concerns_on_rails 1.13.0 → 1.14.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4b5bc2f3b03563d643ff2e9cffe13038cf90482499d88475ef49fea9d37ea5f9
-  data.tar.gz: d4b3228e473a838929c108d548674cb7b17738c62af1e1dee7454651f405e68c
+  metadata.gz: b5c234af5baa9aa52269898bb63da24e4cc373bc5e2b3d7db7467ef89a86141b
+  data.tar.gz: 20cd7d9bb802447d7fd38be485e623216774ffa3dba9d5aae9f225ad48fb0b8a
 SHA512:
-  metadata.gz: 9f860c2f0c0a6d7570985c6a0f13c5b923ddb7aa12bcb08060b9dbbcd7ee6106182679d99ac3e7826835d8ccea708ef8bc82101aeb6c142fe20cbfbac77f636b
-  data.tar.gz: 865441dcf91d87c664809919a930ac2aedfa27fce106570a77e0dcf2331cc074313d0f63abecd21691b36c3af5861c72cc21b956ed70e11896ef411737287671
+  metadata.gz: ebef3ed5411bf6fa388b9a1d47ab92eb9a871eeda6e478aee4dc0dfd586a10bcbf05497dba93325b896a897a0a0cc3a296ce833aaef72343decacce42c0087aa
+  data.tar.gz: efc7d26aca5aeff71308135c2617374d98ee8c0e955038a783e2b3c8c2b14a1827ae27fd2a7c64d6637e6c2fe61b2711da796f388e172bdc9dac827dc56e6743

data/CHANGELOG.md

@@ -1,5 +1,15 @@
 <!-- CHANGELOG.md -->
 
+## 1.14.0 (2026-06-06)
+
+### Added
+- **Controllers::Authorizable**: declarative, block-only per-action authorization gate. `authorize_by { current_user.admin? }` (arity-safe — also `|action|` / `|action, user|`) halts the first failing rule with 403; `require_role :admin, :editor, only: :publish` is sugar over the common role check. `only:` / `except:` scope a rule to a subset of actions. When `Respondable` is included the denial delegates to `render_error` (`code: "forbidden"`), otherwise the same envelope is rendered inline. Deliberately not a policy/ability framework (no policy objects, no ability DSL, no resource inference). Zero new runtime dependencies.
+- **Controllers::Throttleable**: per-request rate limiting with a store-agnostic, injectable backend. `throttle_by limit: 100, period: 1.minute` (bucketed per-IP by default, or by any `by:` lambda) halts an over-limit request with 429 plus `Retry-After` and `X-RateLimit-Limit` / `X-RateLimit-Remaining` / `X-RateLimit-Reset`. Fixed-window counter keyed by a floored time bucket; requires an explicit atomic store (`self.throttleable_store = Rails.cache`) — there is no silent in-process default, so the first throttled request raises until one is configured. Backports the essentials of Rails 7.2's `rate_limit` (with standardized headers) to Rails 5.0+. Zero new runtime dependencies.
+- **Controllers::Timezoneable**: per-request `Time.zone` selection via an `around_action` (`Time.use_zone`) — the time analogue of `Controllers::Localizable`. `timezoneable available: [...], default: "UTC"` resolves from `params` → `Time-Zone` header → cookie → default, every candidate validated through `ActiveSupport::TimeZone[...]` so it can never raise at request time; an unknown configured zone fails fast at declaration. Options `param:` / `header:` / `cookie:`. Zero new runtime dependencies.
+
+### Notes
+- All changes are additive and backward-compatible, with zero new runtime dependencies. The three new controller concerns stay namespace-only (`ConcernsOnRails::Controllers::*`), matching the existing controller concerns.
+
 ## 1.13.0 (2026-06-06)
 
 ### Added

data/README.md

@@ -52,6 +52,9 @@ Article.published.without_deleted.find("hello-world")
   - [Includable](#-includable) — whitelisted association sideloading + sparse fieldsets
   - [SecureHeadable](#-secureheadable) — security response headers + native CSP DSL
   - [Localizable](#-localizable) — per-request locale from params / Accept-Language
+  - [Authorizable](#-authorizable) — per-action 403 authorization gate (block-based)
+  - [Throttleable](#-throttleable) — rate limiting with 429 + `X-RateLimit-*` headers
+  - [Timezoneable](#-timezoneable) — per-request `Time.zone` from params / header / cookie
 - [Module paths & namespacing](#-module-paths--namespacing)
 - [Development](#-development)
 - [Contributing](#-contributing)
@@ -1214,6 +1217,88 @@ Resolution order: `params[param]` → first match in `Accept-Language` → `defa
 
 ---
 
+## 🔒 Authorizable
+
+A declarative, **block-only** per-action authorization gate. Each rule is a predicate; the first one that applies to the current action and returns falsey halts the request with **403**. Deliberately small — not a Pundit/CanCan replacement.
+
+```ruby
+class Api::BaseController < ApplicationController
+  include ConcernsOnRails::Controllers::Authorizable
+
+  authorize_by { current_user.present? }                          # every action
+  authorize_by(only: %i[update destroy]) { |_action, user| user.admin? }
+  require_role :admin, :editor, only: :publish                    # role sugar
+end
+```
+
+The predicate runs via `instance_exec`, so `current_user` (and any helper) resolves on the controller. It is **arity-safe** — write it with zero, one (`|action|`), or two (`|action, user|`) parameters.
+
+**API**
+
+| Method         | Signature                                                                                  |
+|----------------|--------------------------------------------------------------------------------------------|
+| `authorize_by` | `authorize_by(only: nil, except: nil, status: :forbidden, message: "Forbidden", &block)`   |
+| `require_role` | `require_role(*roles, via: :current_user, role_method: :role, only:, except:, status:, message:)` |
+
+**Notes**
+- Rules run in declaration order; the first failing rule renders and halts.
+- When `Respondable` is also included, denials delegate to `render_error` (envelope `{ success: false, error: { message:, code: "forbidden" } }`); otherwise the same envelope is rendered inline.
+- `only:` / `except:` are mutually exclusive (passing both raises `ArgumentError`); `authorize_by` requires a block and `require_role` requires at least one role.
+- **Non-goals**: no policy objects, no ability DSL, no resource inference — reach for [`pundit`](https://github.com/varvet/pundit) / [`cancancan`](https://github.com/CanCanCommunity/cancancan) when you outgrow a predicate per action.
+
+---
+
+## 🚦 Throttleable
+
+Per-request rate limiting with a **store-agnostic, injectable** backend — no `rack-attack` needed. When a rule's limit is exceeded the request is halted with **429** plus `Retry-After` and `X-RateLimit-Limit` / `X-RateLimit-Remaining` / `X-RateLimit-Reset`.
+
+```ruby
+class Api::BaseController < ApplicationController
+  include ConcernsOnRails::Controllers::Throttleable
+
+  self.throttleable_store = Rails.cache               # must support atomic #increment
+
+  throttle_by limit: 100, period: 1.minute                          # by IP (default)
+  throttle_by limit: 5,   period: 1.minute, only: :create,
+              by: -> { current_user&.id || request.remote_ip }
+end
+```
+
+Fixed-window counter: the key embeds a floored time bucket (`epoch / period`) so each window starts clean and `X-RateLimit-Reset` is exact.
+
+**Options**: `limit:` (positive integer), `period:` (a `Duration` or seconds), `by:` (discriminator lambda, default per-IP), `only:` / `except:` (mutually exclusive action scoping), `name:` (disambiguates the counter key).
+
+**Notes**
+- The store MUST support **atomic increment-with-expiry** (`Rails.cache` with `#increment`, or Redis) — a non-atomic store under-counts under concurrency.
+- There is **no in-process default store** on purpose: the first throttled request raises `ArgumentError` until you set `throttleable_store`, so you never silently rate-limit per-process.
+- When `Respondable` is included, the 429 body delegates to `render_error` (`code: "rate_limited"`).
+- Backports the essentials of Rails 7.2's `rate_limit` (with standardized headers) to Rails 5.0+. For richer rules (fail2ban, allow/deny lists, exponential backoff) reach for [`rack-attack`](https://github.com/rack/rack-attack).
+
+---
+
+## 🕒 Timezoneable
+
+Per-request `Time.zone` selection wrapped in an `around_action` (`Time.use_zone`) — the time analogue of [Localizable](#-localizable). Dependency-free.
+
+```ruby
+class ApplicationController < ActionController::Base
+  include ConcernsOnRails::Controllers::Timezoneable
+
+  timezoneable available: ["UTC", "Eastern Time (US & Canada)"], default: "UTC"
+  # timezoneable param: :tz, header: false, cookie: :time_zone
+end
+```
+
+Resolution order: `params[param]` → `Time-Zone` header → cookie (if enabled) → `default` → the current `Time.zone`. Every value — the configured `available:` / `default:` **and** each request candidate — is resolved through `ActiveSupport::TimeZone[...]`, so a zone accepted at boot can never be rejected at request time.
+
+**Options**: `available:` (allow-list applied to param/header/cookie matching; `default:` bypasses it, mirroring Localizable), `default:`, `param:` (default `:time_zone`), `header:` (default `true`, reads the `Time-Zone` header), `cookie:` (default `false`; `true` reads the `:time_zone` cookie, or pass a cookie name).
+
+**Notes**
+- An unknown `available:` / `default:` zone raises `ArgumentError` at declaration time (fail-fast on misconfiguration).
+- Pairs naturally with the model concerns that read the clock (`Schedulable`, `Publishable`, `Expirable`, `SoftDeletable`).
+
+---
+
 ## 🗂️ Module paths & namespacing
 
