pundit 2.1.1 → 2.4.0

data/spec/pundit_spec.rb

@@ -10,15 +10,13 @@ RSpec.describe Pundit do
   let(:comment) { Comment.new }
   let(:comment_four_five_six) { CommentFourFiveSix.new }
   let(:article) { Article.new }
-  let(:controller) { Controller.new(user, "update", {}) }
   let(:artificial_blog) { ArtificialBlog.new }
   let(:article_tag) { ArticleTag.new }
-  let(:comments_relation) { CommentsRelation.new }
-  let(:empty_comments_relation) { CommentsRelation.new(true) }
+  let(:comments_relation) { CommentsRelation.new(empty: false) }
+  let(:empty_comments_relation) { CommentsRelation.new(empty: true) }
   let(:tag_four_five_six) { ProjectOneTwoThree::TagFourFiveSix.new(user) }
   let(:avatar_four_five_six) { ProjectOneTwoThree::AvatarFourFiveSix.new }
   let(:wiki) { Wiki.new }
-  let(:thread) { Thread.new }
 
   describe ".authorize" do
     it "infers the policy and authorizes based on it" do
@@ -49,19 +47,61 @@ RSpec.describe Pundit do
       expect(Pundit.authorize(user, post, :create?, policy_class: PublicationPolicy)).to be_truthy
     end
 
+    it "can be given a different policy class using namespaces" do
+      expect(PublicationPolicy).to receive(:new).with(user, comment).and_call_original
+      expect(Pundit.authorize(user, [:project, comment], :create?, policy_class: PublicationPolicy)).to be_truthy
+    end
+
     it "works with anonymous class policies" do
       expect(Pundit.authorize(user, article_tag, :show?)).to be_truthy
       expect { Pundit.authorize(user, article_tag, :destroy?) }.to raise_error(Pundit::NotAuthorizedError)
     end
 
-    it "raises an error with a query and action" do
+    it "raises an error with the policy, query and record" do
       # rubocop:disable Style/MultilineBlockChain
       expect do
         Pundit.authorize(user, post, :destroy?)
-      end.to raise_error(Pundit::NotAuthorizedError, "not allowed to destroy? this Post") do |error|
+      end.to raise_error(Pundit::NotAuthorizedError, "not allowed to PostPolicy#destroy? this Post") do |error|
         expect(error.query).to eq :destroy?
         expect(error.record).to eq post
-        expect(error.policy).to eq Pundit.policy(user, post)
+        expect(error.policy).to have_attributes(
+          user: user,
+          record: post
+        )
+        expect(error.policy).to be_a(PostPolicy)
+      end
+      # rubocop:enable Style/MultilineBlockChain
+    end
+
+    it "raises an error with the policy, query and record when the record is namespaced" do
+      # rubocop:disable Style/MultilineBlockChain
+      expect do
+        Pundit.authorize(user, [:project, :admin, comment], :destroy?)
+      end.to raise_error(Pundit::NotAuthorizedError,
+                         "not allowed to Project::Admin::CommentPolicy#destroy? this Comment") do |error|
+        expect(error.query).to eq :destroy?
+        expect(error.record).to eq comment
+        expect(error.policy).to have_attributes(
+          user: user,
+          record: comment
+        )
+        expect(error.policy).to be_a(Project::Admin::CommentPolicy)
+      end
+      # rubocop:enable Style/MultilineBlockChain
+    end
+
+    it "raises an error with the policy, query and the class name when a Class is given" do
+      # rubocop:disable Style/MultilineBlockChain
+      expect do
+        Pundit.authorize(user, Post, :destroy?)
+      end.to raise_error(Pundit::NotAuthorizedError, "not allowed to PostPolicy#destroy? Post") do |error|
+        expect(error.query).to eq :destroy?
+        expect(error.record).to eq Post
+        expect(error.policy).to have_attributes(
+          user: user,
+          record: Post
+        )
+        expect(error.policy).to be_a(PostPolicy)
       end
       # rubocop:enable Style/MultilineBlockChain
     end
@@ -380,247 +420,22 @@ RSpec.describe Pundit do
     end
   end
 
