authority 0.0.1 → 0.2.0

data/README.md

@@ -1,9 +1,22 @@
 # Authority
 
-## SUPER ALPHA VERSION
+## SUPER BETA VERSION. Stabler release coming soon.
+
+## TL;DR
+
+No time for reading! Reading is for chumps! Here's the skinny:
+
+- Install in your Rails project
+- Put this in your controllers: `check_authorization_on ModelName`
+- Put this in your models:  `include Authority::Abilities`
+- For each model you have, create a corresponding Authorization file. For example, for `app/models/lolcat.rb`, create `app/authorizations/lolcat_authorization.rb` with an empty class inheriting from `Authorization`.
+- Add class methods to that authorization to set rules that can be enforced just by looking at the resource class, like "this user cannot create Lolcats, period."
+- Add instance methods to that authorization to set rules that need to look at a resource instance, like "a user can only edit a Lolcat if it belongs to that user and has not been marked as 'classic'".
 
 ## Overview
 
+Still here? Reading is fun! You always knew that. Time for a deeper look at things.
+
 Authority gives you a clean and easy way to say, in your Rails app, **who** is allowed to do **what** with your models.
 
 It assumes that you already have some kind of user object in your application.
@@ -25,9 +38,20 @@ The goals of Authority are:
 
 - To do all of this **without cluttering** either your controllers or your models. This is done by letting Authorizer classes do most of the work. More on that below.
 
+## The flow of Authority
+
+In broad terms, the authorization process flows like this:
+
+- A request comes to a model, either the class or an instance, saying "can this user do this action to you?"
+- The model passes that question to its Authorizer
+- The Authorizer checks whatever user properties and business rules are relevant to answer that question.
+- The answer is passed back up to the model, then back to the original caller
+
 ## Installation
 
-Add this line to your application's Gemfile:
+First, check in whatever changes you've made to your app already. You want to see what we're doing to your app, don't you?
+
+Now, add this line to your application's Gemfile:
 
     gem 'authority'
 
@@ -39,20 +63,17 @@ Or install it yourself as:
 
     $ gem install authority
 
-## How it works
+Then run the generator:
 
-In broad terms, the authorization process flows like this:
+    $ rails g authority:install
 
-- A request comes to a model, either the class or an instance, saying "can this user do this action to you?"
-- The model passes that question to its Authorizer
-- The Authorizer checks whatever user properties and business rules are relevant to answer that question.
-- The answer is passed back up to the model, then back to the original caller
+Hooray! New files! Go look at them.
 
 ## Usage
 
 ### Users
 
-Your user model (whatever you call it) should `include Authority::UserAbilities`. This defines methods like `can_edit?(resource)`, which are just nice shortcuts for `resource.editable_by?(user)`. (TODO: Add this module).
+Your user model (whatever you call it) should `include Authority::UserAbilities`. This defines methods like `can_edit?(resource)`, which are just nice shortcuts for `resource.editable_by?(user)`.
 
 ### Models
 
@@ -72,7 +93,7 @@ If that's all you need, one line does it.
 
 #### In-action usage
 
-If you need to check some attributes of a model instance to decide if an action is permissible, you can use `check_authorization_for(:action, @model_instance, @user)` (TODO: determine this)
+If you need to check some attributes of a model instance to decide if an action is permissible, you can use `check_authorization_for(:action, @model_instance, @user)`
 
 ### Authorizers
 
@@ -84,8 +105,9 @@ Authorizers should be added under `app/authorizers`, one for each of your models
 
 These are where your actual authorization logic goes. You do have to specify your own business rules, but Authority comes with the following baked in:
 
-- All class-level methods defined on `Authority::Authorizer` return false by default; you must override them in your Authorizers to grant permissions. This whitelisting approach will keep you from accidentally allowing things you didn't intend.
-- All instance-level methods defined on `Authority::Authorizer` call their corresponding class-level method by default.
+- All instance-level methods defined on `Authority::Authorizer` call their corresponding class-level method by default. In other words, if you haven't said whether a user can update **this particular** widget, we'll decide by checking whether they can update **any** widget.
+- All class-level methods defined on `Authority::Authorizer` will use the `default_strategy` you define in your configuration.
+- The **default** default strategy simply returns false; you must override it in your configuration and/or write methods on your individual `Authorizer` classes to grant permissions. This whitelisting approach will keep you from accidentally allowing things you didn't intend.
 
