mongoid_ability 1.0.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7e6c83227c58a27548a247cbf0de7931eccaed58
-  data.tar.gz: 4cfe776c15b918916f2f6d20acd786a6674755ff
+  metadata.gz: dae67db7ec93cdbf840238c3dd2b482646550ea5
+  data.tar.gz: 9585efb9e63dbbee879f2865d378e9dcf81081a8
 SHA512:
-  metadata.gz: c79d13c3df3c743fe5c6c8cc5272336590dc4f24b666ec798b8c355898f4bcf6a63b4c3e418506342af415165048bbb0aa8f8e72f6771f42eb8e18d97733a3a2
-  data.tar.gz: 4d8a1b214ab11100d361d31d46ee4a607642951f9727e967fb70e395b0282dcc9967153b1482c9cffd750e6bc18fba8d3f9a63c952055e352c58c935e41f5929
+  metadata.gz: e92310170b4733d744668f02b59595f5ffc0a1b10b8aab414ff1db137a0fb417d0392f370b0cc341895503fea19bebd89799d8d7744c989ddc9d23aef946e06c
+  data.tar.gz: f02421d9e891f91af19df44dc0a289beef01719e5fff3a1ef116a341f6ae10515bd4fc34fbddbc139ba03056e945fdf8a187e96c859203adc975c77539edbd62

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+# 2.0.0
+
+* Full rewrite, which more closely follows the `CanCanCan` conventions: instead of custom algorithm for resolving permissions, the `Lock` documents are now converted to standard `CanCanCan` rules. Similarly the `.acessible_by` criteria are now handled by standard model adapter (`MongoidAdapter`), to be extracted to separate gem. Therefore this gem can benefit for potential future performance improvements of `CanCanCan`. Lastly, the `ability` objects are now cacheable, therefore the conversion of `Lock` documents to `CanCanCan` rule objects does not need to be performed on every request.
+
 # 1.0.0
 
 * conforms to '[MONGOID-4418](https://jira.mongodb.org/browse/MONGOID-4418) Don't allow PersistenceContext method as field names' by renaming the `Lock` field `:options` to `:opts` (but aliasing it `as: :options`). As a result the `Mongoid::Ability` API stays unchanged, however in some cases it might be necessary to migrate the values from the `:options` fields to the new `:opts`.

data/Gemfile

@@ -1,3 +1,10 @@
 source 'https://rubygems.org'
 
+git_source(:github) do |repo_name|
+  repo_name = "#{repo_name}/#{repo_name}" unless repo_name.include?("/")
+  "git@github.com:#{repo_name}.git"
+end
+
 gemspec
+
+# gem 'cancancan-mongoid', github: 'tomasc/cancancan-mongoid', branch: 'master'

data/README.md

@@ -50,24 +50,11 @@ This class defines a permission itself using the following fields:
 
 These fields define what subject (respectively subject type, when referring to a class) the lock applies to, which action it is defined for (for example `:read`), and whether the outcome is positive or negative.
 
-For more specific behavior, it is possible to override the `#calculated_outcome` method (should, for example, the permission depend on some additional factors). The `#calculated_outcome` method receives options that are passed when checking the permissions using for example `can? :read, MyClass, { option_1: 1 }`
-
-```ruby
-def calculated_outcome options={}
-    # custom behaviour
-    # return true/false
-end
-```
-
-If you wish to check the state of a lock directly, please use the convenience methods `#open?` and `#closed?`. These take into account the `#calculated_outcome`. Using the `:outcome` field directly is discouraged as it just returns the boolean attribute.
-
-The lock class can be further subclassed in order to customise its behavior, for example per action.
-
 ### Subject
 
 All subjects (classes which permissions you want to control) will include the `MongoidAbility::Subject` module.
 
-Each action and its default outcome, needs to be defined using the `.default_lock` macro.
+Each action and its default outcome needs to be defined using the `.default_lock` macro.
 
 ```ruby
 class MySubject
@@ -130,6 +117,60 @@ current_user.can?(:read, resource, options)
 other_user.can?(:read, ResourceClass, options)
 ```
 
