declarative_policy 1.1.0 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6dffd68fb3da1c6d7629901c2436d47e87d7a2b275dfa7282371ef97e7e623b9
-  data.tar.gz: 9d07ae900c5c2de61025ac2ecff512da42a235f2365db2696babc4b41a654ec2
+  metadata.gz: 05f875265a827bd025947cd0098d09804051cf0fa2c02857aa230e03d8554f02
+  data.tar.gz: 38452f2308ad61d9cf54bb604f68cbdd73cb75d342ea24a55c265ee708f588b4
 SHA512:
-  metadata.gz: e95c536a5b724dc302e192c975b7adf9a3096a7b2fca2ebe63cc1a6fcead19bb37928fecd796b63403902c7885f577859beff3a51237ce37d7a4deff9a51318d
-  data.tar.gz: acfa272dae2fce1bb4ea9be06c45d10f3da93a8a87ea8c329db1b2e8cd8cf707615104945872bc391e4eb35bc9b2adba0d768ecdd9ddf1bb5ce480ba7dd337c0
+  metadata.gz: 82ac859206da667fb45b59662aa9a35fb760f59179e0976f9e7ed9ffba92259ba271fa6732ec9b84e3e14e14961f1362fb13077deb7191c75436c83ef60ab342
+  data.tar.gz: c9e41debc20ab2ecc2dc8da44c2e782f50e58ec7d9cba23986c5494c7c00d334de82a3f6f2c9a5b35739a402ecc097f144cb05314ab8584f07aa46dab548b6c0

data/CHANGELOG.md

@@ -1,3 +1,17 @@
+Starting from version 2.0, changelog entries are tracked via https://gitlab.com/gitlab-org/ruby/gems/declarative-policy/-/releases
+
+2.0.0:
+
+- Drop explicit support for Ruby 2.6 and 2.7 by removing those versions from
+  the CI matrix. These Ruby versions are now past EOL.
+- Rename default condition scope name to `:user_and_subject`
+- Clarify the use of `User` and `Subject` in README and documentation
+- Update `ruby-git` in Gemfile.lock
+
+1.1.1:
+
+- Define development dependencies
+
 1.1.0:
 
 - Add cache invalidation API: `DeclarativePolicy.invalidate(cache, keys)`

data/README.md

@@ -20,14 +20,72 @@ gem 'declarative_policy'
 
 And then execute:
 
-    $ bundle install
+```plain
+$ bundle install
+```
 
 Or install it yourself as:
 
-    $ gem install declarative_policy
+```plain
+$ gem install declarative_policy
+```
 
-## Usage
+## Example
+
+```ruby
+require 'declarative_policy'
+
+class User
+  attr_reader :name
+
+  def initialize(name:)
+    @name = name
+  end
+end
+
+class Vehicle
+  def initialize(owner:, trusted: [])
+    @owner = owner
+    @trusted = trusted
+  end
+
+  def owner?(user)
+    @owner.name == user.name
+  end
+
+  def trusted?(user)
+    @owner.name == user.name || @trusted.detect { |t| t.name == user.name }
+  end
+end
+
+class VehiclePolicy < DeclarativePolicy::Base
+  condition(:owns) { @subject.owner?(@user) }
+  condition(:trusted) { @subject.trusted?(@user) }
 
+  rule { owns }.enable :sell_vehicle
+  rule { trusted }.enable :drive_vehicle
+end
+
+jack = User.new(name: 'jack')
+jill = User.new(name: 'jill')
+jacks_vehicle = Vehicle.new(owner: jack, trusted: [jill])
+jills_vehicle = Vehicle.new(owner: jill, trusted: [jack])
+
+puts "Jack can drive Jack's vehicle? -> #{DeclarativePolicy.policy_for(jack, jacks_vehicle).can?(:drive_vehicle)}"
+puts "Jack can drive Jill's vehicle? -> #{DeclarativePolicy.policy_for(jack, jills_vehicle).can?(:drive_vehicle)}"
+puts "Jack can sell Jack's vehicle? -> #{DeclarativePolicy.policy_for(jack, jacks_vehicle).can?(:sell_vehicle)}"
+puts "Jack can sell Jill's vehicle? -> #{DeclarativePolicy.policy_for(jack, jills_vehicle).can?(:sell_vehicle)}"
+```
+
+```plain
+$ ruby example.rb
+Jack can drive Jack's vehicle? -> true
+Jack can drive Jill's vehicle? -> true
+Jack can sell Jack's vehicle? -> true
+Jack can sell Jill's vehicle? -> false
+```
+
+## Usage
 
 The core abstraction of this library is a `Policy`. Policies combine:
 
@@ -36,10 +94,13 @@ The core abstraction of this library is a `Policy`. Policies combine:
 
 This library exists to determine the truth value of statements of the form:
 
-```
-Subject Predicate [Object]
+```plain
+User Predicate [Subject]
 ```
 
+Renaming `User` to `Actor` and `Subject` to `Resource` is discussed in
+[this issue](https://gitlab.com/gitlab-org/ruby/gems/declarative-policy/-/issues/6).
+
 For example:
 
 - `user :is_alive`
@@ -64,14 +125,14 @@ class VehiclePolicy < DeclarativePolicy::Base
   condition(:owns, score: 0) { @subject.owner == @user }
   condition(:has_access_to, score: 3) { @subject.owner.trusts?(@user) }
   condition(:intoxicated, score: 5) { @user.blood_alcohol > laws.max_blood_alcohol }
-  
+
   # conclusions we can draw:
   rule { owns }.enable :drive_vehicle
   rule { has_access_to }.enable :drive_vehicle
   rule { ~old_enough_to_drive }.prevent :drive_vehicle
   rule { intoxicated }.prevent :drive_vehicle
   rule { ~has_driving_license }.prevent :drive_vehicle
-  
+
   # we can use methods to abstract common logic
   def laws
     @subject.registration.country.driving_laws
@@ -128,13 +189,33 @@ interactive prompt that will allow you to experiment.
 
 To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 
+## Additional Reading Material
+
+More details on policies and custom roles can be found in the following pages:
+- [Development Process for the DeclarativePolicy framework](https://docs.gitlab.com/ee/development/policies.html)
+- [Custom Roles docs](https://docs.gitlab.com/ee/development/permissions/custom_roles.html)
+
 ## Contributing
 
 Bug reports and merge requests are welcome on GitLab at
-https://gitlab.com/gitlab-org/declarative-policy. This project is intended to be
+https://gitlab.com/gitlab-org/ruby/gems/declarative-policy. This project is intended to be
 a safe, welcoming space for collaboration, and contributors are expected to
 adhere to the [GitLab code of conduct](https://about.gitlab.com/community/contribute/code-of-conduct/).
 
+## Release process
+
+We release `declarative_policy` on an ad-hoc basis. There is no regularity to when
+we release, we just release when we make a change - no matter the size of the
+change.
+
+To release a new version:
+
+1. Create a Merge Request.
+1. Use Merge Request template [Release.md](https://gitlab.com/gitlab-org/ruby/gems/declarative-policy/-/blob/main/.gitlab/merge_request_templates/Release.md).
+1. Follow the instructions.
+1. After the Merge Request has been merged, a new gem version is [published automatically](https://gitlab.com/gitlab-org/components/gem-release).
+1. Once the new gem version is visible on [RubyGems.org](https://rubygems.org/gems/declarative_policy), it is recommended to update [GitLab's `Gemfile`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/Gemfile) to bump the `declarative_policy` Ruby gem to the new version also.
+
 ## License
 
 The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
@@ -143,4 +224,4 @@ The gem is available as open source under the terms of the [MIT License](https:/
 
 Everyone interacting in the `DeclarativePolicy` project's codebase, issue
 trackers, chat rooms and mailing lists is expected to follow
-the [code of conduct](https://github.com/[USERNAME]/declarative-policy/blob/master/CODE_OF_CONDUCT.md).
+the [code of conduct](https://gitlab.com/gitlab-org/ruby/gems/declarative-policy/blob/main/CODE_OF_CONDUCT.md).

data/{declarative_policy.gemspec → declarative-policy.gemspec}

@@ -5,8 +5,8 @@ require_relative 'lib/declarative_policy/version'
 Gem::Specification.new do |spec|
   spec.name          = 'declarative_policy'
   spec.version       = DeclarativePolicy::VERSION
-  spec.authors       = ['Jeanine Adkisson', 'Alexis Kalderimis']
-  spec.email         = ['akalderimis@gitlab.com']
+  spec.authors       = ['group::authorization']
+  spec.email         = ['engineering@gitlab.com']
 
   spec.summary       = 'An authorization library with a focus on declarative policy definitions.'
   spec.description   = <<~DESC
@@ -17,20 +17,35 @@ Gem::Specification.new do |spec|
 
     This library is in production use at GitLab.com
   DESC
-  spec.homepage      = 'https://gitlab.com/gitlab-org/declarative-policy'
+  spec.homepage      = 'https://gitlab.com/gitlab-org/ruby/gems/declarative-policy'
   spec.license       = 'MIT'
-  spec.required_ruby_version = Gem::Requirement.new('>= 2.5.0')
+  spec.required_ruby_version = Gem::Requirement.new('>= 3.0.0')
 
   spec.metadata['homepage_uri'] = spec.homepage
-  spec.metadata['source_code_uri'] = 'https://gitlab.com/gitlab-org/declarative-policy'
-  spec.metadata['changelog_uri'] = 'https://gitlab.com/gitlab-org/declarative-policy/-/blobs/master/CHANGELOG.md'
+  spec.metadata['source_code_uri'] = 'https://gitlab.com/gitlab-org/ruby/gems/declarative-policy'
+  spec.metadata['changelog_uri'] = 'https://gitlab.com/gitlab-org/ruby/gems/declarative-policy/-/releases'
+
+  spec.metadata['rubygems_mfa_required'] = 'false'
 
   # Specify which files should be added to the gem when it is released.
-  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
   spec.files = Dir.chdir(File.expand_path(__dir__)) do
-    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+    %w[
+      *.gemspec
+      lib/**/*.rb
+      *.{md,txt}
+      doc/**/*
+    ].flat_map { |pattern| Dir.glob(pattern) }
   end
   spec.bindir        = 'exe'
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
+
+  # Development dependencies:
+  spec.add_development_dependency 'benchmark-ips', '~> 2.12'
+  spec.add_development_dependency 'gitlab-dangerfiles', '~> 3.8'
+  spec.add_development_dependency 'gitlab-styles', '~> 12.0'
+  spec.add_development_dependency 'pry-byebug'
+  spec.add_development_dependency 'rake', '~> 12.0'
+  spec.add_development_dependency 'rspec', '~> 3.10'
+  spec.add_development_dependency 'rspec-parameterized', '~> 1.0'
 end

data/doc/caching.md

@@ -122,8 +122,8 @@ policy itself.
 
 The best approach here is to use normal Ruby methods and instance variables for
 such values. The policy instances themselves are cached, so that any two
-invocations of `DeclarativePolicy.policy_for(user, object)` with identical
-`user` and `object` arguments will always return the same policy object. This
+invocations of `DeclarativePolicy.policy_for(user, subject)` with identical
+`user` and `subject` arguments will always return the same policy object. This
 means instance variables stored on the policy will be available for the lifetime
 of the cache.
 
@@ -209,18 +209,18 @@ In this case, it doesn't matter who the user is or even where they are going:
 the condition will be computed once (per cache lifetime) for all combinations.
 
 Because of the implications for sharing, the scope determines the
-[`#score`](https://gitlab.com/gitlab-org/declarative-policy/blob/2ab9dbdf44fb37beb8d0f7c131742d47ae9ef5d0/lib/declarative_policy/condition.rb#L58-77) of
+[`#score`](https://gitlab.com/gitlab-org/ruby/gems/declarative-policy/blob/2ab9dbdf44fb37beb8d0f7c131742d47ae9ef5d0/lib/declarative_policy/condition.rb#L58-77) of
 the condition (if not provided explicitly). The intention is to prefer values we
 are more likely (all other things being equal) to re-use:
 
 - Conditions we have already cached get a score of `0`.
 - Conditions that are in the `:global` scope get a score of `2`.
 - Conditions that are in the `:user` or `:subject` scopes get a score of `8`.
-- Conditions that are in the `:normal` scope get a score of `16`.
+- Conditions that are in the `:user_and_subject` scope get a score of `16`.
 
 Bear helper-methods in mind when defining scopes. While the instance level cache
 for non-boolean values would not be shared, as long as the derived condition is
-shared (for example by being in the `:user` scope, rather than the `:normal`
+shared (for example by being in the `:user` scope, rather than the `:user_and_subject`
 scope), helper-methods will also benefit from improved cache hits.
 
 ### Preferred scope
@@ -231,7 +231,7 @@ the `:subject` or the `:user` scope. We can inform the optimizer of this
 by setting `DeclarativePolicy.preferred_scope`.
 
 To do this, check the abilities within a block bounded
-by [`DeclarativePolicy.with_preferred_scope`](https://gitlab.com/gitlab-org/declarative-policy/blob/481c322a74f76c325d3ccab7f2f3cc2773e8168b/lib/declarative_policy/preferred_scope.rb#L7-13).
+by [`DeclarativePolicy.with_preferred_scope`](https://gitlab.com/gitlab-org/ruby/gems/declarative-policy/blob/481c322a74f76c325d3ccab7f2f3cc2773e8168b/lib/declarative_policy/preferred_scope.rb#L7-13).
 For example:
 
 ```ruby
@@ -270,7 +270,7 @@ have different `object_id` values, and using `object_id` will not get optimal ca
 policy subjects should implement `#id` for this reason. `ActiveRecord` models
 with an `id` primary ID attribute do not need any extra configuration.
 
-Please see: [`DeclarativePolicy::Cache`](https://gitlab.com/gitlab-org/declarative-policy/blob/master/lib/declarative_policy/cache.rb).
+Please see: [`DeclarativePolicy::Cache`](https://gitlab.com/gitlab-org/ruby/gems/declarative-policy/blob/main/lib/declarative_policy/cache.rb).
 
 ## Cache invalidation
 

data/doc/defining-policies.md

@@ -22,9 +22,9 @@ and then evaluating them with `DeclarativePolicy::Base#allowed?`.
 You may wish to define a method to abstract policy evaluation. Something like:
 
 ```ruby
-def allowed?(user, ability, object)
+def allowed?(user, ability, subject)
   opts = { cache: Cache.current_cache } # re-using a cache between checks eliminates duplication of work
-  policy = DeclarativePolicy.policy_for(user, object, opts)
+  policy = DeclarativePolicy.policy_for(user, subject, opts)
   policy.allowed?(ability)
 end
 ```
@@ -41,9 +41,9 @@ want to know if a user can drive a vehicle. We need a `VehiclePolicy`:
 ```ruby
 class VehiclePolicy < DeclarativePolicy::Base
   # conditions go here by convention
-  
+
   # rules go here by convention
-  
+
   # helper methods go last
 end
 ```
@@ -55,14 +55,14 @@ Conditions are facts about the state of the system.
 They have access to two elements of the proposition:
 
 - `@user` - the representation of a user in your system: the *subject* of the proposition.
-  `user` in `allowed?(user, ability, object)`. `@user` may be `nil`, which means
+  `user` in `allowed?(user, ability, subject)`. `@user` may be `nil`, which means
   that the current user is anonymous (for example this may reflect an
   unauthenticated request in your system).
 - `@subject` - any domain object that has an associated policy: the *object* of
-  the predicate of the proposition. `object` in `allowed?(user, ability, object)`.
+  the predicate of the proposition. `subject` in `allowed?(user, ability, subject)`.
   `@subject` is never `nil`. See [handling `nil` values](./configuration.md#handling-nil-values)
   for details of how to apply policies to `nil` values.
-  
+
 
 They are defined as `condition(name, **options, &block)`, where the block is
 evaluated in the context of an instance of the policy.
@@ -124,6 +124,42 @@ rule { old_enough_to_drive }.policy do
 end
 ```
 
+#### `prevent_all`
+
+To prevent all abilities at once, use `prevent_all`:
+
+```ruby
+rule { banned }.prevent_all
+```
+
+This is equivalent to adding a `prevent` for every ability in the policy. It is
+commonly used to deny all access when a precondition fails (e.g. a user is
+suspended or a resource is locked).
+
+#### `prevent_all` with exceptions
+
+To prevent all abilities **except** specific ones, pass a block with `except`
+declarations:
+
+```ruby
+rule { suspended }.prevent_all do
+  except :read
+  except :appeal_suspension
+end
+```
+
+Multiple abilities can also be listed in a single `except` call:
+
+```ruby
+rule { suspended }.prevent_all do
+  except :read, :list, :appeal_suspension
+end
+```
+
+Excepted abilities are excluded from the blanket prevent and follow normal
+enable/prevent evaluation. Non-excepted abilities are prevented when the rule's
+condition holds, regardless of any `enable` rules.
+
 Rule blocks do not have access to the internal state of the policy, and cannot
 access the `@user` or `@subject`, or any methods on the policy instance. You
 should not perform I/O in a rule. They exist solely to define the logical rules
@@ -184,7 +220,7 @@ like:
 ```ruby
 class DrivingLicensePolicy < DeclarativePolicy::Base
   condition(:expired) { @subject.expires_at <= Time.current }
-  
+
   rule { expired }.prevent :drive_vehicle
 end
 ```
@@ -194,7 +230,7 @@ And a registration policy:
 ```ruby
 class RegistrationPolicy < DeclarativePolicy::Base
   condition(:valid) { @subject.valid_for?(@user.current_location) }
-  
+
   rule { ~valid }.prevent :drive_vehicle
 end
 ```
@@ -209,3 +245,41 @@ delegate { @subject.registration }
 
 This is a powerful mechanism for inferring rules based on relationships between
 objects.
+
+#### Overrides
+
+It can be useful to declare that the given abilities should not be read
+from delegates. This declaration is useful if you have an ability you want
+to define differently in a policy than in a delegated policy, but you still
+want to delegate all other abilities.
+
+```ruby
+delegate { @subject.parent }
+
+overrides :drive_car, :watch_tv
+```
+
+NOTE:
+Rules with `prevent_all` present in the delegated policy are properly
+not used during overridden abilities evaluation.
+
+#### Delegated conditions
+
+When named delegates are defined, their [conditions](#conditions) can be
+referenced in [rules](#rules) using bare words.
+
+Given a registration policy:
+
+```ruby
+class RegistrationPolicy < DeclarativePolicy::Base
+  condition(:valid) { @subject.valid_for?(@user.current_location) }
+end
+```
+
+The vehicle policy can reference the `:valid` condition as follows:
+
+```ruby
+delegate(:registration) { @subject.registration }
+
+rule { registration.valid }.enable :drive_vehicle
+```

data/doc/optimization.md

@@ -97,7 +97,7 @@ They aren't necessarily run in this order, however. Instead, we try to order
 the list to minimize unnecessary work.
 
 The
-[logic](https://gitlab.com/gitlab-org/declarative-policy/blob/659ac0525773a76cf8712d47b3c2dadd03b758c9/lib/declarative_policy/runner.rb#L80-112)
+[logic](https://gitlab.com/gitlab-org/ruby/gems/declarative-policy/blob/659ac0525773a76cf8712d47b3c2dadd03b758c9/lib/declarative_policy/runner.rb#L80-112)
 to process this list is (in pseudo-code):
 
 ```pseudo

data/lib/declarative_policy/base.rb

@@ -113,9 +113,15 @@ module DeclarativePolicy
 
       # all the [rule, action] pairs that apply to a particular ability.
       # we combine the specific ones looked up in ability_map with the global
-      # ones.
+      # ones, filtering out any global actions that have excepted this ability.
       def configuration_for(ability)
-        ability_map.actions(ability) + global_actions
+        applicable_globals = global_actions.filter_map do |(action, rule, exceptions)|
+          next if exceptions&.include?(ability)
+
+          [action, rule]
+        end
+
+        ability_map.actions(ability) + applicable_globals
       end
 
       ### declaration methods ###
@@ -144,7 +150,7 @@ module DeclarativePolicy
       #
       # example:
       #
-      #   delegate { @subect.parent }
+      #   delegate { @subject.parent }
       #
       #   overrides :drive_car, :watch_tv
       #
@@ -215,8 +221,10 @@ module DeclarativePolicy
 
       # we store global prevents (from `prevent_all`) separately,
       # so that they can be combined into every decision made.
-      def prevent_all_when(rule)
-        own_global_actions << [:prevent, rule]
+      # The optional `except` parameter is a Set of abilities
+      # that should be excluded from the blanket prevent.
+      def prevent_all_when(rule, except: nil)
+        own_global_actions << [:prevent, rule, except]
       end
 
       private
@@ -255,6 +263,8 @@ module DeclarativePolicy
     # This is the main entry point for permission checks. It constructs
     # or looks up a Runner for the given ability and asks it if it passes.
     def allowed?(*abilities)
+      return false if abilities.empty?
+
       abilities.all? { |a| runner(a).pass? }
     end
 
@@ -351,8 +361,17 @@ module DeclarativePolicy
 
     # used in specs - returns true if there is no possible way for any action
     # to be allowed, determined only by the global :prevent_all rules.
+    # Only considers global actions with no exceptions (a prevent_all with
+    # exceptions cannot fully ban, since the excepted abilities may still pass).
     def banned?
-      global_steps = self.class.global_actions.map { |(action, rule)| Step.new(self, rule, action) }
+      global_steps = self.class.global_actions.filter_map do |(action, rule, exceptions)|
+        next if exceptions && !exceptions.empty?
+
+        Step.new(self, rule, action)
+      end
+
+      return false if global_steps.empty?
+
       !Runner.new(global_steps).pass?
     end
 

data/lib/declarative_policy/condition.rb

@@ -9,10 +9,14 @@ module DeclarativePolicy
   class Condition
     attr_reader :name, :description, :scope, :manual_score, :context_key
 
+    VALID_SCOPES = %i[user_and_subject user subject global].freeze
+    ALLOWED_SCOPES = VALID_SCOPES + %i[normal]
+
     def initialize(name, opts = {}, &compute)
       @name = name
       @compute = compute
-      @scope = opts.fetch(:scope, :normal)
+      @scope = fetch_scope(opts)
+
       @description = opts.delete(:description)
       @context_key = opts[:context_key]
       @manual_score = opts.fetch(:score, nil)
@@ -25,6 +29,20 @@ module DeclarativePolicy
     def key
       "#{@context_key}/#{@name}"
     end
+
+    private
+
+    def fetch_scope(options)
+      result = options.fetch(:scope, :user_and_subject)
+      if result == :normal
+        warn "[DEPRECATION] `:normal` is deprecated and will be removed in 2.0. Please use new name `:user_and_subject`"
+        result = :user_and_subject
+      end
+
+      raise "Invalid scope #{result}. Allowed values: #{VALID_SCOPES.inspect}" unless ALLOWED_SCOPES.include?(result)
+
+      result
+    end
   end
 
   # In contrast to a Condition, a ManifestCondition contains
@@ -68,7 +86,7 @@ module DeclarativePolicy
       return 2 if  @condition.scope == :global
 
       # "Normal" rules can't share caches with any other policies
-      return 16 if @condition.scope == :normal
+      return 16 if @condition.scope == :user_and_subject
 
       # otherwise, we're :user or :subject scope, so it's 4 if
       # the caller has declared a preference
@@ -85,11 +103,10 @@ module DeclarativePolicy
     def cache_key
       @cache_key ||=
         case @condition.scope
-        when :normal  then "/dp/condition/#{@condition.key}/#{user_key},#{subject_key}"
+        when :global  then "/dp/condition/#{@condition.key}"
         when :user    then "/dp/condition/#{@condition.key}/#{user_key}"
         when :subject then "/dp/condition/#{@condition.key}/#{subject_key}"
-        when :global  then "/dp/condition/#{@condition.key}"
-        else raise 'invalid scope'
+        else "/dp/condition/#{@condition.key}/#{user_key},#{subject_key}"
         end
     end
 

data/lib/declarative_policy/configuration.rb

@@ -35,7 +35,7 @@ module DeclarativePolicy
     def policy_class(domain_class_name)
       return unless domain_class_name
 
-      @class_for.call((@name_transformation.call(domain_class_name)))
+      @class_for.call(@name_transformation.call(domain_class_name))
     rescue NameError
       nil
     end

data/lib/declarative_policy/delegate_dsl.rb

@@ -15,7 +15,7 @@ module DeclarativePolicy
       @rule_dsl.delegate(@delegate_name, msg)
     end
 
-    def respond_to_missing?(msg, include_all)
+    def respond_to_missing?(_msg, _include_all)
       true
     end
   end

data/lib/declarative_policy/policy_dsl.rb

@@ -29,14 +29,20 @@ module DeclarativePolicy
       @context_class.prevent_when(abilities, @rule)
     end
 
-    def prevent_all
-      @context_class.prevent_all_when(@rule)
+    def prevent_all(&block)
+      if block
+        dsl = PreventAllDsl.new
+        dsl.instance_eval(&block)
+        @context_class.prevent_all_when(@rule, except: dsl.exceptions)
+      else
+        @context_class.prevent_all_when(@rule)
+      end
     end
 
-    def method_missing(msg, *args, &block)
+    def method_missing(msg, ...)
       return super unless @context_class.respond_to?(msg)
 
-      @context_class.__send__(msg, *args, &block) # rubocop: disable GitlabSecurity/PublicSend
+      @context_class.__send__(msg, ...) # rubocop: disable GitlabSecurity/PublicSend
     end
 
     def respond_to_missing?(msg)

data/lib/declarative_policy/preferred_scope.rb

@@ -2,7 +2,7 @@
 
 module DeclarativePolicy
   module PreferredScope
-    PREFERRED_SCOPE_KEY = :"DeclarativePolicy.preferred_scope"
+    PREFERRED_SCOPE_KEY = :'DeclarativePolicy.preferred_scope'
 
     def with_preferred_scope(scope)
       old_scope = Thread.current[PREFERRED_SCOPE_KEY]

data/lib/declarative_policy/prevent_all_dsl.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require 'set'
+
+module DeclarativePolicy
+  # A small DSL class used within a prevent_all { ... } block
+  # to capture exception abilities.
+  #
+  # Usage:
+  #   rule { some_condition }.prevent_all do
+  #     except :read
+  #     except :list
+  #   end
+  class PreventAllDsl
+    attr_reader :exceptions
+
+    def initialize
+      @exceptions = Set.new
+    end
+
+    def except(*abilities)
+      @exceptions.merge(abilities)
+    end
+  end
+end

data/lib/declarative_policy/rule_dsl.rb

@@ -44,7 +44,7 @@ module DeclarativePolicy
       end
     end
 
-    def respond_to_missing?(symbol, include_all)
+    def respond_to_missing?(_symbol, _include_all)
       true
     end
   end

data/lib/declarative_policy/runner.rb

@@ -93,7 +93,7 @@ module DeclarativePolicy
 
     private
 
-    def with_state(&block)
+    def with_state
       @state = State.new
       old_runner_state = Thread.current[:declarative_policy_current_runner_state]
       Thread.current[:declarative_policy_current_runner_state] = @state