annotation_security 1.0.2 → 1.3.1
- data/CHANGELOG +22 -0
- data/HOW-TO +261 -0
- data/{LICENSE → MIT-LICENSE} +1 -1
- data/README +39 -0
- data/Rakefile +53 -62
- data/assets/app/helpers/annotation_security_helper.rb +8 -8
- data/assets/config/initializers/annotation_security.rb +11 -11
- data/assets/config/security/relations.rb +20 -20
- data/assets/vendor/plugins/annotation_security/init.rb +14 -14
- data/bin/annotation_security +7 -7
- data/lib/annotation_security.rb +94 -103
- data/lib/annotation_security/exceptions.rb +124 -124
- data/lib/annotation_security/exec.rb +188 -188
- data/lib/annotation_security/includes/helper.rb +215 -215
- data/lib/annotation_security/includes/resource.rb +84 -84
- data/lib/annotation_security/includes/role.rb +30 -30
- data/lib/annotation_security/includes/user.rb +26 -26
- data/lib/annotation_security/manager/policy_factory.rb +29 -29
- data/lib/annotation_security/manager/policy_manager.rb +87 -79
- data/lib/annotation_security/manager/relation_loader.rb +272 -272
- data/lib/annotation_security/manager/resource_manager.rb +36 -36
- data/lib/annotation_security/manager/right_loader.rb +87 -87
- data/lib/annotation_security/policy/abstract_policy.rb +344 -344
- data/lib/annotation_security/policy/abstract_static_policy.rb +75 -75
- data/lib/annotation_security/policy/all_resources_policy.rb +20 -20
- data/lib/annotation_security/policy/rule.rb +340 -340
- data/lib/annotation_security/policy/rule_set.rb +138 -138
- data/lib/annotation_security/rails.rb +22 -39
- data/lib/{extensions → annotation_security/rails/2/extensions}/filter.rb +131 -133
- data/lib/annotation_security/rails/2/includes/action_controller.rb +144 -0
- data/lib/annotation_security/rails/2/includes/active_record.rb +28 -0
- data/lib/annotation_security/rails/2/initializer.rb +35 -0
- data/lib/annotation_security/{model_observer.rb → rails/2/model_observer.rb} +61 -61
- data/lib/annotation_security/rails/3/extensions/filter.rb +28 -0
- data/lib/annotation_security/{includes → rails/3/includes}/action_controller.rb +143 -144
- data/lib/annotation_security/{includes → rails/3/includes}/active_record.rb +27 -27
- data/lib/annotation_security/rails/3/initializer.rb +40 -0
- data/lib/annotation_security/rails/3/model_observer.rb +61 -0
- data/lib/annotation_security/rails/extensions.rb +21 -0
- data/lib/{extensions → annotation_security/rails/extensions}/action_controller.rb +31 -32
- data/lib/{extensions → annotation_security/rails/extensions}/active_record.rb +33 -34
- data/lib/{extensions → annotation_security/rails/extensions}/object.rb +10 -10
- data/lib/annotation_security/{filters.rb → rails/filters.rb} +37 -37
- data/lib/annotation_security/user_wrapper.rb +73 -73
- data/lib/annotation_security/utils.rb +141 -141
- data/lib/security_context.rb +588 -589
- data/spec/annotation_security/exceptions_spec.rb +16 -16
- data/spec/annotation_security/includes/helper_spec.rb +82 -82
- data/spec/annotation_security/manager/policy_manager_spec.rb +15 -15
- data/spec/annotation_security/manager/resource_manager_spec.rb +17 -17
- data/spec/annotation_security/manager/right_loader_spec.rb +17 -17
- data/spec/annotation_security/policy/abstract_policy_spec.rb +16 -16
- data/spec/annotation_security/policy/all_resources_policy_spec.rb +24 -24
- data/spec/annotation_security/policy/rule_set_spec.rb +112 -112
- data/spec/annotation_security/policy/rule_spec.rb +77 -77
- data/spec/annotation_security/policy/test_policy_spec.rb +80 -80
- data/spec/annotation_security/security_context_spec.rb +129 -78
- data/spec/annotation_security/utils_spec.rb +73 -73
- data/spec/helper/test_controller.rb +65 -65
- data/spec/helper/test_helper.rb +5 -5
- data/spec/helper/test_relations.rb +6 -6
- data/spec/helper/test_resource.rb +38 -38
- data/spec/helper/test_role.rb +21 -21
- data/spec/helper/test_user.rb +31 -31
- data/spec/rails_stub.rb +44 -37
- metadata +110 -96
- data/CHANGELOG.md +0 -14
- data/HOW-TO.md +0 -275
- data/README.md +0 -39
- data/lib/annotation_security/version.rb +0 -10
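--- a/data/spec/annotation_security/policy/rule_spec.rb
+++ b/data/spec/annotation_security/policy/rule_spec.rb
@@ -1,78 +1,78 @@
-require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
-
-describe AnnotationSecurity::Rule do
-
-before(:all) do
-AnnotationSecurity.define_relations(:rule_test_res) do
-res_dummy
-sys_dummy(:system) { false }
-pre_dummy :pretest
-noc_dummy :system, :require_credential => false
-
-res_dummy_test { has_res_dummy }
-sys_dummy_test "if is_sys_dummy"
-end
-end
-
-it 'should create valid dynamic relations' do
-rule = AnnotationSecurity::Rule.new(:res_proc, RuleTestResPolicy) { |u,r| true }
-rule.to_s.should == '<RuleTestResPolicy#res_proc[--du]>'
-rule = AnnotationSecurity::Rule.new(:res, RuleTestResPolicy, :resource)
-rule.to_s.should == '<RuleTestResPolicy#res[--du]>'
-end
-
-it 'should create valid static relations' do
-rule = AnnotationSecurity::Rule.new(:sys_proc, RuleTestResPolicy, :system) { true }
-rule.to_s.should == '<RuleTestResPolicy#sys_proc[-s-u]>'
-end
-
-it 'should create valid pretest relations' do
-rule = AnnotationSecurity::Rule.new(:pre_proc, RuleTestResPolicy, :pretest) { true }
-rule.to_s.should == '<RuleTestResPolicy#pre_proc[-sdu]>'
-end
-
-it 'should create valid relations without user' do
-rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy, :require_credential => false)
-rule.to_s.should == '<RuleTestResPolicy#no_u[--d-]>'
-rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy,
-:system, :require_credential => false)
-rule.to_s.should == '<RuleTestResPolicy#no_u[-s--]>'
-rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy,
-:pretest, :require_credential => false)
-rule.to_s.should == '<RuleTestResPolicy#no_u[-sd-]>'
-end
-
-it 'should create valid rights' do
-{
-'if res_dummy' => '-du',
-'if sys_dummy' => 's-u',
-'if pre_dummy' => 'sdu',
-'if res_dummy or sys_dummy' => '-du',
-'if res_dummy or pre_dummy' => '-du',
-'if sys_dummy or pre_dummy' => 'sdu',
-'if noc_dummy' => 's--',
-'if noc_dummy or sys_dummy' => 's-u',
-'if noc_dummy or res_dummy' => '-du',
-'if self' => '-du',
-'if other_right: resource_property' => '-du',
-'true' => 's--',
-'false or nil' => 's--'
-}.each_pair do |condition,flags|
-right = AnnotationSecurity::Rule.new(:right, RuleTestResPolicy, :right, condition)
-right.flag_s.should == 'r???'
-right.static? # trigger lazy initialization
-right.flag_s.should == 'r'+flags
-end
-end
-
-it 'should call referred rules when being executed' do
-policy = RuleTestResPolicy.new(:user,:res)
-
-policy.expects(:res_dummy).returns(true)
-policy.res_dummy_test.should be_true
-
-policy.expects(:sys_dummy).returns(false)
-policy.sys_dummy_test?.should be_false
-end
-
+require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
+
+describe AnnotationSecurity::Rule do
+
+before(:all) do
+AnnotationSecurity.define_relations(:rule_test_res) do
+res_dummy
+sys_dummy(:system) { false }
+pre_dummy :pretest
+noc_dummy :system, :require_credential => false
+
+res_dummy_test { has_res_dummy }
+sys_dummy_test "if is_sys_dummy"
+end
+end
+
+it 'should create valid dynamic relations' do
+rule = AnnotationSecurity::Rule.new(:res_proc, RuleTestResPolicy) { |u,r| true }
+rule.to_s.should == '<RuleTestResPolicy#res_proc[--du]>'
+rule = AnnotationSecurity::Rule.new(:res, RuleTestResPolicy, :resource)
+rule.to_s.should == '<RuleTestResPolicy#res[--du]>'
+end
+
+it 'should create valid static relations' do
+rule = AnnotationSecurity::Rule.new(:sys_proc, RuleTestResPolicy, :system) { true }
+rule.to_s.should == '<RuleTestResPolicy#sys_proc[-s-u]>'
+end
+
+it 'should create valid pretest relations' do
+rule = AnnotationSecurity::Rule.new(:pre_proc, RuleTestResPolicy, :pretest) { true }
+rule.to_s.should == '<RuleTestResPolicy#pre_proc[-sdu]>'
+end
+
+it 'should create valid relations without user' do
+rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy, :require_credential => false)
+rule.to_s.should == '<RuleTestResPolicy#no_u[--d-]>'
+rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy,
+:system, :require_credential => false)
+rule.to_s.should == '<RuleTestResPolicy#no_u[-s--]>'
+rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy,
+:pretest, :require_credential => false)
+rule.to_s.should == '<RuleTestResPolicy#no_u[-sd-]>'
+end
+
+it 'should create valid rights' do
+{
+'if res_dummy' => '-du',
+'if sys_dummy' => 's-u',
+'if pre_dummy' => 'sdu',
+'if res_dummy or sys_dummy' => '-du',
+'if res_dummy or pre_dummy' => '-du',
+'if sys_dummy or pre_dummy' => 'sdu',
+'if noc_dummy' => 's--',
+'if noc_dummy or sys_dummy' => 's-u',
+'if noc_dummy or res_dummy' => '-du',
+'if self' => '-du',
+'if other_right: resource_property' => '-du',
+'true' => 's--',
+'false or nil' => 's--'
+}.each_pair do |condition,flags|
+right = AnnotationSecurity::Rule.new(:right, RuleTestResPolicy, :right, condition)
+right.flag_s.should == 'r???'
+right.static? # trigger lazy initialization
+right.flag_s.should == 'r'+flags
+end
+end
+
+it 'should call referred rules when being executed' do
+policy = RuleTestResPolicy.new(:user,:res)
+
+policy.expects(:res_dummy).returns(true)
+policy.res_dummy_test.should be_true
+
+policy.expects(:sys_dummy).returns(false)
+policy.sys_dummy_test?.should be_false
+end
+
 end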
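--- a/data/spec/annotation_security/policy/test_policy_spec.rb
+++ b/data/spec/annotation_security/policy/test_policy_spec.rb
@@ -1,81 +1,81 @@
-require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
-
-AnnotationSecurity.define_relations(:a_test) do
-sys_relation :system
-res_relation :resource
-pre_relation :pretest
-end
-
-describe ATestPolicy do
-
-it 'should be dynamic' do
-ATestPolicy.static?.should be_false
-end
-
-it 'should have a static partner' do
-ATestPolicy.static_policy_class.should eql(ATestStaticPolicy)
-end
-
-it 'should know its resource type' do
-ATestPolicy.resource_type.should eql(:a_test)
-end
-
-it 'should have all rules' do
-ATestPolicy.has_rule?(:sys_relation).should be_true
-ATestPolicy.has_rule?(:res_relation).should be_true
-ATestPolicy.has_rule?(:pre_relation).should be_true
-end
-
-it 'should be aware of the evaluation time of a rule' do
-ATestPolicy.has_dynamic_rule?(:sys_relation).should be_false
-ATestPolicy.has_dynamic_rule?(:res_relation).should be_true
-ATestPolicy.has_dynamic_rule?(:pre_relation).should be_true
-
-ATestPolicy.has_static_rule?(:sys_relation).should be_true
-ATestPolicy.has_static_rule?(:res_relation).should be_false
-ATestPolicy.has_static_rule?(:pre_relation).should be_true
-end
-
-it 'should have access to rules defined for all resources' do
-ATestPolicy.has_rule?(:__self__).should be_true
-ATestPolicy.has_rule?(:logged_in).should be_true
-end
-#
-# it 'should be possible to add rules'
-#
-# it 'should be possible to evaluate a list of rules (static/dynamic/both)'
-
-end
-
-describe ATestStaticPolicy do
-
-it 'should be static' do
-ATestStaticPolicy.static?.should be_true
-end
-
-it 'should not have a static partner' do
-lambda {
-ATestStaticPolicy.static_policy_class
-}.should raise_error(NameError)
-end
-
-it 'should know its resource type' do
-ATestStaticPolicy.resource_type.should eql(:a_test)
-end
-
-it 'should use the rule set of the dynamic policy' do
-ATestStaticPolicy.rule_set.should eql(ATestPolicy.rule_set)
-end
-
-it 'should have all static rules' do
-ATestStaticPolicy.has_rule?(:sys_relation).should be_true
-ATestStaticPolicy.has_rule?(:res_relation).should be_false
-ATestStaticPolicy.has_rule?(:pre_relation).should be_true
-end
-
-it 'should have access to static rules defined for all resources' do
-ATestStaticPolicy.has_rule?(:__self__).should be_false
-ATestStaticPolicy.has_rule?(:logged_in).should be_true
-end
-
+require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
+
+AnnotationSecurity.define_relations(:a_test) do
+sys_relation :system
+res_relation :resource
+pre_relation :pretest
+end
+
+describe ATestPolicy do
+
+it 'should be dynamic' do
+ATestPolicy.static?.should be_false
+end
+
+it 'should have a static partner' do
+ATestPolicy.static_policy_class.should eql(ATestStaticPolicy)
+end
+
+it 'should know its resource type' do
+ATestPolicy.resource_type.should eql(:a_test)
+end
+
+it 'should have all rules' do
+ATestPolicy.has_rule?(:sys_relation).should be_true
+ATestPolicy.has_rule?(:res_relation).should be_true
+ATestPolicy.has_rule?(:pre_relation).should be_true
+end
+
+it 'should be aware of the evaluation time of a rule' do
+ATestPolicy.has_dynamic_rule?(:sys_relation).should be_false
+ATestPolicy.has_dynamic_rule?(:res_relation).should be_true
+ATestPolicy.has_dynamic_rule?(:pre_relation).should be_true
+
+ATestPolicy.has_static_rule?(:sys_relation).should be_true
+ATestPolicy.has_static_rule?(:res_relation).should be_false
+ATestPolicy.has_static_rule?(:pre_relation).should be_true
+end
+
+it 'should have access to rules defined for all resources' do
+ATestPolicy.has_rule?(:__self__).should be_true
+ATestPolicy.has_rule?(:logged_in).should be_true
+end
+#
+# it 'should be possible to add rules'
+#
+# it 'should be possible to evaluate a list of rules (static/dynamic/both)'
+
+end
+
+describe ATestStaticPolicy do
+
+it 'should be static' do
+ATestStaticPolicy.static?.should be_true
+end
+
+it 'should not have a static partner' do
+lambda {
+ATestStaticPolicy.static_policy_class
+}.should raise_error(NameError)
+end
+
+it 'should know its resource type' do
+ATestStaticPolicy.resource_type.should eql(:a_test)
+end
+
+it 'should use the rule set of the dynamic policy' do
+ATestStaticPolicy.rule_set.should eql(ATestPolicy.rule_set)
+end
+
+it 'should have all static rules' do
+ATestStaticPolicy.has_rule?(:sys_relation).should be_true
+ATestStaticPolicy.has_rule?(:res_relation).should be_false
+ATestStaticPolicy.has_rule?(:pre_relation).should be_true
+end
+
+it 'should have access to static rules defined for all resources' do
+ATestStaticPolicy.has_rule?(:__self__).should be_false
+ATestStaticPolicy.has_rule?(:logged_in).should be_true
+end
+
 end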
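--- a/data/spec/annotation_security/security_context_spec.rb
+++ b/data/spec/annotation_security/security_context_spec.rb
@@ -1,78 +1,129 @@
-require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
-
-describe SecurityContext do
-
-before(:each) do
-@user1 = TestUser.new 'theuser'
-@user2 = TestUser.new 'otheruser'
-end
-
-it "should check 'logged_in' for 'show'" do
-request(@user1, :show, { :id => 'theuser' }).should succeed
-request(@user2, :show, { :id => 'theuser' }).should succeed
-request(nil, :show, { :id => 'theuser' }).should fail
-end
-
-it "should check 'owner' for 'edit'" do
-request(@user1, :edit, { :id => 'theuser' }).should succeed
-request(@user2, :edit, { :id => 'theuser' }).should fail
-end
-
-it "should check 'logged_in' and 'owner' for 'show_edit'" do
-request(@user1, :show_edit, { :id => 'theuser' }).should succeed
-request(@user2, :show_edit, { :id => 'theuser' }).should fail
-end
-
-it "should check 'owner' for 'delete' based on :id" do
-request(@user1, :delete, { :id => 'theuser' }).should succeed
-request(@user2, :delete, { :id => 'theuser' }).should fail
-end
-
-it "should not call action if check based on :id fails" do
-TestController.expects(:enter_delete).never
-request(@user2, :delete, { :id => 'theuser' }).should fail
-end
-
-it "should check 'owner' for 'list' based on @list" do
-request(@user1, :list, { :id1 => 'theuser', :id2 => 'theuser' }).should succeed
-request(@user1, :list, { :id1 => 'theuser', :id2 => 'otheruser' }).should fail
-request(@user1, :list, { :id1 => 'otheruser', :id2 => 'theuser' }).should fail
-end
-
-it "should not be disturbed by calls to #render" do
-TestController.expects(:exit_render).twice
-request(@user1, :edit_with_render,
-{ :id1 => 'theuser', :id2 => 'theuser' }).should succeed
-request(@user1, :edit_with_render,
-{ :id1 => 'theuser', :id2 => 'otheruser' }).should fail
-end
-
-it "should check rules before #render" do
-TestController.expects(:exit_render).never
-request(@user1, :edit_with_render,
-{ :id1 => 'otheruser', :id2 => 'theuser' }).should fail
-end
-
-
-
-
-controller
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
+
+describe SecurityContext do
+
+before(:each) do
+@user1 = TestUser.new 'theuser'
+@user2 = TestUser.new 'otheruser'
+end
+
+it "should check 'logged_in' for 'show'" do
+request(@user1, :show, { :id => 'theuser' }).should succeed
+request(@user2, :show, { :id => 'theuser' }).should succeed
+request(nil, :show, { :id => 'theuser' }).should fail
+end
+
+it "should check 'owner' for 'edit'" do
+request(@user1, :edit, { :id => 'theuser' }).should succeed
+request(@user2, :edit, { :id => 'theuser' }).should fail
+end
+
+it "should check 'logged_in' and 'owner' for 'show_edit'" do
+request(@user1, :show_edit, { :id => 'theuser' }).should succeed
+request(@user2, :show_edit, { :id => 'theuser' }).should fail
+end
+
+it "should check 'owner' for 'delete' based on :id" do
+request(@user1, :delete, { :id => 'theuser' }).should succeed
+request(@user2, :delete, { :id => 'theuser' }).should fail
+end
+
+it "should not call action if check based on :id fails" do
+TestController.expects(:enter_delete).never
+request(@user2, :delete, { :id => 'theuser' }).should fail
+end
+
+it "should check 'owner' for 'list' based on @list" do
+request(@user1, :list, { :id1 => 'theuser', :id2 => 'theuser' }).should succeed
+request(@user1, :list, { :id1 => 'theuser', :id2 => 'otheruser' }).should fail
+request(@user1, :list, { :id1 => 'otheruser', :id2 => 'theuser' }).should fail
+end
+
+it "should not be disturbed by calls to #render" do
+TestController.expects(:exit_render).twice
+request(@user1, :edit_with_render,
+{ :id1 => 'theuser', :id2 => 'theuser' }).should succeed
+request(@user1, :edit_with_render,
+{ :id1 => 'theuser', :id2 => 'otheruser' }).should fail
+end
+
+it "should check rules before #render" do
+TestController.expects(:exit_render).never
+request(@user1, :edit_with_render,
+{ :id1 => 'otheruser', :id2 => 'theuser' }).should fail
+end
+
+it "should disable security inside #without_security!" do
+request(@user1, :list, { :id1 => 'theuser', :id2 => 'otheruser' }).should fail
+
+block = proc do |rules, controller, action|
+SecurityContext.without_security! do
+SecurityContext.current.enabled?.should be_false
+SecurityContext.current.send_with_security(rules, controller, action)
+end
+SecurityContext.current.enabled?.should be_true
+end
+
+request(@user1, :list, { :id1 => 'theuser', :id2 => 'otheruser' }, &block).should succeed
+end
+
+# simulates an action invokation in rails
+def request(user, action, params, &block)
+controller = TestController.new
+controller.test_init(action, params)
+SecurityContext.initialize(controller)
+SecurityContext.credential = user
+rules = controller.class.descriptions_of(action)
+if block
+yield(rules, controller, action)
+else
+SecurityContext.current.send_with_security(rules, controller, action)
+end
+
+'no_error'
+rescue SecurityViolationError => sve
+sve
+end
+
+def succeed
+eql 'no_error'
+end
+
+def fail
+be_instance_of SecurityViolationError
+end
+
+end
+
+describe 'SecurityContext#allowed?' do
+
+before(:each) do
+controller = TestController.new
+SecurityContext.initialize(controller)
+SecurityContext.credential = TestUser.new 'theuser'
+@res1 = TestResource.new 'theuser'
+@res2 = TestResource.new 'otheruser'
+end
+
+it "should accept symbol and object" do
+SecurityContext.allowed?(:edit, @res1).should be_true
+SecurityContext.allowed?(:edit, @res2).should be_false
+end
+
+it "should accept string and object" do
+SecurityContext.allowed?('edit', @res1).should be_true
+SecurityContext.allowed?('edit', @res2).should be_false
+end
+
+it "should accept description strings " do
+SecurityContext.allowed?('edits a test_resource', @res1).should be_true
+SecurityContext.allowed?('edits the test_resource (in @res2 which should fail)', @res2).should be_false
+end
+
+it "should not accept description strings with a source" do
+lambda {
+SecurityContext.allowed?('edits test_resource in @res1', @res1)
+}.should raise_error(ArgumentError)
+end
+
+end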
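Review bot: The new `without_security!` example (new lines 56-68) only exercises the happy path, so the `SecurityContext.current.enabled?.should be_true` assertion on line 64 is never reached if `send_with_security` raises inside the block, and a fail-open where security stays disabled after an exception would go unnoticed. Whether `without_security!` restores the flag in an `ensure` cannot be seen from this spec, since the implementation lives in security_context.rb, which is not in this hunk; a second example that raises inside the block and then checks both `enabled?` and that a following `send_with_security` is still denied would pin that contract down. Separately, `def fail` on line 92 shadows `Kernel#fail` for every example in this group, so a stray `fail "msg"` would build a matcher instead of raising; a name such as `be_denied` avoids that.
```ruby
it "should re-enable security when #without_security! raises" do
  block = proc do |rules, controller, action|
    lambda {
      SecurityContext.without_security! { raise 'boom' }
    }.should raise_error(RuntimeError)
    SecurityContext.current.enabled?.should be_true
    SecurityContext.current.send_with_security(rules, controller, action)
  end

  request(@user1, :list, { :id1 => 'theuser', :id2 => 'otheruser' }, &block).should fail
end
# … unchanged: request / succeed / fail helpers …
```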