authorizer 0.0.1 → 0.0.2

data/History.txt

@@ -1,4 +1,12 @@
+=== 0.0.2 2011-08-22
+
+* Major enhancements:
+  * Find function wasn't working properly, a user would get a list of objects from another user. Also reworked its internals so all arguments are passed on to the ActiveRecord::Base find function. 
+* Minor enhancements:
+  * Improved error messages.
+  * Fixed some other bugs and quirks.
+
 === 0.0.1 2011-07-01
 
 * 1 major enhancement:
-  * Initial release
+  * Initial release.

data/README.rdoc

@@ -45,13 +45,15 @@ Handles authorization for you.
 Authorize a user on an object
 
  Authorizer::Base.authorize_user( :object => object )
-
  => true/false
 
 If you want to know if the current user is authorized on an object, use:
 
- Authorizer::Base.user_is_authorized?( :object => object)
+ Authorizer::Base.user_is_authorized?( :object => object )
  => true/false
+
+ Authorizer::Base.authorize!( :object => object, :message => "You are not authorized to access this resource." ) # message is optional
+ => returns true or raises Authorizer::UserNotAuthorized
  
 Remove authorization from an object
 
@@ -91,16 +93,13 @@ Authorizer uses ActiveRecord observers to make sure it doesn't make any mess, fo
 
  - Ruby (this gem was tested with 1.8.7)
  - Rails 2.3 (tested with 2.3.11 and 2.3.12)
- - Authlogic (for authentication)
+ - An authentication mechanism such as Authlogic for authentication (tested with authlogic 2.1.6)
 
 Optional:
  - inherited_resources if you want to use the controller filters supplied with this gem. Otherwise, you'll have to check for authorization yourself.
 
 == INSTALL:
 
-Installation
-===
-
  1. sudo gem install authorizer
  2. add "authorizer" to your Gemfile (I hope you've stopped using config.gem already even if you are on Rails 2.3?)
  3. generate a migration for authorization objects:
@@ -125,14 +124,26 @@ Paste this code into the newly generated file:
  end
 
  4. run "rake db:migrate" to migrate your database
+ 5. Add these lines to your app/controllers/application_controller.rb:
+
+  require 'authorizer/exceptions'
+
+  rescue_from Authorizer::UserNotAuthorized do |exception|
+    # Show a static 403 page upon authorization failure
+    render :file => "#{Rails.root}/public/403.html", :status => 403
+  end
+
+ 6. Download the file public/403.html from {authorizer_project}[https://github.com/cmdjohnson/authorizer_project] and copy it to your own app.
  
 That's it!
 
 == DEVELOPERS:
 
-Reviews, patches and bug tickets are welcome!
+Reviews, patches and bug tickets are welcome! There's still some features that need to be implemented:
+ - (Multiple) roles for users on an object
+ - Rails 3 support!
 
-{authorizer_project}[https://github.com/cmdjohnson/authorizer_project] is a sample project that shows the usage of the Authorizer gem. It also contains all tests for your testing pleasure.
+{authorizer_project}[https://github.com/cmdjohnson/authorizer_project] is a sample project that shows the usage of the Authorizer gem. It also contains all unit and functional tests for your testing pleasure.
 
 == LICENSE:
 

data/lib/authorizer.rb

@@ -3,5 +3,5 @@ $:.unshift(File.dirname(__FILE__)) unless
   $:.include?(File.dirname(__FILE__)) || $:.include?(File.expand_path(File.dirname(__FILE__)))
 
 module Authorizer
-  VERSION = '0.0.1'
+  VERSION = '0.0.2'
 end

data/lib/authorizer/application_controller.rb

@@ -17,49 +17,48 @@ class ApplicationController < ActionController::Base
 
   private
 
-  ##############################################################################
-  # authorizer
-  ##############################################################################
+  # Own an object (you've just created)
+  # With no arguments given, this method will try to use inherited_resources to determine the object you've just created.
+  # The object can be overridden with :object => object
+  def own_created_object(options = {})
+    ret = false # default answer: don't allow
 
-  def own_created_object
-    ret = true # always return true otherwise the filter chain would be blocked.
+    r = options[:object]
 
     begin
-      r = resource
+      r ||= resource
     rescue
     end
 
     unless r.nil?
       # only if this objet was successfully created will we do this.
       unless r.new_record?
-        Authorizer::Base.authorize_user( :object => r )
+        ret = Authorizer::Base.authorize_user( :object => r )
       end
     end
 
     ret
   end
 
-  def authorize
+  # Authorize on the current object.
+  # With no arguments given, this method will try to use inherited_resources to determine the object you're supposed to authorize on.
+  # The object can be overridden with :object => object
+  def authorize(options = {})
     ret = false # return false by default, effectively using a whitelist method.
 
+    r = options[:object]
+
     begin
-      r = resource
+      r ||= resource
     rescue      
     end
 
     unless r.nil?
-      auth = Authorizer::Base.user_is_authorized?( :object => r )
-
-      if auth.eql?(false)
-        raise Authorizer::UserNotAuthorized.new("You are not authorized to access this resource.")
-      end
+      # Use the bang method, it will raise an Exception if needed
+      ret = Authorizer::Base.authorize!( :object => r )
     end
 
     ret
   end
-
-  ##############################################################################
-  # end authorizer
-  ##############################################################################
 end
 

data/lib/authorizer/base.rb

@@ -40,20 +40,44 @@ module Authorizer
         object_reference = object.id
 
         ObjectRole.create!( :klazz_name => klazz_name, :object_reference => object_reference, :user => user, :role => role )
-        Rails.logger.debug("Authorizer: created authorization on #{object} for current_user with ID #{user.id} witih role #{role}")
+        Rails.logger.debug("Authorizer: created authorization on #{object} for current_user with ID #{user.id} with role #{role}")
         ret = true
       end
 
       ret
     end
 
+    ############################################################################
+    # authorize!
+    #
+    # Bang version of authorize
+    ############################################################################
+
+    def self.authorize! options = {}
+      auth_ok = user_is_authorized?(options)
+
+      # User can override error message
+      message = options[:message]
+      # Attempt to fetch from I18n
+      begin
+        message ||= I18n.translate!("authorizer.access_denied")
+      rescue
+      end
+      # Default error message
+      message ||= "You are not authorized to access this resource."
+
+      raise Authorizer::UserNotAuthorized.new(message) unless auth_ok
+
+      auth_ok
+    end
+
     ############################################################################
     # user_is_authorized?
     #
     # If no user is specified, current_user is used.
     ############################################################################
 
-    def self.user_is_authorized? options
+    def self.user_is_authorized? options = {}
       OptionsChecker.check(options, [ :object ])
 
       ret = false
@@ -78,12 +102,17 @@ module Authorizer
       if ret
         Rails.logger.debug("Authorizer: authorized current_user with ID #{user.id} to access #{or_.description} because of role #{or_.role}") unless user.nil? || or_.nil?
       else
-        Rails.logger.debug("Authorizer: authorization failed for current_user with ID #{user.id} to access #{object.to_s}") unless user.nil? || object.nil?
+        Rails.logger.debug("Authorizer: authorization failed for current_user with ID #{user.id} to access #{object.inspect}") unless user.nil? || object.nil?
       end
 
       ret
     end
 
+    # Could't get alias_method to work. Don't ask me why.
+    def self.authorize(options = {})
+      user_is_authorized?(options)
+    end
+
     ############################################################################
     # remove_authorization
     ############################################################################
@@ -120,8 +149,7 @@ module Authorizer
     ############################################################################
     # find
     ############################################################################
-    # Out of the collection of all Posts, return the subset that belongs to the current user.
-    # External method that maps to the internal_find which is the generic find method.
+    # From the entire collection of Posts, return the subset that belongs to the current user.
     #
     # Arguments:
     #  - class_name: which class to use, e.g. "Post"
@@ -139,8 +167,6 @@ module Authorizer
 
     ############################################################################
     # is_authorized?
-    #
-    # Checks if the corresponding role.eql?("owner")
     ############################################################################
 
     def self.is_authorized? object
@@ -198,80 +224,54 @@ module Authorizer
       class_name = options[:class_name]
       what = options[:what]
       find_options = options[:find_options] || {}
-      user = options[:user] || get_current_user
-
-      # We don't do the what checks anymore, ActiveRecord::Base.find does that for us now.
-      #what_checks = [ :all, :first, :last, :id ]
-      #raise "What must be one of #{what_checks.inspect}" unless what_checks.include?(what)
+      user = options[:user] || get_current_user # Default is current user, but the specified user will override.
 
       # Check userrrrrrrrrrrr --- =====================- ---= ===-=- *&((28 @((8
       check_user(user)
-      # rrrr
       ret = nil
-      # Checks
       # Checks done. Let's go.
       # Get the real klazz
       klazz = nil
       # Check it
       begin
         klazz = eval(class_name)
-      rescue
+      rescue => e
+        # Throw an exception if klazz is nil
+        raise ArgumentError.new("Could not eval class '#{klazz}'. It presumably does not exist. Maybe you mistyped its name? Error was: #{e.inspect}") if klazz.nil?
       end
       # oooo ooo ooo ___ --- === __- --_- ++_+_ =--- +- =+=-=- =-=    <--- ice beam!
       unless klazz.nil?
         # now we know klazz really exists.
-        # let's find the object_role objects that match the user and klaz.
+        # let's find the object_role objects that match the user and klazz.
         # Get the object_role objects
         object_roles_conditions = { :klazz_name => class_name, :user_id => user.id }
         object_roles = ObjectRole.find(:all, :conditions => object_roles_conditions )
-        # Get a list of IDs. These are objects that are owned by the current_user
-        object_role_ids = object_roles.collect { |or_| or_.object_reference } # [ 1, 1, 1, 1 ]
-        # Make it at least an array if object_role_ids returns nil
-        object_role_ids ||= []
-        # Try to emulate find as good as we can
-        # so don't skip this, try to always pass it on.
+        # OK.
+        # We already have the comprehensive list of object roles we are authorized on.
         unless object_roles.nil?
-          # Prepare find_options
-          leading_find_options = {} # insert conventions here if needed
-          my_find_options = find_options.merge(leading_find_options)
-          # If the user passed an Array we should filter it with the list of available (authorized) objects.
-          #
-          # http://www.ruby-doc.org/core/classes/Array.html
-          # &
-          # Set Intersection—Returns a new array containing elements common to the two arrays, with no duplicates.
-          safe_what = what
-          if what.is_a?(Array)
-            safe_what = what & object_role_ids
-          end
-          # The big show. Let's call out F I N D !!!!!!
-          # INF FINFD FIWI FFIND IF FIND FIND FIND FIND FIND FIND FIND FIND
-          # FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND
-          # FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND
-          # FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND
-          # FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND
-          # FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND
-          # FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND
-          # FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND
-          # FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND
-          # FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND
-          # FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND
-          if safe_what.eql?(:all)
-            ret = klazz.find(:all, my_find_options)
-          elsif safe_what.eql?(:first)
-            ret = klazz.find(object_role_ids.first, my_find_options)
-          elsif safe_what.eql?(:last)
-            ret = klazz.find(object_role_ids.last, my_find_options)
-          else
-            ret = klazz.find(safe_what, my_find_options)
+          # Get a list of IDs. These are objects that are owned by the current_user
+          object_role_ids = object_roles.collect { |or_| or_.object_reference } # [ 1, 1, 1, 1 ]
+          # Make it at least an array if collect returns nil
+          object_role_ids ||= []
+          # DO IT DO IT DO IT DO IT DO IT DO IT DO IT DO IT DO IT DO IT DO IT
+          # DO IT DO IT DO IT DO IT DO IT DO IT DO IT DO IT DO IT DO IT DO IT
+          # DO IT DO IT DO IT DO IT DO IT DO IT DO IT DO IT DO IT DO IT DO IT
+          # DO IT DO IT DO IT DO IT DO IT DO IT DO IT DO IT DO IT DO IT DO IT
+          # DO IT DO IT DO IT DO IT DO IT DO IT DO IT DO IT DO IT DO IT DO IT
+          # DO IT DO IT DO IT DO IT DO IT DO IT DO IT DO IT DO IT DO IT DO IT
+          unless object_role_ids.nil?
+            # Prepare find_options
+            leading_find_options = {} # insert conventions here if needed, maybe for security or other purposes
+            my_find_options = find_options.merge(leading_find_options)
+            # Big chance object_role_ids equals an Empty Array (TM) or []
+            # That's good, it means this line will be
+            #
+            # Post.scoped_by_id([]).find(:all)
+            #
+            # Which will never ever return anything.
+            # This is also good because it means we can just proxy whatever we get from the user into Find and it will take care of it for us.
+            ret = klazz.scoped_by_id(object_role_ids).find(what, my_find_options) # scoped_by is new in 2.3. sweeeeeeeeeeeet
           end
-          # SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT????
-          # SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT????
-          # SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT????
-          # SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT????
-          # SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT????
-          # SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT????
-          # SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT????
-          # SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT????
         end
       end
 
@@ -310,9 +310,18 @@ module Authorizer
     def self.check_user(user)
       ret = true
 
-      raise "User cannot be nil" if user.nil?
-      raise "User must inherit from ActiveRecord::Base" unless user.is_a?(ActiveRecord::Base)
-      raise "User must be saved" if user.new_record?
+      if user.nil?
+        raise Authorizer::RuntimeException.new "User cannot be nil. Maybe you should specify authorizer_options = { :user => user } if you are not calling from a controller?"
+      end
+
+      unless user.is_a?(ActiveRecord::Base)
+        raise Authorizer::RuntimeException.new "User must inherit from ActiveRecord::Base"
+
+      end
+
+      if user.new_record?
+        raise Authorizer::RuntimeException.new "User must be saved"
+      end
 
       ret
     end

data/lib/authorizer/exceptions.rb

@@ -1,6 +1,10 @@
 # -*- encoding : utf-8 -*-
 module Authorizer
+  # Thrown when the user is not authorized.
   class UserNotAuthorized < Exception
-  
+  end
+
+  # Thrown when an internal error occurs, such as when an ObjectRole record doesn't exist.
+  class RuntimeException < Exception
   end
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: authorizer
 version: !ruby/object:Gem::Version 
-  hash: 29
+  hash: 27
   prerelease: false
   segments: 
   - 0
   - 0
-  - 1
-  version: 0.0.1
+  - 2
+  version: 0.0.2
 platform: ruby
 authors: 
 - CmdJohnson
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-07-26 00:00:00 +02:00
+date: 2011-08-22 00:00:00 +02:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency