RubyGems - cancancan_resource_controller - Versions diffs - 0.0.1 → 1.0.1 - Mend

cancancan_resource_controller 0.0.1 → 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/lib/cancancan/abstract_resource_controller.rb +19 -151
data/lib/cancancan/configuration.rb +10 -0
data/lib/cancancan/version.rb +5 -0
data/lib/cancancan_resource_controller.rb +24 -1
metadata +18 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a38bfb98462e336b34961d82c4d130022bf466971f55c11699e707b7e6ce4fff
-  data.tar.gz: aa0be9ebb6885fc7b15156d0517f1df7c236c3da081a8cf01f6e5b3bf1b456ba
+  metadata.gz: eee99830d75b2311be4016ca35dce550688103ea8256a919b2c3f6230a3d8a22
+  data.tar.gz: c55c835c8ffd5350d45e246063fc3722e00a604138e9369ea93398c010de6819
 SHA512:
-  metadata.gz: 565013e091449c0a17c33413b7c2c7be15bb660ec644cda55db34df9310cdb7a3b94a3639b256df1745390b1cebc976d121eae3efe39bfe85954f75ef6a4af55
-  data.tar.gz: d7b727d66c11e8cf171e2eb6ba0f5175740b8be186ef0e463782e0a619951ccffca6f83fa4a50576d6ebf406629b77a840f74a5ad57b1344ea20fdce8eb3ddd9
+  metadata.gz: e4eecffac11d43c86bf6c1a65e45476c60b5927fd201940c0863b5aa1e489e7de2377b23f57f511d42fffda88f2f577dffc53c18e3ec9720f072b5603bab667d
+  data.tar.gz: c784109abe07fc8039d96d4eb023b96d72e74fec52af54e2161a127aed238f805a8523bf97dda293823b0d202541330267e6bde522b42651c4c3dbc5750272f2

