pundit 2.0.1 → 2.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: dffd7b483c73feb3955b9f1eb6767d9fedb72eaf
-  data.tar.gz: 5de4a5628f75bfcd87879c52917634f1ddde7072
+SHA256:
+  metadata.gz: 74f2f6efff0c12342afad4bb45dc75f12443e20f6ab5a9ed40274f2f842f2441
+  data.tar.gz: ad984e338045f040964301fdf2c79323d2e1a1ebffad16fc332d49315de14da2
 SHA512:
-  metadata.gz: f21abdc81639b1d05209f1dfc71579294ba5226372493936ea9e6cfc2cc356e620223042f9f58679a2bb276dabab3f81e793a22d4b6e4bb69ef7edb467d399c1
-  data.tar.gz: fe50e431d42e21e415ad361a1a0f536373e4a90b6f0631321dce3ba1b8e804c13b3e1d44f0446b3b1e71c68dbd868b5881b7bbaf6367e69b92bf23acf34a1022
+  metadata.gz: 106c8df42fc14b485dc4ea3951fba00232b6fa739b0a5910d9c33a33dde04cb1c015ecbf77f07a38274b9f9ae43ea5cfbbafb283f5eddc42fbf9454820ab87af
+  data.tar.gz: 4ab2a989938496acf224a9b20c247010e8d5882de168a995a02dbde021d308d7602f6305d675b26d461dcfb171346b02a1979325471f8713644aab8aac2dab9a

data/.gitignore

@@ -2,6 +2,7 @@
 *.rbc
 .bundle
 .config
+.coverage
 .yardoc
 Gemfile.lock
 InstalledFiles

data/.rubocop.yml

@@ -1,10 +1,9 @@
 AllCops:
-  DisplayCopNames: true
-  TargetRubyVersion: 2.2
+  TargetRubyVersion: 2.6
   Exclude:
-    - "gemfiles/**/*"
-    - "vendor/**/*"
-    - "lib/generators/**/*"
+    - "lib/generators/**/templates/**/*"
+  SuggestExtensions: false
+  NewCops: disable
 
 Metrics/BlockLength:
   Exclude:
@@ -18,7 +17,7 @@ Metrics/ModuleLength:
   Exclude:
     - "**/*_spec.rb"
 
-Metrics/LineLength:
+Layout/LineLength:
   Max: 120
 
 Metrics/AbcSize:
@@ -30,33 +29,12 @@ Metrics/CyclomaticComplexity:
 Metrics/PerceivedComplexity:
   Enabled: false
 
-Style/StructInheritance:
-  Enabled: false
+Gemspec/RequiredRubyVersion:
+ Enabled: false
 
-Layout/AlignParameters:
+Layout/ParameterAlignment:
   EnforcedStyle: with_fixed_indentation
 
-Style/StringLiterals:
-  EnforcedStyle: double_quotes
-
-Style/StringLiteralsInInterpolation:
-  EnforcedStyle: double_quotes
-
-Layout/ClosingParenthesisIndentation:
-  Enabled: false
-
-Style/OneLineConditional:
-  Enabled: false
-
-Style/AndOr:
-  Enabled: false
-
-Style/Not:
-  Enabled: false
-
-Documentation:
-  Enabled: false # TODO: Enable again once we have more docs
-
 Layout/CaseIndentation:
   EnforcedStyle: case
   SupportedStyles:
@@ -64,40 +42,31 @@ Layout/CaseIndentation:
     - end
   IndentOneStep: true
 
+Layout/EndAlignment:
+  EnforcedStyleAlignWith: variable
+
 Style/PercentLiteralDelimiters:
   PreferredDelimiters:
     '%w': "[]"
     '%W': "[]"
 
-Layout/AccessModifierIndentation:
-  EnforcedStyle: outdent
-
-Style/SignalException:
-  Enabled: false
-
-Layout/IndentationWidth:
-  Enabled: false
-
-Style/TrivialAccessors:
-  ExactNameMatch: true
-
-Layout/EndAlignment:
-  EnforcedStyleAlignWith: variable
-
-Layout/DefEndAlignment:
-  Enabled: false
+Style/StringLiterals:
+  EnforcedStyle: double_quotes
 
