action_access 0.0.3 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 8064bbe60e63e09b2aff74ea089abdf60d3bfaf9
-  data.tar.gz: 4e4568f7bf4292c9e83c314b6dc21ce2db04cdd1
+  metadata.gz: 3018e5d68f21d4a6f66e15a29edc67b654b8f82a
+  data.tar.gz: 0cf2e285d1f2116733bb9ec8c5e99862de9b300a
 SHA512:
-  metadata.gz: f1ee3d030dafa6cff846430ec1ac922c2dea3ced3082eb6f07087df49c2e13c6068d1cda14d1120c8c9892f116ae55cb2e078a2b3359bbe1aad2ca14fd32829f
-  data.tar.gz: a889877401c7eb09577c8b29cc8387f36b404c5fc8a0a13d2f1e7ab0e1bcc1fd0c386bb8cc8a0dedb6d234c9cf6111867b36b06c3c5a3d5c8f4bce8a78d7ebf7
+  metadata.gz: daa68edbd6d9f3a91e96d20c4e4e957eb7873b637eac6b0639b20d83069a9d2187152d005a059c34e68512c0be3bded5143f91d8b72919d6e4fd6bec0156f141
+  data.tar.gz: 4578a0f74cf68ab2b9687a710b36991b950073cddfcaf7b31cdcae37444407cc3f755592c9eb481d38a375b3540f7861d4dbbe91698f73a14a7e4f2db1a965ed

data/CHANGELOG.md

@@ -0,0 +1,34 @@
+Changelog
+=========
+
+0.1.0
+-----
+
+**Features:**
+
+- Support sessions with multiple clearance levels (e.g. users with many roles).
+- Avoid repetition when defining clearance levels with the same permissions.
+
+**API:**
+
+- Use `current_clearance_levels` (plural) instead of `current_clearance_level`.
+- Use `clearance_levels` (plural) instead of `clearance_level` (model method).
+
+
+0.0.3
+-----
+
+- Update dependencies.
+- Support Rails 2.2.2.
+
+
+0.0.2
+-----
+
+- Speed up tests with in-memory database.
+
+
+0.0.1
+-----
+
+- Initial release.

data/CONTRIBUTING.md

@@ -1,24 +1,29 @@
 ## Please read before contributing
 
 1. If you have questions about Action Access, use the
-[Mailing List](https://groups.google.com/d/forum/action_access),
-[Gitter's chat](https://gitter.im/matiasgagliano/action_access) or
-[Stack Overflow](https://stackoverflow.com/questions/tagged/action_access).
-**DO NOT** post questions here.
+   [Mailing List](https://groups.google.com/d/forum/action_access),
+   [Gitter's chat](https://gitter.im/matiasgagliano/action_access) or
+   [Stack Overflow](https://stackoverflow.com/questions/tagged/action_access).
+   **DO NOT** post questions here.
 
 2. If you find a security bug, **DO NOT** submit an issue here.
-Please send an e-mail to [mgag.issues@gmail.com](mailto:mgag.issues@gmail.com)
-instead.
+   Please send an e-mail to [mgag.issues@gmail.com](mailto:mgag.issues@gmail.com)
+   instead.
 
 3. Do a small search on the issues tracker before submitting your issue to
-see if it was already reported or fixed. In case it wasn't, create your report
-with a **clear description** of the issue and a **code sample** that
-demonstrates it. Include Rails and Action Access versions, and as much relevant
-information as possible. Tests or a sample application showing how the
-expected behavior is not occurring will be much appreciated.
+   see if it was already reported or fixed. In case it wasn't, create your
+   report with a **clear description** of the issue and a **code sample** that
+   demonstrates it. Include Rails and Action Access versions, and as much
+   relevant information as possible. Tests or a sample application showing how
+   the expected behavior is not occurring will be much appreciated.
 
-The more information you give, the easier it becomes to track the issue and fix
-it. Your goal should be to make it easy for yourself and others to replicate
-the bug and figure out a fix.
+   The more information you give, the easier it becomes to track the issue and
+   fix it. Your goal should be to make it easy for yourself and others to
+   replicate the bug and figure out a fix.
+
+4. **ALWAYS** open an issue (issue tracker) before submitting a pull request to
+   discuss the changes and the best ways to implement them, it won't be accepted
+   otherwise. Describe your proposal, why is it relevant? For which cases are
+   those changes or new features needed?
 
 Thanks for your time and support!

data/Gemfile.lock

@@ -1,94 +1,94 @@
 PATH
   remote: .
   specs:
-    action_access (0.0.3)
+    action_access (0.1.0)
       rails (~> 4.1)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actionmailer (4.2.2)
-      actionpack (= 4.2.2)
-      actionview (= 4.2.2)
-      activejob (= 4.2.2)
+    actionmailer (4.2.4)
+      actionpack (= 4.2.4)
+      actionview (= 4.2.4)
+      activejob (= 4.2.4)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 1.0, >= 1.0.5)
-    actionpack (4.2.2)
-      actionview (= 4.2.2)
-      activesupport (= 4.2.2)
+    actionpack (4.2.4)
+      actionview (= 4.2.4)
+      activesupport (= 4.2.4)
       rack (~> 1.6)
       rack-test (~> 0.6.2)
       rails-dom-testing (~> 1.0, >= 1.0.5)
-      rails-html-sanitizer (~> 1.0, >= 1.0.1)
-    actionview (4.2.2)
-      activesupport (= 4.2.2)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    actionview (4.2.4)
+      activesupport (= 4.2.4)
       builder (~> 3.1)
       erubis (~> 2.7.0)
       rails-dom-testing (~> 1.0, >= 1.0.5)
-      rails-html-sanitizer (~> 1.0, >= 1.0.1)
-    activejob (4.2.2)
-      activesupport (= 4.2.2)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    activejob (4.2.4)
+      activesupport (= 4.2.4)
       globalid (>= 0.3.0)
-    activemodel (4.2.2)
-      activesupport (= 4.2.2)
+    activemodel (4.2.4)
+      activesupport (= 4.2.4)
       builder (~> 3.1)
-    activerecord (4.2.2)
-      activemodel (= 4.2.2)
-      activesupport (= 4.2.2)
+    activerecord (4.2.4)
+      activemodel (= 4.2.4)
+      activesupport (= 4.2.4)
       arel (~> 6.0)
-    activesupport (4.2.2)
+    activesupport (4.2.4)
       i18n (~> 0.7)
       json (~> 1.7, >= 1.7.7)
       minitest (~> 5.1)
       thread_safe (~> 0.3, >= 0.3.4)
       tzinfo (~> 1.1)
-    arel (6.0.0)
+    arel (6.0.3)
     builder (3.2.2)
     erubis (2.7.0)
-    globalid (0.3.5)
+    globalid (0.3.6)
       activesupport (>= 4.1.0)
     i18n (0.7.0)
     json (1.8.3)
-    loofah (2.0.2)
+    loofah (2.0.3)
       nokogiri (>= 1.5.9)
     mail (2.6.3)
       mime-types (>= 1.16, < 3)
-    mime-types (2.6.1)
+    mime-types (2.6.2)
     mini_portile (0.6.2)
-    minitest (5.7.0)
+    minitest (5.8.1)
     nokogiri (1.6.6.2)
       mini_portile (~> 0.6.0)
     rack (1.6.4)
     rack-test (0.6.3)
       rack (>= 1.0)
-    rails (4.2.2)
-      actionmailer (= 4.2.2)
-      actionpack (= 4.2.2)
-      actionview (= 4.2.2)
-      activejob (= 4.2.2)
-      activemodel (= 4.2.2)
-      activerecord (= 4.2.2)
-      activesupport (= 4.2.2)
+    rails (4.2.4)
+      actionmailer (= 4.2.4)
+      actionpack (= 4.2.4)
+      actionview (= 4.2.4)
+      activejob (= 4.2.4)
+      activemodel (= 4.2.4)
+      activerecord (= 4.2.4)
+      activesupport (= 4.2.4)
       bundler (>= 1.3.0, < 2.0)
-      railties (= 4.2.2)
+      railties (= 4.2.4)
       sprockets-rails
     rails-deprecated_sanitizer (1.0.3)
       activesupport (>= 4.2.0.alpha)
-    rails-dom-testing (1.0.6)
+    rails-dom-testing (1.0.7)
       activesupport (>= 4.2.0.beta, < 5.0)
       nokogiri (~> 1.6.0)
       rails-deprecated_sanitizer (>= 1.0.1)
     rails-html-sanitizer (1.0.2)
       loofah (~> 2.0)
-    railties (4.2.2)
-      actionpack (= 4.2.2)
-      activesupport (= 4.2.2)
+    railties (4.2.4)
+      actionpack (= 4.2.4)
+      activesupport (= 4.2.4)
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
     rake (10.4.2)
-    sprockets (3.2.0)
-      rack (~> 1.0)
-    sprockets-rails (2.3.1)
+    sprockets (3.4.0)
+      rack (> 1, < 3)
+    sprockets-rails (2.3.3)
       actionpack (>= 3.0)
       activesupport (>= 3.0)
       sprockets (>= 2.8, < 4.0)

data/README.md

@@ -6,7 +6,7 @@ Action Access is an access control system for Ruby on Rails. It provides a
 modular and easy way to secure applications and handle permissions.
 
 It works at controller level focusing on what **actions** are accessible for
-the current user instead of handling models and their attributes.
+the current user instead of messing with models and their attributes.
 
 It also provides utilities for thorough control and some useful view helpers.
 
@@ -24,45 +24,62 @@ gem 'action_access'
 
 ## Basic configuration
 
-The most important setting is the way to get the **clearance level** (role,
-user group, etc.), other than that it works out of the box.
+The most important setting is how to get the **clearance levels** (roles,
+credentials, user groups, etc.) for the current session, other than that it
+works out of the box.
 
 Action Access doesn't require users or authentication at all to function so
 you can get creative with the way you set and identify clearance levels.
 
-It only needs a `current_clearance_level` method that returns the proper
-clearance level for the current request. It can be a string or symbol and
-it doesn't matter if it's singular or plural, it'll be singularized.
+It only needs a `current_clearance_levels` method that returns the
+clearance levels granted for the current request. It can be a single clearance
+level (string or symbol) or a list of them (array), and it doesn't matter if
+they're singular or plural (they'll be singularized).
 
   * With `current_user`:
 
-    The default `current_clearance_level` method tests if it can get
-    `current_user.clearance_level` and defaults to `:guest` if not.
+    The default `current_clearance_levels` method tests if it can get
+    `current_user.clearance_levels` and defaults to `:guest` if not.
 
     So, if you already have a `current_user` method you just need to add a
-    `clearance_level` method to the user. With a role based authorization you
+    `clearance_levels` method to the user. With a role based authorization you
     may add the following to your `User` model:
 
     ```ruby
     class User < ActiveRecord::Base
       belongs_to :role
 
-      def clearance_level
+      def clearance_levels
+        # Single role name
         role.name
       end
     end
     ```
 
+    or
+
+    ```ruby
+    class User < ActiveRecord::Base
+      has_and_belongs_to_many :roles
+
+      def clearance_levels
+        # Array of role names
+        roles.pluck(:name)
+      end
+    end
+    ```
+
+
   * No `current_user`:
 
-    If there's no `current_user` you need to override `current_clearance_level`
-    with whatever logic that applies to your application.
+    If there's no `current_user` you need to override `current_clearance_levels`
+    with whatever logic applies to your application.
 
     Continuing with the role based example, you might do something like this:
 
     ```ruby
     class ApplicationController < ActionController::Base
-      def current_clearance_level
+      def current_clearance_levels
         session[:role] || :guest
       end
     end
@@ -72,8 +89,8 @@ it doesn't matter if it's singular or plural, it'll be singularized.
 ## Setting permissions
 
 Permissions are set through authorization statements using the **let** class
-method available in every controller. The first parameter is the clearance
-level (plural or singular) and the second is the action or list of actions.
+method available in every controller. It takes the clearance levels (plural or
+singular) first and the action or list of actions (array) as the last parameter.
 
