live_record 0.2.7 → 0.2.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 186f7837ba3477c89c64825de64ab23966f633f0
-  data.tar.gz: 8a1d31b23fdbf06a16fb18e0c3460b6f90d77d6a
+  metadata.gz: d08ed348f467c4dad7084528d36552775a03f365
+  data.tar.gz: 3698f07abf6f4e6edc1430870fb8eb7ad6862bad
 SHA512:
-  metadata.gz: 72b4f7a7ecd74ad4b4f4ad6d5f9d74ce5561d5ebaee4982a0313b3567331810a1e4bcf554d3f90b276a04a1c7b111b999f700bc178d705ebd125a4d27d63ebeb
-  data.tar.gz: 8035a50ec324b8e19f3f143a48379ef510336ffa0f781461fa57df8e1ce0fa964f3ccb7622e1c2125fc3c1724878fdc868165a4af3cef8989af6ede5affb58a8
+  metadata.gz: 482a0751d39af81591ac4137fc2a8f12206fa4e687aeb5b1508c1ce60fb85fe1d92465ff853affad114017f1f97e19a859a2d39553f3d92d387d05ccc5840630
+  data.tar.gz: '081b8691a3f37984961031d230afa749603c9c61e402347d63a914ed854170cf6c2df561c68d8be8514e0bfc04cfc139cfbe1878573ff72fc5057a94bb0401b8'

data/README.md

@@ -101,9 +101,9 @@
       # Add attributes to this array that you would like `current_user` to have access to when syncing this particular `book`
       # empty array means not-authorised
       if book.user == current_user
-        [:title, :author, :created_at, :updated_at, :reference_id, :origin_address]
+        [:id, :title, :author, :created_at, :updated_at, :reference_id, :origin_address]
       elsif current_user.present?
-        [:title, :author, :created_at, :updated_at]
+        [:id ,:title, :author, :created_at, :updated_at]
       else
         []
       end
@@ -113,7 +113,7 @@
       # Add attributes to this array that you would like `current_user` to be able to query upon on the `subscribe({where: {...}}) function`
       # empty array means not-authorised
       if current_user.isAdmin?
-        [:title, :author, :created_at, :updated_at, :reference_id, :origin_address]
+        [:id, :title, :author, :created_at, :updated_at, :reference_id, :origin_address]
       else
         []
       end
@@ -127,7 +127,7 @@
 1. Add the following to your `Gemfile`:
 
     ```ruby
-    gem 'live_record', '~> 0.2.7'
+    gem 'live_record', '~> 0.2.8'
     ```
 
 2. Run:
@@ -180,13 +180,13 @@
       def self.live_record_whitelisted_attributes(book, current_user)
         # Add attributes to this array that you would like current_user to have access to when syncing.
         # Defaults to empty array, thereby blocking everything by default, only unless explicitly stated here so.
-        [:title, :author, :created_at, :updated_at]
+        [:id, :title, :author, :created_at, :updated_at]
       end
 
       def self.live_record_queryable_attributes(current_user)
         # Add attributes to this array that you would like current_user to query upon when using `.subscribe({where: {...})`
         # Defaults to empty array, thereby blocking everything by default, only unless explicitly stated here so.
-        [:title, :author, :created_at, :updated_at]
+        [:id, :title, :author, :created_at, :updated_at]
       end
     end
     ```
@@ -203,9 +203,9 @@
         # Notice that from above, you also have access to `book` (the record currently requested by the client to be synced),
         # and the `current_user`, the current user who is trying to sync the `book` record.
         if book.user == current_user
-          [:title, :author, :created_at, :updated_at, :reference_id, :origin_address]
+          [:id, :title, :author, :created_at, :updated_at, :reference_id, :origin_address]
         elsif current_user.present?
-          [:title, :author, :created_at, :updated_at]
+          [:id, :title, :author, :created_at, :updated_at]
         else
           []
         end
@@ -215,7 +215,7 @@
         # this method should look like your `live_record_whitelisted_attributes` above, only except if you want to further customise this for flexibility
         # or... that you may just simply return `[]` (empty array) if you do not want to allow users to use `subscribe()`
         # also take note that this method only has `current_user` argument compared to `live_record_whitelisted_attributes` above which also has the `book` argument. This is intended for SQL performance reasons
-        [:title, :author, :created_at, :updated_at]
+        [:id, :title, :author, :created_at, :updated_at]
       end
     end
     ```
@@ -439,14 +439,14 @@
         has_many :live_record_updates, as: :recordable, dependent: :destroy
 
         def self.live_record_whitelisted_attributes(book, current_user)
-          [:title, :is_enabled]
+          [:id, :title, :is_enabled]
         end
 
         ## this method will be invoked when `subscribe()` is called
         ## but, you should not use this method when using `ransack` gem!
         ## ransack's methods like `ransackable_attributes` below will be invoked instead
         # def self.live_record_queryable_attributes(book, current_user)
-        #   [:title, :is_enabled]
+        #   [:id, :title, :is_enabled]
         # end
 
         private
@@ -659,11 +659,14 @@
 * MIT
 
 ## Changelog
+* 0.2.8
+  * You can now specify `:id` into `live_record_whitelisted_attributes` for verbosity; used to be automatically-included by default. Needed to do this otherwise there was this minor bug where `subscribe()` still receives records (having just `:id` attribute though) even when it is specified to be not-authorized.
+  * fixed minor bug when `live_record_whitelisted_attributes` is not returning anything, throwing a `NoMethodError`
 * 0.2.7
   * improved performance when using `subscribe({reload: true})`, but by doing so, I am forced to a conscious decision to have another separate model method for "queryable" attributes: `live_record_queryable_attributes`, which both has `pro` and `cons`
     * pros:
       * greatly sped up SQL for loading of data
-    * pro & con: now two methods in model: `live_record_whitelisted_attributes` and `live_record_queryable_attributes` which should have mostly the same code [(see some differences above)]('#example-1---simple-usage') which makes it repetitive to some degree, although this allows more flexibility.
+    * pro & con: now two methods in model: `live_record_whitelisted_attributes` and `live_record_queryable_attributes` which should have mostly the same code [(see some differences above)](#example-1---simple-usage) which makes it repetitive to some degree, although this allows more flexibility.
   * added `matches` and `does_not_match` filters
 * 0.2.6
   * fixed minor bug where `MODELINSTANCE.changes` do not accurately work on NULL values.

data/app/channels/live_record/base_channel.rb

@@ -1,13 +1,32 @@
 class LiveRecord::BaseChannel < ActionCable::Channel::Base
 
-  protected
+  module Helpers
+    def self.whitelisted_attributes(record, current_user)
+      whitelisted_attributes = record.class.live_record_whitelisted_attributes(record, current_user)
+
+      unless whitelisted_attributes.is_a? Array
+        raise "#{record.class}.live_record_whitelisted_attributes should return an array"
+      end
+
+      whitelisted_attributes = whitelisted_attributes.map(&:to_s)
+
+      if !whitelisted_attributes.empty? && !whitelisted_attributes.include?('id')
+        raise "#{record.class}.live_record_whitelisted_attributes should return an array that also includes the :id attribute, as you are authorizing at least one other attribute along with it."
+      end
 
-  def authorised_attributes(record, current_user)
-    whitelisted_attributes = record.class.live_record_whitelisted_attributes(record, current_user)
-    raise "#{record.model}.live_record_whitelisted_attributes should return an array" unless whitelisted_attributes.is_a? Array
-    ([:id] + whitelisted_attributes).map(&:to_s).to_set
+      whitelisted_attributes.to_set
+    end
+
+    def self.queryable_attributes(model_class, current_user)
+      queryable_attributes = model_class.live_record_queryable_attributes(current_user)
+      raise "#{model_class}.live_record_queryable_attributes should return an array" unless queryable_attributes.is_a? Array
+      queryable_attributes = queryable_attributes.map(&:to_s)
+      queryable_attributes.to_set
+    end
   end
 
+  protected
+
   def filtered_message(message, filters)
     message['attributes'].slice!(*filters) if message['attributes'].present?
     message

data/app/channels/live_record/changes_channel.rb

@@ -5,20 +5,19 @@ class LiveRecord::ChangesChannel < LiveRecord::BaseChannel
 
   def subscribed
     find_record_from_params(params) do |record|
-      authorised_attributes = authorised_attributes(record, current_user)
+      whitelisted_attributes = Helpers.whitelisted_attributes(record, current_user)
 
-      if authorised_attributes.present?
+      if whitelisted_attributes.present?
         stream_for record, coder: ActiveSupport::JSON do |message|
           begin
             record.reload
           rescue ActiveRecord::RecordNotFound
           end
 
-          authorised_attributes = authorised_attributes(record, current_user)
+          whitelisted_attributes = Helpers.whitelisted_attributes(record, current_user)
 
-          # if not just :id
-          if authorised_attributes.size > 1
-            response = filtered_message(message, authorised_attributes)
+          if whitelisted_attributes.size > 0
+            response = filtered_message(message, whitelisted_attributes)
             transmit response if response.present?
           else
             respond_with_error(:forbidden)
@@ -36,10 +35,9 @@ class LiveRecord::ChangesChannel < LiveRecord::BaseChannel
     params = data.symbolize_keys
 
     find_record_from_params(params) do |record|
-      authorised_attributes = authorised_attributes(record, current_user)
+      whitelisted_attributes = Helpers.whitelisted_attributes(record, current_user)
 
-      # if not just :id
-      if authorised_attributes.size > 1
+      if whitelisted_attributes.size > 0
         live_record_updates = nil
 
         if params[:stale_since].present?
@@ -55,7 +53,7 @@ class LiveRecord::ChangesChannel < LiveRecord::BaseChannel
         # then we update the record in the client-side
         if params[:stale_since].blank? || live_record_updates.exists?
           message = { 'action' => 'update', 'attributes' => record.attributes }
-          response = filtered_message(message, authorised_attributes)
+          response = filtered_message(message, whitelisted_attributes)
           transmit response if response.present?
         end
       else

data/app/channels/live_record/publications_channel.rb

@@ -14,7 +14,7 @@ class LiveRecord::PublicationsChannel < LiveRecord::BaseChannel
       reject_subscription
     end
 
-    if !(model_class && model_class.live_record_queryable_attributes(current_user).present?)
+    if !(model_class && Helpers.queryable_attributes(model_class, current_user).present?)
       respond_with_error(:forbidden, 'You do not have privileges to query')
       reject_subscription
     end
@@ -29,11 +29,11 @@ class LiveRecord::PublicationsChannel < LiveRecord::BaseChannel
       )
 
       if active_record_relation.exists?(id: newly_created_record.id)
-        @authorised_attributes ||= authorised_attributes(newly_created_record, current_user)
-        # if not just :id
-        if @authorised_attributes.size > 1
+        whitelisted_attributes = Helpers.whitelisted_attributes(newly_created_record, current_user)
+
+        if whitelisted_attributes.size > 0
           message = { 'action' => 'create', 'attributes' => message['attributes'] }
-          response = filtered_message(message, @authorised_attributes)
+          response = filtered_message(message, whitelisted_attributes)
           transmit response if response.present?
         end
       end
@@ -61,11 +61,13 @@ class LiveRecord::PublicationsChannel < LiveRecord::BaseChannel
       # we `transmmit` a message back to client for each matching record
       active_record_relation.find_each do |record|
         # but first, check for the authorised attributes, if exists
-        current_authorised_attributes = authorised_attributes(record, current_user)
+        whitelisted_attributes = Helpers.whitelisted_attributes(record, current_user)
 
-        message = { 'action' => 'create', 'attributes' => record.attributes }
-        response = filtered_message(message, current_authorised_attributes)
-        transmit response if response.present?
+        if whitelisted_attributes.size > 0
+          message = { 'action' => 'create', 'attributes' => record.attributes }
+          response = filtered_message(message, whitelisted_attributes)
+          transmit response if response.present?
+        end
       end
     else
       respond_with_error(:bad_request, 'Not a correct model name')

data/app/channels/live_record/publications_channel/search_adapters.rb

@@ -28,12 +28,12 @@ class LiveRecord::PublicationsChannel
         current_user = args.fetch(:current_user)
 
