mongoid_ability 0.0.11 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1541d93003dfaadfd76721962e2e8c299ac86f81
-  data.tar.gz: cd39407e3a4f06d0320493bfd327b7127b7e96d4
+  metadata.gz: 5c94126d8c7b257f7a07a4523aa5967a197e4ed5
+  data.tar.gz: 0a7daeea08caa81ed98c488185928942eb144aa4
 SHA512:
-  metadata.gz: b44dd1f63f22cc8f3caac82f6da16475fb17fcaa6a84c45a5a3cc889009ed4405e98d10a0aee161a6e89f4efa8954a74dea1d6c2616a54d3114c30e8be8b5eff
-  data.tar.gz: ffeda7ae0ad1ffa0a0d9d682030a47b3e466967dd403f9413fe953f07fdea3f8de9c0a51593f6d9bd0ce5240103a862bf3601b8e71caa2067d2cea4cf83a993a
+  metadata.gz: bac9709c73d4d227bdb3786d8de7ffdda5aea899f294c9e3adbf0d7f543832f2c82266c41e73ef7f7bc938d409e2ab8dbafd8402c21545923745287b213411dc
+  data.tar.gz: 9174b6fa5c46d17cd480d1fd468874d1c67cef6562e2fd77f43406fb5e392e0d0cbe56fd32ba505534d7ffbcbbda810e426f66cf954f4aef2df56033938df930

data/README.md

@@ -50,16 +50,16 @@ This class defines a permission itself using the following fields:
 
 These fields define what subject (respectively subject type, when referring to a class) the lock applies to, which action it is defined for (for example `:read`), and whether the outcome is positive or negative.
 
-For more specific behavior, it is possible to override the `#calculated_outcome` method (should, for example, the permission depend on some additional factors).
+For more specific behavior, it is possible to override the `#calculated_outcome` method (should, for example, the permission depend on some additional factors). The `#calculated_outcome` method receives options that are passed when checking the permissions using for example `can? :read, MyClass, { option_1: 1 }`
 
 ```ruby
-def calculated_outcome
+def calculated_outcome options={}
     # custom behaviour
-    # returns true/false
+    # return true/false
 end
 ```
 
-If you wish to check the state of a lock directly, please use the convenience methods `#open?` and `#closed?`. These take into account the `#calculated_outcome`. Using the `:outcome` field directly is discouraged.
+If you wish to check the state of a lock directly, please use the convenience methods `#open?` and `#closed?`. These take into account the `#calculated_outcome`. Using the `:outcome` field directly is discouraged as it just returns the boolean attribute.
 
 The lock class can be further subclassed in order to customise its behavior, for example per action.
 
@@ -74,23 +74,23 @@ class MySubject
     include Mongoid::Document
     include MongoidAbility::Subject
 
-    default_lock :read, true
-    default_lock :update, false
+    default_lock MyLock, :read, true
+    default_lock MyLock, :update, false
 end
 ```
 
-The subject classes can be subclassed. Subclasses inherit the default locks (unless they override them), the resulting outcome being correctly calculated bottom-up the superclass chain. 
+The subject classes can be subclassed. Subclasses inherit the default locks (unless they override them), the resulting outcome being correctly calculated bottom-up the superclass chain.
 
 The subject also acquires a convenience `Mongoid::Criteria` named `.accessible_by`. This criteria can be used to query for subject based on the user's ability:
 
 ```ruby
 ability = MongoidAbility::Ability.new(current_user)
-MySubject.accessible_by(ability, :read)
+MySubject.accessible_by(ability, :read, options={})
 ```
 
 ### Owner
 
-This gem supports two levels of ownership of a lock: a `User` and its many `Role`s. The locks can be either embedded (via `.embeds_many`) or associated (via `.has_many`). Make sure to include the `as: :owner` option.
+This `Ability` class supports two levels of inheritance (for example User and its Roles). The locks can be either embedded (via `.embeds_many`) or associated (via `.has_many`). Make sure to include the `as: :owner` option.
 
 ```ruby
 class MyUser
@@ -101,8 +101,13 @@ class MyUser
     has_and_belongs_to_many :roles, class_name: 'MyRole'
 
     # override if your relation is named differently
-    def self.roles_relation_name
-        :roles
+    def self.locks_relation_name
+      :locks
+    end
+
+    # override if your relation is named differently
+    def self.inherit_from_relation_name
+      :roles
     end
 end
 ```
@@ -122,8 +127,8 @@ Both users and roles can be further subclassed.
 The owner also gains the `#can?` and `#cannot?` methods, that are delegate to the user's ability. It is then easy to perform permission checks per user:
 
 ```ruby
-current_user.can?(:read, resource)
-other_user.can?(:read, ResourceClass)
+current_user.can?(:read, resource, options)
+other_user.can?(:read, ResourceClass, options)
 ```
 
 ### CanCanCan

data/lib/mongoid_ability.rb

@@ -1,12 +1,18 @@
 require "mongoid_ability/version"
 
 require "mongoid_ability/ability"
-require "mongoid_ability/ability_resolver"
-require "mongoid_ability/accessible_query_builder"
+
 require "mongoid_ability/lock"
 require "mongoid_ability/owner"
 require "mongoid_ability/subject"
 
+require "mongoid_ability/resolve_locks"
+require "mongoid_ability/resolve_default_locks"
+require "mongoid_ability/resolve_inherited_locks"
+require "mongoid_ability/resolve_owner_locks"
+
+require "mongoid_ability/accessible_query_builder"
+
 # ---------------------------------------------------------------------
 
 if defined?(Rails)

data/lib/mongoid_ability/ability.rb

@@ -2,57 +2,59 @@ require 'cancancan'
 
 module MongoidAbility
   class Ability
-
     include CanCan::Ability
 
     attr_reader :owner
 
-    # =====================================================================
-
     def initialize owner
       @owner = owner
 
-      can do |action, subject_type, subject|
-        subject_class = subject_type.to_s.constantize
-        outcome = nil
-
-        subject_class.self_and_ancestors_with_default_locks.each do |cls|
-          outcome = combined_outcome(owner, action, cls, subject)
-          break unless outcome.nil?
+      can do |action, subject_type, subject, options|
+        if defined? Rails
+          ::Rails.cache.fetch( [ cache_key ] + cache_keys(action, subject_type, subject, options) ) do
+            _can(action, subject_type, subject, options)
+          end
+        else
+          _can(action, subject_type, subject, options)
         end
-
-        outcome
       end
     end
 
-    private # =============================================================
-
-    def combined_outcome  owner, action, cls, subject
-      uo = user_outcome(owner, action, cls, subject)
-      return uo unless uo.nil?
+    # ---------------------------------------------------------------------
 
-      if owner.respond_to?(owner.class.roles_relation_name)
-        ro = owner.roles_relation.collect{ |role| AbilityResolver.new(role, action, cls.to_s, subject).outcome }.compact
-        return ro.any?{ |i| i == true } unless ro.empty?
+    def _can action, subject_type, subject, options
+      subject_class = subject_type.to_s.constantize
+      outcome = nil
+      options ||= {}
+      subject_class.self_and_ancestors_with_default_locks.each do |cls|
+        outcome = ResolveInheritedLocks.call(owner, action, cls, subject, options)
+        break if outcome != nil
       end
-
-      class_outcome(cls, action)
+      outcome
     end
 
     # ---------------------------------------------------------------------
 
-    def user_outcome owner, action, cls, subject
-      AbilityResolver.new(owner, action, cls.to_s, subject).outcome
+    def cache_key
+      ["ability", owner.cache_key, inherit_from_relation_cache_keys].compact.join('/')
+    end
+
+    def cache_keys action, subject_type, subject, options
+      res = []
+      res << action
+      res << subject_type
+      res << subject.cache_key unless subject.nil?
+      res << options_cache_key(options)
+      res.compact
     end
 
-    def role_outcome role, action, cls, subject
-      AbilityResolver.new(role, action, cls.to_s, subject).outcome
+    def options_cache_key options={}
+      Digest::SHA1.hexdigest( options.to_a.sort_by { |k,v| k.to_s }.to_s )
     end
 
-    def class_outcome subject_class, action
-      class_locks = subject_class.default_locks.select{ |l| l.action == action }
-      return false if class_locks.any?(&:closed?)
-      return true if class_locks.any?(&:open?)
+    def inherit_from_relation_cache_keys
+      return unless owner.respond_to?(owner.class.inherit_from_relation_name) && owner.inherit_from_relation != nil
+      owner.inherit_from_relation.map(&:cache_key)
     end
 
   end

data/lib/mongoid_ability/accessible_query_builder.rb

@@ -1,5 +1,5 @@
 module MongoidAbility
-  class AccessibleQueryBuilder < Struct.new(:base_class, :ability, :action)
+  class AccessibleQueryBuilder < Struct.new(:base_class, :ability, :action, :options)
 
     def self.call *args
       new(*args).call
@@ -8,17 +8,20 @@ module MongoidAbility
     # =====================================================================
 
     def call
-      criteria = base_criteria
-
-      base_class_and_descendants.each do |cls|
-        criteria = criteria.merge(criteria_for_class(cls))
+      if defined? Rails
+        # FIXME: this is a bit of a dirty hack, since the marshalling of criteria does not preserve the embedded attributes
+        Rails.cache.fetch( [ 'ability-query', base_class, ability.cache_key, action, ability.options_cache_key(options) ] ) { _call }.tap { |criteria| criteria.embedded = base_criteria.embedded }
+      else
+        _call
       end
-
-      criteria
     end
 
     private # =============================================================
 
+    def _call
+      base_class_and_descendants.inject(base_criteria) { |criteria, cls| criteria.merge!(criteria_for_class(cls)) }
+    end
+
     def base_criteria
       @base_criteria ||= base_class.criteria
     end
@@ -34,7 +37,7 @@ module MongoidAbility
     end
 
     def base_class_and_descendants
-      [base_class].concat(base_class_descendants)
+      @base_class_and_descendants ||= [base_class].concat(base_class_descendants)
     end
 
     def hereditary?
@@ -44,71 +47,88 @@ module MongoidAbility
     # ---------------------------------------------------------------------
 
     def owner
-      ability.owner
+      @owner ||= ability.owner
     end
 
-    def roles
-      return unless owner.respond_to?(owner.class.roles_relation_name)
-      owner.roles_relation
+    def inherited_from_relation
+      return unless owner.respond_to?(owner.class.inherit_from_relation_name)
+      owner.inherit_from_relation
     end
 
     # ---------------------------------------------------------------------
 
-    def user_id_locks_for_subject_type cls
-      owner.locks_relation.id_locks.for_action(action).for_subject_type(cls.to_s)
+    def owner_id_locks_for_subject_type cls
+      @owner_id_locks_for_subject_type ||= {}
+      @owner_id_locks_for_subject_type[cls] ||= owner.locks_relation.id_locks.for_action(action).for_subject_type(cls.to_s)
     end
 
-    def roles_ids_locks_for_subject_type cls
-      return [] unless roles
-      roles.collect { |role| role.locks_relation.id_locks.for_action(action).for_subject_type(cls.to_s) }.flatten
+    def inherited_from_relation_ids_locks_for_subject_type cls
+      return [] unless inherited_from_relation
+      @inherited_from_relation_ids_locks_for_subject_type ||= {}
+      @inherited_from_relation_ids_locks_for_subject_type[cls] ||= inherited_from_relation.collect { |o|
+        o.locks_relation.id_locks.for_action(action).for_subject_type(cls.to_s)
+      }.flatten
     end
 
     # ---------------------------------------------------------------------
 
     def role_has_open_id_lock? cls, subject_id
-      roles_ids_locks_for_subject_type(cls).
-        select(&:open?).
-        map(&:subject_id).
-        include?(subject_id)
+      @role_has_open_id_lock ||= {}
+      @role_has_open_id_lock["#{cls}_#{subject_id}"] ||= begin
+        inherited_from_relation_ids_locks_for_subject_type(cls).
+          select{ |l| l.open?(options) }.
+          map(&:subject_id).
+          include?(subject_id)
+      end
     end
 
-    def user_has_open_id_lock? cls, subject_id
-      user_id_locks_for_subject_type(cls).
-        select(&:open?).
-        map(&:subject_id).
-        include?(subject_id)
+    def owner_has_open_id_lock? cls, subject_id
+      @owner_has_open_id_lock ||= {}
+      @owner_has_open_id_lock["#{cls}_#{subject_id}"] ||= begin
+        owner_id_locks_for_subject_type(cls).
+          select{ |l| l.open?(options) }.
+          map(&:subject_id).
+          include?(subject_id)
+      end
     end
 
     # ---------------------------------------------------------------------
 
     def criteria_for_class cls
-      ability.can?(action, cls) ? exclude_criteria(cls) : include_criteria(cls)
+      @criteria_for_class ||= {}
+      @criteria_for_class[cls] ||= ability.can?(action, cls, options) ? exclude_criteria(cls) : include_criteria(cls)
     end
 
     def exclude_criteria cls
-      id_locks = roles_ids_locks_for_subject_type(cls).select(&:closed?)
-      id_locks = id_locks.reject{ |lock| role_has_open_id_lock?(cls, lock.subject_id) }
-      id_locks = id_locks.reject{ |lock| user_has_open_id_lock?(cls, lock.subject_id) }
-      id_locks += user_id_locks_for_subject_type(cls).select(&:closed?)
+      @exclude_criteria ||= {}
+      @exclude_criteria[cls] ||= begin
+        id_locks = inherited_from_relation_ids_locks_for_subject_type(cls).select{ |l| l.closed?(options) }
+        id_locks = id_locks.reject{ |lock| role_has_open_id_lock?(cls, lock.subject_id) }
+        id_locks = id_locks.reject{ |lock| owner_has_open_id_lock?(cls, lock.subject_id) }
+        id_locks += owner_id_locks_for_subject_type(cls).select{ |l| l.closed?(options) }
 
-      excluded_ids = id_locks.map(&:subject_id).flatten
+        excluded_ids = id_locks.map(&:subject_id).flatten
 
-      conditions = { :_id.nin => excluded_ids }
-      conditions = conditions.merge(_type: cls.to_s) if hereditary?
+        conditions = { :_id.nin => excluded_ids }
+        conditions = conditions.merge(_type: cls.to_s) if hereditary?
 
-      base_criteria.or(conditions)
+        base_criteria.or(conditions)
+      end
     end
 
     def include_criteria cls
-      id_locks = roles_ids_locks_for_subject_type(cls).select(&:open?)
-      id_locks += user_id_locks_for_subject_type(cls).select(&:open?)
+      @include_criteria ||= {}
+      @include_criteria[cls] ||= begin
+        id_locks = inherited_from_relation_ids_locks_for_subject_type(cls).select{ |l| l.open?(options) }
+        id_locks += owner_id_locks_for_subject_type(cls).select{ |l| l.open?(options) }
 
-      included_ids = id_locks.map(&:subject_id).flatten
+        included_ids = id_locks.map(&:subject_id).flatten
 
-      conditions = { :_id.in => included_ids }
-      conditions = conditions.merge(_type: cls.to_s) if hereditary?
+        conditions = { :_id.in => included_ids }
+        conditions = conditions.merge(_type: cls.to_s) if hereditary?
 
-      base_criteria.or(conditions)
+        base_criteria.or(conditions)
+      end
     end
 
   end

data/lib/mongoid_ability/lock.rb

@@ -1,24 +1,19 @@
+require 'mongoid'
+
 module MongoidAbility
   module Lock
-
     def self.included base
       base.extend ClassMethods
       base.class_eval do
         field :action, type: Symbol, default: :read
         field :outcome, type: Boolean, default: false
 
-        # ---------------------------------------------------------------------
-
         belongs_to :subject, polymorphic: true, touch: true
 
-        # ---------------------------------------------------------------------
-
         # TODO: validate that action is defined on subject or its superclasses
         validates :action, presence: true, uniqueness: { scope: [ :subject_type, :subject_id, :outcome ] }
         validates :outcome, presence: true
 
-        # ---------------------------------------------------------------------
-
         scope :for_action, -> action { where(action: action.to_sym) }
 
         scope :for_subject_type, -> subject_type { where(subject_type: subject_type.to_s) }
@@ -32,43 +27,35 @@ module MongoidAbility
 
     # =====================================================================
 
-    module ClassMethods
+    # NOTE: override for more complicated results
+    def calculated_outcome options={}
+      outcome
     end
 
-    # =====================================================================
-
-    def calculated_outcome
-      self.outcome
+    # NOTE: override for more complicated results
+    def conditions
+      res = { _type: subject_type }
+      res = res.merge(_id: subject_id) if subject_id.present?
+      res = { '$not' => res } if calculated_outcome == false
+      res
     end
 
     # ---------------------------------------------------------------------
 
-    def open?
-      self.calculated_outcome == true
+    def open? options={}
+      calculated_outcome(options) == true
     end
 
-    def closed?
-      !open?
+    def closed? options={}
+      !open?(options)
     end
 
-    # ---------------------------------------------------------------------
-
     def class_lock?
       !id_lock?
     end
 
     def id_lock?
-      self.subject_id.present?
-    end
-
-    # ---------------------------------------------------------------------
-
-    def conditions
-      res = { _type: subject_type }
-      res = res.merge(_id: subject_id) if subject_id.present?
-      res = { '$not' => res } if calculated_outcome == false
-      res
+      subject_id.present?
     end
-
   end
 end