rails_authorize 1.4.0 → 1.5.0
- checksums.yaml +4 -4
- data/Gemfile.lock +38 -38
- data/README.md +53 -30
- data/lib/rails_authorize.rb +5 -1
- data/lib/rails_authorize/version.rb +1 -1
- data/rails_authorize.gemspec +2 -2
- metadata +7 -8
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: a84a4e7ebae1410009ffac8f0a7728eb6644f4eaa90b07724a59f469edc746ae
|
4
|
+
data.tar.gz: 9d28518dd6f5b0e3f647ba7977c6ffddd87d2a83f39255cc166b2c88bb1d7c92
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: b2df0ac9bb1dd40b902062b1557acf9ead2881a55d4580e289364ec7e69bf5a2ed8b9046e256d59bc77d9332e16d8d91fd491886bd4c9551941193bed0df6f0b
|
7
|
+
data.tar.gz: 5022ee3cf9f35e3d4f8b9b9081312ec5cdff05b9f16d6afe1a119f02e72e71ba9165d8f4a193456c2d08a0805d24dcaa43177ab3f1230fc3cf7626097ab61f0a
|
data/Gemfile.lock
CHANGED
@@ -1,70 +1,70 @@
|
|
1
1
|
PATH
|
2
2
|
remote: .
|
3
3
|
specs:
|
4
|
-
rails_authorize (1.
|
4
|
+
rails_authorize (1.5.0)
|
5
5
|
|
6
6
|
GEM
|
7
7
|
remote: https://rubygems.org/
|
8
8
|
specs:
|
9
|
-
actionpack (6.0.
|
10
|
-
actionview (= 6.0.
|
11
|
-
activesupport (= 6.0.
|
12
|
-
rack (~> 2.0)
|
9
|
+
actionpack (6.0.3.2)
|
10
|
+
actionview (= 6.0.3.2)
|
11
|
+
activesupport (= 6.0.3.2)
|
12
|
+
rack (~> 2.0, >= 2.0.8)
|
13
13
|
rack-test (>= 0.6.3)
|
14
14
|
rails-dom-testing (~> 2.0)
|
15
15
|
rails-html-sanitizer (~> 1.0, >= 1.2.0)
|
16
|
-
actionview (6.0.
|
17
|
-
activesupport (= 6.0.
|
16
|
+
actionview (6.0.3.2)
|
17
|
+
activesupport (= 6.0.3.2)
|
18
18
|
builder (~> 3.1)
|
19
19
|
erubi (~> 1.4)
|
20
20
|
rails-dom-testing (~> 2.0)
|
21
21
|
rails-html-sanitizer (~> 1.1, >= 1.2.0)
|
22
|
-
activesupport (6.0.
|
22
|
+
activesupport (6.0.3.2)
|
23
23
|
concurrent-ruby (~> 1.0, >= 1.0.2)
|
24
24
|
i18n (>= 0.7, < 2)
|
25
25
|
minitest (~> 5.1)
|
26
26
|
tzinfo (~> 1.1)
|
27
|
-
zeitwerk (~> 2.
|
28
|
-
builder (3.2.
|
29
|
-
concurrent-ruby (1.1.
|
30
|
-
crass (1.0.
|
31
|
-
diff-lcs (1.
|
32
|
-
erubi (1.
|
33
|
-
i18n (1.
|
27
|
+
zeitwerk (~> 2.2, >= 2.2.2)
|
28
|
+
builder (3.2.4)
|
29
|
+
concurrent-ruby (1.1.6)
|
30
|
+
crass (1.0.6)
|
31
|
+
diff-lcs (1.4.4)
|
32
|
+
erubi (1.9.0)
|
33
|
+
i18n (1.8.3)
|
34
34
|
concurrent-ruby (~> 1.0)
|
35
|
-
loofah (2.
|
35
|
+
loofah (2.6.0)
|
36
36
|
crass (~> 1.0.2)
|
37
37
|
nokogiri (>= 1.5.9)
|
38
38
|
mini_portile2 (2.4.0)
|
39
|
-
minitest (5.
|
40
|
-
nokogiri (1.10.
|
39
|
+
minitest (5.14.1)
|
40
|
+
nokogiri (1.10.10)
|
41
41
|
mini_portile2 (~> 2.4.0)
|
42
|
-
rack (2.
|
42
|
+
rack (2.2.3)
|
43
43
|
rack-test (1.1.0)
|
44
44
|
rack (>= 1.0, < 3)
|
45
45
|
rails-dom-testing (2.0.3)
|
46
46
|
activesupport (>= 4.2.0)
|
47
47
|
nokogiri (>= 1.6)
|
48
|
-
rails-html-sanitizer (1.
|
49
|
-
loofah (~> 2.
|
50
|
-
rake (
|
51
|
-
rspec (3.
|
52
|
-
rspec-core (~> 3.
|
53
|
-
rspec-expectations (~> 3.
|
54
|
-
rspec-mocks (~> 3.
|
55
|
-
rspec-core (3.
|
56
|
-
rspec-support (~> 3.
|
57
|
-
rspec-expectations (3.
|
48
|
+
rails-html-sanitizer (1.3.0)
|
49
|
+
loofah (~> 2.3)
|
50
|
+
rake (13.0.1)
|
51
|
+
rspec (3.9.0)
|
52
|
+
rspec-core (~> 3.9.0)
|
53
|
+
rspec-expectations (~> 3.9.0)
|
54
|
+
rspec-mocks (~> 3.9.0)
|
55
|
+
rspec-core (3.9.2)
|
56
|
+
rspec-support (~> 3.9.3)
|
57
|
+
rspec-expectations (3.9.2)
|
58
58
|
diff-lcs (>= 1.2.0, < 2.0)
|
59
|
-
rspec-support (~> 3.
|
60
|
-
rspec-mocks (3.
|
59
|
+
rspec-support (~> 3.9.0)
|
60
|
+
rspec-mocks (3.9.1)
|
61
61
|
diff-lcs (>= 1.2.0, < 2.0)
|
62
|
-
rspec-support (~> 3.
|
63
|
-
rspec-support (3.
|
62
|
+
rspec-support (~> 3.9.0)
|
63
|
+
rspec-support (3.9.3)
|
64
64
|
thread_safe (0.3.6)
|
65
|
-
tzinfo (1.2.
|
65
|
+
tzinfo (1.2.7)
|
66
66
|
thread_safe (~> 0.1)
|
67
|
-
zeitwerk (2.
|
67
|
+
zeitwerk (2.4.0)
|
68
68
|
|
69
69
|
PLATFORMS
|
70
70
|
ruby
|
@@ -72,10 +72,10 @@ PLATFORMS
|
|
72
72
|
DEPENDENCIES
|
73
73
|
actionpack (>= 5.0.0)
|
74
74
|
activesupport (>= 5.0.0)
|
75
|
-
bundler (~> 1
|
75
|
+
bundler (~> 2.1)
|
76
76
|
rails_authorize!
|
77
|
-
rake (~>
|
77
|
+
rake (~> 13)
|
78
78
|
rspec (~> 3.0)
|
79
79
|
|
80
80
|
BUNDLED WITH
|
81
|
-
1.
|
81
|
+
2.1.4
|
data/README.md
CHANGED
@@ -166,35 +166,6 @@ class PostPolicy < ApplicationPolicy
|
|
166
166
|
end
|
167
167
|
```
|
168
168
|
|
169
|
-
## Use without target
|
170
|
-
|
171
|
-
Sometimes you need to authorize a controller action that it doesn't use a model to authorize.
|
172
|
-
|
173
|
-
For this situations you can omit `target` and pass only options with `policy` to `authorize`:
|
174
|
-
|
175
|
-
```ruby
|
176
|
-
# app/controllers/custom_controller.rb
|
177
|
-
|
178
|
-
class CustomController
|
179
|
-
def show
|
180
|
-
authorize policy: CustomPolicy
|
181
|
-
...
|
182
|
-
end
|
183
|
-
end
|
184
|
-
```
|
185
|
-
|
186
|
-
```ruby
|
187
|
-
# app/policies/custom_policy.rb
|
188
|
-
|
189
|
-
class CustomPolicy < ApplicationPolicy
|
190
|
-
def show?
|
191
|
-
# target is nil
|
192
|
-
...
|
193
|
-
end
|
194
|
-
end
|
195
|
-
```
|
196
|
-
|
197
|
-
|
198
169
|
## Strong parameters
|
199
170
|
|
200
171
|
Rails uses [strong_parameters](http://edgeguides.rubyonrails.org/action_controller_overview.html#strong-parameters) to handle mass-assignment protection in the controller. With this gem you can control which attributes a user has access via your policies.
|
@@ -233,7 +204,7 @@ class PostController
|
|
233
204
|
end
|
234
205
|
```
|
235
206
|
|
236
|
-
By default `permitted_attributes` makes `params.require(:post)` if you want to personalize what attribute is required in params, your policy must define a `param_key
|
207
|
+
By default `permitted_attributes` makes `params.require(:post)` if you want to personalize what attribute is required in params, your policy must define a `param_key`:
|
237
208
|
|
238
209
|
```ruby
|
239
210
|
# app/policies/post_policy.rb
|
@@ -245,6 +216,18 @@ class PostPolicy < ApplicationPolicy
|
|
245
216
|
end
|
246
217
|
```
|
247
218
|
|
219
|
+
Also, you can pass custom key as option using `param_key` for specific situations:
|
220
|
+
|
221
|
+
```ruby
|
222
|
+
# app/controllers/posts_controller.rb
|
223
|
+
|
224
|
+
class PostController
|
225
|
+
def update
|
226
|
+
@post.update(permitted_attributes(@post, param_key: 'custom_key'))
|
227
|
+
end
|
228
|
+
end
|
229
|
+
```
|
230
|
+
|
248
231
|
If you want to permit different attributes based on the current action, you can define a `permitted_attributes_for_#{action_name}` method on your policy:
|
249
232
|
|
250
233
|
```ruby
|
@@ -260,6 +243,46 @@ class PostPolicy < ApplicationPolicy
|
|
260
243
|
end
|
261
244
|
end
|
262
245
|
```
|
246
|
+
|
247
|
+
## Use without target
|
248
|
+
|
249
|
+
Sometimes you need to authorize a controller action that it doesn't use a model to authorize.
|
250
|
+
|
251
|
+
For this situations you can omit `target` and pass only options with `policy` to `authorize` or `permitted_attributes`:
|
252
|
+
|
253
|
+
```ruby
|
254
|
+
# app/controllers/custom_controller.rb
|
255
|
+
|
256
|
+
class CustomController
|
257
|
+
def show
|
258
|
+
authorize policy: CustomPolicy
|
259
|
+
...
|
260
|
+
end
|
261
|
+
|
262
|
+
def create
|
263
|
+
resource = Resource.new(permitted_attributes(policy: CustomPolicy))
|
264
|
+
...
|
265
|
+
end
|
266
|
+
end
|
267
|
+
```
|
268
|
+
|
269
|
+
```ruby
|
270
|
+
# app/policies/custom_policy.rb
|
271
|
+
|
272
|
+
class CustomPolicy < ApplicationPolicy
|
273
|
+
def show?
|
274
|
+
# target is nil
|
275
|
+
...
|
276
|
+
end
|
277
|
+
|
278
|
+
def permitted_attributes
|
279
|
+
[:title, :body]
|
280
|
+
end
|
281
|
+
end
|
282
|
+
```
|
283
|
+
|
284
|
+
|
285
|
+
|
263
286
|
## Ensuring authorization and scoping are performed
|
264
287
|
|
265
288
|
In certain kind of applications where almost all or even the whole application is private, in each of the actions you have to make sure that authorization is performed. To make sure that developers perform authorization, RailsAuthorize provides two methods. `verify_authorized` makes sure that authorization is performed, and likewise `verify_policy_scoped` checks that scoping is performed
|
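--- a/data/lib/rails_authorize.rb
+++ b/data/lib/rails_authorize.rb
@@ -93,6 +93,8 @@ module RailsAuthorize
 # @param options[:action] [String] the method to check on the policy (e.g. `:show?`)
 # @return [Hash{String => Object}] the permitted attributes
 def permitted_attributes(target, options={})
+return permitted_attributes(nil, target) if target.is_a?(Hash)
+
 action = options.delete(:action) || action_name
 policy = policy(target, options)
 
@@ -102,7 +104,9 @@ module RailsAuthorize
 'permitted_attributes'
 end
 
-param_key = if
+param_key = if options[:param_key]
+options[:param_key]
+elsif policy.try(:param_key).present?
 policy.param_key
 else
 target.model_name.name.underscore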
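Review bot: The nil-target path opened by `return permitted_attributes(nil, target) if target.is_a?(Hash)` in the first hunk is not carried through to the `param_key` resolution in the second hunk: when neither `options[:param_key]` nor `policy.param_key` is set, the `else` branch still evaluates `target.model_name.name.underscore` and raises NoMethodError on nil, which the new README example (a CustomPolicy defining `permitted_attributes` but no `param_key`) appears to exercise unless ApplicationPolicy supplies a `param_key`. An explicit guard in that branch states the contract instead of failing on nil: `raise ArgumentError, 'param_key is required when permitted_attributes is called without a target' if target.nil?`. The early return also silently discards a second positional argument (`permitted_attributes(some_hash, action: :x)` loses `action`), and the YARD block above only documents `options[:action]`, so a line such as `# @param target [Object, Hash, nil] the record, or the options hash when no record is needed` and one for `options[:param_key]` would keep the docs in step with the new calling form. It is not visible here whether `policy(target, options)` tolerates the extra `:param_key` entry in options; presumably it ignores unknown keys, but removing it with `options.delete(:param_key)` the way `:action` is handled would be safer. permitted_attributes begins in the first hunk and continues past the end of the second.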
data/rails_authorize.gemspec
CHANGED
@@ -20,7 +20,7 @@ Gem::Specification.new do |spec|
|
|
20
20
|
spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
|
21
21
|
spec.require_paths = ['lib']
|
22
22
|
|
23
|
-
spec.add_development_dependency 'bundler', '~> 1
|
24
|
-
spec.add_development_dependency 'rake', '~>
|
23
|
+
spec.add_development_dependency 'bundler', '~> 2.1'
|
24
|
+
spec.add_development_dependency 'rake', '~> 13'
|
25
25
|
spec.add_development_dependency 'rspec', '~> 3.0'
|
26
26
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rails_authorize
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.5.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- rjurado01
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2020-07-16 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler
|
@@ -16,28 +16,28 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - "~>"
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: '1
|
19
|
+
version: '2.1'
|
20
20
|
type: :development
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - "~>"
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: '1
|
26
|
+
version: '2.1'
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: rake
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
30
30
|
requirements:
|
31
31
|
- - "~>"
|
32
32
|
- !ruby/object:Gem::Version
|
33
|
-
version: '
|
33
|
+
version: '13'
|
34
34
|
type: :development
|
35
35
|
prerelease: false
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
37
37
|
requirements:
|
38
38
|
- - "~>"
|
39
39
|
- !ruby/object:Gem::Version
|
40
|
-
version: '
|
40
|
+
version: '13'
|
41
41
|
- !ruby/object:Gem::Dependency
|
42
42
|
name: rspec
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
@@ -92,8 +92,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
92
92
|
- !ruby/object:Gem::Version
|
93
93
|
version: '0'
|
94
94
|
requirements: []
|
95
|
-
|
96
|
-
rubygems_version: 2.7.3
|
95
|
+
rubygems_version: 3.1.2
|
97
96
|
signing_key:
|
98
97
|
specification_version: 4
|
99
98
|
summary: Simple and flexible authorization Rails system
|