rabarber 4.1.3 → 5.0.0

data/lib/rabarber/core/integrity_checker.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module Rabarber
+  module Core
+    module IntegrityChecker
+      extend self
+
+      def run!
+        check_for_missing_class_context
+        prune_missing_instance_context
+      end
+
+      private
+
+      def check_for_missing_class_context
+        Rabarber::Role.where.not(context_type: nil).distinct.pluck(:context_type).each do |context_class|
+          context_class.constantize
+        rescue NameError => e
+          raise Rabarber::Error, "Context not found: class #{e.name} may have been renamed or deleted"
+        end
+      end
+
+      def prune_missing_instance_context
+        ids = Rabarber::Role.where.not(context_id: nil).includes(:context).filter_map do |role|
+          role.context
+          nil
+        rescue ActiveRecord::RecordNotFound
+          role.id
+        end
+
+        return if ids.empty?
+
+        ActiveRecord::Base.transaction do
+          ActiveRecord::Base.connection.execute(
+            ActiveRecord::Base.sanitize_sql(
+              ["DELETE FROM rabarber_roles_roleables WHERE role_id IN (?)", ids]
+            )
+          )
+          Rabarber::Role.where(id: ids).delete_all
+        end
+      end
+    end
+  end
+end

data/lib/rabarber/core/permissions.rb

@@ -32,6 +32,11 @@ module Rabarber
         def action_rules
           instance.storage[:action_rules]
         end
+
+        def reset!
+          instance.storage[:controller_rules].clear
+          instance.storage[:action_rules].clear
+        end
       end
     end
   end

data/lib/rabarber/core/roleable.rb

@@ -1,12 +1,19 @@
 # frozen_string_literal: true
 
-require_relative "null_roleable"
-
 module Rabarber
   module Core
     module Roleable
       def roleable
-        send(Rabarber::Configuration.instance.current_user_method) || NullRoleable.new
+        current_roleable = send(Rabarber::Configuration.instance.current_user_method)
+
+        unless current_roleable.is_a?(Rabarber::Configuration.instance.user_model)
+          raise(
+            Rabarber::Error,
+            "Expected `#{Rabarber::Configuration.instance.current_user_method}` to return an instance of #{Rabarber::Configuration.instance.user_model_name}, but got #{current_roleable.inspect}"
+          )
+        end
+
+        current_roleable
       end
 
       def roleable_roles(context: nil)

data/lib/rabarber/core/rule.rb

@@ -5,11 +5,15 @@ module Rabarber
     class Rule
       attr_reader :roles, :context, :dynamic_rule, :negated_dynamic_rule
 
+      DEFAULT_DYNAMIC_RULE = -> { true }.freeze
+      DEFAULT_NEGATED_DYNAMIC_RULE = -> { false }.freeze
+      private_constant :DEFAULT_DYNAMIC_RULE, :DEFAULT_NEGATED_DYNAMIC_RULE
+
       def initialize(roles, context, dynamic_rule, negated_dynamic_rule)
         @roles = Array(roles)
         @context = context
-        @dynamic_rule = dynamic_rule || -> { true }
-        @negated_dynamic_rule = negated_dynamic_rule || -> { false }
+        @dynamic_rule = dynamic_rule || DEFAULT_DYNAMIC_RULE
+        @negated_dynamic_rule = negated_dynamic_rule || DEFAULT_NEGATED_DYNAMIC_RULE
       end
 
       def verify_access(roleable, controller_instance)
@@ -17,8 +21,6 @@ module Rabarber
       end
 
       def roles_permitted?(roleable, controller_instance)
-        return false if Rabarber::Configuration.instance.must_have_roles && roleable.all_roles.empty?
-
         roles.empty? || roleable.has_role?(*roles, context: resolve_context(controller_instance))
       end
 

data/lib/rabarber/helpers/helpers.rb

@@ -4,12 +4,12 @@ module Rabarber
   module Helpers
     include Rabarber::Core::Roleable
 
-    def visible_to(*roles, context: nil, &block)
-      capture(&block) if roleable.has_role?(*roles, context:)
+    def visible_to(*roles, context: nil, &)
+      capture(&) if roleable.has_role?(*roles, context:)
     end
 
-    def hidden_from(*roles, context: nil, &block)
-      capture(&block) unless roleable.has_role?(*roles, context:)
+    def hidden_from(*roles, context: nil, &)
+      capture(&) unless roleable.has_role?(*roles, context:)
     end
   end
 end

data/lib/rabarber/helpers/migration_helpers.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Rabarber
+  module MigrationHelpers
+    def migrate_authorization_context!(old_context, new_context)
+      roles = Rabarber::Role.where(context_type: old_context.to_s)
+
+      raise Rabarber::InvalidArgumentError, "No roles exist in context #{old_context.inspect}" unless roles.exists?
+      raise Rabarber::InvalidArgumentError, "Cannot migrate context to #{new_context.inspect}: class does not exist" unless new_context.to_s.safe_constantize
+
+      roles.update_all(context_type: new_context.to_s)
+    end
+
+    def delete_authorization_context!(context)
+      roles = Rabarber::Role.where(context_type: context.to_s)
+
+      raise Rabarber::InvalidArgumentError, "No roles exist in context #{context.inspect}" unless roles.exists?
+
+      ActiveRecord::Base.transaction do
+        ActiveRecord::Base.connection.execute(
+          ActiveRecord::Base.sanitize_sql(
+            ["DELETE FROM rabarber_roles_roleables WHERE role_id IN (?)", roles.pluck(:id)]
+          )
+        )
+        roles.delete_all
+      end
+    end
+  end
+end

data/lib/rabarber/input/ar_model.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Rabarber
+  module Input
+    class ArModel < Rabarber::Input::Base
+      def valid?
+        processed_value < ActiveRecord::Base
+      rescue NameError
+        false
+      end
+
+      private
+
+      def processed_value
+        value.constantize
+      end
+
+      def default_error_message
+        "Value must be an ActiveRecord model"
+      end
+    end
+  end
+end

data/lib/rabarber/models/concerns/has_roles.rb

@@ -42,13 +42,6 @@ module Rabarber
       if roles_to_assign.any?
         delete_roleable_cache(context: processed_context)
         rabarber_roles << roles_to_assign
-
-        Rabarber::Audit::Events::RolesAssigned.trigger(
-          self,
-          roles_to_assign: roles_to_assign.names(context: processed_context),
-          current_roles: roles(context: processed_context),
-          context: processed_context
-        )
       end
 
       roles(context: processed_context)
@@ -65,27 +58,11 @@ module Rabarber
       if roles_to_revoke.any?
         delete_roleable_cache(context: processed_context)
         self.rabarber_roles -= roles_to_revoke
-
-        Rabarber::Audit::Events::RolesRevoked.trigger(
-          self,
-          roles_to_revoke: roles_to_revoke.names(context: processed_context),
-          current_roles: roles(context: processed_context),
-          context: processed_context
-        )
       end
 
       roles(context: processed_context)
     end
 
-    def log_identity
-      "#{model_name.human}##{roleable_id}"
-    end
-
-    def roleable_class
-      @@included.constantize
-    end
-    module_function :roleable_class
-
     private
 
     def create_new_roles(role_names, context:)

data/lib/rabarber/models/role.rb

@@ -11,7 +11,9 @@ module Rabarber
 
     belongs_to :context, polymorphic: true, optional: true
 
-    before_destroy :delete_assignments
+    has_and_belongs_to_many :roleables, class_name: Rabarber::Configuration.instance.user_model_name,
+                                        association_foreign_key: "roleable_id",
+                                        join_table: "rabarber_roles_roleables"
 
     class << self
       def names(context: nil)
@@ -19,11 +21,13 @@ module Rabarber
       end
 
       def all_names
-        includes(:context).group_by(&:context).transform_values { |roles| roles.map { _1.name.to_sym } }
-      rescue ActiveRecord::RecordNotFound => e
-        raise Rabarber::Error, "Context not found: #{e.model}##{e.id}"
+        includes(:context).each_with_object({}) do |role, hash|
+          (hash[role.context] ||= []) << role.name.to_sym
+        rescue ActiveRecord::RecordNotFound
+          next
+        end
       rescue NameError => e
-        raise Rabarber::Error, "Context not found: #{e.name}"
+        raise Rabarber::NotFoundError, "Context not found: class #{e.name} may have been renamed or deleted"
       end
 
       def add(name, context: nil)
@@ -38,9 +42,12 @@ module Rabarber
       def rename(old_name, new_name, context: nil, force: false)
         processed_context = process_context(context)
         role = find_by(name: process_role_name(old_name), **processed_context)
+
+        raise Rabarber::NotFoundError, "Role not found" unless role
+
         name = process_role_name(new_name)
 
-        return false if !role || exists?(name:, **processed_context) || assigned_to_roleables(role).any? && !force
+        return false if exists?(name:, **processed_context) || role.roleables.exists? && !force
 
         delete_roleables_cache(role, context: processed_context)
 
@@ -51,7 +58,9 @@ module Rabarber
         processed_context = process_context(context)
         role = find_by(name: process_role_name(name), **processed_context)
 
-        return false if !role || assigned_to_roleables(role).any? && !force
+        raise Rabarber::NotFoundError, "Role not found" unless role
+
+        return false if role.roleables.exists? && !force
 
         delete_roleables_cache(role, context: processed_context)
 
@@ -59,23 +68,16 @@ module Rabarber
       end
 
       def assignees(name, context: nil)
-        Rabarber::HasRoles.roleable_class.joins(:rabarber_roles).where(
-          rabarber_roles: { name: process_role_name(name), **process_context(context) }
-        )
+        find_by(name: process_role_name(name), **process_context(context))&.roleables ||
+          Rabarber::Configuration.instance.user_model.none
       end
 
       private
 
       def delete_roleables_cache(role, context:)
-        Rabarber::Core::Cache.delete(*assigned_to_roleables(role).flat_map { [[_1, context], [_1, :all]] })
-      end
-
-      def assigned_to_roleables(role)
-        ActiveRecord::Base.connection.select_values(
-          ActiveRecord::Base.sanitize_sql(
-            ["SELECT roleable_id FROM rabarber_roles_roleables WHERE role_id = ?", role.id]
-          )
-        )
+        role.roleables.in_batches(of: 1000) do |batch|
+          Rabarber::Core::Cache.delete(*batch.pluck(:id).flat_map { [[_1, context], [_1, :all]] })
+        end
       end
 
       def process_role_name(name)
@@ -96,15 +98,5 @@ module Rabarber
 
       record
     end
-
-    private
-
-    def delete_assignments
-      ActiveRecord::Base.connection.execute(
-        ActiveRecord::Base.sanitize_sql(
-          ["DELETE FROM rabarber_roles_roleables WHERE role_id = ?", id]
-        )
-      )
-    end
   end
 end

data/lib/rabarber/railtie.rb

@@ -4,9 +4,34 @@ require "rails/railtie"
 
 module Rabarber
   class Railtie < Rails::Railtie
+    initializer "rabarber.to_prepare" do |app|
+      app.config.to_prepare do
+        unless app.config.eager_load
+          Rabarber::Core::Permissions.reset!
+          ApplicationController.class_eval do
+            before_action :check_integrity
+
+            private
+
+            def check_integrity
+              Rabarber::Core::IntegrityChecker.run!
+            end
+          end
+        end
+        user_model = Rabarber::Configuration.instance.user_model
+        user_model.include Rabarber::HasRoles unless user_model < Rabarber::HasRoles
+      end
+    end
+
     initializer "rabarber.after_initialize" do |app|
       app.config.after_initialize do
-        Rabarber::Core::PermissionsIntegrityChecker.new.run! if app.config.eager_load
+        Rabarber::Core::IntegrityChecker.run! if app.config.eager_load
+      end
+    end
+
+    initializer "rabarber.extend_migration_helpers" do
+      ActiveSupport.on_load :active_record do
+        ActiveRecord::Migration.include Rabarber::MigrationHelpers
       end
     end
   end

data/lib/rabarber/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Rabarber
-  VERSION = "4.1.3"
+  VERSION = "5.0.0"
 end

data/lib/rabarber.rb

@@ -8,6 +8,7 @@ require "active_support"
 
 require_relative "rabarber/input/base"
 require_relative "rabarber/input/action"
+require_relative "rabarber/input/ar_model"
 require_relative "rabarber/input/authorization_context"
 require_relative "rabarber/input/context"
 require_relative "rabarber/input/dynamic_rule"
@@ -19,20 +20,16 @@ require_relative "rabarber/input/types/symbol"
 
 require_relative "rabarber/core/cache"
 
-require_relative "rabarber/audit/events/base"
-require_relative "rabarber/audit/events/roles_assigned"
-require_relative "rabarber/audit/events/roles_revoked"
-require_relative "rabarber/audit/events/unauthorized_attempt"
-
 require_relative "rabarber/core/roleable"
 
 require_relative "rabarber/controllers/concerns/authorization"
 require_relative "rabarber/helpers/helpers"
+require_relative "rabarber/helpers/migration_helpers"
 require_relative "rabarber/models/concerns/has_roles"
 require_relative "rabarber/models/role"
 
 require_relative "rabarber/core/permissions"
-require_relative "rabarber/core/permissions_integrity_checker"
+require_relative "rabarber/core/integrity_checker"
 
 require_relative "rabarber/railtie"
 
@@ -40,6 +37,7 @@ module Rabarber
   class Error < StandardError; end
   class ConfigurationError < Rabarber::Error; end
   class InvalidArgumentError < Rabarber::Error; end
+  class NotFoundError < Rabarber::Error; end
 
   def configure
     yield(Rabarber::Configuration.instance)

data/rabarber.gemspec

@@ -6,15 +6,14 @@ Gem::Specification.new do |spec|
   spec.name = "rabarber"
   spec.version = Rabarber::VERSION
   spec.authors = ["enjaku4", "trafium"]
-  spec.email = ["rabarber_gem@icloud.com"]
-  spec.homepage = "https://github.com/enjaku4/rabarber"
+  spec.homepage = "https://github.com/brownboxdev/rabarber"
   spec.metadata["homepage_uri"] = spec.homepage
   spec.metadata["source_code_uri"] = spec.homepage
   spec.metadata["changelog_uri"] = "#{spec.homepage}/blob/main/CHANGELOG.md"
   spec.metadata["rubygems_mfa_required"] = "true"
   spec.summary = "Simple role-based authorization library for Ruby on Rails"
   spec.license = "MIT"
-  spec.required_ruby_version = ">= 3.1", "< 3.5"
+  spec.required_ruby_version = ">= 3.2", "< 3.5"
 
   spec.files = [
     "rabarber.gemspec", "README.md", "CHANGELOG.md", "LICENSE.txt"
@@ -22,5 +21,5 @@ Gem::Specification.new do |spec|
 
   spec.require_paths = ["lib"]
 
-  spec.add_dependency "rails", ">= 7.0", "< 8.1"
+  spec.add_dependency "rails", ">= 7.1", "< 8.1"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rabarber
 version: !ruby/object:Gem::Version
-  version: 4.1.3
+  version: 5.0.0
 platform: ruby
 authors:
 - enjaku4
 - trafium
 bindir: bin
 cert_chain: []
-date: 2025-03-20 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -16,7 +16,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '7.0'
+        version: '7.1'
     - - "<"
       - !ruby/object:Gem::Version
         version: '8.1'
@@ -26,12 +26,10 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '7.0'
+        version: '7.1'
     - - "<"
       - !ruby/object:Gem::Version
         version: '8.1'
-email:
-- rabarber_gem@icloud.com
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -42,22 +40,18 @@ files:
 - lib/generators/rabarber/roles_generator.rb
 - lib/generators/rabarber/templates/create_rabarber_roles.rb.erb
 - lib/rabarber.rb
-- lib/rabarber/audit/events/base.rb
-- lib/rabarber/audit/events/roles_assigned.rb
-- lib/rabarber/audit/events/roles_revoked.rb
-- lib/rabarber/audit/events/unauthorized_attempt.rb
-- lib/rabarber/audit/logger.rb
 - lib/rabarber/configuration.rb
 - lib/rabarber/controllers/concerns/authorization.rb
 - lib/rabarber/core/access.rb
 - lib/rabarber/core/cache.rb
-- lib/rabarber/core/null_roleable.rb
+- lib/rabarber/core/integrity_checker.rb
 - lib/rabarber/core/permissions.rb
-- lib/rabarber/core/permissions_integrity_checker.rb
 - lib/rabarber/core/roleable.rb
 - lib/rabarber/core/rule.rb
 - lib/rabarber/helpers/helpers.rb
+- lib/rabarber/helpers/migration_helpers.rb
 - lib/rabarber/input/action.rb
+- lib/rabarber/input/ar_model.rb
 - lib/rabarber/input/authorization_context.rb
 - lib/rabarber/input/base.rb
 - lib/rabarber/input/context.rb
@@ -72,13 +66,13 @@ files:
 - lib/rabarber/railtie.rb
 - lib/rabarber/version.rb
 - rabarber.gemspec
-homepage: https://github.com/enjaku4/rabarber
+homepage: https://github.com/brownboxdev/rabarber
 licenses:
 - MIT
 metadata:
-  homepage_uri: https://github.com/enjaku4/rabarber
-  source_code_uri: https://github.com/enjaku4/rabarber
-  changelog_uri: https://github.com/enjaku4/rabarber/blob/main/CHANGELOG.md
+  homepage_uri: https://github.com/brownboxdev/rabarber
+  source_code_uri: https://github.com/brownboxdev/rabarber
+  changelog_uri: https://github.com/brownboxdev/rabarber/blob/main/CHANGELOG.md
   rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths:
@@ -87,7 +81,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '3.1'
+      version: '3.2'
   - - "<"
     - !ruby/object:Gem::Version
       version: '3.5'
@@ -97,7 +91,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.2
+rubygems_version: 3.6.7
 specification_version: 4
 summary: Simple role-based authorization library for Ruby on Rails
 test_files: []

