authorize 0.0.2 → 0.0.3

data/README

@@ -44,9 +44,18 @@ point for traversing the role hierarchy and determining the effective set of rol
 
 Resource
 A #permissions association is defined that links a resource to the set of permissions (Authorize::Permission) that define the available
-access modes to the resource.
+access modes to the resource.  A #permitted parameterized scope is also provided:
 
-In addition to the macro methods described above, two ActiveRecord::Base subclasses are defined:
+Resource.permitted(roles, options = {})
+Returns the resources to which the given roles have any permissions.  Optionally, the qualifying permissions can be restricted with the
+remaining arguments, or the :mode or :modes options:
+Examples:
+  Widget.permitted([Authorize::Role::PUB])
+  Widget.permitted([Authorize::Role::PUB, my_role], :mode => :update)
+  Widget.permitted([Authorize::Role::PUB, my_role], :modes => [:delete, :update])
+  Widget.permitted([Authorize::Role::PUB, my_role], :delete, :update)
+
+In addition to the macro methods described above, two models (ActiveRecord::Base subclasses) are defined:
 
 Authorize::Permission
 Permissions link roles to resources along with a defined access mode.  Access modes are limited to the classics (read, update, delete, etc.),
@@ -69,14 +78,14 @@ role graph (a DAG) stored in the Redis database.
 
 A Note on Performance
 
-Performance of the <Subject Class>.authorized named scope is critical to effective use of this plugin.  However, it is difficult to optimize across multiple
-database systems for multiple use cases.  Empirically, it seems to be best to use a UNION of the three cases that can yield an authorization: global, class-
+Performance of the Resource.permitted named scope is critical to effective use of this plugin.  However, it is difficult to optimize across multiple
+database systems for multiple use cases.  Empirically, it seems to be best to use a UNION of the three cases that can yield a permission: global, class-
 based and instance based.  Alternatives using moderately complex nested or expanded OR clauses fail to optimize correctly on MySQL 5.0 and degrade terribly 
 with substantial authorization and subject volume.  Not surprisingly, COALESCE also fails to optimize nicely.  A JOIN-based solution was considered, but the
 semantics of a JOIN are such that duplicate subject records are returned.  The duplicates could be eliminated with :group and :having options, but at the cost
-of transparency of the #authorized named scope.
+of transparency of the #permitted named scope.
 
-Indexing of the authorization table is very important.  See the test application's schema for an reasonable set of indices.
+Indexing of the authorize_permissions table is very important.  See the test application's schema for an reasonable set of indices.
 
 Code examples of alternatives:
 
@@ -151,5 +160,4 @@ Code examples of alternatives:
           }
 
 TODO:
- * Flexible configuration of permission bits
- 
+ * Flexible configuration of permission bits

data/lib/authorize.rb

@@ -1,2 +1,2 @@
 module Authorize
-end
+end

data/lib/authorize/active_record.rb

@@ -23,9 +23,12 @@ module Authorize
         resource_pk = "#{connection.quote_table_name(table_name)}.#{connection.quote_column_name(primary_key)}"
         # See README file for a discussion of the performance of this named scope
         named_scope :permitted, lambda {|*args|
-          roles, modes = *args
+          roles = args.shift
+          options = {:modes => []}.merge(args.last.kind_of?(Hash) ? args.pop : {})
+          modes = args + options[:modes]
+          modes << options[:mode] if options[:mode]
           scope = Permission.as(roles)
-          scope = scope.to_do(Authorize::Permission::Mask[modes]) if modes
+          scope = scope.to_do(Authorize::Permission::Mask[*modes]) unless modes.empty?
           sq0 = scope.construct_finder_sql({:select => 1, :conditions => {:resource_id => nil, :resource_type => nil}})
           sq1 = scope.construct_finder_sql({:select => 1, :conditions => {:resource_type => base_class.name, :resource_id => nil}})
           sq2 = scope.scoped(:conditions => "#{auth_fk} = #{resource_pk}").construct_finder_sql({:select => 1, :conditions => {:resource_type => base_class.name}})

data/lib/authorize/version.rb

@@ -1,3 +1,3 @@
 module Authorize
-  VERSION = "0.0.2"
+  VERSION = "0.0.3"
 end

data/test/.gitignore

@@ -0,0 +1 @@
+Gemfile.lock

data/test/Gemfile

@@ -0,0 +1 @@
+gemspec :path => ".."

data/test/config/environment.rb

@@ -18,9 +18,6 @@ Rails::Initializer.run do |config|
     :secret      => '7e54ff5913c5c26e6389fad599134e255845d537650386fb04e5ed9c34aaeea4538a3c50833e1f243210c54d612a388afb11a6c876af18d9ac31f1be4fc78698'
   }
 
-  config.gem 'redis', :version => '>=2.0'
-  config.gem 'authorize'
-
   config.after_initialize do
     ActiveRecord::Migration.verbose = false
     require File.join(RAILS_ROOT, "db", 'schema.rb')

data/test/config/preinitializer.rb

@@ -0,0 +1,21 @@
+# This file is loaded as part of the boot process, before the initializer has run.
+begin
+  require "rubygems"
+  require "bundler"
+rescue LoadError
+  raise "Could not load the bundler gem. Install it with `gem install bundler`."
+end
+
+if Gem::Version.new(Bundler::VERSION) <= Gem::Version.new("0.9.24")
+  raise RuntimeError, "Your bundler version is too old for Rails 2.3." +
+   "Run `gem install bundler` to upgrade."
+end
+
+begin
+  # Set up load paths for all bundled gems
+  ENV["BUNDLE_GEMFILE"] = File.expand_path("../../Gemfile", __FILE__)
+  Bundler.setup
+rescue Bundler::GemNotFound
+  raise RuntimeError, "Bundler couldn't find some gems." +
+    "Did you run `bundle install`?"
+end

data/test/test/unit/resource_test.rb

@@ -17,6 +17,18 @@ class ResourceTest < ActiveSupport::TestCase
     assert_equal Set[widgets(:foo)], Widget.permitted([roles(:a)], :read).to_set
   end
 
+  test 'permitted scope to do specified access modes' do
+    assert_equal Set[], Widget.permitted([roles(:a)], :read, :update).to_set
+  end
+
+  test 'permitted scope to do specified access mode via options' do
+    assert_equal Set[widgets(:foo)], Widget.permitted([roles(:a)], {:mode => :read}).to_set
+  end
+
+  test 'permitted scope to do specified access modes via options' do
+    assert_equal Set[], Widget.permitted([roles(:a)], {:modes => [:read, :update]}).to_set
+  end
+
   test 'permitted scope with class permission' do
     assert_equal Widget.all.to_set, Widget.permitted([roles(:c)]).to_set
   end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: authorize
 version: !ruby/object:Gem::Version 
-  hash: 27
+  hash: 25
   prerelease: 
   segments: 
   - 0
   - 0
-  - 2
-  version: 0.0.2
+  - 3
+  version: 0.0.3
 platform: ruby
 authors: 
 - Chris Hapgood
@@ -137,6 +137,8 @@ files:
 - lib/authorize/version.rb
 - rails/init.rb
 - tasks/authorize_tasks.rake
+- test/.gitignore
+- test/Gemfile
 - test/Rakefile
 - test/app/controllers/application_controller.rb
 - test/app/controllers/thingy_controller.rb
@@ -151,6 +153,7 @@ files:
 - test/config/environments/test.rb
 - test/config/initializers/mask.rb
 - test/config/initializers/redis.rb
+- test/config/preinitializer.rb
 - test/config/routes.rb
 - test/db/.gitignore
 - test/db/schema.rb
@@ -243,6 +246,7 @@ signing_key:
 specification_version: 3
 summary: A fast and flexible RBAC for Rails
 test_files: 
+- test/Gemfile
 - test/Rakefile
 - test/app/controllers/application_controller.rb
 - test/app/controllers/thingy_controller.rb
@@ -257,6 +261,7 @@ test_files:
 - test/config/environments/test.rb
 - test/config/initializers/mask.rb
 - test/config/initializers/redis.rb
+- test/config/preinitializer.rb
 - test/config/routes.rb
 - test/db/.gitignore
 - test/db/schema.rb