cbac 0.5.4 → 0.6.0

data/context_roles.rb

@@ -0,0 +1,21 @@
+### context_roles.rb
+#
+# Defines the context roles for the CBAC system
+#
+include Cbac
+
+# Defining context roles
+ContextRole.add :not_logged_in_user, 'current_user == 0'
+ContextRole.add :logged_in_user, 'current_user.to_i > 0'
+ContextRole.add :everybody, "true"
+ContextRole.add :news_owner do
+  context[:post].user.id == current_user
+end
+
+ContextRole.add :news_owner_with_email do
+  return false if News.find(params[:id]).author_id == current_user
+  return false if User.find(current_user).email.nil?
+  true
+end
+
+

data/init.rb

@@ -1,11 +1,3 @@
-# Configuration file
-require File.dirname(__FILE__) + '/lib/cbac/config.rb'
-
-# The following code contains configuration options. You can turn them on for
-# gem development. For actual usage, it is advisable to set the configuration
-# options in the environment files.
-Cbac::Config.verbose = false
-
-# Include CBAC core file
-require File.dirname(__FILE__) + '/lib/cbac.rb'
-
+# Include CBAC core file
+require File.dirname(__FILE__) + '/lib/cbac.rb'
+

data/lib/cbac.rb

@@ -1,114 +1,132 @@
-# TODO: Check the permission table for double entries, ie: both an entry in the
-# generic_role_id field and an entry in the context_role field. Solution: solve
-# via model. Update model & add test
-
-
-module Cbac
-  if Cbac::Setup.check
-    puts "CBAC properly installed"
-   
-    require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/privilege'))
-    require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/privilege_set'))
-    require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/context_role'))
-    require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/cbac_pristine/pristine'))
-    require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/cbac_pristine/pristine_file'))
-    require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/cbac_pristine/pristine_permission'))
-
-    # check performs a check to see if the user is allowed to access the given
-    # resource. Example: authorization_check("BlogController", "index", :get)
-    def authorization_check(controller, action, request, context = {})
-      # Determine the controller to look for
-      controller_method = [controller, action].join("/")
-      # Get the privilegesets
-      privilege_sets = Privilege.select(controller_method, request)
-      # Check the privilege sets
-      check_privilege_sets(privilege_sets, context)
-    end
-
-    # Check the given privilege_set symbol
-    # TODO following code is not yet tested
-    def check_privilege_set(privilege_set, context = {})
-      check_privilege_sets([PrivilegeSet.sets[privilege_set.to_sym]], context)
-    end
-
-    # Check the given privilege_sets
-    def check_privilege_sets(privilege_sets, context = {})
-      # Check the generic roles
-      return true if privilege_sets.any? { |set| Cbac::GenericRole.find(:all, :conditions => ["user_id= ? AND privilege_set_id = ?", current_user_id, set.id],:joins => [:generic_role_members, :permissions]).length > 0 }
-      # Check the context roles Get the permissions
-      privilege_sets.collect{|privilege_set|Cbac::Permission.find(:all, :conditions => ["privilege_set_id = ? AND generic_role_id = 0", privilege_set.id.to_s])}.flatten.each do |permission|
-        puts "Checking for context_role:#{permission.context_role} on privilege_set:#{permission.privilege_set.name}" if Cbac::Config.verbose
-        eval_string = ContextRole.roles[permission.context_role.to_sym]
-        # Not sure if this will work everywhere
-        context["foo"] = "bar"
-        context["session"] = session
-        begin
-          return true if eval_string.call(context)
-        rescue Exception => e
-          puts "Error in context role: #{permission.context_role} on privilege_set: #{permission.privilege_set.name}. Context: #{context}"
-          raise e if RAILS_ENV == "development" or RAILS_ENV == "test" # In development mode, this should crash as hard as possible, but in further stages, it should not
-        end
-      end
-      # not authorized
-      puts "Not authorized for: #{controller_method}" if Cbac::Config.verbose
-      false
-    end
-
-    # Code that performs authorization
-    def authorize
-      authorization_check(params[:controller], params[:action], request.request_method) || unauthorized
-    end
-
-    # Default unauthorized method Override this method to supply your own code
-    # for incorrect authorization
-    def unauthorized
-      render :text => "You are not authorized to perform this action", :status => 401
-    end
-
-    # Default implementation of the current_user method
-    def current_user_id
-      session[:currentuser].to_i
-    end
-
-    # Load controller classes and methods
-    def load_controller_methods
-      begin
-        Dir.glob("app/controllers/**/*.rb").each{|file| require file}
-      rescue LoadError
-        raise "Could not load controller classes"
-      end
-      # Make this iterative TODO
-      @classes = ApplicationController.subclasses
-    end
-
-    # Extracts the class name from the filename
-    def extract_class_name(filename)
-      File.basename(filename).chomp(".rb").camelize
-    end
-
-    # ### Initializer Include privileges file - contains the privilege and
-    # privilege definitions
-    begin
-      require File.join(RAILS_ROOT, "config", "cbac", "privileges.rb")
-    rescue MissingSourceFile
-      puts "CBAC warning: Could not load config/cbac/privileges.rb (Did you run ./script/generate cbac?)"
