restrict 0.0.8 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 4c64d62099175f3a9b75038ddb7194f9194b6a9f
-  data.tar.gz: 062a5d223b9ca341d424eceabe63549306b26c40
+SHA256:
+  metadata.gz: b012524d4112ddfce7cef1066511516b69019acf727b577cb271d36355edc6e5
+  data.tar.gz: 161638aee7c62d34da01168eeb8e7aec23cacef01a9e0b596209f3f4cf0ed8ac
 SHA512:
-  metadata.gz: 7f20340ac055884a14dde1e86d3487493ed289bd483414918461402bf1f8563f55b1df07390b7ba0a4faa2bb689dcfc61fb2cfde03b82e96bea4ec01269e977f
-  data.tar.gz: f4cb556ccee44018cb568512a7590a3383cc833340b4cb5cd96432447a817f7550118506436e3709acf1aacb55c3e3d6e2dd51011797c5a42deedf28c265ce68
+  metadata.gz: 0130142f698da26e48c9d986782f080e4f457a5833ca83a54846d79dbb6a96a5f751e7ff96d08c0bee6cfa99325f9414ba7f74bbed951629965f89d460981cae
+  data.tar.gz: c83f370a57e3f73874000ac806e28f08e22ccfc2247c0c2954b1a329a34f902c71f5aaf60d0a98e61c66d22320ff2b649b3c295a611215f97bc33e48e7f36b7a

data/.github/workflows/specs.yml

@@ -0,0 +1,34 @@
+name: Specs
+
+on:
+  pull_request:
+    branches:
+      - 'master'
+  push:
+    branches:
+      - 'master'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v1
+
+    - name: Set up Ruby 2.7
+      uses: actions/setup-ruby@v1
+      with:
+        ruby-version: 2.7.x
+
+    - name: bundle
+      env:
+        RAILS_ENV: test
+      run: |
+        gem install bundler
+        bundle install --jobs 4 --retry 3
+
+    - name: Run Tests
+      env:
+        RAILS_ENV: test
+      run: |
+        bundle exec rspec

data/.ruby-version

@@ -0,0 +1 @@
+2.7.1

data/CHANGELOG.md

@@ -1,3 +1,15 @@
+[0.2.1] - 2021-04-24
+  * Fix rails autoloading issue (@jaynetics)
+
+[0.2.0] - 2020-05-18
+  * Implement `:on` parameter for `restrict` calls
+
+[0.1.1] - 2019-11-26
+  * Bug fix release to actually work in rails ¯\_(ツ)_/¯
+
+[0.1.0] - 2019-11-25
+  * Support controller inheritance
+
 [0.0.7] - 2014-08-25
   * Breaking change part 2: restrict without action names will now implicitly restrict all actions
   * :all_actions modifier is gone

data/README.md

@@ -2,7 +2,7 @@
 
 A rails controller extension, that gives you the possibility to restrict access to your controller actions.
 
-[![Build Status](https://secure.travis-ci.org/xijo/restrict.png?branch=master)](https://travis-ci.org/xijo/restrict) [![Gem Version](https://badge.fury.io/rb/restrict.png)](http://badge.fury.io/rb/restrict) [![Code Climate](https://codeclimate.com/github/xijo/restrict.png)](https://codeclimate.com/github/xijo/restrict) [![Code Climate](https://codeclimate.com/github/xijo/restrict/coverage.png)](https://codeclimate.com/github/xijo/restrict)
+![Specs](https://github.com/xijo/restrict/workflows/Specs/badge.svg) [![Gem Version](https://badge.fury.io/rb/restrict.png)](http://badge.fury.io/rb/restrict) [![Code Climate](https://codeclimate.com/github/xijo/restrict.png)](https://codeclimate.com/github/xijo/restrict) [![Code Climate](https://codeclimate.com/github/xijo/restrict/coverage.png)](https://codeclimate.com/github/xijo/restrict)
 
 ## Installation
 
@@ -49,6 +49,38 @@ restrict
 
 This one will apply to all actions on this controller. It takes the `unless` option as well.
 
+### Restrict with specific object
+
+One may pass `on` to a `restrict` call in a controller.
+
+If `on` is set, it evaluates the given method.
+If it returns nil, it raises an error.
+If an object is returned, it will be send while evaluating the `unless`
+condition.
+
+Example
+
+```
+class ItemController
+  restrict :show, unless: :manager_of?, on: :load_item
+
+  def show
+  end
+
+  private
+
+  def manager_of?(item)
+    current_user == item.manager
+  end
+
+  def load_item
+    @item = Item.find(params[:id])
+  end
+end
+```
+
+Aliases for `on` are: `of`, `object`
+
 ### Configuration
 
 ```ruby
@@ -58,6 +90,15 @@ Restrict.config.authentication_validation_method = :admin_session_exists?
 
 You may set the method that is used to figure out whether a user is signed in or not to whatever you like, however it's default is `:user_signed_in?` which is the most common (devise) method in use.
 
+### Inheritance
+
+A controller will respect all restrictions that are applied to its ancestors.
+
+You may implement a set of rules in a `BaseController` and refine them in subclasses later on.
+
+Please note: it is not possible yet to revert previously added restrictions, that means
+if a restriction on `show` is added in a class and another one in the subclass **BOTH** apply.
+
 ## Contributing
 
 You know how this works and bonus points for feature branches!

data/lib/restrict/already_restricted_error.rb

@@ -0,0 +1,4 @@
+module Restrict
+  class AlreadyRestrictedError < Error
+  end
+end

data/lib/restrict/gatekeeper.rb

@@ -15,12 +15,7 @@ module Restrict
 
     def handle_restriction(restriction, controller)
       validate_signed_in(controller)
-
-      if restriction.unless
-        unless controller.__send__(restriction.unless)
-          raise Restrict::AccessDenied, reason: restriction
-        end
-      end
+      restriction.validate(controller)
     end
 
     def concerning_restrictions(controller)

data/lib/restrict/rails/controller.rb

@@ -3,29 +3,48 @@ module Restrict
     module Controller
       extend ActiveSupport::Concern
 
-      included do
-        class_attribute :restrictions
+      def inherited(subclass)
+        subclass.extend Restrict::Rails::Controller
+      end
+
+      def restrictions
+        inherited_restrictions + self.class.__send__(:restrict_restrictions)
       end
 
       module ClassMethods
         def restrict(*args)
           install_gatekeeper
-          self.restrictions ||= []
-          restrictions << Restrict::Restriction.new(*args)
+          restrict_restrictions << Restrict::Restriction.new(*args)
+        end
+
+        # Access the class instance variable. Do not mistake this method with
+        # the instance method `#restrictions` which is actually used to determine
+        # access and that respects inherited restrictions.
+        # Hence the `__` name.
+        private def restrict_restrictions
+          @restrictions ||= []
         end
 
         # This could happen in included block as well, but often you need
         # other before filters to happen before you actually check the
         # restrictions, so lets set it where it is used in the code as well.
         def install_gatekeeper
-          return if @gatekeeper_installed
+          return if @restrict_gatekeeper_installed
           before_action :invoke_gatekeeper
-          @gatekeeper_installed = true
+          @restrict_gatekeeper_installed = true
         end
       end
 
       private
 
+      def inherited_restrictions
+        self.class.ancestors.map do |ancestor|
+          if ancestor.instance_variable_get(:@restrict_gatekeeper_installed)
+            ancestor.__send__(:restrict_restrictions)
+          end
+        end.compact.flatten
+      end
+
       def invoke_gatekeeper
         Restrict::Gatekeeper.new.eye(self)
       end

data/lib/restrict/rails/railtie.rb

@@ -2,7 +2,9 @@ module Restrict
   module Rails
     class Railtie < ::Rails::Railtie
       initializer 'restrict.add_controller_extension' do
-        ActionController::Base.send :include, Restrict::Rails::Controller
+        ActiveSupport.on_load(:action_controller_base) do
+          ActionController::Base.include Restrict::Rails::Controller
+        end
       end
     end
   end

data/lib/restrict/restriction.rb

@@ -1,17 +1,32 @@
 module Restrict
   class Restriction
-    attr_accessor :actions, :unless
+    attr_accessor :actions, :options, :unless, :on
 
     def initialize(*args)
-      options  = args.extract_options!
-      @unless  = options[:unless]
-      @actions = args
+      @options  = args.extract_options!
+      @unless   = @options[:unless]
+      @on       = @options[:on] || options[:of] || options[:object]
+      @actions  = args
     end
 
     def applies_to?(action)
       applies_to_action?(action) || applies_to_all_actions?
     end
 
+    def validate(controller)
+      @unless or return
+
+      unless_args = []
+      if @on
+        object = controller.__send__(on)
+        unless_args << object or raise Restrict::AccessDenied, reason: 'object given was #{object.inspect}'
+      end
+
+      unless controller.__send__(@unless, *unless_args)
+        raise Restrict::AccessDenied, reason: self
+      end
+    end
+
     private
 
     def applies_to_all_actions?

data/lib/restrict/rspec/matcher.rb

@@ -4,24 +4,23 @@ RSpec::Matchers.define :have_restriction_on do |given_action_name|
     @given_controller = given_controller
 
     @restriction = given_controller.restrictions.find do |restriction|
-      restriction.applies_to?(given_action_name)
-    end
-
-    if @restriction
-      if @given_unless
-        @restriction.unless == @given_unless
-      else
-        true
+      if restriction.applies_to?(given_action_name) && matching_unless(restriction, @given_unless)
+        restriction
       end
-    else
-      false
     end
+
+    !!@restriction
   end
 
   chain :unless do |given_unless|
     @given_unless = given_unless
   end
 
+  def matching_unless(restriction, given_unless)
+    given_unless or return true
+    restriction.unless == given_unless
+  end
+
   failure_message do |actual|
     if @restriction && @given_unless
       "Expected restriction to call #{@given_unless.inspect}, but calls #{@restriction.unless.inspect}"
@@ -38,7 +37,6 @@ RSpec::Matchers.define :have_restriction_on do |given_action_name|
     end
   end
 
-  # :nocov:
   def description
     "Checks if a restriction for a given action is defined on the controller"
   end

data/lib/restrict/rspec/matcher_rspec2.rb

@@ -4,25 +4,24 @@ RSpec::Matchers.define :have_restriction_on do |given_action_name|
     @given_controller = given_controller
 
     @restriction = given_controller.restrictions.find do |restriction|
-      restriction.applies_to?(given_action_name)
-    end
-
-    if @restriction
-      if @given_unless
-        @restriction.unless == @given_unless
-      else
-        true
+      if restriction.applies_to?(given_action_name) && matching_unless(restriction, @given_unless)
+        restriction
       end
-    else
-      false
     end
+
+    !!@restriction
   end
 
   chain :unless do |given_unless|
     @given_unless = given_unless
   end
 
-  failure_message_for_should do |actual|
+  def matching_unless(restriction, given_unless)
+    given_unless or return true
+    restriction.unless == given_unless
+  end
+
+  failure_message do |actual|
     if @restriction && @given_unless
       "Expected restriction to call #{@given_unless.inspect}, but calls #{@restriction.unless.inspect}"
     else
@@ -30,7 +29,7 @@ RSpec::Matchers.define :have_restriction_on do |given_action_name|
     end
   end
 
-  failure_message_for_should_not do |actual|
+  failure_message_when_negated do |actual|
     if @given_unless
       "Expected restriction not to call #{@given_unless.inspect}, but calls #{@restriction.unless.inspect}"
     else

data/lib/restrict/rspec/shared_example.rb

@@ -0,0 +1,5 @@
+RSpec.shared_examples "restricts access to" do |action_name, unless_condition|
+  it "restricts #{action_name}#{unless_condition && " unless #{unless_condition}"}" do
+    expect(controller).to have_restriction_on(action_name).unless(unless_condition)
+  end
+end

data/lib/restrict/version.rb

@@ -1,3 +1,3 @@
 module Restrict
-  VERSION = "0.0.8"
+  VERSION = "0.2.1"
 end

data/restrict.gemspec

@@ -20,10 +20,9 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency 'rails', '> 3.0'
 
-  spec.add_development_dependency 'bundler', '~> 1.5'
+  spec.add_development_dependency 'bundler'
   spec.add_development_dependency 'rspec'
   spec.add_development_dependency 'simplecov'
   spec.add_development_dependency 'rake'
   spec.add_development_dependency 'byebug'
-  spec.add_development_dependency 'codeclimate-test-reporter'
 end

data/spec/lib/restrict/rails/controller_spec.rb

@@ -1,7 +1,6 @@
 require 'spec_helper'
 
 describe Restrict::Rails::Controller do
-
   let(:controller) { ExampleController.new }
 
   before do
@@ -17,6 +16,8 @@ describe Restrict::Rails::Controller do
     it 'builds and adds a conditional restriction' do
       expect(controller).to have_restriction_on(:show).unless(:access_allowed?)
     end
+
+    include_examples 'restricts access to', :show, :access_allowed?
   end
 
   describe '#included' do
@@ -32,4 +33,47 @@ describe Restrict::Rails::Controller do
     end
   end
 
+  describe 'in inherited mode' do
+    let(:base)       { ExampleController.new }
+    let(:controller) { InheritingController.new }
+    let(:child)      { BottomLineController.new }
+
+    before do
+      base.class.restrict       :show, unless: :level1?
+      controller.class.restrict :show, unless: :level2?
+      child.class.restrict      :show, unless: :level3?
+    end
+
+    it 'does not leak restrictions into superclass' do
+      expect(base).to have_restriction_on(:show).unless(:level1?)
+      expect(base).not_to have_restriction_on(:show).unless(:level2?)
+      expect(base).not_to have_restriction_on(:show).unless(:level3?)
+
+      expect(controller).to have_restriction_on(:show).unless(:level1?)
+      expect(controller).to have_restriction_on(:show).unless(:level2?)
+      expect(controller).not_to have_restriction_on(:show).unless(:level3?)
+
+      expect(child).to have_restriction_on(:show).unless(:level1?)
+      expect(child).to have_restriction_on(:show).unless(:level2?)
+      expect(child).to have_restriction_on(:show).unless(:level3?)
+    end
+  end
+
+  describe 'applies inherited general restrictions additionally to explizit restrictions' do
+    let(:base)       { ExampleController.new }
+    let(:controller) { InheritingController.new }
+
+    before do
+      base.class.restrict              unless: :level1?
+      controller.class.restrict :show, unless: :level2?
+    end
+
+    it 'does not leak restrictions into superclass' do
+      expect(base).to have_restriction_on(:show).unless(:level1?)
+      expect(base).not_to have_restriction_on(:show).unless(:level2?)
+
+      expect(controller).to have_restriction_on(:show).unless(:level1?)
+      expect(controller).to have_restriction_on(:show).unless(:level2?)
+    end
+  end
 end

data/spec/lib/restrict/restriction_spec.rb

@@ -28,4 +28,52 @@ describe Restrict::Restriction do
       expect(restriction).to be_applies_to(:bar)
     end
   end
+
+  describe '#validate' do
+    describe 'with :on option' do
+      let(:controller) { ObjectController.new }
+
+      it 'does not raise if no condition was given' do
+        restriction = Restrict::Restriction.new on: :managed_object
+        expect { restriction.validate(controller) }.not_to raise_error
+      end
+
+      it 'does not raise an error if `on` and `unless` match' do
+        restriction = Restrict::Restriction.new on: :managed_object, unless: :manager_of?
+        expect { restriction.validate(controller) }.not_to raise_error
+      end
+
+      it 'raises an error if `unless` does not work on `on`' do
+        restriction = Restrict::Restriction.new on: :rougue_object, unless: :manager_of?
+        expect { restriction.validate(controller) }.to raise_error(Restrict::AccessDenied)
+      end
+
+      it 'raises an error if `on` is nil' do
+        restriction = Restrict::Restriction.new on: :nil_object, unless: :manager_of?
+        expect { restriction.validate(controller) }.to raise_error(Restrict::AccessDenied)
+      end
+
+      it 'works with aliases' do
+        restriction = Restrict::Restriction.new of: :managed_object, unless: :manager_of?
+        expect { restriction.validate(controller) }.not_to raise_error
+
+        restriction = Restrict::Restriction.new object: :managed_object, unless: :manager_of?
+        expect { restriction.validate(controller) }.not_to raise_error
+      end
+    end
+
+    describe 'without :on option' do
+      let(:controller) { ExampleController.new }
+
+      it 'does not raise an error if `unless` works' do
+        restriction = Restrict::Restriction.new unless: :truthy
+        expect { restriction.validate(controller) }.not_to raise_error
+      end
+
+      it 'raises an error if `unless` does not work' do
+      restriction = Restrict::Restriction.new unless: :falsy
+        expect { restriction.validate(controller) }.to raise_error(Restrict::AccessDenied)
+      end
+    end
+  end
 end

data/spec/lib/restrict_spec.rb

@@ -1,7 +1,6 @@
 require 'spec_helper'
 
 describe Restrict do
-
   describe '#config' do
     it 'returns a configuration' do
       expect(Restrict.config).to be_a Restrict::Configuration
@@ -17,5 +16,4 @@ describe Restrict do
       expect(Restrict.config).to eq Restrict.config
     end
   end
-
 end

data/spec/spec_helper.rb

@@ -1,8 +1,7 @@
-require 'codeclimate-test-reporter'
-CodeClimate::TestReporter.start
-
 require 'simplecov'
 require 'byebug'
+require 'active_support'
+require 'active_support/core_ext'
 
 SimpleCov.profiles.define 'gem' do
   add_filter '/spec/'
@@ -13,10 +12,13 @@ SimpleCov.start 'gem'
 
 require 'restrict'
 require 'restrict/rspec/matcher'
+require 'restrict/rspec/shared_example'
 
 RSpec.configure do |config|
   config.after do
-    ExampleController.restrictions = []
+    ExampleController.__send__(:restrict_restrictions).clear
+    InheritingController.__send__(:restrict_restrictions).clear
+    BottomLineController.__send__(:restrict_restrictions).clear
   end
 end
 
@@ -47,3 +49,30 @@ class ExampleController < FakeController
     true
   end
 end
+
+class InheritingController < ExampleController
+  include Restrict::Rails::Controller
+end
+
+class BottomLineController < InheritingController
+  include Restrict::Rails::Controller
+end
+
+class ObjectController < ExampleController
+  def manager_of?(obj)
+    obj == :managed
+  end
+
+  private
+
+  def managed_object
+    :managed
+  end
+
+  def rougue_object
+    :other
+  end
+
+  def nil_object
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: restrict
 version: !ruby/object:Gem::Version
-  version: 0.0.8
+  version: 0.2.1
 platform: ruby
 authors:
 - Johannes Opper
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-07-02 00:00:00.000000000 Z
+date: 2021-04-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -26,20 +26,6 @@ dependencies:
         version: '3.0'
 - !ruby/object:Gem::Dependency
   name: bundler
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.5'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.5'
-- !ruby/object:Gem::Dependency
-  name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -53,7 +39,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: simplecov
+  name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -67,7 +53,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: rake
+  name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -81,7 +67,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: byebug
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -95,7 +81,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: codeclimate-test-reporter
+  name: byebug
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -115,9 +101,10 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/specs.yml"
 - ".gitignore"
 - ".rspec"
-- ".travis.yml"
+- ".ruby-version"
 - CHANGELOG.md
 - Gemfile
 - LICENSE.txt
@@ -125,6 +112,7 @@ files:
 - Rakefile
 - lib/restrict.rb
 - lib/restrict/access_denied.rb
+- lib/restrict/already_restricted_error.rb
 - lib/restrict/configuration.rb
 - lib/restrict/error.rb
 - lib/restrict/gatekeeper.rb
@@ -134,6 +122,7 @@ files:
 - lib/restrict/restriction.rb
 - lib/restrict/rspec/matcher.rb
 - lib/restrict/rspec/matcher_rspec2.rb
+- lib/restrict/rspec/shared_example.rb
 - lib/restrict/version.rb
 - restrict.gemspec
 - spec/lib/restrict/configuration_spec.rb
@@ -162,8 +151,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.4
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: Simple access control dsl for controllers.
@@ -175,4 +163,3 @@ test_files:
 - spec/lib/restrict/rspec/matcher_spec.rb
 - spec/lib/restrict_spec.rb
 - spec/spec_helper.rb
-has_rdoc: 

data/.travis.yml

@@ -1,11 +0,0 @@
-rvm:
-  - 2.0.0
-  - 2.1.0
-  - 2.1.1
-
-script: 'bundle exec rake spec'
-
-notifications:
-  disabled: false
-  recipients:
-    - johannes.opper@gmail.com