simple_authorize 0.1.0 → 1.0.0

data/lib/simple_authorize/rspec.rb

@@ -0,0 +1,149 @@
+# frozen_string_literal: true
+
+module SimpleAuthorize
+  # RSpec matchers for SimpleAuthorize policies
+  #
+  # To use these matchers, add this to your spec/rails_helper.rb or spec/spec_helper.rb:
+  #
+  #   require "simple_authorize/rspec"
+  #
+  # @example
+  #   RSpec.describe PostPolicy do
+  #     subject { described_class.new(user, post) }
+  #
+  #     context "as an admin" do
+  #       let(:user) { build(:admin) }
+  #
+  #       it { is_expected.to permit_action(:destroy) }
+  #       it { is_expected.to forbid_action(:publish) }
+  #       it { is_expected.to permit_viewing(:user_id) }
+  #       it { is_expected.to permit_editing(:published) }
+  #     end
+  #   end
+  module RSpecMatchers
+    extend RSpec::Matchers::DSL
+
+    # Matcher for checking if a policy permits an action
+    #
+    # @example
+    #   it { is_expected.to permit_action(:show) }
+    #   expect(policy).to permit_action(:update)
+    matcher :permit_action do |action|
+      match do |policy|
+        action_method = action.to_s.end_with?("?") ? action.to_s : "#{action}?"
+        policy.public_send(action_method)
+      end
+
+      failure_message do |policy|
+        "expected #{policy.class} to permit action :#{action} but it was forbidden"
+      end
+
+      failure_message_when_negated do |policy|
+        "expected #{policy.class} to forbid action :#{action} but it was permitted"
+      end
+    end
+
+    # Matcher for checking if a policy forbids an action
+    #
+    # @example
+    #   it { is_expected.to forbid_action(:destroy) }
+    #   expect(policy).to forbid_action(:update)
+    matcher :forbid_action do |action|
+      match do |policy|
+        action_method = action.to_s.end_with?("?") ? action.to_s : "#{action}?"
+        !policy.public_send(action_method)
+      end
+
+      failure_message do |policy|
+        "expected #{policy.class} to forbid action :#{action} but it was permitted"
+      end
+
+      failure_message_when_negated do |policy|
+        "expected #{policy.class} to permit action :#{action} but it was forbidden"
+      end
+    end
+
+    # Matcher for checking if a policy permits viewing an attribute
+    #
+    # @example
+    #   it { is_expected.to permit_viewing(:title) }
+    #   expect(policy).to permit_viewing(:email)
+    matcher :permit_viewing do |attribute|
+      match do |policy|
+        policy.attribute_visible?(attribute)
+      end
+
+      failure_message do |policy|
+        "expected #{policy.class} to permit viewing :#{attribute} but it was hidden"
+      end
+
+      failure_message_when_negated do |policy|
+        "expected #{policy.class} to forbid viewing :#{attribute} but it was visible"
+      end
+    end
+
+    # Matcher for checking if a policy forbids viewing an attribute
+    #
+    # @example
+    #   it { is_expected.to forbid_viewing(:password) }
+    #   expect(policy).to forbid_viewing(:user_id)
+    matcher :forbid_viewing do |attribute|
+      match do |policy|
+        !policy.attribute_visible?(attribute)
+      end
+
+      failure_message do |policy|
+        "expected #{policy.class} to forbid viewing :#{attribute} but it was visible"
+      end
+
+      failure_message_when_negated do |policy|
+        "expected #{policy.class} to permit viewing :#{attribute} but it was hidden"
+      end
+    end
+
+    # Matcher for checking if a policy permits editing an attribute
+    #
+    # @example
+    #   it { is_expected.to permit_editing(:title) }
+    #   expect(policy).to permit_editing(:body)
+    matcher :permit_editing do |attribute|
+      match do |policy|
+        policy.attribute_editable?(attribute)
+      end
+
+      failure_message do |policy|
+        "expected #{policy.class} to permit editing :#{attribute} but it was not editable"
+      end
+
+      failure_message_when_negated do |policy|
+        "expected #{policy.class} to forbid editing :#{attribute} but it was editable"
+      end
+    end
+
+    # Matcher for checking if a policy forbids editing an attribute
+    #
+    # @example
+    #   it { is_expected.to forbid_editing(:id) }
+    #   expect(policy).to forbid_editing(:published)
+    matcher :forbid_editing do |attribute|
+      match do |policy|
+        !policy.attribute_editable?(attribute)
+      end
+
+      failure_message do |policy|
+        "expected #{policy.class} to forbid editing :#{attribute} but it was editable"
+      end
+
+      failure_message_when_negated do |policy|
+        "expected #{policy.class} to permit editing :#{attribute} but it was not editable"
+      end
+    end
+  end
+end
+
+# Auto-include matchers if RSpec is loaded
+if defined?(RSpec)
+  RSpec.configure do |config|
+    config.include SimpleAuthorize::RSpecMatchers
+  end
+end

data/lib/simple_authorize/test_helpers.rb

@@ -0,0 +1,115 @@
+# frozen_string_literal: true
+
+module SimpleAuthorize
+  # Test helpers for Minitest
+  # Include this module in your test cases to get assertion methods for authorization testing
+  #
+  # @example
+  #   class PostPolicyTest < ActiveSupport::TestCase
+  #     include SimpleAuthorize::TestHelpers
+  #
+  #     def test_admin_can_destroy
+  #       policy = PostPolicy.new(admin_user, post)
+  #       assert_permit_action(policy, :destroy)
+  #     end
+  #   end
+  module TestHelpers
+    # Assert that a policy permits a specific action
+    #
+    # @param policy [SimpleAuthorize::Policy] The policy instance to test
+    # @param action [Symbol, String] The action to check (e.g., :show, :update)
+    # @param message [String] Optional custom failure message
+    #
+    # @example
+    #   assert_permit_action(policy, :show)
+    #   assert_permit_action(policy, "update")
+    def assert_permit_action(policy, action, message = nil)
+      action_method = action.to_s.end_with?("?") ? action.to_s : "#{action}?"
+      result = policy.public_send(action_method)
+
+      message ||= "Expected #{policy.class} to permit action :#{action} but it was forbidden"
+      assert result, message
+    end
+
+    # Assert that a policy forbids a specific action
+    #
+    # @param policy [SimpleAuthorize::Policy] The policy instance to test
+    # @param action [Symbol, String] The action to check (e.g., :destroy, :update)
+    # @param message [String] Optional custom failure message
+    #
+    # @example
+    #   assert_forbid_action(policy, :destroy)
+    #   assert_forbid_action(policy, "update")
+    def assert_forbid_action(policy, action, message = nil)
+      action_method = action.to_s.end_with?("?") ? action.to_s : "#{action}?"
+      result = policy.public_send(action_method)
+
+      message ||= "Expected #{policy.class} to forbid action :#{action} but it was permitted"
+      assert_not result, message
+    end
+
+    # Assert that a policy permits viewing a specific attribute
+    #
+    # @param policy [SimpleAuthorize::Policy] The policy instance to test
+    # @param attribute [Symbol, String] The attribute to check (e.g., :title, :email)
+    # @param message [String] Optional custom failure message
+    #
+    # @example
+    #   assert_permit_viewing(policy, :title)
+    #   assert_permit_viewing(policy, "email")
+    def assert_permit_viewing(policy, attribute, message = nil)
+      result = policy.attribute_visible?(attribute)
+
+      message ||= "Expected #{policy.class} to permit viewing :#{attribute} but it was hidden"
+      assert result, message
+    end
+
+    # Assert that a policy forbids viewing a specific attribute
+    #
+    # @param policy [SimpleAuthorize::Policy] The policy instance to test
+    # @param attribute [Symbol, String] The attribute to check (e.g., :password, :secret)
+    # @param message [String] Optional custom failure message
+    #
+    # @example
+    #   assert_forbid_viewing(policy, :user_id)
+    #   assert_forbid_viewing(policy, "password")
+    def assert_forbid_viewing(policy, attribute, message = nil)
+      result = policy.attribute_visible?(attribute)
+
+      message ||= "Expected #{policy.class} to forbid viewing :#{attribute} but it was visible"
+      assert_not result, message
+    end
+
+    # Assert that a policy permits editing a specific attribute
+    #
+    # @param policy [SimpleAuthorize::Policy] The policy instance to test
+    # @param attribute [Symbol, String] The attribute to check (e.g., :title, :body)
+    # @param message [String] Optional custom failure message
+    #
+    # @example
+    #   assert_permit_editing(policy, :title)
+    #   assert_permit_editing(policy, "body")
+    def assert_permit_editing(policy, attribute, message = nil)
+      result = policy.attribute_editable?(attribute)
+
+      message ||= "Expected #{policy.class} to permit editing :#{attribute} but it was not editable"
+      assert result, message
+    end
+
+    # Assert that a policy forbids editing a specific attribute
+    #
+    # @param policy [SimpleAuthorize::Policy] The policy instance to test
+    # @param attribute [Symbol, String] The attribute to check (e.g., :id, :created_at)
+    # @param message [String] Optional custom failure message
+    #
+    # @example
+    #   assert_forbid_editing(policy, :published)
+    #   assert_forbid_editing(policy, "id")
+    def assert_forbid_editing(policy, attribute, message = nil)
+      result = policy.attribute_editable?(attribute)
+
+      message ||= "Expected #{policy.class} to forbid editing :#{attribute} but it was editable"
+      assert_not result, message
+    end
+  end
+end

