base_auth 0.2.1

data/.gitignore

@@ -0,0 +1 @@
+/pkg

data/README.rdoc

@@ -0,0 +1,130 @@
+= BaseAuth
+
+== 0.2 beta
+
+=== Best Authorization System Ever
+
+== Installation
+
+Install it as you would any other plugin from github, i.e. 
+  script/plugin install git://github.com/aenima/base-auth.git
+
+== Authorization by Controller
+
+=== Key concept
+
+This plugin makes 2 assumptions:
+
+- you have a current_user method in your controller which returns the currently signed in user which you want to check authorization for.
+- you check authorization using instance methods of your user objects
+
+This worked really well for me so far, so there's a slight chance it will also work for you.
+
+=== Using as a before filter
+
+Simple example:
+
+  class ArticleController < ApplicationController
+    deny :user => :is_guest?
+  end
+
+The above example will deny all guest access (will call current_user.is_guest? method to determine if the user is a guest or not). If you want to allow guests to list articles, but nothing more, use:
+
+  allow :index, :user => :is_guest?
+
+or
+
+  allow :only => :index, :user => :is_guest?
+
+if you want to allow every user who is guest OR admin, you'd go:
+
+  allow :index, :user => [ :is_guest?, :is_admin? ]
+
+if you give an Array as :user value, at least one condition has to be met. For more sophisticated conditions you can pass a string, which will be instance_eval'd:
+
+  allow :index, :user => 'is_guest? or ( is_admin? and is_moderator? )'
+
+Still, there are cases when you want to check something in the controller.
+In that case you can use :exec param instead of :user like this:
+
+  class ArticleController < ApplicationController
+    allow :exec => :check_auth
+    
+    def check_auth
+      session[:allowed] == 'yes'
+    end
+  end
+
+You can also pass a string, which will be eval'd, or a Proc, which will be called.
+
+If you pass a method which accepts arguments, an object will be passed to it as a parameter. Which obejct? By default an instance variable named after singluarized controller name. So:
+
+  class ArticleController < ApplicationController
+    allow :edit, :update, :user => :owns?
+  end
+
+Will call current_user.owns?( @article ) to check for permission. You can override this by passing :object argument, which can be a Symbol (naming instance variable to be used) or the object itself.
+
+By default an Authorization::PermisionDenied exception will be raised. You can also use :method parameter to specify which method should be called instead or :redirect_to to redirect user instead.
+
+With :message parameter you can pass a message that will be stored in exception.
+
+
+=== Using in actions
+
+In actions you can use allow!, deny!, allow? and deny? methods. The ones with '!' will raise an exception, while the ones with '?' will only return true or false:
+
+  def destroy
+    allow! :user => :owns?
+    @article.destroy
+  end
+
+
+=== Using in views
+
+You can use allow and deny methods in your views and pass them a block to execute:
+
+<% allow :user => :is_admin? do %>
+  Only admins can see that!
+<% end>
+
+<% deny :user => :is_guest? do %>
+  You can't see it if you're a guest.
+<% end %>
+
+
+== Authorization by model
+
+Since version 0.2 the code has been modularized a bit and you can also authorize by model (single instance for now). It's usage is dead easy and straightforward. You just have to implement authorize instance method in a given model (as a parameter it takes user to authorize against). You don't even have to do it if you're satisfied with default implementation (supplied with plugin):
+
+  def authorize(user)
+    user.id == self.user_id
+  end
+
+This method is used by authorize! instance method which works exactly like allow! - i.e. does nothing (returns the model) if authorized and throws Authorization::PermissionDenied if not authorized:
+
+  @item = ItemModel.find(35).authorize!(current_user) #throws an exception if current_user is not authorized
+
+
+== Notes
+
+If you're using rails older than 2.0 rescuing exceptions can be a pain. For rails 1.2 I recommend using exceptional plugin:
+
+http://agilewebdevelopment.com/plugins/exceptional
+
+
+== ToDo
+
+- add support for :if parameted (should behave like the one in validations)
+- make it possible to configure default behavior (so you don't have to pass :method parameter everywhere if you always want to call a method instead of raising exception)
+- better documentation
+- model authorization: configuration of authorize! method to allow for redirection etc. (now it can only throw exceptions)
+- model authorization: authorize_for!(:actionname), i.e. let user define and use per-action authorization for a given model (different auth checks for different actions), by authorize_for_actionname methods in model
+- refactor the code structure (divide into three files)
+
+
+== Credits & Licensing
+
+Copyright (c) by Robert Nasiadek at <robert@aenima.pl>. Maintenance and small modifications (model-based auth) by Tomasz Stachewicz <tomasz.stachewicz@aenima.pl>. Distributed under MIT license.
+
+You can find more cool stuff by Aenima on our Github (http://github.com/aenima) and our blog (http://blog.aenima.pl/).

data/Rakefile

@@ -0,0 +1,52 @@
+require 'rubygems'
+require 'rake'
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gem|
+    gem.name = "base_auth"
+    gem.summary = %Q{A simple and elegant solution to authorization suitable for most small and medium-sized projects.}
+    gem.description = %Q{A simple and elegant solution to authorization suitable for most small and medium-sized projects.}
+    gem.email = "drogus@gmail.com"
+    gem.homepage = "http://github.com/drogus/base_auth"
+    gem.authors = ["Piotr Sarnacki"]
+    # gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts "Jeweler (or a dependency) not available. Install it with: gem install jeweler"
+end
+
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/test_*.rb'
+  test.verbose = true
+end
+
+begin
+  require 'rcov/rcovtask'
+  Rcov::RcovTask.new do |test|
+    test.libs << 'test'
+    test.pattern = 'test/**/test_*.rb'
+    test.verbose = true
+  end
+rescue LoadError
+  task :rcov do
+    abort "RCov is not available. In order to run rcov, you must: sudo gem install spicycode-rcov"
+  end
+end
+
+task :test => :check_dependencies
+
+task :default => :test
+
+require 'rake/rdoctask'
+Rake::RDocTask.new do |rdoc|
+  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "base_auth #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/VERSION

@@ -0,0 +1 @@
+0.2.1

data/base_auth.gemspec

@@ -0,0 +1,118 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run the gemspec command
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{base_auth}
+  s.version = "0.2.1"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Piotr Sarnacki"]
+  s.date = %q{2010-03-15}
+  s.description = %q{A simple and elegant solution to authorization suitable for most small and medium-sized projects.}
+  s.email = %q{drogus@gmail.com}
+  s.extra_rdoc_files = [
+    "README.rdoc"
+  ]
+  s.files = [
+    ".gitignore",
+     "README.rdoc",
+     "Rakefile",
+     "VERSION",
+     "base_auth.gemspec",
+     "init.rb",
+     "lib/base_auth.rb",
+     "tasks/base_auth_tasks.rake",
+     "test/helper.rb",
+     "test/models/user.rb",
+     "test/rails_app/README",
+     "test/rails_app/Rakefile",
+     "test/rails_app/app/controllers/application_controller.rb",
+     "test/rails_app/app/helpers/application_helper.rb",
+     "test/rails_app/config/boot.rb",
+     "test/rails_app/config/database.yml",
+     "test/rails_app/config/environment.rb",
+     "test/rails_app/config/environments/development.rb",
+     "test/rails_app/config/environments/production.rb",
+     "test/rails_app/config/environments/test.rb",
+     "test/rails_app/config/initializers/backtrace_silencers.rb",
+     "test/rails_app/config/initializers/inflections.rb",
+     "test/rails_app/config/initializers/mime_types.rb",
+     "test/rails_app/config/initializers/new_rails_defaults.rb",
+     "test/rails_app/config/initializers/session_store.rb",
+     "test/rails_app/config/locales/en.yml",
+     "test/rails_app/config/routes.rb",
+     "test/rails_app/db/seeds.rb",
+     "test/rails_app/db/test.sqlite3",
+     "test/rails_app/doc/README_FOR_APP",
+     "test/rails_app/log/development.log",
+     "test/rails_app/log/production.log",
+     "test/rails_app/log/server.log",
+     "test/rails_app/log/test.log",
+     "test/rails_app/public/404.html",
+     "test/rails_app/public/422.html",
+     "test/rails_app/public/500.html",
+     "test/rails_app/public/favicon.ico",
+     "test/rails_app/public/images/rails.png",
+     "test/rails_app/public/index.html",
+     "test/rails_app/public/javascripts/application.js",
+     "test/rails_app/public/javascripts/controls.js",
+     "test/rails_app/public/javascripts/dragdrop.js",
+     "test/rails_app/public/javascripts/effects.js",
+     "test/rails_app/public/javascripts/prototype.js",
+     "test/rails_app/public/robots.txt",
+     "test/rails_app/script/about",
+     "test/rails_app/script/console",
+     "test/rails_app/script/dbconsole",
+     "test/rails_app/script/destroy",
+     "test/rails_app/script/generate",
+     "test/rails_app/script/performance/benchmarker",
+     "test/rails_app/script/performance/profiler",
+     "test/rails_app/script/plugin",
+     "test/rails_app/script/runner",
+     "test/rails_app/script/server",
+     "test/rails_app/test/performance/browsing_test.rb",
+     "test/rails_app/test/test_helper.rb",
+     "test/schema.rb",
+     "test/test_base_auth.rb"
+  ]
+  s.homepage = %q{http://github.com/drogus/base_auth}
+  s.rdoc_options = ["--charset=UTF-8"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.3.6}
+  s.summary = %q{A simple and elegant solution to authorization suitable for most small and medium-sized projects.}
+  s.test_files = [
+    "test/helper.rb",
+     "test/models/user.rb",
+     "test/rails_app/app/controllers/application_controller.rb",
+     "test/rails_app/app/helpers/application_helper.rb",
+     "test/rails_app/config/boot.rb",
+     "test/rails_app/config/environment.rb",
+     "test/rails_app/config/environments/development.rb",
+     "test/rails_app/config/environments/production.rb",
+     "test/rails_app/config/environments/test.rb",
+     "test/rails_app/config/initializers/backtrace_silencers.rb",
+     "test/rails_app/config/initializers/inflections.rb",
+     "test/rails_app/config/initializers/mime_types.rb",
+     "test/rails_app/config/initializers/new_rails_defaults.rb",
+     "test/rails_app/config/initializers/session_store.rb",
+     "test/rails_app/config/routes.rb",
+     "test/rails_app/db/seeds.rb",
+     "test/rails_app/test/performance/browsing_test.rb",
+     "test/rails_app/test/test_helper.rb",
+     "test/schema.rb",
+     "test/test_base_auth.rb"
+  ]
+
+  if s.respond_to? :specification_version then
+    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
+    else
+    end
+  else
+  end
+end
+

data/init.rb

@@ -0,0 +1 @@
+require 'base_auth'

data/lib/base_auth.rb

@@ -0,0 +1,175 @@
+# BaseAuth
+
+module Authorization
+
+  DEFAULT_PERMISSION_DENIED_MESSAGE = 'You have no permissions to access this page.'
+
+  def self.included( base )
+    base.extend( ClassMethods )
+    base.send( :include, InstanceMethods )
+  end
+
+  class PermissionDenied < Exception
+    attr :message
+    def initialize( message = nil )
+      @message = message || DEFAULT_PERMISSION_DENIED_MESSAGE
+    end
+    def clean_message
+      @message
+    end
+    def to_s
+      @message
+    end
+  end
+  
+  module InstanceMethods
+  
+    def eval_authorization_conditions( conditions, user_for_auth )
+      exec = conditions[:exec]
+      if exec
+        case exec.class.name
+          when 'Symbol':
+            send( exec )
+          when 'String':
+            eval( exec )
+          when 'Proc':
+            exec.call
+          else
+            raise ArgumentError( ":exec doesn't accept values of class #{exec.class.name}" )
+        end
+      elsif conditions[:user]
+        if conditions[:user].is_a?( String )
+          return user_for_auth.instance_eval conditions[:user]
+        end
+        o = conditions[:object] || controller_name.singularize.to_sym
+        object = o.is_a?( Symbol ) ? eval("@#{o}") : o
+        
+        methods = conditions[:user]
+        methods = [ methods ] if not methods.is_a?( Array )
+        
+        for method in methods
+          if user_for_auth.respond_to?( method ) and
+             user_for_auth.method( method ).arity == 0
+            return true if user_for_auth.send( method )
+          else
+            return true if user_for_auth.send( method, object )
+          end
+        end
+        return false
+      end
+    end
+    
+    def allow?( conditions )
+      eval_authorization_conditions( conditions )
+    end
+    
+    def deny?( conditions )
+      !eval_authorization_conditions( conditions )
+    end
+    
+    def allow!( conditions )
+      invoke_permission_denied_action( conditions ) unless allow?( conditions )
+    end
+    
+    def deny!( conditions )
+      invoke_permission_denied_action( conditions ) unless deny?( conditions )
+    end
+    
+    def allow( conditions )
+      if allow?( conditions )
+        yield
+      end
+    end
+
+    def deny( conditions )
+      if deny?( conditions )
+        yield
+      end
+    end
+
+    def invoke_permission_denied_action( config )
+      if config[:redirect_to]
+        redirect_to config[:redirect_to]
+      elsif config[:method]
+        send( config[:method] )
+      else
+        raise Authorization::PermissionDenied.new( config[:message] )
+      end
+      false
+    end
+    
+  end
+
+  module ClassMethods
+  
+    def authorization_filter( action, attrs )
+      config = { }
+      config.update( attrs.pop ) if attrs.last.is_a?( Hash )
+      
+      opts = {}
+      opts[:only] = config[:only]
+      opts[:only] ||= attrs unless attrs.blank?
+      opts[:except] = config[:except]
+      
+      if config[:if]
+        
+      end
+      
+      before_filter opts do |controller|
+        if action == :allow
+          controller.allow! config
+        else
+          controller.deny! config
+        end
+      end
+    end
+  
+    def allow( *attrs )
+      authorization_filter :allow, attrs
+    end
+
+    def deny( *attrs )
+      authorization_filter :deny, attrs
+    end
+  end
+
+end
+
+
+module ControllerAuthorization
+  
+  def self.included( base )
+    base.send( :include, Authorization )
+    base.send( :include, InstanceMethods )
+  end
+  
+  module InstanceMethods
+    def eval_authorization_conditions( conditions )
+      super( conditions, current_user )
+    end
+  end
+end
+
+module ModelAuthorization
+  
+  def self.included( base )
+    base.send( :include, Authorization )
+    base.send( :include, InstanceMethods )
+  end
+  
+  module InstanceMethods
+    def authorize!(for_user)
+      invoke_permission_denied_action( {} ) unless self.authorize(for_user)
+      self
+    end
+    
+    #re-implement this in your model if you check authorization in a different way
+    def authorize(user)
+      user.id == self.user_id
+    end
+  end
+end
+
+ActiveRecord::Base.send( :include, ModelAuthorization )
+ActionController::Base.send( :include, ControllerAuthorization )
+ActionController::Base.send( :helper_method, [ :allow, :deny ] )