authorize 0.0.2 → 0.0.3
Sign up to get free protection for your applications and to get access to all the features.
- data/README +16 -8
- data/lib/authorize.rb +1 -1
- data/lib/authorize/active_record.rb +5 -2
- data/lib/authorize/version.rb +1 -1
- data/test/.gitignore +1 -0
- data/test/Gemfile +1 -0
- data/test/config/environment.rb +0 -3
- data/test/config/preinitializer.rb +21 -0
- data/test/test/unit/resource_test.rb +12 -0
- metadata +8 -3
data/README
CHANGED
@@ -44,9 +44,18 @@ point for traversing the role hierarchy and determining the effective set of rol
|
|
44
44
|
|
45
45
|
Resource
|
46
46
|
A #permissions association is defined that links a resource to the set of permissions (Authorize::Permission) that define the available
|
47
|
-
access modes to the resource.
|
47
|
+
access modes to the resource. A #permitted parameterized scope is also provided:
|
48
48
|
|
49
|
-
|
49
|
+
Resource.permitted(roles, options = {})
|
50
|
+
Returns the resources to which the given roles have any permissions. Optionally, the qualifying permissions can be restricted with the
|
51
|
+
remaining arguments, or the :mode or :modes options:
|
52
|
+
Examples:
|
53
|
+
Widget.permitted([Authorize::Role::PUB])
|
54
|
+
Widget.permitted([Authorize::Role::PUB, my_role], :mode => :update)
|
55
|
+
Widget.permitted([Authorize::Role::PUB, my_role], :modes => [:delete, :update])
|
56
|
+
Widget.permitted([Authorize::Role::PUB, my_role], :delete, :update)
|
57
|
+
|
58
|
+
In addition to the macro methods described above, two models (ActiveRecord::Base subclasses) are defined:
|
50
59
|
|
51
60
|
Authorize::Permission
|
52
61
|
Permissions link roles to resources along with a defined access mode. Access modes are limited to the classics (read, update, delete, etc.),
|
@@ -69,14 +78,14 @@ role graph (a DAG) stored in the Redis database.
|
|
69
78
|
|
70
79
|
A Note on Performance
|
71
80
|
|
72
|
-
Performance of the
|
73
|
-
database systems for multiple use cases. Empirically, it seems to be best to use a UNION of the three cases that can yield
|
81
|
+
Performance of the Resource.permitted named scope is critical to effective use of this plugin. However, it is difficult to optimize across multiple
|
82
|
+
database systems for multiple use cases. Empirically, it seems to be best to use a UNION of the three cases that can yield a permission: global, class-
|
74
83
|
based and instance based. Alternatives using moderately complex nested or expanded OR clauses fail to optimize correctly on MySQL 5.0 and degrade terribly
|
75
84
|
with substantial authorization and subject volume. Not surprisingly, COALESCE also fails to optimize nicely. A JOIN-based solution was considered, but the
|
76
85
|
semantics of a JOIN are such that duplicate subject records are returned. The duplicates could be eliminated with :group and :having options, but at the cost
|
77
|
-
of transparency of the #
|
86
|
+
of transparency of the #permitted named scope.
|
78
87
|
|
79
|
-
Indexing of the
|
88
|
+
Indexing of the authorize_permissions table is very important. See the test application's schema for an reasonable set of indices.
|
80
89
|
|
81
90
|
Code examples of alternatives:
|
82
91
|
|
@@ -151,5 +160,4 @@ Code examples of alternatives:
|
|
151
160
|
}
|
152
161
|
|
153
162
|
TODO:
|
154
|
-
* Flexible configuration of permission bits
|
155
|
-
|
163
|
+
* Flexible configuration of permission bits
|
data/lib/authorize.rb
CHANGED
@@ -1,2 +1,2 @@
|
|
1
1
|
module Authorize
|
2
|
-
end
|
2
|
+
end
|
@@ -23,9 +23,12 @@ module Authorize
|
|
23
23
|
resource_pk = "#{connection.quote_table_name(table_name)}.#{connection.quote_column_name(primary_key)}"
|
24
24
|
# See README file for a discussion of the performance of this named scope
|
25
25
|
named_scope :permitted, lambda {|*args|
|
26
|
-
roles
|
26
|
+
roles = args.shift
|
27
|
+
options = {:modes => []}.merge(args.last.kind_of?(Hash) ? args.pop : {})
|
28
|
+
modes = args + options[:modes]
|
29
|
+
modes << options[:mode] if options[:mode]
|
27
30
|
scope = Permission.as(roles)
|
28
|
-
scope = scope.to_do(Authorize::Permission::Mask[modes])
|
31
|
+
scope = scope.to_do(Authorize::Permission::Mask[*modes]) unless modes.empty?
|
29
32
|
sq0 = scope.construct_finder_sql({:select => 1, :conditions => {:resource_id => nil, :resource_type => nil}})
|
30
33
|
sq1 = scope.construct_finder_sql({:select => 1, :conditions => {:resource_type => base_class.name, :resource_id => nil}})
|
31
34
|
sq2 = scope.scoped(:conditions => "#{auth_fk} = #{resource_pk}").construct_finder_sql({:select => 1, :conditions => {:resource_type => base_class.name}})
|
data/lib/authorize/version.rb
CHANGED
data/test/.gitignore
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
Gemfile.lock
|
data/test/Gemfile
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
gemspec :path => ".."
|
data/test/config/environment.rb
CHANGED
@@ -18,9 +18,6 @@ Rails::Initializer.run do |config|
|
|
18
18
|
:secret => '7e54ff5913c5c26e6389fad599134e255845d537650386fb04e5ed9c34aaeea4538a3c50833e1f243210c54d612a388afb11a6c876af18d9ac31f1be4fc78698'
|
19
19
|
}
|
20
20
|
|
21
|
-
config.gem 'redis', :version => '>=2.0'
|
22
|
-
config.gem 'authorize'
|
23
|
-
|
24
21
|
config.after_initialize do
|
25
22
|
ActiveRecord::Migration.verbose = false
|
26
23
|
require File.join(RAILS_ROOT, "db", 'schema.rb')
|
@@ -0,0 +1,21 @@
|
|
1
|
+
# This file is loaded as part of the boot process, before the initializer has run.
|
2
|
+
begin
|
3
|
+
require "rubygems"
|
4
|
+
require "bundler"
|
5
|
+
rescue LoadError
|
6
|
+
raise "Could not load the bundler gem. Install it with `gem install bundler`."
|
7
|
+
end
|
8
|
+
|
9
|
+
if Gem::Version.new(Bundler::VERSION) <= Gem::Version.new("0.9.24")
|
10
|
+
raise RuntimeError, "Your bundler version is too old for Rails 2.3." +
|
11
|
+
"Run `gem install bundler` to upgrade."
|
12
|
+
end
|
13
|
+
|
14
|
+
begin
|
15
|
+
# Set up load paths for all bundled gems
|
16
|
+
ENV["BUNDLE_GEMFILE"] = File.expand_path("../../Gemfile", __FILE__)
|
17
|
+
Bundler.setup
|
18
|
+
rescue Bundler::GemNotFound
|
19
|
+
raise RuntimeError, "Bundler couldn't find some gems." +
|
20
|
+
"Did you run `bundle install`?"
|
21
|
+
end
|
@@ -17,6 +17,18 @@ class ResourceTest < ActiveSupport::TestCase
|
|
17
17
|
assert_equal Set[widgets(:foo)], Widget.permitted([roles(:a)], :read).to_set
|
18
18
|
end
|
19
19
|
|
20
|
+
test 'permitted scope to do specified access modes' do
|
21
|
+
assert_equal Set[], Widget.permitted([roles(:a)], :read, :update).to_set
|
22
|
+
end
|
23
|
+
|
24
|
+
test 'permitted scope to do specified access mode via options' do
|
25
|
+
assert_equal Set[widgets(:foo)], Widget.permitted([roles(:a)], {:mode => :read}).to_set
|
26
|
+
end
|
27
|
+
|
28
|
+
test 'permitted scope to do specified access modes via options' do
|
29
|
+
assert_equal Set[], Widget.permitted([roles(:a)], {:modes => [:read, :update]}).to_set
|
30
|
+
end
|
31
|
+
|
20
32
|
test 'permitted scope with class permission' do
|
21
33
|
assert_equal Widget.all.to_set, Widget.permitted([roles(:c)]).to_set
|
22
34
|
end
|
metadata
CHANGED
@@ -1,13 +1,13 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: authorize
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
hash:
|
4
|
+
hash: 25
|
5
5
|
prerelease:
|
6
6
|
segments:
|
7
7
|
- 0
|
8
8
|
- 0
|
9
|
-
-
|
10
|
-
version: 0.0.
|
9
|
+
- 3
|
10
|
+
version: 0.0.3
|
11
11
|
platform: ruby
|
12
12
|
authors:
|
13
13
|
- Chris Hapgood
|
@@ -137,6 +137,8 @@ files:
|
|
137
137
|
- lib/authorize/version.rb
|
138
138
|
- rails/init.rb
|
139
139
|
- tasks/authorize_tasks.rake
|
140
|
+
- test/.gitignore
|
141
|
+
- test/Gemfile
|
140
142
|
- test/Rakefile
|
141
143
|
- test/app/controllers/application_controller.rb
|
142
144
|
- test/app/controllers/thingy_controller.rb
|
@@ -151,6 +153,7 @@ files:
|
|
151
153
|
- test/config/environments/test.rb
|
152
154
|
- test/config/initializers/mask.rb
|
153
155
|
- test/config/initializers/redis.rb
|
156
|
+
- test/config/preinitializer.rb
|
154
157
|
- test/config/routes.rb
|
155
158
|
- test/db/.gitignore
|
156
159
|
- test/db/schema.rb
|
@@ -243,6 +246,7 @@ signing_key:
|
|
243
246
|
specification_version: 3
|
244
247
|
summary: A fast and flexible RBAC for Rails
|
245
248
|
test_files:
|
249
|
+
- test/Gemfile
|
246
250
|
- test/Rakefile
|
247
251
|
- test/app/controllers/application_controller.rb
|
248
252
|
- test/app/controllers/thingy_controller.rb
|
@@ -257,6 +261,7 @@ test_files:
|
|
257
261
|
- test/config/environments/test.rb
|
258
262
|
- test/config/initializers/mask.rb
|
259
263
|
- test/config/initializers/redis.rb
|
264
|
+
- test/config/preinitializer.rb
|
260
265
|
- test/config/routes.rb
|
261
266
|
- test/db/.gitignore
|
262
267
|
- test/db/schema.rb
|