pundit 2.0.0 → 2.3.1

data/spec/pundit_spec.rb

@@ -1,6 +1,8 @@
+# frozen_string_literal: true
+
 require "spec_helper"
 
-describe Pundit do
+RSpec.describe Pundit do
   let(:user) { double }
   let(:post) { Post.new(user) }
   let(:customer_post) { Customer::Post.new(user) }
@@ -8,11 +10,10 @@ describe Pundit do
   let(:comment) { Comment.new }
   let(:comment_four_five_six) { CommentFourFiveSix.new }
   let(:article) { Article.new }
-  let(:controller) { Controller.new(user, "update", {}) }
   let(:artificial_blog) { ArtificialBlog.new }
   let(:article_tag) { ArticleTag.new }
-  let(:comments_relation) { CommentsRelation.new }
-  let(:empty_comments_relation) { CommentsRelation.new(true) }
+  let(:comments_relation) { CommentsRelation.new(empty: false) }
+  let(:empty_comments_relation) { CommentsRelation.new(empty: true) }
   let(:tag_four_five_six) { ProjectOneTwoThree::TagFourFiveSix.new(user) }
   let(:avatar_four_five_six) { ProjectOneTwoThree::AvatarFourFiveSix.new }
   let(:wiki) { Wiki.new }
@@ -22,10 +23,35 @@ describe Pundit do
       expect(Pundit.authorize(user, post, :update?)).to be_truthy
     end
 
+    it "returns the record on successful authorization" do
+      expect(Pundit.authorize(user, post, :update?)).to eq(post)
+    end
+
+    it "returns the record when passed record with namespace " do
+      expect(Pundit.authorize(user, [:project, comment], :update?)).to eq(comment)
+    end
+
+    it "returns the record when passed record with nested namespace " do
+      expect(Pundit.authorize(user, [:project, :admin, comment], :update?)).to eq(comment)
+    end
+
+    it "returns the policy name symbol when passed record with headless policy" do
+      expect(Pundit.authorize(user, :publication, :create?)).to eq(:publication)
+    end
+
+    it "returns the class when passed record not a particular instance" do
+      expect(Pundit.authorize(user, Post, :show?)).to eq(Post)
+    end
+
     it "can be given a different policy class" do
       expect(Pundit.authorize(user, post, :create?, policy_class: PublicationPolicy)).to be_truthy
     end
 
+    it "can be given a different policy class using namespaces" do
+      expect(PublicationPolicy).to receive(:new).with(user, comment).and_call_original
+      expect(Pundit.authorize(user, [:project, comment], :create?, policy_class: PublicationPolicy)).to be_truthy
+    end
+
     it "works with anonymous class policies" do
       expect(Pundit.authorize(user, article_tag, :show?)).to be_truthy
       expect { Pundit.authorize(user, article_tag, :destroy?) }.to raise_error(Pundit::NotAuthorizedError)
@@ -35,7 +61,7 @@ describe Pundit do
       # rubocop:disable Style/MultilineBlockChain
       expect do
         Pundit.authorize(user, post, :destroy?)
-      end.to raise_error(Pundit::NotAuthorizedError, "not allowed to destroy? this #<Post>") do |error|
+      end.to raise_error(Pundit::NotAuthorizedError, "not allowed to destroy? this Post") do |error|
         expect(error.query).to eq :destroy?
         expect(error.record).to eq post
         expect(error.policy).to eq Pundit.policy(user, post)
@@ -43,6 +69,18 @@ describe Pundit do
       # rubocop:enable Style/MultilineBlockChain
     end
 
+    it "raises an error with a the record, query and action when the record is namespaced" do
+      # rubocop:disable Style/MultilineBlockChain
+      expect do
+        Pundit.authorize(user, [:project, :admin, comment], :destroy?)
+      end.to raise_error(Pundit::NotAuthorizedError, "not allowed to destroy? this Comment") do |error|
+        expect(error.query).to eq :destroy?
+        expect(error.record).to eq comment
+        expect(error.policy).to eq Pundit.policy(user, [:project, :admin, comment])
+      end
+      # rubocop:enable Style/MultilineBlockChain
+    end
+
     it "raises an error with a invalid policy constructor" do
       expect do
         Pundit.authorize(user, wiki, :update?)
@@ -88,6 +126,12 @@ describe Pundit do
         Pundit.policy_scope(user, Wiki)
       end.to raise_error(Pundit::InvalidConstructorError, "Invalid #<WikiPolicy::Scope> constructor is called")
     end
+
+    it "raises an original error with a policy scope that contains error" do
+      expect do
+        Pundit.policy_scope(user, Thread)
+      end.to raise_error(ArgumentError)
+    end
   end
 
   describe ".policy_scope!" do
@@ -351,223 +395,22 @@ describe Pundit do
     end
   end
 
-  describe "#verify_authorized" do
-    it "does nothing when authorized" do
-      controller.authorize(post)
-      controller.verify_authorized
-    end
+  describe ".included" do
+    it "includes Authorization module" do
+      klass = Class.new
 
-    it "raises an exception when not authorized" do
-      expect { controller.verify_authorized }.to raise_error(Pundit::AuthorizationNotPerformedError)
-    end
-  end
-
-  describe "#verify_policy_scoped" do
-    it "does nothing when policy_scope is used" do
-      controller.policy_scope(Post)
-      controller.verify_policy_scoped
-    end
-
-    it "raises an exception when policy_scope is not used" do
-      expect { controller.verify_policy_scoped }.to raise_error(Pundit::PolicyScopingNotPerformedError)
-    end
-  end
-
-  describe "#pundit_policy_authorized?" do
-    it "is true when authorized" do
-      controller.authorize(post)
-      expect(controller.pundit_policy_authorized?).to be true
-    end
-
-    it "is false when not authorized" do
-      expect(controller.pundit_policy_authorized?).to be false
-    end
-  end
-
-  describe "#pundit_policy_scoped?" do
-    it "is true when policy_scope is used" do
-      controller.policy_scope(Post)
-      expect(controller.pundit_policy_scoped?).to be true
-    end
-
-    it "is false when policy scope is not used" do
-      expect(controller.pundit_policy_scoped?).to be false
-    end
-  end
-
-  describe "#authorize" do
-    it "infers the policy name and authorizes based on it" do
-      expect(controller.authorize(post)).to be_truthy
-    end
-
-    it "returns the record on successful authorization" do
-      expect(controller.authorize(post)).to be(post)
-    end
-
-    it "can be given a different permission to check" do
-      expect(controller.authorize(post, :show?)).to be_truthy
-      expect { controller.authorize(post, :destroy?) }.to raise_error(Pundit::NotAuthorizedError)
-    end
-
-    it "can be given a different policy class" do
-      expect(controller.authorize(post, :create?, policy_class: PublicationPolicy)).to be_truthy
-    end
-
-    it "works with anonymous class policies" do
-      expect(controller.authorize(article_tag, :show?)).to be_truthy
-      expect { controller.authorize(article_tag, :destroy?) }.to raise_error(Pundit::NotAuthorizedError)
-    end
-
-    it "throws an exception when the permission check fails" do
-      expect { controller.authorize(Post.new) }.to raise_error(Pundit::NotAuthorizedError)
-    end
-
-    it "throws an exception when a policy cannot be found" do
-      expect { controller.authorize(Article) }.to raise_error(Pundit::NotDefinedError)
-    end
-
-    it "caches the policy" do
-      expect(controller.policies[post]).to be_nil
-      controller.authorize(post)
-      expect(controller.policies[post]).not_to be_nil
-    end
-
-    it "raises an error when the given record is nil" do
-      expect { controller.authorize(nil, :destroy?) }.to raise_error(Pundit::NotAuthorizedError)
-    end
-
-    it "raises an error with a invalid policy constructor" do
-      expect { controller.authorize(wiki, :destroy?) }.to raise_error(Pundit::InvalidConstructorError)
-    end
-  end
-
-  describe "#skip_authorization" do
-    it "disables authorization verification" do
-      controller.skip_authorization
-      expect { controller.verify_authorized }.not_to raise_error
-    end
-  end
-
-  describe "#skip_policy_scope" do
-    it "disables policy scope verification" do
-      controller.skip_policy_scope
-      expect { controller.verify_policy_scoped }.not_to raise_error
-    end
-  end
-
-  describe "#pundit_user" do
-    it "returns the same thing as current_user" do
-      expect(controller.pundit_user).to eq controller.current_user
-    end
-  end
-
-  describe "#policy" do
-    it "returns an instantiated policy" do
-      policy = controller.policy(post)
-      expect(policy.user).to eq user
-      expect(policy.post).to eq post
-    end
-
-    it "throws an exception if the given policy can't be found" do
-      expect { controller.policy(article) }.to raise_error(Pundit::NotDefinedError)
-    end
-
-    it "raises an error with a invalid policy constructor" do
-      expect { controller.policy(wiki) }.to raise_error(Pundit::InvalidConstructorError)
-    end
-
-    it "allows policy to be injected" do
-      new_policy = OpenStruct.new
-      controller.policies[post] = new_policy
-
-      expect(controller.policy(post)).to eq new_policy
-    end
-  end
-
-  describe "#policy_scope" do
-    it "returns an instantiated policy scope" do
-      expect(controller.policy_scope(Post)).to eq :published
-    end
-
-    it "allows policy scope class to be overriden" do
-      expect(controller.policy_scope(Post, policy_scope_class: PublicationPolicy::Scope)).to eq :published
-    end
-
-    it "throws an exception if the given policy can't be found" do
-      expect { controller.policy_scope(Article) }.to raise_error(Pundit::NotDefinedError)
-    end
-
-    it "raises an error with a invalid policy scope constructor" do
-      expect { controller.policy_scope(Wiki) }.to raise_error(Pundit::InvalidConstructorError)
-    end
-
-    it "allows policy_scope to be injected" do
-      new_scope = OpenStruct.new
-      controller.policy_scopes[Post] = new_scope
-
-      expect(controller.policy_scope(Post)).to eq new_scope
-    end
-  end
-
-  describe "#permitted_attributes" do
-    it "checks policy for permitted attributes" do
-      params = ActionController::Parameters.new(post: {
-        title: "Hello",
-        votes: 5,
-        admin: true
-      })
-
-      action = "update"
-
-      expect(Controller.new(user, action, params).permitted_attributes(post).to_h).to eq(
-        "title" => "Hello",
-        "votes" => 5
-      )
-      expect(Controller.new(double, action, params).permitted_attributes(post).to_h).to eq("votes" => 5)
-    end
-
-    it "checks policy for permitted attributes for record of a ActiveModel type" do
-      params = ActionController::Parameters.new(customer_post: {
-        title: "Hello",
-        votes: 5,
-        admin: true
-      })
-
-      action = "update"
+      expect do
+        klass.include Pundit
+      end.to output.to_stderr
 
-      expect(Controller.new(user, action, params).permitted_attributes(customer_post).to_h).to eq(
-        "title" => "Hello",
-        "votes" => 5
-      )
-      expect(Controller.new(double, action, params).permitted_attributes(customer_post).to_h).to eq(
-        "votes" => 5
-      )
+      expect(klass).to include Pundit::Authorization
     end
-  end
 
-  describe "#permitted_attributes_for_action" do
-    it "is checked if it is defined in the policy" do
-      params = ActionController::Parameters.new(post: {
-        title: "Hello",
-        body: "blah",
-        votes: 5,
-        admin: true
-      })
-
-      action = "revise"
-      expect(Controller.new(user, action, params).permitted_attributes(post).to_h).to eq("body" => "blah")
-    end
-
-    it "can be explicitly set" do
-      params = ActionController::Parameters.new(post: {
-        title: "Hello",
-        body: "blah",
-        votes: 5,
-        admin: true
-      })
-
-      action = "update"
-      expect(Controller.new(user, action, params).permitted_attributes(post, :revise).to_h).to eq("body" => "blah")
+    it "warns about deprecation" do
+      klass = Class.new
+      expect do
+        klass.include Pundit
+      end.to output(a_string_starting_with("'include Pundit' is deprecated")).to_stderr
     end
   end
 

data/spec/spec_helper.rb

@@ -1,3 +1,10 @@
+# frozen_string_literal: true
+
+require "simplecov"
+SimpleCov.start do
+  add_filter "/spec/"
+end
+
 require "pundit"
 require "pundit/rspec"
 
@@ -9,22 +16,6 @@ require "active_support/core_ext"
 require "active_model/naming"
 require "action_controller/metal/strong_parameters"
 
-I18n.enforce_available_locales = false
-
-module PunditSpecHelper
-  extend RSpec::Matchers::DSL
-
-  matcher :be_truthy do
-    match do |actual|
-      actual
-    end
-  end
-end
-
-RSpec.configure do |config|
-  config.include PunditSpecHelper
-end
-
 class PostPolicy < Struct.new(:user, :post)
   class Scope < Struct.new(:user, :scope)
     def resolve
@@ -84,15 +75,12 @@ module Customer
     def self.policy_class
       PostPolicy
     end
-
-    def policy_class
-      self.class.policy_class
-    end
   end
 end
 
 class CommentScope
   attr_reader :original_object
+
   def initialize(original_object)
     @original_object = original_object
   end
@@ -127,7 +115,7 @@ class Comment
 end
 
 class CommentsRelation
-  def initialize(empty = false)
+  def initialize(empty: false)
     @empty = empty
   end
 
@@ -135,7 +123,7 @@ class CommentsRelation
     @empty
   end
 
-  def model_name
+  def self.model_name
     Comment.model_name
   end
 end
@@ -172,6 +160,10 @@ class CriteriaPolicy < Struct.new(:user, :criteria); end
 
 module Project
   class CommentPolicy < Struct.new(:user, :comment)
+    def update?
+      true
+    end
+
     class Scope < Struct.new(:user, :scope)
       def resolve
         scope
@@ -188,6 +180,18 @@ module Project
       end
     end
   end
+
+  module Admin
+    class CommentPolicy < Struct.new(:user, :comment)
+      def update?
+        true
+      end
+
+      def destroy?
+        false
+      end
+    end
+  end
 end
 
 class DenierPolicy < Struct.new(:user, :record)
@@ -197,11 +201,11 @@ class DenierPolicy < Struct.new(:user, :record)
 end
 
 class Controller
-  include Pundit
+  include Pundit::Authorization
   # Mark protected methods public so they may be called in test
-  # rubocop:disable Layout/AccessModifierIndentation, Style/AccessModifierDeclarations
-  public(*Pundit.protected_instance_methods)
-  # rubocop:enable Layout/AccessModifierIndentation, Style/AccessModifierDeclarations
+  # rubocop:disable Style/AccessModifierDeclarations
+  public(*Pundit::Authorization.protected_instance_methods)
+  # rubocop:enable Style/AccessModifierDeclarations
 
   attr_reader :current_user, :action_name, :params
 
@@ -229,6 +233,7 @@ class NilClassPolicy < Struct.new(:user, :record)
 end
 
 class Wiki; end
+
 class WikiPolicy
   class Scope
     # deliberate typo method
@@ -236,6 +241,19 @@ class WikiPolicy
   end
 end
 
+class Thread
+  def self.all; end
+end
+
+class ThreadPolicy < Struct.new(:user, :thread)
+  class Scope < Struct.new(:user, :scope)
+    def resolve
+      # deliberate wrong useage of the method
+      scope.all(:unvalid, :parameters)
+    end
+  end
+end
+
 class PostFourFiveSix < Struct.new(:user); end
 
 class CommentFourFiveSix; extend ActiveModel::Naming; end

metadata

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: pundit
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.3.1
 platform: ruby
 authors:
 - Jonas Nicklas
-- Elabs AB
-autorequire: 
+- Varvet AB
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-07-21 00:00:00.000000000 Z
+date: 2023-07-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -25,14 +25,155 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 3.0.0
+- !ruby/object:Gem::Dependency
+  name: actionpack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+- !ruby/object:Gem::Dependency
+  name: activemodel
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: railties
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.24.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.24.0
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.17.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.17.0
+- !ruby/object:Gem::Dependency
+  name: yard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Object oriented authorization for Rails applications
 email:
 - jonas.nicklas@gmail.com
-- dev@elabs.se
+- info@varvet.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/pull_request_template.md"
 - ".gitignore"
 - ".rubocop.yml"
 - ".travis.yml"
@@ -44,6 +185,8 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
+- SECURITY.md
+- config/rubocop-rspec.yml
 - lib/generators/pundit/install/USAGE
 - lib/generators/pundit/install/install_generator.rb
 - lib/generators/pundit/install/templates/application_policy.rb
@@ -55,10 +198,13 @@ files:
 - lib/generators/test_unit/policy_generator.rb
 - lib/generators/test_unit/templates/policy_test.rb
 - lib/pundit.rb
+- lib/pundit/authorization.rb
 - lib/pundit/policy_finder.rb
 - lib/pundit/rspec.rb
 - lib/pundit/version.rb
 - pundit.gemspec
+- spec/authorization_spec.rb
+- spec/generators_spec.rb
 - spec/policies/post_policy_spec.rb
 - spec/policy_finder_spec.rb
 - spec/pundit_spec.rb
@@ -66,8 +212,9 @@ files:
 homepage: https://github.com/varvet/pundit
 licenses:
 - MIT
-metadata: {}
-post_install_message: 
+metadata:
+  rubygems_mfa_required: 'true'
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -82,12 +229,13 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
-signing_key: 
+rubygems_version: 3.4.10
+signing_key:
 specification_version: 4
 summary: OO authorization for Rails
 test_files:
+- spec/authorization_spec.rb
+- spec/generators_spec.rb
 - spec/policies/post_policy_spec.rb
 - spec/policy_finder_spec.rb
 - spec/pundit_spec.rb