authorization-san 1.0.2 → 2.0.0

data/LICENSE

@@ -1,4 +1,4 @@
-(c) 2009 Fingertips, Manfred Stienstra <m.stienstra@fngtps.com>
+(c) 2011 Fingertips, Manfred Stienstra <m.stienstra@fngtps.com>
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to

data/lib/authorization/allow_access.rb

@@ -49,29 +49,29 @@ module Authorization
     def allow_access(*args, &block)
       unless self.respond_to?(:access_allowed_for)
         self.class_inheritable_accessor(:access_allowed_for)
+        self.access_allowed_for = {}.with_indifferent_access
         send(:protected, :access_allowed_for, :access_allowed_for=)
       end
-      self.access_allowed_for ||= HashWithIndifferentAccess.new
+      
       if args.first.kind_of?(Hash) || args.empty?
-        self.access_allowed_for[:all] ||= []
-        self.access_allowed_for[:all] << {
-          :directives => args.first || {},
-          :block => block
-        }
+        directives = args.first || {}
+        roles = ['all']
       else
         directives = args.extract_options!
         roles = args.flatten
-        if roles.delete(:authenticated) or roles.delete('authenticated')
-          roles = [:all] if roles.empty?
-          directives[:authenticated] = true
-        end
-        roles.each do |role|
-          self.access_allowed_for[role.to_s] ||= []
-          self.access_allowed_for[role.to_s] << {
-            :directives => directives,
-            :block => block
-          }
-        end
+      end
+      
+      if roles.delete(:authenticated) or roles.delete('authenticated')
+        directives[:authenticated] = true
+        roles = ['all'] if roles.empty?
+      end
+      
+      roles.each do |role|
+        self.access_allowed_for[role] ||= []
+        self.access_allowed_for[role] << {
+          :directives => directives,
+          :block => block
+        }
       end
     end
   end

data/lib/authorization/block_access.rb

@@ -2,132 +2,107 @@ module Authorization
   module BlockAccess
     protected
 
+    def die_if_undefined #:nodoc:
+      if !self.respond_to?(:access_allowed_for) or access_allowed_for.nil?
+        raise ArgumentError, "Please specify access control using `allow_access' in the controller"
+      end
+    end
+
     # Block access to all actions in the controller, designed to be used as a <tt>before_filter</tt>.
+    #
     #   class ApplicationController < ActionController::Base
     #     before_filter :block_access
     #   end
+    #
+    # When there are no rules to allow the client on the requested resource it calls
+    # +access_forbidden+. You can override +access_forbidden+ to halt the filter
+    # chain or do something else.
+    #
+    # The +block_access+ method returns +true+ when access was granted. It returns
+    # the same thing as +access_forbidden+ when access was forbidden.
     def block_access
       die_if_undefined
       unless @authenticated.nil?
-        # Find the user's roles
-        roles = []
-        roles << @authenticated.role if @authenticated.respond_to?(:role)
-        access_allowed_for.keys.each do |role|
-           roles << role.to_s if @authenticated.respond_to?("#{role}?") and @authenticated.send("#{role}?")
+        if @authenticated.respond_to?(:role)
+          return true if _access_allowed?(params, @authenticated.role, @authenticated)
         end
-        # Check if any of the roles give her access
-        roles.each do |role|
-          return true if access_allowed?(params, role, @authenticated)
+        access_allowed_for.keys.each do |role|
+          if @authenticated.respond_to?("#{role}?") and @authenticated.send("#{role}?")
+            return true if _access_allowed?(params, role, @authenticated)
+          end
         end
       end
-      return true if access_allowed?(params, :all, @authenticated)
-      access_forbidden
+      _access_allowed?(params, :all, @authenticated) ? true : access_forbidden
     end
 
-    # Checks if access is allowed for the params, role and authenticated user.
-    #   access_allowed?({:action => :show, :id => 1}, :admin, @authenticated)
-    def access_allowed?(params, role, authenticated=nil)
-      die_if_undefined
-      if (rules = access_allowed_for[role]).nil?
-        logger.debug("  \e[31mCan't find rules for `#{role}'\e[0m")
-        return false
+    def _matches_action?(directives, action) #:nodoc:
+      if directives[:only]
+        directives[:only] == action or (directives[:only].respond_to?(:include?) and directives[:only].include?(action))
+      elsif directives[:except]
+        directives[:except] != action and !(directives[:except].respond_to?(:include?) and directives[:except].include?(action))
+      else
+        true
       end
-      !rules.detect do |rule|
-        if !action_allowed_by_rule?(rule, params, role) or !resource_allowed_by_rule?(rule, params, role, authenticated) or !block_allowed_by_rule?(rule)
-          logger.debug("  \e[31mAccess DENIED by RULE #{rule.inspect} FOR `#{role}'\e[0m")
-          false
-        else
-          logger.debug("  \e[32mAccess GRANTED by RULE #{rule.inspect} FOR `#{role}'\e[0m")
-          true
-        end
-      end.nil?
     end
-
-    # <tt>access_forbidden</tt> is called by <tt>block_access</tt> when access is forbidden. This method does
-    # nothing by default. Make sure you return <tt>false</tt> from the method if you want to halt the filter
-    # chain.
-    def access_forbidden
+    
+    def _matches_scope?(scope, params, authenticated) #:nodoc:
+      return true if scope.nil?
+      scope_id  = params["#{scope}_id"].to_i
+      object_id = authenticated.send(scope).id.to_i
+      (object_id > 0) and (scope_id == object_id)
+    rescue NoMethodError
       false
     end
+    
+    def _matches_user_resource?(run, params, authenticated) #:nodoc:
+      return true unless run
+      authenticated_id = authenticated ? authenticated.id.to_i : 0
+      (authenticated_id > 0) and (params[:id].to_i == authenticated_id)
+    end
+    
+    def _matches_authenticated_requirement?(run, authenticated) #:nodoc:
+      return true unless run
+      authenticated
+    end
 
-    # Checks if a certain action can be accessed by the role.
-    # If you want to check for <tt>action_allowed?</tt>, <tt>resource_allowed?</tt> and <tt>block_allowed?</tt>
-    # use <tt>access_allowed?</tt>.
-    #   action_allowed?({:action => :show, :id => 1}, :editor)
-    def action_allowed?(params, role=:all)
-      die_if_undefined
-      return false if (rules = access_allowed_for[role]).nil?
-      !rules.detect { |rule| action_allowed_by_rule?(rule, params, role) }.nil?
+    def _block_is_successful?(block) #:nodoc:
+      block ? block.bind(self).call : true
     end
 
-    def action_allowed_by_rule?(rule, params, role) #:nodoc:
-      return false if (action = params[:action]).nil?
+    def _access_allowed_with_rule?(rule, params, role, authenticated) #:nodoc:
+      action     = params[:action].to_sym
       directives = rule[:directives]
-      return false if directives[:only].kind_of?(Array) and !directives[:only].include?(action.to_sym)
-      return false if directives[:only].kind_of?(Symbol) and directives[:only] != action.to_sym
-      return false if directives[:except].kind_of?(Array) and directives[:except].include?(action.to_sym)
-      return false if directives[:except].kind_of?(Symbol) and directives[:except] == action.to_sym
-      true
+      _matches_action?(directives, action) and
+        _matches_scope?(directives[:scope], params, authenticated) and
+        _matches_user_resource?(directives[:user_resource], params, authenticated) and
+        _matches_authenticated_requirement?(directives[:authenticated], authenticated) and
+        _block_is_successful?(rule[:block])
     end
 
-    # Checks if the resource indicated by the params can be accessed by user.
-    # If you want to check for <tt>action_allowed?</tt>, <tt>resource_allowed?</tt> and <tt>block_allowed?</tt>
-    # use <tt>access_allowed?</tt>.
-    #   resource_allowed?({:id => 1, :organization_id => 12}, :guest, @authenticated)
-    def resource_allowed?(params, role=:all, user=nil)
-      user ||= @authenticated
+    def _access_allowed?(params, role, authenticated=nil) #:nodoc:
       die_if_undefined
-      return false if (rules = access_allowed_for[role]).nil?
-      !rules.detect { |rule| resource_allowed_by_rule?(rule, params, role, user) }.nil?
-    end
-
-    def resource_allowed_by_rule?(rule, params, role, user) #:nodoc:
-      directives = rule[:directives]
-      if directives[:authenticated]
-        return false unless user
-      end
-      begin
-        if directives[:user_resource]
-          return false if params[:id].nil? or user.id.nil?
-          return false if params[:id].to_i != user.id.to_i
-        end
-      rescue NoMethodError
-      end
-      begin
-        if scope = directives[:scope]
-          assoc_id = params["#{scope}_id"].to_i
-          begin
-            object_id = user.send(scope).id.to_i
-          rescue NoMethodError
-            return false
+      if rules = access_allowed_for[role]
+        rules.each do |rule|
+          if _access_allowed_with_rule?(rule, params, role, authenticated)
+            logger.debug("  \e[32mAccess GRANTED by RULE #{rule.inspect} FOR `#{role}'\e[0m")
+            return true
+          else
+            logger.debug("  \e[31mAccess DENIED by RULE #{rule.inspect} FOR `#{role}'\e[0m")
           end
-          return false if assoc_id.nil? or object_id.nil?
-          return false if assoc_id != object_id
         end
-      rescue NoMethodError
+      else
+        logger.debug("  \e[31mCan't find rules for `#{role}'\e[0m")
       end
-      true
-    end
-
-    # Checks if the blocks associated with the rules doesn't stop the user from acessing the resource.
-    # If you want to check for <tt>action_allowed?</tt>, <tt>resource_allowed?</tt> and <tt>block_allowed?</tt>
-    # use <tt>access_allowed?</tt>.
-    #   block_allowed?(:guest)
-    def block_allowed?(role)
-      die_if_undefined
-      return false if (rules = access_allowed_for[role]).nil?
-      !rules.detect { |rule| block_allowed_by_rule?(rule) }.nil?
-    end
-
-    def block_allowed_by_rule?(rule) #:nodoc:
-      return false if !rule[:block].nil? and !rule[:block].bind(self).call
-      true
+      false
     end
 
-    def die_if_undefined #:nodoc:
-      if !self.respond_to?(:access_allowed_for) or access_allowed_for.nil?
-        raise ArgumentError, "Please specify access control using `allow_access' in the controller"
-      end
+    # <tt>access_forbidden</tt> is called by <tt>block_access</tt> when access is forbidden. This method does
+    # nothing by default. Make sure you return <tt>false</tt> from the method if you want to halt the filter
+    # chain.
+    def access_forbidden
+      false
     end
   end
-end
+end
+
+require 'authorization/deprecated'

data/lib/authorization/deprecated.rb

@@ -0,0 +1,84 @@
+module Authorization
+  module BlockAccess
+    protected
+    # Checks if a certain action can be accessed by the role.
+    # If you want to check for <tt>action_allowed?</tt>, <tt>resource_allowed?</tt> and <tt>block_allowed?</tt>
+    # use <tt>access_allowed?</tt>.
+    #   action_allowed?({:action => :show, :id => 1}, :editor)
+    def action_allowed?(params, role=:all)
+      ::ActiveSupport::Deprecation.warn("action_allowed? has been deprecated.", caller)
+      die_if_undefined
+      return false if (rules = access_allowed_for[role]).nil?
+      !rules.detect { |rule| action_allowed_by_rule?(rule, params, role) }.nil?
+    end
+
+    def action_allowed_by_rule?(rule, params, role) #:nodoc:
+      ::ActiveSupport::Deprecation.warn("action_allowed_by_rule? has been deprecated.", caller)
+      return false if (action = params[:action]).nil?
+      directives = rule[:directives]
+      return false if directives[:only].kind_of?(Array) and !directives[:only].include?(action.to_sym)
+      return false if directives[:only].kind_of?(Symbol) and directives[:only] != action.to_sym
+      return false if directives[:except].kind_of?(Array) and directives[:except].include?(action.to_sym)
+      return false if directives[:except].kind_of?(Symbol) and directives[:except] == action.to_sym
+      true
+    end
+
+    # Checks if the resource indicated by the params can be accessed by user.
+    # If you want to check for <tt>action_allowed?</tt>, <tt>resource_allowed?</tt> and <tt>block_allowed?</tt>
+    # use <tt>access_allowed?</tt>.
+    #   resource_allowed?({:id => 1, :organization_id => 12}, :guest, @authenticated)
+    def resource_allowed?(params, role=:all, user=nil)
+      ::ActiveSupport::Deprecation.warn("resource_allowed? has been deprecated.", caller)
+      user ||= @authenticated
+      die_if_undefined
+      return false if (rules = access_allowed_for[role]).nil?
+      !rules.detect { |rule| resource_allowed_by_rule?(rule, params, role, user) }.nil?
+    end
+
+    def resource_allowed_by_rule?(rule, params, role, user) #:nodoc:
+      ::ActiveSupport::Deprecation.warn("resource_allowed_by_rule? has been deprecated.", caller)
+      directives = rule[:directives]
+      if directives[:authenticated]
+        return false unless user
+      end
+      begin
+        if directives[:user_resource]
+          return false if params[:id].nil? or user.id.nil?
+          return false if params[:id].to_i != user.id.to_i
+        end
+      rescue NoMethodError
+      end
+      begin
+        if scope = directives[:scope]
+          assoc_id = params["#{scope}_id"].to_i
+          begin
+            object_id = user.send(scope).id.to_i
+          rescue NoMethodError
+            return false
+          end
+          return false if assoc_id.nil? or object_id.nil?
+          return false if assoc_id != object_id
+        end
+      rescue NoMethodError
+      end
+      true
+    end
+
+    # Checks if the blocks associated with the rules doesn't stop the user from acessing the resource.
+    # If you want to check for <tt>action_allowed?</tt>, <tt>resource_allowed?</tt> and <tt>block_allowed?</tt>
+    # use <tt>access_allowed?</tt>.
+    #   block_allowed?(:guest)
+    def block_allowed?(role)
+      ::ActiveSupport::Deprecation.warn("block_allowed? has been deprecated.", caller)
+      die_if_undefined
+      return false if (rules = access_allowed_for[role]).nil?
+      !rules.detect { |rule| block_allowed_by_rule?(rule) }.nil?
+    end
+
+    def block_allowed_by_rule?(rule) #:nodoc:
+      ::ActiveSupport::Deprecation.warn("block_allowed_by_rule? has been deprecated.", caller)
+      return false if !rule[:block].nil? and !rule[:block].bind(self).call
+      true
+    end
+  end
+end

data/test/cases/behaviour_test.rb

@@ -1,13 +1,17 @@
-require File.expand_path('../../test_helper', __FILE__)
+require 'test_helper'
 
 require 'controllers/all'
 require 'models/resource'
 
 class BehaviourTest < ActionController::TestCase
   test "access is denied for nonexistant actions without an access rule" do
-    tests UsersController, :authenticated => Resource.new(:role => :tester, :id => 1)
-    get :unknown, :id => 1
-    assert_response :forbidden
+    begin
+      tests UsersController, :authenticated => Resource.new(:role => :tester, :id => 1)
+      get :unknown, :id => 1
+      assert_response :forbidden
+    rescue AbstractController::ActionNotFound # Rails 3 behaves diffently to missing methods
+      assert true
+    end
   end
   
   test "roles are properly checked" do
@@ -151,6 +155,12 @@ class BehaviourTest < ActionController::TestCase
     assert_response :ok
   end
   
+  class ActionController::Base
+    class << self
+      attr_accessor :_routes
+    end
+  end
+  
   private
   
   def tests(controller, options={})
@@ -158,9 +168,15 @@ class BehaviourTest < ActionController::TestCase
     @response = ActionController::TestResponse.new
     @controller ||= controller.new rescue nil
     
+    if defined?(ActionDispatch)
+      @routes = ActionDispatch::Routing::RouteSet.new
+      @routes.draw { match ':controller(/:action(/:id(.:format)))' }
+      @routes.finalize!
+      controller._routes = @routes
+    end
+    
     @controller.request = @request
     @controller.params = {}
-    @controller.send(:initialize_current_url)
     
     @controller.authenticated = options[:authenticated]
   end

data/test/cases/deprecated_test.rb

@@ -0,0 +1,127 @@
+require 'test_helper'
+
+require 'models/resource'
+require 'helpers/methods'
+
+class DeprecatedTest < ActiveSupport::TestCase
+  include Authorization::BlockAccess
+  include MethodsHelpers
+  
+  test "action_allowed? sanity" do
+    @access_allowed_for = {
+      :admin => [{
+          :directives => {}
+        }],
+      :editor => [{
+          :directives => {:only => :index}
+        }],
+      :complex => [
+          {:directives => {:only => :index}},
+          {:directives => {:only => :show}}
+        ],
+      :all => [{
+          :directives => {:only => :listing}
+        }]
+      }
+    assert_action_allowed({
+      [:admin, :index] => true,
+      [:admin, :show] => true,
+      [:admin, :unknown] => true,
+      [:editor, :unknown] => false,
+      [:editor, :index] => true,
+      [:all, :index] => false,
+      [:all, :unknown] => false,
+      [:all, :listing] => true,
+      [:complex, :index] => true,
+      [:complex, :show] => true,
+      [:complex, :unknown] => false
+      })
+  end
+  
+  test "action_allowed? sanity with directives" do
+    @access_allowed_for = {:all => [{:directives => {}}] }
+    assert_action_allowed({
+      [:admin, :index] => false,
+      [:all, :show] => true,
+      [:unknown, :show] => false
+    })
+  end
+  
+  test "action_allowed? sanity without directives" do
+    @access_allowed_for = {}
+    assert_action_allowed({
+      [:admin, :index] => false,
+      [:all, :show] => false,
+      [:show, :unknown] => false
+    })
+  end
+  
+  test "action_allowed? breaks when no rules are defined" do
+    @access_allowed_for = nil
+    params = HashWithIndifferentAccess.new :action => :something
+    assert_raises(ArgumentError) { action_allowed?(params, :something) }
+  end
+  
+  test "resource_allowed? sanity with :authenticated directive" do
+    @access_allowed_for = {
+      :all => [{
+        :directives => {:authenticated => true}
+      }]
+    }
+    assert !resource_allowed?({}, :admin, nil)
+    assert !resource_allowed?({}, :admin, true)
+    assert resource_allowed?({}, :all, true)
+    assert resource_allowed?({:action => :edit}, :all, true)
+  end
+  
+  test "resource_allowed? sanity with :user_resource directive" do
+    @access_allowed_for = {
+      :user => [{
+        :directives => {:only => [:index, :show], :user_resource => true}
+        }]
+      }
+    assert_resource_allowed({
+      [{}, :admin, {}] => false,
+      [{:id => 1}, :admin, {:id => 1}] => false,
+      [{}, :admin, {:id => 1}] => false,
+      [{:id => 1}, :admin, {}] => false,
+      [{}, :user, {}] => false,
+      [{:id => 1}, :user, {:id => 1}] => true,
+      [{:id => 2}, :user, {:id => 1}] => false,
+      [{:id => 1}, :user, {:id => 2}] => false,
+      [{}, :user, {:id => 1}] => false,
+      [{:id => 1}, :user, {}] => false,
+    })
+  end
+  
+  test "resource_allowed? sanity with :scope directive" do
+    @access_allowed_for = {
+      :user => [{
+        :directives => {:only => [:index, :show], :scope => :organization}
+        }]
+      }
+    assert_resource_allowed({
+      [{}, :admin, {}] => false,
+      [{:organization_id => 1}, :admin, {:organization => Resource.new({:id => 1})}] => false,
+      [{}, :admin, {:organization => Resource.new({:id => 1})}] => false,
+      [{:organization_id => 1}, :admin, {}] => false,
+      [{}, :user, {}] => false,
+      [{:organization_id => 1}, :user, {:organization => Resource.new({:id => 1})}] => true,
+      [{}, :user, {:organization => Resource.new({:id => 1})}] => false,
+      [{:organization_id => 1}, :user, {}] => false,
+      [{:organization_id => 2}, :user, {:organization => Resource.new({:id => 1})}] => false,
+      [{:organization_id => 1}, :user, {:organization => Resource.new({:id => 2})}] => false,
+    })
+  end
+  
+  test "block_allowed? sanity" do
+    @access_allowed_for = {
+      :admin => [{:block => self.class.instance_method(:do_true)}],
+      :all => [{:block => self.class.instance_method(:do_false)}]
+    }
+    assert_block_allowed({
+      :admin => true,
+      :all => false
+    })
+  end
+end

data/test/cases/internals_test.rb

@@ -1,146 +1,13 @@
-require File.expand_path('../../test_helper', __FILE__)
+require 'test_helper'
 
 require 'models/resource'
+require 'helpers/methods'
 
-class MethodsTest < ActiveSupport::TestCase
+class BlockAccessTest < ActiveSupport::TestCase
   include Authorization::BlockAccess
-  attr_accessor :params, :access_allowed_for
+  include MethodsHelpers
   
-  def logger
-    @logger ||= Logger.new('/dev/null')
-  end
-  
-  def do_false
-    false
-  end
-  
-  def do_true
-    true
-  end
-  
-  def test_action_allowed
-    @access_allowed_for = {
-      :admin => [{
-          :directives => {}
-        }],
-      :editor => [{
-          :directives => {:only => :index}
-        }],
-      :complex => [
-          {:directives => {:only => :index}},
-          {:directives => {:only => :show}}
-        ],
-      :all => [{
-          :directives => {:only => :listing}
-        }]
-      }
-    assert_action_allowed({
-      [:admin, :index] => true,
-      [:admin, :show] => true,
-      [:admin, :unknown] => true,
-      [:editor, :unknown] => false,
-      [:editor, :index] => true,
-      [:all, :index] => false,
-      [:all, :unknown] => false,
-      [:all, :listing] => true,
-      [:complex, :index] => true,
-      [:complex, :show] => true,
-      [:complex, :unknown] => false
-      })
-  end
-  
-  def test_action_allowed_open
-    @access_allowed_for = {:all => [{:directives => {}}] }
-    assert_action_allowed({
-      [:admin, :index] => false,
-      [:all, :show] => true,
-      [:unknown, :show] => false
-    })
-  end
-  
-  def test_action_allowed_closed
-    @access_allowed_for = {}
-    assert_action_allowed({
-      [:admin, :index] => false,
-      [:all, :show] => false,
-      [:show, :unknown] => false
-    })
-  end
-  
-  def test_action_allowed_nil
-    @access_allowed_for = nil
-    params = HashWithIndifferentAccess.new :action => :something
-    assert_raises(ArgumentError) { action_allowed?(params, :something) }
-  end
-  
-  def test_resource_allowed_user_resource
-    @access_allowed_for = {
-      :user => [{
-        :directives => {:only => [:index, :show], :user_resource => true}
-        }]
-      }
-    assert_resource_allowed({
-      [{}, :admin, {}] => false,
-      [{:id => 1}, :admin, {:id => 1}] => false,
-      [{}, :admin, {:id => 1}] => false,
-      [{:id => 1}, :admin, {}] => false,
-      [{}, :user, {}] => false,
-      [{:id => 1}, :user, {:id => 1}] => true,
-      [{:id => 2}, :user, {:id => 1}] => false,
-      [{:id => 1}, :user, {:id => 2}] => false,
-      [{}, :user, {:id => 1}] => false,
-      [{:id => 1}, :user, {}] => false,
-    })
-  end
-  
-  def test_resource_allowed_scope
-    @access_allowed_for = {
-      :user => [{
-        :directives => {:only => [:index, :show], :scope => :organization}
-        }]
-      }
-    assert_resource_allowed({
-      [{}, :admin, {}] => false,
-      [{:organization_id => 1}, :admin, {:organization => Resource.new({:id => 1})}] => false,
-      [{}, :admin, {:organization => Resource.new({:id => 1})}] => false,
-      [{:organization_id => 1}, :admin, {}] => false,
-      [{}, :user, {}] => false,
-      [{:organization_id => 1}, :user, {:organization => Resource.new({:id => 1})}] => true,
-      [{}, :user, {:organization => Resource.new({:id => 1})}] => false,
-      [{:organization_id => 1}, :user, {}] => false,
-      [{:organization_id => 2}, :user, {:organization => Resource.new({:id => 1})}] => false,
-      [{:organization_id => 1}, :user, {:organization => Resource.new({:id => 2})}] => false,
-    })
-  end
-  
-  def test_resource_allowed_authenticated
-    @access_allowed_for = {
-      :all => [{
-        :directives => {:authenticated => true}
-      }]
-    }
-    assert !resource_allowed?({}, :admin, nil)
-    assert !resource_allowed?({}, :admin, true)
-    assert resource_allowed?({}, :all, true)
-    assert resource_allowed?({:action => :edit}, :all, true)
-  end
-  
-  def test_block_allowed
-    @access_allowed_for = {
-      :admin => [{:block => MethodsTest.instance_method(:do_true)}],
-      :all => [{:block => MethodsTest.instance_method(:do_false)}]
-    }
-    assert_block_allowed({
-      :admin => true,
-      :all => false
-    })
-  end
-  
-  def test_access_forbidden
-    assert_equal false, access_forbidden
-  end
-  
-  def test_block_access
+  test "block_access sanity" do
     @access_allowed_for = {
       :admin => [{
           :directives => {}
@@ -150,11 +17,11 @@ class MethodsTest < ActiveSupport::TestCase
         }],
       :blocked_guest => [{
           :directives => {:only => :index},
-          :block => MethodsTest.instance_method(:do_false)
+          :block => self.class.instance_method(:do_false)
         }],
       :open_guest => [{
           :directives => {:only => :index},
-          :block => MethodsTest.instance_method(:do_true)
+          :block => self.class.instance_method(:do_true)
         }],
       :complex => [
           {:directives => {:only => :index}},
@@ -183,70 +50,174 @@ class MethodsTest < ActiveSupport::TestCase
       })
   end
   
-  def test_block_access_closed
+  test "block_access breaks when no rules are defined" do
+    @access_allowed_for = nil
+    assert_raises(ArgumentError) { block_access }
+  end
+  
+  test "access is denied when there are no rules" do
     @access_allowed_for = {}
-    assert_equal false, block_access
+    assert !block_access
   end
   
-  def test_block_access_nil
-    @access_allowed_for = nil
-    assert_raises(ArgumentError) { block_access }
+  test "access is granted when authenticated has role and accessor and a rule matches accessor" do
+    @authenticated = Resource.new(:role => 'user', :'special?' => true)
+    set_rules(:special => [{:directives => {}}])
+    set_params(:action => :new)
+    assert block_access
   end
   
-  def test_block_access_on_object_with_role_and_accessors_defined
-    @access_allowed_for = {:special => [{
-        :directives => {}
-      }]}
-    @authenticated = Resource.new :role => 'user', :'special?' => true
-    @params = HashWithIndifferentAccess.new :action => :new
+  test "access is granted when authenticated has role and accessor and a rule matches role" do
+    @authenticated = Resource.new(:role => 'user', :'special?' => true)
+    set_rules(:user => [{:directives => {}}])
+    set_params(:action => :new)
+    assert block_access
+  end
+  
+  test "access is denied when authenticated has role and accessor and NO rule matches" do
+    @authenticated = Resource.new(:role => 'user', :'special?' => true)
+    set_rules(:admin => [{:directives => {}}])
+    set_params(:action => :new)
     assert !block_access
   end
   
-  def test_block_access_on_object_with_multiple_block_accessors_defined
+  test "access is granted when authenticated has multiple accessors and a rule matches" do
     @access_allowed_for = {:special => [{
         :directives => {}
       }]}
-    @authenticated = Resource.new :'special?' => true, :'admin?' => true
-    @params = HashWithIndifferentAccess.new :action => :new
-    assert !block_access
+    @authenticated = Resource.new(:'special?' => true, :'admin?' => true)
+    @params = { :action => :new }.with_indifferent_access
+    assert block_access
   end
+end
+
+class AccessByRuleTest < ActiveSupport::TestCase
+  include Authorization::BlockAccess
+  include MethodsHelpers
   
-  def test_block_access_on_object_with_accessor_dined_on_role
-    @access_allowed_for = {:user => [{
-        :directives => {}
-      }]}
-    @authenticated = Resource.new :role => 'user', :'special?' => true
-    @params = HashWithIndifferentAccess.new :action => :new
-    assert !block_access
+  test "matches action when there are no restrictions on action" do
+    assert _matches_action?({}, :new)
+  end
+  
+  test "matches action when there are no restrictions on action and no action" do
+    assert _matches_action?({}, nil)
   end
   
-  private
+  test "matches action when there are inclusive restrictions on action (array)" do
+    assert _matches_action?({:only => [:index, :new, :create]}, :index)
+  end
+  
+  test "matches action when there are inclusive restrictions on action (symbol)" do
+    assert _matches_action?({:only => :index}, :index)
+  end
+  
+  test "matches action when there are exclusive restrictions on action (array)" do
+    assert _matches_action?({:except => [:update, :create, :delete]}, :index)
+  end
+  
+  test "matches action when there are exclusive restrictions on action (symbol)" do
+    assert _matches_action?({:except => :update}, :index)
+  end
+  
+  test "does not match action when there are inclusive restrictions on action (array)" do
+    assert !_matches_action?({:only => [:index, :new, :create]}, :update)
+  end
+  
+  test "does not match action when there are inclusive restrictions on action (symbol)" do
+    assert !_matches_action?({:only => :index}, :update)
+  end
+  
+  test "does not match action when there are exclusive restrictions on action (array)" do
+    assert !_matches_action?({:except => [:update, :create, :delete]}, :update)
+  end
+  
+  test "does not match action when there are exclusive restrictions on action (symbol)" do
+    assert !_matches_action?({:except => :update}, :update)
+  end
+  
+  test "accepts a block when it's not there" do
+    assert _block_is_successful?(nil)
+  end
+  
+  test "accepts a block when it returns true" do
+    assert _block_is_successful?(lambda { true })
+  end
+  
+  test "refuses a block when it returns false" do
+    assert !_block_is_successful?(lambda { false })
+  end
+  
+  test "matches scope when there is no scope" do
+    assert _matches_scope?(nil, {}, nil)
+  end
+  
+  test "matches scope when the object ID matches the ID in the params" do
+    assert _matches_scope?(:organization,
+      {:organization_id => 12}.with_indifferent_access,
+      Resource.new(:organization => Resource.new(:id => 12)))
+  end
+  
+  test "does not match scope when the ID in the params is blank" do
+    assert !_matches_scope?(:organization,
+      {}.with_indifferent_access,
+      Resource.new(:organization => Resource.new(:id => 12)))
+  end
+  
+  test "does not match scope when the object ID is nil" do
+    assert !_matches_scope?(:organization,
+      {:organization_id => 12}.with_indifferent_access,
+      Resource.new(:organization => Resource.new(:id => nil)))
+  end
+  
+  test "does not match scope when both params are blank and the object ID is nil" do
+    assert !_matches_scope?(:organization,
+      {}.with_indifferent_access,
+      Resource.new(:organization => Resource.new(:id => nil)))
+  end
+  
+  test "does not match scope when the object ID does not match the ID in the params" do
+    assert !_matches_scope?(:organization,
+      {:organization_id => 32 }.with_indifferent_access,
+      Resource.new(:organization => Resource.new(:id => 65)))
+  end
+  
+  test "matches user resource when it doesn't have to run" do
+    assert _matches_user_resource?(false, {}, nil)
+  end
+  
+  test "matches user resource when it matches the params" do
+    assert _matches_user_resource?(true, {:id => 12}.with_indifferent_access, Resource.new(:id => 12))
+  end
+  
+  test "does not match user resource when the params are empty" do
+    assert !_matches_user_resource?(true, {}.with_indifferent_access, Resource.new(:id => 12))
+  end
+  
+  test "does not match user resource when the params are wrong" do
+    assert !_matches_user_resource?(true, {:id => 32}.with_indifferent_access, Resource.new(:id => 12))
+  end
+  
+  test "does not match user resource when the resource has no ID" do
+    assert !_matches_user_resource?(true, {:id => 12}.with_indifferent_access, Resource.new(:id => nil))
+  end
+  
+  test "matches authenticated requirement when it doesn't have to run (boolean)" do
+    assert _matches_authenticated_requirement?(false, nil)
+  end
   
-  def assert_action_allowed(h)
-    h.each do |pair, value|
-      params = HashWithIndifferentAccess.new(:action => pair.last)
-      assert_equal value, action_allowed?(params, pair.first), "For #{pair.inspect} => #{value.inspect}"
-    end
+  test "matches authenticated requirement when it doesn't have to run (nil)" do
+    assert _matches_authenticated_requirement?(nil, nil)
   end
   
-  def assert_resource_allowed(h)
-    h.each do |triplet, value|
-      params = HashWithIndifferentAccess.new(triplet.first)
-      assert_equal value, resource_allowed?(params, triplet[1], triplet.last ? Resource.new(triplet.last) : nil), "For #{triplet.inspect} => #{value.inspect}"
-    end
+  test "matches authenticated requirement when authenticated is thruthy" do
+    assert _matches_authenticated_requirement?(true, Resource.new)
   end
   
-  def assert_block_allowed(h)
-    h.each do |role, value|
-      assert_equal value, block_allowed?(role)
-    end
+  test "does not match authenticated requirement when authenticated is not thruthy (boolean)" do
+    assert !_matches_authenticated_requirement?(true, false)
   end
   
-  def assert_block_access(h)
-    h.each do |pair, value|
-      @authenticated = Resource.new :role => pair.first
-      @params = {:action => pair.last}
-      assert_equal value, block_access, "For #{pair.inspect} => #{value.inspect}"
-    end
+  test "does not match authenticated requirement when authenticated is not thruthy (nil)" do
+    assert !_matches_authenticated_requirement?(true, nil)
   end
 end

data/test/cases/structural_test.rb

@@ -1,4 +1,4 @@
-require File.expand_path('../../test_helper', __FILE__)
+require 'test_helper'
 
 require 'controllers/application_controller'
 require 'controllers/users_controller'

data/test/helpers/methods.rb

@@ -0,0 +1,52 @@
+module MethodsHelpers
+  attr_reader :access_allowed_for, :params
+  
+  def logger
+    @logger ||= Logger.new('/dev/null')
+  end
+  
+  def do_false
+    false
+  end
+  
+  def do_true
+    true
+  end
+  
+  def set_rules(rules)
+    @access_allowed_for = rules.with_indifferent_access
+  end
+  
+  def set_params(params)
+    @params = params.with_indifferent_access
+  end
+  
+  def assert_action_allowed(h)
+    h.each do |(role, action), value|
+      params = {:action => action}.with_indifferent_access
+      assert_equal(value, action_allowed?(params, role), "Expected #{role} to access #{action} with params #{params.inspect}")
+    end
+  end
+  
+  def assert_resource_allowed(h)
+    h.each do |(params, role, authenticated), value|
+      params        = params.with_indifferent_access
+      authenticated = authenticated ? Resource.new(authenticated) : nil
+      assert_equal(value, resource_allowed?(params, role, authenticated), "Expected #{role} #{authenticated} to access #{params.inspect}")
+    end
+  end
+  
+  def assert_block_allowed(h)
+    h.each do |role, value|
+      assert_equal value, block_allowed?(role)
+    end
+  end
+  
+  def assert_block_access(h)
+    h.each do |(role, action), expected|
+      @authenticated = Resource.new(:role => role)
+      @params = {:action => action}.with_indifferent_access
+      assert_equal(expected, block_access, "Expected #{role} #{@authenticated} #{expected ? '' : 'NOT '}to access #{action}")
+    end
+  end
+end

data/test/models/resource.rb

@@ -14,6 +14,10 @@ class Resource
     @attributes['id'] = value
   end
   
+  def to_s
+    "#<Resource:#{object_id} #{@attributes.inspect}>"
+  end
+  
   def method_missing(m, v=nil)
     if m.to_s =~ /(.*)=$/
       @attributes[$1] = v

data/test/test_helper/rails2/test_helper.rb

@@ -0,0 +1,29 @@
+require File.expand_path('../../shared', __FILE__)
+
+module AuthorizationSanTest
+  module Initializer
+    def self.load_dependencies
+      if rails_directory
+        $:.unshift(File.join(rails_directory, 'activesupport', 'lib'))
+        $:.unshift(File.join(rails_directory, 'activerecord', 'lib'))
+      else
+        require 'rubygems'
+        gem 'rails', '< 3.0'
+      end
+      
+      require 'test/unit'
+      
+      require 'active_support'
+      require 'active_support/test_case'
+      require 'active_record'
+      require 'active_record/test_case'
+      require 'active_record/base' # this is needed because of dependency hell
+      require 'action_controller'
+      
+      $:.unshift File.expand_path('../../lib', __FILE__)
+      require File.join(PLUGIN_ROOT, 'rails', 'init')
+    end
+  end
+end
+
+AuthorizationSanTest::Initializer.start

data/test/test_helper/rails3/test_helper.rb

@@ -0,0 +1,29 @@
+require File.expand_path('../../shared', __FILE__)
+
+module AuthorizationSanTest
+  module Initializer
+    def self.load_dependencies
+      if rails_directory
+        $:.unshift(File.join(rails_directory, 'activesupport', 'lib'))
+        $:.unshift(File.join(rails_directory, 'activerecord', 'lib'))
+      else
+        require 'rubygems'
+        gem 'rails', '> 3.0'
+      end
+      
+      require 'test/unit'
+      
+      require 'active_support'
+      require 'active_support/test_case'
+      require 'active_record'
+      require 'active_record/test_case'
+      require 'active_record/base' # this is needed because of dependency hell
+      require 'action_controller'
+      
+      $:.unshift File.expand_path('../../lib', __FILE__)
+      require File.join(PLUGIN_ROOT, 'rails', 'init')
+    end
+  end
+end
+
+AuthorizationSanTest::Initializer.start

data/test/test_helper/shared.rb

@@ -0,0 +1,17 @@
+module AuthorizationSanTest
+  module Initializer
+    VENDOR_RAILS = File.expand_path('../../../../../rails', __FILE__)
+    PLUGIN_ROOT = File.expand_path('../../../', __FILE__)
+    
+    def self.rails_directory
+      if File.exist?(VENDOR_RAILS)
+        VENDOR_RAILS
+      end
+    end
+    
+    def self.start
+      load_dependencies
+      ActionController::Routing::Routes.reload rescue nil
+    end
+  end
+end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: authorization-san
 version: !ruby/object:Gem::Version 
-  hash: 19
+  hash: 15
   prerelease: 
   segments: 
-  - 1
-  - 0
   - 2
-  version: 1.0.2
+  - 0
+  - 0
+  version: 2.0.0
 platform: ruby
 authors: 
 - Manfred Stienstra
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-02-23 00:00:00 +01:00
+date: 2011-03-02 00:00:00 +01:00
 default_executable: 
 dependencies: []
 
@@ -34,6 +34,7 @@ files:
 - lib/authorization.rb
 - lib/authorization/allow_access.rb
 - lib/authorization/block_access.rb
+- lib/authorization/deprecated.rb
 - rails/init.rb
 - examples/administrations_controller.rb
 - examples/application.rb
@@ -44,6 +45,7 @@ files:
 - examples/public_controller.rb
 - examples/users_controller.rb
 - test/cases/behaviour_test.rb
+- test/cases/deprecated_test.rb
 - test/cases/internals_test.rb
 - test/cases/structural_test.rb
 - test/controllers/all.rb
@@ -54,8 +56,11 @@ files:
 - test/controllers/multiple_roles_controller.rb
 - test/controllers/public_controller.rb
 - test/controllers/users_controller.rb
+- test/helpers/methods.rb
 - test/models/resource.rb
-- test/test_helper.rb
+- test/test_helper/rails2/test_helper.rb
+- test/test_helper/rails3/test_helper.rb
+- test/test_helper/shared.rb
 has_rdoc: true
 homepage: http://fingertips.github.com
 licenses: []
@@ -100,6 +105,7 @@ test_files:
 - examples/public_controller.rb
 - examples/users_controller.rb
 - test/cases/behaviour_test.rb
+- test/cases/deprecated_test.rb
 - test/cases/internals_test.rb
 - test/cases/structural_test.rb
 - test/controllers/all.rb
@@ -110,5 +116,8 @@ test_files:
 - test/controllers/multiple_roles_controller.rb
 - test/controllers/public_controller.rb
 - test/controllers/users_controller.rb
+- test/helpers/methods.rb
 - test/models/resource.rb
-- test/test_helper.rb
+- test/test_helper/rails2/test_helper.rb
+- test/test_helper/rails3/test_helper.rb
+- test/test_helper/shared.rb

data/test/test_helper.rb

@@ -1,49 +0,0 @@
-module AuthorizationSanTest
-  module Initializer
-    VENDOR_RAILS = File.expand_path('../../../../rails', __FILE__)
-    OTHER_RAILS = File.expand_path('../../../rails', __FILE__)
-    PLUGIN_ROOT = File.expand_path('../../', __FILE__)
-    
-    def self.rails_directory
-      if File.exist?(VENDOR_RAILS)
-        VENDOR_RAILS
-      elsif File.exist?(OTHER_RAILS)
-        OTHER_RAILS
-      end
-    end
-    
-    def self.load_dependencies
-      $stdout.write('Loading Rails from ')
-      if rails_directory
-        puts rails_directory
-        $:.unshift(File.join(rails_directory, 'activesupport', 'lib'))
-        $:.unshift(File.join(rails_directory, 'activerecord', 'lib'))
-      else
-        puts 'rubygems'
-        begin
-          require 'rubygems'
-          gem 'rails', '< 3.0'
-        rescue LoadError
-        end
-      end
-      
-      require 'test/unit'
-      require 'active_support'
-      require 'active_support/test_case'
-      require 'action_controller'
-      require 'action_controller/test_process'
-      
-      require File.join(PLUGIN_ROOT, 'rails', 'init')
-      
-      $:.unshift(File.join(PLUGIN_ROOT, 'lib'))
-      $:.unshift(File.join(PLUGIN_ROOT, 'test'))
-    end
-    
-    def self.start
-      load_dependencies
-      ActionController::Routing::Routes.reload rescue nil
-    end
-  end
-end
-
-AuthorizationSanTest::Initializer.start