annotation_security 1.0.2 → 1.3.1
- data/CHANGELOG +22 -0
- data/HOW-TO +261 -0
- data/{LICENSE → MIT-LICENSE} +1 -1
- data/README +39 -0
- data/Rakefile +53 -62
- data/assets/app/helpers/annotation_security_helper.rb +8 -8
- data/assets/config/initializers/annotation_security.rb +11 -11
- data/assets/config/security/relations.rb +20 -20
- data/assets/vendor/plugins/annotation_security/init.rb +14 -14
- data/bin/annotation_security +7 -7
- data/lib/annotation_security.rb +94 -103
- data/lib/annotation_security/exceptions.rb +124 -124
- data/lib/annotation_security/exec.rb +188 -188
- data/lib/annotation_security/includes/helper.rb +215 -215
- data/lib/annotation_security/includes/resource.rb +84 -84
- data/lib/annotation_security/includes/role.rb +30 -30
- data/lib/annotation_security/includes/user.rb +26 -26
- data/lib/annotation_security/manager/policy_factory.rb +29 -29
- data/lib/annotation_security/manager/policy_manager.rb +87 -79
- data/lib/annotation_security/manager/relation_loader.rb +272 -272
- data/lib/annotation_security/manager/resource_manager.rb +36 -36
- data/lib/annotation_security/manager/right_loader.rb +87 -87
- data/lib/annotation_security/policy/abstract_policy.rb +344 -344
- data/lib/annotation_security/policy/abstract_static_policy.rb +75 -75
- data/lib/annotation_security/policy/all_resources_policy.rb +20 -20
- data/lib/annotation_security/policy/rule.rb +340 -340
- data/lib/annotation_security/policy/rule_set.rb +138 -138
- data/lib/annotation_security/rails.rb +22 -39
- data/lib/{extensions → annotation_security/rails/2/extensions}/filter.rb +131 -133
- data/lib/annotation_security/rails/2/includes/action_controller.rb +144 -0
- data/lib/annotation_security/rails/2/includes/active_record.rb +28 -0
- data/lib/annotation_security/rails/2/initializer.rb +35 -0
- data/lib/annotation_security/{model_observer.rb → rails/2/model_observer.rb} +61 -61
- data/lib/annotation_security/rails/3/extensions/filter.rb +28 -0
- data/lib/annotation_security/{includes → rails/3/includes}/action_controller.rb +143 -144
- data/lib/annotation_security/{includes → rails/3/includes}/active_record.rb +27 -27
- data/lib/annotation_security/rails/3/initializer.rb +40 -0
- data/lib/annotation_security/rails/3/model_observer.rb +61 -0
- data/lib/annotation_security/rails/extensions.rb +21 -0
- data/lib/{extensions → annotation_security/rails/extensions}/action_controller.rb +31 -32
- data/lib/{extensions → annotation_security/rails/extensions}/active_record.rb +33 -34
- data/lib/{extensions → annotation_security/rails/extensions}/object.rb +10 -10
- data/lib/annotation_security/{filters.rb → rails/filters.rb} +37 -37
- data/lib/annotation_security/user_wrapper.rb +73 -73
- data/lib/annotation_security/utils.rb +141 -141
- data/lib/security_context.rb +588 -589
- data/spec/annotation_security/exceptions_spec.rb +16 -16
- data/spec/annotation_security/includes/helper_spec.rb +82 -82
- data/spec/annotation_security/manager/policy_manager_spec.rb +15 -15
- data/spec/annotation_security/manager/resource_manager_spec.rb +17 -17
- data/spec/annotation_security/manager/right_loader_spec.rb +17 -17
- data/spec/annotation_security/policy/abstract_policy_spec.rb +16 -16
- data/spec/annotation_security/policy/all_resources_policy_spec.rb +24 -24
- data/spec/annotation_security/policy/rule_set_spec.rb +112 -112
- data/spec/annotation_security/policy/rule_spec.rb +77 -77
- data/spec/annotation_security/policy/test_policy_spec.rb +80 -80
- data/spec/annotation_security/security_context_spec.rb +129 -78
- data/spec/annotation_security/utils_spec.rb +73 -73
- data/spec/helper/test_controller.rb +65 -65
- data/spec/helper/test_helper.rb +5 -5
- data/spec/helper/test_relations.rb +6 -6
- data/spec/helper/test_resource.rb +38 -38
- data/spec/helper/test_role.rb +21 -21
- data/spec/helper/test_user.rb +31 -31
- data/spec/rails_stub.rb +44 -37
- metadata +110 -96
- data/CHANGELOG.md +0 -14
- data/HOW-TO.md +0 -275
- data/README.md +0 -39
- data/lib/annotation_security/version.rb +0 -10
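--- a/data/lib/annotation_security/policy/rule_set.rb
+++ b/data/lib/annotation_security/policy/rule_set.rb
@@ -1,139 +1,139 @@
-#
-# = lib/annotation_security/policy/rule_set.rb
-#
-
-# = AnnotationSecurity::RuleSet
-# Contains all rule objects for a policy
-#
-class AnnotationSecurity::RuleSet # :nodoc:
-
-# Initializes the rule set
-# * +pclass+ Policy class this rule set belongs to
-#
-def initialize(pclass)
-super()
-@pclass = pclass
-@rights = {}
-@static = {}
-@dynamic = {}
-end
-
-def to_s
-"<RuleSet of #@pclass>"
-end
-
-# Returns a rule object or nil if the rule does not exist.
-# * +symbol+ name of the rule
-# * +static+ boolean specifing whether the rule is static or dynamic
-def get_rule(symbol,static)
-static ? get_static_rule(symbol) : get_dynamic_rule(symbol)
-end
-
-# Returns a dynamic rule or nil if the rule does not exist.
-# * +symbol+ name of the rule
-def get_dynamic_rule(symbol)
-# If no rule is available, maybe there is a right that can be used
-@dynamic[symbol] ||= get_dynamic_right(symbol)
-end
-
-# Returns a static rule or nil if the rule does not exist.
-# * +symbol+ name of the rule
-def get_static_rule(symbol)
-# If no rule is available, maybe there is a right that can be used
-@static[symbol] ||= get_static_right(symbol)
-end
-
-# Copies a rule from another rule set.
-# Returns the newly created rule or nil if the operation had no effect.
-# * +symbol+ name of the rule
-# * +source+ rule set to copy from
-# * +static+ boolean specifing whether the rule is static or dynamic
-def copy_rule_from(symbol,source,static)
-add_copy(source.get_rule(symbol,static))
-end
-
-# Creates a dynamic rule that redirects to a static rule with the same name.
-# Returns the newly created rule or nil if the operation had no effect.
-# * +symbol+ name of the rule
-def create_dynamic_copy(symbol)
-rule = get_static_rule(symbol)
-if rule
-add_rule(symbol,
-"static_policy.#{symbol}(*args)",
-:resource,
-:require_credential => rule.requires_credential?)
-end
-end
-
-# Adds a new rule to this rule set. The rule will be classified either
-# as dynamic, static, both or right.
-# Returns the newly create rule.
-# For an explainition of the parameters see AnnotationSecurity::Rule#initialize.
-def add_rule(symbol,*args,&block)
-__add__ AnnotationSecurity::Rule.new(symbol,@pclass,*args,&block)
-end
-
-private
-
-# Copies a rule object to this rule set.
-# Returns the newly created rule or nil.
-# * +rule+ rule object to copy or nil.
-def add_copy(rule)
-__add__(rule.copy(@pclass)) if rule
-end
-
-# Adds a new rule to this rule set. The rule will be classified either
-# as dynamic, static, both or right.
-# * +rule+ rule object
-def __add__(rule)
-if rule.right?
-# if the rule is a right, its not clear yet whether
-# it is static or dynamic. These rules will be analyzed later.
-raise_if_forbidden_name 'right', rule
-raise_if_exists 'right', @rights[rule.name]
-@rights[rule.name] = rule
-else
-raise_if_forbidden_name 'relation', rule
-if rule.dynamic?
-raise_if_exists 'dynamic relation', @dynamic[rule.name]
-@dynamic[rule.name] = rule
-end
-if rule.static?
-raise_if_exists 'static relation', @static[rule.name]
-@static[rule.name] = rule
-end
-end
-rule
-end
-
-# Raises an error if +rule+ is not nil.
-# * +type+ type of rule, like 'right' or 'dynamic relation'
-# * +rule+ existing rule object or nil
-def raise_if_exists(type,rule)
-raise AnnotationSecurity::RuleError.defined_twice(type,rule) if rule
-end
-
-# Raises an error if +rule+ has a forbidden name.
-# * +type+ type of rule, like 'right' or 'relation'
-# * +rule+ rule object
-def raise_if_forbidden_name(type,rule)
-if AnnotationSecurity::AbstractPolicy.forbidden_rule_names.include? rule.name.to_s
-raise AnnotationSecurity::RuleError.forbidden_name(type,rule)
-end
-end
-
-# Returns a dynamic rule that was defined as right
-# * +symbol+ name of the rule
-def get_dynamic_right(symbol)
-r = @rights[symbol]
-r and r.dynamic? ? r : nil
-end
-
-# Returns a static rule that was defined as right
-# * +symbol+ name of the rule
-def get_static_right(symbol)
-r = @rights[symbol]
-r and r.static? ? r : nil
-end
-
+#
+# = lib/annotation_security/policy/rule_set.rb
+#
+
+# = AnnotationSecurity::RuleSet
+# Contains all rule objects for a policy
+#
+class AnnotationSecurity::RuleSet # :nodoc:
+
+# Initializes the rule set
+# * +pclass+ Policy class this rule set belongs to
+#
+def initialize(pclass)
+super()
+@pclass = pclass
+@rights = {}
+@static = {}
+@dynamic = {}
+end
+
+def to_s
+"<RuleSet of #@pclass>"
+end
+
+# Returns a rule object or nil if the rule does not exist.
+# * +symbol+ name of the rule
+# * +static+ boolean specifing whether the rule is static or dynamic
+def get_rule(symbol,static)
+static ? get_static_rule(symbol) : get_dynamic_rule(symbol)
+end
+
+# Returns a dynamic rule or nil if the rule does not exist.
+# * +symbol+ name of the rule
+def get_dynamic_rule(symbol)
+# If no rule is available, maybe there is a right that can be used
+@dynamic[symbol] ||= get_dynamic_right(symbol)
+end
+
+# Returns a static rule or nil if the rule does not exist.
+# * +symbol+ name of the rule
+def get_static_rule(symbol)
+# If no rule is available, maybe there is a right that can be used
+@static[symbol] ||= get_static_right(symbol)
+end
+
+# Copies a rule from another rule set.
+# Returns the newly created rule or nil if the operation had no effect.
+# * +symbol+ name of the rule
+# * +source+ rule set to copy from
+# * +static+ boolean specifing whether the rule is static or dynamic
+def copy_rule_from(symbol,source,static)
+add_copy(source.get_rule(symbol,static))
+end
+
+# Creates a dynamic rule that redirects to a static rule with the same name.
+# Returns the newly created rule or nil if the operation had no effect.
+# * +symbol+ name of the rule
+def create_dynamic_copy(symbol)
+rule = get_static_rule(symbol)
+if rule
+add_rule(symbol,
+"static_policy.#{symbol}(*args)",
+:resource,
+:require_credential => rule.requires_credential?)
+end
+end
+
+# Adds a new rule to this rule set. The rule will be classified either
+# as dynamic, static, both or right.
+# Returns the newly create rule.
+# For an explainition of the parameters see AnnotationSecurity::Rule#initialize.
+def add_rule(symbol,*args,&block)
+__add__ AnnotationSecurity::Rule.new(symbol,@pclass,*args,&block)
+end
+
+private
+
+# Copies a rule object to this rule set.
+# Returns the newly created rule or nil.
+# * +rule+ rule object to copy or nil.
+def add_copy(rule)
+__add__(rule.copy(@pclass)) if rule
+end
+
+# Adds a new rule to this rule set. The rule will be classified either
+# as dynamic, static, both or right.
+# * +rule+ rule object
+def __add__(rule)
+if rule.right?
+# if the rule is a right, its not clear yet whether
+# it is static or dynamic. These rules will be analyzed later.
+raise_if_forbidden_name 'right', rule
+raise_if_exists 'right', @rights[rule.name]
+@rights[rule.name] = rule
+else
+raise_if_forbidden_name 'relation', rule
+if rule.dynamic?
+raise_if_exists 'dynamic relation', @dynamic[rule.name]
+@dynamic[rule.name] = rule
+end
+if rule.static?
+raise_if_exists 'static relation', @static[rule.name]
+@static[rule.name] = rule
+end
+end
+rule
+end
+
+# Raises an error if +rule+ is not nil.
+# * +type+ type of rule, like 'right' or 'dynamic relation'
+# * +rule+ existing rule object or nil
+def raise_if_exists(type,rule)
+raise AnnotationSecurity::RuleError.defined_twice(type,rule) if rule
+end
+
+# Raises an error if +rule+ has a forbidden name.
+# * +type+ type of rule, like 'right' or 'relation'
+# * +rule+ rule object
+def raise_if_forbidden_name(type,rule)
+if AnnotationSecurity::AbstractPolicy.forbidden_rule_names.include? rule.name.to_s
+raise AnnotationSecurity::RuleError.forbidden_name(type,rule)
+end
+end
+
+# Returns a dynamic rule that was defined as right
+# * +symbol+ name of the rule
+def get_dynamic_right(symbol)
+r = @rights[symbol]
+r and r.dynamic? ? r : nil
+end
+
+# Returns a static rule that was defined as right
+# * +symbol+ name of the rule
+def get_static_right(symbol)
+r = @rights[symbol]
+r and r.static? ? r : nil
+end
+
 end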
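--- a/data/lib/annotation_security/rails.rb
+++ b/data/lib/annotation_security/rails.rb
@@ -1,39 +1,22 @@
-#
-# = annotation_security/rails
-#
-#
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-# Set up a dummy security context that does not interfer with script
-::SecurityContext.initialize nil
-
-::ActiveRecord::Base.observers << ::AnnotationSecurity::ModelObserver
-
-# In development mode, the models we observe get reloaded with each request. Using
-# this hook allows us to reload the observer relationships each time as well.
-::ActionController::Dispatcher.to_prepare(:cache_advance_reload) do
-::AnnotationSecurity.reset
-::AnnotationSecurity::ModelObserver.instance.reload_model_observer
-end
-end
-
-puts "Security layer initialized"
-end
-end
-end
+#
+# = lib/annotation_security/rails.rb
+#
+# This modul provides the rails extensions contained in the
+# AnnotationSecurity security layer.
+#
+
+#
+# Contains rails specific extensions
+#
+module AnnotationSecurity::Rails; end
+
+# Load annotation security files
+rails_version = Rails::VERSION::MAJOR
+dir = File.dirname(__FILE__)
+
+require dir + "/rails/#{rails_version}/includes/action_controller"
+require dir + "/rails/#{rails_version}/includes/active_record"
+
+require dir + "/rails/#{rails_version}/model_observer"
+require dir + "/rails/#{rails_version}/initializer"
+require dir + "/rails/filters"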
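Review bot: The four version-dependent `require` lines interpolate `Rails::VERSION::MAJOR` straight into the path, and the file list of this release only shows `rails/2` and `rails/3` directories, so any other major version would stop with a bare LoadError that names a missing file. Because this file is what loads the security layer's controller and model hooks, an explicit guard before the first `require` makes that failure deliberate and readable: `raise LoadError, "annotation_security supports Rails 2 and 3, found #{rails_version}" unless [2, 3].include?(rails_version)`. A one-line comment above `rails_version = Rails::VERSION::MAJOR` naming the supported versions would also help the next maintainer.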
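--- a/data/lib/extensions/filter.rb
+++ b/data/lib/annotation_security/rails/2/extensions/filter.rb
@@ -1,134 +1,132 @@
-#
-# = lib/extensions/filter.rb
-#
-#
-#
-
-#
-#
-
-#
-#
-#
-#
-#
-#
-#
-#
-#
-#
-# * AnnotationSecurity::Filters::
-# *
-#
-
-#
-#
-
-
-
-
-
-
-
-
-
-
-
-
-
-#
-#
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-return
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-when filter.respond_to?(:
-:
-
-:
-
-
-
-
-
-when :
-
-when :
-
-when :
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-end
-end
+#
+# = lib/annotation_security/rails/extensions/filter/rails2.rb
+#
+# Patches rails 2 filter chain to allow security filters
+#
+
+# Extends ActiveRecord::Base and patches ActionController::Filters
+#
+# Performs additions to the rails filter chain. It basically adds two
+# filters which may not be removed:
+#
+# 1) Before Fiter to initialize SecurityContext
+# 2) Around Filter around actions
+#
+# The altered filter chain looks like this:
+#
+# * AnnotationSecurity::Rails::Filters::InitializeSecurity
+# * ... other before filters
+# * around filters ...
+# * AnnotationSecurity::Rails::Filters::ApplySecurity
+# * after filters
+#
+
+module ActionController # :nodoc:
+module Filters # :nodoc:
+class FilterChain # :nodoc:
+def self.new(&block)
+returning super do |filter_chain|
+filter_chain.append_filter_to_chain([AnnotationSecurity::Rails::Filters::InitializeSecurity], :security, &block)
+filter_chain.append_filter_to_chain([AnnotationSecurity::Rails::Filters::ApplySecurity], :action_security, &block)
+end
+end
+
+private
+
+def find_filter_append_position(filters, filter_type)
+# appending an after filter puts it at the end of the call chain
+# before and around filters go after security filters and
+# before the first after or action_security filter
+#
+return -1 if filter_type == :after
+
+if filter_type == :security
+#security filters are first filters in chain
+each_with_index do |f,i|
+return i unless f.security?
+end
+else
+each_with_index do |f,i|
+return i if f.after? or f.action_security?
+end
+end
+return -1
+end
+
+def find_filter_prepend_position(filters, filter_type)
+if filter_type == :after
+# after filters go before the first after filter in the chain
+each_with_index do |f,i|
+return i if f.after?
+end
+return -1
+elsif filter_type == :security
+return 0
+else
+# prepending a before or around filter puts it at the front of the call chain
+each_with_index do |f,i|
+return i unless f.security?
+end
+end
+return 0 # Since first filter is security initialization filter
+end
+
+def find_or_create_filter(filter, filter_type, options = {})
+update_filter_in_chain([filter], options)
+
+if found_filter = find(filter) { |f| f.type == filter_type }
+found_filter
+else
+filter_kind = case
+when filter.respond_to?(:before) && filter_type == :before
+:before
+when filter.respond_to?(:after) && filter_type == :after
+:after
+else
+:filter
+end
+
+case filter_type
+when :before
+BeforeFilter.new(filter_kind, filter, options)
+when :after
+AfterFilter.new(filter_kind, filter, options)
+when :security
+SecurityFilter.new(filter_kind, filter, options)
+when :action_security
+ActionSecurityFilter.new(filter_kind, filter, options)
+else
+AroundFilter.new(filter_kind, filter, options)
+end
+end
+end
+end
+
+class Filter # :nodoc:
+
+# override to return true in appropriate subclass
+def security?
+false
+end
+
+def action_security?
+false
+end
+end
+
+# the customized security filter that sets the current user
+# and catches security exceptions
+class SecurityFilter < AroundFilter # :nodoc:
+def security?
+true
+end
+end
+
+# filter used to activate security for actions
+class ActionSecurityFilter < AroundFilter # :nodoc:
+def action_security?
+true
+end
+end
+end
 end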
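Review bot: The fall-through `return 0` at the end of `find_filter_prepend_position` puts a prepended before or around filter at index 0 whenever every filter already in the chain answers `security?` with true, which places it ahead of the security initialization filter rather than behind it. With the chain built by `self.new` the loop normally stops at the `ApplySecurity` entry, so this only matters if that entry is ever missing, but the header comment promises the two filters may not be removed and nothing visible in this section enforces that. Returning the end-of-chain position there, `return -1 # only security filters present: insert behind them`, would keep the ordering guarantee. This assumes the caller, which is outside this section, treats -1 as "append", as the other `return -1` paths here suggest.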