protector 0.0.4 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5196d6460c7c9550f4be2cef9135916d900dcdc0
-  data.tar.gz: 08886a665e9f57db43dd49d064c23b569e01106b
+  metadata.gz: 70b9f27e548ca491e3d9e72033d82ccc6c1ef9a6
+  data.tar.gz: 174de9ede88655d225d7281e2d633cfd9c113cd4
 SHA512:
-  metadata.gz: 87cd3b93a9b8b3ca0b86d034234385111cd8aa9c793e6440908fc6362a6160e21a7d6010b6c89018a4245a44e1cb043c0086a023cf88ce50e501be7a21cece95
-  data.tar.gz: 2fffcf64bc2669bfb3292e432e52408d1a9207263085a6cac74dde4200882dc645523c93320449ffe9320f76aa94389caf3ce2c7c993ddfc56333e2426d1d5c8
+  metadata.gz: 7f86cb799de05ecb102b5c413492024be29a3d5b27a40e479c7e94e9afcfc7d47f8203e4e62d99f9ed406fa2943880acca7f79449341f3a6fc8ac480b8e59b59
+  data.tar.gz: 4864da9f17564ee319ed2faa7891a7a5e30f336bd7a9966ffda20aeae96337e02148ebf196bd0f504ad14f4487ff84b3ede8e7580a8e6f1ac045779ba33176c8

data/Appraisals

@@ -1,5 +1,5 @@
 appraise "AR_3.2" do
-  gem "activerecord", "3.2", require: "active_record"
+  gem "activerecord", "3.2.9", require: "active_record"
   gem "activerecord-jdbcsqlite3-adapter", platform: :jruby, github: "jruby/activerecord-jdbc-adapter"
 end
 

data/README.md

@@ -7,7 +7,7 @@ Protector is a Ruby ORM extension for managing security restrictions on a field
 
 Currently Protector supports the following ORM adapters:
 
-  * [ActiveRecord](http://guides.rubyonrails.org/active_record_querying.html) (>= 3.2)
+  * [ActiveRecord](http://guides.rubyonrails.org/active_record_querying.html) (>= 3.2.9)
 
 We are working hard to extend the list with:
 
@@ -111,6 +111,27 @@ Protector is aware of associations. All the associations retrieved from restrict
 
 The access to `belongs_to` kind of association depends on corresponding foreign key readability.
 
+## Eager Loading
+
+To take a long story short: it works and you are very likely to never notice changes it introduces to the process.
+
+Eager Loading has 2 possible strategies: JOINs and additional requests. Whenever you mark an association to preload and at the same time use this relation among `where` clause – ORMs prefer JOIN. Otherwise it goes with additional requests.
+
+```ruby
+Foo.includes(:bars)                                  # This will make 2 queries
+Foo.includes(:bars).where(bars: {absolute: true})    # This will make 1 big JOINfull query
+```
+
+The problem here is that JOIN strategy is impossible for scoped restrictions. I.e. for the following code:
+
+```ruby
+Foo.restrict(current_user).includes(:bars).where(bars: {absolute: true})
+```
+
+we can appear in the situation where `foos` and `bars` relations are having different restrictions scopes. In this case JOIN would filter by an intersection of scopes which is wrong.
+
+To solve the issue Protector forces additional requests strategy and intelligently adds proper JOINs to the general query to make your conditions work. That's why unlike unrestricted query from the first sample, the code from the second sample will result into 2 queries.
+
 ## Ideology
 
 Protector is a successor to [Heimdallr](https://github.com/inossidabile/heimdallr). The latter being a proof-of-concept appeared to be way too paranoid and incompatible with the rest of the world. Protector re-implements same idea keeping the Ruby way:

data/gemfiles/AR_3.2.gemfile

@@ -10,7 +10,7 @@ gem "guard-rspec"
 gem "appraisal"
 gem "sqlite3", :platform=>:ruby
 gem "jdbc-sqlite3", :platform=>:jruby
-gem "activerecord", "3.2", :require=>"active_record"
+gem "activerecord", "3.2.9", :require=>"active_record"
 gem "activerecord-jdbcsqlite3-adapter", :platform=>:jruby, :github=>"jruby/activerecord-jdbc-adapter"
 
 gemspec :path=>"../"

data/gemfiles/AR_3.2.gemfile.lock

@@ -1,31 +1,27 @@
 GIT
   remote: git://github.com/jruby/activerecord-jdbc-adapter.git
-  revision: b1cb2cb59496a7c3ae22799f88c8c4789e6a8cce
+  revision: 180dd863d30d6048c914622e4e77f018cf77026a
   specs:
-    activerecord-jdbcsqlite3-adapter (1.3.0.DEV)
-      activerecord-jdbc-adapter (~> 1.3.0.DEV)
-      jdbc-sqlite3 (~> 3.7.2)
 
 PATH
   remote: /Users/inossidabile/Repos/protector
   specs:
-    protector (0.0.3)
+    protector (0.1.0)
       activesupport
       i18n
 
