simple_authorize 1.1.0 → 1.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1e7ec7dc4e13ab781a1379671cb043b2a03956c29e32554ff00624ee57cd009a
-  data.tar.gz: d0fb3ae9757d4ccd93250a09847630e5f4958c32498bff21047cf1e903cc4c19
+  metadata.gz: d7cac68cb5e079e85692c4c66db6bfa9dad982034b215fad992c2bef9a3edbee
+  data.tar.gz: 1169e220c001ae24ee1a121b4b5dcc0eb0038f30675bdcfde281c3a8736f6d49
 SHA512:
-  metadata.gz: ca8717f9564cdbe1fe7873e7c5c7f10452a8825d83170565f306272e9b5cfcbd18adf181081e3603c58e206eb743e6ee4b4b8d1a4fd477a11d5946a5bd793fea
-  data.tar.gz: cbe20818849f24ee61dec25ec75f08ba22c1bf75f5c9c2c1021cdaea3548aa01b084e009d16391c60568897148f13d2ba95e1c2817ae6c9697dea29fec9983a8
+  metadata.gz: '003297705b5a590b92ffaa273e5d16ce9fbbc5c70f2a3b6f9eabf2bb75f9f9685378c3ff4b7556023c86c9d599cba8b318219bea56b318854d10e1032e4c9b79'
+  data.tar.gz: c3dbd9bb4c31a9ee0fc494410501c14b9710508485c4fd7d9110c2b43a33bcc0fa784738f522ea36dded888398f0629d721b3d3ac1905a6c5954f552f5fcd76d

data/CHANGELOG.md

@@ -5,6 +5,19 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.1.2] - 2025-11-05
+
+### Fixed
+- RuboCop compliance for all new policy modules
+- Method naming convention (`standard_permissions` instead of `standard_permissions?`)
+- Simplified conditional logic in Approvable module
+- Code style improvements across test files
+
+## [1.1.1] - 2025-11-05
+
+### Added
+- Initial release of Policy Composition and Context-Aware Policies (incomplete)
+
 ## [1.1.0] - 2025-11-05
 
 ### Added

data/CLAUDE.md

@@ -0,0 +1 @@
+- do not automatically commit or push to the repo, please

data/lib/simple_authorize/policy_modules/approvable.rb

@@ -0,0 +1,117 @@
+# frozen_string_literal: true
+
+module SimpleAuthorize
+  module PolicyModules
+    # Provides approval workflow authorization methods
+    #
+    # Include this module for content that requires approval:
+    #
+    #   class DocumentPolicy < SimpleAuthorize::Policy
+    #     include SimpleAuthorize::PolicyModules::Approvable
+    #
+    #     def update?
+    #       not_approved? && (owner? || admin?)
+    #     end
+    #   end
+    #
+    # Assumes records have approval-related fields like approved, approved_at,
+    # approval_status, pending_approval, etc.
+    module Approvable
+      protected
+
+      # Check if the record is approved
+      def approved?
+        return false unless record
+
+        if record.respond_to?(:approved?)
+          record.approved?
+        elsif record.respond_to?(:approved)
+          record.approved == true
+        elsif record.respond_to?(:approval_status)
+          record.approval_status == "approved"
+        elsif record.respond_to?(:approved_at)
+          record.approved_at.present?
+        else
+          false
+        end
+      end
+
+      # Check if the record is pending approval
+      def pending_approval?
+        return false unless record
+
+        if record.respond_to?(:pending_approval?)
+          record.pending_approval?
+        elsif record.respond_to?(:pending_approval)
+          record.pending_approval == true
+        elsif record.respond_to?(:approval_status)
+          record.approval_status == "pending"
+        elsif record.respond_to?(:submitted_for_approval_at)
+          record.submitted_for_approval_at.present? && !approved? && !rejected?
+        else
+          false
+        end
+      end
+
+      # Check if the record is rejected
+      def rejected?
+        return false unless record
+
+        if record.respond_to?(:rejected?)
+          record.rejected?
+        elsif record.respond_to?(:rejected)
+          record.rejected == true
+        elsif record.respond_to?(:approval_status)
+          record.approval_status == "rejected"
+        elsif record.respond_to?(:rejected_at)
+          record.rejected_at.present?
+        else
+          false
+        end
+      end
+
+      # Check if the record is not approved
+      def not_approved?
+        !approved?
+      end
+
+      # Check if user can approve (cannot approve own content)
+      def can_approve?
+        return false unless logged_in?
+
+        if admin?
+          true
+        elsif contributor?
+          # Contributors can approve others' content but not their own
+          !owner?
+        else
+          false
+        end
+      end
+
+      # Check if user can reject
+      def can_reject?
+        can_approve?
+      end
+
+      # Check if user can submit for approval
+      def can_submit_for_approval?
+        owner? && not_approved? && !pending_approval?
+      end
+
+      # Check if user can withdraw from approval
+      def can_withdraw_approval?
+        owner? && pending_approval?
+      end
+
+      # Check if content can be edited (typically not after approval)
+      def can_edit_with_approval?
+        if approved?
+          admin? # Only admins can edit approved content
+        else
+          owner? || admin? # Owner can edit rejected or unapproved content
+        end
+      end
+    end
+  end
+end

data/lib/simple_authorize/policy_modules/ownable.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module SimpleAuthorize
+  module PolicyModules
+    # Provides ownership-based authorization methods
+    #
+    # Include this module in your policy to add owner-based permissions:
+    #
+    #   class PostPolicy < SimpleAuthorize::Policy
+    #     include SimpleAuthorize::PolicyModules::Ownable
+    #
+    #     def show?
+    #       published? || owner_or_admin?
+    #     end
+    #   end
+    #
+    # This module assumes your record has a `user_id` field that matches
+    # the user's ID. Override the `owner?` method if you need different logic.
+    module Ownable
+      protected
+
+      # Check if the current user owns the record
+      def owner?
+        return false unless user && record
+
+        if record.respond_to?(:user_id)
+          record.user_id == user.id
+        elsif record.respond_to?(:user)
+          record.user == user
+        elsif record.respond_to?(:owner_id)
+          record.owner_id == user.id
+        elsif record.respond_to?(:owner)
+          record.owner == user
+        else
+          false
+        end
+      end
+
+      # Check if the user is the owner or an admin
+      def owner_or_admin?
+        owner? || admin?
+      end
+
+      # Check if the user is the owner or a contributor
+      def owner_or_contributor?
+        owner? || contributor?
+      end
+
+      # Common pattern: owners and admins can modify
+      def can_modify?
+        owner_or_admin?
+      end
+
+      # Common pattern: anyone can view, but only owners/admins can modify
+      def standard_permissions
+        {
+          show: true,
+          create: logged_in?,
+          update: owner_or_admin?,
+          destroy: owner_or_admin?
+        }
+      end
+    end
+  end
+end

data/lib/simple_authorize/policy_modules/publishable.rb

@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+
+module SimpleAuthorize
+  module PolicyModules
+    # Provides publishing workflow authorization methods
+    #
+    # Include this module for content that has draft/published states:
+    #
+    #   class ArticlePolicy < SimpleAuthorize::Policy
+    #     include SimpleAuthorize::PolicyModules::Publishable
+    #
+    #     def show?
+    #       published? || can_preview?
+    #     end
+    #   end
+    #
+    # This module assumes your record responds to `published?` or has a
+    # `published` boolean field, and optionally `published_at` timestamp.
+    module Publishable
+      protected
+
+      # Check if the record is published
+      def published?
+        return false unless record
+
+        if record.respond_to?(:published?)
+          record.published?
+        elsif record.respond_to?(:published)
+          record.published == true
+        elsif record.respond_to?(:status)
+          record.status == "published"
+        elsif record.respond_to?(:published_at)
+          record.published_at && record.published_at <= Time.current
+        else
+          false
+        end
+      end
+
+      # Check if the record is a draft
+      def draft?
+        !published?
+      end
+
+      # Check if user can publish content
+      def can_publish?
+        admin? || (contributor? && owner?)
+      end
+
+      # Check if user can unpublish content
+      def can_unpublish?
+        admin? || (owner? && contributor?)
+      end
+
+      # Check if user can preview unpublished content
+      def can_preview?
+        owner? || admin? || contributor?
+      end
+
+      # Check if user can schedule publication
+      def can_schedule?
+        return false unless record.respond_to?(:scheduled_at) || record.respond_to?(:publish_at)
+
+        can_publish?
+      end
+
+      # Filter attributes based on published state
+      def publishable_visible_attributes(base_attributes = [])
+        if published? || can_preview?
+          base_attributes
+        else
+          base_attributes - sensitive_draft_attributes
+        end
+      end
+
+      # Attributes that should be hidden in draft state
+      def sensitive_draft_attributes
+        %i[internal_notes draft_notes review_comments]
+      end
+    end
+  end
+end

data/lib/simple_authorize/policy_modules/soft_deletable.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+module SimpleAuthorize
+  module PolicyModules
+    # Provides soft deletion authorization methods
+    #
+    # Include this module for records that support soft deletion:
+    #
+    #   class CommentPolicy < SimpleAuthorize::Policy
+    #     include SimpleAuthorize::PolicyModules::SoftDeletable
+    #
+    #     def destroy?
+    #       soft_deletable? && (owner? || admin?)
+    #     end
+    #   end
+    #
+    # Assumes records have a deleted_at timestamp or similar field.
+    module SoftDeletable
+      protected
+
+      # Check if the record is soft deleted
+      def soft_deleted?
+        return false unless record
+
+        if record.respond_to?(:deleted?)
+          record.deleted?
+        elsif record.respond_to?(:deleted_at)
+          record.deleted_at.present?
+        elsif record.respond_to?(:trashed?)
+          record.trashed?
+        elsif record.respond_to?(:archived?)
+          record.archived?
+        else
+          false
+        end
+      end
+
+      # Check if the record is not soft deleted
+      def not_deleted?
+        !soft_deleted?
+      end
+
+      # Check if the record supports soft deletion
+      def soft_deletable?
+        record && (
+          record.respond_to?(:deleted_at) ||
+          record.respond_to?(:deleted?) ||
+          record.respond_to?(:trash!) ||
+          record.respond_to?(:archive!)
+        )
+      end
+
+      # Check if user can restore soft deleted records
+      def can_restore?
+        soft_deleted? && (admin? || (owner? && within_restore_window?))
+      end
+
+      # Check if user can permanently delete
+      def can_permanently_destroy?
+        admin?
+      end
+
+      # Check if we're within the restore window (default 30 days)
+      def within_restore_window?(days = 30)
+        return true unless soft_deleted?
+        return true unless record.respond_to?(:deleted_at)
+
+        record.deleted_at > days.days.ago
+      end
+
+      # Check if user can view soft deleted records
+      def can_view_deleted?
+        admin? || (owner? && within_restore_window?)
+      end
+
+      # Standard destroy that respects soft delete
+      def safe_destroy?
+        if soft_deletable?
+          # Soft delete if supported
+          owner_or_admin?
+        else
+          # Hard delete requires admin
+          admin?
+        end
+      end
+    end
+  end
+end

data/lib/simple_authorize/policy_modules/timestamped.rb

@@ -0,0 +1,104 @@
+# frozen_string_literal: true
+
+module SimpleAuthorize
+  module PolicyModules
+    # Provides time-based authorization methods
+    #
+    # Include this module for time-sensitive permissions:
+    #
+    #   class EventPolicy < SimpleAuthorize::Policy
+    #     include SimpleAuthorize::PolicyModules::Timestamped
+    #
+    #     def update?
+    #       not_expired? && (owner? || admin?)
+    #     end
+    #   end
+    #
+    # Works with records that have timestamp fields like expired_at,
+    # starts_at, ends_at, valid_until, etc.
+    module Timestamped
+      protected
+
+      # Check if the record has expired
+      def expired?
+        return false unless record
+
+        if record.respond_to?(:expired_at)
+          record.expired_at && record.expired_at < Time.current
+        elsif record.respond_to?(:expires_at)
+          record.expires_at && record.expires_at < Time.current
+        elsif record.respond_to?(:valid_until)
+          record.valid_until && record.valid_until < Time.current
+        elsif record.respond_to?(:ends_at)
+          record.ends_at && record.ends_at < Time.current
+        else
+          false
+        end
+      end
+
+      # Check if the record is not expired
+      def not_expired?
+        !expired?
+      end
+
+      # Check if the record is active (started but not ended)
+      def active?
+        started? && !ended?
+      end
+
+      # Check if the record has started
+      def started?
+        return true unless record
+
+        if record.respond_to?(:starts_at)
+          record.starts_at.nil? || record.starts_at <= Time.current
+        elsif record.respond_to?(:available_from)
+          record.available_from.nil? || record.available_from <= Time.current
+        elsif record.respond_to?(:valid_from)
+          record.valid_from.nil? || record.valid_from <= Time.current
+        else
+          true
+        end
+      end
+
+      # Check if the record has ended
+      def ended?
+        expired?
+      end
+
+      # Check if record is within a time window
+      def within_time_window?
+        started? && not_expired?
+      end
+
+      # Check if the record is locked (cannot be modified)
+      def locked?
+        return false unless record
+
+        if record.respond_to?(:locked_at)
+          record.locked_at && record.locked_at < Time.current
+        elsif record.respond_to?(:locked?)
+          record.locked?
+        elsif record.respond_to?(:frozen_at)
+          record.frozen_at && record.frozen_at < Time.current
+        else
+          false
+        end
+      end
+
+      # Check if record can be modified (not locked or expired)
+      def can_modify_time_based?
+        !locked? && not_expired?
+      end
+
+      # Business hours check (useful with context)
+      def within_business_hours?(time = Time.current)
+        hour = time.hour
+        weekday = time.wday
+
+        # Monday-Friday, 9 AM - 5 PM
+        weekday.between?(1, 5) && hour >= 9 && hour < 17
+      end
+    end
+  end
+end

data/lib/simple_authorize/policy_modules.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+# Require all policy modules
+require_relative "policy_modules/ownable"
+require_relative "policy_modules/publishable"
+require_relative "policy_modules/timestamped"
+require_relative "policy_modules/approvable"
+require_relative "policy_modules/soft_deletable"
+
+module SimpleAuthorize
+  # Collection of reusable policy modules for common authorization patterns
+  #
+  # These modules can be mixed into your policy classes to add common
+  # authorization functionality without duplicating code.
+  #
+  # Example:
+  #   class ArticlePolicy < SimpleAuthorize::Policy
+  #     include SimpleAuthorize::PolicyModules::Ownable
+  #     include SimpleAuthorize::PolicyModules::Publishable
+  #
+  #     def show?
+  #       published? || owner_or_admin?
+  #     end
+  #   end
+  module PolicyModules
+  end
+end

data/lib/simple_authorize/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module SimpleAuthorize
-  VERSION = "1.1.0"
+  VERSION = "1.1.2"
 end

data/spec/examples.txt

@@ -1,51 +1,51 @@
 example_id                             | status | run_time        |
 -------------------------------------- | ------ | --------------- |
 ./spec/rspec_matchers_spec.rb[1:1:1:1] | passed | 0.00003 seconds |
-./spec/rspec_matchers_spec.rb[1:1:1:2] | passed | 0.00003 seconds |
-./spec/rspec_matchers_spec.rb[1:1:1:3] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:1:2:1] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:1:2:2] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:1:3:1] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:1:3:2] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:1:1:2] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:1:1:3] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:1:2:1] | passed | 0.00005 seconds |
+./spec/rspec_matchers_spec.rb[1:1:2:2] | passed | 0.00012 seconds |
+./spec/rspec_matchers_spec.rb[1:1:3:1] | passed | 0.00017 seconds |
+./spec/rspec_matchers_spec.rb[1:1:3:2] | passed | 0.00007 seconds |
 ./spec/rspec_matchers_spec.rb[1:1:4:1] | passed | 0.00003 seconds |
-./spec/rspec_matchers_spec.rb[1:1:4:2] | passed | 0.00012 seconds |
-./spec/rspec_matchers_spec.rb[1:2:1:1] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:1:4:2] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:2:1:1] | passed | 0.00004 seconds |
 ./spec/rspec_matchers_spec.rb[1:2:1:2] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:2:2:1] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:2:2:1] | passed | 0.00003 seconds |
 ./spec/rspec_matchers_spec.rb[1:2:2:2] | passed | 0.00003 seconds |
 ./spec/rspec_matchers_spec.rb[1:2:3:1] | passed | 0.00004 seconds |
 ./spec/rspec_matchers_spec.rb[1:2:3:2] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:2:4:1] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:2:4:1] | passed | 0.00004 seconds |
 ./spec/rspec_matchers_spec.rb[1:2:4:2] | passed | 0.00003 seconds |
 ./spec/rspec_matchers_spec.rb[1:3:1:1] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:3:1:2] | passed | 0.00011 seconds |
-./spec/rspec_matchers_spec.rb[1:3:1:3] | passed | 0.00005 seconds |
-./spec/rspec_matchers_spec.rb[1:3:2:1] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:3:1:2] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:3:1:3] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:3:2:1] | passed | 0.00003 seconds |