+Ability can be easily obtained as:
+
+```ruby
+current_user.ability
+```
+
+### Caching
+
+The ability object is fully cache-able, which means it is possible to save some precious time on every request (instead of always converting the Lock documents to CanCan rules):
+
+```ruby
+class ActionController::Base
+  def current_ability
+    @current_ability ||= Rails.cache.fetch([current_user.cache_key, 'ability'].join('/')) do
+      MongoidAbility::Ability.new(current_user)
+    end.tap do |ability|
+      ability.owner ||= current_user
+    end
+  end
+end
+```
+
+And on the owner:
+
+```ruby
+def ability
+  @ability ||= Rails.cache.fetch([cache_key, 'ability'].join('/')) do
+    MongoidAbility::Ability.new(self)
+  end.tap do |ability|
+    ability.owner ||= self
+  end
+end
+```
+
+Of course this assumes the user's `cache_key` updates when any of its locks (or locks stored on its roles) change.
+
+Note the owner has to be assigned after fetching the ability from cache.
+
+### Decoration
+
+To be able to check permissions on decorated objects (for example via the Draper gem) subclass the Ability class as follows:
+
+```ruby
+class MyAbility < MongoidAbility::Ability
+  def can?(action, subject, *extra_args)
+    while subject.is_a?(Draper::Decorator)
+      subject = subject.model
+    end
+
+    super(action, subject, *extra_args)
+  end
+end
+```
+
 ### CanCanCan
 
 The default `:current_ability` defined by [CanCanCan](https://github.com/CanCanCommunity/cancancan) will be automatically overriden by the `Ability` class provided by this gem.
@@ -140,15 +181,6 @@ The default `:current_ability` defined by [CanCanCan](https://github.com/CanCanC
 2. Define permissions using lock objects embedded (or associated to) either in user or role.
 3. Use standard [CanCanCan](https://github.com/CanCanCommunity/cancancan) helpers (`.authorize!`, `#can?`, `#cannot?`) to authorize the current user.
 
-## How it works?
-
-The ability class in this gem looks up and calculates the outcome in the following order:
-
-1. User locks, defined for `:subject_id`, then `:subject_type` (then its superclasses), then defined in the subject class itself (via the `.default_lock` macro) and its superclasses.
-2. Role locks have the same look up chain as the user locks. The role permissions are optimistic, meaning that in case a user has multiple roles, and the roles have locks with conflicting outcomes, the ability favors the positive one.
-
-See the test suite for more details.
-
 ## Contributing
 
