pundit 2.0.0 → 2.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6b973703e2b1653c804d138fb24c204807e41885a81f5b172656d032d7c2a75a
-  data.tar.gz: 01211cab222a4c16f274e041c074b2d2a1763a4943ab26b6dba938272297a48d
+  metadata.gz: def6c710d9f9d1705ca43cdad9364bb34ce5d878b8a3a9bf26d336802e40efeb
+  data.tar.gz: 0d6618cb61dfef8ae18f811a73b3f059d9945f8def7f9b2f794ae095b3a0f0cf
 SHA512:
-  metadata.gz: 812528978ec4e8d3322af071c3ebd5b31f4123be449d3fe9bfea1e1fd2845704e0fee308d4cdd6e787636987b1d7a03527f8eae5fe5968483a1f4c5f751b40ef
-  data.tar.gz: c433160a559102336b9a268ec1311a47e8f54e427ad8618b048634435259612a92d9b9187fefb6d7cc4a1ce5576a37f3e51b7adad1e3773d21c2bb6e9827c26f
+  metadata.gz: 7105cd0a84469071de9211e19f7e7a31f4ea8b5283d7b1ed007b6533805de18d105c09128a9936144612f3daa8fadfdf0698f7448d8db94e47bb459efaa11c4b
+  data.tar.gz: 3805e2664f21f30c66e9a9a05606f0d0d18b1607137e794948c7907bd33c6d6e64a45b9abb97d2f1a21df0d46497ff708679442807e152fa167abc461c8c0abe

data/.gitignore

@@ -2,6 +2,7 @@
 *.rbc
 .bundle
 .config
+.coverage
 .yardoc
 Gemfile.lock
 InstalledFiles

data/.rubocop.yml

@@ -1,10 +1,7 @@
 AllCops:
-  DisplayCopNames: true
-  TargetRubyVersion: 2.1
+  TargetRubyVersion: 2.6
   Exclude:
-    - "gemfiles/**/*"
-    - "vendor/**/*"
-    - "lib/generators/**/*"
+    - "lib/generators/**/templates/**/*"
 
 Metrics/BlockLength:
   Exclude:
@@ -30,33 +27,9 @@ Metrics/CyclomaticComplexity:
 Metrics/PerceivedComplexity:
   Enabled: false
 
-Style/StructInheritance:
-  Enabled: false
-
 Layout/AlignParameters:
   EnforcedStyle: with_fixed_indentation
 
-Style/StringLiterals:
-  EnforcedStyle: double_quotes
-
-Style/StringLiteralsInInterpolation:
-  EnforcedStyle: double_quotes
-
-Layout/ClosingParenthesisIndentation:
-  Enabled: false
-
-Style/OneLineConditional:
-  Enabled: false
-
-Style/AndOr:
-  Enabled: false
-
-Style/Not:
-  Enabled: false
-
-Documentation:
-  Enabled: false # TODO: Enable again once we have more docs
-
 Layout/CaseIndentation:
   EnforcedStyle: case
   SupportedStyles:
@@ -64,40 +37,31 @@ Layout/CaseIndentation:
     - end
   IndentOneStep: true
 
+Layout/EndAlignment:
+  EnforcedStyleAlignWith: variable
+
 Style/PercentLiteralDelimiters:
   PreferredDelimiters:
     '%w': "[]"
     '%W': "[]"
 
-Layout/AccessModifierIndentation:
-  EnforcedStyle: outdent
-
-Style/SignalException:
-  Enabled: false
-
-Layout/IndentationWidth:
-  Enabled: false
-
-Style/TrivialAccessors:
-  ExactNameMatch: true
-
-Layout/EndAlignment:
-  EnforcedStyleAlignWith: variable
-
-Layout/DefEndAlignment:
-  Enabled: false
+Style/StringLiterals:
+  EnforcedStyle: double_quotes
 
-Lint/HandleExceptions:
-  Enabled: false
+Style/StringLiteralsInInterpolation:
+  EnforcedStyle: double_quotes
 
-Style/SpecialGlobalVars:
+Style/StructInheritance:
   Enabled: false
 
-Style/TrivialAccessors:
+Style/AndOr:
   Enabled: false
 
-Layout/IndentHash:
+Style/Not:
   Enabled: false
 
 Style/DoubleNegation:
   Enabled: false
+
+Documentation:
+  Enabled: false # TODO: Enable again once we have more docs

data/.travis.yml

@@ -1,21 +1,25 @@
 language: ruby
-sudo: false
-before_install:
-  - gem update --system
-  - gem install bundler
+dist: focal
 
