acl9 0.12.0 → 1.0.0

data/lib/acl9/model_extensions/for_object.rb

@@ -10,7 +10,10 @@ module Acl9
       # @param [Subject] subject Subject to add role for
       # @see Acl9::ModelExtensions::Subject#has_role?
       def accepts_role?(role_name, subject)
-        subject.has_role? role_name, self
+        if not subject.nil?
+          return subject.has_role? role_name, self
+        end
+        false
       end
 
       ##
@@ -20,7 +23,10 @@ module Acl9
       # @param [Subject] subject Subject to add role for
       # @see Acl9::ModelExtensions::Subject#has_role!
       def accepts_role!(role_name, subject)
-        subject.has_role! role_name, self
+        if not subject.nil?
+          return subject.has_role! role_name, self
+        end
+        false
       end
 
       ##
@@ -30,7 +36,10 @@ module Acl9
       # @param [Subject] subject Subject to remove role from
       # @see Acl9::ModelExtensions::Subject#has_no_role!
       def accepts_no_role!(role_name, subject)
-        subject.has_no_role! role_name, self
+        if not subject.nil?
+          return subject.has_no_role! role_name, self
+        end
+        false
       end
 
       ##
@@ -40,7 +49,10 @@ module Acl9
       # @return [Boolean] Returns true if +subject+ has any roles on this object.
       # @see Acl9::ModelExtensions::Subject#has_roles_for?
       def accepts_roles_by?(subject)
-        subject.has_roles_for? self
+        if not subject.nil?
+          return subject.has_roles_for? self
+        end
+        false
       end
 
       alias :accepts_role_by? :accepts_roles_by?
@@ -52,7 +64,10 @@ module Acl9
       # @param [Subject] subject Subject to query roles
       # @see Acl9::ModelExtensions::Subject#roles_for
       def accepted_roles_by(subject)
-        subject.roles_for self
+        if not subject.nil?
+          return subject.roles_for self
+        end
+        false
       end
     end
   end

data/lib/acl9/model_extensions/for_subject.rb

@@ -17,7 +17,7 @@ module Acl9
       #
       # In this case manager is anyone who "manages" at least one object.
       #
-      # However, if protect_global_roles option set to +true+, you'll need to 
+      # However, if protect_global_roles option set to +true+, you'll need to
       # explicitly grant global role with same name.
       #
       #   Acl9.config[:protect_global_roles] = true
@@ -26,7 +26,7 @@ module Acl9
       #   user.has_role!(:manager)
       #   user.has_role?(:manager)        # => true
       #
-      # protect_global_roles option is +false+ by default as for now, but this 
+      # protect_global_roles option is +false+ by default as for now, but this
       # may change in future!
       #
       # @return [Boolean] Whether +self+ has a role +role_name+ on +object+.
@@ -36,11 +36,11 @@ module Acl9
       # @see Acl9::ModelExtensions::Object#accepts_role?
       def has_role?(role_name, object = nil)
         !! if object.nil? && !::Acl9.config[:protect_global_roles]
-          self.role_objects.find_by_name(role_name.to_s) ||
-          self.role_objects.member?(get_role(role_name, nil))
+          self._role_objects.find_by_name(role_name.to_s) ||
+          self._role_objects.member?(get_role(role_name, nil))
         else
           role = get_role(role_name, object)
-          role && self.role_objects.exists?(role.id)
+          role && self._role_objects.exists?(role.id)
         end
       end
 
@@ -63,7 +63,7 @@ module Acl9
           role = self._auth_role_class.create(role_attrs)
         end
 
-        self.role_objects << role if role && !self.role_objects.exists?(role.id)
+        self._role_objects << role if role && !self._role_objects.exists?(role.id)
       end
 
       ##
@@ -83,7 +83,7 @@ module Acl9
       # @return [Boolean] Returns true if +self+ has any roles on +object+.
       # @see Acl9::ModelExtensions::Object#accepts_roles_by?
       def has_roles_for?(object)
-        !!self.role_objects.detect(&role_selecting_lambda(object))
+        !!self._role_objects.detect(&role_selecting_lambda(object))
       end
 
       alias :has_role_for? :has_roles_for?
@@ -100,7 +100,7 @@ module Acl9
       #
       #   user.roles_for(product).map(&:name).sort  #=> role names in alphabetical order
       def roles_for(object)
-        self.role_objects.select(&role_selecting_lambda(object))
+        self._role_objects.select(&role_selecting_lambda(object))
       end
 
