cannie 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9fbbd16e6ac148de444fe153765a6dc094dc24e9
-  data.tar.gz: cb1002198639bb6ae623277915b5cc903147c88d
+  metadata.gz: bd4ec59a6c5ecf6c0e7307ea41c381cdca880956
+  data.tar.gz: 666cb9f5b763b66abd5ba9e8e8c5404933e4a940
 SHA512:
-  metadata.gz: 87b47746d61b5604032cc51f2f11720893628a1b6019274d9ab870f41d875d76bd13119105fdfecc154020ecae50d2ada46792853aa4366f147903de97c53445
-  data.tar.gz: ae87022d66e48972f60f9fa31adef1a5e00e4e7324ab312fe32162375051f6ab8a6f78441a77251676740d78a2d3629ab47ee44b945fed372a7963beeb88dd2c
+  metadata.gz: bb8863ea60b52ac207da478b9f890001f3d3525620a0f46971f21135d66fbef5182a315b73ea5ec66554f06a6ebb1aac8aeeebf4c9878e806f62aa9f62533e3f
+  data.tar.gz: 4832f762eaa2a38592721dce60f27390464055ac5b5e8a5a8123fc4f9cd3407249aa526e90d03c6f9380aeeb2f521b4ba9aa0c72b21e0f2c5519242f7e1810b8

data/README.md

@@ -1,6 +1,6 @@
 # Cannie
 
-Cannie is a gem for authorization/permissions checking.
+Cannie is a gem for authorization/permissions checking on per-controller/per-action basis.
 
 ## Installation
 
@@ -24,27 +24,47 @@ Permissions are defined in Permissions class, which could be generated by Rails
 
     rails g cannie:permissions
 
-Than you can define all the permissions you want inside ::initialize method of Permissions class:
+Than you can define all the permissions you want:
 
     class Permissions
       include Cannie::Permissions
 
-      def initialize(user)
-        if user.admin?
-          allow :manage, on: :all
-        else
-          allow :read, on: Post
-          allow :read, on: Comment
-          allow :create, on: Comment
-
-          # allow delete comments, that were created only if user has posted those comments
-          allow :delete, on: Comment do |*comments|
-            comments.all?{|c| c.user_id == user.id}
-          end
+      # allow action on controller
+      allow :index, on: :posts
+
+      # or if controller is namespaced
+      allow :index, on: 'namespace/controller'
+
+      # few actions for controller
+      allow [:index, :show], on: :posts
+
+      # many actions for many controllers
+      allow [:index, :show], on: [:posts, :comments]
+
+      # few rules inside controller scope
+      controller :posts do
+        allow :show
+        allow :new
+      end
+
+      # namespaced controllers
+      namespace :admin do
+        controller :users do
+          allow [:index, :show]
         end
       end
     end
 
+Also its possible to pass conditions for `allow` calls:
+
+    allow :index, on: :posts, if: ->{ user.admin? }
+
+or
+
+    allow :index, on: :posts, unless: ->{ user.guest? }
+
+These conditions are executed in context of `Permissions` object and its possible to use `user` method to access user that was passed to `Permissions::initialize`.
+
 ### Checking permissions
 
 To be sure that permissions checking is handled in each action of your controller, add `check_permissions` method call to your controllers:
@@ -95,54 +115,6 @@ To skip checking permissions for controller, add `skip_check_permissions` method
       #...
     end
 
-Checking of permissions on per-action basis is done by calling `permit!` method inside of controller's actions:
-
-    class PostsController < ApplicationController
-      check_permissions
-
-      def index
-        @posts = Posts.all
-        permit! :read, on: posts # checks whether user able to read fetched posts
-      end
-    end
-
-It is possible to check permissions for resource actions. Currently collection and entry name is taken from resource controller name (some_namespace/entries_controller => @entries/@entry instance variables).
-To add this behavior add `permit_resource_actions` instead of `check_permissions` with no need to write custom `permit!` calls in each resource action:
-
-    class EntriesController < ApplicationController
-      permit_resource_actions
-
-      def index
-        @entries = Entry.all
-      end
-
-      def show
-        @entry = Entry.find(params[:id])
-      end
-    end
-
-For now only standard resource actions supported: `index`, `show`, `new`, `create`, `edit`, `update`, `destroy`.
-To define `Permissions` properly, use this mapping of action names to permissions:
- - :index => :list
- - :show => :read
- - :new or :create => :create
- - :edit or :update => :update
- - :destroy => :destroy
-
- Sample `Permissions` class to deal with all resource actions for `EntriesController`:
-
-    class Permissions
-      include Cannie::Permissions
-
-      def initialize(user)
-        allow :list, on: Entry    # index action
-        allow :read, on: Entry    # show action
-        allow :create, on: Entry  # new & create actions
-        allow :update, on: Entry  # edit & update actions
-        allow :destroy, on: Entry # destroy action
-      end
-    end
-
 ### Handling of unpermitted access
 
 If user is not permitted for appropriate action, `Cannie::ActionForbidden` exception will be raised.

data/lib/cannie/controller_extensions.rb

@@ -7,31 +7,22 @@ module Cannie
       helper_method :can?, :current_permissions
     end
 
-    RESOURCE_ACTIONS = {
-      index:   :list,
-      show:    :read,
-      new:     :create,
-      create:  :create,
-      edit:    :update,
-      update:  :update,
-      destroy: :destroy
-    }
-
     module ClassMethods
       # Method is used to be sure, that permissions checking is handled for each action inside controller.
       #
       #   class PostsController < ApplicationController
       #     check_permissions
       #
-      #     #...
+      #     # ...
       #   end
       #
       def check_permissions(options={})
-        after_action(options.slice(:only, :except)) do |controller|
+        _if, _unless = options.values_at(:if, :unless)
+        before_action(options.slice(:only, :except)) do |controller|
           next if controller.permitted?
-          next if options[:if] && !controller.instance_eval(&options[:if])
-          next if options[:unless] && controller.instance_eval(&options[:unless])
-          raise CheckPermissionsNotPerformed, 'Action failed the check_permissions because it does not calls permit! method. Add skip_check_permissions to bypass this check.'
+          next if _if && !controller.instance_eval(&_if)
+          next if _unless && controller.instance_eval(&_unless)
+          current_permissions.permit!(controller.action_name, controller)
         end
       end
 
@@ -40,63 +31,34 @@ module Cannie
       #   class PostsController < ApplicationController
       #     skip_check_permissions
       #
-      #     #...
+      #     # ...
       #   end
       def skip_check_permissions(*args)
-        before_action(*args) do |controller|
+        prepend_before_action(*args) do |controller|
           controller.instance_variable_set(:@_permitted, true)
         end
       end
-
-      # Permit resource actions [index, show, new, create, edit, update, destroy] in controller
-      #
-      #
-      def permit_resource_actions(options={})
-        after_action(options.slice(:only, :except)) do |controller|
-          begin
-            next if controller.permitted?
-            next if options[:if] && !controller.instance_eval(&options[:if])
-            next if options[:unless] && controller.instance_eval(&options[:unless])
-            controller.permit! RESOURCE_ACTIONS.with_indifferent_access[action_name], on: controller.subject_for_action
-          rescue Cannie::ActionForbidden
-            self.response_body = nil
-            raise
-          end
-        end
-      end
     end
 
     # Checks whether passed action is permitted for passed subject
     #
-    #   can? :read, on: @posts
+    #   can? :index, on: :entries
     #
     # or
     #
-    #   can? :read, on: Post
-    #
-    # @param [Symbol] action
-    # @param [Object] subject
-    # @return [Boolean] result of checking permission
+    #   can? :index, on: EntriesController
     #
-    def can?(action, on: nil)
-      raise Cannie::SubjectNotSetError, 'Subject should be specified' unless on
-      current_permissions.can?(action, on: on)
-    end
-
-    # Define permissions, that should be checked inside controller's action
+    # or
     #
-    #  def index
-    #    permit! :read, on: Post
-    #    @posts = Post.all
-    #  end
+    #   can? :index, on: 'admin/entries'
     #
     # @param [Symbol] action
-    # @param [Object] subject
+    # @param [Object] controller class or controller_path as a string or symbol
+    # @return [Boolean] result of checking permission
     #
-    def permit!(action, on: nil)
+    def can?(action, on: nil)
       raise Cannie::SubjectNotSetError, 'Subject should be specified' unless on
-      current_permissions.permit!(action, on: on)
-      @_permitted = true
+      current_permissions.can?(action, on)
     end
 
     def permitted?
@@ -107,14 +69,6 @@ module Cannie
       @current_permissions ||= ::Permissions.new(current_user)
     end
 
-    def subject_for_action
-      return unless RESOURCE_ACTIONS.with_indifferent_access.keys.include?(action_name)
-      entry_name = controller_name.classify.demodulize.downcase
-      collection_name = entry_name.pluralize
-      variable_name = action_name == 'index' ? collection_name : entry_name
-      instance_variable_get(:"@#{variable_name}")
-    end
-
     private
     attr_reader :_permitted
   end

data/lib/cannie/exceptions.rb

@@ -1,7 +1,5 @@
 module Cannie
   class SubjectNotSetError < StandardError; end
 
-  class CheckPermissionsNotPerformed < StandardError; end
-
   class ActionForbidden < StandardError; end
 end

data/lib/cannie/permissions.rb

@@ -1,71 +1,72 @@
 module Cannie
-  # This module provides possibility to define permissions using "allow" method
-  #
-  #   class Permissions
-  #     include Cannie::Permissions
-  #
-  #     def initialize(user)
-  #       allow :read, on: Model
-  #       allow :manage, on: Model do |*entries|
-  #         entries.all?{|v| v.user == user}
-  #       end
-  #     end
-  #   end
-  #
   module Permissions
-    # Define rules for further permissions checking
-    #
-    #   allow :read, on: Model
-    #
-    # @param actions
-    # @param on
-    # @return array of rules
-    def allow(*actions, on: nil, &block)
-      rules << Rule.new(*actions, on, &block)
+    extend ActiveSupport::Concern
+
+    included do
+      extend ClassMethods
     end
 
-    # Check permission by given action on subject, that is passed in 'on' parameter
-    #
-    #   can? :read, on: Model
-    #
-    # or
-    #
-    #   can? :read, on: models
-    #
-    # @param action
-    # @param on
-    # @return result of permissions check
-    #
-    def can?(action, on: nil)
-      rules = rules_for(action, on)
-      rules.present? && rules.all? do |rule|
-        rule.permits?(*on)
+    module ClassMethods
+      def namespace(name, &block)
+        orig_scope = @scope
+        @scope     = [orig_scope, name].compact.join('/')
+        instance_exec(&block)
+      ensure
+        @scope = orig_scope
+      end
+
+      def controller(name, &block)
+        @controller = name
+        instance_exec(&block)
+      ensure
+        @controller = nil
+      end
+
+      def allow(action, options={})
+        opts = options.slice(:if, :unless)
+        subjects = Array(@controller || options[:on]).map { |v| subject(v) }
+
+        Array(action).each do |action_name|
+          subjects.each do |subj|
+            rules << Rule.new(action_name, subj, opts)
+          end
+        end
+      end
+
+      def rules
+        @rules ||= []
       end
+
+      private
+      def subject(name)
+        (name == :all && name) || ([@scope, name].compact.join('/'))
+      end
+    end
+
+    attr_reader :user
+
+    def initialize(user)
+      @user = user
+    end
+
+    def can?(action, subject)
+      rules_for(action, subject).present?
     end
 
