aegis 2.0.4 → 2.1.0

data/README.rdoc

@@ -69,19 +69,25 @@ There is an awesome {documentation wiki}[http://wiki.github.com/makandra/aegis/]
 
 == Installation
 
-Add the following to your <tt>Initializer.run</tt> block in your <tt>environment.rb</tt>:
+Aegis is a gem, which you can install with
+    sudo gem install aegis
+
+In Rails 2, add the following to your <tt>environment.rb</tt>:
     config.gem 'aegis'
-Then do a
-    sudo rake gems:install
 
-Alternatively, use
-    sudo gem install aegis
+In Rails 3, add the following to your <tt>Gemfile</tt>:
+    gem 'aegis'
+
+
+== Rails 3 compatibility
+
+We cannot guarantee Rails 3 compatibility at this point, but we will upgrade the gem when Rails 3 is released.
 
 
 == Credits
 
 Henning Koch, Tobias Kraze
 
-{gem-session.com}[http://gem-session.com/]
+{makandra.com}[http://makandra.com/]
 
-{www.makandra.de}[http://www.makandra.de/]
+{gem-session.com}[http://gem-session.com/]

data/VERSION

@@ -1 +1 @@
-2.0.4
+2.1.0

data/aegis.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = %q{aegis}
-  s.version = "2.0.4"
+  s.version = "2.1.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Henning Koch", "Tobias Kraze"]
-  s.date = %q{2010-05-29}
+  s.date = %q{2010-07-25}
   s.description = %q{Aegis is an authorization solution for Ruby on Rails that supports roles and a RESTish, resource-style declaration of permission rules.}
   s.email = %q{henning.koch@makandra.de}
   s.extra_rdoc_files = [
@@ -92,10 +92,10 @@ Gem::Specification.new do |s|
      "spec/app_root/lib/console_with_fixtures.rb",
      "spec/action_controller_spec.rb",
      "spec/controllers/reviews_controller_spec.rb",
-     "spec/has_role_spec.rb",
-     "spec/permissions_spec.rb",
      "spec/spec_helper.rb",
      "spec/loader_spec.rb",
+     "spec/has_role_spec.rb",
+     "spec/permissions_spec.rb",
      "spec/sieve_spec.rb"
   ]
 

data/lib/aegis/action.rb

@@ -24,12 +24,9 @@ module Aegis
 
     def may?(user, *args)
       context = extract_context(user, args)
-      may = user.role.may_by_default?
-      for sieve in sieves
-        opinion = sieve.may?(context, *args)
-        may = opinion unless opinion.nil?
+      user.roles.any? do |role|
+        may_as_role?(role, context, *args)
       end
-      may
     end
 
     def may!(user, *args)
@@ -82,6 +79,16 @@ module Aegis
 
     private
 
+    def may_as_role?(role, context, *args)
+      context.role = role
+      may = role.may_by_default?
+      for sieve in sieves
+        opinion = sieve.may?(context, *args)
+        may = opinion unless opinion.nil?
+      end
+      may
+    end
+
     # not *args so we can change the array reference
     def extract_context(user, args)
       context = {}

data/lib/aegis/has_role.rb

@@ -3,35 +3,35 @@ module Aegis
 
     def has_role(options = {})
 
-      if options[:accessor]
-        options[:reader] = "#{options[:accessor]}"
-        options[:writer] = "#{options[:accessor]}="
-        options.delete(:accessor)
-      end
-
-      get_role_name = (options[:reader] || "role_name").to_sym
-      set_role_name = (options[:writer] || "role_name=").to_sym
-
       permissions = lambda { Aegis::Permissions.app_permissions(options[:permissions]) }
 
       may_pattern = /^may_(.+?)([\!\?])$/
 
+      send :define_method, :role_names do
+        (role_name || '').split(/\s*,\s*/)
+      end
+
+      send :define_method, :role_names= do |role_names|
+        self.role_name = role_names.join(',')
+      end
+
       send :define_method, :role do
-        permissions.call.find_role_by_name(send(get_role_name))
+        roles.first
       end
 
-      send :define_method, :role= do |role|
-        send(set_role_name, role.name)
+      send :define_method, :roles do
+        role_names.collect do |role_name|
+          permissions.call.find_role_by_name(role_name)
+        end.compact
       end
 
       metaclass.send :define_method, :validates_role do |*validate_options|
         validate_options = validate_options[0] || {}
 
         send :define_method, :validate_role do
-          role = permissions.call.find_role_by_name(send(get_role_name))
-          unless role
+          unless role_names.size > 0 && role_names.size == roles.size
             message = validate_options[:message] || I18n.translate('activerecord.errors.messages.inclusion')
-            errors.add get_role_name, message
+            errors.add :role_name, message
           end
         end
 
@@ -46,8 +46,8 @@ module Aegis
         end
 
         send :define_method, :set_default_role_name do
-          if new_record? && send(get_role_name).blank?
-            send(set_role_name, options[:default])
+          if new_record? && role_name.blank?
+            self.role_name = options[:default]
           end
         end
 

data/lib/aegis/sieve.rb

@@ -9,7 +9,7 @@ module Aegis
     end
 
     def may?(context, *args)
-      matches_role = @role_name == 'everyone' || @role_name == context.user.role.name
+      matches_role = @role_name == 'everyone' || @role_name == context.role.name
       if matches_role
         if @block
           block_result = context.instance_exec(*args, &@block)

data/spec/has_role_spec.rb

@@ -21,79 +21,85 @@ describe Aegis::HasRole do
     it "should define accessors for the role association" do
       user = @user_class.new
       user.should respond_to(:role)
-      user.should respond_to(:role=)
+      user.should respond_to(:roles)
+    end
+
+    it "should allow a default for new records" do
+      permissions_class = @permissions_class
+      @user_class.class_eval { has_role :permissions => permissions_class, :default => "admin" }
+      user = @user_class.new
+      user.role_name.should == 'admin'
     end
 
   end
 
   describe 'role' do
 
-    it "should be nil by default" do
+    it "should return the first role" do
       user = @user_class.new
-      user.role.should be_nil
+      user.should_receive(:roles).and_return(['first role', 'second role'])
+      user.role.should == 'first role'
     end
 
-    it "should return the role corresponding to the role_name" do
-      user = @user_class.new(:role_name => 'admin')
-      user.role.name.should == 'admin'
-    end
-
-    it "should be nil if the role_name doesn't match a known role" do
-      user = @user_class.new(:role_name => 'nonexisting_role_name')
+    it "should be nil if no roles are associated" do
+      user = @user_class.new
+      user.should_receive(:roles).and_return([])
       user.role.should be_nil
     end
 
-    it "should read the role name from a custom reader" do
-      permissions_class = @permissions_class
-      @user_class.class_eval { has_role :reader => "role_handle", :permissions => permissions_class }
-      user = @user_class.new
-      user.should_receive(:role_handle).and_return('admin')
-      user.role
-    end
+  end
 
-    it "should read the role name from a custom accessor" do
-      permissions_class = @permissions_class
-      @user_class.class_eval { has_role :accessor => "role_handle", :permissions => permissions_class }
+  describe 'roles' do
+
+    it "should return the corresponding role for each role name" do
       user = @user_class.new
-      user.should_receive(:role_handle).and_return('admin')
-      user.role
+      user.should_receive(:role_names).and_return(['admin', 'user'])
+      user.roles.collect(&:name).should == ['admin', 'user']
     end
 
-    it "should take a default role" do
-      permissions_class = @permissions_class
-      @user_class.class_eval { has_role :default => "admin", :permissions => permissions_class }
+    it "should ignore unknown role names that doesn't match a known role" do
       user = @user_class.new
-      user.role.name.should == 'admin'
+      user.should_receive(:role_names).and_return(['unknown role', 'user'])
+      user.roles.collect(&:name).should == ['user']
     end
 
   end
 
-  describe 'role=' do
+  describe 'role_names' do
 
-    before :each do
-      @admin_role = @permissions_class.find_role_by_name('admin')
+    it "should be empty if the role name is blank" do
+      user = @user_class.new(:role_name => '')
+      user.role_names.should be_empty
     end
 
-    it "should write the role name to the role_name attribute" do
-      user = @user_class.new
-      user.should_receive(:role_name=).with('admin')
-      user.role = @admin_role
+    it "should be empty if the role_name is nil" do
+      user = @user_class.new(:role_name => nil)
+      user.role_names.should be_empty
     end
 
-    it "should write the role name to a custom writer" do
-      permissions_class = @permissions_class
-      @user_class.class_eval { has_role :writer => "role_handle=", :permissions => permissions_class }
-      user = @user_class.new
-      user.should_receive(:role_handle=).with('admin')
-      user.role = @admin_role
+    it "should deserialize a single role name into an array with a single element" do
+      user = @user_class.new(:role_name => 'admin')
+      user.role_names.should == ['admin']
     end
 
-    it "should write the role name to a custom accessor" do
-      permissions_class = @permissions_class
-      @user_class.class_eval { has_role :accessor => "role_handle", :permissions => permissions_class }
+    it "should deserialize multiple, comma-separated role names into an array" do
+      user = @user_class.new(:role_name => 'admin,user')
+      user.role_names.should == ['admin', 'user']
+    end
+
+    it "should ignore whitespace around the comma-separator" do
+      user = @user_class.new(:role_name => 'admin , user')
+      user.role_names.should == ['admin', 'user']
+    end
+    
+  end
+
+  describe 'role_names=' do
+
+    it "should serialize the given array into a comma-separated string and store it into #role_name" do
       user = @user_class.new
-      user.should_receive(:role_handle=).with('admin')
-      user.role = @admin_role
+      user.should_receive(:role_name=).with("first,second")
+      user.role_names = ['first', 'second']
     end
 
   end
@@ -147,20 +153,26 @@ describe Aegis::HasRole do
       user.run_callbacks(:validate)
     end
 
-    it "should add an inclusion error to the role name if the role name is blank" do
+    it "should add an inclusion error to the role name if the role name is nil" do
+      user = @user_class.new(:role_name => nil)
+      user.errors.should_receive(:add).with(:role_name, I18n.translate('activerecord.errors.messages.inclusion'))
+      user.send(:validate_role)
+    end
+
+    it "should add an inclusion error to the role name if the role name is an empty string" do
       user = @user_class.new(:role_name => '')
       user.errors.should_receive(:add).with(:role_name, I18n.translate('activerecord.errors.messages.inclusion'))
       user.send(:validate_role)
     end
 
-    it "should add an inclusion error to the role name if the role name doesn't match a role" do
-      user = @user_class.new(:role_name => 'nonexisting_role')
+    it "should add an inclusion error to the role name if a role name doesn't match a role" do
+      user = @user_class.new(:role_name => 'user,nonexisting_role')
       user.errors.should_receive(:add).with(:role_name, I18n.translate('activerecord.errors.messages.inclusion'))
       user.send(:validate_role)
     end
 
-    it "should add no error if the role name matches a role" do
-      user = @user_class.new(:role_name => 'admin')
+    it "should add no error if all role names matches a role" do
+      user = @user_class.new(:role_name => 'admin,user')
       user.errors.should_not_receive(:add)
       user.send(:validate_role)
     end

data/spec/permissions_spec.rb

@@ -5,6 +5,7 @@ describe Aegis::Permissions do
   before(:each) do
 
     permissions = @permissions = Class.new(Aegis::Permissions) do
+      role :guest
       role :user
       role :moderator
       role :admin, :default_permission => :allow
@@ -117,6 +118,40 @@ describe Aegis::Permissions do
 
     end
 
+    describe 'multiple roles' do
+
+      before(:each) do
+
+        @permissions.class_eval do
+          action :update_news do
+            allow :moderator
+          end
+        end
+
+      end
+
+      it "should allow a user with multiple roles access if at least one role passes, even if other roles don't" do
+        person = @user_class.new(:role_names => ['user', 'moderator'])
+        @permissions.may?(person, 'update_news').should be_true
+      end
+
+      it "should deny a user with multiple roles access if no role passes" do
+        person = @user_class.new(:role_names => ['user', 'guest'])
+        @permissions.may?(person, 'update_news').should be_false
+      end
+
+      it "should deny a user with no roles access" do
+        person = @user_class.new(:role_names => [])
+        @permissions.may?(person, 'update_news').should be_false
+      end
+
+      it "should honor default permissions" do
+        person = @user_class.new(:role_names => ['admin'])
+        @permissions.may?(person, 'update_news').should be_true
+      end
+
+    end
+
     it "should run sieves in a sequence, the result being the last matching sieve" do
 
       @permissions.class_eval do

data/spec/sieve_spec.rb

@@ -4,8 +4,8 @@ describe Aegis::Sieve do
 
   before(:each) do
     @role = stub('role', :name => 'user')
-    @user = stub('user', :role => @role)
-    @context = OpenStruct.new(:user => @user)
+    # user = stub('user', :role => role)
+    @context = OpenStruct.new(:role => @role)
   end
 
   describe 'may? 'do

metadata

@@ -4,9 +4,9 @@ version: !ruby/object:Gem::Version
   prerelease: false
   segments: 
   - 2
+  - 1
   - 0
-  - 4
-  version: 2.0.4
+  version: 2.1.0
 platform: ruby
 authors: 
 - Henning Koch
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-05-29 00:00:00 +02:00
+date: 2010-07-25 00:00:00 +02:00
 default_executable: 
 dependencies: []
 
@@ -128,8 +128,8 @@ test_files:
 - spec/app_root/lib/console_with_fixtures.rb
 - spec/action_controller_spec.rb
 - spec/controllers/reviews_controller_spec.rb
-- spec/has_role_spec.rb
-- spec/permissions_spec.rb
 - spec/spec_helper.rb
 - spec/loader_spec.rb
+- spec/has_role_spec.rb
+- spec/permissions_spec.rb
 - spec/sieve_spec.rb