       ##
@@ -119,7 +119,7 @@ module Acl9
         #   self.roles.each { |role| delete_role(role) }
         #
         # doesn't work. seems like a bug in ActiveRecord
-        self.role_objects.map(&:id).each do |role_id|
+        self._role_objects.map(&:id).each do |role_id|
           delete_role self._auth_role_class.find(role_id)
         end
       end
@@ -134,7 +134,8 @@ module Acl9
           lambda { |role| role.authorizable.nil? }
         else
           lambda do |role|
-            role.authorizable_type == object.class.base_class.to_s && role.authorizable == object
+            auth_id = role.authorizable_id.kind_of?(String) ? object.id.to_s : object.id
+            role.authorizable_type == object.class.base_class.to_s && role.authorizable_id == auth_id
           end
         end
       end
@@ -154,31 +155,35 @@ module Acl9
                  ]
                end
 
-        self._auth_role_class.first :conditions => cond
+        if self._auth_role_class.respond_to?(:where)
+          self._auth_role_class.where(cond).first
+        else
+          self._auth_role_class.find(:first, :conditions => cond)
+        end
       end
 
       def delete_role(role)
         if role
-          self.role_objects.delete role
-
-          role.destroy if role.send(self._auth_subject_class_name.demodulize.tableize).empty?
+          self._role_objects.delete role
+          if role.send(self._auth_subject_class_name.demodulize.tableize).empty?
+            role.destroy unless role.respond_to?(:system?) && role.system?
+          end
         end
       end
-      
+
       protected
 
       def _auth_role_class
         self.class._auth_role_class_name.constantize
       end
-      
+
       def _auth_role_assoc
-      	self.class._auth_role_assoc_name
+        self.class._auth_role_assoc_name
       end
 
-      def role_objects
-      	send(self._auth_role_assoc)
+      def _role_objects
+        send(self._auth_role_assoc)
       end
-
     end
   end
 end

data/lib/acl9/model_extensions.rb

@@ -33,12 +33,11 @@ module Acl9
       # @see Acl9::ModelExtensions::Subject
       #
       def acts_as_authorization_subject(options = {})
-      	assoc = options[:association_name] || Acl9::config[:default_association_name]
+        assoc = options[:association_name] || Acl9::config[:default_association_name]
         role = options[:role_class_name] || Acl9::config[:default_role_class_name]
-        join_table = options[:join_table_name] || Acl9::config[:default_join_table_name] ||
-                    join_table_name(undecorated_table_name(self.to_s), undecorated_table_name(role))
+        join_table = options[:join_table_name] || Acl9::config[:default_join_table_name] || self.table_name_prefix + [undecorated_table_name(self.to_s), undecorated_table_name(role)].sort.join("_") + self.table_name_suffix
 
-        has_and_belongs_to_many assoc, :class_name => role, :join_table => join_table
+        has_and_belongs_to_many assoc.to_sym, :class_name => role, :join_table => join_table
 
         cattr_accessor :_auth_role_class_name, :_auth_subject_class_name,
                        :_auth_role_assoc_name
@@ -74,28 +73,12 @@ module Acl9
       def acts_as_authorization_object(options = {})
         subject = options[:subject_class_name] || Acl9::config[:default_subject_class_name]
         subj_table = subject.constantize.table_name
-        subj_col = subject.underscore
-
-        role       = options[:role_class_name] || Acl9::config[:default_role_class_name]
-        role_table = role.constantize.table_name
 
-        sql_tables = <<-EOS
-          FROM #{subj_table}
-          INNER JOIN #{role_table}_#{subj_table} ON #{subj_col}_id = #{subj_table}.id
-          INNER JOIN #{role_table}               ON #{role_table}.id = #{role.underscore}_id
-        EOS
-
-        sql_where = <<-'EOS'
-          WHERE authorizable_type = '#{self.class.base_class.to_s}'
-          AND authorizable_id = #{column_for_attribute(self.class.primary_key).text? ? "'#{id}'": id}
-        EOS
+        role = options[:role_class_name] || Acl9::config[:default_role_class_name]
 
         has_many :accepted_roles, :as => :authorizable, :class_name => role, :dependent => :destroy
 
-        has_many :"#{subj_table}",
-          :finder_sql  => ("SELECT DISTINCT #{subj_table}.*" + sql_tables + sql_where),
-          :counter_sql => ("SELECT COUNT(DISTINCT #{subj_table}.id)" + sql_tables + sql_where),
-          :readonly => true
+        has_many :"#{subj_table}", -> { distinct.readonly }, through: :accepted_roles
 
         include Acl9::ModelExtensions::ForObject
       end
@@ -126,7 +109,9 @@ module Acl9
       def acts_as_authorization_role(options = {})
         subject = options[:subject_class_name] || Acl9::config[:default_subject_class_name]
         join_table = options[:join_table_name] || Acl9::config[:default_join_table_name] ||
-                     join_table_name(undecorated_table_name(self.to_s), undecorated_table_name(subject))
+                    self.table_name_prefix + [undecorated_table_name(self.to_s), undecorated_table_name(subject)].sort.join("_") + self.table_name_suffix
+                    # comment out use deprecated API
+                    #join_table_name(undecorated_table_name(self.to_s), undecorated_table_name(subject))
 
         has_and_belongs_to_many subject.demodulize.tableize.to_sym,
           :class_name => subject,

data/lib/acl9/version.rb

@@ -0,0 +1,3 @@
+module Acl9
+  VERSION = "1.0.0"
+end

data/lib/acl9.rb

@@ -1,16 +1,20 @@
-require File.join(File.dirname(__FILE__), 'acl9', 'config')
+require 'acl9/version'
+require 'acl9/model_extensions'
+require 'acl9/controller_extensions'
+require 'acl9/helpers'
 
-if defined? ActiveRecord::Base
-  require File.join(File.dirname(__FILE__), 'acl9', 'model_extensions')
+module Acl9
+  @@config = {
+    :default_role_class_name    => 'Role',
+    :default_subject_class_name => 'User',
+    :default_subject_method     => :current_user,
+    :default_association_name   => :role_objects,
+    :protect_global_roles       => true,
+  }
 
-  ActiveRecord::Base.send(:include, Acl9::ModelExtensions)
+  mattr_reader :config
 end
 
-
-if defined? ActionController::Base
-  require File.join(File.dirname(__FILE__), 'acl9', 'controller_extensions')
-  require File.join(File.dirname(__FILE__), 'acl9', 'helpers')
-
-  ActionController::Base.send(:include, Acl9::ControllerExtensions)
-  Acl9Helpers = Acl9::Helpers unless defined?(Acl9Helpers)
-end
+ActiveRecord::Base.send(:include, Acl9::ModelExtensions)
+ActionController::Base.send(:include, Acl9::ControllerExtensions)
+Acl9Helpers = Acl9::Helpers unless defined?(Acl9Helpers)