data/lib/cancancan/abstract_resource_controller.rb CHANGED Viewed

@@ -1,3 +1,4 @@
+require 'cancancan_nested_assignment_and_authorization'
 # How to utilize CanCan Permissions to work with this controller:
 module CanCanCan
   module AbstractResourceController
@@ -11,14 +12,6 @@ module CanCanCan
     MAX_ASSOCIATIVE_NESTED_DEPTH = 60
     REGEX_FOR_HTML_TAG_DETECTION = /.*\<\/?[^_\W]+\>.*/
-    # to handle adding/removing associations by "_ids" suffix
-    IDS_ATTIB_PERMISSION_KEY_GEN = Proc.new { |assoc_key| "#{assoc_key.to_s.singularize}_ids".to_sym }
-    IDS_ACTION_PERMISSION_KEY_GEN = Proc.new { |assoc_key| "_can_add_or_remove_association_#{assoc_key.to_s}".to_sym }
-    # to handle updating nested attributes
-    NESTED_ATTIB_PERMISSION_KEY_GEN = Proc.new { |assoc_key| "#{assoc_key.to_s}_attributes".to_sym }
-    NESTED_ACTION_PERMISSION_KEY_GEN  = Proc.new { |assoc_key| "_can_update_association_#{assoc_key.to_s}".to_sym }
     # For Read-Only fields
     #  - define this on your class model
     # optional allowlist for incoming parameters for the implemented resource
@@ -95,15 +88,13 @@ module CanCanCan
       # Allow @resource to be set from subclass controller
       @resource ||= @resource_class.find(params[:id])
       authorize! :show, @resource
       respond_with_resource
     end
     def new
       authorize! :create, @resource_class
       @resource ||= @resource_class.new(resource_params)
-      # 2nd auth on the object itself
-      #   Not authing on the nested resources, that could have come in as nested attributes.
       authorize! :create, @resource
       respond_with_resource
@@ -125,17 +116,16 @@ module CanCanCan
     def create
       authorize! :create, @resource_class
-      # @resource = @resource_class.new(resource_params)
+      @resource ||= @resource_class.new
-      # This 2nd @resource initiation is so we run run whitelisting attribs on the object.
-      #   Class whitelisting is far more broad than object attrib whitelisting.
-      #   Necessary if class permissions have a permissions-block.
-      @resource ||= @resource_class.new(resource_params(@resource))
-      # 2nd auth on the object itself
-      authorize! :create, @resource
+      service = CanCanCan::AssignmentAndAuthorization.new(
+        current_ability,
+        action_name,
+        @resource,
+        clean_parameter_data(params)
+      )
-      if @resource.save
+      if service.call
         respond_with_resource
       else
         begin
@@ -152,25 +142,14 @@ module CanCanCan
     def update
       authorize! :update, @resource_class
       @resource ||= @resource_class.find(params[:id])
-      authorize! :update, @resource
-      second_authorize = false
-      ActiveRecord::Base.transaction do
-        @resource.assign_attributes(resource_params(@resource))
-        second_authorize = can?(action_name.to_sym, @resource)
-        unless second_authorize
-          # NOTE: Does not halt the controller process, just rolls back the DB
-          raise ActiveRecord::Rollback
-        end
-      end
-      unless second_authorize
-        raise CanCan::AccessDenied.new("Not authorized!", action_name.to_sym, @resource)
-      end
-      # 2nd auth, on the updates of the object, without saving, so we can rollback without auth.
-      # authorize! :update, @resource
-      if @resource.save
+      service = CanCanCan::AssignmentAndAuthorization.new(
+        current_ability,
+        action_name,
+        @resource,
+        clean_parameter_data(params)
+      )
+      if service.call
         respond_with_resource
       else
         begin
@@ -189,7 +168,6 @@ module CanCanCan
       @resource ||= @resource_class.find(params[:id])
       authorize! :destroy, @resource
       # retuning the resource in a pre-destroyed state as a destroy response
-      results = @resource
       if @resource.destroy
         respond_after_destroy
       else
@@ -237,7 +215,7 @@ module CanCanCan
     def respond_after_destroy
       respond_to do |format|
         format.html { redirect_to url_for(controller: controller_name, action: 'index') }
-        format.json { render json: results, status: :no_content }
+        format.json { render json: @resource, status: :no_content }
       end
     end
@@ -246,36 +224,6 @@ module CanCanCan
       return resource_query
     end
-    # can pass in custom method to supplant 'param.permit', like if you wanted to whitelist a hash instead of params.
-    # ex: CanCanCanResourceController#deactivate_helper, permits on fake params: ActionController::Parameters.new(deactive_params)
-    def resource_params resource_object = nil, opts = {}, &block
-      local_action_name = opts[:custom_action_name] || action_name
-      allowlist_permitted = get_nested_attributes_for_class(@resource_class, local_action_name.to_sym, resource_object)
-      # # Rails kludge, issue with allowing parameters with empty arrays
-      # # Needs to be nested, recursive
-      # # Updating params in-place
-      # params.each do |key, value|
-      #   if key.to_s =~ /(.*)_ids/ && (value == "remove" || value == ["remove"])
-      #     params[key] = []
-      #   end
-      # end
-      if block_given?
-        params_with_only_allowed_parameters = yield(allowlist_permitted)
-      else
-        params_with_only_allowed_parameters = param_permit(allowlist_permitted)
-      end
-      # sanitize all input.
-      sanitized_params_with_only_allowed_parameters = clean_parameter_data(params_with_only_allowed_parameters)
-      # recast type (and have to re-permit)
-      sanitized_params_with_only_allowed_parameters = ActionController::Parameters.new(sanitized_params_with_only_allowed_parameters).permit(allowlist_permitted)
-      return sanitized_params_with_only_allowed_parameters
-    end
     # recursive
     # src: https://apidock.com/rails/v5.2.3/ActionView/Helpers/SanitizeHelper/sanitize
     def clean_parameter_data param_value
@@ -312,86 +260,6 @@ module CanCanCan
       end
     end
-    # Not checking instances of classes. What if they are object-state dependent?
-    # Need to run them again, after object instantiation, but in a different method.
-    def get_nested_attributes_for_class resource_class, action_name, root_level_object, depth = 0
-      raise "invalid action class: #{action_name.class}" if !action_name.is_a?(Symbol)
-      association_parameters = []
-      if depth > MAX_ASSOCIATIVE_NESTED_DEPTH
-        return association_parameters
-      end
-      # Handle resource_class attribs
-      # issue here is the 'action_name' on the root 'resource_class' may not be the action that the user has for the 'assoc_class'
-      # i.e:
-      #   We may want the user to update Account, and create attachments on it, but not 'update' attachments.
-      if depth == 0
-        association_parameters = current_ability.permitted_attributes(action_name, (root_level_object || resource_class))
-      else
-        association_parameters = current_ability.permitted_attributes(action_name, resource_class)
-      end
-      if resource_class.const_defined?('RESOURCE_CONTROLLER_ATTRIB_ALLOWLIST') && !resource_class::RESOURCE_CONTROLLER_ATTRIB_ALLOWLIST.nil?
-        association_parameters &= resource_class::RESOURCE_CONTROLLER_ATTRIB_ALLOWLIST
-      end
-      # remove customized, non-params, assoc' attrib data by only allowing class columns
-      association_parameters &= resource_class.column_names.collect(&:to_sym)
-      resource_class.reflect_on_all_associations(:has_many).each do |assoc_class|
-        resource_key = assoc_class.name
-        # attrib_permission_key = (resource_key.to_s.singularize + '_ids').to_sym
-        attrib_permission_key = IDS_ATTIB_PERMISSION_KEY_GEN.call(resource_key)
-        # action_permission_key = ('_can_add_or_remove_association_' + resource_key.to_s).to_sym
-        action_permission_key = IDS_ACTION_PERMISSION_KEY_GEN.call(resource_key)
-        # i.e. can?(:can_participation_ids, Account)
-        # Check to see if we manually gave the user a custom permission
-        # # (i.e.: can [:update, :can_account_sector_ids], Account)
-        # OR
-        # see if it has the attribute on the class's allowed params
-        if can?(action_permission_key, resource_class) || can?(action_name, resource_class, attrib_permission_key)
-          association_parameters << {
-            attrib_permission_key => []
-          }
-        end
-      end
-      resource_class.nested_attributes_options.each do |resource_key, options|
-        reflection_class = resource_class.reflect_on_association(resource_key).class
-        reflection_type  = reflection_class.name
-        assoc_class = resource_class.reflect_on_association(resource_key).klass
-        if [
-          "ActiveRecord::Reflection::BelongsToReflection",
-          "ActiveRecord::Reflection::HasOneReflection",
-          "ActiveRecord::Reflection::HasManyReflection"
-        ].include?(reflection_type)
-          parameter_key = NESTED_ATTIB_PERMISSION_KEY_GEN.call(resource_key)
-          permission_key = NESTED_ACTION_PERMISSION_KEY_GEN.call(resource_key)
-          # Can check if permission to update assoc is defined as an action OR as an attrib on the parent resource_class
-          if can?(permission_key, resource_class) || can?(action_name, resource_class, parameter_key)
-            # Handle recursion
-            assoc_parameters = get_nested_attributes_for_class(assoc_class, action_name, root_level_object, depth + 1)
-            if options[:allow_destroy] && can?(:destroy, resource_class)
-              assoc_parameters << :_destroy
-            end
-            association_parameters << {
-              parameter_key => assoc_parameters
-            }
-          end
-        end
-      end
-      return association_parameters
-    end
-    def param_permit base_parameters
-      params.permit(base_parameters)
-    end
     def initialize_resource_class
       # First priority is the namespaced model, e.g. User::Group
       @resource_class ||= begin

data/lib/cancancan/configuration.rb ADDED Viewed

@@ -0,0 +1,10 @@
+module CanCanCan
+  module AbstractResourceController
+    class Configuration
+      # attr_accessor :silence_raised_errors, :use_smart_nested_authorizations
+      def initialize
+      end
+    end
+  end
+end

data/lib/cancancan/version.rb ADDED Viewed

@@ -0,0 +1,5 @@
+module CanCanCan
+  module AbstractResourceController
+    VERSION = '1.0.1'
+  end
+end

data/lib/cancancan_resource_controller.rb CHANGED Viewed

@@ -1,4 +1,27 @@
+require_relative 'cancancan/configuration'
 require_relative 'cancancan/abstract_resource_controller'
+require_relative 'cancancan/version'
 # include the extension
-# ActiveRecord::Base.send(:include, Serializer::Concern)
+# ActiveRecord::Base.send(:include, Serializer::Concern)
+module CanCanCan
+  module AbstractResourceController
+    # config src: http://lizabinante.com/blog/creating-a-configurable-ruby-gem/
+    class << self
+      attr_accessor :configuration
+    end
+    def self.configuration
+      @configuration ||= Configuration.new
+    end
+    def self.reset
+      @configuration = Configuration.new
+    end
+    def self.configure
+      yield(configuration)
+    end
+  end
+end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cancancan_resource_controller
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 1.0.1
 platform: ruby
 authors:
 - benjamin.dana.software.dev@gmail.com
@@ -30,6 +30,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 3.5.0
+- !ruby/object:Gem::Dependency
+  name: cancancan_nested_auth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
@@ -121,6 +135,8 @@ extensions: []
 extra_rdoc_files: []
 files:
 - lib/cancancan/abstract_resource_controller.rb
+- lib/cancancan/configuration.rb
+- lib/cancancan/version.rb
 - lib/cancancan_resource_controller.rb
 homepage: https://github.com/danabr75/cancancan_resource_controller
 licenses:
@@ -141,7 +157,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.4.15
 signing_key:
 specification_version: 4
 summary: A Rails Controller Module that uses CanCan's permitted attribs instead of