pundit 1.1.0 → 2.1.0

data/Rakefile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "rubygems"
 require "bundler/gem_tasks"
 require "rspec/core/rake_task"
@@ -16,4 +18,3 @@ YARD::Rake::YardocTask.new do |t|
 end
 
 task default: :spec
-task default: :rubocop unless RUBY_ENGINE == "rbx"

data/lib/generators/pundit/install/install_generator.rb

@@ -1,7 +1,7 @@
 module Pundit
   module Generators
     class InstallGenerator < ::Rails::Generators::Base
-      source_root File.expand_path(File.join(File.dirname(__FILE__), 'templates'))
+      source_root File.expand_path('templates', __dir__)
 
       def copy_application_policy
         template 'application_policy.rb', 'app/policies/application_policy.rb'

data/lib/generators/pundit/install/templates/application_policy.rb

@@ -11,7 +11,7 @@ class ApplicationPolicy
   end
 
   def show?
-    scope.where(:id => record.id).exists?
+    false
   end
 
   def create?
@@ -34,10 +34,6 @@ class ApplicationPolicy
     false
   end
 
-  def scope
-    Pundit.policy_scope!(user, record.class)
-  end
-
   class Scope
     attr_reader :user, :scope
 
@@ -47,7 +43,7 @@ class ApplicationPolicy
     end
 
     def resolve
-      scope
+      scope.all
     end
   end
 end

data/lib/generators/pundit/policy/policy_generator.rb

@@ -1,7 +1,7 @@
 module Pundit
   module Generators
     class PolicyGenerator < ::Rails::Generators::NamedBase
-      source_root File.expand_path(File.join(File.dirname(__FILE__), 'templates'))
+      source_root File.expand_path('templates', __dir__)
 
       def create_policy
         template 'policy.rb', File.join('app/policies', class_path, "#{file_name}_policy.rb")

data/lib/generators/pundit/policy/templates/policy.rb

@@ -2,7 +2,7 @@
 class <%= class_name %>Policy < ApplicationPolicy
   class Scope < Scope
     def resolve
-      scope
+      scope.all
     end
   end
 end

data/lib/generators/rspec/policy_generator.rb

@@ -1,7 +1,7 @@
 module Rspec
   module Generators
     class PolicyGenerator < ::Rails::Generators::NamedBase
-      source_root File.expand_path(File.join(File.dirname(__FILE__), 'templates'))
+      source_root File.expand_path('templates', __dir__)
 
       def create_policy_spec
         template 'policy_spec.rb', File.join('spec/policies', class_path, "#{file_name}_policy_spec.rb")

data/lib/generators/rspec/templates/policy_spec.rb

@@ -1,7 +1,6 @@
 require '<%= File.exists?('spec/rails_helper.rb') ? 'rails_helper' : 'spec_helper' %>'
 
-RSpec.describe <%= class_name %>Policy do
-
+RSpec.describe <%= class_name %>Policy, type: :policy do
   let(:user) { User.new }
 
   subject { described_class }

data/lib/generators/test_unit/policy_generator.rb

@@ -1,7 +1,7 @@
 module TestUnit
   module Generators
     class PolicyGenerator < ::Rails::Generators::NamedBase
-      source_root File.expand_path(File.join(File.dirname(__FILE__), 'templates'))
+      source_root File.expand_path('templates', __dir__)
 
       def create_policy_test
         template 'policy_test.rb', File.join('test/policies', class_path, "#{file_name}_policy_test.rb")

data/lib/generators/test_unit/templates/policy_test.rb

@@ -1,7 +1,6 @@
 require 'test_helper'
 
 class <%= class_name %>PolicyTest < ActiveSupport::TestCase
-
   def test_scope
   end
 

data/lib/pundit.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "pundit/version"
 require "pundit/policy_finder"
 require "active_support/concern"
@@ -6,17 +8,19 @@ require "active_support/core_ext/object/blank"
 require "active_support/core_ext/module/introspection"
 require "active_support/dependencies/autoload"
 
