annotation_security 1.0.2 → 1.3.1
- data/CHANGELOG +22 -0
- data/HOW-TO +261 -0
- data/{LICENSE → MIT-LICENSE} +1 -1
- data/README +39 -0
- data/Rakefile +53 -62
- data/assets/app/helpers/annotation_security_helper.rb +8 -8
- data/assets/config/initializers/annotation_security.rb +11 -11
- data/assets/config/security/relations.rb +20 -20
- data/assets/vendor/plugins/annotation_security/init.rb +14 -14
- data/bin/annotation_security +7 -7
- data/lib/annotation_security.rb +94 -103
- data/lib/annotation_security/exceptions.rb +124 -124
- data/lib/annotation_security/exec.rb +188 -188
- data/lib/annotation_security/includes/helper.rb +215 -215
- data/lib/annotation_security/includes/resource.rb +84 -84
- data/lib/annotation_security/includes/role.rb +30 -30
- data/lib/annotation_security/includes/user.rb +26 -26
- data/lib/annotation_security/manager/policy_factory.rb +29 -29
- data/lib/annotation_security/manager/policy_manager.rb +87 -79
- data/lib/annotation_security/manager/relation_loader.rb +272 -272
- data/lib/annotation_security/manager/resource_manager.rb +36 -36
- data/lib/annotation_security/manager/right_loader.rb +87 -87
- data/lib/annotation_security/policy/abstract_policy.rb +344 -344
- data/lib/annotation_security/policy/abstract_static_policy.rb +75 -75
- data/lib/annotation_security/policy/all_resources_policy.rb +20 -20
- data/lib/annotation_security/policy/rule.rb +340 -340
- data/lib/annotation_security/policy/rule_set.rb +138 -138
- data/lib/annotation_security/rails.rb +22 -39
- data/lib/{extensions → annotation_security/rails/2/extensions}/filter.rb +131 -133
- data/lib/annotation_security/rails/2/includes/action_controller.rb +144 -0
- data/lib/annotation_security/rails/2/includes/active_record.rb +28 -0
- data/lib/annotation_security/rails/2/initializer.rb +35 -0
- data/lib/annotation_security/{model_observer.rb → rails/2/model_observer.rb} +61 -61
- data/lib/annotation_security/rails/3/extensions/filter.rb +28 -0
- data/lib/annotation_security/{includes → rails/3/includes}/action_controller.rb +143 -144
- data/lib/annotation_security/{includes → rails/3/includes}/active_record.rb +27 -27
- data/lib/annotation_security/rails/3/initializer.rb +40 -0
- data/lib/annotation_security/rails/3/model_observer.rb +61 -0
- data/lib/annotation_security/rails/extensions.rb +21 -0
- data/lib/{extensions → annotation_security/rails/extensions}/action_controller.rb +31 -32
- data/lib/{extensions → annotation_security/rails/extensions}/active_record.rb +33 -34
- data/lib/{extensions → annotation_security/rails/extensions}/object.rb +10 -10
- data/lib/annotation_security/{filters.rb → rails/filters.rb} +37 -37
- data/lib/annotation_security/user_wrapper.rb +73 -73
- data/lib/annotation_security/utils.rb +141 -141
- data/lib/security_context.rb +588 -589
- data/spec/annotation_security/exceptions_spec.rb +16 -16
- data/spec/annotation_security/includes/helper_spec.rb +82 -82
- data/spec/annotation_security/manager/policy_manager_spec.rb +15 -15
- data/spec/annotation_security/manager/resource_manager_spec.rb +17 -17
- data/spec/annotation_security/manager/right_loader_spec.rb +17 -17
- data/spec/annotation_security/policy/abstract_policy_spec.rb +16 -16
- data/spec/annotation_security/policy/all_resources_policy_spec.rb +24 -24
- data/spec/annotation_security/policy/rule_set_spec.rb +112 -112
- data/spec/annotation_security/policy/rule_spec.rb +77 -77
- data/spec/annotation_security/policy/test_policy_spec.rb +80 -80
- data/spec/annotation_security/security_context_spec.rb +129 -78
- data/spec/annotation_security/utils_spec.rb +73 -73
- data/spec/helper/test_controller.rb +65 -65
- data/spec/helper/test_helper.rb +5 -5
- data/spec/helper/test_relations.rb +6 -6
- data/spec/helper/test_resource.rb +38 -38
- data/spec/helper/test_role.rb +21 -21
- data/spec/helper/test_user.rb +31 -31
- data/spec/rails_stub.rb +44 -37
- metadata +110 -96
- data/CHANGELOG.md +0 -14
- data/HOW-TO.md +0 -275
- data/README.md +0 -39
- data/lib/annotation_security/version.rb +0 -10
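--- a/data/assets/app/helpers/annotation_security_helper.rb
+++ b/data/assets/app/helpers/annotation_security_helper.rb
@@ -1,9 +1,9 @@
-#
-# = app/helpers/annotation_security_helper.rb
-#
-# This helper provides some useful view methods to be used in conjunction with
-# the plugin. See AnnotationSecurity::Helper for documentation.
-#
-module AnnotationSecurityHelper
-include AnnotationSecurity::Helper
+#
+# = app/helpers/annotation_security_helper.rb
+#
+# This helper provides some useful view methods to be used in conjunction with
+# the plugin. See AnnotationSecurity::Helper for documentation.
+#
+module AnnotationSecurityHelper
+include AnnotationSecurity::Helper
 end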
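--- a/data/assets/config/initializers/annotation_security.rb
+++ b/data/assets/config/initializers/annotation_security.rb
@@ -1,12 +1,12 @@
-#
-# = config/initializers/annotation_security.rb
-#
-# Sets up files under <tt>config/security</tt> which hold
-# the security configuration.
-
-#
-# Add your own files here if they should also be loaded.
-#
-AnnotationSecurity.load_relations('relations')
-AnnotationSecurity.load_rights('rights')
+#
+# = config/initializers/annotation_security.rb
+#
+# Sets up files under <tt>config/security</tt> which hold
+# the security configuration.
+
+#
+# Add your own files here if they should also be loaded.
+#
+AnnotationSecurity.load_relations('relations')
+AnnotationSecurity.load_rights('rights')
 # AnnotationSecurity.load_rights('rights', 'rb) # loads rights from a ruby file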
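--- a/data/assets/config/security/relations.rb
+++ b/data/assets/config/security/relations.rb
@@ -1,20 +1,20 @@
-AnnotationSecurity.define_relations do
-
-# All relations are defined in the context of a resource.
-# The block should return true iif the user has this relations.
-
-# all_resources do
-# administrator(:system, :is => :administrator)
-# owner_or_admin(:pretest){ owner or administrator }
-# owner(:system) { |user| user.status == :registered }
-# end
-
-# resource :album do
-# owner { |user, album| album.owner == user }
-# end
-
-# resource :picture do
-# owner "if owner: album"
-# end
-
-end
+AnnotationSecurity.define_relations do
+
+# All relations are defined in the context of a resource.
+# The block should return true iif the user has this relations.
+
+# all_resources do
+# administrator(:system, :is => :administrator)
+# owner_or_admin(:pretest){ owner or administrator }
+# owner(:system) { |user| user.status == :registered }
+# end
+
+# resource :album do
+# owner { |user, album| album.owner == user }
+# end
+
+# resource :picture do
+# owner "if owner: album"
+# end
+
+end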
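--- a/data/assets/vendor/plugins/annotation_security/init.rb
+++ b/data/assets/vendor/plugins/annotation_security/init.rb
@@ -1,14 +1,14 @@
-#
-# = init.rb
-#
-# This file will be copied to a rails apps `vendors/plugins/annotation_security`
-# directory if the annotation_security gem is installed into a rails app
-# via `annosec --rails`. It will be invoked by the rails app during startup an
-# loads the security layer.
-#
-
-require "annotation_security"
-
-# Initialize security layer for rails root
-
-AnnotationSecurity::init_rails(
+#
+# = init.rb
+#
+# This file will be copied to a rails apps `vendors/plugins/annotation_security`
+# directory if the annotation_security gem is installed into a rails app
+# via `annosec --rails`. It will be invoked by the rails app during startup an
+# loads the security layer.
+#
+
+require "annotation_security"
+
+# Initialize security layer for rails root
+config = eval("config", binding)
+AnnotationSecurity::init_rails(config)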
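Review bot: `config = eval("config", binding)` on new line 13 evaluates a fixed string, so it is not an injection vector, but it also gains nothing over a bare `config`: both resolve the same local in the same binding and both raise NameError if Rails did not define it, while the `eval` will trip every static-analysis rule a security plugin gets run through. If a plain reference genuinely fails in one of the supported Rails versions (that is not visible from this hunk), say so in a comment, e.g. `# fetch the `config` local that Rails' plugin loader defines in init.rb's binding`; otherwise collapse the two lines to `AnnotationSecurity::init_rails(config)`.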
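--- a/data/bin/annotation_security
+++ b/data/bin/annotation_security
@@ -1,8 +1,8 @@
-#!/usr/bin/env ruby
-# The command line to install .
-
-$LOAD_PATH.unshift File.dirname(__FILE__) + '/../lib'
-
-require "annotation_security/exec"
-
+#!/usr/bin/env ruby
+# The command line to install .
+
+$LOAD_PATH.unshift File.dirname(__FILE__) + '/../lib'
+
+require "annotation_security/exec"
+
 AnnotationSecurity::Exec::RailsInstaller.new(ARGV).parse!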
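--- a/data/lib/annotation_security.rb
+++ b/data/lib/annotation_security.rb
@@ -1,103 +1,94 @@
-#
-# = lib/annotation_security.rb
-#
-# This modul provides the AnnotationSecurity security layer.
-#
-
-# = AnnotationSecurity
-module AnnotationSecurity; end
-
-# Load annotation security files
-dir = File.dirname(__FILE__)
-require dir + '/annotation_security/manager/policy_manager'
-require dir + '/annotation_security/manager/policy_factory'
-require dir + '/annotation_security/manager/relation_loader'
-require dir + '/annotation_security/manager/right_loader'
-require dir + '/annotation_security/manager/resource_manager'
-require dir + '/annotation_security/policy/abstract_policy'
-require dir + '/annotation_security/policy/abstract_static_policy'
-require dir + '/annotation_security/policy/rule_set'
-require dir + '/annotation_security/policy/rule'
-require dir + '/annotation_security/
-require dir + '/annotation_security/
-require dir + '/annotation_security/
-require dir + '/annotation_security/
-require dir + '/
-
-require dir + '/annotation_security/
-require dir + '/annotation_security/
-require dir + '/annotation_security/
-require dir + '/annotation_security/
-
-
-
-
-
-
-
-#
-#
-#
-
-
-
-#
-
-
-
-
-
-#
-#
-#
-
-
-
-
-
-
-#
-#
-
-
-
-
-
-
-#
-#
-
-
-
-
-
-
-#
-#
-
-
-
-
-
-
-#
-#
-#
-#
-#
-
-
-
-
-
-
-
-
-dir = File.dirname(__FILE__)
-
-%w{annotation_security/rails extensions/object extensions/action_controller
-extensions/active_record extensions/filter }.each { |f| require "#{dir}/#{f}" }
-
-AnnotationSecurity::Rails.init!(config)
-end
-end
+#
+# = lib/annotation_security.rb
+#
+# This modul provides the AnnotationSecurity security layer.
+#
+
+# = AnnotationSecurity
+module AnnotationSecurity; end
+
+# Load annotation security files
+dir = File.dirname(__FILE__)
+require dir + '/annotation_security/manager/policy_manager'
+require dir + '/annotation_security/manager/policy_factory'
+require dir + '/annotation_security/manager/relation_loader'
+require dir + '/annotation_security/manager/right_loader'
+require dir + '/annotation_security/manager/resource_manager'
+require dir + '/annotation_security/policy/abstract_policy'
+require dir + '/annotation_security/policy/abstract_static_policy'
+require dir + '/annotation_security/policy/rule_set'
+require dir + '/annotation_security/policy/rule'
+require dir + '/annotation_security/exceptions'
+require dir + '/annotation_security/user_wrapper'
+require dir + '/annotation_security/utils'
+require dir + '/annotation_security/rails'
+require dir + '/security_context'
+
+require dir + '/annotation_security/includes/role'
+require dir + '/annotation_security/includes/resource'
+require dir + '/annotation_security/includes/user'
+require dir + '/annotation_security/includes/helper'
+
+module AnnotationSecurity
+
+VERSION = '1.3.1'
+
+# Load the file specified by +fname+.
+# The file will be reloaded automatically if reset is called.
+#
+# See AnnotationSecurity::RightLoader for details.
+#
+def self.load_rights(fname, ext = 'yml')
+# The file is expected to be a yaml file.
+# However, it is also possible to use a ruby file that uses
+# AnnotationSecurity.define_rights. In this case, ext should be 'rb'.
+PolicyManager.add_file(fname, ext)
+end
+
+# Load the file specified by +fname+.
+# The file will be reloaded automatically if reset is called.
+#
+# See AnnotationSecurity::RelationLoader for details.
+#
+def self.load_relations(fname)
+PolicyManager.add_file(fname, 'rb')
+end
+
+# Defines relations specified in +block+.
+#
+# See AnnotationSecurity::RelationLoader for details
+#
+def self.define_relations(*resources,&block)
+RelationLoader.define_relations(*resources,&block)
+end
+
+# Defines rights specified in +hash+.
+#
+# See AnnotationSecurity::RightLoader for details
+#
+def self.define_rights(hash)
+RightLoader.define_rights(hash)
+end
+
+# Reloads all files that were loaded with load_rights or load_relations.
+#
+# In development mode, reset is being executed before each request.
+#
+def self.reset
+PolicyManager.reset
+end
+
+# Initializes AnnotationSecurity for a Rails application and loads
+# Rails specific parts of the library.
+#
+# This method is called by `init.rb`,
+# which is run by Rails on startup.
+#
+# * +binding+ [Binding] The context of the `init.rb` file.
+def self.init_rails(config)
+dir = File.dirname(__FILE__)
+
+require dir + '/annotation_security/rails/extensions'
+AnnotationSecurity::Rails.init!(config)
+end
+end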
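Review bot: The comment above `def self.init_rails(config)` (new line 87) still documents the old parameter, `# * +binding+ [Binding] The context of the `init.rb` file.`, although the method now takes the Rails configuration object; replace it with `# * +config+ The Rails configuration object handed to the plugin's init.rb; forwarded to AnnotationSecurity::Rails.init!.` The `load_rights` explanation of `ext` at new lines 42-44 sits inside the method body where RDoc will not see it; move it above the `def`, and note there that `ext` is handed to `PolicyManager.add_file` unchecked. What add_file does with a value other than 'yml' or 'rb' is not visible here, so a guard such as `raise ArgumentError, "ext must be 'yml' or 'rb', got #{ext.inspect}" unless %w(yml rb).include?(ext)` would turn a mis-typed initializer into an immediate startup error rather than a later failure in the policy loader.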
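--- a/data/lib/annotation_security/exceptions.rb
+++ b/data/lib/annotation_security/exceptions.rb
@@ -1,125 +1,125 @@
-#
-# = lib/annotation_security/exceptions.rb
-#
-# Provides some Exceptions used within AnnotationSecurity
-
-module AnnotationSecurity
-
-# Superclass of all security related errors thrown by anno sec
-class SecurityError < StandardError # :nodoc:
-end
-
-end
-
-# Exception indicating that some rights were violated.
-#
-class SecurityViolationError < AnnotationSecurity::SecurityError
-
-def self.access_denied(user,*args) # :nodoc:
-new(user,*args)
-end
-
-def initialize(user=nil,*args) # :nodoc:
-if user == nil || args.empty?
-super "Access denied"
-else
-super load_args(user,args)
-end
-end
-
-def load_args(user,args) # :nodoc:
-@user = user
-@action,@resclass,@res = AnnotationSecurity::Utils.parse_policy_arguments(args)
-"You (#@user) are missing the right '#@action' for #@resclass" +
-(@res.blank? ? '' : " '#@res'")
-end
-
-# user that violated the right
-#
-def user
-@user
-end
-
-# the action that should have been performed on the resource object
-#
-def action
-@action
-end
-
-# the resource type
-#
-def resource_class
-@resclass
-end
-
-# the resource that was accessed
-#
-def resource
-@res
-end
-end
-
-module AnnotationSecurity
-
-# = AnnotationSecurity::RuleError
-#
-# Will be raised if a right or relation is defined twice
-# or has an invalid name.
-#
-class RuleError < SecurityError
-def self.defined_twice(type,rule) # :nodoc:
-new "The #{type} #{rule} is defined twice"
-end
-
-def self.forbidden_name(type,rule) # :nodoc:
-new "#{rule} is not allowed as #{type} name"
-end
-end
-
-# = AnnotationSecurity::RuleExecutionError
-#
-# Will be raised if an error occured while evaluation a right or relation.
-#
-class RuleExecutionError < RuleError
-
-def initialize(rule, proc=false, ex = nil) # :nodoc:
-if ex
-log_backtrace(proc,ex)
-super("An error occured while evaluating #{rule}: \n" +
-ex.class.name + ": " + ex.message)
-else
-super("An error occured while evaluating #{rule}")
-end
-end
-
-def set_backtrace(array) # :nodoc:
-super((@bt || []) + array[1..-1])
-end
-
-private
-
-# Select all lines of the backtrace above "rule.rb evaluate".
-# so they can be appended to the backtrace
-def log_backtrace(proc,ex)
-return unless proc
-backtrace = ex.backtrace
-stop = backtrace.find { |l| l =~ /rule\.rb(.*)`evaluate'/ }
-stop = backtrace.index(stop) || 5
-backtrace = backtrace.first(stop)
-@bt = backtrace.reject { |l| l =~ /annotation_security|active_support/ }
-end
-
-end
-
-# = AnnotationSecurity::RuleNotFoundError
-#
-# Will be raised when attempting to acces a right or relation that was not
-# defined.
-#
-class RuleNotFoundError < RuleError
-def self.for_rule(rname,policy_class)
-new("Unknown #{policy_class.static? ? 'static' : 'dynamic'} " +
-"rule '#{rname}' for #{policy_class.name}")
-end
-end
+#
+# = lib/annotation_security/exceptions.rb
+#
+# Provides some Exceptions used within AnnotationSecurity
+
+module AnnotationSecurity
+
+# Superclass of all security related errors thrown by anno sec
+class SecurityError < StandardError # :nodoc:
+end
+
+end
+
+# Exception indicating that some rights were violated.
+#
+class SecurityViolationError < AnnotationSecurity::SecurityError
+
+def self.access_denied(user,*args) # :nodoc:
+new(user,*args)
+end
+
+def initialize(user=nil,*args) # :nodoc:
+if user == nil || args.empty?
+super "Access denied"
+else
+super load_args(user,args)
+end
+end
+
+def load_args(user,args) # :nodoc:
+@user = user
+@action,@resclass,@res = AnnotationSecurity::Utils.parse_policy_arguments(args)
+"You (#@user) are missing the right '#@action' for #@resclass" +
+(@res.blank? ? '' : " '#@res'")
+end
+
+# user that violated the right
+#
+def user
+@user
+end
+
+# the action that should have been performed on the resource object
+#
+def action
+@action
+end
+
+# the resource type
+#
+def resource_class
+@resclass
+end
+
+# the resource that was accessed
+#
+def resource
+@res
+end
+end
+
+module AnnotationSecurity
+
+# = AnnotationSecurity::RuleError
+#
+# Will be raised if a right or relation is defined twice
+# or has an invalid name.
+#
+class RuleError < SecurityError
+def self.defined_twice(type,rule) # :nodoc:
+new "The #{type} #{rule} is defined twice"
+end
+
+def self.forbidden_name(type,rule) # :nodoc:
+new "#{rule} is not allowed as #{type} name"
+end
+end
+
+# = AnnotationSecurity::RuleExecutionError
+#
+# Will be raised if an error occured while evaluation a right or relation.
+#
+class RuleExecutionError < RuleError
+
+def initialize(rule, proc=false, ex = nil) # :nodoc:
+if ex
+log_backtrace(proc,ex)
+super("An error occured while evaluating #{rule}: \n" +
+ex.class.name + ": " + ex.message)
+else
+super("An error occured while evaluating #{rule}")
+end
+end
+
+def set_backtrace(array) # :nodoc:
+super((@bt || []) + array[1..-1])
+end
+
+private
+
+# Select all lines of the backtrace above "rule.rb evaluate".
+# so they can be appended to the backtrace
+def log_backtrace(proc,ex)
+return unless proc
+backtrace = ex.backtrace
+stop = backtrace.find { |l| l =~ /rule\.rb(.*)`evaluate'/ }
+stop = backtrace.index(stop) || 5
+backtrace = backtrace.first(stop)
+@bt = backtrace.reject { |l| l =~ /annotation_security|active_support/ }
+end
+
+end
+
+# = AnnotationSecurity::RuleNotFoundError
+#
+# Will be raised when attempting to acces a right or relation that was not
+# defined.
+#
+class RuleNotFoundError < RuleError
+def self.for_rule(rname,policy_class)
+new("Unknown #{policy_class.static? ? 'static' : 'dynamic'} " +
+"rule '#{rname}' for #{policy_class.name}")
+end
+end
 end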