RubyGems - declarative_authorization-dta - Versions diffs - 0.1 - Mend

declarative_authorization-dta 0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

data/CHANGELOG +148 -0
data/MIT-LICENSE +20 -0
data/README.rdoc +504 -0
data/Rakefile +35 -0
data/app/controllers/authorization_rules_controller.rb +259 -0
data/app/controllers/authorization_usages_controller.rb +23 -0
data/app/helpers/authorization_rules_helper.rb +218 -0
data/app/views/authorization_rules/_change.erb +58 -0
data/app/views/authorization_rules/_show_graph.erb +37 -0
data/app/views/authorization_rules/_suggestions.erb +48 -0
data/app/views/authorization_rules/change.html.erb +169 -0
data/app/views/authorization_rules/graph.dot.erb +68 -0
data/app/views/authorization_rules/graph.html.erb +40 -0
data/app/views/authorization_rules/index.html.erb +17 -0
data/app/views/authorization_usages/index.html.erb +36 -0
data/authorization_rules.dist.rb +20 -0
data/config/routes.rb +10 -0
data/garlic_example.rb +20 -0
data/init.rb +5 -0
data/lib/declarative_authorization.rb +17 -0
data/lib/declarative_authorization/authorization.rb +687 -0
data/lib/declarative_authorization/development_support/analyzer.rb +252 -0
data/lib/declarative_authorization/development_support/change_analyzer.rb +253 -0
data/lib/declarative_authorization/development_support/change_supporter.rb +620 -0
data/lib/declarative_authorization/development_support/development_support.rb +243 -0
data/lib/declarative_authorization/helper.rb +60 -0
data/lib/declarative_authorization/in_controller.rb +623 -0
data/lib/declarative_authorization/in_model.new.rb +298 -0
data/lib/declarative_authorization/in_model.rb +463 -0
data/lib/declarative_authorization/maintenance.rb +212 -0
data/lib/declarative_authorization/obligation_scope.rb +354 -0
data/lib/declarative_authorization/rails_legacy.rb +22 -0
data/lib/declarative_authorization/railsengine.rb +6 -0
data/lib/declarative_authorization/reader.rb +521 -0
data/lib/tasks/authorization_tasks.rake +82 -0
data/test/authorization_test.rb +1065 -0
data/test/controller_filter_resource_access_test.rb +511 -0
data/test/controller_test.rb +465 -0
data/test/dsl_reader_test.rb +178 -0
data/test/helper_test.rb +172 -0
data/test/maintenance_test.rb +46 -0
data/test/model_test.rb +2216 -0
data/test/schema.sql +62 -0
data/test/test_helper.rb +152 -0
metadata +108 -0

data/test/controller_filter_resource_access_test.rb ADDED Viewed

@@ -0,0 +1,511 @@
+require File.join(File.dirname(__FILE__), 'test_helper.rb')
+class BasicResource < MockDataObject
+  def self.name
+    "BasicResource"
+  end
+end
+class BasicResourcesController < MocksController
+  filter_resource_access
+  define_resource_actions
+end
+class BasicResourcesControllerTest < ActionController::TestCase
+  def test_basic_filter_index
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :index do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(MockUser.new(:another_role), :index, reader)
+    assert !@controller.authorized?
+    request!(allowed_user, :index, reader)
+    assert @controller.authorized?
+  end
+  def test_basic_filter_show_with_id
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :show do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :show, reader, :id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :show, reader, :id => "1", :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+  def test_basic_filter_new_with_params
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :new do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :new, reader, :basic_resource => {:id => "2"})
+    assert !@controller.authorized?
+    request!(allowed_user, :new, reader, :basic_resource => {:id => "1"},
+        :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+end
+class NestedResource < MockDataObject
+  def initialize (attributes = {})
+    if attributes[:id]
+      attributes[:parent_mock] ||= ParentMock.new(:id => attributes[:id])
+    end
+    super(attributes)
+  end
+  def self.name
+    "NestedResource"
+  end
+end
+class ShallowNestedResource < MockDataObject
+  def initialize (attributes = {})
+    if attributes[:id]
+      attributes[:parent_mock] ||= ParentMock.new(:id => attributes[:id])
+    end
+    super(attributes)
+  end
+  def self.name
+    "ShallowNestedResource"
+  end
+end
+class ParentMock < MockDataObject
+  def nested_resources
+    Class.new do
+      def initialize (parent_mock)
+        @parent_mock = parent_mock
+      end
+      def new (attributes = {})
+        NestedResource.new(attributes.merge(:parent_mock => @parent_mock))
+      end
+    end.new(self)
+  end
+  alias :shallow_nested_resources :nested_resources
+  def == (other)
+    id == other.id
+  end
+  def self.name
+    "ParentMock"
+  end
+end
+class NestedResourcesController < MocksController
+  filter_resource_access :nested_in => :parent_mocks
+  define_resource_actions
+end
+class NestedResourcesControllerTest < ActionController::TestCase
+  def test_nested_filter_index
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :nested_resources, :to => :index do
+            if_attribute :parent_mock => is {ParentMock.find("1")}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(MockUser.new(:another_role), :index, reader, :parent_mock_id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :index, reader, :parent_mock_id => "2",
+        :clear => [:@nested_resource, :@parent_mock])
+    assert !@controller.authorized?
+    request!(allowed_user, :index, reader, :parent_mock_id => "1",
+        :clear => [:@nested_resource, :@parent_mock])
+    assert @controller.authorized?
+  end
+  def test_nested_filter_show_with_id
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :nested_resources, :to => :show do
+            if_attribute :parent_mock => is {ParentMock.find("1")}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :show, reader, :id => "2", :parent_mock_id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :show, reader, :id => "1", :parent_mock_id => "1",
+        :clear => [:@nested_resource, :@parent_mock])
+    assert @controller.authorized?
+  end
+  def test_nested_filter_new_with_params
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :nested_resources, :to => :new do
+            if_attribute :parent_mock => is {ParentMock.find("1")}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :new, reader, :parent_mock_id => "2",
+        :nested_resource => {:id => "2"})
+    assert !@controller.authorized?
+    request!(allowed_user, :new, reader, :parent_mock_id => "1",
+        :nested_resource => {:id => "1"},
+        :clear => [:@nested_resource, :@parent_mock])
+    assert @controller.authorized?
+  end
+end
+class ShallowNestedResourcesController < MocksController
+  filter_resource_access :nested_in => :parent_mocks,
+                         :shallow => true,
+                         :additional_member => :additional_member_action
+  define_resource_actions
+  define_action_methods :additional_member_action
+end
+class ShallowNestedResourcesControllerTest < ActionController::TestCase
+  def test_nested_filter_index
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :shallow_nested_resources, :to => :index do
+            if_attribute :parent_mock => is {ParentMock.find("1")}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(MockUser.new(:another_role), :index, reader, :parent_mock_id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :index, reader, :parent_mock_id => "2",
+        :clear => [:@shallow_nested_resource, :@parent_mock])
+    assert !@controller.authorized?
+    request!(allowed_user, :index, reader, :parent_mock_id => "1",
+        :clear => [:@shallow_nested_resource, :@parent_mock])
+    assert assigns(:parent_mock)
+    assert @controller.authorized?
+  end
+  def test_nested_filter_show_with_id
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :shallow_nested_resources, :to => :show do
+            if_attribute :parent_mock => is {ParentMock.find("1")}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :show, reader, :id => "2", :parent_mock_id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :show, reader, :id => "1",
+        :clear => [:@shallow_nested_resource, :@parent_mock])
+    assert !assigns(:parent_mock)
+    assert assigns(:shallow_nested_resource)
+    assert @controller.authorized?
+  end
+  def test_nested_filter_new_with_params
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :shallow_nested_resources, :to => :new do
+            if_attribute :parent_mock => is {ParentMock.find("1")}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :new, reader, :parent_mock_id => "2",
+        :shallow_nested_resource => {:id => "2"})
+    assert !@controller.authorized?
+    request!(allowed_user, :new, reader, :parent_mock_id => "1",
+        :shallow_nested_resource => {:id => "1"},
+        :clear => [:@shallow_nested_resource, :@parent_mock])
+    assert assigns(:parent_mock)
+    assert assigns(:shallow_nested_resource)
+    assert @controller.authorized?
+  end
+  def test_nested_filter_additional_member_action_with_id
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :shallow_nested_resources, :to => :additional_member_action do
+            if_attribute :parent_mock => is {ParentMock.find("1")}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :additional_member_action, reader, :id => "2", :parent_mock_id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :additional_member_action, reader, :id => "1",
+        :clear => [:@shallow_nested_resource, :@parent_mock])
+    assert !assigns(:parent_mock)
+    assert assigns(:shallow_nested_resource)
+    assert @controller.authorized?
+  end
+end
+class CustomMembersCollectionsResourceController < MocksController
+  def self.controller_name
+    "basic_resources"
+  end
+  filter_resource_access :member => [[:other_show, :read]],
+      :collection => {:search => :read}, :new => [:other_new]
+  define_action_methods :other_new, :search, :other_show
+end
+class CustomMembersCollectionsResourceControllerTest < ActionController::TestCase
+  def test_custom_members_filter_search
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :read do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+    request!(MockUser.new(:another_role), :search, reader)
+    assert !@controller.authorized?
+    request!(MockUser.new(:allowed_role), :search, reader)
+    assert @controller.authorized?
+  end
+  def test_custom_members_filter_other_show
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :read do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :other_show, reader, :id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :other_show, reader, :id => "1", :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+  def test_custom_members_filter_other_new
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :other_new do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :other_new, reader, :basic_resource => {:id => "2"})
+    assert !@controller.authorized?
+    request!(allowed_user, :other_new, reader, :basic_resource => {:id => "1"},
+        :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+end
+class AdditionalMembersCollectionsResourceController < MocksController
+  def self.controller_name
+    "basic_resources"
+  end
+  filter_resource_access :additional_member => :other_show,
+      :additional_collection => [:search], :additional_new => {:other_new => :new}
+  define_resource_actions
+  define_action_methods :other_new, :search, :other_show
+end
+class AdditionalMembersCollectionsResourceControllerTest < ActionController::TestCase
+  def test_additional_members_filter_search_index
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => [:search, :index] do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+    request!(MockUser.new(:another_role), :search, reader)
+    assert !@controller.authorized?
+    request!(MockUser.new(:another_role), :index, reader)
+    assert !@controller.authorized?
+    request!(MockUser.new(:allowed_role), :search, reader)
+    assert @controller.authorized?
+    request!(MockUser.new(:allowed_role), :index, reader)
+    assert @controller.authorized?
+  end
+  def test_additional_members_filter_other_show
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => [:show, :other_show] do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :other_show, reader, :id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :show, reader, :id => "2", :clear => [:@basic_resource])
+    assert !@controller.authorized?
+    request!(allowed_user, :other_show, reader, :id => "1", :clear => [:@basic_resource])
+    assert @controller.authorized?
+    request!(allowed_user, :show, reader, :id => "1", :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+  def test_additional_members_filter_other_new
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :new do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :other_new, reader, :basic_resource => {:id => "2"})
+    assert !@controller.authorized?
+    request!(allowed_user, :new, reader, :basic_resource => {:id => "2"},
+        :clear => [:@basic_resource])
+    assert !@controller.authorized?
+    request!(allowed_user, :other_new, reader, :basic_resource => {:id => "1"},
+        :clear => [:@basic_resource])
+    assert @controller.authorized?
+    request!(allowed_user, :new, reader, :basic_resource => {:id => "1"},
+        :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+end
+class CustomMethodsResourceController < MocksController
+  # not implemented yet
+end
+class ExplicitContextResourceController < MocksController
+  filter_resource_access :context => :basic_resources
+  define_resource_actions
+end
+class ExplicitContextResourceControllerTest < ActionController::TestCase
+  def test_explicit_context_filter_index
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :index do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(MockUser.new(:another_role), :index, reader)
+    assert !@controller.authorized?
+    request!(allowed_user, :index, reader)
+    assert @controller.authorized?
+  end
+  def test_explicit_context_filter_show_with_id
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :show do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :show, reader, :id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :show, reader, :id => "1", :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+  def test_explicit_context_filter_new_with_params
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :new do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :new, reader, :basic_resource => {:id => "2"})
+    assert !@controller.authorized?
+    request!(allowed_user, :new, reader, :basic_resource => {:id => "1"},
+        :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+end