authorizer 0.0.1

data/History.txt

@@ -0,0 +1,4 @@
+=== 0.0.1 2011-07-01
+
+* 1 major enhancement:
+  * Initial release

data/Manifest.txt

@@ -0,0 +1,17 @@
+History.txt
+Manifest.txt
+PostInstall.txt
+README.rdoc
+Rakefile
+lib/authorizer.rb
+script/console
+script/destroy
+script/generate
+lib/authorizer/admin.rb
+lib/authorizer/application_controller.rb
+lib/authorizer/base.rb
+lib/authorizer/exceptions.rb
+lib/authorizer/object_observer.rb
+lib/authorizer/user_observer.rb
+app/models/object_role.rb
+rails/init.rb

data/PostInstall.txt

@@ -0,0 +1,7 @@
+Remaining installation steps: (1 and 2 already done!)
+
+ 3. generate the migration by running "script/generate authorizer_migration"
+ 4. run "rake db:migrate" to migrate your database
+ 5. Add observers to 'config/environment.rb'
+ 
+config.active_record.observers = "Authorizer::UserObserver", "Authorizer::ObjectObserver"

data/README.rdoc

@@ -0,0 +1,160 @@
+= authorizer
+
+* https://github.com/cmdjohnson/authorizer
+
+== DESCRIPTION:
+
+Authorizer is a gem for Ruby (in conjunction with Rails 2.3) that does authorization for you on a per-object basis. What makes this gem different from e.g. declarative_authorization and cancan is they define one role for the entire application. With Authorizer, you define roles for different users on every Rails object.
+
+Let's use a Dropbox analogy.
+
+With Dropbox, you can choose which folder you want to share. For instance:
+
+Al has a home folder with these subfolders in it:
+ - Music (shared with Bob)
+ - Pictures (shared with Casper and Bob)
+ - News (shared with no-one)
+ 
+This causes Al to have all 3 folders in his Dropbox. Bob has 2 and Casper has only 1 folder called Pictures. 
+
+In other words, a user has access to a subset of the entire collection of folders. Bob has access to 2 of Al's folders, namely Music and Pictures. But he doesn't even see the News folder, nor can he download files from it. 
+
+Bob's access to the two folders is both read and write, so let's call that role "admin". Al is the owner of all 3 folders and has a role called "owner". This leads to the following Roles table:
+
+ folder_name	user_name           role
+ Music		Al                  owner
+ 		Bob                 admin
+ Pictures	Al                  owner
+ 		Bob                 admin
+ 		Casper              admin
+ News		Al                  owner
+
+Now if we would allow Bob to also access the News folder but only read from it, we could add the role called "reader" to the table:
+
+ folder_name	user_name           role
+ News		Bob                 reader
+
+This is exactly what Authorizer does for your Rails application.
+
+== FEATURES/PROBLEMS:
+
+Handles authorization for you.
+
+== SYNOPSIS:
+
+Authorize a user on an object
+
+ Authorizer::Base.authorize_user( :object => object )
+
+ => true/false
+
+If you want to know if the current user is authorized on an object, use:
+
+ Authorizer::Base.user_is_authorized?( :object => object)
+ => true/false
+ 
+Remove authorization from an object
+
+ Authorizer::Base.remove_authorization( :object => object )
+ => true/false
+ 
+Find all objects that the current user is authorized to use
+
+ Authorizer::Base.find("Post", :all, { :conditions => { :name => "my_post" } }) # [ #<Post id: 1>, #<Post id: 2> ]
+ Authorizer::Base.find("Post", :first) #<Post id: 1>
+ Authorizer::Base.find("Post", [ 1, 6 ]) # [ #<Post id: 1>, #<Post id: 6> ]
+
+If you are using inherited_resources, you can also use these filters in your controller class:
+
+ # own created objects so you can access them after creation
+ after_filter :own_created_object, :only => :create
+ # authorize entire controller
+ before_filter :authorize, :only => [ :show, :edit, :update, :destroy ]
+
+This obviously works out of the box with resource-oriented controllers, but with anything different you'll have to make your own choices.
+
+If you're just getting started with Authorizer but you already have a running app, you can have one user own all objects with this method:
+
+ Authorizer::Admin.create_brand_new_object_roles(:user => User.first)
+
+This method will guess what objects to use by checking for descendants of ActiveRecord::Base.
+
+If you just want to do this for the Post and Category classes, use:
+
+ Authorizer::Admin.create_brand_new_object_roles(:user => User.first, :objects => [ "Post", "Category" ])
+
+Authorizer uses ActiveRecord observers to make sure it doesn't make any mess, for instance, when a user is deleted, all of his authorization objects are deleted as well. Should you want more control over this garbage collection process, or if you are a cleanfreak, use this to get rid of any stale authorization objects lying around in your database: (protip: embed into rake task!)
+
+ Authorizer::Admin.remove_all_unused_authorization_objects
+
+== REQUIREMENTS:
+
+ - Ruby (this gem was tested with 1.8.7)
+ - Rails 2.3 (tested with 2.3.11 and 2.3.12)
+ - Authlogic (for authentication)
+
+Optional:
+ - inherited_resources if you want to use the controller filters supplied with this gem. Otherwise, you'll have to check for authorization yourself.
+
+== INSTALL:
+
+Installation
+===
+
+ 1. sudo gem install authorizer
+ 2. add "authorizer" to your Gemfile (I hope you've stopped using config.gem already even if you are on Rails 2.3?)
+ 3. generate a migration for authorization objects:
+
+ script/generate migration CreateObjectRoles
+
+Paste this code into the newly generated file:
+
+ def self.up
+  create_table :object_roles do |t|
+    t.string :klazz_name
+    t.integer :object_reference
+    t.references :user
+    t.string :role
+    
+    t.timestamps
+  end
+ end
+
+ def self.down
+  drop_table :object_roles
+ end
+
+ 4. run "rake db:migrate" to migrate your database
+ 
+That's it!
+
+== DEVELOPERS:
+
+Reviews, patches and bug tickets are welcome!
+
+{authorizer_project}[https://github.com/cmdjohnson/authorizer_project] is a sample project that shows the usage of the Authorizer gem. It also contains all tests for your testing pleasure.
+
+== LICENSE:
+
+(The MIT License)
+
+Copyright (c) 2011 Commander Johnson <commanderjohnson@gmail.com>
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,26 @@
+require 'rubygems'
+gem 'hoe', '>= 2.1.0'
+require 'hoe'
+require 'fileutils'
+require './lib/authorizer'
+
+Hoe.plugin :newgem
+# Hoe.plugin :website
+# Hoe.plugin :cucumberfeatures
+
+# Generate all the Rake tasks
+# Run 'rake -T' to see list of generated tasks (from gem root directory)
+$hoe = Hoe.spec 'authorizer' do
+  self.developer 'CmdJohnson', 'commanderjohnson@gmail.com'
+  self.post_install_message = 'PostInstall.txt' 
+  self.rubyforge_name       = self.name 
+  self.extra_deps         = [['options_checker','>= 0.0.1']]
+
+end
+
+require 'newgem/tasks'
+Dir['tasks/**/*.rake'].each { |t| load t }
+
+# TODO - want other tests/tasks run by default? Add them to the list
+# remove_task :default
+# task :default => [:spec, :features]

