be9-acl9 0.10.0 → 0.11.0

data/lib/acl9/model_extensions/subject.rb

@@ -1,16 +1,55 @@
 module Acl9
   module ModelExtensions
     module Subject
+      ##
+      # Role check.
+      #
+      # There is a global option, +Acl9.config[:protect_global_roles]+, which governs
+      # this method behavior.
+      #
+      # If protect_global_roles is +false+, an object role is automatically counted
+      # as global role. E.g.
+      #
+      #   Acl9.config[:protect_global_roles] = false
+      #   user.has_role!(:manager, @foo)
+      #   user.has_role?(:manager, @foo)  # => true
+      #   user.has_role?(:manager)        # => true
+      #
+      # In this case manager is anyone who "manages" at least one object.
+      #
+      # However, if protect_global_roles option set to +true+, you'll need to 
+      # explicitly grant global role with same name.
+      #
+      #   Acl9.config[:protect_global_roles] = true
+      #   user.has_role!(:manager, @foo)
+      #   user.has_role?(:manager)        # => false
+      #   user.has_role!(:manager)
+      #   user.has_role?(:manager)        # => true
+      #
+      # protect_global_roles option is +false+ by default as for now, but this 
+      # may change in future!
+      #
+      # @return [Boolean] Whether +self+ has a role +role_name+ on +object+.
+      # @param [Symbol,String] role_name Role name
+      # @param [Object] object Object to query a role on
+      #
+      # @see Acl9::ModelExtensions::Object#accepts_role?
       def has_role?(role_name, object = nil)
-        !! if object.nil?
-          self.roles.find_by_name(role_name.to_s) ||
-          self.roles.member?(get_role(role_name, nil))
+        !! if object.nil? && !::Acl9.config[:protect_global_roles]
+          self.role_objects.find_by_name(role_name.to_s) ||
+          self.role_objects.member?(get_role(role_name, nil))
         else
           role = get_role(role_name, object)
-          role && self.roles.exists?(role.id)
+          role && self.role_objects.exists?(role.id)
         end
       end
 
+      ##
+      # Add specified role on +object+ to +self+.
+      #
+      # @param [Symbol,String] role_name Role name
+      # @param [Object] object Object to add a role for
+      # @see Acl9::ModelExtensions::Object#accepts_role!
       def has_role!(role_name, object = nil)
         role = get_role(role_name, object)
 
@@ -21,37 +60,66 @@ module Acl9
                        else            { :authorizable => object }
                        end.merge(      { :name => role_name.to_s })
 
-          role = self._auth_role_class.create(role_attrs)          
+          role = self._auth_role_class.create(role_attrs)
         end
 
-        self.roles << role if role && !self.roles.exists?( role.id )
+        self.role_objects << role if role && !self.role_objects.exists?(role.id)
       end
 
+      ##
+      # Free +self+ from a specified role on +object+.
+      #
+      # @param [Symbol,String] role_name Role name
+      # @param [Object] object Object to remove a role on
+      # @see Acl9::ModelExtensions::Object#accepts_no_role!
       def has_no_role!(role_name, object = nil)
         delete_role(get_role(role_name, object))
       end
 
+      ##
+      # Are there any roles for +self+ on +object+?
+      #
+      # @param [Object] object Object to query roles
+      # @return [Boolean] Returns true if +self+ has any roles on +object+.
+      # @see Acl9::ModelExtensions::Object#accepts_roles_by?
       def has_roles_for?(object)
-        !!self.roles.detect(&role_selecting_lambda(object))
+        !!self.role_objects.detect(&role_selecting_lambda(object))
       end
 
       alias :has_role_for? :has_roles_for?
 
