pundit 2.3.0 → 2.3.2

data/lib/pundit/context.rb

@@ -0,0 +1,127 @@
+# frozen_string_literal: true
+
+module Pundit
+  class Context
+    def initialize(user:, policy_cache: CacheStore::NullStore.instance)
+      @user = user
+      @policy_cache = policy_cache
+    end
+
+    attr_reader :user
+
+    # @api private
+    attr_reader :policy_cache
+
+    # Retrieves the policy for the given record, initializing it with the
+    # record and user and finally throwing an error if the user is not
+    # authorized to perform the given action.
+    #
+    # @param user [Object] the user that initiated the action
+    # @param possibly_namespaced_record [Object, Array] the object we're checking permissions of
+    # @param query [Symbol, String] the predicate method to check on the policy (e.g. `:show?`)
+    # @param policy_class [Class] the policy class we want to force use of
+    # @raise [NotAuthorizedError] if the given query method returned false
+    # @return [Object] Always returns the passed object record
+    def authorize(possibly_namespaced_record, query:, policy_class:)
+      record = pundit_model(possibly_namespaced_record)
+      policy = if policy_class
+        policy_class.new(user, record)
+      else
+        policy!(possibly_namespaced_record)
+      end
+
+      raise NotAuthorizedError, query: query, record: record, policy: policy unless policy.public_send(query)
+
+      record
+    end
+
+    # Retrieves the policy scope for the given record.
+    #
+    # @see https://github.com/varvet/pundit#scopes
+    # @param user [Object] the user that initiated the action
+    # @param scope [Object] the object we're retrieving the policy scope for
+    # @raise [InvalidConstructorError] if the policy constructor called incorrectly
+    # @return [Scope{#resolve}, nil] instance of scope class which can resolve to a scope
+    def policy_scope(scope)
+      policy_scope_class = policy_finder(scope).scope
+      return unless policy_scope_class
+
+      begin
+        policy_scope = policy_scope_class.new(user, pundit_model(scope))
+      rescue ArgumentError
+        raise InvalidConstructorError, "Invalid #<#{policy_scope_class}> constructor is called"
+      end
+
+      policy_scope.resolve
+    end
+
+    # Retrieves the policy scope for the given record. Raises if not found.
+    #
+    # @see https://github.com/varvet/pundit#scopes
+    # @param user [Object] the user that initiated the action
+    # @param scope [Object] the object we're retrieving the policy scope for
+    # @raise [NotDefinedError] if the policy scope cannot be found
+    # @raise [InvalidConstructorError] if the policy constructor called incorrectly
+    # @return [Scope{#resolve}] instance of scope class which can resolve to a scope
+    def policy_scope!(scope)
+      policy_scope_class = policy_finder(scope).scope!
+      return unless policy_scope_class
+
+      begin
+        policy_scope = policy_scope_class.new(user, pundit_model(scope))
+      rescue ArgumentError
+        raise InvalidConstructorError, "Invalid #<#{policy_scope_class}> constructor is called"
+      end
+
+      policy_scope.resolve
+    end
+
+    # Retrieves the policy for the given record.
+    #
+    # @see https://github.com/varvet/pundit#policies
+    # @param user [Object] the user that initiated the action
+    # @param record [Object] the object we're retrieving the policy for
+    # @raise [InvalidConstructorError] if the policy constructor called incorrectly
+    # @return [Object, nil] instance of policy class with query methods
+    def policy(record)
+      cached_find(record, &:policy)
+    end
+
+    # Retrieves the policy for the given record. Raises if not found.
+    #
+    # @see https://github.com/varvet/pundit#policies
+    # @param user [Object] the user that initiated the action
+    # @param record [Object] the object we're retrieving the policy for
+    # @raise [NotDefinedError] if the policy cannot be found
+    # @raise [InvalidConstructorError] if the policy constructor called incorrectly
+    # @return [Object] instance of policy class with query methods
+    def policy!(record)
+      cached_find(record, &:policy!)
+    end
+
+    private
+
+    def cached_find(record)
+      policy_cache.fetch(user: user, record: record) do
+        klass = yield policy_finder(record)
+        next unless klass
+
+        model = pundit_model(record)
+
+        begin
+          klass.new(user, model)
+        rescue ArgumentError
+          raise InvalidConstructorError, "Invalid #<#{klass}> constructor is called"
+        end
+      end
+    end
+
+    def policy_finder(record)
+      PolicyFinder.new(record)
+    end
+
+    def pundit_model(record)
+      record.is_a?(Array) ? record.last : record
+    end
+  end
+end

data/lib/pundit/policy_finder.rb

@@ -56,7 +56,7 @@ module Pundit
 
     # @return [String] the name of the key this object would have in a params hash
     #
-    def param_key
+    def param_key # rubocop:disable Metrics/AbcSize
       model = object.is_a?(Array) ? object.last : object
 
       if model.respond_to?(:model_name)

data/lib/pundit/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Pundit
-  VERSION = "2.3.0"
+  VERSION = "2.3.2"
 end

data/lib/pundit.rb

@@ -8,6 +8,9 @@ require "active_support/core_ext/object/blank"
 require "active_support/core_ext/module/introspection"
 require "active_support/dependencies/autoload"
 require "pundit/authorization"
+require "pundit/context"
+require "pundit/cache_store/null_store"
+require "pundit/cache_store/legacy_store"
 
 # @api private
 # To avoid name clashes with common Error naming when mixing in Pundit,
@@ -55,111 +58,44 @@ module Pundit
   class NotDefinedError < Error; end
 
   def self.included(base)
-    ActiveSupport::Deprecation.warn <<~WARNING
+    location = caller_locations(1, 1).first
+    warn <<~WARNING
       'include Pundit' is deprecated. Please use 'include Pundit::Authorization' instead.
+       (called from #{location.label} at #{location.path}:#{location.lineno})
     WARNING
     base.include Authorization
   end
 
   class << self
-    # Retrieves the policy for the given record, initializing it with the
-    # record and user and finally throwing an error if the user is not
-    # authorized to perform the given action.
-    #
-    # @param user [Object] the user that initiated the action
-    # @param possibly_namespaced_record [Object, Array] the object we're checking permissions of
-    # @param query [Symbol, String] the predicate method to check on the policy (e.g. `:show?`)
-    # @param policy_class [Class] the policy class we want to force use of
-    # @param cache [#[], #[]=] a Hash-like object to cache the found policy instance in
-    # @raise [NotAuthorizedError] if the given query method returned false
-    # @return [Object] Always returns the passed object record
-    def authorize(user, possibly_namespaced_record, query, policy_class: nil, cache: {})
-      record = pundit_model(possibly_namespaced_record)
-      policy = if policy_class
-        policy_class.new(user, record)
+    # @see [Pundit::Context#authorize]
+    def authorize(user, record, query, policy_class: nil, cache: nil)
+      context = if cache
+        Context.new(user: user, policy_cache: cache)
       else
-        cache[possibly_namespaced_record] ||= policy!(user, possibly_namespaced_record)
+        Context.new(user: user)
       end
 
-      raise NotAuthorizedError, query: query, record: record, policy: policy unless policy.public_send(query)
-
-      record
-    end
-
-    # Retrieves the policy scope for the given record.
-    #
-    # @see https://github.com/varvet/pundit#scopes
-    # @param user [Object] the user that initiated the action
-    # @param scope [Object] the object we're retrieving the policy scope for
-    # @raise [InvalidConstructorError] if the policy constructor called incorrectly
-    # @return [Scope{#resolve}, nil] instance of scope class which can resolve to a scope
-    def policy_scope(user, scope)
-      policy_scope_class = PolicyFinder.new(scope).scope
-      return unless policy_scope_class
-
-      begin
-        policy_scope = policy_scope_class.new(user, pundit_model(scope))
-      rescue ArgumentError
-        raise InvalidConstructorError, "Invalid #<#{policy_scope_class}> constructor is called"
-      end
-
-      policy_scope.resolve
+      context.authorize(record, query: query, policy_class: policy_class)
     end
 
