From d72bfcebffdc8a3b1f1688cb1e587554cff604ba Mon Sep 17 00:00:00 2001 From: Martin Meier Date: Thu, 7 Jan 2021 19:08:16 +0100 Subject: [PATCH 1/4] Set no_attribute_check on additional_collection with strong_parameters --- .../controller/rails.rb | 2 +- .../controller_filter_resource_access_test.rb | 84 +++++++++++++++++++ 2 files changed, 85 insertions(+), 1 deletion(-) diff --git a/lib/declarative_authorization/controller/rails.rb b/lib/declarative_authorization/controller/rails.rb index 16974b9..a7f79af 100644 --- a/lib/declarative_authorization/controller/rails.rb +++ b/lib/declarative_authorization/controller/rails.rb @@ -200,7 +200,7 @@ def filter_resource_access(options = {}) collections = actions_from_option(options[:collection]).merge( actions_from_option(options[:additional_collection])) - no_attribute_check_actions = options[:strong_parameters] ? actions_from_option(options[:collection]).merge(actions_from_option([:create])) : collections + no_attribute_check_actions = options[:strong_parameters] ? collections.merge(actions_from_option([:create])) : collections options[:no_attribute_check] ||= no_attribute_check_actions.keys unless options[:nested_in] diff --git a/test/controller_filter_resource_access_test.rb b/test/controller_filter_resource_access_test.rb index f8acb3d..02e5fb4 100644 --- a/test/controller_filter_resource_access_test.rb +++ b/test/controller_filter_resource_access_test.rb 
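Review bot: The widened `no_attribute_check` default is a security-relevant behaviour change that nothing in the hunk documents: with `:strong_parameters`, actions from `:additional_collection` now skip `if_attribute` conditions, where the removed line only exempted `:collection` actions and `:create`. This matches the non-strong-parameters branch, which already used `collections`, but an application that combined `:additional_collection` with `:strong_parameters` and relied on attribute conditions for those actions would lose them, so the `filter_resource_access` documentation (the method starts before this hunk) should state it, e.g. `# With :strong_parameters, every collection action (including :additional_collection) and :create is added to :no_attribute_check unless the option is given explicitly.` — the `||=` on the following context line keeps an explicit `:no_attribute_check` intact. The ternary is also long enough to read better as two statements, `no_attribute_check_actions = collections` followed by `no_attribute_check_actions = collections.merge(actions_from_option([:create])) if options[:strong_parameters]`; `Hash#merge` returns a new hash, so `collections` is left untouched.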
@@ -441,6 +441,90 @@ def test_additional_members_filter_other_new end end +class AdditionalMembersCollectionsStrongParamsController < MocksController + def self.controller_name + "basic_resources" + end + filter_resource_access :additional_member => :other_show, + :additional_collection => [:search], :additional_new => {:other_new => :new}, :strong_parameters => true + define_resource_actions + define_action_methods :other_new, :search, :other_show +end +class AdditionalMembersCollectionsStrongParamsControllerTest < ActionController::TestCase + def test_additional_members_filter_search_index + reader = Authorization::Reader::DSLReader.new + reader.parse %{ + authorization do + role :allowed_role do + has_permission_on :basic_resources, :to => [:search, :index] do + if_attribute :id => is {"1"} + end + end + end + } + + request!(MockUser.new(:another_role), :search, reader) + assert !@controller.authorized? + request!(MockUser.new(:another_role), :index, reader) + assert !@controller.authorized? + request!(MockUser.new(:allowed_role), :search, reader) + assert @controller.authorized? + request!(MockUser.new(:allowed_role), :index, reader) + assert @controller.authorized? + end + + def test_additional_members_filter_other_show + reader = Authorization::Reader::DSLReader.new + reader.parse %{ + authorization do + role :allowed_role do + has_permission_on :basic_resources, :to => [:show, :other_show] do + if_attribute :id => is {"1"} + end + end + end + } + + allowed_user = MockUser.new(:allowed_role) + request!(allowed_user, :other_show, reader, :id => "2") + assert !@controller.authorized? + request!(allowed_user, :show, reader, :id => "2", :clear => [:@basic_resource]) + assert !@controller.authorized? + request!(allowed_user, :other_show, reader, :id => "1", :clear => [:@basic_resource]) + assert @controller.authorized? + request!(allowed_user, :show, reader, :id => "1", :clear => [:@basic_resource]) + assert @controller.authorized? 
+ end + + def test_additional_members_filter_other_new + reader = Authorization::Reader::DSLReader.new + reader.parse %{ + authorization do + role :allowed_role do + has_permission_on :basic_resources, :to => :new do + if_attribute :id => is {"1"} + end + end + end + } + + allowed_user = MockUser.new(:allowed_role) + request!(allowed_user, :other_new, reader, :basic_resource => {:id => "2"}) + assert !@controller.authorized? + request!(allowed_user, :new, reader, :basic_resource => {:id => "2"}, + :clear => [:@basic_resource]) + assert !@controller.authorized? + + # strong_parameters (as mocked) never set parameters on new object, so attribute condition is never met + request!(allowed_user, :other_new, reader, :basic_resource => {:id => "1"}, + :clear => [:@basic_resource]) + assert !@controller.authorized? + request!(allowed_user, :new, reader, :basic_resource => {:id => "1"}, + clear: [:@basic_resource]) + assert !@controller.authorized? + end +end + class CustomMethodsResourceController < MocksController # not implemented yet From 2c0e47bbbb3b8342fe09d69c92e1566cbcc4cb1f Mon Sep 17 00:00:00 2001 From: Martin Meier Date: Tue, 2 Feb 2021 21:08:52 +0100 Subject: [PATCH 2/4] try ruby 2.7.2 --- .ruby-version | 2 +- Appraisals | 2 +- gemfiles/ruby_2.7.2_rails6.0.2.1_grape1.3.0.gemfile | 13 +++++++++++++ 3 files changed, 15 insertions(+), 2 deletions(-) create mode 100644 gemfiles/ruby_2.7.2_rails6.0.2.1_grape1.3.0.gemfile diff --git a/.ruby-version b/.ruby-version index 4560fb9..2eb2fe9 100644 --- a/.ruby-version +++ b/.ruby-version @@ -1 +1 @@ -ruby-2.6.3 +ruby-2.7.2 diff --git a/Appraisals b/Appraisals index f0cf421..9a6e4d4 100644 --- a/Appraisals +++ b/Appraisals 
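Review bot: `test_additional_members_filter_search_index` is the test that exercises the rails.rb change, yet it does not say why `allowed_role` is authorized for `search` and `index` although the `if_attribute :id => is {"1"}` condition is never satisfied; a comment such as `# collection actions are in no_attribute_check when :strong_parameters is set, so the if_attribute condition is not evaluated` would stop a later reader from taking the passing assertions for a bug. The method name also says "members" while the body covers collection actions, so `test_additional_collections_filter_search_index` would describe it better. In `test_additional_members_filter_other_new` the last request uses `clear: [:@basic_resource]` while every other call in the class writes `:clear => [...]`; pick one form. That test additionally asserts `!@controller.authorized?` in all four cases, so it pins the mocked strong_parameters behaviour described in its own comment rather than telling an allowed request from a denied one.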
@@ -3,7 +3,7 @@ GRAPE_VERSIONS = ['1.1.0', '1.2.3', '1.3.0'] case RUBY_VERSION -when '2.5.3', '2.6.3' then +when '2.5.3', '2.6.3', '2.7.2' then RAILS_VERSIONS.product(GRAPE_VERSIONS).each do |rails_version, grape_version| appraise "ruby-#{RUBY_VERSION}-rails#{rails_version}-grape#{grape_version}" do gem 'rails', rails_version diff --git a/gemfiles/ruby_2.7.2_rails6.0.2.1_grape1.3.0.gemfile b/gemfiles/ruby_2.7.2_rails6.0.2.1_grape1.3.0.gemfile new file mode 100644 index 0000000..a76a71e --- /dev/null +++ b/gemfiles/ruby_2.7.2_rails6.0.2.1_grape1.3.0.gemfile @@ -0,0 +1,13 @@ +# This file was generated by Appraisal + +source "http://rubygems.org" + +gem "appraisal", "~> 2.1" +gem "mocha", "~> 1.0", require: false +gem "sprockets", "< 4" +gem "rails-controller-testing" +gem "rails", "6.0.2.1" +gem "grape", "1.3.0" +gem "sqlite3", "~> 1.4" + +gemspec path: "../" From ff6e0e08371debf4bb0da7ac326d7dc7ce8f97a5 Mon Sep 17 00:00:00 2001 From: Martin Meier Date: Tue, 16 Nov 2021 15:29:50 +0100 Subject: [PATCH 3/4] use ruby 2.6.6 and rails 5.2.6 --- .ruby-version | 2 +- Appraisals | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.ruby-version b/.ruby-version index 2eb2fe9..f6ab44e 100644 --- a/.ruby-version +++ b/.ruby-version @@ -1 +1 @@ -ruby-2.7.2 +ruby-2.6.6 diff --git a/Appraisals b/Appraisals index 9a6e4d4..ad67002 100644 --- a/Appraisals +++ b/Appraisals @@ -1,9 +1,9 @@ -RAILS_VERSIONS = ['5.2.2.1', '6.0.2.1'] +RAILS_VERSIONS = ['5.2.6', '6.0.2.1'] GRAPE_VERSIONS = ['1.1.0', '1.2.3', '1.3.0'] case RUBY_VERSION -when '2.5.3', '2.6.3', '2.7.2' then +when '2.5.3', '2.6.6', '2.7.2' then RAILS_VERSIONS.product(GRAPE_VERSIONS).each do |rails_version, grape_version| appraise "ruby-#{RUBY_VERSION}-rails#{rails_version}-grape#{grape_version}" do gem 'rails', rails_version From 674d082f85121b5be8a27f66dc2d0f2dea705fd0 Mon Sep 17 00:00:00 2001 
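Review bot: The added `gemfiles/ruby_2.7.2_rails6.0.2.1_grape1.3.0.gemfile` declares `source "http://rubygems.org"`, so every gem in that appraisal is resolved and fetched over plain HTTP with no transport integrity, and the same line appears in `gemfiles/ruby_2.6.6_rails5.2.6_grape1.3.0.gemfile` added in the last patch of this series. Appraisal presumably copies the `source` line from the project Gemfile, so the fix belongs there (`source "https://rubygems.org"`), after which regenerating the appraisal gemfiles corrects both; if these files are maintained by hand, change the line in both. Bundler itself warns about an `http://` source for this reason.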
From: Martin Meier Date: Mon, 28 Feb 2022 15:48:32 +0100 Subject: [PATCH 4/4] Create ruby_2.6.6_rails5.2.6_grape1.3.0.gemfile add gemfile for ruby 2.6.6 rails 5.2.6 --- gemfiles/ruby_2.6.6_rails5.2.6_grape1.3.0.gemfile | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 gemfiles/ruby_2.6.6_rails5.2.6_grape1.3.0.gemfile diff --git a/gemfiles/ruby_2.6.6_rails5.2.6_grape1.3.0.gemfile b/gemfiles/ruby_2.6.6_rails5.2.6_grape1.3.0.gemfile new file mode 100644 index 0000000..ba9cb39 --- /dev/null +++ b/gemfiles/ruby_2.6.6_rails5.2.6_grape1.3.0.gemfile @@ -0,0 +1,13 @@ +# This file was generated by Appraisal + +source "http://rubygems.org" + +gem "appraisal", "~> 2.1" +gem "mocha", "~> 1.0", require: false +gem "sprockets", "< 4" +gem "rails-controller-testing" +gem "rails", "5.2.6" +gem "grape", "1.3.0" +gem "sqlite3", "~> 1.3.0" + +gemspec path: "../"