authorization-rails 1.0.12

data/Rakefile

@@ -0,0 +1,39 @@
+require 'rake'
+require 'rake/testtask'
+require 'rake/rdoctask'
+
+desc 'Default: run unit tests.'
+task :default => :test
+
+desc 'Test the authorization plugin.'
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = true
+end
+
+desc 'Generate documentation for the authorization plugin.'
+Rake::RDocTask.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'Authorization'
+  rdoc.options << '--line-numbers' << '--inline-source'
+  rdoc.rdoc_files.include('README.txt')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+begin
+  require "jeweler"
+  Jeweler::Tasks.new do |gem|
+    gem.name = "authorization-rails"
+    gem.summary = "Authoization plugin for authorizing."
+    gem.files = Dir["*", "{lib}/**/*","{generators}/**/*","{tasks}/**/*","{doc}/**/*"]
+    gem.require_paths=[".","lib"]
+    gem.author="Bill Katz; Arturo Pie"
+    gem.homepage="https://github.com/arturopie/rails-authorization-plugin"
+    gem.description="Rails 3 compatible rails-authorization-plugin gem"
+  end
+  
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts "Jeweler (or a dependency) not available. Install it with: sudo gem install jeweler"
+end

data/UPGRADE.rdoc

@@ -0,0 +1,13 @@
+= Instructions for Upgrading
+
+Scroll down to the last time you updated the plugin, then follow the upgrade steps upward till you get back to this message.
+
+== 25/12/08 - Changes has_and_belongs_to_many to a has_many :through association
+
+* Copy generators/role_model/templates/role_model.rb to app/models/role.rb
+* Copy generators/role_model/templates/role_user_model.rb to app/models/role_user.rb
+* Open each file and replace the erb code (<%= %>) with the correct model class name below
+
+  role.rb         ->    Role
+
+  role_user.rb    ->    RoleUser

data/VERSION

@@ -0,0 +1 @@
+1.0.12

data/about.yml

@@ -0,0 +1,8 @@
+author: Bill Katz
+summary: Adds a flexible mechanism for authorization.
+description: "Adds a flexible mechanism for authorization. Differs from other authorization systems in the following ways: (1) You can specify roles programmatically with model code or use a mixin to keep roles in a database. (2) The plugin uses a clean language for specifying authorization expressions. (3) Ability to handle roles on instances of a model. (4) Rights are explicitly declared in controller and view code. (5) Different levels of authorization complexity are provided through mixins available with the plugin. If you don't want to use the database for authorization, you mixin a HardwiredRoles module. If you want full database support for roles on model instances, you mixin the ObjectRolesTable module."
+homepage: http://www.writertopia.com/developers/authorization
+plugin: http://svn.writertopia.com/svn/plugins/authorization/
+license: MIT
+version: 1.0.10
+rails_version: 2.0+

data/authorization-rails.gemspec

@@ -0,0 +1,65 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = "authorization-rails"
+  s.version = "1.0.12"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Bill Katz; Arturo Pie"]
+  s.date = "2012-03-06"
+  s.description = "Rails 3 compatible rails-authorization-plugin gem"
+  s.extra_rdoc_files = [
+    "README.rdoc",
+    "README.txt",
+    "README_developers.txt"
+  ]
+  s.files = [
+    "CHANGELOG.txt",
+    "MIT-LICENSE",
+    "README.rdoc",
+    "README.txt",
+    "README_developers.txt",
+    "Rakefile",
+    "UPGRADE.rdoc",
+    "VERSION",
+    "about.yml",
+    "authorization-rails.gemspec",
+    "authorization.gemspec",
+    "doc/authorization_example.gif",
+    "doc/authorization_example.rb",
+    "generators/role_model/USAGE",
+    "generators/role_model/role_model_generator.rb",
+    "generators/role_model/templates/fixtures.yml",
+    "generators/role_model/templates/migration.rb",
+    "generators/role_model/templates/model.rb",
+    "generators/role_model/templates/role_model.rb",
+    "generators/role_model/templates/role_user_model.rb",
+    "generators/role_model/templates/unit_test.rb",
+    "init.rb",
+    "install.rb",
+    "lib/authorization.rb",
+    "lib/publishare/exceptions.rb",
+    "lib/publishare/hardwired_roles.rb",
+    "lib/publishare/identity.rb",
+    "lib/publishare/object_roles_table.rb",
+    "lib/publishare/parser.rb",
+    "tasks/authorization_tasks.rake"
+  ]
+  s.homepage = "https://github.com/arturopie/rails-authorization-plugin"
+  s.require_paths = [".", "lib"]
+  s.rubygems_version = "1.8.10"
+  s.summary = "Authoization plugin for authorizing."
+
+  if s.respond_to? :specification_version then
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+    else
+    end
+  else
+  end
+end
+