         current_active_record_relation = model_class.all
-        queryable_attributes = model_class.live_record_queryable_attributes(current_user)
+        queryable_attributes = LiveRecord::BaseChannel::Helpers.queryable_attributes(model_class, current_user)
 
         conditions_hash.each do |key, value|
           operator = key.split('_').last
           # to get attribute_name, we subtract the end part of the string with size of operator substring; i.e.: created_at_lteq -> created_at
-          attribute_name = key[0..(-1 - operator.size - 1)].to_sym
+          attribute_name = key[0..(-1 - operator.size - 1)]
 
           if queryable_attributes.include?(attribute_name)
             case operator

data/lib/live_record/generators/templates/model.rb.rb

@@ -20,7 +20,7 @@ class <%= class_name %> < <%= parent_class_name.classify %>
     # then only these whitelisted attributes will be sent to this current_user client
     # Empty array means unauthorized
     # Example:
-    # [:email, :name, :is_admin, :group_id, :created_at, :updated_at]
+    # [:id, :email, :name, :is_admin, :group_id, :created_at, :updated_at]
     []
   end
 
@@ -36,7 +36,7 @@ class <%= class_name %> < <%= parent_class_name.classify %>
     # if you're using `ransack` gem, use `ransackable_attributes`
     # Empty array means unauthorized
     # Example:
-    # [:email, :name, :is_admin, :group_id, :created_at, :updated_at]
+    # [:id, :email, :name, :is_admin, :group_id, :created_at, :updated_at]
     []
   end
 end

data/lib/live_record/version.rb

@@ -1,3 +1,3 @@
 module LiveRecord
-  VERSION = '0.2.7'.freeze
+  VERSION = '0.2.8'.freeze
 end

data/spec/internal/app/models/post.rb

@@ -5,29 +5,10 @@ class Post < ApplicationRecord
   has_many :live_record_updates, as: :recordable, dependent: :destroy
 
   def self.live_record_whitelisted_attributes(post, current_user)
-    # Add attributes to this array that you would like current_user client to be able to receive
-    # Defaults to empty array, thereby blocking everything by default, only unless explicitly stated here so.
-    # i.e. if this file is a User model, and that a User has been created/updated in the backend,
-    # then only these whitelisted attributes will be sent to this current_user client
-    # Empty array means unauthorized
-    # Example:
-    # [:email, :name, :is_admin, :group_id, :created_at, :updated_at]
-    [:title, :is_enabled, :user_id, :created_at, :updated_at]
+    [:id, :title, :is_enabled, :user_id, :created_at, :updated_at]
   end
 
   def self.live_record_queryable_attributes(current_user)
-    # This method only applies when not using `ransack` gem!
-    # If you're using ransack gem, instead of this method, use one or more of the ransack methods:
-    # see https://github.com/activerecord-hackery/ransack#authorization-whitelistingblacklisting
-    #
-    # Add attributes to this array that you would like current_user client to be able to query upon when "subscribing"
-    # Defaults to empty array, thereby blocking everything by default, only unless explicitly stated here so.
-    # i.e. if a current_user client subscribes to "new records creation" using `.subscribe({where: {...}})`,
-    # then only these attributes will be considered in the "{where: ...}" argument
-    # if you're using `ransack` gem, use `ransackable_attributes`
-    # Empty array means unauthorized
-    # Example:
-    # [:email, :name, :is_admin, :group_id, :created_at, :updated_at]
-    [:title, :is_enabled, :user_id, :created_at, :updated_at]
+    [:id, :title, :is_enabled, :user_id, :created_at, :updated_at]
   end
 end

data/spec/internal/app/models/user.rb

@@ -5,9 +5,7 @@ class User < ApplicationRecord
   has_many :posts
 
   def self.live_record_whitelisted_attributes(user, current_user)
-    # Add attributes to this array that you would like current_user to have access to.
-    # Defaults to empty array, thereby blocking everything by default, only unless explicitly stated here so.
-    [:email, :created_at, :updated_at]
+    [:id, :email, :created_at, :updated_at]
   end
 
   def self.live_record_queryable_attributes(current_user)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: live_record
 version: !ruby/object:Gem::Version
-  version: 0.2.7
+  version: 0.2.8
 platform: ruby
 authors:
 - Jules Roman B. Polidario