declarative_authorization 0.4 → 0.4.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/CHANGELOG +4 -0
- data/README.rdoc +26 -33
- data/app/controllers/authorization_rules_controller.rb +1 -1
- data/lib/declarative_authorization/authorization.rb +13 -21
- data/lib/declarative_authorization/in_controller.rb +11 -4
- data/lib/declarative_authorization/maintenance.rb +5 -0
- data/lib/declarative_authorization/obligation_scope.rb +1 -1
- data/lib/declarative_authorization/reader.rb +5 -2
- data/test/controller_filter_resource_access_test.rb +117 -0
- data/test/model_test.rb +476 -300
- data/test/test_helper.rb +4 -1
- metadata +2 -2
data/CHANGELOG
CHANGED
data/README.rdoc
CHANGED
|
@@ -1,23 +1,18 @@
|
|
|
1
1
|
= Declarative Authorization
|
|
2
2
|
|
|
3
3
|
The declarative authorization plugin offers an authorization mechanism inspired
|
|
4
|
-
by _RBAC_. The most notable distinction to
|
|
5
|
-
declarative
|
|
4
|
+
by _RBAC_. The most notable distinction to other authorization plugins is the
|
|
5
|
+
declarative approach. That is, authorization rules are not defined
|
|
6
6
|
programmatically in between business logic but in an authorization configuration.
|
|
7
7
|
|
|
8
|
-
|
|
9
|
-
authorization rules. That is, the developer needs to specify which roles are
|
|
8
|
+
With programmatic authorization rules, the developer needs to specify which roles are
|
|
10
9
|
allowed to access a specific controller action or a part of a view, which is
|
|
11
|
-
not DRY. With a growing application code base
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
certain roles need to be easily adjusted when the original assumptions
|
|
18
|
-
concerning access control prove unrealistic. In these situations, a
|
|
19
|
-
declarative approach as offered by this plugin increases the development
|
|
20
|
-
and maintenance efficiency.
|
|
10
|
+
not DRY. With a growing application code base roles' permissions often
|
|
11
|
+
change and new roles are introduced. Then, at several places of the source code
|
|
12
|
+
the changes have to be implemented, possibly leading to omissions and thus hard
|
|
13
|
+
to find errors. In these cases, a declarative approach as offered by decl_auth
|
|
14
|
+
increases the development and maintenance efficiency.
|
|
15
|
+
|
|
21
16
|
|
|
22
17
|
Plugin features
|
|
23
18
|
* Authorization at controller action level
|
|
@@ -37,6 +32,10 @@ Requirements
|
|
|
37
32
|
See below for installation instructions.
|
|
38
33
|
|
|
39
34
|
|
|
35
|
+
There is a decl_auth screencast by Ryan Bates, nicely introducing the main concepts:
|
|
36
|
+
http://railscasts.com/episodes/188-declarative-authorization
|
|
37
|
+
|
|
38
|
+
|
|
40
39
|
= Authorization Data Model
|
|
41
40
|
|
|
42
41
|
----- App domain ----|-------- Authorization conf ---------|------- App domain ------
|
|
@@ -75,7 +74,7 @@ A fully functional example application can be found at
|
|
|
75
74
|
http://github.com/stffn/decl_auth_demo_app
|
|
76
75
|
|
|
77
76
|
Details on the demonstrated methods can be found in the API docs, either
|
|
78
|
-
generated yourself or at http://www.tzi.org/~sbartsch/declarative_authorization
|
|
77
|
+
generated by yourself or at http://www.tzi.org/~sbartsch/declarative_authorization
|
|
79
78
|
|
|
80
79
|
== Controller
|
|
81
80
|
|
|
@@ -219,7 +218,7 @@ As access control on read are costly, with possibly lots of objects being
|
|
|
219
218
|
loaded at a time in one query, checks on read need to be actived explicitly by
|
|
220
219
|
adding the :include_read option.
|
|
221
220
|
|
|
222
|
-
=== Query rewriting
|
|
221
|
+
=== Query rewriting through named scopes
|
|
223
222
|
When retrieving large sets of records from databases, any authorization needs
|
|
224
223
|
to be integrated into the query in order to prevent inefficient filtering
|
|
225
224
|
afterwards and to use LIMIT and OFFSET in SQL statements. To keep authorization
|
|
@@ -242,7 +241,8 @@ the conditions for manual rewrites.
|
|
|
242
241
|
|
|
243
242
|
== Authorization Rules
|
|
244
243
|
|
|
245
|
-
Authorization rules are defined in config/authorization_rules.rb
|
|
244
|
+
Authorization rules are defined in config/authorization_rules.rb
|
|
245
|
+
(Or redefine rules files path via +Authorization::AUTH_RULE_FILES+). E.g.
|
|
246
246
|
|
|
247
247
|
authorization do
|
|
248
248
|
role :admin do
|
|
@@ -324,8 +324,7 @@ authorization in mind.
|
|
|
324
324
|
|
|
325
325
|
In your test_helper.rb, to enable the helpers add
|
|
326
326
|
|
|
327
|
-
require
|
|
328
|
-
"/../vendor/plugins/declarative_authorization/lib/maintenance")
|
|
327
|
+
require 'declarative_authorization/maintenance'
|
|
329
328
|
|
|
330
329
|
class Test::Unit::TestCase
|
|
331
330
|
include Authorization::TestHelper
|
|
@@ -451,7 +450,7 @@ All bang methods throw exceptions which may be used to retrieve more
|
|
|
451
450
|
information about a denied access than a Boolean value.
|
|
452
451
|
|
|
453
452
|
|
|
454
|
-
== Authorization
|
|
453
|
+
== Authorization Development Support
|
|
455
454
|
|
|
456
455
|
If your authorization rules become more complex, you might be glad to use
|
|
457
456
|
the authorization rules browser that comes with declarative_authorization.
|
|
@@ -468,7 +467,9 @@ Then, point your browser to
|
|
|
468
467
|
|
|
469
468
|
The browser needs Rails 2.3 (for Engine support). The graphical view requires
|
|
470
469
|
Graphviz (which e.g. can be installed through the graphviz package under Debian
|
|
471
|
-
and Ubuntu) and has only been tested under Linux.
|
|
470
|
+
and Ubuntu) and has only been tested under Linux. Note: for Change Support
|
|
471
|
+
you'll need to have a User#login method that returns a non-ambiguous user
|
|
472
|
+
name for identification.
|
|
472
473
|
|
|
473
474
|
|
|
474
475
|
= Help and Contact
|
|
@@ -489,18 +490,10 @@ sbartsch at tzi.org
|
|
|
489
490
|
|
|
490
491
|
= Contributors
|
|
491
492
|
|
|
492
|
-
Thanks to
|
|
493
|
-
|
|
494
|
-
|
|
495
|
-
|
|
496
|
-
* Jeremy Friesen
|
|
497
|
-
* Brian Langenfeld
|
|
498
|
-
* Georg Ledermann
|
|
499
|
-
* Geoff Longman
|
|
500
|
-
* Olly Lylo
|
|
501
|
-
* Mark Mansour
|
|
502
|
-
* Thomas Maurer
|
|
503
|
-
* Mike Vincent
|
|
493
|
+
Thanks to John Joseph Bachir, Eike Carls, Kai Chen, Erik Dahlstrand,
|
|
494
|
+
Jeroen van Dijk, Sebastian Dyck, Jeremy Friesen, Daniel Kristensen, Brian Langenfeld,
|
|
495
|
+
Georg Ledermann, Geoff Longman, Olly Lylo, Mark Mansour, Thomas Maurer,
|
|
496
|
+
Mike Vincent
|
|
504
497
|
|
|
505
498
|
|
|
506
499
|
= Licence
|
|
@@ -37,7 +37,7 @@ class AuthorizationRulesController < ApplicationController
|
|
|
37
37
|
@privileges = authorization_engine.auth_rules.collect {|rule| rule.privileges.to_a}.flatten.uniq
|
|
38
38
|
@privileges = @privileges.collect do |priv|
|
|
39
39
|
priv = Authorization::DevelopmentSupport::AnalyzerEngine::Privilege.for_sym(priv, authorization_engine)
|
|
40
|
-
(priv.descendants + priv.ancestors).map(&:to_sym)
|
|
40
|
+
([priv] + priv.descendants + priv.ancestors).map(&:to_sym)
|
|
41
41
|
end.flatten.uniq
|
|
42
42
|
@privileges.sort_by {|priv| priv.to_s}
|
|
43
43
|
@privilege = params[:privilege].to_sym rescue @privileges.first
|
|
@@ -20,7 +20,7 @@ module Authorization
|
|
|
20
20
|
# The exception is raised to ensure that the entire rule is invalidated.
|
|
21
21
|
class NilAttributeValueError < AuthorizationError; end
|
|
22
22
|
|
|
23
|
-
|
|
23
|
+
AUTH_DSL_FILES = ["#{RAILS_ROOT}/config/authorization_rules.rb"] unless defined? AUTH_DSL_FILES
|
|
24
24
|
|
|
25
25
|
# Controller-independent method for retrieving the current user.
|
|
26
26
|
# Needed for model security where the current controller is not available.
|
|
@@ -62,12 +62,12 @@ module Authorization
|
|
|
62
62
|
:rev_role_hierarchy
|
|
63
63
|
|
|
64
64
|
# If +reader+ is not given, a new one is created with the default
|
|
65
|
-
# authorization configuration of +
|
|
65
|
+
# authorization configuration of +AUTH_DSL_FILES+. If given, may be either
|
|
66
66
|
# a Reader object or a path to a configuration file.
|
|
67
67
|
def initialize (reader = nil)
|
|
68
68
|
if reader.nil?
|
|
69
69
|
begin
|
|
70
|
-
reader = Reader::DSLReader.load(
|
|
70
|
+
reader = Reader::DSLReader.load(AUTH_DSL_FILES)
|
|
71
71
|
rescue SystemCallError
|
|
72
72
|
reader = Reader::DSLReader.new
|
|
73
73
|
end
|
|
@@ -309,18 +309,8 @@ module Authorization
|
|
|
309
309
|
# Returns the privilege hierarchy flattened for given privileges in context.
|
|
310
310
|
def flatten_privileges (privileges, context = nil)
|
|
311
311
|
# TODO caching?
|
|
312
|
-
#if context.nil?
|
|
313
|
-
# context = privileges.collect { |p| p.to_s.split('_') }.
|
|
314
|
-
# reject { |p_p| p_p.length < 2 }.
|
|
315
|
-
# collect { |p_p| (p_p[1..-1] * '_').to_sym }.first
|
|
316
|
-
# raise AuthorizationUsageError, "No context given or inferable from privileges #{privileges.inspect}" unless context
|
|
317
|
-
#end
|
|
318
312
|
raise AuthorizationUsageError, "No context given or inferable from object" unless context
|
|
319
|
-
|
|
320
|
-
# TODO work with contextless privileges
|
|
321
|
-
#flattened_privileges = privileges.collect {|p| p.to_s.sub(context_regex, '')}
|
|
322
|
-
flattened_privileges = privileges.clone #collect {|p| p.to_s.end_with?(context.to_s) ?
|
|
323
|
-
# p : [p, "#{p}_#{context}".to_sym] }.flatten
|
|
313
|
+
flattened_privileges = privileges.clone
|
|
324
314
|
flattened_privileges.each do |priv|
|
|
325
315
|
flattened_privileges.concat(@rev_priv_hierarchy[[priv, nil]]).uniq! if @rev_priv_hierarchy[[priv, nil]]
|
|
326
316
|
flattened_privileges.concat(@rev_priv_hierarchy[[priv, context]]).uniq! if @rev_priv_hierarchy[[priv, context]]
|
|
@@ -427,12 +417,11 @@ module Authorization
|
|
|
427
417
|
(hash || @conditions_hash).all? do |attr, value|
|
|
428
418
|
attr_value = object_attribute_value(object, attr)
|
|
429
419
|
if value.is_a?(Hash)
|
|
430
|
-
|
|
431
|
-
when Enumerable
|
|
420
|
+
if attr_value.is_a?(Enumerable)
|
|
432
421
|
attr_value.any? do |inner_value|
|
|
433
422
|
validate?(attr_validator, inner_value, value)
|
|
434
423
|
end
|
|
435
|
-
|
|
424
|
+
elsif attr_value == nil
|
|
436
425
|
raise NilAttributeValueError, "Attribute #{attr.inspect} is nil in #{object.inspect}."
|
|
437
426
|
else
|
|
438
427
|
validate?(attr_validator, attr_value, value)
|
|
@@ -588,10 +577,9 @@ module Authorization
|
|
|
588
577
|
when Hash
|
|
589
578
|
hash_or_attr.all? do |attr, sub_hash|
|
|
590
579
|
attr_value = object_attribute_value(object, attr)
|
|
591
|
-
|
|
592
|
-
when nil
|
|
580
|
+
if attr_value == nil
|
|
593
581
|
raise NilAttributeValueError, "Attribute #{attr.inspect} is nil in #{object.inspect}."
|
|
594
|
-
|
|
582
|
+
elsif attr_value.is_a?(Enumerable)
|
|
595
583
|
attr_value.any? do |inner_value|
|
|
596
584
|
validate?(attr_validator, inner_value, sub_hash)
|
|
597
585
|
end
|
|
@@ -614,7 +602,11 @@ module Authorization
|
|
|
614
602
|
@context ||= begin
|
|
615
603
|
rule_model = attr_validator.context.to_s.classify.constantize
|
|
616
604
|
context_reflection = self.class.reflection_for_path(rule_model, path + [hash_or_attr])
|
|
617
|
-
context_reflection.klass.
|
|
605
|
+
if context_reflection.klass.respond_to?(:decl_auth_context)
|
|
606
|
+
context_reflection.klass.decl_auth_context
|
|
607
|
+
else
|
|
608
|
+
context_reflection.klass.name.tableize.to_sym
|
|
609
|
+
end
|
|
618
610
|
rescue # missing model, reflections
|
|
619
611
|
hash_or_attr.to_s.pluralize.to_sym
|
|
620
612
|
end
|
|
@@ -416,6 +416,12 @@ module Authorization
|
|
|
416
416
|
# one. This is used to automatically load the parent object, e.g.
|
|
417
417
|
# @+company+ from params[:company_id] for a BranchController nested in
|
|
418
418
|
# a CompanyController.
|
|
419
|
+
# [:+shallow+]
|
|
420
|
+
# Only relevant when used in conjunction with +nested_in+. Specifies a nested resource
|
|
421
|
+
# as being a shallow nested resource, resulting in the controller not attempting to
|
|
422
|
+
# load a parent object for all member actions defined by +member+ and
|
|
423
|
+
# +additional_member+ or rather the default member actions (:+show+, :+edit+,
|
|
424
|
+
# :+update+, :+destroy+).
|
|
419
425
|
# [:+no_attribute_check+]
|
|
420
426
|
# Allows to set actions for which no attribute check should be perfomed.
|
|
421
427
|
# See filter_access_to on details. By default, with no +nested_in+,
|
|
@@ -448,10 +454,11 @@ module Authorization
|
|
|
448
454
|
options[:no_attribute_check] ||= collections.keys unless options[:nested_in]
|
|
449
455
|
|
|
450
456
|
unless options[:nested_in].blank?
|
|
451
|
-
|
|
452
|
-
|
|
453
|
-
|
|
454
|
-
|
|
457
|
+
load_parent_method = :"load_#{options[:nested_in].to_s.singularize}"
|
|
458
|
+
shallow_exceptions = options[:shallow] ? {:except => members.keys} : {}
|
|
459
|
+
before_filter shallow_exceptions do |controller|
|
|
460
|
+
if controller.respond_to?(load_parent_method)
|
|
461
|
+
controller.send(load_parent_method)
|
|
455
462
|
else
|
|
456
463
|
controller.send(:load_parent_controller_object, options[:nested_in])
|
|
457
464
|
end
|
|
@@ -132,6 +132,11 @@ module Authorization
|
|
|
132
132
|
# ...
|
|
133
133
|
# end
|
|
134
134
|
# end
|
|
135
|
+
#
|
|
136
|
+
# Note: get_with etc. do two things to set the user for the request:
|
|
137
|
+
# Authorization.current_user is set and session[:user], session[:user_id]
|
|
138
|
+
# are set appropriately. If you determine the current user in a different
|
|
139
|
+
# way, these methods might not work for you.
|
|
135
140
|
module TestHelper
|
|
136
141
|
include Authorization::Maintenance
|
|
137
142
|
|
|
@@ -151,7 +151,7 @@ module Authorization
|
|
|
151
151
|
map_table_alias_for( path ) # Claim a table alias for the path.
|
|
152
152
|
|
|
153
153
|
# Claim alias for join table
|
|
154
|
-
if reflection.is_a?(ActiveRecord::Reflection::ThroughReflection)
|
|
154
|
+
if !reflection.respond_to?(:proxy_scope) and reflection.is_a?(ActiveRecord::Reflection::ThroughReflection)
|
|
155
155
|
join_table_path = path[0..-2] + [reflection.options[:through]]
|
|
156
156
|
reflection_for(join_table_path, true)
|
|
157
157
|
end
|
|
@@ -66,10 +66,13 @@ module Authorization
|
|
|
66
66
|
end
|
|
67
67
|
|
|
68
68
|
# Loads and parses a DSL from the given file name.
|
|
69
|
-
def self.load (
|
|
69
|
+
def self.load (dsl_files)
|
|
70
70
|
# TODO cache reader in production mode?
|
|
71
71
|
reader = new
|
|
72
|
-
|
|
72
|
+
dsl_files = [dsl_files].flatten
|
|
73
|
+
dsl_files.each do |file|
|
|
74
|
+
reader.parse(File.read(file), file) if File.exist?(file)
|
|
75
|
+
end
|
|
73
76
|
reader
|
|
74
77
|
end
|
|
75
78
|
|
|
@@ -81,6 +81,19 @@ class NestedResource < MockDataObject
|
|
|
81
81
|
"NestedResource"
|
|
82
82
|
end
|
|
83
83
|
end
|
|
84
|
+
|
|
85
|
+
class ShallowNestedResource < MockDataObject
|
|
86
|
+
def initialize (attributes = {})
|
|
87
|
+
if attributes[:id]
|
|
88
|
+
attributes[:parent_mock] ||= ParentMock.new(:id => attributes[:id])
|
|
89
|
+
end
|
|
90
|
+
super(attributes)
|
|
91
|
+
end
|
|
92
|
+
def self.name
|
|
93
|
+
"ShallowNestedResource"
|
|
94
|
+
end
|
|
95
|
+
end
|
|
96
|
+
|
|
84
97
|
class ParentMock < MockDataObject
|
|
85
98
|
def nested_resources
|
|
86
99
|
Class.new do
|
|
@@ -93,6 +106,8 @@ class ParentMock < MockDataObject
|
|
|
93
106
|
end.new(self)
|
|
94
107
|
end
|
|
95
108
|
|
|
109
|
+
alias :shallow_nested_resources :nested_resources
|
|
110
|
+
|
|
96
111
|
def == (other)
|
|
97
112
|
id == other.id
|
|
98
113
|
end
|
|
@@ -100,6 +115,7 @@ class ParentMock < MockDataObject
|
|
|
100
115
|
"ParentMock"
|
|
101
116
|
end
|
|
102
117
|
end
|
|
118
|
+
|
|
103
119
|
class NestedResourcesController < MocksController
|
|
104
120
|
filter_resource_access :nested_in => :parent_mocks
|
|
105
121
|
define_resource_actions
|
|
@@ -171,6 +187,107 @@ class NestedResourcesControllerTest < ActionController::TestCase
|
|
|
171
187
|
end
|
|
172
188
|
end
|
|
173
189
|
|
|
190
|
+
class ShallowNestedResourcesController < MocksController
|
|
191
|
+
filter_resource_access :nested_in => :parent_mocks,
|
|
192
|
+
:shallow => true,
|
|
193
|
+
:additional_member => :additional_member_action
|
|
194
|
+
define_resource_actions
|
|
195
|
+
define_action_methods :additional_member_action
|
|
196
|
+
end
|
|
197
|
+
class ShallowNestedResourcesControllerTest < ActionController::TestCase
|
|
198
|
+
def test_nested_filter_index
|
|
199
|
+
reader = Authorization::Reader::DSLReader.new
|
|
200
|
+
reader.parse %{
|
|
201
|
+
authorization do
|
|
202
|
+
role :allowed_role do
|
|
203
|
+
has_permission_on :shallow_nested_resources, :to => :index do
|
|
204
|
+
if_attribute :parent_mock => is {ParentMock.find("1")}
|
|
205
|
+
end
|
|
206
|
+
end
|
|
207
|
+
end
|
|
208
|
+
}
|
|
209
|
+
|
|
210
|
+
allowed_user = MockUser.new(:allowed_role)
|
|
211
|
+
request!(MockUser.new(:another_role), :index, reader, :parent_mock_id => "2")
|
|
212
|
+
assert !@controller.authorized?
|
|
213
|
+
request!(allowed_user, :index, reader, :parent_mock_id => "2",
|
|
214
|
+
:clear => [:@shallow_nested_resource, :@parent_mock])
|
|
215
|
+
assert !@controller.authorized?
|
|
216
|
+
request!(allowed_user, :index, reader, :parent_mock_id => "1",
|
|
217
|
+
:clear => [:@shallow_nested_resource, :@parent_mock])
|
|
218
|
+
assert assigns(:parent_mock)
|
|
219
|
+
assert @controller.authorized?
|
|
220
|
+
end
|
|
221
|
+
|
|
222
|
+
def test_nested_filter_show_with_id
|
|
223
|
+
reader = Authorization::Reader::DSLReader.new
|
|
224
|
+
reader.parse %{
|
|
225
|
+
authorization do
|
|
226
|
+
role :allowed_role do
|
|
227
|
+
has_permission_on :shallow_nested_resources, :to => :show do
|
|
228
|
+
if_attribute :parent_mock => is {ParentMock.find("1")}
|
|
229
|
+
end
|
|
230
|
+
end
|
|
231
|
+
end
|
|
232
|
+
}
|
|
233
|
+
|
|
234
|
+
allowed_user = MockUser.new(:allowed_role)
|
|
235
|
+
request!(allowed_user, :show, reader, :id => "2", :parent_mock_id => "2")
|
|
236
|
+
assert !@controller.authorized?
|
|
237
|
+
request!(allowed_user, :show, reader, :id => "1",
|
|
238
|
+
:clear => [:@shallow_nested_resource, :@parent_mock])
|
|
239
|
+
assert !assigns(:parent_mock)
|
|
240
|
+
assert assigns(:shallow_nested_resource)
|
|
241
|
+
assert @controller.authorized?
|
|
242
|
+
end
|
|
243
|
+
|
|
244
|
+
def test_nested_filter_new_with_params
|
|
245
|
+
reader = Authorization::Reader::DSLReader.new
|
|
246
|
+
reader.parse %{
|
|
247
|
+
authorization do
|
|
248
|
+
role :allowed_role do
|
|
249
|
+
has_permission_on :shallow_nested_resources, :to => :new do
|
|
250
|
+
if_attribute :parent_mock => is {ParentMock.find("1")}
|
|
251
|
+
end
|
|
252
|
+
end
|
|
253
|
+
end
|
|
254
|
+
}
|
|
255
|
+
|
|
256
|
+
allowed_user = MockUser.new(:allowed_role)
|
|
257
|
+
request!(allowed_user, :new, reader, :parent_mock_id => "2",
|
|
258
|
+
:shallow_nested_resource => {:id => "2"})
|
|
259
|
+
assert !@controller.authorized?
