pundit 2.1.0 → 2.5.0

data/spec/pundit_spec.rb

@@ -2,7 +2,7 @@
 
 require "spec_helper"
 
-describe Pundit do
+RSpec.describe Pundit do
   let(:user) { double }
   let(:post) { Post.new(user) }
   let(:customer_post) { Customer::Post.new(user) }
@@ -10,23 +10,37 @@ describe Pundit do
   let(:comment) { Comment.new }
   let(:comment_four_five_six) { CommentFourFiveSix.new }
   let(:article) { Article.new }
-  let(:controller) { Controller.new(user, "update", {}) }
   let(:artificial_blog) { ArtificialBlog.new }
   let(:article_tag) { ArticleTag.new }
-  let(:comments_relation) { CommentsRelation.new }
-  let(:empty_comments_relation) { CommentsRelation.new(true) }
+  let(:comments_relation) { CommentsRelation.new(empty: false) }
+  let(:empty_comments_relation) { CommentsRelation.new(empty: true) }
   let(:tag_four_five_six) { ProjectOneTwoThree::TagFourFiveSix.new(user) }
   let(:avatar_four_five_six) { ProjectOneTwoThree::AvatarFourFiveSix.new }
   let(:wiki) { Wiki.new }
-  let(:thread) { Thread.new }
 
   describe ".authorize" do
     it "infers the policy and authorizes based on it" do
       expect(Pundit.authorize(user, post, :update?)).to be_truthy
     end
 
-    it "can be given a different policy class" do
-      expect(Pundit.authorize(user, post, :create?, policy_class: PublicationPolicy)).to be_truthy
+    it "returns the record on successful authorization" do
+      expect(Pundit.authorize(user, post, :update?)).to eq(post)
+    end
+
+    it "returns the record when passed record with namespace " do
+      expect(Pundit.authorize(user, [:project, comment], :update?)).to eq(comment)
+    end
+
+    it "returns the record when passed record with nested namespace " do
+      expect(Pundit.authorize(user, [:project, :admin, comment], :update?)).to eq(comment)
+    end
+
+    it "returns the policy name symbol when passed record with headless policy" do
+      expect(Pundit.authorize(user, :publication, :create?)).to eq(:publication)
+    end
+
+    it "returns the class when passed record not a particular instance" do
+      expect(Pundit.authorize(user, Post, :show?)).to eq(Post)
     end
 
     it "works with anonymous class policies" do
@@ -34,14 +48,51 @@ describe Pundit do
       expect { Pundit.authorize(user, article_tag, :destroy?) }.to raise_error(Pundit::NotAuthorizedError)
     end
 
-    it "raises an error with a query and action" do
+    it "raises an error with the policy, query and record" do
       # rubocop:disable Style/MultilineBlockChain
       expect do
         Pundit.authorize(user, post, :destroy?)
-      end.to raise_error(Pundit::NotAuthorizedError, "not allowed to destroy? this Post") do |error|
+      end.to raise_error(Pundit::NotAuthorizedError, "not allowed to PostPolicy#destroy? this Post") do |error|
         expect(error.query).to eq :destroy?
         expect(error.record).to eq post
-        expect(error.policy).to eq Pundit.policy(user, post)
+        expect(error.policy).to have_attributes(
+          user: user,
+          record: post
+        )
+        expect(error.policy).to be_a(PostPolicy)
+      end
+      # rubocop:enable Style/MultilineBlockChain
+    end
+
+    it "raises an error with the policy, query and record when the record is namespaced" do
+      # rubocop:disable Style/MultilineBlockChain
+      expect do
+        Pundit.authorize(user, [:project, :admin, comment], :destroy?)
+      end.to raise_error(Pundit::NotAuthorizedError,
+                         "not allowed to Project::Admin::CommentPolicy#destroy? this Comment") do |error|
+        expect(error.query).to eq :destroy?
+        expect(error.record).to eq comment
+        expect(error.policy).to have_attributes(
+          user: user,
+          record: comment
+        )
+        expect(error.policy).to be_a(Project::Admin::CommentPolicy)
+      end
+      # rubocop:enable Style/MultilineBlockChain
+    end
+
+    it "raises an error with the policy, query and the class name when a Class is given" do
+      # rubocop:disable Style/MultilineBlockChain
+      expect do
+        Pundit.authorize(user, Post, :destroy?)
+      end.to raise_error(Pundit::NotAuthorizedError, "not allowed to PostPolicy#destroy? Post") do |error|
+        expect(error.query).to eq :destroy?
+        expect(error.record).to eq Post
+        expect(error.policy).to have_attributes(
+          user: user,
+          record: Post
+        )
+        expect(error.policy).to be_a(PostPolicy)
       end
       # rubocop:enable Style/MultilineBlockChain
     end
@@ -51,6 +102,41 @@ describe Pundit do
         Pundit.authorize(user, wiki, :update?)
       end.to raise_error(Pundit::InvalidConstructorError, "Invalid #<WikiPolicy> constructor is called")
     end
+
+    context "when passed a policy class" do
+      it "uses the passed policy class" do
+        expect(Pundit.authorize(user, post, :create?, policy_class: PublicationPolicy)).to be_truthy
+      end
+
+      # This is documenting past behaviour.
+      it "doesn't cache the policy class" do
+        cache = {}
+
+        expect do
+          Pundit.authorize(user, post, :create?, policy_class: PublicationPolicy, cache: cache)
+          Pundit.authorize(user, post, :create?, policy_class: PublicationPolicy, cache: cache)
+        end.to change { PublicationPolicy.instances }.by(2)
+      end
+    end
+
+    context "when passed a policy class while simultaenously passing a namespace" do
+      it "uses the passed policy class" do
+        expect(PublicationPolicy).to receive(:new).with(user, comment).and_call_original
+        expect(Pundit.authorize(user, [:project, comment], :create?, policy_class: PublicationPolicy)).to be_truthy
+      end
+    end
+
+    context "when passed an explicit cache" do
+      it "uses the hash assignment interface on the cache" do
+        custom_cache = CustomCache.new
+
+        Pundit.authorize(user, post, :update?, cache: custom_cache)
+
+        expect(custom_cache.to_h).to match({
+          post => kind_of(PostPolicy)
+        })
+      end
+    end
   end
 
   describe ".policy_scope" do
@@ -94,8 +180,8 @@ describe Pundit do
 
     it "raises an original error with a policy scope that contains error" do
       expect do
-        Pundit.policy_scope(user, Thread)
-      end.to raise_error(ArgumentError)
+        Pundit.policy_scope(user, DefaultScopeContainsError)
+      end.to raise_error(RuntimeError, "This is an arbitrary error that should bubble up")
     end
   end
 
@@ -360,231 +446,22 @@ describe Pundit do
     end
   end
 
-  describe "#verify_authorized" do
-    it "does nothing when authorized" do
-      controller.authorize(post)
-      controller.verify_authorized
-    end
-
-    it "raises an exception when not authorized" do
-      expect { controller.verify_authorized }.to raise_error(Pundit::AuthorizationNotPerformedError)
-    end
-  end
-
-  describe "#verify_policy_scoped" do
-    it "does nothing when policy_scope is used" do
-      controller.policy_scope(Post)
-      controller.verify_policy_scoped
-    end
-
-    it "raises an exception when policy_scope is not used" do
-      expect { controller.verify_policy_scoped }.to raise_error(Pundit::PolicyScopingNotPerformedError)
-    end
-  end
-
-  describe "#pundit_policy_authorized?" do
-    it "is true when authorized" do
-      controller.authorize(post)
-      expect(controller.pundit_policy_authorized?).to be true
-    end
-
-    it "is false when not authorized" do
-      expect(controller.pundit_policy_authorized?).to be false
-    end
-  end
-
-  describe "#pundit_policy_scoped?" do
-    it "is true when policy_scope is used" do
-      controller.policy_scope(Post)
-      expect(controller.pundit_policy_scoped?).to be true
-    end
+  describe ".included" do
+    it "includes Authorization module" do
+      klass = Class.new
 
-    it "is false when policy scope is not used" do
-      expect(controller.pundit_policy_scoped?).to be false
-    end
-  end
-
-  describe "#authorize" do
-    it "infers the policy name and authorizes based on it" do
-      expect(controller.authorize(post)).to be_truthy
-    end
-
-    it "returns the record on successful authorization" do
-      expect(controller.authorize(post)).to be(post)
-    end
-
-    it "can be given a different permission to check" do
-      expect(controller.authorize(post, :show?)).to be_truthy
-      expect { controller.authorize(post, :destroy?) }.to raise_error(Pundit::NotAuthorizedError)
-    end
-
-    it "can be given a different policy class" do
-      expect(controller.authorize(post, :create?, policy_class: PublicationPolicy)).to be_truthy
-    end
-
-    it "works with anonymous class policies" do
-      expect(controller.authorize(article_tag, :show?)).to be_truthy
-      expect { controller.authorize(article_tag, :destroy?) }.to raise_error(Pundit::NotAuthorizedError)
-    end
-
-    it "throws an exception when the permission check fails" do
-      expect { controller.authorize(Post.new) }.to raise_error(Pundit::NotAuthorizedError)
-    end
-
-    it "throws an exception when a policy cannot be found" do
-      expect { controller.authorize(Article) }.to raise_error(Pundit::NotDefinedError)
-    end
-
-    it "caches the policy" do
-      expect(controller.policies[post]).to be_nil
-      controller.authorize(post)
-      expect(controller.policies[post]).not_to be_nil
-    end
-
-    it "raises an error when the given record is nil" do
-      expect { controller.authorize(nil, :destroy?) }.to raise_error(Pundit::NotAuthorizedError)
-    end
-
-    it "raises an error with a invalid policy constructor" do
-      expect { controller.authorize(wiki, :destroy?) }.to raise_error(Pundit::InvalidConstructorError)
-    end
-  end
-
-  describe "#skip_authorization" do
-    it "disables authorization verification" do
-      controller.skip_authorization
-      expect { controller.verify_authorized }.not_to raise_error
-    end
-  end
-
-  describe "#skip_policy_scope" do
-    it "disables policy scope verification" do
-      controller.skip_policy_scope
-      expect { controller.verify_policy_scoped }.not_to raise_error
-    end
-  end
-
-  describe "#pundit_user" do
-    it "returns the same thing as current_user" do
-      expect(controller.pundit_user).to eq controller.current_user
-    end
-  end
-
-  describe "#policy" do
-    it "returns an instantiated policy" do
-      policy = controller.policy(post)
-      expect(policy.user).to eq user
-      expect(policy.post).to eq post
-    end
-
-    it "throws an exception if the given policy can't be found" do
-      expect { controller.policy(article) }.to raise_error(Pundit::NotDefinedError)
-    end
-
-    it "raises an error with a invalid policy constructor" do
-      expect { controller.policy(wiki) }.to raise_error(Pundit::InvalidConstructorError)
-    end
-
-    it "allows policy to be injected" do
-      new_policy = OpenStruct.new
-      controller.policies[post] = new_policy
-
-      expect(controller.policy(post)).to eq new_policy
-    end
-  end
-
-  describe "#policy_scope" do
-    it "returns an instantiated policy scope" do
-      expect(controller.policy_scope(Post)).to eq :published
-    end
-
-    it "allows policy scope class to be overriden" do
-      expect(controller.policy_scope(Post, policy_scope_class: PublicationPolicy::Scope)).to eq :published
-    end
-
-    it "throws an exception if the given policy can't be found" do
-      expect { controller.policy_scope(Article) }.to raise_error(Pundit::NotDefinedError)
-    end
-
-    it "raises an error with a invalid policy scope constructor" do
-      expect { controller.policy_scope(Wiki) }.to raise_error(Pundit::InvalidConstructorError)
-    end
-
-    it "allows policy_scope to be injected" do
-      new_scope = OpenStruct.new
-      controller.policy_scopes[Post] = new_scope
-
-      expect(controller.policy_scope(Post)).to eq new_scope
-    end
-  end
+      expect do
+        klass.include Pundit
+      end.to output.to_stderr
 
-  describe "#permitted_attributes" do
-    it "checks policy for permitted attributes" do
-      params = ActionController::Parameters.new(
-        post: {
-          title: "Hello",
-          votes: 5,
-          admin: true
-        }
-      )
-
-      action = "update"
-
-      expect(Controller.new(user, action, params).permitted_attributes(post).to_h).to eq(
-        "title" => "Hello",
-        "votes" => 5
-      )
-      expect(Controller.new(double, action, params).permitted_attributes(post).to_h).to eq("votes" => 5)
-    end
-
-    it "checks policy for permitted attributes for record of a ActiveModel type" do
-      params = ActionController::Parameters.new(
-        customer_post: {
-          title: "Hello",
-          votes: 5,
-          admin: true
-        }
-      )
-
-      action = "update"
-
-      expect(Controller.new(user, action, params).permitted_attributes(customer_post).to_h).to eq(
-        "title" => "Hello",
-        "votes" => 5
-      )
-      expect(Controller.new(double, action, params).permitted_attributes(customer_post).to_h).to eq(
-        "votes" => 5
-      )
+      expect(klass).to include Pundit::Authorization
     end
-  end
 
-  describe "#permitted_attributes_for_action" do
-    it "is checked if it is defined in the policy" do
-      params = ActionController::Parameters.new(
-        post: {
-          title: "Hello",
-          body: "blah",
-          votes: 5,
-          admin: true
-        }
-      )
-
-      action = "revise"
-      expect(Controller.new(user, action, params).permitted_attributes(post).to_h).to eq("body" => "blah")
-    end
-
-    it "can be explicitly set" do
-      params = ActionController::Parameters.new(
-        post: {
-          title: "Hello",
-          body: "blah",
-          votes: 5,
-          admin: true
-        }
-      )
-
-      action = "update"
-      expect(Controller.new(user, action, params).permitted_attributes(post, :revise).to_h).to eq("body" => "blah")
+    it "warns about deprecation" do
+      klass = Class.new
+      expect do
+        klass.include Pundit
+      end.to output(a_string_starting_with("'include Pundit' is deprecated")).to_stderr
     end
   end
 

