action_access 0.0.1

data/Rakefile

@@ -0,0 +1,28 @@
+begin
+  require 'bundler/setup'
+  require 'bundler/gem_tasks'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+require 'rake/testtask'
+
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'ActionAccess'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.md')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+
+task default: :test

data/action_access.gemspec

@@ -0,0 +1,24 @@
+# coding: utf-8
+$:.push File.expand_path('../lib', __FILE__)
+require 'action_access/version'
+
+# Gem description and dependencies
+Gem::Specification.new do |s|
+  s.name          = 'action_access'
+  s.version       = ActionAccess::VERSION
+  s.authors       = ['Matías A. Gagliano']
+  s.email         = ['matias.gagliano@gmail.com']
+  s.homepage      = 'https://github.com/matiasgagliano/action_access'
+  s.summary       = 'Access control system for Ruby on Rails.'
+  s.description   = 'Easy and modular way to secure applications and handle permissions.'
+  s.license       = 'MIT'
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- test/*`.split("\n")
+  s.require_paths = ['lib']
+
+  s.add_dependency 'rails', '~> 4.1'
+
+  s.add_development_dependency 'sqlite3'
+end
+

data/lib/action_access.rb

@@ -0,0 +1,14 @@
+require 'singleton'
+require 'action_access/version'
+require 'action_access/railtie'
+
+module ActionAccess
+  extend ActiveSupport::Autoload
+
+  eager_autoload do
+    autoload :Keeper
+    autoload :ControllerAdditions
+    autoload :ModelAdditions
+    autoload :UserUtilities
+  end
+end

data/lib/action_access/controller_additions.rb

@@ -0,0 +1,75 @@
+module ActionAccess
+  module ControllerAdditions
+    module ClassMethods
+      # Lock actions by default, they won't be accessible unless authorized.
+      # It takes the same options as filter callbacks.
+      def lock_access(options = {})
+        before_action :validate_access!, options
+      end
+
+      # Is this controller locked?
+      def access_locked?
+        filters = _process_action_callbacks.collect(&:filter)
+        :validate_access!.in? filters
+      end
+
+      # Set an access rule for the current controller.
+      # It will automatically lock the controller if it wasn't already.
+      #
+      # == Example:
+      # Add the following to ArticlesController to allow admins to edit articles.
+      #   let :admin, [:edit, :update]
+      #
+      def let(clearance_level, permissions)
+        lock_access unless access_locked?
+        keeper = ActionAccess::Keeper.instance
+        keeper.let clearance_level, permissions, self
+      end
+    end
+
+
+    def self.included(base)
+      base.extend ClassMethods
+      base.helper_method :keeper
+    end
+
+
+    private
+
+      # Helper to access Keeper's instance.
+      def keeper
+        ActionAccess::Keeper.instance
+      end
+
+      # Clearance level of the current user (override to customize).
+      def current_clearance_level
+        if defined? current_user and current_user.respond_to?(:clearance_level)
+          current_user.clearance_level.to_s.to_sym
+        else
+          :guest
+        end
+      end
+
+      # Default path to redirect any non authorized access (override to customize).
+      def unauthorized_access_redirection_path
+        root_path
+      end
+
+      # Validate access to the current route.
+      def validate_access!
+        clearance_level = current_clearance_level
+        action = self.action_name
+        not_authorized! unless keeper.lets? clearance_level, action, self.class
+      end
+
+      # Redirect if not authorized.
+      # May be used inside action methods for finer control.
+      def not_authorized!(*args)
+        options = args.extract_options!
+        message = options[:message] ||
+          I18n.t('action_access.redirection_message', default: 'Not authorized.')
+        path = options[:path] || unauthorized_access_redirection_path
+        redirect_to path, alert: message
+      end
+  end
+end

data/lib/action_access/keeper.rb

@@ -0,0 +1,90 @@
+module ActionAccess
+  class Keeper
+    include Singleton
+
+    def initialize
+      @rules = {}
+    end
+
+    # Set clearance to perform actions over a resource.
+    #
+    # Clearance level and resource can be either plural or singular.
+    #
+    # == Examples:
+    #   let :user, :show, :profile
+    #   let :user, :show, @profile
+    #   let :user, :show, ProfilesController
+    #   # Any user can can access 'profiles#show'.
+    #
+    #   let :admins, [:edit, :update], :articles, namespace: :admin
+    #   let :admins, [:edit, :update], @admin_article
+    #   let :admins, [:edit, :update], Admin::ArticlesController
+    #   # Admins can access 'admin/articles#edit' and 'admin/articles#update'.
+    #
+    def let(clearance_level, actions, resource, options = {})
+      clearance_level = clearance_level.to_s.singularize.to_sym
+      actions = Array(actions).map(&:to_sym)
+      controller = get_controller_name(resource, options)
+      @rules[controller] ||= {}
+      @rules[controller][clearance_level] = actions
+      return nil
+    end
+
+    # Check if a given clearance level allows to perform certain action on a resource.
+    #
+    # Clearance level and resource can be either plural or singular.
+    #
+    # Examples:
+    #   lets? :users, :create, :profiles
+    #   lets? :users, :create, @profile
+    #   lets? :users, :create, ProfilesController
+    #   # True if users are allowed to access 'profiles#create'.
+    #
+    #   lets? :admin, :edit, :article, namespace: :admin
+    #   lets? :admin, :edit, @admin_article
+    #   lets? :admin, :edit, Admin::ArticlesController
+    #   # True if any admin is allowed to access 'admin/articles#edit'.
+    #
+    def lets?(clearance_level, action, resource, options = {})
+      clearance_level = clearance_level.to_s.singularize.to_sym
+      action = action.to_sym
+      controller = get_controller_name(resource, options)
+
+      # Load the controller to ensure its rules are loaded (lazy loading rules).
+      controller.constantize.new
+      rules = @rules[controller]
+      return false unless rules
+
+      # Check rules
+      Array(rules[:all]).include?(:all)               ||
+      Array(rules[:all]).include?(action)             ||
+      Array(rules[clearance_level]).include?(:all)    ||
+      Array(rules[clearance_level]).include?(action)
+    end
+
+
+    private
+
+      def get_controller_name(resource, options = {})
+        # Assume a controller if given a class
+        return resource.name if resource.is_a? Class
+
+        # Assume a model instance if not a string or symbol
+        unless resource.is_a?(String) || resource.is_a?(Symbol)
+          resource = resource.class.name
+        end
+
+        # Build controller name
+        path = options[:namespace].to_s.split(/::|\//).reject(&:blank?).map(&:camelize)
+        path << resource.to_s.camelize.pluralize + 'Controller'
+        controller = path.join('::')
+
+        # Make sure that the controller exists.
+        # Will throw a NameError exception if resource and/or namespace are wrong.
+        controller.constantize
+
+        # Return controller name
+        return controller
+      end
+  end
+end

data/lib/action_access/model_additions.rb

@@ -0,0 +1,14 @@
+module ActionAccess
+  module ModelAdditions
+    module ClassMethods
+      # Add Action Access user related utilities to the current model.
+      def add_access_utilities
+        include ActionAccess::UserUtilities
+      end
+    end
+
+    def self.included(base)
+      base.extend ClassMethods
+    end
+  end
+end

data/lib/action_access/railtie.rb

@@ -0,0 +1,19 @@
+module ActionAccess
+  class Railtie < Rails::Railtie
+    config.eager_load_namespaces << ActionAccess
+
+    initializer 'action_access.controller_additions' do
+      # Extend ActionController::Base
+      ActiveSupport.on_load :action_controller do
+        include ControllerAdditions
+      end
+    end
+
+    initializer 'action_access.model_additions' do
+      # Extend ActiveRecord::Base
+      ActiveSupport.on_load :active_record do
+        include ModelAdditions
+      end
+    end
+  end
+end

data/lib/action_access/user_utilities.rb

@@ -0,0 +1,39 @@
+module ActionAccess
+  module UserUtilities
+    # Check if the user is authorized to perform a given action.
+    #
+    # Resource can be either plural or singular.
+    #
+    # == Examples:
+    #   user.can? :show, :articles
+    #   user.can? :show, @article
+    #   user.can? :show, ArticlesController
+    #   # True if the user's clearance level allows to access 'articles#show'
+    #
+    #   user.can? :edit, :articles, namespace: :admin
+    #   user.can? :edit, @admin_article
+    #   user.can? :edit, Admin::ArticlesController
+    #   # True if the user's clearance level allows to access 'admin/articles#edit'
+    #
+    def can?(action, resource, options = {})
+      keeper = ActionAccess::Keeper.instance
+      keeper.lets? clearance_level, action, resource, options
+    end
+
+
+    private
+
+      # Accessor for the user's clearance level.
+      #
+      # Must be overridden to set the proper clearance level.
+      #
+      # == Example:
+      #   def clearance_level
+      #     role.name
+      #   end
+      #
+      def clearance_level
+        :guest
+      end
+  end
+end

data/lib/action_access/version.rb

@@ -0,0 +1,3 @@
+module ActionAccess
+  VERSION = '0.0.1'
+end

data/test/action_access_test.rb

@@ -0,0 +1,21 @@
+require 'test_helper'
+require 'support/compact_environment'
+
+class ActionAccessTest < ActiveSupport::TestCase
+  test "unauthorized accesses aren't allowed" do
+    assert_equal false, keeper.lets?(:user, :edit, :posts)
+    assert_equal false, keeper.lets?(:user, :edit, :posts, namespace: :admin)
+  end
+
+  test "authorized accesses are allowed" do
+    keeper.let :editor, [:edit, :update], :posts
+    assert_equal true, keeper.lets?(:editor, :edit, :posts)
+    assert_equal true, keeper.lets?(:editor, :update, :posts)
+  end
+
+  test "authorized accesses within namespaces are allowed" do
+    keeper.let :admin, [:new, :create], :posts, namespace: :admin
+    assert_equal true, keeper.lets?(:admin, :new, :posts, namespace: :admin)
+    assert_equal true, keeper.lets?(:admin, :create, :posts, namespace: :admin)
+  end
+end

data/test/controllers/articles_controller_test.rb

@@ -0,0 +1,41 @@
+require 'test_helper'
+
+class ArticlesControllerTest < ActionController::TestCase
+  test "any access with no clearance level gets redirected" do
+    # Undefined role
+    get :new
+    assert_redirected_to root_url
+
+    post :create
+    assert_redirected_to root_url
+  end
+
+  test "any access with undefined clearance level gets redirected" do
+    # The role doesn't exist (undefined)
+    get :new, nil, {role: :super}
+    assert_redirected_to root_url
+
+    post :create, nil, {role: :super}
+    assert_redirected_to root_url
+  end
+
+  test "any unauthorized access gets redirected" do
+    # The roles exist but aren't authorized.
+    get :new, nil, {role: :user}
+    assert_redirected_to root_url
+
+    post :create, nil, {role: :editor}
+    assert_redirected_to root_url
+  end
+
+  test "authorized accesses aren't redirected" do
+    get :new, nil, {role: :admin}        # Admins can create articles
+    assert_response :success
+
+    get :edit, {id: 1}, {role: :editor}  # Editors can edit articles
+    assert_response :success
+
+    get :show, {id: 1}, {role: :user}    # Users can view articles
+    assert_response :success
+  end
+end

data/test/controllers/secrets_controller_test.rb

@@ -0,0 +1,10 @@
+require 'test_helper'
+
+class SecretsControllerTest < ActionController::TestCase
+  test "controllers are locked by default" do
+    # Test that the "lock_access" call in ApplicationController works properly.
+    # There are no access rules in SecretsController but it should be locked anyway.
+    get :index, nil, {role: :admin}
+    assert_redirected_to root_url
+  end
+end

data/test/controllers/static_controller_test.rb

@@ -0,0 +1,15 @@
+require 'test_helper'
+
+class StaticControllerTest < ActionController::TestCase
+  # Test that the :all key works properly
+  test "anyone can do anything" do
+    get :home, nil, {role: :admin}
+    assert_response :success
+
+    get :home, nil, {role: :undefined}
+    assert_response :success
+
+    get :home
+    assert_response :success
+  end
+end

data/test/dummy/README.rdoc

@@ -0,0 +1,28 @@
+== README
+
+This README would normally document whatever steps are necessary to get the
+application up and running.
+
+Things you may want to cover:
+
+* Ruby version
+
+* System dependencies
+
+* Configuration
+
+* Database creation
+
+* Database initialization
+
+* How to run the test suite
+
+* Services (job queues, cache servers, search engines, etc.)
+
+* Deployment instructions
+
+* ...
+
+
+Please feel free to use a different markup language if you do not plan to run
+<tt>rake doc:app</tt>.