-  describe "#verify_authorized" do
-    it "does nothing when authorized" do
-      controller.authorize(post)
-      controller.verify_authorized
-    end
-
-    it "raises an exception when not authorized" do
-      expect { controller.verify_authorized }.to raise_error(Pundit::AuthorizationNotPerformedError)
-    end
-  end
-
-  describe "#verify_policy_scoped" do
-    it "does nothing when policy_scope is used" do
-      controller.policy_scope(Post)
-      controller.verify_policy_scoped
-    end
-
-    it "raises an exception when policy_scope is not used" do
-      expect { controller.verify_policy_scoped }.to raise_error(Pundit::PolicyScopingNotPerformedError)
-    end
-  end
-
-  describe "#pundit_policy_authorized?" do
-    it "is true when authorized" do
-      controller.authorize(post)
-      expect(controller.pundit_policy_authorized?).to be true
-    end
-
-    it "is false when not authorized" do
-      expect(controller.pundit_policy_authorized?).to be false
-    end
-  end
-
-  describe "#pundit_policy_scoped?" do
-    it "is true when policy_scope is used" do
-      controller.policy_scope(Post)
-      expect(controller.pundit_policy_scoped?).to be true
-    end
-
-    it "is false when policy scope is not used" do
-      expect(controller.pundit_policy_scoped?).to be false
-    end
-  end
-
-  describe "#authorize" do
-    it "infers the policy name and authorizes based on it" do
-      expect(controller.authorize(post)).to be_truthy
-    end
-
-    it "returns the record on successful authorization" do
-      expect(controller.authorize(post)).to eq(post)
-    end
-
-    it "returns the record when passed record with namespace " do
-      expect(controller.authorize([:project, comment], :update?)).to eq(comment)
-    end
-
-    it "returns the record when passed record with nested namespace " do
-      expect(controller.authorize([:project, :admin, comment], :update?)).to eq(comment)
-    end
-
-    it "returns the policy name symbol when passed record with headless policy" do
-      expect(controller.authorize(:publication, :create?)).to eq(:publication)
-    end
-
-    it "returns the class when passed record not a particular instance" do
-      expect(controller.authorize(Post, :show?)).to eq(Post)
-    end
+  describe ".included" do
+    it "includes Authorization module" do
+      klass = Class.new
 