-Lint/HandleExceptions:
-  Enabled: false
+Style/StringLiteralsInInterpolation:
+  EnforcedStyle: double_quotes
 
-Style/SpecialGlobalVars:
+Style/StructInheritance:
   Enabled: false
 
-Style/TrivialAccessors:
+Style/AndOr:
   Enabled: false
 
-Layout/IndentHash:
+Style/Not:
   Enabled: false
 
 Style/DoubleNegation:
   Enabled: false
+
+Style/Documentation:
+  Enabled: false # TODO: Enable again once we have more docs

data/.travis.yml

@@ -1,20 +1,26 @@
 language: ruby
-before_install:
-  - gem install bundler -v 1.17.3
+dist: focal
 
 matrix:
   include:
-    - rvm: 2.5.1
+    - name: "RuboCop lint on pre-installed Ruby version"
+      rvm: 2.7.1 # Pre-installed Ruby version
+      before_install:
+        - gem install bundler
       script: bundle exec rake rubocop # ONLY lint once, first
-    - rvm: 2.1
-    - rvm: 2.2
-    - rvm: 2.3.5
-    - rvm: 2.4.2
-    - rvm: 2.5.1
-    - rvm: 2.6.0
-    - rvm: jruby-9.1.8.0
-      env:
-        - JRUBY_OPTS="--debug"
-    - rvm: jruby-9.2.5.0
+    - rvm: 2.6.7
+      before_script:
+        - curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter
+        - chmod +x ./cc-test-reporter
+        - ./cc-test-reporter before-build
+      after_script:
+        - ./cc-test-reporter after-build --exit-code $TRAVIS_TEST_RESULT
+    - rvm: 2.7.3
+    - rvm: 3.0.1
+    - rvm: 3.1.0
+    - rvm: jruby-9.2.17.0
       env:
         - JRUBY_OPTS="--debug"
+    - rvm: truffleruby-head
+  allow_failures:
+    - rvm: truffleruby-head

data/CHANGELOG.md

@@ -1,5 +1,59 @@
 # Pundit
 
+## 2.3.0 (2022-12-19)
+
+### Added
+
+- add support for rubocop-rspec syntax extensions (#745)
+
+## 2.2.0 (2022-02-11)
+
+### Fixed
+
+- Using `policy_class` and a namespaced record now passes only the record when instantiating the policy. (#697, #689, #694, #666)
+
+### Changed
+
+- Require users to explicitly define Scope#resolve in generated policies (#711, #722)
+
+### Deprecated
+
+- Deprecate `include Pundit` in favor of `include Pundit::Authorization` (#621)
+
+## 2.1.1 (2021-08-13)
+
+Friday 13th-release!
+
+Careful! The bugfix below (#626) could break existing code. If you rely on the
+return value for `authorize` and namespaced policies you might need to do some
+changes.
+
+### Fixed
+
+- `.authorize` and `#authorize` return the instance, even for namespaced
+  policies (#626)
+
+### Changed
+
+- Generate application scope with `protected` attr_readers. (#616)
+
+### Removed
+
+- Dropped support for Ruby end-of-life versions: 2.1 and 2.2. (#604)
+- Dropped support for Ruby end-of-life versions: 2.3 (#633)
+- Dropped support for Ruby end-of-life versions: 2.4, 2.5 and JRuby 9.1 (#676)
+- Dropped support for RSpec 2 (#615)
+
+## 2.1.0 (2019-08-14)
+
+### Fixed
+
+- Avoid name clashes with the Error class. (#590)
+
+### Changed
+
+- Return a safer default NotAuthorizedError message. (#583)
+
 ## 2.0.1 (2019-01-18)
 
 ### Breaking changes

data/Gemfile

@@ -1,16 +1,7 @@
+# frozen_string_literal: true
+
 source "https://rubygems.org"
 
 ruby RUBY_VERSION
 
 gemspec
-
-group :development, :test do
-  gem "actionpack"
-  gem "activemodel"
-  gem "bundler"
-  gem "pry"
-  gem "rake"
-  gem "rspec"
-  gem "rubocop"
-  gem "yard"
-end

data/LICENSE.txt

@@ -1,4 +1,4 @@
-Copyright (c) 2018 Jonas Nicklas, Varvet AB
+Copyright (c) 2019 Jonas Nicklas, Varvet AB
 
 MIT License
 

data/README.md

@@ -7,11 +7,11 @@
 
 Pundit provides a set of helpers which guide you in leveraging regular Ruby
 classes and object oriented design patterns to build a simple, robust and
-scaleable authorization system.
+scalable authorization system.
 
 Links:
 
-- [API documentation](http://www.rubydoc.info/gems/pundit)
+- [API documentation for the most recent version](http://www.rubydoc.info/gems/pundit)
 - [Source Code](https://github.com/varvet/pundit)
 - [Contributing](https://github.com/varvet/pundit/blob/master/CONTRIBUTING.md)
 - [Code of Conduct](https://github.com/varvet/pundit/blob/master/CODE_OF_CONDUCT.md)
@@ -22,16 +22,17 @@ Sponsored by:
 
 ## Installation
 
-``` ruby
-gem "pundit"
+> **Please note** that the README on GitHub is accurate with the _latest code on GitHub_. You are most likely using a released version of Pundit, so please refer to the [documentation for the latest released version of Pundit](https://www.rubydoc.info/gems/pundit).
+
+``` sh
+bundle add pundit
 ```
 
-Include Pundit in your application controller:
+Include `Pundit::Authorization` in your application controller:
 
 ``` ruby
 class ApplicationController < ActionController::Base
-  include Pundit
-  protect_from_forgery
+  include Pundit::Authorization
 end
 ```
 
@@ -61,7 +62,7 @@ class PostPolicy
   end
 
   def update?
-    user.admin? or not post.published?
+    user.admin? || !post.published?
   end
 end
 ```
@@ -165,13 +166,18 @@ def admin_list
 end
 ```
 
-`authorize` returns the object passed to it, so you can chain it like this:
+`authorize` returns the instance passed to it, so you can chain it like this:
 
 Controller:
 ```ruby
 def show
   @user = authorize User.find(params[:id])
 end
+
+# return the record even for namespaced policies
+def show
+  @user = authorize [:admin, User.find(params[:id])]
+end
 ```
 
 You can easily get a hold of an instance of the policy through the `policy`
@@ -190,8 +196,17 @@ you can retrieve it by passing a symbol.
 
 ```ruby
 # app/policies/dashboard_policy.rb
-class DashboardPolicy < Struct.new(:user, :dashboard)
-  # ...
+class DashboardPolicy
+  attr_reader :user
+
+  # _record in this example will just be :dashboard
+  def initialize(user, _record)
+    @user = user
+  end
+
+  def show?
+    user.admin?
+  end
 end
 ```
 
@@ -201,7 +216,10 @@ is what is passed as the record to `authorize` below.
 
 ```ruby
 # In controllers
-authorize :dashboard, :show?
+def show
+  authorize :dashboard, :show?
+  ...
+end
 ```
 
 ```erb
@@ -220,8 +238,6 @@ define a class called a policy scope. It can look something like this:
 ``` ruby
 class PostPolicy < ApplicationPolicy
   class Scope
-    attr_reader :user, :scope
-
     def initialize(user, scope)
       @user  = user
       @scope = scope
@@ -234,6 +250,10 @@ class PostPolicy < ApplicationPolicy
         scope.where(published: true)
       end
     end
+
+    private
+
+    attr_reader :user, :scope
   end
 
   def update?
@@ -296,13 +316,11 @@ def index
 end
 ```
 
-Just as with your policy, this will automatically infer that you want to use
-the `PostPolicy::Scope` class, it will instantiate this class and call
-`resolve` on the instance. In this case it is a shortcut for doing:
+In this case it is a shortcut for doing:
 
 ``` ruby
 def index
-  @posts = PostPolicy::Scope.new(current_user, Post).resolve
+  @publications = PublicationPolicy::Scope.new(current_user, Post).resolve
 end
 ```
 
