permisi 0.0.1 → 0.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f4321f19a7a5c2ecbfa99d51c00a82d7fb1861007f52e6eab462c49df2c5b390
-  data.tar.gz: ed73932d3a013e89a3d6c49c79c3328fe84ecfb566f66cd53ac1a9d355de383c
+  metadata.gz: 4b56c15224ab819fd173b51ce3cd341836a9edcbf6d2a0c0496813826c168f4c
+  data.tar.gz: 1eb2ef335b4fa1a2790573ca118c9178cff6d96ef6d3334cc165650c216bbc97
 SHA512:
-  metadata.gz: a9ada7b5c95dcfa0a9627a7606bf4909e516f2e291aac518f61d1cf1a422e904027bf6c95910fc7ddde9b47c61e88d2027e0e377261af06e0d2dac16dd78e43d
-  data.tar.gz: 421d311e27eb1f2663c6515c62623c3804ee77ee76bec16162b199370eb1619a4283acf5a79ae8eaca86da6daf7f32f5324c872ce9acc92a07b120f29cebe00c
+  metadata.gz: 9e099b2453555f7da80bfef2c4948a80523625271ba9666d2c053e455b0c42dc90d53f7f4a7233e1572696d58c7f1553dbdcaf38f9a4d6e351432a98de21d3ae
+  data.tar.gz: ea49a2fa692188d5864da2322a37c01de5856fb3d5bb4529966328f45e2ccc0114119c07289fa12c68afffc7f9e2030db99a10815480f180f3ea17fccd082218

data/.github/workflows/ci.yml

@@ -0,0 +1,53 @@
+name: Lint and test
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - '!*'
+  pull_request:
+    paths:
+      - '!*.MD'
+      - '!*.md'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+
+    - name: Set up Ruby 2.7
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.7
+
+    - name: Generate lockfile for cache key
+      run: bundle lock
+
+    - name: Cache gems
+      uses: actions/cache@v1
+      with:
+        path: vendor/bundle
+        key: ${{ runner.os }}-rspec-${{ hashFiles('**/Gemfile.lock') }}
+        restore-keys: |
+          ${{ runner.os }}-rspec-
+
+    - name: Install gems
+      run: |
+        bundle config path vendor/bundle
+        bundle install --jobs 4 --retry 3
+
+    - name: Run RuboCop
+      uses: reviewdog/action-rubocop@v1
+      with:
+        rubocop_version: gemfile
+        rubocop_extensions: rubocop-rails:gemfile rubocop-rspec:gemfile
+        github_token: ${{ secrets.github_token }}
+        reporter: github-pr-check # Default is github-pr-check
+
+    - name: Run RSpec
+      run: bundle exec rake spec
+      env:
+        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

data/.gitignore

@@ -1,3 +1,4 @@
+/spec/support/db/*.db
 /.bundle/
 /.yardoc
 /_yardoc/
@@ -9,3 +10,6 @@
 
 # rspec failure tracking
 .rspec_status
+
+*.sublime-*
+.byebug_history

data/.rubocop.yml

@@ -1,5 +1,10 @@
 AllCops:
   TargetRubyVersion: 2.4
+  NewCops: enable
+  Exclude:
+    - "lib/generators/**/*"
+    - "spec/**/*" # stuff for later
+    - "lib/permisi/permission_util.rb" # The necessary evil (for now)
 
 Style/StringLiterals:
   Enabled: true
@@ -11,3 +16,7 @@ Style/StringLiteralsInInterpolation:
 
 Layout/LineLength:
   Max: 120
+
+# Stuff for later
+Documentation:
+  Enabled: false

data/CHANGELOG.md

@@ -1,4 +1,47 @@
-0.0.0
-=====
+# Changelog
 
-- Reserve gem name.
+# 0.1.4
+
+[_View the docs._](https://github.com/ukazap/permisi/blob/v0.1.4/README.md)
+
+- Add actor-role uniqueness constraint (previously it was possible to append the same role to an actor many times), if you are upgrading from previous versions, please create the following migration: `add_index :permisi_actor_roles, [:actor_id, :role_id], unique: true`
+- Show warning when calling "roles.delete" because it won't invalidate the cache
+
+# 0.1.3
+
+[_View the docs._](https://github.com/ukazap/permisi/blob/v0.1.3/README.md)
+
+- Correct grammars and examples in the docs
+- Change actor permissions cache key
+
+# 0.1.2
+
+[_View the docs._](https://github.com/ukazap/permisi/blob/v0.1.2/README.md)
+
+- Fix namespaces/actions should no longer contain periods
+- Implement cache config for faster access to actor permissions
+
+# 0.1.1
+
+[_View the docs._](https://github.com/ukazap/permisi/blob/v0.1.1/README.md)
+
+- General code refactoring
+- Improvements on ActiveRecord backend:
+  - Code refactoring
+  - Implement cache invalidation
+
+# 0.1.0
+
+[_View the docs._](https://github.com/ukazap/permisi/blob/v0.1.0/README.md)
+
+Finished extraction work from my past projects.
+
+- Implement ActiveRecord backend
+- Implement `Actable` mixin
+- Implement permissions hash sanitization and checking
+
+# 0.0.1
+
+[_View the docs._](https://github.com/ukazap/permisi/blob/v0.0.1/README.md)
+
+Reserved the gem name: https://en.wiktionary.org/wiki/permisi

