aegis 1.1.8 → 2.0.0

data/lib/aegis.rb

@@ -1,10 +1,13 @@
-# Include hook code here
-require 'aegis/constants'
+require 'ostruct'
+
+require 'aegis/access_denied'
+require 'aegis/action'
+require 'aegis/compiler'
 require 'aegis/has_role'
-require 'aegis/normalization'
-require 'aegis/permission_error'
-require 'aegis/permission_evaluator'
+require 'aegis/parser'
 require 'aegis/permissions'
 require 'aegis/role'
-require 'rails/active_record'
+require 'aegis/sieve'
 
+require 'rails/action_controller'
+require 'rails/active_record'

data/lib/aegis/access_denied.rb

@@ -0,0 +1,4 @@
+module Aegis
+  class AccessDenied < StandardError
+  end
+end

data/lib/aegis/action.rb

@@ -0,0 +1,99 @@
+module Aegis
+  class Action
+
+    attr_reader :name, :takes_object, :takes_parent_object, :writing, :sieves, :pluralize_resource
+
+    def initialize(name, options)
+      @name = name.to_s
+      @sieves = []
+      update(options, true)
+    end
+
+    def update(options, use_defaults = false)
+      update_attribute(options, :takes_object, use_defaults, true)
+      update_attribute(options, :takes_parent_object, use_defaults, false)
+      update_attribute(options, :writing, use_defaults, true)
+      update_attribute(options, :pluralize_resource, use_defaults, false)
+    end
+
+    def update_attribute(options, key, use_defaults, default)
+      value = options[key]
+      value = default if value.nil? && use_defaults
+      instance_variable_set("@#{key}", value) unless value.nil?
+    end
+
+    def may?(user, *args)
+      context = extract_context(user, args)
+      may = user.role.may_by_default?
+      for sieve in sieves
+        opinion = sieve.may?(context, *args)
+        may = opinion unless opinion.nil?
+      end
+      may
+    end
+
+    def may!(user, *args)
+      may?(user, *args) or raise Aegis::AccessDenied, "Access denied: #{args.inspect}"
+    end
+
+    def self.index(options = {})
+      new('index', options.reverse_merge(:takes_object => false, :pluralize_resource => true, :writing => false))
+    end
+
+    def self.show(options = {})
+      new('show', options.reverse_merge(:takes_object => true, :writing => false))
+    end
+
+    def self.update(options = {})
+      new('update', options.reverse_merge(:takes_object => true, :writing => true))
+    end
+
+    def self.create(options = {})
+      new('create', options.reverse_merge(:takes_object => false, :writing => true))
+    end
+
+    def self.destroy(options = {})
+      new('destroy', options.reverse_merge(:takes_object => true, :writing => true))
+    end
+
+    def self.undefined
+      new(nil, :takes_object => false, :writing => true)
+    end
+
+    def self.allow_to_all
+      action = undefined
+      action.sieves << Aegis::Sieve.allow_to_all
+      action
+    end
+
+    def self.deny_to_all
+      action = undefined
+      action.sieves << Aegis::Sieve.deny_to_all
+      action
+    end
+
+    def abstract?
+      name.blank?
+    end
+
+    def inspect
+      "Action(#{{ :name => name, :takes_object => takes_object, :takes_parent_object => takes_parent_object,  :sieves => sieves }.inspect})"
+    end
+
+    private
+
+    # not *args so we can change the array reference
+    def extract_context(user, args)
+      context = {}
+      context[:user] = user
+      if takes_parent_object
+        context[:parent_object] = args.shift or raise ArgumentError, "No parent object given"
+      end
+      if takes_object
+        context[:object] = args.shift or raise ArgumentError, "No object given"
+      end
+      OpenStruct.new(context)
+    end
+
+  end
+end

data/lib/aegis/compiler.rb

@@ -0,0 +1,113 @@
+module Aegis
+  class Compiler
+
+    ATOM_GROUPS = {
+      :namespace  => :structure,
+      :resource   => :structure,
+      :resources  => :structure,
+      :action     => :structure,
+      :allow      => :sieve,
+      :deny       => :sieve,
+      :reading    => :sieve,
+      :writing    => :sieve
+    }
+
+    def initialize(resource)
+      @resource = resource
+    end
+
+    def compile(atoms)
+      grouped_atoms = group_atoms(atoms)
+      for atom in grouped_atoms[:structure] || []
+        compile_structure(atom)
+      end
+      for atom in grouped_atoms[:sieve] || []
+        compile_sieve(atom)
+      end
+    end
+
+    def self.compile(resource, atoms)
+      new(resource).compile(atoms)
+    end
+
+    private
+
+    def compile_structure(atom)
+      case atom[:type]
+      when :action
+        compile_action(atom)
+      when :namespace
+        compile_namespace(atom)
+      when :resource
+        compile_child_resource(atom, :singleton)
+      when :resources
+        compile_child_resource(atom, :collection)
+      else
+        "Unexpected atom type: #{atom[:type]}"
+      end
+    end
+
+    def compile_namespace(atom)
+      atom[:options].merge!(:only => [])
+      compile_child_resource(atom, :singleton)
+    end
+
+    def compile_action(atom)
+      action = @resource.create_or_update_action(
+        atom[:name],
+        create_action_options(atom[:options]),
+        update_action_options(atom[:options])
+      )
+      for sieve_atom in atom[:children]
+        compile_sieve(sieve_atom, [action])
+      end
+    end
+
+    def compile_sieve(atom, affected_actions = @resource.actions)
+      case atom[:type]
+      when :allow
+        for action in affected_actions
+          action.sieves << Aegis::Sieve.new(atom[:role_name], true, atom[:block])
+        end
+      when :deny
+        for action in affected_actions
+          action.sieves << Aegis::Sieve.new(atom[:role_name], false, atom[:block])
+        end
+      when :reading
+        for child in atom[:children]
+          compile_sieve(child, @resource.reading_actions)
+        end
+      when :writing
+        for child in atom[:children]
+          compile_sieve(child, @resource.writing_actions)
+        end
+      else
+        "Unexpected atom type: #{atom[:type]}"
+      end
+    end
+
+    def compile_child_resource(atom, type)
+      child = Aegis::Resource.new(@resource, atom[:name], type, atom[:options])
+      @resource.children << child
+      Aegis::Compiler.compile(child, atom[:children])
+    end
+
+    def create_action_options(options)
+      { :takes_object => @resource.new_action_takes_object?(options),
+        :takes_parent_object => @resource.new_action_takes_parent_object?(options)
+      }.merge(update_action_options(options))
+    end
+
+    def update_action_options(options)
+      { :writing => options[:writing],
+        :pluralize_resource => options[:collection] }
+    end
+
+    def group_atoms(atoms)
+      atoms.group_by do |atom|
+        ATOM_GROUPS[atom[:type]]
+      end
+    end
+
+  end
+end

data/lib/aegis/has_role.rb

@@ -1,110 +1,89 @@
-module Aegis
-  module HasRole
-  
-    def validates_role_name(options = {})
-      validates_each :role_name do |record, attr, value|
-        options[:message] ||= I18n.translate('activerecord.errors.messages.inclusion')
-        role = ::Permissions.find_role_by_name(value)
-        record.errors.add attr, options[:message] if role.nil?
-      end
-    end
-    
-    alias_method :validates_role, :validates_role_name
-
-    def has_role(options = {})
-    
-      # Legacy parameter names
-      options[:accessor] ||= options.delete(:name_accessor)
-      options[:reader] ||= options.delete(:name_reader)
-      options[:writer] ||= options.delete(:name_writer)
-    
-      if options[:accessor]
-        options[:reader] = "#{options[:accessor]}"
-        options[:writer] = "#{options[:accessor]}="
-        options.delete(:accessor)
-      end
-    
-      self.class_eval do
-      
-        class_attribute :aegis_role_name_reader, :aegis_role_name_writer, :aegis_default_role_name
-
-        unless method_defined?(:after_initialize)
-          def after_initialize
-          end
-        end
-
-        if options[:default]
-          self.aegis_default_role_name = options[:default].to_s
-          after_initialize :set_default_aegis_role_name
-        end
-        
-        self.aegis_role_name_reader = (options[:reader] || "role_name").to_sym
-        self.aegis_role_name_writer = (options[:writer] || "role_name=").to_sym
-
-        def aegis_role_name_reader
-          self.class.class_eval{ aegis_role_name_reader }
-        end
-
-        def aegis_role_name_writer
-          self.class.class_eval{ aegis_role_name_writer }
-        end
-
-        def aegis_role_name
-          send(aegis_role_name_reader)
-        end
-
-        def aegis_role_name=(value)
-          send(aegis_role_name_writer, value)
-        end
-
-        def role
-          ::Permissions.find_role_by_name!(aegis_role_name)
-        end
-        
-        def role=(role_or_name)
-          self.aegis_role_name = if role_or_name.is_a?(Aegis::Role)
-            role_or_name.name
-          else
-            role_or_name.to_s
-          end
-        end
-        
-        private
-        
-        # Delegate may_...? and may_...! methods to the user's role.
-        def method_missing_with_aegis_permissions(symb, *args)
-          method_name = symb.to_s
-          if method_name =~ /^may_(.+?)[\!\?]$/
-            role.send(symb, self, *args)
-          elsif method_name =~ /^(.*?)\?$/ && queried_role = ::Permissions.find_role_by_name($1)
-            role == queried_role
-          else
-            method_missing_without_aegis_permissions(symb, *args)
-          end
-        end
-        
-        alias_method_chain :method_missing, :aegis_permissions
-        
-        def respond_to_with_aegis_permissions?(symb, include_private = false)
-          if symb.to_s =~ /^may_(.+?)[\!\?]$/
-            true
-          else
-            respond_to_without_aegis_permissions?(symb, include_private)
-          end
-        end
-        
-        alias_method_chain :respond_to?, :aegis_permissions
-        
-        def set_default_aegis_role_name
-          if new_record? && self.aegis_role_name.blank?
-            self.aegis_role_name = self.class.aegis_default_role_name
-          end
-        end
-        
-      end
-
-    end
-  
-  end
-
-end
+module Aegis
+  module HasRole
+
+    def has_role(options = {})
+
+      if options[:accessor]
+        options[:reader] = "#{options[:accessor]}"
+        options[:writer] = "#{options[:accessor]}="
+        options.delete(:accessor)
+      end
+
+      get_role_name = (options[:reader] || "role_name").to_sym
+      set_role_name = (options[:writer] || "role_name=").to_sym
+
+      permissions = lambda { Aegis::Permissions.app_permissions(options[:permissions]) }
+
+      may_pattern = /^may_(.+?)([\!\?])$/
+
+      send :define_method, :role do
+        permissions.call.find_role_by_name(send(get_role_name))
+      end
+
+      send :define_method, :role= do |role|
+        send(set_role_name, role.name)
+      end
+
+      metaclass.send :define_method, :validates_role do |*validate_options|
+        validate_options = validate_options[0] || {}
+
+        send :define_method, :validate_role do
+          role = permissions.call.find_role_by_name(send(get_role_name))
+          unless role
+            message = validate_options[:message] || I18n.translate('activerecord.errors.messages.inclusion')
+            errors.add get_role_name, message
+          end
+        end
+
+        validate :validate_role
+      end
+
+      if options[:default]
+
+        unless method_defined?(:after_initialize)
+          send :define_method, :after_initialize do
+          end
+        end
+
+        send :define_method, :set_default_role_name do
+          if new_record? && send(get_role_name).blank?
+            send(set_role_name, options[:default])
+          end
+        end
+
+        after_initialize :set_default_role_name
+
+      end
+
+      unless method_defined?(:method_missing_with_aegis_permissions)
+
+        # Delegate may_...? and may_...! methods to the permissions class.
+        send :define_method, :method_missing_with_aegis_permissions do |symb, *args|
+          method_name = symb.to_s
+          if method_name =~ may_pattern
+            action_path = $1
+            severity = $2
+            permissions.call.send("may#{severity}", self, action_path, *args)
+          else
+            method_missing_without_aegis_permissions(symb, *args)
+          end
+        end
+
+        alias_method_chain :method_missing, :aegis_permissions
+
+        send :define_method, :respond_to_with_aegis_permissions? do |symb, *args|
+          if symb.to_s =~ may_pattern
+            true
+          else
+            include_private = args.first.nil? ? false : args.first
+            respond_to_without_aegis_permissions?(symb, include_private)
+          end
+        end
+
+        alias_method_chain :respond_to?, :aegis_permissions
+
+      end
+    end
+
+  end
+end

data/lib/aegis/parser.rb

@@ -0,0 +1,110 @@
+module Aegis
+  class Parser
+
+    attr_reader :atoms
+
+    def self.parse(&block)
+      Aegis::Parser.new.parse(&block)
+    end
+
+    def initialize
+      @atoms = []
+    end
+
+    def parse(&block)
+      instance_eval(&block) if block
+      atoms
+    end
+
+    def action(*args, &block)
+      split_definitions(*args) do |name, options|
+        @atoms.push({
+          :type => :action,
+          :name => name.to_s,
+          :options => options,
+          :children => Aegis::Parser.parse(&block)
+        })
+      end
+    end
+
+    def namespace(*args, &block)
+      split_definitions(*args) do |name, options|
+        @atoms.push({
+          :type => :namespace,
+          :name => name.to_s,
+          :options => options,
+          :children => Aegis::Parser.parse(&block)
+        })
+      end
+    end
+
+    def resource(*args, &block)
+      split_definitions(*args) do |name, options|
+        @atoms.push({
+          :type => :resource,
+          :name => name.to_s,
+          :options => options,
+          :children => Aegis::Parser.parse(&block)
+        })
+      end
+    end
+
+    def resources(*args, &block)
+      split_definitions(*args) do |name, options|
+        @atoms.push({
+          :type => :resources,
+          :name => name.to_s,
+          :options => options,
+          :children => Aegis::Parser.parse(&block)
+        })
+      end
+    end
+
+    def allow(*args, &block)
+      split_definitions(*args) do |role_name, options|
+        @atoms.push({
+          :type => :allow,
+          :role_name => role_name.to_s,
+          :block => block
+        })
+      end
+    end
+
+    def deny(*args, &block)
+      split_definitions(*args) do |role_name, options|
+        @atoms.push({
+          :type => :deny,
+          :role_name => role_name.to_s,
+          :block => block
+        })
+      end
+    end
+
+    def reading(&block)
+      block or raise "missing block"
+      @atoms.push({
+        :type => :reading,
+        :children => Aegis::Parser.parse(&block)
+      })
+    end
+
+    def writing(&block)
+      block or raise "missing block"
+      @atoms.push({
+        :type => :writing,
+        :children => Aegis::Parser.parse(&block)
+      })
+    end
+
+    private
+
+    def split_definitions(*args, &definition)
+      options = args.extract_options!
+      args = [nil] if args.empty?
+      for name in args
+        definition.call(name, options)
+      end
+    end
+
+  end
+end