careacademy-acl9 3.3.0

data/gemfiles/rails_5.2.gemfile

@@ -0,0 +1,9 @@
+# This file was generated by Appraisal
+
+source "http://rubygems.org"
+
+gem "appraisal"
+gem "byebug"
+gem "rails", "~> 5.2.0"
+
+gemspec path: "../"

data/gemfiles/rails_6.0.gemfile

@@ -0,0 +1,9 @@
+# This file was generated by Appraisal
+
+source "http://rubygems.org"
+
+gem "appraisal"
+gem "byebug"
+gem "rails", "~> 6.0.0"
+
+gemspec path: "../"

data/gemfiles/rails_6.1.gemfile

@@ -0,0 +1,9 @@
+# This file was generated by Appraisal
+
+source "http://rubygems.org"
+
+gem "appraisal"
+gem "byebug"
+gem "rails", "~> 6.1.0"
+
+gemspec path: "../"

data/gemfiles/rails_7.0.gemfile

@@ -0,0 +1,9 @@
+# This file was generated by Appraisal
+
+source "http://rubygems.org"
+
+gem "appraisal"
+gem "byebug"
+gem "rails", "~> 7.0.4.2"
+
+gemspec path: "../"

data/lib/acl9/controller_extensions/dsl_base.rb

@@ -0,0 +1,212 @@
+require_relative "../prepositions"
+
+module Acl9
+  module Dsl
+    class Base
+      include Prepositions
+
+      attr_reader :allows, :denys
+
+      def initialize(*args)
+        @default_action = nil
+        @allows = []
+        @denys  = []
+        @original_args = args
+        @action_clause = nil
+      end
+
+      def acl_block!(&acl_block)
+        instance_eval(&acl_block)
+      end
+
+      def default_action
+        @default_action.nil? ? :deny : @default_action
+      end
+
+      def allowance_expression
+        allowed_expr    = @allows.any?  ? @allows.map { |clause| "(#{clause})" }.join(' || ') : 'false'
+        not_denied_expr = @denys.any?   ? @denys.map { |clause| "!(#{clause})" }.join(' && ') : 'true'
+
+        [allowed_expr, not_denied_expr].
+          map { |expr| "(#{expr})" }.
+          join(default_action == :deny ? ' && ' : ' || ')
+      end
+
+      alias to_s allowance_expression
+
+      protected
+
+      def default(default_action)
+        raise ArgumentError, "default can only be called once in access_control block" if @default_action
+
+        unless [:allow, :deny].include? default_action
+          raise ArgumentError, "invalid value for default (can be :allow or :deny)"
+        end
+
+        @default_action = default_action
+      end
+
+      def allow(*args)
+        @current_rule = :allow
+        _parse_and_add_rule(*args)
+      end
+
+      def deny(*args)
+        @current_rule = :deny
+        _parse_and_add_rule(*args)
+      end
+
+      def actions(*args, &block)
+        raise ArgumentError, "actions should receive at least 1 action as argument" if args.size < 1
+
+        subsidiary = self.class.new(*@original_args)
+
+        class <<subsidiary
+          def actions(*args)
+            raise ArgumentError, "You cannot use actions inside another actions block"
+          end
+
+          def default(*args)
+            raise ArgumentError, "You cannot use default inside an actions block"
+          end
+
+          def _set_action_clause(only, except)
+            raise ArgumentError, "You cannot use :only (:to) or :except inside actions block" if only || except
+          end
+        end
+
+        subsidiary.acl_block!(&block)
+        action_check = _action_check_expression(args)
+        squash = lambda { |rules| action_check + ' && ' + _either_of(rules) }
+
+        @allows << squash.call(subsidiary.allows) if subsidiary.allows.size > 0
+        @denys  << squash.call(subsidiary.denys)  if subsidiary.denys.size > 0
+      end
+
+      alias action actions
+
+      def logged_in; false end
+      def anonymous; nil   end
+      def all;       true  end
+
+      alias everyone all
+      alias everybody all
+      alias anyone all
+
+      def _permitted_allow_deny_option!(key)
+        raise ArgumentError, "#{key} is not a valid option" unless [:to, :only, :except, :if, :unless, *VALID_PREPOSITIONS].include?(key.to_sym)
+      end
+
+      def _retrieve_only options
+        only = [ options.delete(:only) ].flatten.compact
+        only |= [ options.delete(:to) ].flatten.compact
+        only if only.present?
+      end
+
+      def _parse_and_add_rule(*args)
+        options = args.extract_options!
+        options.keys.each { |key| _permitted_allow_deny_option!(key) }
+
+        _set_action_clause( _retrieve_only(options), options.delete(:except))
+
+        object_s = _role_object_s(options)
+
+        role_checks = args.map do |who|
+          case who
+          when anonymous then "#{_subject_ref}.nil?"
+          when logged_in then "!#{_subject_ref}.nil?"
+          when all       then "true"
+          else
+            "!#{_subject_ref}.nil? && #{_subject_ref}.has_role?('#{who}'#{object_s})"
+          end
+        end
+
+        [:if, :unless].each do |cond|
+          val = options[cond]
+          raise ArgumentError, "#{cond} option must be a Symbol" if val && !val.is_a?(Symbol)
+        end
+
+        condition = [
+          (_method_ref(options[:if]) if options[:if]),
+          ("!#{_method_ref(options[:unless])}" if options[:unless])
+        ].compact.join(' && ')
+
+        condition = nil if condition.blank?
+
+        _add_rule(case role_checks.size
+                  when 0
+                    raise ArgumentError, "allow/deny should have at least 1 argument"
+                  when 1 then role_checks.first
+                  else
+                    _either_of(role_checks)
+                  end, condition)
+      end
+
+      def _either_of(exprs)
+        clause = exprs.map { |expr| "(#{expr})" }.join(' || ')
+        return "(#{clause})"
+      end
+
+      def _add_rule(what, condition)
+        anded = [what] + [@action_clause, condition].compact
+        anded[0] = "(#{anded[0]})" if anded.size > 1
+
+        (@current_rule == :allow ? @allows : @denys) << anded.join(' && ')
+      end
+
+      def _set_action_clause(only, except)
+        raise ArgumentError, "both :only (:to) and :except cannot be specified in the rule" if only && except
+
+        @action_clause  = nil
+        action_list     = only || except
+        return unless action_list
+
+        expr = _action_check_expression(action_list)
+        @action_clause = only ? "#{expr}" : "!#{expr}"
+      end
+
+      def _action_check_expression(action_list)
+        unless action_list.is_a?(Array)
+          action_list = [ action_list.to_s ]
+        end
+
+        case action_list.size
+        when 0 then "true"
+        when 1 then "(#{_action_ref} == '#{action_list.first}')"
+        else
+          set_of_actions = "Set.new([" + action_list.map { |act| "'#{act}'"}.join(',')  + "])"
+
+          "#{set_of_actions}.include?(#{_action_ref})"
+        end
+      end
+
+      def _role_object_s(options)
+        object = _by_preposition options
+
+        case object
+        when Class  then ", #{object}"
+        when Symbol then ", #{_object_ref object}"
+        when nil    then ""
+        else
+          raise ArgumentError, "object specified by preposition can only be a Class or a Symbol"
+        end
+      end
+
+      def _subject_ref
+        raise
+      end
+
+      def _object_ref(object)
+        raise
+      end
+
+      def _action_ref
+        raise
+      end
+
+      def _method_ref(method)
+        raise
+      end
+    end
+  end
+end