data/authorization.gemspec

@@ -0,0 +1,67 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run the gemspec command
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{authorization}
+  s.version = "1.0.12"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Bill Katz"]
+  s.autorequire = %q{authorization}
+  s.date = %q{2010-11-14}
+  s.description = %q{Rails 3 compatible rails-authorization-plugin gem}
+  s.extra_rdoc_files = [
+    "README.rdoc",
+     "README.txt",
+     "README_developers.txt"
+  ]
+  s.files = [
+    "CHANGELOG.txt",
+     "MIT-LICENSE",
+     "README.rdoc",
+     "README.txt",
+     "README_developers.txt",
+     "Rakefile",
+     "UPGRADE.rdoc",
+     "VERSION",
+     "about.yml",
+     "authorization.gemspec",
+     "doc/authorization_example.gif",
+     "doc/authorization_example.rb",
+     "generators/role_model/USAGE",
+     "generators/role_model/role_model_generator.rb",
+     "generators/role_model/templates/fixtures.yml",
+     "generators/role_model/templates/migration.rb",
+     "generators/role_model/templates/model.rb",
+     "generators/role_model/templates/role_model.rb",
+     "generators/role_model/templates/role_user_model.rb",
+     "generators/role_model/templates/unit_test.rb",
+     "init.rb",
+     "install.rb",
+     "lib/authorization.rb",
+     "lib/publishare/exceptions.rb",
+     "lib/publishare/hardwired_roles.rb",
+     "lib/publishare/identity.rb",
+     "lib/publishare/object_roles_table.rb",
+     "lib/publishare/parser.rb",
+     "tasks/authorization_tasks.rake"
+  ]
+  s.homepage = %q{https://github.com/g5search/rails-authorization-plugin}
+  s.rdoc_options = ["--charset=UTF-8"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.3.7}
+  s.summary = %q{Authoization plugin for authorizing.}
+
+  if s.respond_to? :specification_version then
+    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+    else
+    end
+  else
+  end
+end
+

data/doc/authorization_example.rb

@@ -0,0 +1,38 @@
+class MeetingController < ApplicationController
+
+  permit "rubyists and wanna_be_rubyists", :except => :public_page
+
+  def public_page
+    render :text => "We're all in Chicago"
+  end
+
+  def secret_info
+    permit "(matz or dhh) and interested in Answers" do
+      render :text => "The Answer = 42"
+    end
+  end
+
+  def find_apprentice
+    @founder = User.find_by_name('matz')
+    permit "'inner circle' of :founder" do
+      if request.post?
+        apprentice = User.find_by_skillset(params[:uber_hacker])
+        ruby_community = Group.find_by_name('Ruby')
+        ruby_community.accepts_role 'yarv_builder', apprentice
+      end
+    end
+  end
+
+  def rails_conf
+    @meeting = Meeting.find_by_name('RailsConf')
+    permit "attendees of :meeting or swedish_mensa_supermodels" do
+      venue = Hotel.find_by_name("Wyndham O'Hare")
+      current_user.is_traveller_to venue
+      if permit? "traveller to :venue and not speaker"
+        Partay.all_night_long
+        @misdeeds = current_user.is_participant_in_what
+      end
+    end
+  end
+
+end