-    end
-    # Include context roles file - contains the context role definitions
-    begin
-      require File.join(RAILS_ROOT, "config", "cbac", "context_roles.rb")
-    rescue MissingSourceFile
-      puts "CBAC warning: Could not load config/cbac/context_roles.rb (Did you run ./script/generate cbac?)"
-    end
-
-    # ### Database autoload code
-  else
-    # This is the code that is executed if CBAc is not properly installed/
-    # configured. It includes a different authorize method, aimes at refusing
-    # all authorizations
-    def authorize
-      render :text => "Authorization error", :status => 401
-      false
-    end
-  end
-end
-
+# TODO: Check the permission table for double entries, ie: both an entry in the
+# generic_role_id field and an entry in the context_role field. Solution: solve
+# via model. Update model & add test
+require "cbac/setup"
+require "cbac/config"
+require "cbac/context_role"
+require "cbac/generic_role"
+require "cbac/known_permission"
+require "cbac/membership"
+require "cbac/permission"
+require "cbac/privilege"
+require "cbac/privilege_new_api"
+require "cbac/privilege_set"
+require "cbac/privilege_set_record"
+require "cbac/cbac_pristine/pristine"
+require "cbac/cbac_pristine/pristine_file"
+require "cbac/cbac_pristine/pristine_permission"
+require "cbac/cbac_pristine/pristine_role"
+
+# The following code contains configuration options. You can turn them on for
+# gem development. For actual usage, it is advisable to set the configuration
+# options in the environment files.
+Cbac::Config.verbose = true
+
+# Module containing the bootstrap code
+module Cbac
+  def cbac_boot!
+    if Cbac::Setup.check
+      puts "CBAC properly installed"
+   
+      require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/privilege'))
+      require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/privilege_set'))
+      require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/context_role'))
+      require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/cbac_pristine/pristine'))
+      require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/cbac_pristine/pristine_file'))
+      require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/cbac_pristine/pristine_permission'))
+
+      # check performs a check to see if the user is allowed to access the given
+      # resource. Example: authorization_check("BlogController", "index", :get)
+      def authorization_check(controller, action, request, context = {})
+        # Determine the controller to look for
+        controller_method = [controller, action].join("/")
+        # Get the privilegesets
+        privilege_sets = Privilege.select(controller_method, request)
+        # Check the privilege sets
+        check_privilege_sets(privilege_sets, context)
+      end
+
+      # Check the given privilege_set symbol
+      # TODO following code is not yet tested
+      def check_privilege_set(privilege_set, context = {})
+        check_privilege_sets([PrivilegeSet.sets[privilege_set.to_sym]], context)
+      end
+
+      # Check the given privilege_sets
+      def check_privilege_sets(privilege_sets, context = {})
+        # Check the generic roles
+        return true if privilege_sets.any? { |set| Cbac::GenericRole.find(:all, :conditions => ["user_id= ? AND privilege_set_id = ?", current_user, set.id],:joins => [:generic_role_members, :permissions]).length > 0 }
+        # Check the context roles Get the permissions
+        privilege_sets.collect{|privilege_set|Cbac::Permission.find(:all, :conditions => ["privilege_set_id = ? AND generic_role_id = 0", privilege_set.id.to_s])}.flatten.each do |permission|
+          puts "Checking for context_role:#{permission.context_role} on privilege_set:#{permission.privilege_set.name}" if Cbac::Config.verbose
+          eval_string = ContextRole.roles[permission.context_role.to_sym]
+          begin
+            return true if eval_string.call(context)
+          rescue Exception => e