data/lib/acl9/controller_extensions/generators.rb

@@ -0,0 +1,166 @@
+require_relative "dsl_base"
+
+module Acl9
+  module Dsl
+    module Generators
+      class BaseGenerator < Acl9::Dsl::Base
+        def initialize(*args)
+          @subject_method = args[0]
+
+          super
+        end
+
+        protected
+
+        def _access_denied
+          "raise Acl9::AccessDenied"
+        end
+
+        def _subject_ref
+          "#{_controller_ref}send(:#{@subject_method})"
+        end
+
+        def _object_ref(object)
+          "#{_controller_ref}instance_variable_get('@#{object}')"
+        end
+
+        def _action_ref
+          "#{_controller_ref}action_name"
+        end
+
+        def _method_ref(method)
+          "#{_controller_ref}send(:#{method})"
+        end
+
+        def _controller_ref
+          @controller ? "#{@controller}." : ''
+        end
+
+        def install_on(controller_class, options)
+          debug_dump(controller_class) if options[:debug]
+        end
+
+        def debug_dump(klass)
+          return unless logger
+          logger.debug "=== Acl9 access_control expression dump (#{klass.to_s})"
+          logger.debug self.to_s
+          logger.debug "======"
+        end
+
+        def logger
+          ActionController::Base.logger
+        end
+      end
+
+      class FilterLambda < BaseGenerator
+        def initialize(subject_method)
+          super
+
+          @controller = 'controller'
+        end
+
+        def install_on(controller_class, options)
+          super
+
+          controller_class.send(:before_action, options, &self.to_proc)
+        end
+
+        def to_proc
+          code = <<-RUBY
+            lambda do |controller|
+              unless #{allowance_expression}
+                #{_access_denied}
+              end
+            end
+          RUBY
+
+          self.instance_eval(code, __FILE__, __LINE__)
+        rescue SyntaxError
+          raise FilterSyntaxError, code
+        end
+      end
+
+      ################################################################
+
+      class FilterMethod < BaseGenerator
+        def initialize(subject_method, method_name)
+          super
+
+          @method_name = method_name
+          @controller = nil
+        end
+
+        def install_on(controller_class, options)
+          super
+          _add_method(controller_class)
+          controller_class.send(:before_action, @method_name, options)
+        end
+
+        protected
+
+        def _add_method(controller_class)
+          code = self.to_method_code
+          controller_class.send(:class_eval, code, __FILE__, __LINE__)
+        rescue SyntaxError
+          raise FilterSyntaxError, code
+        end
+
+        def to_method_code
+          <<-RUBY
+            def #{@method_name}
+              unless #{allowance_expression}
+                #{_access_denied}
+              end
+            end
+          RUBY
+        end
+      end
+
+      ################################################################
+
+      class BooleanMethod < FilterMethod
+        def install_on(controller_class, opts)
+          debug_dump(controller_class) if opts[:debug]
+
+          _add_method(controller_class)
+
+          if opts[:helper]
+            controller_class.send(:helper_method, @method_name)
+          end
+        end
+
+        protected
+
+        def to_method_code
+          <<-RUBY
+            def #{@method_name}(*args)
+              options = args.extract_options!
+
+              unless args.size <= 1
+                raise ArgumentError, "call #{@method_name} with 0, 1 or 2 arguments"
+              end
+
+              self.action_name = args.first.to_s if args.present?
+
+              return #{allowance_expression}
+            end
+          RUBY
+        end
+
+        def _object_ref(object)
+          "(options[:#{object}] || #{super})"
+        end
+      end
+
+      ################################################################
+
+      class HelperMethod < BooleanMethod
+        def initialize(subject_method, method)
+          super
+
+          @controller = 'controller'
+        end
+      end
+    end
+  end
+end

data/lib/acl9/controller_extensions.rb

@@ -0,0 +1,85 @@
+require_relative "controller_extensions/generators"
+
+module Acl9
+  module ControllerExtensions
+    def self.included(base)
+      base.extend(ClassMethods)
+    end
+
+    module ClassMethods
+      def access_control(*args, &block)
+        opts = args.extract_options!
+
+        case args.size
+        when 0 then true
+        when 1
+          meth = args.first
+
+          if meth.is_a? Symbol
+            opts[:as_method] = meth
+          else
+            raise ArgumentError, "access_control argument must be a :symbol!"
+          end
+        else
+          raise ArgumentError, "Invalid arguments for access_control"
+        end
+
+        subject_method = opts[:subject_method] || Acl9::config[:default_subject_method]
+
+        raise ArgumentError, "Block must be supplied to access_control" unless block
+
+        filter = opts[:filter]
+        filter = true if filter.nil?
+
+        case helper = opts[:helper]
+        when true
+          raise ArgumentError, "you should specify :helper => :method_name" if !opts[:as_method]
+        when nil then nil
+        else
+          if opts[:as_method]
+            raise ArgumentError, "you can't specify both method name and helper name" 
+          else
+            opts[:as_method] = helper
+            filter = false
+          end
+        end
+
+        method = opts[:as_method]
+
+        query_method_available = true
+        generator = case
+                    when method && filter
+                      Acl9::Dsl::Generators::FilterMethod.new(subject_method, method)
+                    when method && !filter
+                      query_method_available = false
+                      Acl9::Dsl::Generators::BooleanMethod.new(subject_method, method)
+                    else
+                      Acl9::Dsl::Generators::FilterLambda.new(subject_method)
+                    end
+
+        generator.acl_block!(&block)
+
+        generator.install_on(self, opts)
+
+        if query_method_available && (query_method = opts.delete(:query_method))
+          case query_method
+          when true
+            if method
+              query_method = "#{method}?"
+            else
+              raise ArgumentError, "You must specify :query_method as Symbol"
+            end
+          when Symbol, String
+            # okay here
+          else
+            raise ArgumentError, "Invalid value for :query_method"
+          end
+
+          second_generator = Acl9::Dsl::Generators::BooleanMethod.new(subject_method, query_method)
+          second_generator.acl_block!(&block)
+          second_generator.install_on(self, opts)
+        end
+      end
+    end
+  end
+end

