acl9 0.11.0

data/test/helpers_test.rb

@@ -0,0 +1,93 @@
+require 'test_helper'
+
+require File.join(File.dirname(__FILE__), '..', 'lib', 'acl9')
+
+module SomeHelper
+  include Acl9Helpers
+
+  access_control :the_question do
+    allow :hamlet, :to => :be
+    allow :hamlet, :except => :be
+  end
+end
+
+class HelperTest < Test::Unit::TestCase
+  module Hamlet
+    def current_user
+      user = Object.new
+
+      class <<user
+        def has_role?(role, obj=nil)
+          role == 'hamlet'
+        end
+      end
+
+      user
+    end
+  end
+
+  module NotLoggedIn
+    def current_user; nil end
+  end
+  
+  module Noone
+    def current_user
+      user = Object.new
+
+      class <<user
+        def has_role?(*_); false end
+      end
+
+      user
+    end
+  end
+
+  class Base
+    include SomeHelper
+
+    attr_accessor :action_name
+    def controller
+      self
+    end
+  end
+
+  class Klass1 < Base
+    include Hamlet
+  end
+  
+  class Klass2 < Base
+    include NotLoggedIn
+  end
+  
+  class Klass3 < Base
+    include Noone
+  end
+
+  it "has :the_question method" do
+    Base.new.should respond_to(:the_question)
+  end
+  
+  it "role :hamlet is allowed to be" do
+    k = Klass1.new
+    k.action_name = 'be'
+    k.the_question.should be_true
+  end
+  
+  it "role :hamlet is allowed to not_be" do
+    k = Klass1.new
+    k.action_name = 'not_be'
+    k.the_question.should be_true
+  end
+  
+  it "not logged in is not allowed to be" do
+    k = Klass2.new
+    k.action_name = 'be'
+    k.the_question.should == false
+  end
+  
+  it "noone is not allowed to be" do
+    k = Klass3.new
+    k.action_name = 'be'
+    k.the_question.should == false
+  end
+end

data/test/roles_test.rb

@@ -0,0 +1,310 @@
+require 'test_helper'
+require File.join(File.dirname(__FILE__), '..', 'lib', 'acl9')
+require 'support/models'
+
+#Logger = ActiveRecord::Base.logger
+load 'support/schema.rb'
+
+class RolesTest < Test::Unit::TestCase
+  before do
+    Role.destroy_all
+    [User, Foo, Bar].each { |model| model.delete_all }
+
+    @user = User.create!
+    @user2 = User.create!
+    @foo = Foo.create!
+    @bar = Bar.create!
+  end
+
+  it "should not have any roles by default" do
+    %w(user manager admin owner).each do |role|
+      @user.has_role?(role).should be_false
+    end
+  end
+
+  it "#has_role! without object (global role)" do
+    lambda do
+      @user.has_role!('admin')
+    end.should change { Role.count }.from(0).to(1)
+
+    @user.has_role?('admin').should be_true
+    @user2.has_role?('admin').should be_false
+  end
+
+  it "should not count global role as object role" do
+    @user.has_role!('admin')
+
+    [@foo, @bar, Foo, Bar, @user].each do |obj|
+      @user.has_role?('admin', obj).should be_false
+      @user.has_roles_for?(obj).should be_false
+      @user.roles_for(obj).should == []
+    end
+
+    [@foo, @bar].each do |obj|
+      obj.accepts_role?('admin', @user).should be_false
+    end
+  end
+
+  it "#has_role! with object (object role)" do
+    @user.has_role!('manager', @foo)
+
+    @user.has_role?('manager', @foo).should be_true
+    @user.has_roles_for?(@foo).should be_true
+    @user.has_role_for?(@foo).should be_true
+
+    roles = @user.roles_for(@foo)
+    roles.should == @foo.accepted_roles_by(@user)
+    roles.size.should == 1
+    roles.first.name.should == "manager"
+
+    @user.has_role?('manager', @bar).should be_false
+    @user2.has_role?('manager', @foo).should be_false
+
+    @foo.accepts_role?('manager', @user).should be_true
+    @foo.accepts_role_by?(@user).should be_true
+    @foo.accepts_roles_by?(@user).should be_true
+  end
+
+  it "should count object role also as global role" do
+    @user.has_role!('manager', @foo)
+
+    @user.has_role?('manager').should be_true
+  end
+
+  it "should not count object role as object class role" do
+    @user.has_role!('manager', @foo)
+    @user.has_role?('manager', Foo).should be_false
+  end
+
+  context "protect_global_roles is true" do
+    before do
+      @saved_option = Acl9.config[:protect_global_roles]
+      Acl9.config[:protect_global_roles] = true
+    end
+
+    it "should not count object role also as global role" do
+      @user.has_role!('manager', @foo)
+
+      @user.has_role?('manager').should be_false
+    end
+
+    after do
+      Acl9.config[:protect_global_roles] = @saved_option
+    end
+  end
+
+  it "#has_role! with class" do
+    @user.has_role!('user', Bar)
+
+    @user.has_role?('user', Bar).should be_true
+    @user.has_roles_for?(Bar).should be_true
+    @user.has_role_for?(Bar).should be_true
+
+    roles = @user.roles_for(Bar)
+    roles.size.should == 1
+    roles.first.name.should == "user"
+
+    @user.has_role?('user', Foo).should be_false
+    @user2.has_role?('user', Bar).should be_false
+  end
+
+  it "should not count class role as object role" do
+    @user.has_role!('manager', Foo)
+    @user.has_role?('manager', @foo).should be_false
+  end
+
+  it "should be able to have several roles on the same object" do
+    @user.has_role!('manager', @foo)
+    @user.has_role!('user',    @foo)
+    @user.has_role!('admin',   @foo)
+
+    @user.has_role!('owner',   @bar)
+
+    @user.roles_for(@foo)        .map(&:name).sort.should == %w(admin manager user)
+    @foo.accepted_roles_by(@user).map(&:name).sort.should == %w(admin manager user)
+  end
+
+  it "should reuse existing roles" do
+    @user.has_role!('owner', @bar)
+    @user2.has_role!('owner', @bar)
+
+    @user.role_objects.should == @user2.role_objects
+  end
+
+  it "#has_no_role! should unassign a global role from user" do
+    set_some_roles
+
+    lambda do
+      @user.has_no_role!('3133t')
+    end.should change { @user.role_objects.count }.by(-1)
+
+    @user.has_role?('3133t').should be_false
+  end
+
+  it "#has_no_role! should unassign an object role from user" do
+    set_some_roles
+
+    lambda do
+      @user.has_no_role!('manager', @foo)
+    end.should change { @user.role_objects.count }.by(-1)
+
+    @user.has_role?('manager', @foo).should be_false
+    @user.has_role?('user', @foo).should be_true      # another role on the same object
+  end
+
+  it "#has_no_role! should unassign a class role from user" do
+    set_some_roles
+
+    lambda do
+      @user.has_no_role!('admin', Foo)
+    end.should change { @user.role_objects.count }.by(-1)
+
+    @user.has_role?('admin', Foo).should be_false
+    @user.has_role?('admin').should be_true           # global role
+  end
+
+  it "#has_no_roles_for! should unassign global and class roles with nil object" do
+    set_some_roles
+
+    lambda do
+      @user.has_no_roles_for!
+    end.should change { @user.role_objects.count }.by(-4)
+
+    @user.has_role?('admin').should be_false
+    @user.has_role?('3133t').should be_false
+    @user.has_role?('admin', Foo).should be_false
+    @user.has_role?('manager', Foo).should be_false
+  end
+
+  it "#has_no_roles_for! should unassign object roles" do
+    set_some_roles
+
+    lambda do
+      @user.has_no_roles_for! @foo
+    end.should change { @user.role_objects.count }.by(-2)
+
+    @user.has_role?('user', @foo).should be_false
+    @user.has_role?('manager', @foo).should be_false
+  end
+
+  it "#has_no_roles_for! should unassign both class roles and object roles for objects of that class" do
+    set_some_roles
+
+    lambda do
+      @user.has_no_roles_for! Foo
+    end.should change { @user.role_objects.count }.by(-4)
+
+    @user.has_role?('admin', Foo).should be_false
+    @user.has_role?('manager', Foo).should be_false
+    @user.has_role?('user', @foo).should be_false
+    @user.has_role?('manager', @foo).should be_false
+  end
+
+  it "#has_no_roles! should unassign all roles" do
+    set_some_roles
+
+    @user.has_no_roles!