|
|
260
|
+
request!(allowed_user, :new, reader, :parent_mock_id => "1",
|
|
261
|
+
:shallow_nested_resource => {:id => "1"},
|
|
262
|
+
:clear => [:@shallow_nested_resource, :@parent_mock])
|
|
263
|
+
assert assigns(:parent_mock)
|
|
264
|
+
assert assigns(:shallow_nested_resource)
|
|
265
|
+
assert @controller.authorized?
|
|
266
|
+
end
|
|
267
|
+
|
|
268
|
+
def test_nested_filter_additional_member_action_with_id
|
|
269
|
+
reader = Authorization::Reader::DSLReader.new
|
|
270
|
+
reader.parse %{
|
|
271
|
+
authorization do
|
|
272
|
+
role :allowed_role do
|
|
273
|
+
has_permission_on :shallow_nested_resources, :to => :additional_member_action do
|
|
274
|
+
if_attribute :parent_mock => is {ParentMock.find("1")}
|
|
275
|
+
end
|
|
276
|
+
end
|
|
277
|
+
end
|
|
278
|
+
}
|
|
279
|
+
|
|
280
|
+
allowed_user = MockUser.new(:allowed_role)
|
|
281
|
+
request!(allowed_user, :additional_member_action, reader, :id => "2", :parent_mock_id => "2")
|
|
282
|
+
assert !@controller.authorized?
|
|
283
|
+
request!(allowed_user, :additional_member_action, reader, :id => "1",
|
|
284
|
+
:clear => [:@shallow_nested_resource, :@parent_mock])
|
|
285
|
+
assert !assigns(:parent_mock)
|
|
286
|
+
assert assigns(:shallow_nested_resource)
|
|
287
|
+
assert @controller.authorized?
|
|
288
|
+
end
|
|
289
|
+
end
|
|
290
|
+
|
|
174
291
|
|
|
175
292
|
class CustomMembersCollectionsResourceController < MocksController
|
|
176
293
|
def self.controller_name
|
data/test/model_test.rb
CHANGED
|
@@ -40,6 +40,14 @@ class TestModel < ActiveRecord::Base
|
|
|
40
40
|
:through => :test_attrs_with_primary_id, :class_name => "TestAttrThrough",
|
|
41
41
|
:source => :n_way_join_item
|
|
42
42
|
end
|
|
43
|
+
|
|
44
|
+
# for checking for unnecessary queries
|
|
45
|
+
mattr_accessor :query_count
|
|
46
|
+
def self.find(*args)
|
|
47
|
+
self.query_count ||= 0
|
|
48
|
+
self.query_count += 1
|
|
49
|
+
super(*args)
|
|
50
|
+
end
|
|
43
51
|
end
|
|
44
52
|
|
|
45
53
|
class NWayJoinItem < ActiveRecord::Base
|
|
@@ -97,8 +105,8 @@ class Country < ActiveRecord::Base
|
|
|
97
105
|
has_many :companies
|
|
98
106
|
end
|
|
99
107
|
|
|
100
|
-
class
|
|
101
|
-
def
|
|
108
|
+
class NamedScopeModelTest < Test::Unit::TestCase
|
|
109
|
+
def test_multiple_deep_ored_belongs_to
|
|
102
110
|
reader = Authorization::Reader::DSLReader.new
|
|
103
111
|
reader.parse %{
|
|
104
112
|
authorization do
|
|
@@ -111,19 +119,19 @@ class ModelTest < Test::Unit::TestCase
|
|
|
111
119
|
end
|
|
112
120
|
}
|
|
113
121
|
Authorization::Engine.instance(reader)
|
|
114
|
-
|
|
122
|
+
|
|
115
123
|
test_model_1 = TestModel.create!
|
|
116
124
|
test_model_2 = TestModel.create!
|
|
117
125
|
test_attr_1 = TestAttr.create! :test_model_id => test_model_1.id,
|
|
118
126
|
:test_another_model_id => test_model_2.id
|
|
119
|
-
|
|
127
|
+
|
|
120
128
|
user = MockUser.new(:test_role, :id => test_attr_1)
|
|
121
129
|
assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
|
|
122
130
|
TestAttr.delete_all
|
|
123
131
|
TestModel.delete_all
|
|
124
132
|
end
|
|
125
|
-
|
|
126
|
-
def
|
|
133
|
+
|
|
134
|
+
def test_with_belongs_to_and_has_many_with_contains
|
|
127
135
|
reader = Authorization::Reader::DSLReader.new
|
|
128
136
|
reader.parse %{
|
|
129
137
|
authorization do
|
|
@@ -135,11 +143,11 @@ class ModelTest < Test::Unit::TestCase
|
|
|
135
143
|
end
|
|
136
144
|
}
|
|
137
145
|
Authorization::Engine.instance(reader)
|
|
138
|
-
|
|
146
|
+
|
|
139
147
|
test_attr_1 = TestAttr.create!
|
|
140
148
|
test_model_1 = TestModel.create!
|
|
141
149
|
test_model_1.test_attrs.create!
|
|
142
|
-
|
|
150
|
+
|
|
143
151
|
user = MockUser.new(:test_role, :test_attr_value => test_model_1.test_attrs.first.id )
|
|
144
152
|
assert_equal 1, TestAttr.with_permissions_to( :read, :context => :test_attrs, :user => user ).length
|
|
145
153
|
assert_equal 1, TestAttr.with_permissions_to( :read, :user => user ).length
|
|
@@ -150,7 +158,7 @@ class ModelTest < Test::Unit::TestCase
|
|
|
150
158
|
TestModel.delete_all
|
|
151
159
|
end
|
|
152
160
|
|
|
153
|
-
def
|
|
161
|
+
def test_with_nested_has_many
|
|
154
162
|
reader = Authorization::Reader::DSLReader.new
|
|
155
163
|
reader.parse %{
|
|
156
164
|
authorization do
|
|
@@ -180,7 +188,7 @@ class ModelTest < Test::Unit::TestCase
|
|
|
180
188
|
TestAttr.delete_all
|
|
181
189
|
end
|
|
182
190
|
|
|
183
|
-
def
|
|
191
|
+
def test_with_nested_has_many_through
|
|
184
192
|
reader = Authorization::Reader::DSLReader.new
|
|
185
193
|
reader.parse %{
|
|
186
194
|
authorization do
|
|
@@ -209,8 +217,8 @@ class ModelTest < Test::Unit::TestCase
|
|
|
209
217
|
TestAttrThrough.delete_all
|
|
210
218
|
TestAttr.delete_all
|
|
211
219
|
end
|
|
212
|
-
|
|
213
|
-
def
|
|
220
|
+
|
|
221
|
+
def test_with_is
|
|
214
222
|
reader = Authorization::Reader::DSLReader.new
|
|
215
223
|
reader.parse %{
|
|
216
224
|
authorization do
|
|
@@ -222,12 +230,12 @@ class ModelTest < Test::Unit::TestCase
|
|
|
222
230
|
end
|
|
223
231
|
}
|
|
224
232
|
Authorization::Engine.instance(reader)
|
|
225
|
-
|
|
233
|
+
|
|
226
234
|
test_model_1 = TestModel.create!
|
|
227
235
|
TestModel.create!
|
|
228
|
-
|
|
236
|
+
|
|
229
237
|
user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
|
|
230
|
-
assert_equal 1, TestModel.with_permissions_to(:read,
|
|
238
|
+
assert_equal 1, TestModel.with_permissions_to(:read,
|
|
231
239
|
:context => :test_models, :user => user).length
|
|
232
240
|
assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
|
|
233
241
|
assert_raise Authorization::NotAuthorized do
|
|
@@ -278,12 +286,23 @@ class ModelTest < Test::Unit::TestCase
|
|
|
278
286
|
TestModel.create!(:country_id => 2, :content => "Content")
|
|
279
287
|
|
|
280
288
|
user = MockUser.new(:test_role)
|
|
289
|
+
|
|
290
|
+
TestModel.query_count = 0
|
|
281
291
|
assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
|
|
292
|
+
assert_equal 1, TestModel.query_count
|
|
293
|
+
|
|
294
|
+
TestModel.query_count = 0
|
|
282
295
|
assert_equal 1, TestModel.with_content.with_permissions_to(:read, :user => user).length
|
|
296
|
+
assert_equal 1, TestModel.query_count
|
|
297
|
+
|
|
298
|
+
TestModel.query_count = 0
|
|
299
|
+
assert_equal 1, TestModel.with_permissions_to(:read, :user => user).with_content.length
|
|
300
|
+
assert_equal 1, TestModel.query_count
|
|
301
|
+
|
|
283
302
|
TestModel.delete_all
|
|
284
303
|
end
|
|
285
304
|
|
|
286
|
-
def
|
|
305
|
+
def test_with_modified_context
|
|
287
306
|
reader = Authorization::Reader::DSLReader.new
|
|
288
307
|
reader.parse %{
|
|
289
308
|
authorization do
|
|
@@ -304,7 +323,7 @@ class ModelTest < Test::Unit::TestCase
|
|
|
304
323
|
SmallCompany.delete_all
|
|
305
324
|
end
|
|
306
325
|
|
|
307
|
-
def
|
|
326
|
+
def test_with_is_nil
|
|
308
327
|
reader = Authorization::Reader::DSLReader.new
|
|
309
328
|
reader.parse %{
|
|
310
329
|
authorization do
|
|
@@ -332,7 +351,7 @@ class ModelTest < Test::Unit::TestCase
|
|
|
332
351
|
TestModel.delete_all
|
|
333
352
|
end
|
|
334
353
|
|
|
335
|
-
def
|
|
354
|
+
def test_with_not_is
|
|
336
355
|
reader = Authorization::Reader::DSLReader.new
|
|
337
356
|
reader.parse %{
|
|
338
357
|
authorization do
|
|
@@ -352,8 +371,8 @@ class ModelTest < Test::Unit::TestCase
|
|
|
352
371
|
assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
|
|
353
372
|
TestModel.delete_all
|
|
354
373
|
end
|
|
355
|
-
|
|
356
|
-
def
|
|
374
|
+
|
|
375
|
+
def test_with_empty_obligations
|
|
357
376
|
reader = Authorization::Reader::DSLReader.new
|
|
358
377
|
reader.parse %{
|
|
359
378
|
authorization do
|
|
@@ -363,9 +382,9 @@ class ModelTest < Test::Unit::TestCase
|
|
|
363
382
|
end
|
|
364
383
|
}
|
|
365
384
|
Authorization::Engine.instance(reader)
|
|
366
|
-
|
|
385
|
+
|
|
367
386
|
TestModel.create!
|
|
368
|
-
|
|
387
|
+
|
|
369
388
|
user = MockUser.new(:test_role)
|
|
370
389
|
assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
|
|
371
390
|
assert_raise Authorization::NotAuthorized do
|
|
@@ -373,8 +392,8 @@ class ModelTest < Test::Unit::TestCase
|
|
|
373
392
|
end
|
|
374
393
|
TestModel.delete_all
|
|
375
394
|
end
|
|
376
|
-
|
|
377
|
-
def
|
|
395
|
+
|
|
396
|
+
def test_multiple_obligations
|
|
378
397
|
reader = Authorization::Reader::DSLReader.new
|
|
379
398
|
reader.parse %{
|
|
380
399
|
authorization do
|
|
@@ -389,17 +408,17 @@ class ModelTest < Test::Unit::TestCase
|
|
|
389
408
|
end
|
|
390
409
|
}
|
|
391
410
|
Authorization::Engine.instance(reader)
|
|
392
|
-
|
|
411
|
+
|
|
393
412
|
test_model_1 = TestModel.create!
|
|
394
413
|
test_model_2 = TestModel.create!
|
|
395
|
-
|
|
396
|
-
user = MockUser.new(:test_role, :test_attr_value => test_model_1.id,
|
|
414
|
+
|
|
415
|
+
user = MockUser.new(:test_role, :test_attr_value => test_model_1.id,
|
|
397
416
|
:test_attr_value_2 => test_model_2.id)
|
|
398
417
|
assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
|
|
399
418
|
TestModel.delete_all
|
|
400
419
|
end
|
|
401
420
|
|
|
402
|
-
def
|
|
421
|
+
def test_multiple_roles
|
|
403
422
|
reader = Authorization::Reader::DSLReader.new
|
|
404
423
|
reader.parse %{
|
|
405
424
|
authorization do
|
|
@@ -426,8 +445,8 @@ class ModelTest < Test::Unit::TestCase
|
|
|
426
445
|
assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).length
|
|
427
446
|
TestAttr.delete_all
|
|
428
447
|
end
|
|
429
|
-
|
|
430
|
-
def
|
|
448
|
+
|
|
449
|
+
def test_multiple_and_empty_obligations
|
|
431
450
|
reader = Authorization::Reader::DSLReader.new
|
|
432
451
|
reader.parse %{
|
|
433
452
|
authorization do
|
|
@@ -440,16 +459,16 @@ class ModelTest < Test::Unit::TestCase
|
|
|
440
459
|
end
|
|
441
460
|
}
|
|
442
461
|
Authorization::Engine.instance(reader)
|
|
443
|
-
|
|
462
|
+
|
|
444
463
|
test_model_1 = TestModel.create!
|
|
445
464
|
TestModel.create!
|
|
446
|
-
|
|
465
|
+
|
|
447
466
|
user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
|
|
448
467
|
assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
|
|
449
468
|
TestModel.delete_all
|
|
450
469
|
end
|
|
451
|
-
|
|
452
|
-
def
|
|
470
|
+
|
|
471
|
+
def test_multiple_attributes
|
|
453
472
|
reader = Authorization::Reader::DSLReader.new
|
|
454
473
|
reader.parse %{
|
|
455
474
|
authorization do
|
|
@@ -461,17 +480,17 @@ class ModelTest < Test::Unit::TestCase
|
|
|
461
480
|
end
|
|
462
481
|
}
|
|
463
482
|
Authorization::Engine.instance(reader)
|
|
464
|
-
|
|
483
|
+
|
|
465
484
|
test_model_1 = TestModel.create! :content => 'bla'
|
|
466
485
|
TestModel.create! :content => 'bla'
|
|
467
486
|
TestModel.create!
|
|
468
|
-
|
|
487
|
+
|
|
469
488
|
user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
|
|
470
489
|
assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
|
|
471
490
|
TestModel.delete_all
|
|
472
491
|
end
|
|
473
492
|
|
|
474
|
-
def
|
|
493
|
+
def test_multiple_belongs_to
|
|
475
494
|
reader = Authorization::Reader::DSLReader.new
|
|
476
495
|
reader.parse %{
|
|
477
496
|
authorization do
|
|
@@ -491,8 +510,8 @@ class ModelTest < Test::Unit::TestCase
|
|
|
491
510
|
assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
|
|
492
511
|
TestAttr.delete_all
|
|
493
512
|
end
|
|
494
|
-
|
|
495
|
-
def
|
|
513
|
+
|
|
514
|
+
def test_with_is_and_priv_hierarchy
|
|
496
515
|
reader = Authorization::Reader::DSLReader.new
|
|
497
516
|
reader.parse %{
|
|
498
517
|
privileges do
|
|
@@ -509,19 +528,19 @@ class ModelTest < Test::Unit::TestCase
|
|
|
509
528
|
end
|
|
510
529
|
}
|
|
511
530
|
Authorization::Engine.instance(reader)
|
|
512
|
-
|
|
531
|
+
|
|
513
532
|
test_model_1 = TestModel.create!
|
|
514
533
|
TestModel.create!
|
|
515
|
-
|
|
534
|
+
|
|
516
535
|
user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
|
|
517
|
-
assert_equal 1, TestModel.with_permissions_to(:list,
|
|
536
|
+
assert_equal 1, TestModel.with_permissions_to(:list,
|
|
518
537
|
:context => :test_models, :user => user).length
|
|
519
538
|
assert_equal 1, TestModel.with_permissions_to(:list, :user => user).length
|
|
520
|
-
|
|
539
|
+
|
|
521
540
|
TestModel.delete_all
|
|
522
541
|
end
|
|
523
|
-
|
|
524
|
-
def
|
|
542
|
+
|
|
543
|
+
def test_with_is_and_belongs_to
|
|
525
544
|
reader = Authorization::Reader::DSLReader.new
|
|
526
545
|
reader.parse %{
|
|
527
546
|
authorization do
|
|
@@ -533,20 +552,20 @@ class ModelTest < Test::Unit::TestCase
|
|
|
533
552
|
end
|
|
534
553
|
}
|
|
535
554
|
Authorization::Engine.instance(reader)
|
|
536
|
-
|
|
555
|
+
|
|
537
556
|
test_model_1 = TestModel.create!
|
|
538
557
|
test_model_1.test_attrs.create!
|
|
539
558
|
TestModel.create!.test_attrs.create!
|
|
540
|
-
|
|
559
|
+
|
|
541
560
|
user = MockUser.new(:test_role, :test_model => test_model_1)
|
|
542
|
-
assert_equal 1, TestAttr.with_permissions_to(:read,
|
|
561
|
+
assert_equal 1, TestAttr.with_permissions_to(:read,
|
|
543
562
|
:context => :test_attrs, :user => user).length
|
|
544
|
-
|
|
563
|
+
|
|
545
564
|
TestModel.delete_all
|
|
546
565
|
TestAttr.delete_all
|
|
547
566
|
end
|
|
548
|
-
|
|
549
|
-
def
|
|
567
|
+
|
|
568
|
+
def test_with_deep_attribute
|
|
550
569
|
reader = Authorization::Reader::DSLReader.new
|
|
551
570
|
reader.parse %{
|
|
552
571
|
authorization do
|
|
@@ -558,20 +577,20 @@ class ModelTest < Test::Unit::TestCase
|
|
|
558
577
|
end
|
|
559
578
|
}
|
|
560
579
|
Authorization::Engine.instance(reader)
|
|
561
|
-
|
|
580
|
+
|
|
562
581
|
test_model_1 = TestModel.create!
|
|
563
582
|
test_model_1.test_attrs.create!
|
|
564
583
|
TestModel.create!.test_attrs.create!
|
|
565
|
-
|
|
584
|
+
|
|
566
585
|
user = MockUser.new(:test_role, :test_model_id => test_model_1.id)
|
|
567
|
-
assert_equal 1, TestAttr.with_permissions_to(:read,
|
|
586
|
+
assert_equal 1, TestAttr.with_permissions_to(:read,
|
|
568
587
|
:context => :test_attrs, :user => user).length
|
|
569
|
-
|
|
588
|
+
|
|
570
589
|
TestModel.delete_all
|
|
571
590
|
TestAttr.delete_all
|
|
572
591
|
end
|
|
573
|
-
|
|
574
|
-
def
|
|
592
|
+
|
|
593
|
+
def test_with_anded_rules
|
|
575
594
|
reader = Authorization::Reader::DSLReader.new
|
|
576
595
|
reader.parse %{
|
|
577
596
|
authorization do
|
|
@@ -584,21 +603,21 @@ class ModelTest < Test::Unit::TestCase
|
|
|
584
603
|
end
|
|
585
604
|
}
|
|
586
605
|
Authorization::Engine.instance(reader)
|
|
587
|
-
|
|
606
|
+
|
|
588
607
|
test_model_1 = TestModel.create!
|
|
589
608
|
test_model_1.test_attrs.create!(:attr => 1)
|
|
590
609
|
TestModel.create!.test_attrs.create!(:attr => 1)
|
|
591
610
|
TestModel.create!.test_attrs.create!
|
|
592
|
-
|
|
611
|
+
|
|
593
612
|
user = MockUser.new(:test_role, :test_model => test_model_1)
|
|
594
|
-
assert_equal 1, TestAttr.with_permissions_to(:read,
|
|
613
|
+
assert_equal 1, TestAttr.with_permissions_to(:read,
|
|
595
614
|
:context => :test_attrs, :user => user).length
|
|
596
|
-
|
|
615
|
+
|
|
597
616
|
TestModel.delete_all
|
|
598
617
|
TestAttr.delete_all
|
|
599
618
|
end
|
|
600
|
-
|
|
601
|
-
def
|
|
619
|
+
|
|
620
|
+
def test_with_contains
|
|
602
621
|
reader = Authorization::Reader::DSLReader.new
|
|
603
622
|
reader.parse %{
|
|
604
623
|
authorization do
|
|
@@ -610,23 +629,23 @@ class ModelTest < Test::Unit::TestCase
|
|
|
610
629
|
end
|
|
611
630
|
}
|
|
612
631
|
Authorization::Engine.instance(reader)
|
|
613
|
-
|
|
632
|
+
|
|
614
633
|
test_model_1 = TestModel.create!
|
|
615
634
|
test_model_2 = TestModel.create!
|
|
616
635
|
test_model_1.test_attrs.create!
|
|
617
636
|
test_model_1.test_attrs.create!
|
|
618
637
|
test_model_2.test_attrs.create!
|
|
619
|
-
|
|
638
|
+
|
|
620
639
|
user = MockUser.new(:test_role,
|
|
621
640
|
:id => test_model_1.test_attrs.first.id)
|
|
622
641
|
assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
|
|
623
642
|
assert_equal 1, TestModel.with_permissions_to(:read, :user => user).find(:all, :conditions => {:id => test_model_1.id}).length
|
|
624
|
-
|
|
643
|
+
|
|
625
644
|
TestModel.delete_all
|
|
626
645
|
TestAttr.delete_all
|
|
627
646
|
end
|
|
628
647
|
|
|
629
|
-
def
|
|
648
|
+
def test_with_does_not_contain
|
|
630
649
|
reader = Authorization::Reader::DSLReader.new
|
|
631
650
|
reader.parse %{
|
|
632
651
|
authorization do
|
|
@@ -651,8 +670,8 @@ class ModelTest < Test::Unit::TestCase
|
|
|
651
670
|
TestModel.delete_all
|
|
652
671
|
TestAttr.delete_all
|
|
653
672
|
end
|
|
654
|
-
|
|
655
|
-
def
|
|
673
|
+
|
|
674
|
+
def test_with_contains_conditions
|
|
656
675
|
reader = Authorization::Reader::DSLReader.new
|
|
657
676
|
reader.parse %{
|
|
658
677
|
authorization do
|
|
@@ -664,14 +683,14 @@ class ModelTest < Test::Unit::TestCase
|
|
|
664
683
|
end
|
|
665
684
|
}
|
|
666
685
|
Authorization::Engine.instance(reader)
|
|
667
|
-
|
|
686
|
+
|
|
668
687
|
test_model_1 = TestModel.create!
|
|
669
688
|
test_model_2 = TestModel.create!
|
|
670
689
|
test_model_1.test_attrs_with_attr.create!
|
|
671
690
|
test_model_1.test_attrs.create!(:attr => 2)
|
|
672
691
|
test_model_2.test_attrs_with_attr.create!
