rails_authorize 1.0.0 → 1.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e8f0d5120896348f98b7f268593565d38a58b12478fdb9b622f429fcf76eaa28
-  data.tar.gz: 163ad731aaeaaaf3d766abc3de284f65a12e1d507e2bf67a02be8a090d25cd6e
+  metadata.gz: a84a4e7ebae1410009ffac8f0a7728eb6644f4eaa90b07724a59f469edc746ae
+  data.tar.gz: 9d28518dd6f5b0e3f647ba7977c6ffddd87d2a83f39255cc166b2c88bb1d7c92
 SHA512:
-  metadata.gz: f2ca97240e596d0a505edda8fe402f27cc2161648a166127b84e394eb111d2562b434fb0c71b08af64b2d541071b5a8017dcfcb7a22b34fcf91599f044e74790
-  data.tar.gz: 3ff394b863f95512dfd0ef6b9889ab8b5153ce452bff9a8c73f32573a9deca451004dda547f8c5f8255976b051e37049b958b9679749572d257d7687b9ba146d
+  metadata.gz: b2df0ac9bb1dd40b902062b1557acf9ead2881a55d4580e289364ec7e69bf5a2ed8b9046e256d59bc77d9332e16d8d91fd491886bd4c9551941193bed0df6f0b
+  data.tar.gz: 5022ee3cf9f35e3d4f8b9b9081312ec5cdff05b9f16d6afe1a119f02e72e71ba9165d8f4a193456c2d08a0805d24dcaa43177ab3f1230fc3cf7626097ab61f0a

data/.gitignore

@@ -6,6 +6,7 @@
 /pkg/
 /spec/reports/
 /tmp/
+*.gem
 
 # rspec failure tracking
 .rspec_status

data/.travis.yml

@@ -1,5 +1,5 @@
 sudo: false
 language: ruby
 rvm:
-  - 2.3.4
+  - 2.5.5
 before_install: gem install bundler -v 1.15.4

data/Gemfile

@@ -4,3 +4,8 @@ git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
 
 # Specify your gem's dependencies in rails_authorize.gemspec
 gemspec
+
+group :test do
+  gem 'activesupport', '>= 5.0.0'
+  gem 'actionpack', '>= 5.0.0'
+end

data/Gemfile.lock

@@ -1,48 +1,81 @@
 PATH
   remote: .
   specs:
-    rails_authorize (1.0.0)
-      activesupport (>= 3.0.0)
+    rails_authorize (1.5.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (5.2.0)
+    actionpack (6.0.3.2)
+      actionview (= 6.0.3.2)
+      activesupport (= 6.0.3.2)
+      rack (~> 2.0, >= 2.0.8)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.2.0)
+    actionview (6.0.3.2)
+      activesupport (= 6.0.3.2)
+      builder (~> 3.1)
+      erubi (~> 1.4)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.1, >= 1.2.0)
+    activesupport (6.0.3.2)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
-    concurrent-ruby (1.0.5)
-    diff-lcs (1.3)
-    i18n (1.0.0)
+      zeitwerk (~> 2.2, >= 2.2.2)
+    builder (3.2.4)
+    concurrent-ruby (1.1.6)
+    crass (1.0.6)
+    diff-lcs (1.4.4)
+    erubi (1.9.0)
+    i18n (1.8.3)
       concurrent-ruby (~> 1.0)
-    minitest (5.11.3)
-    rake (10.5.0)
-    rspec (3.7.0)
-      rspec-core (~> 3.7.0)
-      rspec-expectations (~> 3.7.0)
-      rspec-mocks (~> 3.7.0)
-    rspec-core (3.7.1)
-      rspec-support (~> 3.7.0)
-    rspec-expectations (3.7.0)
+    loofah (2.6.0)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.5.9)
+    mini_portile2 (2.4.0)
+    minitest (5.14.1)
+    nokogiri (1.10.10)
+      mini_portile2 (~> 2.4.0)
+    rack (2.2.3)
+    rack-test (1.1.0)
+      rack (>= 1.0, < 3)
+    rails-dom-testing (2.0.3)
+      activesupport (>= 4.2.0)
+      nokogiri (>= 1.6)
+    rails-html-sanitizer (1.3.0)
+      loofah (~> 2.3)
+    rake (13.0.1)
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-core (3.9.2)
+      rspec-support (~> 3.9.3)
+    rspec-expectations (3.9.2)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.7.0)
-    rspec-mocks (3.7.0)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.7.0)
-    rspec-support (3.7.1)
+      rspec-support (~> 3.9.0)
+    rspec-support (3.9.3)
     thread_safe (0.3.6)
-    tzinfo (1.2.5)
+    tzinfo (1.2.7)
       thread_safe (~> 0.1)
+    zeitwerk (2.4.0)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  bundler (~> 1.15)
+  actionpack (>= 5.0.0)
+  activesupport (>= 5.0.0)
+  bundler (~> 2.1)
   rails_authorize!
-  rake (~> 10)
+  rake (~> 13)
   rspec (~> 3.0)
 
 BUNDLED WITH
-   1.16.1
+   2.1.4

data/README.md

@@ -1,4 +1,5 @@
 # RailsAuthorize
+[![Gem Version](https://badge.fury.io/rb/rails_authorize.svg)](https://badge.fury.io/rb/rails_authorize)
 ![Build Status](https://travis-ci.org/rjurado01/rails_authorize.svg?branch=master)
 
 Simple and flexible authorization Rails system inspired by Pundit.
@@ -60,6 +61,14 @@ class PostPolicy < ApplicationPolicy
   def scope
     target.where(published: true)
   end
+
+  def permitted_attributes
+    if user.admin?
+      %i[status body title]
+    else
+      %i[body title]
+    end
+  end
 end
 ```
 
@@ -77,15 +86,235 @@ end
 class PostController
   def index
     @posts = authorized_scope(Post)
+    ...
+  end
+
+  def update
+    @post = Post.find(params[:id])
+    @post.update(permitted_attributes(@post))
+    ...
   end
 
   def show
     @post = Post.find(params[:id])
     authorize @post
+    ...
+  end
+end
+```
+
+## Customize user
+
+Rails Authorize will call the `current_user` method to retrieve the user for authorization. If you need to customize it you can pass `user` as option to method `authorize`:
+
+```ruby
+# app/controllers/posts_controller.rb
+
+class PostController
+  def show
+    @post = Post.find(params[:id])
+    @user = User.find(params[:user_id])
+    authorize @post, user: @user
+    ...
+  end
+end
+```
+
+## Customize action
+
+Rails Authorize will use the controller action name as identifier of policy method to use for authorization. If you need to customize it you can pass `action` as option to method `authorize`:
+
+```ruby
+# app/controllers/posts_controller.rb
+
+class PostController
+  def show
+    @post = Post.find(params[:id])
+    authorize @post, action: :custom_action?
+    ...
+  end
+end
+```
+
+## Define context
+
+Rails Authorize allow you to define the context objects that you need to authorize an action:
+
+```ruby
+# app/controllers/posts_controller.rb
+
+class PostController
+  def show
+    @post = Post.find(params[:id])
+    authorize @post, context: {template: params[:template]}
+    ...
+  end
+end
+```
+
+```ruby
+# app/policies/post_policy.rb
+
+class PostPolicy < ApplicationPolicy
+  def show?
+    if context[:template] == 'complete' ?
+      user.is_admin?
+    else
+      true
+    end
+  end
+end
+```
+
+## Strong parameters
+
+Rails uses [strong_parameters](http://edgeguides.rubyonrails.org/action_controller_overview.html#strong-parameters) to handle mass-assignment protection in the controller.  With this gem you can control which attributes a user has access via your policies.
+
+You can set up a `permitted_attributes` method in your policy like this:
+
+```ruby
+# app/policies/post_policy.rb
+
+class PostPolicy < ApplicationPolicy
+  def permitted_attributes
+    if user.admin?
+      %i[status body title]
+    else
+      %i[body title]
+    end
   end
 end
 ```
 
+You can now retrieve these attributes from the policy:
+
+```ruby
+policy(@post).permitted_attributes
+```
+
+Rails Authorize provides `permitted_attributes` helper method to use it in your controllers:
+
+```ruby
+# app/controllers/posts_controller.rb
+
+class PostController
+  def update
+    @post.update(permitted_attributes(@post))
+  end
+end
+```
+
+By default `permitted_attributes` makes `params.require(:post)` if you want to personalize what attribute is required in params, your policy must define a `param_key`:
+
+```ruby
+# app/policies/post_policy.rb
+
+class PostPolicy < ApplicationPolicy
+  def param_key
+    'custom_key'
+  end
+end
+```
+
+Also, you can pass custom key as option using `param_key` for specific situations:
+
+```ruby
+# app/controllers/posts_controller.rb
+
+class PostController
+  def update
+    @post.update(permitted_attributes(@post, param_key: 'custom_key'))
+  end
+end
+```
+
+If you want to permit different attributes based on the current action, you can define a `permitted_attributes_for_#{action_name}` method on your policy:
+
+```ruby
+# app/policies/post_policy.rb
+
+class PostPolicy < ApplicationPolicy
+  def permitted_attributes_for_create
+    [:title, :body]
+  end
+
+  def permitted_attributes_for_update
+    [:body]
+  end
+end
+```
+
+## Use without target
+
+Sometimes you need to authorize a controller action that it doesn't use a model to authorize.
+
+For this situations you can omit `target` and pass only options with `policy` to `authorize` or `permitted_attributes`:
+
+```ruby
+# app/controllers/custom_controller.rb
+
+class CustomController
+  def show
+    authorize policy: CustomPolicy
+    ...
+  end
+
+  def create
+    resource = Resource.new(permitted_attributes(policy: CustomPolicy))
+    ...
+  end
+end
+```
+
+```ruby
+# app/policies/custom_policy.rb
+
+class CustomPolicy < ApplicationPolicy
+  def show?
+    # target is nil
+    ...
+  end
+
+  def permitted_attributes
+    [:title, :body]
+  end
+end
+```
+
+
+
+## Ensuring authorization and scoping are performed
+
+In certain kind of applications where almost all or even the whole application is private, in each of the actions you have to make sure that authorization is performed. To make sure that developers perform authorization, RailsAuthorize provides two methods. `verify_authorized` makes sure that authorization is performed, and likewise `verify_policy_scoped` checks that scoping is performed 
+
+Both methods are mainly aimed to be called on `after_action`.
+```ruby
+class ApplicationController < ActionController::Base
+  include RailsAuthorize
+  after_action :verify_authorized, except: :index
+  after_action :verify_policy_scoped, only: :index
+end
+```
+
+### Skipping verification
+
+If you're using `verify_authorized` in your controllers but need to conditionally bypass verification, you can use `skip_authorization`. For bypassing `verify_policy_scoped`, use `skip_policy_scope`.
+```ruby
+def create
+  record = Record.new(attributes)
+
+  if record.valid?
+    authorize record
+  else
+    skip_authorization
+  end
+end
+```
+
+## Rspec
+
+For writing expressive tests for your policies in RSpec you can use this gem: [rails_authorize_matchers](https://github.com/pacop/rails_authorize_matchers)
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.

data/lib/rails_authorize.rb

@@ -3,6 +3,8 @@ require 'rails_authorize/version'
 module RailsAuthorize
   # Error that will be raised when authorization has failed
   class NotAuthorizedError < StandardError; end
+  class AuthorizationNotPerformedError < StandardError; end
+  class ScopingNotPerformedError < StandardError; end
 
   ##
   # Finds policy class for given target and returns new instance
@@ -19,7 +21,7 @@ module RailsAuthorize
     user = options[:user] || current_user
     klass = options[:policy] || "#{target.model_name.name}Policy".constantize
 
-    klass.new(user, target, options[:context])
+    klass.new(user, target, options[:context] || {})
   end
 
   ##
@@ -33,12 +35,16 @@ module RailsAuthorize
   # @return [Object] the passed target
   #
   def authorize(target, options={})
+    return authorize(nil, target) if target.is_a?(Hash)
+
     action = options.delete(:action) || "#{action_name}?"
     policy = policy(target, options)
 
     raise(NotAuthorizedError) unless policy.public_send(action)
 
-    target
+    @_policy_authorized = true
+
+    target || true
   end
 
   ##
@@ -50,6 +56,8 @@ module RailsAuthorize
   # @return [Scope] policy scope
   #
   def policy_scope(target, options={})
+    @_policy_scoped = true
+
     policy(target, options).scope
   end
 
@@ -69,6 +77,85 @@ module RailsAuthorize
 
     raise(NotAuthorizedError) unless policy.public_send(action)
 
+    @_policy_scoped = @_policy_authorized = true
+
     policy.scope
   end
+
+  # Retrieves a set of permitted attributes from the policy by instantiating
+  # the policy class for the given record and calling `permitted_attributes` on
+  # it, or `permitted_attributes_for_{action}` if `action` is defined. It then infers
+  # what key the record should have in the params hash and retrieves the
+  # permitted attributes from the params hash under that key.
+  #
+  # @param record [Object] the object we're retrieving permitted attributes for
+  # @param options [Hash] key/value options (action, user, policy, context)
+  # @param options[:action] [String] the method to check on the policy (e.g. `:show?`)
+  # @return [Hash{String => Object}] the permitted attributes
+  def permitted_attributes(target, options={})
+    return permitted_attributes(nil, target) if target.is_a?(Hash)
+
+    action = options.delete(:action) || action_name
+    policy = policy(target, options)
+
+    method_name = if policy.respond_to?("permitted_attributes_for_#{action}")
+                    "permitted_attributes_for_#{action}"
+                  else
+                    'permitted_attributes'
+                  end
+
+    param_key = if options[:param_key]
+                  options[:param_key]
+                elsif policy.try(:param_key).present?
+                  policy.param_key
+                else
+                  target.model_name.name.underscore
+                end
+
+    params.require(param_key).permit(*policy.public_send(method_name))
+  end
+
+  # Raises an error if authorization has not been performed
+  #
+  # @raise [AuthorizationNotPerformedError] if authorization has not been performed
+  # @return [void]
+  def verify_authorized
+    raise AuthorizationNotPerformedError, self.class unless policy_authorized?
+  end
+
+  # Allow this action not to perform authorization.
+  #
+  # @return [void]
+  def skip_authorization
+    @_policy_authorized = true
+  end
+
+  # Raises an error if policy scoping has not been performed
+  #
+  # @raise [AuthorizationNotPerformedError] if policy scoping has not been performed
+  # @return [void]
+  def verify_policy_scoped
+    raise ScopingNotPerformedError, self.class unless policy_scoped?
+  end
+
+  # Allow this action not to perform policy scoping.
+  #
+  # @return [void]
+  def skip_policy_scope
+    @_policy_scoped = true
+  end
+
+  protected
+
+  # @return [Boolean] whether authorization has been performed, i.e. whether
+  #                   one {#authorize} or {#skip_authorization} has been called
+  def policy_authorized?
+    @_policy_authorized == true
+  end
+
+  # @return [Boolean] whether policy scoping has been performed, i.e. whether
+  #                   one {#policy_scope} or {#skip_policy_scope} has been called
+  def policy_scoped?
+    @_policy_scoped == true
+  end
 end

data/lib/rails_authorize/version.rb

@@ -1,3 +1,3 @@
 module RailsAuthorize
-  VERSION = "1.0.0"
+  VERSION = "1.5.0"
 end

data/rails_authorize.gemspec

@@ -20,9 +20,7 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
-  spec.add_development_dependency 'bundler', '~> 1.15'
-  spec.add_development_dependency 'rake', '~> 10'
+  spec.add_development_dependency 'bundler', '~> 2.1'
+  spec.add_development_dependency 'rake', '~> 13'
   spec.add_development_dependency 'rspec', '~> 3.0'
-
-  spec.add_dependency 'activesupport', '>= 3.0.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rails_authorize
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.5.0
 platform: ruby
 authors:
 - rjurado01
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-04-11 00:00:00.000000000 Z
+date: 2020-07-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.15'
+        version: '2.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.15'
+        version: '2.1'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10'
+        version: '13'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10'
+        version: '13'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -52,20 +52,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
-- !ruby/object:Gem::Dependency
-  name: activesupport
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 3.0.0
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 3.0.0
 description: Authorization system for Rails with only few helpers and regular Ruby
   classes.
 email:
@@ -106,8 +92,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.3
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Simple and flexible authorization Rails system