corral_acl 0.9.0

data/lib/corral/ability.rb

@@ -0,0 +1,85 @@
+module Corral
+  module Ability
+    # Check whether the object can perform an action on a subject.
+    #
+    # @overload can?(action, subject)
+    #   @param action [Symbol] The action, represented as a symbol.
+    #   @param subject [Object] The subject.
+    # @overload can?(action, subject, args)
+    #   @param action [Symbol] The action, represented as a symbol.
+    #   @param subject [Object] The subject.
+    #   @param args [Hash] Variable arguments for more granular matching.
+    # @return [Boolean] True or false.
+    def can?(action, subject, *args)
+      return true if @allow_anything
+      lookup_rule(subject).authorized?(action, subject, args)
+    end
+
+    # Inverse of #can?.
+    #
+    # @see #can?
+    def cannot?(*args)
+      not can?(*args)
+    end
+
+    # Adds a granting-access rule.
+    #
+    # @param action [Symbol] The action, represented as a symbol.
+    # @param subject [Object] The subject.
+    # @param block [Hash] Variable arguments for more granular matching.
+    def can(action, subject, &block)
+      rule_for(subject).add_grant(action, block)
+    end
+
+    # Inverse of #can.
+    #
+    # @see #can
+    def cannot(action, subject, &block)
+      rule_for(subject).add_deny(action, block)
+    end
+
+    # Allow the object to perform any action on any subject.
+    # This overrides any #cannot rules.
+    #
+    def allow_anything!
+      @allow_anything = true
+    end
+
+    # Check whether the object has authorization to perform the
+    # action it intends to on the subject. Raise AccessDenied
+    # if it doesn't.
+    #
+    # @param action [Symbol] The intended action.
+    # @param subject [Object] The subject of the action.
+    # @raise [AccessDenied] if the object does not have permission.
+    def authorize!(action, subject, *args)
+      raise AccessDenied if cannot?(action, subject, *args)
+    end
+
+    protected
+
+    # Subjects hash.
+    def subjects
+      @subjects ||= {}
+    end
+
+    # Find or create a new rule for the specified subject.
+    #
+    # @param subject [Object] The subject.
+    def rule_for(subject)
+      subjects[subject] ||= SubjectRule.new
+    end
+
+    # Lookup a rule for a particular subject.
+    #
+    # @param subject [Object] The subject.
+    def lookup_rule(subject)
+      case subject
+      when Symbol, Class
+        r = subjects[subject] || subjects[:all] || NullRule
+      else
+        subjects[subject.class] || NullRule
+      end
+    end
+  end
+end

data/lib/corral/controller_additions.rb

@@ -0,0 +1,76 @@
+module Corral
+  module ControllerAdditions
+    module ClassMethods
+      # Add this to a controller to ensure it performs authorization through +authorized+! or +authorize_resource+ call.
+      # If neither of these authorization methods are called, a Corral::AuthorizationNotPerformed exception will be raised.
+      # This can be placed in ApplicationController to ensure all controller actions do authorization.
+      def check_authorization(options = {})
+        self.after_filter(options.slice(:only, :except)) do |controller|
+          next if controller.instance_variable_defined?(:@_authorized)
+          next if options[:if] && !controller.send(options[:if])
+          next if options[:unless] && controller.send(options[:unless])
+          raise AuthorizationNotPerformed, "This action failed the check_authorization because it did not authorize a resource. Add skip_authorization_check to bypass this check."
+        end
+      end
+
+      # Call this in the class of a controller to skip the check_authorization behavior on the actions.
+      # Any arguments are passed to the +before_filter+ called.
+      def skip_authorization_check(*args)
+        self.before_filter(*args) do |controller|
+          controller.instance_variable_set(:@_authorized, true)
+        end
+      end
+    end
+
+    def self.included(base)
+      base.extend ClassMethods
+      base.helper_method :can?, :cannot?, :current_ability if base.respond_to? :helper_method
+    end
+
+    # Raises a Corral::AccessDenied exception if the current_ability cannot
+    # perform the given action. This is usually called in a controller action or
+    # before filter to perform the authorization.
+    #
+    # A :message option can be passed to specify a different message.
+    #
+    # You can rescue from the exception in the controller to customize how unauthorized
+    # access is displayed to the user.
+    #
+    # See the load_and_authorize_resource method to automatically add the authorize! behavior
+    # to the default RESTful actions.
+    def authorize!(*args)
+      @_authorized = true
+      current_ability.authorize!(*args)
+    end
+
+    # Creates and returns the current user's ability and caches it. If you
+    # want to override how the Ability is defined then this is the place.
+    # Just define the method in the controller to change behavior.
+    #
+    # Notice it is important to memoize the ability object so it is not
+    # recreated every time.
+    def current_ability
+      @current_ability ||= ::Ability.new(current_user)
+    end
+
+    # Use in the controller or view to check the user's permission for a given action
+    # and object.
+    #
+    # This simply calls "can?" on the current_ability. See Ability#can?.
+    def can?(*args)
+      current_ability.can?(*args)
+    end
+
+    # Convenience method which works the same as "can?" but returns the opposite value.
+    #
+    def cannot?(*args)
+      current_ability.cannot?(*args)
+    end
+  end
+end
+
+if defined? ActionController::Base
+  ActionController::Base.class_eval do
+    include Corral::ControllerAdditions
+  end
+end

data/lib/corral/exceptions.rb

@@ -0,0 +1,10 @@
+module Corral
+  # A general exception
+  class Error < StandardError; end
+
+  # Raised when using check_authorization without calling authorize!
+  class AuthorizationNotPerformed < Error; end
+
+  # This error is raised when a user isn't allowed to access a given controller action.
+  class AccessDenied < Error; end
+end

data/lib/corral/rule.rb

@@ -0,0 +1,45 @@
+module Corral
+  # Rule class representing actions doable on a subject.
+  # @!visibility private
+  class SubjectRule
+    def initialize
+      @actions = {}
+    end
+
+    # Add a granting ACL for a particular action.
+    #
+    # @param action [symbol] The action.
+    # @param block An optional block for granularity.
+    def add_grant(action, block)
+      @actions[action] = (block || true)
+    end
+
+    # Add a denying ACL for a particular action.
+    #
+    # @param action [symbol] The action.
+    # @param block An optional block for granularity.
+    def add_deny(action, block)
+      @actions[action] = (block || false)
+    end
+
+    # Return whether or not an object can perform a particular action on a subject
+    # @param action [Symbol] The action.
+    # @param subject [Object] The subject.
+    # @param args [Hash] Variable arguments for more granular matching.
+    # @return [Boolean] True or false.
+    def authorized?(action, subject, args)
+      block = @actions[:manage] || @actions[action]
+      return false unless block
+      return true if block == true
+      return !!block.call(*[subject, *args])
+    end
+  end
+
+  # Fake rule representing nothing matched a subject when looking up its ability.
+  # @!visibility private
+  class NullRule # :nodoc:
+    def self.authorized?(*)
+      false
+    end
+  end
+end

data/lib/corral/version.rb

@@ -0,0 +1,3 @@
+module Corral
+  VERSION = "0.9.0"
+end

data/lib/corral.rb

@@ -0,0 +1,5 @@
+require 'corral/version'
+require 'corral/rule'
+require 'corral/ability'
+require 'corral/controller_additions'
+require 'corral/exceptions'

data/lib/generators/corral/ability/USAGE

@@ -0,0 +1,4 @@
+Description:
+  The corral:ability generator creates an Ability class in the models
+  directory. You can move this file anywhere you want as long as it
+  is in the load path.

data/lib/generators/corral/ability/ability_generator.rb

@@ -0,0 +1,11 @@
+module Corral
+  module Generators
+    class AbilityGenerator < Rails::Generators::Base
+      source_root File.expand_path('../templates', __FILE__)
+
+      def generate_ability
+        copy_file "ability.rb", "app/models/ability.rb"
+      end
+    end
+  end
+end

data/lib/generators/corral/ability/templates/ability.rb

@@ -0,0 +1,25 @@
+class Ability
+  include Corral::Ability
+
+  def initialize(user)
+    # Define abilities for the passed in user here. For example:
+    #
+    #   user ||= User.new # guest user (not logged in)
+    #   if user.admin?
+    #     allow_anything!
+    #   else
+    #     can :read, Post
+    #   end
+    #
+    # The first argument to `can` is the action you are giving the user
+    # permission to do.
+    # If you pass :manage it will apply to every action. Other common actions
+    # here are :read, :create, :update and :destroy.
+    #
+    # The second argument is the resource the user can perform the action on.
+    # Pass a Ruby class of the resource.
+    #
+    #   can :update, Article
+    #
+  end
+end

data/spec/corral/ability_spec.rb

@@ -0,0 +1,26 @@
+require "spec_helper"
+
+describe Corral::Ability do
+  before :each do
+    (@ability = double).extend Corral::Ability
+  end
+
+  it "is able to do anything" do
+    @ability.allow_anything!
+    expect(@ability.can?(:manage, String)).to be true
+    expect(@ability.cannot?(:manage, String)).to be false
+  end
+
+  it "is able to perform a specific action on everything" do
+    @ability.can(:read, :all)
+    expect(@ability.can?(:read, String)).to be true
+    expect(@ability.can?(:write, String)).to be false
+  end
+
+  it "cannot do something it has been told it cannot do" do
+    @ability.can(:read, :all)
+    expect(@ability.can?(:read, :this)).to be true
+    @ability.cannot(:read, :this)
+    expect(@ability.can?(:read, :this)).to be false
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,97 @@
+require 'corral'
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# The generated `.rspec` file contains `--require spec_helper` which will cause
+# this file to always be loaded, without a need to explicitly require it in any
+# files.
+#
+# Given that it is always loaded, you are encouraged to keep this file as
+# light-weight as possible. Requiring heavyweight dependencies from this file
+# will add to the boot time of your test suite on EVERY test run, even for an
+# individual file that may not need all of that loaded. Instead, consider making
+# a separate helper file that requires the additional dependencies and performs
+# the additional setup, and require it from the spec files that actually need
+# it.
+#
+# The `.rspec` file also contains a few flags that are not defaults but that
+# users commonly want.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+RSpec.configure do |config|
+  # rspec-expectations config goes here. You can use an alternate
+  # assertion/expectation library such as wrong or the stdlib/minitest
+  # assertions if you prefer.
+  config.expect_with :rspec do |expectations|
+    # This option will default to `true` in RSpec 4. It makes the `description`
+    # and `failure_message` of custom matchers include text for helper methods
+    # defined using `chain`, e.g.:
+    #     be_bigger_than(2).and_smaller_than(4).description
+    #     # => "be bigger than 2 and smaller than 4"
+    # ...rather than:
+    #     # => "be bigger than 2"
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+  end
+
+  # rspec-mocks config goes here. You can use an alternate test double
+  # library (such as bogus or mocha) by changing the `mock_with` option here.
+  config.mock_with :rspec do |mocks|
+    # Prevents you from mocking or stubbing a method that does not exist on
+    # a real object. This is generally recommended, and will default to
+    # `true` in RSpec 4.
+    mocks.verify_partial_doubles = true
+  end
+
+# The settings below are suggested to provide a good initial experience
+# with RSpec, but feel free to customize to your heart's content.
+=begin
+  # These two settings work together to allow you to limit a spec run
+  # to individual examples or groups you care about by tagging them with
+  # `:focus` metadata. When nothing is tagged with `:focus`, all examples
+  # get run.
+  config.filter_run :focus
+  config.run_all_when_everything_filtered = true
+
+  # Allows RSpec to persist some state between runs in order to support
+  # the `--only-failures` and `--next-failure` CLI options. We recommend
+  # you configure your source control system to ignore this file.
+  config.example_status_persistence_file_path = "spec/examples.txt"
+
+  # Limits the available syntax to the non-monkey patched syntax that is
+  # recommended. For more details, see:
+  #   - http://rspec.info/blog/2012/06/rspecs-new-expectation-syntax/
+  #   - http://www.teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
+  #   - http://rspec.info/blog/2014/05/notable-changes-in-rspec-3/#zero-monkey-patching-mode
+  config.disable_monkey_patching!
+
+  # This setting enables warnings. It's recommended, but in some cases may
+  # be too noisy due to issues in dependencies.
+  config.warnings = true
+
+  # Many RSpec users commonly either run the entire suite or an individual
+  # file, and it's useful to allow more verbose output when running an
+  # individual spec file.
+  if config.files_to_run.one?
+    # Use the documentation formatter for detailed output,
+    # unless a formatter has already been configured
+    # (e.g. via a command-line flag).
+    config.default_formatter = 'doc'
+  end
+
+  # Print the 10 slowest examples and example groups at the
+  # end of the spec run, to help surface which specs are running
+  # particularly slow.
+  config.profile_examples = 10
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = :random
+
+  # Seed global randomization in this process using the `--seed` CLI option.
+  # Setting this allows you to use `--seed` to deterministically reproduce
+  # test failures related to randomization by passing the same `--seed` value
+  # as the one that triggered the failure.
+  Kernel.srand config.seed
+=end
+end

metadata

@@ -0,0 +1,101 @@
+--- !ruby/object:Gem::Specification
+name: corral_acl
+version: !ruby/object:Gem::Version
+  version: 0.9.0
+platform: ruby
+authors:
+- Arcaire
+- Liam White
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-07-06 00:00:00.000000000 Z
+dependencies: []
+description: Yet another authorization solution.
+email: "/dev/null"
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- Gemfile
+- LICENSE
+- README.md
+- corral.gemspec
+- doc/Ability.html
+- doc/Corral.html
+- doc/Corral/Ability.html
+- doc/Corral/AccessDenied.html
+- doc/Corral/AuthorizationNotPerformed.html
+- doc/Corral/ControllerAdditions.html
+- doc/Corral/ControllerAdditions/ClassMethods.html
+- doc/Corral/Error.html
+- doc/Corral/Generators.html
+- doc/Corral/Generators/AbilityGenerator.html
+- doc/Corral/NullRule.html
+- doc/Corral/SubjectRule.html
+- doc/_index.html
+- doc/class_list.html
+- doc/css/common.css
+- doc/css/full_list.css
+- doc/css/style.css
+- doc/doc/_index.html
+- doc/doc/class_list.html
+- doc/doc/css/common.css
+- doc/doc/css/full_list.css
+- doc/doc/css/style.css
+- doc/doc/file_list.html
+- doc/doc/frames.html
+- doc/doc/index.html
+- doc/doc/js/app.js
+- doc/doc/js/full_list.js
+- doc/doc/js/jquery.js
+- doc/doc/method_list.html
+- doc/doc/top-level-namespace.html
+- doc/file.README.html
+- doc/file_list.html
+- doc/frames.html
+- doc/index.html
+- doc/js/app.js
+- doc/js/full_list.js
+- doc/js/jquery.js
+- doc/method_list.html
+- doc/top-level-namespace.html
+- lib/corral.rb
+- lib/corral/ability.rb
+- lib/corral/controller_additions.rb
+- lib/corral/exceptions.rb
+- lib/corral/rule.rb
+- lib/corral/version.rb
+- lib/generators/corral/ability/USAGE
+- lib/generators/corral/ability/ability_generator.rb
+- lib/generators/corral/ability/templates/ability.rb
+- spec/corral/ability_spec.rb
+- spec/spec_helper.rb
+homepage: 
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: Extremely simple authorization solution.
+test_files: []
+has_rdoc: