databound 1.0.2 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 75628544c55d555443270f18bec2d723e5247dd9
-  data.tar.gz: e2ba0d164beae08f7ecffb6700676f3be5130539
+  metadata.gz: cba051b706bde49ff4b03cb1bd19bc6eefe5e80d
+  data.tar.gz: 242d8947ae63c6dc7493bece2f5bcaca287109f3
 SHA512:
-  metadata.gz: a0c9d33f8bc9b6b7cbf0ceb3f1bd8e6a63845e7ed074a1dfe1fb2141df81252816a366add71e1ac6ae676b1187829a6fc1415d374a290ff57530b460b86e05b3
-  data.tar.gz: 8cd35af44b1cefb63cf46b3a4910b993a275f69a70377cac009ce66c5c0dc1f074bb284ed3c62e1fcb2dd546a387fa9c0bc1280ad24ab9b0abc336bf79f0e3e2
+  metadata.gz: 13e7fced989080e8d64ff36329f92cfb0355947e2596bf5ce22e677d6cc2718e23ba867941512424a8682f8447d0b84bfc49dd5cf57464dc5199425af00a7149
+  data.tar.gz: fff50fcc18795b848f4c4f7ba172eb7681e2ac6589938312568659c5f13de5a3c26b2230a4c23f93fa364f711cb1681d9efd4ed3c54fc3dad4025f87b6c0be86

data/.travis.yml

@@ -1,5 +1,6 @@
 language: ruby
 rvm:
+  - 2.2.0
   - 2.1.3
   - 2.0.0
 script: bundle exec rspec --pattern "spec/**/*_spec.rb"

data/lib/databound.rb

@@ -100,6 +100,7 @@ module Databound
   module ClassMethods
     attr_reader :dsls
     attr_reader :stricts
+    attr_reader :permit_update_destroy
 
     def dsl(name, value, strict: true, &block)
       @stricts ||= {}
@@ -109,5 +110,9 @@ module Databound
       @dsls[name.to_s] ||= {}
       @dsls[name.to_s][value.to_s] = block
     end
+
+    def permit_update_destroy?(&block)
+      @permit_update_destroy = block
+    end
   end
 end

data/lib/databound/manager.rb

@@ -2,12 +2,8 @@ module Databound
   class NotPermittedError < RuntimeError; end
   class Manager
     def initialize(controller)
-      @model = controller.send(:model)
-      @permitted_columns = controller.send(:permitted_columns)
-
-      scope_js = controller.params[:scope]
-      data_js = controller.params[:data]
-      extra_where_scopes_js = controller.params[:extra_where_scopes] || '[]'
+      @controller = controller
+      @model = @controller.send(:model)
 
       @scope = Databound::Data.new(controller, scope_js)
       @data = Databound::Data.new(controller, data_js).to_h
@@ -42,27 +38,57 @@ module Databound
 
       check_params!
       record = @model.find(id)
+      check_permit_update_destroy!(record)
       record.update(@data)
 
       record
     end
 
     def destroy_from_data
-      @model.find(@data['id']).destroy
+      record = @model.find(@data['id'])
+      check_permit_update_destroy!(record)
+      record.destroy
     end
 
     private
 
     def check_params!
-      return if @permitted_columns == :all
+      return if permitted_columns == :all
       return if unpermitted_columns.empty?
 
       raise NotPermittedError, "Request includes unpermitted columns: #{unpermitted_columns.join(', ')}"
     end
 
+    def check_permit_update_destroy!(record)
+      return unless permit_update_destroy_block
+      return if permit_update_destroy_block.call(record)
+
+      raise NotPermittedError, 'Request for update or destroy not permitted'
+    end
+
+    def permit_update_destroy_block
+      @controller.class.permit_update_destroy
+    end
+
     def unpermitted_columns
       requested = [@scope, @data].map(&:to_h).flat_map(&:keys)
-      requested - @permitted_columns.map(&:to_s)
+      requested - permitted_columns.map(&:to_s)
+    end
+
+    def permitted_columns
+      @controller.send(:permitted_columns)
+    end
+
+    def scope_js
+      @controller.params[:scope]
+    end
+
+    def data_js
+      @controller.params[:data]
+    end
+
+    def extra_where_scopes_js
+      @controller.params[:extra_where_scopes] || '[]'
     end
   end
 end

data/lib/databound/version.rb

@@ -1,3 +1,3 @@
 module Databound
-  VERSION = '1.0.2'
+  VERSION = '1.1.0'
 end

data/spec/controllers/permit_update_destroy_controller_spec.rb

@@ -0,0 +1,66 @@
+require 'spec_helper'
+
+describe PermitUpdateDestroyController, type: :controller do
+  CURRENT_USER_ID = 1
+
+  before :each do
+    Project.create(city: 'LA', user_id: 5)
+    Project.create(city: 'LA', user_id: 1)
+  end
+
+  describe '#update' do
+    it 'raise when scope is not permitted' do
+      data = {
+        data: {
+          id: 1,
+          city: 'Barcelona',
+        },
+        scope: {},
+      }
+
+      expect { post(:update, javascriptize(data)) }.to raise_error(
+        Databound::NotPermittedError,
+        'Request for update or destroy not permitted',
+      )
+    end
+
+    it 'should update when param is permitted' do
+      data = {
+        data: {
+          id: 2,
+          city: 'Barcelona',
+        },
+        scope: {},
+      }
+
+      expect { post(:update, javascriptize(data)) }.not_to raise_error
+    end
+  end
+
+  describe '#destroy' do
+    it 'raise when scope is not permitted' do
+      data = {
+        data: {
+          id: 1,
+        },
+        scope: {},
+      }
+
+      expect { post(:destroy, javascriptize(data)) }.to raise_error(
+        Databound::NotPermittedError,
+        'Request for update or destroy not permitted',
+      )
+    end
+
+    it 'should destroy when param is permitted' do
+      data = {
+        data: {
+          id: 2,
+        },
+        scope: {},
+      }
+
+      expect { post(:destroy, javascriptize(data)) }.not_to raise_error
+    end
+  end
+end

data/spec/internal/app/controllers/permit_update_destroy_controller.rb

@@ -0,0 +1,13 @@
+class PermitUpdateDestroyController < ApplicationController
+  include Databound
+
+  private
+
+  def model
+    Project
+  end
+
+  permit_update_destroy? do |record|
+    record.user_id == CURRENT_USER_ID
+  end
+end

data/spec/internal/app/models/project.rb

@@ -0,0 +1,2 @@
+class Project < ActiveRecord::Base
+end

data/spec/internal/config/routes.rb

@@ -5,4 +5,5 @@ Rails.application.routes.draw do
   databound :dsl
   databound :loose_dsl
   databound :messages
+  databound :permit_update_destroy
 end

data/spec/internal/db/schema.rb

@@ -10,4 +10,10 @@ ActiveRecord::Schema.define do
     t.string :city
     t.timestamps
   end
+
+  create_table(:projects, force: true) do |t|
+    t.string :city
+    t.integer :user_id
+    t.timestamps
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: databound
 version: !ruby/object:Gem::Version
-  version: 1.0.2
+  version: 1.1.0
 platform: ruby
 authors:
 - Domas Bitvinskas
@@ -152,14 +152,17 @@ files:
 - spec/controllers/loose_dsl_controller_spec.rb
 - spec/controllers/no_model_controller_spec.rb
 - spec/controllers/on_the_fly_spec.rb
+- spec/controllers/permit_update_destroy_controller_spec.rb
 - spec/controllers/permitted_columns_controller_spec.rb
 - spec/internal/app/controllers/application_controller.rb
 - spec/internal/app/controllers/dsl_controller.rb
 - spec/internal/app/controllers/loose_dsl_controller.rb
 - spec/internal/app/controllers/no_model_controller.rb
+- spec/internal/app/controllers/permit_update_destroy_controller.rb
 - spec/internal/app/controllers/permitted_columns_controller.rb
 - spec/internal/app/controllers/users_controller.rb
 - spec/internal/app/models/message.rb
+- spec/internal/app/models/project.rb
 - spec/internal/app/models/user.rb
 - spec/internal/config/database.yml
 - spec/internal/config/routes.rb
@@ -247,14 +250,17 @@ test_files:
 - spec/controllers/loose_dsl_controller_spec.rb
 - spec/controllers/no_model_controller_spec.rb
 - spec/controllers/on_the_fly_spec.rb
+- spec/controllers/permit_update_destroy_controller_spec.rb
 - spec/controllers/permitted_columns_controller_spec.rb
 - spec/internal/app/controllers/application_controller.rb
 - spec/internal/app/controllers/dsl_controller.rb
 - spec/internal/app/controllers/loose_dsl_controller.rb
 - spec/internal/app/controllers/no_model_controller.rb
+- spec/internal/app/controllers/permit_update_destroy_controller.rb
 - spec/internal/app/controllers/permitted_columns_controller.rb
 - spec/internal/app/controllers/users_controller.rb
 - spec/internal/app/models/message.rb
+- spec/internal/app/models/project.rb
 - spec/internal/app/models/user.rb
 - spec/internal/config/database.yml
 - spec/internal/config/routes.rb