 This combination means that, with this code:
 
@@ -119,17 +141,30 @@ If you update your authorizer as follows:
     current_user.can_create?(@laser_cannon)  # true; inherited instance method calls class method
     current_user.can_delete?(@laser_cannon)  # Only Larry, and only on Fridays
 
+## Integration Notes
+
+- If you want to have nice log messages for security violations, you should ensure that your user object has a `to_s` method; this will control how it shows up in log messages saying things like "Harvey Johnson is not allowed to delete this resource:..."
+
 ## TODO
 
-- Add a module, to be included in whatever user class an app has, which defines all the `can_(verb)` methods.
-- Determine exact syntax for checking rules during a controller action.
-- Add ability to customize default authorization
-- Add customizable logger for authorization violations
+- Document syntax for checking rules during a controller action
+- Rename Authorization to Authorizer
+- Update generator to create an authorizer for every model
+- Generator
+  - Add generators or hook into existing rails generators
+  - Add generator to installation instructions
+  - Generate well-commented default configuration file like Devise does (shout out!)
+  - Generate 403.html, with option to skip if exists
+- Note that you MUST call configure; internals aren't included until you do.
+- Write about configuration file and options in Configuration section.
 
 ## Contributing
 
 1. Fork it
 2. Create your feature branch (`git checkout -b my-new-feature`)
-3. Commit your changes (`git commit -am 'Added some feature'`)
-4. Push to the branch (`git push origin my-new-feature`)
-5. Create new Pull Request
+3. `bundle install` to get all dependencies
+4. `rspec spec` to run all tests.
+5. Make your changes and update/add tests as necessary.
+6. Commit your changes (`git commit -am 'Added some feature'`)
+7. Push to the branch (`git push origin my-new-feature`)
+8. Create new Pull Request

data/lib/authority.rb

@@ -1,11 +1,60 @@
 require 'active_support/concern'
 require 'active_support/core_ext/class/attribute'
+require 'active_support/core_ext/hash/keys'
 require 'active_support/core_ext/string/inflections'
+require 'logger'
 
 module Authority
-  ADJECTIVES = %w[creatable readable updatable deletable]
+
+  # NOTE: once this method is called, the library has started meta programming
+  # and abilities should no longer be modified
+  def self.abilities
+    configuration.abilities.freeze
+  end
+
+  def self.verbs
+    abilities.keys
+  end
+
+  def self.adjectives
+    abilities.values
+  end
+
+  def self.enforce(action, resource, user)
+    action_authorized = user.send("can_#{action}?", resource)
+    unless action_authorized
+      message = "#{user} is not authorized to #{action} this resource: #{resource.inspect}"
+      raise SecurityTransgression.new(message)
+    end
+    resource
+  end
+
+  class << self
+    attr_accessor :configuration
+  end
+
+  def self.configure
+    self.configuration ||= Configuration.new
+    yield(configuration) if block_given?
+    require_authority_internals!
+
+    configuration
+  end
+
+  private
+
+  def self.require_authority_internals!
+    require 'authority/abilities'
+    require 'authority/authorizer'
+    require 'authority/user_abilities'
+  end
+
+  class SecurityTransgression < StandardError ; end
+
 end
 
-require 'authority/abilities'
-require 'authority/authorizer'
+require 'authority/configuration'
+require 'authority/controller'
+require 'authority/railtie' if defined?(Rails)
 require 'authority/version'
+

data/lib/authority/abilities.rb

@@ -10,12 +10,12 @@ module Authority
 
     module ClassMethods
 
-      ADJECTIVES.each do |adjective|
+      Authority.adjectives.each do |adjective|
 
         # Metaprogram needed methods, allowing for nice backtraces
         class_eval <<-RUBY, __FILE__, __LINE__ + 1
-          def #{adjective}_by?(actor)
-            authorizer.#{adjective}_by?(actor)
+          def #{adjective}_by?(user)
+            authorizer.#{adjective}_by?(user)
           end
         RUBY
       end
@@ -25,12 +25,16 @@ module Authority
       end
     end
 