 Every concern is available under two paths:

data/lib/concerns_on_rails/controllers/authorizable.rb

@@ -0,0 +1,124 @@
+require "active_support/concern"
+
+module ConcernsOnRails
+  module Controllers
+    # Declarative, block-only per-action authorization gate. Each rule is a
+    # predicate; the first rule that applies to the current action and returns a
+    # falsey value halts the request with 403 (rendered via Respondable's
+    # `render_error` when available, otherwise an inline envelope).
+    #
+    #   class Api::BaseController < ApplicationController
+    #     include ConcernsOnRails::Controllers::Authorizable
+    #
+    #     authorize_by { current_user.present? }                       # every action
+    #     authorize_by(only: %i[update destroy]) { |_action, user| user.admin? }
+    #     require_role :admin, :editor, only: :publish                 # role sugar
+    #   end
+    #
+    # The block is invoked with `instance_exec` so `current_user` (and any other
+    # helper) resolves on the controller. It is arity-safe: write it with zero,
+    # one (`|action|`), or two (`|action, user|`) parameters.
+    #
+    # Non-goals (kept deliberately small): this is NOT a policy/ability framework.
+    # No policy objects, no ability DSL, no resource inference — reach for Pundit
+    # or CanCanCan when you outgrow a predicate per action.
+    module Authorizable
+      extend ActiveSupport::Concern
+
+      included do
+        class_attribute :authorizable_rules, instance_accessor: false, default: []
+        before_action :enforce_authorization
+      end
+
+      module ClassMethods
+        # Register an authorization predicate. `only:`/`except:` scope it to a
+        # subset of actions (mutually exclusive). `status:` (default :forbidden)
+        # and `message:` control the denial response.
+        def authorize_by(only: nil, except: nil, status: :forbidden, message: "Forbidden", &block)
+          raise ArgumentError, "ConcernsOnRails::Controllers::Authorizable: a block is required" unless block
+
+          add_authorization_rule(check: block, only: only, except: except, status: status, message: message)
+        end
+
+        # Sugar for the common "actor must have one of these roles" rule. The
+        # actor is read via `via:` (default `:current_user`) and its role via
+        # `role_method:` (default `:role`). Implemented as a proc, never a lambda,
+        # so arity slicing can't raise.
+        def require_role(*roles, via: :current_user, role_method: :role, only: nil, except: nil,
+                         status: :forbidden, message: "Forbidden")
+          raise ArgumentError, "ConcernsOnRails::Controllers::Authorizable: at least one role is required" if roles.empty?
+
+          wanted = roles.map(&:to_s)
+          check = proc do
+            actor = respond_to?(via) ? send(via) : nil
+            actor.respond_to?(role_method) && wanted.include?(actor.public_send(role_method).to_s)
+          end
+          add_authorization_rule(check: check, only: only, except: except, status: status, message: message)
+        end
+
+        private
+
+        def add_authorization_rule(check:, only:, except:, status:, message:)
+          raise ArgumentError, "ConcernsOnRails::Controllers::Authorizable: pass either :only or :except, not both" if only && except
+
+          rule = {
+            check: check,
+            only: only && Array(only).map(&:to_s),
+            except: except && Array(except).map(&:to_s),
+            status: status,
+            message: message
+          }
+          self.authorizable_rules = authorizable_rules + [rule]
+        end
+      end
+
+      # Public so subclasses can override. Iterates the declared rules in order
+      # and denies on the first failing rule that applies to the current action.
+      def enforce_authorization
+        self.class.authorizable_rules.each do |rule|
+          next unless authorization_rule_applies?(rule)
+          next if invoke_authorization_check(rule[:check])
+
+          return authorization_denied(status: rule[:status], message: rule[:message])
+        end
+        nil
+      end
+
+      # Public override point for how a denial is rendered.
+      def authorization_denied(status:, message:)
+        return unless respond_to?(:response) && response
+
+        return render_error(message: message, status: status, code: "forbidden") if respond_to?(:render_error)
+
+        render json: { success: false, error: { message: message, code: "forbidden" } }, status: status
+      end
+
+      private
+
+      def authorization_rule_applies?(rule)
+        action = authorization_action_name
+        return rule[:only].include?(action) if rule[:only]
+        return !rule[:except].include?(action) if rule[:except]
+
+        true
+      end
+
+      # Arity-safe: slice the args to the predicate's arity before instance_exec
+      # so a zero/one/two-arg block all work. A negative arity (splat/optional)
+      # receives every arg.
+      def invoke_authorization_check(check)
+        args = [authorization_action_name, authorization_actor]
+        sliced = check.arity.negative? ? args : args.first(check.arity)
+        instance_exec(*sliced, &check)
+      end
+
+      def authorization_actor
+        respond_to?(:current_user) ? current_user : nil
+      end
+
+      def authorization_action_name
+        respond_to?(:action_name) ? action_name.to_s : nil
+      end
+    end
+  end
+end

data/lib/concerns_on_rails/controllers/throttleable.rb

@@ -0,0 +1,159 @@
+require "active_support/concern"
+
+module ConcernsOnRails
+  module Controllers
+    # Per-request rate limiting with a store-agnostic, injectable backend. When a
+    # rule's limit is exceeded the request is halted with 429 plus
+    # `Retry-After` and `X-RateLimit-Limit` / `X-RateLimit-Remaining` /
+    # `X-RateLimit-Reset` headers.
+    #
+    #   class Api::BaseController < ApplicationController
+    #     include ConcernsOnRails::Controllers::Throttleable
+    #
+    #     self.throttleable_store = Rails.cache               # must support atomic #increment
+    #
+    #     throttle_by limit: 100, period: 1.minute                          # by IP (default)
+    #     throttle_by limit: 5,   period: 1.minute, only: :create,
+    #                 by: -> { current_user&.id || request.remote_ip }
+    #   end
+    #
+    # Fixed-window counter: the key embeds a floored time bucket
+    # (`epoch / period`) so each window starts clean and `X-RateLimit-Reset` is
+    # exact. The store MUST support atomic increment-with-expiry (`Rails.cache`
+    # with `#increment`, or Redis); a non-atomic store under-counts under
+    # concurrency. There is no in-process default store on purpose — configure
+    # one explicitly or the first throttled request raises ArgumentError.
+    module Throttleable
+      extend ActiveSupport::Concern
+
+      # Default discriminator — one counter per client IP. Evaluated with
+      # instance_exec on the controller, so `request` resolves normally.
+      DEFAULT_DISCRIMINATOR = -> { request.remote_ip }
+
+      included do
+        class_attribute :throttleable_rules, instance_accessor: false, default: []
+        class_attribute :throttleable_store, instance_accessor: false, default: nil
+        before_action :enforce_throttles
+      end
+
+      module ClassMethods
+        # Declare a rate-limit rule. `limit` requests per `period` (a Duration or
+        # seconds), bucketed by `by:` (a callable, default per-IP). `only:`/
+        # `except:` scope it to a subset of actions (mutually exclusive). `name:`
+        # disambiguates the counter key when several rules share a discriminator.
+        def throttle_by(limit:, period:, by: nil, only: nil, except: nil, name: nil)
+          validate_throttle!(limit: limit, period: period, by: by, only: only, except: except)
+
+          rule = {
+            limit: limit,
+            period: period.to_i,
+            by: by || DEFAULT_DISCRIMINATOR,
+            only: only && Array(only).map(&:to_s),
+            except: except && Array(except).map(&:to_s),
+            name: (name || "rule#{throttleable_rules.size}").to_s
+          }
+          self.throttleable_rules = throttleable_rules + [rule]
+        end
+
+        private
+
+        def validate_throttle!(limit:, period:, by:, only:, except:)
+          prefix = "ConcernsOnRails::Controllers::Throttleable"
+          raise ArgumentError, "#{prefix}: :limit must be a positive integer" unless positive_integer?(limit)
+          raise ArgumentError, "#{prefix}: :period must be a positive duration" unless period.to_i.positive?
+          raise ArgumentError, "#{prefix}: :by must be callable" unless callable_or_nil?(by)
+          raise ArgumentError, "#{prefix}: pass either :only or :except, not both" if only && except