 1. Fork it ( https://github.com/tomasc/mongoid_ability/fork )

data/lib/cancancan/model_adapters/mongoid_adapter.rb

@@ -0,0 +1,156 @@
+module CanCan
+  module ModelAdapters
+    class MongoidAdapter < AbstractAdapter
+      def self.for_class?(model_class)
+        model_class <= Mongoid::Document
+      end
+
+      # Used to determine if this model adapter will override the matching behavior for a hash of conditions.
+      # If this returns true then matches_conditions_hash? will be called. See Rule#matches_conditions_hash
+      def self.override_conditions_hash_matching?(_subject, _conditions)
+        false
+      end
+
+      # Override if override_conditions_hash_matching? returns true
+      def self.matches_conditions_hash?(_subject, _conditions)
+        raise NotImplemented, 'This model adapter does not support matching on a conditions hash.'
+      end
+
+      # Used to determine if this model adapter will override the matching behavior for a specific condition.
+      # If this returns true then matches_condition? will be called. See Rule#matches_conditions_hash
+      def self.override_condition_matching?(_subject, _name, _value)
+        true
+      end
+
+      # Override if override_condition_matching? returns true
+      def self.matches_condition?(subject, name, value)
+        attribute = subject.send(name)
+
+        case value
+        when Hash then hash_condition_match?(attribute, value)
+        when Range then value.cover?(attribute)
+        when Regexp then value.match(attribute)
+        when Array then value.include?(attribute)
+        when Enumerable then value.include?(attribute)
+        else attribute == value
+        end
+      end
+
+      def initialize(model_class, rules, options = {})
+        @model_class = model_class
+        @rules = rules
+        @options = options
+      end
+
+      def subject_types
+        @subject_types ||= begin
+          root_cls = @model_class.root_class
+          [root_cls, *root_cls.descendants].compact
+        end
+      end
+
+      def open_subject_types
+        @open_subject_types ||= begin
+          subject_types.inject([]) do |res, cls|
+            subject_type_rules_for(cls).each do |rule|
+              cls_list = [cls, *cls.descendants].compact
+              rule.base_behavior ? res += cls_list : res -= cls_list
+            end
+            res.uniq
+          end
+        end
+      end
+
+      def closed_subject_types
+        @closed_subject_types ||= begin
+          subject_types - open_subject_types
+        end
+      end
+
+      def open_conditions
+        @open_conditions ||= begin
+          condition_rules.select(&:base_behavior).each_with_object([]) do |rule, res|
+            rule.conditions.each do |key, value|
+              key = id_key if %i[id _id].include?(key.to_sym)
+              res <<  case value
+                      when Array then { key => { '$in' => value } }
+                      else { key => value }
+                      end
+            end
+          end
+        end
+      end
+
+      def closed_conditions
+        @closed_conditions ||= begin
+          condition_rules.reject(&:base_behavior).each_with_object([]) do |rule, res|
+            rule.conditions.each do |key, value|
+              key = id_key if %i[id _id].include?(key.to_sym)
+              res <<  case value
+                      when Regexp then { key => { '$not' => value } }
+                      when Array then { key => { '$nin' => value } }
+                      else { key => { '$ne' => value } }
+                      end
+            end
+          end
+        end
+      end
+
+      def subject_type_conditions
+        return unless open_subject_types.present?
+        { :"#{type_key}".nin => closed_subject_types.map(&:to_s) }
+      end
+
+      def has_any_conditions?
+        subject_type_conditions.present? ||
+          open_conditions.present? ||
+          closed_conditions.present?
+      end
+
+      def database_records
+        return @model_class.none unless has_any_conditions?
+
+        or_conditions = { '$or' => ([subject_type_conditions, *open_conditions]).compact }
+        or_conditions = nil if or_conditions['$or'].empty?
+
+        and_conditions = { '$and' => [or_conditions, *closed_conditions].compact }
+        and_conditions = nil if and_conditions['$and'].empty?
+
+        @model_class.where(and_conditions)
+      end
+
+      private
+
+      def subject_type_rules_for(subject_type)
+        subject_type_rules.select do |rule|
+          rule.subjects.include?(subject_type)
+        end
+      end
+
+      def subject_type_rules
+        @rules.reject { |rule| rule.conditions.present? }
+      end
+
+      def condition_rules
+        @rules.select { |rule| rule.conditions.present? }
+      end
+
+      def prefix
+        @options.fetch(:prefix, nil)
+      end
+
+      def id_key
+        @id_key ||= [prefix, '_id'].reject(&:blank?).join.to_sym
+      end
+
+      def type_key
+        @type_key ||= [prefix, '_type'].reject(&:blank?).join.to_sym
+      end
+    end
+  end
+end
+
+# simplest way to add `accessible_by` to all Mongoid Documents
+module Mongoid::Document::ClassMethods
+  include CanCan::ModelAdditions::ClassMethods
+end

data/lib/cancancan/model_additions.rb

@@ -0,0 +1,30 @@
+module CanCan
+  # This module adds the accessible_by class method to a model. It is included in the model adapters.
+  module ModelAdditions
+    module ClassMethods
+      # Returns a scope which fetches only the records that the passed ability
+      # can perform a given action on. The action defaults to :index. This
+      # is usually called from a controller and passed the +current_ability+.
+      #
+      #   @articles = Article.accessible_by(current_ability)
+      #
+      # Here only the articles which the user is able to read will be returned.
+      # If the user does not have permission to read any articles then an empty
+      # result is returned. Since this is a scope it can be combined with any
+      # other scopes or pagination.
+      #
+      # An alternative action can optionally be passed as a second argument.
+      #
+      #   @articles = Article.accessible_by(current_ability, :update)
+      #
+      # Here only the articles which the user can update are returned.
+      def accessible_by(ability, action = :index, options = {})
+        ability.model_adapter(self, action, options).database_records
+      end
+    end
+
+    def self.included(base)
+      base.extend ClassMethods
+    end
+  end
+end

data/lib/mongoid_ability.rb

@@ -1,19 +1,19 @@
-require "mongoid_ability/version"
+require 'cancancan'
+require 'mongoid'
 
-require "mongoid_ability/ability"
+require 'cancancan/model_adapters/mongoid_adapter'
+require 'cancancan/model_additions'
 
-require "mongoid_ability/lock"
-require "mongoid_ability/owner"
-require "mongoid_ability/subject"
+require 'mongoid_ability/version'
 
-require "mongoid_ability/resolver"
-require "mongoid_ability/resolve_locks"
-require "mongoid_ability/resolve_default_locks"
-require "mongoid_ability/resolve_inherited_locks"
-require "mongoid_ability/resolve_owner_locks"
+require 'mongoid_ability/ability'
 
