rolypoly 1.0.4 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 1edb5688538c2b284ffedf79a379a70e92073484
-  data.tar.gz: b1e672c8bb90ce9b2061a4ffb3c3aa93f9696865
+SHA256:
+  metadata.gz: 8e4740fb3c4333e32b0fa17cd46c6069ac7f4e5a9fb8fd0d634f37a372b1cb58
+  data.tar.gz: f95e52673fc7211cc17ec683f5727bfd5b4d3b4b653c1db571e7eace3ce91a39
 SHA512:
-  metadata.gz: 1fdab74446c185aff377f3cb4ef238cea5ff23237001d4401d11ceb34b102ffa16d2661272084a42e04b992011e074dcd296920a4ed7e17ff04e5927eeab6f5e
-  data.tar.gz: 54e68d95397017a05f272ef9d708d808d4f8c2c456f8b81d6837e9f4ab2e81f649bf9f6a31661d811a5e3094393c73125a1accf5af8ac85f6de061396445fe71
+  metadata.gz: 6f34a19e2704d544039bcbe4c8ec95647a3a2498be2bac9d8d91fe9e97222b164f026dd171ba7f3fc7019d445297d11a465835c17efe4e63a9712be11d788d3b
+  data.tar.gz: ccd41a27601cb2b182cbd4363da214f6c63dd54864a148a6753f2cbd07257daf78d3e72d34b77a017793a6422d85804ee67011c832b7e033bcf6234301dc6de4

data/.ruby-version

@@ -1 +1 @@
-2.2.0
+2.6.5

data/README.md

@@ -19,6 +19,8 @@ And then execute:
 $> bundle
 ```
 
+NOTE: If your application is running Rails 4.X.X or lower, please ensure your application also includes the `where-or` gem.
+
 ## Custom Usage
 
 ```ruby

data/lib/rolypoly.rb

@@ -1,5 +1,6 @@
 require "rolypoly/version"
 require 'rolypoly/controller_role_dsl'
+require 'rolypoly/resource_index_query_builder'
 
 module Rolypoly
 

data/lib/rolypoly/controller_role_dsl.rb

@@ -5,11 +5,15 @@ module Rolypoly
   module ControllerRoleDSL
 
     def self.included(sub)
-      sub.before_filter(:rolypoly_check_role_access!) if sub.respond_to? :before_filter
-      if sub.respond_to? :rescue_from
+      if sub.respond_to? :before_filter
+        sub.before_filter(:rolypoly_check_role_access!)
+      elsif sub.respond_to? :before_action
+        sub.before_action(:rolypoly_check_role_access!)
+      end
+        if sub.respond_to? :rescue_from
         sub.rescue_from(FailedRoleCheckError) do
           respond_to do |f|
-            f.html { render text: "Not Authorized", status: 401 }
+            f.html { render plain: "Not Authorized", status: 401 }
             f.json { render json: { error: "Not Authorized" }, status: 401 }
             f.xml { render xml: { error: "Not Authorized" }, status: 401 }
           end

data/lib/rolypoly/index_role_dsl.rb

@@ -0,0 +1,86 @@
+require 'forwardable'
+require 'rolypoly/role_scopes'
+
+module Rolypoly
+  module IndexRoleDSL
+
+    def self.included(base)
+      base.extend(ClassMethods)
+      base.send(:include, InstanceMethods)
+    end
+
+    module InstanceMethods
+      extend Forwardable
+
+      def self.included(base)
+        unless base.method_defined?(:current_user_roles)
+          base.send(:define_method, :current_user_roles) do
+            raise NotImplementedError
+          end
+        end
+      end
+
+      def_delegators 'self.class', :role_scopes
+      def_delegators :role_scopes, :public?
+
+      def apply_scopes
+        return query if role_scopes.all_access?(current_user_roles)
+        return query.none if scope_hash.empty?
+        if scope_hash.keys.length == 1
+          scope_hash.inject(query) { |query, (scope_name, ids)| query.public_send(scope_name, ids) }
+        else
+          # This block is designed to handle cases of more than one scope.
+          # The following code has been demonstrated to perform on most "simple"...
+          #...objects and scopes. However, there are certain complex objects...
+          #...and scopes that cause permission checks to fail.
+          object_query = query
+          object_query = join_tables.inject(object_query) do |q, join_table|
+            q.joins(join_table)
+          end
+
+          scope_hash.inject(object_query) do |object_query, (scope_name, ids)|
+            object_query.or(query.public_send(scope_name, ids))
+          end
+        end
+      end
+
+      def join_tables
+        scope_hash.map do |scope_name, ids|
+          query.public_send(scope_name, ids).values[:joins]
+        end
+          .flatten
+          .uniq
+          .reject { |join_table| query_join_tables.include?(join_table) }
+      end
+
+      def query_join_tables
+         values = query.try(:values) || {}
+         values.fetch(:joins, [])
+      end
+
+
+      def scope_hash
+        @scope_hash ||= role_scopes.scope_hash(current_user_roles)
+      end
+
+      def allowed_roles(scope_name)
+        role_scopes.allowed_roles(current_user_roles, scope_name)
+      end
+    end
+
+    module ClassMethods
+      extend Forwardable
+
+      def inherited(subclass)
+        super
+        subclass.instance_variable_set('@role_scopes', role_scopes.dup)
+      end
+
+      def_delegators :role_scopes, :all_public, :allow, :allowed_roles, :on
+
+      def role_scopes
+        @role_scopes ||= Rolypoly::RoleScopes.new
+      end
+    end
+  end
+end

data/lib/rolypoly/resource_index_query_builder.rb

@@ -0,0 +1,22 @@
+require 'rolypoly/index_role_dsl'
+
+module Rolypoly
+  class ResourceIndexQueryBuilder
+    include Rolypoly::IndexRoleDSL
+
+    attr_reader :query, :user
+
+    allow(:third_north).to_all
+    allow(:org_admin).on(:organization).to_access(:org_id)
+    allow(:tournament_director).on(:organization).to_access(:org_id)
+
+    def initialize(query, user)
+      @query = query
+      @user = user
+    end
+
+    private def current_user_roles
+      user.role_assignments
+    end
+  end
+end

data/lib/rolypoly/role_gatekeeper.rb

@@ -84,10 +84,18 @@ module Rolypoly
 
     private def allowed_resource?(check_role, required_resource)
       return true unless require_resource?
-      return false unless check_role.respond_to?(:resource?)
 
-      required_resources = type_id_resource?(required_resource) ? [required_resource] : Array(required_resource)
-      required_resources.any? {|r| check_role.resource?(r) }
+      case required_resource
+      when ->(r) { r.is_a?(Hash) && r.keys == [:resource_type] }
+        check_role.respond_to?(:resource_type) &&
+          check_role.resource_type == required_resource[:resource_type]
+      when Hash, ->(r) { type_id_resource?(r) }
+        check_role.respond_to?(:resource?) &&
+          check_role.resource?(required_resource)
+      else
+        check_role.respond_to?(:resource?) &&
+          Array(required_resource).any? {|r| check_role.resource?(r) }
+      end
     end
 
     private def type_id_resource?(required_resource)

data/lib/rolypoly/role_scope.rb

@@ -0,0 +1,92 @@
+require 'set'
+
+module Rolypoly
+  class RoleScope
+    attr_reader :roles, :actions
+    def initialize(roles, actions, resource = nil)
+      self.roles = Set.new Array(roles).map(&:to_s)
+      self.actions = Set.new Array(actions).map(&:to_s)
+      self.resource = resource
+      self.all_actions = false
+    end
+
+    def initialize_copy(other)
+      @roles = @roles.dup
+      @actions = @actions.dup
+    end
+
+    # on(resource).allow(*roles).to_access(*actions)
+    def allow(*roles)
+      self.roles = self.roles.merge(roles.flatten.compact.map(&:to_s))
+      self
+    end
+
+    # allow(*roles).on(resource).to_access(*actions)
+    def on(resource)
+      self.resource = resource
+      self
+    end
+
+    # allow(*roles).to_access *actions
+    def to_access(*actions)
+      self.actions = self.actions.merge actions.flatten.compact.map(&:to_s)
+    end
+
+    # allow role access to all actions
+    # allow(*roles).to_all
+    def to_all
+      self.all_actions = true
+    end
+
+    def allow?(current_roles, action)
+      action?(action) && role?(current_roles)
+    end
+
+    def allowed_roles(current_roles, action)
+      return [] unless action?(action)
+      match_roles(current_roles)
+    end
+
+    def role?(check_roles)
+      Array(check_roles).any? { |check_role| allowed_role?(check_role) }
+    end
+
+    def action?(check_actions)
+      check_actions = Set.new Array(check_actions).map(&:to_s)
+      all_actions? || !(check_actions & actions).empty?
+    end
+
+    def all_actions?
+      !!all_actions
+    end
+
+    private def allowed_resource?(check_role, required_resource)
+      return false unless check_role.respond_to?(:resource?)
+
+      required_resources = type_id_resource?(required_resource) ? [required_resource] : Array(required_resource)
+      required_resources.any? { |r| check_role.resource?(r) }
+    end
+
+    private def type_id_resource?(required_resource)
+      required_resource.is_a?(Array) && %w(String Symbol).include?(required_resource.first.class.name)
+    end
+
+    protected
+    attr_writer :roles
+    attr_writer :actions
+    attr_accessor :all_actions
+    attr_accessor :resource
+
+    private def match_roles(check_roles)
+      Array(check_roles).select do |check_role|
+        allowed_role?(check_role)
+      end
+    end
+
+    private def allowed_role?(role_object)
+      role_string = role_object.respond_to?(:to_role_string) ? role_object.to_role_string : role_object.to_s
+
+      roles.include?(role_string.to_s)
+    end
+  end
+end

data/lib/rolypoly/role_scopes.rb

@@ -0,0 +1,51 @@
+require 'forwardable'
+require 'rolypoly/role_scope'
+
+module Rolypoly
+  class RoleScopes
+    extend Forwardable
+    include Enumerable
+
+    def_delegators :build_role_scope, :allow, :on
+    def_delegators :@role_scopes, :clear, :each, :empty?
+
+    def initialize(role_scopes = [])
+      @role_scopes = Array(role_scopes)
+    end
+
+    def initialize_copy(other)
+      @role_scopes = @role_scopes.map(&:dup)
+    end
+
+    def allowed_roles(user_role_objects, action)
+      return [] if empty?
+
+      reduce([]) do |allowed_role_objects, role_scope|
+        allowed_role_objects | role_scope.allowed_roles(user_role_objects, action)
+      end
+    end
+
+    def scope_hash(user_role_objects)
+      actions.each_with_object({}) do |action, memo|
+        roles = allowed_roles(user_role_objects, action)
+        ids = roles.map(&:resource_id).compact.uniq
+        memo[action] = ids if ids.any?
+        memo
+      end
+    end
+
+    def all_access?(current_user_roles)
+      any? { |role_scope| role_scope.allow?(current_user_roles, nil) }
+    end
+
+    def actions
+      map(&:actions).each_with_object(Set.new) { |action_set, memo| memo.merge(action_set) }
+    end
+
+    private def build_role_scope(roles = nil, actions = nil, resource = nil)
+      new_role_scope = Rolypoly::RoleScope.new(roles, actions, resource)
+      @role_scopes << new_role_scope
+      new_role_scope
+    end
+  end
+end

data/lib/rolypoly/version.rb

@@ -1,3 +1,3 @@
 module Rolypoly
-  VERSION = "1.0.4"
+  VERSION = "1.3.0"
 end

data/spec/lib/rolypoly/role_gatekeeper_spec.rb

@@ -189,5 +189,47 @@ module Rolypoly
       end
 
     end
+
+    context 'allowed_roles' do
+      let(:roles) do
+        [double('admin', to_role_string: 'admin', resource?: nil),
+         double('org 1 admin',  resource_id: '1', resource_type: 'Organization', to_role_string: 'org_admin', resource?: nil),
+         double('org 2 admin',  resource_id: '2', resource_type: 'Organization', to_role_string: 'org_admin', resource?: nil),
+         double('tenant admin', resource_id: '3', resource_type: 'Tenant',       to_role_string: 'org_admin', resource?: nil)]
+      end
+
+      context 'with unscoped gatekeeper' do
+        subject { described_class.new(['admin'], ['index']) }
+
+        it 'returns the unscoped role' do
+          expect(subject.allowed_roles(roles, 'index')).to eq([roles[0]])
+        end
+      end
+
+      context 'with resource-scoped gatekeeper' do
+        subject { described_class.new(['org_admin'], ['index'], :organization) }
+
+        it 'returns no roles' do
+          expect(subject.allowed_roles(roles, 'index')).to be_empty
+        end
+
+        it 'returns the matching role' do
+          query = ['Organization', '1']
+          expect(roles[1]).to receive(:resource?).with(query).and_return(true)
+          expect(subject.allowed_roles(roles, 'index', organization: query)).to eq([roles[1]])
+        end
+
+        it 'returns all roles with the same resource_type' do
+          query = { resource_type: 'Organization' }
+          expect(subject.allowed_roles(roles, 'index', organization: query)).to eq([roles[1], roles[2]])
+        end
+
+        it 'returns only the role matching the resource? call' do
+          query = { resource_id: '1', resource_type: 'Organization' }
+          expect(roles[1]).to receive(:resource?).with(query).and_return(true)
+          expect(subject.allowed_roles(roles, 'index', organization: query)).to eq([roles[1]])
+        end
+      end
+    end
   end
 end

metadata

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: rolypoly
 version: !ruby/object:Gem::Version
-  version: 1.0.4
+  version: 1.3.0
 platform: ruby
 authors:
 - Jon Phenow
 - Jake Waletzko
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-10-19 00:00:00.000000000 Z
+date: 2020-10-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -58,9 +58,13 @@ files:
 - Rakefile
 - lib/rolypoly.rb
 - lib/rolypoly/controller_role_dsl.rb
+- lib/rolypoly/index_role_dsl.rb
+- lib/rolypoly/resource_index_query_builder.rb
 - lib/rolypoly/role_dsl.rb
 - lib/rolypoly/role_gatekeeper.rb
 - lib/rolypoly/role_gatekeepers.rb
+- lib/rolypoly/role_scope.rb
+- lib/rolypoly/role_scopes.rb
 - lib/rolypoly/version.rb
 - rolypoly.gemspec
 - spec/lib/rolypoly/controller_role_dsl_spec.rb
@@ -72,7 +76,7 @@ homepage: https://github.com/sportngin/rolypoly
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -87,9 +91,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.4.8
-signing_key: 
+rubygems_version: 3.0.3
+signing_key:
 specification_version: 4
 summary: Tools for handling per-action and per-app Role authorization
 test_files: