access_schema 0.4.0 → 0.5.0

data/.gitignore

@@ -5,3 +5,4 @@ pkg/*
 *.swp
 *.swo
 .rvmrc
+coverage

data/Gemfile

@@ -7,6 +7,7 @@ group :development, :test do
   gem "rake"
 
   gem "rspec"
+  gem "simplecov", :require => false
   gem "rack-test"
   gem "guard"
   gem "guard-rspec"

data/README.md

@@ -1,7 +1,6 @@
-# AccessSchema gem - ACL/plans for your app
+# AccessSchema gem - ACL and domain policies for your app
 
-AccessSchema provides decoupled from Rails and ORM agnostic tool
-to define ACL schemas with realy simple DSL.
+AccessSchema is tool to add ACL and domain policy rules to an application. It is framework/ORM agnostic and provides declarative DSL.
 
 Inspired by [ya_acl](https://github.com/kaize/ya_acl)
 
@@ -9,104 +8,23 @@ Inspired by [ya_acl](https://github.com/kaize/ya_acl)
   gem install access_schema
 ```
 
-## An example of use
-
-
-### Accessing from application code
-
-In Rails controllers we usualy have a current_user and we can
-add some default options in helpers:
-
-```ruby
-  #access_schema_helper.rb
-
-  class AccessSchemaHelper
-
-    def role
-      AccessSchema.schema(:plans).with_options({
-        :role => Rails.development? && params[:debug_role] || current_user.try(:role) || :none
-      })
-    end
-
-    def acl
-      AccessSchema.schema(:acl).with_options({
-        :role => current_user.try(:role) || :none,
-        :user_id => current_user.try(:id)
-      })
-    end
-
-  end
-
-```
-
-So at may be used in controllers:
-
-```ruby
-  acl.require! review, :edit
-  role.require! review, :mark_privileged
-
-```
-
-Or views:
-
-```ruby
-  - if role.allow? review, :add_photo
-    = render :partial => "add_photo"
-```
-
-
-On the ather side there are no any current_user accessible. In a Service Layer for
-example. So we have to pass extra options:
-
-
-```ruby
-  #./app/services/review_service.rb
-
-  class ReviewService < BaseSevice
-
-    def mark_privileged(review_id, options)
-
-      review = Review.find(review_id)
-
-      acl = AccessSchema.schema(:acl).with_options(:roles => options[:actor].roles)
-      acl.require! review, :mark_privileged
-
-      plans = AccessSchema.schema(:plans).with_options(:plans => options[:actor].plans)
-      plans.require! review, :mark_privileged
-
-      review.privileged = true
-      review.save!
-
-    end
-
-    def update(review_id, attrs)
-
-      review = Review.find(review_id)
-
-      acl = AccessSchema.schema(:acl).with_options(:roles => options[:actor].roles)
-      acl.require! review, :edit
-
-      plans = AccessSchema.schema(:plan).with_options(:plan => options[:actor].plan)
-      plans.require! review, :edit, :new_attrs => attrs
-
-      review.update_attributes(attrs)
-
-    end
-
-  end
-
-```
+## An example of use with Rails
 
 ### Definition
 
 ```ruby
-  # config/roles.rb
+  # config/policy.rb
 
   roles do
+
+    # Tariff plans
     role :none
     role :bulb
     role :flower
     role :bouquet
+
+    # To allow admin violate tariff plan rules
+    role :admin
   end
 
   asserts do
@@ -123,9 +41,10 @@ example. So we have to pass extra options:
 
   resource "Review" do
 
-    privilege :mark_privileged, [:flower, :bouquet]
+    privilege :mark_featured, [:flower, :bouquet]
 
-    privilege :add_photo, [:bouquet] do
+    # Admin is able to add over limit
+    privilege :add_photo, [:bouquet, :admin] do
       assert :photo_limit, [:none], :limit => 1
       assert :photo_limit, [:bulb], :limit => 5
       assert :photo_limit, [:flower], :limit => 10
@@ -154,27 +73,30 @@ example. So we have to pass extra options:
 
   end
 
-  resource "Review" do
+  resource "ReviewsController" do
+
+    privilege :index
+    privilege :show
 
     privilege :edit, [:admin] do
       assert :owner, [:none]
     end
 
+    privilege :update, [:admin] do
+      assert :owner, [:none]
+    end
+
   end
 ```
 
-## Configuration
-
-Configured schema can be accessed with AccessSchema.schema(name)
-anywhere in app. Alternatively it can be assempled with ServiceLocator.
-
+### Configuration
 
 ```ruby
   #config/initializers/access_schema.rb
 
   AccessSchema.configure do
 
-    schema :plans, AccessSchema.build_file('config/plans.rb')
+    schema :policy, AccessSchema.build_file('config/policy.rb')
     schema :acl, AccessSchema.build_file('config/acl.rb')
 
     logger Rails.logger
@@ -183,4 +105,132 @@ anywhere in app. Alternatively it can be assempled with ServiceLocator.
 
 ```
 
+### Accessing from Rails application code
+
+Define a helper:
+
+```ruby
+  #access_schema_helper.rb
+
+  class AccessSchemaHelper
+
+    # Use ACL in controllers:
+    #
+    #   before_filter { required! :reviews, :delete }
+    #
+    # and views
+    #
+    #   - if can? :reviews, :delete, :subject => review
+    #     = link_to "Delete", review_path(review)
+    #
+
+    def required!(route_method, action = nil, options = {})
+
+      url_options = send "hash_for_#{route_method}_path"
+      resource = "#{url_options[:controller].to_s.camelize}Controller"
+
+      privilege = action || url_options[:action]
+      acl.require! resource, privilege, options
+
+    end
+
+    def can?(*args)
+      required!(*args)
+    rescue AccessSchema::NotAllowed => e
+      false
+    else
+      true
+    end
+
+    def acl
+
+      AccessSchema.schema(:acl).with_options({
+        roles: current_roles,
+        user_id: current_user.try(:id)
+      })
+
+    end
+
+    # Use in controllers and views
+    # tarifF plans or other domain logic policies
+    #
+    #   policy.allow? review, :add_photo
+    #
+
+
+    def policy
+
+      # Policy have to check actor roles and subject owner state (tariff plans for example)
+      # to evaluate permission. So we pass proc and deal with particular subject to
+      # calculate roles.
+      #
+      roles_calculator = proc do |options|
+
+        plan = options[:subject].try(:owner).try(:plan)
+        plan ||= [ current_user.try(:plan) || :none ]
+        current_roles | plan
+
+      end
+
+      AccessSchema.schema(:policy).with_options({
+        roles: roles_calculator,
+        user_id: current_user.try(:id)
+      })
+
+    end
+
+  end
+
+```
+
+But there are no current_user method in a Service Layer! So pass an extra option - actor:
+
+```ruby
+  #./app/services/base_service.rb
+  class BaseService
+
+    def policy(actor)
+
+      roles_calculator = proc do |options|
+
+        plan = options[:subject].try(:owner).try(:plan)
+        plan ||= [ actor.try(:plan) || :none ]
+        current_roles | plan
+
+      end
+
+      AccessSchema.schema(:policy).with_options({
+        roles: roles_calculator,
+        user_id: actor.try(:id)
+      })
+    end
+
+  end
+
+  #./app/services/review_service.rb
+
+  class ReviewService < BaseSevice
+
+    def mark_featured(review_id, actor)
+
+      review = Review.find(review_id)
+      policy(actor).require! review, :mark_featured
+
+      review.featured = true
+      review.save!
+
+    end
+
+    def update(review_id, attrs, actor)
+
+      review = Review.find(review_id)
+      policy(actor).require! review, :edit, :attrs => attrs
+
+      review.update_attributes(attrs)
+
+    end
+
+  end
+
+```
 

data/lib/access_schema/builders/asserts_builder.rb

@@ -3,7 +3,7 @@ module AccessSchema
   class AssertsBuilder < BasicBuilder
 
     def assert(name, vars = [], &block)
-      assert = Assert.new(name.to_sym, vars.map(&:to_sym), &block)
+      assert = Assert.new(name.to_s, vars.map(&:to_sym), &block)
       schema.add_assert(assert)
     end
 

data/lib/access_schema/builders/privilege_builder.rb

@@ -2,7 +2,7 @@ module AccessSchema
   class PrivilegeBuilder < BasicBuilder
 
     def assert(name, roles = [], options = {})
-      expectation = Expectation.new(name.to_sym, roles.map(&:to_sym), options)
+      expectation = Expectation.new(name.to_s, roles.map(&:to_s), options)
       schema.add_expectation(expectation)
     end
 

data/lib/access_schema/builders/resource_builder.rb

@@ -2,7 +2,7 @@ module AccessSchema
   class ResourceBuilder < BasicBuilder
 
     def privilege(name, roles = [], &block)
-      privilege = Privilege.new(name.to_sym, roles.map(&:to_sym))
+      privilege = Privilege.new(name.to_s, roles.map(&:to_s))
       if block_given?
         builder = PrivilegeBuilder.new(privilege)
         builder.instance_eval(&block)

data/lib/access_schema/builders/roles_builder.rb

@@ -2,7 +2,7 @@ module AccessSchema
   class RolesBuilder < BasicBuilder
 
     def role(role)
-      schema.add_role(role.to_sym)
+      schema.add_role(role.to_s)
     end
 
   end

data/lib/access_schema/builders/schema_builder.rb

@@ -24,7 +24,7 @@ module AccessSchema
     end
 
     def resource(name, &block)
-      resource = Resource.new(name.to_sym)
+      resource = Resource.new(name.to_s)
       builder = ResourceBuilder.new(resource)
       builder.instance_eval(&block)
       schema.add_resource(resource)

data/lib/access_schema/exceptions.rb

@@ -9,7 +9,7 @@ module AccessSchema
 
   class NotAllowedError < AccessError; end
 
-  class NoRoleError < CheckError; end
+  class InvalidRolesError < CheckError; end
   class NoResourceError < CheckError; end
   class NoPrivilegeError < CheckError; end
 

data/lib/access_schema/expectation.rb

@@ -11,7 +11,7 @@ module AccessSchema
     end
 
     def for?(roles)
-      (@roles & roles).size > 0
+      @roles.empty? || (@roles & roles).size > 0
     end
 
   end

data/lib/access_schema/privilege.rb

@@ -16,7 +16,11 @@ module AccessSchema
     def allow?(roles)
       (@roles & roles).size > 0 || begin
         checklist = @expectations.select { |exp| exp.for?(roles) }
-        checklist.length > 0 && checklist.all? { |exp| yield(exp) }
+        if checklist.length > 0
+          checklist.all? { |exp| yield(exp) }
+        else
+          @roles.empty?
+        end
       end
     end
 

data/lib/access_schema/proxy.rb

@@ -10,10 +10,6 @@ module AccessSchema
       @schema.roles
     end
 
-    def plans
-      @schema.plans
-    end
-
     def allow?(*args)
       @schema.allow?(*normalize_args(args))
     end
@@ -34,14 +30,13 @@ module AccessSchema
 
       roles, options = case args[2]
       when Hash, nil
-        [@options[:role] || @options[:plan], args[2] || {}]
+        [@options[:roles], args[2] || {}]
       else
         [args[2], args[3] || {}]
       end
 
       options_to_pass = @options.dup
-      options_to_pass.delete :plan
-      options_to_pass.delete :role
+      options_to_pass.delete :roles
 
       [resource, privilege, roles, options_to_pass.merge(options)]
     end

data/lib/access_schema/schema.rb

@@ -2,7 +2,6 @@ module AccessSchema
   class Schema
 
     attr_reader :roles
-    alias :plans :roles
 
     def initialize
       @roles = []
@@ -39,27 +38,47 @@ module AccessSchema
     def normalize_args(args)
 
       options = args.last.is_a?(Hash) ? args.pop : {}
-      privilege =  args[1].to_sym
-
+      privilege =  args[1].to_s
       roles = args[2]
-      roles = roles.respond_to?(:map) ? roles.map(&:to_sym) : [roles && roles.to_sym]
-
-      raise NoRoleError.new if (self.roles & roles).empty?
-
-      roles = normalize_roles_order(roles)
 
       case args[0]
       when String, Symbol
-        resource = args[0].to_sym
-        [resource, privilege, roles, options]
+        resource = args[0].to_s
       else
-        resource = args[0].class.name.to_sym
-        [resource, privilege, roles, options.merge(:subject => args[0])]
+        resource = args[0].class.name.to_s
+        options.merge!(:subject => args[0])
+      end
+
+      roles = calculate_roles(roles, options)
+
+      if (self.roles & roles).empty?
+        raise InvalidRolesError.new(:roles => roles)
+      end
+
+      roles = sort_roles(roles)
+
+      [resource, privilege, roles, options]
+    end
+
+    def calculate_roles(roles, check_options)
+
+      roles = if roles.respond_to?(:call)
+                roles.call(check_options.dup)
+              elsif !roles.respond_to?(:map)
+                [ roles ]
+              else
+                roles
+              end
+
+      unless roles.respond_to?(:map)
+        raise InvalidRolesError.new(:result => roles)
       end
 
+      roles.map(&:to_s)
+
     end
 
-    def normalize_roles_order(roles)
+    def sort_roles(roles)
       @roles.select do |role|
         roles.include? role
       end
@@ -67,8 +86,8 @@ module AccessSchema
 
     def check!(resource_name, privilege_name, roles, options)
 
-      resouce_name = resource_name.to_sym
-      privilege_name = privilege_name.to_sym
+      resouce_name = resource_name.to_s
+      privilege_name = privilege_name.to_s
 
       resource = @resources[resource_name]
 
@@ -110,8 +129,6 @@ module AccessSchema
 
     end
 
-    private
-
     def logger
       AccessSchema.config.logger
     end

data/lib/access_schema/version.rb

@@ -1,3 +1,3 @@
 module AccessSchema
-  VERSION = "0.4.0"
+  VERSION = "0.5.0"
 end

data/spec/access_schema/proxy_spec.rb

@@ -13,14 +13,14 @@ describe AccessSchema::Proxy do
   describe "#with_options" do
 
     before do
-      @schema = @proxy.with_options(:plan => [:flower], :user_id => 1)
+      @schema = @proxy.with_options(:roles => [:flower], :user_id => 1)
     end
 
-    it "allows to not specify plan for schema calls" do
+    it "allows to not specify roles for schema calls" do
       @schema.allow?("Review", :mark_featured).should be_true
     end
 
-    it "but it accepts plan too" do
+    it "but it accepts roles too" do
       @schema.allow?("Review", :mark_featured, :flower).should be_true
       @schema.allow?("Review", :mark_featured, :none).should be_false
     end

data/spec/access_schema/schema_builder_spec.rb

@@ -25,9 +25,6 @@ describe AccessSchema::SchemaBuilder do
 
 end
 
-
-class Review; end
-
 describe AccessSchema::SchemaBuilder, "produced schema example" do
 
   before do
@@ -37,10 +34,10 @@ describe AccessSchema::SchemaBuilder, "produced schema example" do
   end
 
   it "creates roles" do
-    @schema.roles.should == [:none, :bulb, :flower, :bouquet, :admin, :user]
+    @schema.roles.should ==%w(none bulb flower bouquet admin user)
   end
 
-  context "when checking against plan 'none'"  do
+  context "when checking against role 'none'"  do
 
     it "does not allows to mark featured" do
       @schema.allow?(@review, :mark_featured, :none).should be_false
@@ -58,7 +55,7 @@ describe AccessSchema::SchemaBuilder, "produced schema example" do
 
   end
 
-  context "when checking against plan 'bulb'"  do
+  context "when checking against role 'bulb'"  do
 
     it "does not allow to mark featured" do
       @schema.allow?(@review, :mark_featured, :bulb).should be_false
@@ -76,7 +73,7 @@ describe AccessSchema::SchemaBuilder, "produced schema example" do
 
   end
 
-  context "when checking against plan 'flower'"  do
+  context "when checking against role 'flower'"  do
 
     it "allows to mark featured" do
       @schema.allow?(@review, :mark_featured, :flower).should be_true
@@ -94,7 +91,7 @@ describe AccessSchema::SchemaBuilder, "produced schema example" do
 
   end
 
-  context "when checking against plan 'bouquet'"  do
+  context "when checking against role 'bouquet'"  do
 
     it "allows to mark featured" do
       @schema.allow?(@review, :mark_featured, :bouquet).should be_true

data/spec/access_schema/schema_spec.rb

@@ -1,12 +1,12 @@
 require 'spec_helper'
 
-describe AccessSchema::Schema, "errors rising" do
+describe AccessSchema::Schema do
 
   before do
     @schema = AccessSchema::SchemaBuilder.build_file('spec/schema_example.rb')
   end
 
-  describe "#add_plan" do
+  describe "#add_role" do
 
     it "raises error if duplicate"
 
@@ -21,7 +21,7 @@ describe AccessSchema::Schema, "errors rising" do
   describe "#add_feature" do
 
     it "raises error if duplicate"
-    it "raises error for invalid plan"
+    it "raises error for invalid role"
     it "raises error for invalid assert"
 
   end
@@ -37,15 +37,24 @@ describe AccessSchema::Schema, "errors rising" do
     it "raises exception on invalid role" do
       lambda {
         @schema.allow? "Review", :mark_featured, :invalid
-      }.should raise_error(AccessSchema::NoRoleError)
+      }.should raise_error(AccessSchema::InvalidRolesError)
 
       lambda {
         @schema.allow? "Review", :mark_featured
-      }.should raise_error(AccessSchema::NoRoleError)
+      }.should raise_error(AccessSchema::InvalidRolesError)
     end
 
     it "raises exception on invalid feature"
 
+    it "passes is no roles and asserts are specified in privilege definition" do
+      @schema.should be_allow("Review", :view, [:user])
+    end
+
+    it "checks assert if no roles specified in assert definition" do
+      @schema.should be_allow("Review", :echo_privilege, [:user], :result => true)
+      @schema.should_not be_allow("Review", :echo_privilege, [:user], :result => false)
+    end
+
   end
 
   describe "privilege union for multiple roles" do
@@ -68,6 +77,57 @@ describe AccessSchema::Schema, "errors rising" do
 
   end
 
+  describe "dynamic roles calculation" do
+
+    it "accepts proc as roles" do
+
+      lambda {
+        roles_calculator = proc { [:admin] }
+        @schema.allow? "Review", :update, roles_calculator
+      }.should_not raise_error
+
+    end
+
+    it "passes options hash with subject into proc" do
+
+      @passed_options = nil
+      roles_calculator = proc do |options|
+        @passed_options = options
+        [:admin]
+      end
+      subject = Review.new
+      @schema.allow? subject, :update, roles_calculator, :option1 => :value1
+      @passed_options.should be
+      @passed_options[:subject].should == subject
+      @passed_options[:option1].should == :value1
+
+    end
+
+    it "passes a copy of options hash" do
+
+      @passed_options = {:option1 => :value1}
+      roles_calculator = proc do |options|
+        options[:option1] = :changed_value
+        [:admin]
+      end
+
+      @schema.allow? "Review", :update, roles_calculator
+
+      @passed_options[:option1].should == :value1
+
+    end
+
+    it "raises error if none array returned from proc" do
+
+      lambda {
+        roles_calculator = proc { :admin }
+        @schema.allow? "Review", :update, roles_calculator
+      }.should raise_error(AccessSchema::InvalidRolesError)
+
+    end
+
+  end
+
   describe "#require!" do
 
     it "raises en error is feature is nt allowed"
@@ -84,13 +144,13 @@ describe AccessSchema::Schema, "errors rising" do
     it "logs check arguments with debug level" do
       @logger.log_only_level = "debug"
       @schema.allow? "Review", :mark_featured, :flower
-      @logger.output.should == "AccessSchema: check PASSED: {:resource=>:Review, :privilege=>:mark_featured, :roles=>[:flower], :options=>{}}"
+      @logger.output.should == "AccessSchema: check PASSED: {:resource=>\"Review\", :privilege=>\"mark_featured\", :roles=>[\"flower\"], :options=>{}}"
     end
 
     it "logs check fail with info level" do
       @logger.log_only_level = "info"
       @schema.allow? "Review", :mark_featured, :none
-      @logger.output.should == "AccessSchema: check FAILED: {:resource=>:Review, :privilege=>:mark_featured, :roles=>[:none], :options=>{}, :failed_asserts=>{}}"
+      @logger.output.should == "AccessSchema: check FAILED: {:resource=>\"Review\", :privilege=>\"mark_featured\", :roles=>[\"none\"], :options=>{}, :failed_asserts=>{}}"
     end
   end
 

data/spec/schema_example.rb

@@ -19,6 +19,10 @@ asserts do
     false
   end
 
+  assert :echo, [:result] do
+    result
+  end
+
 end
 
 resource "Review" do
@@ -35,4 +39,10 @@ resource "Review" do
     assert :false, [:user]
   end
 
+  privilege :view
+
+  privilege :echo_privilege do
+    assert :echo
+  end
+
 end

data/spec/spec_helper.rb

@@ -1,9 +1,14 @@
 require 'rspec'
+Dir[File.expand_path('../support/**/*', __FILE__)].each { |f| require f }
+
+require 'simplecov'
+
+SimpleCov.start
+
 require 'access_schema'
 
 require 'access_schema/loggers/test_logger'
 
-Dir[File.expand_path('../support/**/*', __FILE__)].each { |f| require f }
 
 RSpec.configure do |config|
 end

data/spec/support/review.rb

@@ -0,0 +1,3 @@
+class Review
+end
+

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: access_schema
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.5.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-03-26 00:00:00.000000000 Z
+date: 2012-04-01 00:00:00.000000000 Z
 dependencies: []
 description: AccessSchema is a tool for ACL or tariff plans schema definition and
   checks
@@ -55,6 +55,7 @@ files:
 - spec/access_schema_spec.rb
 - spec/schema_example.rb
 - spec/spec_helper.rb
+- spec/support/review.rb
 homepage: ''
 licenses: []
 post_install_message: 
@@ -69,7 +70,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -3729396007705609250
+      hash: -4292309596279283833
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
@@ -78,7 +79,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -3729396007705609250
+      hash: -4292309596279283833
 requirements: []
 rubyforge_project: access_schema
 rubygems_version: 1.8.16
@@ -94,3 +95,4 @@ test_files:
 - spec/access_schema_spec.rb
 - spec/schema_example.rb
 - spec/spec_helper.rb
+- spec/support/review.rb