closes #61 closes #59 closes #75

Author: catmando

lib/active_record_base.rb

@@ -193,7 +193,8 @@ def regulate_scope(name, &block)
 
         # regulate_default_scope
 
-        def regulate_default_scope(&block)
+        def regulate_default_scope(*args, &block)
+          block = __synchromesh_parse_regulator_params({ all: args[0] }, block).last unless args.empty?
           regulate_scope(:all, &block)
         end
 
@@ -311,6 +312,12 @@ def synchromesh_after_destroy
         return if do_not_synchronize?
         ReactiveRecord::Broadcast.after_commit :destroy, self
       end
+
+      def __hyperloop_secure_attributes(acting_user)
+        accessible_attributes =
+          Hyperloop::InternalPolicy.accessible_attributes_for(self, acting_user)
+        attributes.select { |attr| accessible_attributes.include? attr.to_sym }
+      end
     end
   end
 

lib/reactive_record/active_record/reactive_record/isomorphic_base.rb

@@ -447,23 +447,23 @@ def self.save_records(models, associations, acting_user, validate, save)
 
           saved_models = reactive_records.collect do |reactive_record_id, model|
             #puts "saving rr_id: #{reactive_record_id} model.object_id: #{model.object_id} frozen? <#{model.frozen?}>"
-            if model and (model.frozen? or dont_save_list.include?(model) or model.changed.include?(model.class.primary_key))
+            if model && (model.frozen? || dont_save_list.include?(model) || model.changed.include?(model.class.primary_key))
               # the above check for changed including the private key happens if you have an aggregate that includes its own id
-              #puts "validating frozen model #{model.class.name} #{model} (reactive_record_id = #{reactive_record_id})"
+              # puts "validating frozen model #{model.class.name} #{model} (reactive_record_id = #{reactive_record_id})"
               valid = model.valid?
-              #puts "has_errors before = #{has_errors}, validate= #{validate}, !valid= #{!valid}  (validate and !valid) #{validate and !valid}"
+              # puts "has_errors before = #{has_errors}, validate= #{validate}, !valid= #{!valid}  (validate and !valid) #{validate and !valid}"
               has_errors ||= (validate and !valid)
-              #puts "validation complete errors = <#{!valid}>, #{model.errors.messages} has_errors #{has_errors}"
+              # puts "validation complete errors = <#{!valid}>, #{model.errors.messages} has_errors #{has_errors}"
               error_messages << [model, model.errors.messages] unless valid
-              [reactive_record_id, model.class.name, model.attributes,  (valid ? nil : model.errors.messages)]
+              [reactive_record_id, model.class.name, model.__hyperloop_secure_attributes(acting_user), (valid ? nil : model.errors.messages)]
             elsif model and (!model.id or model.changed?)
-              #puts "saving #{model.class.name} #{model} (reactive_record_id = #{reactive_record_id})"
+              # puts "saving #{model.class.name} #{model} (reactive_record_id = #{reactive_record_id})"
               saved = model.check_permission_with_acting_user(acting_user, new_models.include?(model) ? :create_permitted? : :update_permitted?).save(validate: validate)
               has_errors ||= !saved
               messages = model.errors.messages if (validate and !saved) or (!validate and !model.valid?)
               error_messages << [model, messages] if messages
-              #puts "saved complete errors = <#{!saved}>, #{messages} has_errors #{has_errors}"
-              [reactive_record_id, model.class.name, model.attributes, messages]
+              # puts "saved complete errors = <#{!saved}>, #{messages} has_errors #{has_errors}"
+              [reactive_record_id, model.class.name, model.__hyperloop_secure_attributes(acting_user), messages]
             end
           end.compact
 

lib/reactive_record/permissions.rb

@@ -103,7 +103,7 @@ def check_permission_with_acting_user(user, permission, *args)
       self.acting_user = old
       self
     else
-      raise ReactiveRecord::AccessViolation, "for #{permission}(#{args})"
+      raise Hyperloop::AccessViolation, "for #{permission}(#{args})"
     end
   end
 

spec/batch1/crud_access_regulation/broadcast_controls_access_spec.rb

@@ -33,17 +33,17 @@
     it "will disallow access if acting_user is not allowed to connect" do
       m = FactoryBot.create(:test_model, test_attribute: "hello")
       expect { m.check_permission_with_acting_user(nil, :view_permitted?, :test_attribute) }.
-      to raise_error(ReactiveRecord::AccessViolation)
+      to raise_error(Hyperloop::AccessViolation)
       expect { m.check_permission_with_acting_user(nil, :view_permitted?, :created_at) }.
-      to raise_error(ReactiveRecord::AccessViolation)
+      to raise_error(Hyperloop::AccessViolation)
     end
 
     it "will disallow access to attributes not broadcast by the model" do
       m = FactoryBot.create(:test_model, test_attribute: "bogus")
       expect { m.check_permission_with_acting_user("user", :view_permitted?, :test_attribute) }.
       not_to raise_error
       expect { m.check_permission_with_acting_user("user", :view_permitted?, :created_at) }.
-      to raise_error(ReactiveRecord::AccessViolation)
+      to raise_error(Hyperloop::AccessViolation)
     end
 
