authorizable 0.9.0

data/lib/authorizable/model.rb

@@ -0,0 +1,162 @@
+module Authorizable
+  # this should be included on the 'User' model or whatever
+  # is going to be performing action that need to be
+  # authorized
+  module Model
+    extend ActiveSupport::Concern
+
+    # @TODO figure out how to make roles generic
+    IS_OWNER = 0
+    IS_UNRELATED = 1
+
+    def method_missing(name, *args, &block)
+      string_name = name.to_s
+
+      if string_name =~ /can_(.+)\?/
+        permission_name = $1
+        permission_name.gsub!('destroy', 'delete')
+        if ["delete", "edit", "create"].include?(permission_name)
+          # shorthand for delete_{object_name}
+          object = args[0]
+          object_name = object.class.name.downcase
+          return send("can_#{permission_name}_#{object_name}?", *args, &block)
+        else
+          return process_permission(name, permission_name, args)
+        end
+      else
+        super(name, *args, &block)
+      end
+    end
+
+    private
+
+    def process_permission(method_name, permission_name, args)
+      permission = permission_name.to_sym
+      o = args[0] # object; Event, Discount, etc
+      # default to allow
+      result = true
+
+      role = get_role_of(o)
+
+      # don't perform the permission evaluation, if we have already computed it
+      permission_value_from_cache = value_from_permission_cache(method_name, role)
+      return permission_value_from_cache if permission_value_from_cache.present?
+
+
+      # evaluate procs
+      if (proc = PermissionUtilities.has_procs?(permission))
+        result &= proc.call(o, self)
+      end
+
+      # Here is where the addition of adding collaborations may reside
+
+      # finally, determine if the user (self) can do the requested action
+      result &= can?(permission, role)
+
+      # so we don't need to do everything again
+      set_permission_cache(
+        name: method_name,
+        value: result,
+        role: role
+      )
+
+      result
+    end
+
+    # @param [String] permission name of the permission
+    # @param [Number] role role of the user
+    # @param [Hash] set a hash of string keys and values
+    # @return [Boolean] the result of the whether or not the user, self,
+    #   is allowed to perform the action
+    def can?(permission, role = IS_OWNER, set = {})
+      result = true
+      use_default = false
+
+      use_default = true if set[permission].nil?
+
+      if use_default
+        result &= PermissionUtilities.value_for(permission, role)
+      else
+        result &= set[permission]
+      end
+
+      result
+    end
+
+    # By default this will just be a pass-through to has_role_with
+    # This method is intended to be a part of a group/role implementation.
+    # for example, if working with a hierarchy of objects, such as a
+    # Book having many chapters, and the chapters themselves don't have a User
+    # but the Book does, that logic should be added in a method that overrides this one.
+    #
+    # @param [ActiveRecord::Base] object should be the object that is being tested
+    #   if the user can perform the action on
+    def get_role_of(object)
+      return has_role_with(object)
+    end
+
+    # This method can also be overridden if one desires to have multiple types of
+    # ownership, such as a collaborator-type relationship
+    #
+    # @param [ActiveRecord::Base] object should be the object that is being tested
+    #   if the user can perform the action on
+    # @return [Number] true if self owns object
+    def has_role_with(object)
+      if object.respond_to?(:user_id)
+        if object.user_id == self.id
+          return IS_OWNER
+        else
+          return IS_UNRELATED
+        end
+      end
+      # hopefully the object passed always responds to user_id
+      IS_UNRELATED
+    end
+
+    # calculating the value of a permission is costly.
+    # there are several Database lookups and lots of merging
+    # of hashes.
+    # once a permission is calculated, we'll store it here, so we don't
+    # have to re-calculate/query/merge everything all over again
+    #
+    # for both object access and page access, check if we've
+    # already calculated the permission
+    #
+    # the structure of this cache is the following:
+    # {
+    #   role_1: {
+    #     permission1: true
+    #     permission2: false
+    #   },
+    #   authorization_permission_name: true
+    # }
+    #
+    # @param [String] name name of the permission
+    # @param [Number] role role of the user
+    # @param [Boolean] value
+    def set_permission_cache(name: "", role: nil, value: nil)
+      @permission_cache ||= {}
+      if role
+        @permission_cache[role] ||= {}
+        @permission_cache[role][name] = value
+      else
+        @permission_cache[name] = value
+      end
+    end
+
+    # @param [String] permission_name name of the permission
+    # @param [Number] role role of the user
+    # @return [Boolean] value of the previously stored permission
+    def value_from_permission_cache(permission_name, role = nil)
+      @permission_cache ||= {}
+
+      if role
+        @permission_cache[role] ||= {}
+        @permission_cache[role][permission_name]
+      else
+        @permission_cache[permission_name]
+      end
+    end
+
+  end
+end

data/lib/authorizable/permission_utilities.rb

@@ -0,0 +1,89 @@
+module Authorizable
+
+  module PermissionUtilities
+
+    KIND = 0
+    DEFAULT_ACCESS = 1
+    DESCRIPTION = 2
+    VISIBILITY_PROC = 3
+    ACCESS_PROC = 4
+
+    OBJECT = 0
+    ACCESS = 1
+    DEFAULT_ROLE = 0
+
+    def self.permissions
+      Authorizable::Permissions.definitions
+    end
+
+    def self.set_for_role(role)
+      permissions.inject({}) { |h,(k, v)|
+        value = v[DEFAULT_ACCESS]
+        h[k.to_sym] = value.is_a?(Array) ? value[role] : value
+        h
+      }
+    end
+
+    # returns procs or false
+    def self.has_procs?(permission)
+      permission_data_helper(permission, ACCESS_PROC)
+    end
+
+    def self.has_visibility_procs?(permission)
+      permission_data_helper(permission, VISIBILITY_PROC)
+    end
+
+    def self.should_render?(permission, *args)
+      result = true
+      proc = self.has_visibility_procs?(permission)
+
+      if proc
+        result = proc.call(*args)
+      end
+
+      result
+    end
+
+    def self.description_for(permission)
+      result = permission_data_helper(permission.to_sym, DESCRIPTION)
+
+      if result.blank?
+        result = permission.to_s.humanize
+      end
+
+      result
+    end
+
+    def self.value_for(permission, role = DEFAULT_ROLE)
+      value = permissions[permission.to_sym][DEFAULT_ACCESS]
+      value.is_a?(Array) ? value[role] : value
+    end
+
+    def self.has_key?(permission)
+      permissions[permission.to_sym].present?
+    end
+
+    def self.is_access?(permission)
+      permissions[permission][KIND] == ACCESS
+    end
+
+    def self.is_object?(permission)
+      permissions[permission][KIND] == OBJECT
+    end
+
+    private
+
+    def self.permission_data_helper(permission, position)
+      result = false
+      data = permissions[permission]
+
+      if data && data.length >= (position + 1)
+        result = data[position]
+      end
+
+      result
+    end
+
+  end
+
+end

data/lib/authorizable/permissions.rb

@@ -0,0 +1,112 @@
+module Authorizable
+
+  class Permissions
+
+    # Aliased constants for easier typing / readability
+    OBJECT = PermissionUtilities::OBJECT
+    ACCESS = PermissionUtilities::ACCESS
+
+    # defaults for a resource
+    CRUD_TYPES = {
+      edit: OBJECT,
+      delete: OBJECT,
+      create: OBJECT,
+      view: ACCESS
+    }
+
+    # where all the permission definitions are stored
+    #
+    # example structure:
+    #   {
+    #     edit_organization:   [OBJECT, [true, false]],
+    #     delete_organization: [OBJECT, [true, false], nil, ->(e, user){ e.hosted_by == user }, ->(e, user){ e.owner == user }],
+    #     create_organization: [ACCESS, [true, false], nil, nil],
+    #
+    #     edit_collaborator: [OBJECT, [true, false]],
+    #     delete_collaborator: [OBJECT, [true, false]],
+    #     create_collaborator: [OBJECT, [true, false]],
+    #     view_collaborators: [OBJECT, [true, false]],
+    #
+    #     view_attendees: [OBJECT, true],
+    #     view_unpaid_attendees: [OBJECT, true],
+    #     view_cancelled_registrations: [OBJECT, true]
+    #   }
+    #
+    # note that because this is a hash, order and organization of like-named
+    # permissions is non-existent
+    class_attribute :definitions
+
+    # @example:
+    #   {
+    #     update_event:   [OBJECT, true, "Edit Event"],
+    #     delete_event: [OBJECT, [true, false, false], nil, ->(e, user){ e.hosted_by == user }],
+    #     create_event: [ACCESS, RESTRICT_COLLABORATORS]
+    #   }
+    #   CRUD authorizations can be expcitly defined
+    #
+    # @example
+    #   {
+    #     crud: [
+    #       object_name: [true, false, false],
+    #       ojbect2_name: true,
+    #     ]
+    #   }
+    #   by providing a :crud array in the hash will generate permissions
+    #   for the specified object: create, delete, read, and update
+    #
+    # @note:
+    #   update is aliased with edit, and may be used interchangeably
+    #   delete is aliased with destroy, and may be used interchangeably
+    #
+    # @note:
+    #   descriptions are not provided by default, and are only specifiable
+    #   when explicitly defining permissions (not using crud)
+    #
+    # @param [Hash] permissions
+    def self.set(permissions)
+      cruds = permissions.delete(:crud)
+
+      self.definitions = permissions
+
+      if cruds.present?
+        cruds.each do |set|
+          set.each do |key, values_for_roles|
+            CRUD_TYPES.each do |action, kind|
+              permission = "#{action}_#{key}"
+              permission << "s" if kind == ACCESS # need a better way to pluralize
+              permission = permission.to_sym
+              permission_array = [kind, values_for_roles]
+              self.definitions[permission] = permission_array
+            end
+          end
+        end
+      end
+    end
+
+    # similar to how CanCan does the creation of permission
+    # but without the need for a user to exist immediately
+    #
+    # @param [Symbol] name what the permission should be called
+    #   (the can prefix is automatic, and should be excluded)
+    # @param [Boolean] allow (true) default authorization for this permission
+    # @param [Array] allow (true) default authorization for this permission
+    # @param [String] description (nil) how to explain this permission
+    # @param [Proc] visibility (nil) conditions used when rendering this permission in the UI
+    # @param [Proc] conditions (nil) additional conditions used when authorizing a user
+    # @param [Number] kind (OBJECT) used to specify if this permission takes access on an object or not
+    def self.can(name, allow = true, description = nil, visibility = nil, conditions = nil, kind = OBJECT)
+      permission_array = [kind, allow, description, visibility, conditions]
+      self.add(name, permission_array)
+    end
+
+    private
+
+    # @param [Symbol] key permission name
+    # @param [Array] array settings for permission
+    def self.add(key, array)
+      self.definitions[key.to_sym] = array
+    end
+
+  end
+
+end

data/lib/authorizable/version.rb

@@ -0,0 +1,5 @@
+module Authorizable
+
+  VERSION = "0.9.0"
+
+end

data/spec/integration/controller_spec.rb

@@ -0,0 +1,127 @@
+require 'rails_helper'
+
+describe EventsController, type: :controller do
+
+  it 'includes authorizable' do
+    expect(controller.class.ancestors).to include(Authorizable::Controller)
+  end
+
+  it 'calls authorizable' do
+    allow_any_instance_of(EventsController).to receive(:authorizable)
+    get :index
+  end
+
+  context 'actions' do
+    before(:each) do
+      EventsController.send(
+        :authorizable,
+        edit: {
+          target: :event,
+          redirect_path: Proc.new{ event_path(@event) }
+        },
+        create: {
+          permission: :can_create_event?,
+          redirect_path: Proc.new{ events_path }
+        },
+        destroy: {
+          target: :event,
+          redirect_path: Proc.new{ event_path(@event) }
+        }
+      )
+    end
+
+    context 'is authorized' do
+      let(:user){ create(:user) }
+      let(:event){ create(:event, user: user) }
+
+      it 'is allowed' do
+        expect(controller).to receive(:authorizable_authorized?)
+        get :edit, id: event.id
+        expect(assigns(:event)).to eq event
+      end
+    end
+
+    context 'redirects on' do
+
+      context 'json requests' do
+        let(:event){ create(:event) }
+        let(:user){ create(:user) }
+
+        after(:each) do
+          expect(response.status).to eq 401
+        end
+
+        it 'edit' do
+          allow(user).to receive(:can_edit?){ false }
+          allow(controller).to receive(:current_user){ user }
+
+          get :edit, id: event, format: :json
+        end
+      end
+
+      context 'html requests' do
+        let(:event){ create(:event) }
+        let(:user){ create(:user) }
+
+        after(:each) do
+          expect(flash[:alert]).to eq I18n.t('authorizable.not_authorized')
+        end
+
+        context 'edit' do
+          before(:each) do
+            allow(user).to receive(:can_edit?){ false }
+            allow(controller).to receive(:current_user){ user }
+          end
+
+          it 'to show' do
+            get :edit, id: event.id
+            expected = { action: :show, id: event.id }
+            expect(response).to redirect_to expected
+          end
+
+          context 'and update' do
+            it 'to show' do
+              put :update, id: event.id
+              expected = { action: :show, id: event.id }
+              expect(response).to redirect_to expected
+            end
+          end
+
+        end
+
+        context 'create' do
+          before(:each) do
+            allow(user).to receive(:can_create_event?){ false }
+            allow(controller).to receive(:current_user){ user }
+          end
+
+          it 'to index' do
+            post :create
+            expect(response).to redirect_to action: :index
+          end
+
+          context 'and new' do
+            it 'to index' do
+              get :new
+              expect(response).to redirect_to action: :index
+            end
+          end
+
+        end
+
+        context 'destroy' do
+          before(:each) do
+            allow(user).to receive(:can_destroy?).and_return(false)
+            allow(controller).to receive(:current_user){ user }
+          end
+
+          it 'to show' do
+            delete :destroy, id: event.id
+            expect(response).to redirect_to action: :show
+          end
+        end
+      end
+    end
+  end
+
+end