aclize 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b2f95212250080779c4cd98f14d0b83073d25743
-  data.tar.gz: ec841f33a6a1e6f437e26a56cb1e28c9ad4a7d5e
+  metadata.gz: e883bc914bc0302e8ddd301838686b681420ed98
+  data.tar.gz: 0110271f53cc15fac67b6800f2bbc99de266dfc8
 SHA512:
-  metadata.gz: 023df60e150155e7a932f22b342ef5a0219b308ebcd16c2d19af882926bdeca89284a54efadc0e860019d4c391b4d0d5cbc9ebe6bcc0b1b49c29c8f636e6c71b
-  data.tar.gz: 92fed867177543f7ce28ebd27a1cab45e1189f494d5fabbc7ea03060e928e75665835de9cc67ef07470bc77d7a8399e7228b43a0f68a9d1032be16a73a6f08df
+  metadata.gz: 74e415381c8b03575c405cec1d54b74b887e3a1aef3e784b6b64e566192e637bf4bdab0c5e692c8f07a7d6903034443f4caab56eb6b054b4a226fb132f874a76
+  data.tar.gz: 67a452e4826d6450df25ed6cd5bd9272216545a0ce9a62cbecae798676c74bc79c5eb1a5d7fe3d0d1c57d619f08782ad3c31edd8ce81ea791808ca607054611d

data/README.md

@@ -33,32 +33,34 @@ class ApplicationController < ActionController::Base
   protected
 
   def setup_acl
-    if current_user.admin?
-      # setup the ACL for admin users
-      define_acl({
-        controllers: {
-          "*" => { allow: ["*"] } # grant permissions to access any action of any controller
-        }
-      })
-    else
-      # setup the ACL for other users
-      define_acl({
-        controllers: {
-          posts: {
-            allow: ["index", "show"] # allow to access only #index and #show actions of PostsController
-          }
-        }
-      })
+
+    # define ACL for :admin
+    acl_for :admin do
+      controllers do
+        permit "*" # permit to access any action of any controller
+      end
+    end
+
+    # define acl for :user
+    acl_for :user do
+      controllers do
+        permit :posts, only: [:index, :show]                  # users can access only :index and :show actions of :posts controller
+        permit :comments, except: [:edit, :update, :destroy]  # can also access all the actions of :comments controller, except for :edit, :update and :destroy actions
+      end
+
+      paths do
+        permit "path/[a-c]", "path/[0-9]+"    # permit :user to access "path/a", "path/b", "path/c" and "path/<a digit>"
+        deny   "path/b"                       # deny the access to "path/b"
+      end
     end
 
-    filter_access!
+    set_current_role(current_user.role) # assuming that current_user is returning an object representing the current user
+    filter_access! # apply the ACL for the current user
   end
 end
 ```
 
-In the example above we asume that the user passed the authentication, so that we know the type of account the user has.
-
-__N.B:__ When you define the ACL with `define_acl(...)` you're defining it only for the current user.
+__IMPORTANT:__ you have to tell __Aclize__ what is the role of the current user by calling `set_current_role(<ROLE>)` method, because if you don't specify any role, the default role `:all` will be used.
 
 Once you've defined the ACL, __Aclize__ will automatically manage the access control and will render the `403 Forbidden` page when the user doesn't have enough permissions to access it.
 

data/lib/aclize/acl/controllers_registry.rb

@@ -0,0 +1,93 @@
+# The policy adopted by Aclize is:
+#   1. By default all the controllers and paths are denied
+#   2. On rules conflict, the more restrictive rule will be used
+#   3. When permit and deny rules have the same restriction,
+#      deny rule will be used
+
+
+module Aclize
+  class Acl::ControllersRegistry
+
+    attr_reader :permitted, :denied
+
+    def initialize
+      @permitted = {"*" => []}.nested_under_indifferent_access
+      @denied    = {"*" => []}.nested_under_indifferent_access
+    end
+
+    # add a new permit rule to controllers registry
+    def permit(controller, only: nil, except: nil)
+      @permitted[controller] ||= []
+      @denied[controller]    ||= []
+
+      raise ArgumentError.new("#permit cannot accept both :only and :except. At most one of them can be specified!") if only && except
+
+      if except
+        @permitted[controller] = ["*"]
+        @denied[controller]    = normalize(except)
+      elsif only
+        @denied[controller]    = []
+        @permitted[controller] = normalize(only)
+      else
+        @permitted[controller] = ["*"]
+        @denied[controller]    = []
+      end
+    end
+
+    # check if each action in the list is allowed for the specified controller
+    def permitted?(controller, *args)
+      @permitted[controller] ||= []
+      @denied[controller]    ||= []
+      actions = normalize(args)
+
+      if actions.empty?
+        return controller_permitted?(controller)
+      elsif controller_permitted?(controller)
+        # we know the there's at least one permitted action for this controller,
+        # so return false if there's at least one denied action in the list of actions to check
+        return false unless (actions & @denied[controller]).empty?
+
+        # we know that the actions aren't denied at controller level, so we could
+        # return true if all the actions are also permitted at controller level
+        return true if @permitted[controller].include?("*") || (actions & @permitted[controller]) == actions
+
+        # the actions aren't permitted at controller level, so if any of them is
+        # denied at global level, we will return false
+        return false unless (actions & @denied["*"]).empty?
+
+        # the actions aren't denied at global level, so we have to check if them
+        # are allowed at global level and return true if so
+        return true if @permitted["*"].include?("*") || (actions & @permitted["*"]) == actions
+      end
+
+      return false
+    end
+
+    protected
+
+    # check if the controller is permitted (at least one action in the controller should be permitted)
+    def controller_permitted?(controller)
+      # the simplies case is when there's a permission for at least one action for this controller
+      if @permitted[controller].empty?
+        # check if there're wildcard permissions
+        if @permitted["*"].empty?
+          # there isn't any global permission for the user
+          return false
+        else
+          # we have global permissions (for all the controllers), so we
+          # have to check if those actions weren't denied
+          denied_actions = @denied[controller] + @denied["*"]
+          return !(@permitted["*"] - denied_actions).empty?
+        end
+      else
+        # we are sure there's at least one permission for this controller
+        return true
+      end
+    end
+
+    def normalize(items)
+      result = items.nil? ? [] : items.is_a?(Array) ? items.flatten : [items]
+      return result.map { |x| x.to_s }
+    end
+  end
+end

data/lib/aclize/acl/paths_registry.rb

@@ -0,0 +1,77 @@
+# The policy for paths ACLs is slightly different from the controllers policy, because
+# on rules conflicts, the deny rule always wins. Here is a brief description of the policy:
+#
+# 1. By default all the paths are not permitted
+# 2. On rule conflict, the deny rule always wins
+# 3. A path is permitted only if there's an explicit permit rule
+
+module Aclize
+  class Acl::PathsRegistry
+
+    attr_reader :permitted, :denied
+
+    def initialize
+      @permitted = []
+      @denied    = []
+    end
+
+
+    # permit a new path
+    def permit(*paths)
+      @permitted += normalize(paths)
+      @permitted.uniq!
+    end
+
+
+    # deny a path
+    def deny(*paths)
+      @denied += normalize(paths)
+      @denied.uniq!
+    end
+
+
+    # Check if the paths are permitted. This method should return true
+    # only if each path passed as argument is permitted (isn't denied and
+    # have an explicit permission).
+    def permitted?(*args)
+      permitted = false
+
+      return false if denied?(args)
+
+      # each path should have an explicit permission in order to return true
+      args.flatten.each do |path|
+        # we assume that the path isn't permitted
+        permitted = false
+
+        # iterate over permitted paths and check if any of them matches the current one
+        @permitted.each do |permitted_path|
+          permitted ||= !!path.match(/^#{permitted_path}$/)
+          # stop iteration if the path is permitted
+          break if permitted
+        end
+        #return false if the path isn't permitted
+        return false unless permitted
+      end
+
+      return permitted
+    end
+
+
+    # Check if any of the paths is explicitly denied
+    def denied?(*args)
+      @denied.each do |denied_path|
+        args.flatten.each do |path|
+          return true if path.match(/^#{denied_path}$/)
+        end
+      end
+
+      return false
+    end
+
+    protected
+
+    def normalize(items)
+      return items.nil? ? [] : items.is_a?(Array) ? items.flatten : [items]
+    end
+  end
+end

data/lib/aclize/acl/role.rb

@@ -0,0 +1,29 @@
+
+module Aclize
+  class Acl::Role
+    require "aclize/acl/controllers_registry"
+    require "aclize/acl/paths_registry"
+
+    def initialize(name)
+      @name        = name.to_s
+      @controllers = Aclize::Acl::ControllersRegistry.new
+      @paths       = Aclize::Acl::PathsRegistry.new
+    end
+
+    def controllers(&block)
+      if block_given?
+        @controllers.instance_eval(&block)
+      else
+        return @controllers
+      end
+    end
+
+    def paths(&block)
+      if block_given?
+        @paths.instance_eval(&block)
+      else
+        return @paths
+      end
+    end
+  end
+end

data/lib/aclize/acl.rb

@@ -0,0 +1,23 @@
+
+module Aclize
+  class Acl
+    require "aclize/acl/role"
+
+    attr_reader :roles
+
+    def initialize
+      @roles = {
+        all: Aclize::Acl::Role.new(:all)
+      }.nested_under_indifferent_access
+    end
+
+    def get_acl_for(role)
+      return @roles[role] || @roles[:all]
+    end
+
+    def setup(role = :all, &block)
+      @roles[role] ||= Aclize::Acl::Role.new(role)
+      @roles[role].instance_eval(&block)
+    end
+  end
+end

data/lib/aclize/helper.rb

@@ -7,55 +7,28 @@ module Aclize
 
     # Check if the user have permission to access the action
     def action_allowed?(controller, action)
-      actions_allowed?(controller, [action], :all)
+      actions_allowed?(controller, [action])
     end
 
 
-    # Returns a boolean that indicates if the current used have enought permissions to access the
-    # specified list of actions. The policy argument indicates the type of verification. By default,
-    # its value is :all, that means the all the actions passed as argument have to be allowed. If the
-    # policy if :any, is sufficient that at least one of the specified actions to be allowed.
-    def actions_allowed?(controller, actions = [], policy = :all)
-      acl = @_aclize_acl[:controllers]
-      # If there's an entry for this controller in @acl, use that rule for permissions check.
-      # Otherwise, check if there's an '*' entry if @acl and use that rules.
-      methods = ( acl[controller.to_s] || acl['*'] || {} )
-      allow   = methods["allow"] || []
-      deny    = methods["deny"]  || []
-
-      # If the array of methods is empty, the controller isn't allowed
-      return false if allow.empty?
-
-      # Force the list of actions to be an Array of strings
-      normalized_actions = (actions.is_a?(Array) ? actions : [actions]).map{|action| action.to_s }
-
-      # If all the methods of the current controller are allowed or the list of actions to check is empty, return true
-      return true if (allow.include?("*") && (deny & normalized_actions).empty?) || normalized_actions.empty?
-
-      case policy.to_sym
-      when :all then return (deny & normalized_actions).empty? && (allow & normalized_actions == normalized_actions) # all the actions have to be allowed
-      when :any then return !((allow & normalized_actions) - deny).empty?                                            # at least one action have to be allowed
-      else
-        logger.warn "Invalid policy: #{policy}."
-        return false
-      end
+    # Returns a boolean that indicates if the current user have enought permissions to access the
+    # specified list of actions.
+    def actions_allowed?(controller, actions = [])
+      acl = @_aclize_acl.get_acl_for(get_current_role)
+      return acl.controllers.permitted?(controller, actions)
     end
 
 
     # Verify if the path could be accessed by the user. Returns true when
     # the path is accessible
     def path_allowed?(path)
-      paths = @_aclize_acl[:paths]
-
-      (paths[:deny] || []).each do |filter|
-        return false if !path.match(Regexp(filter)).nil?
-      end
+      acl = @_aclize_acl.get_acl_for(get_current_role)
+      return acl.paths.permitted?(path)
+    end
 
-      (paths[:allow] || []).each do |filter|
-        return true if !path.match(Regexp(filter)).nil?
-      end
 
-      return false
+    def get_current_role
+      return @_aclize_current_role || :all
     end
   end
 end

data/lib/aclize/version.rb

@@ -1,3 +1,3 @@
 module Aclize
-  VERSION = "0.1.0"
+  VERSION = "0.2.0"
 end

data/lib/aclize.rb

@@ -1,4 +1,5 @@
 require "aclize/version"
+require "aclize/acl"
 require "aclize/helper"
 require "i18n"
 require "action_controller"
@@ -31,33 +32,55 @@ module Aclize
   # The Initializer module will be used to initialize instance variables and to setup defaults.
   module Initializer
     def initialize
-      @_aclize_acl = {controllers: {}, paths: {} }.nested_under_indifferent_access
+      @_aclize_acl ||= Aclize::Acl.new
+      @_aclize_current_role = nil
       super
     end
   end
 
   protected
 
-  # Returns the ACL definition as a Hash
+  # Returns the ACL definition
   def get_acl_definition
     return @_aclize_acl
   end
 
-  # Defines the structure of ACL for the current user
-  # TODO: implement a better or an alternative way for ACL definition
-  def define_acl(acl)
-    raise "Invalid ACL definition type: (expected: Hash, got: #{acl.class})" unless acl.is_a? Hash
 
-    if acl.has_key?(:controllers) && acl[:controllers].is_a?(Hash)
-      @_aclize_acl[:controllers] = acl[:controllers]
-    end
+  def set_current_role(role)
+    @_aclize_current_role = role
+  end
+
+  def get_current_role
+    return @_aclize_current_role || :all
+  end
+
 
-    if acl.has_key?(:paths) && acl[:paths].is_a?(Hash)
-      @_aclize_acl[:paths] = acl[:paths]
+  # setup the ACL for a role
+  def acl_for(role = :all, &block)
+    @_aclize_acl.setup(role, &block)
+  end
+
+
+  # apply the ACL for a specific role and unauthorize if the user is not permitted
+  # to access controller action or the path
+  def treat_as(role)
+    acl = @_aclize_acl.get_acl_for(role)
+    unauthorize! unless acl
+
+    if acl.controllers.permitted?(controller_name, action_name)
+      unauthorize! if acl.paths.denied?(request.path_info)
+    else
+      unauthorize! unless acl.paths.permitted?(request.path_info)
     end
   end
 
 
+  # use the current_role value to apply ACL
+  def filter_access!
+    treat_as get_current_role
+  end
+
+
   # In no callbacks were defined for unauthorized access, Aclize will render a
   # default 403 Forbidden page. Otherwise, the control will be passed to the callback.
   def unauthorize!
@@ -74,59 +97,6 @@ module Aclize
     end
   end
 
-
-  # Check if the current user have enough permissions to access the current controller/path
-  def filter_access!
-    unauthorize! if acl_action_denied? || acl_path_denied? || !(acl_action_allowed? || acl_path_allowed?)
-  end
-
-
-  # check if the current action is denied
-  def acl_action_denied?
-    actions = (@_aclize_acl[:controllers][controller_name] || @_aclize_acl[:controllers]["*"] || {})[:deny] || []
-    actions.map!{|action| action.to_s }
-
-    return actions.include?("*") || actions.include?(action_name)
-  end
-
-
-  # check if the current action is allowed
-  def acl_action_allowed?
-    actions = (@_aclize_acl[:controllers][controller_name] || @_aclize_acl[:controllers]["*"] || {})[:allow] || []
-    actions.map!{|action| action.to_s }
-
-    return actions.include?("*") || actions.include?(action_name)
-  end
-
-
-  # check if the current path is denied
-  def acl_path_denied?
-    paths  = @_aclize_acl[:paths][:deny] || []
-    denied = false
-
-    paths.each do |path|
-      denied ||= !request.path_info.match(Regexp.new("^#{path}$")).nil?
-      break if denied
-    end
-
-    return denied
-  end
-
-
-  # check if the current path is allowed
-  def acl_path_allowed?
-    paths  = @_aclize_acl[:paths][:allow] || []
-    allowed = false
-
-    paths.each do |path|
-      allowed ||= !request.path_info.match(Regexp.new("^#{path}$")).nil?
-      break if allowed
-    end
-
-    return allowed
-  end
-
-
   # register a callback to call when the user is not authorized to access the page
   def register_callback(&block)
     @_aclize_callback = block

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aclize
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Groza Sergiu
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2015-11-19 00:00:00.000000000 Z
+date: 2015-11-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -76,6 +76,10 @@ files:
 - config/locales/en.yml
 - config/locales/it.yml
 - lib/aclize.rb
+- lib/aclize/acl.rb
+- lib/aclize/acl/controllers_registry.rb
+- lib/aclize/acl/paths_registry.rb
+- lib/aclize/acl/role.rb
 - lib/aclize/helper.rb
 - lib/aclize/version.rb
 homepage: https://github.com/serioja90/aclize