ae_declarative_authorization 0.7.1 → 0.8.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (56) hide show
  1. checksums.yaml +5 -5
  2. data/Appraisals +31 -21
  3. data/CHANGELOG +189 -189
  4. data/Gemfile +7 -7
  5. data/Gemfile.lock +68 -60
  6. data/LICENSE.txt +20 -20
  7. data/README.md +620 -620
  8. data/README.rdoc +597 -597
  9. data/Rakefile +35 -33
  10. data/authorization_rules.dist.rb +20 -20
  11. data/declarative_authorization.gemspec +24 -24
  12. data/gemfiles/rails4252.gemfile +10 -10
  13. data/gemfiles/rails4252.gemfile.lock +126 -0
  14. data/gemfiles/rails4271.gemfile +10 -10
  15. data/gemfiles/rails4271.gemfile.lock +126 -0
  16. data/gemfiles/rails507.gemfile +11 -11
  17. data/gemfiles/rails507.gemfile.lock +136 -0
  18. data/gemfiles/rails516.gemfile +11 -0
  19. data/gemfiles/rails516.gemfile.lock +136 -0
  20. data/gemfiles/rails521.gemfile +11 -0
  21. data/gemfiles/rails521.gemfile.lock +144 -0
  22. data/init.rb +5 -5
  23. data/lib/declarative_authorization.rb +18 -18
  24. data/lib/declarative_authorization/authorization.rb +821 -821
  25. data/lib/declarative_authorization/helper.rb +78 -78
  26. data/lib/declarative_authorization/in_controller.rb +713 -713
  27. data/lib/declarative_authorization/in_model.rb +156 -156
  28. data/lib/declarative_authorization/maintenance.rb +215 -215
  29. data/lib/declarative_authorization/obligation_scope.rb +348 -345
  30. data/lib/declarative_authorization/railsengine.rb +5 -5
  31. data/lib/declarative_authorization/reader.rb +549 -549
  32. data/lib/declarative_authorization/test/helpers.rb +261 -261
  33. data/lib/declarative_authorization/version.rb +3 -3
  34. data/lib/generators/authorization/install/install_generator.rb +77 -77
  35. data/lib/generators/authorization/rules/rules_generator.rb +13 -13
  36. data/lib/generators/authorization/rules/templates/authorization_rules.rb +27 -27
  37. data/lib/tasks/authorization_tasks.rake +89 -89
  38. data/log/test.log +15246 -0
  39. data/pkg/ae_declarative_authorization-0.7.1.gem +0 -0
  40. data/pkg/ae_declarative_authorization-0.8.0.gem +0 -0
  41. data/test/authorization_test.rb +1121 -1121
  42. data/test/controller_filter_resource_access_test.rb +573 -573
  43. data/test/controller_test.rb +478 -478
  44. data/test/database.yml +3 -3
  45. data/test/dsl_reader_test.rb +178 -178
  46. data/test/functional/filter_access_to_with_id_in_scope_test.rb +88 -88
  47. data/test/functional/no_filter_access_to_test.rb +79 -79
  48. data/test/functional/params_block_arity_test.rb +39 -39
  49. data/test/helper_test.rb +248 -248
  50. data/test/maintenance_test.rb +46 -46
  51. data/test/model_test.rb +1840 -1840
  52. data/test/profiles/access_checking +20 -0
  53. data/test/schema.sql +60 -60
  54. data/test/test_helper.rb +174 -174
  55. data/test/test_support/minitest_compatibility.rb +26 -26
  56. metadata +17 -5
@@ -1,46 +1,46 @@
1
- require 'test_helper'
2
- require File.join(File.dirname(__FILE__), %w{.. lib declarative_authorization maintenance})
3
-
4
- class MaintenanceTest < Test::Unit::TestCase
5
- include Authorization::TestHelper
6
-
7
- def test_usages_by_controllers
8
- usage_test_controller = Class.new(ActionController::Base)
9
- usage_test_controller.send(:define_method, :an_action) {}
10
- usage_test_controller.filter_access_to :an_action
11
-
12
- assert Authorization::Maintenance::Usage::usages_by_controller.
13
- include?(usage_test_controller)
14
- end
15
-
16
- def test_without_access_control
17
- reader = Authorization::Reader::DSLReader.new
18
- reader.parse %{
19
- authorization do
20
- role :test_role do
21
- has_permission_on :permissions, :to => :test
22
- end
23
- end
24
- }
25
- engine = Authorization::Engine.new(reader)
26
- assert !engine.permit?(:test_2, :context => :permissions,
27
- :user => MockUser.new(:test_role))
28
- Authorization::Maintenance::without_access_control do
29
- assert engine.permit!(:test_2, :context => :permissions,
30
- :user => MockUser.new(:test_role))
31
- end
32
- without_access_control do
33
- assert engine.permit?(:test_2, :context => :permissions,
34
- :user => MockUser.new(:test_role))
35
- end
36
- Authorization::Maintenance::without_access_control do
37
- Authorization::Maintenance::without_access_control do
38
- assert engine.permit?(:test_2, :context => :permissions,
39
- :user => MockUser.new(:test_role))
40
- end
41
- assert engine.permit?(:test_2, :context => :permissions,
42
- :user => MockUser.new(:test_role))
43
- end
44
- end
45
-
46
- end
1
+ require 'test_helper'
2
+ require File.join(File.dirname(__FILE__), %w{.. lib declarative_authorization maintenance})
3
+
4
+ class MaintenanceTest < Test::Unit::TestCase
5
+ include Authorization::TestHelper
6
+
7
+ def test_usages_by_controllers
8
+ usage_test_controller = Class.new(ActionController::Base)
9
+ usage_test_controller.send(:define_method, :an_action) {}
10
+ usage_test_controller.filter_access_to :an_action
11
+
12
+ assert Authorization::Maintenance::Usage::usages_by_controller.
13
+ include?(usage_test_controller)
14
+ end
15
+
16
+ def test_without_access_control
17
+ reader = Authorization::Reader::DSLReader.new
18
+ reader.parse %{
19
+ authorization do
20
+ role :test_role do
21
+ has_permission_on :permissions, :to => :test
22
+ end
23
+ end
24
+ }
25
+ engine = Authorization::Engine.new(reader)
26
+ assert !engine.permit?(:test_2, :context => :permissions,
27
+ :user => MockUser.new(:test_role))
28
+ Authorization::Maintenance::without_access_control do
29
+ assert engine.permit!(:test_2, :context => :permissions,
30
+ :user => MockUser.new(:test_role))
31
+ end
32
+ without_access_control do
33
+ assert engine.permit?(:test_2, :context => :permissions,
34
+ :user => MockUser.new(:test_role))
35
+ end
36
+ Authorization::Maintenance::without_access_control do
37
+ Authorization::Maintenance::without_access_control do
38
+ assert engine.permit?(:test_2, :context => :permissions,
39
+ :user => MockUser.new(:test_role))
40
+ end
41
+ assert engine.permit?(:test_2, :context => :permissions,
42
+ :user => MockUser.new(:test_role))
43
+ end
44
+ end
45
+
46
+ end
@@ -1,1840 +1,1840 @@
1
- require 'test_helper'
2
- require File.join(File.dirname(__FILE__), %w{.. lib declarative_authorization in_model})
3
-
4
- ActiveRecord::Base.send :include, Authorization::AuthorizationInModel
5
- #ActiveRecord::Base.logger = Logger.new(STDOUT)
6
-
7
- options = {:adapter => 'sqlite3', :timeout => 500, :database => ':memory:'}
8
- ActiveRecord::Base.establish_connection(options)
9
- ActiveRecord::Base.configurations = { 'sqlite3_ar_integration' => options }
10
- ActiveRecord::Base.connection
11
-
12
- File.read(File.dirname(__FILE__) + "/schema.sql").split(';').each do |sql|
13
- ActiveRecord::Base.connection.execute(sql) unless sql.blank?
14
- end
15
-
16
- class TestModel < ActiveRecord::Base
17
- has_many :test_attrs
18
- has_many :test_another_attrs, :class_name => "TestAttr", :foreign_key => :test_another_model_id
19
- has_many :test_attr_throughs, :through => :test_attrs
20
- has_one :test_attr_has_one, :class_name => "TestAttr"
21
- has_many :branches
22
-
23
- has_many :test_attrs_with_attr,
24
- lambda { where(:attr => 1) },
25
- :class_name => "TestAttr"
26
-
27
- has_many :test_attr_throughs_with_attr,
28
- lambda { where("test_attrs.attr = 1") },
29
- :through => :test_attrs,
30
- :class_name => "TestAttrThrough", :source => :test_attr_throughs
31
-
32
- has_one :test_attr_throughs_with_attr_and_has_one,
33
- lambda { where("test_attrs.attr = 1") },
34
- :through => :test_attrs,
35
- :class_name => "TestAttrThrough",
36
- :source => :test_attr_throughs
37
-
38
- scope :with_content, lambda { where("test_models.content IS NOT NULL") }
39
-
40
- # Primary key test
41
- has_many :test_attrs_with_primary_id,
42
- :class_name => "TestAttr",
43
- :primary_key => :test_attr_through_id,
44
- :foreign_key => :test_attr_through_id
45
- has_many :test_attr_throughs_with_primary_id,
46
- :through => :test_attrs_with_primary_id,
47
- :class_name => "TestAttrThrough",
48
- :source => :n_way_join_item
49
-
50
- # for checking for unnecessary queries
51
- mattr_accessor :query_count
52
- def self.find(*args)
53
- self.query_count ||= 0
54
- self.query_count += 1
55
- super(*args)
56
- end
57
- end
58
-
59
- class NWayJoinItem < ActiveRecord::Base
60
- has_many :test_attrs
61
- has_many :others, :through => :test_attrs, :source => :n_way_join_item
62
- end
63
-
64
- class TestAttr < ActiveRecord::Base
65
- belongs_to :test_model
66
- belongs_to :test_another_model, :class_name => "TestModel", :foreign_key => :test_another_model_id
67
- belongs_to :test_a_third_model, :class_name => "TestModel", :foreign_key => :test_a_third_model_id
68
- belongs_to :n_way_join_item
69
- belongs_to :test_attr
70
- belongs_to :branch
71
- belongs_to :company
72
- has_many :test_attr_throughs
73
- has_many :test_model_security_model_with_finds
74
- attr_reader :role_symbols
75
-
76
- def initialize(*args)
77
- @role_symbols = []
78
- super(*args)
79
- end
80
- end
81
-
82
- class TestAttrThrough < ActiveRecord::Base
83
- belongs_to :test_attr
84
- end
85
-
86
- class TestModelSecurityModel < ActiveRecord::Base
87
- has_many :test_attrs
88
- using_access_control
89
- end
90
- class TestModelSecurityModelWithFind < ActiveRecord::Base
91
- self.table_name = 'test_model_security_models'
92
-
93
- has_many :test_attrs
94
- belongs_to :test_attr
95
- using_access_control :include_read => true,
96
- :context => :test_model_security_models
97
- end
98
-
99
- class Branch < ActiveRecord::Base
100
- has_many :test_attrs
101
- belongs_to :company
102
- belongs_to :test_model
103
- end
104
- class Company < ActiveRecord::Base
105
- has_many :test_attrs
106
- has_many :branches
107
- belongs_to :country
108
- end
109
- class SmallCompany < Company
110
- def self.decl_auth_context
111
- :companies
112
- end
113
- end
114
- class Country < ActiveRecord::Base
115
- has_many :test_models
116
- has_many :companies
117
- end
118
-
119
- class NamedScopeModelTest < Test::Unit::TestCase
120
- def test_multiple_deep_ored_belongs_to
121
- reader = Authorization::Reader::DSLReader.new
122
- reader.parse %{
123
- authorization do
124
- role :test_role do
125
- has_permission_on :test_attrs, :to => :read do
126
- if_attribute :test_model => {:test_attrs => contains {user}}
127
- if_attribute :test_another_model => {:test_attrs => contains {user}}
128
- end
129
- end
130
- end
131
- }
132
- Authorization::Engine.instance(reader)
133
-
134
- test_model_1 = TestModel.create!
135
- test_model_2 = TestModel.create!
136
- test_attr_1 = TestAttr.create! :test_model_id => test_model_1.id,
137
- :test_another_model_id => test_model_2.id
138
-
139
- user = MockUser.new(:test_role, :id => test_attr_1)
140
- assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).references(:test_attrs, :test_attrs_test_models, :test_attrs_test_models_2).length
141
-
142
- TestAttr.delete_all
143
- TestModel.delete_all
144
- end
145
-
146
- def test_with_belongs_to_and_has_many_with_contains
147
- reader = Authorization::Reader::DSLReader.new
148
- reader.parse %{
149
- authorization do
150
- role :test_role do
151
- has_permission_on :test_attrs, :to => :read do
152
- if_attribute :test_model => { :test_attrs => contains { user.test_attr_value } }
153
- end
154
- end
155
- end
156
- }
157
- Authorization::Engine.instance(reader)
158
-
159
- test_attr_1 = TestAttr.create!
160
- test_model_1 = TestModel.create!
161
- test_model_1.test_attrs.create!
162
-
163
- user = MockUser.new(:test_role, :test_attr_value => test_model_1.test_attrs.first.id )
164
- assert_equal 1, TestAttr.with_permissions_to( :read, :context => :test_attrs, :user => user ).length
165
- assert_equal 1, TestAttr.with_permissions_to( :read, :user => user ).length
166
- assert_raise Authorization::NotAuthorized do
167
- TestAttr.with_permissions_to( :update_test_attrs, :user => user )
168
- end
169
- TestAttr.delete_all
170
- TestModel.delete_all
171
- end
172
-
173
- def test_with_nested_has_many
174
- reader = Authorization::Reader::DSLReader.new
175
- reader.parse %{
176
- authorization do
177
- role :test_role do
178
- has_permission_on :companies, :to => :read do
179
- if_attribute :branches => { :test_attrs => { :attr => is { user.test_attr_value } } }
180
- end
181
- end
182
- end
183
- }
184
- Authorization::Engine.instance(reader)
185
-
186
- allowed_company = Company.create!
187
- allowed_company.branches.create!.test_attrs.create!(:attr => 1)
188
- allowed_company.branches.create!.test_attrs.create!(:attr => 2)
189
-
190
- prohibited_company = Company.create!
191
- prohibited_company.branches.create!.test_attrs.create!(:attr => 3)
192
-
193
- user = MockUser.new(:test_role, :test_attr_value => 1)
194
- prohibited_user = MockUser.new(:test_role, :test_attr_value => 4)
195
- assert_equal 1, Company.with_permissions_to(:read, :user => user).length
196
- assert_equal 0, Company.with_permissions_to(:read, :user => prohibited_user).length
197
-
198
- Company.delete_all
199
- Branch.delete_all
200
- TestAttr.delete_all
201
- end
202
-
203
- def test_with_nested_has_many_through
204
- reader = Authorization::Reader::DSLReader.new
205
- reader.parse %{
206
- authorization do
207
- role :test_role do
208
- has_permission_on :test_models, :to => :read do
209
- if_attribute :test_attr_throughs => { :test_attr => { :attr => is { user.test_attr_value } } }
210
- end
211
- end
212
- end
213
- }
214
- Authorization::Engine.instance(reader)
215
- TestModel.delete_all
216
- TestAttrThrough.delete_all
217
- TestAttr.delete_all
218
-
219
- allowed_model = TestModel.create!
220
- allowed_model.test_attrs.create!(:attr => 1).test_attr_throughs.create!
221
- allowed_model.test_attrs.create!(:attr => 2).test_attr_throughs.create!
222
-
223
- prohibited_model = TestModel.create!
224
- prohibited_model.test_attrs.create!(:attr => 3).test_attr_throughs.create!
225
-
226
- user = MockUser.new(:test_role, :test_attr_value => 1)
227
- prohibited_user = MockUser.new(:test_role, :test_attr_value => 4)
228
- assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
229
- assert_equal 0, TestModel.with_permissions_to(:read, :user => prohibited_user).length
230
-
231
- TestModel.delete_all
232
- TestAttrThrough.delete_all
233
- TestAttr.delete_all
234
- end
235
-
236
- def test_with_is
237
- reader = Authorization::Reader::DSLReader.new
238
- reader.parse %{
239
- authorization do
240
- role :test_role do
241
- has_permission_on :test_models, :to => :read do
242
- if_attribute :id => is { user.test_attr_value }
243
- end
244
- end
245
- end
246
- }
247
- Authorization::Engine.instance(reader)
248
-
249
- test_model_1 = TestModel.create!
250
- TestModel.create!
251
-
252
- user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
253
- assert_equal 1, TestModel.with_permissions_to(:read,
254
- :context => :test_models, :user => user).length
255
- assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
256
- assert_raise Authorization::NotAuthorized do
257
- TestModel.with_permissions_to(:update_test_models, :user => user)
258
- end
259
- TestModel.delete_all
260
- end
261
-
262
- def test_named_scope_on_proxy
263
- reader = Authorization::Reader::DSLReader.new
264
- reader.parse %{
265
- authorization do
266
- role :test_role do
267
- has_permission_on :test_attrs, :to => :read do
268
- if_attribute :id => is { user.test_attr_value }
269
- end
270
- end
271
- end
272
- }
273
- Authorization::Engine.instance(reader)
274
-
275
- test_model_1 = TestModel.create!
276
- test_attr_1 = test_model_1.test_attrs.create!
277
- test_model_1.test_attrs.create!
278
- TestAttr.create!
279
-
280
- user = MockUser.new(:test_role, :test_attr_value => test_attr_1.id)
281
- assert_equal 1, test_model_1.test_attrs.with_permissions_to(:read, :user => user).length
282
- TestModel.delete_all
283
- TestAttr.delete_all
284
- end
285
-
286
- def test_named_scope_on_named_scope
287
- reader = Authorization::Reader::DSLReader.new
288
- reader.parse %{
289
- authorization do
290
- role :test_role do
291
- has_permission_on :test_models, :to => :read do
292
- if_attribute :test_attr_through_id => 1
293
- end
294
- has_permission_on :test_attrs, :to => :read do
295
- if_permitted_to :read, :test_model
296
- end
297
- end
298
- end
299
- }
300
- Authorization::Engine.instance(reader)
301
-
302
- country = Country.create!
303
- model_1 = TestModel.create!(:test_attr_through_id => 1, :content => "Content")
304
- country.test_models << model_1
305
- TestModel.create!(:test_attr_through_id => 1)
306
- TestModel.create!(:test_attr_through_id => 2, :content => "Content")
307
-
308
- user = MockUser.new(:test_role)
309
-
310
- TestModel.query_count = 0
311
- assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
312
-
313
- TestModel.query_count = 0
314
- assert_equal 1, TestModel.with_content.with_permissions_to(:read, :user => user).length
315
-
316
- TestModel.query_count = 0
317
- assert_equal 1, country.test_models.with_permissions_to(:read, :user => user).length
318
-
319
- TestModel.delete_all
320
- Country.delete_all
321
- end
322
-
323
- def test_with_modified_context
324
- reader = Authorization::Reader::DSLReader.new
325
- reader.parse %{
326
- authorization do
327
- role :test_role do
328
- has_permission_on :companies, :to => :read do
329
- if_attribute :id => is { user.test_company_id }
330
- end
331
- end
332
- end
333
- }
334
- Authorization::Engine.instance(reader)
335
-
336
- test_company = SmallCompany.create!
337
-
338
- user = MockUser.new(:test_role, :test_company_id => test_company.id)
339
- assert_equal 1, SmallCompany.with_permissions_to(:read,
340
- :user => user).length
341
- SmallCompany.delete_all
342
- end
343
-
344
- def test_with_is_nil
345
- reader = Authorization::Reader::DSLReader.new
346
- reader.parse %{
347
- authorization do
348
- role :test_role do
349
- has_permission_on :test_models, :to => :read do
350
- if_attribute :content => nil
351
- end
352
- end
353
- role :test_role_not_nil do
354
- has_permission_on :test_models, :to => :read do
355
- if_attribute :content => is_not { nil }
356
- end
357
- end
358
- end
359
- }
360
- Authorization::Engine.instance(reader)
361
-
362
- test_model_1 = TestModel.create!
363
- test_model_2 = TestModel.create! :content => "Content"
364
-
365
- assert_equal test_model_1, TestModel.with_permissions_to(:read,
366
- :context => :test_models, :user => MockUser.new(:test_role)).first
367
- assert_equal test_model_2, TestModel.with_permissions_to(:read,
368
- :context => :test_models, :user => MockUser.new(:test_role_not_nil)).first
369
- TestModel.delete_all
370
- end
371
-
372
- def test_with_not_is
373
- reader = Authorization::Reader::DSLReader.new
374
- reader.parse %{
375
- authorization do
376
- role :test_role do
377
- has_permission_on :test_models, :to => :read do
378
- if_attribute :id => is_not { user.test_attr_value }
379
- end
380
- end
381
- end
382
- }
383
- Authorization::Engine.instance(reader)
384
- TestModel.delete_all
385
-
386
- test_model_1 = TestModel.create!
387
- TestModel.create!
388
-
389
- user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
390
- assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
391
- TestModel.delete_all
392
- end
393
-
394
- def test_with_lt
395
- reader = Authorization::Reader::DSLReader.new
396
- reader.parse %{
397
- authorization do
398
- role :test_role do
399
- has_permission_on :test_models, :to => :read do
400
- if_attribute :id => lt { user.test_attr_value }
401
- end
402
- end
403
- end
404
- }
405
- Authorization::Engine.instance(reader)
406
-
407
- test_model_1 = TestModel.create!
408
- TestModel.create!
409
-
410
- user = MockUser.new(:test_role, :test_attr_value => test_model_1.id + 1)
411
- assert_equal 1, TestModel.with_permissions_to(:read,
412
- :context => :test_models, :user => user).length
413
- assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
414
- assert_raise Authorization::NotAuthorized do
415
- TestModel.with_permissions_to(:update_test_models, :user => user)
416
- end
417
- TestModel.delete_all
418
- end
419
-
420
- def test_with_lte
421
- reader = Authorization::Reader::DSLReader.new
422
- reader.parse %{
423
- authorization do
424
- role :test_role do
425
- has_permission_on :test_models, :to => :read do
426
- if_attribute :id => lte { user.test_attr_value }
427
- end
428
- end
429
- end
430
- }
431
- Authorization::Engine.instance(reader)
432
-
433
- test_model_1 = TestModel.create!
434
- 2.times { TestModel.create! }
435
-
436
- user = MockUser.new(:test_role, :test_attr_value => test_model_1.id + 1)
437
- assert_equal 2, TestModel.with_permissions_to(:read,
438
- :context => :test_models, :user => user).length
439
- assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
440
- assert_raise Authorization::NotAuthorized do
441
- TestModel.with_permissions_to(:update_test_models, :user => user)
442
- end
443
- TestModel.delete_all
444
- end
445
-
446
- def test_with_gt
447
- reader = Authorization::Reader::DSLReader.new
448
- reader.parse %{
449
- authorization do
450
- role :test_role do
451
- has_permission_on :test_models, :to => :read do
452
- if_attribute :id => gt { user.test_attr_value }
453
- end
454
- end
455
- end
456
- }
457
- Authorization::Engine.instance(reader)
458
-
459
- TestModel.create!
460
- test_model_1 = TestModel.create!
461
-
462
- user = MockUser.new(:test_role, :test_attr_value => test_model_1.id - 1)
463
- assert_equal 1, TestModel.with_permissions_to(:read,
464
- :context => :test_models, :user => user).length
465
- assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
466
- assert_raise Authorization::NotAuthorized do
467
- TestModel.with_permissions_to(:update_test_models, :user => user)
468
- end
469
- TestModel.delete_all
470
- end
471
-
472
- def test_with_gte
473
- reader = Authorization::Reader::DSLReader.new
474
- reader.parse %{
475
- authorization do
476
- role :test_role do
477
- has_permission_on :test_models, :to => :read do
478
- if_attribute :id => gte { user.test_attr_value }
479
- end
480
- end
481
- end
482
- }
483
- Authorization::Engine.instance(reader)
484
-
485
- 2.times { TestModel.create! }
486
- test_model_1 = TestModel.create!
487
-
488
- user = MockUser.new(:test_role, :test_attr_value => test_model_1.id - 1)
489
- assert_equal 2, TestModel.with_permissions_to(:read,
490
- :context => :test_models, :user => user).length
491
- assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
492
- assert_raise Authorization::NotAuthorized do
493
- TestModel.with_permissions_to(:update_test_models, :user => user)
494
- end
495
- TestModel.delete_all
496
- end
497
-
498
- def test_with_empty_obligations
499
- reader = Authorization::Reader::DSLReader.new
500
- reader.parse %{
501
- authorization do
502
- role :test_role do
503
- has_permission_on :test_models, :to => :read
504
- end
505
- end
506
- }
507
- Authorization::Engine.instance(reader)
508
-
509
- TestModel.create!
510
-
511
- user = MockUser.new(:test_role)
512
- assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
513
- assert_raise Authorization::NotAuthorized do
514
- TestModel.with_permissions_to(:update, :user => user)
515
- end
516
- TestModel.delete_all
517
- end
518
-
519
- def test_multiple_obligations
520
- reader = Authorization::Reader::DSLReader.new
521
- reader.parse %{
522
- authorization do
523
- role :test_role do
524
- has_permission_on :test_models, :to => :read do
525
- if_attribute :id => is { user.test_attr_value }
526
- end
527
- has_permission_on :test_models, :to => :read do
528
- if_attribute :id => is { user.test_attr_value_2 }
529
- end
530
- end
531
- end
532
- }
533
- Authorization::Engine.instance(reader)
534
-
535
- test_model_1 = TestModel.create!
536
- test_model_2 = TestModel.create!
537
-
538
- user = MockUser.new(:test_role, :test_attr_value => test_model_1.id,
539
- :test_attr_value_2 => test_model_2.id)
540
- assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
541
- TestModel.delete_all
542
- end
543
-
544
- def test_multiple_roles
545
- reader = Authorization::Reader::DSLReader.new
546
- reader.parse %{
547
- authorization do
548
- role :test_role do
549
- has_permission_on :test_attrs, :to => :read do
550
- if_attribute :attr => [1,2]
551
- end
552
- end
553
-
554
- role :test_role_2 do
555
- has_permission_on :test_attrs, :to => :read do
556
- if_attribute :attr => [2,3]
557
- end
558
- end
559
- end
560
- }
561
- Authorization::Engine.instance(reader)
562
-
563
- TestAttr.create! :attr => 1
564
- TestAttr.create! :attr => 2
565
- TestAttr.create! :attr => 3
566
-
567
- user = MockUser.new(:test_role)
568
- assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).length
569
- TestAttr.delete_all
570
- end
571
-
572
- def test_multiple_and_empty_obligations
573
- reader = Authorization::Reader::DSLReader.new
574
- reader.parse %{
575
- authorization do
576
- role :test_role do
577
- has_permission_on :test_models, :to => :read do
578
- if_attribute :id => is { user.test_attr_value }
579
- end
580
- has_permission_on :test_models, :to => :read
581
- end
582
- end
583
- }
584
- Authorization::Engine.instance(reader)
585
-
586
- test_model_1 = TestModel.create!
587
- TestModel.create!
588
-
589
- user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
590
- assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
591
- TestModel.delete_all
592
- end
593
-
594
- def test_multiple_attributes
595
- reader = Authorization::Reader::DSLReader.new
596
- reader.parse %{
597
- authorization do
598
- role :test_role do
599
- has_permission_on :test_models, :to => :read do
600
- if_attribute :id => is { user.test_attr_value }, :content => "bla"
601
- end
602
- end
603
- end
604
- }
605
- Authorization::Engine.instance(reader)
606
-
607
- test_model_1 = TestModel.create! :content => 'bla'
608
- TestModel.create! :content => 'bla'
609
- TestModel.create!
610
-
611
- user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
612
- assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
613
- TestModel.delete_all
614
- end
615
-
616
- def test_multiple_belongs_to
617
- reader = Authorization::Reader::DSLReader.new
618
- reader.parse %{
619
- authorization do
620
- role :test_role do
621
- has_permission_on :test_attrs, :to => :read do
622
- if_attribute :test_model => is {user}
623
- if_attribute :test_another_model => is {user}
624
- end
625
- end
626
- end
627
- }
628
- Authorization::Engine.instance(reader)
629
-
630
- test_attr_1 = TestAttr.create! :test_model_id => 1, :test_another_model_id => 2
631
-
632
- user = MockUser.new(:test_role, :id => 1)
633
- assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
634
- TestAttr.delete_all
635
- end
636
-
637
- def test_with_is_and_priv_hierarchy
638
- reader = Authorization::Reader::DSLReader.new
639
- reader.parse %{
640
- privileges do
641
- privilege :read do
642
- includes :list, :show
643
- end
644
- end
645
- authorization do
646
- role :test_role do
647
- has_permission_on :test_models, :to => :read do
648
- if_attribute :id => is { user.test_attr_value }
649
- end
650
- end
651
- end
652
- }
653
- Authorization::Engine.instance(reader)
654
-
655
- test_model_1 = TestModel.create!
656
- TestModel.create!
657
-
658
- user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
659
- assert_equal 1, TestModel.with_permissions_to(:list,
660
- :context => :test_models, :user => user).length
661
- assert_equal 1, TestModel.with_permissions_to(:list, :user => user).length
662
-
663
- TestModel.delete_all
664
- end
665
-
666
- def test_with_is_and_belongs_to
667
- reader = Authorization::Reader::DSLReader.new
668
- reader.parse %{
669
- authorization do
670
- role :test_role do
671
- has_permission_on :test_attrs, :to => :read do
672
- if_attribute :test_model => is { user.test_model }
673
- end
674
- end
675
- end
676
- }
677
- Authorization::Engine.instance(reader)
678
-
679
- test_model_1 = TestModel.create!
680
- test_model_1.test_attrs.create!
681
- TestModel.create!.test_attrs.create!
682
-
683
- user = MockUser.new(:test_role, :test_model => test_model_1)
684
- assert_equal 1, TestAttr.with_permissions_to(:read,
685
- :context => :test_attrs, :user => user).length
686
-
687
- TestModel.delete_all
688
- TestAttr.delete_all
689
- end
690
-
691
- def test_with_deep_attribute
692
- reader = Authorization::Reader::DSLReader.new
693
- reader.parse %{
694
- authorization do
695
- role :test_role do
696
- has_permission_on :test_attrs, :to => :read do
697
- if_attribute :test_model => {:id => is { user.test_model_id } }
698
- end
699
- end
700
- end
701
- }
702
- Authorization::Engine.instance(reader)
703
-
704
- test_model_1 = TestModel.create!
705
- test_model_1.test_attrs.create!
706
- TestModel.create!.test_attrs.create!
707
-
708
- user = MockUser.new(:test_role, :test_model_id => test_model_1.id)
709
- assert_equal 1, TestAttr.with_permissions_to(:read,
710
- :context => :test_attrs, :user => user).length
711
-
712
- TestModel.delete_all
713
- TestAttr.delete_all
714
- end
715
-
716
- def test_with_multiple_conditions
717
- reader = Authorization::Reader::DSLReader.new
718
- reader.parse %{
719
- authorization do
720
- role :test_role do
721
- has_permission_on :test_attrs, :to => :read do
722
- if_attribute :test_model => {:content => is { "pickle" } }
723
- if_attribute :test_model => {:content => is { "hotdog" } }
724
- end
725
- end
726
- end
727
- }
728
- Authorization::Engine.instance(reader)
729
-
730
- test_model_1 = TestModel.create!(content: "pickle")
731
- test_model_1.test_attrs.create!
732
- TestModel.create!.test_attrs.create!
733
-
734
- user = MockUser.new(:test_role, :test_model_id => test_model_1.id)
735
- assert_equal 1, TestAttr.with_permissions_to(:read,
736
- :context => :test_attrs, :user => user).length
737
-
738
- TestModel.delete_all
739
- TestAttr.delete_all
740
- end
741
-
742
- def test_with_anded_rules
743
- reader = Authorization::Reader::DSLReader.new
744
- reader.parse %{
745
- authorization do
746
- role :test_role do
747
- has_permission_on :test_attrs, :to => :read, :join_by => :and do
748
- if_attribute :test_model => is { user.test_model }
749
- if_attribute :attr => 1
750
- end
751
- end
752
- end
753
- }
754
- Authorization::Engine.instance(reader)
755
-
756
- test_model_1 = TestModel.create!
757
- test_model_1.test_attrs.create!(:attr => 1)
758
- TestModel.create!.test_attrs.create!(:attr => 1)
759
- TestModel.create!.test_attrs.create!
760
-
761
- user = MockUser.new(:test_role, :test_model => test_model_1)
762
- assert_equal 1, TestAttr.with_permissions_to(:read,
763
- :context => :test_attrs, :user => user).length
764
-
765
- TestModel.delete_all
766
- TestAttr.delete_all
767
- end
768
-
769
- def test_with_contains
770
- reader = Authorization::Reader::DSLReader.new
771
- reader.parse %{
772
- authorization do
773
- role :test_role do
774
- has_permission_on :test_models, :to => :read do
775
- if_attribute :test_attrs => contains { user }
776
- end
777
- end
778
- end
779
- }
780
- Authorization::Engine.instance(reader)
781
-
782
- test_model_1 = TestModel.create!
783
- test_model_2 = TestModel.create!
784
- test_model_1.test_attrs.create!
785
- test_model_1.test_attrs.create!
786
- test_model_2.test_attrs.create!
787
-
788
- user = MockUser.new(:test_role,
789
- :id => test_model_1.test_attrs.first.id)
790
- assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
791
- assert_equal 1, TestModel.with_permissions_to(:read, :user => user).where(:id => test_model_1.id).length
792
-
793
- TestModel.delete_all
794
- TestAttr.delete_all
795
- end
796
-
797
- def test_with_does_not_contain
798
- reader = Authorization::Reader::DSLReader.new
799
- reader.parse %{
800
- authorization do
801
- role :test_role do
802
- has_permission_on :test_models, :to => :read do
803
- if_attribute :test_attrs => does_not_contain { user }
804
- end
805
- end
806
- end
807
- }
808
- Authorization::Engine.instance(reader)
809
-
810
- test_model_1 = TestModel.create!
811
- test_model_2 = TestModel.create!
812
- test_model_1.test_attrs.create!
813
- test_model_2.test_attrs.create!
814
-
815
- user = MockUser.new(:test_role,
816
- :id => test_model_1.test_attrs.first.id)
817
- assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
818
-
819
- TestModel.delete_all
820
- TestAttr.delete_all
821
- end
822
-
823
- def test_with_contains_conditions
824
- reader = Authorization::Reader::DSLReader.new
825
- reader.parse %{
826
- authorization do
827
- role :test_role do
828
- has_permission_on :test_models, :to => :read do
829
- if_attribute :test_attrs_with_attr => contains { user }
830
- end
831
- end
832
- end
833
- }
834
- Authorization::Engine.instance(reader)
835
-
836
- test_model_1 = TestModel.create!
837
- test_model_2 = TestModel.create!
838
- test_model_1.test_attrs_with_attr.create!
839
- test_model_1.test_attrs.create!(:attr => 2)
840
- test_model_2.test_attrs_with_attr.create!
