simple_authorize 0.1.0 → 1.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 79902cf5162234cb48b57c7a0584265292141771e59594199c7adee9dea7b1c7
-  data.tar.gz: 3022a11895f81c9a02918d88bb1929c4c75afb13eec0b0315e36cbdbaecc0745
+  metadata.gz: 0016cdf20b078e1d8e9d67b037742260a3e07d8d73a8056aea027c182ed422dc
+  data.tar.gz: 4653aae4a3e588e3ebb94e6afb16518793a2e5b5c167b117f5c8bf6517e2ee7f
 SHA512:
-  metadata.gz: 24db25e4450b4f5cb060b902f6bb99b9544aaf39397757ad0403b2feeb4ee99a678632219eec710cce36c0923fad9cb0da9465e85fa9edf60de7028e99a524a9
-  data.tar.gz: 2cffd9ff55d8a33d6093297d8c2beea976403cdf5c2d0c5b77a1f40990fff673ee43c763264964d721be1d97c68d74190bbf35c4674419ee6da999ea19a25262
+  metadata.gz: 8fdc1204e73d66f005d3f19893244712013300f12529b59a28e709f21552134e52e8efbb944197403be7832521cf983c15a7c1b8c46c3b2d3808dbbdc5511f2a
+  data.tar.gz: 5da4732fc1838f7a495336b4380f3bb90a523a5922fe6130e3e6b6c50cd0d2fd3d37f17f083de74ea8128871aac18f2d3a9ca7ef1e5196b225371c82e6ddd4cd

data/.overcommit.yml

@@ -0,0 +1,55 @@
+# Overcommit configuration
+# See https://github.com/sds/overcommit for full documentation
+
+# Verify signatures for overcommit config to prevent tampering
+verify_signatures: true
+
+# Run these hooks before commits
+PreCommit:
+  RuboCop:
+    enabled: true
+    description: 'Checking code style with RuboCop'
+    required: true
+    quiet: false
+    command: ['bundle', 'exec', 'rubocop']
+
+  TrailingWhitespace:
+    enabled: true
+    description: 'Checking for trailing whitespace'
+
+  YamlSyntax:
+    enabled: true
+    description: 'Checking YAML syntax'
+
+# Run these hooks before pushes (more extensive checks)
+PrePush:
+  RuboCop:
+    enabled: true
+    description: 'Running RuboCop before push'
+    required: true
+
+  Minitest:
+    enabled: true
+    description: 'Running Minitest suite'
+    required: true
+
+  RSpec:
+    enabled: true
+    description: 'Running RSpec suite'
+    required: true
+
+  # TruffleHog - scan for secrets
+  # Note: Requires truffleHog to be installed
+  # Install: brew install truffleHog (macOS) or pip install truffleHog
+  CustomScript:
+    enabled: true
+    description: 'Scanning for secrets with TruffleHog'
+    required: false  # Optional since it requires external installation
+    command: ['sh', '-c', 'if command -v trufflehog >/dev/null 2>&1; then trufflehog filesystem . --only-verified --fail; else echo "TruffleHog not installed - skipping secret scan"; fi']
+
+# Run these hooks after checkout
+PostCheckout:
+  BundleInstall:
+    enabled: true
+    description: 'Running bundle install after checkout'
+    required: false

data/.simplecov

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+SimpleCov.start do
+  add_filter "/test/"
+  add_filter "/spec/"
+  add_filter "/lib/generators/"
+  add_filter "/lib/simple_authorize/railtie.rb"
+
+  # Merge results from multiple test runs
+  use_merging true
+  merge_timeout 3600 # 1 hour
+
+  # Don't enforce minimum yet
+  # minimum_coverage line: 95, branch: 90
+end

data/CHANGELOG.md

@@ -5,34 +5,122 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased]
+## [1.0.0] - 2025-11-03
 
