varvet--pundit/lib/pundit.rb

require "pundit/version"
require "pundit/policy_finder"
require "active_support/concern"
require "active_support/core_ext/string/inflections"
require "active_support/core_ext/object/blank"
require "active_support/core_ext/module/introspection"
require "active_support/dependencies/autoload"

module Pundit
  class NotAuthorizedError < StandardError
    attr_reader :query, :record, :policy

    def initialize(options = {})
      @query  = options[:query]
      @record = options[:record]
      @policy = options[:policy]

      message = options.fetch(:message) { "not allowed to #{query} this #{record.inspect}" }

      super(message)
    end
  end
  class AuthorizationNotPerformedError < StandardError; end
  class PolicyScopingNotPerformedError < AuthorizationNotPerformedError; end
  class NotDefinedError < StandardError; end

  extend ActiveSupport::Concern

  class << self
    def authorize(user, record, query)
      policy = policy!(user, record)

      unless policy.public_send(query)
        raise NotAuthorizedError.new(query: query, record: record, policy: policy)
      end

      true
    end

    def policy_scope(user, scope)
      policy_scope = PolicyFinder.new(scope).scope
      policy_scope.new(user, scope).resolve if policy_scope
    end

    def policy_scope!(user, scope)
      PolicyFinder.new(scope).scope!.new(user, scope).resolve
    end

    def policy(user, record)
      policy = PolicyFinder.new(record).policy
      policy.new(user, record) if policy
    end

    def policy!(user, record)
      PolicyFinder.new(record).policy!.new(user, record)
    end
  end

  module Helper
    def policy_scope(scope)
      pundit_policy_scope(scope)
    end
  end

  included do
    helper Helper if respond_to?(:helper)
    if respond_to?(:helper_method)
      helper_method :policy
      helper_method :pundit_policy_scope
      helper_method :pundit_user
    end
    if respond_to?(:hide_action)
      hide_action :policy
      hide_action :policy_scope
      hide_action :policies
      hide_action :policy_scopes
      hide_action :authorize
      hide_action :verify_authorized
      hide_action :verify_policy_scoped
      hide_action :permitted_attributes
      hide_action :pundit_user
    end
  end

  def verify_authorized
    raise AuthorizationNotPerformedError unless @_pundit_policy_authorized
  end

  def verify_policy_scoped
    raise PolicyScopingNotPerformedError unless @_pundit_policy_scoped
  end

  def authorize(record, query=nil)
    query ||= params[:action].to_s + "?"

    @_pundit_policy_authorized = true

    policy = policy(record)
    unless policy.public_send(query)
      raise NotAuthorizedError.new(query: query, record: record, policy: policy)
    end

    true
  end

  def skip_authorization
    @_pundit_policy_authorized = true
  end

  def policy_scope(scope)
    @_pundit_policy_scoped = true
    pundit_policy_scope(scope)
  end

  def policy(record)
    policies[record] ||= Pundit.policy!(pundit_user, record)
  end

  def permitted_attributes(record)
    name = record.class.to_s.demodulize.underscore
    params.require(name).permit(policy(record).permitted_attributes)
  end