 As a simple example, to allow administrators (and only administrators in this
 case) to delete articles you'd add the following to `ArticlesController`:
@@ -94,12 +111,14 @@ This will automatically **lock** the controller and only allow administrators
 accessing the destroy action. **Every other request** pointing to the controller
 **will be rejected** and redirected with an alert.
 
+
 ### Real-life example:
 
 ```ruby
 class ArticlesController < ApplicationController
   let :admins, :all
-  let :editors, [:index, :show, :edit, :update]
+  let :editors, :reviewers, [:edit, :update]
+  let :editors, :destroy
   let :all, [:index, :show]
 
   def index
@@ -112,21 +131,27 @@ end
 
 These statements lock the controller and set the following:
  * _Administrators_ (admins) are authorized to access any action.
- * _Editors_ can list, view and edit articles.
+ * _Editors_ can list, view, edit and destroy articles (can't create).
+ * _Reviewers_ can list, view and edit articles.
  * _Anyone else_ can **only** list and view articles.
 
 This case uses the special keyword `:all`, it means everyone if passed as the
-first argument or every action if passed as the second one.
+first argument or every action if passed as the last one.
 
 Again, any unauthorized request will be rejected and redirected with an alert.
 
+
 ### Note about clearance levels
 
 Notice that in the previous examples we didn't need to define clearance levels
-or roles anywhere else in the application. With the authorization statement you
-both **define** them and **set their permissions**. The only requirement is
-that the clearance levels from the authorizations match the one returned by
-`current_clearance_level`.
+or roles anywhere else in the application. With the authorization statements
+you both **define** them and **set their permissions**. The only requirement is
+that the clearance levels from the authorizations match at least one from the
+list returned by `current_clearance_levels`.
+
+This makes it easier to embrace modular designs, makes controllers
+self-contained because everything related to a controller is within the
+controller and avoids leaving unnecessary or unused code after refactoring.
 
 
 ## Advanced configuration
@@ -151,6 +176,7 @@ end
 To **unlock** a single controller (to make it "public") add `let :all, :all`,
 this will allow anyone to access any action in the controller.
 
+
 ### Redirection path
 
 By default any unauthorized (or not explicitly authorized) access will be
@@ -162,18 +188,21 @@ very clear `unauthorized_access_redirection_path` method.
 ```ruby
 class ApplicationController < ActionController::Base
 
-  def unathorized_access_redirection_path
-    case current_user.clearance_level.to_sym
-      when :admin then admin_root_path
-      when :user  then user_root_path
-      else root_path
-    end
+  def unauthorized_access_redirection_path
+    # Ensure an array of symbols
+    clearance_levels = Array(current_user.clearance_levels).map(&:to_sym)
+
+    # Choose a redirection path
+    return admin_root_path if clearance_levels.include?(:admin)
+    return user_root_path  if clearance_levels.include?(:user)
+    root_path
   end
 
   # ...
 end
 ```
 
+
 ### Alert message
 
 Redirections have a default alert message of "Not authorized.". To customize it
@@ -215,6 +244,7 @@ end
 There are better ways to handle this particular case but it serves to outline
 the use of `not_authorized!` inside actions.
 
+
 ### Model additions
 
 Action Access is bundled with some model utilities too. By calling
@@ -233,20 +263,24 @@ of the resource and the namespace (optional). In the end it returns a boolean.
 @user.can? :edit, :articles, namespace: :admin
 @user.can? :edit, @admin_article                       # Admin::Article instance
 @user.can? :edit, Admin::ArticlesController
-# True if the user's clearance level allows her to access 'admin/articles#edit'.
+# True if the user's clearance levels allow her to access 'admin/articles#edit'.
 ```
 
-`can?` depends on a `clearance_level` method in the model so don't forget it.
-Continuing with the `User` model from before:
+Just like the default `current_clearance_levels` in controllers, `can?`
+depends on the `clearance_levels` method in the model too.
+
+Following up the `User` model from before:
 
 ```ruby
 class User < ActiveRecord::Base
   add_access_utilities
 
-  belongs_to :role
+  has_and_belongs_to_many :roles
 
-  def clearance_level
-    role.name
+  # Don't forget this!
+  def clearance_levels
+    # Array of role names
+    roles.pluck(:name)
   end
 end
 ```
@@ -264,12 +298,12 @@ permissions and who decides if a clearance level grants access or not.
 
 It's available as `keeper` within controllers and views and as
 `ActionAccess::Keeper.instance` anywhere else. You can use it to check
-permissions with the `lets?` method, which takes the clearance level as the
-first argument and the rest are the same as for `can?`.
+permissions with the `lets?` method, which takes the clearance level (only one)
+as the first argument and the rest are the same as for `can?`.
 
 ```ruby
-# Filter a list of users to only those allowed to edit articles.
-@users.select { |user| keeper.lets? user.role.name, :edit, :articles }
+# Filter a list of roles to only those that allow to edit articles.
+roles.select { |role| keeper.lets? role, :edit, :articles }
 ```
 
 
@@ -282,4 +316,12 @@ Copyright (c) 2014 Matías A. Gagliano.
 
 ## Contributing
 
-See [CONTRIBUTING.md](CONTRIBUTING.md).
+If you have *questions*, found an *issue* or want to submit a *pull request* you
+must read the [CONTRIBUTING file](CONTRIBUTING.md).
+
+- **DO NOT** use the issue tracker for **questions** or to require help, there
+are other means for that (see the CONTRIBUTING file).
+
+- **ALWAYS** open an issue before submitting a **pull request**, it won't be
+accepted otherwise. Discussing changes beforehand will make your work much
+more relevant.

data/action_access.gemspec

@@ -23,4 +23,3 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'bundler', '~> 1.6'
   s.add_development_dependency 'rake', '~> 10.0'
 end
-

data/lib/action_access/controller_additions.rb

@@ -16,14 +16,32 @@ module ActionAccess
       # Set an access rule for the current controller.
       # It will automatically lock the controller if it wasn't already.
       #
+      #
+      # == Parameters
+      #
+      # +clearance_levels+:: single clearance level (string or symbol) or list
+      #   of them (list of parameters or array), either singular or plural.
+      #   Accepts the special keyword +:all+ (every clearance level, even none).
+      #
+      # +permissions+:: controller action (string or symbol) or list of them (array).
+      #   Accepts the special keyword +:all+ (every action in the controller).
+      #
+      #
       # == Example:
-      # Add the following to ArticlesController to allow admins to edit articles.
-      #   let :admin, [:edit, :update]
       #
-      def let(clearance_level, permissions)
+      #   class ArticlesControler < ApplicationController
+      #     let :admins, :all                           # admins can do anything
+      #     let :editors, :reviewers, [:edit, :update]  # editors and reviewers can edit articles
+      #     let :all, [:index, :show]                   # anyone can view articles
+      #
+      #     # ...
+      #   end
+      #
+      def let(*clearance_levels, permissions)
         lock_access unless access_locked?
         keeper = ActionAccess::Keeper.instance
-        keeper.let clearance_level, permissions, self
+        clearance_levels = Array(clearance_levels).flatten
+        clearance_levels.each { |c| keeper.let c, permissions, self }
       end
     end
 
@@ -41,10 +59,19 @@ module ActionAccess
         ActionAccess::Keeper.instance
       end
 