-    # Retrieves the policy scope for the given record.
-    #
-    # @see https://github.com/varvet/pundit#scopes
-    # @param user [Object] the user that initiated the action
-    # @param scope [Object] the object we're retrieving the policy scope for
-    # @raise [NotDefinedError] if the policy scope cannot be found
-    # @raise [InvalidConstructorError] if the policy constructor called incorrectly
-    # @return [Scope{#resolve}] instance of scope class which can resolve to a scope
-    def policy_scope!(user, scope)
-      policy_scope_class = PolicyFinder.new(scope).scope!
-      return unless policy_scope_class
-
-      begin
-        policy_scope = policy_scope_class.new(user, pundit_model(scope))
-      rescue ArgumentError
-        raise InvalidConstructorError, "Invalid #<#{policy_scope_class}> constructor is called"
-      end
-
-      policy_scope.resolve
+    # @see [Pundit::Context#policy_scope]
+    def policy_scope(user, *args, **kwargs, &block)
+      Context.new(user: user).policy_scope(*args, **kwargs, &block)
     end
 
-    # Retrieves the policy for the given record.
-    #
-    # @see https://github.com/varvet/pundit#policies
-    # @param user [Object] the user that initiated the action
-    # @param record [Object] the object we're retrieving the policy for
-    # @raise [InvalidConstructorError] if the policy constructor called incorrectly
-    # @return [Object, nil] instance of policy class with query methods
-    def policy(user, record)
-      policy = PolicyFinder.new(record).policy
-      policy&.new(user, pundit_model(record))
-    rescue ArgumentError
-      raise InvalidConstructorError, "Invalid #<#{policy}> constructor is called"
+    # @see [Pundit::Context#policy_scope!]
+    def policy_scope!(user, *args, **kwargs, &block)
+      Context.new(user: user).policy_scope!(*args, **kwargs, &block)
     end
 
-    # Retrieves the policy for the given record.
-    #
-    # @see https://github.com/varvet/pundit#policies
-    # @param user [Object] the user that initiated the action
-    # @param record [Object] the object we're retrieving the policy for
-    # @raise [NotDefinedError] if the policy cannot be found
-    # @raise [InvalidConstructorError] if the policy constructor called incorrectly
-    # @return [Object] instance of policy class with query methods
-    def policy!(user, record)
-      policy = PolicyFinder.new(record).policy!
-      policy.new(user, pundit_model(record))
-    rescue ArgumentError
-      raise InvalidConstructorError, "Invalid #<#{policy}> constructor is called"
+    # @see [Pundit::Context#policy]
+    def policy(user, *args, **kwargs, &block)
+      Context.new(user: user).policy(*args, **kwargs, &block)
     end
 
-    private
-
-    def pundit_model(record)
-      record.is_a?(Array) ? record.last : record
+    # @see [Pundit::Context#policy!]
+    def policy!(user, *args, **kwargs, &block)
+      Context.new(user: user).policy!(*args, **kwargs, &block)
     end
   end
 

data/pundit.gemspec

@@ -8,7 +8,7 @@ Gem::Specification.new do |gem|
   gem.name          = "pundit"
   gem.version       = Pundit::VERSION
   gem.authors       = ["Jonas Nicklas", "Varvet AB"]
-  gem.email         = ["jonas.nicklas@gmail.com", "dev@elabs.se"]
+  gem.email         = ["jonas.nicklas@gmail.com", "info@varvet.com"]
   gem.description   = "Object oriented authorization for Rails applications"
   gem.summary       = "OO authorization for Rails"
   gem.homepage      = "https://github.com/varvet/pundit"
@@ -19,6 +19,8 @@ Gem::Specification.new do |gem|
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.require_paths = ["lib"]
 
+  gem.metadata      = { "rubygems_mfa_required" => "true" }
+
   gem.add_dependency "activesupport", ">= 3.0.0"
   gem.add_development_dependency "actionpack", ">= 3.0.0"
   gem.add_development_dependency "activemodel", ">= 3.0.0"
@@ -27,7 +29,7 @@ Gem::Specification.new do |gem|
   gem.add_development_dependency "railties", ">= 3.0.0"
   gem.add_development_dependency "rake"
   gem.add_development_dependency "rspec", ">= 3.0.0"
-  gem.add_development_dependency "rubocop", "1.24.0"
+  gem.add_development_dependency "rubocop"
   gem.add_development_dependency "simplecov", ">= 0.17.0"
   gem.add_development_dependency "yard"
 end

data/spec/authorization_spec.rb

@@ -3,10 +3,13 @@
 require "spec_helper"
 
