declarative_authorization 0.4.1 → 0.5

data/CHANGELOG

@@ -1,3 +1,18 @@
+
+** RELEASE 0.5 (July 21, 2010) **
+
+* Ruby 1.9.2 compatibility [sb]
+
+* Comparisons in authorization roles: lt, lte, gt, gte [aepstein,hollownest]
+
+* DSL optimization: allow array being passed to to 
+
+* Omnipotent roles [timcharper]
+
+* Meaningful error in case of missing authorization rules file [timcharper]
+
+* Rails 3 support [sb]
+
 * Support shallow nested resources [jjb]
 
 * Allow multiple authorization rules files [kaichen]

data/README.rdoc

@@ -277,8 +277,9 @@ Privilege hierarchies may be context-specific, e.g. applicable to :employees.
       privilege :manage, :employees, :includes => :increase_salary
     end
 
-For more complex use cases, authorizations need to be based on attributes.  E.g.
-if a branch admin should manage only employees of his branch (see 
+For more complex use cases, authorizations need to be based on attributes.  Note 
+that you then also need to set :attribute_check => true in controllers for filter_access_to.
+E.g. if a branch admin should manage only employees of his branch (see 
 Authorization::Reader in the API docs for a full list of available operators):
 
     authorization do
@@ -379,7 +380,7 @@ Then,
 
 == Providing the Plugin's Requirements
 The requirements are
-* Rails >= 2.1 and Ruby >= 1.8.6, including 1.9
+* Rails >= 2.2, including 3 and Ruby >= 1.8.6, including 1.9
 * An authentication mechanism 
 * A user object returned by Controller#current_user
 * An array of role symbols returned by User#role_symbols
@@ -490,10 +491,10 @@ sbartsch at tzi.org
 
 = Contributors
 
-Thanks to John Joseph Bachir, Eike Carls, Kai Chen, Erik Dahlstrand,
-Jeroen van Dijk, Sebastian Dyck, Jeremy Friesen, Daniel Kristensen, Brian Langenfeld,
-Georg Ledermann, Geoff Longman, Olly Lylo, Mark Mansour, Thomas Maurer,
-Mike Vincent
+Thanks to John Joseph Bachir, Eike Carls, Kai Chen, Erik Dahlstrand, Jeroen van Dijk,
+Alexander Dobriakov, Sebastian Dyck, Ari Epstein, Jeremy Friesen, Tim Harper, hollownest,
+Daniel Kristensen, Brian Langenfeld, Georg Ledermann, Geoff Longman, Olly Lylo, Mark Mansour,
+Thomas Maurer, TJ Singleton, Mike Vincent
 
 
 = Licence

data/Rakefile

@@ -33,11 +33,3 @@ desc "clone the garlic repo (for running ci tasks)"
 task :get_garlic do
   sh "git clone git://github.com/ianwhite/garlic.git garlic"
 end
-
-desc "Expand filelist in src gemspec"
-task :build_gemspec do
-  gemspec_data = File.read("declarative_authorization.gemspec.src")
-  gemspec_data.gsub!(/\.files = (.*)/) {|m| ".files = #{eval($1).inspect}"}
-  File.open("declarative_authorization.gemspec", "w") {|f| f.write(gemspec_data)}
-end
-

data/app/controllers/authorization_rules_controller.rb

@@ -18,7 +18,7 @@ class AuthorizationRulesController < ApplicationController
   def index
     respond_to do |format|
       format.html do
-        @auth_rules_script = File.read("#{RAILS_ROOT}/config/authorization_rules.rb")
+        @auth_rules_script = File.read("#{::Rails.root}/config/authorization_rules.rb")
       end
     end
   end

data/app/helpers/authorization_rules_helper.rb

@@ -36,14 +36,14 @@ module AuthorizationRulesHelper
       note = %Q{<span class="note" title="#{h text}">[i]</span>}
       marked_up_by_line[line - 1] = note + marked_up_by_line[line - 1]
     end
-    marked_up_by_line * "\n"
+    (marked_up_by_line * "\n").html_safe
   end
-  
+
   def link_to_graph (title, options = {})
     type = options[:type] || ''
     link_to_function title, "$$('object')[0].data = '#{url_for :action => 'index', :format => 'svg', :type => type}'"
   end
-  
+
   def navigation
     link_to("Rules", authorization_rules_path) << ' | ' <<
     link_to("Change Support", change_authorization_rules_path) << ' | ' <<

data/config/routes.rb

@@ -1,6 +1,9 @@
-ActionController::Routing::Routes.draw do |map|
+# Rails 3 depreciates ActionController::Routing::Routes 
+routes = (Rails.respond_to?(:application) ? Rails.application.routes : ActionController::Routing::Routes)
+
+routes.draw do |map|
   if Authorization::activate_authorization_rules_browser?
-    map.resources :authorization_rules, :only => [:index], 
+    map.resources :authorization_rules, :only => [:index],
         :collection => {:graph => :get, :change => :get, :suggest_change => :get}
     map.resources :authorization_usages, :only => :index
   end

data/lib/declarative_authorization.rb

@@ -9,6 +9,8 @@ if Rails::VERSION::STRING < min_rails_version
   raise "declarative_authorization requires Rails #{min_rails_version}.  You are using #{Rails::VERSION::STRING}."
 end
 
+require File.join(%w{declarative_authorization railsengine}) if defined?(::Rails::Engine)
+
 ActionController::Base.send :include, Authorization::AuthorizationInController
 ActionController::Base.helper Authorization::AuthorizationHelper
 

data/lib/declarative_authorization/authorization.rb

@@ -20,7 +20,7 @@ module Authorization
   # The exception is raised to ensure that the entire rule is invalidated.
   class NilAttributeValueError < AuthorizationError; end
   
-  AUTH_DSL_FILES = ["#{RAILS_ROOT}/config/authorization_rules.rb"] unless defined? AUTH_DSL_FILES
+  AUTH_DSL_FILES = [(Rails.root || Pathname.new('')).join("config", "authorization_rules.rb").to_s] unless defined? AUTH_DSL_FILES
   
   # Controller-independent method for retrieving the current user.
   # Needed for model security where the current controller is not available.
@@ -40,7 +40,7 @@ module Authorization
   end
 
   def self.activate_authorization_rules_browser? # :nodoc:
-    ::RAILS_ENV == 'development'
+    ::Rails.env.development?
   end
 
   @@dot_path = "dot"
@@ -57,7 +57,7 @@ module Authorization
   # a certain privilege is granted for the current user.
   #
   class Engine
-    attr_reader :roles, :role_titles, :role_descriptions, :privileges,
+    attr_reader :roles, :omnipotent_roles, :role_titles, :role_descriptions, :privileges,
       :privilege_hierarchy, :auth_rules, :role_hierarchy, :rev_priv_hierarchy,
       :rev_role_hierarchy
     
@@ -65,20 +65,14 @@ module Authorization
     # authorization configuration of +AUTH_DSL_FILES+.  If given, may be either
     # a Reader object or a path to a configuration file.
     def initialize (reader = nil)
-      if reader.nil?
-        begin
-          reader = Reader::DSLReader.load(AUTH_DSL_FILES)
-        rescue SystemCallError
-          reader = Reader::DSLReader.new
-        end
-      elsif reader.is_a?(String)
-        reader = Reader::DSLReader.load(reader)
-      end
+      reader = Reader::DSLReader.factory(reader || AUTH_DSL_FILES)
+
       @privileges = reader.privileges_reader.privileges
       # {priv => [[priv, ctx],...]}
       @privilege_hierarchy = reader.privileges_reader.privilege_hierarchy
       @auth_rules = reader.auth_rules_reader.auth_rules
       @roles = reader.auth_rules_reader.roles
+      @omnipotent_roles = reader.auth_rules_reader.omnipotent_roles
       @role_hierarchy = reader.auth_rules_reader.role_hierarchy
 
       @role_titles = reader.auth_rules_reader.role_titles
@@ -160,6 +154,8 @@ module Authorization
       
       user, roles, privileges = user_roles_privleges_from_options(privilege, options)
 
+      return true if roles.is_a?(Array) and not (roles & @omnipotent_roles).empty?
+
       # find a authorization rule that matches for at least one of the roles and 
       # at least one of the given privileges
       attr_validator = AttributeValidator.new(self, user, options[:object], privilege, options[:context])
@@ -477,6 +473,14 @@ module Authorization
                   "subclass of Enumerable as value, got: #{attr_value.inspect} " +
                   "is_not_in #{evaluated.inspect}: #{e}"
             end
+          when :lt
+            attr_value && attr_value < evaluated
+          when :lte
+            attr_value && attr_value <= evaluated
+          when :gt
+            attr_value && attr_value > evaluated
+          when :gte
+            attr_value && attr_value >= evaluated
           else
             raise AuthorizationError, "Unknown operator #{value[0]}"
           end
@@ -521,8 +525,9 @@ module Authorization
       begin
         object.send(attr)
       rescue ArgumentError, NoMethodError => e
-        raise AuthorizationUsageError, "Error when calling #{attr} on " +
-         "#{object.inspect} for validating attribute: #{e}"
+        raise AuthorizationUsageError, "Error occurred while validating attribute ##{attr} on #{object.inspect}: #{e}.\n" +
+          "Please check your authorization rules and ensure the attribute is correctly spelled and \n" +
+          "corresponds to a method on the model you are authorizing for."
       end
     end
 
@@ -679,3 +684,4 @@ module Authorization
     end
   end
 end
+

data/lib/declarative_authorization/in_controller.rb

@@ -112,7 +112,7 @@ module Authorization
                   else
                     !DEFAULT_DENY
                   end
-      rescue AuthorizationError => e
+      rescue NotAuthorized => e
         auth_exception = e
       end
 
@@ -274,10 +274,7 @@ module Authorization
         context = options[:context]
         actions = args.flatten
 
-        # collect permits in controller array for use in one before_filter
-        unless filter_chain.any? {|filter| filter.method == :filter_access_filter}
-          before_filter :filter_access_filter
-        end
+        before_filter :filter_access_filter
         
         filter_access_permissions.each do |perm|
           perm.remove_actions(actions)

data/lib/declarative_authorization/in_model.rb

@@ -69,11 +69,12 @@ module Authorization
           }.merge(options)
           engine = options[:engine] || Authorization::Engine.instance
 
-          scope = ObligationScope.new( options[:model], {} )
+          obligation_scope = ObligationScope.new( options[:model], {} )
           engine.obligations( privileges, :user => options[:user], :context => options[:context] ).each do |obligation|
-            scope.parse!( obligation )
+            obligation_scope.parse!( obligation )
           end
-          scope
+
+          obligation_scope.scope
         end
 
         # Named scope for limiting query results according to the authorization
@@ -132,15 +133,17 @@ module Authorization
                   :object => object, :context => options[:context])
               end
             end
-
-            # after_find is only called if after_find is implemented
-            after_find do |object|
-              Authorization::Engine.instance.permit!(:read, :object => object,
-                :context => options[:context])
-            end
             
             if options[:include_read]
-              def after_find; end
+              # after_find is only called if after_find is implemented
+              after_find do |object|
+                Authorization::Engine.instance.permit!(:read, :object => object,
+                  :context => options[:context])
+              end
+
+              if Rails.version < "3"
+                def after_find; end
+              end
             end
 
             def self.using_access_control?

data/lib/declarative_authorization/maintenance.rb

@@ -55,9 +55,9 @@ module Authorization
       def self.usages_by_controller
         # load each application controller
         begin
-          Dir.foreach(File.join(RAILS_ROOT, %w{app controllers})) do |entry|
+          Dir.foreach(File.join(::Rails.root, %w{app controllers})) do |entry|
             if entry =~ /^\w+_controller\.rb$/
-              require File.join(RAILS_ROOT, %w{app controllers}, entry)
+              require File.join(::Rails.root, %w{app controllers}, entry)
             end
           end
         rescue Errno::ENOENT
@@ -78,7 +78,7 @@ module Authorization
             end
           end
 
-          actions = controller.public_instance_methods(false) - controller.hidden_actions
+          actions = controller.public_instance_methods(false) - controller.hidden_actions.to_a
           memo[controller] = actions.inject({}) do |actions_memo, action|
             action_sym = action.to_sym
             actions_memo[action_sym] =
@@ -171,7 +171,7 @@ module Authorization
     
     def request_with (user, method, xhr, action, params = {}, 
         session = {}, flash = {})
-      session = session.merge({:user => user, :user_id => user.id})
+      session = session.merge({:user => user, :user_id => user && user.id})
       with_user(user) do
         if xhr
           xhr method, action, params, session, flash

data/lib/declarative_authorization/obligation_scope.rb

@@ -33,6 +33,7 @@ module Authorization
   #   [ :attr, :is, <user.id> ]
   # ]+
   #
+  # TODO update doc for Relations:
   # After successfully parsing an obligation, all of the stored paths and conditions are converted
   # into scope options (stored in +proxy_options+ as +:joins+ and +:conditions+).  The resulting
   # scope may then be used to find all scoped objects for which at least one of the parsed
@@ -41,8 +42,25 @@ module Authorization
   # +@proxy_options[:joins] = { :bar => { :baz => :foo } }
   # @proxy_options[:conditions] = [ 'foos_bazzes.attr = :foos_bazzes__id_0', { :foos_bazzes__id_0 => 1 } ]+
   #
-  class ObligationScope < ActiveRecord::NamedScope::Scope
-    
+  class ObligationScope < (Rails.version < "3" ? ActiveRecord::NamedScope::Scope : ActiveRecord::Relation)
+    def initialize (model, options)
+      @finder_options = {}
+      if Rails.version < "3"
+        super(model, options)
+      else
+	super(model, model.table_name)
+      end
+    end
+
+    def scope
+      if Rails.version < "3"
+        self
+      else
+        # for Rails < 3: scope, after setting proxy_options
+        self.klass.scoped(@finder_options)
+      end
+    end
+
     # Consumes the given obligation, converting it into scope join and condition options.
     def parse!( obligation )
       @current_obligation = obligation
@@ -79,6 +97,18 @@ module Authorization
         raise "invalid obligation path #{[past_steps, steps].inspect}"
       end
     end
+
+    def top_level_model
+      if Rails.version < "3"
+        @proxy_scope
+      else
+        self.klass
+      end
+    end
+
+    def finder_options
+      Rails.version < "3" ? @proxy_options : @finder_options
+    end
     
     # At the end of every association path, we expect to see a comparison of some kind; for
     # example, +:attr => [ :is, :value ]+.
@@ -135,7 +165,7 @@ module Authorization
     def map_reflection_for( path )
       raise "reflection for #{path.inspect} already exists" unless reflections[path].nil?
 
-      reflection = path.empty? ? @proxy_scope : begin
+      reflection = path.empty? ? top_level_model : begin
         parent = reflection_for( path[0..-2] )
         if !parent.respond_to?(:proxy_reflection) and parent.respond_to?(:klass)
           parent.klass.reflect_on_association( path.last )
@@ -151,7 +181,8 @@ module Authorization
       map_table_alias_for( path )  # Claim a table alias for the path.
 
       # Claim alias for join table
-      if !reflection.respond_to?(:proxy_scope) and reflection.is_a?(ActiveRecord::Reflection::ThroughReflection)
+      # TODO change how this is checked
+      if !reflection.respond_to?(:proxy_reflection) and !reflection.respond_to?(:proxy_scope) and reflection.is_a?(ActiveRecord::Reflection::ThroughReflection)
         join_table_path = path[0..-2] + [reflection.options[:through]]
         reflection_for(join_table_path, true)
       end
@@ -209,7 +240,7 @@ module Authorization
         conditions.each do |path, expressions|
           model = model_for( path )
           table_alias = table_alias_for(path)
-          parent_model = (path.length > 1 ? model_for(path[0..-2]) : @proxy_scope)
+          parent_model = (path.length > 1 ? model_for(path[0..-2]) : top_level_model)
           expressions.each do |expression|
             attribute, operator, value = expression
             # prevent unnecessary joins:
@@ -227,7 +258,8 @@ module Authorization
             end
             bindvar = "#{attribute_table_alias}__#{attribute_name}_#{obligation_index}".to_sym
 
-            sql_attribute = "#{connection.quote_table_name(attribute_table_alias)}.#{connection.quote_table_name(attribute_name)}"
+            sql_attribute = "#{parent_model.connection.quote_table_name(attribute_table_alias)}." +
+                "#{parent_model.connection.quote_table_name(attribute_name)}"
             if value.nil? and [:is, :is_not].include?(operator)
               obligation_conds << "#{sql_attribute} IS #{[:contains, :is].include?(operator) ? '' : 'NOT '}NULL"
             else
@@ -236,6 +268,10 @@ module Authorization
                                    when :does_not_contain, :is_not then "<> :#{bindvar}"
                                    when :is_in, :intersects_with   then "IN (:#{bindvar})"
                                    when :is_not_in                 then "NOT IN (:#{bindvar})"
+                                   when :lt                        then "< :#{bindvar}"
+                                   when :lte                       then "<= :#{bindvar}"
+                                   when :gt                        then "> :#{bindvar}"
+                                   when :gte                       then ">= :#{bindvar}"
                                    else raise AuthorizationUsageError, "Unknown operator: #{operator}"
                                    end
               obligation_conds << "#{sql_attribute} #{attribute_operator}"
@@ -247,7 +283,8 @@ module Authorization
         conds << "(#{obligation_conds.join(' AND ')})"
       end
       (delete_paths - used_paths).each {|path| reflections.delete(path)}
-      @proxy_options[:conditions] = [ conds.join( " OR " ), binds ]
+
+      finder_options[:conditions] = [ conds.join( " OR " ), binds ]
     end
 
     def attribute_value (value)
@@ -259,7 +296,7 @@ module Authorization
     # Parses all of the defined obligation joins and defines the scope's :joins or :includes option.
     # TODO: Support non-linear association paths.  Right now, we just break down the longest path parsed.
     def rebuild_join_options!
-      joins = (@proxy_options[:joins] || []) + (@proxy_options[:includes] || [])
+      joins = (finder_options[:joins] || []) + (finder_options[:includes] || [])
 
       reflections.keys.each do |path|
         next if path.empty? or @join_table_joins.include?(path)
@@ -283,11 +320,11 @@ module Authorization
       when 0 then
         # No obligation conditions means we don't have to mess with joins or includes at all.
       when 1 then
-        @proxy_options[:joins] = joins
-        @proxy_options.delete( :include )
+        finder_options[:joins] = joins
+        finder_options.delete( :include )
       else
-        @proxy_options.delete( :joins )
-        @proxy_options[:include] = joins
+        finder_options.delete( :joins )
+        finder_options[:include] = joins
       end
     end
 
@@ -313,4 +350,5 @@ module Authorization
       end
     end
   end
-end
+end
+

data/lib/declarative_authorization/rails_legacy.rb

@@ -11,4 +11,12 @@ class Hash
       end
     end
   end
-end
+end
+
+class String
+  unless "".respond_to?(:html_safe)
+    def html_safe
+      self
+    end
+  end
+end