consent 0.6.0 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5f54a2338cba28ba0e887ec44e7e43f9aae2209d4b1017638eaf4334564eae2c
-  data.tar.gz: 2dc433ca07b4615fc56a344d32c3b6adfc5267420419d6d1fd201040ee9bdb31
+  metadata.gz: 66e7e1705d61760713253718eabda896ffa49f25ea6e1a9a6c4fc1a188730cfb
+  data.tar.gz: 4dc120c6f1e89a3cb612a62cf9fdbac565e51b9fabe9d04a68c64c3d9a8fd193
 SHA512:
-  metadata.gz: e1ddfc63c31df91ccac74ada8806408353e81f2626d0592dcb954f34c3ffd03aacde585c0f625d9534cd749b2999deebb05860cd2cc3be34ba9b40c2a8645ac4
-  data.tar.gz: 5389891aeef0e65d3752ada1c647c9e0dc1c60debb67fc22019f067dbeb4a4b0c5ac07ab14d0fb760680818c38beab6e4fb4c225f5d07639945b9377cf2dd0bd
+  metadata.gz: 9ca74d2788b689711966b38e11ce4b857009064d1fce59c2b5335adc437c1b20a9298acb61a0e71cf3aac2eef1f13f6b8b06570014938ef757374b6a4f98b9c4
+  data.tar.gz: 9d4e6cf5d18d0671c9aade10a33933cc93b0cb704c623d6705332de55a1a02b3952b01fdee9d357a1c0ba9f37d570910ac1fe54614087cd88c94d3d890b5761d

data/.gitignore

@@ -7,3 +7,4 @@
 /pkg/
 /spec/reports/
 /tmp/
+/consent-*.gem

data/.travis.yml

@@ -1,8 +1,10 @@
 sudo: false
 language: ruby
 rvm:
-- 2.2.2
-- 2.5.0
+- 2.5.8
+- 2.6.6
+- 2.7.2
+- 3.0.0
 before_install: gem install bundler -v 1.17.3
 script:
   - bundle exec rubocop
@@ -15,4 +17,4 @@ deploy:
   on:
     tags: true
     repo: powerhome/consent
-    ruby: 2.5.0
+    ruby: 2.6.6

data/README.md

@@ -18,21 +18,21 @@ Or install it yourself as:
 
 ## What is Consent
 
-Consent makes defining permissions easier by providing a clean, concise DSL for authorization so that all abilities do not have to be in your `Ability`
+Consent makes defining permissions easier by providing a clean, concise DSL for authorization
+so that all abilities do not have to be in your `Ability`
 class.
 
-Consent takes application permissions and models them so that permissions are organized and can be defined granularly. It does so using the
-following models:
+Consent takes application permissions and models them so that permissions are organized and can
+be defined granularly. It does so using the following models:
 
 * View: A collection of objects limited by a given condition.
 * Action: An action performed on top of the objects limited by the view. For example, one user could only `:view` something, while another could `:manage` it.
 * Subject: Holds the scope of the actions.
-* Permission: What is given to the user. Combines a subject, an action and
-a view.
+* Permission: The combination of a subject, an action, and a view (or full-access).
 
 ## What Consent Is Not
 
-Consent isn't a tool to enforce permissions -- it is intended to be used with CanCanCan and is only to make permissions more easily readable and definable.
+Consent isn't a tool to enforce permissions -- it supports CanCan(Can) for that goal.
 
 ## Subject
 
@@ -50,7 +50,8 @@ Consent.define Project, 'Our Projects' do
 end
 ```
 
-The scope is the action that's being performed on the subject. It can be anything, but will typically be an ActiveRecord class, a `:symbol`, or a PORO.
+The scope is the action that's being performed on the subject. It can be anything, but will
+typically be an ActiveRecord class, a `:symbol`, or a PORO.
 
 For instance:
 
@@ -62,16 +63,15 @@ end
 
 ## Views
 
-Views are the rules that limit the access to actions. For instance,
-a user may see a `Project` from his department, but not from others. That rule
-could be enforced with a `:department` view, defined like this:
+Views are the rules that limit access to actions. For instance, a user may see a `Project`
+from his department, but not from others. You can enforce it with a `:department` view,
+as in the examples below:
 
 ### Hash Conditions
 
-This is probably the most commonly used and is useful, for example,
-when the view can be defined using a where condition in an ActiveRecord context.
-It follows a match condition and will return all objects that meet the criteria
-and is based off a boolean:
+Probably the most commonly used. When the view can be defined using a `where` scope in
+an ActiveRecord context. It follows a match condition and will return all objects that meet
+the criteria:
 
 ```ruby
 Consent.define Project, 'Projects' do
@@ -81,22 +81,21 @@ Consent.define Project, 'Projects' do
 end
 ```
 
-Although hash conditions (matching object's attributes) are recommended,
-the constraints can be anything you want. Since Consent does not enforce the
-rules, those rules are directly given to CanCan. Following [CanCan rules](https://github.com/CanCanCommunity/cancancan/wiki/Defining-Abilities%3A-Best-Practice)
+Although hash conditions (matching object's attributes) are recommended, the constraints can
+be anything you want. Since Consent does not enforce the rules, those rules are directly given
+to CanCan. Following [CanCan rules](https://github.com/CanCanCommunity/cancancan/wiki/Defining-Abilities%3A-Best-Practice)
 for defining abilities is recommended.
 
 ### Object Conditions
 
-If you're not matching for equal values, then you would need to use an object
-condition, which matches data based off a range.
+If you're not matching for equal values, then you would need to use an object condition.
 
-If you already have an object and want to check to see whether the user has
-permission to view that specific object, you would use object conditions.
+If you already have an object and want to check to see whether the user has permission to view
+that specific object, you would use object conditions.
 
-If your needs can't be satisfied by hash conditions, it is recommended that a
-second condition is given for constraining object instances. For example, if you
-want to restrict a view for smaller volume projects:
+If your needs can't be satisfied by hash conditions, it is recommended that a second condition
+is given for constraining object instances. For example, if you want to restrict a view for smaller
+volume projects:
 
 ```ruby
 Consent.define Project, 'Projects' do
@@ -111,7 +110,7 @@ end
 ```
 
 For object conditions, the latter argument will be the referred object, while the
-former will be the context given to the [Permission](#permission) (also check
+first will be the context given to the [Permission](#permission) (also check
 [CanCan integration](#cancan-integration)).
 
 ## Action
@@ -161,73 +160,81 @@ end
 
 ## Permission
 
-A permission is what is consented to the user. It is the *permission* to perform
+A permission is what is consented to the user. It consentment to perform
 an *action* on a limited *view* of the *subject*. It marries the three concepts
 to consent an access to the user.
 
-A permission is not specified by the user, it is calculated from a permissions
-hash owned by a `User`, or a `Role` on an application.
+## CanCan Integration
 
-The permissions hash looks like the following:
+Consent provides a CanCan ability (Consent::Ability) to integrate your
+permissions with frameworks like Rails. To use it with Rails check out the
+example at [Ability for Other Users](https://github.com/CanCanCommunity/cancancan/wiki/Ability-for-Other-Users)
+on CanCanCan's wiki.
+
+In the ability you define the scope of the permissions. This is typically a
+user:
 
 ```ruby
-{
-  project: {
-    read: 'department',
-    approve: 'small_volumes'
-  }
-}
+Consent::Ability.new(user)
 ```
 
-In other words:
+You'd more commonly define a subclass of `Consent::Ability`, and consent access
+to the user by calling `consent`:
 
 ```ruby
-{
-  <subject>: {
-    <action>: <view>
-  }
-}
+class MyAbility < Consent::Ability
+  def initialize(user)
+    super user
+
+    consent :read, Project, :department
+  end
+end
 ```
 
-### Full Access
+You can also consent full access by not specifying the view:
 
-Full (unrestricted by views) access is granted when view is `'1'`, `true` or
-`'true'`. For instance:
+```ruby
+  consent :read, Project
+```
 
-In other words:
+If you have a somehow manageable permission, you can consent them in batch in your ability:
 
