skinny_controllers 0.9.1 → 0.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3b575298d306f70673c3492426f7cbd3392224f6
-  data.tar.gz: 357abe13b4b4904ea205a9d85d7c9b840b7a3937
+  metadata.gz: 6cba81691573f9ad4648dcacb2733234c5ef4cd5
+  data.tar.gz: cb4d9ff187f35d0cd097da6675ed3de9f74115db
 SHA512:
-  metadata.gz: ea1b346a06c1ae864099ae64b701342d2f1ae5446611121772f997a7e385bab6805270f242656c608cf7dc38b30f66ff398f35111fc8516aa2ea5c275de44a00
-  data.tar.gz: bd92722968b07d001a70482ea035a4f490534b8cbe253164daea53c8afb10a6258a641f460d6400f573d493ae73ca50fcc8a7112153fb8162ed6a5f362c81ab3
+  metadata.gz: 64f11e00970ccbca44700ff970e54cb92a3b0e5d107b80949d03c6f2bf98deca88774f0a39c71b2b6fd3b2b4dceeae34adccba483deef8f55a7c82a2e799ea76
+  data.tar.gz: 6a96956ac79c335072e0755388bb86bd40df665454e57781553090011caa90bbf36ba51a79d1a040dd2cb15d6a59f0f11d8a7448e3f4ec405c29c3d18d7a1d6f

data/README.md

@@ -34,12 +34,14 @@ gem 'skinny_controllers'
 ```
 or
 
-`gem install skinny_controllers`
+```bash
+gem install skinny_controllers
+```
 
 
 ## Generators
 
-```
+```bash
 rails g operation event_summary
 # => create  app/operations/event_summary_operations.rb
 
@@ -65,18 +67,24 @@ and that's it!
 
 The above does a multitude of assumptions to make sure that you can type the least amount code possible.
 
-1. Your controller name is based off your model name (configurable per controller)
+1. Your controller name is the name of your _resource_.
 2. Any defined policies or operations follow the formats (though they don't have to exist):
-  - `class #{Model.name}Policy`
-  - `module #{Model.name}Operations`
+  - `class #{resource_name}Policy`
+  - `module #{resource_name}Operations`
 3. Your model responds to `find`, and `where`
-4. Your model responds to `is_accessible_to?`. This can be changed at `SkinnyControllers.accessible_to_method`
-5. If relying on the default / implicit operations for create and update, the params key for your model's changes much be formatted as `{ Model.name.underscore => { attributes }}``
-6. If using strong parameters, SkinnyControllers will look for `{action}_{model}_params` then `{model}_params` and then `params`. See the `strong_parameters_spec.rb` test to see an example.
+4. If relying on the default / implicit operations for create and update, the params key for your model's changes much be formatted as `{ Model.name.underscore => { attributes }}`
+5. If using strong parameters, SkinnyControllers will look for `{action}_{model}_params` then `{model}_params` and then `params`. See the `strong_parameters_spec.rb` test to see an example.
 
+### Per Controller Configuration
 
+```ruby
+skinny_controllers_config model_class: AClass,
+                          parent_class: ParentClass,
+                          asociation_name: :association_aclasses,
+                          model_params_key: :aclass
+```
 
-### Your model name might be different from your resource name
+#### model_class
 Lets say you have a JSON API resource that you'd like to render that has some additional/subset of data.
 Maybe the model is an `Event`, and the resource an `EventSummary` (which could do some aggregation of `Event` data).
 
@@ -90,7 +98,8 @@ In `EventSummariesController`, you would make the following additions:
 ```ruby
 class EventSummariesController < ApiController # or whatever your superclass is
   include SkinnyControllers::Diet
-  self.model_class = Event
+
+  skinny_controllers_config model_class: Event
 
   def index
     render json: model, each_serializer: EventSummariesSerializer
@@ -101,8 +110,17 @@ class EventSummariesController < ApiController # or whatever your superclass is
   end
 end
 ```
+
 Note that `each_serializer` and `serializer` is not part of `SkinnyControllers`, and is part of [ActiveModel::Serializers](https://github.com/rails-api/active_model_serializers).
 
+Also note that setting `model_class` may be required if your model is namespaced.
+
+#### parent_class
+
+#### association_name
+
+#### model_params_key
+
 
 ### What if your model is namespaced?
 
@@ -142,13 +160,13 @@ end
 
 The parameters for directly calling an operation are as follows:
 
-| # | Parameter | Default when directly calling an operation | Implicit default via `model` | Purpose |
+| # | Parameter | Default when directly calling an operation | Implicit default | Purpose |
 |---|-------------------|--------------------------------------------|------------------------------|------------------------------------------|
 | 0 | current_user | n/a | `current_user` | the user performing the action |
 | 1 | controller_params | n/a | `params` | the full params hash from the controller |
 | 2 | params_for_action | `controller_params` | `create_params`, `index_params`, etc |  e.g.: requiring a foreign key when looking up index |
 | 3 | action | `controller_params[:action]` | `action_name` | the name of the current action |
-| 4 | model_key | `nil` | underscored model class name | the underscored model class name |
+| 4 | options | `{}` | skinny_controllers_config options |
 
 ### For JSON-API
 
@@ -213,7 +231,13 @@ module UserOperations
   class Create < SkinnyControllers::Operation::Base
     def run
       @model = model_class.new(model_params)
-      @model.save if allowed?
+
+      # raising an exception here allows the corresponding resource controller to
+      # `rescue_from SkinnyControllers::DeniedByPolicy` and have a uniform error
+      # returned to the frontend
+      raise SkinnyControllers::DeniedByPolicy.new('Something Horrible') unless allowed?
+
+      @model.save
       return @model # or just `model`
     end
   end
@@ -225,7 +249,9 @@ end
 module UserOperations
   class Update < SkinnyControllers::Operation::Base
     def run
-      return unless allowed?
+      # this throws a DeniedByPolicy exception if `allowed?` returns false
+      check_allowed!
+
       model.update(model_params)
       model
     end
@@ -248,16 +274,7 @@ module UserOperations
 end
 ```
 
-And given that this method exists on the `User` model:
-```ruby
-# realistically, you'd only want users to be able to access themselves
-def is_accessible_to?(user)
-  self.id == user.id
-end
-```
-
-Making a call to the destroy action on the `UsersController` will only succeed if the user trying to delete themselves. (Possibly to 'cancel their account')
-
+NOTE: `allowed?` is `true` by default via the `SkinnyControllers.allow_by_default` option.
 
 ## Defining Policies
 
@@ -266,8 +283,8 @@ These are where you define your access logic, and how to decide if a user has ac
 
 ```ruby
 class EventPolicy < SkinnyControllers::Policy::Base
-  def read?(o = object)
-    o.is_accessible_to?(user)
+  def read?(event = object)
+    event.user == user
   end
 end
 ```
@@ -279,26 +296,20 @@ These are snippets taking from other projects.
 
 ### Finding a record when the id parameter isn't passed
 
-
-
 ```ruby
 module HostOperations
   class Read < SkinnyControllers::Operation::Base
     def run
-      model # always allowed, never restricted
+       # always allowed, never restricted
+       # (because there is now call to allowed?)
+      model
     end
 
-    # Needs to be overridden, because a 'host' can be either
-    # an Event or an Organization.
-    #
     # the params to this method should include the subdomain
     # e.g.: { subdomain: 'swingin2015' }
     def model_from_params
       subdomain = params[:subdomain]
-      # first check the events, since those are more commonly used
-      host = Event.find_by_domain(subdomain)
-      # if the event doesn't exist, see if we have an organization
-      host ||= Organization.find_by_domain(subdomain)
+      host = Host.find_by_subdomain(subdomain)
     end
   end
 end
@@ -337,7 +348,7 @@ module MembershipRenewalOperations
       # so, because the list is sorted by user id, then updated at,
       # for each user, the first renewal will be chosen...
       # and because it is descending, that means the most recent renewal
-      sorted_renewals.uniq{|r| r.user_id}
+      sorted_renewals.uniq { |r| r.user_id }
     end
   end
 
@@ -353,6 +364,7 @@ module UserOperations
   class Update < SkinnyControllers::Operation::Base
     def run
       return unless allowed_for?(current_user)
+      # update with password provided by Devise
       current_user.update_with_password(model_params)
       current_user
     end
@@ -398,9 +410,9 @@ describe HostOperations do
       let(:operation){ HostOperations::Read.new(nil, { subdomain: subdomain }) }
 
       it 'finds an event' do
-        event = create(:event, domain: subdomain)
+        host = create(:host, domain: subdomain)
         model = operation.run
-        expect(model).to eq event
+        expect(model).to eq host
       end
       #...
 ```
@@ -461,12 +473,6 @@ describe PackagePolicy do
 
 ## Globally Configurable Options
 
-All of these can be set on `SkinnyControllers`,
-e.g.:
-```ruby
-SkinnyControllers.controller_namespace = 'API'
-```
-
 The following options are available:
 
 |Option|Default|Note|
@@ -476,15 +482,9 @@ The following options are available:
 |`policy_suffix`|`'Policy'`  | Default suffix for policies classes. |
 |`controller_namespace`|`''`| Global Namespace for all controllers (e.g.: `'API'`) |
 |`allow_by_default`| `true` | Default permission |
-|`accessible_to_method`|`is_accessible_to?`| method to call an the object that the user might be able to access |
-|`accessible_to_scope`| `accessible_to`| scope / class method on an object that the user might be able to access |
 |`action_map`| see [skinny_controllers.rb](./lib/skinny_controllers.rb#L61)| |
 
 
-
-
-
-
 -------------------------------------------------------
 
 ## How is this different from trailblazer?

data/lib/skinny_controllers.rb

@@ -32,15 +32,6 @@ module SkinnyControllers
 
   POLICY_METHOD_SUFFIX = '?'
 
-  # Tells the Diet what namespace of the controller
-  # isn't going to be part of the model name
-  #
-  # @example
-  #  # config/initializers/skinny_controllers.rb
-  #  SkinnyControllers.controller_namespace = 'API'
-  #  # 'API::' would be removed from 'API::Namespace::ObjectNamesController'
-  cattr_accessor :controller_namespace
-
   # Allows integration of a search gem, like ransack.
   # The scope of this proc is within an operation, so all operation
   # instance variables will be available.
@@ -71,26 +62,10 @@ module SkinnyControllers
     'Policy'
   end
 
-  cattr_accessor :operations_namespace do
-    ''
-  end
-
-  cattr_accessor :policies_namespace do
-    ''
-  end
-
   cattr_accessor :allow_by_default do
     true
   end
 
-  cattr_accessor :accessible_to_method do
-    :is_accessible_to?
-  end
-
-  cattr_accessor :accessible_to_scope do
-    :accessible_to
-  end
-
   # the diet uses ActionController::Base's
   # `action_name` method to get the current action.
   # From that action, we map what verb we want to use for our operation

data/lib/skinny_controllers/diet.rb

@@ -3,14 +3,33 @@ module SkinnyControllers
   module Diet
     extend ActiveSupport::Concern
 
+    ALLOWED_OPTIONS = [
+      :model_class, :parent_class,
+      :asociation_name,
+      :model_params_key
+    ].freeze
+
     included do
       class << self
-        attr_accessor :model_class
-        attr_accessor :model_key
-        attr_accessor :association_name
+        attr_accessor :options
+
+        def skinny_controllers_config(options = {})
+          @options = options.select { |o| ALLOWED_OPTIONS.include?(o) }
+        end
       end
     end
 
+    def create_operation(user:, params_for_action: nil)
+      operation_class.new(
+        user,
+        params,
+        params_for_action,
+        action_name,
+        _lookup,
+        _options
+      )
+    end
+
     # TODO: what if we want multiple operations per action?
     #
     # @return an instance of the operation with default parameters
@@ -18,9 +37,9 @@ module SkinnyControllers
       @operation ||= operation_class.new(
         current_user,
         params, params_for_action,
-        action_name, self.class.model_key,
+        action_name,
         _lookup,
-        self.class.association_name
+        _options
       )
     end
 
@@ -32,11 +51,15 @@ module SkinnyControllers
       _lookup.operation_class
     end
 
+    def _options
+      self.class.options || {}
+    end
+
     def _lookup
       @_lookup ||= Lookup.from_controller(
         controller_class: self.class,
         verb:             verb_for_action,
-        model_class:      self.class.model_class
+        model_class:      _options[:model_class]
       )
     end
 
@@ -64,9 +87,9 @@ module SkinnyControllers
     def params_for_action
       return {} if action_name == 'destroy'
 
-      key = self.class.model_key
+      key = _options[:model_params_key]
       # model_class should be a class
-      klass = self.class.model_class
+      klass = _options[:model_class]
 
       model_key =
         if key.present?

data/lib/skinny_controllers/lookup.rb

@@ -17,7 +17,7 @@ module SkinnyControllers
         )
       end
 
-      def from_operation(operation_class:)
+      def from_operation(operation_class:, model_class:)
         qualified_name = operation_class.name
         parts = qualified_name.split('::')
         operation_name = parts[-2]
@@ -28,7 +28,7 @@ module SkinnyControllers
           # namespace:       parts[0..-3],
           operation_name:  operation_name,
           operation_class: operation_class,
-          model_name:      operation_parts.first,
+          model_class:     model_class,
           namespace:       qualified_name.deconstantize.deconstantize
         )
       end
@@ -87,7 +87,7 @@ module SkinnyControllers
     end
 
     def model_name
-      @model_name ||= @model_class.try(:name) || resource_parts[-1].singularize
+      @model_name ||= @model_class.try(:name) || resource_name
     end
 
     # @return [String] name of the supposed operation class
@@ -101,7 +101,7 @@ module SkinnyControllers
     def namespaced_policy_name
       @namespaced_policy_name ||= [
         namespace,
-        "#{model_name}#{SkinnyControllers.policy_suffix}"
+        "#{resource_name}#{SkinnyControllers.policy_suffix}"
       ].reject(&:blank?).join('::')
     end
 
@@ -113,7 +113,7 @@ module SkinnyControllers
     end
 
     def operation_name
-      @operation_name ||= "#{model_name}#{SkinnyControllers.operations_suffix}"
+      @operation_name ||= "#{resource_name}#{SkinnyControllers.operations_suffix}"
     end
 
     # @return [String] the namespace
@@ -123,17 +123,27 @@ module SkinnyControllers
       end
     end
 
+    def resource_name
+      @resource_name ||= resource_parts && resource_parts[-1].singularize ||
+        @model_class&.name ||
+        operation_parts && operation_parts[-1].singularize
+    end
+
     # PostsController
     # => Posts
     #
     # Api::V2::PostsController
     # => Api, V2, Posts
     def resource_parts
-      @resource_parts ||= controller_class_name.split(/::|Controller/)
+      @resource_parts ||= controller_class_name&.split(/::|Controller/)
+    end
+
+    def operation_parts
+      @operation_parts ||= operation_namespace&.split(/::|Operations/)
     end
 
     def controller_class_name
-      @controller_class_name ||= @controller_class.name
+      @controller_class_name ||= @controller_class&.name
     end
   end
 end

data/lib/skinny_controllers/lookup/model.rb

@@ -24,11 +24,9 @@ module SkinnyControllers
 
         # Namespace::ModelOperations::Verb => Namespace::ModelOperations
         namespace = operation_name.deconstantize
-        # Namespace::ModelOperations => ModelOperations
-        # nested_namespace = namespace.demodulize
-        nested_namespace = namespace.gsub(SkinnyControllers.operations_namespace, '')
+
         # ModelOperations => Model
-        nested_namespace.gsub(SkinnyControllers.operations_suffix, '')
+        namespace.gsub(SkinnyControllers.operations_suffix, '')
       end
     end
   end

data/lib/skinny_controllers/lookup/operation.rb

@@ -35,15 +35,11 @@ module SkinnyControllers
 
       # @return [Class] namespace for the default operation class
       def default_operation_namespace_for(model_name)
-        # binding.pry
         desired_namespace = namespace_from_model(model_name)
-        parent_namespace = SkinnyControllers.operations_namespace
-
-        namespace_name = "#{parent_namespace}::#{desired_namespace}"
-        namespace = namespace_name.safe_constantize
+        namespace = desired_namespace.safe_constantize
 
         unless namespace
-          SkinnyControllers.logger.warn("#{namespace_name} not found. Creating...")
+          SkinnyControllers.logger.warn("#{desired_namespace} not found. Creating...")
         end
 
         namespace || Namespace.create_namespace(desired_namespace)
@@ -61,10 +57,8 @@ module SkinnyControllers
       # @param [String] the verb/action for the operation
       # @return [String] the operation based on the model name
       def name_from_model(model_name, verb)
-        # this namespace is '' by default
-        prefix = SkinnyControllers.operations_namespace
         namespace = Lookup::Operation.namespace_from_model(model_name)
-        "#{prefix}::#{namespace}::#{verb}"
+        "#{namespace}::#{verb}"
       end
     end
   end

data/lib/skinny_controllers/lookup/policy.rb

@@ -18,8 +18,7 @@ module SkinnyControllers
       end
 
       def class_name_from_model(name)
-        parent_namespace = namespace.present? ? "#{namespace}::" : ''
-        "#{parent_namespace}#{name}" + SkinnyControllers.policy_suffix
+        "#{name}#{SkinnyControllers.policy_suffix}"
       end
 
       def define_policy_class(name)
@@ -46,10 +45,6 @@ module SkinnyControllers
       def method_name_for_operation(class_name)
         class_name.demodulize.underscore + POLICY_METHOD_SUFFIX
       end
-
-      def namespace
-        SkinnyControllers.policies_namespace
-      end
     end
   end
 end

data/lib/skinny_controllers/operation/base.rb

@@ -18,7 +18,7 @@ module SkinnyControllers
 
       attr_accessor :params, :current_user, :authorized_via_parent,
         :action, :params_for_action, :model_key,
-        :association_name,
+        :association_name, :options,
         :_lookup
 
       class << self
@@ -45,24 +45,27 @@ module SkinnyControllers
       # @param [Hash] controller_params the params hash raw from the controller
       # @param [Hash] params_for_action optional params hash, generally the result of strong parameters
       # @param [string] action the current action on the controller
-      def initialize(current_user, controller_params,
-          params_for_action = nil, action = nil,
-          model_key = nil, lookup = nil,
-          association_name = nil)
+      def initialize(current_user,
+        controller_params, params_for_action = nil,
+        action = nil,
+        lookup = nil,
+        options = {})
         self.authorized_via_parent = false
         self.current_user = current_user
         self.action = action || controller_params[:action]
         self.params = controller_params
         self.params_for_action = params_for_action || controller_params
-        self.model_key = model_key
         self._lookup = lookup
-        self.association_name = association_name
+        self.options = options
+        self.model_key = options[:model_params_key]
+        self.association_name = options[:association_name]
       end
 
       def lookup
         @lookup ||= begin
           _lookup || Lookup.from_operation(
-            operation_class: self.class
+            operation_class: self.class,
+            model_class: options[:model_class]
           )
         end
       end
@@ -104,6 +107,10 @@ module SkinnyControllers
         allowed_for?(model)
       end
 
+      def check_allowed!(*args)
+        raise DeniedByPolicy(*args.presence || action) unless allowed?
+      end
+
       # checks the policy
       def allowed_for?(object)
         policy_for(object).send(policy_method_name)

data/lib/skinny_controllers/operation/default.rb

@@ -46,7 +46,7 @@ module SkinnyControllers
       end
 
       def check_allowed!
-        raise DeniedByPolicy, action unless allowed?
+        super(action)
       end
     end
   end

data/lib/skinny_controllers/operation/model_helpers.rb

@@ -61,7 +61,15 @@ module SkinnyControllers
         unless @scoped_model
           klass_name = scoped_params[:type]
           operation_class = Lookup::Operation.operation_of(klass_name, DefaultVerbs::Read)
-          operation = operation_class.new(current_user, id: scoped_params[:id])
+
+          params = { id: scoped_params[:id] }
+          operation = operation_class.new(
+            current_user,
+            params, params,
+            'show', nil,
+            model_class: klass_name.safe_constantize
+          )
+
           @scoped_model = operation.run
           self.authorized_via_parent = !!@scoped_model
         end
@@ -70,16 +78,7 @@ module SkinnyControllers
       end
 
       def model_from_params
-        ar_proxy = model_class.where(sanitized_params)
-
-        if ar_proxy.respond_to? SkinnyControllers.accessible_to_scope
-          # It's better to filter in sql, than in the app, so if there is
-          # a way to do the filtering in active query, do that. This will help
-          # mitigate n+1 query scenarios
-          return ar_proxy.send(SkinnyControllers.accessible_to_scope, current_user)
-        end
-
-        ar_proxy
+        model_class.where(sanitized_params)
       end
 
       def model_from_named_id(key, id)
@@ -93,6 +92,7 @@ module SkinnyControllers
       def model_from_scope(scope = params[:scope])
         if scoped = scoped_model(scope)
           association = association_name_from_object
+
           scoped.send(association)
         else
           raise ActiveRecord::RecordNotFound, "Parent object of type #{scope[:type]} not accessible"

data/lib/skinny_controllers/policy/base.rb

@@ -27,7 +27,7 @@ module SkinnyControllers
         # TODO: this means that a destroy method, if defined,
         #       will never be called.... good or bad?
         #       should there be a difference between delete and destroy?
-        return send('delete?'.freeze) if action == 'destroy'.freeze
+        return send('delete?') if action == 'destroy'
 
         # we know that these methods don't take any parameters,
         # so args and block can be ignored
@@ -51,7 +51,6 @@ module SkinnyControllers
 
       # this should be used when checking access to a single object
       def read?(o = object)
-        return o.send(accessible_method, user) if o.respond_to?(accessible_method)
         default?
       end
 
@@ -72,12 +71,6 @@ module SkinnyControllers
         accessible = object.map { |ea| read?(ea) }
         accessible.all?
       end
-
-      private
-
-      def accessible_method
-        SkinnyControllers.accessible_to_method
-      end
     end
   end
 end

data/lib/skinny_controllers/version.rb

@@ -1,4 +1,4 @@
 # frozen_string_literal: true
 module SkinnyControllers
-  VERSION = '0.9.1'
+  VERSION = '0.10.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: skinny_controllers
 version: !ruby/object:Gem::Version
-  version: 0.9.1
+  version: 0.10.0
 platform: ruby
 authors:
 - L. Preston Sego III
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-11-26 00:00:00.000000000 Z
+date: 2016-12-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -227,7 +227,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.0'
+      version: '2.3'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
@@ -238,6 +238,6 @@ rubyforge_project:
 rubygems_version: 2.5.1
 signing_key: 
 specification_version: 4
-summary: SkinnyControllers-0.9.1
+summary: SkinnyControllers-0.10.0
 test_files: []
 has_rdoc: