simple_authorize 1.0.1 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0016cdf20b078e1d8e9d67b037742260a3e07d8d73a8056aea027c182ed422dc
-  data.tar.gz: 4653aae4a3e588e3ebb94e6afb16518793a2e5b5c167b117f5c8bf6517e2ee7f
+  metadata.gz: 1e7ec7dc4e13ab781a1379671cb043b2a03956c29e32554ff00624ee57cd009a
+  data.tar.gz: d0fb3ae9757d4ccd93250a09847630e5f4958c32498bff21047cf1e903cc4c19
 SHA512:
-  metadata.gz: 8fdc1204e73d66f005d3f19893244712013300f12529b59a28e709f21552134e52e8efbb944197403be7832521cf983c15a7c1b8c46c3b2d3808dbbdc5511f2a
-  data.tar.gz: 5da4732fc1838f7a495336b4380f3bb90a523a5922fe6130e3e6b6c50cd0d2fd3d37f17f083de74ea8128871aac18f2d3a9ca7ef1e5196b225371c82e6ddd4cd
+  metadata.gz: ca8717f9564cdbe1fe7873e7c5c7f10452a8825d83170565f306272e9b5cfcbd18adf181081e3603c58e206eb743e6ee4b4b8d1a4fd477a11d5946a5bd793fea
+  data.tar.gz: cbe20818849f24ee61dec25ec75f08ba22c1bf75f5c9c2c1021cdaea3548aa01b084e009d16391c60568897148f13d2ba95e1c2817ae6c9697dea29fec9983a8

data/CHANGELOG.md

@@ -5,6 +5,25 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.1.0] - 2025-11-05
+
+### Added
+
+#### Policy Composition
+- **Reusable Policy Modules** - Built-in modules for common authorization patterns
+- **Ownable Module** - Ownership-based authorization helpers
+- **Publishable Module** - Publishing workflow authorization
+- **Timestamped Module** - Time-based access control
+- **Approvable Module** - Approval workflow helpers
+- **SoftDeletable Module** - Soft deletion authorization
+- **Custom Module Support** - Easy creation of custom authorization modules
+
+#### Context-Aware Policies
+- **Request Context** - Pass additional context to policies (IP, time, location, etc.)
+- **Controller Integration** - `authorization_context` method for building context
+- **Context in Scopes** - Context available in Policy::Scope classes
+- **Common Patterns** - Built-in support for geographic restrictions, time-based access, rate limiting
+
 ## [1.0.0] - 2025-11-03
 