+# @api private
+# To avoid name clashes with common Error naming when mixing in Pundit,
+# keep it here with compact class style definition.
+class Pundit::Error < StandardError; end # rubocop:disable Style/ClassAndModuleChildren
+
 # @api public
 module Pundit
-  SUFFIX = "Policy"
+  SUFFIX = "Policy".freeze
 
   # @api private
   module Generators; end
 
-  # @api private
-  class Error < StandardError; end
-
-  # Error that will be raiser when authorization has failed
+  # Error that will be raised when authorization has failed
   class NotAuthorizedError < Error
     attr_reader :query, :record, :policy
 
@@ -28,13 +32,16 @@ module Pundit
         @record = options[:record]
         @policy = options[:policy]
 
-        message = options.fetch(:message) { "not allowed to #{query} this #{record.inspect}" }
+        message = options.fetch(:message) { "not allowed to #{query} this #{record.class}" }
       end
 
       super(message)
     end
   end
 
+  # Error that will be raised if a policy or policy scope constructor is not called correctly.
+  class InvalidConstructorError < Error; end
+
   # Error that will be raised if a controller action has not called the
   # `authorize` or `skip_authorization` methods.
   class AuthorizationNotPerformedError < Error; end
@@ -55,61 +62,92 @@ module Pundit
     #
     # @param user [Object] the user that initiated the action
     # @param record [Object] the object we're checking permissions of
-    # @param record [Symbol] the query method to check on the policy (e.g. `:show?`)
+    # @param query [Symbol, String] the predicate method to check on the policy (e.g. `:show?`)
+    # @param policy_class [Class] the policy class we want to force use of
     # @raise [NotAuthorizedError] if the given query method returned false
-    # @return [true] Always returns true
-    def authorize(user, record, query)
-      policy = policy!(user, record)
+    # @return [Object] Always returns the passed object record
+    def authorize(user, record, query, policy_class: nil)
+      policy = policy_class ? policy_class.new(user, record) : policy!(user, record)
 
-      unless policy.public_send(query)
-        raise NotAuthorizedError, query: query, record: record, policy: policy
-      end
+      raise NotAuthorizedError, query: query, record: record, policy: policy unless policy.public_send(query)
 
-      true
+      record
     end
 
     # Retrieves the policy scope for the given record.
     #
-    # @see https://github.com/elabs/pundit#scopes
+    # @see https://github.com/varvet/pundit#scopes
     # @param user [Object] the user that initiated the action
-    # @param record [Object] the object we're retrieving the policy scope for
+    # @param scope [Object] the object we're retrieving the policy scope for
+    # @raise [InvalidConstructorError] if the policy constructor called incorrectly
     # @return [Scope{#resolve}, nil] instance of scope class which can resolve to a scope
     def policy_scope(user, scope)
-      policy_scope = PolicyFinder.new(scope).scope
-      policy_scope.new(user, scope).resolve if policy_scope
+      policy_scope_class = PolicyFinder.new(scope).scope
+      return unless policy_scope_class
+
+      begin
+        policy_scope = policy_scope_class.new(user, pundit_model(scope))
+      rescue ArgumentError
+        raise InvalidConstructorError, "Invalid #<#{policy_scope_class}> constructor is called"
+      end
+
+      policy_scope.resolve
     end
 
     # Retrieves the policy scope for the given record.
     #
-    # @see https://github.com/elabs/pundit#scopes
+    # @see https://github.com/varvet/pundit#scopes
     # @param user [Object] the user that initiated the action
-    # @param record [Object] the object we're retrieving the policy scope for
+    # @param scope [Object] the object we're retrieving the policy scope for
     # @raise [NotDefinedError] if the policy scope cannot be found
+    # @raise [InvalidConstructorError] if the policy constructor called incorrectly
     # @return [Scope{#resolve}] instance of scope class which can resolve to a scope
     def policy_scope!(user, scope)
-      PolicyFinder.new(scope).scope!.new(user, scope).resolve
+      policy_scope_class = PolicyFinder.new(scope).scope!
+      return unless policy_scope_class
+
+      begin
+        policy_scope = policy_scope_class.new(user, pundit_model(scope))
+      rescue ArgumentError
+        raise InvalidConstructorError, "Invalid #<#{policy_scope_class}> constructor is called"
+      end
+
+      policy_scope.resolve
     end
 
