annotation_security 1.0.1 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (63) hide show
  1. data/CHANGELOG.md +14 -0
  2. data/HOW-TO.md +275 -0
  3. data/{MIT-LICENSE → LICENSE} +1 -1
  4. data/README.md +39 -0
  5. data/Rakefile +62 -55
  6. data/assets/app/helpers/annotation_security_helper.rb +8 -8
  7. data/assets/config/initializers/annotation_security.rb +11 -11
  8. data/assets/config/security/relations.rb +20 -20
  9. data/assets/vendor/plugins/annotation_security/init.rb +13 -13
  10. data/bin/annotation_security +7 -7
  11. data/lib/annotation_security/exceptions.rb +124 -124
  12. data/lib/annotation_security/exec.rb +188 -188
  13. data/lib/annotation_security/filters.rb +37 -37
  14. data/lib/annotation_security/includes/action_controller.rb +144 -143
  15. data/lib/annotation_security/includes/active_record.rb +27 -27
  16. data/lib/annotation_security/includes/helper.rb +215 -215
  17. data/lib/annotation_security/includes/resource.rb +84 -84
  18. data/lib/annotation_security/includes/role.rb +30 -30
  19. data/lib/annotation_security/includes/user.rb +26 -26
  20. data/lib/annotation_security/manager/policy_factory.rb +29 -29
  21. data/lib/annotation_security/manager/policy_manager.rb +79 -79
  22. data/lib/annotation_security/manager/relation_loader.rb +272 -272
  23. data/lib/annotation_security/manager/resource_manager.rb +36 -36
  24. data/lib/annotation_security/manager/right_loader.rb +87 -87
  25. data/lib/annotation_security/model_observer.rb +61 -61
  26. data/lib/annotation_security/policy/abstract_policy.rb +344 -344
  27. data/lib/annotation_security/policy/abstract_static_policy.rb +75 -75
  28. data/lib/annotation_security/policy/all_resources_policy.rb +20 -20
  29. data/lib/annotation_security/policy/rule.rb +340 -340
  30. data/lib/annotation_security/policy/rule_set.rb +138 -138
  31. data/lib/annotation_security/rails.rb +38 -38
  32. data/lib/annotation_security/user_wrapper.rb +73 -73
  33. data/lib/annotation_security/utils.rb +141 -141
  34. data/lib/annotation_security/version.rb +10 -0
  35. data/lib/annotation_security.rb +102 -97
  36. data/lib/extensions/action_controller.rb +32 -32
  37. data/lib/extensions/active_record.rb +34 -34
  38. data/lib/extensions/filter.rb +133 -133
  39. data/lib/extensions/object.rb +10 -10
  40. data/lib/security_context.rb +589 -551
  41. data/spec/annotation_security/exceptions_spec.rb +16 -16
  42. data/spec/annotation_security/includes/helper_spec.rb +82 -82
  43. data/spec/annotation_security/manager/policy_manager_spec.rb +15 -15
  44. data/spec/annotation_security/manager/resource_manager_spec.rb +17 -17
  45. data/spec/annotation_security/manager/right_loader_spec.rb +17 -17
  46. data/spec/annotation_security/policy/abstract_policy_spec.rb +16 -16
  47. data/spec/annotation_security/policy/all_resources_policy_spec.rb +24 -24
  48. data/spec/annotation_security/policy/rule_set_spec.rb +112 -112
  49. data/spec/annotation_security/policy/rule_spec.rb +77 -77
  50. data/spec/annotation_security/policy/test_policy_spec.rb +80 -80
  51. data/spec/annotation_security/security_context_spec.rb +78 -78
  52. data/spec/annotation_security/utils_spec.rb +73 -73
  53. data/spec/helper/test_controller.rb +65 -65
  54. data/spec/helper/test_helper.rb +5 -5
  55. data/spec/helper/test_relations.rb +6 -6
  56. data/spec/helper/test_resource.rb +38 -38
  57. data/spec/helper/test_role.rb +21 -21
  58. data/spec/helper/test_user.rb +31 -31
  59. data/spec/rails_stub.rb +37 -37
  60. metadata +94 -72
  61. data/CHANGELOG +0 -2
  62. data/HOW-TO +0 -261
  63. data/README +0 -39
@@ -1,88 +1,88 @@
1
- #
2
- # = lib/annotation_security/manager/right_loader.rb
3
- #
4
-
5
- # = AnnotationSecurity::RightLoader
6
- # Contains the right loader class, which is responsible for loading
7
- # right definitions for resources. Load rights from a yaml file or a hash.