-    # Permit access for action on a subject
-    #
-    #   permit! :read, on: Model
-    #
-    # or
-    #
-    #   permit! :manage, on: models
-    #
-    # @param [Symbol] Action
-    #
-    def permit!(action, on: nil)
-      raise Cannie::ActionForbidden unless can?(action, on: on)
+    def permit!(action, subject)
+      raise Cannie::ActionForbidden unless can?(action, subject)
     end
 
     private
     def rules
-      @rules ||= []
+      @rules ||= self.class.rules.select { |rule| rule.applies_to?(self) }
     end
 
     def rules_for(action, subject)
-      klass = subject.is_a?(Class) ? subject : subject.class
-      rules.select do |r|
-        r.actions.include?(action) && (subject == :all || klass <= r.subject)
+      subject = subject.respond_to?(:controller_path) ? subject.controller_path : subject.to_s
+
+      rules.select do |rule|
+        rule.action.to_sym == action.to_sym && (rule.subject == :all || rule.subject == subject)
       end
     end
   end

data/lib/cannie/rule.rb

@@ -1,19 +1,24 @@
 module Cannie
   class Rule
-    attr_reader :actions, :subject, :condition
+    attr_reader :action, :subject
 
-    def initialize(*actions, subject, &block)
-      @actions = actions
-      @subject = subject
-      @condition = block
+    def initialize(action, subject, options={})
+      @action, @subject, @_if, @_unless = action, subject, *options.values_at(:if, :unless)
     end
 
-    def permits?(*args)
-      if condition
-        !!condition.call(*args)
-      else
-        true
-      end
+    def applies_to?(permissions)
+      if?(permissions) && unless?(permissions)
+    end
+
+    private
+    attr_reader :_if, :_unless
+
+    def if?(permissions)
+      _if ? permissions.instance_exec(&_if) : true
+    end
+
+    def unless?(permissions)
+      _unless ? !permissions.instance_exec(&_unless) : true
     end
   end
 end

data/lib/cannie/version.rb

@@ -1,3 +1,3 @@
 module Cannie
-  VERSION = '0.1.0'
+  VERSION = '0.2.0'
 end

data/lib/generators/cannie/permissions/templates/permissions.rb

@@ -1,15 +1,19 @@
 class Permissions
   include Cannie::Permissions
 
-  def initialize(user)
-    # Define abilities for the passed user:
-    #
-    #   user ||= User.new
-    #   if user.admin?
-    #     allow :manage, on: Model
-    #   else
-    #     can :read, on: Model
-    #   end
-    #
-  end
+  # namespace :admin do
+  #   allow :index, on: :users, if: ->{ user.admin? }
+  #   allow :show, on: :users, if: :admin?
+  #   allow :new, on: :users, unless: :member?
+  #
+  #   controller :posts do
+  #     allow :index
+  #   end
+  # end
+  #
+  # controller :users do
+  #   allow [:sign_in, :sign_up]
+  # end
+  #
+  # allow [:index, :show, :new, :create, :edit, :update, :destroy], on: [:posts, :comments]
 end

data/spec/cannie/controller_extensions_spec.rb

@@ -1,22 +1,22 @@
 require 'spec_helper'
 
 describe Cannie::ControllerExtensions do
-  let(:klass) {
+  let(:klass) do
     Class.new(ActionController::Base) do
-      def action; end
+      def action
+        render nothing: true
+      end
+
       def index
         @entries = [1,2,3,4,5]
         render text: @entries.to_s
       end
 
-      %i(show new create edit update destroy).each do |action|
-        define_method action do
-          @entry = 123
-          render text: @entry.to_s
-        end
+      def self.controller_path
+        'entries'
       end
     end
-  }
+  end
 
   subject { klass.new }
 
@@ -24,50 +24,38 @@ describe Cannie::ControllerExtensions do
     Class.new do
       include Cannie::Permissions
 
