pundit_roles 0.5.1 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 73b78e648f853870e204510432f843c7a003b32f
-  data.tar.gz: 5ca295739ef6482eeceffc70b2d49726bb672fcd
+  metadata.gz: 3adfc7de31b2f6a060d158f0106328f4bf86f68b
+  data.tar.gz: 95c046a4a1fa112a76823146c83421229f6aaf8b
 SHA512:
-  metadata.gz: 9d37558263e616455f8fd07e155fa7529ff1e0a262c38978b6a4cc04a85f2dd91f42a17f68c8bfcda0012f3594ec2226393b644176ee81c79590103481436e53
-  data.tar.gz: '084bd79f07ce70c8d583dc8c460b2fd6e22940854886dcf2970633c220be539ac98902c630db5575a1e71e981759d285ac6d68d4f1f5598af4ed828c5e337fee'
+  metadata.gz: 04a8d8ec524eecc18998b74c346200ff5e00b1c9c913f8cab8e292f80885f9c575f8cc1d8cce10586ade02a7621e4685b9725bee8a2ea0ffc1e445648adb07c9
+  data.tar.gz: 3bca92b85679f634a4317df69bd60e59dcb36c75d4fa009dcb5308e51dd5e6c5a79e1b85f4d6e5c6dc34257bb0e32d88d0de1779be6bddea28a0e6a28a1067eb

data/CHANGELOG.md

@@ -14,3 +14,5 @@
 
 - `authorize` method has been renamed to `authorize!`
 - added support for limiting scopes, can be called with `policy_scope!`
+
+## 0.6.0 

data/Gemfile

@@ -8,6 +8,8 @@ gem 'activemodel'
 gem 'pundit', '~> 1.1.0'
 
 group :development, :test do
+  # gem 'simplecov', :require => false
+
   gem "bundler"
   gem "pry"
   gem "rake"

data/lib/pundit_roles.rb

@@ -8,6 +8,7 @@ require 'pundit_roles/pundit'
 require 'pundit_roles/policy/base'
 require 'pundit'
 
+
 # Enhances Pundit with roles, allows definition of attribute and association level authorization
 module PunditRoles
   include Pundit

data/lib/pundit_roles/policy/base.rb

@@ -5,10 +5,10 @@ require_relative 'policy_defaults'
 module Policy
 
   # Base policy class to be extended by all other policies, authorizes users based on roles they fall into,
-  # return a uniquely merged hash of permitted attributes and associations of each role the @user has.
+  # Can be used to get the attributes or scope of roles.
   #
   # @attr_reader user [Object] the user that initiated the action
-  # @attr_reader resource [Object] the object we're checking permissions of
+  # @attr_reader resource [Object] the object we're checking @permissions of
   class Base
     extend Role
     include PolicyDefaults
@@ -17,10 +17,11 @@ module Policy
     def initialize(user, resource)
       @user = user
       @resource = resource
+      freeze
     end
 
     # Retrieves the permitted roles for the current query, checks if user is one or more of these roles
-    # and return a hash of attributes and associations that the user has access to.
+    # and return a hash of attributes that the user has access to.
     #
     # @param query [Symbol, String] the predicate method to check on the policy (e.g. `:show?`)
     def resolve_query(query)
@@ -35,9 +36,7 @@ module Policy
       end
 
       current_roles = determine_current_roles(permitted_roles)
-      return false unless current_roles.present?
-
-      return options_or_merge(current_roles, permissions)
+      return unique_merge(current_roles, permissions)
     end
 
     # Retrieves the permitted roles for the current query and checks each role, until it finds one that
@@ -61,6 +60,14 @@ module Policy
       return instance_eval &scopes[current_roles[0]]
     end
 
+    def resolve_as_association(roles, actions)
+      permissions = self.class.permissions
+      default_roles = self.class::DEFAULT_ASSOCIATED_ROLES
+      associated_roles = roles.present? ? roles|default_roles : default_roles
+
+      return unique_merge(associated_roles, permissions, actions)
+    end
+
     private
 
