critic 0.2.2 → 0.2.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4094e59ee71c2769e9e05d891dc36e4a95dd8aa2
-  data.tar.gz: 24336a0cf53571ea45cccd651f49fda0758d2e68
+  metadata.gz: 1f826726f9d8ac8cc997b05fdbc56a8ccc1b5a60
+  data.tar.gz: 18a60cef6bfc4fbb47b9e0abd600663caae9b8cc
 SHA512:
-  metadata.gz: ff851589a932c9e65322d6df6625d35a3148226d330842765262d70770b43c93493932ab70471094a819149be7017c42aaa61c74fd39e39006ecdfce11768a39
-  data.tar.gz: 201e017b6fe055d0779ab2cf09714082660266264cdb95614cc58fc1668199df9ed3ebefec0ade24197bedc2e66dee6aa12ddd8a08ef6b3f9e9aa344dc36ca81
+  metadata.gz: 4990660d3ea2c6e66d97c27fe5cd5f2014da4ef206783cc4b0203eb07454c9b94d0c4838797465ea9dab0b6a9f4b31469853b9752ba5efa348e41791edc32758
+  data.tar.gz: 9167566dd54f8224645edcc09925466f39b35d5c5d9e3cb0a6a5771d2813a931af24067fd4c448a9dfe9b237eaf442169d4cb87e39ba55ded176c3579c66623b

data/.travis.yml

@@ -1,5 +1,8 @@
 language: ruby
 sudo: false
+before_install:
+  - gem install -v 1.13.6 bundler --no-document
+  - gem install -v 1.17.3 bundler --no-document
 cache:
   - bundler
 rvm:
@@ -10,6 +13,7 @@ script:
 notifications:
   email: false
 gemfile:
+  - gemfiles/activesupport_5_2.gemfile
   - gemfiles/activesupport_5.gemfile
   - gemfiles/activesupport_4.gemfile
   - gemfiles/activesupport_3.gemfile

data/CHANGELOG.md

@@ -1,6 +1,23 @@
-# Change Log
+# Changelog
+
+## [Unreleased](https://github.com/lanej/critic/tree/HEAD)
+
+[Full Changelog](https://github.com/lanej/critic/compare/v0.2.2...HEAD)
+
+**Merged pull requests:**
+
+- Fix for ActiveSupport 5.2 [\#5](https://github.com/lanej/critic/pull/5) ([akappen](https://github.com/akappen))
+
+## [v0.2.2](https://github.com/lanej/critic/tree/v0.2.2) (2017-01-04)
+
+[Full Changelog](https://github.com/lanej/critic/compare/v0.2.1...v0.2.2)
+
+**Merged pull requests:**
+
+- Fix ActiveRecord 5 support [\#4](https://github.com/lanej/critic/pull/4) ([lanej](https://github.com/lanej))
 
 ## [v0.2.1](https://github.com/lanej/critic/tree/v0.2.1) (2016-12-28)
+
 [Full Changelog](https://github.com/lanej/critic/compare/v0.2.0...v0.2.1)
 
 **Merged pull requests:**
@@ -9,6 +26,7 @@
 - add MIT license [\#2](https://github.com/lanej/critic/pull/2) ([thommahoney](https://github.com/thommahoney))
 
 ## [v0.2.0](https://github.com/lanej/critic/tree/v0.2.0) (2016-06-22)
+
 [Full Changelog](https://github.com/lanej/critic/compare/v0.1.1...v0.2.0)
 
 **Merged pull requests:**
@@ -17,5 +35,8 @@
 
 ## [v0.1.1](https://github.com/lanej/critic/tree/v0.1.1) (2016-06-07)
 
+[Full Changelog](https://github.com/lanej/critic/compare/d8ca29b513cae27a858aec24862372aa1fa02bd5...v0.1.1)
+
+
 
-\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*
+\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)*

data/LICENSE.txt

@@ -1,7 +1,21 @@
-Copyright (c) 2016 Joshua Lane
+MIT License
 
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+Copyright (c) 2017 Josh Lane
 
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -36,6 +36,27 @@ There are two types of methods:
 * *action* - determines if subject is authorized to perform a specific operation on the resource
 * *scope* - returns a list of resources available to the subject
 
+The default scope is `index` but it can be overridden by specifying `.scope`.
+
+```ruby
+# app/policies/post_policy.rb
+class PostPolicy
+  include Critic::Policy
+
+  # set default scope
+  self.scope = :author_index
+
+  # now default scope
+  def author_index
+    resource.where(author_id: subject.id)
+  end
+
+  # no longer the default scope
+  def index
+    resource.order(:created_at)
+  end
+end
+```
 
 #### Actions
 
@@ -47,7 +68,8 @@ class PostPolicy
   include Critic::Policy
 
   def update?
-    !resource.locked
+    !resource.locked? &&
+      resource.published_at.present?
   end
 end
 ```
@@ -64,6 +86,76 @@ PostPolicy.authorize(:update?, User.new, Post.new(false)).granted? #=> true
 PostPolicy.authorize(:update?, User.new, Post.new(true)).granted? #=> false
 ```
 
+#### Authorization Result
+
+Returning a String from your action is interpreted as a failure.  The String is added to the messages of the authorization.
+
+```ruby
+Post = Struct.new(:author_id)
+User = Struct.new(:id)
+
+class PostPolicy
+  include Critic::Policy
+
+  def destroy?
+    return true if resource.author_id == subject.id
+    "Cannot destroy Post: This post is authored by #{resource.author_id}"
+  end
+end
+
+authorization = PostPolicy.authorize(destroy?, User.new(1), Post.new(2))
+authorization.granted? #=> false
+authorization.messages #=> ["Cannot destroy Post: This post is authored by 2"']
+```
+
+`halt` can be used to indicate early failure.  The argument provided to `halt` becomes the result of the authorization.
+
+```ruby
+Post = Struct.new(:author_id)
+User = Struct.new(:id)
+
+class PostPolicy
+  include Critic::Policy
+
+  def destroy?
+    if resource.author_id != subject.id
+      halt "Cannot destroy Post: This post is authored by #{resource.author_id}"
+    end
+    true
+  end
+end
+
+authorization = PostPolicy.authorize(destroy?, User.new(1), Post.new(2))
+authorization.granted? #=> false
+authorization.messages #=> ["Cannot destroy Post: This post is authored by 2"']
+```
+
+`halt(true)` indicates immediate success.
+
+```ruby
+Post = Struct.new(:author_id)
+User = Struct.new(:id)
+
+class PostPolicy
+  include Critic::Policy
+
+  def destroy?
+    check_ownership
+    false
+  end
+
+  private
+
+  def check_ownership
+    halt(true) if resource.author_id == subject.id
+  end
+end
+
+authorization = PostPolicy.authorize(destroy?, User.new(1), Post.new(2))
+authorization.granted? #=> false
+authorization.messages #=> ["Cannot destroy Post: This post is authored by 2"']
+```
+
 #### Scopes
 
 Scopes treat `resource` as a starting point and return a restricted set of associated resources.  Policies can have any number of scopes.  The default scope is `#index`.
@@ -79,6 +171,17 @@ class PostPolicy
 end
 ```
 
+Verify authorization using `#authorize`.
+
+```ruby
+Post = Class.new(ActiveRecord::Base)
+User = Struct.new
+
+authorization = PostPolicy.authorize(index, User.new, Post.new(false))
+authorization.granted? #=> true
+authorization.result #=> <#ActiveRecord::Relation..>
+```
+
 #### Convention
 
 It can be a useful convention to add a `?` suffix to your action methods.  This allows a clear separation between actions and scopes.  All other methods should be `protected`, similar to Rails controller.
@@ -90,12 +193,12 @@ class PostPolicy
 
   # default scope
   def index
-    Post.where(published: true)
+    resource.where(published: true)
   end
 
   # custom scope
   def author_index
-    Post.where(author_id: subject.id)
+    resource.where(author_id: subject.id)
   end
 
   # action
@@ -117,6 +220,8 @@ end
 
 Controllers are the primary consumer of policies.  Controllers ask the policy if an authenticated subject is authorized to perform a specific action on a specific resource.
 
+#### Actions
+
 In Rails, the policy action is inferred from `params[:action]` which corresponds to the controller action method name.
 
 When `authorize` fails, a `Critic::AuthorizationDenied` exception is raised with reference to the performed authorization.
@@ -150,7 +255,7 @@ class PostController < Sinatra::Base
   error Critic::AuthorizationDenied do |exception|
     messages = exception.authorization.messages || exception.message
 
-    body {errors: [messages]}
+    body {errors: [*messages]}
     halt 403
   end
 
@@ -161,8 +266,103 @@ class PostController < Sinatra::Base
     post.to_json
   end
 end
+```
+
+##### Gentle
 
+Calling `authorized?` returns `true` or `false` instead of raising an exception.
 
+```ruby
+# app/controllers/post_controller.rb
+class PostController < Sinatra::Base
+  include Critic::Controller
+
+  put '/posts/:id' do |id|
+    post = Post.find(id)
+
+    halt(403) unless authorized?(post, :update)
+
+    post.to_json
+  end
+end
+```
+
+##### Verify authorization
+
+`verify_authorized` enforces that the request was authorized before the response is returned.  A `Critic::AuthorizationMissing` error is raised in this case.  A request is authorized if `authorized?`, `authorize` or `authorizing!` is called before the response is returned.
+
+```ruby
+# app/controllers/post_controller.rb
+class PostController < Sinatra::Base
+  include Critic::Controller
+
+  verify_authorized
+
+  error Critic::AuthorizationMissing do |exception|
+    # notify developers that something has gone horribly wrong
+    halt 503
+  end
+
+  put '/posts/:id' do |id|
+    post = Post.find(id)
+
+    post.to_json
+  end
+end
+```
+
+This check can be artificially skipped calling `authorizing!`.
+
+```ruby
+# app/controllers/invitation_controller.rb
+class InvitationController < Sinatra::Base
+  include Critic::Controller
+
+  verify_authorized
+
+  post '/invitation/accept/code' do |code|
+    invitation = Invitiation.find_by(code: code)
+
+    invitation.accept!
+    authorizing! # Skip authorization check
+
+    redirect '/'
+  end
+end
+```
+
+#### Scopes
+
+Use `authorize_scope` and provide the base scope.  The return value is the result.
+
+```ruby
+# app/controllers/post_controller.rb
+class PostController < Sinatra::Base
+  include Critic::Controller
+
+  get '/customers/:customer_id/posts' do |customer_id|
+    posts =
+      authorize_scope(Post.where(customer_id: customer_id))
+
+    posts.to_json
+  end
+end
+```
+
+Custom indexes can be used by passing an `action` parameter.
+
+```ruby
+# app/controllers/post_controller.rb
+class PostController < Sinatra::Base
+  include Critic::Controller
+
+  get '/posts' d
+    posts =
+      authorize_scope(Post, action: :custom_index)
+
+    posts.to_json
+  end
+end
 ```
 