|
|
673
692
|
test_model_2.test_attrs.create!(:attr => 2)
|
|
674
|
-
|
|
693
|
+
|
|
675
694
|
#assert_equal 1, test_model_1.test_attrs_with_attr.length
|
|
676
695
|
user = MockUser.new(:test_role,
|
|
677
696
|
:id => test_model_1.test_attrs.first.id)
|
|
@@ -679,12 +698,12 @@ class ModelTest < Test::Unit::TestCase
|
|
|
679
698
|
user = MockUser.new(:test_role,
|
|
680
699
|
:id => test_model_1.test_attrs.last.id)
|
|
681
700
|
assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
|
|
682
|
-
|
|
701
|
+
|
|
683
702
|
TestModel.delete_all
|
|
684
703
|
TestAttr.delete_all
|
|
685
704
|
end
|
|
686
|
-
|
|
687
|
-
def
|
|
705
|
+
|
|
706
|
+
def test_with_contains_through_conditions
|
|
688
707
|
reader = Authorization::Reader::DSLReader.new
|
|
689
708
|
reader.parse %{
|
|
690
709
|
authorization do
|
|
@@ -696,14 +715,14 @@ class ModelTest < Test::Unit::TestCase
|
|
|
696
715
|
end
|
|
697
716
|
}
|
|
698
717
|
Authorization::Engine.instance(reader)
|
|
699
|
-
|
|
718
|
+
|
|
700
719
|
test_model_1 = TestModel.create!
|
|
701
720
|
test_model_2 = TestModel.create!
|
|
702
721
|
test_model_1.test_attrs.create!(:attr => 1).test_attr_throughs.create!
|
|
703
722
|
test_model_1.test_attrs.create!(:attr => 2).test_attr_throughs.create!
|
|
704
723
|
test_model_2.test_attrs.create!(:attr => 1).test_attr_throughs.create!
|
|
705
724
|
test_model_2.test_attrs.create!(:attr => 2).test_attr_throughs.create!
|
|
706
|
-
|
|
725
|
+
|
|
707
726
|
#assert_equal 1, test_model_1.test_attrs_with_attr.length
|
|
708
727
|
user = MockUser.new(:test_role,
|
|
709
728
|
:id => test_model_1.test_attr_throughs.first.id)
|
|
@@ -717,7 +736,7 @@ class ModelTest < Test::Unit::TestCase
|
|
|
717
736
|
TestAttr.delete_all
|
|
718
737
|
end
|
|
719
738
|
|
|
720
|
-
def
|
|
739
|
+
def test_with_contains_habtm
|
|
721
740
|
reader = Authorization::Reader::DSLReader.new
|
|
722
741
|
reader.parse %{
|
|
723
742
|
authorization do
|
|
@@ -746,10 +765,10 @@ class ModelTest < Test::Unit::TestCase
|
|
|
746
765
|
TestAttrThrough.delete_all
|
|
747
766
|
TestAttr.delete_all
|
|
748
767
|
end
|
|
749
|
-
|
|
768
|
+
|
|
750
769
|
# take this out for Rails prior to 2.2
|
|
751
770
|
if ([Rails::VERSION::MAJOR, Rails::VERSION::MINOR] <=> [2, 2]) > -1
|
|
752
|
-
def
|
|
771
|
+
def test_with_contains_through_primary_key
|
|
753
772
|
reader = Authorization::Reader::DSLReader.new
|
|
754
773
|
reader.parse %{
|
|
755
774
|
authorization do
|
|
@@ -761,7 +780,7 @@ class ModelTest < Test::Unit::TestCase
|
|
|
761
780
|
end
|
|
762
781
|
}
|
|
763
782
|
Authorization::Engine.instance(reader)
|
|
764
|
-
|
|
783
|
+
|
|
765
784
|
test_attr_through_1 = TestAttrThrough.create!
|
|
766
785
|
test_item = NWayJoinItem.create!
|
|
767
786
|
test_model_1 = TestModel.create!(:test_attr_through_id => test_attr_through_1.id)
|
|
@@ -771,14 +790,14 @@ class ModelTest < Test::Unit::TestCase
|
|
|
771
790
|
user = MockUser.new(:test_role,
|
|
772
791
|
:id => test_attr_through_1.id)
|
|
773
792
|
assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
|
|
774
|
-
|
|
793
|
+
|
|
775
794
|
TestModel.delete_all
|
|
776
795
|
TestAttrThrough.delete_all
|
|
777
796
|
TestAttr.delete_all
|
|
778
797
|
end
|
|
779
798
|
end
|
|
780
799
|
|
|
781
|
-
def
|
|
800
|
+
def test_with_intersects_with
|
|
782
801
|
reader = Authorization::Reader::DSLReader.new
|
|
783
802
|
reader.parse %{
|
|
784
803
|
authorization do
|
|
@@ -809,8 +828,8 @@ class ModelTest < Test::Unit::TestCase
|
|
|
809
828
|
TestModel.delete_all
|
|
810
829
|
TestAttr.delete_all
|
|
811
830
|
end
|
|
812
|
-
|
|
813
|
-
def
|
|
831
|
+
|
|
832
|
+
def test_with_is_and_has_one
|
|
814
833
|
reader = Authorization::Reader::DSLReader.new
|
|
815
834
|
reader.parse %{
|
|
816
835
|
authorization do :test_attr_has_one
|
|
@@ -822,47 +841,20 @@ class ModelTest < Test::Unit::TestCase
|
|
|
822
841
|
end
|
|
823
842
|
}
|
|
824
843
|
Authorization::Engine.instance(reader)
|
|
825
|
-
|
|
844
|
+
|
|
826
845
|
test_model_1 = TestModel.create!
|
|
827
846
|
test_attr_1 = test_model_1.test_attrs.create!
|
|
828
847
|
TestModel.create!.test_attrs.create!
|
|
829
|
-
|
|
848
|
+
|
|
830
849
|
user = MockUser.new(:test_role, :test_attr => test_attr_1)
|
|
831
|
-
assert_equal 1, TestModel.with_permissions_to(:read,
|
|
850
|
+
assert_equal 1, TestModel.with_permissions_to(:read,
|
|
832
851
|
:context => :test_models, :user => user).length
|
|
833
|
-
|
|
834
|
-
TestModel.delete_all
|
|
835
|
-
TestAttr.delete_all
|
|
836
|
-
end
|
|
837
|
-
|
|
838
|
-
def test_permit_with_has_one_raises_no_name_error
|
|
839
|
-
reader = Authorization::Reader::DSLReader.new
|
|
840
|
-
reader.parse %{
|
|
841
|
-
authorization do :test_attr_has_one
|
|
842
|
-
role :test_role do
|
|
843
|
-
has_permission_on :test_attrs, :to => :update do
|
|
844
|
-
if_attribute :id => is { user.test_attr.id }
|
|
845
|
-
end
|
|
846
|
-
end
|
|
847
|
-
end
|
|
848
|
-
}
|
|
849
|
-
instance = Authorization::Engine.instance(reader)
|
|
850
|
-
|
|
851
|
-
test_model = TestModel.create!
|
|
852
|
-
test_attr = test_model.create_test_attr_has_one
|
|
853
|
-
assert !test_attr.new_record?
|
|
854
|
-
|
|
855
|
-
user = MockUser.new(:test_role, :test_attr => test_attr)
|
|
856
|
-
|
|
857
|
-
assert_nothing_raised do
|
|
858
|
-
assert instance.permit?(:update, :user => user, :object => test_model.test_attr_has_one)
|
|
859
|
-
end
|
|
860
|
-
|
|
852
|
+
|
|
861
853
|
TestModel.delete_all
|
|
862
854
|
TestAttr.delete_all
|
|
863
855
|
end
|
|
864
|
-
|
|
865
|
-
def
|
|
856
|
+
|
|
857
|
+
def test_with_is_and_has_one_through_conditions
|
|
866
858
|
reader = Authorization::Reader::DSLReader.new
|
|
867
859
|
reader.parse %{
|
|
868
860
|
authorization do
|
|
@@ -874,14 +866,14 @@ class ModelTest < Test::Unit::TestCase
|
|
|
874
866
|
end
|
|
875
867
|
}
|
|
876
868
|
Authorization::Engine.instance(reader)
|
|
877
|
-
|
|
869
|
+
|
|
878
870
|
test_model_1 = TestModel.create!
|
|
879
871
|
test_model_2 = TestModel.create!
|
|
880
872
|
test_model_1.test_attrs.create!(:attr => 1).test_attr_throughs.create!
|
|
881
873
|
test_model_1.test_attrs.create!(:attr => 2).test_attr_throughs.create!
|
|
882
874
|
test_model_2.test_attrs.create!(:attr => 1).test_attr_throughs.create!
|
|
883
875
|
test_model_2.test_attrs.create!(:attr => 2).test_attr_throughs.create!
|
|
884
|
-
|
|
876
|
+
|
|
885
877
|
#assert_equal 1, test_model_1.test_attrs_with_attr.length
|
|
886
878
|
user = MockUser.new(:test_role,
|
|
887
879
|
:id => test_model_1.test_attr_throughs.first.id)
|
|
@@ -889,13 +881,13 @@ class ModelTest < Test::Unit::TestCase
|
|
|
889
881
|
user = MockUser.new(:test_role,
|
|
890
882
|
:id => test_model_1.test_attr_throughs.last.id)
|
|
891
883
|
assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
|
|
892
|
-
|
|
884
|
+
|
|
893
885
|
TestModel.delete_all
|
|
894
886
|
TestAttr.delete_all
|
|
895
887
|
TestAttrThrough.delete_all
|
|
896
888
|
end
|
|
897
|
-
|
|
898
|
-
def
|
|
889
|
+
|
|
890
|
+
def test_with_is_in
|
|
899
891
|
reader = Authorization::Reader::DSLReader.new
|
|
900
892
|
reader.parse %{
|
|
901
893
|
authorization do
|
|
@@ -907,22 +899,22 @@ class ModelTest < Test::Unit::TestCase
|
|
|
907
899
|
end
|
|
908
900
|
}
|
|
909
901
|
Authorization::Engine.instance(reader)
|
|
910
|
-
|
|
902
|
+
|
|
911
903
|
test_model_1 = TestModel.create!
|
|
912
904
|
test_model_2 = TestModel.create!
|
|
913
905
|
test_model_1.test_attrs.create!
|
|
914
906
|
TestModel.create!.test_attrs.create!
|
|
915
|
-
|
|
907
|
+
|
|
916
908
|
user = MockUser.new(:test_role, :test_model => test_model_1,
|
|
917
909
|
:test_model_2 => test_model_2)
|
|
918
|
-
assert_equal 1, TestAttr.with_permissions_to(:read,
|
|
910
|
+
assert_equal 1, TestAttr.with_permissions_to(:read,
|
|
919
911
|
:context => :test_attrs, :user => user).length
|
|
920
|
-
|
|
912
|
+
|
|
921
913
|
TestModel.delete_all
|
|
922
914
|
TestAttr.delete_all
|
|
923
915
|
end
|
|
924
916
|
|
|
925
|
-
def
|
|
917
|
+
def test_with_not_is_in
|
|
926
918
|
reader = Authorization::Reader::DSLReader.new
|
|
927
919
|
reader.parse %{
|
|
928
920
|
authorization do
|
|
@@ -948,8 +940,8 @@ class ModelTest < Test::Unit::TestCase
|
|
|
948
940
|
TestModel.delete_all
|
|
949
941
|
TestAttr.delete_all
|
|
950
942
|
end
|
|
951
|
-
|
|
952
|
-
def
|
|
943
|
+
|
|
944
|
+
def test_with_if_permitted_to
|
|
953
945
|
reader = Authorization::Reader::DSLReader.new
|
|
954
946
|
reader.parse %{
|
|
955
947
|
authorization do
|
|
@@ -964,17 +956,17 @@ class ModelTest < Test::Unit::TestCase
|
|
|
964
956
|
end
|
|
965
957
|
}
|
|
966
958
|
Authorization::Engine.instance(reader)
|
|
967
|
-
|
|
959
|
+
|
|
968
960
|
test_model_1 = TestModel.create!
|
|
969
961
|
test_attr_1 = test_model_1.test_attrs.create!
|
|
970
|
-
|
|
962
|
+
|
|
971
963
|
user = MockUser.new(:test_role, :id => test_attr_1.id)
|
|
972
964
|
assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
|
|
973
965
|
TestModel.delete_all
|
|
974
966
|
TestAttr.delete_all
|
|
975
967
|
end
|
|
976
968
|
|
|
977
|
-
def
|
|
969
|
+
def test_with_if_permitted_to_with_no_child_permissions
|
|
978
970
|
reader = Authorization::Reader::DSLReader.new
|
|
979
971
|
reader.parse %{
|
|
980
972
|
authorization do
|
|
@@ -1010,12 +1002,12 @@ class ModelTest < Test::Unit::TestCase
|
|
|
1010
1002
|
assert_raise Authorization::NotAuthorized do
|
|
1011
1003
|
TestAttr.with_permissions_to(:read, :user => non_allowed_user).find(:all)
|
|
1012
1004
|
end
|
|
1013
|
-
|
|
1005
|
+
|
|
1014
1006
|
TestModel.delete_all
|
|
1015
1007
|
TestAttr.delete_all
|
|
1016
1008
|
end
|
|
1017
1009
|
|
|
1018
|
-
def
|
|
1010
|
+
def test_with_if_permitted_to_with_context_from_model
|
|
1019
1011
|
reader = Authorization::Reader::DSLReader.new
|
|
1020
1012
|
reader.parse %{
|
|
1021
1013
|
authorization do
|
|
@@ -1043,7 +1035,7 @@ class ModelTest < Test::Unit::TestCase
|
|
|
1043
1035
|
TestAttr.delete_all
|
|
1044
1036
|
end
|
|
1045
1037
|
|
|
1046
|
-
def
|
|
1038
|
+
def test_with_has_many_if_permitted_to
|
|
1047
1039
|
reader = Authorization::Reader::DSLReader.new
|
|
1048
1040
|
reader.parse %{
|
|
1049
1041
|
authorization do
|
|
@@ -1070,7 +1062,7 @@ class ModelTest < Test::Unit::TestCase
|
|
|
1070
1062
|
TestAttr.delete_all
|
|
1071
1063
|
end
|
|
1072
1064
|
|
|
1073
|
-
def
|
|
1065
|
+
def test_with_deep_has_many_if_permitted_to
|
|
1074
1066
|
reader = Authorization::Reader::DSLReader.new
|
|
1075
1067
|
reader.parse %{
|
|
1076
1068
|
authorization do
|
|
@@ -1099,7 +1091,7 @@ class ModelTest < Test::Unit::TestCase
|
|
|
1099
1091
|
TestAttr.delete_all
|
|
1100
1092
|
end
|
|
1101
1093
|
|
|
1102
|
-
def
|
|
1094
|
+
def test_with_if_permitted_to_and_empty_obligations
|
|
1103
1095
|
reader = Authorization::Reader::DSLReader.new
|
|
1104
1096
|
reader.parse %{
|
|
1105
1097
|
authorization do
|
|
@@ -1122,7 +1114,7 @@ class ModelTest < Test::Unit::TestCase
|
|
|
1122
1114
|
TestAttr.delete_all
|
|
1123
1115
|
end
|
|
1124
1116
|
|
|
1125
|
-
def
|
|
1117
|
+
def test_with_if_permitted_to_nil
|
|
1126
1118
|
reader = Authorization::Reader::DSLReader.new
|
|
1127
1119
|
reader.parse %{
|
|
1128
1120
|
authorization do
|
|
@@ -1145,7 +1137,7 @@ class ModelTest < Test::Unit::TestCase
|
|
|
1145
1137
|
TestAttr.delete_all
|
|
1146
1138
|
end
|
|
1147
1139
|
|
|
1148
|
-
def
|
|
1140
|
+
def test_with_if_permitted_to_self
|
|
1149
1141
|
reader = Authorization::Reader::DSLReader.new
|
|
1150
1142
|
reader.parse %{
|
|
1151
1143
|
authorization do
|
|
@@ -1170,265 +1162,449 @@ class ModelTest < Test::Unit::TestCase
|
|
|
1170
1162
|
TestAttr.delete_all
|
|
1171
1163
|
TestModel.delete_all
|
|
1172
1164
|
end
|
|
1173
|
-
|
|
1174
|
-
def
|
|
1165
|
+
|
|
1166
|
+
def test_with_has_many_and_reoccuring_tables
|
|
1175
1167
|
reader = Authorization::Reader::DSLReader.new
|
|
1176
1168
|
reader.parse %{
|
|
1177
1169
|
authorization do
|
|
1178
|
-
role :test_role_unrestricted do
|
|
1179
|
-
has_permission_on :test_model_security_models do
|
|
1180
|
-
to :read, :create, :update, :delete
|
|
1181
|
-
end
|
|
1182
|
-
end
|
|
1183
1170
|
role :test_role do
|
|
1184
|
-
has_permission_on :
|
|
1185
|
-
|
|
1186
|
-
|
|
1171
|
+
has_permission_on :test_attrs, :to => :read do
|
|
1172
|
+
if_attribute :test_another_model => { :content => 'test_1_2' },
|
|
1173
|
+
:test_model => { :content => 'test_1_1' }
|
|
1187
1174
|
end
|
|
1188
1175
|
end
|
|
1189
|
-
role :test_role_restricted do
|
|
1190
|
-
end
|
|
1191
1176
|
end
|
|
1192
1177
|
}
|
|
1193
1178
|
Authorization::Engine.instance(reader)
|
|
1194
|
-
|
|
1195
|
-
|
|
1196
|
-
|
|
1197
|
-
|
|
1198
|
-
|
|
1199
|
-
|
|
1200
|
-
|
|
1201
|
-
|
|
1202
|
-
|
|
1203
|
-
|
|
1204
|
-
|
|
1205
|
-
|
|
1206
|
-
|
|
1207
|
-
|
|
1208
|
-
end
|
|
1209
|
-
|
|
1210
|
-
assert_raise Authorization::AttributeAuthorizationError do
|
|
1211
|
-
TestModelSecurityModel.create :attr => 2
|
|
1212
|
-
end
|
|
1213
|
-
object = TestModelSecurityModel.create
|
|
1214
|
-
assert_raise Authorization::AttributeAuthorizationError do
|
|
1215
|
-
object.update_attributes(:attr => 2)
|
|
1216
|
-
end
|
|
1217
|
-
Authorization.current_user = MockUser.new(:test_role_unrestricted)
|
|
1218
|
-
object = TestModelSecurityModel.create :attr => 2
|
|
1219
|
-
object_with_find = TestModelSecurityModelWithFind.create :attr => 2
|
|
1220
|
-
Authorization.current_user = MockUser.new(:test_role)
|
|
1221
|
-
assert_nothing_raised do
|
|
1222
|
-
object.class.find(object.id)
|
|
1223
|
-
end
|
|
1224
|
-
assert_raise Authorization::AttributeAuthorizationError do
|
|
1225
|
-
object_with_find.class.find(object_with_find.id)
|
|
1226
|
-
end
|
|
1227
|
-
assert_raise Authorization::AttributeAuthorizationError do
|
|
1228
|
-
object.update_attributes(:attr_2 => 2)
|
|
1229
|
-
end
|
|
1230
|
-
# TODO test this:
|
|
1231
|
-
#assert_raise Authorization::AuthorizationError do
|
|
1232
|
-
# object.update_attributes(:attr => 1)
|
|
1233
|
-
#end
|
|
1234
|
-
assert_raise Authorization::AttributeAuthorizationError do
|
|
1235
|
-
object.destroy
|
|
1236
|
-
end
|
|
1237
|
-
|
|
1238
|
-
Authorization.current_user = MockUser.new(:test_role_2)
|
|
1239
|
-
assert_raise Authorization::NotAuthorized do
|
|
1240
|
-
TestModelSecurityModel.create
|
|
1241
|
-
end
|
|
1179
|
+
|
|
1180
|
+
test_attr_1 = TestAttr.create!(
|
|
1181
|
+
:test_model => TestModel.create!(:content => 'test_1_1'),
|
|
1182
|
+
:test_another_model => TestModel.create!(:content => 'test_1_2')
|
|
1183
|
+
)
|
|
1184
|
+
test_attr_2 = TestAttr.create!(
|
|
1185
|
+
:test_model => TestModel.create!(:content => 'test_2_1'),
|
|
1186
|
+
:test_another_model => TestModel.create!(:content => 'test_2_2')
|
|
1187
|
+
)
|
|
1188
|
+
|
|
1189
|
+
user = MockUser.new(:test_role)
|
|
1190
|
+
assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
|
|
1191
|
+
TestModel.delete_all
|
|
1192
|
+
TestAttr.delete_all
|
|
1242
1193
|
end
|
|
1243
|
-
|
|
1244
|
-
def
|
|
1194
|
+
|
|
1195
|
+
def test_with_ored_rules_and_reoccuring_tables
|
|
1245
1196
|
reader = Authorization::Reader::DSLReader.new
|
|
1246
1197
|
reader.parse %{
|
|
1247
1198
|
authorization do
|
|
1248
1199
|
role :test_role do
|
|
1249
|
-
has_permission_on :
|
|
1250
|
-
|
|
1251
|
-
|
|
1200
|
+
has_permission_on :test_attrs, :to => :read do
|
|
1201
|
+
if_attribute :test_another_model => { :content => 'test_1_2' },
|
|
1202
|
+
:test_model => { :content => 'test_1_1' }
|
|
1203
|
+
end
|
|
1204
|
+
has_permission_on :test_attrs, :to => :read do
|
|
1205
|
+
if_attribute :test_another_model => { :content => 'test_2_2' },
|
|
1206
|
+
:test_model => { :test_attrs => contains {user.test_attr} }
|
|
1252
1207
|
end
|
|
1253
1208
|
end
|
|
1254
1209
|
end
|
|
1255
1210
|
}
|
|
1256
1211
|
Authorization::Engine.instance(reader)
|
|
1212
|
+
|
|
1213
|
+
test_attr_1 = TestAttr.create!(
|
|
1214
|
+
:test_model => TestModel.create!(:content => 'test_1_1'),
|
|
1215
|
+
:test_another_model => TestModel.create!(:content => 'test_1_2')
|
|
1216
|
+
)
|
|
1217
|
+
test_attr_2 = TestAttr.create!(
|
|
1218
|
+
:test_model => TestModel.create!(:content => 'test_2_1'),
|
|
1219
|
+
:test_another_model => TestModel.create!(:content => 'test_2_2')
|
|
1220
|
+
)
|
|
1221
|
+
test_attr_2.test_model.test_attrs.create!
|
|
1222
|
+
|
|
1223
|
+
user = MockUser.new(:test_role, :test_attr => test_attr_2.test_model.test_attrs.last)
|
|
1224
|
+
assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).length
|
|
1225
|
+
TestModel.delete_all
|
|
1226
|
+
TestAttr.delete_all
|
|
1227
|
+
end
|
|
1228
|
+
|
|
1229
|
+
def test_with_many_ored_rules_and_reoccuring_tables
|
|
1230
|
+
reader = Authorization::Reader::DSLReader.new
|
|
1231
|
+
reader.parse %{
|
|
1232
|
+
authorization do
|
|
1233
|
+
role :test_role do
|
|
1234
|
+
has_permission_on :test_attrs, :to => :read do
|
|
1235
|
+
if_attribute :branch => { :company => { :country => {
|
|
1236
|
+
:test_models => contains { user.test_model }
|
|
1237
|
+
}} }
|
|
1238
|
+
if_attribute :company => { :country => {
|
|
1239
|
+
:test_models => contains { user.test_model }
|
|
1240
|
+
}}
|
|
1241
|
+
end
|
|
1242
|
+
end
|
|
1243
|
+
end
|
|
1244
|
+
}
|
|
1245
|
+
Authorization::Engine.instance(reader)
|
|
1246
|
+
|
|
1247
|
+
country = Country.create!(:name => 'country_1')
|
|
1248
|
+
country.test_models.create!
|
|
1249
|
+
test_attr_1 = TestAttr.create!(
|
|
1250
|
+
:branch => Branch.create!(:name => 'branch_1',
|
|
1251
|
+
:company => Company.create!(:name => 'company_1',
|
|
1252
|
+
:country => country))
|
|
1253
|
+
)
|
|
1254
|
+
test_attr_2 = TestAttr.create!(
|
|
1255
|
+
:company => Company.create!(:name => 'company_2',
|
|
1256
|
+
:country => country)
|
|
1257
|
+
)
|
|
1258
|
+
|
|
1259
|
+
user = MockUser.new(:test_role, :test_model => country.test_models.first)
|
|
1260
|
+
|
|
1261
|
+
assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).length
|
|
1262
|
+
TestModel.delete_all
|
|
1263
|
+
TestAttr.delete_all
|
|
1264
|
+
end
|
|
1265
|
+
end
|
|
1266
|
+
|
|
1267
|
+
class ModelTest < Test::Unit::TestCase
|
|
1268
|
+
def test_permit_with_has_one_raises_no_name_error
|
|
1269
|
+
reader = Authorization::Reader::DSLReader.new
|
|
1270
|
+
reader.parse %{
|
|
1271
|
+
authorization do :test_attr_has_one
|
|
1272
|
+
role :test_role do
|
|
1273
|
+
has_permission_on :test_attrs, :to => :update do
|
|
1274
|
+
if_attribute :id => is { user.test_attr.id }
|
|
1275
|
+
end
|
|
1276
|
+
end
|
|
1277
|
+
end
|
|
1278
|
+
}
|
|
1279
|
+
instance = Authorization::Engine.instance(reader)
|
|
1280
|
+
|
|
1281
|
+
test_model = TestModel.create!
|
|
1282
|
+
test_attr = test_model.create_test_attr_has_one
|
|
1283
|
+
assert !test_attr.new_record?
|
|
1284
|
+
|
|
1285
|
+
user = MockUser.new(:test_role, :test_attr => test_attr)
|
|
1257
1286
|
|
|
1258
|
-
test_attr = TestAttr.create
|
|
1259
|
-
test_attr.role_symbols << :test_role
|
|
1260
|
-
Authorization.current_user = test_attr
|
|
1261
|
-
assert(object = TestModelSecurityModel.create(:test_attrs => [test_attr]))
|
|
1262
1287
|
assert_nothing_raised do
|
|
1263
|
-
|
|
1288
|
+
assert instance.permit?(:update, :user => user, :object => test_model.test_attr_has_one)
|
|
1264
1289
|
end
|
|
1290
|
+
|
|
1291
|
+
TestModel.delete_all
|
|
1292
|
+
TestAttr.delete_all
|
|
1293
|
+
end
|
|
1294
|
+
|
|
1295
|
+
def test_model_security_write_allowed
|
|
1296
|
+
reader = Authorization::Reader::DSLReader.new
|
|
1297
|
+
reader.parse %{
|
|
1298
|
+
authorization do
|
|
1299
|
+
role :test_role do
|
|
1300
|
+
has_permission_on :test_model_security_models do
|
|
1301
|
+
to :read, :create, :update, :delete
|
|
1302
|
+
if_attribute :attr => is { 1 }
|
|
1303
|
+
end
|
|
1304
|
+
end
|
|
1305
|
+
end
|
|
1306
|
+
}
|
|
1307
|
+
Authorization::Engine.instance(reader)
|
|
1308
|
+
|
|
1309
|
+
Authorization.current_user = MockUser.new(:test_role)
|
|
1310
|
+
assert(object = TestModelSecurityModel.create)
|
|
1311
|
+
|
|
1312
|
+
assert_nothing_raised { object.update_attributes(:attr_2 => 2) }
|
|
1265
1313
|
object.reload
|
|
1266
|
-
assert_equal 2, object.attr_2
|
|
1314
|
+
assert_equal 2, object.attr_2
|
|
1267
1315
|
object.destroy
|
|
1268
1316
|
assert_raise ActiveRecord::RecordNotFound do
|
|
1269
1317
|
TestModelSecurityModel.find(object.id)
|
|
1270
1318
|
end
|
|
1271
1319
|
end
|
|
1272
1320
|
|
|
1273
|
-
def
|
|
1274
|
-
|
|
1275
|
-
|
|
1276
|
-
|
|
1321
|
+
def test_model_security_write_not_allowed_no_privilege
|
|
1322
|
+
reader = Authorization::Reader::DSLReader.new
|
|
1323
|
+
reader.parse %{
|
|
1324
|
+
authorization do
|
|
1325
|
+
role :test_role do
|
|
1326
|
+
has_permission_on :test_model_security_models do
|
|
1327
|
+
to :read, :create, :update, :delete
|
|
1328
|
+
if_attribute :attr => is { 1 }
|
|
1329
|
+
end
|
|
1330
|
+
end
|
|
1331
|
+
role :test_role_restricted do
|
|
1332
|
+
end
|
|
1333
|
+
end
|
|
1334
|
+
}
|
|
1335
|
+
Authorization::Engine.instance(reader)
|
|
1277
1336
|
|
|
1278
|
-
|
|
1337
|
+
Authorization.current_user = MockUser.new(:test_role)
|
|
1338
|
+
assert(object = TestModelSecurityModel.create)
|
|
1339
|
+
|
|
1340
|
+
Authorization.current_user = MockUser.new(:test_role_restricted)
|
|
1341
|
+
assert_raise Authorization::NotAuthorized do
|
|
1342
|
+
object.update_attributes(:attr_2 => 2)
|
|
1343
|
+
end
|
|
1344
|
+
end
|
|
1345
|
+
|
|
1346
|
+
def test_model_security_write_not_allowed_wrong_attribute_value
|
|
1279
1347
|
reader = Authorization::Reader::DSLReader.new
|
|
1280
1348
|
reader.parse %{
|
|
1281
1349
|
authorization do
|
|
1350
|
+
role :test_role_unrestricted do
|
|
1351
|
+
has_permission_on :test_model_security_models do
|
|
1352
|
+
to :read, :create, :update, :delete
|
|
1353
|
+
end
|
|
1354
|
+
end
|
|
1282
1355
|
role :test_role do
|
|
1283
|
-
has_permission_on :
|
|
1284
|
-
|
|
1356
|
+
has_permission_on :test_model_security_models do
|
|
1357
|
+
to :read, :create, :update, :delete
|
|
1358
|
+
if_attribute :attr => is { 1 }
|
|
1285
1359
|
end
|
|
1286
1360
|
end
|
|
1287
1361
|
end
|
|
1288
1362
|
}
|
|
1289
|
-
|
|
1363
|
+
Authorization::Engine.instance(reader)
|
|
1364
|
+
|
|
1365
|
+
Authorization.current_user = MockUser.new(:test_role)
|
|
1366
|
+
assert(object = TestModelSecurityModel.create)
|
|
1367
|
+
assert_raise Authorization::AttributeAuthorizationError do
|
|
1368
|
+
TestModelSecurityModel.create :attr => 2
|
|
1369
|
+
end
|
|
1370
|
+
object = TestModelSecurityModel.create
|
|
1371
|
+
assert_raise Authorization::AttributeAuthorizationError do
|
|
1372
|
+
object.update_attributes(:attr => 2)
|
|
1373
|
+
end
|
|
1374
|
+
object.reload
|
|
1290
1375
|
|
|
1291
|
-
|
|
1292
|
-
|
|
1293
|
-
|
|
1294
|
-
|
|
1295
|
-
|
|
1296
|
-
|
|
1376
|
+
assert_nothing_raised do
|
|
1377
|
+
object.update_attributes(:attr_2 => 1)
|
|
1378
|
+
end
|
|
1379
|
+
assert_raise Authorization::AttributeAuthorizationError do
|
|
1380
|
+
object.update_attributes(:attr => 2)
|
|
1381
|
+
end
|
|
1297
1382
|
end
|
|
1298
1383
|
|
|
1299
|
-
def
|
|
1384
|
+
def test_model_security_with_and_without_find_restrictions
|
|
1300
1385
|
reader = Authorization::Reader::DSLReader.new
|
|
1301
1386
|
reader.parse %{
|
|
1302
1387
|
authorization do
|
|
1303
|
-
role :
|
|
1304
|
-
has_permission_on :
|
|
1305
|
-
|
|
1306
|
-
|
|
1388
|
+
role :test_role_unrestricted do
|
|
1389
|
+
has_permission_on :test_model_security_models do
|
|
1390
|
+
to :read, :create, :update, :delete
|
|
1391
|
+
end
|
|
1392
|
+
end
|
|
1393
|
+
role :test_role do
|
|
1394
|
+
has_permission_on :test_model_security_models do
|
|
1395
|
+
to :read, :create, :update, :delete
|
|
1396
|
+
if_attribute :attr => is { 1 }
|
|
1307
1397
|
end
|
|
1308
1398
|
end
|
|
1399
|
+
end
|
|
1400
|
+
}
|
|
1401
|
+
Authorization::Engine.instance(reader)
|
|
1309
1402
|
|
|
1310
|
-
|
|
1311
|
-
|
|
1312
|
-
|
|
1313
|
-
|
|
1403
|
+
Authorization.current_user = MockUser.new(:test_role_unrestricted)
|
|
1404
|
+
object = TestModelSecurityModel.create :attr => 2
|
|
1405
|
+
object_with_find = TestModelSecurityModelWithFind.create :attr => 2
|
|
1406
|
+
Authorization.current_user = MockUser.new(:test_role)
|
|
1407
|
+
assert_nothing_raised do
|
|
1408
|
+
object.class.find(object.id)
|
|
1409
|
+
end
|
|
1410
|
+
assert_raise Authorization::AttributeAuthorizationError do
|
|
1411
|
+
object_with_find.class.find(object_with_find.id)
|
|
1412
|
+
end
|
|
1413
|
+
end
|
|
1414
|
+
|
|
1415
|
+
def test_model_security_delete_unallowed
|
|
1416
|
+
reader = Authorization::Reader::DSLReader.new
|
|
1417
|
+
reader.parse %{
|
|
1418
|
+
authorization do
|
|
1419
|
+
role :test_role_unrestricted do
|
|
1420
|
+
has_permission_on :test_model_security_models do
|
|
1421
|
+
to :read, :create, :update, :delete
|
|
1422
|
+
end
|
|
1423
|
+
end
|
|
1424
|
+
role :test_role do
|
|
1425
|
+
has_permission_on :test_model_security_models do
|
|
1426
|
+
to :read, :create, :update, :delete
|
|
1427
|
+
if_attribute :attr => is { 1 }
|
|
1314
1428
|
end
|
|
1315
1429
|
end
|
|
1316
1430
|
end
|
|
1317
1431
|
}
|
|
1318
1432
|
Authorization::Engine.instance(reader)
|
|
1319
1433
|
|
|
1320
|
-
|
|
1321
|
-
|
|
1322
|
-
|
|
1323
|
-
test_model_2.test_attrs.create!.test_attr_throughs.create!
|
|
1434
|
+
Authorization.current_user = MockUser.new(:test_role_unrestricted)
|
|
1435
|
+
object = TestModelSecurityModel.create :attr => 2
|
|
1436
|
+
Authorization.current_user = MockUser.new(:test_role)
|
|
1324
1437
|
|
|
1325
|
-
|
|
1326
|
-
|
|
1327
|
-
|
|
1328
|
-
assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
|
|
1329
|
-
TestModel.delete_all
|
|
1330
|
-
TestAttr.delete_all
|
|
1331
|
-
TestAttrThrough.delete_all
|
|
1438
|
+
assert_raise Authorization::AttributeAuthorizationError do
|
|
1439
|
+
object.destroy
|
|
1440
|
+
end
|
|
1332
1441
|
end
|
|
1333
1442
|
|
|
1334
|
-
def
|
|
1443
|
+
def test_model_security_changing_critical_attribute_unallowed
|
|
1335
1444
|
reader = Authorization::Reader::DSLReader.new
|
|
1336
1445
|
reader.parse %{
|
|
1337
1446
|
authorization do
|
|
1447
|
+
role :test_role_unrestricted do
|
|
1448
|
+
has_permission_on :test_model_security_models do
|
|
1449
|
+
to :read, :create, :update, :delete
|
|
1450
|
+
end
|
|
1451
|
+
end
|
|
1338
1452
|
role :test_role do
|
|
1339
|
-
has_permission_on :
|
|
1340
|
-
|
|
1341
|
-
|
|
1453
|
+
has_permission_on :test_model_security_models do
|
|
1454
|
+
to :read, :create, :update, :delete
|
|
1455
|
+
if_attribute :attr => is { 1 }
|
|
1342
1456
|
end
|
|
1343
1457
|
end
|
|
1344
1458
|
end
|
|
1345
1459
|
}
|
|
1346
1460
|
Authorization::Engine.instance(reader)
|
|
1347
1461
|
|
|
1348
|
-
|
|
1349
|
-
|
|
1350
|
-
|
|
1351
|
-
)
|
|
1352
|
-
test_attr_2 = TestAttr.create!(
|
|
1353
|
-
:test_model => TestModel.create!(:content => 'test_2_1'),
|
|
1354
|
-
:test_another_model => TestModel.create!(:content => 'test_2_2')
|
|
1355
|
-
)
|
|
1462
|
+
Authorization.current_user = MockUser.new(:test_role_unrestricted)
|
|
1463
|
+
object = TestModelSecurityModel.create :attr => 2
|
|
1464
|
+
Authorization.current_user = MockUser.new(:test_role)
|
|
1356
1465
|
|
|
1357
|
-
|
|
1358
|
-
|
|
1359
|
-
|
|
1360
|
-
|
|
1466
|
+
# TODO before not checked yet
|
|
1467
|
+
#assert_raise Authorization::AuthorizationError do
|
|
1468
|
+
# object.update_attributes(:attr => 1)
|
|
1469
|
+
#end
|
|
1470
|
+
end
|
|
1471
|
+
|
|
1472
|
+
def test_model_security_no_role_unallowed
|
|
1473
|
+
reader = Authorization::Reader::DSLReader.new
|
|
1474
|
+
reader.parse %{
|
|
1475
|
+
authorization do
|
|
1476
|
+
end
|
|
1477
|
+
}
|
|
1478
|
+
Authorization::Engine.instance(reader)
|
|
1479
|
+
|
|
1480
|
+
Authorization.current_user = MockUser.new(:test_role_2)
|
|
1481
|
+
assert_raise Authorization::NotAuthorized do
|
|
1482
|
+
TestModelSecurityModel.create
|
|
1483
|
+
end
|
|
1361
1484
|
end
|
|
1362
1485
|
|
|
1363
|
-
def
|
|
1486
|
+
def test_model_security_with_assoc
|
|
1364
1487
|
reader = Authorization::Reader::DSLReader.new
|
|
1365
1488
|
reader.parse %{
|
|
1366
1489
|
authorization do
|
|
1367
1490
|
role :test_role do
|
|
1368
|
-
has_permission_on :
|
|
1369
|
-
|
|
1370
|
-
|
|
1491
|
+
has_permission_on :test_model_security_models do
|
|
1492
|
+
to :create, :update, :delete
|
|
1493
|
+
if_attribute :test_attrs => contains { user }
|
|
1371
1494
|
end
|
|
1372
|
-
|
|
1373
|
-
|
|
1374
|
-
|
|
1495
|
+
end
|
|
1496
|
+
end
|
|
1497
|
+
}
|
|
1498
|
+
Authorization::Engine.instance(reader)
|
|
1499
|
+
|
|
1500
|
+
test_attr = TestAttr.create
|
|
1501
|
+
test_attr.role_symbols << :test_role
|
|
1502
|
+
Authorization.current_user = test_attr
|
|
1503
|
+
assert(object = TestModelSecurityModel.create(:test_attrs => [test_attr]))
|
|
1504
|
+
assert_nothing_raised do
|
|
1505
|
+
object.update_attributes(:attr_2 => 2)
|
|
1506
|
+
end
|
|
1507
|
+
object.reload
|
|
1508
|
+
assert_equal 2, object.attr_2
|
|
1509
|
+
object.destroy
|
|
1510
|
+
assert_raise ActiveRecord::RecordNotFound do
|
|
1511
|
+
TestModelSecurityModel.find(object.id)
|
|
1512
|
+
end
|
|
1513
|
+
end
|
|
1514
|
+
|
|
1515
|
+
def test_model_security_with_update_attrbributes
|
|
1516
|
+
reader = Authorization::Reader::DSLReader.new
|
|
1517
|
+
reader.parse %{
|
|
1518
|
+
authorization do
|
|
1519
|
+
role :test_role do
|
|
1520
|
+
has_permission_on :test_model_security_models, :to => :update do
|
|
1521
|
+
if_attribute :test_attrs => { :branch => is { user.branch }}
|
|
1375
1522
|
end
|
|
1376
1523
|
end
|
|
1377
1524
|
end
|
|
1378
1525
|
}
|
|
1379
1526
|
Authorization::Engine.instance(reader)
|
|
1380
1527
|
|
|
1381
|
-
|
|
1382
|
-
|
|
1383
|
-
|
|
1384
|
-
|
|
1385
|
-
|
|
1386
|
-
|
|
1387
|
-
|
|
1388
|
-
|
|
1389
|
-
|
|
1528
|
+
params = {
|
|
1529
|
+
:model_data => { :attr => 11 }
|
|
1530
|
+
}
|
|
1531
|
+
|
|
1532
|
+
test_attr = TestAttr.create!(:branch => Branch.create!)
|
|
1533
|
+
test_model = without_access_control do
|
|
1534
|
+
TestModelSecurityModel.create!(:test_attrs => [test_attr])
|
|
1535
|
+
end
|
|
1536
|
+
|
|
1537
|
+
with_user MockUser.new(:test_role, :branch => test_attr.branch) do
|
|
1538
|
+
assert_nothing_raised do
|
|
1539
|
+
test_model.update_attributes(params[:model_data])
|
|
1540
|
+
end
|
|
1541
|
+
end
|
|
1542
|
+
assert_equal params[:model_data][:attr], test_model.reload.attr
|
|
1390
1543
|
|
|
1391
|
-
user = MockUser.new(:test_role, :test_attr => test_attr_2.test_model.test_attrs.last)
|
|
1392
|
-
assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).length
|
|
1393
|
-
TestModel.delete_all
|
|
1394
1544
|
TestAttr.delete_all
|
|
1545
|
+
TestModelSecurityModel.delete_all
|
|
1546
|
+
Branch.delete_all
|
|
1547
|
+
end
|
|
1548
|
+
|
|
1549
|
+
def test_using_access_control
|
|
1550
|
+
assert !TestModel.using_access_control?
|
|
1551
|
+
assert TestModelSecurityModel.using_access_control?
|
|
1395
1552
|
end
|
|
1396
1553
|
|
|
1397
|
-
def
|
|
1554
|
+
def test_authorization_permit_association_proxy
|
|
1398
1555
|
reader = Authorization::Reader::DSLReader.new
|
|
1399
1556
|
reader.parse %{
|
|
1400
1557
|
authorization do
|
|
1401
1558
|
role :test_role do
|
|
1402
1559
|
has_permission_on :test_attrs, :to => :read do
|
|
1403
|
-
if_attribute :
|
|
1404
|
-
:test_models => contains { user.test_model }
|
|
1405
|
-
}} }
|
|
1406
|
-
if_attribute :company => { :country => {
|
|
1407
|
-
:test_models => contains { user.test_model }
|
|
1408
|
-
}}
|
|
1560
|
+
if_attribute :test_model => {:content => "content" }
|
|
1409
1561
|
end
|
|
1410
1562
|
end
|
|
1411
1563
|
end
|
|
1412
1564
|
}
|
|
1413
|
-
Authorization::Engine.instance(reader)
|
|
1565
|
+
engine = Authorization::Engine.instance(reader)
|
|
1414
1566
|
|
|
1415
|
-
|
|
1416
|
-
|
|
1417
|
-
|
|
1418
|
-
|
|
1419
|
-
|
|
1420
|
-
|
|
1421
|
-
|
|
1422
|
-
test_attr_2 = TestAttr.create!(
|
|
1423
|
-
:company => Company.create!(:name => 'company_2',
|
|
1424
|
-
:country => country)
|
|
1425
|
-
)
|
|
1567
|
+
test_model = TestModel.create(:content => "content")
|
|
1568
|
+
assert engine.permit?(:read, :object => test_model.test_attrs,
|
|
1569
|
+
:user => MockUser.new(:test_role))
|
|
1570
|
+
assert !engine.permit?(:read, :object => TestAttr.new,
|
|
1571
|
+
:user => MockUser.new(:test_role))
|
|
1572
|
+
TestModel.delete_all
|
|
1573
|
+
end
|
|
1426
1574
|
|
|
1427
|
-
|
|
1575
|
+
def test_multiple_roles_with_has_many_through
|
|
1576
|
+
reader = Authorization::Reader::DSLReader.new
|
|
1577
|
+
reader.parse %{
|
|
1578
|
+
authorization do
|
|
1579
|
+
role :test_role_1 do
|
|
1580
|
+
has_permission_on :test_models, :to => :read do
|
|
1581
|
+
if_attribute :test_attr_throughs => contains {user.test_attr_through_id},
|
|
1582
|
+
:content => 'test_1'
|
|
1583
|
+
end
|
|
1584
|
+
end
|
|
1428
1585
|
|
|
1429
|
-
|
|
1586
|
+
role :test_role_2 do
|
|
1587
|
+
has_permission_on :test_models, :to => :read do
|
|
1588
|
+
if_attribute :test_attr_throughs_2 => contains {user.test_attr_through_2_id},
|
|
1589
|
+
:content => 'test_2'
|
|
1590
|
+
end
|
|
1591
|
+
end
|
|
1592
|
+
end
|
|
1593
|
+
}
|
|
1594
|
+
Authorization::Engine.instance(reader)
|
|
1595
|
+
|
|
1596
|
+
test_model_1 = TestModel.create! :content => 'test_1'
|
|
1597
|
+
test_model_2 = TestModel.create! :content => 'test_2'
|
|
1598
|
+
test_model_1.test_attrs.create!.test_attr_throughs.create!
|
|
1599
|
+
test_model_2.test_attrs.create!.test_attr_throughs.create!
|
|
1600
|
+
|
|
1601
|
+
user = MockUser.new(:test_role_1, :test_role_2,
|
|
1602
|
+
:test_attr_through_id => test_model_1.test_attr_throughs.first.id,
|
|
1603
|
+
:test_attr_through_2_id => test_model_2.test_attr_throughs.first.id)
|
|
1604
|
+
assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
|
|
1430
1605
|
TestModel.delete_all
|
|
1431
1606
|
TestAttr.delete_all
|
|
1607
|
+
TestAttrThrough.delete_all
|
|
1432
1608
|
end
|
|
1433
1609
|
|
|
1434
1610
|
def test_model_permitted_to
|