data/CONTRIBUTING.md

@@ -0,0 +1,25 @@
+# How to contribute
+
+This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/ukazap/permisi/blob/master/CODE_OF_CONDUCT.md).
+
+## Found a bug?
+
+- Search the [issues labeled "bug"](https://github.com/ukazap/permisi/issues?q=is%3Aissue+label%3Abug) to see if it's already reported.
+- Make sure you are using the latest version of Permisi [![Gem Version](https://badge.fury.io/rb/permisi.svg)](https://badge.fury.io/rb/permisi)
+- If you are still having an issue, create an issue including:
+  - Ruby version
+  - Gemfile.lock contents or at least major gem versions, such as Rails version
+  - Steps to reproduce the issue
+  - Full backtrace for any errors encountered
+
+## Submitting changes
+
+If you want to contribute an enhancement or a fix:
+
+- Fork the project on GitHub
+- After checking out the repo, run `bin/setup` to install dependencies
+- Make your changes with tests
+- Run `bundle exec rubocop -A` to auto-format your code
+- Run `rake spec` to run the tests
+- Commit the changes without making changes to the Rakefile or any other files that aren't related to your enhancement or fix
+- Send a pull request

data/Gemfile

@@ -5,8 +5,10 @@ source "https://rubygems.org"
 # Specify your gem's dependencies in permisi.gemspec
 gemspec
 
+gem "byebug", "~> 11.1"
+gem "codecov", "~> 0.4.3"
 gem "rake", "~> 13.0"
-
 gem "rspec", "~> 3.0"
-
-gem "rubocop", "~> 1.7"
+gem "rubocop", "~> 1.9"
+gem "simplecov", "~> 0.21.2"
+gem "sqlite3", "~> 1.4"

data/Gemfile.lock

@@ -1,13 +1,36 @@
 PATH
   remote: .
   specs:
-    permisi (0.0.0)
+    permisi (0.1.4)
+      activemodel (>= 3.2.0)
+      activerecord (>= 3.2.0)
+      activesupport (>= 3.2.0)
+      zeitwerk (~> 2.4, >= 2.4.2)
 
 GEM
   remote: https://rubygems.org/
   specs:
+    activemodel (6.1.3)
+      activesupport (= 6.1.3)
+    activerecord (6.1.3)
+      activemodel (= 6.1.3)
+      activesupport (= 6.1.3)
+    activesupport (6.1.3)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      tzinfo (~> 2.0)
+      zeitwerk (~> 2.3)
     ast (2.4.2)
+    byebug (11.1.3)
+    codecov (0.4.3)
+      simplecov (>= 0.15, < 0.22)
+    concurrent-ruby (1.1.8)
     diff-lcs (1.4.4)
+    docile (1.3.5)
+    i18n (1.8.9)
+      concurrent-ruby (~> 1.0)
+    minitest (5.14.3)
     parallel (1.20.1)
     parser (3.0.0.0)
       ast (~> 2.4.1)
@@ -28,7 +51,7 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.10.0)
     rspec-support (3.10.2)
-    rubocop (1.9.1)
+    rubocop (1.10.0)
       parallel (~> 1.10)
       parser (>= 3.0.0.0)
       rainbow (>= 2.2.2, < 4.0)
@@ -40,16 +63,30 @@ GEM
     rubocop-ast (1.4.1)
       parser (>= 2.7.1.5)
     ruby-progressbar (1.11.0)
+    simplecov (0.21.2)
+      docile (~> 1.1)
+      simplecov-html (~> 0.11)
+      simplecov_json_formatter (~> 0.1)
+    simplecov-html (0.12.3)
+    simplecov_json_formatter (0.1.2)
+    sqlite3 (1.4.2)
+    tzinfo (2.0.4)
+      concurrent-ruby (~> 1.0)
     unicode-display_width (2.0.0)
+    zeitwerk (2.4.2)
 
