super_auth 0.2.0 → 0.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0e93633206ab371d51eb0519bc0afccf33a028bd1025d66ee2fc1fb17df19c20
-  data.tar.gz: f99edcddc159742adee9fcf5888d8bc438beaad627d58f8576204e695a3436fa
+  metadata.gz: d7dd44cc4a7bc63bd611b41e4f4555896c61095a279a32640831d4ff22b11628
+  data.tar.gz: bb64fa3b4cbd5059a56ef8d3aa27b372f96c7d8df15c2a42efc84d9b2f78bac9
 SHA512:
-  metadata.gz: cedd01d07d249b8b49840915eed87eb68a0f7a16a2900dad8f93168338efc12c457b8c86ea910d5fd99def2844945abd8f148bd5bb360b476b22a3942eda8b7d
-  data.tar.gz: 6158c6a1b379d27364ae97f570899fe1690ac172a9bf16732932058bf62504fd03180719fdce24974571b262ec5dfd4444d1c6dd967408e08892491791a45a6d
+  metadata.gz: de44b731731d0e9d6f86d944306e67db639a7a768416ad96bbcb5956600f6f38bd12f253ca12e30592b5e29078cbdb56078a197d89d9242017043ac8fbd4679b
+  data.tar.gz: 77ef025662b6bc4ed8110d9dd6ef77347a1744a723cb4b56a4779262010b651ece3a65af605a9cf4cea9fcf850b8d2a6c784fa2a8814f7d06787453e02b3d727

data/CHANGELOG.md

@@ -1,5 +1,18 @@
 ## [Unreleased]
 
+## [0.3.1] - 2026-03-10
+
+- Refactor: move authorization compilation logic into Authorization model (`compile!` and `from_graph` class methods)
+
+## [0.3.0]
+
+- Fix: ByCurrentUser mixin — correct subquery column, add admin wildcard, remove dead code
+- Remove unused tests
+
+## [0.2.0]
+
+- Version bump with various improvements
+
 ## [0.1.0] - 2023-12-09
 
 - Initial release

data/Gemfile.lock

@@ -1,80 +1,88 @@
 PATH
   remote: .
   specs:
-    super_auth (0.1.5)
+    super_auth (0.3.1)
       sequel
 
 GEM
   remote: https://rubygems.org/
   specs:
-    activemodel (7.2.2.1)
-      activesupport (= 7.2.2.1)
-    activerecord (7.2.2.1)
-      activemodel (= 7.2.2.1)
-      activesupport (= 7.2.2.1)
+    activemodel (8.1.2)
+      activesupport (= 8.1.2)
+    activerecord (8.1.2)
+      activemodel (= 8.1.2)
+      activesupport (= 8.1.2)
       timeout (>= 0.4.0)
-    activesupport (7.2.2.1)
+    activesupport (8.1.2)
       base64
-      benchmark (>= 0.3)
       bigdecimal
       concurrent-ruby (~> 1.0, >= 1.3.1)
       connection_pool (>= 2.2.5)
       drb
       i18n (>= 1.6, < 2)
+      json
       logger (>= 1.4.2)
       minitest (>= 5.1)
       securerandom (>= 0.3)
       tzinfo (~> 2.0, >= 2.0.5)
+      uri (>= 0.13.1)
     after_commit_everywhere (1.6.0)
       activerecord (>= 4.2)
       activesupport
     base64 (0.3.0)
-    benchmark (0.4.1)
-    bigdecimal (3.2.2)
+    bigdecimal (4.0.1)
     coderay (1.1.3)
-    concurrent-ruby (1.3.5)
-    connection_pool (2.5.3)
-    diff-lcs (1.5.0)
+    concurrent-ruby (1.3.6)
+    connection_pool (3.0.2)
+    diff-lcs (1.6.2)
     drb (2.2.3)
-    i18n (1.14.7)
+    i18n (1.14.8)
       concurrent-ruby (~> 1.0)
+    io-console (0.8.2)
+    json (2.19.1)
     logger (1.7.0)
-    method_source (1.0.0)
-    minitest (6.0.1)
+    method_source (1.1.0)
+    minitest (6.0.2)
+      drb (~> 2.0)
       prism (~> 1.5)
     mysql2 (0.5.7)
       bigdecimal
-    pg (1.5.4)
+    pg (1.6.3-arm64-darwin)
+    pg (1.6.3-x86_64-linux)
     prism (1.9.0)
-    pry (0.14.2)
+    pry (0.16.0)
       coderay (~> 1.1)
       method_source (~> 1.0)
-    rake (13.1.0)
-    rspec (3.12.0)
-      rspec-core (~> 3.12.0)
-      rspec-expectations (~> 3.12.0)
-      rspec-mocks (~> 3.12.0)
-    rspec-core (3.12.2)
-      rspec-support (~> 3.12.0)
-    rspec-expectations (3.12.3)
+      reline (>= 0.6.0)
+    rake (13.3.1)
+    reline (0.6.3)
+      io-console (~> 0.5)
+    rspec (3.13.2)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.6)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.5)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.12.0)
-    rspec-mocks (3.12.6)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.8)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.12.0)
-    rspec-support (3.12.1)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.7)
     securerandom (0.4.1)
-    sequel (5.94.0)
+    sequel (5.102.0)
       bigdecimal
-    sequel-activerecord_connection (2.0.0)
-      activerecord (>= 5.0, < 8.1)
+    sequel-activerecord_connection (2.0.1)
+      activerecord (>= 5.1)
       sequel (~> 5.38)
-    sqlite3 (2.9.0-arm64-darwin)
-    sqlite3 (2.9.0-x86_64-linux-gnu)
-    timeout (0.4.3)
+    sqlite3 (2.9.1-arm64-darwin)
+    sqlite3 (2.9.1-x86_64-linux-gnu)
+    timeout (0.6.1)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    zeitwerk (2.6.12)
+    uri (1.1.1)
+    zeitwerk (2.7.5)
 
 PLATFORMS
   arm64-darwin-22

data/app/controllers/super_auth/graph_controller.rb

@@ -182,15 +182,8 @@ module SuperAuth
     end
 
     def compile_authorizations
-      # Compile all authorization paths and populate the authorizations table
       begin
-        authorization_class.delete_all
-
-        # Call the authorizations method which compiles all paths
-        authorizations = edge_class.authorizations
-        authorizations.each(&:save!)
-
-        count = authorizations.count
+        count = authorization_class.compile!
 
         render json: {
           success: true,

data/db/migrate/9_add_by_current_user_index.rb

@@ -0,0 +1,12 @@
+Sequel.migration do
+  up do
+    add_index :super_auth_authorizations,
+      [:user_external_id, :resource_external_type, :resource_external_id],
+      name: :idx_sa_auth_by_current_user
+  end
+  down do
+    drop_index :super_auth_authorizations,
+      [:user_external_id, :resource_external_type, :resource_external_id],
+      name: :idx_sa_auth_by_current_user
+  end
+end

data/db/migrate_activerecord/20250101000009_add_by_current_user_index_to_super_auth_authorizations.rb

@@ -0,0 +1,7 @@
+class AddByCurrentUserIndexToSuperAuthAuthorizations < ActiveRecord::Migration[8.0]
+  def change
+    add_index :super_auth_authorizations,
+      [:user_external_id, :resource_external_type, :resource_external_id],
+      name: :idx_sa_auth_by_current_user
+  end
+end

data/lib/super_auth/active_record/authorization.rb

@@ -1,3 +1,20 @@
 class SuperAuth::ActiveRecord::Authorization < ActiveRecord::Base
   self.table_name = 'super_auth_authorizations'
+
+  class << self
+    # Returns all computed authorization paths as Authorization AR objects.
+    # These can be saved directly to the super_auth_authorizations table.
+    def from_graph
+      from("(#{SuperAuth::Edge.authorizations.sql}) as super_auth_authorizations".squish)
+    end
+
+    # Clears and repopulates the authorizations table from the current graph.
+    def compile!
+      transaction do
+        delete_all
+        from_graph.each { |auth| create!(auth.attributes.except("id")) }
+      end
+      count
+    end
+  end
 end

data/lib/super_auth/active_record/by_current_user.rb

@@ -1,9 +1,7 @@
 module SuperAuth::ActiveRecord::ByCurrentUser
   def self.included(base)
-    base.has_many :super_auth_authorizations
-
     base.send(:default_scope, **{all_queries: true}) do
-      raise "SuperAuth.current_user not set" if SuperAuth.current_user.blank?
+      next none if SuperAuth.current_user.blank?
 
       if SuperAuth.current_user.respond_to?(:system?) && SuperAuth.current_user.system?
         self
@@ -15,25 +13,27 @@ module SuperAuth::ActiveRecord::ByCurrentUser
           { user_external_id: SuperAuth.current_user.id, user_external_type: SuperAuth.current_user.class.name }
         end
 
-        resource_where =
-        if try(:id)
-          { resource_external_id: self.id, resource_external_type: self.class.name }
+        resource_type = self.model.name
+
+        # Type-level authorization (resource_external_id IS NULL) acts as wildcard:
+        # user has access to ALL records of this type (e.g., admin with ADMIN_ACCESS).
+        type_level = SuperAuth::ActiveRecord::Authorization
+          .where(**user_where, resource_external_type: resource_type, resource_external_id: nil)
+
+        if type_level.exists?
+          self
         else
-          { resource_external_type: self.model.name }
+          # Per-record authorization: filter to specific records the user can access.
+          where(
+            id: SuperAuth::ActiveRecord::Authorization
+                .where(**user_where, resource_external_type: resource_type)
+                .where.not(resource_external_id: nil)
+                .select(:resource_external_id))
         end
-
-        # Important:
-        # We use a subquery here instead of a inner join because we don't want
-        # to potentially affect break on queries issue count queries in their app.
-        where(
-          id: SuperAuth::ActiveRecord::Authorization
-              .where(**user_where, **resource_where)
-              .select(:resource_id))
       end
     end
   end
 
   module ClassMethods
   end
-
 end

data/lib/super_auth/version.rb

@@ -1,3 +1,3 @@
 module SuperAuth
-  VERSION = "0.2.0"
+  VERSION = "0.3.1"
 end

data/super_auth.gemspec

@@ -0,0 +1,35 @@
+require_relative "lib/super_auth/version"
+
+Gem::Specification.new do |spec|
+  spec.name = "super_auth"
+  spec.version = SuperAuth::VERSION
+  spec.authors = ["Jonathan Frias"]
+  spec.email = ["jonathan@gofrias.com"]
+
+  spec.summary = "Make Unauthenticated State Unrepresentable"
+  spec.description = "Simple, yet super powerful authorization for you application"
+  spec.homepage = "https://github.com/JonathanFrias/super_auth"
+  spec.license = "MIT"
+  spec.required_ruby_version = ">= 2.6.0"
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = "https://github.com/JonathanFrias/super_auth"
+  spec.metadata["changelog_uri"] = "https://github.com/JonathanFrias/super_auth/blob/main/CHANGELOG.md"
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(__dir__) do
+    `git ls-files -z`.split("\x0").reject do |f|
+      (f == __FILE__) || f.match(%r{\A(?:(?:bin|test|spec|features)/|\.(?:git|circleci)|appveyor)})
+    end
+  end
+  spec.bindir = "bin"
+  spec.executables = spec.files.grep(%r{\Abin/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  # Uncomment to register a new dependency of your gem
+  spec.add_dependency "sequel"
+  spec.add_development_dependency "sqlite3"
+  # For more information and examples about making a new gem, check out our
+  # guide at: https://bundler.io/guides/creating_gem.html
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: super_auth
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.1
 platform: ruby
 authors:
 - Jonathan Frias
@@ -65,6 +65,7 @@ files:
 - db/migrate/6_edge.rb
 - db/migrate/7_authorization.rb
 - db/migrate/8_add_indexes_to_edges.rb
+- db/migrate/9_add_by_current_user_index.rb
 - db/migrate_activerecord/20250101000001_create_super_auth_users.rb
 - db/migrate_activerecord/20250101000002_create_super_auth_groups.rb
 - db/migrate_activerecord/20250101000003_create_super_auth_permissions.rb
@@ -72,6 +73,7 @@ files:
 - db/migrate_activerecord/20250101000005_create_super_auth_resources.rb
 - db/migrate_activerecord/20250101000006_create_super_auth_edges.rb
 - db/migrate_activerecord/20250101000007_create_super_auth_authorizations.rb
+- db/migrate_activerecord/20250101000009_add_by_current_user_index_to_super_auth_authorizations.rb
 - db/seeds/sample_data.rb
 - lib/basic_loader.rb
 - lib/generators/super_auth/install/install_generator.rb
@@ -98,6 +100,7 @@ files:
 - lib/super_auth/user.rb
 - lib/super_auth/version.rb
 - lib/tasks/super_auth_tasks.rake
+- super_auth.gemspec
 - visualization.html
 homepage: https://github.com/JonathanFrias/super_auth
 licenses: