acl9 0.12.3 → 1.0.0

data/test/controller_extensions/multiple_role_arguments_test.rb

@@ -0,0 +1,135 @@
+require_relative 'base'
+
+module ControllerExtensions
+  class MultipleRoleArgumentsTest < Base
+    test "#allow should be able to receive a role list (global roles)" do
+      assert ( bzz = User.create ).has_role! :bzz
+      assert ( whoa = User.create ).has_role! :whoa
+
+      @tester.acl_block! do
+        allow :bzz, :whoa
+      end
+      assert_permitted bzz
+      assert_permitted whoa
+      assert_forbidden nil
+      assert_forbidden User.create
+    end
+
+    test "#allow should be able to receive a role list (object roles)" do
+      assert foo = Foo.create
+      assert foo_too = Foo.create
+
+      assert ( maker = User.create ).has_role! :maker, foo
+      assert ( faker = User.create ).has_role! :faker, foo_too
+
+      @tester.acl_block! do
+        allow :maker, :faker, :of => :foo
+      end
+
+      assert_permitted maker, :foo => foo
+      assert_forbidden maker, :foo => foo_too
+      assert_permitted faker, :foo => foo_too
+      assert_forbidden faker, :foo => foo
+
+      assert other = User.create
+      assert_forbidden other, :foo => foo
+      assert_forbidden other, :foo => foo_too
+      assert_forbidden nil
+    end
+
+    test "#allow should be able to receive a role list (class roles)" do
+      assert ( frooble = User.create ).has_role! :frooble, Foo
+      assert ( oombigle = User.create ).has_role! :oombigle, Foo
+      assert ( lame_frooble = User.create ).has_role! :frooble
+
+      @tester.acl_block! do
+        allow :frooble, :oombigle, :by => Foo
+      end
+      assert_permitted frooble
+      assert_permitted oombigle
+      assert_forbidden lame_frooble
+      assert_forbidden nil
+    end
+
+    test "#deny should be able to receive a role list (global roles)" do
+      assert ( bzz = User.create ).has_role! :bzz
+      assert ( whoa = User.create ).has_role! :whoa
+
+      @tester.acl_block! do
+        default :allow
+        deny :bzz, :whoa
+      end
+      
+      assert_forbidden bzz
+      assert_forbidden whoa
+      assert_permitted nil
+      assert_permitted User.create
+    end
+
+    test "#deny should be able to receive a role list (object roles)" do
+      assert foo = Foo.create
+      assert foo_too = Foo.create
+
+      assert ( maker = User.create ).has_role! :maker, foo
+      assert ( faker = User.create ).has_role! :faker, foo_too
+
+      @tester.acl_block! do
+        default :allow
+        deny :maker, :faker, :of => :foo
+      end
+
+      assert_forbidden maker, :foo => foo
+      assert_permitted maker, :foo => foo_too
+      assert_forbidden faker, :foo => foo_too
+      assert_permitted faker, :foo => foo
+
+      assert other = User.create
+      assert_permitted other, :foo => foo
+      assert_permitted other, :foo => foo_too
+      assert_permitted nil
+    end
+
+    test "#deny should be able to receive a role list (class roles)" do
+      assert ( frooble = User.create ).has_role! :frooble, Foo
+      assert ( oombigle = User.create ).has_role! :oombigle, Foo
+      assert ( lame_frooble = User.create ).has_role! :frooble
+
+      @tester.acl_block! do
+        default :allow
+        deny :frooble, :oombigle, :by => Foo
+      end
+
+      assert_forbidden frooble
+      assert_forbidden oombigle
+      assert_permitted lame_frooble
+      assert_permitted nil
+    end
+
+    test "should also respect :to and :except" do
+      assert foo = Foo.create
+
+      assert ( foo = User.create ).has_role! :foo
+      assert ( joo = User.create ).has_role! :joo, foo
+      assert ( qoo = User.create ).has_role! :qoo, Bar
+
+      @tester.acl_block! do
+        allow :foo, :boo,              :to => [:index, :show]
+        allow :zoo, :joo, :by => :foo, :to => [:edit, :update]
+        allow :qoo, :woo, :of => Bar
+        deny  :qoo, :woo, :of => Bar,  :except => [:delete, :destroy]
+      end
+
+      assert_permitted foo, 'index'
+      assert_permitted foo, 'show'
+      assert_forbidden foo, 'edit'
+      assert_permitted joo, 'edit', :foo => foo
+      assert_permitted joo, 'update', :foo => foo
+      assert_forbidden joo, 'show', :foo => foo
+      assert_forbidden joo, 'show'
+      assert_permitted qoo, 'delete'
+      assert_permitted qoo, 'destroy'
+      assert_forbidden qoo, 'edit'
+      assert_forbidden qoo, 'show'
+    end
+  end
+end

data/test/controller_extensions/prepositions_test.rb

@@ -0,0 +1,99 @@
+require_relative 'base'
+
+module ControllerExtensions
+  class PrepositionsTest < Base
+
+    %i[of for in on at by].each do |prep|
+      test "allow :#{prep} => :foo checks @foo" do
+        assert @foo = Foo.first_or_create
+        assert ( user = User.create ).has_role! :manager, @foo
+
+        @tester.acl_block! do
+          allow :manager, prep => :foo
+        end
+
+        assert other_foo = Foo.create
+
+        assert_permitted user, :foo => @foo
+        assert_forbidden user, :foo => other_foo
+        assert_forbidden user, :foo => Foo
+        assert_forbidden nil, :foo => @foo
+        assert_forbidden User.create, :foo => @foo
+      end
+
+      test "invalid allow :#{prep} arg raises ArgumentError" do
+        assert_raise ArgumentError do
+          @tester.acl_block! { allow :hom, :by => 1 }
+        end
+      end
+    end
+
+    test "allow class role allowed" do
+      assert ( user = User.create ).has_role! :owner, Foo
+
+      @tester.acl_block! do
+        allow :owner, :of => Foo
+      end
+
+      assert_permitted user
+      assert_forbidden nil
+      assert_forbidden User.create
+    end
+
+    %i[of for in on at by].each do |prep|
+      test "deny :#{prep} => :foo checks @foo" do
+        assert @foo = Foo.first_or_create
+        assert ( user = User.create ).has_role! :thief, @foo
+
+        @tester.acl_block! do
+          default :allow
+          deny :thief, prep => :foo
+        end
+
+        assert_forbidden user, :foo => @foo
+        assert_permitted user, :foo => Foo.create
+        assert_permitted user, :foo => Foo
+        assert_permitted nil, :foo => @foo
+        assert_permitted User.create, :foo => @foo
+      end
+
+      test "invalid deny :#{prep} arg raises ArgumentError" do
+        assert_raise ArgumentError do
+          @tester.acl_block! { deny :her, :for => "him" }
+        end
+      end
+    end
+
+    test "deny class role denied" do
+      assert ( user = User.create ).has_role! :ignorant, Foo
+
+      @tester.acl_block! do
+        default :allow
+        deny :ignorant, :of => Foo
+      end
+      
+      assert_forbidden user, Foo
+      assert_permitted nil
+      assert_permitted User.create
+    end
+
+    test "> 1 allow prepositions raises ArgumentError" do
+      assert_raise ArgumentError do
+        @tester.acl_block! { allow :some, :by => :one, :for => :another }
+      end
+    end
+
+    test "> 1 deny prepositions raises ArgumentError" do
+      assert_raise ArgumentError do
+        @tester.acl_block! { deny :some, :in => :here, :on => :today }
+      end
+    end
+
+    test "should raise an ArgumentError when both :to and :except are specified" do
+      assert_raise ArgumentError do
+        @tester.acl_block! { allow all, :to => :index, :except => ['show', 'edit'] }
+      end
+    end
+
+  end
+end

data/test/controller_extensions/pseudo_role_test.rb

@@ -0,0 +1,26 @@
+require_relative 'base'
+
+module ControllerExtensions
+  class PseudoRoleTest < Base
+    %i[all everyone everybody anyone].each do |pseudorole|
+      test "allow #{pseudorole} allows all" do
+        @tester.acl_block! do
+          allow send pseudorole
+        end
+
+        assert_equal :deny, @tester.default_action
+        assert_all_permitted
+      end
+
+      test "deny #{pseudorole} denies all" do
+        @tester.acl_block! do
+          default :allow
+          deny send pseudorole
+        end
+
+        assert_equal :allow, @tester.default_action
+        assert_all_forbidden
+      end
+    end
+  end
+end

data/test/controller_extensions/role_test.rb

@@ -0,0 +1,75 @@
+require_relative 'base'
+
+module ControllerExtensions
+  class RoleTest < Base
+    test "allows admin implicit default" do
+      @tester.acl_block! { allow :admin }
+      
+      assert_admins_permitted
+      assert_forbidden nil
+
+      assert ( user = User.create ).has_role! :cool
+      assert_forbidden user
+    end
+
+    test "allow plural admins implicit default" do
+      @tester.acl_block! do
+        allow :admins
+      end
+
+      assert_admins_permitted
+      assert_forbidden nil
+
+      assert ( user = User.create ).has_role! :cool
+      assert_forbidden user
+    end
+
+    test "allow with several roles" do
+      assert ( cool1_user = User.create ).has_role! :cool
+      assert ( cool2_user = User.create ).has_role! :cool
+      assert ( super_user = User.create ).has_role! :super
+
+      @tester.acl_block! do
+        allow :admin
+        allow :cool
+      end
+      
+      assert_admins_permitted
+
+      assert_permitted cool1_user
+      assert_permitted cool2_user
+
+      assert_forbidden nil
+      assert_forbidden super_user
+    end
+
+    test "deny plural admins" do
+      @tester.acl_block! do
+        default :allow
+        deny :admins
+      end
+      
+      assert_permitted nil
+      assert_permitted User.create
+      assert_admins_forbidden
+    end
+
+    test "deny several roles" do
+      assert ( cool1_user = User.create ).has_role! :cool
+      assert ( cool2_user = User.create ).has_role! :cool
+      assert ( super_user = User.create ).has_role! :super
+
+      @tester.acl_block! do
+        default :allow
+        deny :admin
+        deny :cool
+      end
+      
+      assert_permitted nil
+      assert_admins_forbidden
+      assert_forbidden cool1_user
+      assert_forbidden cool2_user
+      assert_permitted super_user
+    end
+  end
+end

data/test/controllers/acl_action_override_test.rb

@@ -0,0 +1,24 @@
+require 'test_helper'
+
+class ACLActionOverrideTest < ActionController::TestCase
+  test "anon can index" do
+    assert get :check_allow, :_action => :index
+    assert_response :ok
+  end
+
+  test "anon can't show" do
+    assert get :check_allow, :_action => :show
+    assert_response :unauthorized
+  end
+
+  test "normal user can't edit" do
+    assert get :check_allow_with_foo, :_action => :edit, :user_id => User.create.id
+    assert_response :unauthorized
+  end
+
+  test "foo owner can edit" do
+    assert ( user = User.create ).has_role! :owner, Foo.first_or_create
+    assert get :check_allow_with_foo, :_action => :edit, :user_id => user.id
+    assert_response :ok
+  end
+end

data/test/controllers/acl_arguments_test.rb

@@ -0,0 +1,5 @@
+require 'test_helper'
+
+class ACLArgumentsTest < ActionController::TestCase
+  include BaseTests
+end

data/test/controllers/acl_block_test.rb

@@ -0,0 +1,5 @@
+require 'test_helper'
+
+class ACLBlockTest < ActionController::TestCase
+  include BaseTests
+end

data/test/controllers/acl_boolean_method_test.rb

@@ -0,0 +1,5 @@
+require 'test_helper'
+
+class ACLBooleanMethodTest < ActionController::TestCase
+  include BaseTests
+end

data/test/controllers/acl_helper_method_test.rb

@@ -0,0 +1,26 @@
+require 'test_helper'
+
+class ACLHelperMethodTest < ActionController::TestCase
+  setup do
+    assert @user = User.create
+  end
+
+  test "foo owner allowed" do
+    assert @user.has_role! :owner, Foo.first_or_create
+
+    assert get :allow, :user_id => @user.id
+    assert_select 'div', 'OK'
+  end
+
+  test "another user denied" do
+    assert @user.has_role! :owner
+
+    assert get :allow, :user_id => @user.id
+    assert_select 'div', 'OK'
+  end
+
+  test "anon denied" do
+    assert get :allow
+    assert_select 'div', 'AccessDenied'
+  end
+end

data/test/controllers/acl_ivars_test.rb

@@ -0,0 +1,15 @@
+require 'test_helper'
+
+class ACLIvarsTest < ActionController::TestCase
+  test "owner of foo destroys" do
+    assert ( user = User.create ).has_role! :owner, Bar
+    assert delete :destroy, :id => 1, :user_id => user.id
+    assert_response :ok
+  end
+
+  test "bartender at Foo destroys" do
+    assert ( user = User.create ).has_role! :bartender, Foo
+    assert delete :destroy, :id => 1, :user_id => user.id
+    assert_response :ok
+  end
+end

data/test/controllers/acl_method2_test.rb

@@ -0,0 +1,6 @@
+require 'test_helper'
+
+class ACLMethod2Test < ActionController::TestCase
+  include BaseTests
+  include ShouldRespondToAcl
+end

data/test/controllers/acl_method_test.rb

@@ -0,0 +1,6 @@
+require 'test_helper'
+
+class ACLMethodTest < ActionController::TestCase
+  include BaseTests
+  include ShouldRespondToAcl
+end

data/test/controllers/acl_object_hash_test.rb

@@ -0,0 +1,18 @@
+require 'test_helper'
+
+class ACLObjectsHashTest < ActionController::TestCase
+  setup do
+    assert @user = User.create
+    assert @user.has_role! :owner, Foo.first_or_create
+  end
+
+  test "objects hash preferred to @ivar" do
+    assert get :allow, :user_id => @user.id
+    assert_response :ok
+  end
+
+  test "unauthed for no user" do
+    assert get :allow
+    assert_response :unauthorized
+  end
+end

data/test/controllers/acl_query_method_named_test.rb

@@ -0,0 +1,9 @@
+require_relative 'acl_query_mixin'
+
+class ACLQueryMethodNamedTest < ActionController::TestCase
+  test "should respond to :allow_ay" do
+    assert @controller.respond_to? :allow_ay
+  end
+
+  include ACLQueryMixin
+end

data/test/controllers/acl_query_method_test.rb

@@ -0,0 +1,9 @@
+require_relative 'acl_query_mixin'
+
+class ACLQueryMethodTest < ActionController::TestCase
+  test "should respond to :acl?" do
+    assert @controller.respond_to? :acl?
+  end
+
+  include ACLQueryMixin
+end

data/test/controllers/acl_query_method_with_lambda_test.rb

@@ -0,0 +1,9 @@
+require_relative 'acl_query_mixin'
+
+class ACLQueryMethodWithLambdaTest < ActionController::TestCase
+  test "should respond to :acl?" do
+    assert @controller.respond_to? :acl?
+  end
+
+  include ACLQueryMixin
+end

data/test/controllers/acl_query_mixin.rb

@@ -0,0 +1,51 @@
+require 'test_helper'
+
+module ACLQueryMixin
+  def self.included base
+    base.class_eval do
+      setup do
+        ( @editor = User.create ).has_role! :editor
+        ( @viewer = User.create ).has_role! :viewer
+        ( @owneroffoo = User.create ).has_role! :owner, Foo.first_or_create
+      end
+
+      %i[edit update destroy].each do |meth|
+        test "should return true for editor/#{meth}" do
+          assert @controller.current_user = @editor
+          assert @controller.acl? meth
+          assert @controller.acl? meth.to_s
+        end
+
+        test "should return false for viewer/#{meth}" do
+          assert @controller.current_user = @viewer
+          refute @controller.acl? meth
+          refute @controller.acl? meth.to_s
+        end
+      end
+
+      %i[index show].each do |meth|
+        test "should return false for editor/#{meth}" do
+          assert @controller.current_user = @editor
+          refute @controller.acl? meth
+          refute @controller.acl? meth.to_s
+        end
+
+        test "should return true for viewer/#{meth}" do
+          assert @controller.current_user = @viewer
+          assert @controller.acl? meth
+          assert @controller.acl? meth.to_s
+        end
+      end
+
+      test "should return false for editor/fooize" do
+        assert @controller.current_user = @editor
+        refute @controller.acl? :fooize
+      end
+
+      test "should return true for foo owner" do
+        assert @controller.current_user = @owneroffoo
+        assert @controller.acl? :fooize, :foo => Foo.first
+      end
+    end
+  end
+end

data/test/controllers/acl_subject_method_test.rb

@@ -0,0 +1,15 @@
+require 'test_helper'
+
+class ACLSubjectMethodTest < ActionController::TestCase
+  test "allow the only user to index" do
+    assert ( user = User.create ).has_role! :the_only_one
+    assert get :index, :user_id => user.id
+    assert_response :ok
+  end
+
+  test "deny anonymous to index" do
+    assert_raises Acl9::AccessDenied do
+      assert get :index
+    end
+  end
+end

data/test/controllers/arguments_checking_test.rb

@@ -0,0 +1,43 @@
+require 'test_helper'
+
+class ArgumentsCheckingTest < ActionController::TestCase
+  test "raise ArgumentError without a block" do
+    assert_raise ArgumentError do
+      class FailureController < ApplicationController
+        access_control
+      end
+    end
+  end
+
+  test "raise ArgumentError with 1st argument which is not a symbol" do
+    assert_raise ArgumentError do
+      class FailureController < ApplicationController
+        access_control 123 do end
+      end
+    end
+  end
+
+  test "raise ArgumentError with more than 1 positional argument" do
+    assert_raise ArgumentError do
+      class FailureController < ApplicationController
+        access_control :foo, :bar do end
+      end
+    end
+  end
+
+  test "raise ArgumentError with :helper => true and no method name" do
+    assert_raise ArgumentError do
+      class FailureController < ApplicationController
+        access_control :helper => true do end
+      end
+    end
+  end
+
+  test "raise ArgumentError with :helper => :method and a method name" do
+    assert_raise ArgumentError do
+      class FailureController < ApplicationController
+        access_control :meth, :helper => :another_meth do end
+      end
+    end
+  end
+end

data/test/dummy/app/controllers/acl_action_override.rb

@@ -0,0 +1,15 @@
+class ACLActionOverride < ApplicationController
+  access_control :allowed?, :filter => false do
+    allow all, :to => :index
+    deny all, :to => :show
+    allow :owner, :of => :foo, :to => :edit
+  end
+
+  def check_allow
+    head allowed?(params[:_action]) ? :ok : :unauthorized
+  end
+
+  def check_allow_with_foo
+    head allowed?(params[:_action], :foo => Foo.first) ? :ok : :unauthorized
+  end
+end

data/test/dummy/app/controllers/acl_arguments.rb

@@ -0,0 +1,10 @@
+class ACLArguments < EmptyController
+  access_control :except => [:index, :show] do
+    allow :admin, :if => :true_meth, :unless => :false_meth
+  end
+
+  private
+
+  def true_meth; true end
+  def false_meth; false end
+end

data/test/dummy/app/controllers/acl_block.rb

@@ -0,0 +1,6 @@
+class ACLBlock < EmptyController
+  access_control :debug => true do
+    allow all, :to => [:index, :show]
+    allow :admin
+  end
+end

data/test/dummy/app/controllers/acl_boolean_method.rb

@@ -0,0 +1,23 @@
+class ACLBooleanMethod < EmptyController
+  access_control :acl, :filter => false do
+    allow all, :to => [:index, :show], :if => :true_meth
+    allow :admin,                      :unless => :false_meth
+    allow all,                         :if => :false_meth
+    allow all,                         :unless => :true_meth
+  end
+
+  before_filter :check_acl
+
+  def check_acl
+    if self.acl
+      true
+    else 
+      raise Acl9::AccessDenied
+    end
+  end
+
+  private
+
+  def true_meth; true end
+  def false_meth; false end
+end

data/test/dummy/app/controllers/acl_helper_method.rb

@@ -0,0 +1,11 @@
+class ACLHelperMethod < ApplicationController
+  access_control :helper => :foo? do
+    allow :owner, :of => :foo
+  end
+
+  def allow
+    @foo = Foo.first
+
+    render inline: "<div><%= foo? ? 'OK' : 'AccessDenied' %></div>"
+  end
+end