data/generators/role_model/USAGE

@@ -0,0 +1,20 @@
+Description:
+    The role_model generator creates a Role model for use with the Authorization plugin.
+
+    The generator takes a model name as its argument, which at this time must be 'Role'.
+
+    The generator creates a Role model class in app/models, a test suite in
+    test/unit, test fixtures in test/fixtures/roles.yml, and a migration
+    in the db/migrate directory.
+
+Example:
+    ./script/generate role_model Role
+
+    This will create a Role model:
+        Model:      app/models/role.rb
+        Test:       test/unit/role_test.rb
+        Fixtures:   test/fixtures/roles.yml
+        Migration:  db/migrate/XXX_add_role.rb
+
+    You should then run 'rake db:migrate'.
+

data/generators/role_model/role_model_generator.rb

@@ -0,0 +1,35 @@
+# Shamelessly derived from Rick Olsen's acts_as_attachment
+class RoleModelGenerator < Rails::Generator::NamedBase
+  default_options :skip_migration => false
+
+  def manifest
+    record do |m|
+      # Check for class naming collisions.
+      m.class_collisions class_path, class_name, "#{class_name}Test"
+
+      # Model, test, and fixture directories.
+      m.directory File.join('app/models', class_path)
+      m.directory File.join('test/unit', class_path)
+      m.directory File.join('test/fixtures', class_path)
+
+      # Model class, unit test, and fixtures.
+      m.template 'model.rb',      File.join('app/models', class_path, "#{file_name}.rb")
+      m.template 'unit_test.rb',  File.join('test/unit', class_path, "#{file_name}_test.rb")
+      m.template 'fixtures.yml',  File.join('test/fixtures', class_path, "#{table_name}.yml")
+      
+      unless options[:skip_migration]
+        m.migration_template 'migration.rb', 'db/migrate', :assigns => {
+          :migration_name => "Create#{class_name.pluralize.gsub(/::/, '')}"
+        }, :migration_file_name => "create_#{file_path.gsub(/\//, '_').pluralize}"
+      end
+    end
+  end
+
+  protected
+    def add_options!(opt)
+      opt.separator ''
+      opt.separator 'Options:'
+      opt.on("--skip-migration", 
+             "Don't generate a migration file for this model") { |v| options[:skip_migration] = v }
+    end
+end

data/generators/role_model/templates/fixtures.yml

@@ -0,0 +1,5 @@
+# Read about fixtures at http://ar.rubyonrails.org/classes/Fixtures.html
+first:
+  id: 1
+another:
+  id: 2

data/generators/role_model/templates/migration.rb

@@ -0,0 +1,21 @@
+class <%= migration_name %> < ActiveRecord::Migration
+
+  def self.up
+    create_table :<%= (table_name < 'users') ? "#{table_name}_users" : "users_#{table_name}" %>, :id => false, :force => true  do |t|
+      t.integer :user_id, :<%= singular_name %>_id
+      t.timestamps
+    end
+
+    create_table :<%= table_name %>, :force => true do |t|
+      t.string  :name, :authorizable_type, :limit => 40
+      t.integer :authorizable_id
+      t.timestamps
+    end
+  end
+
+  def self.down
+    drop_table :<%= table_name %>
+    drop_table :<%= (table_name < 'users') ? "#{table_name}_users" : "users_#{table_name}" %>
+  end
+
+end

data/generators/role_model/templates/model.rb

@@ -0,0 +1,8 @@
+# Defines named roles for users that may be applied to
+# objects in a polymorphic fashion. For example, you could create a role
+# "moderator" for an instance of a model (i.e., an object), a model class,
+# or without any specification at all.
+class <%= class_name %> < ActiveRecord::Base
+  has_and_belongs_to_many :users
+  belongs_to :authorizable, :polymorphic => true
+end

data/generators/role_model/templates/role_model.rb

@@ -0,0 +1,9 @@
+# Defines named roles for users that may be applied to
+# objects in a polymorphic fashion. For example, you could create a role
+# "moderator" for an instance of a model (i.e., an object), a model class,
+# or without any specification at all.
+class <%= class_name %> < ActiveRecord::Base
+  has_many :roles_users, :dependent => :delete_all
+  has_many :users, :through => :roles_users
+  belongs_to :authorizable, :polymorphic => true
+end

data/generators/role_model/templates/role_user_model.rb

@@ -0,0 +1,5 @@
+# The table that links roles with users (generally named RoleUser.rb)
+class <%= (class_name < 'User') ? "#{class_name.pluralize}User" : "Users#{class_name}" %> < ActiveRecord::Base
+  belongs_to :user
+  belongs_to :role
+end

data/generators/role_model/templates/unit_test.rb

@@ -0,0 +1,10 @@
+require File.dirname(__FILE__) + '<%= '/..' * class_nesting_depth %>/../test_helper'
+
+class <%= class_name %>Test < Test::Unit::TestCase
+  fixtures :<%= table_name %>
+
+  # Replace this with your real tests.
+  def test_truth
+    assert true
+  end
+end

data/init.rb

@@ -0,0 +1 @@
+require File.dirname(__FILE__) + '/lib/authorization'

data/install.rb

@@ -0,0 +1,2 @@
+puts IO.read(File.join(File.dirname(__FILE__), 'README.txt'))
+

data/lib/authorization.rb

@@ -0,0 +1,176 @@
+require File.dirname(__FILE__) + '/publishare/exceptions'
+require File.dirname(__FILE__) + '/publishare/parser'
+
+module Authorization
+  module Base
+
+    # Modify these constants in your environment.rb to tailor the plugin to
+    # your authentication system
+    unless Object.const_defined?(:LOGIN_REQUIRED_REDIRECTION)
+      LOGIN_REQUIRED_REDIRECTION = {
+        :controller => 'session',
+        :action => 'new'
+      }
+    end
+    unless Object.const_defined?(:PERMISSION_DENIED_REDIRECTION)
+      PERMISSION_DENIED_REDIRECTION = ''
+    end
+    unless Object.const_defined?(:STORE_LOCATION_METHOD)
+      STORE_LOCATION_METHOD = :store_location
+    end
+
+    def self.included( recipient )
+      recipient.extend( ControllerClassMethods )
+      recipient.class_eval do
+        include ControllerInstanceMethods
+      end
+    end
+
+    module ControllerClassMethods
+
+      # Allow class-level authorization check.
+      # permit is used in a before_filter fashion and passes arguments to the before_filter.
+      def permit( authorization_expression, *args )
+        filter_keys = [ :only, :except ]
+        filter_args, eval_args = {}, {}
+        if args.last.is_a? Hash
+          filter_args.merge!( args.last.reject {|k,v| not filter_keys.include? k } )
+          eval_args.merge!( args.last.reject {|k,v| filter_keys.include? k } )
+        end
+        before_filter( filter_args ) do |controller|
+          controller.permit( authorization_expression, eval_args )
+        end
+      end
+    end
+
+    module ControllerInstanceMethods
+      include Authorization::Base::EvalParser  # RecursiveDescentParser is another option
+
+      # Permit? turns off redirection by default and takes no blocks
+      def permit?( authorization_expression, *args )
+        @options = { :allow_guests => false, :redirect => false }
+        @options.merge!( args.last.is_a?( Hash ) ? args.last : {} )
+
+        has_permission?( authorization_expression )
+      end
+
+      # Allow method-level authorization checks.
+      # permit (without a question mark ending) calls redirect on denial by default.
+      # Specify :redirect => false to turn off redirection.
+      def permit( authorization_expression, *args )
+        @options = { :allow_guests => false, :redirect => true }
+        @options.merge!( args.last.is_a?( Hash ) ? args.last : {} )
+
+        if has_permission?( authorization_expression )
+          yield if block_given?
+        elsif @options[:redirect]
+          handle_redirection
+        end
+      end
+
+      private
+
+      def has_permission?( authorization_expression )
+        @current_user = get_user
+        if not @options[:allow_guests]
+          # We aren't logged in, or an exception has already been raised.
+          # Test for both nil and :false symbol as restful_authentication plugin
+          # will set current user to ':false' on a failed login (patch by Ho-Sheng Hsiao).
+          if @current_user.nil? || @current_user == :false
+            return false
+          elsif not @current_user.respond_to? :id
