adriand-restful_acl 2.0.7

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2008 Matt Darby
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.textile

@@ -0,0 +1,205 @@
+h2. RESTful_ACL
+
+A Ruby on Rails plugin that provides fine grained access control through the MVC stack to RESTful resources in a Ruby on Rails 2.0+ application. Authorization is as simple as true or false.
+
+This is a fork of "mdarby's version":http://github.com/mdarby/restful_acl/tree/master
+
+h3. Differences From mdarby's version
+
+h4. Handling Resources Accessible As Nested And As Unnested
+
+It handles cases where a logical parent id may not exist in the URL for a resource that is sometimes accessed via a nested route, and sometimes not.
+
+Suppose you provide a nested and an unnested way to access a resource:
+
+<pre>
+map.resources :providers do |provider|
+ provider.resources :locations, :name_prefix => "provider_" 
+end
+map.resources :locations
+</pre>
+
+"Idea for this is outlined here":http://weblog.jamisbuck.org/2007/2/5/nesting-resources
+
+In this case, Location has Provider as its logical parent. However, both of these URLs are acceptable for accessing locations:
+
+/locations (all locations) AND /providers/1/locations (locations scoped down to a particular provider).
+
+Formerly, restful_acl would break in this instance, now, it does not - if a logical parent cannot be determined from the URL, it returns nil as the parent. You will need to check for parent == nil in your authentication methods, in your models.
+
+h4. Added Ability to Specify Class in View Helpers
+
+In restful_acl, you can check for indexable and createable in your views, eg.:
+
+<pre>= link_to "Users", if indexable</pre>
+
+If you are in a view that corresponds with the users controller, this works fine. However, what if you wish to display a link to users somewhere else?
+
+This change allows you to optionally specify the class you are concerned with:
+
+<pre>= link_to "Users", if indexable(User)</pre>
+
+h3. What it does
+
+RESTful_ACL is a simple Access Control Layer for Ruby on Rails. It restricts access on a fine-grained level to any RESTful MVC stack. Every application is different and everyone likes to setup their User / Account / Role resources differently; this plugin will allow you to do your thing and keep that thing locked down.
+
+h3. Requirements
+
+RESTful_ACL requires the super amazing "RESTful_Authentication":https://github.com/technoweenie/restful-authentication plugin.
+
+h3. How to Install
+
+Install the RESTful_ACL gem:
+<pre>sudo gem install adriand-restful_acl -s http://gems.github.com</pre>
+
+Add the gem to your environment.rb file as thus:
+<pre>config.gem "adriand-restful_acl", :lib => 'restful_acl_controller'</pre>
+
+RESTful_ACL requires two named routes: "error" and "denied". Add the following to your routes.rb file:
+<pre>
+  map.error '/error', :controller => 'some_controller', :action => 'error_action'
+  map.denied '/denied', :controller => 'some_controller', :action => 'denied_action'
+</pre>
+
+h3. How to Use
+
+h4. Controllers
+
+Add @before_filter :has_permission?@ into any controller that you'd like to restrict access to (or application_controller.rb for your entire app).
+
+h4. Models
+
+Define a parent resource (if one exists) by using the @logical_parent@ method, and define the following five methods in the model of every resource you'd like to restrict access to. The five methods can contain anything you'd like so long as they return a boolean true or false. This allows you to define your User's roles any way you wish. 
+
+<pre>
+  class Issue < ActiveRecord::Base
+    logical_parent :some_model_name
+    
+    # This method checks permissions for the :index action
+    def self.is_indexable_by(user, parent = nil)
+      
+    end
+
+    # This method checks permissions for the :create and :new action
+    def self.is_creatable_by(user, parent = nil)
+
+    end
+
+    # This method checks permissions for the :show action
+    def is_readable_by(user, parent = nil)