 GEM
   remote: https://rubygems.org/
   specs:
-    activemodel (3.2.0)
-      activesupport (= 3.2.0)
+    activemodel (3.2.9)
+      activesupport (= 3.2.9)
       builder (~> 3.0.0)
-    activerecord (3.2.0)
-      activemodel (= 3.2.0)
-      activesupport (= 3.2.0)
-      arel (~> 3.0.0)
+    activerecord (3.2.9)
+      activemodel (= 3.2.9)
+      activesupport (= 3.2.9)
+      arel (~> 3.0.2)
       tzinfo (~> 0.3.29)
-    activerecord-jdbc-adapter (1.3.0.beta1)
-    activesupport (3.2.0)
+    activesupport (3.2.9)
       i18n (~> 0.6)
       multi_json (~> 1.0)
     appraisal (0.5.2)
@@ -36,7 +32,6 @@ GEM
     coderay (1.0.9)
     diff-lcs (1.2.4)
     ffi (1.8.1)
-    ffi (1.8.1-java)
     formatador (0.2.4)
     guard (1.8.0)
       formatador (>= 0.2.4)
@@ -48,23 +43,17 @@ GEM
       guard (>= 1.8)
       rspec (~> 2.13)
     i18n (0.6.4)
-    jdbc-sqlite3 (3.7.2)
     listen (1.1.3)
       rb-fsevent (>= 0.9.3)
       rb-inotify (>= 0.9)
       rb-kqueue (>= 0.2)
     lumberjack (1.0.3)
     method_source (0.8.1)
-    multi_json (1.7.3)
+    multi_json (1.7.4)
     pry (0.9.12.2)
       coderay (~> 1.0.5)
       method_source (~> 0.8)
       slop (~> 3.4)
-    pry (0.9.12.2-java)
-      coderay (~> 1.0.5)
-      method_source (~> 0.8)
-      slop (~> 3.4)
-      spoon (~> 0.0)
     rake (10.0.4)
     rb-fsevent (0.9.3)
     rb-inotify (0.9.0)
@@ -80,18 +69,15 @@ GEM
       diff-lcs (>= 1.1.3, < 2.0)
     rspec-mocks (2.13.1)
     slop (3.4.5)
-    spoon (0.0.4)
-      ffi
     sqlite3 (1.3.7)
     thor (0.18.1)
     tzinfo (0.3.37)
 
 PLATFORMS
-  java
   ruby
 
 DEPENDENCIES
-  activerecord (= 3.2)
+  activerecord (= 3.2.9)
   activerecord-jdbcsqlite3-adapter!
   appraisal
   guard

data/gemfiles/AR_4.gemfile.lock

@@ -9,7 +9,7 @@ GIT
 PATH
   remote: /Users/inossidabile/Repos/protector
   specs:
-    protector (0.0.3)
+    protector (0.1.0)
       activesupport
       i18n
 

data/lib/protector/adapters/active_record.rb

@@ -1,6 +1,7 @@
 require 'protector/adapters/active_record/base'
 require 'protector/adapters/active_record/association'
 require 'protector/adapters/active_record/relation'
+require 'protector/adapters/active_record/preloader'
 
 module Protector
   module Adapters
@@ -10,7 +11,8 @@ module Protector
         ::ActiveRecord::Relation.send :include, Protector::Adapters::ActiveRecord::Relation
         ::ActiveRecord::Associations::SingularAssociation.send :include, Protector::Adapters::ActiveRecord::Association
         ::ActiveRecord::Associations::CollectionAssociation.send :include, Protector::Adapters::ActiveRecord::Association
-        # ::ActiveRecord::Associations::Preloader::Association.send :include, Protector::Adapters::ActiveRecord::PreloaderAssociation
+        ::ActiveRecord::Associations::Preloader.send :include, Protector::Adapters::ActiveRecord::Preloader
+        ::ActiveRecord::Associations::Preloader::Association.send :include, Protector::Adapters::ActiveRecord::Preloader::Association
       end
     end
   end

data/lib/protector/adapters/active_record/association.rb

@@ -5,25 +5,18 @@ module Protector
         extend ActiveSupport::Concern
 
         included do
-          alias_method_chain :scope, :protector
+          if method_defined?(:scope)
+            alias_method_chain :scope, :protector
+          else
+            alias_method "scope_without_protector", "scoped"
+            alias_method "scoped", "scope_with_protector"
+          end
         end
 
         def scope_with_protector(*args)
           scope_without_protector(*args).restrict!(owner.protector_subject)
         end
       end
-
-      module PreloaderAssociation
-        extend ActiveSupport::Concern
-
-        included do
-          alias_method_chain :scope, :protector
-        end
-
-        def scope_with_protector
-          scope_without_protector
-        end
-      end
     end
   end
 end

data/lib/protector/adapters/active_record/base.rb

@@ -46,7 +46,8 @@ module Protector
           def define_method_attribute(name)
             super
 
-            unless (primary_key == name || (primary_key.is_a?(Array) && primary_key.include?(name)))
+            # Show some <3 to composite primary keys
+            unless (primary_key == name || Array(primary_key).include?(name))
               generated_attribute_methods.module_eval <<-STR, __FILE__, __LINE__ + 1
                 alias_method #{"#{name}_unprotected".inspect}, #{name.inspect}
 
@@ -69,8 +70,8 @@ module Protector
 
           self.class.protector_meta.evaluate(
             self.class,
-            self.class.column_names,
             @protector_subject,
+            self.class.column_names,
             self
           )
         end

data/lib/protector/adapters/active_record/preloader.rb

@@ -0,0 +1,32 @@
+module Protector
+  module Adapters
+    module ActiveRecord
+      module Preloader extend ActiveSupport::Concern
+
+        module Association extend ActiveSupport::Concern
+          included do
+            if method_defined?(:scope)
+              alias_method_chain :scope, :protector
+            else
+              alias_method "scope_without_protector", "scoped"
+              alias_method "scoped", "scope_with_protector"
+            end
+          end
+
+          def protector_subject
+            # Owners are always loaded from the single source
+            # having same protector_subject
+            owners.first.protector_subject
+          end
+
+          def scope_with_protector(*args)
+            return scope_without_protector unless protector_subject
+
+            @meta ||= klass.protector_meta.evaluate(klass, protector_subject)
+            scope_without_protector.merge(@meta.relation)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/protector/adapters/active_record/relation.rb

@@ -8,10 +8,29 @@ module Protector
           include Protector::DSL::Base
 
           alias_method_chain :exec_queries, :protector
+          alias_method_chain :eager_loading?, :protector
+
+          attr_accessor :eager_loadable_when_protected
+
+          # AR 3.2 workaround. Come on, guys... SQL parsing :(
+          unless method_defined?(:references_values)
+            def references_values
+              tables_in_string(to_sql)
+            end
+          end
+
+          unless method_defined?(:includes!)
+            def includes!(*args)
+              self.includes_values += args
+              self
+            end
+          end
         end
 
         def protector_meta
-          @klass.protector_meta.evaluate(@klass, @klass.column_names, @protector_subject)
+          # We don't seem to require columns here as well
+          # @klass.protector_meta.evaluate(@klass, @protector_subject, @klass.column_names)
+          @klass.protector_meta.evaluate(@klass, @protector_subject)
         end
 
         def unscoped
@@ -41,7 +60,119 @@ module Protector
 
           subject  = @protector_subject
           relation = merge(protector_meta.relation).unrestrict!
+
+          relation = protector_substitute_includes(relation)
+
+          # We should explicitly allow/deny eager loading now that we know
+          # if we can use it
+          relation.eager_loadable_when_protected = relation.includes_values.any?
+
+          # Preserve associations from internal loading. We are going to handle that
+          # ourselves respecting security scopes FTW!
+          associations, relation.preload_values = relation.preload_values, []
+
           @records = relation.send(:exec_queries).each{|r| r.restrict!(subject)}
+
+          # Now we have @records restricted properly so let's preload associations!
+          associations.each do |a|
+            ::ActiveRecord::Associations::Preloader.new(@records, a).run
+          end
+
+          @loaded = true
+          @records
+        end
+
+        #
+        # This method swaps `includes` with `preload` and adds JOINs
+        # to any table referenced from `where` (or manually with `reference`)
+        #
+        def protector_substitute_includes(relation)
+          subject = @protector_subject
+          includes, relation.includes_values = relation.includes_values, []
+
+          # We can not allow join-based eager loading for scoped associations
+          # since actual filtering can differ for host model and joined relation.
+          # Therefore we turn all `includes` into `preloads`.
+          # 
+          # Note that `includes_values` shares reference across relation diffs so
+          # it has to be COPIED not modified
+          includes.each do |iv|
+            protector_expand_include(iv).each do |ive|
+              # First-level associations can stay JOINed if restriction scope
+              # is absent. Checking deep associations would make us to check
+              # every parent. This should probably be done sometimes :\
+              meta = ive[0].protector_meta.evaluate(ive[0], subject) unless ive[1].is_a?(Hash)
+
+              # We leave unscoped restrictions as `includes`
+              # but turn scoped ones into `preloads`
+              if meta && !meta.scoped?
+                relation.includes!(ive[1])
+              else
+                if relation.references_values.include?(ive[0].table_name)
+                  if relation.respond_to?(:joins!)
+                    relation.joins!(ive[1])
+                  else
+                    relation = relation.joins(ive[1])
+                  end
+                end
+
+                # AR 3.2 Y U NO HAVE BANG RELATION MODIFIERS
+                relation.preload_values << ive[1]
+                false
+              end
+            end
+          end
+
+          relation
+        end
+
+        #
+        # Indexes `includes` format by actual entity class
+        # Turns {foo: :bar} into [[Foo, :foo], [Bar, {foo: :bar}]
+        #
+        def protector_expand_include(inclusion, results=[], base=[], klass=@klass)
+          if inclusion.is_a?(Hash)
+            protector_expand_include_hash(inclusion, results, base, klass)
+          else
+            Array(inclusion).each do |i|
+              if i.is_a?(Hash)
+                protector_expand_include_hash(i, results, base, klass)
+              else
+                results << [
+                  klass.reflect_on_association(i.to_sym).klass,
+                  i.to_sym
+                ]
+              end
+            end
+          end
+
+          results
+        end
+
+        def protector_expand_include_hash(inclusion, results=[], base=[], klass=@klass)
+          inclusion.each do |key, value|
+            model = klass.reflect_on_association(key.to_sym).klass
+            value = [value] unless value.is_a?(Array)
+
+            value.each do |v|
+              if v.is_a?(Hash)
+                protector_expand_include_hash(v, results, [key]+base)
+              else
+                results << [
+                  model.reflect_on_association(v.to_sym).klass,
+                  ([key]+base).inject(v){|a, n| { n => a } }
+                ]
+              end
+            end
+
+            results << [model, base.inject(key){|a, n| { n => a } }]
+          end
+        end
+
+        def eager_loading_with_protector?
+          flag = eager_loading_without_protector?
+          flag &&= !!@eager_loadable_when_protected unless @eager_loadable_when_protected.nil?
+          flag
         end
       end
     end

data/lib/protector/dsl.rb

@@ -30,6 +30,10 @@ module Protector
           @access.each{|k,v| @access_keys[k] = v.keys}
         end
 
+        def scoped?
+          !!@relation
+        end
+
         def scope(&block)
           @relation = @model.instance_eval(&block)
         end
@@ -112,7 +116,7 @@ module Protector
         (@blocks ||= []) << block
       end
 
-      def evaluate(model, fields, subject, entry=nil)
+      def evaluate(model, subject, fields=[], entry=nil)
         Box.new(model, fields, subject, entry, @blocks)
       end
     end

data/lib/protector/version.rb

@@ -1,3 +1,3 @@
 module Protector
-  VERSION = "0.0.4"
+  VERSION = "0.1.0"
 end

data/spec/lib/adapters/active_record_spec.rb

@@ -3,21 +3,29 @@ require 'spec_helpers/boot'
 if defined?(ActiveRecord)
 
   RSpec::Matchers.define :invalidate do
-  match do |actual|
-    actual.save.should == false
-    actual.errors[:base].should == ["Access denied"]
-  end
+    match do |actual|
+      actual.save.should == false
+      actual.errors[:base].should == ["Access denied"]
+    end
   end
 
   RSpec::Matchers.define :validate do
-  match do |actual|
-    actual.class.transaction do
-      actual.save.should == true
-      raise ActiveRecord::Rollback
-    end
+    match do |actual|
+      actual.class.transaction do
+        actual.save.should == true
+        raise ActiveRecord::Rollback
+      end
 
-    true
+      true
+    end
   end
+
+  def log!
+    around(:each) do |e|
+      ActiveRecord::Base.logger = Logger.new(STDOUT)
+      e.run
+      ActiveRecord::Base.logger = nil
+    end
   end
 
   describe Protector::Adapters::ActiveRecord do
@@ -25,67 +33,82 @@ if defined?(ActiveRecord)
       ActiveRecord::Schema.verbose = false
       ActiveRecord::Base.establish_connection adapter: "sqlite3", database: ":memory:"
 
-      ActiveRecord::Migration.create_table :dummies do |t|
-        t.string      :string
-        t.integer     :number
-        t.text        :text
-        t.timestamps
+      [:dummies, :fluffies, :bobbies].each do |m|
+        ActiveRecord::Migration.create_table m do |t|
+          t.string      :string
+          t.integer     :number
+          t.text        :text
+          t.belongs_to  :dummy
+          t.timestamps
+        end
       end
 
-      ActiveRecord::Migration.create_table :fluffies do |t|
-        t.string      :string
-        t.integer     :number
-        t.belongs_to  :dummy
-        t.timestamps
-      end
+      ActiveRecord::Migration.create_table(:loonies){|t| t.belongs_to :fluffy; t.string :string }
 
       Protector::Adapters::ActiveRecord.activate!
 
-      class Dummy < ActiveRecord::Base
-        protect do |x|
-          scope{ where('1=0') } if x == '-'
-          scope{ where(number: 999) } if x == '+'
+      module Tester extend ActiveSupport::Concern
+        included do
+          protect do |x|
+            scope{ where('1=0') } if x == '-'
+            scope{ where(number: 999) } if x == '+' 
+
+            can :view, :dummy_id unless x == '-'
+          end
+
+          scope :none, where('1 = 0') unless respond_to?(:none)
         end
+      end
 
-        scope :none, where('1 = 0') unless respond_to?(:none)
+      class Dummy < ActiveRecord::Base
+        include Tester
         has_many :fluffies
+        has_many :bobbies
       end
-      Dummy.create! string: 'zomgstring', number: 999, text: 'zomgtext'
-      Dummy.create! string: 'zomgstring', number: 777, text: 'zomgtext'
 
       class Fluffy < ActiveRecord::Base
-        protect do |x|
-          scope{ where('1=0') } if x == '-'
-          scope{ where(number: 999) } if x == '+'
+        include Tester
+        belongs_to :dummy
+        has_one :loony
+      end
 
-          can :view, :dummy_id unless x == '-'
-        end
+      class Bobby < ActiveRecord::Base
+        protect do; end
+      end
 
-        scope :none, where('1 = 0') unless respond_to?(:none)
-        belongs_to :dummy
+      class Loony < ActiveRecord::Base
+        protect do; end
+      end
+
+      Dummy.create! string: 'zomgstring', number: 999, text: 'zomgtext'
+      Dummy.create! string: 'zomgstring', number: 999, text: 'zomgtext'
+      Dummy.create! string: 'zomgstring', number: 777, text: 'zomgtext'
+      Dummy.create! string: 'zomgstring', number: 777, text: 'zomgtext'
+
+      [Fluffy, Bobby].each do |m|
+        m.create! string: 'zomgstring', number: 999, text: 'zomgtext', dummy_id: 1
+        m.create! string: 'zomgstring', number: 777, text: 'zomgtext', dummy_id: 1
+        m.create! string: 'zomgstring', number: 999, text: 'zomgtext', dummy_id: 2
+        m.create! string: 'zomgstring', number: 777, text: 'zomgtext', dummy_id: 2
       end
-      Fluffy.create! string: 'zomgstring', number: 999, dummy_id: 1
-      Fluffy.create! string: 'zomgstring', number: 777, dummy_id: 1
+
+      Fluffy.all.each{|f| Loony.create! fluffy_id: f.id, string: 'zomgstring' }
     end
 
     describe Protector::Adapters::ActiveRecord::Base do
-      before(:each) do
-        @dummy = Class.new(ActiveRecord::Base) do
+      let(:dummy) do
+        Class.new(ActiveRecord::Base) do
           self.table_name = "dummies"
           scope :none, where('1 = 0') unless respond_to?(:none)
         end
       end
 
       it "includes" do
-        @dummy.ancestors.should include(Protector::Adapters::ActiveRecord::Base)
+        Dummy.ancestors.should include(Protector::Adapters::ActiveRecord::Base)
       end
 
       it "scopes" do
-        @dummy.instance_eval do
-          protect do; scope{ all }; end
-        end
-
-        scope = @dummy.restrict!('!')
+        scope = Dummy.restrict!('!')
         scope.should be_a_kind_of ActiveRecord::Relation
         scope.protector_subject.should == '!'
       end
@@ -93,101 +116,104 @@ if defined?(ActiveRecord)
       it_behaves_like "a model"
 
       describe "eager loading" do
-        # around(:each) do |e|
-        #   ActiveRecord::Base.logger = Logger.new(STDOUT)
-        #   e.run
-        #   ActiveRecord::Base.logger = nil
-        # end
-
         it "scopes" do
-          dummy = Dummy.restrict!('+').includes(:fluffies).first
-          dummy.fluffies.length.should == 1
+          d = Dummy.restrict!('+').includes(:fluffies)
+          d.length.should == 2
+          d.first.fluffies.length.should == 1
         end
-      end
-    end
 
-    describe Protector::Adapters::ActiveRecord::Relation do
-      before(:all) do
-        @dummy = Class.new(ActiveRecord::Base) do
-          self.table_name = "dummies"
-          scope :none, where('1 = 0') unless respond_to?(:none)
+        context "joined to filtered association" do
+          it "scopes" do
+            d = Dummy.restrict!('+').includes(:fluffies).where(fluffies: {number: 777})
+            d.length.should == 2
+            d.first.fluffies.length.should == 1
+          end
+        end
+
+        context "joined to plain association" do
+          it "scopes" do
+            d = Dummy.restrict!('+').includes(:bobbies, :fluffies).where(
+              bobbies: {number: 777}, fluffies: {number: 777}
+            )
+            d.length.should == 2
+            d.first.fluffies.length.should == 1
+            d.first.bobbies.length.should == 1
+          end
+        end
+
+        context "with complex include" do
+          it "scopes" do
+            d = Dummy.restrict!('+').includes(fluffies: :loony).where(
+              fluffies: {number: 777},
+              loonies: {string: 'zomgstring'}
+            )
+            d.length.should == 2
+            d.first.fluffies.length.should == 1
+            d.first.fluffies.first.loony.should be_a_kind_of(Loony)
+          end
         end
       end
+    end
 
+    describe Protector::Adapters::ActiveRecord::Relation do
       it "includes" do
-        @dummy.none.ancestors.should include(Protector::Adapters::ActiveRecord::Base)
+        Dummy.none.ancestors.should include(Protector::Adapters::ActiveRecord::Base)
       end
 
       it "saves subject" do
-        @dummy.restrict!('!').where(number: 999).protector_subject.should == '!'
+        Dummy.restrict!('!').where(number: 999).protector_subject.should == '!'
       end
 
       it "forwards subject" do
-        @dummy.instance_eval do
-          protect do; end
-        end
-
-        @dummy.restrict!('!').where(number: 999).first.protector_subject.should == '!'
-        @dummy.restrict!('!').where(number: 999).to_a.first.protector_subject.should == '!'
+        Dummy.restrict!('!').where(number: 999).first.protector_subject.should == '!'
+        Dummy.restrict!('!').where(number: 999).to_a.first.protector_subject.should == '!'
       end
 
       context "with null relation" do
-        before(:each) do
-          @dummy.instance_eval do
-            protect do; scope{ none }; end
-          end
-        end
-
         it "checks existence" do
-          @dummy.any?.should == true
-          @dummy.restrict!('!').any?.should == false
+          Dummy.any?.should == true
+          Dummy.restrict!('-').any?.should == false
         end
 
         it "counts" do
-          @dummy.count.should == 2
-          @dummy.restrict!('!').count.should == 0
+          Dummy.count.should == 4
+          Dummy.restrict!('-').count.should == 0
         end
 
         it "fetches" do
-          fetched = @dummy.restrict!('!').to_a
+          fetched = Dummy.restrict!('-').to_a
 
-          @dummy.all.length.should == 2
+          Dummy.count.should == 4
           fetched.length.should == 0
         end
 
         it "keeps security scope when unscoped" do
-          @dummy.unscoped.restrict!('!').count.should == 0
-          @dummy.restrict!('!').unscoped.count.should == 0
+          Dummy.unscoped.restrict!('-').count.should == 0
+          Dummy.restrict!('-').unscoped.count.should == 0
         end
       end
 
       context "with active relation" do
-        before(:each) do
-          @dummy.instance_eval do
-            protect do; scope{ where(number: 999) }; end
-          end
-        end
-
         it "checks existence" do
-          @dummy.any?.should == true
-          @dummy.restrict!('!').any?.should == true
+          Dummy.any?.should == true
+          Dummy.restrict!('+').any?.should == true
         end
 
         it "counts" do
-          @dummy.count.should == 2
-          @dummy.restrict!('!').count.should == 1
+          Dummy.count.should == 4
+          Dummy.restrict!('+').count.should == 2
         end
 
         it "fetches" do
-          fetched = @dummy.restrict!('!').to_a
+          fetched = Dummy.restrict!('+').to_a
 
-          @dummy.all.length.should == 2
-          fetched.length.should == 1
+          Dummy.count.should == 4
+          fetched.length.should == 2
         end
 
         it "keeps security scope when unscoped" do
-          @dummy.unscoped.restrict!('!').count.should == 1
-          @dummy.restrict!('!').unscoped.count.should == 1
+          Dummy.unscoped.restrict!('+').count.should == 2
+          Dummy.restrict!('+').unscoped.count.should == 2
         end
       end
     end

data/spec/lib/dsl_spec.rb

@@ -70,16 +70,16 @@ describe Protector::DSL do
     end
 
     it "evaluates" do
-      @meta.evaluate(nil, [], 'user', 'entry')
+      @meta.evaluate(nil, 'user', [], 'entry')
     end
 
     it "sets relation" do
-      data = @meta.evaluate(nil, [], 'user', 'entry')
+      data = @meta.evaluate(nil, 'user', [], 'entry')
       data.relation.should == 'relation'
     end
 
     it "sets access" do
-      data = @meta.evaluate(nil, %w(field1 field2 field3 field4 field5), 'user', 'entry')
+      data = @meta.evaluate(nil, 'user', %w(field1 field2 field3 field4 field5), 'entry')
       data.access.should == {
         "update" => {
           "field1" => nil,
@@ -98,17 +98,17 @@ describe Protector::DSL do
     end
 
     it "marks destroyable" do
-      data = @meta.evaluate(nil, [], 'user', 'entry')
+      data = @meta.evaluate(nil, 'user', [], 'entry')
       data.destroyable?.should == true
     end
 
     it "marks updatable" do
-      data = @meta.evaluate(nil, [], 'user', 'entry')
+      data = @meta.evaluate(nil, 'user', [], 'entry')
       data.updatable?.should == true
     end
 
     it "marks creatable" do
-      data = @meta.evaluate(nil, [], 'user', 'entry')
+      data = @meta.evaluate(nil, 'user', [], 'entry')
       data.creatable?.should == false
     end
   end

data/spec/spec_helpers/model.rb

@@ -1,6 +1,6 @@
 shared_examples_for "a model" do
   it "evaluates meta properly" do
-    @dummy.instance_eval do
+    dummy.instance_eval do
       protect do |subject, dummy|
         subject.should == '!'
 
@@ -12,9 +12,8 @@ shared_examples_for "a model" do
       end
     end
 
-    fields = Hash[*%w(id string number text created_at updated_at).map{|x| [x, nil]}.flatten]
-    dummy  = @dummy.new.restrict!('!')
-    meta   = dummy.protector_meta
+    fields = Hash[*%w(id string number text dummy_id created_at updated_at).map{|x| [x, nil]}.flatten]
+    meta   = dummy.new.restrict!('!').protector_meta
 
     meta.access[:view].should   == fields
     meta.access[:create].should == fields
@@ -23,11 +22,6 @@ shared_examples_for "a model" do
 
   describe "association" do
     context "(has_many)" do
-      around(:each) do |e|
-        ActiveRecord::Base.logger = Logger.new(STDOUT)
-        e.run
-        ActiveRecord::Base.logger = nil
-      end
       it "loads" do
         Dummy.first.restrict!('!').fluffies.length.should == 2
         Dummy.first.restrict!('+').fluffies.length.should == 1
@@ -49,60 +43,52 @@ shared_examples_for "a model" do
 
   describe "visibility" do
     it "marks blocked" do
-      @dummy.instance_eval do
-        protect do; scope { none }; end
-      end
-
-      @dummy.first.restrict!('!').visible?.should == false
+      Dummy.first.restrict!('-').visible?.should == false
     end
 
     it "marks allowed" do
-      @dummy.instance_eval do
-        protect do; scope { limit(5) }; end
-      end
-
-      @dummy.first.restrict!('!').visible?.should == true
+      Dummy.first.restrict!('+').visible?.should == true
     end
   end
 
   describe "readability" do
     it "hides fields" do
-      @dummy.instance_eval do
+      dummy.instance_eval do
         protect do
           can :view, :string
         end
       end
 
-      dummy = @dummy.first.restrict!('!')
-      dummy.number.should == nil
-      dummy[:number].should == nil
-      dummy.read_attribute(:number).should_not == nil
-      dummy.string.should == 'zomgstring'
+      d = dummy.first.restrict!('!')
+      d.number.should == nil
+      d[:number].should == nil
+      d.read_attribute(:number).should_not == nil
+      d.string.should == 'zomgstring'
     end
   end
 
   describe "creatability" do
     context "with empty meta" do
       before(:each) do
-        @dummy.instance_eval do
+        dummy.instance_eval do
           protect do; end
         end
       end
 
       it "marks blocked" do
-        dummy = @dummy.new(string: 'bam', number: 1)
-        dummy.restrict!('!').creatable?.should == false
+        d = dummy.new(string: 'bam', number: 1)
+        d.restrict!('!').creatable?.should == false
       end
 
       it "invalidates" do
-        dummy = @dummy.new(string: 'bam', number: 1).restrict!('!')
-        dummy.should invalidate
+        d = dummy.new(string: 'bam', number: 1).restrict!('!')
+        d.should invalidate
       end
     end
 
     context "by list of fields" do
       before(:each) do
-        @dummy.instance_eval do
+        dummy.instance_eval do
           protect do
             can :create, :string
           end
@@ -110,29 +96,29 @@ shared_examples_for "a model" do
       end
 
       it "marks blocked" do
-        dummy = @dummy.new(string: 'bam', number: 1)
-        dummy.restrict!('!').creatable?.should == false
+        d = dummy.new(string: 'bam', number: 1)
+        d.restrict!('!').creatable?.should == false
       end
 
       it "marks allowed" do
-        dummy = @dummy.new(string: 'bam')
-        dummy.restrict!('!').creatable?.should == true
+        d = dummy.new(string: 'bam')
+        d.restrict!('!').creatable?.should == true
       end
 
       it "invalidates" do
-        dummy = @dummy.new(string: 'bam', number: 1).restrict!('!')
-        dummy.should invalidate
+        d = dummy.new(string: 'bam', number: 1).restrict!('!')
+        d.should invalidate
       end
 
       it "validates" do
-        dummy = @dummy.new(string: 'bam').restrict!('!')
-        dummy.should validate
+        d = dummy.new(string: 'bam').restrict!('!')
+        d.should validate
       end
     end
 
     context "by lambdas" do
       before(:each) do
-        @dummy.instance_eval do
+        dummy.instance_eval do
           protect do
             can :create, string: lambda {|x| x.try(:length) == 5 }
           end
@@ -140,29 +126,29 @@ shared_examples_for "a model" do
       end
 
       it "marks blocked" do
-        dummy = @dummy.new(string: 'bam')
-        dummy.restrict!('!').creatable?.should == false
+        d = dummy.new(string: 'bam')
+        d.restrict!('!').creatable?.should == false
       end
 
       it "marks allowed" do
-        dummy = @dummy.new(string: '12345')
-        dummy.restrict!('!').creatable?.should == true
+        d = dummy.new(string: '12345')
+        d.restrict!('!').creatable?.should == true
       end
 
       it "invalidates" do
-        dummy = @dummy.new(string: 'bam').restrict!('!')
-        dummy.should invalidate
+        d = dummy.new(string: 'bam').restrict!('!')
+        d.should invalidate
       end
 
       it "validates" do
-        dummy = @dummy.new(string: '12345').restrict!('!')
-        dummy.should validate
+        d = dummy.new(string: '12345').restrict!('!')
+        d.should validate
       end
     end
 
     context "by ranges" do
       before(:each) do
-        @dummy.instance_eval do
+        dummy.instance_eval do
           protect do
             can :create, number: 0..2
           end
@@ -170,23 +156,23 @@ shared_examples_for "a model" do
       end
 
       it "marks blocked" do
-        dummy = @dummy.new(number: 500)
-        dummy.restrict!('!').creatable?.should == false
+        d = dummy.new(number: 500)
+        d.restrict!('!').creatable?.should == false
       end
 
       it "marks allowed" do
-        dummy = @dummy.new(number: 2)
-        dummy.restrict!('!').creatable?.should == true
+        d = dummy.new(number: 2)
+        d.restrict!('!').creatable?.should == true
       end
 
       it "invalidates" do
-        dummy = @dummy.new(number: 500).restrict!('!')
-        dummy.should invalidate
+        d = dummy.new(number: 500).restrict!('!')
+        d.should invalidate
       end
 
       it "validates" do
-        dummy = @dummy.new(number: 2).restrict!('!')
-        dummy.should validate
+        d = dummy.new(number: 2).restrict!('!')
+        d.should validate
       end
     end
   end
@@ -194,27 +180,27 @@ shared_examples_for "a model" do
   describe "updatability" do
     context "with empty meta" do
       before(:each) do
-        @dummy.instance_eval do
+        dummy.instance_eval do
           protect do; end
         end
       end
 
       it "marks blocked" do
-        dummy = @dummy.first
-        dummy.assign_attributes(string: 'bam', number: 1)
-        dummy.restrict!('!').updatable?.should == false
+        d = dummy.first
+        d.assign_attributes(string: 'bam', number: 1)
+        d.restrict!('!').updatable?.should == false
       end
 
       it "invalidates" do
-        dummy = @dummy.first.restrict!('!')
-        dummy.assign_attributes(string: 'bam', number: 1)
-        dummy.should invalidate
+        d = dummy.first.restrict!('!')
+        d.assign_attributes(string: 'bam', number: 1)
+        d.should invalidate
       end
     end
 
     context "by list of fields" do
       before(:each) do
-        @dummy.instance_eval do
+        dummy.instance_eval do
           protect do
             can :update, :string
           end
@@ -222,33 +208,33 @@ shared_examples_for "a model" do
       end
 
       it "marks blocked" do
-        dummy = @dummy.first
-        dummy.assign_attributes(string: 'bam', number: 1)
-        dummy.restrict!('!').updatable?.should == false
+        d = dummy.first
+        d.assign_attributes(string: 'bam', number: 1)
+        d.restrict!('!').updatable?.should == false
       end
 
       it "marks allowed" do
-        dummy = @dummy.first
-        dummy.assign_attributes(string: 'bam')
-        dummy.restrict!('!').updatable?.should == true
+        d = dummy.first
+        d.assign_attributes(string: 'bam')
+        d.restrict!('!').updatable?.should == true
       end
 
