simple_authorize 1.0.1 → 1.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0016cdf20b078e1d8e9d67b037742260a3e07d8d73a8056aea027c182ed422dc
-  data.tar.gz: 4653aae4a3e588e3ebb94e6afb16518793a2e5b5c167b117f5c8bf6517e2ee7f
+  metadata.gz: b16462d63472a968792e6272f876b82beba2fadb48a675a5cb2d8d03dedec42f
+  data.tar.gz: 42553420c691366876062a93597613386542b26f997b42424d4fb8233aa09802
 SHA512:
-  metadata.gz: 8fdc1204e73d66f005d3f19893244712013300f12529b59a28e709f21552134e52e8efbb944197403be7832521cf983c15a7c1b8c46c3b2d3808dbbdc5511f2a
-  data.tar.gz: 5da4732fc1838f7a495336b4380f3bb90a523a5922fe6130e3e6b6c50cd0d2fd3d37f17f083de74ea8128871aac18f2d3a9ca7ef1e5196b225371c82e6ddd4cd
+  metadata.gz: 4013198e95c910dd1377835fab2701494666217ee87081621e6121e3a9750cf41cbad210583c6ff52ef95d5d7be7c9350e5966ccb350cc877da64b1f482ac2f8
+  data.tar.gz: 5fdc05879861c05aa16763b5fa7d3331e7fed2cf6d4e8443f7109fac0570f979dd584073774a557333157544f8ec223386fe6705ea64abc80f5283abb586cbd4

data/CHANGELOG.md

@@ -5,6 +5,33 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.1.1] - 2025-11-05
+
+### Fixed
+- RuboCop compliance for all new policy modules
+- Method naming convention (`standard_permissions` instead of `standard_permissions?`)
+- Simplified conditional logic in Approvable module
+- Code style improvements across test files
+
+## [1.1.0] - 2025-11-05
+
+### Added
+
+#### Policy Composition
+- **Reusable Policy Modules** - Built-in modules for common authorization patterns
+- **Ownable Module** - Ownership-based authorization helpers
+- **Publishable Module** - Publishing workflow authorization
+- **Timestamped Module** - Time-based access control
+- **Approvable Module** - Approval workflow helpers
+- **SoftDeletable Module** - Soft deletion authorization
+- **Custom Module Support** - Easy creation of custom authorization modules
+
+#### Context-Aware Policies
+- **Request Context** - Pass additional context to policies (IP, time, location, etc.)
+- **Controller Integration** - `authorization_context` method for building context
+- **Context in Scopes** - Context available in Policy::Scope classes
+- **Common Patterns** - Built-in support for geographic restrictions, time-based access, rate limiting
+
 ## [1.0.0] - 2025-11-03
 
 ### Added

data/CLAUDE.md

@@ -0,0 +1 @@
+- do not automatically commit or push to the repo, please

data/README.md

@@ -11,6 +11,8 @@ SimpleAuthorize is a lightweight, powerful authorization framework for Rails tha
 - **Policy-Based Authorization** - Define authorization rules in dedicated policy classes
 - **Scope Filtering** - Automatically filter collections based on user permissions
 - **Role-Based Access** - Built-in support for role-based authorization
+- **Policy Composition** - Mix and match reusable authorization modules
+- **Context-Aware Policies** - Make authorization decisions based on request context (IP, time, location, etc.)
 - **Zero Dependencies** - No external gems required (only Rails)
 - **Strong Parameters Integration** - Automatically build permitted params from policies
 - **Test Friendly** - Easy to test policies in isolation
@@ -394,6 +396,217 @@ SimpleAuthorize.configure do |config|
 end
 ```
 
+## Policy Composition
+
+Policy Composition allows you to build complex authorization policies by combining reusable modules. This promotes DRY code and consistent authorization patterns across your application.
+
+### Using Built-in Policy Modules
+
+SimpleAuthorize provides several ready-to-use policy modules:
+
+```ruby
+class ArticlePolicy < ApplicationPolicy
+  include SimpleAuthorize::PolicyModules::Ownable
+  include SimpleAuthorize::PolicyModules::Publishable
+
+  def show?
+    published? || owner_or_admin?
+  end
+
+  def update?
+    owner_or_admin? && not_published?
+  end
+end
+```
+
+### Available Policy Modules
+
+#### Ownable
+Provides ownership-based authorization:
+- `owner?` - Check if user owns the record
+- `owner_or_admin?` - Check if user is owner or admin
+- `can_modify?` - Common pattern for modification rights
+
+#### Publishable
+For content with draft/published states:
+- `published?` - Check if record is published
+- `can_publish?` - Check if user can publish
+- `can_preview?` - Check if user can preview drafts
+
+#### Timestamped
+Time-based authorization:
+- `expired?` - Check if record has expired
+- `within_time_window?` - Check if record is in valid time range
+- `locked?` - Check if record is time-locked
+
+#### Approvable
+For approval workflows:
+- `approved?` - Check if record is approved
+- `can_approve?` - Check if user can approve (not their own content)
+- `can_submit_for_approval?` - Check if user can submit for approval
+
+#### SoftDeletable
+For soft deletion support:
+- `soft_deleted?` - Check if record is soft deleted
+- `can_restore?` - Check if user can restore
+- `can_permanently_destroy?` - Check if user can hard delete
+
+### Creating Custom Policy Modules
+
+```ruby
+module MyApp::PolicyModules::Subscribable
+  protected
+
+  def subscriber?
+    user&.subscriptions&.active&.any?
+  end
+
+  def premium_subscriber?
+    user&.subscription&.premium?
+  end
+
+  def can_access_premium_content?
+    premium_subscriber? || admin?
+  end
+end
+
+class PremiumContentPolicy < ApplicationPolicy
+  include MyApp::PolicyModules::Subscribable
+
+  def show?
+    can_access_premium_content?
+  end
+end
+```
+
+## Context-Aware Policies
+
+Context-Aware Policies allow you to make authorization decisions based on additional context beyond just the user and record. This is useful for IP-based restrictions, time-based access, rate limiting, and more.
+
+### Basic Usage
+
+Override the `authorization_context` method in your controller:
+
+```ruby
+class ApplicationController < ActionController::Base
+  include SimpleAuthorize::Controller
+
+  private
+
+  def authorization_context
+    {
+      ip_address: request.remote_ip,
+      user_agent: request.user_agent,
+      current_time: Time.current,
+      country: request.location&.country,
+      two_factor_verified: session[:two_factor_verified],
+      user_plan: current_user&.subscription&.plan
+    }
+  end
+end
+```
+
+### Using Context in Policies
+
+Access context in your policies through the `context` method:
+
+```ruby
+class SecureDocumentPolicy < ApplicationPolicy
+  def show?
+    # Require 2FA for sensitive documents
+    return false unless context[:two_factor_verified]
+
+    # Check IP restrictions
+    return false unless trusted_ip?
+
+    owner_or_admin?
+  end
+
+  private
+
+  def trusted_ip?
+    return true if context[:ip_address].nil?
+
+    trusted_ips = ["192.168.1.0/24", "10.0.0.0/8"]
+    trusted_ips.any? { |range| IPAddr.new(range).include?(context[:ip_address]) }
+  end
+end
+```
+
+### Common Context Patterns
+
+#### Geographic Restrictions
+```ruby
+class RegionalContentPolicy < ApplicationPolicy
+  def show?
+    allowed_countries = ["US", "CA", "UK"]
+    allowed_countries.include?(context[:country]) || admin?
+  end
+end
+```
+
+#### Time-Based Access
+```ruby
+class BusinessHoursPolicy < ApplicationPolicy
+  def create?
+    return true if admin?
+
+    hour = context[:current_time].hour
+    hour >= 9 && hour < 17  # 9 AM to 5 PM only
+  end
+end
+```
+
+#### Rate Limiting
+```ruby
+class ApiPolicy < ApplicationPolicy
+  def create?
+    return true if admin?
+
+    request_count = context[:request_count] || 0
+    request_count < 100  # Limit to 100 requests
+  end
+end
+```
+
+#### Plan-Based Features
+```ruby
+class ExportPolicy < ApplicationPolicy
+  def export?
+    case context[:user_plan]
+    when "enterprise"
+      true
+    when "pro"
+      owner_or_admin?
+    when "basic"
+      admin?
+    else
+      false
+    end
+  end
+end
+```
+
+### Context with Policy Scopes
+
+Context is also available in policy scopes:
+
+```ruby
+class DocumentPolicy < ApplicationPolicy
+  class Scope < ApplicationPolicy::Scope
+    def resolve
+      if context[:department]
+        scope.where(department: context[:department])
+      elsif user.admin?
+        scope.all
+      else
+        scope.where(user: user)
+      end
+    end
+  end
+end
+```
+
 ## Advanced Features
 
 ### Headless Policies

data/lib/simple_authorize/controller.rb

@@ -141,9 +141,9 @@ module SimpleAuthorize
       if SimpleAuthorize.configuration.enable_policy_cache
         policy_cache_key = build_policy_cache_key(record, policy_class)
         @_policy_cache ||= {}
-        @_policy_cache[policy_cache_key] ||= policy_class.new(authorized_user, record)
+        @_policy_cache[policy_cache_key] ||= policy_class.new(authorized_user, record, context: authorization_context)
       else
-        policy_class.new(authorized_user, record)
+        policy_class.new(authorized_user, record, context: authorization_context)
       end
     rescue NameError
       raise PolicyNotDefinedError, "unable to find policy `#{policy_class}` for `#{record}`"
@@ -163,7 +163,7 @@ module SimpleAuthorize
       error = nil
 
       begin
-        result = policy_scope_class.new(authorized_user, scope).resolve
+        result = policy_scope_class.new(authorized_user, scope, context: authorization_context).resolve
       rescue NameError
         error = PolicyNotDefinedError.new("unable to find scope `#{policy_scope_class}` for `#{scope}`")
       end
@@ -277,6 +277,26 @@ module SimpleAuthorize
       current_user
     end
 
+    # Build context for authorization (can be overridden)
+    # Override this method in your ApplicationController to provide
+    # context data for policies
+    #
+    # Example:
+    #   def authorization_context
+    #     {
+    #       ip_address: request.remote_ip,
+    #       user_agent: request.user_agent,
+    #       subdomain: request.subdomain,
+    #       current_time: Time.current,
+    #       request_count: rate_limiter.count_for(current_user),
+    #       two_factor_verified: session[:two_factor_verified],
+    #       user_plan: current_user&.subscription&.plan
+    #     }
+    #   end
+    def authorization_context
+      {}
+    end
+
     # Clear the policy cache
     def clear_policy_cache
       @_policy_cache = nil

data/lib/simple_authorize/policy.rb

@@ -5,9 +5,10 @@ module SimpleAuthorize
   class Policy
     attr_reader :user, :record
 
-    def initialize(user, record)
+    def initialize(user, record, context: nil)
       @user = user
       @record = record
+      @context = context
     end
 
     # Default policies - deny everything by default
@@ -64,6 +65,10 @@ module SimpleAuthorize
     # Helper methods
     protected
 
+    def context
+      @context || {}
+    end
+
     def admin?
       user&.admin?
     end
@@ -96,9 +101,10 @@ module SimpleAuthorize
     class Scope
       attr_reader :user, :scope
 
-      def initialize(user, scope)
+      def initialize(user, scope, context: nil)
         @user = user
         @scope = scope
+        @context = context
       end
 
       def resolve
@@ -107,6 +113,10 @@ module SimpleAuthorize
 
       protected
 
+      def context
+        @context || {}
+      end
+
       def admin?
         user&.admin?
       end

data/lib/simple_authorize/policy_modules/approvable.rb

@@ -0,0 +1,117 @@
+# frozen_string_literal: true
+
+module SimpleAuthorize
+  module PolicyModules
+    # Provides approval workflow authorization methods
+    #
+    # Include this module for content that requires approval:
+    #
+    #   class DocumentPolicy < SimpleAuthorize::Policy
+    #     include SimpleAuthorize::PolicyModules::Approvable
+    #
+    #     def update?
+    #       not_approved? && (owner? || admin?)
+    #     end
+    #   end
+    #
+    # Assumes records have approval-related fields like approved, approved_at,
+    # approval_status, pending_approval, etc.
+    module Approvable
+      protected
+
+      # Check if the record is approved
+      def approved?
+        return false unless record
+
+        if record.respond_to?(:approved?)
+          record.approved?
+        elsif record.respond_to?(:approved)
+          record.approved == true
+        elsif record.respond_to?(:approval_status)
+          record.approval_status == "approved"
+        elsif record.respond_to?(:approved_at)
+          record.approved_at.present?
+        else
+          false
+        end
+      end
+
+      # Check if the record is pending approval
+      def pending_approval?
+        return false unless record
+
+        if record.respond_to?(:pending_approval?)
+          record.pending_approval?
+        elsif record.respond_to?(:pending_approval)
+          record.pending_approval == true
+        elsif record.respond_to?(:approval_status)
+          record.approval_status == "pending"
+        elsif record.respond_to?(:submitted_for_approval_at)
+          record.submitted_for_approval_at.present? && !approved? && !rejected?
+        else
+          false
+        end
+      end
+
+      # Check if the record is rejected
+      def rejected?
+        return false unless record
+
+        if record.respond_to?(:rejected?)
+          record.rejected?
+        elsif record.respond_to?(:rejected)
+          record.rejected == true
+        elsif record.respond_to?(:approval_status)
+          record.approval_status == "rejected"
+        elsif record.respond_to?(:rejected_at)
+          record.rejected_at.present?
+        else
+          false
+        end
+      end
+
+      # Check if the record is not approved
+      def not_approved?
+        !approved?
+      end
+
+      # Check if user can approve (cannot approve own content)
+      def can_approve?
+        return false unless logged_in?
+
+        if admin?
+          true
+        elsif contributor?
+          # Contributors can approve others' content but not their own
+          !owner?
+        else
+          false
+        end
+      end
+
+      # Check if user can reject
+      def can_reject?
+        can_approve?
+      end
+
+      # Check if user can submit for approval
+      def can_submit_for_approval?
+        owner? && not_approved? && !pending_approval?
+      end
+
+      # Check if user can withdraw from approval
+      def can_withdraw_approval?
+        owner? && pending_approval?
+      end
+
+      # Check if content can be edited (typically not after approval)
+      def can_edit_with_approval?
+        if approved?
+          admin? # Only admins can edit approved content
+        else
+          owner? || admin? # Owner can edit rejected or unapproved content
+        end
+      end
+    end
+  end
+end

data/lib/simple_authorize/policy_modules/ownable.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module SimpleAuthorize
+  module PolicyModules
+    # Provides ownership-based authorization methods
+    #
+    # Include this module in your policy to add owner-based permissions:
+    #
+    #   class PostPolicy < SimpleAuthorize::Policy
+    #     include SimpleAuthorize::PolicyModules::Ownable
+    #
+    #     def show?
+    #       published? || owner_or_admin?
+    #     end
+    #   end
+    #
+    # This module assumes your record has a `user_id` field that matches
+    # the user's ID. Override the `owner?` method if you need different logic.
+    module Ownable
+      protected
+
+      # Check if the current user owns the record
+      def owner?
+        return false unless user && record
+
+        if record.respond_to?(:user_id)
+          record.user_id == user.id
+        elsif record.respond_to?(:user)
+          record.user == user
+        elsif record.respond_to?(:owner_id)
+          record.owner_id == user.id
+        elsif record.respond_to?(:owner)
+          record.owner == user
+        else
+          false
+        end
+      end
+
+      # Check if the user is the owner or an admin
+      def owner_or_admin?
+        owner? || admin?
+      end
+
+      # Check if the user is the owner or a contributor
+      def owner_or_contributor?
+        owner? || contributor?
+      end
+
+      # Common pattern: owners and admins can modify
+      def can_modify?
+        owner_or_admin?
+      end
+
+      # Common pattern: anyone can view, but only owners/admins can modify
+      def standard_permissions
+        {
+          show: true,
+          create: logged_in?,
+          update: owner_or_admin?,
+          destroy: owner_or_admin?
+        }
+      end
+    end
+  end
+end

data/lib/simple_authorize/policy_modules/publishable.rb

@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+
+module SimpleAuthorize
+  module PolicyModules
+    # Provides publishing workflow authorization methods
+    #
+    # Include this module for content that has draft/published states:
+    #
+    #   class ArticlePolicy < SimpleAuthorize::Policy
+    #     include SimpleAuthorize::PolicyModules::Publishable
+    #
+    #     def show?
+    #       published? || can_preview?
+    #     end
+    #   end
+    #
+    # This module assumes your record responds to `published?` or has a
+    # `published` boolean field, and optionally `published_at` timestamp.
+    module Publishable
+      protected
+
+      # Check if the record is published
+      def published?
+        return false unless record
+
+        if record.respond_to?(:published?)
+          record.published?
+        elsif record.respond_to?(:published)
+          record.published == true
+        elsif record.respond_to?(:status)
+          record.status == "published"
+        elsif record.respond_to?(:published_at)
+          record.published_at && record.published_at <= Time.current
+        else
+          false
+        end
+      end
+
+      # Check if the record is a draft
+      def draft?
+        !published?
+      end
+
+      # Check if user can publish content
+      def can_publish?
+        admin? || (contributor? && owner?)
+      end
+
+      # Check if user can unpublish content
+      def can_unpublish?
+        admin? || (owner? && contributor?)
+      end
+
+      # Check if user can preview unpublished content
+      def can_preview?
+        owner? || admin? || contributor?
+      end
+
+      # Check if user can schedule publication
+      def can_schedule?
+        return false unless record.respond_to?(:scheduled_at) || record.respond_to?(:publish_at)
+
+        can_publish?
+      end
+
+      # Filter attributes based on published state
+      def publishable_visible_attributes(base_attributes = [])
+        if published? || can_preview?
+          base_attributes
+        else
+          base_attributes - sensitive_draft_attributes
+        end
+      end
+
+      # Attributes that should be hidden in draft state
+      def sensitive_draft_attributes
+        %i[internal_notes draft_notes review_comments]
+      end
+    end
+  end
+end

data/lib/simple_authorize/policy_modules/soft_deletable.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+module SimpleAuthorize
+  module PolicyModules
+    # Provides soft deletion authorization methods
+    #
+    # Include this module for records that support soft deletion:
+    #
+    #   class CommentPolicy < SimpleAuthorize::Policy
+    #     include SimpleAuthorize::PolicyModules::SoftDeletable
+    #
+    #     def destroy?
+    #       soft_deletable? && (owner? || admin?)
+    #     end
+    #   end
+    #
+    # Assumes records have a deleted_at timestamp or similar field.
+    module SoftDeletable
+      protected
+
+      # Check if the record is soft deleted
+      def soft_deleted?
+        return false unless record
+
+        if record.respond_to?(:deleted?)
+          record.deleted?
+        elsif record.respond_to?(:deleted_at)
+          record.deleted_at.present?
+        elsif record.respond_to?(:trashed?)
+          record.trashed?
+        elsif record.respond_to?(:archived?)
+          record.archived?
+        else
+          false
+        end
+      end
+
+      # Check if the record is not soft deleted
+      def not_deleted?
+        !soft_deleted?
+      end
+
+      # Check if the record supports soft deletion
+      def soft_deletable?
+        record && (
+          record.respond_to?(:deleted_at) ||
+          record.respond_to?(:deleted?) ||
+          record.respond_to?(:trash!) ||
+          record.respond_to?(:archive!)
+        )
+      end
+
+      # Check if user can restore soft deleted records
+      def can_restore?
