cbac 0.6.3 → 0.6.4

data/context_roles.rb

@@ -1,21 +1,21 @@
-### context_roles.rb
-#
-# Defines the context roles for the CBAC system
-#
-include Cbac
-
-# Defining context roles
-ContextRole.add :not_logged_in_user, 'current_user == 0'
-ContextRole.add :logged_in_user, 'current_user.to_i > 0'
-ContextRole.add :everybody, "true"
-ContextRole.add :news_owner do
-  context[:post].user.id == current_user
-end
-
-ContextRole.add :news_owner_with_email do
-  return false if News.find(params[:id]).author_id == current_user
-  return false if User.find(current_user).email.nil?
-  true
-end
-
-
+### context_roles.rb
+#
+# Defines the context roles for the CBAC system
+#
+include Cbac
+
+# Defining context roles
+ContextRole.add :not_logged_in_user, 'current_user == 0'
+ContextRole.add :logged_in_user, 'current_user.to_i > 0'
+ContextRole.add :everybody, "true"
+ContextRole.add :news_owner do
+  context[:post].user.id == current_user
+end
+
+ContextRole.add :news_owner_with_email do
+  return false if News.find(params[:id]).author_id == current_user
+  return false if User.find(current_user).email.nil?
+  true
+end
+
+

data/init.rb

@@ -1,3 +1,3 @@
-# Include CBAC core file
-require File.dirname(__FILE__) + '/lib/cbac.rb'
-
+# Include CBAC core file
+require File.dirname(__FILE__) + '/lib/cbac.rb'
+

data/lib/cbac.rb

@@ -1,132 +1,132 @@
-# TODO: Check the permission table for double entries, ie: both an entry in the
-# generic_role_id field and an entry in the context_role field. Solution: solve
-# via model. Update model & add test
-require "cbac/setup"
-require "cbac/config"
-require "cbac/context_role"
-require "cbac/generic_role"
-require "cbac/known_permission"
-require "cbac/membership"
-require "cbac/permission"
-require "cbac/privilege"
-require "cbac/privilege_new_api"
-require "cbac/privilege_set"
-require "cbac/privilege_set_record"
-require "cbac/cbac_pristine/pristine"
-require "cbac/cbac_pristine/pristine_file"
-require "cbac/cbac_pristine/pristine_permission"
-require "cbac/cbac_pristine/pristine_role"
-
-# The following code contains configuration options. You can turn them on for
-# gem development. For actual usage, it is advisable to set the configuration
-# options in the environment files.
-Cbac::Config.verbose = true
-
-# Module containing the bootstrap code
-module Cbac
-  def cbac_boot!
-    if Cbac::Setup.check
-      puts "CBAC properly installed"
-   
-      require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/privilege'))
-      require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/privilege_set'))
-      require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/context_role'))
-      require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/cbac_pristine/pristine'))
-      require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/cbac_pristine/pristine_file'))
-      require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/cbac_pristine/pristine_permission'))
-
-      # check performs a check to see if the user is allowed to access the given
-      # resource. Example: authorization_check("BlogController", "index", :get)
-      def authorization_check(controller, action, request, context = {})
-        # Determine the controller to look for
-        controller_method = [controller, action].join("/")
-        # Get the privilegesets
-        privilege_sets = Privilege.select(controller_method, request)
-        # Check the privilege sets
-        check_privilege_sets(privilege_sets, context)
-      end
-
-      # Check the given privilege_set symbol
-      # TODO following code is not yet tested
-      def check_privilege_set(privilege_set, context = {})
-        check_privilege_sets([PrivilegeSet.sets[privilege_set.to_sym]], context)
-      end
-
-      # Check the given privilege_sets
-      def check_privilege_sets(privilege_sets, context = {})
-        # Check the generic roles
-        return true if privilege_sets.any? { |set| Cbac::GenericRole.find(:all, :conditions => ["user_id= ? AND privilege_set_id = ?", current_user, set.id],:joins => [:generic_role_members, :permissions]).length > 0 }
-        # Check the context roles Get the permissions
