acl_system2 0.2.0

data/.gitignore

@@ -0,0 +1,4 @@
+*.gem
+.bundle
+Gemfile.lock
+pkg/*

data/Gemfile

@@ -0,0 +1,4 @@
+source :rubygems
+
+gemspec
+

data/LICENSE.txt

@@ -0,0 +1,20 @@
+Copyright (c) 2006 Ezra Zygmuntowicz & Fabien Franzen
+  
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,129 @@
+Welcome to the acl_system plugin for rails. This plugin is designed to give you a 
+flexible declarative way of protecting your various controller actions using roles.
+It's made to sit on top of any authentication framework that follows a few conventions.
+You will need to have a `current_user` method that returns the currently logged in user. 
+And you will need to make your `User` or `Account` model(or whatever you named it) have a
+`has_and_belongs_to_many :roles`. So you need a model called `Role` that has a `title` attribute.
+Once these two things are satisfied you can use this plugin.
+
+So lets take a look at the sugar you get from using this plugin. Keep in mind that the
+`!blacklist` part isn’t really necessary here. I was just showing it as an example of how
+flexible the permissions string logic parser is. 
+
+```ruby
+class PostController < ApplicationController
+  before_filter :login_required, :except => [:list, :index]
+  access_control [:new, :create, :update, :edit] => '(admin | user | moderator)',
+                 :delete => 'admin & (!moderator & !blacklist)' 
+```
+Of course you can define them all separately if they differ at all.
+
+```ruby
+class PostController < ApplicationController
+  before_filter :login_required, :except => [:list, :index]
+  access_control :new => '(admin | user | moderator) & !blacklist',
+                 :create => 'admin & !blacklist',
+                 :edit => '(admin | moderator) & !blacklist',
+                 :update => '(admin | moderator) & !blacklist',
+                 :delete => 'admin & (!moderator | !blacklist)' 
+```
+
+And you can also use `:DEFAULT` if you have a lot of actions that need the same permissions.
+
+```ruby
+class PostController < ApplicationController
+  before_filter :login_required, :except => [:list, :index]
+  access_control :DEFAULT => '!guest' 
+                [:new, :create, :update, :edit] => '(admin | user | moderator)',
+                 :delete => 'admin & (!moderator & !blacklist)'
+```
+
+There are two callback methods you can use to define your own success and failure behaviours.
+If you define `permission_granted` and/or `permission_denied` as protected methods in your controller you
+can redirect or render and error page or whatever else you might want to do if access is allowed
+or denied.
+
+```ruby
+class PostController < ApplicationController
+  before_filter :login_required, :except => [:list, :index]
+  access_control :DEFAULT => '!guest' 
+                [:new, :create, :update, :edit] => '(admin | user | moderator)',
+                 :delete => 'admin & (!moderator & !blacklist)'
+
+  # the rest of your controller here
+
+  protected
+
+  def permission_denied
+    flash[:notice] = "You don't have privileges to access this action"
+    return redirect_to :action => 'denied'
+  end
+
+  def permission_granted
+    flash[:notice] = "Welcome to the secure area of foo.com!"
+  end
+
+end
+```
+
+There is also a helper method that can be used in the view or controller. In the view its 
+handy for conditional menus or stuff like that. 
+
+```erb
+<% restrict_to "(admin | moderator) & !blacklist" do %>
+  <%= link_to "Admin & Moderator only link", :action =>'foo' %>
+<% end %>
+```
+
+So the gist of it is that in the `access_control` controller macro, you can assign 
+permission logic strings to actions in your controller. You supply a hash of 
+`:action => 'permissions string'` pairs. Any action not in the list is left open to 
+any user. Any action with a logic string gets evaluated on each request to see if
+ the current user has the right role to access the action. The plugin has a small 
+recursive descent parser that evaluates the permission logic strings against the 
+`current_user.roles`.
+
+The way this works is that you have your `User` model and a `Role` model. `User <= habtm => Role`.
+ So when an action that is access_control’ed gets requested the permission logic string 
+gets evaluated against the `current_user.roles`. So a prerequisite of using this plugin
+ is that you add a `Role` model with a `title` attribute that `has_and_belongs_to_many :user`
+ models. And you need to have a `current_user` method defined somewhere in your controllers 
+or user system. Luckily the `acts_as_authenticated` plugin has the `current_user` defined already. 
+
+So here is the schema of this application including the `Post` model and the `User` and `Role` 
+model plus the habtm join table: 
+
+```ruby
+ActiveRecord::Schema.define(:version => 3) do
+  create_table "posts", :force => true do |t|
+    t.column "title", :string, :limit => 40
+    t.column "body", :text
+  end
+  create_table "roles", :force => true do |t|
+    t.column "title", :string
+  end
+  create_table "roles_users", :id => false, :force => true do |t|
+    t.column "role_id", :integer
+    t.column "user_id", :integer
+  end
+  create_table "users", :force => true do |t|
+    t.column "login", :string, :limit => 40
+    t.column "email", :string, :limit => 100
+    t.column "crypted_password", :string, :limit => 40 
+    t.column "salt", :string, :limit => 40
+    t.column "created_at", :datetime
+    t.column "updated_at", :datetime
+  end
+end
+```
+
+And so thats pretty much it for now. You add the roles to the `Role.title` attribute like admin,
+ moderator and blacklist like above. These can be anything you want them to be, roles, groups
+ or whatever. Then you can use as many nested parens and logic with `& | !` as you want to 
+define your complex permissions for accessing your controller. Make sure that your `access_control`
+ gets called after the `login_required` before filter because we assume that you are already 
+logged in if you made it this far and then we eval the permissions logic.
+
+You will want to define these access_control in each controller that needs specific permissions.
+ unless you want to protect the same actions in all controllers, then you can put it in 
+`application.rb` but I don't recommend it.

data/Rakefile

@@ -0,0 +1,10 @@
+require 'bundler/gem_tasks'
+require 'rake/testtask'
+
+Rake::TestTask.new do |t|
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = true
+end
+
+task :default => :test
+

data/acl_system2.gemspec

@@ -0,0 +1,24 @@
+# -*- encoding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'acl_system2/version'
+
+Gem::Specification.new do |gem|
+  gem.name          = 'acl_system2'
+  gem.version       = ACLSystem2::VERSION
+  gem.authors       = ['Ezra Zygmuntowicz', 'Fabien Franzen', 'Gareth Rees']
+  gem.email         = ['gareth@garethrees.co.uk']
+  gem.description   = %q{An access control gem for Rails. A flexible declarative way of protecting your various controller actions using roles.}
+  gem.summary       = %q{An access control gem for Rails}
+  gem.homepage      = 'https://github.com/boxuk/acl_system2'
+
+  gem.files         = `git ls-files`.split($/)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ['lib']
+
+  gem.add_development_dependency 'minitest'
+  gem.add_development_dependency 'turn'
+  gem.add_development_dependency 'rake'
+end
+

data/lib/acl_system2.rb

@@ -0,0 +1,5 @@
+require "#{ File.dirname(__FILE__) }/acl_system2/version"
+require "#{ File.dirname(__FILE__) }/acl_system2/caboose/logic_parser"
+require "#{ File.dirname(__FILE__) }/acl_system2/caboose/role_handler"
+require "#{ File.dirname(__FILE__) }/acl_system2/caboose/access_control"
+

data/lib/acl_system2/caboose/access_control.rb

@@ -0,0 +1,112 @@
+
+module Caboose
+
+  module AccessControl
+    
+    def self.included(subject)
+      subject.extend(ClassMethods)
+      if subject.respond_to? :helper_method
+        subject.helper_method(:permit?)
+        subject.helper_method(:restrict_to)
+      end
+    end
+    
+    module ClassMethods  
+      #  access_control [:create, :edit] => 'admin & !blacklist',
+      #                 :update => '(admin | moderator) & !blacklist',
+      #                 :list => '(admin | moderator | user) & !blacklist'
+      def access_control(actions={})
+        # Add class-wide permission callback to before_filter
+        defaults = {}  
+        if block_given?
+          yield defaults 
+          default_block_given = true  
+        end        
+        before_filter do |c|
+          c.default_access_context = defaults if default_block_given
+          @access = AccessSentry.new(c, actions)
+          if @access.allowed?(c.action_name)
+             c.send(:permission_granted)  if c.respond_to?:permission_granted
+          else    
+            if c.respond_to?:permission_denied
+              c.send(:permission_denied)
+            else  
+              c.send(:render, :text => "You have insuffient permissions to access #{c.controller_name}/#{c.action_name}")
+            end
+          end
+        end
+      end 
+    end # ClassMethods 
+
+    # return the active access handler, fallback to RoleHandler
+    # implement #retrieve_access_handler to return non-default handler
+    def access_handler
+      if respond_to?(:retrieve_access_handler)
+        @handler ||= retrieve_access_handler
+      else
+        @handler ||= RoleHandler.new
+      end
+    end
+
+    # the current access context; will be created if not setup
+    # will add current_user and merge any other elements of context
+    def access_context(context = {})     
+      default_access_context.merge(context)
+    end
+
+    def default_access_context
+      @default_access_context ||= {}
+      @default_access_context[:user] = send(:current_user) if respond_to?(:current_user)
+      @default_access_context 
+    end
+
+    def default_access_context=(defaults)
+      @default_access_context = defaults      
+    end
+
+    def permit?(logicstring, context = {})
+      access_handler.process(logicstring, access_context(context))
+    end
+  
+    # restrict_to "admin | moderator" do
+    #   link_to "foo"
+    # end   
+    def restrict_to(logicstring, context = {})
+      return false if current_user.nil?
+      result = ''    
+      if permit?(logicstring, context) 
+        result = yield if block_given?
+      end 
+      result
+    end    
+      
+    class AccessSentry
+     
+      def initialize(subject, actions={})
+        @actions = actions.inject({}) do |auth, current|
+          [current.first].flatten.each { |action| auth[action] = current.last }
+          auth
+        end 
+        @subject = subject
+      end 
+     
+      def allowed?(action)
+        if @actions.has_key? action.to_sym
+          return @subject.access_handler.process(@actions[action.to_sym].dup, @subject.access_context)
+        elsif @actions.has_key? :DEFAULT
+          return @subject.access_handler.process(@actions[:DEFAULT].dup, @subject.access_context) 
+        else
+          return true
+        end  
+      end
+   
+    end # AccessSentry
+  
+  end # AccessControl  
+  
+end # Caboose    
+
+
+
+
+

data/lib/acl_system2/caboose/logic_parser.rb

@@ -0,0 +1,48 @@
+module Caboose
+  
+  module LogicParser
+    # This module holds our recursive descent parser that take a logic string
+    # the logic string is tested by the enclosing Handler class' #check method
+    # Include this module in your Handler class.
+    
+    # recursively processes an permission string and returns true or false
+    def process(logicstring, context)
+      # if logicstring contains any parenthasized patterns, call process recursively on them
+      while logicstring =~ /\(/
+        logicstring.sub!(/\(([^\)]+)\)/) {
+          process($1, context)
+        }
+      end
+      
+      # process each operator in order of precedence
+      #!
+      while logicstring =~ /!/
+        logicstring.sub!(/!([^ &|]+)/) { 
+          (!check(logicstring[$1], context)).to_s
+        }
+      end
+      
+      #&
+      if logicstring =~ /&/
+        return (process(logicstring[/^[^&]+/], context) and process(logicstring[/^[^&]+&(.*)$/,1], context))
+      end
+      
+      #|
+      if logicstring =~ /\|/
+        return (process(logicstring[/^[^\|]+/], context) or process(logicstring[/^[^\|]+\|(.*)$/,1], context))
+      end
+      
+      # constants
+      if logicstring =~ /^\s*true\s*$/i
+        return true
+      elsif logicstring =~ /^\s*false\s*$/i
+        return false
+      end
+      
+      # single list items
+      (check(logicstring.strip, context))
+    end
+    
+  end # LogicParser
+
+end

data/lib/acl_system2/caboose/role_handler.rb

@@ -0,0 +1,20 @@
+module Caboose
+  
+  class AccessHandler   
+    include LogicParser
+
+    def check(key, context)
+      false
+    end
+  
+  end
+   
+  class RoleHandler < AccessHandler 
+    
+    def check(key, context)  
+      context[:user].roles.map{ |role| role.title.downcase}.include? key.downcase
+    end
+        
+  end # End RoleHandler
+
+end

data/lib/acl_system2/version.rb

@@ -0,0 +1,3 @@
+module ACLSystem2
+  VERSION = "0.2.0"
+end

data/rails/init.rb

@@ -0,0 +1,5 @@
+require "#{ File.dirname(__FILE__) }/../lib/acl_system2"
+
+ActionController::Base.send :include, Caboose
+ActionController::Base.send :include, Caboose::AccessControl
+

data/test/access_control_test.rb

@@ -0,0 +1,162 @@
+require 'test/unit'
+require File.dirname(__FILE__) + '/test_helper'
+require 'ostruct'
+
+# mock objects
+
+class User
+  
+  attr_accessor :name
+  
+  def name
+    @name ||= 'anon'
+    @name
+  end
+  
+  def roles
+    [OpenStruct.new(:title => 'admin'), OpenStruct.new(:title => 'user')]
+  end  
+
+end      
+
+class ControllerProxy
+
+  attr_accessor :action_name
+  
+  class << self
+  
+    attr_reader :before_block
+  
+    def before_filter(&block)
+      @before_block = block if block_given?
+    end
+  
+  end
+  
+  def before_action
+    self.class.before_block.call(self)
+  end
+    
+  include Caboose::AccessControl
+  
+  access_control([:create, :edit] => 'admin & !blacklist',
+      :update => '(admin | moderator) & !blacklist',
+      :list => '(admin | moderator | user) & !blacklist',
+      :private => 'vip') do |context|
+         context[:variable] = 'value'
+         context[:login_time] = Time.new
+      end
+  
+  def permission_granted
+    true
+  end
+  
+  def permission_denied
+    false
+  end
+  
+  def current_user
+    User.new
+  end
+  
+end
+
+class FabOnlyHandler < Caboose::AccessHandler 
+    
+  def check(key, context)
+    (context[:user].name.downcase == 'fabien' and context[:user].roles.map{ |role| role.title.downcase}.include?(key))
+  end
+      
+end
+
+class ControllerProxyWithFabHandler < ControllerProxy
+  
+  def retrieve_access_handler
+    FabOnlyHandler.new
+  end
+  
+end
+
+
+# tests         
+class AccessControlTest  < Test::Unit::TestCase
+  
+
+  def test_first
+    context = { :user => User.new }
+    @handler = Caboose::RoleHandler.new
+    assert @handler.process("(admin | moderator) & !blacklist", context)  
+    assert @handler.process("(user | moderator) & !blacklist", context)  
+    assert @handler.process("(user | moderator | user) & !blacklist", context)  
+    assert @handler.process("(user | moderator | !blacklist)", context)  
+    assert @handler.process("user & !blacklist", context)  
+    assert @handler.process("!moderator & !blacklist", context)  
+    assert @handler.process("admin & user & !blacklist", context)  
+    assert_equal @handler.process("moderator | blacklist", context), false 
+    assert_equal @handler.process("!admin | blacklist", context), false 
+    assert_equal @handler.process("moderator | unknown", context), false 
+    assert_equal @handler.process("!anon & !moderator", context), true 
+  end
+ 
+  def test_custom_access_handler
+    context = { :user => User.new }
+    controller = ControllerProxyWithFabHandler.new    
+    assert_equal controller.permit?("(admin | moderator) & !blacklist", context), false 
+   
+    context[:user].name = 'Ezra'
+    assert_equal controller.permit?("(admin | moderator) & !blacklist", context), false 
+   
+    context[:user].name = 'Fabien'
+    assert controller.permit?("(admin | moderator) & !blacklist", context)     
+  end
+  
+  def test_permit
+    context = { :user => User.new }
+    controller = ControllerProxy.new   
+    assert controller.permit?("(admin | moderator) & !blacklist", context)  
+    assert controller.permit?("(user | moderator) & !blacklist", context)  
+    assert controller.permit?("(user | moderator | user) & !blacklist", context)  
+    assert controller.permit?("(user | moderator | !blacklist)", context)  
+    assert controller.permit?("user & !blacklist", context)  
+    assert controller.permit?("!moderator & !blacklist", context)  
+    assert controller.permit?("admin & user & !blacklist", context)  
+    assert_equal controller.permit?("moderator | blacklist", context), false 
+    assert_equal controller.permit?("!admin | blacklist", context), false 
+    assert_equal controller.permit?("moderator", context), false 
+    assert_equal controller.permit?("!anon & !moderator", context), true     
+  end
+  
+  def test_restrict_to
+    controller = ControllerProxy.new
+    assert_block do
+      controller.restrict_to "admin | moderator" do
+        true
+      end
+    end
+  end
+  
+  def test_before_filter
+    context = { :user => User.new }
+    controller = ControllerProxy.new 
+    
+    controller.action_name = 'list'
+    assert_block { controller.before_action }
+    
+    controller.action_name = 'other'
+    assert_block { controller.before_action }
+    
+    controller.action_name = 'private'
+    assert_block { !controller.before_action }
+  end
+ 
+  def test_set_default_context_with_block
+    context = { :user => User.new }
+    controller = ControllerProxy.new 
+    controller.action_name = 'list'
+    controller.before_action
+    assert controller.access_context.include?(:user)
+    assert controller.access_context.include?(:variable)
+    assert controller.access_context.include?(:login_time)
+  end
+    
+end  

