be9-acl9 0.9.1 → 0.9.2

data/CHANGELOG.textile

@@ -0,0 +1,9 @@
+h2. 0.9.2 (11-Jan-2009)
+
+* @access_control :method do end@ as shorter form for @access_control :as_method => :method do end@.
+* Boolean method can now receive an objects hash which will be looked into first before taking
+  an instance variable.
+
+h2. 0.9.1 (03-Jan-2009)
+
+Initial release.

data/Manifest

@@ -1,19 +1,22 @@
-lib/acl9/config.rb
+init.rb
+Manifest
+lib/acl9/model_extensions.rb
+lib/acl9/version.rb
 lib/acl9/model_extensions/subject.rb
 lib/acl9/model_extensions/object.rb
+lib/acl9/controller_extensions/generators.rb
+lib/acl9/controller_extensions/dsl_base.rb
+lib/acl9/config.rb
 lib/acl9/controller_extensions.rb
-lib/acl9/controller_extensions/filter_producer.rb
-lib/acl9/version.rb
-lib/acl9/model_extensions.rb
 lib/acl9.rb
+README.textile
+acl9.gemspec
+CHANGELOG.textile
+MIT-LICENSE
+Rakefile
 spec/db/schema.rb
-spec/filter_producer_spec.rb
+spec/dsl_base_spec.rb
 spec/spec_helper.rb
-spec/models.rb
 spec/access_control_spec.rb
 spec/roles_spec.rb
-Manifest
-MIT-LICENSE
-Rakefile
-README.textile
-init.rb
+spec/models.rb

data/README.textile

@@ -45,7 +45,7 @@ Acl9 can be installed as a gem from "GitHub":http://github.com.
 Add the following line to your @config/environment.rb@:
 
 <pre><code>
-  config.gem "be9-acl9", :source => "http://gems.github.com"
+  config.gem "be9-acl9", :source => "http://gems.github.com", :lib => "acl9"
 </pre></code>
 
 Then run @rake gems:install@ (with possible @rake gems:unpack@ thereafter) and you're done!
@@ -118,7 +118,7 @@ Role control subsystem has been lifted from
 but undergone some modifications.
 
 It's based on two tables in the database. First, role table, which stores pairs @[role_name, object]@
-where object is a polymorphic link or a class. Second, join table, which joins users and roles.
+where object is a polymorphic model instance or a class. Second, join table, which joins users and roles.
 
 To use this subsystem, you should define a @Role@ model.
 
@@ -142,7 +142,7 @@ The structure of @roles@ table is as follows:
   end
 </code></pre>
 
-Note that you will never use the @Role@ class directly.
+Note that you will almost never use the @Role@ class directly.
 
 h2. Subject model
 
@@ -333,7 +333,7 @@ In other words, you are _manager_ if you manage at least one @foo@ (or a @bar@..
   user.has_role? :manager             # => true
 </code></pre>
 
-Our @user@ is no more manager of @foo@, but is now a manager of @bar@.
+Our @user@ is no more manager of @foo@, but has become a manager of @bar@.
 
 <pre><code>
   user.has_no_roles!
@@ -343,7 +343,7 @@ Our @user@ is no more manager of @foo@, but is now a manager of @bar@.
   user.roles                          # => []
 </code></pre>
 
-Now @user@ has no roles in the system.
+At this time @user@ has no roles in the system.
 
 h2. Coming up with your own role implementation
 
@@ -381,7 +381,7 @@ from unauthorized access. Acl9 provides a nice DSL for writing access rules.
 
 h2. Allow and deny
 
-Access control is mostly about allowing and denying. So there two  
+Access control is mostly about allowing and denying. So there are two  
 basic methods: @allow@ and @deny@. They have the same syntax:
 
 <pre><code>
@@ -397,8 +397,8 @@ ROLE_LIST is a list of roles (at least 1 role should be there). So,
   allow :manager, :admin
   deny  :banned
 </code></pre>
-will match holders of global role _manager_ *and* holders of global role _admin_ as allowed and 
-_banned_ as denied.
+will match holders of global role _manager_ *and* holders of global role _admin_ as allowed.  
+On the contrary, holders of _banned_ role will match as denied.
 
 Basically this snippet is equivalent to
 
@@ -407,13 +407,13 @@ Basically this snippet is equivalent to
   allow :admin
   deny  :banned
 </code></pre>
-which means that roles in argument list is OR'ed for a match, and not AND'ed.
+which means that roles in argument list are OR'ed for a match, and not AND'ed.
 
 Also note that:
 * You may use both strings and :symbols to specify roles (the latter get converted into strings).
 * Role names are singularized before check.
 
-The mentioned snippet can thus be written as
+Thus the snippet above can also be written as
 
 <pre><code>
   allow :managers, :admins
@@ -440,7 +440,7 @@ use object and class roles in the ACL block.
   deny  :hated, :by => :us
 </code></pre>
 
-So, to specify an object you use one of the 6 preposition options: 
+To specify an object you use one of the 6 preposition options: 
 * :of
 * :at
 * :on
@@ -482,8 +482,6 @@ Checking against an instance variable has sense when you have another _before fi
   end
 </code></pre>
 
-
-
 Note that the object option is applied to all of the roles you specify in the argument list.
 As such,
 
@@ -589,7 +587,7 @@ Same result as a table:
 | None of the @allow@ rules matched, some of the @deny@ rules matched. | Access is denied. | Access is denied. |
 | Some of the @allow@ rules matched, some of the @deny@ rules matched. | Access is allowed. | Access is denied. |
 
-Apparently _default deny_ mode is stricter, that's because it's on by default.
+Apparently _default deny_ mode is more strict, and that's because it's on by default.
 
 h2. Actions block
 
@@ -644,11 +642,12 @@ By calling @access_control@ in your controller you can get your ACL block transl
 First case is by default. You can catch the exception with @rescue_from@ call and do something 
 you like: make a redirect, or render "Access denied" template, or whatever.
 
-Second case is obtained with @:as_method@ option (see below) and may be helpful if you want
-to use @skip_before_filter@ somewhere on the derived controller.
+Second case is obtained with specifying method name as an argument to
+@access_control@ (or using @:as_method@ option, see below) and may be helpful
+if you want to use @skip_before_filter@ somewhere in the derived controller.
 
-Third case will take place if you use @:as_method@ with @:filter => false@. You'll get an ordinary 
-method which you can call anywhere you want.
+Third case will take place if you supply @:filter => false@ along with method
+name. You'll get an ordinary method which you can call anywhere you want.
 
 h3. :subject_method
 
@@ -694,14 +693,30 @@ In the case
 
 access control checks will be added as @acl@ method onto MyController, with @before_filter :acl@ call thereafter.
 
+Instead of using @:as_method@ you may specify the name of the method as a positional argument
+to @access_control@:
+
+<pre><code>
+  class MyController < ApplicationController 
+    access_control :acl do
+      # ...
+    end
+
+    # ...
+  end
+</code></pre>
+
+
 h3. :filter
 
-If you set @:filter@ to @false@ (it's @true@ by default) and also use @:as_method@, you'll get a method
-which won't raise @Acl9::AccessDenied@ exception, but rather return @true@ or @false@ (access allowed/denied).
+If you set @:filter@ to @false@ (it's @true@ by default) and also use
+@:as_method@ (or method name as 1st argument to @access_control@, you'll get a
+method which won't raise @Acl9::AccessDenied@ exception, but rather return
+@true@ or @false@ (access allowed/denied).
 
 <pre><code>
   class SecretController < ApplicationController 
-    access_control :as_method => :secret_access?, :filter => false do
+    access_control :secret_access?, :filter => false do
       allow :james_bond
       # ...
     end
@@ -728,6 +743,26 @@ which won't raise @Acl9::AccessDenied@ exception, but rather return @true@ or @f
   end
 </code></pre>
 
+The generated method can receive an objects hash as an argument. In this example,
+
+<pre><code>
+  class LolController < ApplicationController 
+    access_control :lolcats?, :filter => false do
+      allow :cats, :by => :lol
+      # ...
+    end
+  end
+</code></pre>
+
+you may not only call @lolcats?@ with no arguments, which will basically return
+
+<pre><code>
+  current_user.has_role?('cats', @lol)
+</code></pre>
+
+but also as @lolcats?(:lol => Lol.find(params[:lol]))@. The hash will be looked into first,
+even if you have an instance variable @lol@.
+
 h3. Other options
 
 Other options will be passed to @before_filter@. As such, you may use @:only@ and @:except@ to narrow
@@ -762,4 +797,6 @@ is basically equivalent to
 </code></pre>
 
 
-Copyright (c) 2009 Oleg Dashevskii, released under the MIT license
+Copyright (c) 2009 Oleg Dashevskii, released under the MIT license.
+
+Contact me at "#{%w(Oleg Dashevskii).join('').downcase}@gmail.com"

data/acl9.gemspec

@@ -2,15 +2,15 @@
 
 Gem::Specification.new do |s|
   s.name = %q{acl9}
-  s.version = "0.9.1"
+  s.version = "0.9.2"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 1.2") if s.respond_to? :required_rubygems_version=
   s.authors = ["Oleg Dashevskii"]
-  s.date = %q{2009-01-03}
+  s.date = %q{2009-01-14}
   s.description = %q{Yet another role-based authorization system for Rails with a nice DSL for access control lists.}
   s.email = %q{olegdashevskii@gmail.com}
-  s.extra_rdoc_files = ["lib/acl9/config.rb", "lib/acl9/model_extensions/subject.rb", "lib/acl9/model_extensions/object.rb", "lib/acl9/controller_extensions.rb", "lib/acl9/controller_extensions/filter_producer.rb", "lib/acl9/version.rb", "lib/acl9/model_extensions.rb", "lib/acl9.rb", "README.textile"]
-  s.files = ["lib/acl9/config.rb", "lib/acl9/model_extensions/subject.rb", "lib/acl9/model_extensions/object.rb", "lib/acl9/controller_extensions.rb", "lib/acl9/controller_extensions/filter_producer.rb", "lib/acl9/version.rb", "lib/acl9/model_extensions.rb", "lib/acl9.rb", "spec/db/schema.rb", "spec/filter_producer_spec.rb", "spec/spec_helper.rb", "spec/models.rb", "spec/access_control_spec.rb", "spec/roles_spec.rb", "Manifest", "MIT-LICENSE", "Rakefile", "README.textile", "init.rb", "acl9.gemspec"]
+  s.extra_rdoc_files = ["lib/acl9/model_extensions.rb", "lib/acl9/version.rb", "lib/acl9/model_extensions/subject.rb", "lib/acl9/model_extensions/object.rb", "lib/acl9/controller_extensions/generators.rb", "lib/acl9/controller_extensions/dsl_base.rb", "lib/acl9/config.rb", "lib/acl9/controller_extensions.rb", "lib/acl9.rb", "README.textile", "CHANGELOG.textile"]
+  s.files = ["init.rb", "Manifest", "lib/acl9/model_extensions.rb", "lib/acl9/version.rb", "lib/acl9/model_extensions/subject.rb", "lib/acl9/model_extensions/object.rb", "lib/acl9/controller_extensions/generators.rb", "lib/acl9/controller_extensions/dsl_base.rb", "lib/acl9/config.rb", "lib/acl9/controller_extensions.rb", "lib/acl9.rb", "README.textile", "acl9.gemspec", "CHANGELOG.textile", "MIT-LICENSE", "Rakefile", "spec/db/schema.rb", "spec/dsl_base_spec.rb", "spec/spec_helper.rb", "spec/access_control_spec.rb", "spec/roles_spec.rb", "spec/models.rb"]
   s.has_rdoc = true
   s.homepage = %q{http://github.com/be9/acl9}
   s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Acl9", "--main", "README.textile"]

data/lib/acl9/controller_extensions.rb

@@ -1,4 +1,4 @@
-require File.join(File.dirname(__FILE__), 'controller_extensions', 'filter_producer')
+require File.join(File.dirname(__FILE__), 'controller_extensions', 'generators')
 
 module Acl9
   module ControllerExtensions
@@ -7,30 +7,54 @@ module Acl9
     end
 
     module ClassMethods
-      def access_control(opts = {}, &block)
+      def access_control(*args, &block)
+        opts = if args.last.is_a? Hash
+                 args.pop
+               else
+                 {}
+               end
+
+        case args.size
+        when 0 then true
+        when 1
+          meth = args.first
+
+          if meth.is_a? Symbol
+            opts[:as_method] = meth
+          else
+            raise ArgumentError, "access control argument must be a :symbol!"
+          end
+        else
+          raise ArgumentError, "Invalid arguments for access_control"
+        end
+
         subject_method = opts.delete(:subject_method) || Acl9::config[:default_subject_method]
 
         raise ArgumentError, "Block must be supplied to access_control" unless block
 
-        producer = Acl9::FilterProducer.new(subject_method)
-        producer.acl(&block)
-
         filter = opts.delete(:filter)
         filter = true if filter.nil?
 
+        method = opts.delete(:as_method)
+
+        generator = case
+                    when method && filter
+                      Acl9::Dsl::Generators::FilterMethod.new(subject_method, method)
+                    when method && !filter
+                      Acl9::Dsl::Generators::BooleanMethod.new(subject_method, method)
+                    else
+                      Acl9::Dsl::Generators::FilterLambda.new(subject_method)
+                    end
+
+        generator.acl_block!(&block)
+        
         if opts.delete(:debug)
           Rails::logger.debug "=== Acl9 access_control expression dump (#{self.to_s})"
-          Rails::logger.debug producer.to_s
+          Rails::logger.debug generator.to_s
           Rails::logger.debug "======"
         end
 
-        if method = opts.delete(:as_method)
-          class_eval producer.to_method_code(method, filter)
-
-          before_filter(method, opts) if filter
-        else
-          before_filter(opts, &producer.to_proc)
-        end
+        generator.install_on(self, opts)
       end
     end
   end

