acl9 0.12.0 → 2.1.2

data/lib/acl9/controller_extensions/dsl_base.rb

@@ -1,14 +1,16 @@
+require_relative "../prepositions"
+
 module Acl9
   module Dsl
     class Base
+      include Prepositions
+
       attr_reader :allows, :denys
 
       def initialize(*args)
         @default_action = nil
-
         @allows = []
-        @denys = []
-
+        @denys  = []
         @original_args = args
       end
 
@@ -17,21 +19,12 @@ module Acl9
       end
 
       def default_action
-        if @default_action.nil? then :deny else @default_action end
+        @default_action.nil? ? :deny : @default_action
       end
 
       def allowance_expression
-        allowed_expr = if @allows.size > 0
-                         @allows.map { |clause| "(#{clause})" }.join(' || ')
-                       else
-                         "false"
-                       end
-
-        not_denied_expr = if @denys.size > 0
-                            @denys.map { |clause| "!(#{clause})" }.join(' && ')
-                          else
-                            "true"
-                          end
+        allowed_expr    = @allows.any?  ? @allows.map { |clause| "(#{clause})" }.join(' || ') : 'false'
+        not_denied_expr = @denys.any?   ? @denys.map { |clause| "!(#{clause})" }.join(' && ') : 'true'
 
         [allowed_expr, not_denied_expr].
           map { |expr| "(#{expr})" }.
@@ -76,18 +69,14 @@ module Acl9
             raise ArgumentError, "You cannot use default inside an actions block"
           end
 
-          def _set_action_clause(to, except)
-            raise ArgumentError, "You cannot use :to/:except inside actions block" if to || except
+          def _set_action_clause(only, except)
+            raise ArgumentError, "You cannot use :only (:to) or :except inside actions block" if only || except
           end
         end
 
         subsidiary.acl_block!(&block)
-
         action_check = _action_check_expression(args)
-
-        squash = lambda do |rules|
-          _either_of(rules) + ' && ' + action_check
-        end
+        squash = lambda { |rules| action_check + ' && ' + _either_of(rules) }
 
         @allows << squash.call(subsidiary.allows) if subsidiary.allows.size > 0
         @denys  << squash.call(subsidiary.denys)  if subsidiary.denys.size > 0
@@ -103,20 +92,31 @@ module Acl9
       alias everybody all
       alias anyone all
 
+      def _permitted_allow_deny_option!(key)
+        raise ArgumentError, "#{key} is not a valid option" unless [:to, :only, :except, :if, :unless, *VALID_PREPOSITIONS].include?(key.to_sym)
+      end
+
+      def _retrieve_only options
+        only = [ options.delete(:only) ].flatten.compact
+        only |= [ options.delete(:to) ].flatten.compact
+        only if only.present?
+      end
+
       def _parse_and_add_rule(*args)
         options = args.extract_options!
+        options.keys.each { |key| _permitted_allow_deny_option!(key) }
 
-        _set_action_clause(options.delete(:to), options.delete(:except))
+        _set_action_clause( _retrieve_only(options), options.delete(:except))
 
         object = _role_object(options)
 
         role_checks = args.map do |who|
           case who
-          when anonymous() then "#{_subject_ref}.nil?"
-          when logged_in() then "!#{_subject_ref}.nil?"
-          when all()       then "true"
+          when anonymous then "#{_subject_ref}.nil?"
+          when logged_in then "!#{_subject_ref}.nil?"
+          when all       then "true"
           else
-            "!#{_subject_ref}.nil? && #{_subject_ref}.has_role?('#{who.to_s.singularize}', #{object})"
+            "!#{_subject_ref}.nil? && #{_subject_ref}.has_role?('#{who}', #{object})"
           end
         end
 
@@ -153,21 +153,15 @@ module Acl9
         (@current_rule == :allow ? @allows : @denys) << anded.join(' && ')
       end
 
-      def _set_action_clause(to, except)
-        raise ArgumentError, "both :to and :except cannot be specified in the rule" if to && except
-
-        @action_clause = nil
+      def _set_action_clause(only, except)
+        raise ArgumentError, "both :only (:to) and :except cannot be specified in the rule" if only && except
 
-        action_list = to || except
+        @action_clause  = nil
+        action_list     = only || except
         return unless action_list
 
         expr = _action_check_expression(action_list)
-
-        @action_clause = if to
-                           "#{expr}"
-                         else
-                           "!#{expr}"
-                         end
+        @action_clause = only ? "#{expr}" : "!#{expr}"
       end
 
       def _action_check_expression(action_list)
@@ -185,26 +179,13 @@ module Acl9
         end
       end
 
-      VALID_PREPOSITIONS = %w(of for in on at by).freeze unless defined? VALID_PREPOSITIONS
-
       def _role_object(options)
-        object = nil
-
-        VALID_PREPOSITIONS.each do |prep|
-          if options[prep.to_sym]
-            raise ArgumentError, "You may only use one preposition to specify object" if object
-
-            object = options[prep.to_sym]
-          end
-        end
+        object = _by_preposition options
 
         case object
-        when Class
-          object.to_s
-        when Symbol
-          _object_ref object
-        when nil
-          "nil"
+        when Class  then object.to_s
+        when Symbol then _object_ref object
+        when nil    then "nil"
         else
           raise ArgumentError, "object specified by preposition can only be a Class or a Symbol"
         end

data/lib/acl9/controller_extensions/generators.rb

@@ -1,4 +1,4 @@
-require File.join(File.dirname(__FILE__), 'dsl_base')
+require_relative "dsl_base"
 
 module Acl9
   ##

data/lib/acl9/controller_extensions.rb

@@ -1,4 +1,4 @@
-require File.join(File.dirname(__FILE__), 'controller_extensions', 'generators')
+require_relative "controller_extensions/generators"
 
 module Acl9
   module ControllerExtensions

data/lib/acl9/helpers.rb

@@ -19,13 +19,13 @@ module Acl9
 
     # Usage:
     #
-    #     <% show_to(:owner, :supervisor, :of => :account) do -%>
+    #     <%=show_to(:owner, :supervisor, :of => :account) do %>
     #       <%= 'hello' %>
-    #     <%- end -%>
+    #     <% end %>
     #
     def show_to(*args, &block)
-      user = eval(Acl9.config[:default_subject_method].to_s)
-      return '' if user.nil?
+      user = send(Acl9.config[:default_subject_method])
+      return if user.nil?
 
       has_any = false
 
@@ -36,7 +36,14 @@ module Acl9
         has_any = args.detect { |role| user.has_role?(role) }
       end
 
-      has_any ? yield(:block) : ''
+      if has_any
+        begin
+          capture( &block )
+        rescue NoMethodError
+          yield( :block )
+        end
+      end
+
     end
   end
 end

data/lib/acl9/model_extensions/for_object.rb

@@ -10,7 +10,10 @@ module Acl9
       # @param [Subject] subject Subject to add role for
       # @see Acl9::ModelExtensions::Subject#has_role?
       def accepts_role?(role_name, subject)
-        subject.has_role? role_name, self
+        if not subject.nil?
+          return subject.has_role? role_name, self
+        end
+        false
       end
 
       ##
@@ -20,7 +23,10 @@ module Acl9
       # @param [Subject] subject Subject to add role for
       # @see Acl9::ModelExtensions::Subject#has_role!
       def accepts_role!(role_name, subject)
-        subject.has_role! role_name, self
+        if not subject.nil?
+          return subject.has_role! role_name, self
+        end
+        false
       end
 
       ##
@@ -30,7 +36,10 @@ module Acl9
       # @param [Subject] subject Subject to remove role from
       # @see Acl9::ModelExtensions::Subject#has_no_role!
       def accepts_no_role!(role_name, subject)
-        subject.has_no_role! role_name, self
+        if not subject.nil?
+          return subject.has_no_role! role_name, self
+        end
+        false
       end
 
       ##
@@ -40,7 +49,10 @@ module Acl9
       # @return [Boolean] Returns true if +subject+ has any roles on this object.
       # @see Acl9::ModelExtensions::Subject#has_roles_for?
       def accepts_roles_by?(subject)
-        subject.has_roles_for? self
+        if not subject.nil?
+          return subject.has_roles_for? self
+        end
+        false
       end
 
       alias :accepts_role_by? :accepts_roles_by?
@@ -52,7 +64,10 @@ module Acl9
       # @param [Subject] subject Subject to query roles
       # @see Acl9::ModelExtensions::Subject#roles_for
       def accepted_roles_by(subject)
-        subject.roles_for self
+        if not subject.nil?
+          return subject.roles_for self
+        end
+        false
       end
     end
   end

