Extracting scopes to separate classes/files?

[Envek]

When I was migrating some existing authorization logic to Action Policy, with some pretty lengthy scoping, I noticed that due to that scoping policy class became very huge: hundreds lines of code in total.

class ProjectPolicy < ApplicationPolicy
  pre_check :forbid_banned_user
  pre_check :forbid_banned_project

  def view?
    # few lines of code
  end
  alias_rule :fork?, to: :view?

  # some more rules

  relation_scope do |relation|
    # some logic
  end

  params_filter(:create) do |params|
    # A lot of stuff
  end

  params_filter(:update) do |params, record:|
    # A lot of stuff, partially duplicated
  end

  private

  # helpers, etc
end

It is hard to navigate, hard to test, etc.

Proposal

It would be awesome if ActioPolicy defined and suggested a way to move scopes definition to some classes (with inheritance, modules and all other goodies that can be used from classes) and allowed just to plug them into policy.

E.g. in some way like this:

class ProjectPolicy < ApplicationPolicy
  relation_scope AuthorizedProjects

  params_filter :create, ProjectParamsForCreate
  params_filter :update, ProjectParamsForUpdate
end

And scope objects could be defined like this:

class ProjectParamsForUpdate < ProjectParamsForCreate
  def call(params, record:)
    # Existing logic
  end
end

However, there are some questions about getting access to authorization scope defined in policy (because now it is kind of separate, independent class from policy) and etc.

WDYT?

[palkan]

I like the idea; should we call them "Scoping Objects" 🤔

there are some questions about getting access to authorization scope defined in policy (because now it is kind of separate, independent class from policy) and etc.

Yeah, one of the main benefits (IMO) of the current implementation is the fact that scopes are executed in the context of a policy instance.

The first idea that came into my mind is to simply pass policy as an argument:

class ProjectPolicy < ApplicationPolicy
  relation_scope AuthorizedProjects
end

module AuthorizedProjects
  def self.call(policy, target, **options)
    # ...
  end
end

In Rails, we can hide this by using delegate_missing_to:

class AuthorizedScope
  attr_reader :policy

  delegate_missing_to :policy

  def self.call(policy, target, **options)
     new(policy).call(target, **options)
  end

  def initialize(policy)
    @policy = policy
  end
end

class AuthorizedProjects < AuthorizedScope
  def call(target, **options)
    admin? ? target.all : target.none
  end
end

[killondark]

@Envek, hi. I done this feature. Look at PR

[killondark]

@palkan, can mark this discussion as resolved?

[palkan]

Sure