annotation_security 1.0.2 → 1.3.1

data/lib/annotation_security/{includes → rails/3/includes}/active_record.rb

@@ -1,28 +1,28 @@
-#
-# = lib/annotation_security/includes/active_record.rb
-#
-
-# = AnnotationSecurity::ActiveRecord
-# 
-# Included by model classes if they are used as resources.
-# Includes AnnotationSecurity::Resource and sets up the model observer.
-#
-module AnnotationSecurity::ActiveRecord # :nodoc:
-
-  def self.included(base)
-    base.class_eval do
-      include ::AnnotationSecurity::Resource
-    end
-    base.extend(ClassMethods)
-    AnnotationSecurity::ModelObserver.observe base.name.underscore.to_sym
-    AnnotationSecurity::ModelObserver.instance.reload_model_observer
-  end
-  
-  module ClassMethods # :nodoc:
-    def get_resource(object)
-      return object if object.is_a? self
-      # Object.const_get(name) needed because of a bug in Rails
-      Object.const_get(name).find(object)
-    end
-  end
+#
+# = lib/annotation_security/includes/active_record.rb
+#
+
+# = AnnotationSecurity::Rails::ActiveRecord
+# 
+# Included by model classes if they are used as resources.
+# Includes AnnotationSecurity::Resource and sets up the model observer.
+#
+module AnnotationSecurity::Rails::ActiveRecord # :nodoc:
+
+  def self.included(base)
+    base.class_eval do
+      include ::AnnotationSecurity::Resource
+    end
+    base.extend(ClassMethods)
+    AnnotationSecurity::Rails::ModelObserver.observe base.name.underscore.to_sym
+    AnnotationSecurity::Rails::ModelObserver.instance.reload_model_observer
+  end
+  
+  module ClassMethods # :nodoc:
+    def get_resource(object)
+      return object if object.is_a? self
+      # Object.const_get(name) needed because of a bug in Rails
+      Object.const_get(name).find(object)
+    end
+  end
 end

data/lib/annotation_security/rails/3/initializer.rb

@@ -0,0 +1,40 @@
+#
+# = lib/annotation_security/rails/3/initializer.rb
+#
+# Loads the annotation security layer for a rails app
+#
+
+# Load rails 3 specific initializers
+require "rails/railtie"
+
+module AnnotationSecurity::Rails
+  
+  # Contains rails specific initializer (only works for rails 3)
+  class Railtie < ::Rails::Railtie
+
+    initializer "annotation_security.init" do |app|
+
+      ::Rails.logger.info "Initializing AnnotationSecurity security layer (v#{AnnotationSecurity::VERSION})"
+
+      # Policy files are situated under [Rails Root]/config/security
+      # Default policy file is internal, load it
+      ::AnnotationSecurity.load_relations(
+          File.dirname(__FILE__) + '/../../policy/all_resources_policy')
+
+      ::SecurityContext.initialize nil
+  #
+  #        # In development mode, the models we observe get reloaded with each request. Using
+  #        # this hook allows us to reload the observer relationships each time as well.
+  #        app.config.to_prepare(:cache_advance_reload) do
+  #          ::AnnotationSecurity.reset
+  #          ::AnotationSecurity::ModelObserver.instance.reload_model_observer
+  #        end
+  #
+  #        ::ActiveRecord::Base.observers << AnnotationSecurity::Rails::ModelObserver
+
+      ::Rails.logger.info "Security layer initialized"
+    end
+  end
+  
+  def self.init!(config); end
+end

data/lib/annotation_security/rails/3/model_observer.rb

@@ -0,0 +1,61 @@
+#
+# = lib/annotation_security/rails/3/model_observer.rb
+#
+# Contains SecurityObserver which implements constraint checking for model
+# classes.
+#
+
+module AnnotationSecurity::Rails
+
+  # Observes changes in models and applies security policy to them
+  #
+  class ModelObserver < ::ActiveRecord::Observer # :nodoc:
+
+    # Sets the observed model classes
+    #
+    observe # will be set automatically. However, observe must not be removed
+    
+    def before_validation_on_create(record)
+      SecurityContext.observe record
+    end
+    
+    def before_validation_on_update(record)
+      SecurityContext.observe record
+    end
+
+    # after_find is removed in favour of after_initialize
+
+    def after_initialize(record)      
+      if record.new_record?
+        # The record is new
+      else
+        # The record came out of database
+        SecurityContext.observe record
+      end
+    end
+
+    def before_destroy(record)
+      SecurityContext.observe record
+    end
+
+    # Re-register on classes you are observing
+    # See http://riotprojects.com/2009/1/18/active-record-observers-in-gems-plugins
+    #
+    def reload_model_observer
+      observed_classes.each do |klass|
+        add_observer!(klass.name.constantize)
+      end
+    end
+
+    protected
+
+    def add_observer!(klass)      
+      klass.delete_observer(self)      
+      super
+      
+      if respond_to?(:after_initialize) && !klass.method_defined?(:after_initialize)
+        klass.class_eval 'def after_initialize() end'
+      end
+    end
+  end
+end

data/lib/annotation_security/rails/extensions.rb

@@ -0,0 +1,21 @@
+#
+# = lib/annotation_security/rails/extensions.rb
+#
+# This modul provides the rails extensions contained in the
+# AnnotationSecurity security layer.
+#
+
+#
+# Contains rails specific extensions
+#
+module AnnotationSecurity::Rails; end
+
+# Load annotation security files
+rails_version = Rails::VERSION::MAJOR
+dir = File.dirname(__FILE__)
+
+require dir + '/extensions/action_controller'
+require dir + '/extensions/active_record'
+require dir + '/extensions/object'
+
+require dir + "/#{rails_version}/extensions/filter"

data/lib/{extensions → annotation_security/rails/extensions}/action_controller.rb

@@ -1,33 +1,32 @@
-#
-# = lib/extensions/action_controller.rb
-#
-
-module ActionController # :nodoc:
-  
-  # Extends ActionController::Base for security.
-  #
-  class Base # :nodoc:
-
-    # Include required security functionality
-    include AnnotationSecurity::ActionController
-
-    alias render_without_security render
-
-    # Before rendering, evaluates the bounded rules of the current action.
-    #
-    def render(*args, &block)
-      SecurityContext.apply_rules_after_action
-      render_without_security(*args, &block)
-    end
-
-    alias redirect_to_without_security redirect_to
-
-    # Before redirecting, evaluates the bounded rules of the current action.
-    #
-    def redirect_to(*args, &block)
-      SecurityContext.apply_rules_after_action
-      redirect_to_without_security(*args, &block)
-    end
-  end
-
+#
+# = lib/extensions/action_controller.rb
+#
+
+module ActionController # :nodoc:
+
+  # Extends ActionController::Base for security.
+  #
+  class Base # :nodoc:
+
+    # Include required security functionality
+    include AnnotationSecurity::ActionController
+
+    alias render_without_security render
+
+    # Before rendering, evaluates the bounded rules of the current action.
+    #
+    def render(*args, &block)
+      SecurityContext.apply_rules_after_action
+      render_without_security(*args, &block)
+    end
+
+    alias redirect_to_without_security redirect_to
+
+    # Before redirecting, evaluates the bounded rules of the current action.
+    #
+    def redirect_to(*args, &block)
+      SecurityContext.apply_rules_after_action
+      redirect_to_without_security(*args, &block)
+    end
+  end
 end

data/lib/{extensions → annotation_security/rails/extensions}/active_record.rb

@@ -1,35 +1,34 @@
-#
-# = lib/extensions/active_record.rb
-#
-
-module ActiveRecord # :nodoc: 
-
-  # Extends ActiveRecord::Base so that model classes 
-  # can be tagged as resources.
-  #
-  # To associate a model class with a resource type, use #resource in the class
-  # definition.
-  #
-  #  class MyResource < ActiveRecord::Base
-  #    resource :my_resource
-  #
-  #    # ...
-  #  end
-  #
-  # If you don't pass an argument to #resource, the resource name will be
-  # the underscored class name.
-  #
-  # See AnnotationSecurity::Resource if you want to use non-model classes as resources.
-  #
-  class Base
-
-    # Declares a model class to be a resource.
-    # * +resource_type+ (optional) Symbol of the resource type (like :course)
-    def self.resource(resource_type = nil)
-      include ::AnnotationSecurity::ActiveRecord
-      self.resource_type = resource_type if resource_type
-      self.resource_type
-    end
-  end
-
+#
+# = lib/extensions/active_record.rb
+#
+
+module ActiveRecord # :nodoc: 
+
+  # Extends ActiveRecord::Base so that model classes 
+  # can be tagged as resources.
+  #
+  # To associate a model class with a resource type, use #resource in the class
+  # definition.
+  #
+  #  class MyResource < ActiveRecord::Base
+  #    resource :my_resource
+  #
+  #    # ...
+  #  end
+  #
+  # If you don't pass an argument to #resource, the resource name will be
+  # the underscored class name.
+  #
+  # See AnnotationSecurity::Resource if you want to use non-model classes as resources.
+  #
+  class Base
+
+    # Declares a model class to be a resource.
+    # * +resource_type+ (optional) Symbol of the resource type (like :course)
+    def self.resource(resource_type = nil)
+      include ::AnnotationSecurity::Rails::ActiveRecord
+      self.resource_type = resource_type if resource_type
+      self.resource_type
+    end
+  end
 end

data/lib/{extensions → annotation_security/rails/extensions}/object.rb

@@ -1,11 +1,11 @@
-#
-# = lib/extensions/object.rb
-#
-
-class Object # :nodoc:
-
-  def __is_resource? # :nodoc:
-    false
-  end
-
+#
+# = lib/extensions/object.rb
+#
+
+class Object # :nodoc:
+
+  def __is_resource? # :nodoc:
+    false
+  end
+
 end

data/lib/annotation_security/{filters.rb → rails/filters.rb}

@@ -1,38 +1,38 @@
-#
-# = lib/annotation_security/filters.rb
-#
-
-require "active_record"
-
-module AnnotationSecurity # :nodoc:
-  
-  # Contains filters of the security layer which filter current requests,
-  # set up security context and apply security rules.
-  module Filters
-    # This filter is a before filter and is executed as the first filter in the
-    # filter chain. It initializes the security layer.
-    class InitializeSecurity
-      
-      # Initialize current security context depending on logged_in user
-      def self.filter(controller)
-        SecurityContext.initialize(controller)
-        yield
-      end
-    end
-
-    # This filter is an around filter and is executed as the last filter before
-    # execution of action. It applies the security mechanisms.
-    class ApplySecurity
-      # Applies security policies based on current user.
-      def self.filter(controller)
-        ::ActiveRecord::Base.transaction do
-          rules = controller.class.descriptions_of(controller.action_name)
-          SecurityContext.current.eval_with_security(rules){ yield }
-        end
-      rescue AnnotationSecurity::SecurityError
-        SecurityContext.security_exception = $!
-        raise $!
-      end
-    end
-  end
+#
+# = lib/annotation_security/rails/filters.rb
+#
+
+require "active_record"
+
+module AnnotationSecurity::Rails # :nodoc:
+  
+  # Contains filters of the security layer which filter current requests,
+  # set up security context and apply security rules.
+  module Filters
+    # This filter is a before filter and is executed as the first filter in the
+    # filter chain. It initializes the security layer.
+    class InitializeSecurity
+      
+      # Initialize current security context depending on logged_in user
+      def self.filter(controller)
+        SecurityContext.initialize(controller)
+        yield
+      end
+    end
+
+    # This filter is an around filter and is executed as the last filter before
+    # execution of action. It applies the security mechanisms.
+    class ApplySecurity
+      # Applies security policies based on current user.
+      def self.filter(controller)
+        ::ActiveRecord::Base.transaction do
+          rules = controller.class.descriptions_of(controller.action_name)
+          SecurityContext.current.eval_with_security(rules){ yield }
+        end
+      rescue AnnotationSecurity::SecurityError
+        SecurityContext.security_exception = $!
+        raise $!
+      end
+    end
+  end
 end

data/lib/annotation_security/user_wrapper.rb

@@ -1,74 +1,74 @@
-#
-# = lib/annotation_security/user_wrapper.rb
-#
-
-# = AnnotationSecurity::UserWrapper
-#
-# This class is not in use!
-#
-# Needed for evaluating relations, especially if the :as-option is used.
-# 
-# Merges a user and a role. If a role is given,
-#
-class AnnotationSecurity::UserWrapper # :nodoc:
-
-  # Return user wrappers for the requested role. The role(s) will be
-  # determined with sending user.as_'role'.
-  # (Normally a user has a role only once, however it will work when he
-  # has many roles of the same kind as well)
-  def self.all_for_role(user,role_name)
-    return [] if user.nil?
-    user = user.__user__ if user.is_a? AnnotationSecurity::UserWrapper
-    return [new(user)] if role_name.nil?
-    roles = user.__send__("as_#{role_name}")
-    return [] if roles.blank?
-    roles = [roles] unless roles.is_a?(Array)
-    roles.compact.collect { |role| new(user,role) }
-  end
-
-  def initialize(user,role=nil)
-    @user = user
-    @role = role
-  end
-
-  def id
-    @role? @role.id : @user.id
-  end
-
-  def __user__
-    @user
-  end
-
-  def __role__
-    @role
-  end
-
-  def ==(obj)
-    @user == obj or (!@role.nil? and @role == obj)
-  end
-
-  # Try to send to role, user and policy of args[0]
-  #
-  def method_missing(symbol,*args,&block)
-    if @role && (@role.respond_to? symbol)
-      @role.__send__(symbol,*args,&block)
-    elsif @user.respond_to? symbol
-      @user.__send__(symbol,*args,&block)
-    elsif args.first.respond_to? :policy_for
-      args.first.policy_for(@user).__send__(symbol,*args[1..-1])
-    else
-      # This will raise a NoMethodError
-      @user.__send__(symbol,*args,&block)
-    end
-  end
-
-  def is_a?(klass)
-    return true if super(klass)
-    if @role
-      @role.is_a?(klass)
-    else
-      @user.is_a?(klass)
-    end
-  end
-
+#
+# = lib/annotation_security/user_wrapper.rb
+#
+
+# = AnnotationSecurity::UserWrapper
+#
+# This class is not in use!
+#
+# Needed for evaluating relations, especially if the :as-option is used.
+# 
+# Merges a user and a role. If a role is given,
+#
+class AnnotationSecurity::UserWrapper # :nodoc:
+
+  # Return user wrappers for the requested role. The role(s) will be
+  # determined with sending user.as_'role'.
+  # (Normally a user has a role only once, however it will work when he
+  # has many roles of the same kind as well)
+  def self.all_for_role(user,role_name)
+    return [] if user.nil?
+    user = user.__user__ if user.is_a? AnnotationSecurity::UserWrapper
+    return [new(user)] if role_name.nil?
+    roles = user.__send__("as_#{role_name}")
+    return [] if roles.blank?
+    roles = [roles] unless roles.is_a?(Array)
+    roles.compact.collect { |role| new(user,role) }
+  end
+
+  def initialize(user,role=nil)
+    @user = user
+    @role = role
+  end
+
+  def id
+    @role? @role.id : @user.id
+  end
+
+  def __user__
+    @user
+  end
+
+  def __role__
+    @role
+  end
+
+  def ==(obj)
+    @user == obj or (!@role.nil? and @role == obj)
+  end
+
+  # Try to send to role, user and policy of args[0]
+  #
+  def method_missing(symbol,*args,&block)
+    if @role && (@role.respond_to? symbol)
+      @role.__send__(symbol,*args,&block)
+    elsif @user.respond_to? symbol
+      @user.__send__(symbol,*args,&block)
+    elsif args.first.respond_to? :policy_for
+      args.first.policy_for(@user).__send__(symbol,*args[1..-1])
+    else
+      # This will raise a NoMethodError
+      @user.__send__(symbol,*args,&block)
+    end
+  end
+
+  def is_a?(klass)
+    return true if super(klass)
+    if @role
+      @role.is_a?(klass)
+    else
+      @user.is_a?(klass)
+    end
+  end
+
 end