 ### Added

data/README.md

@@ -11,6 +11,8 @@ SimpleAuthorize is a lightweight, powerful authorization framework for Rails tha
 - **Policy-Based Authorization** - Define authorization rules in dedicated policy classes
 - **Scope Filtering** - Automatically filter collections based on user permissions
 - **Role-Based Access** - Built-in support for role-based authorization
+- **Policy Composition** - Mix and match reusable authorization modules
+- **Context-Aware Policies** - Make authorization decisions based on request context (IP, time, location, etc.)
 - **Zero Dependencies** - No external gems required (only Rails)
 - **Strong Parameters Integration** - Automatically build permitted params from policies
 - **Test Friendly** - Easy to test policies in isolation
@@ -394,6 +396,217 @@ SimpleAuthorize.configure do |config|
 end
 ```
 
+## Policy Composition
+
+Policy Composition allows you to build complex authorization policies by combining reusable modules. This promotes DRY code and consistent authorization patterns across your application.
+
+### Using Built-in Policy Modules
+
+SimpleAuthorize provides several ready-to-use policy modules:
+
+```ruby
+class ArticlePolicy < ApplicationPolicy
+  include SimpleAuthorize::PolicyModules::Ownable
+  include SimpleAuthorize::PolicyModules::Publishable
+
+  def show?
+    published? || owner_or_admin?
+  end
+
+  def update?
+    owner_or_admin? && not_published?
+  end
+end
+```
+
+### Available Policy Modules
+
+#### Ownable
+Provides ownership-based authorization:
+- `owner?` - Check if user owns the record
+- `owner_or_admin?` - Check if user is owner or admin
+- `can_modify?` - Common pattern for modification rights
+
+#### Publishable
+For content with draft/published states:
+- `published?` - Check if record is published
+- `can_publish?` - Check if user can publish
+- `can_preview?` - Check if user can preview drafts
+
+#### Timestamped
+Time-based authorization:
+- `expired?` - Check if record has expired
+- `within_time_window?` - Check if record is in valid time range
+- `locked?` - Check if record is time-locked
+
+#### Approvable
+For approval workflows:
+- `approved?` - Check if record is approved
+- `can_approve?` - Check if user can approve (not their own content)
+- `can_submit_for_approval?` - Check if user can submit for approval
+
+#### SoftDeletable
+For soft deletion support:
+- `soft_deleted?` - Check if record is soft deleted
+- `can_restore?` - Check if user can restore
+- `can_permanently_destroy?` - Check if user can hard delete
+
+### Creating Custom Policy Modules
+
+```ruby
+module MyApp::PolicyModules::Subscribable
+  protected
+
+  def subscriber?
+    user&.subscriptions&.active&.any?
+  end
+
+  def premium_subscriber?
+    user&.subscription&.premium?
+  end
+
+  def can_access_premium_content?
+    premium_subscriber? || admin?
+  end
+end
+
+class PremiumContentPolicy < ApplicationPolicy
+  include MyApp::PolicyModules::Subscribable
+
+  def show?
+    can_access_premium_content?
+  end
+end
+```
+
+## Context-Aware Policies
+
+Context-Aware Policies allow you to make authorization decisions based on additional context beyond just the user and record. This is useful for IP-based restrictions, time-based access, rate limiting, and more.
+
+### Basic Usage
+
+Override the `authorization_context` method in your controller:
+
+```ruby
+class ApplicationController < ActionController::Base
+  include SimpleAuthorize::Controller
+
+  private
+
+  def authorization_context
+    {
+      ip_address: request.remote_ip,
+      user_agent: request.user_agent,
+      current_time: Time.current,
+      country: request.location&.country,
+      two_factor_verified: session[:two_factor_verified],
+      user_plan: current_user&.subscription&.plan
+    }
+  end
+end
+```
+
+### Using Context in Policies
+
+Access context in your policies through the `context` method:
+
+```ruby
+class SecureDocumentPolicy < ApplicationPolicy
+  def show?
+    # Require 2FA for sensitive documents
+    return false unless context[:two_factor_verified]
+
+    # Check IP restrictions
+    return false unless trusted_ip?
+
+    owner_or_admin?
+  end
+
+  private
+
+  def trusted_ip?
+    return true if context[:ip_address].nil?
+
+    trusted_ips = ["192.168.1.0/24", "10.0.0.0/8"]
+    trusted_ips.any? { |range| IPAddr.new(range).include?(context[:ip_address]) }
+  end
+end
+```
+
+### Common Context Patterns
+
+#### Geographic Restrictions
+```ruby
+class RegionalContentPolicy < ApplicationPolicy
+  def show?
+    allowed_countries = ["US", "CA", "UK"]
+    allowed_countries.include?(context[:country]) || admin?
+  end
+end
+```
+
+#### Time-Based Access
+```ruby
+class BusinessHoursPolicy < ApplicationPolicy
+  def create?
+    return true if admin?
+
+    hour = context[:current_time].hour
+    hour >= 9 && hour < 17  # 9 AM to 5 PM only
+  end
+end
+```
+
+#### Rate Limiting
+```ruby
+class ApiPolicy < ApplicationPolicy
+  def create?
+    return true if admin?
+
+    request_count = context[:request_count] || 0
+    request_count < 100  # Limit to 100 requests
+  end
+end
+```
+
+#### Plan-Based Features
+```ruby
+class ExportPolicy < ApplicationPolicy
+  def export?
+    case context[:user_plan]
+    when "enterprise"
+      true
+    when "pro"
+      owner_or_admin?
+    when "basic"
+      admin?
+    else
+      false
+    end
+  end
+end
+```
+
+### Context with Policy Scopes
+
+Context is also available in policy scopes:
+
+```ruby
+class DocumentPolicy < ApplicationPolicy
+  class Scope < ApplicationPolicy::Scope
+    def resolve
+      if context[:department]
+        scope.where(department: context[:department])
+      elsif user.admin?
+        scope.all
+      else
+        scope.where(user: user)
+      end
+    end
+  end
+end
+```
+
 ## Advanced Features
 
 ### Headless Policies

data/lib/simple_authorize/controller.rb

@@ -141,9 +141,9 @@ module SimpleAuthorize
       if SimpleAuthorize.configuration.enable_policy_cache
         policy_cache_key = build_policy_cache_key(record, policy_class)
         @_policy_cache ||= {}
-        @_policy_cache[policy_cache_key] ||= policy_class.new(authorized_user, record)
+        @_policy_cache[policy_cache_key] ||= policy_class.new(authorized_user, record, context: authorization_context)
       else
-        policy_class.new(authorized_user, record)
+        policy_class.new(authorized_user, record, context: authorization_context)
       end
     rescue NameError
       raise PolicyNotDefinedError, "unable to find policy `#{policy_class}` for `#{record}`"
@@ -163,7 +163,7 @@ module SimpleAuthorize
       error = nil
 
       begin
-        result = policy_scope_class.new(authorized_user, scope).resolve
+        result = policy_scope_class.new(authorized_user, scope, context: authorization_context).resolve
       rescue NameError
         error = PolicyNotDefinedError.new("unable to find scope `#{policy_scope_class}` for `#{scope}`")
       end
@@ -277,6 +277,26 @@ module SimpleAuthorize
       current_user
     end
 
+    # Build context for authorization (can be overridden)
+    # Override this method in your ApplicationController to provide
+    # context data for policies
+    #
+    # Example:
+    #   def authorization_context
+    #     {
+    #       ip_address: request.remote_ip,
+    #       user_agent: request.user_agent,
+    #       subdomain: request.subdomain,
+    #       current_time: Time.current,
+    #       request_count: rate_limiter.count_for(current_user),
+    #       two_factor_verified: session[:two_factor_verified],
+    #       user_plan: current_user&.subscription&.plan
+    #     }
+    #   end
+    def authorization_context
+      {}
+    end
+
     # Clear the policy cache
     def clear_policy_cache
       @_policy_cache = nil

data/lib/simple_authorize/policy.rb

@@ -5,9 +5,10 @@ module SimpleAuthorize
   class Policy
     attr_reader :user, :record
 
-    def initialize(user, record)
+    def initialize(user, record, context: nil)
       @user = user
       @record = record
+      @context = context
     end
 
     # Default policies - deny everything by default
@@ -64,6 +65,10 @@ module SimpleAuthorize
     # Helper methods
     protected
 
+    def context
+      @context || {}
+    end
+
     def admin?
       user&.admin?
     end
@@ -96,9 +101,10 @@ module SimpleAuthorize
     class Scope
       attr_reader :user, :scope
 
-      def initialize(user, scope)
+      def initialize(user, scope, context: nil)
         @user = user
         @scope = scope
+        @context = context
       end
 
       def resolve
@@ -107,6 +113,10 @@ module SimpleAuthorize
 
       protected
 
+      def context
+        @context || {}
+      end
+
       def admin?
         user&.admin?
       end

data/lib/simple_authorize/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module SimpleAuthorize
-  VERSION = "1.0.1"
+  VERSION = "1.1.0"
 end

data/lib/simple_authorize.rb

@@ -5,6 +5,7 @@ require_relative "simple_authorize/version"
 require_relative "simple_authorize/configuration"
 require_relative "simple_authorize/controller"
 require_relative "simple_authorize/policy"
+require_relative "simple_authorize/policy_modules"
 require_relative "simple_authorize/test_helpers"
 
 # SimpleAuthorize provides a lightweight authorization framework for Rails applications

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: simple_authorize
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 1.1.0
 platform: ruby
 authors:
 - Scott
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-11-04 00:00:00.000000000 Z
+date: 2025-11-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport