authorization-san 1.0.1

data/LICENSE

@@ -0,0 +1,18 @@
+(c) 2009 Fingertips, Manfred Stienstra <m.stienstra@fngtps.com>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+  
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+   
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,21 @@
+= Authorization-San
+
+Authorization-san allows you to specify access policies in your controllers. The plugin assumes a number of things about the application.
+
+* If a user has authenticated with the application, it's stored in <tt>@authenticated</tt>. The method of authentication doesn't matter. It also doesn't matter what you put in @authenticated, as long as it's truthy.
+* <tt>@authenticated</tt> has either a <tt>role</tt> attribute or a number of methods to query for the role: <tt>admin?</tt>, <tt>editor?</tt>, <tt>guest?</tt>. When the <tt>@authenticated</tt> object doesn't have role methods you can't use role based authentication rules, but the rest still works.
+
+== What does it look like?
+
+  class BooksController < ActionController::Base
+    # Visitors can see list of books and book pages
+    allow_access :all, :only => [:index, :show]
+    # An editor can create new books, but…
+    allow_access :editor, :only => [:new, :create]
+    # …she can only update her own books.
+    allow_access(:editor, :only => [:edit, :update]) { @book = @authenticated.books.find(params[:id]) }
+    # Admin users can do it all.
+    allow_access :admin
+  end
+
+The best place to start learning more is the <tt>examples</tt> directory in the source.

data/examples/administrations_controller.rb

@@ -0,0 +1,11 @@
+# The administrations controller is nested under organizations (ie. /organizations/3214/administrations)
+class PagesController < ApplicationController
+  # The following rule only allows @authenticated if @authenticated.organization.id == params[:organization_id].
+  # Roughly translated this means that the authenticated user can only access resources belonging to its own
+  # organization.
+  allow_access :authenticated, :scope => :organization
+
+  def index
+    @administrations = @authenticated.organization.administrations
+  end
+end

data/examples/application.rb

@@ -0,0 +1,22 @@
+class ApplicationController < ActionController::Base
+  # You have to specify where you want these actions to appear in your filter chain. Make sure you :block_access
+  # before any sensitive processing occurs.
+  before_filter :find_authenticated, :block_access
+
+  private
+
+  # Find the authenticated user
+  def find_authenticated
+    @authenticated = authenticate_with_http_basic { |username, password| User.authenticate(username, password) }
+  end
+
+  # Access was forbidden to client requesting the resource. React to that appropriately. Note that this reply is very
+  # bare bones and you might want to return more elaborate responses in a real application.
+  def access_forbidden
+    if @authenticated.nil?
+      request_http_basic_authentication "Accounting"
+    else
+      head :forbidden
+    end
+  end
+end

data/examples/application_with_multiple_auth_methods.rb

@@ -0,0 +1,33 @@
+class ApplicationController < ActionController::Base
+  before_filter :find_authenticated, :block_access
+
+  private
+
+  # Find the authenticated user, cookie based authentication for browser users and HTTP Basic Authentication for
+  # API users. Note that this does not allow you to get HTML resources when logged in through Basic Auth.
+  def find_authenticated
+    respond_to do |format|
+      format.html do
+        @authenticated = Person.find_by_id session[:authenticated_id] unless session[:authenticated_id].nil?
+      end
+      format.xml do
+        @authenticated = authenticate_with_http_basic { |username, password| User.authenticate(username, password) }
+      end
+    end
+  end
+
+  # Access was forbidden to client requesting the resource. React to that appropriately. Note that this reply is very
+  # bare bones and you might want to return more elaborate responses in a real application.
+  def access_forbidden
+    unless @authenticated
+      # The user is not authenticated; ask for credentials
+      respond_to do |format|
+        format.html { redirect_to login_url }
+        format.xml { request_http_basic_authentication "Accounting" }
+      end
+    else
+      # The user is authentication but unauthorized for this resource
+      head :forbidden
+    end
+  end
+end

data/examples/authenticated_controller.rb

@@ -0,0 +1,6 @@
+class AuthenticatedController < ApplicationController
+  # Authenticated users can access all actions
+  allow_access :authenticated
+
+  def index; end
+end

data/examples/page_controller_with_full_policy.rb

@@ -0,0 +1,28 @@
+# The pages controller is a nest resource under users (ie. /users/12/pages)
+class PagesController < ApplicationController
+  # A user may only access her own index
+  allow_access(:authenticated, :only => :index) { @authenticated == @user }
+  # A user may only access her own pages
+  allow_access(:authenticated, :only => :show) { @authenticated == @page.user}
+
+  # Always find the user the pages are nested under before applying the rules
+  prepend_before_filter :find_user
+  # Find the page before applying the rules when the show action is called
+  prepend_before_filter :find_page, :only => :show
+
+  def index
+    @pages = @user.pages
+  end
+
+  def show; end
+
+  private
+
+  def find_user
+    @user = User.find params[:user_id]
+  end
+
+  def find_page
+    @page = Page.find params[:id]
+  end
+end

data/examples/pages_controller.rb

@@ -0,0 +1,25 @@
+# The pages controller is nested under users (ie. /users/12/pages)
+class PagesController < ApplicationController
+  # Users can only reach pages nested under their user_id. Note that this doesn't define the complete access policy,
+  # some of the authorization is still done in the actions. See pages_controller_with_full_policy.rb for an example
+  # of specifying everything in access rules.
+  allow_access(:authenticated) { @authenticated.to_param == params[:user_id].to_param }
+
+  before_filter :find_user
+
+  def index
+    @pages = @user.pages
+  end
+
+  def show
+    @page = @user.pages.find params[:id]
+  rescue ActiveRecord::RecordNotFound
+    head :forbidden
+  end
+
+  private
+
+  def find_user
+    @user = User.find params[:user_id]
+  end
+end

data/examples/public_controller.rb

@@ -0,0 +1,6 @@
+class PublicController < ApplicationController
+  # Everyone can access all actions
+  allow_access
+
+  def index; end
+end

data/examples/users_controller.rb

@@ -0,0 +1,27 @@
+class UsersController < ApplicationController
+  # The default is to deny all access. Every rule creates a 'hole' in this policy. You can specify multiple rules
+  # per role if you want.
+  
+  # The 'admin' role (@authenticated.role) has access to all the actions.
+  allow_access :admin
+  # The 'editor' role has access to the index and show action.
+  allow_access :editor, :only => [:index, :show]
+  # The 'user' role has access to the index, show, edit and update role only if the resource he's editing is the same
+  # as the user resource.
+  allow_access :user, :only => [:index, :show, :edit, :update], :user_resource => true
+  # The 'guest' role has access to the index and show action if the Proc returns true.
+  allow_access(:guest, :only => [:index, :show]) { @authenticated.valid_email? }
+  # Everyone can access the listing and the index action, the other actions can be accessed when it's not sunday.
+  allow_access :only => :listing
+  allow_access :only => :index
+  allow_access() { Time.now.strftime('%A') != 'Sunday' }
+  
+  def index; end
+  def listing; end
+  def new; end
+  def create; end
+  def show; end
+  def edit; end
+  def update; end
+  def destroy; end
+end

data/lib/authorization.rb

@@ -0,0 +1,2 @@
+require 'authorization/allow_access'
+require 'authorization/block_access'

data/lib/authorization/allow_access.rb

@@ -0,0 +1,78 @@
+module Authorization
+  module AllowAccess
+    # By default you block all access to the controller with <tt>block_access</tt>, with <tt>allow_access</tt> you
+    # specify who can access the actions on the controller under certain conditions. <tt>allow_access</tt> can deal
+    # with accounts with and without roles.
+    # 
+    # *Examples*
+    #
+    # Everyone can access all actions on the controller.
+    #   allow_access
+    #   allow_access :all
+    # Everyone with the admin role can access the controller.
+    #   allow_access :admin
+    # Everyone with the admin and editor role can access the controller.
+    #   allow_access :admin, :editor
+    # Everyone with the editor role can access the index. show, edit and update actions.
+    #   allow_access :editor, :only => [:index, :show, :edit, :update]
+    # A coordinator can do anything the admin can, except for delete
+    #   allow_access :coordinator, :except => :destroy
+    # Everyone with the admin and editor role can access the show action.
+    #   allow_access :admin, :editor, :action => :show
+    # A guest can view all resources if he has view permissions. The block is evaltuated in the controller's instance.
+    # Note that rules are evaluated when <tt>block_access</tt> is run.
+    #   allow_access(:guest, :only => [:index, :show]) { @authenticated.view_permission? }
+    # Specifying a role is optional, if you don't specify a role the rule is added for the default role <tt>:all</tt>.
+    #   allow_access(:only => :unsubscribe) { @authenticated.subscribed? }
+    # Only allow authenticated users, :authenticated is a special role meaning all authenticated users.
+    #   allow_access :authenticated
+    # You need to be authenticated for the secret action
+    #   allow_access :all, :except => :secret
+    #   allow_access :authenticated, :only => :secret
+    #
+    # The following special directives might be a little hard to explain, I will give the equivalent rule with the
+    # block access.
+    #
+    # Imagine we have a user controller, every user has an organization association. The users resource is nested
+    # in the organization resource like this.
+    #   map.resources :organizations { |org| org.resources :users }
+    # Now we want the user to edit his own resource (for instance to update the password).
+    #   allow_access :only => [:index, :show, :edit, :update], :user_resource => true
+    #   allow_access(:only => [:index, :show, :edit, :update]) do
+    #     @authenticated.id == params[:id].to_i
+    #   end
+    # We could also specify that a user can edit everything in his own organization.
+    #   allow_access :only => [:index, :show, :edit, :update], :scope => :organization
+    #   allow_access(:only => [:index, :show, :edit, :update]) do
+    #     @authenticated.organization.id == params[:organization_id].to_i
+    #   end
+    def allow_access(*args, &block)
+      unless self.respond_to?(:access_allowed_for)
+        self.class_inheritable_accessor(:access_allowed_for)
+        send(:protected, :access_allowed_for, :access_allowed_for=)
+      end
+      self.access_allowed_for ||= HashWithIndifferentAccess.new
+      if args.first.kind_of?(Hash) || args.empty?
+        self.access_allowed_for[:all] ||= []
+        self.access_allowed_for[:all] << {
+          :directives => args.first || {},
+          :block => block
+        }
+      else
+        directives = args.extract_options!
+        roles = args.flatten
+        if roles.delete(:authenticated) or roles.delete('authenticated')
+          roles = [:all] if roles.empty?
+          directives[:authenticated] = true
+        end
+        roles.each do |role|
+          self.access_allowed_for[role.to_s] ||= []
+          self.access_allowed_for[role.to_s] << {
+            :directives => directives,
+            :block => block
+          }
+        end
+      end
+    end
+  end
+end

data/lib/authorization/block_access.rb

@@ -0,0 +1,133 @@
+module Authorization
+  module BlockAccess
+    protected
+
+    # Block access to all actions in the controller, designed to be used as a <tt>before_filter</tt>.
+    #   class ApplicationController < ActionController::Base
+    #     before_filter :block_access
+    #   end
+    def block_access
+      die_if_undefined
+      unless @authenticated.nil?
+        # Find the user's roles
+        roles = []
+        roles << @authenticated.role if @authenticated.respond_to?(:role)
+        access_allowed_for.keys.each do |role|
+           roles << role.to_s if @authenticated.respond_to?("#{role}?") and @authenticated.send("#{role}?")
+        end
+        # Check if any of the roles give her access
+        roles.each do |role|
+          return true if access_allowed?(params, role, @authenticated)
+        end
+      end
+      return true if access_allowed?(params, :all, @authenticated)
+      access_forbidden
+    end
+
+    # Checks if access is allowed for the params, role and authenticated user.
+    #   access_allowed?({:action => :show, :id => 1}, :admin, @authenticated)
+    def access_allowed?(params, role, authenticated=nil)
+      die_if_undefined
+      if (rules = access_allowed_for[role]).nil?
+        logger.debug("  \e[31mCan't find rules for `#{role}'\e[0m")
+        return false
+      end
+      !rules.detect do |rule|
+        if !action_allowed_by_rule?(rule, params, role) or !resource_allowed_by_rule?(rule, params, role, authenticated) or !block_allowed_by_rule?(rule)
+          logger.debug("  \e[31mAccess DENIED by RULE #{rule.inspect} FOR `#{role}'\e[0m")
+          false
+        else
+          logger.debug("  \e[32mAccess GRANTED by RULE #{rule.inspect} FOR `#{role}'\e[0m")
+          true
+        end
+      end.nil?
+    end
+
+    # <tt>access_forbidden</tt> is called by <tt>block_access</tt> when access is forbidden. This method does
+    # nothing by default. Make sure you return <tt>false</tt> from the method if you want to halt the filter
+    # chain.
+    def access_forbidden
+      false
+    end
+
+    # Checks if a certain action can be accessed by the role.
+    # If you want to check for <tt>action_allowed?</tt>, <tt>resource_allowed?</tt> and <tt>block_allowed?</tt>
+    # use <tt>access_allowed?</tt>.
+    #   action_allowed?({:action => :show, :id => 1}, :editor)
+    def action_allowed?(params, role=:all)
+      die_if_undefined
+      return false if (rules = access_allowed_for[role]).nil?
+      !rules.detect { |rule| action_allowed_by_rule?(rule, params, role) }.nil?
+    end
+
+    def action_allowed_by_rule?(rule, params, role) #:nodoc:
+      return false if (action = params[:action]).nil?
+      directives = rule[:directives]
+      return false if directives[:only].kind_of?(Array) and !directives[:only].include?(action.to_sym)
+      return false if directives[:only].kind_of?(Symbol) and directives[:only] != action.to_sym
+      return false if directives[:except].kind_of?(Array) and directives[:except].include?(action.to_sym)
+      return false if directives[:except].kind_of?(Symbol) and directives[:except] == action.to_sym
+      true
+    end
+
+    # Checks if the resource indicated by the params can be accessed by user.
+    # If you want to check for <tt>action_allowed?</tt>, <tt>resource_allowed?</tt> and <tt>block_allowed?</tt>
+    # use <tt>access_allowed?</tt>.
+    #   resource_allowed?({:id => 1, :organization_id => 12}, :guest, @authenticated)
+    def resource_allowed?(params, role=:all, user=nil)
+      user ||= @authenticated
+      die_if_undefined
+      return false if (rules = access_allowed_for[role]).nil?
+      !rules.detect { |rule| resource_allowed_by_rule?(rule, params, role, user) }.nil?
+    end
+
+    def resource_allowed_by_rule?(rule, params, role, user) #:nodoc:
+      directives = rule[:directives]
+      if directives[:authenticated]
+        return false unless user
+      end
+      begin
+        if directives[:user_resource]
+          return false if params[:id].nil? or user.id.nil?
+          return false if params[:id].to_i != user.id.to_i
+        end
+      rescue NoMethodError
+      end
+      begin
+        if scope = directives[:scope]
+          assoc_id = params["#{scope}_id"].to_i
+          begin
+            object_id = user.send(scope).id.to_i
+          rescue NoMethodError
+            return false
+          end
+          return false if assoc_id.nil? or object_id.nil?
+          return false if assoc_id != object_id
+        end
+      rescue NoMethodError
+      end
+      true
+    end
+
+    # Checks if the blocks associated with the rules doesn't stop the user from acessing the resource.
+    # If you want to check for <tt>action_allowed?</tt>, <tt>resource_allowed?</tt> and <tt>block_allowed?</tt>
+    # use <tt>access_allowed?</tt>.
+    #   block_allowed?(:guest)
+    def block_allowed?(role)
+      die_if_undefined
+      return false if (rules = access_allowed_for[role]).nil?
+      !rules.detect { |rule| block_allowed_by_rule?(rule) }.nil?
+    end
+
+    def block_allowed_by_rule?(rule) #:nodoc:
+      return false if !rule[:block].nil? and !rule[:block].bind(self).call
+      true
+    end
+
+    def die_if_undefined #:nodoc:
+      if !self.respond_to?(:access_allowed_for) or access_allowed_for.nil?
+        raise ArgumentError, "Please specify access control using `allow_access' in the controller"
+      end
+    end
+  end
+end

data/rails/init.rb

@@ -0,0 +1,4 @@
+require 'authorization'
+
+ActionController::Base.send(:include, Authorization::BlockAccess)
+ActionController::Base.send(:extend, Authorization::AllowAccess)

data/test/cases/behaviour_test.rb

@@ -0,0 +1,167 @@
+require File.expand_path('../../test_helper', __FILE__)
+
+require 'controllers/all'
+require 'models/resource'
+
+class BehaviourTest < ActionController::TestCase
+  test "access is denied for nonexistant actions without an access rule" do
+    tests UsersController, :authenticated => Resource.new(:role => :tester, :id => 1)
+    get :unknown, :id => 1
+    assert_response :forbidden
+  end
+  
+  test "roles are properly checked" do
+    tests UsersController, :authenticated => Resource.new
+    {
+      [:admin, :index] => :ok,
+      [:admin, :show] => :ok,
+      [:admin, :guest] => :ok,
+      [:admin, :listing] => :ok,
+      [:admin, :react] => :ok,
+      [:editor, :index] => :ok,
+      [:editor, :guest] => :forbidden,
+      [:editor, :listing] => :ok,
+      [:editor, :react] => :ok,
+      [:guest, :index] => :forbidden,
+      [:guest, :guest] => :ok,
+      [:guest, :listing] => :ok,
+      [:guest, :react] => :ok,
+      [:user, :listing] => :ok,
+      [:user, :react] => :ok,
+      [:user, :index] => :forbidden,
+    }.each do |(role, action), status|
+      @controller.authenticated.role = role
+      get action
+      assert_response status
+    end
+  end
+  
+  test "authenticated is allowed to access its own resource" do
+    tests UsersController, :authenticated => Resource.new(:role => :tester, :id => 1)
+    get :show, :id => 1
+    assert_response :ok
+  end
+  
+  test "authenticated is not allowed to access other users" do
+    tests UsersController, :authenticated => Resource.new(:role => :tester, :id => 1)
+    get :show, :id => 2
+    assert_response :forbidden
+  end
+  
+  test "authenticated is allowed to access within the defined scope" do
+    tests UsersController, :authenticated => Resource.new(:role => :reader, :organization => Resource.new(:id => 1))
+    get :show, :organization_id => 1
+    assert_response :success
+  end
+  
+  test "authenticated is not allowed to access outside of the defined scope" do
+    tests UsersController, :authenticated => Resource.new(:role => :tester, :id => 1)
+    get :show, :organization_id => 2
+    assert_response :forbidden
+  end
+  test "rule without restrictions opens up the whole controller" do
+    tests PublicController
+    get :index
+    assert_response :ok
+  end
+  
+  test "rule with special role :authenticated allows when @authenticated is truthy" do
+    tests AuthenticatedController, :authenticated => true
+    get :index
+    assert_response :ok
+  end
+  
+  test "rule with special role :authenticated disallows when @authenticated is not truthy" do
+    tests AuthenticatedController, :authenticated => false
+    get :index
+    assert_response :forbidden
+  end
+  
+  test "rule with broken block should raise an exception when evaluated" do
+    tests BrokenBlockController
+    assert_raises(NoMethodError) do
+      get :index
+    end
+  end
+  
+  test "rule with block should only be evaluated when the action matches" do
+    tests BrokenBlockController
+    assert_nothing_raised do
+      get :show
+    end
+  end
+  
+  test "rule with block should only be evaluated when the role matches" do
+    tests BrokenBlockController, :authenticated => Resource.new(:role => :admin)
+    assert_nothing_raised do
+      get :show
+    end
+  end
+  
+  test "rule with block should only be evaluated when the special role matches" do
+    tests BrokenBlockController, :authenticated => true
+    assert_nothing_raised do
+      get :show
+    end
+  end
+  
+  test "rule with multiple roles" do
+    tests MultipleRolesController, :authenticated => Resource.new
+    {
+      [:a, :index] => :ok,
+      [:b, :index] => :ok,
+      [:c, :index] => :ok,
+      [:d, :index] => :ok,
+      [:e, :index] => :ok,
+      [:f, :index] => :ok,
+      [:e, :show] => :forbidden,
+      [:f, :show] => :forbidden,
+      [:g, :index] => :forbidden,
+      [:h, :index] => :forbidden,
+      [:g, :show] => :ok,
+      [:h, :show] => :ok,
+    }.each do |(role, action), status|
+      @controller.authenticated.role = role
+      get action
+      assert_response status
+    end
+  end
+  
+  test "rule with special role, user resource and action restriction, should disallow unauthenticated" do
+    tests ComplicatedController
+    get :show, :id => 1
+    assert_response :forbidden
+  end
+  
+  test "rule with special role, user resource and action restriction, should disallow incorrect user" do
+    tests ComplicatedController, :authenticated => Resource.new(:id => 2)
+    get :show, :id => 1
+    assert_response :forbidden
+  end
+  
+  test "rule with special role, user resource and action restriction, should allow correct user" do
+    tests ComplicatedController, :authenticated => Resource.new(:id => 1)
+    get :show, :id => 1
+    assert_response :ok
+  end
+  
+  test "controller with rule about special role, user resource and action restriction, should allow open actions" do
+    tests ComplicatedController
+    get :index
+    assert_response :ok
+  end
+  
+  private
+  
+  def tests(controller, options={})
+    @request = ActionController::TestRequest.new
+    @response = ActionController::TestResponse.new
+    @controller ||= controller.new rescue nil
+    
+    @controller.request = @request
+    @controller.params = {}
+    @controller.send(:initialize_current_url)
+    
+    @controller.authenticated = options[:authenticated]
+  end
+end

data/test/cases/internals_test.rb

@@ -0,0 +1,252 @@
+require File.expand_path('../../test_helper', __FILE__)
+
+require 'models/resource'
+
+class MethodsTest < ActiveSupport::TestCase
+  include Authorization::BlockAccess
+  attr_accessor :params, :access_allowed_for
+  
+  def logger
+    @logger ||= Logger.new('/dev/null')
+  end
+  
+  def do_false
+    false
+  end
+  
+  def do_true
+    true
+  end
+  
+  def test_action_allowed
+    @access_allowed_for = {
+      :admin => [{
+          :directives => {}
+        }],
+      :editor => [{
+          :directives => {:only => :index}
+        }],
+      :complex => [
+          {:directives => {:only => :index}},
+          {:directives => {:only => :show}}
+        ],
+      :all => [{
+          :directives => {:only => :listing}
+        }]
+      }
+    assert_action_allowed({
+      [:admin, :index] => true,
+      [:admin, :show] => true,
+      [:admin, :unknown] => true,
+      [:editor, :unknown] => false,
+      [:editor, :index] => true,
+      [:all, :index] => false,
+      [:all, :unknown] => false,
+      [:all, :listing] => true,
+      [:complex, :index] => true,
+      [:complex, :show] => true,
+      [:complex, :unknown] => false
+      })
+  end
+  
+  def test_action_allowed_open
+    @access_allowed_for = {:all => [{:directives => {}}] }
+    assert_action_allowed({
+      [:admin, :index] => false,
+      [:all, :show] => true,
+      [:unknown, :show] => false
+    })
+  end
+  
+  def test_action_allowed_closed
+    @access_allowed_for = {}
+    assert_action_allowed({
+      [:admin, :index] => false,
+      [:all, :show] => false,
+      [:show, :unknown] => false
+    })
+  end
+  
+  def test_action_allowed_nil
+    @access_allowed_for = nil
+    params = HashWithIndifferentAccess.new :action => :something
+    assert_raises(ArgumentError) { action_allowed?(params, :something) }
+  end
+  
+  def test_resource_allowed_user_resource
+    @access_allowed_for = {
+      :user => [{
+        :directives => {:only => [:index, :show], :user_resource => true}
+        }]
+      }
+    assert_resource_allowed({
+      [{}, :admin, {}] => false,
+      [{:id => 1}, :admin, {:id => 1}] => false,
+      [{}, :admin, {:id => 1}] => false,
+      [{:id => 1}, :admin, {}] => false,
+      [{}, :user, {}] => false,
+      [{:id => 1}, :user, {:id => 1}] => true,
+      [{:id => 2}, :user, {:id => 1}] => false,
+      [{:id => 1}, :user, {:id => 2}] => false,
+      [{}, :user, {:id => 1}] => false,
+      [{:id => 1}, :user, {}] => false,
+    })
+  end
+  
+  def test_resource_allowed_scope
+    @access_allowed_for = {
+      :user => [{
+        :directives => {:only => [:index, :show], :scope => :organization}
+        }]
+      }
+    assert_resource_allowed({
+      [{}, :admin, {}] => false,
+      [{:organization_id => 1}, :admin, {:organization => Resource.new({:id => 1})}] => false,
+      [{}, :admin, {:organization => Resource.new({:id => 1})}] => false,
+      [{:organization_id => 1}, :admin, {}] => false,
+      [{}, :user, {}] => false,
+      [{:organization_id => 1}, :user, {:organization => Resource.new({:id => 1})}] => true,
+      [{}, :user, {:organization => Resource.new({:id => 1})}] => false,
+      [{:organization_id => 1}, :user, {}] => false,
+      [{:organization_id => 2}, :user, {:organization => Resource.new({:id => 1})}] => false,
+      [{:organization_id => 1}, :user, {:organization => Resource.new({:id => 2})}] => false,
+    })
+  end
+  
+  def test_resource_allowed_authenticated
+    @access_allowed_for = {
+      :all => [{
+        :directives => {:authenticated => true}
+      }]
+    }
+    assert !resource_allowed?({}, :admin, nil)
+    assert !resource_allowed?({}, :admin, true)
+    assert resource_allowed?({}, :all, true)
+    assert resource_allowed?({:action => :edit}, :all, true)
+  end
+  
+  def test_block_allowed
+    @access_allowed_for = {
+      :admin => [{:block => MethodsTest.instance_method(:do_true)}],
+      :all => [{:block => MethodsTest.instance_method(:do_false)}]
+    }
+    assert_block_allowed({
+      :admin => true,
+      :all => false
+    })
+  end
+  
+  def test_access_forbidden
+    assert_equal false, access_forbidden
+  end
+  
+  def test_block_access
+    @access_allowed_for = {
+      :admin => [{
+          :directives => {}
+        }],
+      :editor => [{
+          :directives => {:only => :index}
+        }],
+      :blocked_guest => [{
+          :directives => {:only => :index},
+          :block => MethodsTest.instance_method(:do_false)
+        }],
+      :open_guest => [{
+          :directives => {:only => :index},
+          :block => MethodsTest.instance_method(:do_true)
+        }],
+      :complex => [
+          {:directives => {:only => :index}},
+          {:directives => {:only => :show}}
+        ],
+      :all => [{
+          :directives => {:only => :listing}
+        }]
+      }
+    assert_block_access({
+      [:admin, :index] => true,
+      [:admin, :show] => true,
+      [:admin, :unknown] => true,
+      [:editor, :unknown] => false,
+      [:editor, :index] => true,
+      [:blocked_guest, :index] => false,
+      [:blocked_guest, :unknown] => false,
+      [:open_guest, :index] => true,
+      [:open_guest, :unknown] => false,
+      [:all, :index] => false,
+      [:all, :unknown] => false,
+      [:all, :listing] => true,
+      [:complex, :index] => true,
+      [:complex, :show] => true,
+      [:complex, :unknown] => false
+      })
+  end
+  
+  def test_block_access_closed
+    @access_allowed_for = {}
+    assert_equal false, block_access
+  end
+  
+  def test_block_access_nil
+    @access_allowed_for = nil
+    assert_raises(ArgumentError) { block_access }
+  end
+  
+  def test_block_access_on_object_with_role_and_accessors_defined
+    @access_allowed_for = {:special => [{
+        :directives => {}
+      }]}
+    @authenticated = Resource.new :role => 'user', :'special?' => true
+    @params = HashWithIndifferentAccess.new :action => :new
+    assert !block_access
+  end
+  
+  def test_block_access_on_object_with_multiple_block_accessors_defined
+    @access_allowed_for = {:special => [{
+        :directives => {}
+      }]}
+    @authenticated = Resource.new :'special?' => true, :'admin?' => true
+    @params = HashWithIndifferentAccess.new :action => :new
+    assert !block_access
+  end
+  
+  def test_block_access_on_object_with_accessor_dined_on_role
+    @access_allowed_for = {:user => [{
+        :directives => {}
+      }]}
+    @authenticated = Resource.new :role => 'user', :'special?' => true
+    @params = HashWithIndifferentAccess.new :action => :new
+    assert !block_access
+  end
+  
+  private
+  
+  def assert_action_allowed(h)
+    h.each do |pair, value|
+      params = HashWithIndifferentAccess.new(:action => pair.last)
+      assert_equal value, action_allowed?(params, pair.first), "For #{pair.inspect} => #{value.inspect}"
+    end
+  end
+  
+  def assert_resource_allowed(h)
+    h.each do |triplet, value|
+      params = HashWithIndifferentAccess.new(triplet.first)
+      assert_equal value, resource_allowed?(params, triplet[1], triplet.last ? Resource.new(triplet.last) : nil), "For #{triplet.inspect} => #{value.inspect}"
+    end
+  end
+  
+  def assert_block_allowed(h)
+    h.each do |role, value|
+      assert_equal value, block_allowed?(role)
+    end
+  end
+  
+  def assert_block_access(h)
+    h.each do |pair, value|
+      @authenticated = Resource.new :role => pair.first
+      @params = {:action => pair.last}
+      assert_equal value, block_access, "For #{pair.inspect} => #{value.inspect}"
+    end
+  end
+end

data/test/cases/structural_test.rb

@@ -0,0 +1,21 @@
+require File.expand_path('../../test_helper', __FILE__)
+
+require 'controllers/application_controller'
+require 'controllers/users_controller'
+require 'models/resource'
+
+class StructuralTest < ActionController::TestCase
+  tests UsersController
+  
+  def setup
+    @controller.authenticated = Resource.new(:role => :admin)
+  end
+  
+  test "rules should be in place" do
+    assert @controller.__send__(:access_allowed_for)
+  end
+  
+  test "role accessors should not be public" do
+    assert @acontroller.public_methods.grep(/access_allowed_for/).empty?
+  end
+end

data/test/controllers/all.rb

@@ -0,0 +1,7 @@
+require 'controllers/application_controller'
+require 'controllers/authenticated_controller'
+require 'controllers/broken_block_controller'
+require 'controllers/complicated_controller'
+require 'controllers/public_controller'
+require 'controllers/multiple_roles_controller'
+require 'controllers/users_controller'

data/test/controllers/application_controller.rb

@@ -0,0 +1,16 @@
+class ApplicationController < ActionController::Base
+  attr_accessor :authenticated
+  
+  before_filter :block_access
+  
+  def access_forbidden
+    head :forbidden
+    false
+  end
+  
+  def logger
+    @logger ||= Logger.new('/dev/null')
+  end
+  
+  def rescue_action(e) raise e end;
+end

data/test/controllers/authenticated_controller.rb

@@ -0,0 +1,7 @@
+class AuthenticatedController < ApplicationController
+  allow_access :authenticated
+  
+  def index
+    head :ok
+  end
+end

data/test/controllers/broken_block_controller.rb

@@ -0,0 +1,10 @@
+class BrokenBlockController < ApplicationController
+  allow_access(:only => :index) { nil.unknown_method }
+  allow_access(:only => :show) { true }
+  allow_access(:authenticated, :only => :edit) { @authenticated.unknown_method }
+  allow_access(:admin, :only => :edit) { @authenticated.unknown_method }
+    
+  %w(index show edit).each do |name|
+    define_method(name) { head :ok }
+  end
+end

data/test/controllers/complicated_controller.rb

@@ -0,0 +1,8 @@
+class ComplicatedController < ApplicationController
+  allow_access :all, :only => :index
+  allow_access :authenticated, :only => [:show, :edit, :update], :user_resource => true
+  
+  %w(index show edit update).each do |name|
+    define_method(name) { head :ok }
+  end
+end

data/test/controllers/multiple_roles_controller.rb

@@ -0,0 +1,10 @@
+class MultipleRolesController < ApplicationController
+  allow_access :a, :b
+  allow_access [:c, :d]
+  allow_access [:e, :f], :only => :index
+  allow_access :g, :h, :only => :show
+  
+  %w(index show).each do |name|
+    define_method(name) { head 200 }
+  end
+end

data/test/controllers/public_controller.rb

@@ -0,0 +1,7 @@
+class PublicController < ApplicationController
+  allow_access
+  
+  def index
+    head :ok
+  end
+end

data/test/controllers/users_controller.rb

@@ -0,0 +1,13 @@
+class UsersController < ApplicationController
+  allow_access :admin
+  allow_access :editor, :only => [:index, :show]
+  allow_access(:guest, :only => :guest) { params[:action] == 'guest' }
+  allow_access :tester, :only => :show, :user_resource => true
+  allow_access :reader, :only => :show, :scope => :organization
+  allow_access :only => :listing
+  allow_access :only => :react
+  
+  %w(index show guest listing react).each do |name|
+    define_method(name) { head :ok }
+  end
+end

data/test/models/resource.rb

@@ -0,0 +1,33 @@
+class Resource
+  def initialize(hash={})
+    @attributes = {}
+    hash.each do |k,v|
+      self.send("#{k}=", v)
+    end
+  end
+  
+  def id
+    @attributes['id']
+  end
+  
+  def id=(value)
+    @attributes['id'] = value
+  end
+  
+  def method_missing(m, v=nil)
+    if m.to_s =~ /(.*)=$/
+      @attributes[$1] = v
+    else
+      if @attributes.has_key?(m.to_s)
+        @attributes[m.to_s]
+      else
+        raise NoMethodError, "We don't know anything about #{m}"
+      end
+    end
+  end
+  
+  alias_method :old_respond_to?, :respond_to?
+  def respond_to?(m)
+    old_respond_to?(m) or @attributes.has_key?(m.to_s)
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,45 @@
+module AuthorizationSanTest
+  module Initializer
+    VENDOR_RAILS = File.expand_path('../../../../rails', __FILE__)
+    OTHER_RAILS = File.expand_path('../../../rails', __FILE__)
+    PLUGIN_ROOT = File.expand_path('../../', __FILE__)
+    
+    def self.rails_directory
+      if File.exist?(VENDOR_RAILS)
+        VENDOR_RAILS
+      elsif File.exist?(OTHER_RAILS)
+        OTHER_RAILS
+      end
+    end
+    
+    def self.load_dependencies
+      $stdout.write('Loading Rails from ')
+      if rails_directory
+        puts rails_directory
+        $:.unshift(File.join(rails_directory, 'activesupport', 'lib'))
+        $:.unshift(File.join(rails_directory, 'activerecord', 'lib'))
+      else
+        puts 'rubygems'
+        require 'rubygems' rescue LoadError
+      end
+      
+      require 'test/unit'
+      require 'active_support'
+      require 'active_support/test_case'
+      require 'action_controller'
+      require 'action_controller/test_process'
+      
+      require File.join(PLUGIN_ROOT, 'rails', 'init')
+      
+      $:.unshift(File.join(PLUGIN_ROOT, 'lib'))
+      $:.unshift(File.join(PLUGIN_ROOT, 'test'))
+    end
+    
+    def self.start
+      load_dependencies
+      ActionController::Routing::Routes.reload rescue nil
+    end
+  end
+end
+
+AuthorizationSanTest::Initializer.start

metadata

@@ -0,0 +1,81 @@
+--- !ruby/object:Gem::Specification 
+name: authorization-san
+version: !ruby/object:Gem::Version 
+  version: 1.0.1
+platform: ruby
+authors: 
+- Manfred Stienstra
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-01-29 00:00:00 +01:00
+default_executable: 
+dependencies: []
+
+description: A plugin for authorization in a ReSTful application.
+email: manfred@fngtps.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE
+- README.rdoc
+files: 
+- LICENSE
+- README.rdoc
+- lib/authorization.rb
+- lib/authorization/allow_access.rb
+- lib/authorization/block_access.rb
+- rails/init.rb
+has_rdoc: true
+homepage: http://fingertips.github.com
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.5
+signing_key: 
+specification_version: 3
+summary: A plugin for authorization in a ReSTful application.
+test_files: 
+- test/cases/behaviour_test.rb
+- test/cases/internals_test.rb
+- test/cases/structural_test.rb
+- test/controllers/all.rb
+- test/controllers/application_controller.rb
+- test/controllers/authenticated_controller.rb
+- test/controllers/broken_block_controller.rb
+- test/controllers/complicated_controller.rb
+- test/controllers/multiple_roles_controller.rb
+- test/controllers/public_controller.rb
+- test/controllers/users_controller.rb
+- test/models/resource.rb
+- test/test_helper.rb
+- examples/administrations_controller.rb
+- examples/application.rb
+- examples/application_with_multiple_auth_methods.rb
+- examples/authenticated_controller.rb
+- examples/page_controller_with_full_policy.rb
+- examples/pages_controller.rb
+- examples/public_controller.rb
+- examples/users_controller.rb