dry-ability 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 8d5704a2a2bf2199fda53a0a74556d9f93c1cc82a46ef9d9912d2452f34fce4f
+  data.tar.gz: b9dd8b4243ad05c462fd14a2052c623bac572588941368f3943a91d6228ce548
+SHA512:
+  metadata.gz: 816667eb2d315a2fda11b40df7e1a5bef065f4425cb4a6785e9bcf617c4761670b9b406f3ddfacef5d0ccde498ef9d226c2f6a4a66596ee8dee0b0c1f04a4944
+  data.tar.gz: de539543156d5b2b9878a0057f4e5271100c06d7d74d9fce7e5abe56215d85a6d7a68db281f258838eff31e6bf044d0b125b52de6b766a9d0392f6f6115a3cb6

data/.gitattributes

@@ -0,0 +1,2 @@
+# Auto detect text files and perform LF normalization
+* text=auto

data/.gitignore

@@ -0,0 +1,50 @@
+*.gem
+*.rbc
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/spec/examples.txt
+/test/tmp/
+/test/version_tmp/
+/tmp/
+
+# Used by dotenv library to load environment variables.
+# .env
+
+## Specific to RubyMotion:
+.dat*
+.repl_history
+build/
+*.bridgesupport
+build-iPhoneOS/
+build-iPhoneSimulator/
+
+## Specific to RubyMotion (use of CocoaPods):
+#
+# We recommend against adding the Pods directory to your .gitignore. However
+# you should judge for yourself, the pros and cons are mentioned at:
+# https://guides.cocoapods.org/using/using-cocoapods.html#should-i-check-the-pods-directory-into-source-control
+#
+# vendor/Pods/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalization:
+/.bundle/
+/vendor/bundle
+/lib/bundler/man/
+
+# for a library or gem, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
+# Gemfile.lock
+# .ruby-version
+# .ruby-gemset
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc

data/.ruby-version

@@ -0,0 +1 @@
+2.6.5

data/Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 Anton
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,20 @@
+# Dry::Ability
+
+Dry::Ability is an authorization library, which is trying to replace [cancancan](https://github.com/CanCanCommunity/cancancan) API. The goal is creating less secondary objects by performing authorization. Some codebase, like a controller extension, was copied from cancancan and slightly modified, but public API stays the same. By some reasons (especially, due to integration with InheritedResources) I forked it from version `1.17.0`.
+
+One significant difference with CanCanCan is that an ability's rules a defined once on class definition and stored into `Dry::Container`.
+
+Docs, specs & benchmarks is coming soon…
+
+
+## Installation
+
+Add this to your Gemfile:
+
+    gem 'dry-ability'
+
+and run the `bundle install` command.
+
+## Getting Started
+
+Soon…

data/Rakefile

@@ -0,0 +1,13 @@
+require 'bundler/gem_tasks'
+# require 'rspec/core/rake_task'
+# require 'rubocop/rake_task'
+
+# desc 'Run Rubocop'
+# RuboCop::RakeTask.new
+#
+# desc 'Run RSpec'
+# RSpec::Core::RakeTask.new do |t|
+#   t.verbose = false
+# end
+#
+# task default: [:rubocop, :spec]

data/dry-ability.gemspec

@@ -0,0 +1,36 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+
+require 'dry/ability/version'
+
+Gem::Specification.new do |s|
+  s.name        = 'dry-ability'
+  s.version     = Dry::Ability::VERSION
+  s.authors     = ['Anton Semenov', 'Alessandro Rodi (Renuo AG)', 'Bryan Rite', 'Ryan Bates', 'Richard Wilson']
+  s.email       = 'anton.estum@gmail.com'
+  s.homepage    = 'https://github.com/estum/dry-ability'
+  s.summary     = 'Dried authorization solution for Rails.'
+  s.description = 'Dried authorization solution for Rails. All permissions are stored in a single location.'
+  s.platform    = Gem::Platform::RUBY
+  s.license     = 'MIT'
+
+  s.files       = `git ls-files`.split($INPUT_RECORD_SEPARATOR)
+  s.test_files  = `git ls-files -- Appraisals {spec,features,gemfiles}/*`.split($INPUT_RECORD_SEPARATOR)
+  s.executables = `git ls-files -- bin/*`.split($INPUT_RECORD_SEPARATOR).map { |f| File.basename(f) }
+  s.require_paths = ['lib']
+
+  s.required_ruby_version = '>= 2.6.0'
+
+  s.add_dependency 'activesupport', '>= 5.2'
+  s.add_dependency 'dry-types', '>= 1.5.0'
+  s.add_dependency 'dry-initializer', '>= 3.0.4'
+  s.add_dependency 'dry-container', '>= 0.7.2'
+  s.add_dependency 'concurrent-ruby', '>= 1.1.8'
+
+  s.add_development_dependency 'bundler', '~> 2.2.15'
+  s.add_development_dependency 'rubocop', '~> 0.46'
+  s.add_development_dependency 'rake', '~> 13.0.3'
+  s.add_development_dependency 'rspec', '~> 3.2.0'
+  s.add_development_dependency 'appraisal', '>= 2.0.0'
+end

data/init.rb

@@ -0,0 +1 @@
+require 'dry-ability'

data/lib/dry-ability.rb

@@ -0,0 +1 @@
+require "dry/ability"

data/lib/dry/ability.rb

@@ -0,0 +1,120 @@
+# frozen_string_literal: true
+
+require 'active_support/concern'
+require 'active_support/core_ext/object/with_options'
+require 'active_support/core_ext/module/delegation'
+require 'active_support/core_ext/class/attribute'
+
+require 'dry/ability/version'
+require 'dry/ability/exceptions'
+require "dry/ability/f"
+require "dry/ability/t"
+require "dry/ability/key"
+require 'dry/ability/rules_builder'
+
+module Dry
+  # Mixin class with DSL to define abilities
+  #
+  # @example
+  #
+  #   class Ability
+  #     include Dry::Ability.define -> do
+  #       map_subject! :public => %w(Post Like Comment)
+  #
+  #       map_action!  :read   => %i(index show),
+  #                    :create => %i(new),
+  #                    :update => %i(edit),
+  #                    :crud   => %i(index create read show update destroy),
+  #                    :change => %i(update destroy)
+  #
+  #       can :read, :public
+  #       can :
+  #
+  #     end
+  #   end
+  module Ability
+    # @private
+    module DSL
+      def define(proc = nil, **options, &block)
+        rules = RulesBuilder.new(**options)
+        rules.instance_exec(&(proc || block))
+        [self, rules.mixin]
+      end
+    end
+
+    extend ActiveSupport::Concern
+    extend DSL
+
+    module ClassMethods
+      attr_reader :_container
+      alias_method :rules, :_container
+    end
+
+    attr_reader :account
+
+    def initialize(account)
+      @account = account
+    end
+
+    def authorize!(action, subject, message: nil)
+      if can?(action, subject)
+        subject
+      else
+        raise AccessDenied.new(message, action, subject)
+      end
+    end
+
+    def can?(action, subject)
+      rules = resolve_rules(action, subject) do
+        return false
+      end
+
+      rules.reduce(true) do |result, rule|
+        result && rule[@account, subject]
+      end
+    end
+
+    def cannot?(action, subject, *args)
+      !can?(action, subject, *args)
+    end
+
+    def attributes_for(action, subject)
+      rules = resolve_rules(action, subject) do
+        return {}
+      end
+      rules.reduce({}) do |result, rule|
+        result.merge!(rule.attributes_for(@account, subject)); result
+      end
+    end
+
+    def scope_for(action, subject)
+      rules = resolve_rules(action, subject) do
+        return yield if block_given?
+        if subject.respond_to?(:none)
+          return subject.none
+        else
+          raise ArgumentError, "expected subject to be an ActiveRecord::Base class or Relation. given: #{subject}"
+        end
+      end
+      if rules.none?(&:accessible?)
+        if block_given?
+          return yield
+        else
+          raise Error, "none of matched rules are provides scope for #{action}, #{subject}, pass block instead"
+        end
+      end
+      rules.map { |rule| rule.scope_for(@account, subject) }.reduce(:merge)
+    end
+
+    def resolve_rules(action, subject)
+      rules.resolve_with_mappings(action, subject) do |e|
+        Rails.logger.warn { e.message }
+        block_given? ? yield : nil
+      end
+    end
+
+    private
+
+    delegate :rules, to: "self.class"
+  end
+end