data/lib/acl9/controller_extensions/dsl_base.rb

@@ -0,0 +1,212 @@
+module Acl9
+  module Dsl
+    class Base
+      attr_reader :allows, :denys
+      
+      def initialize(*args)
+        @default_action = nil
+
+        @allows = []
+        @denys = []
+
+        @original_args = args
+      end
+      
+      def acl_block!(&acl_block)
+        self.instance_eval(&acl_block)
+      end
+      
+      def default_action
+        @default_action.nil? ? :deny : @default_action
+      end
+      
+      def allowance_expression
+        allowed_expr = if @allows.size > 0
+                         @allows.map { |clause| "(#{clause})" }.join(' || ')
+                       else
+                         "false"
+                       end
+
+        not_denied_expr = if @denys.size > 0
+                            @denys.map { |clause| "!(#{clause})" }.join(' && ')
+                          else
+                            "true"
+                          end
+
+        [allowed_expr, not_denied_expr].
+          map { |expr| "(#{expr})" }.
+          join(default_action == :deny ? ' && ' : ' || ')
+      end
+
+      alias to_s allowance_expression
+
+      protected
+
+      def default(default_action)
+        raise ArgumentError, "default can only be called once in access_control block" if @default_action
+
+        unless [:allow, :deny].include? default_action
+          raise ArgumentError, "invalid value for default (can be :allow or :deny)"
+        end
+
+        @default_action = default_action
+      end
+
+      def allow(*args)
+        @current_rule = :allow
+        _parse_and_add_rule(*args)
+      end
+      
+      def deny(*args)
+        @current_rule = :deny
+        _parse_and_add_rule(*args)
+      end
+
+      def actions(*args, &block)
+        raise ArgumentError, "actions should receive at least 1 action as argument" if args.size < 1    
+    
+        subsidiary = self.class.new(*@original_args)
+
+        class <<subsidiary
+          def actions(*args)
+            raise ArgumentError, "You cannot use actions inside another actions block"  
+          end
+
+          def default(*args)
+            raise ArgumentError, "You cannot use default inside an actions block"  
+          end
+
+          def _set_action_clause(to, except)
+            raise ArgumentError, "You cannot use :to/:except inside actions block" if to || except
+          end
+        end
+
+        subsidiary.acl_block!(&block)
+
+        action_check = _action_check_expression(args)
+   
+        squash = lambda do |rules|
+          _either_of(rules) + ' && ' + action_check
+        end
+
+        @allows << squash.call(subsidiary.allows) if subsidiary.allows.size > 0
+        @denys  << squash.call(subsidiary.denys)  if subsidiary.denys.size > 0
+      end
+
+      alias action actions
+
+      def anonymous; nil   end
+      def all;       true  end
+      def logged_in; false end
+      
+      def _parse_and_add_rule(*args)
+        options = if args.last.is_a? Hash
+                    args.pop
+                  else
+                    {}
+                  end
+
+        _set_action_clause(options.delete(:to), options.delete(:except))
+
+        object = _role_object(options)
+          
+        role_checks = args.map do |who|
+          case who
+          when nil   then "#{_subject_ref}.nil?"    # anonymous
+          when false then "!#{_subject_ref}.nil?"   # logged_in
+          when true  then "true"                # all
+          else
+            "!#{_subject_ref}.nil? && #{_subject_ref}.has_role?('#{who.to_s.singularize}', #{object})"
+          end
+        end
+
+        _add_rule case role_checks.size
+                  when 0
+                    raise ArgumentError, "allow/deny should have at least 1 argument"
+                  when 1 then role_checks.first
+                  else
+                    _either_of(role_checks)
+                  end
+      end
+
+      def _either_of(exprs)
+        exprs.map { |expr| "(#{expr})" }.join(' || ')
+      end
+
+      def _add_rule(what)
+        what = "(#{what}) && #{@action_clause}" if @action_clause
+
+        (@current_rule == :allow ? @allows : @denys) << what
+      end
+
+      def _set_action_clause(to, except)
+        raise ArgumentError, "both :to and :except cannot be specified in the rule" if to && except
+
+        @action_clause = nil
+
+        action_list = to || except
+        return unless action_list
+
+        expr = _action_check_expression(action_list)
+        
+        @action_clause = if to
+                           "#{expr}"
+                         else
+                           "!#{expr}"
+                         end
+      end
+     
+      def _action_check_expression(action_list)
+        unless action_list.is_a?(Array)
+          action_list = [ action_list.to_s ]
+        end
+
+        case action_list.size
+        when 0 then "true"
+        when 1 then "(#{_action_ref} == '#{action_list.first}')"
+        else
+          set_of_actions = "Set.new([" + action_list.map { |act| "'#{act}'"}.join(',')  + "])"
+
+          "#{set_of_actions}.include?(#{_action_ref})" 
+        end
+      end
+
+      VALID_PREPOSITIONS = %w(of for in on at by).freeze unless defined? VALID_PREPOSITIONS
+
+      def _role_object(options)
+        object = nil
+
+        VALID_PREPOSITIONS.each do |prep|
+          if options[prep.to_sym]
+            raise ArgumentError, "You may only use one preposition to specify object" if object
+
+            object = options[prep.to_sym]
+          end
+        end
+
+        case object
+        when Class
+          object.to_s
+        when Symbol
+          _object_ref object
+        when nil
+          "nil"
+        else
+          raise ArgumentError, "object specified by preposition can only be a Class or a Symbol"
+        end
+      end 
+
+      def _subject_ref
+        raise
+      end
+
+      def _object_ref(object)
+        raise
+      end
+
+      def _action_ref
+        raise
+      end
+    end
+  end
+end