add allow_with_resource

[jnwaletzko]

Description and Impact

Adds an allow_with_resource method that will require a resource check when accessing the endpoint. This will act exactly the same as allow except that the CustomRoleObject used will need a method that checks if the resource matches the role. A method role_resource will need to be defined on the controller to allow the passing of the resource object.
Ex.

class SomeCustomRoleObject
  def resource?(resource)
    self.resources.includes?(resource)
  end
end

class ProfilesController < ApplicationController
  allow_with_resource(:admin).to_access(:index)
 
  ...

  private def role_resource
     { resource: params[:resource_id] }
  end
end

Deploy Plan

Does Platform Operations need to know anything special about this deploy? Are migrations present?

Rollback Plan

• To roll back this change, revert the merge with: git revert -m 1 MERGE_SHA and perform another deploy.

URLs

Links to bug tickets or user stories.

QA Plan

Fill in scenarios below in checklist format.
Consider Regression scenarios (did we break something else related to this change) in addition to Happy Path (testing the new feature directly).
Evaluate the risk level and label accordingly and ensure the QA Plan matches the risk level!

• Clone this repo and switch to this branch.

• Switch an existing rails app to point the rolypoly gem to this branch.
• Verify your existing endpoints still work for permissions checks.
• Verify you can add an allow_by_resource and a role_resource controller and the role check is working.

[vivekbisen]

All in all, I like this approach. Doesn't intervene with the existing logic and the code changes seem a lot safer. My suggestions are merely subjective and optional. With new tests for allow_with_resource method, I think we should be good. Also, I would consider raising an error and force users to define role_resource than building one for them. In the raised error, it might be helpful to mention that if you don't really care for resource for your roles, consider using allow instead of allow_with_resource.

[vivekbisen]

You could make this false by default and only pass true when you need to. So, def build_gatekeeper(roles, actions, require_resource = false) for definition and have the existing methods the same but call build_gatekeeper roles, nil, true in allow_with_resource method.

[jnwaletzko]

Yeah, I couldn't decide if I should default it or not. My thinking it make more sense to explicitly say it's false or true. But I'm not sure if that really helps, so defaulting seems good.

[vivekbisen]

You should name this differently if you intend to use the passed in param value in role?. It could get confusing very easily when you have the same name in initializer that sets the self attribute and the same name gets used in other parts of the class as local variable.

[vivekbisen]

Since you call filter_roles_by_resource only when require_resauce is true, you should move the check in the method itself. You'll save yourself from repeated conditional and since require_resauce is already is an accessor, it's available across the class.

[vivekbisen]

lol wut!

[jnwaletzko]

Right???

[jnwaletzko]

@vivekbisen could you take another look? I considered your idea of raising an error but we would have to raise it in the role_gatekeeper and I really don't like it there. I also don't want it to break any existing functionality, so if role_resource is not defined on the controller it won't break anything.

[vivekbisen]

I wonder if you need the allow here. Did you try moving the allow to your before-block. These let blocks should only execute when called.

[vivekbisen]

I like to append ! to my method names when they execute code that uses !. So, check_access!?

[vivekbisen]

👍

[vivekbisen]

Is there a be_private?

[jnwaletzko]

You wish. https://github.com/sportngin/rolypoly/blob/master/lib/rolypoly/controller_role_dsl.rb#L41

[vivekbisen]

Rest of it looks good. Sorry, these things don't pop up all at once.

[vivekbisen]

So, as we discussed, it doesn't really require a resource check. It will check resources against an empty role_resource.

[vivekbisen]

Also, you wanna change this to an empty hash.

[vivekbisen]

And again, this resource would be a hash.

[vivekbisen]

👏 Let's get this moving.

[production-status-check]

Has QA approval

[vivekbisen]