 ./spec/rspec_matchers_spec.rb[1:3:3:1] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:3:3:2] | passed | 0.00005 seconds |
+./spec/rspec_matchers_spec.rb[1:3:3:2] | passed | 0.00003 seconds |
 ./spec/rspec_matchers_spec.rb[1:3:4:1] | passed | 0.00003 seconds |
 ./spec/rspec_matchers_spec.rb[1:3:4:2] | passed | 0.00003 seconds |
-./spec/rspec_matchers_spec.rb[1:4:1:1] | passed | 0.00003 seconds |
-./spec/rspec_matchers_spec.rb[1:4:2:1] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:4:1:1] | passed | 0.00005 seconds |
+./spec/rspec_matchers_spec.rb[1:4:2:1] | passed | 0.00004 seconds |
 ./spec/rspec_matchers_spec.rb[1:4:2:2] | passed | 0.00004 seconds |
 ./spec/rspec_matchers_spec.rb[1:4:3:1] | passed | 0.00004 seconds |
 ./spec/rspec_matchers_spec.rb[1:4:4:1] | passed | 0.00003 seconds |
 ./spec/rspec_matchers_spec.rb[1:4:4:2] | passed | 0.00003 seconds |
 ./spec/rspec_matchers_spec.rb[1:5:1:1] | passed | 0.00003 seconds |
-./spec/rspec_matchers_spec.rb[1:5:1:2] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:5:1:2] | passed | 0.00004 seconds |
 ./spec/rspec_matchers_spec.rb[1:5:2:1] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:5:3:1] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:5:3:2] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:5:3:1] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:5:3:2] | passed | 0.00004 seconds |
 ./spec/rspec_matchers_spec.rb[1:5:4:1] | passed | 0.00003 seconds |
 ./spec/rspec_matchers_spec.rb[1:5:4:2] | passed | 0.00003 seconds |
 ./spec/rspec_matchers_spec.rb[1:6:1:1] | passed | 0.00003 seconds |
 ./spec/rspec_matchers_spec.rb[1:6:2:1] | passed | 0.00003 seconds |
-./spec/rspec_matchers_spec.rb[1:6:2:2] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:6:2:2] | passed | 0.00003 seconds |
 ./spec/rspec_matchers_spec.rb[1:6:3:1] | passed | 0.00004 seconds |
 ./spec/rspec_matchers_spec.rb[1:6:3:2] | passed | 0.00004 seconds |
 ./spec/rspec_matchers_spec.rb[1:6:4:1] | passed | 0.00003 seconds |
 ./spec/rspec_matchers_spec.rb[1:6:4:2] | passed | 0.00003 seconds |
-./spec/rspec_matchers_spec.rb[1:7:1:1] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:7:1:1] | passed | 0.00003 seconds |
 ./spec/rspec_matchers_spec.rb[1:7:1:2] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:7:1:3] | passed | 0.00005 seconds |
-./spec/rspec_matchers_spec.rb[1:7:2:1] | passed | 0.00118 seconds |
+./spec/rspec_matchers_spec.rb[1:7:1:3] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:7:2:1] | passed | 0.00096 seconds |

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: simple_authorize
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.1.2
 platform: ruby
 authors:
 - Scott
@@ -92,6 +92,7 @@ files:
 - ".overcommit.yml"
 - ".simplecov"
 - CHANGELOG.md
+- CLAUDE.md
 - CODE_OF_CONDUCT.md
 - CONTRIBUTING.md
 - LICENSE.txt
@@ -110,6 +111,12 @@ files:
 - lib/simple_authorize/configuration.rb
 - lib/simple_authorize/controller.rb
 - lib/simple_authorize/policy.rb
+- lib/simple_authorize/policy_modules.rb
+- lib/simple_authorize/policy_modules/approvable.rb
+- lib/simple_authorize/policy_modules/ownable.rb
+- lib/simple_authorize/policy_modules/publishable.rb
+- lib/simple_authorize/policy_modules/soft_deletable.rb
+- lib/simple_authorize/policy_modules/timestamped.rb
 - lib/simple_authorize/railtie.rb
 - lib/simple_authorize/rspec.rb
 - lib/simple_authorize/test_helpers.rb