be9-acl9 0.9.1

data/Rakefile

@@ -0,0 +1,37 @@
+require 'rubygems'
+require File.join(File.dirname(__FILE__), 'lib', 'acl9', 'version')
+require 'rake'
+require 'spec/rake/spectask'
+
+desc 'Default: run specs.'
+task :default => :spec
+
+begin
+  require 'echoe'
+
+  Echoe.new 'acl9' do |p|
+    p.version = Acl9::Version::STRING
+    p.author = "Oleg Dashevskii"
+    p.email  = 'olegdashevskii@gmail.com'
+    p.project = 'acl9'
+    p.summary = "Yet another role-based authorization system for Rails with a nice DSL for access control lists."
+    p.url = "http://github.com/be9/acl9"
+    p.ignore_pattern = ["spec/db/*.sqlite3", "spec/debug.log"]
+    p.development_dependencies = ["rspec >=1.1.11", "rspec-rails >=1.1.11"]
+  end
+rescue LoadError => boom
+  puts "You are missing a dependency required for meta-operations on this gem."
+  puts "#{boom.to_s.capitalize}."
+end
+
+desc 'Run the specs'
+Spec::Rake::SpecTask.new(:spec) do |t|
+  t.spec_opts = ['--colour --format progress --loadby mtime --reverse']
+  t.spec_files = FileList['spec/**/*_spec.rb']
+end
+
+desc 'Regenerate the .gemspec'
+task :gemspec => :package do
+  gemspec = Dir["pkg/**/*.gemspec"].first
+  FileUtils.cp gemspec, "."
+end

data/acl9.gemspec

@@ -0,0 +1,37 @@
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{acl9}
+  s.version = "0.9.1"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 1.2") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Oleg Dashevskii"]
+  s.date = %q{2009-01-03}
+  s.description = %q{Yet another role-based authorization system for Rails with a nice DSL for access control lists.}
+  s.email = %q{olegdashevskii@gmail.com}
+  s.extra_rdoc_files = ["lib/acl9/config.rb", "lib/acl9/model_extensions/subject.rb", "lib/acl9/model_extensions/object.rb", "lib/acl9/controller_extensions.rb", "lib/acl9/controller_extensions/filter_producer.rb", "lib/acl9/version.rb", "lib/acl9/model_extensions.rb", "lib/acl9.rb", "README.textile"]
+  s.files = ["lib/acl9/config.rb", "lib/acl9/model_extensions/subject.rb", "lib/acl9/model_extensions/object.rb", "lib/acl9/controller_extensions.rb", "lib/acl9/controller_extensions/filter_producer.rb", "lib/acl9/version.rb", "lib/acl9/model_extensions.rb", "lib/acl9.rb", "spec/db/schema.rb", "spec/filter_producer_spec.rb", "spec/spec_helper.rb", "spec/models.rb", "spec/access_control_spec.rb", "spec/roles_spec.rb", "Manifest", "MIT-LICENSE", "Rakefile", "README.textile", "init.rb", "acl9.gemspec"]
+  s.has_rdoc = true
+  s.homepage = %q{http://github.com/be9/acl9}
+  s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Acl9", "--main", "README.textile"]
+  s.require_paths = ["lib"]
+  s.rubyforge_project = %q{acl9}
+  s.rubygems_version = %q{1.3.1}
+  s.summary = %q{Yet another role-based authorization system for Rails with a nice DSL for access control lists.}
+
+  if s.respond_to? :specification_version then
+    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+    s.specification_version = 2
+
+    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
+      s.add_development_dependency(%q<rspec>, [">= 1.1.11"])
+      s.add_development_dependency(%q<rspec-rails>, [">= 1.1.11"])
+    else
+      s.add_dependency(%q<rspec>, [">= 1.1.11"])
+      s.add_dependency(%q<rspec-rails>, [">= 1.1.11"])
+    end
+  else
+    s.add_dependency(%q<rspec>, [">= 1.1.11"])
+    s.add_dependency(%q<rspec-rails>, [">= 1.1.11"])
+  end
+end

data/init.rb

@@ -0,0 +1 @@
+require 'acl9'

data/lib/acl9.rb

@@ -0,0 +1,14 @@
+require File.join(File.dirname(__FILE__), 'acl9', 'config')
+
+if defined? ActiveRecord::Base
+  require File.join(File.dirname(__FILE__), 'acl9', 'model_extensions')
+
+  ActiveRecord::Base.send(:include, Acl9::ModelExtensions)
+end
+
+
+if defined? ActionController::Base
+  require File.join(File.dirname(__FILE__), 'acl9', 'controller_extensions')
+
+  ActionController::Base.send(:include, Acl9::ControllerExtensions)
+end

data/lib/acl9/config.rb

@@ -0,0 +1,9 @@
+module Acl9
+  @@config = {
+    :default_role_class_name => 'Role',
+    :default_subject_class_name => 'User',
+    :default_subject_method => :current_user,
+  }
+
+  mattr_reader :config
+end

data/lib/acl9/controller_extensions.rb

@@ -0,0 +1,37 @@
+require File.join(File.dirname(__FILE__), 'controller_extensions', 'filter_producer')
+
+module Acl9
+  module ControllerExtensions
+    def self.included(base)
+      base.extend(ClassMethods)
+    end
+
+    module ClassMethods
+      def access_control(opts = {}, &block)
+        subject_method = opts.delete(:subject_method) || Acl9::config[:default_subject_method]
+
+        raise ArgumentError, "Block must be supplied to access_control" unless block
+
+        producer = Acl9::FilterProducer.new(subject_method)
+        producer.acl(&block)
+
+        filter = opts.delete(:filter)
+        filter = true if filter.nil?
+
+        if opts.delete(:debug)
+          Rails::logger.debug "=== Acl9 access_control expression dump (#{self.to_s})"
+          Rails::logger.debug producer.to_s
+          Rails::logger.debug "======"
+        end
+
+        if method = opts.delete(:as_method)
+          class_eval producer.to_method_code(method, filter)
+
+          before_filter(method, opts) if filter
+        else
+          before_filter(opts, &producer.to_proc)
+        end
+      end
+    end
+  end
+end

data/lib/acl9/controller_extensions/filter_producer.rb

@@ -0,0 +1,244 @@
+require 'set'
+
+module Acl9
+  class AccessDenied < Exception; end
+  class FilterSyntaxError < Exception; end
+
+  class FilterProducer
+    attr_reader :allows, :denys
+
+    def initialize(subject_method)
+      @subject_method = subject_method
+      @default_action = nil
+      @allows = []
+      @denys = []
+
+      @subject = "controller.send(:#{subject_method})"
+    end
+
+    def acl(&acl_block)
+      self.instance_eval(&acl_block)
+    end
+
+    def to_s
+      _allowance_check_expression
+    end
+
+    def to_proc
+      code = <<-RUBY
+        lambda do |controller|
+          unless #{self.to_s}
+            raise Acl9::AccessDenied
+          end
+        end
+      RUBY
+      
+      self.instance_eval(code, __FILE__, __LINE__)
+    rescue SyntaxError
+      raise FilterSyntaxError, code
+    end
+
+    def to_method_code(method_name, filter = true)
+      body = if filter
+               "unless #{self.to_s}; raise Acl9::AccessDenied; end"
+             else
+               self.to_s
+             end
+
+      <<-RUBY
+        def #{method_name}
+          controller = self
+          #{body}
+        end
+      RUBY
+    end
+
+    def default_action
+      @default_action.nil? ? :deny : @default_action
+    end
+
+    protected
+
+    def default(default_action)
+      raise ArgumentError, "default can only be called once in access_control block" if @default_action
+
+      unless [:allow, :deny].include? default_action
+        raise ArgumentError, "invalid value for default (can be :allow or :deny)"
+      end
+
+      @default_action = default_action
+    end
+
+    def allow(*args)
+      @current_rule = :allow
+      _parse_and_add_rule(*args)
+    end
+    
+    def deny(*args)
+      @current_rule = :deny
+      _parse_and_add_rule(*args)
+    end
+
+    def actions(*args, &block)
+      raise ArgumentError, "actions should receive at least 1 action as argument" if args.size < 1    
+  
+      subsidiary = FilterProducer.new(@subject_method)
+
+      class <<subsidiary
+        def actions(*args)
+          raise ArgumentError, "You cannot use actions inside another actions block"  
+        end
+
+        def default(*args)
+          raise ArgumentError, "You cannot use default inside an actions block"  
+        end
+
+        def _set_action_clause(to, except)
+          raise ArgumentError, "You cannot use :to/:except inside actions block" if to || except
+        end
+      end
+
+      subsidiary.acl(&block)
+
+      action_check = _action_check_expression(args)
+ 
+      squash = lambda do |rules|
+        _either_of(rules) + ' && ' + action_check
+      end
+
+      @allows << squash.call(subsidiary.allows) if subsidiary.allows.size > 0
+      @denys  << squash.call(subsidiary.denys)  if subsidiary.denys.size > 0
+    end
+
+    alias action actions
+
+    def anonymous
+      nil
+    end
+    
+    def all
+      true
+    end
+
+    def logged_in
+      false
+    end
+
+    private
+
+    def _parse_and_add_rule(*args)
+      options = if args.last.is_a? Hash
+                  args.pop
+                else
+                  {}
+                end
+
+      _set_action_clause(options.delete(:to), options.delete(:except))
+
+      object = _role_object(options)
+        
+      role_checks = args.map do |who|
+        case who
+        when nil   then "#{@subject}.nil?"    # anonymous
+        when false then "!#{@subject}.nil?"   # logged_in
+        when true  then "true"                # all
+        else
+          "!#{@subject}.nil? && #{@subject}.has_role?('#{who.to_s.singularize}', #{object})"
+        end
+      end
+
+      _add_rule case role_checks.size
+                when 0
+                  raise ArgumentError, "allow/deny should have at least 1 argument"
+                when 1 then role_checks.first
+                else
+                  _either_of(role_checks)
+                end
+    end
+
+    def _either_of(exprs)
+      exprs.map { |expr| "(#{expr})" }.join(' || ')
+    end
+
+    def _add_rule(what)
+      what = "(#{what}) && #{@action_clause}" if @action_clause
+
+      (@current_rule == :allow ? @allows : @denys) << what
+    end
+
+    def _set_action_clause(to, except)
+      raise ArgumentError, "both :to and :except cannot be specified in the rule" if to && except
+
+      @action_clause = nil
+
+      action_list = to || except
+      return unless action_list
+
+      expr = _action_check_expression(action_list)
+      
+      @action_clause = if to
+                         "#{expr}"
+                       else
+                         "!#{expr}"
+                       end
+    end
+   
+    def _action_check_expression(action_list)
+      unless action_list.is_a?(Array)
+        action_list = [ action_list.to_s ]
+      end
+
+      case action_list.size
+      when 0 then "true"
+      when 1 then "(controller.action_name == '#{action_list.first}')"
+      else
+        set_of_actions = "Set.new([" + action_list.map { |act| "'#{act}'"}.join(',')  + "])"
+
+        "#{set_of_actions}.include?(controller.action_name)" 
+      end
+    end
+
+    VALID_PREPOSITIONS = %w(of for in on at by).freeze unless defined? VALID_PREPOSITIONS
+
+    def _role_object(options)
+      object = nil
+
+      VALID_PREPOSITIONS.each do |prep|
+        if options[prep.to_sym]
+          raise ArgumentError, "You may only use one preposition to specify object" if object
+
+          object = options[prep.to_sym]
+        end
+      end
+
+      case object
+      when Class
+        object.to_s
+      when Symbol
+        "controller.instance_variable_get('@#{object}')"
+      when nil
+        "nil"
+      else
+        raise ArgumentError, "object specified by preposition can only be a Class or a Symbol"
+      end
+    end 
+
+    def _allowance_check_expression
+      allowed_expr = if @allows.size > 0
+                       @allows.map { |clause| "(#{clause})" }.join(' || ')
+                     else
+                       "false"
+                     end
+
+      not_denied_expr = if @denys.size > 0
+                          @denys.map { |clause| "!(#{clause})" }.join(' && ')
+                        else
+                          "true"
+                        end
+
+      [allowed_expr, not_denied_expr].
+        map { |expr| "(#{expr})" }.
+        join(default_action == :deny ? ' && ' : ' || ')
+    end
+  end
+end

data/lib/acl9/model_extensions.rb

@@ -0,0 +1,58 @@
+require File.join(File.dirname(__FILE__), 'model_extensions', 'subject')
+require File.join(File.dirname(__FILE__), 'model_extensions', 'object')
+
+module Acl9
+  module ModelExtensions
+    def self.included(base)
+      base.extend(ClassMethods)
+    end
+
+    module ClassMethods
+      def acts_as_authorization_subject(options = {})
+        role = options[:role_class_name] || Acl9::config[:default_role_class_name]
+        has_and_belongs_to_many :roles, :class_name => role
+
+        cattr_accessor :_auth_role_class_name
+        self._auth_role_class_name = role
+
+        include Acl9::ModelExtensions::Subject 
+      end
+
+      def acts_as_authorization_object(options = {})
+        subject = options[:subject_class_name] || Acl9::config[:default_subject_class_name]
+        subj_table = subject.tableize
+        subj_col = subject.underscore
+
+        role       = options[:role_class_name] || Acl9::config[:default_role_class_name]
+        role_table = role.tableize
+
+        sql_tables = <<-EOS
+          FROM #{subj_table}
+          INNER JOIN #{role_table}_#{subj_table} ON #{subj_col}_id = #{subj_table}.id
+          INNER JOIN #{role_table}               ON #{role_table}.id = #{role.underscore}_id
+        EOS
+
+        sql_where = <<-'EOS'
+          WHERE authorizable_type = '#{self.class.base_class.to_s}'
+          AND authorizable_id = #{id}"
+        EOS
+        
+        has_many :accepted_roles, :as => :authorizable, :class_name => role, :dependent => :destroy
+
+        has_many :"#{subj_table}",
+          :finder_sql  => ("SELECT DISTINCT #{subj_table}.*" + sql_tables + sql_where),
+          :counter_sql => ("SELECT COUNT(DISTINCT #{subj_table}.id)" + sql_tables + sql_where),
+          :readonly => true
+        
+        include Acl9::ModelExtensions::Object
+      end
+
+      def acts_as_authorization_role(options = {})
+        subject = options[:subject_class_name] || Acl9::config[:default_subject_class_name]
+
+        has_and_belongs_to_many subject.tableize.to_sym
+        belongs_to :authorizable, :polymorphic => true
+      end
+    end
+  end
+end