Fingertips-authorization-san 1.0.0

data/LICENSE

@@ -0,0 +1,18 @@
+(c) 2009 Fingertips, Manfred Stienstra <m.stienstra@fngtps.com>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+  
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+   
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,21 @@
+= Authorization-San
+
+Authorization-san allows you to specify access policies in your controllers. The plugin assumes a number of things about the application.
+
+* If a user has authenticated with the application, it's stored in <tt>@authenticated</tt>. The method of authentication doesn't matter.
+* <tt>@authenticated</tt> has either a <tt>role</tt> attribute or a number of methods to query for the role: <tt>admin?</tt>, <tt>editor?</tt>, <tt>guest?</tt>. When the <tt>@authenticated</tt> object doesn't have role methods it's 
+
+== What does it look like?
+
+  class BooksController < ActionController::Base
+    # Visitors can see list of books and book pages
+    allow_access :all, :only => [:index, :show]
+    # An editor can create new books, but…
+    allow_access :editor, :only => [:new, :create]
+    # …she can only update her own books.
+    allow_access(:editor, :only => [:edit, :update]) { @book = @authenticated.books.find(params[:id]) }
+    # Admin users can do it all.
+    allow_access :admin
+  end
+
+The best place to start learning more is the <tt>examples</tt> directory in the source.

data/lib/authorization.rb

@@ -0,0 +1,2 @@
+require 'authorization/allow_access'
+require 'authorization/block_access'

data/lib/authorization/allow_access.rb

@@ -0,0 +1,78 @@
+module Authorization
+  module AllowAccess
+    # By default you block all access to the controller with <tt>block_access</tt>, with <tt>allow_access</tt> you
+    # specify who can access the actions on the controller under certain conditions. <tt>allow_access</tt> can deal
+    # with accounts with and without roles.
+    # 
+    # *Examples*
+    #
+    # Everyone can access all actions on the controller.
+    #   allow_access
+    #   allow_access :all
+    # Everyone with the admin role can access the controller.
+    #   allow_access :admin
+    # Everyone with the admin and editor role can access the controller.
+    #   allow_access :admin, :editor
+    # Everyone with the editor role can access the index. show, edit and update actions.
+    #   allow_access :editor, :only => [:index, :show, :edit, :update]
+    # A coordinator can do anything the admin can, except for delete
+    #   allow_access :coordinator, :except => :destroy
+    # Everyone with the admin and editor role can access the show action.
+    #   allow_access :admin, :editor, :action => :show
+    # A guest can view all resources if he has view permissions. The block is evaltuated in the controller's instance.
+    # Note that rules are evaluated when <tt>block_access</tt> is run.
+    #   allow_access(:guest, :only => [:index, :show]) { @authenticated.view_permission? }
+    # Specifying a role is optional, if you don't specify a role the rule is added for the default role <tt>:all</tt>.
+    #   allow_access(:only => :unsubscribe) { @authenticated.subscribed? }
+    # Only allow authenticated users, :authenticated is a special role meaning all authenticated users.
+    #   allow_access :authenticated
+    # You need to be authenticated for the secret action
+    #   allow_access :all, :except => :secret
+    #   allow_access :authenticated, :only => :secret
+    #
+    # The following special directives might be a little hard to explain, I will give the equivalent rule with the
+    # block access.
+    #
+    # Imagine we have a user controller, every user has an organization association. The users resource is nested
+    # in the organization resource like this.
+    #   map.resources :organizations { |org| org.resources :users }
+    # Now we want the user to edit his own resource (for instance to update the password).
+    #   allow_access :only => [:index, :show, :edit, :update], :user_resource => true
+    #   allow_access(:only => [:index, :show, :edit, :update]) do
+    #     @authenticated.id == params[:id].to_i
+    #   end
+    # We could also specify that a user can edit everything in his own organization.
+    #   allow_access :only => [:index, :show, :edit, :update], :scope => :organization
+    #   allow_access(:only => [:index, :show, :edit, :update]) do
+    #     @authenticated.organization.id == params[:organization_id].to_i
+    #   end
+    def allow_access(*args, &block)
+      unless self.respond_to?(:access_allowed_for)
+        self.class_inheritable_accessor(:access_allowed_for)
+        send(:protected, :access_allowed_for, :access_allowed_for=)
+      end
+      self.access_allowed_for ||= HashWithIndifferentAccess.new
+      if args.first.kind_of?(Hash) || args.empty?
+        self.access_allowed_for[:all] ||= []
+        self.access_allowed_for[:all] << {
+          :directives => args.first || {},
+          :block => block
+        }
+      else
+        directives = args.last.kind_of?(Hash) ? args.pop : {}
+        roles = args.flatten
+        if roles.delete(:authenticated) or roles.delete('authenticated')
+          roles = [:all] if roles.empty?
+          directives[:authenticated] = true
+        end
+        roles.each do |role|
+          self.access_allowed_for[role.to_s] ||= []
+          self.access_allowed_for[role.to_s] << {
+            :directives => directives,
+            :block => block
+          }
+        end
+      end
+    end
+  end
+end

data/lib/authorization/block_access.rb

@@ -0,0 +1,133 @@
+module Authorization
+  module BlockAccess
+    protected
+    
+    # Block access to all actions in the controller, designed to be used as a <tt>before_filter</tt>.
+    #   class ApplicationController < ActionController::Base
+    #     before_filter :block_access
+    #   end
+    def block_access
+      die_if_undefined
+      unless @authenticated.nil?
+        # Find the user's roles
+        roles = []
+        roles << @authenticated.role if @authenticated.respond_to?(:role)
+        access_allowed_for.keys.each do |role|
+           roles << role.to_s if @authenticated.respond_to?("#{role}?") and @authenticated.__send__("#{role}?")
+        end
+        # Check if any of the roles give her access
+        roles.each do |role|
+          return true if access_allowed?(params, role, @authenticated)
+        end
+      end
+      return true if access_allowed?(params, :all, @authenticated)
+      access_forbidden
+    end
+
+    # Checks if access is allowed for the params, role and authenticated user.
+    #   access_allowed?({:action => :show, :id => 1}, :admin, @authenticated)
+    def access_allowed?(params, role, authenticated=nil)
+      die_if_undefined
+      if (rules = access_allowed_for[role]).nil?
+        logger.debug("  \e[31mCan't find rules for `#{role}'\e[0m")
+        return false
+      end
+      !rules.detect do |rule|
+        if !action_allowed_by_rule?(rule, params, role) or !resource_allowed_by_rule?(rule, params, role, authenticated) or !block_allowed_by_rule?(rule)
+          logger.debug("  \e[31mAccess DENIED by RULE #{rule.inspect} FOR `#{role}'\e[0m")
+          false
+        else
+          logger.debug("  \e[32mAccess GRANTED by RULE #{rule.inspect} FOR `#{role}'\e[0m")
+          true
+        end
+      end.nil?
+    end
+
+    # <tt>access_forbidden</tt> is called by <tt>block_access</tt> when access is forbidden. This method does
+    # nothing by default. Make sure you return <tt>false</tt> from the method if you want to halt the filter
+    # chain.
+    def access_forbidden
+      false
+    end
+
+    # Checks if a certain action can be accessed by the role.
+    # If you want to check for <tt>action_allowed?</tt>, <tt>resource_allowed?</tt> and <tt>block_allowed?</tt>
+    # use <tt>access_allowed?</tt>.
+    #   action_allowed?({:action => :show, :id => 1}, :editor)
+    def action_allowed?(params, role=:all)
+      die_if_undefined
+      return false if (rules = access_allowed_for[role]).nil?
+      !rules.detect { |rule| action_allowed_by_rule?(rule, params, role) }.nil?
+    end
+
+    def action_allowed_by_rule?(rule, params, role) #:nodoc:
+      return false if (action = params[:action]).nil?
+      directives = rule[:directives]
+      return false if directives[:only].kind_of?(Array) and !directives[:only].include?(action.to_sym)
+      return false if directives[:only].kind_of?(Symbol) and directives[:only] != action.to_sym
+      return false if directives[:except].kind_of?(Array) and directives[:except].include?(action.to_sym)
+      return false if directives[:except].kind_of?(Symbol) and directives[:except] == action.to_sym
+      true
+    end
+
+    # Checks if the resource indicated by the params can be accessed by user.
+    # If you want to check for <tt>action_allowed?</tt>, <tt>resource_allowed?</tt> and <tt>block_allowed?</tt>
+    # use <tt>access_allowed?</tt>.
+    #   resource_allowed?({:id => 1, :organization_id => 12}, :guest, @authenticated)
+    def resource_allowed?(params, role=:all, user=nil)
+      user ||= @authenticated
+      die_if_undefined
+      return false if (rules = access_allowed_for[role]).nil?
+      !rules.detect { |rule| resource_allowed_by_rule?(rule, params, role, user) }.nil?
+    end
+
+    def resource_allowed_by_rule?(rule, params, role, user) #:nodoc:
+      directives = rule[:directives]
+      if directives[:authenticated]
+        return false unless user
+      end
+      begin
+        if directives[:user_resource]
+          return false if params[:id].nil? or user.id.nil?
+          return false if params[:id].to_i != user.id.to_i
+        end
+      rescue NoMethodError
+      end
+      begin
+        if scope = directives[:scope]
+          assoc_id = params["#{scope}_id"].to_i
+          begin
+            object_id = user.__send__(scope).id.to_i
+          rescue NoMethodError
+            return false
+          end
+          return false if assoc_id.nil? or object_id.nil?
+          return false if assoc_id != object_id
+        end
+      rescue NoMethodError
+      end
+      true
+    end
+
+    # Checks if the blocks associated with the rules doesn't stop the user from acessing the resource.
+    # If you want to check for <tt>action_allowed?</tt>, <tt>resource_allowed?</tt> and <tt>block_allowed?</tt>
+    # use <tt>access_allowed?</tt>.
+    #   block_allowed?(:guest)
+    def block_allowed?(role)
+      die_if_undefined
+      return false if (rules = access_allowed_for[role]).nil?
+      !rules.detect { |rule| block_allowed_by_rule?(rule) }.nil?
+    end
+
+    def block_allowed_by_rule?(rule) #:nodoc:
+      return false if !rule[:block].nil? and !rule[:block].bind(self).call
+      true
+    end
+
+    def die_if_undefined #:nodoc:
+      if !self.respond_to?(:access_allowed_for) or access_allowed_for.nil?
+        raise ArgumentError, "Please specify access control using `allow_access' in the controller"
+      end
+    end
+  end
+end

data/rails/init.rb

@@ -0,0 +1,4 @@
+require 'authorization'
+
+ActionController::Base.send(:include, Authorization::BlockAccess)
+ActionController::Base.send(:extend, Authorization::AllowAccess)

metadata

@@ -0,0 +1,60 @@
+--- !ruby/object:Gem::Specification 
+name: Fingertips-authorization-san
+version: !ruby/object:Gem::Version 
+  version: 1.0.0
+platform: ruby
+authors: 
+- Manfred Stienstra
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2009-03-09 00:00:00 -07:00
+default_executable: 
+dependencies: []
+
+description: A plugin for authorization in a ReSTful application.
+email: manfred@fngtps.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- README.rdoc
+- LICENSE
+files: 
+- lib/authorization.rb
+- lib/authorization/allow_access.rb
+- lib/authorization/block_access.rb
+- rails/init.rb
+- README.rdoc
+- LICENSE
+has_rdoc: true
+homepage: http://fingertips.github.com
+post_install_message: 
+rdoc_options: 
+- --inline-source
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.2.0
+signing_key: 
+specification_version: 2
+summary: A plugin for authorization in a ReSTful application.
+test_files: []
+