annotation_security 1.0.2 → 1.3.1

data/spec/rails_stub.rb

@@ -1,38 +1,45 @@
-# AnnoationSecurity requires rails.
-# Here are some stubs to simulate a rails environment for testing.
-#
-
-RAILS_ROOT = ''
-RAILS_ENV = {}
-
-class ConfigStub
-  def config
-    self
-  end
-end
-
-module ActiveRecord
-  class Observer
-    def self.observe(*args)
-    end
-  end
-end
-
-module ActionController
-  class Base
-    def render(*args)
-    end
-    def redirect_to(*args)
-    end
-  end
-  module Routing
-    class Routes
-    end
-  end
-  module Filters
-    class Filter
-    end
-    class AroundFilter < Filter
-    end
-  end
+# AnnoationSecurity requires rails.
+# Here are some stubs to simulate a rails environment for testing.
+#
+
+class Rails
+  def root
+    Pathname.new('')
+  end
+
+  def env
+    return {}
+  end
+end
+
+class ConfigStub
+  def config
+    self
+  end
+end
+
+module ActiveRecord
+  class Observer
+    def self.observe(*args)
+    end
+  end
+end
+
+module ActionController
+  class Base
+    def render(*args)
+    end
+    def redirect_to(*args)
+    end
+  end
+  module Routing
+    class Routes
+    end
+  end
+  module Filters
+    class Filter
+    end
+    class AroundFilter < Filter
+    end
+  end
 end

