pundit 1.1.0 → 2.3.0

data/lib/generators/pundit/policy/templates/policy.rb

@@ -1,9 +1,10 @@
 <% module_namespacing do -%>
 class <%= class_name %>Policy < ApplicationPolicy
   class Scope < Scope
-    def resolve
-      scope
-    end
+    # NOTE: Be explicit about which records you allow access to!
+    # def resolve
+    #   scope.all
+    # end
   end
 end
 <% end -%>

data/lib/generators/rspec/policy_generator.rb

@@ -1,10 +1,12 @@
+# frozen_string_literal: true
+
 module Rspec
   module Generators
     class PolicyGenerator < ::Rails::Generators::NamedBase
-      source_root File.expand_path(File.join(File.dirname(__FILE__), 'templates'))
+      source_root File.expand_path("templates", __dir__)
 
       def create_policy_spec
-        template 'policy_spec.rb', File.join('spec/policies', class_path, "#{file_name}_policy_spec.rb")
+        template "policy_spec.rb", File.join("spec/policies", class_path, "#{file_name}_policy_spec.rb")
       end
     end
   end

data/lib/generators/rspec/templates/policy_spec.rb

@@ -1,7 +1,6 @@
 require '<%= File.exists?('spec/rails_helper.rb') ? 'rails_helper' : 'spec_helper' %>'
 
-RSpec.describe <%= class_name %>Policy do
-
+RSpec.describe <%= class_name %>Policy, type: :policy do
   let(:user) { User.new }
 
   subject { described_class }

data/lib/generators/test_unit/policy_generator.rb

@@ -1,10 +1,12 @@
+# frozen_string_literal: true
+
 module TestUnit
   module Generators
     class PolicyGenerator < ::Rails::Generators::NamedBase
-      source_root File.expand_path(File.join(File.dirname(__FILE__), 'templates'))
+      source_root File.expand_path("templates", __dir__)
 
       def create_policy_test
-        template 'policy_test.rb', File.join('test/policies', class_path, "#{file_name}_policy_test.rb")
+        template "policy_test.rb", File.join("test/policies", class_path, "#{file_name}_policy_test.rb")
       end
     end
   end

data/lib/generators/test_unit/templates/policy_test.rb

@@ -1,7 +1,6 @@
 require 'test_helper'
 
 class <%= class_name %>PolicyTest < ActiveSupport::TestCase
-
   def test_scope
   end
 

