ae_declarative_authorization 0.7.1 → 0.8.0

Files changed (56) hide show
  1. checksums.yaml +5 -5
  2. data/Appraisals +31 -21
  3. data/CHANGELOG +189 -189
  4. data/Gemfile +7 -7
  5. data/Gemfile.lock +68 -60
  6. data/LICENSE.txt +20 -20
  7. data/README.md +620 -620
  8. data/README.rdoc +597 -597
  9. data/Rakefile +35 -33
  10. data/authorization_rules.dist.rb +20 -20
  11. data/declarative_authorization.gemspec +24 -24
  12. data/gemfiles/rails4252.gemfile +10 -10
  13. data/gemfiles/rails4252.gemfile.lock +126 -0
  14. data/gemfiles/rails4271.gemfile +10 -10
  15. data/gemfiles/rails4271.gemfile.lock +126 -0
  16. data/gemfiles/rails507.gemfile +11 -11
  17. data/gemfiles/rails507.gemfile.lock +136 -0
  18. data/gemfiles/rails516.gemfile +11 -0
  19. data/gemfiles/rails516.gemfile.lock +136 -0
  20. data/gemfiles/rails521.gemfile +11 -0
  21. data/gemfiles/rails521.gemfile.lock +144 -0
  22. data/init.rb +5 -5
  23. data/lib/declarative_authorization.rb +18 -18
  24. data/lib/declarative_authorization/authorization.rb +821 -821
  25. data/lib/declarative_authorization/helper.rb +78 -78
  26. data/lib/declarative_authorization/in_controller.rb +713 -713
  27. data/lib/declarative_authorization/in_model.rb +156 -156
  28. data/lib/declarative_authorization/maintenance.rb +215 -215
  29. data/lib/declarative_authorization/obligation_scope.rb +348 -345
  30. data/lib/declarative_authorization/railsengine.rb +5 -5
  31. data/lib/declarative_authorization/reader.rb +549 -549
  32. data/lib/declarative_authorization/test/helpers.rb +261 -261
  33. data/lib/declarative_authorization/version.rb +3 -3
  34. data/lib/generators/authorization/install/install_generator.rb +77 -77
  35. data/lib/generators/authorization/rules/rules_generator.rb +13 -13
  36. data/lib/generators/authorization/rules/templates/authorization_rules.rb +27 -27
  37. data/lib/tasks/authorization_tasks.rake +89 -89
  38. data/log/test.log +15246 -0
  39. data/pkg/ae_declarative_authorization-0.7.1.gem +0 -0
  40. data/pkg/ae_declarative_authorization-0.8.0.gem +0 -0
  41. data/test/authorization_test.rb +1121 -1121
  42. data/test/controller_filter_resource_access_test.rb +573 -573
  43. data/test/controller_test.rb +478 -478
  44. data/test/database.yml +3 -3
  45. data/test/dsl_reader_test.rb +178 -178
  46. data/test/functional/filter_access_to_with_id_in_scope_test.rb +88 -88
  47. data/test/functional/no_filter_access_to_test.rb +79 -79
  48. data/test/functional/params_block_arity_test.rb +39 -39
  49. data/test/helper_test.rb +248 -248
  50. data/test/maintenance_test.rb +46 -46
  51. data/test/model_test.rb +1840 -1840
  52. data/test/profiles/access_checking +20 -0
  53. data/test/schema.sql +60 -60
  54. data/test/test_helper.rb +174 -174
  55. data/test/test_support/minitest_compatibility.rb +26 -26
  56. metadata +17 -5
@@ -1,1121 +1,1121 @@
1
- require 'test_helper'
2
-
3
- class AuthorizationTest < Test::Unit::TestCase
4
-
5
- def test_permit
6
- reader = Authorization::Reader::DSLReader.new
7
- reader.parse %{
8
- authorization do
9
- role :test_role do
10
- has_permission_on :permissions, :to => :test
11
- end
12
- end
13
- }
14
- engine = Authorization::Engine.new(reader)
15
- assert engine.permit?(:test, :context => :permissions,
16
- :user => MockUser.new(:test_role, :test_role_2))
17
- assert !engine.permit?(:test_2, :context => :permissions_2,
18
- :user => MockUser.new(:test_role))
19
- assert !engine.permit?(:test, :context => :permissions,
20
- :user => MockUser.new(:test_role_2))
21
- end
22
-
23
- def test_permit_context_people
24
- reader = Authorization::Reader::DSLReader.new
25
- reader.parse %{
26
- authorization do
27
- role :test_role do
28
- has_permission_on :people, :to => :test
29
- end
30
- end
31
- }
32
- engine = Authorization::Engine.new(reader)
33
- assert engine.permit?(:test, :context => :people,
34
- :user => MockUser.new(:test_role))
35
- end
36
-
37
- def test_permit_with_has_omnipotence
38
- reader = Authorization::Reader::DSLReader.new
39
- reader.parse %{
40
- authorization do
41
- role :admin do
42
- has_omnipotence
43
- end
44
- end
45
- }
46
- engine = Authorization::Engine.new(reader)
47
- assert engine.permit?(:test, :context => :people,
48
- :user => MockUser.new(:admin))
49
- end
50
-
51
- def test_permit_multiple_contexts
52
- reader = Authorization::Reader::DSLReader.new
53
- reader.parse %{
54
- authorization do
55
- role :test_role do
56
- has_permission_on [:permissions, :permissions_2], :to => :test
57
- has_permission_on :permissions_4, :permissions_5, :to => :test
58
- end
59
- end
60
- }
61
- engine = Authorization::Engine.new(reader)
62
- assert engine.permit?(:test, :context => :permissions,
63
- :user => MockUser.new(:test_role))
64
- assert engine.permit?(:test, :context => :permissions_2,
65
- :user => MockUser.new(:test_role))
66
- assert !engine.permit?(:test, :context => :permissions_3,
67
- :user => MockUser.new(:test_role))
68
-
69
- assert engine.permit?(:test, :context => :permissions_4, :user => MockUser.new(:test_role))
70
- assert engine.permit?(:test, :context => :permissions_5, :user => MockUser.new(:test_role))
71
- end
72
-
73
- def test_permit_with_frozen_roles
74
- reader = Authorization::Reader::DSLReader.new
75
- reader.parse %{
76
- authorization do
77
- role :other_role do
78
- includes :test_role
79
- end
80
- role :test_role do
81
- has_permission_on :permissions, :to => :test
82
- end
83
- end
84
- }
85
- engine = Authorization::Engine.new(reader)
86
- roles = [:other_role].freeze
87
- assert engine.permit?(:test, :context => :permissions,
88
- :user => MockUser.new(:role_symbols => roles))
89
- end
90
-
91
- def test_obligations_without_conditions
92
- reader = Authorization::Reader::DSLReader.new
93
- reader.parse %{
94
- authorization do
95
- role :test_role do
96
- has_permission_on :permissions, :to => :test
97
- end
98
- end
99
- }
100
- engine = Authorization::Engine.new(reader)
101
- assert_equal [{}], engine.obligations(:test, :context => :permissions,
102
- :user => MockUser.new(:test_role))
103
- end
104
-
105
- def test_obligations_with_conditions
106
- reader = Authorization::Reader::DSLReader.new
107
- reader.parse %{
108
- authorization do
109
- role :test_role do
110
- has_permission_on :permissions, :to => :test do
111
- if_attribute :attr => is { user.attr }
112
- end
113
- end
114
- end
115
- }
116
- engine = Authorization::Engine.new(reader)
117
- assert_equal [{:attr => [:is, 1]}],
118
- engine.obligations(:test, :context => :permissions,
119
- :user => MockUser.new(:test_role, :attr => 1))
120
- end
121
-
122
- def test_obligations_with_omnipotence
123
- reader = Authorization::Reader::DSLReader.new
124
- reader.parse %{
125
- authorization do
126
- role :admin do
127
- has_omnipotence
128
- end
129
- role :test_role do
130
- has_permission_on :permissions, :to => :test do
131
- if_attribute :attr => is { user.attr }
132
- end
133
- end
134
- end
135
- }
136
- engine = Authorization::Engine.new(reader)
137
- assert_equal [],
138
- engine.obligations(:test, :context => :permissions,
139
- :user => MockUser.new(:test_role, :admin, :attr => 1))
140
- end
141
-
142
- def test_obligations_with_anded_conditions
143
- reader = Authorization::Reader::DSLReader.new
144
- reader.parse %{
145
- authorization do
146
- role :test_role do
147
- has_permission_on :permissions, :to => :test, :join_by => :and do
148
- if_attribute :attr => is { user.attr }
149
- if_attribute :attr_2 => is { user.attr_2 }
150
- end
151
- end
152
- end
153
- }
154
- engine = Authorization::Engine.new(reader)
155
- assert_equal [{:attr => [:is, 1], :attr_2 => [:is, 2]}],
156
- engine.obligations(:test, :context => :permissions,
157
- :user => MockUser.new(:test_role, :attr => 1, :attr_2 => 2))
158
- end
159
-
160
- def test_obligations_with_deep_anded_conditions
161
- reader = Authorization::Reader::DSLReader.new
162
- reader.parse %{
163
- authorization do
164
- role :test_role do
165
- has_permission_on :permissions, :to => :test, :join_by => :and do
166
- if_attribute :attr => { :deeper_attr => is { user.deeper_attr }}
167
- if_attribute :attr => { :deeper_attr_2 => is { user.deeper_attr_2 }}
168
- end
169
- end
170
- end
171
- }
172
- engine = Authorization::Engine.new(reader)
173
- assert_equal [{:attr => { :deeper_attr => [:is, 1], :deeper_attr_2 => [:is, 2] } }],
174
- engine.obligations(:test, :context => :permissions,
175
- :user => MockUser.new(:test_role, :deeper_attr => 1, :deeper_attr_2 => 2))
176
- end
177
-
178
- def test_obligations_with_has_many
179
- reader = Authorization::Reader::DSLReader.new
180
- reader.parse %{
181
- authorization do
182
- role :test_role do
183
- has_permission_on :permissions, :to => :test do
184
- if_attribute :attrs => { :deeper_attr => is { user.deeper_attr } }
185
- end
186
- end
187
- end
188
- }
189
- engine = Authorization::Engine.new(reader)
190
- assert_equal [{:attrs => {:deeper_attr => [:is, 1]}}],
191
- engine.obligations(:test, :context => :permissions,
192
- :user => MockUser.new(:test_role, :deeper_attr => 1))
193
- end
194
-
195
- def test_obligations_with_conditions_and_empty
196
- reader = Authorization::Reader::DSLReader.new
197
- reader.parse %{
198
- authorization do
199
- role :test_role do
200
- has_permission_on :permissions, :to => :test
201
- has_permission_on :permissions, :to => :test do
202
- if_attribute :attr => is { user.attr }
203
- end
204
- end
205
- end
206
- }
207
- engine = Authorization::Engine.new(reader)
208
- assert_equal [{}, {:attr => [:is, 1]}],
209
- engine.obligations(:test, :context => :permissions,
210
- :user => MockUser.new(:test_role, :attr => 1))
211
- end
212
-
213
- def test_obligations_with_permissions
214
- reader = Authorization::Reader::DSLReader.new
215
- reader.parse %{
216
- authorization do
217
- role :test_role do
218
- has_permission_on :permissions, :to => :test do
219
- if_attribute :attr => is { user.attr }
220
- end
221
- has_permission_on :permission_children, :to => :test do
222
- if_permitted_to :test, :permission, :context => :permissions
223
- end
224
- has_permission_on :permission_children_2, :to => :test do
225
- if_permitted_to :test, :permission
226
- end
227
- has_permission_on :permission_children_children, :to => :test do