metadata

@@ -1,105 +1,102 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification 
 name: annotation_security
-version: !ruby/object:Gem::Version
-  version: 1.0.2
-  prerelease: 
+version: !ruby/object:Gem::Version 
+  prerelease: false
+  segments: 
+  - 1
+  - 3
+  - 1
+  version: 1.3.1
 platform: ruby
-authors:
+authors: 
 - Nico Rehwaldt, Arian Treffer
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-03-23 00:00:00.000000000 Z
-dependencies:
-- !ruby/object:Gem::Dependency
+
+date: 2010-11-19 00:00:00 +01:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
   name: action_annotation
-  requirement: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: 1.0.1
-  type: :runtime
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
+  requirement: &id001 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 1
+        - 0
+        - 1
         version: 1.0.1
-- !ruby/object:Gem::Dependency
-  name: activesupport
-  requirement: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: 2.3.18
   type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: activesupport
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
+  requirement: &id002 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: 2.3.18
-- !ruby/object:Gem::Dependency
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 2
+        - 3
+        - 5
+        version: 2.3.5
+  type: :runtime
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
   name: rspec
-  requirement: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: 1.3.2
-  type: :development
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: 1.3.2
-- !ruby/object:Gem::Dependency
-  name: mocha
-  requirement: !ruby/object:Gem::Requirement
+  requirement: &id003 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: 0.9.8
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 1
+        - 2
+        - 0
+        version: 1.2.0
   type: :development
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency 
+  name: mocha
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
+  requirement: &id004 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        - 9
+        - 8
         version: 0.9.8
-description: AnnotationSecurity provides a role based security model with automated
-  rule evaluation for Ruby on Rails. It allows you to define user-resource-relations
-  and rights in separate files, keeping your controllers and views free from any security
-  logic. See the gem's homepage for an example.
+  type: :development
+  version_requirements: *id004
+description: AnnotationSecurity provides a role based security model with automated rule evaluation for Ruby on Rails. It allows you to define user-resource-relations and rights in separate files, keeping your controllers and views free from any security logic. See the gem's homepage for an example.
 email: ruby@nixis.de
-executables:
+executables: 
 - annotation_security
 extensions: []
-extra_rdoc_files:
-- README.md
-- LICENSE
-- CHANGELOG.md
-- HOW-TO.md
-files:
-- CHANGELOG.md
-- LICENSE
-- README.md
-- HOW-TO.md
+
+extra_rdoc_files: 
+- README
+- MIT-LICENSE
+- CHANGELOG
+- HOW-TO
+files: 
+- CHANGELOG
+- MIT-LICENSE
+- README
+- HOW-TO
 - Rakefile
 - bin/annotation_security
 - lib/annotation_security/exceptions.rb
 - lib/annotation_security/exec.rb
-- lib/annotation_security/filters.rb
-- lib/annotation_security/includes/action_controller.rb
-- lib/annotation_security/includes/active_record.rb
 - lib/annotation_security/includes/helper.rb
 - lib/annotation_security/includes/resource.rb
 - lib/annotation_security/includes/role.rb
@@ -109,21 +106,30 @@ files:
 - lib/annotation_security/manager/relation_loader.rb
 - lib/annotation_security/manager/resource_manager.rb
 - lib/annotation_security/manager/right_loader.rb
-- lib/annotation_security/model_observer.rb
 - lib/annotation_security/policy/abstract_policy.rb
 - lib/annotation_security/policy/abstract_static_policy.rb
 - lib/annotation_security/policy/all_resources_policy.rb
 - lib/annotation_security/policy/rule.rb
 - lib/annotation_security/policy/rule_set.rb
+- lib/annotation_security/rails/2/extensions/filter.rb
+- lib/annotation_security/rails/2/includes/action_controller.rb
+- lib/annotation_security/rails/2/includes/active_record.rb
+- lib/annotation_security/rails/2/initializer.rb
+- lib/annotation_security/rails/2/model_observer.rb
+- lib/annotation_security/rails/3/extensions/filter.rb
+- lib/annotation_security/rails/3/includes/action_controller.rb
+- lib/annotation_security/rails/3/includes/active_record.rb
+- lib/annotation_security/rails/3/initializer.rb
+- lib/annotation_security/rails/3/model_observer.rb
+- lib/annotation_security/rails/extensions/action_controller.rb
+- lib/annotation_security/rails/extensions/active_record.rb
+- lib/annotation_security/rails/extensions/object.rb
+- lib/annotation_security/rails/extensions.rb
+- lib/annotation_security/rails/filters.rb
 - lib/annotation_security/rails.rb
 - lib/annotation_security/user_wrapper.rb
 - lib/annotation_security/utils.rb
-- lib/annotation_security/version.rb
 - lib/annotation_security.rb
-- lib/extensions/action_controller.rb
-- lib/extensions/active_record.rb
-- lib/extensions/filter.rb
-- lib/extensions/object.rb
 - lib/security_context.rb
 - spec/annotation_security/exceptions_spec.rb
 - spec/annotation_security/includes/helper_spec.rb
@@ -151,29 +157,37 @@ files:
 - assets/config/security/relations.rb
 - assets/config/security/rights.yml
 - assets/vendor/plugins/annotation_security/init.rb
-homepage: http://github.com/Nikku/annotation_security
+has_rdoc: true
+homepage: http://tech.lefedt.de/2010/3/annotation-based-security-for-rails
 licenses: []
+
 post_install_message: 
 rdoc_options: []
-require_paths:
+
+require_paths: 
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
+required_ruby_version: !ruby/object:Gem::Requirement 
   none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
-      version: '0'
-required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
   none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
-      version: '0'
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
 requirements: []
+
 rubyforge_project: 
-rubygems_version: 1.8.23
+rubygems_version: 1.3.7
 signing_key: 
 specification_version: 3
-summary: A role based security model for rails applications with descriptive definitions
-  and automated evaluation.
+summary: A role based security model for rails applications with descriptive definitions and automated evaluation.
 test_files: []
+

data/CHANGELOG.md

@@ -1,14 +0,0 @@
-Changelog
-=========
-
-1.0.2
------
-
-* dropped rails 2.3.8 support in favour of rails 2.3.18 support
-* updated docs
-
-
-1.0.1
------
-
-* first public release

data/HOW-TO.md

@@ -1,275 +0,0 @@
-# How to secure your Rails application with Annotation Security
-
-## Step 0: Install Annotation Security
-
-Annotation Security comes as a gem hosted on rubygems.org. You can install it
-via `gem install annotation_security`.
-The gem contains a binary called `annotation_security`. It can be used to
-install the security layer into a rails app via
-`annotation_security --rails RAILS_HOME`. This will make your app ready to be
-secured.
-
-### Version Notes
-
-Use the gem version < 2 for Rails 2.3.x applications.
-Use the gem version 3.x for Rails 3.x applications.
-
-## Step 1: Defining user and roles
-
-Annotation Security assumes that there is a user class, representing the user,
-and some role classes containing additional information if the user has a
-certain role in the application.
-
-If you don't have user or role classes in your application,
-continue with step 2.
-
-### User
-
-In most cases the user class will be a subclass of `ActiveRecord::Base`,
-but this is not necessary.
-
-Include the `module AnnotationSecurity::User` into this class.
-
-    class User < ActiveRecord::Base
-      include AnnotationSecurity::User
-      ...
-
-### Roles
-
-Include the module `AnnotationSecurity::Role` into these classes. If you are
-having a hierachy of role classes, only include the module in the topmost class.
-
-    class Role < ActiveRecord::Base
-      belongs_to :user
-      include AnnotationSecurity::Role
-      ...
-
-    class Student < Role
-      # no include here
-      ...
-
-A role object should respond to `user` with returning the user object
-it belongs to.
-
-__Do not include both modules in one class!__
-
-### Connecting user and roles
-
-As next, you should provide some default methods for accessing the roles
-of a user. You can skip this step, but it will be helpfull later on.
-
-There are two types of access methods: `is_ROLE?` and `as_ROLE`.
-
-IS-methods return true or false whether a user has a role or not.
- 
-    class User < ActiveRecord::Base
-      def is_administrator?
-        self.admin_flag == 1
-      end
-
-      def is_student?
-        self.roles.any? { |role| role.is_a? Student }
-      end
-      ...
-
-AS-methods return a single object or an array of objects representing the role.
-If the user does not have the role, the result should be an empty array or nil.
-    
-    class User < ActiveRecord::Base
-      def as_administrator
-        # there is no administrator class, just return the user
-        is_administrator? ? self : nil
-      end
-      
-      def as_student
-        # assuming a user can only be student once
-        self.roles.detect { |role| role.is_a? Student }
-      end
-      
-      def as_corrector
-        # assuming a user can be a corrector several times
-        self.roles.select { |role| role.is_a? Corrector }
-      end
-
-## Step 2: Providing the current credential
-
-To evaluate the security policies, for each request the current credential has
-to be provided. Therefore, a new filter type was introduced: security filters
-are around filters that are always the first in the filter chain. You can also
-use these filters to react to security violations.
-
-In this example, the user is simply fetched from the session. However, you
-could also pass a symbol or a string (e.g. if you are using API-keys).
-
-Passing `nil` will be interpreted as not being authenticated in any way.
-
-    class ApplicationController < ActionController::Base
-    
-      security_filter :security_filter
-
-      private
-
-      def security_filter
-        SecurityContext.current_credential = session[:user]
-        yield
-      rescue SecurityViolationError
-        if SecurityContext.is? :logged_in
-         render :template => "welcome/not_allowed"
-        else
-         render :template => "welcome/please_login"
-        end
-      end
-
-Please notice that once set, the credential cannot be changed.
-
-## Step 3: Defining your resources
-
-Another wild assumption we made is that your application contains some resources
-you want to protect. In most cases, this will be your ActiveRecord classes.
-To turn them into resources, just call `resource(symbol)` in the class
-definition.
-
-    class Course < ActiveRecord::Base
-      resource :course
-      ...
-
-The symbol is used to further identify this class and should be unique.
-
-It is possible (and likely) that the users and roles are resources as well.
-
-If you want to restrict access to other resource classes, see
-`AnnotationSecurity::Resource` for more information.
-
-## Step 4: Defining relations and rights
-
-in `config/security` you will find the files `relations.rb` and
-`rights.yml`.
-
-### Relations
-
-The relations between the user (or the roles) and the resources are defined
-as code blocks, that evaluate to true or false.
-
-The `:as`-flag causes that instead of the user object, a role object
-will be passed into the block (using the `as_ROLE`-method from above).
-Similar, the `:is`-flag can be used as precondition.
-
-    AnnotationSecurity.define_relations do
-      resource :course do
-        enrolled :as => :student { |student,course| course.students.include? student }
-        corrector :as => :corrector { |corrector,course| corrector.corrects? course }
-        lecturer :as => :lecturer { |lecturer,course| lecturer.lectures? course }
-      end
-      ...
-
-You can also define relations that are valid for all resources.
-
-    all_resources do
-      # corrector and lecturer are defined by the resource
-      responsible { corrector or lecturer }
-      # no block required here
-      administrator :is => :administrator
-    end
-
-For more details and features on defining relations,
-see `AnnotationSecurity::RelationLoader`.
-
-### Rights
-
-The rights of application are specified in a YAML-file, they correspond to the
-actions(not necessarily the controller actions) that can be performed on a
-resource. For instance, to edit a course object, you will need the edit-right
-for the course resource. If you are not sure which rights your application
-needs, just skip this now and return after step 5.
-
-Rights should be valid ruby conditional statements.
-
-    course:
-      create: if lecturer
-      show: if enrolled or responsible
-      edit: if responsible
-
-AnnotationSecurity provides two default relations: `logged_in`, that is true
-if there is a user at all, and +self+, that can be used to determine if a user
-or role resource belongs to the current user.
-
-    user:
-      register: unless logged_in
-      show: if logged_in
-      edit: if self or administrator
-    student:
-      show_results: if self
-
-To improve readability, you can append 'may', 'is', 'can' or 'has' as prefix and
-'for', 'in', 'of' or 'to' as suffix to the relation name.
-This is especially recommended if you are defining rights that depend on
-other rights of the resource.
-
-    assignment:
-      edit: if responsible
-      delete: if may_edit
-
-Another example can be found at `AnnotationSecurity::RightLoader`.
-
-## Step 5: Securing your actions
-
-The main goal of AnnotationSecurity was to remove security logic from
-controller actions. Now you only have to define the abstract effects of an
-action.
-
-An action performs one or more tasks on different resources. You have to provide
-this information as a descriptions, using the
-[Action Annotation Gem](http://github.com/Nikku/action_annotation).
-A description always has the form 'ACTION on RESOURCE'.
-
-    desc 'shows a course'
-    def show
-      @course = Course.find(params[:id])
-    end
-
-To perform a task, the user must have the right for it. Thus, when a course is
-fetched from the database during the show-action, the right course/show will be
-evaluated for the current user and the course instance.
-
-In our example, the user has to be responsible or enrolled. If both relations
-evaluate to false, the right is not given and access will be denied by raising
-a SecurityViolationError, which will then be catched in the security filter.
-
-Congratulations, you Rails application is secured now.
-
-## Step 6: Securing your views
-
-However, actions aren't the only place with security code. Links to the actions
-are shown in the view and very often, the view itself depends on the
-user's rights.
-
-When setting up Annotation Security in your Rails project, a helper will be
-included automatically. The most important functions this helper provides are
-`allowed?` and `link_to_if_allowed`.
-
-The method `allowed?` expects a right and a resource and returns true iif
-the current user has that right.
-
-    <% unless allowed? :edit, @course %>
-      <p>You may not edit this course!</p>
-    <% end %>
-
-`link_to_if_allowed` expects the same arguments as +link_to+, except it also
-expects a block like +link_to_if+ (which will be called internally).
-
-    <%= link_to_if_allowed("New", new_course_path) { "You may not create a new course." } %>
-    <%= link_to_if_allowed("Edit", edit_course_path(@course)) { } %>
-    <%= link_to_if_allowed("Delete", @course, {:method => :delete}) { } %>
-
-`link_to_if_allowed` tries to automatically detect the accessed resources.
-In case this should not work for you, see `AnnotationSecurity::Helper` for more
-features.
-
-## Step 7: Live long and prosper
-
-Well, that's it. Here are some additional notes:
-
-* in development mode, the rights and relations are reloaded with every request.
-* See `AnnotationSecurity::RelationLoader` and `AnnotationSecurity::RightLoader`
-  for more examples and features for defining relations and rights.
-* See `AnnotationSecurity::Helper` for more methods for securing your views.