sequel-privacy 0.3 → 0.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fd27576a058e95f92fd4c50fc1f5da0e058d0b7f93c3f114b88757a08651dd29
-  data.tar.gz: f429f5fc246fcd7cb043170a8166b7bc06fa04125aa4c89d6fe196b4c5bead31
+  metadata.gz: 8307cc7016667794361e143ba1a17735d2c189079af884a9928df3f67450fed1
+  data.tar.gz: f6ae84ecd2b0627deeb998d69cc7f38ec73313b5851b4e84b4367335ab6e7b06
 SHA512:
-  metadata.gz: c58b5116d0b2a0ac0acf829612cdf46ee3ec1ef08879d189bbf94170248ac8cbf6a540601de6794bf6f03086e5af4e2f555291ac5d2de22a5405f1fb61ab066a
-  data.tar.gz: bf580a74fcb95fc328f7d0564877804ef642783442254af86d436ae853b89d88f71cd5abb6cff95ba56ed38992261557049350081bad9d35d63a80ce7ebbde96
+  metadata.gz: ff39c00cfd1df723a53bca2a75a3ab6fd3657e1475f9f53c48f369de686c3c81facea4af80325b6acfa23e409e6e5fe71b5794ed9c31fad7300f19727f25e7e7
+  data.tar.gz: fa3124720cb8a285a1033fc3923d3df5f61d04685585394d94614d9bc7331ada3f8863335e91c0198229bfc7238e827b004de2cbed2c88a06fd762328753f8b2

data/README.md

@@ -31,23 +31,26 @@ module P
   AlwaysAllow = Sequel::Privacy::BuiltInPolicies::AlwaysAllow
   PassAndLog = Sequel::Privacy::BuiltInPolicies::PassAndLog
 
-  policy :AllowIfPublished, ->(subject) {
+  # State-gate policies examine only the subject. Declare
+  # `allow_anonymous: true` so logged-out viewers can still pass.
+  policy :AllowIfPublished, ->(_actor, subject) {
     allow if subject.published
-  }
+  }, allow_anonymous: true, cache_by: :subject
 
-  policy :AllowAdmins, ->(_subject, actor) {
+  # Actor-only role checks — cheap because they cache per-actor.
+  policy :AllowAdmins, ->(actor) {
     allow if actor.is_role?(:admin)
   }, 'Allow admin users', cacheable: true
-  
-  policy :AllowMembers, ->(_subject, actor) {
+
+  policy :AllowMembers, ->(actor) {
     allow if actor.is_role?(:member)
   }, cacheable: true
 
-  policy :AllowSelf, ->(subject, actor) {
+  policy :AllowSelf, ->(actor, subject) {
     allow if subject == actor
-  }, 'Allow if subject is the actor', single_match: true  
-  
-  policy :AllowFriendsOfSubject, ->(subject, actor) {
+  }, 'Allow if subject is the actor', single_match: true
+
+  policy :AllowFriendsOfSubject, ->(actor, subject) {
     allow if subject.includes_friend?(actor)
   }
 end
@@ -107,28 +110,34 @@ member.phone  # => nil if :view_phone denies
 
 ## Policy Definition
 
-Policies are lambdas that execute in the context of an `Actions` struct, giving access to `allow`, `deny`, and `pass` outcome methods, as well as the `all` combinator. `allow` and `deny` will end evaluation of the chain of policies, whereas `pass` will continue to the next policy in the chain. 
+Policies are lambdas that execute in the context of an `Actions` struct, giving access to `allow`, `deny`, and `pass` outcome methods, as well as the `all` combinator. `allow` and `deny` will end evaluation of the chain of policies, whereas `pass` will continue to the next policy in the chain.
+
+Policies are **actor-first**. Arities map to:
+- 0 args — global decision (`-> { allow if Time.now.sunday? }`)
+- 1 arg  — `(actor)`: role / identity checks
+- 2 args — `(actor, subject)`: ownership, membership
+- 3 args — `(actor, subject, direct_object)`: "can actor do X to subject with direct_object?"
 
-Policies accept up to three parameters: `actor`, `subject` & `actor` or `subject`, `actor` and `direct_object`. 
+Policies of arity ≥ 1 auto-deny for anonymous viewers (nil actor). Use `allow_anonymous: true` to opt out — meant for state-gate policies that examine only the subject.
 
 
 ```ruby
 
 policy :AlwaysAllow, -> { allow }
 
-policy :AllowIfPublished, ->(subject) {
+policy :AllowIfPublished, ->(_actor, subject) {
   allow if subject.published
-}
+}, allow_anonymous: true, cache_by: :subject
 
-policy :AllowAdmins, ->(_subject, actor) {
+policy :AllowAdmins, ->(actor) {
   allow if actor.is_role?(:admin)
 }
 
-policy :AllowOwner, ->(_subject, actor) {
+policy :AllowOwner, ->(actor, subject) {
   allow if subject.owner_id == actor.id
 }
 
-policy :AllowIfDirectObjectIsActor, ->(_subject, actor, direct_object) {
+policy :AllowIfDirectObjectIsActor, ->(actor, _subject, direct_object) {
   allow if actor.id == direct_object.id
 }
 
@@ -141,14 +150,14 @@ different modules.
 module P
   module Groups
     extend Sequel::Privacy::PolicyDSL
-    
-    policy :AllowIfOpen, -> (subject, _actor) {
+
+    policy :AllowIfOpen, ->(_actor, subject) {
       allow if subject.open?
-    }
-    
-    policy :AllowIfMember, -> (subject, actor) {
+    }, allow_anonymous: true, cache_by: :subject
+
+    policy :AllowIfMember, ->(actor, subject) {
       allow if subject.includes_member? actor
-    }      
+    }
   end
 end
 ```
@@ -159,25 +168,31 @@ end
 policy :MyPolicy, ->() { ... },
   'Human-readable description',  # For logging
   cacheable: true,               # Cache results (default: true)
-  single_match: false            # Only one subject can match
+  single_match: false,           # Only one subject can match
+  cache_by: :actor,              # Override cache-key dimensions
+  allow_anonymous: false         # Allow nil actor (opts out of auto-deny)
 ```
 
 **`cacheable: true`** (default): Results are cached for the duration of the request, keyed by policy + arguments. Use for policies that don't depend on mutable state.
 
-**`single_match: true`**: Optimization for policies for which there is only one matching Actor possible for a given Subject. For example in `AllowAuthors`, since a `Post` can have only one other, it's not worth a potentially expensive check on other combinations once you've found the winner. 
+**`single_match: true`**: Optimization for policies for which there is only one matching Actor possible for a given Subject. For example in `AllowAuthors`, since a `Post` can have only one other, it's not worth a potentially expensive check on other combinations once you've found the winner.
+
+**`cache_by:`** (Symbol or Array of `:actor`, `:subject`, `:direct_object`): Override the cache-key dimensions. By default the key uses every input the policy receives. Pass a subset when the policy ignores some of its inputs — e.g. `AllowAdmins` takes `(actor, subject)` but only examines actor, so `cache_by: :actor` shares one entry across subjects.
+
+**`allow_anonymous: true`**: Skip the auto-deny for nil actor. Use for state-gate policies that examine only the subject (e.g. "post is published").
 
 ### Policy Combinators
 
 Use `all()` to require multiple conditions:
 
 ```ruby
-policy :AllowAddSelfToOpenGroup, ->(subject, actor, direct_object) {
+policy :AllowAddSelfToOpenGroup, ->(actor, subject, direct_object) {
   all(
-    P::AllowIfGroupIsOpen    
+    P::AllowIfGroupIsOpen,
     P::AllowIfDirectObjectIsActor
   )
 }
-policy :AllowRemoveSelf, ->(subject, actor, direct_object) {
+policy :AllowRemoveSelf, ->(actor, subject, direct_object) {
   all(
     P::AllowIfIncludesMember,
     P::AllowIfDirectObjectIsActor
@@ -308,25 +323,25 @@ The `association` block supports three actions:
 - `:remove` - Wraps `remove_*` method (e.g., `remove_member`)
 - `:remove_all` - Wraps `remove_all_*` method (e.g., `remove_all_members`)
 
-Association policies receive `(subject, actor, direct_object)`:
-- `subject` - The model instance (e.g., the group)
+Association policies receive `(actor, subject, direct_object)`:
 - `actor` - The current user from the viewer context
+- `subject` - The model instance (e.g., the group)
 - `direct_object` - The object being added/removed (e.g., the user being added to the group)
 
 For `remove_all`, the direct object is `nil` since there's no specific target.
 
 ```ruby
 # Allow users to add/remove themselves
-policy :AllowSelfJoin, ->(_subject, actor, direct_object) {
+policy :AllowSelfJoin, ->(actor, _subject, direct_object) {
   allow if actor.id == direct_object.id
 }, single_match: true
 
-policy :AllowSelfRemove, ->(_subject, actor, direct_object) {
+policy :AllowSelfRemove, ->(actor, _subject, direct_object) {
   allow if actor.id == direct_object.id
 }, single_match: true
 
 # Allow group admins to add/remove anyone
-policy :AllowGroupAdmin, ->(subject, actor, direct_object) {
+policy :AllowGroupAdmin, ->(actor, subject, _direct_object) {
   allow if subject.includes_admin?(actor)
 }
 ```

data/lib/sequel/plugins/privacy.rb

@@ -191,12 +191,16 @@ module Sequel
           :"#{self}_privacy_vc"
         end
 
-        # Override Sequel's call method - this is the lowest-level instantiation point
-        # for ALL database-loaded records. Every path goes through here:
-        # - Model[id], Model.first, Model.all, associations, etc.
+        # Override Sequel's call method to act as a strict-mode gate.
+        # Every database-loaded record flows through here (Model[id],
+        # Model.first, Model.all, associations, ...). This checks that a
+        # VC is in scope (or that the class opted out via
+        # allow_unsafe_access!) and defers VC attachment and :view
+        # filtering to DatasetMethods#row_proc — those are per-row
+        # concerns and have context-dependent bypasses (policy
+        # evaluation, eager-load attachment) that don't belong here.
         sig { params(values: T.untyped).returns(T.nilable(Sequel::Model)) }
         def call(values)
-          # Check if we're in a VC context (thread-local set by for_vc)
           vc = Thread.current[privacy_vc_key]
 
           unless vc || allow_unsafe_access?
@@ -204,25 +208,7 @@ module Sequel
                          "#{self} requires a ViewerContext. Use #{self}.for_vc(vc) or call #{self}.allow_unsafe_access!"
           end
 
-          # Create the instance via parent chain
-          instance = super
-
-          # Attach VC if present
-          if vc && instance
-            instance.instance_variable_set(:@viewer_context, vc)
-
-            # During nested policy evaluation, return raw rows so the outer
-            # policy can traverse data (e.g. checking membership) without
-            # recursive :view filtering.
-            return instance if Sequel::Privacy::Enforcer.in_policy_eval?
-
-            unless T.cast(instance, InstanceMethods).allow?(vc, :view)
-              Sequel::Privacy.logger&.debug { "Privacy denied :view on #{self}[#{instance.pk}]" }
-              return nil
-            end
-          end
-
-          instance
+          super
         end
 
         # ─────────────────────────────────────────────────────────────────────
@@ -410,6 +396,8 @@ module Sequel
         # Override Sequel's associate method to wrap associations with privacy checks
         sig { params(type: Symbol, name: Symbol, opts: T.untyped, block: T.untyped).returns(T.untyped) }
         def associate(type, name, opts = {}, &block)
+          opts = _inject_privacy_eager_block(opts)
+
           # Call original to create the association
           result = super
 
@@ -426,6 +414,26 @@ module Sequel
           result
         end
 
+        # Wrap the association's eager-load dataset with for_vc() so the
+        # child rows are materialized with the current viewer context.
+        # The VC is propagated via a thread-local set by DatasetMethods#all
+        # so that it's only applied during eager loading, not during the
+        # lazy association reader path (which has its own handling).
+        sig { params(opts: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
+        def _inject_privacy_eager_block(opts)
+          original = opts[:eager_block]
+          wrapped = proc do |ds|
+            ds = original.call(ds) if original
+            vc = Thread.current[DatasetMethods::EAGER_VC_KEY]
+            if vc && T.unsafe(ds).model.respond_to?(:privacy_vc_key)
+              T.unsafe(ds).for_vc(vc)
+            else
+              ds
+            end
+          end
+          opts.merge(eager_block: wrapped)
+        end
+
         private
 
         sig { params(name: Symbol).void }
@@ -732,14 +740,27 @@ module Sequel
         has_attached_class!(:out)
         requires_ancestor { Sequel::Dataset }
 
+        # Thread-local key for propagating the current VC to eager-load
+        # datasets via the :eager_block injected in ClassMethods#associate.
+        EAGER_VC_KEY = :sequel_privacy_eager_vc
+
         # Attach viewer context to dataset for privacy enforcement on materialization
         sig { params(vc: Sequel::Privacy::ViewerContext).returns(Sequel::Dataset) }
         def for_vc(vc)
           clone(viewer_context: vc)
         end
 
-        # Override row_proc to wrap Model.call with thread-local VC.
-        # This is the single integration point that covers all iteration methods.
+        # Override row_proc to wrap Model.call with the full per-row
+        # privacy pipeline: set the thread-local VC so Model.call's
+        # strict-mode gate passes, attach the VC to the instance, and
+        # apply the :view filter — with two bypasses for materialization
+        # contexts where filtering would be wrong or break callers:
+        #   - in_policy_eval?: policies that traverse protected data
+        #     need raw rows so their checks (e.g. membership) aren't
+        #     short-circuited by recursive :view filtering.
+        #   - EAGER_VC_KEY: Sequel's eager-load attachment block
+        #     dereferences each record to bucket by FK and would crash
+        #     on nils; the association reader filters at read time.
         sig { returns(T.untyped) }
         def row_proc
           vc = opts[:viewer_context]
@@ -751,10 +772,23 @@ module Sequel
             old_vc = Thread.current[vc_key]
             Thread.current[vc_key] = vc
             begin
-              model_class.(values)
+              instance = model_class.(values)
             ensure
               Thread.current[vc_key] = old_vc
             end
+
+            next nil if instance.nil?
+
+            instance.instance_variable_set(:@viewer_context, vc)
+            next instance if Sequel::Privacy::Enforcer.in_policy_eval?
+            next instance if Thread.current[EAGER_VC_KEY]
+
+            if T.cast(instance, InstanceMethods).allow?(vc, :view)
+              instance
+            else
+              Sequel::Privacy.logger&.debug { "Privacy denied :view on #{model_class}[#{instance.pk}]" }
+              nil
+            end
           end
         end
 
@@ -765,6 +799,34 @@ module Sequel
           opts[:viewer_context] ? results.compact : results
         end
 
+        # Sequel calls post_load after rows are fetched but before any
+        # user block. Model's override of post_load triggers eager_load
+        # here. Set the thread-local VC around that call so each
+        # association's injected :eager_block can wrap its child dataset
+        # with for_vc. Children are then materialized with VC attached
+        # but without :view filtering (see Model.call), so Sequel's
+        # attachment block doesn't choke on nils; the accessor wrapper
+        # filters at read time.
+        #
+        # Parents filtered to nil by the :view policy must be dropped
+        # before eager_load runs — its attachment code dereferences each
+        # record, which nil would break.
+        sig { params(all_records: T.untyped).returns(T.untyped) }
+        def post_load(all_records)
+          vc = opts[:viewer_context]
+          return super unless vc && opts[:eager]
+
+          all_records.compact!
+
+          old = Thread.current[EAGER_VC_KEY]
+          Thread.current[EAGER_VC_KEY] = vc
+          begin
+            super
+          ensure
+            Thread.current[EAGER_VC_KEY] = old
+          end
+        end
+
         # Create a new model instance with the viewer context attached
         sig { params(values: T::Hash[Symbol, T.untyped]).returns(T.attached_class) }
         def new(values = {})

data/lib/sequel/privacy/built_in_policies.rb

@@ -25,7 +25,7 @@ module Sequel
       # Pass and log - useful for debugging policy chains.
       PassAndLog = Policy.create(
         :PassAndLog,
-        ->(subject, actor) {
+        ->(actor, subject) {
           Sequel::Privacy::Enforcer.logger&.info("PassAndLog: #{subject.class} for actor #{actor.id}")
           :pass
         },

data/lib/sequel/privacy/enforcer.rb

@@ -97,15 +97,27 @@ module Sequel
         ).returns(Integer)
       end
       def self.compute_cache_key(policy, subject, actor, viewer_context, direct_object)
+        if (keys = policy.cache_by)
+          parts = T.let([policy, viewer_context], T::Array[T.untyped])
+          keys.each do |k|
+            parts << case k
+                     when :actor then actor
+                     when :subject then subject
+                     when :direct_object then direct_object
+                     end
+          end
+          return parts.hash
+        end
+
         case policy.arity
         when 0
           [policy, viewer_context].hash
         when 1
-          [policy, subject, viewer_context].hash
+          [policy, actor, viewer_context].hash
         when 2
-          [policy, subject, actor, viewer_context].hash
+          [policy, actor, subject, viewer_context].hash
         else
-          [policy, subject, actor, direct_object, viewer_context].hash
+          [policy, actor, subject, direct_object, viewer_context].hash
         end
       end
 
@@ -211,8 +223,11 @@ module Sequel
         ).returns(T.untyped)
       end
       def self.execute_policy(policy, subject, actor, direct_object)
-        # 2+ arity policies require actor - auto-deny for anonymous
-        if !actor && policy.arity >= 2
+        # Policies with arity >= 1 expect an actor as the first arg.
+        # Anonymous viewers (no actor) auto-deny unless the policy opts in
+        # with allow_anonymous: true (for state-gate policies that examine
+        # only the subject).
+        if !actor && policy.arity >= 1 && !policy.allow_anonymous?
           return :deny
         end
 
@@ -220,11 +235,11 @@ module Sequel
         when 0
           Actions.evaluate(&policy)
         when 1
-          Actions.evaluate(subject, &policy)
+          Actions.evaluate(actor, &policy)
         when 2
-          Actions.evaluate(subject, T.must(actor), &policy)
+          Actions.evaluate(actor, subject, &policy)
         else
-          Actions.evaluate(subject, T.must(actor), direct_object, &policy)
+          Actions.evaluate(actor, subject, direct_object, &policy)
         end
       end
 

data/lib/sequel/privacy/policy.rb

@@ -5,11 +5,15 @@ module Sequel
   module Privacy
     # A Policy wraps a Proc/lambda with metadata about how it should be evaluated.
     #
-    # Policies take 0-3 arguments depending on what context they need:
-    # - 0 args: -> { allow }  # Global decision
+    # Policies are actor-first. Arities map to:
+    # - 0 args: -> { allow if Time.now.sunday? }     # Global decision
     # - 1 arg:  ->(actor) { allow if actor.is_role?(:admin) }
-    # - 2 args: ->(subject, actor) { allow if subject.owner_id == actor.id }
-    # - 3 args: ->(subject, actor, direct_object) { ... }
+    # - 2 args: ->(actor, subject) { allow if subject.owner_id == actor.id }
+    # - 3 args: ->(actor, subject, direct_object) { ... }
+    #
+    # Any policy with arity >= 1 auto-denies for anonymous viewers (nil actor)
+    # unless declared with `allow_anonymous: true`. That flag is for state-gate
+    # policies that deliberately ignore actor — e.g. "post is published."
     #
     # Policies must return :allow, :deny, :pass, or an array of policies (for combinators).
     class Policy < Proc
@@ -21,6 +25,8 @@ module Sequel
       sig { returns(T.nilable(String)) }
       attr_reader :comment
 
+      VALID_CACHE_BY = T.let(%i[actor subject direct_object].freeze, T::Array[Symbol])
+
       # Factory method for creating policies. Accepts procs of any arity
       # (0–3 args) returning :allow, :deny, :pass, or an Array of policies.
       sig do
@@ -29,15 +35,20 @@ module Sequel
           lam: Proc,
           comment: T.nilable(String),
           cacheable: T::Boolean,
-          single_match: T::Boolean
+          single_match: T::Boolean,
+          cache_by: T.nilable(T.any(Symbol, T::Array[Symbol])),
+          allow_anonymous: T::Boolean
         ).returns(T.self_type)
       end
-      def self.create(policy_name, lam, comment = nil, cacheable: true, single_match: false)
+      def self.create(policy_name, lam, comment = nil, cacheable: true, single_match: false, cache_by: nil,
+                      allow_anonymous: false)
         new(&lam).setup(
           policy_name: policy_name,
           comment: comment,
           cacheable: cacheable,
-          single_match: single_match
+          single_match: single_match,
+          cache_by: cache_by,
+          allow_anonymous: allow_anonymous
         )
       end
 
@@ -47,7 +58,20 @@ module Sequel
       # @param comment [String, nil] Description of what this policy does
       # @param cacheable [Boolean] Whether results can be cached (default: true)
       # @param single_match [Boolean] Whether only one subject/actor pair can match (default: false)
-      def setup(policy_name: nil, comment: nil, cacheable: true, single_match: false)
+      # @param cache_by [Symbol, Array<Symbol>, nil] Override the cache-key
+      #   dimensions. By default the key is derived from the policy's arity
+      #   (all inputs the policy receives). Pass a subset of
+      #   `:actor, :subject, :direct_object` to cache by only those — useful
+      #   when the policy ignores inputs it nominally receives (e.g. an
+      #   "is-admin" check that takes `(actor, subject)` but only examines
+      #   actor should use `cache_by: :actor` to share a single entry across
+      #   subjects).
+      # @param allow_anonymous [Boolean] If true, skip the auto-deny that
+      #   normally fires when a policy of arity >= 1 is evaluated for an
+      #   anonymous viewer (nil actor). Use for state-gate policies that
+      #   ignore the actor and decide purely on subject state.
+      def setup(policy_name: nil, comment: nil, cacheable: true, single_match: false, cache_by: nil,
+                allow_anonymous: false)
         raise 'Privacy Policy is frozen' if @frozen
 
         @cacheable = cacheable
@@ -55,6 +79,8 @@ module Sequel
         @comment = comment
         @frozen = true
         @single_match = single_match
+        @cache_by = normalize_cache_by(cache_by)
+        @allow_anonymous = allow_anonymous
         self
       end
 
@@ -69,6 +95,32 @@ module Sequel
       def single_match?
         @single_match || false
       end
+
+      sig { returns(T.nilable(T::Array[Symbol])) }
+      def cache_by
+        @cache_by
+      end
+
+      sig { returns(T::Boolean) }
+      def allow_anonymous?
+        @allow_anonymous || false
+      end
+
+      private
+
+      sig { params(val: T.nilable(T.any(Symbol, T::Array[Symbol]))).returns(T.nilable(T::Array[Symbol])) }
+      def normalize_cache_by(val)
+        return nil if val.nil?
+
+        keys = Array(val).map(&:to_sym)
+        invalid = keys - VALID_CACHE_BY
+        unless invalid.empty?
+          raise ArgumentError,
+                "Invalid cache_by key(s): #{invalid.inspect}. Valid keys: #{VALID_CACHE_BY.inspect}"
+        end
+
+        keys
+      end
     end
   end
 end

data/lib/sequel/privacy/policy_dsl.rb

@@ -31,21 +31,30 @@ module Sequel
       # @param comment [String, nil] Human-readable description
       # @param cacheable [Boolean] Whether results can be cached (default: true)
       # @param single_match [Boolean] Whether only one subject/actor can match (default: false)
+      # @param cache_by [Symbol, Array<Symbol>, nil] Override cache-key
+      #   dimensions. See Sequel::Privacy::Policy#setup for details.
+      # @param allow_anonymous [Boolean] Skip auto-deny for nil actor.
+      #   See Sequel::Privacy::Policy#setup for details.
       sig do
         params(
           name: Symbol,
           lam: Proc,
           comment: T.nilable(String),
           cacheable: T::Boolean,
-          single_match: T::Boolean
+          single_match: T::Boolean,
+          cache_by: T.nilable(T.any(Symbol, T::Array[Symbol])),
+          allow_anonymous: T::Boolean
         ).void
       end
-      def policy(name, lam, comment = nil, cacheable: true, single_match: false)
+      def policy(name, lam, comment = nil, cacheable: true, single_match: false, cache_by: nil,
+                 allow_anonymous: false)
         p = Policy.new(&lam).setup(
           policy_name: name,
           comment: comment,
           cacheable: cacheable,
-          single_match: single_match
+          single_match: single_match,
+          cache_by: cache_by,
+          allow_anonymous: allow_anonymous
         )
         const_set(name, p)
       end

data/lib/sequel/privacy/version.rb

@@ -3,6 +3,6 @@
 
 module Sequel
   module Privacy
-    VERSION = '0.3'
+    VERSION = '0.5'
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: sequel-privacy
 version: !ruby/object:Gem::Version
-  version: '0.3'
+  version: '0.5'
 platform: ruby
 authors:
 - Austin Bales