aegis 1.1.3

data/.gitignore

@@ -0,0 +1,3 @@
+doc
+pkg
+*.gem

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2009 Henning Koch
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,176 @@
+= Aegis - role-based permissions for your user models
+
+Aegis allows you to manage fine-grained, complex permission for user accounts in a central place.
+
+== Installation
+
+Add the following to your <tt>Initializer.run</tt> block in your <tt>environment.rb</tt>:
+    config.gem 'makandra-aegis', :lib => 'aegis', :source => 'http://gems.github.com'
+Then do a 
+    sudo rake gems:install
+
+Alternatively, use
+    sudo gem sources -a http://gems.github.com
+    sudo gem install makandra-aegis
+
+== Example 
+
+First, let's define some roles:
+
+    # app/models/permissions.rb
+    class Permissions < Aegis::Permissions
+
+      role :guest
+      role :registered_user
+      role :moderator
+      role :administrator, :default_permission => :allow
+      
+      permission :edit_post do |user, post|
+        allow :registered_user do
+          post.creator == user      # a registered_user can only edit his own posts
+        end
+        allow :moderator
+      end
+      
+      permission :read_post do |post|
+        allow :everyone
+        deny :guest do
+          post.private?             # guests may not read private posts
+        end
+      end
+
+    end
+
+
+Now we assign roles to users. For this, the users table needs to have a string
+column +role_name+.
+
+    # app/models/user.rb
+    class User
+      has_role
+    end
+
+
+These permissions may be used in views and controllers:
+    
+    # app/views/posts/index.html.erb
+    @posts.each do |post|
+      <% if current_user.may_read_post? post %>
+        <%= render post %>
+        <% if current_user.may_edit_post? post %>
+          <%= link_to 'Edit', edit_post_path(post) %>
+        <% end %>
+      <% end %>
+    <% end %>
+
+
+    # app/controllers/posts_controller.rb
+    class PostsController
+      # ...
+
+      def update
+        @post = Post.find(params[:id])
+        current_user.may_edit_post! @post    # raises an Aegis::PermissionError for unauthorized access
+        # ...
+      end
+
+    end
+
+== Details
+
+=== Roles
+
+To equip a (user) model with any permissions, you simply call *has_role* within
+the model:
+    class User < ActiveRecord::Base
+      has_role
+    end
+Aegis assumes that the corresponding database table has a string-valued column
+called +role_name+. You may override the name with the <tt>:name_accessor =>
+:my_role_column</tt> option.
+
+The roles and permissions themselves are defined in a class inheriting from
+<b>Aegis::Permissions</b>. To define roles you create a model <tt>permissions.rb</tt>
+and use the *role* method:
+    class Permissions < Aegis::Permissions
+      role 'role_name'
+    end
+
+By default, users belonging to this role are not permitted anything. You may
+override this with <tt>:default_permission => :allow</tt>, e.g.
+    role 'admin', :default_permission => :allow
+
+=== Permissions
+
+Permissions are specified with the *permission* method and *allow* and *deny*
+    permission :do_something do
+        allow :role_a, :role_b
+        deny :role_c
+    end
+
+Your user model just received two methods called <b>User#may_do_something?</b>
+and <b>User#may_do_something!</b>. The first one with the ? returns true for users with
++role_a+ and +role_b+, and false for users with +role_c+. The second one with the ! raises an
+Aegis::PermissionError for +role_c+.
+
+=== Normalization
+
+Aegis will perform some normalization. For example, the permissions
++edit_something+ and +update_something+ will be the same, each granting both 
+<tt>may_edit_something?</tt> and <tt>may_update_something?</tt>. The following normalizations
+are active:
+* edit = update
+* show = list = view = read
+* delete = remove = destroy
+
+=== Complex permissions (with parameters)
+ 
+*allow* and *deny* can also take a block that may return +true+ or +false+
+indicating if this really applies. So
+    permission :pull_april_fools_prank do
+      allow :everyone do
+        Date.today.month == 4 and Date.today.day == 1
+      end
+    end
+will generate a <tt>may_pull_april_fools_prank?</tt> method that only returns true on
+April 1.
+
+This becomes more useful if you pass parameters to a <tt>may_...?</tt> method, which
+are passed through to the permission block (together with the user object). This
+way you can define more complex permissions like
+    permission :edit_post do |current_user, post|
+      allow :registered_user do
+        post.owner == current_user
+      end
+      allow :admin
+    end
+which will permit admins and post owners to edit posts.
+
+=== For your convenience
+
+As a convenience, if you create a permission ending in a plural 's', this
+automatically includes the singular form. That is, after
+    permission :read_posts do
+      allow :everyone
+    end
+<tt>.may_read_post? @post</tt> will return true, as well.
+
+If you want to grant +create_something+, +read_something+, +update_something+
+and +destroy_something+ permissions all at once, just use
+    permission :crud_something do
+      allow :admin
+    end
+
+If several permission blocks (or several allow and denies) apply to a certain
+role, the later one always wins. That is
+    permission :do_something do
+      deny :everyone
+      allow :admin
+    end
+will work as expected.
+
+=== Credits
+
+Henning Koch, Tobias Kraze
+
+{link www.makandra.de}[http://www.makandra.de/]

data/Rakefile

@@ -0,0 +1,37 @@
+require 'rake'
+require 'rake/testtask'
+require 'rake/rdoctask'
+
+desc 'Default: run unit tests.'
+task :default => :test
+
+desc 'Test the aegis gem.'
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = true
+end
+
+desc 'Generate documentation for the aegis plugin.'
+Rake::RDocTask.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'Aegis'
+  rdoc.options << '--line-numbers' << '--inline-source'
+  rdoc.rdoc_files.include('README')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gemspec|
+    gemspec.name = "aegis"
+    gemspec.summary = "Role-based permissions for your user models."
+    gemspec.email = "github@makandra.de"
+    gemspec.homepage = "http://github.com/makandra/aegis"
+    gemspec.description = "Aegis is a role-based permission system, where all users are given a role. It is possible to define detailed and complex permissions for each role very easily."
+    gemspec.authors = ["Henning Koch"]
+  end
+rescue LoadError
+  puts "Jeweler not available. Install it with: sudo gem install technicalpickles-jeweler -s http://gems.github.com"
+end
+

data/VERSION

@@ -0,0 +1 @@
+1.1.3

data/aegis.gemspec

@@ -0,0 +1,92 @@
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{aegis}
+  s.version = "1.1.3"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Henning Koch"]
+  s.date = %q{2009-10-15}
+  s.description = %q{Aegis is a role-based permission system, where all users are given a role. It is possible to define detailed and complex permissions for each role very easily.}
+  s.email = %q{github@makandra.de}
+  s.extra_rdoc_files = [
+    "README.rdoc"
+  ]
+  s.files = [
+    ".gitignore",
+     "MIT-LICENSE",
+     "README.rdoc",
+     "Rakefile",
+     "VERSION",
+     "aegis.gemspec",
+     "lib/aegis.rb",
+     "lib/aegis/constants.rb",
+     "lib/aegis/has_role.rb",
+     "lib/aegis/normalization.rb",
+     "lib/aegis/permission_error.rb",
+     "lib/aegis/permission_evaluator.rb",
+     "lib/aegis/permissions.rb",
+     "lib/aegis/role.rb",
+     "lib/rails/active_record.rb",
+     "test/app_root/app/controllers/application_controller.rb",
+     "test/app_root/app/models/permissions.rb",
+     "test/app_root/app/models/soldier.rb",
+     "test/app_root/app/models/user.rb",
+     "test/app_root/config/boot.rb",
+     "test/app_root/config/database.yml",
+     "test/app_root/config/environment.rb",
+     "test/app_root/config/environments/in_memory.rb",
+     "test/app_root/config/environments/mysql.rb",
+     "test/app_root/config/environments/postgresql.rb",
+     "test/app_root/config/environments/sqlite.rb",
+     "test/app_root/config/environments/sqlite3.rb",
+     "test/app_root/config/routes.rb",
+     "test/app_root/db/migrate/20090408115228_create_users.rb",
+     "test/app_root/db/migrate/20090429075648_create_soldiers.rb",
+     "test/app_root/lib/console_with_fixtures.rb",
+     "test/app_root/log/.gitignore",
+     "test/app_root/script/console",
+     "test/has_role_options_test.rb",
+     "test/has_role_test.rb",
+     "test/permissions_test.rb",
+     "test/test_helper.rb",
+     "test/validation_test.rb"
+  ]
+  s.homepage = %q{http://github.com/makandra/aegis}
+  s.rdoc_options = ["--charset=UTF-8"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.3.5}
+  s.summary = %q{Role-based permissions for your user models.}
+  s.test_files = [
+    "test/app_root/app/models/permissions.rb",
+     "test/app_root/app/models/soldier.rb",
+     "test/app_root/app/models/user.rb",
+     "test/app_root/app/controllers/application_controller.rb",
+     "test/app_root/config/environment.rb",
+     "test/app_root/config/environments/mysql.rb",
+     "test/app_root/config/environments/postgresql.rb",
+     "test/app_root/config/environments/sqlite3.rb",
+     "test/app_root/config/environments/in_memory.rb",
+     "test/app_root/config/environments/sqlite.rb",
+     "test/app_root/config/boot.rb",
+     "test/app_root/config/routes.rb",
+     "test/app_root/db/migrate/20090429075648_create_soldiers.rb",
+     "test/app_root/db/migrate/20090408115228_create_users.rb",
+     "test/app_root/lib/console_with_fixtures.rb",
+     "test/validation_test.rb",
+     "test/test_helper.rb",
+     "test/has_role_options_test.rb",
+     "test/has_role_test.rb",
+     "test/permissions_test.rb"
+  ]
+
+  if s.respond_to? :specification_version then
+    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
+    else
+    end
+  else
+  end
+end

data/lib/aegis.rb

@@ -0,0 +1,9 @@
+# Include hook code here
+require 'aegis/constants'
+require 'aegis/normalization'
+require 'aegis/permission_error'
+require 'aegis/role'
+require 'aegis/permissions'
+require 'aegis/has_role'
+require 'rails/active_record'
+

data/lib/aegis/constants.rb

@@ -0,0 +1,6 @@
+module Aegis
+  module Constants
+    EVERYONE_ROLE_NAME = :everyone
+    CRUD_VERBS = ["create", "read", "update", "destroy"]
+  end
+end

data/lib/aegis/has_role.rb

@@ -0,0 +1,77 @@
+module Aegis
+  module HasRole
+  
+    def validates_role_name(options = {})
+      validates_each :role_name do |record, attr, value|
+        options[:message] ||= ActiveRecord::Errors.default_error_messages[:inclusion]
+        role = ::Permissions.find_role_by_name(value)
+        record.errors.add attr, options[:message] if role.nil?
+      end
+    end
+    
+    alias_method :validates_role, :validates_role_name
+
+    def has_role(options = {})
+    
+      if options[:name_accessor]
+        options[:name_reader] = "#{options[:name_accessor]}"
+        options[:name_writer] = "#{options[:name_accessor]}="
+        options.delete(:name_accessor)
+      end
+    
+      self.class_eval do
+      
+        @aegis_role_name_reader = (options[:name_reader] || "role_name").to_sym
+        @aegis_role_name_writer = (options[:name_writer] || "role_name=").to_sym
+        
+        def aegis_role_name_reader
+          self.class.class_eval{ @aegis_role_name_reader }
+        end
+
+        def aegis_role_name_writer
+          self.class.class_eval{ @aegis_role_name_writer }
+        end
+
+        def aegis_role_name
+          send(aegis_role_name_reader)
+        end
+
+        def aegis_role_name=(value)
+          send(aegis_role_name_writer, value)
+        end
+
+        def role
+          ::Permissions.find_role_by_name!(aegis_role_name)
+        end
+        
+        def role=(role_or_name)
+          self.aegis_role_name = if role_or_name.is_a?(Aegis::Role)
+            role_or_name.name
+          else
+            role_or_name.to_s
+          end
+        end
+        
+        private
+    
+        # Delegate may_...? and may_...! methods to the user's role.
+        def method_missing_with_aegis_permissions(symb, *args)
+          method_name = symb.to_s
+          if method_name =~ /^may_(.+?)[\!\?]$/
+            role.send(symb, self, *args)
+          elsif method_name =~ /^(.*?)\?$/ && queried_role = ::Permissions.find_role_by_name($1)
+            role == queried_role
+          else
+            method_missing_without_aegis_permissions(symb, *args)
+          end
+        end
+        
+        alias_method_chain :method_missing, :aegis_permissions
+        
+      end
+
+    end
+  
+  end
+
+end

data/lib/aegis/normalization.rb

@@ -0,0 +1,26 @@
+module Aegis
+  class Normalization
+    
+    VERB_NORMALIZATIONS = {
+      "edit"   => "update",
+      "show"   => "read",
+      "list"   => "read",
+      "view"   => "read",
+      "delete" => "destroy",
+      "remove" => "destroy"
+    }
+    
+    def self.normalize_verb(verb)
+      VERB_NORMALIZATIONS[verb] || verb
+    end
+    
+    def self.normalize_permission(permission)
+      if permission =~ /^([^_]+?)_(.+?)$/
+        verb, target = $1, $2
+        permission = normalize_verb(verb) + "_" + target
+      end
+      permission
+    end
+    
+  end
+end