       it "invalidates" do
-        dummy = @dummy.first.restrict!('!')
-        dummy.assign_attributes(string: 'bam', number: 1)
-        dummy.should invalidate
+        d = dummy.first.restrict!('!')
+        d.assign_attributes(string: 'bam', number: 1)
+        d.should invalidate
       end
 
       it "validates" do
-        dummy = @dummy.first.restrict!('!')
-        dummy.assign_attributes(string: 'bam')
-        dummy.should validate
+        d = dummy.first.restrict!('!')
+        d.assign_attributes(string: 'bam')
+        d.should validate
       end
     end
 
     context "by lambdas" do
       before(:each) do
-        @dummy.instance_eval do
+        dummy.instance_eval do
           protect do
             can :update, string: lambda {|x| x.try(:length) == 5 }
           end
@@ -256,33 +242,33 @@ shared_examples_for "a model" do
       end
 
       it "marks blocked" do
-        dummy = @dummy.first
-        dummy.assign_attributes(string: 'bam')
-        dummy.restrict!('!').updatable?.should == false
+        d = dummy.first
+        d.assign_attributes(string: 'bam')
+        d.restrict!('!').updatable?.should == false
       end
 
       it "marks allowed" do
-        dummy = @dummy.first
-        dummy.assign_attributes(string: '12345')
-        dummy.restrict!('!').updatable?.should == true
+        d = dummy.first
+        d.assign_attributes(string: '12345')
+        d.restrict!('!').updatable?.should == true
       end
 
       it "invalidates" do
-        dummy = @dummy.first.restrict!('!')
-        dummy.assign_attributes(string: 'bam')
-        dummy.should invalidate
+        d = dummy.first.restrict!('!')
+        d.assign_attributes(string: 'bam')
+        d.should invalidate
       end
 
       it "validates" do
-        dummy = @dummy.first.restrict!('!')
-        dummy.assign_attributes(string: '12345')
-        dummy.should validate
+        d = dummy.first.restrict!('!')
+        d.assign_attributes(string: '12345')
+        d.should validate
       end
     end
 
     context "by ranges" do
       before(:each) do
-        @dummy.instance_eval do
+        dummy.instance_eval do
           protect do
             can :update, number: 0..2
           end
@@ -290,64 +276,64 @@ shared_examples_for "a model" do
       end
 
       it "marks blocked" do
-        dummy = @dummy.first
-        dummy.assign_attributes(number: 500)
-        dummy.restrict!('!').updatable?.should == false
+        d = dummy.first
+        d.assign_attributes(number: 500)
+        d.restrict!('!').updatable?.should == false
       end
 
       it "marks allowed" do
-        dummy = @dummy.first
-        dummy.assign_attributes(number: 2)
-        dummy.restrict!('!').updatable?.should == true
+        d = dummy.first
+        d.assign_attributes(number: 2)
+        d.restrict!('!').updatable?.should == true
       end
 
       it "invalidates" do
-        dummy = @dummy.first.restrict!('!')
-        dummy.assign_attributes(number: 500)
-        dummy.should invalidate
+        d = dummy.first.restrict!('!')
+        d.assign_attributes(number: 500)
+        d.should invalidate
       end
 
       it "validates" do
-        dummy = @dummy.first.restrict!('!')
-        dummy.assign_attributes(number: 2)
-        dummy.should validate
+        d = dummy.first.restrict!('!')
+        d.assign_attributes(number: 2)
+        d.should validate
       end
     end
   end
 
   describe "destroyability" do
     it "marks blocked" do
-      @dummy.instance_eval do
+      dummy.instance_eval do
         protect do; end
       end
 
-      @dummy.first.restrict!('!').destroyable?.should == false
+      dummy.first.restrict!('!').destroyable?.should == false
     end
 
     it "marks allowed" do
-      @dummy.instance_eval do
+      dummy.instance_eval do
         protect do; can :destroy; end
       end
 
-      @dummy.first.restrict!('!').destroyable?.should == true
+      dummy.first.restrict!('!').destroyable?.should == true
     end
 
     it "invalidates" do
-      @dummy.instance_eval do
+      dummy.instance_eval do
         protect do; end
       end
 
-      @dummy.first.restrict!('!').destroy.should == false
+      dummy.first.restrict!('!').destroy.should == false
     end
 
     it "validates" do
-      @dummy.instance_eval do
+      dummy.instance_eval do
         protect do; can :destroy; end
       end
 
-      dummy = @dummy.create!.restrict!('!')
-      dummy.destroy.should == dummy
-      dummy.destroyed?.should == true
+      d = dummy.create!.restrict!('!')
+      d.destroy.should == d
+      d.destroyed?.should == true
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: protector
 version: !ruby/object:Gem::Version
-  version: 0.0.4
+  version: 0.1.0
 platform: ruby
 authors:
 - Boris Staal
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-05-28 00:00:00.000000000 Z
+date: 2013-05-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -62,6 +62,7 @@ files:
 - lib/protector/adapters/active_record.rb
 - lib/protector/adapters/active_record/association.rb
 - lib/protector/adapters/active_record/base.rb
+- lib/protector/adapters/active_record/preloader.rb
 - lib/protector/adapters/active_record/relation.rb
 - lib/protector/dsl.rb
 - lib/protector/version.rb