adva_rbac 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 8601befb94e314af526920008bc499db4c524607
+  data.tar.gz: c067b09f9c1171b501156c809bf795520b2095fc
+SHA512:
+  metadata.gz: 1ff6836c3ebd7b261f67cf1a6a8d6806bb68c8113ae5e625c02546c981c0f9fa8eb2cda52c33797a1033036e36737dbb377d182a8095b0a6f15f3930f8dcff34
+  data.tar.gz: d5a020b59751c73437dc5473d94873d452034097f55ce0be09564bb7e0edfa3ff97ad1d18d52dcc6057b2278c0fee9f71e43fa828ddc6703143b97ccc9f3cc5c

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in adva_rbac.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2012 Micah Geisel
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/NOTES

@@ -0,0 +1,98 @@
+1. negotiating required vs. granted roles
+
+	required_roles = context.required_roles_for(action)
+	has_role?(required_roles, context)
+
+2. expand roles/contexts so we can create css classes from it
+
+	roles = context.required_role_for('edit article').expand
+	quoted_role_names(roles)
+	# => "article-1-author blog-1-moderator site-1-moderator site-1-admin"
+	
+	"article-1-author blog-1-author site-1-author 
+	 article-1-moderator blog-1-moderator site-1-moderator 
+	 article-1-admin blog-1-admin site-1-admin"
+	
+	=> brauchen wir konzept "minimum context type" für roles?
+
+3. displaying roles per virtual actions per context type
+
+	Blog permissions settings form:
+	[moderator] is allowed to [create] an article     [+]
+	[author]    is allowed to [edit]   an article     [+][-]
+
+	=> kein problem
+
+
+Manage roles
+
+	Role name: ...
+	Role context: (o) Site (o) Section <= ???
+
+
+
+
+RBAC
+
+# things to improve
+
+- we must be able to define "everything" (roles, contexts, hierarchies) more
+  flexibly. i.e.: provide sensible defaults in adva-cms, overwrite/extend them
+  at startup time (initializer) in adva-best or facility-best
+
+- we must be able to define additional/custom roles at runtime dynamically, 
+  these must behave the same way as predefined roles do
+
+- roles should not be tied to particular contexts as they are now
+
+- the system should be able to grant users roles/permissions based on their
+  membership in a group
+
+# notes
+
+- acl9's wording of roles being "scoped" to contexts makes sense. they should
+  not be scoped/tied to particular types of contexts though. why not just let
+  the user choose? because potentially not all roles make sense in all contexts?
+
+# concepts we need
+
+- contexts require roles for actions to be allowed. e.g. a Blog requires users
+  to be at least a :moderator in the scope of the Site when they want to create
+  an Article
+
+- roles can include other roles. e.g. the :superuser role includes all other 
+  roles. the site :admin role includes all other roles in the context of the
+  site
+
+# use cases
+
+- saas adva-cms: manager has an account and 2 sites. he adds a role :editor
+  to his sites, makes two members of his account editor in the context of each 
+  site and defines article create/edit permissions for editors. the editors should
+  then be able to create/edit articles on the sites they are editors on.
+
+- facility-best: manager owns an account and has tons of renters. the application
+  defines that each renter has view access to his own contracts
+  
+- facility-best: manager owns an account and has an accountant. the admin defines
+  a role :accountant and defines that only accountants may view + manage accounts
+
+- facility-best: manager owns an account and adds an owner to a facility or unit.
+  the owner can not update attributes on the facility or unit and related objects.
+
+- facility-best: renter can only view the units (and associated objects) he has 
+  rented.
+
+- facility-best: renter can view tickets that belong to his unit or his unit's 
+  facility. owner can view all tickets for his facilities. manager can view all
+  tickets for all facilities belonging to his account.
+
+
+# adva-cms
+
+	ohne saas: superuser > 
+
+
+
+
+

data/README.md

@@ -0,0 +1,29 @@
+# AdvaRbac
+
+TODO: Write a gem description
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'adva_rbac'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install adva_rbac
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Added some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,2 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"

data/adva_rbac.gemspec

@@ -0,0 +1,17 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/adva_rbac/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["Micah Geisel"]
+  gem.email         = ["micah@botandrose.com"]
+  gem.description   = %q{Adva RBAC}
+  gem.summary       = %q{Engine for role-based authorization in Adva CMS}
+  gem.homepage      = ""
+
+  gem.files         = `git ls-files`.split($\)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.name          = "adva_rbac"
+  gem.require_paths = ["lib"]
+  gem.version       = AdvaRbac::VERSION
+end

data/app/controllers/roles_controller.rb

@@ -0,0 +1,28 @@
+class RolesController < BaseController
+  layout false
+  helper :users, :roles
+  before_filter :set_section # ?!
+  before_filter :set_user, :set_object, :set_roles
+
+  def index
+    respond_to do |format|
+      format.js
+    end
+  end
+
+  protected
+
+    def set_user
+      @user = User.find(params[:user_id])
+    end
+
+    def set_object
+      @object = params[:object_type].classify.constantize.find(params[:object_id]) if params[:object_type]
+    end
+
+    def set_roles
+      @roles = @user.roles.by_context(@object || @site)
+      @roles << Role.new(:name => 'user')
+      # @roles.create!(:name => 'user')
+    end
+end

data/app/helpers/roles_helper.rb

@@ -0,0 +1,64 @@
+module RolesHelper
+  def role_to_default_css_class(role)
+    return unless role
+    role.has_context? ? [role.context_type, role.context_id, role.name.to_s].join('-').downcase : role.name.to_s
+  end
+
+  def role_to_css_class(role)
+    return unless role
+    roles = ''
+    if role.name == 'author' && role.context.author_type
+      roles << [role.context.author_type.underscore, role.context.author_id].join('-') + ' ' 
+    end
+    roles << role_to_default_css_class(role)
+  end
+
+  # Includes a javascript tag that will load a javascript snippet
+  # generated by the RolesController. This snippet will contain roles data
+  # for the current user and toggle visibility for authorized elements.
+  def authorize_elements(object = nil)
+    object_path = object ? "/#{object.class.name.downcase.pluralize}/#{object.id}" : ''
+    javascript_tag <<-js
+      var uid = Cookie.get('uid');
+      if(uid) {
+        $.ajax({
+          url: '/users/' + uid + '/roles#{object_path}.js',
+          type: 'get',
+          async: false,
+          dataType: 'script'
+        });
+      }
+      var aid = Cookie.get('aid');
+      if(aid) {
+        $(document).ready(function() { authorize_elements(['anonymous-' + aid]); });
+      }
+    js
+  end
+
+  def authorized_tag(name, action, object, options = {}, &block)
+    add_authorizing_css_classes! options, action, object
+    content_tag(name, options, &block)
+  end
+
+  def authorized_link_to(text, url, action, object, options = {})
+    add_authorizing_css_classes!(options, action, object)
+    link_to(text, url, options)
+  end
+
+  # Adds the css class required-roles as well as a couple of css classes that
+  # can be matched with the current user's roles in order to toggle the visibility
+  # of an element
+  def add_authorizing_css_classes!(options, action, object)
+    action = :"#{action} #{object.class.name.underscore.downcase}"
+    roles = object.role_context.expand_roles_for(action)
+    options[:class] ||= ''
+    options[:class] = options[:class].split(/ /)
+    options[:class] << 'visible_for' << roles # roles.map { |role| role_to_css_class(role) }.join(' ')
+    options[:class] = options[:class].flatten.uniq.join(' ')
+  end
+
+  def quoted_role_names(roles, options = {})
+    separator = options[:separator] || ''
+    roles.map { |role| options[:quote] ? "'#{role.name}'" : role.name }.join(separator)
+  end
+end

data/app/views/admin/sections/settings/_permissions.html.erb

@@ -0,0 +1,16 @@
+<!-- <h2><%= t(:'adva.titles.permissions') %></h2>
+<fieldset class="clearfix">
+  <div class="col">
+    <%# @section.permissions.sorted.each do |type, permissions| %>
+    <% [].each do |type, permissions| %>
+    <h4><%= type.to_s.camelize.pluralize %></h4>
+    <% permissions.each do |action, role| %>
+      <%# permissions.reject { |action, role| action.to_sym == :show }.each do |action, role| # <-- maybe this is cleaner? %>
+      <% next if action.to_sym == :show # TODO :show permissions do not make any sense right now, so we completely deactivate them %> 
+        <%= select_tag "section[permissions][#{type}][#{action}]", options_for_select(Role.names.zip(Role.names.map(&:downcase)), role.to_s), :id => "section_required_roles_#{action}" %>
+        can <%= action %>.
+        <%#= label_tag "section_permissions_#{permission}", permission.to_s.titleize %>
+    <% end %>
+  <% end %>
+  </div>
+</fieldset> -->

data/app/views/roles/index.js.erb

@@ -0,0 +1,3 @@
+$(document).ready(function() {
+  authorize_elements([<%= quoted_role_names(@roles, :separator => ', ', :quote => true) %>]);
+});

data/config/initializers/base_controller.rb

@@ -0,0 +1,4 @@
+ActionDispatch::Callbacks.to_prepare do
+  BaseController.class_eval { helper :roles }
+  Admin::BaseController.class_eval { helper :roles }
+end

data/config/initializers/rbac.rb

@@ -0,0 +1,60 @@
+ActionDispatch::Callbacks.to_prepare do
+  Site.acts_as_role_context
+  Section.acts_as_role_context :parent => :site
+  Content.acts_as_role_context :parent => :section
+  # Comment.acts_as_role_context :parent => :commentable
+
+  # CalendarEvent.acts_as_role_context :parent => :section  if Rails.plugin?(:adva_calendar)
+  # Photo.acts_as_role_context :parent => :section          if Rails.plugin?(:adva_photos)
+
+  # if Rails.plugin?(:adva_forum)
+  #   Board.acts_as_role_context :parent => :section
+  #   Topic.acts_as_role_context :parent => :section
+  # end
+
+  Rbac::Role.class_eval do
+    belongs_to :ancestor_context, :polymorphic => true
+
+    before_save do |role|
+      role.ancestor_context = role.context.owners.detect do |context|
+        context.is_a?(Site) || context.is_a?(Account)
+      end if role.context
+    end
+  end
+
+  Account.class_eval do
+    def members
+      User.members_of(self).exclude_role_types('author', 'user')
+    end
+  end
+
+  Site.class_eval do
+    def members
+      User.members_of(self)
+    end
+  end
+
+  User.class_eval do
+    scope :members_of, lambda { |context|
+      {
+        :include => :roles,
+        :conditions => "(roles.ancestor_context_type = '#{context.class}' AND roles.ancestor_context_id = #{context.id}) OR
+                        (roles.context_type = '#{context.class}' AND roles.context_id = #{context.id})"
+      }
+    }
+
+    scope :by_role_types, lambda { |*role_types|
+      { 
+        :include => :roles, 
+        :conditions => ["roles.name IN (?)", role_types]
+      }
+    }
+
+    scope :exclude_role_types, lambda { |*role_types|
+      { 
+        :include => :roles, 
+        :conditions => ["roles.name NOT IN (?)", role_types]
+      }
+    }
+  end
+end

data/config/initializers/user.rb

@@ -0,0 +1,80 @@
+Role = Rbac::Role
+
+ActionDispatch::Callbacks.to_prepare do
+  User.class_eval do
+    acts_as_role_subject
+
+    has_many :roles, :dependent => :delete_all, :class_name => 'Rbac::Role' do
+      def by_context(object)
+        roles = by_site object
+        # TODO in theory we could skip the implicit roles here if roles were already found
+        # ... assuming that any site roles always include any implicit roles.
+        # roles += object.implicit_roles(proxy_owner) if object.respond_to? :implicit_roles
+        roles
+      end
+    
+      def by_site(object)
+        site = object.is_a?(Site) ? object : object.site
+        sql = "name = 'superuser' OR
+               context_id = ? AND context_type = 'Site' OR
+               context_id IN (?) AND context_type = 'Section'"
+        where([sql, site.id, site.section_ids])
+      end
+    end
+    
+    class << self
+      def admins_and_superusers
+        includes(:roles).where(['roles.name IN (?)', ['superuser', 'admin']])
+      end
+
+      def create_superuser(params)
+        user             = User.new(params)
+        user.verified_at = Time.zone.now
+      
+        user.email       = 'admin@example.org' if user.email.blank?
+        user.password    = 'admin' if user.password.blank?
+        user.first_name  = user.first_name_from_email
+      
+        user.send(:assign_password) # necessary because we bypass the validation hook
+        user.save(validate: false)
+        user.roles.create!(:name => 'superuser') # FIXME?
+        user
+      end
+
+      def by_role_and_context(role, context = nil)
+        type = Rbac::RoleType.build(role)
+        conditions = if type.requires_context?
+          ["roles.context_type = ? AND roles.context_id = ? AND roles.name = ?", context.class.to_s, context.id, type.name]
+        else
+          ["roles.name = ?", type.name]
+        end
+        includes(:roles).where(conditions)
+      end
+    
+      def role_matches_attributes?(attrs, role)
+        # FIXME remove symbolize_keys here
+        keys = [:name, :context_type, :context_id]
+        attrs.symbolize_keys.values_at(*keys).compact.map(&:to_s) == role.attributes.symbolize_keys.values_at(*keys).compact.map(&:to_s)
+      end
+    end
+
+    def roles_attributes=(roles_attributes)
+      selected_roles(roles_attributes).each { |role| self.roles << role }
+      unselected_roles(roles_attributes).each { |role| role.destroy }
+    end
+    
+    def selected_roles(roles_attributes = [])
+      # FIXME deep_stringify roles_attributes here
+      roles_attributes.collect do |attrs|
+        next unless attrs['selected'].to_i == 1
+        Rbac::Role.new(attrs.except('selected')) unless roles.any? { |role| self.class.role_matches_attributes?(attrs, role) }
+      end.compact
+    end
+    
+    def unselected_roles(roles_attributes = [])
+      roles.select do |role|
+        roles_attributes.any? { |attrs| attrs['selected'].to_i == 0 && self.class.role_matches_attributes?(attrs, role) }
+      end
+    end
+  end
+end