simple_authorize 0.1.0 → 1.0.0

data/lib/simple_authorize/configuration.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 module SimpleAuthorize
+  # Configuration options for SimpleAuthorize
   class Configuration
     # Default error message shown to users when not authorized
     attr_accessor :default_error_message
@@ -14,11 +15,31 @@ module SimpleAuthorize
     # Custom redirect path for unauthorized access
     attr_accessor :unauthorized_redirect_path
 
+    # Enable policy caching for performance optimization (opt-in)
+    attr_accessor :enable_policy_cache
+
+    # Enable instrumentation for authorization events (default: true)
+    attr_accessor :enable_instrumentation
+
+    # Include detailed error information in API responses (default: false)
+    attr_accessor :api_error_details
+
+    # Enable I18n support for error messages (default: false)
+    attr_accessor :i18n_enabled
+
+    # I18n scope for translations (default: 'simple_authorize')
+    attr_accessor :i18n_scope
+
     def initialize
       @default_error_message = "You are not authorized to perform this action."
       @auto_verify = false
       @current_user_method = :current_user
       @unauthorized_redirect_path = nil
+      @enable_policy_cache = false
+      @enable_instrumentation = true
+      @api_error_details = false
+      @i18n_enabled = false
+      @i18n_scope = "simple_authorize"
     end
   end
 

data/lib/simple_authorize/controller.rb

@@ -13,17 +13,73 @@ module SimpleAuthorize
       def initialize(options = {})
         if options.is_a?(String)
           # Handle plain string message
-          super(options)
+          super
         else
           # Handle hash options
           @query = options[:query]
           @record = options[:record]
           @policy = options[:policy]
 
-          message = options[:message] || "not allowed to #{@query} this #{@record.class}"
+          message = options[:message] || build_error_message
           super(message)
         end
       end
+
+      private
+
+      def build_error_message
+        # Return default message if I18n is disabled
+        return "not allowed to #{@query} this #{@record.class}" unless i18n_enabled?
+
+        # Try to find translation with fallback chain
+        translate_error || default_i18n_message
+      end
+
+      def i18n_enabled?
+        SimpleAuthorize.configuration.i18n_enabled
+      end
+
+      def translate_error
+        return nil unless defined?(I18n)
+        return nil unless @policy&.class
+
+        # Extract action name from query (remove trailing ?)
+        action = @query.to_s.delete_suffix("?")
+        policy_class_name = @policy.class.name
+        return nil unless policy_class_name
+
+        policy_name = policy_class_name.underscore
+
+        # Try specific policy + action translation
+        key = "#{i18n_scope}.policies.#{policy_name}.#{action}.denied"
+        translation = I18n.t(key, **translation_options, default: nil)
+        return translation if translation.present?
+
+        nil
+      rescue StandardError
+        # If any error occurs during translation lookup, return nil to use default
+        nil
+      end
+
+      def translation_options
+        {
+          record_type: @record&.class&.name || "record",
+          record_id: @record.respond_to?(:id) ? @record.id : nil,
+          action: @query.to_s.delete_suffix("?"),
+          user_role: @policy&.user&.role || "user"
+        }.compact
+      end
+
+      def default_i18n_message
+        return "not allowed to #{@query} this #{@record.class}" unless defined?(I18n)
+
+        I18n.t("#{i18n_scope}.errors.not_authorized",
+               default: "You are not authorized to perform this action")
+      end
+
+      def i18n_scope
+        SimpleAuthorize.configuration.i18n_scope
+      end
     end
 
     class PolicyNotDefinedError < StandardError; end
@@ -54,9 +110,15 @@ module SimpleAuthorize
       query ||= "#{action_name}?"
       @_policy = policy(record, policy_class: policy_class)
 
-      unless @_policy.public_send(query)
-        raise NotAuthorizedError.new(query: query, record: record, policy: @_policy)
-      end
+      authorized = @_policy.public_send(query)
+      error = nil
+
+      error = NotAuthorizedError.new(query: query, record: record, policy: @_policy) unless authorized
+
+      # Emit instrumentation event
+      instrument_authorization(record, query, @_policy.class, authorized, error) if instrumentation_enabled?
+
+      raise error if error
 
       @authorization_performed = true
       record
@@ -70,11 +132,19 @@ module SimpleAuthorize
     # Get or instantiate policy for a record
     def policy(record, policy_class: nil, namespace: nil)
       policy_class ||= if namespace
-        policy_class_for(record, namespace: namespace)
+                         policy_class_for(record, namespace: namespace)
+                       else
+                         policy_class_for(record)
+                       end
+
+      # Return cached policy if caching is enabled
+      if SimpleAuthorize.configuration.enable_policy_cache
+        policy_cache_key = build_policy_cache_key(record, policy_class)
+        @_policy_cache ||= {}
+        @_policy_cache[policy_cache_key] ||= policy_class.new(authorized_user, record)
       else
-        policy_class_for(record)
+        policy_class.new(authorized_user, record)
       end
-      policy_class.new(authorized_user, record)
     rescue NameError
       raise PolicyNotDefinedError, "unable to find policy `#{policy_class}` for `#{record}`"
     end
@@ -89,9 +159,21 @@ module SimpleAuthorize
       @policy_scoping_performed = true
 
       policy_scope_class ||= policy_scope_class_for(scope)
-      policy_scope_class.new(authorized_user, scope).resolve
-    rescue NameError
-      raise PolicyNotDefinedError, "unable to find scope `#{policy_scope_class}` for `#{scope}`"
+      result = nil
+      error = nil
+
+      begin
+        result = policy_scope_class.new(authorized_user, scope).resolve
+      rescue NameError
+        error = PolicyNotDefinedError.new("unable to find scope `#{policy_scope_class}` for `#{scope}`")
+      end
+
+      # Emit instrumentation event
+      instrument_policy_scope(scope, policy_scope_class, error) if instrumentation_enabled?
+
+      raise error if error
+
+      result
     end
 
     # Ensure scope exists, raising if not found
@@ -114,6 +196,42 @@ module SimpleAuthorize
       end
     end
 
+    # Get visible attributes for a record
+    def visible_attributes(record, action = nil)
+      action ||= action_name
+      policy = policy(record)
+      method_name = "visible_attributes_for_#{action}"
+
+      if policy.respond_to?(method_name)
+        policy.public_send(method_name)
+      elsif policy.respond_to?(:visible_attributes)
+        policy.visible_attributes
+      else
+        []
+      end
+    end
+
+    # Get editable attributes for a record
+    def editable_attributes(record, action = nil)
+      action ||= action_name
+      policy = policy(record)
+      method_name = "editable_attributes_for_#{action}"
+
+      if policy.respond_to?(method_name)
+        policy.public_send(method_name)
+      elsif policy.respond_to?(:editable_attributes)
+        policy.editable_attributes
+      else
+        []
+      end
+    end
+
+    # Filter a hash of attributes to only include visible ones
+    def filter_attributes(record, attributes)
+      visible = visible_attributes(record)
+      attributes.select { |key, _value| visible.include?(key.to_sym) }
+    end
+
     # Automatically build permitted params from policy
     def policy_params(record, param_key = nil)
       param_key ||= record.model_name.param_key
@@ -123,12 +241,14 @@ module SimpleAuthorize
     # Verify that authorization was performed
     def verify_authorized
       return if authorization_performed?
+
       raise AuthorizationNotPerformedError, "#{self.class}##{action_name} is missing authorization"
     end
 
     # Verify that scoping was performed for index actions
     def verify_policy_scoped
       return if policy_scoped?
+
       raise PolicyScopingNotPerformedError, "#{self.class}##{action_name} is missing policy scope"
     end
 
@@ -157,11 +277,17 @@ module SimpleAuthorize
       current_user
     end
 
+    # Clear the policy cache
+    def clear_policy_cache
+      @_policy_cache = nil
+    end
+
     # Reset authorization tracking (useful in tests)
     def reset_authorization
       @authorization_performed = nil
       @policy_scoping_performed = nil
       @_policy = nil
+      clear_policy_cache
     end
 
     # Support for headless policies (policies without a model)
@@ -169,9 +295,15 @@ module SimpleAuthorize
       query ||= "#{action_name}?"
       policy = policy_class.new(authorized_user, nil)
 
-      unless policy.public_send(query)
-        raise NotAuthorizedError.new(query: query, record: policy_class, policy: policy)
-      end
+      authorized = policy.public_send(query)
+      error = nil
+
+      error = NotAuthorizedError.new(query: query, record: policy_class, policy: policy) unless authorized
+
+      # Emit instrumentation event (with nil record for headless policies)
+      instrument_authorization(nil, query, policy_class, authorized, error) if instrumentation_enabled?
+
+      raise error if error
 
       @authorization_performed = true
       true
@@ -180,11 +312,43 @@ module SimpleAuthorize
     # Check if user can perform action without raising
     def allowed_to?(action, record, policy_class: nil)
       policy = policy(record, policy_class: policy_class)
-      policy.public_send("#{action}?")
+      query = action.to_s.end_with?("?") ? action.to_s : "#{action}?"
+      policy.public_send(query)
     rescue PolicyNotDefinedError
       false
     end
 
+    # Batch Authorization Methods
+
+    # Authorize all records or raise on first failure
+    def authorize_all(records, query = nil, policy_class: nil)
+      query ||= "#{action_name}?"
+
+      records.each do |record|
+        authorize(record, query, policy_class: policy_class)
+      end
+
+      records
+    end
+
+    # Return only authorized records
+    def authorized_records(records, query = nil, policy_class: nil)
+      query ||= "#{action_name}?"
+
+      records.select do |record|
+        allowed_to?(query, record, policy_class: policy_class)
+      end
+    end
+
+    # Partition records into [authorized, unauthorized]
+    def partition_records(records, query = nil, policy_class: nil)
+      query ||= "#{action_name}?"
+
+      records.partition do |record|
+        allowed_to?(query, record, policy_class: policy_class)
+      end
+    end
+
     # Get all allowed actions for a record
     def allowed_actions(record)
       policy = policy(record)
@@ -215,35 +379,165 @@ module SimpleAuthorize
       handle_unauthorized(exception)
     end
 
+    # Check if current request is an API request (JSON/XML)
+    def api_request?
+      return false unless respond_to?(:request)
+
+      # Check request format
+      return true if request.respond_to?(:format) && (request.format.json? || request.format.xml?)
+
+      # Check Accept header
+      if request.respond_to?(:headers) && request.headers["Accept"]
+        accept = request.headers["Accept"].to_s
+        return true if accept.include?("application/json") || accept.include?("application/xml")
+      end
+
+      # Check Content-Type header
+      if request.respond_to?(:headers) && request.headers["Content-Type"]
+        content_type = request.headers["Content-Type"].to_s
+        return true if content_type.include?("application/json") || content_type.include?("application/xml")
+      end
+
+      false
+    end
+
+    # Handle API authorization errors with JSON response
+    def handle_api_authorization_error(exception)
+      status = exception.record.nil? || authorized_user.nil? ? 401 : 403
+      message = SimpleAuthorize.configuration.default_error_message
+
+      body = {
+        error: "not_authorized",
+        message: message
+      }
+
+      # Add detailed information if configured
+      if SimpleAuthorize.configuration.api_error_details
+        body[:query] = exception.query.to_s
+        body[:record_type] = exception.record&.class&.name
+        body[:policy] = exception.policy&.class&.name
+      end
+
+      {
+        status: status,
+        content_type: "application/json",
+        body: body
+      }
+    end
+
+    # Build an API error response
+    def api_error_response(message:, status: 403, details: nil)
+      body = {
+        error: "not_authorized",
+        message: message
+      }
+
+      body[:details] = details if details
+
+      {
+        status: status,
+        content_type: "application/json",
+        body: body
+      }
+    end
+
     protected
 
+    # Build a cache key for a policy instance
+    # The key is based on user, record, and policy class to ensure proper scoping
+    def build_policy_cache_key(record, policy_class)
+      user_key = authorized_user&.id || authorized_user.object_id
+      record_key = if record.respond_to?(:id) && record.id.present?
+                     "#{record.class.name}-#{record.id}"
+                   else
+                     "#{record.class.name}-#{record.object_id}"
+                   end
+      policy_key = policy_class.name
+
+      "#{user_key}/#{record_key}/#{policy_key}"
+    end
+
+    # Check if instrumentation is enabled
+    def instrumentation_enabled?
+      SimpleAuthorize.configuration.enable_instrumentation
+    end
+
+    # Emit authorization instrumentation event
+    def instrument_authorization(record, query, policy_class, authorized, error)
+      ActiveSupport::Notifications.instrument("authorize.simple_authorize",
+                                              build_instrumentation_payload(record, query, policy_class, authorized,
+                                                                            error))
+    end
+
+    # Emit policy scope instrumentation event
+    def instrument_policy_scope(scope, policy_scope_class, error)
+      ActiveSupport::Notifications.instrument("policy_scope.simple_authorize",
+                                              build_scope_payload(scope, policy_scope_class, error))
+    end
+
+    # Build payload for authorization events
+    def build_instrumentation_payload(record, query, policy_class, authorized, error)
+      payload = {
+        user: authorized_user,
+        user_id: authorized_user&.id,
+        record: record,
+        record_id: record.respond_to?(:id) ? record&.id : nil,
+        record_class: record&.class&.name,
+        query: query.to_s,
+        policy_class: policy_class,
+        authorized: authorized,
+        error: error
+      }
+
+      # Add controller and action info if available
+      payload[:controller] = controller_name if respond_to?(:controller_name)
+      payload[:action] = action_name if respond_to?(:action_name)
+
+      payload
+    end
+
+    # Build payload for policy scope events
+    def build_scope_payload(scope, policy_scope_class, error)
+      payload = {
+        user: authorized_user,
+        user_id: authorized_user&.id,
+        scope: scope,
+        policy_scope_class: policy_scope_class,
+        error: error
+      }
+
+      # Add controller and action info if available
+      payload[:controller] = controller_name if respond_to?(:controller_name)
+      payload[:action] = action_name if respond_to?(:action_name)
+
+      payload
+    end
+
     def policy_class_for(record, namespace: nil)
       klass = record.class
       record_class = if record.is_a?(Class)
-        record.name
-      elsif record.respond_to?(:model_name)
-        record.model_name.to_s
-      elsif klass.respond_to?(:model_name)
-        klass.model_name.to_s
-      else
-        klass.name
-      end
+                       record.name
+                     elsif record.respond_to?(:model_name)
+                       record.model_name.to_s
+                     elsif klass.respond_to?(:model_name)
+                       klass.model_name.to_s
+                     else
+                       klass.name
+                     end
 
       policy_class_name = if namespace
-        "#{namespace.to_s.camelize}::#{record_class}Policy"
-      else
-        "#{record_class}Policy"
-      end
+                            "#{namespace.to_s.camelize}::#{record_class}Policy"
+                          else
+                            "#{record_class}Policy"
+                          end
 
       begin
         policy_class_name.constantize
       rescue NameError
         # Fall back to non-namespaced policy if namespaced one doesn't exist
-        if namespace
-          "#{record_class}Policy".constantize
-        else
-          raise
-        end
+        raise unless namespace
+
+        "#{record_class}Policy".constantize
       end
     end
 
@@ -259,7 +553,15 @@ module SimpleAuthorize
 
     # Handle authorization errors
     def handle_unauthorized(exception = nil)
-      flash[:alert] = "You are not authorized to perform this action."
+      # Handle API requests with JSON response
+      if api_request? && exception.is_a?(NotAuthorizedError)
+        response = handle_api_authorization_error(exception)
+        render json: response[:body], status: response[:status]
+        return
+      end
+
+      # Handle traditional HTML requests with redirect
+      flash[:alert] = SimpleAuthorize.configuration.default_error_message
       safe_redirect_path = safe_referrer_path || root_path
 
       if exception
@@ -278,11 +580,7 @@ module SimpleAuthorize
       request_uri = URI.parse(request.url)
 
       # Only allow referrers from the same host
-      if referrer_uri.host == request_uri.host
-        referrer_uri.path
-      else
-        nil
-      end
+      referrer_uri.path if referrer_uri.host == request_uri.host
     rescue URI::InvalidURIError
       nil
     end

data/lib/simple_authorize/policy.rb

@@ -39,6 +39,28 @@ module SimpleAuthorize
       false
     end
 
+    # Attribute-level authorization
+
+    # Returns array of attributes visible to the user
+    def visible_attributes
+      []
+    end
+
+    # Returns array of attributes editable by the user
+    def editable_attributes
+      []
+    end
+
+    # Check if a specific attribute is visible
+    def attribute_visible?(attribute)
+      visible_attributes.include?(attribute.to_sym)
+    end
+
+    # Check if a specific attribute is editable
+    def attribute_editable?(attribute)
+      editable_attributes.include?(attribute.to_sym)
+    end
+
     # Helper methods
     protected
 

data/lib/simple_authorize/railtie.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module SimpleAuthorize
+  # Railtie for automatic integration with Rails
+  class Railtie < Rails::Railtie
+    initializer "simple_authorize.configure" do
+      ActiveSupport.on_load(:action_controller) do
+        # Make SimpleAuthorize::Controller available as Authorization for backwards compatibility
+        ::Authorization = SimpleAuthorize::Controller unless defined?(::Authorization)
+        # Make SimpleAuthorize::Policy available as ApplicationPolicy for backwards compatibility
+        ::ApplicationPolicy = SimpleAuthorize::Policy unless defined?(::ApplicationPolicy)
+      end
+    end
+
+    # Generate initializer template
+    generators do
+      require_relative "../generators/simple_authorize/install/install_generator"
+    end
+  end
+end