+      ##
+      # Which roles does +self+ have on +object+?
+      #
+      # @return [Array<Role>] Role instances, associated both with +self+ and +object+
+      # @param [Object] object Object to query roles
+      # @see Acl9::ModelExtensions::Object#accepted_roles_by
+      # @example
+      #   user = User.find(...)
+      #   product = Product.find(...)
+      #
+      #   user.roles_for(product).map(&:name).sort  #=> role names in alphabetical order
       def roles_for(object)
-        self.roles.select(&role_selecting_lambda(object))
+        self.role_objects.select(&role_selecting_lambda(object))
       end
 
+      ##
+      # Unassign any roles on +object+ from +self+.
+      #
+      # @param [Object,nil] object Object to unassign roles for. +nil+ means unassign global roles.
       def has_no_roles_for!(object = nil)
         roles_for(object).each { |role| delete_role(role) }
       end
 
+      ##
+      # Unassign all roles from +self+.
       def has_no_roles!
-        # for some reason simple 
+        # for some reason simple
         #
         #   self.roles.each { |role| delete_role(role) }
         #
         # doesn't work. seems like a bug in ActiveRecord
-        self.roles.map(&:id).each do |role_id|
+        self.role_objects.map(&:id).each do |role_id|
           delete_role self._auth_role_class.find(role_id)
         end
       end
@@ -65,8 +133,8 @@ module Acl9
         when nil
           lambda { |role| role.authorizable.nil? }
         else
-          lambda do |role| 
-            role.authorizable_type == object.class.base_class.to_s && role.authorizable == object 
+          lambda do |role|
+            role.authorizable_type == object.class.base_class.to_s && role.authorizable == object
           end
         end
       end
@@ -80,20 +148,20 @@ module Acl9
                when nil
                  [ 'name = ? and authorizable_type IS NULL and authorizable_id IS NULL', role_name ]
                else
-                 [ 
+                 [
                    'name = ? and authorizable_type = ? and authorizable_id = ?',
-                   role_name, object.class.base_class.to_s, object.id 
+                   role_name, object.class.base_class.to_s, object.id
                  ]
                end
 
         self._auth_role_class.first :conditions => cond
       end
 
-      def delete_role(role) 
+      def delete_role(role)
         if role
-          self.roles.delete role
+          self.role_objects.delete role
 
-          role.destroy if role.send(self.class.to_s.tableize).empty?
+          role.destroy if role.send(self.class.to_s.demodulize.tableize).empty?
         end
       end
 

data/test/access_control_test.rb

@@ -22,7 +22,7 @@ class Bartender
   end
 end
 
-class TheOnlyUser 
+class TheOnlyUser
   include Singleton
 
   def has_role?(role, subj)
@@ -30,6 +30,16 @@ class TheOnlyUser
   end
 end
 
+class Beholder
+  def initialize(role)
+    @role = role.to_s
+  end
+
+  def has_role?(role, obj)
+    role.to_s == @role
+  end
+end
+
 #######################################################################
 
 module BaseTests
@@ -38,18 +48,18 @@ module BaseTests
     klass.class_eval do
       [:index, :show].each do |act|
         it "should permit anonymous to #{act}" do
-          get act 
+          get act
           @response.body.should == 'OK'
         end
       end
 
       [:new, :edit, :update, :delete, :destroy].each do |act|
         it "should forbid anonymous to #{act}" do
-          get act 
+          get act
           @response.body.should == 'AccessDenied'
         end
       end
-      
+
       [:index, :show, :new, :edit, :update, :delete, :destroy].each do |act|
         it "should permit admin to #{act}" do
           get act, :user => Admin.new
@@ -66,6 +76,10 @@ module ShouldRespondToAcl
       it "should add :acl as a method" do
         @controller.should respond_to(:acl)
       end
+
+      it "should_not add :acl? as a method" do
+        @controller.should_not respond_to(:acl?)
+      end
     end
   end
 end
@@ -106,12 +120,12 @@ end
 
 class ACLIvarsTest < ActionController::TestCase
   tests ACLIvars
-  
+
   it "should allow owner of foo to destroy" do
     delete :destroy, :user => OwnerOfFoo.new
     @response.body.should == 'OK'
   end
-  
+
   it "should allow bartender to destroy" do
     delete :destroy, :user => Bartender.new
     @response.body.should == 'OK'
@@ -125,7 +139,7 @@ class ACLSubjectMethodTest < ActionController::TestCase
     get :index, :user => TheOnlyUser.instance
     @response.body.should == 'OK'
   end
-  
+
   it "should deny anonymous to index" do
     get :index
     @response.body.should == 'AccessDenied'
@@ -139,13 +153,39 @@ class ACLObjectsHashTest < ActionController::TestCase
     get :allow, :user => OwnerOfFoo.new
     @response.body.should == 'OK'
   end
-  
+
   it "should return AccessDenied when not logged in" do
     get :allow
     @response.body.should == 'AccessDenied'
   end
 end
 