228
- if_permitted_to :test, :permission_child => :permission,
229
- :context => :permissions
230
- end
231
- end
232
- end
233
- }
234
- engine = Authorization::Engine.new(reader)
235
- assert_equal [{:permission => {:attr => [:is, 1]}}],
236
- engine.obligations(:test, :context => :permission_children,
237
- :user => MockUser.new(:test_role, :attr => 1))
238
- assert_equal [{:permission => {:attr => [:is, 1]}}],
239
- engine.obligations(:test, :context => :permission_children_2,
240
- :user => MockUser.new(:test_role, :attr => 1))
241
- assert_equal [{:permission_child => {:permission => {:attr => [:is, 1]}}}],
242
- engine.obligations(:test, :context => :permission_children_children,
243
- :user => MockUser.new(:test_role, :attr => 1))
244
- end
245
-
246
- def test_obligations_with_has_many_permissions
247
- reader = Authorization::Reader::DSLReader.new
248
- reader.parse %{
249
- authorization do
250
- role :test_role do
251
- has_permission_on :permissions, :to => :test do
252
- if_attribute :attr => is { user.attr }
253
- end
254
- has_permission_on :permission_children, :to => :test do
255
- if_permitted_to :test, :permissions, :context => :permissions
256
- end
257
- has_permission_on :permission_children_2, :to => :test do
258
- if_permitted_to :test, :permissions
259
- end
260
- has_permission_on :permission_children_children, :to => :test do
261
- if_permitted_to :test, :permission_child => :permissions,
262
- :context => :permissions
263
- end
264
- end
265
- end
266
- }
267
- engine = Authorization::Engine.new(reader)
268
- assert_equal [{:permissions => {:attr => [:is, 1]}}],
269
- engine.obligations(:test, :context => :permission_children,
270
- :user => MockUser.new(:test_role, :attr => 1))
271
- assert_equal [{:permissions => {:attr => [:is, 1]}}],
272
- engine.obligations(:test, :context => :permission_children_2,
273
- :user => MockUser.new(:test_role, :attr => 1))
274
- assert_equal [{:permission_child => {:permissions => {:attr => [:is, 1]}}}],
275
- engine.obligations(:test, :context => :permission_children_children,
276
- :user => MockUser.new(:test_role, :attr => 1))
277
- end
278
-
279
- def test_obligations_with_permissions_multiple
280
- reader = Authorization::Reader::DSLReader.new
281
- reader.parse %{
282
- authorization do
283
- role :test_role do
284
- has_permission_on :permissions, :to => :test do
285
- if_attribute :attr => is { 1 }
286
- if_attribute :attr => is { 2 }
287
- end
288
- has_permission_on :permission_children_children, :to => :test do
289
- if_permitted_to :test, :permission_child => :permission
290
- end
291
- end
292
- end
293
- }
294
- engine = Authorization::Engine.new(reader)
295
- assert_equal [{:permission_child => {:permission => {:attr => [:is, 1]}}},
296
- {:permission_child => {:permission => {:attr => [:is, 2]}}}],
297
- engine.obligations(:test, :context => :permission_children_children,
298
- :user => MockUser.new(:test_role))
299
- end
300
-
301
- def test_obligations_with_permissions_and_anded_conditions
302
- reader = Authorization::Reader::DSLReader.new
303
- reader.parse %{
304
- authorization do
305
- role :test_role do
306
- has_permission_on :permission_children, :to => :test, :join_by => :and do
307
- if_permitted_to :test, :permission
308
- if_attribute :test_attr => 1
309
- end
310
- has_permission_on :permissions, :to => :test do
311
- if_attribute :test_attr => 1
312
- end
313
- end
314
- end
315
- }
316
- engine = Authorization::Engine.new(reader)
317
-
318
- assert_equal [{:test_attr => [:is, 1], :permission => {:test_attr => [:is, 1]}}],
319
- engine.obligations(:test, :context => :permission_children,
320
- :user => MockUser.new(:test_role))
321
- end
322
-
323
- def test_guest_user
324
- reader = Authorization::Reader::DSLReader.new
325
- reader.parse %{
326
- authorization do
327
- role :guest do
328
- has_permission_on :permissions, :to => :test
329
- end
330
- end
331
- }
332
- engine = Authorization::Engine.new(reader)
333
- Authorization.stub :current_user, MockUser.new do
334
- assert engine.permit?(:test, :context => :permissions)
335
- assert !engine.permit?(:test, :context => :permissions_2)
336
- end
337
- end
338
-
339
- def test_default_role
340
- reader = Authorization::Reader::DSLReader.new
341
- reader.parse %{
342
- authorization do
343
- role :anonymous do
344
- has_permission_on :permissions, :to => :test
345
- end
346
- end
347
- }
348
- Authorization.stub :default_role, :anonymous do
349
- engine = Authorization::Engine.new(reader)
350
- Authorization.stub :current_user, MockUser.new do
351
- assert engine.permit?(:test, :context => :permissions)
352
- end
353
- assert !engine.permit?(:test, :context => :permissions,
354
- :user => MockUser.new(:guest))
355
- end
356
- end
357
-
358
- def test_invalid_user_model
359
- reader = Authorization::Reader::DSLReader.new
360
- reader.parse %{
361
- authorization do
362
- role :guest do
363
- has_permission_on :permissions, :to => :test
364
- end
365
- end
366
- }
367
- engine = Authorization::Engine.new(reader)
368
- assert_raise(Authorization::AuthorizationUsageError) do
369
- engine.permit?(:test, :context => :permissions, :user => MockUser.new(1, 2))
370
- end
371
- assert_raise(Authorization::AuthorizationUsageError) do
372
- engine.permit?(:test, :context => :permissions, :user => MockDataObject.new)
373
- end
374
- end
375
-
376
- def test_role_hierarchy
377
- reader = Authorization::Reader::DSLReader.new
378
- reader.parse %{
379
- authorization do
380
- role :test_role do
381
- includes :lower_role
382
- has_permission_on :permissions, :to => :test
383
- end
384
- role :lower_role do
385
- has_permission_on :permissions, :to => :lower
386
- end
387
- end
388
- }
389
- engine = Authorization::Engine.new(reader)
390
- assert engine.permit?(:lower, :context => :permissions,
391
- :user => MockUser.new(:test_role))
392
- end
393
-
394
- def test_role_hierarchy_infinity
395
- reader = Authorization::Reader::DSLReader.new
396
- reader.parse %{
397
- authorization do
398
- role :test_role do
399
- includes :lower_role
400
- has_permission_on :permissions, :to => :test
401
- end
402
- role :lower_role do
403
- includes :higher_role
404
- has_permission_on :permissions, :to => :lower
405
- end
406
- end
407
- }
408
- engine = Authorization::Engine.new(reader)
409
- assert engine.permit?(:lower, :context => :permissions,
410
- :user => MockUser.new(:test_role))
411
- end
412
-
413
- def test_privilege_hierarchy
414
- reader = Authorization::Reader::DSLReader.new
415
- reader.parse %{
416
- privileges do
417
- privilege :test, :permissions do
418
- includes :lower
419
- end
420
- end
421
- authorization do
422
- role :test_role do
423
- has_permission_on :permissions, :to => :test
424
- end
425
- end
426
- }
427
- engine = Authorization::Engine.new(reader)
428
- assert engine.permit?(:lower, :context => :permissions,
429
- :user => MockUser.new(:test_role))
430
- end
431
-
432
- def test_privilege_hierarchy_without_context
433
- reader = Authorization::Reader::DSLReader.new
434
- reader.parse %{
435
- privileges do
436
- privilege :read do
437
- includes :list, :show
438
- end
439
- end
440
- authorization do
441
- role :test_role do
442
- has_permission_on :permissions, :to => :read
443
- end
444
- end
445
- }
446
- engine = Authorization::Engine.new(reader)
447
- assert engine.permit?(:list, :context => :permissions,
448
- :user => MockUser.new(:test_role))
449
- end
450
-
451
- def test_attribute_is
452
- reader = Authorization::Reader::DSLReader.new
453
- reader.parse %|
454
- authorization do
455
- role :test_role do
456
- has_permission_on :permissions, :to => :test do
457
- if_attribute :test_attr => is { user.test_attr }
458
- if_attribute :test_attr => 3
459
- end
460
- end
461
- end
462
- |
463
- engine = Authorization::Engine.new(reader)
464
- assert engine.permit?(:test, :context => :permissions,
465
- :user => MockUser.new(:test_role, :test_attr => 1),
466
- :object => MockDataObject.new(:test_attr => 1))
467
- assert engine.permit?(:test, :context => :permissions,
468
- :user => MockUser.new(:test_role, :test_attr => 2),
469
- :object => MockDataObject.new(:test_attr => 3))
470
- assert((not(engine.permit?(:test, :context => :permissions,
471
- :user => MockUser.new(:test_role, :test_attr => 2),
472
- :object => MockDataObject.new(:test_attr => 1)))))
473
- end
474
-
475
- def test_attribute_is_not
476
- reader = Authorization::Reader::DSLReader.new
477
- reader.parse %|
478
- authorization do
479
- role :test_role do
480
- has_permission_on :permissions, :to => :test do
481
- if_attribute :test_attr => is_not { user.test_attr }
482
- end
483
- end
484
- end
485
- |
486
- engine = Authorization::Engine.new(reader)
487
- assert !engine.permit?(:test, :context => :permissions,
488
- :user => MockUser.new(:test_role, :test_attr => 1),
489
- :object => MockDataObject.new(:test_attr => 1))
490
- assert engine.permit?(:test, :context => :permissions,
491
- :user => MockUser.new(:test_role, :test_attr => 2),
492
- :object => MockDataObject.new(:test_attr => 1))
493
- end
494
-
495
- def test_attribute_contains
496
- reader = Authorization::Reader::DSLReader.new
497
- reader.parse %|
498
- authorization do
499
- role :test_role do
500
- has_permission_on :permissions, :to => :test do
501
- if_attribute :test_attr => contains { user.test_attr }
502
- end
503
- end
504
- end
505
- |
506
- engine = Authorization::Engine.new(reader)
507
- assert engine.permit?(:test, :context => :permissions,
508
- :user => MockUser.new(:test_role, :test_attr => 1),
509
- :object => MockDataObject.new(:test_attr => [1,2]))
510
- assert !engine.permit?(:test, :context => :permissions,
511
- :user => MockUser.new(:test_role, :test_attr => 3),
512
- :object => MockDataObject.new(:test_attr => [1,2]))
513
- end
514
-
515
- def test_attribute_does_not_contain
516
- reader = Authorization::Reader::DSLReader.new
517
- reader.parse %|
518
- authorization do
519
- role :test_role do
520
- has_permission_on :permissions, :to => :test do
521
- if_attribute :test_attr => does_not_contain { user.test_attr }
522
- end
523
- end
524
- end
525
- |
526
- engine = Authorization::Engine.new(reader)
527
- assert !engine.permit?(:test, :context => :permissions,
528
- :user => MockUser.new(:test_role, :test_attr => 1),
529
- :object => MockDataObject.new(:test_attr => [1,2]))
530
- assert engine.permit?(:test, :context => :permissions,
531
- :user => MockUser.new(:test_role, :test_attr => 3),
532
- :object => MockDataObject.new(:test_attr => [1,2]))
533
- end
534
-
535
- def test_attribute_in_array
536
- reader = Authorization::Reader::DSLReader.new
537
- reader.parse %|
538
- authorization do
539
- role :test_role do
540
- has_permission_on :permissions, :to => :test do
541
- if_attribute :test_attr => is_in { [1,2] }
542
- if_attribute :test_attr => [2,3]
543
- end
544
- end
545
- end
546
- |
547
- engine = Authorization::Engine.new(reader)
548
- assert engine.permit?(:test, :context => :permissions,
549
- :user => MockUser.new(:test_role),
550
- :object => MockDataObject.new(:test_attr => 1))
551
- assert engine.permit?(:test, :context => :permissions,
552
- :user => MockUser.new(:test_role),
553
- :object => MockDataObject.new(:test_attr => 3))
554
- assert !engine.permit?(:test, :context => :permissions,
555
- :user => MockUser.new(:test_role),
556
- :object => MockDataObject.new(:test_attr => 4))
557
- end
558
-
559
- def test_attribute_not_in_array
560
- reader = Authorization::Reader::DSLReader.new
561
- reader.parse %|
562
- authorization do
563
- role :test_role do
564
- has_permission_on :permissions, :to => :test do
565
- if_attribute :test_attr => is_not_in { [1,2] }
566
- end
567
- end
568
- end
569
- |
570
- engine = Authorization::Engine.new(reader)
571
- assert !engine.permit?(:test, :context => :permissions,
572
- :user => MockUser.new(:test_role),
573
- :object => MockDataObject.new(:test_attr => 1))
574
- assert engine.permit?(:test, :context => :permissions,
575
- :user => MockUser.new(:test_role),
576
- :object => MockDataObject.new(:test_attr => 4))
577
- end
578
-
579
- def test_attribute_intersects_with
580
- reader = Authorization::Reader::DSLReader.new
581
- reader.parse %{
582
- authorization do
583
- role :test_role do
584
- has_permission_on :permissions, :to => :test do
585
- if_attribute :test_attrs => intersects_with { [1,2] }
586
- end
587
- end
588
- role :test_role_2 do
589
- has_permission_on :permissions, :to => :test do
590
- if_attribute :test_attrs => intersects_with { 1 }
591
- end
592
- end
593
- end
594
- }
595
-
596
- engine = Authorization::Engine.new(reader)
597
- assert_raise Authorization::AuthorizationUsageError do
598
- engine.permit?(:test, :context => :permissions,
599
- :user => MockUser.new(:test_role),
600
- :object => MockDataObject.new(:test_attrs => 1 ))
601
- end
602
- assert_raise Authorization::AuthorizationUsageError do
603
- engine.permit?(:test, :context => :permissions,
604
- :user => MockUser.new(:test_role_2),
605
- :object => MockDataObject.new(:test_attrs => [1, 2] ))
606
- end
607
- assert engine.permit?(:test, :context => :permissions,
608
- :user => MockUser.new(:test_role),
609
- :object => MockDataObject.new(:test_attrs => [1,3] ))
610
- assert !engine.permit?(:test, :context => :permissions,
611
- :user => MockUser.new(:test_role),
612
- :object => MockDataObject.new(:test_attrs => [3,4] ))
613
- end
614
-
615
- def test_attribute_lte
616
- reader = Authorization::Reader::DSLReader.new
617
- reader.parse %|
618
- authorization do
619
- role :test_role do
620
- has_permission_on :permissions, :to => :test do
621
- if_attribute :test_attr => lte { user.test_attr }
622
- if_attribute :test_attr => 3
623
- end
624
- end
625
- end
626
- |
627
- engine = Authorization::Engine.new(reader)
628
- # object < user -> pass
629
- assert engine.permit?(:test, :context => :permissions,
630
- :user => MockUser.new(:test_role, :test_attr => 2),
631
- :object => MockDataObject.new(:test_attr => 1))
632
- # object > user && object = control -> pass
633
- assert engine.permit?(:test, :context => :permissions,
634
- :user => MockUser.new(:test_role, :test_attr => 2),
635
- :object => MockDataObject.new(:test_attr => 3))
636
- # object = user -> pass
637
- assert engine.permit?(:test, :context => :permissions,
638
- :user => MockUser.new(:test_role, :test_attr => 1),
639
- :object => MockDataObject.new(:test_attr => 1))
640
- # object > user -> fail
641
- assert((not(engine.permit?(:test, :context => :permissions,
642
- :user => MockUser.new(:test_role, :test_attr => 1),
643
- :object => MockDataObject.new(:test_attr => 2)))))
644
- end
645
-
646
- def test_attribute_gt
647
- reader = Authorization::Reader::DSLReader.new
648
- reader.parse %|
649
- authorization do
650
- role :test_role do
651
- has_permission_on :permissions, :to => :test do
652
- if_attribute :test_attr => gt { user.test_attr }
653
- if_attribute :test_attr => 3
654
- end
655
- end
656
- end
657
- |
658
- engine = Authorization::Engine.new(reader)
659
- # object > user -> pass
660
- assert engine.permit?(:test, :context => :permissions,
661
- :user => MockUser.new(:test_role, :test_attr => 1),
662
- :object => MockDataObject.new(:test_attr => 2))
663
- # object < user && object = control -> pass
664
- assert engine.permit?(:test, :context => :permissions,
665
- :user => MockUser.new(:test_role, :test_attr => 4),
666
- :object => MockDataObject.new(:test_attr => 3))
667
- # object = user -> fail
668
- assert((not(engine.permit?(:test, :context => :permissions,
669
- :user => MockUser.new(:test_role, :test_attr => 1),
670
- :object => MockDataObject.new(:test_attr => 1)))))
671
- # object < user -> fail
672
- assert((not(engine.permit?(:test, :context => :permissions,
673
- :user => MockUser.new(:test_role, :test_attr => 2),
674
- :object => MockDataObject.new(:test_attr => 1)))))
675
- end
676
-
677
- def test_attribute_gte
678
- reader = Authorization::Reader::DSLReader.new
679
- reader.parse %|
680
- authorization do
681
- role :test_role do
682
- has_permission_on :permissions, :to => :test do
683
- if_attribute :test_attr => gte { user.test_attr }
684
- if_attribute :test_attr => 3
685
- end
686
- end
687
- end
688
- |
689
- engine = Authorization::Engine.new(reader)
690
- # object > user -> pass
691
- assert engine.permit?(:test, :context => :permissions,
692
- :user => MockUser.new(:test_role, :test_attr => 1),
693
- :object => MockDataObject.new(:test_attr => 2))
694
- # object < user && object = control -> pass
695
- assert engine.permit?(:test, :context => :permissions,
696
- :user => MockUser.new(:test_role, :test_attr => 4),
697
- :object => MockDataObject.new(:test_attr => 3))
698
- # object = user -> pass
699
- assert engine.permit?(:test, :context => :permissions,
700
- :user => MockUser.new(:test_role, :test_attr => 1),
701
- :object => MockDataObject.new(:test_attr => 1))
702
- # object < user -> fail
703
- assert((not(engine.permit?(:test, :context => :permissions,
704
- :user => MockUser.new(:test_role, :test_attr => 2),
705
- :object => MockDataObject.new(:test_attr => 1)))))
706
- end
707
-
708
- def test_attribute_deep
709
- reader = Authorization::Reader::DSLReader.new
710
- reader.parse %|
711
- authorization do
712
- role :test_role do
713
- has_permission_on :permissions, :to => :test do
714
- if_attribute :test_attr_1 => {:test_attr_2 => contains { 1 }}
715
- end
716
- end
717
- end
718
- |
719
- engine = Authorization::Engine.new(reader)
720
- assert engine.permit?(:test, :context => :permissions,
721
- :user => MockUser.new(:test_role),
722
- :object => MockDataObject.new(:test_attr_1 =>
723
- MockDataObject.new(:test_attr_2 => [1,2])))
724
- assert !engine.permit?(:test, :context => :permissions,
725
- :user => MockUser.new(:test_role),
726
- :object => MockDataObject.new(:test_attr_1 =>
727
- MockDataObject.new(:test_attr_2 => [3,4])))
728
- assert_equal [{:test_attr_1 => {:test_attr_2 => [:contains, 1]}}],
729
- engine.obligations(:test, :context => :permissions,
730
- :user => MockUser.new(:test_role))
731
- end
732
-
733
- def test_attribute_has_many
734
- reader = Authorization::Reader::DSLReader.new
735
- reader.parse %|
736
- authorization do
737
- role :test_role do
738
- has_permission_on :companies, :to => :read do
739
- if_attribute :branches => {:city => is { user.city } }
740
- end
741
- end
742
- end
743
- |
744
- engine = Authorization::Engine.new(reader)
745
-
746
- company = MockDataObject.new(:branches => [
747
- MockDataObject.new(:city => 'Barcelona'),
748
- MockDataObject.new(:city => 'Paris')
749
- ])
750
- assert engine.permit!(:read, :context => :companies,
751
- :user => MockUser.new(:test_role, :city => 'Paris'),
752
- :object => company)
753
- assert !engine.permit?(:read, :context => :companies,
754
- :user => MockUser.new(:test_role, :city => 'London'),
755
- :object => company)
756
- end
757
-
758
- def test_attribute_non_block
759
- reader = Authorization::Reader::DSLReader.new
760
- reader.parse %|
761
- authorization do
762
- role :test_role do
763
- has_permission_on :permissions, :to => :test do
764
- if_attribute :test_attr => 1
765
- end
766
- end
767
- end
768
- |
769
- engine = Authorization::Engine.new(reader)
770
- assert engine.permit?(:test, :context => :permissions,
771
- :user => MockUser.new(:test_role),
772
- :object => MockDataObject.new(:test_attr => 1))
773
- assert !engine.permit?(:test, :context => :permissions,
774
- :user => MockUser.new(:test_role),
775
- :object => MockDataObject.new(:test_attr => 2))
776
- end
777
-
778
- def test_attribute_multiple
779
- reader = Authorization::Reader::DSLReader.new
780
- reader.parse %{
781
- authorization do
782
- role :test_role do
783
- has_permission_on :permissions, :to => :test do
784
- if_attribute :test_attr => 1
785
- if_attribute :test_attr => 2 # or
786
- end
787
- end
788
- end
789
- }
790
- engine = Authorization::Engine.new(reader)
791
- assert engine.permit?(:test, :context => :permissions,
792
- :user => MockUser.new(:test_role),
793
- :object => MockDataObject.new(:test_attr => 1))
794
- assert engine.permit?(:test, :context => :permissions,
795
- :user => MockUser.new(:test_role),
796
- :object => MockDataObject.new(:test_attr => 2))
797
- end
798
-
799
- class PermissionMock < MockDataObject
800
- def self.name
801
- "Permission"
802
- end
803
- end
804
- def test_attribute_with_permissions
805
- reader = Authorization::Reader::DSLReader.new
