declarative_authorization 0.3.2.3

  1. data/CHANGELOG +83 -0
  2. data/MIT-LICENSE +20 -0
  3. data/README.rdoc +510 -0
  4. data/Rakefile +43 -0
  5. data/app/controllers/authorization_rules_controller.rb +259 -0
  6. data/app/controllers/authorization_usages_controller.rb +23 -0
  7. data/app/helpers/authorization_rules_helper.rb +187 -0
  8. data/app/views/authorization_rules/_change.erb +58 -0
  9. data/app/views/authorization_rules/_show_graph.erb +37 -0
  10. data/app/views/authorization_rules/_suggestions.erb +48 -0
  11. data/app/views/authorization_rules/change.html.erb +152 -0
  12. data/app/views/authorization_rules/graph.dot.erb +68 -0
  13. data/app/views/authorization_rules/graph.html.erb +40 -0
  14. data/app/views/authorization_rules/index.html.erb +17 -0
  15. data/app/views/authorization_usages/index.html.erb +36 -0
  16. data/authorization_rules.dist.rb +20 -0
  17. data/config/routes.rb +7 -0
  18. data/garlic_example.rb +20 -0
  19. data/init.rb +5 -0
  20. data/lib/declarative_authorization.rb +15 -0
  21. data/lib/declarative_authorization/authorization.rb +634 -0
  22. data/lib/declarative_authorization/development_support/analyzer.rb +252 -0
  23. data/lib/declarative_authorization/development_support/change_analyzer.rb +253 -0
  24. data/lib/declarative_authorization/development_support/change_supporter.rb +620 -0
  25. data/lib/declarative_authorization/development_support/development_support.rb +243 -0
  26. data/lib/declarative_authorization/helper.rb +60 -0
  27. data/lib/declarative_authorization/in_controller.rb +597 -0
  28. data/lib/declarative_authorization/in_model.rb +159 -0
  29. data/lib/declarative_authorization/maintenance.rb +182 -0
  30. data/lib/declarative_authorization/obligation_scope.rb +308 -0
  31. data/lib/declarative_authorization/rails_legacy.rb +14 -0
  32. data/lib/declarative_authorization/reader.rb +441 -0
  33. data/test/authorization_test.rb +827 -0
  34. data/test/controller_filter_resource_access_test.rb +394 -0
  35. data/test/controller_test.rb +386 -0
  36. data/test/dsl_reader_test.rb +157 -0
  37. data/test/helper_test.rb +171 -0
  38. data/test/maintenance_test.rb +46 -0
  39. data/test/model_test.rb +1308 -0
  40. data/test/schema.sql +54 -0
  41. data/test/test_helper.rb +118 -0
  42. metadata +105 -0
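--- a/data/test/controller_filter_resource_access_test.rb
+++ b/data/test/controller_filter_resource_access_test.rb
@@ -0,0 +1,394 @@
+require File.join(File.dirname(__FILE__), 'test_helper.rb')
+
+class BasicResource < MockDataObject
+def self.name
+"BasicResource"
+end
+end
+class BasicResourcesController < MocksController
+filter_resource_access
+define_resource_actions
+end
+class BasicResourcesControllerTest < ActionController::TestCase
+def test_basic_filter_index
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :allowed_role do
+has_permission_on :basic_resources, :to => :index do
+if_attribute :id => is {"1"}
+end
+end
+end
+}
+
+allowed_user = MockUser.new(:allowed_role)
+request!(MockUser.new(:another_role), :index, reader)
+assert !@controller.authorized?
+request!(allowed_user, :index, reader)
+assert @controller.authorized?
+end
+
+def test_basic_filter_show_with_id
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :allowed_role do
+has_permission_on :basic_resources, :to => :show do
+if_attribute :id => is {"1"}
+end
+end
+end
+}
+
+allowed_user = MockUser.new(:allowed_role)
+request!(allowed_user, :show, reader, :id => "2")
+assert !@controller.authorized?
+request!(allowed_user, :show, reader, :id => "1", :clear => [:@basic_resource])
+assert @controller.authorized?
+end
+
+def test_basic_filter_new_with_params
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :allowed_role do
+has_permission_on :basic_resources, :to => :new do
+if_attribute :id => is {"1"}
+end
+end
+end
+}
+
+allowed_user = MockUser.new(:allowed_role)
+request!(allowed_user, :new, reader, :basic_resource => {:id => "2"})
+assert !@controller.authorized?
+request!(allowed_user, :new, reader, :basic_resource => {:id => "1"},
+:clear => [:@basic_resource])
+assert @controller.authorized?
+end
+end
+
+
+class NestedResource < MockDataObject
+def initialize (attributes = {})
+if attributes[:id]
+attributes[:parent_mock] ||= ParentMock.new(:id => attributes[:id])
+end
+super(attributes)
+end
+def self.name
+"NestedResource"
+end
+end
+class ParentMock < MockDataObject
+def nested_resources
+Class.new do
+def initialize (parent_mock)
+@parent_mock = parent_mock
+end
+def new (attributes = {})
+NestedResource.new(attributes.merge(:parent_mock => @parent_mock))
+end
+end.new(self)
+end
+
+def == (other)
+id == other.id
+end
+def self.name
+"ParentMock"
+end
+end
+class NestedResourcesController < MocksController
+filter_resource_access :nested_in => :parent_mocks
+define_resource_actions
+end
+class NestedResourcesControllerTest < ActionController::TestCase
+def test_nested_filter_index
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :allowed_role do
+has_permission_on :nested_resources, :to => :index do
+if_attribute :parent_mock => is {ParentMock.find("1")}
+end
+end
+end
+}
+
+allowed_user = MockUser.new(:allowed_role)
+request!(MockUser.new(:another_role), :index, reader, :parent_mock_id => "2")
+assert !@controller.authorized?
+request!(allowed_user, :index, reader, :parent_mock_id => "2",
+:clear => [:@nested_resource, :@parent_mock])
+assert !@controller.authorized?
+request!(allowed_user, :index, reader, :parent_mock_id => "1",
+:clear => [:@nested_resource, :@parent_mock])
+assert @controller.authorized?
+end
+
+def test_nested_filter_show_with_id
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :allowed_role do
+has_permission_on :nested_resources, :to => :show do
+if_attribute :parent_mock => is {ParentMock.find("1")}
+end
+end
+end
+}
+
+allowed_user = MockUser.new(:allowed_role)
+request!(allowed_user, :show, reader, :id => "2", :parent_mock_id => "2")
+assert !@controller.authorized?
+request!(allowed_user, :show, reader, :id => "1", :parent_mock_id => "1",
+:clear => [:@nested_resource, :@parent_mock])
+assert @controller.authorized?
+end
+
+def test_nested_filter_new_with_params
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :allowed_role do
+has_permission_on :nested_resources, :to => :new do
+if_attribute :parent_mock => is {ParentMock.find("1")}
+end
+end
+end
+}
+
+allowed_user = MockUser.new(:allowed_role)
+request!(allowed_user, :new, reader, :parent_mock_id => "2",
+:nested_resource => {:id => "2"})
+assert !@controller.authorized?
+request!(allowed_user, :new, reader, :parent_mock_id => "1",
+:nested_resource => {:id => "1"},
+:clear => [:@nested_resource, :@parent_mock])
+assert @controller.authorized?
+end
+end
+
+
+class CustomMembersCollectionsResourceController < MocksController
+def self.controller_name
+"basic_resources"
+end
+filter_resource_access :member => [[:other_show, :read]],
+:collection => {:search => :read}, :new => [:other_new]
+define_action_methods :other_new, :search, :other_show
+end
+class CustomMembersCollectionsResourceControllerTest < ActionController::TestCase
+def test_custom_members_filter_search
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :allowed_role do
+has_permission_on :basic_resources, :to => :read do
+if_attribute :id => is {"1"}
+end
+end
+end
+}
+
+request!(MockUser.new(:another_role), :search, reader)
+assert !@controller.authorized?
+request!(MockUser.new(:allowed_role), :search, reader)
+assert @controller.authorized?
+end
+
+def test_custom_members_filter_other_show
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :allowed_role do
+has_permission_on :basic_resources, :to => :read do
+if_attribute :id => is {"1"}
+end
+end
+end
+}
+
+allowed_user = MockUser.new(:allowed_role)
+request!(allowed_user, :other_show, reader, :id => "2")
+assert !@controller.authorized?
+request!(allowed_user, :other_show, reader, :id => "1", :clear => [:@basic_resource])
+assert @controller.authorized?
+end
+
+def test_custom_members_filter_other_new
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :allowed_role do
+has_permission_on :basic_resources, :to => :other_new do
+if_attribute :id => is {"1"}
+end
+end
+end
+}
+
+allowed_user = MockUser.new(:allowed_role)
+request!(allowed_user, :other_new, reader, :basic_resource => {:id => "2"})
+assert !@controller.authorized?
+request!(allowed_user, :other_new, reader, :basic_resource => {:id => "1"},
+:clear => [:@basic_resource])
+assert @controller.authorized?
+end
+end
+
+
+class AdditionalMembersCollectionsResourceController < MocksController
+def self.controller_name
+"basic_resources"
+end
+filter_resource_access :additional_member => :other_show,
+:additional_collection => [:search], :additional_new => {:other_new => :new}
+define_resource_actions
+define_action_methods :other_new, :search, :other_show
+end
+class AdditionalMembersCollectionsResourceControllerTest < ActionController::TestCase
+def test_additional_members_filter_search_index
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :allowed_role do
+has_permission_on :basic_resources, :to => [:search, :index] do
+if_attribute :id => is {"1"}
+end
+end
+end
+}
+
+request!(MockUser.new(:another_role), :search, reader)
+assert !@controller.authorized?
+request!(MockUser.new(:another_role), :index, reader)
+assert !@controller.authorized?
+request!(MockUser.new(:allowed_role), :search, reader)
+assert @controller.authorized?
+request!(MockUser.new(:allowed_role), :index, reader)
+assert @controller.authorized?
+end
+
+def test_additional_members_filter_other_show
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :allowed_role do
+has_permission_on :basic_resources, :to => [:show, :other_show] do
+if_attribute :id => is {"1"}
+end
+end
+end
+}
+
+allowed_user = MockUser.new(:allowed_role)
+request!(allowed_user, :other_show, reader, :id => "2")
+assert !@controller.authorized?
+request!(allowed_user, :show, reader, :id => "2", :clear => [:@basic_resource])
+assert !@controller.authorized?
+request!(allowed_user, :other_show, reader, :id => "1", :clear => [:@basic_resource])
+assert @controller.authorized?
+request!(allowed_user, :show, reader, :id => "1", :clear => [:@basic_resource])
+assert @controller.authorized?
+end
+
+def test_additional_members_filter_other_new
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :allowed_role do
+has_permission_on :basic_resources, :to => :new do
+if_attribute :id => is {"1"}
+end
+end
+end
+}
+
+allowed_user = MockUser.new(:allowed_role)
+request!(allowed_user, :other_new, reader, :basic_resource => {:id => "2"})
+assert !@controller.authorized?
+request!(allowed_user, :new, reader, :basic_resource => {:id => "2"},
+:clear => [:@basic_resource])
+assert !@controller.authorized?
+
+request!(allowed_user, :other_new, reader, :basic_resource => {:id => "1"},
+:clear => [:@basic_resource])
+assert @controller.authorized?
+request!(allowed_user, :new, reader, :basic_resource => {:id => "1"},
+:clear => [:@basic_resource])
+assert @controller.authorized?
+end
+end
+
+
+class CustomMethodsResourceController < MocksController
+# not implemented yet
+end
+
+
+class ExplicitContextResourceController < MocksController
+filter_resource_access :context => :basic_resources
+define_resource_actions
+end
+class ExplicitContextResourceControllerTest < ActionController::TestCase
+def test_explicit_context_filter_index
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :allowed_role do
+has_permission_on :basic_resources, :to => :index do
+if_attribute :id => is {"1"}
+end
+end
+end
+}
+
+allowed_user = MockUser.new(:allowed_role)
+request!(MockUser.new(:another_role), :index, reader)
+assert !@controller.authorized?
+request!(allowed_user, :index, reader)
+assert @controller.authorized?
+end
+
+def test_explicit_context_filter_show_with_id
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :allowed_role do
+has_permission_on :basic_resources, :to => :show do
+if_attribute :id => is {"1"}
+end
+end
+end
+}
+
+allowed_user = MockUser.new(:allowed_role)
+request!(allowed_user, :show, reader, :id => "2")
+assert !@controller.authorized?
+request!(allowed_user, :show, reader, :id => "1", :clear => [:@basic_resource])
+assert @controller.authorized?
+end
+
+def test_explicit_context_filter_new_with_params
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :allowed_role do
+has_permission_on :basic_resources, :to => :new do
+if_attribute :id => is {"1"}
+end
+end
+end
+}
+
+allowed_user = MockUser.new(:allowed_role)
+request!(allowed_user, :new, reader, :basic_resource => {:id => "2"})
+assert !@controller.authorized?
+request!(allowed_user, :new, reader, :basic_resource => {:id => "1"},
+:clear => [:@basic_resource])
+assert @controller.authorized?
+end
+end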
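Review bot: `ParentMock#==` (file lines 96-98) calls `other.id` unconditionally, so comparing a ParentMock with `nil` or any object that lacks `id` raises NoMethodError instead of returning false; since the `if_attribute :parent_mock => is {ParentMock.find("1")}` rules presumably go through this operator, a guard such as `other.respond_to?(:id) && id == other.id` keeps a mismatch a plain denial rather than an exception, and defining `eql?`/`hash` alongside would make the mock behave consistently as a hash key. The member-action tests (`test_basic_filter_show_with_id`, `*_new_with_params` and their nested and explicit-context variants) exercise only the allowed role with a wrong id; none requests `show` or `new` as `MockUser.new(:another_role)`, so a regression that skipped the role check for member actions and only evaluated the attribute would still pass. `CustomMethodsResourceController` is an empty placeholder carrying only `# not implemented yet`; either drop it or pair it with a pending test so the gap shows up in the test run rather than in a comment.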
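--- a/data/test/controller_test.rb
+++ b/data/test/controller_test.rb
@@ -0,0 +1,386 @@
+require File.join(File.dirname(__FILE__), 'test_helper.rb')
+
+
+class LoadMockObject < MockDataObject
+def self.name
+"LoadMockObject"
+end
+end
+
+##################
+class SpecificMocksController < MocksController
+filter_access_to :test_action, :require => :test, :context => :permissions
+filter_access_to :test_action_2, :require => :test, :context => :permissions_2
+filter_access_to :show
+filter_access_to :edit, :create, :require => :test, :context => :permissions
+filter_access_to :edit_2, :require => :test, :context => :permissions,
+:attribute_check => true, :model => LoadMockObject
+filter_access_to :new, :require => :test, :context => :permissions
+
+filter_access_to [:action_group_action_1, :action_group_action_2]
+define_action_methods :test_action, :test_action_2, :show, :edit, :create,
+:edit_2, :new, :unprotected_action, :action_group_action_1, :action_group_action_2
+end
+
+class BasicControllerTest < ActionController::TestCase
+tests SpecificMocksController
+
+def test_filter_access_to_receiving_an_explicit_array
+reader = Authorization::Reader::DSLReader.new
+
+reader.parse %{
+authorization do
+role :test_action_group_2 do
+has_permission_on :specific_mocks, :to => :action_group_action_2
+end
+end
+}
+
+request!(MockUser.new(:test_action_group_2), "action_group_action_2", reader)
+assert @controller.authorized?
+request!(MockUser.new(:test_action_group_2), "action_group_action_1", reader)
+assert !@controller.authorized?
+request!(nil, "action_group_action_2", reader)
+assert !@controller.authorized?
+end
+
+def test_filter_access
+assert !@controller.class.before_filters.empty?
+
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :permissions, :to => :test
+has_permission_on :specific_mocks, :to => :show
+end
+end
+}
+
+request!(MockUser.new(:test_role), "test_action", reader)
+assert @controller.authorized?
+
+request!(MockUser.new(:test_role), "test_action_2", reader)
+assert !@controller.authorized?
+
+request!(MockUser.new(:test_role_2), "test_action", reader)
+assert_response :forbidden
+assert !@controller.authorized?
+
+request!(MockUser.new(:test_role), "show", reader)
+assert @controller.authorized?
+end
+
+def test_filter_access_multi_actions
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :permissions, :to => :test
+end
+end
+}
+request!(MockUser.new(:test_role), "create", reader)
+assert @controller.authorized?
+end
+
+def test_filter_access_unprotected_actions
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+end
+end
+}
+request!(MockUser.new(:test_role), "unprotected_action", reader)
+assert @controller.authorized?
+end
+
+def test_filter_access_priv_hierarchy
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+privileges do
+privilege :read do
+includes :list, :show
+end
+end
+authorization do
+role :test_role do
+has_permission_on :specific_mocks, :to => :read
+end
+end
+}
+request!(MockUser.new(:test_role), "show", reader)
+assert @controller.authorized?
+end
+
+def test_filter_access_skip_attribute_test
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :permissions, :to => :test do
+if_attribute :id => is { user }
+end
+end
+end
+}
+request!(MockUser.new(:test_role), "new", reader)
+assert @controller.authorized?
+end
+
+def test_existing_instance_var_remains_unchanged
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :permissions, :to => :test do
+if_attribute :id => is { 5 }
+end
+end
+end
+}
+mock_object = MockDataObject.new(:id => 5)
+@controller.send(:instance_variable_set, :"@load_mock_object",
+mock_object)
+request!(MockUser.new(:test_role), "edit_2", reader)
+assert_equal mock_object,
+@controller.send(:instance_variable_get, :"@load_mock_object")
+assert @controller.authorized?
+end
+
+def test_permitted_to_without_context
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :specific_mocks, :to => :test
+end
+end
+}
+@controller.current_user = MockUser.new(:test_role)
+@controller.authorization_engine = Authorization::Engine.new(reader)
+assert @controller.permitted_to?(:test)
+end
+end
+
+
+##################
+class AllMocksController < MocksController
+filter_access_to :all
+filter_access_to :view, :require => :test, :context => :permissions
+define_action_methods :show, :view
+end
+class AllActionsControllerTest < ActionController::TestCase
+tests AllMocksController
+def test_filter_access_all
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :permissions, :to => :test
+has_permission_on :all_mocks, :to => :show
+end
+end
+}
+
+request!(MockUser.new(:test_role), "show", reader)
+assert @controller.authorized?
+
+request!(MockUser.new(:test_role), "view", reader)
+assert @controller.authorized?
+
+request!(MockUser.new(:test_role_2), "show", reader)
+assert !@controller.authorized?
+end
+end
+
+
+##################
+class LoadMockObjectsController < MocksController
+filter_access_to :show, :attribute_check => true, :model => LoadMockObject
+filter_access_to :edit, :attribute_check => true
+filter_access_to :update, :delete, :attribute_check => true,
+:load_method => lambda {MockDataObject.new(:test => 1)}
+filter_access_to :create do
+permitted_to! :edit, :load_mock_objects
+end
+filter_access_to :view, :attribute_check => true, :load_method => :load_method
+def load_method
+MockDataObject.new(:test => 2)
+end
+define_action_methods :show, :edit, :update, :delete, :create, :view
+end
+class LoadObjectControllerTest < ActionController::TestCase
+tests LoadMockObjectsController
+
+def test_filter_access_with_object_load
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :load_mock_objects, :to => [:show, :edit] do
+if_attribute :id => is {"1"}
+end
+end
+end
+}
+
+request!(MockUser.new(:test_role), "show", reader, :id => 2)
+assert !@controller.authorized?
+
+request!(MockUser.new(:test_role), "show", reader, :id => 1,
+:clear => [:@load_mock_object])
+assert @controller.authorized?
+
+request!(MockUser.new(:test_role), "edit", reader, :id => 1,
+:clear => [:@load_mock_object])
+assert @controller.authorized?
+assert @controller.instance_variable_defined?(:@load_mock_object)
+end
+
+def test_filter_access_object_load_without_param
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :load_mock_objects, :to => [:show, :edit] do
+if_attribute :id => is {"1"}
+end
+end
+end
+}
+
+assert_raise RuntimeError, "No id param supplied" do
+request!(MockUser.new(:test_role), "show", reader)
+end
+end
+
+def test_filter_access_with_object_load_custom
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :load_mock_objects, :to => :view do
+if_attribute :test => is {2}
+end
+has_permission_on :load_mock_objects, :to => :update do
+if_attribute :test => is {1}
+end
+has_permission_on :load_mock_objects, :to => :delete do
+if_attribute :test => is {2}
+end
+end
+end
+}
+
+request!(MockUser.new(:test_role), "delete", reader)
+assert !@controller.authorized?
+
+request!(MockUser.new(:test_role), "view", reader)
+assert @controller.authorized?
+
+request!(MockUser.new(:test_role), "update", reader)
+assert @controller.authorized?
+end
+
+def test_filter_access_custom
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :load_mock_objects, :to => :edit
+end
+role :test_role_2 do
+has_permission_on :load_mock_objects, :to => :create
+end
+end
+}
+
+request!(MockUser.new(:test_role), "create", reader)
+assert @controller.authorized?
+
+request!(MockUser.new(:test_role_2), "create", reader)
+assert !@controller.authorized?
+end
+end
+
+
+##################
+class AccessOverwritesController < MocksController
+filter_access_to :test_action, :test_action_2,
+:require => :test, :context => :permissions_2
+filter_access_to :test_action, :require => :test, :context => :permissions
+define_action_methods :test_action, :test_action_2
+end
+class AccessOverwritesControllerTest < ActionController::TestCase
+def test_filter_access_overwrite
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :permissions, :to => :test
+end
+end
+}
+request!(MockUser.new(:test_role), "test_action_2", reader)
+assert !@controller.authorized?
+
+request!(MockUser.new(:test_role), "test_action", reader)
+assert @controller.authorized?
+end
+end
+
+
+##################
+class PeopleController < MocksController
+filter_access_to :all
+define_action_methods :show
+end
+class PluralizationControllerTest < ActionController::TestCase
+tests PeopleController
+
+def test_filter_access_people_controller
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :people, :to => :show
+end
+end
+}
+request!(MockUser.new(:test_role), "show", reader)
+assert @controller.authorized?
+end
+end
+
+
+##################
+class CommonController < MocksController
+filter_access_to :delete, :context => :common
+filter_access_to :all
+end
+class CommonChild1Controller < CommonController
+filter_access_to :all, :context => :context_1
+end
+class CommonChild2Controller < CommonController
+filter_access_to :delete
+define_action_methods :show
+end
+class HierachicalControllerTest < ActionController::TestCase
+tests CommonChild2Controller
+def test_controller_hierarchy
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :mocks, :to => [:delete, :show]
+end
+end
+}
+request!(MockUser.new(:test_role), "show", reader)
+assert !@controller.authorized?
+request!(MockUser.new(:test_role), "delete", reader)
+assert !@controller.authorized?
+end
+end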
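Review bot: In `test_filter_access_object_load_without_param` (file lines 254-256) the second argument to `assert_raise` is the assertion's failure message, not the expected exception message, so `"No id param supplied"` is never compared with what was raised and any RuntimeError from `request!` satisfies the test. If the message is part of the contract, capture the exception and check it: `e = assert_raise(RuntimeError) { request!(MockUser.new(:test_role), "show", reader) }` followed by `assert_equal "No id param supplied", e.message` (test/unit's `assert_raise` returns the raised exception). Across the file only `test_filter_access` pairs a denial with `assert_response :forbidden`; every other denied request asserts just `!@controller.authorized?`, which would not catch a filter that records the denial but still lets the action render, so adding the response assertion to the other denial cases would strengthen the tests. `test_controller_hierarchy` asserts only denials, so an engine that rejected everything would pass it; a positive case on `CommonChild2Controller` with the right context would pin the intended behaviour. As a style point, `@controller.send(:instance_variable_set, ...)` and `send(:instance_variable_get, ...)` wrap public methods in `send` for no reason and read cleaner called directly.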