access-granted 0.0.2 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 990382c04aeeeb43c67adcd3adc1fc0e4ac6b7ac
-  data.tar.gz: d9970ae5c29e073953f41ec55c3f19b8a0d18225
+  metadata.gz: e569e46f4095287086e980979eb59cb48bb8d671
+  data.tar.gz: 12579f6c1242101c5dfdab73bda111170fd719be
 SHA512:
-  metadata.gz: 6ddcadc2b5e812ae350e91479047c344d705e6cb7f3011f35e695aab0ca545402a550c1e9f8c45661e64cce0228b0f44334c384615721eb2eca38938d0ea501e
-  data.tar.gz: 9060e6c5d8243a43f33dfe9a4b6274a68edd748d1e32930939c5c7097db0679be03f21a168ae98f031806696da654a4806c3844f866ac2aadc4ccde6f5102b51
+  metadata.gz: b3bdef4853790d402a621cc1eae254d4fed2dc12a2273c704379bb84d7dce6f4a03d6c7b071a6b1a74d27bdf319cc98b0372490b164dd8ef3eaaa7edc2af3fe8
+  data.tar.gz: 4baac040d13e99a97aae7c3e160a3dc6e506350195b148e6c2737c8ee5b51c141b45e6e6f1e4b791a07e077abdf7552cfda87eab22c1a9c2b162fd14f7e6a2c2

data/.travis.yml

@@ -2,3 +2,9 @@ language: ruby
 rvm:
   - 1.9.3
   - 2.0.0
+  - 2.1.0
+  - rbx-2.1.1
+  - rbx-2.2.3
+  - rbx
+  - jruby-1.7.6
+  - jruby

data/Gemfile

@@ -3,7 +3,13 @@ source 'https://rubygems.org'
 # Specify your gem's dependencies in access-granted.gemspec
 gemspec
 
-group :test do
+group :test, :development do
+  gem 'rb-readline'
   gem 'simplecov', require: false
   gem 'rake'
+  gem 'pry'
+end
+
+platforms :rbx do
+  gem 'rubysl', '~> 2.0'
 end

data/README.md

@@ -2,14 +2,18 @@
 
 Multi-role and whitelist based authorization gem for Rails. And it's lightweight (~300 lines of code)!
 
+### Supported Ruby versions
+
+Guaranteed to work on MRI 1.9.3/2.0/2.1, Rubinius >= 2.1.1 and JRuby >= 1.7.6.
+
 # Summary
 
 AccessGranted is meant as replacement for CanCan to solve three major problems:
 
 1. built-in support for roles
 
-  Easy to read acess policy code where permissions are cleanly grouped into roles which may or may not apply to a user.
-  Additionally permissions are forced to be unique in the scope a role greatly simplifying the
+  Easy to read access policy code where permissions are cleanly grouped into roles which may or may not apply to a user.
+  Additionally permissions are forced to be unique in the scope a role. Thus greatly simplifying the
   permission resolving and extremely reducing the code-base.
 
 2. white-list based
@@ -17,23 +21,34 @@ AccessGranted is meant as replacement for CanCan to solve three major problems:
   This means that you define what a role **can** do,
   not overidding permissions with `cannot` in a specific order which results in an ugly and unmaintainable code.
 
+  **Note**: `cannot` is still possible, but has a specifc use. See [Usage](#usage) below.
+
 3. Permissions can work on basically any object and AccessGranted is framework-agnostic,
-   (the only Rails-specific methods are `can?`/`cannot?`/`authorize!` helpers injected
+   (the Rails-specific methods are `can?`/`cannot?`/`authorize!` helpers injected
    into the framework only when it's present).
 
 See [Usage](#usage) for an example of a complete AccessPolicy file.
 
-## Compatibility
+## Compatibility with CanCan
 
 This gem was created as a replacement for CanCan and therefore it requires minimum work to switch.
 
-1. Both `can?`/`cannot?` and `authorize!` methods work in Rails controllers and views, so
-   **you don't have to adjust your views at all**.
-2. Syntax for defining permissions in AccessPolicy file (Ability in CanCan) is exactly the same,
+### Main differences
+
+1. AccessGranted does not extend ActiveRecord in any way, so it does not have the `accessible_by?`
+   method which could be used for querying objects available to current user.
+   This was very complex and only worked with permissions defined using hash conditions, so
+   I decided to not implement this functionality as it was mostly ignored by CanCan users.
+
+2. Both `can?`/`cannot?` and `authorize!` methods work in Rails controllers and views, just like in CanCan.
+   The only change you have to make is replace all `can? :manage, Class` with precise action.
+   `can :manage` is stil available for **defining** methods and serves as a shortcut for defining `:read`, `:create`, `:update`, `:destroy`
+   in one line.
+
+   Due to introduction of Roles checking for generic `:manage` permission is very complicated and also confusing for developers.
+
+3. Syntax for defining permissions in AccessPolicy file (Ability in CanCan) is exactly the same,
    with added roles on top. See [Usage](#usage) below.
-3. **Main difference**: AccessGranted does not extend ActiveRecord in any way, so it does not have the `accessible_by?`
-   method to keep the code as simple as possible.
-   That is because `accessible_by?` was very limited making it useless in most cases (complex permissions with lambdas).
 
 
 ## Installation
@@ -70,12 +85,12 @@ class Policy
       cannot [:create, :update, :destroy], Post
 
       # same as above, :manage is just a shortcut for
-      # `[:create, :update, :destroy]`
+      # `[:read, :create, :update, :destroy]`
       cannot :manage, Comment
     end
 
     # Takes precedences over roles placed lower
-    # and explicitly lets admin mamange everything.
+    # and explicitly lets admin manage everything.
     role :admin, { is_admin: true } do
       can :manage, Post
       can :manage, Comment
@@ -84,7 +99,8 @@ class Policy
     # You can also use Procs to determine
     # if the role should apply to a given user.
     role :moderator, proc {|u| u.moderator? } do
-      # overwrites permission that only allows removing own content in :member
+      # takes precedence over :update/:destroy
+      # permissions defined in member role below
       # and lets moderators edit and delete all posts
       can [:update, :destroy], Post
 
@@ -93,8 +109,8 @@ class Policy
       can :update, User
     end
 
-    # Applies to everyone logged in.
     # The basic role.
+    # Applies to everyone logged in.
     role :member do
       can :create, Post
 

data/access-granted.gemspec

@@ -8,7 +8,7 @@ Gem::Specification.new do |spec|
   spec.version       = AccessGranted::VERSION
   spec.authors       = ["Piotrek Okoński"]
   spec.email         = ["piotrek@okonski.org"]
-  spec.description   = %q{Whitelist and role based authorization gem}
+  spec.description   = %q{Role based authorization gem}
   spec.summary       = %q{Elegant whitelist and role based authorization with ability to prioritize roles.}
   spec.homepage      = "https://github.com/pokonski/access-granted"
   spec.license       = "MIT"
@@ -19,8 +19,5 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_development_dependency "bundler", "~> 1.3"
-  spec.add_development_dependency "rake"
   spec.add_development_dependency "rspec"
-  spec.add_development_dependency "pry"
-  spec.add_development_dependency "text-table"
 end

data/lib/access-granted/controller_methods.rb

@@ -5,7 +5,7 @@ module AccessGranted
     end
 
     def self.included(base)
-      base.helper_method :can?, :cannot?, :current_ability
+      base.helper_method :can?, :cannot?, :current_policy
     end
 
     def can?(*args)

data/lib/access-granted/permission.rb

@@ -35,9 +35,9 @@ module AccessGranted
 
     def eql?(other)
       other.class == self.class &&
-        @action   == other.action &&
-          @subject  == other.subject &&
-            @granted  == other.granted
+        @action == other.action &&
+          @subject == other.subject &&
+            @granted == other.granted
     end
 
     def ==(other)

data/lib/access-granted/role.rb

@@ -28,11 +28,6 @@ module AccessGranted
       add_permission(false, action, subject, conditions, block)
     end
 
-    def can?(action, subject)
-      permission = find_permission(action, subject)
-      permission ? permission.granted : false
-    end
-
     def find_permission(action, subject)
       relevant_permissions(action, subject).detect do |permission|
         permission.matches_conditions?(subject)
@@ -42,7 +37,7 @@ module AccessGranted
     def applies_to?(user)
       case @conditions
       when Hash
-        matches_hash(user, @conditions)
+        matches_hash?(user, @conditions)
       when Proc
         @conditions.call(user)
       else
@@ -57,7 +52,7 @@ module AccessGranted
       end
     end
 
-    def matches_hash(user, conditions = {})
+    def matches_hash?(user, conditions = {})
       conditions.all? do |name, value|
         user.send(name) == value
       end
@@ -76,7 +71,7 @@ module AccessGranted
 
     def prepare_actions(action)
       if action == :manage
-        actions = [:create, :update, :destroy]
+        actions = [:read, :create, :update, :destroy]
       else
         actions = [action].flatten
       end

data/lib/access-granted/version.rb

@@ -1,3 +1,3 @@
 module AccessGranted
-  VERSION = "0.0.2"
+  VERSION = "0.1.0"
 end

data/spec/controller_methods_spec.rb

@@ -5,7 +5,7 @@ describe AccessGranted::ControllerMethods do
     @current_user = double("User")
     @controller_class = Class.new
     @controller = @controller_class.new
-    @controller_class.stub(:helper_method).with(:can?, :cannot?, :current_ability)
+    @controller_class.stub(:helper_method).with(:can?, :cannot?, :current_policy)
     @controller_class.send(:include, AccessGranted::ControllerMethods)
     @controller.stub(:current_user).and_return(@current_user)
   end

data/spec/policy_spec.rb

@@ -9,10 +9,10 @@ describe AccessGranted::Policy do
 
   describe "#configure" do
     before :each do
-      @member = double("member",        is_moderator: false, is_admin: false, is_banned: false)
-      @mod    = double("moderator",     is_moderator: true,  is_admin: false, is_banned: false)
-      @admin  = double("administrator", is_moderator: false, is_admin: true,  is_banned: false)
-      @banned = double("banned",        is_moderator: false, is_admin: true,  is_banned: true)
+      @member = double("member",        id: 1, is_moderator: false, is_admin: false, is_banned: false)
+      @mod    = double("moderator",     id: 2, is_moderator: true,  is_admin: false, is_banned: false)
+      @admin  = double("administrator", id: 3, is_moderator: false, is_admin: true,  is_banned: false)
+      @banned = double("banned",        id: 4, is_moderator: false, is_admin: true,  is_banned: true)
     end
 
     it "selects permission based on role priority" do
@@ -20,27 +20,55 @@ describe AccessGranted::Policy do
         include AccessGranted::Policy
 
         def configure(user)
-          role :member do
-            can :read, String
+          role :administrator, { is_admin: true } do
+            can :destroy, String
           end
 
           role :moderator, { is_moderator: true } do
-            can :edit, String
+            can :update, String
           end
 
-          role :administrator, { is_admin: true } do
-            can :destroy, String
+          role :member do
+            can :read, String
           end
         end
       end
-      klass.new(@member).cannot?(:destroy, String).should be_true
       klass.new(@admin).can?(:destroy, String).should     be_true
       klass.new(@admin).can?(:read, String).should        be_true
+
+      klass.new(@member).cannot?(:destroy, String).should be_true
+      klass.new(@member).can?(:read, String).should       be_true
+
+      klass.new(@mod).can?(:read, String).should          be_true
       klass.new(@mod).cannot?(:destroy, String).should    be_true
     end
 
+    context "when multiple roles define the same permission" do
+      it "checks all roles until conditions are met" do
+        user_post = FakePost.new(@member.id)
+        other_post = FakePost.new(66)
+
+        klass = Class.new do
+          include AccessGranted::Policy
+
+          def configure(user)
+            role :administrator, { is_admin: true } do
+              can :destroy, FakePost
+            end
+
+            role :member do
+              can :destroy, FakePost, user_id: user.id
+            end
+          end
+        end
+
+        klass.new(@admin).can?(:destroy, user_post).should be_true
+        klass.new(@member).can?(:destroy, user_post).should be_true
+        klass.new(@member).cannot?(:destroy, other_post).should be_true
+      end
+    end
     describe "#cannot" do
-      it "forbids action when used in higher role" do
+      it "forbids action when used in superior role" do
         klass = Class.new do
           include AccessGranted::Policy
 
@@ -54,8 +82,8 @@ describe AccessGranted::Policy do
             end
           end
         end
-        klass.new(@member).can?(:create, String).should be_true
-        klass.new(@banned).can?(:create, String).should be_false
+        klass.new(@member).can?(:create, String).should    be_true
+        klass.new(@banned).cannot?(:create, String).should be_true
       end
     end
   end
@@ -86,7 +114,7 @@ describe AccessGranted::Policy do
         can :read, String
       end
 
-      role.can?(:read, String).should be_true
+      role.find_permission(:read, String).granted.should be_true
     end
   end
 

data/spec/role_spec.rb

@@ -62,7 +62,7 @@ describe AccessGranted::Role do
 
     it "accepts :manage shortcut for CRUD actions" do
       @role.can :manage, String
-      @role.permissions.map(&:action).should include(:create, :update, :destroy)
+      @role.permissions.map(&:action).should include(:read, :create, :update, :destroy)
     end
 
     describe "when action is an Array" do
@@ -75,12 +75,12 @@ describe AccessGranted::Role do
     describe "when no conditions given" do
       it "should be able to read a class" do
         @role.can :read, String
-        @role.can?(:read, String).should be_true
+        @role.find_permission(:read, String).should be_true
       end
 
       it "should be able to read instance of class" do
         @role.can :read, String
-        @role.can?(:read, "text").should be_true
+        @role.find_permission(:read, "text").should be_true
       end
     end
 
@@ -88,7 +88,7 @@ describe AccessGranted::Role do
       it "should be able to read when conditions match" do
         sub = double("Element", published: true)
         @role.can :read, sub.class, { published: true }
-        @role.can?(:read, sub).should be_true
+        @role.find_permission(:read, sub).should be_true
       end
     end
   end

data/spec/spec_helper.rb

@@ -1,7 +1,9 @@
 require 'rubygems'
 require 'bundler/setup'
-require 'simplecov'
-SimpleCov.start
+if ENV["COV"]
+  require 'simplecov'
+  SimpleCov.start
+end
 require 'pry'
 
 RSpec.configure do |config|
@@ -20,6 +22,9 @@ module ActionController
 end
 require 'access-granted'
 
+class FakePost < Struct.new(:user_id)
+end
+
 class Policy
   include AccessGranted::Policy
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: access-granted
 version: !ruby/object:Gem::Version
-  version: 0.0.2
+  version: 0.1.0
 platform: ruby
 authors:
 - Piotrek Okoński
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-11-17 00:00:00.000000000 Z
+date: 2014-02-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -24,20 +24,6 @@ dependencies:
     - - ~>
       - !ruby/object:Gem::Version
         version: '1.3'
-- !ruby/object:Gem::Dependency
-  name: rake
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '>='
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -52,35 +38,7 @@ dependencies:
     - - '>='
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: pry
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: text-table
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-description: Whitelist and role based authorization gem
+description: Role based authorization gem
 email:
 - piotrek@okonski.org
 executables: []
@@ -127,7 +85,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.3
+rubygems_version: 2.1.11
 signing_key: 
 specification_version: 4
 summary: Elegant whitelist and role based authorization with ability to prioritize