     # Return the default :guest role if guest is present in permitted_roles. Return false otherwise
@@ -69,7 +76,14 @@ module Policy
     # @param permissions [Hash] unrefined hash of options defined by all permitted_for methods
     def handle_guest_options(permitted_roles, permissions)
       if permitted_roles.include? :guest
-        return permissions[:guest].merge({roles: [:guest]})
+        guest_associations = self.class.role_associations[:guest] ? self.class.role_associations[:guest] : {}
+        return permissions[:guest].merge(
+          {roles:
+             {
+               for_current_model: [:guest],
+               for_associated_models: guest_associations
+             }
+          })
       end
       return false
     end
@@ -81,18 +95,47 @@ module Policy
       return false
     end
 
-    # inspects the current_roles and returns the appropriate option
+    # Uniquely merge the options of all roles that the user fulfills
+    # Returns only the action(i.e. show, create) that was requested, by default this is all actions
     #
-    # @param current_roles [Hash] roles that the current user fulfills
-    # @param permissions [Hash] unrefined hash of options defined by all permitted_for methods
-    def options_or_merge(current_roles, permissions)
-      return false unless current_roles.present?
+    # @param roles [Hash] roles that the user fulfills
+    # @param permissions [Hash] the options for all roles
+    # @param requested_actions [Array] the requested actions
+    def unique_merge(roles, permissions, requested_actions = [:show, :create, :update, :save])
+      return false unless roles.present?
+      merged_hash = {attributes: {}, associations: {}, roles: {for_current_model: [], for_associated_models: {}}}
+
+      roles.each do |role|
+        merged_hash[:roles][:for_current_model] |= [role]
+        merged_hash[:roles][:for_associated_models] = merge_associated_roles(role, merged_hash[:roles][:for_associated_models])
 
-      if current_roles.length == 1
-        return permissions[current_roles[0]].merge({roles: [current_roles[0]]})
+        raise ArgumentError, "Role #{role} is not defined" unless permissions[role].present?
+
+        permissions[role].each do |type, permitted_actions|
+          actions = permitted_actions.slice(*requested_actions)
+          actions.each do |key, value|
+            unless merged_hash[type][key]
+              merged_hash[type][key] = []
+            end
+            merged_hash[type][key] |= value
+          end
+        end
       end
 
-      return unique_merge(current_roles, permissions)
+      return merged_hash
+    end
+
+    def merge_associated_roles(role, merged_opts)
+      associated_roles = self.class.role_associations
+
+      return {} unless associated_roles[role].present?
+
+      associated_roles[role].each do |k, v|
+        assoc_role = {k => v}
+        merged_opts = merged_opts.merge(assoc_role){ | key, old, new | old | new}
+      end
+
+      return merged_opts
     end
 
     # Build an Array of the roles that the user fulfills.
@@ -114,27 +157,6 @@ module Policy
       return current_roles
     end
 
-    # Uniquely merge the options of all roles that the user fulfills
-    #
-    # @param roles [Hash] roles that the user fulfills
-    # @param permissions [Hash] the options for all roles
-    def unique_merge(roles, permissions)
-      merged_hash = {attributes: {}, associations: {}, roles: roles}
-
-      roles.each do |role|
-        permissions[role].each do |type, actions|
-          actions.each do |key, value|
-            unless merged_hash[type][key]
-              merged_hash[type][key] = []
-            end
-            merged_hash[type][key] |= value
-          end
-        end
-      end
-
-      return merged_hash
-    end
-
     # Helper method for testing the conditional of a role
     #
     # @param role [Symbol] the role to be tested
@@ -180,20 +202,6 @@ module Policy
     def _allowed_permission_types
       [Array, FalseClass, TrueClass]
     end
-
-    # Scope class from Pundit, not used in this gem
-    class Scope
-      attr_reader :user, :scope
-
-      def initialize(user, scope)
-        @user = user
-        @scope = scope
-      end
-
-      def resolve
-        scope
-      end
-
-    end
   end
+  
 end

data/lib/pundit_roles/policy/policy_defaults.rb

@@ -25,6 +25,9 @@ module PolicyDefaults
     false
   end
 
+  # defaults to this when no associated_as roles have been provided. It is also merged to the provided roles
+  DEFAULT_ASSOCIATED_ROLES = []
+
   # restricted attributes for show
   RESTRICTED_SHOW_ATTRIBUTES = []
 

data/lib/pundit_roles/policy/role.rb

@@ -2,50 +2,71 @@ require_relative 'role/option_builder'
 