 ```ruby
-{
-  projects: {
-    approve: true
-  }
-}
+class MyAbility < Consent::Ability
+  def initialize(user)
+    super user
+
+    user.permissions.each do |permission|
+      consent permission.action, permission.subject, permission.view
+    end
+  end
+end
 ```
 
-## CanCan Integration
+Consenting the same permission multiple times is handled as a Union by CanCanCan:
 
-Consent provides a CanCan ability (Consent::Ability) to integrate your
-permissions with frameworks like Rails. To use it with Rails check out the
-example at [Ability for Other Users](https://github.com/CanCanCommunity/cancancan/wiki/Ability-for-Other-Users)
-on CanCanCan's wiki.
+```ruby
+class MyAbility < Consent::Ability
+  def initialize(user)
+    super user
 
-In the ability you define the scope of the permissions. This is typically an
-user:
+    consent :read, Project, :department
+    consent :read, Project, :future_projects
+  end
+end
 
-```ruby
-Consent::Ability.new(user.permissions, user)
-```
+user = User.new(department_id: 13)
+ability = MyAbility.new(user)
 
-The first parameter given to the ability is the permissions hash, seen at
-[Permission](#permission). The following parameters are the permission context.
-These parameters are given directly to the condition blocks defined by the views
-in the exact same order, so it's up to you to define what your context is.
+Project.accessible_by(ability, :read).to_sql
+=> SELECT * FROM projects WHERE ((department_id = 13) OR (starts_at > '2021-04-06'))
+```
 
 ## Rails Integration
 
 Consent is integrated into Rails with `Consent::Railtie`. To define where
 your permission files will be, use `config.consent.path`. This defaults to
-`app/permissions/` to conform to Rails' standards.
+`#{Rails.root}/app/permissions/` to conform to Rails' standards.
 
 ## Development
 

data/consent.gemspec

@@ -20,10 +20,9 @@ Gem::Specification.new do |spec|
   end
   spec.require_paths = ['lib']
 
-  spec.add_development_dependency 'activesupport', '>= 4.1.11'
   spec.add_development_dependency 'bundler', '>= 1.17.3'
   spec.add_development_dependency 'cancancan', '~> 1.15.0'
-  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rake', '>= 12.3.3'
   spec.add_development_dependency 'rspec', '~> 3.0'
   spec.add_development_dependency 'rubocop', '~> 0.65.0'
 end

data/lib/consent.rb

@@ -6,7 +6,6 @@ require 'consent/view'
 require 'consent/action'
 require 'consent/dsl'
 require 'consent/permission'
-require 'consent/permissions'
 require 'consent/ability' if defined?(CanCan)
 require 'consent/railtie' if defined?(Rails)
 
@@ -14,8 +13,6 @@ require 'consent/railtie' if defined?(Rails)
 # concise DSL for authorization so that all abilities do not have
 # to be in your `Ability` class.
 module Consent
-  FULL_ACCESS = %w[1 true].freeze
-
   # Default views available to every permission
   #
   # i.e.:

data/lib/consent/ability.rb

@@ -5,11 +5,35 @@ module Consent
   class Ability
     include CanCan::Ability
 
-    def initialize(permissions, *args)
-      Consent.permissions(permissions).each do |permission|
-        conditions = permission.conditions(*args)
-        ocond = permission.object_conditions(*args)
-        can permission.action_key, permission.subject_key, conditions, &ocond
+    def initialize(*args, apply_defaults: true)
+      @context = *args
+      apply_defaults! if apply_defaults
+    end
+
+    def consent(permission: nil, subject: nil, action: nil, view: nil)
+      permission ||= Permission.new(subject, action, view)
+      return unless permission.valid?
+
+      can(
+        permission.action_key, permission.subject_key,
+        permission.conditions(*@context),
+        &permission.object_conditions(*@context)
+      )
+    end
+
+    private
+
+    def apply_defaults!
+      Consent.subjects.each do |subject|
+        subject.actions.each do |action|
+          next unless action.default_view
+
+          consent(
+            subject: subject.key,
+            action: action.key,
+            view: action.default_view
+          )
+        end
       end
     end
   end

data/lib/consent/permission.rb

@@ -2,34 +2,29 @@
 
 module Consent
   class Permission # :nodoc:
-    def initialize(subject, action, view = nil)
-      @subject = subject
-      @action = action
-      @view = view
-    end
+    attr_reader :subject_key, :action_key, :view_key, :view
 
-    def subject_key
-      @subject.key
+    def initialize(subject_key, action_key, view_key = nil)
+      @subject_key = subject_key
+      @action_key = action_key
+      @view_key = view_key
+      @view = Consent.find_view(subject_key, view_key) if view_key
     end
 
-    def action_key
-      @action.key
+    def action
+      @action ||= Consent.find_action(subject_key, action_key)
     end
 
-    # Disables Sytle/SafeNavigation to keep this code
-    # compatible with ruby < 2.3
-    # rubocop:disable Style/SafeNavigation
-    def view_key
-      @view && @view.key
+    def valid?
+      action && (@view_key.nil? == @view.nil?)
     end
 
     def conditions(*args)
-      @view && @view.conditions(*args)
+      @view.nil? ? nil : @view.conditions(*args)
     end
 
     def object_conditions(*args)
-      @view && @view.object_conditions(*args)
+      @view.nil? ? nil : @view.object_conditions(*args)
     end
-    # rubocop:enable Style/SafeNavigation
   end
 end

data/lib/consent/subject.rb

@@ -10,14 +10,5 @@ module Consent
       @actions = []
       @views = Consent.default_views.clone
     end
-
-    def permission_key
-      ActiveSupport::Inflector.underscore(@key.to_s).to_sym
-    end
-
-    def view_for(action, key)
-      view = @views.keys & action.view_keys & [key]
-      @views[view.first] || @views[action.default_view]
-    end
   end
 end

data/lib/consent/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Consent
-  VERSION = '0.6.0'
+  VERSION = '1.0.0'
 end

data/renovate.json

@@ -0,0 +1,5 @@
+{
+  "extends": [
+    "config:base"
+  ]
+}

metadata

@@ -1,29 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: consent
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 1.0.0
 platform: ruby
 authors:
 - Carlos Palhares
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-12-22 00:00:00.000000000 Z
+date: 2021-04-22 00:00:00.000000000 Z
 dependencies:
-- !ruby/object:Gem::Dependency
-  name: activesupport
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 4.1.11
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 4.1.11
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -56,16 +42,16 @@ dependencies:
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -120,7 +106,6 @@ files:
 - lib/consent/action.rb
 - lib/consent/dsl.rb
 - lib/consent/permission.rb
-- lib/consent/permissions.rb
 - lib/consent/railtie.rb
 - lib/consent/reloader.rb
 - lib/consent/rspec.rb
@@ -130,6 +115,7 @@ files:
 - lib/generators/consent/permissions_generator.rb
 - lib/generators/consent/templates/permissions.rb.erb
 - lib/generators/consent/templates/permissions_spec.rb.erb
+- renovate.json
 homepage: 
 licenses:
 - MIT
@@ -149,8 +135,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.3
+rubygems_version: 3.0.8
 signing_key: 
 specification_version: 4
 summary: Consent

data/lib/consent/permissions.rb

@@ -1,41 +0,0 @@
-# frozen_string_literal: true
-
-module Consent
-  class Permissions # :nodoc:
-    include Enumerable
-
-    def initialize(permissions)
-      @permissions = permissions
-    end
-
-    def each(&block)
-      Consent.subjects.each do |subject|
-        subject.actions.map do |action|
-          map_permission subject, action
-        end.compact.each(&block)
-      end
-    end
-
-    private
-
-    def map_permission(subject, action)
-      subject_key = subject.permission_key
-      actions = @permissions[subject_key] || @permissions[subject_key.to_s]
-      view = actions && (actions[action.key] || actions[action.key.to_s])
-      full(subject, action, view) || partial(subject, action, view)
-    end
-
-    def full(subject, action, view_key)
-      return unless Consent::FULL_ACCESS.include?(view_key.to_s.strip)
-
-      Permission.new(subject, action)
-    end
-
-    def partial(subject, action, view_key)
-      view = subject.view_for(action, view_key.to_s.to_sym)
-      return if view.nil?
-
-      Permission.new(subject, action, view)
-    end
-  end
-end