annotation_security 1.0.1 → 1.0.2
- data/CHANGELOG.md +14 -0
- data/HOW-TO.md +275 -0
- data/{MIT-LICENSE → LICENSE} +1 -1
- data/README.md +39 -0
- data/Rakefile +62 -55
- data/assets/app/helpers/annotation_security_helper.rb +8 -8
- data/assets/config/initializers/annotation_security.rb +11 -11
- data/assets/config/security/relations.rb +20 -20
- data/assets/vendor/plugins/annotation_security/init.rb +13 -13
- data/bin/annotation_security +7 -7
- data/lib/annotation_security/exceptions.rb +124 -124
- data/lib/annotation_security/exec.rb +188 -188
- data/lib/annotation_security/filters.rb +37 -37
- data/lib/annotation_security/includes/action_controller.rb +144 -143
- data/lib/annotation_security/includes/active_record.rb +27 -27
- data/lib/annotation_security/includes/helper.rb +215 -215
- data/lib/annotation_security/includes/resource.rb +84 -84
- data/lib/annotation_security/includes/role.rb +30 -30
- data/lib/annotation_security/includes/user.rb +26 -26
- data/lib/annotation_security/manager/policy_factory.rb +29 -29
- data/lib/annotation_security/manager/policy_manager.rb +79 -79
- data/lib/annotation_security/manager/relation_loader.rb +272 -272
- data/lib/annotation_security/manager/resource_manager.rb +36 -36
- data/lib/annotation_security/manager/right_loader.rb +87 -87
- data/lib/annotation_security/model_observer.rb +61 -61
- data/lib/annotation_security/policy/abstract_policy.rb +344 -344
- data/lib/annotation_security/policy/abstract_static_policy.rb +75 -75
- data/lib/annotation_security/policy/all_resources_policy.rb +20 -20
- data/lib/annotation_security/policy/rule.rb +340 -340
- data/lib/annotation_security/policy/rule_set.rb +138 -138
- data/lib/annotation_security/rails.rb +38 -38
- data/lib/annotation_security/user_wrapper.rb +73 -73
- data/lib/annotation_security/utils.rb +141 -141
- data/lib/annotation_security/version.rb +10 -0
- data/lib/annotation_security.rb +102 -97
- data/lib/extensions/action_controller.rb +32 -32
- data/lib/extensions/active_record.rb +34 -34
- data/lib/extensions/filter.rb +133 -133
- data/lib/extensions/object.rb +10 -10
- data/lib/security_context.rb +589 -551
- data/spec/annotation_security/exceptions_spec.rb +16 -16
- data/spec/annotation_security/includes/helper_spec.rb +82 -82
- data/spec/annotation_security/manager/policy_manager_spec.rb +15 -15
- data/spec/annotation_security/manager/resource_manager_spec.rb +17 -17
- data/spec/annotation_security/manager/right_loader_spec.rb +17 -17
- data/spec/annotation_security/policy/abstract_policy_spec.rb +16 -16
- data/spec/annotation_security/policy/all_resources_policy_spec.rb +24 -24
- data/spec/annotation_security/policy/rule_set_spec.rb +112 -112
- data/spec/annotation_security/policy/rule_spec.rb +77 -77
- data/spec/annotation_security/policy/test_policy_spec.rb +80 -80
- data/spec/annotation_security/security_context_spec.rb +78 -78
- data/spec/annotation_security/utils_spec.rb +73 -73
- data/spec/helper/test_controller.rb +65 -65
- data/spec/helper/test_helper.rb +5 -5
- data/spec/helper/test_relations.rb +6 -6
- data/spec/helper/test_resource.rb +38 -38
- data/spec/helper/test_role.rb +21 -21
- data/spec/helper/test_user.rb +31 -31
- data/spec/rails_stub.rb +37 -37
- metadata +94 -72
- data/CHANGELOG +0 -2
- data/HOW-TO +0 -261
- data/README +0 -39
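--- a/data/lib/extensions/filter.rb
+++ b/data/lib/extensions/filter.rb
@@ -1,134 +1,134 @@
-#
-# = lib/extensions/filter.rb
-#
-# Adds security filters to the Rails filter mechanism.
-#
-# Modifies ActionController::Filter::FilterChain. Might not work with other
-# gems modifying this class.
-#
-
-# Extends ActiveRecord::Base and patches ActionController::Filters
-#
-# Performs additions to the rails filter chain. It basically adds two
-# filters which may not be removed:
-#
-# 1) Before Fiter to initialize SecurityContext
-# 2) Around Filter around actions
-#
-# The altered filter chain looks like this:
-#
-# * AnnotationSecurity::Filters::InitializeSecurity
-# * ... other before filters
-# * around filters ...
-# * AnnotationSecurity::Filters::ApplySecurity
-# * after filters
-#
-module ActionController # :nodoc:
-module Filters # :nodoc:
-class FilterChain # :nodoc:
-def self.new(&block)
-
-filter_chain.append_filter_to_chain([AnnotationSecurity::Filters::InitializeSecurity], :security, &block)
-filter_chain.append_filter_to_chain([AnnotationSecurity::Filters::ApplySecurity], :action_security, &block)
-end
-end
-
-private
-
-def find_filter_append_position(filters, filter_type)
-# appending an after filter puts it at the end of the call chain
-# before and around filters go after security filters and
-# before the first after or action_security filter
-#
-return -1 if filter_type == :after
-
-if filter_type == :security
-#security filters are first filters in chain
-each_with_index do |f,i|
-return i unless f.security?
-end
-else
-each_with_index do |f,i|
-return i if f.after? or f.action_security?
-end
-end
-return -1
-end
-
-def find_filter_prepend_position(filters, filter_type)
-if filter_type == :after
-# after filters go before the first after filter in the chain
-each_with_index do |f,i|
-return i if f.after?
-end
-return -1
-elsif filter_type == :security
-return 0
-else
-# prepending a before or around filter puts it at the front of the call chain
-each_with_index do |f,i|
-return i unless f.security?
-end
-end
-return 0 # Since first filter is security initialization filter
-end
-
-def find_or_create_filter(filter, filter_type, options = {})
-update_filter_in_chain([filter], options)
-
-if found_filter = find(filter) { |f| f.type == filter_type }
-found_filter
-else
-filter_kind = case
-when filter.respond_to?(:before) && filter_type == :before
-:before
-when filter.respond_to?(:after) && filter_type == :after
-:after
-else
-:filter
-end
-
-case filter_type
-when :before
-BeforeFilter.new(filter_kind, filter, options)
-when :after
-AfterFilter.new(filter_kind, filter, options)
-when :security
-SecurityFilter.new(filter_kind, filter, options)
-when :action_security
-ActionSecurityFilter.new(filter_kind, filter, options)
-else
-AroundFilter.new(filter_kind, filter, options)
-end
-end
-end
-end
-
-class Filter # :nodoc:
-
-# override to return true in appropriate subclass
-def security?
-false
-end
-
-def action_security?
-false
-end
-end
-
-# the customized security filter that sets the current user
-# and catches security exceptions
-class SecurityFilter < AroundFilter # :nodoc:
-def security?
-true
-end
-end
-
-# filter used to activate security for actions
-class ActionSecurityFilter < AroundFilter # :nodoc:
-def action_security?
-true
-end
-end
-end
+#
+# = lib/extensions/filter.rb
+#
+# Adds security filters to the Rails filter mechanism.
+#
+# Modifies ActionController::Filter::FilterChain. Might not work with other
+# gems modifying this class.
+#
+
+# Extends ActiveRecord::Base and patches ActionController::Filters
+#
+# Performs additions to the rails filter chain. It basically adds two
+# filters which may not be removed:
+#
+# 1) Before Fiter to initialize SecurityContext
+# 2) Around Filter around actions
+#
+# The altered filter chain looks like this:
+#
+# * AnnotationSecurity::Filters::InitializeSecurity
+# * ... other before filters
+# * around filters ...
+# * AnnotationSecurity::Filters::ApplySecurity
+# * after filters
+#
+module ActionController # :nodoc:
+module Filters # :nodoc:
+class FilterChain # :nodoc:
+def self.new(&block)
+super.tap do |filter_chain|
+filter_chain.append_filter_to_chain([AnnotationSecurity::Filters::InitializeSecurity], :security, &block)
+filter_chain.append_filter_to_chain([AnnotationSecurity::Filters::ApplySecurity], :action_security, &block)
+end
+end
+
+private
+
+def find_filter_append_position(filters, filter_type)
+# appending an after filter puts it at the end of the call chain
+# before and around filters go after security filters and
+# before the first after or action_security filter
+#
+return -1 if filter_type == :after
+
+if filter_type == :security
+#security filters are first filters in chain
+each_with_index do |f,i|
+return i unless f.security?
+end
+else
+each_with_index do |f,i|
+return i if f.after? or f.action_security?
+end
+end
+return -1
+end
+
+def find_filter_prepend_position(filters, filter_type)
+if filter_type == :after
+# after filters go before the first after filter in the chain
+each_with_index do |f,i|
+return i if f.after?
+end
+return -1
+elsif filter_type == :security
+return 0
+else
+# prepending a before or around filter puts it at the front of the call chain
+each_with_index do |f,i|
+return i unless f.security?
+end
+end
+return 0 # Since first filter is security initialization filter
+end
+
+def find_or_create_filter(filter, filter_type, options = {})
+update_filter_in_chain([filter], options)
+
+if found_filter = find(filter) { |f| f.type == filter_type }
+found_filter
+else
+filter_kind = case
+when filter.respond_to?(:before) && filter_type == :before
+:before
+when filter.respond_to?(:after) && filter_type == :after
+:after
+else
+:filter
+end
+
+case filter_type
+when :before
+BeforeFilter.new(filter_kind, filter, options)
+when :after
+AfterFilter.new(filter_kind, filter, options)
+when :security
+SecurityFilter.new(filter_kind, filter, options)
+when :action_security
+ActionSecurityFilter.new(filter_kind, filter, options)
+else
+AroundFilter.new(filter_kind, filter, options)
+end
+end
+end
+end
+
+class Filter # :nodoc:
+
+# override to return true in appropriate subclass
+def security?
+false
+end
+
+def action_security?
+false
+end
+end
+
+# the customized security filter that sets the current user
+# and catches security exceptions
+class SecurityFilter < AroundFilter # :nodoc:
+def security?
+true
+end
+end
+
+# filter used to activate security for actions
+class ActionSecurityFilter < AroundFilter # :nodoc:
+def action_security?
+true
+end
+end
+end
 end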
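Review bot: The header comment (new lines 12-13) says the two security filters "may not be removed", but nothing in this file enforces that; `FilterChain.new` only appends them and the two position finders only decide where later filters land. Unless removal is blocked elsewhere in the gem, a controller-level `skip_filter` naming `AnnotationSecurity::Filters::ApplySecurity` would presumably take the authorization check out of the chain without any error. I would either guard the removal path for filters whose `security?` or `action_security?` is true, or correct the comment to something like `# NOTE: this file fixes the position of the security filters; it does not prevent them from being skipped` and add a spec that asserts both filters survive a skip. Also worth checking: `SecurityFilter` and `ActionSecurityFilter` do not define `type`, so `find(filter) { |f| f.type == filter_type }` in `find_or_create_filter` may never match `:security` or `:action_security` if the inherited value is `:around`.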
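--- a/data/lib/extensions/object.rb
+++ b/data/lib/extensions/object.rb
@@ -1,11 +1,11 @@
-#
-# = lib/extensions/object.rb
-#
-
-class Object # :nodoc:
-
-def __is_resource? # :nodoc:
-false
-end
-
+#
+# = lib/extensions/object.rb
+#
+
+class Object # :nodoc:
+
+def __is_resource? # :nodoc:
+false
+end
+
 end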