+        end
+
+        def positive_integer?(value)
+          value.is_a?(Integer) && value.positive?
+        end
+
+        def callable_or_nil?(value)
+          value.nil? || value.respond_to?(:call)
+        end
+      end
+
+      # Public so subclasses can override. Applies each in-scope rule; the first
+      # rule that exceeds its limit halts the request with a 429.
+      def enforce_throttles
+        self.class.throttleable_rules.each do |rule|
+          next unless throttle_rule_applies?(rule)
+
+          result = register_throttle_hit(rule)
+          emit_throttle_headers(rule, result)
+
+          return throttled_response(rule, result) if result[:count] > rule[:limit]
+        end
+        nil
+      end
+
+      # Public override point for the 429 body.
+      def throttled_response(_rule, result)
+        return unless respond_to?(:response) && response
+
+        message = "Rate limit exceeded. Retry in #{result[:retry_after]}s."
+        return render_error(message: message, status: :too_many_requests, code: "rate_limited") if respond_to?(:render_error)
+
+        render json: { success: false, error: { message: message, code: "rate_limited" } }, status: :too_many_requests
+      end
+
+      private
+
+      def throttle_rule_applies?(rule)
+        action = throttle_action_name
+        return rule[:only].include?(action) if rule[:only]
+        return !rule[:except].include?(action) if rule[:except]
+
+        true
+      end
+
+      def register_throttle_hit(rule)
+        store = throttle_store!
+        now = Time.now.to_i
+        window = now / rule[:period]
+        reset_at = (window + 1) * rule[:period]
+        key = "throttleable:#{rule[:name]}:#{throttle_discriminator(rule)}:#{window}"
+
+        # Atomic increment-with-expiry. Some stores return nil on the first
+        # increment of a missing key — seed it to 1 in that case.
+        count = store.increment(key, 1, expires_in: rule[:period])
+        count ||= seed_throttle_key(store, key, rule[:period])
+
+        { count: count.to_i, reset_at: reset_at, retry_after: [reset_at - now, 0].max }
+      end
+
+      def seed_throttle_key(store, key, period)
+        store.write(key, 1, expires_in: period) if store.respond_to?(:write)
+        1
+      end
+
+      def throttle_discriminator(rule)
+        instance_exec(&rule[:by])
+      end
+
+      def emit_throttle_headers(rule, result)
+        return unless respond_to?(:response) && response
+
+        remaining = [rule[:limit] - result[:count], 0].max
+        response.set_header("X-RateLimit-Limit", rule[:limit].to_s)
+        response.set_header("X-RateLimit-Remaining", remaining.to_s)
+        response.set_header("X-RateLimit-Reset", result[:reset_at].to_s)
+        response.set_header("Retry-After", result[:retry_after].to_s) if result[:count] > rule[:limit]
+      end
+
+      def throttle_store!
+        store = self.class.throttleable_store
+        return store if store
+
+        raise ArgumentError,
+              "ConcernsOnRails::Controllers::Throttleable: no store configured. " \
+              "Set `self.throttleable_store = Rails.cache` (must support atomic #increment)."
+      end
+
+      def throttle_action_name
+        respond_to?(:action_name) ? action_name.to_s : nil
+      end
+    end
+  end
+end

