pundit-expected-attribute-values 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 13d3ca03cc6ed67002240c06411113474f4627e91ada88e42d023b565df7faba
+  data.tar.gz: c8b6536f9e9c3c111a5eb80b0a35ff775d66bf690f3c30136bb20168c72b61b8
+SHA512:
+  metadata.gz: f9bc11575eef2a6ccc2caf923fcff8464e442a834f25fe08db3bfd0b5325e131ebef94d2ac5e4fbd81386c99d5e0d37537f966d3696adc16ccabb6f91d9920c0
+  data.tar.gz: 628277f5210d88d74c470fb9f113d3bbe32ab59bbed6b5858db6f4c935236c7b64133dded419fb17168550eee847cf45b70c3a9e56612f4d3f60757e0b45dbeb

data/CHANGELOG.md

@@ -0,0 +1,26 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [1.0.0] - 2026-06-13
+
+### Added
+
+- Per-attribute allowed values for Pundit `expected_attributes`, declared in policy classes via `expected_attribute_values_for_action` and action-specific helpers such as `expected_attribute_values_for_update`.
+- Controller integration through `Pundit::ExpectedAttributeValues::Authorization`, including `expected_attributes` value filtering and `pundit_expected_attribute_values_for`.
+- `Pundit::ExpectedAttributeValues.filter` for manual filtering of permitted params or plain hashes.
+- Configurable invalid-value behavior (`:strip` or `:raise`) via `Pundit::ExpectedAttributeValues.configure`.
+- `Pundit::ExpectedAttributeValues::UnexpectedValue` exception when `invalid_behavior` is `:raise`.
+- Value sources: static arrays, callables, and method references resolved through the policy instance.
+- RSpec matchers (`permit_expected_value`, `permit_expected_values`) and Minitest assertions.
+- Rails install generator: `rails generate pundit:expected_attribute_values:install`.
+- Compatibility shim for Pundit 2.5 controllers that do not yet ship `expected_attributes`.
+
+### Fixed
+
+- Preserve the permitted state of `ActionController::Parameters` when filtering already-permitted params from `params.expect`, avoiding `ActiveModel::ForbiddenAttributesError` on assignment.
+
+[1.0.0]: https://github.com/davedkg/pundit-expected-attribute-values/releases/tag/v1.0.0

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,129 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity
+and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the
+  overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+**davedkg@users.noreply.github.com**.
+
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series
+of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or
+permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior,  harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within
+the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.0, available at
+https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct
+enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the FAQ at
+https://www.contributor-covenant.org/faq. Translations are available at
+https://www.contributor-covenant.org/translations.

data/CONTRIBUTING.md

@@ -0,0 +1,39 @@
+# Contributing
+
+Thanks for your interest in contributing to **pundit-expected-attribute-values**.
+
+## Development setup
+
+```bash
+git clone https://github.com/davedkg/pundit-expected-attribute-values.git
+cd pundit-expected-attribute-values
+bin/setup
+bundle exec rake
+```
+
+`bin/setup` installs dependencies. `bundle exec rake` runs Minitest, RSpec, and is the default task.
+
+## Pull requests
+
+1. Open an issue first for substantial changes so we can agree on the approach.
+2. Add or update tests for the behavior you change.
+3. Run the full test suite and RuboCop before opening a PR:
+
+   ```bash
+   bundle exec rake
+   bundle exec rubocop
+   ```
+
+4. Keep commits focused and write clear commit messages.
+
+## Reporting bugs
+
+Open a [GitHub issue](https://github.com/davedkg/pundit-expected-attribute-values/issues) with:
+
+- Ruby, Rails, Pundit, and gem versions
+- Steps to reproduce
+- Expected vs. actual behavior
+
+## Code of conduct
+
+This project follows the [Contributor Covenant](CODE_OF_CONDUCT.md). By participating, you agree to uphold it.

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2026 David Guilfoyle
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,165 @@
+# pundit-expected-attribute-values
+
+[![CI](https://github.com/davedkg/pundit-expected-attribute-values/actions/workflows/main.yml/badge.svg)](https://github.com/davedkg/pundit-expected-attribute-values/actions/workflows/main.yml)
+[![Gem Version](https://badge.fury.io/rb/pundit-expected-attribute-values.svg)](https://badge.fury.io/rb/pundit-expected-attribute-values)
+
+Expected **values** for [Pundit](https://github.com/varvet/pundit) strong parameters. Works with Pundit 2.6+ `expected_attributes` / `expected_attributes_for_action` and Rails `params.expect`.
+
+Declare which scalar values each attribute may have during mass assignment (for example, admins may set `role` to `manager` or `user`, while managers may only set `role` to `user`).
+
+Keys stay in `expected_attributes_for_action`; allowed values live in `expected_attribute_values_for_action`.
+
+## Requirements
+
+- Ruby >= 3.3
+- Pundit >= 2.5 (ships a compatibility shim for `expected_attributes` until Pundit 2.6 is released)
+- Rails >= 7.0 (uses `params.expect`)
+
+## Installation
+
+```ruby
+gem "pundit-expected-attribute-values"
+```
+
+```bash
+bundle install
+rails generate pundit:expected_attribute_values:install
+```
+
+### Manual setup
+
+```ruby
+# app/policies/application_policy.rb
+class ApplicationPolicy
+  include Pundit::ExpectedAttributeValues::Policy
+end
+
+# app/controllers/application_controller.rb
+class ApplicationController < ActionController::Base
+  include Pundit::Authorization
+  include Pundit::ExpectedAttributeValues::Authorization
+end
+```
+
+## Usage
+
+### Policy
+
+```ruby
+class UserPolicy < ApplicationPolicy
+  def expected_attributes_for_action(_action)
+    [:name, :email, :role]
+  end
+
+  def expected_attribute_values_for_action(_action)
+    { role: :allowed_roles }
+  end
+
+  private
+
+  def allowed_roles
+    return %w[user manager admin] if user.admin?
+    return %w[user] if user.manager?
+
+    []
+  end
+end
+```
+
+Action-specific value rules (optional):
+
+```ruby
+def expected_attribute_values_for_update
+  { role: %w[user] }
+end
+```
+
+Value sources: static arrays, callables (`-> { ... }`), or method references (`:allowed_roles`).
+
+### Controller
+
+```ruby
+def update
+  authorize @user
+  if @user.update(expected_attributes(@user))
+    redirect_to @user
+  else
+    render :edit
+  end
+end
+```
+
+Allowed values for forms or APIs:
+
+```ruby
+pundit_expected_attribute_values_for(@user, :role)
+# => ["user", "manager"]
+```
+
+### Unexpected values
+
+```ruby
+# config/initializers/pundit-expected-attribute-values.rb
+Pundit::ExpectedAttributeValues.configure do |config|
+  config.invalid_behavior = :strip # default — omit unexpected values
+  # config.invalid_behavior = :raise
+end
+```
+
+With `:raise`, unexpected values raise `Pundit::ExpectedAttributeValues::UnexpectedValue`:
+
+```ruby
+rescue_from Pundit::ExpectedAttributeValues::UnexpectedValue, with: :unprocessable
+```
+
+### Manual filtering
+
+```ruby
+attrs = expected_attributes(@user)
+# or on an extracted hash:
+Pundit::ExpectedAttributeValues.filter(attrs, policy(@user), action: "update")
+```
+
+## Testing
+
+### RSpec
+
+```ruby
+# spec/support/pundit-expected-attribute-values.rb
+require "pundit/expected_attribute_values/rspec"
+
+expect(user_policy).to permit_expected_value(:role, "user")
+expect(user_policy).not_to permit_expected_value(:role, "admin")
+expect(user_policy).to permit_expected_values(:role).matching(%w[user manager])
+```
+
+### Minitest
+
+```ruby
+require "pundit/expected_attribute_values/minitest"
+
+assert_permits_expected_value user_policy, :role, "user"
+refute_permits_expected_value user_policy, :role, "admin"
+assert_expected_values user_policy, :role, %w[user manager]
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`.
+
+## Releasing
+
+1. Update the version in `lib/pundit/expected_attribute_values/version.rb`.
+2. Add a dated section to [CHANGELOG.md](CHANGELOG.md).
+3. Commit, tag (`git tag vX.Y.Z`), and push the tag.
+4. GitHub Actions publishes the gem to [RubyGems](https://rubygems.org) when a `v*` tag is pushed. Configure [trusted publishing](https://guides.rubygems.org/trusted-publishing/) on RubyGems.org for this repository (recommended), or publish locally with `bundle exec rake release` after configuring RubyGems credentials.
+
+## Contributing
+
+See [CONTRIBUTING.md](CONTRIBUTING.md). Bug reports and pull requests are welcome on GitHub.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/SECURITY.md