8
- #
9
- # == Example YAML
10
- #
11
- # The file <tt>config/security/rights.yml</tt> inside a rails app
12
- # might look like this:
13
- # picture:
14
- # # a user may show a picture if he fulfils the 'related'-relation
15
- # show: if related
16
- # comment:
17
- # # you have to be logged in to view comments
18
- # show: if logged_in
19
- # user:
20
- # # like in ruby, 'unless' is equivalent to 'if not'
21
- # register: unless logged_in
22
- # delete: if administrator # comments are also possible behind a line
23
- # user_content:
24
- # # all rights of 'user_content' are defined for 'picture' and 'comment' too
25
- # applies_to: picture, comment
26
- # create: if logged_in
27
- # edit: if owner
28
- # delete: if owner or administrator
29
- # The file can be loaded via <code>AnnotationSecurity#load_rights('rights')</code>.
30
- #
31
- # A right's condition can use the keywords +if+, +unless+, +and+, +or+ and
32
- # +not+, brackets, other rights and all of the resource's relations
33
- # (see AnnotationSecurity::RelationLoader). For better readability you may
34
- # add the prefixes +may+, +is+, +can+ or +has+,
35
- # or append one of the suffixes +for+, +in+, +of+ or +to+.
36
- #
37
- # user_content:
38
- # edit: if is_owner_of
39
- # delete: if may_edit or is_administrator
40
- #
41
- # However, it is recommended to use this feature sparingly.
42
- #
43
- class AnnotationSecurity::RightLoader
44
-
45
- # Goes through all resources of +hash+ and load the defined rights.
46
- #
47
- def self.define_rights(hash) # :nodoc:
48
- if hash
49
- hash.each_pair do |resource_class, rights|
50
- new(resource_class).define_rights(rights)
51
- end
52
- end
53
- end
54
-
55
- # An instance of RightLoader is responsible for loading the rights of a
56
- # resource class.
57
- #
58
- def initialize(resource) # :nodoc:
59
- @factory = AnnotationSecurity::PolicyManager.policy_factory(resource)
60
- end
61
-
62
- # Goes through all rights in +hash+ and creates rules for all policies these
63
- # rights apply to.
64
- #
65
- def define_rights(hash) # :nodoc:
66
- factories = extract_applies_to(hash) << @factory
67
- hash.each_pair do |right,condition|
68
- # Important: set the :right-flag to activate automatic detection of
69
- # the other flags (static,dynamic,require_user)
70
- factories.each { |f| f.add_rule(right,:right,condition) }
71
- end
72
- end
73
-
74
- private
75
-
76
- # Looks for the key 'applies_to', which is no right but a command to apply
77
- # all rights of the current resource class to the resource classes listed
78
- # in the value.
79
- #
80
- def extract_applies_to(hash)
81
- applies_to = hash.delete('applies_to') || hash.delete(:applies_to)
82
- return [] if applies_to.blank?
83
- applies_to = [applies_to] if applies_to.is_a? String
84
- applies_to.collect{ |r| r.split(',') }.flatten.
85
- collect{ |r| AnnotationSecurity::PolicyManager.policy_factory(r.strip) }
86
- end
87
-
1
+ #
2
+ # = lib/annotation_security/manager/right_loader.rb
3
+ #
4
+
5
+ # = AnnotationSecurity::RightLoader
6
+ # Contains the right loader class, which is responsible for loading
7
+ # right definitions for resources. Load rights from a yaml file or a hash.
8
+ #
9
+ # == Example YAML
10
+ #
11
+ # The file <tt>config/security/rights.yml</tt> inside a rails app
12
+ # might look like this:
13
+ # picture:
14
+ # # a user may show a picture if he fulfils the 'related'-relation
15
+ # show: if related
16
+ # comment:
17
+ # # you have to be logged in to view comments
18
+ # show: if logged_in
19
+ # user:
20
+ # # like in ruby, 'unless' is equivalent to 'if not'
21
+ # register: unless logged_in
22
+ # delete: if administrator # comments are also possible behind a line
23
+ # user_content:
24
+ # # all rights of 'user_content' are defined for 'picture' and 'comment' too
25
+ # applies_to: picture, comment
26
+ # create: if logged_in
27
+ # edit: if owner
28
+ # delete: if owner or administrator
29
+ # The file can be loaded via <code>AnnotationSecurity#load_rights('rights')</code>.
30
+ #
31
+ # A right's condition can use the keywords +if+, +unless+, +and+, +or+ and
32
+ # +not+, brackets, other rights and all of the resource's relations
33
+ # (see AnnotationSecurity::RelationLoader). For better readability you may
34
+ # add the prefixes +may+, +is+, +can+ or +has+,
35
+ # or append one of the suffixes +for+, +in+, +of+ or +to+.
36
+ #
37
+ # user_content:
38
+ # edit: if is_owner_of
39
+ # delete: if may_edit or is_administrator
40
+ #
41
+ # However, it is recommended to use this feature sparingly.
42
+ #
43
+ class AnnotationSecurity::RightLoader
44
+
45
+ # Goes through all resources of +hash+ and load the defined rights.
46
+ #
47
+ def self.define_rights(hash) # :nodoc:
48
+ if hash
49
+ hash.each_pair do |resource_class, rights|
50
+ new(resource_class).define_rights(rights)
51
+ end
52
+ end
53
+ end
54
+
55
+ # An instance of RightLoader is responsible for loading the rights of a
56
+ # resource class.
57
+ #
58
+ def initialize(resource) # :nodoc:
59
+ @factory = AnnotationSecurity::PolicyManager.policy_factory(resource)
60
+ end
61
+
62
+ # Goes through all rights in +hash+ and creates rules for all policies these
63
+ # rights apply to.
64
+ #
65
+ def define_rights(hash) # :nodoc:
66
+ factories = extract_applies_to(hash) << @factory
67
+ hash.each_pair do |right,condition|
68
+ # Important: set the :right-flag to activate automatic detection of
69
+ # the other flags (static,dynamic,require_user)
70
+ factories.each { |f| f.add_rule(right,:right,condition) }
71
+ end
72
+ end
73
+
74
+ private
75
+
76
+ # Looks for the key 'applies_to', which is no right but a command to apply
77
+ # all rights of the current resource class to the resource classes listed
78
+ # in the value.
79
+ #
80
+ def extract_applies_to(hash)
81
+ applies_to = hash.delete('applies_to') || hash.delete(:applies_to)
82
+ return [] if applies_to.blank?
83
+ applies_to = [applies_to] if applies_to.is_a? String
84
+ applies_to.collect{ |r| r.split(',') }.flatten.
85
+ collect{ |r| AnnotationSecurity::PolicyManager.policy_factory(r.strip) }
86
+ end
87
+
88
88
  end
@@ -1,61 +1,61 @@
1
- #
2
- # = lib/annotation_security/model_observer.rb
3
- #
4
- # Contains SecurityObserver which implements constraint checking for model
5
- # classes.
6
- #
7
-
8
- module AnnotationSecurity
9
-
10
- # Observes changes in models and applies security policy to them
11
- #
12
- class ModelObserver < ::ActiveRecord::Observer # :nodoc:
13
-
14
- # Sets the observed model classes
15
- #
16
- observe # will be set automatically. However, observe must not be removed
17
-
18
- def before_validation_on_create(record)
19
- SecurityContext.observe record
20
- end
21
-
22
- def before_validation_on_update(record)
23
- SecurityContext.observe record
24
- end
25
-
26
- # after_find is removed in favour of after_initialize
27
-
28
- def after_initialize(record)
29
- if record.new_record?
30
- # The record is new
31
- else
32
- # The record came out of database
33
- SecurityContext.observe record
34
- end
35
- end
36
-
37
- def before_destroy(record)
38
- SecurityContext.observe record
39
- end
40
-
41
- # Re-register on classes you are observing
42
- # See http://riotprojects.com/2009/1/18/active-record-observers-in-gems-plugins
43
- #
44
- def reload_model_observer
45
- observed_classes.each do |klass|
46
- add_observer!(klass.name.constantize)
47
- end
48
- end
49
-
50
- protected
51
-
52
- def add_observer!(klass)
53
- klass.delete_observer(self)
54
- super
55
-
56
- if respond_to?(:after_initialize) && !klass.method_defined?(:after_initialize)
57
- klass.class_eval 'def after_initialize() end'
58
- end
59
- end
60
- end
61
- end
1
+ #
2
+ # = lib/annotation_security/model_observer.rb
3
+ #
4
+ # Contains SecurityObserver which implements constraint checking for model
5
+ # classes.
6
+ #
7
+
8
+ module AnnotationSecurity
9
+
10
+ # Observes changes in models and applies security policy to them
11
+ #
12
+ class ModelObserver < ::ActiveRecord::Observer # :nodoc:
13
+
14
+ # Sets the observed model classes
15
+ #
16
+ observe # will be set automatically. However, observe must not be removed
17
+
18
+ def before_validation_on_create(record)
19
+ SecurityContext.observe record
20
+ end
21
+
22
+ def before_validation_on_update(record)
23
+ SecurityContext.observe record
24
+ end
25
+
26
+ # after_find is removed in favour of after_initialize
27
+
28
+ def after_initialize(record)
29
+ if record.new_record?
30
+ # The record is new
31
+ else
32
+ # The record came out of database
33
+ SecurityContext.observe record
34
+ end
35
+ end
36
+
37
+ def before_destroy(record)
38
+ SecurityContext.observe record
39
+ end
40
+
41
+ # Re-register on classes you are observing
42
+ # See http://riotprojects.com/2009/1/18/active-record-observers-in-gems-plugins
43
+ #
44
+ def reload_model_observer
45
+ observed_classes.each do |klass|
46
+ add_observer!(klass.name.constantize)
47
+ end
48
+ end
49
+
50
+ protected
51
+
52
+ def add_observer!(klass)
53
+ klass.delete_observer(self)
54
+ super
55
+
56
+ if respond_to?(:after_initialize) && !klass.method_defined?(:after_initialize)
57
+ klass.class_eval 'def after_initialize() end'
58
+ end
59
+ end
60
+ end
61
+ end