-      ADJECTIVES.each do |adjective|
+      Authority.adjectives.each do |adjective|
 
         # Metaprogram needed methods, allowing for nice backtraces
         class_eval <<-RUBY, __FILE__, __LINE__ + 1
-          def #{adjective}_by?(actor)
-            self.class.authorizer.new(self).#{adjective}_by?(actor)
+          def #{adjective}_by?(user)
+            authorizer.#{adjective}_by?(user)
+          end
+
+          def authorizer
+            self.class.authorizer.new(self)
           end
         RUBY
       end

data/lib/authority/authorizer.rb

@@ -7,18 +7,18 @@ module Authority
       @resource = resource
     end
 
-    ADJECTIVES.each do |adjective|
+    Authority.adjectives.each do |adjective|
       class_eval <<-RUBY, __FILE__, __LINE__ + 1
-        def self.#{adjective}_by?(actor)
-          false
+        def self.#{adjective}_by?(user)
+          Authority.configuration.default_strategy.call(:#{adjective}, self, user)
         end
       RUBY
     end
 
-    ADJECTIVES.each do |adjective|
+    Authority.adjectives.each do |adjective|
       class_eval <<-RUBY, __FILE__, __LINE__ + 1
-        def #{adjective}_by?(actor)
-          false
+        def #{adjective}_by?(user)
+          self.class.#{adjective}_by?(user)
         end
       RUBY
     end

data/lib/authority/configuration.rb

@@ -0,0 +1,34 @@
+module Authority
+  class Configuration
+
+    attr_accessor :default_strategy, :abilities, :authority_actions, :user_method, :logger
+
+    def initialize
+      @default_strategy = Proc.new { |able, authorizer, user|
+        false
+      }
+
+      @abilities = {
+        :create => 'creatable',
+        :read   => 'readable',
+        :update => 'updatable',
+        :delete => 'deletable'
+      }
+
+      @authority_actions = {
+        :index   => 'read',
+        :show    => 'read',
+        :new     => 'create',
+        :create  => 'create',
+        :edit    => 'update',
+        :update  => 'update',
+        :destroy => 'delete'
+      }
+
+      @user_method = :current_user
+
+      @logger = Logger.new(STDERR)
+    end
+
+  end
+end

data/lib/authority/controller.rb

@@ -0,0 +1,44 @@
+module Authority
+  module Controller
+    extend ActiveSupport::Concern
+
+    included do
+      rescue_from Authority::SecurityTransgression, :with => 'forbidden'
+      class_attribute :authority_resource
+      class_attribute :authority_actions
+    end
+
+    module ClassMethods
+      def check_authorization_on(model_class, options = {})
+        self.authority_resource = model_class
+        self.authority_actions  = Authority.configuration.authority_actions.merge(options[:actions] || {}).symbolize_keys
+        before_filter :run_authorization_check, options
+      end
+
+      def authority_action(action_map)
+        self.authority_actions.merge!(action_map).symbolize_keys
+      end
+    end
+
+    protected
+
+    def authority_forbidden(error)
+      Authority.configuration.logger.warn(error.message)
+      render :file => Rails.root.join('public', '403.html'), :status => 403
+    end
+
+    def run_authorization_check
+      check_authorization_for self.class.authority_resource, send(Authority.configuration.user_method)
+    end
+
+    def check_authorization_for(authority_resource, user)
+      authority_action = self.class.authority_actions[action_name.to_sym]
+      if authority_action.nil?
+        raise MissingAction.new("No authority action defined for #{action_name}")
+      end
+      Authority.enforce(authority_action, authority_resource, user)
+    end
+
+    class MissingAction < StandardError ; end
+  end
+end

data/lib/authority/railtie.rb

@@ -0,0 +1,12 @@
+require 'rails'
+
+module Authority
+  class Railtie < ::Rails::Railtie
+
+    initializer "authority.controller" do
+      ApplicationController.send(:include, Authority::Controller)
+    end
+
+  end
+end
+