 PLATFORMS
   x86_64-linux
 
 DEPENDENCIES
+  byebug (~> 11.1)
+  codecov (~> 0.4.3)
   permisi!
   rake (~> 13.0)
   rspec (~> 3.0)
-  rubocop (~> 1.7)
+  rubocop (~> 1.9)
+  simplecov (~> 0.21.2)
+  sqlite3 (~> 1.4)
 
 BUNDLED WITH
    2.2.5

data/README.md

@@ -1,10 +1,46 @@
-# Permisi
-
-[![Gem Version](https://badge.fury.io/rb/permisi.svg)](https://badge.fury.io/rb/permisi)
-
-Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/permisi`. To experiment with that code, run `bin/console` for an interactive prompt.
-
-TODO: Delete this and the text above, and describe your gem
+If you're viewing this at https://github.com/ukazap/permisi, you're reading the documentation for the main branch. [Go to specific version.](https://github.com/ukazap/permisi/blob/main/CHANGELOG.md)
+
+<table>
+  <tr>
+    <th>
+      <a href="https://commons.wikimedia.org/wiki/File:Female_Chinese_Lion_Statue.jpg">
+        <img src="https://upload.wikimedia.org/wikipedia/commons/thumb/1/17/Female_Chinese_Lion_Statue.jpg/102px-Female_Chinese_Lion_Statue.jpg">
+      </a>
+    </th>
+    <th>
+      <h1>Permisi</h1>
+      <p><em>Simple and dynamic role-based access control for Rails</em></p>
+      <p>
+        <a href="https://badge.fury.io/rb/permisi">
+          <img src="https://badge.fury.io/rb/permisi.svg" alt="Gem Version">
+        </a>
+        <a href="https://codeclimate.com/github/ukazap/permisi/maintainability">
+          <img src="https://api.codeclimate.com/v1/badges/0b1238302f2012b20740/maintainability" />
+        </a>
+        <a href="https://codecov.io/gh/ukazap/permisi">
+          <img src="https://codecov.io/gh/ukazap/permisi/branch/main/graph/badge.svg?token=9YRMVFCDA8"/>
+        </a>
+      </p>
+    </th>
+    <th>
+      <a href="https://commons.wikimedia.org/wiki/File:Male_Chinese_Lion_Statue.jpg">
+        <img src="https://upload.wikimedia.org/wikipedia/commons/thumb/1/14/Male_Chinese_Lion_Statue.jpg/98px-Male_Chinese_Lion_Statue.jpg">
+      </a>
+    </th>
+  </tr>
+</table>
+
+## Concept
+
+Permisi provides a way of dynamically declaring user rights (a.k.a. permissions) using a simple role-based access control scheme.
+
+This is not an alternative to CanCanCan/Pundit, instead it complement them with dynamic role definition and role membership.
+
+Permisi has three basic concepts:
+
+- Actor: a person, group of people, or an automated agent who interacts with the app
+- Role: a job function, job title, or rank which determines an actor's authority
+- Permission: the ability to perform an action
 
 ## Installation
 
@@ -17,24 +53,197 @@ gem 'permisi'
 And then execute:
 
     $ bundle install
+    $ rails g permisi:install
+
+## Configuring backend
+
+Set `config.backend` in the initializer to the backend of choice for storing and retrieving roles:
+
+```ruby
+# config/initializers/permisi.rb
+
+Permisi.init do |config|
+  #...
+  config.backend = :active_record
+  #...
+end
+```
+
+To use `:active_record`, run the generated migration from the installation step:
+
+    $ rails db:migrate
+
+Permisi only support `:active_record` backend at the moment. In the future, it will be possible to use `:mongoid`.
+
+## Configuring permissions
+
+First you have to predefine the permissions, which is basically a set of possible actions according to the app's use cases. The actions can be grouped in any way possible. For example, you might want to define actions around resource types.
 
-Or install it yourself as:
+To define the available actions in the system, assign a hash to the `config.permissions` with the following format:
 
-    $ gem install permisi
+```ruby
+# config/initializers/permisi.rb
+Permisi.init do |config|
+  # ...
+  config.permissions = {
+    # A symbol-array pair denotes a namespace.
+    # A common use of namespacing is for grouping
+    # available actions by resources.
+    authors: [
+      # Enclosed in the array are symbols
+      # denoting available actions in the namespace:
+      :list,
+      :view,
+      :create,
+      :edit,
+      :delete
+    ],
+    # You can also use the simplified %i[] notation:
+    publishers: %i[list view create edit delete],
+    # Besides actions, you can also have nested
+    # namespaces:
+    books: [
+      :list,
+      :view,
+      :create,
+      :edit,
+      :delete,
+      {
+        editions: [
+          :list, :view, :create, :edit, :delete, :archive
+        ]
+      }
+    ]
+  }
+  # ...
+end
+```
+
+## Defining and managing roles
+
+Once you have the predefined permissions, you can then define different roles with different level of access within the boundary of the predefined permissions. You can delete or create new roles according to organizational changes. You can also modify existing roles without a change in your code.
+
+You can create, edit, and destroy roles at runtime. You might also want to define preset roles via `db/seeds.rb`.
+
+```ruby
+# Interact with Permisi.roles as you would with ActiveRecord query interfaces:
+
+# List all roles
+Permisi.roles.all
+
+# Create a new role
+admin_role = Permisi.roles.create(slug: :admin, name: "Administrator", permissions: {
+  books: {
+    list: true,
+    view: true,
+    create: true,
+    edit: true
+  }
+})
+
+# Ask specific role permission
+admin_role.allows?("books.delete") # == false
+
+# Update existing role
+admin_role.permissions[:books].merge!({ delete: true })
+admin_role.save
+admin_role.allows?("books.delete") # == true
+```
+
+## Configuring actors
+
+You can then give or take multiple roles to an actor which will allow or prevent them to perform certain actions in a flexible manner. But before you can do that, you have to wire up your user model with Permisi using via `Permisi::Actable` mixin.
+
+Permisi does not hold an assumption that a specific model is present (e.g. User model). Instead, it keeps track of "actors" internally. The goal is to support multiple use cases such as actor polymorphism, user _groups_, etc.
+
+For example, you can map your user model to Permisi's actor model like so:
+
+```ruby
+# app/models/user.rb
 
-## Usage
+class User < ApplicationRecord
+  include Permisi::Actable
+end
+```
+
+You can then interact using `#permisi` method:
+
+```ruby
+user = User.find_by_email "esther@example.com"
+user.permisi # => instance of Actor
+
+admin_role = Permisi.roles.find_by_slug(:admin)
+admin_role.allows?("books.delete") # == true
+
+user.permisi.roles << admin_role
+
+user.permisi.role?(:admin) # == true
+user.permisi.has_role?(:admin) # == user.permisi.role? :admin
+
+user.permisi.may_i?("books.delete") # == true
+user.permisi.may?("books.delete") # == user.permisi.may_i? "books.delete"
+
+user.permisi.roles.destroy(admin_role)
+
+user.permisi.role?(:admin) # == false
+user.permisi.may_i?("books.delete") # == false
+```
+
+## Caching
+
+Permisi has several optimizations out of the box: actor roles eager loading, actor permissions memoization, and the optional actor permissions caching.
+
+### Actor roles eager loading
+
+Although checking whether an actor has a role goes against a good RBAC practice, it is still possible on Permisi. Calling `role?` multiple times will only make one call to the database:
+
+```ruby
+user = User.find_by_email "esther@example.com"
+user.permisi.role?(:admin) # eager loads roles
+user.permisi.role?(:admin) # uses the eager-loaded roles
+user.permisi.has_role?(:admin) # uses the eager-loaded roles
+```
+
+### Actor permissions memoization
+
+To check whether or not an actor is allowed to perform a specific action (`#may_i?`), Permisi will check on the actor's permissions which is constructed in the following steps:
+
+- load all the roles an actor have from the database
+- initialize an empty aggregate hash
+- for each role, merge its permissions hash to the aggregate hash
+
+Deserializing the hashes from the database and deeply-merging them into an aggregate hash can be expensive, so it will only happen to an instance of actor only once through memoization.
+
+### Actor permissions caching
+
+Although memoization helps, the permission hash construction will still occur every time an actor is initialized. To alleviate this, we can introduce a caching layer so that we can skip the hash construction for fresh actors. You must configure a cache store to use caching:
+
+```ruby
+# config/initializers/permisi.rb
+
+Permisi.init do |config|
+  # You can use the default Rails cache store
+  config.cache_store = Rails.cache
+  # or use other cache stores
+  config.cache_store = ActiveSupport::Cache::RedisCacheStore.new(url: ENV['REDIS_URL'])
+  # or
+  config.cache_store = ActiveSupport::Cache::FileStore.new("/home/ukazap/permisi_cache/")
+end
+```
 
-TODO: Write usage instructions here
+You can also roll your own [custom cache store](https://guides.rubyonrails.org/caching_with_rails.html#custom-cache-stores).
 
-## Development
+### Cache/memo invalidation
 
-After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+The following will trigger actor's permissions cache/memo invalidation:
 
-To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+- adding roles to the actor
+- removing roles from the actor
+- editing roles that belongs to the actor
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/permisi. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/[USERNAME]/permisi/blob/master/CODE_OF_CONDUCT.md).
+For development and how to submit improvements, please refer to the [contribution guide](https://github.com/ukazap/permisi/blob/main/CONTRIBUTING.md).
 
 ## License
 
@@ -42,4 +251,4 @@ The gem is available as open source under the terms of the [MIT License](https:/
 
 ## Code of Conduct
 
-Everyone interacting in the Permisi project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/permisi/blob/master/CODE_OF_CONDUCT.md).
+Everyone interacting in the Permisi project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/ukazap/permisi/blob/main/CODE_OF_CONDUCT.md).

data/lib/generators/permisi/install_generator.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require "rails/generators"
+require "rails/generators/migration"
+require "rails/generators/active_record"
+
+module Permisi
+  module Generators
+    class InstallGenerator < Rails::Generators::Base
+      include Rails::Generators::Migration
+
+      source_root File.expand_path("templates", __dir__)
+
+      def self.next_migration_number(path)
+        ActiveRecord::Generators::Base.next_migration_number(path)
+      end
+
+      def create_initializer
+        template "initializer.rb", "config/initializers/permisi.rb"
+      end
+
+      def create_migrations
+        migration_template "migration.rb", "db/migrate/create_permisi_tables.rb", migration_version: migration_version
+      end
+
+      private
+
+      def migration_version
+        "[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]" if ActiveRecord.version.version > "5"
+      end
+    end
+  end
+end

data/lib/generators/permisi/templates/initializer.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require "permisi"
+
+Permisi.init do |config|
+  # Define which backend to use
+  # See https://github.com/ukazap/permisi#configuring-backend
+  config.backend = :active_record
+
+  # Define all permissions available in the system
+  # See https://github.com/ukazap/permisi#configuring-permissions
+  config.permissions = {}
+
+  # Define cache store
+  # See https://github.com/ukazap/permisi#caching
+  config.cache_store = Rails.cache
+end

data/lib/generators/permisi/templates/migration.rb

@@ -0,0 +1,30 @@
+class CreatePermisiTables < ActiveRecord::Migration<%= migration_version %>
+  def up
+    create_table :permisi_actors do |t|
+      t.references :aka, polymorphic: true
+      t.timestamps
+    end
+
+    add_index :permisi_actors, [:aka_type, :aka_id]
+
+    create_table :permisi_roles do |t|
+      t.string :slug, null: false, unique: true
+      t.string :name, null: false, unique: true
+      t.json :permissions
+      t.timestamps
+    end
+
+    create_table :permisi_actor_roles do |t|
+      t.belongs_to :actor
+      t.belongs_to :role
+    end
+
+    add_index :permisi_actor_roles, [:actor_id, :role_id], unique: true
+  end
+
+  def down
+    drop_table :permisi_actor_roles
+    drop_table :permisi_roles
+    drop_table :permisi_actors
+  end
+end

data/lib/permisi.rb

@@ -1,8 +1,35 @@
 # frozen_string_literal: true
 
-require_relative "permisi/version"
+require "active_model/type"
+require "active_support"
+require "zeitwerk"
 
 module Permisi
-  class Error < StandardError; end
-  # Your code goes here...
+  LOADER = Zeitwerk::Loader.for_gem
+
+  class << self
+    def init
+      yield config if block_given?
+    end
+
+    def config
+      @config ||= Config.new
+    end
+
+    def actors
+      config.backend.actors
+    end
+
+    def actor(aka)
+      config.backend.findsert_actor(aka)
+    end
+
+    def roles
+      config.backend.roles
+    end
+  end
 end
+
+Permisi::LOADER.ignore("#{__dir__}/generators")
+Permisi::LOADER.ignore("#{__dir__}/permisi/backend/mongoid.rb") # todo
+Permisi::LOADER.setup

data/lib/permisi/actable.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Permisi
+  module Actable
+    def permisi_actor
+      @permisi_actor ||= Permisi.actor(self)
+    end
+
+    alias permisi permisi_actor
+  end
+end

data/lib/permisi/backend.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Permisi
+  module Backend
+    class InvalidBackend < StandardError
+      def initialize(message = "Please check https://github.com/ukazap/permisi#configuring-backend")
+        super
+      end
+    end
+
+    module NullBackend
+      class << self
+        def findsert_actor(_aka)
+          raise InvalidBackend
+        end
+
+        def actors
+          raise InvalidBackend
+        end
+
+        def roles
+          raise InvalidBackend
+        end
+      end
+    end
+  end
+end

data/lib/permisi/backend/active_record.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require "active_record"
+
+module Permisi
+  module Backend
+    module ActiveRecord
+      class << self
+        def table_name_prefix
+          "permisi_"
+        end
+
+        def findsert_actor(aka)
+          Actor.find_or_create_by(aka: aka)
+        end
+
+        def actors
+          Actor.all
+        end
+
+        def roles
+          Role.all
+        end
+      end
+    end
+  end
+end

data/lib/permisi/backend/active_record/actor.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+module Permisi
+  module Backend
+    module ActiveRecord
+      class Actor < ::ActiveRecord::Base
+        belongs_to :aka, polymorphic: true, touch: true
+        has_many :actor_roles, dependent: :destroy
+        has_many :roles, -> { distinct }, through: :actor_roles
+
+        after_commit :reset_permissions
+
+        def roles
+          super.extend(ActorRolesCollectionProxy)
+        end
+
+        def role?(role_slug)
+          roles.load.any? { |role| role.slug == role_slug.to_s }
+        end
+
+        def may_i?(action_path)
+          PermissionUtil.allows?(permissions, action_path)
+        end
+
+        # Memoized and cached actor permissions
+        def permissions
+          @permissions ||= Permisi.config.cache_store.fetch("#{cache_key}-p") { aggregate_permissions }
+        end
+
+        # Aggregate permissions from all roles an actor plays
+        def aggregate_permissions
+          roles.load.inject(HashWithIndifferentAccess.new) do |aggregate, role|
+            aggregate.deep_merge(role.permissions) do |_key, effect, another_effect|
+              effect == true || another_effect == true
+            end
+          end
+        end
+
+        def reset_permissions
+          @permissions = nil
+        end
+
+        alias may? may_i?
+        alias has_role? role?
+
+        module ActorRolesCollectionProxy
+          def <<(new_role)
+            super
+          rescue ::ActiveRecord::RecordNotUnique
+            self
+          end
+
+          def delete(*records)
+            warn "WARNING: `#delete(*records)` won't invalidate the cache, use `#destroy(*records)` instead."
+            super
+          end
+        end
+      end
+    end
+  end
+end

data/lib/permisi/backend/active_record/actor_role.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Permisi
+  module Backend
+    module ActiveRecord
+      class ActorRole < ::ActiveRecord::Base
+        belongs_to :actor, touch: true
+        belongs_to :role
+
+        after_destroy :touch_actor
+
+        private
+
+        def touch_actor
+          actor.touch
+        end
+      end
+    end
+  end
+end

data/lib/permisi/backend/active_record/role.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Permisi
+  module Backend
+    module ActiveRecord
+      class Role < ::ActiveRecord::Base
+        has_many :actor_roles, dependent: :destroy
+        has_many :actors, through: :actor_roles
+        has_many :akas, through: :actors
+
+        validates_presence_of :name, :slug
+        validates_uniqueness_of :name, :slug
+
+        after_initialize :set_default_permissions
+        before_validation :sanitize_attributes
+        after_update :touch_actor_roles
+
+        serialize :permissions, Permisi::PermissionUtil::Serializer
+
+        def allows?(action_path)
+          Permisi::PermissionUtil.allows?(permissions, action_path)
+        end
+
+        private
+
+        def set_default_permissions
+          self.permissions ||= HashWithIndifferentAccess.new if new_record?
+        end
+
+        def sanitize_attributes
+          self.name ||= slug.try(:titleize)
+          self.permissions = Permisi::PermissionUtil.sanitize_permissions(self.permissions)
+        end
+
+        def touch_actor_roles
+          actor_roles.each(&:touch)
+        end
+      end
+    end
+  end
+end

data/lib/permisi/backend/mongoid.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Permisi
+  module Backend
+    module Mongoid
+      raise "under construction"
+    end
+  end
+end

data/lib/permisi/config.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+module Permisi
+  class Config
+    class InvalidCacheStore < StandardError; end
+
+    NULL_CACHE_STORE = ActiveSupport::Cache::NullStore.new
+
+    attr_reader :permissions, :default_permissions
+
+    def initialize
+      @permissions = ::HashWithIndifferentAccess.new
+      @default_permissions = ::HashWithIndifferentAccess.new
+    end
+
+    def backend=(chosen_backend)
+      chosen_backend = "::Permisi::Backend::#{chosen_backend.to_s.classify}".constantize if chosen_backend.is_a? Symbol
+
+      if chosen_backend == Backend::ActiveRecord && VERSION == "0.1.4"
+        warn <<~MESSAGE
+
+          WARNING: If you are upgrading from Permisi >v0.1.4, please create the following migration:
+          `add_index :permisi_actor_roles, [:actor_id, :role_id], unique: true`
+
+        MESSAGE
+      end
+
+      @backend = chosen_backend
+    rescue NameError
+      raise Backend::InvalidBackend
+    end
+
+    def backend
+      @backend || Backend::NullBackend
+    end
+
+    def permissions=(permissions_hash)
+      permissions_hash = HashWithIndifferentAccess.new(permissions_hash)
+      @default_permissions = PermissionUtil.transform_namespace(permissions_hash)
+      @permissions = permissions_hash
+    end
+
+    def cache_store=(cache_store)
+      raise InvalidCacheStore unless cache_store.respond_to?(:fetch)
+
+      @cache_store = cache_store
+    end
+
+    def cache_store
+      @cache_store || NULL_CACHE_STORE
+    end
+  end
+end

data/lib/permisi/permission_util.rb

@@ -0,0 +1,100 @@
+# frozen_string_literal: true
+
+module Permisi
+  module PermissionUtil
+    class InvalidNamespace < StandardError; end
+
+    class << self
+      def allows?(hash, action_path)
+        return false unless hash.is_a?(Hash)
+
+        action_path_arr = action_path.split(".")
+        begin
+          !Permisi.config.default_permissions.dig(*action_path_arr).nil?
+        rescue StandardError
+          false
+        end &&
+          hash.dig(*action_path_arr) == true
+      end
+
+      def transform_namespace(namespace, current_path: nil)
+        HashWithIndifferentAccess.new.tap do |transformed|
+          namespace.each_pair do |key, value|
+            if !value.is_a? Array
+              raise InvalidNamespace,
+                    "`#{[current_path, key].compact.join(".")}` should be an array"
+            end
+
+            if key.to_s.include?(".")
+              raise InvalidNamespace, "namespace or action should not contain period: `#{key}`"
+            end
+
+            value.each.with_index do |arr_v, arr_i|
+              case arr_v
+              when Symbol
+                if arr_v.to_s.include?(".")
+                  raise InvalidNamespace, "namespace or action should not contain period: `#{arr_v}`"
+                end
+
+                transformed[key] ||= ::HashWithIndifferentAccess.new
+                if transformed[key].key? arr_v
+                  raise InvalidNamespace, "duplicate entry: `#{[current_path, key, arr_v].compact.join(".")}`"
+                end
+
+                transformed[key][arr_v] = false
+              when Hash
+                transform_namespace(arr_v,
+                                    current_path: [current_path, key].compact.join(".")).each_pair do |ts_k, ts_v|
+                  transformed[key] ||= ::HashWithIndifferentAccess.new
+                  if transformed[key].key? ts_k
+                    raise InvalidNamespace, "duplicate entry: `#{[current_path, key, ts_k].compact.join(".")}`"
+                  end
+
+                  transformed[key][ts_k] = ts_v
+                end
+              else
+                raise InvalidNamespace,
+                      "`#{[current_path, key].compact.join(".")}[#{arr_i}]` should be a symbol or a hash"
+              end
+            end
+          end
+        end
+      end
+
+      def sanitize_permissions(permission_hash)
+        __deeply_sanitize_permissions(permission_hash, template: Permisi.config.default_permissions)
+      end
+
+      private
+
+      def __deeply_sanitize_permissions(permission_hash, template: {})
+        HashWithIndifferentAccess.new.tap do |sanitized|
+          permission_hash.each_pair do |key, value|
+            next unless template.key?(key)
+
+            sanitized[key] = if value.is_a?(Hash)
+                               __deeply_sanitize_permissions(value, template: template[key])
+                             else
+                               __cast_value_to_boolean(value)
+                             end
+          end
+        end
+      end
+
+      def __cast_value_to_boolean(value)
+        bool = ActiveModel::Type::Boolean.new.cast(value)
+        bool ||= false
+      end
+    end
+
+    class Serializer
+      def self.dump(hash)
+        hash
+      end
+
+      def self.load(hash)
+        (hash.is_a?(Hash) ? hash : {}).with_indifferent_access
+      end
+    end
+  end
+end

data/lib/permisi/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Permisi
-  VERSION = "0.0.1"
+  VERSION = "0.1.4"
 end

data/permisi.gemspec

@@ -8,15 +8,21 @@ Gem::Specification.new do |spec|
   spec.authors       = ["Ukaza Perdana"]
   spec.email         = ["ukaza@hey.com"]
 
