dry-ability 0.0.1

data/lib/dry/ability/controller/mixin.rb

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+module Dry
+  module Ability
+    module Controller
+      module Mixin
+        extend ActiveSupport::Concern
+
+        included do
+          class_attribute :ability_class, instance_accessor: false
+          helper_method :can?, :cannot?, :current_ability if respond_to? :helper_method
+        end
+
+        # Raises a Dry::Ability::AccessDenied exception if the current_ability cannot
+        # perform the given action. This is usually called in a controller action or
+        # before filter to perform the authorization.
+        #
+        #   def show
+        #     @article = Article.find(params[:id])
+        #     authorize! :read, @article
+        #   end
+        #
+        # A :message option can be passed to specify a different message.
+        #
+        #   authorize! :read, @article, :message => "Not authorized to read #{@article.name}"
+        #
+        # You can also use I18n to customize the message. Action aliases defined in Ability work here.
+        #
+        #   en:
+        #     unauthorized:
+        #       manage:
+        #         all: "Not authorized to %{action} %{subject}."
+        #         user: "Not allowed to manage other user accounts."
+        #       update:
+        #         project: "Not allowed to update this project."
+        #
+        # You can rescue from the exception in the controller to customize how unauthorized
+        # access is displayed to the user.
+        #
+        #   class ApplicationController < ActionController::Base
+        #     rescue_from CanCan::AccessDenied do |exception|
+        #       redirect_to root_url, :alert => exception.message
+        #     end
+        #   end
+        #
+        # See the CanCan::AccessDenied exception for more details on working with the exception.
+        #
+        # See the load_and_authorize_resource method to automatically add the authorize! behavior
+        # to the default RESTful actions.
+        def authorize!(*args)
+          @_authorized = true
+          current_ability.authorize!(*args)
+        end
+
+        # Creates and returns the current user's ability and caches it. If you
+        # want to override how the Ability is defined then this is the place.
+        # Just define the method in the controller to change behavior.
+        #
+        #   def current_ability
+        #     # instead of Ability.new(current_user)
+        #     @current_ability ||= UserAbility.new(current_account)
+        #   end
+        #
+        # Notice it is important to cache the ability object so it is not
+        # recreated every time.
+        def current_ability
+          @current_ability ||= ability_class.new(current_user)
+        end
+
+        # @!method can?(*args)
+        #   @see Dry::Ability::Mixin#can?
+        delegate :can?, to: :current_ability
+
+        # @!method cannot?(*args)
+        #   @see Dry::Ability::Mixin#cannot?
+        delegate :cannot?, to: :current_ability
+      end
+    end
+  end
+end

