careacademy-acl9 3.3.0

data/test/config_test.rb

@@ -0,0 +1,55 @@
+require 'test_helper'
+
+class ConfigTest < ActiveSupport::TestCase
+  teardown do
+    Acl9.config.reset!
+  end
+
+  test "configure block API" do
+    assert new_method = :fruitcake
+    Acl9.configure do |c|
+      assert c.default_subject_method = new_method
+    end
+
+    assert_equal new_method, Acl9.config.default_subject_method
+    assert_equal new_method, Acl9.config[:default_subject_method]
+    assert_equal new_method, Acl9::config[:default_subject_method]
+  end
+
+  test "method API" do
+    assert new_method = :seesaw
+    Acl9.config.default_subject_method = new_method
+
+    assert_equal new_method, Acl9.config.default_subject_method
+    assert_equal new_method, Acl9.config[:default_subject_method]
+    assert_equal new_method, Acl9::config[:default_subject_method]
+  end
+
+  test "hash API" do
+    assert new_method = :sandcastle
+    assert Acl9.config[:default_subject_method] = new_method
+
+    assert_equal new_method, Acl9.config.default_subject_method
+    assert_equal new_method, Acl9.config[:default_subject_method]
+    assert_equal new_method, Acl9::config[:default_subject_method]
+  end
+
+  test "reset!" do
+    assert new_method = :bluesky
+    assert Acl9.config.default_subject_method = new_method
+
+    assert Acl9.config.reset!
+
+    refute_equal new_method, Acl9.config.default_subject_method
+  end
+
+  test "errors when missing option" do
+    assert_raises NoMethodError do
+      Acl9.config[:does_not_exist] = :foo
+    end
+
+    assert_raises NoMethodError do
+      Acl9.config[:does_not_exist]
+    end
+  end
+end

data/test/controller_extensions/actions_test.rb

@@ -0,0 +1,199 @@
+require_relative 'base'
+
+module ControllerExtensions
+  class ActionTest < Base
+    test "should raise an ArgumentError when actions has no block" do
+      assert_raise ArgumentError do
+        @tester.acl_block! { actions :foo, :bar }
+      end
+    end
+
+    test "should raise an ArgumentError when actions has no arguments" do
+      assert_raise ArgumentError do
+        @tester.acl_block! { actions do end }
+      end
+    end
+
+    test "should raise an ArgumentError when actions is called inside actions block" do
+      assert_raise ArgumentError do
+        @tester.acl_block! do
+          actions :foo, :bar do
+            actions :foo, :bar do
+            end
+          end
+        end
+      end
+    end
+
+    test "should raise an ArgumentError when default is called inside actions block" do
+      assert_raise ArgumentError do
+        @tester.acl_block! do
+          actions :foo, :bar do
+            default :allow
+          end
+        end
+      end
+    end
+
+    [:to, :only, :except].each do |opt|
+      test "should raise an ArgumentError when allow is called with #{opt} option" do
+        assert_raise ArgumentError do
+          @tester.acl_block! do
+            actions :foo do
+              allow all, opt => :bar
+            end
+          end
+        end
+      end
+
+      test "should raise an ArgumentError when deny is called with #{opt} option" do
+        assert_raise ArgumentError do
+          @tester.acl_block! do
+            actions :foo do
+              deny all, opt => :bar
+            end
+          end
+        end
+      end
+    end
+
+    test "empty actions block should do nothing" do
+      @tester.acl_block! do
+        actions :foo do
+        end
+
+        allow all
+      end
+      assert_permitted nil
+      assert_permitted nil, :foo
+    end
+
+    test "#allow should limit its scope to specified actions" do
+      assert ( bee = User.create ).has_role! :bee
+
+      @tester.acl_block! do
+        actions :edit do
+          allow :bee
+        end
+      end
+      assert_permitted bee, :edit
+      assert_forbidden bee, :update
+    end
+
+    test "#deny should limit its scope to specified actions" do
+      assert ( bee = User.create ).has_role! :bee
+
+      @tester.acl_block! do
+        default :allow
+        actions :edit do
+          deny :bee
+        end
+      end
+      assert_forbidden bee, :edit
+      assert_permitted bee, :update
+    end
+
+    test "#allow and #deny should work together inside actions block" do
+      assert foo = Foo.create
+
+      assert ( owner = User.create ).has_role! :owner, foo
+      assert ( hacker = User.create ).has_role! :hacker
+      assert hacker.has_role! :the_destroyer
+
+      assert ( another_owner = User.create ).has_role! :owner, foo
+      assert another_owner.has_role! :hacker
+
+      @tester.acl_block! do
+        actions :show, :index do
+          allow all
+        end
+
+        actions :edit, :new, :create, :update do
+          allow :owner, :of => :foo
+          deny :hacker
+        end
+
+        actions :destroy do
+          allow :owner, :of => :foo
+          allow :the_destroyer
+        end
+      end
+
+      assert set_all_actions
+      permit_some owner,  @all_actions, :foo => foo
+      permit_some hacker, %w(show index destroy), foo: foo
+      permit_some another_owner, %w(show index destroy), :foo => foo
+    end
+
+    def set_all_actions
+      @all_actions = %w(index show new edit create update destroy)
+    end
+
+    test "should work with anonymous" do
+      assert ( superadmin = User.create ).has_role! :superadmin
+
+      @tester.acl_block! do
+        allow :superadmin
+
+        action :index, :show do
+          allow anonymous
+        end
+      end
+
+      assert set_all_actions
+      permit_some superadmin, @all_actions
+      permit_some nil, %w(index show)
+    end
+
+    test "should work with anonymous and other role inside" do
+      assert ( superadmin = User.create ).has_role! :superadmin
+      assert ( member = User.create ).has_role! :member
+
+      @tester.acl_block! do
+        allow :superadmin
+
+        action :index, :show do
+          allow anonymous
+          allow :member
+        end
+      end
+
+      assert set_all_actions
+      permit_some superadmin, @all_actions
+      permit_some member, %w(index show)
+      permit_some nil, %w(index show)
+    end
+
+    test "multiple allows in an action" do
+      assert ( special = User.create ).has_role! :special
+      assert ( viewer = User.create ).has_role! :viewer
+
+      @tester.acl_block! do
+        action :show do
+          allow all
+          allow :viewer
+        end
+      end
+
+      assert set_all_actions
+      permit_some special, %w(show)
+      permit_some viewer, %w(show)
+    end
+
+    test "multiple allows with logged_in" do
+      assert ( normal = User.create )
+      assert ( viewer = User.create ).has_role! :viewer
+
+      @tester.acl_block! do
+        action :index do
+          allow logged_in
+          allow :viewer
+        end
+      end
+
+      assert set_all_actions
+      permit_some normal, %w(index)
+      permit_some viewer, %w(index)
+    end
+  end
+end

data/test/controller_extensions/anon_test.rb

@@ -0,0 +1,39 @@
+require_relative 'base'
+
+module ControllerExtensions
+  class AnonTest < Base
+    test "allow nil permits only nil" do
+      @tester.acl_block! { allow nil }
+
+      assert_permitted nil
+      assert_user_types_forbidden
+    end
+
+    test "allow anon permits only nil" do
+      @tester.acl_block! { allow anonymous }
+
+      assert_permitted nil
+      assert_user_types_forbidden
+    end
+
+    test "default allowed, nil denied" do
+      @tester.acl_block! do
+        default :allow
+        deny nil
+      end
+
+      assert_forbidden nil
+      assert_user_types_permitted
+    end
+
+    test "default allowed, anon denied" do
+      @tester.acl_block! do
+        default :allow
+        deny anonymous
+      end
+
+      assert_forbidden nil
+      assert_user_types_permitted
+    end
+  end
+end

data/test/controller_extensions/base.rb

@@ -0,0 +1,96 @@
+require 'test_helper'
+
+module ControllerExtensions
+  class Base < ActiveSupport::TestCase
+    setup do
+      # TODO - clean this up so we don't need to create such a complex object just for a test
+      @tester = Class.new(Acl9::Dsl::Base) do
+        def check_allowance(subject, *args)
+          @_subject = subject
+          @_current_action = (args[0] || 'index').to_s
+          @_objects = args.last.is_a?(Hash) ? args.last : {}
+          @_callable = @_objects.delete(:call)
+
+          instance_eval(allowance_expression)
+        end
+
+        def _subject_ref
+          "@_subject"
+        end
+
+        def _object_ref(object)
+          "@_objects[:#{object}]"
+        end
+
+        def _action_ref
+          "@_current_action"
+        end
+
+        def _method_ref(method)
+          "@_callable.send(:#{method})"
+        end
+      end.new
+    end
+
+    def permit_some(user, actions, vars = {})
+      actions.each                  { |act| assert_permitted(user, act, vars) }
+      (@all_actions - actions).each { |act| assert_forbidden(user, act, vars) }
+    end
+
+    def assert_permitted *args
+      assert @tester.check_allowance *args
+    end
+
+    def assert_forbidden *args
+      refute @tester.check_allowance *args
+    end
+
+    def assert_all_forbidden
+      assert_forbidden nil
+      assert_user_types_forbidden
+    end
+
+    def assert_all_permitted
+      assert_permitted nil
+      assert_user_types_permitted
+    end
+
+    def assert_user_types_forbidden
+      assert @user = User.create
+      assert_forbidden @user
+      assert_admins_forbidden
+    end
+
+    def assert_admins_forbidden
+      assert @user = User.first_or_create
+
+      assert @user.has_role! :admin
+      assert_forbidden @user
+
+      assert @user.has_role! :admin, Foo
+      assert_forbidden @user
+
+      assert @user.has_role! :admin, Foo.first_or_create
+      assert_forbidden @user
+    end
+
+    def assert_user_types_permitted
+      assert @user = User.first_or_create
+      assert_permitted @user
+      assert_admins_permitted
+    end
+
+    def assert_admins_permitted
+      assert @user = User.first_or_create
+
+      assert @user.has_role! :admin
+      assert_permitted @user
+
+      assert @user.has_role! :admin, Foo
+      assert_permitted @user
+
+      assert @user.has_role! :admin, Foo.first_or_create
+      assert_permitted @user
+    end
+  end
+end

data/test/controller_extensions/basics_test.rb

@@ -0,0 +1,44 @@
+require_relative 'base'
+
+module ControllerExtensions
+  class BasicsTest < Base
+    test "empty default denies" do
+      @tester.acl_block! { }
+      assert_equal :deny, @tester.default_action
+      assert_all_forbidden
+    end
+
+    test "deny default denies" do
+      @tester.acl_block! { default :deny }
+      assert_equal :deny, @tester.default_action
+      assert_all_forbidden
+    end
+
+    test "allow default allows" do
+      @tester.acl_block! { default :allow }
+      assert_equal :allow, @tester.default_action
+      assert_all_permitted
+    end
+
+    test "error with bad args" do
+      assert_raise ArgumentError do
+        @tester.acl_block! { default 123 }
+      end
+
+      assert_raise ArgumentError do
+        @tester.acl_block! do
+          default :deny
+          default :deny
+        end
+      end
+
+      assert_raise ArgumentError do
+        @tester.acl_block! { allow }
+      end
+
+      assert_raise ArgumentError do
+        @tester.acl_block! { deny }
+      end
+    end
+  end
+end

data/test/controller_extensions/conditions_test.rb

@@ -0,0 +1,48 @@
+require_relative 'base'
+
+module ControllerExtensions
+  class ConditionsTest < Base
+    [:if, :unless].each do |cond|
+      test "should raise ArgumentError when #{cond} is not a Symbol" do
+         assert_raise ArgumentError do
+          @tester.acl_block! { allow nil, cond => 123 }
+        end
+      end
+    end
+
+    test "allow ... :if" do
+      @tester.acl_block! do
+        allow nil, :if => :meth
+      end
+      assert_permitted nil, :call => OpenStruct.new(:meth => true)
+      assert_forbidden nil, :call => OpenStruct.new(:meth => false)
+    end
+
+    test "allow ... :unless" do
+      @tester.acl_block! do
+        allow nil, :unless => :meth
+      end
+      assert_permitted nil, :call => OpenStruct.new(:meth => false)
+      assert_forbidden nil, :call => OpenStruct.new(:meth => true)
+    end
+
+    test "deny ... :if" do
+      @tester.acl_block! do
+        default :allow
+        deny nil, :if => :meth
+      end
+      assert_permitted nil, :call => OpenStruct.new(:meth => false)
+      assert_forbidden nil, :call => OpenStruct.new(:meth => true)
+    end
+
+    test "deny ... :unless" do
+      @tester.acl_block! do
+        default :allow
+        deny nil, :unless => :meth
+      end
+      assert_permitted nil, :call => OpenStruct.new(:meth => true)
+      assert_forbidden nil, :call => OpenStruct.new(:meth => false)
+    end
+
+  end
+end

data/test/controller_extensions/method_test.rb

@@ -0,0 +1,70 @@
+require_relative 'base'
+
+module ControllerExtensions
+  class MethodTest < Base
+    def run_tests
+      %w(index show).each                 { |act| assert_permitted nil, act }
+      %w(edit update delete destroy).each { |act| assert_forbidden nil, act }
+
+      %w(index show edit update).each { |act| assert_permitted @manager, act }
+      %w(delete destroy).each         { |act| assert_forbidden @manager, act }
+
+      %w(index show edit update delete destroy).each { |act| assert_permitted @trusted, act }
+    end
+
+    test "should raise an ArgumentError when either :to or :only and :except are specified" do
+      %i[to only].each do |only|
+        assert_raise ArgumentError do
+          @tester.acl_block! { allow all, only => :index, :except => ['show', 'edit'] }
+        end
+      end
+    end
+
+    test ":to and :only should combine in union" do
+      assert ( @manager = User.create ).has_role! :manager
+      assert ( @trusted = User.create ).has_role! :trusted
+
+      @tester.acl_block! do
+        allow all,      :only => :index, :to => :show
+
+        allow 'manager', :only => :edit, :to => 'edit'
+        allow 'manager', :to => 'update', :only => :update
+        allow 'trusted', :only => %w(edit update destroy), :to => %w(edit delete)
+      end
+
+      run_tests
+    end
+
+
+    test ":to and :only should limit rule scope to specified actions" do
+      assert ( @manager = User.create ).has_role! :manager
+      assert ( @trusted = User.create ).has_role! :trusted
+
+      %i[to only].each do |only|
+        @tester.acl_block! do
+          allow all,       only => [:index, :show]
+
+          allow 'manager', only => :edit
+          allow 'manager', only => 'update'
+          allow 'trusted', only => %w(edit update delete destroy)
+        end
+
+        run_tests
+      end
+    end
+
+    test ":except should limit rule scope to all actions except specified" do
+      assert ( @manager = User.create ).has_role! :manager
+      assert ( @trusted = User.create ).has_role! :trusted
+
+      @tester.acl_block! do
+        allow all,       :except => %w(edit update delete destroy)
+
+        allow 'manager', :except => %w(delete destroy)
+        allow 'trusted'
+      end
+
+      run_tests
+    end
+  end
+end

data/test/controller_extensions/multi_match_test.rb

@@ -0,0 +1,142 @@
+require_relative 'base'
+
+module ControllerExtensions
+  class MultiMatchTest < Base
+    test "default when nothing else matches" do
+      @tester.acl_block! do
+        default :allow
+        allow :blah
+        deny :bzz
+      end
+
+      assert_equal :allow, @tester.default_action
+      assert_all_permitted
+    end
+
+    test "should deny when deny is matched, but allow is not" do
+      @tester.acl_block! do
+        default :allow
+        deny all
+        allow :blah
+      end
+      
+      assert_all_forbidden
+    end
+
+    test "allow allowed and deny denied and default for unmatched" do
+      assert ( cool_user = User.create ).has_role! :cool
+      assert ( jerk_user = User.create ).has_role! :jerk
+
+      @tester.acl_block! do
+        default :allow
+        deny :jerk
+        allow :cool
+      end
+      
+      assert_forbidden jerk_user
+      assert_permitted cool_user
+      assert_all_permitted
+    end
+
+    test "allowed by default when both match" do
+      assert ( cool_user = User.create ).has_role! :cool
+      assert ( jerk_user = User.create ).has_role! :jerk
+
+      @tester.acl_block! do
+        default :allow
+        deny :cool
+        allow :cool
+      end
+
+      assert_permitted cool_user
+      assert_permitted jerk_user
+      assert_all_permitted
+    end
+
+    test "allowed by default when both all" do
+      assert ( cool_user = User.create ).has_role! :cool
+      assert ( jerk_user = User.create ).has_role! :jerk
+
+      @tester.acl_block! do
+        default :allow
+        deny all
+        allow all
+      end
+
+      assert_permitted cool_user
+      assert_permitted jerk_user
+      assert_all_permitted
+    end
+
+    test "allow logged_in allows user not anon" do
+      @tester.acl_block! do
+        allow logged_in
+      end
+      
+      assert_forbidden nil
+      assert_user_types_permitted
+    end
+
+    test "deny logged_in denies user not anon" do
+      @tester.acl_block! do
+        default :allow
+        deny logged_in
+      end
+      
+      assert_permitted nil
+      assert_user_types_forbidden
+    end
+
+    test "denies unmatched when default deny" do
+      @tester.acl_block! do
+        default :deny
+        allow :blah
+        deny :bzz
+      end
+      
+      assert_all_forbidden
+    end
+
+    test "deny all when allow unmatched" do
+      @tester.acl_block! do
+        default :allow
+        deny all
+        allow :blah
+      end
+
+      assert_all_forbidden
+    end
+
+    test "allow when allow matches and deny doesn't" do
+      @tester.acl_block! do
+        default :deny
+        deny nil
+        allow :admin
+      end
+
+      assert_admins_permitted
+    end
+
+    test "denied by default when both match" do
+      assert ( user = User.create ).has_role! :cool
+
+      @tester.acl_block! do
+        default :deny
+        deny :cool
+        allow :cool
+      end
+      
+      assert_forbidden user
+    end
+
+    test "denied by default when both all" do
+      @tester.acl_block! do
+        default :deny
+        deny all
+        allow all
+      end
+
+      assert_all_forbidden
+    end
+  end
+end