acl9 0.12.3 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9cf5698a2cdcb08b487fcf12489cd1c81ad11632
-  data.tar.gz: 6bc6c991ab649844d121a7d6cb44c1cbfe2cbed9
+  metadata.gz: d257d3fbf2e9facce72082825fae4bf4ab77245c
+  data.tar.gz: bb2d0e3c004d4c426f55893adf342abaa28f822c
 SHA512:
-  metadata.gz: 6de6962b498a7a45b816adf1af36d899e353394995d448aea35fc66de34f12fd5f5bf94c259ed7a8a8154b727b46eca552b91e3db3f5b48f4e8dbcd297ade3f7
-  data.tar.gz: 4519cbc997338a70ab3d1c1083ef9ae1f2fa7496883c4b7e5af9621d2d126c6a286f3d22d7a01f193fd9ef96a36d1cd5fdffe67c25f076b0d06b3df438f68c46
+  metadata.gz: 67dbfd73321644d1a4758100ca477233f4c07eee3f0e3c0effc02be909c166d62f2a763e8b68e12d04e9c1d64b9bbe93b1d588960a45a3fad0e5667395ac72c3
+  data.tar.gz: 165cf932d81dd5fbf2d37499f6a43429a118285d0fd3e91db72f253ec603279cf35f92764a944f2816f88265258e2db86d459db7e0ed1137e32d7845a54ae92a

data/.gitignore

@@ -1,7 +1,21 @@
-*.sqlite3
-*.html
-pkg
-*.sw?
-*.log
-.yardoc
-doc
+# See https://help.github.com/articles/ignoring-files for more about ignoring files.
+#
+# If you find yourself ignoring temporary files generated by your text editor
+# or operating system, you probably want to add a global ignore instead:
+#   git config --global core.excludesfile '~/.gitignore_global'
+
+# Ignore bundler config.
+/.bundle
+
+# Ignore the default SQLite database.
+/db/*.sqlite3
+/db/*.sqlite3-journal
+
+# Ignore all logfiles and tempfiles.
+**/log/*.log
+**/tmp
+
+/gemfiles/*.lock
+
+/doc
+/.yardoc

data/.travis.yml

@@ -0,0 +1,19 @@
+cache: bundler
+language: ruby
+rvm:
+  - 2.0.0
+  - 2.1.2
+  - ruby-head
+
+gemfile:
+  - gemfiles/rails_4.0.gemfile
+  - gemfiles/rails_4.1.gemfile
+
+matrix:
+  fast_finish: true
+  allow_failures:
+    - rvm: ruby-head
+
+addons:
+  code_climate:
+    repo_token: 6701faf591ff926cd9b3ea7f07c5e72984d2b1e26b33caba26114a6bfe859a11

data/Appraisals

@@ -0,0 +1,8 @@
+appraise "rails-4.0" do
+  gem "rails", "~> 4.0.0"
+end
+
+appraise "rails-4.1" do
+  gem "rails", "~> 4.1.0"
+end
+

data/CONTRIBUTING.md

@@ -0,0 +1,58 @@
+# Contributing
+
+Hi, I'm Jason, my online nickname is "smathy" which I use on IRC, twitter,
+StackOverflow, here on github, and a few other places on the internet.
+
+Oleg is the creator of acl9, but other commitments have meant that he's had
+very little time to maintain this project and so I've basically taken over as
+the primary maintainer.
+
+I like to start by introducing myself so that you know that I'm just a human
+being, a normal guy, and that if you have something you want to contribute to
+acl9 then I'm more than happy to hear from you.
+
+There really aren't any hard and fast rules here for contributing. Feel free to
+raise issues, you can even just ask questions in an issue if you'd like,
+although IRC or StackOverflow is probably a much better forum for that. You can
+ping me on twitter, or even email me at jk@handle.it
+
+Also see the README for information on getting in contact with the rest of the
+community.
+
+## Dev Stuff
+
+If you're going to contribute code then just fork our repo, write your thing,
+and submit a pull request.
+
+### Setup
+
+You should be able to just fork the repo and run `bundle && rake` to see the
+tests running.
+
+We use [Appraisal](//github.com/thoughtbot/appraisal) to test against multiple versions of
+Rails, so you can read up on that and use it to test against all the Rails
+versions we support or against a specific one.
+
+### How to
+
+If you're fixing a bug then please arrange your pull request in two commits, the
+first one will be a test that demonstrates the bug, that test will be failing
+when you create it. The second commit will be the code change that fixes the
+bug.
+
+Don't let this be a blocker for you, I'm not saying you have to do TDD. I don't
+care whether you actually write the test first, or the code first, I just care
+about the order of the commits. Those with experience in reviewing PRs will know
+why. I can grab your PR, roll it back to `HEAD^` and run the test, seeing it
+fail and confirming that your test works, then roll it back to the head of your
+branch and see your code fixing the test. It makes it very easy to review a PR.
+
+You _can_ submit a bugfix without a test, although those take **MUCH** longer to
+review because it's often hard to work out what problem you're solving.
+
+Also, it's up to you whether you want to create an issue in github first. I'd
+recommend that you do because it gives a good place to discuss the details of
+the issue.
+
+Also, feel free to submit ideas as PRs, just make sure you put it clearly in the
+text that this is not ready for merge yet.

data/Gemfile

@@ -2,3 +2,5 @@ source "http://rubygems.org"
 
 # Specify your gem's dependencies in csvision.gemspec
 gemspec
+
+gem 'appraisal'

data/Gemfile.lock

@@ -1,47 +1,103 @@
 PATH
   remote: .
   specs:
-    acl9 (0.12.0)
-      rails (= 2.3.12)
+    acl9 (1.0.0)
+      rails (~> 4.0)
 
 GEM
   remote: http://rubygems.org/
   specs:
-    actionmailer (2.3.12)
-      actionpack (= 2.3.12)
-    actionpack (2.3.12)
-      activesupport (= 2.3.12)
-      rack (~> 1.1.0)
-    activerecord (2.3.12)
-      activesupport (= 2.3.12)
-    activeresource (2.3.12)
-      activesupport (= 2.3.12)
-    activesupport (2.3.12)
-    ansi (1.3.0)
-    be9-context (0.5.5)
-    jnunemaker-matchy (0.4.0)
-    rack (1.1.3)
-    rails (2.3.12)
-      actionmailer (= 2.3.12)
-      actionpack (= 2.3.12)
-      activerecord (= 2.3.12)
-      activeresource (= 2.3.12)
-      activesupport (= 2.3.12)
-      rake (>= 0.8.3)
-    rake (0.9.2.2)
-    sqlite3 (1.3.5)
-    turn (0.8.3)
-      ansi
-    yard (0.7.5)
+    actionmailer (4.1.7)
+      actionpack (= 4.1.7)
+      actionview (= 4.1.7)
+      mail (~> 2.5, >= 2.5.4)
+    actionpack (4.1.7)
+      actionview (= 4.1.7)
+      activesupport (= 4.1.7)
+      rack (~> 1.5.2)
+      rack-test (~> 0.6.2)
+    actionview (4.1.7)
+      activesupport (= 4.1.7)
+      builder (~> 3.1)
+      erubis (~> 2.7.0)
+    activemodel (4.1.7)
+      activesupport (= 4.1.7)
+      builder (~> 3.1)
+    activerecord (4.1.7)
+      activemodel (= 4.1.7)
+      activesupport (= 4.1.7)
+      arel (~> 5.0.0)
+    activesupport (4.1.7)
+      i18n (~> 0.6, >= 0.6.9)
+      json (~> 1.7, >= 1.7.7)
+      minitest (~> 5.1)
+      thread_safe (~> 0.1)
+      tzinfo (~> 1.1)
+    appraisal (1.0.2)
+      bundler
+      rake
+      thor (>= 0.14.0)
+    arel (5.0.1.20140414130214)
+    builder (3.2.2)
+    codeclimate-test-reporter (0.4.1)
+      simplecov (>= 0.7.1, < 1.0.0)
+    docile (1.1.5)
+    erubis (2.7.0)
+    hike (1.2.3)
+    i18n (0.6.11)
+    json (1.8.1)
+    mail (2.6.3)
+      mime-types (>= 1.16, < 3)
+    mime-types (2.4.3)
+    minitest (5.4.3)
+    multi_json (1.10.1)
+    rack (1.5.2)
+    rack-test (0.6.2)
+      rack (>= 1.0)
+    rails (4.1.7)
+      actionmailer (= 4.1.7)
+      actionpack (= 4.1.7)
+      actionview (= 4.1.7)
+      activemodel (= 4.1.7)
+      activerecord (= 4.1.7)
+      activesupport (= 4.1.7)
+      bundler (>= 1.3.0, < 2.0)
+      railties (= 4.1.7)
+      sprockets-rails (~> 2.0)
+    railties (4.1.7)
+      actionpack (= 4.1.7)
+      activesupport (= 4.1.7)
+      rake (>= 0.8.7)
+      thor (>= 0.18.1, < 2.0)
+    rake (10.3.2)
+    simplecov (0.9.1)
+      docile (~> 1.1.0)
+      multi_json (~> 1.0)
+      simplecov-html (~> 0.8.0)
+    simplecov-html (0.8.0)
+    sprockets (2.12.3)
+      hike (~> 1.2)
+      multi_json (~> 1.0)
+      rack (~> 1.0)
+      tilt (~> 1.1, != 1.3.0)
+    sprockets-rails (2.2.0)
+      actionpack (>= 3.0)
+      activesupport (>= 3.0)
+      sprockets (>= 2.8, < 4.0)
+    sqlite3 (1.3.10)
+    thor (0.19.1)
+    thread_safe (0.3.4)
+    tilt (1.4.1)
+    tzinfo (1.2.2)
+      thread_safe (~> 0.1)
+    yard (0.8.7.6)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
   acl9!
-  be9-context (>= 0.5.5)
-  jnunemaker-matchy (>= 0.4.0)
-  rake
+  appraisal
+  codeclimate-test-reporter
   sqlite3
-  turn
   yard

data/LICENSE

@@ -0,0 +1,9 @@
+MIT License
+
+Copyright (c) 2014 Oleg Dashevskii
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,156 @@
+# acl9
+
+[![Travis-CI](https://travis-ci.org/be9/acl9.svg?branch=master)](https://travis-ci.org/be9/acl9) [![Code Climate](https://codeclimate.com/github/be9/acl9/badges/gpa.svg)](https://codeclimate.com/github/be9/acl9) [![Test Coverage](https://codeclimate.com/github/be9/acl9/badges/coverage.svg)](https://codeclimate.com/github/be9/acl9)
+
+Acl9 is a role-based authorization system that provides a concise DSL for
+securing your Rails application.
+
+Access control is pointless if you're not sure you've done it right.  The
+fundamental goal of acl9 is to ensure that your rules are easy to understand and
+easy to test - in other words acl9 makes it easy to ensure you've got your
+permissions correct.
+
+## Installation
+
+Acl9 is [Semantically Versioned](http://semver.org/), so just add this to your
+`Gemfile`:
+
+```ruby
+gem 'acl9', '~> 1.0'
+```
+
+We dropped support for Rails < 4 in the 1.x releases, so if you're still using
+Rails 2.x or 3.x then you'll want this:
+
+```ruby
+gem 'acl9', '~> 0.12'
+```
+
+## Getting Started
+
+The simplest way to demonstrate this is with some examples.
+
+### Access Control
+
+You declare the access control directly in your controller, so it's visible and
+obvious for any developer looking at the controller:
+
+```ruby
+class Admin::SchoolsController < ApplicationController
+  access_control do
+    allow :support, School
+    allow :admins, :managers, :teachers, :of => :school
+    deny :teachers, :to => :destroy
+
+    action :index do
+      allow anonymous, logged_in
+    end
+
+    allow logged_in, :to => :show
+    deny :students
+  end
+
+  def index
+    # ...
+  end
+
+  # ...
+end
+```
+
+You can see more about all this stuff in the wiki under [Access Control
+Subsystem](//github.com/be9/acl9/wiki/Access-Control-Subsystem)
+
+### Roles
+
+The other side of acl9 is where you give and remove roles to and from a user. As
+you're looking through these examples refer back to the [Access
+Control](#access-control) example and you should be able to see which access
+control rule each role corresponds to.
+
+Let's say we want to create an admin of a given school, not a global admin, just
+the admin for a particular school:
+
+```ruby
+user.has_role! :admin, school
+```
+
+Then let's say we have some support people in our organization who are dedicated
+to supporting all the schools. We could do two things, either we could come up
+with a new role name like `:school_support` or we can use the fact that we can
+assign roles to any object, including a class, and do this:
+
+```ruby
+user.has_role! :support, School
+```
+
+You can see the `allow` line in our `access_control` block that this corresponds
+with. If we had used `:school_support` instead then that line would have to be:
+`allow :school_support`
+
+Now, when a support person leaves that team, we need to remove that role:
+
+```ruby
+user.has_no_role! :support, School
+```
+
+You can see more about all this stuff in the wiki under [Role
+Subsystem](//github.com/be9/acl9/wiki/Role-Subsystem)
+
+## Upgrade Notes
+
+Please, PLEASE, **PLEASE** note. If you're upgrading from the `0.x` series of acl9
+then there's an important change in one of the defaults for `1.x`. We flipped
+the default value of `:protect_global_roles` from `false` to `true`.
+
+Say you had a role on an object:
+
+```ruby
+user.has_role! :manager, department
+```
+
+We all know that this means:
+
+```ruby
+user.has_role? :manager, department    # => true
+```
+
+With `:protect_global_roles` set to `false`, as it was in `0.x` then the above
+role would mean that the global `:manager` role would also be `true`.
+
+Ie. this is how `0.x` behaved:
+
+```ruby
+user.has_role? :manager      # => true
+```
+
+Now in `1.x` we default `:protect_global_roles` to `true` which means that the
+global `:manager` role is protected, ie:
+
+```ruby
+user.has_role? :manager      # => false
+```
+
+In words, in 1.x just because you're the `:manager` of a `department` that
+doesn't make you a global `:manager` (anymore).
+
+## Community
+
+**IRC:** Please drop in for a chat on #acl9 on Freenode, [use
+this](http://webchat.freenode.net/) if you have no other option.
+
+**docs:** Rdocs are available [here](http://rdoc.info/projects/be9/acl9).
+
+**StackOverflow:** Go ask (or answer) a question [on
+StackOverflow](http://stackoverflow.com/questions/tagged/acl9)
+
+**Mailing list:** We have an old skule mailing list as well [acl9-discuss
+group](http://groups.google.com/group/acl9-discuss)
+
+**Contributing:** Last but not least, check out the [Contributing
+Guide](./CONTRIBUTING.md) if you want to get even more involved
+
+## Acknowledgements
+
+[All these people are awesome!](//github.com/be9/acl9/graphs/contributors) as are all the
+people who have raised or investigated issues.

data/Rakefile

@@ -1,18 +1,21 @@
 #!/usr/bin/env rake
+require 'bundler/setup'
 require 'bundler/gem_tasks'
-require 'rake'
-require 'rake/testtask'
-require 'yard'
 
 desc 'Default: run tests.'
 task :default => :test
 
+require 'rake/testtask'
+
 Rake::TestTask.new(:test) do |test|
   test.libs << 'lib' << 'test'
   test.pattern = 'test/**/*_test.rb'
   test.verbose = false
 end
 
+require 'yard'
+
 YARD::Rake::YardocTask.new do |t|
   t.files   = ['lib/**/*.rb']
 end
+

data/acl9.gemspec

@@ -3,30 +3,27 @@ $:.unshift File.expand_path("../lib", __FILE__)
 require "acl9/version"
 
 Gem::Specification.new do |s|
-  s.authors           = ["oleg dashevskii"]
-  s.email             = ["olegdashevskii@gmail.com"]
-  s.description       = %q{Role-based authorization system for Rails with a nice DSL for access control lists}
-  s.summary           = %q{Yet another role-based authorization system for Rails}
+  s.authors           = ["oleg dashevskii", "Jason King"]
+  s.email             = ["olegdashevskii@gmail.com", "jk@handle.it"]
+  s.description       = "Role-based authorization system for Rails with a concise DSL for securing your Rails application. Acl9 makes it easy to get security right for your app, the access control code sits right in your controller, the syntax is very easy to understand, and acl9 makes it easy to test your access rules."
+  s.summary           = "Role-based authorization system for Rails with a concise DSL for securing your Rails application."
   s.homepage          = "http://github.com/be9/acl9"
 
   s.files             = `git ls-files`.split($\)
-  s.executables       = s.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
-  s.test_files        = s.files.grep(%r{^(test|spec|features)/})
+  s.test_files        = s.files.grep(%r{^test/})
   s.name              = "acl9"
   s.require_paths     = ["lib"]
   s.version           = Acl9::VERSION
+  s.license           = 'MIT'
+
+  s.required_ruby_version = ">= 2"
 
-  s.date              = %q{2010-11-02}
-  s.extra_rdoc_files  = %w/README.textile TODO/
   s.rdoc_options      = ["--charset=UTF-8"]
 
-  s.add_dependency "rails", ">= 2.3.12"
+  s.add_dependency "rails", '~> 4.0'
 
-  s.add_development_dependency "be9-context",       ">= 0.5.5"
-  s.add_development_dependency "jnunemaker-matchy", ">= 0.4.0"
-  s.add_development_dependency "rake"
+  s.add_development_dependency "codeclimate-test-reporter"
   s.add_development_dependency "yard"
   s.add_development_dependency 'sqlite3'
-  s.add_development_dependency 'turn'
 end
 

data/gemfiles/rails_4.0.gemfile

@@ -0,0 +1,8 @@
+# This file was generated by Appraisal
+
+source "http://rubygems.org"
+
+gem "appraisal"
+gem "rails", "~> 4.0.0"
+
+gemspec :path => "../"

data/gemfiles/rails_4.1.gemfile

@@ -0,0 +1,8 @@
+# This file was generated by Appraisal
+
+source "http://rubygems.org"
+
+gem "appraisal"
+gem "rails", "~> 4.1.0"
+
+gemspec :path => "../"

data/lib/acl9/model_extensions/for_subject.rb

@@ -155,7 +155,11 @@ module Acl9
                  ]
                end
 
-        self._auth_role_class.where(cond).first
+        if self._auth_role_class.respond_to?(:where)
+          self._auth_role_class.where(cond).first
+        else
+          self._auth_role_class.find(:first, :conditions => cond)
+        end
       end
 
       def delete_role(role)

data/lib/acl9/model_extensions.rb

@@ -37,7 +37,7 @@ module Acl9
         role = options[:role_class_name] || Acl9::config[:default_role_class_name]
         join_table = options[:join_table_name] || Acl9::config[:default_join_table_name] || self.table_name_prefix + [undecorated_table_name(self.to_s), undecorated_table_name(role)].sort.join("_") + self.table_name_suffix
 
-        has_and_belongs_to_many assoc, :class_name => role, :join_table => join_table
+        has_and_belongs_to_many assoc.to_sym, :class_name => role, :join_table => join_table
 
         cattr_accessor :_auth_role_class_name, :_auth_subject_class_name,
                        :_auth_role_assoc_name
@@ -73,33 +73,12 @@ module Acl9
       def acts_as_authorization_object(options = {})
         subject = options[:subject_class_name] || Acl9::config[:default_subject_class_name]
         subj_table = subject.constantize.table_name
-        subj_col = subject.underscore
 
-        role       = options[:role_class_name] || Acl9::config[:default_role_class_name]
-        role_table = role.constantize.table_name
-
-        join_table = options[:join_table_name]
-        join_table ||= ActiveRecord::Base.send(:join_table_name,
-          role_table, subj_table) if ActiveRecord::Base.private_methods \
-          .include?('join_table_name')
-        join_table ||= Acl9::config[:default_join_table_name]
-        join_table ||= self.table_name_prefix \
-            + [undecorated_table_name(self.to_s),
-            undecorated_table_name(role)].sort.join("_") \
-            + self.table_name_suffix
+        role = options[:role_class_name] || Acl9::config[:default_role_class_name]
 
         has_many :accepted_roles, :as => :authorizable, :class_name => role, :dependent => :destroy
 
-        has_many :"#{subj_table}",
-          :finder_sql => proc { "SELECT DISTINCT #{subj_table}.* " +
-                                "FROM #{subj_table} INNER JOIN #{join_table} ON #{subj_col}_id = #{subj_table}.id " +
-                                "INNER JOIN #{role_table} ON #{role_table}.id = #{role.underscore}_id " +
-                                "WHERE authorizable_type = '#{self.class.base_class.to_s}' AND authorizable_id = #{id} "},
-          :counter_sql => proc { "SELECT COUNT(DISTINCT #{subj_table}.id)" + 
-                                 "FROM #{subj_table} INNER JOIN #{join_table} ON #{subj_col}_id = #{subj_table}.id " +
-                                 "INNER JOIN #{role_table} ON #{role_table}.id = #{role.underscore}_id " +
-                                 "WHERE authorizable_type = '#{self.class.base_class.to_s}' AND authorizable_id = #{id} "},
-          :readonly => true
+        has_many :"#{subj_table}", -> { distinct.readonly }, through: :accepted_roles
 
         include Acl9::ModelExtensions::ForObject
       end

data/lib/acl9/version.rb

@@ -1,3 +1,3 @@
 module Acl9
-  VERSION = "0.12.3"
+  VERSION = "1.0.0"
 end

data/lib/acl9.rb

@@ -9,7 +9,7 @@ module Acl9
     :default_subject_class_name => 'User',
     :default_subject_method     => :current_user,
     :default_association_name   => :role_objects,
-    :protect_global_roles       => false,
+    :protect_global_roles       => true,
   }
 
   mattr_reader :config