declarative_authorization 0.4 → 0.4.1

data/CHANGELOG CHANGED
@@ -1,3 +1,7 @@
1
+ * Support shallow nested resources [jjb]
2
+
3
+ * Allow multiple authorization rules files [kaichen]
4
+
1
5
  ** RELEASE 0.4 (November 15, 2009) **
2
6
 
3
7
  * Implemented controller namespace handling [sb]
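Review bot: The two new entries are added above "** RELEASE 0.4 (November 15, 2009) **" without a "** RELEASE 0.4.1 ... **" heading, so the CHANGELOG never says which version or date they belong to even though this diff is the 0.4.1 release. Two further user-visible changes in this patch are missing here as well: the public constant AUTH_DSL_FILE is renamed to AUTH_DSL_FILES (an app referencing the old name now gets a NameError), and the context inferred for associated models changes from the table name to the class name (`klass.name.tableize`) with a new `decl_auth_context` class-method hook. Both belong in the log so that upgraders know to check their rules files.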
data/README.rdoc CHANGED
@@ -1,23 +1,18 @@
1
1
  = Declarative Authorization
2
2
 
3
3
  The declarative authorization plugin offers an authorization mechanism inspired
4
- by _RBAC_. The most notable distinction to existing authorization plugins is the
5
- declarative authorization approach. That is, authorization rules are not
4
+ by _RBAC_. The most notable distinction to other authorization plugins is the
5
+ declarative approach. That is, authorization rules are not defined
6
6
  programmatically in between business logic but in an authorization configuration.
7
7
 
8
- Currently, Rails authorization plugins only provide for programmatic
9
- authorization rules. That is, the developer needs to specify which roles are
8
+ With programmatic authorization rules, the developer needs to specify which roles are
10
9
  allowed to access a specific controller action or a part of a view, which is
11
- not DRY. With a growing application code base and functions, as it happens
12
- especially in agile development processes, it may be decided to introduce new
13
- roles. Then, at several places of the source code the new group needs to be
14
- added, possibly leading to omissions and thus hard to test errors. Another
15
- aspect are changing authorization requirements in development or
16
- even after taking the application into production. Then, privileges of
17
- certain roles need to be easily adjusted when the original assumptions
18
- concerning access control prove unrealistic. In these situations, a
19
- declarative approach as offered by this plugin increases the development
20
- and maintenance efficiency.
10
+ not DRY. With a growing application code base roles' permissions often
11
+ change and new roles are introduced. Then, at several places of the source code
12
+ the changes have to be implemented, possibly leading to omissions and thus hard
13
+ to find errors. In these cases, a declarative approach as offered by decl_auth
14
+ increases the development and maintenance efficiency.
15
+
21
16
 
22
17
  Plugin features
23
18
  * Authorization at controller action level
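Review bot: The rewritten paragraph switches from "this plugin" to "decl_auth" (`a declarative approach as offered by decl_auth`) without ever saying that decl_auth is short for declarative_authorization; a first-time reader of the README will not know the abbreviation. Either keep "this plugin" or introduce the short name once at the top ("Declarative Authorization (decl_auth)"). Otherwise the tightened wording is an improvement over the old version.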
@@ -37,6 +32,10 @@ Requirements
37
32
  See below for installation instructions.
38
33
 
39
34
 
35
+ There is a decl_auth screencast by Ryan Bates, nicely introducing the main concepts:
36
+ http://railscasts.com/episodes/188-declarative-authorization
37
+
38
+
40
39
  = Authorization Data Model
41
40
 
42
41
  ----- App domain ----|-------- Authorization conf ---------|------- App domain ------
@@ -75,7 +74,7 @@ A fully functional example application can be found at
75
74
  http://github.com/stffn/decl_auth_demo_app
76
75
 
77
76
  Details on the demonstrated methods can be found in the API docs, either
78
- generated yourself or at http://www.tzi.org/~sbartsch/declarative_authorization
77
+ generated by yourself or at http://www.tzi.org/~sbartsch/declarative_authorization
79
78
 
80
79
  == Controller
81
80
 
@@ -219,7 +218,7 @@ As access control on read are costly, with possibly lots of objects being
219
218
  loaded at a time in one query, checks on read need to be actived explicitly by
220
219
  adding the :include_read option.
221
220
 
222
- === Query rewriting using named scopes
221
+ === Query rewriting through named scopes
223
222
  When retrieving large sets of records from databases, any authorization needs
224
223
  to be integrated into the query in order to prevent inefficient filtering
225
224
  afterwards and to use LIMIT and OFFSET in SQL statements. To keep authorization
@@ -242,7 +241,8 @@ the conditions for manual rewrites.
242
241
 
243
242
  == Authorization Rules
244
243
 
245
- Authorization rules are defined in config/authorization_rules.rb. E.g.
244
+ Authorization rules are defined in config/authorization_rules.rb
245
+ (Or redefine rules files path via +Authorization::AUTH_RULE_FILES+). E.g.
246
246
 
247
247
  authorization do
248
248
  role :admin do
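Review bot: The constant name given here, `Authorization::AUTH_RULE_FILES`, does not exist; the code in this same patch defines `AUTH_DSL_FILES` (`AUTH_DSL_FILES = ["#{RAILS_ROOT}/config/authorization_rules.rb"] unless defined? AUTH_DSL_FILES`). Anyone following the README will define a constant that is never read and silently keep the single default file, which is a bad failure mode for authorization configuration. Fix the name, and say when it has to be set: because of the `unless defined?` guard the override must exist before lib/declarative_authorization/authorization.rb is loaded, so a file in config/initializers is too late for both the gem and the vendored plugin.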
@@ -324,8 +324,7 @@ authorization in mind.
324
324
 
325
325
  In your test_helper.rb, to enable the helpers add
326
326
 
327
- require File.expand_path(File.dirname(__FILE__) +
328
- "/../vendor/plugins/declarative_authorization/lib/maintenance")
327
+ require 'declarative_authorization/maintenance'
329
328
 
330
329
  class Test::Unit::TestCase
331
330
  include Authorization::TestHelper
@@ -451,7 +450,7 @@ All bang methods throw exceptions which may be used to retrieve more
451
450
  information about a denied access than a Boolean value.
452
451
 
453
452
 
454
- == Authorization Browser
453
+ == Authorization Development Support
455
454
 
456
455
  If your authorization rules become more complex, you might be glad to use
457
456
  the authorization rules browser that comes with declarative_authorization.
@@ -468,7 +467,9 @@ Then, point your browser to
468
467
 
469
468
  The browser needs Rails 2.3 (for Engine support). The graphical view requires
470
469
  Graphviz (which e.g. can be installed through the graphviz package under Debian
471
- and Ubuntu) and has only been tested under Linux.
470
+ and Ubuntu) and has only been tested under Linux. Note: for Change Support
471
+ you'll need to have a User#login method that returns a non-ambiguous user
472
+ name for identification.
472
473
 
473
474
 
474
475
  = Help and Contact
@@ -489,18 +490,10 @@ sbartsch at tzi.org
489
490
 
490
491
  = Contributors
491
492
 
492
- Thanks to
493
- * Eike Carls
494
- * Erik Dahlstrand
495
- * Jeroen van Dijk
496
- * Jeremy Friesen
497
- * Brian Langenfeld
498
- * Georg Ledermann
499
- * Geoff Longman
500
- * Olly Lylo
501
- * Mark Mansour
502
- * Thomas Maurer
503
- * Mike Vincent
493
+ Thanks to John Joseph Bachir, Eike Carls, Kai Chen, Erik Dahlstrand,
494
+ Jeroen van Dijk, Sebastian Dyck, Jeremy Friesen, Daniel Kristensen, Brian Langenfeld,
495
+ Georg Ledermann, Geoff Longman, Olly Lylo, Mark Mansour, Thomas Maurer,
496
+ Mike Vincent
504
497
 
505
498
 
506
499
  = Licence
@@ -37,7 +37,7 @@ class AuthorizationRulesController < ApplicationController
37
37
  @privileges = authorization_engine.auth_rules.collect {|rule| rule.privileges.to_a}.flatten.uniq
38
38
  @privileges = @privileges.collect do |priv|
39
39
  priv = Authorization::DevelopmentSupport::AnalyzerEngine::Privilege.for_sym(priv, authorization_engine)
40
- (priv.descendants + priv.ancestors).map(&:to_sym)
40
+ ([priv] + priv.descendants + priv.ancestors).map(&:to_sym)
41
41
  end.flatten.uniq
42
42
  @privileges.sort_by {|priv| priv.to_s}
43
43
  @privilege = params[:privilege].to_sym rescue @privileges.first
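Review bot: The change itself is correct (`([priv] + priv.descendants + priv.ancestors)`; before, a privilege with neither descendants nor ancestors vanished from @privileges). Two problems remain on the visible neighbouring lines, though. `@privileges.sort_by {|priv| priv.to_s}` discards its result, since sort_by is non-destructive, so the list is never actually sorted; assign it (`@privileges = @privileges.sort_by {|priv| priv.to_s}`). And `params[:privilege].to_sym rescue @privileges.first` interns arbitrary request input as a Symbol; on the Ruby versions Rails 2.3 runs on, symbols are never garbage-collected, so look the parameter up against the known list instead, e.g. `@privilege = @privileges.detect {|p| p.to_s == params[:privilege]} || @privileges.first`. This is the development-support browser, but it is still a mounted controller.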
@@ -20,7 +20,7 @@ module Authorization
20
20
  # The exception is raised to ensure that the entire rule is invalidated.
21
21
  class NilAttributeValueError < AuthorizationError; end
22
22
 
23
- AUTH_DSL_FILE = "#{RAILS_ROOT}/config/authorization_rules.rb"
23
+ AUTH_DSL_FILES = ["#{RAILS_ROOT}/config/authorization_rules.rb"] unless defined? AUTH_DSL_FILES
24
24
 
25
25
  # Controller-independent method for retrieving the current user.
26
26
  # Needed for model security where the current controller is not available.
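Review bot: Renaming AUTH_DSL_FILE to AUTH_DSL_FILES removes a public constant with no alias, so any application or test helper that referenced `Authorization::AUTH_DSL_FILE` now raises NameError, and the CHANGELOG entry ("Allow multiple authorization rules files") does not mention it; keep `AUTH_DSL_FILE = AUTH_DSL_FILES.first` for one release, or at least document the rename. The `unless defined? AUTH_DSL_FILES` guard is also the only override mechanism, which means the list must be defined inside `module Authorization` before this file is required; that ordering constraint (initializers run after plugins and gems are loaded) should be stated where the constant is documented, and the README hunk above uses a different name (AUTH_RULE_FILES) for it.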
@@ -62,12 +62,12 @@ module Authorization
62
62
  :rev_role_hierarchy
63
63
 
64
64
  # If +reader+ is not given, a new one is created with the default
65
- # authorization configuration of +AUTH_DSL_FILE+. If given, may be either
65
+ # authorization configuration of +AUTH_DSL_FILES+. If given, may be either
66
66
  # a Reader object or a path to a configuration file.
67
67
  def initialize (reader = nil)
68
68
  if reader.nil?
69
69
  begin
70
- reader = Reader::DSLReader.load(AUTH_DSL_FILE)
70
+ reader = Reader::DSLReader.load(AUTH_DSL_FILES)
71
71
  rescue SystemCallError
72
72
  reader = Reader::DSLReader.new
73
73
  end
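Review bot: With `DSLReader.load` now skipping any path that fails `File.exist?`, the `rescue SystemCallError` around `Reader::DSLReader.load(AUTH_DSL_FILES)` no longer sees the common case of a missing rules file; what it still catches is e.g. EACCES on a file that exists but is unreadable, and in that case it quietly substitutes an empty reader. Either way the outcome of a mistyped path or a permission problem is now an engine with no rules, which denies everything without saying why. Log a warning naming each skipped or unreadable file (RAILS_DEFAULT_LOGGER is available here), or raise when none of the configured files could be read, so that the problem surfaces at boot rather than as unexplained NotAuthorized errors.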
@@ -309,18 +309,8 @@ module Authorization
309
309
  # Returns the privilege hierarchy flattened for given privileges in context.
310
310
  def flatten_privileges (privileges, context = nil)
311
311
  # TODO caching?
312
- #if context.nil?
313
- # context = privileges.collect { |p| p.to_s.split('_') }.
314
- # reject { |p_p| p_p.length < 2 }.
315
- # collect { |p_p| (p_p[1..-1] * '_').to_sym }.first
316
- # raise AuthorizationUsageError, "No context given or inferable from privileges #{privileges.inspect}" unless context
317
- #end
318
312
  raise AuthorizationUsageError, "No context given or inferable from object" unless context
319
- #context_regex = Regexp.new "_#{context}$"
320
- # TODO work with contextless privileges
321
- #flattened_privileges = privileges.collect {|p| p.to_s.sub(context_regex, '')}
322
- flattened_privileges = privileges.clone #collect {|p| p.to_s.end_with?(context.to_s) ?
323
- # p : [p, "#{p}_#{context}".to_sym] }.flatten
313
+ flattened_privileges = privileges.clone
324
314
  flattened_privileges.each do |priv|
325
315
  flattened_privileges.concat(@rev_priv_hierarchy[[priv, nil]]).uniq! if @rev_priv_hierarchy[[priv, nil]]
326
316
  flattened_privileges.concat(@rev_priv_hierarchy[[priv, context]]).uniq! if @rev_priv_hierarchy[[priv, context]]
@@ -427,12 +417,11 @@ module Authorization
427
417
  (hash || @conditions_hash).all? do |attr, value|
428
418
  attr_value = object_attribute_value(object, attr)
429
419
  if value.is_a?(Hash)
430
- case attr_value
431
- when Enumerable
420
+ if attr_value.is_a?(Enumerable)
432
421
  attr_value.any? do |inner_value|
433
422
  validate?(attr_validator, inner_value, value)
434
423
  end
435
- when nil
424
+ elsif attr_value == nil
436
425
  raise NilAttributeValueError, "Attribute #{attr.inspect} is nil in #{object.inspect}."
437
426
  else
438
427
  validate?(attr_validator, attr_value, value)
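Review bot: `elsif attr_value == nil` is better written `elsif attr_value.nil?`. More importantly, the `case attr_value when Enumerable ... when nil` form that is replaced here (and again in the second validate? site below) is semantically identical to the new `if/elsif` (`case` dispatches on `===`, which for a module is `is_a?` and for nil is `==`), so a reader cannot tell whether this is a style change or a fix for some object whose `===` behaved unexpectedly. Say which in the commit message or a one-line comment; if it was a real bug, a test should pin it.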
@@ -588,10 +577,9 @@ module Authorization
588
577
  when Hash
589
578
  hash_or_attr.all? do |attr, sub_hash|
590
579
  attr_value = object_attribute_value(object, attr)
591
- case attr_value
592
- when nil
580
+ if attr_value == nil
593
581
  raise NilAttributeValueError, "Attribute #{attr.inspect} is nil in #{object.inspect}."
594
- when Enumerable
582
+ elsif attr_value.is_a?(Enumerable)
595
583
  attr_value.any? do |inner_value|
596
584
  validate?(attr_validator, inner_value, sub_hash)
597
585
  end
@@ -614,7 +602,11 @@ module Authorization
614
602
  @context ||= begin
615
603
  rule_model = attr_validator.context.to_s.classify.constantize
616
604
  context_reflection = self.class.reflection_for_path(rule_model, path + [hash_or_attr])
617
- context_reflection.klass.table_name.to_sym
605
+ if context_reflection.klass.respond_to?(:decl_auth_context)
606
+ context_reflection.klass.decl_auth_context
607
+ else
608
+ context_reflection.klass.name.tableize.to_sym
609
+ end
618
610
  rescue # missing model, reflections
619
611
  hash_or_attr.to_s.pluralize.to_sym
620
612
  end
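Review bot: Switching from `context_reflection.klass.table_name.to_sym` to `klass.name.tableize.to_sym` changes the inferred context for every model whose table name differs from its class name (set_table_name, table_name_prefix/suffix, namespaced models): rules written against the old table-based context silently stop matching, and because the engine grants only what a rule matches, affected users lose access with nothing pointing at the cause. That is a behaviour change and needs a CHANGELOG entry, together with the new `decl_auth_context` class-method hook that this hunk introduces and the README does not mention. The bare `rescue # missing model, reflections` below also swallows every StandardError, including a NameError from a mistyped association, and falls back to `hash_or_attr.to_s.pluralize.to_sym`; narrow it to the exceptions you expect or log the fallback, since a wrong context again means a rule that never matches.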
@@ -416,6 +416,12 @@ module Authorization
416
416
  # one. This is used to automatically load the parent object, e.g.
417
417
  # @+company+ from params[:company_id] for a BranchController nested in
418
418
  # a CompanyController.
419
+ # [:+shallow+]
420
+ # Only relevant when used in conjunction with +nested_in+. Specifies a nested resource
421
+ # as being a shallow nested resource, resulting in the controller not attempting to
422
+ # load a parent object for all member actions defined by +member+ and
423
+ # +additional_member+ or rather the default member actions (:+show+, :+edit+,
424
+ # :+update+, :+destroy+).
419
425
  # [:+no_attribute_check+]
420
426
  # Allows to set actions for which no attribute check should be perfomed.
421
427
  # See filter_access_to on details. By default, with no +nested_in+,
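Review bot: The sentence "for all member actions defined by +member+ and +additional_member+ or rather the default member actions (:+show+, :+edit+, :+update+, :+destroy+)" is hard to parse. Suggest: "the parent object is not loaded for member actions, i.e. the default ones (:show, :edit, :update, :destroy) or those given with :member, plus any :additional_member actions." The doc should also spell out the security consequence: for those actions the object is located by params[:id] alone rather than through the parent, so the rule's if_attribute conditions must constrain the object itself (for instance via its parent association), otherwise any record of that type becomes reachable under a shallow route.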
@@ -448,10 +454,11 @@ module Authorization
448
454
  options[:no_attribute_check] ||= collections.keys unless options[:nested_in]
449
455
 
450
456
  unless options[:nested_in].blank?
451
- load_method = :"load_#{options[:nested_in].to_s.singularize}"
452
- before_filter do |controller|
453
- if controller.respond_to?(load_method)
454
- controller.send(load_method)
457
+ load_parent_method = :"load_#{options[:nested_in].to_s.singularize}"
458
+ shallow_exceptions = options[:shallow] ? {:except => members.keys} : {}
459
+ before_filter shallow_exceptions do |controller|
460
+ if controller.respond_to?(load_parent_method)
461
+ controller.send(load_parent_method)
455
462
  else
456
463
  controller.send(:load_parent_controller_object, options[:nested_in])
457
464
  end
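Review bot: `before_filter shallow_exceptions do |controller|` relies on `members` being in scope here and already containing the :additional_member actions (the ShallowNestedResourcesControllerTest with :additional_member_action suggests it does); a short comment would save the next reader the lookup. The substantive point is what skipping the filter implies: for shallow member actions neither `load_#{parent}` nor `load_parent_controller_object` runs, so the child is loaded by id without being scoped to a parent and the authorization decision rests entirely on the if_attribute conditions on the child (the `:parent_mock => is {...}` pattern in the tests). That deserves a comment on `shallow_exceptions`, and ideally a line in the :shallow docs. Minor: the `? {:except => members.keys} : {}` expression can be passed to before_filter directly without the temporary.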
@@ -132,6 +132,11 @@ module Authorization
132
132
  # ...
133
133
  # end
134
134
  # end
135
+ #
136
+ # Note: get_with etc. do two things to set the user for the request:
137
+ # Authorization.current_user is set and session[:user], session[:user_id]
138
+ # are set appropriately. If you determine the current user in a different
139
+ # way, these methods might not work for you.
135
140
  module TestHelper
136
141
  include Authorization::Maintenance
137
142
 
@@ -151,7 +151,7 @@ module Authorization
151
151
  map_table_alias_for( path ) # Claim a table alias for the path.
152
152
 
153
153
  # Claim alias for join table
154
- if reflection.is_a?(ActiveRecord::Reflection::ThroughReflection)
154
+ if !reflection.respond_to?(:proxy_scope) and reflection.is_a?(ActiveRecord::Reflection::ThroughReflection)
155
155
  join_table_path = path[0..-2] + [reflection.options[:through]]
156
156
  reflection_for(join_table_path, true)
157
157
  end
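Review bot: `if !reflection.respond_to?(:proxy_scope) and reflection.is_a?(ActiveRecord::Reflection::ThroughReflection)`: use `&&` rather than the low-precedence `and` in a condition (it is meant for control flow and becomes a precedence trap as soon as the condition is extended), and add a comment saying which object responds to `proxy_scope` here and why it must not be treated as a through reflection. As written a reader cannot tell whether this avoids a duplicate join-table alias, an exception, or a Rails-version difference.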
@@ -66,10 +66,13 @@ module Authorization
66
66
  end
67
67
 
68
68
  # Loads and parses a DSL from the given file name.
69
- def self.load (dsl_file)
69
+ def self.load (dsl_files)
70
70
  # TODO cache reader in production mode?
71
71
  reader = new
72
- reader.parse(File.read(dsl_file), dsl_file)
72
+ dsl_files = [dsl_files].flatten
73
+ dsl_files.each do |file|
74
+ reader.parse(File.read(file), file) if File.exist?(file)
75
+ end
73
76
  reader
74
77
  end
75
78
 
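Review bot: The doc comment still says "Loads and parses a DSL from the given file name"; it should say that a single path or an array of paths is accepted and that they are parsed in order. `reader.parse(File.read(file), file) if File.exist?(file)` silently ignores missing files, so a typo in one of several rules files drops that file's rules with no message, and the `rescue SystemCallError` in Engine#initialize never fires for it. Log a warning per missing file, or raise when none of the files exists, so an empty rule set is never the quiet outcome. `File.exist?` followed by `File.read` is also a check-then-use pair; `rescue Errno::ENOENT` around the read is shorter and avoids it.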
@@ -81,6 +81,19 @@ class NestedResource < MockDataObject
81
81
  "NestedResource"
82
82
  end
83
83
  end
84
+
85
+ class ShallowNestedResource < MockDataObject
86
+ def initialize (attributes = {})
87
+ if attributes[:id]
88
+ attributes[:parent_mock] ||= ParentMock.new(:id => attributes[:id])
89
+ end
90
+ super(attributes)
91
+ end
92
+ def self.name
93
+ "ShallowNestedResource"
94
+ end
95
+ end
96
+
84
97
  class ParentMock < MockDataObject
85
98
  def nested_resources
86
99
  Class.new do
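Review bot: `attributes[:parent_mock] ||= ParentMock.new(:id => attributes[:id])` gives every ShallowNestedResource a parent with the same id as the child, so in the tests below child "1" always belongs to parent "1" and child "2" to parent "2". The negative case (`:id => "2", :parent_mock_id => "2"`) therefore cannot distinguish "wrong parent" from "wrong child", and there is no fixture where the id in the URL disagrees with the child's real parent. Give the mock an explicit parent id attribute (e.g. a child "3" belonging to parent "1") so a test can show that for shallow member actions the parent_mock_id parameter is ignored and the child's actual association decides.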
@@ -93,6 +106,8 @@ class ParentMock < MockDataObject
93
106
  end.new(self)
94
107
  end
95
108
 
109
+ alias :shallow_nested_resources :nested_resources
110
+
96
111
  def == (other)
97
112
  id == other.id
98
113
  end
@@ -100,6 +115,7 @@ class ParentMock < MockDataObject
100
115
  "ParentMock"
101
116
  end
102
117
  end
118
+
103
119
  class NestedResourcesController < MocksController
104
120
  filter_resource_access :nested_in => :parent_mocks
105
121
  define_resource_actions
@@ -171,6 +187,107 @@ class NestedResourcesControllerTest < ActionController::TestCase
171
187
  end
172
188
  end
173
189
 
190
+ class ShallowNestedResourcesController < MocksController
191
+ filter_resource_access :nested_in => :parent_mocks,
192
+ :shallow => true,
193
+ :additional_member => :additional_member_action
194
+ define_resource_actions
195
+ define_action_methods :additional_member_action
196
+ end
197
+ class ShallowNestedResourcesControllerTest < ActionController::TestCase
198
+ def test_nested_filter_index
199
+ reader = Authorization::Reader::DSLReader.new
200
+ reader.parse %{
201
+ authorization do
202
+ role :allowed_role do
203
+ has_permission_on :shallow_nested_resources, :to => :index do
204
+ if_attribute :parent_mock => is {ParentMock.find("1")}
205
+ end
206
+ end
207
+ end
208
+ }
209
+
210
+ allowed_user = MockUser.new(:allowed_role)
211
+ request!(MockUser.new(:another_role), :index, reader, :parent_mock_id => "2")
212
+ assert !@controller.authorized?
213
+ request!(allowed_user, :index, reader, :parent_mock_id => "2",
214
+ :clear => [:@shallow_nested_resource, :@parent_mock])
215
+ assert !@controller.authorized?
216
+ request!(allowed_user, :index, reader, :parent_mock_id => "1",
217
+ :clear => [:@shallow_nested_resource, :@parent_mock])
218
+ assert assigns(:parent_mock)
219
+ assert @controller.authorized?
220
+ end
221
+
222
+ def test_nested_filter_show_with_id
223
+ reader = Authorization::Reader::DSLReader.new
224
+ reader.parse %{
225
+ authorization do
226
+ role :allowed_role do
227
+ has_permission_on :shallow_nested_resources, :to => :show do
228
+ if_attribute :parent_mock => is {ParentMock.find("1")}
229
+ end
230
+ end
231
+ end
232
+ }
233
+
234
+ allowed_user = MockUser.new(:allowed_role)
235
+ request!(allowed_user, :show, reader, :id => "2", :parent_mock_id => "2")
236
+ assert !@controller.authorized?
237
+ request!(allowed_user, :show, reader, :id => "1",
238
+ :clear => [:@shallow_nested_resource, :@parent_mock])
239
+ assert !assigns(:parent_mock)
240
+ assert assigns(:shallow_nested_resource)
241
+ assert @controller.authorized?
242
+ end
243
+
244
+ def test_nested_filter_new_with_params
245
+ reader = Authorization::Reader::DSLReader.new
246
+ reader.parse %{
247
+ authorization do
248
+ role :allowed_role do
249
+ has_permission_on :shallow_nested_resources, :to => :new do
250
+ if_attribute :parent_mock => is {ParentMock.find("1")}
251
+ end
252
+ end
253
+ end
254
+ }
255
+
256
+ allowed_user = MockUser.new(:allowed_role)
257
+ request!(allowed_user, :new, reader, :parent_mock_id => "2",
258
+ :shallow_nested_resource => {:id => "2"})
259
+ assert !@controller.authorized?
260
+ request!(allowed_user, :new, reader, :parent_mock_id => "1",
261
+ :shallow_nested_resource => {:id => "1"},
262
+ :clear => [:@shallow_nested_resource, :@parent_mock])
263
+ assert assigns(:parent_mock)
264
+ assert assigns(:shallow_nested_resource)
265
+ assert @controller.authorized?
266
+ end
267
+
268
+ def test_nested_filter_additional_member_action_with_id
269
+ reader = Authorization::Reader::DSLReader.new
270
+ reader.parse %{
271
+ authorization do
272
+ role :allowed_role do
273
+ has_permission_on :shallow_nested_resources, :to => :additional_member_action do
274
+ if_attribute :parent_mock => is {ParentMock.find("1")}
275
+ end
276
+ end
277
+ end
278
+ }
279
+
280
+ allowed_user = MockUser.new(:allowed_role)
281
+ request!(allowed_user, :additional_member_action, reader, :id => "2", :parent_mock_id => "2")
282
+ assert !@controller.authorized?
283
+ request!(allowed_user, :additional_member_action, reader, :id => "1",
284
+ :clear => [:@shallow_nested_resource, :@parent_mock])
285
+ assert !assigns(:parent_mock)
286
+ assert assigns(:shallow_nested_resource)
287
+ assert @controller.authorized?
288
+ end
289
+ end
290
+
174
291
 
175
292
  class CustomMembersCollectionsResourceController < MocksController
176
293
  def self.controller_name
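Review bot: test_nested_filter_show_with_id and test_nested_filter_additional_member_action_with_id cover the happy path (`assert !assigns(:parent_mock)` and authorized for id "1"), but no test sends a shallow member request whose :parent_mock_id disagrees with the object's own parent (e.g. `:id => "1", :parent_mock_id => "2"`) and asserts that the decision follows the object, not the URL. That is exactly the property :shallow has to preserve once the parent is no longer loaded, so it should be pinned. Also only :show is exercised from the default member set; one of :edit/:update/:destroy should be covered too, since `:except => members.keys` is what excludes them, and :new is tested only with an id inside the params hash, not with a missing parent_mock_id, which is the case where the parent load should still run and fail.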
data/test/model_test.rb CHANGED
@@ -40,6 +40,14 @@ class TestModel < ActiveRecord::Base
40
40
  :through => :test_attrs_with_primary_id, :class_name => "TestAttrThrough",
41
41
  :source => :n_way_join_item
42
42
  end
43
+
44
+ # for checking for unnecessary queries
45
+ mattr_accessor :query_count
46
+ def self.find(*args)
47
+ self.query_count ||= 0
48
+ self.query_count += 1
49
+ super(*args)
50
+ end
43
51
  end
44
52
 
45
53
  class NWayJoinItem < ActiveRecord::Base
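Review bot: Overriding `self.find` counts calls to TestModel.find, not SQL statements: a `find` issued while evaluating obligations counts as a query it is not, and a `count` or association load is missed. The override is also global and never reset, so every other test in this file increments the counter too. Either count at the connection (wrap `ActiveRecord::Base.connection.execute`, or attach a logger) or at least reset `query_count` in a `setup` and say in the comment that only `find` calls are counted.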
@@ -97,8 +105,8 @@ class Country < ActiveRecord::Base
97
105
  has_many :companies
98
106
  end
99
107
 
100
- class ModelTest < Test::Unit::TestCase
101
- def test_named_scope_multiple_deep_ored_belongs_to
108
+ class NamedScopeModelTest < Test::Unit::TestCase
109
+ def test_multiple_deep_ored_belongs_to
102
110
  reader = Authorization::Reader::DSLReader.new
103
111
  reader.parse %{
104
112
  authorization do
@@ -111,19 +119,19 @@ class ModelTest < Test::Unit::TestCase
111
119
  end
112
120
  }
113
121
  Authorization::Engine.instance(reader)
114
-
122
+
115
123
  test_model_1 = TestModel.create!
116
124
  test_model_2 = TestModel.create!
117
125
  test_attr_1 = TestAttr.create! :test_model_id => test_model_1.id,
118
126
  :test_another_model_id => test_model_2.id
119
-
127
+
120
128
  user = MockUser.new(:test_role, :id => test_attr_1)
121
129
  assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
122
130
  TestAttr.delete_all
123
131
  TestModel.delete_all
124
132
  end
125
-
126
- def test_named_scope_with_belongs_to_and_has_many_with_contains
133
+
134
+ def test_with_belongs_to_and_has_many_with_contains
127
135
  reader = Authorization::Reader::DSLReader.new
128
136
  reader.parse %{
129
137
  authorization do
@@ -135,11 +143,11 @@ class ModelTest < Test::Unit::TestCase
135
143
  end
136
144
  }
137
145
  Authorization::Engine.instance(reader)
138
-
146
+
139
147
  test_attr_1 = TestAttr.create!
140
148
  test_model_1 = TestModel.create!
141
149
  test_model_1.test_attrs.create!
142
-
150
+
143
151
  user = MockUser.new(:test_role, :test_attr_value => test_model_1.test_attrs.first.id )
144
152
  assert_equal 1, TestAttr.with_permissions_to( :read, :context => :test_attrs, :user => user ).length
145
153
  assert_equal 1, TestAttr.with_permissions_to( :read, :user => user ).length
@@ -150,7 +158,7 @@ class ModelTest < Test::Unit::TestCase
150
158
  TestModel.delete_all
151
159
  end
152
160
 
153
- def test_named_scope_with_nested_has_many
161
+ def test_with_nested_has_many
154
162
  reader = Authorization::Reader::DSLReader.new
155
163
  reader.parse %{
156
164
  authorization do
@@ -180,7 +188,7 @@ class ModelTest < Test::Unit::TestCase
180
188
  TestAttr.delete_all
181
189
  end
182
190
 
183
- def test_named_scope_with_nested_has_many_through
191
+ def test_with_nested_has_many_through
184
192
  reader = Authorization::Reader::DSLReader.new
185
193
  reader.parse %{
186
194
  authorization do
@@ -209,8 +217,8 @@ class ModelTest < Test::Unit::TestCase
209
217
  TestAttrThrough.delete_all
210
218
  TestAttr.delete_all
211
219
  end
212
-
213
- def test_named_scope_with_is
220
+
221
+ def test_with_is
214
222
  reader = Authorization::Reader::DSLReader.new
215
223
  reader.parse %{
216
224
  authorization do
@@ -222,12 +230,12 @@ class ModelTest < Test::Unit::TestCase
222
230
  end
223
231
  }
224
232
  Authorization::Engine.instance(reader)
225
-
233
+
226
234
  test_model_1 = TestModel.create!
227
235
  TestModel.create!
228
-
236
+
229
237
  user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
230
- assert_equal 1, TestModel.with_permissions_to(:read,
238
+ assert_equal 1, TestModel.with_permissions_to(:read,
231
239
  :context => :test_models, :user => user).length
232
240
  assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
233
241
  assert_raise Authorization::NotAuthorized do
@@ -278,12 +286,23 @@ class ModelTest < Test::Unit::TestCase
278
286
  TestModel.create!(:country_id => 2, :content => "Content")
279
287
 
280
288
  user = MockUser.new(:test_role)
289
+
290
+ TestModel.query_count = 0
281
291
  assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
292
+ assert_equal 1, TestModel.query_count
293
+
294
+ TestModel.query_count = 0
282
295
  assert_equal 1, TestModel.with_content.with_permissions_to(:read, :user => user).length
296
+ assert_equal 1, TestModel.query_count
297
+
298
+ TestModel.query_count = 0
299
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).with_content.length
300
+ assert_equal 1, TestModel.query_count
301
+
283
302
  TestModel.delete_all
284
303
  end
285
304
 
286
- def test_named_scope_with_modified_context
305
+ def test_with_modified_context
287
306
  reader = Authorization::Reader::DSLReader.new
288
307
  reader.parse %{
289
308
  authorization do
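Review bot: The three `assert_equal 1, TestModel.query_count` checks depend on the `self.find` counter defined at the top of the file and on each block resetting it by hand; a `setup` that sets `TestModel.query_count = 0` would keep the tests independent of each other. More importantly, "find was called once" does not show that the permission conditions were actually merged into the single query, which is the point of composing `with_content.with_permissions_to(...)` and `with_permissions_to(...).with_content`; asserting on the scope's `proxy_options[:conditions]` (or on the logged SQL) would make the test fail if the named scope were ever applied in memory instead of in the WHERE clause.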
@@ -304,7 +323,7 @@ class ModelTest < Test::Unit::TestCase
304
323
  SmallCompany.delete_all
305
324
  end
306
325
 
307
- def test_named_scope_with_is_nil
326
+ def test_with_is_nil
308
327
  reader = Authorization::Reader::DSLReader.new
309
328
  reader.parse %{
310
329
  authorization do
@@ -332,7 +351,7 @@ class ModelTest < Test::Unit::TestCase
332
351
  TestModel.delete_all
333
352
  end
334
353
 
335
- def test_named_scope_with_not_is
354
+ def test_with_not_is
336
355
  reader = Authorization::Reader::DSLReader.new
337
356
  reader.parse %{
338
357
  authorization do
@@ -352,8 +371,8 @@ class ModelTest < Test::Unit::TestCase
352
371
  assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
353
372
  TestModel.delete_all
354
373
  end
355
-
356
- def test_named_scope_with_empty_obligations
374
+
375
+ def test_with_empty_obligations
357
376
  reader = Authorization::Reader::DSLReader.new
358
377
  reader.parse %{
359
378
  authorization do
@@ -363,9 +382,9 @@ class ModelTest < Test::Unit::TestCase
363
382
  end
364
383
  }
365
384
  Authorization::Engine.instance(reader)
366
-
385
+
367
386
  TestModel.create!
368
-
387
+
369
388
  user = MockUser.new(:test_role)
370
389
  assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
371
390
  assert_raise Authorization::NotAuthorized do
@@ -373,8 +392,8 @@ class ModelTest < Test::Unit::TestCase
373
392
  end
374
393
  TestModel.delete_all
375
394
  end
376
-
377
- def test_named_scope_multiple_obligations
395
+
396
+ def test_multiple_obligations
378
397
  reader = Authorization::Reader::DSLReader.new
379
398
  reader.parse %{
380
399
  authorization do
@@ -389,17 +408,17 @@ class ModelTest < Test::Unit::TestCase
389
408
  end
390
409
  }
391
410
  Authorization::Engine.instance(reader)
392
-
411
+
393
412
  test_model_1 = TestModel.create!
394
413
  test_model_2 = TestModel.create!
395
-
396
- user = MockUser.new(:test_role, :test_attr_value => test_model_1.id,
414
+
415
+ user = MockUser.new(:test_role, :test_attr_value => test_model_1.id,
397
416
  :test_attr_value_2 => test_model_2.id)
398
417
  assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
399
418
  TestModel.delete_all
400
419
  end
401
420
 
402
- def test_named_scope_multiple_roles
421
+ def test_multiple_roles
403
422
  reader = Authorization::Reader::DSLReader.new
404
423
  reader.parse %{
405
424
  authorization do
@@ -426,8 +445,8 @@ class ModelTest < Test::Unit::TestCase
426
445
  assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).length
427
446
  TestAttr.delete_all
428
447
  end
429
-
430
- def test_named_scope_multiple_and_empty_obligations
448
+
449
+ def test_multiple_and_empty_obligations
431
450
  reader = Authorization::Reader::DSLReader.new
432
451
  reader.parse %{
433
452
  authorization do
@@ -440,16 +459,16 @@ class ModelTest < Test::Unit::TestCase
440
459
  end
441
460
  }
442
461
  Authorization::Engine.instance(reader)
443
-
462
+
444
463
  test_model_1 = TestModel.create!
445
464
  TestModel.create!
446
-
465
+
447
466
  user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
448
467
  assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
449
468
  TestModel.delete_all
450
469
  end
451
-
452
- def test_named_scope_multiple_attributes
470
+
471
+ def test_multiple_attributes
453
472
  reader = Authorization::Reader::DSLReader.new
454
473
  reader.parse %{
455
474
  authorization do
@@ -461,17 +480,17 @@ class ModelTest < Test::Unit::TestCase
461
480
  end
462
481
  }
463
482
  Authorization::Engine.instance(reader)
464
-
483
+
465
484
  test_model_1 = TestModel.create! :content => 'bla'
466
485
  TestModel.create! :content => 'bla'
467
486
  TestModel.create!
468
-
487
+
469
488
  user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
470
489
  assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
471
490
  TestModel.delete_all
472
491
  end
473
492
 
474
- def test_named_scope_multiple_belongs_to
493
+ def test_multiple_belongs_to
475
494
  reader = Authorization::Reader::DSLReader.new
476
495
  reader.parse %{
477
496
  authorization do
@@ -491,8 +510,8 @@ class ModelTest < Test::Unit::TestCase
491
510
  assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
492
511
  TestAttr.delete_all
493
512
  end
494
-
495
- def test_named_scope_with_is_and_priv_hierarchy
513
+
514
+ def test_with_is_and_priv_hierarchy
496
515
  reader = Authorization::Reader::DSLReader.new
497
516
  reader.parse %{
498
517
  privileges do
@@ -509,19 +528,19 @@ class ModelTest < Test::Unit::TestCase
509
528
  end
510
529
  }
511
530
  Authorization::Engine.instance(reader)
512
-
531
+
513
532
  test_model_1 = TestModel.create!
514
533
  TestModel.create!
515
-
534
+
516
535
  user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
517
- assert_equal 1, TestModel.with_permissions_to(:list,
536
+ assert_equal 1, TestModel.with_permissions_to(:list,
518
537
  :context => :test_models, :user => user).length
519
538
  assert_equal 1, TestModel.with_permissions_to(:list, :user => user).length
520
-
539
+
521
540
  TestModel.delete_all
522
541
  end
523
-
524
- def test_named_scope_with_is_and_belongs_to
542
+
543
+ def test_with_is_and_belongs_to
525
544
  reader = Authorization::Reader::DSLReader.new
526
545
  reader.parse %{
527
546
  authorization do
@@ -533,20 +552,20 @@ class ModelTest < Test::Unit::TestCase
533
552
  end
534
553
  }
535
554
  Authorization::Engine.instance(reader)
536
-
555
+
537
556
  test_model_1 = TestModel.create!
538
557
  test_model_1.test_attrs.create!
539
558
  TestModel.create!.test_attrs.create!
540
-
559
+
541
560
  user = MockUser.new(:test_role, :test_model => test_model_1)
542
- assert_equal 1, TestAttr.with_permissions_to(:read,
561
+ assert_equal 1, TestAttr.with_permissions_to(:read,
543
562
  :context => :test_attrs, :user => user).length
544
-
563
+
545
564
  TestModel.delete_all
546
565
  TestAttr.delete_all
547
566
  end
548
-
549
- def test_named_scope_with_deep_attribute
567
+
568
+ def test_with_deep_attribute
550
569
  reader = Authorization::Reader::DSLReader.new
551
570
  reader.parse %{
552
571
  authorization do
@@ -558,20 +577,20 @@ class ModelTest < Test::Unit::TestCase
558
577
  end
559
578
  }
560
579
  Authorization::Engine.instance(reader)
561
-
580
+
562
581
  test_model_1 = TestModel.create!
563
582
  test_model_1.test_attrs.create!
564
583
  TestModel.create!.test_attrs.create!
565
-
584
+
566
585
  user = MockUser.new(:test_role, :test_model_id => test_model_1.id)
567
- assert_equal 1, TestAttr.with_permissions_to(:read,
586
+ assert_equal 1, TestAttr.with_permissions_to(:read,
568
587
  :context => :test_attrs, :user => user).length
569
-
588
+
570
589
  TestModel.delete_all
571
590
  TestAttr.delete_all
572
591
  end
573
-
574
- def test_named_scope_with_anded_rules
592
+
593
+ def test_with_anded_rules
575
594
  reader = Authorization::Reader::DSLReader.new
576
595
  reader.parse %{
577
596
  authorization do
@@ -584,21 +603,21 @@ class ModelTest < Test::Unit::TestCase
584
603
  end
585
604
  }
586
605
  Authorization::Engine.instance(reader)
587
-
606
+
588
607
  test_model_1 = TestModel.create!
589
608
  test_model_1.test_attrs.create!(:attr => 1)
590
609
  TestModel.create!.test_attrs.create!(:attr => 1)
591
610
  TestModel.create!.test_attrs.create!
592
-
611
+
593
612
  user = MockUser.new(:test_role, :test_model => test_model_1)
594
- assert_equal 1, TestAttr.with_permissions_to(:read,
613
+ assert_equal 1, TestAttr.with_permissions_to(:read,
595
614
  :context => :test_attrs, :user => user).length
596
-
615
+
597
616
  TestModel.delete_all
598
617
  TestAttr.delete_all
599
618
  end
600
-
601
- def test_named_scope_with_contains
619
+
620
+ def test_with_contains
602
621
  reader = Authorization::Reader::DSLReader.new
603
622
  reader.parse %{
604
623
  authorization do
@@ -610,23 +629,23 @@ class ModelTest < Test::Unit::TestCase
610
629
  end
611
630
  }
612
631
  Authorization::Engine.instance(reader)
613
-
632
+
614
633
  test_model_1 = TestModel.create!
615
634
  test_model_2 = TestModel.create!
616
635
  test_model_1.test_attrs.create!
617
636
  test_model_1.test_attrs.create!
618
637
  test_model_2.test_attrs.create!
619
-
638
+
620
639
  user = MockUser.new(:test_role,
621
640
  :id => test_model_1.test_attrs.first.id)
622
641
  assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
623
642
  assert_equal 1, TestModel.with_permissions_to(:read, :user => user).find(:all, :conditions => {:id => test_model_1.id}).length
624
-
643
+
625
644
  TestModel.delete_all
626
645
  TestAttr.delete_all
627
646
  end
628
647
 
629
- def test_named_scope_with_does_not_contain
648
+ def test_with_does_not_contain
630
649
  reader = Authorization::Reader::DSLReader.new
631
650
  reader.parse %{
632
651
  authorization do
@@ -651,8 +670,8 @@ class ModelTest < Test::Unit::TestCase
651
670
  TestModel.delete_all
652
671
  TestAttr.delete_all
653
672
  end
654
-
655
- def test_named_scope_with_contains_conditions
673
+
674
+ def test_with_contains_conditions
656
675
  reader = Authorization::Reader::DSLReader.new
657
676
  reader.parse %{
658
677
  authorization do
@@ -664,14 +683,14 @@ class ModelTest < Test::Unit::TestCase
664
683
  end
665
684
  }
666
685
  Authorization::Engine.instance(reader)
667
-
686
+
668
687
  test_model_1 = TestModel.create!
669
688
  test_model_2 = TestModel.create!
670
689
  test_model_1.test_attrs_with_attr.create!
671
690
  test_model_1.test_attrs.create!(:attr => 2)
672
691
  test_model_2.test_attrs_with_attr.create!
673
692
  test_model_2.test_attrs.create!(:attr => 2)
674
-
693
+
675
694
  #assert_equal 1, test_model_1.test_attrs_with_attr.length
676
695
  user = MockUser.new(:test_role,
677
696
  :id => test_model_1.test_attrs.first.id)
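Review bot: the commented-out `#assert_equal 1, test_model_1.test_attrs_with_attr.length` at 675/694 is carried over as dead code, and the same disabled assertion appears again at 707/726 and 885/877. Either restore it (it would verify the `test_attrs_with_attr` association that the `contains` condition depends on) or delete it; a commented-out assertion gives no signal when the association breaks.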
@@ -679,12 +698,12 @@ class ModelTest < Test::Unit::TestCase
679
698
  user = MockUser.new(:test_role,
680
699
  :id => test_model_1.test_attrs.last.id)
681
700
  assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
682
-
701
+
683
702
  TestModel.delete_all
684
703
  TestAttr.delete_all
685
704
  end
686
-
687
- def test_named_scope_with_contains_through_conditions
705
+
706
+ def test_with_contains_through_conditions
688
707
  reader = Authorization::Reader::DSLReader.new
689
708
  reader.parse %{
690
709
  authorization do
@@ -696,14 +715,14 @@ class ModelTest < Test::Unit::TestCase
696
715
  end
697
716
  }
698
717
  Authorization::Engine.instance(reader)
699
-
718
+
700
719
  test_model_1 = TestModel.create!
701
720
  test_model_2 = TestModel.create!
702
721
  test_model_1.test_attrs.create!(:attr => 1).test_attr_throughs.create!
703
722
  test_model_1.test_attrs.create!(:attr => 2).test_attr_throughs.create!
704
723
  test_model_2.test_attrs.create!(:attr => 1).test_attr_throughs.create!
705
724
  test_model_2.test_attrs.create!(:attr => 2).test_attr_throughs.create!
706
-
725
+
707
726
  #assert_equal 1, test_model_1.test_attrs_with_attr.length
708
727
  user = MockUser.new(:test_role,
709
728
  :id => test_model_1.test_attr_throughs.first.id)
@@ -717,7 +736,7 @@ class ModelTest < Test::Unit::TestCase
717
736
  TestAttr.delete_all
718
737
  end
719
738
 
720
- def test_named_scope_with_contains_habtm
739
+ def test_with_contains_habtm
721
740
  reader = Authorization::Reader::DSLReader.new
722
741
  reader.parse %{
723
742
  authorization do
@@ -746,10 +765,10 @@ class ModelTest < Test::Unit::TestCase
746
765
  TestAttrThrough.delete_all
747
766
  TestAttr.delete_all
748
767
  end
749
-
768
+
750
769
  # take this out for Rails prior to 2.2
751
770
  if ([Rails::VERSION::MAJOR, Rails::VERSION::MINOR] <=> [2, 2]) > -1
752
- def test_named_scope_with_contains_through_primary_key
771
+ def test_with_contains_through_primary_key
753
772
  reader = Authorization::Reader::DSLReader.new
754
773
  reader.parse %{
755
774
  authorization do
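Review bot: the guard at 751/770, `([Rails::VERSION::MAJOR, Rails::VERSION::MINOR] <=> [2, 2]) > -1`, reads more naturally as `>= 0`, and the comment above it, "take this out for Rails prior to 2.2", is stale now that the version check skips the test automatically; reword it to say the test is skipped on Rails older than 2.2 rather than asking the reader to remove the code.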
@@ -761,7 +780,7 @@ class ModelTest < Test::Unit::TestCase
761
780
  end
762
781
  }
763
782
  Authorization::Engine.instance(reader)
764
-
783
+
765
784
  test_attr_through_1 = TestAttrThrough.create!
766
785
  test_item = NWayJoinItem.create!
767
786
  test_model_1 = TestModel.create!(:test_attr_through_id => test_attr_through_1.id)
@@ -771,14 +790,14 @@ class ModelTest < Test::Unit::TestCase
771
790
  user = MockUser.new(:test_role,
772
791
  :id => test_attr_through_1.id)
773
792
  assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
774
-
793
+
775
794
  TestModel.delete_all
776
795
  TestAttrThrough.delete_all
777
796
  TestAttr.delete_all
778
797
  end
779
798
  end
780
799
 
781
- def test_named_scope_with_intersects_with
800
+ def test_with_intersects_with
782
801
  reader = Authorization::Reader::DSLReader.new
783
802
  reader.parse %{
784
803
  authorization do
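Review bot: `test_with_contains_through_primary_key` creates a join row at 766/785 (`test_item = NWayJoinItem.create!`), but the cleanup at 775-777/794-796 deletes only `TestModel`, `TestAttrThrough` and `TestAttr`, so the `NWayJoinItem` row is left in the database for later tests. Add `NWayJoinItem.delete_all` alongside the other `delete_all` calls.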
@@ -809,8 +828,8 @@ class ModelTest < Test::Unit::TestCase
809
828
  TestModel.delete_all
810
829
  TestAttr.delete_all
811
830
  end
812
-
813
- def test_named_scope_with_is_and_has_one
831
+
832
+ def test_with_is_and_has_one
814
833
  reader = Authorization::Reader::DSLReader.new
815
834
  reader.parse %{
816
835
  authorization do :test_attr_has_one
@@ -822,47 +841,20 @@ class ModelTest < Test::Unit::TestCase
822
841
  end
823
842
  }
824
843
  Authorization::Engine.instance(reader)
825
-
844
+
826
845
  test_model_1 = TestModel.create!
827
846
  test_attr_1 = test_model_1.test_attrs.create!
828
847
  TestModel.create!.test_attrs.create!
829
-
848
+
830
849
  user = MockUser.new(:test_role, :test_attr => test_attr_1)
831
- assert_equal 1, TestModel.with_permissions_to(:read,
850
+ assert_equal 1, TestModel.with_permissions_to(:read,
832
851
  :context => :test_models, :user => user).length
833
-
834
- TestModel.delete_all
835
- TestAttr.delete_all
836
- end
837
-
838
- def test_permit_with_has_one_raises_no_name_error
839
- reader = Authorization::Reader::DSLReader.new
840
- reader.parse %{
841
- authorization do :test_attr_has_one
842
- role :test_role do
843
- has_permission_on :test_attrs, :to => :update do
844
- if_attribute :id => is { user.test_attr.id }
845
- end
846
- end
847
- end
848
- }
849
- instance = Authorization::Engine.instance(reader)
850
-
851
- test_model = TestModel.create!
852
- test_attr = test_model.create_test_attr_has_one
853
- assert !test_attr.new_record?
854
-
855
- user = MockUser.new(:test_role, :test_attr => test_attr)
856
-
857
- assert_nothing_raised do
858
- assert instance.permit?(:update, :user => user, :object => test_model.test_attr_has_one)
859
- end
860
-
852
+
861
853
  TestModel.delete_all
862
854
  TestAttr.delete_all
863
855
  end
864
-
865
- def test_named_scope_with_is_and_has_one_through_conditions
856
+
857
+ def test_with_is_and_has_one_through_conditions
866
858
  reader = Authorization::Reader::DSLReader.new
867
859
  reader.parse %{
868
860
  authorization do
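Review bot: `test_permit_with_has_one_raises_no_name_error` is deleted here (838-859) with no explanation in the hunk; it reappears verbatim as the first test of the new `ModelTest` class later in this diff, so this is a move rather than a removal and the commit message should say so. While moving it, the bare `:test_attr_has_one` after `authorization do` at 841 (and at 835 in the unchanged test just above) is a no-op symbol literal whose value is simply discarded; drop it so it does not read as a context argument to the DSL.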
@@ -874,14 +866,14 @@ class ModelTest < Test::Unit::TestCase
874
866
  end
875
867
  }
876
868
  Authorization::Engine.instance(reader)
877
-
869
+
878
870
  test_model_1 = TestModel.create!
879
871
  test_model_2 = TestModel.create!
880
872
  test_model_1.test_attrs.create!(:attr => 1).test_attr_throughs.create!
881
873
  test_model_1.test_attrs.create!(:attr => 2).test_attr_throughs.create!
882
874
  test_model_2.test_attrs.create!(:attr => 1).test_attr_throughs.create!
883
875
  test_model_2.test_attrs.create!(:attr => 2).test_attr_throughs.create!
884
-
876
+
885
877
  #assert_equal 1, test_model_1.test_attrs_with_attr.length
886
878
  user = MockUser.new(:test_role,
887
879
  :id => test_model_1.test_attr_throughs.first.id)
@@ -889,13 +881,13 @@ class ModelTest < Test::Unit::TestCase
889
881
  user = MockUser.new(:test_role,
890
882
  :id => test_model_1.test_attr_throughs.last.id)
891
883
  assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
892
-
884
+
893
885
  TestModel.delete_all
894
886
  TestAttr.delete_all
895
887
  TestAttrThrough.delete_all
896
888
  end
897
-
898
- def test_named_scope_with_is_in
889
+
890
+ def test_with_is_in
899
891
  reader = Authorization::Reader::DSLReader.new
900
892
  reader.parse %{
901
893
  authorization do
@@ -907,22 +899,22 @@ class ModelTest < Test::Unit::TestCase
907
899
  end
908
900
  }
909
901
  Authorization::Engine.instance(reader)
910
-
902
+
911
903
  test_model_1 = TestModel.create!
912
904
  test_model_2 = TestModel.create!
913
905
  test_model_1.test_attrs.create!
914
906
  TestModel.create!.test_attrs.create!
915
-
907
+
916
908
  user = MockUser.new(:test_role, :test_model => test_model_1,
917
909
  :test_model_2 => test_model_2)
918
- assert_equal 1, TestAttr.with_permissions_to(:read,
910
+ assert_equal 1, TestAttr.with_permissions_to(:read,
919
911
  :context => :test_attrs, :user => user).length
920
-
912
+
921
913
  TestModel.delete_all
922
914
  TestAttr.delete_all
923
915
  end
924
916
 
925
- def test_named_scope_with_not_is_in
917
+ def test_with_not_is_in
926
918
  reader = Authorization::Reader::DSLReader.new
927
919
  reader.parse %{
928
920
  authorization do
@@ -948,8 +940,8 @@ class ModelTest < Test::Unit::TestCase
948
940
  TestModel.delete_all
949
941
  TestAttr.delete_all
950
942
  end
951
-
952
- def test_named_scope_with_if_permitted_to
943
+
944
+ def test_with_if_permitted_to
953
945
  reader = Authorization::Reader::DSLReader.new
954
946
  reader.parse %{
955
947
  authorization do
@@ -964,17 +956,17 @@ class ModelTest < Test::Unit::TestCase
964
956
  end
965
957
  }
966
958
  Authorization::Engine.instance(reader)
967
-
959
+
968
960
  test_model_1 = TestModel.create!
969
961
  test_attr_1 = test_model_1.test_attrs.create!
970
-
962
+
971
963
  user = MockUser.new(:test_role, :id => test_attr_1.id)
972
964
  assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
973
965
  TestModel.delete_all
974
966
  TestAttr.delete_all
975
967
  end
976
968
 
977
- def test_named_scope_with_if_permitted_to_with_no_child_permissions
969
+ def test_with_if_permitted_to_with_no_child_permissions
978
970
  reader = Authorization::Reader::DSLReader.new
979
971
  reader.parse %{
980
972
  authorization do
@@ -1010,12 +1002,12 @@ class ModelTest < Test::Unit::TestCase
1010
1002
  assert_raise Authorization::NotAuthorized do
1011
1003
  TestAttr.with_permissions_to(:read, :user => non_allowed_user).find(:all)
1012
1004
  end
1013
-
1005
+
1014
1006
  TestModel.delete_all
1015
1007
  TestAttr.delete_all
1016
1008
  end
1017
1009
 
1018
- def test_named_scope_with_if_permitted_to_with_context_from_model
1010
+ def test_with_if_permitted_to_with_context_from_model
1019
1011
  reader = Authorization::Reader::DSLReader.new
1020
1012
  reader.parse %{
1021
1013
  authorization do
@@ -1043,7 +1035,7 @@ class ModelTest < Test::Unit::TestCase
1043
1035
  TestAttr.delete_all
1044
1036
  end
1045
1037
 
1046
- def test_named_scope_with_has_many_if_permitted_to
1038
+ def test_with_has_many_if_permitted_to
1047
1039
  reader = Authorization::Reader::DSLReader.new
1048
1040
  reader.parse %{
1049
1041
  authorization do
@@ -1070,7 +1062,7 @@ class ModelTest < Test::Unit::TestCase
1070
1062
  TestAttr.delete_all
1071
1063
  end
1072
1064
 
1073
- def test_named_scope_with_deep_has_many_if_permitted_to
1065
+ def test_with_deep_has_many_if_permitted_to
1074
1066
  reader = Authorization::Reader::DSLReader.new
1075
1067
  reader.parse %{
1076
1068
  authorization do
@@ -1099,7 +1091,7 @@ class ModelTest < Test::Unit::TestCase
1099
1091
  TestAttr.delete_all
1100
1092
  end
1101
1093
 
1102
- def test_named_scope_with_if_permitted_to_and_empty_obligations
1094
+ def test_with_if_permitted_to_and_empty_obligations
1103
1095
  reader = Authorization::Reader::DSLReader.new
1104
1096
  reader.parse %{
1105
1097
  authorization do
@@ -1122,7 +1114,7 @@ class ModelTest < Test::Unit::TestCase
1122
1114
  TestAttr.delete_all
1123
1115
  end
1124
1116
 
1125
- def test_named_scope_with_if_permitted_to_nil
1117
+ def test_with_if_permitted_to_nil
1126
1118
  reader = Authorization::Reader::DSLReader.new
1127
1119
  reader.parse %{
1128
1120
  authorization do
@@ -1145,7 +1137,7 @@ class ModelTest < Test::Unit::TestCase
1145
1137
  TestAttr.delete_all
1146
1138
  end
1147
1139
 
1148
- def test_named_scope_with_if_permitted_to_self
1140
+ def test_with_if_permitted_to_self
1149
1141
  reader = Authorization::Reader::DSLReader.new
1150
1142
  reader.parse %{
1151
1143
  authorization do
@@ -1170,265 +1162,449 @@ class ModelTest < Test::Unit::TestCase
1170
1162
  TestAttr.delete_all
1171
1163
  TestModel.delete_all
1172
1164
  end
1173
-
1174
- def test_model_security
1165
+
1166
+ def test_with_has_many_and_reoccuring_tables
1175
1167
  reader = Authorization::Reader::DSLReader.new
1176
1168
  reader.parse %{
1177
1169
  authorization do
1178
- role :test_role_unrestricted do
1179
- has_permission_on :test_model_security_models do
1180
- to :read, :create, :update, :delete
1181
- end
1182
- end
1183
1170
  role :test_role do
1184
- has_permission_on :test_model_security_models do
1185
- to :read, :create, :update, :delete
1186
- if_attribute :attr => is { 1 }
1171
+ has_permission_on :test_attrs, :to => :read do
1172
+ if_attribute :test_another_model => { :content => 'test_1_2' },
1173
+ :test_model => { :content => 'test_1_1' }
1187
1174
  end
1188
1175
  end
1189
- role :test_role_restricted do
1190
- end
1191
1176
  end
1192
1177
  }
1193
1178
  Authorization::Engine.instance(reader)
1194
-
1195
- Authorization.current_user = MockUser.new(:test_role)
1196
- assert(object = TestModelSecurityModel.create)
1197
- Authorization.current_user = MockUser.new(:test_role_restricted)
1198
- assert_raise Authorization::NotAuthorized do
1199
- object.update_attributes(:attr_2 => 2)
1200
- end
1201
- Authorization.current_user = MockUser.new(:test_role)
1202
- assert_nothing_raised { object.update_attributes(:attr_2 => 2) }
1203
- object.reload
1204
- assert_equal 2, object.attr_2
1205
- object.destroy
1206
- assert_raise ActiveRecord::RecordNotFound do
1207
- TestModelSecurityModel.find(object.id)
1208
- end
1209
-
1210
- assert_raise Authorization::AttributeAuthorizationError do
1211
- TestModelSecurityModel.create :attr => 2
1212
- end
1213
- object = TestModelSecurityModel.create
1214
- assert_raise Authorization::AttributeAuthorizationError do
1215
- object.update_attributes(:attr => 2)
1216
- end
1217
- Authorization.current_user = MockUser.new(:test_role_unrestricted)
1218
- object = TestModelSecurityModel.create :attr => 2
1219
- object_with_find = TestModelSecurityModelWithFind.create :attr => 2
1220
- Authorization.current_user = MockUser.new(:test_role)
1221
- assert_nothing_raised do
1222
- object.class.find(object.id)
1223
- end
1224
- assert_raise Authorization::AttributeAuthorizationError do
1225
- object_with_find.class.find(object_with_find.id)
1226
- end
1227
- assert_raise Authorization::AttributeAuthorizationError do
1228
- object.update_attributes(:attr_2 => 2)
1229
- end
1230
- # TODO test this:
1231
- #assert_raise Authorization::AuthorizationError do
1232
- # object.update_attributes(:attr => 1)
1233
- #end
1234
- assert_raise Authorization::AttributeAuthorizationError do
1235
- object.destroy
1236
- end
1237
-
1238
- Authorization.current_user = MockUser.new(:test_role_2)
1239
- assert_raise Authorization::NotAuthorized do
1240
- TestModelSecurityModel.create
1241
- end
1179
+
1180
+ test_attr_1 = TestAttr.create!(
1181
+ :test_model => TestModel.create!(:content => 'test_1_1'),
1182
+ :test_another_model => TestModel.create!(:content => 'test_1_2')
1183
+ )
1184
+ test_attr_2 = TestAttr.create!(
1185
+ :test_model => TestModel.create!(:content => 'test_2_1'),
1186
+ :test_another_model => TestModel.create!(:content => 'test_2_2')
1187
+ )
1188
+
1189
+ user = MockUser.new(:test_role)
1190
+ assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
1191
+ TestModel.delete_all
1192
+ TestAttr.delete_all
1242
1193
  end
1243
-
1244
- def test_model_security_with_assoc
1194
+
1195
+ def test_with_ored_rules_and_reoccuring_tables
1245
1196
  reader = Authorization::Reader::DSLReader.new
1246
1197
  reader.parse %{
1247
1198
  authorization do
1248
1199
  role :test_role do
1249
- has_permission_on :test_model_security_models do
1250
- to :create, :update, :delete
1251
- if_attribute :test_attrs => contains { user }
1200
+ has_permission_on :test_attrs, :to => :read do
1201
+ if_attribute :test_another_model => { :content => 'test_1_2' },
1202
+ :test_model => { :content => 'test_1_1' }
1203
+ end
1204
+ has_permission_on :test_attrs, :to => :read do
1205
+ if_attribute :test_another_model => { :content => 'test_2_2' },
1206
+ :test_model => { :test_attrs => contains {user.test_attr} }
1252
1207
  end
1253
1208
  end
1254
1209
  end
1255
1210
  }
1256
1211
  Authorization::Engine.instance(reader)
1212
+
1213
+ test_attr_1 = TestAttr.create!(
1214
+ :test_model => TestModel.create!(:content => 'test_1_1'),
1215
+ :test_another_model => TestModel.create!(:content => 'test_1_2')
1216
+ )
1217
+ test_attr_2 = TestAttr.create!(
1218
+ :test_model => TestModel.create!(:content => 'test_2_1'),
1219
+ :test_another_model => TestModel.create!(:content => 'test_2_2')
1220
+ )
1221
+ test_attr_2.test_model.test_attrs.create!
1222
+
1223
+ user = MockUser.new(:test_role, :test_attr => test_attr_2.test_model.test_attrs.last)
1224
+ assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).length
1225
+ TestModel.delete_all
1226
+ TestAttr.delete_all
1227
+ end
1228
+
1229
+ def test_with_many_ored_rules_and_reoccuring_tables
1230
+ reader = Authorization::Reader::DSLReader.new
1231
+ reader.parse %{
1232
+ authorization do
1233
+ role :test_role do
1234
+ has_permission_on :test_attrs, :to => :read do
1235
+ if_attribute :branch => { :company => { :country => {
1236
+ :test_models => contains { user.test_model }
1237
+ }} }
1238
+ if_attribute :company => { :country => {
1239
+ :test_models => contains { user.test_model }
1240
+ }}
1241
+ end
1242
+ end
1243
+ end
1244
+ }
1245
+ Authorization::Engine.instance(reader)
1246
+
1247
+ country = Country.create!(:name => 'country_1')
1248
+ country.test_models.create!
1249
+ test_attr_1 = TestAttr.create!(
1250
+ :branch => Branch.create!(:name => 'branch_1',
1251
+ :company => Company.create!(:name => 'company_1',
1252
+ :country => country))
1253
+ )
1254
+ test_attr_2 = TestAttr.create!(
1255
+ :company => Company.create!(:name => 'company_2',
1256
+ :country => country)
1257
+ )
1258
+
1259
+ user = MockUser.new(:test_role, :test_model => country.test_models.first)
1260
+
1261
+ assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).length
1262
+ TestModel.delete_all
1263
+ TestAttr.delete_all
1264
+ end
1265
+ end
1266
+
1267
+ class ModelTest < Test::Unit::TestCase
1268
+ def test_permit_with_has_one_raises_no_name_error
1269
+ reader = Authorization::Reader::DSLReader.new
1270
+ reader.parse %{
1271
+ authorization do :test_attr_has_one
1272
+ role :test_role do
1273
+ has_permission_on :test_attrs, :to => :update do
1274
+ if_attribute :id => is { user.test_attr.id }
1275
+ end
1276
+ end
1277
+ end
1278
+ }
1279
+ instance = Authorization::Engine.instance(reader)
1280
+
1281
+ test_model = TestModel.create!
1282
+ test_attr = test_model.create_test_attr_has_one
1283
+ assert !test_attr.new_record?
1284
+
1285
+ user = MockUser.new(:test_role, :test_attr => test_attr)
1257
1286
 
1258
- test_attr = TestAttr.create
1259
- test_attr.role_symbols << :test_role
1260
- Authorization.current_user = test_attr
1261
- assert(object = TestModelSecurityModel.create(:test_attrs => [test_attr]))
1262
1287
  assert_nothing_raised do
1263
- object.update_attributes(:attr_2 => 2)
1288
+ assert instance.permit?(:update, :user => user, :object => test_model.test_attr_has_one)
1264
1289
  end
1290
+
1291
+ TestModel.delete_all
1292
+ TestAttr.delete_all
1293
+ end
1294
+
1295
+ def test_model_security_write_allowed
1296
+ reader = Authorization::Reader::DSLReader.new
1297
+ reader.parse %{
1298
+ authorization do
1299
+ role :test_role do
1300
+ has_permission_on :test_model_security_models do
1301
+ to :read, :create, :update, :delete
1302
+ if_attribute :attr => is { 1 }
1303
+ end
1304
+ end
1305
+ end
1306
+ }
1307
+ Authorization::Engine.instance(reader)
1308
+
1309
+ Authorization.current_user = MockUser.new(:test_role)
1310
+ assert(object = TestModelSecurityModel.create)
1311
+
1312
+ assert_nothing_raised { object.update_attributes(:attr_2 => 2) }
1265
1313
  object.reload
1266
- assert_equal 2, object.attr_2
1314
+ assert_equal 2, object.attr_2
1267
1315
  object.destroy
1268
1316
  assert_raise ActiveRecord::RecordNotFound do
1269
1317
  TestModelSecurityModel.find(object.id)
1270
1318
  end
1271
1319
  end
1272
1320
 
1273
- def test_using_access_control
1274
- assert !TestModel.using_access_control?
1275
- assert TestModelSecurityModel.using_access_control?
1276
- end
1321
+ def test_model_security_write_not_allowed_no_privilege
1322
+ reader = Authorization::Reader::DSLReader.new
1323
+ reader.parse %{
1324
+ authorization do
1325
+ role :test_role do
1326
+ has_permission_on :test_model_security_models do
1327
+ to :read, :create, :update, :delete
1328
+ if_attribute :attr => is { 1 }
1329
+ end
1330
+ end
1331
+ role :test_role_restricted do
1332
+ end
1333
+ end
1334
+ }
1335
+ Authorization::Engine.instance(reader)
1277
1336
 
1278
- def test_authorization_permit_association_proxy
1337
+ Authorization.current_user = MockUser.new(:test_role)
1338
+ assert(object = TestModelSecurityModel.create)
1339
+
1340
+ Authorization.current_user = MockUser.new(:test_role_restricted)
1341
+ assert_raise Authorization::NotAuthorized do
1342
+ object.update_attributes(:attr_2 => 2)
1343
+ end
1344
+ end
1345
+
1346
+ def test_model_security_write_not_allowed_wrong_attribute_value
1279
1347
  reader = Authorization::Reader::DSLReader.new
1280
1348
  reader.parse %{
1281
1349
  authorization do
1350
+ role :test_role_unrestricted do
1351
+ has_permission_on :test_model_security_models do
1352
+ to :read, :create, :update, :delete
1353
+ end
1354
+ end
1282
1355
  role :test_role do
1283
- has_permission_on :test_attrs, :to => :read do
1284
- if_attribute :test_model => {:content => "content" }
1356
+ has_permission_on :test_model_security_models do
1357
+ to :read, :create, :update, :delete
1358
+ if_attribute :attr => is { 1 }
1285
1359
  end
1286
1360
  end
1287
1361
  end
1288
1362
  }
1289
- engine = Authorization::Engine.instance(reader)
1363
+ Authorization::Engine.instance(reader)
1364
+
1365
+ Authorization.current_user = MockUser.new(:test_role)
1366
+ assert(object = TestModelSecurityModel.create)
1367
+ assert_raise Authorization::AttributeAuthorizationError do
1368
+ TestModelSecurityModel.create :attr => 2
1369
+ end
1370
+ object = TestModelSecurityModel.create
1371
+ assert_raise Authorization::AttributeAuthorizationError do
1372
+ object.update_attributes(:attr => 2)
1373
+ end
1374
+ object.reload
1290
1375
 
1291
- test_model = TestModel.create(:content => "content")
1292
- assert engine.permit?(:read, :object => test_model.test_attrs,
1293
- :user => MockUser.new(:test_role))
1294
- assert !engine.permit?(:read, :object => TestAttr.new,
1295
- :user => MockUser.new(:test_role))
1296
- TestModel.delete_all
1376
+ assert_nothing_raised do
1377
+ object.update_attributes(:attr_2 => 1)
1378
+ end
1379
+ assert_raise Authorization::AttributeAuthorizationError do
1380
+ object.update_attributes(:attr => 2)
1381
+ end
1297
1382
  end
1298
1383
 
1299
- def test_multiple_roles_with_has_many_through
1384
+ def test_model_security_with_and_without_find_restrictions
1300
1385
  reader = Authorization::Reader::DSLReader.new
1301
1386
  reader.parse %{
1302
1387
  authorization do
1303
- role :test_role_1 do
1304
- has_permission_on :test_models, :to => :read do
1305
- if_attribute :test_attr_throughs => contains {user.test_attr_through_id},
1306
- :content => 'test_1'
1388
+ role :test_role_unrestricted do
1389
+ has_permission_on :test_model_security_models do
1390
+ to :read, :create, :update, :delete
1391
+ end
1392
+ end
1393
+ role :test_role do
1394
+ has_permission_on :test_model_security_models do
1395
+ to :read, :create, :update, :delete
1396
+ if_attribute :attr => is { 1 }
1307
1397
  end
1308
1398
  end
1399
+ end
1400
+ }
1401
+ Authorization::Engine.instance(reader)
1309
1402
 
1310
- role :test_role_2 do
1311
- has_permission_on :test_models, :to => :read do
1312
- if_attribute :test_attr_throughs_2 => contains {user.test_attr_through_2_id},
1313
- :content => 'test_2'
1403
+ Authorization.current_user = MockUser.new(:test_role_unrestricted)
1404
+ object = TestModelSecurityModel.create :attr => 2
1405
+ object_with_find = TestModelSecurityModelWithFind.create :attr => 2
1406
+ Authorization.current_user = MockUser.new(:test_role)
1407
+ assert_nothing_raised do
1408
+ object.class.find(object.id)
1409
+ end
1410
+ assert_raise Authorization::AttributeAuthorizationError do
1411
+ object_with_find.class.find(object_with_find.id)
1412
+ end
1413
+ end
1414
+
1415
+ def test_model_security_delete_unallowed
1416
+ reader = Authorization::Reader::DSLReader.new
1417
+ reader.parse %{
1418
+ authorization do
1419
+ role :test_role_unrestricted do
1420
+ has_permission_on :test_model_security_models do
1421
+ to :read, :create, :update, :delete
1422
+ end
1423
+ end
1424
+ role :test_role do
1425
+ has_permission_on :test_model_security_models do
1426
+ to :read, :create, :update, :delete
1427
+ if_attribute :attr => is { 1 }
1314
1428
  end
1315
1429
  end
1316
1430
  end
1317
1431
  }
1318
1432
  Authorization::Engine.instance(reader)
1319
1433
 
1320
- test_model_1 = TestModel.create! :content => 'test_1'
1321
- test_model_2 = TestModel.create! :content => 'test_2'
1322
- test_model_1.test_attrs.create!.test_attr_throughs.create!
1323
- test_model_2.test_attrs.create!.test_attr_throughs.create!
1434
+ Authorization.current_user = MockUser.new(:test_role_unrestricted)
1435
+ object = TestModelSecurityModel.create :attr => 2
1436
+ Authorization.current_user = MockUser.new(:test_role)
1324
1437
 
1325
- user = MockUser.new(:test_role_1, :test_role_2,
1326
- :test_attr_through_id => test_model_1.test_attr_throughs.first.id,
1327
- :test_attr_through_2_id => test_model_2.test_attr_throughs.first.id)
1328
- assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
1329
- TestModel.delete_all
1330
- TestAttr.delete_all
1331
- TestAttrThrough.delete_all
1438
+ assert_raise Authorization::AttributeAuthorizationError do
1439
+ object.destroy
1440
+ end
1332
1441
  end
1333
1442
 
1334
- def test_named_scope_with_has_many_and_reoccuring_tables
1443
+ def test_model_security_changing_critical_attribute_unallowed
1335
1444
  reader = Authorization::Reader::DSLReader.new
1336
1445
  reader.parse %{
1337
1446
  authorization do
1447
+ role :test_role_unrestricted do
1448
+ has_permission_on :test_model_security_models do
1449
+ to :read, :create, :update, :delete
1450
+ end
1451
+ end
1338
1452
  role :test_role do
1339
- has_permission_on :test_attrs, :to => :read do
1340
- if_attribute :test_another_model => { :content => 'test_1_2' },
1341
- :test_model => { :content => 'test_1_1' }
1453
+ has_permission_on :test_model_security_models do
1454
+ to :read, :create, :update, :delete
1455
+ if_attribute :attr => is { 1 }
1342
1456
  end
1343
1457
  end
1344
1458
  end
1345
1459
  }
1346
1460
  Authorization::Engine.instance(reader)
1347
1461
 
1348
- test_attr_1 = TestAttr.create!(
1349
- :test_model => TestModel.create!(:content => 'test_1_1'),
1350
- :test_another_model => TestModel.create!(:content => 'test_1_2')
1351
- )
1352
- test_attr_2 = TestAttr.create!(
1353
- :test_model => TestModel.create!(:content => 'test_2_1'),
1354
- :test_another_model => TestModel.create!(:content => 'test_2_2')
1355
- )
1462
+ Authorization.current_user = MockUser.new(:test_role_unrestricted)
1463
+ object = TestModelSecurityModel.create :attr => 2
1464
+ Authorization.current_user = MockUser.new(:test_role)
1356
1465
 
1357
- user = MockUser.new(:test_role)
1358
- assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
1359
- TestModel.delete_all
1360
- TestAttr.delete_all
1466
+ # TODO before not checked yet
1467
+ #assert_raise Authorization::AuthorizationError do
1468
+ # object.update_attributes(:attr => 1)
1469
+ #end
1470
+ end
1471
+
1472
+ def test_model_security_no_role_unallowed
1473
+ reader = Authorization::Reader::DSLReader.new
1474
+ reader.parse %{
1475
+ authorization do
1476
+ end
1477
+ }
1478
+ Authorization::Engine.instance(reader)
1479
+
1480
+ Authorization.current_user = MockUser.new(:test_role_2)
1481
+ assert_raise Authorization::NotAuthorized do
1482
+ TestModelSecurityModel.create
1483
+ end
1361
1484
  end
1362
1485
 
1363
- def test_named_scope_with_ored_rules_and_reoccuring_tables
1486
+ def test_model_security_with_assoc
1364
1487
  reader = Authorization::Reader::DSLReader.new
1365
1488
  reader.parse %{
1366
1489
  authorization do
1367
1490
  role :test_role do
1368
- has_permission_on :test_attrs, :to => :read do
1369
- if_attribute :test_another_model => { :content => 'test_1_2' },
1370
- :test_model => { :content => 'test_1_1' }
1491
+ has_permission_on :test_model_security_models do
1492
+ to :create, :update, :delete
1493
+ if_attribute :test_attrs => contains { user }
1371
1494
  end
1372
- has_permission_on :test_attrs, :to => :read do
1373
- if_attribute :test_another_model => { :content => 'test_2_2' },
1374
- :test_model => { :test_attrs => contains {user.test_attr} }
1495
+ end
1496
+ end
1497
+ }
1498
+ Authorization::Engine.instance(reader)
1499
+
1500
+ test_attr = TestAttr.create
1501
+ test_attr.role_symbols << :test_role
1502
+ Authorization.current_user = test_attr
1503
+ assert(object = TestModelSecurityModel.create(:test_attrs => [test_attr]))
1504
+ assert_nothing_raised do
1505
+ object.update_attributes(:attr_2 => 2)
1506
+ end
1507
+ object.reload
1508
+ assert_equal 2, object.attr_2
1509
+ object.destroy
1510
+ assert_raise ActiveRecord::RecordNotFound do
1511
+ TestModelSecurityModel.find(object.id)
1512
+ end
1513
+ end
1514
+
1515
+ def test_model_security_with_update_attrbributes
1516
+ reader = Authorization::Reader::DSLReader.new
1517
+ reader.parse %{
1518
+ authorization do
1519
+ role :test_role do
1520
+ has_permission_on :test_model_security_models, :to => :update do
1521
+ if_attribute :test_attrs => { :branch => is { user.branch }}
1375
1522
  end
1376
1523
  end
1377
1524
  end
1378
1525
  }
1379
1526
  Authorization::Engine.instance(reader)
1380
1527
 
1381
- test_attr_1 = TestAttr.create!(
1382
- :test_model => TestModel.create!(:content => 'test_1_1'),
1383
- :test_another_model => TestModel.create!(:content => 'test_1_2')
1384
- )
1385
- test_attr_2 = TestAttr.create!(
1386
- :test_model => TestModel.create!(:content => 'test_2_1'),
1387
- :test_another_model => TestModel.create!(:content => 'test_2_2')
1388
- )
1389
- test_attr_2.test_model.test_attrs.create!
1528
+ params = {
1529
+ :model_data => { :attr => 11 }
1530
+ }
1531
+
1532
+ test_attr = TestAttr.create!(:branch => Branch.create!)
1533
+ test_model = without_access_control do
1534
+ TestModelSecurityModel.create!(:test_attrs => [test_attr])
1535
+ end
1536
+
1537
+ with_user MockUser.new(:test_role, :branch => test_attr.branch) do
1538
+ assert_nothing_raised do
1539
+ test_model.update_attributes(params[:model_data])
1540
+ end
1541
+ end
1542
+ assert_equal params[:model_data][:attr], test_model.reload.attr
1390
1543
 
1391
- user = MockUser.new(:test_role, :test_attr => test_attr_2.test_model.test_attrs.last)
1392
- assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).length
1393
- TestModel.delete_all
1394
1544
  TestAttr.delete_all
1545
+ TestModelSecurityModel.delete_all
1546
+ Branch.delete_all
1547
+ end
1548
+
1549
+ def test_using_access_control
1550
+ assert !TestModel.using_access_control?
1551
+ assert TestModelSecurityModel.using_access_control?
1395
1552
  end
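Review bot: the new test's name is misspelled (`test_model_security_with_update_attrbributes`, "attrbributes"); rename it to `test_model_security_with_update_attributes` before anything else references it. The test also covers only the permitted path: `assert_nothing_raised` around `test_model.update_attributes(params[:model_data])` with a `MockUser` whose `:branch` is `test_attr.branch`. Add the denied case as well, e.g. a `MockUser.new(:test_role, :branch => Branch.create!)` calling the same `update_attributes` inside `with_user`, asserted to raise and to leave `test_model.reload.attr` unchanged, since the `if_attribute :test_attrs => { :branch => is { user.branch }}` rule is what the test is meant to exercise and, without a negative assertion, a rule that permits unconditionally would pass it too. A short comment would also help on why `TestAttr.create!(:branch => Branch.create!)` sits outside `without_access_control` while `TestModelSecurityModel.create!` sits inside it: only `TestModelSecurityModel` is access controlled, which is exactly what `test_using_access_control` asserts a few lines below, so stating that at the point of setup makes the asymmetry deliberate rather than accidental.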
1396
1553
 
1397
- def test_named_scope_with_many_ored_rules_and_reoccuring_tables
1554
+ def test_authorization_permit_association_proxy
1398
1555
  reader = Authorization::Reader::DSLReader.new
1399
1556
  reader.parse %{
1400
1557
  authorization do
1401
1558
  role :test_role do
1402
1559
  has_permission_on :test_attrs, :to => :read do
1403
- if_attribute :branch => { :company => { :country => {
1404
- :test_models => contains { user.test_model }
1405
- }} }
1406
- if_attribute :company => { :country => {
1407
- :test_models => contains { user.test_model }
1408
- }}
1560
+ if_attribute :test_model => {:content => "content" }
1409
1561
  end
1410
1562
  end
1411
1563
  end
1412
1564
  }
1413
- Authorization::Engine.instance(reader)
1565
+ engine = Authorization::Engine.instance(reader)
1414
1566
 
1415
- country = Country.create!(:name => 'country_1')
1416
- country.test_models.create!
1417
- test_attr_1 = TestAttr.create!(
1418
- :branch => Branch.create!(:name => 'branch_1',
1419
- :company => Company.create!(:name => 'company_1',
1420
- :country => country))
1421
- )
1422
- test_attr_2 = TestAttr.create!(
1423
- :company => Company.create!(:name => 'company_2',
1424
- :country => country)
1425
- )
1567
+ test_model = TestModel.create(:content => "content")
1568
+ assert engine.permit?(:read, :object => test_model.test_attrs,
1569
+ :user => MockUser.new(:test_role))
1570
+ assert !engine.permit?(:read, :object => TestAttr.new,
1571
+ :user => MockUser.new(:test_role))
1572
+ TestModel.delete_all
1573
+ end
1426
1574
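Review bot: `test_authorization_permit_association_proxy` creates its record with `TestModel.create(:content => "content")` rather than the `create!` used everywhere else in this file; a failed validation would yield an unsaved record and the test would then pass or fail for the wrong reason, so use `create!`. More importantly, the positive assertion passes `test_model.test_attrs` as `:object` and no `TestAttr` row is ever created for that model, so the proxy under test is empty: whether `permit?` returns true is decided entirely by how the engine treats the association proxy itself (resolving `:test_model` through it), not by any record it contains. If that is the intended behaviour, say so in a comment, and add a second positive assertion with at least one `TestAttr` in the proxy plus one on `test_model.test_attrs.first` by itself, so a later change that evaluates the rule per record instead of per proxy cannot slip through; the `TestAttr.new` negative case is fine as it is. Separately, this region removes `test_named_scope_with_many_ored_rules_and_reoccuring_tables` (the two ORed rules `:branch => { :company => { :country => ...` and `:company => { :country => ...` that join `test_models` twice) and its body is not re-added here; unless it has been moved elsewhere in the file, that named-scope coverage is lost and should be restored alongside the new test.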
 
1427
- user = MockUser.new(:test_role, :test_model => country.test_models.first)
1575
+ def test_multiple_roles_with_has_many_through
1576
+ reader = Authorization::Reader::DSLReader.new
1577
+ reader.parse %{
1578
+ authorization do
1579
+ role :test_role_1 do
1580
+ has_permission_on :test_models, :to => :read do
1581
+ if_attribute :test_attr_throughs => contains {user.test_attr_through_id},
1582
+ :content => 'test_1'
1583
+ end
1584
+ end
1428
1585
 
1429
- assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).length
1586
+ role :test_role_2 do
1587
+ has_permission_on :test_models, :to => :read do
1588
+ if_attribute :test_attr_throughs_2 => contains {user.test_attr_through_2_id},
1589
+ :content => 'test_2'
1590
+ end
1591
+ end
1592
+ end
1593
+ }
1594
+ Authorization::Engine.instance(reader)
1595
+
1596
+ test_model_1 = TestModel.create! :content => 'test_1'
1597
+ test_model_2 = TestModel.create! :content => 'test_2'
1598
+ test_model_1.test_attrs.create!.test_attr_throughs.create!
1599
+ test_model_2.test_attrs.create!.test_attr_throughs.create!
1600
+
1601
+ user = MockUser.new(:test_role_1, :test_role_2,
1602
+ :test_attr_through_id => test_model_1.test_attr_throughs.first.id,
1603
+ :test_attr_through_2_id => test_model_2.test_attr_throughs.first.id)
1604
+ assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
1430
1605
  TestModel.delete_all
1431
1606
  TestAttr.delete_all
1607
+ TestAttrThrough.delete_all
1432
1608
  end
1433
1609
 
1434
1610
  def test_model_permitted_to
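Review bot: in `test_multiple_roles_with_has_many_through` both rules compare associations of records (`test_attr_throughs`, `test_attr_throughs_2`) against ids via `contains { user.test_attr_through_id }` and `contains { user.test_attr_through_2_id }`, but the only assertion is `assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length`, i.e. the SQL path. Add matching `permit?` checks for `test_model_1` and `test_model_2` with the same user, and a negative one for a user holding just one of the two roles, so the in-memory evaluation and the named scope are both shown to agree on id-valued `contains` across two has_many :through associations; the count of 2 alone would also pass if a single rule matched both models regardless of `:content`. The setup populates `test_attr_throughs` via `test_model_1.test_attrs.create!.test_attr_throughs.create!`, but nothing in the test touches `test_attr_throughs_2` explicitly, so the second rule depends on how that association is defined in the test schema; a one-line comment on that would spare the next reader a trip to the schema. Adding `TestAttrThrough.delete_all` to the teardown is right, since the through records would otherwise leak into later tests.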