annotation_security 1.0.2 → 1.3.1

  1. data/CHANGELOG +22 -0
  2. data/HOW-TO +261 -0
  3. data/{LICENSE → MIT-LICENSE} +1 -1
  4. data/README +39 -0
  5. data/Rakefile +53 -62
  6. data/assets/app/helpers/annotation_security_helper.rb +8 -8
  7. data/assets/config/initializers/annotation_security.rb +11 -11
  8. data/assets/config/security/relations.rb +20 -20
  9. data/assets/vendor/plugins/annotation_security/init.rb +14 -14
  10. data/bin/annotation_security +7 -7
  11. data/lib/annotation_security.rb +94 -103
  12. data/lib/annotation_security/exceptions.rb +124 -124
  13. data/lib/annotation_security/exec.rb +188 -188
  14. data/lib/annotation_security/includes/helper.rb +215 -215
  15. data/lib/annotation_security/includes/resource.rb +84 -84
  16. data/lib/annotation_security/includes/role.rb +30 -30
  17. data/lib/annotation_security/includes/user.rb +26 -26
  18. data/lib/annotation_security/manager/policy_factory.rb +29 -29
  19. data/lib/annotation_security/manager/policy_manager.rb +87 -79
  20. data/lib/annotation_security/manager/relation_loader.rb +272 -272
  21. data/lib/annotation_security/manager/resource_manager.rb +36 -36
  22. data/lib/annotation_security/manager/right_loader.rb +87 -87
  23. data/lib/annotation_security/policy/abstract_policy.rb +344 -344
  24. data/lib/annotation_security/policy/abstract_static_policy.rb +75 -75
  25. data/lib/annotation_security/policy/all_resources_policy.rb +20 -20
  26. data/lib/annotation_security/policy/rule.rb +340 -340
  27. data/lib/annotation_security/policy/rule_set.rb +138 -138
  28. data/lib/annotation_security/rails.rb +22 -39
  29. data/lib/{extensions → annotation_security/rails/2/extensions}/filter.rb +131 -133
  30. data/lib/annotation_security/rails/2/includes/action_controller.rb +144 -0
  31. data/lib/annotation_security/rails/2/includes/active_record.rb +28 -0
  32. data/lib/annotation_security/rails/2/initializer.rb +35 -0
  33. data/lib/annotation_security/{model_observer.rb → rails/2/model_observer.rb} +61 -61
  34. data/lib/annotation_security/rails/3/extensions/filter.rb +28 -0
  35. data/lib/annotation_security/{includes → rails/3/includes}/action_controller.rb +143 -144
  36. data/lib/annotation_security/{includes → rails/3/includes}/active_record.rb +27 -27
  37. data/lib/annotation_security/rails/3/initializer.rb +40 -0
  38. data/lib/annotation_security/rails/3/model_observer.rb +61 -0
  39. data/lib/annotation_security/rails/extensions.rb +21 -0
  40. data/lib/{extensions → annotation_security/rails/extensions}/action_controller.rb +31 -32
  41. data/lib/{extensions → annotation_security/rails/extensions}/active_record.rb +33 -34
  42. data/lib/{extensions → annotation_security/rails/extensions}/object.rb +10 -10
  43. data/lib/annotation_security/{filters.rb → rails/filters.rb} +37 -37
  44. data/lib/annotation_security/user_wrapper.rb +73 -73
  45. data/lib/annotation_security/utils.rb +141 -141
  46. data/lib/security_context.rb +588 -589
  47. data/spec/annotation_security/exceptions_spec.rb +16 -16
  48. data/spec/annotation_security/includes/helper_spec.rb +82 -82
  49. data/spec/annotation_security/manager/policy_manager_spec.rb +15 -15
  50. data/spec/annotation_security/manager/resource_manager_spec.rb +17 -17
  51. data/spec/annotation_security/manager/right_loader_spec.rb +17 -17
  52. data/spec/annotation_security/policy/abstract_policy_spec.rb +16 -16
  53. data/spec/annotation_security/policy/all_resources_policy_spec.rb +24 -24
  54. data/spec/annotation_security/policy/rule_set_spec.rb +112 -112
  55. data/spec/annotation_security/policy/rule_spec.rb +77 -77
  56. data/spec/annotation_security/policy/test_policy_spec.rb +80 -80
  57. data/spec/annotation_security/security_context_spec.rb +129 -78
  58. data/spec/annotation_security/utils_spec.rb +73 -73
  59. data/spec/helper/test_controller.rb +65 -65
  60. data/spec/helper/test_helper.rb +5 -5
  61. data/spec/helper/test_relations.rb +6 -6
  62. data/spec/helper/test_resource.rb +38 -38
  63. data/spec/helper/test_role.rb +21 -21
  64. data/spec/helper/test_user.rb +31 -31
  65. data/spec/rails_stub.rb +44 -37
  66. metadata +110 -96
  67. data/CHANGELOG.md +0 -14
  68. data/HOW-TO.md +0 -275
  69. data/README.md +0 -39
  70. data/lib/annotation_security/version.rb +0 -10
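--- a/data/spec/annotation_security/policy/rule_spec.rb
+++ b/data/spec/annotation_security/policy/rule_spec.rb
@@ -1,78 +1,78 @@
-require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
-
-describe AnnotationSecurity::Rule do
-
-before(:all) do
-AnnotationSecurity.define_relations(:rule_test_res) do
-res_dummy
-sys_dummy(:system) { false }
-pre_dummy :pretest
-noc_dummy :system, :require_credential => false
-
-res_dummy_test { has_res_dummy }
-sys_dummy_test "if is_sys_dummy"
-end
-end
-
-it 'should create valid dynamic relations' do
-rule = AnnotationSecurity::Rule.new(:res_proc, RuleTestResPolicy) { |u,r| true }
-rule.to_s.should == '<RuleTestResPolicy#res_proc[--du]>'
-rule = AnnotationSecurity::Rule.new(:res, RuleTestResPolicy, :resource)
-rule.to_s.should == '<RuleTestResPolicy#res[--du]>'
-end
-
-it 'should create valid static relations' do
-rule = AnnotationSecurity::Rule.new(:sys_proc, RuleTestResPolicy, :system) { true }
-rule.to_s.should == '<RuleTestResPolicy#sys_proc[-s-u]>'
-end
-
-it 'should create valid pretest relations' do
-rule = AnnotationSecurity::Rule.new(:pre_proc, RuleTestResPolicy, :pretest) { true }
-rule.to_s.should == '<RuleTestResPolicy#pre_proc[-sdu]>'
-end
-
-it 'should create valid relations without user' do
-rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy, :require_credential => false)
-rule.to_s.should == '<RuleTestResPolicy#no_u[--d-]>'
-rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy,
-:system, :require_credential => false)
-rule.to_s.should == '<RuleTestResPolicy#no_u[-s--]>'
-rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy,
-:pretest, :require_credential => false)
-rule.to_s.should == '<RuleTestResPolicy#no_u[-sd-]>'
-end
-
-it 'should create valid rights' do
-{
-'if res_dummy' => '-du',
-'if sys_dummy' => 's-u',
-'if pre_dummy' => 'sdu',
-'if res_dummy or sys_dummy' => '-du',
-'if res_dummy or pre_dummy' => '-du',
-'if sys_dummy or pre_dummy' => 'sdu',
-'if noc_dummy' => 's--',
-'if noc_dummy or sys_dummy' => 's-u',
-'if noc_dummy or res_dummy' => '-du',
-'if self' => '-du',
-'if other_right: resource_property' => '-du',
-'true' => 's--',
-'false or nil' => 's--'
-}.each_pair do |condition,flags|
-right = AnnotationSecurity::Rule.new(:right, RuleTestResPolicy, :right, condition)
-right.flag_s.should == 'r???'
-right.static? # trigger lazy initialization
-right.flag_s.should == 'r'+flags
-end
-end
-
-it 'should call referred rules when being executed' do
-policy = RuleTestResPolicy.new(:user,:res)
-
-policy.expects(:res_dummy).returns(true)
-policy.res_dummy_test.should be_true
-
-policy.expects(:sys_dummy).returns(false)
-policy.sys_dummy_test?.should be_false
-end
-
+require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
+
+describe AnnotationSecurity::Rule do
+
+before(:all) do
+AnnotationSecurity.define_relations(:rule_test_res) do
+res_dummy
+sys_dummy(:system) { false }
+pre_dummy :pretest
+noc_dummy :system, :require_credential => false
+
+res_dummy_test { has_res_dummy }
+sys_dummy_test "if is_sys_dummy"
+end
+end
+
+it 'should create valid dynamic relations' do
+rule = AnnotationSecurity::Rule.new(:res_proc, RuleTestResPolicy) { |u,r| true }
+rule.to_s.should == '<RuleTestResPolicy#res_proc[--du]>'
+rule = AnnotationSecurity::Rule.new(:res, RuleTestResPolicy, :resource)
+rule.to_s.should == '<RuleTestResPolicy#res[--du]>'
+end
+
+it 'should create valid static relations' do
+rule = AnnotationSecurity::Rule.new(:sys_proc, RuleTestResPolicy, :system) { true }
+rule.to_s.should == '<RuleTestResPolicy#sys_proc[-s-u]>'
+end
+
+it 'should create valid pretest relations' do
+rule = AnnotationSecurity::Rule.new(:pre_proc, RuleTestResPolicy, :pretest) { true }
+rule.to_s.should == '<RuleTestResPolicy#pre_proc[-sdu]>'
+end
+
+it 'should create valid relations without user' do
+rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy, :require_credential => false)
+rule.to_s.should == '<RuleTestResPolicy#no_u[--d-]>'
+rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy,
+:system, :require_credential => false)
+rule.to_s.should == '<RuleTestResPolicy#no_u[-s--]>'
+rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy,
+:pretest, :require_credential => false)
+rule.to_s.should == '<RuleTestResPolicy#no_u[-sd-]>'
+end
+
+it 'should create valid rights' do
+{
+'if res_dummy' => '-du',
+'if sys_dummy' => 's-u',
+'if pre_dummy' => 'sdu',
+'if res_dummy or sys_dummy' => '-du',
+'if res_dummy or pre_dummy' => '-du',
+'if sys_dummy or pre_dummy' => 'sdu',
+'if noc_dummy' => 's--',
+'if noc_dummy or sys_dummy' => 's-u',
+'if noc_dummy or res_dummy' => '-du',
+'if self' => '-du',
+'if other_right: resource_property' => '-du',
+'true' => 's--',
+'false or nil' => 's--'
+}.each_pair do |condition,flags|
+right = AnnotationSecurity::Rule.new(:right, RuleTestResPolicy, :right, condition)
+right.flag_s.should == 'r???'
+right.static? # trigger lazy initialization
+right.flag_s.should == 'r'+flags
+end
+end
+
+it 'should call referred rules when being executed' do
+policy = RuleTestResPolicy.new(:user,:res)
+
+policy.expects(:res_dummy).returns(true)
+policy.res_dummy_test.should be_true
+
+policy.expects(:sys_dummy).returns(false)
+policy.sys_dummy_test?.should be_false
+end
+
 end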
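--- a/data/spec/annotation_security/policy/test_policy_spec.rb
+++ b/data/spec/annotation_security/policy/test_policy_spec.rb
@@ -1,81 +1,81 @@
-require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
-
-AnnotationSecurity.define_relations(:a_test) do
-sys_relation :system
-res_relation :resource
-pre_relation :pretest
-end
-
-describe ATestPolicy do
-
-it 'should be dynamic' do
-ATestPolicy.static?.should be_false
-end
-
-it 'should have a static partner' do
-ATestPolicy.static_policy_class.should eql(ATestStaticPolicy)
-end
-
-it 'should know its resource type' do
-ATestPolicy.resource_type.should eql(:a_test)
-end
-
-it 'should have all rules' do
-ATestPolicy.has_rule?(:sys_relation).should be_true
-ATestPolicy.has_rule?(:res_relation).should be_true
-ATestPolicy.has_rule?(:pre_relation).should be_true
-end
-
-it 'should be aware of the evaluation time of a rule' do
-ATestPolicy.has_dynamic_rule?(:sys_relation).should be_false
-ATestPolicy.has_dynamic_rule?(:res_relation).should be_true
-ATestPolicy.has_dynamic_rule?(:pre_relation).should be_true
-
-ATestPolicy.has_static_rule?(:sys_relation).should be_true
-ATestPolicy.has_static_rule?(:res_relation).should be_false
-ATestPolicy.has_static_rule?(:pre_relation).should be_true
-end
-
-it 'should have access to rules defined for all resources' do
-ATestPolicy.has_rule?(:__self__).should be_true
-ATestPolicy.has_rule?(:logged_in).should be_true
-end
-#
-# it 'should be possible to add rules'
-#
-# it 'should be possible to evaluate a list of rules (static/dynamic/both)'
-
-end
-
-describe ATestStaticPolicy do
-
-it 'should be static' do
-ATestStaticPolicy.static?.should be_true
-end
-
-it 'should not have a static partner' do
-lambda {
-ATestStaticPolicy.static_policy_class
-}.should raise_error(NameError)
-end
-
-it 'should know its resource type' do
-ATestStaticPolicy.resource_type.should eql(:a_test)
-end
-
-it 'should use the rule set of the dynamic policy' do
-ATestStaticPolicy.rule_set.should eql(ATestPolicy.rule_set)
-end
-
-it 'should have all static rules' do
-ATestStaticPolicy.has_rule?(:sys_relation).should be_true
-ATestStaticPolicy.has_rule?(:res_relation).should be_false
-ATestStaticPolicy.has_rule?(:pre_relation).should be_true
-end
-
-it 'should have access to static rules defined for all resources' do
-ATestStaticPolicy.has_rule?(:__self__).should be_false
-ATestStaticPolicy.has_rule?(:logged_in).should be_true
-end
-
+require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
+
+AnnotationSecurity.define_relations(:a_test) do
+sys_relation :system
+res_relation :resource
+pre_relation :pretest
+end
+
+describe ATestPolicy do
+
+it 'should be dynamic' do
+ATestPolicy.static?.should be_false
+end
+
+it 'should have a static partner' do
+ATestPolicy.static_policy_class.should eql(ATestStaticPolicy)
+end
+
+it 'should know its resource type' do
+ATestPolicy.resource_type.should eql(:a_test)
+end
+
+it 'should have all rules' do
+ATestPolicy.has_rule?(:sys_relation).should be_true
+ATestPolicy.has_rule?(:res_relation).should be_true
+ATestPolicy.has_rule?(:pre_relation).should be_true
+end
+
+it 'should be aware of the evaluation time of a rule' do
+ATestPolicy.has_dynamic_rule?(:sys_relation).should be_false
+ATestPolicy.has_dynamic_rule?(:res_relation).should be_true
+ATestPolicy.has_dynamic_rule?(:pre_relation).should be_true
+
+ATestPolicy.has_static_rule?(:sys_relation).should be_true
+ATestPolicy.has_static_rule?(:res_relation).should be_false
+ATestPolicy.has_static_rule?(:pre_relation).should be_true
+end
+
+it 'should have access to rules defined for all resources' do
+ATestPolicy.has_rule?(:__self__).should be_true
+ATestPolicy.has_rule?(:logged_in).should be_true
+end
+#
+# it 'should be possible to add rules'
+#
+# it 'should be possible to evaluate a list of rules (static/dynamic/both)'
+
+end
+
+describe ATestStaticPolicy do
+
+it 'should be static' do
+ATestStaticPolicy.static?.should be_true
+end
+
+it 'should not have a static partner' do
+lambda {
+ATestStaticPolicy.static_policy_class
+}.should raise_error(NameError)
+end
+
+it 'should know its resource type' do
+ATestStaticPolicy.resource_type.should eql(:a_test)
+end
+
+it 'should use the rule set of the dynamic policy' do
+ATestStaticPolicy.rule_set.should eql(ATestPolicy.rule_set)
+end
+
+it 'should have all static rules' do
+ATestStaticPolicy.has_rule?(:sys_relation).should be_true
+ATestStaticPolicy.has_rule?(:res_relation).should be_false
+ATestStaticPolicy.has_rule?(:pre_relation).should be_true
+end
+
+it 'should have access to static rules defined for all resources' do
+ATestStaticPolicy.has_rule?(:__self__).should be_false
+ATestStaticPolicy.has_rule?(:logged_in).should be_true
+end
+
 end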
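--- a/data/spec/annotation_security/security_context_spec.rb
+++ b/data/spec/annotation_security/security_context_spec.rb
@@ -1,78 +1,129 @@
-require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
-
-describe SecurityContext do
-
-before(:each) do
-@user1 = TestUser.new 'theuser'
-@user2 = TestUser.new 'otheruser'
-end
-
-it "should check 'logged_in' for 'show'" do
-request(@user1, :show, { :id => 'theuser' }).should succeed
-request(@user2, :show, { :id => 'theuser' }).should succeed
-request(nil, :show, { :id => 'theuser' }).should fail
-end
-
-it "should check 'owner' for 'edit'" do
-request(@user1, :edit, { :id => 'theuser' }).should succeed
-request(@user2, :edit, { :id => 'theuser' }).should fail
-end
-
-it "should check 'logged_in' and 'owner' for 'show_edit'" do
-request(@user1, :show_edit, { :id => 'theuser' }).should succeed
-request(@user2, :show_edit, { :id => 'theuser' }).should fail
-end
-
-it "should check 'owner' for 'delete' based on :id" do
-request(@user1, :delete, { :id => 'theuser' }).should succeed
-request(@user2, :delete, { :id => 'theuser' }).should fail
-end
-
-it "should not call action if check based on :id fails" do
-TestController.expects(:enter_delete).never
-request(@user2, :delete, { :id => 'theuser' }).should fail
-end
-
-it "should check 'owner' for 'list' based on @list" do
-request(@user1, :list, { :id1 => 'theuser', :id2 => 'theuser' }).should succeed
-request(@user1, :list, { :id1 => 'theuser', :id2 => 'otheruser' }).should fail
-request(@user1, :list, { :id1 => 'otheruser', :id2 => 'theuser' }).should fail
-end
-
-it "should not be disturbed by calls to #render" do
-TestController.expects(:exit_render).twice
-request(@user1, :edit_with_render,
-{ :id1 => 'theuser', :id2 => 'theuser' }).should succeed
-request(@user1, :edit_with_render,
-{ :id1 => 'theuser', :id2 => 'otheruser' }).should fail
-end
-
-it "should check rules before #render" do
-TestController.expects(:exit_render).never
-request(@user1, :edit_with_render,
-{ :id1 => 'otheruser', :id2 => 'theuser' }).should fail
-end
-
-# simulates an action invokation in rails
-def request(user, action, params)
-controller = TestController.new
-controller.test_init(action, params)
-SecurityContext.initialize(controller)
-SecurityContext.credential = user
-rules = controller.class.descriptions_of(action)
-SecurityContext.current.send_with_security(rules, controller, action)
-'no_error'
-rescue SecurityViolationError => sve
-sve
-end
-
-def succeed
-eql 'no_error'
-end
-
-def fail
-be_instance_of SecurityViolationError
-end
-
-end
-
+require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
+
+describe SecurityContext do
+
+before(:each) do
+@user1 = TestUser.new 'theuser'
+@user2 = TestUser.new 'otheruser'
+end
+
+it "should check 'logged_in' for 'show'" do
+request(@user1, :show, { :id => 'theuser' }).should succeed
+request(@user2, :show, { :id => 'theuser' }).should succeed
+request(nil, :show, { :id => 'theuser' }).should fail
+end
+
+it "should check 'owner' for 'edit'" do
+request(@user1, :edit, { :id => 'theuser' }).should succeed
+request(@user2, :edit, { :id => 'theuser' }).should fail
+end
+
+it "should check 'logged_in' and 'owner' for 'show_edit'" do
+request(@user1, :show_edit, { :id => 'theuser' }).should succeed
+request(@user2, :show_edit, { :id => 'theuser' }).should fail
+end
+
+it "should check 'owner' for 'delete' based on :id" do
+request(@user1, :delete, { :id => 'theuser' }).should succeed
+request(@user2, :delete, { :id => 'theuser' }).should fail
+end
+
+it "should not call action if check based on :id fails" do
+TestController.expects(:enter_delete).never
+request(@user2, :delete, { :id => 'theuser' }).should fail
+end
+
+it "should check 'owner' for 'list' based on @list" do
+request(@user1, :list, { :id1 => 'theuser', :id2 => 'theuser' }).should succeed
+request(@user1, :list, { :id1 => 'theuser', :id2 => 'otheruser' }).should fail
+request(@user1, :list, { :id1 => 'otheruser', :id2 => 'theuser' }).should fail
+end
+
+it "should not be disturbed by calls to #render" do
+TestController.expects(:exit_render).twice
+request(@user1, :edit_with_render,
+{ :id1 => 'theuser', :id2 => 'theuser' }).should succeed
+request(@user1, :edit_with_render,
+{ :id1 => 'theuser', :id2 => 'otheruser' }).should fail
+end
+
+it "should check rules before #render" do
+TestController.expects(:exit_render).never
+request(@user1, :edit_with_render,
+{ :id1 => 'otheruser', :id2 => 'theuser' }).should fail
+end
+
+it "should disable security inside #without_security!" do
+request(@user1, :list, { :id1 => 'theuser', :id2 => 'otheruser' }).should fail
+
+block = proc do |rules, controller, action|
+SecurityContext.without_security! do
+SecurityContext.current.enabled?.should be_false
+SecurityContext.current.send_with_security(rules, controller, action)
+end
+SecurityContext.current.enabled?.should be_true
+end
+
+request(@user1, :list, { :id1 => 'theuser', :id2 => 'otheruser' }, &block).should succeed
+end
+
+# simulates an action invokation in rails
+def request(user, action, params, &block)
+controller = TestController.new
+controller.test_init(action, params)
+SecurityContext.initialize(controller)
+SecurityContext.credential = user
+rules = controller.class.descriptions_of(action)
+if block
+yield(rules, controller, action)
+else
+SecurityContext.current.send_with_security(rules, controller, action)
+end
+
+'no_error'
+rescue SecurityViolationError => sve
+sve
+end
+
+def succeed
+eql 'no_error'
+end
+
+def fail
+be_instance_of SecurityViolationError
+end
+
+end
+
+describe 'SecurityContext#allowed?' do
+
+before(:each) do
+controller = TestController.new
+SecurityContext.initialize(controller)
+SecurityContext.credential = TestUser.new 'theuser'
+@res1 = TestResource.new 'theuser'
+@res2 = TestResource.new 'otheruser'
+end
+
+it "should accept symbol and object" do
+SecurityContext.allowed?(:edit, @res1).should be_true
+SecurityContext.allowed?(:edit, @res2).should be_false
+end
+
+it "should accept string and object" do
+SecurityContext.allowed?('edit', @res1).should be_true
+SecurityContext.allowed?('edit', @res2).should be_false
+end
+
+it "should accept description strings " do
+SecurityContext.allowed?('edits a test_resource', @res1).should be_true
+SecurityContext.allowed?('edits the test_resource (in @res2 which should fail)', @res2).should be_false
+end
+
+it "should not accept description strings with a source" do
+lambda {
+SecurityContext.allowed?('edits test_resource in @res1', @res1)
+}.should raise_error(ArgumentError)
+end
+
+end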
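Review bot: The new `without_security!` example (new lines 56–68) only verifies that `enabled?` is true again after the block returns normally; it never exercises the path where the block raises, which is the case that matters for a switch that turns checks off, because a request that keeps running after an exception inside the block would do so with security disabled if the flag is not restored. I would add a second example in the same `describe` that raises inside `without_security!`, rescues, asserts `enabled?` is true again and then calls `send_with_security` with the failing `:list` parameters so the outcome is `fail`; whether `without_security!` restores the flag in an `ensure` cannot be seen from this hunk, which is exactly why the spec should pin it. Separately, `request` now declares `&block` but checks `if block` and then uses `yield`; either `block_given?` with `yield` or `block.call(rules, controller, action)` would be the more usual pairing. The `before(:each)` in `describe 'SecurityContext#allowed?'` initialises the global `SecurityContext` and sets a credential with no `after` hook, so that state presumably leaks into later examples in the run; a teardown is worth adding if `SecurityContext` offers a reset.
```ruby
it "should re-enable security if the block inside #without_security! raises" do
  block = proc do |rules, controller, action|
    begin
      SecurityContext.without_security! { raise 'boom' }
    rescue RuntimeError
      # the exception must not leave the context with security disabled
    end
    SecurityContext.current.enabled?.should be_true
    SecurityContext.current.send_with_security(rules, controller, action)
  end

  request(@user1, :list, { :id1 => 'theuser', :id2 => 'otheruser' }, &block).should fail
end
```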