pundit-resources 1.0.0 → 1.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 84095ef1d7eddc023bc1c00e4501b4068e86386e
-  data.tar.gz: 557410b3f7c007a2905702fb2a9c4d5c15331e16
+  metadata.gz: 83ed65ad31c7f9d50aa2bc1fa4f7a1682f999b62
+  data.tar.gz: 800f0caa6caf805f4245718f6e0b1ccec494ba42
 SHA512:
-  metadata.gz: e4ba2f3c7e00b6cc852858920804acd20ec77bdc3a23a772412ec05c2077c4d9926e64e49ad41b6f8fa4858e0c5f5465fa355fcbe4ccf8c02772783122c99083
-  data.tar.gz: 8c37cec27ae036fb6de09bda7ed756d5e1ea27eb58cc2f67c0dd84303b463507393d6da399bd2978bd8f6f195d39b4425a1e8a454de1f54d5442310a6fdc1743
+  metadata.gz: 5294401c2ed0c81a816c00b878f81a74af6875348645a4810b4c4acfed810ca29d726a548e33c6e049efdc95f0a34e3717d8b3cb73aa831ccc36f86ba2e951d1
+  data.tar.gz: 51a8ddcf155a373252a159ef3694a982bd8fb4e47a920b212dfd1f436a8ba892f815b8e226f2f1454d8cd0a7b0748e6e8c635594c0d3bad9e521d700439e0e73

data/.gitignore

@@ -16,3 +16,4 @@ spec/dummy/log/*.log
 spec/dummy/tmp/
 !spec/dummy/tmp/.keep
 spec/examples.txt
+/gemfiles/*.gemfile.lock

data/.rspec

@@ -1,3 +1,2 @@
---format documentation
 --require spec_helper
 --color

data/Appraisals

@@ -0,0 +1,7 @@
+appraise "rails-4" do
+  gem "rails", "~> 4.2"
+end
+
+appraise "rails-5" do
+  gem "rails", "~> 5.0"
+end

data/Gemfile

@@ -1,5 +1,7 @@
 source 'https://rubygems.org'
 
+gem 'appraisal'
+
 # Dependencies for dummy application
 gem 'sqlite3'
 gem 'jsonapi-resources', github: 'cerebris/jsonapi-resources'

data/README.md

@@ -1,6 +1,6 @@
 # Pundit::Resources
 
-Pundit::Resources is a gem that makes [JSONAPI::Resources](jsonapi-resources) use [Pundit][pundit] authorization.
+Pundit::Resources is a gem that makes [JSONAPI::Resources][jsonapi-resources] use [Pundit][pundit] authorization.
 
 ## Installation
 
@@ -29,6 +29,8 @@ Include `Pundit::ResourceController` in the resource controllers that should use
 You also need to define a `current_user` method on the controller.
 The result of this method will be passed as the user parameter to the Pundit policies.
 
+`Pundit::ResourceController` will raise an exception if authorization is not performed on any action, so you don't have to worry about anything slipping through the cracks.
+
 ```ruby
 class ApplicationController < JSONAPI::ResourceController
   include Pundit::ResourceController
@@ -54,7 +56,7 @@ Instead, it checks to see if the given resource is included in the Scope for tha
 
 ## Development
 
-After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
 
 To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org][rubygems].
 

data/Rakefile

@@ -1,6 +1,11 @@
 require "bundler/gem_tasks"
 require "rspec/core/rake_task"
+require "appraisal"
 
 RSpec::Core::RakeTask.new(:spec)
 
 task :default => :spec
+
+if !ENV["APPRAISAL_INITIALIZED"] && !ENV["TRAVIS"]
+  task :default => :appraisal
+end

data/bin/setup

@@ -3,6 +3,6 @@ set -euo pipefail
 IFS=$'\n\t'
 set -vx
 
-bundle install
+appraisal install
 
 # Do any other automated setup that you need to do here

data/gemfiles/rails_4.gemfile

@@ -0,0 +1,11 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "appraisal"
+gem "sqlite3"
+gem "jsonapi-resources", :github => "cerebris/jsonapi-resources"
+gem "pundit"
+gem "rails", "~> 4.2"
+
+gemspec :path => "../"

data/gemfiles/rails_5.gemfile

@@ -0,0 +1,11 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "appraisal"
+gem "sqlite3"
+gem "jsonapi-resources", :github => "cerebris/jsonapi-resources"
+gem "pundit"
+gem "rails", "~> 5.0"
+
+gemspec :path => "../"

data/lib/pundit/resource.rb

@@ -14,6 +14,7 @@ module Pundit
         warn_if_show_defined
 
         context = options[:context]
+        context[:policy_used]&.call
         Pundit.policy_scope!(context[:current_user], _model_class)
       end
 
@@ -21,7 +22,7 @@ module Pundit
 
       def warn_if_show_defined
         policy_class = Pundit::PolicyFinder.new(_model_class.new).policy!
-        if policy_class.method_defined?(:show?)
+        if policy_class.instance_methods(false).include?(:show?)
           puts "WARN: pundit-resources does not use the show? action."
           puts "      #{policy_class::Scope} will be used instead."
         end
@@ -30,6 +31,11 @@ module Pundit
 
     protected
 
+    def can(method)
+      context[:policy_used]&.call
+      policy.public_send(method)
+    end
+
     def current_user
       context&.[](:current_user)
     end
@@ -40,29 +46,39 @@ module Pundit
 
     def authorize_create_or_update
       action = _model.new_record? ? :create : :update
-      not_authorized!(action) unless policy.public_send(:"#{action}?")
+      not_authorized!(action) unless can :"#{action}?"
     end
 
     def authorize_destroy
-      not_authorized! :destroy unless policy.destroy?
+      not_authorized! :destroy unless can :destroy?
     end
 
     def records_for(association_name, options={})
-      association_reflection = _model.class.reflect_on_association(association_name)
+      relationships = self.class._relationships.
+        values.
+        select { |r| r.relation_name(context: @context) == association_name }.
+        uniq(&:class)
+
+      unless relationships.count == 1
+        raise "Can't infer relationship type for #{association_name}"
+      end
+
+      relationship = relationships.first
 
-      if association_reflection.macro == :has_many
+      case relationship
+      when JSONAPI::Relationship::ToMany
         records = _model.public_send(association_name)
         policy_scope = Pundit.policy_scope!(
           context[:current_user],
-          association_reflection.class_name.constantize
+          records
         )
         records.merge(policy_scope)
-      elsif [:has_one, :belongs_to].include?(association_reflection.macro)
+      when JSONAPI::Relationship::ToOne
         record = _model.public_send(association_name)
 
         # Don't rely on policy.show? being defined since it isn't used for
         # show actions directly and should always have the same behaviour.
-        if record && show?(Pundit.policy!(context[:current_user], record))
+        if record && show?(Pundit.policy!(context[:current_user], record), record.id)
           record
         else
           nil
@@ -77,8 +93,8 @@ module Pundit
       raise Pundit::NotAuthorizedError, options
     end
 
-    def show?(policy)
-      policy.scope.where(id: policy.record.id).exists?
+    def show?(policy, record_id)
+      policy.scope.where(id: record_id).exists?
     end
   end
 end

data/lib/pundit/resource_controller.rb

@@ -4,6 +4,9 @@ module Pundit
 
     included do
       include ActionController::Rescue
+      include AbstractController::Callbacks
+
+      after_action :enforce_policy_use
 
       JSONAPI.configure do |config|
         error = Pundit::NotAuthorizedError
@@ -17,6 +20,12 @@ module Pundit
 
     protected
 
+    def enforce_policy_use
+      return if @policy_used || response.status.in?(400...600)
+      raise Pundit::AuthorizationNotPerformedError,
+        "#{params[:controller]}##{params[:action]}"
+    end
+
     def reject_forbidden_request(error)
       type = error.record.class.name.underscore.humanize(capitalize: false)
       error = JSONAPI::Error.new(
@@ -30,10 +39,7 @@ module Pundit
     end
 
     def context
-      { current_user: current_user }
-    end
-
-    def current_user
+      { current_user: current_user, policy_used: -> { @policy_used = true } }
     end
   end
 end

data/lib/pundit/resources/version.rb

@@ -1,5 +1,5 @@
 module Pundit
   module Resources
-    VERSION = "1.0.0"
+    VERSION = "1.0.1"
   end
 end

data/pundit-resources.gemspec

@@ -21,7 +21,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "activesupport"
   spec.add_dependency "jsonapi-resources"
   spec.add_dependency "pundit"
-  spec.add_dependency "rails", ">= 5.0.0.rc1", "< 5.1"
+  spec.add_dependency "rails", ">= 4.2.1", "< 5.1"
 
   spec.add_development_dependency "bundler", "~> 1.11"
   spec.add_development_dependency "rake", "~> 10.0"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pundit-resources
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.0.1
 platform: ruby
 authors:
 - Ross Penman
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2016-05-25 00:00:00.000000000 Z
+date: 2016-07-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -59,7 +59,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 5.0.0.rc1
+        version: 4.2.1
     - - "<"
       - !ruby/object:Gem::Version
         version: '5.1'
@@ -69,7 +69,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 5.0.0.rc1
+        version: 4.2.1
     - - "<"
       - !ruby/object:Gem::Version
         version: '5.1'
@@ -132,12 +132,15 @@ files:
 - ".gitignore"
 - ".rspec"
 - ".travis.yml"
+- Appraisals
 - Gemfile
 - LICENSE.txt
 - README.md
 - Rakefile
 - bin/console
 - bin/setup
+- gemfiles/rails_4.gemfile
+- gemfiles/rails_5.gemfile
 - lib/pundit/resource.rb
 - lib/pundit/resource_controller.rb
 - lib/pundit/resources.rb
@@ -168,3 +171,4 @@ signing_key:
 specification_version: 4
 summary: Integrate JSONAPI::Resources with Pundit
 test_files: []
+has_rdoc: