declarative_authorization 0.3.2.3

Sign up to get free protection for your applications and to get access to all the features.
Files changed (42) hide show
  1. data/CHANGELOG +83 -0
  2. data/MIT-LICENSE +20 -0
  3. data/README.rdoc +510 -0
  4. data/Rakefile +43 -0
  5. data/app/controllers/authorization_rules_controller.rb +259 -0
  6. data/app/controllers/authorization_usages_controller.rb +23 -0
  7. data/app/helpers/authorization_rules_helper.rb +187 -0
  8. data/app/views/authorization_rules/_change.erb +58 -0
  9. data/app/views/authorization_rules/_show_graph.erb +37 -0
  10. data/app/views/authorization_rules/_suggestions.erb +48 -0
  11. data/app/views/authorization_rules/change.html.erb +152 -0
  12. data/app/views/authorization_rules/graph.dot.erb +68 -0
  13. data/app/views/authorization_rules/graph.html.erb +40 -0
  14. data/app/views/authorization_rules/index.html.erb +17 -0
  15. data/app/views/authorization_usages/index.html.erb +36 -0
  16. data/authorization_rules.dist.rb +20 -0
  17. data/config/routes.rb +7 -0
  18. data/garlic_example.rb +20 -0
  19. data/init.rb +5 -0
  20. data/lib/declarative_authorization.rb +15 -0
  21. data/lib/declarative_authorization/authorization.rb +634 -0
  22. data/lib/declarative_authorization/development_support/analyzer.rb +252 -0
  23. data/lib/declarative_authorization/development_support/change_analyzer.rb +253 -0
  24. data/lib/declarative_authorization/development_support/change_supporter.rb +620 -0
  25. data/lib/declarative_authorization/development_support/development_support.rb +243 -0
  26. data/lib/declarative_authorization/helper.rb +60 -0
  27. data/lib/declarative_authorization/in_controller.rb +597 -0
  28. data/lib/declarative_authorization/in_model.rb +159 -0
  29. data/lib/declarative_authorization/maintenance.rb +182 -0
  30. data/lib/declarative_authorization/obligation_scope.rb +308 -0
  31. data/lib/declarative_authorization/rails_legacy.rb +14 -0
  32. data/lib/declarative_authorization/reader.rb +441 -0
  33. data/test/authorization_test.rb +827 -0
  34. data/test/controller_filter_resource_access_test.rb +394 -0
  35. data/test/controller_test.rb +386 -0
  36. data/test/dsl_reader_test.rb +157 -0
  37. data/test/helper_test.rb +171 -0
  38. data/test/maintenance_test.rb +46 -0
  39. data/test/model_test.rb +1308 -0
  40. data/test/schema.sql +54 -0
  41. data/test/test_helper.rb +118 -0
  42. metadata +105 -0
@@ -0,0 +1,827 @@
1
+ require File.join(File.dirname(__FILE__), 'test_helper.rb')
2
+
3
+ class AuthorizationTest < Test::Unit::TestCase
4
+
5
+ def test_permit
6
+ reader = Authorization::Reader::DSLReader.new
7
+ reader.parse %{
8
+ authorization do
9
+ role :test_role do
10
+ has_permission_on :permissions, :to => :test
11
+ end
12
+ end
13
+ }
14
+ engine = Authorization::Engine.new(reader)
15
+ assert engine.permit?(:test, :context => :permissions,
16
+ :user => MockUser.new(:test_role, :test_role_2))
17
+ assert !engine.permit?(:test_2, :context => :permissions_2,
18
+ :user => MockUser.new(:test_role))
19
+ assert !engine.permit?(:test, :context => :permissions,
20
+ :user => MockUser.new(:test_role_2))
21
+ end
22
+
23
+ def test_permit_context_people
24
+ reader = Authorization::Reader::DSLReader.new
25
+ reader.parse %{
26
+ authorization do
27
+ role :test_role do
28
+ has_permission_on :people, :to => :test
29
+ end
30
+ end
31
+ }
32
+ engine = Authorization::Engine.new(reader)
33
+ assert engine.permit?(:test, :context => :people,
34
+ :user => MockUser.new(:test_role))
35
+ end
36
+
37
+ def test_permit_multiple_contexts
38
+ reader = Authorization::Reader::DSLReader.new
39
+ reader.parse %{
40
+ authorization do
41
+ role :test_role do
42
+ has_permission_on [:permissions, :permissions_2], :to => :test
43
+ has_permission_on :permissions_4, :permissions_5, :to => :test
44
+ end
45
+ end
46
+ }
47
+ engine = Authorization::Engine.new(reader)
48
+ assert engine.permit?(:test, :context => :permissions,
49
+ :user => MockUser.new(:test_role))
50
+ assert engine.permit?(:test, :context => :permissions_2,
51
+ :user => MockUser.new(:test_role))
52
+ assert !engine.permit?(:test, :context => :permissions_3,
53
+ :user => MockUser.new(:test_role))
54
+
55
+ assert engine.permit?(:test, :context => :permissions_4, :user => MockUser.new(:test_role))
56
+ assert engine.permit?(:test, :context => :permissions_5, :user => MockUser.new(:test_role))
57
+ end
58
+
59
+ def test_obligations_without_conditions
60
+ reader = Authorization::Reader::DSLReader.new
61
+ reader.parse %{
62
+ authorization do
63
+ role :test_role do
64
+ has_permission_on :permissions, :to => :test
65
+ end
66
+ end
67
+ }
68
+ engine = Authorization::Engine.new(reader)
69
+ assert_equal [{}], engine.obligations(:test, :context => :permissions,
70
+ :user => MockUser.new(:test_role))
71
+ end
72
+
73
+ def test_obligations_with_conditions
74
+ reader = Authorization::Reader::DSLReader.new
75
+ reader.parse %{
76
+ authorization do
77
+ role :test_role do
78
+ has_permission_on :permissions, :to => :test do
79
+ if_attribute :attr => is { user.attr }
80
+ end
81
+ end
82
+ end
83
+ }
84
+ engine = Authorization::Engine.new(reader)
85
+ assert_equal [{:attr => [:is, 1]}],
86
+ engine.obligations(:test, :context => :permissions,
87
+ :user => MockUser.new(:test_role, :attr => 1))
88
+ end
89
+
90
+ def test_obligations_with_anded_conditions
91
+ reader = Authorization::Reader::DSLReader.new
92
+ reader.parse %{
93
+ authorization do
94
+ role :test_role do
95
+ has_permission_on :permissions, :to => :test, :join_by => :and do
96
+ if_attribute :attr => is { user.attr }
97
+ if_attribute :attr_2 => is { user.attr_2 }
98
+ end
99
+ end
100
+ end
101
+ }
102
+ engine = Authorization::Engine.new(reader)
103
+ assert_equal [{:attr => [:is, 1], :attr_2 => [:is, 2]}],
104
+ engine.obligations(:test, :context => :permissions,
105
+ :user => MockUser.new(:test_role, :attr => 1, :attr_2 => 2))
106
+ end
107
+
108
+ def test_obligations_with_deep_anded_conditions
109
+ reader = Authorization::Reader::DSLReader.new
110
+ reader.parse %{
111
+ authorization do
112
+ role :test_role do
113
+ has_permission_on :permissions, :to => :test, :join_by => :and do
114
+ if_attribute :attr => { :deeper_attr => is { user.deeper_attr }}
115
+ if_attribute :attr => { :deeper_attr_2 => is { user.deeper_attr_2 }}
116
+ end
117
+ end
118
+ end
119
+ }
120
+ engine = Authorization::Engine.new(reader)
121
+ assert_equal [{:attr => { :deeper_attr => [:is, 1], :deeper_attr_2 => [:is, 2] } }],
122
+ engine.obligations(:test, :context => :permissions,
123
+ :user => MockUser.new(:test_role, :deeper_attr => 1, :deeper_attr_2 => 2))
124
+ end
125
+
126
+ def test_obligations_with_conditions_and_empty
127
+ reader = Authorization::Reader::DSLReader.new
128
+ reader.parse %{
129
+ authorization do
130
+ role :test_role do
131
+ has_permission_on :permissions, :to => :test
132
+ has_permission_on :permissions, :to => :test do
133
+ if_attribute :attr => is { user.attr }
134
+ end
135
+ end
136
+ end
137
+ }
138
+ engine = Authorization::Engine.new(reader)
139
+ assert_equal [{}, {:attr => [:is, 1]}],
140
+ engine.obligations(:test, :context => :permissions,
141
+ :user => MockUser.new(:test_role, :attr => 1))
142
+ end
143
+
144
+ def test_obligations_with_permissions
145
+ reader = Authorization::Reader::DSLReader.new
146
+ reader.parse %{
147
+ authorization do
148
+ role :test_role do
149
+ has_permission_on :permissions, :to => :test do
150
+ if_attribute :attr => is { user.attr }
151
+ end
152
+ has_permission_on :permission_children, :to => :test do
153
+ if_permitted_to :test, :permission, :context => :permissions
154
+ end
155
+ has_permission_on :permission_children_2, :to => :test do
156
+ if_permitted_to :test, :permission
157
+ end
158
+ has_permission_on :permission_children_children, :to => :test do
159
+ if_permitted_to :test, :permission_child => :permission,
160
+ :context => :permissions
161
+ end
162
+ end
163
+ end
164
+ }
165
+ engine = Authorization::Engine.new(reader)
166
+ assert_equal [{:permission => {:attr => [:is, 1]}}],
167
+ engine.obligations(:test, :context => :permission_children,
168
+ :user => MockUser.new(:test_role, :attr => 1))
169
+ assert_equal [{:permission => {:attr => [:is, 1]}}],
170
+ engine.obligations(:test, :context => :permission_children_2,
171
+ :user => MockUser.new(:test_role, :attr => 1))
172
+ assert_equal [{:permission_child => {:permission => {:attr => [:is, 1]}}}],
173
+ engine.obligations(:test, :context => :permission_children_children,
174
+ :user => MockUser.new(:test_role, :attr => 1))
175
+ end
176
+
177
+ def test_obligations_with_permissions_multiple
178
+ reader = Authorization::Reader::DSLReader.new
179
+ reader.parse %{
180
+ authorization do
181
+ role :test_role do
182
+ has_permission_on :permissions, :to => :test do
183
+ if_attribute :attr => is { 1 }
184
+ if_attribute :attr => is { 2 }
185
+ end
186
+ has_permission_on :permission_children_children, :to => :test do
187
+ if_permitted_to :test, :permission_child => :permission
188
+ end
189
+ end
190
+ end
191
+ }
192
+ engine = Authorization::Engine.new(reader)
193
+ assert_equal [{:permission_child => {:permission => {:attr => [:is, 1]}}},
194
+ {:permission_child => {:permission => {:attr => [:is, 2]}}}],
195
+ engine.obligations(:test, :context => :permission_children_children,
196
+ :user => MockUser.new(:test_role))
197
+ end
198
+
199
+ def test_obligations_with_permissions_and_anded_conditions
200
+ reader = Authorization::Reader::DSLReader.new
201
+ reader.parse %{
202
+ authorization do
203
+ role :test_role do
204
+ has_permission_on :permission_children, :to => :test, :join_by => :and do
205
+ if_permitted_to :test, :permission
206
+ if_attribute :test_attr => 1
207
+ end
208
+ has_permission_on :permissions, :to => :test do
209
+ if_attribute :test_attr => 1
210
+ end
211
+ end
212
+ end
213
+ }
214
+ engine = Authorization::Engine.new(reader)
215
+
216
+ assert_equal [{:test_attr => [:is, 1], :permission => {:test_attr => [:is, 1]}}],
217
+ engine.obligations(:test, :context => :permission_children,
218
+ :user => MockUser.new(:test_role))
219
+ end
220
+
221
+ def test_guest_user
222
+ reader = Authorization::Reader::DSLReader.new
223
+ reader.parse %{
224
+ authorization do
225
+ role :guest do
226
+ has_permission_on :permissions, :to => :test
227
+ end
228
+ end
229
+ }
230
+ engine = Authorization::Engine.new(reader)
231
+ assert engine.permit?(:test, :context => :permissions)
232
+ assert !engine.permit?(:test, :context => :permissions_2)
233
+ end
234
+
235
+ def test_invalid_user_model
236
+ reader = Authorization::Reader::DSLReader.new
237
+ reader.parse %{
238
+ authorization do
239
+ role :guest do
240
+ has_permission_on :permissions, :to => :test
241
+ end
242
+ end
243
+ }
244
+ engine = Authorization::Engine.new(reader)
245
+ assert_raise(Authorization::AuthorizationUsageError) do
246
+ engine.permit?(:test, :context => :permissions, :user => MockUser.new(1, 2))
247
+ end
248
+ assert_raise(Authorization::AuthorizationUsageError) do
249
+ engine.permit?(:test, :context => :permissions, :user => MockDataObject.new)
250
+ end
251
+ end
252
+
253
+ def test_role_hierarchy
254
+ reader = Authorization::Reader::DSLReader.new
255
+ reader.parse %{
256
+ authorization do
257
+ role :test_role do
258
+ includes :lower_role
259
+ has_permission_on :permissions, :to => :test
260
+ end
261
+ role :lower_role do
262
+ has_permission_on :permissions, :to => :lower
263
+ end
264
+ end
265
+ }
266
+ engine = Authorization::Engine.new(reader)
267
+ assert engine.permit?(:lower, :context => :permissions,
268
+ :user => MockUser.new(:test_role))
269
+ end
270
+
271
+ def test_role_hierarchy_infinity
272
+ reader = Authorization::Reader::DSLReader.new
273
+ reader.parse %{
274
+ authorization do
275
+ role :test_role do
276
+ includes :lower_role
277
+ has_permission_on :permissions, :to => :test
278
+ end
279
+ role :lower_role do
280
+ includes :higher_role
281
+ has_permission_on :permissions, :to => :lower
282
+ end
283
+ end
284
+ }
285
+ engine = Authorization::Engine.new(reader)
286
+ assert engine.permit?(:lower, :context => :permissions,
287
+ :user => MockUser.new(:test_role))
288
+ end
289
+
290
+ def test_privilege_hierarchy
291
+ reader = Authorization::Reader::DSLReader.new
292
+ reader.parse %{
293
+ privileges do
294
+ privilege :test, :permissions do
295
+ includes :lower
296
+ end
297
+ end
298
+ authorization do
299
+ role :test_role do
300
+ has_permission_on :permissions, :to => :test
301
+ end
302
+ end
303
+ }
304
+ engine = Authorization::Engine.new(reader)
305
+ assert engine.permit?(:lower, :context => :permissions,
306
+ :user => MockUser.new(:test_role))
307
+ end
308
+
309
+ def test_privilege_hierarchy_without_context
310
+ reader = Authorization::Reader::DSLReader.new
311
+ reader.parse %{
312
+ privileges do
313
+ privilege :read do
314
+ includes :list, :show
315
+ end
316
+ end
317
+ authorization do
318
+ role :test_role do
319
+ has_permission_on :permissions, :to => :read
320
+ end
321
+ end
322
+ }
323
+ engine = Authorization::Engine.new(reader)
324
+ assert engine.permit?(:list, :context => :permissions,
325
+ :user => MockUser.new(:test_role))
326
+ end
327
+
328
+ def test_attribute_is
329
+ reader = Authorization::Reader::DSLReader.new
330
+ reader.parse %|
331
+ authorization do
332
+ role :test_role do
333
+ has_permission_on :permissions, :to => :test do
334
+ if_attribute :test_attr => is { user.test_attr }
335
+ if_attribute :test_attr => 3
336
+ end
337
+ end
338
+ end
339
+ |
340
+ engine = Authorization::Engine.new(reader)
341
+ assert engine.permit?(:test, :context => :permissions,
342
+ :user => MockUser.new(:test_role, :test_attr => 1),
343
+ :object => MockDataObject.new(:test_attr => 1))
344
+ assert engine.permit?(:test, :context => :permissions,
345
+ :user => MockUser.new(:test_role, :test_attr => 2),
346
+ :object => MockDataObject.new(:test_attr => 3))
347
+ assert((not(engine.permit?(:test, :context => :permissions,
348
+ :user => MockUser.new(:test_role, :test_attr => 2),
349
+ :object => MockDataObject.new(:test_attr => 1)))))
350
+ end
351
+
352
+ def test_attribute_is_not
353
+ reader = Authorization::Reader::DSLReader.new
354
+ reader.parse %|
355
+ authorization do
356
+ role :test_role do
357
+ has_permission_on :permissions, :to => :test do
358
+ if_attribute :test_attr => is_not { user.test_attr }
359
+ end
360
+ end
361
+ end
362
+ |
363
+ engine = Authorization::Engine.new(reader)
364
+ assert !engine.permit?(:test, :context => :permissions,
365
+ :user => MockUser.new(:test_role, :test_attr => 1),
366
+ :object => MockDataObject.new(:test_attr => 1))
367
+ assert engine.permit?(:test, :context => :permissions,
368
+ :user => MockUser.new(:test_role, :test_attr => 2),
369
+ :object => MockDataObject.new(:test_attr => 1))
370
+ end
371
+
372
+ def test_attribute_contains
373
+ reader = Authorization::Reader::DSLReader.new
374
+ reader.parse %|
375
+ authorization do
376
+ role :test_role do
377
+ has_permission_on :permissions, :to => :test do
378
+ if_attribute :test_attr => contains { user.test_attr }
379
+ end
380
+ end
381
+ end
382
+ |
383
+ engine = Authorization::Engine.new(reader)
384
+ assert engine.permit?(:test, :context => :permissions,
385
+ :user => MockUser.new(:test_role, :test_attr => 1),
386
+ :object => MockDataObject.new(:test_attr => [1,2]))
387
+ assert !engine.permit?(:test, :context => :permissions,
388
+ :user => MockUser.new(:test_role, :test_attr => 3),
389
+ :object => MockDataObject.new(:test_attr => [1,2]))
390
+ end
391