  def policies
    @_pundit_policies ||= {}
  end

  def policy_scopes
    @_pundit_policy_scopes ||= {}
  end

  def pundit_user
    current_user
  end

private

  def pundit_policy_scope(scope)
    policy_scopes[scope] ||= Pundit.policy_scope!(pundit_user, scope)
  end
end
initial 2012-11-04 04:20:45 -05:00			`require "pundit/version"`
Extract the actual code 2012-11-19 04:57:17 -05:00			`require "pundit/policy_finder"`
Add specs and dependencies 2012-11-19 07:02:42 -05:00			`require "active_support/concern"`
			`require "active_support/core_ext/string/inflections"`
			`require "active_support/core_ext/object/blank"`
Lookup policies in the current namespace Addresses #12. If the policy is not defined in `namespace`, `const_get` will search through the inheritance change of `namespace` to find the policy. 2014-05-21 22:09:17 -04:00			`require "active_support/core_ext/module/introspection"`
Add autoload require for jruby. 2014-04-23 00:02:03 -04:00			`require "active_support/dependencies/autoload"`
initial 2012-11-04 04:20:45 -05:00
			`module Pundit`
Add #query, #record, and #policy properties to Pundit::NotAuthorizedError. Exceptions raised by #authorize now provide the query (e.g. 'create?') and record (e.g. an instance of 'Post') that caused the exception to be raised, as well as the relevant policy (e.g. an instance of 'PostPolicy'). NotAuthorizedError is modified to continue to inherit from StandardError, but now also has attr_accessor values for :query, :record, and :policy. 2014-02-25 21:54:22 -05:00			`class NotAuthorizedError < StandardError`
Don't look for NilClassPolicy Fixes #251 Contains little refactoring, to avoid duplication in setting error. 2015-02-25 14:30:08 -05:00			`attr_reader :query, :record, :policy`

			`def initialize(options = {})`
			`@query = options[:query]`
			`@record = options[:record]`
			`@policy = options[:policy]`

Use `#inspect` over `#to_s`, closes #200 2015-03-27 05:22:30 -04:00			`message = options.fetch(:message) { "not allowed to #{query} this #{record.inspect}" }`
Don't look for NilClassPolicy Fixes #251 Contains little refactoring, to avoid duplication in setting error. 2015-02-25 14:30:08 -05:00
			`super(message)`
			`end`
Add #query, #record, and #policy properties to Pundit::NotAuthorizedError. Exceptions raised by #authorize now provide the query (e.g. 'create?') and record (e.g. an instance of 'Post') that caused the exception to be raised, as well as the relevant policy (e.g. an instance of 'PostPolicy'). NotAuthorizedError is modified to continue to inherit from StandardError, but now also has attr_accessor values for :query, :record, and :policy. 2014-02-25 21:54:22 -05:00			`end`
Raise a different error when authorization is not performed closes #108 2014-02-14 07:57:13 -05:00			`class AuthorizationNotPerformedError < StandardError; end`
Raise more description exception for verify_policy_scoped * The AuthorizationNotPerformedError is very descriptive of the situation when authorization is forgotten. In the case of no scoping, it can be a head scratcher. * This new error type is implemented as a subclass of the current error type to prevent regressions in existing code. While this is not ideal, it is the simplest solution I could come up with for compatibility. 2014-07-07 21:50:22 -04:00			`class PolicyScopingNotPerformedError < AuthorizationNotPerformedError; end`
Extract the actual code 2012-11-19 04:57:17 -05:00			`class NotDefinedError < StandardError; end`

			`extend ActiveSupport::Concern`

			`class << self`
Implement authorize class method separately This is a little less DRY, but `Pundit.authorize` doesn't have to take an extra policy as an argument. Conflicts: lib/pundit.rb spec/spec_helper.rb 2015-03-26 05:32:20 -04:00			`def authorize(user, record, query)`
			`policy = policy!(user, record)`

			`unless policy.public_send(query)`
			`raise NotAuthorizedError.new(query: query, record: record, policy: policy)`
			`end`

			`true`
			`end`

Revert namespaces 2014-08-22 05:19:36 -04:00			`def policy_scope(user, scope)`
			`policy_scope = PolicyFinder.new(scope).scope`
Clarify meaning of a few variables 2013-11-05 12:26:38 -05:00			`policy_scope.new(user, scope).resolve if policy_scope`
Extract the actual code 2012-11-19 04:57:17 -05:00			`end`

Revert namespaces 2014-08-22 05:19:36 -04:00			`def policy_scope!(user, scope)`
			`PolicyFinder.new(scope).scope!.new(user, scope).resolve`
Extract the actual code 2012-11-19 04:57:17 -05:00			`end`

Revert namespaces 2014-08-22 05:19:36 -04:00			`def policy(user, record)`
			`policy = PolicyFinder.new(record).policy`
Clarify meaning of a few variables 2013-11-05 12:26:38 -05:00			`policy.new(user, record) if policy`
Extract the actual code 2012-11-19 04:57:17 -05:00			`end`

Revert namespaces 2014-08-22 05:19:36 -04:00			`def policy!(user, record)`
			`PolicyFinder.new(record).policy!.new(user, record)`
Extract the actual code 2012-11-19 04:57:17 -05:00			`end`
			`end`

Don't verify policy scope if called from view closes #207 2015-03-27 08:51:02 -04:00			`module Helper`
			`def policy_scope(scope)`
			`pundit_policy_scope(scope)`
			`end`
			`end`

Extract the actual code 2012-11-19 04:57:17 -05:00			`included do`
Don't verify policy scope if called from view closes #207 2015-03-27 08:51:02 -04:00			`helper Helper if respond_to?(:helper)`
Extract the actual code 2012-11-19 04:57:17 -05:00			`if respond_to?(:helper_method)`
			`helper_method :policy`
Don't verify policy scope if called from view closes #207 2015-03-27 08:51:02 -04:00			`helper_method :pundit_policy_scope`
pundit_user should be a helper and hidden as an action 2013-07-13 18:50:39 -04:00			`helper_method :pundit_user`
Extract the actual code 2012-11-19 04:57:17 -05:00			`end`
Hide authorize and verify_authorized, closes #23 2013-03-28 12:26:24 -04:00			`if respond_to?(:hide_action)`
hide unused actions 2014-03-09 15:01:53 -04:00			`hide_action :policy`
Clean up after caching 2014-08-22 07:25:50 -04:00			`hide_action :policy_scope`
			`hide_action :policies`
			`hide_action :policy_scopes`
Hide authorize and verify_authorized, closes #23 2013-03-28 12:26:24 -04:00			`hide_action :authorize`
			`hide_action :verify_authorized`
Add #verify_policy_scoped for controller usage. See the readme changes for an example. In short, this behaves like verify_authorized but is useful for actions that find a collection (like index) and don't authorize instances. 2013-04-18 01:05:24 -04:00			`hide_action :verify_policy_scoped`
Add permitted attributes helper, closes #141 See discussion in #141. This provides a convenient helper which aids in permitting attributes in the controller. 2015-03-27 05:14:09 -04:00			`hide_action :permitted_attributes`
pundit_user should be a helper and hidden as an action 2013-07-13 18:50:39 -04:00			`hide_action :pundit_user`
Hide authorize and verify_authorized, closes #23 2013-03-28 12:26:24 -04:00			`end`
Extract the actual code 2012-11-19 04:57:17 -05:00			`end`

			`def verify_authorized`
Add 'pundit' prefix to instance variables to avoid collisions. 2014-08-26 11:57:27 -04:00			`raise AuthorizationNotPerformedError unless @_pundit_policy_authorized`
Extract the actual code 2012-11-19 04:57:17 -05:00			`end`

Add #verify_policy_scoped for controller usage. See the readme changes for an example. In short, this behaves like verify_authorized but is useful for actions that find a collection (like index) and don't authorize instances. 2013-04-18 01:05:24 -04:00			`def verify_policy_scoped`
Add 'pundit' prefix to instance variables to avoid collisions. 2014-08-26 11:57:27 -04:00			`raise PolicyScopingNotPerformedError unless @_pundit_policy_scoped`
Add #verify_policy_scoped for controller usage. See the readme changes for an example. In short, this behaves like verify_authorized but is useful for actions that find a collection (like index) and don't authorize instances. 2013-04-18 01:05:24 -04:00			`end`

Extract the actual code 2012-11-19 04:57:17 -05:00			`def authorize(record, query=nil)`
			`query \|\|= params[:action].to_s + "?"`
Don't look for NilClassPolicy Fixes #251 Contains little refactoring, to avoid duplication in setting error. 2015-02-25 14:30:08 -05:00
Add 'pundit' prefix to instance variables to avoid collisions. 2014-08-26 11:57:27 -04:00			`@_pundit_policy_authorized = true`
Add #query, #record, and #policy properties to Pundit::NotAuthorizedError. Exceptions raised by #authorize now provide the query (e.g. 'create?') and record (e.g. an instance of 'Post') that caused the exception to be raised, as well as the relevant policy (e.g. an instance of 'PostPolicy'). NotAuthorizedError is modified to continue to inherit from StandardError, but now also has attr_accessor values for :query, :record, and :policy. 2014-02-25 21:54:22 -05:00
			`policy = policy(record)`
			`unless policy.public_send(query)`
Don't look for NilClassPolicy Fixes #251 Contains little refactoring, to avoid duplication in setting error. 2015-02-25 14:30:08 -05:00			`raise NotAuthorizedError.new(query: query, record: record, policy: policy)`
Extract the actual code 2012-11-19 04:57:17 -05:00			`end`
Add #query, #record, and #policy properties to Pundit::NotAuthorizedError. Exceptions raised by #authorize now provide the query (e.g. 'create?') and record (e.g. an instance of 'Post') that caused the exception to be raised, as well as the relevant policy (e.g. an instance of 'PostPolicy'). NotAuthorizedError is modified to continue to inherit from StandardError, but now also has attr_accessor values for :query, :record, and :policy. 2014-02-25 21:54:22 -05:00
Add specs and dependencies 2012-11-19 07:02:42 -05:00			`true`
Extract the actual code 2012-11-19 04:57:17 -05:00			`end`

Add `#skip_authorization` helper Allows users to skip authorization and prevent exceptions that result from having `#verify_authorized` enabled. There are some times when you'd only conditionally want to skip authorization, but you still want to keep verification enabled for that action. 2015-02-20 14:38:08 -05:00			`def skip_authorization`
			`@_pundit_policy_authorized = true`
			`end`

Extract the actual code 2012-11-19 04:57:17 -05:00			`def policy_scope(scope)`
Add 'pundit' prefix to instance variables to avoid collisions. 2014-08-26 11:57:27 -04:00			`@_pundit_policy_scoped = true`
Don't verify policy scope if called from view closes #207 2015-03-27 08:51:02 -04:00			`pundit_policy_scope(scope)`
Extract the actual code 2012-11-19 04:57:17 -05:00			`end`

			`def policy(record)`
Cache policies and policy scopes, closes #134 2014-08-22 07:20:32 -04:00			`policies[record] \|\|= Pundit.policy!(pundit_user, record)`
Change @policy instance variable to @_policy. 2014-05-19 01:05:09 -04:00			`end`

Add permitted attributes helper, closes #141 See discussion in #141. This provides a convenient helper which aids in permitting attributes in the controller. 2015-03-27 05:14:09 -04:00			`def permitted_attributes(record)`
			`name = record.class.to_s.demodulize.underscore`
			`params.require(name).permit(policy(record).permitted_attributes)`
			`end`

Cache policies and policy scopes, closes #134 2014-08-22 07:20:32 -04:00			`def policies`
Add 'pundit' prefix to instance variables to avoid collisions. 2014-08-26 11:57:27 -04:00			`@_pundit_policies \|\|= {}`
Cache policies and policy scopes, closes #134 2014-08-22 07:20:32 -04:00			`end`

			`def policy_scopes`
Add 'pundit' prefix to instance variables to avoid collisions. 2014-08-26 11:57:27 -04:00			`@_pundit_policy_scopes \|\|= {}`
Custom pundit user 2013-07-12 23:42:34 -04:00			`end`

			`def pundit_user`
Let pundit_user raise a name error if current_user is not present. 2013-07-13 10:24:13 -04:00			`current_user`
Extract the actual code 2012-11-19 04:57:17 -05:00			`end`
Don't verify policy scope if called from view closes #207 2015-03-27 08:51:02 -04:00
			`private`

			`def pundit_policy_scope(scope)`
			`policy_scopes[scope] \|\|= Pundit.policy_scope!(pundit_user, scope)`
			`end`
initial 2012-11-04 04:20:45 -05:00			`end`