rabarber 2.0.0 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f719eb670170521e94a58a1c75d30110699ab941da6d5dae151fbf53e0eb9880
-  data.tar.gz: bd06646e15ab2eb5ff7b49d2a18316c4b539b95aa98bd2ec1b4de5c6b5fb921a
+  metadata.gz: 51c1cba47b8af312f38ff403b77ef716099101d5bed3226c3e7d2bad37c23874
+  data.tar.gz: 3da6569ceef5c624aa649240341fcb72ce879005e458044006ba547aadbe316e
 SHA512:
-  metadata.gz: 0db86c7d46337decbe9972ea3b0c1ad30e1c66f2b76b3ef27a494ef8c2ecc9bcf35ce3f135360e74045b7f20beb38149f5ca308af0cb3d3a0db829ff9dc7147b
-  data.tar.gz: d1a20c732318d12ccfe49338df7338dcf09bd1222fd574e8581d035cb38b55295e501bfa45ef63ea0a556a8c21a28abdad7d06ca765c3f14eed6e6cd98db93be
+  metadata.gz: 9d5c8fd851b43d71f0f1ca9bfe6671c5d23fe3db1c6b08b8d78ff6415e0e7528e4de1c86c1c5bb9fcdd9143ca050183268e94a981fe8bd89002e75f7e437064f
+  data.tar.gz: a11d2aa5c8bb3ff69b1db5d8d6aae6b5f2590ae03f5fe99388db8ff809cf6ff3b9d8c9461a1936f08faade2a7b7711d4010fa7d49bfad36ab582f80d14708893

data/CHANGELOG.md

@@ -1,3 +1,25 @@
+## v3.0.0
+
+### Breaking:
+
+- Changed Rabarber roles table structure
+
+To upgrade to v3.0.0, please refer to the [migration guide](https://github.com/enjaku4/rabarber/discussions/58)
+
+### Features:
+
+- Introduced the ability to define and authorize roles within a specific context
+
+### Misc:
+
+- Revised log messages in the audit trail for clarity and conciseness
+
+## v2.1.0
+
+### Features:
+
+- Added `Rabarber::Authorization.skip_authorization` method to skip authorization checks
+
 ## v2.0.0
 
 ### Breaking:
@@ -6,7 +28,7 @@
 - Replaced `when_unauthorized` configuration option with an overridable controller method
 - Renamed `Rabarber::Role.assignees_for` method to `Rabarber::Role.assignees`
 
-To upgrade to v2.0.0, please refer to the [migration guide](https://github.com/enjaku4/rabarber/discussions/52).
+To upgrade to v2.0.0, please refer to the [migration guide](https://github.com/enjaku4/rabarber/discussions/52)
 
 ### Features:
 
@@ -14,7 +36,7 @@ To upgrade to v2.0.0, please refer to the [migration guide](https://github.com/e
 
 ### Bugs:
 
-- Fixed the issue where an error would occur if the user was not authenticated
+- Fixed the issue where an error would occur when using view helpers if the user was not authenticated
 
 ### Misc:
 

data/README.md

@@ -3,7 +3,7 @@
 [![Gem Version](https://badge.fury.io/rb/rabarber.svg)](http://badge.fury.io/rb/rabarber)
 [![Github Actions badge](https://github.com/enjaku4/rabarber/actions/workflows/ci.yml/badge.svg)](https://github.com/enjaku4/rabarber/actions/workflows/ci.yml)
 
-Rabarber is a role-based authorization library for Ruby on Rails, primarily designed for use in the web layer of your application but not limited to that. It provides a set of tools for managing user roles and defining authorization rules, along with audit logging for enhanced security.
+Rabarber is a role-based authorization library for Ruby on Rails. It provides a set of tools for managing user roles and defining authorization rules, supports multi-tenancy and comes with audit logging for enhanced security.
 
 ---
 
@@ -39,7 +39,9 @@ This means that `admin` users can access everything in `TicketsController`, whil
   - [Roles](#roles)
   - [Authorization Rules](#authorization-rules)
   - [Dynamic Authorization Rules](#dynamic-authorization-rules)
+  - [Context / Multi-tenancy](#context--multi-tenancy)
   - [When Unauthorized](#when-unauthorized)
+  - [Skip Authorization](#skip-authorization)
   - [View Helpers](#view-helpers)
   - [Audit Trail](#audit-trail)
 
@@ -114,7 +116,7 @@ end
 
 This adds the following methods:
 
-**`#assign_roles(*roles, create_new: true)`**
+**`#assign_roles(*roles, context: nil, create_new: true)`**
 