841
- test_model_2.test_attrs.create!(:attr => 2)
842
-
843
- #assert_equal 1, test_model_1.test_attrs_with_attr.length
844
- user = MockUser.new(:test_role,
845
- :id => test_model_1.test_attrs.first.id)
846
- assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
847
- user = MockUser.new(:test_role,
848
- :id => test_model_1.test_attrs.last.id)
849
- assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
850
-
851
- TestModel.delete_all
852
- TestAttr.delete_all
853
- end
854
-
855
- def test_with_contains_through_primary_key
856
- reader = Authorization::Reader::DSLReader.new
857
- reader.parse %{
858
- authorization do
859
- role :test_role do
860
- has_permission_on :test_models, :to => :read do
861
- if_attribute :test_attr_throughs_with_primary_id => contains { user }
862
- end
863
- end
864
- end
865
- }
866
- Authorization::Engine.instance(reader)
867
- TestModel.delete_all
868
- TestAttrThrough.delete_all
869
- TestAttr.delete_all
870
-
871
- test_attr_through_1 = TestAttrThrough.create!
872
- test_item = NWayJoinItem.create!
873
- test_model_1 = TestModel.create!(:test_attr_through_id => test_attr_through_1.id)
874
- test_attr_1 = TestAttr.create!(:test_attr_through_id => test_attr_through_1.id,
875
- :n_way_join_item_id => test_item.id)
876
-
877
- user = MockUser.new(:test_role,
878
- :id => test_attr_through_1.id)
879
- assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
880
-
881
- TestModel.delete_all
882
- TestAttrThrough.delete_all
883
- TestAttr.delete_all
884
- end
885
-
886
- def test_with_intersects_with
887
- reader = Authorization::Reader::DSLReader.new
888
- reader.parse %{
889
- authorization do
890
- role :test_role do
891
- has_permission_on :test_models, :to => :read do
892
- if_attribute :test_attrs => intersects_with { user.test_attrs }
893
- end
894
- end
895
- end
896
- }
897
- Authorization::Engine.instance(reader)
898
-
899
- test_model_1 = TestModel.create!
900
- test_model_2 = TestModel.create!
901
- test_model_1.test_attrs.create!
902
- test_model_1.test_attrs.create!
903
- test_model_1.test_attrs.create!
904
- test_model_2.test_attrs.create!
905
-
906
- user = MockUser.new(:test_role,
907
- :test_attrs => [test_model_1.test_attrs.first, TestAttr.create!])
908
- assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
909
-
910
- user = MockUser.new(:test_role,
911
- :test_attrs => [TestAttr.create!])
912
- assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
913
-
914
- TestModel.delete_all
915
- TestAttr.delete_all
916
- end
917
-
918
- def test_with_is_and_has_one
919
- reader = Authorization::Reader::DSLReader.new
920
- reader.parse %{
921
- authorization do :test_attr_has_one
922
- role :test_role do
923
- has_permission_on :test_models, :to => :read do
924
- if_attribute :test_attr_has_one => is { user.test_attr }
925
- end
926
- end
927
- end
928
- }
929
- Authorization::Engine.instance(reader)
930
-
931
- test_model_1 = TestModel.create!
932
- test_attr_1 = test_model_1.test_attrs.create!
933
- TestModel.create!.test_attrs.create!
934
-
935
- user = MockUser.new(:test_role, :test_attr => test_attr_1)
936
- assert_equal 1, TestModel.with_permissions_to(:read,
937
- :context => :test_models, :user => user).length
938
-
939
- TestModel.delete_all
940
- TestAttr.delete_all
941
- end
942
-
943
- def test_with_is_in
944
- reader = Authorization::Reader::DSLReader.new
945
- reader.parse %{
946
- authorization do
947
- role :test_role do
948
- has_permission_on :test_attrs, :to => :read do
949
- if_attribute :test_model => is_in { [user.test_model, user.test_model_2] }
950
- end
951
- end
952
- end
953
- }
954
- Authorization::Engine.instance(reader)
955
-
956
- test_model_1 = TestModel.create!
957
- test_model_2 = TestModel.create!
958
- test_model_1.test_attrs.create!
959
- TestModel.create!.test_attrs.create!
960
-
961
- user = MockUser.new(:test_role, :test_model => test_model_1,
962
- :test_model_2 => test_model_2)
963
- assert_equal 1, TestAttr.with_permissions_to(:read,
964
- :context => :test_attrs, :user => user).length
965
-
966
- TestModel.delete_all
967
- TestAttr.delete_all
968
- end
969
-
970
- def test_with_not_is_in
971
- reader = Authorization::Reader::DSLReader.new
972
- reader.parse %{
973
- authorization do
974
- role :test_role do
975
- has_permission_on :test_attrs, :to => :read do
976
- if_attribute :test_model => is_not_in { [user.test_model, user.test_model_2] }
977
- end
978
- end
979
- end
980
- }
981
- Authorization::Engine.instance(reader)
982
- TestModel.delete_all
983
- TestAttr.delete_all
984
-
985
- test_model_1 = TestModel.create!
986
- test_model_2 = TestModel.create!
987
- test_model_1.test_attrs.create!
988
- TestModel.create!.test_attrs.create!
989
-
990
- user = MockUser.new(:test_role, :test_model => test_model_1,
991
- :test_model_2 => test_model_2)
992
- assert_equal 1, TestAttr.with_permissions_to(:read,
993
- :context => :test_attrs, :user => user).length
994
-
995
- TestModel.delete_all
996
- TestAttr.delete_all
997
- end
998
-
999
- def test_with_if_permitted_to
1000
- reader = Authorization::Reader::DSLReader.new
1001
- reader.parse %{
1002
- authorization do
1003
- role :test_role do
1004
- has_permission_on :test_models, :to => :read do
1005
- if_attribute :test_attrs => contains { user }
1006
- end
1007
- has_permission_on :test_attrs, :to => :read do
1008
- if_permitted_to :read, :test_model
1009
- end
1010
- end
1011
- end
1012
- }
1013
- Authorization::Engine.instance(reader)
1014
-
1015
- test_model_1 = TestModel.create!
1016
- test_attr_1 = test_model_1.test_attrs.create!
1017
-
1018
- user = MockUser.new(:test_role, :id => test_attr_1.id)
1019
- assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
1020
- TestModel.delete_all
1021
- TestAttr.delete_all
1022
- end
1023
-
1024
- def test_with_anded_if_permitted_to
1025
- reader = Authorization::Reader::DSLReader.new
1026
- reader.parse %{
1027
- authorization do
1028
- role :base_role do
1029
- has_permission_on :test_attrs, :to => :read, :join_by => :and do
1030
- if_permitted_to :read, :test_model
1031
- if_attribute :attr => 1
1032
- end
1033
- end
1034
- role :first_role do
1035
- includes :base_role
1036
- has_permission_on :test_models, :to => :read do
1037
- if_attribute :content => "first test"
1038
- end
1039
- end
1040
- role :second_role do
1041
- includes :base_role
1042
- has_permission_on :test_models, :to => :read do
1043
- if_attribute :country_id => 2
1044
- end
1045
- end
1046
- end
1047
- }
1048
- Authorization::Engine.instance(reader)
1049
-
1050
- test_model_1 = TestModel.create!(:content => "first test")
1051
- test_model_1.test_attrs.create!(:attr => 1)
1052
- test_model_for_second_role = TestModel.create!(:country_id => 2)
1053
- test_model_for_second_role.test_attrs.create!(:attr => 1)
1054
- test_model_for_second_role.test_attrs.create!(:attr => 2)
1055
-
1056
- user = MockUser.new(:first_role)
1057
- assert Authorization::Engine.instance.permit?(:read, :object => test_model_1.test_attrs.first, :user => user)
1058
- assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
1059
-
1060
- user_with_both_roles = MockUser.new(:first_role, :second_role)
1061
- assert Authorization::Engine.instance.permit?(:read, :object => test_model_1.test_attrs.first, :user => user_with_both_roles)
1062
- assert Authorization::Engine.instance.permit?(:read, :object => test_model_for_second_role.test_attrs.first, :user => user_with_both_roles)
1063
- assert_equal 2, TestAttr.with_permissions_to(:read, :user => user_with_both_roles).references(:test_attrs, :test_models).length
1064
-
1065
- TestModel.delete_all
1066
- TestAttr.delete_all
1067
- end
1068
-
1069
- def test_with_if_permitted_to_with_no_child_permissions
1070
- reader = Authorization::Reader::DSLReader.new
1071
- reader.parse %{
1072
- authorization do
1073
- role :another_role do
1074
- has_permission_on :test_models, :to => :read do
1075
- if_attribute :test_attrs => contains { user }
1076
- end
1077
- end
1078
- role :additional_if_attribute do
1079
- has_permission_on :test_attrs, :to => :read do
1080
- if_permitted_to :read, :test_model
1081
- if_attribute :test_model => {:test_attrs => contains { user }}
1082
- end
1083
- end
1084
- role :only_permitted_to do
1085
- has_permission_on :test_attrs, :to => :read do
1086
- if_permitted_to :read, :test_model
1087
- end
1088
- end
1089
- end
1090
- }
1091
- Authorization::Engine.instance(reader)
1092
-
1093
- test_model_1 = TestModel.create!
1094
- test_attr_1 = test_model_1.test_attrs.create!
1095
-
1096
- user = MockUser.new(:only_permitted_to, :another_role, :id => test_attr_1.id)
1097
- also_allowed_user = MockUser.new(:additional_if_attribute, :id => test_attr_1.id)
1098
- non_allowed_user = MockUser.new(:only_permitted_to, :id => test_attr_1.id)
1099
-
1100
- assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
1101
- assert_equal 1, TestAttr.with_permissions_to(:read, :user => also_allowed_user).length
1102
- assert_raise Authorization::NotAuthorized do
1103
- TestAttr.with_permissions_to(:read, :user => non_allowed_user).find(:all)
1104
- end
1105
-
1106
- TestModel.delete_all
1107
- TestAttr.delete_all
1108
- end
1109
-
1110
- def test_with_if_permitted_to_with_context_from_model
1111
- reader = Authorization::Reader::DSLReader.new
1112
- reader.parse %{
1113
- authorization do
1114
- role :test_role do
1115
- has_permission_on :test_models, :to => :read do
1116
- if_attribute :test_another_attrs => contains { user }
1117
- end
1118
- has_permission_on :test_attrs, :to => :read do
1119
- if_permitted_to :read, :test_another_model
1120
- end
1121
- end
1122
- end
1123
- }
1124
- Authorization::Engine.instance(reader)
1125
-
1126
- test_model_1 = TestModel.create!
1127
- test_attr_1 = test_model_1.test_another_attrs.create!
1128
-
1129
- user = MockUser.new(:test_role, :id => test_attr_1.id)
1130
- non_allowed_user = MockUser.new(:test_role, :id => 111)
1131
-
1132
- assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
1133
- assert_equal 0, TestAttr.with_permissions_to(:read, :user => non_allowed_user).length
1134
- TestModel.delete_all
1135
- TestAttr.delete_all
1136
- end
1137
-
1138
- def test_with_has_many_if_permitted_to
1139
- reader = Authorization::Reader::DSLReader.new
1140
- reader.parse %{
1141
- authorization do
1142
- role :test_role do
1143
- has_permission_on :test_models, :to => :read do
1144
- if_permitted_to :read, :test_attrs
1145
- end
1146
- has_permission_on :test_attrs, :to => :read do
1147
- if_attribute :attr => is { user.id }
1148
- end
1149
- end
1150
- end
1151
- }
1152
- Authorization::Engine.instance(reader)
1153
-
1154
- test_model_1 = TestModel.create!
1155
- test_attr_1 = test_model_1.test_attrs.create!(:attr => 111)
1156
-
1157
- user = MockUser.new(:test_role, :id => test_attr_1.attr)
1158
- non_allowed_user = MockUser.new(:test_role, :id => 333)
1159
- assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
1160
- assert_equal 0, TestModel.with_permissions_to(:read, :user => non_allowed_user).length
1161
- TestModel.delete_all
1162
- TestAttr.delete_all
1163
- end
1164
-
1165
- def test_with_deep_has_many_if_permitted_to
1166
- reader = Authorization::Reader::DSLReader.new
1167
- reader.parse %{
1168
- authorization do
1169
- role :test_role do
1170
- has_permission_on :branches, :to => :read do
1171
- if_attribute :name => "A Branch"
1172
- end
1173
- has_permission_on :companies, :to => :read do
1174
- if_permitted_to :read, :test_attrs => :branch
1175
- end
1176
- end
1177
- end
1178
- }
1179
- Authorization::Engine.instance(reader)
1180
-
1181
- readable_company = Company.create!
1182
- readable_company.test_attrs.create!(:branch => Branch.create!(:name => "A Branch"))
1183
-
1184
- forbidden_company = Company.create!
1185
- forbidden_company.test_attrs.create!(:branch => Branch.create!(:name => "Different Branch"))
1186
-
1187
- user = MockUser.new(:test_role)
1188
- assert_equal 1, Company.with_permissions_to(:read, :user => user).length
1189
- Company.delete_all
1190
- Branch.delete_all
1191
- TestAttr.delete_all
1192
- end
1193
-
1194
- def test_with_if_permitted_to_and_empty_obligations
1195
- reader = Authorization::Reader::DSLReader.new
1196
- reader.parse %{
1197
- authorization do
1198
- role :test_role do
1199
- has_permission_on :test_models, :to => :read
1200
- has_permission_on :test_attrs, :to => :read do
1201
- if_permitted_to :read, :test_model
1202
- end
1203
- end
1204
- end
1205
- }
1206
- Authorization::Engine.instance(reader)
1207
-
1208
- test_model_1 = TestModel.create!
1209
- test_attr_1 = test_model_1.test_attrs.create!
1210
-
1211
- user = MockUser.new(:test_role)
1212
- assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
1213
- TestModel.delete_all
1214
- TestAttr.delete_all
1215
- end
1216
-
1217
- def test_with_if_permitted_to_nil
1218
- reader = Authorization::Reader::DSLReader.new
1219
- reader.parse %{
1220
- authorization do
1221
- role :test_role do
1222
- has_permission_on :test_models, :to => :read do
1223
- if_attribute :test_attrs => contains { user }
1224
- end
1225
- has_permission_on :test_attrs, :to => :read do
1226
- if_permitted_to :read, :test_model
1227
- end
1228
- end
1229
- end
1230
- }
1231
- Authorization::Engine.instance(reader)
1232
-
1233
- test_attr_1 = TestAttr.create!
1234
-
1235
- user = MockUser.new(:test_role, :id => test_attr_1.id)
1236
- assert_equal 0, TestAttr.with_permissions_to(:read, :user => user).length
1237
- TestAttr.delete_all
1238
- end
1239
-
1240
- def test_with_if_permitted_to_self
1241
- reader = Authorization::Reader::DSLReader.new
1242
- reader.parse %{
1243
- authorization do
1244
- role :test_role do
1245
- has_permission_on :test_models, :to => :read do
1246
- if_attribute :test_attrs => contains { user }
1247
- end
1248
- has_permission_on :test_models, :to => :update do
1249
- if_permitted_to :read
1250
- end
1251
- end
1252
- end
1253
- }
1254
- Authorization::Engine.instance(reader)
1255
-
1256
- test_model_1 = TestModel.create!
1257
- test_attr_1 = test_model_1.test_attrs.create!
1258
- test_attr_2 = TestAttr.create!
1259
-
1260
- user = MockUser.new(:test_role, :id => test_attr_1.id)
1261
- assert_equal 1, TestModel.with_permissions_to(:update, :user => user).length
1262
- TestAttr.delete_all
1263
- TestModel.delete_all
1264
- end
1265
-
1266
- def test_with_has_many_and_reoccuring_tables
1267
- reader = Authorization::Reader::DSLReader.new
1268
- reader.parse %{
1269
- authorization do
1270
- role :test_role do
1271
- has_permission_on :test_attrs, :to => :read do
1272
- if_attribute :test_another_model => { :content => 'test_1_2' },
1273
- :test_model => { :content => 'test_1_1' }
1274
- end
1275
- end
1276
- end
1277
- }
1278
- Authorization::Engine.instance(reader)
1279
-
1280
- test_attr_1 = TestAttr.create!(
1281
- :test_model => TestModel.create!(:content => 'test_1_1'),
1282
- :test_another_model => TestModel.create!(:content => 'test_1_2')
1283
- )
1284
- test_attr_2 = TestAttr.create!(
1285
- :test_model => TestModel.create!(:content => 'test_2_1'),
1286
- :test_another_model => TestModel.create!(:content => 'test_2_2')
1287
- )
1288
-
1289
- user = MockUser.new(:test_role)
1290
- assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
1291
- TestModel.delete_all
1292
- TestAttr.delete_all
1293
- end
1294
-
1295
- def test_with_ored_rules_and_reoccuring_tables
1296
- reader = Authorization::Reader::DSLReader.new
1297
- reader.parse %{
1298
- authorization do
1299
- role :test_role do
1300
- has_permission_on :test_attrs, :to => :read do
1301
- if_attribute :test_another_model => { :content => 'test_1_2' },
1302
- :test_model => { :content => 'test_1_1' }
1303
- end
1304
- has_permission_on :test_attrs, :to => :read do
1305
- if_attribute :test_another_model => { :content => 'test_2_2' },
1306
- :test_model => { :test_attrs => contains {user.test_attr} }
1307
- end
1308
- end
1309
- end
1310
- }
1311
- Authorization::Engine.instance(reader)
1312
-
1313
- test_attr_1 = TestAttr.create!(
1314
- :test_model => TestModel.create!(:content => 'test_1_1'),
1315
- :test_another_model => TestModel.create!(:content => 'test_1_2')
1316
- )
1317
- test_attr_2 = TestAttr.create!(
1318
- :test_model => TestModel.create!(:content => 'test_2_1'),
1319
- :test_another_model => TestModel.create!(:content => 'test_2_2')
1320
- )
1321
- test_attr_2.test_model.test_attrs.create!
1322
-
1323
- user = MockUser.new(:test_role, :test_attr => test_attr_2.test_model.test_attrs.last)
1324
- assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).references(:test_attrs, :test_models, :test_models_test_attrs, :test_attrs_test_models).length
1325
-
1326
- TestModel.delete_all
1327
- TestAttr.delete_all
1328
- end
1329
-
1330
- def test_with_many_ored_rules_and_reoccuring_tables
1331
- reader = Authorization::Reader::DSLReader.new
1332
- reader.parse %{
1333
- authorization do
1334
- role :test_role do
1335
- has_permission_on :test_attrs, :to => :read do
1336
- if_attribute :branch => { :company => { :country => {
1337
- :test_models => contains { user.test_model }
1338
- }} }
1339
- if_attribute :company => { :country => {
1340
- :test_models => contains { user.test_model }
1341
- }}
1342
- end
1343
- end
1344
- end
1345
- }
1346
- Authorization::Engine.instance(reader)
1347
-
1348
- country = Country.create!(:name => 'country_1')
1349
- country.test_models.create!
1350
- test_attr_1 = TestAttr.create!(
1351
- :branch => Branch.create!(:name => 'branch_1',
1352
- :company => Company.create!(:name => 'company_1',
1353
- :country => country))
1354
- )
1355
- test_attr_2 = TestAttr.create!(
1356
- :company => Company.create!(:name => 'company_2',
1357
- :country => country)
1358
- )
1359
-
1360
- user = MockUser.new(:test_role, :test_model => country.test_models.first)
1361
- assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).references(:test_attrs, :test_models, :test_models_countries).length
1362
-
1363
- TestModel.delete_all
1364
- TestAttr.delete_all
1365
- end
1366
- end
1367
-
1368
- class ModelTest < Test::Unit::TestCase
1369
- def test_permit_with_has_one_raises_no_name_error
1370
- reader = Authorization::Reader::DSLReader.new
1371
- reader.parse %{
1372
- authorization do :test_attr_has_one
1373
- role :test_role do
1374
- has_permission_on :test_attrs, :to => :update do
1375
- if_attribute :id => is { user.test_attr.id }
1376
- end
1377
- end
1378
- end
1379
- }
1380
- instance = Authorization::Engine.instance(reader)
1381
-
1382
- test_model = TestModel.create!
1383
- test_attr = test_model.create_test_attr_has_one
1384
- assert !test_attr.new_record?
1385
-
1386
- user = MockUser.new(:test_role, :test_attr => test_attr)
1387
-
1388
- assert_nothing_raised do
1389
- assert instance.permit?(:update, :user => user, :object => test_model.test_attr_has_one)
1390
- end
1391
-
1392
- TestModel.delete_all
1393
- TestAttr.delete_all
1394
- end
1395
-
1396
- def test_model_security_write_allowed
1397
- reader = Authorization::Reader::DSLReader.new
1398
- reader.parse %{
1399
- authorization do
1400
- role :test_role do
1401
- has_permission_on :test_model_security_models do
1402
- to :read, :create, :update, :delete
1403
- if_attribute :attr => is { 1 }
1404
- end
1405
- end
1406
- end
1407
- }
1408
- Authorization::Engine.instance(reader)
1409
-
1410
- Authorization.stub :current_user, MockUser.new(:test_role) do
1411
- assert(object = TestModelSecurityModel.create)
1412
-
1413
- assert_nothing_raised { object.update_attributes(:attr_2 => 2) }
1414
- object.reload
1415
- assert_equal 2, object.attr_2
1416
- object.destroy
1417
- assert_raise ActiveRecord::RecordNotFound do
1418
- TestModelSecurityModel.find(object.id)
1419
- end
1420
- end
1421
- end
1422
-
1423
- def test_model_security_write_not_allowed_no_privilege
1424
- reader = Authorization::Reader::DSLReader.new
1425
- reader.parse %{
1426
- authorization do
1427
- role :test_role do
1428
- has_permission_on :test_model_security_models do
1429
- to :read, :create, :update, :delete
1430
- if_attribute :attr => is { 1 }
1431
- end
1432
- end
1433
- role :test_role_restricted do
1434
- end
1435
- end
1436
- }
1437
- Authorization::Engine.instance(reader)
1438
-
1439
- Authorization.current_user = MockUser.new(:test_role)
1440
- assert(object = TestModelSecurityModel.create)
1441
-
1442
- Authorization.current_user = MockUser.new(:test_role_restricted)
1443
- assert_raise Authorization::NotAuthorized do
1444
- object.update_attributes(:attr_2 => 2)
1445
- end
1446
- end
1447
-
1448
- def test_model_security_write_not_allowed_wrong_attribute_value
1449
- reader = Authorization::Reader::DSLReader.new
1450
- reader.parse %{
1451
- authorization do
1452
- role :test_role_unrestricted do
1453
- has_permission_on :test_model_security_models do
1454
- to :read, :create, :update, :delete
1455
- end
1456
- end
1457
- role :test_role do
1458
- has_permission_on :test_model_security_models do
1459
- to :read, :create, :update, :delete
1460
- if_attribute :attr => is { 1 }
1461
- end
1462
- end
1463
- end
1464
- }
1465
- Authorization::Engine.instance(reader)
1466
-
1467
- Authorization.stub :current_user, MockUser.new(:test_role) do
1468
- assert(object = TestModelSecurityModel.create)
1469
- assert_raise Authorization::AttributeAuthorizationError do
1470
- TestModelSecurityModel.create :attr => 2
1471
- end
1472
- object = TestModelSecurityModel.create
1473
- assert_raise Authorization::AttributeAuthorizationError do
1474
- object.update_attributes(:attr => 2)
1475
- end
1476
- object.reload
1477
-
1478
- assert_nothing_raised do
1479
- object.update_attributes(:attr_2 => 1)
1480
- end
1481
- assert_raise Authorization::AttributeAuthorizationError do
1482
- object.update_attributes(:attr => 2)
1483
- end
1484
- end
1485
- end
1486
-
1487
- def test_model_security_with_and_without_find_restrictions
1488
- reader = Authorization::Reader::DSLReader.new
1489
- reader.parse %{
1490
- authorization do
1491
- role :test_role_unrestricted do
1492
- has_permission_on :test_model_security_models do
1493
- to :read, :create, :update, :delete
1494
- end
1495
- end
1496
- role :test_role do
1497
- has_permission_on :test_model_security_models do
1498
- to :read, :create, :update, :delete
1499
- if_attribute :attr => is { 1 }
1500
- end
1501
- end
1502
- end
1503
- }
1504
- Authorization::Engine.instance(reader)
1505
-
1506
- Authorization.current_user = MockUser.new(:test_role_unrestricted)
1507
- object = TestModelSecurityModel.create :attr => 2
1508
- object_with_find = TestModelSecurityModelWithFind.create :attr => 2
1509
-
1510
- Authorization.current_user = MockUser.new(:test_role)
1511
- assert_nothing_raised do
1512
- object.class.find(object.id)
1513
- end
1514
- assert_raise Authorization::AttributeAuthorizationError do
1515
- object_with_find.class.find(object_with_find.id)
1516
- end
1517
- end
1518
-
1519
- def test_model_security_with_read_restrictions_and_exists
1520
- reader = Authorization::Reader::DSLReader.new
1521
- reader.parse %{
1522
- authorization do
1523
- role :test_role do
1524
- has_permission_on :test_model_security_models do
1525
- to :read, :create, :update, :delete
1526
- if_attribute :test_attr => is { user.test_attr }
1527
- end
1528
- end
1529
- end
1530
- }
1531
- Authorization::Engine.instance(reader)
1532
-
1533
- test_attr = TestAttr.create
1534
- Authorization.stub :current_user, MockUser.new(:test_role, :test_attr => test_attr) do
1535
- object_with_find = TestModelSecurityModelWithFind.create :test_attr => test_attr
1536
- assert_nothing_raised do
1537
- object_with_find.class.find(object_with_find.id)
1538
- end
1539
- assert_equal 1, test_attr.test_model_security_model_with_finds.length
1540
- end
1541
- end
1542
-
1543
- def test_model_security_delete_unallowed
1544
- reader = Authorization::Reader::DSLReader.new
1545
- reader.parse %{
1546
- authorization do
1547
- role :test_role_unrestricted do
1548
- has_permission_on :test_model_security_models do
1549
- to :read, :create, :update, :delete
1550
- end
1551
- end
1552
- role :test_role do
1553
- has_permission_on :test_model_security_models do
1554
- to :read, :create, :update, :delete
1555
- if_attribute :attr => is { 1 }
1556
- end
1557
- end
1558
- end
1559
- }
1560
- Authorization::Engine.instance(reader)
1561
-
1562
- Authorization.current_user = MockUser.new(:test_role_unrestricted)
1563
- object = TestModelSecurityModel.create :attr => 2
1564
- Authorization.current_user = MockUser.new(:test_role)
1565
- assert_raise Authorization::AttributeAuthorizationError do
1566
- object.destroy
1567
- end
1568
- end
1569
-
1570
- def test_model_security_changing_critical_attribute_unallowed
1571
- reader = Authorization::Reader::DSLReader.new
1572
- reader.parse %{
1573
- authorization do
1574
- role :test_role_unrestricted do
1575
- has_permission_on :test_model_security_models do
1576
- to :read, :create, :update, :delete
1577
- end
1578
- end
1579
- role :test_role do
1580
- has_permission_on :test_model_security_models do
1581
- to :read, :create, :update, :delete
1582
- if_attribute :attr => is { 1 }
1583
- end
1584
- end
1585
- end
1586
- }
1587
- Authorization::Engine.instance(reader)
1588
-
1589
- Authorization.stub :current_user, MockUser.new(:test_role_unrestricted) do
1590
- object = TestModelSecurityModel.create :attr => 2
1591
- end
1592
- end
1593
-
1594
- def test_model_security_no_role_unallowed
1595
- reader = Authorization::Reader::DSLReader.new
1596
- reader.parse %{
1597
- authorization do
1598
- end
1599
- }
1600
- Authorization::Engine.instance(reader)
1601
-
1602
- Authorization.stub :current_user, MockUser.new(:test_role_2) do
1603
- assert_raise Authorization::NotAuthorized do
1604
- TestModelSecurityModel.create
1605
- end
1606
- end
1607
- end
1608
-
1609
- def test_model_security_with_assoc
1610
- reader = Authorization::Reader::DSLReader.new
1611
- reader.parse %{
1612
- authorization do
1613
- role :test_role do
1614
- has_permission_on :test_model_security_models do
1615
- to :create, :update, :delete
1616
- if_attribute :test_attrs => contains { user }
1617
- end
1618
- end
1619
- end
1620
- }
1621
- Authorization::Engine.instance(reader)
1622
-
1623
- test_attr = TestAttr.create
1624
- test_attr.role_symbols << :test_role
1625
- Authorization.stub :current_user, test_attr do
1626
- assert(object = TestModelSecurityModel.create(:test_attrs => [test_attr]))
1627
- assert_nothing_raised do
1628
- object.update_attributes(:attr_2 => 2)
1629
- end
1630
- without_access_control do
1631
- object.reload
1632
- end
1633
- assert_equal 2, object.attr_2
1634
- object.destroy
1635
- assert_raise ActiveRecord::RecordNotFound do
1636
- TestModelSecurityModel.find(object.id)
1637
- end
1638
- end
1639
- end
1640
-
1641
- def test_model_security_with_update_attrbributes
1642
- reader = Authorization::Reader::DSLReader.new
1643
- reader.parse %{
1644
- authorization do
1645
- role :test_role do
1646
- has_permission_on :test_model_security_models, :to => :update do
1647
- if_attribute :test_attrs => { :branch => is { user.branch }}
1648
- end
1649
- end
1650
- end
1651
- }
1652
- Authorization::Engine.instance(reader)
1653
-
1654
- params = {
1655
- :model_data => { :attr => 11 }
1656
- }
1657
-
1658
- test_attr = TestAttr.create!(:branch => Branch.create!)
1659
- test_model = without_access_control do
1660
- TestModelSecurityModel.create!(:test_attrs => [test_attr])
1661
- end
1662
-
1663
- with_user MockUser.new(:test_role, :branch => test_attr.branch) do
1664
- assert_nothing_raised do
1665
- test_model.update_attributes(params[:model_data])
1666
- end
1667
- end
1668
- without_access_control do
1669
- assert_equal params[:model_data][:attr], test_model.reload.attr
1670
- end
1671
-
1672
- TestAttr.delete_all
1673
- TestModelSecurityModel.delete_all
1674
- Branch.delete_all
1675
- end
1676
-
1677
- def test_using_access_control
1678
- assert !TestModel.using_access_control?
1679
- assert TestModelSecurityModel.using_access_control?
1680
- end
1681
-
1682
- def test_authorization_permit_association_proxy
1683
- reader = Authorization::Reader::DSLReader.new
1684
- reader.parse %{
1685
- authorization do
1686
- role :test_role do
1687
- has_permission_on :test_attrs, :to => :read do
1688
- if_attribute :test_model => {:content => "content" }
1689
- end
1690
- end
1691
- end
1692
- }
1693
- engine = Authorization::Engine.instance(reader)
1694
-
1695
- test_model = TestModel.create(:content => "content")
1696
- assert engine.permit?(:read, :object => test_model.test_attrs,
1697
- :user => MockUser.new(:test_role))
1698
- assert !engine.permit?(:read, :object => TestAttr.new,
1699
- :user => MockUser.new(:test_role))
1700
- TestModel.delete_all
1701
- end
1702
-
1703
- def test_authorization_permit_nested_association_proxy
1704
- reader = Authorization::Reader::DSLReader.new
1705
- reader.parse %{
1706
- authorization do
1707
- role :test_role do
1708
- has_permission_on :branches, :to => :read do
1709
- if_attribute :test_model => { :test_attrs => {:attr => 1 } }
1710
- end
1711
- end
1712
- end
1713
- }
1714
- engine = Authorization::Engine.instance(reader)
1715
-
1716
- test_model = TestModel.create!
1717
- test_model.test_attrs.create!(:attr => 0)
1718
- test_attr = test_model.test_attrs.create!(:attr => 1)
1719
- test_model.test_attrs.create!(:attr => 3)
1720
- test_branch = Branch.create!(:test_model => test_model)
1721
-
1722
- test_model_2 = TestModel.create!
1723
- test_attr_2 = test_model_2.test_attrs.create!(:attr => 2)
1724
- test_branch_2 = Branch.create!(:test_model => test_model_2)
1725
-
1726
- test_model_3 = TestModel.create!
1727
- test_branch_3 = Branch.create!(:test_model => test_model_3)
1728
-
1729
- assert engine.permit?(:read, :object => test_branch,
1730
- :user => MockUser.new(:test_role))
1731
- assert !engine.permit?(:read, :object => test_branch_2,
1732
- :user => MockUser.new(:test_role))
1733
- assert !engine.permit?(:read, :object => test_branch_3,
1734
- :user => MockUser.new(:test_role))
1735
- TestModel.delete_all
1736
- Branch.delete_all
1737
- TestAttr.delete_all
1738
- end
1739
-
1740
- def test_multiple_roles_with_has_many_through
1741
- reader = Authorization::Reader::DSLReader.new
1742
- reader.parse %{
1743
- authorization do
1744
- role :test_role_1 do
1745
- has_permission_on :test_models, :to => :read do
1746
- if_attribute :test_attr_throughs => contains {user.test_attr_through_id},
1747
- :content => 'test_1'
1748
- end
1749
- end
1750
-
1751
- role :test_role_2 do
1752
- has_permission_on :test_models, :to => :read do
1753
- if_attribute :test_attr_throughs_2 => contains {user.test_attr_through_2_id},
1754
- :content => 'test_2'
1755
- end
1756
- end
1757
- end
1758
- }
1759
- Authorization::Engine.instance(reader)
1760
- TestModel.delete_all
1761
- TestAttr.delete_all
1762
- TestAttrThrough.delete_all
1763
-
1764
- test_model_1 = TestModel.create! :content => 'test_1'
1765
- test_model_2 = TestModel.create! :content => 'test_2'
1766
- test_model_1.test_attrs.create!.test_attr_throughs.create!
1767
- test_model_2.test_attrs.create!.test_attr_throughs.create!
1768
-
1769
- user = MockUser.new(:test_role_1, :test_role_2,
1770
- :test_attr_through_id => test_model_1.test_attr_throughs.first.id,
1771
- :test_attr_through_2_id => test_model_2.test_attr_throughs.first.id)
1772
- assert_equal 2, TestModel.with_permissions_to(:read, :user => user).references(:test_models, :test_attr_throughs).length
1773
-
1774
- TestModel.delete_all
1775
- TestAttr.delete_all
1776
- TestAttrThrough.delete_all
1777
- end
1778
-
1779
- def test_model_permitted_to
1780
- reader = Authorization::Reader::DSLReader.new
1781
- reader.parse %{
1782
- authorization do
1783
- role :test_role do
1784
- has_permission_on :companies, :to => :read do
1785
- if_attribute :name => "company_1"
1786
- end
1787
- end
1788
- end
1789
- }
1790
- Authorization::Engine.instance(reader)
1791
-
1792
- user = MockUser.new(:test_role)
1793
- allowed_read_company = Company.new(:name => 'company_1')
1794
- prohibited_company = Company.new(:name => 'company_2')
1795
-
1796
- assert allowed_read_company.permitted_to?(:read, :user => user)
1797
- assert !allowed_read_company.permitted_to?(:update, :user => user)
1798
- assert !prohibited_company.permitted_to?(:read, :user => user)
1799
-
1800
- executed_block = false
1801
- allowed_read_company.permitted_to?(:read, :user => user) do
1802
- executed_block = true
1803
- end
1804
- assert executed_block
1805
-
1806
- executed_block = false
1807
- prohibited_company.permitted_to?(:read, :user => user) do
1808
- executed_block = true
1809
- end
1810
- assert !executed_block
1811
-
1812
- assert_nothing_raised do
1813
- allowed_read_company.permitted_to!(:read, :user => user)
1814
- end
1815
- assert_raise Authorization::NotAuthorized do
1816
- prohibited_company.permitted_to!(:update, :user => user)
1817
- end
1818
- assert_raise Authorization::AttributeAuthorizationError do
1819
- prohibited_company.permitted_to!(:read, :user => user)
1820
- end
1821
- end
1822
-
1823
- def test_model_permitted_to_with_modified_context
1824
- reader = Authorization::Reader::DSLReader.new
1825
- reader.parse %{
1826
- authorization do
1827
- role :test_role do
1828
- has_permission_on :companies, :to => :read
1829
- end
1830
- end
1831
- }
1832
- Authorization::Engine.instance(reader)
1833
-
1834
- user = MockUser.new(:test_role)
1835
- allowed_read_company = SmallCompany.new(:name => 'small_company_1')
1836
-
1837
- assert allowed_read_company.permitted_to?(:read, :user => user)
1838
- assert !allowed_read_company.permitted_to?(:update, :user => user)
1839
- end
1840
- end
1
+ require 'test_helper'
2
+ require File.join(File.dirname(__FILE__), %w{.. lib declarative_authorization in_model})
3
+
4
+ ActiveRecord::Base.send :include, Authorization::AuthorizationInModel
5
+ #ActiveRecord::Base.logger = Logger.new(STDOUT)
6
+
7
+ options = {:adapter => 'sqlite3', :timeout => 500, :database => ':memory:'}
8
+ ActiveRecord::Base.establish_connection(options)
9
+ ActiveRecord::Base.configurations = { 'sqlite3_ar_integration' => options }
10
+ ActiveRecord::Base.connection
11
+
12
+ File.read(File.dirname(__FILE__) + "/schema.sql").split(';').each do |sql|
13
+ ActiveRecord::Base.connection.execute(sql) unless sql.blank?
14
+ end
15
+
16
+ class TestModel < ActiveRecord::Base
17
+ has_many :test_attrs
18
+ has_many :test_another_attrs, :class_name => "TestAttr", :foreign_key => :test_another_model_id
19
+ has_many :test_attr_throughs, :through => :test_attrs
20
+ has_one :test_attr_has_one, :class_name => "TestAttr"
21
+ has_many :branches
22
+
23
+ has_many :test_attrs_with_attr,
24
+ lambda { where(:attr => 1) },
25
+ :class_name => "TestAttr"
26
+
27
+ has_many :test_attr_throughs_with_attr,
28
+ lambda { where("test_attrs.attr = 1") },
29
+ :through => :test_attrs,
30
+ :class_name => "TestAttrThrough", :source => :test_attr_throughs
31
+
32
+ has_one :test_attr_throughs_with_attr_and_has_one,
33
+ lambda { where("test_attrs.attr = 1") },
34
+ :through => :test_attrs,
35
+ :class_name => "TestAttrThrough",
36
+ :source => :test_attr_throughs
37
+
38
+ scope :with_content, lambda { where("test_models.content IS NOT NULL") }
39
+
40
+ # Primary key test
41
+ has_many :test_attrs_with_primary_id,
42
+ :class_name => "TestAttr",
43
+ :primary_key => :test_attr_through_id,
44
+ :foreign_key => :test_attr_through_id
45
+ has_many :test_attr_throughs_with_primary_id,
46
+ :through => :test_attrs_with_primary_id,
47
+ :class_name => "TestAttrThrough",
48
+ :source => :n_way_join_item
49
+
50
+ # for checking for unnecessary queries
51
+ mattr_accessor :query_count
52
+ def self.find(*args)
53
+ self.query_count ||= 0
54
+ self.query_count += 1
55
+ super(*args)
56
+ end
57
+ end
58
+
59
+ class NWayJoinItem < ActiveRecord::Base
60
+ has_many :test_attrs
61
+ has_many :others, :through => :test_attrs, :source => :n_way_join_item
62
+ end
63
+
64
+ class TestAttr < ActiveRecord::Base
65
+ belongs_to :test_model
66
+ belongs_to :test_another_model, :class_name => "TestModel", :foreign_key => :test_another_model_id
67
+ belongs_to :test_a_third_model, :class_name => "TestModel", :foreign_key => :test_a_third_model_id
68
+ belongs_to :n_way_join_item
69
+ belongs_to :test_attr
70
+ belongs_to :branch
71
+ belongs_to :company
72
+ has_many :test_attr_throughs
73
+ has_many :test_model_security_model_with_finds
74
+ attr_reader :role_symbols
75
+
76
+ def initialize(*args)
77
+ @role_symbols = []
78
+ super(*args)
79
+ end
80
+ end
81
+
82
+ class TestAttrThrough < ActiveRecord::Base
83
+ belongs_to :test_attr
84
+ end
85
+
86
+ class TestModelSecurityModel < ActiveRecord::Base
87
+ has_many :test_attrs
88
+ using_access_control
89
+ end
90
+ class TestModelSecurityModelWithFind < ActiveRecord::Base
91
+ self.table_name = 'test_model_security_models'
92
+
93
+ has_many :test_attrs
94
+ belongs_to :test_attr
95
+ using_access_control :include_read => true,
96
+ :context => :test_model_security_models
97
+ end
98
+
99
+ class Branch < ActiveRecord::Base
100
+ has_many :test_attrs
101
+ belongs_to :company
102
+ belongs_to :test_model
103
+ end
104
+ class Company < ActiveRecord::Base
105
+ has_many :test_attrs
106
+ has_many :branches
107
+ belongs_to :country
108
+ end
109
+ class SmallCompany < Company
110
+ def self.decl_auth_context
111
+ :companies
112
+ end
113
+ end
114
+ class Country < ActiveRecord::Base
115
+ has_many :test_models
116
+ has_many :companies
117
+ end
118
+
119
+ class NamedScopeModelTest < Test::Unit::TestCase
120
+ def test_multiple_deep_ored_belongs_to
121
+ reader = Authorization::Reader::DSLReader.new
122
+ reader.parse %{
123
+ authorization do
124
+ role :test_role do
125
+ has_permission_on :test_attrs, :to => :read do
126
+ if_attribute :test_model => {:test_attrs => contains {user}}
127
+ if_attribute :test_another_model => {:test_attrs => contains {user}}
128
+ end
129
+ end
130
+ end
131
+ }
132
+ Authorization::Engine.instance(reader)
133
+
134
+ test_model_1 = TestModel.create!
135
+ test_model_2 = TestModel.create!
136
+ test_attr_1 = TestAttr.create! :test_model_id => test_model_1.id,
137
+ :test_another_model_id => test_model_2.id
138
+
139
+ user = MockUser.new(:test_role, :id => test_attr_1)
140
+ assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).references(:test_attrs, :test_attrs_test_models, :test_attrs_test_models_2).length
141
+
142
+ TestAttr.delete_all
143
+ TestModel.delete_all
144
+ end
145
+
146
+ def test_with_belongs_to_and_has_many_with_contains
147
+ reader = Authorization::Reader::DSLReader.new
148
+ reader.parse %{
149
+ authorization do
150
+ role :test_role do
151
+ has_permission_on :test_attrs, :to => :read do
152
+ if_attribute :test_model => { :test_attrs => contains { user.test_attr_value } }
153
+ end
154
+ end
155
+ end
156
+ }
157
+ Authorization::Engine.instance(reader)
158
+
159
+ test_attr_1 = TestAttr.create!
160
+ test_model_1 = TestModel.create!
161
+ test_model_1.test_attrs.create!
162
+
163
+ user = MockUser.new(:test_role, :test_attr_value => test_model_1.test_attrs.first.id )
164
+ assert_equal 1, TestAttr.with_permissions_to( :read, :context => :test_attrs, :user => user ).length
165
+ assert_equal 1, TestAttr.with_permissions_to( :read, :user => user ).length
166
+ assert_raise Authorization::NotAuthorized do
167
+ TestAttr.with_permissions_to( :update_test_attrs, :user => user )
168
+ end
169
+ TestAttr.delete_all
170
+ TestModel.delete_all
171
+ end
172
+
173
+ def test_with_nested_has_many
174
+ reader = Authorization::Reader::DSLReader.new
175
+ reader.parse %{
176
+ authorization do
177
+ role :test_role do
178
+ has_permission_on :companies, :to => :read do
179
+ if_attribute :branches => { :test_attrs => { :attr => is { user.test_attr_value } } }
180
+ end
181
+ end
182
+ end
183
+ }
184
+ Authorization::Engine.instance(reader)
185
+
186
+ allowed_company = Company.create!
187
+ allowed_company.branches.create!.test_attrs.create!(:attr => 1)
188
+ allowed_company.branches.create!.test_attrs.create!(:attr => 2)
189
+
190
+ prohibited_company = Company.create!
191
+ prohibited_company.branches.create!.test_attrs.create!(:attr => 3)
192
+
193
+ user = MockUser.new(:test_role, :test_attr_value => 1)
194
+ prohibited_user = MockUser.new(:test_role, :test_attr_value => 4)
195
+ assert_equal 1, Company.with_permissions_to(:read, :user => user).length
196
+ assert_equal 0, Company.with_permissions_to(:read, :user => prohibited_user).length
197
+
198
+ Company.delete_all
199
+ Branch.delete_all
200
+ TestAttr.delete_all
201
+ end
202
+
203
+ def test_with_nested_has_many_through
204
+ reader = Authorization::Reader::DSLReader.new
205
+ reader.parse %{
206
+ authorization do
207
+ role :test_role do
208
+ has_permission_on :test_models, :to => :read do
209
+ if_attribute :test_attr_throughs => { :test_attr => { :attr => is { user.test_attr_value } } }
210
+ end
211
+ end
212
+ end
213
+ }
214
+ Authorization::Engine.instance(reader)
215
+ TestModel.delete_all
216
+ TestAttrThrough.delete_all
217
+ TestAttr.delete_all
218
+
219
+ allowed_model = TestModel.create!
220
+ allowed_model.test_attrs.create!(:attr => 1).test_attr_throughs.create!
221
+ allowed_model.test_attrs.create!(:attr => 2).test_attr_throughs.create!
222
+
223
+ prohibited_model = TestModel.create!
224
+ prohibited_model.test_attrs.create!(:attr => 3).test_attr_throughs.create!
225
+
226
+ user = MockUser.new(:test_role, :test_attr_value => 1)
227
+ prohibited_user = MockUser.new(:test_role, :test_attr_value => 4)
228
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
229
+ assert_equal 0, TestModel.with_permissions_to(:read, :user => prohibited_user).length
230
+
231
+ TestModel.delete_all
232
+ TestAttrThrough.delete_all
233
+ TestAttr.delete_all
234
+ end
235
+
236
+ def test_with_is
237
+ reader = Authorization::Reader::DSLReader.new
238
+ reader.parse %{
239
+ authorization do
240
+ role :test_role do
241
+ has_permission_on :test_models, :to => :read do
242
+ if_attribute :id => is { user.test_attr_value }
243
+ end
244
+ end
245
+ end
246
+ }
247
+ Authorization::Engine.instance(reader)
248
+
249
+ test_model_1 = TestModel.create!
250
+ TestModel.create!
251
+
252
+ user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
253
+ assert_equal 1, TestModel.with_permissions_to(:read,
254
+ :context => :test_models, :user => user).length
255
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
256
+ assert_raise Authorization::NotAuthorized do
257
+ TestModel.with_permissions_to(:update_test_models, :user => user)
258
+ end
259
+ TestModel.delete_all
260
+ end
261
+
262
+ def test_named_scope_on_proxy
263
+ reader = Authorization::Reader::DSLReader.new
264
+ reader.parse %{
265
+ authorization do
266
+ role :test_role do
267
+ has_permission_on :test_attrs, :to => :read do
268
+ if_attribute :id => is { user.test_attr_value }
269
+ end
270
+ end
271
+ end
272
+ }
273
+ Authorization::Engine.instance(reader)
274
+
275
+ test_model_1 = TestModel.create!
276
+ test_attr_1 = test_model_1.test_attrs.create!
277
+ test_model_1.test_attrs.create!
278
+ TestAttr.create!
279
+
280
+ user = MockUser.new(:test_role, :test_attr_value => test_attr_1.id)
281
+ assert_equal 1, test_model_1.test_attrs.with_permissions_to(:read, :user => user).length
282
+ TestModel.delete_all
283
+ TestAttr.delete_all
284
+ end
285
+
286
+ def test_named_scope_on_named_scope
287
+ reader = Authorization::Reader::DSLReader.new
288
+ reader.parse %{
289
+ authorization do
290
+ role :test_role do
291
+ has_permission_on :test_models, :to => :read do
292
+ if_attribute :test_attr_through_id => 1
293
+ end
294
+ has_permission_on :test_attrs, :to => :read do
295
+ if_permitted_to :read, :test_model
296
+ end
297
+ end
298
+ end
299
+ }
300
+ Authorization::Engine.instance(reader)
301
+
302
+ country = Country.create!
303
+ model_1 = TestModel.create!(:test_attr_through_id => 1, :content => "Content")
304
+ country.test_models << model_1
305
+ TestModel.create!(:test_attr_through_id => 1)
306
+ TestModel.create!(:test_attr_through_id => 2, :content => "Content")
307
+
308
+ user = MockUser.new(:test_role)
309
+
310
+ TestModel.query_count = 0
311
+ assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
312
+
313
+ TestModel.query_count = 0
314
+ assert_equal 1, TestModel.with_content.with_permissions_to(:read, :user => user).length
315
+
316
+ TestModel.query_count = 0
317
+ assert_equal 1, country.test_models.with_permissions_to(:read, :user => user).length
318
+
319
+ TestModel.delete_all
320
+ Country.delete_all
321
+ end
322
+
323
+ def test_with_modified_context
324
+ reader = Authorization::Reader::DSLReader.new
325
+ reader.parse %{
326
+ authorization do
327
+ role :test_role do
328
+ has_permission_on :companies, :to => :read do
329
+ if_attribute :id => is { user.test_company_id }
330
+ end
331
+ end
332
+ end
333
+ }
334
+ Authorization::Engine.instance(reader)
335
+
336
+ test_company = SmallCompany.create!
337
+
338
+ user = MockUser.new(:test_role, :test_company_id => test_company.id)
339
+ assert_equal 1, SmallCompany.with_permissions_to(:read,
340
+ :user => user).length
341
+ SmallCompany.delete_all
342
+ end
343
+
344
+ def test_with_is_nil
345
+ reader = Authorization::Reader::DSLReader.new
346
+ reader.parse %{
347
+ authorization do
348
+ role :test_role do
349
+ has_permission_on :test_models, :to => :read do
350
+ if_attribute :content => nil
351
+ end
352
+ end
353
+ role :test_role_not_nil do
354
+ has_permission_on :test_models, :to => :read do
355
+ if_attribute :content => is_not { nil }
356
+ end
357
+ end
358
+ end
359
+ }
360
+ Authorization::Engine.instance(reader)
361
+
362
+ test_model_1 = TestModel.create!
363
+ test_model_2 = TestModel.create! :content => "Content"
364
+
365
+ assert_equal test_model_1, TestModel.with_permissions_to(:read,
366
+ :context => :test_models, :user => MockUser.new(:test_role)).first
367
+ assert_equal test_model_2, TestModel.with_permissions_to(:read,
368
+ :context => :test_models, :user => MockUser.new(:test_role_not_nil)).first
369
+ TestModel.delete_all
370
+ end
371
+
372
+ def test_with_not_is
373
+ reader = Authorization::Reader::DSLReader.new
374
+ reader.parse %{
375
+ authorization do
376
+ role :test_role do
377
+ has_permission_on :test_models, :to => :read do
378
+ if_attribute :id => is_not { user.test_attr_value }
379
+ end
380
+ end
381
+ end
382
+ }
383
+ Authorization::Engine.instance(reader)
384
+ TestModel.delete_all
385
+
386
+ test_model_1 = TestModel.create!
387
+ TestModel.create!
388
+
389
+ user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
390
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
391
+ TestModel.delete_all
392
+ end
393
+
394
+ def test_with_lt
395
+ reader = Authorization::Reader::DSLReader.new
396
+ reader.parse %{
397
+ authorization do
398
+ role :test_role do
399
+ has_permission_on :test_models, :to => :read do
400
+ if_attribute :id => lt { user.test_attr_value }
401
+ end
402
+ end
403
+ end
404
+ }
405
+ Authorization::Engine.instance(reader)
406
+
407
+ test_model_1 = TestModel.create!
408
+ TestModel.create!
409
+
410
+ user = MockUser.new(:test_role, :test_attr_value => test_model_1.id + 1)
411
+ assert_equal 1, TestModel.with_permissions_to(:read,
412
+ :context => :test_models, :user => user).length
413
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
414
+ assert_raise Authorization::NotAuthorized do
415
+ TestModel.with_permissions_to(:update_test_models, :user => user)
416
+ end
417
+ TestModel.delete_all
418
+ end
419
+
420
+ def test_with_lte
421
+ reader = Authorization::Reader::DSLReader.new
422
+ reader.parse %{
423
+ authorization do
424
+ role :test_role do
425
+ has_permission_on :test_models, :to => :read do
426
+ if_attribute :id => lte { user.test_attr_value }
427
+ end
428
+ end
429
+ end
430
+ }
431
+ Authorization::Engine.instance(reader)
432
+
433
+ test_model_1 = TestModel.create!
434
+ 2.times { TestModel.create! }
435
+
436
+ user = MockUser.new(:test_role, :test_attr_value => test_model_1.id + 1)
437
+ assert_equal 2, TestModel.with_permissions_to(:read,
438
+ :context => :test_models, :user => user).length
439
+ assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
440
+ assert_raise Authorization::NotAuthorized do
441
+ TestModel.with_permissions_to(:update_test_models, :user => user)
442
+ end
443
+ TestModel.delete_all
444
+ end
445
+
446
+ def test_with_gt
447
+ reader = Authorization::Reader::DSLReader.new
448
+ reader.parse %{
449
+ authorization do
450
+ role :test_role do
451
+ has_permission_on :test_models, :to => :read do
452
+ if_attribute :id => gt { user.test_attr_value }
453
+ end
454
+ end
455
+ end
456
+ }
457
+ Authorization::Engine.instance(reader)
458
+
459
+ TestModel.create!
460
+ test_model_1 = TestModel.create!
461
+
462
+ user = MockUser.new(:test_role, :test_attr_value => test_model_1.id - 1)
463
+ assert_equal 1, TestModel.with_permissions_to(:read,
464
+ :context => :test_models, :user => user).length
465
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
466
+ assert_raise Authorization::NotAuthorized do
467
+ TestModel.with_permissions_to(:update_test_models, :user => user)
468
+ end
469
+ TestModel.delete_all
470
+ end
471
+
472
+ def test_with_gte
473
+ reader = Authorization::Reader::DSLReader.new
474
+ reader.parse %{
475
+ authorization do
476
+ role :test_role do
477
+ has_permission_on :test_models, :to => :read do
478
+ if_attribute :id => gte { user.test_attr_value }
479
+ end
480
+ end
481
+ end
482
+ }
483
+ Authorization::Engine.instance(reader)
484
+
485
+ 2.times { TestModel.create! }
486
+ test_model_1 = TestModel.create!
487
+
488
+ user = MockUser.new(:test_role, :test_attr_value => test_model_1.id - 1)
489
+ assert_equal 2, TestModel.with_permissions_to(:read,
490
+ :context => :test_models, :user => user).length
491
+ assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
492
+ assert_raise Authorization::NotAuthorized do
493
+ TestModel.with_permissions_to(:update_test_models, :user => user)
494
+ end
495
+ TestModel.delete_all
496
+ end
497
+
498
+ def test_with_empty_obligations
499
+ reader = Authorization::Reader::DSLReader.new
500
+ reader.parse %{
501
+ authorization do
502
+ role :test_role do
503
+ has_permission_on :test_models, :to => :read
504
+ end
505
+ end
506
+ }
507
+ Authorization::Engine.instance(reader)
508
+
509
+ TestModel.create!
510
+
511
+ user = MockUser.new(:test_role)
512
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
513
+ assert_raise Authorization::NotAuthorized do
514
+ TestModel.with_permissions_to(:update, :user => user)
515
+ end
516
+ TestModel.delete_all
517
+ end
518
+
519
+ def test_multiple_obligations
520
+ reader = Authorization::Reader::DSLReader.new
521
+ reader.parse %{
522
+ authorization do
523
+ role :test_role do
524
+ has_permission_on :test_models, :to => :read do
525
+ if_attribute :id => is { user.test_attr_value }
526
+ end
527
+ has_permission_on :test_models, :to => :read do
528
+ if_attribute :id => is { user.test_attr_value_2 }
529
+ end
530
+ end
531
+ end
532
+ }
533
+ Authorization::Engine.instance(reader)
534
+
535
+ test_model_1 = TestModel.create!
536
+ test_model_2 = TestModel.create!
537
+
538
+ user = MockUser.new(:test_role, :test_attr_value => test_model_1.id,
539
+ :test_attr_value_2 => test_model_2.id)
540
+ assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
541
+ TestModel.delete_all
542
+ end
543
+
544
+ def test_multiple_roles
545
+ reader = Authorization::Reader::DSLReader.new
546
+ reader.parse %{
547
+ authorization do
548
+ role :test_role do
549
+ has_permission_on :test_attrs, :to => :read do
550
+ if_attribute :attr => [1,2]
551
+ end
552
+ end
553
+
554
+ role :test_role_2 do
555
+ has_permission_on :test_attrs, :to => :read do
556
+ if_attribute :attr => [2,3]
557
+ end
558
+ end
559
+ end
560
+ }
561
+ Authorization::Engine.instance(reader)
562
+
563
+ TestAttr.create! :attr => 1
564
+ TestAttr.create! :attr => 2
565
+ TestAttr.create! :attr => 3
566
+
567
+ user = MockUser.new(:test_role)
568
+ assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).length
569
+ TestAttr.delete_all
570
+ end
571
+
572
+ def test_multiple_and_empty_obligations
573
+ reader = Authorization::Reader::DSLReader.new
574
+ reader.parse %{
575
+ authorization do
576
+ role :test_role do
577
+ has_permission_on :test_models, :to => :read do
578
+ if_attribute :id => is { user.test_attr_value }
579
+ end
580
+ has_permission_on :test_models, :to => :read
581
+ end
582
+ end
583
+ }
584
+ Authorization::Engine.instance(reader)
585
+
586
+ test_model_1 = TestModel.create!
587
+ TestModel.create!
588
+
589
+ user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
590
+ assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
591
+ TestModel.delete_all
592
+ end
593
+
594
+ def test_multiple_attributes
595
+ reader = Authorization::Reader::DSLReader.new
596
+ reader.parse %{
597
+ authorization do
598
+ role :test_role do
599
+ has_permission_on :test_models, :to => :read do
600
+ if_attribute :id => is { user.test_attr_value }, :content => "bla"
601
+ end
602
+ end
603
+ end
604
+ }
605
+ Authorization::Engine.instance(reader)
606
+
607
+ test_model_1 = TestModel.create! :content => 'bla'
608
+ TestModel.create! :content => 'bla'
609
+ TestModel.create!
610
+
611
+ user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
612
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
613
+ TestModel.delete_all
614
+ end
615
+
616
+ def test_multiple_belongs_to
617
+ reader = Authorization::Reader::DSLReader.new
618
+ reader.parse %{
619
+ authorization do
620
+ role :test_role do
621
+ has_permission_on :test_attrs, :to => :read do
622
+ if_attribute :test_model => is {user}
623
+ if_attribute :test_another_model => is {user}
624
+ end
625
+ end
626
+ end
627
+ }
628
+ Authorization::Engine.instance(reader)
629
+
630
+ test_attr_1 = TestAttr.create! :test_model_id => 1, :test_another_model_id => 2
631
+
632
+ user = MockUser.new(:test_role, :id => 1)
633
+ assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
634
+ TestAttr.delete_all
635
+ end
636
+
637
+ def test_with_is_and_priv_hierarchy
638
+ reader = Authorization::Reader::DSLReader.new
639
+ reader.parse %{
640
+ privileges do
641
+ privilege :read do
642
+ includes :list, :show
643
+ end
644
+ end
645
+ authorization do
646
+ role :test_role do
647
+ has_permission_on :test_models, :to => :read do
648
+ if_attribute :id => is { user.test_attr_value }
649
+ end
650
+ end
651
+ end
652
+ }
653
+ Authorization::Engine.instance(reader)
654
+
655
+ test_model_1 = TestModel.create!
656
+ TestModel.create!
657
+
658
+ user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
659
+ assert_equal 1, TestModel.with_permissions_to(:list,
660
+ :context => :test_models, :user => user).length
661
+ assert_equal 1, TestModel.with_permissions_to(:list, :user => user).length
662
+
663
+ TestModel.delete_all
664
+ end
665
+
666
+ def test_with_is_and_belongs_to
667
+ reader = Authorization::Reader::DSLReader.new
668
+ reader.parse %{
669
+ authorization do
670
+ role :test_role do
671
+ has_permission_on :test_attrs, :to => :read do
672
+ if_attribute :test_model => is { user.test_model }
673
+ end
674
+ end
675
+ end
676
+ }
677
+ Authorization::Engine.instance(reader)
678
+
679
+ test_model_1 = TestModel.create!
680
+ test_model_1.test_attrs.create!
681
+ TestModel.create!.test_attrs.create!
682
+
683
+ user = MockUser.new(:test_role, :test_model => test_model_1)
684
+ assert_equal 1, TestAttr.with_permissions_to(:read,
685
+ :context => :test_attrs, :user => user).length
686
+
687
+ TestModel.delete_all
688
+ TestAttr.delete_all
689
+ end
690
+
691
+ def test_with_deep_attribute
692
+ reader = Authorization::Reader::DSLReader.new
693
+ reader.parse %{
694
+ authorization do
695
+ role :test_role do
696
+ has_permission_on :test_attrs, :to => :read do
697
+ if_attribute :test_model => {:id => is { user.test_model_id } }
698
+ end
699
+ end
700
+ end
701
+ }
702
+ Authorization::Engine.instance(reader)
703
+
704
+ test_model_1 = TestModel.create!
705
+ test_model_1.test_attrs.create!
706
+ TestModel.create!.test_attrs.create!
707
+
708
+ user = MockUser.new(:test_role, :test_model_id => test_model_1.id)
709
+ assert_equal 1, TestAttr.with_permissions_to(:read,
710
+ :context => :test_attrs, :user => user).length
711
+
712
+ TestModel.delete_all
713
+ TestAttr.delete_all
714
+ end
715
+
716
+ def test_with_multiple_conditions
717
+ reader = Authorization::Reader::DSLReader.new
718
+ reader.parse %{
719
+ authorization do
720
+ role :test_role do
721
+ has_permission_on :test_attrs, :to => :read do
722
+ if_attribute :test_model => {:content => is { "pickle" } }
723
+ if_attribute :test_model => {:content => is { "hotdog" } }
724
+ end
725
+ end
726
+ end
727
+ }
728
+ Authorization::Engine.instance(reader)
729
+
730
+ test_model_1 = TestModel.create!(content: "pickle")
731
+ test_model_1.test_attrs.create!
732
+ TestModel.create!.test_attrs.create!
733
+
734
+ user = MockUser.new(:test_role, :test_model_id => test_model_1.id)
735
+ assert_equal 1, TestAttr.with_permissions_to(:read,
736
+ :context => :test_attrs, :user => user).length
737
+
738
+ TestModel.delete_all
739
+ TestAttr.delete_all
740
+ end
741
+
742
+ def test_with_anded_rules
743
+ reader = Authorization::Reader::DSLReader.new
744
+ reader.parse %{
745
+ authorization do
746
+ role :test_role do
747
+ has_permission_on :test_attrs, :to => :read, :join_by => :and do
748
+ if_attribute :test_model => is { user.test_model }
749
+ if_attribute :attr => 1
750
+ end
751
+ end
752
+ end
753
+ }
754
+ Authorization::Engine.instance(reader)
755
+
756
+ test_model_1 = TestModel.create!
757
+ test_model_1.test_attrs.create!(:attr => 1)
758
+ TestModel.create!.test_attrs.create!(:attr => 1)
759
+ TestModel.create!.test_attrs.create!
760
+
761
+ user = MockUser.new(:test_role, :test_model => test_model_1)
762
+ assert_equal 1, TestAttr.with_permissions_to(:read,
763
+ :context => :test_attrs, :user => user).length
764
+
765
+ TestModel.delete_all
766
+ TestAttr.delete_all
767
+ end
768
+
769
+ def test_with_contains
770
+ reader = Authorization::Reader::DSLReader.new
771
+ reader.parse %{
772
+ authorization do
773
+ role :test_role do
774
+ has_permission_on :test_models, :to => :read do
775
+ if_attribute :test_attrs => contains { user }
776
+ end
777
+ end
778
+ end
779
+ }
780
+ Authorization::Engine.instance(reader)
781
+
782
+ test_model_1 = TestModel.create!
783
+ test_model_2 = TestModel.create!
784
+ test_model_1.test_attrs.create!
785
+ test_model_1.test_attrs.create!
786
+ test_model_2.test_attrs.create!
787
+
788
+ user = MockUser.new(:test_role,
789
+ :id => test_model_1.test_attrs.first.id)
790
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
791
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).where(:id => test_model_1.id).length
792
+
793
+ TestModel.delete_all
794
+ TestAttr.delete_all
795
+ end
796
+
797
+ def test_with_does_not_contain
798
+ reader = Authorization::Reader::DSLReader.new
799
+ reader.parse %{
800
+ authorization do
801
+ role :test_role do
802
+ has_permission_on :test_models, :to => :read do
803
+ if_attribute :test_attrs => does_not_contain { user }
804
+ end
805
+ end
806
+ end
807
+ }
808
+ Authorization::Engine.instance(reader)
809
+
810
+ test_model_1 = TestModel.create!
811
+ test_model_2 = TestModel.create!
812
+ test_model_1.test_attrs.create!
813
+ test_model_2.test_attrs.create!
814
+
815
+ user = MockUser.new(:test_role,
816
+ :id => test_model_1.test_attrs.first.id)
817
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
818
+
819
+ TestModel.delete_all
820
+ TestAttr.delete_all
821
+ end
822
+
823
+ def test_with_contains_conditions
824
+ reader = Authorization::Reader::DSLReader.new
825
+ reader.parse %{
826
+ authorization do
827
+ role :test_role do
828
+ has_permission_on :test_models, :to => :read do
829
+ if_attribute :test_attrs_with_attr => contains { user }
830
+ end
831
+ end
832
+ end
833
+ }
834
+ Authorization::Engine.instance(reader)
835
+
836
+ test_model_1 = TestModel.create!
837
+ test_model_2 = TestModel.create!
838
+ test_model_1.test_attrs_with_attr.create!
839
+ test_model_1.test_attrs.create!(:attr => 2)
840
+ test_model_2.test_attrs_with_attr.create!
841
+ test_model_2.test_attrs.create!(:attr => 2)
842
+
843
+ #assert_equal 1, test_model_1.test_attrs_with_attr.length
844
+ user = MockUser.new(:test_role,
845
+ :id => test_model_1.test_attrs.first.id)
846
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
847
+ user = MockUser.new(:test_role,
848
+ :id => test_model_1.test_attrs.last.id)
849
+ assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
850
+
851
+ TestModel.delete_all
852
+ TestAttr.delete_all
853
+ end
854
+
855
+ def test_with_contains_through_primary_key
856
+ reader = Authorization::Reader::DSLReader.new
857
+ reader.parse %{
858
+ authorization do
859
+ role :test_role do
860
+ has_permission_on :test_models, :to => :read do
861
+ if_attribute :test_attr_throughs_with_primary_id => contains { user }
862
+ end
863
+ end
864
+ end
865
+ }
866
+ Authorization::Engine.instance(reader)
867
+ TestModel.delete_all
868
+ TestAttrThrough.delete_all
869
+ TestAttr.delete_all
870
+
871
+ test_attr_through_1 = TestAttrThrough.create!
872
+ test_item = NWayJoinItem.create!
873
+ test_model_1 = TestModel.create!(:test_attr_through_id => test_attr_through_1.id)
874
+ test_attr_1 = TestAttr.create!(:test_attr_through_id => test_attr_through_1.id,
875
+ :n_way_join_item_id => test_item.id)
876
+
877
+ user = MockUser.new(:test_role,
878
+ :id => test_attr_through_1.id)
879
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
880
+
881
+ TestModel.delete_all
882
+ TestAttrThrough.delete_all
883
+ TestAttr.delete_all
884
+ end
885
+
886
+ def test_with_intersects_with
887
+ reader = Authorization::Reader::DSLReader.new
888
+ reader.parse %{
889
+ authorization do
890
+ role :test_role do
891
+ has_permission_on :test_models, :to => :read do
892
+ if_attribute :test_attrs => intersects_with { user.test_attrs }
893
+ end
894
+ end
895
+ end
896
+ }
897
+ Authorization::Engine.instance(reader)
898
+
899
+ test_model_1 = TestModel.create!
900
+ test_model_2 = TestModel.create!
901
+ test_model_1.test_attrs.create!
902
+ test_model_1.test_attrs.create!
903
+ test_model_1.test_attrs.create!
904
+ test_model_2.test_attrs.create!
905
+
906
+ user = MockUser.new(:test_role,
907
+ :test_attrs => [test_model_1.test_attrs.first, TestAttr.create!])
908
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
909
+
910
+ user = MockUser.new(:test_role,
911
+ :test_attrs => [TestAttr.create!])
912
+ assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
913
+
914
+ TestModel.delete_all
915
+ TestAttr.delete_all
916
+ end
917
+
918
+ def test_with_is_and_has_one
919
+ reader = Authorization::Reader::DSLReader.new
920
+ reader.parse %{
921
+ authorization do :test_attr_has_one
922
+ role :test_role do
923
+ has_permission_on :test_models, :to => :read do
924
+ if_attribute :test_attr_has_one => is { user.test_attr }
925
+ end
926
+ end
927
+ end
928
+ }
929
+ Authorization::Engine.instance(reader)
930
+
931
+ test_model_1 = TestModel.create!
932
+ test_attr_1 = test_model_1.test_attrs.create!
933
+ TestModel.create!.test_attrs.create!
934
+
935
+ user = MockUser.new(:test_role, :test_attr => test_attr_1)
936
+ assert_equal 1, TestModel.with_permissions_to(:read,
937
+ :context => :test_models, :user => user).length
938
+
939
+ TestModel.delete_all
940
+ TestAttr.delete_all
941
+ end
942
+
943
+ def test_with_is_in
944
+ reader = Authorization::Reader::DSLReader.new
945
+ reader.parse %{
946
+ authorization do
947
+ role :test_role do
948
+ has_permission_on :test_attrs, :to => :read do
949
+ if_attribute :test_model => is_in { [user.test_model, user.test_model_2] }
950
+ end
951
+ end
952
+ end
953
+ }
954
+ Authorization::Engine.instance(reader)
955
+
956
+ test_model_1 = TestModel.create!
957
+ test_model_2 = TestModel.create!
958
+ test_model_1.test_attrs.create!
959
+ TestModel.create!.test_attrs.create!
960
+
961
+ user = MockUser.new(:test_role, :test_model => test_model_1,
962
+ :test_model_2 => test_model_2)
963
+ assert_equal 1, TestAttr.with_permissions_to(:read,
964
+ :context => :test_attrs, :user => user).length
965
+
966
+ TestModel.delete_all
967
+ TestAttr.delete_all
968
+ end
969
+
970
+ def test_with_not_is_in
971
+ reader = Authorization::Reader::DSLReader.new
972
+ reader.parse %{
973
+ authorization do
974
+ role :test_role do
975
+ has_permission_on :test_attrs, :to => :read do
976
+ if_attribute :test_model => is_not_in { [user.test_model, user.test_model_2] }
977
+ end
978
+ end
979
+ end
980
+ }
981
+ Authorization::Engine.instance(reader)
982
+ TestModel.delete_all
983
+ TestAttr.delete_all
984
+
985
+ test_model_1 = TestModel.create!
986
+ test_model_2 = TestModel.create!
987
+ test_model_1.test_attrs.create!
988
+ TestModel.create!.test_attrs.create!
989
+
990
+ user = MockUser.new(:test_role, :test_model => test_model_1,
991
+ :test_model_2 => test_model_2)
992
+ assert_equal 1, TestAttr.with_permissions_to(:read,
993
+ :context => :test_attrs, :user => user).length
994
+
995
+ TestModel.delete_all
996
+ TestAttr.delete_all
997
+ end
998
+
999
+ def test_with_if_permitted_to
1000
+ reader = Authorization::Reader::DSLReader.new
1001
+ reader.parse %{
1002
+ authorization do
1003
+ role :test_role do
1004
+ has_permission_on :test_models, :to => :read do
1005
+ if_attribute :test_attrs => contains { user }
1006
+ end
1007
+ has_permission_on :test_attrs, :to => :read do
1008
+ if_permitted_to :read, :test_model
1009
+ end
1010
+ end
1011
+ end
1012
+ }
1013
+ Authorization::Engine.instance(reader)
1014
+
1015
+ test_model_1 = TestModel.create!
1016
+ test_attr_1 = test_model_1.test_attrs.create!
1017
+
1018
+ user = MockUser.new(:test_role, :id => test_attr_1.id)
1019
+ assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
1020
+ TestModel.delete_all
1021
+ TestAttr.delete_all
1022
+ end
1023
+
1024
+ def test_with_anded_if_permitted_to
1025
+ reader = Authorization::Reader::DSLReader.new
1026
+ reader.parse %{
1027
+ authorization do
1028
+ role :base_role do
1029
+ has_permission_on :test_attrs, :to => :read, :join_by => :and do
1030
+ if_permitted_to :read, :test_model
1031
+ if_attribute :attr => 1
1032
+ end
1033
+ end
1034
+ role :first_role do
1035
+ includes :base_role
1036
+ has_permission_on :test_models, :to => :read do
1037
+ if_attribute :content => "first test"
1038
+ end
1039
+ end
1040
+ role :second_role do
1041
+ includes :base_role
1042
+ has_permission_on :test_models, :to => :read do
1043
+ if_attribute :country_id => 2
1044
+ end
1045
+ end
1046
+ end
1047
+ }
1048
+ Authorization::Engine.instance(reader)
1049
+
1050
+ test_model_1 = TestModel.create!(:content => "first test")
1051
+ test_model_1.test_attrs.create!(:attr => 1)
1052
+ test_model_for_second_role = TestModel.create!(:country_id => 2)
1053
+ test_model_for_second_role.test_attrs.create!(:attr => 1)
1054
+ test_model_for_second_role.test_attrs.create!(:attr => 2)
1055
+
1056
+ user = MockUser.new(:first_role)
1057
+ assert Authorization::Engine.instance.permit?(:read, :object => test_model_1.test_attrs.first, :user => user)
1058
+ assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
1059
+
1060
+ user_with_both_roles = MockUser.new(:first_role, :second_role)
1061
+ assert Authorization::Engine.instance.permit?(:read, :object => test_model_1.test_attrs.first, :user => user_with_both_roles)
1062
+ assert Authorization::Engine.instance.permit?(:read, :object => test_model_for_second_role.test_attrs.first, :user => user_with_both_roles)
1063
+ assert_equal 2, TestAttr.with_permissions_to(:read, :user => user_with_both_roles).references(:test_attrs, :test_models).length
1064
+
1065
+ TestModel.delete_all
1066
+ TestAttr.delete_all
1067
+ end
1068
+
1069
+ def test_with_if_permitted_to_with_no_child_permissions
1070
+ reader = Authorization::Reader::DSLReader.new
1071
+ reader.parse %{
1072
+ authorization do
1073
+ role :another_role do
1074
+ has_permission_on :test_models, :to => :read do
1075
+ if_attribute :test_attrs => contains { user }
1076
+ end
1077
+ end
1078
+ role :additional_if_attribute do
1079
+ has_permission_on :test_attrs, :to => :read do
1080
+ if_permitted_to :read, :test_model
1081
+ if_attribute :test_model => {:test_attrs => contains { user }}
1082
+ end
1083
+ end
1084
+ role :only_permitted_to do
1085
+ has_permission_on :test_attrs, :to => :read do
1086
+ if_permitted_to :read, :test_model
1087
+ end
1088
+ end
1089
+ end
1090
+ }
1091
+ Authorization::Engine.instance(reader)
1092
+
1093
+ test_model_1 = TestModel.create!
1094
+ test_attr_1 = test_model_1.test_attrs.create!
1095
+
1096
+ user = MockUser.new(:only_permitted_to, :another_role, :id => test_attr_1.id)
1097
+ also_allowed_user = MockUser.new(:additional_if_attribute, :id => test_attr_1.id)
1098
+ non_allowed_user = MockUser.new(:only_permitted_to, :id => test_attr_1.id)
1099
+
1100
+ assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
1101
+ assert_equal 1, TestAttr.with_permissions_to(:read, :user => also_allowed_user).length
1102
+ assert_raise Authorization::NotAuthorized do
1103
+ TestAttr.with_permissions_to(:read, :user => non_allowed_user).find(:all)
1104
+ end
1105
+
1106
+ TestModel.delete_all
1107
+ TestAttr.delete_all
1108
+ end
1109
+
1110
+ def test_with_if_permitted_to_with_context_from_model
1111
+ reader = Authorization::Reader::DSLReader.new
1112
+ reader.parse %{
1113
+ authorization do
1114
+ role :test_role do
1115
+ has_permission_on :test_models, :to => :read do
1116
+ if_attribute :test_another_attrs => contains { user }
1117
+ end
1118
+ has_permission_on :test_attrs, :to => :read do
1119
+ if_permitted_to :read, :test_another_model
1120
+ end
1121
+ end
1122
+ end
1123
+ }
1124
+ Authorization::Engine.instance(reader)
1125
+
1126
+ test_model_1 = TestModel.create!
1127
+ test_attr_1 = test_model_1.test_another_attrs.create!
1128
+
1129
+ user = MockUser.new(:test_role, :id => test_attr_1.id)
1130
+ non_allowed_user = MockUser.new(:test_role, :id => 111)
1131
+
1132
+ assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
1133
+ assert_equal 0, TestAttr.with_permissions_to(:read, :user => non_allowed_user).length
1134
+ TestModel.delete_all
1135
+ TestAttr.delete_all
1136
+ end
1137
+
1138
+ def test_with_has_many_if_permitted_to
1139
+ reader = Authorization::Reader::DSLReader.new
1140
+ reader.parse %{
1141
+ authorization do
1142
+ role :test_role do
1143
+ has_permission_on :test_models, :to => :read do
1144
+ if_permitted_to :read, :test_attrs
1145
+ end
1146
+ has_permission_on :test_attrs, :to => :read do
1147
+ if_attribute :attr => is { user.id }
1148
+ end
1149
+ end
1150
+ end
1151
+ }
1152
+ Authorization::Engine.instance(reader)
1153
+
1154
+ test_model_1 = TestModel.create!
1155
+ test_attr_1 = test_model_1.test_attrs.create!(:attr => 111)
1156
+
1157
+ user = MockUser.new(:test_role, :id => test_attr_1.attr)
1158
+ non_allowed_user = MockUser.new(:test_role, :id => 333)
1159
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
1160
+ assert_equal 0, TestModel.with_permissions_to(:read, :user => non_allowed_user).length
1161
+ TestModel.delete_all
1162
+ TestAttr.delete_all
1163
+ end
1164
+
1165
+ def test_with_deep_has_many_if_permitted_to
1166
+ reader = Authorization::Reader::DSLReader.new
1167
+ reader.parse %{
1168
+ authorization do
1169
+ role :test_role do
1170
+ has_permission_on :branches, :to => :read do
1171
+ if_attribute :name => "A Branch"
1172
+ end
1173
+ has_permission_on :companies, :to => :read do
1174
+ if_permitted_to :read, :test_attrs => :branch
1175
+ end
1176
+ end
1177
+ end
1178
+ }
1179
+ Authorization::Engine.instance(reader)
1180
+
1181
+ readable_company = Company.create!
1182
+ readable_company.test_attrs.create!(:branch => Branch.create!(:name => "A Branch"))
1183
+
1184
+ forbidden_company = Company.create!
1185
+ forbidden_company.test_attrs.create!(:branch => Branch.create!(:name => "Different Branch"))
1186
+
1187
+ user = MockUser.new(:test_role)
1188
+ assert_equal 1, Company.with_permissions_to(:read, :user => user).length
1189
+ Company.delete_all
1190
+ Branch.delete_all
1191
+ TestAttr.delete_all
1192
+ end
1193
+
1194
+ def test_with_if_permitted_to_and_empty_obligations
1195
+ reader = Authorization::Reader::DSLReader.new
1196
+ reader.parse %{
1197
+ authorization do
1198
+ role :test_role do
1199
+ has_permission_on :test_models, :to => :read
1200
+ has_permission_on :test_attrs, :to => :read do
1201
+ if_permitted_to :read, :test_model
1202
+ end
1203
+ end
1204
+ end
1205
+ }
1206
+ Authorization::Engine.instance(reader)
1207
+
1208
+ test_model_1 = TestModel.create!
1209
+ test_attr_1 = test_model_1.test_attrs.create!
1210
+
1211
+ user = MockUser.new(:test_role)
1212
+ assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
1213
+ TestModel.delete_all
1214
+ TestAttr.delete_all
1215
+ end
1216
+
1217
+ def test_with_if_permitted_to_nil
1218
+ reader = Authorization::Reader::DSLReader.new
1219
+ reader.parse %{
1220
+ authorization do
1221
+ role :test_role do
1222
+ has_permission_on :test_models, :to => :read do
1223
+ if_attribute :test_attrs => contains { user }
1224
+ end
1225
+ has_permission_on :test_attrs, :to => :read do
1226
+ if_permitted_to :read, :test_model
1227
+ end
1228
+ end
1229
+ end
1230
+ }
1231
+ Authorization::Engine.instance(reader)
1232
+
1233
+ test_attr_1 = TestAttr.create!
1234
+
1235
+ user = MockUser.new(:test_role, :id => test_attr_1.id)
1236
+ assert_equal 0, TestAttr.with_permissions_to(:read, :user => user).length
1237
+ TestAttr.delete_all
1238
+ end
1239
+
1240
+ def test_with_if_permitted_to_self
1241
+ reader = Authorization::Reader::DSLReader.new
1242
+ reader.parse %{
1243
+ authorization do
1244
+ role :test_role do
1245
+ has_permission_on :test_models, :to => :read do
1246
+ if_attribute :test_attrs => contains { user }
1247
+ end
1248
+ has_permission_on :test_models, :to => :update do
1249
+ if_permitted_to :read
1250
+ end
1251
+ end
1252
+ end
1253
+ }
1254
+ Authorization::Engine.instance(reader)
1255
+
1256
+ test_model_1 = TestModel.create!
1257
+ test_attr_1 = test_model_1.test_attrs.create!
1258
+ test_attr_2 = TestAttr.create!
1259
+
1260
+ user = MockUser.new(:test_role, :id => test_attr_1.id)
1261
+ assert_equal 1, TestModel.with_permissions_to(:update, :user => user).length
1262
+ TestAttr.delete_all
1263
+ TestModel.delete_all
1264
+ end
1265
+
1266
+ def test_with_has_many_and_reoccuring_tables
1267
+ reader = Authorization::Reader::DSLReader.new
1268
+ reader.parse %{
1269
+ authorization do
1270
+ role :test_role do
1271
+ has_permission_on :test_attrs, :to => :read do
1272
+ if_attribute :test_another_model => { :content => 'test_1_2' },
1273
+ :test_model => { :content => 'test_1_1' }
1274
+ end
1275
+ end
1276
+ end
1277
+ }
1278
+ Authorization::Engine.instance(reader)
1279
+
1280
+ test_attr_1 = TestAttr.create!(
1281
+ :test_model => TestModel.create!(:content => 'test_1_1'),
1282
+ :test_another_model => TestModel.create!(:content => 'test_1_2')
1283
+ )
1284
+ test_attr_2 = TestAttr.create!(
1285
+ :test_model => TestModel.create!(:content => 'test_2_1'),
1286
+ :test_another_model => TestModel.create!(:content => 'test_2_2')
1287
+ )
1288
+
1289
+ user = MockUser.new(:test_role)
1290
+ assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
1291
+ TestModel.delete_all
1292
+ TestAttr.delete_all
1293
+ end
1294
+
1295
+ def test_with_ored_rules_and_reoccuring_tables
1296
+ reader = Authorization::Reader::DSLReader.new
1297
+ reader.parse %{
1298
+ authorization do
1299
+ role :test_role do
1300
+ has_permission_on :test_attrs, :to => :read do
1301
+ if_attribute :test_another_model => { :content => 'test_1_2' },
1302
+ :test_model => { :content => 'test_1_1' }
1303
+ end
1304
+ has_permission_on :test_attrs, :to => :read do
1305
+ if_attribute :test_another_model => { :content => 'test_2_2' },
1306
+ :test_model => { :test_attrs => contains {user.test_attr} }
1307
+ end
1308
+ end
1309
+ end
1310
+ }
1311
+ Authorization::Engine.instance(reader)
1312
+
1313
+ test_attr_1 = TestAttr.create!(
1314
+ :test_model => TestModel.create!(:content => 'test_1_1'),
1315
+ :test_another_model => TestModel.create!(:content => 'test_1_2')
1316
+ )
1317
+ test_attr_2 = TestAttr.create!(
1318
+ :test_model => TestModel.create!(:content => 'test_2_1'),
1319
+ :test_another_model => TestModel.create!(:content => 'test_2_2')
1320
+ )
1321
+ test_attr_2.test_model.test_attrs.create!
1322
+
1323
+ user = MockUser.new(:test_role, :test_attr => test_attr_2.test_model.test_attrs.last)
1324
+ assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).references(:test_attrs, :test_models, :test_models_test_attrs, :test_attrs_test_models).length
1325
+
1326
+ TestModel.delete_all
1327
+ TestAttr.delete_all
1328
+ end
1329
+
1330
+ def test_with_many_ored_rules_and_reoccuring_tables
1331
+ reader = Authorization::Reader::DSLReader.new
1332
+ reader.parse %{
1333
+ authorization do
1334
+ role :test_role do
1335
+ has_permission_on :test_attrs, :to => :read do
1336
+ if_attribute :branch => { :company => { :country => {
1337
+ :test_models => contains { user.test_model }
1338
+ }} }
1339
+ if_attribute :company => { :country => {
1340
+ :test_models => contains { user.test_model }
1341
+ }}
1342
+ end
1343
+ end
1344
+ end
1345
+ }
1346
+ Authorization::Engine.instance(reader)
1347
+
1348
+ country = Country.create!(:name => 'country_1')
1349
+ country.test_models.create!
1350
+ test_attr_1 = TestAttr.create!(
1351
+ :branch => Branch.create!(:name => 'branch_1',
1352
+ :company => Company.create!(:name => 'company_1',
1353
+ :country => country))
1354
+ )
1355
+ test_attr_2 = TestAttr.create!(
1356
+ :company => Company.create!(:name => 'company_2',
1357
+ :country => country)
1358
+ )
1359
+
1360
+ user = MockUser.new(:test_role, :test_model => country.test_models.first)
1361
+ assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).references(:test_attrs, :test_models, :test_models_countries).length
1362
+
1363
+ TestModel.delete_all
1364
+ TestAttr.delete_all
1365
+ end
1366
+ end
1367
+
1368
+ class ModelTest < Test::Unit::TestCase
1369
+ def test_permit_with_has_one_raises_no_name_error
1370
+ reader = Authorization::Reader::DSLReader.new
1371
+ reader.parse %{
1372
+ authorization do :test_attr_has_one
1373
+ role :test_role do
1374
+ has_permission_on :test_attrs, :to => :update do
1375
+ if_attribute :id => is { user.test_attr.id }
1376
+ end
1377
+ end
1378
+ end
1379
+ }
1380
+ instance = Authorization::Engine.instance(reader)
1381
+
1382
+ test_model = TestModel.create!