data/lib/pundit/authorization.rb

@@ -0,0 +1,168 @@
+# frozen_string_literal: true
+
+module Pundit
+  module Authorization
+    extend ActiveSupport::Concern
+
+    included do
+      helper Helper if respond_to?(:helper)
+      if respond_to?(:helper_method)
+        helper_method :policy
+        helper_method :pundit_policy_scope
+        helper_method :pundit_user
+      end
+    end
+
+    protected
+
+    # @return [Boolean] whether authorization has been performed, i.e. whether
+    #                   one {#authorize} or {#skip_authorization} has been called
+    def pundit_policy_authorized?
+      !!@_pundit_policy_authorized
+    end
+
+    # @return [Boolean] whether policy scoping has been performed, i.e. whether
+    #                   one {#policy_scope} or {#skip_policy_scope} has been called
+    def pundit_policy_scoped?
+      !!@_pundit_policy_scoped
+    end
+
+    # Raises an error if authorization has not been performed, usually used as an
+    # `after_action` filter to prevent programmer error in forgetting to call
+    # {#authorize} or {#skip_authorization}.
+    #
+    # @see https://github.com/varvet/pundit#ensuring-policies-and-scopes-are-used
+    # @raise [AuthorizationNotPerformedError] if authorization has not been performed
+    # @return [void]
+    def verify_authorized
+      raise AuthorizationNotPerformedError, self.class unless pundit_policy_authorized?
+    end
+
+    # Raises an error if policy scoping has not been performed, usually used as an
+    # `after_action` filter to prevent programmer error in forgetting to call
+    # {#policy_scope} or {#skip_policy_scope} in index actions.
+    #
+    # @see https://github.com/varvet/pundit#ensuring-policies-and-scopes-are-used
+    # @raise [AuthorizationNotPerformedError] if policy scoping has not been performed
+    # @return [void]
+    def verify_policy_scoped
+      raise PolicyScopingNotPerformedError, self.class unless pundit_policy_scoped?
+    end
+
+    # Retrieves the policy for the given record, initializing it with the record
+    # and current user and finally throwing an error if the user is not
+    # authorized to perform the given action.
+    #
+    # @param record [Object, Array] the object we're checking permissions of
+    # @param query [Symbol, String] the predicate method to check on the policy (e.g. `:show?`).
+    #   If omitted then this defaults to the Rails controller action name.
+    # @param policy_class [Class] the policy class we want to force use of
+    # @raise [NotAuthorizedError] if the given query method returned false
+    # @return [Object] Always returns the passed object record
+    def authorize(record, query = nil, policy_class: nil)
+      query ||= "#{action_name}?"
+
+      @_pundit_policy_authorized = true
+
+      Pundit.authorize(pundit_user, record, query, policy_class: policy_class, cache: policies)
+    end
+
+    # Allow this action not to perform authorization.
+    #
+    # @see https://github.com/varvet/pundit#ensuring-policies-and-scopes-are-used
+    # @return [void]
+    def skip_authorization
+      @_pundit_policy_authorized = :skipped
+    end
+
+    # Allow this action not to perform policy scoping.
+    #
+    # @see https://github.com/varvet/pundit#ensuring-policies-and-scopes-are-used
+    # @return [void]
+    def skip_policy_scope
+      @_pundit_policy_scoped = :skipped
+    end
+
+    # Retrieves the policy scope for the given record.
+    #
+    # @see https://github.com/varvet/pundit#scopes
+    # @param scope [Object] the object we're retrieving the policy scope for
+    # @param policy_scope_class [Class] the policy scope class we want to force use of
+    # @return [Scope{#resolve}, nil] instance of scope class which can resolve to a scope
+    def policy_scope(scope, policy_scope_class: nil)
+      @_pundit_policy_scoped = true
+      policy_scope_class ? policy_scope_class.new(pundit_user, scope).resolve : pundit_policy_scope(scope)
+    end
+
+    # Retrieves the policy for the given record.
+    #
+    # @see https://github.com/varvet/pundit#policies
+    # @param record [Object] the object we're retrieving the policy for
+    # @return [Object, nil] instance of policy class with query methods
+    def policy(record)
+      policies[record] ||= Pundit.policy!(pundit_user, record)
+    end
+
+    # Retrieves a set of permitted attributes from the policy by instantiating
+    # the policy class for the given record and calling `permitted_attributes` on
+    # it, or `permitted_attributes_for_{action}` if `action` is defined. It then infers
+    # what key the record should have in the params hash and retrieves the
+    # permitted attributes from the params hash under that key.
+    #
+    # @see https://github.com/varvet/pundit#strong-parameters
+    # @param record [Object] the object we're retrieving permitted attributes for
+    # @param action [Symbol, String] the name of the action being performed on the record (e.g. `:update`).
+    #   If omitted then this defaults to the Rails controller action name.
+    # @return [Hash{String => Object}] the permitted attributes
+    def permitted_attributes(record, action = action_name)
+      policy = policy(record)
+      method_name = if policy.respond_to?("permitted_attributes_for_#{action}")
+        "permitted_attributes_for_#{action}"
+      else
+        "permitted_attributes"
+      end
+      pundit_params_for(record).permit(*policy.public_send(method_name))
+    end
+
+    # Retrieves the params for the given record.
+    #
+    # @param record [Object] the object we're retrieving params for
+    # @return [ActionController::Parameters] the params
+    def pundit_params_for(record)
+      params.require(PolicyFinder.new(record).param_key)
+    end
+
+    # Cache of policies. You should not rely on this method.
+    #
+    # @api private
+    # rubocop:disable Naming/MemoizedInstanceVariableName
+    def policies
+      @_pundit_policies ||= {}
+    end
+    # rubocop:enable Naming/MemoizedInstanceVariableName
+
+    # Cache of policy scope. You should not rely on this method.
+    #
+    # @api private
+    # rubocop:disable Naming/MemoizedInstanceVariableName
+    def policy_scopes
+      @_pundit_policy_scopes ||= {}
+    end
+    # rubocop:enable Naming/MemoizedInstanceVariableName
+
+    # Hook method which allows customizing which user is passed to policies and
+    # scopes initialized by {#authorize}, {#policy} and {#policy_scope}.
+    #
+    # @see https://github.com/varvet/pundit#customize-pundit-user
+    # @return [Object] the user object to be used with pundit
+    def pundit_user
+      current_user
+    end
+
+    private
+
+    def pundit_policy_scope(scope)
+      policy_scopes[scope] ||= Pundit.policy_scope!(pundit_user, scope)
+    end
+  end
+end

data/lib/pundit/policy_finder.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Pundit
   # Finds policy and scope classes for given object.
   # @api public
@@ -17,75 +19,69 @@ module Pundit
     end
 
     # @return [nil, Scope{#resolve}] scope class which can resolve to a scope
-    # @see https://github.com/elabs/pundit#scopes
+    # @see https://github.com/varvet/pundit#scopes
     # @example
     #   scope = finder.scope #=> UserPolicy::Scope
     #   scope.resolve #=> <#ActiveRecord::Relation ...>
     #
     def scope
-      policy::Scope if policy
-    rescue NameError
-      nil
+      "#{policy}::Scope".safe_constantize
     end
 
     # @return [nil, Class] policy class with query methods
-    # @see https://github.com/elabs/pundit#policies
+    # @see https://github.com/varvet/pundit#policies
     # @example
     #   policy = finder.policy #=> UserPolicy
     #   policy.show? #=> true
     #   policy.update? #=> false
     #
     def policy
-      klass = find
-      klass = klass.constantize if klass.is_a?(String)
-      klass
-    rescue NameError
-      nil
+      klass = find(object)
+      klass.is_a?(String) ? klass.safe_constantize : klass
     end
 
     # @return [Scope{#resolve}] scope class which can resolve to a scope
     # @raise [NotDefinedError] if scope could not be determined
     #
     def scope!
-      raise NotDefinedError, "unable to find policy scope of nil" if object.nil?
-      scope or raise NotDefinedError, "unable to find scope `#{find}::Scope` for `#{object.inspect}`"
+      scope or raise NotDefinedError, "unable to find scope `#{find(object)}::Scope` for `#{object.inspect}`"
     end
 
     # @return [Class] policy class with query methods
     # @raise [NotDefinedError] if policy could not be determined
     #
     def policy!
-      raise NotDefinedError, "unable to find policy of nil" if object.nil?
-      policy or raise NotDefinedError, "unable to find policy `#{find}` for `#{object.inspect}`"
+      policy or raise NotDefinedError, "unable to find policy `#{find(object)}` for `#{object.inspect}`"
     end
 
     # @return [String] the name of the key this object would have in a params hash
     #
     def param_key
-      if object.respond_to?(:model_name)
-        object.model_name.param_key.to_s
-      elsif object.is_a?(Class)
-        object.to_s.demodulize.underscore
+      model = object.is_a?(Array) ? object.last : object
+
+      if model.respond_to?(:model_name)
+        model.model_name.param_key.to_s
+      elsif model.is_a?(Class)
+        model.to_s.demodulize.underscore
       else
-        object.class.to_s.demodulize.underscore
+        model.class.to_s.demodulize.underscore
       end
     end
 
-  private
+    private
 
-    def find
-      if object.nil?
-        nil
-      elsif object.respond_to?(:policy_class)
-        object.policy_class
-      elsif object.class.respond_to?(:policy_class)
-        object.class.policy_class
+    def find(subject)
+      if subject.is_a?(Array)
+        modules = subject.dup
+        last = modules.pop
+        context = modules.map { |x| find_class_name(x) }.join("::")
+        [context, find(last)].join("::")
+      elsif subject.respond_to?(:policy_class)
+        subject.policy_class
+      elsif subject.class.respond_to?(:policy_class)
+        subject.class.policy_class
       else
-        klass = if object.is_a?(Array)
-          object.map { |x| find_class_name(x) }.join("::")
-        else
-          find_class_name(object)
-        end
+        klass = find_class_name(subject)
         "#{klass}#{SUFFIX}"
       end
     end

data/lib/pundit/rspec.rb

@@ -1,14 +1,15 @@
-require "active_support/core_ext/array/conversions"
+# frozen_string_literal: true
 
 module Pundit
   module RSpec
     module Matchers
       extend ::RSpec::Matchers::DSL
 
+      # rubocop:disable Metrics/BlockLength
       matcher :permit do |user, record|
         match_proc = lambda do |policy|
           @violating_permissions = permissions.find_all do |permission|
-            not policy.new(user, record).public_send(permission)
+            !policy.new(user, record).public_send(permission)
           end
           @violating_permissions.empty?
         end
@@ -22,14 +23,14 @@ module Pundit
 
         failure_message_proc = lambda do |policy|
           was_were = @violating_permissions.count > 1 ? "were" : "was"
-          "Expected #{policy} to grant #{permissions.to_sentence} on \
-          #{record} but #{@violating_permissions.to_sentence} #{was_were} not granted"
+          "Expected #{policy} to grant #{permissions.to_sentence} on " \
+          "#{record} but #{@violating_permissions.to_sentence} #{was_were} not granted"
         end
 
         failure_message_when_negated_proc = lambda do |policy|
           was_were = @violating_permissions.count > 1 ? "were" : "was"
-          "Expected #{policy} not to grant #{permissions.to_sentence} on \
-          #{record} but #{@violating_permissions.to_sentence} #{was_were} granted"
+          "Expected #{policy} not to grant #{permissions.to_sentence} on " \
+          "#{record} but #{@violating_permissions.to_sentence} #{was_were} granted"
         end
 
         if respond_to?(:match_when_negated)
@@ -49,6 +50,7 @@ module Pundit
           current_example.metadata[:permissions]
         end
       end
+      # rubocop:enable Metrics/BlockLength
     end
 
     module DSL
@@ -70,15 +72,9 @@ module Pundit
 end
 
 RSpec.configure do |config|
-  if RSpec::Core::Version::STRING.split(".").first.to_i >= 3
-    config.include(Pundit::RSpec::PolicyExampleGroup,
-      type: :policy,
-      file_path: %r{spec/policies}
-    )
-  else
-    config.include(Pundit::RSpec::PolicyExampleGroup,
-      type: :policy,
-      example_group: { file_path: %r{spec/policies} }
-    )
-  end
+  config.include(
+    Pundit::RSpec::PolicyExampleGroup,
+    type: :policy,
+    file_path: %r{spec/policies}
+  )
 end

data/lib/pundit/version.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Pundit
-  VERSION = "1.1.0"
+  VERSION = "2.3.0"
 end