data/lib/acl9/model_extensions/for_subject.rb

@@ -1,6 +1,10 @@
+require_relative "../prepositions"
+
 module Acl9
   module ModelExtensions
     module ForSubject
+      include Prepositions
+
       ##
       # Role check.
       #
@@ -17,7 +21,7 @@ module Acl9
       #
       # In this case manager is anyone who "manages" at least one object.
       #
-      # However, if protect_global_roles option set to +true+, you'll need to 
+      # However, if protect_global_roles option set to +true+, you'll need to
       # explicitly grant global role with same name.
       #
       #   Acl9.config[:protect_global_roles] = true
@@ -26,7 +30,7 @@ module Acl9
       #   user.has_role!(:manager)
       #   user.has_role?(:manager)        # => true
       #
-      # protect_global_roles option is +false+ by default as for now, but this 
+      # protect_global_roles option is +false+ by default as for now, but this
       # may change in future!
       #
       # @return [Boolean] Whether +self+ has a role +role_name+ on +object+.
@@ -35,12 +39,15 @@ module Acl9
       #
       # @see Acl9::ModelExtensions::Object#accepts_role?
       def has_role?(role_name, object = nil)
+        role_name = normalize role_name
+        object = _by_preposition object
+
         !! if object.nil? && !::Acl9.config[:protect_global_roles]
-          self.role_objects.find_by_name(role_name.to_s) ||
-          self.role_objects.member?(get_role(role_name, nil))
+          self._role_objects.find_by_name(role_name.to_s) ||
+          self._role_objects.member?(get_role(role_name, nil))
         else
           role = get_role(role_name, object)
-          role && self.role_objects.exists?(role.id)
+          role && self._role_objects.exists?(role.id)
         end
       end
 
@@ -51,6 +58,9 @@ module Acl9
       # @param [Object] object Object to add a role for
       # @see Acl9::ModelExtensions::Object#accepts_role!
       def has_role!(role_name, object = nil)
+        role_name = normalize role_name
+        object = _by_preposition object
+
         role = get_role(role_name, object)
 
         if role.nil?
@@ -63,7 +73,7 @@ module Acl9
           role = self._auth_role_class.create(role_attrs)
         end
 
-        self.role_objects << role if role && !self.role_objects.exists?(role.id)
+        self._role_objects << role if role && !self._role_objects.exists?(role.id)
       end
 
       ##
@@ -73,6 +83,8 @@ module Acl9
       # @param [Object] object Object to remove a role on
       # @see Acl9::ModelExtensions::Object#accepts_no_role!
       def has_no_role!(role_name, object = nil)
+        role_name = normalize role_name
+        object = _by_preposition object
         delete_role(get_role(role_name, object))
       end
 
@@ -83,7 +95,7 @@ module Acl9
       # @return [Boolean] Returns true if +self+ has any roles on +object+.
       # @see Acl9::ModelExtensions::Object#accepts_roles_by?
       def has_roles_for?(object)
-        !!self.role_objects.detect(&role_selecting_lambda(object))
+        !!self._role_objects.detect(&role_selecting_lambda(object))
       end
 
       alias :has_role_for? :has_roles_for?
@@ -100,7 +112,7 @@ module Acl9
       #
       #   user.roles_for(product).map(&:name).sort  #=> role names in alphabetical order
       def roles_for(object)
-        self.role_objects.select(&role_selecting_lambda(object))
+        self._role_objects.select(&role_selecting_lambda(object))
       end
 
       ##
@@ -119,7 +131,7 @@ module Acl9
         #   self.roles.each { |role| delete_role(role) }
         #
         # doesn't work. seems like a bug in ActiveRecord
-        self.role_objects.map(&:id).each do |role_id|
+        self._role_objects.map(&:id).each do |role_id|
           delete_role self._auth_role_class.find(role_id)
         end
       end
@@ -134,13 +146,14 @@ module Acl9
           lambda { |role| role.authorizable.nil? }
         else
           lambda do |role|
-            role.authorizable_type == object.class.base_class.to_s && role.authorizable == object
+            auth_id = role.authorizable_id.kind_of?(String) ? object.id.to_s : object.id
+            role.authorizable_type == object.class.base_class.to_s && role.authorizable_id == auth_id
           end
         end
       end
 
       def get_role(role_name, object)
-        role_name = role_name.to_s
+        role_name = normalize role_name
 
         cond = case object
                when Class
@@ -154,31 +167,45 @@ module Acl9
                  ]
                end
 
-        self._auth_role_class.first :conditions => cond
+        if self._auth_role_class.respond_to?(:where)
+          self._auth_role_class.where(cond).first
+        else
+          self._auth_role_class.find(:first, :conditions => cond)
+        end
       end
 
       def delete_role(role)
         if role
-          self.role_objects.delete role
-
-          role.destroy if role.send(self._auth_subject_class_name.demodulize.tableize).empty?
+          if ret = self._role_objects.delete(role)
+            if role.send(self._auth_subject_class_name.demodulize.tableize).empty?
+              ret &&= role.destroy unless role.respond_to?(:system?) && role.system?
+            end
+          end
+          ret
         end
       end
-      
+
+      def normalize role_name
+        Acl9.config[:normalize_role_names] ? role_name.to_s.underscore.singularize : role_name.to_s
+      end
+
       protected
 
+      def _by_preposition object
+        object.is_a?(Hash) ? super : object
+      end
+
       def _auth_role_class
         self.class._auth_role_class_name.constantize
       end
-      
+
       def _auth_role_assoc
-      	self.class._auth_role_assoc_name
+        self.class._auth_role_assoc_name
       end
 
-      def role_objects
-      	send(self._auth_role_assoc)
+      def _role_objects
+        send(self._auth_role_assoc)
       end
-
     end
   end
 end

data/lib/acl9/model_extensions.rb

@@ -1,5 +1,5 @@
-require File.join(File.dirname(__FILE__), 'model_extensions', 'for_subject')
-require File.join(File.dirname(__FILE__), 'model_extensions', 'for_object')
+require_relative "model_extensions/for_subject"
+require_relative "model_extensions/for_object"
 
 module Acl9
   module ModelExtensions  #:nodoc:
@@ -24,7 +24,7 @@ module Acl9
       #   end
       #
       #   user = User.new
-      #   user.roles             #=> returns Role objects, associated with the user
+      #   user.role_objects      #=> returns Role objects, associated with the user
       #   user.has_role!(...)
       #   user.has_no_role!(...)
       #
@@ -33,12 +33,13 @@ module Acl9
       # @see Acl9::ModelExtensions::Subject
       #
       def acts_as_authorization_subject(options = {})
-      	assoc = options[:association_name] || Acl9::config[:default_association_name]
+        assoc = options[:association_name] || Acl9::config[:default_association_name]
         role = options[:role_class_name] || Acl9::config[:default_role_class_name]
-        join_table = options[:join_table_name] || Acl9::config[:default_join_table_name] ||
-                    join_table_name(undecorated_table_name(self.to_s), undecorated_table_name(role))
+        join_table = options[:join_table_name] || Acl9::config[:default_join_table_name] || self.table_name_prefix + [undecorated_table_name(self.to_s), undecorated_table_name(role)].sort.join("_") + self.table_name_suffix
+
+        has_and_belongs_to_many assoc.to_sym, :class_name => role, :join_table => join_table
 
-        has_and_belongs_to_many assoc, :class_name => role, :join_table => join_table
+        before_destroy :has_no_roles!
 
         cattr_accessor :_auth_role_class_name, :_auth_subject_class_name,
                        :_auth_role_assoc_name
@@ -74,28 +75,22 @@ module Acl9
       def acts_as_authorization_object(options = {})
         subject = options[:subject_class_name] || Acl9::config[:default_subject_class_name]
         subj_table = subject.constantize.table_name
-        subj_col = subject.underscore
 
-        role       = options[:role_class_name] || Acl9::config[:default_role_class_name]
-        role_table = role.constantize.table_name
+        role = options[:role_class_name] || Acl9::config[:default_role_class_name]
 
-        sql_tables = <<-EOS
-          FROM #{subj_table}
-          INNER JOIN #{role_table}_#{subj_table} ON #{subj_col}_id = #{subj_table}.id
-          INNER JOIN #{role_table}               ON #{role_table}.id = #{role.underscore}_id
-        EOS
+        has_many :accepted_roles, :as => :authorizable, :class_name => role, :dependent => :destroy
 
-        sql_where = <<-'EOS'
-          WHERE authorizable_type = '#{self.class.base_class.to_s}'
-          AND authorizable_id = #{column_for_attribute(self.class.primary_key).text? ? "'#{id}'": id}
-        EOS
+        subj_assoc = "assoc_#{subj_table}".to_sym
+        has_many subj_assoc, -> { distinct.readonly }, source: subj_table.to_sym, through: :accepted_roles
 
-        has_many :accepted_roles, :as => :authorizable, :class_name => role, :dependent => :destroy
+        define_method subj_table.to_sym do |role_name=nil|
+          rel = send subj_assoc
 