+            raise( UserDoesntImplementID, "User doesn't implement #id")
+          elsif not @current_user.respond_to? :has_role?
+            raise( UserDoesntImplementRoles, "User doesn't implement #has_role?" )
+          end
+        end
+        parse_authorization_expression( authorization_expression )
+      end
+
+      # Handle redirection within permit if authorization is denied.
+      def handle_redirection
+        return if not self.respond_to?( :redirect_to )
+
+        # Store url in session for return if this is available from
+        # authentication
+        send( STORE_LOCATION_METHOD ) if respond_to? STORE_LOCATION_METHOD
+        if @current_user && !@current_user.nil? && @current_user != :false
+          flash[:notice] = @options[:permission_denied_message] || "Permission denied. You cannot access the requested page."
+          redirect_to @options[:permission_denied_redirection] || @current_user.uri
+        else
+          flash[:notice] = @options[:login_required_message] || "Login is required to access the requested page."
+          redirect_to @options[:login_required_redirection] || LOGIN_REQUIRED_REDIRECTION
+        end
+        false  # Want to short-circuit the filters
+      end
+
+      # Try to find current user by checking options hash and instance method in that order.
+      def get_user
+        if @options[:user]
+          @options[:user]
+        elsif @options[:get_user_method]
+          send( @options[:get_user_method] )
+        elsif self.respond_to? :current_user
+          current_user
+        elsif not @options[:allow_guests]
+          raise( CannotObtainUserObject, "Couldn't find #current_user or @user, and nothing appropriate found in hash" )
+        end
+      end
+
+      # Try to find a model to query for permissions
+      def get_model( str )
+        if str =~ /\s*([A-Z]+\w*)\s*/
+          # Handle model class
+          begin
+            Module.const_get( str )
+          rescue
+            raise CannotObtainModelClass, "Couldn't find model class: #{str}"
+          end
+        elsif str =~ /\s*:*(\w+)\s*/
+          # Handle model instances
+          model_name = $1
+          model_symbol = model_name.to_sym
+          if @options[model_symbol]
+            @options[model_symbol]
+          elsif instance_variables.include?( '@'+model_name )
+            instance_variable_get( '@'+model_name )
+          # Note -- while the following code makes autodiscovery more convenient, it's a little too much side effect & security question
+          # elsif self.params[:id]
+          #  eval_str = model_name.camelize + ".find(#{self.params[:id]})"
+          #  eval eval_str
+          else
+            raise CannotObtainModelObject, "Couldn't find model (#{str}) in hash or as an instance variable"
+          end
+        end
+      end
+    end
+
+  end
+end
+ActionController::Base.send( :include, Authorization::Base ) if defined?(ActionController)
+ActionView::Base.send( :include, Authorization::Base::ControllerInstanceMethods ) if defined?(ActionView)
+
+# You can perform authorization at varying degrees of complexity.
+# Choose a style of authorization below (see README.txt) and the appropriate
+# mixin will be used for your app.
+
+# When used with the auth_test app, we define this in config/environment.rb
+# AUTHORIZATION_MIXIN = "hardwired"
+unless Object.const_defined?(:AUTHORIZATION_MIXIN)
+  AUTHORIZATION_MIXIN = "object roles"
+end
+
+case AUTHORIZATION_MIXIN
+  when "hardwired"
+    require File.dirname(__FILE__) + '/publishare/hardwired_roles'
+    ActiveRecord::Base.send( :include, 
+      Authorization::HardwiredRoles::UserExtensions, 
+      Authorization::HardwiredRoles::ModelExtensions 
+    )
+  when "object roles"
+    require File.dirname(__FILE__) + '/publishare/object_roles_table'
+    ActiveRecord::Base.send( :include, 
+      Authorization::ObjectRolesTable::UserExtensions, 
+      Authorization::ObjectRolesTable::ModelExtensions
+    )
+end