data/app/models/object_role.rb

@@ -0,0 +1,59 @@
+# -*- encoding : utf-8 -*-
+class ObjectRole < ActiveRecord::Base
+  ##############################################################################
+  # class methods
+  ##############################################################################
+
+  def self.roles
+    [ "owner" ]
+  end
+
+  # What ObjectRoles does this object have associated?
+  def self.find_all_by_object(object)
+    raise "Can only operate on ActiveRecord::Base objects." unless object.is_a?(ActiveRecord::Base)
+    raise "Can only operate on saved objects" if object.new_record?
+
+    klazz_name = object.class.to_s
+    object_reference = object.id
+
+    ObjectRole.find(:all, :conditions => { :klazz_name => klazz_name, :object_reference => object_reference } )
+  end
+
+  ##############################################################################
+  # associations
+  ##############################################################################
+
+  belongs_to :user
+
+  ##############################################################################
+  # validations
+  ##############################################################################
+  
+  validates_presence_of :klazz_name, :object_reference, :user_id, :role
+  validates_numericality_of :object_reference, :only_integer => true
+  validates_inclusion_of :role, :in => ObjectRole.roles
+
+  ##############################################################################
+  # constructor
+  ##############################################################################
+
+  ##############################################################################
+  # instance methods
+  ##############################################################################
+
+  def description
+    "#{self.klazz_name} #{self.object_reference}"
+  end
+
+  def object
+    obj = nil
+
+    begin
+      klazz = eval(self.klazz_name)
+      obj = klazz.find(self.object_reference)
+    rescue
+    end
+
+    obj
+  end
+end

data/lib/authorizer.rb

@@ -0,0 +1,7 @@
+# -*- encoding : utf-8 -*-
+$:.unshift(File.dirname(__FILE__)) unless
+  $:.include?(File.dirname(__FILE__)) || $:.include?(File.expand_path(File.dirname(__FILE__)))
+
+module Authorizer
+  VERSION = '0.0.1'
+end

data/lib/authorizer/admin.rb

@@ -0,0 +1,112 @@
+# -*- encoding : utf-8 -*-
+module Authorizer
+  ############################################################################
+  # helper class that does administrative functions for you
+  ############################################################################
+  class Admin < Base
+    # not everybody uses "User" as user class name. We do :o -=- :))) ffFF  ww ppO :)))
+    @@user_class_name = "User"
+
+    ############################################################################
+    # create_brand_new_object_roles
+    #
+    # For if you've been working without Authorizer and want to start using it.
+    # Obviously, if you don't have any ObjectRoles then you'll find yourself blocked out of your own app.
+    # This method will assign all objects listed in an array to a certain user.
+    # For instance:
+    #
+    # user = User.find(1)
+    # objects = [ "Post", "Category" ]
+    # Authorizer::Admin.create_brand_new_object_roles( :user => user, :objects => objects )
+    #
+    # If objects is not specified, Admin will look for all descendants of ActiveRecord::Base
+    # and exclude the ObjectRole and User classes.
+    #
+    # Authorizer::Admin.create_brand_new_object_roles( :user => user )
+    ############################################################################
+
+    def self.create_brand_new_object_roles(options = {})
+      OptionsChecker.check(options, [ :user ])
+
+      objects = gather_direct_descendants_of_activerecord_base || options[:objects]
+
+      ret = false
+
+      raise "objects must be an Array" unless objects.is_a?(Array)
+
+      # Nothing to do ..
+      return ret if objects.blank?
+
+      begin
+        user_id = options[:user].id
+      rescue
+      end
+
+      unless user_id.nil?
+        for object in objects
+          evaled_klazz = nil
+
+          begin
+            evaled_klazz = eval(object)
+          rescue
+          end
+
+          unless evaled_klazz.nil?
+            # One is enough to return exit status OK.
+            ret = true
+            # Let's find all. This is the same as Post.all
+            if evaled_klazz.is_a?(Class)
+              collection = evaled_klazz.all
+
+              # Go
+              unless collection.blank?
+                for coll_ in collection
+                  ObjectRole.create!( :klazz_name => object, :object_reference => coll_.id, :user_id => user_id, :role => "owner" )
+                end
+              end
+            end
+          end
+        end
+      end
+
+      ret
+    end
+
+    ############################################################################
+    # remove_all_unused_authorization_objects
+    #############################################################################
+    # Remove all stale (non-object) authorization objects.
+    ############################################################################
+
+    def self.remove_all_unused_authorization_objects options = {}
+      # no options
+      # ___
+      # Let's iterate all ObjectRoles
+      for object_role in ObjectRole.all
+        object_role.destroy if object_role.object.nil?
+      end
+    end
+
+    protected
+
+    ############################################################################
+    # gather_direct_descendants_of_activerecord_base
+    ############################################################################
+
+    def self.gather_direct_descendants_of_activerecord_base
+      ret = []
+
+      classes = ActiveRecord::Base.send(:subclasses)
+
+      # Go through it twice to determine direct descendants
+      for klazz in classes
+        # Push the class name, not the class object itself.
+        klazz_name = klazz.to_s
+        # May never use the ObjectRole or User class.
+        ret.push klazz_name if !klazz_name.eql?("ObjectRole") && !klazz_name.eql?(@@user_class_name)
+      end
+
+      ret
+    end
+  end
+end

