pundit 2.3.1 → 2.3.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b5c9e118c59bc3a683734817ac6fb9036a2b909df7abce2dbbdc00fc16aebdf7
-  data.tar.gz: 843cc1b7652e88d598a37a28f93bf13c41710bf3dddefeb96acf74e659279581
+  metadata.gz: aa554bffd828649aeac4e79a802070d4e68948beacbc9c991fddab7141a965c9
+  data.tar.gz: edf9be8366e5dfcb541eff929e99a04c2bfb23b800214bc39d68c790b32d7365
 SHA512:
-  metadata.gz: f2430ece33471f7a321a124aeafab7dbc3be4688fbda581b758d90649f4ae06d0cbaf86df768e881d0a2f1c0ab55581cb5dc0f1d3012ab7611b2fd81b8a0f321
-  data.tar.gz: 3432cc545ca5139cfcd7e1fc26a17d0882c11de71a3c6949c1d1da232183eba495de18aa06b64462c1233b820099788b43feeb0e9b439911bc9761dc7bd1e141
+  metadata.gz: 555ccc09f0cc62c3e1da52a7eafb2c3e4805a303c884da39c2ed1c8fc13583727d3e060381ed761f5dd06fdcc71cc3f98c4c991e64db8ac3ff5ff5a460f64aac
+  data.tar.gz: be290f6d6253367e0911525969fc8bb8972db670626bd9803ccd6e7fc1a1504afd1c921a5aac506ee9cfe559a9863bfb469dca3a656909b7ffa1d74aa4c6ea36

data/.github/PULL_REQUEST_TEMPLATE/gem_release_template.md

@@ -0,0 +1,8 @@
+## To do
+
+- [ ] Commit changes:
+  - [ ] Bump `Pundit::VERSION` in `lib/pundit/version.rb`.
+  - [ ] Update `CHANGELOG.md`.
+- [ ] Run `rake release`.
+- [ ] Open pull request 🚀
+- [ ] Make an announcement in [Pundit discussions](https://github.com/varvet/pundit/discussions/categories/announcements).

data/.github/workflows/main.yml

@@ -0,0 +1,107 @@
+name: Main
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+env:
+  CC_TEST_REPORTER_ID: "ac477089fe20ab4fc7e0d304cab75f72d73d58a7596d366935d18fcc7d51f8f9"
+
+  # `github.ref` points to the *merge commit* when running tests on a pull request, which will be a commit
+  # that doesn't exists in our code base. Since this workflow triggers from a PR, we use the HEAD SHA instead.
+  #
+  # NOTE: These are both used by Code Climate (cc-test-reporter).
+  GIT_COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
+  GIT_BRANCH: ${{ github.head_ref }}
+
+jobs:
+  matrix-test:
+    runs-on: ubuntu-latest
+    continue-on-error: ${{ matrix.allow-failure || false }}
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby-version:
+          - '3.1'
+          - '3.2'
+          - '3.3'
+          - 'jruby-9.3.10' # oldest supported jruby
+          - 'jruby'
+        include: # HEAD-versions
+          - ruby-version: 'head'
+            allow-failure: true
+          - ruby-version: 'jruby-head'
+            allow-failure: true
+          - ruby-version: 'truffleruby-head'
+            allow-failure: true
+
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        rubygems: latest
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true
+    - name: Run tests
+      run: bundle exec rspec
+
+  test:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        rubygems: latest
+        ruby-version: 'ruby'
+        bundler-cache: true
+    - name: "Download cc-test-reporter from codeclimate.com"
+      run: |
+        curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter
+        chmod +x ./cc-test-reporter
+    - name: "Report to Code Climate that we will send a coverage report."
+      run: ./cc-test-reporter before-build
+    - name: Run tests
+      run: bundle exec rspec
+      env:
+        COVERAGE: 1
+    - name: Upload code coverage to Code Climate
+      run: |
+        ./cc-test-reporter after-build \
+          --coverage-input-type simplecov \
+          ./coverage/.resultset.json
+
+  rubocop:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        rubygems: default
+        ruby-version: 'ruby'
+        bundler-cache: false
+    - run: bundle install
+    - name: Run RuboCop
+      run: bundle exec rubocop
+
+  required-checks:
+    runs-on: ubuntu-latest
+    if: ${{ always() }}
+    needs:
+      - test
+      - matrix-test
+      - rubocop
+    steps:
+      - name: failure
+        if: ${{ failure() || contains(needs.*.result, 'failure') }}
+        run: exit 1
+      - name: success
+        run: exit 0

data/.github/workflows/push_gem.yml

@@ -0,0 +1,33 @@
+name: Push Gem
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  push:
+    if: github.repository == 'varvet/pundit'
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+      id-token: write
+
+    steps:
+      # Set up
+      - name: Harden Runner
+        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@cacc9f1c0b3f4eb8a16a6bb0ed10897b43b9de49 # v1.176.0
+        with:
+          bundler-cache: true
+          ruby-version: ruby
+
+      # Release
+      - uses: rubygems/release-gem@612653d273a73bdae1df8453e090060bb4db5f31 # v1

data/.rubocop.yml

@@ -1,7 +1,10 @@
 AllCops:
-  TargetRubyVersion: 2.6
+  TargetRubyVersion: 3.1
   Exclude:
     - "lib/generators/**/templates/**/*"
+    <% `git status --ignored --porcelain`.lines.grep(/^!! /).each do |path| %>
+    - <%= path.sub(/^!! /, '').sub(/\/$/, '/**/*') %>
+    <% end %>
   SuggestExtensions: false
   NewCops: disable
 
@@ -20,15 +23,6 @@ Metrics/ModuleLength:
 Layout/LineLength:
   Max: 120
 
-Metrics/AbcSize:
-  Enabled: false
-
-Metrics/CyclomaticComplexity:
-  Enabled: false
-
-Metrics/PerceivedComplexity:
-  Enabled: false
-
 Gemspec/RequiredRubyVersion:
  Enabled: false
 
@@ -59,14 +53,11 @@ Style/StringLiteralsInInterpolation:
 Style/StructInheritance:
   Enabled: false
 
-Style/AndOr:
-  Enabled: false
-
-Style/Not:
-  Enabled: false
-
 Style/DoubleNegation:
   Enabled: false
 
 Style/Documentation:
   Enabled: false # TODO: Enable again once we have more docs
+
+Style/HashSyntax:
+  EnforcedShorthandSyntax: never

data/CHANGELOG.md

@@ -2,7 +2,18 @@
 
 ## Unreleased
 
-Nothing.
+## 2.3.2 (2024-05-08)
+
+- Refactor: First pass of Pundit::Context (#797)
+
+## Changed
+
+- Update `ApplicationPolicy` generator to qualify the `Scope` class name (#792)
+- Policy generator uses `NoMethodError` to indicate `#resolve` is not implemented (#776)
+
+## Deprecated
+
+- Dropped support for Ruby 3.0 (#796)
 
 ## 2.3.1 (2023-07-17)
 

data/CONTRIBUTING.md

@@ -20,7 +20,7 @@ Pundit version, OS version and any stack traces you have are very valuable.
 - **Document any change in behaviour**. Make sure the README and any other
   relevant documentation are kept up-to-date.
 
-- **Create topic branches**. Please don't ask us to pull from your master branch.
+- **Create topic branches**. Please don't ask us to pull from your main branch.
 
 - **One pull request per feature**. If you want to do more than one thing, send
   multiple pull requests.

data/Gemfile

@@ -2,6 +2,7 @@
 
 source "https://rubygems.org"
 
-ruby RUBY_VERSION
-
 gemspec
+
+# https://github.com/ruby/psych/issues/655
+gem "psych", "!= 5.1.1", platforms: %i[jruby]

data/README.md

@@ -1,24 +1,22 @@
 # Pundit
 
-[![Build Status](https://app.travis-ci.com/varvet/pundit.svg?branch=main)](https://app.travis-ci.com/varvet/pundit)
-[![Code Climate](https://codeclimate.com/github/varvet/pundit.svg)](https://codeclimate.com/github/varvet/pundit)
-[![Inline docs](http://inch-ci.org/github/varvet/pundit.svg?branch=master)](http://inch-ci.org/github/varvet/pundit)
+[![Main](https://github.com/varvet/pundit/actions/workflows/main.yml/badge.svg)](https://github.com/varvet/pundit/actions/workflows/main.yml)
+[![Code Climate](https://api.codeclimate.com/v1/badges/a940030f96c9fb43046a/maintainability)](https://codeclimate.com/github/varvet/pundit/maintainability)
+[![Inline docs](http://inch-ci.org/github/varvet/pundit.svg?branch=main)](http://inch-ci.org/github/varvet/pundit)
 [![Gem Version](https://badge.fury.io/rb/pundit.svg)](http://badge.fury.io/rb/pundit)
 
 Pundit provides a set of helpers which guide you in leveraging regular Ruby
 classes and object oriented design patterns to build a straightforward, robust, and
 scalable authorization system.
 
