rabarber 1.2.2 → 1.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '084b409c4886e7622ee37f20b8f00c0d6e083546394bf3617bdd5277548a2764'
-  data.tar.gz: 62c3f5fb0496fc5a0cf95f04f0f04d26ba4f847bdf1e838c248361dca72744ee
+  metadata.gz: fc0447acdc988dc558859b695d24d227697258a92bb1f444944fb76bfbace526
+  data.tar.gz: 975f4377d5cc4fb2f28c42060012b67b3a85fea589aadb5106c33ecb943cde4a
 SHA512:
-  metadata.gz: 0a1b141efb53f2b863f0dbbd1fe4c03ce199b7278bc0c51f8868866b918ea3161b8aebd9920872b43d9aea8cf24c5161b0f87d6d535a7c76295aa7890ee4b337
-  data.tar.gz: b740291aba6e4d1c529453e990c30e009b5215ccbdc99a5eac6c1b8c21d354c813e5bdd3f700c37e9aa22d528b025814ce69629aedb95449108a704e233c53d2
+  metadata.gz: cbfed2814ae750ec0b2870126818cb67c6b55c28a7529d8ab2db3364adc463768853b41ac89ba4653d014aa1024622ae261f5b2c8afcc10b99194fd916a40266
+  data.tar.gz: 7b77adeb8cc95acc4b104e6c39c6366b466262a8b0df0584d9e7d99d6369d96d01779a5962c7963696bccf7a941578a82774f2af23ac76d4a515bf37f7bed2ad

data/CHANGELOG.md

@@ -1,3 +1,15 @@
+## 1.3.1
+
+- Add `Rabarber::Role.assignees_for` method
+- Fix inconsistent behavior where passing `nil` as a role name to role management methods would raise an `ActiveRecord` error instead of `Rabarber` error
+- Various minor code improvements
+
+## 1.3.0
+
+- Add methods to directly add, rename, and remove roles
+- Modify `Rabarber::HasRoles#assign_roles` and `Rabarber::HasRoles#revoke_roles` methods to return the list of roles assigned to the user
+- Minor performance improvements
+
 ## 1.2.2
 
 - Refactor to improve readability and maintainability
@@ -8,6 +20,7 @@
 - Cache roles to avoid unnecessary database queries
 - Introduce `cache_enabled` configuration option allowing to enable or disable role caching
 - Enhance the migration generator so that it can receive the table name of the model representing users in the application as an argument
+- Fix an issue where an error would be raised if the user is not authenticated
 - Various minor improvements
 
 ## 1.2.0
@@ -36,7 +49,7 @@
 ## 1.0.2
 
 - Various enhancements for gem development and release
-- Modify `HasRoles#roles` method to return an array of role names instead of `Rabarber::Role` objects
+- Modify `Rabarber::HasRoles#roles` method to return an array of role names instead of `Rabarber::Role` objects
 
 ## 1.0.1
 
@@ -55,7 +68,7 @@
 
 ## 0.1.4
 
-- Remove `HasRoles#role?` method as unnecessary
+- Remove `Rabarber::HasRoles#role?` method as unnecessary
 
 ## 0.1.3
 

data/README.md

@@ -3,9 +3,7 @@
 [![Gem Version](https://badge.fury.io/rb/rabarber.svg)](http://badge.fury.io/rb/rabarber)
 [![Github Actions badge](https://github.com/enjaku4/rabarber/actions/workflows/ci.yml/badge.svg)](https://github.com/enjaku4/rabarber/actions/workflows/ci.yml)
 
-Rabarber is a role-based authorization library for Ruby on Rails, designed primarily for use in the web layer (specifically controllers and views) but not limited to that. It provides tools for managing user roles and defining authorization rules, mainly focusing on answering the question of 'Who can access which endpoint?'.
-
-Unlike some other libraries, Rabarber does not handle data scoping. Instead, it focuses on providing a lightweight and flexible solution for role-based access control, allowing developers to implement data scoping according to their specific business rules directly within their application's code.
+Rabarber is a role-based authorization library for Ruby on Rails, designed primarily for use in the application's web layer (specifically controllers and views) but not limited to that. It provides tools for managing user roles and defining authorization rules and mainly focuses on answering the question: 'Who has access to which endpoints?'.
 
 ---
 
@@ -53,8 +51,6 @@ Next, generate a migration to create tables for storing roles in the database. M
 rails g rabarber:roles users
 ```
 
-This will create a migration file in `db/migrate` directory.
-
 Finally, run the migration to apply the changes to the database:
 
 ```
@@ -63,30 +59,30 @@ rails db:migrate
 
 ## Configuration
 
-Rabarber can be configured by using `.configure` method in an initializer:
+If specific customization is required, Rabarber can be configured by using `.configure` method in an initializer:
 
 ```rb
 Rabarber.configure do |config|
-  config.cache_enabled = false
-  config.current_user_method = :authenticated_user
-  config.must_have_roles = true
+  config.cache_enabled = true
+  config.current_user_method = :current_user
+  config.must_have_roles = false
   config.when_actions_missing = -> (missing_actions, context) { ... }
   config.when_roles_missing = -> (missing_roles, context) { ... }
   config.when_unauthorized = -> (controller) { ... }
 end
 ```
 
-- `cache_enabled` must be a boolean determining whether roles are cached. Roles are cached by default to avoid unnecessary database queries. If you want to disable caching, set this option to `false`. If caching is enabled and you need to clear the cache, use the `Rabarber::Cache.clear` method.
+- `cache_enabled` must be a boolean determining whether roles are cached. _Roles are cached by default to avoid unnecessary database queries._ If you want to disable caching, set this option to `false`. If caching is enabled and you need to clear the cache, use `Rabarber::Cache.clear` method.
 
-- `current_user_method` must be a symbol representing the method that returns the currently authenticated user. The default value is `:current_user`.
+- `current_user_method` must be a symbol representing the method that returns the currently authenticated user. _The default value is `:current_user`._
 
-- `must_have_roles` must be a boolean determining whether a user with no roles can access endpoints permitted to everyone. The default value is `false` (allowing users without roles to access endpoints permitted to everyone).
+- `must_have_roles` must be a boolean determining whether a user with no roles can access endpoints permitted to everyone. _The default value is `false` (allowing users without roles to access endpoints permitted to everyone)._
 
-- `when_actions_missing` must be a proc where you can define the behaviour when the actions specified in `grant_access` method cannot be found in the controller (`missing_actions` is an array of missing actions, `context` is a hash that looks like this: `{ controller: "InvoicesController" }`). This check is performed on every request and when the application is initialized if `eager_load` configuration is enabled in Rails. By default, an error is raised when actions are missing.
+- `when_actions_missing` must be a proc where you can define the behaviour when the actions specified in `grant_access` method cannot be found in the controller (`missing_actions` is an array of symbols e.g., `[:index]`, `context` is a hash that looks like this: `{ controller: "InvoicesController" }`). This check is performed on every request and when the application is initialized if `eager_load` configuration is enabled in Rails. _By default, an error is raised when actions are missing._
 
-- `when_roles_missing` must be a proc where you can define the behaviour when the roles specified in `grant_access` method cannot be found in the database (`missing_roles` is an array of missing roles, `context` is a hash that looks like this: `{ controller: "InvoicesController", action: "index" }`). This check is performed on every request and when the application is initialized if `eager_load` configuration is enabled in Rails. By default, only a warning is logged when roles are missing.
+- `when_roles_missing` must be a proc where you can define the behaviour when the roles specified in `grant_access` method cannot be found in the database (`missing_roles` is an array of symbols e.g., `[:admin]`, `context` is a hash that looks like this: `{ controller: "InvoicesController", action: "index" }`). This check is performed on every request and when the application is initialized if `eager_load` configuration is enabled in Rails. _By default, only a warning is logged when roles are missing._
 
-- `when_unauthorized` must be a proc where you can define the behaviour when access is not authorized (`controller` is an instance of the controller where the code is executed). By default, the user is redirected back if the request format is HTML; otherwise, a 401 Unauthorized response is sent.
+- `when_unauthorized` must be a proc where you can define the behaviour when access is not authorized (`controller` is an instance of the controller where the code is executed). _By default, the user is redirected back if the request format is HTML; otherwise, a 401 Unauthorized response is sent._
 
 ## Roles
 
@@ -103,7 +99,7 @@ This adds the following methods:
 
 **`#assign_roles`**
 
-To assign roles to the user, use:
+To assign roles, use:
 
 ```rb
 user.assign_roles(:accountant, :marketer)
@@ -112,6 +108,7 @@ By default, `#assign_roles` method will automatically create any roles that don'
 ```rb
 user.assign_roles(:accountant, :marketer, create_new: false)
 ```
+The method returns an array of roles assigned to the user.
 
 **`#revoke_roles`**
 
@@ -122,6 +119,8 @@ user.revoke_roles(:accountant, :marketer)
 ```
 If any of the specified roles doesn't exist or the user doesn't have the role you want to revoke, it will be ignored.
 
+The method returns an array of roles assigned to the user.
+
 **`#has_role?`**
 
 To check whether the user has a role, use:
@@ -140,15 +139,68 @@ To view all the roles assigned to the user, use:
 user.roles
 ```
 
+---
+
+To manipulate roles directly, you can use `Rabarber::Role` methods:
+
+**`.add`**
+
+To add a new role, use:
+
+```rb
+Rabarber::Role.add(:admin)
+```
+
+This will create a new role with the specified name and return `true`. If the role already exists, it will return `false`.
+
+**`.rename`**
+
+To rename a role, use:
+
+```rb
+Rabarber::Role.rename(:admin, :administrator)
+```
+The first argument is the old name, and the second argument is the new name. This will rename the role and return `true`. If a role with the new name already exists, it will return `false`.
+
+The method won't rename the role and will return `false` if it is assigned to any user. To force the rename, use the method with `force: true` argument:
+```rb
+Rabarber::Role.rename(:admin, :administrator, force: true)
+```
+
+**`.remove`**
+
+To remove a role, use:
+
+```rb
+Rabarber::Role.remove(:admin)
+```
+
+This will remove the role and return `true`. If the role doesn't exist, it will return `false`.
+
+The method won't remove the role and will return `false` if it is assigned to any user. To force the removal, use the method with `force: true` argument:
+```rb
+Rabarber::Role.remove(:admin, force: true)
+```
+
+**`.names`**
+
 If you need to list all the role names available in your application, use:
 
 ```rb
 Rabarber::Role.names
 ```
 
+**`.assignees_for`**
+
+To get all the users to whom the role is assigned, use:
+
+```rb
+Rabarber::Role.assignees_for(:admin)
+```
+
 ## Authorization Rules
 
-Include `Rabarber::Authorization` module into the controller that needs authorization rules to be applied (authorization rules will be applied to the controller and its children). Typically, it is `ApplicationController`, but it can be any controller.
+Include `Rabarber::Authorization` module into the controller that needs authorization rules to be applied. Typically, it is `ApplicationController`, but it can be any controller of your choice.
 
