adva_rbac 0.0.1

data/test/rbac/database.yml

@@ -0,0 +1,3 @@
+test:
+  adapter: sqlite3
+  database: ":memory:"

data/test/rbac/implementation/active_record_test.rb

@@ -0,0 +1,17 @@
+require File.dirname(__FILE__) + '/../test_helper'
+
+class RoleTypeActiveRecordTest < Test::Unit::TestCase
+  def setup
+    Rbac::RoleType.implementation = Rbac::RoleType::ActiveRecord::RoleType
+  end
+
+  # include Tests::ActsAsRoleContext
+  include Tests::Context
+  include Tests::HasRole
+  include Tests::RoleType
+  include Tests::Group
+  
+  # def test_foo
+  #   p superuser_type.minions
+  # end
+end

data/test/rbac/implementation/static_test.rb

@@ -0,0 +1,14 @@
+require File.dirname(__FILE__) + '/../test_helper'
+
+class RoleTypeStaticTest < Test::Unit::TestCase
+  def setup
+    Rbac::RoleType.implementation = Rbac::RoleType::Static
+  end
+
+  include Rbac::RoleType::Static
+  include Tests::ActsAsRoleContext
+  include Tests::Context
+  include Tests::HasRole
+  include Tests::RoleType
+  include Tests::Group
+end

data/test/rbac/static.rb

@@ -0,0 +1,25 @@
+module Rbac
+  module RoleType
+    module Static
+      self.role_types = [:editor, :superuser, :moderator, :author, :user, :anonymous, :pizzaboy]
+  
+      module Pizzaboy
+        extend Rbac::RoleType
+
+        class << self
+          def requires_context?
+            true
+          end
+      
+          def masters
+            []
+          end
+
+          def minions
+            []
+          end
+        end
+      end
+    end
+  end
+end

data/test/rbac/test_helper.rb

@@ -0,0 +1,62 @@
+$: << File.dirname(__FILE__) + '/../lib'
+
+require 'rubygems'
+require 'active_record'
+require 'activesupport'
+require 'test/unit'
+require 'rbac'
+
+require 'rbac/role_type/static'
+require 'rbac/role_type/active_record'
+
+require File.dirname(__FILE__) + '/database'
+require File.dirname(__FILE__) + '/static'
+
+Dir[File.dirname(__FILE__) + '/tests/*.rb'].each do |filename|
+  require filename
+end
+
+
+class Test::Unit::TestCase
+  def self.test(name, &block)
+    define_method("test: " + name, &block)
+  end
+
+  def with_default_permissions(permissions_map={}, &block)
+    original_permissions = Rbac::Context.default_permissions
+    Rbac::Context.default_permissions = permissions_map
+    yield
+    Rbac::Context.default_permissions = original_permissions
+  end
+  
+  protected
+  
+    def method_missing(method, *args)
+      return Rbac::RoleType.build(method.to_s.gsub(/_type/, '')) if method.to_s =~ /_type$/
+      return ::User.find_by_name(method.to_s) if user_names.include?(method.to_s)
+      return ::Group.find_by_name(method.to_s) if group_names.include?(method.to_s)
+      super
+    end
+    
+    def user_names
+      @user_names ||= User.scoped.map(&:name)
+    end
+    
+    def group_names
+      @group_names ||= Group.scoped.map(&:name)
+    end
+
+    def blog
+      ::Section.find_by_title('blog')
+    end
+    
+    def content
+      ::Content.find_by_title('content')
+    end
+end
+
+module TestHelper
+  def self.test(name, &block)
+    define_method("test: " + name, &block)
+  end
+end

data/test/rbac/tests/acts_as_role_context.rb

@@ -0,0 +1,37 @@
+module Tests
+  module ActsAsRoleContext
+    define_method "test: Content acts as a role context" do
+      assert_equal true, Content.acts_as_role_context?
+    end
+  
+    define_method "test: there is an Rbac root context" do
+      assert_equal true, Rbac::Context.root.is_a?(Rbac::Context::Base)
+    end
+  
+    define_method "test: content can instantiate its role context decorator" do
+      assert_equal Content::RoleContext, content.role_context.class
+    end
+  
+    define_method "test: the content's role_context's parent is the blog's role_context" do
+      assert_equal blog, content.role_context.parent.object
+    end
+  
+    define_method "test: the section's role_context's parent is the root context" do
+      assert_equal Rbac::Context.root, blog.role_context.parent
+    end
+  
+    define_method "test: the blog's role_context includes the content's role_context" do
+      assert_equal true, blog.role_context.include?(content.role_context)
+    end
+
+    protected
+  
+      def blog
+        @blog ||= ::Section.find_by_title('blog')
+      end
+    
+      def content
+        @content ||= Content.find_by_title('content')
+      end
+  end
+end

data/test/rbac/tests/context.rb

@@ -0,0 +1,35 @@
+module Tests
+  module Context
+    define_method "test: authorizing_role_types_for raises when given action is nil" do
+      assert_raises(ArgumentError) { content.role_context.authorizing_role_types_for(nil) }
+    end
+  
+    define_method "test: authorizing_role_types_for falls back to permissions from root context" do
+      with_default_permissions(:'edit content' => [:author]) do 
+        assert_equal [:author], content.role_context.authorizing_role_types_for('edit content')
+      end
+    end
+
+    define_method "test: authorizing_role_types_for uses object's permissions if given" do
+      content = self.content
+      content.permissions = { :'edit content' => [:superuser] }
+      assert_equal [:superuser], content.role_context.authorizing_role_types_for('edit content')
+    end
+
+    define_method "test: expand_roles_for permutate all roles from authorizing_role_types_for w/ all context types" do
+      content = self.content
+      with_default_permissions(:'edit content' => [:user]) do
+        content.permissions = { :'edit content' => [:moderator] }
+        expected = %w(author-content-1 author-section-1 editor-content-1 editor-section-1 moderator-content-1 moderator-section-1 superuser user)
+        actual = content.role_context.expand_roles_for('edit content')
+        assert_equal expected, actual.sort
+      end
+    end
+
+    protected
+  
+      def content
+        Content.find_by_title('content')
+      end
+  end
+end

data/test/rbac/tests/group.rb

@@ -0,0 +1,40 @@
+module Tests
+  module Group
+    define_method "test: make sure people are members of their groups" do
+      assert_equal true, beatles.members.include?(john)
+      assert_equal true, beatles.members.include?(paul)
+
+      assert_equal true, stones.members.include?(mick)
+      assert_equal true, stones.members.include?(keith)
+    end
+
+    define_method "test: make sure people aren't members of groups they don't belong to" do
+      assert_equal false, stones.members.include?(john)
+      assert_equal false, stones.members.include?(paul)
+
+      assert_equal false, beatles.members.include?(mick)
+      assert_equal false, beatles.members.include?(keith)
+    end
+
+    define_method "test: people should inherit roles from their groups" do
+      assert_equal true, beatles.has_role?(:superuser)
+      assert_equal true, john.has_role?(:superuser)
+      assert_equal true, paul.has_role?(:superuser)
+
+      assert_equal true, stones.has_role?(:pizzaboy)
+      assert_equal true, mick.has_role?(:pizzaboy)
+      assert_equal true, keith.has_role?(:pizzaboy)
+    end
+
+    define_method "test: people should inherit permissions from their groups" do
+      with_default_permissions(:'edit content' => [:editor]) do
+        content = self.content
+        content.section.permissions = { :'edit content' => [:pizzaboy] }
+
+        assert_equal true, stones.has_permission?('edit content', content)
+        assert_equal true, mick.has_permission?('edit content', content)
+        assert_equal true, keith.has_permission?('edit content', content)
+      end
+    end
+  end
+end

data/test/rbac/tests/has_role.rb

@@ -0,0 +1,126 @@
+module Tests
+  module HasRole
+
+    define_method "test: a superuser has the global role :superuser" do
+      assert_equal true, superuser.has_global_role?(:superuser)
+      assert_equal true, superuser.has_global_role?(:superuser, site)
+      assert_equal true, superuser.has_global_role?(:superuser, another_site)
+    end
+
+    define_method "test: a admin has the global role :admin on 'site'" do
+      assert_equal true, site_admin.has_global_role?(:admin, site)
+    end
+
+    define_method "test: a moderator for 'site' has the global role :moderator on 'site'" do
+      assert_equal true, site_moderator.has_global_role?(:moderator, site)
+    end
+
+    define_method "test: a author for 'site' has the global role :author on 'site'" do
+      assert_equal true, site_author.has_global_role?(:author, site)
+    end
+
+    define_method "test: a designer for 'site' has the global role :designer on 'site'" do
+      assert_equal true, site_designer.has_global_role?(:designer, site)
+    end
+
+    define_method "test: a admin does not have the global role :admin on 'another site'" do
+      assert_equal false, site_admin.has_global_role?(:admin, another_site)
+    end
+
+    define_method "test: a moderator for a section (blog) of 'site' does not have the global role :moderator on 'site'" do
+      assert_equal false, blog_moderator.has_global_role?(:moderator, site)
+    end
+
+    define_method "test: a superuser has permissions for the admin areas of all sites" do
+      assert_equal true, superuser.has_permission_for_admin_area?(site)
+      assert_equal true, superuser.has_permission_for_admin_area?(another_site)
+    end
+
+    define_method "test: a admin, moderator, author and designer for 'site' have permission for the admin area of 'site'" do
+      assert_equal true, site_admin.has_permission_for_admin_area?(site)
+      assert_equal true, site_moderator.has_permission_for_admin_area?(site)
+      assert_equal true, site_author.has_permission_for_admin_area?(site)
+      assert_equal true, site_designer.has_permission_for_admin_area?(site)
+    end
+
+    define_method "test: a admin, moderator, author and designer for 'site' do not have permissions for the admin area of 'another_site'" do
+      assert_equal false, site_admin.has_permission_for_admin_area?(another_site)
+      assert_equal false, site_moderator.has_permission_for_admin_area?(another_site)
+      assert_equal false, site_author.has_permission_for_admin_area?(another_site)
+      assert_equal false, site_designer.has_permission_for_admin_area?(another_site)
+    end
+
+    define_method "test: a moderator for a section (blog) of a 'site' does not have permission for the admin area of 'site'" do
+      assert_equal false, blog_moderator.has_permission_for_admin_area?(site)
+    end
+
+    define_method "test: has_role? (single argument)" do
+      assert_equal true, superuser.has_role?(:superuser)
+      assert_equal true, superuser.has_role?(:user)
+      assert_equal true, superuser.has_role?(:anonymous)
+    end
+
+    define_method "test: has_role? (array argument)" do
+      assert_equal false, moderator.has_role?([:superuser])
+      assert_equal false, moderator.has_role?([:moderator, :superuser])
+      assert_equal true,  moderator.has_role?([:moderator, :superuser], blog)
+      assert_equal true,  moderator.has_role?([:author, :superuser], content)
+    end
+
+    define_method "test: has_explicit_role?" do
+      assert_equal true,  superuser.has_explicit_role?(:superuser)
+      assert_equal false, superuser.has_explicit_role?(:user)
+      assert_equal false, superuser.has_explicit_role?(:anonymous)
+    end
+
+    define_method "test: has_permission? raises Rbac::AuthorizingRoleNotFound exception when authorizing role can not be found" do
+      assert_raises(Rbac::AuthorizingRoleNotFound) { superuser.has_permission?('drink redbull', Rbac::Context.root) }
+    end
+
+    define_method "test: has_permission? returns true when the user has a role that authorizes the action" do
+      with_default_permissions(:'edit content' => [:author]) do
+        assert_equal true, superuser.has_permission?('edit content', Rbac::Context.root)
+      end
+    end
+
+    define_method "test: has_permission? returns true for authorized roles that aren't part of the same role hierarchy" do
+      with_default_permissions(:'edit content' => [:editor]) do
+        content = self.content
+        content.section.permissions = { :'edit content' => [:moderator] }
+        assert_equal true, moderator.has_permission?('edit content', content)
+        assert_equal true, editor.has_permission?('edit content', content)
+      end
+    end
+
+    protected
+
+    def site
+      @site ||= ::Site.find_by_name('a site')
+    end
+
+    def another_site
+      @another_site ||= ::Site.find_by_name('another site')
+    end
+
+    def site_admin
+      @site_admin ||= ::User.find_by_name('site admin')
+    end
+
+    def blog_moderator
+      @blog_moderator ||= ::User.find_by_name('moderator')
+    end
+
+    def site_moderator
+      @site_moderator ||= ::User.find_by_name('site moderator')
+    end
+
+    def site_author
+      @site_author ||= ::User.find_by_name('author')
+    end
+
+    def site_designer
+      @site_designer ||= ::User.find_by_name('designer')
+    end
+
+  end
+end

data/test/rbac/tests/role_type.rb

@@ -0,0 +1,110 @@
+module Tests
+  module RoleType
+    define_method "test: RoleType knows all available types" do
+      expected = %w(anonymous author editor moderator superuser user)
+      actual   = Rbac::RoleType.types.map(&:name).sort
+      assert_equal expected, actual & expected
+    end
+    
+    define_method "test: masters" do
+      assert_equal [], superuser_type.masters.map(&:name)
+      assert_equal ['superuser'], moderator_type.masters.map(&:name)
+      assert_equal ['superuser'], editor_type.masters.map(&:name)
+      assert_equal ['moderator'], author_type.masters.map(&:name)
+      assert_equal ['author', 'editor'], user_type.masters.map(&:name).sort
+      assert_equal ['user'], anonymous_type.masters.map(&:name)
+    end
+    
+    define_method "test: all_masters" do
+      assert_equal [], superuser_type.all_masters.map(&:name).sort
+      assert_equal ['superuser'], moderator_type.all_masters.map(&:name).sort
+      assert_equal ['superuser'], editor_type.all_masters.map(&:name)
+      assert_equal ['moderator', 'superuser'], author_type.all_masters.map(&:name).sort
+      assert_equal ['author', 'editor', 'moderator', 'superuser'], user_type.all_masters.map(&:name).sort
+      assert_equal ['author', 'editor', 'moderator', 'superuser', 'user'], anonymous_type.all_masters.map(&:name).sort
+    end
+
+    define_method "test: self_and_masters" do
+      assert_equal ['superuser'], superuser_type.self_and_masters.map(&:name).sort
+      assert_equal ['moderator', 'superuser'], moderator_type.self_and_masters.map(&:name).sort
+      assert_equal ['editor', 'superuser'], editor_type.self_and_masters.map(&:name)
+      assert_equal ['author', 'moderator', 'superuser'], author_type.self_and_masters.map(&:name).sort
+      assert_equal ['author', 'editor', 'moderator', 'superuser', 'user'], user_type.self_and_masters.map(&:name).sort
+      assert_equal ['anonymous', 'author', 'editor', 'moderator', 'superuser', 'user'], anonymous_type.self_and_masters.map(&:name).sort
+    end
+
+    define_method "test: minions" do
+      assert_equal ['editor', 'moderator'], superuser_type.minions.map(&:name).sort
+      assert_equal ['author'], moderator_type.minions.map(&:name).sort
+      assert_equal ['user'], author_type.minions.map(&:name).sort
+      assert_equal ['user'], editor_type.minions.map(&:name).sort
+      assert_equal ['anonymous'], user_type.minions.map(&:name).sort
+      assert_equal [], anonymous_type.minions.map(&:name).sort
+    end
+
+    define_method "test: all_minions" do
+      assert_equal ['anonymous', 'author', 'editor', 'moderator', 'user'], superuser_type.all_minions.map(&:name).sort
+      assert_equal ['anonymous', 'author', 'user'], moderator_type.all_minions.map(&:name).sort
+      assert_equal ['anonymous', 'user'], author_type.all_minions.map(&:name).sort
+      assert_equal ['anonymous', 'user'], editor_type.all_minions.map(&:name).sort
+      assert_equal ['anonymous'], user_type.all_minions.map(&:name).sort
+      assert_equal [], anonymous_type.all_minions.map(&:name).sort
+    end
+
+    define_method "test: self_and_minions" do
+      assert_equal ['anonymous', 'author', 'editor', 'moderator', 'superuser', 'user'], superuser_type.self_and_minions.map(&:name).sort
+      assert_equal ['anonymous', 'author', 'moderator', 'user'], moderator_type.self_and_minions.map(&:name).sort
+      assert_equal ['anonymous', 'author', 'user'], author_type.self_and_minions.map(&:name).sort
+      assert_equal ['anonymous', 'editor', 'user'], editor_type.self_and_minions.map(&:name).sort
+      assert_equal ['anonymous', 'user'], user_type.self_and_minions.map(&:name).sort
+      assert_equal ['anonymous'], anonymous_type.self_and_minions.map(&:name).sort
+    end
+
+    define_method "test: RoleType#build returns an Rbac::RoleType" do
+      %w(anonymous author editor moderator superuser user).each do |role_type|
+        assert Rbac::RoleType.build(role_type.to_sym).respond_to?(:granted_to?)
+      end
+    end
+
+    define_method "test: RoleType#granted_to? returns true for assigned role and all minion roles" do
+      assert_equal true,  superuser_type.granted_to?(superuser)
+      assert_equal true,  moderator_type.granted_to?(superuser)
+      assert_equal true,  editor_type.granted_to?(superuser)
+      assert_equal true,  author_type.granted_to?(superuser, content)
+      assert_equal true,  user_type.granted_to?(superuser)
+      assert_equal true,  anonymous_type.granted_to?(superuser)
+    
+      assert_equal false, superuser_type.granted_to?(moderator)
+      assert_equal false, editor_type.granted_to?(moderator)
+      assert_equal false, moderator_type.granted_to?(moderator)
+      assert_equal true,  moderator_type.granted_to?(moderator, blog)
+      assert_equal true,  author_type.granted_to?(moderator, content)
+      assert_equal true,  user_type.granted_to?(moderator)
+      assert_equal true,  anonymous_type.granted_to?(moderator )
+    
+      assert_equal false, superuser_type.granted_to?(author)
+      assert_equal false, editor_type.granted_to?(author)
+      assert_equal false, moderator_type.granted_to?(author)
+      assert_equal false, moderator_type.granted_to?(author, content)
+      assert_equal true,  author_type.granted_to?(author, content)
+      assert_equal true,  user_type.granted_to?(author)
+      assert_equal true,  anonymous_type.granted_to?(author)
+    
+      assert_equal false, superuser_type.granted_to?(user)
+      assert_equal false, editor_type.granted_to?(user)
+      assert_equal false, moderator_type.granted_to?(user)
+      assert_equal false, moderator_type.granted_to?(user, content)
+      assert_equal false, author_type.granted_to?(user, content)
+      assert_equal true,  user_type.granted_to?(user)
+      assert_equal true,  anonymous_type.granted_to?(user)
+    
+      assert_equal false, superuser_type.granted_to?(anonymous)
+      assert_equal false, editor_type.granted_to?(anonymous)
+      assert_equal false, moderator_type.granted_to?(anonymous)
+      assert_equal false, moderator_type.granted_to?(anonymous, content)
+      assert_equal false, author_type.granted_to?(anonymous, content)
+      assert_equal false, user_type.granted_to?(anonymous)
+      assert_equal true,  anonymous_type.granted_to?(anonymous)
+    end
+  end
+end