aegis 1.1.8 → 2.0.0

data/lib/aegis/permissions.rb

@@ -1,107 +1,164 @@
-module Aegis
-  class Permissions
-  
-    def self.inherited(base)
-      base.class_eval do
-        @roles_by_name = {}
-        @permission_blocks = Hash.new { |hash, key| hash[key] = [] }
-        extend ClassMethods
-      end
-    end    
-
-    module ClassMethods
- 
-      def role(role_name, options = {})
-        role_name = role_name.to_sym
-        role_name != Aegis::Constants::EVERYONE_ROLE_NAME or raise "Cannot define a role named: #{Aegis::Constants::EVERYONE_ROLE_NAME}"
-        @roles_by_name[role_name] = Aegis::Role.new(role_name, self, options)
-      end
-      
-      def find_all_role_names
-        @roles_by_name.keys
-      end
-      
-      def find_all_roles
-        @roles_by_name.values.sort
-      end
-      
-      def find_role_by_name(name)
-        # cannot call :to_sym on nil or an empty string
-        if name.blank?
-          nil
-        else
-          @roles_by_name[name.to_sym]
-        end
-      end
-      
-      def find_role_by_name!(name)
-        find_role_by_name(name) or raise "Undefined role: #{name}"
-      end
-      
-      def permission(*permission_name_or_names, &block)
-        permission_names = Array(permission_name_or_names).map(&:to_s)
-        permission_names.each do |permission_name|
-          add_split_crud_permission(permission_name, &block)
-        end
-      end
-      
-      def may?(role_or_role_name, permission, *args)
-        role = role_or_role_name.is_a?(Aegis::Role) ? role_or_role_name : find_role_by_name(role_or_role_name)
-        blocks = @permission_blocks[permission.to_sym]
-        evaluate_permission_blocks(role, blocks, *args)
-      end
-      
-      def evaluate_permission_blocks(role, blocks, *args)
-        evaluator = Aegis::PermissionEvaluator.new(role)
-        evaluator.evaluate(blocks, args)
-      end
-      
-      def denied?(*args)
-        !allowed?(*args)
-      end
-      
-      private
-
-      def add_split_crud_permission(permission_name, &block)
-        if permission_name =~ /^crud_(.+?)$/
-          target = $1
-          Aegis::Constants::CRUD_VERBS.each do |verb|
-            add_normalized_permission("#{verb}_#{target}", &block)
-          end
-        else
-          add_normalized_permission(permission_name, &block)
-        end
-      end
-
-      def add_normalized_permission(permission_name, &block)
-        normalized_permission_name = Aegis::Normalization.normalize_permission(permission_name)
-        add_singularized_permission(normalized_permission_name, &block)
-      end
-      
-      def add_singularized_permission(permission_name, &block)
-        if permission_name =~ /^([^_]+?)_(.+?)$/
-          verb = $1
-          target = $2
-          singular_target = target.singularize
-          if singular_target.length < target.length
-            singular_block = lambda do |*args|
-        args.delete_at 1
-        instance_exec(*args, &block)
-            end
-            singular_permission_name = "#{verb}_#{singular_target}"
-            add_permission(singular_permission_name, &singular_block)
-          end
-        end
-        add_permission(permission_name, &block)
-      end
-      
-      def add_permission(permission_name, &block)
-        permission_name = permission_name.to_sym
-        @permission_blocks[permission_name] << block
-      end
- 
-    end # module ClassMethods
-    
-  end # class Permissions
-end # module Aegis
-
+module Aegis
+  class Permissions
+    class << self
+
+      MISSING_ACTION_STRATEGIES = [
+        :allow, :deny, :default_permission, :error
+      ]
+
+      def missing_action_means(strategy)
+        prepare
+        MISSING_ACTION_STRATEGIES.include?(strategy) or raise ArgumentError, "missing_action_means must be one of #{MISSING_ACTION_STRATEGIES.inspect}"
+        @missing_action_strategy = strategy
+      end
+
+      def missing_user_means(&strategy)
+        prepare
+        @missing_user_strategy = strategy
+      end
+
+      def alias_action(aliases)
+        prepare
+        aliases.each do |key, value|
+          @action_aliases[key.to_s] = value.to_s
+        end
+      end
+
+      def permission(*args)
+        raise "The Aegis API has changed. See http://wiki.github.com/makandra/aegis/upgrading-to-aegis-2 for migration instructions."
+      end
+
+      def action(*args, &block)
+        prepare
+        @parser.action(*args, &block)
+      end
+
+      def resource(*args, &block)
+        prepare
+        @parser.resource(*args, &block)
+      end
+
+      def namespace(*args, &block)
+        prepare
+        @parser.namespace(*args, &block)
+      end
+
+      def resources(*args, &block)
+        prepare
+        @parser.resources(*args, &block)
+      end
+
+      def may?(user, path, *args)
+        query_action(:may?, user, path, *args)
+      end
+
+      def may!(user, path, *args)
+        query_action(:may!, user, path, *args)
+      end
+
+      def role(role_name, options = {})
+        role_name = role_name.to_s
+        role_name != 'everyone' or raise "Cannot define a role named: #{role_name}"
+        @roles_by_name ||= {}
+        @roles_by_name[role_name] = Aegis::Role.new(role_name, options)
+      end
+
+      def roles
+        @roles_by_name.values.sort
+      end
+
+      def find_role_by_name(name)
+        @roles_by_name[name.to_s]
+      end
+
+      def guess_action(resource_name, action_name, map = {})
+        compile
+        action = nil
+        action_name = action_name.to_s
+        guess_action_paths(resource_name, action_name, map).detect do |path|
+          action = find_action_by_path(path, false)
+        end
+        handle_missing_action(action)
+      end
+
+      def find_action_by_path(path, handle_missing = true)
+        compile
+        action = @actions_by_path[path.to_s]
+        action = handle_missing_action(action) if handle_missing
+        action
+      end
+
+      def app_permissions(option)
+        if option.is_a?(Class)
+          option
+        else
+          (option || '::Permissions').constantize
+        end
+      end
+
+      def inspect
+        compile
+        "Permissions(#{@root_resource.inspect})"
+      end
+
+      private
+
+      def query_action(verb, user, path, *args)
+        user = handle_missing_user(user)
+        action = find_action_by_path(path)
+        action.send(verb, user, *args)
+      end
+
+      def handle_missing_user(possibly_missing_user)
+        possibly_missing_user ||= case @missing_user_strategy
+          when :error then raise "Cannot check permission without a user"
+          when Proc then @missing_user_strategy.call
+        end
+      end
+
+      def handle_missing_action(possibly_missing_action)
+        possibly_missing_action ||= case @missing_action_strategy
+          when :default_permission then Aegis::Action.undefined
+          when :allow then Aegis::Action.allow_to_all
+          when :deny then Aegis::Action.deny_to_all
+          when :error then raise "Undefined Aegis action: #{action}"
+        end
+      end
+
+      def guess_action_paths(resource_name, action_name, map)
+        if mapped = map[action_name]
+          [ mapped.to_s ]
+        else
+          [ "#{action_name}_#{resource_name.to_s.singularize}",
+            "#{action_name}_#{resource_name.to_s.pluralize}" ]
+        end
+      end
+
+      def prepare
+        unless @parser
+          @parser = Aegis::Parser.new
+          @missing_user_strategy = :error
+          @missing_action_strategy = :default_permission
+          @action_aliases = {
+            'new' => 'create',
+            'edit' => 'update'
+          }
+        end
+      end
+
+      def compile
+        unless @root_resource
+          prepare
+          @root_resource = Aegis::Resource.new(nil, nil, :root, {})
+          Aegis::Compiler.compile(@root_resource, @parser.atoms)
+          index_actions
+        end
+      end
+
+      def index_actions
+        @actions_by_path = @root_resource.index_actions_by_path(@action_aliases)        
+      end
+
+    end
+  end
+end

data/lib/aegis/resource.rb

@@ -0,0 +1,158 @@
+module Aegis
+  class Resource
+
+    attr_reader :parent, :children, :name, :type, :never_takes_object, :actions
+
+    def initialize(parent, name, type, options)
+      @parent = parent
+      @children = []
+      @name = name
+      @type = type
+      @actions = initial_actions(options)
+      # @never_takes_object = options[:object] == false
+    end
+
+    def inspect
+      "Resource(#{{:name => name || 'root', :actions => actions, :children => children, :parent => parent}.inspect})"      
+    end
+
+    def find_action_by_name(name)
+      name = name.to_s
+      @actions.detect { |action| action.name == name }
+    end
+
+    def create_or_update_action(name, create_options, update_options)
+      action = nil
+      if action = find_action_by_name(name)
+        action.update(update_options)
+      else
+        action = Action.new(name, create_options)
+        @actions << action
+      end
+      action
+    end
+
+    def root?
+      type == :root
+    end
+
+    def singleton?
+      type == :singleton
+    end
+
+    def collection?
+      type == :collection
+    end
+
+    def reading_actions
+      actions.reject(&:writing)
+    end
+
+    def writing_actions
+      actions.select(&:writing)
+    end
+
+    def action_paths(action, aliases)
+      if root?
+        action_names_with_aliases(action.name, aliases)
+      else
+        action_names_with_aliases(action.name, aliases).collect do |action_name|
+          build_path(
+            action_name,
+            parent && parent.path(false),
+            action.pluralize_resource ? name.pluralize : name.singularize
+          )
+        end
+      end
+    end
+
+    def action_names_with_aliases(native_name, aliases)
+      names = [native_name]
+      aliases.each do |key, value|
+        names << key if value == native_name
+      end
+      names
+    end
+
+    def index_actions_by_path(aliases)
+      index = {}
+      actions.each do |action|
+        action_paths(action, aliases).each do |path|
+          index[path] = action
+        end
+      end
+      children.each do |child|
+        index.merge! child.index_actions_by_path(aliases)
+      end
+      index
+    end
+
+    def new_action_takes_object?(action_options = {})
+      collection? && action_options[:collection] != true # && !never_takes_object
+    end
+
+    def new_action_takes_parent_object?(action_options = {})
+      parent && parent.collection? # && !parent.never_takes_object
+    end
+
+    protected
+
+    def path(pluralize = true)
+      parent_path = parent && parent.path(false)
+      pluralized_name = name ? (pluralize ? name.pluralize : name.singularize) : nil
+      build_path(parent_path, pluralized_name)
+    end
+
+    private
+
+    def build_path(*args)
+      args.select(&:present?).join("_")
+    end
+
+    def filter_actions(actions, options)
+      if options[:only]
+        actions = actions.select(&action_name_filter(options[:only]))
+      elsif options[:except]
+        actions = actions.reject(&action_name_filter(options[:except]))
+      end
+      actions
+    end
+
+    def action_name_filter(whitelist)
+      whitelist = whitelist.collect(&:to_s)
+      lambda { |action| whitelist.include?(action.name) }
+    end
+
+    def initial_actions(options)
+      send("initial_actions_for_#{type}", options)
+    end
+
+    def initial_actions_for_collection(options = {})
+      filter_actions([
+        Aegis::Action.index(initial_action_options),
+        Aegis::Action.show(initial_action_options),
+        Aegis::Action.update(initial_action_options),
+        Aegis::Action.create(initial_action_options),
+        Aegis::Action.destroy(initial_action_options),
+      ], options)
+    end
+
+    def initial_actions_for_singleton(options = {})
+      filter_actions([
+        Aegis::Action.show(initial_action_options(:takes_object => false)),
+        Aegis::Action.update(initial_action_options(:takes_object => false)),
+        Aegis::Action.create(initial_action_options(:takes_object => false)),
+        Aegis::Action.destroy(initial_action_options(:takes_object => false))
+      ], options)
+    end
+
+    def initial_action_options(options = {})
+      { :takes_parent_object => new_action_takes_parent_object? }.merge(options)
+    end
+
+    def initial_actions_for_root(options = {})
+      []
+    end
+
+  end
+end

data/lib/aegis/role.rb

@@ -1,55 +1,25 @@
-module Aegis
-  class Role
-  
-    attr_reader :name, :default_permission
-          
-    # permissions is a hash like: permissions[:edit_user] = lambda { |user| ... }
-    def initialize(name, permissions, options)
-      @name = name
-      @permissions = permissions
-      @default_permission = options[:default_permission] == :allow ? :allow : :deny
-      freeze
-    end
-    
-    def allow_by_default?
-      @default_permission == :allow
-    end
-    
-    def may?(permission, *args)
-      # puts "may? #{permission}, #{args}"
-      @permissions.may?(self, permission, *args)
-    end
-    
-    def <=>(other)
-      name.to_s <=> other.name.to_s
-    end
-
-    def to_s
-      name.to_s.humanize
-    end
-    
-    def id
-      name.to_s
-    end
-
-    private
-    
-    def method_missing(symb, *args)
-      method_name = symb.to_s
-      if method_name =~ /^may_(.+)(\?|\!)$/
-        permission, severity = $1, $2
-        permission = Aegis::Normalization.normalize_permission(permission)
-        may = may?(permission, *args)
-        if severity == '!' && !may 
-          raise PermissionError, "Access denied: #{permission}" 
-        else
-          may
-        end
-      else
-        super
-      end
-    end
-        
-    
-  end
-end
+module Aegis
+  class Role
+
+    attr_reader :name, :default_permission
+
+    def initialize(name, options)
+      @name = name
+      @default_permission = options[:default_permission] == :allow ? :allow : :deny
+      freeze
+    end
+
+    def may_by_default?
+      @default_permission == :allow
+    end
+
+    def <=>(other)
+      name <=> other.name
+    end
+
+    def to_s
+      name.to_s.humanize
+    end
+
+  end
+end