declarative_authorization 0.5.2 → 0.5.3

data/CHANGELOG

@@ -1,3 +1,13 @@
+** RELEASE 0.5.3 (May 25, 2011)
+
+* Bugfixes and documentation cleanup
+
+* Rails 3.1.rc1 compatibility [sb]
+
+* Added has_any_role?, has_any_role_with_hierarchy? [t.pickett66]
+
+* Allow changing the default role [dbloete]
+
 ** RELEASE 0.5.2 (Dec 31, 2010) **
 
 * Bugfixes and documentation updates

data/README.rdoc

@@ -192,13 +192,13 @@ See also Authorization::AuthorizationHelper.
 
 == Models
 
-There are two destinct features for model security built into this plugin:
+There are two distinct features for model security built into this plugin:
 authorizing CRUD operations on objects as well as query rewriting to limit
 results according to certain privileges.
 
 See also Authorization::AuthorizationInModel.
 
-=== Model security for CRUD opterations
+=== Model security for CRUD operations
 To activate model security, all it takes is an explicit enabling for each
 model that model security should be enforced on, i.e.
 
@@ -215,7 +215,7 @@ happened if an operation is denied, the filters throw
 Authorization::NotAuthorized exceptions.
 
 As access control on read are costly, with possibly lots of objects being
-loaded at a time in one query, checks on read need to be actived explicitly by
+loaded at a time in one query, checks on read need to be activated explicitly by
 adding the :include_read option.
 
 === Query rewriting through named scopes
@@ -256,6 +256,11 @@ public pages, :+guest+ can be used to allow access for users that are not
 logged in.  All other roles are application defined and need to be associated
 with users by the application.
 
+If you need to change the default role, you can do so by adding an initializer
+that contains the following statement:
+
+    Authorization.default_role = :anonymous
+
 Privileges, such as :create, may be put into hierarchies to simplify
 maintenance.  So the example above has the same meaning as
 
@@ -512,12 +517,12 @@ sbartsch at tzi.org
 
 Thanks to John Joseph Bachir, Eike Carls, Dennis Blöte, Kai Chen, Erik Dahlstrand,
 Jeroen van Dijk, Alexander Dobriakov, Sebastian Dyck, Ari Epstein, Jeremy Friesen,
-Tim Harper, hollownest, Daniel Kristensen, Brad Langhorst, Brian Langenfeld,
-Georg Ledermann, Geoff Longman, Olly Lylo, Mark Mansour, Thomas Maurer, Sharagoz,
-TJ Singleton, Mike Vincent
+Tim Harper, hollownest, Daniel Kristensen, Jeremy Kleindl, Brad Langhorst, Brian Langenfeld,
+Georg Ledermann, Geoff Longman, Olly Lylo, Mark Mansour, Thomas Maurer, Tyler Pickett, Sharagoz,
+TJ Singleton, Mike Vincent, Joel Westerberg
 
 
-= Licence
+= License
 
 Copyright (c) 2008 Steffen Bartsch, TZI, Universität Bremen, Germany
 released under the MIT license

data/app/views/authorization_usages/index.html.erb

@@ -17,7 +17,7 @@
   <% @auth_usages_by_controller.keys.sort {|c1, c2| c1.name <=> c2.name}.each do |controller| %>
     <% default_context = controller.controller_name.to_sym rescue nil %>
     <tr>
-      <th colspan="3"><%= h controller.controller_name %></th>
+      <th colspan="3"><%= h controller.name.underscore.sub(/_controller\Z/, '') %></th>
     </tr>
     <% @auth_usages_by_controller[controller].keys.sort {|c1, c2| c1.to_s <=> c2.to_s}.each do |action| %>
       <% auth_info = @auth_usages_by_controller[controller][action] %>

data/lib/declarative_authorization/authorization.rb

@@ -9,7 +9,7 @@ module Authorization
   # NotAuthorized is raised if the current user is not allowed to perform
   # the given operation possibly on a specific object.
   class NotAuthorized < AuthorizationError ; end
-  # AttributeAuthorizationError is more specific than NotAuthorized, signalling
+  # AttributeAuthorizationError is more specific than NotAuthorized, signaling
   # that the access was denied on the grounds of attribute conditions.
   class AttributeAuthorizationError < NotAuthorized ; end
   # AuthorizationUsageError is used whenever a situation is encountered
@@ -25,7 +25,7 @@ module Authorization
   # Controller-independent method for retrieving the current user.
   # Needed for model security where the current controller is not available.
   def self.current_user
-    Thread.current["current_user"] || GuestUser.new
+    Thread.current["current_user"] || AnonymousUser.new
   end
   
   # Controller-independent method for setting the current user.
@@ -52,6 +52,15 @@ module Authorization
     @@dot_path = path
   end
   
+  @@default_role = :guest
+  def self.default_role
+    @@default_role
+  end
+
+  def self.default_role= (role)
+    @@default_role = role.to_sym
+  end
+  
   # Authorization::Engine implements the reference monitor.  It may be used
   # for querying the permission and retrieving obligations under which
   # a certain privilege is granted for the current user.
@@ -113,7 +122,7 @@ module Authorization
     #   The context part of the privilege.
     #   Defaults either to the tableized +class_name+ of the given :+object+, if given.
     #   That is, :+users+ for :+object+ of type User.  
-    #   Raises AuthorizationUsageError if context is missing and not to be infered.
+    #   Raises AuthorizationUsageError if context is missing and not to be inferred.
     # [:+object+] An context object to test attribute checks against.
     # [:+skip_attribute_test+]
     #   Skips those attribute checks in the 
@@ -232,8 +241,8 @@ module Authorization
       raise AuthorizationUsageError, "User object doesn't respond to roles (#{user.inspect})" \
         if !user.respond_to?(:role_symbols) and !user.respond_to?(:roles)
 
-      RAILS_DEFAULT_LOGGER.info("The use of user.roles is deprecated.  Please add a method " +
-          "role_symbols to your User model.") if defined?(RAILS_DEFAULT_LOGGER) and !user.respond_to?(:role_symbols)
+      Rails.logger.info("The use of user.roles is deprecated.  Please add a method " +
+          "role_symbols to your User model.") if defined?(Rails) and Rails.respond_to?(:logger) and !user.respond_to?(:role_symbols)
 
       roles = user.respond_to?(:role_symbols) ? user.role_symbols : user.roles
 
@@ -241,7 +250,7 @@ module Authorization
         "doesn't return an Array of Symbols (#{roles.inspect})" \
             if !roles.is_a?(Array) or (!roles.empty? and !roles[0].is_a?(Symbol))
 
-      (roles.empty? ? [:guest] : roles)
+      (roles.empty? ? [Authorization.default_role] : roles)
     end
     
     # Returns the role symbols and inherritted role symbols for the given user
@@ -685,10 +694,10 @@ module Authorization
     end
   end
   
-  # Represents a pseudo-user to facilitate guest users in applications
-  class GuestUser
+  # Represents a pseudo-user to facilitate anonymous users in applications
+  class AnonymousUser
     attr_reader :role_symbols
-    def initialize (roles = [:guest])
+    def initialize (roles = [Authorization.default_role])
       @role_symbols = roles
     end
   end

data/lib/declarative_authorization/development_support/analyzer.rb

@@ -18,7 +18,7 @@ module Authorization
     # * merging roles
     # * role hierarchy
     #
-    # Mergeable Rules:  respect if_permitted_to hash
+    # Merge-able Rules:  respect if_permitted_to hash
     #
     class Analyzer < AbstractAnalyzer
       def analyze (rules)

data/lib/declarative_authorization/development_support/change_analyzer.rb

@@ -32,7 +32,7 @@ module Authorization
 
         # * strategy for removing: [remove privilege, add privilege to different role]
         @seen_states = Set.new
-        # * heurisic: change of failed tests;  small number of policy items
+        # * heuristic: change of failed tests;  small number of policy items
         strategy = case [change_action, type]
                    when [:remove, :permission]
                      [:remove_role_from_user, :remove_privilege, :add_privilege,

data/lib/declarative_authorization/helper.rb

@@ -56,5 +56,13 @@ module Authorization
     def has_role_with_hierarchy?(*roles, &block)
       controller.has_role_with_hierarchy?(*roles, &block)
     end
+    
+    def has_any_role?(*roles,&block)
+      controller.has_any_role?(*roles,&block)
+    end
+    
+    def has_any_role_with_hierarchy?(*roles, &block)
+      controller.has_any_role_with_hierarchy?(*roles, &block)
+    end
   end
 end

data/lib/declarative_authorization/in_controller.rb

@@ -12,13 +12,13 @@ module Authorization
     
     DEFAULT_DENY = false
     
-    # If attribute_check is set for filter_access_to, decl_auth will try to
+    # If attribute_check is set for filter_access_to, decl_auth_context will try to
     # load the appropriate object from the current controller's model with
     # the id from params[:id].  If that fails, a 404 Not Found is often the
     # right way to handle the error.  If you have additional measures in place
     # that restricts the find scope, handling this error as a permission denied
     # might be a better way.  Set failed_auto_loading_is_not_found to false
-    # for the latter behaviour.
+    # for the latter behavior.
     @@failed_auto_loading_is_not_found = true
     def self.failed_auto_loading_is_not_found?
       @@failed_auto_loading_is_not_found
@@ -52,7 +52,7 @@ module Authorization
       context = object = nil
       if object_or_sym.nil?
         context = self.class.decl_auth_context
-      elsif object_or_sym.is_a?(Symbol)
+      elsif !object_or_sym.respond_to?(:proxy_reflection) and object_or_sym.is_a?(Symbol)
         context = object_or_sym
       else
         object = object_or_sym
@@ -86,6 +86,17 @@ module Authorization
       result
     end
     
+    # Intended to be used where you want to allow users with any single listed role to view 
+    # the content in question
+    def has_any_role?(*roles,&block)
+      user_roles = authorization_engine.roles_for(current_user)
+      result = roles.any? do |role|
+        user_roles.include?(role)
+      end
+      yield if result and block_given?
+      result
+    end
+    
     # As has_role? except checks all roles included in the role hierarchy
     def has_role_with_hierarchy?(*roles, &block)
       user_roles = authorization_engine.roles_with_hierarchy_for(current_user)
@@ -96,6 +107,15 @@ module Authorization
       result
     end
     
+    # As has_any_role? except checks all roles included in the role hierarchy
+    def has_any_role_with_hierarchy?(*roles, &block)
+      user_roles = authorization_engine.roles_with_hierarchy_for(current_user)
+      result = roles.any? do |role|
+        user_roles.include?(role)
+      end
+      yield if result and block_given?
+      result
+    end
     
     protected
     def filter_access_filter # :nodoc:
@@ -194,7 +214,7 @@ module Authorization
       #     end
       #   end
       # 
-      # By default, required privileges are infered from the action name and
+      # By default, required privileges are inferred from the action name and
       # the controller name.  Thus, in UserController :+edit+ requires
       # :+edit+ +users+.  To specify required privilege, use the option :+require+
       #   filter_access_to :new, :create, :require => :create, :context => :users
@@ -256,7 +276,7 @@ module Authorization
       #   to load the object.  Both should return the loaded object.
       #   If a Proc object is given, e.g. by way of
       #   +lambda+, it is called in the instance of the controller.  
-      #   Example demonstrating the default behaviour:
+      #   Example demonstrating the default behavior:
       #     filter_access_to :show, :attribute_check => true,
       #                      :load_method => lambda { User.find(params[:id]) }
       # 
@@ -337,7 +357,7 @@ module Authorization
       #
       # In many cases, the default seven CRUD actions are not sufficient.  As in
       # the resource definition for routing you may thus give additional member,
-      # new and collection methods.  The options allow you to specify the
+      # new and collection methods.  The +options+ allow you to specify the
       # required privileges for each action by providing a hash or an array of
       # pairs.  By default, for each action the action name is taken as privilege
       # (action search in the example below requires the privilege :index
@@ -348,7 +368,19 @@ module Authorization
       #         :additional_member => {:mark_as_key_company => :update}
       #   end
       # The +additional_+* options add to the respective CRUD actions,
-      # the other options replace the respective CRUD actions.
+      # the other options (:+member+, :+collection+, :+new+) replace their
+      # respective CRUD actions.
+      #    filter_resource_access :member => { :toggle_open => :update }
+      # Would declare :toggle_open as the only member action in the controller and
+      # require that permission :update is granted for the current user.
+      #    filter_resource_access :additional_member => { :toggle_open => :update }
+      # Would add a member action :+toggle_open+ to the default members, such as :+show+.
+      #
+      # If :+collection+ is an array of method names filter_resource_access will 
+      # associate a permission with the method that is the same as the method 
+      # name and no attribute checks will be performed unless 
+      #   :attribute_check => true
+      # is added in the options.
       # 
       # You can override the default object loading by implementing any of the
       # following instance methods on the controller.  Examples are given for the
@@ -390,7 +422,7 @@ module Authorization
       #   +nested_in+, attribute check is deactivated for these actions.  By
       #   default, collection is set to :+index+.
       # [:+additional_collection+]
-      #   Allows to add additional collaction actions to the default resource +collection+
+      #   Allows to add additional collection actions to the default resource +collection+
       #   actions.
       # [:+new+]
       #   +new+ methods are actions such as +new+ and +create+, which don't
@@ -422,7 +454,7 @@ module Authorization
       #   +additional_member+ or rather the default member actions (:+show+, :+edit+,
       #   :+update+, :+destroy+).
       # [:+no_attribute_check+]
-      #   Allows to set actions for which no attribute check should be perfomed.
+      #   Allows to set actions for which no attribute check should be performed.
       #   See filter_access_to on details.  By default, with no +nested_in+,
       #   +no_attribute_check+ is set to all collections.  If +nested_in+ is given
       #   +no_attribute_check+ is empty by default.
@@ -443,8 +475,8 @@ module Authorization
           :nested_in  => nil,
         }.merge(options)
 
-        new_actions = actions_from_option(options[:new]).merge(
-            actions_from_option(options[:additional_new]))
+        new_actions = actions_from_option( options[:new] ).merge(
+            actions_from_option(options[:additional_new]) )
         members = actions_from_option(options[:member]).merge(
             actions_from_option(options[:additional_member]))
         collections = actions_from_option(options[:collection]).merge(
@@ -609,7 +641,7 @@ module Authorization
         unless object
           begin
             object = load_object_model.find(contr.params[:id])
-          rescue RuntimeError => e
+          rescue => e
             contr.logger.debug("filter_access_to tried to find " +
                 "#{load_object_model} from params[:id] " +
                 "(#{contr.params[:id].inspect}), because attribute_check is enabled " +

data/lib/declarative_authorization/in_model.rb

@@ -34,29 +34,31 @@ module Authorization
     def self.included(base) # :nodoc:
       #base.extend(ClassMethods)
       base.module_eval do
-        scopes[:with_permissions_to] = lambda do |parent_scope, *args|
-          options = args.last.is_a?(Hash) ? args.pop : {}
-          privilege = (args[0] || :read).to_sym
-          privileges = [privilege]
-          context =
-              if options[:context]
-                options[:context]
-              elsif parent_scope.respond_to?(:proxy_reflection)
-                parent_scope.proxy_reflection.klass.name.tableize.to_sym
-              elsif parent_scope.respond_to?(:decl_auth_context)
-                parent_scope.decl_auth_context
-              else
-                parent_scope.name.tableize.to_sym
-              end
-          
-          user = options[:user] || Authorization.current_user
+        if Rails.version < "3.1"
+          scopes[:with_permissions_to] = lambda do |parent_scope, *args|
+            options = args.last.is_a?(Hash) ? args.pop : {}
+            privilege = (args[0] || :read).to_sym
+            privileges = [privilege]
+            context =
+                if options[:context]
+                  options[:context]
+                elsif parent_scope.respond_to?(:proxy_reflection)
+                  parent_scope.proxy_reflection.klass.name.tableize.to_sym
+                elsif parent_scope.respond_to?(:decl_auth_context)
+                  parent_scope.decl_auth_context
+                else
+                  parent_scope.name.tableize.to_sym
+                end
 
-          engine = options[:engine] || Authorization::Engine.instance
-          engine.permit!(privileges, :user => user, :skip_attribute_test => true,
-                         :context => context)
+            user = options[:user] || Authorization.current_user
+
+            engine = options[:engine] || Authorization::Engine.instance
+            engine.permit!(privileges, :user => user, :skip_attribute_test => true,
+                           :context => context)
 
-          obligation_scope_for( privileges, :user => user,
-              :context => context, :engine => engine, :model => parent_scope)
+            obligation_scope_for( privileges, :user => user,
+                :context => context, :engine => engine, :model => parent_scope)
+          end
         end
         
         # Builds and returns a scope with joins and conditions satisfying all obligations.
@@ -96,7 +98,32 @@ module Authorization
         #   current user.
         #
         def self.with_permissions_to (*args)
-          scopes[:with_permissions_to].call(self, *args)
+          if Rails.version < "3.1"
+            scopes[:with_permissions_to].call(self, *args)
+          else
+            options = args.last.is_a?(Hash) ? args.pop : {}
+            privilege = (args[0] || :read).to_sym
+            privileges = [privilege]
+
+            parent_scope = scoped
+            context =
+                if options[:context]
+                  options[:context]
+                elsif parent_scope.klass.respond_to?(:decl_auth_context)
+                  parent_scope.klass.decl_auth_context
+                else
+                  parent_scope.klass.name.tableize.to_sym
+                end
+
+            user = options[:user] || Authorization.current_user
+
+            engine = options[:engine] || Authorization::Engine.instance
+            engine.permit!(privileges, :user => user, :skip_attribute_test => true,
+                           :context => context)
+
+            obligation_scope_for( privileges, :user => user,
+                :context => context, :engine => engine, :model => parent_scope.klass)
+          end
         end
         
         # Activates model security for the current model.  Then, CRUD operations

data/lib/declarative_authorization/maintenance.rb

@@ -55,17 +55,14 @@ module Authorization
       def self.usages_by_controller
         # load each application controller
         begin
-          Dir.foreach(File.join(::Rails.root, %w{app controllers})) do |entry|
-            if entry =~ /^\w+_controller\.rb$/
-              require File.join(::Rails.root, %w{app controllers}, entry)
-            end
+          Dir.glob(File.join(::Rails.root, 'app', 'controllers', '**', '*_controller\.rb')) do |entry|
+            require entry
           end
         rescue Errno::ENOENT
         end
         controllers = []
         ObjectSpace.each_object(Class) do |obj|
-          controllers << obj if obj.ancestors.include?(ActionController::Base) and
-                                !%w{ActionController::Base ApplicationController}.include?(obj.name)
+          controllers << obj if obj.ancestors.include?(ActionController::Base) and obj != ActionController::Base and obj.name.demodulize != 'ApplicationController'
         end
 
         controllers.inject({}) do |memo, controller|

data/lib/declarative_authorization/reader.rb

@@ -6,7 +6,7 @@ module Authorization
   # Parses an authorization configuration file in the authorization DSL and
   # constructs a data model of its contents.
   # 
-  # For examples and the modelled data model, see the 
+  # For examples and the modeled data model, see the 
   # README[link:files/README_rdoc.html].
   #
   # Also, see role definition methods
@@ -381,12 +381,12 @@ module Authorization
       #
       #   role :branch_manager
       #     has_permission_on :branches, :to => :manage do
-      #       if_attribute :employees => includes { user }
+      #       if_attribute :employees => contains { user }
       #     end
       #     has_permission_on :employees, :to => :read do
       #       if_permitted_to :read, :branch
       #       # instead of
-      #       # if_attribute :branch => { :employees => includes { user } }
+      #       # if_attribute :branch => { :employees => contains { user } }
       #     end
       #   end
       #
@@ -404,19 +404,19 @@ module Authorization
       # To check permissions based on the current object, the attribute has to
       # be left out:
       #   has_permission_on :branches, :to => :manage do
-      #     if_attribute :employees => includes { user }
+      #     if_attribute :employees => contains { user }
       #   end
       #   has_permission_on :branches, :to => :paint_green do
       #     if_permitted_to :update
       #   end
-      # Normally, one would merge those rules into one.  Deviding makes sense
+      # Normally, one would merge those rules into one.  Dividing makes sense
       # if additional if_attribute are used in the second rule or those rules
       # are applied to different roles.
       #
       # Options:
       # [:+context+]
       #   When using with_permissions_to, the target context of the if_permitted_to
-      #   statement is infered from the last reflections target class.  Still,
+      #   statement is inferred from the last reflections target class.  Still,
       #   you may override this algorithm by setting the context explicitly.
       #     if_permitted_to :read, :home_branch, :context => :branches
       #     if_permitted_to :read, :branch => :main_company, :context => :companies

data/test/authorization_test.rb

@@ -316,6 +316,25 @@ class AuthorizationTest < Test::Unit::TestCase
     assert !engine.permit?(:test, :context => :permissions_2)
   end
   
+  def test_default_role
+    previous_default_role = Authorization.default_role
+    Authorization.default_role = :anonymous
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :anonymous do
+          has_permission_on :permissions, :to => :test
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:test, :context => :permissions)
+    assert !engine.permit?(:test, :context => :permissions, 
+      :user => MockUser.new(:guest))
+    # reset the default role, so that it does not mess up other tests
+    Authorization.default_role = previous_default_role
+  end
+  
   def test_invalid_user_model
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{

data/test/controller_test.rb

@@ -262,7 +262,7 @@ class LoadObjectControllerTest < ActionController::TestCase
       end
     }
 
-    assert_raise RuntimeError, "No id param supplied" do
+    assert_raise StandardError, "No id param supplied" do
       request!(MockUser.new(:test_role), "show", reader)
     end
     

data/test/helper_test.rb

@@ -113,7 +113,42 @@ class HelperTest < ActionController::TestCase
     end
     assert !block_evaled
   end
-
+  
+  def test_has_any_role
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :mocks, :to => :show
+        end
+      end
+    }
+    user = MockUser.new(:test_role)
+    request!(user, :action, reader)
+    
+    assert has_any_role?(:test_role)
+    assert !has_any_role?(:test_role2)
+    assert has_any_role?(:test_role, :test_role2)
+    
+    block_evaled = false
+    has_any_role?(:test_role) do
+      block_evaled = true
+    end
+    assert block_evaled
+    
+    block_evaled = false
+    has_any_role?(:test_role2) do
+      block_evaled = true
+    end
+    assert !block_evaled
+    
+    block_evaled = false
+    has_any_role?(:test_role,:test_role2) do
+      block_evaled = true
+    end
+    assert block_evaled
+  end
+  
   def test_has_role_with_guest_user
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{
@@ -165,8 +200,48 @@ class HelperTest < ActionController::TestCase
       block_evaled = true
     end
     assert !block_evaled
-
   end
   
-  
+  def test_has_any_role_with_hierarchy
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :mocks, :to => :show
+        end
+        role :other_role do
+          has_permission_on :another_mocks, :to => :show
+        end
+
+        role :root do
+          includes :test_role
+        end
+      end
+    }    
+    
+    user = MockUser.new(:root)
+    request!(user, :action, reader)
+    
+    assert has_any_role_with_hierarchy?(:test_role)
+    assert !has_any_role_with_hierarchy?(:other_role)
+    assert has_any_role_with_hierarchy?(:test_role,:other_role)
+
+    block_evaled = false
+    has_any_role_with_hierarchy?(:test_role) do
+      block_evaled = true
+    end
+    assert block_evaled
+    
+    block_evaled = false
+    has_any_role_with_hierarchy?(:test_role2) do
+      block_evaled = true
+    end
+    assert !block_evaled
+    
+    block_evaled = false
+    has_any_role_with_hierarchy?(:test_role,:test_role2) do
+      block_evaled = true
+    end
+    assert block_evaled
+  end
 end

data/test/model_test.rb

@@ -71,6 +71,7 @@ class TestAttr < ActiveRecord::Base
   belongs_to :branch
   belongs_to :company
   has_many :test_attr_throughs
+  has_many :test_model_security_model_with_finds
   attr_reader :role_symbols
   def initialize (*args)
     @role_symbols = []
@@ -89,6 +90,7 @@ end
 class TestModelSecurityModelWithFind < ActiveRecord::Base
   set_table_name "test_model_security_models"
   has_many :test_attrs
+  belongs_to :test_attr
   using_access_control :include_read => true, 
     :context => :test_model_security_models
 end
@@ -1591,6 +1593,32 @@ class ModelTest < Test::Unit::TestCase
     end
   end
 
+  def test_model_security_with_read_restrictions_and_exists
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_model_security_models do
+            to :read, :create, :update, :delete
+            if_attribute :test_attr => is { user.test_attr }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+
+    test_attr = TestAttr.create
+    Authorization.current_user = MockUser.new(:test_role, :test_attr => test_attr)
+    object_with_find = TestModelSecurityModelWithFind.create :test_attr => test_attr
+    assert_nothing_raised do
+      object_with_find.class.find(object_with_find.id)
+    end
+    assert_equal 1, test_attr.test_model_security_model_with_finds.length
+    
+    # Raises error since AR does not populate the object
+    #assert test_attr.test_model_security_model_with_finds.exists?(object_with_find)
+  end
+
   def test_model_security_delete_unallowed
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{

data/test/schema.sql

@@ -28,7 +28,8 @@ CREATE TABLE 'test_attr_throughs' (
 CREATE TABLE 'test_model_security_models' (
   'id' INTEGER PRIMARY KEY NOT NULL, 
   'attr' integer default 1, 
-  'attr_2' integer default 1
+  'attr_2' integer default 1,
+  'test_attr_id' integer
 );
 
 CREATE TABLE 'n_way_join_items' (

data/test/test_helper.rb

@@ -62,7 +62,7 @@ class MockDataObject
   end
   
   def self.find(*args)
-    raise "Couldn't find #{self.name} with id #{args[0].inspect}" unless args[0]
+    raise StandardError, "Couldn't find #{self.name} with id #{args[0].inspect}" unless args[0]
     new :id => args[0]
   end
 end
@@ -118,7 +118,8 @@ if Rails.version < "3"
     map.connect ':controller/:action/:id'
   end
 else
-  Rails::Application.routes.draw do
+  #Rails::Application.routes.draw do
+  Rails.application.routes.draw do
     match '/name/spaced_things(/:action)' => 'name/spaced_things'
     match '/deep/name_spaced/things(/:action)' => 'deep/name_spaced/things'
     match '/:controller(/:action(/:id))'
@@ -146,7 +147,8 @@ class Test::Unit::TestCase
 
   unless Rails.version < "3"
     def setup
-      @routes = Rails::Application.routes
+      #@routes = Rails::Application.routes
+      @routes = Rails.application.routes
     end
   end
 end

metadata

@@ -5,8 +5,8 @@ version: !ruby/object:Gem::Version
   segments: 
   - 0
   - 5
-  - 2
-  version: 0.5.2
+  - 3
+  version: 0.5.3
 platform: ruby
 authors: 
 - Steffen Bartsch
@@ -14,7 +14,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-12-31 00:00:00 +01:00
+date: 2011-05-25 00:00:00 +02:00
 default_executable: 
 dependencies: []