palkan_tula palkan Seattle.rb 2019 BORING DEFINITION 8 The act of giving someone official permission to do something https://dictionary.cambridge.org/dictionary/english/authorization
palkan_tula palkan Seattle.rb 2019 BY EXAMPLE 9 class ItemsController < ApplicationController def destroy item = Item.find(params[:id]) if current_user.admin? || current_user.moderator? || item.owner_id == current_user.id item.destroy! head :ok end else head :forbidden end end
palkan_tula palkan Seattle.rb 2019 class ItemsController < ApplicationController def destroy item = Item.find(params[:id]) if current_user.admin? || current_user.moderator? || item.owner_id == current_user.id item.destroy! head :ok end else head :forbidden end end authorization BY EXAMPLE 10
palkan_tula palkan Seattle.rb 2019 class ItemsController < ApplicationController def destroy item = Item.find(params[:id]) if current_user.admin? || current_user.moderator? || item.owner_id == current_user.id item.destroy! head :ok end else head :forbidden end end Is user allowed to do that? authorization BY EXAMPLE 11
palkan_tula palkan Seattle.rb 2019 AUTHORIZATION 13 How to grant/revoke access? Authorization model (roles, permission, accesses) How to verify access? Authorization layer (policies, rules)
palkan_tula palkan Seattle.rb 2019 AUTHORIZATION 14 How to grant/revoke access? Authorization model (roles, permission, accesses) How to verify access? Authorization layer (policies, rules) plan for today
palkan_tula palkan Seattle.rb 2019 class ItemsController < ApplicationController def destroy item = Item.find(params[:id]) if current_user.can?(:destroy, item) item.destroy! head :ok end else head :forbidden end end authorization layer in action BY EXAMPLE 15
palkan_tula palkan Seattle.rb 2019 class ItemsController < ApplicationController def destroy item = Item.find(params[:id]) - if current_user.admin? || - current_user.moderator? || - item.owner_id == current_user.id + if current_user.can?(:destroy, item) item.destroy! head :ok end else head :forbidden end end BY EXAMPLE 16
palkan_tula palkan Seattle.rb 2019 CANCAN 20 class Ability include CanCan ::Ability def user_abilities can :create, [Question, Answer] can :update, [Question, Answer], user_id: user.id can :destroy, [Question, Answer], user_id: user.id can :destroy, Attachment, attachable: { user_id: user.id } can [:vote_up, :vote_down], [Question, Answer] do |resource| resource.user_id != user.id end end end
palkan_tula palkan Seattle.rb 2019 PUNDIT 23 class QuestionPolicy def index? true end def create? true end def update? user.admin? || (user.id == target.user_id) end end
palkan_tula palkan Seattle.rb 2019 PUNDIT 25 You’re on your own with your policy classes authorize and policy helpers authorize item, :destroy? # raises policy(item).destroy? # predicate
palkan_tula palkan Seattle.rb 2019 class ProductsController < ApplicationController def index # non-raising predicate method if allowed_to?(:create?) @tags = current_account.tags end # scoping data @products = authorized_scope(current_account.products) end end ACTION POLICY 34
palkan_tula palkan Seattle.rb 2019 class ProductPolicy < ApplicationPolicy relation_scope do |rel| next rel if user.manager? rel.where(owner_id: user.id) end def create? user.manager? end def show? record.account_id == user.account_id end end ACTION POLICY 35
palkan_tula palkan Seattle.rb 2019 BEHAVIOUR 43 class PostUpdateAction include ActionPolicy ::Behaviour authorize :user attr_reader :user def initialize(user) @user = user end def call(post, params) authorize! post, to: :update? post.update!(params) end end
palkan_tula palkan Seattle.rb 2019 BEHAVIOUR 44 class PostUpdateAction include ActionPolicy ::Behaviour authorize :user attr_reader :user def initialize(user) @user = user end def call(post, params) authorize! post, to: :update? post.update!(params) end end connect authorization layer
palkan_tula palkan Seattle.rb 2019 BEHAVIOUR 45 class PostUpdateAction include ActionPolicy ::Behaviour authorize :user attr_reader :user def initialize(user) @user = user end def call(post, params) authorize! post, to: :update? post.update!(params) end end configure authorization context (what to pass to a policy)
palkan_tula palkan Seattle.rb 2019 BEHAVIOUR 46 class PostUpdateAction include ActionPolicy ::Behaviour authorize :user attr_reader :user def initialize(user) @user = user end def call(post, params) authorize! post, to: :update? post.update!(params) end end apply authorization (resolve policy, resolve context, invoke rule)
palkan_tula palkan Seattle.rb 2019 APPLICATION POLICY 49 class ApplicationPolicy include ActionPolicy ::Policy ::Core end implements the API required to work with behaviours
