simple_authorize 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 79902cf5162234cb48b57c7a0584265292141771e59594199c7adee9dea7b1c7
+  data.tar.gz: 3022a11895f81c9a02918d88bb1929c4c75afb13eec0b0315e36cbdbaecc0745
+SHA512:
+  metadata.gz: 24db25e4450b4f5cb060b902f6bb99b9544aaf39397757ad0403b2feeb4ee99a678632219eec710cce36c0923fad9cb0da9465e85fa9edf60de7028e99a524a9
+  data.tar.gz: 2cffd9ff55d8a33d6093297d8c2beea976403cdf5c2d0c5b77a1f40990fff673ee43c763264964d721be1d97c68d74190bbf35c4674419ee6da999ea19a25262

data/CHANGELOG.md

@@ -0,0 +1,38 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Added
+- Initial release of SimpleAuthorize
+- Policy-based authorization system
+- Controller concern with authorization methods
+- Base policy class with default deny-all policies
+- Policy scope support for filtering collections
+- Strong parameters integration via `permitted_attributes` and `policy_params`
+- Automatic verification module (opt-in)
+- Headless policy support for policies without models
+- Namespace support for policies
+- Role-based helper methods (`admin_user?`, `contributor_user?`, `viewer_user?`)
+- Custom error handling with `NotAuthorizedError`
+- Install generator (`rails generate simple_authorize:install`)
+- Configuration system via initializer
+- Comprehensive documentation and examples
+- Test helper methods for easy testing
+- Backwards compatibility aliases for Pundit-style usage
+
+## [0.1.0] - 2025-11-01
+
+### Added
+- Initial gem structure
+- Core authorization framework extracted from production Rails application
+- MIT license
+- README with comprehensive documentation
+- Generator templates for installation
+
+[Unreleased]: https://github.com/scottlaplant/simple_authorize/compare/v0.1.0...HEAD
+[0.1.0]: https://github.com/scottlaplant/simple_authorize/releases/tag/v0.1.0

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2025 Scott
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,321 @@
+# SimpleAuthorize
+
+[![Gem Version](https://badge.fury.io/rb/simple_authorize.svg)](https://badge.fury.io/rb/simple_authorize)
+[![Ruby](https://github.com/scottlaplant/simple_authorize/workflows/Ruby/badge.svg)](https://github.com/scottlaplant/simple_authorize/actions)
+
+SimpleAuthorize is a lightweight, powerful authorization framework for Rails that provides policy-based access control without external dependencies. Inspired by Pundit, it offers a clean API for managing permissions in your Rails applications.
+
+## Features
+
+- 🔒 **Policy-Based Authorization** - Define authorization rules in dedicated policy classes
+- 🎯 **Scope Filtering** - Automatically filter collections based on user permissions
+- 🔑 **Role-Based Access** - Built-in support for role-based authorization
+- 🚀 **Zero Dependencies** - No external gems required (only Rails)
+- ✅ **Strong Parameters Integration** - Automatically build permitted params from policies
+- 🧪 **Test Friendly** - Easy to test policies in isolation
+- 📝 **Rails Generators** - Quickly scaffold policies for your models
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'simple_authorize'
+```
+
+And then execute:
+
+```bash
+bundle install
+rails generate simple_authorize:install
+```
+
+This will create:
+- `config/initializers/simple_authorize.rb` - Configuration file
+- `app/policies/application_policy.rb` - Base policy class
+
+## Quick Start
+
+### 1. Include SimpleAuthorize in your ApplicationController
+
+```ruby
+class ApplicationController < ActionController::Base
+  include SimpleAuthorize::Controller
+  rescue_from_authorization_errors
+end
+```
+
+### 2. Create a Policy
+
+Create a policy class for your model in `app/policies/`:
+
+```ruby
+# app/policies/post_policy.rb
+class PostPolicy < ApplicationPolicy
+  def index?
+    true
+  end
+
+  def show?
+    true
+  end
+
+  def create?
+    user.present?
+  end
+
+  def update?
+    user.present? && (record.user_id == user.id || user.admin?)
+  end
+
+  def destroy?
+    update?
+  end
+
+  class Scope < ApplicationPolicy::Scope
+    def resolve
+      if user&.admin?
+        scope.all
+      else
+        scope.where(published: true)
+      end
+    end
+  end
+end
+```
+
+### 3. Use Authorization in Your Controllers
+
+```ruby
+class PostsController < ApplicationController
+  def index
+    @posts = policy_scope(Post)
+  end
+
+  def show
+    @post = Post.find(params[:id])
+    authorize @post
+  end
+
+  def create
+    @post = Post.new(post_params)
+    authorize @post
+
+    if @post.save
+      redirect_to @post
+    else
+      render :new
+    end
+  end
+
+  private
+
+  def post_params
+    params.require(:post).permit(:title, :body, :published)
+  end
+end
+```
+
+### 4. Use in Views
+
+Check permissions in your views:
+
+```erb
+<% if policy(@post).update? %>
+  <%= link_to "Edit", edit_post_path(@post) %>
+<% end %>
+
+<% if policy(@post).destroy? %>
+  <%= link_to "Delete", post_path(@post), method: :delete %>
+<% end %>
+```
+
+## Core Concepts
+
+### Policies
+
+Policies are plain Ruby objects that encapsulate authorization logic. Each policy corresponds to a model and defines what actions users can perform.
+
+```ruby
+class PostPolicy < ApplicationPolicy
+  def update?
+    # Only the owner or an admin can update
+    user.present? && (record.user_id == user.id || user.admin?)
+  end
+end
+```
+
+### Scopes
+
+Scopes filter collections based on user permissions:
+
+```ruby
+class PostPolicy < ApplicationPolicy
+  class Scope < ApplicationPolicy::Scope
+    def resolve
+      if user&.admin?
+        scope.all
+      else
+        scope.where(published: true)
+      end
+    end
+  end
+end
+```
+
+Use in controllers:
+
+```ruby
+def index
+  @posts = policy_scope(Post)
+end
+```
+
+### Strong Parameters
+
+SimpleAuthorize can automatically build permitted parameters from policies:
+
+```ruby
+class PostPolicy < ApplicationPolicy
+  def permitted_attributes
+    if user&.admin?
+      [:title, :body, :published, :featured]
+    else
+      [:title, :body]
+    end
+  end
+end
+```
+
+Use in controllers:
+
+```ruby
+def post_params
+  policy_params(Post, :post)
+  # Or manually:
+  # params.require(:post).permit(*permitted_attributes(Post.new))
+end
+```
+
+## Advanced Features
+
+### Headless Policies
+
+For policies that don't correspond to a model:
+
+```ruby
+class DashboardPolicy < ApplicationPolicy
+  def show?
+    user&.admin?
+  end
+end
+
+# In controller:
+def show
+  authorize_headless(DashboardPolicy)
+end
+```
+
+### Custom Query Methods
+
+Define custom authorization queries:
+
+```ruby
+class PostPolicy < ApplicationPolicy
+  def publish?
+    user&.admin? || (user&.contributor? && owner?)
+  end
+end
+
+# In controller:
+authorize @post, :publish?
+```
+
+### Automatic Verification
+
+Ensure every action is authorized:
+
+```ruby
+class ApplicationController < ActionController::Base
+  include SimpleAuthorize::Controller
+  include SimpleAuthorize::Controller::AutoVerify  # Enable auto-verification
+  rescue_from_authorization_errors
+end
+```
+
+This will require `authorize` or `policy_scope` in all actions.
+
+Skip verification when needed:
+
+```ruby
+class PublicController < ApplicationController
+  skip_authorization_check :index, :show
+end
+```
+
+## Testing
+
+Test policies in isolation:
+
+```ruby
+require 'test_helper'
+
+class PostPolicyTest < ActiveSupport::TestCase
+  test "admin can update any post" do
+    admin = users(:admin)
+    post = posts(:one)
+    policy = PostPolicy.new(admin, post)
+
+    assert policy.update?
+  end
+
+  test "user can only update their own posts" do
+    user = users(:regular)
+    own_post = posts(:user_post)
+    other_post = posts(:other_post)
+
+    assert PostPolicy.new(user, own_post).update?
+    refute PostPolicy.new(user, other_post).update?
+  end
+end
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Comparison with Pundit
+
+SimpleAuthorize is heavily inspired by Pundit and offers a similar API. Key differences:
+
+| Feature | SimpleAuthorize | Pundit |
+|---------|----------------|--------|
+| Dependencies | None (Rails only) | Standalone gem |
+| Base class | `SimpleAuthorize::Policy` | `ApplicationPolicy` (user-defined) |
+| Installation | Generator creates base policy | Manual setup required |
+| Module name | `SimpleAuthorize::Controller` | `Pundit` |
+| Compatibility | Rails 6.0+ | Rails 4.0+ |
+
+Migration from Pundit is straightforward - most code will work with minimal changes.
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/scottlaplant/simple_authorize.
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+
+## Credits
+
+Created by Scott LaPlant
+
+Inspired by [Pundit](https://github.com/varvet/pundit) by Elabs

data/Rakefile

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "minitest/test_task"
+
+Minitest::TestTask.create
+
+require "rubocop/rake_task"
+
+RuboCop::RakeTask.new
+
+task default: %i[test rubocop]

data/lib/generators/simple_authorize/install/install_generator.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require "rails/generators"
+
+module SimpleAuthorize
+  module Generators
+    class InstallGenerator < Rails::Generators::Base
+      source_root File.expand_path("templates", __dir__)
+
+      desc "Creates a SimpleAuthorize initializer and ApplicationPolicy base class"
+
+      def copy_initializer
+        template "simple_authorize.rb", "config/initializers/simple_authorize.rb"
+      end
+
+      def copy_application_policy
+        template "application_policy.rb", "app/policies/application_policy.rb"
+      end
+
+      def show_readme
+        readme "README" if behavior == :invoke
+      end
+    end
+  end
+end

data/lib/generators/simple_authorize/install/templates/README

@@ -0,0 +1,80 @@
+===============================================================================
+
+  SimpleAuthorize has been installed!
+
+===============================================================================
+
+Next steps:
+
+  1. Include SimpleAuthorize::Controller in your ApplicationController:
+
+     class ApplicationController < ActionController::Base
+       include SimpleAuthorize::Controller
+       rescue_from_authorization_errors
+     end
+
+  2. Create policies for your models in app/policies/:
+
+     # app/policies/post_policy.rb
+     class PostPolicy < ApplicationPolicy
+       def index?
+         true
+       end
+
+       def show?
+         true
+       end
+
+       def create?
+         user.present?
+       end
+
+       def update?
+         user.present? && (record.user_id == user.id || user.admin?)
+       end
+
+       def destroy?
+         update?
+       end
+
+       class Scope < ApplicationPolicy::Scope
+         def resolve
+           if user&.admin?
+             scope.all
+           else
+             scope.where(published: true)
+           end
+         end
+       end
+     end
+
+  3. Use authorization in your controllers:
+
+     class PostsController < ApplicationController
+       def index
+         @posts = policy_scope(Post)
+       end
+
+       def show
+         @post = Post.find(params[:id])
+         authorize @post
+       end
+
+       def create
+         @post = Post.new(post_params)
+         authorize @post
+         # ...
+       end
+     end
+
+  4. (Optional) Enable automatic verification:
+
+     class ApplicationController < ActionController::Base
+       include SimpleAuthorize::Controller
+       include SimpleAuthorize::Controller::AutoVerify
+       rescue_from_authorization_errors
+     end
+
+For more information, see: https://github.com/yourusername/simple_authorize
+
+===============================================================================