-      def initialize
-        allow :update, on: Array do |*attrs|
-          attrs.all?{|v| v % 3 == 0}
-        end
-      end
-    end
-  end
-
-  let(:resource_permissions) do
-    Class.new do
-      include Cannie::Permissions
-
-      def initialize
-        allow :list, on: Array
-        %i(read create update destroy).each{ |v| allow v, on: Fixnum }
-      end
+      allow :index, on: :entries
     end
   end
 
   describe '.check_permissions' do
+    before { subject.stub(:current_permissions).and_return(permissions.new('User')) }
+
     describe 'without conditions' do
-      before { klass.check_permissions }
+      before do
+        klass.check_permissions
+      end
 
-      it 'raises exception if controller.permitted? evaluates to false' do
-        expect { subject.run_callbacks(:process_action) }.to raise_error(Cannie::CheckPermissionsNotPerformed)
+      it 'raises exception if no rules for action & subject exist' do
+        expect { subject.dispatch(:action, ActionDispatch::TestRequest.new) }.to raise_error(Cannie::ActionForbidden)
       end
 
-      it 'does not raise exception if controller.permitted? evaluates to true' do
-        subject.stub(:permitted?).and_return(true)
-        expect { subject.run_callbacks(:process_action) }.not_to raise_error
+      it 'does not raise exception rules match action & subject' do
+        expect { subject.dispatch(:index, ActionDispatch::TestRequest.new) }.not_to raise_error
       end
     end
 
     describe 'with if condition' do
       before { klass.check_permissions if: :condition? }
 
-      it 'raises exception if :if block executed in controller scope returns true' do
+      it 'raises exception if :if block executed in controller scope returns true and no rules for action/subject' do
         subject.stub(:condition?).and_return(true)
-        expect { subject.run_callbacks(:process_action) }.to raise_error(Cannie::CheckPermissionsNotPerformed)
+        expect { subject.dispatch(:action, ActionDispatch::TestRequest.new) }.to raise_error(Cannie::ActionForbidden)
       end
 
       it 'does not raise exception if :if block executed in controller scope returns false' do
         subject.stub(:condition?).and_return(false)
-        expect { subject.run_callbacks(:process_action) }.not_to raise_error
+        expect { subject.dispatch(:action, ActionDispatch::TestRequest.new) }.not_to raise_error
       end
     end
 
@@ -76,12 +64,12 @@ describe Cannie::ControllerExtensions do
 
       it 'raises exception if :unless block executed in controller scope returns false' do
         subject.stub(:condition?).and_return(false)
-        expect { subject.run_callbacks(:process_action) }.to raise_error(Cannie::CheckPermissionsNotPerformed)
+        expect { subject.dispatch(:action, ActionDispatch::TestRequest.new) }.to raise_error(Cannie::ActionForbidden)
       end
 
       it 'does not raise exception if :unless block executed in controller scope returns false' do
         subject.stub(:condition?).and_return(true)
-        expect { subject.run_callbacks(:process_action) }.not_to raise_error
+        expect { subject.dispatch(:action, ActionDispatch::TestRequest.new) }.not_to raise_error
       end
     end
   end
@@ -94,77 +82,26 @@ describe Cannie::ControllerExtensions do
     end
   end
 
-  describe 'permit_resource_actions' do
-    before do
-      klass.permit_resource_actions
-      subject.stub(:controller_name).and_return('test/entries')
-      subject.stub(:current_permissions).and_return resource_permissions.new
-    end
-
-    it 'calls permit! for index with valid params' do
-      expect(subject).to receive(:permit!).with(Cannie::ControllerExtensions::RESOURCE_ACTIONS[:index], on: [1,2,3,4,5])
-      subject.dispatch(:index, ActionDispatch::TestRequest.new)
-    end
-
-    it 'calls permit! for show with valid params' do
-      expect(subject).to receive(:permit!).with(Cannie::ControllerExtensions::RESOURCE_ACTIONS[:show], on: 123)
-      subject.dispatch(:show, ActionDispatch::TestRequest.new)
-    end
-
-    %i(index show).each do |action|
-      it "permits #{action} action" do
-        subject.dispatch(action, ActionDispatch::TestRequest.new)
-        expect(subject.permitted?).to be_true
-      end
-    end
-
-    it 'raises Cannie::ActionForbidden error up the stack' do
-      expect(subject).to receive(:index).and_raise(Cannie::ActionForbidden)
-      expect { subject.dispatch(:index, ActionDispatch::TestRequest.new) }.to raise_error(Cannie::ActionForbidden)
-      expect(subject.response_body).to be_nil
-    end
-  end
-
   describe '#can?' do
     it 'raises SubjectNotSetError if value of :on param is nil' do
-      expect { subject.can? :action }.to raise_error(Cannie::SubjectNotSetError)
+      expect { subject.can? :action, on: nil }.to raise_error(Cannie::SubjectNotSetError)
     end
 
     it 'returns true if action allowed on subject' do
-      subject.stub(:current_permissions).and_return permissions.new
-      expect(subject.can? :update, on: [3,6,9]).to be_true
+      subject.stub(:current_permissions).and_return permissions.new('user')
+      expect(subject.can? :index, on: klass).to be_true
     end
 
     it 'returns false if action not allowed on subject' do
-      subject.stub(:current_permissions).and_return permissions.new
-      expect(subject.can? :update, on: [3,7,9]).to be_false
-    end
-  end
-
-  describe '#permit!' do
-    it 'raises SubjectNotSetError if value of :on param is nil' do
-      expect { subject.permit! :action }.to raise_error(Cannie::SubjectNotSetError)
-    end
-
-    it 'assigns @_permitted to true if action is allowed on subject' do
-      subject.stub(:current_permissions).and_return permissions.new
-      subject.permit! :update, on: [3,6,9]
-      expect(subject.permitted?).to be_true
-    end
-
-    it 'raises AccessDenied error if action is not allowed on subject' do
-      subject.stub(:current_permissions).and_return permissions.new
-      expect { subject.permit! :update, on: [3,6,11] }.to raise_error(Cannie::ActionForbidden)
+      subject.stub(:current_permissions).and_return permissions.new('user')
+      expect(subject.can? :action, on: klass).to be_false
     end
   end
 
   describe '#current_permissions' do
     before(:all) do
       Permissions = Class.new do
-        attr_reader :user
-        def initialize(user)
-          @user = user
-        end
+        include Cannie::Permissions
       end
     end
 

data/spec/cannie/permissions_spec.rb

@@ -3,82 +3,125 @@ require 'spec_helper'
 describe Cannie::Permissions do
   subject { Class.new { include Cannie::Permissions } }
 
-  describe '#allow' do
-    before do
-      subject.class_eval do
-        def initialize
-          allow :read, :update, on: Array
-        end
+  let(:permissions) do
+    subject.class_exec do
+      controller :entries do
+        allow :index
+        allow :show
       end
-    end
-
-    let(:rules) { subject.new.send(:rules) }
 
-    it 'creates only one rule for each call of allow method' do
-      expect(rules.size).to eq(1)
+      allow :new, on: :all
     end
+    subject.new('user')
+  end
 
-    it 'creates and stores Rule object with passed actions' do
-      expect(rules.first.actions).to eq([:read, :update])
+  let(:klass) do
+    Class.new(ActionController::Base) do
+      def index; end
+      def self.controller_path
+        'entries'
+      end
     end
+  end
 
-    it 'creates and stores Rule object with passed subject' do
-      expect(rules.first.subject).to eq(Array)
+  describe '.namespace' do
+    it 'executes block with changed scope' do
+      expect(subject.namespace('test_namespace') { subject('entries') }).to eq('test_namespace/entries')
     end
 
-    it 'creates and stores Rule object with passed condition block' do
-      expect(rules.first.condition).to be_nil
+    it 'allows nesting of namespaces' do
+      expect(
+        subject.namespace('test_namespace') do
+          namespace 'namespace_2' do
+            subject('entries')
+          end
+        end
+      ).to eq('test_namespace/namespace_2/entries')
     end
   end
 
-  describe '#can?' do
-    before do
-      subject.class_eval do
-        def initialize
-          allow :read, on: Array
+  describe '.controller' do
+    it 'executes block with changed controller' do
+      subject.controller('entries') { allow :index }
+      expect(subject.rules.map(&:subject)).to eq(['entries'])
+    end
 
-          allow(:read, on: Array) do |*args|
-            args.all?{|v| v % 2 == 0}
-          end
-        end
+    it 'allows nesting into namespaces' do
+      subject.namespace(:namespace) do
+        controller(:entries) { allow :index }
       end
+      expect(subject.rules.map(&:subject)).to eq(['namespace/entries'])
     end
+  end
 
-    let(:permissions) { subject.new }
-
-    it 'returns false if no rules for action exists' do
-      permissions.stub(:rules).and_return([])
-      expect(permissions.can? :read, on: [2, 4, 8]).to be_false
+  describe '.allow' do
+    it 'creates Rule object for specified controller and action' do
+      subject.allow :index, on: :entries
+      rule = subject.rules.last
+      expect(rule).to be_instance_of(Cannie::Rule)
+      expect(rule.action).to eq(:index)
+      expect(rule.subject).to eq('entries')
     end
 
-    it 'returns true if all rules for action & subject are permitted' do
-      expect(permissions.can? :read, on: [2, 4, 8]).to be_true
+    it 'creates Rule object for each of specified actions and controllers' do
+      subject.allow [:index, :show], on: [:entries, :comments]
+      expected = [[:index, 'entries'], [:index, 'comments'], [:show, 'entries'], [:show, 'comments']]
+      expect(subject.rules.map { |rule| [rule.action, rule.subject] }).to eq(expected)
     end
 
-    it 'returns false if not all rules for action & subject are permitted' do
-      expect(permissions.can? :read, on: [1, 2, 3]).to be_false
+    it 'allows nesting into controllers' do
+      subject.class_exec do
+        allow :index, on: :entries
+
+        controller :entries do
+          allow :show
+        end
+
+        allow :show, on: :comments
+      end
+
+      expected = [[:index, 'entries'], [:show, 'entries'], [:show, 'comments']]
+      expect(subject.rules.map { |rule| [rule.action, rule.subject] }).to eq(expected)
     end
   end
 
-  describe '#permit!' do
-    before do
-      subject.class_eval do
-        def initialize
-          allow :read, on: Array do |*args|
-            args.all?{|v| v % 2 == 0}
-          end
-        end
+  describe '#can?' do
+    describe 'when passed as class' do
+      it 'returns true if it has at least one rule for corresponding action & subject' do
+        expect(permissions.can?(:index, klass)).to be_true
+      end
+
+      it 'returns true for any subject if rule subject set to :all' do
+        expect(permissions.can?(:new, klass)).to be_true
+      end
+
+      it 'returns false if no rules found for corresponding action & subject' do
+        expect(permissions.can?(:edit, klass)).to be_false
       end
     end
 
-    let(:permissions) { subject.new }
+    describe 'when passed as string' do
+      it 'returns true if it has at least one rule for corresponding action & subject' do
+        expect(permissions.can?(:index, klass.controller_path)).to be_true
+      end
+
+      it 'returns true for any subject if rule subject set to :all' do
+        expect(permissions.can?(:new, klass.controller_path)).to be_true
+      end
+
+      it 'returns false if no rules found for corresponding action & subject' do
+        expect(permissions.can?(:edit, klass.controller_path)).to be_false
+      end
+    end
+  end
 
-    it 'raises AccessDenied error if permission checking failed' do
-      expect { permissions.permit! :read, on: [1, 2, 3] }.to raise_error
+  describe '#permit!' do
+    it 'raises ActionForbidden error if can? returns false' do
+      expect { permissions.permit!(:edit, klass) }.to raise_error(Cannie::ActionForbidden)
     end
 
-    it 'does not raise AccessDenied error if permission checking was successfull' do
-      expect { permissions.permit! :read, on: [2, 4, 6] }.not_to raise_error
+    it 'does not raise ActionForbidden error if can? returns true' do
+      expect { permissions.permit!(:index, klass) }.not_to raise_error
     end
   end
 

data/spec/cannie/rule_spec.rb

@@ -2,41 +2,62 @@ require 'spec_helper'
 
 describe Cannie::Rule do
   describe '#initialize' do
-    it 'stores passed actions' do
-      actions = %i(read create update delete)
-      rule = described_class.new *actions, Array
-      expect(rule.actions).to eq(actions)
+    it 'stores passed action' do
+      rule = described_class.new :index, 'entries'
+      expect(rule.action).to eq(:index)
     end
 
     it 'stores passed subject' do
-      rule = described_class.new :read, Array
-      expect(rule.subject).to eq(Array)
-    end
-
-    it 'scores passed block' do
-      rule = described_class.new(:read, Array){ |*attrs| attrs.all?{ |v| v % 2 == 0 } }
-      expect(rule.condition.call(2,4,8)).to be_true
+      rule = described_class.new :index, 'entries'
+      expect(rule.subject).to eq('entries')
     end
   end
 
-  describe '#permits?' do
-    let(:rule) do
-      described_class.new(:read, Array) do |*attrs|
-        attrs.all?{ |v| v % 2 == 0 }
+  describe 'applies_to?' do
+    let(:permissions) do
+      Class.new do
+        def initialize(is_admin=false, is_guest=false)
+          @is_admin, @is_guest = is_admin, is_guest
+        end
+
+        def admin?
+          !!@is_admin
+        end
+
+        def guest?
+          !!@is_guest
+        end
       end
     end
 
-    it 'returns true if result of executing condition is true' do
-      expect(rule.permits?(2,4,8)).to be_true
+    it 'returns true if no conditions passed in initialize' do
+      rule = described_class.new(:index, 'entries')
+      expect(rule.applies_to?(Array)).to be_true
+    end
+
+    it 'returns true if passed if-condition evaluated in scope of passed argument return true' do
+      rule = described_class.new(:index, 'entries', if: -> { admin? })
+      expect(rule.applies_to?(permissions.new(true))).to be_true
+    end
+
+    it 'returns false if passed if-condition evaluated in scope of passed argument return false' do
+      rule = described_class.new(:index, 'entries', if: -> { admin? })
+      expect(rule.applies_to?(permissions.new())).to be_false
+    end
+
+    it 'returns true if passed unless-condition evaluated in scope of passed argument return false' do
+      rule = described_class.new(:index, 'entries', unless: -> { admin? })
+      expect(rule.applies_to?(permissions.new)).to be_true
     end
 
-    it 'returns false if result of executing condition is false' do
-      expect(rule.permits?(1,4,8)).to be_false
+    it 'returns false if passed unless-condition evaluated in scope of passed argument return true' do
+      rule = described_class.new(:index, 'entries', unless: -> { admin? })
+      expect(rule.applies_to?(permissions.new(true))).to be_false
     end
 
-    it 'returns true for any subject if rule subject is :all' do
-      rule = described_class.new(:read, :all)
-      expect(rule.permits?(1,2,3)).to be_true
+    it 'returns true if all conditions returned true' do
+      rule = described_class.new(:index, 'entries', if: -> { admin? }, unless: -> { guest? })
+      expect(rule.applies_to?(permissions.new(true))).to be_true
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cannie
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - hck
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-09-17 00:00:00.000000000 Z
+date: 2013-09-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler