aegis 1.1.3

data/lib/aegis/permission_error.rb

@@ -0,0 +1,5 @@
+module Aegis
+  class PermissionError < StandardError
+
+  end
+end

data/lib/aegis/permission_evaluator.rb

@@ -0,0 +1,34 @@
+module Aegis
+  class PermissionEvaluator
+
+	def initialize(role)
+	  @role = role
+	end
+
+	def evaluate(permissions, rule_args)
+	  @result = @role.allow_by_default?
+	  permissions.each do |permission|
+		instance_exec(*rule_args, &permission)
+	  end
+	  @result
+	end
+
+	def allow(*role_name_or_names, &block)
+	  rule_encountered(role_name_or_names, true, &block)
+	end
+
+	def deny(*role_name_or_names, &block)
+	  rule_encountered(role_name_or_names, false, &block)
+	end
+
+	def rule_encountered(role_name_or_names, is_allow, &block)
+	  role_names = Array(role_name_or_names)
+	  if role_names.include?(@role.name) || role_names.include?(Aegis::Constants::EVERYONE_ROLE_NAME)
+		@result = (block ? block.call : true) 
+		@result = !@result unless is_allow
+	  end
+	end
+
+  end
+end
+

data/lib/aegis/permissions.rb

@@ -0,0 +1,108 @@
+module Aegis
+  class Permissions
+  
+    def self.inherited(base)
+      base.class_eval do
+        @roles_by_name = {}
+        @permission_blocks = Hash.new { |hash, key| hash[key] = [] }
+        extend ClassMethods
+      end
+    end    
+
+    module ClassMethods
+    
+ 
+      def role(role_name, options = {})
+        role_name = role_name.to_sym
+        role_name != Aegis::Constants::EVERYONE_ROLE_NAME or raise "Cannot define a role named: #{Aegis::Constants::EVERYONE_ROLE_NAME}"
+        @roles_by_name[role_name] = Aegis::Role.new(role_name, self, options)
+      end
+      
+      def find_all_role_names
+        @roles_by_name.keys
+      end
+      
+      def find_all_roles
+        @roles_by_name.values.sort
+      end
+      
+      def find_role_by_name(name)
+        # cannot call :to_sym on nil or an empty string
+        if name.blank?
+          nil
+        else
+          @roles_by_name[name.to_sym]
+        end
+      end
+      
+      def find_role_by_name!(name)
+        find_role_by_name(name) or raise "Undefined role: #{name}"
+      end
+      
+      def permission(*permission_name_or_names, &block)
+        permission_names = Array(permission_name_or_names).map(&:to_s)
+        permission_names.each do |permission_name|
+          add_split_crud_permission(permission_name, &block)
+        end
+      end
+      
+      def may?(role_or_role_name, permission, *args)
+        role = role_or_role_name.is_a?(Aegis::Role) ? role_or_role_name : find_role_by_name(role_or_role_name)
+        blocks = @permission_blocks[permission.to_sym]
+        evaluate_permission_blocks(role, blocks, *args)
+      end
+      
+      def evaluate_permission_blocks(role, blocks, *args)
+    evaluator = Aegis::PermissionEvaluator.new(role)
+    evaluator.evaluate(blocks, args)
+      end
+      
+      def denied?(*args)
+        !allowed?(*args)
+      end
+      
+      private
+
+      def add_split_crud_permission(permission_name, &block)
+        if permission_name =~ /^crud_(.+?)$/
+          target = $1
+          Aegis::Constants::CRUD_VERBS.each do |verb|
+            add_normalized_permission("#{verb}_#{target}", &block)
+          end
+        else
+          add_normalized_permission(permission_name, &block)
+        end
+      end
+
+      def add_normalized_permission(permission_name, &block)
+        normalized_permission_name = Aegis::Normalization.normalize_permission(permission_name)
+        add_singularized_permission(normalized_permission_name, &block)
+      end
+      
+      def add_singularized_permission(permission_name, &block)
+        if permission_name =~ /^([^_]+?)_(.+?)$/
+          verb = $1
+          target = $2
+          singular_target = target.singularize
+          if singular_target.length < target.length
+            singular_block = lambda do |*args|
+        args.delete_at 1
+        instance_exec(*args, &block)
+            end
+            singular_permission_name = "#{verb}_#{singular_target}"
+            add_permission(singular_permission_name, &singular_block)
+          end
+        end
+        add_permission(permission_name, &block)
+      end
+      
+      def add_permission(permission_name, &block)
+        permission_name = permission_name.to_sym
+        @permission_blocks[permission_name] << block
+      end
+ 
+    end # module ClassMethods
+    
+  end # class Permissions
+end # module Aegis
+

data/lib/aegis/role.rb

@@ -0,0 +1,55 @@
+module Aegis
+  class Role
+  
+    attr_reader :name, :default_permission
+          
+    # permissions is a hash like: permissions[:edit_user] = lambda { |user| ... }
+    def initialize(name, permissions, options)
+      @name = name
+      @permissions = permissions
+      @default_permission = options[:default_permission] == :allow ? :allow : :deny
+      freeze
+    end
+    
+    def allow_by_default?
+      @default_permission == :allow
+    end
+    
+    def may?(permission, *args)
+      # puts "may? #{permission}, #{args}"
+      @permissions.may?(self, permission, *args)
+    end
+    
+    def <=>(other)
+      name.to_s <=> other.name.to_s
+    end
+
+    def to_s
+      name.to_s.humanize
+    end
+    
+    def id
+      name.to_s
+    end
+
+    private
+    
+    def method_missing(symb, *args)
+      method_name = symb.to_s
+      if method_name =~ /^may_(.+)(\?|\!)$/
+        permission, severity = $1, $2
+        permission = Aegis::Normalization.normalize_permission(permission)
+        may = may?(permission, *args)
+        if severity == '!' && !may 
+          raise PermissionError, "Access denied: #{permission}" 
+        else
+          may
+        end
+      else
+        super
+      end
+    end
+        
+    
+  end
+end

data/lib/rails/active_record.rb

@@ -0,0 +1,5 @@
+ActiveRecord::Base.class_eval do
+
+  extend Aegis::HasRole
+  
+end

data/test/app_root/app/controllers/application_controller.rb

@@ -0,0 +1,2 @@
+class ApplicationController < ActionController::Base
+end

data/test/app_root/app/models/permissions.rb

@@ -0,0 +1,49 @@
+
+class Permissions < Aegis::Permissions
+
+  role :guest
+  role :student
+  role :admin, :default_permission => :allow
+  
+  permission :use_empty do
+  end
+  
+  permission :use_simple do
+    allow :student
+    deny :admin
+  end
+
+  permission :update_users do
+    allow :student
+    deny :admin
+  end
+  
+  permission :crud_projects do
+    allow :student
+  end
+  
+  permission :edit_drinks do
+    allow :student
+    deny :admin
+  end
+  
+  permission :hug do
+    allow :everyone
+  end
+  
+  permission :divide do |user, left, right|
+    allow :student do
+      right != 0
+    end
+  end
+  
+  permission :draw do
+    allow :everyone
+  end
+  
+  permission :draw do
+    deny :student
+    deny :admin
+  end
+  
+end

data/test/app_root/app/models/soldier.rb

@@ -0,0 +1,5 @@
+class Soldier < ActiveRecord::Base
+
+  has_role :name_accessor => "rank"
+
+end

data/test/app_root/app/models/user.rb

@@ -0,0 +1,6 @@
+class User < ActiveRecord::Base
+
+  has_role
+  validates_role_name
+
+end

data/test/app_root/config/boot.rb

@@ -0,0 +1,114 @@
+# Allow customization of the rails framework path
+RAILS_FRAMEWORK_ROOT = (ENV['RAILS_FRAMEWORK_ROOT'] || "#{File.dirname(__FILE__)}/../../../../../../vendor/rails") unless defined?(RAILS_FRAMEWORK_ROOT) 
+
+# Don't change this file!
+# Configure your app in config/environment.rb and config/environments/*.rb
+
+RAILS_ROOT = "#{File.dirname(__FILE__)}/.." unless defined?(RAILS_ROOT)
+
+module Rails
+  class << self
+    def boot!
+      unless booted?
+        preinitialize
+        pick_boot.run
+      end
+    end
+
+    def booted?
+      defined? Rails::Initializer
+    end
+
+    def pick_boot
+      (vendor_rails? ? VendorBoot : GemBoot).new
+    end
+
+    def vendor_rails?
+      File.exist?(RAILS_FRAMEWORK_ROOT)
+    end
+
+    def preinitialize
+      load(preinitializer_path) if File.exist?(preinitializer_path)
+    end
+
+    def preinitializer_path
+      "#{RAILS_ROOT}/config/preinitializer.rb"
+    end
+  end
+
+  class Boot
+    def run
+      load_initializer
+      Rails::Initializer.run(:set_load_path)
+    end
+  end
+
+  class VendorBoot < Boot
+    def load_initializer
+      require "#{RAILS_FRAMEWORK_ROOT}/railties/lib/initializer"
+      Rails::Initializer.run(:install_gem_spec_stubs)
+    end
+  end
+
+  class GemBoot < Boot
+    def load_initializer
+      self.class.load_rubygems
+      load_rails_gem
+      require 'initializer'
+    end
+
+    def load_rails_gem
+      if version = self.class.gem_version
+        gem 'rails', version
+      else
+        gem 'rails'
+      end
+    rescue Gem::LoadError => load_error
+      $stderr.puts %(Missing the Rails #{version} gem. Please `gem install -v=#{version} rails`, update your RAILS_GEM_VERSION setting in config/environment.rb for the Rails version you do have installed, or comment out RAILS_GEM_VERSION to use the latest version installed.)
+      exit 1
+    end
+
+    class << self
+      def rubygems_version
+        Gem::RubyGemsVersion rescue nil
+      end
+
+      def gem_version
+        if defined? RAILS_GEM_VERSION
+          RAILS_GEM_VERSION
+        elsif ENV.include?('RAILS_GEM_VERSION')
+          ENV['RAILS_GEM_VERSION']
+        else
+          parse_gem_version(read_environment_rb)
+        end
+      end
+
+      def load_rubygems
+        require 'rubygems'
+        min_version = '1.1.1'
+        unless rubygems_version >= min_version
+          $stderr.puts %Q(Rails requires RubyGems >= #{min_version} (you have #{rubygems_version}). Please `gem update --system` and try again.)
+          exit 1
+        end
+ 
+      rescue LoadError
+        $stderr.puts %Q(Rails requires RubyGems >= #{min_version}. Please install RubyGems and try again: http://rubygems.rubyforge.org)
+        exit 1
+      end
+
+      def parse_gem_version(text)
+        $1 if text =~ /^[^#]*RAILS_GEM_VERSION\s*=\s*["']([!~<>=]*\s*[\d.]+)["']/
+      end
+
+      private
+        def read_environment_rb
+          environment_rb = "#{RAILS_ROOT}/config/environment.rb"
+          environment_rb = "#{HELPER_RAILS_ROOT}/config/environment.rb" unless File.exists?(environment_rb)
+          File.read(environment_rb)
+        end
+    end
+  end
+end
+
+# All that for this:
+Rails.boot!

data/test/app_root/config/database.yml

@@ -0,0 +1,21 @@
+in_memory:
+  adapter: sqlite3
+  database: ":memory:"
+  verbosity: quiet
+sqlite:
+  adapter: sqlite
+  dbfile: plugin_test.sqlite.db
+sqlite3:
+  adapter: sqlite3
+  dbfile: plugin_test.sqlite3.db
+postgresql:
+  adapter: postgresql
+  username: postgres
+  password: postgres
+  database: plugin_test
+mysql:
+  adapter: mysql
+  host: localhost
+  username: root
+  password:
+  database: plugin_test

data/test/app_root/config/environment.rb

@@ -0,0 +1,14 @@
+require File.join(File.dirname(__FILE__), 'boot')
+
+Rails::Initializer.run do |config|
+  config.cache_classes = false
+  config.whiny_nils = true
+  config.action_controller.session = { :key => "_myapp_session", :secret => "gwirofjweroijger8924rt2zfwehfuiwehb1378rifowenfoqwphf23" }
+  config.plugin_locators.unshift(
+    Class.new(Rails::Plugin::Locator) do
+      def plugins
+        [Rails::Plugin.new(File.expand_path('.'))]
+      end
+    end
+  ) unless defined?(PluginTestHelper::PluginLocator)
+end