annotation_security 1.0.2 → 1.3.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/CHANGELOG +22 -0
- data/HOW-TO +261 -0
- data/{LICENSE → MIT-LICENSE} +1 -1
- data/README +39 -0
- data/Rakefile +53 -62
- data/assets/app/helpers/annotation_security_helper.rb +8 -8
- data/assets/config/initializers/annotation_security.rb +11 -11
- data/assets/config/security/relations.rb +20 -20
- data/assets/vendor/plugins/annotation_security/init.rb +14 -14
- data/bin/annotation_security +7 -7
- data/lib/annotation_security.rb +94 -103
- data/lib/annotation_security/exceptions.rb +124 -124
- data/lib/annotation_security/exec.rb +188 -188
- data/lib/annotation_security/includes/helper.rb +215 -215
- data/lib/annotation_security/includes/resource.rb +84 -84
- data/lib/annotation_security/includes/role.rb +30 -30
- data/lib/annotation_security/includes/user.rb +26 -26
- data/lib/annotation_security/manager/policy_factory.rb +29 -29
- data/lib/annotation_security/manager/policy_manager.rb +87 -79
- data/lib/annotation_security/manager/relation_loader.rb +272 -272
- data/lib/annotation_security/manager/resource_manager.rb +36 -36
- data/lib/annotation_security/manager/right_loader.rb +87 -87
- data/lib/annotation_security/policy/abstract_policy.rb +344 -344
- data/lib/annotation_security/policy/abstract_static_policy.rb +75 -75
- data/lib/annotation_security/policy/all_resources_policy.rb +20 -20
- data/lib/annotation_security/policy/rule.rb +340 -340
- data/lib/annotation_security/policy/rule_set.rb +138 -138
- data/lib/annotation_security/rails.rb +22 -39
- data/lib/{extensions → annotation_security/rails/2/extensions}/filter.rb +131 -133
- data/lib/annotation_security/rails/2/includes/action_controller.rb +144 -0
- data/lib/annotation_security/rails/2/includes/active_record.rb +28 -0
- data/lib/annotation_security/rails/2/initializer.rb +35 -0
- data/lib/annotation_security/{model_observer.rb → rails/2/model_observer.rb} +61 -61
- data/lib/annotation_security/rails/3/extensions/filter.rb +28 -0
- data/lib/annotation_security/{includes → rails/3/includes}/action_controller.rb +143 -144
- data/lib/annotation_security/{includes → rails/3/includes}/active_record.rb +27 -27
- data/lib/annotation_security/rails/3/initializer.rb +40 -0
- data/lib/annotation_security/rails/3/model_observer.rb +61 -0
- data/lib/annotation_security/rails/extensions.rb +21 -0
- data/lib/{extensions → annotation_security/rails/extensions}/action_controller.rb +31 -32
- data/lib/{extensions → annotation_security/rails/extensions}/active_record.rb +33 -34
- data/lib/{extensions → annotation_security/rails/extensions}/object.rb +10 -10
- data/lib/annotation_security/{filters.rb → rails/filters.rb} +37 -37
- data/lib/annotation_security/user_wrapper.rb +73 -73
- data/lib/annotation_security/utils.rb +141 -141
- data/lib/security_context.rb +588 -589
- data/spec/annotation_security/exceptions_spec.rb +16 -16
- data/spec/annotation_security/includes/helper_spec.rb +82 -82
- data/spec/annotation_security/manager/policy_manager_spec.rb +15 -15
- data/spec/annotation_security/manager/resource_manager_spec.rb +17 -17
- data/spec/annotation_security/manager/right_loader_spec.rb +17 -17
- data/spec/annotation_security/policy/abstract_policy_spec.rb +16 -16
- data/spec/annotation_security/policy/all_resources_policy_spec.rb +24 -24
- data/spec/annotation_security/policy/rule_set_spec.rb +112 -112
- data/spec/annotation_security/policy/rule_spec.rb +77 -77
- data/spec/annotation_security/policy/test_policy_spec.rb +80 -80
- data/spec/annotation_security/security_context_spec.rb +129 -78
- data/spec/annotation_security/utils_spec.rb +73 -73
- data/spec/helper/test_controller.rb +65 -65
- data/spec/helper/test_helper.rb +5 -5
- data/spec/helper/test_relations.rb +6 -6
- data/spec/helper/test_resource.rb +38 -38
- data/spec/helper/test_role.rb +21 -21
- data/spec/helper/test_user.rb +31 -31
- data/spec/rails_stub.rb +44 -37
- metadata +110 -96
- data/CHANGELOG.md +0 -14
- data/HOW-TO.md +0 -275
- data/README.md +0 -39
- data/lib/annotation_security/version.rb +0 -10
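--- a/data/assets/app/helpers/annotation_security_helper.rb
+++ b/data/assets/app/helpers/annotation_security_helper.rb
@@ -1,9 +1,9 @@
-#
-# = app/helpers/annotation_security_helper.rb
-#
-# This helper provides some useful view methods to be used in conjunction with
-# the plugin. See AnnotationSecurity::Helper for documentation.
-#
-module AnnotationSecurityHelper
-include AnnotationSecurity::Helper
+#
+# = app/helpers/annotation_security_helper.rb
+#
+# This helper provides some useful view methods to be used in conjunction with
+# the plugin. See AnnotationSecurity::Helper for documentation.
+#
+module AnnotationSecurityHelper
+include AnnotationSecurity::Helper
 end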
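--- a/data/assets/config/initializers/annotation_security.rb
+++ b/data/assets/config/initializers/annotation_security.rb
@@ -1,12 +1,12 @@
-#
-# = config/initializers/annotation_security.rb
-#
-# Sets up files under <tt>config/security</tt> which hold
-# the security configuration.
-
-#
-# Add your own files here if they should also be loaded.
-#
-AnnotationSecurity.load_relations('relations')
-AnnotationSecurity.load_rights('rights')
+#
+# = config/initializers/annotation_security.rb
+#
+# Sets up files under <tt>config/security</tt> which hold
+# the security configuration.
+
+#
+# Add your own files here if they should also be loaded.
+#
+AnnotationSecurity.load_relations('relations')
+AnnotationSecurity.load_rights('rights')
 # AnnotationSecurity.load_rights('rights', 'rb) # loads rights from a ruby file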
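--- a/data/assets/config/security/relations.rb
+++ b/data/assets/config/security/relations.rb
@@ -1,20 +1,20 @@
-AnnotationSecurity.define_relations do
-
-# All relations are defined in the context of a resource.
-# The block should return true iif the user has this relations.
-
-# all_resources do
-# administrator(:system, :is => :administrator)
-# owner_or_admin(:pretest){ owner or administrator }
-# owner(:system) { |user| user.status == :registered }
-# end
-
-# resource :album do
-# owner { |user, album| album.owner == user }
-# end
-
-# resource :picture do
-# owner "if owner: album"
-# end
-
-end
+AnnotationSecurity.define_relations do
+
+# All relations are defined in the context of a resource.
+# The block should return true iif the user has this relations.
+
+# all_resources do
+# administrator(:system, :is => :administrator)
+# owner_or_admin(:pretest){ owner or administrator }
+# owner(:system) { |user| user.status == :registered }
+# end
+
+# resource :album do
+# owner { |user, album| album.owner == user }
+# end
+
+# resource :picture do
+# owner "if owner: album"
+# end
+
+end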
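--- a/data/assets/vendor/plugins/annotation_security/init.rb
+++ b/data/assets/vendor/plugins/annotation_security/init.rb
@@ -1,14 +1,14 @@
-#
-# = init.rb
-#
-# This file will be copied to a rails apps `vendors/plugins/annotation_security`
-# directory if the annotation_security gem is installed into a rails app
-# via `annosec --rails`. It will be invoked by the rails app during startup an
-# loads the security layer.
-#
-
-require "annotation_security"
-
-# Initialize security layer for rails root
-
-AnnotationSecurity::init_rails(
+#
+# = init.rb
+#
+# This file will be copied to a rails apps `vendors/plugins/annotation_security`
+# directory if the annotation_security gem is installed into a rails app
+# via `annosec --rails`. It will be invoked by the rails app during startup an
+# loads the security layer.
+#
+
+require "annotation_security"
+
+# Initialize security layer for rails root
+config = eval("config", binding)
+AnnotationSecurity::init_rails(config)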
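Review bot: `config = eval("config", binding)` on new line 13 cannot observe anything a bare reference would not: Ruby declares the local `config` for the whole scope before the right-hand side runs, so when the plugin loader evaluates this file with `config` as a local in its binding the eval just reads that local back, and if `config` were only reachable as a method the eval would read the freshly declared, still-nil local instead. In both cases `AnnotationSecurity::init_rails(config)` on its own is equivalent or better, and it keeps a string `eval` out of the application startup path. How the loader evaluates init.rb is not visible here, so the nil case is inferred; if the indirection is kept on purpose, a comment naming the Rails plugin-loader behaviour it relies on would stop the next reader from removing it.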
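--- a/data/bin/annotation_security
+++ b/data/bin/annotation_security
@@ -1,8 +1,8 @@
-#!/usr/bin/env ruby
-# The command line to install .
-
-$LOAD_PATH.unshift File.dirname(__FILE__) + '/../lib'
-
-require "annotation_security/exec"
-
+#!/usr/bin/env ruby
+# The command line to install .
+
+$LOAD_PATH.unshift File.dirname(__FILE__) + '/../lib'
+
+require "annotation_security/exec"
+
 AnnotationSecurity::Exec::RailsInstaller.new(ARGV).parse!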
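--- a/data/lib/annotation_security.rb
+++ b/data/lib/annotation_security.rb
@@ -1,103 +1,94 @@
-#
-# = lib/annotation_security.rb
-#
-# This modul provides the AnnotationSecurity security layer.
-#
-
-# = AnnotationSecurity
-module AnnotationSecurity; end
-
-# Load annotation security files
-dir = File.dirname(__FILE__)
-require dir + '/annotation_security/manager/policy_manager'
-require dir + '/annotation_security/manager/policy_factory'
-require dir + '/annotation_security/manager/relation_loader'
-require dir + '/annotation_security/manager/right_loader'
-require dir + '/annotation_security/manager/resource_manager'
-require dir + '/annotation_security/policy/abstract_policy'
-require dir + '/annotation_security/policy/abstract_static_policy'
-require dir + '/annotation_security/policy/rule_set'
-require dir + '/annotation_security/policy/rule'
-require dir + '/annotation_security/
-require dir + '/annotation_security/
-require dir + '/annotation_security/
-require dir + '/annotation_security/
-require dir + '/
-
-require dir + '/annotation_security/
-require dir + '/annotation_security/
-require dir + '/annotation_security/
-require dir + '/annotation_security/
-
-
-
-
-
-
-
-#
-#
-#
-
-
-
-#
-
-
-
-
-
-#
-#
-#
-
-
-
-
-
-
-#
-#
-
-
-
-
-
-
-#
-#
-
-
-
-
-
-
-#
-#
-
-
-
-
-
-
-#
-#
-#
-#
-#
-
-
-
-
-
-
-
-
-dir = File.dirname(__FILE__)
-
-%w{annotation_security/rails extensions/object extensions/action_controller
-extensions/active_record extensions/filter }.each { |f| require "#{dir}/#{f}" }
-
-AnnotationSecurity::Rails.init!(config)
-end
-end
+#
+# = lib/annotation_security.rb
+#
+# This modul provides the AnnotationSecurity security layer.
+#
+
+# = AnnotationSecurity
+module AnnotationSecurity; end
+
+# Load annotation security files
+dir = File.dirname(__FILE__)
+require dir + '/annotation_security/manager/policy_manager'
+require dir + '/annotation_security/manager/policy_factory'
+require dir + '/annotation_security/manager/relation_loader'
+require dir + '/annotation_security/manager/right_loader'
+require dir + '/annotation_security/manager/resource_manager'
+require dir + '/annotation_security/policy/abstract_policy'
+require dir + '/annotation_security/policy/abstract_static_policy'
+require dir + '/annotation_security/policy/rule_set'
+require dir + '/annotation_security/policy/rule'
+require dir + '/annotation_security/exceptions'
+require dir + '/annotation_security/user_wrapper'
+require dir + '/annotation_security/utils'
+require dir + '/annotation_security/rails'
+require dir + '/security_context'
+
+require dir + '/annotation_security/includes/role'
+require dir + '/annotation_security/includes/resource'
+require dir + '/annotation_security/includes/user'
+require dir + '/annotation_security/includes/helper'
+
+module AnnotationSecurity
+
+VERSION = '1.3.1'
+
+# Load the file specified by +fname+.
+# The file will be reloaded automatically if reset is called.
+#
+# See AnnotationSecurity::RightLoader for details.
+#
+def self.load_rights(fname, ext = 'yml')
+# The file is expected to be a yaml file.
+# However, it is also possible to use a ruby file that uses
+# AnnotationSecurity.define_rights. In this case, ext should be 'rb'.
+PolicyManager.add_file(fname, ext)
+end
+
+# Load the file specified by +fname+.
+# The file will be reloaded automatically if reset is called.
+#
+# See AnnotationSecurity::RelationLoader for details.
+#
+def self.load_relations(fname)
+PolicyManager.add_file(fname, 'rb')
+end
+
+# Defines relations specified in +block+.
+#
+# See AnnotationSecurity::RelationLoader for details
+#
+def self.define_relations(*resources,&block)
+RelationLoader.define_relations(*resources,&block)
+end
+
+# Defines rights specified in +hash+.
+#
+# See AnnotationSecurity::RightLoader for details
+#
+def self.define_rights(hash)
+RightLoader.define_rights(hash)
+end
+
+# Reloads all files that were loaded with load_rights or load_relations.
+#
+# In development mode, reset is being executed before each request.
+#
+def self.reset
+PolicyManager.reset
+end
+
+# Initializes AnnotationSecurity for a Rails application and loads
+# Rails specific parts of the library.
+#
+# This method is called by `init.rb`,
+# which is run by Rails on startup.
+#
+# * +binding+ [Binding] The context of the `init.rb` file.
+def self.init_rails(config)
+dir = File.dirname(__FILE__)
+
+require dir + '/annotation_security/rails/extensions'
+AnnotationSecurity::Rails.init!(config)
+end
+end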
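Review bot: The doc comment above `def self.init_rails(config)` (new line 87) still documents a parameter `+binding+ [Binding]`, but the method now takes `config` and hands it straight to `AnnotationSecurity::Rails.init!(config)`, so the API docs contradict the signature. Replace that line with `# * +config+ The Rails configuration object handed over by init.rb.` (its exact class is not visible here). The `dir = File.dirname(__FILE__)` inside the method at line 89 looks like a duplicate of the file-level `dir` at line 11, but a top-level local is not visible inside a `def` body, so it is required; a short comment such as `# top-level +dir+ is not in scope inside a method` would keep a future cleanup from removing it. Also worth noting that `VERSION = '1.3.1'` now lives inline while the diffstat shows `version.rb` being dropped, so this constant is the only place the release number is defined.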
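--- a/data/lib/annotation_security/exceptions.rb
+++ b/data/lib/annotation_security/exceptions.rb
@@ -1,125 +1,125 @@
-#
-# = lib/annotation_security/exceptions.rb
-#
-# Provides some Exceptions used within AnnotationSecurity
-
-module AnnotationSecurity
-
-# Superclass of all security related errors thrown by anno sec
-class SecurityError < StandardError # :nodoc:
-end
-
-end
-
-# Exception indicating that some rights were violated.
-#
-class SecurityViolationError < AnnotationSecurity::SecurityError
-
-def self.access_denied(user,*args) # :nodoc:
-new(user,*args)
-end
-
-def initialize(user=nil,*args) # :nodoc:
-if user == nil || args.empty?
-super "Access denied"
-else
-super load_args(user,args)
-end
-end
-
-def load_args(user,args) # :nodoc:
-@user = user
-@action,@resclass,@res = AnnotationSecurity::Utils.parse_policy_arguments(args)
-"You (#@user) are missing the right '#@action' for #@resclass" +
-(@res.blank? ? '' : " '#@res'")
-end
-
-# user that violated the right
-#
-def user
-@user
-end
-
-# the action that should have been performed on the resource object
-#
-def action
-@action
-end
-
-# the resource type
-#
-def resource_class
-@resclass
-end
-
-# the resource that was accessed
-#
-def resource
-@res
-end
-end
-
-module AnnotationSecurity
-
-# = AnnotationSecurity::RuleError
-#
-# Will be raised if a right or relation is defined twice
-# or has an invalid name.
-#
-class RuleError < SecurityError
-def self.defined_twice(type,rule) # :nodoc:
-new "The #{type} #{rule} is defined twice"
-end
-
-def self.forbidden_name(type,rule) # :nodoc:
-new "#{rule} is not allowed as #{type} name"
-end
-end
-
-# = AnnotationSecurity::RuleExecutionError
-#
-# Will be raised if an error occured while evaluation a right or relation.
-#
-class RuleExecutionError < RuleError
-
-def initialize(rule, proc=false, ex = nil) # :nodoc:
-if ex
-log_backtrace(proc,ex)
-super("An error occured while evaluating #{rule}: \n" +
-ex.class.name + ": " + ex.message)
-else
-super("An error occured while evaluating #{rule}")
-end
-end
-
-def set_backtrace(array) # :nodoc:
-super((@bt || []) + array[1..-1])
-end
-
-private
-
-# Select all lines of the backtrace above "rule.rb evaluate".
-# so they can be appended to the backtrace
-def log_backtrace(proc,ex)
-return unless proc
-backtrace = ex.backtrace
-stop = backtrace.find { |l| l =~ /rule\.rb(.*)`evaluate'/ }
-stop = backtrace.index(stop) || 5
-backtrace = backtrace.first(stop)
-@bt = backtrace.reject { |l| l =~ /annotation_security|active_support/ }
-end
-
-end
-
-# = AnnotationSecurity::RuleNotFoundError
-#
-# Will be raised when attempting to acces a right or relation that was not
-# defined.
-#
-class RuleNotFoundError < RuleError
-def self.for_rule(rname,policy_class)
-new("Unknown #{policy_class.static? ? 'static' : 'dynamic'} " +
-"rule '#{rname}' for #{policy_class.name}")
-end
-end
+#
+# = lib/annotation_security/exceptions.rb
+#
+# Provides some Exceptions used within AnnotationSecurity
+
+module AnnotationSecurity
+
+# Superclass of all security related errors thrown by anno sec
+class SecurityError < StandardError # :nodoc:
+end
+
+end
+
+# Exception indicating that some rights were violated.
+#
+class SecurityViolationError < AnnotationSecurity::SecurityError
+
+def self.access_denied(user,*args) # :nodoc:
+new(user,*args)
+end
+
+def initialize(user=nil,*args) # :nodoc:
+if user == nil || args.empty?
+super "Access denied"
+else
+super load_args(user,args)
+end
+end
+
+def load_args(user,args) # :nodoc:
+@user = user
+@action,@resclass,@res = AnnotationSecurity::Utils.parse_policy_arguments(args)
+"You (#@user) are missing the right '#@action' for #@resclass" +
+(@res.blank? ? '' : " '#@res'")
+end
+
+# user that violated the right
+#
+def user
+@user
+end
+
+# the action that should have been performed on the resource object
+#
+def action
+@action
+end
+
+# the resource type
+#
+def resource_class
+@resclass
+end
+
+# the resource that was accessed
+#
+def resource
+@res
+end
+end
+
+module AnnotationSecurity
+
+# = AnnotationSecurity::RuleError
+#
+# Will be raised if a right or relation is defined twice
+# or has an invalid name.
+#
+class RuleError < SecurityError
+def self.defined_twice(type,rule) # :nodoc:
+new "The #{type} #{rule} is defined twice"
+end
+
+def self.forbidden_name(type,rule) # :nodoc:
+new "#{rule} is not allowed as #{type} name"
+end
+end
+
+# = AnnotationSecurity::RuleExecutionError
+#
+# Will be raised if an error occured while evaluation a right or relation.
+#
+class RuleExecutionError < RuleError
+
+def initialize(rule, proc=false, ex = nil) # :nodoc:
+if ex
+log_backtrace(proc,ex)
+super("An error occured while evaluating #{rule}: \n" +
+ex.class.name + ": " + ex.message)
+else
+super("An error occured while evaluating #{rule}")
+end
+end
+
+def set_backtrace(array) # :nodoc:
+super((@bt || []) + array[1..-1])
+end
+
+private
+
+# Select all lines of the backtrace above "rule.rb evaluate".
+# so they can be appended to the backtrace
+def log_backtrace(proc,ex)
+return unless proc
+backtrace = ex.backtrace
+stop = backtrace.find { |l| l =~ /rule\.rb(.*)`evaluate'/ }
+stop = backtrace.index(stop) || 5
+backtrace = backtrace.first(stop)
+@bt = backtrace.reject { |l| l =~ /annotation_security|active_support/ }
+end
+
+end
+
+# = AnnotationSecurity::RuleNotFoundError
+#
+# Will be raised when attempting to acces a right or relation that was not
+# defined.
+#
+class RuleNotFoundError < RuleError
+def self.for_rule(rname,policy_class)
+new("Unknown #{policy_class.static? ? 'static' : 'dynamic'} " +
+"rule '#{rname}' for #{policy_class.name}")
+end
+end
 end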