     it "will allow access to attributes broadcast over an instance channel" do
@@ -61,14 +61,14 @@
     TestApplicationPolicy.class_eval do
       always_allow_connection
       regulate_broadcast(TestModel) do |policy|
-        policy.send_all_but(:created_at).to(TestApplication) 
+        policy.send_all_but(:created_at).to(TestApplication)
       end
     end
     m = FactoryBot.create(:test_model)
     expect { m.check_permission_with_acting_user(nil, :view_permitted?, :test_attribute) }.
     not_to raise_error
     expect { m.check_permission_with_acting_user(nil, :view_permitted?, :created_at) }.
-    to raise_error(ReactiveRecord::AccessViolation)
+    to raise_error(Hyperloop::AccessViolation)
   end
 
   it "will include :id as read attribute as long as any other attribute is readable" do
@@ -91,7 +91,7 @@
     end
     m = FactoryBot.create(:test_model)
     expect { m.check_permission_with_acting_user(nil, :view_permitted?, :id) }.
-    to raise_error(ReactiveRecord::AccessViolation)
+    to raise_error(Hyperloop::AccessViolation)
   end
 
   it "will ignore auto_connect: false " do

spec/batch5/authorization_spec.rb

@@ -90,6 +90,26 @@ def log(*args)
     expect_evaluate_ruby('ReactiveRecord::Base.last_log_message').to eq(['Fetch failed', 'error'])
   end
 
+  it 'will only return authorized attributes on creation' do
+    client_option raise_on_js_errors: :off
+    TestModel.class_eval do
+      def create_permitted?
+        true
+      end
+    end
+    mount 'TestComponent2'
+    wait_for_ajax
+    ApplicationController.acting_user = User.new(name: 'fred')
+    page.evaluate_ruby('Hyperloop.connect("TestApplication")')
+    TestModel.before_save { self.test_attribute ||= 'top secret' }
+    expect_promise do
+      model = TestModel.new(updated_at: 12)
+      model.save.then do
+        model.attributes.keys
+      end
+    end.to contain_exactly("id", "created_at", "updated_at", "child_models")
+  end
+
   it "will only synchronize the connected channels" do
     mount "TestComponent2"
     model1 = FactoryBot.create(:test_model, test_attribute: "hello")

spec/batch5/save_while_loading_spec.rb

@@ -22,25 +22,25 @@
     expect_promise do
       TodoItem.create(user: User.find_by_first_name('Ima'))
     end.to include('success' => true)
-    # strangely sometimes AR does not seem to be updated even though promise has returned
-    # huh?
-    wait_for(user.todo_items).to match_array([TodoItem.first])
+    expect(user.todo_items.to_a).to match_array([TodoItem.first])
   end
+
   it "with push" do
     user = FactoryBot.create(:user, first_name: 'Ima')
     expect_promise do
       User.find(1).todo_items << TodoItem.new
       User.find(1).save
     end.to include('success' => true)
-    wait_for(user.todo_items).to match_array([TodoItem.first])
+    expect(user.todo_items).to match_array([TodoItem.first])
   end
+  
   it "with assignment" do
     user = FactoryBot.create(:user, first_name: 'Ima')
     expect_promise do
       todo = TodoItem.new
       todo.user = User.find_by_first_name('Ima')
       todo.save
     end.to include('success' => true)
-    wait_for(user.todo_items).to match_array([TodoItem.first])
+    expect(user.todo_items).to match_array([TodoItem.first])
   end
 end

spec/batch5/relationship_permissions_spec.rb renamed to spec/batch5/zzz_must_be_last_relationship_permissions_spec.rb

@@ -1,14 +1,17 @@
+# Something about this spec can cause havoc on specs following.
+# somehow in the following specs AR objects are getting created in two different classes
+# so when you compare for example User.first.todos.first == Todos.first  they are NOT equal huh!
+# I suspect that its to with the fact that we remove and reload the classes
+# but I got as far as proving that you have to actually create a todoitem and an associated comment
+# once you do that the tests after will fail on stmts like this expect(user.todo_items.to_a).to match_array([TodoItem.first])
+# because the class of user.todo_items.class != TodoItems.first even though they look exactly the same!!!
+
 require 'spec_helper'
 require 'test_components'
 
 describe "relationship permissions" do#, dont_override_default_scope_permissions: true do
 
   before(:all) do
-    # Hyperloop.configuration do |config|
-    #   config.transport = :simple_poller
-    #   # slow down the polling so wait_for_ajax works
-    #   config.opts = { seconds_between_poll: 2 }
-    # end
 
     require 'pusher'
     require 'pusher-fake'
@@ -39,6 +42,7 @@
 
   before(:each) do
     ActiveRecord::Base.regulate_scope unscoped: nil
+    ActiveRecord::Base.regulate_default_scope nil
   end
 
   after(:each) do
@@ -244,7 +248,6 @@
       end
     end
   end
-
   context 'integration test', js: true do
     before(:each) do
       client_option raise_on_js_errors: :off