-Links:
+## Links:
 
 - [API documentation for the most recent version](http://www.rubydoc.info/gems/pundit)
 - [Source Code](https://github.com/varvet/pundit)
-- [Contributing](https://github.com/varvet/pundit/blob/master/CONTRIBUTING.md)
-- [Code of Conduct](https://github.com/varvet/pundit/blob/master/CODE_OF_CONDUCT.md)
+- [Contributing](https://github.com/varvet/pundit/blob/main/CONTRIBUTING.md)
+- [Code of Conduct](https://github.com/varvet/pundit/blob/main/CODE_OF_CONDUCT.md)
 
-Sponsored by:
-
-[<img src="https://www.varvet.com/images/wordmark-red.svg" alt="Varvet" height="50px"/>](https://www.varvet.com)
+<strong>Sponsored by:</strong> <a href="https://www.varvet.com">Varvet<br><br><img src="https://github.com/varvet/pundit/assets/99166/aa9efa0a-6903-4037-abee-1824edc57f1a" alt="Varvet logo" height="120"></div>
 
 ## Installation
 
@@ -279,7 +277,7 @@ generator, or create your own base class to inherit from:
 
 ``` ruby
 class PostPolicy < ApplicationPolicy
-  class Scope < Scope
+  class Scope < ApplicationPolicy::Scope
     def resolve
       if user.admin?
         scope.all
@@ -476,7 +474,7 @@ example, associations which might be `nil`.
 
 ```ruby
 class NilClassPolicy < ApplicationPolicy
-  class Scope < Scope
+  class Scope < ApplicationPolicy::Scope
     def resolve
       raise Pundit::NotDefinedError, "Cannot scope NilClass"
     end

data/lib/generators/pundit/install/templates/application_policy.rb

@@ -43,7 +43,7 @@ class ApplicationPolicy
     end
 
     def resolve
-      raise NotImplementedError, "You must define #resolve in #{self.class}"
+      raise NoMethodError, "You must define #resolve in #{self.class}"
     end
 
     private

data/lib/generators/pundit/policy/templates/policy.rb

@@ -1,6 +1,12 @@
 <% module_namespacing do -%>
 class <%= class_name %>Policy < ApplicationPolicy
-  class Scope < Scope
+  # NOTE: Up to Pundit v2.3.1, the inheritance was declared as
+  # `Scope < Scope` rather than `Scope < ApplicationPolicy::Scope`.
+  # In most cases the behavior will be identical, but if updating existing
+  # code, beware of possible changes to the ancestors:
+  # https://gist.github.com/Burgestrand/4b4bc22f31c8a95c425fc0e30d7ef1f5
+
+  class Scope < ApplicationPolicy::Scope
     # NOTE: Be explicit about which records you allow access to!
     # def resolve
     #   scope.all

data/lib/pundit/authorization.rb

@@ -15,6 +15,14 @@ module Pundit
 
     protected
 
+    # @return [Pundit::Context] a new instance of {Pundit::Context} with the current user
+    def pundit
+      @pundit ||= Pundit::Context.new(
+        user: pundit_user,
+        policy_cache: Pundit::CacheStore::LegacyStore.new(policies)
+      )
+    end
+
     # @return [Boolean] whether authorization has been performed, i.e. whether
     #                   one {#authorize} or {#skip_authorization} has been called
     def pundit_policy_authorized?
@@ -64,7 +72,7 @@ module Pundit
 
       @_pundit_policy_authorized = true
 
-      Pundit.authorize(pundit_user, record, query, policy_class: policy_class, cache: policies)
+      pundit.authorize(record, query: query, policy_class: policy_class)
     end
 
     # Allow this action not to perform authorization.
@@ -98,9 +106,9 @@ module Pundit
     #
     # @see https://github.com/varvet/pundit#policies
     # @param record [Object] the object we're retrieving the policy for
-    # @return [Object, nil] instance of policy class with query methods
+    # @return [Object] instance of policy class with query methods
     def policy(record)
-      policies[record] ||= Pundit.policy!(pundit_user, record)
+      pundit.policy!(record)
     end
 
     # Retrieves a set of permitted attributes from the policy by instantiating
@@ -162,7 +170,7 @@ module Pundit
     private
 
     def pundit_policy_scope(scope)
-      policy_scopes[scope] ||= Pundit.policy_scope!(pundit_user, scope)
+      policy_scopes[scope] ||= pundit.policy_scope!(scope)
     end
   end
 end

data/lib/pundit/cache_store/legacy_store.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Pundit
+  module CacheStore
+    # @api private
+    class LegacyStore
+      def initialize(hash = {})
+        @store = hash
+      end
+
+      def fetch(user:, record:)
+        _ = user
+        @store[record] ||= yield
+      end
+    end
+  end
+end

data/lib/pundit/cache_store/null_store.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Pundit
+  module CacheStore
+    # @api private
+    class NullStore
+      @instance = new
+
+      class << self
+        attr_reader :instance
+      end
+
+      def fetch(*, **)
+        yield
+      end
+    end
+  end
+end

data/lib/pundit/context.rb

@@ -0,0 +1,127 @@
+# frozen_string_literal: true
+
+module Pundit
+  class Context
+    def initialize(user:, policy_cache: CacheStore::NullStore.instance)
+      @user = user
+      @policy_cache = policy_cache
+    end
+
+    attr_reader :user
+
+    # @api private
+    attr_reader :policy_cache
+
+    # Retrieves the policy for the given record, initializing it with the
+    # record and user and finally throwing an error if the user is not
+    # authorized to perform the given action.
+    #
+    # @param user [Object] the user that initiated the action
+    # @param possibly_namespaced_record [Object, Array] the object we're checking permissions of
+    # @param query [Symbol, String] the predicate method to check on the policy (e.g. `:show?`)
+    # @param policy_class [Class] the policy class we want to force use of
+    # @raise [NotAuthorizedError] if the given query method returned false
+    # @return [Object] Always returns the passed object record
+    def authorize(possibly_namespaced_record, query:, policy_class:)
+      record = pundit_model(possibly_namespaced_record)
+      policy = if policy_class
+        policy_class.new(user, record)
+      else
+        policy!(possibly_namespaced_record)
+      end
+
+      raise NotAuthorizedError, query: query, record: record, policy: policy unless policy.public_send(query)
+
+      record
+    end
+
+    # Retrieves the policy scope for the given record.
+    #
+    # @see https://github.com/varvet/pundit#scopes
+    # @param user [Object] the user that initiated the action
+    # @param scope [Object] the object we're retrieving the policy scope for
+    # @raise [InvalidConstructorError] if the policy constructor called incorrectly
+    # @return [Scope{#resolve}, nil] instance of scope class which can resolve to a scope
+    def policy_scope(scope)
+      policy_scope_class = policy_finder(scope).scope
+      return unless policy_scope_class
+
+      begin
+        policy_scope = policy_scope_class.new(user, pundit_model(scope))
+      rescue ArgumentError
+        raise InvalidConstructorError, "Invalid #<#{policy_scope_class}> constructor is called"
+      end
+
+      policy_scope.resolve
+    end
+
+    # Retrieves the policy scope for the given record. Raises if not found.
+    #
+    # @see https://github.com/varvet/pundit#scopes
+    # @param user [Object] the user that initiated the action
+    # @param scope [Object] the object we're retrieving the policy scope for
+    # @raise [NotDefinedError] if the policy scope cannot be found
+    # @raise [InvalidConstructorError] if the policy constructor called incorrectly
+    # @return [Scope{#resolve}] instance of scope class which can resolve to a scope
+    def policy_scope!(scope)
+      policy_scope_class = policy_finder(scope).scope!
+      return unless policy_scope_class
+
+      begin
+        policy_scope = policy_scope_class.new(user, pundit_model(scope))
+      rescue ArgumentError
+        raise InvalidConstructorError, "Invalid #<#{policy_scope_class}> constructor is called"
+      end
+
+      policy_scope.resolve
+    end
+
+    # Retrieves the policy for the given record.
+    #
+    # @see https://github.com/varvet/pundit#policies
+    # @param user [Object] the user that initiated the action
+    # @param record [Object] the object we're retrieving the policy for
+    # @raise [InvalidConstructorError] if the policy constructor called incorrectly
+    # @return [Object, nil] instance of policy class with query methods
+    def policy(record)
+      cached_find(record, &:policy)
+    end
+
+    # Retrieves the policy for the given record. Raises if not found.
+    #
+    # @see https://github.com/varvet/pundit#policies
+    # @param user [Object] the user that initiated the action
+    # @param record [Object] the object we're retrieving the policy for
+    # @raise [NotDefinedError] if the policy cannot be found
+    # @raise [InvalidConstructorError] if the policy constructor called incorrectly
+    # @return [Object] instance of policy class with query methods
+    def policy!(record)
+      cached_find(record, &:policy!)
+    end
+
+    private
+
+    def cached_find(record)
+      policy_cache.fetch(user: user, record: record) do
+        klass = yield policy_finder(record)
+        next unless klass
+
+        model = pundit_model(record)
+
+        begin
+          klass.new(user, model)
+        rescue ArgumentError
+          raise InvalidConstructorError, "Invalid #<#{klass}> constructor is called"
+        end
+      end
+    end
+
+    def policy_finder(record)
+      PolicyFinder.new(record)
+    end
+
+    def pundit_model(record)
+      record.is_a?(Array) ? record.last : record
+    end
+  end
+end

data/lib/pundit/policy_finder.rb

@@ -56,7 +56,7 @@ module Pundit
 
     # @return [String] the name of the key this object would have in a params hash
     #
-    def param_key
+    def param_key # rubocop:disable Metrics/AbcSize
       model = object.is_a?(Array) ? object.last : object
 
       if model.respond_to?(:model_name)

data/lib/pundit/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Pundit
-  VERSION = "2.3.1"
+  VERSION = "2.3.2"
 end

data/lib/pundit.rb

@@ -8,6 +8,9 @@ require "active_support/core_ext/object/blank"
 require "active_support/core_ext/module/introspection"
 require "active_support/dependencies/autoload"
 require "pundit/authorization"
+require "pundit/context"
+require "pundit/cache_store/null_store"
+require "pundit/cache_store/legacy_store"
 
 # @api private
 # To avoid name clashes with common Error naming when mixing in Pundit,
@@ -64,104 +67,35 @@ module Pundit
   end
 
   class << self
-    # Retrieves the policy for the given record, initializing it with the
-    # record and user and finally throwing an error if the user is not
-    # authorized to perform the given action.
-    #
-    # @param user [Object] the user that initiated the action
-    # @param possibly_namespaced_record [Object, Array] the object we're checking permissions of
-    # @param query [Symbol, String] the predicate method to check on the policy (e.g. `:show?`)
-    # @param policy_class [Class] the policy class we want to force use of
-    # @param cache [#[], #[]=] a Hash-like object to cache the found policy instance in
-    # @raise [NotAuthorizedError] if the given query method returned false
-    # @return [Object] Always returns the passed object record
-    def authorize(user, possibly_namespaced_record, query, policy_class: nil, cache: {})
-      record = pundit_model(possibly_namespaced_record)
-      policy = if policy_class
-        policy_class.new(user, record)
+    # @see [Pundit::Context#authorize]
+    def authorize(user, record, query, policy_class: nil, cache: nil)
+      context = if cache
+        Context.new(user: user, policy_cache: cache)
       else
-        cache[possibly_namespaced_record] ||= policy!(user, possibly_namespaced_record)
+        Context.new(user: user)
       end
 
-      raise NotAuthorizedError, query: query, record: record, policy: policy unless policy.public_send(query)
-
-      record
-    end
-
-    # Retrieves the policy scope for the given record.
-    #
-    # @see https://github.com/varvet/pundit#scopes
-    # @param user [Object] the user that initiated the action
-    # @param scope [Object] the object we're retrieving the policy scope for
-    # @raise [InvalidConstructorError] if the policy constructor called incorrectly
-    # @return [Scope{#resolve}, nil] instance of scope class which can resolve to a scope
-    def policy_scope(user, scope)
-      policy_scope_class = PolicyFinder.new(scope).scope
-      return unless policy_scope_class
-
-      begin
-        policy_scope = policy_scope_class.new(user, pundit_model(scope))
-      rescue ArgumentError
-        raise InvalidConstructorError, "Invalid #<#{policy_scope_class}> constructor is called"
-      end
-
-      policy_scope.resolve
+      context.authorize(record, query: query, policy_class: policy_class)
     end
 
-    # Retrieves the policy scope for the given record.
-    #
-    # @see https://github.com/varvet/pundit#scopes
-    # @param user [Object] the user that initiated the action
-    # @param scope [Object] the object we're retrieving the policy scope for
-    # @raise [NotDefinedError] if the policy scope cannot be found
-    # @raise [InvalidConstructorError] if the policy constructor called incorrectly
-    # @return [Scope{#resolve}] instance of scope class which can resolve to a scope
-    def policy_scope!(user, scope)
-      policy_scope_class = PolicyFinder.new(scope).scope!
-      return unless policy_scope_class
-
-      begin
-        policy_scope = policy_scope_class.new(user, pundit_model(scope))
-      rescue ArgumentError
-        raise InvalidConstructorError, "Invalid #<#{policy_scope_class}> constructor is called"
-      end
-
-      policy_scope.resolve
+    # @see [Pundit::Context#policy_scope]
+    def policy_scope(user, *args, **kwargs, &block)
+      Context.new(user: user).policy_scope(*args, **kwargs, &block)
     end
 
-    # Retrieves the policy for the given record.
-    #
-    # @see https://github.com/varvet/pundit#policies
-    # @param user [Object] the user that initiated the action
-    # @param record [Object] the object we're retrieving the policy for
-    # @raise [InvalidConstructorError] if the policy constructor called incorrectly
-    # @return [Object, nil] instance of policy class with query methods
-    def policy(user, record)
-      policy = PolicyFinder.new(record).policy
-      policy&.new(user, pundit_model(record))
-    rescue ArgumentError
-      raise InvalidConstructorError, "Invalid #<#{policy}> constructor is called"
+    # @see [Pundit::Context#policy_scope!]
+    def policy_scope!(user, *args, **kwargs, &block)
+      Context.new(user: user).policy_scope!(*args, **kwargs, &block)
     end
 
-    # Retrieves the policy for the given record.
-    #
-    # @see https://github.com/varvet/pundit#policies
-    # @param user [Object] the user that initiated the action
-    # @param record [Object] the object we're retrieving the policy for
-    # @raise [NotDefinedError] if the policy cannot be found
-    # @raise [InvalidConstructorError] if the policy constructor called incorrectly
-    # @return [Object] instance of policy class with query methods
-    def policy!(user, record)
-      policy = PolicyFinder.new(record).policy!
-      policy.new(user, pundit_model(record))
-    rescue ArgumentError
-      raise InvalidConstructorError, "Invalid #<#{policy}> constructor is called"
+    # @see [Pundit::Context#policy]
+    def policy(user, *args, **kwargs, &block)
+      Context.new(user: user).policy(*args, **kwargs, &block)
     end
 
-    private
-
-    def pundit_model(record)
-      record.is_a?(Array) ? record.last : record
+    # @see [Pundit::Context#policy!]
+    def policy!(user, *args, **kwargs, &block)
+      Context.new(user: user).policy!(*args, **kwargs, &block)
     end
   end
 

data/pundit.gemspec

@@ -29,7 +29,7 @@ Gem::Specification.new do |gem|
   gem.add_development_dependency "railties", ">= 3.0.0"
   gem.add_development_dependency "rake"
   gem.add_development_dependency "rspec", ">= 3.0.0"
-  gem.add_development_dependency "rubocop", "1.24.0"
+  gem.add_development_dependency "rubocop"
   gem.add_development_dependency "simplecov", ">= 0.17.0"
   gem.add_development_dependency "yard"
 end

data/spec/authorization_spec.rb

@@ -3,10 +3,13 @@
 require "spec_helper"
 
 describe Pundit::Authorization do
-  let(:controller) { Controller.new(user, "update", {}) }
+  def to_params(*args, **kwargs, &block)
+    ActionController::Parameters.new(*args, **kwargs, &block)
+  end
+
+  let(:controller) { Controller.new(user, "update", to_params({})) }
   let(:user) { double }
   let(:post) { Post.new(user) }
-  let(:customer_post) { Customer::Post.new(user) }
   let(:comment) { Comment.new }
   let(:article) { Article.new }
   let(:article_tag) { ArticleTag.new }
@@ -188,7 +191,7 @@ describe Pundit::Authorization do
 
   describe "#permitted_attributes" do
     it "checks policy for permitted attributes" do
-      params = ActionController::Parameters.new(
+      params = to_params(
         post: {
           title: "Hello",
           votes: 5,
@@ -206,7 +209,8 @@ describe Pundit::Authorization do
     end
 
     it "checks policy for permitted attributes for record of a ActiveModel type" do
-      params = ActionController::Parameters.new(
+      customer_post = Customer::Post.new(user)
+      params = to_params(
         customer_post: {
           title: "Hello",
           votes: 5,
@@ -224,11 +228,23 @@ describe Pundit::Authorization do
         "votes" => 5
       )
     end
+
+    it "goes through the policy cache" do
+      params = to_params(post: { title: "Hello" })
+      user = double
+      post = Post.new(user)
+      controller = Controller.new(user, "update", params)
+
+      expect do
+        expect(controller.permitted_attributes(post)).to be_truthy
+        expect(controller.permitted_attributes(post)).to be_truthy
+      end.to change { PostPolicy.instances }.by(1)
+    end
   end
 
   describe "#permitted_attributes_for_action" do
     it "is checked if it is defined in the policy" do
-      params = ActionController::Parameters.new(
+      params = to_params(
         post: {
           title: "Hello",
           body: "blah",
@@ -242,7 +258,7 @@ describe Pundit::Authorization do
     end
 
     it "can be explicitly set" do
-      params = ActionController::Parameters.new(
+      params = to_params(
         post: {
           title: "Hello",
           body: "blah",

data/spec/generators_spec.rb

@@ -35,7 +35,7 @@ RSpec.describe "generators" do
       describe "#resolve" do
         it "raises a descriptive error" do
           scope = WidgetPolicy::Scope.new(double("User"), double("User.all"))
-          expect { scope.resolve }.to raise_error(NotImplementedError, /WidgetPolicy::Scope/)
+          expect { scope.resolve }.to raise_error(NoMethodError, /WidgetPolicy::Scope/)
         end
       end
     end

data/spec/pundit_spec.rb

@@ -64,7 +64,11 @@ RSpec.describe Pundit do
       end.to raise_error(Pundit::NotAuthorizedError, "not allowed to destroy? this Post") do |error|
         expect(error.query).to eq :destroy?
         expect(error.record).to eq post
-        expect(error.policy).to eq Pundit.policy(user, post)
+        expect(error.policy).to have_attributes(
+          user: user,
+          record: post
+        )
+        expect(error.policy).to be_a(PostPolicy)
       end
       # rubocop:enable Style/MultilineBlockChain
     end
@@ -76,7 +80,11 @@ RSpec.describe Pundit do
       end.to raise_error(Pundit::NotAuthorizedError, "not allowed to destroy? this Comment") do |error|
         expect(error.query).to eq :destroy?
         expect(error.record).to eq comment
-        expect(error.policy).to eq Pundit.policy(user, [:project, :admin, comment])
+        expect(error.policy).to have_attributes(
+          user: user,
+          record: comment
+        )
+        expect(error.policy).to be_a(Project::Admin::CommentPolicy)
       end
       # rubocop:enable Style/MultilineBlockChain
     end

data/spec/spec_helper.rb

@@ -1,8 +1,10 @@
 # frozen_string_literal: true
 
-require "simplecov"
-SimpleCov.start do
-  add_filter "/spec/"
+if ENV["COVERAGE"]
+  require "simplecov"
+  SimpleCov.start do
+    add_filter "/spec/"
+  end
 end
 
 require "pundit"
@@ -16,13 +18,56 @@ require "active_support/core_ext"
 require "active_model/naming"
 require "action_controller/metal/strong_parameters"
 
-class PostPolicy < Struct.new(:user, :post)
-  class Scope < Struct.new(:user, :scope)
+module InstanceTracking
+  module ClassMethods
+    def instances
+      @instances || 0
+    end
+
+    attr_writer :instances
+  end
+
+  def self.prepended(other)
+    other.extend(ClassMethods)
+  end
+
+  def initialize(*args, **kwargs, &block)
+    self.class.instances += 1
+    super(*args, **kwargs, &block)
+  end
+end
+
+class BasePolicy
+  prepend InstanceTracking
+
+  class BaseScope
+    prepend InstanceTracking
+
+    def initialize(user, scope)
+      @user = user
+      @scope = scope
+    end
+
+    attr_reader :user, :scope
+  end
+
+  def initialize(user, record)
+    @user = user
+    @record = record
+  end
+
+  attr_reader :user, :record
+end
+
+class PostPolicy < BasePolicy
+  class Scope < BaseScope
     def resolve
       scope.published
     end
   end
 
+  alias post record
+
   def update?
     post.user == user
   end
@@ -48,7 +93,13 @@ class PostPolicy < Struct.new(:user, :post)
   end
 end
 
-class Post < Struct.new(:user)
+class Post
+  def initialize(user = nil)
+    @user = user
+  end
+
+  attr_reader :user
+
   def self.published
     :published
   end
@@ -67,7 +118,7 @@ class Post < Struct.new(:user)
 end
 
 module Customer
-  class Post < Post
+  class Post < ::Post
     def model_name
       OpenStruct.new(param_key: "customer_post")
     end
@@ -90,16 +141,18 @@ class CommentScope
   end
 end
 
-class CommentPolicy < Struct.new(:user, :comment)
-  class Scope < Struct.new(:user, :scope)
+class CommentPolicy < BasePolicy
+  class Scope < BaseScope
     def resolve
       CommentScope.new(scope)
     end
   end
+
+  alias comment record
 end
 
-class PublicationPolicy < Struct.new(:user, :publication)
-  class Scope < Struct.new(:user, :scope)
+class PublicationPolicy < BasePolicy
+  class Scope < BaseScope
     def resolve
       scope.published
     end
@@ -130,7 +183,9 @@ end
 
 class Article; end
 
-class BlogPolicy < Struct.new(:user, :blog); end
+class BlogPolicy < BasePolicy
+  alias blog record
+end
 
 class Blog; end
 
@@ -140,7 +195,7 @@ class ArtificialBlog < Blog
   end
 end
 
-class ArticleTagOtherNamePolicy < Struct.new(:user, :tag)
+class ArticleTagOtherNamePolicy < BasePolicy
   def show?
     true
   end
@@ -148,6 +203,8 @@ class ArticleTagOtherNamePolicy < Struct.new(:user, :tag)
   def destroy?
     false
   end
+
+  alias tag record
 end
 
 class ArticleTag
@@ -156,33 +213,41 @@ class ArticleTag
   end
 end
 
-class CriteriaPolicy < Struct.new(:user, :criteria); end
+class CriteriaPolicy < BasePolicy
+  alias criteria record
+end
 
 module Project
-  class CommentPolicy < Struct.new(:user, :comment)
-    def update?
-      true
-    end
-
-    class Scope < Struct.new(:user, :scope)
+  class CommentPolicy < BasePolicy
+    class Scope < BaseScope
       def resolve
         scope
       end
     end
+
+    def update?
+      true
+    end
+
+    alias comment record
   end
 
-  class CriteriaPolicy < Struct.new(:user, :criteria); end
+  class CriteriaPolicy < BasePolicy
+    alias criteria record
+  end
 
-  class PostPolicy < Struct.new(:user, :post)
-    class Scope < Struct.new(:user, :scope)
+  class PostPolicy < BasePolicy
+    class Scope < BaseScope
       def resolve
         scope.read
       end
     end
+
+    alias post record
   end
 
   module Admin
-    class CommentPolicy < Struct.new(:user, :comment)
+    class CommentPolicy < BasePolicy
       def update?
         true
       end
@@ -194,7 +259,7 @@ module Project
   end
 end
 
-class DenierPolicy < Struct.new(:user, :record)
+class DenierPolicy < BasePolicy
   def update?
     false
   end
@@ -216,7 +281,7 @@ class Controller
   end
 end
 
-class NilClassPolicy < Struct.new(:user, :record)
+class NilClassPolicy < BasePolicy
   class Scope
     def initialize(*)
       raise Pundit::NotDefinedError, "Cannot scope NilClass"
@@ -245,8 +310,8 @@ class Thread
   def self.all; end
 end
 
-class ThreadPolicy < Struct.new(:user, :thread)
-  class Scope < Struct.new(:user, :scope)
+class ThreadPolicy < BasePolicy
+  class Scope < BaseScope
     def resolve
       # deliberate wrong useage of the method
       scope.all(:unvalid, :parameters)
@@ -254,22 +319,34 @@ class ThreadPolicy < Struct.new(:user, :thread)
   end
 end
 
-class PostFourFiveSix < Struct.new(:user); end
+class PostFourFiveSix
+  def initialize(user)
+    @user = user
+  end
+
+  attr_reader(:user)
+end
 
 class CommentFourFiveSix; extend ActiveModel::Naming; end
 
 module ProjectOneTwoThree
-  class CommentFourFiveSixPolicy < Struct.new(:user, :post); end
+  class CommentFourFiveSixPolicy < BasePolicy; end
 
-  class CriteriaFourFiveSixPolicy < Struct.new(:user, :criteria); end
+  class CriteriaFourFiveSixPolicy < BasePolicy; end
 
-  class PostFourFiveSixPolicy < Struct.new(:user, :post); end
+  class PostFourFiveSixPolicy < BasePolicy; end
 
-  class TagFourFiveSix < Struct.new(:user); end
+  class TagFourFiveSix
+    def initialize(user)
+      @user = user
+    end
+
+    attr_reader(:user)
+  end
 
-  class TagFourFiveSixPolicy < Struct.new(:user, :tag); end
+  class TagFourFiveSixPolicy < BasePolicy; end
 
   class AvatarFourFiveSix; extend ActiveModel::Naming; end
 
-  class AvatarFourFiveSixPolicy < Struct.new(:user, :avatar); end
+  class AvatarFourFiveSixPolicy < BasePolicy; end
 end

metadata

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: pundit
 version: !ruby/object:Gem::Version
-  version: 2.3.1
+  version: 2.3.2
 platform: ruby
 authors:
 - Jonas Nicklas
 - Varvet AB
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-07-17 00:00:00.000000000 Z
+date: 2024-05-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -127,16 +127,16 @@ dependencies:
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.24.0
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.24.0
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -173,10 +173,12 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".github/pull_request_template.md"
+- ".github/PULL_REQUEST_TEMPLATE/gem_release_template.md"
+- ".github/PULL_REQUEST_TEMPLATE/pull_request_template.md"
+- ".github/workflows/main.yml"
+- ".github/workflows/push_gem.yml"
 - ".gitignore"
 - ".rubocop.yml"
-- ".travis.yml"
 - ".yardopts"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
@@ -199,6 +201,9 @@ files:
 - lib/generators/test_unit/templates/policy_test.rb
 - lib/pundit.rb
 - lib/pundit/authorization.rb
+- lib/pundit/cache_store/legacy_store.rb
+- lib/pundit/cache_store/null_store.rb
+- lib/pundit/context.rb
 - lib/pundit/policy_finder.rb
 - lib/pundit/rspec.rb
 - lib/pundit/version.rb
@@ -214,7 +219,7 @@ licenses:
 - MIT
 metadata:
   rubygems_mfa_required: 'true'
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -229,8 +234,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
-signing_key:
+rubygems_version: 3.5.9
+signing_key: 
 specification_version: 4
 summary: OO authorization for Rails
 test_files:

data/.travis.yml

@@ -1,27 +0,0 @@
-language: ruby
-dist: focal
-
-matrix:
-  include:
-    - name: "RuboCop lint on pre-installed Ruby version"
-      rvm: 2.7.1 # Pre-installed Ruby version
-      before_install:
-        - gem install bundler
-      script: bundle exec rake rubocop # ONLY lint once, first
-    - rvm: 2.6.7
-      before_script:
-        - curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter
-        - chmod +x ./cc-test-reporter
-        - ./cc-test-reporter before-build
-      after_script:
-        - ./cc-test-reporter after-build --exit-code $TRAVIS_TEST_RESULT
-    - rvm: 2.7.3
-    - rvm: 3.0.1
-    - rvm: 3.1.0
-    - rvm: 3.2.0
-    - rvm: jruby-9.3.10.0
-      env:
-        - JRUBY_OPTS="--debug"
-    - rvm: truffleruby-head
-  allow_failures:
-    - rvm: truffleruby-head