declarative_authorization 0.5.3 → 0.5.4

data/CHANGELOG

@@ -1,3 +1,11 @@
+** RELEASE 0.5.4 (Nov 30, 2011)
+
+* Cumulative loading of authorization rules [Damian Curso/sb]
+
+* Improved used_privileges rake task [urkle]
+
+* Performance improvements [John Hawthorn]
+
 ** RELEASE 0.5.3 (May 25, 2011)
 
 * Bugfixes and documentation cleanup

data/README.rdoc

@@ -390,10 +390,8 @@ One of three options to install the plugin:
     gem tumble
   And call from your application's root directory
     rake gems:install
-* Alternatively, to install from github, execute in your application's root directory
+* Alternativelyi, in Rails 2, to install from github, execute in your application's root directory
     cd vendor/plugins && git clone git://github.com/stffn/declarative_authorization.git
-* Or, download one of the released versions from Github at
-  http://github.com/stffn/declarative_authorization/downloads
 
 Then, 
 * provide the requirements as noted below, 
@@ -515,10 +513,10 @@ sbartsch at tzi.org
 
 = Contributors
 
-Thanks to John Joseph Bachir, Eike Carls, Dennis Blöte, Kai Chen, Erik Dahlstrand,
+Thanks to John Joseph Bachir, Dennis Blöte, Eike Carls, Damian Caruso, Kai Chen, Erik Dahlstrand,
 Jeroen van Dijk, Alexander Dobriakov, Sebastian Dyck, Ari Epstein, Jeremy Friesen,
-Tim Harper, hollownest, Daniel Kristensen, Jeremy Kleindl, Brad Langhorst, Brian Langenfeld,
-Georg Ledermann, Geoff Longman, Olly Lylo, Mark Mansour, Thomas Maurer, Tyler Pickett, Sharagoz,
+Tim Harper, John Hawthorn, hollownest, Daniel Kristensen, Jeremy Kleindl, Brad Langhorst, Brian Langenfeld,
+Georg Ledermann, Geoff Longman, Olly Lylo, Mark Mansour, Thomas Maurer, Tyler Pickett, Edward Rudd, Sharagoz,
 TJ Singleton, Mike Vincent, Joel Westerberg
 
 

data/app/helpers/authorization_rules_helper.rb

@@ -13,7 +13,7 @@ module AuthorizationRulesHelper
     }
     regexps.each do |name, res|
       res.each do |re|
-        rules.gsub!(
+        rules = rules.gsub(
           re.is_a?(String) ? Regexp.new("(^|[^:])\\b(#{Regexp.escape(re)})\\b") :
              (re.is_a?(Symbol) ? Regexp.new("()(:#{Regexp.escape(re.to_s)})\\b") : re), 
           "\\1<span class=\"#{name}\">\\2</span>")

data/lib/declarative_authorization/authorization.rb

@@ -1,7 +1,7 @@
 # Authorization
 require File.dirname(__FILE__) + '/reader.rb'
 require "set"
-
+require "forwardable"
 
 module Authorization
   # An exception raised if anything goes wrong in the Authorization realm
@@ -66,50 +66,50 @@ module Authorization
   # a certain privilege is granted for the current user.
   #
   class Engine
-    attr_reader :roles, :omnipotent_roles, :role_titles, :role_descriptions, :privileges,
-      :privilege_hierarchy, :auth_rules, :role_hierarchy, :rev_priv_hierarchy,
-      :rev_role_hierarchy
+    extend Forwardable
+    attr_reader :reader
+
+    def_delegators :@reader, :auth_rules_reader, :privileges_reader, :load, :load!
+    def_delegators :auth_rules_reader, :auth_rules, :roles, :omnipotent_roles, :role_hierarchy, :role_titles, :role_descriptions
+    def_delegators :privileges_reader, :privileges, :privilege_hierarchy
     
     # If +reader+ is not given, a new one is created with the default
     # authorization configuration of +AUTH_DSL_FILES+.  If given, may be either
     # a Reader object or a path to a configuration file.
     def initialize (reader = nil)
-      reader = Reader::DSLReader.factory(reader || AUTH_DSL_FILES)
-
-      @privileges = reader.privileges_reader.privileges
-      # {priv => [[priv, ctx],...]}
-      @privilege_hierarchy = reader.privileges_reader.privilege_hierarchy
-      @auth_rules = reader.auth_rules_reader.auth_rules
-      @roles = reader.auth_rules_reader.roles
-      @omnipotent_roles = reader.auth_rules_reader.omnipotent_roles
-      @role_hierarchy = reader.auth_rules_reader.role_hierarchy
-
-      @role_titles = reader.auth_rules_reader.role_titles
-      @role_descriptions = reader.auth_rules_reader.role_descriptions
-      @reader = reader
-      
-      # {[priv, ctx] => [priv, ...]}
-      @rev_priv_hierarchy = {}
-      @privilege_hierarchy.each do |key, value|
-        value.each do |val| 
-          @rev_priv_hierarchy[val] ||= []
-          @rev_priv_hierarchy[val] << key
+      #@auth_rules = AuthorizationRuleSet.new reader.auth_rules_reader.auth_rules
+      @reader = Reader::DSLReader.factory(reader || AUTH_DSL_FILES)
+    end
+
+    def initialize_copy (from) # :nodoc:
+      @reader = from.reader.clone
+    end
+
+    # {[priv, ctx] => [priv, ...]}
+    def rev_priv_hierarchy
+      if @rev_priv_hierarchy.nil?
+        @rev_priv_hierarchy = {}
+        privilege_hierarchy.each do |key, value|
+          value.each do |val| 
+            @rev_priv_hierarchy[val] ||= []
+            @rev_priv_hierarchy[val] << key
+          end
         end
       end
-      @rev_role_hierarchy = {}
-      @role_hierarchy.each do |higher_role, lower_roles|
-        lower_roles.each do |role|
-          (@rev_role_hierarchy[role] ||= []) << higher_role
+      @rev_priv_hierarchy
+    end
+   
+    # {[priv, ctx] => [priv, ...]}
+    def rev_role_hierarchy  
+      if @rev_role_hierarchy.nil?
+        @rev_role_hierarchy = {}
+        role_hierarchy.each do |higher_role, lower_roles|
+          lower_roles.each do |role|
+            (@rev_role_hierarchy[role] ||= []) << higher_role
+          end
         end
       end
-    end
-
-    def initialize_copy (from) # :nodoc:
-      [
-        :privileges, :privilege_hierarchy, :roles, :role_hierarchy, :role_titles,
-        :role_descriptions, :rev_priv_hierarchy, :rev_role_hierarchy
-      ].each {|attr| instance_variable_set(:"@#{attr}", from.send(attr).clone) }
-      @auth_rules = from.auth_rules.collect {|rule| rule.clone}
+      @rev_role_hierarchy
     end
     
     # Returns true if privilege is met by the current user.  Raises
@@ -130,13 +130,17 @@ module Authorization
     # [:+user+] 
     #   The user to check the authorization for.
     #   Defaults to Authorization#current_user.
+    # [:+bang+]
+    #   Should NotAuthorized exceptions be raised
+    #   Defaults to true.
     #
     def permit! (privilege, options = {})
       return true if Authorization.ignore_access_control
       options = {
         :object => nil,
         :skip_attribute_test => false,
-        :context => nil
+        :context => nil,
+        :bang => true
       }.merge(options)
       
       # Make sure we're handling all privileges as symbols.
@@ -163,34 +167,40 @@ module Authorization
       
       user, roles, privileges = user_roles_privleges_from_options(privilege, options)
 
-      return true if roles.is_a?(Array) and not (roles & @omnipotent_roles).empty?
+      return true if roles.is_a?(Array) and not (roles & omnipotent_roles).empty?
 
       # find a authorization rule that matches for at least one of the roles and 
       # at least one of the given privileges
       attr_validator = AttributeValidator.new(self, user, options[:object], privilege, options[:context])
       rules = matching_auth_rules(roles, privileges, options[:context])
-      if rules.empty?
-        raise NotAuthorized, "No matching rules found for #{privilege} for #{user.inspect} " +
-          "(roles #{roles.inspect}, privileges #{privileges.inspect}, " +
-          "context #{options[:context].inspect})."
-      end
       
       # Test each rule in turn to see whether any one of them is satisfied.
-      unless rules.any? {|rule| rule.validate?(attr_validator, options[:skip_attribute_test])}
-        raise AttributeAuthorizationError, "#{privilege} not allowed for #{user.inspect} on #{(options[:object] || options[:context]).inspect}."
+      rules.each do |rule|
+        return true if rule.validate?(attr_validator, options[:skip_attribute_test])
+      end
+
+      if options[:bang]
+        if rules.empty?
+          raise NotAuthorized, "No matching rules found for #{privilege} for #{user.inspect} " +
+            "(roles #{roles.inspect}, privileges #{privileges.inspect}, " +
+            "context #{options[:context].inspect})."
+        else
+          raise AttributeAuthorizationError, "#{privilege} not allowed for #{user.inspect} on #{(options[:object] || options[:context]).inspect}."
+        end
+      else
+        false
       end
-      true
     end
     
-    # Calls permit! but rescues the AuthorizationException and returns false
-    # instead.  If no exception is raised, permit? returns true and yields
-    # to the optional block.
-    def permit? (privilege, options = {}, &block) # :yields:
-      permit!(privilege, options)
-      yield if block_given?
-      true
-    rescue NotAuthorized
-      false
+    # Calls permit! but doesn't raise authorization errors. If no exception is
+    # raised, permit? returns true and yields  to the optional block.
+    def permit? (privilege, options = {}) # :yields:
+      if permit!(privilege, options.merge(:bang=> false))
+        yield if block_given?
+        true
+      else
+        false
+      end
     end
     
     # Returns the obligations to be met by the current user for the given 
@@ -262,7 +272,7 @@ module Authorization
     # yet.  If +dsl_file+ is given, it is passed on to Engine.new and 
     # a new instance is always created.
     def self.instance (dsl_file = nil)
-      if dsl_file or ENV['RAILS_ENV'] == 'development'
+      if dsl_file
         @@instance = new(dsl_file)
       else
         @@instance ||= new
@@ -303,30 +313,83 @@ module Authorization
       [user, roles, privileges]
     end
     
-    def flatten_roles (roles)
+    def flatten_roles (roles, flattened_roles = Set.new)
       # TODO caching?
-      flattened_roles = roles.dup.to_a
-      flattened_roles.each do |role|
-        flattened_roles.concat(@role_hierarchy[role]).uniq! if @role_hierarchy[role]
+      roles.reject {|role| flattened_roles.include?(role)}.each do |role|
+        flattened_roles << role
+        flatten_roles(role_hierarchy[role], flattened_roles) if role_hierarchy[role]
       end
+      flattened_roles.to_a
     end
     
     # Returns the privilege hierarchy flattened for given privileges in context.
-    def flatten_privileges (privileges, context = nil)
+    def flatten_privileges (privileges, context = nil, flattened_privileges = Set.new)
       # TODO caching?
       raise AuthorizationUsageError, "No context given or inferable from object" unless context
-      flattened_privileges = privileges.clone
-      flattened_privileges.each do |priv|
-        flattened_privileges.concat(@rev_priv_hierarchy[[priv, nil]]).uniq! if @rev_priv_hierarchy[[priv, nil]]
-        flattened_privileges.concat(@rev_priv_hierarchy[[priv, context]]).uniq! if @rev_priv_hierarchy[[priv, context]]
+      privileges.reject {|priv| flattened_privileges.include?(priv)}.each do |priv|
+        flattened_privileges << priv
+        flatten_privileges(rev_priv_hierarchy[[priv, nil]], context, flattened_privileges) if rev_priv_hierarchy[[priv, nil]]
+        flatten_privileges(rev_priv_hierarchy[[priv, context]], context, flattened_privileges) if rev_priv_hierarchy[[priv, context]]
       end
+      flattened_privileges.to_a
     end
     
     def matching_auth_rules (roles, privileges, context)
-      @auth_rules.select {|rule| rule.matches? roles, privileges, context}
+      auth_rules.matching(roles, privileges, context)
     end
   end
   
+
+  class AuthorizationRuleSet
+    include Enumerable
+    extend Forwardable
+    def_delegators :@rules, :each, :length, :[]
+
+    def initialize (rules = [])
+      @rules = rules.clone
+      reset!
+    end
+
+    def initialize_copy (source)
+      @rules = @rules.collect {|rule| rule.clone}
+      reset!
+    end
+
+    def matching(roles, privileges, context)
+      roles = [roles] unless roles.is_a?(Array)
+      rules = cached_auth_rules[context] || []
+      rules.select do |rule|
+        rule.matches? roles, privileges, context
+      end
+    end
+    def delete rule
+      @rules.delete rule
+      reset!
+    end
+    def << rule
+      @rules << rule
+      reset!
+    end
+    def each &block
+      @rules.each &block
+    end
+
+    private
+    def reset!
+      @cached_auth_rules =nil
+    end
+    def cached_auth_rules
+      return @cached_auth_rules if @cached_auth_rules
+      @cached_auth_rules = {}
+      @rules.each do |rule|
+        rule.contexts.each do |context|
+          @cached_auth_rules[context] ||= []
+          @cached_auth_rules[context] << rule
+        end
+      end
+      @cached_auth_rules
+    end
+  end
   class AuthorizationRule
     attr_reader :attributes, :contexts, :role, :privileges, :join_operator,
         :source_file, :source_line

data/lib/declarative_authorization/in_controller.rb

@@ -42,35 +42,19 @@ module Authorization
     # If no object or context is specified, the controller_name is used as
     # context.
     #
-    def permitted_to? (privilege, object_or_sym = nil, options = {}, &block)
-      permitted_to!(privilege, object_or_sym, options.merge(:non_bang => true), &block)
+    def permitted_to? (privilege, object_or_sym = nil, options = {})
+      if authorization_engine.permit!(privilege, options_for_permit(object_or_sym, options, false))
+        yield if block_given?
+        true
+      else
+        false
+      end
     end
     
     # Works similar to the permitted_to? method, but
     # throws the authorization exceptions, just like Engine#permit!
-    def permitted_to! (privilege, object_or_sym = nil, options = {}, &block)
-      context = object = nil
-      if object_or_sym.nil?
-        context = self.class.decl_auth_context
-      elsif !object_or_sym.respond_to?(:proxy_reflection) and object_or_sym.is_a?(Symbol)
-        context = object_or_sym
-      else
-        object = object_or_sym
-      end
-
-      non_bang = options.delete(:non_bang)
-      args = [
-        privilege,
-        {:user => current_user,
-         :object => object,
-         :context => context,
-         :skip_attribute_test => object.nil?}.merge(options)
-      ]
-      if non_bang
-        authorization_engine.permit?(*args, &block)
-      else
-        authorization_engine.permit!(*args, &block)
-      end
+    def permitted_to! (privilege, object_or_sym = nil, options = {})
+      authorization_engine.permit!(privilege, options_for_permit(object_or_sym, options, true))
     end
 
     # While permitted_to? is used for authorization, in some cases
@@ -182,6 +166,23 @@ module Authorization
       instance_variable_set(instance_var, model_or_proxy.new)
     end
 
+    def options_for_permit (object_or_sym = nil, options = {}, bang = true)
+      context = object = nil
+      if object_or_sym.nil?
+        context = self.class.decl_auth_context
+      elsif !object_or_sym.respond_to?(:proxy_reflection) and object_or_sym.is_a?(Symbol)
+        context = object_or_sym
+      else
+        object = object_or_sym
+      end
+
+      {:user => current_user,
+        :object => object,
+        :context => context,
+        :skip_attribute_test => object.nil?,
+        :bang => bang}.merge(options)
+    end
+
     module ClassMethods
       #
       # Defines a filter to be applied according to the authorization of the

data/lib/declarative_authorization/reader.rb

@@ -59,6 +59,11 @@ module Authorization
         @auth_rules_reader = AuthorizationRulesReader.new
       end
 
+      def initialize_copy (from) # :nodoc:
+        @privileges_reader = from.privileges_reader.clone
+        @auth_rules_reader = from.auth_rules_reader.clone
+      end
+
       # ensures you get back a DSLReader
       # if you provide a:
       #   DSLReader - you will get it back.
@@ -84,17 +89,25 @@ module Authorization
         raise DSLSyntaxError, "Illegal DSL syntax: #{e}"
       end
 
-      # Loads and parses a DSL from the given file name.
+      # Load and parse a DSL from the given file name.
+      def load (dsl_file)
+        parse(File.read(dsl_file), dsl_file) if File.exist?(dsl_file)
+      end
+
+      # Load and parse a DSL from the given file name. Raises Authorization::Reader::DSLFileNotFoundError
+      # if the file cannot be found.
+      def load! (dsl_file)
+        raise ::Authorization::Reader::DSLFileNotFoundError, "Error reading authorization rules file with path '#{dsl_file}'!  Please ensure it exists and that it is accessible." unless File.exist?(dsl_file)
+        load(dsl_file)
+      end
+
+      # Loads and parses DSL files and returns a new reader
       def self.load (dsl_files)
         # TODO cache reader in production mode?
         reader = new
         dsl_files = [dsl_files].flatten
         dsl_files.each do |file|
-          begin
-            reader.parse(File.read(file), file)
-          rescue SystemCallError
-            raise ::Authorization::Reader::DSLFileNotFoundError, "Error reading authorization rules file with path '#{file}'!  Please ensure it exists and that it is accessible."
-          end
+          reader.load(file)
         end
         reader
       end
@@ -133,6 +146,11 @@ module Authorization
         @privilege_hierarchy = {}
       end
 
+      def initialize_copy (from) # :nodoc:
+        @privileges = from.privileges.clone
+        @privilege_hierarchy = from.privilege_hierarchy.clone
+      end
+
       def append_privilege (priv) # :nodoc:
         @privileges << priv unless @privileges.include?(priv)
       end
@@ -182,7 +200,14 @@ module Authorization
         @role_hierarchy = {}
         @role_titles = {}
         @role_descriptions = {}
-        @auth_rules = []
+        @auth_rules = AuthorizationRuleSet.new
+      end
+
+      def initialize_copy (from) # :nodoc:
+        [:roles, :role_hierarchy, :auth_rules,
+            :role_descriptions, :role_titles, :omnipotent_roles].each do |attribute|
+          instance_variable_set(:"@#{attribute}", from.send(attribute).clone)
+        end
       end
 
       def append_role (role, options = {}) # :nodoc:

data/lib/tasks/authorization_tasks.rake

@@ -23,8 +23,15 @@ namespace :auth do
       end
       all += contr_perms.reject {|cp| cp[0].nil?}.collect {|cp| cp[0..1]}
     end
-    
-    model_files = `grep -l "^[[:space:]]*using_access_control" #{RAILS_ROOT}/app/models/*.rb`.split("\n")
+
+    model_all = `grep -l "Base\.using_access_control" #{RAILS_ROOT}/config/*.rb #{RAILS_ROOT}/config/initializers/*.rb`.split("\n")
+    if model_all.count > 0
+      model_files = Dir.glob( "#{RAILS_ROOT}/app/models/*.rb").reject do |item|
+        item.match(/_observer\.rb/)
+      end
+    else
+      model_files = `grep -l "^[[:space:]]*using_access_control" #{RAILS_ROOT}/app/models/*.rb`.split("\n")
+    end
     models_with_ac = model_files.collect {|mf| mf.sub(/^.*\//, "").sub(".rb", "").tableize.to_sym}
     model_security_privs = [:create, :read, :update, :delete]
     models_with_ac.each {|m| perms += model_security_privs.collect{|msp| [msp, m]}}
@@ -60,7 +67,7 @@ namespace :auth do
         privilege ||= :read
       end
       if privilege.nil? or context.nil?
-        puts "Could not handle: #{ptu}"
+        puts "Could not handle: #{wpt}"
       else
         perms << [privilege, context]
       end

data/test/authorization_test.rb

@@ -1095,10 +1095,10 @@ class AuthorizationTest < Test::Unit::TestCase
 
     engine = Authorization::Engine.new(reader)
     cloned_engine = engine.clone
-    assert_not_equal engine.auth_rules[0].contexts.object_id,
-        cloned_engine.auth_rules[0].contexts.object_id
-    assert_not_equal engine.auth_rules[0].attributes[0].send(:instance_variable_get, :@conditions_hash)[:attr].object_id,
-        cloned_engine.auth_rules[0].attributes[0].send(:instance_variable_get, :@conditions_hash)[:attr].object_id
+    assert_not_equal engine.auth_rules.first.contexts.object_id,
+        cloned_engine.auth_rules.first.contexts.object_id
+    assert_not_equal engine.auth_rules.first.attributes.first.send(:instance_variable_get, :@conditions_hash)[:attr].object_id,
+        cloned_engine.auth_rules.first.attributes.first.send(:instance_variable_get, :@conditions_hash)[:attr].object_id
   end
 end
 

data/test/dsl_reader_test.rb

@@ -171,7 +171,7 @@ class DSLReaderTest < Test::Unit::TestCase
 
   def test_load_file_not_found
     assert_raise(Authorization::Reader::DSLFileNotFoundError) do
-      Authorization::Reader::DSLReader.load("nonexistent_file.rb")
+      Authorization::Reader::DSLReader.new.load!("nonexistent_file.rb")
     end
   end
 end

metadata

@@ -5,8 +5,8 @@ version: !ruby/object:Gem::Version
   segments: 
   - 0
   - 5
-  - 3
-  version: 0.5.3
+  - 4
+  version: 0.5.4
 platform: ruby
 authors: 
 - Steffen Bartsch
@@ -14,7 +14,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-05-25 00:00:00 +02:00
+date: 2011-11-30 00:00:00 +01:00
 default_executable: 
 dependencies: []