from upstream

Author: mpantel

ruby/hyper-model/lib/active_record_base.rb

@@ -129,20 +129,32 @@ def finder_method(name, &block)
           end
         end
 
-        def server_method(name, _opts = {}, &block)
-          # callable from the server internally
-          define_method(name, &block)
-          # callable remotely from the client
+        def allow_remote_access_to(*methods, &block)
+          methods = methods.collect { |meth| meth.is_a?(Hash) ? meth.keys : meth }.flatten
+          methods.each do |name|
           define_method("__secure_remote_access_to_#{name}") do |_self, acting_user, *args|
             begin
               old = self.acting_user
               self.acting_user = acting_user
-              send(name, *args)
+                allowed = !block || instance_eval(&block) rescue nil
+                return send(name, *args) if allowed
+
+                Hyperstack::InternalPolicy.raise_operation_access_violation(
+                  :illegal_remote_access, "Access denied to #{name}"
+                )
             ensure
               self.acting_user = old
             end
           end
         end
+        end
+
+        def server_method(name, _opts = {}, &block)
+          # callable from the server internally
+          define_method(name, &block)
+          # callable remotely from the client
+          allow_remote_access_to(name)
+        end
 
         # relationships (and scopes) are regulated using a tri-state system.  Each
         # remote access method will return the relationship as normal but will also set

ruby/hyper-model/lib/reactive_record/active_record/class_methods.rb

@@ -368,6 +368,18 @@ def server_method(name, default: nil)
       end
     end
 
+    def allow_remote_access_to(*methods)
+      methods.each do |meth|
+        if meth.is_a? Hash
+          puts "defining these guys: #{meth}"
+          meth.each { |name, default| server_method(name, default: default) }
+        else
+          puts "defining this guy: #{meth}"
+          server_method(meth)
+        end
+      end
+    end
+
     # define all the methods for each column.  To allow overriding the methods they will NOT
     # be defined if already defined (i.e. by the model)  See the instance_methods module for how
     # super calls are handled in this case.   The _hyperstack_internal_setter_... methods

ruby/hyper-model/spec/batch1/policies/send_access_xspec.rb

@@ -42,7 +42,7 @@ def saved_changes
   it "will allow sending a relationship to a relationship or scope"
   it "will allow sending a server method to a model"
   it "will allow sending count to model"
-  it "will allow sending count to relationship"
+  it "will allow sending count to relationship" do
     stub_const "TestModel1Policy", Class.new
     TestModel1Policy.class_eval do
       regulate_broadcast do | policy |

ruby/hyper-model/spec/batch6/server_method_spec.rb

@@ -88,4 +88,42 @@ class ServerMethodTester < HyperComponent
     expect(TestModel.count).to be_zero
     expect(ChildModel.count).to be_zero
   end
+
+  it "will allow remote access to methods" do
+    TodoItem.class_eval do
+      def foo
+        "foo"
+      end
+
+      def bar
+        "bar"
+      end
+
+      def broken
+        "broken"
+      end
+
+      def defaulted
+        "defaulted"
+      end
+    end
+    isomorphic do
+      TodoItem.class_eval do
+        allow_remote_access_to(:foo, :bar) { acting_user.nil? }
+        allow_remote_access_to(:broken) { acting_user.admin? }
+        allow_remote_access_to(:dontcallme, defaulted: "loading") { true }
+      end
+    end
+    client_option raise_on_js_errors: :off
+    expect { TodoItem.last.foo }.on_client_to be_nil
+    expect { Hyperstack::Model.load { TodoItem.last.foo } }.on_client_to eq("foo")
+    expect { TodoItem.last.bar }.on_client_to be_nil
+    expect { Hyperstack::Model.load { TodoItem.last.bar } }.on_client_to eq("bar")
+    expect { Hyperstack::Model.load { TodoItem.last.broken } }.on_client_to be_nil
+    expect { TodoItem.last.defaulted }.on_client_to eq "loading"
+    expect { Hyperstack::Model.load { TodoItem.last.defaulted } }.on_client_to eq("defaulted")
+    errors = page.driver.browser.manage.logs.get(:browser).select { |m| m.level == "SEVERE" }
+    expect(errors.count).to eq(2)
+    expect(errors.first.message).to match(/the server responded with a status of 403 \(Forbidden\)/)
+  end
 end

ruby/hyper-operation/lib/hyper-operation/transport/connection_adapter/active_record.rb

@@ -81,7 +81,7 @@ def connect_to_transport(channel, session, root_path)
         end
 
         def disconnect(channel)
-          Connection.find_by(channel: channel, session: nil).destroy
+          Connection.find_by(channel: channel, session: nil)&.destroy
         end
 
         def root_path=(path)

ruby/hyper-operation/lib/hyper-operation/transport/connection_adapter/redis.rb

@@ -63,7 +63,7 @@ def connect_to_transport(channel, session, root_path)
         end
 
         def disconnect(channel)
-          Connection.find_by(channel: channel, session: nil).destroy
+          Connection.find_by(channel: channel, session: nil)&.destroy
         end
 
         def root_path=(path)