data/lib/rabarber/audit/events/base.rb

@@ -1,49 +0,0 @@
-# frozen_string_literal: true
-
-require_relative "../logger"
-
-module Rabarber
-  module Audit
-    module Events
-      class Base
-        attr_reader :roleable, :specifics
-
-        def self.trigger(roleable, specifics)
-          new(roleable, specifics).send(:log)
-        end
-
-        private
-
-        def initialize(roleable, specifics)
-          @roleable = roleable
-          @specifics = specifics
-        end
-
-        def log
-          Rabarber::Audit::Logger.log(log_level, message)
-        end
-
-        def log_level
-          raise NotImplementedError
-        end
-
-        def message
-          raise NotImplementedError
-        end
-
-        def identity
-          roleable.log_identity
-        end
-
-        def human_context
-          case context
-          in { context_type: nil, context_id: nil } then "Global"
-          in { context_type:, context_id: nil } then context_type
-          in { context_type:, context_id: } then "#{context_type}##{context_id}"
-          else raise Rabarber::Error, "Unexpected context: #{context.inspect}"
-          end
-        end
-      end
-    end
-  end
-end

data/lib/rabarber/audit/events/roles_assigned.rb

@@ -1,31 +0,0 @@
-# frozen_string_literal: true
-
-module Rabarber
-  module Audit
-    module Events
-      class RolesAssigned < Base
-        private
-
-        def log_level
-          :info
-        end
-
-        def message
-          "[Role Assignment] #{identity} | context: #{human_context} | assigned: #{roles_to_assign} | current: #{current_roles}"
-        end
-
-        def context
-          specifics.fetch(:context)
-        end
-
-        def roles_to_assign
-          specifics.fetch(:roles_to_assign)
-        end
-
-        def current_roles
-          specifics.fetch(:current_roles)
-        end
-      end
-    end
-  end
-end

data/lib/rabarber/audit/events/roles_revoked.rb

@@ -1,31 +0,0 @@
-# frozen_string_literal: true
-
-module Rabarber
-  module Audit
-    module Events
-      class RolesRevoked < Base
-        private
-
-        def log_level
-          :info
-        end
-
-        def message
-          "[Role Revocation] #{identity} | context: #{human_context} | revoked: #{roles_to_revoke} | current: #{current_roles}"
-        end
-
-        def context
-          specifics.fetch(:context)
-        end
-
-        def roles_to_revoke
-          specifics.fetch(:roles_to_revoke)
-        end
-
-        def current_roles
-          specifics.fetch(:current_roles)
-        end
-      end
-    end
-  end
-end

data/lib/rabarber/audit/events/unauthorized_attempt.rb

@@ -1,27 +0,0 @@
-# frozen_string_literal: true
-
-module Rabarber
-  module Audit
-    module Events
-      class UnauthorizedAttempt < Base
-        private
-
-        def log_level
-          :warn
-        end
-
-        def message
-          "[Unauthorized Attempt] #{identity} | request: #{request_method} #{path}"
-        end
-
-        def path
-          specifics.fetch(:path)
-        end
-
-        def request_method
-          specifics.fetch(:request_method)
-        end
-      end
-    end
-  end
-end