annotation_security 1.0.1 → 1.0.2
- data/CHANGELOG.md +14 -0
- data/HOW-TO.md +275 -0
- data/{MIT-LICENSE → LICENSE} +1 -1
- data/README.md +39 -0
- data/Rakefile +62 -55
- data/assets/app/helpers/annotation_security_helper.rb +8 -8
- data/assets/config/initializers/annotation_security.rb +11 -11
- data/assets/config/security/relations.rb +20 -20
- data/assets/vendor/plugins/annotation_security/init.rb +13 -13
- data/bin/annotation_security +7 -7
- data/lib/annotation_security/exceptions.rb +124 -124
- data/lib/annotation_security/exec.rb +188 -188
- data/lib/annotation_security/filters.rb +37 -37
- data/lib/annotation_security/includes/action_controller.rb +144 -143
- data/lib/annotation_security/includes/active_record.rb +27 -27
- data/lib/annotation_security/includes/helper.rb +215 -215
- data/lib/annotation_security/includes/resource.rb +84 -84
- data/lib/annotation_security/includes/role.rb +30 -30
- data/lib/annotation_security/includes/user.rb +26 -26
- data/lib/annotation_security/manager/policy_factory.rb +29 -29
- data/lib/annotation_security/manager/policy_manager.rb +79 -79
- data/lib/annotation_security/manager/relation_loader.rb +272 -272
- data/lib/annotation_security/manager/resource_manager.rb +36 -36
- data/lib/annotation_security/manager/right_loader.rb +87 -87
- data/lib/annotation_security/model_observer.rb +61 -61
- data/lib/annotation_security/policy/abstract_policy.rb +344 -344
- data/lib/annotation_security/policy/abstract_static_policy.rb +75 -75
- data/lib/annotation_security/policy/all_resources_policy.rb +20 -20
- data/lib/annotation_security/policy/rule.rb +340 -340
- data/lib/annotation_security/policy/rule_set.rb +138 -138
- data/lib/annotation_security/rails.rb +38 -38
- data/lib/annotation_security/user_wrapper.rb +73 -73
- data/lib/annotation_security/utils.rb +141 -141
- data/lib/annotation_security/version.rb +10 -0
- data/lib/annotation_security.rb +102 -97
- data/lib/extensions/action_controller.rb +32 -32
- data/lib/extensions/active_record.rb +34 -34
- data/lib/extensions/filter.rb +133 -133
- data/lib/extensions/object.rb +10 -10
- data/lib/security_context.rb +589 -551
- data/spec/annotation_security/exceptions_spec.rb +16 -16
- data/spec/annotation_security/includes/helper_spec.rb +82 -82
- data/spec/annotation_security/manager/policy_manager_spec.rb +15 -15
- data/spec/annotation_security/manager/resource_manager_spec.rb +17 -17
- data/spec/annotation_security/manager/right_loader_spec.rb +17 -17
- data/spec/annotation_security/policy/abstract_policy_spec.rb +16 -16
- data/spec/annotation_security/policy/all_resources_policy_spec.rb +24 -24
- data/spec/annotation_security/policy/rule_set_spec.rb +112 -112
- data/spec/annotation_security/policy/rule_spec.rb +77 -77
- data/spec/annotation_security/policy/test_policy_spec.rb +80 -80
- data/spec/annotation_security/security_context_spec.rb +78 -78
- data/spec/annotation_security/utils_spec.rb +73 -73
- data/spec/helper/test_controller.rb +65 -65
- data/spec/helper/test_helper.rb +5 -5
- data/spec/helper/test_relations.rb +6 -6
- data/spec/helper/test_resource.rb +38 -38
- data/spec/helper/test_role.rb +21 -21
- data/spec/helper/test_user.rb +31 -31
- data/spec/rails_stub.rb +37 -37
- metadata +94 -72
- data/CHANGELOG +0 -2
- data/HOW-TO +0 -261
- data/README +0 -39
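--- a/data/lib/annotation_security/includes/helper.rb
+++ b/data/lib/annotation_security/includes/helper.rb
@@ -1,215 +1,215 @@
-#
-# = lib/annotation_security/includes/helper.rb
-#
-
-# = AnnotationSecurity::Helper
-#
-# This module adds some useful helper methods to your templates.
-#
-module AnnotationSecurity::Helper
-
-# Returns true if the operation defined by +policy_args+ is allowed.
-#
-# The following calls to #allowed? are possible:
-#
-# allowed? :show, :resource, @resource
-# # => true if the current user has the right to show @resource,
-# # which belongs to the :resource resource-class
-#
-# In case of model objects or other classes which implement a #resource_type
-# method the the second argument may be ommited
-#
-# allowed? :show, @resource
-# # equivalent to the above call if @resource.resource_type == :resource
-#
-# A policy description used as a controller annotation may also be used
-# to check a right
-#
-# allowed? "show resource", @resource
-# # => true if the current user has the right "show resource" for @resource
-#
-# A policy may also be applied without an object representing the context:
-#
-# allowed? :show, :resource
-# # => true if the current may show resources.
-#
-# This will only check system and pretest rules. The result +true+ does not
-# mean that the user may show all resources. However, a +false+ indicates
-# that the user is not allowed to show any resources.
-#
-# If the resource class is omitted as well, only rules defined for all
-# resources can be tested. See RelationLoader#all_resources for details.
-#
-# allowed? :administrate
-# # => true if the user is allowed to administrate all resources.
-#
-# See SecurityContext#allowed?.
-#
-def allowed?(*args)
-SecurityContext.allowed?(*args)
-end
-
-alias a? allowed?
-
-# Equivalent to allowed?; is? is provided for better readability.
-#
-# allowed? :logged_in
-# vs
-# is? :logged_in
-#
-def is?(*args)
-SecurityContext.is?(*args)
-end
-
-# Checks whether the user is allowed to access the action.
-#
-# Expects arguments like #link_to_if_allowed, just without name and block.
-#
-# Returns true if the action is allowed.
-#
-def action_allowed?(options, objects=nil, params=nil, html_options=nil)
-
-options, objects, params, html_options =
-parse_allow_action_args(options, objects, params, html_options)
-
-controller = params.delete :controller
-action = params.delete :action
-SecurityContext.allow_action?(controller, action, objects, params)
-end
-
-# Returns a link tag with the specified name to the specified resource if
-# the user is allowed to access it. See #link_to_unless and
-# SecurityContext#action_allowed? for more documentation.
-#
-# There are two ways of using #link_to_if_allowed
-#
-# === As #link_to with alternative
-# (or as #link_to_unless without explicit condition)
-# link_to_if_allowed(name, options={}, html_options=nil) { 'alternative' }
-# +options+ either is a hash, like
-# { :controller => :comments, :action => edit, :id => @comment }
-# a string, like
-# "comments/1/edit"
-# or
-# edit_comment_path(@comment)
-# or a single resource object.
-#
-# Notice that when providing a string, controller, action and parameters will
-# be parsed. After that, the resource types of the parameters are *guessed*,
-# the resources are retrieved and the rules of the action are evaluated.
-#
-# The block will be evaluated if the action is not allowed,
-# like in #link_to_unless.
-#
-# === As #link_to with alternative and explicit objects
-# link_to_if_allowed(name, options={}, objects=[], params={}, html_options=nil) { 'alternative' }
-# In this case, controller and action will be derived from +options+ unless
-# they are specified in +params+.
-# All items in +objects+ and all remaining items in +params+ will be used
-# for evaluating the rules of the action.
-#
-# If you want to specify +html_options+, provide at least an empty hash
-# for +params+.
-#
-# Unlike to #link_to, you can also provide a symbol as +options+ value.
-# In this case, the target url will be determined by sending symbol as
-# message, providing +objects+ and +params+ as arguments, e.g.
-# link_to_if_allowed("Show comment", :comment_path, [@article, @comment], {:details => true})
-# will call
-# comment_path(@article, @comment, {:details => true})
-#
-# === Examples
-# <%= link_to_if_allowed("Show", @course) { } %>
-# <%= link_to_if_allowed("New", new_course_path) { "You may not create a new course." } %>
-#
-# These two are equivalent, however, the second approach is more efficient:
-# <%= link_to_if_allowed("Edit", edit_course_path(@course)) { } %>
-# <%= link_to_if_allowed("Edit", :edit_course_path, @course) { } %>
-#
-# The HTML-options are taken into account when choosing the action.
-# <%= link_to_if_allowed("Delete", @course, {:method => :delete}) { } %>
-#
-# You can also define all values explicitly
-# <%= link_to_if_allowed("Edit comment", "articles/1/comments/5/edit", [@comment], {:article => @comment.article, :action => :edit, :controller => :comments}) { } %>
-#
-# === Parameters
-# - +name+ Text of the link
-# - +options+
-# - +objects+
-# - +params+
-# - +html_options+
-#
-def link_to_if_allowed(name, options, objects=nil, params=nil, html_options=nil, &block)
-
-options, objects, params, html_options =
-parse_allow_action_args(options, objects, params, html_options)
-
-controller = params.delete :controller
-action = params.delete :action
-allowed = SecurityContext.allow_action?(controller, action, objects, params)
-
-link_to_if(allowed, name, options, html_options, &block)
-end
-
-alias link_if_a link_to_if_allowed
-
-private
-
-def parse_allow_action_args(*args)
-if args.second && !(args.second.is_a? Hash)
-# objects and params are specified
-options, objects, params, html_options = args
-objects = [objects] unless objects.is_a? Array
-params ||= {}
-html_options ||= {}
-if options.is_a? Symbol
-# options is a symbol, send the message to get the link path
-path_args = objects + [params]
-options = send(options, *path_args)
-end
-else
-# retrieve objects and params from options
-options = args.first
-html_options = args.second || {}
-objects = [] # everything will be in the params
-if options.is_a? Hash
-params = options.dup
-else
-params = parse_action_params(options, html_options)
-end
-end
-
-unless params[:controller] && params[:action]
-# if controller and action are not given, parse from options
-params = parse_controller_action(options, params, html_options)
-end
-
-[options, objects, params, html_options]
-end
-
-# uses options and html_options to retrieve controller and action,
-# adds these values to params hash
-def parse_controller_action(options, params, html_options)
-path_info = get_path_info(options, html_options)
-params[:controller] ||= path_info[:controller]
-params[:action] ||= path_info[:action]
-params
-end
-
-# uses options and html_options to retrieve controller, action
-# and params
-def parse_action_params(options, html_options)
-get_path_info(options, html_options)
-end
-
-def get_path_info(options, html_options)
-if options.is_a? String
-path = options
-else
-path = url_for(options)
-end
-env = { :method => (html_options[:method] || :get ) }
-ActionController::Routing::Routes.recognize_path(path, env)
-end
-
-end
+#
+# = lib/annotation_security/includes/helper.rb
+#
+
+# = AnnotationSecurity::Helper
+#
+# This module adds some useful helper methods to your templates.
+#
+module AnnotationSecurity::Helper
+
+# Returns true if the operation defined by +policy_args+ is allowed.
+#
+# The following calls to #allowed? are possible:
+#
+# allowed? :show, :resource, @resource
+# # => true if the current user has the right to show @resource,
+# # which belongs to the :resource resource-class
+#
+# In case of model objects or other classes which implement a #resource_type
+# method the the second argument may be ommited
+#
+# allowed? :show, @resource
+# # equivalent to the above call if @resource.resource_type == :resource
+#
+# A policy description used as a controller annotation may also be used
+# to check a right
+#
+# allowed? "show resource", @resource
+# # => true if the current user has the right "show resource" for @resource
+#
+# A policy may also be applied without an object representing the context:
+#
+# allowed? :show, :resource
+# # => true if the current may show resources.
+#
+# This will only check system and pretest rules. The result +true+ does not
+# mean that the user may show all resources. However, a +false+ indicates
+# that the user is not allowed to show any resources.
+#
+# If the resource class is omitted as well, only rules defined for all
+# resources can be tested. See RelationLoader#all_resources for details.
+#
+# allowed? :administrate
+# # => true if the user is allowed to administrate all resources.
+#
+# See SecurityContext#allowed?.
+#
+def allowed?(*args)
+SecurityContext.allowed?(*args)
+end
+
+alias a? allowed?
+
+# Equivalent to allowed?; is? is provided for better readability.
+#
+# allowed? :logged_in
+# vs
+# is? :logged_in
+#
+def is?(*args)
+SecurityContext.is?(*args)
+end
+
+# Checks whether the user is allowed to access the action.
+#
+# Expects arguments like #link_to_if_allowed, just without name and block.
+#
+# Returns true if the action is allowed.
+#
+def action_allowed?(options, objects=nil, params=nil, html_options=nil)
+
+options, objects, params, html_options =
+parse_allow_action_args(options, objects, params, html_options)
+
+controller = params.delete :controller
+action = params.delete :action
+SecurityContext.allow_action?(controller, action, objects, params)
+end
+
+# Returns a link tag with the specified name to the specified resource if
+# the user is allowed to access it. See #link_to_unless and
+# SecurityContext#action_allowed? for more documentation.
+#
+# There are two ways of using #link_to_if_allowed
+#
+# === As #link_to with alternative
+# (or as #link_to_unless without explicit condition)
+# link_to_if_allowed(name, options={}, html_options=nil) { 'alternative' }
+# +options+ either is a hash, like
+# { :controller => :comments, :action => edit, :id => @comment }
+# a string, like
+# "comments/1/edit"
+# or
+# edit_comment_path(@comment)
+# or a single resource object.
+#
+# Notice that when providing a string, controller, action and parameters will
+# be parsed. After that, the resource types of the parameters are *guessed*,
+# the resources are retrieved and the rules of the action are evaluated.
+#
+# The block will be evaluated if the action is not allowed,
+# like in #link_to_unless.
+#
+# === As #link_to with alternative and explicit objects
+# link_to_if_allowed(name, options={}, objects=[], params={}, html_options=nil) { 'alternative' }
+# In this case, controller and action will be derived from +options+ unless
+# they are specified in +params+.
+# All items in +objects+ and all remaining items in +params+ will be used
+# for evaluating the rules of the action.
+#
+# If you want to specify +html_options+, provide at least an empty hash
+# for +params+.
+#
+# Unlike to #link_to, you can also provide a symbol as +options+ value.
+# In this case, the target url will be determined by sending symbol as
+# message, providing +objects+ and +params+ as arguments, e.g.
+# link_to_if_allowed("Show comment", :comment_path, [@article, @comment], {:details => true})
+# will call
+# comment_path(@article, @comment, {:details => true})
+#
+# === Examples
+# <%= link_to_if_allowed("Show", @course) { } %>
+# <%= link_to_if_allowed("New", new_course_path) { "You may not create a new course." } %>
+#
+# These two are equivalent, however, the second approach is more efficient:
+# <%= link_to_if_allowed("Edit", edit_course_path(@course)) { } %>
+# <%= link_to_if_allowed("Edit", :edit_course_path, @course) { } %>
+#
+# The HTML-options are taken into account when choosing the action.
+# <%= link_to_if_allowed("Delete", @course, {:method => :delete}) { } %>
+#
+# You can also define all values explicitly
+# <%= link_to_if_allowed("Edit comment", "articles/1/comments/5/edit", [@comment], {:article => @comment.article, :action => :edit, :controller => :comments}) { } %>
+#
+# === Parameters
+# - +name+ Text of the link
+# - +options+
+# - +objects+
+# - +params+
+# - +html_options+
+#
+def link_to_if_allowed(name, options, objects=nil, params=nil, html_options=nil, &block)
+
+options, objects, params, html_options =
+parse_allow_action_args(options, objects, params, html_options)
+
+controller = params.delete :controller
+action = params.delete :action
+allowed = SecurityContext.allow_action?(controller, action, objects, params)
+
+link_to_if(allowed, name, options, html_options, &block)
+end
+
+alias link_if_a link_to_if_allowed
+
+private
+
+def parse_allow_action_args(*args)
+if args.second && !(args.second.is_a? Hash)
+# objects and params are specified
+options, objects, params, html_options = args
+objects = [objects] unless objects.is_a? Array
+params ||= {}
+html_options ||= {}
+if options.is_a? Symbol
+# options is a symbol, send the message to get the link path
+path_args = objects + [params]
+options = send(options, *path_args)
+end
+else
+# retrieve objects and params from options
+options = args.first
+html_options = args.second || {}
+objects = [] # everything will be in the params
+if options.is_a? Hash
+params = options.dup
+else
+params = parse_action_params(options, html_options)
+end
+end
+
+unless params[:controller] && params[:action]
+# if controller and action are not given, parse from options
+params = parse_controller_action(options, params, html_options)
+end
+
+[options, objects, params, html_options]
+end
+
+# uses options and html_options to retrieve controller and action,
+# adds these values to params hash
+def parse_controller_action(options, params, html_options)
+path_info = get_path_info(options, html_options)
+params[:controller] ||= path_info[:controller]
+params[:action] ||= path_info[:action]
+params
+end
+
+# uses options and html_options to retrieve controller, action
+# and params
+def parse_action_params(options, html_options)
+get_path_info(options, html_options)
+end
+
+def get_path_info(options, html_options)
+if options.is_a? String
+path = options
+else
+path = url_for(options)
+end
+env = { :method => (html_options[:method] || :get ) }
+ActionController::Routing::Routes.recognize_path(path, env)
+end
+
+end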
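--- a/data/lib/annotation_security/includes/resource.rb
+++ b/data/lib/annotation_security/includes/resource.rb
@@ -1,85 +1,85 @@
-#
-# = lib/annotation_security/includes/resource.rb
-#
-
-# Must be included by all classes that are resource classes and do not extend
-# ActiveRecord::Base.
-#
-# class MailDispatcher
-# include AnnotationSecurity::Resource
-# resource_type = :email
-# ...
-#
-# See AnnotationSecurity::Resource::ClassMethods.
-#
-module AnnotationSecurity::Resource
-
-def self.included(base) # :nodoc:
-base.extend(ClassMethods)
-base.class_eval do
-include InstanceMethods
-end
-end
-
-# Provides class side methods for resource classes.
-module ClassMethods
-
-# Registers the class as a resource.
-#
-def resource_type=(symbol)
-@resource_type = symbol
-AnnotationSecurity::ResourceManager.add_resource_class(symbol,self)
-symbol
-end
-
-def resource_type # :nodoc:
-@resource_type || (self.resource_type = name.underscore.to_sym)
-end
-
-def policy_for(user,obj=nil) # :nodoc:
-policy_factory.create_policy(user,obj)
-end
-
-# If required, overwrite this method to return a resource object identified
-# by the argument.
-#
-# This might be necessary if you change the to_param method of an
-# ActiveRecord class.
-#
-# class Course < ActiveRecord::Base
-# ...
-# # each course has a unique name --> make better urls
-# def to_param
-# name
-# end
-#
-# def self.get_resource(name)
-# find_by_name(name)
-# end
-#
-def get_resource(arg)
-raise NoMethodError, "#{self} does not implement #get_resource"
-end
-
-private
-
-def policy_factory # :nodoc:
-@policy_factory ||= AnnotationSecurity::PolicyManager.policy_factory(resource_type)
-end
-
-end
-
-module InstanceMethods # :nodoc:
-def resource_type
-self.class.resource_type
-end
-
-def __is_resource?
-true
-end
-
-def policy_for(user)
-self.class.policy_for(user,self)
-end
-end
+#
+# = lib/annotation_security/includes/resource.rb
+#
+
+# Must be included by all classes that are resource classes and do not extend
+# ActiveRecord::Base.
+#
+# class MailDispatcher
+# include AnnotationSecurity::Resource
+# resource_type = :email
+# ...
+#
+# See AnnotationSecurity::Resource::ClassMethods.
+#
+module AnnotationSecurity::Resource
+
+def self.included(base) # :nodoc:
+base.extend(ClassMethods)
+base.class_eval do
+include InstanceMethods
+end
+end
+
+# Provides class side methods for resource classes.
+module ClassMethods
+
+# Registers the class as a resource.
+#
+def resource_type=(symbol)
+@resource_type = symbol
+AnnotationSecurity::ResourceManager.add_resource_class(symbol,self)
+symbol
+end
+
+def resource_type # :nodoc:
+@resource_type || (self.resource_type = name.underscore.to_sym)
+end
+
+def policy_for(user,obj=nil) # :nodoc:
+policy_factory.create_policy(user,obj)
+end
+
+# If required, overwrite this method to return a resource object identified
+# by the argument.
+#
+# This might be necessary if you change the to_param method of an
+# ActiveRecord class.
+#
+# class Course < ActiveRecord::Base
+# ...
+# # each course has a unique name --> make better urls
+# def to_param
+# name
+# end
+#
+# def self.get_resource(name)
+# find_by_name(name)
+# end
+#
+def get_resource(arg)
+raise NoMethodError, "#{self} does not implement #get_resource"
+end
+
+private
+
+def policy_factory # :nodoc:
+@policy_factory ||= AnnotationSecurity::PolicyManager.policy_factory(resource_type)
+end
+
+end
+
+module InstanceMethods # :nodoc:
+def resource_type
+self.class.resource_type
+end
+
+def __is_resource?
+true
+end
+
+def policy_for(user)
+self.class.policy_for(user,self)
+end
+end
 end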
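--- a/data/lib/annotation_security/includes/role.rb
+++ b/data/lib/annotation_security/includes/role.rb
@@ -1,31 +1,31 @@
-#
-# = lib/annotation_security/includes/role.rb
-#
-
-# = AnnotationSecurity::Role
-#
-# This module should be included by all role classes
-# to enable full support of all features.
-#
-# A role class is a domain class that represents user roles
-# and does not extend the user class. It should have the method #user that
-# returns the user object it belongs to.
-#
-module AnnotationSecurity::Role
-
-# Returns true if this belongs to the user given as parameter.
-#
-# Required to have a common interface with AnnotationSecurity::User.
-#
-def is_user?(user)
-self.user == user
-end
-
-# If +obj+ is a UserWrapper, extract the role before comparing
-#
-def ==(obj)
-obj = obj.__role__ if obj.is_a? AnnotationSecurity::UserWrapper
-super(obj)
-end
-
+#
+# = lib/annotation_security/includes/role.rb
+#
+
+# = AnnotationSecurity::Role
+#
+# This module should be included by all role classes
+# to enable full support of all features.
+#
+# A role class is a domain class that represents user roles
+# and does not extend the user class. It should have the method #user that
+# returns the user object it belongs to.
+#
+module AnnotationSecurity::Role
+
+# Returns true if this belongs to the user given as parameter.
+#
+# Required to have a common interface with AnnotationSecurity::User.
+#
+def is_user?(user)
+self.user == user
+end
+
+# If +obj+ is a UserWrapper, extract the role before comparing
+#
+def ==(obj)
+obj = obj.__role__ if obj.is_a? AnnotationSecurity::UserWrapper
+super(obj)
+end
+
 end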