+
+    end
+
+    # This method checks permissions for the :update and :edit action
+    def is_updatable_by(user, parent = nil)
+
+    end
+
+    # This method checks permissions for the :destroy action
+    def is_deletable_by(user, parent = nil)
+
+    end
+  end
+</pre>
+
+h4. View Helpers
+
+There are five view helpers also included in RESTful_ACL: @#indexable@, @#creatable@, @#readable@, @#updatable@, and @#deletable@. These enable you to do nifty things like:
+<pre>
+  <%= link_to ‘Foo Index’, foos_path if indexable %>
+  <%= link_to 'Edit Foo', edit_foo_path(@foo) if updatable(@foo) %>
+  <%= link_to 'Create Foo', new_foo_path if creatable %>
+  <%= link_to 'View Foo', foo_path(@foo) if readable(@foo) %>
+  <%= link_to 'Delete Foo', foo_path(@foo) if deletable(@foo), :method => :destroy %>
+</pre>
+
+h3. Huh? Here's an example
+
+Let's say that you have two resources: Project and Issue. A Project has many Issues, an Issue belongs to a Project. I'd like to make sure that the current user is a member of the Project before they can create a new Issue in that Project:
+
+<pre>
+  class Issue < ActiveRecord::Base
+    logical_parent :project
+    
+    belongs_to :author
+    belongs_to :project
+
+    def self.is_indexable_by(user, parent = nil)
+      user.projects.include?(parent)
+    end
+  
+    def self.is_creatable_by(user, parent = nil)
+      user.projects.include?(parent)
+    end
+  
+    def is_updatable_by(user, parent = nil)
+      user == author && parent.is_active?
+    end
+
+    def is_deletable_by(user, parent = nil)
+      user == author
+    end
+
+    def is_readable_by(user, parent = nil)
+      user.projects.include?(parent)
+    end
+  end
+</pre>
+
+h3. Admins RULE!
+
+RESTful_ACL grants global access to all actions to site administrators. To enable this, make sure that your User model defines an @is_admin?@ method *and/or* an @is_admin@ attribute. If the @current_user.is_admin?@ returns true, access will be granted automatically.
+
+h3. How to Test
+
+I normally do something along these lines in RSpec:
+<pre>
+  describe "Issue" do
+    before do
+      @project = mock_model(Project)
+      @author  = mock_model(User, :projects => [@project])
+    
+      @issue = Issue.factory_girl(:issue, :author => @author, :project => @project)
+    end
+
+    it "should be modifiable by the author when the Project is active" do
+      @project.stub!(:is_active? => true)
+      @issue.is_updatable_by(@author, @project).should be_true
+    end
+
+    it "should be deletable by the author" do
+      @issue.is_deletable_by(@author, @project).should be_true
+    end
+
+    it "should be readable by those assigned to the Project" do
+      Issue.is_readable_by(@author, @project).should be_true
+    end
+
+    it "should be creatable by those assigned to the Project" do
+      Issue.is_creatable_by(@author, @project).should be_true
+    end
+  end
+</pre>
+
+h3. Caveats
+
+RESTful_ACL doesn't work with nested singleton resources. Wha? Yeah. Those are things in routes.rb like:
+
+<pre>
+  # Note the singular forms in 'user.resource :profile'
+  map.resources :users do |user|
+    user.resource :profile
+  end
+</pre>
+
+In these situations I normally skip permission checking altogether as a Profile will always be mapped to the currently logged in User, regardless of the @params[:user_id]@ passed in. You don't trust those either right? Good.
+
+h3. Help
+
+Add a ticket to "RESTful_ACL's Lighthouse Account":http://mdarby.lighthouseapp.com/projects/28698-restful_acl/overview
+
+h3. About the Author
+
+My name is "Matt Darby.":http://blog.matt-darby.com I’m an IT Manager and pro-web-dev at for "Dynamix Engineering":http://dynamix-ltd.com and hold a Master’s Degree in Computer Science from "Franklin University":http://www.franklin.edu in sunny "Columbus, OH.":http://en.wikipedia.org/wiki/Columbus,_Ohio
+
+Feel free to check out my "blog":http://blog.matt-darby.com or "recommend me":http://www.workingwithrails.com/person/10908-matt-darby

data/Rakefile

@@ -0,0 +1,22 @@
+require 'rake'
+require 'rake/testtask'
+require 'rake/rdoctask'
+
+desc 'Default: run unit tests.'
+task :default => :test
+
+desc 'Test the restful_acl plugin.'
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = true
+end
+
+desc 'Generate documentation for the restful_acl plugin.'
+Rake::RDocTask.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'RestfulAcl'
+  rdoc.options << '--line-numbers' << '--inline-source'
+  rdoc.rdoc_files.include('README')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/init.rb

@@ -0,0 +1 @@
+require File.dirname(__FILE__) + "/rails/init"

data/install.rb

@@ -0,0 +1 @@
+# Install hook code here

data/lib/restful_acl_controller.rb

@@ -0,0 +1,104 @@
+module RestfulAclController
+
+  def self.included(base)
+    base.extend(ClassMethods)
+    base.send :include, ClassMethods
+  end
+
+  module ClassMethods
+
+    def has_permission?
+      return true if administrator?
+
+      begin        
+        # Load the Model based on the controller name
+        klass = self.controller_name.classify.constantize
+
+        if params[:id]
+          # Load the object and possible parent requested
+          object = klass.find(params[:id])
+          parent = object.get_mom rescue nil
+        else
+          # No object was requested, so we need to go to the URI to figure out the parent
+          object = nil
+          parent = get_parent_from_request_uri(klass) if klass.has_parent?
+        end
+
+        # Let's let the Model decide what is acceptable
+        permission_denied unless case params[:action]
+          when "index"          then klass.is_indexable_by(current_user, parent)
+          when "new", "create"  then klass.is_creatable_by(current_user, parent)
+          when "show"           then object.is_readable_by(current_user, parent)
+          when "edit", "update" then object.is_updatable_by(current_user, parent)
+          when "destroy"        then object.is_deletable_by(current_user, parent)
+          else check_non_restful_route(current_user, klass, object, parent)
+        end
+
+      rescue NoMethodError => e
+        # Misconfiguration: A RESTful_ACL specific method is missing.
+        raise_error(klass, e)
+      rescue
+        # Failsafe: If any funny business is going on, log and redirect
+        routing_error
+      end
+    end
+
+    private
+
+      def check_non_restful_route(user, klass, object, parent)
+        if object
+          object.is_readable_by(user, parent)
+        elsif klass
+          klass.is_indexable_by(user, parent)
+        else
+          # If all else fails, deny access
+          false
+        end
+      end
+
+      def get_method_from_error(error)
+        error.message.gsub('`', "'").split("'").at(1)
+      end
+
+      def raise_error(klass, error)
+        method = get_method_from_error(error)
+        message = (is_class_method?(method)) ? "#{klass}#self.#{method}" : "#{klass}##{method}"
+        raise NoMethodError, "[RESTful_ACL] #{message}(user, parent = nil) seems to be missing?"
+      end
+
+      def is_class_method?(method)
+        method =~ /(indexable|creatable)/
+      end
+
+      def get_parent_from_request_uri(child_klass)
+        parent_klass = child_klass.mom.to_s
+        bits         = request.request_uri.split('/')
+        p_index      = bits.index(parent_klass.pluralize)
+        if p_index
+          parent_id = bits.at(p_index + 1)
+          parent_klass.classify.constantize.find(parent_id)
+        else
+          nil
+        end
+      end
+      
+      def administrator?
+        current_user.respond_to?("is_admin?") && current_user.is_admin?
+      end
+
+      def permission_denied
+        logger.info("[RESTful_ACL] Permission denied to %s at %s for %s" %
+        [(logged_in? ? current_user.login : 'guest'), Time.now, request.request_uri])
+
+        redirect_to denied_url
+      end
+
+      def routing_error
+        logger.info("[RESTful_ACL] Routing error by %s at %s for %s" %
+        [(logged_in? ? current_user.login : 'guest'), Time.now, request.request_uri])
+
+        redirect_to error_url
+      end
+
+  end
+end

data/lib/restful_acl_helper.rb

@@ -0,0 +1,67 @@
+module RestfulAclHelper
+  # Adrian: sometimes, we want links to create a resource in a view that belongs to a different controller than the resource's
+  # controller.  E.g. on a company page, I may want a link to create a new user at that company, in which case I can now use
+  # if creatable(User), or if indexable(User)  
+  
+  def indexable(specified_klass = nil)
+    return true if admin_enabled
+    (specified_klass || klass).is_indexable_by(current_user, parent_obj)
+  end
+
+  
+  def creatable(specified_klass = nil)
+    return true if admin_enabled
+    (specified_klass || klass).is_creatable_by(current_user, parent_obj)
+  end
+  alias_method :createable, :creatable
+  
+  
+  def updatable(object)
+    return true if admin_enabled
+
+    parent = object.get_mom rescue nil
+    object.is_updatable_by(current_user, parent)
+  end
+  alias_method :updateable, :updatable
+
+
+  def deletable(object)
+    return true if admin_enabled
+
+    parent = object.get_mom rescue nil
+    object.is_deletable_by(current_user, parent)
+  end
+  alias_method :deleteable, :deletable
+
+
+  def readable(object)
+    return true if admin_enabled
+
+    parent = object.get_mom rescue nil
+    object.is_readable_by(current_user, parent)
+  end
+
+
+  private
+
+    def klass
+      params[:controller].classify.constantize
+    end
+
+    def parent_obj
+      parent_klass.find(parent_id) rescue nil
+    end
+
+    def parent_klass
+      klass.mom.to_s.classify.constantize
+    end
+
+    def parent_id
+      params["#{klass.mom.to_s}_id"]
+    end
+
+    def admin_enabled
+      current_user.respond_to?("is_admin?") && current_user.is_admin?
+    end
+
+end

data/lib/restful_acl_model.rb

@@ -0,0 +1,52 @@
+module RestfulAclModel
+
+  def self.included(base)
+    base.extend(ClassMethods)
+    base.send :include, ClassMethods
+  end
+
+  module ClassMethods
+    attr_accessor :mom
+
+    def logical_parent(model)
+      self.mom = model
+      include RestfulAclModel::InstanceMethods
+    end
+
+    def has_parent?
+      !self.mom.nil?
+    end
+
+  end
+
+
+  module InstanceMethods
+
+    def get_mom
+      parent_klass.find(parent_id) if has_parent?
+    end
+
+    private
+
+      def klass
+        self.class
+      end
+
+      def mom
+        klass.mom
+      end
+
+      def has_parent?
+        !mom.nil?
+      end
+
+      def parent_klass
+        mom.to_s.classify.constantize
+      end
+
+      def parent_id
+        self.instance_eval("#{mom}_id")
+      end
+  end
+
+end

data/rails/init.rb

@@ -0,0 +1,9 @@
+require 'restful_acl_controller'
+require 'restful_acl_helper'
+require 'restful_acl_model'
+
+ActionController::Base.send :include, RestfulAclController
+ActionView::Base.send :include, RestfulAclHelper
+ActiveRecord::Base.send :include, RestfulAclModel
+
+RAILS_DEFAULT_LOGGER.debug "** [RESTful_ACL] loaded"

data/uninstall.rb

@@ -0,0 +1 @@
+# Uninstall hook code here

metadata

@@ -0,0 +1,63 @@
+--- !ruby/object:Gem::Specification 
+name: adriand-restful_acl
+version: !ruby/object:Gem::Version 
+  version: 2.0.7
+platform: ruby
+authors: 
+- Matt Darby
+- Adrian Duyzer
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2009-04-16 00:00:00 -07:00
+default_executable: 
+dependencies: []
+
+description: A Rails gem that provides fine grained access control to RESTful resources in a Rails 2.0+ application.
+email: adrianduyzer@gmail.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- MIT-LICENSE
+- README.textile
+- Rakefile
+- init.rb
+- install.rb
+- lib/restful_acl_controller.rb
+- lib/restful_acl_helper.rb
+- lib/restful_acl_model.rb
+- rails/init.rb
+- uninstall.rb
+has_rdoc: false
+homepage: http://github.com/adriand/restful_acl
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.2.0
+signing_key: 
+specification_version: 2
+summary: Object-level access control
+test_files: []
+