pundit_roles 0.1.2 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f9a596e75302e60e5ac89fbd28e1d411f1e80e85
-  data.tar.gz: 70ef89deb9dbc45c8c3c3a3386f858662a1480ab
+  metadata.gz: 37198b58ba83c3e0f973f544dcdc7d202159820d
+  data.tar.gz: febd757aadd6d847ce4fa5997ddc3d7ba8248cf4
 SHA512:
-  metadata.gz: 8f1e0eea9562fa2add0c1c9faebba5cd4a8ccb1441dde646c58eabd76193691da924eb3775cd251ce6658dfe90f5a1eb879f767944032aa5f4b75d3f4cebcf83
-  data.tar.gz: 2dcef9da90cad672759c3d315b1259b1a999bd0445fc5a4139d272aef0b1e78ce9fc445fe9ab9260329c773af0a5ecc0924c14af11768dd92000736df00b8558
+  metadata.gz: fc8990e3c886ff9f425359896c99518813db8d7dc93c71503f25927cc6eb7d056a3c0c408943a726ebffef28949770fee765288ff29537d6405d3e20325b48db
+  data.tar.gz: e5b8efa011b23dfebd9f9bf324b4907e808d5a28626c0f04da8d3efffc34fd3d36d9b0e00372be7fc0d6f31098ff675ee1473df852eec29e2d2cff7645151d17

data/.coveralls.yml

@@ -0,0 +1 @@
+service_name: travis-ci

data/.travis.yml

@@ -1,5 +1,8 @@
-sudo: false
 language: ruby
+cache: bundler
+
 rvm:
   - 2.4.0
 before_install: gem install bundler -v 1.14.6
+
+script: 'bundle exec rake'

data/CHANGELOG.md

@@ -0,0 +1,10 @@
+# PunditRoles
+
+## 0.2.0 (2017-10-30)
+
+- Roles and permitted options are no longer separately declared with `role` and 
+  `permitted_for` methods. Declaration of options has been consolidated into the 
+  `role` method.
+- Roles can no longer be inherited from the superclass.
+- Test conditions for the roles are now guessed from the name of the role, 
+  instead of being declared explicitly with the `authorize_with` option.

data/Gemfile

@@ -8,10 +8,9 @@ gem 'activemodel'
 gem 'pundit', '~> 1.1.0'
 
 group :development, :test do
-  gem "actionpack"
-  gem "activemodel"
   gem "bundler"
   gem "pry"
   gem "rake"
   gem "rspec"
+  gem 'coveralls', require: false
 end

data/README.md

@@ -1,5 +1,10 @@
 # PunditRoles
 
+[![Gem Version](https://badge.fury.io/rb/pundit_roles.svg)](https://badge.fury.io/rb/pundit_roles.svg)
+[![Build Status](https://travis-ci.org/StairwayB/pundit_roles.svg?branch=master)](https://travis-ci.org/StairwayB/pundit_roles)
+[![Coverage Status](https://coveralls.io/repos/github/StairwayB/pundit_roles/badge.svg?branch=master)](https://coveralls.io/github/StairwayB/pundit_roles?branch=master)
+[![Maintainability](https://api.codeclimate.com/v1/badges/030ffce3612160c8e7f0/maintainability)](https://codeclimate.com/github/StairwayB/pundit_roles/maintainability)
+
 PunditRoles is a helper gem which works on top of [Pundit](https://github.com/elabs/pundit)
 (if you are not familiar with Pundit, it is recommended you read it's documentation before continuing).
 It allows you to extend Pundit's authorization system to include attributes and associations.
@@ -10,10 +15,9 @@ You may use Pundit's features as well as the features from this gem interchangea
 Please note that this gem is not affiliated with Pundit or it's creators, but it very much
 appreciates the work that they did with their great authorization system. 
 
-* **Important** This is still early in it's development and is **NOT** considered production 
-ready. Consider what is here as a prototype for what will, in the future, be a reliable gem.
-As of yet, bugs and unforeseen issues may be present. If you happen to find any, please feel free
-to raise an issue. 
+* **Important**: This gem is **not** yet considered production ready.
+
+* [**_Changelog_**](https://github.com/StairwayB/pundit_roles/blob/master/CHANGELOG.md)
 
 ## Installation
 
@@ -34,43 +38,40 @@ end
 And inherit your ApplicationPolicy from Policy::Base
 ```ruby
 class ApplicationPolicy < Policy::Base
-  # def show?
-  #   [...]
-  # end
 end
 ```
 
 ## Roles
 
 PunditRoles operates around the notion of _**roles**_. Each role needs to be defined at the Policy level
-and provided with a conditional method that determines whether the `@user`(`current_user` in the context of a Policy) 
+and provided with a conditional method that determines whether the `@user`(the `current_user` in the context of a Policy) 
 falls into this role. Additionally, each role can have a set of permitted 
-_**attributes**_ and _**associations**_(from here on collectively referred to as **_options_**) 
+_**attributes**_ and _**associations**_(from here on collectively referred to as _**options**_) 
 defined for it. A basic example for a UserPolicy would be:
 ```ruby
-role :user, authorize_with: :logged_in_user
-permitted_for :user,
-              attributes: {
-                show: %i(username name avatar is_confirmed created_at)
-              },
-              associations: {
-                show: %i(posts followers following)
-              }
-
-role :correct_user, authorize_with: :correct_user
-permitted_for :correct_user,
-              attributes: {
-                show: %i(email phone_number confirmed_at updated_at sign_in_count),
-                update: %i(username email password password_confirmation current_password name avatar)
-              },
-              associations: {
-                show: %i(settings),
-                save: %i(settings)
-              }
+  role :regular_user,
+       attributes: {
+         show: %i(username name avatar is_confirmed created_at)
+       },
+       associations: {
+         show: %i(posts followers following)
+       }
+
+role :correct_user,
+       attributes: {
+         show: %i(email phone_number confirmed_at updated_at sign_in_count),
+         update: %i(username email password password_confirmation current_password name avatar)
+       },
+       associations: {
+         show: %i(settings),
+         save: %i(settings)
+       }
 ```
 
-This assumes that there are two methods defined in the UserPolicy called `logged_in_user?` and
-`correct_user?`. More on that later. 
+This assumes that there are two methods defined in the UserPolicy called `regular_user?` and
+`correct_user?`.
+
+* Please note, that there was a breaking change since `0.1.2`. View the changelog for additional details.
 
 And then in you query method, you simply say:
 ```ruby
@@ -104,124 +105,124 @@ end
 The `authorize` method will return a hash of permitted attributes and associations for the corresponding action that the
 user has access to. What you do with that is your business. Accessors for each segment look like this: 
 ```ruby
-permitted[:attributes][:show]
-permitted[:attributes][:create]
+permitted[:attributes][:show] # ex. returns => [:username, :name, :avatar, :is_confirmed, :created_at]
+permitted[:attributes][:create] # ex. returns => [:username, :email, :password, :password_confirmation]
 
 permitted[:associations][:show]
 permitted[:associations][:update]
 ```
 
+It hash also contains the roles that the user has fulfilled:
+```ruby
+permitted[:roles] # ex. returns => [:regular_user, :correct_user]
+```
+
 If the user does not fall into any roles permitted by a query, the `authorize` method will raise `Pundit::NotAuthorizedError`
 
 ### Defining roles
 
 Roles are defined with the `role` method. It receives the name of the role as it's first argument and the
-options for the role as it's second. The required option is the `authorize_with` attribute, which is the method
-that validates the role. The validation method must be passed as a symbol without the question mark, and declared
-as a method with a question mark.
+options for the role as it's second(multiple `roles` can be defined at once, if you wish to do that, 
+but all of these will have identical options, so what's the point, really). Valid options for the role are:
+`:attributes, :associations, :scope, :uses_db, :extend`. 
 
-Currently there are no more options, but some, like database permissions, are planned for future updates.
+Currently only attributes and associations are supported, scopes and db permissions will be coming Soon&trade;.
 
 ```ruby
-role :user, authorize_with: :logged_in_user
+role :regular_user,
+      attributes: {show: [:name]},
+      associations: {show: [:posts]}
 
-def logged_in_user?
+def regular_user?
   @user.present?
 end
 ```
 
+One thing to watch out for is that roles are not inherited, because each is unique to the model in question. 
+But since the name of the role is just the conditional method for the role,
+without the '?' question mark, it is encouraged to inherit from an `ApplicationPolicy`, 
+and define common `role` conditional methods there.
+
 ### Users with multiple roles
 
 You may have noticed that in the first example `correct_user` has fewer permitted options
-defined than `user`. That is because PunditRoles does not treat roles as exclusionary.
+defined than `regular_user`. That is because PunditRoles does not treat roles as exclusionary.
 Users may have a single role or they may have multiple roles, within the context of the model they are trying to access.
-In the previous example, a `correct_user`, meaning a `user` trying to access it's own model, is naturally 
-also a regular `user`, so it will have access to all options a regular `user` has access to plus the 
+In the previous example, a `correct_user`, meaning a `regular_user` trying to access it's own model, is naturally 
+also a `regular_user`, so it will have access to all options a `regular_user` has access to plus the 
 options that a `correct_user` has access to. 
 
 Take this example, to better illustrate what is happening: 
 
 ```ruby
-role :user, authorize_with: :logged_in_user
-permitted_for :user,
-              attributes: {
-                show: %i(username name avatar)
-              }
-
-role :correct_user, authorize_with: :correct_user
-permitted_for :correct_user,
-              attributes: {
-                show: %i(email phone_number)
-              }
-              
-role :admin, authorize_with: :admin
-permitted_for :admin,
-              attributes: {
-                show: %i(email is_admin)
-              }
+role :regular_user,
+     attributes: {
+       show: %i(username name avatar)
+     }
+
+role :correct_user,
+     attributes: {
+       show: %i(email phone_number)
+     }
+
+role :admin_user,
+     attributes: {
+       show: %i(email is_admin)
+     }
 ```
 
-Here, a user which fulfills the `admin` condition trying to access it's own model, would receive the 
-options of all three roles, meaning the `permitted[:attributes][:show]` would look like: 
+Here, a user which fulfills the `admin_user` condition trying to access it's own model, would receive the 
+options of all three roles, without any duplicates, meaning the `permitted[:attributes][:show]` would look like: 
 ```ruby
 [:username, :name, :avatar, :email, :phone_number, :is_admin]
 ```
-Notice that there are no duplicates. This is because whenever a user tries to access an action, 
-PunditRoles will evaluate whether the user falls into the roles permitted to perform said action, 
-and if they do, it will uniquely merge the options hashes of all of these.
 
 If the user is an `admin`, but is not a `correct_user`, it will not receive the `phone_number` attribute,
 because that is unique to `correct_user` and vice versa.
 
 At present, there is no way to prevent merging of roles. Such a feature may be coming in a future update.
 
-### Inheritance and the default Guest role
-
-One thing to watch out for is that roles are inherited but options are not.
-This means that you may declare commonly used roles(whose validations are 
-independent of the `@record` of the Policy) in the ApplicationPolicy, and may reuse them
-further down the line. You may also overwrite roles defined in a parent class(these will not affect those in the parent).
+### The :guest role
 
-However, it is important to declare the options with the `permitted_for` method for each role that you permit
-in your Policy, otherwise the role will return an empty hash.
-
-With that in mind, PunditRoles comes with a default `:guest` role, which simply checks if
+PunditRoles comes with a default `:guest` role, which simply checks if
 the user is nil. If you wish to permit guest users for a particular action, simply define the
 options for it and allow it in your query method. 
 
 ```ruby
 class UserPolicy < ApplicationPolicy
-  permitted_for :guest,
-                 attributes: {
-                   show: %i(username first_name last_name avatar),
-                   create: %i(username email password password_confirmation first_name last_name avatar)
-                 },
-                 associations: {}
+
+  role :guest,
+       attributes: {
+         show: %i(username first_name last_name avatar),
+         create: %i(username email password password_confirmation first_name last_name avatar)
+       },
+       associations: {}
   
   def show?
-    allow :guest
+    allow :guest, :some, :other, :roles
   end
   
   def create?
-    allow :guest
+    allow :guest, :admin_user
   end
   
 end
 ```
 
-* **Important!** The `:guest` role is exclusionary by default, meaning it cannot be merged
+**Important** 
+
+* The `:guest` role is exclusionary by default, meaning it cannot be merged
 with other roles. It is also the first role that is evaluated, and if the user is a `:guest`, it will return the guest
-attributes if `:guest` is allowed, or raise `PunditNotAuthorized` if not. 
-Do **NOT** overwrite the `:guest` role, that can lead to unexpected side effects, and if you wish to allow guest, use
-the existing role and not a custom one. 
+attributes if `:guest` is allowed, or raise `Pundit::NotAuthorizedError` if not. 
+
+* Do **not** use a custom role for `nil` or `undefined` `@user`, use `:guest`. 
+If you do, it will most likely lead to unwanted exceptions.
 
 ### Explicit declaration of options
 
-Options are declared with the `permitted_for` method, which receives the role as it's first argument,
-and the options as it's second.
+Options are declared with the `attributes` and `associations` options of the role method.
 
-Valid options for the `permitted_for` method are `:attributes` and `:associations`. 
-Within these, valid options are `:show`,`:create`,`:update` and `:save` or the implicit options.
+Valid options for both `:attributes` and `:associations` are `:show`,`:create`,`:update` and `:save` or the implicit options.
 
 ### Implicit declaration of options
 
@@ -239,46 +240,42 @@ attribute that is added to a model later down the line.
     Will be able to view all non-restricted options.
     
     ```ruby
-    role :admin, authorize_with: :admin
-    permitted_for :admin,
-                  attributes: :show_all,
-                  associations: :show_all
+    role :admin,
+         attributes: :show_all,
+         associations: :show_all
     ```
 * **create_all, update_all, save_all**
 
     Will be able to create, update or save all non-restricted attributes. These options also
     imply that the role will be able to `show_all` options. 
     ```ruby
-    role :admin, authorize_with: :admin
-    permitted_for :admin,
-                  attributes: :save_all,
-                  associations: :update_all
+    role :admin,
+         attributes: :save_all,
+         associations: :update_all
     ```
 
 * **all**
 
     Declare on a per-action basis whether the role has access to all options. 
     ```ruby
-    role :admin, authorize_with: :admin
-    permitted_for :admin,
-                  attributes: {
-                    show: :all,
-                    save: %i(name username email)
-                  },
-                  associations: {
-                    show: :all
-                  }
+    role :admin,
+          attributes: {
+            show: :all,
+            save: %i(name username email)
+          },
+          associations: {
+            show: :all
+          }
     ```
 
 * **all_minus**
 
     Can be used to allow all attributes, except those declared. 
     ```ruby
-    role :admin, authorize_with: :admin
-    permitted_for :admin,
-                  attributes: {
-                    show: [:all_minus, :password_digest]
-                  }
+    role :admin,
+          attributes: {
+            show: [:all_minus, :password_digest]
+          }
     ```
     The `:admin` role will now be able to view all attributes, except `password_digest`.
 
@@ -287,36 +284,24 @@ attribute that is added to a model later down the line.
 PunditRoles allows you to define restricted options which will be removed when declaring 
 implicitly. By default, only the `:id`, `:created_at`, `:updated_at` attributes are restricted
 for `create`,`update` and `save` actions. You may overwrite this behaviour on a per-policy basis: 
-```ruby
-private
 
-def restricted_show_attributes
-  [:attr_one, :attr_two]
-end
+```ruby
+RESTRICTED_SHOW_ATTRIBUTES = [:attr_one, :attr_two]
 ```
-Or if you want to add to it, instead of overwriting, use `super`:
+Or if you want to add to it, instead of overwriting(here, 
+the second `RESTRICTED_SHOW_ATTRIBUTES` resolves to the one declared on the parent):
 ```ruby
-private
-
-def restricted_create_attributes
-  super + [:attr_one, :attr_two]
-end
+RESTRICTED_SHOW_ATTRIBUTES = RESTRICTED_SHOW_ATTRIBUTES + [:attr_one, :attr_two]
 ```
 
-There are 8 `restricted_#{action}_#{option_type}` methods in total, where `option_type` refers
-to either `attributes` or `associations` and `action` refers to `show`, `create`, `update` or `save`.
+There are 8 `RESTRICTED_#{action}_#{option_type}` constants in total, where `option_type` refers
+to either `ATTRIBUTES` or `ASSOCIATIONS` and `action` refers to `SHOW`, `CREATE`, `UPDATE` or `SAVE`.
 
 ## Planned updates
 
 Support for Pundit's scope method should be added in the near future, along with authorizing associations, 
-generators, and rspec helpers. And once the test suite is finished for this gem, it should be production
-ready. 
-
-## Development
-
-After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake 'spec'` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+generators, and possibly rspec helpers.
 
-To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 
 ## Contributing
 

data/Rakefile

@@ -1,2 +1,9 @@
-require "bundler/gem_tasks"
-task :default => :spec
+require 'rspec/core/rake_task'
+require 'bundler/gem_tasks'
+
+# Run with `rake spec`
+RSpec::Core::RakeTask.new(:spec) do |task|
+  task.rspec_opts = %w(--color)
+end
+
+task :default => :spec

data/lib/pundit_roles/policy/base.rb

@@ -1,35 +1,26 @@
 require_relative 'role'
-require_relative 'policy_defaults/defaults'
-
+require_relative 'policy_defaults'
 
+# Namespace for aesthetic reasons
 module Policy
 
   # Base policy class to be extended by all other policies, authorizes users based on roles they fall into,
   # return a uniquely merged hash of permitted attributes and associations of each role the @user has.
   #
-  # @param user [Object] the user that initiated the action
-  # @param record [Object] the object we're checking permissions of
+  # @attr_reader user [Object] the user that initiated the action
+  # @attr_reader record [Object] the object we're checking permissions of
   class Base
     extend Role
+    include PolicyDefaults
 
-    include PolicyDefaults::Defaults
-
-    role :guest, authorize_with: :user_guest
-
-    attr_reader :user, :record
-
-    def initialize(user, record)
+    attr_reader :user, :resource
+    def initialize(user, resource)
       @user = user
-      @record = record
-    end
-
-    # Is here
-    def scope
-      Pundit.authorize_scope!(user, record.class, fields)
+      @resource = resource
     end
 
-    # Retrieves the permitted roles for the current @query, checks if @user is one or more of these roles
-    # and return a hash of attributes and associations that the @user has access to.
+    # Retrieves the permitted roles for the current query, checks if user is one or more of these roles
+    # and return a hash of attributes and associations that the user has access to.
     #
     # @param query [Symbol, String] the predicate method to check on the policy (e.g. `:show?`)
     def resolve_query(query)
@@ -40,16 +31,11 @@ module Policy
 
       permissions_hash = self.class.permissions_hash
 
-      # Always checks if the @user is a :guest first. :guest users cannot only have the one :guest role
-      guest = self.class::Guest.new(self, permissions_hash[:guest])
-      if guest.test_condition
-        if permitted_roles.include? :guest
-          return guest.permitted
-        else
-          return false
-        end
+      # Always checks if user is a guest, and return the appropriate permission if true
+      # the guest role cannot be merged with other roles
+      if guest?
+        return handle_guest_user(permitted_roles, permissions_hash)
       end
-
       current_roles = determine_current_roles(permitted_roles, permissions_hash)
 
       unless current_roles.present?
@@ -57,8 +43,7 @@ module Policy
       end
 
       if current_roles.length == 1
-        current_roles.values[0][:roles] = current_roles.keys[0]
-        return current_roles.values[0]
+        return current_roles.values[0].merge({roles: [current_roles.keys[0]]})
       end
 
       return unique_merge(current_roles)
@@ -66,6 +51,17 @@ module Policy
 
     private
 
+    # Return the default :guest role if guest is present in @permitted_roles. Return false otherwise
+    #
+    # @param permitted_roles [Hash] roles returned by the query
+    # @param permissions_hash [Hash] unrefined hash of options defined by all permitted_for methods
+    def handle_guest_user(permitted_roles, permissions_hash)
+      if permitted_roles.include? :guest
+        return permissions_hash[:guest].merge({roles: [:guest]})
+      end
+      return false
+    end
+
     # Build a hash of the roles that the user fulfills and the roles' attributes and associations,
     # based on the test_condition of the role.
     #
@@ -75,20 +71,16 @@ module Policy
       current_roles = {}
 
       permitted_roles.each do |permitted_role|
-        if permitted_role == :guest
+        if permitted_role == :guest or permitted_role == :guest_user
           next
         end
 
         begin
-          current_role = {class: "#{self.class}::#{permitted_role.to_s.classify}".constantize}
-          current_role_obj = current_role[:class].new(self, permissions_hash[permitted_role])
-          if current_role_obj.test_condition
-            current_roles[permitted_role] = current_role_obj.permitted
+          if send("#{permitted_role}?")
+            current_roles[permitted_role] = permissions_hash[permitted_role]
           end
-        rescue NoMethodError =>e
-          raise NoMethodError, "Could not find test condition, needs to be defined as 'test_condition?' and passed to the role as 'authorize_with: :test_condition' => #{e.message}"
-        rescue NameError => e
-          raise NameError, "#{current_role[:role]} not defined => #{e.message} "
+        rescue NoMethodError => e
+          raise NoMethodError, "Undefined test condition, it must be defined as 'role?', where, role is :#{permitted_role}, => #{e.message}"
         end
       end
 
@@ -102,14 +94,8 @@ module Policy
       merged_hash = {attributes: {}, associations: {}, roles: []}
 
       roles.each do |role, option|
-        unless option.present?
-          next
-        end
         merged_hash[:roles] << role
         option.each do |type, actions|
-          unless actions.present?
-            next
-          end
           actions.each do |key, value|
             unless merged_hash[type][key]
               merged_hash[type][key] = []
@@ -129,6 +115,11 @@ module Policy
       return roles
     end
 
+    # Default :guest role
+    def guest?
+      @user.nil?
+    end
+
     # Scope class from Pundit, to be used for limiting scopes. Unchanged from Pundit,
     # possible implementation forthcoming in a future update
     class Scope

data/lib/pundit_roles/policy/policy_defaults.rb

@@ -0,0 +1,52 @@
+# Defaults for Policy::Base
+module PolicyDefaults
+  # default index? method
+  def index?
+    false
+  end
+
+  # default show? method
+  def show?
+    false
+  end
+
+  # default create? method
+  def create?
+    false
+  end
+
+  # default update? method
+  def update?
+    false
+  end
+
+  # default destroy? method
+  def destroy?
+    false
+  end
+
+  # restricted attributes for show
+  RESTRICTED_SHOW_ATTRIBUTES = []
+
+  # restricted attributes for save
+  RESTRICTED_SAVE_ATTRIBUTES = [:id, :created_at, :updated_at]
+
+  # restricted attributes for create
+  RESTRICTED_CREATE_ATTRIBUTES = [:id, :created_at, :updated_at]
+
+  # restricted attributes for update
+  RESTRICTED_UPDATE_ATTRIBUTES = [:id, :created_at, :updated_at]
+
+
+  # restricted associations for show
+  RESTRICTED_SHOW_ASSOCIATIONS = []
+
+  # restricted associations for save
+  RESTRICTED_SAVE_ASSOCIATIONS = []
+
+  # restricted associations for create
+  RESTRICTED_CREATE_ASSOCIATIONS = []
+
+  # restricted associations for update
+  RESTRICTED_UPDATE_ASSOCIATIONS = []
+end

data/lib/pundit_roles/policy/role/{base.rb → option_builder.rb}

@@ -1,59 +1,50 @@
 module Role
-  # Base class that all roles inherit, stores role options in class instance variables
-  # and creates a hash of attributes and associations from the options defined in permitted_for methods
+  # Helper class, which handles building of a role's #permissions_hash.
   #
-  # @param authorize_with [Symbol, String] class instance attribute which stores the method that is used to
-  # authorize users
-  # @param disable_merge [TrueClass, FalseClass] unused as of yet
-  # @param policy [Object] instance variable used to store a reference to the policy which instantiated the class
-  # @param permission_options [Hash] unrefined hash of options to be refined by the permitted method
-  class Base
-
-    # Class instance variable accessors
-    class << self
-      attr_accessor :authorize_with, :disable_merge
-    end
+  # @param policy [Class] the class used to store a reference to the policy which instantiated this
+  # @param attr_opts [Hash, :Symbol] the requested options for attributes to be refined by the permitted method
+  # @param assoc_opts [Hash, :Symbol] the requested options for associations to be refined by the permitted method
+  # @param scope [String] the scope for the role in String format
 
-    @authorize_with = :default_authorization
-    @disable_merge = nil
+  class OptionBuilder
 
     attr_reader :policy
 
-    def initialize(policy, permission_options)
+    def initialize(policy, attr_opts, assoc_opts, scope)
       @policy = policy
-      @permission_options = permission_options
+      @attr_opts = attr_opts
+      @assoc_opts = assoc_opts
+      @scope = scope
       freeze
     end
 