data/lib/concerns_on_rails/controllers/timezoneable.rb

@@ -0,0 +1,129 @@
+require "active_support/concern"
+
+module ConcernsOnRails
+  module Controllers
+    # Per-request `Time.zone` selection from the request params, the `Time-Zone`
+    # header, and/or a cookie, wrapped in an `around_action` so `Time.zone` is set
+    # for the action and restored afterwards. The time analogue of Localizable
+    # (which does the same for `I18n.locale`). Dependency-free.
+    #
+    #   class ApplicationController < ActionController::Base
+    #     include ConcernsOnRails::Controllers::Timezoneable
+    #
+    #     timezoneable available: ["UTC", "Eastern Time (US & Canada)"], default: "UTC"
+    #     # timezoneable param: :tz, header: false, cookie: :time_zone
+    #   end
+    #
+    # Resolution order: `params[param]` → `Time-Zone` header → cookie (if enabled)
+    # → `default` → the current `Time.zone`. Every value — the configured
+    # `available:`/`default:` AND each request candidate — is resolved through
+    # `ActiveSupport::TimeZone[...]`, so a zone accepted at boot can never be
+    # rejected at request time.
+    #
+    # Options: `available:` (allow-list applied to param/header/cookie matching;
+    # `default:` bypasses it, mirroring Localizable), `default:`, `param:`
+    # (default `:time_zone`), `header:` (default `true`), `cookie:` (default
+    # `false`; `true` reads the `:time_zone` cookie, or pass a cookie name).
+    module Timezoneable
+      extend ActiveSupport::Concern
+
+      included do
+        class_attribute :timezoneable_options, instance_accessor: false, default: {}
+        around_action :switch_time_zone
+      end
+
+      module ClassMethods
+        def timezoneable(available: nil, default: nil, param: :time_zone, header: true, cookie: false)
+          self.timezoneable_options = {
+            available: validate_time_zones(available),
+            default: validate_time_zone(default),
+            param: param&.to_sym,
+            header: header,
+            cookie: cookie == true ? :time_zone : cookie.presence
+          }
+        end
+
+        private
+
+        def validate_time_zones(zones)
+          return nil if zones.nil?
+
+          Array(zones).map { |zone| validate_time_zone(zone) }
+        end
+
+        # Resolve a single configured zone to an ActiveSupport::TimeZone at boot,
+        # raising on an unknown name so misconfiguration fails fast.
+        def validate_time_zone(zone)
+          return nil if zone.nil?
+
+          ActiveSupport::TimeZone[zone] ||
+            raise(ArgumentError, "ConcernsOnRails::Controllers::Timezoneable: unknown time zone '#{zone}'")
+        end
+      end
+
+      # Public so subclasses can override; runs the action under the resolved
+      # zone. UNGUARDED on purpose — it touches `Time` globally, not the response
+      # (mirrors Localizable#switch_locale).
+      def switch_time_zone(&)
+        Time.use_zone(resolved_time_zone, &)
+      end
+
+      # The ActiveSupport::TimeZone chosen for this request — always one `Time`
+      # can switch to (falls back to the current `Time.zone`).
+      def resolved_time_zone
+        opts = self.class.timezoneable_options
+        allowed = opts[:available]
+        candidate = zone_from_param(opts, allowed) ||
+                    zone_from_header(opts, allowed) ||
+                    zone_from_cookie(opts, allowed) ||
+                    opts[:default]
+
+        resolve_zone(candidate) || Time.zone
+      end
+
+      private
+
+      # Match a raw source value against the allow-list (when present), returning
+      # the resolved TimeZone or nil so the resolution chain falls through.
+      def match_zone(raw, allowed)
+        return nil if raw.blank?
+
+        zone = ActiveSupport::TimeZone[raw.to_s]
+        return nil unless zone
+        return nil if allowed&.none? { |z| z.name == zone.name }
+
+        zone
+      end
+
+      # Final coercion: `default` is already a TimeZone; the Time.zone fallback is
+      # handled by the caller.
+      def resolve_zone(candidate)
+        return nil if candidate.blank?
+        return candidate if candidate.is_a?(ActiveSupport::TimeZone)
+
+        ActiveSupport::TimeZone[candidate.to_s]
+      end
+
+      def zone_from_param(opts, allowed)
+        return nil unless opts[:param] && respond_to?(:params) && params
+
+        match_zone(params[opts[:param]], allowed)
+      end
+
+      def zone_from_header(opts, allowed)
+        return nil unless opts[:header] && respond_to?(:request)
+
+        req = request
+        header = req.respond_to?(:headers) ? req.headers["Time-Zone"] : nil
+        match_zone(header, allowed)
+      end
+
+      def zone_from_cookie(opts, allowed)
+        key = opts[:cookie]
+        return nil unless key && respond_to?(:cookies) && cookies
+
+        match_zone(cookies[key], allowed)
+      end
+    end
+  end
+end

data/lib/concerns_on_rails/version.rb

@@ -1,3 +1,3 @@
 module ConcernsOnRails
-  VERSION = "1.13.0".freeze
+  VERSION = "1.14.0".freeze
 end

data/lib/concerns_on_rails.rb

@@ -45,6 +45,9 @@ require "concerns_on_rails/controllers/error_handleable"
 require "concerns_on_rails/controllers/includable"
 require "concerns_on_rails/controllers/secure_headable"
 require "concerns_on_rails/controllers/localizable"
+require "concerns_on_rails/controllers/authorizable"
+require "concerns_on_rails/controllers/throttleable"
+require "concerns_on_rails/controllers/timezoneable"
 
 # Backwards compatibility (top-level aliases for pre-1.6 module paths)
 require "concerns_on_rails/legacy_aliases"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: concerns_on_rails
 version: !ruby/object:Gem::Version
-  version: 1.13.0
+  version: 1.14.0
 platform: ruby
 authors:
 - Ethan Nguyen
@@ -70,6 +70,7 @@ files:
 - CODE_OF_CONDUCT.md
 - README.md
 - lib/concerns_on_rails.rb
+- lib/concerns_on_rails/controllers/authorizable.rb
 - lib/concerns_on_rails/controllers/error_handleable.rb
 - lib/concerns_on_rails/controllers/filterable.rb
 - lib/concerns_on_rails/controllers/includable.rb
@@ -78,6 +79,8 @@ files:
 - lib/concerns_on_rails/controllers/respondable.rb
 - lib/concerns_on_rails/controllers/secure_headable.rb
 - lib/concerns_on_rails/controllers/sortable.rb
+- lib/concerns_on_rails/controllers/throttleable.rb
+- lib/concerns_on_rails/controllers/timezoneable.rb
 - lib/concerns_on_rails/legacy_aliases.rb
 - lib/concerns_on_rails/models/activatable.rb
 - lib/concerns_on_rails/models/addressable.rb