-    it "can be given a different permission to check" do
-      expect(controller.authorize(post, :show?)).to be_truthy
-      expect { controller.authorize(post, :destroy?) }.to raise_error(Pundit::NotAuthorizedError)
-    end
-
-    it "can be given a different policy class" do
-      expect(controller.authorize(post, :create?, policy_class: PublicationPolicy)).to be_truthy
-    end
-
-    it "works with anonymous class policies" do
-      expect(controller.authorize(article_tag, :show?)).to be_truthy
-      expect { controller.authorize(article_tag, :destroy?) }.to raise_error(Pundit::NotAuthorizedError)
-    end
-
-    it "throws an exception when the permission check fails" do
-      expect { controller.authorize(Post.new) }.to raise_error(Pundit::NotAuthorizedError)
-    end
-
-    it "throws an exception when a policy cannot be found" do
-      expect { controller.authorize(Article) }.to raise_error(Pundit::NotDefinedError)
-    end
-
-    it "caches the policy" do
-      expect(controller.policies[post]).to be_nil
-      controller.authorize(post)
-      expect(controller.policies[post]).not_to be_nil
-    end
-
-    it "raises an error when the given record is nil" do
-      expect { controller.authorize(nil, :destroy?) }.to raise_error(Pundit::NotAuthorizedError)
-    end
-
-    it "raises an error with a invalid policy constructor" do
-      expect { controller.authorize(wiki, :destroy?) }.to raise_error(Pundit::InvalidConstructorError)
-    end
-  end
-
-  describe "#skip_authorization" do
-    it "disables authorization verification" do
-      controller.skip_authorization
-      expect { controller.verify_authorized }.not_to raise_error
-    end
-  end
-
-  describe "#skip_policy_scope" do
-    it "disables policy scope verification" do
-      controller.skip_policy_scope
-      expect { controller.verify_policy_scoped }.not_to raise_error
-    end
-  end
-
-  describe "#pundit_user" do
-    it "returns the same thing as current_user" do
-      expect(controller.pundit_user).to eq controller.current_user
-    end
-  end
-
-  describe "#policy" do
-    it "returns an instantiated policy" do
-      policy = controller.policy(post)
-      expect(policy.user).to eq user
-      expect(policy.post).to eq post
-    end
-
-    it "throws an exception if the given policy can't be found" do
-      expect { controller.policy(article) }.to raise_error(Pundit::NotDefinedError)
-    end
-
-    it "raises an error with a invalid policy constructor" do
-      expect { controller.policy(wiki) }.to raise_error(Pundit::InvalidConstructorError)
-    end
-
-    it "allows policy to be injected" do
-      new_policy = OpenStruct.new
-      controller.policies[post] = new_policy
-
-      expect(controller.policy(post)).to eq new_policy
-    end
-  end
-
-  describe "#policy_scope" do
-    it "returns an instantiated policy scope" do
-      expect(controller.policy_scope(Post)).to eq :published
-    end
-
-    it "allows policy scope class to be overriden" do
-      expect(controller.policy_scope(Post, policy_scope_class: PublicationPolicy::Scope)).to eq :published
-    end
-
-    it "throws an exception if the given policy can't be found" do
-      expect { controller.policy_scope(Article) }.to raise_error(Pundit::NotDefinedError)
-    end
-
-    it "raises an error with a invalid policy scope constructor" do
-      expect { controller.policy_scope(Wiki) }.to raise_error(Pundit::InvalidConstructorError)
-    end
-
-    it "allows policy_scope to be injected" do
-      new_scope = OpenStruct.new
-      controller.policy_scopes[Post] = new_scope
-
-      expect(controller.policy_scope(Post)).to eq new_scope
-    end
-  end
+      expect do
+        klass.include Pundit
+      end.to output.to_stderr
 
-  describe "#permitted_attributes" do
-    it "checks policy for permitted attributes" do
-      params = ActionController::Parameters.new(
-        post: {
-          title: "Hello",
-          votes: 5,
-          admin: true
-        }
-      )
-
-      action = "update"
-
-      expect(Controller.new(user, action, params).permitted_attributes(post).to_h).to eq(
-        "title" => "Hello",
-        "votes" => 5
-      )
-      expect(Controller.new(double, action, params).permitted_attributes(post).to_h).to eq("votes" => 5)
-    end
-
-    it "checks policy for permitted attributes for record of a ActiveModel type" do
-      params = ActionController::Parameters.new(
-        customer_post: {
-          title: "Hello",
-          votes: 5,
-          admin: true
-        }
-      )
-
-      action = "update"
-
-      expect(Controller.new(user, action, params).permitted_attributes(customer_post).to_h).to eq(
-        "title" => "Hello",
-        "votes" => 5
-      )
-      expect(Controller.new(double, action, params).permitted_attributes(customer_post).to_h).to eq(
-        "votes" => 5
-      )
+      expect(klass).to include Pundit::Authorization
     end
-  end
 
-  describe "#permitted_attributes_for_action" do
-    it "is checked if it is defined in the policy" do
-      params = ActionController::Parameters.new(
-        post: {
-          title: "Hello",
-          body: "blah",
-          votes: 5,
-          admin: true
-        }
-      )
-
-      action = "revise"
-      expect(Controller.new(user, action, params).permitted_attributes(post).to_h).to eq("body" => "blah")
-    end
-
-    it "can be explicitly set" do
-      params = ActionController::Parameters.new(
-        post: {
-          title: "Hello",
-          body: "blah",
-          votes: 5,
-          admin: true
-        }
-      )
-
-      action = "update"
-      expect(Controller.new(user, action, params).permitted_attributes(post, :revise).to_h).to eq("body" => "blah")
+    it "warns about deprecation" do
+      klass = Class.new
+      expect do
+        klass.include Pundit
+      end.to output(a_string_starting_with("'include Pundit' is deprecated")).to_stderr
     end
   end
 

data/spec/spec_helper.rb

@@ -1,8 +1,10 @@
 # frozen_string_literal: true
 
-require "simplecov"
-SimpleCov.start do
-  add_filter "/spec/"
+if ENV["COVERAGE"]
+  require "simplecov"
+  SimpleCov.start do
+    add_filter "/spec/"
+  end
 end
 
 require "pundit"
@@ -16,13 +18,56 @@ require "active_support/core_ext"
 require "active_model/naming"
 require "action_controller/metal/strong_parameters"
 
-class PostPolicy < Struct.new(:user, :post)
-  class Scope < Struct.new(:user, :scope)
+module InstanceTracking
+  module ClassMethods
+    def instances
+      @instances || 0
+    end
+
+    attr_writer :instances
+  end
+
+  def self.prepended(other)
+    other.extend(ClassMethods)
+  end
+
+  def initialize(*args, **kwargs, &block)
+    self.class.instances += 1
+    super(*args, **kwargs, &block)
+  end
+end
+
+class BasePolicy
+  prepend InstanceTracking
+
+  class BaseScope
+    prepend InstanceTracking
+
+    def initialize(user, scope)
+      @user = user
+      @scope = scope
+    end
+
+    attr_reader :user, :scope
+  end
+
+  def initialize(user, record)
+    @user = user
+    @record = record
+  end
+
+  attr_reader :user, :record
+end
+
+class PostPolicy < BasePolicy
+  class Scope < BaseScope
     def resolve
       scope.published
     end
   end
 
+  alias post record
+
   def update?
     post.user == user
   end
@@ -48,7 +93,13 @@ class PostPolicy < Struct.new(:user, :post)
   end
 end
 
-class Post < Struct.new(:user)
+class Post
+  def initialize(user = nil)
+    @user = user
+  end
+
+  attr_reader :user
+
   def self.published
     :published
   end
@@ -67,7 +118,7 @@ class Post < Struct.new(:user)
 end
 
 module Customer
-  class Post < Post
+  class Post < ::Post
     def model_name
       OpenStruct.new(param_key: "customer_post")
     end
@@ -80,6 +131,7 @@ end
 
 class CommentScope
   attr_reader :original_object
+
   def initialize(original_object)
     @original_object = original_object
   end
@@ -89,16 +141,18 @@ class CommentScope
   end
 end
 
-class CommentPolicy < Struct.new(:user, :comment)
-  class Scope < Struct.new(:user, :scope)
+class CommentPolicy < BasePolicy
+  class Scope < BaseScope
     def resolve
       CommentScope.new(scope)
     end
   end
+
+  alias comment record
 end
 
-class PublicationPolicy < Struct.new(:user, :publication)
-  class Scope < Struct.new(:user, :scope)
+class PublicationPolicy < BasePolicy
+  class Scope < BaseScope
     def resolve
       scope.published
     end
@@ -114,7 +168,7 @@ class Comment
 end
 
 class CommentsRelation
-  def initialize(empty = false)
+  def initialize(empty: false)
     @empty = empty
   end
 
@@ -129,7 +183,9 @@ end
 
 class Article; end
 
-class BlogPolicy < Struct.new(:user, :blog); end
+class BlogPolicy < BasePolicy
+  alias blog record
+end
 
 class Blog; end
 
@@ -139,7 +195,7 @@ class ArtificialBlog < Blog
   end
 end
 
-class ArticleTagOtherNamePolicy < Struct.new(:user, :tag)
+class ArticleTagOtherNamePolicy < BasePolicy
   def show?
     true
   end
@@ -147,6 +203,8 @@ class ArticleTagOtherNamePolicy < Struct.new(:user, :tag)
   def destroy?
     false
   end
+
+  alias tag record
 end
 
 class ArticleTag
@@ -155,51 +213,63 @@ class ArticleTag
   end
 end
 
-class CriteriaPolicy < Struct.new(:user, :criteria); end
+class CriteriaPolicy < BasePolicy
+  alias criteria record
+end
 
 module Project
-  class CommentPolicy < Struct.new(:user, :comment)
-    def update?
-      true
-    end
-
-    class Scope < Struct.new(:user, :scope)
+  class CommentPolicy < BasePolicy
+    class Scope < BaseScope
       def resolve
         scope
       end
     end
+
+    def update?
+      true
+    end
+
+    alias comment record
   end
 