 ```rb
 class ApplicationController < ActionController::Base
@@ -216,9 +268,9 @@ class InvoicesController < ApplicationController
 end
 ```
 
-This allows everyone to access `OrdersController` and its children and `index` action in `InvoicesController`. This also extends to scenarios where there is no user present, i.e. when the method responsible for returning the currently authenticated user in your application returns `nil`.
+This allows everyone to access `OrdersController` and its children and also `index` action in `InvoicesController`. This extends to scenarios where there is no user present, i.e. when the method responsible for returning the currently authenticated user in your application returns `nil`.
 
-Be aware that if the user is not authenticated (the method responsible for returning the currently authenticated user in your application returns `nil`), Rabarber will treat this situation as if the user with no roles assigned was authenticated.
+_Be aware that if the user is not authenticated (the method responsible for returning the currently authenticated user in your application returns `nil`), Rabarber will treat this situation as if the user with no roles assigned was authenticated._
 
 If you've set `must_have_roles` setting to `true`, then, only the users with at least one role can have access. This setting can be useful if your requirements are such that users without roles are not allowed to access anything.
 
@@ -253,7 +305,7 @@ class InvoicesController < ApplicationController
   end
 end
 ```
-You can pass a dynamic rule as `if` or `unless` argument. It can be a symbol (the method with the same name will be called) or a proc.
+You can pass a dynamic rule as `if` or `unless` argument. It can be a symbol, in which case the method with the same name will be called. Alternatively, it can be a proc, which will be executed within the context of the controller's instance.
 
 Rules defined in child classes don't override parent rules but rather add to them:
 ```rb
@@ -271,7 +323,7 @@ This means that `Crm::InvoicesController` is still accessible to `admin` but is
 
 ## View Helpers
 
-Rabarber also provides a couple of helpers that can be used in views: `visible_to` and `hidden_from`. To use them, simply include `Rabarber::Helpers` in the desired helper (usually `ApplicationHelper`, but it can be any helper):
+Rabarber also provides a couple of helpers that can be used in views: `visible_to` and `hidden_from`. To use them, simply include `Rabarber::Helpers` in the desired helper. Usually it is `ApplicationHelper`, but it can be any helper of your choice.
 
 ```rb
 module ApplicationHelper
@@ -296,14 +348,18 @@ The usage is straightforward:
 
 ## Problems?
 
-Encountered a bug or facing a problem?
+Facing a problem or want to suggest an enhancement?
+
+- **Open a Discussion**: If you have a question, experience difficulties using the gem, or have an improvement suggestion, feel free to use the Discussions section.
+
+Encountered a bug?
 
-- **Create an Issue**: If you've identified a problem, please create an issue on the gem's GitHub repository. Be sure to provide detailed information about the problem, including the steps to reproduce it.
+- **Create an Issue**: If you've identified a bug, please create an issue. Be sure to provide detailed information about the problem, including the steps to reproduce it.
 - **Contribute a Solution**: Found a fix for the issue? Feel free to create a pull request with your changes.
 
 ## Contributing
 
-If you want to contribute, please read the [contributing guidelines](https://github.com/enjaku4/rabarber/blob/main/CONTRIBUTING.md).
+Before opening an issue or creating a pull request, please read the [contributing guidelines](https://github.com/enjaku4/rabarber/blob/main/CONTRIBUTING.md).
 
 ## License
 

data/lib/rabarber/cache.rb

@@ -10,16 +10,16 @@ module Rabarber
       enabled? ? Rails.cache.fetch(key, options, &block) : yield
     end
 
-    def delete(key)
-      Rails.cache.delete(key) if enabled?
+    def delete(*keys)
+      Rails.cache.delete_multi(keys) if enabled?
     end
 
     def enabled?
       Rabarber::Configuration.instance.cache_enabled
     end
 
-    def key_for(record)
-      "rabarber:roles_#{record.public_send(record.class.primary_key)}"
+    def key_for(id)
+      "rabarber:roles_#{id}"
     end
 
     def clear

data/lib/rabarber/configuration.rb

@@ -19,37 +19,37 @@ module Rabarber
     end
 
     def cache_enabled=(value)
-      @cache_enabled = Rabarber::Input::Types::Booleans.new(
+      @cache_enabled = Rabarber::Input::Types::Boolean.new(
         value, Rabarber::ConfigurationError, "Configuration 'cache_enabled' must be a Boolean"
       ).process
     end
 
     def current_user_method=(method_name)
-      @current_user_method = Rabarber::Input::Types::Symbols.new(
+      @current_user_method = Rabarber::Input::Types::Symbol.new(
         method_name, Rabarber::ConfigurationError, "Configuration 'current_user_method' must be a Symbol or a String"
       ).process
     end
 
     def must_have_roles=(value)
-      @must_have_roles = Rabarber::Input::Types::Booleans.new(
+      @must_have_roles = Rabarber::Input::Types::Boolean.new(
         value, Rabarber::ConfigurationError, "Configuration 'must_have_roles' must be a Boolean"
       ).process
     end
 
     def when_actions_missing=(callable)
-      @when_actions_missing = Rabarber::Input::Types::Procs.new(
+      @when_actions_missing = Rabarber::Input::Types::Proc.new(
         callable, Rabarber::ConfigurationError, "Configuration 'when_actions_missing' must be a Proc"
       ).process
     end
 
     def when_roles_missing=(callable)
-      @when_roles_missing = Rabarber::Input::Types::Procs.new(
+      @when_roles_missing = Rabarber::Input::Types::Proc.new(
         callable, Rabarber::ConfigurationError, "Configuration 'when_roles_missing' must be a Proc"
       ).process
     end
 
     def when_unauthorized=(callable)
-      @when_unauthorized = Rabarber::Input::Types::Procs.new(
+      @when_unauthorized = Rabarber::Input::Types::Proc.new(
         callable, Rabarber::ConfigurationError, "Configuration 'when_unauthorized' must be a Proc"
       ).process
     end

data/lib/rabarber/controllers/concerns/authorization.rb

@@ -12,12 +12,12 @@ module Rabarber
       def grant_access(action: nil, roles: nil, if: nil, unless: nil)
         dynamic_rule, negated_dynamic_rule = binding.local_variable_get(:if), binding.local_variable_get(:unless)
 
-        Rabarber::Permissions.add(
+        Rabarber::Core::Permissions.add(
           self,
-          Rabarber::Input::Actions.new(action).process,
+          Rabarber::Input::Action.new(action).process,
           Rabarber::Input::Roles.new(roles).process,
-          Rabarber::Input::DynamicRules.new(dynamic_rule).process,
-          Rabarber::Input::DynamicRules.new(negated_dynamic_rule).process
+          Rabarber::Input::DynamicRule.new(dynamic_rule).process,
+          Rabarber::Input::DynamicRule.new(negated_dynamic_rule).process
         )
       end
     end
@@ -28,7 +28,7 @@ module Rabarber
       Rabarber::Missing::Actions.new(self.class).handle
       Rabarber::Missing::Roles.new(self.class).handle
 
-      return if Rabarber::Permissions.access_granted?(rabarber_roles, self.class, action_name.to_sym, self)
+      return if Rabarber::Core::Permissions.access_granted?(rabarber_roles, self.class, action_name.to_sym, self)
 
       Rabarber::Configuration.instance.when_unauthorized.call(self)
     end

data/lib/rabarber/core/access.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Rabarber
+  module Core
+    module Access
+      def access_granted?(roles, controller, action, dynamic_rule_receiver)
+        controller_accessible?(roles, controller, dynamic_rule_receiver) ||
+          action_accessible?(roles, controller, action, dynamic_rule_receiver)
+      end
+
+      def controller_accessible?(roles, controller, dynamic_rule_receiver)
+        accessible_controllers(roles, dynamic_rule_receiver).any? do |accessible_controller|
+          controller <= accessible_controller
+        end
+      end
+
+      def action_accessible?(roles, controller, action, dynamic_rule_receiver)
+        action_rules[controller].any? { |rule| rule.verify_access(roles, dynamic_rule_receiver, action) }
+      end
+
+      private
+
+      def accessible_controllers(roles, dynamic_rule_receiver)
+        controller_rules.select { |_, rule| rule.verify_access(roles, dynamic_rule_receiver) }.keys
+      end
+    end
+  end
+end

data/lib/rabarber/core/permissions.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require_relative "access"
+require_relative "rule"
+
+module Rabarber
+  module Core
+    class Permissions
+      include Singleton
+
+      extend Access
+
+      attr_reader :storage
+
+      def initialize
+        @storage = { controller_rules: Hash.new({}), action_rules: Hash.new([]) }
+      end
+
+      class << self
+        def add(controller, action, roles, dynamic_rule, negated_dynamic_rule)
+          rule = Rabarber::Core::Rule.new(action, roles, dynamic_rule, negated_dynamic_rule)
+
+          if action
+            instance.storage[:action_rules][controller] += [rule]
+          else
+            instance.storage[:controller_rules][controller] = rule
+          end
+        end
+
+        def controller_rules
+          instance.storage[:controller_rules]
+        end
+
+        def action_rules
+          instance.storage[:action_rules]
+        end
+      end
+    end
+  end
+end

data/lib/rabarber/core/rule.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Rabarber
+  module Core
+    class Rule
+      attr_reader :action, :roles, :dynamic_rule, :negated_dynamic_rule
+
+      def initialize(action, roles, dynamic_rule, negated_dynamic_rule)
+        @action = action
+        @roles = Array(roles)
+        @dynamic_rule = dynamic_rule
+        @negated_dynamic_rule = negated_dynamic_rule
+      end
+
+      def verify_access(user_roles, dynamic_rule_receiver, action_name = nil)
+        action_accessible?(action_name) && roles_permitted?(user_roles) && dynamic_rule_followed?(dynamic_rule_receiver)
+      end
+
+      def action_accessible?(action_name)
+        action_name.nil? || action_name == action
+      end
+
+      def roles_permitted?(user_roles)
+        return false if Rabarber::Configuration.instance.must_have_roles && user_roles.empty?
+
+        roles.empty? || (roles & user_roles).any?
+      end
+
+      def dynamic_rule_followed?(dynamic_rule_receiver)
+        !!(execute_dynamic_rule(dynamic_rule_receiver, false) && execute_dynamic_rule(dynamic_rule_receiver, true))
+      end
+
+      private
+
+      def execute_dynamic_rule(dynamic_rule_receiver, is_negated)
+        rule = is_negated ? negated_dynamic_rule : dynamic_rule
+
+        return true if rule.nil?
+
+        result = if rule.is_a?(Proc)
+                   dynamic_rule_receiver.instance_exec(&rule)
+                 else
+                   dynamic_rule_receiver.send(rule)
+                 end
+
+        is_negated ? !result : result
+      end
+    end
+  end
+end

data/lib/rabarber/input/action.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Rabarber
+  module Input
+    class Action < Rabarber::Input::Base
+      def valid?
+        Rabarber::Input::Types::Symbol.new(value).valid? || value.nil?
+      end
+
+      private
+
+      def processed_value
+        case value
+        when String, Symbol
+          value.to_sym
+        when nil
+          value
+        end
+      end
+
+      def default_error_message
+        "Action name must be a Symbol or a String"
+      end
+    end
+  end
+end

data/lib/rabarber/input/base.rb

@@ -5,7 +5,7 @@ module Rabarber
     class Base
       attr_reader :value, :error_type, :error_message
 
-      def initialize(value, error_type, error_message)
+      def initialize(value, error_type = Rabarber::InvalidArgumentError, error_message = default_error_message)
         @value = value
         @error_type = error_type
         @error_message = error_message
@@ -15,16 +15,20 @@ module Rabarber
         valid? ? processed_value : raise_error
       end
 
-      private
-
       def valid?
         raise NotImplementedError
       end
 
+      private
+
       def processed_value
         raise NotImplementedError
       end
 
+      def default_error_message
+        raise NotImplementedError
+      end
+
       def raise_error
         raise error_type, error_message
       end

data/lib/rabarber/input/dynamic_rule.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Rabarber
+  module Input
+    class DynamicRule < Rabarber::Input::Base
+      def valid?
+        Rabarber::Input::Types::Symbol.new(value).valid? || Rabarber::Input::Types::Proc.new(value).valid? || value.nil?
+      end
+
+      private
+
+      def processed_value
+        case value
+        when String, Symbol
+          value.to_sym
+        when Proc, nil
+          value
+        end
+      end
+
+      def default_error_message
+        "Dynamic rule must be a Symbol, a String, or a Proc"
+      end
+    end
+  end
+end

data/lib/rabarber/input/role.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Rabarber
+  module Input
+    class Role < Rabarber::Input::Base
+      REGEX = /\A[a-z0-9_]+\z/
+
+      def valid?
+        Rabarber::Input::Types::Symbol.new(value).valid? && value.to_s.match?(REGEX)
+      end
+
+      private
+
+      def processed_value
+        value.to_sym
+      end
+
+      def default_error_message
+        "Role name must be a Symbol or a String and may only contain lowercase letters, numbers and underscores"
+      end
+    end
+  end
+end

data/lib/rabarber/input/roles.rb

@@ -3,30 +3,23 @@
 module Rabarber
   module Input
     class Roles < Rabarber::Input::Base
-      REGEX = /\A[a-z0-9_]+\z/
-
-      def initialize(
-        value,
-        error_type = Rabarber::InvalidArgumentError,
-        error_message =
-          "Role names must be Symbols or Strings and may only contain lowercase letters, numbers and underscores"
-      )
-        super
-      end
-
       def value
         Array(super)
       end
 
-      private
-
       def valid?
-        value.all? { |role_name| (role_name.is_a?(Symbol) || role_name.is_a?(String)) && role_name.to_s.match?(REGEX) }
+        value.all? { |role_name| Rabarber::Input::Role.new(role_name).valid? }
       end
 
+      private
+
       def processed_value
         value.map(&:to_sym)
       end
+
+      def default_error_message
+        "Role names must be Symbols or Strings and may only contain lowercase letters, numbers and underscores"
+      end
     end
   end
 end

data/lib/rabarber/input/types/{booleans.rb → boolean.rb}

@@ -3,16 +3,20 @@
 module Rabarber
   module Input
     module Types
-      class Booleans < Rabarber::Input::Base
-        private
-
+      class Boolean < Rabarber::Input::Base
         def valid?
           [true, false].include?(value)
         end
 
+        private
+
         def processed_value
           value
         end
+
+        def default_error_message
+          "Value must be a Boolean"
+        end
       end
     end
   end

data/lib/rabarber/input/types/{procs.rb → proc.rb}

@@ -3,16 +3,20 @@
 module Rabarber
   module Input
     module Types
-      class Procs < Rabarber::Input::Base
-        private
-
+      class Proc < Rabarber::Input::Base
         def valid?
-          value.is_a?(Proc)
+          value.is_a?(::Proc)
         end
 
+        private
+
         def processed_value
           value
         end
+
+        def default_error_message
+          "Value must be a Proc"
+        end
       end
     end
   end

data/lib/rabarber/input/types/{symbols.rb → symbol.rb}

@@ -3,16 +3,20 @@
 module Rabarber
   module Input
     module Types
-      class Symbols < Rabarber::Input::Base
-        private
-
+      class Symbol < Rabarber::Input::Base
         def valid?
-          (value.is_a?(Symbol) || value.is_a?(String)) && value.present?
+          (value.is_a?(::Symbol) || value.is_a?(String)) && value.present?
         end
 
+        private
+
         def processed_value
           value.to_sym
         end
+
+        def default_error_message
+          "Value must be a Symbol or a String"
+        end
       end
     end
   end

data/lib/rabarber/missing/base.rb

@@ -41,17 +41,17 @@ module Rabarber
 
       def controller_rules
         if controller
-          Rabarber::Permissions.controller_rules.slice(controller)
+          Rabarber::Core::Permissions.controller_rules.slice(controller)
         else
-          Rabarber::Permissions.controller_rules
+          Rabarber::Core::Permissions.controller_rules
         end
       end
 
       def action_rules
         if controller
-          Rabarber::Permissions.action_rules.slice(controller)
+          Rabarber::Core::Permissions.action_rules.slice(controller)
         else
-          Rabarber::Permissions.action_rules
+          Rabarber::Core::Permissions.action_rules
         end
       end
     end

data/lib/rabarber/models/concerns/has_roles.rb

@@ -17,7 +17,7 @@ module Rabarber
     end
 
     def roles
-      Rabarber::Cache.fetch(Rabarber::Cache.key_for(self), expires_in: 1.hour, race_condition_ttl: 5.seconds) do
+      Rabarber::Cache.fetch(Rabarber::Cache.key_for(roleable_id), expires_in: 1.hour, race_condition_ttl: 5.seconds) do
         rabarber_roles.names
       end
     end
@@ -31,17 +31,32 @@ module Rabarber
 
       create_new_roles(roles_to_assign) if create_new
 
-      rabarber_roles << Rabarber::Role.where(name: roles_to_assign) - rabarber_roles
+      new_roles = Rabarber::Role.where(name: roles_to_assign) - rabarber_roles
 
-      delete_cache
+      if new_roles.any?
+        delete_roleable_cache
+        rabarber_roles << new_roles
+      end
+
+      roles
     end
 
     def revoke_roles(*role_names)
-      self.rabarber_roles = rabarber_roles - Rabarber::Role.where(name: process_role_names(role_names))
+      new_roles = rabarber_roles - Rabarber::Role.where(name: process_role_names(role_names))
+
+      if rabarber_roles != new_roles
+        delete_roleable_cache
+        self.rabarber_roles = new_roles
+      end
 
-      delete_cache
+      roles
     end
 
+    def roleable_class
+      @@included.constantize
+    end
+    module_function :roleable_class
+
     private
 
     def create_new_roles(role_names)
@@ -53,8 +68,12 @@ module Rabarber
       Rabarber::Input::Roles.new(role_names).process
     end
 
-    def delete_cache
-      Rabarber::Cache.delete(Rabarber::Cache.key_for(self))
+    def delete_roleable_cache
+      Rabarber::Cache.delete(Rabarber::Cache.key_for(roleable_id))
+    end
+
+    def roleable_id
+      public_send(self.class.primary_key)
     end
   end
 end

data/lib/rabarber/models/role.rb

@@ -4,18 +4,74 @@ module Rabarber
   class Role < ActiveRecord::Base
     self.table_name = "rabarber_roles"
 
-    validates :name, presence: true, uniqueness: true, format: { with: Rabarber::Input::Roles::REGEX }
+    validates :name, presence: true, uniqueness: true, format: { with: Rabarber::Input::Role::REGEX }, strict: true
 
-    after_commit :delete_cache
+    has_and_belongs_to_many :roleables, join_table: "rabarber_roles_roleables"
 
-    def self.names
-      pluck(:name).map(&:to_sym)
-    end
+    class << self
+      def names
+        pluck(:name).map(&:to_sym)
+      end
+
+      def add(name)
+        name = process_role_name(name)
+
+        return false if exists?(name: name)
+
+        delete_roles_cache
+
+        !!create!(name: name)
+      end
+
+      def rename(old_name, new_name, force: false)
+        role = find_by(name: process_role_name(old_name))
+        name = process_role_name(new_name)
+
+        return false if !role || exists?(name: name) || assigned_to_roleables(role).any? && !force
+
+        delete_roles_cache
+        delete_roleables_cache(role)
+
+        role.update!(name: name)
+      end
+
+      def remove(name, force: false)
+        role = find_by(name: process_role_name(name))
+
+        return false if !role || assigned_to_roleables(role).any? && !force
+
+        delete_roles_cache
+        delete_roleables_cache(role)
+
+        !!role.destroy!
+      end
+
+      def assignees_for(name)
+        Rabarber::HasRoles.roleable_class.joins(:rabarber_roles).where(
+          rabarber_roles: { name: Rabarber::Input::Role.new(name).process }
+        )
+      end
+
+      private
+
+      def delete_roles_cache
+        Rabarber::Cache.delete(Rabarber::Cache::ALL_ROLES_KEY)
+      end
+
+      def delete_roleables_cache(role)
+        keys = assigned_to_roleables(role).map { |roleable_id| Rabarber::Cache.key_for(roleable_id) }
+        Rabarber::Cache.delete(*keys) if keys.any?
+      end
 
-    private
+      def assigned_to_roleables(role)
+        ActiveRecord::Base.connection.select_values(
+          "SELECT roleable_id FROM rabarber_roles_roleables WHERE role_id = #{role.id}"
+        )
+      end
 
-    def delete_cache
-      Rabarber::Cache.delete(Rabarber::Cache::ALL_ROLES_KEY)
+      def process_role_name(name)
+        Rabarber::Input::Role.new(name).process
+      end
     end
   end
 end

data/lib/rabarber/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Rabarber
-  VERSION = "1.2.2"
+  VERSION = "1.3.1"
 end

data/lib/rabarber.rb

@@ -8,12 +8,13 @@ require "active_record"
 require "active_support"
 
 require_relative "rabarber/input/base"
-require_relative "rabarber/input/actions"
-require_relative "rabarber/input/dynamic_rules"
+require_relative "rabarber/input/action"
+require_relative "rabarber/input/dynamic_rule"
+require_relative "rabarber/input/role"
 require_relative "rabarber/input/roles"
-require_relative "rabarber/input/types/booleans"
-require_relative "rabarber/input/types/procs"
-require_relative "rabarber/input/types/symbols"
+require_relative "rabarber/input/types/boolean"
+require_relative "rabarber/input/types/proc"
+require_relative "rabarber/input/types/symbol"
 
 require_relative "rabarber/missing/base"
 require_relative "rabarber/missing/actions"
@@ -25,7 +26,8 @@ require_relative "rabarber/controllers/concerns/authorization"
 require_relative "rabarber/helpers/helpers"
 require_relative "rabarber/models/concerns/has_roles"
 require_relative "rabarber/models/role"
-require_relative "rabarber/permissions"
+
+require_relative "rabarber/core/permissions"
 
 require_relative "rabarber/railtie"
 

data/rabarber.gemspec

@@ -8,7 +8,7 @@ Gem::Specification.new do |spec|
   spec.authors = ["enjaku4", "trafium"]
   spec.email = ["rabarber_gem@icloud.com"]
 
-  spec.summary = "Simple authorization library for Ruby on Rails."
+  spec.summary = "Simple role-based authorization library for Ruby on Rails."
   spec.homepage = "https://github.com/enjaku4/rabarber"
   spec.license = "MIT"
   spec.required_ruby_version = ">= 3.0"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rabarber
 version: !ruby/object:Gem::Version
-  version: 1.2.2
+  version: 1.3.1
 platform: ruby
 authors:
 - enjaku4
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-02-10 00:00:00.000000000 Z
+date: 2024-03-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -38,27 +38,28 @@ files:
 - lib/generators/rabarber/roles_generator.rb
 - lib/generators/rabarber/templates/create_rabarber_roles.rb.erb
 - lib/rabarber.rb
-- lib/rabarber/access.rb
 - lib/rabarber/cache.rb
 - lib/rabarber/configuration.rb
 - lib/rabarber/controllers/concerns/authorization.rb
+- lib/rabarber/core/access.rb
+- lib/rabarber/core/permissions.rb
+- lib/rabarber/core/rule.rb
 - lib/rabarber/helpers/helpers.rb
-- lib/rabarber/input/actions.rb
+- lib/rabarber/input/action.rb
 - lib/rabarber/input/base.rb
-- lib/rabarber/input/dynamic_rules.rb
+- lib/rabarber/input/dynamic_rule.rb
+- lib/rabarber/input/role.rb
 - lib/rabarber/input/roles.rb
-- lib/rabarber/input/types/booleans.rb
-- lib/rabarber/input/types/procs.rb
-- lib/rabarber/input/types/symbols.rb
+- lib/rabarber/input/types/boolean.rb
+- lib/rabarber/input/types/proc.rb
+- lib/rabarber/input/types/symbol.rb
 - lib/rabarber/logger.rb
 - lib/rabarber/missing/actions.rb
 - lib/rabarber/missing/base.rb
 - lib/rabarber/missing/roles.rb
 - lib/rabarber/models/concerns/has_roles.rb
 - lib/rabarber/models/role.rb
-- lib/rabarber/permissions.rb
 - lib/rabarber/railtie.rb
-- lib/rabarber/rule.rb
 - lib/rabarber/version.rb
 - rabarber.gemspec
 homepage: https://github.com/enjaku4/rabarber
@@ -80,8 +81,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.33
+rubygems_version: 3.3.26
 signing_key:
 specification_version: 4
-summary: Simple authorization library for Ruby on Rails.
+summary: Simple role-based authorization library for Ruby on Rails.
 test_files: []

data/lib/rabarber/access.rb

@@ -1,26 +0,0 @@
-# frozen_string_literal: true
-
-module Rabarber
-  module Access
-    def access_granted?(roles, controller, action, dynamic_rule_receiver)
-      controller_accessible?(roles, controller, dynamic_rule_receiver) ||
-        action_accessible?(roles, controller, action, dynamic_rule_receiver)
-    end
-
-    def controller_accessible?(roles, controller, dynamic_rule_receiver)
-      accessible_controllers(roles, dynamic_rule_receiver).any? do |accessible_controller|
-        controller <= accessible_controller
-      end
-    end
-
-    def action_accessible?(roles, controller, action, dynamic_rule_receiver)
-      action_rules[controller].any? { |rule| rule.verify_access(roles, dynamic_rule_receiver, action) }
-    end
-
-    private
-
-    def accessible_controllers(roles, dynamic_rule_receiver)
-      controller_rules.select { |_, rule| rule.verify_access(roles, dynamic_rule_receiver) }.keys
-    end
-  end
-end

data/lib/rabarber/input/actions.rb

@@ -1,30 +0,0 @@
-# frozen_string_literal: true
-
-module Rabarber
-  module Input
-    class Actions < Rabarber::Input::Base
-      def initialize(
-        value,
-        error_type = Rabarber::InvalidArgumentError,
-        error_message = "Action name must be a Symbol or a String"
-      )
-        super
-      end
-
-      private
-
-      def valid?
-        (value.is_a?(String) || value.is_a?(Symbol)) && value.present? || value.nil?
-      end
-
-      def processed_value
-        case value
-        when String, Symbol
-          value.to_sym
-        when nil
-          value
-        end
-      end
-    end
-  end
-end

data/lib/rabarber/input/dynamic_rules.rb

@@ -1,30 +0,0 @@
-# frozen_string_literal: true
-
-module Rabarber
-  module Input
-    class DynamicRules < Rabarber::Input::Base
-      def initialize(
-        value,
-        error_type = Rabarber::InvalidArgumentError,
-        error_message = "Dynamic rule must be a Symbol, a String, or a Proc"
-      )
-        super
-      end
-
-      private
-
-      def valid?
-        (value.is_a?(String) || value.is_a?(Symbol)) && value.present? || value.nil? || value.is_a?(Proc)
-      end
-
-      def processed_value
-        case value
-        when String, Symbol
-          value.to_sym
-        when Proc, nil
-          value
-        end
-      end
-    end
-  end
-end

data/lib/rabarber/permissions.rb

@@ -1,36 +0,0 @@
-# frozen_string_literal: true
-
-require_relative "access"
-require_relative "rule"
-
-module Rabarber
-  class Permissions
-    include Singleton
-
-    extend Access
-
-    attr_reader :storage
-
-    def initialize
-      @storage = { controller_rules: Hash.new({}), action_rules: Hash.new([]) }
-    end
-
-    def self.add(controller, action, roles, dynamic_rule, negated_dynamic_rule)
-      rule = Rabarber::Rule.new(action, roles, dynamic_rule, negated_dynamic_rule)
-
-      if action
-        instance.storage[:action_rules][controller] += [rule]
-      else
-        instance.storage[:controller_rules][controller] = rule
-      end
-    end
-
-    def self.controller_rules
-      instance.storage[:controller_rules]
-    end
-
-    def self.action_rules
-      instance.storage[:action_rules]
-    end
-  end
-end

data/lib/rabarber/rule.rb

@@ -1,48 +0,0 @@
-# frozen_string_literal: true
-
-module Rabarber
-  class Rule
-    attr_reader :action, :roles, :dynamic_rule, :negated_dynamic_rule
-
-    def initialize(action, roles, dynamic_rule, negated_dynamic_rule)
-      @action = action
-      @roles = Array(roles)
-      @dynamic_rule = dynamic_rule
-      @negated_dynamic_rule = negated_dynamic_rule
-    end
-
-    def verify_access(user_roles, dynamic_rule_receiver, action_name = nil)
-      action_accessible?(action_name) && roles_permitted?(user_roles) && dynamic_rule_followed?(dynamic_rule_receiver)
-    end
-
-    def action_accessible?(action_name)
-      action_name.nil? || action_name == action
-    end
-
-    def roles_permitted?(user_roles)
-      return false if Rabarber::Configuration.instance.must_have_roles && user_roles.empty?
-
-      roles.empty? || (roles & user_roles).any?
-    end
-
-    def dynamic_rule_followed?(dynamic_rule_receiver)
-      !!(execute_dynamic_rule(dynamic_rule_receiver, false) && execute_dynamic_rule(dynamic_rule_receiver, true))
-    end
-
-    private
-
-    def execute_dynamic_rule(dynamic_rule_receiver, is_negated)
-      rule = is_negated ? negated_dynamic_rule : dynamic_rule
-
-      return true if rule.nil?
-
-      result = if rule.is_a?(Proc)
-                 dynamic_rule_receiver.instance_exec(&rule)
-               else
-                 dynamic_rule_receiver.send(rule)
-               end
-
-      is_negated ? !result : result
-    end
-  end
-end