 matrix:
   include:
-    - rvm: 2.5.1
+    - name: "RuboCop lint on pre-installed Ruby version"
+      rvm: 2.7.1 # Pre-installed Ruby version
+      before_install:
+        - gem install bundler
       script: bundle exec rake rubocop # ONLY lint once, first
-    - rvm: 2.1
-    - rvm: 2.2.8
-    - rvm: 2.3.5
-    - rvm: 2.4.2
-    - rvm: 2.5.1
-    - rvm: jruby-9.1.8.0
-      env:
-        - JRUBY_OPTS="--debug"
-    - rvm: jruby-9.2.0.0
+    - rvm: 2.6.7
+      before_script:
+        - curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter
+        - chmod +x ./cc-test-reporter
+        - ./cc-test-reporter before-build
+      after_script:
+        - ./cc-test-reporter after-build --exit-code $TRAVIS_TEST_RESULT
+    - rvm: 2.7.3
+    - rvm: 3.0.1
+    - rvm: jruby-9.2.17.0
       env:
         - JRUBY_OPTS="--debug"
+    - rvm: truffleruby-head
+  allow_failures:
+    - rvm: truffleruby-head

data/CHANGELOG.md

@@ -1,21 +1,74 @@
 # Pundit
 
+## Unreleased
+
+## 2.1.1 (2021-08-13)
+
+Friday 13th-release!
+
+Careful! The bugfix below (#626) could break existing code. If you rely on the
+return value for `authorize` and namespaced policies you might need to do some
+changes.
+
+### Fixed
+
+- `.authorize` and `#authorize` return the instance, even for namespaced
+  policies (#626)
+
+### Changed
+
+- Generate application scope with `protected` attr_readers. (#616)
+
+### Removed
+
+- Dropped support for Ruby end-of-life versions: 2.1 and 2.2. (#604)
+- Dropped support for Ruby end-of-life versions: 2.3 (#633)
+- Dropped support for Ruby end-of-life versions: 2.4, 2.5 and JRuby 9.1 (#676)
+- Dropped support for RSpec 2 (#615)
+
+## 2.1.0 (2019-08-14)
+
+### Fixed
+
+- Avoid name clashes with the Error class. (#590)
+
+### Changed
+
+- Return a safer default NotAuthorizedError message. (#583)
+
+## 2.0.1 (2019-01-18)
+
+### Breaking changes
+
+None
+
+### Other changes
+
+- Improve exception handling for `#policy_scope` and `#policy_scope!`. (#550)
+- Add `:policy` metadata to RSpec template. (#566)
+
 ## 2.0.0 (2018-07-21)
 
 No changes since beta1
 
 ## 2.0.0.beta1 (2018-07-04)
 
+### Breaking changes
+
+- Only pass last element of "namespace array" to policy and scope. (#529)
+- Raise `InvalidConstructorError` if a policy or policy scope with an invalid constructor is called. (#462)
+- Return passed object from `#authorize` method to make chaining possible. (#385)
+
+### Other changes
+
 - Add `policy_class` option to `authorize` to be able to override the policy. (#441)
 - Add `policy_scope_class` option to `authorize` to be able to override the policy scope. (#441)
 - Fix `param_key` issue when passed an array. (#529)
-- Only pass last element of "namespace array" to policy and scope. (#529)
 - Allow specification of a `NilClassPolicy`. (#525)
 - Make sure `policy_class` override is called when passed an array. (#475)
-- Raise `InvalidConstructorError` if a policy or policy scope with an invalid constructor is called. (#462)
+
 - Use `action_name` instead of `params[:action]`. (#419)
 - Add `pundit_params_for` method to make it easy to customize params fetching. (#502)
-- Return passed object from `#authorize` method to make chaining possible. (#385)
 
 ## 1.1.0 (2016-01-14)
 

data/Gemfile

@@ -1,16 +1,7 @@
+# frozen_string_literal: true
+
 source "https://rubygems.org"
 
 ruby RUBY_VERSION
 
 gemspec
-
-group :development, :test do
-  gem "actionpack"
-  gem "activemodel"
-  gem "bundler"
-  gem "pry"
-  gem "rake"
-  gem "rspec"
-  gem "rubocop"
-  gem "yard"
-end

data/LICENSE.txt

@@ -1,4 +1,4 @@
-Copyright (c) 2012 Jonas Nicklas, Elabs AB
+Copyright (c) 2019 Jonas Nicklas, Varvet AB
 
 MIT License
 

data/README.md

@@ -7,7 +7,7 @@
 
 Pundit provides a set of helpers which guide you in leveraging regular Ruby
 classes and object oriented design patterns to build a simple, robust and
-scaleable authorization system.
+scalable authorization system.
 