 describe Pundit::Authorization do
-  let(:controller) { Controller.new(user, "update", {}) }
+  def to_params(*args, **kwargs, &block)
+    ActionController::Parameters.new(*args, **kwargs, &block)
+  end
+
+  let(:controller) { Controller.new(user, "update", to_params({})) }
   let(:user) { double }
   let(:post) { Post.new(user) }
-  let(:customer_post) { Customer::Post.new(user) }
   let(:comment) { Comment.new }
   let(:article) { Article.new }
   let(:article_tag) { ArticleTag.new }
@@ -188,7 +191,7 @@ describe Pundit::Authorization do
 
   describe "#permitted_attributes" do
     it "checks policy for permitted attributes" do
-      params = ActionController::Parameters.new(
+      params = to_params(
         post: {
           title: "Hello",
           votes: 5,
@@ -206,7 +209,8 @@ describe Pundit::Authorization do
     end
 
     it "checks policy for permitted attributes for record of a ActiveModel type" do
-      params = ActionController::Parameters.new(
+      customer_post = Customer::Post.new(user)
+      params = to_params(
         customer_post: {
           title: "Hello",
           votes: 5,
@@ -224,11 +228,23 @@ describe Pundit::Authorization do
         "votes" => 5
       )
     end
+
+    it "goes through the policy cache" do
+      params = to_params(post: { title: "Hello" })
+      user = double
+      post = Post.new(user)
+      controller = Controller.new(user, "update", params)
+
+      expect do
+        expect(controller.permitted_attributes(post)).to be_truthy
+        expect(controller.permitted_attributes(post)).to be_truthy
+      end.to change { PostPolicy.instances }.by(1)
+    end
   end
 
   describe "#permitted_attributes_for_action" do
     it "is checked if it is defined in the policy" do
-      params = ActionController::Parameters.new(
+      params = to_params(
         post: {
           title: "Hello",
           body: "blah",
@@ -242,7 +258,7 @@ describe Pundit::Authorization do
     end
 
     it "can be explicitly set" do
-      params = ActionController::Parameters.new(
+      params = to_params(
         post: {
           title: "Hello",
           body: "blah",

data/spec/generators_spec.rb

@@ -35,7 +35,7 @@ RSpec.describe "generators" do
       describe "#resolve" do
         it "raises a descriptive error" do
           scope = WidgetPolicy::Scope.new(double("User"), double("User.all"))
-          expect { scope.resolve }.to raise_error(NotImplementedError, /WidgetPolicy::Scope/)
+          expect { scope.resolve }.to raise_error(NoMethodError, /WidgetPolicy::Scope/)
         end
       end
     end

data/spec/pundit_spec.rb

@@ -64,7 +64,11 @@ RSpec.describe Pundit do
       end.to raise_error(Pundit::NotAuthorizedError, "not allowed to destroy? this Post") do |error|
         expect(error.query).to eq :destroy?
         expect(error.record).to eq post
-        expect(error.policy).to eq Pundit.policy(user, post)
+        expect(error.policy).to have_attributes(
+          user: user,
+          record: post
+        )
+        expect(error.policy).to be_a(PostPolicy)
       end
       # rubocop:enable Style/MultilineBlockChain
     end
@@ -76,7 +80,11 @@ RSpec.describe Pundit do
       end.to raise_error(Pundit::NotAuthorizedError, "not allowed to destroy? this Comment") do |error|
         expect(error.query).to eq :destroy?
         expect(error.record).to eq comment
-        expect(error.policy).to eq Pundit.policy(user, [:project, :admin, comment])
+        expect(error.policy).to have_attributes(
+          user: user,
+          record: comment
+        )
+        expect(error.policy).to be_a(Project::Admin::CommentPolicy)
       end
       # rubocop:enable Style/MultilineBlockChain
     end
@@ -399,22 +407,18 @@ RSpec.describe Pundit do
     it "includes Authorization module" do
       klass = Class.new
 
-      ActiveSupport::Deprecation.silence do
+      expect do
         klass.include Pundit
-      end
+      end.to output.to_stderr
 
       expect(klass).to include Pundit::Authorization
     end
 
     it "warns about deprecation" do
       klass = Class.new
-      allow(ActiveSupport::Deprecation).to receive(:warn)
-
-      ActiveSupport::Deprecation.silence do
+      expect do
         klass.include Pundit
-      end
-
-      expect(ActiveSupport::Deprecation).to have_received(:warn).with start_with("'include Pundit' is deprecated")
+      end.to output(a_string_starting_with("'include Pundit' is deprecated")).to_stderr
     end
   end