+        soft_deleted? && (admin? || (owner? && within_restore_window?))
+      end
+
+      # Check if user can permanently delete
+      def can_permanently_destroy?
+        admin?
+      end
+
+      # Check if we're within the restore window (default 30 days)
+      def within_restore_window?(days = 30)
+        return true unless soft_deleted?
+        return true unless record.respond_to?(:deleted_at)
+
+        record.deleted_at > days.days.ago
+      end
+
+      # Check if user can view soft deleted records
+      def can_view_deleted?
+        admin? || (owner? && within_restore_window?)
+      end
+
+      # Standard destroy that respects soft delete
+      def safe_destroy?
+        if soft_deletable?
+          # Soft delete if supported
+          owner_or_admin?
+        else
+          # Hard delete requires admin
+          admin?
+        end
+      end
+    end
+  end
+end

data/lib/simple_authorize/policy_modules/timestamped.rb

@@ -0,0 +1,104 @@
+# frozen_string_literal: true
+
+module SimpleAuthorize
+  module PolicyModules
+    # Provides time-based authorization methods
+    #
+    # Include this module for time-sensitive permissions:
+    #
+    #   class EventPolicy < SimpleAuthorize::Policy
+    #     include SimpleAuthorize::PolicyModules::Timestamped
+    #
+    #     def update?
+    #       not_expired? && (owner? || admin?)
+    #     end
+    #   end
+    #
+    # Works with records that have timestamp fields like expired_at,
+    # starts_at, ends_at, valid_until, etc.
+    module Timestamped
+      protected
+
+      # Check if the record has expired
+      def expired?
+        return false unless record
+
+        if record.respond_to?(:expired_at)
+          record.expired_at && record.expired_at < Time.current
+        elsif record.respond_to?(:expires_at)
+          record.expires_at && record.expires_at < Time.current
+        elsif record.respond_to?(:valid_until)
+          record.valid_until && record.valid_until < Time.current
+        elsif record.respond_to?(:ends_at)
+          record.ends_at && record.ends_at < Time.current
+        else
+          false
+        end
+      end
+
+      # Check if the record is not expired
+      def not_expired?
+        !expired?
+      end
+
+      # Check if the record is active (started but not ended)
+      def active?
+        started? && !ended?
+      end
+
+      # Check if the record has started
+      def started?
+        return true unless record
+
+        if record.respond_to?(:starts_at)
+          record.starts_at.nil? || record.starts_at <= Time.current
+        elsif record.respond_to?(:available_from)
+          record.available_from.nil? || record.available_from <= Time.current
+        elsif record.respond_to?(:valid_from)
+          record.valid_from.nil? || record.valid_from <= Time.current
+        else
+          true
+        end
+      end
+
+      # Check if the record has ended
+      def ended?
+        expired?
+      end
+
+      # Check if record is within a time window
+      def within_time_window?
+        started? && not_expired?
+      end
+
+      # Check if the record is locked (cannot be modified)
+      def locked?
+        return false unless record
+
+        if record.respond_to?(:locked_at)
+          record.locked_at && record.locked_at < Time.current
+        elsif record.respond_to?(:locked?)
+          record.locked?
+        elsif record.respond_to?(:frozen_at)
+          record.frozen_at && record.frozen_at < Time.current
+        else
+          false
+        end
+      end
+
+      # Check if record can be modified (not locked or expired)
+      def can_modify_time_based?
+        !locked? && not_expired?
+      end
+
+      # Business hours check (useful with context)
+      def within_business_hours?(time = Time.current)
+        hour = time.hour
+        weekday = time.wday
+
+        # Monday-Friday, 9 AM - 5 PM
+        weekday.between?(1, 5) && hour >= 9 && hour < 17
+      end
+    end
+  end
+end

data/lib/simple_authorize/policy_modules.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+# Require all policy modules
+require_relative "policy_modules/ownable"
+require_relative "policy_modules/publishable"
+require_relative "policy_modules/timestamped"
+require_relative "policy_modules/approvable"
+require_relative "policy_modules/soft_deletable"
+
+module SimpleAuthorize
+  # Collection of reusable policy modules for common authorization patterns
+  #
+  # These modules can be mixed into your policy classes to add common
+  # authorization functionality without duplicating code.
+  #
+  # Example:
+  #   class ArticlePolicy < SimpleAuthorize::Policy
+  #     include SimpleAuthorize::PolicyModules::Ownable
+  #     include SimpleAuthorize::PolicyModules::Publishable
+  #
+  #     def show?
+  #       published? || owner_or_admin?
+  #     end
+  #   end
+  module PolicyModules
+  end
+end

data/lib/simple_authorize/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module SimpleAuthorize
-  VERSION = "1.0.1"
+  VERSION = "1.1.1"
 end

data/lib/simple_authorize.rb

@@ -5,6 +5,7 @@ require_relative "simple_authorize/version"
 require_relative "simple_authorize/configuration"
 require_relative "simple_authorize/controller"
 require_relative "simple_authorize/policy"
+require_relative "simple_authorize/policy_modules"
 require_relative "simple_authorize/test_helpers"
 
 # SimpleAuthorize provides a lightweight authorization framework for Rails applications

data/spec/examples.txt

@@ -3,49 +3,49 @@ example_id                             | status | run_time        |
 ./spec/rspec_matchers_spec.rb[1:1:1:1] | passed | 0.00003 seconds |
 ./spec/rspec_matchers_spec.rb[1:1:1:2] | passed | 0.00003 seconds |
 ./spec/rspec_matchers_spec.rb[1:1:1:3] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:1:2:1] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:1:2:1] | passed | 0.00003 seconds |
 ./spec/rspec_matchers_spec.rb[1:1:2:2] | passed | 0.00004 seconds |
 ./spec/rspec_matchers_spec.rb[1:1:3:1] | passed | 0.00004 seconds |
 ./spec/rspec_matchers_spec.rb[1:1:3:2] | passed | 0.00004 seconds |
 ./spec/rspec_matchers_spec.rb[1:1:4:1] | passed | 0.00003 seconds |
-./spec/rspec_matchers_spec.rb[1:1:4:2] | passed | 0.00012 seconds |
-./spec/rspec_matchers_spec.rb[1:2:1:1] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:1:4:2] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:2:1:1] | passed | 0.00004 seconds |
 ./spec/rspec_matchers_spec.rb[1:2:1:2] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:2:2:1] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:2:2:2] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:2:2:1] | passed | 0.00005 seconds |
+./spec/rspec_matchers_spec.rb[1:2:2:2] | passed | 0.00014 seconds |
 ./spec/rspec_matchers_spec.rb[1:2:3:1] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:2:3:2] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:2:4:1] | passed | 0.00003 seconds |
-./spec/rspec_matchers_spec.rb[1:2:4:2] | passed | 0.00003 seconds |
-./spec/rspec_matchers_spec.rb[1:3:1:1] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:3:1:2] | passed | 0.00011 seconds |
+./spec/rspec_matchers_spec.rb[1:2:3:2] | passed | 0.00006 seconds |
+./spec/rspec_matchers_spec.rb[1:2:4:1] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:2:4:2] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:3:1:1] | passed | 0.00028 seconds |
+./spec/rspec_matchers_spec.rb[1:3:1:2] | passed | 0.00028 seconds |
 ./spec/rspec_matchers_spec.rb[1:3:1:3] | passed | 0.00005 seconds |
-./spec/rspec_matchers_spec.rb[1:3:2:1] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:3:2:1] | passed | 0.00034 seconds |
 ./spec/rspec_matchers_spec.rb[1:3:3:1] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:3:3:2] | passed | 0.00005 seconds |
-./spec/rspec_matchers_spec.rb[1:3:4:1] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:3:3:2] | passed | 0.00027 seconds |
+./spec/rspec_matchers_spec.rb[1:3:4:1] | passed | 0.0004 seconds  |