data/spec/rspec_dsl_spec.rb

@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+RSpec.describe "Pundit RSpec DSL" do
+  include Pundit::RSpec::PolicyExampleGroup
+
+  let(:fake_rspec) do
+    double = class_double(RSpec::ExampleGroups)
+    double.extend(::Pundit::RSpec::DSL)
+    double
+  end
+  let(:block) { proc { "block content" } }
+
+  let(:user) { double }
+  let(:other_user) { double }
+  let(:post) { Post.new(user) }
+  let(:policy) { PostPolicy }
+
+  it "calls describe with the correct metadata and without :focus" do
+    expected_metadata = { permissions: %i[item1 item2], caller: instance_of(Array) }
+    expect(fake_rspec).to receive(:describe).with("item1 and item2", match(expected_metadata)) do |&block|
+      expect(block.call).to eq("block content")
+    end
+
+    fake_rspec.permissions(:item1, :item2, &block)
+  end
+
+  it "calls describe with the correct metadata and with :focus" do
+    expected_metadata = { permissions: %i[item1 item2], caller: instance_of(Array), focus: true }
+    expect(fake_rspec).to receive(:describe).with("item1 and item2", match(expected_metadata)) do |&block|
+      expect(block.call).to eq("block content")
+    end
+
+    fake_rspec.permissions(:item1, :item2, :focus, &block)
+  end
+
+  describe "#permit" do
+    context "when not appropriately wrapped in permissions" do
+      it "raises a descriptive error" do
+        expect do
+          expect(policy).to permit(user, post)
+        end.to raise_error(KeyError, <<~MSG.strip)
+          No permissions in example metadata, did you forget to wrap with `permissions :show?, ...`?
+        MSG
+      end
+    end
+
+    permissions :edit?, :update? do
+      it "succeeds when action is permitted" do
+        expect(policy).to permit(user, post)
+      end
+
+      context "when it fails" do
+        it "fails with a descriptive error message" do
+          expect do
+            expect(policy).to permit(other_user, post)
+          end.to raise_error(RSpec::Expectations::ExpectationNotMetError, <<~MSG.strip)
+            Expected PostPolicy to grant edit? and update? on Post but edit? and update? were not granted
+          MSG
+        end
+      end
+
+      context "when negated" do
+        it "succeeds when action is not permitted" do
+          expect(policy).not_to permit(other_user, post)
+        end
+
+        context "when it fails" do
+          it "fails with a descriptive error message" do
+            expect do
+              expect(policy).not_to permit(user, post)
+            end.to raise_error(RSpec::Expectations::ExpectationNotMetError, <<~MSG.strip)
+              Expected PostPolicy not to grant edit? and update? on Post but edit? and update? were granted
+            MSG
+          end
+        end
+      end
+    end
+  end
+end

data/spec/simple_cov_check_action_formatter.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+require "simplecov"
+require "json"
+
+class SimpleCovCheckActionFormatter
+  SourceFile = Data.define(:source_file) do
+    def covered_strength = source_file.covered_strength
+    def covered_percent = source_file.covered_percent
+
+    def to_json(*args)
+      {
+        filename: source_file.filename,
+        covered_percent: covered_percent.nan? ? 0.0 : covered_percent,
+        coverage: source_file.coverage_data,
+        covered_strength: covered_strength.nan? ? 0.0 : covered_strength,
+        covered_lines: source_file.covered_lines.count,
+        lines_of_code: source_file.lines_of_code
+      }.to_json(*args)
+    end
+  end
+
+  Result = Data.define(:result) do
+    def included?(source_file) = result.filenames.include?(source_file.filename)
+
+    def files
+      result.files.filter_map do |source_file|
+        next unless result.filenames.include? source_file.filename
+
+        SourceFile.new(source_file)
+      end
+    end
+
+    def to_json(*args) # rubocop:disable Metrics/AbcSize
+      {
+        timestamp: result.created_at.to_i,
+        command_name: result.command_name,
+        files: files,
+        metrics: {
+          covered_percent: result.covered_percent,
+          covered_strength: result.covered_strength.nan? ? 0.0 : result.covered_strength,
+          covered_lines: result.covered_lines,
+          total_lines: result.total_lines
+        }
+      }.to_json(*args)
+    end
+  end
+
+  FormatterWithOptions = Data.define(:formatter) do
+    def new = formatter
+  end
+
+  class << self
+    def with_options(...)
+      FormatterWithOptions.new(new(...))
+    end
+  end
+
+  def initialize(output_filename: "coverage.json", output_directory: SimpleCov.coverage_path)
+    @output_filename = output_filename
+    @output_directory = output_directory
+  end
+
+  attr_reader :output_filename, :output_directory
+
+  def output_filepath = File.join(output_directory, output_filename)
+
+  def format(result_data)
+    result = Result.new(result_data)
+    json = JSON.generate(result)
+    File.write(output_filepath, json)
+    puts output_message(result_data)
+    json
+  end
+
+  def output_message(result)
+    "Coverage report generated for #{result.command_name} to #{output_filepath}. #{result.covered_lines} / #{result.total_lines} LOC (#{result.covered_percent.round(2)}%) covered." # rubocop:disable Layout/LineLength
+  end
+end