 #### Custom subject

data/gemfiles/activesupport_5_2.gemfile

@@ -0,0 +1,13 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "activesupport", "~> 5.2"
+gem "appraisal", "~> 2.1"
+gem "rubocop", "~> 0.46.0", :require => false
+
+group :test do
+  gem "pry-nav"
+end
+
+gemspec :path => "../"

data/gemfiles/activesupport_5_2.gemfile.lock

@@ -0,0 +1,78 @@
+PATH
+  remote: ..
+  specs:
+    critic (0.2.2)
+      activesupport (> 3.0, < 6.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activesupport (5.2.4.3)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    appraisal (2.2.0)
+      bundler
+      rake
+      thor (>= 0.14.0)
+    ast (2.4.0)
+    coderay (1.1.2)
+    concurrent-ruby (1.1.6)
+    diff-lcs (1.3)
+    i18n (1.8.2)
+      concurrent-ruby (~> 1.0)
+    method_source (0.9.2)
+    minitest (5.14.1)
+    parser (2.7.1.2)
+      ast (~> 2.4.0)
+    powerpack (0.1.2)
+    pry (0.12.2)
+      coderay (~> 1.1.0)
+      method_source (~> 0.9.0)
+    pry-nav (0.3.0)
+      pry (>= 0.9.10, < 0.13.0)
+    rainbow (2.2.2)
+      rake
+    rake (10.5.0)
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-core (3.9.2)
+      rspec-support (~> 3.9.3)
+    rspec-expectations (3.9.2)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-support (3.9.3)
+    rubocop (0.46.0)
+      parser (>= 2.3.1.1, < 3.0)
+      powerpack (~> 0.1)
+      rainbow (>= 1.99.1, < 3.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (~> 1.0, >= 1.0.1)
+    ruby-progressbar (1.10.1)
+    thor (1.0.1)
+    thread_safe (0.3.6)
+    tzinfo (1.2.7)
+      thread_safe (~> 0.1)
+    unicode-display_width (1.7.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  activesupport (~> 5.2)
+  appraisal (~> 2.1)
+  bundler (~> 1.10)
+  critic!
+  pry-nav
+  rake (~> 10.0)
+  rspec (~> 3.4)
+  rubocop (~> 0.46.0)
+
+BUNDLED WITH
+   1.17.3

data/lib/critic/callbacks.rb

@@ -66,8 +66,12 @@ module Critic::Callbacks
       from = options[from]
       return unless from
 
-      from = Array(from).map { |o| "authorization.action.to_s == '#{o}'" }
-      options[to] = Array(options[to]).unshift(from).join(' || ')
+      actions = Array(options[to]) + Array(from)
+      options[to] = lambda {
+        actions.any? { |action|
+          authorization.action.to_s == action.to_s
+        }
+      }
     end
 
     # Skip before, after, and around action callbacks matching any of the names.

data/lib/critic/version.rb

@@ -1,4 +1,4 @@
 # frozen_string_literal: true
 module Critic
-  VERSION = '0.2.2'
+  VERSION = '0.2.3'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: critic
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.2.3
 platform: ruby
 authors:
 - Josh Lane
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-01-04 00:00:00.000000000 Z
+date: 2020-05-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -100,6 +100,8 @@ files:
 - gemfiles/activesupport_4.gemfile.lock
 - gemfiles/activesupport_5.gemfile
 - gemfiles/activesupport_5.gemfile.lock
+- gemfiles/activesupport_5_2.gemfile
+- gemfiles/activesupport_5_2.gemfile.lock
 - lib/critic.rb
 - lib/critic/authorization.rb
 - lib/critic/authorization_denied.rb
@@ -127,7 +129,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.2
+rubygems_version: 2.5.2.3
 signing_key: 
 specification_version: 4
 summary: Resource authorization