     # Retrieves the policy for the given record.
     #
-    # @see https://github.com/elabs/pundit#policies
+    # @see https://github.com/varvet/pundit#policies
     # @param user [Object] the user that initiated the action
     # @param record [Object] the object we're retrieving the policy for
+    # @raise [InvalidConstructorError] if the policy constructor called incorrectly
     # @return [Object, nil] instance of policy class with query methods
     def policy(user, record)
       policy = PolicyFinder.new(record).policy
-      policy.new(user, record) if policy
+      policy.new(user, pundit_model(record)) if policy
+    rescue ArgumentError
+      raise InvalidConstructorError, "Invalid #<#{policy}> constructor is called"
     end
 
     # Retrieves the policy for the given record.
     #
-    # @see https://github.com/elabs/pundit#policies
+    # @see https://github.com/varvet/pundit#policies
     # @param user [Object] the user that initiated the action
     # @param record [Object] the object we're retrieving the policy for
     # @raise [NotDefinedError] if the policy cannot be found
+    # @raise [InvalidConstructorError] if the policy constructor called incorrectly
     # @return [Object] instance of policy class with query methods
     def policy!(user, record)
-      PolicyFinder.new(record).policy!.new(user, record)
+      policy = PolicyFinder.new(record).policy!
+      policy.new(user, pundit_model(record))
+    rescue ArgumentError
+      raise InvalidConstructorError, "Invalid #<#{policy}> constructor is called"
+    end
+
+  private
+
+    def pundit_model(record)
+      record.is_a?(Array) ? record.last : record
     end
   end
 
@@ -127,23 +165,10 @@ module Pundit
       helper_method :pundit_policy_scope
       helper_method :pundit_user
     end
-    if respond_to?(:hide_action)
-      hide_action :policy
-      hide_action :policy_scope
-      hide_action :policies
-      hide_action :policy_scopes
-      hide_action :authorize
-      hide_action :verify_authorized
-      hide_action :verify_policy_scoped
-      hide_action :permitted_attributes
-      hide_action :pundit_user
-      hide_action :skip_authorization
-      hide_action :skip_policy_scope
-      hide_action :pundit_policy_authorized?
-      hide_action :pundit_policy_scoped?
-    end
   end
 
+protected
+
   # @return [Boolean] whether authorization has been performed, i.e. whether
   #                   one {#authorize} or {#skip_authorization} has been called
   def pundit_policy_authorized?
@@ -160,7 +185,7 @@ module Pundit
   # `after_action` filter to prevent programmer error in forgetting to call
   # {#authorize} or {#skip_authorization}.
   #
-  # @see https://github.com/elabs/pundit#ensuring-policies-are-used
+  # @see https://github.com/varvet/pundit#ensuring-policies-and-scopes-are-used
   # @raise [AuthorizationNotPerformedError] if authorization has not been performed
   # @return [void]
   def verify_authorized
@@ -171,7 +196,7 @@ module Pundit
   # `after_action` filter to prevent programmer error in forgetting to call
   # {#policy_scope} or {#skip_policy_scope} in index actions.
   #
-  # @see https://github.com/elabs/pundit#ensuring-policies-are-used
+  # @see https://github.com/varvet/pundit#ensuring-policies-and-scopes-are-used
   # @raise [AuthorizationNotPerformedError] if policy scoping has not been performed
   # @return [void]
   def verify_policy_scoped
@@ -183,26 +208,26 @@ module Pundit
   # authorized to perform the given action.
   #
   # @param record [Object] the object we're checking permissions of
-  # @param record [Symbol, nil] the query method to check on the policy (e.g. `:show?`)
+  # @param query [Symbol, String] the predicate method to check on the policy (e.g. `:show?`).
+  #   If omitted then this defaults to the Rails controller action name.
+  # @param policy_class [Class] the policy class we want to force use of
   # @raise [NotAuthorizedError] if the given query method returned false
-  # @return [true] Always returns true
-  def authorize(record, query = nil)
-    query ||= params[:action].to_s + "?"
+  # @return [Object] Always returns the passed object record
+  def authorize(record, query = nil, policy_class: nil)
+    query ||= "#{action_name}?"
 