-      # Clearance level of the current user (override to customize).
-      def current_clearance_level
-        if defined? current_user and current_user.respond_to?(:clearance_level)
-          current_user.clearance_level.to_s.to_sym
+      # Current user's clearance levels (override to customize).
+      def current_clearance_levels
+        # Notify deprecation of `current_clearance_level` (singular)
+        if defined? current_clearance_level
+          ActiveSupport::Deprecation.warn \
+            '[Action Access] The use of "current_clearance_level" '   +
+            'is going to be deprecated in the next release, rename ' +
+            'it to "current_clearance_levels" (plural).'
+          return current_clearance_level
+        end
+
+        if defined?(current_user) and current_user.respond_to?(:clearance_levels)
+          current_user.clearance_levels
         else
           :guest
         end
@@ -57,9 +84,10 @@ module ActionAccess
 
       # Validate access to the current route.
       def validate_access!
-        clearance_level = current_clearance_level
         action = self.action_name
-        not_authorized! unless keeper.lets? clearance_level, action, self.class
+        clearance_levels = Array(current_clearance_levels)
+        authorized = clearance_levels.any? { |c| keeper.lets? c, action, self.class }
+        not_authorized! unless authorized
       end
 
       # Redirect if not authorized.

data/lib/action_access/keeper.rb

@@ -7,10 +7,10 @@ module ActionAccess
     end
 
     # Set clearance to perform actions over a resource.
-    #
     # Clearance level and resource can be either plural or singular.
     #
     # == Examples:
+    #
     #   let :user, :show, :profile
     #   let :user, :show, @profile
     #   let :user, :show, ProfilesController
@@ -26,15 +26,17 @@ module ActionAccess
       actions = Array(actions).map(&:to_sym)
       controller = get_controller_name(resource, options)
       @rules[controller] ||= {}
-      @rules[controller][clearance_level] = actions
+      @rules[controller][clearance_level] ||= []
+      @rules[controller][clearance_level] += actions
+      @rules[controller][clearance_level].uniq!
       return nil
     end
 
-    # Check if a given clearance level allows to perform certain action on a resource.
-    #
+    # Check if a given clearance level allows to perform an action on a resource.
     # Clearance level and resource can be either plural or singular.
     #
     # == Examples:
+    #
     #   lets? :users, :create, :profiles
     #   lets? :users, :create, @profile
     #   lets? :users, :create, ProfilesController

data/lib/action_access/user_utilities.rb

@@ -1,39 +1,54 @@
 module ActionAccess
   module UserUtilities
     # Check if the user is authorized to perform a given action.
-    #
     # Resource can be either plural or singular.
     #
     # == Examples:
+    #
     #   user.can? :show, :articles
     #   user.can? :show, @article
     #   user.can? :show, ArticlesController
-    #   # True if the user's clearance level allows to access 'articles#show'
+    #   # True if any of the user's clearance levels allows to access 'articles#show'
     #
     #   user.can? :edit, :articles, namespace: :admin
     #   user.can? :edit, @admin_article
     #   user.can? :edit, Admin::ArticlesController
-    #   # True if the user's clearance level allows to access 'admin/articles#edit'
+    #   # True if any of the user's clearance levels allows to access 'admin/articles#edit'
     #
     def can?(action, resource, options = {})
       keeper = ActionAccess::Keeper.instance
-      keeper.lets? clearance_level, action, resource, options
+      clearance_levels = Array(clearance_levels())
+      clearance_levels.any? { |c| keeper.lets? c, action, resource, options }
     end
 
 
-    private
-
-      # Accessor for the user's clearance level.
-      #
-      # Must be overridden to set the proper clearance level.
-      #
-      # == Example:
-      #   def clearance_level
-      #     role.name
-      #   end
-      #
-      def clearance_level
-        :guest
+    # Accessor for the user's clearance levels.
+    #
+    # Must be *overridden* to set the proper clearance levels.
+    #
+    # == Examples:
+    #
+    #   # Single clearance level (returns string)
+    #   def clearance_levels
+    #     role.name
+    #   end
+    #
+    #   # Multiple clearance levels (returns array)
+    #   def clearance_levels
+    #     roles.pluck(:name)
+    #   end
+    #
+    def clearance_levels
+      # Notify deprecation of `clearance_level` (singular)
+      if defined? clearance_level
+        ActiveSupport::Deprecation.warn \
+          '[Action Access] The use of "clearance_level" in models ' +
+          'is going to be deprecated in the next release, rename ' +
+          'it to "clearance_levels" (plural).'
+        return clearance_level
       end
+
+      :guest
+    end
   end
 end

data/lib/action_access/version.rb

@@ -1,3 +1,3 @@
 module ActionAccess
-  VERSION = '0.0.3'
+  VERSION = '0.1.0'
 end

data/test/controllers/articles_controller_test.rb

@@ -1,7 +1,7 @@
 require 'test_helper'
 
 class ArticlesControllerTest < ActionController::TestCase
-  test "any access with no clearance level gets redirected" do
+  test "accesses with no clearance level get redirected" do
     # Undefined role
     get :new
     assert_redirected_to root_url
@@ -10,32 +10,54 @@ class ArticlesControllerTest < ActionController::TestCase
     assert_redirected_to root_url
   end
 
-  test "any access with undefined clearance level gets redirected" do
-    # The role doesn't exist (undefined)
-    get :new, nil, {role: :super}
+  test "accesses with undefined clearance level get redirected" do
+    # The role doesn't exist (haven't been defined)
+    get :new, nil, {roles: :root}
     assert_redirected_to root_url
 
-    post :create, nil, {role: :super}
+    post :create, nil, {roles: :root}
     assert_redirected_to root_url
   end
 
-  test "any unauthorized access gets redirected" do
+  test "unauthorized accesses get redirected" do
     # The roles exist but aren't authorized.
-    get :new, nil, {role: :user}
+    post :create, nil, {roles: :editor}
     assert_redirected_to root_url
 
-    post :create, nil, {role: :editor}
+    get :edit, {id: 1}, {roles: :user}
     assert_redirected_to root_url
   end
 
   test "authorized accesses aren't redirected" do
-    get :new, nil, {role: :admin}        # Admins can create articles
+    get :new, nil, {roles: :admin}
     assert_response :success
 
-    get :edit, {id: 1}, {role: :editor}  # Editors can edit articles
+    get :edit, {id: 1}, {roles: :editor}
+    assert_response :success
+  end
+
+  test "many clearance levels can be defined in one statement" do
+    get :index, nil, {roles: :editor}
     assert_response :success
 
-    get :show, {id: 1}, {role: :user}    # Users can view articles
+    get :index, nil, {roles: :cleaner}
     assert_response :success
+
+    get :index, nil, {roles: :user}
+    assert_response :success
+  end
+
+  test "users can have many clearance levels" do
+    post :create, nil, {roles: [:editor, :cleaner]}
+    assert_redirected_to root_url
+
+    get :index, nil, {roles: [:editor, :cleaner]}
+    assert_response :success
+
+    get :edit, {id: 1}, {roles: [:editor, :cleaner]}
+    assert_response :success
+
+    delete :destroy, {id: 1}, {roles: [:editor, :cleaner]}
+    assert_redirected_to articles_url
   end
 end

data/test/controllers/secrets_controller_test.rb

@@ -4,7 +4,13 @@ class SecretsControllerTest < ActionController::TestCase
   test "controllers are locked by default" do
     # Test that the "lock_access" call in ApplicationController works properly.
     # There are no access rules in SecretsController but it should be locked anyway.
-    get :index, nil, {role: :admin}
+    get :index, nil, {roles: :admin}
+    assert_redirected_to root_url
+
+    get :index, nil, {roles: :editor}
+    assert_redirected_to root_url
+
+    get :index
     assert_redirected_to root_url
   end
 end

data/test/controllers/static_controller_test.rb

@@ -1,12 +1,12 @@
 require 'test_helper'
 
 class StaticControllerTest < ActionController::TestCase
-  # Test that the :all key works properly
+  # Test that the :all keyword works properly
   test "anyone can do anything" do
-    get :home, nil, {role: :admin}
+    get :home, nil, {roles: :admin}
     assert_response :success
 
-    get :home, nil, {role: :undefined}
+    get :home, nil, {roles: :undefined}
     assert_response :success
 
     get :home

data/test/dummy/app/controllers/application_controller.rb

@@ -9,7 +9,7 @@ class ApplicationController < ActionController::Base
 
   private
 
-    def current_clearance_level
-      session[:role] || :guest
+    def current_clearance_levels
+      session[:roles] || :guest
     end
 end

data/test/dummy/app/controllers/articles_controller.rb

@@ -1,7 +1,8 @@
 class ArticlesController < ApplicationController
   let :admin, :all
-  let :editor, [:index, :show, :edit, :update]
-  let :user, [:index, :show]
+  let :editor, [:edit, :update]
+  let :cleaner, :destroy
+  let :editor, :cleaner, :user, [:index, :show]
 
   # GET /articles
   def index

data/test/dummy/app/models/user.rb

@@ -1,7 +1,7 @@
 class User < ActiveRecord::Base
   add_access_utilities
 
-  def clearance_level
-    role
+  def clearance_levels
+    roles.split(',')
   end
 end

data/test/dummy/db/migrate/20140926071026_create_users.rb

@@ -2,7 +2,7 @@ class CreateUsers < ActiveRecord::Migration
   def change
     create_table :users do |t|
       t.string :username
-      t.string :role
+      t.string :roles
 
       t.timestamps null: false
     end

data/test/dummy/db/schema.rb

@@ -13,11 +13,11 @@
 
 ActiveRecord::Schema.define(version: 20140926071026) do
 
-  create_table "users", force: true do |t|
+  create_table "users", force: :cascade do |t|
     t.string   "username"
-    t.string   "role"
-    t.datetime "created_at"
-    t.datetime "updated_at"
+    t.string   "roles"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
   end
 
 end

data/test/models/user_test.rb

@@ -1,22 +1,43 @@
 require 'test_helper'
 
 class UserTest < ActiveSupport::TestCase
-  setup do
-    @admin ||= User.where({ username: 'flynn', role: 'admin' }).first_or_create
-    @user  ||= User.where({ username: 'sam', role: 'user' }).first_or_create
-  end
-
   test "the model gets extended" do
-    assert @user.respond_to? :can?
+    assert user.respond_to? :can?
   end
 
   test "it allows to check permissions" do
     # User
-    assert @user.can?(:show, :articles)
-    assert_not @user.can?(:create, :articles)
+    assert user.can?(:show, :articles)
+    assert_not user.can?(:create, :articles)
 
     # Admin
-    assert @admin.can?(:create, :articles)
-    assert @admin.can?(:edit, :articles)
+    assert admin.can?(:show, :articles)
+    assert admin.can?(:create, :articles)
+  end
+
+  test "users can have more than one role" do
+    # Assert the mixed user is both an 'editor' and a 'cleaner'
+    assert mixed.can?(:show, :articles)     # Editors and cleaners
+    assert mixed.can?(:edit, :articles)     # Editors only
+    assert mixed.can?(:destroy, :articles)  # Cleaners only
+
+    # Assert the mixed user is not an 'admin'
+    assert_not mixed.can?(:new, :articles)
+    assert_not mixed.can?(:create, :articles)
   end
+
+
+  private
+
+    def admin
+      @admin ||= User.where({ username: 'flynn', roles: 'admin' }).first_or_create
+    end
+
+    def mixed
+      @mixed ||= User.where({ username: 'clu', roles: 'editor,cleaner' }).first_or_create
+    end
+
+    def user
+      @user ||= User.where({ username: 'sam', roles: 'user' }).first_or_create
+    end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: action_access
 version: !ruby/object:Gem::Version
-  version: 0.0.3
+  version: 0.1.0
 platform: ruby
 authors:
 - Matías A. Gagliano
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-06-22 00:00:00.000000000 Z
+date: 2015-10-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -75,6 +75,7 @@ extra_rdoc_files: []
 files:
 - ".gitignore"
 - ".travis.yml"
+- CHANGELOG.md
 - CONTRIBUTING.md
 - Gemfile
 - Gemfile.lock