@@ -330,7 +348,7 @@ that you haven't forgotten to authorize the action. For example:
 
 ``` ruby
 class ApplicationController < ActionController::Base
-  include Pundit
+  include Pundit::Authorization
   after_action :verify_authorized
 end
 ```
@@ -343,7 +361,7 @@ authorize individual instances.
 
 ``` ruby
 class ApplicationController < ActionController::Base
-  include Pundit
+  include Pundit::Authorization
   after_action :verify_authorized, except: :index
   after_action :verify_policy_scoped, only: :index
 end
@@ -391,6 +409,16 @@ class Post
 end
 ```
 
+Alternatively, you can declare an instance method:
+
+``` ruby
+class Post
+  def policy_class
+    PostablePolicy
+  end
+end
+```
+
 ## Just plain old Ruby
 
 As you can see, Pundit doesn't do anything you couldn't have easily done
@@ -476,8 +504,7 @@ method in every controller.
 
 ```ruby
 class ApplicationController < ActionController::Base
-  protect_from_forgery
-  include Pundit
+  include Pundit::Authorization
 
   rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
 
@@ -485,7 +512,7 @@ class ApplicationController < ActionController::Base
 
   def user_not_authorized
     flash[:alert] = "You are not authorized to perform this action."
-    redirect_to(request.referrer || root_path)
+    redirect_back(fallback_location: root_path)
   end
 end
 ```
@@ -514,7 +541,7 @@ class ApplicationController < ActionController::Base
    policy_name = exception.policy.class.to_s.underscore
 
    flash[:error] = t "#{policy_name}.#{exception.query}", scope: "pundit", default: :default
-   redirect_to(request.referrer || root_path)
+   redirect_back(fallback_url: root_path)
  end
 end
 ```
@@ -597,8 +624,7 @@ class Admin::PostController < AdminController
   end
 
   def show
-    post = Post.find(params[:id])
-    authorize(post)
+    post = authorize Post.find(params[:id])
   end
 end
 ```
@@ -631,7 +657,7 @@ class UserContext
 end
 
 class ApplicationController
-  include Pundit
+  include Pundit::Authorization
 
   def pundit_user
     UserContext.new(current_user, request.ip)
@@ -641,9 +667,8 @@ end
 
 ## Strong parameters
 
-In Rails 4 (or Rails 3.2 with the
-[strong_parameters](https://github.com/rails/strong_parameters) gem),
-mass-assignment protection is handled in the controller.  With Pundit you can
+In Rails,
+mass-assignment protection is handled in the controller. With Pundit you can
 control which attributes a user has access to update via your policies. You can
 set up a `permitted_attributes` method in your policy like this:
 
@@ -667,7 +692,7 @@ You can now retrieve these attributes from the policy:
 class PostsController < ApplicationController
   def update
     @post = Post.find(params[:id])
-    if @post.update_attributes(post_params)
+    if @post.update(post_params)
       redirect_to @post
     else
       render :edit
@@ -689,7 +714,7 @@ However, this is a bit cumbersome, so Pundit provides a convenient helper method
 class PostsController < ApplicationController
   def update
     @post = Post.find(params[:id])
-    if @post.update_attributes(permitted_attributes(@post))
+    if @post.update(permitted_attributes(@post))
       redirect_to @post
     else
       render :edit
@@ -777,14 +802,29 @@ An alternative approach to Pundit policy specs is scoping them to a user context
 
 Pundit does not provide a DSL for testing scopes. Just test it like a regular Ruby class!
 
+### Linting with RuboCop RSpec
+
+When you lint your RSpec spec files with `rubocop-rspec`, it will fail to properly detect RSpec constructs that Pundit defines, `permissions`.
+Make sure to use `rubocop-rspec` 2.0 or newer and add the following to your `.rubocop.yml`:
+
+```yaml
+inherit_gem:
+  pundit: config/rubocop-rspec.yml
+```
+
 # External Resources
 
 - [RailsApps Example Application: Pundit and Devise](https://github.com/RailsApps/rails-devise-pundit)
 - [Migrating to Pundit from CanCan](http://blog.carbonfive.com/2013/10/21/migrating-to-pundit-from-cancan/)
 - [Testing Pundit Policies with RSpec](http://thunderboltlabs.com/blog/2013/03/27/testing-pundit-policies-with-rspec/)
+- [Testing Pundit with Minitest](https://github.com/varvet/pundit/issues/204#issuecomment-60166450)
 - [Using Pundit outside of a Rails controller](https://github.com/varvet/pundit/pull/136)
 - [Straightforward Rails Authorization with Pundit](http://www.sitepoint.com/straightforward-rails-authorization-with-pundit/)
 
