authorize_me 0.1.0

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2010 [name of plugin creator]
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,74 @@
+= authorize_me
+
+authorize_me is a gem for Rails to handle simple role-based authorization. It is similar in style to can-can.
+The largest difference is that authorization rules are defined in the model they protect rather than one centralized location.
+
+== Set up the user model
+
+Tell the gem which model to treat as the "user".
+
+  class User
+    authorize_me
+  end
+
+The following methods are generated:
+
+  User#can_create?(obj)
+  User#can_read?(obj)
+  User#can_update?(obj)
+  User#can_destroy?(obj)
+
+Each of these methods can take a model class, instance, or symbol.
+
+The user model is expected to have a role method that returns a string or symbol.
+It could be a DB column or a method you define.  Here is an example:
+
+  def role
+    if admin?
+      :admin
+    else
+      user_type
+    end
+  end
+
+== Declare authorization rules
+
+Authorization rules are declared in each model where they apply
+
+  class Article
+    authorization do |role|
+      role.admin     :can => :manage
+      role.publisher :can => :manage, :if => :author?
+      role.publisher :can => [:read, :create]
+      role.any       :can => :read
+    end
+  end
+
+In this example a publisher can always read and create articles, 
+but they can only manage articles for which they are the author.  
+This declaration assumes there is an Article#author? method which
+takes a user argument and returns a boolean. 
+
+:manage is shorthand for [:create, :read, :update, :destroy]
+
+== In your controllers
+
+The unauthorized! method simply raises an AuthorizeMe::Unauthorized exception
+for you to handle as you choose.
+
+  def show
+    @article = Article.find(params[:id])
+    unauthorized! unless current_user.can_read?(@article)
+  end
+
+== In your views
+
+  <% if current_user.can_update?(@article) %>
+    <%= link_to 'edit', edit_article_path(@article) %>
+  <% end %>
+
+Copyright (c) 2010 Adam McCrea, released under the MIT license
+
+
+
+

data/lib/authorize_me.rb

@@ -0,0 +1,6 @@
+require 'authorize_me/model'
+require 'authorize_me/controller'
+require 'authorize_me/ability_checker'
+require 'authorize_me/role_definition'
+require 'authorize_me/exceptions'
+

data/lib/authorize_me/ability_checker.rb

@@ -0,0 +1,53 @@
+module AuthorizeMe
+  class AbilityChecker
+    def initialize(ability, target, association, user)
+      @ability, @target, @association, @user = ability, target, association, user
+      @target = @target.to_s if @target.is_a?(Symbol)
+    end
+
+    def check
+      return false if access_rule.nil?
+
+      if_condition_met     = access_rule[:if].nil?     || call_method(access_rule[:if])
+      unless_condition_met = access_rule[:unless].nil? || !call_method(access_rule[:unless])
+
+      if_condition_met && unless_condition_met
+    end
+
+    protected
+
+      def object
+        @object ||= if @target.is_a?(String)
+            build_model_object
+          elsif ! @target.class.respond_to?(:authorization_rules)
+            raise AuthorizeMe::AuthorizationRuleMissing.new(@target)
+          else
+            @target
+          end
+      end
+
+      def build_model_object
+        if @association
+          @association.send(@target.pluralize).new
+        else
+          @target.singularize.camelize.constantize.new
+        end
+      end
+
+      def rules
+        object.class.authorization_rules[@user.role.to_sym] || {}
+      end
+
+      def access_rule
+        rules[@ability.to_sym] || rules[:manage]
+      end
+
+      def call_method(method)
+        arity = object.send(:method, method).arity
+        case arity.abs
+        when 0 then object.send(method)
+        when 1 then object.send(method, @user)
+        end
+      end
+  end
+end

data/lib/authorize_me/controller.rb

@@ -0,0 +1,11 @@
+module AuthorizeMe
+  module Controller
+
+    private 
+
+      def unauthorized!
+        raise AuthorizeMe::Unauthorized
+      end
+  
+  end
+end

data/lib/authorize_me/exceptions.rb

@@ -0,0 +1,16 @@
+module AuthorizeMe
+
+  class AuthorizationRuleMissing < Exception
+    def initialize(obj)
+      @obj = obj
+    end
+
+    def message
+      "AuthorizeMe tried to access #{@obj.inspect}, which does not declare authorization rules"
+    end
+  end
+
+  class Unauthorized < Exception; end
+
+end
+

data/lib/authorize_me/model.rb

@@ -0,0 +1,70 @@
+require 'active_support/core_ext'
+
+module AuthorizeMe
+  module Model
+
+    def self.included(base)
+      base.extend ClassMethods
+      base.send   :include, InstanceMethods
+    end
+    
+    module ClassMethods
+      # define a bunch of methods on extended class
+      # * User#can_create?(obj)
+      # * User#can_read?(obj)
+      # * User#can_update?(obj)
+      # * User#can_destroy?(obj)
+      def authorize_me
+        %w{ create read update destroy }.each do |ability|
+          define_method "can_#{ability}?" do |*args|
+            obj = args[0]
+            association_options = args[1] || {}
+            check_ability_on_object ability, obj, association_options
+          end
+        end
+      end
+
+      # declare authorization rules on a model. For example
+      #   authorize do |role|
+      #     role.owner  :can => :manage
+      #     role.admin  :can => :manage
+      #     role.member :can => :read, :if => :has_application_read_permission?
+      #     role.member :can => [:create, :update, :destroy], :if => :has_application_write_permission?
+      #   end
+      #
+      def authorize
+        yield AuthorizeMe::RoleDefinition.new(self)
+      end
+
+      def add_authorization_rule(role, options)
+        role = role.to_sym
+        abilities = options[:can]
+        abilities = [abilities] unless abilities.is_a?(Array)
+
+        @authorization_rules ||= {}
+        @authorization_rules[role] ||= {}
+
+        abilities.each do |ability|
+          @authorization_rules[role][ability.to_sym]          = {}
+          @authorization_rules[role][ability.to_sym][:if]     = options[:if]
+          @authorization_rules[role][ability.to_sym][:unless] = options[:unless]
+        end
+      end
+
+      def authorization_rules
+        @authorization_rules || {}
+      end
+    end
+
+    module InstanceMethods
+      protected
+        def check_ability_on_object(ability, target, association_options)
+          association = association_options[:for]
+          checker = AuthorizeMe::AbilityChecker.new(ability, target, association, self)
+          checker.check
+        end
+    end
+
+  end
+end
+

data/lib/authorize_me/role_definition.rb

@@ -0,0 +1,15 @@
+module AuthorizeMe
+  class RoleDefinition
+    def initialize(model_class)
+      @model_class = model_class
+    end
+
+    def method_missing(name, *args)
+      if args.length == 1 && args.first.is_a?(Hash)
+        @model_class.add_authorization_rule(name, args.first)
+      else
+        super
+      end
+    end
+  end
+end

data/lib/authorize_me/version.rb

@@ -0,0 +1,3 @@
+module AuthorizeMe
+  Version = "0.1.0"
+end

data/rails/init.rb

@@ -0,0 +1,2 @@
+ActiveRecord::Base.send(:include, AuthorizeMe::Model)
+ActionController::Base.send(:include, AuthorizeMe::Controller)

metadata

@@ -0,0 +1,73 @@
+--- !ruby/object:Gem::Specification 
+name: authorize_me
+version: !ruby/object:Gem::Version 
+  prerelease: false
+  segments: 
+  - 0
+  - 1
+  - 0
+  version: 0.1.0
+platform: ruby
+authors: 
+- Adam McCrea
+- John Andrews
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-12-10 00:00:00 -05:00
+default_executable: 
+dependencies: []
+
+description: Simple role-based authorization
+email: adam@edgecase.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- MIT-LICENSE
+- README.rdoc
+files: 
+- lib/authorize_me/ability_checker.rb
+- lib/authorize_me/controller.rb
+- lib/authorize_me/exceptions.rb
+- lib/authorize_me/model.rb
+- lib/authorize_me/role_definition.rb
+- lib/authorize_me/version.rb
+- lib/authorize_me.rb
+- rails/init.rb
+- MIT-LICENSE
+- README.rdoc
+has_rdoc: true
+homepage: http://github.com/edgecase/authorize_me
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.6
+signing_key: 
+specification_version: 3
+summary: Simple role-based authorization
+test_files: []
+