 ./spec/rspec_matchers_spec.rb[1:3:4:2] | passed | 0.00003 seconds |
-./spec/rspec_matchers_spec.rb[1:4:1:1] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:4:1:1] | passed | 0.00004 seconds |
 ./spec/rspec_matchers_spec.rb[1:4:2:1] | passed | 0.00003 seconds |
 ./spec/rspec_matchers_spec.rb[1:4:2:2] | passed | 0.00004 seconds |
 ./spec/rspec_matchers_spec.rb[1:4:3:1] | passed | 0.00004 seconds |
 ./spec/rspec_matchers_spec.rb[1:4:4:1] | passed | 0.00003 seconds |
 ./spec/rspec_matchers_spec.rb[1:4:4:2] | passed | 0.00003 seconds |
-./spec/rspec_matchers_spec.rb[1:5:1:1] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:5:1:1] | passed | 0.00004 seconds |
 ./spec/rspec_matchers_spec.rb[1:5:1:2] | passed | 0.00003 seconds |
 ./spec/rspec_matchers_spec.rb[1:5:2:1] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:5:3:1] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:5:3:2] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:5:3:1] | passed | 0.00006 seconds |
+./spec/rspec_matchers_spec.rb[1:5:3:2] | passed | 0.00004 seconds |
 ./spec/rspec_matchers_spec.rb[1:5:4:1] | passed | 0.00003 seconds |
-./spec/rspec_matchers_spec.rb[1:5:4:2] | passed | 0.00003 seconds |
-./spec/rspec_matchers_spec.rb[1:6:1:1] | passed | 0.00003 seconds |
-./spec/rspec_matchers_spec.rb[1:6:2:1] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:5:4:2] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:6:1:1] | passed | 0.0004 seconds  |
+./spec/rspec_matchers_spec.rb[1:6:2:1] | passed | 0.00037 seconds |
 ./spec/rspec_matchers_spec.rb[1:6:2:2] | passed | 0.00004 seconds |
 ./spec/rspec_matchers_spec.rb[1:6:3:1] | passed | 0.00004 seconds |
 ./spec/rspec_matchers_spec.rb[1:6:3:2] | passed | 0.00004 seconds |
 ./spec/rspec_matchers_spec.rb[1:6:4:1] | passed | 0.00003 seconds |
-./spec/rspec_matchers_spec.rb[1:6:4:2] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:6:4:2] | passed | 0.00035 seconds |
 ./spec/rspec_matchers_spec.rb[1:7:1:1] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:7:1:2] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:7:1:3] | passed | 0.00005 seconds |
-./spec/rspec_matchers_spec.rb[1:7:2:1] | passed | 0.00118 seconds |
+./spec/rspec_matchers_spec.rb[1:7:1:2] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:7:1:3] | passed | 0.00035 seconds |
+./spec/rspec_matchers_spec.rb[1:7:2:1] | passed | 0.00128 seconds |

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: simple_authorize
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 1.1.1
 platform: ruby
 authors:
 - Scott
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-11-04 00:00:00.000000000 Z
+date: 2025-11-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -92,6 +92,7 @@ files:
 - ".overcommit.yml"
 - ".simplecov"
 - CHANGELOG.md
+- CLAUDE.md
 - CODE_OF_CONDUCT.md
 - CONTRIBUTING.md
 - LICENSE.txt
@@ -110,6 +111,12 @@ files:
 - lib/simple_authorize/configuration.rb
 - lib/simple_authorize/controller.rb
 - lib/simple_authorize/policy.rb
+- lib/simple_authorize/policy_modules.rb
+- lib/simple_authorize/policy_modules/approvable.rb
+- lib/simple_authorize/policy_modules/ownable.rb
+- lib/simple_authorize/policy_modules/publishable.rb
+- lib/simple_authorize/policy_modules/soft_deletable.rb
+- lib/simple_authorize/policy_modules/timestamped.rb
 - lib/simple_authorize/railtie.rb
 - lib/simple_authorize/rspec.rb
 - lib/simple_authorize/test_helpers.rb