+    @user.role_objects.count.should == 0
+  end
+
+  it "should delete unused roles from table" do
+    @user.has_role!('owner', @bar)
+    @user2.has_role!('owner', @bar)
+
+    Role.count.should == 1
+
+    @bar.accepts_no_role!('owner', @user2)
+    Role.count.should == 1
+
+    @bar.accepts_no_role!('owner', @user)
+
+    Role.count.should == 0
+  end
+
+  it "should accept :symbols as role names" do
+    @user.has_role! :admin
+    @user.has_role! :_3133t
+
+    @user.has_role! :admin, Foo
+    @user.has_role! :manager, Foo
+    @user.has_role! :user, @foo
+    @foo.accepts_role! :manager, @user
+    @bar.accepts_role! :owner,   @user
+
+    @user.has_role?(:admin).should be_true
+    @user.has_role?(:_3133t).should be_true
+    @user.has_role?(:admin, Foo).should be_true
+    @user.has_role?(:manager, @foo).should be_true
+  end
+
+  private
+
+  def set_some_roles
+    @user.has_role!('admin')
+    @user.has_role!('3133t')
+
+    @user.has_role!('admin', Foo)
+    @user.has_role!('manager', Foo)
+    @user.has_role!('user', @foo)
+    @foo.accepts_role!('manager', @user)
+    @bar.accepts_role!('owner',   @user)
+  end
+end
+
+class RolesWithCustomClassNamesTest < Test::Unit::TestCase
+  before do
+    AnotherRole.destroy_all
+    [AnotherSubject, FooBar].each { |model| model.delete_all }
+
+    @subj = AnotherSubject.create!
+    @subj2 = AnotherSubject.create!
+    @foobar = FooBar.create!
+  end
+
+  it "should basically work" do
+    lambda do
+      @subj.has_role!('admin')
+      @subj.has_role!('user', @foobar)
+    end.should change { AnotherRole.count }.from(0).to(2)
+
+    @subj.has_role?('admin').should be_true
+    @subj2.has_role?('admin').should be_false
+
+    @subj.has_role?(:user, @foobar).should be_true
+    @subj2.has_role?(:user, @foobar).should be_false
+
+    @subj.has_no_roles!
+    @subj2.has_no_roles!
+  end
+end
+
+class UsersRolesAndSubjectsWithNamespacedClassNamesTest < Test::Unit::TestCase
+  before do
+    Other::Role.destroy_all
+    [Other::User, Other::FooBar].each { |model| model.delete_all }
+
+    @user = Other::User.create!
+    @user2 = Other::User.create!
+    @foobar = Other::FooBar.create!
+
+  end
+
+  it "should basically work" do
+    lambda do
+      @user.has_role!('admin')
+      @user.has_role!('user', @foobar)
+    end.should change { Other::Role.count }.from(0).to(2)
+
+    @user.has_role?('admin').should be_true
+    @user2.has_role?('admin').should be_false
+
+    @user.has_role?(:user, @foobar).should be_true
+    @user2.has_role?(:user, @foobar).should be_false
+
+    @foobar.accepted_roles.count.should == 1
+
+    @user.has_no_roles!
+    @user2.has_no_roles!
+  end
+end
+

data/test/support/controllers.rb

@@ -0,0 +1,207 @@
+class ApplicationController < ActionController::Base
+  rescue_from Acl9::AccessDenied do |e|
+    render :text => 'AccessDenied'
+  end
+end
+
+class EmptyController < ApplicationController
+  attr_accessor :current_user
+  before_filter :set_current_user
+
+  [:index, :show, :new, :edit, :update, :delete, :destroy].each do |act|
+    define_method(act) { render :text => 'OK' }
+  end
+
+  private
+
+  def set_current_user
+    if params[:user]
+      self.current_user = params[:user]
+    end
+  end
+end
+
+module TrueFalse
+  private
+
+  def true_meth; true end
+  def false_meth; false end
+end
+
+# all these controllers behave the same way
+
+class ACLBlock < EmptyController
+  access_control :debug => true do
+    allow all, :to => [:index, :show]
+    allow :admin
+  end
+end
+
+class ACLMethod < EmptyController
+  access_control :as_method => :acl do
+    allow all, :to => [:index, :show]
+    allow :admin, :except => [:index, :show]
+  end
+end
+
+class ACLMethod2 < EmptyController
+  access_control :acl do
+    allow all, :to => [:index, :show]
+    allow :admin, :except => [:index, :show]
+  end
+end
+
+class ACLArguments < EmptyController
+  access_control :except => [:index, :show] do
+    allow :admin, :if => :true_meth, :unless => :false_meth
+  end
+
+  include TrueFalse
+end
+
+class ACLBooleanMethod < EmptyController
+  access_control :acl, :filter => false do
+    allow all, :to => [:index, :show], :if => :true_meth
+    allow :admin,                      :unless => :false_meth
+    allow all,                         :if => :false_meth
+    allow all,                         :unless => :true_meth
+  end
+
+  before_filter :check_acl
+
+  def check_acl
+    if self.acl
+      true
+    else 
+      raise Acl9::AccessDenied
+    end
+  end
+
+  include TrueFalse
+end
+
+###########################################
+class MyDearFoo
+  include Singleton 
+end
+
+class ACLIvars < EmptyController
+  class VenerableBar; end
+
+  before_filter :set_ivars
+
+  access_control do
+    action :destroy do
+      allow :owner, :of => :foo
+      allow :bartender, :at => VenerableBar
+    end
+  end
+
+  private
+
+  def set_ivars
+    @foo = MyDearFoo.instance
+  end
+end
+
+class ACLSubjectMethod < ApplicationController
+  access_control :subject_method => :the_only_user do
+    allow :the_only_one
+  end
+
+  def index
+    render :text => 'OK'
+  end
+
+  private
+
+  def the_only_user
+    params[:user]
+  end
+end
+
+class ACLObjectsHash < ApplicationController
+  access_control :allowed?, :filter => false do
+    allow :owner, :of => :foo
+  end
+
+  def allow
+    @foo = nil
+    render :text => (allowed?(:foo => MyDearFoo.instance) ? 'OK' : 'AccessDenied')
+  end
+
+  def current_user
+    params[:user]
+  end
+end
+
+class ACLActionOverride < ApplicationController
+  access_control :allowed?, :filter => false do
+    allow all, :to => :index
+    deny all, :to => :show
+    allow :owner, :of => :foo, :to => :edit
+  end
+
+  def check_allow
+    render :text => (allowed?(params[:_action]) ? 'OK' : 'AccessDenied')
+  end
+
+  def check_allow_with_foo
+    render :text => (allowed?(params[:_action], :foo => MyDearFoo.instance) ? 'OK' : 'AccessDenied')
+  end
+
+  def current_user
+    params[:user]
+  end
+end
+
+
+class ACLHelperMethod < ApplicationController
+  access_control :helper => :foo? do
+    allow :owner, :of => :foo
+  end
+
+  def allow
+    @foo = MyDearFoo.instance
+
+    render :inline => "<%= foo? ? 'OK' : 'AccessDenied' %>"
+  end
+
+  def current_user
+    params[:user]
+  end
+end
+
+class ACLQueryMethod < ApplicationController
+  attr_accessor :current_user
+
+  access_control :acl, :query_method => true do
+    allow :editor, :to => [:edit, :update, :destroy]
+    allow :viewer, :to => [:index, :show]
+    allow :owner,  :of => :foo, :to => :fooize
+  end
+end
+
+class ACLQueryMethodWithLambda < ApplicationController
+  attr_accessor :current_user
+
+  access_control :query_method => :acl? do
+    allow :editor, :to => [:edit, :update, :destroy]
+    allow :viewer, :to => [:index, :show]
+    allow :owner,  :of => :foo, :to => :fooize
+  end
+end
+
+class ACLNamedQueryMethod < ApplicationController
+  attr_accessor :current_user
+
+  access_control :acl, :query_method => 'allow_ay' do
+    allow :editor, :to => [:edit, :update, :destroy]
+    allow :viewer, :to => [:index, :show]
+    allow :owner,  :of => :foo, :to => :fooize
+  end
+
+  def acl?(*args)
+    allow_ay(*args)
+  end
+end