RubyGems - cancancan_resource_controller - Versions diffs - 0.0.1 → 1.0.1 - Mend

cancancan_resource_controller 0.0.1 → 1.0.1

Files changed (6) hide show

checksums.yaml +4 -4
data/lib/cancancan/abstract_resource_controller.rb +19 -151
data/lib/cancancan/configuration.rb +10 -0
data/lib/cancancan/version.rb +5 -0
data/lib/cancancan_resource_controller.rb +24 -1
metadata +18 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a38bfb98462e336b34961d82c4d130022bf466971f55c11699e707b7e6ce4fff
-  data.tar.gz: aa0be9ebb6885fc7b15156d0517f1df7c236c3da081a8cf01f6e5b3bf1b456ba
+  metadata.gz: eee99830d75b2311be4016ca35dce550688103ea8256a919b2c3f6230a3d8a22
+  data.tar.gz: c55c835c8ffd5350d45e246063fc3722e00a604138e9369ea93398c010de6819
 SHA512:
-  metadata.gz: 565013e091449c0a17c33413b7c2c7be15bb660ec644cda55db34df9310cdb7a3b94a3639b256df1745390b1cebc976d121eae3efe39bfe85954f75ef6a4af55
-  data.tar.gz: d7b727d66c11e8cf171e2eb6ba0f5175740b8be186ef0e463782e0a619951ccffca6f83fa4a50576d6ebf406629b77a840f74a5ad57b1344ea20fdce8eb3ddd9
+  metadata.gz: e4eecffac11d43c86bf6c1a65e45476c60b5927fd201940c0863b5aa1e489e7de2377b23f57f511d42fffda88f2f577dffc53c18e3ec9720f072b5603bab667d
+  data.tar.gz: c784109abe07fc8039d96d4eb023b96d72e74fec52af54e2161a127aed238f805a8523bf97dda293823b0d202541330267e6bde522b42651c4c3dbc5750272f2

data/lib/cancancan/abstract_resource_controller.rb CHANGED Viewed

@@ -1,3 +1,4 @@
+require 'cancancan_nested_assignment_and_authorization'
 # How to utilize CanCan Permissions to work with this controller:
 module CanCanCan
   module AbstractResourceController
@@ -11,14 +12,6 @@ module CanCanCan
     MAX_ASSOCIATIVE_NESTED_DEPTH = 60
     REGEX_FOR_HTML_TAG_DETECTION = /.*\<\/?[^_\W]+\>.*/
-    # to handle adding/removing associations by "_ids" suffix
-    IDS_ATTIB_PERMISSION_KEY_GEN = Proc.new { |assoc_key| "#{assoc_key.to_s.singularize}_ids".to_sym }
-    IDS_ACTION_PERMISSION_KEY_GEN = Proc.new { |assoc_key| "_can_add_or_remove_association_#{assoc_key.to_s}".to_sym }
-    # to handle updating nested attributes
-    NESTED_ATTIB_PERMISSION_KEY_GEN = Proc.new { |assoc_key| "#{assoc_key.to_s}_attributes".to_sym }
-    NESTED_ACTION_PERMISSION_KEY_GEN  = Proc.new { |assoc_key| "_can_update_association_#{assoc_key.to_s}".to_sym }
     # For Read-Only fields
     #  - define this on your class model
     # optional allowlist for incoming parameters for the implemented resource
@@ -95,15 +88,13 @@ module CanCanCan
       # Allow @resource to be set from subclass controller
       @resource ||= @resource_class.find(params[:id])
       authorize! :show, @resource
       respond_with_resource
     end
     def new
       authorize! :create, @resource_class
       @resource ||= @resource_class.new(resource_params)
-      # 2nd auth on the object itself
-      #   Not authing on the nested resources, that could have come in as nested attributes.
       authorize! :create, @resource
       respond_with_resource
@@ -125,17 +116,16 @@ module CanCanCan
     def create
       authorize! :create, @resource_class
-      # @resource = @resource_class.new(resource_params)
+      @resource ||= @resource_class.new
-      # This 2nd @resource initiation is so we run run whitelisting attribs on the object.
-      #   Class whitelisting is far more broad than object attrib whitelisting.
-      #   Necessary if class permissions have a permissions-block.
-      @resource ||= @resource_class.new(resource_params(@resource))
-      # 2nd auth on the object itself
-      authorize! :create, @resource
+      service = CanCanCan::AssignmentAndAuthorization.new(
+        current_ability,
+        action_name,
+        @resource,
+        clean_parameter_data(params)
+      )
-      if @resource.save
+      if service.call
         respond_with_resource
       else
         begin
@@ -152,25 +142,14 @@ module CanCanCan
     def update
       authorize! :update, @resource_class
       @resource ||= @resource_class.find(params[:id])
-      authorize! :update, @resource
-      second_authorize = false
-      ActiveRecord::Base.transaction do
-        @resource.assign_attributes(resource_params(@resource))
-        second_authorize = can?(action_name.to_sym, @resource)
-        unless second_authorize
-          # NOTE: Does not halt the controller process, just rolls back the DB
-          raise ActiveRecord::Rollback
-        end
-      end
-      unless second_authorize
-        raise CanCan::AccessDenied.new("Not authorized!", action_name.to_sym, @resource)
-      end
-      # 2nd auth, on the updates of the object, without saving, so we can rollback without auth.
-      # authorize! :update, @resource
-      if @resource.save
+      service = CanCanCan::AssignmentAndAuthorization.new(
+        current_ability,
+        action_name,
+        @resource,
+        clean_parameter_data(params)
+      )
+      if service.call
         respond_with_resource
       else
         begin
@@ -189,7 +168,6 @@ module CanCanCan
       @resource ||= @resource_class.find(params[:id])
       authorize! :destroy, @resource
       # retuning the resource in a pre-destroyed state as a destroy response
-      results = @resource
       if @resource.destroy
         respond_after_destroy
       else
@@ -237,7 +215,7 @@ module CanCanCan
     def respond_after_destroy
       respond_to do |format|
         format.html { redirect_to url_for(controller: controller_name, action: 'index') }
-        format.json { render json: results, status: :no_content }
+        format.json { render json: @resource, status: :no_content }
       end
     end
@@ -246,36 +224,6 @@ module CanCanCan
       return resource_query
     end
-    # can pass in custom method to supplant 'param.permit', like if you wanted to whitelist a hash instead of params.
-    # ex: CanCanCanResourceController#deactivate_helper, permits on fake params: ActionController::Parameters.new(deactive_params)
-    def resource_params resource_object = nil, opts = {}, &block
-      local_action_name = opts[:custom_action_name] || action_name
-      allowlist_permitted = get_nested_attributes_for_class(@resource_class, local_action_name.to_sym, resource_object)
-      # # Rails kludge, issue with allowing parameters with empty arrays
-      # # Needs to be nested, recursive
-      # # Updating params in-place
-      # params.each do |key, value|
-      #   if key.to_s =~ /(.*)_ids/ && (value == "remove" || value == ["remove"])
-      #     params[key] = []
-      #   end
-      # end
-      if block_given?
-        params_with_only_allowed_parameters = yield(allowlist_permitted)
-      else
-        params_with_only_allowed_parameters = param_permit(allowlist_permitted)
-      end
-      # sanitize all input.
-      sanitized_params_with_only_allowed_parameters = clean_parameter_data(params_with_only_allowed_parameters)
-      # recast type (and have to re-permit)
-      sanitized_params_with_only_allowed_parameters = ActionController::Parameters.new(sanitized_params_with_only_allowed_parameters).permit(allowlist_permitted)
-      return sanitized_params_with_only_allowed_parameters
-    end
     # recursive
     # src: https://apidock.com/rails/v5.2.3/ActionView/Helpers/SanitizeHelper/sanitize
     def clean_parameter_data param_value
@@ -312,86 +260,6 @@ module CanCanCan
       end
     end
-    # Not checking instances of classes. What if they are object-state dependent?
-    # Need to run them again, after object instantiation, but in a different method.
-    def get_nested_attributes_for_class resource_class, action_name, root_level_object, depth = 0
-      raise "invalid action class: #{action_name.class}" if !action_name.is_a?(Symbol)
-      association_parameters = []
-      if depth > MAX_ASSOCIATIVE_NESTED_DEPTH
-        return association_parameters
-      end
-      # Handle resource_class attribs
-      # issue here is the 'action_name' on the root 'resource_class' may not be the action that the user has for the 'assoc_class'
-      # i.e:
-      #   We may want the user to update Account, and create attachments on it, but not 'update' attachments.
-      if depth == 0
-        association_parameters = current_ability.permitted_attributes(action_name, (root_level_object || resource_class))
-      else
-        association_parameters = current_ability.permitted_attributes(action_name, resource_class)
-      end
-      if resource_class.const_defined?('RESOURCE_CONTROLLER_ATTRIB_ALLOWLIST') && !resource_class::RESOURCE_CONTROLLER_ATTRIB_ALLOWLIST.nil?
-        association_parameters &= resource_class::RESOURCE_CONTROLLER_ATTRIB_ALLOWLIST
-      end
-      # remove customized, non-params, assoc' attrib data by only allowing class columns
-      association_parameters &= resource_class.column_names.collect(&:to_sym)
-      resource_class.reflect_on_all_associations(:has_many).each do |assoc_class|
-        resource_key = assoc_class.name
-        # attrib_permission_key = (resource_key.to_s.singularize + '_ids').to_sym
-        attrib_permission_key = IDS_ATTIB_PERMISSION_KEY_GEN.call(resource_key)
-        # action_permission_key = ('_can_add_or_remove_association_' + resource_key.to_s).to_sym
-        action_permission_key = IDS_ACTION_PERMISSION_KEY_GEN.call(resource_key)
-        # i.e. can?(:can_participation_ids, Account)
-        # Check to see if we manually gave the user a custom permission
-        # # (i.e.: can [:update, :can_account_sector_ids], Account)
-        # OR
-        # see if it has the attribute on the class's allowed params
-        if can?(action_permission_key, resource_class) || can?(action_name, resource_class, attrib_permission_key)
-          association_parameters << {
-            attrib_permission_key => []
-          }
-        end
-      end
-      resource_class.nested_attributes_options.each do |resource_key, options|
-        reflection_class = resource_class.reflect_on_association(resource_key).class
-        reflection_type  = reflection_class.name
-        assoc_class = resource_class.reflect_on_association(resource_key).klass
-        if [
-          "ActiveRecord::Reflection::BelongsToReflection",
-          "ActiveRecord::Reflection::HasOneReflection",
-          "ActiveRecord::Reflection::HasManyReflection"
-        ].include?(reflection_type)
-          parameter_key = NESTED_ATTIB_PERMISSION_KEY_GEN.call(resource_key)
-          permission_key = NESTED_ACTION_PERMISSION_KEY_GEN.call(resource_key)
-          # Can check if permission to update assoc is defined as an action OR as an attrib on the parent resource_class
-          if can?(permission_key, resource_class) || can?(action_name, resource_class, parameter_key)
-            # Handle recursion
-            assoc_parameters = get_nested_attributes_for_class(assoc_class, action_name, root_level_object, depth + 1)
-            if options[:allow_destroy] && can?(:destroy, resource_class)
-              assoc_parameters << :_destroy
-            end
-            association_parameters << {
-              parameter_key => assoc_parameters
-            }
-          end
-        end
-      end
-      return association_parameters
-    end
-    def param_permit base_parameters
-      params.permit(base_parameters)
-    end
     def initialize_resource_class
       # First priority is the namespaced model, e.g. User::Group
       @resource_class ||= begin

data/lib/cancancan/configuration.rb ADDED Viewed

@@ -0,0 +1,10 @@
+module CanCanCan
+  module AbstractResourceController
+    class Configuration
+      # attr_accessor :silence_raised_errors, :use_smart_nested_authorizations
+      def initialize
+      end
+    end
+  end
+end

data/lib/cancancan/version.rb ADDED Viewed

@@ -0,0 +1,5 @@
+module CanCanCan
+  module AbstractResourceController
+    VERSION = '1.0.1'
+  end
+end

data/lib/cancancan_resource_controller.rb CHANGED Viewed

@@ -1,4 +1,27 @@
+require_relative 'cancancan/configuration'
 require_relative 'cancancan/abstract_resource_controller'
+require_relative 'cancancan/version'
 # include the extension
-# ActiveRecord::Base.send(:include, Serializer::Concern)
+# ActiveRecord::Base.send(:include, Serializer::Concern)
+module CanCanCan
+  module AbstractResourceController
+    # config src: http://lizabinante.com/blog/creating-a-configurable-ruby-gem/
+    class << self
+      attr_accessor :configuration
+    end
+    def self.configuration
+      @configuration ||= Configuration.new
+    end
+    def self.reset
+      @configuration = Configuration.new
+    end
+    def self.configure
+      yield(configuration)
+    end
+  end
+end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cancancan_resource_controller
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 1.0.1
 platform: ruby
 authors:
 - benjamin.dana.software.dev@gmail.com
@@ -30,6 +30,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 3.5.0
+- !ruby/object:Gem::Dependency
+  name: cancancan_nested_auth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
@@ -121,6 +135,8 @@ extensions: []
 extra_rdoc_files: []
 files:
 - lib/cancancan/abstract_resource_controller.rb
+- lib/cancancan/configuration.rb
+- lib/cancancan/version.rb
 - lib/cancancan_resource_controller.rb
 homepage: https://github.com/danabr75/cancancan_resource_controller
 licenses:
@@ -141,7 +157,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.4.15
 signing_key:
 specification_version: 4
 summary: A Rails Controller Module that uses CanCan's permitted attribs instead of