annotation_security 1.0.2 → 1.3.1

data/lib/annotation_security/rails/2/includes/action_controller.rb

@@ -0,0 +1,144 @@
+#
+# = lib/annotation_security/rails/2/includes/action_controller.rb
+#
+
+# Provides security extensions for rails controllers.
+# Is included in ActionController::Base.
+#
+# See AnnotationSecurity::ActionController::ClassMethods.
+#
+module AnnotationSecurity::ActionController
+  
+  def self.included(base) # :nodoc:
+    base.extend(ClassMethods)
+    base.send :include, InstanceMethods
+  end
+
+  # Provides security extensions for rails controllers on the class side.
+  # 
+  module ClassMethods
+
+    # Filters are not affected by the security settings of the action.
+    # If you want security checkings in your filters, activate them with
+    # +apply_security+.
+    #
+    #  apply_security :get_user
+    #
+    #  private
+    #
+    #  desc "shows a user"
+    #  def get_user
+    #    @user = User.find params[:id]
+    #  end
+    #
+    # You can use +apply_security+ to secure any methods, not only filters.
+    # Notice that these rules are *not* taken into account when evaluating
+    # AnnotationSecurity::Helper#link_to_if_allowed and similar methods.
+    #
+    def apply_security(*symbols)
+      symbols.each { |s| pending_security_wrappers << s.to_sym }
+    end
+
+    # Filters are not affected by the security settings of the action.
+    # If you want the security settings of the action applied to your filter,
+    # use this method. It can be combined with #apply_security
+    def apply_action_security(*symbols)
+      symbols.each { |s| pending_action_security_wrappers << s.to_sym }
+    end
+
+    # AnnotationSecurity is using the +method_added+ callback. If this method
+    # is overwritten without calling +super+, +apply_security+ will not work.
+    #
+    def method_added(method)
+      super(method)
+      if pending_security_wrappers.delete method
+        build_security_wrapper(method)
+      end
+      if pending_action_security_wrappers.delete method
+        build_action_security_wrapper(method)
+      end
+    end
+
+    # If no resource type is provided in a description, the default resource
+    # will be used. Once set the value cannot be changed.
+    #
+    # This is still experimental. You should not use it unless you have a
+    # reason. It might be usefull for inheritance.
+    #
+    def default_resource(value=nil)
+      @default_resource ||= value || compute_default_resource
+    end
+
+    # Creates a new security filter.
+    #
+    # Security filters are around filters that are evaluated before the first
+    # before filter. Use security filters to set the credentials and to react
+    # to security violations.
+    #  class ApplicationController < ActionController::Base
+    #
+    #    security_filter :security_filter
+    #
+    #    private
+    #
+    #    def security_filter
+    #      SecurityContext.current_credential = session[:user]
+    #      yield
+    #    rescue SecurityViolationError
+    #      if SecurityContext.is? :logged_in
+    #        render :template => "welcome/not_allowed"
+    #      else
+    #        render :template => "welcome/please_login"
+    #      end
+    #    end
+    #
+    # See SecurityContext#current_credential= and SecurityViolationError.
+    #
+    def security_filter(symbol, &block)
+      filter_chain.append_filter_to_chain([symbol], :security, &block)
+    end
+
+    private
+
+    def pending_security_wrappers
+      @pending_security_wrappers ||= []
+    end
+
+    def pending_action_security_wrappers
+      @pending_action_security_wrappers ||= []
+    end
+
+    def build_security_wrapper(method)
+      no_security = "#{method}_without_security".to_sym
+      class_eval %{
+        alias :#{no_security} :#{method}
+        def #{method}(*args, &proc)
+          rules = self.class.descriptions_of(:#{method})
+          SecurityContext.current.send_with_security(rules, self, :#{no_security}, *args, &proc)
+        end
+      }
+    end
+
+    def build_action_security_wrapper(method)
+      no_security = "#{method}_without_action_security".to_sym
+      class_eval %{
+        alias :#{no_security} :#{method}
+        def #{method}(*args, &proc)
+          rules = self.class.descriptions_of(action_name)
+          SecurityContext.current.send_with_security(rules, self, :#{no_security}, *args, &proc)
+        end
+      }
+    end
+
+    def compute_default_resource
+      name.first(-"Controller".length).singularize.underscore.to_sym
+    end
+
+  end
+
+  module InstanceMethods # :nodoc:
+
+    def security_exception=(ex)
+      @security_exception = ex
+    end
+  end
+end

data/lib/annotation_security/rails/2/includes/active_record.rb

@@ -0,0 +1,28 @@
+#
+# = lib/annotation_security/rails/2/includes/active_record.rb
+#
+
+# = AnnotationSecurity::Rails::ActiveRecord
+# 
+# Included by model classes if they are used as resources.
+# Includes AnnotationSecurity::Resource and sets up the model observer.
+#
+module AnnotationSecurity::Rails::ActiveRecord # :nodoc:
+
+  def self.included(base)
+    base.class_eval do
+      include ::AnnotationSecurity::Resource
+    end
+    base.extend(ClassMethods)
+    AnnotationSecurity::Rails::ModelObserver.observe base.name.underscore.to_sym
+    AnnotationSecurity::Rails::ModelObserver.instance.reload_model_observer
+  end
+  
+  module ClassMethods # :nodoc:
+    def get_resource(object)
+      return object if object.is_a? self
+      # Object.const_get(name) needed because of a bug in Rails
+      Object.const_get(name).find(object)
+    end
+  end
+end

data/lib/annotation_security/rails/2/initializer.rb

@@ -0,0 +1,35 @@
+#
+# = lib/annotation_security/rails/2/initializer.rb
+#
+# Loads the annotation security layer for a rails app
+#
+
+module AnnotationSecurity::Rails
+  def self.init!(config)
+
+    puts "Initializing AnnotationSecurity security layer (v#{AnnotationSecurity::VERSION})"
+
+    # Policy files are situated under RAILS_ROOT/config/security
+    # Default policy file is internal, load it
+    ::AnnotationSecurity.load_relations(File.dirname(__FILE__) + '/../../policy/all_resources_policy')
+
+    # Add AnnotationSecurity::Rails::ModelObserver to observe changes in models.
+    # See http://riotprojects.com/2009/1/18/active-record-observers-in-gems-plugins
+    #
+    config.after_initialize do
+      # Set up a dummy security context that does not interfer with script
+      ::SecurityContext.initialize nil
+
+      ::ActiveRecord::Base.observers << ::AnnotationSecurity::Rails::ModelObserver
+
+      # In development mode, the models we observe get reloaded with each request. Using
+      # this hook allows us to reload the observer relationships each time as well.
+      ::ActionController::Dispatcher.to_prepare(:cache_advance_reload) do
+        ::AnnotationSecurity.reset
+        ::AnnotationSecurity::Rails::ModelObserver.instance.reload_model_observer
+      end
+    end
+
+    puts "Security layer initialized"
+  end
+end

data/lib/annotation_security/{model_observer.rb → rails/2/model_observer.rb}

@@ -1,61 +1,61 @@
-#
-# = lib/annotation_security/model_observer.rb
-#
-# Contains SecurityObserver which implements constraint checking for model
-# classes.
-#
-
-module AnnotationSecurity
-
-  # Observes changes in models and applies security policy to them
-  #
-  class ModelObserver < ::ActiveRecord::Observer # :nodoc:
-
-    # Sets the observed model classes
-    #
-    observe # will be set automatically. However, observe must not be removed
-    
-    def before_validation_on_create(record)
-      SecurityContext.observe record
-    end
-    
-    def before_validation_on_update(record)
-      SecurityContext.observe record
-    end
-
-    # after_find is removed in favour of after_initialize
-
-    def after_initialize(record)      
-      if record.new_record?
-        # The record is new
-      else
-        # The record came out of database
-        SecurityContext.observe record
-      end
-    end
-
-    def before_destroy(record)
-      SecurityContext.observe record
-    end
-
-    # Re-register on classes you are observing
-    # See http://riotprojects.com/2009/1/18/active-record-observers-in-gems-plugins
-    #
-    def reload_model_observer
-      observed_classes.each do |klass|
-        add_observer!(klass.name.constantize)
-      end
-    end
-
-    protected
-
-    def add_observer!(klass)
-      klass.delete_observer(self)      
-      super
-      
-      if respond_to?(:after_initialize) && !klass.method_defined?(:after_initialize)
-        klass.class_eval 'def after_initialize() end'
-      end
-    end
-  end
-end
+#
+# = lib/annotation_security/rails/2/model_observer.rb
+#
+# Contains SecurityObserver which implements constraint checking for model
+# classes.
+#
+
+module AnnotationSecurity::Rails
+
+  # Observes changes in models and applies security policy to them
+  #
+  class ModelObserver < ::ActiveRecord::Observer # :nodoc:
+
+    # Sets the observed model classes
+    #
+    observe # will be set automatically. However, observe must not be removed
+    
+    def before_validation_on_create(record)
+      SecurityContext.observe record
+    end
+    
+    def before_validation_on_update(record)
+      SecurityContext.observe record
+    end
+
+    # after_find is removed in favour of after_initialize
+
+    def after_initialize(record)      
+      if record.new_record?
+        # The record is new
+      else
+        # The record came out of database
+        SecurityContext.observe record
+      end
+    end
+
+    def before_destroy(record)
+      SecurityContext.observe record
+    end
+
+    # Re-register on classes you are observing
+    # See http://riotprojects.com/2009/1/18/active-record-observers-in-gems-plugins
+    #
+    def reload_model_observer
+      observed_classes.each do |klass|
+        add_observer!(klass.name.constantize)
+      end
+    end
+
+    protected
+
+    def add_observer!(klass)      
+      klass.delete_observer(self)      
+      super
+      
+      if respond_to?(:after_initialize) && !klass.method_defined?(:after_initialize)
+        klass.class_eval 'def after_initialize() end'
+      end
+    end
+  end
+end

data/lib/annotation_security/rails/3/extensions/filter.rb

@@ -0,0 +1,28 @@
+#
+# = lib/annotation_security/rails/extensions/filter/rails3.rb
+#
+# Patches rails 3 filter chain to allow security filters
+#
+
+# Extends ActiveRecord::Base and patches ActionController::Filters
+#
+# Performs additions to the rails filter chain. It basically adds two
+# filters which may not be removed:
+#
+#  1) Before Fiter to initialize SecurityContext
+#  2) Around Filter around actions
+#
+# The altered filter chain looks like this:
+#
+#  * AnnotationSecurity::Filters::InitializeSecurity
+#  * ... other before filters
+#  * around filters ...
+#  * AnnotationSecurity::Filters::ApplySecurity
+#  * after filters
+#
+
+module ActionController # :nodoc:
+  module Filters # :nodoc:
+    
+  end
+end

data/lib/annotation_security/{includes → rails/3/includes}/action_controller.rb

@@ -1,145 +1,144 @@
-#
-# = lib/annotation_security/includes/action_controller.rb
-#
-
-# Provides security extensions for rails controllers.
-# Is included in ActionController::Base.
-#
-# See AnnotationSecurity::ActionController::ClassMethods.
-#
-module AnnotationSecurity::ActionController
-
-  def self.included(base) # :nodoc:
-    base.extend(ClassMethods)
-    base.send :include, InstanceMethods
-  end
-
-  # Provides security extensions for rails controllers on the class side.
-  # 
-  module ClassMethods
-
-    # Filters are not affected by the security settings of the action.
-    # If you want security checkings in your filters, activate them with
-    # +apply_security+.
-    #
-    #  apply_security :get_user
-    #
-    #  private
-    #
-    #  desc "shows a user"
-    #  def get_user
-    #    @user = User.find params[:id]
-    #  end
-    #
-    # You can use +apply_security+ to secure any methods, not only filters.
-    # Notice that these rules are *not* taken into account when evaluating
-    # AnnotationSecurity::Helper#link_to_if_allowed and similar methods.
-    #
-    def apply_security(*symbols)
-      symbols.each { |s| pending_security_wrappers << s.to_sym }
-    end
-
-    # Filters are not affected by the security settings of the action.
-    # If you want the security settings of the action applied to your filter,
-    # use this method. It can be combined with #apply_security
-    def apply_action_security(*symbols)
-      symbols.each { |s| pending_action_security_wrappers << s.to_sym }
-    end
-
-    # AnnotationSecurity is using the +method_added+ callback. If this method
-    # is overwritten without calling +super+, +apply_security+ will not work.
-    #
-    def method_added(method)
-      super(method)
-      if pending_security_wrappers.delete method
-        build_security_wrapper(method)
-      end
-      if pending_action_security_wrappers.delete method
-        build_action_security_wrapper(method)
-      end
-    end
-
-    # If no resource type is provided in a description, the default resource
-    # will be used. Once set the value cannot be changed.
-    #
-    # This is still experimental. You should not use it unless you have a
-    # reason. It might be useful for inheritance.
-    #
-    def default_resource(value=nil)
-      @default_resource ||= value || compute_default_resource
-    end
-
-    # Creates a new security filter.
-    #
-    # Security filters are around filters that are evaluated before the first
-    # before filter. Use security filters to set the credentials and to react
-    # to security violations.
-    # 
-    #  class ApplicationController < ActionController::Base
-    #
-    #    security_filter :security_filter
-    #
-    #    private
-    #
-    #    def security_filter
-    #      SecurityContext.current_credential = session[:user]
-    #      yield
-    #    rescue SecurityViolationError
-    #      if SecurityContext.is? :logged_in
-    #        render :template => "welcome/not_allowed"
-    #      else
-    #        render :template => "welcome/please_login"
-    #      end
-    #    end
-    #
-    # See SecurityContext#current_credential= and SecurityViolationError.
-    #
-    def security_filter(symbol, &block)
-      filter_chain.append_filter_to_chain([symbol], :security, &block)
-    end
-
-    private
-
-    def pending_security_wrappers
-      @pending_security_wrappers ||= []
-    end
-
-    def pending_action_security_wrappers
-      @pending_action_security_wrappers ||= []
-    end
-
-    def build_security_wrapper(method)
-      no_security = "#{method}_without_security".to_sym
-      class_eval %{
-        alias :#{no_security} :#{method}
-        def #{method}(*args, &proc)
-          rules = self.class.descriptions_of(:#{method})
-          SecurityContext.current.send_with_security(rules, self, :#{no_security}, *args, &proc)
-        end
-      }
-    end
-
-    def build_action_security_wrapper(method)
-      no_security = "#{method}_without_action_security".to_sym
-      class_eval %{
-        alias :#{no_security} :#{method}
-        def #{method}(*args, &proc)
-          rules = self.class.descriptions_of(action_name)
-          SecurityContext.current.send_with_security(rules, self, :#{no_security}, *args, &proc)
-        end
-      }
-    end
-
-    def compute_default_resource
-      name.first(-"Controller".length).singularize.underscore.to_sym
-    end
-
-  end
-
-  module InstanceMethods # :nodoc:
-
-    def security_exception=(ex)
-      @security_exception = ex
-    end
-  end
+#
+# = lib/annotation_security/includes/action_controller.rb
+#
+
+# Provides security extensions for rails controllers.
+# Is included in ActionController::Base.
+#
+# See AnnotationSecurity::ActionController::ClassMethods.
+#
+module AnnotationSecurity::ActionController
+  
+  def self.included(base) # :nodoc:
+    base.extend(ClassMethods)
+    base.send :include, InstanceMethods
+  end
+
+  # Provides security extensions for rails controllers on the class side.
+  # 
+  module ClassMethods
+
+    # Filters are not affected by the security settings of the action.
+    # If you want security checkings in your filters, activate them with
+    # +apply_security+.
+    #
+    #  apply_security :get_user
+    #
+    #  private
+    #
+    #  desc "shows a user"
+    #  def get_user
+    #    @user = User.find params[:id]
+    #  end
+    #
+    # You can use +apply_security+ to secure any methods, not only filters.
+    # Notice that these rules are *not* taken into account when evaluating
+    # AnnotationSecurity::Helper#link_to_if_allowed and similar methods.
+    #
+    def apply_security(*symbols)
+      symbols.each { |s| pending_security_wrappers << s.to_sym }
+    end
+
+    # Filters are not affected by the security settings of the action.
+    # If you want the security settings of the action applied to your filter,
+    # use this method. It can be combined with #apply_security
+    def apply_action_security(*symbols)
+      symbols.each { |s| pending_action_security_wrappers << s.to_sym }
+    end
+
+    # AnnotationSecurity is using the +method_added+ callback. If this method
+    # is overwritten without calling +super+, +apply_security+ will not work.
+    #
+    def method_added(method)
+      super(method)
+      if pending_security_wrappers.delete method
+        build_security_wrapper(method)
+      end
+      if pending_action_security_wrappers.delete method
+        build_action_security_wrapper(method)
+      end
+    end
+
+    # If no resource type is provided in a description, the default resource
+    # will be used. Once set the value cannot be changed.
+    #
+    # This is still experimental. You should not use it unless you have a
+    # reason. It might be usefull for inheritance.
+    #
+    def default_resource(value=nil)
+      @default_resource ||= value || compute_default_resource
+    end
+
+    # Creates a new security filter.
+    #
+    # Security filters are around filters that are evaluated before the first
+    # before filter. Use security filters to set the credentials and to react
+    # to security violations.
+    #  class ApplicationController < ActionController::Base
+    #
+    #    security_filter :security_filter
+    #
+    #    private
+    #
+    #    def security_filter
+    #      SecurityContext.current_credential = session[:user]
+    #      yield
+    #    rescue SecurityViolationError
+    #      if SecurityContext.is? :logged_in
+    #        render :template => "welcome/not_allowed"
+    #      else
+    #        render :template => "welcome/please_login"
+    #      end
+    #    end
+    #
+    # See SecurityContext#current_credential= and SecurityViolationError.
+    #
+    def security_filter(symbol, &block)
+      filter_chain.append_filter_to_chain([symbol], :security, &block)
+    end
+
+    private
+
+    def pending_security_wrappers
+      @pending_security_wrappers ||= []
+    end
+
+    def pending_action_security_wrappers
+      @pending_action_security_wrappers ||= []
+    end
+
+    def build_security_wrapper(method)
+      no_security = "#{method}_without_security".to_sym
+      class_eval %{
+        alias :#{no_security} :#{method}
+        def #{method}(*args, &proc)
+          rules = self.class.descriptions_of(:#{method})
+          SecurityContext.current.send_with_security(rules, self, :#{no_security}, *args, &proc)
+        end
+      }
+    end
+
+    def build_action_security_wrapper(method)
+      no_security = "#{method}_without_action_security".to_sym
+      class_eval %{
+        alias :#{no_security} :#{method}
+        def #{method}(*args, &proc)
+          rules = self.class.descriptions_of(action_name)
+          SecurityContext.current.send_with_security(rules, self, :#{no_security}, *args, &proc)
+        end
+      }
+    end
+
+    def compute_default_resource
+      name.first(-"Controller".length).singularize.underscore.to_sym
+    end
+
+  end
+
+  module InstanceMethods # :nodoc:
+
+    def security_exception=(ex)
+      @security_exception = ex
+    end
+  end
 end