+class ACLActionOverrideTest < ActionController::TestCase
+  tests ACLActionOverride
+
+  it "should allow index action to anonymous" do
+    get :check_allow, :_action => :index
+    @response.body.should == 'OK'
+  end
+
+  it "should deny show action to anonymous" do
+    get :check_allow, :_action => :show
+    @response.body.should == 'AccessDenied'
+  end
+
+  it "should deny edit action to regular user" do
+    get :check_allow_with_foo, :_action => :edit, :user => TheOnlyUser.instance
+
+    @response.body.should == 'AccessDenied'
+  end
+
+  it "should allow edit action to owner of foo" do
+    get :check_allow_with_foo, :_action => :edit, :user => OwnerOfFoo.new
+
+    @response.body.should == 'OK'
+  end
+end
+
 class ACLHelperMethodTest < ActionController::TestCase
   tests ACLHelperMethod
 
@@ -153,28 +193,116 @@ class ACLHelperMethodTest < ActionController::TestCase
     get :allow, :user => OwnerOfFoo.new
     @response.body.should == 'OK'
   end
-  
+
   it "should return AccessDenied when not logged in" do
     get :allow
     @response.body.should == 'AccessDenied'
   end
 end
 
+#######################################################################
+
+module ACLQueryMixin
+  def self.included(base)
+    base.class_eval do
+      describe "#acl_question_mark" do      # describe "#acl?" doesn't work
+        before do
+          @editor = Beholder.new(:editor)
+          @viewer = Beholder.new(:viewer)
+          @owneroffoo = OwnerOfFoo.new
+        end
+
+        [:edit, :update, :destroy].each do |meth|
+          it "should return true for editor/#{meth}" do
+            @controller.current_user = @editor
+            @controller.acl?(meth).should == true
+            @controller.acl?(meth.to_s).should == true
+          end
+
+          it "should return false for viewer/#{meth}" do
+            @controller.current_user = @viewer
+            @controller.acl?(meth).should == false
+            @controller.acl?(meth.to_s).should == false
+          end
+        end
+
+        [:index, :show].each do |meth|
+          it "should return false for editor/#{meth}" do
+            @controller.current_user = @editor
+            @controller.acl?(meth).should == false
+            @controller.acl?(meth.to_s).should == false
+          end
+
+          it "should return true for viewer/#{meth}" do
+            @controller.current_user = @viewer
+            @controller.acl?(meth).should == true
+            @controller.acl?(meth.to_s).should == true
+          end
+        end
+
+        it "should return false for editor/fooize" do
+          @controller.current_user = @editor
+          @controller.acl?(:fooize).should == false
+        end
+
+        it "should return true for foo owner" do
+          @controller.current_user = @owneroffoo
+          @controller.acl?(:fooize, :foo => MyDearFoo.instance).should == true
+        end
+      end
+    end
+  end
+end
+
+class ACLQueryMethodTest < ActionController::TestCase
+  tests ACLQueryMethod
+
+  it "should respond to :acl?" do
+    @controller.should respond_to(:acl?)
+  end
+
+  include ACLQueryMixin
+end
+
+class ACLQueryMethodWithLambdaTest < ActionController::TestCase
+  tests ACLQueryMethodWithLambda
+
+  it "should respond to :acl?" do
+    @controller.should respond_to(:acl?)
+  end
+
+  include ACLQueryMixin
+end
+
+#######################################################################
+
+class ACLNamedQueryMethodTest < ActionController::TestCase
+  tests ACLNamedQueryMethod
+
+  it "should respond to :allow_ay" do
+    @controller.should respond_to(:allow_ay)
+  end
+
+  include ACLQueryMixin
+end
+
+#######################################################################
+
 class ArgumentsCheckingTest < ActiveSupport::TestCase
   def arg_err(&block)
     lambda do
       block.call
     end.should raise_error(ArgumentError)
   end
-  
+
   it "should raise ArgumentError without a block" do
     arg_err do
       class FailureController < ApplicationController
-        access_control 
+        access_control
       end
     end
   end
-  
+
   it "should raise ArgumentError with 1st argument which is not a symbol" do
     arg_err do
       class FailureController < ApplicationController
@@ -182,7 +310,7 @@ class ArgumentsCheckingTest < ActiveSupport::TestCase
       end
     end
   end
-  
+
   it "should raise ArgumentError with more than 1 positional argument" do
     arg_err do
       class FailureController < ApplicationController
@@ -190,7 +318,7 @@ class ArgumentsCheckingTest < ActiveSupport::TestCase
       end
     end
   end
-  
+
   it "should raise ArgumentError with :helper => true and no method name" do
     arg_err do
       class FailureController < ApplicationController
@@ -198,7 +326,7 @@ class ArgumentsCheckingTest < ActiveSupport::TestCase
       end
     end
   end
-  
+
   it "should raise ArgumentError with :helper => :method and a method name" do
     arg_err do
       class FailureController < ApplicationController
@@ -207,3 +335,4 @@ class ArgumentsCheckingTest < ActiveSupport::TestCase
     end
   end
 end
+

data/test/dsl_base_test.rb

@@ -31,19 +31,19 @@ class DslTester < Acl9::Dsl::Base
     @_objects = {}
     @_current_action = nil
   end
-  
+
   def permit(user, *args)
     check_allowance(user, *args).should == true
 
     self
   end
-  
+
   def forbid(user, *args)
     check_allowance(user, *args).should == false
 
     self
   end
-  
+
   def show_code
     puts "\n", allowance_expression
     self
@@ -91,7 +91,7 @@ class DslBaseTest < Test::Unit::TestCase
   def acl(&block)
     tester = DslTester.new
     tester.acl_block!(&block)
-    
+
     tester
   end
 
@@ -99,7 +99,7 @@ class DslBaseTest < Test::Unit::TestCase
     actions.each                  { |act| tester.permit(user, act, vars) }
     (@all_actions - actions).each { |act| tester.forbid(user, act, vars) }
   end
-  
+
   before do
     @user = FakeUser.new
     @user2 = FakeUser.new
@@ -111,29 +111,29 @@ class DslBaseTest < Test::Unit::TestCase
 
   describe "default" do
     it "should set default action to deny if none specified" do
-      acl do end.default_action.should == :deny 
+      acl do end.default_action.should == :deny
     end
-    
+
     it "should set default action to allow" do
-      acl do 
+      acl do
         default :allow
       end.default_action.should == :allow
     end
-    
+
     it "should set default action to deny" do
-      acl do 
+      acl do
         default :deny
       end.default_action.should == :deny
     end
-    
+
     it "should raise ArgumentError with unknown default_action" do
-      arg_err do 
+      arg_err do
         default 123
       end
     end
-    
+
     it "should raise ArgumentError when default is called more than once" do
-      arg_err do 
+      arg_err do
         default :deny
         default :deny
       end
@@ -145,7 +145,7 @@ class DslBaseTest < Test::Unit::TestCase
       acl do
       end.forbid(nil).forbid(@user)
     end
-    
+
     it "should allow everyone with default allow" do
       acl do
         default :allow
@@ -157,7 +157,7 @@ class DslBaseTest < Test::Unit::TestCase
     it "allow should raise an ArgumentError" do
       arg_err { allow }
     end
-    
+
     it "deny should raise an ArgumentError" do
       arg_err { deny }
     end
@@ -169,20 +169,20 @@ class DslBaseTest < Test::Unit::TestCase
         allow nil
       end.permit(nil).forbid(@user)
     end
-    
+
     it "'allow anonymous' should allow anonymous, but not logged in" do
       acl do
         allow anonymous
       end.permit(nil).forbid(@user)
     end
-    
+
     it "'deny nil' should deny anonymous, but not logged in" do
       acl do
         default :allow
         deny nil
       end.forbid(nil).permit(@user)
     end
-    
+
     it "'deny anonymous' should deny anonymous, but not logged in" do
       acl do
         default :allow
@@ -192,17 +192,19 @@ class DslBaseTest < Test::Unit::TestCase
   end
 
   describe "all" do
-    it "'allow all' should allow all" do
-      acl do
-        allow all
-      end.permit(nil).permit(@user)
-    end
-    
-    it "'deny all' should deny all" do
-      acl do
-        default :allow
-        deny all
-      end.forbid(nil).forbid(@user)
+    [:all, :everyone, :everybody, :anyone].each do |pseudorole|
+      it "'allow #{pseudorole}' should allow all" do
+        acl do
+          allow send(pseudorole)
+        end.permit(nil).permit(@user)
+      end
+
+      it "'deny #{pseudorole}' should deny all" do
+        acl do
+          default :allow
+          deny send(pseudorole)
+        end.forbid(nil).forbid(@user)
+      end
     end
   end
 