+            puts "Error in context role: #{permission.context_role} on privilege_set: #{permission.privilege_set.name}. Context: #{context}"
+            raise e if RAILS_ENV == "development" or RAILS_ENV == "test" # In development mode, this should crash as hard as possible, but in further stages, it should not
+          end
+        end
+        # not authorized
+        puts "Not authorized for: #{privilege_sets.to_s}" if Cbac::Config.verbose
+        false
+      end
+
+      # Code that performs authorization
+      def authorize
+        authorization_check(params[:controller], params[:action], request.request_method.downcase, self) || unauthorized
+      end
+
+      # Default unauthorized method Override this method to supply your own code
+      # for incorrect authorization
+      def unauthorized
+        render :text => "You are not authorized to perform this action", :status => 401
+      end
+
+      # Default implementation of the current_user method
+      def current_user_id
+        session[:currentuser].to_i
+      end
+
+      # Load controller classes and methods
+      def load_controller_methods
+        begin
+          Dir.glob("app/controllers/**/*.rb").each{|file| require file}
+        rescue LoadError
+          raise "Could not load controller classes"
+        end
+        # Make this iterative TODO
+        @classes = ApplicationController.subclasses
+      end
+
+      # Extracts the class name from the filename
+      def extract_class_name(filename)
+        File.basename(filename).chomp(".rb").camelize
+      end
+
+      # ### Initializer Include privileges file - contains the privilege and
+      # privilege definitions
+      begin
+        require File.join(::Rails.root.to_s, "config", "cbac", "privileges.rb")
+      rescue MissingSourceFile
+        puts "CBAC warning: Could not load config/cbac/privileges.rb (Did you run ./script/generate cbac?)"
+      end
+      # Include context roles file - contains the context role definitions
+      begin
+        require File.join(::Rails.root.to_s, "config", "cbac", "context_roles.rb")
+      rescue MissingSourceFile
+        puts "CBAC warning: Could not load config/cbac/context_roles.rb (Did you run ./script/generate cbac?)"
+      end
+
+      # ### Database autoload code
+    else
+      # This is the code that is executed if CBAc is not properly installed/
+      # configured. It includes a different authorize method, aimes at refusing
+      # all authorizations
+      def authorize
+        render :text => "Authorization error", :status => 401
+        false
+      end
+    end
+  end
+end

data/lib/cbac/cbac_pristine/pristine.rb

@@ -1,135 +1,135 @@
-require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_file'))
-require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_permission'))
-
-module Cbac
-  module CbacPristine
-    #creates a yml file containing all generic roles from the specified pristine file objects
-    def create_generic_role_fixtures_file(pristine_files, fixtures_file_name)
-      roles = []
-
-      pristine_files.each do |pristine_file|
-        #if the pristine file wasn't parsed yet, we'll do it here
-        pristine_file.parse(false) if pristine_file.permissions.empty?
-        pristine_file.generic_roles.each do |generic_role|
-          # we only want the unique generic roles, because the yml file cannot have duplicates
-          has_role = false
-          roles.each do |role|
-            if role.name == generic_role.name
-              has_role = true
-            end
-          end
-          roles.push(generic_role) unless has_role
-        end
-      end
-      create_fixtures_file(roles, fixtures_file_name)
-    end
-
-    # creates a yml file containing all cbac_permissions from the specified pristine file objects
-    def create_permissions_fixtures_file(pristine_files, fixtures_file_name)
-      permissions = []
-
-      pristine_files.each do |pristine_file|
-        pristine_file.parse(false) if pristine_file.permissions.empty?
-        pristine_file.permission_set.each do |line|
-          permissions.push(line)
-        end
-      end
-      create_fixtures_file(permissions, fixtures_file_name)
-    end
-
-    # turns the fixtures into yml and writes them to a file with specified name.
-    def create_fixtures_file(fixtures, fixtures_file_name)
-      File.delete(fixtures_file_name) if File.exists?(fixtures_file_name)
-      f = File.new(fixtures_file_name, "w")
-      flock(f, File::LOCK_EX) do |f|
-        fixtures.each_with_index do |fixture, index|
-          f.write(fixture.to_yml_fixture(index + 1))
-        end
-      end
-    end
-
-    # set all cbac permissions and generic roles to the state in the specified pristine file objects
-    def set_pristine_state(pristine_files, clear_tables)
-      clear_cbac_tables if clear_tables
-      pristine_files.each do |pristine_file|
-        pristine_file.parse if pristine_file.permissions.empty?
-        pristine_file.permissions.each do |permission|
-          permission.accept
-        end
-      end
-    end
-
-    # stage all unknown cbac_permissions
-    def stage_permissions(pristine_files)
-
-      pristine_files.each do |pristine_file|
-        pristine_file.parse(true) if pristine_file.permissions.empty?
-        pristine_file.permissions.each do |permission|
-          permission.stage
-        end
-      end
-    end
-
-    def clear_cbac_tables
-      Cbac::GenericRole.delete_all
-      Cbac::Membership.delete_all
-      Cbac::Permission.delete_all
-      Cbac::KnownPermission.delete_all
-      Cbac::CbacPristine::PristinePermission.delete_all
-      Cbac::CbacPristine::PristineRole.delete_all
-    end
-
-    def delete_generic_known_permissions
-      known_permissions = Cbac::KnownPermission.find(:all, :conditions => {:permission_type => Cbac::KnownPermission.PERMISSION_TYPES[:generic]})
-      known_permissions.each { |p| p.destroy }
-    end
-
-    def delete_generic_permissions
-      permissions = Cbac::Permission.find(:all, :conditions => {:context_role => nil})
-      # for backwards compatibility, generic_role name was administrators instead of administrator
-      # SMELL: administrator role *only* identified by name
-      (permissions.select { |perm| perm.generic_role.name != "administrator" and perm.generic_role.name != "administrators" }).each { |p| p.destroy }
-    end
-
-    def delete_non_generic_staged_permissions
-      PristinePermission.delete_non_generic_permissions
-    end
-
-    def delete_generic_staged_permissions
-      PristinePermission.delete_generic_permissions
-    end
-
-    def database_contains_cbac_data?
-      return (Cbac::GenericRole.count != 0 or Cbac::Membership.count != 0 or Cbac::Permission.count != 0 or Cbac::KnownPermission.count != 0 or Cbac::CbacPristine::PristinePermission.count != 0 or Cbac::CbacPristine::PristineRole.count != 0)
-    end
-
-    def create_generic_pristine_file(file_name)
-       GenericPristineFile.new(file_name)      
-    end
-
-    def create_pristine_file(file_name)
-       PristineFile.new(file_name)
-    end
-
-    def number_of_generic_staged_permissions
-      PristinePermission.count_generic_permissions
-    end
-
-    def number_of_non_generic_staged_permissions
-      PristinePermission.count_non_generic_permissions
-    end
-
-    def flock(file, mode)
-      success = file.flock(mode)
-      if success
-        begin
-          yield file
-        ensure
-          file.flock(File::LOCK_UN)
-        end
-      end
-      return success
-    end
-
-  end
+require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_file'))
+require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_permission'))
+
+module Cbac
+  module CbacPristine
+    #creates a yml file containing all generic roles from the specified pristine file objects
+    def create_generic_role_fixtures_file(pristine_files, fixtures_file_name)
+      roles = []
+
+      pristine_files.each do |pristine_file|
+        #if the pristine file wasn't parsed yet, we'll do it here
+        pristine_file.parse(false) if pristine_file.permissions.empty?
+        pristine_file.generic_roles.each do |generic_role|
+          # we only want the unique generic roles, because the yml file cannot have duplicates
+          has_role = false
+          roles.each do |role|
+            if role.name == generic_role.name
+              has_role = true
+            end
+          end
+          roles.push(generic_role) unless has_role
+        end
+      end
+      create_fixtures_file(roles, fixtures_file_name)
+    end
+
+    # creates a yml file containing all cbac_permissions from the specified pristine file objects
+    def create_permissions_fixtures_file(pristine_files, fixtures_file_name)
+      permissions = []
+
+      pristine_files.each do |pristine_file|
+        pristine_file.parse(false) if pristine_file.permissions.empty?
+        pristine_file.permission_set.each do |line|
+          permissions.push(line)
+        end
+      end
+      create_fixtures_file(permissions, fixtures_file_name)
+    end
+
+    # turns the fixtures into yml and writes them to a file with specified name.
+    def create_fixtures_file(fixtures, fixtures_file_name)
+      File.delete(fixtures_file_name) if File.exists?(fixtures_file_name)
+      f = File.new(fixtures_file_name, "w")
+      flock(f, File::LOCK_EX) do |f|
+        fixtures.each_with_index do |fixture, index|
+          f.write(fixture.to_yml_fixture(index + 1))
+        end
+      end
+    end
+
+    # set all cbac permissions and generic roles to the state in the specified pristine file objects
+    def set_pristine_state(pristine_files, clear_tables)
+      clear_cbac_tables if clear_tables
+      pristine_files.each do |pristine_file|
+        pristine_file.parse if pristine_file.permissions.empty?
+        pristine_file.permissions.each do |permission|
+          permission.accept
+        end
+      end
+    end
+
+    # stage all unknown cbac_permissions
+    def stage_permissions(pristine_files)
+
+      pristine_files.each do |pristine_file|
+        pristine_file.parse(true) if pristine_file.permissions.empty?
+        pristine_file.permissions.each do |permission|
+          permission.stage
+        end
+      end
+    end
+
+    def clear_cbac_tables
+      Cbac::GenericRole.delete_all
+      Cbac::Membership.delete_all
+      Cbac::Permission.delete_all
+      Cbac::KnownPermission.delete_all
+      Cbac::CbacPristine::PristinePermission.delete_all
+      Cbac::CbacPristine::PristineRole.delete_all
+    end
+
+    def delete_generic_known_permissions
+      known_permissions = Cbac::KnownPermission.find(:all, :conditions => {:permission_type => Cbac::KnownPermission.PERMISSION_TYPES[:generic]})
+      known_permissions.each { |p| p.destroy }
+    end
+
+    def delete_generic_permissions
+      permissions = Cbac::Permission.find(:all, :conditions => {:context_role => nil})
+      # for backwards compatibility, generic_role name was administrators instead of administrator
+      # SMELL: administrator role *only* identified by name
+      (permissions.select { |perm| perm.generic_role.name != "administrator" and perm.generic_role.name != "administrators" }).each { |p| p.destroy }
+    end
+
+    def delete_non_generic_staged_permissions
+      PristinePermission.delete_non_generic_permissions
+    end
+
+    def delete_generic_staged_permissions
+      PristinePermission.delete_generic_permissions
+    end
+
+    def database_contains_cbac_data?
+      return (Cbac::GenericRole.count != 0 or Cbac::Membership.count != 0 or Cbac::Permission.count != 0 or Cbac::KnownPermission.count != 0 or Cbac::CbacPristine::PristinePermission.count != 0 or Cbac::CbacPristine::PristineRole.count != 0)
+    end
+
+    def create_generic_pristine_file(file_name)
+       GenericPristineFile.new(file_name)      
+    end
+
+    def create_pristine_file(file_name)
+       PristineFile.new(file_name)
+    end
+
+    def number_of_generic_staged_permissions
+      PristinePermission.count_generic_permissions
+    end
+
+    def number_of_non_generic_staged_permissions
+      PristinePermission.count_non_generic_permissions
+    end
+
+    def flock(file, mode)
+      success = file.flock(mode)
+      if success
+        begin
+          yield file
+        ensure
+          file.flock(File::LOCK_UN)
+        end
+      end
+      return success
+    end
+
+  end
 end