+## Other implementations
+
+- [Flask-Pundit](https://github.com/anurag90x/flask-pundit) (Python) is a [Flask](http://flask.pocoo.org/) extension "heavily inspired by" Pundit
+
 # License
 
 Licensed under the MIT license, see the separate LICENSE.txt file.

data/Rakefile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "rubygems"
 require "bundler/gem_tasks"
 require "rspec/core/rake_task"

data/config/rubocop-rspec.yml

@@ -0,0 +1,5 @@
+RSpec:
+  Language:
+    ExampleGroups:
+      Regular:
+        - permissions

data/lib/generators/pundit/install/install_generator.rb

@@ -1,10 +1,12 @@
+# frozen_string_literal: true
+
 module Pundit
   module Generators
     class InstallGenerator < ::Rails::Generators::Base
-      source_root File.expand_path('templates', __dir__)
+      source_root File.expand_path("templates", __dir__)
 
       def copy_application_policy
-        template 'application_policy.rb', 'app/policies/application_policy.rb'
+        template "application_policy.rb", "app/policies/application_policy.rb"
       end
     end
   end

data/lib/generators/pundit/install/templates/application_policy.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class ApplicationPolicy
   attr_reader :user, :record
 
@@ -35,15 +37,17 @@ class ApplicationPolicy
   end
 
   class Scope
-    attr_reader :user, :scope
-
     def initialize(user, scope)
       @user = user
       @scope = scope
     end
 
     def resolve
-      scope.all
+      raise NotImplementedError, "You must define #resolve in #{self.class}"
     end
+
+    private
+
+    attr_reader :user, :scope
   end
 end

data/lib/generators/pundit/policy/policy_generator.rb

@@ -1,10 +1,12 @@
+# frozen_string_literal: true
+
 module Pundit
   module Generators
     class PolicyGenerator < ::Rails::Generators::NamedBase
-      source_root File.expand_path('templates', __dir__)
+      source_root File.expand_path("templates", __dir__)
 
       def create_policy
-        template 'policy.rb', File.join('app/policies', class_path, "#{file_name}_policy.rb")
+        template "policy.rb", File.join("app/policies", class_path, "#{file_name}_policy.rb")
       end
 
       hook_for :test_framework

data/lib/generators/pundit/policy/templates/policy.rb

@@ -1,9 +1,10 @@
 <% module_namespacing do -%>
 class <%= class_name %>Policy < ApplicationPolicy
   class Scope < Scope
-    def resolve
-      scope.all
-    end
+    # NOTE: Be explicit about which records you allow access to!
+    # def resolve
+    #   scope.all
+    # end
   end
 end
 <% end -%>

data/lib/generators/rspec/policy_generator.rb

@@ -1,10 +1,12 @@
+# frozen_string_literal: true
+
 module Rspec
   module Generators
     class PolicyGenerator < ::Rails::Generators::NamedBase
-      source_root File.expand_path('templates', __dir__)
+      source_root File.expand_path("templates", __dir__)
 
       def create_policy_spec
-        template 'policy_spec.rb', File.join('spec/policies', class_path, "#{file_name}_policy_spec.rb")
+        template "policy_spec.rb", File.join("spec/policies", class_path, "#{file_name}_policy_spec.rb")
       end
     end
   end

data/lib/generators/test_unit/policy_generator.rb

@@ -1,10 +1,12 @@
+# frozen_string_literal: true
+
 module TestUnit
   module Generators
     class PolicyGenerator < ::Rails::Generators::NamedBase
-      source_root File.expand_path('templates', __dir__)
+      source_root File.expand_path("templates", __dir__)
 
       def create_policy_test
-        template 'policy_test.rb', File.join('test/policies', class_path, "#{file_name}_policy_test.rb")
+        template "policy_test.rb", File.join("test/policies", class_path, "#{file_name}_policy_test.rb")
       end
     end
   end