acl9 3.0.0 → 3.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 105b1a050bdefc20d0671c4035500f9abd99f8f588b69ed3ceb3357f61ea01e1
-  data.tar.gz: 2e5f73791a47de3e9fe4148c81868d6befcda7075163813eb86877c7e21084a5
+  metadata.gz: 7ee10c2f6e3894b825f17a575524a0343dcdf16217a3049b665e04da980bce1c
+  data.tar.gz: cd72c5c1e1983b28e8799c9792e5fa843f89415e104588feaf2dbeb72fd1f651
 SHA512:
-  metadata.gz: 9caadac85342a7885a46581b4a60fc7c83d51b23c50f85e0e2121fa2d15fd4ab0383984f5f7b48076f18dd49409ad40e5292f9d8a2615aced3088f0f004c28b0
-  data.tar.gz: edec0e425c0dfaf67f934b9a79ae37e3fad11baeedb605c04ccf0533bc59d1e3c4851f41f2d909cec855310fe69f811f0ff9aec78755ee3fb8a52c61e47a698d
+  metadata.gz: dca2492214e239e447b4de8f1874be52c617ca361fdcbc79ac5f4c58782ff92449e29db54f9618356680c96e55023412a6206e1f9b3ec9d7f20074d7cb89d76d
+  data.tar.gz: 0a8963681d65a13fd39e3d4e46d75be288fda1a3ce1a8bb05c1e6264da2e1601c0abb698dbbfd9abe10e965bd6c0491acab62131852f508ad3c2b1d852f3cdc8

data/.travis.yml

@@ -8,8 +8,10 @@ rvm:
 gemfile:
   - gemfiles/rails_5.0.gemfile
   - gemfiles/rails_5.1.gemfile
+  - gemfiles/rails_5.2.gemfile
 
 matrix:
   fast_finish: true
   allow_failures:
     - rvm: ruby-head
+    - gemfile: gemfiles/rails_5.2.gemfile

data/Appraisals

@@ -5,3 +5,7 @@ end
 appraise "rails-5.1" do
   gem 'rails', '~> 5.1.0'
 end
+
+appraise "rails-5.2" do
+  gem 'rails', '~> 5.2.0.rc1'
+end

data/Gemfile.lock

@@ -1,8 +1,8 @@
 PATH
   remote: .
   specs:
-    acl9 (2.1.2)
-      rails (>= 4.0)
+    acl9 (3.1.0)
+      rails (~> 5.0)
 
 GEM
   remote: http://rubygems.org/

data/README.md

@@ -1,6 +1,6 @@
 # acl9
 
-[![Travis-CI](https://travis-ci.org/be9/acl9.svg?branch=master)](https://travis-ci.org/be9/acl9) [![Code Climate](https://codeclimate.com/github/be9/acl9/badges/gpa.svg)](https://codeclimate.com/github/be9/acl9) [![Test Coverage](https://codeclimate.com/github/be9/acl9/badges/coverage.svg)](https://codeclimate.com/github/be9/acl9)
+[![Travis-CI](https://travis-ci.org/be9/acl9.svg?branch=master)](https://travis-ci.org/be9/acl9)
 
 Acl9 is a role-based authorization system that provides a concise DSL for
 securing your Rails application.
@@ -16,11 +16,19 @@ Acl9 is [Semantically Versioned](http://semver.org/), so just add this to your
 `Gemfile`:
 
 ```ruby
-gem 'acl9', '~> 2.0'
+gem 'acl9', '~> 3.0'
 ```
 
 You will need Ruby 2.x
 
+### Rails 4 - stick with 2.x
+
+```ruby
+gem 'acl9', '~> 2.0'
+```
+
+### Rails < 4 - upgrade Rails!
+
 We dropped support for Rails < 4 in the 1.x releases, so if you're still using
 Rails 2.x or 3.x then you'll want this:
 

data/gemfiles/.bundle/config

@@ -0,0 +1,2 @@
+---
+BUNDLE_RETRY: "1"

data/gemfiles/rails_5.0.gemfile

@@ -3,6 +3,7 @@
 source "http://rubygems.org"
 
 gem "appraisal"
+gem "byebug"
 gem "rails", "~> 5.0.0"
 
 gemspec path: "../"

data/gemfiles/rails_5.1.gemfile

@@ -3,6 +3,7 @@
 source "http://rubygems.org"
 
 gem "appraisal"
+gem "byebug"
 gem "rails", "~> 5.1.0"
 
 gemspec path: "../"

data/gemfiles/rails_5.2.gemfile

@@ -0,0 +1,9 @@
+# This file was generated by Appraisal
+
+source "http://rubygems.org"
+
+gem "appraisal"
+gem "byebug"
+gem "rails", "~> 5.2.0.rc1"
+
+gemspec path: "../"

data/lib/acl9.rb

@@ -35,6 +35,42 @@ module Acl9
   def self.configure
     yield config
   end
+
+  class ArgumentError < ArgumentError; end
+  class RuntimeError < RuntimeError; end
+  class NilObjectError < RuntimeError; end
+
+  ##
+  # This exception is raised whenever ACL block finds that the current user
+  # is not authorized for the controller action he wants to execute.
+  # @example How to catch this exception in ApplicationController
+  #   class ApplicationController < ActionController::Base
+  #     rescue_from 'Acl9::AccessDenied', :with => :access_denied
+  #
+  #     # ...other stuff...
+  #     private
+  #
+  #     def access_denied
+  #       if current_user
+  #         # It's presumed you have a template with words of pity and regret
+  #         # for unhappy user who is not authorized to do what he wanted
+  #         render :template => 'home/access_denied'
+  #       else
+  #         # In this case user has not even logged in. Might be OK after login.
+  #         flash[:notice] = 'Access denied. Try to log in first.'
+  #         redirect_to login_path
+  #       end
+  #     end
+  #   end
+  #
+  class AccessDenied < RuntimeError; end
+
+  ##
+  # This exception is raised when acl9 has generated invalid code for the
+  # filtering method or block. Should never happen, and it's a bug when it
+  # happens.
+  class FilterSyntaxError < ArgumentError; end
+
 end
 
 ActiveRecord::Base.send(:include, Acl9::ModelExtensions)

data/lib/acl9/controller_extensions/dsl_base.rb

@@ -12,6 +12,7 @@ module Acl9
         @allows = []
         @denys  = []
         @original_args = args
+        @action_clause = nil
       end
 
       def acl_block!(&acl_block)
@@ -108,7 +109,7 @@ module Acl9
 
         _set_action_clause( _retrieve_only(options), options.delete(:except))
 
-        object = _role_object(options)
+        object_s = _role_object_s(options)
 
         role_checks = args.map do |who|
           case who
@@ -116,7 +117,7 @@ module Acl9
           when logged_in then "!#{_subject_ref}.nil?"
           when all       then "true"
           else
-            "!#{_subject_ref}.nil? && #{_subject_ref}.has_role?('#{who}', #{object})"
+            "!#{_subject_ref}.nil? && #{_subject_ref}.has_role?('#{who}'#{object_s})"
           end
         end
 
@@ -179,13 +180,13 @@ module Acl9
         end
       end
 
-      def _role_object(options)
+      def _role_object_s(options)
         object = _by_preposition options
 
         case object
-        when Class  then object.to_s
-        when Symbol then _object_ref object
-        when nil    then "nil"
+        when Class  then ", #{object}"
+        when Symbol then ", #{_object_ref object}"
+        when nil    then ""
         else
           raise ArgumentError, "object specified by preposition can only be a Class or a Symbol"
         end

data/lib/acl9/controller_extensions/generators.rb

@@ -1,37 +1,6 @@
 require_relative "dsl_base"
 
 module Acl9
-  ##
-  # This exception is raised whenever ACL block finds that the current user
-  # is not authorized for the controller action he wants to execute.
-  # @example How to catch this exception in ApplicationController
-  #   class ApplicationController < ActionController::Base
-  #     rescue_from 'Acl9::AccessDenied', :with => :access_denied
-  #
-  #     # ...other stuff...
-  #     private
-  #
-  #     def access_denied
-  #       if current_user
-  #         # It's presumed you have a template with words of pity and regret
-  #         # for unhappy user who is not authorized to do what he wanted
-  #         render :template => 'home/access_denied'
-  #       else
-  #         # In this case user has not even logged in. Might be OK after login.
-  #         flash[:notice] = 'Access denied. Try to log in first.'
-  #         redirect_to login_path
-  #       end
-  #     end
-  #   end
-  #
-  class AccessDenied < StandardError; end
-
-  ##
-  # This exception is raised when acl9 has generated invalid code for the
-  # filtering method or block. Should never happen, and it's a bug when it
-  # happens.
-  class FilterSyntaxError < StandardError; end
-
   module Dsl
     module Generators
       class BaseGenerator < Acl9::Dsl::Base
@@ -171,7 +140,7 @@ module Acl9
                 raise ArgumentError, "call #{@method_name} with 0, 1 or 2 arguments"
               end
 
-              action_name = args.empty? ? self.action_name : args.first.to_s
+              self.action_name = args.first.to_s if args.present?
 
               return #{allowance_expression}
             end

data/lib/acl9/model_extensions/for_subject.rb

@@ -5,6 +5,12 @@ module Acl9
     module ForSubject
       include Prepositions
 
+      DEFAULT = Class.new do
+        def default?
+          true
+        end
+      end.new.freeze
+
       ##
       # Role check.
       #
@@ -38,16 +44,17 @@ module Acl9
       # @param [Object] object Object to query a role on
       #
       # @see Acl9::ModelExtensions::Object#accepts_role?
-      def has_role?(role_name, object = nil)
+      def has_role?(role_name, object = default)
+        check! object
         role_name = normalize role_name
         object = _by_preposition object
 
-        !! if object.nil? && !::Acl9.config[:protect_global_roles]
-          self._role_objects.find_by_name(role_name.to_s) ||
-          self._role_objects.member?(get_role(role_name, nil))
+        !! if object == default && !::Acl9.config[:protect_global_roles]
+          _role_objects.find_by_name(role_name.to_s) ||
+          _role_objects.member?(get_role(role_name, object))
         else
           role = get_role(role_name, object)
-          role && self._role_objects.exists?(role.id)
+          role && _role_objects.exists?(role.id)
         end
       end
 
@@ -57,7 +64,8 @@ module Acl9
       # @param [Symbol,String] role_name Role name
       # @param [Object] object Object to add a role for
       # @see Acl9::ModelExtensions::Object#accepts_role!
-      def has_role!(role_name, object = nil)
+      def has_role!(role_name, object = default)
+        check! object
         role_name = normalize role_name
         object = _by_preposition object
 
@@ -65,15 +73,15 @@ module Acl9
 
         if role.nil?
           role_attrs = case object
-                       when Class then { :authorizable_type => object.to_s }
-                       when nil   then {}
-                       else            { :authorizable => object }
-                       end.merge(      { :name => role_name.to_s })
+                       when Class   then { :authorizable_type => object.to_s }
+                       when default then {}
+                       else              { :authorizable => object }
+                       end.merge({ :name => role_name.to_s })
 
-          role = self._auth_role_class.create(role_attrs)
+          role = _auth_role_class.create(role_attrs)
         end
 
-        self._role_objects << role if role && !self._role_objects.exists?(role.id)
+        _role_objects << role if role && !_role_objects.exists?(role.id)
       end
 
       ##
@@ -82,7 +90,8 @@ module Acl9
       # @param [Symbol,String] role_name Role name
       # @param [Object] object Object to remove a role on
       # @see Acl9::ModelExtensions::Object#accepts_no_role!
-      def has_no_role!(role_name, object = nil)
+      def has_no_role!(role_name, object = default)
+        check! object
         role_name = normalize role_name
         object = _by_preposition object
         delete_role(get_role(role_name, object))
@@ -95,7 +104,8 @@ module Acl9
       # @return [Boolean] Returns true if +self+ has any roles on +object+.
       # @see Acl9::ModelExtensions::Object#accepts_roles_by?
       def has_roles_for?(object)
-        !!self._role_objects.detect(&role_selecting_lambda(object))
+        check! object
+        !!_role_objects.detect(&role_selecting_lambda(object))
       end
 
       alias :has_role_for? :has_roles_for?
@@ -112,14 +122,16 @@ module Acl9
       #
       #   user.roles_for(product).map(&:name).sort  #=> role names in alphabetical order
       def roles_for(object)
-        self._role_objects.select(&role_selecting_lambda(object))
+        check! object
+        _role_objects.select(&role_selecting_lambda(object))
       end
 
       ##
       # Unassign any roles on +object+ from +self+.
       #
-      # @param [Object,nil] object Object to unassign roles for. +nil+ means unassign global roles.
-      def has_no_roles_for!(object = nil)
+      # @param [Object,default] object Object to unassign roles for. Empty args means unassign global roles.
+      def has_no_roles_for!(object = default)
+        check! object
         roles_for(object).each { |role| delete_role(role) }
       end
 
@@ -128,11 +140,11 @@ module Acl9
       def has_no_roles!
         # for some reason simple
         #
-        #   self.roles.each { |role| delete_role(role) }
+        #   roles.each { |role| delete_role(role) }
         #
         # doesn't work. seems like a bug in ActiveRecord
-        self._role_objects.map(&:id).each do |role_id|
-          delete_role self._auth_role_class.find(role_id)
+        _role_objects.map(&:id).each do |role_id|
+          delete_role _auth_role_class.find(role_id)
         end
       end
 
@@ -142,7 +154,7 @@ module Acl9
         case object
         when Class
           lambda { |role| role.authorizable_type == object.to_s }
-        when nil
+        when default
           lambda { |role| role.authorizable.nil? }
         else
           lambda do |role|
@@ -152,13 +164,14 @@ module Acl9
         end
       end
 
-      def get_role(role_name, object)
+      def get_role(role_name, object = default)
+        check! object
         role_name = normalize role_name
 
         cond = case object
                when Class
                  [ 'name = ? and authorizable_type = ? and authorizable_id IS NULL', role_name, object.to_s ]
-               when nil
+               when default
                  [ 'name = ? and authorizable_type IS NULL and authorizable_id IS NULL', role_name ]
                else
                  [
@@ -167,17 +180,17 @@ module Acl9
                  ]
                end
 
-        if self._auth_role_class.respond_to?(:where)
-          self._auth_role_class.where(cond).first
+        if _auth_role_class.respond_to?(:where)
+          _auth_role_class.where(cond).first
         else
-          self._auth_role_class.find(:first, :conditions => cond)
+          _auth_role_class.find(:first, :conditions => cond)
         end
       end
 
       def delete_role(role)
         if role
-          if ret = self._role_objects.delete(role)
-            if role.send(self._auth_subject_class_name.demodulize.tableize).empty?
+          if ret = _role_objects.delete(role)
+            if role.send(_auth_subject_class_name.demodulize.tableize).empty?
               ret &&= role.destroy unless role.respond_to?(:system?) && role.system?
             end
           end
@@ -189,7 +202,11 @@ module Acl9
         Acl9.config[:normalize_role_names] ? role_name.to_s.underscore.singularize : role_name.to_s
       end
 
-      protected
+      private
+
+      def check! object
+        raise NilObjectError if object.nil?
+      end
 
       def _by_preposition object
         object.is_a?(Hash) ? super : object
@@ -204,7 +221,11 @@ module Acl9
       end
 
       def _role_objects
-        send(self._auth_role_assoc)
+        send(_auth_role_assoc)
+      end
+
+      def default
+        DEFAULT
       end
     end
   end

data/lib/acl9/version.rb

@@ -1,3 +1,3 @@
 module Acl9
-  VERSION = "3.0.0"
+  VERSION = "3.1.0"
 end

data/test/controller_extensions/actions_test.rb

@@ -121,7 +121,7 @@ module ControllerExtensions
 
       assert set_all_actions
       permit_some owner,  @all_actions, :foo => foo
-      permit_some hacker, %w(show index destroy)
+      permit_some hacker, %w(show index destroy), foo: foo
       permit_some another_owner, %w(show index destroy), :foo => foo
     end
 

data/test/controller_extensions/multiple_role_arguments_test.rb

@@ -107,29 +107,30 @@ module ControllerExtensions
 
     test "should also respect :to and :except" do
       assert foo = Foo.create
+      assert too = Foo.create
 
-      assert ( foo = User.create ).has_role! :foo
+      assert ( goo = User.create ).has_role! :goo
       assert ( joo = User.create ).has_role! :joo, foo
       assert ( qoo = User.create ).has_role! :qoo, Bar
 
       @tester.acl_block! do
-        allow :foo, :boo,              :to => [:index, :show]
+        allow :goo, :boo,              :to => [:index, :show]
         allow :zoo, :joo, :by => :foo, :to => [:edit, :update]
         allow :qoo, :woo, :of => Bar
         deny  :qoo, :woo, :of => Bar,  :except => [:delete, :destroy]
       end
 
-      assert_permitted foo, 'index'
-      assert_permitted foo, 'show'
-      assert_forbidden foo, 'edit'
+      assert_permitted goo, 'index'
+      assert_permitted goo, 'show'
+      assert_forbidden goo, 'edit', foo: too
       assert_permitted joo, 'edit', :foo => foo
       assert_permitted joo, 'update', :foo => foo
       assert_forbidden joo, 'show', :foo => foo
-      assert_forbidden joo, 'show'
-      assert_permitted qoo, 'delete'
-      assert_permitted qoo, 'destroy'
-      assert_forbidden qoo, 'edit'
-      assert_forbidden qoo, 'show'
+      assert_forbidden joo, 'show', foo: foo
+      assert_permitted qoo, 'delete', foo: too
+      assert_permitted qoo, 'destroy', foo: too
+      assert_forbidden qoo, 'edit', foo: too
+      assert_forbidden qoo, 'show', foo: too
     end
   end
 end

data/test/controllers/acl_helper_method_test.rb

@@ -13,10 +13,13 @@ class ACLHelperMethodTest < ActionController::TestCase
   end
 
   test "another user denied" do
+    assert @another = User.create
+    assert @another.has_role! :owner, Foo.first_or_create
+
     assert @user.has_role! :owner
 
     assert get :allow, params: { user_id: @user.id }
-    assert_select 'div', 'OK'
+    assert_select 'div', 'AccessDenied'
   end
 
   test "anon denied" do

data/test/controllers/acl_query_mixin.rb

@@ -6,7 +6,10 @@ module ACLQueryMixin
       setup do
         assert ( @editor = User.create ).has_role! :editor
         assert ( @viewer = User.create ).has_role! :viewer
-        assert ( @owneroffoo = User.create ).has_role! :owner, Foo.first_or_create
+        assert ( @foo = Foo.first_or_create )
+        assert ( @owneroffoo = User.create ).has_role! :owner, @foo
+
+        @controller.before_action
       end
 
       %i[edit update destroy].each do |meth|

data/test/dummy/app/controllers/acl_query_method_named.rb

@@ -8,6 +8,8 @@ class ACLQueryMethodNamed < ApplicationController
   end
 
   def acl?(*args)
+    @foo = Foo.first
+
     allow_ay(*args)
   end
 end

data/test/dummy/app/controllers/application_controller.rb

@@ -1,7 +1,13 @@
 class ApplicationController < ActionController::Base
+  before_action :before_action
+
   attr_accessor :current_user
 
   def current_user
     @current_user ||= User.find params[:user_id] if params[:user_id]
   end
+
+  def before_action
+    @foo = Foo.first
+  end
 end

data/test/models/roles_test.rb

@@ -13,6 +13,14 @@ class RolesTest < ActiveSupport::TestCase
     Acl9.config[:protect_global_roles] = true
   end
 
+  test "should not set global role with nil object" do
+
+    assert_raise Acl9::NilObjectError do
+      assert @user.has_role! :admin, nil
+    end
+    refute @user.has_role? :admin
+  end
+
   test "should not have any roles by default" do
     %w(user manager admin owner).each do |role|
       refute @user.has_role? role

data/test/test_helper.rb

@@ -8,11 +8,16 @@ require "rails/test_help"
 Rails.backtrace_cleaner.remove_silencers! if ENV["BACKTRACE"]
 
 ActiveRecord::Migration.verbose = false
+
 ActiveRecord::Migrator.migrate File.expand_path("../dummy/db/migrate/", __FILE__)
 
 $VERBOSE = nil
 
 class ActionController::TestCase
+  setup do
+    assert Foo.create
+  end
+
   class << self
     def test_allowed method, action, params={}
       test "allowed #{method} #{action}" do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: acl9
 version: !ruby/object:Gem::Version
-  version: 3.0.0
+  version: 3.1.0
 platform: ruby
 authors:
 - oleg dashevskii
@@ -92,8 +92,10 @@ files:
 - bin/yard
 - bin/yardoc
 - bin/yri
+- gemfiles/.bundle/config
 - gemfiles/rails_5.0.gemfile
 - gemfiles/rails_5.1.gemfile
+- gemfiles/rails_5.2.gemfile
 - lib/acl9.rb
 - lib/acl9/controller_extensions.rb
 - lib/acl9/controller_extensions/dsl_base.rb