 To assign roles, use:
 
@@ -127,7 +129,7 @@ user.assign_roles(:accountant, :marketer, create_new: false)
 ```
 The method returns an array of roles assigned to the user.
 
-**`#revoke_roles(*roles)`**
+**`#revoke_roles(*roles, context: nil)`**
 
 To revoke roles, use:
 
@@ -138,7 +140,7 @@ If the user doesn't have the role you want to revoke, it will be ignored.
 
 The method returns an array of roles assigned to the user.
 
-**`#has_role?(*roles)`**
+**`#has_role?(*roles, context: nil)`**
 
 To check whether the user has a role, use:
 
@@ -148,9 +150,9 @@ user.has_role?(:accountant, :marketer)
 
 It returns `true` if the user has at least one role and `false` otherwise.
 
-**`#roles`**
+**`#roles(context: nil)`**
 
-To get all the roles assigned to the user, use:
+To get the list of roles assigned to the user, use:
 
 ```rb
 user.roles
@@ -160,7 +162,7 @@ user.roles
 
 To manipulate roles directly, you can use `Rabarber::Role` methods:
 
-**`.add(role_name)`**
+**`.add(role_name, context: nil)`**
 
 To add a new role, use:
 
@@ -170,7 +172,7 @@ Rabarber::Role.add(:admin)
 
 This will create a new role with the specified name and return `true`. If the role already exists, it will return `false`.
 
-**`.rename(old_role_name, new_role_name, force: false)`**
+**`.rename(old_role_name, new_role_name, context: nil, force: false)`**
 
 To rename a role, use:
 
@@ -184,7 +186,7 @@ The method won't rename the role and will return `false` if it is assigned to an
 Rabarber::Role.rename(:admin, :administrator, force: true)
 ```
 
-**`.remove(role_name, force: false)`**
+**`.remove(role_name, context: nil, force: false)`**
 
 To remove a role, use:
 
@@ -199,15 +201,15 @@ The method won't remove the role and will return `false` if it is assigned to an
 Rabarber::Role.remove(:admin, force: true)
 ```
 
-**`.names`**
+**`.names(context: nil)`**
 
-If you need to list all the role names available in your application, use:
+If you need to list the role names available in your application, use:
 
 ```rb
 Rabarber::Role.names
 ```
 
-**`.assignees(role_name)`**
+**`.assignees(role_name, context: nil)`**
 
 To get all the users to whom the role is assigned, use:
 
@@ -225,7 +227,7 @@ class ApplicationController < ActionController::Base
   # ...
 end
 ```
-This adds `.grant_access(action: nil, roles: nil, if: nil, unless: nil)` method which allows you to define the authorization rules.
+This adds `.grant_access(action: nil, roles: nil, context: nil, if: nil, unless: nil)` method which allows you to define the authorization rules.
 
 The most basic usage of the method is as follows:
 
@@ -246,8 +248,6 @@ end
 ```
 This grants access to `index` action for users with `accountant` or `admin` role, and access to `destroy` action for `admin` users only.
 
-Please note that Rabarber does not provide any built-in data scoping mechanism as it is not a part of the authorization layer and is not necessarily role specific or has anything to do with the current user. The business logic can vary drastically depending on the application, so you're encouraged to limit the data visibility yourself, for example, in the same way as in the example above, where `accountant` role can only see paid invoices.
-
 You can also define controller-wide rules (without `action` argument):
 
 ```rb
@@ -289,11 +289,9 @@ class InvoicesController < ApplicationController
 end
 ```
 
-This allows everyone to access `OrdersController` and its children and also `index` action in `InvoicesController`. This extends to scenarios where there is no user present, i.e. when the method responsible for returning the currently authenticated user in your application returns `nil`.
-
-If the user is not authenticated (the method responsible for returning the currently authenticated user in your application returns `nil`), Rabarber will handle this situation as if the user has no roles.
+This allows everyone to access `OrdersController` and its children and also `index` action in `InvoicesController`.
 
-If you've set `must_have_roles` setting to `true`, then only the users with at least one role can gain access. This setting can be useful if your requirements are such that users without roles (or unauthenticated users) are not allowed to access anything.
+If you've set `must_have_roles` setting to `true`, then only the users with at least one role can gain access. This setting can be useful if your requirements are such that users without roles are not allowed to access anything.
 
 Also keep in mind that rules defined in child classes don't override parent rules but rather add to them:
 ```rb
@@ -349,7 +347,7 @@ class Crm::InvoicesController < ApplicationController
   end
 end
 ```
-You can pass a dynamic rule as `if` or `unless` argument. It can be a symbol, in which case the method with that name will be called. Alternatively, it can be a proc, which will be executed within the context of the controller's instance.
+You can pass a dynamic rule as `if` or `unless` argument. It can be a symbol, in which case the method with that name will be called, or alternatively it can be a proc that will be executed within the context of the controller instance at request time.
 
 You can use only dynamic rules without specifying roles if that suits your needs:
 ```rb
@@ -370,6 +368,76 @@ class InvoicesController < ApplicationController
 end
 ```
 
+## Context / Multi-tenancy
+
+Rabarber supports multi-tenancy by providing a context feature. This allows you to define and authorize roles and rules within a specific context.
+
+Every Rabarber method that accepts roles can also accept a context as an additional keyword argument. By default, the context is set to `nil`, meaning the roles are global. Thus, all examples from other sections of this README are valid for global roles. Apart from being global, the context can be an instance of ActiveRecord model or a class.
+
+E.g., consider a model named `Project`, where each project has its owner and regular members. Roles can be defined like this:
+
+```rb
+  user.assign_roles(:owner, context: project)
+  another_user.assign_roles(:member, context: project)
+```
+
+Then the roles can be verified:
+
+```rb
+  user.has_role?(:owner, context: project)
+  another_user.has_role?(:member, context: project)
+```
+
+A role can also be added using a class as a context, e.g., for project admins who can manage all projects:
+
+```rb
+  user.assign_roles(:admin, context: Project)
+```
+
+And then it can also be verified:
+
+```rb
+  user.has_role?(:admin, context: Project)
+```
+
+In authorization rules, the context can be used in the same way, but it also can be a proc or a symbol (similar to dynamic rules):
+
+```rb
+class ProjectsController < ApplicationController
+  grant_access roles: :admin, context: Project
+
+  grant_access action: :show, roles: :member, context: :project
+  def show
+    # ...
+  end
+
+  grant_access action: :update, roles: :owner, context: -> { Project.find(params[:id]) }
+  def update
+    # ...
+  end
+
+  private
+
+  def project
+    Project.find(params[:id])
+  end
+end
+```
+
+It's important to note that role names are not unique globally but are unique within the scope of their context. E.g., `user.assign_roles(:admin, context: Project)` and `user.assign_roles(:admin)` assign different roles to the user. The same as `Rabarber::Role.add(:admin, context: Project)` and `Rabarber::Role.add(:admin)` create different roles.
+
+If you want to see all the roles assigned to a user within a specific context, you can use:
+
+```rb
+  user.roles(context: project)
+```
+
+Or if you want to get all the roles available in a specific context, you can use:
+
+```rb
+  Rabarber::Role.names(context: Project)
+```
+
 ## When Unauthorized
 
 By default, in the event of an unauthorized attempt, Rabarber redirects the user back if the request format is HTML (with fallback to the root path), and returns a 401 (Unauthorized) status code otherwise.
@@ -392,6 +460,19 @@ end
 
 The method can be overridden in different controllers, providing flexibility in handling unauthorized access attempts.
 
+## Skip Authorization
+
+To skip authorization, use `.skip_authorization(options = {})` method:
+
+```rb
+class TicketsController < ApplicationController
+  skip_authorization only: :index
+  # ...
+end
+```
+
+This method accepts the same options as `skip_before_action` method in Rails.
+
 ## View Helpers
 
 Rabarber also provides a couple of helpers that can be used in views: `visible_to(*roles, &block)` and `hidden_from(*roles, &block)`. To use them, simply include `Rabarber::Helpers` in the desired helper. Usually it is `ApplicationHelper`, but it can be any helper of your choice.

data/lib/generators/rabarber/templates/create_rabarber_roles.rb.erb

@@ -3,10 +3,13 @@
 class CreateRabarberRoles < ActiveRecord::Migration[<%= ActiveRecord::Migration.current_version.to_s %>]
   def change
     create_table :rabarber_roles<%= ", id: :uuid" if options[:uuid] %> do |t|
-      t.string :name, null: false, index: { unique: true }
+      t.string :name, null: false
+      t.belongs_to :context, polymorphic: true, index: true<%= ", type: :uuid" if options[:uuid] %>
       t.timestamps
     end
 
