acl9 0.11.0

data/lib/acl9/helpers.rb

@@ -0,0 +1,19 @@
+module Acl9
+  module Helpers
+    def self.included(base)
+      base.extend ClassMethods
+    end
+
+    module ClassMethods
+      def access_control(method, opts = {}, &block)
+        subject_method = opts.delete(:subject_method) || Acl9::config[:default_subject_method]
+        raise ArgumentError, "Block must be supplied to access_control" unless block
+
+        generator = Acl9::Dsl::Generators::HelperMethod.new(subject_method, method)
+
+        generator.acl_block!(&block)
+        generator.install_on(self, opts)
+      end
+    end
+  end
+end

data/lib/acl9/model_extensions.rb

@@ -0,0 +1,133 @@
+require File.join(File.dirname(__FILE__), 'model_extensions', 'subject')
+require File.join(File.dirname(__FILE__), 'model_extensions', 'object')
+
+module Acl9
+  module ModelExtensions  #:nodoc:
+    def self.included(base)
+      base.extend(ClassMethods)
+    end
+
+    module ClassMethods
+      # Add #has_role? and other role methods to the class.
+      # Makes a class a auth. subject class.
+      #
+      # @param [Hash] options the options for tuning
+      # @option options [String] :role_class_name (Acl9::config[:default_role_class_name])
+      #                           Class name of the role class (e.g. 'AccountRole')
+      # @option options [String] :join_table_name (Acl9::config[:default_join_table_name])
+      #                           Join table name (e.g. 'accounts_account_roles')
+      # @example
+      #   class User < ActiveRecord::Base
+      #     acts_as_authorization_subject
+      #   end
+      #
+      #   user = User.new
+      #   user.roles             #=> returns Role objects, associated with the user
+      #   user.has_role!(...)
+      #   user.has_no_role!(...)
+      #
+      #   # other functions from Acl9::ModelExtensions::Subject are made available
+      #
+      # @see Acl9::ModelExtensions::Subject
+      #
+      def acts_as_authorization_subject(options = {})
+        role = options[:role_class_name] || Acl9::config[:default_role_class_name]
+        join_table = options[:join_table_name] || Acl9::config[:default_join_table_name] ||
+                    join_table_name(undecorated_table_name(self.to_s), undecorated_table_name(role))
+
+        has_and_belongs_to_many :role_objects, :class_name => role, :join_table => join_table
+
+        cattr_accessor :_auth_role_class_name, :_auth_subject_class_name
+        self._auth_role_class_name = role
+        self._auth_subject_class_name = self.to_s
+
+        include Acl9::ModelExtensions::Subject
+      end
+
+      # Add role query and set methods to the class (making it an auth object class).
+      #
+      # @param [Hash] options the options for tuning
+      # @option options [String] :subject_class_name (Acl9::config[:default_subject_class_name])
+      #                          Subject class name (e.g. 'User', or 'Account)
+      # @option options [String] :role_class_name (Acl9::config[:default_role_class_name])
+      #                          Role class name (e.g. 'AccountRole')
+      # @example
+      #   class Product < ActiveRecord::Base
+      #     acts_as_authorization_object
+      #   end
+      #
+      #   product = Product.new
+      #   product.accepted_roles #=> returns Role objects, associated with the product
+      #   product.users          #=> returns User objects, associated with the product
+      #   product.accepts_role!(...)
+      #   product.accepts_no_role!(...)
+      #   # other functions from Acl9::ModelExtensions::Object are made available
+      #
+      # @see Acl9::ModelExtensions::Object
+      #
+      def acts_as_authorization_object(options = {})
+        subject = options[:subject_class_name] || Acl9::config[:default_subject_class_name]
+        subj_table = subject.constantize.table_name
+        subj_col = subject.underscore
+
+        role       = options[:role_class_name] || Acl9::config[:default_role_class_name]
+        role_table = role.constantize.table_name
+
+        sql_tables = <<-EOS
+          FROM #{subj_table}
+          INNER JOIN #{role_table}_#{subj_table} ON #{subj_col}_id = #{subj_table}.id
+          INNER JOIN #{role_table}               ON #{role_table}.id = #{role.underscore}_id
+        EOS
+
+        sql_where = <<-'EOS'
+          WHERE authorizable_type = '#{self.class.base_class.to_s}'
+          AND authorizable_id = #{id}
+        EOS
+
+        has_many :accepted_roles, :as => :authorizable, :class_name => role, :dependent => :destroy
+
+        has_many :"#{subj_table}",
+          :finder_sql  => ("SELECT DISTINCT #{subj_table}.*" + sql_tables + sql_where),
+          :counter_sql => ("SELECT COUNT(DISTINCT #{subj_table}.id)" + sql_tables + sql_where),
+          :readonly => true
+
+        include Acl9::ModelExtensions::Object
+      end
+
+      # Make a class an auth role class.
+      #
+      # You'll probably never create or use objects of this class directly.
+      # Various auth. subject and object methods will do that for you
+      # internally.
+      #
+      # @param [Hash] options the options for tuning
+      # @option options [String] :subject_class_name (Acl9::config[:default_subject_class_name])
+      #                          Subject class name (e.g. 'User', or 'Account)
+      # @option options [String] :join_table_name (Acl9::config[:default_join_table_name])
+      #                           Join table name (e.g. 'accounts_account_roles')
+      #
+      # @example
+      #   class Role < ActiveRecord::Base
+      #     acts_as_authorization_role
+      #   end
+      #
+      # @see Acl9::ModelExtensions::Subject#has_role!
+      # @see Acl9::ModelExtensions::Subject#has_role?
+      # @see Acl9::ModelExtensions::Subject#has_no_role!
+      # @see Acl9::ModelExtensions::Object#accepts_role!
+      # @see Acl9::ModelExtensions::Object#accepts_role?
+      # @see Acl9::ModelExtensions::Object#accepts_no_role!
+      def acts_as_authorization_role(options = {})
+        subject = options[:subject_class_name] || Acl9::config[:default_subject_class_name]
+        join_table = options[:join_table_name] || Acl9::config[:default_join_table_name] ||
+                     join_table_name(undecorated_table_name(self.to_s), undecorated_table_name(subject))
+
+        has_and_belongs_to_many subject.demodulize.tableize.to_sym,
+          :class_name => subject,
+          :join_table => join_table
+
+        belongs_to :authorizable, :polymorphic => true
+      end
+    end
+  end
+end

data/lib/acl9/model_extensions/object.rb

@@ -0,0 +1,59 @@
+module Acl9
+  module ModelExtensions
+    module Object
+      ##
+      # Role check.
+      #
+      # @return [Boolean] Returns true if +subject+ has a role +role_name+ on this object.
+      #
+      # @param [Symbol,String] role_name Role name
+      # @param [Subject] subject Subject to add role for
+      # @see Acl9::ModelExtensions::Subject#has_role?
+      def accepts_role?(role_name, subject)
+        subject.has_role? role_name, self
+      end
+
+      ##
+      # Add role on the object to specified subject.
+      #
+      # @param [Symbol,String] role_name Role name
+      # @param [Subject] subject Subject to add role for
+      # @see Acl9::ModelExtensions::Subject#has_role!
+      def accepts_role!(role_name, subject)
+        subject.has_role! role_name, self
+      end
+
+      ##
+      # Free specified subject of a role on this object.
+      #
+      # @param [Symbol,String] role_name Role name
+      # @param [Subject] subject Subject to remove role from
+      # @see Acl9::ModelExtensions::Subject#has_no_role!
+      def accepts_no_role!(role_name, subject)
+        subject.has_no_role! role_name, self
+      end
+
+      ##
+      # Are there any roles for the specified +subject+ on this object?
+      #
+      # @param [Subject] subject Subject to query roles
+      # @return [Boolean] Returns true if +subject+ has any roles on this object.
+      # @see Acl9::ModelExtensions::Subject#has_roles_for?
+      def accepts_roles_by?(subject)
+        subject.has_roles_for? self
+      end
+
+      alias :accepts_role_by? :accepts_roles_by?
+
+      ##
+      # Which roles does +subject+ have on this object?
+      #
+      # @return [Array<Role>] Role instances, associated both with +subject+ and +object+
+      # @param [Subject] subject Subject to query roles
+      # @see Acl9::ModelExtensions::Subject#roles_for
+      def accepted_roles_by(subject)
+        subject.roles_for self
+      end
+    end
+  end
+end

data/lib/acl9/model_extensions/subject.rb

@@ -0,0 +1,175 @@
+module Acl9
+  module ModelExtensions
+    module Subject
+      ##
+      # Role check.
+      #
+      # There is a global option, +Acl9.config[:protect_global_roles]+, which governs
+      # this method behavior.
+      #
+      # If protect_global_roles is +false+, an object role is automatically counted
+      # as global role. E.g.
+      #
+      #   Acl9.config[:protect_global_roles] = false
+      #   user.has_role!(:manager, @foo)
+      #   user.has_role?(:manager, @foo)  # => true
+      #   user.has_role?(:manager)        # => true
+      #
+      # In this case manager is anyone who "manages" at least one object.
+      #
+      # However, if protect_global_roles option set to +true+, you'll need to 
+      # explicitly grant global role with same name.
+      #
+      #   Acl9.config[:protect_global_roles] = true
+      #   user.has_role!(:manager, @foo)
+      #   user.has_role?(:manager)        # => false
+      #   user.has_role!(:manager)
+      #   user.has_role?(:manager)        # => true
+      #
+      # protect_global_roles option is +false+ by default as for now, but this 
+      # may change in future!
+      #
+      # @return [Boolean] Whether +self+ has a role +role_name+ on +object+.
+      # @param [Symbol,String] role_name Role name
+      # @param [Object] object Object to query a role on
+      #
+      # @see Acl9::ModelExtensions::Object#accepts_role?
+      def has_role?(role_name, object = nil)
+        !! if object.nil? && !::Acl9.config[:protect_global_roles]
+          self.role_objects.find_by_name(role_name.to_s) ||
+          self.role_objects.member?(get_role(role_name, nil))
+        else
+          role = get_role(role_name, object)
+          role && self.role_objects.exists?(role.id)
+        end
+      end
+
+      ##
+      # Add specified role on +object+ to +self+.
+      #
+      # @param [Symbol,String] role_name Role name
+      # @param [Object] object Object to add a role for
+      # @see Acl9::ModelExtensions::Object#accepts_role!
+      def has_role!(role_name, object = nil)
+        role = get_role(role_name, object)
+
+        if role.nil?
+          role_attrs = case object
+                       when Class then { :authorizable_type => object.to_s }
+                       when nil   then {}
+                       else            { :authorizable => object }
+                       end.merge(      { :name => role_name.to_s })
+
+          role = self._auth_role_class.create(role_attrs)
+        end
+
+        self.role_objects << role if role && !self.role_objects.exists?(role.id)
+      end
+
+      ##
+      # Free +self+ from a specified role on +object+.
+      #
+      # @param [Symbol,String] role_name Role name
+      # @param [Object] object Object to remove a role on
+      # @see Acl9::ModelExtensions::Object#accepts_no_role!
+      def has_no_role!(role_name, object = nil)
+        delete_role(get_role(role_name, object))
+      end
+
+      ##
+      # Are there any roles for +self+ on +object+?
+      #
+      # @param [Object] object Object to query roles
+      # @return [Boolean] Returns true if +self+ has any roles on +object+.
+      # @see Acl9::ModelExtensions::Object#accepts_roles_by?
+      def has_roles_for?(object)
+        !!self.role_objects.detect(&role_selecting_lambda(object))
+      end
+
+      alias :has_role_for? :has_roles_for?
+
+      ##
+      # Which roles does +self+ have on +object+?
+      #
+      # @return [Array<Role>] Role instances, associated both with +self+ and +object+
+      # @param [Object] object Object to query roles
+      # @see Acl9::ModelExtensions::Object#accepted_roles_by
+      # @example
+      #   user = User.find(...)
+      #   product = Product.find(...)
+      #
+      #   user.roles_for(product).map(&:name).sort  #=> role names in alphabetical order
+      def roles_for(object)
+        self.role_objects.select(&role_selecting_lambda(object))
+      end
+
+      ##
+      # Unassign any roles on +object+ from +self+.
+      #
+      # @param [Object,nil] object Object to unassign roles for. +nil+ means unassign global roles.
+      def has_no_roles_for!(object = nil)
+        roles_for(object).each { |role| delete_role(role) }
+      end
+
+      ##
+      # Unassign all roles from +self+.
+      def has_no_roles!
+        # for some reason simple
+        #
+        #   self.roles.each { |role| delete_role(role) }
+        #
+        # doesn't work. seems like a bug in ActiveRecord
+        self.role_objects.map(&:id).each do |role_id|
+          delete_role self._auth_role_class.find(role_id)
+        end
+      end
+
+      private
+
+      def role_selecting_lambda(object)
+        case object
+        when Class
+          lambda { |role| role.authorizable_type == object.to_s }
+        when nil
+          lambda { |role| role.authorizable.nil? }
+        else
+          lambda do |role|
+            role.authorizable_type == object.class.base_class.to_s && role.authorizable == object
+          end
+        end
+      end
+
+      def get_role(role_name, object)
+        role_name = role_name.to_s
+
+        cond = case object
+               when Class
+                 [ 'name = ? and authorizable_type = ? and authorizable_id IS NULL', role_name, object.to_s ]
+               when nil
+                 [ 'name = ? and authorizable_type IS NULL and authorizable_id IS NULL', role_name ]
+               else
+                 [
+                   'name = ? and authorizable_type = ? and authorizable_id = ?',
+                   role_name, object.class.base_class.to_s, object.id
+                 ]
+               end
+
+        self._auth_role_class.first :conditions => cond
+      end
+
+      def delete_role(role)
+        if role
+          self.role_objects.delete role
+
+          role.destroy if role.send(self._auth_subject_class_name.demodulize.tableize).empty?
+        end
+      end
+
+      protected
+
+      def _auth_role_class
+        self.class._auth_role_class_name.constantize
+      end
+    end
+  end
+end

data/test/access_control_test.rb

@@ -0,0 +1,338 @@
+require 'test_helper'
+require File.join(File.dirname(__FILE__), '..', 'lib', 'acl9')
+require 'support/controllers'
+
+#######################################################################
+
+class Admin
+  def has_role?(role, obj = nil)
+    role == "admin"
+  end
+end
+
+class OwnerOfFoo
+  def has_role?(role, obj)
+    role == 'owner' && obj == MyDearFoo.instance
+  end
+end
+
+class Bartender
+  def has_role?(role, obj)
+    role == 'bartender' && obj == ACLIvars::VenerableBar
+  end
+end
+
+class TheOnlyUser
+  include Singleton
+
+  def has_role?(role, subj)
+    role == "the_only_one"
+  end
+end
+
+class Beholder
+  def initialize(role)
+    @role = role.to_s
+  end
+
+  def has_role?(role, obj)
+    role.to_s == @role
+  end
+end
+
+#######################################################################
+
+module BaseTests
+  # permit anonymous to index and show and admin everywhere else
+  def self.included(klass)
+    klass.class_eval do
+      [:index, :show].each do |act|
+        it "should permit anonymous to #{act}" do
+          get act
+          @response.body.should == 'OK'
+        end
+      end
+
+      [:new, :edit, :update, :delete, :destroy].each do |act|
+        it "should forbid anonymous to #{act}" do
+          get act
+          @response.body.should == 'AccessDenied'
+        end
+      end
+
+      [:index, :show, :new, :edit, :update, :delete, :destroy].each do |act|
+        it "should permit admin to #{act}" do
+          get act, :user => Admin.new
+          @response.body.should == 'OK'
+        end
+      end
+    end
+  end
+end
+
+module ShouldRespondToAcl
+  def self.included(klass)
+    klass.class_eval do
+      it "should add :acl as a method" do
+        @controller.should respond_to(:acl)
+      end
+
+      it "should_not add :acl? as a method" do
+        @controller.should_not respond_to(:acl?)
+      end
+    end
+  end
+end
+
+#######################################################################
+
+class ACLBlockTest < ActionController::TestCase
+  tests ACLBlock
+
+  include BaseTests
+end
+
+class ACLMethodTest < ActionController::TestCase
+  tests ACLMethod
+
+  include BaseTests
+  include ShouldRespondToAcl
+end
+
+class ACLMethod2Test < ActionController::TestCase
+  tests ACLMethod2
+
+  include BaseTests
+  include ShouldRespondToAcl
+end
+
+class ACLArgumentsTest < ActionController::TestCase
+  tests ACLArguments
+
+  include BaseTests
+end
+
+class ACLBooleanMethodTest < ActionController::TestCase
+  tests ACLBooleanMethod
+
+  include BaseTests
+end
+
+class ACLIvarsTest < ActionController::TestCase
+  tests ACLIvars
+
+  it "should allow owner of foo to destroy" do
+    delete :destroy, :user => OwnerOfFoo.new
+    @response.body.should == 'OK'
+  end
+
+  it "should allow bartender to destroy" do
+    delete :destroy, :user => Bartender.new
+    @response.body.should == 'OK'
+  end
+end
+
+class ACLSubjectMethodTest < ActionController::TestCase
+  tests ACLSubjectMethod
+
+  it "should allow the only user to index" do
+    get :index, :user => TheOnlyUser.instance
+    @response.body.should == 'OK'
+  end
+
+  it "should deny anonymous to index" do
+    get :index
+    @response.body.should == 'AccessDenied'
+  end
+end
+
+class ACLObjectsHashTest < ActionController::TestCase
+  tests ACLObjectsHash
+
+  it "should consider objects hash and prefer it to @ivar" do
+    get :allow, :user => OwnerOfFoo.new
+    @response.body.should == 'OK'
+  end
+
+  it "should return AccessDenied when not logged in" do
+    get :allow
+    @response.body.should == 'AccessDenied'
+  end
+end
+
+class ACLActionOverrideTest < ActionController::TestCase
+  tests ACLActionOverride
+
+  it "should allow index action to anonymous" do
+    get :check_allow, :_action => :index
+    @response.body.should == 'OK'
+  end
+
+  it "should deny show action to anonymous" do
+    get :check_allow, :_action => :show
+    @response.body.should == 'AccessDenied'
+  end
+
+  it "should deny edit action to regular user" do
+    get :check_allow_with_foo, :_action => :edit, :user => TheOnlyUser.instance
+
+    @response.body.should == 'AccessDenied'
+  end
+
+  it "should allow edit action to owner of foo" do
+    get :check_allow_with_foo, :_action => :edit, :user => OwnerOfFoo.new
+
+    @response.body.should == 'OK'
+  end
+end
+
+class ACLHelperMethodTest < ActionController::TestCase
+  tests ACLHelperMethod
+
+  it "should return OK checking helper method" do
+    get :allow, :user => OwnerOfFoo.new
+    @response.body.should == 'OK'
+  end
+
+  it "should return AccessDenied when not logged in" do
+    get :allow
+    @response.body.should == 'AccessDenied'
+  end
+end
+
+#######################################################################
+
+module ACLQueryMixin
+  def self.included(base)
+    base.class_eval do
+      describe "#acl_question_mark" do      # describe "#acl?" doesn't work
+        before do
+          @editor = Beholder.new(:editor)
+          @viewer = Beholder.new(:viewer)
+          @owneroffoo = OwnerOfFoo.new
+        end
+
+        [:edit, :update, :destroy].each do |meth|
+          it "should return true for editor/#{meth}" do
+            @controller.current_user = @editor
+            @controller.acl?(meth).should == true
+            @controller.acl?(meth.to_s).should == true
+          end
+
+          it "should return false for viewer/#{meth}" do
+            @controller.current_user = @viewer
+            @controller.acl?(meth).should == false
+            @controller.acl?(meth.to_s).should == false
+          end
+        end
+
+        [:index, :show].each do |meth|
+          it "should return false for editor/#{meth}" do
+            @controller.current_user = @editor
+            @controller.acl?(meth).should == false
+            @controller.acl?(meth.to_s).should == false
+          end
+
+          it "should return true for viewer/#{meth}" do
+            @controller.current_user = @viewer
+            @controller.acl?(meth).should == true
+            @controller.acl?(meth.to_s).should == true
+          end
+        end
+
+        it "should return false for editor/fooize" do
+          @controller.current_user = @editor
+          @controller.acl?(:fooize).should == false
+        end
+
+        it "should return true for foo owner" do
+          @controller.current_user = @owneroffoo
+          @controller.acl?(:fooize, :foo => MyDearFoo.instance).should == true
+        end
+      end
+    end
+  end
+end
+
+class ACLQueryMethodTest < ActionController::TestCase
+  tests ACLQueryMethod
+
+  it "should respond to :acl?" do
+    @controller.should respond_to(:acl?)
+  end
+
+  include ACLQueryMixin
+end
+
+class ACLQueryMethodWithLambdaTest < ActionController::TestCase
+  tests ACLQueryMethodWithLambda
+
+  it "should respond to :acl?" do
+    @controller.should respond_to(:acl?)
+  end
+
+  include ACLQueryMixin
+end
+
+#######################################################################
+
+class ACLNamedQueryMethodTest < ActionController::TestCase
+  tests ACLNamedQueryMethod
+
+  it "should respond to :allow_ay" do
+    @controller.should respond_to(:allow_ay)
+  end
+
+  include ACLQueryMixin
+end
+
+#######################################################################
+
+class ArgumentsCheckingTest < ActiveSupport::TestCase
+  def arg_err(&block)
+    lambda do
+      block.call
+    end.should raise_error(ArgumentError)
+  end
+
+  it "should raise ArgumentError without a block" do
+    arg_err do
+      class FailureController < ApplicationController
+        access_control
+      end
+    end
+  end
+
+  it "should raise ArgumentError with 1st argument which is not a symbol" do
+    arg_err do
+      class FailureController < ApplicationController
+        access_control 123 do end
+      end
+    end
+  end
+
+  it "should raise ArgumentError with more than 1 positional argument" do
+    arg_err do
+      class FailureController < ApplicationController
+        access_control :foo, :bar do end
+      end
+    end
+  end
+
+  it "should raise ArgumentError with :helper => true and no method name" do
+    arg_err do
+      class FailureController < ApplicationController
+        access_control :helper => true do end
+      end
+    end
+  end
+
+  it "should raise ArgumentError with :helper => :method and a method name" do
+    arg_err do
+      class FailureController < ApplicationController
+        access_control :meth, :helper => :another_meth do end
+      end
+    end
+  end
+end
+