 Links:
 
@@ -31,7 +31,6 @@ Include Pundit in your application controller:
 ``` ruby
 class ApplicationController < ActionController::Base
   include Pundit
-  protect_from_forgery
 end
 ```
 
@@ -61,7 +60,7 @@ class PostPolicy
   end
 
   def update?
-    user.admin? or not post.published?
+    user.admin? || !post.published?
   end
 end
 ```
@@ -165,13 +164,18 @@ def admin_list
 end
 ```
 
-`authorize` returns the object passed to it, so you can chain it like this:
+`authorize` returns the instance passed to it, so you can chain it like this:
 
 Controller:
 ```ruby
 def show
   @user = authorize User.find(params[:id])
 end
+
+# return the record even for namespaced policies
+def show
+  @user = authorize [:admin, User.find(params[:id])]
+end
 ```
 
 You can easily get a hold of an instance of the policy through the `policy`
@@ -195,6 +199,10 @@ class DashboardPolicy < Struct.new(:user, :dashboard)
 end
 ```
 
+Note that the headless policy still needs to accept two arguments. The
+second argument will just be the symbol `:dashboard` in this case which
+is what is passed as the record to `authorize` below.
+
 ```ruby
 # In controllers
 authorize :dashboard, :show?
@@ -216,8 +224,6 @@ define a class called a policy scope. It can look something like this:
 ``` ruby
 class PostPolicy < ApplicationPolicy
   class Scope
-    attr_reader :user, :scope
-
     def initialize(user, scope)
       @user  = user
       @scope = scope
@@ -230,6 +236,10 @@ class PostPolicy < ApplicationPolicy
         scope.where(published: true)
       end
     end
+
+    private
+
+    attr_reader :user, :scope
   end
 
   def update?
@@ -292,13 +302,11 @@ def index
 end
 ```
 
-Just as with your policy, this will automatically infer that you want to use
-the `PostPolicy::Scope` class, it will instantiate this class and call
-`resolve` on the instance. In this case it is a shortcut for doing:
+In this case it is a shortcut for doing:
 
 ``` ruby
 def index
-  @posts = PostPolicy::Scope.new(current_user, Post).resolve
+  @publications = PublicationPolicy::Scope.new(current_user, Post).resolve
 end
 ```
 
@@ -387,6 +395,16 @@ class Post
 end
 ```
 
+Alternatively, you can declare an instance method:
+
+``` ruby
+class Post
+  def policy_class
+    PostablePolicy
+  end
+end
+```
+
 ## Just plain old Ruby
 
 As you can see, Pundit doesn't do anything you couldn't have easily done
@@ -472,7 +490,6 @@ method in every controller.
 
 ```ruby
 class ApplicationController < ActionController::Base
-  protect_from_forgery
   include Pundit
 
   rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
@@ -593,8 +610,7 @@ class Admin::PostController < AdminController
   end
 
   def show
-    post = Post.find(params[:id])
-    authorize(post)
+    post = authorize Post.find(params[:id])
   end
 end
 ```
@@ -637,9 +653,8 @@ end
 
 ## Strong parameters
 
-In Rails 4 (or Rails 3.2 with the
-[strong_parameters](https://github.com/rails/strong_parameters) gem),
-mass-assignment protection is handled in the controller.  With Pundit you can
+In Rails,
+mass-assignment protection is handled in the controller. With Pundit you can
 control which attributes a user has access to update via your policies. You can
 set up a `permitted_attributes` method in your policy like this:
 
@@ -778,9 +793,14 @@ Pundit does not provide a DSL for testing scopes. Just test it like a regular Ru
 - [RailsApps Example Application: Pundit and Devise](https://github.com/RailsApps/rails-devise-pundit)
 - [Migrating to Pundit from CanCan](http://blog.carbonfive.com/2013/10/21/migrating-to-pundit-from-cancan/)
 - [Testing Pundit Policies with RSpec](http://thunderboltlabs.com/blog/2013/03/27/testing-pundit-policies-with-rspec/)
+- [Testing Pundit with Minitest](https://github.com/varvet/pundit/issues/204#issuecomment-60166450)
 - [Using Pundit outside of a Rails controller](https://github.com/varvet/pundit/pull/136)
 - [Straightforward Rails Authorization with Pundit](http://www.sitepoint.com/straightforward-rails-authorization-with-pundit/)
 
+## Other implementations
+
+- [Flask-Pundit](https://github.com/anurag90x/flask-pundit) (Python) is a [Flask](http://flask.pocoo.org/) extension "heavily inspired by" Pundit
+
 # License
 
 Licensed under the MIT license, see the separate LICENSE.txt file.

data/Rakefile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "rubygems"
 require "bundler/gem_tasks"
 require "rspec/core/rake_task"

data/lib/generators/pundit/install/install_generator.rb

@@ -1,10 +1,12 @@
+# frozen_string_literal: true
+
 module Pundit
   module Generators
     class InstallGenerator < ::Rails::Generators::Base
-      source_root File.expand_path('templates', __dir__)
+      source_root File.expand_path("templates", __dir__)
 
       def copy_application_policy
-        template 'application_policy.rb', 'app/policies/application_policy.rb'
+        template "application_policy.rb", "app/policies/application_policy.rb"
       end
     end
   end

data/lib/generators/pundit/install/templates/application_policy.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class ApplicationPolicy
   attr_reader :user, :record
 
@@ -35,8 +37,6 @@ class ApplicationPolicy
   end
 
   class Scope
-    attr_reader :user, :scope
-
     def initialize(user, scope)
       @user = user
       @scope = scope
@@ -45,5 +45,9 @@ class ApplicationPolicy
     def resolve
       scope.all
     end
+
+    private
+
+    attr_reader :user, :scope
   end
 end

data/lib/generators/pundit/policy/policy_generator.rb

@@ -1,10 +1,12 @@
+# frozen_string_literal: true
+
 module Pundit
   module Generators
     class PolicyGenerator < ::Rails::Generators::NamedBase
-      source_root File.expand_path('templates', __dir__)
+      source_root File.expand_path("templates", __dir__)
 
       def create_policy
-        template 'policy.rb', File.join('app/policies', class_path, "#{file_name}_policy.rb")
+        template "policy.rb", File.join("app/policies", class_path, "#{file_name}_policy.rb")
       end
 
       hook_for :test_framework

data/lib/generators/rspec/policy_generator.rb

@@ -1,10 +1,12 @@
+# frozen_string_literal: true
+
 module Rspec
   module Generators
     class PolicyGenerator < ::Rails::Generators::NamedBase
-      source_root File.expand_path('templates', __dir__)
+      source_root File.expand_path("templates", __dir__)
 
       def create_policy_spec
-        template 'policy_spec.rb', File.join('spec/policies', class_path, "#{file_name}_policy_spec.rb")
+        template "policy_spec.rb", File.join("spec/policies", class_path, "#{file_name}_policy_spec.rb")
       end
     end
   end

data/lib/generators/rspec/templates/policy_spec.rb

@@ -1,6 +1,6 @@
 require '<%= File.exists?('spec/rails_helper.rb') ? 'rails_helper' : 'spec_helper' %>'
 
-RSpec.describe <%= class_name %>Policy do
+RSpec.describe <%= class_name %>Policy, type: :policy do
   let(:user) { User.new }
 
   subject { described_class }

data/lib/generators/test_unit/policy_generator.rb

@@ -1,10 +1,12 @@
+# frozen_string_literal: true
+
 module TestUnit
   module Generators
     class PolicyGenerator < ::Rails::Generators::NamedBase
-      source_root File.expand_path('templates', __dir__)
+      source_root File.expand_path("templates", __dir__)
 
       def create_policy_test
-        template 'policy_test.rb', File.join('test/policies', class_path, "#{file_name}_policy_test.rb")
+        template "policy_test.rb", File.join("test/policies", class_path, "#{file_name}_policy_test.rb")
       end
     end
   end

data/lib/pundit/policy_finder.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Pundit
   # Finds policy and scope classes for given object.
   # @api public
@@ -66,7 +68,7 @@ module Pundit
       end
     end
 
-  private
+    private
 
     def find(subject)
       if subject.is_a?(Array)

data/lib/pundit/rspec.rb

@@ -1,4 +1,4 @@
-require "active_support/core_ext/array/conversions"
+# frozen_string_literal: true
 
 module Pundit
   module RSpec
@@ -72,17 +72,9 @@ module Pundit
 end
 
 RSpec.configure do |config|
-  if RSpec::Core::Version::STRING.split(".").first.to_i >= 3
-    config.include(
-      Pundit::RSpec::PolicyExampleGroup,
-      type: :policy,
-      file_path: %r{spec/policies}
-    )
-  else
-    config.include(
-      Pundit::RSpec::PolicyExampleGroup,
-      type: :policy,
-      example_group: { file_path: %r{spec/policies} }
-    )
-  end
+  config.include(
+    Pundit::RSpec::PolicyExampleGroup,
+    type: :policy,
+    file_path: %r{spec/policies}
+  )
 end

data/lib/pundit/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Pundit
-  VERSION = "2.0.0".freeze
+  VERSION = "2.1.1"
 end

data/lib/pundit.rb

@@ -8,16 +8,18 @@ require "active_support/core_ext/object/blank"
 require "active_support/core_ext/module/introspection"
 require "active_support/dependencies/autoload"
 
+# @api private
+# To avoid name clashes with common Error naming when mixing in Pundit,
+# keep it here with compact class style definition.
+class Pundit::Error < StandardError; end # rubocop:disable Style/ClassAndModuleChildren
+
 # @api public
 module Pundit
-  SUFFIX = "Policy".freeze
+  SUFFIX = "Policy"
 
   # @api private
   module Generators; end
 
-  # @api private
-  class Error < StandardError; end
-
   # Error that will be raised when authorization has failed
   class NotAuthorizedError < Error
     attr_reader :query, :record, :policy
@@ -30,7 +32,7 @@ module Pundit
         @record = options[:record]
         @policy = options[:policy]
 
-        message = options.fetch(:message) { "not allowed to #{query} this #{record.inspect}" }
+        message = options.fetch(:message) { "not allowed to #{query} this #{record.class}" }
       end
 
       super(message)
@@ -69,7 +71,7 @@ module Pundit
 
       raise NotAuthorizedError, query: query, record: record, policy: policy unless policy.public_send(query)
 
-      record
+      record.is_a?(Array) ? record.last : record
     end
 
     # Retrieves the policy scope for the given record.
@@ -80,10 +82,16 @@ module Pundit
     # @raise [InvalidConstructorError] if the policy constructor called incorrectly
     # @return [Scope{#resolve}, nil] instance of scope class which can resolve to a scope
     def policy_scope(user, scope)
-      policy_scope = PolicyFinder.new(scope).scope
-      policy_scope.new(user, pundit_model(scope)).resolve if policy_scope
-    rescue ArgumentError
-      raise InvalidConstructorError, "Invalid #<#{policy_scope}> constructor is called"
+      policy_scope_class = PolicyFinder.new(scope).scope
+      return unless policy_scope_class
+
+      begin
+        policy_scope = policy_scope_class.new(user, pundit_model(scope))
+      rescue ArgumentError
+        raise InvalidConstructorError, "Invalid #<#{policy_scope_class}> constructor is called"
+      end
+
+      policy_scope.resolve
     end
 
     # Retrieves the policy scope for the given record.
@@ -95,10 +103,16 @@ module Pundit
     # @raise [InvalidConstructorError] if the policy constructor called incorrectly
     # @return [Scope{#resolve}] instance of scope class which can resolve to a scope
     def policy_scope!(user, scope)
-      policy_scope = PolicyFinder.new(scope).scope!
-      policy_scope.new(user, pundit_model(scope)).resolve
-    rescue ArgumentError
-      raise InvalidConstructorError, "Invalid #<#{policy_scope}> constructor is called"
+      policy_scope_class = PolicyFinder.new(scope).scope!
+      return unless policy_scope_class
+
+      begin
+        policy_scope = policy_scope_class.new(user, pundit_model(scope))
+      rescue ArgumentError
+        raise InvalidConstructorError, "Invalid #<#{policy_scope_class}> constructor is called"
+      end
+
+      policy_scope.resolve
     end
 
     # Retrieves the policy for the given record.
@@ -110,7 +124,7 @@ module Pundit
     # @return [Object, nil] instance of policy class with query methods
     def policy(user, record)
       policy = PolicyFinder.new(record).policy
-      policy.new(user, pundit_model(record)) if policy
+      policy&.new(user, pundit_model(record))
     rescue ArgumentError
       raise InvalidConstructorError, "Invalid #<#{policy}> constructor is called"
     end
@@ -130,7 +144,7 @@ module Pundit
       raise InvalidConstructorError, "Invalid #<#{policy}> constructor is called"
     end
 
-  private
+    private
 
     def pundit_model(record)
       record.is_a?(Array) ? record.last : record
@@ -153,7 +167,7 @@ module Pundit
     end
   end
 
-protected
+  protected
 
   # @return [Boolean] whether authorization has been performed, i.e. whether
   #                   one {#authorize} or {#skip_authorization} has been called
@@ -208,7 +222,7 @@ protected
 
     raise NotAuthorizedError, query: query, record: record, policy: policy unless policy.public_send(query)
 
-    record
+    record.is_a?(Array) ? record.last : record
   end
 
   # Allow this action not to perform authorization.
@@ -303,7 +317,7 @@ protected
     current_user
   end
 
-private
+  private
 
   def pundit_policy_scope(scope)
     policy_scopes[scope] ||= Pundit.policy_scope!(pundit_user, scope)

data/pundit.gemspec

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 lib = File.expand_path("lib", __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require "pundit/version"
@@ -5,17 +7,26 @@ require "pundit/version"
 Gem::Specification.new do |gem|
   gem.name          = "pundit"
   gem.version       = Pundit::VERSION
-  gem.authors       = ["Jonas Nicklas", "Elabs AB"]
+  gem.authors       = ["Jonas Nicklas", "Varvet AB"]
   gem.email         = ["jonas.nicklas@gmail.com", "dev@elabs.se"]
   gem.description   = "Object oriented authorization for Rails applications"
   gem.summary       = "OO authorization for Rails"
   gem.homepage      = "https://github.com/varvet/pundit"
   gem.license       = "MIT"
 
-  gem.files         = `git ls-files`.split($/)
+  gem.files         = `git ls-files`.split($INPUT_RECORD_SEPARATOR)
   gem.executables   = gem.files.grep(%r{^bin/}).map { |f| File.basename(f) }
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.require_paths = ["lib"]
 
   gem.add_dependency "activesupport", ">= 3.0.0"
+  gem.add_development_dependency "actionpack", ">= 3.0.0"
+  gem.add_development_dependency "activemodel", ">= 3.0.0"
+  gem.add_development_dependency "bundler"
+  gem.add_development_dependency "pry"
+  gem.add_development_dependency "rake"
+  gem.add_development_dependency "rspec", ">= 3.0.0"
+  gem.add_development_dependency "rubocop", "0.74.0"
+  gem.add_development_dependency "simplecov", ">= 0.17.0"
+  gem.add_development_dependency "yard"
 end

data/spec/policies/post_policy_spec.rb

@@ -1,6 +1,8 @@
+# frozen_string_literal: true
+
 require "spec_helper"
 
-describe PostPolicy do
+RSpec.describe PostPolicy do
   let(:user) { double }
   let(:own_post) { double(user: user) }
   let(:other_post) { double(user: double) }

data/spec/policy_finder_spec.rb

@@ -1,6 +1,8 @@
+# frozen_string_literal: true
+
 require "spec_helper"
 
-describe Pundit::PolicyFinder do
+RSpec.describe Pundit::PolicyFinder do
   let(:user) { double }
   let(:post) { Post.new(user) }
   let(:comment) { CommentFourFiveSix.new }
@@ -22,37 +24,100 @@ describe Pundit::PolicyFinder do
   end
 
   describe "#policy" do
-    subject { described_class.new(post) }
+    context "with an instance" do
+      it "returns the associated policy" do
+        object = described_class.new(post)
+
+        expect(object.policy).to eq PostPolicy
+      end
+    end
+
+    context "with an array of symbols" do
+      it "returns the associated namespaced policy" do
+        object = described_class.new(%i[project post])
+
+        expect(object.policy).to eq Project::PostPolicy
+      end
+    end
 
-    it "returns a policy" do
-      expect(subject.policy).to eq PostPolicy
+    context "with an array of a symbol and an instance" do
+      it "returns the associated namespaced policy" do
+        object = described_class.new([:project, post])
+
+        expect(object.policy).to eq Project::PostPolicy
+      end
     end
 
-    context "with a string" do
-      it "returns a policy" do
-        allow(subject).to receive(:find).and_return "PostPolicy"
-        expect(subject.policy).to eq PostPolicy
+    context "with an array of a symbol and a class with a specified policy class" do
+      it "returns the associated namespaced policy" do
+        object = described_class.new([:project, Customer::Post])
+
+        expect(object.policy).to eq Project::PostPolicy
+      end
+    end
+
+    context "with an array of a symbol and a class with a specified model name" do
+      it "returns the associated namespaced policy" do
+        object = described_class.new([:project, CommentsRelation])
+
+        expect(object.policy).to eq Project::CommentPolicy
       end
     end
 
     context "with a class" do
-      it "returns a policy" do
-        allow(subject).to receive(:find).and_return PostPolicy
-        expect(subject.policy).to eq PostPolicy
+      it "returns the associated policy" do
+        object = described_class.new(Post)
+
+        expect(object.policy).to eq PostPolicy
+      end
+    end
+
+    context "with a class which has a specified policy class" do
+      it "returns the associated policy" do
+        object = described_class.new(Customer::Post)
+
+        expect(object.policy).to eq PostPolicy
+      end
+    end
+
+    context "with an instance which has a specified policy class" do
+      it "returns the associated policy" do
+        object = described_class.new(Customer::Post.new(user))
+
+        expect(object.policy).to eq PostPolicy
+      end
+    end
+
+    context "with a class which has a specified model name" do
+      it "returns the associated policy" do
+        object = described_class.new(CommentsRelation)
+
+        expect(object.policy).to eq CommentPolicy
+      end
+    end
+
+    context "with an instance which has a specified policy class" do
+      it "returns the associated policy" do
+        object = described_class.new(CommentsRelation.new)
+
+        expect(object.policy).to eq CommentPolicy
       end
     end
 
     context "with nil" do
-      it "returns nil" do
-        allow(subject).to receive(:find).and_return nil
-        expect(subject.policy).to eq nil
+      it "returns a NilClassPolicy" do
+        object = described_class.new(nil)
+
+        expect(object.policy).to eq NilClassPolicy
       end
     end
 
-    context "with a string that can't be constantized" do
+    context "with a class that doesn't have an associated policy" do
       it "returns nil" do
-        allow(subject).to receive(:find).and_return "FooPolicy"
-        expect(subject.policy).to eq nil
+        class Foo; end
+        object = described_class.new(Foo)
+
+        expect(object.policy).to eq nil
       end
     end
   end

data/spec/pundit_spec.rb

@@ -1,6 +1,8 @@
+# frozen_string_literal: true
+
 require "spec_helper"
 
-describe Pundit do
+RSpec.describe Pundit do
   let(:user) { double }
   let(:post) { Post.new(user) }
   let(:customer_post) { Customer::Post.new(user) }
@@ -16,12 +18,33 @@ describe Pundit do
   let(:tag_four_five_six) { ProjectOneTwoThree::TagFourFiveSix.new(user) }
   let(:avatar_four_five_six) { ProjectOneTwoThree::AvatarFourFiveSix.new }
   let(:wiki) { Wiki.new }
+  let(:thread) { Thread.new }
 
   describe ".authorize" do
     it "infers the policy and authorizes based on it" do
       expect(Pundit.authorize(user, post, :update?)).to be_truthy
     end
 
+    it "returns the record on successful authorization" do
+      expect(Pundit.authorize(user, post, :update?)).to eq(post)
+    end
+
+    it "returns the record when passed record with namespace " do
+      expect(Pundit.authorize(user, [:project, comment], :update?)).to eq(comment)
+    end
+
+    it "returns the record when passed record with nested namespace " do
+      expect(Pundit.authorize(user, [:project, :admin, comment], :update?)).to eq(comment)
+    end
+
+    it "returns the policy name symbol when passed record with headless policy" do
+      expect(Pundit.authorize(user, :publication, :create?)).to eq(:publication)
+    end
+
+    it "returns the class when passed record not a particular instance" do
+      expect(Pundit.authorize(user, Post, :show?)).to eq(Post)
+    end
+
     it "can be given a different policy class" do
       expect(Pundit.authorize(user, post, :create?, policy_class: PublicationPolicy)).to be_truthy
     end
@@ -35,7 +58,7 @@ describe Pundit do
       # rubocop:disable Style/MultilineBlockChain
       expect do
         Pundit.authorize(user, post, :destroy?)
-      end.to raise_error(Pundit::NotAuthorizedError, "not allowed to destroy? this #<Post>") do |error|
+      end.to raise_error(Pundit::NotAuthorizedError, "not allowed to destroy? this Post") do |error|
         expect(error.query).to eq :destroy?
         expect(error.record).to eq post
         expect(error.policy).to eq Pundit.policy(user, post)
@@ -88,6 +111,12 @@ describe Pundit do
         Pundit.policy_scope(user, Wiki)
       end.to raise_error(Pundit::InvalidConstructorError, "Invalid #<WikiPolicy::Scope> constructor is called")
     end
+
+    it "raises an original error with a policy scope that contains error" do
+      expect do
+        Pundit.policy_scope(user, Thread)
+      end.to raise_error(ArgumentError)
+    end
   end
 
   describe ".policy_scope!" do
@@ -401,7 +430,23 @@ describe Pundit do
     end
 
     it "returns the record on successful authorization" do
-      expect(controller.authorize(post)).to be(post)
+      expect(controller.authorize(post)).to eq(post)
+    end
+
+    it "returns the record when passed record with namespace " do
+      expect(controller.authorize([:project, comment], :update?)).to eq(comment)
+    end
+
+    it "returns the record when passed record with nested namespace " do
+      expect(controller.authorize([:project, :admin, comment], :update?)).to eq(comment)
+    end
+
+    it "returns the policy name symbol when passed record with headless policy" do
+      expect(controller.authorize(:publication, :create?)).to eq(:publication)
+    end
+
+    it "returns the class when passed record not a particular instance" do
+      expect(controller.authorize(Post, :show?)).to eq(Post)
     end
 
     it "can be given a different permission to check" do
@@ -511,11 +556,13 @@ describe Pundit do
 
   describe "#permitted_attributes" do
     it "checks policy for permitted attributes" do
-      params = ActionController::Parameters.new(post: {
-        title: "Hello",
-        votes: 5,
-        admin: true
-      })
+      params = ActionController::Parameters.new(
+        post: {
+          title: "Hello",
+          votes: 5,
+          admin: true
+        }
+      )
 
       action = "update"
 
@@ -527,11 +574,13 @@ describe Pundit do
     end
 
     it "checks policy for permitted attributes for record of a ActiveModel type" do
-      params = ActionController::Parameters.new(customer_post: {
-        title: "Hello",
-        votes: 5,
-        admin: true
-      })
+      params = ActionController::Parameters.new(
+        customer_post: {
+          title: "Hello",
+          votes: 5,
+          admin: true
+        }
+      )
 
       action = "update"
 
@@ -547,24 +596,28 @@ describe Pundit do
 
   describe "#permitted_attributes_for_action" do
     it "is checked if it is defined in the policy" do
-      params = ActionController::Parameters.new(post: {
-        title: "Hello",
-        body: "blah",
-        votes: 5,
-        admin: true
-      })
+      params = ActionController::Parameters.new(
+        post: {
+          title: "Hello",
+          body: "blah",
+          votes: 5,
+          admin: true
+        }
+      )
 
       action = "revise"
       expect(Controller.new(user, action, params).permitted_attributes(post).to_h).to eq("body" => "blah")
     end
 
     it "can be explicitly set" do
-      params = ActionController::Parameters.new(post: {
-        title: "Hello",
-        body: "blah",
-        votes: 5,
-        admin: true
-      })
+      params = ActionController::Parameters.new(
+        post: {
+          title: "Hello",
+          body: "blah",
+          votes: 5,
+          admin: true
+        }
+      )
 
       action = "update"
       expect(Controller.new(user, action, params).permitted_attributes(post, :revise).to_h).to eq("body" => "blah")

data/spec/spec_helper.rb

@@ -1,3 +1,10 @@
+# frozen_string_literal: true
+
+require "simplecov"
+SimpleCov.start do
+  add_filter "/spec/"
+end
+
 require "pundit"
 require "pundit/rspec"
 
@@ -9,22 +16,6 @@ require "active_support/core_ext"
 require "active_model/naming"
 require "action_controller/metal/strong_parameters"
 
-I18n.enforce_available_locales = false
-
-module PunditSpecHelper
-  extend RSpec::Matchers::DSL
-
-  matcher :be_truthy do
-    match do |actual|
-      actual
-    end
-  end
-end
-
-RSpec.configure do |config|
-  config.include PunditSpecHelper
-end
-
 class PostPolicy < Struct.new(:user, :post)
   class Scope < Struct.new(:user, :scope)
     def resolve
@@ -84,10 +75,6 @@ module Customer
     def self.policy_class
       PostPolicy
     end
-
-    def policy_class
-      self.class.policy_class
-    end
   end
 end
 
@@ -135,7 +122,7 @@ class CommentsRelation
     @empty
   end
 
-  def model_name
+  def self.model_name
     Comment.model_name
   end
 end
@@ -172,6 +159,10 @@ class CriteriaPolicy < Struct.new(:user, :criteria); end
 
 module Project
   class CommentPolicy < Struct.new(:user, :comment)
+    def update?
+      true
+    end
+
     class Scope < Struct.new(:user, :scope)
       def resolve
         scope
@@ -188,6 +179,14 @@ module Project
       end
     end
   end
+
+  module Admin
+    class CommentPolicy < Struct.new(:user, :comment)
+      def update?
+        true
+      end
+    end
+  end
 end
 
 class DenierPolicy < Struct.new(:user, :record)
@@ -199,9 +198,9 @@ end
 class Controller
   include Pundit
   # Mark protected methods public so they may be called in test
-  # rubocop:disable Layout/AccessModifierIndentation, Style/AccessModifierDeclarations
+  # rubocop:disable Style/AccessModifierDeclarations
   public(*Pundit.protected_instance_methods)
-  # rubocop:enable Layout/AccessModifierIndentation, Style/AccessModifierDeclarations
+  # rubocop:enable Style/AccessModifierDeclarations
 
   attr_reader :current_user, :action_name, :params
 
@@ -236,6 +235,18 @@ class WikiPolicy
   end
 end
 
+class Thread
+  def self.all; end
+end
+class ThreadPolicy < Struct.new(:user, :thread)
+  class Scope < Struct.new(:user, :scope)
+    def resolve
+      # deliberate wrong useage of the method
+      scope.all(:unvalid, :parameters)
+    end
+  end
+end
+
 class PostFourFiveSix < Struct.new(:user); end
 
 class CommentFourFiveSix; extend ActiveModel::Naming; end

metadata

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: pundit
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.1.1
 platform: ruby
 authors:
 - Jonas Nicklas
-- Elabs AB
+- Varvet AB
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-07-21 00:00:00.000000000 Z
+date: 2021-08-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -25,6 +25,132 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 3.0.0
+- !ruby/object:Gem::Dependency
+  name: actionpack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+- !ruby/object:Gem::Dependency
+  name: activemodel
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.74.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.74.0
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.17.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.17.0
+- !ruby/object:Gem::Dependency
+  name: yard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Object oriented authorization for Rails applications
 email:
 - jonas.nicklas@gmail.com
@@ -82,8 +208,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 3.2.25
 signing_key: 
 specification_version: 4
 summary: OO authorization for Rails