authorization-next 0.1.0

data/Rakefile

@@ -0,0 +1,2 @@
+require "bundler/gem_tasks"
+task :default => :spec

data/authorization.gemspec

@@ -0,0 +1,29 @@
+# coding: utf-8
+
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "authorization/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "authorization-next"
+  spec.version       = Authorization::VERSION
+  spec.authors       = ["Pavan Agrawal"]
+  spec.email         = ["pavan.agrawala@gmail.com"]
+
+  spec.summary       = %q{Converted plugin to gem which will work with association as well.}
+  spec.description   = %q{Converted plugin to gem which will work with association as well.}
+  spec.homepage      = "https://github.com/pavanagrawal/authorization"
+  spec.license       = "MIT"
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files         = Dir.chdir(File.expand_path('..', __FILE__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.17"
+  spec.add_development_dependency "rake", "~> 10.0"
+end

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "authorization"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/authorization.rb

@@ -0,0 +1,172 @@
+require "authorization/version"
+require File.dirname(__FILE__) + '/authorization/publishare/exceptions'
+require File.dirname(__FILE__) + '/authorization/publishare/parser'
+
+
+
+module Authorization
+  module Base
+
+    # Modify these constants in your environment.rb to tailor the plugin to your authentication system
+    if not Object.constants.include? "DEFAULT_REDIRECTION_HASH"
+      DEFAULT_REDIRECTION_HASH = { :controller => 'account', :action => 'login' }
+    end
+    if not Object.constants.include? "STORE_LOCATION_METHOD"
+      STORE_LOCATION_METHOD = :store_return_location
+    end
+
+    def self.included( recipient )
+      recipient.extend( ControllerClassMethods )
+      recipient.class_eval do
+        include ControllerInstanceMethods
+      end
+    end
+
+    module ControllerClassMethods
+
+      # Allow class-level authorization check.
+      # permit is used in a before_filter fashion and passes arguments to the before_filter.
+      def permit( authorization_expression, *args )
+        filter_keys = [ :only, :except ]
+        filter_args, eval_args = {}, {}
+        if args.last.is_a? Hash
+          filter_args.merge!( args.last.reject {|k,v| not filter_keys.include? k } )
+          eval_args.merge!( args.last.reject {|k,v| filter_keys.include? k } )
+        end
+        before_filter( filter_args ) do |controller|
+          controller.permit( authorization_expression, eval_args )
+        end
+      end
+    end
+
+    module ControllerInstanceMethods
+      include Authorization::Base::EvalParser  # RecursiveDescentParser is another option
+
+      # Permit? turns off redirection by default and takes no blocks
+      def permit?( authorization_expression, *args )
+        @options = { :allow_guests => false, :redirect => false }
+        @options.merge!( args.last.is_a?( Hash ) ? args.last : {} )
+
+        has_permission?( authorization_expression )
+      end
+
+      # Allow method-level authorization checks.
+      # permit (without a question mark ending) calls redirect on denial by default.
+      # Specify :redirect => false to turn off redirection.
+      def permit( authorization_expression, *args )
+        @options = { :allow_guests => false, :redirect => true }
+        @options.merge!( args.last.is_a?( Hash ) ? args.last : {} )
+
+        if has_permission?( authorization_expression )
+          yield if block_given?
+        elsif @options[:redirect]
+          handle_redirection
+        end
+      end
+
+      private
+
+      def has_permission?( authorization_expression )
+        @current_user = get_user
+        if not @options[:allow_guests]
+          if @current_user.nil?  # We aren't logged in, or an exception has already been raised
+            return false
+          elsif not @current_user.respond_to? :id
+            raise( UserDoesntImplementID, "User doesn't implement #id")
+          elsif not @current_user.respond_to? :has_role?
+            raise( UserDoesntImplementRoles, "User doesn't implement #has_role?" )
+          end
+        end
+        parse_authorization_expression( authorization_expression )
+      end
+
+      # Handle redirection within permit if authorization is denied.
+      def handle_redirection
+        return if not self.respond_to?( :redirect_to )
+        redirection = DEFAULT_REDIRECTION_HASH
+        redirection[:controller] = @options[:redirect_controller] if @options[:redirect_controller]
+        redirection[:action] = @options[:redirect_action] if @options[:redirect_action]
+
+        # Store url in session for return if this is available from authentication
+        send( STORE_LOCATION_METHOD ) if respond_to? STORE_LOCATION_METHOD
+        if @current_user
+          flash[:notice] = "Permission denied. Your account cannot access the requested page."
+        else
+          flash[:notice] = @options[:redirect_message] ? @options[:redirect_message] : "Login is required"
+        end
+        redirect_to redirection
+        false  # Want to short-circuit the filters
+      end
+
+      # Try to find current user by checking options hash and instance method in that order.
+      def get_user
+        if @options[:user]
+          @options[:user]
+        elsif @options[:get_user_method]
+          send( @options[:get_user_method] )
+        elsif self.respond_to? :current_user
+          current_user
+        elsif not @options[:allow_guests]
+          raise( CannotObtainUserObject, "Couldn't find #current_user or @user, and nothing appropriate found in hash" )
+        end
+      end
+
+      # Try to find a model to query for permissions
+      def get_model( str )
+        if str =~ /\s*([A-Z]+\w*)\s*/
+          # Handle model class
+          begin
+            Module.const_get( str )
+          rescue
+            raise CannotObtainModelClass, "Couldn't find model class: #{str}"
+          end
+        elsif str =~ /\s*:*(\w+)\s*/
+          # Handle model instances
+          model_name = $1
+          model_symbol = model_name.to_sym
+          if @options[model_symbol]
+            @options[model_symbol]
+          elsif instance_variables.include?( '@'+model_name )
+            instance_variable_get( '@'+model_name )
+            # Note -- while the following code makes autodiscovery more convenient, it's a little too much side effect & security question
+            # elsif self.params[:id]
+            #  eval_str = model_name.camelize + ".find(#{self.params[:id]})"
+            #  eval eval_str
+          else
+            raise CannotObtainModelObject, "Couldn't find model (#{str}) in hash or as an instance variable"
+          end
+        end
+      end
+    end
+
+  end
+end
+
+
+ActionController::Base.send( :include, Authorization::Base )
+ActionView::Base.send( :include, Authorization::Base::ControllerInstanceMethods )
+
+# You can perform authorization at varying degrees of complexity.
+# Choose a style of authorization below (see README) and the appropriate
+# mixin will be used for your app.
+
+# When used with the auth_test app, we define this in config/environment.rb
+# AUTHORIZATION_MIXIN = "hardwired"
+if not Object.constants.include? "AUTHORIZATION_MIXIN"
+  AUTHORIZATION_MIXIN = "object roles"
+end
+
+case AUTHORIZATION_MIXIN
+when "hardwired"
+  require "authorization/publishare/hardwired_roles"
+  ActiveRecord::Base.send( :include,
+                           Authorization::HardwiredRoles::UserExtensions,
+                           Authorization::HardwiredRoles::ModelExtensions
+  )
+when "object roles"
+  require "authorization/publishare/object_roles_table"
+  ActiveRecord::Base.send( :include,
+                           Authorization::ObjectRolesTable::UserExtensions,
+                           Authorization::ObjectRolesTable::ModelExtensions
+  )
+end

data/lib/authorization/publishare/exceptions.rb

@@ -0,0 +1,40 @@
+module Authorization #:nodoc:
+
+  # Base error class for Authorization module
+  class AuthorizationError < StandardError
+  end
+  
+  # Raised when the authorization expression is invalid (cannot be parsed)
+  class AuthorizationExpressionInvalid < AuthorizationError
+  end
+  
+  # Raised when we can't find the current user
+  class CannotObtainUserObject < AuthorizationError
+  end
+  
+  # Raised when an authorization expression contains a model class that doesn't exist
+  class CannotObtainModelClass < AuthorizationError
+  end
+  
+  # Raised when an authorization expression contains a model reference that doesn't exist
+  class CannotObtainModelObject < AuthorizationError
+  end
+  
+  # Raised when the obtained user object doesn't implement #id
+  class UserDoesntImplementID < AuthorizationError
+  end
+  
+  # Raised when the obtained user object doesn't implement #has_role?
+  class UserDoesntImplementRoles < AuthorizationError
+  end
+  
+  # Raised when the obtained model doesn't implement #accepts_role?
+  class ModelDoesntImplementRoles < AuthorizationError
+  end
+
+  class CannotSetRoleWhenHardwired < AuthorizationError
+  end
+  
+  class CannotSetObjectRoleWhenSimpleRoleTable < AuthorizationError
+  end
+end

data/lib/authorization/publishare/hardwired_roles.rb

@@ -0,0 +1,81 @@
+require File.dirname(__FILE__) + '/exceptions'
+
+# In order to use this mixin, you'll need to define roles by overriding the
+# following functions:
+#
+# User#has_role?(role)
+#   Return true or false depending on the roles (strings) passed in.
+#   
+# Model#accepts_role?(role, user)
+#   Return true or false depending on the roles (strings) this particular user has for
+#   this particular model object.
+#
+# See http://www.writertopia.com/developers/authorization
+
+module Authorization
+  module HardwiredRoles
+  
+    module UserExtensions
+      def self.included( recipient )
+        recipient.extend( ClassMethods )
+      end
+      
+      module ClassMethods
+        def acts_as_authorized_user
+          include Authorization::HardwiredRoles::UserExtensions::InstanceMethods
+        end
+      end
+      
+      module InstanceMethods
+        # If roles aren't explicitly defined in user class then return false
+        def has_role?( role, authorizable_object = nil )
+          false
+        end
+        
+        def has_role( role, authorizable_object = nil )
+          raise( CannotSetRoleWhenHardwired, 
+            "Hardwired mixin: Cannot set user to role #{role}. Don't use #has_role, use code in models."
+          )
+        end
+        
+        def has_no_role( role, authorizable_object = nil )
+          raise( CannotSetRoleWhenHardwired, 
+            "Hardwired mixin: Cannot remove user role #{role}. Don't use #has_no_role, use code in models."
+          )
+        end
+      end 
+    end
+    
+    module ModelExtensions
+      def self.included( recipient )
+        recipient.extend( ClassMethods )
+      end
+      
+      module ClassMethods
+        def acts_as_authorizable
+          include Authorization::HardwiredRoles::ModelExtensions::InstanceMethods
+        end
+      end
+      
+      module InstanceMethods
+        def accepts_role?( role, user )
+          return false
+        end
+        
+        def accepts_role( role, user )
+          raise( CannotSetRoleWhenHardwired, 
+            "Hardwired mixin: Cannot set user to role #{role}. Don't use #accepts_role, use code in models."
+          )
+        end
+        
+        def accepts_no_role( role, user )
+          raise( CannotSetRoleWhenHardwired, 
+            "Hardwired mixin: Cannot set user to role #{role}. Don't use #accepts_no_role, use code in models."
+          )
+        end
+      end 
+    end
+    
+  end
+end
+

data/lib/authorization/publishare/identity.rb

@@ -0,0 +1,125 @@
+require File.dirname(__FILE__) + '/exceptions'
+
+# Provides the appearance of dynamically generated methods on the roles database.
+#
+# Examples:
+#   user.is_member?                     --> Returns true if user has any role of "member"
+#   user.is_member_of? this_workshop    --> Returns true/false. Must have authorizable object after query.
+#   user.is_eligible_for [this_award]   --> Gives user the role "eligible" for "this_award"
+#   user.is_moderator                   --> Gives user the general role "moderator" (not tied to any class or object)
+#   user.is_candidate_of_what           --> Returns array of objects for which this user is a "candidate"
+#
+#   model.has_members                   --> Returns array of users which have role "member" on that model
+#   model.has_members?                  --> Returns true/false
+#
+module Authorization
+  module Identity
+    
+    module UserExtensions
+      module InstanceMethods
+
+        def method_missing( method_sym, *args )
+          method_name = method_sym.to_s
+          authorizable_object = args.empty? ? nil : args[0]
+        
+          base_regex = "is_(\\w+)"
+          fancy_regex = base_regex + "_(#{Authorization::Base::VALID_PREPOSITIONS_PATTERN})"
+          is_either_regex = '^((' + fancy_regex + ')|(' + base_regex + '))'
+          base_not_regex = "is_no[t]?_(\\w+)"
+          fancy_not_regex = base_not_regex + "_(#{Authorization::Base::VALID_PREPOSITIONS_PATTERN})"      
+          is_not_either_regex = '^((' + fancy_not_regex + ')|(' + base_not_regex + '))'
+        
+          if method_name =~ Regexp.new(is_either_regex + '_what$')
+            role_name = $3 || $6
+            has_role_for_objects(role_name)
+          elsif method_name =~ Regexp.new(is_not_either_regex + '\?$')
+            role_name = $3 || $6
+            not is_role?( role_name, authorizable_object )
+          elsif method_name =~ Regexp.new(is_either_regex + '\?$')
+            role_name = $3 || $6
+            is_role?( role_name, authorizable_object )
+          elsif method_name =~ Regexp.new(is_not_either_regex + '$')
+            role_name = $3 || $6
+            is_no_role( role_name, authorizable_object )
+          elsif method_name =~ Regexp.new(is_either_regex + '$')
+            role_name = $3 || $6
+            is_role( role_name, authorizable_object )
+          else
+            super
+          end
+        end
+      
+        private
+      
+        def is_role?( role_name, authorizable_object )
+          if authorizable_object.nil?
+            return self.has_role?(role_name)
+          elsif authorizable_object.respond_to?(:accepts_role?)
+            return self.has_role?(role_name, authorizable_object)
+          end
+          false
+        end
+      
+        def is_no_role( role_name, authorizable_object = nil )
+          if authorizable_object.nil?
+            self.has_no_role role_name
+          else
+            self.has_no_role role_name, authorizable_object
+          end
+        end
+      
+        def is_role( role_name, authorizable_object = nil )
+          if authorizable_object.nil?
+            self.has_role role_name
+          else
+            self.has_role role_name, authorizable_object
+          end
+        end
+      
+        def has_role_for_objects(role_name)
+          roles = self.roles.find_all_by_name( role_name )
+          roles.collect do |role|
+            if role.authorizable_id.nil? 
+              role.authorizable_type.nil? ?
+                nil : Module.const_get( role.authorizable_type )   # Returns class
+            else
+              role.authorizable
+            end
+          end
+        end
+      end
+    end
+    
+    module ModelExtensions
+      module InstanceMethods
+
+        def method_missing( method_sym, *args )
+          method_name = method_sym.to_s
+          if method_name =~ /^has_(\w+)\?$/
+            role_name = $1.singularize
+            self.accepted_roles.find_all_by_name(role_name).any? { |role| role.users }
+          elsif method_name =~ /^has_(\w+)$/
+            role_name = $1.singularize
+            users = self.accepted_roles.find_all_by_name(role_name).collect { |role| role.users }
+            users.flatten.uniq if users
+          else
+            super
+          end
+        end
+
+        def respond_to? method_sym
+          method_name = method_sym.to_s
+          if method_name =~ /^has_(\w+)\?$/
+            true
+          elsif method_name =~ /^has_(\w+)$/
+            true
+          else
+            super
+          end
+
+        end
+      end
+    end
+      
+  end
+end