authority 2.5.0 → 2.6.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 0486fc9d457c9b5624e3f424edfae6f6cf95d97f
+  data.tar.gz: 1d0e25a2ae7c561ab1552f5eb4a0bbf4b0f530e6
+SHA512:
+  metadata.gz: a6d5fe92ed2f6a0291e8d8837ac4d846effede53fca5303369294e3e6aa20d167539cf4d9bfb27a6c5e0b8e44058e3fee3d5bd26ac71b87741e7f1797948deb1
+  data.tar.gz: 897deb92bd285807303b6b67511c46dbca0e4ebc3937a0b980d9b7283f8c478402bf803584048e8b80dafa9e6060123d98bb295a605cded512991680a04350b3

data/.gitignore

@@ -17,3 +17,5 @@ test/version_tmp
 tmp
 *.swp
 *.swo
+.ruby-version
+.ruby-gemset

data/.travis.yml

@@ -13,4 +13,16 @@ gemfile:
   - gemfiles/3.0.gemfile
   - gemfiles/3.1.gemfile
   - gemfiles/3.2.gemfile
+  - gemfiles/4.0.gemfile
   - Gemfile
+
+matrix:
+  exclude:
+    - rvm: 1.8.7
+      gemfile: gemfiles/4.0.gemfile
+    - rvm: 1.9.2
+      gemfile: gemfiles/4.0.gemfile
+    - rvm: jruby-18mode
+      gemfile: gemfiles/4.0.gemfile
+    - rvm: rbx-18mode
+      gemfile: gemfiles/4.0.gemfile

data/CHANGELOG.markdown

@@ -2,6 +2,12 @@
 
 Authority does its best to use [semantic versioning](http://semver.org).
 
+## v2.6.0
+
+- Now dependent on ActiveSupport, not all of Rails, as a step toward easier use with other frameworks
+- Testing with Rails 4.0
+- Clearer backtraces in certain situations
+
 ## v2.5.0
 
 Models whose `authorizer_name` is not specified will now check for an authorizer with their own name before falling back to `ApplicationAuthorizer`.  Eg, `Comment` will look for `CommentAuthorizer`. Namespacing is respected.

data/README.markdown

@@ -1,10 +1,10 @@
 # Authority
 
-Authority helps you authorize actions in your Rails app. It's **ORM-neutral** and has very little fancy syntax; just group your models under one or more Authorizer classes and write plain Ruby methods on them.
+Authority helps you authorize actions in your Ruby app. It's **ORM-neutral** and has very little fancy syntax; just group your models under one or more Authorizer classes and write plain Ruby methods on them.
 
 Authority will work fine with a standalone app or a single sign-on system. You can check roles in a database or permissions in a YAML file. It doesn't care! What it **does** do is give you an easy way to organize your logic and handle unauthorized actions.
 
-It requires that you already have some kind of user object in your application, accessible from all controllers and views via a method like `current_user` (configurable).
+If you're using it with Rails controllers, it requires that you already have some kind of user object in your application, accessible via a method like `current_user` (configurable).
 
 [![Build Status](https://secure.travis-ci.org/nathanl/authority.png?branch=master)](http://travis-ci.org/nathanl/authority)
 [![Code Climate](https://codeclimate.com/github/nathanl/authority.png)](https://codeclimate.com/github/nathanl/authority)
@@ -40,10 +40,10 @@ It requires that you already have some kind of user object in your application,
 
 Using Authority, you have:
 
-- Broad, **class-level** rules. Examples: 
+- Broad, **class-level** rules. Examples:
   - "Basic users cannot delete any Widget."
   - "Only admin users can create Offices."
-- Fine-grained, **instance-level** rules. Examples: 
+- Fine-grained, **instance-level** rules. Examples:
   - "Management users can only edit schedules with date ranges in the future."
   - "Users can't create playlists more than 20 songs long unless they've paid."
 - A clear syntax for permissions-based views. Examples:
@@ -54,7 +54,7 @@ Using Authority, you have:
 
 Most importantly, you have **total flexibility**: Authority does not constrain you into using a particular scheme of roles and/or permissions.
 
-Authority lets you control access based on: 
+Authority lets you control access based on:
 
 - Roles in your app's database ([rolify](http://github.com/EppO/rolify) makes this easy)
 - Roles in a separate, single-sign-on app
@@ -62,7 +62,7 @@ Authority lets you control access based on:
 - Time and date
 - Weather, stock prices, vowels in the user's name, or **anything else you can check with Ruby**
 
-All you have to do is define the methods you need on your authorizers. You have all the flexibility of normal Ruby classes. 
+All you have to do is define the methods you need on your authorizers. You have all the flexibility of normal Ruby classes.
 
 **You** make the rules; Authority enforces them.
 
@@ -80,7 +80,7 @@ You can specify a model's authorizer using the class method `authorizer_name=`.
 
 Some example groupings:
 
-         Simplest case                Logical groups                                 Most granular 
+         Simplest case                Logical groups                                 Most granular
 
       ApplicationAuthorizer        ApplicationAuthorizer                         ApplicationAuthorizer
                +                             +                                             +
@@ -106,8 +106,8 @@ The authorization process generally flows like this:
                                +                                     # If you don't, the inherited one
                                |                                     # calls `default`...
                                v
-        AdminAuthorizer.default(:creatable, current_user)            # *You define this method.* 
-                                                                     # If you don't, it will use the one 
+        AdminAuthorizer.default(:creatable, current_user)            # *You define this method.*
+                                                                     # If you don't, it will use the one
                                                                      # inherited from ApplicationAuthorizer.
                                                                      # (Its parent, Authority::Authorizer,
                                                                      # defines the method as `return false`.)
@@ -119,7 +119,9 @@ If the answer is `false` and the original caller was a controller, this is treat
 <a name="installation">
 ## Installation
 
-Starting from a clean commit status, add `authority` to your Gemfile, `bundle`, then `rails g authority:install`.
+Starting from a clean commit status, add `authority` to your Gemfile, then `bundle`.
+
+If you're using Rails, run `rails g authority:install`. Otherwise, pass a block to `Authority.configure` with [configuration options](https://github.com/nathanl/authority/blob/master/lib/generators/templates/authority_initializer.rb) somewhere when your application boots up.
 
 <a name="defining_your_abilities">
 ## Defining Your Abilities
@@ -145,7 +147,7 @@ This option determines what methods are added to your users, models and authoriz
 
 ```ruby
 # Whatever class represents a logged-in user in your app
-class User 
+class User
   # Adds `can_create?(resource)`, etc
   include Authority::UserAbilities
 ...
@@ -195,13 +197,13 @@ class ScheduleAuthorizer < ApplicationAuthorizer
 end
 
 # undefined; calls `ScheduleAuthorizer.default(:updatable, user)`
-ScheduleAuthorizer.updatable_by?(user) 
+ScheduleAuthorizer.updatable_by?(user)
 ```
 
 As you can see, you can specify different logic for every method on every model, if necessary. On the other extreme, you could simply supply a [default method](#default_methods) that covers all your use cases.
 
 <a name="passing_options">
-#### Passing Options 
+#### Passing Options
 
 Any options you pass when checking permissions will be passed right up the chain. One use case for this would be if you needed an associated instance in order to do a class-level check. For example:
 
@@ -238,7 +240,7 @@ class ApplicationAuthorizer < Authority::Authorizer
   def self.default(able, user)
     has_role_granting?(user, able) || user.admin?
   end
-  
+
   protected
 
   def has_role_granting(user, able)
@@ -264,7 +266,7 @@ One nice thing about putting your authorization logic in authorizers is the ease
 # An authorizer shared by several admin-only models
 describe AdminAuthorizer do
 
-  before :each do 
+  before :each do
     @user  = FactoryGirl.build(:user)
     @admin = FactoryGirl.build(:admin)
   end
@@ -302,6 +304,8 @@ end
 <a name="controllers">
 ### Controllers
 
+If you're using Rails, ActionController support will be loaded in through a Railtie. Otherwise, you'll want to integrate it into your framework yourself. [Authority's controller](https://github.com/nathanl/authority/blob/master/lib/authority/controller.rb) is an excellent starting point.
+
 Anytime a controller finds a user attempting something they're not authorized to do, a [Security Violation](#security_violations_and_logging) will result. Controllers get two ways to check authorization:
 
 - `authorize_actions_for Llama` protects multiple controller actions with a `before_filter`, which performs a **class-level** check. If the current user is never allowed to delete a `Llama`, they'll never even get to the controller's `destroy` method.
@@ -329,7 +333,7 @@ class LlamasController < ApplicationController
   # Check class-level authorizations before all actions except :create
   # Also, to authorize this controller's 'neuter' action, ask whether `current_user.can_update?(Llama)`
   authorize_actions_for Llama, :except => :create, :actions => {:neuter => :update},
-  
+
   # To authorize this controller's 'breed' action, ask whether `current_user.can_create?(Llama)`
   # To authorize its 'vaporize' action, ask whether `current_user.can_delete?(Llama)`
   authority_actions :breed => 'create', :vaporize => 'delete'
@@ -338,7 +342,7 @@ class LlamasController < ApplicationController
 
   def edit
     @llama = Llama.find(params[:id])
-    authorize_action_for(@llama)        # Check to see if you're allowed to edit this llama. failure == SecurityViolation    
+    authorize_action_for(@llama)        # Check to see if you're allowed to edit this llama. failure == SecurityViolation
   end
 
   def update
@@ -418,7 +422,9 @@ Use this very sparingly, and consider it a [code smell](http://en.wikipedia.org/
 <a name="security_violations_and_logging">
 ## Security Violations & Logging
 
-If you're using Authority's view helpers, users should only see links for actions they're authorized to take. If a user deliberately tries to access a restricted resource (for instance, by typing the URL directly), Authority raises and rescues an `Authority::SecurityViolation`.
+If you're using Authority's `ActiveController` integration or have used it as a template for your own, your application will handle unauthorized requests with `403 Forbidden` automatically.
+
+If you use Authority to [conditionally render links](#security_violations_and_logging), users will only see links for actions they're authorized to take. If a user deliberately tries to access a restricted resource (for instance, by typing the URL directly), Authority raises and rescues an `Authority::SecurityViolation`.
 
 When it rescues the exception, Authority calls whatever controller method is specified by your `security_violation_handler` option, handing it the exception. The default handler is `authority_forbidden`, which Authority mixes in to your `ApplicationController`. It does the following:
 

data/authority.gemspec

@@ -8,7 +8,8 @@ Gem::Specification.new do |gem|
   gem.description   = %q{Authority helps you authorize actions in your Rails app. It's ORM-neutral and has very little fancy syntax; just group your models under one or more Authorizer classes and write plain Ruby methods on them.}
   gem.homepage      = "https://github.com/nathanl/authority"
 
-  gem.add_dependency "rails", ">= 3.0.0"
+  gem.add_dependency "activesupport", ">= 3.0.0"
+  gem.add_dependency "rake",          ">= 0.8.7"
 
   gem.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
   gem.files         = `git ls-files`.split("\n")

data/gemfiles/4.0.gemfile

@@ -0,0 +1,6 @@
+source "http://rubygems.org"
+
+gem "rails", ">= 4.0.0.rc", "< 4.1"
+gem 'rspec', '>= 2.8.0'
+
+gemspec :path=>"../"

data/lib/authority.rb

@@ -2,6 +2,7 @@ require 'active_support/concern'
 require 'active_support/core_ext/class/attribute'
 require 'active_support/core_ext/hash/keys'
 require 'active_support/core_ext/string/inflections'
+require 'active_support/rescuable'
 require 'forwardable'
 require 'logger'
 require 'authority/security_violation'
@@ -33,7 +34,7 @@ module Authority
   # @return [Model] resource instance
   def self.enforce(action, resource, user, options = {})
     unless action_authorized?(action, resource, user, options)
-      raise SecurityViolation.new(user, action, resource) 
+      raise SecurityViolation.new(user, action, resource)
     end
     resource
   end

data/lib/authority/abilities.rb

@@ -9,7 +9,6 @@ module Authority
 
   module Abilities
     extend ActiveSupport::Concern
-    extend Forwardable
 
     included do |base|
       class_attribute :authorizer_name
@@ -28,18 +27,18 @@ module Authority
       self.class.authorizer.new(self) # instantiate on every check, in case model has changed
     end
 
-    # Send all calls like `editable_by?` to an authorizer instance
-    Authority.adjectives.each do |adjective|
-      def_delegators :authorizer, :"#{adjective}_by?"
+    module Definitions
+      # Send all calls like `editable_by?` to an authorizer instance
+      # Not using Forwardable because it makes it harder for users to track an ArgumentError
+      # back to their authorizer
+      Authority.adjectives.each do |adjective|
+        define_method("#{adjective}_by?") { |*args| authorizer.send("#{adjective}_by?", *args) }
+      end
     end
+    include Definitions
 
     module ClassMethods
-      extend Forwardable
-
-      # Send all calls like `editable_by?` to the authorizer class
-      Authority.adjectives.each do |adjective|
-        def_delegators :authorizer, :"#{adjective}_by?"
-      end
+      include Definitions
 
       # @return [Class] of the designated authorizer
       def authorizer

data/lib/authority/controller.rb

@@ -3,6 +3,7 @@ module Authority
   module Controller
 
     extend ActiveSupport::Concern
+    include ActiveSupport::Rescuable unless defined?(Rails)
 
     def self.security_violation_callback
       Proc.new do |exception|

data/lib/authority/version.rb

@@ -1,3 +1,3 @@
 module Authority
-  VERSION = "2.5.0"
+  VERSION = "2.6.0"
 end

data/lib/generators/authority/install_generator.rb

@@ -5,7 +5,7 @@ module Authority
     class InstallGenerator < Rails::Generators::Base
 
       source_root File.expand_path("../../templates", __FILE__)
-      desc "Creates an Authority initializer for your application." 
+      desc "Creates an Authority initializer for your application."
 
       def do_all
         create_authorizers_directory
@@ -19,14 +19,14 @@ module Authority
 
         RUBY
         puts message.strip_heredoc
-        
+
       end
 
       private
 
       def create_authorizers_directory
         # Creates empty directory if none; doesn't empty the directory
-        empty_directory "app/authorizers" 
+        empty_directory "app/authorizers"
       end
 
       def copy_application_authorizer

data/lib/generators/templates/application_authorizer.rb

@@ -2,7 +2,7 @@
 class ApplicationAuthorizer < Authority::Authorizer
 
   # Any class method from Authority::Authorizer that isn't overridden
-  # will call its authorizer's default method. 
+  # will call its authorizer's default method.
   #
   # @param [Symbol] adjective; example: `:creatable`
   # @param [Object] user - whatever represents the current user in your app

data/lib/generators/templates/authority_initializer.rb

@@ -9,7 +9,7 @@ Authority.configure do |config|
   # Default is:
   #
   # config.user_method = :current_user
-  
+
   # CONTROLLER_ACTION_MAP
   # =====================
   # For a given controller method, what verb must a user be able to do?
@@ -33,7 +33,7 @@ Authority.configure do |config|
   # ABILITIES
   # =========
   # Teach Authority how to understand the verbs and adjectives in your system. Perhaps you
-  # need {:microwave => 'microwavable'}. I'm not saying you do, of course. Stop looking at 
+  # need {:microwave => 'microwavable'}. I'm not saying you do, of course. Stop looking at
   # me like that.
   #
   # Defaults are as follows:
@@ -48,7 +48,7 @@ Authority.configure do |config|
   # LOGGER
   # ======
   # If a user tries to perform an unauthorized action, where should we log that fact?
-  # Provide a logger object which responds to `.warn(message)`, unless your 
+  # Provide a logger object which responds to `.warn(message)`, unless your
   # security_violation_handler calls a different method.
   #
   # Default is:

data/spec/authority/controller_spec.rb

@@ -167,9 +167,9 @@ describe Authority::Controller do
       end
 
       let(:controller_instance) do
-        controller_class.new.tap do |cc| 
+        controller_class.new.tap do |cc|
           cc.stub(Authority.configuration.user_method).and_return(user)
-        end 
+        end
       end
 
       let(:user) { ExampleUser.new }
@@ -275,7 +275,7 @@ describe Authority::Controller do
       end
 
     end
-    
+
   end
 
 end

metadata

@@ -1,8 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: authority
 version: !ruby/object:Gem::Version
-  version: 2.5.0
-  prerelease: 
+  version: 2.6.0
 platform: ruby
 authors:
 - Nathan Long
@@ -10,19 +9,36 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-03-21 00:00:00.000000000 Z
+date: 2013-06-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: rails
-  requirement: &74282880 !ruby/object:Gem::Requirement
-    none: false
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: 3.0.0
   type: :runtime
   prerelease: false
-  version_requirements: *74282880
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: 0.8.7
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: 0.8.7
 description: Authority helps you authorize actions in your Rails app. It's ORM-neutral
   and has very little fancy syntax; just group your models under one or more Authorizer
   classes and write plain Ruby methods on them.
@@ -35,7 +51,6 @@ extra_rdoc_files: []
 files:
 - .gitignore
 - .rspec
-- .rvmrc
 - .travis.yml
 - CHANGELOG.markdown
 - Gemfile
@@ -47,6 +62,7 @@ files:
 - gemfiles/3.0.gemfile
 - gemfiles/3.1.gemfile
 - gemfiles/3.2.gemfile
+- gemfiles/4.0.gemfile
 - lib/authority.rb
 - lib/authority/abilities.rb
 - lib/authority/authorizer.rb
@@ -72,27 +88,36 @@ files:
 - spec/support/mock_rails.rb
 homepage: https://github.com/nathanl/authority
 licenses: []
+metadata: {}
 post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.10
+rubygems_version: 2.0.3
 signing_key: 
-specification_version: 3
+specification_version: 4
 summary: Authority helps you authorize actions in your Rails app using plain Ruby
   methods on Authorizer classes.
-test_files: []
+test_files:
+- spec/authority/abilities_spec.rb
+- spec/authority/authorizer_spec.rb
+- spec/authority/configuration_spec.rb
+- spec/authority/controller_spec.rb
+- spec/authority/integration_spec.rb
+- spec/authority/user_abilities_spec.rb
+- spec/authority_spec.rb
+- spec/spec_helper.rb
+- spec/support/example_classes.rb
+- spec/support/mock_rails.rb

data/.rvmrc

@@ -1 +0,0 @@
-rvm use --create default@authority