erbac 0.0.0

data/.gitignore

@@ -0,0 +1,16 @@
+#remove hidden folders
+.komodotools/
+
+#remove project files
+*.komodoproject
+*.komodotools/
+*.sublime-project
+*.sublime-workspace
+
+#remove gemfile
+*.gem
+pkg/*.gem
+
+#remove bat and sh files
+*.bat
+*.sh

data/Gemfile

@@ -0,0 +1,5 @@
+source 'https://rubygems.org'
+
+gem 'rails', '3.2.13'
+# Specify my gem's dependencies in erbac.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,114 @@
+PATH
+  remote: .
+  specs:
+    erbac (0.0.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    actionmailer (3.2.13)
+      actionpack (= 3.2.13)
+      mail (~> 2.5.3)
+    actionpack (3.2.13)
+      activemodel (= 3.2.13)
+      activesupport (= 3.2.13)
+      builder (~> 3.0.0)
+      erubis (~> 2.7.0)
+      journey (~> 1.0.4)
+      rack (~> 1.4.5)
+      rack-cache (~> 1.2)
+      rack-test (~> 0.6.1)
+      sprockets (~> 2.2.1)
+    activemodel (3.2.13)
+      activesupport (= 3.2.13)
+      builder (~> 3.0.0)
+    activerecord (3.2.13)
+      activemodel (= 3.2.13)
+      activesupport (= 3.2.13)
+      arel (~> 3.0.2)
+      tzinfo (~> 0.3.29)
+    activeresource (3.2.13)
+      activemodel (= 3.2.13)
+      activesupport (= 3.2.13)
+    activesupport (3.2.13)
+      i18n (= 0.6.1)
+      multi_json (~> 1.0)
+    arel (3.0.2)
+    builder (3.0.4)
+    diff-lcs (1.2.4)
+    erubis (2.7.0)
+    hike (1.2.3)
+    i18n (0.6.1)
+    journey (1.0.4)
+    json (1.8.0)
+    mail (2.5.4)
+      mime-types (~> 1.16)
+      treetop (~> 1.4.8)
+    mime-types (1.23)
+    multi_json (1.7.8)
+    polyglot (0.3.3)
+    rack (1.4.5)
+    rack-cache (1.2)
+      rack (>= 0.4)
+    rack-ssl (1.3.3)
+      rack
+    rack-test (0.6.2)
+      rack (>= 1.0)
+    rails (3.2.13)
+      actionmailer (= 3.2.13)
+      actionpack (= 3.2.13)
+      activerecord (= 3.2.13)
+      activeresource (= 3.2.13)
+      activesupport (= 3.2.13)
+      bundler (~> 1.0)
+      railties (= 3.2.13)
+    railties (3.2.13)
+      actionpack (= 3.2.13)
+      activesupport (= 3.2.13)
+      rack-ssl (~> 1.3.2)
+      rake (>= 0.8.7)
+      rdoc (~> 3.4)
+      thor (>= 0.14.6, < 2.0)
+    rake (10.1.0)
+    rdoc (3.12.2)
+      json (~> 1.4)
+    rspec (2.14.1)
+      rspec-core (~> 2.14.0)
+      rspec-expectations (~> 2.14.0)
+      rspec-mocks (~> 2.14.0)
+    rspec-core (2.14.4)
+    rspec-expectations (2.14.0)
+      diff-lcs (>= 1.1.3, < 2.0)
+    rspec-mocks (2.14.2)
+    rspec-rails (2.14.0)
+      actionpack (>= 3.0)
+      activesupport (>= 3.0)
+      railties (>= 3.0)
+      rspec-core (~> 2.14.0)
+      rspec-expectations (~> 2.14.0)
+      rspec-mocks (~> 2.14.0)
+    sprockets (2.2.2)
+      hike (~> 1.2)
+      multi_json (~> 1.0)
+      rack (~> 1.0)
+      tilt (~> 1.1, != 1.3.0)
+    sqlite3 (1.3.7-x86-mingw32)
+    thor (0.18.1)
+    tilt (1.4.1)
+    treetop (1.4.14)
+      polyglot
+      polyglot (>= 0.3.1)
+    tzinfo (0.3.37)
+
+PLATFORMS
+  x86-mingw32
+
+DEPENDENCIES
+  activerecord (>= 3.0.0)
+  bundler
+  erbac!
+  rails (= 3.2.13)
+  rake
+  rspec (>= 2.0)
+  rspec-rails (>= 2.0)
+  sqlite3

data/Rakefile

@@ -0,0 +1,11 @@
+require 'bundler'
+Bundler::GemHelper.install_tasks
+
+task :default => :spec
+task :test => :spec
+
+desc "Run all specs"
+task "spec" do
+  exec "bundle exec rspec spec"
+end
+

data/erbac.gemspec

@@ -0,0 +1,28 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "erbac/version"
+
+Gem::Specification.new do |s|
+  s.name        = 'erbac'
+  s.version     = Erbac::VERSION.dup
+  s.date        = '2013-07-16'
+  s.summary     = "Yii rbac transplatation!"
+  s.description = "A simple hello world gem"
+  
+  s.authors     = ["dx"]
+  s.email       = 'bitcheap@gmail.com'
+  s.homepage    = 'http://utocity.com'
+  
+  s.files       = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.require_paths = ["lib"]
+  
+  s.add_development_dependency "sqlite3"
+  s.add_development_dependency 'rake'
+  s.add_development_dependency 'rspec', ">= 2.0"
+  s.add_development_dependency "rspec-rails", ">= 2.0"
+  s.add_development_dependency "bundler"
+  s.add_development_dependency "activerecord", ">= 3.0.0"
+ 
+
+end

data/lib/erbac/action_controller_support.rb

@@ -0,0 +1,15 @@
+module Erbac
+	module ActionControllerSupport
+		def self.included(base)
+  		base.extend ClassMethods
+  		base.helper_method :check_access
+  	end
+
+  	def check_access
+  		p "checked!"
+  	end
+
+  	module ClassMethods
+  	end
+	end
+end

data/lib/erbac/active_record_support.rb

@@ -0,0 +1,241 @@
+module Erbac
+	module ActiveRecordSupport
+		def self.included(base)
+  		base.extend ClassMethods
+  	end
+
+  	module ClassMethods
+  		def control_access
+		    has_many Erbac.auth_assignment.pluralize.to_sym,
+		      dependent: :delete_all,
+		      class_name: Erbac.auth_assignment_class,
+		      foreign_key: "user_id"
+
+		    accepts_nested_attributes_for Erbac.auth_assignment.pluralize.to_sym, allow_destroy: true
+		    attr_accessible (Erbac.auth_assignment.pluralize + "_attributes").to_sym
+
+		  	has_many Erbac.auth_item.pluralize.to_sym, 
+		      through: Erbac.auth_assignment.pluralize.to_sym,
+		      source: Erbac.auth_item.pluralize.to_sym
+
+		    define_method :check_access? do |*args|
+		      unless (args.first.is_a? Erbac.auth_item_class.constantize)
+		        raise TypeError, "Should pass in #{Erbac.auth_item_class} instance as the first parameter. Got #{args.first.to_s}", caller
+		      end
+
+		      check_access_recursive? args.first, args.extract_options!
+		    end
+
+		    define_method :execute_biz_rule? do |*args|
+		      item = args.first
+		      params = args.extract_options!
+		      if (item.is_a? Erbac.auth_item_class.constantize or item.is_a? Erbac.auth_assignment_class.constantize)
+		        bizrule_sandbox(item.bizrule, params, item.data)
+		      else
+		        raise TypeError, "Argument type not supported, should pass in #{Erbac.auth_item_class} or #{Erbac.auth_assignment_class} instance as the first parameter. Got #{item.class.to_s}", caller
+		      end
+		    end
+
+		    define_method :check_access_recursive? do |item, params={}|
+		      if bizrule_sandbox(item.bizrule, params, item.data)
+		        return true if Erbac.default_roles.include? item.name
+		        assignment = Erbac.auth_assignment_class.constantize.where(user_id: self, item_id: item).first
+		        if assignment
+		          return true if bizrule_sandbox(item.bizrule, params, item.data)
+		        end
+		        item.parents.each do |p|
+		          return true if check_access_recursive?(p, params)
+		        end
+		      end
+		      false
+		    end
+
+		    define_method :bizrule_sandbox do |bizrule, params={}, data=nil|
+		      if (bizrule.nil? or bizrule.empty?)
+		        true
+		      else
+		        proc do
+		        	# $SAFE = 3 how to change this ?
+		          Erbac.strict_check_mode ? (self.instance_eval bizrule) == true : (self.instance_eval bizrule) != false
+		        end.call
+		      end
+		    end
+
+		    send :protected, :check_access_recursive?, :bizrule_sandbox
+		    
+		    # add an anonymous singleton instance
+		    @anonymous = self.new
+		    class << self
+		    	define_method :anonymous do
+		    		@anonymous
+		    	end
+		    end
+
+		    define_method :anonymous_should_not_be_saved do
+		    	raise NoMethodError, "Anonymous object should not be saved!", caller if self.equal? self.class.anonymous
+		    end
+
+		    before_save :anonymous_should_not_be_saved
+
+		    define_method :anonymous? do
+		    	self.equal? @anonymous
+		    end
+
+		  end
+
+		  def control_auth_item
+		    attr_accessible :name, :auth_type, :description, :bizrule, :data
+		    validates :name, uniqueness: true
+
+		    has_many Erbac.auth_assignment.pluralize.to_sym,
+		      dependent: :delete_all,
+		      class_name: Erbac.auth_assignment_class,
+		      foreign_key: "item_id"
+
+		    accepts_nested_attributes_for Erbac.auth_assignment.pluralize.to_sym, allow_destroy: true
+		    attr_accessible (Erbac.auth_assignment.pluralize + "_attributes").to_sym
+
+		    has_many Erbac.user_class.underscore.pluralize.to_sym, 
+		      through: Erbac.auth_assignment.pluralize.to_sym,
+		      source: Erbac.user_class.underscore.pluralize.to_sym
+
+		    has_and_belongs_to_many :parents,
+		      join_table: Erbac.auth_item_child_table,
+		      class_name: Erbac.auth_item_class,
+		      foreign_key: "child_id", association_foreign_key: "parent_id"
+
+		    has_and_belongs_to_many :children,
+		      join_table: Erbac.auth_item_child_table,
+		      class_name: Erbac.auth_item_class,
+		      foreign_key: "parent_id", association_foreign_key: "child_id"
+
+		    const_set("TYPE_OPERATION", 0)
+		    const_set("TYPE_TASK", 1)
+		    const_set("TYPE_ROLE", 2)
+
+		    
+		    define_method :add_child do |item|
+		      if self.name == item.name
+		        raise AuthItemRelationError, "Cannot add #{self.name} as a child of itself.", caller
+		      end
+
+		      check_item_child_type(item)
+
+		      if detect_loop?(item)
+		        raise AuthItemRelationError, "Cannot add #{child.name} as a child of #{self.name}. A loop has been detected.", caller 
+		      end
+
+		      self.children << item
+		    end
+
+		    define_method :remove_child do |item|
+		      self.children.delete item
+		    end
+
+		    define_method :has_child? do |item|
+		      self.children.include? child
+		    end
+
+		    define_method :assign do |user, bizrule=nil, data=nil|
+		      assignment = Erbac.auth_assignment_class.constantize.where({item_id: self, user_id: user}).first_or_create
+		      assignment.bizrule = bizrule
+		      assignment.data = data
+		      assignment
+		    end
+
+		    define_method :revoke do |user|
+		      Erbac.auth_assignment_class.constantize.delete({item_id: self, user_id: user})
+		    end
+
+		    define_method :is_assigned? do |user|
+		      Erbac.auth_assignment_class.constantize.where({item_id: self, user_id: user}).any?
+		    end
+
+		    define_method :get_auth_assignment? do |user|
+		      Erbac.auth_assignment_class.constantize.where({item_id: self, user_id: user}).first
+		    end
+
+		    define_method :detect_loop? do |child|
+		      return true if (self.name == child.name)
+		      child.children.each do |g|
+		        return true if self.detect_loop?(g)
+		      end
+		      false
+		    end
+
+
+		    define_method :check_item_child_type do |child|
+		      unless (self.is_a? Erbac.auth_item_class.constantize)
+		        raise TypeError, "Should pass in #{Erbac.auth_item_class} instance as the first parameter. Got #{self.to_s}", caller
+		      end
+
+		      unless (child.is_a? Erbac.auth_item_class.constantize)
+		        raise TypeError, "Should pass in #{Erbac.auth_item_class} instance as the second parameter. Got #{child.to_s}", caller
+		      end
+
+		      if self.auth_type < child.auth_type
+		        raise Erbac::AuthItemRelationError, "Cannot add an itme of type #{AUTH_TYPES[child.auth_type]} to an item of type #{AUTH_TYPES[self.auth_type]}.", caller
+		      end
+		    end
+
+		    # should marshal the data when it comes to database
+		    # make it transparent with the user
+		    define_method :marshal_around_save do |*args, &block|
+		      data = self.data
+		      self.data = Marshal.dump data
+		      block.call # it is a trick, search it!
+		      self.data = data
+		    end
+		    around_save :marshal_around_save
+
+		    define_method :marshal_after_find do
+		    	begin # rescue marshal error and replace with nil
+		      	self.data = Marshal.restore self.data
+		      rescue ArgumentError
+		      	self.data = nil
+		      end
+		    end
+		    after_find :marshal_after_find
+
+		    send :protected, :detect_loop?, :check_item_child_type
+		    send :private, :marshal_around_save, :marshal_after_find
+
+		  end
+
+		  def control_auth_assignment
+		    attr_accessible :item_id, :user_id, :bizrule, :data
+
+		    belongs_to Erbac.user_class.underscore.pluralize.to_sym,
+		      class_name: Erbac.user_class,
+		      foreign_key: "user_id"
+
+		    belongs_to Erbac.auth_item.pluralize.to_sym,
+		      class_name: Erbac.auth_item_class,
+		      foreign_key: "item_id"
+
+		    protected
+
+		    # should marshal the data when it comes to database
+		    # make it transparent with the user
+		    define_method :marshal_around_save do |*args, &block|
+		      data = self.data
+		      self.data = Marshal.dump data
+		      block.call # it is a trick, search it!
+		      self.data = data
+		    end
+		    around_save :marshal_around_save
+
+		    define_method :marshal_after_find do
+		      begin # rescue marshal error and replace with nil
+		      	self.data = Marshal.restore self.data
+		      rescue ArgumentError
+		      	self.data = nil
+		      end
+		    end
+		    after_find :marshal_after_find
+
+		    send :private, :marshal_around_save, :marshal_after_find
+		  end
+  	end
+	end
+end

data/lib/erbac/auth_manage.rb

@@ -0,0 +1,102 @@
+module Erbac
+  module AuthManage
+  	def self.included(base)
+  		base.extend ClassMethods
+  	end
+
+  	module ClassMethods
+  		AUTH_TYPES = ["operation", "task", "role"]
+
+  		AUTH_TYPES.each do |type|
+  			define_method ("create_" + type) do |name, options={}|
+	  			options[:name] = name
+	  			options[:auth_type] = Erbac.auth_item_class.constantize.const_get("TYPE_" + type.upcase)
+	  			Erbac.auth_item_class.constantize.create options
+  			end
+
+  			define_method ("get_" + type.pluralize) do |user|
+  				user.send Erbac.auth_item.pluralize.to_sym
+  			end
+  		end
+
+  		def check_access(*args)
+        user = args[1].is_a? Erbac.user_class.constantize ? args[1] : Erbac.user_class.constantize.anonymous
+  			user.check_access? args.first, args.extract_options!
+  		end
+
+  		def add_item_child(parent, child)
+        parent.add_child child
+  		end
+
+  		def remove_item_child(parent, child)
+  			parent.remove_child child
+  		end
+
+  		def has_item_child?(parent, child)
+  			parent.has_child? child
+  		end
+
+  		def assign(item, user, bizrule=nil, data=nil)
+  			item.assign user, bizrule, data
+  		end
+
+  		def revoke(item, user)
+  			item.revoke user
+  		end
+
+  		def is_assigned?(item, user)
+  			item.is_assigned? user
+  		end
+
+  		def get_auth_assignment(item, user)
+  			item.get_auth_assignment user
+  		end
+
+  		def clear_all
+  			Erbac.auth_item_class.constantize.delete_all
+  		end
+
+  		def clear_auth_assignments(*args)
+  			Erbac.auth_assignment_class.constantize.delete_all args
+  		end
+
+      def execute_biz_rule?(*args)
+        item = args.first
+        params = args.extract_options!
+        unless (item.is_a? Erbac.auth_item_class.constantize or item.is_a? Erbac.auth_assignment_class.constantize)
+          raise TypeError, "Argument type not supported, should pass in #{Erbac.auth_item_class} or #{Erbac.auth_assignment_class} instance as the first parameter. Got #{item.class.to_s}", caller
+        end
+
+        if (args[1].is_a? Erbac.user_class.constantize)
+          args[1].execute_biz_rule? item, params
+        else
+          bizrule_sandbox(item.bizrule, params, item.data)
+        end
+      end
+
+      def check_access?(*args)
+        unless (args.first.is_a? Erbac.auth_item_class.constantize)
+          raise TypeError, "Should pass in #{Erbac.auth_item_class} instance as the first parameter. Got #{args.first.to_s}", caller
+        end
+
+        if (args[1].is_a? Erbac.user_class.constantize)
+          args[1].check_access? args.first, args.extract_options!
+        else
+          bizrule_sandbox args.first.bizrule, args.extract_options!, args.first.data
+        end
+      end
+
+  		protected
+  		def bizrule_sandbox(bizrule, params={}, data=nil)
+  			if (bizrule.nil? or bizrule.empty?)
+  				true
+  			else
+  				proc do
+  					$SAFE = 4 # here is a military area
+						Erbac.restrict_check_mode ? (eval bizrule) == true : (eval bizrule) != false
+					end.call
+  			end
+  		end
+  	end
+  end
+end

data/lib/erbac/configure.rb

@@ -0,0 +1,44 @@
+module Erbac
+  module Configure
+    attr_accessor :strict_check_mode
+    attr_accessor :default_roles
+
+  	USER_CLASS = "User"
+  	attr_accessor :user_class
+
+  	AUTH_ITEM = "auth_item"
+  	AUTH_ITEM_CLASS = AUTH_ITEM.dup.classify
+  	AUTH_ITEM_TABLE = AUTH_ITEM.dup.tableize
+  	attr_accessor :auth_item, :auth_item_class, :auth_item_table
+
+  	AUTH_ITEM_CHILD = "auth_item_child"
+  	AUTH_ITEM_CHILD_TABLE = AUTH_ITEM_CHILD.dup.tableize
+  	attr_accessor :auth_item_child, :auth_item_child_table
+
+  	AUTH_ASSIGNMENT = "auth_assignment"
+  	AUTH_ASSIGNMENT_CLASS = AUTH_ASSIGNMENT.dup.classify
+  	AUTH_ASSIGNMENT_TABLE = AUTH_ASSIGNMENT.dup.tableize
+  	attr_accessor :auth_assignment, :auth_assignment_class, :auth_assignment_table
+
+    def configure
+      yield self if block_given?
+
+      self.strict_check_mode ||= true
+      self.default_roles ||= []
+
+      self.user_class ||= USER_CLASS
+
+      self.auth_item ||= AUTH_ITEM
+    	self.auth_item_class ||= self.auth_item.classify
+    	self.auth_item_table ||= self.auth_item.tableize
+
+    	self.auth_item_child ||= AUTH_ITEM_CHILD
+    	self.auth_item_child_table ||= self.auth_item_child.tableize
+
+    	self.auth_assignment ||= AUTH_ASSIGNMENT
+    	self.auth_assignment_class ||= self.auth_assignment.classify
+    	self.auth_assignment_table ||= self.auth_assignment.tableize
+    end
+  
+  end
+end

data/lib/erbac/errors.rb

@@ -0,0 +1,5 @@
+module Erbac
+	module Error
+		class AuthItemRelationError < StandardError; end
+	end
+end

data/lib/erbac/railtie.rb

@@ -0,0 +1,16 @@
+require 'erbac'
+require 'rails'
+
+module Erbac
+  class Railtie < Rails::Railtie
+    initializer 'erbac.initialize' do
+      ActiveSupport.on_load(:active_record) do
+        ActiveRecord::Base.send :include, Erbac::ActiveRecordSupport
+      end
+
+      ActiveSupport.on_load(:action_controller) do
+        ActionController::Base.send :include, Erbac::ActionControllerSupport
+      end
+    end
+  end
+end

data/lib/erbac/utils.rb

@@ -0,0 +1,10 @@
+module Erbac
+  module Utils
+    def deprecate(old_method, new_method)
+      define_method(old_method) do |*args|
+        warn "[DEPRECATION] #{caller.first}: `#{old_method}` is deprecated.  Please use `#{new_method}` instead."
+        send(new_method, *args)
+      end
+    end
+  end
+end

data/lib/erbac/version.rb

@@ -0,0 +1,3 @@
+module Erbac
+  VERSION = "0.0.0".freeze
+end

data/lib/erbac.rb

@@ -0,0 +1,12 @@
+require 'erbac/railtie' if defined?(Rails)
+require 'erbac/configure'
+require 'erbac/auth_manage'
+require 'erbac/errors'
+require 'erbac/active_record_support'
+require 'erbac/action_controller_support'
+
+module Erbac
+  include AuthManage
+  include Error
+  extend Configure
+end

data/lib/generators/active_record/erbac_generator.rb

@@ -0,0 +1,54 @@
+require 'rails/generators/active_record'
+require 'active_support/core_ext'
+require 'erbac/configure'
+
+module ActiveRecord
+  module Generators
+    class ErbacGenerator < ActiveRecord::Generators::Base
+      source_root File.expand_path("../templates", __FILE__)
+
+      class_option :auth_item, type: :array, aliases: "-i", 
+        default: [Erbac::Configure::AUTH_ITEM, Erbac::Configure::AUTH_ITEM_CLASS, Erbac::Configure::AUTH_ITEM_TABLE]
+      class_option :auth_item_child, type: :array, aliases: "-c", 
+        default: [Erbac::Configure::AUTH_ITEM_CHILD, Erbac::Configure::AUTH_ITEM_CHILD_TABLE]
+      class_option :auth_assignment, type: :array, aliases: "-a", 
+        default: [Erbac::Configure::AUTH_ASSIGNMENT, Erbac::Configure::AUTH_ASSIGNMENT_CLASS, Erbac::Configure::AUTH_ASSIGNMENT_TABLE]
+
+      def init_erbac_options
+        # assert options.auth_item[0]
+        options.auth_item[1] ||= options.auth_item[0].classify || Erbac::Configure::AUTH_ITEM_CLASS
+        options.auth_item[2] ||= options.auth_item[0].tableize || Erbac::Configure::AUTH_ITEM_TABLE
+
+        # assert options.auth_item_child[0]
+        options.auth_item_child[1] || options.auth_item_child[0].tableize || Erbac::Configure::AUTH_ITEM_CHILD_TABLE
+
+        # assert options.auth_assignment[0]
+        options.auth_assignment[1] || options.auth_assignment[0].classify || Erbac::Configure::AUTH_ASSIGNMENT_CLASS
+        options.auth_assignment[2] || options.auth_assignment[0].tableize || Erbac::Configure::AUTH_ASSIGNMENT_TABLE
+      end
+
+      def generate_auth_item_model
+        Rails::Generators.invoke("active_record:model", [options.auth_item[0], "--no-migration"], behavior: behavior)
+        Rails::Generators.invoke("active_record:model", [options.auth_assignment[0], "--no-migration"], behavior: behavior)
+      end
+
+      def inject_auth_item_model
+        if behavior == :invoke
+          inject_into_class(model_path(options.auth_item[0]), options.auth_item[1], "  control_auth_item\n")
+          inject_into_class(model_path(options.auth_assignment[0]), options.auth_assignment[1], "  control_auth_assignment\n")
+        end
+      end
+
+      def copy_erbac_migration
+        migration_template "migration.rb", "db/migrate/erbac_create_auth"
+      end
+
+      protected
+
+      def model_path(filename)
+        File.join("app", "models", "#{filename}.rb")
+      end
+      
+    end
+  end
+end

data/lib/generators/active_record/templates/migration.rb

@@ -0,0 +1,27 @@
+class ErbacCreateAuth < ActiveRecord::Migration
+  def change
+    create_table(:<%= options.auth_item[2] %>) do |t|
+      t.string	:name, null: false
+      t.integer :auth_type
+      t.text	:description
+      t.text	:bizrule
+      t.text	:data
+    end
+
+    create_table(:<%= options.auth_item_child[1] %>, id: false) do |t|
+      t.integer	:parent_id, null: false
+      t.integer :child_id, null: false
+    end
+
+    create_table(:<%= options.auth_assignment[2] %>) do |t|
+      t.integer	:item_id, null: false
+      t.integer :user_id, null: false
+      t.text	:bizrule
+      t.text	:data
+    end
+
+    add_index(:<%= options.auth_item[2] %>, :name, unique: true)
+    add_index(:<%= options.auth_item_child[1] %>, [:parent_id, :child_id], unique: true)
+    add_index(:<%= options.auth_assignment[2] %>, [:item_id, :user_id], unique: true)
+  end
+end

data/lib/generators/erbac/erbac_generator.rb

@@ -0,0 +1,65 @@
+require 'erbac/configure'
+
+module Erbac
+  module Generators
+    class ErbacGenerator < Rails::Generators::Base
+      source_root File.expand_path('../templates', __FILE__)
+      argument :user_class, type: :string, banner: "User", desc: "User class for the system, maybe User, Account or Admin etc. in  your case."
+
+      class_option :auth_item, type: :array, 
+        default: [Configure::AUTH_ITEM, Configure::AUTH_ITEM_CLASS, Configure::AUTH_ITEM_TABLE], 
+        banner: "#{Configure::AUTH_ITEM} #{Configure::AUTH_ITEM_CLASS} #{Configure::AUTH_ITEM_TABLE}", 
+        aliases: "-i", desc: "auth item, model and table"
+      class_option :auth_item_child, type: :array, 
+        default: [Configure::AUTH_ITEM_CHILD, Configure::AUTH_ITEM_CHILD_TABLE], 
+        banner: "#{Configure::AUTH_ITEM_CHILD} #{Configure::AUTH_ITEM_CHILD_TABLE}", 
+        aliases: "-c", desc: "auth item child and the join table"
+      class_option :auth_assignment, type: :array, 
+        default: [Configure::AUTH_ASSIGNMENT, Configure::AUTH_ASSIGNMENT_CLASS, Configure::AUTH_ASSIGNMENT_TABLE], 
+        banner: "#{Configure::AUTH_ASSIGNMENT} #{Configure::AUTH_ASSIGNMENT_CLASS} #{Configure::AUTH_ASSIGNMENT_TABLE}", 
+        aliases: "-a",  desc: "auth assignment and the join table"
+
+      hook_for :orm
+      namespace :erbac
+
+      desc "Generates RBAC(role base access control) models and migration files according to the USER"
+      # def show_parameters
+      #   puts "user:    " + self.user
+      #   puts "auth_item:       " + self.options[:auth_item].inspect
+      #   puts "auth_item_child: " + self.options[:auth_item_child].inspect
+      #   puts "auth_assignment: " + self.options[:auth_assignment].inspect
+      #   puts "options:         " + options.inspect
+      # end
+
+      def init_erbac_options
+        # TODO: check the validity of the name
+
+        # assert options.auth_item[0]
+        options.auth_item[1] ||= options.auth_item[0].classify || Configure::AUTH_ITEM_CLASS
+        options.auth_item[2] ||= options.auth_item[0].tableize || Configure::AUTH_ITEM_TABLE
+
+        # assert options.auth_item_child[0]
+        options.auth_item_child[1] || options.auth_item_child[0].tableize || Configure::AUTH_ITEM_CHILD_TABLE
+
+        # assert options.auth_assignment[0]
+        options.auth_assignment[1] || options.auth_assignment[0].classify || Configure::AUTH_ASSIGNMENT_CLASS
+        options.auth_assignment[2] || options.auth_assignment[0].tableize || Configure::AUTH_ASSIGNMENT_TABLE
+      end
+
+      def copy_initializer_file
+        template "initializer.rb", "config/initializers/erbac.rb"
+      end
+
+      def inject_user_class
+        invoke "erbac:user", [ self.user_class ]
+      end
+      
+      def show_readme
+        if behavior == :invoke
+          readme "README"
+        end
+      end
+
+    end
+  end
+end

data/lib/generators/erbac/templates/README

@@ -0,0 +1,13 @@
+===============================================================================
+
+An initializer file has been created here: config/initializers/erbac.rb, you 
+can change erbac settings to match your needs. 
+Defaults values are commented out.
+
+A Role class has been created in app/models (with the name you gave as 
+argument otherwise the default is auth_item.rb), you can add your own business logic 
+inside.
+
+Inside your User class (or the name you gave as argument otherwise the default 
+is user.rb), erbac method has been inserted to provide erbac methods.
+

data/lib/generators/erbac/templates/initializer.rb

@@ -0,0 +1,27 @@
+Erbac.configure do |config|
+	# For the time being, maybe in the long term, it only support ActiveRecord...
+
+	# Uncomment the item to override the default
+
+	# if this is set to true, bizrule should return true restrictly
+	# else bizrule will pass if they don't return false
+	# NB in ruby 0 != false and 1 != true
+	# config.strict_check_mode = true
+
+	# check these roles first
+	# config.default_roles = []
+
+	# models and database tables
+	<%= "# " if user_class == Erbac::Configure::USER_CLASS %>config.user_class = <%= %Q("#{user_class}") %>
+
+	<%= "# " if options.auth_item[0] == Erbac::Configure::AUTH_ITEM %>config.auth_item = <%= %Q("#{options.auth_item[0]}") %>
+	<%= "# " if options.auth_item[1] == Erbac::Configure::AUTH_ITEM_CLASS %>config.auth_item_class = <%= %Q("#{options.auth_item[1]}") %>
+	<%= "# " if options.auth_item[2] == Erbac::Configure::AUTH_ITEM_TABLE %>config.auth_item_table = <%= %Q("#{options.auth_item[2]}") %>
+
+	<%= "# " if options.auth_item_child[0] == Erbac::Configure::AUTH_ITEM_CHILD %>config.auth_item_child = <%= %Q("#{options.auth_item_child[0]}") %>
+	<%= "# " if options.auth_item_child[1] == Erbac::Configure::AUTH_ITEM_CHILD_TABLE %>config.auth_item_child_table = <%= %Q("#{options.auth_item_child[1]}") %>
+
+	<%= "# " if options.auth_assignment[0] == Erbac::Configure::AUTH_ASSIGNMENT %>config.auth_assignment = <%= %Q("#{options.auth_assignment[0]}") %>
+	<%= "# " if options.auth_assignment[1] == Erbac::Configure::AUTH_ASSIGNMENT_CLASS %>config.auth_assignment = <%= %Q("#{options.auth_assignment[1]}") %>
+	<%= "# " if options.auth_assignment[2] == Erbac::Configure::AUTH_ASSIGNMENT_TABLE %>config.auth_assignment_table = <%= %Q("#{options.auth_assignment[2]}") %>
+end

data/lib/generators/erbac/user_generator.rb

@@ -0,0 +1,27 @@
+require 'rails/generators/migration'
+require 'active_support/core_ext'
+
+module Erbac
+  module Generators
+    class UserGenerator < Rails::Generators::Base
+      argument :user_class, type: :string, default: "User"
+
+      desc "Inject erbac method in the User|Account|Admin|* class."
+
+      def inject_user_content
+        inject_into_file(model_path, "  control_access\n", :after => inject_erbac_method)
+      end
+      
+      protected
+
+      def inject_erbac_method
+        /class[ |\t]+#{user_class}\n|class[ |\t]+#{user_class}.*\n|class[ |\t]+#{user_class.demodulize}\n|class[ |\t]+#{user_class.demodulize}.*\n/
+      end
+      
+      def model_path
+        File.join("app", "models", "#{self.user_class.underscore}.rb")
+      end
+      
+    end
+  end
+end

data/spec/erbac/user_instance_spec.rb

@@ -0,0 +1,160 @@
+require "spec_helper"
+
+describe Erbac do
+	before(:all) do
+		@authorA = User.where(name: "authorA").first
+		@authorB = User.where(name: "authorB").first
+		@editor = User.where(name: "editor").first
+		@admin  = User.where(name: "administrator").first
+
+		@first_post = Post.create! header: "first post", author_id: @authorA.id
+		@second_post = Post.create! header: "second post", author_id: @authorB.id
+
+		@role_reader = AuthItem.where(name: "reader").first
+		@role_author = AuthItem.where(name: "author").first
+  	@role_editor = AuthItem.where(name: "editor").first
+  	@role_admin = AuthItem.where(name: "admin").first
+
+  	@task_update_own_post = AuthItem.where(name: "updateOwnPost").first
+
+  	@oper_update_post = AuthItem.where(name: "updatePost").first
+  	@oper_delete_post = AuthItem.where(name: "deletePost").first
+	end
+
+	describe User do
+		subject {nil}
+
+		it "can not read" do
+	  	Erbac.check_access?(@role_reader, subject).should be_false
+	  end
+	end
+
+	describe User do
+  	subject { User.where(name: "visitor").first } 
+
+	  it "can not read" do
+	  	subject.check_access?(@role_reader).should be_false
+	  	Erbac.check_access?(@role_reader, subject).should be_false
+	  end
+
+	  it "can not edit as author" do
+	  	subject.check_access?(@role_author).should be_false
+	  	Erbac.check_access?(@role_author, subject).should be_false
+	  end
+
+	  it "can not edit as editor" do
+	  	subject.check_access?(@role_editor).should be_false
+	  	Erbac.check_access?(@role_editor, subject).should be_false
+	  end
+
+		it "can not delete" do
+	  	subject.check_access?(@oper_delete_post).should be_false
+	  	Erbac.check_access?(@oper_delete_post, subject).should be_false
+	  end 
+  end
+
+
+  describe User do
+  	subject { User.where(name: "reader").first } 
+
+  	it "can read" do
+	  	subject.check_access?(@role_reader).should be_true
+	  	Erbac.check_access?(@role_reader, subject).should be_true
+	  end
+
+	  it "can not edit as author" do
+	  	subject.check_access?(@role_author).should be_false
+	  	Erbac.check_access?(@role_author, subject).should be_false
+	  end
+
+	  it "can not edit as editor" do
+	  	subject.check_access?(@role_editor).should be_false
+	  	Erbac.check_access?(@role_editor, subject).should be_false
+	  end
+
+		it "can not delete" do
+	  	subject.check_access?(@oper_delete_post).should be_false
+	  	Erbac.check_access?(@oper_delete_post, subject).should be_false
+	  end 
+  end
+
+  describe User do
+  	subject { User.where(name: "editor").first } 
+
+  	it "can read" do
+	  	subject.check_access?(@role_reader).should be_true
+	  	Erbac.check_access?(@role_reader, subject).should be_true
+	  end
+
+	  it "can not edit as author" do
+	  	subject.check_access?(@role_author).should be_false
+	  	Erbac.check_access?(@role_author, subject).should be_false
+	  	subject.check_access?(@task_update_own_post, post: @first_post).should be_false
+	  	Erbac.check_access?(@task_update_own_post, subject, post: @first_post).should be_false
+	  end
+
+	  it "can edit as editor" do
+	  	subject.check_access?(@role_editor).should be_true
+	  	Erbac.check_access?(@role_editor, subject).should be_false
+	  	subject.check_access?(@oper_update_post, post: @first_post).should be_true
+	  	Erbac.check_access?(@oper_update_post, subject, post: @first_post).should be_false
+	  end
+
+		it "can not delete" do
+	  	subject.check_access?(@oper_delete_post).should be_false
+	  	Erbac.check_access?(@oper_delete_post, subject).should be_false
+	  end 
+  end
+
+  describe User do
+  	subject { User.where(name: "authorA").first }
+
+  	it "can read" do
+	  	subject.check_access?(@role_reader).should be_true
+	  end
+
+	  it "can edit self post as task" do
+	  	subject.check_access?(@task_update_own_post, post: @first_post).should be_true
+	  	subject.check_access?(@task_update_own_post, post: @second_post).should be_false
+	  end
+
+	  it "can edit self post as update operation" do
+	  	subject.check_access?(@oper_update_post, post: @first_post).should be_true
+	  	subject.check_access?(@oper_update_post, post: @second_post).should be_false
+	  end 
+
+	  it "can not edit as editor" do
+	  	subject.check_access?(@role_editor).should be_false
+	  end
+
+		it "can not delete" do
+	  	subject.check_access?(@role_admin).should be_false
+	  end 
+  end
+
+  describe User do
+  	subject { User.where(name: "administrator").first }
+
+  	it "can read" do
+	  	subject.check_access?(@role_reader).should be_true
+	  end
+
+	  it "can edit self post as task" do
+	  	subject.check_access?(@task_update_own_post, post: @first_post).should be_false
+	  	subject.check_access?(@task_update_own_post, post: @second_post).should be_false
+	  end
+
+	  it "can edit self post as update operation" do
+	  	subject.check_access?(@oper_update_post, post: @first_post).should be_true
+	  	subject.check_access?(@oper_update_post, post: @second_post).should be_true
+	  end 
+
+	  it "can not edit as editor" do
+	  	subject.check_access?(@role_editor).should be_true
+	  end
+
+		it "can not delete" do
+	  	subject.check_access?(@oper_delete_post).should be_true
+	  end 
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,9 @@
+require 'rubygems'
+require 'rails/all'
+require 'erbac'
+require "bundler/setup"
+
+Erbac.configure
+
+load File.dirname(__FILE__) + "/support/adapters/active_record.rb"
+load File.dirname(__FILE__) + '/support/data.rb'

data/spec/support/adapters/active_record.rb

@@ -0,0 +1,33 @@
+require 'active_record'
+
+RSpec::Matchers::OperatorMatcher.register(ActiveRecord::Relation, '=~', RSpec::Matchers::BuiltIn::MatchArray)
+ActiveRecord::Base.establish_connection(:adapter => "sqlite3", :database => ":memory:")
+ActiveRecord::Base.send :include, Erbac::ActiveRecordSupport
+
+load File.dirname(__FILE__) + '/../schema.rb'
+
+# ActiveRecord models
+class User < ActiveRecord::Base
+	attr_accessible :name
+  control_access
+
+  has_many :my_posts, class_name: "Post", inverse_of: :author
+  has_many :co_posts, class_name: "Post", inverse_of: :co_workers
+
+end
+
+class AuthItem < ActiveRecord::Base
+	attr_accessible :name, :auth_type, :description, :bizrule, :data
+  control_auth_item
+end
+
+class AuthAssignment < ActiveRecord::Base
+	attr_accessible :item_id, :user_id, :bizrule, :data
+  control_auth_assignment
+end
+
+class Post < ActiveRecord::Base
+	attr_accessible :header, :author_id
+	belongs_to :author, class_name: "User", inverse_of: :my_posts
+	belongs_to :co_workers, class_name: "User", inverse_of: :co_posts
+end

data/spec/support/data.rb

@@ -0,0 +1,43 @@
+User.destroy_all
+AuthItem.destroy_all
+
+# users
+visitor = User.create! name: "visitor"
+reader = User.create! name: "reader"
+authorA = User.create! name: "authorA"
+authorB = User.create! name: "authorB"
+editor = User.create! name: "editor"
+admin = User.create! name: "administrator"
+
+oper_create_post = Erbac.create_operation "createPost", description: "create a post"
+oper_read_post = Erbac.create_operation 'readPost', description: 'read a post'
+oper_update_post = Erbac.create_operation 'updatePost', description: 'update a post'
+oper_delete_post = Erbac.create_operation 'deletePost', description: 'delete a post'
+
+task_update_own_post = Erbac.create_task "updateOwnPost", description: "update a post by author himself", bizrule: "self == params[:post].author"
+task_update_own_post.add_child oper_update_post
+
+role_reader = Erbac.create_role "reader"
+role_reader.add_child oper_read_post
+
+role_author = Erbac.create_role "author"
+role_author.add_child role_reader
+role_author.add_child oper_create_post
+role_author.add_child task_update_own_post
+
+role_editor = Erbac.create_role "editor"
+role_editor.add_child role_reader
+role_editor.add_child oper_update_post
+
+role_admin = Erbac.create_role "admin"
+role_admin.add_child role_editor
+role_admin.add_child role_author
+role_admin.add_child oper_delete_post
+
+Erbac.assign role_reader, reader
+Erbac.assign role_author, authorA
+Erbac.assign role_author, authorB
+Erbac.assign role_editor, editor
+Erbac.assign role_admin, admin
+
+

data/spec/support/schema.rb

@@ -0,0 +1,44 @@
+ActiveRecord::Schema.define do
+  self.verbose = false
+
+  create_table(:users) do |t|
+    t.string :name, null: false
+  end
+
+  create_table(:auth_items) do |t|
+    t.string  :name, null: false
+    t.integer :auth_type
+    t.text  :description
+    t.text  :bizrule
+    t.text  :data
+  end
+
+  create_table(:auth_item_children, id: false) do |t|
+    t.integer :parent_id, null: false
+    t.integer :child_id, null: false
+  end
+
+  create_table(:auth_assignments) do |t|
+    t.integer :item_id, null: false
+    t.integer :user_id, null: false
+    t.text  :bizrule
+    t.text  :data
+  end
+
+  create_table(:posts) do |t|
+    t.string :header
+    t.integer :author_id
+  end
+
+  create_table(:posts_users, id: false) do |t|
+    t.integer :user_id, null: false
+    t.integer :post_id, null: false
+  end
+
+  add_index(:auth_items, :name, unique: true)
+  add_index(:auth_item_children, [:parent_id, :child_id], unique: true)
+  add_index(:auth_assignments, [:item_id, :user_id], unique: true)
+  add_index(:posts, :author_id)
+  add_index(:posts_users, [:user_id, :post_id], unique: true)
+
+end

metadata

@@ -0,0 +1,166 @@
+--- !ruby/object:Gem::Specification
+name: erbac
+version: !ruby/object:Gem::Version
+  version: 0.0.0
+  prerelease: 
+platform: ruby
+authors:
+- dx
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-07-16 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rspec-rails
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: activerecord
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+description: A simple hello world gem
+email: bitcheap@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- Gemfile.lock
+- Rakefile
+- erbac.gemspec
+- lib/erbac.rb
+- lib/erbac/action_controller_support.rb
+- lib/erbac/active_record_support.rb
+- lib/erbac/auth_manage.rb
+- lib/erbac/configure.rb
+- lib/erbac/errors.rb
+- lib/erbac/railtie.rb
+- lib/erbac/utils.rb
+- lib/erbac/version.rb
+- lib/generators/active_record/erbac_generator.rb
+- lib/generators/active_record/templates/README
+- lib/generators/active_record/templates/migration.rb
+- lib/generators/erbac/erbac_generator.rb
+- lib/generators/erbac/templates/README
+- lib/generators/erbac/templates/initializer.rb
+- lib/generators/erbac/user_generator.rb
+- spec/erbac/user_instance_spec.rb
+- spec/spec_helper.rb
+- spec/support/adapters/active_record.rb
+- spec/support/data.rb
+- spec/support/schema.rb
+homepage: http://utocity.com
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: Yii rbac transplatation!
+test_files: []