@@ -0,0 +1,19 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.0.x   | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+Please report security vulnerabilities privately by emailing
+**davedkg@users.noreply.github.com** or using
+[GitHub Security Advisories](https://github.com/davedkg/pundit-expected-attribute-values/security/advisories/new).
+
+Do not open a public issue for security-sensitive reports.
+
+You can expect an initial response within a few business days. If the report is
+accepted, we will work on a fix and coordinate disclosure. If declined, we will
+explain why.

data/lib/generators/pundit/expected_attribute_values/install_generator.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require "rails/generators/base"
+
+module Pundit
+  module ExpectedAttributeValues
+    module Generators
+      class InstallGenerator < Rails::Generators::Base
+        source_root File.expand_path("templates", __dir__)
+
+        desc "Install Pundit::ExpectedAttributeValues in ApplicationPolicy and ApplicationController"
+
+        class_option :test_framework, type: :string, default: nil,
+                                      desc: "Test framework (rspec or minitest)"
+
+        def add_policy_concern
+          inject_into_class policy_path, "ApplicationPolicy", <<-RUBY
+
+    include Pundit::ExpectedAttributeValues::Policy
+          RUBY
+        end
+
+        def add_controller_concern
+          inject_into_class controller_path, "ApplicationController", <<-RUBY
+
+    include Pundit::ExpectedAttributeValues::Authorization
+          RUBY
+        end
+
+        def add_test_helper_snippet
+          template "test_helper.#{detected_test_framework}.rb", test_helper_destination
+        end
+
+        private
+
+        def policy_path
+          "app/policies/application_policy.rb"
+        end
+
+        def controller_path
+          "app/controllers/application_controller.rb"
+        end
+
+        def detected_test_framework
+          return options[:test_framework] if options[:test_framework]
+
+          File.directory?("spec") ? "rspec" : "minitest"
+        end
+
+        def test_helper_destination
+          if detected_test_framework == "rspec"
+            "spec/support/pundit-expected-attribute-values.rb"
+          else
+            "test/support/pundit-expected-attribute-values.rb"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/generators/pundit/expected_attribute_values/templates/test_helper.minitest.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require "pundit/expected_attribute_values/minitest"

data/lib/generators/pundit/expected_attribute_values/templates/test_helper.rspec.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require "pundit/expected_attribute_values/rspec"

data/lib/pundit/expected_attribute_values/authorization.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+module Pundit
+  module ExpectedAttributeValues
+    module Authorization
+      extend ActiveSupport::Concern
+
+      included do
+        prepend ExpectedAttributesCompat unless Pundit::Authorization.method_defined?(:expected_attributes)
+        prepend ControllerMethods
+      end
+
+      module ControllerMethods
+        def pundit_expected_attribute_values_for(record, attribute, action: action_name)
+          policy(record).pundit_expected_attribute_values_for_attribute(attribute, action: action)
+        end
+
+        def expected_attributes(record, action: action_name, **options)
+          raw = super
+          apply_expected_values_filter(record, raw, action)
+        end
+
+        private
+
+        def apply_expected_values_filter(record, params, action)
+          policy_instance = policy(record)
+          constraints = ValueResolver.resolve_hash_for_action(policy_instance, action)
+          return params if constraints.empty?
+
+          Filter.call(
+            params,
+            constraints,
+            invalid: ExpectedAttributeValues.invalid_behavior,
+            policy: policy_instance
+          )
+        end
+      end
+
+      class << self
+        def filter(params, policy, action:)
+          raise ArgumentError, "action is required" if action.nil?
+
+          constraints = ValueResolver.resolve_hash_for_action(policy, action)
+          Filter.call(
+            params,
+            constraints,
+            invalid: ExpectedAttributeValues.invalid_behavior,
+            policy: policy
+          )
+        end
+      end
+    end
+  end
+end

data/lib/pundit/expected_attribute_values/configuration.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Pundit
+  module ExpectedAttributeValues
+    class << self
+      attr_accessor :invalid_behavior, :symbolize_values
+
+      def configure
+        yield self if block_given?
+        self
+      end
+    end
+
+    self.invalid_behavior = :strip
+    self.symbolize_values = false
+  end
+end

data/lib/pundit/expected_attribute_values/errors.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Pundit
+  module ExpectedAttributeValues
+    class UnexpectedValue < Pundit::NotAuthorizedError
+      attr_reader :attribute, :value, :expected
+
+      def initialize(attribute:, value:, expected:)
+        @attribute = attribute
+        @value = value
+        @expected = expected
+        super(
+          "Value #{value.inspect} is not expected for #{attribute}; " \
+          "expected: #{expected.inspect}"
+        )
+      end
+    end
+  end
+end

data/lib/pundit/expected_attribute_values/expected_attributes_compat.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Pundit
+  module ExpectedAttributeValues
+    # Provides Pundit 2.6's +expected_attributes+ on controllers until a released
+    # Pundit version includes it. Not used when +Pundit::Authorization+ already
+    # defines the method.
+    module ExpectedAttributesCompat
+      def expected_attributes(record, action: action_name, param_key: pundit_param_key(record))
+        policy_instance = policy(record)
+        shape = policy_instance.expected_attributes_for_action(action)
+        params.expect(param_key => shape)
+      end
+
+      def pundit_param_key(record)
+        Pundit::PolicyFinder.new(record).param_key
+      end
+    end
+  end
+end

data/lib/pundit/expected_attribute_values/filter.rb

@@ -0,0 +1,98 @@
+# frozen_string_literal: true
+
+module Pundit
+  module ExpectedAttributeValues
+    class Filter
+      def self.call(params, constraints, invalid: ExpectedAttributeValues.invalid_behavior, policy: nil)
+        new(params, constraints, invalid: invalid, policy: policy).call
+      end
+
+      def initialize(params, constraints, invalid: ExpectedAttributeValues.invalid_behavior, policy: nil)
+        @params = params
+        @constraints = constraints
+        @invalid = invalid
+        @policy = policy
+      end
+
+      def call
+        return @params if @constraints.empty?
+
+        result = @params.to_unsafe_h.dup
+        @constraints.each do |attribute, source|
+          key = find_key(result, attribute)
+          next unless key
+          next unless result.key?(key)
+
+          expected = expected_values_for(attribute, source)
+          filter_attribute!(result, key, expected)
+        end
+
+        build_parameters(result)
+      end
+
+      private
+
+      def find_key(hash, attribute)
+        return attribute if hash.key?(attribute)
+        return attribute.to_s if hash.key?(attribute.to_s)
+        return attribute.to_sym if hash.key?(attribute.to_sym)
+
+        nil
+      end
+
+      def expected_values_for(_attribute, source)
+        values = ValueResolver.resolve(source, @policy)
+        ValueResolver.normalize_list(values)
+      end
+
+      def filter_attribute!(result, key, expected)
+        value = result[key]
+
+        if value.is_a?(Array)
+          filtered = value.select { |element| expected.include?(ValueResolver.normalize_value(element)) }
+          handle_filtered(result, key, filtered, value, expected)
+        else
+          normalized = ValueResolver.normalize_value(value)
+          if expected.include?(normalized)
+            result[key] = normalized
+          else
+            handle_unexpected(result, key, value, expected)
+          end
+        end
+      end
+
+      def handle_filtered(result, key, filtered, original, expected)
+        if filtered.empty? && !original.empty?
+          handle_unexpected(result, key, original, expected)
+        elsif filtered.empty?
+          result.delete(key)
+        else
+          result[key] = filtered.map { |v| ValueResolver.normalize_value(v) }
+        end
+      end
+
+      def handle_unexpected(result, key, value, expected)
+        case @invalid
+        when :raise
+          raise UnexpectedValue.new(attribute: key, value: value, expected: expected)
+        else
+          result.delete(key)
+        end
+      end
+
+      def build_parameters(result)
+        if defined?(ActionController::Parameters) && @params.is_a?(ActionController::Parameters)
+          filtered = ActionController::Parameters.new(result)
+          # Preserve the permitted state of the source params. Callers such as
+          # the +expected_attributes+ controller helper pass already-permitted
+          # params (via +params.expect+); rebuilding would otherwise reset the
+          # flag and raise ActiveModel::ForbiddenAttributesError on assignment.
+          filtered.permit! if @params.permitted?
+          filtered
+        else
+          result
+        end
+      end
+    end
+  end
+end

data/lib/pundit/expected_attribute_values/minitest.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require_relative "test_helpers"
+
+module Pundit
+  module ExpectedAttributeValues
+    module MinitestAssertions
+      def assert_permits_expected_value(policy, attribute, value, action: "update")
+        assert ExpectedAttributeValues::TestHelpers.expects_value?(policy, attribute, value, action: action),
+               "Expected policy to allow value #{value.inspect} for :#{attribute} on #{action}"
+      end
+
+      def refute_permits_expected_value(policy, attribute, value, action: "update")
+        refute ExpectedAttributeValues::TestHelpers.expects_value?(policy, attribute, value, action: action),
+               "Expected policy not to allow value #{value.inspect} for :#{attribute} on #{action}"
+      end
+
+      def assert_expected_values(policy, attribute, expected, action: "update")
+        assert ExpectedAttributeValues::TestHelpers.matches_expected_values?(
+          policy, attribute, expected, action: action
+        ),
+               lambda {
+                 actual = ExpectedAttributeValues::TestHelpers.expected_values_for(policy, attribute, action: action)
+                 "Expected values #{expected.inspect} for :#{attribute} on #{action}, got #{actual.inspect}"
+               }
+      end
+    end
+  end
+end
+
+Minitest::Test.include Pundit::ExpectedAttributeValues::MinitestAssertions if defined?(Minitest::Test)

data/lib/pundit/expected_attribute_values/policy.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Pundit
+  module ExpectedAttributeValues
+    module Policy
+      extend ActiveSupport::Concern
+
+      def expected_attribute_values_for_action(action_name)
+        action_method = "expected_attribute_values_for_#{action_name}"
+        if respond_to?(action_method, true)
+          public_send(action_method) || {}
+        elsif respond_to?(:expected_attribute_values, true)
+          expected_attribute_values || {}
+        else
+          {}
+        end
+      end
+
+      def pundit_expected_attribute_values_for_attribute(attribute, action:)
+        raise ArgumentError, "action is required" if action.nil?
+
+        hash = expected_attribute_values_for_action(action.to_s)
+        source = hash[attribute.to_sym] || hash[attribute.to_s]
+        return [] unless source
+
+        ValueResolver.normalize_list(ValueResolver.resolve(source, self))
+      end
+    end
+  end
+end

data/lib/pundit/expected_attribute_values/railtie.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Pundit
+  module ExpectedAttributeValues
+    class Railtie < Rails::Railtie
+      initializer "pundit-expected-attribute-values.configure" do
+        # Host apps may call Pundit::ExpectedAttributeValues.configure in an initializer.
+      end
+    end
+  end
+end

data/lib/pundit/expected_attribute_values/rspec.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require "rspec/expectations"
+require_relative "test_helpers"
+
+RSpec::Matchers.define :permit_expected_value do |attribute, value|
+  match do |policy|
+    action = @action || "update"
+    Pundit::ExpectedAttributeValues::TestHelpers.expects_value?(policy, attribute, value, action: action)
+  end
+
+  chain :for_action do |action|
+    @action = action
+  end
+
+  failure_message do |policy|
+    action = @action || "update"
+    expected = Pundit::ExpectedAttributeValues::TestHelpers.expected_values_for(policy, attribute, action: action)
+    "expected policy to allow value #{value.inspect} for :#{attribute} on #{action}, " \
+      "but expected values are #{expected.inspect}"
+  end
+
+  failure_message_when_negated do |policy|
+    action = @action || "update"
+    expected = Pundit::ExpectedAttributeValues::TestHelpers.expected_values_for(policy, attribute, action: action)
+    "expected policy not to allow value #{value.inspect} for :#{attribute} on #{action}, " \
+      "but it is in #{expected.inspect}"
+  end
+
+  description do
+    "permit expected value :#{attribute} => #{value.inspect}"
+  end
+end
+
+RSpec::Matchers.define :permit_expected_values do |attribute|
+  chain :matching do |values|
+    @expected = values
+  end
+
+  chain :for_action do |action|
+    @action = action
+  end
+
+  match do |policy|
+    raise ArgumentError, "Use .matching(%w[...]) to specify expected values" unless @expected
+
+    action = @action || "update"
+    Pundit::ExpectedAttributeValues::TestHelpers.matches_expected_values?(
+      policy, attribute, @expected, action: action
+    )
+  end
+
+  failure_message do |policy|
+    action = @action || "update"
+    actual = Pundit::ExpectedAttributeValues::TestHelpers.expected_values_for(policy, attribute, action: action)
+    "expected policy to allow values #{@expected.inspect} for :#{attribute} on #{action}, " \
+      "but expected values are #{actual.inspect}"
+  end
+
+  description do
+    "permit expected values for :#{attribute}"
+  end
+end

data/lib/pundit/expected_attribute_values/test_helpers.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Pundit
+  module ExpectedAttributeValues
+    module TestHelpers
+      module_function
+
+      def expected_values_for(policy, attribute, action:)
+        raise ArgumentError, "action is required" if action.nil?
+
+        policy.pundit_expected_attribute_values_for_attribute(attribute, action: action)
+      end
+
+      def expects_value?(policy, attribute, value, action:)
+        expected_values_for(policy, attribute, action: action).include?(
+          ValueResolver.normalize_value(value)
+        )
+      end
+
+      def refutes_expected_value?(policy, attribute, value, action:)
+        !expects_value?(policy, attribute, value, action: action)
+      end
+
+      def matches_expected_values?(policy, attribute, expected, action:)
+        actual = expected_values_for(policy, attribute, action: action)
+        expected_list = ValueResolver.normalize_list(expected)
+        actual.sort == expected_list.sort
+      end
+    end
+  end
+end

data/lib/pundit/expected_attribute_values/value_resolver.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module Pundit
+  module ExpectedAttributeValues
+    module ValueResolver
+      module_function
+
+      def resolve(source, policy)
+        case source
+        when Proc
+          policy.instance_exec(&source)
+        when Symbol
+          policy.public_send(source)
+        else
+          source
+        end
+      end
+
+      def resolve_hash_for_action(policy, action)
+        action_method = "expected_attribute_values_for_#{action}"
+        if policy.respond_to?(action_method, true)
+          policy.public_send(action_method) || {}
+        elsif policy.respond_to?(:expected_attribute_values_for_action, true)
+          policy.expected_attribute_values_for_action(action) || {}
+        elsif policy.respond_to?(:expected_attribute_values, true)
+          policy.expected_attribute_values || {}
+        else
+          {}
+        end
+      end
+
+      def normalize_list(values)
+        Array(values).map { |v| normalize_value(v) }
+      end
+
+      def normalize_value(value)
+        return value.to_sym if ExpectedAttributeValues.symbolize_values && value.respond_to?(:to_sym)
+
+        value.is_a?(Symbol) ? value.to_s : value
+      end
+    end
+  end
+end

data/lib/pundit/expected_attribute_values/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Pundit
+  module ExpectedAttributeValues
+    VERSION = "1.0.0"
+  end
+end

data/lib/pundit_expected_attribute_values.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require "pundit"
+require "active_support/concern"
+
+require_relative "pundit/expected_attribute_values/version"
+require_relative "pundit/expected_attribute_values/configuration"
+require_relative "pundit/expected_attribute_values/errors"
+require_relative "pundit/expected_attribute_values/value_resolver"
+require_relative "pundit/expected_attribute_values/filter"
+require_relative "pundit/expected_attribute_values/policy"
+require_relative "pundit/expected_attribute_values/expected_attributes_compat"
+require_relative "pundit/expected_attribute_values/authorization"
+require_relative "pundit/expected_attribute_values/test_helpers"
+
+module Pundit
+  module ExpectedAttributeValues
+    class Error < StandardError; end
+
+    def self.filter(params, policy, action:)
+      Authorization.filter(params, policy, action: action)
+    end
+  end
+end
+
+require_relative "pundit/expected_attribute_values/railtie" if defined?(Rails::Railtie)

data/sig/pundit-expected-attribute-values.rbs

@@ -0,0 +1,6 @@
+module Pundit
+  module ExpectedAttributeValues
+    VERSION: String
+    # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+  end
+end

metadata

@@ -0,0 +1,117 @@
+--- !ruby/object:Gem::Specification
+name: pundit-expected-attribute-values
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- davedkg
+bindir: bin
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: actionpack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.0'
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.0'
+- !ruby/object:Gem::Dependency
+  name: pundit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.5'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.5'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+description: Extend Pundit expected_attributes with per-attribute allowed values,
+  declared in policy classes alongside expected_attributes_for_action.
+email:
+- davedkg@users.noreply.github.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- CODE_OF_CONDUCT.md
+- CONTRIBUTING.md
+- LICENSE.txt
+- README.md
+- SECURITY.md
+- lib/generators/pundit/expected_attribute_values/install_generator.rb
+- lib/generators/pundit/expected_attribute_values/templates/test_helper.minitest.rb
+- lib/generators/pundit/expected_attribute_values/templates/test_helper.rspec.rb
+- lib/pundit/expected_attribute_values/authorization.rb
+- lib/pundit/expected_attribute_values/configuration.rb
+- lib/pundit/expected_attribute_values/errors.rb
+- lib/pundit/expected_attribute_values/expected_attributes_compat.rb
+- lib/pundit/expected_attribute_values/filter.rb
+- lib/pundit/expected_attribute_values/minitest.rb
+- lib/pundit/expected_attribute_values/policy.rb
+- lib/pundit/expected_attribute_values/railtie.rb
+- lib/pundit/expected_attribute_values/rspec.rb
+- lib/pundit/expected_attribute_values/test_helpers.rb
+- lib/pundit/expected_attribute_values/value_resolver.rb
+- lib/pundit/expected_attribute_values/version.rb
+- lib/pundit_expected_attribute_values.rb
+- sig/pundit-expected-attribute-values.rbs
+homepage: https://github.com/davedkg/pundit-expected-attribute-values
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/davedkg/pundit-expected-attribute-values
+  source_code_uri: https://github.com/davedkg/pundit-expected-attribute-values
+  changelog_uri: https://github.com/davedkg/pundit-expected-attribute-values/blob/main/CHANGELOG.md
+  bug_tracker_uri: https://github.com/davedkg/pundit-expected-attribute-values/issues
+  rubygems_mfa_required: 'true'
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.3.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.9
+specification_version: 4
+summary: Expected attribute values for Pundit policies
+test_files: []