-        privilege_sets.collect{|privilege_set|Cbac::Permission.find(:all, :conditions => ["privilege_set_id = ? AND generic_role_id = 0", privilege_set.id.to_s])}.flatten.each do |permission|
-          puts "Checking for context_role:#{permission.context_role} on privilege_set:#{permission.privilege_set.name}" if Cbac::Config.verbose
-          eval_string = ContextRole.roles[permission.context_role.to_sym]
-          begin
-            return true if eval_string.call(context)
-          rescue Exception => e
-            puts "Error in context role: #{permission.context_role} on privilege_set: #{permission.privilege_set.name}. Context: #{context}"
-            raise e if RAILS_ENV == "development" or RAILS_ENV == "test" # In development mode, this should crash as hard as possible, but in further stages, it should not
-          end
-        end
-        # not authorized
-        puts "Not authorized for: #{privilege_sets.to_s}" if Cbac::Config.verbose
-        false
-      end
-
-      # Code that performs authorization
-      def authorize
-        authorization_check(params[:controller], params[:action], request.request_method.downcase, self) || unauthorized
-      end
-
-      # Default unauthorized method Override this method to supply your own code
-      # for incorrect authorization
-      def unauthorized
-        render :text => "You are not authorized to perform this action", :status => 401
-      end
-
-      # Default implementation of the current_user method
-      def current_user_id
-        session[:currentuser].to_i
-      end
-
-      # Load controller classes and methods
-      def load_controller_methods
-        begin
-          Dir.glob("app/controllers/**/*.rb").each{|file| require file}
-        rescue LoadError
-          raise "Could not load controller classes"
-        end
-        # Make this iterative TODO
-        @classes = ApplicationController.subclasses
-      end
-
-      # Extracts the class name from the filename
-      def extract_class_name(filename)
-        File.basename(filename).chomp(".rb").camelize
-      end
-
-      # ### Initializer Include privileges file - contains the privilege and
-      # privilege definitions
-      begin
-        require File.join(::Rails.root.to_s, "config", "cbac", "privileges.rb")
-      rescue MissingSourceFile
-        puts "CBAC warning: Could not load config/cbac/privileges.rb (Did you run ./script/generate cbac?)"
-      end
-      # Include context roles file - contains the context role definitions
-      begin
-        require File.join(::Rails.root.to_s, "config", "cbac", "context_roles.rb")
-      rescue MissingSourceFile
-        puts "CBAC warning: Could not load config/cbac/context_roles.rb (Did you run ./script/generate cbac?)"
-      end
-
-      # ### Database autoload code
-    else
-      # This is the code that is executed if CBAc is not properly installed/
-      # configured. It includes a different authorize method, aimes at refusing
-      # all authorizations
-      def authorize
-        render :text => "Authorization error", :status => 401
-        false
-      end
-    end
-  end
-end
+# TODO: Check the permission table for double entries, ie: both an entry in the
+# generic_role_id field and an entry in the context_role field. Solution: solve
+# via model. Update model & add test
+require "cbac/setup"
+require "cbac/config"
+require "cbac/context_role"
+require "cbac/generic_role"
+require "cbac/known_permission"
+require "cbac/membership"
+require "cbac/permission"
+require "cbac/privilege"
+require "cbac/privilege_new_api"
+require "cbac/privilege_set"
+require "cbac/privilege_set_record"
+require "cbac/cbac_pristine/pristine"
+require "cbac/cbac_pristine/pristine_file"
+require "cbac/cbac_pristine/pristine_permission"
+require "cbac/cbac_pristine/pristine_role"
+
+# The following code contains configuration options. You can turn them on for
+# gem development. For actual usage, it is advisable to set the configuration
+# options in the environment files.
+Cbac::Config.verbose = true
+
+# Module containing the bootstrap code
+module Cbac
+  def cbac_boot!
+    if Cbac::Setup.check
+      puts "CBAC properly installed"
+   
+      require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/privilege'))
+      require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/privilege_set'))
+      require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/context_role'))
+      require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/cbac_pristine/pristine'))
+      require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/cbac_pristine/pristine_file'))
+      require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/cbac_pristine/pristine_permission'))
+
+      # check performs a check to see if the user is allowed to access the given
+      # resource. Example: authorization_check("BlogController", "index", :get)
+      def authorization_check(controller, action, request, context = {})
+        # Determine the controller to look for
+        controller_method = [controller, action].join("/")
+        # Get the privilegesets
+        privilege_sets = Privilege.select(controller_method, request)
+        # Check the privilege sets
+        check_privilege_sets(privilege_sets, context)
+      end
+
+      # Check the given privilege_set symbol
+      # TODO following code is not yet tested
+      def check_privilege_set(privilege_set, context = {})
+        check_privilege_sets([PrivilegeSet.sets[privilege_set.to_sym]], context)
+      end
+
+      # Check the given privilege_sets
+      def check_privilege_sets(privilege_sets, context = {})
+        # Check the generic roles
+        return true if privilege_sets.any? { |set| Cbac::GenericRole.find(:all, :conditions => ["user_id= ? AND privilege_set_id = ?", current_user, set.id],:joins => [:generic_role_members, :permissions]).length > 0 }
+        # Check the context roles Get the permissions
+        privilege_sets.collect{|privilege_set|Cbac::Permission.find(:all, :conditions => ["privilege_set_id = ? AND generic_role_id = 0", privilege_set.id.to_s])}.flatten.each do |permission|
+          puts "Checking for context_role:#{permission.context_role} on privilege_set:#{permission.privilege_set.name}" if Cbac::Config.verbose
+          eval_string = ContextRole.roles[permission.context_role.to_sym]
+          begin
+            return true if eval_string.call(context)
+          rescue Exception => e
+            puts "Error in context role: #{permission.context_role} on privilege_set: #{permission.privilege_set.name}. Context: #{context}"
+            raise e if RAILS_ENV == "development" or RAILS_ENV == "test" # In development mode, this should crash as hard as possible, but in further stages, it should not
+          end
+        end
+        # not authorized
+        puts "Not authorized for: #{privilege_sets.to_s}" if Cbac::Config.verbose
+        false
+      end
+
+      # Code that performs authorization
+      def authorize
+        authorization_check(params[:controller], params[:action], request.request_method.downcase, self) || unauthorized
+      end
+
+      # Default unauthorized method Override this method to supply your own code
+      # for incorrect authorization
+      def unauthorized
+        render :text => "You are not authorized to perform this action", :status => 401
+      end
+
+      # Default implementation of the current_user method
+      def current_user_id
+        session[:currentuser].to_i
+      end
+
+      # Load controller classes and methods
+      def load_controller_methods
+        begin
+          Dir.glob("app/controllers/**/*.rb").each{|file| require file}
+        rescue LoadError
+          raise "Could not load controller classes"
+        end
+        # Make this iterative TODO
+        @classes = ApplicationController.subclasses
+      end
+
+      # Extracts the class name from the filename
+      def extract_class_name(filename)
+        File.basename(filename).chomp(".rb").camelize
+      end
+
+      # ### Initializer Include privileges file - contains the privilege and
+      # privilege definitions
+      begin
+        require File.join(::Rails.root.to_s, "config", "cbac", "privileges.rb")
+      rescue MissingSourceFile
+        puts "CBAC warning: Could not load config/cbac/privileges.rb (Did you run ./script/generate cbac?)"
+      end
+      # Include context roles file - contains the context role definitions
+      begin
+        require File.join(::Rails.root.to_s, "config", "cbac", "context_roles.rb")
+      rescue MissingSourceFile
+        puts "CBAC warning: Could not load config/cbac/context_roles.rb (Did you run ./script/generate cbac?)"
+      end
+
+      # ### Database autoload code
+    else
+      # This is the code that is executed if CBAc is not properly installed/
+      # configured. It includes a different authorize method, aimes at refusing
+      # all authorizations
+      def authorize
+        render :text => "Authorization error", :status => 401
+        false
+      end
+    end
+  end
+end

data/lib/cbac/cbac_pristine/pristine.rb

@@ -1,138 +1,138 @@
-require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_file'))
-require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_permission'))
-
-module Cbac
-  module CbacPristine
-    #creates a yml file containing all generic roles from the specified pristine file objects
-    def create_generic_role_fixtures_file(pristine_files, fixtures_file_name)
-      roles = []
-
-      pristine_files.each do |pristine_file|
-        #if the pristine file wasn't parsed yet, we'll do it here
-        pristine_file.parse(false) if pristine_file.permissions.nil? || pristine_file.permissions.empty?
-        pristine_file.generic_roles.each do |generic_role|
-          # we only want the unique generic roles, because the yml file cannot have duplicates
-          has_role = false
-          roles.each do |role|
-            if role.name == generic_role.name
-              has_role = true
-            end
-          end
-          roles.push(generic_role) unless has_role
-        end
-      end
-      create_fixtures_file(roles, fixtures_file_name)
-    end
-
-    # creates a yml file containing all cbac_permissions from the specified pristine file objects
-    def create_permissions_fixtures_file(pristine_files, fixtures_file_name)
-      permissions = []
-
-      pristine_files.each do |pristine_file|
-        pristine_file.parse(false) if pristine_file.permissions.nil? || pristine_file.permissions.empty?
-        pristine_file.permission_set.each do |line|
-          permissions.push(line)
-        end
-      end
-      create_fixtures_file(permissions, fixtures_file_name)
-    end
-
-    # turns the fixtures into yml and writes them to a file with specified name.
-    def create_fixtures_file(fixtures, fixtures_file_name)
-      File.delete(fixtures_file_name) if File.exists?(fixtures_file_name)
-      f = File.new(fixtures_file_name, "w")
-      flock(f, File::LOCK_EX) do |f|
-        fixtures.each_with_index do |fixture, index|
-          f.write(fixture.to_yml_fixture(index + 1))
-        end
-      end
-    end
-
-    # set all cbac permissions and generic roles to the state in the specified pristine file objects
-    def set_pristine_state(pristine_files, clear_tables)
-      clear_cbac_tables if clear_tables
-      pristine_files.each do |pristine_file|
-        pristine_file.parse if pristine_file.permissions.nil? || pristine_file.permissions.empty?
-        pristine_file.permissions.each do |permission|
-          permission.accept
-        end
-      end
-    end
-
-    # stage all unknown cbac_permissions
-    def stage_permissions(pristine_files)
-
-      pristine_files.each do |pristine_file|
-        pristine_file.parse(true) if pristine_file.permissions.nil? || pristine_file.permissions.empty?
-        pristine_file.permissions.each do |permission|
-          permission.stage
-        end
-      end
-    end
-
-    def clear_cbac_tables
-      Cbac::GenericRole.delete_all
-      Cbac::Membership.delete_all
-      Cbac::Permission.delete_all
-      Cbac::KnownPermission.delete_all
-      Cbac::CbacPristine::PristineFile.delete_all
-      Cbac::CbacPristine::PristinePermission.delete_all
-      Cbac::CbacPristine::PristineRole.delete_all
-    end
-
-    def delete_generic_known_permissions
-      known_permissions = Cbac::KnownPermission.find(:all, :conditions => {:permission_type => Cbac::KnownPermission.PERMISSION_TYPES[:generic]})
-      known_permissions.each { |p| p.destroy }
-    end
-
-    def delete_generic_permissions
-      permissions = Cbac::Permission.find(:all, :conditions => {:context_role => nil})
-      # for backwards compatibility, generic_role name was administrators instead of administrator
-      # SMELL: administrator role *only* identified by name
-      (permissions.select { |perm| perm.generic_role.name != "administrator" and perm.generic_role.name != "administrators" }).each { |p| p.destroy }
-    end
-
-    def delete_non_generic_staged_permissions
-      PristinePermission.delete_non_generic_permissions
-    end
-
-    def delete_generic_staged_permissions
-      PristinePermission.delete_generic_permissions
-    end
-
-    def database_contains_cbac_data?
-      (Cbac::GenericRole.count != 0 or Cbac::Membership.count != 0 or Cbac::Permission.count != 0 or Cbac::KnownPermission.count != 0 or Cbac::CbacPristine::PristinePermission.count != 0 or Cbac::CbacPristine::PristineRole.count != 0)
-    end
-
-    def find_or_create_generic_pristine_file(file_name)
-      pristine_file = GenericPristineFile.find_by_file_name(file_name)
-      pristine_file.present? ? pristine_file : GenericPristineFile.create(:file_name => file_name)
-    end
-
-    def find_or_create_pristine_file(file_name)
-      pristine_file = PristineFile.find_by_file_name(file_name)
-      pristine_file.present? ? pristine_file : PristineFile.create(:file_name => file_name)
-    end
-
-    def number_of_generic_staged_permissions
-      PristinePermission.count_generic_permissions
-    end
-
-    def number_of_non_generic_staged_permissions
-      PristinePermission.count_non_generic_permissions
-    end
-
-    def flock(file, mode)
-      success = file.flock(mode)
-      if success
-        begin
-          yield file
-        ensure
-          file.flock(File::LOCK_UN)
-        end
-      end
-      return success
-    end
-
-  end
-end
+require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_file'))
+require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_permission'))
+
+module Cbac
+  module CbacPristine
+    #creates a yml file containing all generic roles from the specified pristine file objects
+    def create_generic_role_fixtures_file(pristine_files, fixtures_file_name)
+      roles = []
+
+      pristine_files.each do |pristine_file|
+        #if the pristine file wasn't parsed yet, we'll do it here
+        pristine_file.parse(false) if pristine_file.permissions.nil? || pristine_file.permissions.empty?
