acl9 0.12.0 → 2.1.2

data/test/controller_extensions/multi_match_test.rb

@@ -0,0 +1,142 @@
+require_relative 'base'
+
+module ControllerExtensions
+  class MultiMatchTest < Base
+    test "default when nothing else matches" do
+      @tester.acl_block! do
+        default :allow
+        allow :blah
+        deny :bzz
+      end
+
+      assert_equal :allow, @tester.default_action
+      assert_all_permitted
+    end
+
+    test "should deny when deny is matched, but allow is not" do
+      @tester.acl_block! do
+        default :allow
+        deny all
+        allow :blah
+      end
+      
+      assert_all_forbidden
+    end
+
+    test "allow allowed and deny denied and default for unmatched" do
+      assert ( cool_user = User.create ).has_role! :cool
+      assert ( jerk_user = User.create ).has_role! :jerk
+
+      @tester.acl_block! do
+        default :allow
+        deny :jerk
+        allow :cool
+      end
+      
+      assert_forbidden jerk_user
+      assert_permitted cool_user
+      assert_all_permitted
+    end
+
+    test "allowed by default when both match" do
+      assert ( cool_user = User.create ).has_role! :cool
+      assert ( jerk_user = User.create ).has_role! :jerk
+
+      @tester.acl_block! do
+        default :allow
+        deny :cool
+        allow :cool
+      end
+
+      assert_permitted cool_user
+      assert_permitted jerk_user
+      assert_all_permitted
+    end
+
+    test "allowed by default when both all" do
+      assert ( cool_user = User.create ).has_role! :cool
+      assert ( jerk_user = User.create ).has_role! :jerk
+
+      @tester.acl_block! do
+        default :allow
+        deny all
+        allow all
+      end
+
+      assert_permitted cool_user
+      assert_permitted jerk_user
+      assert_all_permitted
+    end
+
+    test "allow logged_in allows user not anon" do
+      @tester.acl_block! do
+        allow logged_in
+      end
+      
+      assert_forbidden nil
+      assert_user_types_permitted
+    end
+
+    test "deny logged_in denies user not anon" do
+      @tester.acl_block! do
+        default :allow
+        deny logged_in
+      end
+      
+      assert_permitted nil
+      assert_user_types_forbidden
+    end
+
+    test "denies unmatched when default deny" do
+      @tester.acl_block! do
+        default :deny
+        allow :blah
+        deny :bzz
+      end
+      
+      assert_all_forbidden
+    end
+
+    test "deny all when allow unmatched" do
+      @tester.acl_block! do
+        default :allow
+        deny all
+        allow :blah
+      end
+
+      assert_all_forbidden
+    end
+
+    test "allow when allow matches and deny doesn't" do
+      @tester.acl_block! do
+        default :deny
+        deny nil
+        allow :admin
+      end
+
+      assert_admins_permitted
+    end
+
+    test "denied by default when both match" do
+      assert ( user = User.create ).has_role! :cool
+
+      @tester.acl_block! do
+        default :deny
+        deny :cool
+        allow :cool
+      end
+      
+      assert_forbidden user
+    end
+
+    test "denied by default when both all" do
+      @tester.acl_block! do
+        default :deny
+        deny all
+        allow all
+      end
+
+      assert_all_forbidden
+    end
+  end
+end

data/test/controller_extensions/multiple_role_arguments_test.rb

@@ -0,0 +1,135 @@
+require_relative 'base'
+
+module ControllerExtensions
+  class MultipleRoleArgumentsTest < Base
+    test "#allow should be able to receive a role list (global roles)" do
+      assert ( bzz = User.create ).has_role! :bzz
+      assert ( whoa = User.create ).has_role! :whoa
+
+      @tester.acl_block! do
+        allow :bzz, :whoa
+      end
+      assert_permitted bzz
+      assert_permitted whoa
+      assert_forbidden nil
+      assert_forbidden User.create
+    end
+
+    test "#allow should be able to receive a role list (object roles)" do
+      assert foo = Foo.create
+      assert foo_too = Foo.create
+
+      assert ( maker = User.create ).has_role! :maker, foo
+      assert ( faker = User.create ).has_role! :faker, foo_too
+
+      @tester.acl_block! do
+        allow :maker, :faker, :of => :foo
+      end
+
+      assert_permitted maker, :foo => foo
+      assert_forbidden maker, :foo => foo_too
+      assert_permitted faker, :foo => foo_too
+      assert_forbidden faker, :foo => foo
+
+      assert other = User.create
+      assert_forbidden other, :foo => foo
+      assert_forbidden other, :foo => foo_too
+      assert_forbidden nil
+    end
+
+    test "#allow should be able to receive a role list (class roles)" do
+      assert ( frooble = User.create ).has_role! :frooble, Foo
+      assert ( oombigle = User.create ).has_role! :oombigle, Foo
+      assert ( lame_frooble = User.create ).has_role! :frooble
+
+      @tester.acl_block! do
+        allow :frooble, :oombigle, :by => Foo
+      end
+      assert_permitted frooble
+      assert_permitted oombigle
+      assert_forbidden lame_frooble
+      assert_forbidden nil
+    end
+
+    test "#deny should be able to receive a role list (global roles)" do
+      assert ( bzz = User.create ).has_role! :bzz
+      assert ( whoa = User.create ).has_role! :whoa
+
+      @tester.acl_block! do
+        default :allow
+        deny :bzz, :whoa
+      end
+      
+      assert_forbidden bzz
+      assert_forbidden whoa
+      assert_permitted nil
+      assert_permitted User.create
+    end
+
+    test "#deny should be able to receive a role list (object roles)" do
+      assert foo = Foo.create
+      assert foo_too = Foo.create
+
+      assert ( maker = User.create ).has_role! :maker, foo
+      assert ( faker = User.create ).has_role! :faker, foo_too
+
+      @tester.acl_block! do
+        default :allow
+        deny :maker, :faker, :of => :foo
+      end
+
+      assert_forbidden maker, :foo => foo
+      assert_permitted maker, :foo => foo_too
+      assert_forbidden faker, :foo => foo_too
+      assert_permitted faker, :foo => foo
+
+      assert other = User.create
+      assert_permitted other, :foo => foo
+      assert_permitted other, :foo => foo_too
+      assert_permitted nil
+    end
+
+    test "#deny should be able to receive a role list (class roles)" do
+      assert ( frooble = User.create ).has_role! :frooble, Foo
+      assert ( oombigle = User.create ).has_role! :oombigle, Foo
+      assert ( lame_frooble = User.create ).has_role! :frooble
+
+      @tester.acl_block! do
+        default :allow
+        deny :frooble, :oombigle, :by => Foo
+      end
+
+      assert_forbidden frooble
+      assert_forbidden oombigle
+      assert_permitted lame_frooble
+      assert_permitted nil
+    end
+
+    test "should also respect :to and :except" do
+      assert foo = Foo.create
+
+      assert ( foo = User.create ).has_role! :foo
+      assert ( joo = User.create ).has_role! :joo, foo
+      assert ( qoo = User.create ).has_role! :qoo, Bar
+
+      @tester.acl_block! do
+        allow :foo, :boo,              :to => [:index, :show]
+        allow :zoo, :joo, :by => :foo, :to => [:edit, :update]
+        allow :qoo, :woo, :of => Bar
+        deny  :qoo, :woo, :of => Bar,  :except => [:delete, :destroy]
+      end
+
+      assert_permitted foo, 'index'
+      assert_permitted foo, 'show'
+      assert_forbidden foo, 'edit'
+      assert_permitted joo, 'edit', :foo => foo
+      assert_permitted joo, 'update', :foo => foo
+      assert_forbidden joo, 'show', :foo => foo
+      assert_forbidden joo, 'show'
+      assert_permitted qoo, 'delete'
+      assert_permitted qoo, 'destroy'
+      assert_forbidden qoo, 'edit'
+      assert_forbidden qoo, 'show'
+    end
+  end
+end

