rails_ops 1.6.0 → 1.7.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d3115a85d7a5312b46e27d0f722639fb27eb4e8ff1bfff18c3243bad537ac7ec
-  data.tar.gz: e916bfcc1f675d24ace13fd7d26fd5790f9e1e78f12c6de7a25c8e75be974a68
+  metadata.gz: 2daa2888b099269858b2d97722dd19316f1547633f26f76c840fa3ceb5188705
+  data.tar.gz: 487627e4cf995b265a2b3b70711c915bad37149982acd805d863208eaf579def
 SHA512:
-  metadata.gz: '084ab4ade5ecb7545d0e89258f5ce586310e73c2fa9979a2d4365a870ccf9e50c43edba63d8c137220d955e78ef22e83b8ca8415d758d50ecc472a2dd1812a3a'
-  data.tar.gz: 37cb59996c9577937971ccc6a56dbd6e12ac8f2eb57a68943bad660432003c2fbe70dd15a59cd33919a52d50000e09f8505a92eec512f08ba0a693d32c6a1d70
+  metadata.gz: fe5df67fda43b85dd4bd069fc764b0850b78caf03d5610b889bbe2566ca083eb67b9237ae0cb3bca78dee66b6b671c0ef07a2b673f9b5507ce4ac61a0d40af55
+  data.tar.gz: 118a98a329619d2c829f5ae89f7d9347d492bcfd4972b5b93832ca6b611f12f10febba81a41dc2cde56d9c8043846f18ec4d3a8ad20582c22486895f771324dd

data/CHANGELOG.md

@@ -1,5 +1,73 @@
 # Changelog
 
+## 1.7.1 (2025-01-31)
+
+* Raise exception when using `model_authorization_action` in operations inheriting
+  directly from `RailsOps::Operation::Model::Load`. In `1.6.0`, this method was
+  renamed to `load_model_authorization_action` for these operations. Using
+  `model_authorization_action` was still possible, but RailsOps silently ignored
+  this. This release ensures that Load operations use the correct DSL method to
+  change authorization actions.
+
+## 1.7.0 (2025-01-30)
+
+* Introduce new `:before_attr_assign` policy chain which allows to
+  access the `model` instance before the parameters are assigned.
+
+* Introduce new `model_includes` DSL method which can be used to eager load
+  associations in Model operations. See the [corresponding section in the README](README.md#including-associated-records)
+  for more information.
+
+* Fix bug with lazy authorization in `RailsOps::Operation::Model::Update`
+  operation which used a version of the `model` which was missing some
+  attributes.
+
+* Deprecate lazy authorization in `RailsOps::Operation::Model::Update`
+  operations.
+
+### Migrating from earlier versions
+
+* Make sure you use the correct policy chains, depending on the state you
+  need the `model` to be in. If you need the model before the attributes are
+  assigned to the passed-in params, use the `:before_attr_assign` chain.
+  In all other chains, the `model` instance has its attributes assigned to the
+  params you supplied to the operation.
+
+* If you use `lazy` authorizaion in any of your `Update` operations, you are
+  advised to remove them and replace the lazy authorization by a custom functionality.
+  For example, this is the operation before:
+
+  ```ruby
+  class Operations::User::Update < RailsOps::Operation::Model::Update
+    model User
+
+    model_authorization_action :update, lazy: true
+  end
+  ```
+
+  and this is the operation afterwards:
+
+  ```ruby
+  class Operations::User::Update < RailsOps::Operation::Model::Update
+    model User
+
+    # Disable automatically authorizing against the `:update` action
+    model_authorization_action nil
+
+    policy :before_perform do
+      # Using "find_model" to retrieve the model from the database with
+      # the attributes before assigning the params to the model instance.
+      authorize_model! :update, find_model
+    end
+  end
+  ```
+
+## 1.6.1 (2025-01-24)
+
+* Fix lazy authorization in `RailsOps::Operation::Model::Update` operation
+
+Internal reference: `#133962`.
+
 ## 1.6.0 (2025-01-23)
 
 * Stable release based on previous RC releases

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    rails_ops (1.6.0)
+    rails_ops (1.7.1)
       active_type (>= 1.3.0)
       minitest
       rails (> 4)

data/README.md

@@ -454,6 +454,14 @@ an appropriate exception.
 As mentioned above, policies can be executed at various points in your
 operation's lifecycle. This is possible using *policy chains*:
 
+- `:before_attr_assign`
+
+  Policies in this chain run before assigning the attributes to the model. This chain is only run
+  in `Model` operations, which at some point call the `assign_attributes` method. This chain is
+  the only chain in which the model is in the state *before* the passed in params are assigned.
+  If you need to run any code which needs the state of the model from the database (e.g. to run
+  custom authentications), this is the correct place.
+
 - `:on_init`
 
   Policies in this chain run after the operation class is instantiated.
@@ -1318,6 +1326,34 @@ end
 As this base class is very minimalistic, it is recommended to fully read and
 comprehend its source code.
 
+### Including associated records
+
+Normaly, when inheriting from `RailsOps::Operation::Model::Load` (as well as from the
+`Update` and the `Destroy` operations respectively), RailsOps only loads the instance
+of the model specified by the `id` parameter. In some cases, you'd want to eagerly load
+associations of the model, e.g. when you need to access associated records.
+
+For this, RailsOps provides the `model_includes` DSL method, with which you can
+pass-in associations to eager load (the value will simply be passed on to an `includes`
+call). See the following code snipped for an example:
+
+```ruby
+class Operations::User::Load < RailsOps::Operation::Model::Load
+  schema3 do
+    int! :id, cast_str: true
+  end
+
+  model ::User
+
+  # This will result in RailsOps eagerly loading the `posts`
+  # association, as well as the comments and authors of the
+  # comments.
+  # The call that RailsOps will create is:
+  # User.includes(posts: { comments: :author }).find_by(id: params[:id])
+  model_includes posts: { comments: :author }
+end
+```
+
 ### Parameter extraction for create and update
 
 As mentioned before, the `Create` and `Update` base classes provide an
@@ -1392,6 +1428,10 @@ sensible default. See the respective class' source code for details.
 
 #### Lazy model update authorization
 
+*Please note that using lazy model update authorization is deprecated any may
+be removed in a future release. See the changelog for instructions on how to
+adapt your application.*
+
 In case of operations inheriting from `RailsOps::Operation::Model::Update`, you
 can specify the `model_authorization_action` to be `lazy`, meaning that it will
 only be checked when *performing* the operation, but not on initialization. This

data/VERSION

@@ -1 +1 @@
-1.6.0
+1.7.1

data/lib/rails_ops/mixins/model/authorization.rb

@@ -12,6 +12,8 @@ module RailsOps::Mixins::Model::Authorization
   module ClassMethods
     # Gets or sets the action verb used for authorizing models.
     def model_authorization_action(*action, lazy: false)
+      RailsOps.deprecator.warn('Using `lazy` model authorization is deprecated and will be removed in a future version.') if lazy
+
       if action.size == 1
         self._model_authorization_action = action.first
         self._model_authorization_lazy = lazy
@@ -22,6 +24,8 @@ module RailsOps::Mixins::Model::Authorization
       return _model_authorization_action
     end
 
+    alias original_authorization_action model_authorization_action
+
     # This wraps the original method
     # {RailsOps::Mixins::ParamAuthorization::ClassClassMethods.authorize_param}
     # to automatically use `authorize_model_with_authorize_only` and pass the

data/lib/rails_ops/mixins/policies.rb

@@ -6,6 +6,7 @@ module RailsOps::Mixins::Policies
   extend ActiveSupport::Concern
 
   POLICY_CHAIN_KEYS = %i[
+    before_attr_assign
     on_init
     before_perform
     after_perform
@@ -26,6 +27,12 @@ module RailsOps::Mixins::Policies
         fail "Unknown policy chain #{chain.inspect}, available are #{POLICY_CHAIN_KEYS.inspect}."
       end
 
+      # The `before_attr_assign` chain is only allowed if the operation is a model
+      # operation, i.e. it needs to implement the `build_model` method.
+      if chain == :before_attr_assign && !method_defined?(:assign_attributes)
+        fail 'Policy :before_attr_assign may not be used unless your operation defines the `assign_attributes` method!'
+      end
+
       self._policy_chains = _policy_chains.dup
       if prepend_action
         _policy_chains[chain] = [block] + _policy_chains[chain]

data/lib/rails_ops/operation/model/destroy.rb

@@ -1,4 +1,8 @@
 class RailsOps::Operation::Model::Destroy < RailsOps::Operation::Model::Load
+  def self.model_authorization_action(*args, **kwargs, &block)
+    original_authorization_action(*args, **kwargs, &block)
+  end
+
   model_authorization_action :destroy
   lock_mode :exclusive
 

data/lib/rails_ops/operation/model/load.rb

@@ -2,6 +2,7 @@ class RailsOps::Operation::Model::Load < RailsOps::Operation::Model
   class_attribute :_lock_model_at_build
   class_attribute :_load_model_authorization_action
   class_attribute :_lock_mode
+  class_attribute :_model_includes
 
   policy :on_init do
     model
@@ -30,6 +31,11 @@ class RailsOps::Operation::Model::Load < RailsOps::Operation::Model
 
   load_model_authorization_action :read
 
+  def self.model_authorization_action(*args, **kwargs, &block)
+    fail 'Using `model_authorization_action` in operations inheriting from RailsOps::Operation::Model::Load ' \
+         'is not allowed, as this action will not be checked in `Load` operations. Use `load_model_authorization_action` instead.'
+  end
+
   def self.lock_model_at_build(enabled = true)
     self._lock_model_at_build = enabled
   end
@@ -64,6 +70,10 @@ class RailsOps::Operation::Model::Load < RailsOps::Operation::Model
     :id
   end
 
+  def self.model_includes(includes)
+    self._model_includes = includes
+  end
+
   def find_model
     unless params[model_id_field]
       fail "Param #{model_id_field.inspect} must be given."
@@ -75,6 +85,9 @@ class RailsOps::Operation::Model::Load < RailsOps::Operation::Model
     # Express intention to lock if required
     relation = lock_relation(relation)
 
+    # Apply includes if given in the operation
+    relation = relation.includes(self.class._model_includes) if self.class._model_includes.present?
+
     # Fetch (and possibly lock) model
     model = relation.find_by!(model_id_field => params[model_id_field])
 
@@ -116,7 +129,7 @@ class RailsOps::Operation::Model::Load < RailsOps::Operation::Model
     adapter_type = ActiveRecord::Base.connection.adapter_name.downcase.to_sym
 
     case adapter_type
-    when :mysql, :mysql2, :oracleenhanced
+    when :mysql, :mysql2, :oracleenhanced, :trilogy
       return 'LOCK IN SHARE MODE'
     when :postgresql
       return 'FOR SHARE'

data/lib/rails_ops/operation/model/update.rb

@@ -1,4 +1,8 @@
 class RailsOps::Operation::Model::Update < RailsOps::Operation::Model::Load
+  def self.model_authorization_action(*args, **kwargs, &block)
+    original_authorization_action(*args, **kwargs, &block)
+  end
+
   model_authorization_action :update
   lock_mode :exclusive
 
@@ -19,8 +23,17 @@ class RailsOps::Operation::Model::Update < RailsOps::Operation::Model::Load
 
   policy :before_perform do
     # If the authorization is configured to be lazy, we need to call the authorization
-    # on the copy of the model that we made before assigning the new attributes.
-    authorize_model! model_authorization_action, @model_before_assigning_attributes if self.class._model_authorization_lazy
+    # on a fresh copy of the model, before assigning the attributes. We simply use the `find_model`
+    # method from our parent class and then run the authorization on this instance.
+    if self.class._model_authorization_lazy
+      model_from_database = find_model
+
+      if model_from_database.respond_to?(:parent_op=)
+        model_from_database.parent_op = self
+      end
+
+      authorize_model! model_authorization_action, model_from_database
+    end
   end
 
   def model_authorization
@@ -37,13 +50,8 @@ class RailsOps::Operation::Model::Update < RailsOps::Operation::Model::Load
     build_nested_model_ops :update
 
     # Perform update authorization BEFORE assigning attributes. If the authorization is lazy,
-    # we copy the model before assigning the attributes, such that we can call the authorization
-    # later on.
-    if self.class._model_authorization_lazy
-      @model_before_assigning_attributes = @model.dup
-    else
-      model_authorization
-    end
+    # we'll call the authorization later on in the `before_perform` block.
+    model_authorization unless self.class._model_authorization_lazy
 
     # Assign attributes
     assign_attributes

data/lib/rails_ops/operation/model.rb

@@ -131,6 +131,8 @@ class RailsOps::Operation::Model < RailsOps::Operation
   #   are meant for nested models (registered via `nested_model_op`) will not
   #   be assigned. You can turn this filtering off by passing `false`.
   def assign_attributes(attributes = nil, model: nil, without_protection: false, without_nested_models: true)
+    run_policies :before_attr_assign
+
     model ||= self.model
 
     attributes ||= extract_attributes_from_params(model)

data/rails_ops.gemspec

@@ -1,14 +1,14 @@
 # -*- encoding: utf-8 -*-
-# stub: rails_ops 1.6.0 ruby lib
+# stub: rails_ops 1.7.1 ruby lib
 
 Gem::Specification.new do |s|
   s.name = "rails_ops".freeze
-  s.version = "1.6.0"
+  s.version = "1.7.1"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0".freeze) if s.respond_to? :required_rubygems_version=
   s.require_paths = ["lib".freeze]
   s.authors = ["Sitrox".freeze]
-  s.date = "2025-01-23"
+  s.date = "2025-01-31"
   s.files = [".github/workflows/rubocop.yml".freeze, ".github/workflows/ruby.yml".freeze, ".gitignore".freeze, ".releaser_config".freeze, ".rubocop.yml".freeze, "Appraisals".freeze, "CHANGELOG.md".freeze, "Gemfile".freeze, "Gemfile.lock".freeze, "LICENSE".freeze, "README.md".freeze, "Rakefile".freeze, "VERSION".freeze, "gemfiles/rails_6.0.gemfile".freeze, "gemfiles/rails_6.1.gemfile".freeze, "gemfiles/rails_7.0.gemfile".freeze, "gemfiles/rails_7.1.gemfile".freeze, "gemfiles/rails_7.2.gemfile".freeze, "gemfiles/rails_8.0.gemfile".freeze, "lib/generators/operation/USAGE".freeze, "lib/generators/operation/operation_generator.rb".freeze, "lib/generators/operation/templates/controller.erb".freeze, "lib/generators/operation/templates/controller_wrapper.erb".freeze, "lib/generators/operation/templates/create.erb".freeze, "lib/generators/operation/templates/destroy.erb".freeze, "lib/generators/operation/templates/load.erb".freeze, "lib/generators/operation/templates/update.erb".freeze, "lib/generators/operation/templates/view.erb".freeze, "lib/rails_ops.rb".freeze, "lib/rails_ops/authorization_backend/abstract.rb".freeze, "lib/rails_ops/authorization_backend/can_can_can.rb".freeze, "lib/rails_ops/configuration.rb".freeze, "lib/rails_ops/context.rb".freeze, "lib/rails_ops/controller_mixin.rb".freeze, "lib/rails_ops/exceptions.rb".freeze, "lib/rails_ops/hooked_job.rb".freeze, "lib/rails_ops/hookup.rb".freeze, "lib/rails_ops/hookup/dsl.rb".freeze, "lib/rails_ops/hookup/dsl_validator.rb".freeze, "lib/rails_ops/hookup/hook.rb".freeze, "lib/rails_ops/log_subscriber.rb".freeze, "lib/rails_ops/mixins.rb".freeze, "lib/rails_ops/mixins/authorization.rb".freeze, "lib/rails_ops/mixins/log_settings.rb".freeze, "lib/rails_ops/mixins/model.rb".freeze, "lib/rails_ops/mixins/model/authorization.rb".freeze, "lib/rails_ops/mixins/model/nesting.rb".freeze, "lib/rails_ops/mixins/param_authorization.rb".freeze, "lib/rails_ops/mixins/policies.rb".freeze, "lib/rails_ops/mixins/require_context.rb".freeze, "lib/rails_ops/mixins/routes.rb".freeze, "lib/rails_ops/mixins/schema_validation.rb".freeze, "lib/rails_ops/mixins/sub_ops.rb".freeze, "lib/rails_ops/model_mixins.rb".freeze, "lib/rails_ops/model_mixins/ar_extension.rb".freeze, "lib/rails_ops/model_mixins/marshalling.rb".freeze, "lib/rails_ops/model_mixins/parent_op.rb".freeze, "lib/rails_ops/model_mixins/sti_fixes.rb".freeze, "lib/rails_ops/model_mixins/virtual_attributes.rb".freeze, "lib/rails_ops/model_mixins/virtual_attributes/virtual_column_wrapper.rb".freeze, "lib/rails_ops/model_mixins/virtual_has_one.rb".freeze, "lib/rails_ops/model_mixins/virtual_model_name.rb".freeze, "lib/rails_ops/operation.rb".freeze, "lib/rails_ops/operation/model.rb".freeze, "lib/rails_ops/operation/model/create.rb".freeze, "lib/rails_ops/operation/model/destroy.rb".freeze, "lib/rails_ops/operation/model/load.rb".freeze, "lib/rails_ops/operation/model/update.rb".freeze, "lib/rails_ops/profiler.rb".freeze, "lib/rails_ops/profiler/node.rb".freeze, "lib/rails_ops/railtie.rb".freeze, "lib/rails_ops/scoped_env.rb".freeze, "lib/rails_ops/virtual_model.rb".freeze, "rails_ops.gemspec".freeze, "test/db/models.rb".freeze, "test/db/schema.rb".freeze, "test/dummy/Rakefile".freeze, "test/dummy/app/assets/config/manifest.js".freeze, "test/dummy/app/assets/images/.keep".freeze, "test/dummy/app/assets/javascripts/application.js".freeze, "test/dummy/app/assets/javascripts/cable.js".freeze, "test/dummy/app/assets/javascripts/channels/.keep".freeze, "test/dummy/app/assets/stylesheets/application.css".freeze, "test/dummy/app/channels/application_cable/channel.rb".freeze, "test/dummy/app/channels/application_cable/connection.rb".freeze, "test/dummy/app/controllers/application_controller.rb".freeze, "test/dummy/app/controllers/concerns/.keep".freeze, "test/dummy/app/controllers/group_controller.rb".freeze, "test/dummy/app/helpers/application_helper.rb".freeze, "test/dummy/app/jobs/application_job.rb".freeze, "test/dummy/app/mailers/application_mailer.rb".freeze, "test/dummy/app/models/ability.rb".freeze, "test/dummy/app/models/animal.rb".freeze, "test/dummy/app/models/application_record.rb".freeze, "test/dummy/app/models/bird.rb".freeze, "test/dummy/app/models/cat.rb".freeze, "test/dummy/app/models/computer.rb".freeze, "test/dummy/app/models/concerns/.keep".freeze, "test/dummy/app/models/cpu.rb".freeze, "test/dummy/app/models/dog.rb".freeze, "test/dummy/app/models/flower.rb".freeze, "test/dummy/app/models/group.rb".freeze, "test/dummy/app/models/mainboard.rb".freeze, "test/dummy/app/models/nightingale.rb".freeze, "test/dummy/app/models/phoenix.rb".freeze, "test