 ### Added
-- Initial release of SimpleAuthorize
-- Policy-based authorization system
-- Controller concern with authorization methods
-- Base policy class with default deny-all policies
-- Policy scope support for filtering collections
-- Strong parameters integration via `permitted_attributes` and `policy_params`
-- Automatic verification module (opt-in)
-- Headless policy support for policies without models
-- Namespace support for policies
-- Role-based helper methods (`admin_user?`, `contributor_user?`, `viewer_user?`)
-- Custom error handling with `NotAuthorizedError`
-- Install generator (`rails generate simple_authorize:install`)
-- Configuration system via initializer
-- Comprehensive documentation and examples
-- Test helper methods for easy testing
-- Backwards compatibility aliases for Pundit-style usage
-
-## [0.1.0] - 2025-11-01
+
+#### Core Authorization
+- **Policy Generator** - Rails generator for creating policy classes (`rails g simple_authorize:policy ModelName`)
+- **Install Generator** - Setup wizard creating initializer and base policy (`rails g simple_authorize:install`)
+- **Headless Policies** - Authorization for actions without a specific record
+- **Batch Authorization** - Efficiently authorize multiple records with `authorize_all`, `authorized_records`, and `partition_records`
+
+#### Performance & Caching
+- **Policy Caching** - Request-level memoization to reduce database queries and improve performance
+- **Configurable Cache** - Enable/disable policy caching via `config.enable_policy_cache`
+
+#### Instrumentation & Monitoring
+- **ActiveSupport::Notifications** - Comprehensive instrumentation for authorization events
+- **Audit Logging** - Track authorization attempts, denials, and policy scope usage
+- **Custom Event Subscribers** - Hook into `authorize.simple_authorize` and `policy_scope.simple_authorize` events
+
+#### API Support
+- **JSON/XML Error Responses** - Automatic API-friendly error responses with proper HTTP status codes
+- **API Request Detection** - Intelligent detection of API requests (JSON/XML format and headers)
+- **Configurable Error Details** - Control error detail level with `config.api_error_details`
+- **Status Code Handling** - 401 Unauthorized vs 403 Forbidden based on authentication state
+
+#### Attribute-Level Authorization
+- **Visible Attributes** - Control which attributes users can view (`visible_attributes`, `visible_attributes_for_action`)
+- **Editable Attributes** - Control which attributes users can modify (`editable_attributes`, `editable_attributes_for_action`)
+- **Filter Helpers** - Automatically filter attribute hashes based on policy rules
+- **Strong Parameters Integration** - `policy_params` method for seamless Rails strong parameters integration
+
+#### Testing Support
+- **RSpec Matchers** - `permit_action`, `forbid_action`, `permit_mass_assignment`, `forbid_mass_assignment`
+- **RSpec Helpers** - `permit_editing`, `forbid_editing`, `permit_viewing`, `forbid_viewing`
+- **Minitest Helpers** - `assert_permit_action`, `assert_forbid_action` for Minitest users
+- **Policy Testing** - Comprehensive test helpers for both testing frameworks
+
+#### Internationalization
+- **I18n Support** - Configurable error messages with internationalization support
+- **Custom Translations** - Per-policy and per-action error message translations
+- **Configurable Scope** - Customize I18n scope with `config.i18n_scope`
+- **Fallback Messages** - Graceful fallback to default messages when translations are missing
+
+#### Security & Best Practices
+- **Authorization Verification** - `verify_authorized` and `verify_policy_scoped` to catch missing authorization
+- **Skip Authorization** - Explicit `skip_authorization` and `skip_policy_scope` methods
+- **Auto-Verify Module** - Optional automatic verification with `include SimpleAuthorize::Controller::AutoVerify`
+- **Safe Redirects** - Security-conscious redirect handling preventing open redirect vulnerabilities
+
+#### Developer Experience
+- **Comprehensive Documentation** - Extensive README with examples and best practices
+- **Error Messages** - Clear, actionable error messages for common mistakes
+- **Helper Methods** - View helpers automatically included (`policy`, `policy_scope`, `authorized_user`)
+- **Role Helpers** - Convenient `admin_user?`, `contributor_user?`, `viewer_user?` methods
+
+### Changed
+- Improved error handling with detailed exception information
+- Enhanced policy class resolution with namespace support
+- Better cache key generation for policy instances
+
+### Fixed
+- Policy scope resolution for collection classes
+- Safe referrer path handling for redirects
+- API request detection edge cases
+
+### Security
+- Added protection against open redirect vulnerabilities in `safe_referrer_path`
+- Implemented proper HTTP status codes (401 vs 403) for API errors
+- Enhanced authorization verification to prevent bypass attempts
+
+## [0.1.0] - Initial Development
 
 ### Added
-- Initial gem structure
-- Core authorization framework extracted from production Rails application
-- MIT license
-- README with comprehensive documentation
-- Generator templates for installation
+- Basic policy-based authorization
+- Core authorization methods (`authorize`, `policy`, `policy_scope`)
+- Integration with Rails controllers
+- Basic test helpers
+- Initial documentation
+
+---
+
+## Upgrading
+
+### From 0.1.0 to 1.0.0
+
+**Breaking Changes:**
+None - v1.0.0 is fully backward compatible with 0.1.0.
+
+**New Features:**
+All features listed above are opt-in and won't affect existing implementations.
+
+**Recommended Updates:**
+1. Run `rails g simple_authorize:install` to generate the configuration file
+2. Enable policy caching for better performance: `config.enable_policy_cache = true`
+3. Enable instrumentation for monitoring: `config.enable_instrumentation = true`
+4. Add RSpec matchers to your spec_helper: `require 'simple_authorize/rspec'`
+
+**Configuration:**
+```ruby
+# config/initializers/simple_authorize.rb
+SimpleAuthorize.configure do |config|
+  config.enable_policy_cache = true       # Enable request-level policy caching
+  config.enable_instrumentation = true    # Enable ActiveSupport::Notifications
+  config.api_error_details = false        # Exclude sensitive details in API errors
+  config.i18n_enabled = true              # Enable I18n support
+  config.i18n_scope = "simple_authorize"  # I18n translation scope
+  config.default_error_message = "You are not authorized to perform this action."
+end
+```
+
+## Support
+
+- **Documentation**: [README.md](README.md)
+- **Issues**: [GitHub Issues](https://github.com/scottlaplant/simple_authorize/issues)
+- **Security**: [SECURITY.md](SECURITY.md)
+- **Contributing**: [CONTRIBUTING.md](CONTRIBUTING.md)
 
-[Unreleased]: https://github.com/scottlaplant/simple_authorize/compare/v0.1.0...HEAD
+[1.0.0]: https://github.com/scottlaplant/simple_authorize/releases/tag/v1.0.0
 [0.1.0]: https://github.com/scottlaplant/simple_authorize/releases/tag/v0.1.0

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,129 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity
+and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the
+  overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+**simpleauthorize@gmail.com**.
+
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series
+of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or
+permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior, harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within
+the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.0, available at
+https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct
+enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the FAQ at
+https://www.contributor-covenant.org/faq. Translations are available at
+https://www.contributor-covenant.org/translations.

data/CONTRIBUTING.md

@@ -0,0 +1,182 @@
+# Contributing to SimpleAuthorize
+
+Thank you for your interest in contributing to SimpleAuthorize! We welcome contributions from everyone.
+
+## Code of Conduct
+
+This project and everyone participating in it is governed by our [Code of Conduct](CODE_OF_CONDUCT.md). By participating, you are expected to uphold this code. Please report unacceptable behavior to simpleauthorize@gmail.com.
+
+## How Can I Contribute?
+
+### Reporting Bugs
+
+Before creating bug reports, please check the existing issues to avoid duplicates. When creating a bug report, include as many details as possible:
+
+* **Use a clear and descriptive title**
+* **Describe the exact steps to reproduce the problem**
+* **Provide specific examples** to demonstrate the steps
+* **Describe the behavior you observed** and what you expected
+* **Include Ruby version, Rails version, and gem version**
+* **Include any error messages or stack traces**
+
+### Suggesting Enhancements
+
+Enhancement suggestions are tracked as GitHub issues. When creating an enhancement suggestion:
+
+* **Use a clear and descriptive title**
+* **Provide a step-by-step description** of the suggested enhancement
+* **Explain why this enhancement would be useful**
+* **List any alternative solutions** you've considered
+
+### Pull Requests
+
+* Fill in the pull request template
+* Follow the Ruby style guide (RuboCop will check this)
+* Include tests for new features or bug fixes
+* Update documentation as needed
+* Ensure all tests pass (`bundle exec rake test` and `bundle exec rspec`)
+* Ensure RuboCop passes (`bundle exec rubocop`)
+
+## Development Setup
+
+1. **Fork and clone the repository**
+   ```bash
+   git clone https://github.com/YOUR_USERNAME/simple_authorize.git
+   cd simple_authorize
+   ```
+
+2. **Install dependencies**
+   ```bash
+   bundle install
+   ```
+
+3. **Set up git hooks with Overcommit**
+   ```bash
+   # Install git hooks
+   bundle exec overcommit --install
+
+   # (Optional) Install TruffleHog for secret scanning
+   # macOS: brew install truffleHog
+   # Linux: pip install truffleHog
+   ```
+
+   This sets up automatic checks before commits and pushes:
+   * **Pre-commit**: RuboCop, trailing whitespace, YAML syntax
+   * **Pre-push**: RuboCop, Minitest, RSpec, TruffleHog (if installed)
+   * **Post-checkout**: Automatic bundle install
+
+   To skip hooks temporarily (not recommended):
+   ```bash
+   git push --no-verify
+   ```
+
+4. **Run tests**
+   ```bash
+   # Run Minitest suite
+   bundle exec rake test
+
+   # Run RSpec suite
+   bundle exec rspec
+
+   # Run RuboCop
+   bundle exec rubocop
+
+   # Run all checks
+   bundle exec rake
+   ```
+
+5. **Create a feature branch**
+   ```bash
+   git checkout -b my-new-feature
+   ```
+
+## Testing
+
+We maintain high test coverage (89%+) and use both Minitest and RSpec:
+
+* **Minitest**: `test/` directory - for integration and controller tests
+* **RSpec**: `spec/` directory - for unit tests and matchers
+
+Please ensure your changes include appropriate tests:
+
+```ruby
+# Minitest example
+test "authorize succeeds when policy allows" do
+  result = controller.authorize(post, :show?)
+  assert_equal post, result
+end
+
+# RSpec example
+it "permits action when policy allows" do
+  expect { policy.show? }.to permit_action
+end
+```
+
+## Code Style
+
+We follow the Ruby Style Guide and enforce it with RuboCop:
+
+* Use 2 spaces for indentation
+* Use double quotes for strings
+* Keep lines under 120 characters
+* Write descriptive method and variable names
+* Add comments for complex logic
+
+Run RuboCop with:
+```bash
+bundle exec rubocop
+```
+
+Auto-fix issues with:
+```bash
+bundle exec rubocop -a
+```
+
+## Documentation
+
+* Update README.md if you add features
+* Add YARD documentation to public methods
+* Update CHANGELOG.md with your changes
+* Keep comments up-to-date with code changes
+
+## Commit Messages
+
+* Use present tense ("Add feature" not "Added feature")
+* Use imperative mood ("Move cursor to..." not "Moves cursor to...")
+* Limit first line to 72 characters
+* Reference issues and pull requests after the first line
+
+Example:
+```
+Add policy caching for improved performance
+
+Implements request-level memoization for policy instances
+to reduce database queries and improve response times.
+
+Fixes #123
+```
+
+## Release Process
+
+Maintainers will handle releases:
+
+1. Update version in `lib/simple_authorize/version.rb`
+2. Update CHANGELOG.md with release notes
+3. Commit changes
+4. Run `bundle exec rake release`
+
+## Questions?
+
+Feel free to:
+* Open an issue for questions
+* Email us at simpleauthorize@gmail.com
+* Check existing documentation in the README
+
+## Recognition
+
+Contributors will be:
+* Listed in the CHANGELOG for their contributions
+* Credited in release notes
+* Added to a CONTRIBUTORS file (if created)
+
+Thank you for contributing to SimpleAuthorize! 🎉

data/LICENSE.txt

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2025 Scott
+Copyright (c) 2025 Scott LaPlant
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal