec/authorizy/config/redirect_url_spec.rb
 - spec/authorizy/cop/controller_spec.rb
@@ -216,7 +218,9 @@ test_files:
 - spec/authorizy/config/aliases_spec.rb
 - spec/authorizy/config/cop_spec.rb
 - spec/authorizy/config/current_user_spec.rb
+- spec/authorizy/config/denied_spec.rb
 - spec/authorizy/config/dependencies_spec.rb
+- spec/authorizy/config/field_spec.rb
 - spec/authorizy/config/initialize_spec.rb
 - spec/authorizy/config/redirect_url_spec.rb
 - spec/authorizy/cop/controller_spec.rb