annotation_security 1.0.1 → 1.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/CHANGELOG.md +14 -0
- data/HOW-TO.md +275 -0
- data/{MIT-LICENSE → LICENSE} +1 -1
- data/README.md +39 -0
- data/Rakefile +62 -55
- data/assets/app/helpers/annotation_security_helper.rb +8 -8
- data/assets/config/initializers/annotation_security.rb +11 -11
- data/assets/config/security/relations.rb +20 -20
- data/assets/vendor/plugins/annotation_security/init.rb +13 -13
- data/bin/annotation_security +7 -7
- data/lib/annotation_security/exceptions.rb +124 -124
- data/lib/annotation_security/exec.rb +188 -188
- data/lib/annotation_security/filters.rb +37 -37
- data/lib/annotation_security/includes/action_controller.rb +144 -143
- data/lib/annotation_security/includes/active_record.rb +27 -27
- data/lib/annotation_security/includes/helper.rb +215 -215
- data/lib/annotation_security/includes/resource.rb +84 -84
- data/lib/annotation_security/includes/role.rb +30 -30
- data/lib/annotation_security/includes/user.rb +26 -26
- data/lib/annotation_security/manager/policy_factory.rb +29 -29
- data/lib/annotation_security/manager/policy_manager.rb +79 -79
- data/lib/annotation_security/manager/relation_loader.rb +272 -272
- data/lib/annotation_security/manager/resource_manager.rb +36 -36
- data/lib/annotation_security/manager/right_loader.rb +87 -87
- data/lib/annotation_security/model_observer.rb +61 -61
- data/lib/annotation_security/policy/abstract_policy.rb +344 -344
- data/lib/annotation_security/policy/abstract_static_policy.rb +75 -75
- data/lib/annotation_security/policy/all_resources_policy.rb +20 -20
- data/lib/annotation_security/policy/rule.rb +340 -340
- data/lib/annotation_security/policy/rule_set.rb +138 -138
- data/lib/annotation_security/rails.rb +38 -38
- data/lib/annotation_security/user_wrapper.rb +73 -73
- data/lib/annotation_security/utils.rb +141 -141
- data/lib/annotation_security/version.rb +10 -0
- data/lib/annotation_security.rb +102 -97
- data/lib/extensions/action_controller.rb +32 -32
- data/lib/extensions/active_record.rb +34 -34
- data/lib/extensions/filter.rb +133 -133
- data/lib/extensions/object.rb +10 -10
- data/lib/security_context.rb +589 -551
- data/spec/annotation_security/exceptions_spec.rb +16 -16
- data/spec/annotation_security/includes/helper_spec.rb +82 -82
- data/spec/annotation_security/manager/policy_manager_spec.rb +15 -15
- data/spec/annotation_security/manager/resource_manager_spec.rb +17 -17
- data/spec/annotation_security/manager/right_loader_spec.rb +17 -17
- data/spec/annotation_security/policy/abstract_policy_spec.rb +16 -16
- data/spec/annotation_security/policy/all_resources_policy_spec.rb +24 -24
- data/spec/annotation_security/policy/rule_set_spec.rb +112 -112
- data/spec/annotation_security/policy/rule_spec.rb +77 -77
- data/spec/annotation_security/policy/test_policy_spec.rb +80 -80
- data/spec/annotation_security/security_context_spec.rb +78 -78
- data/spec/annotation_security/utils_spec.rb +73 -73
- data/spec/helper/test_controller.rb +65 -65
- data/spec/helper/test_helper.rb +5 -5
- data/spec/helper/test_relations.rb +6 -6
- data/spec/helper/test_resource.rb +38 -38
- data/spec/helper/test_role.rb +21 -21
- data/spec/helper/test_user.rb +31 -31
- data/spec/rails_stub.rb +37 -37
- metadata +94 -72
- data/CHANGELOG +0 -2
- data/HOW-TO +0 -261
- data/README +0 -39
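--- a/data/lib/annotation_security/policy/abstract_static_policy.rb
+++ b/data/lib/annotation_security/policy/abstract_static_policy.rb
@@ -1,76 +1,76 @@
-#
-# = lib/annotation_security/policy/abstract_static_policy.rb
-#
-
-# Abstract superclass for all static policies.
-# For each policy there is a static policy that is responsible for evaluating
-# static rules.
-#
-class AnnotationSecurity::AbstractStaticPolicy < AnnotationSecurity::AbstractPolicy # :nodoc:
-
-# Rules that are defined for all resource types can be found here.
-def self.all_resources_policy # :nodoc:
-AllResourcesPolicy.static_policy_class
-end
-
-# Sets the dynamic policy class this policy class belongs to
-def self.belongs_to(dynamic_policy_class) #:nodoc:
-@dynamic_policy_class = dynamic_policy_class
-end
-
-# A static policy class has no other corresponding static policy class.
-# This should never be called.
-def self.static_policy_class #:nodoc:
-method_missing(:static_policy_class)
-end
-
-# The corresponding dynamic policy class.
-#
-def self.dynamic_policy_class #:nodoc:
-@dynamic_policy_class
-end
-
-# Returns true iif this is policy class is responsible for static rules.
-#
-def self.static? # :nodoc:
-true
-end
-
-# Rule set for this classes resource type
-#
-def self.rule_set # :nodoc:
-# Each dynamic and static policy pair shares one rule set.
-dynamic_policy_class.rule_set
-end
-
-# If possible, redirects the rule to the static side.
-# Returns a rule object or nil.
-def self.use_static_rule(symbol) #:nodoc:
-nil # This is not possible
-end
-
-# Evaluate the rules in static mode.
-# Rules that cannot be evaluated are skipped.
-# * +rules+ array of symbols
-# Throws a SecurityViolationError if a rule fails,
-# returns true if all rules succeed.
-def evaluate_statically(rules) #:nodoc:
-rules.each do |rule|
-if has_rule?(rule) && !__send__(rule)
-raise_access_denied(rule)
-end
-end
-true
-end
-
-# Evaluate a rule that is defined with a proc
-# * +symbol+ Name of the rule
-# * +user+ user object that has to fulfill the rule
-# * +args+ List of additional arguments
-def evaluate_rule(rule,user,args) #:nodoc:
-# In contrast to AbstractPolicy#evaluate_rule,
-# no resource is passed as argument
-get_rule!(rule).evaluate(self,user,*args)
-end
-
+#
+# = lib/annotation_security/policy/abstract_static_policy.rb
+#
+
+# Abstract superclass for all static policies.
+# For each policy there is a static policy that is responsible for evaluating
+# static rules.
+#
+class AnnotationSecurity::AbstractStaticPolicy < AnnotationSecurity::AbstractPolicy # :nodoc:
+
+# Rules that are defined for all resource types can be found here.
+def self.all_resources_policy # :nodoc:
+AllResourcesPolicy.static_policy_class
+end
+
+# Sets the dynamic policy class this policy class belongs to
+def self.belongs_to(dynamic_policy_class) #:nodoc:
+@dynamic_policy_class = dynamic_policy_class
+end
+
+# A static policy class has no other corresponding static policy class.
+# This should never be called.
+def self.static_policy_class #:nodoc:
+method_missing(:static_policy_class)
+end
+
+# The corresponding dynamic policy class.
+#
+def self.dynamic_policy_class #:nodoc:
+@dynamic_policy_class
+end
+
+# Returns true iif this is policy class is responsible for static rules.
+#
+def self.static? # :nodoc:
+true
+end
+
+# Rule set for this classes resource type
+#
+def self.rule_set # :nodoc:
+# Each dynamic and static policy pair shares one rule set.
+dynamic_policy_class.rule_set
+end
+
+# If possible, redirects the rule to the static side.
+# Returns a rule object or nil.
+def self.use_static_rule(symbol) #:nodoc:
+nil # This is not possible
+end
+
+# Evaluate the rules in static mode.
+# Rules that cannot be evaluated are skipped.
+# * +rules+ array of symbols
+# Throws a SecurityViolationError if a rule fails,
+# returns true if all rules succeed.
+def evaluate_statically(rules) #:nodoc:
+rules.each do |rule|
+if has_rule?(rule) && !__send__(rule)
+raise_access_denied(rule)
+end
+end
+true
+end
+
+# Evaluate a rule that is defined with a proc
+# * +symbol+ Name of the rule
+# * +user+ user object that has to fulfill the rule
+# * +args+ List of additional arguments
+def evaluate_rule(rule,user,args) #:nodoc:
+# In contrast to AbstractPolicy#evaluate_rule,
+# no resource is passed as argument
+get_rule!(rule).evaluate(self,user,*args)
+end
+
 end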
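--- a/data/lib/annotation_security/policy/all_resources_policy.rb
+++ b/data/lib/annotation_security/policy/all_resources_policy.rb
@@ -1,21 +1,21 @@
-#
-# = lib/annotation_security/policy/all_resources_policy.rb
-#
-# By default, two relations are provided for all resources.
-#
-# The system relation +logged_in+ evaluates to true if the provided
-# credentials are not nil.
-# logged_in(:system, :require_credential => false) {|u| not u.nil?}
-#
-# The relation +self+ is true when the accessed resource is the current user
-# himself or a role that belongs to the current user.
-# __self__ { |user, resource| resource.is_user?(user) }
-#
-AnnotationSecurity.define_relations :all_resources do
-
-# can be used as "self" in a right definition
-# success if the accessed resource is the user himself or one of his roles
-__self__ { |user, resource| resource.is_user?(user) }
-
-logged_in(:system, :require_credential => false) {|u| not u.nil?}
+#
+# = lib/annotation_security/policy/all_resources_policy.rb
+#
+# By default, two relations are provided for all resources.
+#
+# The system relation +logged_in+ evaluates to true if the provided
+# credentials are not nil.
+# logged_in(:system, :require_credential => false) {|u| not u.nil?}
+#
+# The relation +self+ is true when the accessed resource is the current user
+# himself or a role that belongs to the current user.
+# __self__ { |user, resource| resource.is_user?(user) }
+#
+AnnotationSecurity.define_relations :all_resources do
+
+# can be used as "self" in a right definition
+# success if the accessed resource is the user himself or one of his roles
+__self__ { |user, resource| resource.is_user?(user) }
+
+logged_in(:system, :require_credential => false) {|u| not u.nil?}
 end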