data/lib/dry/ability/controller/resource.rb

@@ -0,0 +1,218 @@
+# frozen_string_literal: true
+
+require "dry/initializer"
+require "dry/ability/t"
+
+module Dry
+  module Ability
+    module Controller
+      # @private
+      class Resource
+        include Initializer[undefined: false].define -> do
+          param :mediator,   T.Instance(ResourceMediator)
+          param :controller, T.Instance(Controller::Mixin)
+
+          option :action_name,     T['params.symbol'], default: proc { @controller.action_name.to_sym }
+          option :controller_name, T['params.symbol'], default: proc { @controller.controller_name.to_sym }
+          option :is_member,       T['bool'],          default: proc { @mediator.member_action?(action_name, params) }
+          option :is_collection,   T['bool'],          default: proc { @mediator.collection_action?(action_name) }
+        end
+
+        alias_method :member_action?, :is_member
+        alias_method :collection_action?, :is_collection
+
+        delegate :params, to: :controller
+        delegate :name, to: :mediator
+        delegate_missing_to :mediator
+
+        def call
+          @controller.instance_variable_set(:@_ability_resource, self)
+          retval = nil
+          @mediator.sequence.each do |sym|
+            retval = public_send(sym)
+          end
+          retval
+        end
+
+        def load_and_authorize_resource
+          load_resource
+          authorize_resource
+        end
+
+        def load_resource
+          return if skip?(:load)
+          if load_instance?
+            self.resource_instance ||= load_resource_instance
+          elsif collection_action?
+            self.collection_instance ||= load_collection
+          end
+        end
+
+        def authorize_resource
+          return if skip?(:authorize)
+          @controller.authorize!(authorization_action, resource_instance || resource_class_with_parent)
+        end
+
+        def parent?
+          @mediator.parent.nil? ? @mediator.collection_name != controller_name.to_sym : @mediator.parent?
+        end
+
+        def skip?(behavior)
+          options = @controller.class.cancan_skipper.dig(behavior, name)
+          return false if options.nil?
+          options.blank? &&
+            options[:except] && !action_exists_in?(options[:except]) ||
+            action_exists_in?(options[:only])
+        end
+
+        def load_resource_instance
+          raise NotImplementedError
+        end
+
+        def resource_base
+          raise NotImplementedError
+        end
+
+        def load_instance?
+          parent? || member_action?
+        end
+
+        # def load_collection?
+        #   collection_action?
+        #   # current_ability.has_scope?(authorization_action, resource_class) || resource_base.respond_to?(:accessible_by)
+        # end
+
+        def load_collection
+          current_ability.scope_for(authorization_action, resource_class) do
+            resource_base.accessible_by(current_ability, authorization_action)
+          end
+        end
+
+        def assign_attributes(resource)
+          resource.send(:"#{parent_name}=", parent_resource) if singleton? && parent_resource
+          initial_attributes.each do |attr_name, value|
+            resource.send(:"#{attr_name}=", value)
+          end
+          resource
+        end
+
+        def initial_attributes
+          current_ability.attributes_for(@action_name, resource_class).delete_if do |key, _|
+            resource_params && resource_params.include?(key)
+          end
+        end
+
+        def authorization_action
+          parent? ? @mediator.parent_action : @action_name
+        end
+
+        def id_param
+          params[@mediator.id_param_key] if params.key?(@mediator.id_param_key)
+        end
+
+        # Returns the class used for this resource. This can be overriden by the :class option.
+        # If +false+ is passed in it will use the resource name as a symbol in which case it should
+        # only be used for authorization, not loading since there's no class to load through.
+        def resource_class
+          case class_name
+          when false then
+            name.to_sym
+          when String then
+            class_name.constantize
+          else
+            raise ArgumentError, "unexpected class_name: #{class_name}"
+          end
+        end
+
+        def resource_class_with_parent
+          parent_resource ? { parent_resource => resource_class } : resource_class
+        end
+
+        def resource_instance=(instance)
+          @controller.instance_variable_set(:"@#{instance_name}", instance)
+        end
+
+        def resource_instance
+          @controller.instance_variable_get(:"@#{instance_name}") if load_instance?
+        end
+
+        def collection_instance=(instance)
+          @controller.instance_variable_set(:"@#{collection_name}", instance)
+        end
+
+        def collection_instance
+          @controller.instance_variable_get(:"@#{collection_name}")
+        end
+
+        def parent_name
+          return @parent_name if defined?(@parent_name)
+          @parent_name = @mediator.through unless parent_resource.nil?
+        end
+
+        # The object to load this resource through.
+        def parent_resource
+          return @parent_resource if defined?(@parent_resource)
+          @parent_resource = if @mediator.through
+            if @controller.instance_variable_defined? :"@#{@mediator.through}"
+              @controller.instance_variable_get(:"@#{@mediator.through}")
+            elsif @controller.respond_to?(@mediator.through, true)
+              @controller.send(@mediator.through)
+            end
+          end
+        end
+
+        def current_ability
+          @controller.send(:current_ability)
+        end
+
+        def resource_params
+          if parameters_require_sanitizing? && params_method.present?
+            case params_method
+            when Symbol then
+              @controller.send(params_method)
+            when String then
+              @controller.instance_eval(params_method)
+            when Proc then
+              params_method.call(@controller)
+            end
+          else
+            resource_params_by_namespaced_name
+          end
+        end
+
+        def parameters_require_sanitizing?
+          @mediator.save_actions.include?(@action_name) || resource_params_by_namespaced_name.present?
+        end
+
+        def resource_params_by_namespaced_name
+          return @resource_params_by_namespaced_name if defined?(@resource_params_by_namespaced_name)
+          @resource_params_by_namespaced_name =
+            if params.key?(@mediator.instance_name)
+              params[@mediator.instance_name]
+            elsif params.key?(key = extract_key(@mediator.class_name))
+              params[key]
+            else
+              params[name]
+            end
+        end
+
+        def params_method
+          @params_method ||= @mediator.params_method || begin
+            [:"#{@action_name}_params", :"#{name}_params", :resource_params].
+              detect { |method| @controller.respond_to?(method, true) }
+          end
+        end
+
+        private
+
+        def action_exists_in?(options)
+          Array.wrap(options).include?(@controller.action_name.to_sym)
+        end
+
+        def extract_key(value)
+          value.to_s.underscore.tr(?/, ?_)
+        end
+      end
+    end
+  end
+end

data/lib/dry/ability/controller_resource.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require "dry/ability/controller/resource"
+
+module Dry
+  module Ability
+    # Handle the load and authorization controller logic
+    # so we don't clutter up all controllers with non-interface methods.
+    # This class is used internally, so you do not need to call methods directly on it.
+    class ControllerResource < Controller::Resource
+      def load_resource_instance
+        if !parent? && @mediator.new_actions.include?(@action_name)
+          build_resource
+        elsif @mediator.id_param_key || @mediator.singleton?
+          find_resource
+        end
+      end
+
+      def build_resource
+        resource = resource_base.new(resource_params || {})
+        assign_attributes(resource)
+      end
+
+      def find_resource
+        if singleton? && parent_resource.respond_to?(name)
+          parent_resource.public_send(name)
+        elsif find_by.present?
+          if resource_base.respond_to? find_by
+            resource_base.public_send(find_by, id_param)
+          else
+            resource_base.find_by(find_by => id_param)
+          end
+        else
+          resource_base.find(id_param)
+        end
+      end
+
+      # The object that methods (such as "find", "new" or "build") are called on.
+      # If the :through option is passed it will go through an association on that instance.
+      # If the :shallow option is passed it will use the resource_class if there's no parent
+      # If the :singleton option is passed it won't use the association because it needs to be handled later.
+      def resource_base
+        if @mediator.through
+          resource_base_through
+        else
+          resource_class
+        end
+      end
+
+      def resource_base_through
+        if parent_resource
+          @mediator.singleton? ? resource_class : parent_resource.public_send(@mediator.through_association)
+        elsif @mediator.shallow?
+          resource_class
+        else
+          # maybe this should be a record not found error instead?
+          raise AccessDenied.new(nil, authorization_action, resource_class)
+        end
+      end
+    end
+  end
+end

data/lib/dry/ability/exceptions.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module Dry
+  module Ability
+    # A general CanCan exception
+    class Error < StandardError; end
+
+    # Raised when using check_authorization without calling authorized!
+    class AuthorizationNotPerformed < Error; end
+
+    class RuleNotDefined < Error
+      DEFAULT_MESSAGE_TEMPLATE = "Rule for subject: %p, action: %p is not defined (candidates: %p)"
+      NONE = [].freeze
+
+      def initialize(message = nil, subject:, action:, candidates: NONE)
+        @action, @subject = action, subject
+        message ||= format(DEFAULT_MESSAGE_TEMPLATE, subject, action, candidates)
+        super(message)
+      end
+    end
+
+    class ScopeNotDefault < Error; end
+
+    class AccessDenied < Error
+      DEFAULT_MESSAGE_TEMPLATE = "The requester is not authorized to %s %p."
+
+      attr_reader :action, :subject
+
+      def initialize(message = nil, action, subject)
+        @action, @subject = action, subject
+        message ||= format(DEFAULT_MESSAGE_TEMPLATE, action, subject)
+        super(message)
+      end
+    end
+  end
+end

data/lib/dry/ability/f.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require "dry/transformer/recursion"
+require "dry/transformer/hash"
+
+module Dry
+  module Ability
+    module F
+      extend Transformer::Registry
+
+      import :array_recursion, from: Transformer::Recursion
+      import :eval_values, from: Transformer::HashTransformations
+
+      key_or_to_s = T::CoercKey | T['coercible.string']
+      register :coerc_key, Transformer::Function.new(key_or_to_s.to_proc)
+
+      # def self.to_mapping_key(key, *namespaces)
+      #   *namespaces, key = key if key.is_a?(Array)
+      #   coerced = coerc_key(key)
+      #   namespaces.blank ? coerced : "#{namespaces * ?.}.#{coerced}"
+      # end
+      #
+      # def self.ns_path(*namespaces)
+      #   namespaces.flatten!
+      #   namespaces.blank? ? nil : namespaces.join(?.)
+      # end
+
+      def self.get_mapping(key, container, nsfn, &block)
+        key = Key.new(key, nsfn)
+        yield(key) if block_given?
+        if container.key?(key.nsed)
+          Array.wrap(container[key.nsed]).flat_map do |mapped|
+            get_mapping(mapped, container, nsfn, &block)
+          end
+        else
+          key.to_s
+        end
+      end
+
+      def self.collect_mappings(key, container, nsfn)
+        list = Set.new
+        get_mapping(key, container, nsfn) do |key|
+          key = yield(key) if block_given?
+          list << key
+        end
+        list.to_a
+      end
+
+      def self.string_tpl(*args, pattern)
+        args = args[0] if args.size == 1 && args[0].is_a?(Array)
+        format(pattern, *args)
+      end
+
+      # register :recursively_apply_mappings, t(:array_recursion, t)
+    end
+  end
+end