/dummy/app/models/user.rb".freeze, "test/dummy/app/views/layouts/application.html.erb".freeze, "test/dummy/app/views/layouts/mailer.html.erb".freeze, "test/dummy/app/views/layouts/mailer.text.erb".freeze, "test/dummy/bin/bundle".freeze, "test/dummy/bin/rails".freeze, "test/dummy/bin/rake".freeze, "test/dummy/bin/setup".freeze, "test/dummy/bin/update".freeze, "test/dummy/bin/yarn".freeze, "test/dummy/config.ru".freeze, "test/dummy/config/application.rb".freeze, "test/dummy/config/boot.rb".freeze, "test/dummy/config/cable.yml".freeze, "test/dummy/config/database.yml".freeze, "test/dummy/config/environment.rb".freeze, "test/dummy/config/environments/development.rb".freeze, "test/dummy/config/environments/production.rb".freeze, "test/dummy/config/environments/test.rb".freeze, "test/dummy/config/hookup.rb".freeze, "test/dummy/config/initializers/application_controller_renderer.rb".freeze, "test/dummy/config/initializers/assets.rb".freeze, "test/dummy/config/initializers/backtrace_silencers.rb".freeze, "test/dummy/config/initializers/cookies_serializer.rb".freeze, "test/dummy/config/initializers/filter_parameter_logging.rb".freeze, "test/dummy/config/initializers/inflections.rb".freeze, "test/dummy/config/initializers/mime_types.rb".freeze, "test/dummy/config/initializers/rails_ops.rb".freeze, "test/dummy/config/initializers/wrap_parameters.rb".freeze, "test/dummy/config/locales/en.yml".freeze, "test/dummy/config/puma.rb".freeze, "test/dummy/config/routes.rb".freeze, "test/dummy/config/secrets.yml".freeze, "test/dummy/config/spring.rb".freeze, "test/dummy/db/schema.rb".freeze, "test/dummy/lib/assets/.keep".freeze, "test/dummy/log/.keep".freeze, "test/dummy/package.json".freeze, "test/dummy/public/404.html".freeze, "test/dummy/public/422.html".freeze, "test/dummy/public/500.html".freeze, "test/dummy/public/apple-touch-icon-precomposed.png".freeze, "test/dummy/public/apple-touch-icon.png".freeze, "test/dummy/public/favicon.ico".freeze, "test/dummy/tmp/.keep".freeze, "test/test_helper.rb".freeze, "test/unit/rails_ops/generators/operation_generator_test.rb".freeze, "test/unit/rails_ops/hookup_test.rb".freeze, "test/unit/rails_ops/mixins/controller_test.rb".freeze, "test/unit/rails_ops/mixins/model/deep_nesting_test.rb".freeze, "test/unit/rails_ops/mixins/model/marshalling_test.rb".freeze, "test/unit/rails_ops/mixins/param_authorization_test.rb".freeze, "test/unit/rails_ops/mixins/policies_test.rb".freeze, "test/unit/rails_ops/operation/auth_test.rb".freeze, "test/unit/rails_ops/operation/model/create_test.rb".freeze, "test/unit/rails_ops/operation/model/destroy_test.rb".freeze, "test/unit/rails_ops/operation/model/load_test.rb".freeze, "test/unit/rails_ops/operation/model/sti_test.rb".freeze, "test/unit/rails_ops/operation/model/update_test.rb".freeze, "test/unit/rails_ops/operation/model_test.rb".freeze, "test/unit/rails_ops/operation/update_lazy_auth_test.rb".freeze, "test/unit/rails_ops/operation_test.rb".freeze, "test/unit/rails_ops/profiler_test.rb".freeze]
   s.licenses = ["MIT".freeze]
   s.rubygems_version = "3.4.6".freeze

data/test/unit/rails_ops/mixins/policies_test.rb

@@ -33,6 +33,58 @@ class RailsOps::Mixins::PoliciesTest < ActiveSupport::TestCase
                  op.run!.sequence
   end
 
+  def test_basic_policies_with_model
+    group = Group.create!
+
+    op = Class.new(RailsOps::Operation::Model::Update) do
+      attr_reader :sequence
+
+      model Group
+
+      policy do
+        @sequence << :default
+      end
+
+      policy :before_attr_assign do
+        @sequence = []
+        @sequence << :before_attr_assign
+      end
+
+      policy :on_init do
+        @sequence << :on_init
+      end
+
+      policy :before_perform do
+        @sequence << :before_perform
+      end
+
+      policy :after_perform do
+        @sequence << :after_perform
+      end
+
+      def perform
+        @sequence << :perform
+      end
+    end
+
+    assert_equal %i[before_attr_assign on_init default before_perform perform after_perform],
+                 op.run!(id: group.id).sequence
+  end
+
+  def test_before_attr_assign_needs_build_model
+    # When trying to use the `:before_attr_assign` chain, we need
+    # to have the `assign_attributes` method implemented, which usually
+    # is implemented in the `RailsOps::Operation::Model` base class
+    # and runs the `before_attr_assign` policy chain.
+    assert_raises RuntimeError, match: /Policy :before_attr_assign may not be used unless your operation defines the `assign_attributes` method!/ do
+      Class.new(RailsOps::Operation) do
+        policy :before_attr_assign do
+          # Nothing needed here
+        end
+      end
+    end
+  end
+
   def test_prepend_action
     op = Class.new(RailsOps::Operation) do
       attr_reader :sequence

data/test/unit/rails_ops/operation/model/create_test.rb

@@ -65,4 +65,51 @@ class RailsOps::Operation::Model::CreateTest < ActiveSupport::TestCase
       op.build_model
     end
   end
+
+  def test_policies
+    op_klass = Class.new(RailsOps::Operation::Model::Create) do
+      model ::Group
+
+      policy do
+        # Here, we need the model to have the new name assigned
+        fail 'Attribute should be assigned to new value' unless model.name == 'new_name'
+
+        # However, the model should not be persisted yet
+        fail 'Model should not be persisted to the database yet' if model.persisted?
+      end
+
+      policy :before_attr_assign do
+        # The name of the model itself should still be nil
+        fail 'Attribute should not be assigned to a value yet' if model.name.present?
+      end
+
+      policy :on_init do
+        # Here, we need the model to have the new name assigned
+        fail 'Attribute should be assigned to new value' unless model.name == 'new_name'
+
+        # However, the model should not be persisted yet
+        fail 'Model should not be persisted to the database yet' if model.persisted?
+      end
+
+      policy :before_perform do
+        # Here, we need the model to have the new name assigned
+        fail 'Attribute should be assigned to new value' unless model.name == 'new_name'
+
+        # However, the model should not be persisted yet
+        fail 'Model should not be persisted to the database yet' if model.persisted?
+      end
+
+      policy :after_perform do
+        # Here, we need the model to have the new name assigned
+        fail 'Attribute should be assigned to new value' unless model.name == 'new_name'
+
+        # Now, the model should be persisted to the database
+        fail 'Model should not be persisted to the database yet' unless model.persisted?
+      end
+    end
+
+    assert_nothing_raised do
+      op_klass.run!(group: { name: 'new_name' })
+    end
+  end
 end

data/test/unit/rails_ops/operation/model/destroy_test.rb

@@ -28,4 +28,14 @@ class RailsOps::Operation::Model::DestroyTest < ActiveSupport::TestCase
       op.run!
     end
   end
+
+  def test_model_authorization_action_permitted
+    assert_nothing_raised do
+      Class.new(RailsOps::Operation::Model::Destroy) do
+        model Group
+        load_model_authorization_action :foobar
+        model_authorization_action :barfoo
+      end
+    end
+  end
 end

data/test/unit/rails_ops/operation/model/load_test.rb

@@ -52,6 +52,15 @@ class RailsOps::Operation::Model::LoadTest < ActiveSupport::TestCase
 
   def test_too_many_authorization_actions
     assert_raises_with_message ArgumentError, 'Too many arguments' do
+      Class.new(RailsOps::Operation::Model::Load) do
+        model Group
+        load_model_authorization_action :read, :update
+      end
+    end
+  end
+
+  def test_model_authorization_action_not_permitted
+    assert_raises_with_message RuntimeError, /Use `load_model_authorization_action` instead/ do
       Class.new(RailsOps::Operation::Model::Load) do
         model Group
         model_authorization_action :read, :update

data/test/unit/rails_ops/operation/model/update_test.rb

@@ -163,4 +163,62 @@ class RailsOps::Operation::Model::UpdateTest < ActiveSupport::TestCase
   ensure
     RailsOps.config.authorization_backend = nil
   end
+
+  def test_policies
+    op_klass = Class.new(RailsOps::Operation::Model::Update) do
+      model ::Group
+
+      policy do
+        # Here, we need the model to have the new name assigned
+        fail 'Attribute should be assigned to new value' unless model.name == 'new_name'
+
+        # However, the new name should not be persisted to the database yet
+        fail 'Attribute change should not be persisted yet' unless Group.find(model.id).name == 'foobar'
+      end
+
+      policy :before_attr_assign do
+        # The name of the model itself should still be the initial value
+        fail 'Attribute should not be assigned to new value yet' unless model.name == 'foobar'
+      end
+
+      policy :on_init do
+        # Here, we need the model to have the new name assigned
+        fail 'Attribute should be assigned to new value' unless model.name == 'new_name'
+
+        # However, the new name should not be persisted to the database yet
+        fail 'Attribute change should not be persisted yet' unless Group.find(model.id).name == 'foobar'
+      end
+
+      policy :before_perform do
+        # Here, we need the model to have the new name assigned
+        fail 'Attribute should be assigned to new value' unless model.name == 'new_name'
+
+        # However, the new name should not be persisted to the database yet
+        fail 'Attribute change should not be persisted yet' unless Group.find(model.id).name == 'foobar'
+      end
+
+      policy :after_perform do
+        # Here, we need the model to have the new name assigned
+        fail 'Attribute should be assigned to new value' unless model.name == 'new_name'
+
+        # Also, the new name should be persisted to the database
+        fail 'Attribute change should not be persisted yet' unless Group.find(model.id).name == 'new_name'
+      end
+    end
+
+    model = Group.create!(name: 'foobar')
+    assert_nothing_raised do
+      op_klass.run!(id: model.id, group: { name: 'new_name' })
+    end
+  end
+
+  def test_model_authorization_action_permitted
+    assert_nothing_raised do
+      Class.new(RailsOps::Operation::Model::Update) do
+        model Group
+        load_model_authorization_action :foobar
+        model_authorization_action :barfoo
+      end
+    end
+  end
 end

data/test/unit/rails_ops/operation/update_lazy_auth_test.rb

@@ -89,9 +89,21 @@ class RailsOps::Operation::UpdateLazyAuthTest < ActiveSupport::TestCase
 
   def test_permitted_update_unpermitted_color
     ctx = RailsOps::Context.new(ability: ABILITY.new(read: true, update: true))
-    op = BASIC_OP.new(ctx, id: 3, group: { color: 'red' })
+    op = BASIC_OP.new(ctx, id: 3)
     assert_raises CanCan::AccessDenied do
       op.run!
     end
   end
+
+  def test_permitted_update_permitted_color_other_color_target_state
+    # Here, we test that we can update a record where the ability
+    # allows us the `:update` action on the current state of the model,
+    # despite bringing the object to a state where we won't have the
+    # ability to update the object anymore afterwards.
+    ctx = RailsOps::Context.new(ability: ABILITY.new(read: true, update: true))
+    op = BASIC_OP.new(ctx, id: 1, group: { color: 'blue' })
+    assert_nothing_raised do
+      op.run!
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rails_ops
 version: !ruby/object:Gem::Version
-  version: 1.6.0
+  version: 1.7.1
 platform: ruby
 authors:
 - Sitrox
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2025-01-23 00:00:00.000000000 Z
+date: 2025-01-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: active_type