data/lib/authorizer/application_controller.rb

@@ -0,0 +1,65 @@
+# -*- encoding : utf-8 -*-
+# Use this file to add a couple of helper methods to ApplicationController
+
+################################################################################
+# Addendum to ApplicationController
+################################################################################
+# These methods are heavily dependent on InheritedResources, more specifically the 'resource' method.
+#
+# Otherwise there would be no predefined way of peeking into a controller's resource object.
+################################################################################
+
+# for user_not_authorized
+require 'authorizer/exceptions'
+
+class ApplicationController < ActionController::Base
+  helper_method :own_created_object, :authorize
+
+  private
+
+  ##############################################################################
+  # authorizer
+  ##############################################################################
+
+  def own_created_object
+    ret = true # always return true otherwise the filter chain would be blocked.
+
+    begin
+      r = resource
+    rescue
+    end
+
+    unless r.nil?
+      # only if this objet was successfully created will we do this.
+      unless r.new_record?
+        Authorizer::Base.authorize_user( :object => r )
+      end
+    end
+
+    ret
+  end
+
+  def authorize
+    ret = false # return false by default, effectively using a whitelist method.
+
+    begin
+      r = resource
+    rescue      
+    end
+
+    unless r.nil?
+      auth = Authorizer::Base.user_is_authorized?( :object => r )
+
+      if auth.eql?(false)
+        raise Authorizer::UserNotAuthorized.new("You are not authorized to access this resource.")
+      end
+    end
+
+    ret
+  end
+
+  ##############################################################################
+  # end authorizer
+  ##############################################################################
+end
+

data/lib/authorizer/base.rb

@@ -0,0 +1,320 @@
+# -*- encoding : utf-8 -*-
+################################################################################
+# Authorizer
+#
+# Authorizer is a Ruby class that authorizes using the ObjectRole record.
+################################################################################
+
+# for user_not_authorized
+require 'authorizer/exceptions'
+require 'authorizer/application_controller'
+
+module Authorizer
+  class Base < ApplicationController
+    ############################################################################
+    # authorize_user
+    #
+    # If no user is specified, authorizes the current user.
+    # If no role is specified, "owner" is used as role.
+    ############################################################################
+
+    def self.authorize_user(options)
+      OptionsChecker.check(options, [ :object ])
+
+      ret = false
+
+      object = options[:object]
+      role = options[:role] || "owner"
+      user = options[:user] || get_current_user
+
+      return false if basic_check_fails?(options)
+
+      check_user(user)
+      # Checks done. Let's go.
+
+      or_ = find_object_role(object, user)
+
+      # This time, we want it to be nil.
+      if or_.nil? && !user.nil?
+        klazz_name = object.class.to_s
+        object_reference = object.id
+
+        ObjectRole.create!( :klazz_name => klazz_name, :object_reference => object_reference, :user => user, :role => role )
+        Rails.logger.debug("Authorizer: created authorization on #{object} for current_user with ID #{user.id} witih role #{role}")
+        ret = true
+      end
+
+      ret
+    end
+
+    ############################################################################
+    # user_is_authorized?
+    #
+    # If no user is specified, current_user is used.
+    ############################################################################
+
+    def self.user_is_authorized? options
+      OptionsChecker.check(options, [ :object ])
+
+      ret = false
+
+      check = basic_check_fails?(options)
+      return ret if check
+
+      object = options[:object]
+      user = options[:user] || get_current_user
+
+      # Checks
+      check_user(user)
+      # Checks done. Let's go.
+
+      or_ = find_object_role(object, user)
+        
+      # Congratulations, you've been Authorized.
+      unless or_.nil?
+        ret = true
+      end
+
+      if ret
+        Rails.logger.debug("Authorizer: authorized current_user with ID #{user.id} to access #{or_.description} because of role #{or_.role}") unless user.nil? || or_.nil?
+      else
+        Rails.logger.debug("Authorizer: authorization failed for current_user with ID #{user.id} to access #{object.to_s}") unless user.nil? || object.nil?
+      end
+
+      ret
+    end
+
+    ############################################################################
+    # remove_authorization
+    ############################################################################
+    # Remove authorization a user has on a certain object.
+    ############################################################################
+
+    def self.remove_authorization options = {}
+      OptionsChecker.check(options, [ :object ])
+
+      ret = false
+
+      return ret if basic_check_fails?(options)
+
+      object = options[:object]
+      user = options[:user] || get_current_user
+
+      # Check
+      check_user(user)
+      # Checks done. Let's go.
+
+      or_ = find_object_role(object, user)
+
+      unless or_.nil?
+        Rails.logger.debug("Authorizer: removed authorization for user ID #{user.id} on #{or_.description}")
+
+        or_.destroy
+
+        ret = true
+      end
+
+      ret
+    end
+
+    ############################################################################
+    # find
+    ############################################################################
+    # Out of the collection of all Posts, return the subset that belongs to the current user.
+    # External method that maps to the internal_find which is the generic find method.
+    #
+    # Arguments:
+    #  - class_name: which class to use, e.g. "Post"
+    #  - what: will be passed on to the ActiveRecord find function (e.g. Post.find(what))
+    #  - find_options: will also be passed on (e.g. Post.find(what, find_options))
+    #  - authorizer_options: options for authorizer, e.g. { :user => @user }
+    ############################################################################
+
+    def self.find(class_name, what, find_options = {}, authorizer_options = {})
+      options = { :class_name => class_name, :what => what, :find_options => find_options }
+      my_options = authorizer_options.merge(options) # options overrides user-specified options.
+
+      internal_find(my_options)
+    end
+
+    ############################################################################
+    # is_authorized?
+    #
+    # Checks if the corresponding role.eql?("owner")
+    ############################################################################
+
+    def self.is_authorized? object
+      user_is_authorized? :object => object
+    end
+
+    ############################################################################
+    # create_ownership
+    #
+    # ObjectRole.create!( :klazz_name => object.class.to_s, :object_reference => object.id, :user => current_user, :role => "owner" )
+    ############################################################################
+
+    def self.create_ownership object
+      ret = false
+
+      return ret if basic_check_fails?(object)
+
+      ret = authorize_user( :object => object )
+
+      ret
+    end
+
+    protected
+
+    ############################################################################
+    # get_current_user
+    ############################################################################
+    # helper method to not be dependent on the current_user method
+    ############################################################################
+
+    def self.get_current_user
+      ret = nil
+
+      begin
+        session = UserSession.find
+        ret = session.user
+      rescue
+      end
+
+      ret
+    end
+
+    ############################################################################
+    # internal_find
+    ############################################################################
+    # Extract some info from ObjectRole objects and then pass the info through
+    # to the ActiveRecord finder.
+    ############################################################################
+
+    def self.internal_find(options = {})
+      # Options
+      OptionsChecker.check(options, [ :what, :class_name ])
+
+      # assign
+      class_name = options[:class_name]
+      what = options[:what]
+      find_options = options[:find_options] || {}
+      user = options[:user] || get_current_user
+
+      # We don't do the what checks anymore, ActiveRecord::Base.find does that for us now.
+      #what_checks = [ :all, :first, :last, :id ]
+      #raise "What must be one of #{what_checks.inspect}" unless what_checks.include?(what)
+
+      # Check userrrrrrrrrrrr --- =====================- ---= ===-=- *&((28 @((8
+      check_user(user)
+      # rrrr
+      ret = nil
+      # Checks
+      # Checks done. Let's go.
+      # Get the real klazz
+      klazz = nil
+      # Check it
+      begin
+        klazz = eval(class_name)
+      rescue
+      end
+      # oooo ooo ooo ___ --- === __- --_- ++_+_ =--- +- =+=-=- =-=    <--- ice beam!
+      unless klazz.nil?
+        # now we know klazz really exists.
+        # let's find the object_role objects that match the user and klaz.
+        # Get the object_role objects
+        object_roles_conditions = { :klazz_name => class_name, :user_id => user.id }
+        object_roles = ObjectRole.find(:all, :conditions => object_roles_conditions )
+        # Get a list of IDs. These are objects that are owned by the current_user
+        object_role_ids = object_roles.collect { |or_| or_.object_reference } # [ 1, 1, 1, 1 ]
+        # Make it at least an array if object_role_ids returns nil
+        object_role_ids ||= []
+        # Try to emulate find as good as we can
+        # so don't skip this, try to always pass it on.
+        unless object_roles.nil?
+          # Prepare find_options
+          leading_find_options = {} # insert conventions here if needed
+          my_find_options = find_options.merge(leading_find_options)
+          # If the user passed an Array we should filter it with the list of available (authorized) objects.
+          #
+          # http://www.ruby-doc.org/core/classes/Array.html
+          # &
+          # Set Intersection—Returns a new array containing elements common to the two arrays, with no duplicates.
+          safe_what = what
+          if what.is_a?(Array)
+            safe_what = what & object_role_ids
+          end
+          # The big show. Let's call out F I N D !!!!!!
+          # INF FINFD FIWI FFIND IF FIND FIND FIND FIND FIND FIND FIND FIND
+          # FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND
+          # FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND
+          # FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND
+          # FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND
+          # FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND
+          # FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND
+          # FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND
+          # FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND
+          # FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND
+          # FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND FIND
+          if safe_what.eql?(:all)
+            ret = klazz.find(:all, my_find_options)
+          elsif safe_what.eql?(:first)
+            ret = klazz.find(object_role_ids.first, my_find_options)
+          elsif safe_what.eql?(:last)
+            ret = klazz.find(object_role_ids.last, my_find_options)
+          else
+            ret = klazz.find(safe_what, my_find_options)
+          end
+          # SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT????
+          # SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT????
+          # SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT????
+          # SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT????
+          # SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT????
+          # SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT????
+          # SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT????
+          # SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT???? SAFE WHAT????
+        end
+      end
+
+      ret
+    end
+
+    def self.find_object_role(object, user)
+      return nil if object.nil? || user.nil?
+
+      # Check
+      check_user(user)
+      # Checks done. Let's go.
+    
+      klazz_name = object.class.to_s
+      object_reference = object.id
+
+      unless user.nil?
+        or_ = ObjectRole.first( :conditions => { :klazz_name => klazz_name, :object_reference => object_reference, :user_id => user.id } )
+      end
+
+      or_
+    end
+
+    def self.basic_check_fails?(options)
+      ret = false
+
+      unless options[:object].nil?
+        if !options[:object].is_a?(ActiveRecord::Base) || options[:object].new_record?
+          raise "object must be subclass of ActiveRecord::Base and must also be saved."
+        end
+      end
+
+      ret
+    end
+
+    def self.check_user(user)
+      ret = true
+
+      raise "User cannot be nil" if user.nil?
+      raise "User must inherit from ActiveRecord::Base" unless user.is_a?(ActiveRecord::Base)
+      raise "User must be saved" if user.new_record?
+
+      ret
+    end
+  end
+end

data/lib/authorizer/exceptions.rb

@@ -0,0 +1,6 @@
+# -*- encoding : utf-8 -*-
+module Authorizer
+  class UserNotAuthorized < Exception
+  
+  end
+end

data/lib/authorizer/object_observer.rb

@@ -0,0 +1,21 @@
+# -*- encoding : utf-8 -*-
+module Authorizer
+  # Observes users and deleted any associated ObjectRole objects when the user gets deleted.
+  class ObjectObserver < ActiveRecord::Observer
+    # Observe this.
+    observe ActiveRecord::Base
+
+    # W DONT DO DIZ
+    # let's use before_destroy instead of after_destroy. More chance it will still have an ID >:)))))))))) :') :DDDDDDDDDDDDDDDDDDDDDDD
+    # W DONT DO DIZ
+    def after_destroy(object)
+      return nil if object.is_a?(User) # Users are covered by the other observer class.
+      # Find all ObjectRole records that point to this object.
+      object_roles = ObjectRole.find_all_by_object(object)
+      # Walk through 'em
+      for object_role in object_roles
+        object_role.destroy
+      end
+    end
+  end
+end

data/lib/authorizer/user_observer.rb

@@ -0,0 +1,26 @@
+# -*- encoding : utf-8 -*-
+module Authorizer
+  # Observes users and deleted any associated ObjectRole objects when the user gets deleted.
+  class UserObserver < ActiveRecord::Observer
+    # Observe this.
+    observe :user
+
+    # W DONT DO DIZ
+    # let's use before_destroy instead of after_destroy. More chance it will still have an ID >:)))))))))) :') :DDDDDDDDDDDDDDDDDDDDDDD
+    # W DONT DO DIZ
+    def after_destroy(user)
+      # Default
+      object_roles = []
+      # Find all ObjectRole records that point to this user's ID.
+      begin
+        object_roles = ObjectRole.find_all_by_user_id(user.id)
+      rescue
+      end
+      # Walk through 'em
+      # Not executed if anything happens (array.size = 0)
+      for object_role in object_roles
+        object_role.destroy
+      end
+    end
+  end
+end

data/rails/init.rb

@@ -0,0 +1,11 @@
+# -*- encoding : utf-8 -*-
+################################################################################
+# init.rb
+#
+# This file will load the Observers we need to prevent the database from becoming clogged with stale authorization objects.
+################################################################################
+
+config.after_initialize do
+  ActiveRecord::Base.observers << Authorizer::UserObserver
+  ActiveRecord::Base.observers << Authorizer::ObjectObserver
+end

data/script/console

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+# File: script/console
+irb = RUBY_PLATFORM =~ /(:?mswin|mingw)/ ? 'irb.bat' : 'irb'
+
+libs =  " -r irb/completion"
+# Perhaps use a console_lib to store any extra methods I may want available in the cosole
+# libs << " -r #{File.dirname(__FILE__) + '/../lib/console_lib/console_logger.rb'}"
+libs <<  " -r #{File.dirname(__FILE__) + '/../lib/authorizer.rb'}"
+puts "Loading authorizer gem"
+exec "#{irb} #{libs} --simple-prompt"

data/script/destroy

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+APP_ROOT = File.expand_path(File.join(File.dirname(__FILE__), '..'))
+
+begin
+  require 'rubigen'
+rescue LoadError
+  require 'rubygems'
+  require 'rubigen'
+end
+require 'rubigen/scripts/destroy'
+
+ARGV.shift if ['--help', '-h'].include?(ARGV[0])
+RubiGen::Base.use_component_sources! [:rubygems, :newgem, :newgem_theme, :test_unit]
+RubiGen::Scripts::Destroy.new.run(ARGV)

