RubyGems - aegis - Versions diffs - 1.1.8 → 2.0.0 - Mend

aegis 1.1.8 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (65) hide show

data/.gitignore +4 -0
data/README.rdoc +58 -165
data/Rakefile +20 -12
data/VERSION +1 -1
data/aegis.gemspec +85 -56
data/lib/aegis.rb +9 -6
data/lib/aegis/access_denied.rb +4 -0
data/lib/aegis/action.rb +99 -0
data/lib/aegis/compiler.rb +113 -0
data/lib/aegis/has_role.rb +89 -110
data/lib/aegis/parser.rb +110 -0
data/lib/aegis/permissions.rb +164 -107
data/lib/aegis/resource.rb +158 -0
data/lib/aegis/role.rb +25 -55
data/lib/aegis/sieve.rb +39 -0
data/lib/rails/action_controller.rb +38 -0
data/lib/rails/active_record.rb +1 -5
data/spec/action_controller_spec.rb +100 -0
data/spec/app_root/app/controllers/application_controller.rb +7 -0
data/spec/app_root/app/controllers/reviews_controller.rb +36 -0
data/spec/app_root/app/models/permissions.rb +14 -0
data/spec/app_root/app/models/property.rb +5 -0
data/spec/app_root/app/models/review.rb +5 -0
data/{test → spec}/app_root/app/models/user.rb +1 -2
data/{test → spec}/app_root/config/boot.rb +0 -0
data/{test → spec}/app_root/config/database.yml +0 -0
data/{test → spec}/app_root/config/environment.rb +0 -0
data/{test → spec}/app_root/config/environments/in_memory.rb +0 -0
data/{test → spec}/app_root/config/environments/mysql.rb +0 -0
data/{test → spec}/app_root/config/environments/postgresql.rb +0 -0
data/{test → spec}/app_root/config/environments/sqlite.rb +0 -0
data/{test → spec}/app_root/config/environments/sqlite3.rb +0 -0
data/spec/app_root/config/routes.rb +7 -0
data/{test/app_root/db/migrate/20090408115228_create_users.rb → spec/app_root/db/migrate/001_create_users.rb} +2 -1
data/spec/app_root/db/migrate/002_create_properties.rb +13 -0
data/spec/app_root/db/migrate/003_create_reviews.rb +14 -0
data/{test → spec}/app_root/lib/console_with_fixtures.rb +0 -0
data/{test → spec}/app_root/log/.gitignore +0 -0
data/{test → spec}/app_root/script/console +0 -0
data/spec/controllers/reviews_controller_spec.rb +19 -0
data/spec/has_role_spec.rb +177 -0
data/spec/permissions_spec.rb +550 -0
data/spec/rcov.opts +2 -0
data/spec/spec.opts +4 -0
data/{test/test_helper.rb → spec/spec_helper.rb} +6 -9
metadata +73 -57
data/lib/aegis/constants.rb +0 -6
data/lib/aegis/normalization.rb +0 -26
data/lib/aegis/permission_error.rb +0 -5
data/lib/aegis/permission_evaluator.rb +0 -34
data/test/app_root/app/controllers/application_controller.rb +0 -2
data/test/app_root/app/models/old_soldier.rb +0 -6
data/test/app_root/app/models/permissions.rb +0 -49
data/test/app_root/app/models/soldier.rb +0 -5
data/test/app_root/app/models/trust_fund_kid.rb +0 -5
data/test/app_root/app/models/user_subclass.rb +0 -2
data/test/app_root/app/models/veteran_soldier.rb +0 -6
data/test/app_root/config/routes.rb +0 -4
data/test/app_root/db/migrate/20090429075648_create_soldiers.rb +0 -14
data/test/app_root/db/migrate/20091110075648_create_veteran_soldiers.rb +0 -14
data/test/app_root/db/migrate/20091110075649_create_trust_fund_kids.rb +0 -15
data/test/has_role_options_test.rb +0 -64
data/test/has_role_test.rb +0 -54
data/test/permissions_test.rb +0 -109
data/test/validation_test.rb +0 -55

data/spec/permissions_spec.rb ADDED Viewed

@@ -0,0 +1,550 @@
+require File.dirname(__FILE__) + "/spec_helper"
+describe Aegis::Permissions do
+  before(:each) do
+    permissions = @permissions = Class.new(Aegis::Permissions) do
+      role :user
+      role :moderator
+      role :admin, :default_permission => :allow
+    end
+    @user_class = Class.new(ActiveRecord::Base) do
+      set_table_name 'users'
+      has_role :permissions => permissions
+    end
+    @user = @user_class.new(:role_name => 'user')
+    @moderator = @user_class.new(:role_name => 'moderator')
+    @admin = @user_class.new(:role_name => 'admin')
+  end
+  describe 'find_role_by_name' do
+    it "should look up previously defined roles" do
+      user_role = @permissions.find_role_by_name('user')
+      admin_role = @permissions.find_role_by_name('admin')
+      user_role.name.should == 'user'
+      user_role.may_by_default?.should be_false
+      admin_role.name.should == 'admin'
+      admin_role.may_by_default?.should be_true
+    end
+    it "should be nil if no role with that name was defined" do
+      @permissions.find_role_by_name('nonexisting_role').should be_nil
+    end
+  end
+  describe 'permission definition' do
+    it "should allow the definition of simple actions" do
+      @permissions.class_eval do
+        action :action_name do
+          allow :user
+        end
+      end
+      @permissions.may?(@user, 'action_name').should be_true
+    end
+    it "should allow the definition of multiple actions at once" do
+      @permissions.class_eval do
+        action :action1, :action2 do
+          allow
+        end
+      end
+      @permissions.may?(@user, 'action1').should be_true
+      @permissions.may?(@user, 'action2').should be_true
+      @permissions.may?(@user, 'action3').should be_false
+    end
+    it "should match an allow/deny directive to everyone is no role is named" do
+      @permissions.class_eval do
+        action :allowed_to_all do
+          allow
+        end
+        action :denied_to_all do
+          deny
+        end
+      end
+      @permissions.may?(@user, 'allowed_to_all').should be_true
+      @permissions.may?(@admin, 'denied_to_all').should be_false
+    end
+    it "should allow to grant permissions to multiple roles at once" do
+      @permissions.class_eval do
+        action :action_name do
+          allow :user, :moderator
+        end
+      end
+      @permissions.may?(@user, 'action_name').should be_true
+      @permissions.may?(@moderator, 'action_name').should be_true
+    end
+    it "should return the default permission when queried for undefined actions" do
+      @permissions.may?(@user, 'undefined_action').should be_false
+      @permissions.may?(@admin, 'undefined_action').should be_true
+    end
+    it "should distinguish between roles" do
+      @permissions.class_eval do
+        action :update_news do
+          allow :moderator
+        end
+      end
+      @permissions.may?(@user, 'update_news').should be_false
+      @permissions.may?(@moderator, 'update_news').should be_true
+    end
+    it "should run sieves in a sequence, the result being the last matching sieve" do
+      @permissions.class_eval do
+        action :update_news do
+          allow :everyone
+          deny :user
+        end
+      end
+      @permissions.may?(@user, 'update_news').should be_false
+      @permissions.may?(@moderator, 'update_news').should be_true
+    end
+    it "should evaluate collection resources" do
+      @permissions.class_eval do
+        resources :posts do
+          allow :moderator
+        end
+      end
+      @permissions.may?(@moderator, 'update_post', "the post").should be_true
+      @permissions.may?(@moderator, 'show_post', "the post").should be_true
+      @permissions.may?(@moderator, 'create_post', "the post").should be_true
+      @permissions.may?(@moderator, 'destroy_post', "the post").should be_true
+      @permissions.may?(@moderator, 'index_posts').should be_true
+    end
+    it "should allow to configure generated resource actions" do
+      @permissions.class_eval do
+        resources :posts do
+          action :index do
+            allow :user
+          end
+          action :show do
+            allow :user
+          end
+        end
+      end
+      @permissions.may?(@user, 'update_post', "the post").should be_false
+      @permissions.may?(@user, 'show_post', "the post").should be_true
+      @permissions.may?(@user, 'create_post', "the post").should be_false
+      @permissions.may?(@user, 'destroy_post', "the post").should be_false
+      @permissions.may?(@user, 'index_posts').should be_true
+      @permissions.find_action_by_path('index_posts').takes_object.should be_false
+      @permissions.find_action_by_path('show_post').takes_object.should be_true
+    end
+    it "should raise an error if an action takes an object but does not get it in the arguments" do
+      @permissions.class_eval do
+        resources :posts do
+          allow :moderator
+        end
+      end
+      @permissions.may?(@moderator, 'update_post', "the post").should be_true
+    end
+    it "should evaluate sieves with blocks" do
+      @permissions.class_eval do
+        resources :posts do
+          allow :user do
+            user.name == 'Waldo'
+          end
+        end
+      end
+      frank = @user_class.new(:name => 'Frank', :role_name => 'user')
+      waldo = @user_class.new(:name => 'Waldo', :role_name => 'user')
+      frank.may_update_post?('the post').should be_false
+      waldo.may_update_post?('the post').should be_true
+    end
+    it "should evaluate singleton resources, which take no object" do
+      @permissions.class_eval do
+        resource :session do
+          allow :moderator
+        end
+      end
+      @permissions.may?(@moderator, 'update_session').should be_true
+      @permissions.may?(@moderator, 'show_session').should be_true
+      @permissions.may?(@moderator, 'create_session').should be_true
+      @permissions.may?(@moderator, 'destroy_session').should be_true
+    end
+    it "should allow to nest resources into collection resources" do
+      @permissions.class_eval do
+        resources :properties do
+          resources :comments do
+            allow :moderator
+          end
+        end
+      end
+      @permissions.may?(@moderator, 'update_property_comment', "the property", "the comment").should be_true
+      @permissions.may?(@moderator, 'show_property_comment', "the property", "the comment").should be_true
+      @permissions.may?(@moderator, 'create_property_comment', "the property").should be_true
+      @permissions.may?(@moderator, 'destroy_property_comment', "the property", "the comment").should be_true
+      @permissions.may?(@moderator, 'index_property_comments', "the property").should be_true
+    end
+    it "should allow to nest resources into singleton resources" do
+      @permissions.class_eval do
+        resource :account do
+          resources :bookings do
+            allow :moderator
+          end
+        end
+      end
+      @permissions.may?(@moderator, 'update_account_booking', "the booking").should be_true
+      @permissions.may?(@moderator, 'show_account_booking', "the booking").should be_true
+      @permissions.may?(@moderator, 'create_account_booking').should be_true
+      @permissions.may?(@moderator, 'destroy_account_booking', "the booking").should be_true
+      @permissions.may?(@moderator, 'index_account_bookings').should be_true
+      @permissions.find_action_by_path('update_account').should_not be_abstract
+    end
+    it "should support namespaces, which act like singleton resources but don't generate actions by default" do
+      @permissions.class_eval do
+        namespace :admin do
+          resources :bookings do
+            allow :moderator
+          end
+        end
+      end
+      @permissions.may?(@moderator, 'update_admin_booking', "the booking").should be_true
+      @permissions.may?(@moderator, 'show_admin_booking', "the booking").should be_true
+      @permissions.may?(@moderator, 'create_admin_booking').should be_true
+      @permissions.may?(@moderator, 'destroy_admin_booking', "the booking").should be_true
+      @permissions.may?(@moderator, 'index_admin_bookings').should be_true
+      @permissions.find_action_by_path('update_admin').should be_abstract
+    end
+    it "should allow multiple levels of resource-nesting" do
+      @permissions.class_eval do
+        resources :properties do
+          resources :reviews do
+            resources :comments do
+              allow :moderator
+            end
+          end
+        end
+      end
+      @permissions.may?(@moderator, 'update_property_review_comment', "the review", "the comment").should be_true
+      @permissions.may?(@moderator, 'show_property_review_comment', "the review", "the comment").should be_true
+      @permissions.may?(@moderator, 'create_property_review_comment', "the review").should be_true
+      @permissions.may?(@moderator, 'destroy_property_review_comment', "the review", "the comment").should be_true
+      @permissions.may?(@moderator, 'index_property_review_comments', "the review").should be_true
+    end
+    it "should raise an error if an action takes a parent object but does not get it in the arguments" do
+      @permissions.class_eval do
+        resources :properties do
+          resources :comments
+        end
+      end
+      lambda { @permissions.may?(@moderator, 'update_property_comment', "the comment") }.should raise_error(ArgumentError)
+    end
+    it "should allow sieves with blocks and arguments" do
+      @permissions.class_eval do
+        action :sign_in do
+          allow do |password|
+            user.password == password
+          end
+        end
+      end
+      @user.stub(:password => "secret")
+      @user.may_sign_in?("wrong_password").should be_false
+      @user.may_sign_in?("secret").should be_true
+    end
+    it "should provide the object and parent_object for a sieve block" do
+      spy = stub("spy")
+      @permissions.class_eval do
+        resources :properties do
+          resources :comments do
+            allow :moderator do |additional_argument|
+              spy.observe(parent_object, object, additional_argument)
+            end
+          end
+        end
+      end
+      spy.should_receive(:observe).with("the property", "the comment", "additional argument")
+      @moderator.may_update_property_comment?("the property", "the comment", "additional argument")
+    end
+    it "should evaluate additional resource actions" do
+      @permissions.class_eval do
+        resources :properties do
+          action :zoom_into do
+            allow :user
+          end
+          action :view_all, :collection => true do
+            allow :user
+          end
+        end
+      end
+      @permissions.may?(@user, "zoom_into_property", "the property").should be_true
+      @permissions.may?(@user, "view_all_properties", "the property").should be_true
+    end
+    it "should allow rules that only affect reading actions" do
+      @permissions.class_eval do
+        resources :posts do
+          reading do
+            allow :user
+          end
+          action :syndicate, :writing => false
+          action :close
+        end
+      end
+      @permissions.may?(@user, 'update_post', "the post").should be_false
+      @permissions.may?(@user, 'show_post', "the post").should be_true
+      @permissions.may?(@user, 'create_post', "the post").should be_false
+      @permissions.may?(@user, 'destroy_post', "the post").should be_false
+      @permissions.may?(@user, 'index_posts').should be_true
+      @permissions.may?(@user, 'syndicate_post', "the post").should be_true
+      @permissions.may?(@user, 'close_post", "the post').should be_false
+    end
+    it "should allow rules that only affect writing actions" do
+      @permissions.class_eval do
+        resources :posts do
+          writing do
+            allow :moderator
+          end
+          action :syndicate, :writing => false
+          action :close
+        end
+      end
+      # debugger
+      @permissions.may?(@moderator, 'update_post', "the post").should be_true
+      @permissions.may?(@moderator, 'show_post', "the post").should be_false
+      @permissions.may?(@moderator, 'create_post', "the post").should be_true
+      @permissions.may?(@moderator, 'destroy_post', "the post").should be_true
+      @permissions.may?(@moderator, 'index_posts').should be_false
+      @permissions.may?(@moderator, 'syndicate_post', "the post").should be_false
+      @permissions.may?(@moderator, "close_post", "the post").should be_true
+    end
+    it "should allow resources with only selected actions" do
+      @permissions.class_eval do
+        resources :posts, :only => [:show, :update]
+      end
+      @permissions.find_action_by_path('update_post').should_not be_abstract
+      @permissions.find_action_by_path('show_post').should_not be_abstract
+      @permissions.find_action_by_path('create_post').should be_abstract
+      @permissions.find_action_by_path('destroy_post').should be_abstract
+      @permissions.find_action_by_path('index_posts').should be_abstract
+    end
+    it "should allow resources with all actions except a selected few" do
+      @permissions.class_eval do
+        resources :posts, :except => [:show, :update]
+      end
+      @permissions.find_action_by_path('update_post').should be_abstract
+      @permissions.find_action_by_path('show_post').should be_abstract
+      @permissions.find_action_by_path('create_post').should_not be_abstract
+      @permissions.find_action_by_path('destroy_post').should_not be_abstract
+      @permissions.find_action_by_path('index_posts').should_not be_abstract
+    end
+    it "should alias action names for all actions and resources, aliasing #new and #edit by default" do
+      @permissions.class_eval do
+        alias_action :delete => :destroy
+        resources :properties do
+          resources :comments
+        end
+      end
+      @permissions.find_action_by_path('delete_property').should_not be_abstract
+      @permissions.find_action_by_path('new_property').should_not be_abstract
+      @permissions.find_action_by_path('edit_property').should_not be_abstract
+      @permissions.find_action_by_path('delete_property_comment').should_not be_abstract
+      @permissions.find_action_by_path('new_property_comment').should_not be_abstract
+      @permissions.find_action_by_path('edit_property_comment').should_not be_abstract
+    end
+  end
+  describe 'may!' do
+    it "should return if permission is granted" do
+      lambda { @permissions.may!(@admin, :delete_everything) }.should_not raise_error
+    end
+    it "should raise an error if permission is denied" do
+      lambda { @permissions.may!(@user, :delete_everything) }.should raise_error(Aegis::AccessDenied)
+    end
+  end
+  describe 'behavior when checking permissions without a user' do
+    it "should raise an error if the user is nil" do
+      lambda { @permissions.may?(nil, :some_action) }.should raise_error
+    end
+    it "should substitute the results from the blank user strategy" do
+      @permissions.class_eval do
+        missing_user_means { User.new(:role_name => 'user') }
+        action :create_post do
+          allow :moderator
+        end
+        action :show_post do
+          allow :user
+        end
+      end
+      @permissions.may?(nil, :create_post).should be_false
+      @permissions.may?(nil, :show_post).should be_true
+    end
+  end
+  describe 'behavior when a permission is not defined' do
+    it "should use the default permission if the strategy is :default_permission" do
+      @permissions.class_eval do
+        missing_action_means :default_permission
+      end
+      @user.may_missing_action?.should be_false
+      @admin.may_missing_action?.should be_true
+    end
+    it "should grant everyone access if the strategy is :allow" do
+      @permissions.class_eval do
+        missing_action_means :allow
+      end
+      @user.may_missing_action?.should be_true
+      @admin.may_missing_action?.should be_true
+    end
+    it "should deny everyone access if the strategy is :deny" do
+      @permissions.class_eval do
+        missing_action_means :deny
+      end
+      @user.may_missing_action?.should be_false
+      @admin.may_missing_action?.should be_false
+    end
+    it "should raise an error if the strategy is :error" do
+      @permissions.class_eval do
+        missing_action_means :error
+      end
+      lambda { @user.may_missing_action? }.should raise_error
+      lambda { @admin.may_missing_action? }.should raise_error
+    end
+  end
+  describe 'guess_action' do
+    it "should guess an action based on the given resource and action name, trying both singular and plural" do
+      @permissions.class_eval do
+        resources :posts
+      end
+      @permissions.guess_action(:posts, :index).should_not be_abstract
+      @permissions.guess_action(:posts, :update).should_not be_abstract
+      @permissions.guess_action(:posts, :unknown_action).should be_abstract
+    end
+    it "should consult the actions map first and use the the default behaviour for unmapped actions" do
+      @permissions.class_eval do
+        resources :posts, :only => [:update] do
+          action :view_all, :collection => true
+        end
+      end
+      @permissions.guess_action(:posts, 'index', 'index' => 'view_all_posts').should_not be_abstract
+      @permissions.guess_action(:posts, 'update', 'index' => 'view_all_posts').should_not be_abstract
+    end
+  end
+end