declarative_authorization 0.5.1 → 0.5.2

data/CHANGELOG

@@ -1,3 +1,7 @@
+** RELEASE 0.5.2 (Dec 31, 2010) **
+
+* Bugfixes and documentation updates
+
 ** RELEASE 0.5.1 (Sep 12, 2010) **
 
 ** RELEASE 0.5 (July 21, 2010) **

data/README.rdoc

@@ -332,6 +332,12 @@ In your test_helper.rb, to enable the helpers add
       ...
     end
 
+For using the test helpers with RSpec, just add the following lines to your
+spec_helper.rb (somewhere after require 'spec/rails'):
+
+    require 'declarative_authorization/maintenance'
+    include Authorization::TestHelper
+
 Now, in unit tests, you may deactivate authorization if needed e.g. for test
 setup and assume certain identities for tests:
 
@@ -347,6 +353,19 @@ setup and assume certain identities for tests:
         end
       end
     end
+    
+Or, with RSpec, it would work like this:
+
+  describe Employee do
+    it "should read" do
+      without_access_control do
+        Employee.create(...)
+      end
+      with_user(admin) do
+        Employee.find(:first)
+      end
+    end
+  end
 
 In functional tests, get, posts, etc. may be tested in the name of certain users:
 
@@ -491,10 +510,11 @@ sbartsch at tzi.org
 
 = Contributors
 
-Thanks to John Joseph Bachir, Eike Carls, Kai Chen, Erik Dahlstrand, Jeroen van Dijk,
-Alexander Dobriakov, Sebastian Dyck, Ari Epstein, Jeremy Friesen, Tim Harper, hollownest,
-Daniel Kristensen, Brian Langenfeld, Georg Ledermann, Geoff Longman, Olly Lylo, Mark Mansour,
-Thomas Maurer, TJ Singleton, Mike Vincent
+Thanks to John Joseph Bachir, Eike Carls, Dennis Blöte, Kai Chen, Erik Dahlstrand,
+Jeroen van Dijk, Alexander Dobriakov, Sebastian Dyck, Ari Epstein, Jeremy Friesen,
+Tim Harper, hollownest, Daniel Kristensen, Brad Langhorst, Brian Langenfeld,
+Georg Ledermann, Geoff Longman, Olly Lylo, Mark Mansour, Thomas Maurer, Sharagoz,
+TJ Singleton, Mike Vincent
 
 
 = Licence

data/config/routes.rb

@@ -1,10 +1,20 @@
-# Rails 3 depreciates ActionController::Routing::Routes 
-routes = (Rails.respond_to?(:application) ? Rails.application.routes : ActionController::Routing::Routes)
-
-routes.draw do |map|
-  if Authorization::activate_authorization_rules_browser?
-    map.resources :authorization_rules, :only => [:index],
-        :collection => {:graph => :get, :change => :get, :suggest_change => :get}
-    map.resources :authorization_usages, :only => :index
+if Authorization::activate_authorization_rules_browser?
+  if Rails.respond_to?(:application)
+    Rails.application.routes.draw do
+      resources :authorization_rules, :only => [:index] do
+          collection do
+            get :graph
+            get :change
+            get :suggest_change
+          end
+      end
+      resources :authorization_usages, :only => :index
+    end
+  else
+    ActionController::Routing::Routes.draw do |map|
+      map.resources :authorization_rules, :only => [:index],
+          :collection => {:graph => :get, :change => :get, :suggest_change => :get}
+      map.resources :authorization_usages, :only => :index
+    end
   end
-end
+end

data/lib/declarative_authorization/authorization.rb

@@ -296,7 +296,7 @@ module Authorization
     
     def flatten_roles (roles)
       # TODO caching?
-      flattened_roles = roles.clone.to_a
+      flattened_roles = roles.dup.to_a
       flattened_roles.each do |role|
         flattened_roles.concat(@role_hierarchy[role]).uniq! if @role_hierarchy[role]
       end
@@ -373,18 +373,27 @@ module Authorization
           exceptions << e
           nil
         end
-      end.flatten.compact
+      end
 
       if exceptions.length > 0 and (@join_operator == :and or exceptions.length == @attributes.length)
         raise NotAuthorized, "Missing authorization in collecting obligations: #{exceptions.map(&:to_s) * ", "}"
       end
 
       if @join_operator == :and and !obligations.empty?
-        merged_obligation = obligations.first
-        obligations[1..-1].each do |obligation|
-          merged_obligation = merged_obligation.deep_merge(obligation)
+        # cross product of OR'ed obligations in arrays
+        arrayed_obligations = obligations.map {|obligation| obligation.is_a?(Hash) ? [obligation] : obligation}
+        merged_obligations = arrayed_obligations.first
+        arrayed_obligations[1..-1].each do |inner_obligations|
+          previous_merged_obligations = merged_obligations
+          merged_obligations = inner_obligations.collect do |inner_obligation|
+            previous_merged_obligations.collect do |merged_obligation|
+              merged_obligation.deep_merge(inner_obligation)
+            end
+          end.flatten
         end
-        obligations = [merged_obligation]
+        obligations = merged_obligations
+      else
+        obligations = obligations.flatten.compact
       end
       obligations.empty? ? [{}] : obligations
     end

data/lib/declarative_authorization/in_controller.rb

@@ -274,6 +274,8 @@ module Authorization
         context = options[:context]
         actions = args.flatten
 
+        # prevent setting filter_access_filter multiple times
+        skip_before_filter :filter_access_filter
         before_filter :filter_access_filter
         
         filter_access_permissions.each do |perm|

data/test/authorization_test.rb

@@ -69,6 +69,26 @@ class AuthorizationTest < Test::Unit::TestCase
     assert  engine.permit?(:test, :context => :permissions_4, :user => MockUser.new(:test_role))
     assert  engine.permit?(:test, :context => :permissions_5, :user => MockUser.new(:test_role))
   end
+
+  def test_permit_with_frozen_roles
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :other_role do
+          includes :test_role
+        end
+        role :test_role do
+          has_permission_on :permissions, :to => :test
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    roles = [:other_role].freeze
+    assert_nothing_raised do
+      assert engine.permit?(:test, :context => :permissions,
+        :user => MockUser.new(:role_symbols => roles))
+    end
+  end
   
   def test_obligations_without_conditions
     reader = Authorization::Reader::DSLReader.new

data/test/controller_test.rb

@@ -198,6 +198,7 @@ end
 
 ##################
 class LoadMockObjectsController < MocksController
+  before_filter { @@load_method_call_count = 0 }
   filter_access_to :show, :attribute_check => true, :model => LoadMockObject
   filter_access_to :edit, :attribute_check => true
   filter_access_to :update, :delete, :attribute_check => true,
@@ -207,9 +208,18 @@ class LoadMockObjectsController < MocksController
   end
   filter_access_to :view, :attribute_check => true, :load_method => :load_method
   def load_method
+    self.class.load_method_called
     MockDataObject.new(:test => 2)
   end
   define_action_methods :show, :edit, :update, :delete, :create, :view
+
+  def self.load_method_called
+    @@load_method_call_count ||= 0
+    @@load_method_call_count += 1
+  end
+  def self.load_method_call_count
+    @@load_method_call_count || 0
+  end
 end
 class LoadObjectControllerTest < ActionController::TestCase
   tests LoadMockObjectsController
@@ -287,7 +297,12 @@ class LoadObjectControllerTest < ActionController::TestCase
     
     request!(MockUser.new(:test_role), "view", reader)
     assert @controller.authorized?
+    assert_equal 1, @controller.class.load_method_call_count
     
+    request!(MockUser.new(:test_role_2), "view", reader)
+    assert !@controller.authorized?
+    assert_equal 1, @controller.class.load_method_call_count
+
     request!(MockUser.new(:test_role), "update", reader)
     assert @controller.authorized?
   end

data/test/model_test.rb

@@ -1099,6 +1099,52 @@ class NamedScopeModelTest < Test::Unit::TestCase
     TestAttr.delete_all
   end
 
+  def test_with_anded_if_permitted_to
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :base_role do
+          has_permission_on :test_attrs, :to => :read, :join_by => :and do
+            if_permitted_to :read, :test_model
+            if_attribute :attr => 1
+          end
+        end
+        role :first_role do
+          includes :base_role
+          has_permission_on :test_models, :to => :read do
+            if_attribute :content => "first test"
+          end
+        end
+        role :second_role do
+          includes :base_role
+          has_permission_on :test_models, :to => :read do
+            if_attribute :country_id => 2
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+
+    test_model_1 = TestModel.create!(:content => "first test")
+    test_model_1.test_attrs.create!(:attr => 1)
+    test_model_for_second_role = TestModel.create!(:country_id => 2)
+    test_model_for_second_role.test_attrs.create!(:attr => 1)
+    test_model_for_second_role.test_attrs.create!(:attr => 2)
+
+    user = MockUser.new(:first_role)
+    assert Authorization::Engine.instance.permit?(:read, :object => test_model_1.test_attrs.first, :user => user)
+    assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+
+    user_with_both_roles = MockUser.new(:first_role, :second_role)
+    assert Authorization::Engine.instance.permit?(:read, :object => test_model_1.test_attrs.first, :user => user_with_both_roles)
+    assert Authorization::Engine.instance.permit?(:read, :object => test_model_for_second_role.test_attrs.first, :user => user_with_both_roles)
+    #p Authorization::Engine.instance.obligations(:read, :user => user_with_both_roles, :context => :test_attrs)
+    assert_equal 2, TestAttr.with_permissions_to(:read, :user => user_with_both_roles).length
+
+    TestModel.delete_all
+    TestAttr.delete_all
+  end
+
   def test_with_if_permitted_to_with_no_child_permissions
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{

data/test/test_helper.rb

@@ -70,7 +70,7 @@ end
 class MockUser < MockDataObject
   def initialize (*roles)
     options = roles.last.is_a?(::Hash) ? roles.pop : {}
-    super(options.merge(:role_symbols => roles, :login => hash))
+    super({:role_symbols => roles, :login => hash}.merge(options))
   end
 
   def initialize_copy (other)

metadata

@@ -5,8 +5,8 @@ version: !ruby/object:Gem::Version
   segments: 
   - 0
   - 5
-  - 1
-  version: 0.5.1
+  - 2
+  version: 0.5.2
 platform: ruby
 authors: 
 - Steffen Bartsch
@@ -14,7 +14,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-09-12 00:00:00 +02:00
+date: 2010-12-31 00:00:00 +01:00
 default_executable: 
 dependencies: []
 
@@ -102,6 +102,6 @@ rubyforge_project:
 rubygems_version: 1.3.6
 signing_key: 
 specification_version: 3
-summary: declarative_authorization is a Rails plugin for authorization based on readable authorization rules.
+summary: declarative_authorization is a Rails plugin for maintainable authorization based on readable authorization rules.
 test_files: []