806
- reader.parse %{
807
- authorization do
808
- role :test_role do
809
- has_permission_on :permissions, :to => :test do
810
- if_attribute :test_attr => 1
811
- end
812
- has_permission_on :permission_children, :to => :test do
813
- if_permitted_to :test, :permission
814
- end
815
- end
816
- end
817
- }
818
- engine = Authorization::Engine.new(reader)
819
-
820
- perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
821
- perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
822
- assert engine.permit?(:test, :context => :permission_children,
823
- :user => MockUser.new(:test_role),
824
- :object => MockDataObject.new(:permission => perm_data_attr_1))
825
- assert !engine.permit?(:test, :context => :permission_children,
826
- :user => MockUser.new(:test_role),
827
- :object => MockDataObject.new(:permission => perm_data_attr_2))
828
- end
829
-
830
- def test_attribute_with_has_many_permissions
831
- reader = Authorization::Reader::DSLReader.new
832
- reader.parse %{
833
- authorization do
834
- role :test_role do
835
- has_permission_on :permissions, :to => :test do
836
- if_attribute :test_attr => 1
837
- end
838
- has_permission_on :permission_children, :to => :test do
839
- if_permitted_to :test, :permissions
840
- end
841
- end
842
- end
843
- }
844
- engine = Authorization::Engine.new(reader)
845
-
846
- perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
847
- perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
848
- assert engine.permit?(:test, :context => :permission_children,
849
- :user => MockUser.new(:test_role),
850
- :object => MockDataObject.new(:permissions => [perm_data_attr_1]))
851
- assert !engine.permit?(:test, :context => :permission_children,
852
- :user => MockUser.new(:test_role),
853
- :object => MockDataObject.new(:permissions => [perm_data_attr_2]))
854
- end
855
-
856
- def test_attribute_with_deep_permissions
857
- reader = Authorization::Reader::DSLReader.new
858
- reader.parse %{
859
- authorization do
860
- role :test_role do
861
- has_permission_on :permissions, :to => :test do
862
- if_attribute :test_attr => 1
863
- end
864
- has_permission_on :permission_children, :to => :test do
865
- if_permitted_to :test, :shallow_permission => :permission
866
- end
867
- end
868
- end
869
- }
870
- engine = Authorization::Engine.new(reader)
871
-
872
- perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
873
- perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
874
- assert engine.permit?(:test, :context => :permission_children,
875
- :user => MockUser.new(:test_role),
876
- :object => MockDataObject.new(:shallow_permission =>
877
- MockDataObject.new(:permission => perm_data_attr_1)))
878
- assert !engine.permit?(:test, :context => :permission_children,
879
- :user => MockUser.new(:test_role),
880
- :object => MockDataObject.new(:shallow_permission =>
881
- MockDataObject.new(:permission => perm_data_attr_2)))
882
- end
883
-
884
- def test_attribute_with_deep_has_many_permissions
885
- reader = Authorization::Reader::DSLReader.new
886
- reader.parse %{
887
- authorization do
888
- role :test_role do
889
- has_permission_on :permissions, :to => :test do
890
- if_attribute :test_attr => 1
891
- end
892
- has_permission_on :permission_children, :to => :test do
893
- if_permitted_to :test, :shallow_permissions => :permission
894
- end
895
- end
896
- end
897
- }
898
- engine = Authorization::Engine.new(reader)
899
-
900
- perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
901
- perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
902
- assert engine.permit?(:test, :context => :permission_children,
903
- :user => MockUser.new(:test_role),
904
- :object => MockDataObject.new(:shallow_permissions =>
905
- [MockDataObject.new(:permission => perm_data_attr_1)]))
906
- assert !engine.permit?(:test, :context => :permission_children,
907
- :user => MockUser.new(:test_role),
908
- :object => MockDataObject.new(:shallow_permissions =>
909
- [MockDataObject.new(:permission => perm_data_attr_2)]))
910
- end
911
-
912
- def test_attribute_with_permissions_nil
913
- reader = Authorization::Reader::DSLReader.new
914
- reader.parse %{
915
- authorization do
916
- role :test_role do
917
- has_permission_on :permissions, :to => :test do
918
- if_attribute :test_attr => 1
919
- end
920
- has_permission_on :permission_children, :to => :test do
921
- if_permitted_to :test, :permission
922
- end
923
- end
924
- end
925
- }
926
- engine = Authorization::Engine.new(reader)
927
-
928
- engine.permit?(:test, :context => :permission_children,
929
- :user => MockUser.new(:test_role),
930
- :object => MockDataObject.new(:permission => nil))
931
-
932
- assert !engine.permit?(:test, :context => :permission_children,
933
- :user => MockUser.new(:test_role),
934
- :object => MockDataObject.new(:permission => nil))
935
- end
936
-
937
- def test_attribute_with_permissions_on_self
938
- reader = Authorization::Reader::DSLReader.new
939
- reader.parse %{
940
- authorization do
941
- role :test_role do
942
- has_permission_on :permissions, :to => :test do
943
- if_attribute :test_attr => 1
944
- end
945
- has_permission_on :permissions, :to => :another_test do
946
- if_permitted_to :test
947
- end
948
- end
949
- end
950
- }
951
- engine = Authorization::Engine.new(reader)
952
-
953
- perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
954
- perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
955
- assert engine.permit?(:another_test, :context => :permissions,
956
- :user => MockUser.new(:test_role),
957
- :object => perm_data_attr_1)
958
- assert !engine.permit?(:another_test, :context => :permissions,
959
- :user => MockUser.new(:test_role),
960
- :object => perm_data_attr_2)
961
- end
962
-
963
- def test_attribute_with_permissions_on_self_with_context
964
- reader = Authorization::Reader::DSLReader.new
965
- reader.parse %{
966
- authorization do
967
- role :test_role do
968
- has_permission_on :permissions, :to => :test do
969
- if_attribute :test_attr => 1
970
- end
971
- has_permission_on :permissions, :to => :another_test do
972
- if_permitted_to :test, :context => :permissions
973
- end
974
- end
975
- end
976
- }
977
- engine = Authorization::Engine.new(reader)
978
-
979
- perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
980
- perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
981
- assert engine.permit?(:another_test, :context => :permissions,
982
- :user => MockUser.new(:test_role),
983
- :object => perm_data_attr_1)
984
- assert !engine.permit?(:another_test, :context => :permissions,
985
- :user => MockUser.new(:test_role),
986
- :object => perm_data_attr_2)
987
- end
988
-
989
- def test_attribute_with_permissions_and_anded_rules
990
- reader = Authorization::Reader::DSLReader.new
991
- reader.parse %{
992
- authorization do
993
- role :test_role do
994
- has_permission_on :permissions, :to => :test do
995
- if_attribute :test_attr => 1
996
- end
997
- has_permission_on :permission_children, :to => :test, :join_by => :and do
998
- if_permitted_to :test, :permission
999
- if_attribute :test_attr => 1
1000
- end
1001
- end
1002
- end
1003
- }
1004
- engine = Authorization::Engine.new(reader)
1005
-
1006
- perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
1007
- perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
1008
- assert engine.permit?(:test, :context => :permission_children,
1009
- :user => MockUser.new(:test_role),
1010
- :object => MockDataObject.new(:permission => perm_data_attr_1, :test_attr => 1))
1011
- assert !engine.permit?(:test, :context => :permission_children,
1012
- :user => MockUser.new(:test_role),
1013
- :object => MockDataObject.new(:permission => perm_data_attr_2, :test_attr => 1))
1014
- assert !engine.permit?(:test, :context => :permission_children,
1015
- :user => MockUser.new(:test_role),
1016
- :object => MockDataObject.new(:permission => perm_data_attr_1, :test_attr => 2))
1017
- end
1018
-
1019
- def test_attribute_with_anded_rules
1020
- reader = Authorization::Reader::DSLReader.new
1021
- reader.parse %{
1022
- authorization do
1023
- role :test_role do
1024
- has_permission_on :permissions, :to => :test, :join_by => :and do
1025
- if_attribute :test_attr => 1
1026
- if_attribute :test_attr_2 => 2
1027
- end
1028
- end
1029
- end
1030
- }
1031
- engine = Authorization::Engine.new(reader)
1032
-
1033
- assert engine.permit?(:test, :context => :permissions,
1034
- :user => MockUser.new(:test_role),
1035
- :object => MockDataObject.new(:test_attr => 1, :test_attr_2 => 2))
1036
- assert !engine.permit?(:test, :context => :permissions,
1037
- :user => MockUser.new(:test_role),
1038
- :object => MockDataObject.new(:test_attr => 1, :test_attr_2 => 3))
1039
- end
1040
-
1041
- def test_raise_on_if_attribute_hash_on_collection
1042
- reader = Authorization::Reader::DSLReader.new
1043
- reader.parse %{
1044
- authorization do
1045
- role :test_role do
1046
- has_permission_on :permissions, :to => :test do
1047
- if_attribute :test_attrs => {:attr => is {1}}
1048
- end
1049
- end
1050
- end
1051
- }
1052
- engine = Authorization::Engine.new(reader)
1053
- assert_raise Authorization::AuthorizationUsageError do
1054
- engine.permit?(:test, :context => :permissions,
1055
- :user => MockUser.new(:test_role),
1056
- :object => MockDataObject.new(:test_attrs => [1, 2, 3]))
1057
- end
1058
- end
1059
-
1060
- def test_role_title_description
1061
- reader = Authorization::Reader::DSLReader.new
1062
- reader.parse %{
1063
- authorization do
1064
- role :test_role, :title => 'Test Role' do
1065
- description "Test Role Description"
1066
- end
1067
- end
1068
- }
1069
- engine = Authorization::Engine.new(reader)
1070
- assert engine.roles.include?(:test_role)
1071
- assert_equal "Test Role", engine.role_titles[:test_role]
1072
- assert_equal "Test Role", engine.title_for(:test_role)
1073
- assert_nil engine.title_for(:test_role_2)
1074
- assert_equal "Test Role Description", engine.role_descriptions[:test_role]
1075
- assert_equal "Test Role Description", engine.description_for(:test_role)
1076
- assert_nil engine.description_for(:test_role_2)
1077
- end
1078
-
1079
- def test_multithread
1080
- reader = Authorization::Reader::DSLReader.new
1081
- reader.parse %{
1082
- authorization do
1083
- role :test_role do
1084
- has_permission_on :permissions, :to => :test
1085
- end
1086
- end
1087
- }
1088
-
1089
- engine = Authorization::Engine.new(reader)
1090
- Authorization.stub :current_user, MockUser.new(:test_role) do
1091
- assert engine.permit?(:test, :context => :permissions)
1092
- Thread.new do
1093
- Authorization.current_user = MockUser.new(:test_role2)
1094
- assert !engine.permit?(:test, :context => :permissions)
1095
- end
1096
- assert engine.permit?(:test, :context => :permissions)
1097
- end
1098
- end
1099
-
1100
- def test_clone
1101
- reader = Authorization::Reader::DSLReader.new
1102
- reader.parse %{
1103
- authorization do
1104
- role :test_role do
1105
- has_permission_on :permissions, :to => :test do
1106
- if_attribute :attr => { :sub_attr => is { user } }
1107
- if_permitted_to :read, :attr_2 => :attr_3
1108
- if_permitted_to :read, :attr_2
1109
- end
1110
- end
1111
- end
1112
- }
1113
-
1114
- engine = Authorization::Engine.new(reader)
1115
- cloned_engine = engine.clone
1116
- assert_not_equal engine.auth_rules.first.contexts.object_id,
1117
- cloned_engine.auth_rules.first.contexts.object_id
1118
- assert_not_equal engine.auth_rules.first.attributes.first.send(:instance_variable_get, :@conditions_hash)[:attr].object_id,
1119
- cloned_engine.auth_rules.first.attributes.first.send(:instance_variable_get, :@conditions_hash)[:attr].object_id
1120
- end
1121
- end
1
+ require 'test_helper'
2
+
3
+ class AuthorizationTest < Test::Unit::TestCase
4
+
5
+ def test_permit
6
+ reader = Authorization::Reader::DSLReader.new
7
+ reader.parse %{
8
+ authorization do
9
+ role :test_role do
10
+ has_permission_on :permissions, :to => :test
11
+ end
12
+ end
13
+ }
14
+ engine = Authorization::Engine.new(reader)
15
+ assert engine.permit?(:test, :context => :permissions,
16
+ :user => MockUser.new(:test_role, :test_role_2))
17
+ assert !engine.permit?(:test_2, :context => :permissions_2,
18
+ :user => MockUser.new(:test_role))
19
+ assert !engine.permit?(:test, :context => :permissions,
20
+ :user => MockUser.new(:test_role_2))
21
+ end
22
+
23
+ def test_permit_context_people
24
+ reader = Authorization::Reader::DSLReader.new
25
+ reader.parse %{
26
+ authorization do
27
+ role :test_role do
28
+ has_permission_on :people, :to => :test
29
+ end
30
+ end
31
+ }
32
+ engine = Authorization::Engine.new(reader)
33
+ assert engine.permit?(:test, :context => :people,
34
+ :user => MockUser.new(:test_role))
35
+ end
36
+
37
+ def test_permit_with_has_omnipotence
38
+ reader = Authorization::Reader::DSLReader.new
39
+ reader.parse %{
40
+ authorization do
41
+ role :admin do
42
+ has_omnipotence
43
+ end
44
+ end
45
+ }
46
+ engine = Authorization::Engine.new(reader)
47
+ assert engine.permit?(:test, :context => :people,
48
+ :user => MockUser.new(:admin))
49
+ end
50
+
51
+ def test_permit_multiple_contexts
52
+ reader = Authorization::Reader::DSLReader.new
53
+ reader.parse %{
54
+ authorization do
55
+ role :test_role do
56
+ has_permission_on [:permissions, :permissions_2], :to => :test
57
+ has_permission_on :permissions_4, :permissions_5, :to => :test
58
+ end
59
+ end
60
+ }
61
+ engine = Authorization::Engine.new(reader)
62
+ assert engine.permit?(:test, :context => :permissions,
63
+ :user => MockUser.new(:test_role))
64
+ assert engine.permit?(:test, :context => :permissions_2,
65
+ :user => MockUser.new(:test_role))
66
+ assert !engine.permit?(:test, :context => :permissions_3,
67
+ :user => MockUser.new(:test_role))
68
+
69
+ assert engine.permit?(:test, :context => :permissions_4, :user => MockUser.new(:test_role))
70
+ assert engine.permit?(:test, :context => :permissions_5, :user => MockUser.new(:test_role))
71
+ end
72
+
73
+ def test_permit_with_frozen_roles
74
+ reader = Authorization::Reader::DSLReader.new
75
+ reader.parse %{
76
+ authorization do
77
+ role :other_role do
78
+ includes :test_role
79
+ end
80
+ role :test_role do
81
+ has_permission_on :permissions, :to => :test
82
+ end
83
+ end
84
+ }
85
+ engine = Authorization::Engine.new(reader)
86
+ roles = [:other_role].freeze
87
+ assert engine.permit?(:test, :context => :permissions,
88
+ :user => MockUser.new(:role_symbols => roles))
89
+ end
90
+
91
+ def test_obligations_without_conditions
92
+ reader = Authorization::Reader::DSLReader.new
93
+ reader.parse %{
94
+ authorization do
95
+ role :test_role do
96
+ has_permission_on :permissions, :to => :test
97
+ end
98
+ end
99
+ }
100
+ engine = Authorization::Engine.new(reader)
101
+ assert_equal [{}], engine.obligations(:test, :context => :permissions,
102
+ :user => MockUser.new(:test_role))
103
+ end
104
+
105
+ def test_obligations_with_conditions
106
+ reader = Authorization::Reader::DSLReader.new
107
+ reader.parse %{
108
+ authorization do
109
+ role :test_role do
110
+ has_permission_on :permissions, :to => :test do
111
+ if_attribute :attr => is { user.attr }
112
+ end
113
+ end
114
+ end
115
+ }
116
+ engine = Authorization::Engine.new(reader)
117
+ assert_equal [{:attr => [:is, 1]}],
118
+ engine.obligations(:test, :context => :permissions,
119
+ :user => MockUser.new(:test_role, :attr => 1))
120
+ end
121
+
122
+ def test_obligations_with_omnipotence
123
+ reader = Authorization::Reader::DSLReader.new
124
+ reader.parse %{
125
+ authorization do
126
+ role :admin do
127
+ has_omnipotence
128
+ end
129
+ role :test_role do
130
+ has_permission_on :permissions, :to => :test do
131
+ if_attribute :attr => is { user.attr }
132
+ end
133
+ end
134
+ end
135
+ }
136
+ engine = Authorization::Engine.new(reader)
137
+ assert_equal [],
138
+ engine.obligations(:test, :context => :permissions,
139
+ :user => MockUser.new(:test_role, :admin, :attr => 1))
140
+ end
141
+
142
+ def test_obligations_with_anded_conditions
143
+ reader = Authorization::Reader::DSLReader.new
144
+ reader.parse %{
145
+ authorization do
146
+ role :test_role do
147
+ has_permission_on :permissions, :to => :test, :join_by => :and do
148
+ if_attribute :attr => is { user.attr }
149
+ if_attribute :attr_2 => is { user.attr_2 }
150
+ end
151
+ end
152
+ end
153
+ }
154
+ engine = Authorization::Engine.new(reader)
155
+ assert_equal [{:attr => [:is, 1], :attr_2 => [:is, 2]}],
156
+ engine.obligations(:test, :context => :permissions,
157
+ :user => MockUser.new(:test_role, :attr => 1, :attr_2 => 2))
158
+ end
159
+
160
+ def test_obligations_with_deep_anded_conditions
161
+ reader = Authorization::Reader::DSLReader.new
162
+ reader.parse %{
163
+ authorization do
164
+ role :test_role do
165
+ has_permission_on :permissions, :to => :test, :join_by => :and do
166
+ if_attribute :attr => { :deeper_attr => is { user.deeper_attr }}
167
+ if_attribute :attr => { :deeper_attr_2 => is { user.deeper_attr_2 }}
168
+ end
169
+ end
170
+ end
171
+ }
172
+ engine = Authorization::Engine.new(reader)
173
+ assert_equal [{:attr => { :deeper_attr => [:is, 1], :deeper_attr_2 => [:is, 2] } }],
174
+ engine.obligations(:test, :context => :permissions,
175
+ :user => MockUser.new(:test_role, :deeper_attr => 1, :deeper_attr_2 => 2))
176
+ end
177
+
178
+ def test_obligations_with_has_many
179
+ reader = Authorization::Reader::DSLReader.new
180
+ reader.parse %{
181
+ authorization do
182
+ role :test_role do
183
+ has_permission_on :permissions, :to => :test do
184
+ if_attribute :attrs => { :deeper_attr => is { user.deeper_attr } }
185
+ end
186
+ end
187
+ end
188
+ }
189
+ engine = Authorization::Engine.new(reader)
190
+ assert_equal [{:attrs => {:deeper_attr => [:is, 1]}}],
191
+ engine.obligations(:test, :context => :permissions,
192
+ :user => MockUser.new(:test_role, :deeper_attr => 1))
193
+ end
194
+
195
+ def test_obligations_with_conditions_and_empty
196
+ reader = Authorization::Reader::DSLReader.new
197
+ reader.parse %{
198
+ authorization do
199
+ role :test_role do
200
+ has_permission_on :permissions, :to => :test
201
+ has_permission_on :permissions, :to => :test do
202
+ if_attribute :attr => is { user.attr }
203
+ end
204
+ end
205
+ end
206
+ }
207
+ engine = Authorization::Engine.new(reader)
208
+ assert_equal [{}, {:attr => [:is, 1]}],
209
+ engine.obligations(:test, :context => :permissions,
210
+ :user => MockUser.new(:test_role, :attr => 1))
211
+ end
212
+
213
+ def test_obligations_with_permissions
214
+ reader = Authorization::Reader::DSLReader.new
215
+ reader.parse %{
216
+ authorization do
217
+ role :test_role do
218
+ has_permission_on :permissions, :to => :test do
219
+ if_attribute :attr => is { user.attr }
220
+ end
221
+ has_permission_on :permission_children, :to => :test do
222
+ if_permitted_to :test, :permission, :context => :permissions
223
+ end
224
+ has_permission_on :permission_children_2, :to => :test do
225
+ if_permitted_to :test, :permission
226
+ end
227
+ has_permission_on :permission_children_children, :to => :test do
228
+ if_permitted_to :test, :permission_child => :permission,
229
+ :context => :permissions
230
+ end
231
+ end
232
+ end
233
+ }
234
+ engine = Authorization::Engine.new(reader)
235
+ assert_equal [{:permission => {:attr => [:is, 1]}}],
236
+ engine.obligations(:test, :context => :permission_children,
237
+ :user => MockUser.new(:test_role, :attr => 1))
238
+ assert_equal [{:permission => {:attr => [:is, 1]}}],
239
+ engine.obligations(:test, :context => :permission_children_2,
240
+ :user => MockUser.new(:test_role, :attr => 1))
241
+ assert_equal [{:permission_child => {:permission => {:attr => [:is, 1]}}}],
242
+ engine.obligations(:test, :context => :permission_children_children,
243
+ :user => MockUser.new(:test_role, :attr => 1))
244
+ end
245
+
246
+ def test_obligations_with_has_many_permissions
247
+ reader = Authorization::Reader::DSLReader.new
248
+ reader.parse %{
249
+ authorization do
250
+ role :test_role do
251
+ has_permission_on :permissions, :to => :test do
252
+ if_attribute :attr => is { user.attr }
253
+ end
254
+ has_permission_on :permission_children, :to => :test do
255
+ if_permitted_to :test, :permissions, :context => :permissions
256
+ end
257
+ has_permission_on :permission_children_2, :to => :test do
258
+ if_permitted_to :test, :permissions
259
+ end
260
+ has_permission_on :permission_children_children, :to => :test do
261
+ if_permitted_to :test, :permission_child => :permissions,
262
+ :context => :permissions
263
+ end
264
+ end
265
+ end
266
+ }
267
+ engine = Authorization::Engine.new(reader)
268
+ assert_equal [{:permissions => {:attr => [:is, 1]}}],
269
+ engine.obligations(:test, :context => :permission_children,
270
+ :user => MockUser.new(:test_role, :attr => 1))
271
+ assert_equal [{:permissions => {:attr => [:is, 1]}}],
272
+ engine.obligations(:test, :context => :permission_children_2,
273
+ :user => MockUser.new(:test_role, :attr => 1))
274
+ assert_equal [{:permission_child => {:permissions => {:attr => [:is, 1]}}}],
275
+ engine.obligations(:test, :context => :permission_children_children,
276
+ :user => MockUser.new(:test_role, :attr => 1))
277
+ end
278
+
279
+ def test_obligations_with_permissions_multiple
280
+ reader = Authorization::Reader::DSLReader.new
281
+ reader.parse %{
282
+ authorization do
283
+ role :test_role do
284
+ has_permission_on :permissions, :to => :test do
285
+ if_attribute :attr => is { 1 }
286
+ if_attribute :attr => is { 2 }
287
+ end
288
+ has_permission_on :permission_children_children, :to => :test do
289
+ if_permitted_to :test, :permission_child => :permission
290
+ end
291
+ end
292
+ end
293
+ }
294
+ engine = Authorization::Engine.new(reader)
295
+ assert_equal [{:permission_child => {:permission => {:attr => [:is, 1]}}},
296
+ {:permission_child => {:permission => {:attr => [:is, 2]}}}],
297
+ engine.obligations(:test, :context => :permission_children_children,
298
+ :user => MockUser.new(:test_role))
299
+ end
300
+
301
+ def test_obligations_with_permissions_and_anded_conditions
302
+ reader = Authorization::Reader::DSLReader.new
303
+ reader.parse %{
304
+ authorization do
305
+ role :test_role do
306
+ has_permission_on :permission_children, :to => :test, :join_by => :and do
307
+ if_permitted_to :test, :permission
308
+ if_attribute :test_attr => 1
309
+ end
310
+ has_permission_on :permissions, :to => :test do
311
+ if_attribute :test_attr => 1
312
+ end
313
+ end
314
+ end
315
+ }
316
+ engine = Authorization::Engine.new(reader)
317
+
318
+ assert_equal [{:test_attr => [:is, 1], :permission => {:test_attr => [:is, 1]}}],
319
+ engine.obligations(:test, :context => :permission_children,
320
+ :user => MockUser.new(:test_role))
321
+ end
322
+
323
+ def test_guest_user
324
+ reader = Authorization::Reader::DSLReader.new
325
+ reader.parse %{
326
+ authorization do
327
+ role :guest do
328
+ has_permission_on :permissions, :to => :test
329
+ end
330
+ end
331
+ }
332
+ engine = Authorization::Engine.new(reader)
333
+ Authorization.stub :current_user, MockUser.new do
334
+ assert engine.permit?(:test, :context => :permissions)
335
+ assert !engine.permit?(:test, :context => :permissions_2)
336
+ end
337
+ end
338
+
339
+ def test_default_role
340
+ reader = Authorization::Reader::DSLReader.new
341
+ reader.parse %{
342
+ authorization do
343
+ role :anonymous do
344
+ has_permission_on :permissions, :to => :test
345
+ end
346
+ end
347
+ }
348
+ Authorization.stub :default_role, :anonymous do
349
+ engine = Authorization::Engine.new(reader)
350
+ Authorization.stub :current_user, MockUser.new do
351
+ assert engine.permit?(:test, :context => :permissions)
352
+ end
353
+ assert !engine.permit?(:test, :context => :permissions,
354
+ :user => MockUser.new(:guest))
355
+ end
356
+ end
357
+
358
+ def test_invalid_user_model
359
+ reader = Authorization::Reader::DSLReader.new
360
+ reader.parse %{
361
+ authorization do
362
+ role :guest do
363
+ has_permission_on :permissions, :to => :test
364
+ end
365
+ end
366
+ }
367
+ engine = Authorization::Engine.new(reader)
368
+ assert_raise(Authorization::AuthorizationUsageError) do
369
+ engine.permit?(:test, :context => :permissions, :user => MockUser.new(1, 2))
370
+ end
371
+ assert_raise(Authorization::AuthorizationUsageError) do
372
+ engine.permit?(:test, :context => :permissions, :user => MockDataObject.new)
373
+ end
374
+ end
375
+
376
+ def test_role_hierarchy
377
+ reader = Authorization::Reader::DSLReader.new
378
+ reader.parse %{
379
+ authorization do
380
+ role :test_role do
381
+ includes :lower_role
382
+ has_permission_on :permissions, :to => :test
383
+ end
384
+ role :lower_role do
385
+ has_permission_on :permissions, :to => :lower
386
+ end
387
+ end
388
+ }
389
+ engine = Authorization::Engine.new(reader)
390
+ assert engine.permit?(:lower, :context => :permissions,
391
+ :user => MockUser.new(:test_role))
392
+ end
393
+
394
+ def test_role_hierarchy_infinity
395
+ reader = Authorization::Reader::DSLReader.new
396
+ reader.parse %{
397
+ authorization do
398
+ role :test_role do
399
+ includes :lower_role
400
+ has_permission_on :permissions, :to => :test
401
+ end
402
+ role :lower_role do
403
+ includes :higher_role
404
+ has_permission_on :permissions, :to => :lower
405
+ end
406
+ end
407
+ }
408
+ engine = Authorization::Engine.new(reader)
409
+ assert engine.permit?(:lower, :context => :permissions,
410
+ :user => MockUser.new(:test_role))
411
+ end
412
+
413
+ def test_privilege_hierarchy
414
+ reader = Authorization::Reader::DSLReader.new
415
+ reader.parse %{
416
+ privileges do
417
+ privilege :test, :permissions do
418
+ includes :lower
419
+ end
420
+ end
421
+ authorization do
422
+ role :test_role do
423
+ has_permission_on :permissions, :to => :test
424
+ end
425
+ end
426
+ }
427
+ engine = Authorization::Engine.new(reader)
428
+ assert engine.permit?(:lower, :context => :permissions,
429
+ :user => MockUser.new(:test_role))
430
+ end
431
+
432
+ def test_privilege_hierarchy_without_context
433
+ reader = Authorization::Reader::DSLReader.new
434
+ reader.parse %{
435
+ privileges do
436
+ privilege :read do
437
+ includes :list, :show
438
+ end
439
+ end
440
+ authorization do
441
+ role :test_role do
442
+ has_permission_on :permissions, :to => :read
443
+ end
444
+ end
445
+ }
446
+ engine = Authorization::Engine.new(reader)
447
+ assert engine.permit?(:list, :context => :permissions,
448
+ :user => MockUser.new(:test_role))
449
+ end
450
+
451
+ def test_attribute_is
452
+ reader = Authorization::Reader::DSLReader.new
453
+ reader.parse %|
454
+ authorization do
455
+ role :test_role do
456
+ has_permission_on :permissions, :to => :test do
457
+ if_attribute :test_attr => is { user.test_attr }
458
+ if_attribute :test_attr => 3
459
+ end
460
+ end
461
+ end
462
+ |
463
+ engine = Authorization::Engine.new(reader)
464
+ assert engine.permit?(:test, :context => :permissions,
465
+ :user => MockUser.new(:test_role, :test_attr => 1),
466
+ :object => MockDataObject.new(:test_attr => 1))
467
+ assert engine.permit?(:test, :context => :permissions,
468
+ :user => MockUser.new(:test_role, :test_attr => 2),
469
+ :object => MockDataObject.new(:test_attr => 3))
470
+ assert((not(engine.permit?(:test, :context => :permissions,
471
+ :user => MockUser.new(:test_role, :test_attr => 2),
472
+ :object => MockDataObject.new(:test_attr => 1)))))
473
+ end
474
+
475
+ def test_attribute_is_not
476
+ reader = Authorization::Reader::DSLReader.new
477
+ reader.parse %|
478
+ authorization do
479
+ role :test_role do
480
+ has_permission_on :permissions, :to => :test do
481
+ if_attribute :test_attr => is_not { user.test_attr }
482
+ end
483
+ end
484
+ end
485
+ |
486
+ engine = Authorization::Engine.new(reader)
487
+ assert !engine.permit?(:test, :context => :permissions,
488
+ :user => MockUser.new(:test_role, :test_attr => 1),
489
+ :object => MockDataObject.new(:test_attr => 1))
490
+ assert engine.permit?(:test, :context => :permissions,
491
+ :user => MockUser.new(:test_role, :test_attr => 2),
492
+ :object => MockDataObject.new(:test_attr => 1))
493
+ end
494
+
495
+ def test_attribute_contains
496
+ reader = Authorization::Reader::DSLReader.new
497
+ reader.parse %|
498
+ authorization do
499
+ role :test_role do
500
+ has_permission_on :permissions, :to => :test do
501
+ if_attribute :test_attr => contains { user.test_attr }
502
+ end
503
+ end
504
+ end
505
+ |
506
+ engine = Authorization::Engine.new(reader)
507
+ assert engine.permit?(:test, :context => :permissions,
508
+ :user => MockUser.new(:test_role, :test_attr => 1),
509
+ :object => MockDataObject.new(:test_attr => [1,2]))
510
+ assert !engine.permit?(:test, :context => :permissions,
511
+ :user => MockUser.new(:test_role, :test_attr => 3),
512
+ :object => MockDataObject.new(:test_attr => [1,2]))
513
+ end
514
+
515
+ def test_attribute_does_not_contain
516
+ reader = Authorization::Reader::DSLReader.new
517
+ reader.parse %|
518
+ authorization do
519
+ role :test_role do
520
+ has_permission_on :permissions, :to => :test do
521
+ if_attribute :test_attr => does_not_contain { user.test_attr }
522
+ end
523
+ end
524
+ end
525
+ |
526
+ engine = Authorization::Engine.new(reader)
527
+ assert !engine.permit?(:test, :context => :permissions,
528
+ :user => MockUser.new(:test_role, :test_attr => 1),
529
+ :object => MockDataObject.new(:test_attr => [1,2]))
530
+ assert engine.permit?(:test, :context => :permissions,
531
+ :user => MockUser.new(:test_role, :test_attr => 3),
532
+ :object => MockDataObject.new(:test_attr => [1,2]))
533
+ end
534
+
535
+ def test_attribute_in_array
536
+ reader = Authorization::Reader::DSLReader.new
537
+ reader.parse %|
538
+ authorization do
539
+ role :test_role do
540
+ has_permission_on :permissions, :to => :test do
541
+ if_attribute :test_attr => is_in { [1,2] }
542
+ if_attribute :test_attr => [2,3]
543
+ end
544
+ end
545
+ end
546
+ |
547
+ engine = Authorization::Engine.new(reader)
548
+ assert engine.permit?(:test, :context => :permissions,
549
+ :user => MockUser.new(:test_role),
550
+ :object => MockDataObject.new(:test_attr => 1))
551
+ assert engine.permit?(:test, :context => :permissions,
552
+ :user => MockUser.new(:test_role),
553
+ :object => MockDataObject.new(:test_attr => 3))
554
+ assert !engine.permit?(:test, :context => :permissions,
555
+ :user => MockUser.new(:test_role),
556
+ :object => MockDataObject.new(:test_attr => 4))
557
+ end
558
+
559
+ def test_attribute_not_in_array
560
+ reader = Authorization::Reader::DSLReader.new
561
+ reader.parse %|
562
+ authorization do
563
+ role :test_role do
564
+ has_permission_on :permissions, :to => :test do
565
