adva_rbac 0.0.1

data/lib/rbac/role_type/active_record.rb

@@ -0,0 +1,47 @@
+require 'active_record'
+
+module Rbac
+  module RoleType
+    module ActiveRecord
+      class RoleTypeRelationship < ::ActiveRecord::Base
+        belongs_to :master, :class_name => "RoleType"
+        belongs_to :minion, :class_name => "RoleType"
+      end
+
+
+      class RoleType < ::ActiveRecord::Base
+        include Rbac::RoleType
+        
+        has_many :master_relationships, :foreign_key => 'master_id', :class_name => 'RoleTypeRelationship', :dependent => :destroy
+        has_many :minion_relationships, :foreign_key => 'minion_id', :class_name => 'RoleTypeRelationship', :dependent => :destroy
+
+        has_many :masters, :through => :minion_relationships
+        has_many :minions, :through => :master_relationships
+        
+        class << self
+          def build(name)
+            find_by_name(name.to_s) || raise(Rbac::UndefinedRoleType.new(name))
+          end
+        end
+
+        def requires_context?
+          !!attributes['requires_context']
+        end
+
+        def granted_to?(user, context = nil, options = {})
+          return super unless ['anonymous', 'user', 'author'].include?(name)
+          return false if options[:explicit]
+
+          case name
+          when 'anonymous'
+            true
+          when 'user'
+            user.try(:registered?)
+          when 'author'
+            context.respond_to?(:author) && context.author == user || super
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rbac/role_type/static.rb

@@ -0,0 +1,144 @@
+module Rbac
+  module RoleType
+    module Author
+      extend Rbac::RoleType
+
+      class << self
+        def minions
+          [User]
+        end
+
+        def masters
+          [Moderator]
+        end
+
+        def granted_to?(user, context = nil, options = {})
+          options[:explicit] ? false : context.respond_to?(:author) && context.author == user || super
+        end
+      end
+    end
+
+    module Static
+      mattr_accessor :role_types
+      self.role_types = [:editor, :superuser, :moderator, :author, :user, :anonymous]
+
+      class << self
+        def build(name)
+          const_get(name.to_s.camelize)
+        end
+
+        def all
+          @role_types ||= role_types.map { |type| build(type) }
+        end
+      end
+
+      module Anonymous
+        extend Rbac::RoleType
+
+        class << self
+          def requires_context?
+            false
+          end
+
+          def masters
+            [User]
+          end
+
+          def minions
+            []
+          end
+
+          def granted_to?(user, context = nil, options = {})
+            options[:explicit] ? false : true
+          end
+        end
+      end
+
+      module User
+        extend Rbac::RoleType
+
+        class << self
+          def requires_context?
+            false
+          end
+
+          def minions
+            [Anonymous]
+          end
+
+          def masters
+            [Editor, Author]
+          end
+
+          def granted_to?(user, context = nil, options = {})
+            options[:explicit] ? false : user.try(:registered?)
+          end
+        end
+      end
+
+      module Author
+        extend Rbac::RoleType
+
+        class << self
+          def minions
+            [User]
+          end
+
+          def masters
+            [Moderator]
+          end
+
+          def granted_to?(user, context = nil, options = {})
+            options[:explicit] ? false : context.respond_to?(:author) && context.author == user || super
+          end
+        end
+      end
+
+      module Moderator
+        extend Rbac::RoleType
+
+        class << self
+          def minions
+            [Author]
+          end
+
+          def masters
+            [Superuser]
+          end
+        end
+      end
+
+      module Superuser
+        extend Rbac::RoleType
+
+        class << self
+          def requires_context?
+            false
+          end
+
+          def minions
+            [Moderator, Editor]
+          end
+
+          def masters
+            []
+          end
+        end
+      end
+
+      module Editor
+        extend Rbac::RoleType
+
+        class << self
+          def minions
+            [User]
+          end
+
+          def masters
+            [Superuser]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rbac/subject.rb

@@ -0,0 +1,52 @@
+module Rbac
+  class Subject
+    class << self
+      def define_class(model, options)
+        Class.new(Base).tap do |klass|
+          model.const_set('RoleSubject', klass)
+        end
+      end
+    end
+
+    class Base
+      attr_accessor :object
+
+      def initialize(object = nil)
+        self.object = object
+      end
+
+      def has_permission?(action, context)
+        # puts "============== action = #{action}"
+        # puts "============== context = #{context}"
+        types = context.authorizing_role_types_for(action)
+        # puts "============== authorizing_role_types_for #{types}"
+        has_role?(types, context)
+      end
+
+      def has_role?(types, context = nil)
+        Array(types).any? do |type|
+          type = Rbac::RoleType.build(type) unless type.respond_to?(:granted_to?)
+          type.granted_to?(self, context)
+        end
+      end
+
+      def has_explicit_role?(type, context = nil)
+        type = Rbac::RoleType.build(type) unless type.respond_to?(:granted_to?)
+        type.granted_to?(self, context, :explicit => true)
+      end
+
+      def ==(other)
+        super || object == other # hmmmm ...
+      end
+
+      def respond_to?(method)
+        object.respond_to?(method) || super
+      end
+
+      def method_missing(method, *args, &block)
+        return object.send(method, *args, &block) if object.respond_to?(method)
+        super
+      end
+    end
+  end
+end

data/test/functional/roles_controller_test.rb

@@ -0,0 +1,21 @@
+require File.expand_path(File.dirname(__FILE__) + "/../test_helper")
+
+class RolesControllerTest < ActionController::TestCase
+  with_common :a_site, :a_user
+
+  test "is an BaseController" do
+    @controller.should be_kind_of(BaseController)
+  end
+
+  describe "GET to :index" do
+    action { get :index, { :user_id => @user.id } }
+    
+    it_assigns :site, :user, :roles
+    it_renders_template :index, :format => :js
+    it_caches_the_page # FIXME should track user references, eh?
+    
+    it "always includes the user role" do
+      assigns(:roles).map(&:name).should include('user')
+    end
+  end
+end

data/test/integration/user_rbac_test.rb

@@ -0,0 +1,34 @@
+require File.expand_path(File.join(File.dirname(__FILE__), '..', 'test_helper' ))
+
+module IntegrationTests
+  class UserRbacTest < ActionController::IntegrationTest
+    def setup
+      super
+      @site = use_site! 'site with pages'
+      @superuser = User.find_by_email('a-superuser@example.com')
+    end
+    
+    test "Updating the user account does not remove users roles" do
+      login_as_superuser
+      visit_user_edit_form
+      fill_and_submit_user_edit_form
+    end
+    
+    def visit_user_edit_form
+      visit "admin/sites/#{@site.id}/users/#{@superuser.id}/edit"
+      assert 'admin/users/edit'
+    end
+    
+    def fill_and_submit_user_edit_form
+      assert @superuser.has_role?(:superuser)
+      
+      fill_in 'user_first_name', :with => "the awesome"
+      fill_in 'user_last_name', :with => "superuser"
+      click_button 'Save'
+      
+      @superuser.reload
+      assert @superuser.name == "the awesome superuser"
+      assert @superuser.has_role?(:superuser)
+    end
+  end
+end

data/test/rbac/all.rb

@@ -0,0 +1,3 @@
+Dir[File.dirname(__FILE__) + '/**/*_test.rb'].each do |filename|
+  require filename
+end

data/test/rbac/database.rb

@@ -0,0 +1,155 @@
+require File.expand_path(File.dirname(__FILE__) + "/test_helper")
+
+config = YAML::load(IO.read(File.dirname(__FILE__) + '/database.yml'))
+ActiveRecord::Base.establish_connection(config['test'])
+
+ActiveRecord::Base.connection.create_table :users do |t|
+  t.string :name
+  t.boolean :anonymous
+end
+
+ActiveRecord::Base.connection.create_table :sites do |t|
+  t.string  :name
+end
+
+ActiveRecord::Base.connection.create_table :sections do |t|
+  t.string :title
+  t.text :permissions
+  t.references  :site
+end
+
+ActiveRecord::Base.connection.create_table :contents do |t|
+  t.references :section
+  t.references :author
+  t.string :title
+  t.text :permissions
+end
+
+ActiveRecord::Base.connection.create_table :roles do |t|
+  t.references :subject, :polymorphic => true
+  t.references :context, :polymorphic => true
+  t.string :name
+end
+
+ActiveRecord::Base.connection.create_table :groups do |t|
+  t.string :name
+end
+
+ActiveRecord::Base.connection.create_table :group_memberships do |t|
+  t.references :user
+  t.references :group
+end
+
+ActiveRecord::Base.connection.create_table :role_types do |t|
+  t.string :name
+  t.boolean :requires_context, :default => true
+end
+
+ActiveRecord::Base.connection.create_table :role_type_relationships do |t|
+  t.references :master
+  t.references :minion
+end
+
+class User < ActiveRecord::Base
+  class RoleSubject < Rbac::Subject::Base
+    def roles
+      (object.roles + object.groups.map(&:roles).flatten).uniq # should obviously happen in a single query
+    end
+  end
+
+  acts_as_role_subject
+  has_many :roles, :as => :subject, :class_name => 'Rbac::Role'
+  has_many :group_memberships
+  has_many :groups, :through => :group_memberships
+
+  def registered?
+    !new_record? && !anonymous?
+  end
+end
+
+class GroupMembership < ActiveRecord::Base
+  belongs_to :user
+  belongs_to :group
+end
+
+class Group < ActiveRecord::Base
+  acts_as_role_subject
+
+  has_many :group_memberships
+  has_many :members, :through => :group_memberships, :source => :user, :class_name => 'User'
+  has_many :roles, :as => :subject, :class_name => 'Rbac::Role'
+end
+
+class Site < ActiveRecord::Base
+  acts_as_role_context
+end
+
+class Section < ActiveRecord::Base
+  acts_as_role_context
+
+  belongs_to :site
+
+  def include?(other)
+    !!other
+  end
+end
+
+class Content < ActiveRecord::Base
+  acts_as_role_context :parent => :owner
+
+  belongs_to :section
+  belongs_to :author, :class_name => 'User'
+
+  def owner
+    section
+  end
+
+  def include?(other)
+    false
+  end
+end
+
+
+RoleType = Rbac::RoleType::ActiveRecord::RoleType
+
+site         = Site.create!(:name => 'a site')
+another_site = Site.create!(:name => 'another site')
+
+anonymous_type = RoleType.create!(:name => 'anonymous', :requires_context => false)
+user_type      = RoleType.create!(:name => 'user',      :requires_context => false, :minions => [anonymous_type])
+author_type    = RoleType.create!(:name => 'author',    :requires_context => true , :minions => [user_type])
+moderator_type = RoleType.create!(:name => 'moderator', :requires_context => true , :minions => [author_type])
+editor_type    = RoleType.create!(:name => 'editor',    :requires_context => true , :minions => [user_type])
+superuser_type = RoleType.create!(:name => 'superuser', :requires_context => false, :minions => [moderator_type, editor_type])
+pizzaboy_type  = RoleType.create!(:name => 'pizzaboy',  :requires_context => true)
+
+superuser         = User.create!(:name => 'superuser')
+admin             = User.create!(:name => 'site admin')
+editor            = User.create!(:name => 'editor')
+moderator         = User.create!(:name => 'moderator')
+site_moderator    = User.create!(:name => 'site moderator')
+author            = User.create!(:name => 'author')
+user              = User.create!(:name => 'user')
+anonymous         = User.create!(:name => 'anonymous', :anonymous => true)
+site_designer     = User.create!(:name => 'designer')
+
+blog           = Section.create!(:title => 'blog', :site => site)
+content        = Content.create!(:title => 'content', :section => blog, :author => author)
+
+john  = User.create!(:name => 'john')
+paul  = User.create!(:name => 'paul')
+mick  = User.create!(:name => 'mick')
+keith = User.create!(:name => 'keith')
+
+beatles = Group.create!(:name => 'beatles', :members => [john, paul])
+stones  = Group.create!(:name => 'stones', :members => [mick, keith])
+
+beatles.roles.create!(:name => 'superuser')
+stones.roles.create!(:name => 'pizzaboy')
+editor.roles.create!(:name => 'editor')
+superuser.roles.create!(:name => 'superuser')
+admin.roles.create!(:name => 'admin', :context => site)
+moderator.roles.create!(:name => 'moderator', :context => blog)
+author.roles.create!(:name => 'author', :context => site)
+site_moderator.roles.create!(:name => 'moderator', :context => site)
+site_designer.roles.create!(:name => 'designer', :context => site)