+        pristine_file.generic_roles.each do |generic_role|
+          # we only want the unique generic roles, because the yml file cannot have duplicates
+          has_role = false
+          roles.each do |role|
+            if role.name == generic_role.name
+              has_role = true
+            end
+          end
+          roles.push(generic_role) unless has_role
+        end
+      end
+      create_fixtures_file(roles, fixtures_file_name)
+    end
+
+    # creates a yml file containing all cbac_permissions from the specified pristine file objects
+    def create_permissions_fixtures_file(pristine_files, fixtures_file_name)
+      permissions = []
+
+      pristine_files.each do |pristine_file|
+        pristine_file.parse(false) if pristine_file.permissions.nil? || pristine_file.permissions.empty?
+        pristine_file.permission_set.each do |line|
+          permissions.push(line)
+        end
+      end
+      create_fixtures_file(permissions, fixtures_file_name)
+    end
+
+    # turns the fixtures into yml and writes them to a file with specified name.
+    def create_fixtures_file(fixtures, fixtures_file_name)
+      File.delete(fixtures_file_name) if File.exists?(fixtures_file_name)
+      f = File.new(fixtures_file_name, "w")
+      flock(f, File::LOCK_EX) do |f|
+        fixtures.each_with_index do |fixture, index|
+          f.write(fixture.to_yml_fixture(index + 1))
+        end
+      end
+    end
+
+    # set all cbac permissions and generic roles to the state in the specified pristine file objects
+    def set_pristine_state(pristine_files, clear_tables)
+      clear_cbac_tables if clear_tables
+      pristine_files.each do |pristine_file|
+        pristine_file.parse if pristine_file.permissions.nil? || pristine_file.permissions.empty?
+        pristine_file.permissions.each do |permission|
+          permission.accept
+        end
+      end
+    end
+
+    # stage all unknown cbac_permissions
+    def stage_permissions(pristine_files)
+
+      pristine_files.each do |pristine_file|
+        pristine_file.parse(true) if pristine_file.permissions.nil? || pristine_file.permissions.empty?
+        pristine_file.permissions.each do |permission|
+          permission.stage
+        end
+      end
+    end
+
+    def clear_cbac_tables
+      Cbac::GenericRole.delete_all
+      Cbac::Membership.delete_all
+      Cbac::Permission.delete_all
+      Cbac::KnownPermission.delete_all
+      Cbac::CbacPristine::PristineFile.delete_all
+      Cbac::CbacPristine::PristinePermission.delete_all
+      Cbac::CbacPristine::PristineRole.delete_all
+    end
+
+    def delete_generic_known_permissions
+      known_permissions = Cbac::KnownPermission.find(:all, :conditions => {:permission_type => Cbac::KnownPermission.PERMISSION_TYPES[:generic]})
+      known_permissions.each { |p| p.destroy }
+    end
+
+    def delete_generic_permissions
+      permissions = Cbac::Permission.find(:all, :conditions => {:context_role => nil})
+      # for backwards compatibility, generic_role name was administrators instead of administrator
+      # SMELL: administrator role *only* identified by name
+      (permissions.select { |perm| perm.generic_role.name != "administrator" and perm.generic_role.name != "administrators" }).each { |p| p.destroy }
+    end
+
+    def delete_non_generic_staged_permissions
+      PristinePermission.delete_non_generic_permissions
+    end
+
+    def delete_generic_staged_permissions
+      PristinePermission.delete_generic_permissions
+    end
+
+    def database_contains_cbac_data?
+      (Cbac::GenericRole.count != 0 or Cbac::Membership.count != 0 or Cbac::Permission.count != 0 or Cbac::KnownPermission.count != 0 or Cbac::CbacPristine::PristinePermission.count != 0 or Cbac::CbacPristine::PristineRole.count != 0)
+    end
+
+    def find_or_create_generic_pristine_file(file_name)
+      pristine_file = GenericPristineFile.find_by_file_name(file_name)
+      pristine_file.present? ? pristine_file : GenericPristineFile.create(:file_name => file_name)
+    end
+
+    def find_or_create_pristine_file(file_name)
+      pristine_file = PristineFile.find_by_file_name(file_name)
+      pristine_file.present? ? pristine_file : PristineFile.create(:file_name => file_name)
+    end
+
+    def number_of_generic_staged_permissions
+      PristinePermission.count_generic_permissions
+    end
+
+    def number_of_non_generic_staged_permissions
+      PristinePermission.count_non_generic_permissions
+    end
+
+    def flock(file, mode)
+      success = file.flock(mode)
+      if success
+        begin
+          yield file
+        ensure
+          file.flock(File::LOCK_UN)
+        end
+      end
+      return success
+    end
+
+  end
+end