data/test/test_helper.rb

@@ -0,0 +1,8 @@
+require 'turn'
+
+Turn.config do |c|
+ c.format  = :dot
+end
+
+require "#{ File.dirname(__FILE__) }/../lib/acl_system2"
+

metadata

@@ -0,0 +1,123 @@
+--- !ruby/object:Gem::Specification 
+name: acl_system2
+version: !ruby/object:Gem::Version 
+  hash: 23
+  prerelease: 
+  segments: 
+  - 0
+  - 2
+  - 0
+  version: 0.2.0
+platform: ruby
+authors: 
+- Ezra Zygmuntowicz
+- Fabien Franzen
+- Gareth Rees
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2013-01-29 00:00:00 Z
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: minitest
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: turn
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: rake
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id003
+description: An access control gem for Rails. A flexible declarative way of protecting your various controller actions using roles.
+email: 
+- gareth@garethrees.co.uk
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- .gitignore
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- acl_system2.gemspec
+- lib/acl_system2.rb
+- lib/acl_system2/caboose/access_control.rb
+- lib/acl_system2/caboose/logic_parser.rb
+- lib/acl_system2/caboose/role_handler.rb
+- lib/acl_system2/version.rb
+- rails/init.rb
+- test/access_control_test.rb
+- test/test_helper.rb
+homepage: https://github.com/boxuk/acl_system2
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.8.23
+signing_key: 
+specification_version: 3
+summary: An access control gem for Rails
+test_files: 
+- test/access_control_test.rb
+- test/test_helper.rb