authority 1.1.0 → 2.0.0

data/.gitignore

@@ -15,3 +15,5 @@ spec/reports
 test/tmp
 test/version_tmp
 tmp
+*.swp
+*.swo

data/.travis.yml

@@ -7,4 +7,9 @@ rvm:
   - jruby-19mode # JRuby in 1.9 mode
   - rbx-18mode
   - rbx-19mode
-script: rspec spec
+
+gemfile:
+  - gemfiles/3.0.gemfile
+  - gemfiles/3.1.gemfile
+  - gemfiles/3.2.gemfile
+  - Gemfile

data/CHANGELOG.markdown

@@ -2,7 +2,12 @@
 
 This is mainly to document major new features and backwards-incompatible changes.
 
-## Unreleased
+## v2.0.0
+
+- **Breaking change**: models now assume their authorizer is `ApplicationAuthorizer` unless told otherwise. Generator creates a blank `ApplicationAuthorizer`. This, combined with the change in v1.1.0, makes the `default_strategy` proc obsolete in favor of straightforward inheritance of a `default` method, so support for `config.default_strategy` is removed.
+- Added accessors to `Authority::SecurityViolation` for user, action and resource, for use in custom security violation handlers.
+
+## v1.1.0
 
 - Added `Authority::Authorizer.default` class method which is called before the `default_strategy` proc and delegates to that proc. This can be overridden per authorizer.
 

data/README.markdown

@@ -2,11 +2,12 @@
 
 Authority helps you authorize actions in your Rails app. It's **ORM-neutral** and has very little fancy syntax; just group your models under one or more Authorizer classes and write plain Ruby methods on them.
 
-Authority will work fine with a standalone app or a single sign-on system. You can check roles in a database or permissions in a YAML file. It doesn't care! What it **does** do is give you an easy way to organize your logic, define a default strategy, and handle unauthorized actions.
+Authority will work fine with a standalone app or a single sign-on system. You can check roles in a database or permissions in a YAML file. It doesn't care! What it **does** do is give you an easy way to organize your logic and handle unauthorized actions.
 
 It requires that you already have some kind of user object in your application, accessible from all controllers and views via a method like `current_user` (configurable).
 
 [![Build Status](https://secure.travis-ci.org/nathanl/authority.png)](http://travis-ci.org/nathanl/authority)
+[![Dependency Status](https://gemnasium.com/nathanl/authority.png)](https://gemnasium.com/nathanl/authority)
 
 ## Contents
 
@@ -21,9 +22,8 @@ It requires that you already have some kind of user object in your application,
     <li><a href="#models">Models</a></li>
     <li><a href="#authorizers">Authorizers</a>
     <ul>
-      <li><a href="#default_strategies">Default strategies</a></li>
+      <li><a href="#default_methods">Default methods</a></li>
       <li><a href="#testing_authorizers">Testing Authorizers</a></li>
-      <li><a href="#custom_authorizers">Custom Authorizers</a></li>
     </ul></li>
     <li><a href="#controllers">Controllers</a></li>
     <li><a href="#views">Views</a></li>
@@ -54,37 +54,42 @@ The goals of Authority are:
 
 Authority encapsulates all authorization logic in `Authorizer` classes. Want to do something with a model? **Ask its authorizer**.
 
-You can group models under authorizers in any way you wish. For example:
+Models that have the same authorization rules should use the same authorizer. In other words, if you would write the exact same methods on two models to determine who can create them, who can edit them, etc, then they should use the same authorizer.
 
