pundit_roles 0.1.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: f9a596e75302e60e5ac89fbd28e1d411f1e80e85
+  data.tar.gz: 70ef89deb9dbc45c8c3c3a3386f858662a1480ab
+SHA512:
+  metadata.gz: 8f1e0eea9562fa2add0c1c9faebba5cd4a8ccb1441dde646c58eabd76193691da924eb3775cd251ce6658dfe90f5a1eb879f767944032aa5f4b75d3f4cebcf83
+  data.tar.gz: 2dcef9da90cad672759c3d315b1259b1a999bd0445fc5a4139d272aef0b1e78ce9fc445fe9ab9260329c773af0a5ecc0924c14af11768dd92000736df00b8558

data/.gitignore

@@ -0,0 +1,10 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+.idea/

data/.travis.yml

@@ -0,0 +1,5 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.4.0
+before_install: gem install bundler -v 1.14.6

data/Gemfile

@@ -0,0 +1,17 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in pundit_roles.gemspec
+gemspec
+
+gem 'actionpack'
+gem 'activemodel'
+gem 'pundit', '~> 1.1.0'
+
+group :development, :test do
+  gem "actionpack"
+  gem "activemodel"
+  gem "bundler"
+  gem "pry"
+  gem "rake"
+  gem "rspec"
+end

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 StairwayB
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,329 @@
+# PunditRoles
+
+PunditRoles is a helper gem which works on top of [Pundit](https://github.com/elabs/pundit)
+(if you are not familiar with Pundit, it is recommended you read it's documentation before continuing).
+It allows you to extend Pundit's authorization system to include attributes and associations.
+
+If you are already using Pundit, this should not conflict with any of Pundit's existing functionality. 
+You may use Pundit's features as well as the features from this gem interchangeably.
+
+Please note that this gem is not affiliated with Pundit or it's creators, but it very much
+appreciates the work that they did with their great authorization system. 
+
+* **Important** This is still early in it's development and is **NOT** considered production 
+ready. Consider what is here as a prototype for what will, in the future, be a reliable gem.
+As of yet, bugs and unforeseen issues may be present. If you happen to find any, please feel free
+to raise an issue. 
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'pundit_roles'
+```
+
+Add PunditRoles to your ApplicationController(Pundit is included in PunditRoles, 
+so no need to add both)
+```ruby
+class ApplicationController < ActionController::Base
+  include PunditRoles
+end
+```
+
+And inherit your ApplicationPolicy from Policy::Base
+```ruby
+class ApplicationPolicy < Policy::Base
+  # def show?
+  #   [...]
+  # end
+end
+```
+
+## Roles
+
+PunditRoles operates around the notion of _**roles**_. Each role needs to be defined at the Policy level
+and provided with a conditional method that determines whether the `@user`(`current_user` in the context of a Policy) 
+falls into this role. Additionally, each role can have a set of permitted 
+_**attributes**_ and _**associations**_(from here on collectively referred to as **_options_**) 
+defined for it. A basic example for a UserPolicy would be:
+```ruby
+role :user, authorize_with: :logged_in_user
+permitted_for :user,
+              attributes: {
+                show: %i(username name avatar is_confirmed created_at)
+              },
+              associations: {
+                show: %i(posts followers following)
+              }
+
+role :correct_user, authorize_with: :correct_user
+permitted_for :correct_user,
+              attributes: {
+                show: %i(email phone_number confirmed_at updated_at sign_in_count),
+                update: %i(username email password password_confirmation current_password name avatar)
+              },
+              associations: {
+                show: %i(settings),
+                save: %i(settings)
+              }
+```
+
+This assumes that there are two methods defined in the UserPolicy called `logged_in_user?` and
+`correct_user?`. More on that later. 
+
+And then in you query method, you simply say:
+```ruby
+def show?
+  %i(user correct_user)
+end
+
+def update?
+  %i(correct_user)
+end
+```
+Or you may use the `allow` helper method:
+```ruby
+def show?
+  allow :user, :correct_user
+end
+```
+
+Finally, in your controller you call Pundit's `authorize` method and pass it's return value
+to a variable: 
+```ruby
+class UserController < ApplicationController
+  def show
+    @user = User.find(params[:id])
+    permitted = authorize @user
+    # [...]
+  end
+end
+```
+
+The `authorize` method will return a hash of permitted attributes and associations for the corresponding action that the
+user has access to. What you do with that is your business. Accessors for each segment look like this: 
+```ruby
+permitted[:attributes][:show]
+permitted[:attributes][:create]
+
+permitted[:associations][:show]
+permitted[:associations][:update]
+```
+
+If the user does not fall into any roles permitted by a query, the `authorize` method will raise `Pundit::NotAuthorizedError`
+
+### Defining roles
+
+Roles are defined with the `role` method. It receives the name of the role as it's first argument and the
+options for the role as it's second. The required option is the `authorize_with` attribute, which is the method
+that validates the role. The validation method must be passed as a symbol without the question mark, and declared
+as a method with a question mark.
+
+Currently there are no more options, but some, like database permissions, are planned for future updates.
+
+```ruby
+role :user, authorize_with: :logged_in_user
+
+def logged_in_user?
+  @user.present?
+end
+```
+
+### Users with multiple roles
+
+You may have noticed that in the first example `correct_user` has fewer permitted options
+defined than `user`. That is because PunditRoles does not treat roles as exclusionary.
+Users may have a single role or they may have multiple roles, within the context of the model they are trying to access.
+In the previous example, a `correct_user`, meaning a `user` trying to access it's own model, is naturally 
+also a regular `user`, so it will have access to all options a regular `user` has access to plus the 
+options that a `correct_user` has access to. 
+
+Take this example, to better illustrate what is happening: 
+
+```ruby
+role :user, authorize_with: :logged_in_user
+permitted_for :user,
+              attributes: {
+                show: %i(username name avatar)
+              }
+
+role :correct_user, authorize_with: :correct_user
+permitted_for :correct_user,
+              attributes: {
+                show: %i(email phone_number)
+              }
+              
+role :admin, authorize_with: :admin
+permitted_for :admin,
+              attributes: {
+                show: %i(email is_admin)
+              }
+```
+
+Here, a user which fulfills the `admin` condition trying to access it's own model, would receive the 
+options of all three roles, meaning the `permitted[:attributes][:show]` would look like: 
+```ruby
+[:username, :name, :avatar, :email, :phone_number, :is_admin]
+```
+Notice that there are no duplicates. This is because whenever a user tries to access an action, 
+PunditRoles will evaluate whether the user falls into the roles permitted to perform said action, 
+and if they do, it will uniquely merge the options hashes of all of these.
+
+If the user is an `admin`, but is not a `correct_user`, it will not receive the `phone_number` attribute,
+because that is unique to `correct_user` and vice versa.
+
+At present, there is no way to prevent merging of roles. Such a feature may be coming in a future update.
+
+### Inheritance and the default Guest role
+
+One thing to watch out for is that roles are inherited but options are not.
+This means that you may declare commonly used roles(whose validations are 
+independent of the `@record` of the Policy) in the ApplicationPolicy, and may reuse them
+further down the line. You may also overwrite roles defined in a parent class(these will not affect those in the parent).
+
+However, it is important to declare the options with the `permitted_for` method for each role that you permit
+in your Policy, otherwise the role will return an empty hash.
+
+With that in mind, PunditRoles comes with a default `:guest` role, which simply checks if
+the user is nil. If you wish to permit guest users for a particular action, simply define the
+options for it and allow it in your query method. 
+
+```ruby
+class UserPolicy < ApplicationPolicy
+  permitted_for :guest,
+                 attributes: {
+                   show: %i(username first_name last_name avatar),
+                   create: %i(username email password password_confirmation first_name last_name avatar)
+                 },
+                 associations: {}
+  
+  def show?
+    allow :guest
+  end
+  
+  def create?
+    allow :guest
+  end
+  
+end
+```
+
+* **Important!** The `:guest` role is exclusionary by default, meaning it cannot be merged
+with other roles. It is also the first role that is evaluated, and if the user is a `:guest`, it will return the guest
+attributes if `:guest` is allowed, or raise `PunditNotAuthorized` if not. 
+Do **NOT** overwrite the `:guest` role, that can lead to unexpected side effects, and if you wish to allow guest, use
+the existing role and not a custom one. 
+
+### Explicit declaration of options
+
+Options are declared with the `permitted_for` method, which receives the role as it's first argument,
+and the options as it's second.
+
+Valid options for the `permitted_for` method are `:attributes` and `:associations`. 
+Within these, valid options are `:show`,`:create`,`:update` and `:save` or the implicit options.
+
+### Implicit declaration of options
+
+PunditRoles provides a set of helpers to be able to implicitly declare the options of a role. 
+
+ ---
+ 
+Although this is a possibility, it is _highly recommended_ that you explicitly declare 
+attributes for each role, to avoid any issues further in development, like say, an extra 
+attribute that is added to a model later down the line. 
+
+---
+* **show_all**
+
+    Will be able to view all non-restricted options.
+    
+    ```ruby
+    role :admin, authorize_with: :admin
+    permitted_for :admin,
+                  attributes: :show_all,
+                  associations: :show_all
+    ```
+* **create_all, update_all, save_all**
+
+    Will be able to create, update or save all non-restricted attributes. These options also
+    imply that the role will be able to `show_all` options. 
+    ```ruby
+    role :admin, authorize_with: :admin
+    permitted_for :admin,
+                  attributes: :save_all,
+                  associations: :update_all
+    ```
+
+* **all**
+
+    Declare on a per-action basis whether the role has access to all options. 
+    ```ruby
+    role :admin, authorize_with: :admin
+    permitted_for :admin,
+                  attributes: {
+                    show: :all,
+                    save: %i(name username email)
+                  },
+                  associations: {
+                    show: :all
+                  }
+    ```
+
+* **all_minus**
+
+    Can be used to allow all attributes, except those declared. 
+    ```ruby
+    role :admin, authorize_with: :admin
+    permitted_for :admin,
+                  attributes: {
+                    show: [:all_minus, :password_digest]
+                  }
+    ```
+    The `:admin` role will now be able to view all attributes, except `password_digest`.
+
+### Restricted options
+
+PunditRoles allows you to define restricted options which will be removed when declaring 
+implicitly. By default, only the `:id`, `:created_at`, `:updated_at` attributes are restricted
+for `create`,`update` and `save` actions. You may overwrite this behaviour on a per-policy basis: 
+```ruby
+private
+
+def restricted_show_attributes
+  [:attr_one, :attr_two]
+end
+```
+Or if you want to add to it, instead of overwriting, use `super`:
+```ruby
+private
+
+def restricted_create_attributes
+  super + [:attr_one, :attr_two]
+end
+```
+
+There are 8 `restricted_#{action}_#{option_type}` methods in total, where `option_type` refers
+to either `attributes` or `associations` and `action` refers to `show`, `create`, `update` or `save`.
+
+## Planned updates
+
+Support for Pundit's scope method should be added in the near future, along with authorizing associations, 
+generators, and rspec helpers. And once the test suite is finished for this gem, it should be production
+ready. 
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake 'spec'` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports are welcome on GitHub at [StairwayB](https://github.com/StairwayB/pundit_roles).
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
+

data/Rakefile

@@ -0,0 +1,2 @@
+require "bundler/gem_tasks"
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "pundit_roles"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/pundit_roles/policy/base.rb

@@ -0,0 +1,148 @@
+require_relative 'role'
+require_relative 'policy_defaults/defaults'
+
+
+module Policy
+
+  # Base policy class to be extended by all other policies, authorizes users based on roles they fall into,
+  # return a uniquely merged hash of permitted attributes and associations of each role the @user has.
+  #
+  # @param user [Object] the user that initiated the action
+  # @param record [Object] the object we're checking permissions of
+  class Base
+    extend Role
+
+    include PolicyDefaults::Defaults
+
+    role :guest, authorize_with: :user_guest
+
+    attr_reader :user, :record
+
+    def initialize(user, record)
+      @user = user
+      @record = record
+    end
+
+    # Is here
+    def scope
+      Pundit.authorize_scope!(user, record.class, fields)
+    end
+
+    # Retrieves the permitted roles for the current @query, checks if @user is one or more of these roles
+    # and return a hash of attributes and associations that the @user has access to.
+    #
+    # @param query [Symbol, String] the predicate method to check on the policy (e.g. `:show?`)
+    def resolve_query(query)
+      permitted_roles = public_send(query)
+      if permitted_roles.is_a? TrueClass or permitted_roles.is_a? FalseClass
+        return permitted_roles
+      end
+
+      permissions_hash = self.class.permissions_hash
+
+      # Always checks if the @user is a :guest first. :guest users cannot only have the one :guest role
+      guest = self.class::Guest.new(self, permissions_hash[:guest])
+      if guest.test_condition
+        if permitted_roles.include? :guest
+          return guest.permitted
+        else
+          return false
+        end
+      end
+
+      current_roles = determine_current_roles(permitted_roles, permissions_hash)
+
+      unless current_roles.present?
+        return false
+      end
+
+      if current_roles.length == 1
+        current_roles.values[0][:roles] = current_roles.keys[0]
+        return current_roles.values[0]
+      end
+
+      return unique_merge(current_roles)
+    end
+
+    private
+
+    # Build a hash of the roles that the user fulfills and the roles' attributes and associations,
+    # based on the test_condition of the role.
+    #
+    # @param permitted_roles [Hash] roles returned by the query
+    # @param permissions_hash [Hash] unrefined hash of options defined by all permitted_for methods
+    def determine_current_roles(permitted_roles, permissions_hash)
+      current_roles = {}
+
+      permitted_roles.each do |permitted_role|
+        if permitted_role == :guest
+          next
+        end
+
+        begin
+          current_role = {class: "#{self.class}::#{permitted_role.to_s.classify}".constantize}
+          current_role_obj = current_role[:class].new(self, permissions_hash[permitted_role])
+          if current_role_obj.test_condition
+            current_roles[permitted_role] = current_role_obj.permitted
+          end
+        rescue NoMethodError =>e
+          raise NoMethodError, "Could not find test condition, needs to be defined as 'test_condition?' and passed to the role as 'authorize_with: :test_condition' => #{e.message}"
+        rescue NameError => e
+          raise NameError, "#{current_role[:role]} not defined => #{e.message} "
+        end
+      end
+
+      return current_roles
+    end
+
+    # Uniquely merge the options of all roles that the user fulfills
+    #
+    # @param roles [Hash] roles and options that the user fulfills
+    def unique_merge(roles)
+      merged_hash = {attributes: {}, associations: {}, roles: []}
+
+      roles.each do |role, option|
+        unless option.present?
+          next
+        end
+        merged_hash[:roles] << role
+        option.each do |type, actions|
+          unless actions.present?
+            next
+          end
+          actions.each do |key, value|
+            unless merged_hash[type][key]
+              merged_hash[type][key] = []
+            end
+            merged_hash[type][key] |= value
+          end
+        end
+      end
+
+      return merged_hash
+    end
+
+    # Helper method to be able to define allow: :guest, :user, etc. in the query methods
+    #
+    # @param *roles [Array] an array of permitted roles for a particular action
+    def allow(*roles)
+      return roles
+    end
+
+    # Scope class from Pundit, to be used for limiting scopes. Unchanged from Pundit,
+    # possible implementation forthcoming in a future update
+    class Scope
+      attr_reader :user, :scope
+
+      def initialize(user, scope)
+        @user = user
+        @scope = scope
+      end
+
+      def resolve
+        scope
+      end
+
+    end
+  end
+end

data/lib/pundit_roles/policy/policy_defaults/defaults.rb

@@ -0,0 +1,78 @@
+module PolicyDefaults
+  module Defaults
+    # default index? method
+    def index?
+      false
+    end
+
+    # default show? method
+    def show?
+      false
+    end
+
+    # default create? method
+    def create?
+      false
+    end
+
+    # default update? method
+    def update?
+      false
+    end
+
+    # default destroy? method
+    def destroy?
+      false
+    end
+
+    # default authorization method
+    def default_authorization?
+      return false
+    end
+
+    # @authorize_with method for :guest role
+    def user_guest?
+      @user.nil?
+    end
+
+    # restricted attributes for show
+    def restricted_show_attributes
+      []
+    end
+
+    # restricted attributes for save
+    def restricted_save_attributes
+      [:id, :created_at, :updated_at]
+    end
+
+    # restricted attributes for create
+    def restricted_create_attributes
+      [:id, :created_at, :updated_at]
+    end
+
+    # restricted attributes for update
+    def restricted_update_attributes
+      [:id, :created_at, :updated_at]
+    end
+
+    # restricted associations for show
+    def restricted_show_associations
+      []
+    end
+
+    # restricted associations for save
+    def restricted_save_associations
+      []
+    end
+
+    # restricted associations for create
+    def restricted_create_associations
+      []
+    end
+
+    # restricted associations for update
+    def restricted_update_associations
+      []
+    end
+  end
+end

data/lib/pundit_roles/policy/role/base.rb

@@ -0,0 +1,169 @@
+module Role
+  # Base class that all roles inherit, stores role options in class instance variables
+  # and creates a hash of attributes and associations from the options defined in permitted_for methods
+  #
+  # @param authorize_with [Symbol, String] class instance attribute which stores the method that is used to
+  # authorize users
+  # @param disable_merge [TrueClass, FalseClass] unused as of yet
+  # @param policy [Object] instance variable used to store a reference to the policy which instantiated the class
+  # @param permission_options [Hash] unrefined hash of options to be refined by the permitted method
+  class Base
+
+    # Class instance variable accessors
+    class << self
+      attr_accessor :authorize_with, :disable_merge
+    end
+
+    @authorize_with = :default_authorization
+    @disable_merge = nil
+
+    attr_reader :policy
+
+    def initialize(policy, permission_options)
+      @policy = policy
+      @permission_options = permission_options
+      freeze
+    end
+
+    # Helper instance method to retrieve the class instance variable @authorize_with
+    def authorize_with
+      return self.class.authorize_with
+    end
+
+    # Send the method to the policy to check if user falls into this role
+    def test_condition
+      @policy.send(authorize_with)
+    end
+
+    # Returns a refined hash of attributes and associations this user has access to
+    def permitted
+      if not @permission_options
+        permitted =  {attributes: {},
+                      associations: {}}
+
+      elsif @permission_options.is_a? Symbol
+        permitted =  {attributes: handle_default_options(@permission_options, 'attributes'),
+                      associations: handle_default_options(@permission_options, 'associations')}
+      else
+        permitted =  {attributes: init_options(@permission_options[:attributes], 'attributes'),
+                      associations: init_options(@permission_options[:associations], 'associations')}
+      end
+
+      return permitted
+    end
+
+    private
+
+    # Build hash of options when options are explicitly declared as a Hash
+    #
+    # @param options [Hash] unrefined hash containing either attributes or associations
+    # @param type [String] the type of option to be built, can be 'attributes' or 'associations'
+    def init_options(options, type)
+      unless options.present?
+        return {}
+      end
+
+      if options.is_a? Symbol
+        return handle_default_options(options, type)
+      end
+
+      raise ArgumentError, "Permitted #{type}, if declared, must be declared as a Hash or Symbol, expected something along the lines of
+                            {show: [:id, :name], create: [:name], update: :all} or :all, got #{options}" unless options.is_a? Hash
+
+      parsed_options = {}
+      options.each do |key, value|
+        raise ArgumentError, "Expected Symbol or Array, for #{key} attribute, got #{value} of kind #{value.class}" unless _permitted_value_types value
+
+        if value.is_a? Symbol and value == :all
+          parsed_options[key] = send("get_all_#{type}")
+          next
+        end
+
+        if value.is_a? Array
+          case value.first
+            when :all_minus
+              parsed_options[key] = send("get_all_#{type}") - (value - [value.first])
+            else
+              parsed_options[key] = value
+          end
+          next
+        end
+      end
+
+      return parsed_options
+    end
+
+    # Build hash of options when options are implicitly declared as a Symbol, ex: :show_all
+    #
+    # @param option [Symbol] unrefined hash containing either attributes or associations
+    # @param type [String] the type of option to be built, can be 'attributes' or 'associations'
+    def handle_default_options(option, type)
+      raise ArgumentError, "Permitted options for implicit permission declaration are #{_allowed_access_options},
+                            got #{option} instead" unless _allowed_access_options.include? option
+      parsed_options = {}
+      case option
+        when :show_all
+          parsed_options[:show] = send("get_all_#{type}")
+        else
+          of_type = option.to_s.gsub('_all', '').to_sym
+          parsed_options[:show] = send("get_all_#{type}")
+          parsed_options[of_type] = send("get_all_#{type}")
+      end
+
+      return remove_restricted(parsed_options, type)
+    end
+
+    # Remove restricted attributes declared in the @policy restricted_#{key}_#{type} methods,
+    # ex: restricted_show_attributes
+    #
+    # @param obj [Hash] refined hash containing either attributes or associations
+    # @param type [String] the type of option to be built, can be 'attributes' or 'associations'
+    def remove_restricted(obj, type)
+      permitted_obj_values = {}
+
+      obj.each do |key, value|
+        restricted = @policy.send("restricted_#{key}_#{type}")
+        permitted_obj_values[key] = restricted.present? ? value - restricted : value
+      end
+
+      return permitted_obj_values
+    end
+
+    # Returns all attributes of a record or scope defined in the @policy
+    def get_all_attributes
+      begin
+        @policy.record.class.column_names.map(&:to_sym)
+      rescue NoMethodError
+        begin
+          @policy.scope.column_names.map(&:to_sym)
+        rescue NoMethodError
+          raise NoMethodError, "#{@policy} does not have a record or scope defined(or scope is not an ActiveRecord::Association), this is a problem."
+        end
+      end
+    end
+
+    # Returns all associations of a record or scope defined in the @policy
+    def get_all_associations
+      begin
+        @policy.record.class.reflect_on_all_associations.map(&:name)
+      rescue NoMethodError
+        begin
+          @policy.scope.reflect_on_all_associations.map(&:name)
+        rescue NoMethodError
+          raise NoMethodError, "#{@policy} does not have a record or scope defined(or scope is not an ActiveRecord::Association), this is a problem."
+        end
+      end
+    end
+
+    # allowed options for implicit declaration
+    def _allowed_access_options
+      [:show_all, :save_all, :create_all, :update_all]
+    end
+
+    # allowed options for explicit declaration
+    def _permitted_value_types(value)
+      value.is_a? Symbol or value.is_a? Array
+    end
+
+  end
+end

data/lib/pundit_roles/policy/role.rb

@@ -0,0 +1,99 @@
+require_relative 'role/base'
+
+# Module which handles all class-level methods-and-instance variables. Add the ability for a class to define roles
+# as dynamically generated classes and permitted options for those roles as class instance variables on the @policy.
+#
+# @param permission_hash [Hash] hash containing the unrefined attributes and association options
+# @param scope_hash [Hash] unused as of yet
+module Role
+  attr_accessor :permissions_hash, :scope_hash
+  @permissions_hash = {}
+  @scope_hash = {}
+
+  # Method to define a role with the opts used for those roles, checks if all is kosher and calls the the method
+  # to create the role
+  #
+  # @param role [Symbol, String] the role name
+  # @param opts [Hash] options for the role
+  def role(role, opts)
+    options = opts.slice(*_role_default_keys)
+
+    raise ArgumentError, 'You need to supply :authorize_with' unless options.slice(*_required_attributes).present?
+
+    unless role.is_a? Symbol or role.is_a? String
+      raise ArgumentError, "Expected Symbol or String for role, got #{role.class}"
+    end
+
+    create_role(role, self, options)
+  end
+
+  # Dynamically generates a class with the options and sets the constant on the @policy
+  #
+  # @param role [Symbol, String] the name of the role
+  # @param policy [Object] the reference to the policy to set the constant on, should be passed a 'self' reference
+  # @param opts [Hash] options for the role
+  def create_role(role, policy, opts)
+    begin
+      policy.const_set role.to_s.classify, Class.new(Role::Base) {
+        @authorize_with = "#{opts[:authorize_with]}?"
+        @disable_merge = opts[:disable_merge]
+      }
+    rescue NameError => e
+      raise ArgumentError, "Something went wrong, possible NameError with #{policy} or #{role} => #{e.message}"
+    end
+  end
+
+  # Saves the unrefined options into the @permission_hash class instance variable
+  #
+  # @param role [Symbol, String] the name of the role to which the opts are associated
+  # @param opts [Hash] the hash of options
+  def permitted_for(role, opts)
+    options = opts.slice(*_permitted_for_keys)
+
+    @permissions_hash = {} if @permissions_hash.nil?
+    @permissions_hash[role] = options
+  end
+
+  # Helper method to declare attributes directly
+  #
+  # @param role [Symbol, String] the name of the role to which the opts are associated
+  # @param attr [Hash] the hash of attributes
+  def permitted_attr_for(role, attr)
+    options = attr.slice(*_permitted_opt_for_keys)
+
+    @permissions_hash = {} if @permissions_hash.nil?
+    @permissions_hash[role] = {:attributes => options}
+  end
+
+  # Helper method to declare associations directly
+  #
+  # @param role [Symbol, String] the name of the role to which the opts are associated
+  # @param assoc [Hash] the hash of associations
+  def permitted_assoc_for(role, assoc)
+    options = assoc.slice(*_permitted_opt_for_keys)
+
+    @permissions_hash = {} if @permissions_hash.nil?
+    @permissions_hash[role] = {:associations => options}
+  end
+
+  # default options for role declaration
+  private def _role_default_keys
+    [:authorize_with, :disable_merge]
+  end
+
+  # required options for role declaration
+  private def _required_attributes
+    [:authorize_with]
+  end
+
+  # permitted options for permitted_for declaration
+  private def _permitted_for_keys
+    [:attributes, :associations]
+  end
+
+  # permitted options for permitted_assoc_for and permitted_attr_for declaration
+  private def _permitted_opt_for_keys
+    [:show, :create, :update, :save]
+  end
+
+end

data/lib/pundit_roles/pundit.rb

@@ -0,0 +1,34 @@
+module PunditOverwrite
+
+  # Overwrite for Pundit's default authorization, to be able to use PunditRoles. Does not conflict with existing
+  # Pundit implementations
+  #
+  # @param record [Object] the object we're checking permissions of
+  # @param query [Symbol, String] the predicate method to check on the policy (e.g. `:show?`).
+  #   If omitted then this defaults to the Rails controller action name.
+  # @raise [NotAuthorizedError] if the given query method returned false
+  # @return [Object] Always returns the passed object record
+  def authorize(record, query = nil)
+    query ||= params[:action].to_s + '?'
+
+    @_pundit_policy_authorized = true
+
+    policy = policy(record)
+
+    permitted_records = policy.resolve_query(query)
+
+    unless permitted_records
+      raise Pundit::NotAuthorizedError, query: query, record: record, policy: policy
+    end
+
+    if permitted_records.is_a? TrueClass
+      return record
+    end
+
+    return permitted_records
+  end
+end
+
+module Pundit
+  prepend PunditOverwrite
+end

data/lib/pundit_roles/version.rb

@@ -0,0 +1,3 @@
+module PunditRoles
+  VERSION = "0.1.2"
+end

data/lib/pundit_roles.rb

@@ -0,0 +1,13 @@
+require 'active_support/core_ext/hash/slice'
+require 'active_support/core_ext/array/extract_options'
+require 'active_support/core_ext/string/inflections'
+require 'active_support/core_ext/object/blank'
+
+require 'pundit_roles/version'
+require 'pundit_roles/pundit'
+require 'pundit_roles/policy/base'
+require 'pundit'
+
+module PunditRoles
+  include Pundit
+end

data/pundit_roles.gemspec

@@ -0,0 +1,26 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'pundit_roles/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "pundit_roles"
+  spec.version       = PunditRoles::VERSION
+  spec.authors       = ["Daniel Balogh"]
+  spec.email         = ["danielferencbalogh@gmail.com"]
+
+  spec.summary       = %q{Extends Pundit with roles, which allow attribute and association level authorizations}
+  spec.description   = %q{Extends Pundit with roles}
+  spec.homepage      = "https://github.com/StairwayB/pundit_roles"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.required_ruby_version = '>= 2.3.1'
+  spec.add_dependency "activesupport", ">= 3.0.0"
+end

metadata

@@ -0,0 +1,74 @@
+--- !ruby/object:Gem::Specification
+name: pundit_roles
+version: !ruby/object:Gem::Version
+  version: 0.1.2
+platform: ruby
+authors:
+- Daniel Balogh
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2017-10-24 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+description: Extends Pundit with roles
+email:
+- danielferencbalogh@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".travis.yml"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- lib/pundit_roles.rb
+- lib/pundit_roles/policy/base.rb
+- lib/pundit_roles/policy/policy_defaults/defaults.rb
+- lib/pundit_roles/policy/role.rb
+- lib/pundit_roles/policy/role/base.rb
+- lib/pundit_roles/pundit.rb
+- lib/pundit_roles/version.rb
+- pundit_roles.gemspec
+homepage: https://github.com/StairwayB/pundit_roles
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.3.1
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.11
+signing_key: 
+specification_version: 4
+summary: Extends Pundit with roles, which allow attribute and association level authorizations
+test_files: []