data/test/controller_extensions/actions_test.rb

@@ -0,0 +1,167 @@
+require_relative 'base'
+
+module ControllerExtensions
+  class ActionTest < Base
+    test "should raise an ArgumentError when actions has no block" do
+      assert_raise ArgumentError do
+        @tester.acl_block! { actions :foo, :bar }
+      end
+    end
+
+    test "should raise an ArgumentError when actions has no arguments" do
+      assert_raise ArgumentError do
+        @tester.acl_block! { actions do end }
+      end
+    end
+
+    test "should raise an ArgumentError when actions is called inside actions block" do
+      assert_raise ArgumentError do
+        @tester.acl_block! do
+          actions :foo, :bar do
+            actions :foo, :bar do
+            end
+          end
+        end
+      end
+    end
+
+    test "should raise an ArgumentError when default is called inside actions block" do
+      assert_raise ArgumentError do
+        @tester.acl_block! do
+          actions :foo, :bar do
+            default :allow
+          end
+        end
+      end
+    end
+
+    [:to, :except].each do |opt|
+      test "should raise an ArgumentError when allow is called with #{opt} option" do
+        assert_raise ArgumentError do
+          @tester.acl_block! do
+            actions :foo do
+              allow all, opt => :bar
+            end
+          end
+        end
+      end
+
+      test "should raise an ArgumentError when deny is called with #{opt} option" do
+        assert_raise ArgumentError do
+          @tester.acl_block! do
+            actions :foo do
+              deny all, opt => :bar
+            end
+          end
+        end
+      end
+    end
+
+    test "empty actions block should do nothing" do
+      @tester.acl_block! do
+        actions :foo do
+        end
+
+        allow all
+      end
+      assert_permitted nil
+      assert_permitted nil, :foo
+    end
+
+    test "#allow should limit its scope to specified actions" do
+      assert ( bee = User.create ).has_role! :bee
+
+      @tester.acl_block! do
+        actions :edit do
+          allow :bee
+        end
+      end
+      assert_permitted bee, :edit
+      assert_forbidden bee, :update
+    end
+
+    test "#deny should limit its scope to specified actions" do
+      assert ( bee = User.create ).has_role! :bee
+
+      @tester.acl_block! do
+        default :allow
+        actions :edit do
+          deny :bee
+        end
+      end
+      assert_forbidden bee, :edit
+      assert_permitted bee, :update
+    end
+
+    test "#allow and #deny should work together inside actions block" do
+      assert foo = Foo.create
+
+      assert ( owner = User.create ).has_role! :owner, foo
+      assert ( hacker = User.create ).has_role! :hacker
+      assert hacker.has_role! :the_destroyer
+
+      assert ( another_owner = User.create ).has_role! :owner, foo
+      assert another_owner.has_role! :hacker
+
+      @tester.acl_block! do
+        actions :show, :index do
+          allow all
+        end
+
+        actions :edit, :new, :create, :update do
+          allow :owner, :of => :foo
+          deny :hacker
+        end
+
+        actions :destroy do
+          allow :owner, :of => :foo
+          allow :the_destroyer
+        end
+      end
+
+      assert set_all_actions
+      permit_some owner,  @all_actions, :foo => foo
+      permit_some hacker, %w(show index destroy)
+      permit_some another_owner, %w(show index destroy), :foo => foo
+    end
+
+    def set_all_actions
+      @all_actions = %w(index show new edit create update destroy)
+    end
+
+    test "should work with anonymous" do
+      assert ( superadmin = User.create ).has_role! :superadmin
+
+      @tester.acl_block! do
+        allow :superadmin
+
+        action :index, :show do
+          allow anonymous
+        end
+      end
+
+      assert set_all_actions
+      permit_some superadmin, @all_actions
+      permit_some nil, %w(index show)
+    end
+
+    test "should work with anonymous and other role inside" do
+      assert ( superadmin = User.create ).has_role! :superadmin
+      assert ( member = User.create ).has_role! :member
+
+      @tester.acl_block! do
+        allow :superadmin
+
+        action :index, :show do
+          allow anonymous
+          allow :member
+        end
+      end
+
+      assert set_all_actions
+      permit_some superadmin, @all_actions
+      permit_some member, %w(index show)
+      permit_some nil, %w(index show)
+    end
+  end
+end

data/test/controller_extensions/anon_test.rb

@@ -0,0 +1,39 @@
+require_relative 'base'
+
+module ControllerExtensions
+  class AnonTest < Base
+    test "allow nil permits only nil" do
+      @tester.acl_block! { allow nil }
+
+      assert_permitted nil
+      assert_user_types_forbidden
+    end
+
+    test "allow anon permits only nil" do
+      @tester.acl_block! { allow anonymous }
+
+      assert_permitted nil
+      assert_user_types_forbidden
+    end
+
+    test "default allowed, nil denied" do
+      @tester.acl_block! do
+        default :allow
+        deny nil
+      end
+
+      assert_forbidden nil
+      assert_user_types_permitted
+    end
+
+    test "default allowed, anon denied" do
+      @tester.acl_block! do
+        default :allow
+        deny anonymous
+      end
+
+      assert_forbidden nil
+      assert_user_types_permitted
+    end
+  end
+end

data/test/controller_extensions/base.rb

@@ -0,0 +1,96 @@
+require 'test_helper'
+
+module ControllerExtensions
+  class Base < ActiveSupport::TestCase
+    setup do
+      # TODO - clean this up so we don't need to create such a complex object just for a test
+      @tester = Class.new(Acl9::Dsl::Base) do
+        def check_allowance(subject, *args)
+          @_subject = subject
+          @_current_action = (args[0] || 'index').to_s
+          @_objects = args.last.is_a?(Hash) ? args.last : {}
+          @_callable = @_objects.delete(:call)
+
+          instance_eval(allowance_expression)
+        end
+
+        def _subject_ref
+          "@_subject"
+        end
+
+        def _object_ref(object)
+          "@_objects[:#{object}]"
+        end
+
+        def _action_ref
+          "@_current_action"
+        end
+
+        def _method_ref(method)
+          "@_callable.send(:#{method})"
+        end
+      end.new
+    end
+
+    def permit_some(user, actions, vars = {})
+      actions.each                  { |act| assert_permitted(user, act, vars) }
+      (@all_actions - actions).each { |act| assert_forbidden(user, act, vars) }
+    end
+
+    def assert_permitted *args
+      assert @tester.check_allowance *args
+    end
+
+    def assert_forbidden *args
+      refute @tester.check_allowance *args
+    end
+
+    def assert_all_forbidden
+      assert_forbidden nil
+      assert_user_types_forbidden
+    end
+
+    def assert_all_permitted
+      assert_permitted nil
+      assert_user_types_permitted
+    end
+
+    def assert_user_types_forbidden
+      assert @user = User.create
+      assert_forbidden @user
+      assert_admins_forbidden
+    end
+
+    def assert_admins_forbidden
+      assert @user = User.first_or_create
+
+      assert @user.has_role! :admin
+      assert_forbidden @user
+
+      assert @user.has_role! :admin, Foo
+      assert_forbidden @user
+
+      assert @user.has_role! :admin, Foo.first_or_create
+      assert_forbidden @user
+    end
+
+    def assert_user_types_permitted
+      assert @user = User.first_or_create
+      assert_permitted @user
+      assert_admins_permitted
+    end
+
+    def assert_admins_permitted
+      assert @user = User.first_or_create
+
+      assert @user.has_role! :admin
+      assert_permitted @user
+
+      assert @user.has_role! :admin, Foo
+      assert_permitted @user
+
+      assert @user.has_role! :admin, Foo.first_or_create
+      assert_permitted @user
+    end
+  end
+end

data/test/controller_extensions/basics_test.rb

@@ -0,0 +1,44 @@
+require_relative 'base'
+
+module ControllerExtensions
+  class BasicsTest < Base
+    test "empty default denies" do
+      @tester.acl_block! { }
+      assert_equal :deny, @tester.default_action
+      assert_all_forbidden
+    end
+
+    test "deny default denies" do
+      @tester.acl_block! { default :deny }
+      assert_equal :deny, @tester.default_action
+      assert_all_forbidden
+    end
+
+    test "allow default allows" do
+      @tester.acl_block! { default :allow }
+      assert_equal :allow, @tester.default_action
+      assert_all_permitted
+    end
+
+    test "error with bad args" do
+      assert_raise ArgumentError do
+        @tester.acl_block! { default 123 }
+      end
+
+      assert_raise ArgumentError do
+        @tester.acl_block! do
+          default :deny
+          default :deny
+        end
+      end
+
+      assert_raise ArgumentError do
+        @tester.acl_block! { allow }
+      end
+
+      assert_raise ArgumentError do
+        @tester.acl_block! { deny }
+      end
+    end
+  end
+end

data/test/controller_extensions/conditions_test.rb

@@ -0,0 +1,48 @@
+require_relative 'base'
+
+module ControllerExtensions
+  class ConditionsTest < Base
+    [:if, :unless].each do |cond|
+      test "should raise ArgumentError when #{cond} is not a Symbol" do
+         assert_raise ArgumentError do
+          @tester.acl_block! { allow nil, cond => 123 }
+        end
+      end
+    end
+
+    test "allow ... :if" do
+      @tester.acl_block! do
+        allow nil, :if => :meth
+      end
+      assert_permitted nil, :call => OpenStruct.new(:meth => true)
+      assert_forbidden nil, :call => OpenStruct.new(:meth => false)
+    end
+
+    test "allow ... :unless" do
+      @tester.acl_block! do
+        allow nil, :unless => :meth
+      end
+      assert_permitted nil, :call => OpenStruct.new(:meth => false)
+      assert_forbidden nil, :call => OpenStruct.new(:meth => true)
+    end
+
+    test "deny ... :if" do
+      @tester.acl_block! do
+        default :allow
+        deny nil, :if => :meth
+      end
+      assert_permitted nil, :call => OpenStruct.new(:meth => false)
+      assert_forbidden nil, :call => OpenStruct.new(:meth => true)
+    end
+
+    test "deny ... :unless" do
+      @tester.acl_block! do
+        default :allow
+        deny nil, :unless => :meth
+      end
+      assert_permitted nil, :call => OpenStruct.new(:meth => true)
+      assert_forbidden nil, :call => OpenStruct.new(:meth => false)
+    end
+
+  end
+end