data/script/generate

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+APP_ROOT = File.expand_path(File.join(File.dirname(__FILE__), '..'))
+
+begin
+  require 'rubigen'
+rescue LoadError
+  require 'rubygems'
+  require 'rubigen'
+end
+require 'rubigen/scripts/generate'
+
+ARGV.shift if ['--help', '-h'].include?(ARGV[0])
+RubiGen::Base.use_component_sources! [:rubygems, :newgem, :newgem_theme, :test_unit]
+RubiGen::Scripts::Generate.new.run(ARGV)

metadata

@@ -0,0 +1,149 @@
+--- !ruby/object:Gem::Specification 
+name: authorizer
+version: !ruby/object:Gem::Version 
+  hash: 29
+  prerelease: false
+  segments: 
+  - 0
+  - 0
+  - 1
+  version: 0.0.1
+platform: ruby
+authors: 
+- CmdJohnson
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2011-07-26 00:00:00 +02:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: options_checker
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 29
+        segments: 
+        - 0
+        - 0
+        - 1
+        version: 0.0.1
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: hoe
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 47
+        segments: 
+        - 2
+        - 8
+        - 0
+        version: 2.8.0
+  type: :development
+  version_requirements: *id002
+description: |-
+  Authorizer is a gem for Ruby (in conjunction with Rails 2.3) that does authorization for you on a per-object basis. What makes this gem different from e.g. declarative_authorization and cancan is they define one role for the entire application. With Authorizer, you define roles for different users on every Rails object.
+  
+  Let's use a Dropbox analogy.
+  
+  With Dropbox, you can choose which folder you want to share. For instance:
+  
+  Al has a home folder with these subfolders in it:
+   - Music (shared with Bob)
+   - Pictures (shared with Casper and Bob)
+   - News (shared with no-one)
+   
+  This causes Al to have all 3 folders in his Dropbox. Bob has 2 and Casper has only 1 folder called Pictures. 
+  
+  In other words, a user has access to a subset of the entire collection of folders. Bob has access to 2 of Al's folders, namely Music and Pictures. But he doesn't even see the News folder, nor can he download files from it. 
+  
+  Bob's access to the two folders is both read and write, so let's call that role "admin". Al is the owner of all 3 folders and has a role called "owner". This leads to the following Roles table:
+  
+   folder_name	user_name           role
+   Music		Al                  owner
+   		Bob                 admin
+   Pictures	Al                  owner
+   		Bob                 admin
+   		Casper              admin
+   News		Al                  owner
+  
+  Now if we would allow Bob to also access the News folder but only read from it, we could add the role called "reader" to the table:
+  
+   folder_name	user_name           role
+   News		Bob                 reader
+  
+  This is exactly what Authorizer does for your Rails application.
+email: 
+- commanderjohnson@gmail.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- History.txt
+- Manifest.txt
+- PostInstall.txt
+files: 
+- History.txt
+- Manifest.txt
+- PostInstall.txt
+- README.rdoc
+- Rakefile
+- lib/authorizer.rb
+- script/console
+- script/destroy
+- script/generate
+- lib/authorizer/admin.rb
+- lib/authorizer/application_controller.rb
+- lib/authorizer/base.rb
+- lib/authorizer/exceptions.rb
+- lib/authorizer/object_observer.rb
+- lib/authorizer/user_observer.rb
+- app/models/object_role.rb
+- rails/init.rb
+has_rdoc: true
+homepage: https://github.com/cmdjohnson/authorizer
+licenses: []
+
+post_install_message: PostInstall.txt
+rdoc_options: 
+- --main
+- README.rdoc
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: authorizer
+rubygems_version: 1.3.7
+signing_key: 
+specification_version: 3
+summary: Authorizer is a gem for Ruby (in conjunction with Rails 2.3) that does authorization for you on a per-object basis
+test_files: []
+