data/lib/generators/simple_authorize/install/templates/application_policy.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+# Base policy class that all other policies inherit from
+# Inherits from SimpleAuthorize::Policy which provides default deny-all policies
+class ApplicationPolicy < SimpleAuthorize::Policy
+  # Override default policies here if needed
+  # For example, allow all logged-in users to view index:
+  # def index?
+  #   logged_in?
+  # end
+
+  # Add custom helper methods here
+  # protected
+  #
+  # def owned_by_user?
+  #   record.user_id == user&.id
+  # end
+
+  # Scope class for filtering collections
+  class Scope < SimpleAuthorize::Policy::Scope
+    # Override the resolve method to customize collection filtering
+    # def resolve
+    #   if admin?
+    #     scope.all
+    #   else
+    #     scope.where(published: true)
+    #   end
+    # end
+  end
+end

data/lib/generators/simple_authorize/install/templates/simple_authorize.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+# Configure SimpleAuthorize
+SimpleAuthorize.configure do |config|
+  # Default error message shown to users when not authorized
+  # config.default_error_message = "You are not authorized to perform this action."
+
+  # Enable automatic verification (requires including SimpleAuthorize::Controller::AutoVerify)
+  # config.auto_verify = false
+
+  # The method to call to get the current user (default: current_user)
+  # config.current_user_method = :current_user
+
+  # Custom redirect path for unauthorized access (default: uses referrer or root_path)
+  # config.unauthorized_redirect_path = "/unauthorized"
+end

data/lib/simple_authorize/configuration.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module SimpleAuthorize
+  class Configuration
+    # Default error message shown to users when not authorized
+    attr_accessor :default_error_message
+
+    # Whether to enable automatic verification (opt-in)
+    attr_accessor :auto_verify
+
+    # The method to call to get the current user (default: current_user)
+    attr_accessor :current_user_method
+
+    # Custom redirect path for unauthorized access
+    attr_accessor :unauthorized_redirect_path
+
+    def initialize
+      @default_error_message = "You are not authorized to perform this action."
+      @auto_verify = false
+      @current_user_method = :current_user
+      @unauthorized_redirect_path = nil
+    end
+  end
+
+  class << self
+    attr_writer :configuration
+
+    def configuration
+      @configuration ||= Configuration.new
+    end
+
+    def configure
+      yield(configuration)
+    end
+
+    def reset_configuration!
+      @configuration = Configuration.new
+    end
+  end
+end

data/lib/simple_authorize/controller.rb

@@ -0,0 +1,320 @@
+# frozen_string_literal: true
+
+module SimpleAuthorize
+  # Enhanced authorization system with full feature parity
+  # Provides comprehensive authorization without external dependencies
+  module Controller
+    extend ActiveSupport::Concern
+
+    # Custom error classes for authorization
+    class NotAuthorizedError < StandardError
+      attr_reader :query, :record, :policy
+
+      def initialize(options = {})
+        if options.is_a?(String)
+          # Handle plain string message
+          super(options)
+        else
+          # Handle hash options
+          @query = options[:query]
+          @record = options[:record]
+          @policy = options[:policy]
+
+          message = options[:message] || "not allowed to #{@query} this #{@record.class}"
+          super(message)
+        end
+      end
+    end
+
+    class PolicyNotDefinedError < StandardError; end
+    class AuthorizationNotPerformedError < StandardError; end
+    class PolicyScopingNotPerformedError < StandardError; end
+    # Alias for backwards compatibility
+    ScopingNotPerformedError = PolicyScopingNotPerformedError
+
+    included do
+      # Make these available as helper methods in views
+      helper_method :policy, :policy_scope, :authorized_user if respond_to?(:helper_method)
+    end
+
+    # Module to enable automatic verification - opt-in for safety
+    module AutoVerify
+      extend ActiveSupport::Concern
+
+      included do
+        # Track whether authorization was performed
+        after_action :verify_authorized, except: :index
+        after_action :verify_policy_scoped, only: :index
+      end
+    end
+
+    # Core authorization methods
+
+    def authorize(record, query = nil, policy_class: nil)
+      query ||= "#{action_name}?"
+      @_policy = policy(record, policy_class: policy_class)
+
+      unless @_policy.public_send(query)
+        raise NotAuthorizedError.new(query: query, record: record, policy: @_policy)
+      end
+
+      @authorization_performed = true
+      record
+    end
+
+    # Authorize and raise exception if not authorized
+    def authorize!(record, query = nil, policy_class: nil)
+      authorize(record, query, policy_class: policy_class)
+    end
+
+    # Get or instantiate policy for a record
+    def policy(record, policy_class: nil, namespace: nil)
+      policy_class ||= if namespace
+        policy_class_for(record, namespace: namespace)
+      else
+        policy_class_for(record)
+      end
+      policy_class.new(authorized_user, record)
+    rescue NameError
+      raise PolicyNotDefinedError, "unable to find policy `#{policy_class}` for `#{record}`"
+    end
+
+    # Ensure policy exists, raising if not found
+    def policy!(record, policy_class: nil)
+      policy(record, policy_class: policy_class)
+    end
+
+    # Scope a relation using the policy scope
+    def policy_scope(scope, policy_scope_class: nil)
+      @policy_scoping_performed = true
+
+      policy_scope_class ||= policy_scope_class_for(scope)
+      policy_scope_class.new(authorized_user, scope).resolve
+    rescue NameError
+      raise PolicyNotDefinedError, "unable to find scope `#{policy_scope_class}` for `#{scope}`"
+    end
+
+    # Ensure scope exists, raising if not found
+    def policy_scope!(scope, policy_scope_class: nil)
+      policy_scope(scope, policy_scope_class: policy_scope_class)
+    end
+
+    # Get permitted attributes for strong parameters
+    def permitted_attributes(record, action = nil)
+      action ||= action_name
+      policy = policy(record)
+      method_name = "permitted_attributes_for_#{action}"
+
+      if policy.respond_to?(method_name)
+        policy.public_send(method_name)
+      elsif policy.respond_to?(:permitted_attributes)
+        policy.permitted_attributes
+      else
+        raise PolicyNotDefinedError, "unable to find permitted attributes for #{record}"
+      end
+    end
+
+    # Automatically build permitted params from policy
+    def policy_params(record, param_key = nil)
+      param_key ||= record.model_name.param_key
+      params.require(param_key).permit(*permitted_attributes(record))
+    end
+
+    # Verify that authorization was performed
+    def verify_authorized
+      return if authorization_performed?
+      raise AuthorizationNotPerformedError, "#{self.class}##{action_name} is missing authorization"
+    end
+
+    # Verify that scoping was performed for index actions
+    def verify_policy_scoped
+      return if policy_scoped?
+      raise PolicyScopingNotPerformedError, "#{self.class}##{action_name} is missing policy scope"
+    end
+
+    # Skip authorization verification for specific actions
+    def skip_authorization
+      @authorization_performed = true
+    end
+
+    # Skip policy scope verification for specific actions
+    def skip_policy_scope
+      @policy_scoping_performed = true
+    end
+
+    # Check if authorization was performed
+    def authorization_performed?
+      @authorization_performed == true
+    end
+
+    # Check if policy scoping was performed
+    def policy_scoped?
+      @policy_scoping_performed == true
+    end
+
+    # Get the user for authorization (can be overridden)
+    def authorized_user
+      current_user
+    end
+
+    # Reset authorization tracking (useful in tests)
+    def reset_authorization
+      @authorization_performed = nil
+      @policy_scoping_performed = nil
+      @_policy = nil
+    end
+
+    # Support for headless policies (policies without a model)
+    def authorize_headless(policy_class, query = nil)
+      query ||= "#{action_name}?"
+      policy = policy_class.new(authorized_user, nil)
+
+      unless policy.public_send(query)
+        raise NotAuthorizedError.new(query: query, record: policy_class, policy: policy)
+      end
+
+      @authorization_performed = true
+      true
+    end
+
+    # Check if user can perform action without raising
+    def allowed_to?(action, record, policy_class: nil)
+      policy = policy(record, policy_class: policy_class)
+      policy.public_send("#{action}?")
+    rescue PolicyNotDefinedError
+      false
+    end
+
+    # Get all allowed actions for a record
+    def allowed_actions(record)
+      policy = policy(record)
+      actions = []
+
+      %i[index? show? create? update? destroy?].each do |method|
+        actions << method.to_s.delete("?").to_sym if policy.respond_to?(method) && policy.public_send(method)
+      end
+
+      actions
+    end
+
+    # Role helper methods
+    def admin_user?
+      current_user&.admin?
+    end
+
+    def contributor_user?
+      current_user&.contributor?
+    end
+
+    def viewer_user?
+      current_user&.viewer?
+    end
+
+    # Alias for handle_unauthorized that matches common convention
+    def user_not_authorized(exception = nil)
+      handle_unauthorized(exception)
+    end
+
+    protected
+
+    def policy_class_for(record, namespace: nil)
+      klass = record.class
+      record_class = if record.is_a?(Class)
+        record.name
+      elsif record.respond_to?(:model_name)
+        record.model_name.to_s
+      elsif klass.respond_to?(:model_name)
+        klass.model_name.to_s
+      else
+        klass.name
+      end
+
+      policy_class_name = if namespace
+        "#{namespace.to_s.camelize}::#{record_class}Policy"
+      else
+        "#{record_class}Policy"
+      end
+
+      begin
+        policy_class_name.constantize
+      rescue NameError
+        # Fall back to non-namespaced policy if namespaced one doesn't exist
+        if namespace
+          "#{record_class}Policy".constantize
+        else
+          raise
+        end
+      end
+    end
+
+    def policy_scope_class_for(scope)
+      if scope.respond_to?(:model_name)
+        "#{scope.model_name}Policy::Scope".constantize
+      elsif scope.is_a?(Class)
+        "#{scope}Policy::Scope".constantize
+      else
+        "#{scope.class}Policy::Scope".constantize
+      end
+    end
+
+    # Handle authorization errors
+    def handle_unauthorized(exception = nil)
+      flash[:alert] = "You are not authorized to perform this action."
+      safe_redirect_path = safe_referrer_path || root_path
+
+      if exception
+        redirect_to(safe_redirect_path, status: :see_other)
+      else
+        redirect_to(safe_redirect_path)
+      end
+    end
+
+    # Safely get referrer path, only if it's from our own domain
+    def safe_referrer_path
+      referrer = request.referrer
+      return nil unless referrer.present?
+
+      referrer_uri = URI.parse(referrer)
+      request_uri = URI.parse(request.url)
+
+      # Only allow referrers from the same host
+      if referrer_uri.host == request_uri.host
+        referrer_uri.path
+      else
+        nil
+      end
+    rescue URI::InvalidURIError
+      nil
+    end
+
+    # Class methods for controller configuration
+    class_methods do
+      # Rescue from authorization errors
+      def rescue_from_authorization_errors
+        rescue_from SimpleAuthorize::Controller::NotAuthorizedError, with: :handle_unauthorized
+      end
+
+      # Skip authorization for specific actions
+      def skip_authorization_check(*actions)
+        skip_after_action :verify_authorized, only: actions
+        skip_after_action :verify_policy_scoped, only: actions
+      end
+
+      # Skip all authorization checks for controller
+      def skip_all_authorization_checks
+        skip_after_action :verify_authorized
+        skip_after_action :verify_policy_scoped
+      end
+
+      # Configure which actions need authorization
+      def authorize_actions(*actions)
+        after_action :verify_authorized, only: actions
+      end
+
+      # Configure which actions need policy scoping
+      def scope_actions(*actions)
+        after_action :verify_policy_scoped, only: actions
+      end
+    end
+  end
+end

data/lib/simple_authorize/policy.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+module SimpleAuthorize
+  # Base policy class that all other policies inherit from
+  class Policy
+    attr_reader :user, :record
+
+    def initialize(user, record)
+      @user = user
+      @record = record
+    end
+
+    # Default policies - deny everything by default
+    def index?
+      false
+    end
+
+    def show?
+      false
+    end
+
+    def create?
+      false
+    end
+
+    def new?
+      create?
+    end
+
+    def update?
+      false
+    end
+
+    def edit?
+      update?
+    end
+
+    def destroy?
+      false
+    end
+
+    # Helper methods
+    protected
+
+    def admin?
+      user&.admin?
+    end
+
+    def contributor?
+      user&.contributor?
+    end
+
+    def viewer?
+      user&.viewer?
+    end
+
+    def owner?
+      record.respond_to?(:user_id) && record.user_id == user&.id
+    end
+
+    def logged_in?
+      user.present?
+    end
+
+    def can_create_content?
+      user&.can_create_content?
+    end
+
+    def can_manage_content?
+      user&.can_manage_content?
+    end
+
+    # Scope class for filtering collections
+    class Scope
+      attr_reader :user, :scope
+
+      def initialize(user, scope)
+        @user = user
+        @scope = scope
+      end
+
+      def resolve
+        scope.all
+      end
+
+      protected
+
+      def admin?
+        user&.admin?
+      end
+    end
+  end
+end

data/lib/simple_authorize/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module SimpleAuthorize
+  VERSION = "0.1.0"
+end

data/lib/simple_authorize.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require "active_support/all"
+require_relative "simple_authorize/version"
+require_relative "simple_authorize/configuration"
+require_relative "simple_authorize/controller"
+require_relative "simple_authorize/policy"
+
+module SimpleAuthorize
+  class Error < StandardError; end
+
+  # Railtie for automatic integration with Rails
+  class Railtie < Rails::Railtie
+    initializer "simple_authorize.configure" do
+      ActiveSupport.on_load(:action_controller) do
+        # Make SimpleAuthorize::Controller available as Authorization for backwards compatibility
+        ::Authorization = SimpleAuthorize::Controller unless defined?(::Authorization)
+        # Make SimpleAuthorize::Policy available as ApplicationPolicy for backwards compatibility
+        ::ApplicationPolicy = SimpleAuthorize::Policy unless defined?(::ApplicationPolicy)
+      end
+    end
+
+    # Generate initializer template
+    generators do
+      require_relative "generators/simple_authorize/install/install_generator"
+    end
+  end
+end

data/sig/simple_authorize.rbs

@@ -0,0 +1,4 @@
+module SimpleAuthorize
+  VERSION: String
+  # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+end

metadata

@@ -0,0 +1,102 @@
+--- !ruby/object:Gem::Specification
+name: simple_authorize
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Scott
+bindir: exe
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '6.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '6.0'
+- !ruby/object:Gem::Dependency
+  name: railties
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '6.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '6.0'
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '6.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '6.0'
+description: SimpleAuthorize is a lightweight authorization framework for Rails that
+  provides policy-based access control, role management, and scope filtering without
+  requiring external gems. Inspired by Pundit but completely standalone.
+email:
+- scottlaplant@users.noreply.github.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/generators/simple_authorize/install/install_generator.rb
+- lib/generators/simple_authorize/install/templates/README
+- lib/generators/simple_authorize/install/templates/application_policy.rb
+- lib/generators/simple_authorize/install/templates/simple_authorize.rb
+- lib/simple_authorize.rb
+- lib/simple_authorize/configuration.rb
+- lib/simple_authorize/controller.rb
+- lib/simple_authorize/policy.rb
+- lib/simple_authorize/version.rb
+- sig/simple_authorize.rbs
+homepage: https://github.com/scottlaplant/simple_authorize
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/scottlaplant/simple_authorize
+  source_code_uri: https://github.com/scottlaplant/simple_authorize
+  changelog_uri: https://github.com/scottlaplant/simple_authorize/blob/main/CHANGELOG.md
+  bug_tracker_uri: https://github.com/scottlaplant/simple_authorize/issues
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.0.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.9
+specification_version: 4
+summary: Simple, powerful authorization for Rails without external dependencies
+test_files: []