-  class CriteriaPolicy < Struct.new(:user, :criteria); end
+  class CriteriaPolicy < BasePolicy
+    alias criteria record
+  end
 
-  class PostPolicy < Struct.new(:user, :post)
-    class Scope < Struct.new(:user, :scope)
+  class PostPolicy < BasePolicy
+    class Scope < BaseScope
       def resolve
         scope.read
       end
     end
+
+    alias post record
   end
 
   module Admin
-    class CommentPolicy < Struct.new(:user, :comment)
+    class CommentPolicy < BasePolicy
       def update?
         true
       end
+
+      def destroy?
+        false
+      end
     end
   end
 end
 
-class DenierPolicy < Struct.new(:user, :record)
+class DenierPolicy < BasePolicy
   def update?
     false
   end
 end
 
 class Controller
-  include Pundit
+  include Pundit::Authorization
   # Mark protected methods public so they may be called in test
   # rubocop:disable Style/AccessModifierDeclarations
-  public(*Pundit.protected_instance_methods)
+  public(*Pundit::Authorization.protected_instance_methods)
   # rubocop:enable Style/AccessModifierDeclarations
 
   attr_reader :current_user, :action_name, :params
@@ -211,7 +281,7 @@ class Controller
   end
 end
 
-class NilClassPolicy < Struct.new(:user, :record)
+class NilClassPolicy < BasePolicy
   class Scope
     def initialize(*)
       raise Pundit::NotDefinedError, "Cannot scope NilClass"
@@ -228,6 +298,7 @@ class NilClassPolicy < Struct.new(:user, :record)
 end
 
 class Wiki; end
+
 class WikiPolicy
   class Scope
     # deliberate typo method
@@ -238,31 +309,44 @@ end
 class Thread
   def self.all; end
 end
-class ThreadPolicy < Struct.new(:user, :thread)
-  class Scope < Struct.new(:user, :scope)
+
+class ThreadPolicy < BasePolicy
+  class Scope < BaseScope
     def resolve
-      # deliberate wrong useage of the method
+      # deliberate wrong usage of the method
       scope.all(:unvalid, :parameters)
     end
   end
 end
 
-class PostFourFiveSix < Struct.new(:user); end
+class PostFourFiveSix
+  def initialize(user)
+    @user = user
+  end
+
+  attr_reader(:user)
+end
 
 class CommentFourFiveSix; extend ActiveModel::Naming; end
 
 module ProjectOneTwoThree
-  class CommentFourFiveSixPolicy < Struct.new(:user, :post); end
+  class CommentFourFiveSixPolicy < BasePolicy; end
 
-  class CriteriaFourFiveSixPolicy < Struct.new(:user, :criteria); end
+  class CriteriaFourFiveSixPolicy < BasePolicy; end
 
-  class PostFourFiveSixPolicy < Struct.new(:user, :post); end
+  class PostFourFiveSixPolicy < BasePolicy; end
 
-  class TagFourFiveSix < Struct.new(:user); end
+  class TagFourFiveSix
+    def initialize(user)
+      @user = user
+    end
+
+    attr_reader(:user)
+  end
 
-  class TagFourFiveSixPolicy < Struct.new(:user, :tag); end
+  class TagFourFiveSixPolicy < BasePolicy; end
 
   class AvatarFourFiveSix; extend ActiveModel::Naming; end
 
-  class AvatarFourFiveSixPolicy < Struct.new(:user, :avatar); end
+  class AvatarFourFiveSixPolicy < BasePolicy; end
 end