andrewzielinski-lockdown 0.9.6

data/History.txt

@@ -0,0 +1,195 @@
+== 0.7.1 2009-01-xx
+* Update init.rb with documentation on how to use admin namespaces
+
+== 0.7.0 2009-01-xx
+* Removed lockdown as an executable.  Will always go through the generator used by the framework.
+* Removed references to classy inheritance.  Directly coded some of classy inheritance's functionality into User model.
+
+== 0.6.3 2008-12-02
+* Fixed: Database sync was failing.  Cause of refactor. Apologies
+
+== 0.6.2 2008-12-01
+* Fixed: Made call to action_methods instead of calculating controller actions
+
+== 0.6.1 2008-11-21
+* Fixed: Named routes were not being honored in link_to 
+
+== 0.6.0 2008-11-15
+* Big refactor of internals
+
+== 0.5.22 2008-09-14
+* Update: Add test for future deprecation: Dependencies to be ActiveSupport::Dependencies 
+
+== 0.5.21 2008-09-12
+* Updated lockdown to abide by config.active_record.timestamped_migrations introduced in Rails 2.1.1 
+* Fixed: schlick fixed an issue with the user_groups edit.html.erb.  thanks Michael!
+
+== 0.5.20 2008-08-04
+* Fixed authorized? method to avoid ActionController::Routing::Routes.recognize_path invalid return values
+* Added option[:session_timeout_method]. This method will be called when the session times out.
+
+== 0.5.19 2008-08-01
+* Modified the lockdown system to account for permissions added/removed from user groups in init.rb.  This will NOT manage user groups defined via the admin screens.
+== 0.5.18 2008-07-23
+* Changed the generator options to simplify things. The default now is to generate all templates.
+== 0.5.17 2008-07-21
+* Updated included classy inheritance library 0.6.1.
+== 0.5.16 2008-07-18
+* Updated included classy inheritance library.
+== 0.5.14 2008-07-18
+* Change: option no_migration to skip-migrations to mimick other generator options
+* Fixed: errant creation of sessions directory in app/controllers
+
+== 0.5.13 2008-07-10
+* Add: Support for --namespace option on generator.  Use as ./script generate lockdown --all --namespace=admin
+
+== 0.5.12 2008-07-02
+* Fix: Added production environment conditional to Dependencies.clear.
+
+== 0.5.11 2008-06-25
+* Update: Classy Inheritance to current version 0.4.4
+
+== 0.5.10 2008-06-24
+* Modified: Classy Inheritance is now bundled with Lockdown to simplify the user management screens.
+* Fixed: Templates: Use m.template with views to test for rails version for action_name issue 
+* Added: Templates: Missing javascript for do_highlight
+* Fixed: Templates: Usage of ul for permissions and user groups. 
+* Clean: Templates: Removed unnecessary :locals => {:f => f} attribute in _form partials
+* Clean: Templates: Changed text_field_tag to text_field.  
+
+== 0.5.9 2008-06-19
+* Fixed: Added url.strip! to account for spaces.  URI::split(url) was bombing if url contained spaces.
+
+== 0.5.8 2008-06-17
+* Fixed: External links are no longer restricted by link_to security.
+* Modified: Name of migration that adds admin user.
+
+== 0.5.7 2008-06-13
+* Fixed: Change password template, removed ajax usage. Issue: http://stonean.com/issues/show/5
+
+== 0.5.6 2008-06-05
+* Fixed: Misspelling of respond_to?, for some reason I keep thinking responds_to?
+
+== 0.5.5 2008-06-05
+* Fixed: Changed request comparison code. Requests that were supposed to be passing were failing.
+
+== 0.5.4 2008-06-05
+* Fixed: Issue with helpers in Rails 2.1, @action_name is no longer accessible, must call action_name method.
+* Fixed: Issue with users controller, show method not having user_groups_for_user instance variable
+* Modified: The end of the lockdown executable now references stonean.com instead of rubyforge site.
+
+== 0.5.3 2008-06-01
+* Fixed: Issue with new timestamped based migrations in rails 2.1.  Migration templates created were all done within the same second, therefore having the same timestamp, added a sleep call to the next_migration_string to get around the issue.
+
+* Fixed: User Groups management template had a bug on the show screen.  Was not getting @all_permissions instance variable set.
+
+== 0.5.2 2008-05-26
+* Fixed: make call to Dependencies.clear after inspecting controllers.  Using Dependencies.require_or_load is not sufficient it seems.
+
+== 0.5.1 2008-05-25
+* Fixed: bug with namespaced access having identical standard access.  e.g. /users and /admin/users 
+
+== 0.5.0 2008-05-22
+* Added: new generator options for more control over templates
+* Fixed: sessions_controller successful_login didn't honor Lockdown::System options setting for :successful_login_path
+* Modified: System had [] method which could cause issues in future releases.  Use Lockdown::System.fetch(:option) to retrieve options
+
+== 0.4.6 2008-05-08
+* Fixed: link_to destroy/show conditionals were in wrong order and therefore not working. 
+
+== 0.4.5 2008-05-08
+* Rubyforge having an issue with the gem, I'm getting 404 errors trying to install 0.4.4 so I'm deploying a new version. no code changes.
+
+== 0.4.4 2008-05-08
+* Modified: refactored the link_to_secured and authorized? code to be more efficient
+
+== 0.4.3 2008-05-08
+* Fixed: broken show (and destroy) permission test.  also reduced calls to polymorphic path by generating the url once
+
+== 0.4.2 2008-05-08
+* Fixed: broken link_to functionality. 
+
+== 0.4.1 2008-05-06
+* Just some minor tabs-to-spaces formatting and removed unnecessary helper included into the user model.
+
+== 0.4.0 2008-05-04
+* Added: Automatically sync definitions in init.rb with database to remove migrations requirement 
+* Added: Improved notification if invalid user group or permission is referenced in init.rb
+* Added: Check in user_groups controller to prevent url hack and modify/destroy user group defined in init.rb
+* Modified: Renamed access_rights_for_perm to access_rights_for_permission for consistency sake.  Change then method call in permissions_helper if you have this installed
+
+== 0.3.15 2008-05-03
+* Fixed: The controller inspection code was short-circuiting the Dependencies reload mechanism while in development mode.
+
+== 0.3.14 2008-05-02
+* Fixed:  Session keys to use symbols.  Wasn't correctly expiring the session.  
+
+== 0.3.13 2008-05-02
+* Fixed: The users and user_groups controller templates needed user_groups_for_users and all_permissions (respectively) instance variables set if validation failed on update.
+
+== 0.3.12 2008-05-02
+* Fixed: The timestamps were being set on created_by and updated_by.
+* Changed: The init.rb and lockdown_all interaction to better define where configurations should be placed.
+
+== 0.3.11 2008-05-01
+* Modified: Lockdown::System controller inspect to use "load" instead of "require".
+
+== 0.3.10 2008-05-01
+* Fixed: users_controller management of user_groups was using outdated methods.  this applies only to the stubs produced with the generator
+
+== 0.3.9 2008-05-01
+* Modify: changed controller_classes from array to hash to speed up access
+
+== 0.3.8 2008-05-01
+* Fixed: corrected class loader to ensure ObjectSpace is used only once
+
+== 0.3.7 2008-05-01
+* Fixed: access rights list for permissions. maded modifications to permissions helper as well.
+
+== 0.3.6 2008-04-30
+* Fixed: The block in init.rb does not take a parameter.  This has been removed from the template.
+
+== 0.3.5 2008-04-30
+* Added: Basic configuations to config/lockdown/init.rb when using the generator
+
+== 0.3.4 2008-04-30
+* Fixed: Addition of require 'lockdown/init' to config file
+
+== 0.3.3 2008-04-30
+* Spoke too soon.  Omitted user_group controller change.
+
+== 0.3.2 2008-04-30
+* Management screens looking good.  Now moving on to testing with starter application.
+
+== 0.3.1 2008-04-29
+* Some initital testing done.  
+
+== 0.3.0 2008-04-29
+* Big change in how the system is installed and configured in the project. 
+	Introduced lib/lockdown/init.rb.
+	Removed lib/lockdown/access.rb.
+	Now use more of a Rails-ish initializer functionality.  This adds flexibility
+	and places the core code back in the gem, that's what I was after.
+
+== 0.2.0 2008-04-25
+* First full implementation of generate script "lockdown_all".  Warranted a bump up of the minor version.
+
+== 0.1.4 2008-04-25
+* Uncommented line in config/hoe.rb to hopefully resolved rubigen dependency issue.
+
+== 0.1.3 2008-04-25
+* Still Don't have correct dependencies. Added in first crack at lockdown_all generator.
+
+== 0.1.2 2008-04-25
+* Didn't have correct dependencies.
+
+== 0.1.1 2008-04-24
+* Fixed bug with session cleanup.
+
+== 0.1.0 2008-04-18
+* Nearing public release status.  
+  * In bug testing mode now.
+
+== 0.0.1 2008-04-18
+
+* initial add of gem

data/README.txt

@@ -0,0 +1,36 @@
+lockdown
+    by Andrew Stone
+    http://stonean.com
+
+== DESCRIPTION:
+
+Lockdown is an authorization system for RubyOnRails (ver >= 2.1).
+
+== INSTALL:
+
+  sudo gem install lockdown 
+
+== LICENSE:
+
+(The MIT License)
+
+Copyright (c) 2009 Andrew Stone
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,41 @@
+# Look in the tasks/setup.rb file for the various options that can be
+# configured in this Rakefile. The .rake files in the tasks directory
+# are where the options are used.
+
+begin
+  require 'bones'
+  Bones.setup
+rescue LoadError
+  load 'tasks/setup.rb'
+end
+
+ensure_in_path 'lib'
+require 'lockdown'
+
+task :default => 'rcov'
+
+desc "Flog your code for Justice!"
+task :flog do
+    sh('flog lib/**/*.rb')
+end
+
+desc "Run all specs and rcov in a non-sucky way"
+Spec::Rake::SpecTask.new(:rcov) do |t|
+  t.spec_opts = IO.readlines("spec/spec.opts").map {|l| l.chomp.split " "}.flatten
+  t.spec_files = FileList['spec/**/*_spec.rb']
+  t.rcov = true
+  t.rcov_opts = IO.readlines("spec/rcov.opts").map {|l| l.chomp.split " "}.flatten
+end
+
+PROJ.name = 'lockdown'
+PROJ.authors = 'Andrew Stone'
+PROJ.email = 'andy@stonean.com'
+PROJ.url = 'http://stonean.com/wiki/lockdown'
+PROJ.version = Lockdown::VERSION
+PROJ.rubyforge.name = 'lockdown'
+
+PROJ.spec.opts << '--color'
+PROJ.exclude << ".swp"
+PROJ.exclude << ".gitignore"
+
+# EOF

data/lib/lockdown.rb

@@ -0,0 +1,70 @@
+require File.join(File.dirname(__FILE__), "lockdown", "helper")
+
+module Lockdown
+  extend Lockdown::Helper
+
+  VERSION = '0.9.6'
+
+  # Returns the version string for the library.
+  def self.version
+    VERSION
+  end
+
+  def self.major_version
+    version.split('.')[0].to_i
+  end
+
+  def self.minor_version
+    version.split('.')[1].to_i
+  end
+
+  def self.patch_version
+    version.split('.')[2].to_i
+  end
+
+  # Mixin Lockdown code to the appropriate framework and ORM
+  def self.mixin
+    if mixin_resource?("frameworks")
+      unless mixin_resource?("orms")
+        raise NotImplementedError, "ORM unknown to Lockdown!"
+      end
+
+      if File.exists?(Lockdown.init_file)
+        puts "=> Requiring Lockdown rules engine: #{Lockdown.init_file} \n"
+        require Lockdown.init_file
+      else
+        puts "=> Note:: Lockdown couldn't find init file: #{Lockdown.init_file}\n"
+      end
+    else
+      puts "=> Note:: Lockdown cannot determine framework and therefore is not active.\n"
+    end
+  end # mixin
+
+  private
+
+  def self.mixin_resource?(str)
+    wildcard_path = File.join( File.dirname(__FILE__), 'lockdown', str , '*.rb' ) 
+    Dir[wildcard_path].each do |f|
+      require f
+      module_name = File.basename(f).split(".")[0]
+      module_class = eval("Lockdown::#{str.capitalize}::#{Lockdown.camelize(module_name)}")
+      if module_class.use_me?
+        include module_class
+        return true
+      end
+    end
+    false
+  end # mixin_resource?
+end # Lockdown
+
+require File.join(File.dirname(__FILE__), "lockdown", "session")
+require File.join(File.dirname(__FILE__), "lockdown", "context")
+require File.join(File.dirname(__FILE__), "lockdown", "permission")
+require File.join(File.dirname(__FILE__), "lockdown", "database")
+require File.join(File.dirname(__FILE__), "lockdown", "rules")
+require File.join(File.dirname(__FILE__), "lockdown", "system")
+
+puts "=> Mixing in Lockdown version: #{Lockdown.version} \n"
+
+Lockdown.mixin
+

data/lib/lockdown/context.rb

@@ -0,0 +1,41 @@
+module Lockdown
+  class Context
+    attr_accessor :name, :allowed_methods
+
+    def to_s
+      self.class.to_s
+    end
+
+    def allows?(method_name)
+      @allowed_methods.include?(method_name)
+    end
+  end
+
+  class RootContext < Context
+    def initialize(name)
+      @name = name
+      @allowed_methods = %w(with_controller and_controller to_model)
+    end
+  end
+
+  class ControllerContext < Context
+    def initialize(name)
+      @name = name
+      @allowed_methods = %w(with_controller and_controller to_model only_methods except_methods)
+    end
+  end
+
+  class ModelContext < Context
+    def initialize(name)
+      @name = name
+      @allowed_methods = %w(where)
+    end
+  end
+
+  class ModelWhereContext < Context
+    def initialize(name)
+      @name = name
+      @allowed_methods = %w(is_in includes equals)
+    end
+  end
+end

data/lib/lockdown/database.rb

@@ -0,0 +1,105 @@
+module Lockdown
+  class Database
+    class << self
+      # This is very basic and could be handled better using orm specific
+      # functionality, but I wanted to keep it generic to avoid creating 
+      # an interface for each the different orm implementations. 
+      # We'll see how it works...
+      def sync_with_db
+
+        @permissions = Lockdown::System.get_permissions
+        @user_groups = Lockdown::System.get_user_groups
+
+        create_new_permissions
+
+        delete_extinct_permissions
+      
+        maintain_user_groups
+      rescue Exception => e
+        puts ">> Lockdown sync failed: #{e}" 
+      end
+
+      # Create permissions not found in the database
+      def create_new_permissions
+        @permissions.each do |key|
+          next if Lockdown::System.permission_assigned_automatically?(key)
+          str = Lockdown.get_string(key)
+          p = ::Permission.find(:first, :conditions => ["name = ?", str])
+          unless p
+            puts ">> Lockdown: Permission not found in db: #{str}, creating."
+            ::Permission.create(:name => str)
+          end
+        end
+      end
+
+      # Delete the permissions not found in init.rb
+      def delete_extinct_permissions
+        db_perms = ::Permission.find(:all).dup
+        db_perms.each do |dbp|
+          unless @permissions.include?(Lockdown.get_symbol(dbp.name))
+            puts ">> Lockdown: Permission no longer in init.rb: #{dbp.name}, deleting."
+            Lockdown.database_execute("delete from permissions_user_groups where permission_id = #{dbp.id}")
+            dbp.destroy
+          end
+        end
+      end
+
+      def maintain_user_groups
+        # Create user groups not found in the database
+        @user_groups.each do |key|
+          str = Lockdown.get_string(key)
+          unless ug = ::UserGroup.find(:first, :conditions => ["name = ?", str])
+            create_user_group(str, key)
+          else
+            # Remove permissions from user group not found in init.rb
+            remove_invalid_permissions(ug, key)
+
+            # Add in permissions from init.rb not found in database
+            add_valid_permissions(ug, key)
+          end
+        end
+      end
+
+      def create_user_group(name_str, key)
+        puts ">> Lockdown: UserGroup not in the db: #{name_str}, creating."
+        ug = ::UserGroup.create(:name => name_str)
+        #Inefficient, definitely, but shouldn't have any issues across orms.
+        Lockdown::System.permissions_for_user_group(key).each do |perm|
+          p = ::Permission.find(:first, :conditions => ["name = ?", 
+                                Lockdown.get_string(perm)])
+
+          Lockdown.database_execute "insert into permissions_user_groups(permission_id, user_group_id) values(#{p.id}, #{ug.id})"
+        end
+      end
+
+      def remove_invalid_permissions(ug, key)
+        ug.permissions.each do |perm|
+          perm_sym = Lockdown.get_symbol(perm)
+          perm_string = Lockdown.get_string(perm)
+          unless Lockdown::System.permissions_for_user_group(key).include?(perm_sym)
+            puts ">> Lockdown: Permission: #{perm_string} no longer associated to User Group: #{ug.name}, deleting."
+            ug.permissions.delete(perm)
+          end
+        end
+      end
+
+      def add_valid_permissions(ug, key)
+        Lockdown::System.permissions_for_user_group(key).each do |perm|
+          perm_string = Lockdown.get_string(perm)
+          found = false
+          # see if permission exists
+          ug.permissions.each do |p|
+            found = true if Lockdown.get_string(p) == perm_string 
+          end
+          # if not found, add it
+          unless found
+            puts ">> Lockdown: Permission: #{perm_string} not found for User Group: #{ug.name}, adding it."
+            p = ::Permission.find(:first, :conditions => ["name = ?", perm_string])
+            ug.permissions << p
+          end
+        end
+      end
+
+    end # class block
+  end # Database
+end #Lockdown