i_am_i_can 2.1.0

data/lib/i_am_i_can/has_an_array_of.rb

@@ -0,0 +1,75 @@
+module IAmICan
+  module HasAnArrayOf
+    def has_an_array_of obj, model: nil, field: nil,
+                        prefix: nil, attrs: [ ], located_by: nil, cache_expires_in: nil, for_related_name: nil
+      obj_model = model.constantize || obj.to_s.singularize.camelize.constantize
+      field = field || :"#{obj.to_s.singularize}_ids"
+      prefix = "#{prefix}_" if prefix
+
+      # User.where(..).stored_roles
+      define_singleton_method "#{prefix}#{obj}" do
+        obj_ids = self.all.map(&field).flatten.uniq
+        obj_model.where(id: obj_ids)
+      end
+
+      # user.stored_roles
+      define_method "#{prefix}#{obj}" do
+        obj_model.where(id: send(field))
+      end
+
+      # cached_stored_roles
+      define_method "cached_#{prefix}#{obj}" do |**options|
+        Rails.cache.fetch("#{self.class.name}/#{id}/#{obj}", expires_in: cache_expires_in, **options) do
+          obj_model.where(id: send(field))
+        end
+      end
+
+      # stored_roles_add
+      define_method "#{prefix}#{obj}_add" do |locate_vals = nil, check_size: nil, **condition|
+        condition = { located_by => locate_vals } if locate_vals
+        obj_ids = obj_model.where(condition)&.pluck(:id)
+        # will return false if it does nothing
+        return false if obj_ids.blank? || (check_size && obj_ids != check_size)
+        (send(field).concat(obj_ids)).uniq!
+        save!
+      end
+
+      # stored_roles_rmv
+      define_method "#{prefix}#{obj}_rmv" do |locate_vals = nil, check_size: nil, **condition|
+        condition = { located_by => locate_vals } if locate_vals
+        obj_ids = obj_model.where(condition)&.pluck(:id)
+        # will return false if it does nothing
+        return false if obj_ids.blank? || (check_size && obj_ids != check_size)
+        send("#{field}=", send(field) - obj_ids)
+        save!
+      end
+
+      attrs.each do |(attr_name, attr_type)|
+        # User.where(..).stored_role_names
+        define_singleton_method "#{prefix}#{obj.to_s.singularize}_#{attr_name.to_s.pluralize}" do
+          res = send("#{prefix}#{obj}").pluck(attr_name)
+          attr_type ? res.map(&attr_type) : res
+        end
+
+        # user.stored_role_names
+        define_method "#{prefix}#{obj.to_s.singularize}_#{attr_name.to_s.pluralize}" do
+          res = send("#{prefix}#{obj}").pluck(attr_name)
+          attr_type ? res.map(&attr_type) : res
+        end
+      end
+
+      # === actions for object model ===
+      obj_model.class_exec(for_related_name, self, field) do |subject_name, subject_model, related_field|
+        # roles.related_users
+        define_singleton_method "related_#{(subject_name || subject_model.name).underscore.pluralize}" do
+          subject_model.where("#{related_field} @> ARRAY[?]::integer[]", ids)
+        end
+
+        # role.related_users
+        define_method "related_#{(subject_name || subject_model.name).underscore.pluralize}" do
+          subject_model.where("? = ANY (#{related_field})", self.id)
+        end
+      end
+    end
+  end
+end

data/lib/i_am_i_can/permission/assignment.rb

@@ -0,0 +1,90 @@
+require 'i_am_i_can/permission/helpers'
+
+module IAmICan
+  module Permission
+    module Assignment
+      include Helpers::Ins
+
+      # permission assignment for stored role
+      def can *preds, obj: nil, strict_mode: false, auto_define_before: config.auto_define_before
+        self.class.have_permissions *preds, obj: obj if auto_define_before
+        not_defined_items, covered_items = [ ], [ ]
+
+        preds.each do |pred|
+          pms_name = pms_naming(pred, obj)
+          covered_items << pms_name if pms_matched?(pms_name, in: stored_permission_names)
+          not_defined_items << pms_name unless stored_permissions_add(pred: pred, **deconstruct_obj(obj))
+        end
+
+        _pms_assignment_result(preds, obj, not_defined_items, covered_items, strict_mode)
+      end
+
+      alias has_permission can
+
+      def temporarily_can *preds, obj: nil, strict_mode: false, auto_define_before: config.auto_define_before
+        raise Error, "Permission Assignment: local role `#{name}` was not defined" unless config.subject_model.defined_local_roles.key?(self.name.to_sym)
+        self.class.have_permissions *preds, obj: obj, save: false if auto_define_before
+        not_defined_items, covered_items = [ ], [ ]
+
+        preds.each do |pred|
+          pms_name = pms_naming(pred, obj)
+          next not_defined_items << pms_name unless pms_name.in?(defined_permissions.keys)
+          covered_items << pms_name if pms_matched?(pms_name, in: pms_of_defined_local_role(self.name))
+          pms_of_defined_local_role(self.name) << pms_name
+        end
+
+        _pms_assignment_result(preds, obj, not_defined_items, covered_items, strict_mode)
+      end
+
+      alias locally_can temporarily_can
+
+      def cannot *preds, obj: nil, saved: true
+        not_defined_items = [ ]
+
+        preds.each do |pred|
+          pms_name = pms_naming(pred, obj)
+          if saved
+            next if stored_permissions_rmv(pred: pred, **deconstruct_obj(obj))
+            not_defined_items << pms_name
+          else
+            next not_defined_items << pms_name unless pms_name.in?(defined_permissions.keys)
+            pms_of_defined_local_role(self.name).delete(pms_name)
+          end
+        end
+
+        _pms_assignment_result(preds, obj, not_defined_items)
+      end
+
+      alias is_not_allowed_to cannot
+
+      # `can? :manage, User` / `can? :manage, obj: User`
+      def can? pred, obj0 = nil, obj: nil
+        obj = obj0 || obj
+        pms_name = pms_naming(pred, obj)
+        temporarily_can?(pred, obj) || pms_matched?(pms_name, in: stored_permission_names)
+      end
+
+      def temporarily_can? pred, obj
+        pms_name = pms_naming(pred, obj)
+        pms_matched?(pms_name, in: pms_of_defined_local_role(self.name))
+      end
+
+      alias locally_can? temporarily_can?
+
+      def local_permissions
+        @local_permissions ||= [ ]
+      end
+
+      alias local_permission_names local_permissions
+
+      def stored_permission_names
+        stored_permissions.map(&:name)
+      end
+
+      # TODO: show by hash
+      def permissions
+        local_permission_names + stored_permission_names
+      end
+    end
+  end
+end

data/lib/i_am_i_can/permission/definition.rb

@@ -0,0 +1,61 @@
+require 'i_am_i_can/permission/helpers'
+require 'i_am_i_can/permission/p_array'
+
+module IAmICan
+  module Permission
+    module Definition
+      include Helpers::Cls
+
+      def which(name:)
+        find_by!(name: name)
+      end
+
+      def have_permission *preds, obj: nil, desc: nil, save: config.default_save
+        failed_items = [ ]
+
+        preds.each do |pred|
+          pms_name = pms_naming(pred, obj)
+          description = desc || pms_name.to_s.tr('_', ' ')
+          if save
+            failed_items << pms_name unless _to_store_permission(pred, obj, desc: description)
+          else
+            failed_items << pms_name if pms_name.in?(defined_local_permissions.keys)
+            defined_local_permissions[pms_name] ||= { desc: description }
+          end
+        end
+
+        _pms_definition_result(preds, obj, failed_items)
+      end
+
+      alias have_permissions have_permission
+      alias has_permission   have_permission
+      alias has_permissions  have_permission
+
+      def declare_permission *preds, **options
+        have_permission *preds, **options, save: false
+      end
+
+      alias declare_permissions declare_permission
+
+      def defined_local_permissions
+        @defined_local_permissions ||= { }
+      end
+
+      def defined_stored_pms_names
+        config.permission_model.all.map(&:name)
+      end
+
+      def defined_stored_permissions
+        config.permission_model.all.map { |pms| [ pms.name, pms.desc ] }.to_h
+      end
+
+      def defined_permissions
+        defined_local_permissions.deep_merge(defined_stored_permissions)
+      end
+
+      def self.extended(kls)
+        kls.delegate :defined_permissions, :pms_naming, :deconstruct_obj, :pms_of_defined_local_role, to: kls
+      end
+    end
+  end
+end

data/lib/i_am_i_can/permission/helpers.rb

@@ -0,0 +1,46 @@
+module IAmICan
+  module Permission
+    module Helpers
+      module Cls
+        def _pms_definition_result(preds, obj, failed_items)
+          prefix = 'Permission Definition Done'
+          fail_msg = prefix + ", but #{failed_items} have been defined" if failed_items.present?
+          raise Error, fail_msg if  config.strict_mode && fail_msg
+          fail_msg ? fail_msg : prefix
+        end
+
+        def _to_store_permission(pred, obj, **options)
+          return false if config.permission_model.exists?(pred, obj)
+          config.permission_model.create!(pred: pred, **deconstruct_obj(obj), **options)
+        end
+
+        def pms_naming(pred, obj)
+          config.permission_model.naming(pred, obj)
+        end
+
+        def deconstruct_obj(obj)
+          config.permission_model.deconstruct_obj(obj)
+        end
+
+        def pms_of_defined_local_role(role_name)
+          config.subject_model.defined_local_roles[role_name.to_sym]&.[](:permissions) || []
+        end
+      end
+
+      module Ins
+        def _pms_assignment_result(preds, obj, not_defined_items, covered_items = nil, strict_mode = false)
+          prefix = 'Permission Assignment Done'
+          msg1 = "#{not_defined_items} have not been defined" if not_defined_items.present?
+          msg2 = "#{covered_items} have been covered" if covered_items.present?
+          fail_msg = prefix + ', but ' + [msg1, msg2].compact.join(', ') if msg1 || msg2
+          raise Error, fail_msg if (strict_mode || config.strict_mode) && fail_msg
+          fail_msg ? fail_msg : prefix
+        end
+
+        def pms_matched?(pms_name, plist)
+          config.permission_model.matched?(pms_name, in: plist[:in])
+        end
+      end
+    end
+  end
+end

data/lib/i_am_i_can/permission/p_array.rb

@@ -0,0 +1,22 @@
+module IAmICan
+  module Permission
+    class PArray < ::Array
+      attr_accessor :pms
+
+      def matched?(pms_name)
+        return false if self.blank?
+        self.pms = pms_name.to_sym
+        found? || covered?
+      end
+
+      def found?
+        pms.in? self
+      end
+
+      def covered?
+        pred, obj_type, obj_id = pms.to_s.split('_')
+        pred.to_sym.in?(self) || :"#{pred}_#{obj_type}".in?(self)
+      end
+    end
+  end
+end

data/lib/i_am_i_can/permission.rb

@@ -0,0 +1,68 @@
+require 'i_am_i_can/permission/p_array'
+
+module IAmICan
+  module Permission
+    def matched?(pms_name = nil, pred: nil, obj: nil, **options)
+      PArray.new(options[:in]).matched?(pms_name || naming(pred, obj))
+    end
+
+    def which(pred:, obj: nil)
+      find_by!(pred: pred, **deconstruct_obj(obj))
+    end
+
+    def naming(pred, obj)
+      obj_type, obj_id = deconstruct_obj(obj).values
+      otp = "_#{obj_type}" if obj_type.present?
+      oid = "_#{obj_id}" if obj_id.present?
+      [pred, otp, oid].join.to_sym
+    end
+
+    def deconstruct_obj(obj)
+      return { } unless obj
+
+      if obj.is_a?(String) || obj.is_a?(Symbol)
+        { obj_type: obj }
+      elsif obj.respond_to?(:attributes)
+        { obj_type: obj.class.name, obj_id: obj.id }
+      else
+        { obj_type: obj.to_s }
+      end
+    end
+
+    def exists?(pred, obj)
+      super(pred: pred, **deconstruct_obj(obj))
+    end
+
+    def self.extended(kls)
+      kls.include InstanceMethods
+    end
+  end
+
+  # === End of ClassMethods ===
+
+  module Permission::InstanceMethods
+    # like: manage_User_1
+    def name
+      otp = "_#{obj_type}" if obj_type.present?
+      oid = "_#{obj_id}" if obj_id.present?
+      [pred, otp, oid].join.to_sym
+    end
+
+    def assign_to role: nil, group: nil
+      obj = if role
+              role.is_a?(Symbol) ? ii_config.role_model.find(name: role) : role
+            else
+              group.is_a?(Symbol) ? ii_config.role_group_model.find(name: role) : group
+            end
+      obj.have_permission self.pred, obj: self.obj
+    end
+
+    alias is_assigned_to assign_to
+
+    # :user, User, user
+    def obj
+      return obj_type.constantize.find(obj_id) if obj_id.present?
+      obj_type[/[A-Z]/] ? obj_type.constantize : obj_type.to_sym
+    end
+  end
+end

data/lib/i_am_i_can/role/assignment.rb

@@ -0,0 +1,76 @@
+require 'i_am_i_can/role/helpers'
+
+module IAmICan
+  module Role
+    module Assignment
+      include Helpers::Ins
+
+      def becomes_a *roles, which_can: [ ], obj: nil, auto_define_before: ii_config.auto_define_before, save: ii_config.default_save
+        should_define_role = which_can.present? || auto_define_before
+        self.class.have_roles *roles, which_can: which_can, obj: obj, save: save if should_define_role
+        failed_items = [ ]
+
+        roles.each do |role|
+          if save
+            failed_items << role unless stored_roles_add(role)
+          else
+            next failed_items << role unless role.in?(defined_roles.keys)
+            local_role_names << role unless role.in?(local_role_names)
+          end
+        end
+
+        _role_assignment_result(roles, failed_items)
+      end
+
+      alias is        becomes_a
+      alias is_a_role becomes_a
+      alias is_roles  becomes_a
+      alias has_role  becomes_a
+      alias has_roles becomes_a
+      alias role_is   becomes_a
+      alias roles_are becomes_a
+
+      def temporarily_is *roles, **options
+        becomes_a *roles, save: false, **options
+      end
+
+      alias locally_is temporarily_is
+
+      def falls_from *roles, saved: ii_config.default_save
+        failed_items = [ ]
+
+        roles.each do |role|
+          if saved
+            failed_items << role unless stored_roles_rmv(role)
+          else
+            next failed_items << role unless role.in?(defined_roles.keys)
+            local_role_names.delete(role)
+          end
+        end
+
+        _role_assignment_result(roles, failed_items)
+      end
+
+      alias is_not_a      falls_from
+      alias will_not_be   falls_from
+      alias removes_role  falls_from
+      alias leaves        falls_from
+      alias has_not_role  falls_from
+      alias has_not_roles falls_from
+
+      def local_role_names
+        @local_role_names ||= [ ]
+      end
+
+      def local_roles
+        defined_local_roles.slice(*local_role_names)
+      end
+
+      def roles
+        local_role_names + stored_role_names
+      end
+
+      alias role_names roles
+    end
+  end
+end

data/lib/i_am_i_can/role/definition.rb

@@ -0,0 +1,100 @@
+require 'i_am_i_can/role/helpers'
+
+module IAmICan
+  module Role
+    module Definition
+      include Helpers::Cls
+
+      def have_role *names, desc: nil, save: ii_config.default_save, which_can: [ ], obj: nil
+        failed_items, preds = [ ], which_can
+
+        names.each do |name|
+          description = desc || name.to_s.humanize
+          if save
+            next failed_items << name unless _to_store_role(name, desc: description)
+            ii_config.role_model.which(name: name).can *preds, obj: obj, auto_define_before: true, strict_mode: true if which_can.present?
+          else
+            next failed_items << name if defined_local_roles.key?(name)
+            defined_local_roles[name] ||= { desc: description, permissions: [ ] }
+            local_role_which(name: name, can: preds, obj: obj, auto_define_before: true, strict_mode: true) if which_can.present?
+          end
+        end
+
+        _role_definition_result(names, failed_items)
+      end
+
+      alias have_roles have_role
+      alias has_role   have_role
+      alias has_roles  have_role
+
+      def declare_role *names, **options
+        have_role *names, save: false, **options
+      end
+
+      alias declare_roles has_role
+
+      def group_roles *members, by_name:, which_can: [ ], obj: nil
+        raise Error, 'Some of members have not been defined' unless (members - defined_stored_role_names).empty?
+        raise Error, "Given name #{by_name} has been used by a role" if ii_config.role_model.exists?(name: by_name)
+        ii_config.role_group_model.find_or_create_by!(name: by_name).members_add(members)
+      end
+
+      alias group_role   group_roles
+      alias groups_role  group_roles
+      alias groups_roles group_roles
+
+      def have_and_group_roles *members, by_name:
+        has_roles *members
+        group_roles *members, by_name: by_name
+      end
+
+      alias has_and_groups_roles have_and_group_roles
+
+      # permission assignment locally for local role
+      # User.local_role_which(name: :admin, can: :fly)
+      #   same effect to: UserRole.new(name: :admin).temporarily_can :fly
+      def local_role_which(name:, can:, obj: nil, **options)
+        ii_config.role_model.new(name: name).temporarily_can *Array(can), obj: obj, **options
+      end
+
+      def self.extended(kls)
+        kls.delegate :defined_local_roles, :defined_stored_roles, :defined_roles, to: kls
+      end
+    end
+
+    # === End of MainMethods ===
+
+    module Definition::SecondaryMethods
+      def defined_local_roles
+        @local_roles ||= { }
+      end
+
+      def defined_stored_role_names
+        ii_config.role_model.pluck(:name).map(&:to_sym)
+      end
+
+      def defined_stored_roles
+        ii_config.role_model.all.map { |role| [ role.name.to_sym, role.desc ] }.to_h
+      end
+
+      def defined_roles
+        defined_local_roles.deep_merge(defined_stored_roles)
+      end
+
+      def defined_role_group_names
+        ii_config.role_group_model.pluck(:name).map(&:to_sym)
+
+      end
+
+      def defined_role_groups
+        ii_config.role_group_model.all.map { |group| [ group.name.to_sym, group.member_names.map(&:to_sym) ] }.to_h
+      end
+
+      def members_of_role_group name
+        ii_config.role_group_model.find_by!(name: name).member_names
+      end
+
+      Definition.include self
+    end
+  end
+end

data/lib/i_am_i_can/role/helpers.rb

@@ -0,0 +1,28 @@
+module IAmICan
+  module Role
+    module Helpers
+      module Cls
+        def _to_store_role name, **options
+          return false if ii_config.role_model.exists?(name: name) || ii_config.role_group_model.exists?(name: name)
+          ii_config.role_model.create!(name: name, **options)
+        end
+
+        def _role_definition_result(names, failed_items)
+          prefix = 'Role Definition Done'
+          fail_msg = prefix + ", but name #{failed_items} have been used by other role or group" if failed_items.present?
+          raise Error, fail_msg if ii_config.strict_mode && fail_msg
+          fail_msg ? fail_msg : prefix
+        end
+      end
+
+      module Ins
+        def _role_assignment_result(names, failed_items)
+          prefix = 'Role Assignment Done'
+          fail_msg = prefix + ", but #{failed_items} have not been defined" if failed_items.present?
+          raise Error, fail_msg if ii_config.strict_mode && fail_msg
+          fail_msg ? fail_msg : prefix
+        end
+      end
+    end
+  end
+end

data/lib/i_am_i_can/subject/permission_querying.rb

@@ -0,0 +1,69 @@
+module IAmICan
+  module Subject
+    module PermissionQuerying
+      def can? pred, obj0 = nil, obj: nil, without_group: false
+        obj = obj0 || obj
+        return true if temporarily_can?(pred, obj)
+        return true if stored_can?(pred, obj)
+        group_can?(pred, obj, without_group)
+      end
+
+      def cannot? pred, obj0 = nil, obj: nil
+        !can? pred, obj0, obj: obj
+      end
+
+      def can! pred, obj0 = nil, obj: nil
+        raise InsufficientPermission if cannot? pred, obj0, obj: obj
+        true
+      end
+
+      def can_each? preds, obj0 = nil, obj: nil
+        preds.each { |pred| return false if cannot? pred, obj0, obj: obj } && true
+      end
+
+      alias can_every? can_each?
+
+      def can_each! preds, obj0 = nil, obj: nil
+        preds.each { |pred| can! pred, obj0, obj: obj } && true
+      end
+
+      alias can_every! can_each!
+
+      def can_one_of? preds, obj0 = nil, obj: nil
+        preds.each { |pred| return true if can? pred, obj0, obj: obj } && false
+      end
+
+      def can_one_of! preds, obj0 = nil, obj: nil
+        raise InsufficientPermission unless can_one_of? preds, obj0, obj: obj
+        true
+      end
+
+      def temporarily_can? pred, obj
+        ii_config.permission_model.matched?(pred: pred, obj: obj, in: permissions_of_local_roles)
+      end
+
+      alias locally_can? temporarily_can?
+
+      def stored_can? pred, obj
+        ii_config.permission_model.matched?(pred: pred, obj: obj, in: permissions_of_stored_roles)
+      end
+
+      def group_can? pred, obj, without_group = false
+        return false if without_group || ii_config.without_group
+        ii_config.permission_model.matched?(pred: pred, obj: obj, in: permissions_of_role_groups)
+      end
+
+      def permissions_of_stored_roles
+        stored_roles.stored_permissions.map(&:name)
+      end
+
+      def permissions_of_role_groups
+        stored_roles.related_role_groups.stored_permissions.map(&:name)
+      end
+
+      def permissions_of_local_roles
+        local_roles.map { |(name, info)| info[:permissions] }.flatten.uniq
+      end
+    end
+  end
+end