data/lib/authority/user_abilities.rb

@@ -0,0 +1,13 @@
+module Authority
+  module UserAbilities
+
+    Authority.verbs.each do |verb|
+      class_eval <<-RUBY, __FILE__, __LINE__ + 1
+        def can_#{verb}?(resource)
+          resource.#{Authority.abilities[verb]}_by?(self)
+        end
+      RUBY
+    end
+   
+  end
+end

data/lib/authority/version.rb

@@ -1,3 +1,3 @@
 module Authority
-  VERSION = "0.0.1"
+  VERSION = "0.2.0"
 end

data/lib/generators/authority/install_generator.rb

@@ -0,0 +1,21 @@
+require 'rails/generators/base'
+
+module Authority
+  module Generators
+    class InstallGenerator < Rails::Generators::Base
+
+      source_root File.expand_path("../../templates", __FILE__)
+
+      desc "Creates an Authority initializer for your application." 
+
+      def copy_initializer
+        template "authority.rb", "config/initializers/authority.rb"
+      end
+
+      def copy_forbidden
+        template "403.html", "public/403.html"
+      end
+      
+    end
+  end
+end

data/lib/generators/templates/403.html

@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Forbidden</title>
+  </head>
+  <body>
+    <h1>Access Denied, HUMAN!</h1>
+    <p>No, seriously, you can't do that...</p>
+  </body>
+</html>

data/lib/generators/templates/authority.rb

@@ -0,0 +1,84 @@
+Authority.configure do |config|
+
+  # USER_METHOD
+  # ===========
+  # Authority needs the name of a method, available in any controller, which
+  # will return the currently logged-in user.
+  #
+  # Default is:
+  #
+  # config.user_method = :current_user
+
+  # DEFAULT_STRATEGY
+  # ================
+  # When no class-level method is defined on an Authorizer, a default_strategy
+  # proc will be called to determine what to do.
+  # Depending on your app, you may be able to put all the logic you need here.
+  #
+  # The arguments passed to this proc will be:
+  #
+  # able       - symbol name of class method being called on the Authorizer. 
+  #              Ex: `:deletable_by?` or `:updatable_by?`
+  # authorizer - constant name of authorizer. Ex: `WidgetAuthorizer` or `UserAuthorizer`
+  # user       - user object (whatever that is in your application; found using config.user_method)
+  #
+  # For example:
+  #
+  # config.default_strategy = Proc.new { |able, authorizer, user|
+  #   # Does the user have any roles which give this permission?
+  #   (Permissions.find_by_name_and_authorizer(able, authorizer).roles & user.roles).any?
+  # }
+  #
+  # OR
+  #
+  # config.default_strategy = Proc.new { |able, authorizer, user|
+  #   able != 'implodable_by?' && user.has_hairstyle?('pompadour')
+  # }
+  #
+  # Default strategy simply returns false, as follows:
+  #
+  # config.default_strategy =  Proc.new { |able, authorizer, user| false }
+  
+  # AUTHORITY_ACTIONS
+  # For a given controller method, what verb must a user be able to do?
+  # For example, a user can access 'show' if they 'can_read' the resource.
+  #
+  # Defaults are as follows:
+  #
+  # config.authority_actions = {
+  #   :index   => 'read',
+  #   :show    => 'read',
+  #   :new     => 'create',
+  #   :create  => 'create',
+  #   :edit    => 'update',
+  #   :update  => 'update',
+  #   :destroy => 'delete'
+  # }
+
+  # ABILITIES
+  # Teach Authority how to understand the verbs and adjectives in your system. Perhaps you
+  # need {:microwave => 'microwavable'}. I'm not saying you do, of course. Stop looking at 
+  # me like that.
+  #
+  # Defaults are as follows:
+  #
+  # config.abilities =  {
+  #   :create => 'creatable',
+  #   :read   => 'readable',
+  #   :update => 'updatable',
+  #   :delete => 'deletable'
+  # }
+  
+  # LOGGER
+  # If a user tries to perform an unauthorized action, where should we log that fact?
+  # Provide a logger object which responds to `.warn(message)`
+  #
+  # Default is:
+  #
+  # config.logger = Logger.new(STDERR)
+  #
+  # Suggested setting for a Rails app is:
+  config.logger = Rails.logger
+
+end
+

data/spec/authority/abilities_spec.rb

@@ -1,11 +1,11 @@
 require 'spec_helper'
 require 'support/ability_model'
-require 'support/actor'
+require 'support/user'
 
 describe Authority::Abilities do
 
   before :each do
-    @actor = Actor.new
+    @user = User.new
   end
 
   describe "authorizer" do
@@ -38,7 +38,7 @@ describe Authority::Abilities do
 
   describe "class methods" do
 
-    Authority::ADJECTIVES.each do |adjective|
+    Authority.adjectives.each do |adjective|
       method_name = "#{adjective}_by?"
 
       it "should respond to `#{method_name}`" do
@@ -46,8 +46,8 @@ describe Authority::Abilities do
       end
 
       it "should delegate `#{method_name}` to its authorizer class" do
-        AbilityModel.authorizer.should_receive(method_name).with(@actor)
-        AbilityModel.send(method_name, @actor)
+        AbilityModel.authorizer.should_receive(method_name).with(@user)
+        AbilityModel.send(method_name, @user)
       end
 
     end
@@ -61,7 +61,7 @@ describe Authority::Abilities do
       @authorizer    = AbilityModel.authorizer.new(@ability_model)
     end
 
-    Authority::ADJECTIVES.each do |adjective|
+    Authority.adjectives.each do |adjective|
       method_name = "#{adjective}_by?"
 
       it "should respond to `#{method_name}`" do
@@ -70,17 +70,21 @@ describe Authority::Abilities do
 
       it "should delegate `#{method_name}` to a new authorizer instance" do
         AbilityModel.authorizer.stub(:new).and_return(@authorizer)
-        @authorizer.should_receive(method_name).with(@actor)
-        @ability_model.send(method_name, @actor)
+        @authorizer.should_receive(method_name).with(@user)
+        @ability_model.send(method_name, @user)
       end
 
-      it "should always create a new authorizer instance when checking `#{method_name}`" do
-        2.times do
-          @ability_model.class.authorizer.should_receive(:new).with(@ability_model).and_return(@authorizer)
-          @ability_model.send(method_name, @actor)
-        end
-      end
+    end
+
+    it "should provide an accessor for its authorizer" do
+      @ability_model.should respond_to(:authorizer)
+    end
 
+    # TODO: Nathan will comment more clearly in the future
+    # aka "don't memoize" (to prevent dirty models from contaminating authorization)
+    it "should always create a new authorizer instance when accessing the authorizer" do 
+      @ability_model.class.authorizer.should_receive(:new).with(@ability_model).twice
+      2.times { @ability_model.authorizer }
     end
     
   end

data/spec/authority/authorizer_spec.rb

@@ -1,11 +1,13 @@
 require 'spec_helper'
 require 'support/ability_model'
+require 'support/user'
 
 describe Authority::Authorizer do
 
   before :each do
     @ability_model = AbilityModel.new
-    @authorizer = Authority::Authorizer.new(@ability_model)
+    @authorizer    = @ability_model.authorizer
+    @user         = User.new
   end
 
   it "should take a resource instance in its initializer" do
@@ -14,25 +16,36 @@ describe Authority::Authorizer do
 
   describe "class methods" do
 
-    Authority::ADJECTIVES.each do |adjective|
+    Authority.adjectives.each do |adjective|
       method_name = "#{adjective}_by?"
 
       it "should respond to `#{method_name}`" do
         Authority::Authorizer.should respond_to(method_name)
       end
 
+      it "should run the default authorization strategy block" do
+        able = method_name.sub('_by?', '').to_sym
+        Authority.configuration.default_strategy.should_receive(:call).with(able, Authority::Authorizer, @user)
+        Authority::Authorizer.send(method_name, @user)
+      end
+
     end
 
   end
 
   describe "instance methods" do
 
-    Authority::ADJECTIVES.each do |adjective|
+    Authority.adjectives.each do |adjective|
       method_name = "#{adjective}_by?"
 
       it "should respond to `#{method_name}`" do
         @authorizer.should respond_to(method_name)
       end
+      
+      it "should delegate `#{method_name}` to the corresponding class method by default" do
+        @authorizer.class.should_receive(method_name).with(@user)
+        @authorizer.send(method_name, @user)
+      end
 
     end
 

data/spec/authority/configuration_spec.rb

@@ -0,0 +1,64 @@
+require 'spec_helper'
+
+describe Authority::Configuration do
+  describe "the default configuration" do
+
+    it "should have a default authorization strategy block" do
+      Authority.configuration.default_strategy.should respond_to(:call)
+    end
+
+    it "should return false when calling the default authorization strategy block" do
+      Authority.configuration.default_strategy.call(:action, Authority::Authorizer, User.new).should be_false
+    end
+
+    it "should have a default authority controller actions map" do
+      Authority.configuration.authority_actions.should be_a(Hash)
+    end
+
+    it "should have a default controller method for accessing the user object" do
+      Authority.configuration.user_method.should eq(:current_user)
+    end
+
+    describe "logging security violations" do
+
+      it "should log to standard error by default" do
+        Authority.instance_variable_set :@configuration, nil
+        null = File.exists?('/dev/null') ? '/dev/null' : 'NUL:' # Allow for Windows
+        @logger = Logger.new(null)
+        Logger.should_receive(:new).with(STDERR).and_return(@logger)
+        Authority.configure
+        Authority.configuration.logger
+      end
+
+    end
+
+  end
+
+  describe "customizing the configuration" do
+    before :all do 
+      Authority.instance_variable_set :@configuration, nil
+      Authority.configure do |config|
+        config.abilities[:eat]  = 'edible'
+        config.default_strategy = Proc.new { |able, authorizer, user|
+          true
+        }
+      end
+
+      after :all do
+        Authority.instance_variable_set :@configuration, nil
+        Authority.configure
+      end
+
+      it "should allow customizing the authorization block" do
+        Authority.configuration.default_strategy.call(:action, Authority::Authorizer, User.new).should be_true
+      end
+
+      # This shouldn't be used during runtime, only during configuration
+      # It won't do anything outside of configuration anyway
+      it "should allow adding to the default list of abilities" do
+        Authority.configuration.abilities[:eat].should eq('edible')
+      end
+
+    end
+  end
+end

data/spec/authority/controller_spec.rb

@@ -0,0 +1,95 @@
+require 'spec_helper'
+require 'support/ability_model'
+require 'support/example_controller'
+require 'support/mock_rails'
+require 'support/user'
+
+describe Authority::Controller do
+
+  describe "when including" do
+    it "should specify rescuing security transgressions" do
+      class DummyController < ExampleController ; end
+      DummyController.should_receive(:rescue_from).with(Authority::SecurityTransgression, :with => 'forbidden')
+      DummyController.send(:include, Authority::Controller)
+    end
+  end
+
+  describe "after including" do
+    before :all do
+      ExampleController.send(:include, Authority::Controller)
+    end
+
+    describe "DSL (class) methods" do
+      it "should allow specifying the model to protect" do
+        ExampleController.check_authorization_on AbilityModel
+        ExampleController.authority_resource.should eq(AbilityModel)
+      end
+
+      it "should pass the options provided to the before filter that is set up" do
+        @options = {:only => [:show, :edit, :update]}
+        ExampleController.should_receive(:before_filter).with(:run_authorization_check, @options)
+        ExampleController.check_authorization_on AbilityModel, @options
+      end
+
+      it "should give the controller its own copy of the authority actions map" do
+        ExampleController.check_authorization_on AbilityModel
+        ExampleController.authority_actions.should be_a(Hash)
+        ExampleController.authority_actions.should_not be(Authority.configuration.authority_actions)
+      end
+
+      it "should allow specifying the authority action map in the `check_authorization_on` declaration" do
+        ExampleController.check_authorization_on AbilityModel, :actions => {:eat => 'delete'}
+        ExampleController.authority_actions[:eat].should eq('delete')
+      end
+
+      it "should have a write into the authority actions map usuable in a DSL format" do
+        ExampleController.authority_action :smite => 'delete'
+        ExampleController.authority_actions[:smite].should eq('delete')
+      end
+    end
+
+    describe "instance methods" do
+      before :each do 
+        @user       = User.new
+        @controller = ExampleController.new
+        @controller.stub!(:action_name).and_return(:edit)
+        @controller.stub!(Authority.configuration.user_method).and_return(@user)
+      end
+
+      it "should check authorization on the model specified" do
+        @controller.should_receive(:check_authorization_for).with(AbilityModel, @user)
+        @controller.send(:run_authorization_check)
+      end
+
+      it "should raise a SecurityTransgression if authorization fails" do
+        expect { @controller.send(:run_authorization_check) }.to raise_error(Authority::SecurityTransgression)
+      end
+
+      it "should raise a MissingAction if there is no corresponding action for the controller" do
+        @controller.stub(:action_name).and_return('sculpt')
+        expect { @controller.send(:run_authorization_check) }.to raise_error(Authority::Controller::MissingAction)
+      end
+
+      describe "authority_forbidden action" do
+
+        before :each do
+          @mock_error = mock(:message => 'oh noes! an error!')
+        end
+
+        it "should log an error" do
+          Authority.configuration.logger.should_receive(:warn)
+          @controller.stub(:render)
+          @controller.send(:authority_forbidden, @mock_error)
+        end
+
+        it "should render the public/403.html file" do
+          forbidden_page = Rails.root.join('public/403.html')
+          @controller.should_receive(:render).with(:file => forbidden_page, :status => 403)
+          @controller.send(:authority_forbidden, @mock_error)
+        end
+      end
+    end
+  end
+
+end
+

data/spec/authority/user_abilities_spec.rb

@@ -0,0 +1,25 @@
+require 'spec_helper'
+require 'support/ability_model'
+require 'support/user'
+
+describe Authority::UserAbilities do
+
+  before :each do
+    @ability_model = AbilityModel.new
+    @user          = User.new
+  end
+
+  Authority.verbs.each do |verb|
+    method_name = "can_#{verb}?"
+
+    it "should define the `#{method_name}` method" do
+      @user.should respond_to(method_name)
+    end
+
+    it "should delegate the authorization check to the resource provided" do
+      @ability_model.should_receive("#{Authority.abilities[verb]}_by?").with(@user)
+      @user.send(method_name, @ability_model)
+    end
+  end
+
+end

data/spec/authority_spec.rb

@@ -1,7 +1,55 @@
 require 'spec_helper'
+require 'support/ability_model'
+require 'support/user'
 
 describe Authority do
-  it "should have a constant of abilities" do
-    Authority::ADJECTIVES.should be_an(Array)
+
+  it "should have a default list of abilities" do
+    Authority.abilities.should be_a(Hash)
+  end
+
+  it "should not allow modification of the Authority.abilities hash directly" do
+    expect { Authority.abilities[:exchange] = 'fungible' }.to raise_error(RuntimeError, "can't modify frozen Hash")
+  end
+
+  it "should have a convenience accessor for the ability verbs" do
+    Authority.verbs.sort.should eq([:create, :delete, :read, :update])
   end
+
+  it "should have a convenience accessor for the ability adjectives" do
+    Authority.adjectives.sort.should eq(%w[creatable deletable readable updatable])
+  end
+
+  describe "configuring Authority" do
+
+    it "should have a configuration accessor" do
+      Authority.should respond_to(:configuration)
+    end
+
+    it "should have a `configure` method" do
+      Authority.should respond_to(:configure)
+    end
+
+    it "should require the remainder of library internals after configuration" do
+      Authority.should_receive(:require_authority_internals!)
+      Authority.configure
+    end
+  end
+
+  describe "enforcement" do
+
+    before :each do
+      @user = User.new
+    end
+
+    it "should raise a SecurityTransgression if the action is unauthorized" do
+      expect { Authority.enforce(:update, AbilityModel, @user) }.to raise_error(Authority::SecurityTransgression)
+    end
+
+    it "should not raise a SecurityTransgression if the action is authorized" do
+      expect { Authority.enforce(:read, AbilityModel, @user) }.not_to raise_error(Authority::SecurityTransgression)
+    end
+
+  end
+
 end

data/spec/spec_helper.rb

@@ -2,6 +2,8 @@ $LOAD_PATH.unshift File.expand_path('../../lib', __FILE__)
 require 'rspec'
 require 'authority'
 
+Authority.configure
+
 RSpec.configure do |config|
   config.mock_with :rspec
 end

data/spec/support/ability_model.rb

@@ -3,4 +3,7 @@ class AbilityModel
 end
 
 class AbilityModelAuthorizer < Authority::Authorizer
+  def self.readable_by?(user)
+    true
+  end
 end

data/spec/support/example_controller.rb

@@ -0,0 +1,5 @@
+class ExampleController
+  def self.rescue_from(*args) ; end
+
+  def self.before_filter(*args) ; end
+end

data/spec/support/mock_rails.rb

@@ -0,0 +1,7 @@
+require 'pathname'
+
+module Rails
+  def self.root
+    Pathname.new('.')
+  end
+end

data/spec/support/user.rb

@@ -0,0 +1,3 @@
+class User
+  include Authority::UserAbilities
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: authority
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.2.0
   prerelease: 
 platform: ruby
 authors:
@@ -10,11 +10,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-03-12 00:00:00.000000000 Z
+date: 2012-03-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
-  requirement: &2152357800 !ruby/object:Gem::Requirement
+  requirement: &2152320300 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -22,10 +22,10 @@ dependencies:
         version: 3.0.0
   type: :runtime
   prerelease: false
-  version_requirements: *2152357800
+  version_requirements: *2152320300
 - !ruby/object:Gem::Dependency
   name: bundler
-  requirement: &2152357040 !ruby/object:Gem::Requirement
+  requirement: &2152319760 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -33,7 +33,7 @@ dependencies:
         version: 1.0.0
   type: :development
   prerelease: false
-  version_requirements: *2152357040
+  version_requirements: *2152319760
 description: Gem for managing authorization on model actions in Rails
 email:
 - nathanmlong@gmail.com
@@ -52,13 +52,25 @@ files:
 - lib/authority.rb
 - lib/authority/abilities.rb
 - lib/authority/authorizer.rb
+- lib/authority/configuration.rb
+- lib/authority/controller.rb
+- lib/authority/railtie.rb
+- lib/authority/user_abilities.rb
 - lib/authority/version.rb
+- lib/generators/authority/install_generator.rb
+- lib/generators/templates/403.html
+- lib/generators/templates/authority.rb
 - spec/authority/abilities_spec.rb
 - spec/authority/authorizer_spec.rb
+- spec/authority/configuration_spec.rb
+- spec/authority/controller_spec.rb
+- spec/authority/user_abilities_spec.rb
 - spec/authority_spec.rb
 - spec/spec_helper.rb
 - spec/support/ability_model.rb
-- spec/support/actor.rb
+- spec/support/example_controller.rb
+- spec/support/mock_rails.rb
+- spec/support/user.rb
 homepage: https://github.com/nathanl/authority
 licenses: []
 post_install_message: 
@@ -87,7 +99,12 @@ summary: Authority gives you a clean and easy way to say, in your Rails app, **w
 test_files:
 - spec/authority/abilities_spec.rb
 - spec/authority/authorizer_spec.rb
+- spec/authority/configuration_spec.rb
+- spec/authority/controller_spec.rb
+- spec/authority/user_abilities_spec.rb
 - spec/authority_spec.rb
 - spec/spec_helper.rb
 - spec/support/ability_model.rb
-- spec/support/actor.rb
+- spec/support/example_controller.rb
+- spec/support/mock_rails.rb
+- spec/support/user.rb

data/spec/support/actor.rb

@@ -1,17 +0,0 @@
-class Actor
-  def can_create?(resource)
-    resource.creatable_by?(self)
-  end
-
-  def can_read?(resource)
-    resource.readable_by?(self)
-  end
-
-  def can_update?(resource)
-    resource.updatable_by?(self)
-  end
-
-  def can_delete?(resource)
-    resource.deletable_by?(self)
-  end
-end