effective_roles 1.5.1 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 3f7ade13d344604fbc2373ac6b02ed8e0d478d90
-  data.tar.gz: 356f03271e88bcbaf3e094d3ea8aebf5b228c0f7
+SHA256:
+  metadata.gz: c2e79ad753b38bbae083f785fe11328f944bdd41c2470751c9ab0e34249f35cc
+  data.tar.gz: 5846cd1d6ae353411d97e89b73e0fb97582a27a5a00a8272e2d3391a7a924287
 SHA512:
-  metadata.gz: a6295fa39e152391c565f2f81b078461d07ecd3dea8baeee3b3067446ac7f5bff819062e39b536ec3eeaa7d463545db74d9e2f4d17a6b979e5fc820a2f97faa8
-  data.tar.gz: 51e998f237d577534114355bb834a2611d8b809685054a7baf76101a5a7ea2f5fcadc3b96a21df6fde89577b24af4b7af8b24a4c1d5ec9ce514188c9540fe5c5
+  metadata.gz: 57c6dcaa1b1454f20f6ef6f813d9eb25fee44921cdec96b22c37e171ee8d8d52617d009fbc392847914079018c35f962b7579eb61fb99b89dbc51042f3c1fedb
+  data.tar.gz: 5bb3f94bce4141aa78a04968e1652824386c2dd2d9c0d1ef4af9d7db5087afdb4e084afaec10d97ac371a8a5ffb63c85002f4d1e9c7133a98763fc1cc412d0c4

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright 2018 Code and Effect Inc.
+Copyright 2019 Code and Effect Inc.
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.md

@@ -41,7 +41,8 @@ Add the mixin to an existing model:
 
 ```ruby
 class Post
-  acts_as_role_restricted
+  acts_as_role_restricted                  # Singular role, use radio buttons
+  acts_as_role_restricted multiple: true   # Multiple roles. use check boxes
 end
 ```
 
@@ -153,19 +154,15 @@ See the initializers/effective_roles.rb for more information.
   }
 ```
 
-When used in a Form Helper (see below), only the appropriate roles will be displayed.
+When using assignable roles, you must assign the acts_as_role_restricted resource a `current_user` when saving changes to the roles or roles mask:
 
-However, this restriction is not enforced on the controller level, so someone could inspect & re-write the form parameters and still assign a role that they are not allowed to.
+You can do this in one of three ways:
 
-To prevent this, add something like the following code to your controller:
+1. Setting resource.current_user = current_user in your controller directly.
+2. Add `before_action :set_effective_roles_current_user` to your ApplicationController
+3. Using `Effective::CrudController` to do this automatically.
 
-```ruby
-before_filter :only => [:create, :update] do
-  if params[:user] && params[:user][:roles]
-    params[:user][:roles] = params[:user][:roles] & EffectiveRoles.assignable_roles_for(current_user, User.new()).map(&:to_s)
-  end
-end
-```
+This restriction is only applied when running within the rails server. Not on rails console or db:seeds.
 
 ## Form Helper
 
@@ -173,6 +170,8 @@ If you pass current_user (or any acts_as_role_restricted object) into these help
 
 ### effective_form_with
 
+Depending on your `acts_as_role_restricted multiple: ` value:
+
 ```ruby
 effective_form_with(model: @user) do |f|
   = f.checks :roles, EffectiveRoles.roles_collection(f.object, current_user)
@@ -187,12 +186,12 @@ effective_form_with(model: @user) do |f|
 
 ```ruby
 simple_form_for @user do |f|
-  = f.input :roles, collection: EffectiveRoles.roles_collection(f.object), as: :check_boxes
+  = f.input :roles, collection: EffectiveRoles.roles_collection(f.object, current_user), as: :check_boxes
 ```
 
 ```ruby
 simple_form_for @user do |f|
-  = f.input :roles, collection: EffectiveRoles.roles_collection(f.object, current_user), as: :check_boxes
+  = f.input :roles, collection: EffectiveRoles.roles_collection(f.object, current_user), as: :radio_buttons
 ```
 
 ### Strong Parameters

data/app/models/concerns/acts_as_role_restricted.rb

@@ -6,25 +6,48 @@
 #
 # Mark your model with 'acts_as_role_restricted'
 #
-# and create the migration
+# and create the migration to add the following field:
 #
-# structure do
-#    roles_mask              :integer, :default => 0
-# end
+# roles_mask :integer
 #
 
 module ActsAsRoleRestricted
   extend ActiveSupport::Concern
 
   module ActiveRecord
-    def acts_as_role_restricted(*options)
-      @acts_as_role_restricted_opts = options || []
+    def acts_as_role_restricted(multiple: false)
+      @acts_as_role_restricted_opts = { multiple: multiple }
       include ::ActsAsRoleRestricted
     end
   end
 
   included do
-    validates :roles_mask, :numericality => true, :allow_nil => true
+    attr_accessor(:current_user) unless respond_to?(:current_user)
+
+    acts_as_role_restricted_options = @acts_as_role_restricted_opts.dup
+    self.send(:define_method, :acts_as_role_restricted_options) { acts_as_role_restricted_options }
+
+    validates :roles_mask, numericality: true, allow_nil: true
+
+    validate(if: -> { changes.include?(:roles_mask) }) do
+      user = current_user || EffectiveRoles.current_user || (EffectiveLogging.current_user if defined?(EffectiveLogging))
+
+      if user.blank? && EffectiveRoles.assignable_roles.present? && defined?(Rails::Server)
+        self.errors.add(:roles, 'current_user must be present when assigning roles')
+      end
+
+      roles_was = EffectiveRoles.roles_for(changes[:roles_mask].first)
+      changed = (roles + roles_was) - (roles & roles_was)  # XOR
+
+      assignable = EffectiveRoles.assignable_roles_collection(self, user) # Returns all roles when user is blank
+      unauthorized = changed - assignable
+
+      authorized = roles.dup
+      unauthorized.each { |role| authorized.include?(role) ? authorized.delete(role) : authorized.push(role) }
+
+      self.roles_mask = EffectiveRoles.roles_mask_for(authorized)
+    end
+
   end
 
   module ClassMethods
@@ -45,16 +68,15 @@ module ActsAsRoleRestricted
 
     def with_role_sql(*roles)
       roles = roles.flatten.compact
-      roles = roles.first.try(:roles) if roles.length == 1 and roles.first.respond_to?(:roles)
-
+      roles = roles.first.roles if roles.length == 1 && roles.first.respond_to?(:roles)
       roles = (roles.map { |role| role.to_sym } & EffectiveRoles.roles)
+
       roles.map { |role| "(#{self.table_name}.roles_mask & %d > 0)" % 2**EffectiveRoles.roles.index(role) }.join(' OR ')
     end
 
     def without_role(*roles)
       roles = roles.flatten.compact
-      roles = roles.first.try(:roles) if roles.length == 1 and roles.first.respond_to?(:roles)
-
+      roles = roles.first.roles if roles.length == 1 && roles.first.respond_to?(:roles)
       roles = (roles.map { |role| role.to_sym } & EffectiveRoles.roles)
 
       where(
@@ -64,11 +86,11 @@ module ActsAsRoleRestricted
   end
 
   def roles=(roles)
-    self.roles_mask = (Array(roles).flatten.map(&:to_sym) & EffectiveRoles.roles).map { |r| 2**EffectiveRoles.roles.index(r) }.sum
+    self.roles_mask = EffectiveRoles.roles_mask_for(roles)
   end
 
   def roles
-    EffectiveRoles.roles.reject { |r| ((roles_mask || 0) & 2**EffectiveRoles.roles.index(r)).zero? }
+    EffectiveRoles.roles_for(roles_mask)
   end
 
   # if user.is? :admin

data/config/effective_roles.rb

@@ -1,5 +1,5 @@
 EffectiveRoles.setup do |config|
-  config.roles = [:superadmin, :admin, :member] # Only add to the end of this array.  Never prepend roles.
+  config.roles = [:superadmin, :admin, :member] # Only add to the end of this array. Never prepend roles.
 
   # config.role_descriptions
   # ========================
@@ -34,6 +34,13 @@ EffectiveRoles.setup do |config|
   # When current_user is passed into a form helper function (see README.md)
   # this setting determines which roles that current_user may assign
   #
+  # you must assign current_user to all acts_as_role_restricted resources when saving changes to the roles or roles_mask.
+  #
+  # You should probably do this in your controller by one of the following methods:
+  # 1.) Setting resource.current_user = current_user directly.
+  # 2.) Using before_action :set_effective_roles_current_user
+  # 3.) Using Effective::CrudController does this automatically.
+  #
   # Use this Hash syntax if you want different permissions depending on the resource being editted
   #
   # config.assignable_roles = {
@@ -56,30 +63,6 @@ EffectiveRoles.setup do |config|
   #   :member => []                                  # Members may not assign any roles
   # }
 
-  # config.disabled_roles
-  # Which roles should be displayed as disabled
-  # =========================
-  # Sometimes you don't want a role to be assignable (see README.md)
-  # So that you can overload it yourself and assingn the role programatically
-  #
-  # Use this Hash syntax if you want different permissions depending on the resource being editted
-  #
-  # config.disabled_roles = {
-  #   'User' => [:member]               # When editing a User object, will be unable to assign the member role
-  #   'Page' => [:superadmin, :admin]   # When editing a Page object, will be unable to assign superadmin, admin role
-  # }
-  #
-  # Or just keep it simple, and use this Array syntax of permissions for every resource
-  #
-  # config.disabled_roles = [:member]
-  #
-  # or
-  #
-  # config.disabled_roles = {
-  #   'User' => [:member]
-  # }
-
-
   # Authorization Method
   #
   # This doesn't have anything to do with the roles themselves.

data/lib/effective_roles.rb

@@ -4,12 +4,9 @@ require 'effective_roles/version'
 module EffectiveRoles
   mattr_accessor :roles
   mattr_accessor :role_descriptions
-
-  mattr_accessor :layout
-
   mattr_accessor :assignable_roles
-  mattr_accessor :disabled_roles
 
+  mattr_accessor :layout
   mattr_accessor :authorization_method
 
   def self.setup
@@ -37,6 +34,15 @@ module EffectiveRoles
     raise Effective::AccessDenied unless authorized?(controller, action, resource)
   end
 
+  # This is set by the "set_effective_roles_current_user" before_filter.
+  def self.current_user=(user)
+    @effective_roles_current_user = user
+  end
+
+  def self.current_user
+    @effective_roles_current_user
+  end
+
   # This method converts whatever is given into its roles
   # Pass an object, Integer, or Symbol to find corresponding role
   def self.roles_for(obj)
@@ -48,38 +54,67 @@ module EffectiveRoles
       [roles.find { |role| role == obj }].compact
     elsif obj.kind_of?(String)
       [roles.find { |role| role == obj.to_sym }].compact
+    elsif obj.kind_of?(Array)
+      obj.map { |obj| roles_for(obj) }.flatten.compact
     elsif obj.nil?
       []
     else
-      raise 'unsupported object passed to EffectiveRoles.roles_for method.  Expecting an acts_as_role_restricted object or a roles_mask integer'
+      raise 'unsupported object passed to EffectiveRoles.roles_for method. Expecting an acts_as_role_restricted object or a roles_mask integer'
     end
   end
 
   # EffectiveRoles.roles_mask_for(:admin, :member)
   def self.roles_mask_for(*roles)
-    (Array(roles).flatten.map(&:to_sym) & EffectiveRoles.roles).map { |r| 2**EffectiveRoles.roles.index(r) }.sum
+    roles_for(roles).map { |r| 2**EffectiveRoles.roles.index(r) }.sum
   end
 
-  def self.roles_collection(obj = nil, user = nil)
-    assignable_roles_for(user, obj).map do |role|
+  def self.roles_collection(resource, current_user = nil, only: nil, except: nil, multiple: nil)
+    if assignable_roles.present?
+      raise('expected object to respond to is_role_restricted?') unless resource.respond_to?(:is_role_restricted?)
+      raise('expected current_user to respond to is_role_restricted?') if current_user && !current_user.respond_to?(:is_role_restricted?)
+    end
+
+    only = Array(only).compact
+    except = Array(except).compact
+    multiple = resource.acts_as_role_restricted_options[:multiple] if multiple.nil?
+    assignable = assignable_roles_collection(resource, current_user, multiple: multiple)
+
+    roles.map do |role|
+      next if only.present? && !only.include?(role)
+      next if except.present? && except.include?(role)
+
       [
-        "#{role}<p class='help-block text-muted'>#{role_description(role, obj)}</p>".html_safe,
+        "#{role}<p class='help-block text-muted'>#{role_description(role, resource)}</p>".html_safe,
         role,
-        ({:disabled => :disabled} if disabled_roles_for(obj).include?(role))
+        ({:disabled => :disabled} unless assignable.include?(role))
       ]
-    end
+    end.compact
   end
 
-  def self.assignable_roles_for(user, obj = nil)
-    raise 'EffectiveRoles config.assignable_roles_for must be a Hash, Array or nil' unless [Hash, Array, NilClass].include?(assignable_roles.class)
-
-    return assignable_roles if assignable_roles.kind_of?(Array)
+  def self.assignable_roles_collection(resource, current_user = nil, multiple: nil)
     return roles if assignable_roles.nil?
-    return roles if !user.respond_to?(:is_role_restricted?) # All roles, if the user (or object) is not role_resticted
 
-    assignable = assignable_roles[obj.try(:class).to_s] || assignable_roles || {}
+    raise 'EffectiveRoles config.assignable_roles_for must be a Hash, Array or nil' unless [Hash, Array].include?(assignable_roles.class)
+    raise('expected resource to respond to is_role_restricted?') unless resource.respond_to?(:is_role_restricted?)
+    raise('expected current_user to respond to is_role_restricted?') if current_user && !current_user.respond_to?(:is_role_restricted?)
+    
+    multiple = resource.acts_as_role_restricted_options[:multiple] if multiple.nil?
+    current_user ||= (EffectiveRoles.current_user || (EffectiveLogging.current_user if defined?(EffectiveLogging)))
+
+    assignable = if assignable_roles.kind_of?(Array)
+      assignable_roles
+    elsif current_user.present?
+      current_roles = assignable_roles[resource.try(:class).to_s] || assignable_roles || {}
+      current_user.roles.map { |role| current_roles[role] }.flatten.compact.uniq
+    else
+      assignable_roles[resource.try(:class).to_s] || []
+    end
+
+    # Check boxes
+    return assignable if multiple
 
-    user.roles.map { |role| assignable[role] }.flatten.compact.uniq
+    # Radios
+    (resource.roles - assignable).present? ? [] : assignable
   end
 
   # This is used by the effective_roles_summary_table helper method
@@ -142,19 +177,6 @@ module EffectiveRoles
     (role_descriptions[obj.try(:class).to_s] || {})[role] || role_descriptions[role] || ''
   end
 
-  def self.disabled_roles_for(obj)
-    raise 'EffectiveRoles config.disabled_roles must be a Hash, Array or nil' unless [Hash, Array, NilClass].include?(disabled_roles.class)
-
-    case disabled_roles
-    when Array
-      disabled_roles
-    when Hash
-      Array(disabled_roles[obj.try(:class).to_s])
-    else
-      []
-    end
-  end
-
   def self._authorization_level(controller, role, resource, auth_method)
     resource = (resource.new() rescue resource) if resource.kind_of?(ActiveRecord::Base)
 

data/lib/effective_roles/engine.rb

@@ -2,7 +2,7 @@ module EffectiveRoles
   class Engine < ::Rails::Engine
     engine_name 'effective_roles'
 
-    config.autoload_paths += Dir["#{config.root}/app/models/concerns"]
+    config.autoload_paths += Dir["#{config.root}/app/models/concerns", "#{config.root}/lib/"]
 
     # Include acts_as_addressable concern and allow any ActiveRecord object to call it
     initializer 'effective_roles.active_record' do |app|
@@ -11,6 +11,16 @@ module EffectiveRoles
       end
     end
 
+    # Register the log_page_views concern so that it can be called in ActionController or elsewhere
+    initializer 'effective_logging.log_changes_action_controller' do |app|
+      Rails.application.config.to_prepare do
+        ActiveSupport.on_load :action_controller do
+          require 'effective_roles/set_current_user'
+          ActionController::Base.include(EffectiveRoles::SetCurrentUser::ActionController)
+        end
+      end
+    end
+
     # Set up our default configuration options.
     initializer "effective_roles.defaults", :before => :load_config_initializers do |app|
       eval File.read("#{config.root}/config/effective_roles.rb")

data/lib/effective_roles/set_current_user.rb

@@ -0,0 +1,15 @@
+module EffectiveRoles
+  module SetCurrentUser
+    module ActionController
+
+      # Add me to your ApplicationController
+      # before_action :set_effective_roles_current_user
+
+      def set_effective_roles_current_user
+        EffectiveRoles.current_user = current_user
+      end
+
+    end
+  end
+end
+

data/lib/effective_roles/version.rb

@@ -1,3 +1,3 @@
 module EffectiveRoles
-  VERSION = '1.5.1'.freeze
+  VERSION = '2.0.0'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: effective_roles
 version: !ruby/object:Gem::Version
-  version: 1.5.1
+  version: 2.0.0
 platform: ruby
 authors:
 - Code and Effect
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-03-08 00:00:00.000000000 Z
+date: 2019-05-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -46,6 +46,7 @@ files:
 - config/routes.rb
 - lib/effective_roles.rb
 - lib/effective_roles/engine.rb
+- lib/effective_roles/set_current_user.rb
 - lib/effective_roles/version.rb
 - lib/generators/effective_roles/install_generator.rb
 homepage: https://github.com/code-and-effect/effective_roles
@@ -67,8 +68,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.4.5.1
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: Assign multiple roles to any User or other ActiveRecord object. Select only