     @_pundit_policy_authorized = true
 
-    policy = policy(record)
+    policy = policy_class ? policy_class.new(pundit_user, record) : policy(record)
 
-    unless policy.public_send(query)
-      raise NotAuthorizedError, query: query, record: record, policy: policy
-    end
+    raise NotAuthorizedError, query: query, record: record, policy: policy unless policy.public_send(query)
 
-    true
+    record
   end
 
   # Allow this action not to perform authorization.
   #
-  # @see https://github.com/elabs/pundit#ensuring-policies-are-used
+  # @see https://github.com/varvet/pundit#ensuring-policies-and-scopes-are-used
   # @return [void]
   def skip_authorization
     @_pundit_policy_authorized = true
@@ -210,7 +235,7 @@ module Pundit
 
   # Allow this action not to perform policy scoping.
   #
-  # @see https://github.com/elabs/pundit#ensuring-policies-are-used
+  # @see https://github.com/varvet/pundit#ensuring-policies-and-scopes-are-used
   # @return [void]
   def skip_policy_scope
     @_pundit_policy_scoped = true
@@ -218,17 +243,18 @@ module Pundit
 
   # Retrieves the policy scope for the given record.
   #
-  # @see https://github.com/elabs/pundit#scopes
-  # @param record [Object] the object we're retrieving the policy scope for
+  # @see https://github.com/varvet/pundit#scopes
+  # @param scope [Object] the object we're retrieving the policy scope for
+  # @param policy_scope_class [Class] the policy scope class we want to force use of
   # @return [Scope{#resolve}, nil] instance of scope class which can resolve to a scope
-  def policy_scope(scope)
+  def policy_scope(scope, policy_scope_class: nil)
     @_pundit_policy_scoped = true
-    pundit_policy_scope(scope)
+    policy_scope_class ? policy_scope_class.new(pundit_user, scope).resolve : pundit_policy_scope(scope)
   end
 
   # Retrieves the policy for the given record.
   #
-  # @see https://github.com/elabs/pundit#policies
+  # @see https://github.com/varvet/pundit#policies
   # @param record [Object] the object we're retrieving the policy for
   # @return [Object, nil] instance of policy class with query methods
   def policy(record)
@@ -237,42 +263,55 @@ module Pundit
 
   # Retrieves a set of permitted attributes from the policy by instantiating
   # the policy class for the given record and calling `permitted_attributes` on
-  # it, or `permitted_attributes_for_{action}` if it is defined. It then infers
+  # it, or `permitted_attributes_for_{action}` if `action` is defined. It then infers
   # what key the record should have in the params hash and retrieves the
   # permitted attributes from the params hash under that key.
   #
-  # @see https://github.com/elabs/pundit#strong-parameters
+  # @see https://github.com/varvet/pundit#strong-parameters
   # @param record [Object] the object we're retrieving permitted attributes for
+  # @param action [Symbol, String] the name of the action being performed on the record (e.g. `:update`).
+  #   If omitted then this defaults to the Rails controller action name.
   # @return [Hash{String => Object}] the permitted attributes
-  def permitted_attributes(record, action = params[:action])
-    param_key = PolicyFinder.new(record).param_key
+  def permitted_attributes(record, action = action_name)
     policy = policy(record)
     method_name = if policy.respond_to?("permitted_attributes_for_#{action}")
       "permitted_attributes_for_#{action}"
     else
       "permitted_attributes"
     end
-    params.require(param_key).permit(policy.public_send(method_name))
+    pundit_params_for(record).permit(*policy.public_send(method_name))
+  end
+
+  # Retrieves the params for the given record.
+  #
+  # @param record [Object] the object we're retrieving params for
+  # @return [ActionController::Parameters] the params
+  def pundit_params_for(record)
+    params.require(PolicyFinder.new(record).param_key)
   end
 
   # Cache of policies. You should not rely on this method.
   #
   # @api private
+  # rubocop:disable Naming/MemoizedInstanceVariableName
   def policies
     @_pundit_policies ||= {}
   end
+  # rubocop:enable Naming/MemoizedInstanceVariableName
 
   # Cache of policy scope. You should not rely on this method.
   #
   # @api private
+  # rubocop:disable Naming/MemoizedInstanceVariableName
   def policy_scopes
     @_pundit_policy_scopes ||= {}
   end
+  # rubocop:enable Naming/MemoizedInstanceVariableName
 
   # Hook method which allows customizing which user is passed to policies and
   # scopes initialized by {#authorize}, {#policy} and {#policy_scope}.
   #
-  # @see https://github.com/elabs/pundit#customize-pundit-user
+  # @see https://github.com/varvet/pundit#customize-pundit-user
   # @return [Object] the user object to be used with pundit
   def pundit_user
     current_user

data/lib/pundit/policy_finder.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Pundit
   # Finds policy and scope classes for given object.
   # @api public
@@ -17,75 +19,69 @@ module Pundit
     end
 
     # @return [nil, Scope{#resolve}] scope class which can resolve to a scope
-    # @see https://github.com/elabs/pundit#scopes
+    # @see https://github.com/varvet/pundit#scopes
     # @example
     #   scope = finder.scope #=> UserPolicy::Scope
     #   scope.resolve #=> <#ActiveRecord::Relation ...>
     #
     def scope
-      policy::Scope if policy
-    rescue NameError
-      nil
+      "#{policy}::Scope".safe_constantize
     end
 
     # @return [nil, Class] policy class with query methods
-    # @see https://github.com/elabs/pundit#policies
+    # @see https://github.com/varvet/pundit#policies
     # @example
     #   policy = finder.policy #=> UserPolicy
     #   policy.show? #=> true
     #   policy.update? #=> false
     #
     def policy
-      klass = find
-      klass = klass.constantize if klass.is_a?(String)
-      klass
-    rescue NameError
-      nil
+      klass = find(object)
+      klass.is_a?(String) ? klass.safe_constantize : klass
     end
 
     # @return [Scope{#resolve}] scope class which can resolve to a scope
     # @raise [NotDefinedError] if scope could not be determined
     #
     def scope!
-      raise NotDefinedError, "unable to find policy scope of nil" if object.nil?
-      scope or raise NotDefinedError, "unable to find scope `#{find}::Scope` for `#{object.inspect}`"
+      scope or raise NotDefinedError, "unable to find scope `#{find(object)}::Scope` for `#{object.inspect}`"
     end
 
     # @return [Class] policy class with query methods
     # @raise [NotDefinedError] if policy could not be determined
     #
     def policy!
-      raise NotDefinedError, "unable to find policy of nil" if object.nil?
-      policy or raise NotDefinedError, "unable to find policy `#{find}` for `#{object.inspect}`"
+      policy or raise NotDefinedError, "unable to find policy `#{find(object)}` for `#{object.inspect}`"
     end
 
     # @return [String] the name of the key this object would have in a params hash
     #
     def param_key
-      if object.respond_to?(:model_name)
-        object.model_name.param_key.to_s
-      elsif object.is_a?(Class)
-        object.to_s.demodulize.underscore
+      model = object.is_a?(Array) ? object.last : object
+
+      if model.respond_to?(:model_name)
+        model.model_name.param_key.to_s
+      elsif model.is_a?(Class)
+        model.to_s.demodulize.underscore
       else
-        object.class.to_s.demodulize.underscore
+        model.class.to_s.demodulize.underscore
       end
     end
 
   private
 
-    def find
-      if object.nil?
-        nil
-      elsif object.respond_to?(:policy_class)
-        object.policy_class
-      elsif object.class.respond_to?(:policy_class)
-        object.class.policy_class
+    def find(subject)
+      if subject.is_a?(Array)
+        modules = subject.dup
+        last = modules.pop
+        context = modules.map { |x| find_class_name(x) }.join("::")
+        [context, find(last)].join("::")
+      elsif subject.respond_to?(:policy_class)
+        subject.policy_class
+      elsif subject.class.respond_to?(:policy_class)
+        subject.class.policy_class
       else
-        klass = if object.is_a?(Array)
-          object.map { |x| find_class_name(x) }.join("::")
-        else
-          find_class_name(object)
-        end
+        klass = find_class_name(subject)
         "#{klass}#{SUFFIX}"
       end
     end