data/test/controller_extensions/prepositions_test.rb

@@ -0,0 +1,108 @@
+require_relative 'base'
+
+module ControllerExtensions
+  class PrepositionsTest < Base
+
+    %i[of for in on at by].each do |prep|
+      test "allow :#{prep} => :foo checks @foo" do
+        assert @foo = Foo.first_or_create
+        assert ( user = User.create ).has_role! :manager, @foo
+
+        @tester.acl_block! do
+          allow :manager, prep => :foo
+        end
+
+        assert other_foo = Foo.create
+
+        assert_permitted user, :foo => @foo
+        assert_forbidden user, :foo => other_foo
+        assert_forbidden user, :foo => Foo
+        assert_forbidden nil, :foo => @foo
+        assert_forbidden User.create, :foo => @foo
+      end
+
+      test "invalid allow :#{prep} arg raises ArgumentError" do
+        assert_raise ArgumentError do
+          @tester.acl_block! { allow :hom, :by => 1 }
+        end
+      end
+    end
+
+    test "invalid option raises ArgumentError" do
+      assert @foo = Foo.first_or_create
+      assert ( user = User.create).has_role! :manager, of: @foo
+
+      assert_raise ArgumentError do
+        @tester.acl_block! { allow :manager, of: :foo, something_bad: :foo }
+      end
+    end
+
+    test "allow class role allowed" do
+      assert ( user = User.create ).has_role! :owner, Foo
+
+      @tester.acl_block! do
+        allow :owner, :of => Foo
+      end
+
+      assert_permitted user
+      assert_forbidden nil
+      assert_forbidden User.create
+    end
+
+    %i[of for in on at by].each do |prep|
+      test "deny :#{prep} => :foo checks @foo" do
+        assert @foo = Foo.first_or_create
+        assert ( user = User.create ).has_role! :thief, @foo
+
+        @tester.acl_block! do
+          default :allow
+          deny :thief, prep => :foo
+        end
+
+        assert_forbidden user, :foo => @foo
+        assert_permitted user, :foo => Foo.create
+        assert_permitted user, :foo => Foo
+        assert_permitted nil, :foo => @foo
+        assert_permitted User.create, :foo => @foo
+      end
+
+      test "invalid deny :#{prep} arg raises ArgumentError" do
+        assert_raise ArgumentError do
+          @tester.acl_block! { deny :her, :for => "him" }
+        end
+      end
+    end
+
+    test "deny class role denied" do
+      assert ( user = User.create ).has_role! :ignorant, Foo
+
+      @tester.acl_block! do
+        default :allow
+        deny :ignorant, :of => Foo
+      end
+      
+      assert_forbidden user, Foo
+      assert_permitted nil
+      assert_permitted User.create
+    end
+
+    test "> 1 allow prepositions raises ArgumentError" do
+      assert_raise ArgumentError do
+        @tester.acl_block! { allow :some, :by => :one, :for => :another }
+      end
+    end
+
+    test "> 1 deny prepositions raises ArgumentError" do
+      assert_raise ArgumentError do
+        @tester.acl_block! { deny :some, :in => :here, :on => :today }
+      end
+    end
+
+    test "should raise an ArgumentError when both :to and :except are specified" do
+      assert_raise ArgumentError do
+        @tester.acl_block! { allow all, :to => :index, :except => ['show', 'edit'] }
+      end
+    end
+
+  end
+end

data/test/controller_extensions/pseudo_role_test.rb

@@ -0,0 +1,26 @@
+require_relative 'base'
+
+module ControllerExtensions
+  class PseudoRoleTest < Base
+    %i[all everyone everybody anyone].each do |pseudorole|
+      test "allow #{pseudorole} allows all" do
+        @tester.acl_block! do
+          allow send pseudorole
+        end
+
+        assert_equal :deny, @tester.default_action
+        assert_all_permitted
+      end
+
+      test "deny #{pseudorole} denies all" do
+        @tester.acl_block! do
+          default :allow
+          deny send pseudorole
+        end
+
+        assert_equal :allow, @tester.default_action
+        assert_all_forbidden
+      end
+    end
+  end
+end

data/test/controller_extensions/role_test.rb

@@ -0,0 +1,75 @@
+require_relative 'base'
+
+module ControllerExtensions
+  class RoleTest < Base
+    test "allows admin implicit default" do
+      @tester.acl_block! { allow :admin }
+      
+      assert_admins_permitted
+      assert_forbidden nil
+
+      assert ( user = User.create ).has_role! :cool
+      assert_forbidden user
+    end
+
+    test "allow plural admins implicit default" do
+      @tester.acl_block! do
+        allow :admins
+      end
+
+      assert_admins_permitted
+      assert_forbidden nil
+
+      assert ( user = User.create ).has_role! :cool
+      assert_forbidden user
+    end
+
+    test "allow with several roles" do
+      assert ( cool1_user = User.create ).has_role! :cool
+      assert ( cool2_user = User.create ).has_role! :cool
+      assert ( super_user = User.create ).has_role! :super
+
+      @tester.acl_block! do
+        allow :admin
+        allow :cool
+      end
+      
+      assert_admins_permitted
+
+      assert_permitted cool1_user
+      assert_permitted cool2_user
+
+      assert_forbidden nil
+      assert_forbidden super_user
+    end
+
+    test "deny plural admins" do
+      @tester.acl_block! do
+        default :allow
+        deny :admins
+      end
+      
+      assert_permitted nil
+      assert_permitted User.create
+      assert_admins_forbidden
+    end
+
+    test "deny several roles" do
+      assert ( cool1_user = User.create ).has_role! :cool
+      assert ( cool2_user = User.create ).has_role! :cool
+      assert ( super_user = User.create ).has_role! :super
+
+      @tester.acl_block! do
+        default :allow
+        deny :admin
+        deny :cool
+      end
+      
+      assert_permitted nil
+      assert_admins_forbidden
+      assert_forbidden cool1_user
+      assert_forbidden cool2_user
+      assert_permitted super_user
+    end
+  end
+end

data/test/controllers/acl_action_override_test.rb

@@ -0,0 +1,24 @@
+require 'test_helper'
+
+class ACLActionOverrideTest < ActionController::TestCase
+  test "anon can index" do
+    assert get :check_allow, :_action => :index
+    assert_response :ok
+  end
+
+  test "anon can't show" do
+    assert get :check_allow, :_action => :show
+    assert_response :unauthorized
+  end
+
+  test "normal user can't edit" do
+    assert get :check_allow_with_foo, :_action => :edit, :user_id => User.create.id
+    assert_response :unauthorized
+  end
+
+  test "foo owner can edit" do
+    assert ( user = User.create ).has_role! :owner, Foo.first_or_create
+    assert get :check_allow_with_foo, :_action => :edit, :user_id => user.id
+    assert_response :ok
+  end
+end

data/test/controllers/acl_arguments_test.rb

@@ -0,0 +1,5 @@
+require 'test_helper'
+
+class ACLArgumentsTest < ActionController::TestCase
+  include BaseTests
+end

data/test/controllers/acl_block_test.rb

@@ -0,0 +1,5 @@
+require 'test_helper'
+
+class ACLBlockTest < ActionController::TestCase
+  include BaseTests
+end

data/test/controllers/acl_boolean_method_test.rb

@@ -0,0 +1,5 @@
+require 'test_helper'
+
+class ACLBooleanMethodTest < ActionController::TestCase
+  include BaseTests
+end

data/test/controllers/acl_helper_method_test.rb

@@ -0,0 +1,26 @@
+require 'test_helper'
+
+class ACLHelperMethodTest < ActionController::TestCase
+  setup do
+    assert @user = User.create
+  end
+
+  test "foo owner allowed" do
+    assert @user.has_role! :owner, Foo.first_or_create
+
+    assert get :allow, :user_id => @user.id
+    assert_select 'div', 'OK'
+  end
+
+  test "another user denied" do
+    assert @user.has_role! :owner
+
+    assert get :allow, :user_id => @user.id
+    assert_select 'div', 'OK'
+  end
+
+  test "anon denied" do
+    assert get :allow
+    assert_select 'div', 'AccessDenied'
+  end
+end

data/test/controllers/acl_ivars_test.rb

@@ -0,0 +1,15 @@
+require 'test_helper'
+
+class ACLIvarsTest < ActionController::TestCase
+  test "owner of foo destroys" do
+    assert ( user = User.create ).has_role! :owner, Bar
+    assert delete :destroy, :id => 1, :user_id => user.id
+    assert_response :ok
+  end
+
+  test "bartender at Foo destroys" do
+    assert ( user = User.create ).has_role! :bartender, Foo
+    assert delete :destroy, :id => 1, :user_id => user.id
+    assert_response :ok
+  end
+end

data/test/controllers/acl_method2_test.rb

@@ -0,0 +1,6 @@
+require 'test_helper'
+
+class ACLMethod2Test < ActionController::TestCase
+  include BaseTests
+  include ShouldRespondToAcl
+end

data/test/controllers/acl_method_test.rb

@@ -0,0 +1,6 @@
+require 'test_helper'
+
+class ACLMethodTest < ActionController::TestCase
+  include BaseTests
+  include ShouldRespondToAcl
+end

data/test/controllers/acl_object_hash_test.rb

@@ -0,0 +1,18 @@
+require 'test_helper'
+
+class ACLObjectsHashTest < ActionController::TestCase
+  setup do
+    assert @user = User.create
+    assert @user.has_role! :owner, Foo.first_or_create
+  end
+
+  test "objects hash preferred to @ivar" do
+    assert get :allow, :user_id => @user.id
+    assert_response :ok
+  end
+
+  test "unauthed for no user" do
+    assert get :allow
+    assert_response :unauthorized
+  end
+end

data/test/controllers/acl_query_method_named_test.rb

@@ -0,0 +1,9 @@
+require_relative 'acl_query_mixin'
+
+class ACLQueryMethodNamedTest < ActionController::TestCase
+  test "should respond to :allow_ay" do
+    assert @controller.respond_to? :allow_ay
+  end
+
+  include ACLQueryMixin
+end

data/test/controllers/acl_query_method_test.rb

@@ -0,0 +1,9 @@
+require_relative 'acl_query_mixin'
+
+class ACLQueryMethodTest < ActionController::TestCase
+  test "should respond to :acl?" do
+    assert @controller.respond_to? :acl?
+  end
+
+  include ACLQueryMixin
+end

data/test/controllers/acl_query_method_with_lambda_test.rb

@@ -0,0 +1,9 @@
+require_relative 'acl_query_mixin'
+
+class ACLQueryMethodWithLambdaTest < ActionController::TestCase
+  test "should respond to :acl?" do
+    assert @controller.respond_to? :acl?
+  end
+
+  include ACLQueryMixin
+end

data/test/controllers/acl_query_mixin.rb

@@ -0,0 +1,51 @@
+require 'test_helper'
+
+module ACLQueryMixin
+  def self.included base
+    base.class_eval do
+      setup do
+        assert ( @editor = User.create ).has_role! :editor
+        assert ( @viewer = User.create ).has_role! :viewer
+        assert ( @owneroffoo = User.create ).has_role! :owner, Foo.first_or_create
+      end
+
+      %i[edit update destroy].each do |meth|
+        test "should return true for editor/#{meth}" do
+          assert @controller.current_user = @editor
+          assert @controller.acl? meth
+          assert @controller.acl? meth.to_s
+        end
+
+        test "should return false for viewer/#{meth}" do
+          assert @controller.current_user = @viewer
+          refute @controller.acl? meth
+          refute @controller.acl? meth.to_s
+        end
+      end
+
+      %i[index show].each do |meth|
+        test "should return false for editor/#{meth}" do
+          assert @controller.current_user = @editor
+          refute @controller.acl? meth
+          refute @controller.acl? meth.to_s
+        end
+
+        test "should return true for viewer/#{meth}" do
+          assert @controller.current_user = @viewer
+          assert @controller.acl? meth
+          assert @controller.acl? meth.to_s
+        end
+      end
+
+      test "should return false for editor/fooize" do
+        assert @controller.current_user = @editor
+        refute @controller.acl? :fooize
+      end
+
+      test "should return true for foo owner" do
+        assert @controller.current_user = @owneroffoo
+        assert @controller.acl? :fooize, :foo => Foo.first
+      end
+    end
+  end
+end