data/lib/dry/ability/container.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require "dry/container"
+require "dry/ability/f"
+
+module Dry
+  module Ability
+    class Container < Dry::Container
+      MAPPING_NSFN = {
+        :subject => F[:string_tpl, "mappings.subject.%s"].to_proc,
+        :action  => F[:string_tpl, "mappings.action.%s"].to_proc
+      }
+      RULES_NSFN = F[:string_tpl, "rules.%s.%s"].to_proc
+
+      # @yieldparam exception
+      #   Yields block with an instance of +RuleNotDefault+ exception class
+      def resolve_with_mappings(action, subject)
+        candidates = key_candidates(action, subject)
+        result = []
+        candidates.each do |key|
+          next unless key?(key)
+          result << resolve(key)
+        end
+        if result.blank?
+          exception = RuleNotDefined.new(action: action, subject: subject, candidates: candidates)
+          raise exception unless block_given?
+          yield(exception)
+        else
+          result
+        end
+      end
+
+      def key_candidates(action, subject)
+        subject, action = mappings(:subject, subject), mappings(:action, action)
+        subject.product(action).map!(&RULES_NSFN)
+      end
+
+      def mappings(kind, key)
+        F.collect_mappings(key, self, MAPPING_NSFN[kind], &:to_s)
+      end
+    end
+  end
+end

data/lib/dry/ability/controller.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require "dry/ability/resource_mediator"
+require "dry/ability/controller/mixin"
+require "dry/ability/controller/dsl"
+require "dry/ability/controller_resource"
+require "dry/ability/inherited_resource" if defined?(::InheritedResources)
+
+module Dry
+  module Ability
+    module Controller
+      extend ActiveSupport::Concern
+
+      include Controller::Mixin
+
+      module ClassMethods
+        include Controller::DSL
+      end
+    end
+  end
+end

data/lib/dry/ability/controller/dsl.rb

@@ -0,0 +1,161 @@
+# frozen_string_literal: true
+
+require "concurrent/map"
+
+module Dry
+  module Ability
+    module Controller
+      module DSL
+        private def inherited(klass)
+          super(klass)
+          klass.instance_variable_set(:@_resource_mediators, @_resource_mediators.dup)
+          klass.instance_variable_set(:@_cancan_skipper, @_cancan_skipper.dup)
+          klass
+        end
+
+        # @api private
+        def set_resource_mediator_callback(name, **opts)
+          callback_options = opts.extract!(:only, :except, :if, :unless, :prepend)
+          @_resource_mediators ||= Concurrent::Map.new
+          @_resource_mediators.fetch_or_store(name) do
+            ResourceMediator.new(name, controller_path, __callee__, **opts).
+              tap { |m| before_action m, callback_options }
+          end.sequence << __callee__
+        end
+
+        # @!method load_and_authorize_resource(*args, **opts)
+        alias_method :load_and_authorize_resource, :set_resource_mediator_callback
+
+        # @!method load_resource(*args, **opts)
+        #   @see #load_and_authorize_resource
+        #   @option opts [Array<String,Symbol>] :only Only applies before filter to given actions.
+        #   @option opts [Array<String,Symbol>] :except Does not apply before filter to given actions.
+        #   @option opts [Boolean] :prepend Prepend callback
+        #   @option opts [Symbol] :through Load this resource through another one.
+        #   @option opts [Symbol] :through_association
+        #   @option opts [Boolean] :shallow (false) allow this resource to be loaded directly when parent is +nil+
+        #   @option opts [Boolean] :singleton (false) singleton resource through a +has_one+ association.
+        #   @option opts [Boolean] :parent defaults to +true+ if a resource name is given which does not match the controller.
+        #   @option opts [String,Class] :class The class to use for the model (string or constant).
+        #   @option opts [String,Symbol] :instance_name The name of the instance variable to load the resource into.
+        #   @option opts [Symbol] :find_by will use find_by(permalink: params[:id])
+        #   @option opts [Symbol] :id_param Find using a param key other than :id. For example:
+        #   @option opts [Array<Symbol>] :collection External actions as resource collection
+        #   @option opts [Array<Symbol>] :new External actions as new resource
+        alias_method :load_resource, :set_resource_mediator_callback
+
+        # @!method authorize_resource(*args, **opts)
+        #   @see #load_and_authorize_resource
+        #   @option opts [Array<String,Symbol>] :only Only applies before filter to given actions.
+        #   @option opts [Array<String,Symbol>] :except Does not apply before filter to given actions.
+        #   @option opts [Boolean] :prepend Prepend callback
+        #   @option opts [Boolean] :singleton (false) singleton resource through a +has_one+ association.
+        #   @option opts [Boolean] :parent (true)
+        #   @option opts [String,Class] :class The class to use for the model (string or constant).
+        #   @option opts [String,Symbol] :instance_name The name of the instance variable to load the resource into.
+        #   @option opts [Symbol] :through Authorize conditions on this parent resource when instance isn't available.
+        alias_method :authorize_resource, :set_resource_mediator_callback
+
+        undef_method :set_resource_mediator_callback
+
+        # Skip both the loading and authorization behavior of CanCan for this given controller. This is primarily
+        # useful to skip the behavior of a superclass. You can pass :only and :except options to specify which actions
+        # to skip the effects on. It will apply to all actions by default.
+        #
+        #   class ProjectsController < SomeOtherController
+        #     skip_load_and_authorize_resource :only => :index
+        #   end
+        #
+        # You can also pass the resource name as the first argument to skip that resource.
+        def skip_load_and_authorize_resource(*args)
+          skip_load_resource(*args)
+          skip_authorize_resource(*args)
+        end
+
+        # Skip the loading behavior of CanCan. This is useful when using +load_and_authorize_resource+ but want to
+        # only do authorization on certain actions. You can pass :only and :except options to specify which actions to
+        # skip the effects on. It will apply to all actions by default.
+        #
+        #   class ProjectsController < ApplicationController
+        #     load_and_authorize_resource
+        #     skip_load_resource :only => :index
+        #   end
+        #
+        # You can also pass the resource name as the first argument to skip that resource.
+        def skip_load_resource(name, **options)
+          cancan_skipper[:load][name] = options
+        end
+
+        # Skip the authorization behavior of CanCan. This is useful when using +load_and_authorize_resource+ but want to
+        # only do loading on certain actions. You can pass :only and :except options to specify which actions to
+        # skip the effects on. It will apply to all actions by default.
+        #
+        #   class ProjectsController < ApplicationController
+        #     load_and_authorize_resource
+        #     skip_authorize_resource :only => :index
+        #   end
+        #
+        # You can also pass the resource name as the first argument to skip that resource.
+        def skip_authorize_resource(name, **options)
+          cancan_skipper[:authorize][name] = options
+        end
+
+        # Add this to a controller to ensure it performs authorization through +authorized+! or +authorize_resource+ call.
+        # If neither of these authorization methods are called,
+        # a CanCan::AuthorizationNotPerformed exception will be raised.
+        # This is normally added to the ApplicationController to ensure all controller actions do authorization.
+        #
+        #   class ApplicationController < ActionController::Base
+        #     check_authorization
+        #   end
+        #
+        # See skip_authorization_check to bypass this check on specific controller actions.
+        #
+        # Options:
+        # [:+only+]
+        #   Only applies to given actions.
+        #
+        # [:+except+]
+        #   Does not apply to given actions.
+        #
+        # [:+if+]
+        #   Supply the name of a controller method to be called.
+        #   The authorization check only takes place if this returns true.
+        #
+        #     check_authorization :if => :admin_controller?
+        #
+        # [:+unless+]
+        #   Supply the name of a controller method to be called.
+        #   The authorization check only takes place if this returns false.
+        #
+        #     check_authorization :unless => :devise_controller?
+        #
+        def check_authorization(**options)
+          after_action(**options) do |controller|
+            next if controller.instance_variable_defined?(:@_authorized)
+            raise AuthorizationNotPerformed,
+                  'This action failed the check_authorization because it does not authorize_resource. '\
+                  'Add skip_authorization_check to bypass this check.'
+          end
+        end
+
+        # Call this in the class of a controller to skip the check_authorization behavior on the actions.
+        #
+        #   class HomeController < ApplicationController
+        #     skip_authorization_check :only => :index
+        #   end
+        #
+        # Any arguments are passed to the +before_action+ it triggers.
+        def skip_authorization_check(*args)
+          before_action(*args) do |controller|
+            controller.instance_variable_set(:@_authorized, true)
+          end
+        end
+
+        def cancan_skipper
+          @_cancan_skipper ||= { authorize: {}, load: {} }
+        end
+      end
+    end
+  end
+end