-require "mongoid_ability/values_for_accessible_query"
-require "mongoid_ability/accessible_query_builder"
+require 'mongoid_ability/lock'
+require 'mongoid_ability/owner'
+require 'mongoid_ability/subject'
+
+require 'mongoid_ability/locks_decorator'
+require 'mongoid_ability/find_lock'
 
 # ---------------------------------------------------------------------
 

data/lib/mongoid_ability/ability.rb

@@ -4,47 +4,88 @@ module MongoidAbility
   class Ability
     include CanCan::Ability
 
-    attr_reader :owner
+    attr_accessor :owner
+
+    def marshal_dump
+      @rules
+    end
+
+    def marshal_load(array)
+      Array(array).each do |rule|
+        add_rule(rule)
+      end
+    end
 
     def self.subject_classes
-      Object.descendants.select { |cls| cls.included_modules.include?(MongoidAbility::Subject) }
+      Object.descendants.select do |cls|
+        cls.included_modules.include?(MongoidAbility::Subject)
+      end
     end
 
     def self.subject_root_classes
-      subject_classes.reject { |cls| cls.superclass.included_modules.include?(MongoidAbility::Subject) }
+      subject_classes.reject do |cls|
+        cls.superclass.included_modules.include?(MongoidAbility::Subject)
+      end
     end
 
     def initialize(owner)
       @owner = owner
 
-      can do |action, subject_type, subject, options = {}|
-        subject_id = subject ? subject.id : nil
-        if lock = ResolveLocks.call(owner, action, subject_type, subject_id, options)
-          lock.calculated_outcome(options)
+      inherited_locks = owner.respond_to?(owner.class.inherit_from_relation_name) ? owner.inherit_from_relation.flat_map(&:locks_relation) : []
+      inherited_locks = LocksDecorator.new(inherited_locks)
+
+      owner_locks = owner.respond_to?(owner.class.locks_relation_name) ? owner.locks_relation : []
+
+      self.class.subject_root_classes.each do |cls|
+        cls_list = [cls] + cls.descendants
+        cls_list.each do |subcls|
+          # if 2 of the same, prefer open
+          locks = subcls.default_locks.for_subject_type(subcls).group_by(&:group_key_for_calc).flat_map do |_, locks|
+            locks.detect(&:open?) || locks.first
+          end
+
+          # if 2 of the same, prefer open
+          locks += inherited_locks.for_subject_type(subcls).group_by(&:group_key_for_calc).flat_map do |_, locks|
+            locks.detect(&:open?) || locks.first
+          end
+
+          # if 2 of the same, prefer open
+          locks += owner_locks.for_subject_type(subcls).group_by(&:group_key_for_calc).flat_map do |_, locks|
+            locks.detect(&:open?) || locks.first
+          end
+
+          selected_locks = locks.group_by(&:group_key_for_calc).flat_map do |_, locks|
+            # prefer last one, i.e. the one closest to owner
+            locks.last
+          end
+
+          selected_locks.sort(&Lock.sort).each do |lock|
+            apply_lock_rule(lock)
+          end
         end
       end
     end
 
-    # lambda for easy permission checking:
-    # .select(&current_ability.can_read)
-    # .select(&current_ability.can_update)
-    # .select(&current_ability.can_destroy)
-    # etc.
-    def method_missing(name, *args)
-      return super unless name.to_s =~ /\A(can|cannot)_/
-      return unless action = name.to_s.scan(/\A(can|cannot)_(\w+)/).flatten.last.to_sym
-
-      if args.empty? || args.first.is_a?(Hash)
-        case name
-        when /can_/ then -> (doc) { can?(action, doc, *args) }
-        else -> (doc) { cannot?(action, doc, *args) }
-        end
-      else
-        case name
-        when /can_/ then can?(action, *args)
-        else cannot?(action, *args)
-        end
+    def model_adapter(model_class, action, options = {})
+      adapter_class = CanCan::ModelAdapters::AbstractAdapter.adapter_class(model_class)
+      # include all rules that apply for descendants as well
+      # so the adapter can exclude include subclasses from critieria
+      rules = ([model_class] + model_class.descendants).inject([]) do |res, cls|
+        res += relevant_rules_for_query(action, cls)
+        res.uniq
       end
+      adapter_class.new(model_class, rules, options)
+    end
+
+    private
+
+    def apply_lock_rule(lock)
+      ability_type = lock.outcome ? :can : :cannot
+      cls = lock.subject_class
+      options = lock.options
+      options = options.merge(id: lock.subject_id) if lock.id_lock?
+      action = lock.action
+      send ability_type, action, cls, options
     end
   end
 end