1383
+ test_attr = test_model.create_test_attr_has_one
1384
+ assert !test_attr.new_record?
1385
+
1386
+ user = MockUser.new(:test_role, :test_attr => test_attr)
1387
+
1388
+ assert_nothing_raised do
1389
+ assert instance.permit?(:update, :user => user, :object => test_model.test_attr_has_one)
1390
+ end
1391
+
1392
+ TestModel.delete_all
1393
+ TestAttr.delete_all
1394
+ end
1395
+
1396
+ def test_model_security_write_allowed
1397
+ reader = Authorization::Reader::DSLReader.new
1398
+ reader.parse %{
1399
+ authorization do
1400
+ role :test_role do
1401
+ has_permission_on :test_model_security_models do
1402
+ to :read, :create, :update, :delete
1403
+ if_attribute :attr => is { 1 }
1404
+ end
1405
+ end
1406
+ end
1407
+ }
1408
+ Authorization::Engine.instance(reader)
1409
+
1410
+ Authorization.stub :current_user, MockUser.new(:test_role) do
1411
+ assert(object = TestModelSecurityModel.create)
1412
+
1413
+ assert_nothing_raised { object.update_attributes(:attr_2 => 2) }
1414
+ object.reload
1415
+ assert_equal 2, object.attr_2
1416
+ object.destroy
1417
+ assert_raise ActiveRecord::RecordNotFound do
1418
+ TestModelSecurityModel.find(object.id)
1419
+ end
1420
+ end
1421
+ end
1422
+
1423
+ def test_model_security_write_not_allowed_no_privilege
1424
+ reader = Authorization::Reader::DSLReader.new
1425
+ reader.parse %{
1426
+ authorization do
1427
+ role :test_role do
1428
+ has_permission_on :test_model_security_models do
1429
+ to :read, :create, :update, :delete
1430
+ if_attribute :attr => is { 1 }
1431
+ end
1432
+ end
1433
+ role :test_role_restricted do
1434
+ end
1435
+ end
1436
+ }
1437
+ Authorization::Engine.instance(reader)
1438
+
1439
+ Authorization.current_user = MockUser.new(:test_role)
1440
+ assert(object = TestModelSecurityModel.create)
1441
+
1442
+ Authorization.current_user = MockUser.new(:test_role_restricted)
1443
+ assert_raise Authorization::NotAuthorized do
1444
+ object.update_attributes(:attr_2 => 2)
1445
+ end
1446
+ end
1447
+
1448
+ def test_model_security_write_not_allowed_wrong_attribute_value
1449
+ reader = Authorization::Reader::DSLReader.new
1450
+ reader.parse %{
1451
+ authorization do
1452
+ role :test_role_unrestricted do
1453
+ has_permission_on :test_model_security_models do
1454
+ to :read, :create, :update, :delete
1455
+ end
1456
+ end
1457
+ role :test_role do
1458
+ has_permission_on :test_model_security_models do
1459
+ to :read, :create, :update, :delete
1460
+ if_attribute :attr => is { 1 }
1461
+ end
1462
+ end
1463
+ end
1464
+ }
1465
+ Authorization::Engine.instance(reader)
1466
+
1467
+ Authorization.stub :current_user, MockUser.new(:test_role) do
1468
+ assert(object = TestModelSecurityModel.create)
1469
+ assert_raise Authorization::AttributeAuthorizationError do
1470
+ TestModelSecurityModel.create :attr => 2
1471
+ end
1472
+ object = TestModelSecurityModel.create
1473
+ assert_raise Authorization::AttributeAuthorizationError do
1474
+ object.update_attributes(:attr => 2)
1475
+ end
1476
+ object.reload
1477
+
1478
+ assert_nothing_raised do
1479
+ object.update_attributes(:attr_2 => 1)
1480
+ end
1481
+ assert_raise Authorization::AttributeAuthorizationError do
1482
+ object.update_attributes(:attr => 2)
1483
+ end
1484
+ end
1485
+ end
1486
+
1487
+ def test_model_security_with_and_without_find_restrictions
1488
+ reader = Authorization::Reader::DSLReader.new
1489
+ reader.parse %{
1490
+ authorization do
1491
+ role :test_role_unrestricted do
1492
+ has_permission_on :test_model_security_models do
1493
+ to :read, :create, :update, :delete
1494
+ end
1495
+ end
1496
+ role :test_role do
1497
+ has_permission_on :test_model_security_models do
1498
+ to :read, :create, :update, :delete
1499
+ if_attribute :attr => is { 1 }
1500
+ end
1501
+ end
1502
+ end
1503
+ }
1504
+ Authorization::Engine.instance(reader)
1505
+
1506
+ Authorization.current_user = MockUser.new(:test_role_unrestricted)
1507
+ object = TestModelSecurityModel.create :attr => 2
1508
+ object_with_find = TestModelSecurityModelWithFind.create :attr => 2
1509
+
1510
+ Authorization.current_user = MockUser.new(:test_role)
1511
+ assert_nothing_raised do
1512
+ object.class.find(object.id)
1513
+ end
1514
+ assert_raise Authorization::AttributeAuthorizationError do
1515
+ object_with_find.class.find(object_with_find.id)
1516
+ end
1517
+ end
1518
+
1519
+ def test_model_security_with_read_restrictions_and_exists
1520
+ reader = Authorization::Reader::DSLReader.new
1521
+ reader.parse %{
1522
+ authorization do
1523
+ role :test_role do
1524
+ has_permission_on :test_model_security_models do
1525
+ to :read, :create, :update, :delete
1526
+ if_attribute :test_attr => is { user.test_attr }
1527
+ end
1528
+ end
1529
+ end
1530
+ }
1531
+ Authorization::Engine.instance(reader)
1532
+
1533
+ test_attr = TestAttr.create
1534
+ Authorization.stub :current_user, MockUser.new(:test_role, :test_attr => test_attr) do
1535
+ object_with_find = TestModelSecurityModelWithFind.create :test_attr => test_attr
1536
+ assert_nothing_raised do
1537
+ object_with_find.class.find(object_with_find.id)
1538
+ end
1539
+ assert_equal 1, test_attr.test_model_security_model_with_finds.length
1540
+ end
1541
+ end
1542
+
1543
+ def test_model_security_delete_unallowed
1544
+ reader = Authorization::Reader::DSLReader.new
1545
+ reader.parse %{
1546
+ authorization do
1547
+ role :test_role_unrestricted do
1548
+ has_permission_on :test_model_security_models do
1549
+ to :read, :create, :update, :delete
1550
+ end
1551
+ end
1552
+ role :test_role do
1553
+ has_permission_on :test_model_security_models do
1554
+ to :read, :create, :update, :delete
1555
+ if_attribute :attr => is { 1 }
1556
+ end
1557
+ end
1558
+ end
1559
+ }
1560
+ Authorization::Engine.instance(reader)
1561
+
1562
+ Authorization.current_user = MockUser.new(:test_role_unrestricted)
1563
+ object = TestModelSecurityModel.create :attr => 2
1564
+ Authorization.current_user = MockUser.new(:test_role)
1565
+ assert_raise Authorization::AttributeAuthorizationError do
1566
+ object.destroy
1567
+ end
1568
+ end
1569
+
1570
+ def test_model_security_changing_critical_attribute_unallowed
1571
+ reader = Authorization::Reader::DSLReader.new
1572
+ reader.parse %{
1573
+ authorization do
1574
+ role :test_role_unrestricted do
1575
+ has_permission_on :test_model_security_models do
1576
+ to :read, :create, :update, :delete
1577
+ end
1578
+ end
1579
+ role :test_role do
1580
+ has_permission_on :test_model_security_models do
1581
+ to :read, :create, :update, :delete
1582
+ if_attribute :attr => is { 1 }
1583
+ end
1584
+ end
1585
+ end
1586
+ }
1587
+ Authorization::Engine.instance(reader)
1588
+
1589
+ Authorization.stub :current_user, MockUser.new(:test_role_unrestricted) do
1590
+ object = TestModelSecurityModel.create :attr => 2
1591
+ end
1592
+ end
1593
+
1594
+ def test_model_security_no_role_unallowed
1595
+ reader = Authorization::Reader::DSLReader.new
1596
+ reader.parse %{
1597
+ authorization do
1598
+ end
1599
+ }
1600
+ Authorization::Engine.instance(reader)
1601
+
1602
+ Authorization.stub :current_user, MockUser.new(:test_role_2) do
1603
+ assert_raise Authorization::NotAuthorized do
1604
+ TestModelSecurityModel.create
1605
+ end
1606
+ end
1607
+ end
1608
+
1609
+ def test_model_security_with_assoc
1610
+ reader = Authorization::Reader::DSLReader.new
1611
+ reader.parse %{
1612
+ authorization do
1613
+ role :test_role do
1614
+ has_permission_on :test_model_security_models do
1615
+ to :create, :update, :delete
1616
+ if_attribute :test_attrs => contains { user }
1617
+ end
1618
+ end
1619
+ end
1620
+ }
1621
+ Authorization::Engine.instance(reader)
1622
+
1623
+ test_attr = TestAttr.create
1624
+ test_attr.role_symbols << :test_role
1625
+ Authorization.stub :current_user, test_attr do
1626
+ assert(object = TestModelSecurityModel.create(:test_attrs => [test_attr]))
1627
+ assert_nothing_raised do
1628
+ object.update_attributes(:attr_2 => 2)
1629
+ end
1630
+ without_access_control do
1631
+ object.reload
1632
+ end
1633
+ assert_equal 2, object.attr_2
1634
+ object.destroy
1635
+ assert_raise ActiveRecord::RecordNotFound do
1636
+ TestModelSecurityModel.find(object.id)
1637
+ end
1638
+ end
1639
+ end
1640
+
1641
+ def test_model_security_with_update_attrbributes
1642
+ reader = Authorization::Reader::DSLReader.new
1643
+ reader.parse %{
1644
+ authorization do
1645
+ role :test_role do
1646
+ has_permission_on :test_model_security_models, :to => :update do
1647
+ if_attribute :test_attrs => { :branch => is { user.branch }}
1648
+ end
1649
+ end
1650
+ end
1651
+ }
1652
+ Authorization::Engine.instance(reader)
1653
+
1654
+ params = {
1655
+ :model_data => { :attr => 11 }
1656
+ }
1657
+
1658
+ test_attr = TestAttr.create!(:branch => Branch.create!)
1659
+ test_model = without_access_control do
1660
+ TestModelSecurityModel.create!(:test_attrs => [test_attr])
1661
+ end
1662
+
1663
+ with_user MockUser.new(:test_role, :branch => test_attr.branch) do
1664
+ assert_nothing_raised do
1665
+ test_model.update_attributes(params[:model_data])
1666
+ end
1667
+ end
1668
+ without_access_control do
1669
+ assert_equal params[:model_data][:attr], test_model.reload.attr
1670
+ end
1671
+
1672
+ TestAttr.delete_all
1673
+ TestModelSecurityModel.delete_all
1674
+ Branch.delete_all
1675
+ end
1676
+
1677
+ def test_using_access_control
1678
+ assert !TestModel.using_access_control?
1679
+ assert TestModelSecurityModel.using_access_control?
1680
+ end
1681
+
1682
+ def test_authorization_permit_association_proxy
1683
+ reader = Authorization::Reader::DSLReader.new
1684
+ reader.parse %{
1685
+ authorization do
1686
+ role :test_role do
1687
+ has_permission_on :test_attrs, :to => :read do
1688
+ if_attribute :test_model => {:content => "content" }
1689
+ end
1690
+ end
1691
+ end
1692
+ }
1693
+ engine = Authorization::Engine.instance(reader)
1694
+
1695
+ test_model = TestModel.create(:content => "content")
1696
+ assert engine.permit?(:read, :object => test_model.test_attrs,
1697
+ :user => MockUser.new(:test_role))
1698
+ assert !engine.permit?(:read, :object => TestAttr.new,
1699
+ :user => MockUser.new(:test_role))
1700
+ TestModel.delete_all
1701
+ end
1702
+
1703
+ def test_authorization_permit_nested_association_proxy
1704
+ reader = Authorization::Reader::DSLReader.new
1705
+ reader.parse %{
1706
+ authorization do
1707
+ role :test_role do
1708
+ has_permission_on :branches, :to => :read do
1709
+ if_attribute :test_model => { :test_attrs => {:attr => 1 } }
1710
+ end
1711
+ end
1712
+ end
1713
+ }
1714
+ engine = Authorization::Engine.instance(reader)
1715
+
1716
+ test_model = TestModel.create!
1717
+ test_model.test_attrs.create!(:attr => 0)
1718
+ test_attr = test_model.test_attrs.create!(:attr => 1)
1719
+ test_model.test_attrs.create!(:attr => 3)
1720
+ test_branch = Branch.create!(:test_model => test_model)
1721
+
1722
+ test_model_2 = TestModel.create!
1723
+ test_attr_2 = test_model_2.test_attrs.create!(:attr => 2)
1724
+ test_branch_2 = Branch.create!(:test_model => test_model_2)
1725
+
1726
+ test_model_3 = TestModel.create!
1727
+ test_branch_3 = Branch.create!(:test_model => test_model_3)
1728
+
1729
+ assert engine.permit?(:read, :object => test_branch,
1730
+ :user => MockUser.new(:test_role))
1731
+ assert !engine.permit?(:read, :object => test_branch_2,
1732
+ :user => MockUser.new(:test_role))
1733
+ assert !engine.permit?(:read, :object => test_branch_3,
1734
+ :user => MockUser.new(:test_role))
1735
+ TestModel.delete_all
1736
+ Branch.delete_all
1737
+ TestAttr.delete_all
1738
+ end
1739
+
1740
+ def test_multiple_roles_with_has_many_through
1741
+ reader = Authorization::Reader::DSLReader.new
1742
+ reader.parse %{
1743
+ authorization do
1744
+ role :test_role_1 do
1745
+ has_permission_on :test_models, :to => :read do
1746
+ if_attribute :test_attr_throughs => contains {user.test_attr_through_id},
1747
+ :content => 'test_1'
1748
+ end
1749
+ end
1750
+
1751
+ role :test_role_2 do
1752
+ has_permission_on :test_models, :to => :read do
1753
+ if_attribute :test_attr_throughs_2 => contains {user.test_attr_through_2_id},
1754
+ :content => 'test_2'
1755
+ end
1756
+ end
1757
+ end
1758
+ }
1759
+ Authorization::Engine.instance(reader)
1760
+ TestModel.delete_all
1761
+ TestAttr.delete_all
1762
+ TestAttrThrough.delete_all
1763
+
1764
+ test_model_1 = TestModel.create! :content => 'test_1'
1765
+ test_model_2 = TestModel.create! :content => 'test_2'
1766
+ test_model_1.test_attrs.create!.test_attr_throughs.create!
1767
+ test_model_2.test_attrs.create!.test_attr_throughs.create!
1768
+
1769
+ user = MockUser.new(:test_role_1, :test_role_2,
1770
+ :test_attr_through_id => test_model_1.test_attr_throughs.first.id,
1771
+ :test_attr_through_2_id => test_model_2.test_attr_throughs.first.id)
1772
+ assert_equal 2, TestModel.with_permissions_to(:read, :user => user).references(:test_models, :test_attr_throughs).length
1773
+
1774
+ TestModel.delete_all
1775
+ TestAttr.delete_all
1776
+ TestAttrThrough.delete_all
1777
+ end
1778
+
1779
+ def test_model_permitted_to
1780
+ reader = Authorization::Reader::DSLReader.new
1781
+ reader.parse %{
1782
+ authorization do
1783
+ role :test_role do
1784
+ has_permission_on :companies, :to => :read do
1785
+ if_attribute :name => "company_1"
1786
+ end
1787
+ end
1788
+ end
1789
+ }
1790
+ Authorization::Engine.instance(reader)
1791
+
1792
+ user = MockUser.new(:test_role)
1793
+ allowed_read_company = Company.new(:name => 'company_1')
1794
+ prohibited_company = Company.new(:name => 'company_2')
1795
+
1796
+ assert allowed_read_company.permitted_to?(:read, :user => user)
1797
+ assert !allowed_read_company.permitted_to?(:update, :user => user)
1798
+ assert !prohibited_company.permitted_to?(:read, :user => user)
1799
+
1800
+ executed_block = false
1801
+ allowed_read_company.permitted_to?(:read, :user => user) do
1802
+ executed_block = true
1803
+ end
1804
+ assert executed_block
1805
+
1806
+ executed_block = false
1807
+ prohibited_company.permitted_to?(:read, :user => user) do
1808
+ executed_block = true
1809
+ end
1810
+ assert !executed_block
1811
+
1812
+ assert_nothing_raised do
1813
+ allowed_read_company.permitted_to!(:read, :user => user)
1814
+ end
1815
+ assert_raise Authorization::NotAuthorized do
1816
+ prohibited_company.permitted_to!(:update, :user => user)
1817
+ end
1818
+ assert_raise Authorization::AttributeAuthorizationError do
1819
+ prohibited_company.permitted_to!(:read, :user => user)
1820
+ end
1821
+ end
1822
+
1823
+ def test_model_permitted_to_with_modified_context
1824
+ reader = Authorization::Reader::DSLReader.new
1825
+ reader.parse %{
1826
+ authorization do
1827
+ role :test_role do
1828
+ has_permission_on :companies, :to => :read
1829
+ end
1830
+ end
1831
+ }
1832
+ Authorization::Engine.instance(reader)
1833
+
1834
+ user = MockUser.new(:test_role)
1835
+ allowed_read_company = SmallCompany.new(:name => 'small_company_1')
1836
+
1837
+ assert allowed_read_company.permitted_to?(:read, :user => user)
1838
+ assert !allowed_read_company.permitted_to?(:update, :user => user)
1839
+ end
1840
+ end