-    # Helper instance method to retrieve the class instance variable @authorize_with
-    def authorize_with
-      return self.class.authorize_with
-    end
-
-    # Send the method to the policy to check if user falls into this role
-    def test_condition
-      @policy.send(authorize_with)
+    # Returns a refined hash of attributes and associations the current_user has access to
+    def permitted
+      return {
+        attributes: permitted_options(@attr_opts, 'attributes'),
+        associations: permitted_options(@assoc_opts, 'associations')
+      }
     end
 
-    # Returns a refined hash of attributes and associations this user has access to
-    def permitted
-      if not @permission_options
-        permitted =  {attributes: {},
-                      associations: {}}
+    private
 
-      elsif @permission_options.is_a? Symbol
-        permitted =  {attributes: handle_default_options(@permission_options, 'attributes'),
-                      associations: handle_default_options(@permission_options, 'associations')}
+    # Determines the the kind of method used to declare the option
+    #
+    # @param *opts [Hash] the hash of attributes or associations for the role
+    # @param type [String] the kind of option, can be 'attributes' or 'associations'
+    def permitted_options(opts, type)
+      if not opts
+        permitted =  {}
+
+      elsif opts.is_a? Symbol
+        permitted =  handle_default_options(opts, type)
       else
-        permitted =  {attributes: init_options(@permission_options[:attributes], 'attributes'),
-                      associations: init_options(@permission_options[:associations], 'associations')}
+        permitted =  init_options(opts, type)
       end
 
       return permitted
     end
 
-    private
-
     # Build hash of options when options are explicitly declared as a Hash
     #
     # @param options [Hash] unrefined hash containing either attributes or associations
@@ -63,10 +54,6 @@ module Role
         return {}
       end
 
-      if options.is_a? Symbol
-        return handle_default_options(options, type)
-      end
-
       raise ArgumentError, "Permitted #{type}, if declared, must be declared as a Hash or Symbol, expected something along the lines of
                             {show: [:id, :name], create: [:name], update: :all} or :all, got #{options}" unless options.is_a? Hash
 
@@ -79,6 +66,7 @@ module Role
           next
         end
 
+        # todo: This needs some rethinking
         if value.is_a? Array
           case value.first
             when :all_minus
@@ -103,18 +91,17 @@ module Role
       parsed_options = {}
       case option
         when :show_all
-          parsed_options[:show] = send("get_all_#{type}")
+          parsed_options[:show] = get_all(type)
         else
           of_type = option.to_s.gsub('_all', '').to_sym
-          parsed_options[:show] = send("get_all_#{type}")
-          parsed_options[of_type] = send("get_all_#{type}")
+          parsed_options[:show] = get_all(type)
+          parsed_options[of_type] = get_all(type)
       end
 
       return remove_restricted(parsed_options, type)
     end
 
-    # Remove restricted attributes declared in the @policy restricted_#{key}_#{type} methods,
-    # ex: restricted_show_attributes
+    # Remove restricted attributes declared in the #policy RESTRICTED_#{key}_#{type} constants
     #
     # @param obj [Hash] refined hash containing either attributes or associations
     # @param type [String] the type of option to be built, can be 'attributes' or 'associations'
@@ -122,36 +109,28 @@ module Role
       permitted_obj_values = {}
 
       obj.each do |key, value|
-        restricted = @policy.send("restricted_#{key}_#{type}")
+        restricted = "#{@policy}::RESTRICTED_#{key.upcase}_#{type.upcase}".constantize
         permitted_obj_values[key] = restricted.present? ? value - restricted : value
       end
 
       return permitted_obj_values
     end
 
-    # Returns all attributes of a record or scope defined in the @policy
+    # Returns all attributes of a record or scope defined in the #policy
     def get_all_attributes
-      begin
-        @policy.record.class.column_names.map(&:to_sym)
-      rescue NoMethodError
-        begin
-          @policy.scope.column_names.map(&:to_sym)
-        rescue NoMethodError
-          raise NoMethodError, "#{@policy} does not have a record or scope defined(or scope is not an ActiveRecord::Association), this is a problem."
-        end
-      end
+      @policy.to_s.gsub('Policy', '').constantize.column_names.map(&:to_sym)
     end
 
-    # Returns all associations of a record or scope defined in the @policy
+    # Returns all associations of a record or scope defined in the #policy
     def get_all_associations
+      @policy.to_s.gsub('Policy', '').constantize.reflect_on_all_associations.map(&:name)
+    end
+
+    def get_all(type)
       begin
-        @policy.record.class.reflect_on_all_associations.map(&:name)
-      rescue NoMethodError
-        begin
-          @policy.scope.reflect_on_all_associations.map(&:name)
-        rescue NoMethodError
-          raise NoMethodError, "#{@policy} does not have a record or scope defined(or scope is not an ActiveRecord::Association), this is a problem."
-        end
+        send("get_all_#{type}")
+      rescue NameError => e
+        raise ArgumentError, "#{@policy} does not have a corresponding model: #{@policy.to_s.gsub('Policy', '')}, implicit declarations are not allowed => #{e.message}"
       end
     end
 

data/lib/pundit_roles/policy/role.rb

@@ -1,99 +1,49 @@
-require_relative 'role/base'
+require_relative 'role/option_builder'
 
-# Module which handles all class-level methods-and-instance variables. Add the ability for a class to define roles
-# as dynamically generated classes and permitted options for those roles as class instance variables on the @policy.
-#
-# @param permission_hash [Hash] hash containing the unrefined attributes and association options
-# @param scope_hash [Hash] unused as of yet
+# Extended by Policy::Base. Defines the methods necessary for declaring roles.
 module Role
-  attr_accessor :permissions_hash, :scope_hash
-  @permissions_hash = {}
-  @scope_hash = {}
 
-  # Method to define a role with the opts used for those roles, checks if all is kosher and calls the the method
-  # to create the role
-  #
-  # @param role [Symbol, String] the role name
-  # @param opts [Hash] options for the role
-  def role(role, opts)
-    options = opts.slice(*_role_default_keys)
-
-    raise ArgumentError, 'You need to supply :authorize_with' unless options.slice(*_required_attributes).present?
-
-    unless role.is_a? Symbol or role.is_a? String
-      raise ArgumentError, "Expected Symbol or String for role, got #{role.class}"
-    end
-
-    create_role(role, self, options)
-  end
+  attr_accessor :permissions_hash
 
-  # Dynamically generates a class with the options and sets the constant on the @policy
+  # Builds a new role by saving it into the #permissions_hash class instance variable
+  # Valid options are :attributes, :associations, :scope, :uses_db, :extend
   #
-  # @param role [Symbol, String] the name of the role
-  # @param policy [Object] the reference to the policy to set the constant on, should be passed a 'self' reference
-  # @param opts [Hash] options for the role
-  def create_role(role, policy, opts)
-    begin
-      policy.const_set role.to_s.classify, Class.new(Role::Base) {
-        @authorize_with = "#{opts[:authorize_with]}?"
-        @disable_merge = opts[:disable_merge]
-      }
-    rescue NameError => e
-      raise ArgumentError, "Something went wrong, possible NameError with #{policy} or #{role} => #{e.message}"
-    end
-  end
+  # @param *opts [Array] the roles, and the options which define the roles
+  # @raise [ArgumentError] if the options are incorrectly defined, or no options are present
+  # @return [Hash] Returns the permissions hash or the record
+  def role(*opts)
+    user_opts = opts.extract_options!.dup
+    options = user_opts.slice(*_role_default_keys)
 
-  # Saves the unrefined options into the @permission_hash class instance variable
-  #
-  # @param role [Symbol, String] the name of the role to which the opts are associated
-  # @param opts [Hash] the hash of options
-  def permitted_for(role, opts)
-    options = opts.slice(*_permitted_for_keys)
+    raise ArgumentError, 'Please provide at least one role' unless opts.present?
 
     @permissions_hash = {} if @permissions_hash.nil?
-    @permissions_hash[role] = options
-  end
-
-  # Helper method to declare attributes directly
-  #
-  # @param role [Symbol, String] the name of the role to which the opts are associated
-  # @param attr [Hash] the hash of attributes
-  def permitted_attr_for(role, attr)
-    options = attr.slice(*_permitted_opt_for_keys)
 
-    @permissions_hash = {} if @permissions_hash.nil?
-    @permissions_hash[role] = {:attributes => options}
-  end
-
-  # Helper method to declare associations directly
-  #
-  # @param role [Symbol, String] the name of the role to which the opts are associated
-  # @param assoc [Hash] the hash of associations
-  def permitted_assoc_for(role, assoc)
-    options = assoc.slice(*_permitted_opt_for_keys)
+    options.each do |key, value|
+      if value.present?
+        expected = _role_option_validations[key]
+        do_raise = true
+        expected.each do |type|
+          do_raise = false if value.is_a? type
+        end
+        raise ArgumentError, "Expected #{expected} for #{key}, got #{value.class}" if do_raise
+      end
+    end
 
-    @permissions_hash = {} if @permissions_hash.nil?
-    @permissions_hash[role] = {:associations => options}
+    opts.each do |role|
+      raise ArgumentError, "Expected Symbol for #{role}, got #{role.class}" unless role.is_a? Symbol
+      @permissions_hash[role] = OptionBuilder.new(self, options[:attributes], options[:associations],  options[:scope]).permitted
+    end
   end
 
-  # default options for role declaration
+  # @api private
   private def _role_default_keys
-    [:authorize_with, :disable_merge]
-  end
-
-  # required options for role declaration
-  private def _required_attributes
-    [:authorize_with]
-  end
-
-  # permitted options for permitted_for declaration
-  private def _permitted_for_keys
-    [:attributes, :associations]
+    [:attributes, :associations, :scope, :uses_db, :extend]
   end
 
-  # permitted options for permitted_assoc_for and permitted_attr_for declaration
-  private def _permitted_opt_for_keys
-    [:show, :create, :update, :save]
+  # @api private
+  private def _role_option_validations
+    {attributes: [Hash, Symbol], associations: [Hash, Symbol], scope: [String], uses_db: [Symbol], extend: [Symbol]}
   end
 
-end
+end

data/lib/pundit_roles/pundit.rb

@@ -1,34 +1,36 @@
+# Contains the overwritten #authorize method
 module PunditOverwrite
 
   # Overwrite for Pundit's default authorization, to be able to use PunditRoles. Does not conflict with existing
   # Pundit implementations
   #
-  # @param record [Object] the object we're checking permissions of
+  # @param resource [Object] the object we're checking permissions of
   # @param query [Symbol, String] the predicate method to check on the policy (e.g. `:show?`).
   #   If omitted then this defaults to the Rails controller action name.
   # @raise [NotAuthorizedError] if the given query method returned false
-  # @return [Object] Always returns the passed object record
-  def authorize(record, query = nil)
+  # @return [Object, Hash] Returns the permissions hash or the record
+  def authorize(resource, query = nil)
     query ||= params[:action].to_s + '?'
 
     @_pundit_policy_authorized = true
 
-    policy = policy(record)
+    policy = policy(resource)
 
     permitted_records = policy.resolve_query(query)
 
     unless permitted_records
-      raise Pundit::NotAuthorizedError, query: query, record: record, policy: policy
+      raise Pundit::NotAuthorizedError, query: query, record: resource, policy: policy
     end
 
     if permitted_records.is_a? TrueClass
-      return record
+      return resource
     end
 
     return permitted_records
   end
 end
 
+# Prepends the PunditOverwrite to Pundit, in order to overwrite the default Pundit #authorize method
 module Pundit
   prepend PunditOverwrite
 end

data/lib/pundit_roles/version.rb

@@ -1,3 +1,3 @@
 module PunditRoles
-  VERSION = "0.1.2"
+  VERSION = "0.2.0"
 end

data/lib/pundit_roles.rb

@@ -8,6 +8,7 @@ require 'pundit_roles/pundit'
 require 'pundit_roles/policy/base'
 require 'pundit'
 
+# Enhances Pundit with roles, allows definition of attribute and association level authorization
 module PunditRoles
   include Pundit
 end

data/pundit_roles.gemspec

@@ -23,4 +23,5 @@ Gem::Specification.new do |spec|
 
   spec.required_ruby_version = '>= 2.3.1'
   spec.add_dependency "activesupport", ">= 3.0.0"
+  spec.add_dependency 'pundit', '>=1.1.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: pundit_roles
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.2.0
 platform: ruby
 authors:
 - Daniel Balogh
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-10-24 00:00:00.000000000 Z
+date: 2017-10-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -24,6 +24,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 3.0.0
+- !ruby/object:Gem::Dependency
+  name: pundit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.1.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.1.0
 description: Extends Pundit with roles
 email:
 - danielferencbalogh@gmail.com
@@ -31,8 +45,10 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".coveralls.yml"
 - ".gitignore"
 - ".travis.yml"
+- CHANGELOG.md
 - Gemfile
 - LICENSE.txt
 - README.md
@@ -41,9 +57,9 @@ files:
 - bin/setup
 - lib/pundit_roles.rb
 - lib/pundit_roles/policy/base.rb
-- lib/pundit_roles/policy/policy_defaults/defaults.rb
+- lib/pundit_roles/policy/policy_defaults.rb
 - lib/pundit_roles/policy/role.rb
-- lib/pundit_roles/policy/role/base.rb
+- lib/pundit_roles/policy/role/option_builder.rb
 - lib/pundit_roles/pundit.rb
 - lib/pundit_roles/version.rb
 - pundit_roles.gemspec

data/lib/pundit_roles/policy/policy_defaults/defaults.rb

@@ -1,78 +0,0 @@
-module PolicyDefaults
-  module Defaults
-    # default index? method
-    def index?
-      false
-    end
-
-    # default show? method
-    def show?
-      false
-    end
-
-    # default create? method
-    def create?
-      false
-    end
-
-    # default update? method
-    def update?
-      false
-    end
-
-    # default destroy? method
-    def destroy?
-      false
-    end
-
-    # default authorization method
-    def default_authorization?
-      return false
-    end
-
-    # @authorize_with method for :guest role
-    def user_guest?
-      @user.nil?
-    end
-
-    # restricted attributes for show
-    def restricted_show_attributes
-      []
-    end
-
-    # restricted attributes for save
-    def restricted_save_attributes
-      [:id, :created_at, :updated_at]
-    end
-
-    # restricted attributes for create
-    def restricted_create_attributes
-      [:id, :created_at, :updated_at]
-    end
-
-    # restricted attributes for update
-    def restricted_update_attributes
-      [:id, :created_at, :updated_at]
-    end
-
-    # restricted associations for show
-    def restricted_show_associations
-      []
-    end
-
-    # restricted associations for save
-    def restricted_save_associations
-      []
-    end
-
-    # restricted associations for create
-    def restricted_create_associations
-      []
-    end
-
-    # restricted associations for update
-    def restricted_update_associations
-      []
-    end
-  end
-end