data/lib/acl9/helpers.rb

@@ -0,0 +1,49 @@
+module Acl9
+  module Helpers
+    def self.included(base)
+      base.extend ClassMethods
+    end
+
+    module ClassMethods
+      def access_control(method, opts = {}, &block)
+        subject_method = opts.delete(:subject_method) || Acl9::config[:default_subject_method]
+        raise ArgumentError, "Block must be supplied to access_control" unless block
+
+        generator = Acl9::Dsl::Generators::HelperMethod.new(subject_method, method)
+
+        generator.acl_block!(&block)
+        generator.install_on(self, opts)
+      end
+
+    end
+
+    # Usage:
+    #
+    #     <%=show_to(:owner, :supervisor, :of => :account) do %>
+    #       <%= 'hello' %>
+    #     <% end %>
+    #
+    def show_to(*args, &block)
+      user = send(Acl9.config[:default_subject_method])
+      return if user.nil?
+
+      has_any = false
+
+      if args.last.is_a?(Hash)
+        an_obj  = args.pop.values.first
+        has_any = args.detect { |role| user.has_role?(role, an_obj) }
+      else
+        has_any = args.detect { |role| user.has_role?(role) }
+      end
+
+      if has_any
+        begin
+          capture( &block )
+        rescue NoMethodError
+          yield( :block )
+        end
+      end
+
+    end
+  end
+end

data/lib/acl9/model_extensions/for_object.rb

@@ -0,0 +1,74 @@
+module Acl9
+  module ModelExtensions
+    module ForObject
+      ##
+      # Role check.
+      #
+      # @return [Boolean] Returns true if +subject+ has a role +role_name+ on this object.
+      #
+      # @param [Symbol,String] role_name Role name
+      # @param [Subject] subject Subject to add role for
+      # @see Acl9::ModelExtensions::Subject#has_role?
+      def accepts_role?(role_name, subject)
+        if not subject.nil?
+          return subject.has_role? role_name, self
+        end
+        false
+      end
+
+      ##
+      # Add role on the object to specified subject.
+      #
+      # @param [Symbol,String] role_name Role name
+      # @param [Subject] subject Subject to add role for
+      # @see Acl9::ModelExtensions::Subject#has_role!
+      def accepts_role!(role_name, subject)
+        if not subject.nil?
+          return subject.has_role! role_name, self
+        end
+        false
+      end
+
+      ##
+      # Free specified subject of a role on this object.
+      #
+      # @param [Symbol,String] role_name Role name
+      # @param [Subject] subject Subject to remove role from
+      # @see Acl9::ModelExtensions::Subject#has_no_role!
+      def accepts_no_role!(role_name, subject)
+        if not subject.nil?
+          return subject.has_no_role! role_name, self
+        end
+        false
+      end
+
+      ##
+      # Are there any roles for the specified +subject+ on this object?
+      #
+      # @param [Subject] subject Subject to query roles
+      # @return [Boolean] Returns true if +subject+ has any roles on this object.
+      # @see Acl9::ModelExtensions::Subject#has_roles_for?
+      def accepts_roles_by?(subject)
+        if not subject.nil?
+          return subject.has_roles_for? self
+        end
+        false
+      end
+
+      alias :accepts_role_by? :accepts_roles_by?
+
+      ##
+      # Which roles does +subject+ have on this object?
+      #
+      # @return [Array<Role>] Role instances, associated both with +subject+ and +object+
+      # @param [Subject] subject Subject to query roles
+      # @see Acl9::ModelExtensions::Subject#roles_for
+      def accepted_roles_by(subject)
+        if not subject.nil?
+          return subject.roles_for self
+        end
+        false
+      end
+    end
+  end
+end