lawkeeper 0.0.1 → 0.1.0

data/README.md

@@ -72,17 +72,54 @@ only requirement is that they end with '?'.
 Policy classes are instantiated with the current user and a record for checking.
 
 If you wish to use an unconventially named Policy class for a model, add the
-`#policy_class` instance method to your model.  For example:
+`.policy_class` class method to your model.  For example:
 
 ```ruby
 class Post
-  def policy_class
+  def self.policy_class
     OwnershipPolicy
   end
 end
 ```
 
-Lawkeeper helper methods will prefer the `#policy_class` specified if it exists.
+Lawkeeper helper methods will prefer the `policy_class` specified if it exists.
+
+### Specifying Scope classes for policy use
+
+For finding records for collection records (like an index) it is possible to
+do scoped find if your relational or document mapper permits it.  This is
+accomplished by creating a `Scope` class inside your policy class.  Take
+this example for Ohm:
+
+```ruby
+class PostPolicy < AppPolicy
+  class Scope < Lawkeeper::Policy::Scope
+    def resolve
+      scope.find(published: "true")
+    end
+  end
+end
+```
+
+You can proceed to use this in an action to find posts where published is the
+string "true":
+
+```ruby
+@posts = policy_scope(Post)
+```
+
+The policy scope lookup is handled by a scope finder stored at `Lawkeeper.scope_finder`.
+Currently Ohm and ActiveRecord adapters are provided.  The finder only has one requirement,
+it must respond to `call`.  You can use a class method or Proc to facilitate this.  It
+should return a capitalized string representing the class, such as "Post" or "Comment".
+
+If you wish to use `policy_scope` you should configure a finder appropriate for your storage:
+
+```ruby
+Lawkeeper.scope_finder = Lawkeeper::ScopeFinders::Ohm
+# or
+Lawkeeper.scope_finder = Proc.new { |s| ... }
+```
 
 ### Authorizing in actions
 
@@ -145,30 +182,6 @@ Lawkeeper.skip_set_headers = true
 This will not prevent how Lawkeeper does its primary job of authorizing policy
 actions.
 
-## Outstanding Problems
-
-Lawkeeper as yet has no mechanism for scoping finds for collection 'index' like
-methods.  Pundit (which Lawkeeper is influenced by) has some similiar problems
-in this area as well (though it does provide a scope object).
-
-The primary challenges are:
-
-* A collection action is very different than an instance authorization, because
-  you don't authorize instances but rather find them via policy
-* As compared to instance authorization, scoped finding is very coupled to an
-  ORM, model, or storage pattern in a given application.
-
-My immediate thinking for Lawkeeper is to call `skip_authorization` in actions
-where you have performed a scoped find.  This will likely keep development in check
-since adding the call is a mental note for "hey this should be permitted records only"
-
-To build upon this, I believe either:
-
-* The scoping should be up to you, or
-* The scope permission handling should delegate to third party ORM specific plugins.
-
-I am still rolling around this in my head, with the goal of keeping it simple
-
 ## Contributing
 
 1. Fork it

data/lib/lawkeeper.rb

@@ -8,12 +8,25 @@ module Lawkeeper
   class NotDefined < StandardError; end
 
   class << self
-    attr_accessor :skip_set_headers
+    attr_accessor :skip_set_headers, :scope_finder
   end
 
   class Policy
     attr_reader :user, :record
 
+    class Scope
+      attr_reader :user, :scope
+
+      def initialize(user, scope)
+        @user  = user
+        @scope = scope
+      end
+
+      def resolve
+        scope
+      end
+    end
+
     def initialize(user, record)
       @user   = user
       @record = record
@@ -22,16 +35,23 @@ module Lawkeeper
 
   class PolicyLookup
     def self.[](model)
-      if model.respond_to?(:policy_class)
-        model.policy_class
+      klass = model.is_a?(Class) ? model : model.class
+
+      if klass.respond_to?(:policy_class)
+        klass.policy_class
       else
         begin
-          Object.const_get("#{model.class}Policy")
+          Object.const_get("#{klass}Policy")
         rescue NameError
           raise NotDefined
         end
       end
     end
+
+    def self.for_scope(scope)
+      model_name = Lawkeeper.scope_finder.call(scope)
+      self[Object.const_get(model_name)]
+    end
   end
 
   module Helpers
@@ -49,6 +69,12 @@ module Lawkeeper
       end
     end
 
+    def policy_scope(scope)
+      set_lawkeeper_header(AUTHORIZED_HEADER)
+      klass = Lawkeeper::PolicyLookup.for_scope(scope)::Scope
+      klass.new(current_user, scope).resolve
+    end
+
     def skip_authorization
       set_lawkeeper_header(SKIPPED_HEADER)
     end

data/lib/lawkeeper/scope_finders/active_record.rb

@@ -0,0 +1,9 @@
+module Lawkeeper
+  module ScopeFinders
+    class ActiveRecord
+      def self.call(scope)
+        scope.model_name
+      end
+    end
+  end
+end

data/lib/lawkeeper/scope_finders/ohm.rb

@@ -0,0 +1,9 @@
+module Lawkeeper
+  module ScopeFinders
+    class Ohm
+      def self.call(scope)
+        scope.key.split(':')[0]
+      end
+    end
+  end
+end

data/lib/lawkeeper/version.rb

@@ -1,3 +1,3 @@
 module Lawkeeper
-  VERSION = "0.0.1"
+  VERSION = "0.1.0"
 end

data/spec/helpers_spec.rb

@@ -72,7 +72,7 @@ describe Lawkeeper::Helpers do
 
       permit_action
       controller.authorize(comment, :read)
-      controller.headers['Lawkeeper-Authorized'].must_be_nil 'true'
+      controller.headers['Lawkeeper-Authorized'].must_be_nil
 
       Lawkeeper.skip_set_headers = nil
     end
@@ -93,6 +93,40 @@ describe Lawkeeper::Helpers do
     end
   end
 
+  describe '#policy_scope' do
+    before do
+      Foo ||= Class.new
+
+      class FooPolicy
+        class Scope
+          def initialize(*)
+          end
+
+          def resolve
+            [:foo, :bar]
+          end
+        end
+      end
+
+      @klass = Class.new do
+        def self.policy_class
+          FooPolicy
+        end
+      end
+
+      Lawkeeper.scope_finder = Proc.new { "Foo" }
+    end
+
+    it "sets the authorized header to 'true'" do
+      controller.policy_scope(@klass)
+      controller.headers['Lawkeeper-Authorized'].must_equal 'true'
+    end
+
+    it "resolves using the found scope class" do
+      controller.policy_scope(@klass).must_equal [:foo, :bar]
+    end
+  end
+
   describe '#skip_authorization' do
     it "sets the authorized header to 'true'" do
       controller.skip_authorization

data/spec/policy_lookup_spec.rb

@@ -4,17 +4,19 @@ class Post; end
 class PostPolicy; end
 class SpecifiedPolicy; end
 
-describe Lawkeeper::PolicyLookup do
+describe Lawkeeper::PolicyLookup, '.[]' do
   it "returns PostPolicy for a Post instance" do
     Lawkeeper::PolicyLookup[Post.new].must_equal PostPolicy
   end
 
-  it "prefers the instance#policy_class if available" do
+  it "prefers the classes policy_class if available" do
     post = Post.new
-    def post.policy_class
-      SpecifiedPolicy
+    klass = Class.new do
+      def self.policy_class
+        SpecifiedPolicy
+      end
     end
-    Lawkeeper::PolicyLookup[post].must_equal SpecifiedPolicy
+    Lawkeeper::PolicyLookup[klass].must_equal SpecifiedPolicy
   end
 
   it "raises NotDefined if the policy can not be found" do
@@ -23,3 +25,13 @@ describe Lawkeeper::PolicyLookup do
     }.must_raise(Lawkeeper::NotDefined)
   end
 end
+
+describe Lawkeeper::PolicyLookup, '.for_scope' do
+  it "calls to the Lawkeeper.scope_finder" do
+    class ForScope; end
+    class ForScopePolicy; end
+    Lawkeeper.scope_finder = Proc.new { |s| s.class.name }
+
+    Lawkeeper::PolicyLookup.for_scope(ForScope.new).must_equal ForScopePolicy
+  end
+end

data/spec/scope_finders_spec.rb

@@ -0,0 +1,23 @@
+require 'spec_helper'
+require "lawkeeper/scope_finders/active_record"
+require "lawkeeper/scope_finders/ohm"
+
+describe Lawkeeper::ScopeFinders::ActiveRecord do
+  it "returns the .model_name of the passed scope" do
+    o = Object.new
+    def o.model_name
+      "Comment"
+    end
+    Lawkeeper::ScopeFinders::ActiveRecord.call(o).must_equal "Comment"
+  end
+end
+
+describe Lawkeeper::ScopeFinders::Ohm do
+  it "returns the first portion of the .key for the passed scope" do
+    o = Object.new
+    def o.key
+      "Comment:1"
+    end
+    Lawkeeper::ScopeFinders::Ohm.call(o).must_equal "Comment"
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: lawkeeper
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.1.0
   prerelease: 
 platform: ruby
 authors:
@@ -13,7 +13,7 @@ date: 2013-06-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
-  requirement: &2152801400 !ruby/object:Gem::Requirement
+  requirement: &2152801280 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -21,7 +21,7 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *2152801400
+  version_requirements: *2152801280
 description: Lawkeeper - Simple authorization policies for Rack apps
 email:
 - xternal1+github@gmail.com
@@ -36,11 +36,14 @@ files:
 - Rakefile
 - lawkeeper.gemspec
 - lib/lawkeeper.rb
+- lib/lawkeeper/scope_finders/active_record.rb
+- lib/lawkeeper/scope_finders/ohm.rb
 - lib/lawkeeper/version.rb
 - spec/helpers_spec.rb
 - spec/middleware_spec.rb
 - spec/policy_lookup_spec.rb
 - spec/policy_spec.rb
+- spec/scope_finders_spec.rb
 - spec/spec_helper.rb
 homepage: ''
 licenses: []
@@ -71,4 +74,5 @@ test_files:
 - spec/middleware_spec.rb
 - spec/policy_lookup_spec.rb
 - spec/policy_spec.rb
+- spec/scope_finders_spec.rb
 - spec/spec_helper.rb