authorization 1.0.11

data/lib/publishare/exceptions.rb

@@ -0,0 +1,41 @@
+module Authorization #:nodoc:
+
+  # Base error class for Authorization module
+  class AuthorizationError < StandardError
+  end
+
+  # Raised when the authorization expression is invalid (cannot be parsed)
+  class AuthorizationExpressionInvalid < AuthorizationError
+  end
+
+  # Raised when we can't find the current user
+  class CannotObtainUserObject < AuthorizationError
+  end
+
+  # Raised when an authorization expression contains a model class that doesn't exist
+  class CannotObtainModelClass < AuthorizationError
+  end
+
+  # Raised when an authorization expression contains a model reference that doesn't exist
+  class CannotObtainModelObject < AuthorizationError
+  end
+
+  # Raised when the obtained user object doesn't implement #id
+  class UserDoesntImplementID < AuthorizationError
+  end
+
+  # Raised when the obtained user object doesn't implement #has_role?
+  class UserDoesntImplementRoles < AuthorizationError
+  end
+
+  # Raised when the obtained model doesn't implement #accepts_role?
+  class ModelDoesntImplementRoles < AuthorizationError
+  end
+
+  class CannotSetRoleWhenHardwired < AuthorizationError
+  end
+
+  class CannotSetObjectRoleWhenSimpleRoleTable < AuthorizationError
+  end
+
+end

data/lib/publishare/hardwired_roles.rb

@@ -0,0 +1,82 @@
+require File.dirname(__FILE__) + '/exceptions'
+
+# In order to use this mixin, you'll need to define roles by overriding the
+# following functions:
+#
+# User#has_role?(role)
+#   Return true or false depending on the roles (strings) passed in.
+#
+# Model#accepts_role?(role, user)
+#   Return true or false depending on the roles (strings) this particular user has for
+#   this particular model object.
+#
+# See http://www.writertopia.com/developers/authorization
+
+module Authorization
+  module HardwiredRoles
+
+    module UserExtensions
+      def self.included( recipient )
+        recipient.extend( ClassMethods )
+      end
+
+      module ClassMethods
+        def acts_as_authorized_user
+          include Authorization::HardwiredRoles::UserExtensions::InstanceMethods
+        end
+      end
+
+      module InstanceMethods
+        # If roles aren't explicitly defined in user class then return false
+        def has_role?( role, authorizable_object = nil )
+          false
+        end
+
+        def has_role( role, authorizable_object = nil )
+          raise( CannotSetRoleWhenHardwired,
+            "Hardwired mixin: Cannot set user to role #{role}. Don't use #has_role, use code in models."
+          )
+        end
+
+        def has_no_role( role, authorizable_object = nil )
+          raise( CannotSetRoleWhenHardwired,
+            "Hardwired mixin: Cannot remove user role #{role}. Don't use #has_no_role, use code in models."
+          )
+        end
+      end
+    end
+
+    module ModelExtensions
+      def self.included( recipient )
+        recipient.extend( ClassMethods )
+      end
+
+      module ClassMethods
+        def acts_as_authorizable
+          include Authorization::HardwiredRoles::ModelExtensions::InstanceMethods
+        end
+      end
+
+      module InstanceMethods
+        def accepts_role?( role, user )
+          return false
+        end
+
+        def accepts_role( role, user )
+          raise( CannotSetRoleWhenHardwired,
+            "Hardwired mixin: Cannot set user to role #{role}. Don't use #accepts_role, use code in models."
+          )
+        end
+
+        def accepts_no_role( role, user )
+          raise( CannotSetRoleWhenHardwired,
+            "Hardwired mixin: Cannot set user to role #{role}. Don't use #accepts_no_role, use code in models."
+          )
+        end
+      end
+    end
+
+  end
+
+end
+

data/lib/publishare/identity.rb

@@ -0,0 +1,119 @@
+require File.dirname(__FILE__) + '/exceptions'
+
+# Provides the appearance of dynamically generated methods on the roles database.
+#
+# Examples:
+#   user.is_member?                     --> Returns true if user has any role of "member"
+#   user.is_member_of? this_workshop    --> Returns true/false. Must have authorizable object after query.
+#   user.is_eligible_for [this_award]   --> Gives user the role "eligible" for "this_award"
+#   user.is_moderator                   --> Gives user the general role "moderator" (not tied to any class or object)
+#   user.is_candidate_of_what           --> Returns array of objects for which this user is a "candidate" (any type)
+#   user.is_candidate_of_what(Party)    --> Returns array of objects for which this user is a "candidate" (only 'Party' type)
+#
+#   model.has_members                   --> Returns array of users which have role "member" on that model
+#   model.has_members?                  --> Returns true/false
+#
+module Authorization
+  module Identity
+
+    module UserExtensions
+      module InstanceMethods
+
+        def method_missing( method_sym, *args )
+          method_name = method_sym.to_s
+          authorizable_object = args.empty? ? nil : args[0]
+
+          base_regex = "is_(\\w+)"
+          fancy_regex = base_regex + "_(#{Authorization::Base::VALID_PREPOSITIONS_PATTERN})"
+          is_either_regex = '^((' + fancy_regex + ')|(' + base_regex + '))'
+          base_not_regex = "is_no[t]?_(\\w+)"
+          fancy_not_regex = base_not_regex + "_(#{Authorization::Base::VALID_PREPOSITIONS_PATTERN})"
+          is_not_either_regex = '^((' + fancy_not_regex + ')|(' + base_not_regex + '))'
+
+          if method_name =~ Regexp.new(is_either_regex + '_what$')
+            role_name = $3 || $6
+            has_role_for_objects(role_name, authorizable_object)
+          elsif method_name =~ Regexp.new(is_not_either_regex + '\?$')
+            role_name = $3 || $6
+            not is_role?( role_name, authorizable_object )
+          elsif method_name =~ Regexp.new(is_either_regex + '\?$')
+            role_name = $3 || $6
+            is_role?( role_name, authorizable_object )
+          elsif method_name =~ Regexp.new(is_not_either_regex + '$')
+            role_name = $3 || $6
+            is_no_role( role_name, authorizable_object )
+          elsif method_name =~ Regexp.new(is_either_regex + '$')
+            role_name = $3 || $6
+            is_role( role_name, authorizable_object )
+          else
+            super
+          end
+        end
+
+        private
+
+        def is_role?( role_name, authorizable_object )
+          if authorizable_object.nil?
+            return self.has_role?(role_name)
+          elsif authorizable_object.respond_to?(:accepts_role?)
+            return self.has_role?(role_name, authorizable_object)
+          end
+          false
+        end
+
+        def is_no_role( role_name, authorizable_object = nil )
+          if authorizable_object.nil?
+            self.has_no_role role_name
+          else
+            self.has_no_role role_name, authorizable_object
+          end
+        end
+
+        def is_role( role_name, authorizable_object = nil )
+          if authorizable_object.nil?
+            self.has_role role_name
+          else
+            self.has_role role_name, authorizable_object
+          end
+        end
+
+        def has_role_for_objects(role_name, type)
+          if type.nil?
+            roles = self.roles.find_all_by_name( role_name )
+          else
+            roles = self.roles.find_all_by_authorizable_type_and_name( type.name, role_name )
+          end
+          roles.collect do |role|
+            if role.authorizable_id.nil?
+              role.authorizable_type.nil? ?
+                nil : Module.const_get( role.authorizable_type )   # Returns class
+            else
+              role.authorizable
+            end
+          end
+        end
+      end
+    end
+
+    module ModelExtensions
+      module InstanceMethods
+
+        def method_missing( method_sym, *args )
+          method_name = method_sym.to_s
+          if method_name =~ /^has_(\w+)\?$/
+            role_name = $1.singularize
+            self.accepted_roles.find_all_by_name(role_name).any? { |role| role.users.any? }
+          elsif method_name =~ /^has_(\w+)$/
+            role_name = $1.singularize
+            users = self.accepted_roles.find_all_by_name(role_name).collect { |role| role.users }
+            users.flatten.uniq if users
+          else
+            super
+          end
+        end
+
+      end
+    end
+
+  end
+end

data/lib/publishare/object_roles_table.rb

@@ -0,0 +1,119 @@
+require File.dirname(__FILE__) + '/exceptions'
+require File.dirname(__FILE__) + '/identity'
+
+module Authorization
+  module ObjectRolesTable
+
+    module UserExtensions
+      def self.included( recipient )
+        recipient.extend( ClassMethods )
+      end
+
+      module ClassMethods
+        def acts_as_authorized_user(roles_relationship_opts = {})
+          has_and_belongs_to_many :roles, roles_relationship_opts
+          include Authorization::ObjectRolesTable::UserExtensions::InstanceMethods
+          include Authorization::Identity::UserExtensions::InstanceMethods   # Provides all kinds of dynamic sugar via method_missing
+        end
+      end
+
+      module InstanceMethods
+        def has_role?( role_name, authorizable_obj = nil )
+          if authorizable_obj.nil?
+            case role_name
+              when String then self.roles.detect { |role| role.name == role_name } ? true : false
+              when Array then role_name.inject(false) { |memo,role| memo ? memo : has_role?(role) }
+              else false
+            end
+          else
+            role = get_role( role_name, authorizable_obj )
+            role ? self.roles.exists?( role.id ) : false
+          end
+        end
+
+        def has_role( role_name, authorizable_obj = nil )
+          role = get_role( role_name, authorizable_obj )
+          if role.nil?
+            if authorizable_obj.is_a? Class
+              role = Role.create( :name => role_name, :authorizable_type => authorizable_obj.to_s )
+            elsif authorizable_obj
+              role = Role.create( :name => role_name, :authorizable => authorizable_obj )
+            else
+              role = Role.create( :name => role_name )
+            end
+          end
+          self.roles << role if role and not self.roles.exists?( role.id )
+        end
+
+        def has_no_role( role_name, authorizable_obj = nil  )
+          role = get_role( role_name, authorizable_obj )
+          if role
+            self.roles.delete( role )
+            role.destroy if role.users.empty?
+          end
+        end
+
+        private
+
+        def get_role( role_name, authorizable_obj )
+          if authorizable_obj.is_a? Class
+            Role.find( :first,
+                       :conditions => [ 'name = ? and authorizable_type = ? and authorizable_id IS NULL', role_name, authorizable_obj.to_s ] )
+          elsif authorizable_obj
+            Role.find( :first,
+                       :conditions => [ 'name = ? and authorizable_type = ? and authorizable_id = ?',
+                                        role_name, authorizable_obj.class.base_class.to_s, authorizable_obj.id ] )
+          else
+            Role.find( :first,
+                       :conditions => [ 'name = ? and authorizable_type IS NULL and authorizable_id IS NULL', role_name ] )
+          end
+        end
+
+      end
+    end
+
+    module ModelExtensions
+      def self.included( recipient )
+        recipient.extend( ClassMethods )
+      end
+
+      module ClassMethods
+        def acts_as_authorizable
+          has_many :accepted_roles, :as => :authorizable, :class_name => 'Role'
+
+          def accepts_role?( role_name, user )
+            user.has_role? role_name, self
+          end
+
+          def accepts_role( role_name, user )
+            user.has_role role_name, self
+          end
+
+          def accepts_no_role( role_name, user )
+            user.has_no_role role_name, self
+          end
+
+          include Authorization::ObjectRolesTable::ModelExtensions::InstanceMethods
+          include Authorization::Identity::ModelExtensions::InstanceMethods   # Provides all kinds of dynamic sugar via method_missing
+        end
+      end
+
+      module InstanceMethods
+        # If roles aren't overriden in model then check roles table
+        def accepts_role?( role_name, user )
+          user.has_role? role_name, self
+        end
+
+        def accepts_role( role_name, user )
+          user.has_role role_name, self
+        end
+
+        def accepts_no_role( role_name, user )
+          user.has_no_role role_name, self
+        end
+      end
+    end
+
+  end
+end
+

data/lib/publishare/parser.rb

@@ -0,0 +1,210 @@
+module Authorization
+  module Base
+
+    VALID_PREPOSITIONS = ['of', 'for', 'in', 'on', 'to', 'at', 'by']
+    BOOLEAN_OPS = ['not', 'or', 'and']
+    VALID_PREPOSITIONS_PATTERN = VALID_PREPOSITIONS.join('|')
+
+    module EvalParser
+      # Parses and evaluates an authorization expression and returns <tt>true</tt> or <tt>false</tt>.
+      #
+      # The authorization expression is defined by the following grammar:
+      #         <expr> ::= (<expr>) | not <expr> | <term> or <expr> | <term> and <expr> | <term>
+      #         <term> ::= <role> | <role> <preposition> <model>
+      #  <preposition> ::= of | for | in | on | to | at | by
+      #        <model> ::= /:*\w+/
+      #         <role> ::= /\w+/ | /'.*'/
+      #
+      # Instead of doing recursive descent parsing (not so fun when we support nested parentheses, etc),
+      # we let Ruby do the work for us by inserting the appropriate permission calls and using eval.
+      # This would not be a good idea if you were getting authorization expressions from the outside,
+      # so in that case (e.g. somehow letting users literally type in permission expressions) you'd
+      # be better off using the recursive descent parser in Module RecursiveDescentParser.
+      #
+      # We search for parts of our authorization evaluation that match <role> or <role> <preposition> <model>
+      # and we ignore anything terminal in our grammar.
+      #
+      # 1) Replace all <role> <preposition> <model> matches.
+      # 2) Replace all <role> matches that aren't one of our other terminals ('not', 'or', 'and', or preposition)
+      # 3) Eval
+
+      def parse_authorization_expression( str )
+        if str =~ /[^A-Za-z0-9_:'\(\)\s]/
+          raise AuthorizationExpressionInvalid, "Invalid authorization expression (#{str})"
+          return false
+        end
+        @replacements = []
+        expr = replace_temporarily_role_of_model( str )
+        expr = replace_role( expr )
+        expr = replace_role_of_model( expr )
+        begin
+          instance_eval( expr )
+        rescue
+          raise AuthorizationExpressionInvalid, "Cannot parse authorization (#{str})"
+        end
+      end
+
+      def replace_temporarily_role_of_model( str )
+        role_regex = '\s*(\'\s*(.+?)\s*\'|(\w+))\s+'
+        model_regex = '\s+(:*\w+)'
+        parse_regex = Regexp.new(role_regex + '(' + VALID_PREPOSITIONS.join('|') + ')' + model_regex)
+        str.gsub(parse_regex) do |match|
+          @replacements.push " process_role_of_model('#{$2 || $3}', '#{$5}') "
+          " <#{@replacements.length-1}> "
+        end
+      end
+
+      def replace_role( str )
+        role_regex = '\s*(\'\s*(.+?)\s*\'|([A-Za-z]\w*))\s*'
+        parse_regex = Regexp.new(role_regex)
+        str.gsub(parse_regex) do |match|
+          if BOOLEAN_OPS.include?($3)
+            " #{match} "
+          else
+            " process_role('#{$2 || $3}') "
+          end
+        end
+      end
+
+      def replace_role_of_model( str )
+        str.gsub(/<(\d+)>/) do |match|
+          @replacements[$1.to_i]
+        end
+      end
+
+      def process_role_of_model( role_name, model_name )
+        model = get_model( model_name )
+        raise( ModelDoesntImplementRoles, "Model (#{model_name}) doesn't implement #accepts_role?" ) if not model.respond_to? :accepts_role?
+        model.send( :accepts_role?, role_name, @current_user )
+      end
+
+      def process_role( role_name )
+        return false if @current_user.nil? || @current_user == :false
+        raise( UserDoesntImplementRoles, "User doesn't implement #has_role?" ) if not @current_user.respond_to? :has_role?
+        @current_user.has_role?( role_name )
+      end
+
+    end
+
+    # Parses and evaluates an authorization expression and returns <tt>true</tt> or <tt>false</tt>.
+    # This recursive descent parses uses two instance variables:
+    #  @stack --> a stack with the top holding the boolean expression resulting from the parsing
+    #
+    # The authorization expression is defined by the following grammar:
+    #         <expr> ::= (<expr>) | not <expr> | <term> or <expr> | <term> and <expr> | <term>
+    #         <term> ::= <role> | <role> <preposition> <model>
+    #  <preposition> ::= of | for | in | on | to | at | by
+    #        <model> ::= /:*\w+/
+    #         <role> ::= /\w+/ | /'.*'/
+    #
+    # There are really two values we must track:
+    # (1) whether the expression is valid according to the grammar
+    # (2) the evaluated results --> true/false on the permission queries
+    # The first is embedded in the control logic because we want short-circuiting. If an expression
+    # has been parsed and the permission is false, we don't want to try different ways of parsing.
+    # Note that this implementation of a recursive descent parser is meant to be simple
+    # and doesn't allow arbitrary nesting of parentheses. It supports up to 5 levels of nesting.
+    # It also won't handle some types of expressions (A or B) and C, which has to be rewritten as
+    # C and (A or B) so the parenthetical expressions are in the tail.
+    module RecursiveDescentParser
+
+      OPT_PARENTHESES_PATTERN = '(([^()]|\(([^()]|\(([^()]|\(([^()]|\(([^()]|\(([^()])*\))*\))*\))*\))*\))*)'
+      PARENTHESES_PATTERN = '\(' + OPT_PARENTHESES_PATTERN + '\)'
+      NOT_PATTERN = '^\s*not\s+' + OPT_PARENTHESES_PATTERN + '$'
+      AND_PATTERN = '^\s*' + OPT_PARENTHESES_PATTERN + '\s+and\s+' + OPT_PARENTHESES_PATTERN + '\s*$'
+      OR_PATTERN = '^\s*' + OPT_PARENTHESES_PATTERN + '\s+or\s+' + OPT_PARENTHESES_PATTERN + '\s*$'
+      ROLE_PATTERN = '(\'\s*(.+)\s*\'|(\w+))'
+      MODEL_PATTERN = '(:*\w+)'
+
+      PARENTHESES_REGEX = Regexp.new('^\s*' + PARENTHESES_PATTERN + '\s*$')
+      NOT_REGEX = Regexp.new(NOT_PATTERN)
+      AND_REGEX = Regexp.new(AND_PATTERN)
+      OR_REGEX = Regexp.new(OR_PATTERN)
+      ROLE_REGEX = Regexp.new('^\s*' + ROLE_PATTERN + '\s*$')
+      ROLE_OF_MODEL_REGEX = Regexp.new('^\s*' + ROLE_PATTERN + '\s+(' + VALID_PREPOSITIONS_PATTERN + ')\s+' + MODEL_PATTERN + '\s*$')
+
+      def parse_authorization_expression( str )
+        @stack = []
+        raise AuthorizationExpressionInvalid, "Cannot parse authorization (#{str})" if not parse_expr( str )
+        return @stack.pop
+      end
+
+      def parse_expr( str )
+        parse_parenthesis( str ) or
+        parse_not( str ) or
+        parse_or( str ) or
+        parse_and( str ) or
+        parse_term( str )
+      end
+
+      def parse_not( str )
+        if str =~ NOT_REGEX
+          can_parse = parse_expr( $1 )
+          @stack.push( !@stack.pop ) if can_parse
+        end
+        false
+      end
+
+      def parse_or( str )
+        if str =~ OR_REGEX
+          can_parse = parse_expr( $1 ) and parse_expr( $8 )
+          @stack.push( @stack.pop | @stack.pop ) if can_parse
+          return can_parse
+        end
+        false
+      end
+
+      def parse_and( str )
+        if str =~ AND_REGEX
+          can_parse = parse_expr( $1 ) and parse_expr( $8 )
+          @stack.push(@stack.pop & @stack.pop) if can_parse
+          return can_parse
+        end
+        false
+      end
+
+      # Descend down parenthesis (allow up to 5 levels of nesting)
+      def parse_parenthesis( str )
+        str =~ PARENTHESES_REGEX ? parse_expr( $1 ) : false
+      end
+
+      def parse_term( str )
+        parse_role_of_model( str ) or
+        parse_role( str )
+      end
+
+      # Parse <role> of <model>
+      def parse_role_of_model( str )
+        if str =~ ROLE_OF_MODEL_REGEX
+          role_name = $2 || $3
+          model_name = $5
+          model_obj = get_model( model_name )
+          raise( ModelDoesntImplementRoles, "Model (#{model_name}) doesn't implement #accepts_role?" ) if not model_obj.respond_to? :accepts_role?
+
+          has_permission = model_obj.send( :accepts_role?, role_name, @current_user )
+          @stack.push( has_permission )
+          true
+        else
+          false
+        end
+      end
+
+      # Parse <role> of the User-like object
+      def parse_role( str )
+        if str =~ ROLE_REGEX
+          role_name = $1
+          if @current_user.nil? || @current_user == :false
+            @stack.push(false)
+          else
+            raise( UserDoesntImplementRoles, "User doesn't implement #has_role?" ) if not @current_user.respond_to? :has_role?
+            @stack.push( @current_user.has_role?(role_name) )
+          end
+          true
+        else
+          false
+        end
+      end
+
+    end
+  end
+end