recurso 0.5.3 → 0.6.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b76502a3d8dcabffaece8ca8e0c1e180119a6f2abafe095e41aacf6bd6d916ce
-  data.tar.gz: c9f3e6241010e82e24cefa1529a23b5fbc8567e98f3820cbd9aab83de2b89816
+  metadata.gz: a46321da0a26c046aa4fbfebe14061760fe414a8f82c50ec16bb018ce99b39e1
+  data.tar.gz: e8663c77f4aebdcee48b8582f218cfb3adacbe92a65cc0c8cc33552cce08d8a4
 SHA512:
-  metadata.gz: 73c28571558f188c57a9e17f972d64d8a4abd757ef77981a045125c13742d739a8fea35dd99993c5db319b8f24ac04318630779c4f8efe1835c4d115f9f06b2c
-  data.tar.gz: 4d10393228eed9cba9aba3e5d34143343600d7ca55eff105d4c6e6b074adbf18d84298ea119e48e84ccad8fb7487db8fc3a26417f51eb999022de80445718185
+  metadata.gz: '0842b588a11c858e9f08099d6333447ee16863f11e20a68319f8f33e0644a796e5366e87fdb15f88fae1133fd93a854831d440d80316cdff4b539d539c7a37c6'
+  data.tar.gz: 20aa209fa69e2a2037f84f16c34a35e70492b15ea301c1c7aca541332aa08dd5584a225f6f33b2358ac481c71d75292f5b102d23609cd8878e9009ed6ab87c89

data/README.md

@@ -81,6 +81,15 @@ The second, which resources a user can access of a given relation:
 # ^^ which squad can I view within this team?
 ```
 
+Calling `resources_with_permission` directly on an identity will return all records in the database which that identity has access to.
+
+_(NB that these classes must be whitelisted via the `global_relations` config parameter, documented below)_
+
+```ruby
+@user.resources_with_permission(:teams)
+# ^^ which teams in the the database can I view?
+```
+
 #### 4. Authorizing resources
 
 A common use case for these permissions is to authorize actions on a certain controller action.
@@ -272,6 +281,22 @@ Recurso::Config.instance.identity_foreign_key = lambda do |model|
 end
 ```
 
+**global_relations**:
+
+The names of relations you're interested in accessing globally. This expects an array of symbols, which will be constantized in order to find a class name
+
+```ruby
+Recurso::Config.instance.global_relations = [:organizations, :teams, :squads]
+```
+
+This enables querying the `Recurso::Global` for all models of that class.
+
+e.g.:
+```ruby
+# return all teams in the database which this user can view
+user.resources_with_permission(:teams)
+```
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.

data/lib/recurso/concerns/identity.rb

@@ -11,6 +11,15 @@ module Recurso
       (resource&.policy_class || Recurso::NilClassPolicy).new(self, resource)
     end
 
+    def resources_with_permission(relation_name, action: :view, all_columns: true, include_actions: [])
+      policy(Recurso::Global.instance).resources_with_permission(
+        relation_name,
+        action: action,
+        all_columns: all_columns,
+        include_actions: include_actions
+      )
+    end
+
     def policy_class
       Recurso::BasePolicy
     end

data/lib/recurso/config.rb

@@ -12,7 +12,8 @@ module Recurso
                   :default_level,
                   :identity_foreign_key,
                   :permission_class_name,
-                  :default_permission_class_name
+                  :default_permission_class_name,
+                  :global_relations
 
     def initialize
       @levels_for_action = {
@@ -34,6 +35,8 @@ module Recurso
       @identity_foreign_key = DEFAULT_IDENTITY_FOREIGN_KEY
 
       @permission_class_name = DEFAULT_PERMISSION_CLASS_NAME
+
+      @global_relations = []
     end
 
     def model_specific(value, model)

data/lib/recurso/models/global.rb

@@ -0,0 +1,21 @@
+module Recurso
+  class Global
+    # no-op methods to support being a Recurso::Resource
+    define_singleton_method :has_one, ->(*args) {}
+    define_singleton_method :has_many, ->(*args) {}
+    define_singleton_method :belongs_to, ->(*args) {}
+
+    include Singleton
+    include Recurso::Resource
+
+    def permission_policy
+      OpenStruct.new(policy_type: :open)
+    end
+
+    def method_missing(method)
+      super unless Recurso::Config.instance.global_relations.include?(method)
+
+      method.to_s.classify.constantize.all
+    end
+  end
+end

data/lib/recurso/policies/resource_policy.rb

@@ -7,23 +7,14 @@ module Recurso
       Recurso::Queries::Single.new(identity, resource, action).permission?
     end
 
-    def resources_with_permission(relation_name, all_columns: true, include_actions: [:modify, :administer])
-      include_actions.reduce(resource_query_for(relation_name, :view, all_columns: all_columns)) do |resources, action|
-        resources
-          .joins("LEFT OUTER JOIN(#{resource_query_for(relation_name, action).to_sql}) AS #{action} ON #{action}.id = #{relation_name}.id")
-          .select("#{action}.id IS NOT NULL AS can_#{action}")
-      end
-    end
-
-    private
-
-    def resource_query_for(relation_name, action, all_columns: false)
+    def resources_with_permission(relation_name, action: :view, all_columns: true, include_actions: [:modify, :administer])
       Recurso::Queries::Relation.new(
         identity,
         resource,
         relation_name,
         all_columns: all_columns,
-        action: action
+        action: action,
+        include_actions: include_actions,
       ).resources
     end
   end

data/lib/recurso/queries/relation.rb

@@ -2,32 +2,56 @@ module Recurso
   module Queries
     class Relation
 
-      def initialize(identity, resource, relation_name, all_columns: true, action: :view)
+      def initialize(identity, resource, relation_name, all_columns: true, action: :view, include_actions: [])
         @identity = identity
         @resource = resource
         @relation = resource.send(relation_name)
         @all_columns = all_columns
+        @include_actions = (include_actions + Array(action)).uniq
         @action = action
       end
 
       def resources
-        @resources ||= join_permissions
-          .select("#{@relation.table_name}.#{@all_columns ? :* : :id}")
-          .where(coalesce(@action))
-          .distinct
+        @relation
+          .select("#{@relation.table_name}.#{@all_columns ? :"*" : :id}")
+          .select(*@include_actions.map { |action| "included.can_#{action}"})
+          .joins("
+            INNER JOIN (#{included_permissions}) included
+            ON #{@relation.table_name}.id = included.id
+            AND included.can_#{@action} = 1
+          ")
       end
 
       private
 
-      def join_permissions
-        @relation.relevant_associations.reduce(@relation) do |result, assoc|
-          result.joins(through_join_for(assoc)).joins("
-            LEFT OUTER JOIN #{permission_class.table_name} #{assoc.name}_permissions
-            ON  #{assoc.name}_permissions.resource_type = '#{assoc.class_name}'
-            AND #{assoc.name}_permissions.resource_id   = #{resource_id_for(assoc)}
-            AND #{assoc.name}_permissions.#{identity_foreign_key} = #{@identity.id.to_i}
-          ")
-        end
+      def included_permissions
+        "
+          SELECT cascaded.id, #{included_permission_select}
+          FROM (#{cascaded_permissions}) cascaded
+          GROUP BY cascaded.id
+        "
+      end
+
+      def cascaded_permissions
+        @relation.relevant_associations.map do |assoc|
+          @relation
+            .select(:id, :level)
+            .joins(through_join_for(assoc))
+            .joins("
+              INNER join #{permission_class.table_name}
+              ON  #{permission_class.table_name}.resource_type = '#{assoc.class_name}'
+              AND #{permission_class.table_name}.resource_id   = #{resource_id_for(assoc)}
+              AND #{permission_class.table_name}.#{identity_foreign_key} = #{@identity.id.to_i}
+            ").to_sql
+        end.join(" UNION ")
+      end
+
+      def included_permission_select
+        @include_actions.map do |action|
+          level_values = @resource.relevant_levels_for(action).map { |level| permission_class.levels[level] }.join(',')
+
+          "cascaded.level IN (#{level_values}) as can_#{action}"
+        end.join(", ")
       end
 
       def resource_id_for(assoc)
@@ -42,18 +66,6 @@ module Recurso
         "
       end
 
-      def coalesce(action)
-        "coalesce(#{level_columns}) IN (#{level_values(action)})"
-      end
-
-      def level_columns
-        @relation.relevant_associations.map { |assoc| "#{assoc.name}_permissions.level" }.join(',')
-      end
-
-      def level_values(action)
-        @resource.relevant_levels_for(action).map { |level| permission_class.levels[level] }.join(',')
-      end
-
       def permission_class
         @permission_class ||= Recurso::Config.instance.permission_class_name_for(@identity.class).constantize
       end

data/lib/recurso/version.rb

@@ -1,3 +1,3 @@
 module Recurso
-  VERSION = "0.5.3"
+  VERSION = "0.6.1"
 end

data/lib/recurso.rb

@@ -4,6 +4,7 @@ require 'recurso/concerns/identity'
 require 'recurso/concerns/resource'
 require 'recurso/concerns/permission'
 require 'recurso/concerns/controller'
+require 'recurso/models/global'
 require 'recurso/models/permission'
 require 'recurso/models/permission_policy'
 require 'recurso/policies/base_policy'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: recurso
 version: !ruby/object:Gem::Version
-  version: 0.5.3
+  version: 0.6.1
 platform: ruby
 authors:
 - James Kiesel
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-07-14 00:00:00.000000000 Z
+date: 2021-09-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activerecord
@@ -152,6 +152,7 @@ files:
 - lib/recurso/concerns/permission.rb
 - lib/recurso/concerns/resource.rb
 - lib/recurso/config.rb
+- lib/recurso/models/global.rb
 - lib/recurso/models/permission.rb
 - lib/recurso/models/permission_policy.rb
 - lib/recurso/policies/base_policy.rb