annotation_security 1.0.2 → 1.3.1
- data/CHANGELOG +22 -0
- data/HOW-TO +261 -0
- data/{LICENSE → MIT-LICENSE} +1 -1
- data/README +39 -0
- data/Rakefile +53 -62
- data/assets/app/helpers/annotation_security_helper.rb +8 -8
- data/assets/config/initializers/annotation_security.rb +11 -11
- data/assets/config/security/relations.rb +20 -20
- data/assets/vendor/plugins/annotation_security/init.rb +14 -14
- data/bin/annotation_security +7 -7
- data/lib/annotation_security.rb +94 -103
- data/lib/annotation_security/exceptions.rb +124 -124
- data/lib/annotation_security/exec.rb +188 -188
- data/lib/annotation_security/includes/helper.rb +215 -215
- data/lib/annotation_security/includes/resource.rb +84 -84
- data/lib/annotation_security/includes/role.rb +30 -30
- data/lib/annotation_security/includes/user.rb +26 -26
- data/lib/annotation_security/manager/policy_factory.rb +29 -29
- data/lib/annotation_security/manager/policy_manager.rb +87 -79
- data/lib/annotation_security/manager/relation_loader.rb +272 -272
- data/lib/annotation_security/manager/resource_manager.rb +36 -36
- data/lib/annotation_security/manager/right_loader.rb +87 -87
- data/lib/annotation_security/policy/abstract_policy.rb +344 -344
- data/lib/annotation_security/policy/abstract_static_policy.rb +75 -75
- data/lib/annotation_security/policy/all_resources_policy.rb +20 -20
- data/lib/annotation_security/policy/rule.rb +340 -340
- data/lib/annotation_security/policy/rule_set.rb +138 -138
- data/lib/annotation_security/rails.rb +22 -39
- data/lib/{extensions → annotation_security/rails/2/extensions}/filter.rb +131 -133
- data/lib/annotation_security/rails/2/includes/action_controller.rb +144 -0
- data/lib/annotation_security/rails/2/includes/active_record.rb +28 -0
- data/lib/annotation_security/rails/2/initializer.rb +35 -0
- data/lib/annotation_security/{model_observer.rb → rails/2/model_observer.rb} +61 -61
- data/lib/annotation_security/rails/3/extensions/filter.rb +28 -0
- data/lib/annotation_security/{includes → rails/3/includes}/action_controller.rb +143 -144
- data/lib/annotation_security/{includes → rails/3/includes}/active_record.rb +27 -27
- data/lib/annotation_security/rails/3/initializer.rb +40 -0
- data/lib/annotation_security/rails/3/model_observer.rb +61 -0
- data/lib/annotation_security/rails/extensions.rb +21 -0
- data/lib/{extensions → annotation_security/rails/extensions}/action_controller.rb +31 -32
- data/lib/{extensions → annotation_security/rails/extensions}/active_record.rb +33 -34
- data/lib/{extensions → annotation_security/rails/extensions}/object.rb +10 -10
- data/lib/annotation_security/{filters.rb → rails/filters.rb} +37 -37
- data/lib/annotation_security/user_wrapper.rb +73 -73
- data/lib/annotation_security/utils.rb +141 -141
- data/lib/security_context.rb +588 -589
- data/spec/annotation_security/exceptions_spec.rb +16 -16
- data/spec/annotation_security/includes/helper_spec.rb +82 -82
- data/spec/annotation_security/manager/policy_manager_spec.rb +15 -15
- data/spec/annotation_security/manager/resource_manager_spec.rb +17 -17
- data/spec/annotation_security/manager/right_loader_spec.rb +17 -17
- data/spec/annotation_security/policy/abstract_policy_spec.rb +16 -16
- data/spec/annotation_security/policy/all_resources_policy_spec.rb +24 -24
- data/spec/annotation_security/policy/rule_set_spec.rb +112 -112
- data/spec/annotation_security/policy/rule_spec.rb +77 -77
- data/spec/annotation_security/policy/test_policy_spec.rb +80 -80
- data/spec/annotation_security/security_context_spec.rb +129 -78
- data/spec/annotation_security/utils_spec.rb +73 -73
- data/spec/helper/test_controller.rb +65 -65
- data/spec/helper/test_helper.rb +5 -5
- data/spec/helper/test_relations.rb +6 -6
- data/spec/helper/test_resource.rb +38 -38
- data/spec/helper/test_role.rb +21 -21
- data/spec/helper/test_user.rb +31 -31
- data/spec/rails_stub.rb +44 -37
- metadata +110 -96
- data/CHANGELOG.md +0 -14
- data/HOW-TO.md +0 -275
- data/README.md +0 -39
- data/lib/annotation_security/version.rb +0 -10
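--- a/data/spec/annotation_security/policy/rule_spec.rb
+++ b/data/spec/annotation_security/policy/rule_spec.rb
@@ -1,78 +1,78 @@
-require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
-
-describe AnnotationSecurity::Rule do
-
-before(:all) do
-AnnotationSecurity.define_relations(:rule_test_res) do
-res_dummy
-sys_dummy(:system) { false }
-pre_dummy :pretest
-noc_dummy :system, :require_credential => false
-
-res_dummy_test { has_res_dummy }
-sys_dummy_test "if is_sys_dummy"
-end
-end
-
-it 'should create valid dynamic relations' do
-rule = AnnotationSecurity::Rule.new(:res_proc, RuleTestResPolicy) { |u,r| true }
-rule.to_s.should == '<RuleTestResPolicy#res_proc[--du]>'
-rule = AnnotationSecurity::Rule.new(:res, RuleTestResPolicy, :resource)
-rule.to_s.should == '<RuleTestResPolicy#res[--du]>'
-end
-
-it 'should create valid static relations' do
-rule = AnnotationSecurity::Rule.new(:sys_proc, RuleTestResPolicy, :system) { true }
-rule.to_s.should == '<RuleTestResPolicy#sys_proc[-s-u]>'
-end
-
-it 'should create valid pretest relations' do
-rule = AnnotationSecurity::Rule.new(:pre_proc, RuleTestResPolicy, :pretest) { true }
-rule.to_s.should == '<RuleTestResPolicy#pre_proc[-sdu]>'
-end
-
-it 'should create valid relations without user' do
-rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy, :require_credential => false)
-rule.to_s.should == '<RuleTestResPolicy#no_u[--d-]>'
-rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy,
-:system, :require_credential => false)
-rule.to_s.should == '<RuleTestResPolicy#no_u[-s--]>'
-rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy,
-:pretest, :require_credential => false)
-rule.to_s.should == '<RuleTestResPolicy#no_u[-sd-]>'
-end
-
-it 'should create valid rights' do
-{
-'if res_dummy' => '-du',
-'if sys_dummy' => 's-u',
-'if pre_dummy' => 'sdu',
-'if res_dummy or sys_dummy' => '-du',
-'if res_dummy or pre_dummy' => '-du',
-'if sys_dummy or pre_dummy' => 'sdu',
-'if noc_dummy' => 's--',
-'if noc_dummy or sys_dummy' => 's-u',
-'if noc_dummy or res_dummy' => '-du',
-'if self' => '-du',
-'if other_right: resource_property' => '-du',
-'true' => 's--',
-'false or nil' => 's--'
-}.each_pair do |condition,flags|
-right = AnnotationSecurity::Rule.new(:right, RuleTestResPolicy, :right, condition)
-right.flag_s.should == 'r???'
-right.static? # trigger lazy initialization
-right.flag_s.should == 'r'+flags
-end
-end
-
-it 'should call referred rules when being executed' do
-policy = RuleTestResPolicy.new(:user,:res)
-
-policy.expects(:res_dummy).returns(true)
-policy.res_dummy_test.should be_true
-
-policy.expects(:sys_dummy).returns(false)
-policy.sys_dummy_test?.should be_false
-end
-
+require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
+
+describe AnnotationSecurity::Rule do
+
+before(:all) do
+AnnotationSecurity.define_relations(:rule_test_res) do
+res_dummy
+sys_dummy(:system) { false }
+pre_dummy :pretest
+noc_dummy :system, :require_credential => false
+
+res_dummy_test { has_res_dummy }
+sys_dummy_test "if is_sys_dummy"
+end
+end
+
+it 'should create valid dynamic relations' do
+rule = AnnotationSecurity::Rule.new(:res_proc, RuleTestResPolicy) { |u,r| true }
+rule.to_s.should == '<RuleTestResPolicy#res_proc[--du]>'
+rule = AnnotationSecurity::Rule.new(:res, RuleTestResPolicy, :resource)
+rule.to_s.should == '<RuleTestResPolicy#res[--du]>'
+end
+
+it 'should create valid static relations' do
+rule = AnnotationSecurity::Rule.new(:sys_proc, RuleTestResPolicy, :system) { true }
+rule.to_s.should == '<RuleTestResPolicy#sys_proc[-s-u]>'
+end
+
+it 'should create valid pretest relations' do
+rule = AnnotationSecurity::Rule.new(:pre_proc, RuleTestResPolicy, :pretest) { true }
+rule.to_s.should == '<RuleTestResPolicy#pre_proc[-sdu]>'
+end
+
+it 'should create valid relations without user' do
+rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy, :require_credential => false)
+rule.to_s.should == '<RuleTestResPolicy#no_u[--d-]>'
+rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy,
+:system, :require_credential => false)
+rule.to_s.should == '<RuleTestResPolicy#no_u[-s--]>'
+rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy,
+:pretest, :require_credential => false)
+rule.to_s.should == '<RuleTestResPolicy#no_u[-sd-]>'
+end
+
+it 'should create valid rights' do
+{
+'if res_dummy' => '-du',
+'if sys_dummy' => 's-u',
+'if pre_dummy' => 'sdu',
+'if res_dummy or sys_dummy' => '-du',
+'if res_dummy or pre_dummy' => '-du',
+'if sys_dummy or pre_dummy' => 'sdu',
+'if noc_dummy' => 's--',
+'if noc_dummy or sys_dummy' => 's-u',
+'if noc_dummy or res_dummy' => '-du',
+'if self' => '-du',
+'if other_right: resource_property' => '-du',
+'true' => 's--',
+'false or nil' => 's--'
+}.each_pair do |condition,flags|
+right = AnnotationSecurity::Rule.new(:right, RuleTestResPolicy, :right, condition)
+right.flag_s.should == 'r???'
+right.static? # trigger lazy initialization
+right.flag_s.should == 'r'+flags
+end
+end
+
+it 'should call referred rules when being executed' do
+policy = RuleTestResPolicy.new(:user,:res)
+
+policy.expects(:res_dummy).returns(true)
+policy.res_dummy_test.should be_true
+
+policy.expects(:sys_dummy).returns(false)
+policy.sys_dummy_test?.should be_false
+end
+
 end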
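--- a/data/spec/annotation_security/policy/test_policy_spec.rb
+++ b/data/spec/annotation_security/policy/test_policy_spec.rb
@@ -1,81 +1,81 @@
-require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
-
-AnnotationSecurity.define_relations(:a_test) do
-sys_relation :system
-res_relation :resource
-pre_relation :pretest
-end
-
-describe ATestPolicy do
-
-it 'should be dynamic' do
-ATestPolicy.static?.should be_false
-end
-
-it 'should have a static partner' do
-ATestPolicy.static_policy_class.should eql(ATestStaticPolicy)
-end
-
-it 'should know its resource type' do
-ATestPolicy.resource_type.should eql(:a_test)
-end
-
-it 'should have all rules' do
-ATestPolicy.has_rule?(:sys_relation).should be_true
-ATestPolicy.has_rule?(:res_relation).should be_true
-ATestPolicy.has_rule?(:pre_relation).should be_true
-end
-
-it 'should be aware of the evaluation time of a rule' do
-ATestPolicy.has_dynamic_rule?(:sys_relation).should be_false
-ATestPolicy.has_dynamic_rule?(:res_relation).should be_true
-ATestPolicy.has_dynamic_rule?(:pre_relation).should be_true
-
-ATestPolicy.has_static_rule?(:sys_relation).should be_true
-ATestPolicy.has_static_rule?(:res_relation).should be_false
-ATestPolicy.has_static_rule?(:pre_relation).should be_true
-end
-
-it 'should have access to rules defined for all resources' do
-ATestPolicy.has_rule?(:__self__).should be_true
-ATestPolicy.has_rule?(:logged_in).should be_true
-end
-#
-# it 'should be possible to add rules'
-#
-# it 'should be possible to evaluate a list of rules (static/dynamic/both)'
-
-end
-
-describe ATestStaticPolicy do
-
-it 'should be static' do
-ATestStaticPolicy.static?.should be_true
-end
-
-it 'should not have a static partner' do
-lambda {
-ATestStaticPolicy.static_policy_class
-}.should raise_error(NameError)
-end
-
-it 'should know its resource type' do
-ATestStaticPolicy.resource_type.should eql(:a_test)
-end
-
-it 'should use the rule set of the dynamic policy' do
-ATestStaticPolicy.rule_set.should eql(ATestPolicy.rule_set)
-end
-
-it 'should have all static rules' do
-ATestStaticPolicy.has_rule?(:sys_relation).should be_true
-ATestStaticPolicy.has_rule?(:res_relation).should be_false
-ATestStaticPolicy.has_rule?(:pre_relation).should be_true
-end
-
-it 'should have access to static rules defined for all resources' do
-ATestStaticPolicy.has_rule?(:__self__).should be_false
-ATestStaticPolicy.has_rule?(:logged_in).should be_true
-end
-
+require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
+
+AnnotationSecurity.define_relations(:a_test) do
+sys_relation :system
+res_relation :resource
+pre_relation :pretest
+end
+
+describe ATestPolicy do
+
+it 'should be dynamic' do
+ATestPolicy.static?.should be_false
+end
+
+it 'should have a static partner' do
+ATestPolicy.static_policy_class.should eql(ATestStaticPolicy)
+end
+
+it 'should know its resource type' do
+ATestPolicy.resource_type.should eql(:a_test)
+end
+
+it 'should have all rules' do
+ATestPolicy.has_rule?(:sys_relation).should be_true
+ATestPolicy.has_rule?(:res_relation).should be_true
+ATestPolicy.has_rule?(:pre_relation).should be_true
+end
+
+it 'should be aware of the evaluation time of a rule' do
+ATestPolicy.has_dynamic_rule?(:sys_relation).should be_false
+ATestPolicy.has_dynamic_rule?(:res_relation).should be_true
+ATestPolicy.has_dynamic_rule?(:pre_relation).should be_true
+
+ATestPolicy.has_static_rule?(:sys_relation).should be_true
+ATestPolicy.has_static_rule?(:res_relation).should be_false
+ATestPolicy.has_static_rule?(:pre_relation).should be_true
+end
+
+it 'should have access to rules defined for all resources' do
+ATestPolicy.has_rule?(:__self__).should be_true
+ATestPolicy.has_rule?(:logged_in).should be_true
+end
+#
+# it 'should be possible to add rules'
+#
+# it 'should be possible to evaluate a list of rules (static/dynamic/both)'
+
+end
+
+describe ATestStaticPolicy do
+
+it 'should be static' do
+ATestStaticPolicy.static?.should be_true
+end
+
+it 'should not have a static partner' do
+lambda {
+ATestStaticPolicy.static_policy_class
+}.should raise_error(NameError)
+end
+
+it 'should know its resource type' do
+ATestStaticPolicy.resource_type.should eql(:a_test)
+end
+
+it 'should use the rule set of the dynamic policy' do
+ATestStaticPolicy.rule_set.should eql(ATestPolicy.rule_set)
+end
+
+it 'should have all static rules' do
+ATestStaticPolicy.has_rule?(:sys_relation).should be_true
+ATestStaticPolicy.has_rule?(:res_relation).should be_false
+ATestStaticPolicy.has_rule?(:pre_relation).should be_true
+end
+
+it 'should have access to static rules defined for all resources' do
+ATestStaticPolicy.has_rule?(:__self__).should be_false
+ATestStaticPolicy.has_rule?(:logged_in).should be_true
+end
+
 end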
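--- a/data/spec/annotation_security/security_context_spec.rb
+++ b/data/spec/annotation_security/security_context_spec.rb
@@ -1,78 +1,129 @@
-require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
-
-describe SecurityContext do
-
-before(:each) do
-@user1 = TestUser.new 'theuser'
-@user2 = TestUser.new 'otheruser'
-end
-
-it "should check 'logged_in' for 'show'" do
-request(@user1, :show, { :id => 'theuser' }).should succeed
-request(@user2, :show, { :id => 'theuser' }).should succeed
-request(nil, :show, { :id => 'theuser' }).should fail
-end
-
-it "should check 'owner' for 'edit'" do
-request(@user1, :edit, { :id => 'theuser' }).should succeed
-request(@user2, :edit, { :id => 'theuser' }).should fail
-end
-
-it "should check 'logged_in' and 'owner' for 'show_edit'" do
-request(@user1, :show_edit, { :id => 'theuser' }).should succeed
-request(@user2, :show_edit, { :id => 'theuser' }).should fail
-end
-
-it "should check 'owner' for 'delete' based on :id" do
-request(@user1, :delete, { :id => 'theuser' }).should succeed
-request(@user2, :delete, { :id => 'theuser' }).should fail
-end
-
-it "should not call action if check based on :id fails" do
-TestController.expects(:enter_delete).never
-request(@user2, :delete, { :id => 'theuser' }).should fail
-end
-
-it "should check 'owner' for 'list' based on @list" do
-request(@user1, :list, { :id1 => 'theuser', :id2 => 'theuser' }).should succeed
-request(@user1, :list, { :id1 => 'theuser', :id2 => 'otheruser' }).should fail
-request(@user1, :list, { :id1 => 'otheruser', :id2 => 'theuser' }).should fail
-end
-
-it "should not be disturbed by calls to #render" do
-TestController.expects(:exit_render).twice
-request(@user1, :edit_with_render,
-{ :id1 => 'theuser', :id2 => 'theuser' }).should succeed
-request(@user1, :edit_with_render,
-{ :id1 => 'theuser', :id2 => 'otheruser' }).should fail
-end
-
-it "should check rules before #render" do
-TestController.expects(:exit_render).never
-request(@user1, :edit_with_render,
-{ :id1 => 'otheruser', :id2 => 'theuser' }).should fail
-end
-
-
-
-
-controller
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
+
+describe SecurityContext do
+
+before(:each) do
+@user1 = TestUser.new 'theuser'
+@user2 = TestUser.new 'otheruser'
+end
+
+it "should check 'logged_in' for 'show'" do
+request(@user1, :show, { :id => 'theuser' }).should succeed
+request(@user2, :show, { :id => 'theuser' }).should succeed
+request(nil, :show, { :id => 'theuser' }).should fail
+end
+
+it "should check 'owner' for 'edit'" do
+request(@user1, :edit, { :id => 'theuser' }).should succeed
+request(@user2, :edit, { :id => 'theuser' }).should fail
+end
+
+it "should check 'logged_in' and 'owner' for 'show_edit'" do
+request(@user1, :show_edit, { :id => 'theuser' }).should succeed
+request(@user2, :show_edit, { :id => 'theuser' }).should fail
+end
+
+it "should check 'owner' for 'delete' based on :id" do
+request(@user1, :delete, { :id => 'theuser' }).should succeed
+request(@user2, :delete, { :id => 'theuser' }).should fail
+end
+
+it "should not call action if check based on :id fails" do
+TestController.expects(:enter_delete).never
+request(@user2, :delete, { :id => 'theuser' }).should fail
+end
+
+it "should check 'owner' for 'list' based on @list" do
+request(@user1, :list, { :id1 => 'theuser', :id2 => 'theuser' }).should succeed
+request(@user1, :list, { :id1 => 'theuser', :id2 => 'otheruser' }).should fail
+request(@user1, :list, { :id1 => 'otheruser', :id2 => 'theuser' }).should fail
+end
+
+it "should not be disturbed by calls to #render" do
+TestController.expects(:exit_render).twice
+request(@user1, :edit_with_render,
+{ :id1 => 'theuser', :id2 => 'theuser' }).should succeed
+request(@user1, :edit_with_render,
+{ :id1 => 'theuser', :id2 => 'otheruser' }).should fail
+end
+
+it "should check rules before #render" do
+TestController.expects(:exit_render).never
+request(@user1, :edit_with_render,
+{ :id1 => 'otheruser', :id2 => 'theuser' }).should fail
+end
+
+it "should disable security inside #without_security!" do
+request(@user1, :list, { :id1 => 'theuser', :id2 => 'otheruser' }).should fail
+
+block = proc do |rules, controller, action|
+SecurityContext.without_security! do
+SecurityContext.current.enabled?.should be_false
+SecurityContext.current.send_with_security(rules, controller, action)
+end
+SecurityContext.current.enabled?.should be_true
+end
+
+request(@user1, :list, { :id1 => 'theuser', :id2 => 'otheruser' }, &block).should succeed
+end
+
+# simulates an action invokation in rails
+def request(user, action, params, &block)
+controller = TestController.new
+controller.test_init(action, params)
+SecurityContext.initialize(controller)
+SecurityContext.credential = user
+rules = controller.class.descriptions_of(action)
+if block
+yield(rules, controller, action)
+else
+SecurityContext.current.send_with_security(rules, controller, action)
+end
+
+'no_error'
+rescue SecurityViolationError => sve
+sve
+end
+
+def succeed
+eql 'no_error'
+end
+
+def fail
+be_instance_of SecurityViolationError
+end
+
+end
+
+describe 'SecurityContext#allowed?' do
+
+before(:each) do
+controller = TestController.new
+SecurityContext.initialize(controller)
+SecurityContext.credential = TestUser.new 'theuser'
+@res1 = TestResource.new 'theuser'
+@res2 = TestResource.new 'otheruser'
+end
+
+it "should accept symbol and object" do
+SecurityContext.allowed?(:edit, @res1).should be_true
+SecurityContext.allowed?(:edit, @res2).should be_false
+end
+
+it "should accept string and object" do
+SecurityContext.allowed?('edit', @res1).should be_true
+SecurityContext.allowed?('edit', @res2).should be_false
+end
+
+it "should accept description strings " do
+SecurityContext.allowed?('edits a test_resource', @res1).should be_true
+SecurityContext.allowed?('edits the test_resource (in @res2 which should fail)', @res2).should be_false
+end
+
+it "should not accept description strings with a source" do
+lambda {
+SecurityContext.allowed?('edits test_resource in @res1', @res1)
+}.should raise_error(ArgumentError)
+end
+
+end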
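Review bot: `def fail` at new line 92 shadows `Kernel#fail` (the alias of `raise`) for every example in this describe block, so a bare `fail 'msg'` written inside an example would return a matcher instead of raising; a non-colliding name such as `def be_denied` with the call sites changed to `.should be_denied` avoids that trap. The `without_security!` example at new lines 56–68 only covers the path where the block returns normally, so it cannot tell whether security stays disabled after an exception raised inside the block — from this spec alone it is not visible whether `without_security!` restores `enabled?` in an `ensure`, and a leak there would leave later checks in the same request unenforced. An additional example that raises inside the block, then asserts `enabled?` is true and that a denied request is still denied, would pin that behaviour down. The `request` helper at new lines 71–86 rescues only `SecurityViolationError`, which is appropriate here but means any other exception aborts the example rather than being reported as a denial.
```ruby
it "should re-enable security when the #without_security! block raises" do
  block = proc do |rules, controller, action|
    begin
      SecurityContext.without_security! { raise 'boom' }
    rescue RuntimeError
    end
    SecurityContext.current.enabled?.should be_true
    SecurityContext.current.send_with_security(rules, controller, action)
  end

  request(@user1, :list, { :id1 => 'theuser', :id2 => 'otheruser' }, &block).should fail
end
# … unchanged: request / succeed / fail helpers …
```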