-  spec.summary       = "Simple and dynamic user roles and permissions scheme for Rails"
-  spec.description   = "Permisi provides a way of dynamically declaring user rights (a.k.a. permissions) using a simple role-based access control scheme. A user may be associated to multiple roles with a different set of rights in each role."
+  spec.summary       = "Simple and dynamic role-based access control for Rails"
+
+  spec.description   = <<~DESCRIPTION
+    Permisi provides a way of dynamically declaring user rights (a.k.a. permissions) using a simple role-based access control scheme.
+    A user may be associated to multiple roles with a different set of permissions in each role.
+    The roles and user-roles association can be dynamically defined and changed on runtime.
+  DESCRIPTION
+
   spec.homepage      = "https://github.com/ukazap/permisi"
   spec.license       = "MIT"
-  spec.required_ruby_version = Gem::Requirement.new(">= 2.4.0")
+  spec.required_ruby_version = Gem::Requirement.new(">= 2.4.4")
 
   spec.metadata["homepage_uri"] = spec.homepage
   spec.metadata["source_code_uri"] = spec.homepage
-  spec.metadata["changelog_uri"] = "https://github.com/ukazap/permisi/blob.main/CHANGELOG.md"
+  spec.metadata["changelog_uri"] = "#{spec.homepage}/blob/main/CHANGELOG.md"
 
   # Specify which files should be added to the gem when it is released.
   # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
@@ -27,8 +33,10 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  # Uncomment to register a new dependency of your gem
-  # spec.add_dependency "example-gem", "~> 1.0"
+  spec.add_dependency "activemodel", ">= 3.2.0"
+  spec.add_dependency "activerecord", ">= 3.2.0"
+  spec.add_dependency "activesupport", ">= 3.2.0"
+  spec.add_dependency "zeitwerk", ["~> 2.4", ">= 2.4.2"]
 
   # For more information and examples about making a new gem, checkout our
   # guide at: https://bundler.io/guides/creating_gem.html

metadata

@@ -1,30 +1,94 @@
 --- !ruby/object:Gem::Specification
 name: permisi
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.1.4
 platform: ruby
 authors:
 - Ukaza Perdana
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-02-04 00:00:00.000000000 Z
-dependencies: []
-description: Permisi provides a way of dynamically declaring user rights (a.k.a. permissions)
-  using a simple role-based access control scheme. A user may be associated to multiple
-  roles with a different set of rights in each role.
+date: 2021-02-23 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: activemodel
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+- !ruby/object:Gem::Dependency
+  name: activerecord
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+- !ruby/object:Gem::Dependency
+  name: zeitwerk
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.4'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.4.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.4'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.4.2
+description: |
+  Permisi provides a way of dynamically declaring user rights (a.k.a. permissions) using a simple role-based access control scheme.
+  A user may be associated to multiple roles with a different set of permissions in each role.
+  The roles and user-roles association can be dynamically defined and changed on runtime.
 email:
 - ukaza@hey.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".github/workflows/main.yml"
+- ".github/workflows/ci.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
+- CONTRIBUTING.md
 - Gemfile
 - Gemfile.lock
 - LICENSE.txt
@@ -32,7 +96,19 @@ files:
 - Rakefile
 - bin/console
 - bin/setup
+- lib/generators/permisi/install_generator.rb
+- lib/generators/permisi/templates/initializer.rb
+- lib/generators/permisi/templates/migration.rb
 - lib/permisi.rb
+- lib/permisi/actable.rb
+- lib/permisi/backend.rb
+- lib/permisi/backend/active_record.rb
+- lib/permisi/backend/active_record/actor.rb
+- lib/permisi/backend/active_record/actor_role.rb
+- lib/permisi/backend/active_record/role.rb
+- lib/permisi/backend/mongoid.rb
+- lib/permisi/config.rb
+- lib/permisi/permission_util.rb
 - lib/permisi/version.rb
 - permisi.gemspec
 homepage: https://github.com/ukazap/permisi
@@ -41,7 +117,7 @@ licenses:
 metadata:
   homepage_uri: https://github.com/ukazap/permisi
   source_code_uri: https://github.com/ukazap/permisi
-  changelog_uri: https://github.com/ukazap/permisi/blob.main/CHANGELOG.md
+  changelog_uri: https://github.com/ukazap/permisi/blob/main/CHANGELOG.md
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -50,7 +126,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.4.0
+      version: 2.4.4
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
@@ -60,5 +136,5 @@ requirements: []
 rubygems_version: 3.2.3
 signing_key: 
 specification_version: 4
-summary: Simple and dynamic user roles and permissions scheme for Rails
+summary: Simple and dynamic role-based access control for Rails
 test_files: []

data/.github/workflows/main.yml

@@ -1,18 +0,0 @@
-name: Ruby
-
-on: [push,pull_request]
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v2
-    - name: Set up Ruby
-      uses: ruby/setup-ruby@v1
-      with:
-        ruby-version: 3.0.0
-    - name: Run the default task
-      run: |
-        gem install bundler -v 2.2.5
-        bundle install
-        bundle exec rake