+    add_index :rabarber_roles, [:name, :context_type, :context_id], unique: true
+
     create_table :rabarber_roles_roleables, id: false do |t|
       t.belongs_to :role, null: false, index: true, foreign_key: { to_table: :rabarber_roles }<%= ", type: :uuid" if options[:uuid] %>
       t.belongs_to :roleable, null: false, index: true, foreign_key: { to_table: <%= table_name.to_sym.inspect %> }<%= ", type: :uuid" if options[:uuid] %>

data/lib/rabarber/audit/events/base.rb

@@ -38,24 +38,22 @@ module Rabarber
         end
 
         def identity
-          roleable_identity(with_roles: identity_with_roles?)
-        end
-
-        def identity_with_roles?
-          raise NotImplementedError
-        end
-
-        def roleable_identity(with_roles:)
-          if roleable
+          if roleable.is_a?(Rabarber::Core::NullRoleable)
+            "Unauthenticated #{Rabarber::HasRoles.roleable_class.model_name.human.downcase}"
+          else
             model_name = roleable.model_name.human
-            primary_key = roleable.class.primary_key
-            roleable_id = roleable.public_send(primary_key)
+            roleable_id = roleable.public_send(roleable.class.primary_key)
 
-            roles = with_roles ? ", roles: #{roleable.roles}" : ""
+            "#{model_name}##{roleable_id}"
+          end
+        end
 
-            "#{model_name} with #{primary_key}: '#{roleable_id}'#{roles}"
-          else
-            "Unauthenticated #{Rabarber::HasRoles.roleable_class.model_name.human.downcase}"
+        def human_context
+          case context
+          in { context_type: nil, context_id: nil } then "Global"
+          in { context_type: context_type, context_id: nil } then context_type
+          in { context_type: context_type, context_id: context_id } then "#{context_type}##{context_id}"
+          else raise "Unexpected context: #{context}"
           end
         end
       end

data/lib/rabarber/audit/events/roles_assigned.rb

@@ -15,11 +15,11 @@ module Rabarber
         end
 
         def message
-          "[Role Assignment] #{identity} has been assigned the following roles: #{roles_to_assign}, current roles: #{current_roles}"
+          "[Role Assignment] #{identity} | context: #{human_context} | assigned: #{roles_to_assign} | current: #{current_roles}"
         end
 
-        def identity_with_roles?
-          false
+        def context
+          specifics.fetch(:context)
         end
 
         def roles_to_assign

data/lib/rabarber/audit/events/roles_revoked.rb

@@ -15,11 +15,11 @@ module Rabarber
         end
 
         def message
-          "[Role Revocation] #{identity} has been revoked from the following roles: #{roles_to_revoke}, current roles: #{current_roles}"
+          "[Role Revocation] #{identity} | context: #{human_context} | revoked: #{roles_to_revoke} | current: #{current_roles}"
         end
 
-        def identity_with_roles?
-          false
+        def context
+          specifics.fetch(:context)
         end
 
         def roles_to_revoke

data/lib/rabarber/audit/events/unauthorized_attempt.rb

@@ -15,16 +15,16 @@ module Rabarber
         end
 
         def message
-          "[Unauthorized Attempt] #{identity} attempted to access '#{path}'"
-        end
-
-        def identity_with_roles?
-          true
+          "[Unauthorized Attempt] #{identity} | request: #{request_method} #{path}"
         end
 
         def path
           specifics.fetch(:path)
         end
+
+        def request_method
+          specifics.fetch(:request_method)
+        end
       end
     end
   end

data/lib/rabarber/controllers/concerns/authorization.rb

@@ -11,13 +11,18 @@ module Rabarber
     end
 
     class_methods do
-      def grant_access(action: nil, roles: nil, if: nil, unless: nil)
+      def skip_authorization(options = {})
+        skip_before_action :verify_access, **options
+      end
+
+      def grant_access(action: nil, roles: nil, context: nil, if: nil, unless: nil)
         dynamic_rule, negated_dynamic_rule = binding.local_variable_get(:if), binding.local_variable_get(:unless)
 
         Rabarber::Core::Permissions.add(
           self,
           Rabarber::Input::Action.new(action).process,
           Rabarber::Input::Roles.new(roles).process,
+          Rabarber::Input::AuthorizationContext.new(context).process,
           Rabarber::Input::DynamicRule.new(dynamic_rule).process,
           Rabarber::Input::DynamicRule.new(negated_dynamic_rule).process
         )
@@ -29,9 +34,11 @@ module Rabarber
     def verify_access
       Rabarber::Core::PermissionsIntegrityChecker.new(self.class).run! unless Rails.configuration.eager_load
 
-      return if Rabarber::Core::Permissions.access_granted?(roleable_roles, self.class, action_name.to_sym, self)
+      return if Rabarber::Core::Permissions.access_granted?(roleable, action_name.to_sym, self)
 
-      Rabarber::Audit::Events::UnauthorizedAttempt.trigger(roleable, path: request.path)
+      Rabarber::Audit::Events::UnauthorizedAttempt.trigger(
+        roleable, path: request.path, request_method: request.request_method
+      )
 
       when_unauthorized
     end

data/lib/rabarber/core/access.rb

@@ -3,20 +3,19 @@
 module Rabarber
   module Core
     module Access
-      def access_granted?(roles, controller, action, dynamic_rule_receiver)
-        controller_accessible?(roles, controller, dynamic_rule_receiver) ||
-          action_accessible?(roles, controller, action, dynamic_rule_receiver)
+      def access_granted?(roleable, action, controller_instance)
+        controller_accessible?(roleable, controller_instance) || action_accessible?(roleable, action, controller_instance)
       end
 
-      def controller_accessible?(roles, controller, dynamic_rule_receiver)
+      def controller_accessible?(roleable, controller_instance)
         controller_rules.any? do |rule_controller, rule|
-          controller <= rule_controller && rule.verify_access(roles, dynamic_rule_receiver)
+          controller_instance.class <= rule_controller && rule.verify_access(roleable, controller_instance)
         end
       end
 
-      def action_accessible?(roles, controller, action, dynamic_rule_receiver)
-        action_rules[controller].any? do |rule|
-          rule.action == action && rule.verify_access(roles, dynamic_rule_receiver)
+      def action_accessible?(roleable, action, controller_instance)
+        action_rules[controller_instance.class].any? do |rule|
+          rule.action == action && rule.verify_access(roleable, controller_instance)
         end
       end
     end

data/lib/rabarber/core/cache.rb

@@ -1,19 +1,25 @@
 # frozen_string_literal: true
 
+require "digest/sha2"
+
 module Rabarber
   module Core
     module Cache
-      extend self
+      module_function
 
       CACHE_PREFIX = "rabarber"
       private_constant :CACHE_PREFIX
 
-      def fetch(roleable_id, options = { expires_in: 1.hour, race_condition_ttl: 5.seconds }, &block)
-        enabled? ? Rails.cache.fetch(key_for(roleable_id), **options, &block) : yield
+      def fetch(roleable_id, context:, &block)
+        if enabled?
+          Rails.cache.fetch(key_for(roleable_id, context), expires_in: 1.hour, race_condition_ttl: 5.seconds, &block)
+        else
+          yield
+        end
       end
 
-      def delete(*roleable_ids)
-        keys = roleable_ids.map { |roleable_id| key_for(roleable_id) }
+      def delete(*roleable_ids, context:)
+        keys = roleable_ids.map { |roleable_id| key_for(roleable_id, context) }
         Rails.cache.delete_multi(keys) if enabled? && keys.any?
       end
 
@@ -25,10 +31,8 @@ module Rabarber
         Rails.cache.delete_matched(/^#{CACHE_PREFIX}/o)
       end
 
-      private
-
-      def key_for(id)
-        "#{CACHE_PREFIX}:roles_#{id}"
+      def key_for(id, context)
+        "#{CACHE_PREFIX}:#{Digest::SHA2.hexdigest("#{id}#{context}")}"
       end
     end
   end

data/lib/rabarber/core/permissions.rb

@@ -19,8 +19,8 @@ module Rabarber
       end
 
       class << self
-        def add(controller, action, roles, dynamic_rule, negated_dynamic_rule)
-          rule = Rabarber::Core::Rule.new(action, roles, dynamic_rule, negated_dynamic_rule)
+        def add(controller, action, roles, context, dynamic_rule, negated_dynamic_rule)
+          rule = Rabarber::Core::Rule.new(action, roles, context, dynamic_rule, negated_dynamic_rule)
 
           if action
             instance.storage[:action_rules][controller] += [rule]

data/lib/rabarber/core/roleable.rb

@@ -4,11 +4,17 @@ module Rabarber
   module Core
     module Roleable
       def roleable
-        send(Rabarber::Configuration.instance.current_user_method)
+        send(Rabarber::Configuration.instance.current_user_method) || NullRoleable.new
       end
 
-      def roleable_roles
-        roleable&.roles.to_a
+      def roleable_roles(context: nil)
+        roleable.roles(context: context)
+      end
+    end
+
+    class NullRoleable
+      def roles(context:) # rubocop:disable Lint/UnusedMethodArgument
+        []
       end
     end
   end

data/lib/rabarber/core/rule.rb

@@ -3,44 +3,56 @@
 module Rabarber
   module Core
     class Rule
-      attr_reader :action, :roles, :dynamic_rule, :negated_dynamic_rule
+      attr_reader :action, :roles, :context, :dynamic_rule, :negated_dynamic_rule
 
-      def initialize(action, roles, dynamic_rule, negated_dynamic_rule)
+      def initialize(action, roles, context, dynamic_rule, negated_dynamic_rule)
         @action = action
         @roles = Array(roles)
+        @context = context
         @dynamic_rule = dynamic_rule
         @negated_dynamic_rule = negated_dynamic_rule
       end
 
-      def verify_access(roleable_roles, dynamic_rule_receiver)
-        roles_permitted?(roleable_roles) && dynamic_rule_followed?(dynamic_rule_receiver)
+      def verify_access(roleable, controller_instance)
+        roles_permitted?(roleable, controller_instance) && dynamic_rule_followed?(controller_instance)
       end
 
-      def roles_permitted?(roleable_roles)
+      def roles_permitted?(roleable, controller_instance)
+        processed_context = get_context(controller_instance)
+        roleable_roles = roleable.roles(context: processed_context)
+
         return false if Rabarber::Configuration.instance.must_have_roles && roleable_roles.empty?
 
         roles.empty? || roles.intersection(roleable_roles).any?
       end
 
-      def dynamic_rule_followed?(dynamic_rule_receiver)
-        !!(execute_dynamic_rule(dynamic_rule_receiver, false) && execute_dynamic_rule(dynamic_rule_receiver, true))
+      def dynamic_rule_followed?(controller_instance)
+        !!(execute_dynamic_rule(controller_instance, false) && execute_dynamic_rule(controller_instance, true))
       end
 
       private
 
-      def execute_dynamic_rule(dynamic_rule_receiver, is_negated)
+      def execute_dynamic_rule(controller_instance, is_negated)
         rule = is_negated ? negated_dynamic_rule : dynamic_rule
 
         return true if rule.nil?
 
         result = if rule.is_a?(Proc)
-                   dynamic_rule_receiver.instance_exec(&rule)
+                   controller_instance.instance_exec(&rule)
                  else
-                   dynamic_rule_receiver.send(rule)
+                   controller_instance.send(rule)
                  end
 
         is_negated ? !result : result
       end
+
+      def get_context(controller_instance)
+        case context
+        when Proc then Rabarber::Input::Context.new(controller_instance.instance_exec(&context)).process
+        when Symbol then Rabarber::Input::Context.new(controller_instance.send(context)).process
+        else context
+        end
+      end
     end
   end
 end

data/lib/rabarber/helpers/helpers.rb

@@ -4,14 +4,14 @@ module Rabarber
   module Helpers
     include Rabarber::Core::Roleable
 
-    def visible_to(*roles, &block)
-      return unless roleable_roles.intersection(Rabarber::Input::Roles.new(roles).process).any?
+    def visible_to(*roles, context: nil, &block)
+      return if roleable_roles(context: Rabarber::Input::Context.new(context).process).intersection(Rabarber::Input::Roles.new(roles).process).none?
 
       capture(&block)
     end
 
-    def hidden_from(*roles, &block)
-      return if roleable_roles.intersection(Rabarber::Input::Roles.new(roles).process).any?
+    def hidden_from(*roles, context: nil, &block)
+      return if roleable_roles(context: Rabarber::Input::Context.new(context).process).intersection(Rabarber::Input::Roles.new(roles).process).any?
 
       capture(&block)
     end

data/lib/rabarber/input/action.rb

@@ -11,10 +11,8 @@ module Rabarber
 
       def processed_value
         case value
-        when String, Symbol
-          value.to_sym
-        when nil
-          value
+        when String, Symbol then value.to_sym
+        when nil then value
         end
       end
 

data/lib/rabarber/input/authorization_context.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Rabarber
+  module Input
+    class AuthorizationContext < Rabarber::Input::Base
+      def valid?
+        Rabarber::Input::Context.new(value).valid? || Rabarber::Input::DynamicRule.new(value).valid?
+      end
+
+      private
+
+      def processed_value
+        case value
+        when Symbol, String then value.to_sym
+        when Proc then value
+        else Rabarber::Input::Context.new(value).process
+        end
+      end
+
+      def default_error_message
+        "Context must be a Class, an instance of ActiveRecord model, a Symbol, a String, or a Proc"
+      end
+    end
+  end
+end

data/lib/rabarber/input/context.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Rabarber
+  module Input
+    class Context < Rabarber::Input::Base
+      def valid?
+        value.nil? || value.is_a?(Class) || value.is_a?(ActiveRecord::Base) && value.persisted? || already_processed?
+      end
+
+      private
+
+      def processed_value
+        case value
+        when nil then { context_type: nil, context_id: nil }
+        when Class then { context_type: value.to_s, context_id: nil }
+        when ActiveRecord::Base then { context_type: value.class.to_s, context_id: value.public_send(value.class.primary_key) }
+        else value
+        end
+      end
+
+      def default_error_message
+        "Context must be a Class or an instance of ActiveRecord model"
+      end
+
+      def already_processed?
+        case value
+        in { context_type: NilClass | String, context_id: NilClass | String | Integer } then true
+        else false
+        end
+      end
+    end
+  end
+end

data/lib/rabarber/input/dynamic_rule.rb

@@ -11,10 +11,8 @@ module Rabarber
 
       def processed_value
         case value
-        when String, Symbol
-          value.to_sym
-        when Proc, nil
-          value
+        when String, Symbol then value.to_sym
+        when Proc, nil then value
         end
       end
 

data/lib/rabarber/models/concerns/has_roles.rb

@@ -14,43 +14,62 @@ module Rabarber
                                                join_table: "rabarber_roles_roleables"
     end
 
-    def roles
-      Rabarber::Core::Cache.fetch(roleable_id) { rabarber_roles.names }
+    def roles(context: nil)
+      processed_context = process_context(context)
+      Rabarber::Core::Cache.fetch(roleable_id, context: processed_context) { rabarber_roles.names(context: processed_context) }
     end
 
-    def has_role?(*role_names)
-      roles.intersection(process_role_names(role_names)).any?
+    def has_role?(*role_names, context: nil)
+      processed_context = process_context(context)
+      roles(context: processed_context).intersection(process_role_names(role_names)).any?
     end
 
-    def assign_roles(*role_names, create_new: true)
+    def assign_roles(*role_names, context: nil, create_new: true)
       processed_role_names = process_role_names(role_names)
+      processed_context = process_context(context)
 
-      create_new_roles(processed_role_names) if create_new
+      create_new_roles(processed_role_names, context: processed_context) if create_new
 
-      roles_to_assign = Rabarber::Role.where(name: processed_role_names - rabarber_roles.names)
+      roles_to_assign = Rabarber::Role.where(
+        name: (processed_role_names - rabarber_roles.names(context: processed_context)), **processed_context
+      )
 
       if roles_to_assign.any?
-        delete_roleable_cache
+        delete_roleable_cache(context: processed_context)
         rabarber_roles << roles_to_assign
 
-        Rabarber::Audit::Events::RolesAssigned.trigger(self, roles_to_assign: roles_to_assign.names, current_roles: roles)
+        Rabarber::Audit::Events::RolesAssigned.trigger(
+          self,
+          roles_to_assign: roles_to_assign.names(context: processed_context),
+          current_roles: roles(context: processed_context),
+          context: processed_context
+        )
       end
 
-      roles
+      roles(context: processed_context)
     end
 
-    def revoke_roles(*role_names)
+    def revoke_roles(*role_names, context: nil)
       processed_role_names = process_role_names(role_names)
-      roles_to_revoke = Rabarber::Role.where(name: processed_role_names.intersection(roles))
+      processed_context = process_context(context)
+
+      roles_to_revoke = Rabarber::Role.where(
+        name: processed_role_names.intersection(roles(context: processed_context)), **processed_context
+      )
 
       if roles_to_revoke.any?
-        delete_roleable_cache
+        delete_roleable_cache(context: processed_context)
         self.rabarber_roles -= roles_to_revoke
 
-        Rabarber::Audit::Events::RolesRevoked.trigger(self, roles_to_revoke: roles_to_revoke.names, current_roles: roles)
+        Rabarber::Audit::Events::RolesRevoked.trigger(
+          self,
+          roles_to_revoke: roles_to_revoke.names(context: processed_context),
+          current_roles: roles(context: processed_context),
+          context: processed_context
+        )
       end
 
-      roles
+      roles(context: processed_context)
     end
 
     def roleable_class
@@ -60,17 +79,21 @@ module Rabarber
 
     private
 
-    def create_new_roles(role_names)
-      new_roles = role_names - Rabarber::Role.names
-      new_roles.each { |role_name| Rabarber::Role.create!(name: role_name) }
+    def create_new_roles(role_names, context:)
+      new_roles = role_names - Rabarber::Role.names(context: context)
+      new_roles.each { |role_name| Rabarber::Role.create!(name: role_name, **context) }
     end
 
     def process_role_names(role_names)
       Rabarber::Input::Roles.new(role_names).process
     end
 
-    def delete_roleable_cache
-      Rabarber::Core::Cache.delete(roleable_id)
+    def process_context(context)
+      Rabarber::Input::Context.new(context).process
+    end
+
+    def delete_roleable_cache(context:)
+      Rabarber::Core::Cache.delete(roleable_id, context: context)
     end
 
     def roleable_id

data/lib/rabarber/models/role.rb

@@ -4,54 +4,60 @@ module Rabarber
   class Role < ActiveRecord::Base
     self.table_name = "rabarber_roles"
 
-    validates :name, presence: true, uniqueness: true, format: { with: Rabarber::Input::Role::REGEX }, strict: true
+    validates :name, presence: true,
+                     uniqueness: { scope: [:context_type, :context_id] },
+                     format: { with: Rabarber::Input::Role::REGEX },
+                     strict: true
 
     has_and_belongs_to_many :roleables, join_table: "rabarber_roles_roleables"
 
     class << self
-      def names
-        pluck(:name).map(&:to_sym)
+      def names(context: nil)
+        where(Rabarber::Input::Context.new(context).process).pluck(:name).map(&:to_sym)
       end
 
-      def add(name)
+      def add(name, context: nil)
         name = process_role_name(name)
+        processed_context = process_context(context)
 
-        return false if exists?(name: name)
+        return false if exists?(name: name, **processed_context)
 
-        !!create!(name: name)
+        !!create!(name: name, **processed_context)
       end
 
-      def rename(old_name, new_name, force: false)
-        role = find_by(name: process_role_name(old_name))
+      def rename(old_name, new_name, context: nil, force: false)
+        processed_context = process_context(context)
+        role = find_by(name: process_role_name(old_name), **processed_context)
         name = process_role_name(new_name)
 
-        return false if !role || exists?(name: name) || assigned_to_roleables(role).any? && !force
+        return false if !role || exists?(name: name, **processed_context) || assigned_to_roleables(role).any? && !force
 
-        delete_roleables_cache(role)
+        delete_roleables_cache(role, context: processed_context)
 
         role.update!(name: name)
       end
 
-      def remove(name, force: false)
-        role = find_by(name: process_role_name(name))
+      def remove(name, context: nil, force: false)
+        processed_context = process_context(context)
+        role = find_by(name: process_role_name(name), **processed_context)
 
         return false if !role || assigned_to_roleables(role).any? && !force
 
-        delete_roleables_cache(role)
+        delete_roleables_cache(role, context: processed_context)
 
         !!role.destroy!
       end
 
-      def assignees(name)
+      def assignees(name, context: nil)
         Rabarber::HasRoles.roleable_class.joins(:rabarber_roles).where(
-          rabarber_roles: { name: Rabarber::Input::Role.new(name).process }
+          rabarber_roles: { name: Rabarber::Input::Role.new(name).process, **process_context(context) }
         )
       end
 
       private
 
-      def delete_roleables_cache(role)
-        Rabarber::Core::Cache.delete(*assigned_to_roleables(role))
+      def delete_roleables_cache(role, context:)
+        Rabarber::Core::Cache.delete(*assigned_to_roleables(role), context: context)
       end
 
       def assigned_to_roleables(role)
@@ -65,6 +71,10 @@ module Rabarber
       def process_role_name(name)
         Rabarber::Input::Role.new(name).process
       end
+
+      def process_context(context)
+        Rabarber::Input::Context.new(context).process
+      end
     end
   end
 end

data/lib/rabarber/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Rabarber
-  VERSION = "2.0.0"
+  VERSION = "3.0.0"
 end

data/lib/rabarber.rb

@@ -8,6 +8,8 @@ require "active_support"
 
 require_relative "rabarber/input/base"
 require_relative "rabarber/input/action"
+require_relative "rabarber/input/authorization_context"
+require_relative "rabarber/input/context"
 require_relative "rabarber/input/dynamic_rule"
 require_relative "rabarber/input/role"
 require_relative "rabarber/input/roles"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rabarber
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 3.0.0
 platform: ruby
 authors:
 - enjaku4
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-04-25 00:00:00.000000000 Z
+date: 2024-07-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -59,7 +59,9 @@ files:
 - lib/rabarber/core/rule.rb
 - lib/rabarber/helpers/helpers.rb
 - lib/rabarber/input/action.rb
+- lib/rabarber/input/authorization_context.rb
 - lib/rabarber/input/base.rb
+- lib/rabarber/input/context.rb
 - lib/rabarber/input/dynamic_rule.rb
 - lib/rabarber/input/role.rb
 - lib/rabarber/input/roles.rb