pundit 0.2.0 → 0.2.1

data/README.md

@@ -98,7 +98,7 @@ and the given record. It then infers from the action name, that it should call
 raise "not authorized" unless PostPolicy.new(current_user, @post).create?
 ```
 
-You can pass a second arguent to `authorize` if the name of the permission you
+You can pass a second argument to `authorize` if the name of the permission you
 want to check doesn't match the action name. For example:
 
 ``` ruby
@@ -133,6 +133,18 @@ class ApplicationController < ActionController::Base
 end
 ```
 
+Likewise, pundit also adds `verify_policy_scoped` to your controller.  This
+will raise an exception in the vein of `verify_authorized`.  However it tracks
+if `policy_scoped` is used instead of `authorize`.  This is mostly useful for
+controller actions like `index` which find collections with a scope and don't
+authorize individual instances.
+
+``` ruby
+class ApplicationController < ActionController::Base
+  after_filter :verify_policy_scoped, :only => :index
+end
+```
+
 ## Scopes
 
 Often, you will want to have some kind of view listing records which a
@@ -191,7 +203,7 @@ You can, and are encouraged to, use this method in views:
 
 ``` erb
 <% policy_scope(@user.posts).each do |post| %>
-  <p><% link_to @post.title, post_path(post) %></p>
+  <p><% link_to post.title, post_path(post) %></p>
 <% end %>
 ```
 
@@ -270,6 +282,69 @@ Pundit.policy_scope(user, Post)
 The bang methods will raise an exception if the policy does not exist, whereas
 those without the bang will return nil.
 
+## Pundit and strong_parameters
+
+In Rails 3 using [strong_parameters](https://github.com/rails/strong_parameters)
+or a standard Rails 4 setup, mass-assignment protection is handled in the controller. 
+Pundit helps you permit different attributes for different users.
+
+```ruby
+class PostPolicy < Struct.new(:user, :post)
+  def permitted_attributes
+    if user.admin? || user.owner_of?(post)
+      [:title, :body]
+    else
+      [:body]
+    end
+  end
+end
+
+class PostsController < ApplicationController
+  def update
+    # ...
+    if @post.update_attributes(post_attributes)
+    # ...
+  end
+
+  private
+
+  def post_attributes
+    params.require(:post).permit(policy(@post).permitted_attributes)
+  end
+end
+```
+
+## RSpec
+
+Pundit includes a mini-DSL for writing expressive tests for your policies in RSpec.
+Require `pundit/rspec` in your `spec_helper.rb`:
+
+``` ruby
+require "pundit/rspec"
+```
+
+Then put your policy specs in `spec/policies`, and make them look somewhat like this:
+
+``` ruby
+describe PostPolicy do
+  subject { PostPolicy }
+
+  permissions :create? do
+    it "denies access if post is published" do
+      should_not permit(User.new(:admin => false), Post.new(:published => true))
+    end
+
+    it "grants access if post is published and user is an admin" do
+      should permit(User.new(:admin => true), Post.new(:published => true))
+    end
+
+    it "grants access if post is unpublished" do
+      should permit(User.new(:admin => false), Post.new(:published => false))
+    end
+  end
+end
+```
+
 # License
 
 Licensed under the MIT license, see the separate LICENSE.txt file.

data/lib/generators/pundit/install/templates/application_policy.rb

@@ -7,7 +7,7 @@ class ApplicationPolicy
   end
 
   def index?
-    scope.exists?
+    false
   end
 
   def show?

data/lib/pundit.rb

@@ -35,12 +35,21 @@ module Pundit
       helper_method :policy_scope
       helper_method :policy
     end
+    if respond_to?(:hide_action)
+      hide_action :authorize
+      hide_action :verify_authorized
+      hide_action :verify_policy_scoped
+    end
   end
 
   def verify_authorized
     raise NotAuthorizedError unless @_policy_authorized
   end
 
+  def verify_policy_scoped
+    raise NotAuthorizedError unless @_policy_scoped
+  end
+
   def authorize(record, query=nil)
     query ||= params[:action].to_s + "?"
     @_policy_authorized = true
@@ -51,6 +60,7 @@ module Pundit
   end
 
   def policy_scope(scope)
+    @_policy_scoped = true
     Pundit.policy_scope!(current_user, scope)
   end
 

data/lib/pundit/version.rb

@@ -1,3 +1,3 @@
 module Pundit
-  VERSION = "0.2.0"
+  VERSION = "0.2.1"
 end

data/pundit.gemspec

@@ -17,7 +17,8 @@ Gem::Specification.new do |gem|
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.require_paths = ["lib"]
 
-  gem.add_dependency "rails", "~>3.0"
+  gem.add_dependency "activesupport", ">= 3.0.0"
+  gem.add_development_dependency "activerecord", ">= 3.0.0"
   gem.add_development_dependency "rspec", "~>2.0"
   gem.add_development_dependency "pry"
   gem.add_development_dependency "rake"

data/spec/pundit_spec.rb

@@ -1,5 +1,6 @@
 require "pundit"
 require "pry"
+require "active_support/core_ext"
 require "active_model/naming"
 
 class PostPolicy < Struct.new(:user, :post)
@@ -194,6 +195,17 @@ describe Pundit do
     end
   end
 
+  describe "#verify_policy_scoped" do
+    it "does nothing when policy_scope is used" do
+      controller.policy_scope(Post)
+      controller.verify_policy_scoped
+    end
+
+    it "raises an exception when policy_scope is not used" do
+      expect { controller.verify_policy_scoped }.to raise_error(Pundit::NotAuthorizedError)
+    end
+  end
+
   describe "#authorize" do
     it "infers the policy name and authorized based on it" do
       controller.authorize(post).should be_true

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pundit
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.2.1
   prerelease: 
 platform: ruby
 authors:
@@ -10,88 +10,104 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-01-08 00:00:00.000000000 Z
+date: 2013-06-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: rails
-  prerelease: false
+  name: activesupport
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - ~>
+    - - ! '>='
       - !ruby/object:Gem::Version
-        version: '3.0'
-    none: false
+        version: 3.0.0
   type: :runtime
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - ~>
+    - - ! '>='
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: 3.0.0
+- !ruby/object:Gem::Dependency
+  name: activerecord
+  requirement: !ruby/object:Gem::Requirement
     none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 3.0.0
 - !ruby/object:Gem::Dependency
   name: rspec
-  prerelease: false
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '2.0'
-    none: false
   type: :development
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '2.0'
-    none: false
 - !ruby/object:Gem::Dependency
   name: pry
-  prerelease: false
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
-    none: false
   type: :development
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
-    none: false
 - !ruby/object:Gem::Dependency
   name: rake
-  prerelease: false
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
-    none: false
   type: :development
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
-    none: false
 - !ruby/object:Gem::Dependency
   name: yard
-  prerelease: false
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
-    none: false
   type: :development
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
-    none: false
 description: Object oriented authorization for Rails applications
 email:
 - jonas.nicklas@gmail.com
@@ -125,20 +141,20 @@ rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
-  none: false
 required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
-  none: false
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.24
+rubygems_version: 1.8.25
 signing_key: 
 specification_version: 3
 summary: OO authorization for Rails