+Every model starts out assuming that its authorizer is `ApplicationAuthorizer`, but you can specify another one using the model's `authorizer_name=` method. Authorizers are just classes, so you can use any inheritance pattern you like.
+
+Some example groupings:
 
          Simplest case                Logical groups                                 Most granular 
 
-        default_strategy              default_strategy                              default_strategy
+      ApplicationAuthorizer        ApplicationAuthorizer                         ApplicationAuthorizer
                +                             +                                             +
                |                    +--------+-------+                 +-------------------+-------------------+
-               +                    +                +                 +                   +                   +
-       EverythingAuthorizer  BasicAuthorizer   AdminAuthorizer  CommentAuthorizer  ArticleAuthorizer  EditionAuthorizer
-               +                    +                +                 +                   +                   +
+               |                    +                +                 +                   +                   +
+               |             BasicAuthorizer   AdminAuthorizer  CommentAuthorizer  ArticleAuthorizer  EditionAuthorizer
+               |                    +                +                 +                   +                   +
        +-------+-------+            +-+       +------+                 |                   |                   |
        +       +       +              +       +      +                 +                   +                   +
     Comment Article Edition        Comment Article Edition          Comment             Article             Edition
 
+The authorization process generally flows like this:
 
-The process generally flows like this:
-
-                   current_user.can_create?(Moose)                   # You ask this question, and the user
+                   current_user.can_create?(Article)                 # You ask this question, and the user
                                +                                     # automatically asks the model...
                                |
                                v
-                   Moose.creatable_by?(current_user)                 # The model automatically asks
+                 Article.creatable_by?(current_user)                 # The model automatically asks
                                +                                     # its authorizer...
                                |
                                v
-               MooseAuthorizer.creatable_by?(current_user)           # *You define this method.*
-                               +                                     # If it's missing, the default
-                               |                                     # strategy is used...
+               AdminAuthorizer.creatable_by?(current_user)           # *You define this method.*
+                               +                                     # If you don't, the inherited one
+                               |                                     # calls `default`...
                                v
-    config.default_strategy.call(:creatable, MooseAuthorizer, user)  # *You define this strategy.*
+        AdminAuthorizer.default(:creatable, current_user)            # *You define this method.* 
+                                                                     # If you don't, the one inherited 
+                                                                     # from Authority::Authorizer just 
+                                                                     # returns false.
 
 If the answer is `false` and the original caller was a controller, this is treated as a `SecurityViolation`. If it was a view, maybe you just don't show a link.
 
@@ -109,7 +114,7 @@ config.abilities =  {
 }
 ```
 
-This option determines what methods are added to your users, models and authorizers. If you need to ask `user.can_deactivate?(Satellite)` and `@satellite.deactivatable_by?(user)`, add those to the hash.
+This option determines what methods are added to your users, models and authorizers. If you need to ask `user.can_deactivate?(Satellite)` and `@satellite.deactivatable_by?(user)`, add `:deactivate => 'deactivatable'` to the hash.
 
 <a name="wiring_it_together">
 ## Wiring It Together
@@ -134,7 +139,7 @@ class Article
   # Adds `creatable_by?(user)`, etc
   include Authority::Abilities
 
-  # Without this, 'ArticleAuthorizer' is assumed
+  # Without this, 'ApplicationAuthorizer' is assumed
   self.authorizer_name = 'AdminAuthorizer'
   ...
 end
@@ -143,7 +148,7 @@ end
 <a name="authorizers">
 ### Authorizers
 
-Add your authorizers under `app/authorizers`, subclassing `Authority::Authorizer`.
+Add your authorizers under `app/authorizers`, subclassing the generated `ApplicationAuthorizer`.
 
 These are where your actual authorization logic goes. Here's how it works:
 
@@ -151,13 +156,12 @@ These are where your actual authorization logic goes. Here's how it works:
   - Any instance method you don't define (for example, if you didn't make a `def deletable_by?(user)`) will fall back to the corresponding class method. In other words, if you haven't said whether a user can update **this particular** widget, we'll decide by checking whether they can update **any** widget.
 - Class methods answer questions about model classes, like "is it **ever** permissible for this user to update a Widget?"
   - Any class method you don't define (for example, if you didn't make a `def self.updatable_by?(user)`) will call that authorizer's `default` method.
-  - The inherited `default` method calls a [default strategy](#default_strategies) proc (**NOTE**: this will be removed in version 2.0).
 
 For example:
 
 ```ruby
 # app/authorizers/schedule_authorizer.rb
-class ScheduleAuthorizer < Authority::Authorizer
+class ScheduleAuthorizer < ApplicationAuthorizer
   # Class method: can this user at least sometimes create a Schedule?
   def self.creatable_by?(user)
     user.manager?
@@ -168,29 +172,44 @@ class ScheduleAuthorizer < Authority::Authorizer
     resource.in_future? && user.manager? && resource.department == user.department
   end
 end
-```
 
-As you can see, you can specify different logic for every method on every model, if necessary. On the other extreme, you could simply supply a [default strategy](#default_strategies) that covers all your use cases.
+# undefined; calls `ScheduleAuthorizer.default(:updatable, user)`
+ScheduleAuthorizer.updatable_by?(user) 
+```
 
-<a name="default_strategies">
-#### Default Strategies
+As you can see, you can specify different logic for every method on every model, if necessary. On the other extreme, you could simply supply a [default method](#default_methods) that covers all your use cases.
 
-Any class method you don't define on an authorizer will call the `default` method on that authorizer. If you don't define **that**, the inherited `default` method from `Authority::Authorizer` will call your configured default strategy proc (**NOTE:** this proc will be removed in version 2.0; defining a `default` method is a more standard OOP approach.)
+<a name="default_methods">
+#### Default Methods
 
-The **default** default strategy proc simply returns `false`, meaning that everything is forbidden. This whitelisting approach will keep you from accidentally allowing things you didn't intend. 
+Any class method you don't define on an authorizer will call the `default` method on that authorizer. This method is defined on `Authority::Authorizer` to simply return false. This is a 'whitelisting' approach; any permission you haven't specified (which falls back to the default method) is considered forbidden.
 
-You can configure a different default strategy. For example, you might want one that looks up permissions in your database:
+You can override this method in your `ApplicationAuthorizer` and/or per authorizer. For example, you might want one that looks up the user's roles and correlates them with permissions:
 
 ```ruby
-# In config/initializers/authority.rb
-# Example args: :creatable, AdminAuthorizer, user
-config.default_strategy = Proc.new do |able, authorizer, user|
-  # Does the user have any of the roles which give this permission?
-  (roles_which_grant(able, authorizer) & user.roles).any?
+# app/authorizers/application_authorizer.rb
+class ApplicationAuthorizer < Authority::Authorizer
+
+  # Example call: `default(:creatable, current_user)`
+  def self.default(able, user)
+    has_role_granting?(user, able) || user.admin?
+  end
+  
+  protected
+
+  def has_role_granting(user, able)
+    # Does the user have any of the roles which give this permission?
+    (roles_which_grant(able) & user.roles).any?
+  end
+
+  def roles_which_grant(able)
+    # Look up roles for the current authorizer and `able`
+    ...
+  end
 end
 ```
 
-If your system is uniform enough, **this strategy alone might handle all the logic you need**.
+If your system is uniform enough, **this method alone might handle all the logic you need**.
 
 <a name="testing_authorizers">
 #### Testing Authorizers
@@ -223,40 +242,19 @@ describe AdminAuthorizer do
       @admin_resource_instance = mock_admin_resource
     end
 
-    it "should not allow users to delete" do
-      @admin_resource_instance.authorizer.should_not be_deletable_by(@user)
+    it "should let admins delete" do
+      @admin_resource_instance.authorizer.should be_deletable_by(@admin)
     end
 
-  end
-
-end
-```
-
-<a name="custom_authorizers">
-#### Custom Authorizers
-
-If you want to customize your authorizers even further - for example, maybe you want them all to have a method like `has_permission?(user, permission_name)` - just use normal Ruby inheritance. For example, add your own parent class, like this:
-
-```ruby
-# lib/my_app/authorizer.rb
-module MyApp
-  class Authorizer < Authority::Authorizer
-  
-    def self.has_permission(user, permission_name)
-      # look that up somewhere
+    it "should not let users delete" do
+      @admin_resource_instance.authorizer.should_not be_deletable_by(@user)
     end
 
   end
-end
 
-#app/authorizers/badger_authorizer.rb
-class BadgerAuthorizer < MyApp::Authorizer
-  # contents
 end
 ```
 
-If you decide to place your custom class in `lib` as shown above (as opposed to putting it in `app`), you should require it at the bottom of `config/initializers/authority.rb`.
-
 <a name="controllers">
 ### Controllers
 
@@ -271,10 +269,10 @@ The relationship between controller actions and abilities - like checking `reada
 class LlamaController < ApplicationController
 
   # Check class-level authorizations before all actions except :create
-  # Before this controller's 'neuter' action, ask whether current_user.can_update?(Llama)
-  authorize_actions_for Llama, :actions => {:neuter => :update}, :except => :create
+  # Also, to authorize this controller's 'neuter' action, ask whether `current_user.can_update?(Llama)`
+  authorize_actions_for Llama, :except => :create, :actions => {:neuter => :update},
   
-  # Before this controller's 'breed' action, ask whether current_user.can_create?(Llama)
+  # To authorize this controller's 'breed' action, ask whether `current_user.can_create?(Llama)`
   authority_action :breed => 'new'
 
   ...
@@ -309,14 +307,15 @@ Anytime a user attempts an unauthorized action, Authority calls whatever control
 - Renders `public/403.html`
 - Logs the violation to whatever logger you configured.
 
-You can specify a different handler like so:
+You can specify a different handler like this:
 
 ```ruby
 # config/initializers/authority.rb
-...
 config.security_violation_handler = :fire_ze_missiles
-...
+```
+Then define the method on your controller:
 
+```ruby
 # app/controllers/application_controller.rb
 class ApplicationController < ActionController::Base
 

data/Rakefile

@@ -1,2 +1,7 @@
 #!/usr/bin/env rake
 require "bundler/gem_tasks"
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task "default" => "spec"

data/TODO.markdown

@@ -1,8 +1,9 @@
 # TODO
 
-## Chores
+## Tests
 
 - Add tests for the generators
+- Test `ActionController` integration
 
 ## Documentation
 
@@ -11,4 +12,3 @@
 ## Features
 
 - It would be nice to have an `authorized_link_to` method, which determines from the given path and the user's permissions whether to show the link. Not sure yet how hard this would be.
-- **Breaking change**: on installation, generate empty `ApplicationAuthorizer < Authority::Authorizer`. Any model which doesn't specify its authorizer would assume `ApplicationAuthorizer` instead of `[Modelname]Authorizer`; this way, users start out with a centralized authorizer scheme instead of with the assumption that every model needs its own. This also fits the pattern of Rails controllers.

data/authority.gemspec

@@ -9,7 +9,6 @@ Gem::Specification.new do |gem|
   gem.homepage      = "https://github.com/nathanl/authority"
 
   gem.add_dependency "rails", ">= 3.0.0"
-  gem.add_development_dependency "bundler", ">= 1.0.0"
 
   gem.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
   gem.files         = `git ls-files`.split("\n")

data/gemfiles/3.0.gemfile

@@ -0,0 +1,6 @@
+source "http://rubygems.org"
+
+gem "rails", "~> 3.0.12"
+gem 'rspec', '>= 2.8.0'
+
+gemspec :path=>"../"

data/gemfiles/3.1.gemfile

@@ -0,0 +1,6 @@
+source "http://rubygems.org"
+
+gem "rails", "~> 3.1.4"
+gem 'rspec', '>= 2.8.0'
+
+gemspec :path=>"../"

data/gemfiles/3.2.gemfile

@@ -0,0 +1,6 @@
+source "http://rubygems.org"
+
+gem "rails", "~> 3.2.3"
+gem 'rspec', '>= 2.8.0'
+
+gemspec :path=>"../"

data/lib/authority.rb

@@ -57,6 +57,8 @@ module Authority
   end
 
   class SecurityViolation < StandardError
+    attr_reader :user, :action, :resource
+
     def initialize(user, action, resource)
       @user = user
       @action = action
@@ -74,4 +76,3 @@ require 'authority/configuration'
 require 'authority/controller'
 require 'authority/railtie' if defined?(Rails)
 require 'authority/version'
-

data/lib/authority/abilities.rb

@@ -10,11 +10,10 @@ module Authority
   module Abilities
     extend ActiveSupport::Concern
 
-    # Let the Foo model know that its authorizer is called 'FooAuthorizer'
-    # (but let the user change that)
+    # Assume authorizer is `ApplicationAuthorizer` (but let the user change that)
     included do
       class_attribute :authorizer_name
-      self.authorizer_name = "#{name}Authorizer"
+      self.authorizer_name = "ApplicationAuthorizer"
     end
 
     module ClassMethods

data/lib/authority/authorizer.rb

@@ -23,7 +23,7 @@ module Authority
       RUBY
     end
 
-    # Each class method simply calls the user-definable default strategy
+    # Each class method simply calls the `default` method
     Authority.adjectives.each do |adjective|
       class_eval <<-RUBY, __FILE__, __LINE__ + 1
         def self.#{adjective}_by?(user)
@@ -32,8 +32,9 @@ module Authority
       RUBY
     end
 
+    # Whitelisting approach: anything not specified will be forbidden
     def self.default(adjective, user)
-      Authority.configuration.default_strategy.call(adjective, self, user)
+      false
     end
 
   end

data/lib/authority/configuration.rb

@@ -3,13 +3,9 @@ module Authority
 
     # Has default settings, overrideable in the initializer.
 
-    attr_accessor :default_strategy, :abilities, :controller_action_map, :user_method, :security_violation_handler, :logger
+    attr_accessor :abilities, :controller_action_map, :user_method, :security_violation_handler, :logger
 
     def initialize
-      @default_strategy = Proc.new do |able, authorizer, user|
-        false
-      end
-
 
       @abilities = {
         :create => 'creatable',
@@ -35,5 +31,9 @@ module Authority
       @logger = Logger.new(STDERR)
     end
 
+    def default_strategy=(val)
+      raise ArgumentError, "`config.default_strategy=` was removed in Authority 2.0; see README and CHANGELOG"
+    end
+
   end
 end

data/lib/authority/controller.rb

@@ -1,8 +1,7 @@
 module Authority
+  # Gets included into the app's controllers automatically by the railtie
   module Controller
 
-    # Gets included into the app's controllers automatically by the railtie
-
     extend ActiveSupport::Concern
 
     included do
@@ -66,7 +65,7 @@ module Authority
       authorize_action_for self.class.authority_resource
     end
 
-    # Convencience wrapper for sending configured user_method to extract the
+    # Convenience wrapper for sending configured user_method to extract the
     # request's current user
     #
     # @return [Object] the user object returned from sending the user_method

data/lib/authority/version.rb

@@ -1,3 +1,3 @@
 module Authority
-  VERSION = "1.1.0"
+  VERSION = "2.0.0"
 end

data/lib/generators/authority/install_generator.rb

@@ -8,22 +8,15 @@ module Authority
       desc "Creates an Authority initializer for your application." 
 
       def do_all
+        create_authorizers_directory
+        copy_application_authorizer
         copy_initializer
         copy_forbidden
-        create_authorizers_directory
         message = <<-RUBY
 
         Install complete! See the README on Github for instructions on getting your
         app running with Authority.
 
-        One note: each model needs to know the name of its its authorizer class. 
-        You can specify that in the model like `authorizer_name FooAuthorizer`.
-        If you don't, the `Article` model (for example) will look for `ArticleAuthorizer`.
-
-        To generate one authorizer like that for each of your models, see
-        `rails g authority:authorizers`. If you also want to specify your own
-        parent class for them, use `rails g authority:authorizers MyClass`.
-
         RUBY
         puts message.strip_heredoc
         
@@ -31,6 +24,15 @@ module Authority
 
       private
 
+      def create_authorizers_directory
+        # creates empty directory if none; doesn't empty the directory
+        empty_directory "app/authorizers" 
+      end
+
+      def copy_application_authorizer
+        template "application_authorizer.rb", "app/authorizers/application_authorizer.rb"
+      end
+
       def copy_initializer
         template "authority_initializer.rb", "config/initializers/authority.rb"
       end
@@ -39,11 +41,6 @@ module Authority
         template "403.html", "public/403.html"
       end
 
-      def create_authorizers_directory
-        # creates empty directory if none; doesn't empty the directory
-        empty_directory "app/authorizers" 
-      end
-
     end
   end
 end

data/lib/generators/templates/application_authorizer.rb

@@ -0,0 +1,16 @@
+# Other authorizers should subclass this one
+class ApplicationAuthorizer < Authority::Authorizer
+
+  # Any class method from Authority::Authorizer that isn't overridden
+  # will call its authorizer's default method. 
+  #
+  # @param [Symbol] adjective; example: `:creatable`
+  # @param [Object] user - whatever represents the current user in your app
+  # @return [Boolean]
+  def self.default(adjective, user)
+    # 'Whitelist' strategy for security: anything not explicitly allowed is
+    # considered forbidden.
+    false
+  end
+
+end

data/lib/generators/templates/authority_initializer.rb

@@ -8,35 +8,6 @@ Authority.configure do |config|
   # Default is:
   #
   # config.user_method = :current_user
-
-  # DEFAULT_STRATEGY
-  # ================
-  # When no class-level method is defined on an Authorizer, a default_strategy
-  # proc will be called to determine what to do.
-  # Depending on your app, you may be able to put all the logic you need here.
-  #
-  # The arguments passed to this proc will be:
-  #
-  # able       - symbol name of 'able', like `:creatable`, or `:deletable`
-  # authorizer - authorizer constant. Ex: `WidgetAuthorizer` or `UserAuthorizer`
-  # user       - user object (whatever that is in your application; found using config.user_method)
-  #
-  # For example:
-  #
-  # config.default_strategy = Proc.new { |able, authorizer, user|
-  #   # Does the user have any of the roles which give this permission?
-  #   (roles_which_grant(able, authorizer) & user.roles).any?
-  # }
-  #
-  # OR
-  #
-  # config.default_strategy = Proc.new { |able, authorizer, user|
-  #   able != :implodable && user.has_hairstyle?('pompadour')
-  # }
-  #
-  # Default default strategy simply returns false, as follows:
-  #
-  # config.default_strategy =  Proc.new { |able, authorizer, user| false }
   
   # CONTROLLER_ACTION_MAP
   # For a given controller method, what verb must a user be able to do?
@@ -93,4 +64,3 @@ Authority.configure do |config|
   # config.logger = Logger.new('/dev/null')          # Don't log at all (on a Unix system)
 
 end
-

data/spec/authority/abilities_spec.rb

@@ -1,6 +1,5 @@
 require 'spec_helper'
 require 'support/ability_model'
-require 'support/no_authorizer_model'
 require 'support/user'
 
 describe Authority::Abilities do
@@ -19,8 +18,8 @@ describe Authority::Abilities do
       AbilityModel.should respond_to(:authorizer_name=)
     end
 
-    it "should have a default authorizer_name of '(ClassName)Authorizer'" do
-      AbilityModel.authorizer_name.should eq("AbilityModelAuthorizer")
+    it "should have a default authorizer_name of 'ApplicationAuthorizer'" do
+      AbilityModel.authorizer_name.should eq("ApplicationAuthorizer")
     end
 
     it "should constantize the authorizer name as the authorizer" do
@@ -36,7 +35,14 @@ describe Authority::Abilities do
     end
 
     it "should raise a friendly error if the authorizer doesn't exist" do
-      expect { NoAuthorizerModel.authorizer }.to raise_error(Authority::NoAuthorizerError)
+      AbilityModel.instance_variable_set(:@authorizer, nil)
+      AbilityModel.authorizer_name = 'NonExistentAuthorizer'
+      expect { AbilityModel.authorizer }.to raise_error(Authority::NoAuthorizerError)
+
+      # Cleanup to prevent affecting other tests
+      # TODO: Clean up this cleanup code. :)
+      AbilityModel.instance_variable_set(:@authorizer, nil)
+      AbilityModel.authorizer_name = 'ApplicationAuthorizer'
     end
 
   end

data/spec/authority/authorizer_spec.rb

@@ -53,11 +53,8 @@ describe Authority::Authorizer do
 
   describe "the default method" do
 
-    it "should call the configured `default_strategy` proc by default" do
-      Authority.configuration.default_strategy.should_receive(:call).with(
-        :implodable, Authority::Authorizer, @user
-      )
-      Authority::Authorizer.default(:implodable, @user)
+    it "should return false" do
+      Authority::Authorizer.default(:implodable, @user).should be_false
     end
 
   end

data/spec/authority/configuration_spec.rb

@@ -3,14 +3,6 @@ require 'spec_helper'
 describe Authority::Configuration do
   describe "the default configuration" do
 
-    it "should have a default authorization strategy block" do
-      Authority.configuration.default_strategy.should respond_to(:call)
-    end
-
-    it "should return false when calling the default authorization strategy block" do
-      Authority.configuration.default_strategy.call(:action, Authority::Authorizer, User.new).should be_false
-    end
-
     it "should have a default authority controller actions map" do
       Authority.configuration.controller_action_map.should be_a(Hash)
     end
@@ -39,9 +31,6 @@ describe Authority::Configuration do
       Authority.instance_variable_set :@configuration, nil
       Authority.configure do |config|
         config.abilities[:eat]  = 'edible'
-        config.default_strategy = Proc.new { |able, authorizer, user|
-          true
-        }
       end
 
       after :all do
@@ -49,10 +38,6 @@ describe Authority::Configuration do
         Authority.configure
       end
 
-      it "should allow customizing the authorization block" do
-        Authority.configuration.default_strategy.call(:action, Authority::Authorizer, User.new).should be_true
-      end
-
       # This shouldn't be used during runtime, only during configuration
       # It won't do anything outside of configuration anyway
       it "should allow adding to the default list of abilities" do
@@ -61,4 +46,18 @@ describe Authority::Configuration do
 
     end
   end
+
+  describe "helping those upgrading to 2.0" do
+
+    before :all do
+      Authority.instance_variable_set :@configuration, nil
+    end
+
+    it "should raise a helpful exception if `config.default_strategy` is called" do
+      expect { Authority.configure { |config| config.default_strategy = Proc.new { false }}}.to raise_error(
+        ArgumentError, "`config.default_strategy=` was removed in Authority 2.0; see README and CHANGELOG"
+      )
+    end
+
+  end
 end

data/spec/authority/controller_spec.rb

@@ -130,6 +130,7 @@ describe Authority::Controller do
 
         it "should render the public/403.html file" do
           forbidden_page = Rails.root.join('public/403.html')
+          Authority.configuration.logger.stub(:warn)
           @controller.should_receive(:render).with(:file => forbidden_page, :status => 403, :layout => false)
           @controller.send(:authority_forbidden, @mock_error)
         end

data/spec/authority_spec.rb

@@ -54,4 +54,31 @@ describe Authority do
 
   end
 
+  describe Authority::SecurityViolation do
+
+    before :each do
+      @user               = "I am a user"
+      @action             = :keelhaul
+      @resource           = "I am a resource"
+      @security_violation = Authority::SecurityViolation.new(@user, @action, @resource)
+    end
+
+    it "should have a reader for the user" do
+      @security_violation.user.should eq(@user)
+    end
+
+    it "should have a reader for the action" do
+      @security_violation.action.should eq(@action)
+    end
+
+    it "should have a reader for the resource" do
+      @security_violation.resource.should eq(@resource)
+    end
+
+    it "should use them all in its message" do
+      @security_violation.message.should eq("#{@user} is not authorized to #{@action} this resource: #{@resource}")
+    end
+
+  end
+
 end

data/spec/support/ability_model.rb

@@ -2,7 +2,7 @@ class AbilityModel
   include Authority::Abilities
 end
 
-class AbilityModelAuthorizer < Authority::Authorizer
+class ApplicationAuthorizer < Authority::Authorizer
   def self.readable_by?(user)
     true
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: authority
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 2.0.0
   prerelease: 
 platform: ruby
 authors:
@@ -10,11 +10,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-04-24 00:00:00.000000000 Z
+date: 2012-04-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
-  requirement: &75302770 !ruby/object:Gem::Requirement
+  requirement: &2152144680 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -22,18 +22,7 @@ dependencies:
         version: 3.0.0
   type: :runtime
   prerelease: false
-  version_requirements: *75302770
-- !ruby/object:Gem::Dependency
-  name: bundler
-  requirement: &75302460 !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: 1.0.0
-  type: :development
-  prerelease: false
-  version_requirements: *75302460
+  version_requirements: *2152144680
 description: Authority helps you authorize actions in your Rails app. It's ORM-neutral
   and has very little fancy syntax; just group your models under one or more Authorizer
   classes and write plain Ruby methods on them.
@@ -55,6 +44,9 @@ files:
 - Rakefile
 - TODO.markdown
 - authority.gemspec
+- gemfiles/3.0.gemfile
+- gemfiles/3.1.gemfile
+- gemfiles/3.2.gemfile
 - lib/authority.rb
 - lib/authority/abilities.rb
 - lib/authority/authorizer.rb
@@ -65,6 +57,7 @@ files:
 - lib/authority/version.rb
 - lib/generators/authority/install_generator.rb
 - lib/generators/templates/403.html
+- lib/generators/templates/application_authorizer.rb
 - lib/generators/templates/authority_initializer.rb
 - spec/authority/abilities_spec.rb
 - spec/authority/authorizer_spec.rb
@@ -76,7 +69,6 @@ files:
 - spec/support/ability_model.rb
 - spec/support/example_controllers.rb
 - spec/support/mock_rails.rb
-- spec/support/no_authorizer_model.rb
 - spec/support/user.rb
 homepage: https://github.com/nathanl/authority
 licenses: []
@@ -98,9 +90,20 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.10
+rubygems_version: 1.8.16
 signing_key: 
 specification_version: 3
 summary: Authority helps you authorize actions in your Rails app using plain Ruby
   methods on Authorizer classes.
-test_files: []
+test_files:
+- spec/authority/abilities_spec.rb
+- spec/authority/authorizer_spec.rb
+- spec/authority/configuration_spec.rb
+- spec/authority/controller_spec.rb
+- spec/authority/user_abilities_spec.rb
+- spec/authority_spec.rb
+- spec/spec_helper.rb
+- spec/support/ability_model.rb
+- spec/support/example_controllers.rb
+- spec/support/mock_rails.rb
+- spec/support/user.rb

data/spec/support/no_authorizer_model.rb

@@ -1,5 +0,0 @@
-# No corresponding Authorizer is defined for this model
-
-class NoAuthorizerModel
-  include Authority::Abilities
-end