+ if_attribute :test_attr => is_not_in { [1,2] }
566
+ end
567
+ end
568
+ end
569
+ |
570
+ engine = Authorization::Engine.new(reader)
571
+ assert !engine.permit?(:test, :context => :permissions,
572
+ :user => MockUser.new(:test_role),
573
+ :object => MockDataObject.new(:test_attr => 1))
574
+ assert engine.permit?(:test, :context => :permissions,
575
+ :user => MockUser.new(:test_role),
576
+ :object => MockDataObject.new(:test_attr => 4))
577
+ end
578
+
579
+ def test_attribute_intersects_with
580
+ reader = Authorization::Reader::DSLReader.new
581
+ reader.parse %{
582
+ authorization do
583
+ role :test_role do
584
+ has_permission_on :permissions, :to => :test do
585
+ if_attribute :test_attrs => intersects_with { [1,2] }
586
+ end
587
+ end
588
+ role :test_role_2 do
589
+ has_permission_on :permissions, :to => :test do
590
+ if_attribute :test_attrs => intersects_with { 1 }
591
+ end
592
+ end
593
+ end
594
+ }
595
+
596
+ engine = Authorization::Engine.new(reader)
597
+ assert_raise Authorization::AuthorizationUsageError do
598
+ engine.permit?(:test, :context => :permissions,
599
+ :user => MockUser.new(:test_role),
600
+ :object => MockDataObject.new(:test_attrs => 1 ))
601
+ end
602
+ assert_raise Authorization::AuthorizationUsageError do
603
+ engine.permit?(:test, :context => :permissions,
604
+ :user => MockUser.new(:test_role_2),
605
+ :object => MockDataObject.new(:test_attrs => [1, 2] ))
606
+ end
607
+ assert engine.permit?(:test, :context => :permissions,
608
+ :user => MockUser.new(:test_role),
609
+ :object => MockDataObject.new(:test_attrs => [1,3] ))
610
+ assert !engine.permit?(:test, :context => :permissions,
611
+ :user => MockUser.new(:test_role),
612
+ :object => MockDataObject.new(:test_attrs => [3,4] ))
613
+ end
614
+
615
+ def test_attribute_lte
616
+ reader = Authorization::Reader::DSLReader.new
617
+ reader.parse %|
618
+ authorization do
619
+ role :test_role do
620
+ has_permission_on :permissions, :to => :test do
621
+ if_attribute :test_attr => lte { user.test_attr }
622
+ if_attribute :test_attr => 3
623
+ end
624
+ end
625
+ end
626
+ |
627
+ engine = Authorization::Engine.new(reader)
628
+ # object < user -> pass
629
+ assert engine.permit?(:test, :context => :permissions,
630
+ :user => MockUser.new(:test_role, :test_attr => 2),
631
+ :object => MockDataObject.new(:test_attr => 1))
632
+ # object > user && object = control -> pass
633
+ assert engine.permit?(:test, :context => :permissions,
634
+ :user => MockUser.new(:test_role, :test_attr => 2),
635
+ :object => MockDataObject.new(:test_attr => 3))
636
+ # object = user -> pass
637
+ assert engine.permit?(:test, :context => :permissions,
638
+ :user => MockUser.new(:test_role, :test_attr => 1),
639
+ :object => MockDataObject.new(:test_attr => 1))
640
+ # object > user -> fail
641
+ assert((not(engine.permit?(:test, :context => :permissions,
642
+ :user => MockUser.new(:test_role, :test_attr => 1),
643
+ :object => MockDataObject.new(:test_attr => 2)))))
644
+ end
645
+
646
+ def test_attribute_gt
647
+ reader = Authorization::Reader::DSLReader.new
648
+ reader.parse %|
649
+ authorization do
650
+ role :test_role do
651
+ has_permission_on :permissions, :to => :test do
652
+ if_attribute :test_attr => gt { user.test_attr }
653
+ if_attribute :test_attr => 3
654
+ end
655
+ end
656
+ end
657
+ |
658
+ engine = Authorization::Engine.new(reader)
659
+ # object > user -> pass
660
+ assert engine.permit?(:test, :context => :permissions,
661
+ :user => MockUser.new(:test_role, :test_attr => 1),
662
+ :object => MockDataObject.new(:test_attr => 2))
663
+ # object < user && object = control -> pass
664
+ assert engine.permit?(:test, :context => :permissions,
665
+ :user => MockUser.new(:test_role, :test_attr => 4),
666
+ :object => MockDataObject.new(:test_attr => 3))
667
+ # object = user -> fail
668
+ assert((not(engine.permit?(:test, :context => :permissions,
669
+ :user => MockUser.new(:test_role, :test_attr => 1),
670
+ :object => MockDataObject.new(:test_attr => 1)))))
671
+ # object < user -> fail
672
+ assert((not(engine.permit?(:test, :context => :permissions,
673
+ :user => MockUser.new(:test_role, :test_attr => 2),
674
+ :object => MockDataObject.new(:test_attr => 1)))))
675
+ end
676
+
677
+ def test_attribute_gte
678
+ reader = Authorization::Reader::DSLReader.new
679
+ reader.parse %|
680
+ authorization do
681
+ role :test_role do
682
+ has_permission_on :permissions, :to => :test do
683
+ if_attribute :test_attr => gte { user.test_attr }
684
+ if_attribute :test_attr => 3
685
+ end
686
+ end
687
+ end
688
+ |
689
+ engine = Authorization::Engine.new(reader)
690
+ # object > user -> pass
691
+ assert engine.permit?(:test, :context => :permissions,
692
+ :user => MockUser.new(:test_role, :test_attr => 1),
693
+ :object => MockDataObject.new(:test_attr => 2))
694
+ # object < user && object = control -> pass
695
+ assert engine.permit?(:test, :context => :permissions,
696
+ :user => MockUser.new(:test_role, :test_attr => 4),
697
+ :object => MockDataObject.new(:test_attr => 3))
698
+ # object = user -> pass
699
+ assert engine.permit?(:test, :context => :permissions,
700
+ :user => MockUser.new(:test_role, :test_attr => 1),
701
+ :object => MockDataObject.new(:test_attr => 1))
702
+ # object < user -> fail
703
+ assert((not(engine.permit?(:test, :context => :permissions,
704
+ :user => MockUser.new(:test_role, :test_attr => 2),
705
+ :object => MockDataObject.new(:test_attr => 1)))))
706
+ end
707
+
708
+ def test_attribute_deep
709
+ reader = Authorization::Reader::DSLReader.new
710
+ reader.parse %|
711
+ authorization do
712
+ role :test_role do
713
+ has_permission_on :permissions, :to => :test do
714
+ if_attribute :test_attr_1 => {:test_attr_2 => contains { 1 }}
715
+ end
716
+ end
717
+ end
718
+ |
719
+ engine = Authorization::Engine.new(reader)
720
+ assert engine.permit?(:test, :context => :permissions,
721
+ :user => MockUser.new(:test_role),
722
+ :object => MockDataObject.new(:test_attr_1 =>
723
+ MockDataObject.new(:test_attr_2 => [1,2])))
724
+ assert !engine.permit?(:test, :context => :permissions,
725
+ :user => MockUser.new(:test_role),
726
+ :object => MockDataObject.new(:test_attr_1 =>
727
+ MockDataObject.new(:test_attr_2 => [3,4])))
728
+ assert_equal [{:test_attr_1 => {:test_attr_2 => [:contains, 1]}}],
729
+ engine.obligations(:test, :context => :permissions,
730
+ :user => MockUser.new(:test_role))
731
+ end
732
+
733
+ def test_attribute_has_many
734
+ reader = Authorization::Reader::DSLReader.new
735
+ reader.parse %|
736
+ authorization do
737
+ role :test_role do
738
+ has_permission_on :companies, :to => :read do
739
+ if_attribute :branches => {:city => is { user.city } }
740
+ end
741
+ end
742
+ end
743
+ |
744
+ engine = Authorization::Engine.new(reader)
745
+
746
+ company = MockDataObject.new(:branches => [
747
+ MockDataObject.new(:city => 'Barcelona'),
748
+ MockDataObject.new(:city => 'Paris')
749
+ ])
750
+ assert engine.permit!(:read, :context => :companies,
751
+ :user => MockUser.new(:test_role, :city => 'Paris'),
752
+ :object => company)
753
+ assert !engine.permit?(:read, :context => :companies,
754
+ :user => MockUser.new(:test_role, :city => 'London'),
755
+ :object => company)
756
+ end
757
+
758
+ def test_attribute_non_block
759
+ reader = Authorization::Reader::DSLReader.new
760
+ reader.parse %|
761
+ authorization do
762
+ role :test_role do
763
+ has_permission_on :permissions, :to => :test do
764
+ if_attribute :test_attr => 1
765
+ end
766
+ end
767
+ end
768
+ |
769
+ engine = Authorization::Engine.new(reader)
770
+ assert engine.permit?(:test, :context => :permissions,
771
+ :user => MockUser.new(:test_role),
772
+ :object => MockDataObject.new(:test_attr => 1))
773
+ assert !engine.permit?(:test, :context => :permissions,
774
+ :user => MockUser.new(:test_role),
775
+ :object => MockDataObject.new(:test_attr => 2))
776
+ end
777
+
778
+ def test_attribute_multiple
779
+ reader = Authorization::Reader::DSLReader.new
780
+ reader.parse %{
781
+ authorization do
782
+ role :test_role do
783
+ has_permission_on :permissions, :to => :test do
784
+ if_attribute :test_attr => 1
785
+ if_attribute :test_attr => 2 # or
786
+ end
787
+ end
788
+ end
789
+ }
790
+ engine = Authorization::Engine.new(reader)
791
+ assert engine.permit?(:test, :context => :permissions,
792
+ :user => MockUser.new(:test_role),
793
+ :object => MockDataObject.new(:test_attr => 1))
794
+ assert engine.permit?(:test, :context => :permissions,
795
+ :user => MockUser.new(:test_role),
796
+ :object => MockDataObject.new(:test_attr => 2))
797
+ end
798
+
799
+ class PermissionMock < MockDataObject
800
+ def self.name
801
+ "Permission"
802
+ end
803
+ end
804
+ def test_attribute_with_permissions
805
+ reader = Authorization::Reader::DSLReader.new
806
+ reader.parse %{
807
+ authorization do
808
+ role :test_role do
809
+ has_permission_on :permissions, :to => :test do
810
+ if_attribute :test_attr => 1
811
+ end
812
+ has_permission_on :permission_children, :to => :test do
813
+ if_permitted_to :test, :permission
814
+ end
815
+ end
816
+ end
817
+ }
818
+ engine = Authorization::Engine.new(reader)
819
+
820
+ perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
821
+ perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
822
+ assert engine.permit?(:test, :context => :permission_children,
823
+ :user => MockUser.new(:test_role),
824
+ :object => MockDataObject.new(:permission => perm_data_attr_1))
825
+ assert !engine.permit?(:test, :context => :permission_children,
826
+ :user => MockUser.new(:test_role),
827
+ :object => MockDataObject.new(:permission => perm_data_attr_2))
828
+ end
829
+
830
+ def test_attribute_with_has_many_permissions
831
+ reader = Authorization::Reader::DSLReader.new
832
+ reader.parse %{
833
+ authorization do
834
+ role :test_role do
835
+ has_permission_on :permissions, :to => :test do
836
+ if_attribute :test_attr => 1
837
+ end
838
+ has_permission_on :permission_children, :to => :test do
839
+ if_permitted_to :test, :permissions
840
+ end
841
+ end
842
+ end
843
+ }
844
+ engine = Authorization::Engine.new(reader)
845
+
846
+ perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
847
+ perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
848
+ assert engine.permit?(:test, :context => :permission_children,
849
+ :user => MockUser.new(:test_role),
850
+ :object => MockDataObject.new(:permissions => [perm_data_attr_1]))
851
+ assert !engine.permit?(:test, :context => :permission_children,
852
+ :user => MockUser.new(:test_role),
853
+ :object => MockDataObject.new(:permissions => [perm_data_attr_2]))
854
+ end
855
+
856
+ def test_attribute_with_deep_permissions
857
+ reader = Authorization::Reader::DSLReader.new
858
+ reader.parse %{
859
+ authorization do
860
+ role :test_role do
861
+ has_permission_on :permissions, :to => :test do
862
+ if_attribute :test_attr => 1
863
+ end
864
+ has_permission_on :permission_children, :to => :test do
865
+ if_permitted_to :test, :shallow_permission => :permission
866
+ end
867
+ end
868
+ end
869
+ }
870
+ engine = Authorization::Engine.new(reader)
871
+
872
+ perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
873
+ perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
874
+ assert engine.permit?(:test, :context => :permission_children,
875
+ :user => MockUser.new(:test_role),
876
+ :object => MockDataObject.new(:shallow_permission =>
877
+ MockDataObject.new(:permission => perm_data_attr_1)))
878
+ assert !engine.permit?(:test, :context => :permission_children,
879
+ :user => MockUser.new(:test_role),
880
+ :object => MockDataObject.new(:shallow_permission =>
881
+ MockDataObject.new(:permission => perm_data_attr_2)))
882
+ end
883
+
884
+ def test_attribute_with_deep_has_many_permissions
885
+ reader = Authorization::Reader::DSLReader.new
886
+ reader.parse %{
887
+ authorization do
888
+ role :test_role do
889
+ has_permission_on :permissions, :to => :test do
890
+ if_attribute :test_attr => 1
891
+ end
892
+ has_permission_on :permission_children, :to => :test do
893
+ if_permitted_to :test, :shallow_permissions => :permission
894
+ end
895
+ end
896
+ end
897
+ }
898
+ engine = Authorization::Engine.new(reader)
899
+
900
+ perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
901
+ perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
902
+ assert engine.permit?(:test, :context => :permission_children,
903
+ :user => MockUser.new(:test_role),
904
+ :object => MockDataObject.new(:shallow_permissions =>
905
+ [MockDataObject.new(:permission => perm_data_attr_1)]))
906
+ assert !engine.permit?(:test, :context => :permission_children,
907
+ :user => MockUser.new(:test_role),
908
+ :object => MockDataObject.new(:shallow_permissions =>
909
+ [MockDataObject.new(:permission => perm_data_attr_2)]))
910
+ end
911
+
912
+ def test_attribute_with_permissions_nil
913
+ reader = Authorization::Reader::DSLReader.new
914
+ reader.parse %{
915
+ authorization do
916
+ role :test_role do
917
+ has_permission_on :permissions, :to => :test do
918
+ if_attribute :test_attr => 1
919
+ end
920
+ has_permission_on :permission_children, :to => :test do
921
+ if_permitted_to :test, :permission
922
+ end
923
+ end
924
+ end
925
+ }
926
+ engine = Authorization::Engine.new(reader)
927
+
928
+ engine.permit?(:test, :context => :permission_children,
929
+ :user => MockUser.new(:test_role),
930
+ :object => MockDataObject.new(:permission => nil))
931
+
932
+ assert !engine.permit?(:test, :context => :permission_children,
933
+ :user => MockUser.new(:test_role),
934
+ :object => MockDataObject.new(:permission => nil))
935
+ end
936
+
937
+ def test_attribute_with_permissions_on_self
938
+ reader = Authorization::Reader::DSLReader.new
939
+ reader.parse %{
940
+ authorization do
941
+ role :test_role do
942
+ has_permission_on :permissions, :to => :test do
943
+ if_attribute :test_attr => 1
944
+ end
945
+ has_permission_on :permissions, :to => :another_test do
946
+ if_permitted_to :test
947
+ end
948
+ end
949
+ end
950
+ }
951
+ engine = Authorization::Engine.new(reader)
952
+
953
+ perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
954
+ perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
955
+ assert engine.permit?(:another_test, :context => :permissions,
956
+ :user => MockUser.new(:test_role),
957
+ :object => perm_data_attr_1)
958
+ assert !engine.permit?(:another_test, :context => :permissions,
959
+ :user => MockUser.new(:test_role),
960
+ :object => perm_data_attr_2)
961
+ end
962
+
963
+ def test_attribute_with_permissions_on_self_with_context
964
+ reader = Authorization::Reader::DSLReader.new
965
+ reader.parse %{
966
+ authorization do
967
+ role :test_role do
968
+ has_permission_on :permissions, :to => :test do
969
+ if_attribute :test_attr => 1
970
+ end
971
+ has_permission_on :permissions, :to => :another_test do
972
+ if_permitted_to :test, :context => :permissions
973
+ end
974
+ end
975
+ end
976
+ }
977
+ engine = Authorization::Engine.new(reader)
978
+
979
+ perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
980
+ perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
981
+ assert engine.permit?(:another_test, :context => :permissions,
982
+ :user => MockUser.new(:test_role),
983
+ :object => perm_data_attr_1)
984
+ assert !engine.permit?(:another_test, :context => :permissions,
985
+ :user => MockUser.new(:test_role),
986
+ :object => perm_data_attr_2)
987
+ end
988
+
989
+ def test_attribute_with_permissions_and_anded_rules
990
+ reader = Authorization::Reader::DSLReader.new
991
+ reader.parse %{
992
+ authorization do
993
+ role :test_role do
994
+ has_permission_on :permissions, :to => :test do
995
+ if_attribute :test_attr => 1
996
+ end
997
+ has_permission_on :permission_children, :to => :test, :join_by => :and do
998
+ if_permitted_to :test, :permission
999
+ if_attribute :test_attr => 1
1000
+ end
1001
+ end
1002
+ end
1003
+ }
1004
+ engine = Authorization::Engine.new(reader)
1005
+
1006
+ perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
1007
+ perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
1008
+ assert engine.permit?(:test, :context => :permission_children,
1009
+ :user => MockUser.new(:test_role),
1010
+ :object => MockDataObject.new(:permission => perm_data_attr_1, :test_attr => 1))
1011
+ assert !engine.permit?(:test, :context => :permission_children,
1012
+ :user => MockUser.new(:test_role),
1013
+ :object => MockDataObject.new(:permission => perm_data_attr_2, :test_attr => 1))
1014
+ assert !engine.permit?(:test, :context => :permission_children,
1015
+ :user => MockUser.new(:test_role),
1016
+ :object => MockDataObject.new(:permission => perm_data_attr_1, :test_attr => 2))
1017
+ end
1018
+
1019
+ def test_attribute_with_anded_rules
1020
+ reader = Authorization::Reader::DSLReader.new
1021
+ reader.parse %{
1022
+ authorization do
1023
+ role :test_role do
1024
+ has_permission_on :permissions, :to => :test, :join_by => :and do
1025
+ if_attribute :test_attr => 1
1026
+ if_attribute :test_attr_2 => 2
1027
+ end
1028
+ end
1029
+ end
1030
+ }
1031
+ engine = Authorization::Engine.new(reader)
1032
+
1033
+ assert engine.permit?(:test, :context => :permissions,
1034
+ :user => MockUser.new(:test_role),
1035
+ :object => MockDataObject.new(:test_attr => 1, :test_attr_2 => 2))
1036
+ assert !engine.permit?(:test, :context => :permissions,
1037
+ :user => MockUser.new(:test_role),
1038
+ :object => MockDataObject.new(:test_attr => 1, :test_attr_2 => 3))
1039
+ end
1040
+
1041
+ def test_raise_on_if_attribute_hash_on_collection
1042
+ reader = Authorization::Reader::DSLReader.new
1043
+ reader.parse %{
1044
+ authorization do
1045
+ role :test_role do
1046
+ has_permission_on :permissions, :to => :test do
1047
+ if_attribute :test_attrs => {:attr => is {1}}
1048
+ end
1049
+ end
1050
+ end
1051
+ }
1052
+ engine = Authorization::Engine.new(reader)
1053
+ assert_raise Authorization::AuthorizationUsageError do
1054
+ engine.permit?(:test, :context => :permissions,
1055
+ :user => MockUser.new(:test_role),
1056
+ :object => MockDataObject.new(:test_attrs => [1, 2, 3]))
1057
+ end
1058
+ end
1059
+
1060
+ def test_role_title_description
1061
+ reader = Authorization::Reader::DSLReader.new
1062
+ reader.parse %{
1063
+ authorization do
1064
+ role :test_role, :title => 'Test Role' do
1065
+ description "Test Role Description"
1066
+ end
1067
+ end
1068
+ }
1069
+ engine = Authorization::Engine.new(reader)
1070
+ assert engine.roles.include?(:test_role)
1071
+ assert_equal "Test Role", engine.role_titles[:test_role]
1072
+ assert_equal "Test Role", engine.title_for(:test_role)
1073
+ assert_nil engine.title_for(:test_role_2)
1074
+ assert_equal "Test Role Description", engine.role_descriptions[:test_role]
1075
+ assert_equal "Test Role Description", engine.description_for(:test_role)
1076
+ assert_nil engine.description_for(:test_role_2)
1077
+ end
1078
+
1079
+ def test_multithread
1080
+ reader = Authorization::Reader::DSLReader.new
1081
+ reader.parse %{
1082
+ authorization do
1083
+ role :test_role do
1084
+ has_permission_on :permissions, :to => :test
1085
+ end
1086
+ end
1087
+ }
1088
+
1089
+ engine = Authorization::Engine.new(reader)
1090
+ Authorization.stub :current_user, MockUser.new(:test_role) do
1091
+ assert engine.permit?(:test, :context => :permissions)
1092
+ Thread.new do
1093
+ Authorization.current_user = MockUser.new(:test_role2)
1094
+ assert !engine.permit?(:test, :context => :permissions)
1095
+ end
1096
+ assert engine.permit?(:test, :context => :permissions)
1097
+ end
1098
+ end
1099
+
1100
+ def test_clone
1101
+ reader = Authorization::Reader::DSLReader.new
1102
+ reader.parse %{
1103
+ authorization do
1104
+ role :test_role do
1105
+ has_permission_on :permissions, :to => :test do
1106
+ if_attribute :attr => { :sub_attr => is { user } }
1107
+ if_permitted_to :read, :attr_2 => :attr_3
1108
+ if_permitted_to :read, :attr_2
1109
+ end
1110
+ end
1111
+ end
1112
+ }
1113
+
1114
+ engine = Authorization::Engine.new(reader)
1115
+ cloned_engine = engine.clone
1116
+ assert_not_equal engine.auth_rules.first.contexts.object_id,
1117
+ cloned_engine.auth_rules.first.contexts.object_id
1118
+ assert_not_equal engine.auth_rules.first.attributes.first.send(:instance_variable_get, :@conditions_hash)[:attr].object_id,
1119
+ cloned_engine.auth_rules.first.attributes.first.send(:instance_variable_get, :@conditions_hash)[:attr].object_id
1120
+ end
1121
+ end