annotation_security 1.0.1 → 1.0.2
Sign up to get free protection for your applications and to get access to all the features.
- data/CHANGELOG.md +14 -0
- data/HOW-TO.md +275 -0
- data/{MIT-LICENSE → LICENSE} +1 -1
- data/README.md +39 -0
- data/Rakefile +62 -55
- data/assets/app/helpers/annotation_security_helper.rb +8 -8
- data/assets/config/initializers/annotation_security.rb +11 -11
- data/assets/config/security/relations.rb +20 -20
- data/assets/vendor/plugins/annotation_security/init.rb +13 -13
- data/bin/annotation_security +7 -7
- data/lib/annotation_security/exceptions.rb +124 -124
- data/lib/annotation_security/exec.rb +188 -188
- data/lib/annotation_security/filters.rb +37 -37
- data/lib/annotation_security/includes/action_controller.rb +144 -143
- data/lib/annotation_security/includes/active_record.rb +27 -27
- data/lib/annotation_security/includes/helper.rb +215 -215
- data/lib/annotation_security/includes/resource.rb +84 -84
- data/lib/annotation_security/includes/role.rb +30 -30
- data/lib/annotation_security/includes/user.rb +26 -26
- data/lib/annotation_security/manager/policy_factory.rb +29 -29
- data/lib/annotation_security/manager/policy_manager.rb +79 -79
- data/lib/annotation_security/manager/relation_loader.rb +272 -272
- data/lib/annotation_security/manager/resource_manager.rb +36 -36
- data/lib/annotation_security/manager/right_loader.rb +87 -87
- data/lib/annotation_security/model_observer.rb +61 -61
- data/lib/annotation_security/policy/abstract_policy.rb +344 -344
- data/lib/annotation_security/policy/abstract_static_policy.rb +75 -75
- data/lib/annotation_security/policy/all_resources_policy.rb +20 -20
- data/lib/annotation_security/policy/rule.rb +340 -340
- data/lib/annotation_security/policy/rule_set.rb +138 -138
- data/lib/annotation_security/rails.rb +38 -38
- data/lib/annotation_security/user_wrapper.rb +73 -73
- data/lib/annotation_security/utils.rb +141 -141
- data/lib/annotation_security/version.rb +10 -0
- data/lib/annotation_security.rb +102 -97
- data/lib/extensions/action_controller.rb +32 -32
- data/lib/extensions/active_record.rb +34 -34
- data/lib/extensions/filter.rb +133 -133
- data/lib/extensions/object.rb +10 -10
- data/lib/security_context.rb +589 -551
- data/spec/annotation_security/exceptions_spec.rb +16 -16
- data/spec/annotation_security/includes/helper_spec.rb +82 -82
- data/spec/annotation_security/manager/policy_manager_spec.rb +15 -15
- data/spec/annotation_security/manager/resource_manager_spec.rb +17 -17
- data/spec/annotation_security/manager/right_loader_spec.rb +17 -17
- data/spec/annotation_security/policy/abstract_policy_spec.rb +16 -16
- data/spec/annotation_security/policy/all_resources_policy_spec.rb +24 -24
- data/spec/annotation_security/policy/rule_set_spec.rb +112 -112
- data/spec/annotation_security/policy/rule_spec.rb +77 -77
- data/spec/annotation_security/policy/test_policy_spec.rb +80 -80
- data/spec/annotation_security/security_context_spec.rb +78 -78
- data/spec/annotation_security/utils_spec.rb +73 -73
- data/spec/helper/test_controller.rb +65 -65
- data/spec/helper/test_helper.rb +5 -5
- data/spec/helper/test_relations.rb +6 -6
- data/spec/helper/test_resource.rb +38 -38
- data/spec/helper/test_role.rb +21 -21
- data/spec/helper/test_user.rb +31 -31
- data/spec/rails_stub.rb +37 -37
- metadata +94 -72
- data/CHANGELOG +0 -2
- data/HOW-TO +0 -261
- data/README +0 -39
data/lib/extensions/filter.rb
CHANGED
@@ -1,134 +1,134 @@
|
|
1
|
-
#
|
2
|
-
# = lib/extensions/filter.rb
|
3
|
-
#
|
4
|
-
# Adds security filters to the Rails filter mechanism.
|
5
|
-
#
|
6
|
-
# Modifies ActionController::Filter::FilterChain. Might not work with other
|
7
|
-
# gems modifying this class.
|
8
|
-
#
|
9
|
-
|
10
|
-
# Extends ActiveRecord::Base and patches ActionController::Filters
|
11
|
-
#
|
12
|
-
# Performs additions to the rails filter chain. It basically adds two
|
13
|
-
# filters which may not be removed:
|
14
|
-
#
|
15
|
-
# 1) Before Fiter to initialize SecurityContext
|
16
|
-
# 2) Around Filter around actions
|
17
|
-
#
|
18
|
-
# The altered filter chain looks like this:
|
19
|
-
#
|
20
|
-
# * AnnotationSecurity::Filters::InitializeSecurity
|
21
|
-
# * ... other before filters
|
22
|
-
# * around filters ...
|
23
|
-
# * AnnotationSecurity::Filters::ApplySecurity
|
24
|
-
# * after filters
|
25
|
-
#
|
26
|
-
module ActionController # :nodoc:
|
27
|
-
module Filters # :nodoc:
|
28
|
-
class FilterChain # :nodoc:
|
29
|
-
def self.new(&block)
|
30
|
-
|
31
|
-
filter_chain.append_filter_to_chain([AnnotationSecurity::Filters::InitializeSecurity], :security, &block)
|
32
|
-
filter_chain.append_filter_to_chain([AnnotationSecurity::Filters::ApplySecurity], :action_security, &block)
|
33
|
-
end
|
34
|
-
end
|
35
|
-
|
36
|
-
private
|
37
|
-
|
38
|
-
def find_filter_append_position(filters, filter_type)
|
39
|
-
# appending an after filter puts it at the end of the call chain
|
40
|
-
# before and around filters go after security filters and
|
41
|
-
# before the first after or action_security filter
|
42
|
-
#
|
43
|
-
return -1 if filter_type == :after
|
44
|
-
|
45
|
-
if filter_type == :security
|
46
|
-
#security filters are first filters in chain
|
47
|
-
each_with_index do |f,i|
|
48
|
-
return i unless f.security?
|
49
|
-
end
|
50
|
-
else
|
51
|
-
each_with_index do |f,i|
|
52
|
-
return i if f.after? or f.action_security?
|
53
|
-
end
|
54
|
-
end
|
55
|
-
return -1
|
56
|
-
end
|
57
|
-
|
58
|
-
def find_filter_prepend_position(filters, filter_type)
|
59
|
-
if filter_type == :after
|
60
|
-
# after filters go before the first after filter in the chain
|
61
|
-
each_with_index do |f,i|
|
62
|
-
return i if f.after?
|
63
|
-
end
|
64
|
-
return -1
|
65
|
-
elsif filter_type == :security
|
66
|
-
return 0
|
67
|
-
else
|
68
|
-
# prepending a before or around filter puts it at the front of the call chain
|
69
|
-
each_with_index do |f,i|
|
70
|
-
return i unless f.security?
|
71
|
-
end
|
72
|
-
end
|
73
|
-
return 0 # Since first filter is security initialization filter
|
74
|
-
end
|
75
|
-
|
76
|
-
def find_or_create_filter(filter, filter_type, options = {})
|
77
|
-
update_filter_in_chain([filter], options)
|
78
|
-
|
79
|
-
if found_filter = find(filter) { |f| f.type == filter_type }
|
80
|
-
found_filter
|
81
|
-
else
|
82
|
-
filter_kind = case
|
83
|
-
when filter.respond_to?(:before) && filter_type == :before
|
84
|
-
:before
|
85
|
-
when filter.respond_to?(:after) && filter_type == :after
|
86
|
-
:after
|
87
|
-
else
|
88
|
-
:filter
|
89
|
-
end
|
90
|
-
|
91
|
-
case filter_type
|
92
|
-
when :before
|
93
|
-
BeforeFilter.new(filter_kind, filter, options)
|
94
|
-
when :after
|
95
|
-
AfterFilter.new(filter_kind, filter, options)
|
96
|
-
when :security
|
97
|
-
SecurityFilter.new(filter_kind, filter, options)
|
98
|
-
when :action_security
|
99
|
-
ActionSecurityFilter.new(filter_kind, filter, options)
|
100
|
-
else
|
101
|
-
AroundFilter.new(filter_kind, filter, options)
|
102
|
-
end
|
103
|
-
end
|
104
|
-
end
|
105
|
-
end
|
106
|
-
|
107
|
-
class Filter # :nodoc:
|
108
|
-
|
109
|
-
# override to return true in appropriate subclass
|
110
|
-
def security?
|
111
|
-
false
|
112
|
-
end
|
113
|
-
|
114
|
-
def action_security?
|
115
|
-
false
|
116
|
-
end
|
117
|
-
end
|
118
|
-
|
119
|
-
# the customized security filter that sets the current user
|
120
|
-
# and catches security exceptions
|
121
|
-
class SecurityFilter < AroundFilter # :nodoc:
|
122
|
-
def security?
|
123
|
-
true
|
124
|
-
end
|
125
|
-
end
|
126
|
-
|
127
|
-
# filter used to activate security for actions
|
128
|
-
class ActionSecurityFilter < AroundFilter # :nodoc:
|
129
|
-
def action_security?
|
130
|
-
true
|
131
|
-
end
|
132
|
-
end
|
133
|
-
end
|
1
|
+
#
|
2
|
+
# = lib/extensions/filter.rb
|
3
|
+
#
|
4
|
+
# Adds security filters to the Rails filter mechanism.
|
5
|
+
#
|
6
|
+
# Modifies ActionController::Filter::FilterChain. Might not work with other
|
7
|
+
# gems modifying this class.
|
8
|
+
#
|
9
|
+
|
10
|
+
# Extends ActiveRecord::Base and patches ActionController::Filters
|
11
|
+
#
|
12
|
+
# Performs additions to the rails filter chain. It basically adds two
|
13
|
+
# filters which may not be removed:
|
14
|
+
#
|
15
|
+
# 1) Before Fiter to initialize SecurityContext
|
16
|
+
# 2) Around Filter around actions
|
17
|
+
#
|
18
|
+
# The altered filter chain looks like this:
|
19
|
+
#
|
20
|
+
# * AnnotationSecurity::Filters::InitializeSecurity
|
21
|
+
# * ... other before filters
|
22
|
+
# * around filters ...
|
23
|
+
# * AnnotationSecurity::Filters::ApplySecurity
|
24
|
+
# * after filters
|
25
|
+
#
|
26
|
+
module ActionController # :nodoc:
|
27
|
+
module Filters # :nodoc:
|
28
|
+
class FilterChain # :nodoc:
|
29
|
+
def self.new(&block)
|
30
|
+
super.tap do |filter_chain|
|
31
|
+
filter_chain.append_filter_to_chain([AnnotationSecurity::Filters::InitializeSecurity], :security, &block)
|
32
|
+
filter_chain.append_filter_to_chain([AnnotationSecurity::Filters::ApplySecurity], :action_security, &block)
|
33
|
+
end
|
34
|
+
end
|
35
|
+
|
36
|
+
private
|
37
|
+
|
38
|
+
def find_filter_append_position(filters, filter_type)
|
39
|
+
# appending an after filter puts it at the end of the call chain
|
40
|
+
# before and around filters go after security filters and
|
41
|
+
# before the first after or action_security filter
|
42
|
+
#
|
43
|
+
return -1 if filter_type == :after
|
44
|
+
|
45
|
+
if filter_type == :security
|
46
|
+
#security filters are first filters in chain
|
47
|
+
each_with_index do |f,i|
|
48
|
+
return i unless f.security?
|
49
|
+
end
|
50
|
+
else
|
51
|
+
each_with_index do |f,i|
|
52
|
+
return i if f.after? or f.action_security?
|
53
|
+
end
|
54
|
+
end
|
55
|
+
return -1
|
56
|
+
end
|
57
|
+
|
58
|
+
def find_filter_prepend_position(filters, filter_type)
|
59
|
+
if filter_type == :after
|
60
|
+
# after filters go before the first after filter in the chain
|
61
|
+
each_with_index do |f,i|
|
62
|
+
return i if f.after?
|
63
|
+
end
|
64
|
+
return -1
|
65
|
+
elsif filter_type == :security
|
66
|
+
return 0
|
67
|
+
else
|
68
|
+
# prepending a before or around filter puts it at the front of the call chain
|
69
|
+
each_with_index do |f,i|
|
70
|
+
return i unless f.security?
|
71
|
+
end
|
72
|
+
end
|
73
|
+
return 0 # Since first filter is security initialization filter
|
74
|
+
end
|
75
|
+
|
76
|
+
def find_or_create_filter(filter, filter_type, options = {})
|
77
|
+
update_filter_in_chain([filter], options)
|
78
|
+
|
79
|
+
if found_filter = find(filter) { |f| f.type == filter_type }
|
80
|
+
found_filter
|
81
|
+
else
|
82
|
+
filter_kind = case
|
83
|
+
when filter.respond_to?(:before) && filter_type == :before
|
84
|
+
:before
|
85
|
+
when filter.respond_to?(:after) && filter_type == :after
|
86
|
+
:after
|
87
|
+
else
|
88
|
+
:filter
|
89
|
+
end
|
90
|
+
|
91
|
+
case filter_type
|
92
|
+
when :before
|
93
|
+
BeforeFilter.new(filter_kind, filter, options)
|
94
|
+
when :after
|
95
|
+
AfterFilter.new(filter_kind, filter, options)
|
96
|
+
when :security
|
97
|
+
SecurityFilter.new(filter_kind, filter, options)
|
98
|
+
when :action_security
|
99
|
+
ActionSecurityFilter.new(filter_kind, filter, options)
|
100
|
+
else
|
101
|
+
AroundFilter.new(filter_kind, filter, options)
|
102
|
+
end
|
103
|
+
end
|
104
|
+
end
|
105
|
+
end
|
106
|
+
|
107
|
+
class Filter # :nodoc:
|
108
|
+
|
109
|
+
# override to return true in appropriate subclass
|
110
|
+
def security?
|
111
|
+
false
|
112
|
+
end
|
113
|
+
|
114
|
+
def action_security?
|
115
|
+
false
|
116
|
+
end
|
117
|
+
end
|
118
|
+
|
119
|
+
# the customized security filter that sets the current user
|
120
|
+
# and catches security exceptions
|
121
|
+
class SecurityFilter < AroundFilter # :nodoc:
|
122
|
+
def security?
|
123
|
+
true
|
124
|
+
end
|
125
|
+
end
|
126
|
+
|
127
|
+
# filter used to activate security for actions
|
128
|
+
class ActionSecurityFilter < AroundFilter # :nodoc:
|
129
|
+
def action_security?
|
130
|
+
true
|
131
|
+
end
|
132
|
+
end
|
133
|
+
end
|
134
134
|
end
|
data/lib/extensions/object.rb
CHANGED
@@ -1,11 +1,11 @@
|
|
1
|
-
#
|
2
|
-
# = lib/extensions/object.rb
|
3
|
-
#
|
4
|
-
|
5
|
-
class Object # :nodoc:
|
6
|
-
|
7
|
-
def __is_resource? # :nodoc:
|
8
|
-
false
|
9
|
-
end
|
10
|
-
|
1
|
+
#
|
2
|
+
# = lib/extensions/object.rb
|
3
|
+
#
|
4
|
+
|
5
|
+
class Object # :nodoc:
|
6
|
+
|
7
|
+
def __is_resource? # :nodoc:
|
8
|
+
false
|
9
|
+
end
|
10
|
+
|
11
11
|
end
|