ae_declarative_authorization 0.7.0 → 0.7.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Appraisals +21 -21
- data/CHANGELOG +189 -189
- data/Gemfile +7 -7
- data/Gemfile.lock +45 -45
- data/LICENSE.txt +20 -20
- data/README.md +620 -620
- data/README.rdoc +597 -597
- data/Rakefile +33 -33
- data/authorization_rules.dist.rb +20 -20
- data/declarative_authorization.gemspec +24 -24
- data/gemfiles/rails4252.gemfile +10 -10
- data/gemfiles/rails4271.gemfile +10 -10
- data/gemfiles/rails507.gemfile +11 -11
- data/init.rb +5 -5
- data/lib/declarative_authorization.rb +18 -18
- data/lib/declarative_authorization/authorization.rb +821 -821
- data/lib/declarative_authorization/helper.rb +78 -78
- data/lib/declarative_authorization/in_controller.rb +713 -713
- data/lib/declarative_authorization/in_model.rb +156 -156
- data/lib/declarative_authorization/maintenance.rb +215 -215
- data/lib/declarative_authorization/obligation_scope.rb +345 -345
- data/lib/declarative_authorization/railsengine.rb +5 -5
- data/lib/declarative_authorization/reader.rb +549 -549
- data/lib/declarative_authorization/test/helpers.rb +261 -261
- data/lib/declarative_authorization/version.rb +3 -3
- data/lib/generators/authorization/install/install_generator.rb +77 -77
- data/lib/generators/authorization/rules/rules_generator.rb +13 -13
- data/lib/generators/authorization/rules/templates/authorization_rules.rb +27 -27
- data/lib/tasks/authorization_tasks.rake +89 -89
- data/test/authorization_test.rb +1121 -1121
- data/test/controller_filter_resource_access_test.rb +573 -573
- data/test/controller_test.rb +478 -478
- data/test/database.yml +3 -3
- data/test/dsl_reader_test.rb +178 -178
- data/test/functional/filter_access_to_with_id_in_scope_test.rb +88 -88
- data/test/functional/no_filter_access_to_test.rb +79 -79
- data/test/functional/params_block_arity_test.rb +39 -39
- data/test/helper_test.rb +248 -248
- data/test/maintenance_test.rb +46 -46
- data/test/model_test.rb +1840 -1840
- data/test/schema.sql +60 -60
- data/test/test_helper.rb +174 -174
- data/test/test_support/minitest_compatibility.rb +26 -26
- metadata +3 -9
- data/gemfiles/rails4252.gemfile.lock +0 -126
- data/gemfiles/rails4271.gemfile.lock +0 -126
- data/gemfiles/rails507.gemfile.lock +0 -136
- data/log/test.log +0 -34715
- data/test/profiles/access_checking +0 -46
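--- a/data/test/database.yml
+++ b/data/test/database.yml
@@ -1,3 +1,3 @@
-test:
-adapter: sqlite3
-database: ":memory:"
+test:
+adapter: sqlite3
+database: ":memory:"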
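--- a/data/test/dsl_reader_test.rb
+++ b/data/test/dsl_reader_test.rb
@@ -1,178 +1,178 @@
-require 'test_helper'
-
-class DSLReaderTest < Test::Unit::TestCase
-def test_privileges
-reader = Authorization::Reader::DSLReader.new
-reader.parse %{
-privileges do
-privilege :test_priv do
-includes :lower_priv
-end
-end
-}
-assert_equal 2, reader.privileges_reader.privileges.length
-assert_equal [[:lower_priv, nil]],
-reader.privileges_reader.privilege_hierarchy[:test_priv]
-end
-
-def test_privileges_with_context
-reader = Authorization::Reader::DSLReader.new
-reader.parse %{
-privileges do
-privilege :test_priv, :test_context do
-includes :lower_priv
-end
-end
-}
-assert_equal [[:lower_priv, :test_context]],
-reader.privileges_reader.privilege_hierarchy[:test_priv]
-end
-
-def test_privileges_one_line
-reader = Authorization::Reader::DSLReader.new
-reader.parse %{
-privileges do
-privilege :test_priv, :test_context, :includes => :lower_priv
-privilege :test_priv_2, :test_context, :includes => [:lower_priv]
-privilege :test_priv_3, :includes => [:lower_priv]
-end
-}
-assert_equal [[:lower_priv, :test_context]],
-reader.privileges_reader.privilege_hierarchy[:test_priv]
-assert_equal [[:lower_priv, :test_context]],
-reader.privileges_reader.privilege_hierarchy[:test_priv_2]
-assert_equal [[:lower_priv, nil]],
-reader.privileges_reader.privilege_hierarchy[:test_priv_3]
-end
-
-def test_auth_role
-reader = Authorization::Reader::DSLReader.new
-reader.parse %{
-authorization do
-role :test_role do
-includes :lesser_role
-has_permission_on :items, :to => :read
-end
-end
-}
-assert_equal 1, reader.auth_rules_reader.roles.length
-assert_equal [:lesser_role], reader.auth_rules_reader.role_hierarchy[:test_role]
-assert_equal 1, reader.auth_rules_reader.auth_rules.length
-end
-
-def test_auth_role_permit_on
-reader = Authorization::Reader::DSLReader.new
-reader.parse %|
-authorization do
-role :test_role do
-has_permission_on :test_context do
-to :test_perm, :manage
-if_attribute :test_attr => is { user.test_attr }
-end
-end
-end
-|
-assert_equal 1, reader.auth_rules_reader.roles.length
-assert_equal 1, reader.auth_rules_reader.auth_rules.length
-assert reader.auth_rules_reader.auth_rules[0].matches?(:test_role, [:test_perm], :test_context)
-assert reader.auth_rules_reader.auth_rules[0].matches?(:test_role, [:manage], :test_context)
-end
-
-def test_permit_block
-reader = Authorization::Reader::DSLReader.new
-reader.parse %|
-authorization do
-role :test_role do
-has_permission_on :perms, :to => :test do
-if_attribute :test_attr => is { user.test_attr }
-if_attribute :test_attr_2 => is_not { user.test_attr }
-if_attribute :test_attr_3 => contains { user.test_attr }
-if_attribute :test_attr_4 => does_not_contain { user.test_attr }
-if_attribute :test_attr_5 => is_in { user.test_attr }
-if_attribute :test_attr_5 => is_not_in { user.test_attr }
-if_attribute :test_attr_6 => lt { user.test_attr }
-if_attribute :test_attr_6 => lte { user.test_attr }
-if_attribute :test_attr_6 => gt { user.test_attr }
-if_attribute :test_attr_6 => gte { user.test_attr }
-end
-end
-end
-|
-assert_equal 1, reader.auth_rules_reader.roles.length
-assert_equal 1, reader.auth_rules_reader.auth_rules.length
-assert reader.auth_rules_reader.auth_rules[0].matches?(:test_role, [:test], :perms)
-end
-
-def test_has_permission_to_with_context
-reader = Authorization::Reader::DSLReader.new
-reader.parse %|
-authorization do
-role :test_role do
-has_permission_on :perms, :to => :test
-end
-end
-|
-assert_equal 1, reader.auth_rules_reader.roles.length
-assert_equal 1, reader.auth_rules_reader.auth_rules.length
-assert reader.auth_rules_reader.auth_rules[0].matches?(:test_role, [:test], :perms)
-end
-
-def test_context
-reader = Authorization::Reader::DSLReader.new
-reader.parse %{
-contexts do
-context :high_level_context do
-includes :low_level_context_1, :low_level_context_2
-end
-end
-}
-end
-
-def test_dsl_error
-reader = Authorization::Reader::DSLReader.new
-assert_raise(Authorization::Reader::DSLError) do
-reader.parse %{
-authorization do
-includes :lesser_role
-end
-}
-end
-end
-
-def test_syntax_error
-reader = Authorization::Reader::DSLReader.new
-assert_raise(Authorization::Reader::DSLSyntaxError) do
-reader.parse %{
-authorizations do
-end
-}
-end
-end
-
-def test_syntax_error_2
-reader = Authorization::Reader::DSLReader.new
-assert_raise(Authorization::Reader::DSLSyntaxError) do
-reader.parse %{
-authorizations
-end
-}
-end
-end
-
-def test_factory_returns_self
-reader = Authorization::Reader::DSLReader.new
-assert_equal(Authorization::Reader::DSLReader.factory(reader).object_id, reader.object_id)
-end
-
-def test_factory_loads_file
-reader = Authorization::Reader::DSLReader.factory((DA_ROOT + "authorization_rules.dist.rb").to_s)
-assert_equal(Authorization::Reader::DSLReader, reader.class)
-end
-
-def test_load_file_not_found
-assert_raise(Authorization::Reader::DSLFileNotFoundError) do
-Authorization::Reader::DSLReader.new.load!("nonexistent_file.rb")
-end
-end
-end
-
+require 'test_helper'
+
+class DSLReaderTest < Test::Unit::TestCase
+def test_privileges
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+privileges do
+privilege :test_priv do
+includes :lower_priv
+end
+end
+}
+assert_equal 2, reader.privileges_reader.privileges.length
+assert_equal [[:lower_priv, nil]],
+reader.privileges_reader.privilege_hierarchy[:test_priv]
+end
+
+def test_privileges_with_context
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+privileges do
+privilege :test_priv, :test_context do
+includes :lower_priv
+end
+end
+}
+assert_equal [[:lower_priv, :test_context]],
+reader.privileges_reader.privilege_hierarchy[:test_priv]
+end
+
+def test_privileges_one_line
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+privileges do
+privilege :test_priv, :test_context, :includes => :lower_priv
+privilege :test_priv_2, :test_context, :includes => [:lower_priv]
+privilege :test_priv_3, :includes => [:lower_priv]
+end
+}
+assert_equal [[:lower_priv, :test_context]],
+reader.privileges_reader.privilege_hierarchy[:test_priv]
+assert_equal [[:lower_priv, :test_context]],
+reader.privileges_reader.privilege_hierarchy[:test_priv_2]
+assert_equal [[:lower_priv, nil]],
+reader.privileges_reader.privilege_hierarchy[:test_priv_3]
+end
+
+def test_auth_role
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+includes :lesser_role
+has_permission_on :items, :to => :read
+end
+end
+}
+assert_equal 1, reader.auth_rules_reader.roles.length
+assert_equal [:lesser_role], reader.auth_rules_reader.role_hierarchy[:test_role]
+assert_equal 1, reader.auth_rules_reader.auth_rules.length
+end
+
+def test_auth_role_permit_on
+reader = Authorization::Reader::DSLReader.new
+reader.parse %|
+authorization do
+role :test_role do
+has_permission_on :test_context do
+to :test_perm, :manage
+if_attribute :test_attr => is { user.test_attr }
+end
+end
+end
+|
+assert_equal 1, reader.auth_rules_reader.roles.length
+assert_equal 1, reader.auth_rules_reader.auth_rules.length
+assert reader.auth_rules_reader.auth_rules[0].matches?(:test_role, [:test_perm], :test_context)
+assert reader.auth_rules_reader.auth_rules[0].matches?(:test_role, [:manage], :test_context)
+end
+
+def test_permit_block
+reader = Authorization::Reader::DSLReader.new
+reader.parse %|
+authorization do
+role :test_role do
+has_permission_on :perms, :to => :test do
+if_attribute :test_attr => is { user.test_attr }
+if_attribute :test_attr_2 => is_not { user.test_attr }
+if_attribute :test_attr_3 => contains { user.test_attr }
+if_attribute :test_attr_4 => does_not_contain { user.test_attr }
+if_attribute :test_attr_5 => is_in { user.test_attr }
+if_attribute :test_attr_5 => is_not_in { user.test_attr }
+if_attribute :test_attr_6 => lt { user.test_attr }
+if_attribute :test_attr_6 => lte { user.test_attr }
+if_attribute :test_attr_6 => gt { user.test_attr }
+if_attribute :test_attr_6 => gte { user.test_attr }
+end
+end
+end
+|
+assert_equal 1, reader.auth_rules_reader.roles.length
+assert_equal 1, reader.auth_rules_reader.auth_rules.length
+assert reader.auth_rules_reader.auth_rules[0].matches?(:test_role, [:test], :perms)
+end
+
+def test_has_permission_to_with_context
+reader = Authorization::Reader::DSLReader.new
+reader.parse %|
+authorization do
+role :test_role do
+has_permission_on :perms, :to => :test
+end
+end
+|
+assert_equal 1, reader.auth_rules_reader.roles.length
+assert_equal 1, reader.auth_rules_reader.auth_rules.length
+assert reader.auth_rules_reader.auth_rules[0].matches?(:test_role, [:test], :perms)
+end
+
+def test_context
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+contexts do
+context :high_level_context do
+includes :low_level_context_1, :low_level_context_2
+end
+end
+}
+end
+
+def test_dsl_error
+reader = Authorization::Reader::DSLReader.new
+assert_raise(Authorization::Reader::DSLError) do
+reader.parse %{
+authorization do
+includes :lesser_role
+end
+}
+end
+end
+
+def test_syntax_error
+reader = Authorization::Reader::DSLReader.new
+assert_raise(Authorization::Reader::DSLSyntaxError) do
+reader.parse %{
+authorizations do
+end
+}
+end
+end
+
+def test_syntax_error_2
+reader = Authorization::Reader::DSLReader.new
+assert_raise(Authorization::Reader::DSLSyntaxError) do
+reader.parse %{
+authorizations
+end
+}
+end
+end
+
+def test_factory_returns_self
+reader = Authorization::Reader::DSLReader.new
+assert_equal(Authorization::Reader::DSLReader.factory(reader).object_id, reader.object_id)
+end
+
+def test_factory_loads_file
+reader = Authorization::Reader::DSLReader.factory((DA_ROOT + "authorization_rules.dist.rb").to_s)
+assert_equal(Authorization::Reader::DSLReader, reader.class)
+end
+
+def test_load_file_not_found
+assert_raise(Authorization::Reader::DSLFileNotFoundError) do
+Authorization::Reader::DSLReader.new.load!("nonexistent_file.rb")
+end
+end
+end
+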
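--- a/data/test/functional/filter_access_to_with_id_in_scope_test.rb
+++ b/data/test/functional/filter_access_to_with_id_in_scope_test.rb
@@ -1,88 +1,88 @@
-require 'test_helper'
-
-class UsersController < MocksController
-before_action :initialize_user
-filter_access_to :all, attribute_check: true
-define_action_methods :show
-
-def initialize_user
-@user = User.find(params[:id])
-end
-end
-
-class FilterAccessToWithIdInScopeTest < ActionController::TestCase
-include DeclarativeAuthorization::Test::Helpers
-
-tests UsersController
-
-access_tests do
-params :user do |old_user, new_user|
-assert_equal :old_user, old_user
-assert_equal :new_user, new_user
-{ id: User.create! }
-end
-
-role :users do
-privilege :read do
-allowed to: :show, with: :user
-end
-end
-end
-
-AUTHORIZATION_RULES = <<-RULES.freeze
-authorization do
-role :users__read do
-has_permission_on :users, :to => [:show] do
-if_attribute :id => id_in_scope { User.visible_by(user) }
-end
-end
-end
-RULES
-
-setup do
-@reader = Authorization::Reader::DSLReader.new
-@reader.parse(AUTHORIZATION_RULES)
-Authorization::Engine.instance(@reader)
-end
-
-def test_id_in_scope__filter_access_to__has_access
-with_routing do |map|
-setup_routes(map)
-
-current_user = User.create!(role_symbols: [:users__read])
-different_user = User.create!
-
-request!(current_user, :show, @reader, id: current_user.id)
-assert @controller.authorized?
-end
-end
-
-def test_id_in_scope__filter_access_to__does_not_have_access
-with_routing do |map|
-setup_routes(map)
-
-current_user = User.create!(role_symbols: [:users__read])
-different_user = User.create!
-
-request!(current_user, :show, @reader, id: different_user.id)
-assert !@controller.authorized?
-end
-end
-
-private
-
-def setup_routes(map)
-map.draw do
-get '/users', controller: 'users', action: :show
-end
-end
-
-def access_test_user(role, privilege)
-User.new(role_symbols: [ :"#{role}__#{privilege}" ])
-end
-
-def access_test_params_for_param_methods
-[:old_user, :new_user]
-end
-end
-
+require 'test_helper'
+
+class UsersController < MocksController
+before_action :initialize_user
+filter_access_to :all, attribute_check: true
+define_action_methods :show
+
+def initialize_user
+@user = User.find(params[:id])
+end
+end
+
+class FilterAccessToWithIdInScopeTest < ActionController::TestCase
+include DeclarativeAuthorization::Test::Helpers
+
+tests UsersController
+
+access_tests do
+params :user do |old_user, new_user|
+assert_equal :old_user, old_user
+assert_equal :new_user, new_user
+{ id: User.create! }
+end
+
+role :users do
+privilege :read do
+allowed to: :show, with: :user
+end
+end
+end
+
+AUTHORIZATION_RULES = <<-RULES.freeze
+authorization do
+role :users__read do
+has_permission_on :users, :to => [:show] do
+if_attribute :id => id_in_scope { User.visible_by(user) }
+end
+end
+end
+RULES
+
+setup do
+@reader = Authorization::Reader::DSLReader.new
+@reader.parse(AUTHORIZATION_RULES)
+Authorization::Engine.instance(@reader)
+end
+
+def test_id_in_scope__filter_access_to__has_access
+with_routing do |map|
+setup_routes(map)
+
+current_user = User.create!(role_symbols: [:users__read])
+different_user = User.create!
+
+request!(current_user, :show, @reader, id: current_user.id)
+assert @controller.authorized?
+end
+end
+
+def test_id_in_scope__filter_access_to__does_not_have_access
+with_routing do |map|
+setup_routes(map)
+
+current_user = User.create!(role_symbols: [:users__read])
+different_user = User.create!
+
+request!(current_user, :show, @reader, id: different_user.id)
+assert !@controller.authorized?
+end
+end
+
+private
+
+def setup_routes(map)
+map.draw do
+get '/users', controller: 'users', action: :show
+end
+end
+
+def access_test_user(role, privilege)
+User.new(role_symbols: [ :"#{role}__#{privilege}" ])
+end
+
+def access_test_params_for_param_methods
+[:old_user, :new_user]
+end
+end
+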