 # Extended by Policy::Base. Defines the methods necessary for declaring roles.
 module Role
-
   attr_accessor :permissions
+  attr_accessor :role_associations
   attr_accessor :scopes
 
   # Builds a new role by saving it into the #permissions class instance variable
-  # Valid options are :attributes, :associations, :scope, :uses_db, :extend
+  # Valid options are :attributes, :associations, :associated_as, :scope
   #
   # @param *opts [Array] the roles, and the options which define the roles
   # @raise [ArgumentError] if the options are incorrectly defined, or no options are present
   def role(*opts)
-    user_opts = opts.extract_options!.dup
-    options = user_opts.slice(*_role_default_keys)
+    role_opts = opts.extract_options!.dup
+    options = role_opts.slice(*_role_default_keys)
 
     raise ArgumentError, 'Please provide at least one role' unless opts.present?
+    raise_if_options_are_invalid(options)
 
     @permissions = {} if @permissions.nil?
     @scopes = {} if @scopes.nil?
-
-    options.each do |key, value|
-      if value.present?
-        expected = _role_option_validations[key]
-        do_raise = true
-        expected.each do |type|
-          do_raise = false if value.is_a? type
-        end
-        raise ArgumentError, "Expected #{expected} for #{key}, got #{value.class}" if do_raise
-      end
-    end
+    @role_associations = {} if @role_associations.nil?
 
     opts.each do |role|
       raise ArgumentError, "Expected Symbol for #{role}, got #{role.class}" unless role.is_a? Symbol
+
+      if options[:associated_as].present?
+        build_associated_roles(role, options[:associated_as])
+      end
+
       @permissions[role] = OptionBuilder.new(self, options[:attributes], options[:associations],  options[:scope]).permitted
       @scopes[role] = options[:scope]
     end
   end
 
+  # @api private
+  private def build_associated_roles(role, associated_as)
+    associated_as.each do |key, value|
+      unless associated_as[key].is_a? Array
+        associated_as[key] = [value]
+      end
+    end
+    @role_associations[role] = associated_as
+  end
+
+  # @api private
+  private def raise_if_options_are_invalid(options)
+    options.each do |key, value|
+      if value.present?
+        will_raise = true
+        _role_option_validations[key].each do |type|
+          will_raise = false if value.is_a? type
+        end
+        raise ArgumentError, "Expected #{expected} for #{key}, got #{value.class}" if will_raise
+      end
+    end
+  end
+
   # @api private
   private def _role_default_keys
-    [:attributes, :associations, :scope, :uses_db, :extend]
+    [:attributes, :associations, :associated_as, :scope]
   end
 
   # @api private
   private def _role_option_validations
-    {attributes: [Hash, Symbol], associations: [Hash, Symbol], scope: [Proc], uses_db: [Symbol], extend: [Symbol]}
+    {attributes: [Hash, Symbol], associations: [Hash, Symbol], associated_as: [Hash], scope: [Proc]}
   end
 
+
+
 end

data/lib/pundit_roles/policy/role/option_builder.rb

@@ -50,10 +50,6 @@ module Role
     # @param options [Hash] unrefined hash containing either attributes or associations
     # @param type [String] the type of option to be built, can be 'attributes' or 'associations'
     def init_options(options, type)
-      unless options.present?
-        return {}
-      end
-
       raise ArgumentError, "Permitted #{type}, if declared, must be declared as a Hash or Symbol, expected something along the lines of
                             {show: [:id, :name], create: [:name], update: :all} or :all, got #{options}" unless options.is_a? Hash
 
@@ -61,21 +57,27 @@ module Role
       options.each do |key, value|
         raise ArgumentError, "Expected Symbol or Array, for #{key} attribute, got #{value} of kind #{value.class}" unless _permitted_value_types value
 
+        if key == :save
+          actions = [:create, :update]
+        else
+          actions = [key]
+        end
+
         if value.is_a? Symbol and value == :all
-          parsed_options[key] = send("get_all_#{type}")
+          actions.each do |action|
+            parsed_options[action] = remove_restricted(action, type)
+          end
           next
         end
 
-        # todo: This needs some rethinking
         if value.is_a? Array
-          case value.first
-            when :all_minus
-              parsed_options[key] = send("get_all_#{type}") - (value - [value.first])
-            else
-              parsed_options[key] = value
+          actions.each do |action|
+            parsed_options[action] = [] unless parsed_options[action].present?
+            parsed_options[action] |= value
           end
           next
         end
+
       end
 
       return parsed_options
@@ -91,29 +93,30 @@ module Role
       parsed_options = {}
       case option
         when :show_all
-          parsed_options[:show] = get_all(type)
+          parsed_options[:show] = remove_restricted(:show, type)
+        when :save_all
+          [:show, :create, :update].each do |action|
+            parsed_options[action] = remove_restricted(action, type)
+          end
         else
-          of_type = option.to_s.gsub('_all', '').to_sym
-          parsed_options[:show] = get_all(type)
-          parsed_options[of_type] = get_all(type)
+          option_type = option.to_s.gsub('_all', '').to_sym
+          [:show, option_type].each do |action|
+            parsed_options[action] = remove_restricted(action, type)
+          end
       end
 
-      return remove_restricted(parsed_options, type)
+      return parsed_options
     end
 
     # Remove restricted attributes declared in the #policy RESTRICTED_#{key}_#{type} constants
     #
-    # @param obj [Hash] refined hash containing either attributes or associations
+    # @param action [Hash] the action we're fetch the restricted options for
     # @param type [String] the type of option to be built, can be 'attributes' or 'associations'
-    def remove_restricted(obj, type)
-      permitted_obj_values = {}
-
-      obj.each do |key, value|
-        restricted = "#{@policy}::RESTRICTED_#{key.upcase}_#{type.upcase}".constantize
-        permitted_obj_values[key] = restricted.present? ? value - restricted : value
-      end
+    def remove_restricted(action, type)
+      all_attributes = get_all(type)
+      restricted = "#{@policy}::RESTRICTED_#{action.upcase}_#{type.upcase}".constantize
 
-      return permitted_obj_values
+      return restricted.present? ? all_attributes - restricted : all_attributes
     end
 
     # Returns all attributes of a record or scope defined in the #policy
@@ -130,7 +133,8 @@ module Role
       begin
         send("get_all_#{type}")
       rescue NameError => e
-        raise ArgumentError, "#{@policy} does not have a corresponding model: #{@policy.to_s.gsub('Policy', '')}, implicit declarations are not allowed => #{e.message}"
+        raise ArgumentError, "#{@policy} does not seem to have a corresponding model: "+
+          "#{@policy.to_s.gsub('Policy', '')}, implicit declarations are not allowed => #{e.message}"
       end
     end
 

data/lib/pundit_roles/pundit.rb

@@ -1,57 +1,99 @@
+require 'pundit_roles/pundit_associations'
+require 'pundit_roles/pundit_selectors'
+
 # Contains the overwritten #authorize method
 module PunditOverwrite
+  include PunditAssociations
+  include PunditSelectors
 