@@ -214,7 +216,7 @@ class DslBaseTest < Test::Unit::TestCase
         deny :bzz
       end.permit(nil).permit(@user)
     end
-    
+
     it "should deny when deny is matched, but allow is not" do
       acl do
         default :allow
@@ -222,7 +224,7 @@ class DslBaseTest < Test::Unit::TestCase
         allow :blah
       end.forbid(nil).forbid(@user)
     end
-    
+
     it "should allow when allow is matched, but deny is not" do
       @user << :cool
       acl do
@@ -231,7 +233,7 @@ class DslBaseTest < Test::Unit::TestCase
         allow :cool
       end.permit(@user)
     end
-    
+
     it "should allow both allow and deny conditions are matched" do
       @user << :cool
       acl do
@@ -239,7 +241,7 @@ class DslBaseTest < Test::Unit::TestCase
         deny :cool
         allow :cool
       end.permit(@user)
-      
+
       acl do
         default :allow
         deny all
@@ -247,14 +249,14 @@ class DslBaseTest < Test::Unit::TestCase
       end.permit(@user).permit(nil).permit(@user2)
     end
   end
- 
+
   describe "logged_in" do
     it "'allow logged_in' should allow logged in, but not anonymous" do
       acl do
         allow logged_in
       end.forbid(nil).permit(@user)
     end
-    
+
     it "'allow logged_in' should deny logged in, but not anonymous" do
       acl do
         default :allow
@@ -271,7 +273,7 @@ class DslBaseTest < Test::Unit::TestCase
         deny :bzz
       end.forbid(nil).forbid(@user)
     end
-    
+
     it "should deny when deny is matched, but allow is not" do
       acl do
         default :deny
@@ -279,7 +281,7 @@ class DslBaseTest < Test::Unit::TestCase
         allow :blah
       end.forbid(nil).forbid(@user)
     end
-    
+
     it "should allow when allow is matched, but deny is not" do
       @user << :cool
       acl do
@@ -288,7 +290,7 @@ class DslBaseTest < Test::Unit::TestCase
         allow :cool
       end.permit(@user)
     end
-    
+
     it "should deny both allow and deny conditions are matched" do
       @user << :cool
       acl do
@@ -296,7 +298,7 @@ class DslBaseTest < Test::Unit::TestCase
         deny :cool
         allow :cool
       end.forbid(@user)
-      
+
       acl do
         default :deny
         deny all
@@ -311,7 +313,7 @@ class DslBaseTest < Test::Unit::TestCase
 
       acl { allow :admin }.permit(@user).forbid(nil).forbid(@user2)
     end
-    
+
     it "#allow with plural role name" do
       @user << :mouse
 
@@ -333,13 +335,13 @@ class DslBaseTest < Test::Unit::TestCase
         allow :cool
       end.permit(@user).permit(@user2).forbid(nil).forbid(@user3)
     end
-    
+
     it "#deny with role" do
       @user << :foo
 
       acl { default :allow; deny :foo }.forbid(@user).permit(nil).permit(@user2)
     end
-    
+
     it "#deny with plural role name" do
       @user << :mouse
 
@@ -394,7 +396,7 @@ class DslBaseTest < Test::Unit::TestCase
         allow :owner, :of => ThatFoo
       end.permit(@user).forbid(nil).forbid(@user2)
     end
-    
+
     [:of, :for, :in, :on, :at, :by].each do |prep|
       it "#deny with object role (:#{prep}) should check controller's ivar" do
         @user << [:bastard, @foo]
@@ -409,7 +411,7 @@ class DslBaseTest < Test::Unit::TestCase
         permit(nil, :foo => @foo).
         permit(@user2, :foo => @foo)
       end
-      
+
       it "#deny with invalid value for preposition :#{prep} should raise an ArgumentError" do
         arg_err do
           deny :her, :for => "him"
@@ -450,7 +452,7 @@ class DslBaseTest < Test::Unit::TestCase
       after do
         %w(index show).each                 { |act| @list.permit(nil, act) }
         %w(edit update delete destroy).each { |act| @list.forbid(nil, act) }
-        
+
         %w(index show edit update).each { |act| @list.permit(@user, act) }
         %w(delete destroy).each         { |act| @list.forbid(@user, act) }
 
@@ -469,7 +471,7 @@ class DslBaseTest < Test::Unit::TestCase
           allow 'trusted', :to => %w(edit update delete destroy)
         end
       end
-      
+
       it ":except should limit rule scope to all actions except specified" do
         @user << :manager
         @user2 << :trusted
@@ -500,7 +502,7 @@ class DslBaseTest < Test::Unit::TestCase
       permit(nil, :call => OpenStruct.new(:meth => true)).
       forbid(nil, :call => OpenStruct.new(:meth => false))
     end
-    
+
     it "allow ... :unless" do
       acl do
         allow nil, :unless => :meth
@@ -508,7 +510,7 @@ class DslBaseTest < Test::Unit::TestCase
       permit(nil, :call => OpenStruct.new(:meth => false)).
       forbid(nil, :call => OpenStruct.new(:meth => true))
     end
-    
+
     it "deny ... :if" do
       acl do
         default :allow
@@ -538,7 +540,7 @@ class DslBaseTest < Test::Unit::TestCase
         allow :bzz, :whoa
       end.permit(@user).permit(@user2).forbid(nil).forbid(@user3)
     end
-    
+
     it "#allow should be able to receive a role list (object roles)" do
       @user << [:maker, @foo]
       @user2 << [:faker, @foo2]
@@ -554,7 +556,7 @@ class DslBaseTest < Test::Unit::TestCase
       forbid(@user3, :foo => @foo2).
       forbid(nil)
     end
-    
+
     it "#allow should be able to receive a role list (class roles)" do
       @user  << [:frooble, ThatFoo]
       @user2 << [:oombigle, ThatFoo]
@@ -568,7 +570,7 @@ class DslBaseTest < Test::Unit::TestCase
       forbid(@user3).
       forbid(nil)
     end
-    
+
     it "#deny should be able to receive a role list (global roles)" do
       @user << :bzz
       @user2 << :whoa
@@ -578,7 +580,7 @@ class DslBaseTest < Test::Unit::TestCase
         deny :bzz, :whoa
       end.forbid(@user).forbid(@user2).permit(nil).permit(@user3)
     end
-    
+
     it "#deny should be able to receive a role list (object roles)" do
       @user << [:maker, @foo]
       @user2 << [:faker, @foo2]
@@ -596,7 +598,7 @@ class DslBaseTest < Test::Unit::TestCase
       permit(@user3, :foo => @foo2).
       permit(nil)
     end
-    
+
     it "#deny should be able to receive a role list (class roles)" do
       @user  << [:frooble, ThatFoo]
       @user2 << [:oombigle, ThatFoo]
@@ -645,25 +647,25 @@ class DslBaseTest < Test::Unit::TestCase
         actions :foo, :bar
       end
     end
-    
+
     it "should raise an ArgumentError when actions has no arguments" do
       arg_err do
         actions do end
       end
     end
-    
+
     it "should raise an ArgumentError when actions is called inside actions block" do
       arg_err do
-        actions :foo, :bar do 
+        actions :foo, :bar do
           actions :foo, :bar do
           end
         end
       end
     end
-    
+
     it "should raise an ArgumentError when default is called inside actions block" do
       arg_err do
-        actions :foo, :bar do 
+        actions :foo, :bar do
           default :allow
         end
       end
@@ -672,15 +674,15 @@ class DslBaseTest < Test::Unit::TestCase
     [:to, :except].each do |opt|
       it "should raise an ArgumentError when allow is called with #{opt} option" do
         arg_err do
-          actions :foo do 
+          actions :foo do
             allow all, opt => :bar
           end
         end
       end
-      
+
       it "should raise an ArgumentError when deny is called with #{opt} option" do
         arg_err do
-          actions :foo do 
+          actions :foo do
             deny all, opt => :bar
           end
         end