declarative_authorization-dta 0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/CHANGELOG +148 -0
- data/MIT-LICENSE +20 -0
- data/README.rdoc +504 -0
- data/Rakefile +35 -0
- data/app/controllers/authorization_rules_controller.rb +259 -0
- data/app/controllers/authorization_usages_controller.rb +23 -0
- data/app/helpers/authorization_rules_helper.rb +218 -0
- data/app/views/authorization_rules/_change.erb +58 -0
- data/app/views/authorization_rules/_show_graph.erb +37 -0
- data/app/views/authorization_rules/_suggestions.erb +48 -0
- data/app/views/authorization_rules/change.html.erb +169 -0
- data/app/views/authorization_rules/graph.dot.erb +68 -0
- data/app/views/authorization_rules/graph.html.erb +40 -0
- data/app/views/authorization_rules/index.html.erb +17 -0
- data/app/views/authorization_usages/index.html.erb +36 -0
- data/authorization_rules.dist.rb +20 -0
- data/config/routes.rb +10 -0
- data/garlic_example.rb +20 -0
- data/init.rb +5 -0
- data/lib/declarative_authorization.rb +17 -0
- data/lib/declarative_authorization/authorization.rb +687 -0
- data/lib/declarative_authorization/development_support/analyzer.rb +252 -0
- data/lib/declarative_authorization/development_support/change_analyzer.rb +253 -0
- data/lib/declarative_authorization/development_support/change_supporter.rb +620 -0
- data/lib/declarative_authorization/development_support/development_support.rb +243 -0
- data/lib/declarative_authorization/helper.rb +60 -0
- data/lib/declarative_authorization/in_controller.rb +623 -0
- data/lib/declarative_authorization/in_model.new.rb +298 -0
- data/lib/declarative_authorization/in_model.rb +463 -0
- data/lib/declarative_authorization/maintenance.rb +212 -0
- data/lib/declarative_authorization/obligation_scope.rb +354 -0
- data/lib/declarative_authorization/rails_legacy.rb +22 -0
- data/lib/declarative_authorization/railsengine.rb +6 -0
- data/lib/declarative_authorization/reader.rb +521 -0
- data/lib/tasks/authorization_tasks.rake +82 -0
- data/test/authorization_test.rb +1065 -0
- data/test/controller_filter_resource_access_test.rb +511 -0
- data/test/controller_test.rb +465 -0
- data/test/dsl_reader_test.rb +178 -0
- data/test/helper_test.rb +172 -0
- data/test/maintenance_test.rb +46 -0
- data/test/model_test.rb +2216 -0
- data/test/schema.sql +62 -0
- data/test/test_helper.rb +152 -0
- metadata +108 -0
|
@@ -0,0 +1,465 @@
|
|
|
1
|
+
require File.join(File.dirname(__FILE__), 'test_helper.rb')
|
|
2
|
+
|
|
3
|
+
|
|
4
|
+
class LoadMockObject < MockDataObject
|
|
5
|
+
def self.name
|
|
6
|
+
"LoadMockObject"
|
|
7
|
+
end
|
|
8
|
+
end
|
|
9
|
+
|
|
10
|
+
##################
|
|
11
|
+
class SpecificMocksController < MocksController
|
|
12
|
+
filter_access_to :test_action, :require => :test, :context => :permissions
|
|
13
|
+
filter_access_to :test_action_2, :require => :test, :context => :permissions_2
|
|
14
|
+
filter_access_to :show
|
|
15
|
+
filter_access_to :edit, :create, :require => :test, :context => :permissions
|
|
16
|
+
filter_access_to :edit_2, :require => :test, :context => :permissions,
|
|
17
|
+
:attribute_check => true, :model => LoadMockObject
|
|
18
|
+
filter_access_to :new, :require => :test, :context => :permissions
|
|
19
|
+
|
|
20
|
+
filter_access_to [:action_group_action_1, :action_group_action_2]
|
|
21
|
+
define_action_methods :test_action, :test_action_2, :show, :edit, :create,
|
|
22
|
+
:edit_2, :new, :unprotected_action, :action_group_action_1, :action_group_action_2
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
class BasicControllerTest < ActionController::TestCase
|
|
26
|
+
tests SpecificMocksController
|
|
27
|
+
|
|
28
|
+
def test_filter_access_to_receiving_an_explicit_array
|
|
29
|
+
reader = Authorization::Reader::DSLReader.new
|
|
30
|
+
|
|
31
|
+
reader.parse %{
|
|
32
|
+
authorization do
|
|
33
|
+
role :test_action_group_2 do
|
|
34
|
+
has_permission_on :specific_mocks, :to => :action_group_action_2
|
|
35
|
+
end
|
|
36
|
+
end
|
|
37
|
+
}
|
|
38
|
+
|
|
39
|
+
request!(MockUser.new(:test_action_group_2), "action_group_action_2", reader)
|
|
40
|
+
assert @controller.authorized?
|
|
41
|
+
request!(MockUser.new(:test_action_group_2), "action_group_action_1", reader)
|
|
42
|
+
assert !@controller.authorized?
|
|
43
|
+
request!(nil, "action_group_action_2", reader)
|
|
44
|
+
assert !@controller.authorized?
|
|
45
|
+
end
|
|
46
|
+
|
|
47
|
+
def test_filter_access
|
|
48
|
+
assert !@controller.class.before_filters.empty?
|
|
49
|
+
|
|
50
|
+
reader = Authorization::Reader::DSLReader.new
|
|
51
|
+
reader.parse %{
|
|
52
|
+
authorization do
|
|
53
|
+
role :test_role do
|
|
54
|
+
has_permission_on :permissions, :to => :test
|
|
55
|
+
has_permission_on :specific_mocks, :to => :show
|
|
56
|
+
end
|
|
57
|
+
end
|
|
58
|
+
}
|
|
59
|
+
|
|
60
|
+
request!(MockUser.new(:test_role), "test_action", reader)
|
|
61
|
+
assert @controller.authorized?
|
|
62
|
+
|
|
63
|
+
request!(MockUser.new(:test_role), "test_action_2", reader)
|
|
64
|
+
assert !@controller.authorized?
|
|
65
|
+
|
|
66
|
+
request!(MockUser.new(:test_role_2), "test_action", reader)
|
|
67
|
+
assert_response :forbidden
|
|
68
|
+
assert !@controller.authorized?
|
|
69
|
+
|
|
70
|
+
request!(MockUser.new(:test_role), "show", reader)
|
|
71
|
+
assert @controller.authorized?
|
|
72
|
+
end
|
|
73
|
+
|
|
74
|
+
def test_filter_access_multi_actions
|
|
75
|
+
reader = Authorization::Reader::DSLReader.new
|
|
76
|
+
reader.parse %{
|
|
77
|
+
authorization do
|
|
78
|
+
role :test_role do
|
|
79
|
+
has_permission_on :permissions, :to => :test
|
|
80
|
+
end
|
|
81
|
+
end
|
|
82
|
+
}
|
|
83
|
+
request!(MockUser.new(:test_role), "create", reader)
|
|
84
|
+
assert @controller.authorized?
|
|
85
|
+
end
|
|
86
|
+
|
|
87
|
+
def test_filter_access_unprotected_actions
|
|
88
|
+
reader = Authorization::Reader::DSLReader.new
|
|
89
|
+
reader.parse %{
|
|
90
|
+
authorization do
|
|
91
|
+
role :test_role do
|
|
92
|
+
end
|
|
93
|
+
end
|
|
94
|
+
}
|
|
95
|
+
request!(MockUser.new(:test_role), "unprotected_action", reader)
|
|
96
|
+
assert @controller.authorized?
|
|
97
|
+
end
|
|
98
|
+
|
|
99
|
+
def test_filter_access_priv_hierarchy
|
|
100
|
+
reader = Authorization::Reader::DSLReader.new
|
|
101
|
+
reader.parse %{
|
|
102
|
+
privileges do
|
|
103
|
+
privilege :read do
|
|
104
|
+
includes :list, :show
|
|
105
|
+
end
|
|
106
|
+
end
|
|
107
|
+
authorization do
|
|
108
|
+
role :test_role do
|
|
109
|
+
has_permission_on :specific_mocks, :to => :read
|
|
110
|
+
end
|
|
111
|
+
end
|
|
112
|
+
}
|
|
113
|
+
request!(MockUser.new(:test_role), "show", reader)
|
|
114
|
+
assert @controller.authorized?
|
|
115
|
+
end
|
|
116
|
+
|
|
117
|
+
def test_filter_access_skip_attribute_test
|
|
118
|
+
reader = Authorization::Reader::DSLReader.new
|
|
119
|
+
reader.parse %{
|
|
120
|
+
authorization do
|
|
121
|
+
role :test_role do
|
|
122
|
+
has_permission_on :permissions, :to => :test do
|
|
123
|
+
if_attribute :id => is { user }
|
|
124
|
+
end
|
|
125
|
+
end
|
|
126
|
+
end
|
|
127
|
+
}
|
|
128
|
+
request!(MockUser.new(:test_role), "new", reader)
|
|
129
|
+
assert @controller.authorized?
|
|
130
|
+
end
|
|
131
|
+
|
|
132
|
+
def test_existing_instance_var_remains_unchanged
|
|
133
|
+
reader = Authorization::Reader::DSLReader.new
|
|
134
|
+
reader.parse %{
|
|
135
|
+
authorization do
|
|
136
|
+
role :test_role do
|
|
137
|
+
has_permission_on :permissions, :to => :test do
|
|
138
|
+
if_attribute :id => is { 5 }
|
|
139
|
+
end
|
|
140
|
+
end
|
|
141
|
+
end
|
|
142
|
+
}
|
|
143
|
+
mock_object = MockDataObject.new(:id => 5)
|
|
144
|
+
@controller.send(:instance_variable_set, :"@load_mock_object",
|
|
145
|
+
mock_object)
|
|
146
|
+
request!(MockUser.new(:test_role), "edit_2", reader)
|
|
147
|
+
assert_equal mock_object,
|
|
148
|
+
@controller.send(:instance_variable_get, :"@load_mock_object")
|
|
149
|
+
assert @controller.authorized?
|
|
150
|
+
end
|
|
151
|
+
|
|
152
|
+
def test_permitted_to_without_context
|
|
153
|
+
reader = Authorization::Reader::DSLReader.new
|
|
154
|
+
reader.parse %{
|
|
155
|
+
authorization do
|
|
156
|
+
role :test_role do
|
|
157
|
+
has_permission_on :specific_mocks, :to => :test
|
|
158
|
+
end
|
|
159
|
+
end
|
|
160
|
+
}
|
|
161
|
+
@controller.current_user = MockUser.new(:test_role)
|
|
162
|
+
@controller.authorization_engine = Authorization::Engine.new(reader)
|
|
163
|
+
assert @controller.permitted_to?(:test)
|
|
164
|
+
end
|
|
165
|
+
end
|
|
166
|
+
|
|
167
|
+
|
|
168
|
+
##################
|
|
169
|
+
class AllMocksController < MocksController
|
|
170
|
+
filter_access_to :all
|
|
171
|
+
filter_access_to :view, :require => :test, :context => :permissions
|
|
172
|
+
define_action_methods :show, :view
|
|
173
|
+
end
|
|
174
|
+
class AllActionsControllerTest < ActionController::TestCase
|
|
175
|
+
tests AllMocksController
|
|
176
|
+
def test_filter_access_all
|
|
177
|
+
reader = Authorization::Reader::DSLReader.new
|
|
178
|
+
reader.parse %{
|
|
179
|
+
authorization do
|
|
180
|
+
role :test_role do
|
|
181
|
+
has_permission_on :permissions, :to => :test
|
|
182
|
+
has_permission_on :all_mocks, :to => :show
|
|
183
|
+
end
|
|
184
|
+
end
|
|
185
|
+
}
|
|
186
|
+
|
|
187
|
+
request!(MockUser.new(:test_role), "show", reader)
|
|
188
|
+
assert @controller.authorized?
|
|
189
|
+
|
|
190
|
+
request!(MockUser.new(:test_role), "view", reader)
|
|
191
|
+
assert @controller.authorized?
|
|
192
|
+
|
|
193
|
+
request!(MockUser.new(:test_role_2), "show", reader)
|
|
194
|
+
assert !@controller.authorized?
|
|
195
|
+
end
|
|
196
|
+
end
|
|
197
|
+
|
|
198
|
+
|
|
199
|
+
##################
|
|
200
|
+
class LoadMockObjectsController < MocksController
|
|
201
|
+
filter_access_to :show, :attribute_check => true, :model => LoadMockObject
|
|
202
|
+
filter_access_to :edit, :attribute_check => true
|
|
203
|
+
filter_access_to :update, :delete, :attribute_check => true,
|
|
204
|
+
:load_method => proc {MockDataObject.new(:test => 1)}
|
|
205
|
+
filter_access_to :create do
|
|
206
|
+
permitted_to! :edit, :load_mock_objects
|
|
207
|
+
end
|
|
208
|
+
filter_access_to :view, :attribute_check => true, :load_method => :load_method
|
|
209
|
+
def load_method
|
|
210
|
+
MockDataObject.new(:test => 2)
|
|
211
|
+
end
|
|
212
|
+
define_action_methods :show, :edit, :update, :delete, :create, :view
|
|
213
|
+
end
|
|
214
|
+
class LoadObjectControllerTest < ActionController::TestCase
|
|
215
|
+
tests LoadMockObjectsController
|
|
216
|
+
|
|
217
|
+
def test_filter_access_with_object_load
|
|
218
|
+
reader = Authorization::Reader::DSLReader.new
|
|
219
|
+
reader.parse %{
|
|
220
|
+
authorization do
|
|
221
|
+
role :test_role do
|
|
222
|
+
has_permission_on :load_mock_objects, :to => [:show, :edit] do
|
|
223
|
+
if_attribute :id => 1
|
|
224
|
+
if_attribute :id => "1"
|
|
225
|
+
end
|
|
226
|
+
end
|
|
227
|
+
end
|
|
228
|
+
}
|
|
229
|
+
|
|
230
|
+
request!(MockUser.new(:test_role), "show", reader, :id => 2)
|
|
231
|
+
assert !@controller.authorized?
|
|
232
|
+
|
|
233
|
+
request!(MockUser.new(:test_role), "show", reader, :id => 1,
|
|
234
|
+
:clear => [:@load_mock_object])
|
|
235
|
+
assert @controller.authorized?
|
|
236
|
+
|
|
237
|
+
request!(MockUser.new(:test_role), "edit", reader, :id => 1,
|
|
238
|
+
:clear => [:@load_mock_object])
|
|
239
|
+
assert @controller.authorized?
|
|
240
|
+
assert @controller.instance_variable_defined?(:@load_mock_object)
|
|
241
|
+
end
|
|
242
|
+
|
|
243
|
+
def test_filter_access_object_load_without_param
|
|
244
|
+
reader = Authorization::Reader::DSLReader.new
|
|
245
|
+
reader.parse %{
|
|
246
|
+
authorization do
|
|
247
|
+
role :test_role do
|
|
248
|
+
has_permission_on :load_mock_objects, :to => [:show, :edit] do
|
|
249
|
+
if_attribute :id => is {"1"}
|
|
250
|
+
end
|
|
251
|
+
end
|
|
252
|
+
end
|
|
253
|
+
}
|
|
254
|
+
|
|
255
|
+
assert_raise RuntimeError, "No id param supplied" do
|
|
256
|
+
request!(MockUser.new(:test_role), "show", reader)
|
|
257
|
+
end
|
|
258
|
+
|
|
259
|
+
Authorization::AuthorizationInController.failed_auto_loading_is_not_found = false
|
|
260
|
+
assert_nothing_raised "Load error is only logged" do
|
|
261
|
+
request!(MockUser.new(:test_role), "show", reader)
|
|
262
|
+
end
|
|
263
|
+
assert !@controller.authorized?
|
|
264
|
+
Authorization::AuthorizationInController.failed_auto_loading_is_not_found = true
|
|
265
|
+
end
|
|
266
|
+
|
|
267
|
+
def test_filter_access_with_object_load_custom
|
|
268
|
+
reader = Authorization::Reader::DSLReader.new
|
|
269
|
+
reader.parse %{
|
|
270
|
+
authorization do
|
|
271
|
+
role :test_role do
|
|
272
|
+
has_permission_on :load_mock_objects, :to => :view do
|
|
273
|
+
if_attribute :test => is {2}
|
|
274
|
+
end
|
|
275
|
+
has_permission_on :load_mock_objects, :to => :update do
|
|
276
|
+
if_attribute :test => is {1}
|
|
277
|
+
end
|
|
278
|
+
has_permission_on :load_mock_objects, :to => :delete do
|
|
279
|
+
if_attribute :test => is {2}
|
|
280
|
+
end
|
|
281
|
+
end
|
|
282
|
+
end
|
|
283
|
+
}
|
|
284
|
+
|
|
285
|
+
request!(MockUser.new(:test_role), "delete", reader)
|
|
286
|
+
assert !@controller.authorized?
|
|
287
|
+
|
|
288
|
+
request!(MockUser.new(:test_role), "view", reader)
|
|
289
|
+
assert @controller.authorized?
|
|
290
|
+
|
|
291
|
+
request!(MockUser.new(:test_role), "update", reader)
|
|
292
|
+
assert @controller.authorized?
|
|
293
|
+
end
|
|
294
|
+
|
|
295
|
+
def test_filter_access_custom
|
|
296
|
+
reader = Authorization::Reader::DSLReader.new
|
|
297
|
+
reader.parse %{
|
|
298
|
+
authorization do
|
|
299
|
+
role :test_role do
|
|
300
|
+
has_permission_on :load_mock_objects, :to => :edit
|
|
301
|
+
end
|
|
302
|
+
role :test_role_2 do
|
|
303
|
+
has_permission_on :load_mock_objects, :to => :create
|
|
304
|
+
end
|
|
305
|
+
end
|
|
306
|
+
}
|
|
307
|
+
|
|
308
|
+
request!(MockUser.new(:test_role), "create", reader)
|
|
309
|
+
assert @controller.authorized?
|
|
310
|
+
|
|
311
|
+
request!(MockUser.new(:test_role_2), "create", reader)
|
|
312
|
+
assert !@controller.authorized?
|
|
313
|
+
end
|
|
314
|
+
end
|
|
315
|
+
|
|
316
|
+
|
|
317
|
+
##################
|
|
318
|
+
class AccessOverwritesController < MocksController
|
|
319
|
+
filter_access_to :test_action, :test_action_2,
|
|
320
|
+
:require => :test, :context => :permissions_2
|
|
321
|
+
filter_access_to :test_action, :require => :test, :context => :permissions
|
|
322
|
+
define_action_methods :test_action, :test_action_2
|
|
323
|
+
end
|
|
324
|
+
class AccessOverwritesControllerTest < ActionController::TestCase
|
|
325
|
+
def test_filter_access_overwrite
|
|
326
|
+
reader = Authorization::Reader::DSLReader.new
|
|
327
|
+
reader.parse %{
|
|
328
|
+
authorization do
|
|
329
|
+
role :test_role do
|
|
330
|
+
has_permission_on :permissions, :to => :test
|
|
331
|
+
end
|
|
332
|
+
end
|
|
333
|
+
}
|
|
334
|
+
request!(MockUser.new(:test_role), "test_action_2", reader)
|
|
335
|
+
assert !@controller.authorized?
|
|
336
|
+
|
|
337
|
+
request!(MockUser.new(:test_role), "test_action", reader)
|
|
338
|
+
assert @controller.authorized?
|
|
339
|
+
end
|
|
340
|
+
end
|
|
341
|
+
|
|
342
|
+
|
|
343
|
+
##################
|
|
344
|
+
class PeopleController < MocksController
|
|
345
|
+
filter_access_to :all
|
|
346
|
+
define_action_methods :show
|
|
347
|
+
end
|
|
348
|
+
class PluralizationControllerTest < ActionController::TestCase
|
|
349
|
+
tests PeopleController
|
|
350
|
+
|
|
351
|
+
def test_filter_access_people_controller
|
|
352
|
+
reader = Authorization::Reader::DSLReader.new
|
|
353
|
+
reader.parse %{
|
|
354
|
+
authorization do
|
|
355
|
+
role :test_role do
|
|
356
|
+
has_permission_on :people, :to => :show
|
|
357
|
+
end
|
|
358
|
+
end
|
|
359
|
+
}
|
|
360
|
+
request!(MockUser.new(:test_role), "show", reader)
|
|
361
|
+
assert @controller.authorized?
|
|
362
|
+
end
|
|
363
|
+
end
|
|
364
|
+
|
|
365
|
+
|
|
366
|
+
##################
|
|
367
|
+
class CommonController < MocksController
|
|
368
|
+
filter_access_to :delete, :context => :common
|
|
369
|
+
filter_access_to :all
|
|
370
|
+
end
|
|
371
|
+
class CommonChild1Controller < CommonController
|
|
372
|
+
filter_access_to :all, :context => :context_1
|
|
373
|
+
end
|
|
374
|
+
class CommonChild2Controller < CommonController
|
|
375
|
+
filter_access_to :delete
|
|
376
|
+
define_action_methods :show, :delete
|
|
377
|
+
end
|
|
378
|
+
class HierachicalControllerTest < ActionController::TestCase
|
|
379
|
+
tests CommonChild2Controller
|
|
380
|
+
def test_controller_hierarchy
|
|
381
|
+
reader = Authorization::Reader::DSLReader.new
|
|
382
|
+
reader.parse %{
|
|
383
|
+
authorization do
|
|
384
|
+
role :test_role do
|
|
385
|
+
has_permission_on :mocks, :to => [:delete, :show]
|
|
386
|
+
end
|
|
387
|
+
end
|
|
388
|
+
}
|
|
389
|
+
request!(MockUser.new(:test_role), "show", reader)
|
|
390
|
+
assert !@controller.authorized?
|
|
391
|
+
request!(MockUser.new(:test_role), "delete", reader)
|
|
392
|
+
assert !@controller.authorized?
|
|
393
|
+
end
|
|
394
|
+
end
|
|
395
|
+
|
|
396
|
+
##################
|
|
397
|
+
module Name
|
|
398
|
+
class SpacedThingsController < MocksController
|
|
399
|
+
filter_access_to :show
|
|
400
|
+
filter_access_to :update, :context => :spaced_things
|
|
401
|
+
define_action_methods :show, :update
|
|
402
|
+
end
|
|
403
|
+
end
|
|
404
|
+
class NameSpacedControllerTest < ActionController::TestCase
|
|
405
|
+
tests Name::SpacedThingsController
|
|
406
|
+
def test_context
|
|
407
|
+
reader = Authorization::Reader::DSLReader.new
|
|
408
|
+
reader.parse %{
|
|
409
|
+
authorization do
|
|
410
|
+
role :permitted_role do
|
|
411
|
+
has_permission_on :name_spaced_things, :to => :show
|
|
412
|
+
has_permission_on :spaced_things, :to => :update
|
|
413
|
+
end
|
|
414
|
+
role :prohibited_role do
|
|
415
|
+
has_permission_on :name_spaced_things, :to => :update
|
|
416
|
+
has_permission_on :spaced_things, :to => :show
|
|
417
|
+
end
|
|
418
|
+
end
|
|
419
|
+
}
|
|
420
|
+
request!(MockUser.new(:permitted_role), "show", reader)
|
|
421
|
+
assert @controller.authorized?
|
|
422
|
+
request!(MockUser.new(:prohibited_role), "show", reader)
|
|
423
|
+
assert !@controller.authorized?
|
|
424
|
+
request!(MockUser.new(:permitted_role), "update", reader)
|
|
425
|
+
assert @controller.authorized?
|
|
426
|
+
request!(MockUser.new(:prohibited_role), "update", reader)
|
|
427
|
+
assert !@controller.authorized?
|
|
428
|
+
end
|
|
429
|
+
end
|
|
430
|
+
|
|
431
|
+
module Deep
|
|
432
|
+
module NameSpaced
|
|
433
|
+
class ThingsController < MocksController
|
|
434
|
+
filter_access_to :show
|
|
435
|
+
filter_access_to :update, :context => :things
|
|
436
|
+
define_action_methods :show, :update
|
|
437
|
+
end
|
|
438
|
+
end
|
|
439
|
+
end
|
|
440
|
+
class DeepNameSpacedControllerTest < ActionController::TestCase
|
|
441
|
+
tests Deep::NameSpaced::ThingsController
|
|
442
|
+
def test_context
|
|
443
|
+
reader = Authorization::Reader::DSLReader.new
|
|
444
|
+
reader.parse %{
|
|
445
|
+
authorization do
|
|
446
|
+
role :permitted_role do
|
|
447
|
+
has_permission_on :deep_name_spaced_things, :to => :show
|
|
448
|
+
has_permission_on :things, :to => :update
|
|
449
|
+
end
|
|
450
|
+
role :prohibited_role do
|
|
451
|
+
has_permission_on :deep_name_spaced_things, :to => :update
|
|
452
|
+
has_permission_on :things, :to => :show
|
|
453
|
+
end
|
|
454
|
+
end
|
|
455
|
+
}
|
|
456
|
+
request!(MockUser.new(:permitted_role), "show", reader)
|
|
457
|
+
assert @controller.authorized?
|
|
458
|
+
request!(MockUser.new(:prohibited_role), "show", reader)
|
|
459
|
+
assert !@controller.authorized?
|
|
460
|
+
request!(MockUser.new(:permitted_role), "update", reader)
|
|
461
|
+
assert @controller.authorized?
|
|
462
|
+
request!(MockUser.new(:prohibited_role), "update", reader)
|
|
463
|
+
assert !@controller.authorized?
|
|
464
|
+
end
|
|
465
|
+
end
|