authority 2.3.2 → 2.4.0

data/CHANGELOG.markdown

@@ -1,5 +1,19 @@
 # Changelog
 
+Authority does its best to use [semantic versioning](http://semver.org).
+
+## v2.4.0
+
+Controller method `authorize_actions_for` can now be given a method name to dynamically determine the class to authorize. For example, `authorize_actions_for :model_class` will call the `model_class` method on the controller instance at request time.
+
+## v2.3.2
+
+- Updated `can?` to only pass options if it was given options.
+
+## v2.3.1
+
+- Had second thought and reworked `can?(:action)` to call `Application_authorizer.authorizes_to_#{action}?`. Ensured it's backwards compatible for the few people who started using this in the last day or so.
+
 ## v2.3.0
 
 - Added generic `current_user.can?(:mimic_lemurs)` for cases where there is no resource to work with. This calls a corresponding class method on `ApplicationAuthorizer`, like `ApplicationAuthorizer.can_mimic_lemurs?`.

data/README.markdown

@@ -6,7 +6,7 @@ Authority will work fine with a standalone app or a single sign-on system. You c
 
 It requires that you already have some kind of user object in your application, accessible from all controllers and views via a method like `current_user` (configurable).
 
-[![Build Status](https://secure.travis-ci.org/nathanl/authority.png?branch=master)](http://travis-ci.org/nathanl/authority)
+<!--[![Build Status](https://secure.travis-ci.org/nathanl/authority.png?branch=master)](http://travis-ci.org/nathanl/authority) -->
 <!-- [![Dependency Status](https://gemnasium.com/nathanl/authority.png)](https://gemnasium.com/nathanl/authority) -->
 [![Code Climate](https://codeclimate.com/badge.png)](https://codeclimate.com/github/nathanl/authority)
 
@@ -353,6 +353,35 @@ end
 
 As with other authorization checks, you can also pass options here, and they'll be sent along to your authorization method: `authorize_action_for(@llama, :sporting => @hat_style)`. Generally, though, your authorization will depend on some attribute or association of the model instance, so the authorizer can check `@llama.neck_strength` and `@llama.owner.nationality`, etc, without needing any additional information.
 
+Note that you can also call `authority_actions` as many times as you like, so you can specify one mapping at a time if you prefer:
+
+```ruby
+class LlamasController < ApplicationController
+  def breed
+    # some code
+  end
+  authority_actions :breed => 'create'
+
+  def vaporize
+    # some code
+  end
+  authority_actions :vaporize => 'delete'
+end
+```
+
+Finally, note that if you have a controller that dynamically determines the class it's working with, you can pass the name of a controller instance method to `authorize_actions_for` instead of a class, and the class will be looked up when a request is made.
+
+```ruby
+class LlamasController < ApplicationController
+
+  authorize_actions_for :llama_class
+
+  def llama_class
+    [StandardLlama, LludicriousLlama].sample
+  end
+end
+```
+
 <a name="views">
 ### Views
 
@@ -387,44 +416,23 @@ Use this very sparingly, and consider it a [code smell](http://en.wikipedia.org/
 <a name="security_violations_and_logging">
 ## Security Violations & Logging
 
-Anytime a user attempts an unauthorized action, Authority calls whatever controller method is specified by your `security_violation_handler` option, handing it the exception. The default handler is `authority_forbidden`, which Authority adds to your `ApplicationController`. It does the following:
+If you're using Authority's view helpers, users should only see links for actions they're authorized to take. If a user deliberately tries to access a restricted resource (for instance, by typing the URL directly), Authority raises and rescues an `Authority::SecurityViolation`.
+
+When it rescues the exception, Authority calls whatever controller method is specified by your `security_violation_handler` option, handing it the exception. The default handler is `authority_forbidden`, which Authority mixes in to your `ApplicationController`. It does the following:
 
 - Renders `public/403.html`
 - Logs the violation to whatever logger you configured.
 
-You can define your own `authority_forbidden` method:
-
+You can define your own `authority_forbidden` method on `ApplicationController` and/or any other controller. For example:
 
 ```ruby
 # Send 'em back where they came from with a slap on the wrist
-def authority_forbidden(exception)
+def authority_forbidden(error)
   Authority.logger.warn(error.message)
   redirect_to request.referrer.presence || root_path, :alert => 'You are not authorized to complete that action.'
 end
 ```
 
-... or specify a different handler like this:
-
-```ruby
-# config/initializers/authority.rb
-config.security_violation_handler = :fire_ze_missiles
-```
-Then define the method on your controller:
-
-```ruby
-# app/controllers/application_controller.rb
-class ApplicationController < ActionController::Base
-
-  def fire_ze_missiles(exception)
-    # Log? Set a flash message? Dispatch minions to 
-    # fill their mailbox with goose droppings? It's up to you.
-  end
-...
-end
-```
-
-If you want different error handling per controller, define `fire_ze_missiles` on each of them.
-
 Your method will be handed the `SecurityViolation`, which has a `message` method. In case you want to build your own message, it also exposes `user`, `action` and `resource`.
 
 <a name="credits">

data/TODO.markdown

@@ -1,5 +1,7 @@
 # TODO
 
+- Consider removing `config.security_violation_handler`, since `authority_forbidden` can already be redefined on any controller
+
 ## Tests
 
 - Test with Rails 4 and Ruby 2.0

data/lib/authority.rb

@@ -31,19 +31,16 @@ module Authority
   # @param [Hash] options, arbitrary options hash to delegate to the authorizer
   # @raise [SecurityViolation] if user is not allowed to perform action on resource
   # @return [Model] resource instance
-  def self.enforce(action, resource, user, *options)
-    unless action_authorized?(action, resource, user, *options)
+  def self.enforce(action, resource, user, options = {})
+    unless action_authorized?(action, resource, user, options)
       raise SecurityViolation.new(user, action, resource) 
     end
     resource
   end
 
-  def self.action_authorized?(action, resource, user, *options)
-    if options.empty?
-      user.send("can_#{action}?", resource)
-    else
-      user.send("can_#{action}?", resource, Hash[*options])
-    end
+  def self.action_authorized?(action, resource, user, options = {})
+    resource_and_maybe_options = [resource, options].tap {|args| args.pop if args.last == {}}
+    user.send("can_#{action}?", *resource_and_maybe_options)
   end
 
   class << self

data/lib/authority/authorizer.rb

@@ -29,11 +29,8 @@ module Authority
     Authority.adjectives.each do |adjective|
       class_eval <<-RUBY, __FILE__, __LINE__ + 1
         def self.#{adjective}_by?(user, options = {})
-          if options.empty?
-            default(:#{adjective}, user)
-          else
-            default(:#{adjective}, user, options)
-          end
+          user_and_maybe_options = [user, options].tap {|args| args.pop if args.last == {}}
+          default(:#{adjective}, *user_and_maybe_options)
         end
       RUBY
     end

data/lib/authority/controller.rb

@@ -14,18 +14,23 @@ module Authority
 
     included do
       rescue_from(Authority::SecurityViolation, :with => Authority::Controller.security_violation_callback)
-      class_attribute :authority_resource
+      class << self
+        attr_accessor :authority_resource
+      end
     end
 
     module ClassMethods
 
       # Sets up before_filter to ensure user is allowed to perform a given controller action
       #
-      # @param [Class] model_class - class whose authorizer should be consulted
-      # @param [Hash] options - can contain :actions to be merged with existing
+      # @param [Class OR Symbol] resource_or_finder - class whose authorizer
+      # should be consulted, or instance method on the controller which will
+      # determine that class when the request is made
+      # @param [Hash] options - can contain :actions to
+      # be merged with existing
       # ones and any other options applicable to a before_filter
-      def authorize_actions_for(model_class, options = {})
-        self.authority_resource = model_class
+      def authorize_actions_for(resource_or_finder, options = {})
+        self.authority_resource = resource_or_finder
         authority_actions(options[:actions] || {})
         before_filter :run_authorization_check, options
       end
@@ -86,7 +91,17 @@ module Authority
     # The `before_filter` that will be setup to run when the class method
     # `authorize_actions_for` is called
     def run_authorization_check
-      authorize_action_for self.class.authority_resource
+      authorize_action_for authority_resource
+    end
+
+    def authority_resource
+      return self.class.authority_resource       if self.class.authority_resource.is_a?(Class)
+      return send(self.class.authority_resource) if respond_to?(self.class.authority_resource)
+      raise MissingResource.new(
+          "Trying to authorize actions for '#{self.class.authority_resource}', but can't. \
+          Must be either a resource class OR the name of a controller instance method that \
+          returns one.".squeeze(' ')
+      )
     end
 
     # Convenience wrapper for sending configured `user_method` to extract the
@@ -97,6 +112,7 @@ module Authority
       send(Authority.configuration.user_method)
     end
 
-    class MissingAction < StandardError ; end
+    class MissingAction   < StandardError ; end
+    class MissingResource < StandardError ; end
   end
 end

data/lib/authority/user_abilities.rb

@@ -11,17 +11,14 @@ module Authority
     Authority.verbs.each do |verb|
       class_eval <<-RUBY, __FILE__, __LINE__ + 1
         def can_#{verb}?(resource, options = {})
-          if options.empty?
-            resource.#{Authority.abilities[verb]}_by?(self)
-          else
-            resource.#{Authority.abilities[verb]}_by?(self, options)
-          end
+          self_and_maybe_options = [self, options].tap {|args| args.pop if args.last == {}}
+          resource.#{Authority.abilities[verb]}_by?(*self_and_maybe_options)
         end
       RUBY
     end
 
     def can?(action, options = {})
-      self_and_maybe_options = [self, (options == {} ? nil : options)].compact # throw out if nil
+      self_and_maybe_options = [self, options].tap {|args| args.pop if args.last == {}}
       begin
         ApplicationAuthorizer.send("authorizes_to_#{action}?", *self_and_maybe_options)
       rescue NoMethodError => original_exception

data/lib/authority/version.rb

@@ -1,3 +1,3 @@
 module Authority
-  VERSION = "2.3.2"
+  VERSION = "2.4.0"
 end

data/lib/generators/templates/403.html

@@ -4,7 +4,7 @@
     <title>Forbidden</title>
   </head>
   <body>
-    <h1>Access Denied, HUMAN!</h1>
-    <p>No, seriously, you can't do that...</p>
+    <h1>Access Denied</h1>
+    <p>You do not have permission to access this resource.</p>
   </body>
 </html>

data/lib/generators/templates/authority_initializer.rb

@@ -3,7 +3,8 @@ Authority.configure do |config|
   # USER_METHOD
   # ===========
   # Authority needs the name of a method, available in any controller, which
-  # will return the currently logged-in user.
+  # will return the currently logged-in user. (If this varies by controller,
+  # just create a common alias.)
   #
   # Default is:
   #
@@ -44,14 +45,6 @@ Authority.configure do |config|
   #   :delete => 'deletable'
   # }
 
-  # SECURITY_VIOLATION_HANDLER
-  # ==========================
-  # If a SecurityViolation is raised, what controller method should be used to rescue it?
-  #
-  # Default is:
-  #
-  # config.security_violation_handler = :authority_forbidden # Defined in controller.rb
-  
   # LOGGER
   # ======
   # If a user tries to perform an unauthorized action, where should we log that fact?

data/spec/authority/controller_spec.rb

@@ -87,11 +87,16 @@ describe Authority::Controller do
 
       describe "authorize_actions_for" do
 
-        it "allows specifying the model to protect" do
+        it "allows specifying the class of the model to protect" do
           controller_class.authorize_actions_for(resource_class)
           expect(controller_class.authority_resource).to eq(resource_class)
         end
 
+        it "allows specifying an instance method to find the class of the model to protect" do
+          controller_class.authorize_actions_for(:finder_method)
+          expect(controller_class.authority_resource).to eq(:finder_method)
+        end
+
         it "sets up a before_filter, passing the options it was given" do
           filter_options = {:only => [:show, :edit, :update]}
           controller_class.should_receive(:before_filter).with(:run_authorization_check, filter_options)
@@ -146,9 +151,48 @@ describe Authority::Controller do
 
       describe "run_authorization_check (used as a before_filter)" do
 
-        it "checks authorization on the model specified" do
-          controller_instance.should_receive(:authorize_action_for).with(resource_class)
-          controller_instance.send(:run_authorization_check)
+        context "if a resource class was specified" do
+
+          it "checks authorization on the model specified" do
+            controller_instance.should_receive(:authorize_action_for).with(resource_class)
+            controller_instance.send(:run_authorization_check)
+          end
+
+        end
+
+        context "if a method for determining the class was specified" do
+
+          let(:resource_class) { Hash }
+          let(:controller_class) do
+            Class.new(ExampleController).tap do |c|
+              c.send(:include, Authority::Controller)
+              c.authorize_actions_for(:method_to_find_class)
+            end
+          end
+
+          context "if the controller has such an instance method" do
+
+            before :each do
+              controller_instance.stub(:method_to_find_class).and_return(resource_class)
+            end
+
+            it "checks authorization on class returned by that method" do
+              controller_instance.should_receive(:authorize_action_for).with(resource_class)
+              controller_instance.send(:run_authorization_check)
+            end
+
+          end
+
+          context "if the controller has no such instance method" do
+
+            it "raises an exception" do
+              expect{controller_instance.send(:run_authorization_check)}.to raise_error(
+                Authority::Controller::MissingResource
+              )
+            end
+
+          end
+
         end
 
         it "raises a MissingAction if there is no corresponding action for the controller" do

data/spec/authority_spec.rb

@@ -42,7 +42,7 @@ describe Authority do
     let(:user)           { ExampleUser.new }
     let(:resource_class) { ExampleResource }
 
-    describe "if given options" do
+    describe "when given options" do
 
       it "checks the user's authorization, passing along the options" do
         options = { :for => 'context' }
@@ -52,7 +52,7 @@ describe Authority do
 
     end
 
-    describe "if not given options" do
+    describe "when not given options" do
 
       it "checks the user's authorization, passing no options" do
         user.should_receive(:can_delete?).with(resource_class).and_return(true)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: authority
 version: !ruby/object:Gem::Version
-  version: 2.3.2
+  version: 2.4.0
   prerelease: 
 platform: ruby
 authors:
@@ -10,11 +10,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-12-11 00:00:00.000000000 Z
+date: 2013-02-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
-  requirement: &2152546080 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -22,7 +22,12 @@ dependencies:
         version: 3.0.0
   type: :runtime
   prerelease: false
-  version_requirements: *2152546080
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 3.0.0
 description: Authority helps you authorize actions in your Rails app. It's ORM-neutral
   and has very little fancy syntax; just group your models under one or more Authorizer
   classes and write plain Ruby methods on them.
@@ -82,15 +87,21 @@ required_ruby_version: !ruby/object:Gem::Requirement
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
+      segments:
+      - 0
+      hash: -37039868613240694
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
+      segments:
+      - 0
+      hash: -37039868613240694
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.16
+rubygems_version: 1.8.24
 signing_key: 
 specification_version: 3
 summary: Authority helps you authorize actions in your Rails app using plain Ruby