   # A modified version of Pundit's default authorization. Returns a hash of permitted attributes or raises exception
   # it the user is not authorized
   #
-  # @param resource [Object] the object we're checking permissions of
-  # @param query [Symbol, String] the predicate method to check on the policy (e.g. `:show?`).
-  #   If omitted then this defaults to the Rails controller action name.
+  # @param resource [Object] the object we're checking @permitted_attributes of
+  # @param opts [Hash] options for scopes: query, associations
+  #   query: the method which returns the permissions,
+  #     If omitted then this defaults to the Rails controller action name.
+  #   associations: associations to authorize, defaults to []
   # @raise [NotAuthorizedError] if the given query method returned false
-  # @return [Object, Hash] Returns the permissions hash or the resource
-  def authorize!(resource, query = nil)
-    query ||= params[:action].to_s + '?'
+  # @return [Object, Hash] Returns the @permitted_attributes hash or the resource
+  def authorize!(resource, opts = {query: nil, associations: []})
+    opts[:query] ||= params[:action].to_s + '?'
 
     @_pundit_policy_authorized = true
 
+    @pundit_current_options = {
+      primary_resource: resource.is_a?(Class) ? resource : resource.class,
+      current_query: opts[:query]
+    }
+
     policy = policy(resource)
-    permitted_records = policy.resolve_query(query)
+    primary_permission = policy.resolve_query(opts[:query])
+
+    unless primary_permission
+      raise_not_authorized(resource)
+    end
+
+    if primary_permission.is_a? TrueClass
+      return resource
+    end
+
+    @pundit_primary_permissions = primary_permission
+
+    primary_resource_identifier = @pundit_current_options[:primary_resource].name.underscore.to_sym
+    @pundit_attribute_lists = {
+      show: {primary_resource_identifier => primary_show_attributes},
+      create: [*primary_create_attributes],
+      update: [*primary_update_attributes]
+    }
+    @pundit_permission_table = {}
+    @pundit_permitted_associations = {show: [], create: [], update: []}
 
-    return determine_action(resource, query, policy, permitted_records)
+    if opts[:associations].present?
+      authorize_associations!(opts)
+    end
+
+    return @pundit_primary_permissions
   end
 
   # Returns the permitted scope or raises exception
   #
-  # @param resource [Object] the object we're checking permissions of
-  # @param query [Symbol, String] the predicate method to check on the policy (e.g. `:show?`).
-  #   If omitted then this defaults to the Rails controller action name.
+  # @param resource [Object] the object we're checking @permitted_attributes of
+  # @param opts [Hash] options for scopes: query, associations
+  #   query: the method which returns the permissions,
+  #     If omitted then this defaults to the Rails controller action name.
+  #   associations: associations to scope, defaults to []
   # @raise [NotAuthorizedError] if the given query method returned false
-  # @return [Object, ActiveRecord::Association] Returns the permissions hash or the resource
-  def policy_scope!(resource, query = nil)
-    query ||= params[:action].to_s + '?'
+  # @return [Object, ActiveRecord::Association] Returns the @permitted_attributes hash or the resource
+  def policy_scope!(resource, opts= {query: nil, associations: []})
+    opts[:query] ||= params[:action].to_s + '?'
 
     @_pundit_policy_scoped = true
 
-    policy = policy(resource)
-    permitted_scope = policy.resolve_scope(query)
-
-    return determine_action(resource, query, policy, permitted_scope)
-  end
+    @pundit_current_options = {
+      primary_resource: resource.is_a?(Class) ? resource : resource.class,
+      current_query: opts[:query]
+    }
 
-  private
+    policy = policy(resource)
+    permitted_scope = policy.resolve_scope(opts[:query])
 
-  # @api private
-  def determine_action(resource, query, policy, permitted)
-    unless permitted
-      raise Pundit::NotAuthorizedError, query: query, record: resource, policy: policy
+    unless permitted_scope
+      raise_not_authorized(resource)
     end
 
-    if permitted.is_a? TrueClass
+    if permitted_scope.is_a? TrueClass
       return resource
     end
 
-    return permitted
+    return permitted_scope
+  end
+
+  def raise_not_authorized(record)
+    raise Pundit::NotAuthorizedError,
+          query: @pundit_current_options[:current_query],
+          record: record
   end
+
 end
 