palkan_tula palkan Seattle.rb 2019 APPLICATION POLICY 50 class ApplicationPolicy include ActionPolicy ::Policy ::Core include ActionPolicy ::Policy ::Authorization authorize :user end adds API to define the required context
palkan_tula palkan Seattle.rb 2019 APPLICATION POLICY 51 class ApplicationPolicy include ActionPolicy ::Policy ::Core include ActionPolicy ::Policy ::Authorization authorize :user end requires behaviours to provide the “user” context, and adds the attr reader
palkan_tula palkan Seattle.rb 2019 BOILERPLATE 53 class RepoPolicy < ApplicationPolicy def update? user.admin? || (user.id == record.user_id) end alias edit? update? alias destroy? update? alias publish? update? alias unpublish? update? end
palkan_tula palkan Seattle.rb 2019 APPLICATION POLICY 54 class ApplicationPolicy include ActionPolicy ::Policy ::Core include ActionPolicy ::Policy ::Authorization include ActionPolicy ::Policy ::Aliases authorize :user end
palkan_tula palkan Seattle.rb 2019 APPLICATION POLICY 59 class ApplicationPolicy # ... include ActionPolicy ::Policy ::PreCheck pre_check :allow_admins def allow_admins allow! if user.admin? end end
palkan_tula palkan Seattle.rb 2019 SCOPES 62 class ProductsController < ApplicationController def index @products = authorized_scope(current_account.products) end def create @product = Product.new( authorized_scope(params.require(:product) ) # … end end Use scopes to “filter” collections according to the user’s permissions
palkan_tula palkan Seattle.rb 2019 SCOPES 63 class ProductsController < ApplicationController def index @products = authorized_scope(current_account.products) end def create @product = Product.new( authorized_scope(params.require(:product) ) # ... end end Use scopes to permit parameters
palkan_tula palkan Seattle.rb 2019 ACTION POLICY SCOPES 65 General-purpose micro-framework Use for any kind of data (different scope types) Define matchers to automatically infer the scope type
palkan_tula palkan Seattle.rb 2019 SCOPES 67 class CoursePolicy < ApplicationPolicy scope_for :relation do |scope| if user.manager? scope.where(account: account) else scope.where(account: account).assigned(user) end end scope_for :relation, :own do |scope| next target.none if user.listener? scope.where(account: account, user: user) end end
palkan_tula palkan Seattle.rb 2019 SCOPES 68 class CoursePolicy < ApplicationPolicy scope_for :relation do |scope| if user.manager? scope.where(account: account) else scope.where(account: account).assigned(user) end end scope_for :relation, :own do |scope| next target.none if user.listener? scope.where(account: account, user: user) end end
palkan_tula palkan Seattle.rb 2019 SCOPES 69 class CoursePolicy < ApplicationPolicy scope_for :relation do |scope| if user.manager? scope.where(account: account) else scope.where(account: account).assigned(user) end end scope_for :relation, :own do |scope| next target.none if user.listener? scope.where(account: account, user: user) end end
palkan_tula palkan Seattle.rb 2019 SCOPE MATCHERS 72 def lookup_type_from_target(target) self.class.scope_matchers.detect do |(_type, matcher)| matcher === target end&.first end hash of type to Module or Proc
palkan_tula palkan Seattle.rb 2019 “HEAVIER THAN HEAVEN” 76 class StagePolicy < ApplicationPolicy def show? full_access? || user.stage_permissions.where( stage_id: record.id ).exists? end def full_access? # slow SQL query we have no time to refactor end end
palkan_tula palkan Seattle.rb 2019 APPLICATION POLICY 78 class ApplicationPolicy # ... include ActionPolicy ::Policy ::Cache end cache the rule application result in the cache store
palkan_tula palkan Seattle.rb 2019 CACHE 80 class StagePolicy < ApplicationPolicy cache :show? def show? full_access? || user.stage_permissions.where( stage_id: record.id ).exists? end def full_access? # complex SQL end end use the cache store for this rule
palkan_tula palkan Seattle.rb 2019 INVALIDATION 85 class User def policy_cache_key "user :: #{id} :: #{role_id}" end end class Resource def policy_cache_key " #{resource.class.name} :: #{id} :: #{access_updated_at}" end end
palkan_tula palkan Seattle.rb 2019 ACTION POLICY 90 describe “GET #index” do subject { get :index, params: {account_slug: account.slug} } it "is authorized" do expect { subject } .to be_authorized_to(:index?).with(ApplicantPolicy) end end Action Policy tracks all calls to `authorize!` in test env, then checks for matching authorization (no mocks/stubs)
palkan_tula palkan Seattle.rb 2019 WHAT TO TEST 91 Test that the required authorization has been performed Test that the required scoping has been applied
palkan_tula palkan Seattle.rb 2019 ACTION POLICY MINITEST 94 include ActionPolicy ::TestHelper def test_authorization_performed assert_authorized_to( :index?, Applicant, with: ApplicantPolicy) do get :index, params: {account_slug: account.slug} end assert_have_authorized_scope( type: :active_record_relation, with: PostPolicy) do get :index end.with_target do |target| assert_equal Post.all, target end end
palkan_tula palkan Seattle.rb 2019 WHAT TO TEST 95 Test that the required authorization has been performed Test that the required scoping has been applied Test the authorization rules (policy classes)
palkan_tula palkan Seattle.rb 2019 TODAY 97 1 describe_rule :show? do 2 let(:record) { build_stubbed(:post, :active, global: true) } 3 succeed "when active and global" 4 failed "when non-active" do 5 before { record.active = false } 6 end 7 failed "when not for my city" do 8 before { record.city = build_stubbed :city } 9 succeed "when user is a manager" do 10 let(:user) { build_stubbed(:manager) } 11 end 12 end 13 end 13 LOC vs 19 LOC
palkan_tula palkan Seattle.rb 2019 HOW DOES IT WORK? 107 def print_method(object, method_name) ast = object.method(method_name).source.then(&Unparser.method(:parse)) # outer node is a method definition itself body = ast.children[2] Visitor.new(object).collect(body) end
palkan_tula palkan Seattle.rb 2019 HOW DOES IT WORK? 108 def print_method(object, method_name) ast = object.method(method_name).source.then(&Unparser.method(:parse)) # outer node is a method definition itself body = ast.children[2] Visitor.new(object).collect(body) end gem “method_source” (required by “pry” or “railties”)
palkan_tula palkan Seattle.rb 2019 HOW DOES IT WORK? 109 def print_method(object, method_name) ast = object.method(method_name).source.then(&Unparser.method(:parse)) # outer node is a method definition itself body = ast.children[2] Visitor.new(object).collect(body) end gem “unparser” (wrapper over “parser”, provides AST to code functionality)
palkan_tula palkan Seattle.rb 2019 HOW DOES IT WORK? 110 def print_method(object, method_name) ast = object.method(method_name).source.then(&Unparser.method(:parse)) # outer node is a method definition itself body = ast.children[2] Visitor.new(object).collect(body) end
palkan_tula palkan Seattle.rb 2019 REASONS 115 class ApplicantPolicy < ApplicationPolicy def show? user.has_permission?(:view_applicants) && allowed_to?(:show?, stage) end end Two possible rejection reasons
palkan_tula palkan Seattle.rb 2019 REASONS 116 class ApplicantPolicy < ApplicationPolicy def show? user.has_permission?(:view_applicants) && allowed_to?(:show?, stage) end end User has no required permission
palkan_tula palkan Seattle.rb 2019 REASONS 117 class ApplicantPolicy < ApplicationPolicy def show? user.has_permission?(:view_applicants) && allowed_to?(:show?, stage) end end User doesn’t have an access to the stage. The allowed_to? method tracks the failed checks.
palkan_tula palkan Seattle.rb 2019 REASONS 118 # in controller rescue_from ActionPolicy ::Unauthorized do |ex| # either p exception.reasons.details # => { stage: [:show?] } # or nothing (if the first check failed) p exception.reasons.details # => {} – that’s not good end
palkan_tula palkan Seattle.rb 2019 REASONS 120 # in controller rescue_from ActionPolicy ::Unauthorized do |ex| # either p exception.reasons.details # => { stage: [:show?] } # or p exception.reasons.details # => { applicant: [:view?] } end
palkan_tula palkan Seattle.rb 2019 GRAPHQL CASE 122 Clients want to know which actions are allowed to user Clients want to show different error messages depending on the rejection reason
palkan_tula palkan Seattle.rb 2019 GRAPHQL CASE 124 An alias for allowed_to? (i.e. also tracks the failures) def rsvp? check?(:no_rsvp_manager?) && check?(:rsvp_opened?) && show? && check?(:seats_available?) && allowed_to?(:rsvp_to_pack?) end
palkan_tula palkan Seattle.rb 2019 GRAPHQL CASE 125 module Types class Event < Base include ActionPolicy ::Behaviour expose_authorization_rules :rsvp? # ... end end
palkan_tula palkan Seattle.rb 2019 GRAPHQL CASE 126 module Types class Event < Base field :can_rsvp, Types ::AuthorizationResult, null: false def can_rsvp policy = policy_for(record: object) policy.apply(rule) policy.result end end end
palkan_tula palkan Seattle.rb 2019 I18N 130 en: action_policy: policy: event: rsvp_opened ?: "RSVP has been closed for the event" seats_available ?: "This event is sold out"
palkan_tula palkan Seattle.rb 2019 GRAPHQL CASE 134 en: action_policy: policy: event: rsvp_to_pack ?: | "You've already RSVP'd to an event “ \ “in the %{name} series, “ \ "so you cannot RSVP to this event in advance"
palkan
yusukebe
pocke
little_rubyist
koic
nanya3737
77web
mraible
alli83
beberlei
sagawa23
munetoshi
totto2727
pedronauck
lara
notwaldorf
ammeep
samanthasiow
frogandcode
erikaheidi
tanoku
geeforr
sugarenia
afnizarnur
paulrobertlloyd