kant 0.0.3 → 0.0.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: d0b65ae77365d3fb81725cb1dad2634d25b51640
-  data.tar.gz: dac368c947e0ab658ce42dbc0570214d218dbec5
+SHA256:
+  metadata.gz: 68ec4aab07bd2a439486323f6786768abd9cc88d70f52c52123ee8a51106cdca
+  data.tar.gz: 562cda2f7eacf2dc4503c74affc2e93aae25589bd7c8556d0dac15f636b06cfb
 SHA512:
-  metadata.gz: 4a6684cc5fbbe9d9a90a8b14aa7c32b75dfc112eac379630c383646679f9cf0588e932057ad0eb585a2ea6ec7108287342cf73ca458aacad83cc8d82d3338628
-  data.tar.gz: bd2b8391077f3f7ec7b13b03375bf6e4310fe9f57ff3dc957a9be82785cfc2f786a575f35f216eefc0c27a61a3372496d9d2dfa728b063ed911cff30e8362caa
+  metadata.gz: 84c9056712e89db73be4428943c572dc4a778ec4c6415cb01b095d9cf981b92fe32cbd4920b6c15421bb3f0449bd5c4c56ac8606eba35845460ba5aae2927b44
+  data.tar.gz: aa16b2826f4defef93aa6a00c50fd65d7e806d973030cf38ca0b03e85ca56e726cf10eb3af21c68627d60f5e644502ccca86e6adb27b43081bc73c7ea220ae86

data/.travis.yml

@@ -0,0 +1,14 @@
+sudo: false
+language: ruby
+rvm:
+  - ruby-head
+  - 2.5
+  - 2.6
+  - 2.7
+  - 3.0
+  - 3.1
+cache:
+  - bundler
+  - directories:
+     - /home/travis/.rvm/
+script: bundle exec rspec -fd

data/README.md

@@ -1,4 +1,4 @@
-# Kant v0.0.3
+# Kant v0.0.6 [![Build Status](https://travis-ci.org/markprzepiora/kant.svg?branch=master)](https://app.travis-ci.com/github/markprzepiora/kant)
 
 Kant is a tiny authorization library for your Ruby (especially Rails and/or
 ActiveRecord) projects.

data/kant.gemspec

@@ -18,10 +18,10 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ["lib"]
 
-  spec.add_development_dependency "bundler", "~> 1.7"
+  spec.add_development_dependency "bundler", ">= 1.7"
   spec.add_development_dependency "rake", "~> 10.0"
   spec.add_development_dependency "rspec", "~> 3.1.0"
-  spec.add_development_dependency "with_model", "~> 1.2.1"
-  spec.add_development_dependency "sqlite3", "~> 1.3.10"
-  spec.add_development_dependency "activerecord", ">= 3.2"
+  spec.add_development_dependency "with_model", "~> 2.1"
+  spec.add_development_dependency "sqlite3", ">= 1.4"
+  spec.add_development_dependency "activerecord", "~> 6.1"
 end

data/lib/kant/all_access.rb

@@ -2,7 +2,7 @@ module Kant
   class AllAccess
     attr_reader :user
 
-    def initialize(user)
+    def initialize(user = nil)
       @user = user
     end
 
@@ -10,7 +10,7 @@ module Kant
       true
     end
 
-    def accessible(action, scope)
+    def accessible(action, scope, *rest)
       scope.all
     end
   end

data/lib/kant/no_access.rb

@@ -10,7 +10,7 @@ module Kant
       false
     end
 
-    def accessible(action, scope)
+    def accessible(action, scope, *rest)
       scope.none
     end
   end

data/lib/kant/policy_access.rb

@@ -37,12 +37,12 @@ module Kant
     #
     #   ability.accessible(:read, Content)
     #   # => a Content scope
-    def accessible(action, scope)
+    def accessible(action, scope, *rest)
       abilities = resolve_scope(scope)
       _scope_method = scope_method(abilities, action)
 
       if _scope_method
-        abilities.send(_scope_method, scope, user)
+        abilities.send(_scope_method, scope, user, *rest)
       else
         scope.none
       end

data/lib/kant/version.rb

@@ -1,3 +1,3 @@
 module Kant
-  VERSION = "0.0.3"
+  VERSION = "0.0.6"
 end

data/spec/kant/policy_access_spec.rb

@@ -1,5 +1,6 @@
 require 'spec_helper'
 require 'kant/policy_access'
+require 'kant/access_denied'
 
 describe Kant::PolicyAccess do
   setup_models
@@ -99,6 +100,7 @@ describe Kant::PolicyAccess do
 
   describe "#accessible" do
     let(:user) { User.create!(email: 'foo@bar.com') }
+    let(:another_user) { User.create!(email: 'foo@baz.com') }
     subject(:policy_access) { Kant::PolicyAccess.new(user) }
 
     it "delegates to a Policy module" do
@@ -130,6 +132,97 @@ describe Kant::PolicyAccess do
 
       expect(policy_access.accessible(:read, Todo)).to eq(Todo.none)
     end
+
+    # The motivation here is that, when performing authorization for "index"
+    # actions, this often involves some context. For example, the user might be
+    # listing all the todos under a particular project (GET /projects/1/todos).
+    # In a lot of cases it might be possible to define an ActiveRecord or SQL
+    # query that describes what records the user can access regardless of
+    # context, but in some cases this might result in a very complicated query.
+    # (Unfortunately, the example below really doesn't really do the motivation
+    # justice.)
+    #
+    # Imagine instead that a user can normally only access their own User
+    # record (the check being `user == me`). However, when the user is part of
+    # a project they can also see other users in the company that the project
+    # is a part of. (For example, so that they can send a DM to a user.)
+    #
+    # - Company
+    #   - has many Projects
+    #     - has many Users
+    #
+    # Imagine what the query would look like to return all the users I can
+    # message...
+    #
+    #     def self.readable_for_messaging(users, me)
+    #       my_companies = Company.joins(:projects).merge(me.projects)
+    #       my_companies_projects = Project.joins(:company).merge(my_companies)
+    #       my_companies_users = User.joins(:projects).merge(my_companies_projects)
+    #       users.merge(my_companies_users)
+    #     end
+    #
+    # Some notes here:
+    #
+    # 1. This honestly isn't such a gross example, in production this logic can
+    #    get much, much worse.
+    # 2. Even so, you can see it gets pretty complicated.
+    # 3. In practice what we have to do after all this is query the resulting
+    #    scope for users in a particular company... which means more gross queries.
+    #
+    # Instead, by having extra params in the *able function, we can specify a
+    # context (typically this will probably match the shape of the endpoint, so
+    # if your endpoint is /companies/1/users then your *able function will
+    # probably take an extra `companies:` param).
+    #
+    #     def self.readable_for_messaging(users, me, company:)
+    #       my_companies = Company.joins(:projects).merge(me.projects)
+    #       if !my_companies.where(id: company.id).any?
+    #         fail Kant::AccessDenied, "no access"
+    #       end
+    #
+    #       users.joins(:projects).where(projects: { company_id: company.id })
+    #     end
+    it "passes along other params to the *able method" do
+      # module TodoPolicy
+      #   def self.readable_as_owner(todos, user, project:)
+      #     if project.owner_id == user.id
+      #       todos.where(project_id: project_id, completed: true)
+      #     else
+      #       fail Kant::AccessDenied, "user does not have access to this project"
+      #     end
+      #   end
+      # end
+      todo_policy = Class.new do
+        define_singleton_method(:readable_as_owner) do |todos, user, options = {}|
+          project = options[:project]
+          fail ArgumentError if !project
+
+          if project.owner_id == user.id
+            todos.where(project_id: project.id, completed: true)
+          else
+            fail Kant::AccessDenied, "user does not have access to this project"
+          end
+        end
+      end
+
+      stub_const("TodoPolicy", todo_policy)
+
+      my_project = Project.create!(owner: user)
+      another_project = Project.create!(owner: another_user)
+      my_complete_todo = Todo.create!(project: my_project, completed: true)
+      my_incomplete_todo = Todo.create!(project: my_project, completed: false)
+      another_complete_todo = Todo.create!(project: another_project, completed: true)
+
+      expect{
+        policy_access.accessible(:read_as_owner, Todo)
+      }.to raise_error(ArgumentError)
+
+      expect(policy_access.accessible(:read_as_owner, Todo, project: my_project)).to eq([my_complete_todo])
+
+      expect{
+        policy_access.accessible(:read_as_owner, Todo, project: another_project)
+      }.to raise_error(Kant::AccessDenied)
+    end
   end
 
   describe "the policies_module option in initializer" do

metadata

@@ -1,27 +1,27 @@
 --- !ruby/object:Gem::Specification
 name: kant
 version: !ruby/object:Gem::Version
-  version: 0.0.3
+  version: 0.0.6
 platform: ruby
 authors:
 - Mark Przepiora
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-01-07 00:00:00.000000000 Z
+date: 2022-08-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.7'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.7'
 - !ruby/object:Gem::Dependency
@@ -58,42 +58,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2.1
+        version: '2.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2.1
+        version: '2.1'
 - !ruby/object:Gem::Dependency
   name: sqlite3
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.3.10
+        version: '1.4'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.3.10
+        version: '1.4'
 - !ruby/object:Gem::Dependency
   name: activerecord
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.2'
+        version: '6.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.2'
+        version: '6.1'
 description: Kant is a tiny authorization library for your Ruby (especially Rails
   and/or ActiveRecord) projects.
 email:
@@ -103,6 +103,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
+- ".travis.yml"
 - Gemfile
 - LICENSE.txt
 - README.md
@@ -142,8 +143,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.4.5.1
+rubygems_version: 3.1.6
 signing_key: 
 specification_version: 4
 summary: A tiny, non-magical authorization library