pundit 1.0.1 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e2a27c306e9cc67fc0ecabc8c910f7e4a5b0706a
-  data.tar.gz: e94f7b364462ea0cf5b4c30d48620f523d89ff4a
+  metadata.gz: a2c188098c86ad5a0804044f80219014564501ef
+  data.tar.gz: 2ab7f79275d9ae66e5d04cf980c11e2c2983a4ef
 SHA512:
-  metadata.gz: d754a6ba6a9b2c00eff1100c320cba4ab34dbca2877e966d477febec75aa79348b978397f53a7961f771f694ac377fb0b87a4af8e79be75e840d15ff0cf53189
-  data.tar.gz: ce78572422e59c3cd811b9062cc033aabfe69713a7e7ee364a0fe12c505f4399ebbd645683d0935b1f045af8903835e9a97d31e47edcf2928c4fd90f89cbe87d
+  metadata.gz: 55fbbf71ad514c0cfe4f8933dea59915314f749efa53ab5579f2da9dfcf2b4786343cefa53d3a35e26f4a346776c1c513884595a39561d280b259e6b6fb9b31a
+  data.tar.gz: bbcf9417801b22deac78afe2d5ea8a268193daf0e011f861006c25b1d0124d1f462aa37d4d38e623b9d438cb29ceb52b250575118e053862b74561795bbdd7a4

data/.rubocop.yml

@@ -0,0 +1,95 @@
+AllCops:
+  Exclude:
+    - "gemfiles/**/*"
+    - "vendor/**/*"
+    - "lib/generators/**/*"
+
+Metrics/MethodLength:
+  Max: 40
+
+Metrics/ModuleLength:
+  Max: 200
+
+Metrics/LineLength:
+  Max: 120
+
+Metrics/AbcSize:
+  Enabled: false
+
+Metrics/CyclomaticComplexity:
+  Enabled: false
+
+Metrics/PerceivedComplexity:
+  Enabled: false
+
+Style/StructInheritance:
+  Enabled: false
+
+Style/AlignParameters:
+  EnforcedStyle: with_fixed_indentation
+
+Style/StringLiterals:
+  EnforcedStyle: double_quotes
+
+Style/StringLiteralsInInterpolation:
+  EnforcedStyle: double_quotes
+
+Style/ClosingParenthesisIndentation:
+  Enabled: false
+
+Style/OneLineConditional:
+  Enabled: false
+
+Style/AndOr:
+  Enabled: false
+
+Style/Not:
+  Enabled: false
+
+Documentation:
+  Enabled: false # TODO: Enable again once we have more docs
+
+Style/CaseIndentation:
+  IndentWhenRelativeTo: case
+  SupportedStyles:
+    - case
+    - end
+  IndentOneStep: true
+
+Style/PercentLiteralDelimiters:
+  PreferredDelimiters:
+    '%w': "[]"
+    '%W': "[]"
+
+Style/AccessModifierIndentation:
+  EnforcedStyle: outdent
+
+Style/SignalException:
+  Enabled: false
+
+Style/IndentationWidth:
+  Enabled: false
+
+Style/TrivialAccessors:
+  ExactNameMatch: true
+
+Lint/EndAlignment:
+  AlignWith: variable
+
+Lint/DefEndAlignment:
+  Enabled: false
+
+Lint/HandleExceptions:
+  Enabled: false
+
+Style/SpecialGlobalVars:
+  Enabled: false
+
+Style/TrivialAccessors:
+  Enabled: false
+
+Style/IndentHash:
+  Enabled: false
+
+Style/DoubleNegation:
+  Enabled: false

data/.travis.yml

@@ -2,8 +2,8 @@ language: ruby
 sudo: false
 rvm:
   - 2.0.0
-  - 2.1.5
-  - 2.2.0
+  - 2.1
+  - 2.2
   - jruby-19mode
   - rbx-2
 env:

data/.yardopts

@@ -0,0 +1 @@
+--api public --hide-void-return --markup markdown

data/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Pundit
 
+## 1.1.0 (2016-01-14)
+
+- Can retrieve policies via an array of symbols/objects.
+- Add autodetection of param key to `permitted_attributes` helper.
+- Hide some methods which should not be actions.
+- Permitted attributes should be expanded.
+- Generator uses `RSpec.describe` according to modern best practices.
+
 ## 1.0.1 (2015-05-27)
 
 - Fixed a regression where NotAuthorizedError could not be ininitialized with a string.
@@ -17,7 +25,7 @@
 - Add `skip_authorization` and `skip_policy_scope` helpers.
 - Better errors when checking multiple permissions in RSpec tests.
 - Better errors in case `nil` is passed to `policy` or `policy_scope`.
-- Use `inpect` when printing object for better errors.
+- Use `inspect` when printing object for better errors.
 - Dropped official support for Ruby 1.9.3
 
 ## 0.3.0 (2014-08-22)

data/Gemfile

@@ -1,5 +1,4 @@
-source 'https://rubygems.org'
+source "https://rubygems.org"
 
-# Specify your gem's dependencies in pundit.gemspec
 gem "rspec", ENV["RSPEC_VERSION"] unless ENV["RSPEC_VERSION"].to_s.empty?
 gemspec

data/README.md

@@ -1,8 +1,9 @@
 # Pundit
 
-[![Build Status](https://secure.travis-ci.org/elabs/pundit.png?branch=master)](https://travis-ci.org/elabs/pundit)
-[![Code Climate](https://codeclimate.com/github/elabs/pundit.png)](https://codeclimate.com/github/elabs/pundit)
-[![Inline docs](http://inch-ci.org/github/elabs/pundit.png)](http://inch-ci.org/github/elabs/pundit)
+[![Build Status](https://secure.travis-ci.org/elabs/pundit.svg?branch=master)](https://travis-ci.org/elabs/pundit)
+[![Code Climate](https://codeclimate.com/github/elabs/pundit.svg)](https://codeclimate.com/github/elabs/pundit)
+[![Inline docs](http://inch-ci.org/github/elabs/pundit.svg?branch=master)](http://inch-ci.org/github/elabs/pundit)
+[![Gem Version](https://badge.fury.io/rb/pundit.svg)](http://badge.fury.io/rb/pundit)
 
 Pundit provides a set of helpers which guide you in leveraging regular Ruby
 classes and object oriented design patterns to build a simple, robust and
@@ -130,6 +131,26 @@ def publish
 end
 ```
 
+If you don't have an instance for the first argument to `authorize`, then you can pass
+the class. For example:
+
+Policy:
+```ruby
+class PostPolicy < ApplicationPolicy
+  def admin_list?
+    user.admin?
+  end
+end
+```
+
+Controller:
+```ruby
+def admin_list
+  authorize Post # we don't have a particular post to authorize
+  # Rest of controller action
+end
+```
+
 You can easily get a hold of an instance of the policy through the `policy`
 method in both the view and controller. This is especially useful for
 conditionally showing links or buttons in the view:
@@ -172,7 +193,7 @@ forgotten to authorize the action. For example:
 
 ``` ruby
 class ApplicationController < ActionController::Base
-  after_action :verify_authorized, :except => :index
+  after_action :verify_authorized
 end
 ```
 
@@ -184,7 +205,8 @@ authorize individual instances.
 
 ``` ruby
 class ApplicationController < ActionController::Base
-  after_action :verify_policy_scoped, :only => :index
+  after_action :verify_authorized, except: :index
+  after_action :verify_policy_scoped, only: :index
 end
 ```
 
@@ -222,7 +244,7 @@ class PostPolicy < ApplicationPolicy
     attr_reader :user, :scope
 
     def initialize(user, scope)
-      @user = user
+      @user  = user
       @scope = scope
     end
 
@@ -230,7 +252,7 @@ class PostPolicy < ApplicationPolicy
       if user.admin?
         scope.all
       else
-        scope.where(:published => true)
+        scope.where(published: true)
       end
     end
   end
@@ -263,7 +285,7 @@ class PostPolicy < ApplicationPolicy
       if user.admin?
         scope.all
       else
-        scope.where(:published => true)
+        scope.where(published: true)
       end
     end
   end
@@ -351,7 +373,7 @@ got through. This way you can fail more gracefully.
 class ApplicationPolicy
   def initialize(user, record)
     raise Pundit::NotAuthorizedError, "must be logged in" unless user
-    @user = user
+    @user   = user
     @record = record
   end
 end
@@ -470,7 +492,7 @@ class UserContext
 
   def initialize(user, ip)
     @user = user
-    @ip = ip
+    @ip   = ip
   end
 end
 
@@ -559,24 +581,24 @@ Then put your policy specs in `spec/policies`, and make them look somewhat like
 describe PostPolicy do
   subject { described_class }
 
-  permissions :update? do
+  permissions :update?, :edit? do
     it "denies access if post is published" do
-      expect(subject).not_to permit(User.new(:admin => false), Post.new(:published => true))
+      expect(subject).not_to permit(User.new(admin: false), Post.new(published: true))
     end
 
     it "grants access if post is published and user is an admin" do
-      expect(subject).to permit(User.new(:admin => true), Post.new(:published => true))
+      expect(subject).to permit(User.new(admin: true), Post.new(published: true))
     end
 
     it "grants access if post is unpublished" do
-      expect(subject).to permit(User.new(:admin => false), Post.new(:published => false))
+      expect(subject).to permit(User.new(admin: false), Post.new(published: false))
     end
   end
 end
 ```
 
 An alternative approach to Pundit policy specs is scoping them to a user context as outlined in this
-[excellent post](http://thunderboltlabs.com/blog/2013/03/27/testing-pundit-policies-with-rspec/).
+[excellent post](http://thunderboltlabs.com/blog/2013/03/27/testing-pundit-policies-with-rspec/) and implemented in the third party [pundit-matchers](https://github.com/chrisalley/pundit-matchers) gem.
 
 # External Resources
 
@@ -584,6 +606,7 @@ An alternative approach to Pundit policy specs is scoping them to a user context
 - [Migrating to Pundit from CanCan](http://blog.carbonfive.com/2013/10/21/migrating-to-pundit-from-cancan/)
 - [Testing Pundit Policies with RSpec](http://thunderboltlabs.com/blog/2013/03/27/testing-pundit-policies-with-rspec/)
 - [Using Pundit outside of a Rails controller](https://github.com/elabs/pundit/pull/136)
+- [Straightforward Rails Authorization with Pundit](http://www.sitepoint.com/straightforward-rails-authorization-with-pundit/)
 
 # License
 

data/Rakefile

@@ -1,17 +1,19 @@
-require 'rubygems'
-require 'bundler/gem_tasks'
-require 'rspec/core/rake_task'
-require 'yard'
+require "rubygems"
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+require "yard"
+require "rubocop/rake_task"
+
+RuboCop::RakeTask.new
 
 desc "Run all examples"
 RSpec::Core::RakeTask.new(:spec) do |t|
-  #t.rspec_path = 'bin/rspec'
   t.rspec_opts = %w[--color]
 end
 
 YARD::Rake::YardocTask.new do |t|
-  t.files   = ['lib/**/*.rb']
-  #t.options = ['--any', '--extra', '--opts'] # optional
+  t.files = ["lib/**/*.rb"]
 end
 
-task :default => [:spec]
+task default: :spec
+task default: :rubocop unless RUBY_ENGINE == "rbx"

data/lib/generators/rspec/templates/policy_spec.rb

@@ -1,6 +1,6 @@
 require '<%= File.exists?('spec/rails_helper.rb') ? 'rails_helper' : 'spec_helper' %>'
 
-describe <%= class_name %>Policy do
+RSpec.describe <%= class_name %>Policy do
 
   let(:user) { User.new }
 

data/lib/pundit.rb

@@ -6,10 +6,17 @@ require "active_support/core_ext/object/blank"
 require "active_support/core_ext/module/introspection"
 require "active_support/dependencies/autoload"
 
+# @api public
 module Pundit
   SUFFIX = "Policy"
 
+  # @api private
+  module Generators; end
+
+  # @api private
   class Error < StandardError; end
+
+  # Error that will be raiser when authorization has failed
   class NotAuthorizedError < Error
     attr_reader :query, :record, :policy
 
@@ -27,42 +34,86 @@ module Pundit
       super(message)
     end
   end
+
+  # Error that will be raised if a controller action has not called the
+  # `authorize` or `skip_authorization` methods.
   class AuthorizationNotPerformedError < Error; end
+
+  # Error that will be raised if a controller action has not called the
+  # `policy_scope` or `skip_policy_scope` methods.
   class PolicyScopingNotPerformedError < AuthorizationNotPerformedError; end
+
+  # Error that will be raised if a policy or policy scope is not defined.
   class NotDefinedError < Error; end
 
   extend ActiveSupport::Concern
 
   class << self
+    # Retrieves the policy for the given record, initializing it with the
+    # record and user and finally throwing an error if the user is not
+    # authorized to perform the given action.
+    #
+    # @param user [Object] the user that initiated the action
+    # @param record [Object] the object we're checking permissions of
+    # @param record [Symbol] the query method to check on the policy (e.g. `:show?`)
+    # @raise [NotAuthorizedError] if the given query method returned false
+    # @return [true] Always returns true
     def authorize(user, record, query)
       policy = policy!(user, record)
 
       unless policy.public_send(query)
-        raise NotAuthorizedError.new(query: query, record: record, policy: policy)
+        raise NotAuthorizedError, query: query, record: record, policy: policy
       end
 
       true
     end
 
+    # Retrieves the policy scope for the given record.
+    #
+    # @see https://github.com/elabs/pundit#scopes
+    # @param user [Object] the user that initiated the action
+    # @param record [Object] the object we're retrieving the policy scope for
+    # @return [Scope{#resolve}, nil] instance of scope class which can resolve to a scope
     def policy_scope(user, scope)
       policy_scope = PolicyFinder.new(scope).scope
       policy_scope.new(user, scope).resolve if policy_scope
     end
 
+    # Retrieves the policy scope for the given record.
+    #
+    # @see https://github.com/elabs/pundit#scopes
+    # @param user [Object] the user that initiated the action
+    # @param record [Object] the object we're retrieving the policy scope for
+    # @raise [NotDefinedError] if the policy scope cannot be found
+    # @return [Scope{#resolve}] instance of scope class which can resolve to a scope
     def policy_scope!(user, scope)
       PolicyFinder.new(scope).scope!.new(user, scope).resolve
     end
 
+    # Retrieves the policy for the given record.
+    #
+    # @see https://github.com/elabs/pundit#policies
+    # @param user [Object] the user that initiated the action
+    # @param record [Object] the object we're retrieving the policy for
+    # @return [Object, nil] instance of policy class with query methods
     def policy(user, record)
       policy = PolicyFinder.new(record).policy
       policy.new(user, record) if policy
     end
 
+    # Retrieves the policy for the given record.
+    #
+    # @see https://github.com/elabs/pundit#policies
+    # @param user [Object] the user that initiated the action
+    # @param record [Object] the object we're retrieving the policy for
+    # @raise [NotDefinedError] if the policy cannot be found
+    # @return [Object] instance of policy class with query methods
     def policy!(user, record)
       PolicyFinder.new(record).policy!.new(user, record)
     end
   end
 
+  # @api private
   module Helper
     def policy_scope(scope)
       pundit_policy_scope(scope)
@@ -88,68 +139,141 @@ module Pundit
       hide_action :pundit_user
       hide_action :skip_authorization
       hide_action :skip_policy_scope
+      hide_action :pundit_policy_authorized?
+      hide_action :pundit_policy_scoped?
     end
   end
 
+  # @return [Boolean] whether authorization has been performed, i.e. whether
+  #                   one {#authorize} or {#skip_authorization} has been called
   def pundit_policy_authorized?
     !!@_pundit_policy_authorized
   end
 
+  # @return [Boolean] whether policy scoping has been performed, i.e. whether
+  #                   one {#policy_scope} or {#skip_policy_scope} has been called
   def pundit_policy_scoped?
     !!@_pundit_policy_scoped
   end
 
+  # Raises an error if authorization has not been performed, usually used as an
+  # `after_action` filter to prevent programmer error in forgetting to call
+  # {#authorize} or {#skip_authorization}.
+  #
+  # @see https://github.com/elabs/pundit#ensuring-policies-are-used
+  # @raise [AuthorizationNotPerformedError] if authorization has not been performed
+  # @return [void]
   def verify_authorized
-    raise AuthorizationNotPerformedError unless pundit_policy_authorized?
+    raise AuthorizationNotPerformedError, self.class unless pundit_policy_authorized?
   end
 
+  # Raises an error if policy scoping has not been performed, usually used as an
+  # `after_action` filter to prevent programmer error in forgetting to call
+  # {#policy_scope} or {#skip_policy_scope} in index actions.
+  #
+  # @see https://github.com/elabs/pundit#ensuring-policies-are-used
+  # @raise [AuthorizationNotPerformedError] if policy scoping has not been performed
+  # @return [void]
   def verify_policy_scoped
-    raise PolicyScopingNotPerformedError unless pundit_policy_scoped?
+    raise PolicyScopingNotPerformedError, self.class unless pundit_policy_scoped?
   end
 
-  def authorize(record, query=nil)
+  # Retrieves the policy for the given record, initializing it with the record
+  # and current user and finally throwing an error if the user is not
+  # authorized to perform the given action.
+  #
+  # @param record [Object] the object we're checking permissions of
+  # @param record [Symbol, nil] the query method to check on the policy (e.g. `:show?`)
+  # @raise [NotAuthorizedError] if the given query method returned false
+  # @return [true] Always returns true
+  def authorize(record, query = nil)
     query ||= params[:action].to_s + "?"
 
     @_pundit_policy_authorized = true
 
     policy = policy(record)
+
     unless policy.public_send(query)
-      raise NotAuthorizedError.new(query: query, record: record, policy: policy)
+      raise NotAuthorizedError, query: query, record: record, policy: policy
     end
 
     true
   end
 
+  # Allow this action not to perform authorization.
+  #
+  # @see https://github.com/elabs/pundit#ensuring-policies-are-used
+  # @return [void]
   def skip_authorization
     @_pundit_policy_authorized = true
   end
 
+  # Allow this action not to perform policy scoping.
+  #
+  # @see https://github.com/elabs/pundit#ensuring-policies-are-used
+  # @return [void]
   def skip_policy_scope
     @_pundit_policy_scoped = true
   end
 
+  # Retrieves the policy scope for the given record.
+  #
+  # @see https://github.com/elabs/pundit#scopes
+  # @param record [Object] the object we're retrieving the policy scope for
+  # @return [Scope{#resolve}, nil] instance of scope class which can resolve to a scope
   def policy_scope(scope)
     @_pundit_policy_scoped = true
     pundit_policy_scope(scope)
   end
 
+  # Retrieves the policy for the given record.
+  #
+  # @see https://github.com/elabs/pundit#policies
+  # @param record [Object] the object we're retrieving the policy for
+  # @return [Object, nil] instance of policy class with query methods
   def policy(record)
     policies[record] ||= Pundit.policy!(pundit_user, record)
   end
 
-  def permitted_attributes(record)
-    name = record.class.to_s.demodulize.underscore
-    params.require(name).permit(policy(record).permitted_attributes)
+  # Retrieves a set of permitted attributes from the policy by instantiating
+  # the policy class for the given record and calling `permitted_attributes` on
+  # it, or `permitted_attributes_for_{action}` if it is defined. It then infers
+  # what key the record should have in the params hash and retrieves the
+  # permitted attributes from the params hash under that key.
+  #
+  # @see https://github.com/elabs/pundit#strong-parameters
+  # @param record [Object] the object we're retrieving permitted attributes for
+  # @return [Hash{String => Object}] the permitted attributes
+  def permitted_attributes(record, action = params[:action])
+    param_key = PolicyFinder.new(record).param_key
+    policy = policy(record)
+    method_name = if policy.respond_to?("permitted_attributes_for_#{action}")
+      "permitted_attributes_for_#{action}"
+    else
+      "permitted_attributes"
+    end
+    params.require(param_key).permit(policy.public_send(method_name))
   end
 
+  # Cache of policies. You should not rely on this method.
+  #
+  # @api private
   def policies
     @_pundit_policies ||= {}
   end
 
+  # Cache of policy scope. You should not rely on this method.
+  #
+  # @api private
   def policy_scopes
     @_pundit_policy_scopes ||= {}
   end
 
+  # Hook method which allows customizing which user is passed to policies and
+  # scopes initialized by {#authorize}, {#policy} and {#policy_scope}.
+  #
+  # @see https://github.com/elabs/pundit#customize-pundit-user
+  # @return [Object] the user object to be used with pundit
   def pundit_user
     current_user
   end

data/lib/pundit/policy_finder.rb

@@ -1,17 +1,40 @@
 module Pundit
+  # Finds policy and scope classes for given object.
+  # @api public
+  # @example
+  #   user = User.find(params[:id])
+  #   finder = PolicyFinder.new(user)
+  #   finder.policy #=> UserPolicy
+  #   finder.scope #=> UserPolicy::Scope
+  #
   class PolicyFinder
     attr_reader :object
 
+    # @param object [any] the object to find policy and scope classes for
+    #
     def initialize(object)
       @object = object
     end
 
+    # @return [nil, Scope{#resolve}] scope class which can resolve to a scope
+    # @see https://github.com/elabs/pundit#scopes
+    # @example
+    #   scope = finder.scope #=> UserPolicy::Scope
+    #   scope.resolve #=> <#ActiveRecord::Relation ...>
+    #
     def scope
       policy::Scope if policy
     rescue NameError
       nil
     end
 
+    # @return [nil, Class] policy class with query methods
+    # @see https://github.com/elabs/pundit#policies
+    # @example
+    #   policy = finder.policy #=> UserPolicy
+    #   policy.show? #=> true
+    #   policy.update? #=> false
+    #
     def policy
       klass = find
       klass = klass.constantize if klass.is_a?(String)
@@ -20,16 +43,34 @@ module Pundit
       nil
     end
 
+    # @return [Scope{#resolve}] scope class which can resolve to a scope
+    # @raise [NotDefinedError] if scope could not be determined
+    #
     def scope!
       raise NotDefinedError, "unable to find policy scope of nil" if object.nil?
       scope or raise NotDefinedError, "unable to find scope `#{find}::Scope` for `#{object.inspect}`"
     end
 
+    # @return [Class] policy class with query methods
+    # @raise [NotDefinedError] if policy could not be determined
+    #
     def policy!
       raise NotDefinedError, "unable to find policy of nil" if object.nil?
       policy or raise NotDefinedError, "unable to find policy `#{find}` for `#{object.inspect}`"
     end
 
+    # @return [String] the name of the key this object would have in a params hash
+    #
+    def param_key
+      if object.respond_to?(:model_name)
+        object.model_name.param_key.to_s
+      elsif object.is_a?(Class)
+        object.to_s.demodulize.underscore
+      else
+        object.class.to_s.demodulize.underscore
+      end
+    end
+
   private
 
     def find
@@ -40,21 +81,27 @@ module Pundit
       elsif object.class.respond_to?(:policy_class)
         object.class.policy_class
       else
-        klass = if object.respond_to?(:model_name)
-          object.model_name
-        elsif object.class.respond_to?(:model_name)
-          object.class.model_name
-        elsif object.is_a?(Class)
-          object
-        elsif object.is_a?(Symbol)
-          object.to_s.camelize
-        elsif object.is_a?(Array)
-          object.join('/').camelize
+        klass = if object.is_a?(Array)
+          object.map { |x| find_class_name(x) }.join("::")
         else
-          object.class
+          find_class_name(object)
         end
         "#{klass}#{SUFFIX}"
       end
     end
+
+    def find_class_name(subject)
+      if subject.respond_to?(:model_name)
+        subject.model_name
+      elsif subject.class.respond_to?(:model_name)
+        subject.class.model_name
+      elsif subject.is_a?(Class)
+        subject
+      elsif subject.is_a?(Symbol)
+        subject.to_s.camelize
+      else
+        subject.class
+      end
+    end
   end
 end

data/lib/pundit/rspec.rb

@@ -7,23 +7,29 @@ module Pundit
 
       matcher :permit do |user, record|
         match_proc = lambda do |policy|
-          @violating_permissions = permissions.find_all { |permission| not policy.new(user, record).public_send(permission) }
+          @violating_permissions = permissions.find_all do |permission|
+            not policy.new(user, record).public_send(permission)
+          end
           @violating_permissions.empty?
         end
 
         match_when_negated_proc = lambda do |policy|
-          @violating_permissions = permissions.find_all { |permission| policy.new(user, record).public_send(permission) }
+          @violating_permissions = permissions.find_all do |permission|
+            policy.new(user, record).public_send(permission)
+          end
           @violating_permissions.empty?
         end
 
         failure_message_proc = lambda do |policy|
           was_were = @violating_permissions.count > 1 ? "were" : "was"
-          "Expected #{policy} to grant #{permissions.to_sentence} on #{record} but #{@violating_permissions.to_sentence} #{was_were} not granted"
+          "Expected #{policy} to grant #{permissions.to_sentence} on \
+          #{record} but #{@violating_permissions.to_sentence} #{was_were} not granted"
         end
 
         failure_message_when_negated_proc = lambda do |policy|
           was_were = @violating_permissions.count > 1 ? "were" : "was"
-          "Expected #{policy} not to grant #{permissions.to_sentence} on #{record} but #{@violating_permissions.to_sentence} #{was_were} granted"
+          "Expected #{policy} not to grant #{permissions.to_sentence} on \
+          #{record} but #{@violating_permissions.to_sentence} #{was_were} granted"
         end
 
         if respond_to?(:match_when_negated)
@@ -47,7 +53,7 @@ module Pundit
 
     module DSL
       def permissions(*list, &block)
-        describe(list.to_sentence, :permissions => list, :caller => caller) { instance_eval(&block) }
+        describe(list.to_sentence, permissions: list, caller: caller) { instance_eval(&block) }
       end
     end
 
@@ -65,14 +71,14 @@ end
 
 RSpec.configure do |config|
   if RSpec::Core::Version::STRING.split(".").first.to_i >= 3
-    config.include(Pundit::RSpec::PolicyExampleGroup, {
-      :type => :policy,
-      :file_path => /spec\/policies/,
-    })
+    config.include(Pundit::RSpec::PolicyExampleGroup,
+      type: :policy,
+      file_path: %r{spec/policies}
+    )
   else
-    config.include(Pundit::RSpec::PolicyExampleGroup, {
-      :type => :policy,
-      :example_group => { :file_path => /spec\/policies/ }
-    })
+    config.include(Pundit::RSpec::PolicyExampleGroup,
+      type: :policy,
+      example_group: { file_path: %r{spec/policies} }
+    )
   end
 end

data/lib/pundit/version.rb

@@ -1,3 +1,3 @@
 module Pundit
-  VERSION = "1.0.1"
+  VERSION = "1.1.0"
 end

data/pundit.gemspec

@@ -1,20 +1,20 @@
 # -*- encoding: utf-8 -*-
-lib = File.expand_path('../lib', __FILE__)
+lib = File.expand_path("../lib", __FILE__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require 'pundit/version'
+require "pundit/version"
 
 Gem::Specification.new do |gem|
   gem.name          = "pundit"
   gem.version       = Pundit::VERSION
   gem.authors       = ["Jonas Nicklas", "Elabs AB"]
   gem.email         = ["jonas.nicklas@gmail.com", "dev@elabs.se"]
-  gem.description   = %q{Object oriented authorization for Rails applications}
-  gem.summary       = %q{OO authorization for Rails}
+  gem.description   = "Object oriented authorization for Rails applications"
+  gem.summary       = "OO authorization for Rails"
   gem.homepage      = "https://github.com/elabs/pundit"
   gem.license       = "MIT"
 
   gem.files         = `git ls-files`.split($/)
-  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.executables   = gem.files.grep(%r{^bin/}).map { |f| File.basename(f) }
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.require_paths = ["lib"]
 
@@ -26,4 +26,5 @@ Gem::Specification.new do |gem|
   gem.add_development_dependency "pry"
   gem.add_development_dependency "rake"
   gem.add_development_dependency "yard"
+  gem.add_development_dependency "rubocop"
 end

data/spec/pundit_spec.rb

@@ -3,13 +3,18 @@ require "spec_helper"
 describe Pundit do
   let(:user) { double }
   let(:post) { Post.new(user) }
+  let(:customer_post) { Customer::Post.new(user) }
+  let(:post_four_five_six) { PostFourFiveSix.new(user) }
   let(:comment) { Comment.new }
+  let(:comment_four_five_six) { CommentFourFiveSix.new }
   let(:article) { Article.new }
-  let(:controller) { Controller.new(user, { :action => 'update' }) }
+  let(:controller) { Controller.new(user, action: "update") }
   let(:artificial_blog) { ArtificialBlog.new }
   let(:article_tag) { ArticleTag.new }
   let(:comments_relation) { CommentsRelation.new }
   let(:empty_comments_relation) { CommentsRelation.new(true) }
+  let(:tag_four_five_six) { ProjectOneTwoThree::TagFourFiveSix.new(user) }
+  let(:avatar_four_five_six) { ProjectOneTwoThree::AvatarFourFiveSix.new }
 
   describe ".authorize" do
     it "infers the policy and authorizes based on it" do
@@ -22,7 +27,10 @@ describe Pundit do
     end
 
     it "raises an error with a query and action" do
-      expect { Pundit.authorize(user, post, :destroy?) }.to raise_error(Pundit::NotAuthorizedError, "not allowed to destroy? this #<Post>") do |error|
+      # rubocop:disable Style/MultilineBlockChain
+      expect do
+        Pundit.authorize(user, post, :destroy?)
+      end.to raise_error(Pundit::NotAuthorizedError, "not allowed to destroy? this #<Post>") do |error|
         expect(error.query).to eq :destroy?
         expect(error.record).to eq post
         expect(error.policy).to eq Pundit.policy(user, post)
@@ -74,7 +82,9 @@ describe Pundit do
     end
 
     it "throws an exception if the given policy scope is nil" do
-      expect { Pundit.policy_scope!(user, nil) }.to raise_error(Pundit::NotDefinedError, "unable to find policy scope of nil")
+      expect do
+        Pundit.policy_scope!(user, nil)
+      end.to raise_error(Pundit::NotDefinedError, "unable to find policy scope of nil")
     end
   end
 
@@ -103,6 +113,93 @@ describe Pundit do
       expect(policy.comment).to eq Comment
     end
 
+    it "returns an instantiated policy given a symbol" do
+      policy = Pundit.policy(user, :criteria)
+      expect(policy.class).to eq CriteriaPolicy
+      expect(policy.user).to eq user
+      expect(policy.criteria).to eq :criteria
+    end
+
+    it "returns an instantiated policy given an array of symbols" do
+      policy = Pundit.policy(user, [:project, :criteria])
+      expect(policy.class).to eq Project::CriteriaPolicy
+      expect(policy.user).to eq user
+      expect(policy.criteria).to eq [:project, :criteria]
+    end
+
+    it "returns an instantiated policy given an array of a symbol and plain model instance" do
+      policy = Pundit.policy(user, [:project, post])
+      expect(policy.class).to eq Project::PostPolicy
+      expect(policy.user).to eq user
+      expect(policy.post).to eq [:project, post]
+    end
+
+    it "returns an instantiated policy given an array of a symbol and an active model instance" do
+      policy = Pundit.policy(user, [:project, comment])
+      expect(policy.class).to eq Project::CommentPolicy
+      expect(policy.user).to eq user
+      expect(policy.post).to eq [:project, comment]
+    end
+
+    it "returns an instantiated policy given an array of a symbol and a plain model class" do
+      policy = Pundit.policy(user, [:project, Post])
+      expect(policy.class).to eq Project::PostPolicy
+      expect(policy.user).to eq user
+      expect(policy.post).to eq [:project, Post]
+    end
+
+    it "returns an instantiated policy given an array of a symbol and an active model class" do
+      policy = Pundit.policy(user, [:project, Comment])
+      expect(policy.class).to eq Project::CommentPolicy
+      expect(policy.user).to eq user
+      expect(policy.post).to eq [:project, Comment]
+    end
+
+    it "returns correct policy class for an array of a multi-word symbols" do
+      policy = Pundit.policy(user, [:project_one_two_three, :criteria_four_five_six])
+      expect(policy.class).to eq ProjectOneTwoThree::CriteriaFourFiveSixPolicy
+    end
+
+    it "returns correct policy class for an array of a multi-word symbol and a multi-word plain model instance" do
+      policy = Pundit.policy(user, [:project_one_two_three, post_four_five_six])
+      expect(policy.class).to eq ProjectOneTwoThree::PostFourFiveSixPolicy
+    end
+
+    it "returns correct policy class for an array of a multi-word symbol and a multi-word active model instance" do
+      policy = Pundit.policy(user, [:project_one_two_three, comment_four_five_six])
+      expect(policy.class).to eq ProjectOneTwoThree::CommentFourFiveSixPolicy
+    end
+
+    it "returns correct policy class for an array of a multi-word symbol and a multi-word plain model class" do
+      policy = Pundit.policy(user, [:project_one_two_three, PostFourFiveSix])
+      expect(policy.class).to eq ProjectOneTwoThree::PostFourFiveSixPolicy
+    end
+
+    it "returns correct policy class for an array of a multi-word symbol and a multi-word active model class" do
+      policy = Pundit.policy(user, [:project_one_two_three, CommentFourFiveSix])
+      expect(policy.class).to eq ProjectOneTwoThree::CommentFourFiveSixPolicy
+    end
+
+    it "returns correct policy class for a multi-word scoped plain model class" do
+      policy = Pundit.policy(user, ProjectOneTwoThree::TagFourFiveSix)
+      expect(policy.class).to eq ProjectOneTwoThree::TagFourFiveSixPolicy
+    end
+
+    it "returns correct policy class for a multi-word scoped plain model instance" do
+      policy = Pundit.policy(user, tag_four_five_six)
+      expect(policy.class).to eq ProjectOneTwoThree::TagFourFiveSixPolicy
+    end
+
+    it "returns correct policy class for a multi-word scoped active model class" do
+      policy = Pundit.policy(user, ProjectOneTwoThree::AvatarFourFiveSix)
+      expect(policy.class).to eq ProjectOneTwoThree::AvatarFourFiveSixPolicy
+    end
+
+    it "returns correct policy class for a multi-word scoped active model instance" do
+      policy = Pundit.policy(user, avatar_four_five_six)
+      expect(policy.class).to eq ProjectOneTwoThree::AvatarFourFiveSixPolicy
+    end
+
     it "returns nil if the given policy can't be found" do
       expect(Pundit.policy(user, article)).to be_nil
       expect(Pundit.policy(user, Article)).to be_nil
@@ -136,20 +233,6 @@ describe Pundit do
         expect(policy.user).to eq user
         expect(policy.tag).to eq ArticleTag
       end
-
-      it "returns an instantiated policy given a symbol" do
-        policy = Pundit.policy(user, :criteria)
-        expect(policy.class).to eq CriteriaPolicy
-        expect(policy.user).to eq user
-        expect(policy.criteria).to eq :criteria
-      end
-
-      it "returns an instantiated policy given an array" do
-        policy = Pundit.policy(user, [:project, :criteria])
-        expect(policy.class).to eq Project::CriteriaPolicy
-        expect(policy.user).to eq user
-        expect(policy.criteria).to eq [:project, :criteria]
-      end
     end
   end
 
@@ -185,7 +268,7 @@ describe Pundit do
       expect(policy.criteria).to eq :criteria
     end
 
-    it "returns an instantiated policy given an array" do
+    it "returns an instantiated policy given an array of symbols" do
       policy = Pundit.policy!(user, [:project, :criteria])
       expect(policy.class).to eq Project::CriteriaPolicy
       expect(policy.user).to eq user
@@ -295,7 +378,7 @@ describe Pundit do
   end
 
   describe "#pundit_user" do
-    it 'returns the same thing as current_user' do
+    it "returns the same thing as current_user" do
       expect(controller.pundit_user).to eq controller.current_user
     end
   end
@@ -338,10 +421,49 @@ describe Pundit do
 
   describe "#permitted_attributes" do
     it "checks policy for permitted attributes" do
-      params = ActionController::Parameters.new({ action: 'update', post: { title: 'Hello', votes: 5, admin: true } })
+      params = ActionController::Parameters.new(action: "update", post: {
+        title: "Hello",
+        votes: 5,
+        admin: true
+      })
+
+      expect(Controller.new(user, params).permitted_attributes(post)).to eq("title" => "Hello", "votes" => 5)
+      expect(Controller.new(double, params).permitted_attributes(post)).to eq("votes" => 5)
+    end
+
+    it "checks policy for permitted attributes for record of a ActiveModel type" do
+      params = ActionController::Parameters.new(action: "update", customer_post: {
+        title: "Hello",
+        votes: 5,
+        admin: true
+      })
+
+      expect(Controller.new(user, params).permitted_attributes(customer_post)).to eq("title" => "Hello", "votes" => 5)
+      expect(Controller.new(double, params).permitted_attributes(customer_post)).to eq("votes" => 5)
+    end
+  end
+
+  describe "#permitted_attributes_for_action" do
+    it "is checked if it is defined in the policy" do
+      params = ActionController::Parameters.new(action: "revise", post: {
+        title: "Hello",
+        body: "blah",
+        votes: 5,
+        admin: true
+      })
+
+      expect(Controller.new(user, params).permitted_attributes(post)).to eq("body" => "blah")
+    end
+
+    it "can be explicitly set" do
+      params = ActionController::Parameters.new(action: "update", post: {
+        title: "Hello",
+        body: "blah",
+        votes: 5,
+        admin: true
+      })
 
-      expect(Controller.new(user, params).permitted_attributes(post)).to eq({ 'title' => 'Hello', 'votes' => 5 })
-      expect(Controller.new(double, params).permitted_attributes(post)).to eq({ 'votes' => 5 })
+      expect(Controller.new(user, params).permitted_attributes(post, :revise)).to eq("body" => "blah")
     end
   end
 

data/spec/spec_helper.rb

@@ -26,15 +26,24 @@ RSpec.configure do |config|
 end
 
 class PostPolicy < Struct.new(:user, :post)
+  class Scope < Struct.new(:user, :scope)
+    def resolve
+      scope.published
+    end
+  end
+
   def update?
     post.user == user
   end
+
   def destroy?
     false
   end
+
   def show?
     true
   end
+
   def permitted_attributes
     if post.user == user
       [:title, :votes]
@@ -42,61 +51,98 @@ class PostPolicy < Struct.new(:user, :post)
       [:votes]
     end
   end
-end
-class PostPolicy::Scope < Struct.new(:user, :scope)
-  def resolve
-    scope.published
+
+  def permitted_attributes_for_revise
+    [:body]
   end
 end
+
 class Post < Struct.new(:user)
   def self.published
     :published
   end
-  def to_s; "Post"; end
-  def inspect; "#<Post>"; end
+
+  def to_s
+    "Post"
+  end
+
+  def inspect
+    "#<Post>"
+  end
 end
 
-class CommentPolicy < Struct.new(:user, :comment); end
-class CommentPolicy::Scope < Struct.new(:user, :scope)
-  def resolve
-    scope
+module Customer
+  class Post < Post
+    def model_name
+      OpenStruct.new(param_key: "customer_post")
+    end
+
+    def policy_class
+      PostPolicy
+    end
+  end
+end
+
+class CommentPolicy < Struct.new(:user, :comment)
+  class Scope < Struct.new(:user, :scope)
+    def resolve
+      scope
+    end
   end
 end
-class Comment; extend ActiveModel::Naming; end
 
-# minimum mock for an ActiveRecord Relation returning comments
+class Comment
+  extend ActiveModel::Naming
+end
+
 class CommentsRelation
-  def initialize(empty=false); @empty=empty; end
-  def blank?; @empty; end
-  def model_name; Comment.model_name; end
+  def initialize(empty = false)
+    @empty = empty
+  end
+
+  def blank?
+    @empty
+  end
+
+  def model_name
+    Comment.model_name
+  end
 end
 
 class Article; end
 
 class BlogPolicy < Struct.new(:user, :blog); end
+
 class Blog; end
+
 class ArtificialBlog < Blog
   def self.policy_class
     BlogPolicy
   end
 end
+
+class ArticleTagOtherNamePolicy < Struct.new(:user, :tag)
+  def show?
+    true
+  end
+
+  def destroy?
+    false
+  end
+end
+
 class ArticleTag
   def self.policy_class
-    Struct.new(:user, :tag) do
-      def show?
-        true
-      end
-      def destroy?
-        false
-      end
-    end
+    ArticleTagOtherNamePolicy
   end
 end
 
 class CriteriaPolicy < Struct.new(:user, :criteria); end
 
 module Project
+  class CommentPolicy < Struct.new(:user, :post); end
   class CriteriaPolicy < Struct.new(:user, :criteria); end
+  class PostPolicy < Struct.new(:user, :post); end
 end
 
 class DenierPolicy < Struct.new(:user, :record)
@@ -127,3 +173,23 @@ class NilClassPolicy
     raise "I'm only here to be annoying!"
   end
 end
+
+class PostFourFiveSix < Struct.new(:user); end
+
+class CommentFourFiveSix; extend ActiveModel::Naming; end
+
+module ProjectOneTwoThree
+  class CommentFourFiveSixPolicy < Struct.new(:user, :post); end
+
+  class CriteriaFourFiveSixPolicy < Struct.new(:user, :criteria); end
+
+  class PostFourFiveSixPolicy < Struct.new(:user, :post); end
+
+  class TagFourFiveSix < Struct.new(:user); end
+
+  class TagFourFiveSixPolicy < Struct.new(:user, :tag); end
+
+  class AvatarFourFiveSix; extend ActiveModel::Naming; end
+
+  class AvatarFourFiveSixPolicy < Struct.new(:user, :avatar); end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pundit
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 1.1.0
 platform: ruby
 authors:
 - Jonas Nicklas
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-05-27 00:00:00.000000000 Z
+date: 2016-01-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -123,6 +123,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Object oriented authorization for Rails applications
 email:
 - jonas.nicklas@gmail.com
@@ -132,7 +146,9 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
+- ".rubocop.yml"
 - ".travis.yml"
+- ".yardopts"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - CONTRIBUTING.md
@@ -178,7 +194,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.6
+rubygems_version: 2.4.8
 signing_key: 
 specification_version: 4
 summary: OO authorization for Rails