authorization-san 2.0.1 → 2.1.0

data/lib/authorization/allow_access.rb

@@ -48,7 +48,11 @@ module Authorization
     #   end
     def allow_access(*args, &block)
       unless self.respond_to?(:access_allowed_for)
-        self.class_inheritable_accessor(:access_allowed_for)
+        if respond_to?(:class_attribute)
+          class_attribute :access_allowed_for
+        else
+          class_inheritable_accessor(:access_allowed_for)
+        end
         self.access_allowed_for = {}.with_indifferent_access
         send(:protected, :access_allowed_for, :access_allowed_for=)
       end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: authorization-san
 version: !ruby/object:Gem::Version 
-  hash: 13
+  hash: 11
   prerelease: 
   segments: 
   - 2
-  - 0
   - 1
-  version: 2.0.1
+  - 0
+  version: 2.1.0
 platform: ruby
 authors: 
 - Manfred Stienstra
@@ -15,8 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-03-02 00:00:00 +01:00
-default_executable: 
+date: 2011-11-17 00:00:00 Z
 dependencies: []
 
 description: A plugin for authorization in a ReSTful application.
@@ -36,32 +35,6 @@ files:
 - lib/authorization/block_access.rb
 - lib/authorization/deprecated.rb
 - rails/init.rb
-- examples/administrations_controller.rb
-- examples/application.rb
-- examples/application_with_multiple_auth_methods.rb
-- examples/authenticated_controller.rb
-- examples/page_controller_with_full_policy.rb
-- examples/pages_controller.rb
-- examples/public_controller.rb
-- examples/users_controller.rb
-- test/cases/behaviour_test.rb
-- test/cases/deprecated_test.rb
-- test/cases/internals_test.rb
-- test/cases/structural_test.rb
-- test/controllers/all.rb
-- test/controllers/application_controller.rb
-- test/controllers/authenticated_controller.rb
-- test/controllers/broken_block_controller.rb
-- test/controllers/complicated_controller.rb
-- test/controllers/multiple_roles_controller.rb
-- test/controllers/public_controller.rb
-- test/controllers/users_controller.rb
-- test/helpers/methods.rb
-- test/models/resource.rb
-- test/test_helper/rails2/test_helper.rb
-- test/test_helper/rails3/test_helper.rb
-- test/test_helper/shared.rb
-has_rdoc: true
 homepage: http://fingertips.github.com
 licenses: []
 
@@ -91,33 +64,9 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.5.2
+rubygems_version: 1.8.11
 signing_key: 
 specification_version: 3
 summary: A plugin for authorization in a ReSTful application.
-test_files: 
-- examples/administrations_controller.rb
-- examples/application.rb
-- examples/application_with_multiple_auth_methods.rb
-- examples/authenticated_controller.rb
-- examples/page_controller_with_full_policy.rb
-- examples/pages_controller.rb
-- examples/public_controller.rb
-- examples/users_controller.rb
-- test/cases/behaviour_test.rb
-- test/cases/deprecated_test.rb
-- test/cases/internals_test.rb
-- test/cases/structural_test.rb
-- test/controllers/all.rb
-- test/controllers/application_controller.rb
-- test/controllers/authenticated_controller.rb
-- test/controllers/broken_block_controller.rb
-- test/controllers/complicated_controller.rb
-- test/controllers/multiple_roles_controller.rb
-- test/controllers/public_controller.rb
-- test/controllers/users_controller.rb
-- test/helpers/methods.rb
-- test/models/resource.rb
-- test/test_helper/rails2/test_helper.rb
-- test/test_helper/rails3/test_helper.rb
-- test/test_helper/shared.rb
+test_files: []
+

data/examples/administrations_controller.rb

@@ -1,11 +0,0 @@
-# The administrations controller is nested under organizations (ie. /organizations/3214/administrations)
-class PagesController < ApplicationController
-  # The following rule only allows @authenticated if @authenticated.organization.id == params[:organization_id].
-  # Roughly translated this means that the authenticated user can only access resources belonging to its own
-  # organization.
-  allow_access :authenticated, :scope => :organization
-
-  def index
-    @administrations = @authenticated.organization.administrations
-  end
-end

data/examples/application.rb

@@ -1,22 +0,0 @@
-class ApplicationController < ActionController::Base
-  # You have to specify where you want these actions to appear in your filter chain. Make sure you :block_access
-  # before any sensitive processing occurs.
-  before_filter :find_authenticated, :block_access
-
-  private
-
-  # Find the authenticated user
-  def find_authenticated
-    @authenticated = authenticate_with_http_basic { |username, password| User.authenticate(username, password) }
-  end
-
-  # Access was forbidden to client requesting the resource. React to that appropriately. Note that this reply is very
-  # bare bones and you might want to return more elaborate responses in a real application.
-  def access_forbidden
-    if @authenticated.nil?
-      request_http_basic_authentication "Accounting"
-    else
-      head :forbidden
-    end
-  end
-end

data/examples/application_with_multiple_auth_methods.rb

@@ -1,33 +0,0 @@
-class ApplicationController < ActionController::Base
-  before_filter :find_authenticated, :block_access
-
-  private
-
-  # Find the authenticated user, cookie based authentication for browser users and HTTP Basic Authentication for
-  # API users. Note that this does not allow you to get HTML resources when logged in through Basic Auth.
-  def find_authenticated
-    respond_to do |format|
-      format.html do
-        @authenticated = Person.find_by_id session[:authenticated_id] unless session[:authenticated_id].nil?
-      end
-      format.xml do
-        @authenticated = authenticate_with_http_basic { |username, password| User.authenticate(username, password) }
-      end
-    end
-  end
-
-  # Access was forbidden to client requesting the resource. React to that appropriately. Note that this reply is very
-  # bare bones and you might want to return more elaborate responses in a real application.
-  def access_forbidden
-    unless @authenticated
-      # The user is not authenticated; ask for credentials
-      respond_to do |format|
-        format.html { redirect_to login_url }
-        format.xml { request_http_basic_authentication "Accounting" }
-      end
-    else
-      # The user is authentication but unauthorized for this resource
-      head :forbidden
-    end
-  end
-end

data/examples/authenticated_controller.rb

@@ -1,6 +0,0 @@
-class AuthenticatedController < ApplicationController
-  # Authenticated users can access all actions
-  allow_access :authenticated
-
-  def index; end
-end

data/examples/page_controller_with_full_policy.rb

@@ -1,28 +0,0 @@
-# The pages controller is a nest resource under users (ie. /users/12/pages)
-class PagesController < ApplicationController
-  # A user may only access her own index
-  allow_access(:authenticated, :only => :index) { @authenticated == @user }
-  # A user may only access her own pages
-  allow_access(:authenticated, :only => :show) { @authenticated == @page.user}
-
-  # Always find the user the pages are nested under before applying the rules
-  prepend_before_filter :find_user
-  # Find the page before applying the rules when the show action is called
-  prepend_before_filter :find_page, :only => :show
-
-  def index
-    @pages = @user.pages
-  end
-
-  def show; end
-
-  private
-
-  def find_user
-    @user = User.find params[:user_id]
-  end
-
-  def find_page
-    @page = Page.find params[:id]
-  end
-end

data/examples/pages_controller.rb

@@ -1,25 +0,0 @@
-# The pages controller is nested under users (ie. /users/12/pages)
-class PagesController < ApplicationController
-  # Users can only reach pages nested under their user_id. Note that this doesn't define the complete access policy,
-  # some of the authorization is still done in the actions. See pages_controller_with_full_policy.rb for an example
-  # of specifying everything in access rules.
-  allow_access(:authenticated) { @authenticated.to_param == params[:user_id].to_param }
-
-  before_filter :find_user
-
-  def index
-    @pages = @user.pages
-  end
-
-  def show
-    @page = @user.pages.find params[:id]
-  rescue ActiveRecord::RecordNotFound
-    head :forbidden
-  end
-
-  private
-
-  def find_user
-    @user = User.find params[:user_id]
-  end
-end

data/examples/public_controller.rb

@@ -1,6 +0,0 @@
-class PublicController < ApplicationController
-  # Everyone can access all actions
-  allow_access
-
-  def index; end
-end

data/examples/users_controller.rb

@@ -1,27 +0,0 @@
-class UsersController < ApplicationController
-  # The default is to deny all access. Every rule creates a 'hole' in this policy. You can specify multiple rules
-  # per role if you want.
-  
-  # The 'admin' role (@authenticated.role) has access to all the actions.
-  allow_access :admin
-  # The 'editor' role has access to the index and show action.
-  allow_access :editor, :only => [:index, :show]
-  # The 'user' role has access to the index, show, edit and update role only if the resource he's editing is the same
-  # as the user resource.
-  allow_access :user, :only => [:index, :show, :edit, :update], :user_resource => true
-  # The 'guest' role has access to the index and show action if the Proc returns true.
-  allow_access(:guest, :only => [:index, :show]) { @authenticated.valid_email? }
-  # Everyone can access the listing and the index action, the other actions can be accessed when it's not sunday.
-  allow_access :only => :listing
-  allow_access :only => :index
-  allow_access() { Time.now.strftime('%A') != 'Sunday' }
-  
-  def index; end
-  def listing; end
-  def new; end
-  def create; end
-  def show; end
-  def edit; end
-  def update; end
-  def destroy; end
-end

data/test/cases/behaviour_test.rb

@@ -1,183 +0,0 @@
-require 'test_helper'
-
-require 'controllers/all'
-require 'models/resource'
-
-class BehaviourTest < ActionController::TestCase
-  test "access is denied for nonexistant actions without an access rule" do
-    begin
-      tests UsersController, :authenticated => Resource.new(:role => :tester, :id => 1)
-      get :unknown, :id => 1
-      assert_response :forbidden
-    rescue AbstractController::ActionNotFound # Rails 3 behaves diffently to missing methods
-      assert true
-    end
-  end
-  
-  test "roles are properly checked" do
-    tests UsersController, :authenticated => Resource.new
-    {
-      [:admin, :index] => :ok,
-      [:admin, :show] => :ok,
-      [:admin, :guest] => :ok,
-      [:admin, :listing] => :ok,
-      [:admin, :react] => :ok,
-      [:editor, :index] => :ok,
-      [:editor, :guest] => :forbidden,
-      [:editor, :listing] => :ok,
-      [:editor, :react] => :ok,
-      [:guest, :index] => :forbidden,
-      [:guest, :guest] => :ok,
-      [:guest, :listing] => :ok,
-      [:guest, :react] => :ok,
-      [:user, :listing] => :ok,
-      [:user, :react] => :ok,
-      [:user, :index] => :forbidden,
-    }.each do |(role, action), status|
-      @controller.authenticated.role = role
-      get action
-      assert_response status
-    end
-  end
-  
-  test "authenticated is allowed to access its own resource" do
-    tests UsersController, :authenticated => Resource.new(:role => :tester, :id => 1)
-    get :show, :id => 1
-    assert_response :ok
-  end
-  
-  test "authenticated is not allowed to access other users" do
-    tests UsersController, :authenticated => Resource.new(:role => :tester, :id => 1)
-    get :show, :id => 2
-    assert_response :forbidden
-  end
-  
-  test "authenticated is allowed to access within the defined scope" do
-    tests UsersController, :authenticated => Resource.new(:role => :reader, :organization => Resource.new(:id => 1))
-    get :show, :organization_id => 1
-    assert_response :success
-  end
-  
-  test "authenticated is not allowed to access outside of the defined scope" do
-    tests UsersController, :authenticated => Resource.new(:role => :tester, :id => 1)
-    get :show, :organization_id => 2
-    assert_response :forbidden
-  end
-  test "rule without restrictions opens up the whole controller" do
-    tests PublicController
-    get :index
-    assert_response :ok
-  end
-  
-  test "rule with special role :authenticated allows when @authenticated is truthy" do
-    tests AuthenticatedController, :authenticated => true
-    get :index
-    assert_response :ok
-  end
-  
-  test "rule with special role :authenticated disallows when @authenticated is not truthy" do
-    tests AuthenticatedController, :authenticated => false
-    get :index
-    assert_response :forbidden
-  end
-  
-  test "rule with broken block should raise an exception when evaluated" do
-    tests BrokenBlockController
-    assert_raises(NoMethodError) do
-      get :index
-    end
-  end
-  
-  test "rule with block should only be evaluated when the action matches" do
-    tests BrokenBlockController
-    assert_nothing_raised do
-      get :show
-    end
-  end
-  
-  test "rule with block should only be evaluated when the role matches" do
-    tests BrokenBlockController, :authenticated => Resource.new(:role => :admin)
-    assert_nothing_raised do
-      get :show
-    end
-  end
-  
-  test "rule with block should only be evaluated when the special role matches" do
-    tests BrokenBlockController, :authenticated => true
-    assert_nothing_raised do
-      get :show
-    end
-  end
-  
-  test "rule with multiple roles" do
-    tests MultipleRolesController, :authenticated => Resource.new
-    {
-      [:a, :index] => :ok,
-      [:b, :index] => :ok,
-      [:c, :index] => :ok,
-      [:d, :index] => :ok,
-      [:e, :index] => :ok,
-      [:f, :index] => :ok,
-      [:e, :show] => :forbidden,
-      [:f, :show] => :forbidden,
-      [:g, :index] => :forbidden,
-      [:h, :index] => :forbidden,
-      [:g, :show] => :ok,
-      [:h, :show] => :ok,
-    }.each do |(role, action), status|
-      @controller.authenticated.role = role
-      get action
-      assert_response status
-    end
-  end
-  
-  test "rule with special role, user resource and action restriction, should disallow unauthenticated" do
-    tests ComplicatedController
-    get :show, :id => 1
-    assert_response :forbidden
-  end
-  
-  test "rule with special role, user resource and action restriction, should disallow incorrect user" do
-    tests ComplicatedController, :authenticated => Resource.new(:id => 2)
-    get :show, :id => 1
-    assert_response :forbidden
-  end
-  
-  test "rule with special role, user resource and action restriction, should allow correct user" do
-    tests ComplicatedController, :authenticated => Resource.new(:id => 1)
-    get :show, :id => 1
-    assert_response :ok
-  end
-  
-  test "controller with rule about special role, user resource and action restriction, should allow open actions" do
-    tests ComplicatedController
-    get :index
-    assert_response :ok
-  end
-  
-  class ActionController::Base
-    class << self
-      attr_accessor :_routes
-    end
-  end
-  
-  private
-  
-  def tests(controller, options={})
-    @request = ActionController::TestRequest.new
-    @response = ActionController::TestResponse.new
-    @controller ||= controller.new rescue nil
-    
-    if defined?(ActionDispatch)
-      @routes = ActionDispatch::Routing::RouteSet.new
-      @routes.draw { match ':controller(/:action(/:id(.:format)))' }
-      @routes.finalize!
-      controller._routes = @routes
-    end
-    
-    @controller.request = @request
-    @controller.params = {}
-    
-    @controller.authenticated = options[:authenticated]
-  end
-end

data/test/cases/deprecated_test.rb

@@ -1,127 +0,0 @@
-require 'test_helper'
-
-require 'models/resource'
-require 'helpers/methods'
-
-class DeprecatedTest < ActiveSupport::TestCase
-  include Authorization::BlockAccess
-  include MethodsHelpers
-  
-  test "action_allowed? sanity" do
-    @access_allowed_for = {
-      :admin => [{
-          :directives => {}
-        }],
-      :editor => [{
-          :directives => {:only => :index}
-        }],
-      :complex => [
-          {:directives => {:only => :index}},
-          {:directives => {:only => :show}}
-        ],
-      :all => [{
-          :directives => {:only => :listing}
-        }]
-      }
-    assert_action_allowed({
-      [:admin, :index] => true,
-      [:admin, :show] => true,
-      [:admin, :unknown] => true,
-      [:editor, :unknown] => false,
-      [:editor, :index] => true,
-      [:all, :index] => false,
-      [:all, :unknown] => false,
-      [:all, :listing] => true,
-      [:complex, :index] => true,
-      [:complex, :show] => true,
-      [:complex, :unknown] => false
-      })
-  end
-  
-  test "action_allowed? sanity with directives" do
-    @access_allowed_for = {:all => [{:directives => {}}] }
-    assert_action_allowed({
-      [:admin, :index] => false,
-      [:all, :show] => true,
-      [:unknown, :show] => false
-    })
-  end
-  
-  test "action_allowed? sanity without directives" do
-    @access_allowed_for = {}
-    assert_action_allowed({
-      [:admin, :index] => false,
-      [:all, :show] => false,
-      [:show, :unknown] => false
-    })
-  end
-  
-  test "action_allowed? breaks when no rules are defined" do
-    @access_allowed_for = nil
-    params = HashWithIndifferentAccess.new :action => :something
-    assert_raises(ArgumentError) { action_allowed?(params, :something) }
-  end
-  
-  test "resource_allowed? sanity with :authenticated directive" do
-    @access_allowed_for = {
-      :all => [{
-        :directives => {:authenticated => true}
-      }]
-    }
-    assert !resource_allowed?({}, :admin, nil)
-    assert !resource_allowed?({}, :admin, true)
-    assert resource_allowed?({}, :all, true)
-    assert resource_allowed?({:action => :edit}, :all, true)
-  end
-  
-  test "resource_allowed? sanity with :user_resource directive" do
-    @access_allowed_for = {
-      :user => [{
-        :directives => {:only => [:index, :show], :user_resource => true}
-        }]
-      }
-    assert_resource_allowed({
-      [{}, :admin, {}] => false,
-      [{:id => 1}, :admin, {:id => 1}] => false,
-      [{}, :admin, {:id => 1}] => false,
-      [{:id => 1}, :admin, {}] => false,
-      [{}, :user, {}] => false,
-      [{:id => 1}, :user, {:id => 1}] => true,
-      [{:id => 2}, :user, {:id => 1}] => false,
-      [{:id => 1}, :user, {:id => 2}] => false,
-      [{}, :user, {:id => 1}] => false,
-      [{:id => 1}, :user, {}] => false,
-    })
-  end
-  
-  test "resource_allowed? sanity with :scope directive" do
-    @access_allowed_for = {
-      :user => [{
-        :directives => {:only => [:index, :show], :scope => :organization}
-        }]
-      }
-    assert_resource_allowed({
-      [{}, :admin, {}] => false,
-      [{:organization_id => 1}, :admin, {:organization => Resource.new({:id => 1})}] => false,
-      [{}, :admin, {:organization => Resource.new({:id => 1})}] => false,
-      [{:organization_id => 1}, :admin, {}] => false,
-      [{}, :user, {}] => false,
-      [{:organization_id => 1}, :user, {:organization => Resource.new({:id => 1})}] => true,
-      [{}, :user, {:organization => Resource.new({:id => 1})}] => false,
-      [{:organization_id => 1}, :user, {}] => false,
-      [{:organization_id => 2}, :user, {:organization => Resource.new({:id => 1})}] => false,
-      [{:organization_id => 1}, :user, {:organization => Resource.new({:id => 2})}] => false,
-    })
-  end
-  
-  test "block_allowed? sanity" do
-    @access_allowed_for = {
-      :admin => [{:block => self.class.instance_method(:do_true)}],
-      :all => [{:block => self.class.instance_method(:do_false)}]
-    }
-    assert_block_allowed({
-      :admin => true,
-      :all => false
-    })
-  end
-end

data/test/cases/internals_test.rb

@@ -1,223 +0,0 @@
-require 'test_helper'
-
-require 'models/resource'
-require 'helpers/methods'
-
-class BlockAccessTest < ActiveSupport::TestCase
-  include Authorization::BlockAccess
-  include MethodsHelpers
-  
-  test "block_access sanity" do
-    @access_allowed_for = {
-      :admin => [{
-          :directives => {}
-        }],
-      :editor => [{
-          :directives => {:only => :index}
-        }],
-      :blocked_guest => [{
-          :directives => {:only => :index},
-          :block => self.class.instance_method(:do_false)
-        }],
-      :open_guest => [{
-          :directives => {:only => :index},
-          :block => self.class.instance_method(:do_true)
-        }],
-      :complex => [
-          {:directives => {:only => :index}},
-          {:directives => {:only => :show}}
-        ],
-      :all => [{
-          :directives => {:only => :listing}
-        }]
-      }
-    assert_block_access({
-      [:admin, :index] => true,
-      [:admin, :show] => true,
-      [:admin, :unknown] => true,
-      [:editor, :unknown] => false,
-      [:editor, :index] => true,
-      [:blocked_guest, :index] => false,
-      [:blocked_guest, :unknown] => false,
-      [:open_guest, :index] => true,
-      [:open_guest, :unknown] => false,
-      [:all, :index] => false,
-      [:all, :unknown] => false,
-      [:all, :listing] => true,
-      [:complex, :index] => true,
-      [:complex, :show] => true,
-      [:complex, :unknown] => false
-      })
-  end
-  
-  test "block_access breaks when no rules are defined" do
-    @access_allowed_for = nil
-    assert_raises(ArgumentError) { block_access }
-  end
-  
-  test "access is denied when there are no rules" do
-    @access_allowed_for = {}
-    assert !block_access
-  end
-  
-  test "access is granted when authenticated has role and accessor and a rule matches accessor" do
-    @authenticated = Resource.new(:role => 'user', :'special?' => true)
-    set_rules(:special => [{:directives => {}}])
-    set_params(:action => :new)
-    assert block_access
-  end
-  
-  test "access is granted when authenticated has role and accessor and a rule matches role" do
-    @authenticated = Resource.new(:role => 'user', :'special?' => true)
-    set_rules(:user => [{:directives => {}}])
-    set_params(:action => :new)
-    assert block_access
-  end
-  
-  test "access is denied when authenticated has role and accessor and NO rule matches" do
-    @authenticated = Resource.new(:role => 'user', :'special?' => true)
-    set_rules(:admin => [{:directives => {}}])
-    set_params(:action => :new)
-    assert !block_access
-  end
-  
-  test "access is granted when authenticated has multiple accessors and a rule matches" do
-    @access_allowed_for = {:special => [{
-        :directives => {}
-      }]}
-    @authenticated = Resource.new(:'special?' => true, :'admin?' => true)
-    @params = { :action => :new }.with_indifferent_access
-    assert block_access
-  end
-end
-
-class AccessByRuleTest < ActiveSupport::TestCase
-  include Authorization::BlockAccess
-  include MethodsHelpers
-  
-  test "matches action when there are no restrictions on action" do
-    assert _matches_action?({}, :new)
-  end
-  
-  test "matches action when there are no restrictions on action and no action" do
-    assert _matches_action?({}, nil)
-  end
-  
-  test "matches action when there are inclusive restrictions on action (array)" do
-    assert _matches_action?({:only => [:index, :new, :create]}, :index)
-  end
-  
-  test "matches action when there are inclusive restrictions on action (symbol)" do
-    assert _matches_action?({:only => :index}, :index)
-  end
-  
-  test "matches action when there are exclusive restrictions on action (array)" do
-    assert _matches_action?({:except => [:update, :create, :delete]}, :index)
-  end
-  
-  test "matches action when there are exclusive restrictions on action (symbol)" do
-    assert _matches_action?({:except => :update}, :index)
-  end
-  
-  test "does not match action when there are inclusive restrictions on action (array)" do
-    assert !_matches_action?({:only => [:index, :new, :create]}, :update)
-  end
-  
-  test "does not match action when there are inclusive restrictions on action (symbol)" do
-    assert !_matches_action?({:only => :index}, :update)
-  end
-  
-  test "does not match action when there are exclusive restrictions on action (array)" do
-    assert !_matches_action?({:except => [:update, :create, :delete]}, :update)
-  end
-  
-  test "does not match action when there are exclusive restrictions on action (symbol)" do
-    assert !_matches_action?({:except => :update}, :update)
-  end
-  
-  test "accepts a block when it's not there" do
-    assert _block_is_successful?(nil)
-  end
-  
-  test "accepts a block when it returns true" do
-    assert _block_is_successful?(lambda { true })
-  end
-  
-  test "refuses a block when it returns false" do
-    assert !_block_is_successful?(lambda { false })
-  end
-  
-  test "matches scope when there is no scope" do
-    assert _matches_scope?(nil, {}, nil)
-  end
-  
-  test "matches scope when the object ID matches the ID in the params" do
-    assert _matches_scope?(:organization,
-      {:organization_id => 12}.with_indifferent_access,
-      Resource.new(:organization => Resource.new(:id => 12)))
-  end
-  
-  test "does not match scope when the ID in the params is blank" do
-    assert !_matches_scope?(:organization,
-      {}.with_indifferent_access,
-      Resource.new(:organization => Resource.new(:id => 12)))
-  end
-  
-  test "does not match scope when the object ID is nil" do
-    assert !_matches_scope?(:organization,
-      {:organization_id => 12}.with_indifferent_access,
-      Resource.new(:organization => Resource.new(:id => nil)))
-  end
-  
-  test "does not match scope when both params are blank and the object ID is nil" do
-    assert !_matches_scope?(:organization,
-      {}.with_indifferent_access,
-      Resource.new(:organization => Resource.new(:id => nil)))
-  end
-  
-  test "does not match scope when the object ID does not match the ID in the params" do
-    assert !_matches_scope?(:organization,
-      {:organization_id => 32 }.with_indifferent_access,
-      Resource.new(:organization => Resource.new(:id => 65)))
-  end
-  
-  test "matches user resource when it doesn't have to run" do
-    assert _matches_user_resource?(false, {}, nil)
-  end
-  
-  test "matches user resource when it matches the params" do
-    assert _matches_user_resource?(true, {:id => 12}.with_indifferent_access, Resource.new(:id => 12))
-  end
-  
-  test "does not match user resource when the params are empty" do
-    assert !_matches_user_resource?(true, {}.with_indifferent_access, Resource.new(:id => 12))
-  end
-  
-  test "does not match user resource when the params are wrong" do
-    assert !_matches_user_resource?(true, {:id => 32}.with_indifferent_access, Resource.new(:id => 12))
-  end
-  
-  test "does not match user resource when the resource has no ID" do
-    assert !_matches_user_resource?(true, {:id => 12}.with_indifferent_access, Resource.new(:id => nil))
-  end
-  
-  test "matches authenticated requirement when it doesn't have to run (boolean)" do
-    assert _matches_authenticated_requirement?(false, nil)
-  end
-  
-  test "matches authenticated requirement when it doesn't have to run (nil)" do
-    assert _matches_authenticated_requirement?(nil, nil)
-  end
-  
-  test "matches authenticated requirement when authenticated is thruthy" do
-    assert _matches_authenticated_requirement?(true, Resource.new)
-  end
-  
-  test "does not match authenticated requirement when authenticated is not thruthy (boolean)" do
-    assert !_matches_authenticated_requirement?(true, false)
-  end
-  
-  test "does not match authenticated requirement when authenticated is not thruthy (nil)" do
-    assert !_matches_authenticated_requirement?(true, nil)
-  end
-end

data/test/cases/structural_test.rb

@@ -1,21 +0,0 @@
-require 'test_helper'
-
-require 'controllers/application_controller'
-require 'controllers/users_controller'
-require 'models/resource'
-
-class StructuralTest < ActionController::TestCase
-  tests UsersController
-  
-  def setup
-    @controller.authenticated = Resource.new(:role => :admin)
-  end
-  
-  test "rules should be in place" do
-    assert @controller.__send__(:access_allowed_for)
-  end
-  
-  test "role accessors should not be public" do
-    assert @acontroller.public_methods.grep(/access_allowed_for/).empty?
-  end
-end

data/test/controllers/all.rb

@@ -1,7 +0,0 @@
-require 'controllers/application_controller'
-require 'controllers/authenticated_controller'
-require 'controllers/broken_block_controller'
-require 'controllers/complicated_controller'
-require 'controllers/public_controller'
-require 'controllers/multiple_roles_controller'
-require 'controllers/users_controller'

data/test/controllers/application_controller.rb

@@ -1,16 +0,0 @@
-class ApplicationController < ActionController::Base
-  attr_accessor :authenticated
-  
-  before_filter :block_access
-  
-  def access_forbidden
-    head :forbidden
-    false
-  end
-  
-  def logger
-    @logger ||= Logger.new('/dev/null')
-  end
-  
-  def rescue_action(e) raise e end;
-end

data/test/controllers/authenticated_controller.rb

@@ -1,7 +0,0 @@
-class AuthenticatedController < ApplicationController
-  allow_access :authenticated
-  
-  def index
-    head :ok
-  end
-end

data/test/controllers/broken_block_controller.rb

@@ -1,10 +0,0 @@
-class BrokenBlockController < ApplicationController
-  allow_access(:only => :index) { nil.unknown_method }
-  allow_access(:only => :show) { true }
-  allow_access(:authenticated, :only => :edit) { @authenticated.unknown_method }
-  allow_access(:admin, :only => :edit) { @authenticated.unknown_method }
-    
-  %w(index show edit).each do |name|
-    define_method(name) { head :ok }
-  end
-end

data/test/controllers/complicated_controller.rb

@@ -1,8 +0,0 @@
-class ComplicatedController < ApplicationController
-  allow_access :all, :only => :index
-  allow_access :authenticated, :only => [:show, :edit, :update], :user_resource => true
-  
-  %w(index show edit update).each do |name|
-    define_method(name) { head :ok }
-  end
-end

data/test/controllers/multiple_roles_controller.rb

@@ -1,10 +0,0 @@
-class MultipleRolesController < ApplicationController
-  allow_access :a, :b
-  allow_access [:c, :d]
-  allow_access [:e, :f], :only => :index
-  allow_access :g, :h, :only => :show
-  
-  %w(index show).each do |name|
-    define_method(name) { head 200 }
-  end
-end

data/test/controllers/public_controller.rb

@@ -1,7 +0,0 @@
-class PublicController < ApplicationController
-  allow_access
-  
-  def index
-    head :ok
-  end
-end

data/test/controllers/users_controller.rb

@@ -1,13 +0,0 @@
-class UsersController < ApplicationController
-  allow_access :admin
-  allow_access :editor, :only => [:index, :show]
-  allow_access(:guest, :only => :guest) { params[:action] == 'guest' }
-  allow_access :tester, :only => :show, :user_resource => true
-  allow_access :reader, :only => :show, :scope => :organization
-  allow_access :only => :listing
-  allow_access :only => :react
-  
-  %w(index show guest listing react).each do |name|
-    define_method(name) { head :ok }
-  end
-end

data/test/helpers/methods.rb

@@ -1,52 +0,0 @@
-module MethodsHelpers
-  attr_reader :access_allowed_for, :params
-  
-  def logger
-    @logger ||= Logger.new('/dev/null')
-  end
-  
-  def do_false
-    false
-  end
-  
-  def do_true
-    true
-  end
-  
-  def set_rules(rules)
-    @access_allowed_for = rules.with_indifferent_access
-  end
-  
-  def set_params(params)
-    @params = params.with_indifferent_access
-  end
-  
-  def assert_action_allowed(h)
-    h.each do |(role, action), value|
-      params = {:action => action}.with_indifferent_access
-      assert_equal(value, action_allowed?(params, role), "Expected #{role} to access #{action} with params #{params.inspect}")
-    end
-  end
-  
-  def assert_resource_allowed(h)
-    h.each do |(params, role, authenticated), value|
-      params        = params.with_indifferent_access
-      authenticated = authenticated ? Resource.new(authenticated) : nil
-      assert_equal(value, resource_allowed?(params, role, authenticated), "Expected #{role} #{authenticated} to access #{params.inspect}")
-    end
-  end
-  
-  def assert_block_allowed(h)
-    h.each do |role, value|
-      assert_equal value, block_allowed?(role)
-    end
-  end
-  
-  def assert_block_access(h)
-    h.each do |(role, action), expected|
-      @authenticated = Resource.new(:role => role)
-      @params = {:action => action}.with_indifferent_access
-      assert_equal(expected, block_access, "Expected #{role} #{@authenticated} #{expected ? '' : 'NOT '}to access #{action}")
-    end
-  end
-end

data/test/models/resource.rb

@@ -1,37 +0,0 @@
-class Resource
-  def initialize(hash={})
-    @attributes = {}
-    hash.each do |k,v|
-      self.send("#{k}=", v)
-    end
-  end
-  
-  def id
-    @attributes['id']
-  end
-  
-  def id=(value)
-    @attributes['id'] = value
-  end
-  
-  def to_s
-    "#<Resource:#{object_id} #{@attributes.inspect}>"
-  end
-  
-  def method_missing(m, v=nil)
-    if m.to_s =~ /(.*)=$/
-      @attributes[$1] = v
-    else
-      if @attributes.has_key?(m.to_s)
-        @attributes[m.to_s]
-      else
-        raise NoMethodError, "We don't know anything about #{m}"
-      end
-    end
-  end
-  
-  alias_method :old_respond_to?, :respond_to?
-  def respond_to?(m)
-    old_respond_to?(m) or @attributes.has_key?(m.to_s)
-  end
-end

data/test/test_helper/rails2/test_helper.rb

@@ -1,29 +0,0 @@
-require File.expand_path('../../shared', __FILE__)
-
-module AuthorizationSanTest
-  module Initializer
-    def self.load_dependencies
-      if rails_directory
-        $:.unshift(File.join(rails_directory, 'activesupport', 'lib'))
-        $:.unshift(File.join(rails_directory, 'activerecord', 'lib'))
-      else
-        require 'rubygems'
-        gem 'rails', '< 3.0'
-      end
-      
-      require 'test/unit'
-      
-      require 'active_support'
-      require 'active_support/test_case'
-      require 'active_record'
-      require 'active_record/test_case'
-      require 'active_record/base' # this is needed because of dependency hell
-      require 'action_controller'
-      
-      $:.unshift File.expand_path('../../lib', __FILE__)
-      require File.join(PLUGIN_ROOT, 'rails', 'init')
-    end
-  end
-end
-
-AuthorizationSanTest::Initializer.start

data/test/test_helper/rails3/test_helper.rb

@@ -1,29 +0,0 @@
-require File.expand_path('../../shared', __FILE__)
-
-module AuthorizationSanTest
-  module Initializer
-    def self.load_dependencies
-      if rails_directory
-        $:.unshift(File.join(rails_directory, 'activesupport', 'lib'))
-        $:.unshift(File.join(rails_directory, 'activerecord', 'lib'))
-      else
-        require 'rubygems'
-        gem 'rails', '> 3.0'
-      end
-      
-      require 'test/unit'
-      
-      require 'active_support'
-      require 'active_support/test_case'
-      require 'active_record'
-      require 'active_record/test_case'
-      require 'active_record/base' # this is needed because of dependency hell
-      require 'action_controller'
-      
-      $:.unshift File.expand_path('../../lib', __FILE__)
-      require File.join(PLUGIN_ROOT, 'rails', 'init')
-    end
-  end
-end
-
-AuthorizationSanTest::Initializer.start

data/test/test_helper/shared.rb

@@ -1,17 +0,0 @@
-module AuthorizationSanTest
-  module Initializer
-    VENDOR_RAILS = File.expand_path('../../../../../rails', __FILE__)
-    PLUGIN_ROOT = File.expand_path('../../../', __FILE__)
-    
-    def self.rails_directory
-      if File.exist?(VENDOR_RAILS)
-        VENDOR_RAILS
-      end
-    end
-    
-    def self.start
-      load_dependencies
-      ActionController::Routing::Routes.reload rescue nil
-    end
-  end
-end