data/lib/simple_authorize/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module SimpleAuthorize
-  VERSION = "0.1.0"
+  VERSION = "1.0.0"
 end

data/lib/simple_authorize.rb

@@ -5,24 +5,13 @@ require_relative "simple_authorize/version"
 require_relative "simple_authorize/configuration"
 require_relative "simple_authorize/controller"
 require_relative "simple_authorize/policy"
+require_relative "simple_authorize/test_helpers"
 
+# SimpleAuthorize provides a lightweight authorization framework for Rails applications
+# without external dependencies. It offers policy-based access control inspired by Pundit.
 module SimpleAuthorize
   class Error < StandardError; end
-
-  # Railtie for automatic integration with Rails
-  class Railtie < Rails::Railtie
-    initializer "simple_authorize.configure" do
-      ActiveSupport.on_load(:action_controller) do
-        # Make SimpleAuthorize::Controller available as Authorization for backwards compatibility
-        ::Authorization = SimpleAuthorize::Controller unless defined?(::Authorization)
-        # Make SimpleAuthorize::Policy available as ApplicationPolicy for backwards compatibility
-        ::ApplicationPolicy = SimpleAuthorize::Policy unless defined?(::ApplicationPolicy)
-      end
-    end
-
-    # Generate initializer template
-    generators do
-      require_relative "generators/simple_authorize/install/install_generator"
-    end
-  end
 end
+
+# Only load Railtie if Rails is defined
+require_relative "simple_authorize/railtie" if defined?(Rails::Railtie)

data/spec/examples.txt

@@ -0,0 +1,51 @@
+example_id                             | status | run_time        |
+-------------------------------------- | ------ | --------------- |
+./spec/rspec_matchers_spec.rb[1:1:1:1] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:1:1:2] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:1:1:3] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:1:2:1] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:1:2:2] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:1:3:1] | passed | 0.00005 seconds |
+./spec/rspec_matchers_spec.rb[1:1:3:2] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:1:4:1] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:1:4:2] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:2:1:1] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:2:1:2] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:2:2:1] | passed | 0.00005 seconds |
+./spec/rspec_matchers_spec.rb[1:2:2:2] | passed | 0.00011 seconds |
+./spec/rspec_matchers_spec.rb[1:2:3:1] | passed | 0.00005 seconds |
+./spec/rspec_matchers_spec.rb[1:2:3:2] | passed | 0.00007 seconds |
+./spec/rspec_matchers_spec.rb[1:2:4:1] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:2:4:2] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:3:1:1] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:3:1:2] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:3:1:3] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:3:2:1] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:3:3:1] | passed | 0.00005 seconds |
+./spec/rspec_matchers_spec.rb[1:3:3:2] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:3:4:1] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:3:4:2] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:4:1:1] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:4:2:1] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:4:2:2] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:4:3:1] | passed | 0.00005 seconds |
+./spec/rspec_matchers_spec.rb[1:4:4:1] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:4:4:2] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:5:1:1] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:5:1:2] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:5:2:1] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:5:3:1] | passed | 0.00005 seconds |
+./spec/rspec_matchers_spec.rb[1:5:3:2] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:5:4:1] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:5:4:2] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:6:1:1] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:6:2:1] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:6:2:2] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:6:3:1] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:6:3:2] | passed | 0.00005 seconds |
+./spec/rspec_matchers_spec.rb[1:6:4:1] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:6:4:2] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:7:1:1] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:7:1:2] | passed | 0.00005 seconds |
+./spec/rspec_matchers_spec.rb[1:7:1:3] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:7:2:1] | passed | 0.00156 seconds |

data/spec/rspec_matchers_spec.rb

@@ -0,0 +1,235 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+RSpec.describe SimpleAuthorize::RSpecMatchers do
+  let(:admin) { User.new(id: 1, role: :admin) }
+  let(:contributor) { User.new(id: 2, role: :contributor) }
+  let(:viewer) { User.new(id: 3, role: :viewer) }
+  let(:post) { Post.new(id: 1, user_id: 2) }
+
+  describe "permit_action matcher" do
+    context "when action is permitted" do
+      subject { PostPolicy.new(admin, post) }
+
+      it { is_expected.to permit_action(:destroy) }
+      it { is_expected.to permit_action(:update) }
+      it { is_expected.to permit_action(:show) }
+    end
+
+    context "when action is forbidden" do
+      subject { PostPolicy.new(viewer, post) }
+
+      it { is_expected.not_to permit_action(:destroy) }
+      it { is_expected.not_to permit_action(:update) }
+    end
+
+    context "with string actions" do
+      subject { PostPolicy.new(admin, post) }
+
+      it { is_expected.to permit_action("show") }
+      it { is_expected.to permit_action("update") }
+    end
+
+    context "with explicit expect syntax" do
+      it "passes when action is permitted" do
+        policy = PostPolicy.new(admin, post)
+        expect(policy).to permit_action(:destroy)
+      end
+
+      it "fails when action is forbidden" do
+        policy = PostPolicy.new(viewer, post)
+        expect(policy).not_to permit_action(:destroy)
+      end
+    end
+  end
+
+  describe "forbid_action matcher" do
+    context "when action is forbidden" do
+      subject { PostPolicy.new(viewer, post) }
+
+      it { is_expected.to forbid_action(:destroy) }
+      it { is_expected.to forbid_action(:update) }
+    end
+
+    context "when action is permitted" do
+      subject { PostPolicy.new(admin, post) }
+
+      it { is_expected.not_to forbid_action(:show) }
+      it { is_expected.not_to forbid_action(:index) }
+    end
+
+    context "with string actions" do
+      subject { PostPolicy.new(viewer, post) }
+
+      it { is_expected.to forbid_action("destroy") }
+      it { is_expected.to forbid_action("update") }
+    end
+
+    context "with explicit expect syntax" do
+      it "passes when action is forbidden" do
+        policy = PostPolicy.new(viewer, post)
+        expect(policy).to forbid_action(:destroy)
+      end
+
+      it "fails when action is permitted" do
+        policy = PostPolicy.new(admin, post)
+        expect(policy).not_to forbid_action(:show)
+      end
+    end
+  end
+
+  describe "permit_viewing matcher" do
+    context "when attribute is visible" do
+      subject { PostPolicy.new(viewer, post) }
+
+      it { is_expected.to permit_viewing(:title) }
+      it { is_expected.to permit_viewing(:body) }
+      it { is_expected.to permit_viewing(:id) }
+    end
+
+    context "when attribute is hidden" do
+      subject { PostPolicy.new(viewer, post) }
+
+      it { is_expected.not_to permit_viewing(:user_id) }
+    end
+
+    context "with string attributes" do
+      subject { PostPolicy.new(admin, post) }
+
+      it { is_expected.to permit_viewing("title") }
+      it { is_expected.to permit_viewing("user_id") }
+    end
+
+    context "with explicit expect syntax" do
+      it "passes when attribute is visible" do
+        policy = PostPolicy.new(viewer, post)
+        expect(policy).to permit_viewing(:title)
+      end
+
+      it "fails when attribute is hidden" do
+        policy = PostPolicy.new(viewer, post)
+        expect(policy).not_to permit_viewing(:user_id)
+      end
+    end
+  end
+
+  describe "forbid_viewing matcher" do
+    context "when attribute is hidden" do
+      subject { PostPolicy.new(viewer, post) }
+
+      it { is_expected.to forbid_viewing(:user_id) }
+    end
+
+    context "when attribute is visible" do
+      subject { PostPolicy.new(admin, post) }
+
+      it { is_expected.not_to forbid_viewing(:title) }
+      it { is_expected.not_to forbid_viewing(:user_id) }
+    end
+
+    context "with string attributes" do
+      subject { PostPolicy.new(viewer, post) }
+
+      it { is_expected.to forbid_viewing("user_id") }
+    end
+
+    context "with explicit expect syntax" do
+      it "passes when attribute is hidden" do
+        policy = PostPolicy.new(viewer, post)
+        expect(policy).to forbid_viewing(:user_id)
+      end
+
+      it "fails when attribute is visible" do
+        policy = PostPolicy.new(admin, post)
+        expect(policy).not_to forbid_viewing(:title)
+      end
+    end
+  end
+
+  describe "permit_editing matcher" do
+    context "when attribute is editable" do
+      subject { PostPolicy.new(contributor, post) }
+
+      it { is_expected.to permit_editing(:title) }
+      it { is_expected.to permit_editing(:body) }
+    end
+
+    context "when attribute is not editable" do
+      subject { PostPolicy.new(contributor, post) }
+
+      it { is_expected.not_to permit_editing(:published) }
+    end
+
+    context "with string attributes" do
+      subject { PostPolicy.new(admin, post) }
+
+      it { is_expected.to permit_editing("title") }
+      it { is_expected.to permit_editing("published") }
+    end
+
+    context "with explicit expect syntax" do
+      it "passes when attribute is editable" do
+        policy = PostPolicy.new(contributor, post)
+        expect(policy).to permit_editing(:title)
+      end
+
+      it "fails when attribute is not editable" do
+        policy = PostPolicy.new(contributor, post)
+        expect(policy).not_to permit_editing(:published)
+      end
+    end
+  end
+
+  describe "forbid_editing matcher" do
+    context "when attribute is not editable" do
+      subject { PostPolicy.new(contributor, post) }
+
+      it { is_expected.to forbid_editing(:published) }
+    end
+
+    context "when attribute is editable" do
+      subject { PostPolicy.new(admin, post) }
+
+      it { is_expected.not_to forbid_editing(:title) }
+      it { is_expected.not_to forbid_editing(:published) }
+    end
+
+    context "with string attributes" do
+      subject { PostPolicy.new(viewer, post) }
+
+      it { is_expected.to forbid_editing("title") }
+      it { is_expected.to forbid_editing("published") }
+    end
+
+    context "with explicit expect syntax" do
+      it "passes when attribute is not editable" do
+        policy = PostPolicy.new(contributor, post)
+        expect(policy).to forbid_editing(:published)
+      end
+
+      it "fails when attribute is editable" do
+        policy = PostPolicy.new(admin, post)
+        expect(policy).not_to forbid_editing(:title)
+      end
+    end
+  end
+
+  describe "edge cases" do
+    context "with nil user" do
+      subject { PostPolicy.new(nil, post) }
+
+      it { is_expected.to forbid_action(:update) }
+      it { is_expected.to forbid_viewing(:title) }
+      it { is_expected.to forbid_editing(:body) }
+    end
+
+    context "with missing policy methods" do
+      subject { PostPolicy.new(admin, post) }
+
+      it "raises NoMethodError for nonexistent actions" do
+        expect { subject.nonexistent_action? }.to raise_error(NoMethodError)
+      end
+    end
+  end
+end