 # Prepends the PunditOverwrite to Pundit, in order to overwrite the default Pundit #authorize method

data/lib/pundit_roles/pundit_associations.rb

@@ -0,0 +1,186 @@
+# Module containing the methods to authorize associations
+module PunditAssociations
+
+  # authorizes associations for the primary record
+  #
+  # @param opts [Hash]
+  #   query: the method which returns the permissions,
+  #     If omitted then this defaults to the Rails controller action name.
+  #   associations: associations to authorize, defaults to []
+  def authorize_associations!(opts = {query: nil, associations: []})
+    raise ArgumentError, 'You must first call authorize!' unless @pundit_primary_permissions.present?
+
+    opts[:query] ||= params[:action].to_s + '?'
+
+    @pundit_requested_associations = Array.new(opts[:associations])
+    @pundit_allowed_associations = []
+
+    handle_associations(
+      @pundit_current_options[:primary_resource],
+      @pundit_requested_associations,
+      @pundit_primary_permissions,
+      @pundit_allowed_associations
+    )
+
+    [:show, :create, :update].each do |type|
+      determine_permitted_associations(
+        @pundit_allowed_associations,
+        @pundit_primary_permissions,
+        @pundit_permitted_associations[type],
+        type
+      )
+    end
+
+    @pundit_attribute_lists[:show].merge!(association_show_attributes)
+
+    [:create, :update].each do |type|
+      determine_save_permissions(
+        @pundit_permitted_associations[type],
+        @pundit_attribute_lists[type],
+        type
+      )
+    end
+  end
+
+  private
+
+  # @api private
+  def handle_associations(record_class, requested_assoc, pundit_permission, permitted_assoc)
+    permitted_actions = format_association_list(pundit_permission[:associations])
+
+    requested_assoc.each do |assoc|
+      if assoc.is_a? Symbol or assoc.is_a? String
+        unless permitted_actions.keys.map(&:to_sym).include? assoc.to_sym
+          next
+        end
+
+        assoc_constant = get_assoc_constant(record_class, assoc)
+        fetch_assoc_policy(
+          assoc_constant,
+          assoc,
+          pundit_permission[:roles][:for_associated_models][assoc],
+          permitted_actions[assoc]
+        )
+        permitted_assoc << assoc
+
+      elsif assoc.is_a? Hash
+        assoc.each do |current_assoc, value|
+          unless permitted_actions.keys.map(&:to_sym).include? current_assoc.to_sym
+            next
+          end
+
+          assoc_constant = get_assoc_constant(record_class, current_assoc)
+          fetch_assoc_policy(
+            assoc_constant,
+            current_assoc,
+            pundit_permission[:roles][:for_associated_models][current_assoc],
+            permitted_actions[current_assoc]
+          )
+          permitted_assoc << {current_assoc => []}
+          handle_associations(
+            assoc_constant,
+            value,
+            @pundit_permission_table[current_assoc],
+            permitted_assoc.last[current_assoc]
+          )
+        end
+      else
+        raise ArgumentError, "Invalid association parameter, expected one of #{_valid_assoc_opts}, "+
+          "got #{assoc} of class #{assoc.class}"
+      end
+    end
+  end
+
+  # @api private
+  def fetch_assoc_policy(assoc_constant, association, associated_roles, actions)
+    assoc_policy = policy(assoc_constant)
+    assoc_permission = assoc_policy.resolve_as_association(associated_roles, actions)
+
+    unless assoc_permission
+      raise_not_authorized(assoc_constant)
+    end
+
+    @pundit_permission_table[association] = assoc_permission
+  end
+
+  # @api private
+  def format_association_list(assoc)
+    permitted_actions = {}
+    assoc.each do |key, associations|
+      associations.each do |ass|
+        permitted_actions[ass] = [] unless permitted_actions[ass].present?
+        permitted_actions[ass] |= [key]
+      end
+    end
+
+    return permitted_actions
+  end
+
+  # @api private
+  def determine_permitted_associations(requested_assoc, pundit_permission, permitted_opts, type)
+    permitted_actions = pundit_permission[:associations][type]
+
+    requested_assoc.each do |assoc|
+      if assoc.is_a? Symbol or assoc.is_a? String
+        if permitted_actions and permitted_actions.include? assoc
+          permitted_opts << assoc
+        end
+      elsif assoc.is_a? Hash
+        assoc.each do |current_assoc, value|
+          if permitted_actions and permitted_actions.include? current_assoc
+            permitted_opts << {current_assoc => []}
+
+            determine_permitted_associations(
+              value,
+              @pundit_permission_table[current_assoc],
+              permitted_opts.last[current_assoc],
+              type
+            )
+          end
+        end
+      end
+    end
+  end
+
+  # @api private
+  def determine_save_permissions(permitted_assoc, save_attributes, type)
+    permitted_assoc.each do |assoc|
+      if assoc.is_a? Symbol or assoc.is_a? String
+        assoc_sym = "#{assoc}_attributes".to_sym
+        save_attributes << {assoc_sym => @pundit_permission_table[assoc][:attributes][type]}
+      elsif assoc.is_a? Hash
+        assoc.each do |current_assoc, value|
+          assoc_sym = "#{current_assoc}_attributes".to_sym
+          save_attributes << {assoc_sym => @pundit_permission_table[current_assoc][:attributes][type]}
+
+          determine_save_permissions(
+            value,
+            save_attributes.last[assoc_sym],
+            type
+          )
+        end
+      end
+    end
+  end
+
+  # @api private
+  def get_assoc_constant(record_class, assoc)
+    begin
+      return assoc.to_s.classify.constantize
+    rescue NameError
+      assoc_aliases = record_class.reflect_on_all_associations.map{|ass| {ass.name => ass.class_name}}.reduce Hash.new, :merge
+
+      if assoc_aliases.keys.include? assoc
+        return assoc_aliases[assoc].constantize
+      else
+        raise NameError, "Could not find associated class #{assoc.to_s.classify}, and #{record_class}"+
+          "does not include any associations named #{assoc}"
+      end
+    end
+  end
+
+  # @api private
+  def _valid_assoc_opts
+    [Hash, String, Symbol]
+  end
+end

data/lib/pundit_roles/pundit_selectors.rb

@@ -0,0 +1,152 @@
+# Module containing selectors for various authorized attributes, can be accessed as, ex: permitted_show_attributes
+module PunditSelectors
+
+  # returns the permission hash for the primary model
+  def permissions
+    @pundit_primary_permissions
+  end
+
+  # returns the formatted attributes for :show, :create and :update, ready to plug-and-play
+  def attribute_permissions
+    @pundit_attribute_lists
+  end
+
+  # returns the permitted associations in the form of [Array] -> [{:posts => {:comments => [:author]}}, :settings]
+  def permitted_associations
+    @pundit_permitted_associations
+  end
+
+  # returns the permission hashes of permitted associations, ex: {:posts => {:attributes => {:show => [:text]}, :associations => {:show => [:comments]}}}
+  def association_permissions
+    @pundit_permission_table
+  end
+
+  def permitted_show_attributes
+    @pundit_attribute_lists[:show]
+  end
+
+  def permitted_create_attributes
+    @pundit_attribute_lists[:create]
+  end
+
+  def permitted_update_attributes
+    @pundit_attribute_lists[:update]
+  end
+
+  def permitted_show_associations
+    @pundit_permitted_associations[:show]
+  end
+
+  def permitted_create_associations
+    @pundit_permitted_associations[:create]
+  end
+
+  def permitted_update_associations
+    @pundit_permitted_associations[:update]
+  end
+
+  # returns the permitted show attributes of the primary model
+  def primary_show_attributes
+    @pundit_primary_permissions[:attributes][:show]
+  end
+
+  # returns the permitted create attributes of the primary model
+  def primary_create_attributes
+    @pundit_primary_permissions[:attributes][:create]
+  end
+
+  # returns the permitted update attributes of the primary model
+  def primary_update_attributes
+    @pundit_primary_permissions[:attributes][:update]
+  end
+
+  # returns the permitted show associations of the primary model
+  def primary_show_associations
+    @pundit_primary_permissions[:associations][:show]
+  end
+
+  # returns the permitted create associations of the primary model
+  def primary_create_associations
+    @pundit_primary_permissions[:associations][:create]
+  end
+
+  # returns the permitted update associations of the primary model
+  def primary_update_associations
+    @pundit_primary_permissions[:associations][:update]
+  end
+
+  # returns the permitted show attributes of the associated models
+  def association_show_attributes
+    return {} unless @pundit_permission_table
+    associated_stuff = {}
+    @pundit_permission_table.each do |role, action|
+      associated_stuff[role] = action[:attributes].slice(:show)[:show]
+    end
+    return associated_stuff
+  end
+
+  # returns the permitted create attributes of the associated models
+  def association_create_attributes
+    return {} unless @pundit_permission_table
+    associated_stuff = {}
+    @pundit_permission_table.each do |role, action|
+      associated_stuff[role] = action[:attributes].slice(:create)[:create]
+    end
+    return associated_stuff
+  end
+
+  # returns the permitted update attributes of the associated models
+  def association_update_attributes
+    return {} unless @pundit_permission_table
+    associated_stuff = {}
+    @pundit_permission_table.each do |role, action|
+      associated_stuff[role] = action[:attributes].slice(:update)[:update]
+    end
+    return associated_stuff
+  end
+
+  # returns the permitted show associations of the associated models
+  def association_show_associations
+    return {} unless @pundit_permission_table
+    associated_stuff = {}
+    @pundit_permission_table.each do |role, action|
+      associated_stuff[role] = action[:associations].slice(:show)[:show]
+    end
+    return associated_stuff
+  end
+
+  # returns the permitted create associations of the associated models
+  def association_create_associations
+    return {} unless @pundit_permission_table
+    associated_stuff = {}
+    @pundit_permission_table.each do |role, action|
+      associated_stuff[role] = action[:associations].slice(:create)[:create]
+    end
+    return associated_stuff
+  end
+
+  # returns the permitted update associations of the associated models
+  def association_update_associations
+    return {} unless @pundit_permission_table
+    associated_stuff = {}
+    @pundit_permission_table.each do |role, action|
+      associated_stuff[role] = action[:associations].slice(:update)[:update]
+    end
+    return associated_stuff
+  end
+
+  #
+  # # @api private
+  # def build_next_opts(assoc_opts, save_attributes, assoc, assoc_index)
+  #   next_opts = {}
+  #   [:show, :create, :update].each do |type|
+  #     next_opts[type] = assoc_opts[type][assoc_index].present? ? assoc_opts[type][assoc_index][assoc] : nil
+  #   end
+  #
+  #   [:create, :update].each do |type|
+  #     next_opts[type] = save_attributes[type].is_a?(Hash) ? save_attributes[type].values.last : nil
+  #   end
+  #
+  #   return next_opts
+  # end
+end

data/lib/pundit_roles/version.rb

@@ -1,3 +1,3 @@
 module PunditRoles
-  VERSION = "0.5.1"
+  VERSION = "0.6.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: pundit_roles
 version: !ruby/object:Gem::Version
-  version: 0.5.1
+  version: 0.6.0
 platform: ruby
 authors:
 - Daniel Balogh
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-11-08 00:00:00.000000000 Z
+date: 2018-01-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -62,6 +62,8 @@ files:
 - lib/pundit_roles/policy/role.rb
 - lib/pundit_roles/policy/role/option_builder.rb
 - lib/pundit_roles/pundit.rb
+- lib/pundit_roles/pundit_associations.rb
+- lib/pundit_roles/pundit_selectors.rb
 - lib/pundit_roles/version.rb
 - pundit_roles.gemspec
 homepage: https://github.com/StairwayB/pundit_roles