-        has_many :"#{subj_table}",
-          :finder_sql  => ("SELECT DISTINCT #{subj_table}.*" + sql_tables + sql_where),
-          :counter_sql => ("SELECT COUNT(DISTINCT #{subj_table}.id)" + sql_tables + sql_where),
-          :readonly => true
+          if role_name
+            rel = rel.where role.constantize.table_name.to_sym => { name: role_name }
+          end
+          rel
+        end
 
         include Acl9::ModelExtensions::ForObject
       end
@@ -126,7 +121,9 @@ module Acl9
       def acts_as_authorization_role(options = {})
         subject = options[:subject_class_name] || Acl9::config[:default_subject_class_name]
         join_table = options[:join_table_name] || Acl9::config[:default_join_table_name] ||
-                     join_table_name(undecorated_table_name(self.to_s), undecorated_table_name(subject))
+                    self.table_name_prefix + [undecorated_table_name(self.to_s), undecorated_table_name(subject)].sort.join("_") + self.table_name_suffix
+                    # comment out use deprecated API
+                    #join_table_name(undecorated_table_name(self.to_s), undecorated_table_name(subject))
 
         has_and_belongs_to_many subject.demodulize.tableize.to_sym,
           :class_name => subject,

data/lib/acl9/prepositions.rb

@@ -0,0 +1,18 @@
+module Acl9
+  module Prepositions
+    VALID_PREPOSITIONS = %i(of for in on at by).freeze unless defined? VALID_PREPOSITIONS
+
+    def _by_preposition options
+      object = nil
+
+      VALID_PREPOSITIONS.each do |prep|
+        if options[prep]
+          raise ArgumentError, "You may only use one preposition to specify object" if object
+
+          object = options[prep]
+        end
+      end
+      object
+    end
+  end
+end

data/lib/acl9/version.rb

@@ -0,0 +1,3 @@
+module Acl9
+  VERSION = "2.1.2"
+end

data/lib/acl9.rb

@@ -1,16 +1,42 @@
-require File.join(File.dirname(__FILE__), 'acl9', 'config')
+require 'acl9/version'
+require 'acl9/model_extensions'
+require 'acl9/controller_extensions'
+require 'acl9/helpers'
 
-if defined? ActiveRecord::Base
-  require File.join(File.dirname(__FILE__), 'acl9', 'model_extensions')
+module Acl9
+  CONFIG = {
+    :default_role_class_name    => 'Role',
+    :default_subject_class_name => 'User',
+    :default_subject_method     => :current_user,
+    :default_association_name   => :role_objects,
+    :default_join_table_name    => nil,
+    :protect_global_roles       => true,
+    :normalize_role_names       => true,
+  }.freeze
 
-  ActiveRecord::Base.send(:include, Acl9::ModelExtensions)
-end
+  class Config < Struct.new(*CONFIG.keys )
+    def [] k; send k.to_sym; end
+    def []= k, v; send "#{k}=", v; end
+    def reset!
+      Acl9::CONFIG.each do |k,v|
+        send "#{k}=", v
+      end
+    end
+
+    def merge! h
+      h.each { |k,v| self[k.to_sym] = v }
+    end
+  end
 
+  @@config = Config.new( *CONFIG.values_at(*Config.members))
 
-if defined? ActionController::Base
-  require File.join(File.dirname(__FILE__), 'acl9', 'controller_extensions')
-  require File.join(File.dirname(__FILE__), 'acl9', 'helpers')
+  mattr_reader :config
 
-  ActionController::Base.send(:include, Acl9::ControllerExtensions)
-  Acl9Helpers = Acl9::Helpers unless defined?(Acl9Helpers)
+  def self.configure
+    yield config
+  end
 end
+
+ActiveRecord::Base.send(:include, Acl9::ModelExtensions)
+AbstractController::Base.send :include, Acl9::ControllerExtensions
+Acl9Helpers = Acl9::Helpers unless defined?(Acl9Helpers)

data/lib/generators/acl9/setup/USAGE

@@ -0,0 +1,35 @@
+Description:
+    Installs the basic framework for Acl9. Creates the necessary migration for
+    your new roles table and the join table for associating roles with users.
+
+    The optional arguments are as follows:
+
+        subject:  if you want something other than 'User'
+        role:     if you want something other than 'Role'
+        objects:  space separated list of class names of objects that you can
+                  attach roles to (see the docs)
+
+Examples:
+    `rails g acl9:setup`
+
+        This will create:
+            Migration:      db/migrate/XXX_create_role_tables.rb
+            Role Model:     app/models/role.rb
+            Config:         config/initializers/acl9.rb
+
+        And it will update (or create a skeleton):
+            Subject Model:  app/models/user.rb
+
+    `rails g acl9:setup account permission school classroom department`
+
+        This will create:
+            Migration:      db/migrate/XXX_create_permission_tables.rb
+            Role Model:     app/models/permission.rb
+            Config:         config/initializers/acl9.rb
+
+        And it will update (or create a skeleton):
+            Subject Model:  app/models/account.rb
+            Object Models:  app/models/school.rb
+                            app/models/classroom.rb
+                            app/models/department.rb
+