authority 1.0.0 → 1.1.0

data/CHANGELOG.markdown

@@ -2,6 +2,10 @@
 
 This is mainly to document major new features and backwards-incompatible changes.
 
+## Unreleased
+
+- Added `Authority::Authorizer.default` class method which is called before the `default_strategy` proc and delegates to that proc. This can be overridden per authorizer.
+
 ## v1.0.0
 
 - Added `config.security_violation_handler` so users can specify which controller method to use when rescuing `SecurityViolation`s

data/README.markdown

@@ -57,9 +57,7 @@ Authority encapsulates all authorization logic in `Authorizer` classes. Want to
 You can group models under authorizers in any way you wish. For example:
 
 
-        +-------------+              +--------------+                               +-------------+
-        |Simplest case|              |Logical groups|                               |Most granular|
-        +-------------+              +--------------+                               +-------------+
+         Simplest case                Logical groups                                 Most granular 
 
         default_strategy              default_strategy                              default_strategy
                +                             +                                             +
@@ -123,7 +121,7 @@ This option determines what methods are added to your users, models and authoriz
 # Whatever class represents a logged-in user in your app
 class User 
   # Adds `can_create?(resource)`, etc
-  include Authority::Abilities
+  include Authority::UserAbilities
 ...
 end
 ```
@@ -152,7 +150,8 @@ These are where your actual authorization logic goes. Here's how it works:
 - Instance methods answer questions about model instances, like "can this user update this **particular** widget?" (Within an instance method, you can get the model instance with `resource`).
   - Any instance method you don't define (for example, if you didn't make a `def deletable_by?(user)`) will fall back to the corresponding class method. In other words, if you haven't said whether a user can update **this particular** widget, we'll decide by checking whether they can update **any** widget.
 - Class methods answer questions about model classes, like "is it **ever** permissible for this user to update a Widget?"
-  - Any class method you don't define (for example, if you didn't make a `def self.updatable_by?(user)`) will fall back to your configurable [default strategy](#default_strategies).
+  - Any class method you don't define (for example, if you didn't make a `def self.updatable_by?(user)`) will call that authorizer's `default` method.
+  - The inherited `default` method calls a [default strategy](#default_strategies) proc (**NOTE**: this will be removed in version 2.0).
 
 For example:
 
@@ -176,12 +175,15 @@ As you can see, you can specify different logic for every method on every model,
 <a name="default_strategies">
 #### Default Strategies
 
-Any class method you don't define on an authorizer will use your default strategy. The **default** default strategy simply returns `false`, meaning that everything is forbidden. This whitelisting approach will keep you from accidentally allowing things you didn't intend. 
+Any class method you don't define on an authorizer will call the `default` method on that authorizer. If you don't define **that**, the inherited `default` method from `Authority::Authorizer` will call your configured default strategy proc (**NOTE:** this proc will be removed in version 2.0; defining a `default` method is a more standard OOP approach.)
+
+The **default** default strategy proc simply returns `false`, meaning that everything is forbidden. This whitelisting approach will keep you from accidentally allowing things you didn't intend. 
 
 You can configure a different default strategy. For example, you might want one that looks up permissions in your database:
 
 ```ruby
 # In config/initializers/authority.rb
+# Example args: :creatable, AdminAuthorizer, user
 config.default_strategy = Proc.new do |able, authorizer, user|
   # Does the user have any of the roles which give this permission?
   (roles_which_grant(able, authorizer) & user.roles).any?

data/TODO.markdown

@@ -11,3 +11,4 @@
 ## Features
 
 - It would be nice to have an `authorized_link_to` method, which determines from the given path and the user's permissions whether to show the link. Not sure yet how hard this would be.
+- **Breaking change**: on installation, generate empty `ApplicationAuthorizer < Authority::Authorizer`. Any model which doesn't specify its authorizer would assume `ApplicationAuthorizer` instead of `[Modelname]Authorizer`; this way, users start out with a centralized authorizer scheme instead of with the assumption that every model needs its own. This also fits the pattern of Rails controllers.

data/lib/authority/abilities.rb

@@ -3,7 +3,7 @@ module Authority
   # Should be included into all models in a Rails app. Provides the model
   # with both class and instance methods like `updatable_by?(user)`
   # Exactly which methods get defined is determined from `config.abilities`;
-  # the module is evaluated after any user-supplied config block is run 
+  # the module is evaluated after any user-supplied config block is run
   # in order to make that possible.
   # All delegate to the methods of the same name on the model's authorizer.
 
@@ -30,7 +30,7 @@ module Authority
 
       def authorizer
         @authorizer ||= authorizer_name.constantize # Get an actual reference to the authorizer class
-      rescue NameError => e
+      rescue NameError
         raise Authority::NoAuthorizerError.new("#{authorizer_name} does not exist in your application")
       end
     end

data/lib/authority/authorizer.rb

@@ -5,7 +5,7 @@ module Authority
     # descend. Provides the authorizer with both class and instance methods
     # like `updatable_by?(user)`.
     # Exactly which methods get defined is determined from `config.abilities`;
-    # the class is evaluated after any user-supplied config block is run 
+    # the class is evaluated after any user-supplied config block is run
     # in order to make that possible.
 
     attr_reader :resource
@@ -27,12 +27,16 @@ module Authority
     Authority.adjectives.each do |adjective|
       class_eval <<-RUBY, __FILE__, __LINE__ + 1
         def self.#{adjective}_by?(user)
-          Authority.configuration.default_strategy.call(:#{adjective}, self, user)
+          default(:#{adjective}, user)
         end
       RUBY
     end
 
+    def self.default(adjective, user)
+      Authority.configuration.default_strategy.call(adjective, self, user)
+    end
+
   end
 
-  class NoAuthorizerError < StandardError ; end ;
+  class NoAuthorizerError < StandardError ; end
 end

data/lib/authority/configuration.rb

@@ -9,7 +9,7 @@ module Authority
       @default_strategy = Proc.new do |able, authorizer, user|
         false
       end
-      
+
 
       @abilities = {
         :create => 'creatable',

data/lib/authority/controller.rb

@@ -52,7 +52,7 @@ module Authority
 
     # Renders a static file to minimize the chances of further errors.
     #
-    # @param [Exception] error, an error that indicates the user tried to perform a forbidden action. 
+    # @param [Exception] error, an error that indicates the user tried to perform a forbidden action.
     def authority_forbidden(error)
       Authority.configuration.logger.warn(error.message)
       render :file => Rails.root.join('public', '403.html'), :status => 403, :layout => false

data/lib/authority/railtie.rb

@@ -11,4 +11,3 @@ module Authority
 
   end
 end
-

data/lib/authority/user_abilities.rb

@@ -4,7 +4,7 @@ module Authority
     # Should be included into whatever class represents users in an app.
     # Provides methods like `can_update?(resource)`
     # Exactly which methods get defined is determined from `config.abilities`;
-    # the module is evaluated after any user-supplied config block is run 
+    # the module is evaluated after any user-supplied config block is run
     # in order to make that possible.
     # All delegate to corresponding methods on the resource.
 
@@ -15,6 +15,6 @@ module Authority
         end
       RUBY
     end
-   
+
   end
 end

data/lib/authority/version.rb

@@ -1,3 +1,3 @@
 module Authority
-  VERSION = "1.0.0"
+  VERSION = "1.1.0"
 end

data/spec/authority/abilities_spec.rb

@@ -87,11 +87,11 @@ describe Authority::Abilities do
 
     # TODO: Nathan will comment more clearly in the future
     # aka "don't memoize" (to prevent dirty models from contaminating authorization)
-    it "should always create a new authorizer instance when accessing the authorizer" do 
+    it "should always create a new authorizer instance when accessing the authorizer" do
       @ability_model.class.authorizer.should_receive(:new).with(@ability_model).twice
       2.times { @ability_model.authorizer }
     end
-    
+
   end
 
 end

data/spec/authority/authorizer_spec.rb

@@ -7,49 +7,59 @@ describe Authority::Authorizer do
   before :each do
     @ability_model = AbilityModel.new
     @authorizer    = @ability_model.authorizer
-    @user         = User.new
+    @user          = User.new
   end
 
   it "should take a resource instance in its initializer" do
     @authorizer.resource.should eq(@ability_model)
   end
 
-  describe "class methods" do
+  describe "instance methods" do
 
     Authority.adjectives.each do |adjective|
       method_name = "#{adjective}_by?"
 
       it "should respond to `#{method_name}`" do
-        Authority::Authorizer.should respond_to(method_name)
+        @authorizer.should respond_to(method_name)
       end
 
-      it "should run the default authorization strategy block" do
-        able = method_name.sub('_by?', '').to_sym
-        Authority.configuration.default_strategy.should_receive(:call).with(able, Authority::Authorizer, @user)
-        Authority::Authorizer.send(method_name, @user)
+      it "should delegate `#{method_name}` to the corresponding class method by default" do
+        @authorizer.class.should_receive(method_name).with(@user)
+        @authorizer.send(method_name, @user)
       end
 
     end
 
   end
 
-  describe "instance methods" do
+  describe "class methods" do
 
     Authority.adjectives.each do |adjective|
       method_name = "#{adjective}_by?"
 
       it "should respond to `#{method_name}`" do
-        @authorizer.should respond_to(method_name)
+        Authority::Authorizer.should respond_to(method_name)
       end
-      
-      it "should delegate `#{method_name}` to the corresponding class method by default" do
-        @authorizer.class.should_receive(method_name).with(@user)
-        @authorizer.send(method_name, @user)
+
+      it "should delegate `#{method_name}` to the authorizer's `default` method by default" do
+        able = method_name.sub('_by?', '').to_sym
+        Authority::Authorizer.should_receive(:default).with(able, @user)
+        Authority::Authorizer.send(method_name, @user)
       end
 
     end
 
   end
 
-end
+  describe "the default method" do
+
+    it "should call the configured `default_strategy` proc by default" do
+      Authority.configuration.default_strategy.should_receive(:call).with(
+        :implodable, Authority::Authorizer, @user
+      )
+      Authority::Authorizer.default(:implodable, @user)
+    end
 
+  end
+
+end

data/spec/authority/configuration_spec.rb

@@ -35,7 +35,7 @@ describe Authority::Configuration do
   end
 
   describe "customizing the configuration" do
-    before :all do 
+    before :all do
       Authority.instance_variable_set :@configuration, nil
       Authority.configure do |config|
         config.abilities[:eat]  = 'edible'

data/spec/authority/controller_spec.rb

@@ -13,9 +13,9 @@ describe Authority::Controller do
       # Here be dragons!
       @fake_exception = Exception.new
       @sample_controller = SampleController.new
-      # If a callback is passed to a controller's `rescue_from` method as the value for 
+      # If a callback is passed to a controller's `rescue_from` method as the value for
       # the `with` option (like `SomeController.rescue_from FooException, :with => some_callback`),
-      # Rails will use ActiveSupport's `Proc#bind` to ensure that when the proc refers to 
+      # Rails will use ActiveSupport's `Proc#bind` to ensure that when the proc refers to
       # `self`, it will be the controller, not the proc itself.
       # I need this callback's `self` to be the controller for the purposes of
       # this test, so I'm stealing that behavior.
@@ -56,7 +56,7 @@ describe Authority::Controller do
           ExampleController.authority_action_map[:erase].should be_nil
         end
       end
-      
+
     end
 
     describe "DSL (class) methods" do
@@ -83,7 +83,7 @@ describe Authority::Controller do
     end
 
     describe "instance methods" do
-      before :each do 
+      before :each do
         @user       = User.new
         @controller = ExampleController.new
         @controller.stub!(:action_name).and_return(:edit)
@@ -138,4 +138,3 @@ describe Authority::Controller do
   end
 
 end
-

data/spec/support/example_controllers.rb

@@ -20,4 +20,3 @@ end
 class SampleController
   extend MockController
 end
-

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: authority
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.0
   prerelease: 
 platform: ruby
 authors:
@@ -10,11 +10,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-04-17 00:00:00.000000000 Z
+date: 2012-04-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
-  requirement: &82923350 !ruby/object:Gem::Requirement
+  requirement: &75302770 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -22,10 +22,10 @@ dependencies:
         version: 3.0.0
   type: :runtime
   prerelease: false
-  version_requirements: *82923350
+  version_requirements: *75302770
 - !ruby/object:Gem::Dependency
   name: bundler
-  requirement: &82923030 !ruby/object:Gem::Requirement
+  requirement: &75302460 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -33,7 +33,7 @@ dependencies:
         version: 1.0.0
   type: :development
   prerelease: false
-  version_requirements: *82923030
+  version_requirements: *75302460
 description: Authority helps you authorize actions in your Rails app. It's ORM-neutral
   and has very little fancy syntax; just group your models under one or more Authorizer
   classes and write plain Ruby methods on them.