can_play 0.2.4 → 0.2.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7eed223e4874c108017e81a8d0502041e3022e81
-  data.tar.gz: 8a490f3b79ac9af3223e67f5b5ba7c6a6a9a0510
+  metadata.gz: 8defb79962f3b993057d0f3adcf9a10dc76b3b53
+  data.tar.gz: 7be32b34ecd58d7a57c03b6bd586868198d01092
 SHA512:
-  metadata.gz: 3926d91df4c06593a9d521ffe5274304864a3c4fffb1fd58899ca044fe53e4cb4e2fd47e676637c38109d8a426a1aae3815ebe64055f3cabc2bb2f0b26f61192
-  data.tar.gz: 13d6190e996237505d67a5c4abb74b46cbb963898b287dc9967abb6cef0a488ab505e4c5e00e2ae6e17fe3da94db1a459fa84a1a00046eab12ecac565dab3838
+  metadata.gz: cec401f5b1dd9a1fd5de254f720a1704f06fd8e482553b12d0637067c8b95782db584f65e72c001324196c2c66378e4774d5381479dcd3a69d3c0692a8a79d46
+  data.tar.gz: 8e913fc5a5d4dda021b0a03d2c1414884f02b4942fc7c4a97ac7d8e07bc169d4692d159ee99bddc7e2d62ad6e3f8d2898ea7768a42aa99371bf4dbe7f2a085d0

data/README.md

@@ -1,33 +1,69 @@
-can_plan集成了cancancan和consul的功能，使用DSL描述用户对单个类的实例或某个类的操作权限，及可获取的条目的基础的relation对象.
+系统权限的管理，就是控制用户对某个资源的操作权限。这里说的资源并不仅仅是指ActiveRecord::Base的子类，也可以是ruby的其他类或者模型。can_plan集成了cancancan和consul的功能，使用简单的DSL描述用户对单个资源或某类资源的操作权限。它的权限管理方式是基于角色的，不同角色可以赋予不同的权限，我们可以让用户和资源的操作权限之间建立关联并保存进数据库.
 
 ## 安装方式
 
-### 安装cancancan
 
-cancancan的使用请参见cancancan主页，在此我们安装后，不需要设置Ability文件，can_play在内部集成了这些设置。
-### 安装consul
-
-consul的使用请参见consul主页，在此我们安装后，不需要设置power文件，也无需在controller中设置current_power，can_play在内部集成了这些设置。
+can_play在内部集成了cancancan和consul两个gem，所以没必要再安装这两个gem。
 ### can_play安装
-在gemfile中加入can_play的github地址来安装。
+在gemfile中加入can_play。
+
+```
+gem 'can_play'
+```
 
-安装后执行如下命令
+运行bundle，安装完成后执行如下命令
 
 ```
 rails generate can_play:install
 ```
 
-会在initializer和locales文件夹下生成文件。
+执行该命令会在initializer和locales文件夹下生成配置文件。
 initializer文件夹下的can_play.rb是can_play的基本配置文件。
 locales下的can_play.zh-Cn.yml文件用于描述权限名称。
-
-### DSL文件描述权限
+	
+	# path_to_config/initializers/can_play.rb
+	CanPlay::Config.setup do |config|
+	  config.user_class_name = 'User'
+	  config.role_class_name = 'Role'
+	  config.role_resources_relation_name = 'role_resources'
+	  config.super_roles = ['超级管理员']
+	end
+
+can_play.rb配置文件中，可以传入用户类名（默认User）、角色类名（默认Role）、以及角色和权限的关联的名称（默认role_resources）,role_resources_relation_name是角色类和操作权限资源之间的关联。
+
+	---
+	zh-CN:
+	  can_play:
+	    class_name:
+	      test: 测试
+	      contract: 合同
+	    authority_name:
+	      common:
+	        list: 列表查看
+	        create: 新建
+	        read: 查看
+	        update: 修改
+	        delete: 删除
+	        crud: 管理
+	        menus_roles: 菜单分配
+	        role_resources: 权限分配
+	        improve: 完善信息
+	      contract:
+	        terminate: 终止
+	        purchaser_confirm: 采购人确认
+	        supplier_confirm: 供应商确认
+
+can_play.zh-CN.yml是中文翻译文件，在这里写下权限的英文和中文名称的对应，在前端就可以获取到权限的中文描述，其中common是一些常用权限名称，特别的权限名称，可以单独写，如contract下的terminate权限是合同独有的权限名称，必须单独写，而class_name也可以写上资源名称，如contract，如果不写，会默认去ActiveRecord的翻译文件下去取中文翻译。
+
+
+### DSL文件描述权限的方法
 dsl文件写法如下：
 
 	#用哪个类用来描写权限，可在intializer下的can_play.rb文件下描写。
 	class Resource
 	  include CanPlay
-
+	  self.module_name = '核心模块'
+	  
 	  # 所有limit块、collection块和member块中都注入了user这个变量，指向当前登录用户，可直接使用。
 
 	  group Contract do |klass|
@@ -37,9 +73,9 @@ dsl文件写法如下：
 	      if user.is_admin?
 	        klass.all
 	      elsif user.role? '供应商'
-	        klass.where(emall: user.emall)
+	        klass.where(supplier: user.supplier)
 	      elsif user.role? '采购人'
-	        klass.where(department: user.department)
+	        klass.where(purchaser: user.purchaser)
 	      else
 	        klass.none
 	      end
@@ -55,9 +91,9 @@ dsl文件写法如下：
 	      if user.is_admin?
 	        true
 	      elsif user.role? '供应商'
-	        obj.emall.is? user.emall
+	        obj.supplier.is? user.supplier
 	      elsif user.role? '采购人'
-	        obj.department.is? user.department
+	        obj.purchaser.is? user.purchaser
 	      else
 	        false
 	      end
@@ -69,26 +105,25 @@ dsl文件写法如下：
 	    end
 	  end
 
-	  group Project do |klass|
+  	end
+  	
+`limit`方法用于控制某个用户可以查看的资源的额列表，如Contract类下的limit限制了管理员可以查看所有合同，供应商和采购人只能查看和自己相关的合同。limit方法会让在controller中生成一个动态方法，`current_power.contracts`，这个方法返回的是是我们再limit中写如的对象，这样就能根据用户的信息返回不同的资源数组。
 
-	    limit do
-	      if user.is_admin?
-	        klass.all
-	      else
-	        klass.none
-	      end
-	    end
+`collection`方法，可以控制某个用户对某类资源的控制权限。如list和create权限，在controller中，我们可以用`authorize!(:read, Contract)`来限制用户的访问。
 
-	    collection [:list, :create], klass do
-	      user.is_admin?
-	    end
+`member`方法，可以控制用户对某个资源的控制权限，如read权限，在controller中我们可以用authorize!(:read, @contract)来限制用户的访问。
 
-	    member [:read, :update, :delete, :create_later_documents], klass do |obj|
-	      user.is_admin?
-	    end
-	  end
-  	end
+`self.module_name = '核心模块'`是用来处理在多模块开发的环境下，各个模块可能有自己的resource文件，并可能出现中文的重名，权限最终要集中管理，module_name可以做个简单的分隔，让用户清楚某个权限属于哪个模块。
+
+这些在controller中需要使用的current_power方法和authorize！方法分别是consul和cancancan中既有的方法。
 
 ### 和角色类之间建立关联
 
-此处的DSL相当于在数据库中的resouces表，记录了所有权限。我们需要通过role_resources这样的中间表，建立角色和资源之间的关联。因此在数据库建立中间表role_resources,使用一个resource_name字段来跟DSL中的权限、资源进行关联。我们再前端页面，只需要调用Resource.grouped_resources_with_chinese_desc就可获取到所有DSL文件中描述的所有权限以及中文描述。再在controller和view中创建权限和role的关联即可（往role_resources中间表写条目）。
+此处的resouce文件相当于在数据库中的resouces表，以动态的语言记录了所有的权限。我们需要通过role_resources这样的中间表，建立角色和权限之间的关联。可以在数据库建立中间表role_resources。
+
+在controller或view中只要调用 CanPlay.splat_grouped_resources_with_chinese_desc就能返回所有的权限hash，并按资源进行了分组。如果调用CanPlay.grouped_resources_with_chinese_desc则返回按module_name分组后，再按资源名称分组的权限hash。我们用这个hash在表单中呈现，让用户勾选，然后在controller中保存角色和资源权限的关联。
+
+
+其中roles_resources的表结构，至少要有role_id、resource_name字段，其中role_id关联角色，而 resource_name用于关联resource类（伪关联，实际不用加belongs_to这类关联）。
+
+有了这个关联，加载页面，就可以自动执行权限的限制了，当然前提是你在controller的每个action加入了cancancan的权限限制语句authorize！。

data/can_play.gemspec

@@ -24,4 +24,5 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'cancancan', "~> 1.12"
   spec.add_dependency 'consul', "~> 0.12"
   spec.add_dependency 'ror_hack', "~> 0.1 "
+  spec.add_dependency 'modularity', "~> 2.0 "
 end

data/lib/can_play/ability.rb

@@ -5,12 +5,12 @@ class Ability
   def initialize(user)
     self.user = user||CanPlay::Config.user_class_name.constantize.new
     CanPlay::Config.super_roles.each do |role_name|
-      can(:manage, :all) if user.role?(role_name)
+      can(:manage, :all) if user.send(CanPlay::Config.role_judge_method, role_name)
     end
     CanPlay::Config.role_class_name.constantize.all.each do |role|
       next unless user.role?(role.name)
       role.send(CanPlay::Config.role_resources_relation_name).each do |role_resource|
-        resource = CanPlay.find_by_name(role_resource.resource_name)
+        resource = CanPlay.find_by_name_and_code(role_resource.resource_name, CanPlay.override_code)
         next unless resource
         if resource[:type] == 'collection'
           if resource[:behavior]

data/lib/can_play/controller.rb

@@ -1,6 +1,29 @@
 class ActionController::Base
   include Consul::Controller
   current_power do
-    Power.new(current_user)
+    CanPlay::Power.new(current_user)
   end
+
+  # 对current_power采用动态方法调用的装饰者。
+  class PlayResourceObject < BasicObject
+    def initialize(obj, klass)
+      @obj = obj
+      @klass = klass
+    end
+
+    def method_missing(method, *args, &block)
+      if @obj.respond_to? "#{method}_evaluate_in_#{@klass.override_code}_scope"
+        @obj.send("#{method}_evaluate_in_#{@klass.override_code}_scope", *args, &block)
+      elsif @obj.respond_to? method
+        @obj.send(method, *args, &block)
+      else
+        super
+      end
+    end
+  end
+
+  def play_resources
+    @play_resource_object ||= PlayResourceObject.new(current_power, CanPlay)
+  end
+
 end

data/lib/can_play/power.rb

@@ -1,9 +1,11 @@
-class Power
-  include Consul::Power
-  attr_accessor :user
+module CanPlay
+  class Power
+    include Consul::Power
+    attr_accessor :user
 
-  def initialize(user)
-    self.user = user
-  end
+    def initialize(user)
+      self.user = user
+    end
 
+  end
 end

data/lib/can_play/version.rb

@@ -1,3 +1,3 @@
 module CanPlay
-  VERSION = "0.2.4"
+  VERSION = "0.2.5"
 end

data/lib/can_play.rb

@@ -1,41 +1,41 @@
 require 'ror_hack'
 require 'consul'
 require 'cancancan'
-require "can_play/version"
-require "can_play/power"
-require "can_play/ability"
-require "can_play/controller"
+require 'modularity'
 
 module CanPlay
-  mattr_accessor :resources
-  @@resources = []
+  mattr_accessor :resources, :override_resources, :override_code
+  self.override_code      = nil
+  self.resources          = []
+  self.override_resources = {}.with_indifferent_access
 
   class << self
     def included(base)
       base.class_eval <<-RUBY
-        include RorHack::ClassLevelInheritableAttributes
-        inheritable_attributes(:groups, :current_group, :module_name)
-        @groups        = []
-        @current_group = nil
-        @module_name = ''
+        singleton_attr_accessor(:groups, :current_group, :module_name)
+        self.groups        = []
+        self.current_group = nil
+        self.module_name = ''
       RUBY
       base.extend ClassMethods
     end
 
-    def find_by_name(name)
-      CanPlay.resources.find { |r| r.name == name }
+    def find_by_name_and_code(name, code)
+      resource = CanPlay.override_resources[code].p2a.find { |r| r.name.to_s == name.to_s }
+      resource || CanPlay.resources.find { |r| r.name.to_s == name.to_s }
     end
 
-    def grouped_resources
-      @grouped_resources ||= CanPlay.resources.multi_group_by(:module_name, :group)
+    def conjunct_resources
+      resources = CanPlay.override_resources[CanPlay.override_code].p2a + CanPlay.resources
+      resources.uniq { |i| i.name }
     end
 
-    def splat_grouped_resources
-      @grouped_resources ||= CanPlay.resources.multi_group_by(:group)
+    def grouped_resources
+      conjunct_resources.multi_group_by :module_name, :group
     end
 
-    def my_resources
-      CanPlay.resources
+    def splat_grouped_resources
+      conjunct_resources.multi_group_by :group
     end
 
     def grouped_resources_with_chinese_desc
@@ -60,8 +60,8 @@ module CanPlay
       splat_grouped_resources.tap do |i|
         i.each do |group, resources|
           group[:chinese_desc] = begin
-            name = I18n.t("can_play.class_name.#{group[:name].singularize}", default: '')
-            name = group[:klass].model_name.human if name.blank?
+            name = I18n.t("can_play.class_name.#{group.name.singularize}", default: '')
+            name = group.klass.model_name.human if name.blank?
             name
           end
           resources.each do |resource|
@@ -74,47 +74,52 @@ module CanPlay
   end
 
   module Config
-    mattr_accessor :user_class_name, :role_class_name, :role_resources_relation_name, :super_roles
-    @@user_class_name = 'User'
-    @@role_class_name = 'Role'
-    @@role_resources_relation_name = 'role_resources'
-    @@super_roles = []
+    mattr_accessor :user_class_name, :role_class_name, :role_resources_relation_name, :super_roles, :role_judge_method
+    self.user_class_name              = 'User'
+    self.role_class_name              = 'Role'
+    self.role_resources_relation_name = 'role_resources'
+    self.super_roles                  = []
+    self.role_judge_method            = 'role?'
 
     def self.setup
       yield self
     end
   end
 
-
-
   module ClassMethods
 
+    class NameImportantOpenStruct < OpenStruct
+      def eql?(another)
+        self.name == another.name
+      end
+    end
+
     # 为每个 resource 添加一个 group, 方便管理
     def group(opts, &block)
       if opts.is_a?(Hash)
         opts  = opts.with_indifferent_access
-        group =  OpenStruct.new(name: opts.delete(:name).to_s, klass: opts.delete(:klass))
+        group = NameImportantOpenStruct.new(name: opts.delete(:name).to_s, klass: opts.delete(:klass))
       elsif opts.is_a?(Module)
-        name = opts.try(:table_name).presence || opts.to_s.underscore.gsub('/', '_').pluralize
-        group =  OpenStruct.new(name: name, klass: opts)
+        name  = opts.try(:table_name).presence || opts.to_s.underscore.gsub('/', '_').pluralize
+        group = NameImportantOpenStruct.new(name: name, klass: opts)
       else
         # do nothing
       end
-      @groups << group
-      @groups        = @groups.uniq(&:name)
-      @current_group = group
+      self.groups << group
+      self.groups        = groups.uniq(&:name)
+      self.current_group = group
       block.call(group.klass)
-      @current_group = nil
+      self.current_group = nil
     end
 
     def limit(name=nil, &block)
-      raise "Need define group first" if @current_group.nil?
-      Power.power(name||@current_group.name, &block)
+      raise "Need define group first" if current_group.nil?
+      CanPlay::Power.power(name||current_group.name, &block)
     end
 
-    def collection(verb_or_verbs, &block)
-      raise "Need define group first" if @current_group.nil?
-      group    = @current_group
+    def collection(verb_or_verbs, opts={}.with_indifferent_access, &block)
+      raise "Need define group first" if current_group.nil?
+      group    = current_group
       behavior = nil
       if block
         behavior = lambda do |user|
@@ -127,16 +132,16 @@ module CanPlay
 
       if verb_or_verbs.kind_of?(Array)
         verb_or_verbs.each do |verb|
-          add_resource(group, verb, group.klass, 'collection', behavior)
+          add_resource(group, verb, group.klass, 'collection', behavior, opts)
         end
       else
-        add_resource(group, verb_or_verbs, group.klass, 'collection', behavior)
+        add_resource(group, verb_or_verbs, group.klass, 'collection', behavior, opts)
       end
     end
 
-    def member(verb_or_verbs, &block)
-      raise "Need define group first" if @current_group.nil?
-      group    = @current_group
+    def member(verb_or_verbs, opts={}.with_indifferent_access, &block)
+      raise "Need define group first" if current_group.nil?
+      group    = current_group
       behavior = nil
       if block
         behavior = lambda do |user, obj|
@@ -149,26 +154,65 @@ module CanPlay
 
       if verb_or_verbs.kind_of?(Array)
         verb_or_verbs.each do |verb|
-          add_resource(group, verb, group.klass, 'member', behavior)
+          add_resource(group, verb, group.klass, 'member', behavior, opts)
         end
       else
-        add_resource(group, verb_or_verbs, group.klass, 'member', behavior)
+        add_resource(group, verb_or_verbs, group.klass, 'member', behavior, opts)
       end
     end
 
-    def add_resource(group, verb, object, type, behavior)
+    def add_resource(group, verb, object, type, behavior, opts)
       name     = "#{verb}_#{group.name}"
       resource = OpenStruct.new(
         module_name: module_name,
-        name:     name,
-        group:    group,
-        verb:     verb,
-        object:   object,
-        type:     type,
-        behavior: behavior
+        name:        name,
+        group:       group,
+        verb:        verb,
+        object:      object,
+        type:        type,
+        behavior:    behavior,
+        opts:        opts
       )
       CanPlay.resources.keep_if { |i| i.name != name }
       CanPlay.resources << resource
     end
   end
+
+  module Override
+    as_trait do |code|
+      extend ClassMethods
+      singleton_attr_accessor(:groups, :current_group, :module_name)
+      self.groups        = []
+      self.current_group = nil
+      self.module_name   = ''
+
+      define_singleton_method(:limit) do |name=nil, &block|
+        raise "Need define group first" if current_group.nil?
+        method_name = name ? "#{name}_evaluate_in_#{code}_scope" : "#{current_group.name}_evaluate_in_#{code}_scope"
+        Power.power(method_name, &block)
+      end
+
+      define_singleton_method(:add_resource) do |group, verb, object, type, behavior, opts|
+        super(group, verb, object, type, behavior, opts) and return if code.blank?
+        CanPlay.override_resources[code] ||= []
+        name                             = "#{verb}_#{group.name}"
+        resource                         = OpenStruct.new(
+          module_name: module_name,
+          name:        name,
+          group:       group,
+          verb:        verb,
+          object:      object,
+          type:        type,
+          behavior:    behavior,
+          opts:        opts
+        )
+        CanPlay.override_resources[code].keep_if { |i| i.name != name }
+        CanPlay.override_resources[code] << resource
+      end
+    end
+  end
 end
+
+require "can_play/power"
+require "can_play/controller"
+require "can_play/ability"

data/lib/generators/templates/can_play.rb

@@ -13,4 +13,7 @@ CanPlay::Config.setup do |config|
 
   # super_roles表示无需分配权限既可拥有所有权限的角色。
   config.super_roles = ['超级管理员']
+
+  # 判断角色是否符合的方法。
+  config.role_judge_method = 'role?'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: can_play
 version: !ruby/object:Gem::Version
-  version: 0.2.4
+  version: 0.2.5
 platform: ruby
 authors:
 - happyming9527
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2015-08-30 00:00:00.000000000 Z
+date: 2015-09-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -80,6 +80,20 @@ dependencies:
     - - ~>
       - !ruby/object:Gem::Version
         version: '0.1'
+- !ruby/object:Gem::Dependency
+  name: modularity
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.0'
 description: control user's permissions based on role and resource.
 email:
 - happyming9527@gmail.com