rails_authorize 1.1.0 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 06fa5c80a26f55fe4a72a7bb46abdf3a4b02986b687f72d99270a3aa35773899
-  data.tar.gz: f817fbb5397b656ca7287e270d13763219e13871be2127194d2b8bbc2af9e4bc
+  metadata.gz: 1bc7528dc0f49e6b7c2c98175fd00c9cd45f8d0cb69b17b9f223e560284415ec
+  data.tar.gz: 6454b3b867b16b01e46695399d82ecf9792419d98f8d9897aa486046972a724a
 SHA512:
-  metadata.gz: d10c16d0683504da2b6ed81b9d098dfc73f872ce09fd2a58c72685a77193c9d993a4dff8e037d1cae7d92a8462355505dd1ba48dbd7ed57d26736fc2d35d20a4
-  data.tar.gz: ea02a19dcc0a187bf34ec24aa608dce4f4af7fd8292e9df2d893dd265111f3910fbc2ad40afc2d03ce6eea852cb745dbcc76dbd34c30f179c9d97e0a8ff70d98
+  metadata.gz: 0b7dec8d13ea8a5cdbd07752d10c16a64e89d3292bd030fc67da557de10a937aca5e84c7d80d2f10209033c48630cdd43b542d22cc613b0dbac820dedbe56e8e
+  data.tar.gz: e3fc2ff683d0d0f9164e1cc19f24178be850286062270924bbc30b716c7c1c56ff7abbce7a8ac3ceaa696db98e473664c08ed72a4ea8915f33d9ea12d81149c3

data/Gemfile

@@ -4,3 +4,8 @@ git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
 
 # Specify your gem's dependencies in rails_authorize.gemspec
 gemspec
+
+group :test do
+  gem 'activesupport', '>= 3.0.0'
+  gem 'actionpack', '>= 3.0.0'
+end

data/Gemfile.lock

@@ -1,22 +1,51 @@
 PATH
   remote: .
   specs:
-    rails_authorize (1.1.0)
-      activesupport (>= 3.0.0)
+    rails_authorize (1.2.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
+    actionpack (5.2.0)
+      actionview (= 5.2.0)
+      activesupport (= 5.2.0)
+      rack (~> 2.0)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    actionview (5.2.0)
+      activesupport (= 5.2.0)
+      builder (~> 3.1)
+      erubi (~> 1.4)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.3)
     activesupport (5.2.0)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
+    builder (3.2.3)
     concurrent-ruby (1.0.5)
+    crass (1.0.4)
     diff-lcs (1.3)
+    erubi (1.7.1)
     i18n (1.0.0)
       concurrent-ruby (~> 1.0)
+    loofah (2.2.2)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.5.9)
+    mini_portile2 (2.3.0)
     minitest (5.11.3)
+    nokogiri (1.8.4)
+      mini_portile2 (~> 2.3.0)
+    rack (2.0.5)
+    rack-test (1.0.0)
+      rack (>= 1.0, < 3)
+    rails-dom-testing (2.0.3)
+      activesupport (>= 4.2.0)
+      nokogiri (>= 1.6)
+    rails-html-sanitizer (1.0.4)
+      loofah (~> 2.2, >= 2.2.2)
     rake (10.5.0)
     rspec (3.7.0)
       rspec-core (~> 3.7.0)
@@ -39,10 +68,12 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
+  actionpack (>= 3.0.0)
+  activesupport (>= 3.0.0)
   bundler (~> 1.15)
   rails_authorize!
   rake (~> 10)
   rspec (~> 3.0)
 
 BUNDLED WITH
-   1.16.1
+   1.16.2

data/README.md

@@ -60,6 +60,14 @@ class PostPolicy < ApplicationPolicy
   def scope
     target.where(published: true)
   end
+
+  def permitted_attributes
+    if user.admin?
+      %i[status body title]
+    else
+      %i[body title]
+    end
+  end
 end
 ```
 
@@ -77,11 +85,148 @@ end
 class PostController
   def index
     @posts = authorized_scope(Post)
+    ...
+  end
+
+  def update
+    @post = Post.find(params[:id])
+    @post.update(permitted_attributes(@post))
+    ...
   end
 
   def show
     @post = Post.find(params[:id])
     authorize @post
+    ...
+  end
+end
+```
+
+## Customize user
+
+Rails Authorize will call the `current_user` method to retrieve the user for authorization. If you need to customize it you can pass `user` as option to method `authorize`:
+
+```ruby
+# app/controllers/posts_controller.rb
+
+class PostController
+  def show
+    @post = Post.find(params[:id])
+    @user = User.find(params[:user_id])
+    authorize @post, user: @user
+    ...
+  end
+end
+```
+
+## Customize action
+
+Rails Authorize will use the controller action name as identifier of policy method to use for authorization. If you need to customize it you can pass `action` as option to method `authorize`:
+
+```ruby
+# app/controllers/posts_controller.rb
+
+class PostController
+  def show
+    @post = Post.find(params[:id])
+    authorize @post, action: :custom_action?
+    ...
+  end
+end
+```
+
+## Define context
+
+Rails Authorize allow you to define the context objects that you need to authorize an action:
+
+```ruby
+# app/controllers/posts_controller.rb
+
+class PostController
+  def show
+    @post = Post.find(params[:id])
+    authorize @post, context: {template: params[:template]}
+    ...
+  end
+end
+```
+
+```ruby
+# app/policies/post_policy.rb
+
+class PostPolicy < ApplicationPolicy
+  def show?
+    if context[:template] == 'complete' ?
+      user.is_admin?
+    else
+      true
+    end
+  end
+end
+```
+
+## Strong parameters
+
+Rails uses [strong_parameters](http://edgeguides.rubyonrails.org/action_controller_overview.html#strong-parameters) to handle mass-assignment protection in the controller.  With this gem you can control which attributes a user has access via your policies.
+
+You can set up a `permitted_attributes` method in your policy like this:
+
+```ruby
+# app/policies/post_policy.rb
+
+class PostPolicy < ApplicationPolicy
+  def permitted_attributes
+    if user.admin?
+      %i[status body title]
+    else
+      %i[body title]
+    end
+  end
+end
+```
+
+You can now retrieve these attributes from the policy:
+
+```ruby
+policy(@post).permitted_attributes
+```
+
+Rails Authorize provides `permitted_attributes` helper method to use it in your controllers:
+
+```ruby
+# app/controllers/posts_controller.rb
+
+class PostController
+  def update
+    @post.update(permitted_attributes(@post))
+  end
+end
+```
+
+By default `permitted_attributes` makes `params.require(:post)` if you want to personalize what attribute is required in params, your policy must define a `param_key`.
+
+```ruby
+# app/policies/post_policy.rb
+
+class PostPolicy < ApplicationPolicy
+  def param_key
+    'custom_key'
+  end
+end
+```
+
+If you want to permit different attributes based on the current action, you can define a `permitted_attributes_for_#{action_name}` method on your policy:
+
+```ruby
+# app/policies/post_policy.rb
+
+class PostPolicy < ApplicationPolicy
+  def permitted_attributes_for_create
+    [:title, :body]
+  end
+
+  def permitted_attributes_for_update
+    [:body]
   end
 end
 ```

data/lib/rails_authorize.rb

@@ -71,4 +71,33 @@ module RailsAuthorize
 
     policy.scope
   end
+
+  # Retrieves a set of permitted attributes from the policy by instantiating
+  # the policy class for the given record and calling `permitted_attributes` on
+  # it, or `permitted_attributes_for_{action}` if `action` is defined. It then infers
+  # what key the record should have in the params hash and retrieves the
+  # permitted attributes from the params hash under that key.
+  #
+  # @param record [Object] the object we're retrieving permitted attributes for
+  # @param options [Hash] key/value options (action, user, policy, context)
+  # @param options[:action] [String] the method to check on the policy (e.g. `:show?`)
+  # @return [Hash{String => Object}] the permitted attributes
+  def permitted_attributes(target, options={})
+    action = options.delete(:action) || action_name
+    policy = policy(target, options)
+
+    method_name = if policy.respond_to?("permitted_attributes_for_#{action}")
+                    "permitted_attributes_for_#{action}"
+                  else
+                    'permitted_attributes'
+                  end
+
+    param_key = if policy.try(:param_key).present?
+                  policy.param_key
+                else
+                  target.model_name.name.underscore
+                end
+
+    params.require(param_key).permit(*policy.public_send(method_name))
+  end
 end

data/lib/rails_authorize/version.rb

@@ -1,3 +1,3 @@
 module RailsAuthorize
-  VERSION = "1.1.0"
+  VERSION = "1.2.0"
 end

data/rails_authorize.gemspec

@@ -23,6 +23,4 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'bundler', '~> 1.15'
   spec.add_development_dependency 'rake', '~> 10'
   spec.add_development_dependency 'rspec', '~> 3.0'
-
-  spec.add_dependency 'activesupport', '>= 3.0.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rails_authorize
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.2.0
 platform: ruby
 authors:
 - rjurado01
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-04-16 00:00:00.000000000 Z
+date: 2018-07-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -52,20 +52,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
-- !ruby/object:Gem::Dependency
-  name: activesupport
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 3.0.0
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 3.0.0
 description: Authorization system for Rails with only few helpers and regular Ruby
   classes.
 email: