rspec-authorization 0.0.2 → 0.0.6

data/lib/rspec/authorization/matchers/have_permission_for.rb

@@ -21,7 +21,7 @@ module RSpec::Authorization
       #     it { is_expected.to have_permission_for(:user).to(:index) }
       #   end
       #
-      # Currently this matcher only support RESTful action check, to check the
+      # Currently this matcher only support restful action check, to check the
       # controller against +config/authorization_rules.rb+. Skipping the +#to+
       # method will result in default action assigned as +:index+.
       #
@@ -29,36 +29,20 @@ module RSpec::Authorization
       #
       #   it { is_expected.to have_permission_for(:user) }
       #
-      # === RESTful methods
+      # === RESTful helper methods
       #
-      # For your convenience, there are 4 RESTful methods available to be chained
-      # from the matcher, which are:
-      #
-      # - +to_read+
-      # - +to_create+
-      # - +to_update+
-      # - +to_delete+
-      #
-      # Consider the following example:
+      # For your convenience, there are restful helper methods available to be
+      # chained from the matcher, consider the following example:
       #
       #   it { is_expected.to have_permission_for(:user).to_read }
-      #   it { is_expected.to have_permission_for(:user).to_edit }
+      #   it { is_expected.to have_permission_for(:user).to_create }
       #   it { is_expected.not_to have_permission_for(:user).to_update }
       #   it { is_expected.not_to have_permission_for(:user).to_delete }
+      #   it { is_expected.not_to have_permission_for(:user).to_manage }
       #
-      # The above method is not related to declarative_authorization privileges,
-      # and serve simply as convinience method, below is a table of RESTful actions
-      # for each method mentioned above:
-      #
-      #   Method         RESTful action
-      #   ------------------------------------
-      #   to_read       [:index, :show]
-      #   to_edit       [:edit, :update]
-      #   to_create     [:new, :create]
-      #   to_delete     [:destroy]
-      #
-      # Matcher for RESTful methods is slightly different than that of a single
-      # method, following is how RESTful methods request results evaluated:
+      # Matcher for restful helper methods is slightly different than that of
+      # a single method, following is an example of how restful helper methods
+      # request results evaluated:
       #
       #   all_requests (of #to_read)       matches?     does_not_match?
       #   -------------------------------------------------------------------
@@ -66,7 +50,48 @@ module RSpec::Authorization
       #   {index: true, show: false}       false        false
       #   {index: false, show: false}      false        true
       #
+      # === Focused RESTful helper methods
+      #
+      # There are cases where you need to focused your matching only for a given
+      # criteria, let's say only match for read actions, or match except delete
+      # action, consider the following example:
+      #
+      #   it { is_expected.to have_permission_for(:user).only_to_read }
+      #   it { is_expected.to have_permission_for(:writer).except_to_delete }
+      #
+      # The above statements have their negated counterparts, consider the
+      # following example:
+      #
+      #   it { is_expected.not_to have_permission_for(:user).only_to_read }
+      #   it { is_expected.not_to have_permission_for(:writer).only_to_delete }
+      #
+      # If you see the above negated matcher, they actually have a relationship
+      # to the other's negated counterpart instead of theirs, consider the following
+      # example:
+      #
+      #   it { is_expected.to have_permission_for(:user).only_to_read }
+      #   it { is_expected.not_to have_permission_for(:user).except_to_read }
+      #
+      # The above examples are doing exactly the same thing, so does the following
+      # example, these examples below also doing exactly the same thing and can
+      # be used in either case:
+      #
+      #   it { is_expected.to have_permission_for(:writer).except_to_delete }
+      #   it { is_expected.not_to have_permission_for(:writer).only_to_read }
+      #
+      # That means, the following example, is actually negating each other and
+      # can be used to negate your statements instead of using the negated version
+      # of the matcher:
+      #
+      #   it { is_expected.to have_permission_for(:user).only_to_read }
+      #   it { is_expected.to have_permission_for(:user).except_to_read }
+      #
+      # Even if you can have a negated matcher using a focused restful helper
+      # methods, it is better to stick with the possitive matcher, negated matcher
+      # can easily confuse you, and it only serves the purpose of completeness.
+      #
       # @param role [Symbol] role name to matched against
+      # @see RestfulHelperMethod
       def have_permission_for(role)
         HavePermissionFor.new(role)
       end
@@ -74,85 +99,83 @@ module RSpec::Authorization
       class HavePermissionFor # :nodoc: all
         include Adapters
 
-        attr_reader :controller, :role, :behave, :actions, :results
+        attr_reader :role, :prefix, :action
+        attr_reader :resource, :restful_helper_method, :privilege
+        attr_reader :actions, :negated_actions
 
         def initialize(role)
           @role = role
+
+          @actions = [:index]
+          @negated_actions = []
         end
 
         def to(action)
-          @behave  = action
-          @actions = [behave]
+          @prefix  = :to
+          @action  = action
+          @actions = [action]
 
           self
         end
 
-        def to_read
-          @behave  = :read
-          @actions = %i(index show)
-
-          self
-        end
+        def method_missing(method_name, *args, &block)
+          @restful_helper_method = RestfulHelperMethod.new(method_name)
 
-        def to_create
-          @behave  = :create
-          @actions = %i(new create)
+          @actions = restful_helper_method.actions
+          @negated_actions = restful_helper_method.negated_actions
 
           self
         end
 
-        def to_update
-          @behave  = :update
-          @actions = %i(edit update)
+        def matches?(controller)
+          build_resource(controller)
 
-          self
+          resource.run_all
+          resource.permitted?
         end
 
-        def to_delete
-          @behave  = :delete
-          @actions = %i(destroy)
+        def does_not_match?(controller)
+          build_resource(controller)
 
-          self
+          resource.run_all
+          resource.forbidden?
         end
 
-        def to_manage
-          @behave  = :manage
-          @actions = %i(index show new create edit update destroy)
-
-          self
+        def failure_message
+          "Expected #{common_failure_message}"
         end
 
-        def all_requests
-          actions.map do |action|
-            request = Request.new(controller.class, action, role)
-            [action, request.response.status != 403]
-          end
+        def failure_message_when_negated
+          "Did not expect #{common_failure_message}"
         end
 
-        def matches?(controller)
-          @controller = controller
-          @results    = Hash[all_requests]
-
-          true unless results.value? false
+        def description
+          "have permission for #{role} #{humanized_behavior}"
         end
 
-        def does_not_match?(controller)
-          @controller = controller
-          @results    = Hash[all_requests]
+        private
 
-          true unless results.value? true
+        def build_resource(controller)
+          @privilege = Privilege.new(
+            actions: actions,
+            negated_actions: negated_actions,
+            controller_class: controller.class,
+            role: role
+          )
+
+          @resource = Resource.new(privilege)
         end
 
-        def failure_message
-          "Expected #{controller.class} to have permission for #{role} to #{behave}. #{results}"
+        def humanized_behavior
+          restful_helper_method.try(:humanize) || "#{@prefix} #{action}"
         end
 
-        def failure_message_when_negated
-          "Did not expect #{controller.class} to have permission for #{role} to #{behave}. #{results}"
+        def common_failure_message
+          "#{resource.controller_class} to #{description}. #{debug_results}"
         end
 
-        def description
-          "have permission for #{role} to #{behave}"
+        def debug_results
+          "results: #{resource.results}, negated_results: #{resource.negated_results}"
         end
       end
     end

data/lib/rspec/authorization/version.rb

@@ -1,5 +1,5 @@
 module RSpec
   module Authorization
-    VERSION = "0.0.2"
+    VERSION = "0.0.6"
   end
 end

data/rspec-authorization.gemspec

@@ -18,8 +18,9 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_runtime_dependency "declarative_authorization"
-  spec.add_runtime_dependency "rspec-rails", "~> 3.0"
+  spec.add_runtime_dependency "rspec-rails", "~> 3.0", "< 3.2"
 
+  spec.add_development_dependency "appraisal"
   spec.add_development_dependency "bundler", "~> 1.7"
   spec.add_development_dependency "rails", "~> 4.0"
   spec.add_development_dependency "rake", "~> 10.0"

data/spec/controllers/articles_controller_spec.rb

@@ -7,15 +7,7 @@ describe ArticlesController do
   it { is_expected.not_to have_permission_for(:user).to_update }
   it { is_expected.not_to have_permission_for(:user).to_delete }
 
-  it { is_expected.to have_permission_for(:premium).to_read }
-  it { is_expected.not_to have_permission_for(:premium).to_create }
-  it { is_expected.not_to have_permission_for(:premium).to_update }
-  it { is_expected.not_to have_permission_for(:premium).to_delete }
-
-  it { is_expected.to have_permission_for(:writer).to_read }
-  it { is_expected.to have_permission_for(:writer).to_create }
-  it { is_expected.not_to have_permission_for(:writer).to_update }
-  it { is_expected.not_to have_permission_for(:writer).to_delete }
-
-  it { is_expected.to have_permission_for(:editor).to_manage }
+  it { is_expected.to have_permission_for(:premium).only_to_read }
+  it { is_expected.to have_permission_for(:writer ).except_to_delete }
+  it { is_expected.to have_permission_for(:editor ).to_manage }
 end

data/spec/lib/rspec/authorization/adapters/resource_spec.rb

@@ -0,0 +1,102 @@
+require 'rails_helper'
+
+include RSpec::Authorization::Adapters
+
+describe Resource do
+  let(:privilege) { :privilege }
+  let(:resource)  { Resource.new(privilege) }
+
+  subject { resource }
+
+  its(:privilege) { is_expected.to eq privilege }
+
+  specify { is_expected.to delegate_method(:actions).to(:privilege) }
+  specify { is_expected.to delegate_method(:negated_actions).to(:privilege) }
+  specify { is_expected.to delegate_method(:controller_class).to(:privilege) }
+  specify { is_expected.to delegate_method(:role).to(:privilege) }
+
+  describe "#run_all" do
+    before do
+      expect(resource).to receive(:requests)
+      expect(resource).to receive(:negated_requests)
+    end
+
+    specify { resource.run_all }
+  end
+
+  describe "#permitted?" do
+    context "no negated actions" do
+      before { allow(resource).to receive(:permitted_for?).and_return(value) }
+
+      context "permitted for actions" do
+        let(:value) { true }
+
+        specify { expect(resource.permitted?).to be_truthy }
+      end
+
+      context "not permitted for actions" do
+        let(:value) { false }
+
+        specify { expect(resource.permitted?).to be_falsy }
+      end
+    end
+
+    context "have negated actions" do
+      before do
+        allow(resource).to receive(:negated_results).and_return([:present])
+        allow(resource).to receive(:permitted_for?).and_return(permitted_value)
+        allow(resource).to receive(:forbidden_for?).and_return(true)
+      end
+
+      context "permitted for actions" do
+        let(:permitted_value) { true }
+
+        specify { expect(resource.permitted?).to be_truthy }
+      end
+
+      context "not permitted for actions" do
+        let(:permitted_value) { false }
+
+        specify { expect(resource.permitted?).to be_falsy }
+      end
+    end
+  end
+
+  describe "#forbidden?" do
+    context "no negated actions" do
+      before { allow(resource).to receive(:forbidden_for?).and_return(value) }
+
+      context "forbidden for actions" do
+        let(:value) { true }
+
+        specify { expect(resource.forbidden?).to be_truthy }
+      end
+
+      context "not forbidden for actions" do
+        let(:value) { false }
+
+        specify { expect(resource.forbidden?).to be_falsy }
+      end
+    end
+
+    context "have negated actions" do
+      before do
+        allow(resource).to receive(:negated_results).and_return([:present])
+        allow(resource).to receive(:forbidden_for?).and_return(value)
+        allow(resource).to receive(:permitted_for?).and_return(true)
+      end
+
+      context "forbidden for actions" do
+        let(:value) { true }
+
+        specify { expect(resource.forbidden?).to be_truthy }
+      end
+
+      context "not forbidden for actions" do
+        let(:value) { false }
+
+        specify { expect(resource.forbidden?).to be_falsy }
+      end
+    end
+  end
+end

data/spec/lib/rspec/authorization/adapters/restful_helper_method_spec.rb

@@ -0,0 +1,151 @@
+require 'rails_helper'
+
+include RSpec::Authorization::Adapters
+
+describe RestfulHelperMethod do
+  let(:restful_helper_method) { RestfulHelperMethod.new(name) }
+
+  subject { restful_helper_method }
+
+  describe "#humanize" do
+    let(:name) { :only_to_read }
+
+    specify { expect(restful_helper_method.humanize).to eq "only to read" }
+  end
+
+  describe "#to_a" do
+    let(:name)    { :to_read }
+    let(:actions) { %i(list of action from actions) }
+    let(:negated_actions) { %i(list of negated action from negated_actions) }
+
+    before do
+      allow(restful_helper_method).to receive(:actions).and_return(actions)
+      allow(restful_helper_method).to receive(:negated_actions).and_return(negated_actions)
+    end
+
+    context "implicitly infers to array" do
+      specify { expect([*restful_helper_method]).to eq [actions, negated_actions] }
+    end
+  end
+
+  context "method unavailable" do
+    specify { expect{ RestfulHelperMethod.new(:to_explode) }.to raise_error NoMethodError }
+  end
+
+  context "restful methods" do
+    let(:name)   { :to_read }
+    its(:prefix) { is_expected.to eq :to }
+    its(:negated_actions) { is_expected.to eq %i() }
+
+    context "to_read" do
+      let(:name) { :to_read }
+
+      its(:behavior) { is_expected.to eq :read }
+      its(:actions)  { is_expected.to eq %i(index show) }
+    end
+
+    context "to_create" do
+      let(:name) { :to_create }
+
+      its(:behavior) { is_expected.to eq :create }
+      its(:actions)  { is_expected.to eq %i(new create) }
+    end
+
+    context "to_update" do
+      let(:name) { :to_update }
+
+      its(:behavior) { is_expected.to eq :update }
+      its(:actions)  { is_expected.to eq %i(edit update) }
+    end
+
+    context "to_delete" do
+      let(:name) { :to_delete }
+
+      its(:behavior) { is_expected.to eq :delete }
+      its(:actions)  { is_expected.to eq %i(destroy) }
+    end
+
+    context "to_manage" do
+      let(:name) { :to_manage }
+
+      its(:behavior) { is_expected.to eq :manage }
+      its(:actions)  { is_expected.to eq %i(index show new create edit update destroy) }
+    end
+  end
+
+  context "focused restful methods" do
+    context "only_to" do
+      let(:name)   { :only_to_read }
+      its(:prefix) { is_expected.to eq :only_to }
+
+      context "only_to_read" do
+        let(:name) { :only_to_read }
+
+        its(:behavior) { is_expected.to eq :read }
+        its(:actions)  { is_expected.to eq %i(index show) }
+        its(:negated_actions) { is_expected.to eq %i(new create edit update destroy) }
+      end
+
+      context "only_to_create" do
+        let(:name) { :only_to_create }
+
+        its(:behavior) { is_expected.to eq :create }
+        its(:actions)  { is_expected.to eq %i(new create) }
+        its(:negated_actions) { is_expected.to eq %i(index show edit update destroy) }
+      end
+
+      context "only_to_update" do
+        let(:name) { :only_to_update }
+
+        its(:behavior) { is_expected.to eq :update }
+        its(:actions)  { is_expected.to eq %i(edit update) }
+        its(:negated_actions) { is_expected.to eq %i(index show new create destroy) }
+      end
+
+      context "only_to_delete" do
+        let(:name) { :only_to_delete }
+
+        its(:behavior) { is_expected.to eq :delete }
+        its(:actions)  { is_expected.to eq %i(destroy) }
+        its(:negated_actions) { is_expected.to eq %i(index show new create edit update) }
+      end
+    end
+
+    context "except_to" do
+      let(:name)   { :except_to_read }
+      its(:prefix) { is_expected.to eq :except_to }
+
+      context "except_to_read" do
+        let(:name) { :except_to_read }
+
+        its(:behavior) { is_expected.to eq :read }
+        its(:actions)  { is_expected.to eq %i(new create edit update destroy) }
+        its(:negated_actions) { is_expected.to eq %i(index show) }
+      end
+
+      context "except_to_create" do
+        let(:name) { :except_to_create }
+
+        its(:behavior) { is_expected.to eq :create }
+        its(:actions)  { is_expected.to eq %i(index show edit update destroy) }
+        its(:negated_actions) { is_expected.to eq %i(new create) }
+      end
+
+      context "except_to_update" do
+        let(:name) { :except_to_update }
+
+        its(:behavior) { is_expected.to eq :update }
+        its(:actions)  { is_expected.to eq %i(index show new create destroy) }
+        its(:negated_actions) { is_expected.to eq %i(edit update) }
+      end
+
+      context "except_to_delete" do
+        let(:name) { :except_to_delete }
+
+        its(:behavior) { is_expected.to eq :delete }
+        its(:actions)  { is_expected.to eq %i(index show new create edit update) }
+        its(:negated_actions) { is_expected.to eq %i(destroy) }
+      end
+    end
+  end
+end