aegis 1.1.8 → 2.0.0

data/lib/aegis/sieve.rb

@@ -0,0 +1,39 @@
+module Aegis
+  class Sieve
+
+    def initialize(role_name, effect, block = nil)
+      role_name = 'everyone' if role_name.blank?
+      @role_name = role_name.to_s
+      @effect = effect
+      @block = block
+    end
+
+    def may?(context, *args)
+      matches_role = @role_name == 'everyone' || @role_name == context.user.role_name
+      if matches_role
+        if @block
+          block_result = context.instance_exec(*args, &@block)
+          block_result ? @effect : !@effect
+        else
+          @effect
+        end
+      else
+        nil
+      end
+    end
+
+    def inspect
+      "Sieve(#{{:role_name => @role_name, :effect => @effect ? :allow : :deny, :block => @block.present?}.inspect})"
+    end
+
+    def self.allow_to_all
+      new('everyone', true)
+    end
+
+    def self.deny_to_all
+      new('everyone', false)
+    end
+
+  end
+
+end

data/lib/rails/action_controller.rb

@@ -0,0 +1,38 @@
+module Aegis
+  module ActionController
+
+    def permissions(resource, options = {})
+
+      before_filter :check_permissions, options.slice(:except, :only)
+
+      instance_eval do
+
+        private
+
+        actions_map = (options[:map] || {}).stringify_keys
+        object_method = options[:object] || :object
+        parent_object_method = options[:parent_object] || :parent_object
+        user_method = options[:user] || :current_user
+        permissions = lambda { Aegis::Permissions.app_permissions(options[:permissions]) }
+
+        define_method :check_permissions do
+          action = permissions.call.guess_action(
+            resource,
+            action_name.to_s,
+            actions_map
+          )
+          args = []
+          args << send(user_method)
+          args << send(parent_object_method) if action.takes_parent_object
+          args << send(object_method) if action.takes_object
+          action.may!(*args)
+        end
+
+      end
+
+    end
+
+  end
+end
+
+ActionController::Base.extend(Aegis::ActionController)

data/lib/rails/active_record.rb

@@ -1,5 +1 @@
-ActiveRecord::Base.class_eval do
-
-  extend Aegis::HasRole
-  
-end
+ActiveRecord::Base.extend(Aegis::HasRole)

data/spec/action_controller_spec.rb

@@ -0,0 +1,100 @@
+require File.dirname(__FILE__) + "/spec_helper"
+
+describe 'Aegis::ActionController' do
+
+  before(:each) do
+
+    permissions_class = @permissions_class = Class.new(Aegis::Permissions) do
+      role :user
+      resources :posts do
+        reading do
+          allow :user
+        end
+      end
+    end
+
+    @user_class = Class.new(ActiveRecord::Base) do
+      set_table_name 'users'
+      has_role :permissions => permissions_class
+    end
+
+    user = @user = @user_class.new(:role_name => 'user')
+
+    @controller_class = Class.new(ActionController::Base) do
+      define_method :current_user do
+        user
+      end
+    end
+
+  end
+
+  describe 'permissions' do
+
+    it "should fetch the context through #object, #parent_object and #current_user by default" do
+      permissions_class = @permissions_class
+      @controller_class.class_eval do
+        permissions :posts, :permissions => permissions_class
+      end
+      controller = @controller_class.new
+      permissions_class.stub(:guess_action => stub('action', :takes_object => true, :takes_parent_object => true).as_null_object)
+      controller.should_receive(:object)
+      controller.should_receive(:parent_object)
+      controller.should_receive(:current_user)
+      controller.send(:check_permissions)
+    end
+
+    it "should allow custom readers for object, parent object and the current user" do
+      permissions_class = @permissions_class
+      @controller_class.class_eval do
+        permissions :posts, :permissions => permissions_class, :user => :my_user, :object => :my_object, :parent_object => :my_parent 
+      end
+      controller = @controller_class.new
+      permissions_class.stub(:guess_action => stub('action', :takes_object => true, :takes_parent_object => true).as_null_object)
+      controller.should_receive(:my_object)
+      controller.should_receive(:my_parent)
+      controller.should_receive(:my_user)
+      controller.send(:check_permissions)
+    end
+
+    it 'should install a before_filter that checks permissions' do
+      @controller_class.should_receive(:before_filter).with(:check_permissions, :only => [:update])
+      permissions_class = @permissions_class
+      @controller_class.class_eval do
+        permissions :posts, :permissions => permissions_class, :only => [:update]
+      end
+    end
+
+  end
+
+  describe 'check_permissions' do
+
+    before(:each) do
+      permissions_class = @permissions_class
+      map = @map = { 'controller_action' => 'permission_path' }
+      @controller_class.class_eval do
+        permissions :posts, :permissions => permissions_class, :map => map
+      end
+      @controller = @controller_class.new
+      @controller.stub(:object => "object", :parent_object => "parent object")
+    end
+
+    it "should guess the aegis-action using the current resource, action name and actions-map" do
+      @controller.stub(:action_name => 'update')
+      action = stub("action").as_null_object
+      @permissions_class.should_receive(:guess_action).with(:posts, 'update', @map).and_return(action)
+      @controller.send(:check_permissions)
+    end
+
+    it "should raise an error if permission is denied" do
+      @controller.stub(:action_name => 'update')
+      lambda { @controller.send(:check_permissions) }.should raise_error(Aegis::AccessDenied)
+    end
+
+    it "should pass silently if permission is granted" do
+      @controller.stub(:action_name => 'show')
+      lambda { @controller.send(:check_permissions) }.should_not raise_error
+    end
+
+  end
+
+end

data/spec/app_root/app/controllers/application_controller.rb

@@ -0,0 +1,7 @@
+class ApplicationController < ActionController::Base
+
+  def current_user
+    User.new(:role_name => 'user')
+  end
+
+end

data/spec/app_root/app/controllers/reviews_controller.rb

@@ -0,0 +1,36 @@
+class ReviewsController < ApplicationController
+
+  permissions :property_reviews
+
+  def show
+  end
+
+  def edit
+  end
+
+  def update
+  end
+
+  def new
+  end
+
+  def create
+  end
+
+  def destroy
+  end
+
+  def index
+  end
+
+  private
+
+  def object
+    @oject ||= parent_object.reviews.find(params[:id])
+  end
+
+  def parent_object
+    @parent_object ||= Property.find(params[:id])
+  end
+
+end

data/spec/app_root/app/models/permissions.rb

@@ -0,0 +1,14 @@
+class Permissions < Aegis::Permissions
+
+  role :user
+
+  resources :properties do
+    resources :reviews do
+      reading do
+        allow :user
+      end
+    end
+  end
+
+end
+

data/spec/app_root/app/models/property.rb

@@ -0,0 +1,5 @@
+class Property < ActiveRecord::Base
+
+  has_many :reviews
+
+end

data/spec/app_root/app/models/review.rb

@@ -0,0 +1,5 @@
+class Review < ActiveRecord::Base
+
+  belongs_to :property
+
+end

data/{test → spec}/app_root/app/models/user.rb

@@ -1,6 +1,5 @@
 class User < ActiveRecord::Base
 
   has_role
-  validates_role_name
 
-end
+end

data/spec/app_root/config/routes.rb

@@ -0,0 +1,7 @@
+ActionController::Routing::Routes.draw do |map|
+
+  map.resources :properties do |properties|
+    properties.resources :reviews
+  end
+
+end

data/{test/app_root/db/migrate/20090408115228_create_users.rb → spec/app_root/db/migrate/001_create_users.rb}

@@ -3,6 +3,7 @@ class CreateUsers < ActiveRecord::Migration
   def self.up
     create_table :users do |t|
       t.string :role_name
+      t.string :name
       t.timestamps
     end
   end
@@ -10,5 +11,5 @@ class CreateUsers < ActiveRecord::Migration
   def self.down
     drop_table :users
   end
-  
+
 end

data/spec/app_root/db/migrate/002_create_properties.rb

@@ -0,0 +1,13 @@
+class CreateProperties < ActiveRecord::Migration
+
+  def self.up
+    create_table :properties do |t|
+      t.timestamps
+    end
+  end
+
+  def self.down
+    drop_table :properties
+  end
+
+end

data/spec/app_root/db/migrate/003_create_reviews.rb

@@ -0,0 +1,14 @@
+class CreateReviews < ActiveRecord::Migration
+
+  def self.up
+    create_table :reviews do |t|
+      t.integer :property_id
+      t.timestamps
+    end
+  end
+
+  def self.down
+    drop_table :reviews
+  end
+
+end

data/spec/controllers/reviews_controller_spec.rb

@@ -0,0 +1,19 @@
+require File.dirname(__FILE__) + '/../spec_helper'
+
+describe ReviewsController do
+
+  before(:each) do
+    Property.stub(:find => stub("a property", :reviews => stub("reviews", :find => "a review")))
+  end
+
+  it "should grant access in a fully integrated scenario" do
+    lambda { get :show, :property_id => '10', :id => '20' }.should_not raise_error
+    lambda { get :index, :property_id => '10' }.should_not raise_error
+  end
+
+  it "should deny access in a fully integrated scenario" do
+    lambda { put :update, :property_id => '10', :id => '20' }.should raise_error(Aegis::AccessDenied)
+    lambda { get :new, :property_id => '10' }.should raise_error(Aegis::AccessDenied)
+  end
+
+end

data/spec/has_role_spec.rb

@@ -0,0 +1,177 @@
+require File.dirname(__FILE__) + "/spec_helper"
+
+describe Aegis::HasRole do
+
+  before(:each) do
+
+    @permissions_class = permissions_class = Class.new(Aegis::Permissions) do
+      role :user
+      role :admin
+    end
+
+    @user_class = Class.new(ActiveRecord::Base) do
+      set_table_name 'users'
+      has_role :permissions => permissions_class
+    end
+
+  end
+
+  describe 'has_role' do
+
+    it "should define accessors for the role association" do
+      user = @user_class.new
+      user.should respond_to(:role)
+      user.should respond_to(:role=)
+    end
+
+  end
+
+  describe 'role' do
+
+    it "should be nil by default" do
+      user = @user_class.new
+      user.role.should be_nil
+    end
+
+    it "should return the role corresponding to the role_name" do
+      user = @user_class.new(:role_name => 'admin')
+      user.role.name.should == 'admin'
+    end
+
+    it "should be nil if the role_name doesn't match a known role" do
+      user = @user_class.new(:role_name => 'nonexisting_role_name')
+      user.role.should be_nil
+    end
+
+    it "should read the role name from a custom reader" do
+      permissions_class = @permissions_class
+      @user_class.class_eval { has_role :reader => "role_handle", :permissions => permissions_class }
+      user = @user_class.new
+      user.should_receive(:role_handle).and_return('admin')
+      user.role
+    end
+
+    it "should read the role name from a custom accessor" do
+      permissions_class = @permissions_class
+      @user_class.class_eval { has_role :accessor => "role_handle", :permissions => permissions_class }
+      user = @user_class.new
+      user.should_receive(:role_handle).and_return('admin')
+      user.role
+    end
+
+    it "should take a default role" do
+      permissions_class = @permissions_class
+      @user_class.class_eval { has_role :default => "admin", :permissions => permissions_class }
+      user = @user_class.new
+      user.role.name.should == 'admin'
+    end
+
+  end
+
+  describe 'role=' do
+
+    before :each do
+      @admin_role = @permissions_class.find_role_by_name('admin')
+    end
+
+    it "should write the role name to the role_name attribute" do
+      user = @user_class.new
+      user.should_receive(:role_name=).with('admin')
+      user.role = @admin_role
+    end
+
+    it "should write the role name to a custom writer" do
+      permissions_class = @permissions_class
+      @user_class.class_eval { has_role :writer => "role_handle=", :permissions => permissions_class }
+      user = @user_class.new
+      user.should_receive(:role_handle=).with('admin')
+      user.role = @admin_role
+    end
+
+    it "should write the role name to a custom accessor" do
+      permissions_class = @permissions_class
+      @user_class.class_eval { has_role :accessor => "role_handle", :permissions => permissions_class }
+      user = @user_class.new
+      user.should_receive(:role_handle=).with('admin')
+      user.role = @admin_role
+    end
+
+  end
+
+  describe 'method_missing' do
+
+    it "should delegate may...? messages to the permissions class" do
+      user = @user_class.new
+      @permissions_class.should_receive(:may?).with(user, 'do_action', 'argument')
+      user.may_do_action?('argument')
+    end
+
+    it "should delegate may...! messages to the permissions class" do
+      user = @user_class.new
+      @permissions_class.should_receive(:may!).with(user, 'do_action', 'argument')
+      user.may_do_action!('argument')
+    end
+
+    it "should retain its usual behaviour for non-permission methods" do
+      user = @user_class.new
+      lambda { user.nonexisting_method }.should raise_error(NoMethodError)
+    end
+
+  end
+
+  describe 'respond_to?' do
+
+    it "should be true for all permission methods, even if they are not explicitely defined" do
+      user = @user_class.new
+      user.should respond_to(:may_foo?)
+      user.should respond_to(:may_foo!)
+    end
+
+    it "should retain its usual behaviour for non-permission methods" do
+      user = @user_class.new
+      user.should respond_to(:to_s)
+      user.should_not respond_to(:nonexisting_method)
+    end
+
+  end
+
+  describe 'validates_role' do
+
+    before(:each) do
+      @user_class.class_eval { validates_role }
+    end
+
+    it "should run the validation callback :validate_role" do
+      user = @user_class.new
+      user.should_receive(:validate_role)
+      user.run_callbacks(:validate)
+    end
+
+    it "should add an inclusion error to the role name if the role name is blank" do
+      user = @user_class.new(:role_name => '')
+      user.errors.should_receive(:add).with(:role_name, I18n.translate('activerecord.errors.messages.inclusion'))
+      user.send(:validate_role)
+    end
+
+    it "should add an inclusion error to the role name if the role name doesn't match a role" do
+      user = @user_class.new(:role_name => 'nonexisting_role')
+      user.errors.should_receive(:add).with(:role_name, I18n.translate('activerecord.errors.messages.inclusion'))
+      user.send(:validate_role)
+    end
+
+    it "should add no error if the role name matches a role" do
+      user = @user_class.new(:role_name => 'admin')
+      user.errors.should_not_receive(:add)
+      user.send(:validate_role)
+    end
+
+    it "should allow a custom error message with the :message options" do
+      @user_class.class_eval { validates_role :message => "custom message" }
+      user = @user_class.new(:role_name => '')
+      user.errors.should_receive(:add).with(:role_name, 'custom message')
+      user.send(:validate_role)
+    end
+
+  end
+
+end