+
392
+ def test_attribute_does_not_contain
393
+ reader = Authorization::Reader::DSLReader.new
394
+ reader.parse %|
395
+ authorization do
396
+ role :test_role do
397
+ has_permission_on :permissions, :to => :test do
398
+ if_attribute :test_attr => does_not_contain { user.test_attr }
399
+ end
400
+ end
401
+ end
402
+ |
403
+ engine = Authorization::Engine.new(reader)
404
+ assert !engine.permit?(:test, :context => :permissions,
405
+ :user => MockUser.new(:test_role, :test_attr => 1),
406
+ :object => MockDataObject.new(:test_attr => [1,2]))
407
+ assert engine.permit?(:test, :context => :permissions,
408
+ :user => MockUser.new(:test_role, :test_attr => 3),
409
+ :object => MockDataObject.new(:test_attr => [1,2]))
410
+ end
411
+
412
+ def test_attribute_in_array
413
+ reader = Authorization::Reader::DSLReader.new
414
+ reader.parse %|
415
+ authorization do
416
+ role :test_role do
417
+ has_permission_on :permissions, :to => :test do
418
+ if_attribute :test_attr => is_in { [1,2] }
419
+ if_attribute :test_attr => [2,3]
420
+ end
421
+ end
422
+ end
423
+ |
424
+ engine = Authorization::Engine.new(reader)
425
+ assert engine.permit?(:test, :context => :permissions,
426
+ :user => MockUser.new(:test_role),
427
+ :object => MockDataObject.new(:test_attr => 1))
428
+ assert engine.permit?(:test, :context => :permissions,
429
+ :user => MockUser.new(:test_role),
430
+ :object => MockDataObject.new(:test_attr => 3))
431
+ assert !engine.permit?(:test, :context => :permissions,
432
+ :user => MockUser.new(:test_role),
433
+ :object => MockDataObject.new(:test_attr => 4))
434
+ end
435
+
436
+ def test_attribute_not_in_array
437
+ reader = Authorization::Reader::DSLReader.new
438
+ reader.parse %|
439
+ authorization do
440
+ role :test_role do
441
+ has_permission_on :permissions, :to => :test do
442
+ if_attribute :test_attr => is_not_in { [1,2] }
443
+ end
444
+ end
445
+ end
446
+ |
447
+ engine = Authorization::Engine.new(reader)
448
+ assert !engine.permit?(:test, :context => :permissions,
449
+ :user => MockUser.new(:test_role),
450
+ :object => MockDataObject.new(:test_attr => 1))
451
+ assert engine.permit?(:test, :context => :permissions,
452
+ :user => MockUser.new(:test_role),
453
+ :object => MockDataObject.new(:test_attr => 4))
454
+ end
455
+
456
+ def test_attribute_intersects_with
457
+ reader = Authorization::Reader::DSLReader.new
458
+ reader.parse %{
459
+ authorization do
460
+ role :test_role do
461
+ has_permission_on :permissions, :to => :test do
462
+ if_attribute :test_attrs => intersects_with { [1,2] }
463
+ end
464
+ end
465
+ role :test_role_2 do
466
+ has_permission_on :permissions, :to => :test do
467
+ if_attribute :test_attrs => intersects_with { 1 }
468
+ end
469
+ end
470
+ end
471
+ }
472
+
473
+ engine = Authorization::Engine.new(reader)
474
+ assert_raise Authorization::AuthorizationUsageError do
475
+ engine.permit?(:test, :context => :permissions,
476
+ :user => MockUser.new(:test_role),
477
+ :object => MockDataObject.new(:test_attrs => 1 ))
478
+ end
479
+ assert_raise Authorization::AuthorizationUsageError do
480
+ engine.permit?(:test, :context => :permissions,
481
+ :user => MockUser.new(:test_role_2),
482
+ :object => MockDataObject.new(:test_attrs => [1, 2] ))
483
+ end
484
+ assert engine.permit?(:test, :context => :permissions,
485
+ :user => MockUser.new(:test_role),
486
+ :object => MockDataObject.new(:test_attrs => [1,3] ))
487
+ assert !engine.permit?(:test, :context => :permissions,
488
+ :user => MockUser.new(:test_role),
489
+ :object => MockDataObject.new(:test_attrs => [3,4] ))
490
+ end
491
+
492
+ def test_attribute_deep
493
+ reader = Authorization::Reader::DSLReader.new
494
+ reader.parse %|
495
+ authorization do
496
+ role :test_role do
497
+ has_permission_on :permissions, :to => :test do
498
+ if_attribute :test_attr_1 => {:test_attr_2 => contains { 1 }}
499
+ end
500
+ end
501
+ end
502
+ |
503
+ engine = Authorization::Engine.new(reader)
504
+ attr_1_struct = Struct.new(:test_attr_2)
505
+ assert engine.permit?(:test, :context => :permissions,
506
+ :user => MockUser.new(:test_role),
507
+ :object => MockDataObject.new(:test_attr_1 => attr_1_struct.new([1,2])))
508
+ assert !engine.permit?(:test, :context => :permissions,
509
+ :user => MockUser.new(:test_role),
510
+ :object => MockDataObject.new(:test_attr_1 => attr_1_struct.new([3,4])))
511
+ assert_equal [{:test_attr_1 => {:test_attr_2 => [:contains, 1]}}],
512
+ engine.obligations(:test, :context => :permissions,
513
+ :user => MockUser.new(:test_role))
514
+ end
515
+
516
+ def test_attribute_non_block
517
+ reader = Authorization::Reader::DSLReader.new
518
+ reader.parse %|
519
+ authorization do
520
+ role :test_role do
521
+ has_permission_on :permissions, :to => :test do
522
+ if_attribute :test_attr => 1
523
+ end
524
+ end
525
+ end
526
+ |
527
+ engine = Authorization::Engine.new(reader)
528
+ assert engine.permit?(:test, :context => :permissions,
529
+ :user => MockUser.new(:test_role),
530
+ :object => MockDataObject.new(:test_attr => 1))
531
+ assert !engine.permit?(:test, :context => :permissions,
532
+ :user => MockUser.new(:test_role),
533
+ :object => MockDataObject.new(:test_attr => 2))
534
+ end
535
+
536
+ def test_attribute_multiple
537
+ reader = Authorization::Reader::DSLReader.new
538
+ reader.parse %{
539
+ authorization do
540
+ role :test_role do
541
+ has_permission_on :permissions, :to => :test do
542
+ if_attribute :test_attr => 1
543
+ if_attribute :test_attr => 2 # or
544
+ end
545
+ end
546
+ end
547
+ }
548
+ engine = Authorization::Engine.new(reader)
549
+ assert engine.permit?(:test, :context => :permissions,
550
+ :user => MockUser.new(:test_role),
551
+ :object => MockDataObject.new(:test_attr => 1))
552
+ assert engine.permit?(:test, :context => :permissions,
553
+ :user => MockUser.new(:test_role),
554
+ :object => MockDataObject.new(:test_attr => 2))
555
+ end
556
+
557
+ class PermissionMock < MockDataObject
558
+ def self.name
559
+ "Permission"
560
+ end
561
+ end
562
+ def test_attribute_with_permissions
563
+ reader = Authorization::Reader::DSLReader.new
564
+ reader.parse %{
565
+ authorization do
566
+ role :test_role do
567
+ has_permission_on :permissions, :to => :test do
568
+ if_attribute :test_attr => 1
569
+ end
570
+ has_permission_on :permission_children, :to => :test do
571
+ if_permitted_to :test, :permission
572
+ end
573
+ end
574
+ end
575
+ }
576
+ engine = Authorization::Engine.new(reader)
577
+
578
+ perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
579
+ perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
580
+ assert engine.permit?(:test, :context => :permission_children,
581
+ :user => MockUser.new(:test_role),
582
+ :object => MockDataObject.new(:permission => perm_data_attr_1))
583
+ assert !engine.permit?(:test, :context => :permission_children,
584
+ :user => MockUser.new(:test_role),
585
+ :object => MockDataObject.new(:permission => perm_data_attr_2))
586
+ end
587
+
588
+ def test_attribute_with_deep_permissions
589
+ reader = Authorization::Reader::DSLReader.new
590
+ reader.parse %{
591
+ authorization do
592
+ role :test_role do
593
+ has_permission_on :permissions, :to => :test do
594
+ if_attribute :test_attr => 1
595
+ end
596
+ has_permission_on :permission_children, :to => :test do
597
+ if_permitted_to :test, :shallow_permission => :permission
598
+ end
599
+ end
600
+ end
601
+ }
602
+ engine = Authorization::Engine.new(reader)
603
+
604
+ perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
605
+ perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
606
+ assert engine.permit?(:test, :context => :permission_children,
607
+ :user => MockUser.new(:test_role),
608
+ :object => MockDataObject.new(:shallow_permission =>
609
+ MockDataObject.new(:permission => perm_data_attr_1)))
610
+ assert !engine.permit?(:test, :context => :permission_children,
611
+ :user => MockUser.new(:test_role),
612
+ :object => MockDataObject.new(:shallow_permission =>
613
+ MockDataObject.new(:permission => perm_data_attr_2)))
614
+ end
615
+
616
+ def test_attribute_with_permissions_nil
617
+ reader = Authorization::Reader::DSLReader.new
618
+ reader.parse %{
619
+ authorization do
620
+ role :test_role do
621
+ has_permission_on :permissions, :to => :test do
622
+ if_attribute :test_attr => 1
623
+ end
624
+ has_permission_on :permission_children, :to => :test do
625
+ if_permitted_to :test, :permission
626
+ end
627
+ end
628
+ end
629
+ }
630
+ engine = Authorization::Engine.new(reader)
631
+
632
+ assert_nothing_raised do
633
+ engine.permit?(:test, :context => :permission_children,
634
+ :user => MockUser.new(:test_role),
635
+ :object => MockDataObject.new(:permission => nil))
636
+ end
637
+
638
+ assert !engine.permit?(:test, :context => :permission_children,
639
+ :user => MockUser.new(:test_role),
640
+ :object => MockDataObject.new(:permission => nil))
641
+ end
642
+
643
+ def test_attribute_with_permissions_on_self
644
+ reader = Authorization::Reader::DSLReader.new
645
+ reader.parse %{
646
+ authorization do
647
+ role :test_role do
648
+ has_permission_on :permissions, :to => :test do
649
+ if_attribute :test_attr => 1
650
+ end
651
+ has_permission_on :permissions, :to => :another_test do
652
+ if_permitted_to :test
653
+ end
654
+ end
655
+ end
656
+ }
657
+ engine = Authorization::Engine.new(reader)
658
+
659
+ perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
660
+ perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
661
+ assert engine.permit?(:another_test, :context => :permissions,
662
+ :user => MockUser.new(:test_role),
663
+ :object => perm_data_attr_1)
664
+ assert !engine.permit?(:another_test, :context => :permissions,
665
+ :user => MockUser.new(:test_role),
666
+ :object => perm_data_attr_2)
667
+ end
668
+
669
+ def test_attribute_with_permissions_on_self_with_context
670
+ reader = Authorization::Reader::DSLReader.new
671
+ reader.parse %{
672
+ authorization do
673
+ role :test_role do
674
+ has_permission_on :permissions, :to => :test do
675
+ if_attribute :test_attr => 1
676
+ end
677
+ has_permission_on :permissions, :to => :another_test do
678
+ if_permitted_to :test, :context => :permissions
679
+ end
680
+ end
681
+ end
682
+ }
683
+ engine = Authorization::Engine.new(reader)
684
+
685
+ perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
686
+ perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
687
+ assert engine.permit?(:another_test, :context => :permissions,
688
+ :user => MockUser.new(:test_role),
689
+ :object => perm_data_attr_1)
690
+ assert !engine.permit?(:another_test, :context => :permissions,
691
+ :user => MockUser.new(:test_role),
692
+ :object => perm_data_attr_2)
693
+ end
694
+
695
+ def test_attribute_with_permissions_and_anded_rules
696
+ reader = Authorization::Reader::DSLReader.new
697
+ reader.parse %{
698
+ authorization do
699
+ role :test_role do
700
+ has_permission_on :permissions, :to => :test do
701
+ if_attribute :test_attr => 1
702
+ end
703
+ has_permission_on :permission_children, :to => :test, :join_by => :and do
704
+ if_permitted_to :test, :permission
705
+ if_attribute :test_attr => 1
706
+ end
707
+ end
708
+ end
709
+ }
710
+ engine = Authorization::Engine.new(reader)
711
+
712
+ perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
713
+ perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
714
+ assert engine.permit?(:test, :context => :permission_children,
715
+ :user => MockUser.new(:test_role),
716
+ :object => MockDataObject.new(:permission => perm_data_attr_1, :test_attr => 1))
717
+ assert !engine.permit?(:test, :context => :permission_children,
718
+ :user => MockUser.new(:test_role),
719
+ :object => MockDataObject.new(:permission => perm_data_attr_2, :test_attr => 1))
720
+ assert !engine.permit?(:test, :context => :permission_children,
721
+ :user => MockUser.new(:test_role),
722
+ :object => MockDataObject.new(:permission => perm_data_attr_1, :test_attr => 2))
723
+ end
724
+
725
+ def test_attribute_with_anded_rules
726
+ reader = Authorization::Reader::DSLReader.new
727
+ reader.parse %{
728
+ authorization do
729
+ role :test_role do
730
+ has_permission_on :permissions, :to => :test, :join_by => :and do
731
+ if_attribute :test_attr => 1
732
+ if_attribute :test_attr_2 => 2
733
+ end
734
+ end
735
+ end
736
+ }
737
+ engine = Authorization::Engine.new(reader)
738
+
739
+ assert engine.permit?(:test, :context => :permissions,
740
+ :user => MockUser.new(:test_role),
741
+ :object => MockDataObject.new(:test_attr => 1, :test_attr_2 => 2))
742
+ assert !engine.permit?(:test, :context => :permissions,
743
+ :user => MockUser.new(:test_role),
744
+ :object => MockDataObject.new(:test_attr => 1, :test_attr_2 => 3))
745
+ end
746
+
747
+ def test_raise_on_if_attribute_hash_on_collection
748
+ reader = Authorization::Reader::DSLReader.new
749
+ reader.parse %{
750
+ authorization do
751
+ role :test_role do
752
+ has_permission_on :permissions, :to => :test do
753
+ if_attribute :test_attrs => {:attr => is {1}}
754
+ end
755
+ end
756
+ end
757
+ }
758
+ engine = Authorization::Engine.new(reader)
759
+ assert_raise Authorization::AuthorizationUsageError do
760
+ engine.permit?(:test, :context => :permissions,
761
+ :user => MockUser.new(:test_role),
762
+ :object => MockDataObject.new(:test_attrs => [1, 2, 3]))
763
+ end
764
+ end
765
+
766
+ def test_role_title_description
767
+ reader = Authorization::Reader::DSLReader.new
768
+ reader.parse %{
769
+ authorization do
770
+ role :test_role, :title => 'Test Role' do
771
+ description "Test Role Description"
772
+ end
773
+ end
774
+ }
775
+ engine = Authorization::Engine.new(reader)
776
+ assert engine.roles.include?(:test_role)
777
+ assert_equal "Test Role", engine.role_titles[:test_role]
778
+ assert_equal "Test Role", engine.title_for(:test_role)
779
+ assert_nil engine.title_for(:test_role_2)
780
+ assert_equal "Test Role Description", engine.role_descriptions[:test_role]
781
+ assert_equal "Test Role Description", engine.description_for(:test_role)
782
+ assert_nil engine.description_for(:test_role_2)
783
+ end
784
+
785
+ def test_multithread
786
+ reader = Authorization::Reader::DSLReader.new
787
+ reader.parse %{
788
+ authorization do
789
+ role :test_role do
790
+ has_permission_on :permissions, :to => :test
791
+ end
792
+ end
793
+ }
794
+
795
+ engine = Authorization::Engine.new(reader)
796
+ Authorization.current_user = MockUser.new(:test_role)
797
+ assert engine.permit?(:test, :context => :permissions)
798
+ Thread.new do
799
+ Authorization.current_user = MockUser.new(:test_role2)
800
+ assert !engine.permit?(:test, :context => :permissions)
801
+ end
802
+ assert engine.permit?(:test, :context => :permissions)
803
+ Authorization.current_user = nil
804
+ end
805
+
806
+ def test_clone
807
+ reader = Authorization::Reader::DSLReader.new
808
+ reader.parse %{
809
+ authorization do
810
+ role :test_role do
811
+ has_permission_on :permissions, :to => :test do
812
+ if_attribute :attr => { :sub_attr => is { user } }
813
+ if_permitted_to :read, :attr_2 => :attr_3
814
+ if_permitted_to :read, :attr_2
815
+ end
816
+ end
817
+ end
818
+ }
819
+
820
+ engine = Authorization::Engine.new(reader)
821
+ cloned_engine = engine.clone
822
+ assert_not_equal engine.auth_rules[0].contexts.object_id,
823
+ cloned_engine.auth_rules[0].contexts.object_id
824
+ assert_not_equal engine.auth_rules[0].attributes[0].send(:instance_variable_get, :@conditions_hash)[:attr].object_id,
825
+ cloned_engine.auth_rules[0].attributes[0].send(:instance_variable_get, :@conditions_hash)[:attr].object_id
826
+ end
827
+ end