rails-action-authorization 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: a8d8a18e02c7cba715ff6d0369b2bc1463545d45062e58408ec8384d1dcbd316
+  data.tar.gz: 04ecdf2bae106d9cee8d4601f8693a7634a311a5cd12b905631954ed7e4d2be4
+SHA512:
+  metadata.gz: 81053e97cbf237ac0cf489a370d2f3c13b057838c99fecbed411e814e7d884d2f18faf73a8cd2705e2e39fa1d5bcb8555f7626dbabe5933b3fc0a8e878912709
+  data.tar.gz: 6d02f17442c5276e29de19ce8d6ba4599841847ee52b39660cdadafdbc96400801878daa4b02ca842021d3c6c6be8e0fc6cd9d351d5025b3fd5f27653e8ba41a

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2020 Andrew Luchuk
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,145 @@
+[![Build Status](https://travis-ci.org/speratus/rails-action-authorization.svg?branch=master)](https://travis-ci.org/speratus/rails-action-authorization)
+[![codecov](https://codecov.io/gh/speratus/rails-action-authorization/branch/master/graph/badge.svg)](https://codecov.io/gh/speratus/rails-action-authorization)
+[![Maintainability](https://api.codeclimate.com/v1/badges/588fbef9d8a7c39bb071/maintainability)](https://codeclimate.com/github/speratus/authorizer/maintainability)
+
+# Rails Action Authorization
+Rails Action Authorization is a rails plugin that gives developers a lightweight authorization framework.
+
+While there are lots of rails plugins designed to do authorization, Rails Action Authorization strives to 
+be the most intuitive while simultaneously allowing developers to write the smallest possible amount of code to have a functioning authorization system.
+
+## Usage
+There are two parts to using `rails-action-authorization`. The first part is defining rules.
+Rules are defined on models, and they specify how actions determine how to authorize users (or other models).
+
+The second parrt of using `rails-action-authorization` is on the controller side. In any action in which authorization is required, run the `check_authorization` method.
+
+### Step One, defining rules
+Suppose we are writing the proverbial blogging application, and we need some way to determine whether a user is permitted to edit a post.
+
+The first step is to define a rule for the action that will need authorization. In our case, we'll need authorization for the `edit` and `update` actions. To define a rule, we'll have to edit our `Post` model.
+```ruby
+# models/Post.rb
+
+class Post < ApplicationRecord
+    ...
+end
+```
+
+Rules are defined using the `define_rule` method. `define_rule` takes at least one argument that is a string or a symbol that represents the action that needs authorization in the format `controller#action`. In our case, we need to authorize the `edit` and `update` actions like so:
+```ruby
+# models/Post.rb
+class Post < ApplicationRecord
+    ...
+    define_rule 'posts#edit', 'posts#update' do |post, user|
+        # Authorization code here
+    end
+end
+```
+
+`define_rule` can take as many arguments as desired, enabling developers to define authorization rules for multiple actions simultaneously. 
+
+The block must return `true` or `false`, `true` if the user is permitted to edit the post 
+and `false` if the user is not permitted. The block itself will always yield the resource
+that is being authorized as the first argument and the actor requesting authorization as the second argument. The first argument should always be the type as the class in which `define_rule` is called (if you ever encounter a case where it is not, then please report it as a bug). The second argument could technically be any model, but will probably most often be a `User` instance.
+
+Since we only want a post's author to be able to edit a post, we'll define our rule as follows:
+```ruby
+# models/Post.rb
+class Post < ApplicationRecord
+    ...
+    define_rule 'posts#edit', 'posts#update' do |post, user|
+        post.author == user
+    end
+end
+```
+
+Next, we have to check the authorization of the user in each controller. The only thing required
+to do this is to invoke `check_authorization` somewhere in each action that requries authorization.
+```ruby
+# controllers/posts_controller.rb
+class PostsController < ApplicationController
+    before_action :authorize_user, only: [:edit, :update]
+
+    ...
+
+    def edit
+        ...
+        #You will be able to reference @post in your views as usuals.
+    end
+
+    def update
+        ...
+    end
+
+    private
+
+    def authorize_user
+        @post = check_authorization(Post.find_by(id: params[:id]), current_user) # Here, use your own method for getting the current user.
+
+    end
+end
+```
+Notice that we are able to call check_authorization in a `before_action`. This is because `check_authorization`
+knows how to identify the action it is called in without requiring developers to specify it themselves.
+
+This will work great when the owner tries to edit his own posts, but if another user attempts to edit
+a post, the server will raise an error. `rails-action-authorization` raises a `ForbiddenError` if a
+user fails to be authorized in order to eliminate potential ambiguity of returning nil or some other
+value.
+
+In order to handle authorization failures, we'll have to adapt our controller slightly:
+```ruby
+# controllers/posts_controller.rb
+class PostsController < ApplicationController
+    before_action :authorize_user, only: [:edit, :update]
+    rescue_from ActionAuthorization::ForbiddenError, with:
+        :handle_forbidden
+
+    ...
+
+    def edit
+        ...
+        #You will be able to reference @post in your views as usuals.
+    end
+
+    def update
+        ...
+    end
+
+    private
+
+    def authorize_user
+        @post = check_authorization(Post.find_by(id: params[:id]), current_user) # Here, use your own method for getting the current user.
+    end
+
+    def handle_forbidden
+        render '403', status: 403
+    end
+end
+```
+This will cause the execution of any action to cease immediately when a user fails to authorize, and
+instead run the code in `handle_forbidden`.
+
+Of course, the above example assumes that you have a template for a `403` error, but you can run
+whatever code is necessary in your case. 
+
+## Installation
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'rails-action-authorization'
+```
+
+And then execute:
+```bash
+$ bundle
+```
+
+Or install it yourself as:
+```bash
+$ gem install rails-action-authorization
+```
+
+## License
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,27 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'Authorizer'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.md')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+require 'bundler/gem_tasks'
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+task default: :test

data/lib/authorizer.rb

@@ -0,0 +1,5 @@
+require "authorizer/railtie"
+
+module ActionAuthorization
+  # Your code goes here...
+end

data/lib/authorizer/action_controller_patch.rb

@@ -0,0 +1,21 @@
+module ActionAuthorization
+    OPTIONS = [:authorize_associated, :behavior]
+
+    POSSIBILITIES = [:allow_all, :deny_all, :filter]
+
+    class ActionController::Metal
+        def check_authorization(resource, authorizee, **options)
+            action = "#{params[:controller]}##{action_name}"
+
+            if resource.respond_to?(:length)
+                return resource if resource.length == 0
+                r = Resource.new(action, authorizee, *resource, **options)
+                result = r.get
+            else
+                result = resource.is_authorized(action, authorizee)
+            end
+
+            result
+        end
+    end
+end

data/lib/authorizer/active_record_patch.rb

@@ -0,0 +1,39 @@
+module ActionAuthorization
+  class ActiveRecord::Base
+    def self.get_perms
+      unless (self.class_variables.include?(:'@@perms'))
+        @@perms = {}
+      end
+      init_fallback_rule
+      return @@perms
+    end
+    
+    def self.init_fallback_rule
+      @@fallback_rule = nil unless (self.class_variable_defined?(:@@fallback_rule))
+    end
+
+    def self.define_rule(*names, &block)
+      perms = self.get_perms
+      names.each {|name| perms[name.to_sym] = block}
+    end
+
+    def self.set_fallback_rule(&rule)
+      @@fallback_rule = rule
+    end
+
+    def is_authorized(action, authorizee)
+      symbol = action.to_sym
+      perms = self.class.get_perms
+
+      authorized = false
+      authorized = perms[symbol].(self, authorizee) if perms[symbol]
+      authorized = @@fallback_rule.(self, authorizee) if @@fallback_rule && !perms[symbol]
+
+      raise ForbiddenError.new(
+        "Actor #{authorizee} is not authorized to perform action #{action} on resource #{self}."
+      ) unless authorized
+
+      self
+    end
+  end
+end

data/lib/authorizer/authorizer.rb

@@ -0,0 +1,4 @@
+require_relative './exceptions'
+require_relative './active_record_patch'
+require_relative './action_controller_patch'
+require_relative './resource'

data/lib/authorizer/exceptions.rb

@@ -0,0 +1,9 @@
+module ActionAuthorization
+    class AuthorizationError < ::StandardError
+
+    end
+
+    class ForbiddenError < AuthorizationError
+        
+    end
+end

data/lib/authorizer/railtie.rb

@@ -0,0 +1,8 @@
+require_relative './authorizer.rb'
+
+module Authorizer
+  class Railtie < ::Rails::Railtie
+    # ActiveRecord::Base.include Authorizer::ModelClassMethods
+    # ActionController::API.include Authorizer::ControllerMethods
+  end
+end

data/lib/authorizer/resource.rb

@@ -0,0 +1,49 @@
+module ActionAuthorization
+    class Resource
+        attr_reader :action, :actor, :resources, :options
+  
+        def initialize(action, actor, *resources, **options)
+            @action = action
+            @actor = actor
+            @resources = resources
+            @options = options
+        end
+  
+        def get
+          return @resources if @resources.nil?
+          return @resources if @resources.length == 0
+  
+          behavior = @options[:behavior]
+          if !behavior
+              behavior = :filter
+          end
+  
+          case behavior
+          when :allow_all
+              collect_permitted(return_res: true) {|results| results.length > 0}
+          when :deny_all
+              collect_permitted {|results| results.length == @resources.length}
+          when :filter
+              collect_permitted {|results| results.length > 0}
+          end
+        end
+  
+        private
+
+        def collect_permitted(return_res: false)
+            results = @resources.filter do |r|
+                begin
+                    r.is_authorized(@action, @actor) != nil
+                rescue
+                    false
+                end
+            end
+
+            unless yield(results)
+                raise ForbiddenError
+            end
+            return @resources if return_res
+            results
+        end
+    end
+end

data/lib/authorizer/version.rb

@@ -0,0 +1,3 @@
+module ActionAuthorization
+  VERSION = '1.0.0'
+end

data/lib/tasks/authorizer_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :authorizer do
+#   # Task goes here
+# end

metadata

@@ -0,0 +1,108 @@
+--- !ruby/object:Gem::Specification
+name: rails-action-authorization
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Andrew Luchuk
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2020-04-01 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 6.0.2
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 6.0.2.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 6.0.2
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 6.0.2.1
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: codecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Rails Action Authorization adds an authorization framework for controller
+  actions. Rails Action Authorization is designed to be extremely lightweight and
+  flexible, enabling developers to spend less time trying to build complex authorization
+  systems. It's unopinionated design makes it easy to define any kind of authorization
+  rules with minimal effort.
+email:
+- andrew.luchuk@outlook.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- Rakefile
+- lib/authorizer.rb
+- lib/authorizer/action_controller_patch.rb
+- lib/authorizer/active_record_patch.rb
+- lib/authorizer/authorizer.rb
+- lib/authorizer/exceptions.rb
+- lib/authorizer/railtie.rb
+- lib/authorizer/resource.rb
+- lib/authorizer/version.rb
+- lib/tasks/authorizer_tasks.rake
+homepage: https://github.com/speratus/rails-action-authorization
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.6
+signing_key: 
+specification_version: 4
+summary: Rails Action Authorization adds an authorization framework for controller
+  actions.
+test_files: []