access_checker 0.0.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: e5456d21655f8835826452eef2cdac90fa87f1eb
+  data.tar.gz: ebd45557dee969efa672eab0145adae09a395574
+SHA512:
+  metadata.gz: 06c5baa53ad4ba070432132ddd295812d1c1ef73fb58e99df38f75585ccd4a060be64fe9d4df3b45615fe96e0d4ee4cd697f8787ed50ce6e99d664fa9068fdb5
+  data.tar.gz: 1a86f0b714bd1173ad30954dcdbac8900504a53af2d4d756f1c422d65d751d204d1a3b94c64e174ffb3ab6facb537aba9289ddf93c4adcfcdcf469b766fd42ed

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in access_checker.gemspec
+gemspec

data/README.md

@@ -0,0 +1,142 @@
+# AccessChecker
+
+AccessChecker is a simple replacement for ACL9, a role-based authentication gem.
+AccessChecker is primarily oriented for functioning as a before\_action role authentication 
+scheme for Rails controllers.
+
+## Basic concepts
+Authentication is often called for on a controller-by-controller basis, restricting
+actions to users who possess certain roles. AccessChecker (current version) assumes only one role
+per user. AccessChecker requires a _current\_user_ method accessible at the controller level
+and which returns a User object.
+
+AccessChecker adds, to the User model, role accessor methods: has\_role?, has\_role!, get\_role
+
+## Structure
+
+* necessary models: user, roles, roles\_users (join table)
+* necessary migrations (for access_checker): roles, roles\_users (join table)
+
+
+### Defaults assumed
+
+**User** is the subject model: 
+indicate by inserting the following macro after the class definition:
+
+```
+    acts_as_authorization_subject
+```
+
+**Role** is the role model: 
+indicate by inserting the following macro after the class definition:
+
+```
+   acts_as_authorization_role
+```
+
+Note: the gem allows the default model/table names to be changed, but I haven't built tests
+for verifying that the changes will work.
+
+```
+   class Role < ActiveRecord::Base
+     acts_as_authorization_role
+   end
+
+   class User < ActiveRecord::Base
+     acts_as_authorization_subject
+   end
+```
+
+### Migrations required
+
+The roles table must be created (sorry, no generator yet)
+Some of the fields are legacy from acl9 and currently are not used.
+
+```
+  create_table "roles", :force => true do |t|
+    t.string   "name",              :limit => 40
+    t.string   "authorizable_type", :limit => 40
+    t.string  "authorizable_id"
+    t.boolean "system", :default=>false
+    t.datetime "created_at"
+    t.datetime "updated_at"
+  end
+```
+
+and the join table
+
+```
+    create_table :roles_users, :id => false, :force => true do |t|
+      t.column  :user_id, :integer
+      t.column  :role_id, :integer
+    end
+      add_index :roles_users, :user_id
+```
+ 
+
+## Usage
+
+At the head of every controller for which you wish to control user access,
+you'll need to place an _access_control_ macro which is used to generate a 
+before_action for the authorization checks. The macro takes a hash of role
+specification parameters. These must be specified prior to the macro and
+then referenced as the macro's parameter parameter. I cannot be specified
+in-line because Rails is treating it as a before_action and so expects a
+before_action type of ( :only =>, :except => ) hash which would then apply
+to the before_action itself and thus bypass any explicit checking.
+
+Unauthorized access yields an exception: AccessChecker::AccessDenied .
+Syntax errors in formulating the control parameters will also raise an exception: AccessChecker::SyntaxError .
+You'll probably want to catch those exceptions and handle them gracefully, probably in your ApplicationController.
+
+Notice that roles, limit_types, and controller actions are all expected to be symbols.
+
+You have complete freedom to define roles to be whatever you want: except for the reserved words: :all, :anonymous.
+The usage of :all, :anonymous is explained with the following logic.
+
+* if current_user.nil?, then proceed as :anonymous if :anonymous is referenced in the role_control_hash
+* if user's role is not referenced, then proceed as :all if :all is referenced in the role_control_hash
+* else proceed and evaluate the role_control_hash with user's role
+
+This means that :all will **only** be invoked if a user has a role which is **NOT** specified in the role_control_hash and
+if :all **is** specified in the hash. In that sense :unspecified would be more accurate than :all, but :all is shorter and 
+handier to work with.
+And it means that :anonymous will **only** be invoked if current_user.nil? is true and
+if :anonymous **is** specified in the hash.
+ 
+The access limitation types are: 
+
+* :allow, :to, :only -- control what access is allowed; all else will be denied
+* :deny, :except -- control what is denied; all else will be permitted
+
+The action list can be empty; in which case, for :allow, all actions are permitted; and for :deny, no actions are permitted.
+If both limit_type and action_list are missing, then :allow => [] will be assumed.
+
+```
+class AnyController < ApplicationController
+
+   control_parameters = {
+       :admin   => { :allow => [] },
+       :manager => { :deny  => [ :delete, :edit ] },
+       :member  => { :allow => [ :index, :show  ] },
+       :anonymous => { :allow => [:index ] },
+       :all       => { :deny  => [:edit, :update] }
+   }
+
+   access_control control_parameters
+```
+ 
+Catch exceptions:
+
+```
+class ApplicationController < ActionController::Base
+   rescue_from AccessChecker::AccessDenied do |e|
+     # do something here
+   end
+```
+ 
+## Acknowledgements
+
+AccessChecker was influenced by the acl9 gem (https://github.com/be9/acl9). 
+
+

data/Rakefile

@@ -0,0 +1,24 @@
+# encoding: utf-8
+require "bundler/gem_tasks"
+require 'bundler'
+
+  begin
+    Bundler.setup(:default, :development)
+  rescue Bundler::BundlerError => e
+    $stderr.puts e.message
+    $stderr.puts "Run `bundle install` to install missing gems"
+    exit e.status_code
+  end
+
+require 'rake'
+
+# ------------------------------------------------------------------------
+# don't use normal Rake test routine because of double factory_bot
+# ------------------------------------------------------------------------
+task :test do
+   ruby '-I test "test/test_access_checker.rb"'
+end # test task
+
+task :default => :test
+
+

data/VERSION

@@ -0,0 +1 @@
+0.0.2

data/access_checker.gemspec

@@ -0,0 +1,36 @@
+Gem::Specification.new do |s|
+  s.name = "access_checker"
+  s.version = "0.0.2"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Markus Hediger"]
+  s.date = "2018-01-01"
+  s.description = "Simple access control on controller basis"
+  s.email = "m.hed@gmx.ch"
+  s.files = [
+    "Gemfile",
+    "README.md",
+    "Rakefile",
+    "VERSION",
+    "lib/access_checker/access_control.rb",
+    "lib/access_checker/base.rb",
+    "lib/access_checker/control.rb",
+    "lib/access_checker/subject_extensions.rb",
+    "lib/access_checker.rb",
+    "access_checker.gemspec"
+  ]
+  s.homepage = "http://github.com/kusihed/access_checker"
+  s.licenses = ["MIT"]
+  s.require_paths = ["lib"]
+  s.summary = "Simple access control on controller basis"
+
+  s.add_development_dependency "rails", "~> 5.0"
+  s.add_development_dependency "bundler"
+  s.add_development_dependency "rake"
+  s.add_development_dependency "sqlite3"
+  s.add_development_dependency "test-unit"
+  s.add_development_dependency "factory_bot"
+  s.add_development_dependency "shoulda"
+  s.add_development_dependency "turn"
+end
+

data/lib/access_checker.rb

@@ -0,0 +1,30 @@
+require File.dirname(__FILE__) + '/access_checker/base'
+require File.dirname(__FILE__) + '/access_checker/control'
+require File.dirname(__FILE__) + '/access_checker/subject_extensions'
+require File.dirname(__FILE__) + '/access_checker/access_control'
+
+module AccessChecker
+  @@configurator = {
+    :default_role_class_name        => 'Role',
+    :default_subject_class_name     => 'User',
+    :default_subject_method         => :current_user,
+    :default_roles_collection_name  => :roles,
+    :default_users_collection_name  => :users,
+    :default_join_table_name        => "roles_users"
+  }
+
+  mattr_reader :configurator
+
+    class AccessDenied < SecurityError; end
+    class EmptyRoles   < RuntimeError; end
+    class SyntaxError  < ArgumentError; end
+end
+
+# coding: utf-8
+ActiveRecord::Base.class_eval do
+  include AccessChecker::Base
+end
+ActionController::Base.class_eval do
+  include AccessChecker::Control
+end
+

data/lib/access_checker/access_control.rb

@@ -0,0 +1,83 @@
+module AccessChecker
+  class AccessControl < Struct.new( :role_control_hash )
+
+    # ------------------------------------------------------------------------------
+    # EXCEPTION: 
+         # AccessChecker::AccessDenied -- execution denied
+         # AccessChecker::SyntaxError -- unexpected limit_type, or action_type
+    # #############################################################################
+
+         # ---------------------------------------------------------------------------------
+         # possible states and resultant handlings
+         #   limit_type           action_list                  permitted handling
+         # ---------------------------------------------------------------------------------
+         #  :allow, :to, :only    [] empty, action matched     permitted
+         #                           action not matched        denied
+         #
+         #   :deny, :except       [] empty, action matched     denied
+         #                           action not matched        permitted
+         #
+         # ---------------------------------------------------------------------------------
+         # if current_user.nil?, proceed as :anonymous if so referenced in role_control_hash
+         # if user's role is not referenced, proceed as :all if so referenced in role_control_hash
+         # else proceed with user's role
+     # ------------------------------------------------------------------------------
+    def before( controller )
+
+       if controller.current_user.nil?   # no user defined; anonymous permitted?
+         
+          if self.role_control_hash.member?( :anonymous )  # if anonymous is referenced, continue...
+             my_role = :anonymous    # ...then handle anonymously
+          else   # unauthorized access of controller
+             raise AccessChecker::AccessDenied 
+          end   # if..then..else anonymous check
+
+       elsif !self.role_control_hash.member?( my_role = controller.current_user.get_role.name.to_sym )
+         
+          if self.role_control_hash.member?( :all )  # if all is referenced, continue...
+             my_role = :all    # ...then handle as all
+          else   # unauthorized access of controller
+             raise AccessChecker::AccessDenied 
+          end   # if..then..else anonymous check
+
+       end   # if..elsif check for anonymous or role not allowed
+
+       expected_action = controller.action_name.to_sym  # action being attempted
+
+       permitted = true   # presume authorized
+
+           # now check the action_hash for action access
+           # shown as a loop, but only the first entry is meaningful
+       self.role_control_hash[my_role].each do |limit_type, action_list|
+
+          unless action_list.kind_of?( Array )
+             raise AccessChecker::SyntaxError, "all action lists should be arrays of symbols"
+          end
+
+          permitted = ( action_list.empty? || action_list.include?( expected_action ) )
+        
+          case limit_type
+             when :allow, :to, :only then  permitted
+             when :deny, :except then permitted = !permitted
+          else
+             raise AccessChecker::SyntaxError, "Unrecognized access_control limit_type: #{limit_type}"
+          end  # case
+
+        
+          unless permitted      # ... figure out the type of exception
+             if action_list.any?{ |actn|  actn.class.name != "Symbol" }
+                raise AccessChecker::SyntaxError, "all actions should be symbols"
+             else
+                raise AccessChecker::AccessDenied 
+             end  # syntax checking
+          end  # unless
+
+          break   # always break the loop at success
+
+       end  # do check if role
+
+       return permitted
+    end
+    
+  end
+end 

data/lib/access_checker/base.rb

@@ -0,0 +1,64 @@
+module AccessChecker
+  module Base
+
+    def self.included(base)
+      base.extend ClassMethods
+    end
+
+    # #############################################################################
+    # @example
+    #   class Role < ActiveRecord::Base
+    #     acts_as_authorization_role
+    #   end
+    #
+    # @see AccessChecker::ModelExtensions::Subject#has_role!
+    # @see AccessChecker::ModelExtensions::Subject#has_role?
+    # @see AccessChecker::ModelExtensions::Subject#has_no_role!
+    # #############################################################################
+
+    module ClassMethods
+
+      # ------------------------------------------------------------------------
+      # acts_as_authorization_subject -- designates model to be user subject
+      # ------------------------------------------------------------------------
+       def acts_as_authorization_subject(options = {})
+
+         assoc      = options[:association_name] || AccessChecker::configurator[:default_roles_collection_name]
+         role       = options[:role_class_name]  || AccessChecker::configurator[:default_role_class_name]
+         join_table = options[:join_table_name]  || AccessChecker::configurator[:default_join_table_name]
+
+         has_and_belongs_to_many    assoc, :class_name => role, :join_table => join_table
+
+         cattr_accessor :_auth_role_class_name, :_auth_subject_class_name, :_auth_role_assoc_name
+
+         self._auth_role_class_name    = role
+         self._auth_subject_class_name = self.to_s
+         self._auth_role_assoc_name    = assoc
+
+         include AccessChecker::SubjectExtensions
+
+       end
+
+
+       def acts_as_authorization_role(options = {})
+
+         assoc      = options[:association_name]    || AccessChecker::configurator[:default_users_collection_name]
+         subject    = options[:subject_class_name]  || AccessChecker::configurator[:default_subject_class_name]
+         join_table = options[:join_table_name]     || AccessChecker::configurator[:default_join_table_name]
+
+         has_and_belongs_to_many    assoc, :class_name => subject, :join_table => join_table
+
+         cattr_accessor :_auth_role_class_name, :_auth_subject_class_name, :_auth_role_assoc_name
+
+         self._auth_role_class_name    = self.to_s
+         self._auth_subject_class_name = subject
+         self._auth_role_assoc_name    = assoc
+
+         scope :named_role, lambda { |role_name| where(["name = ?", role_name.to_s]) }
+
+       end
+
+    end  # module ClassMethods
+
+  end  # module Base
+end

data/lib/access_checker/control.rb

@@ -0,0 +1,14 @@
+module AccessChecker
+  module Control
+
+    def self.included(base)
+      base.extend ClassMethods
+    end
+
+    module ClassMethods
+       def access_control( role_control_hash, options = {} )
+          before_action  AccessChecker::AccessControl.new( role_control_hash ), options
+       end
+    end 
+  end 
+end

data/lib/access_checker/subject_extensions.rb

@@ -0,0 +1,68 @@
+module AccessChecker
+  module SubjectExtensions
+
+      # ------------------------------------------------------------------------------
+      # has_role? -- returns true if subject has the given role
+      # ------------------------------------------------------------------------------
+      def has_role?(role_name)
+        !get_role( role_name ).nil?
+      end
+ 
+      # ------------------------------------------------------------------------------
+      # has_role! -- forces subject to have the given role
+      # ------------------------------------------------------------------------------
+      def has_role!(role_name)
+        role = _auth_role_class.where( :name => role_name.to_s ).   # acts as the find part
+               first_or_create( :name => role_name.to_s )           # acts as the create part
+        role_objects << role unless self.role_objects.member?(role)
+        role
+      end
+
+      # ------------------------------------------------------------------------------
+      # remove_role! -- foreces subject to NOT have the given role
+      # ------------------------------------------------------------------------------
+      def remove_role!(role_name)
+        role_objects.delete( get_role( role_name ) )
+      end
+
+      # ------------------------------------------------------------------------------
+      # get_role -- returns a role obj for subject; else nil
+      # EXCEPTION: EmptyRolesException if role_objects collection is empty
+      # ------------------------------------------------------------------------------
+      def get_role( role_name=nil )
+
+        raise AccessChecker::EmptyRoles  if role_objects.empty?
+
+        if role_name.nil?
+           role_objects.first
+        else
+           role_objects.where( :name => role_name.to_s ).first
+        end
+
+      end
+
+      protected
+
+      # ------------------------------------------------------------------------------
+      # _auth_role_class -- retuns the Klass for the Role model
+      # ------------------------------------------------------------------------------
+      def _auth_role_class
+        self.class._auth_role_class_name.constantize
+      end
+
+      # ------------------------------------------------------------------------------
+      # _auth_role_assoc -- returns the habtm symbol for the array of subject.roles
+      # ------------------------------------------------------------------------------
+      def _auth_role_assoc
+        self.class._auth_role_assoc_name
+      end
+
+      # ------------------------------------------------------------------------------
+      # role_objects -- returns the habtm array of roles for the subject
+      # ------------------------------------------------------------------------------
+      def role_objects
+        send(self._auth_role_assoc)
+      end
+
+  end
+end

metadata

@@ -0,0 +1,165 @@
+--- !ruby/object:Gem::Specification
+name: access_checker
+version: !ruby/object:Gem::Version
+  version: 0.0.2
+platform: ruby
+authors:
+- Markus Hediger
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2018-01-01 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: test-unit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: factory_bot
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: shoulda
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: turn
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Simple access control on controller basis
+email: m.hed@gmx.ch
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- README.md
+- Rakefile
+- VERSION
+- access_checker.gemspec
+- lib/access_checker.rb
+- lib/access_checker/access_control.rb
+- lib/access_checker/base.rb
+- lib/access_checker/control.rb
+- lib/access_checker/subject_extensions.rb
+homepage: http://github.com/kusihed/access_checker
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.13
+signing_key: 
+specification_version: 4
+summary: Simple access control on controller basis
+test_files: []