erbac 0.0.0 → 0.0.1

data/.gitignore

@@ -10,7 +10,3 @@
 #remove gemfile
 *.gem
 pkg/*.gem
-
-#remove bat and sh files
-*.bat
-*.sh

data/README.md

@@ -0,0 +1,126 @@
+# Erbac
+
+Q: First things first, you might ask, why the name?
+
+A: Well, it is actually a transplantation of [yiiframework][yii]'s [Role Based Access Control][yii-rbac] system.
+
+[yii]: http://www.yiiframework.com/
+[yii-rbac]: http://www.yiiframework.com/doc/guide/1.1/en/topics.auth#role-based-access-control
+
+## How to Use
+1. Installation  
+	> Put it in the Gemfile:
+	> ```gem 'erbac'```  
+	> then run 
+	> ```bundle install```.
+
+2. Generation  
+	> In your command line tools, try to input  
+	> ```rails generate erbac```  
+	> here is the options for the gem:
+	
+		Usage:
+		  rails generate erbac User [options]
+		
+		Options:
+		  -i, [--auth-item=auth_item AuthItem auth_items]                          # auth item, model and table
+		                                                                           # Default: ["auth_item", "AuthItem", "auth_items"]
+		  -c, [--auth-item-child=auth_item_child auth_item_children]               # auth item child and the join table
+		                                                                           # Default: ["auth_item_child", "auth_item_children"]
+		  -a, [--auth-assignment=auth_assignment AuthAssignment auth_assignments]  # auth assignment and the join table
+		                                                                           # Default: ["auth_assignment", "AuthAssignment", "auth_assignments"]
+		  -o, [--orm=NAME]                                                         # Orm to be invoked
+		                                                                           # Default: active_record
+		
+		Generates RBAC(role base access control) models and migration files according to the USER
+
+	Here, the 'User' is the Model from your project's 'User' model:
+	> ``` rails g erbac User ```  
+	> or  
+	> ``` rails g erbac Account ```  
+	> or  
+	> ``` rails g erbac Admin ```  
+	> or whatever is suitable for your system.
+	
+	And an example of customization with 'auth\_item':  
+	> ``` rails g erbac User --i my_auth_item ```  
+	> equals  
+	> ``` rails g erbac User --i my_auth_item MyAuthItem my_auth_items ```  
+	> 
+	> ``` rails g erbac User --i my_auth_item YourAuthItem ```  
+	> equals  
+	> ``` rails g erbac User --i my_auth_item YourAuthItem my_auth_items ```
+	> 
+	> ``` rails g erbac User --i my_auth_item YourAuthItem their_auth_items ```
+	
+	The same holds true for option -c and -a.  
+	You don't change -o option for it only support active record right now...
+
+3. Configuration  
+	A file name erbac.rb will be generated in "rails_root/config/initializer/erbac.rb", you can see many of the options commented out as default value, and there are two points worth noting:
+	* strict\_check\_mode  
+		* __NB: first of all, if bizrule.nil? or bizrule.empty? holds, it will pass.__
+		* set to true: if bizrule evaluates to be true, it will pass, or else, won't pass. 
+		* set to false: if bizrule evaluates to be false, it won't pass, or else, will pass.
+
+	* default roles
+		roles in this array will be checked first, if none of them passed, a normal check will be carried on.
+
+4. Role/Task/Operation creation and assignment  
+	Just the same as yii, but in a Object Oriented way(with the help of Erbac helper module), example will be found at spec/support/data.rb file of this project.
+
+5. Use
+	Use ``` check_access? ``` of Erbac or the 'User' model, find the sample codes from spec/user\_instance\_spec.rb file.  
+	You can also use the raw execute\_biz\_rule? to find out whether it hold only for _ONLY This_ item, whilst check\_access? checks it RECURSIVELY.
+	
+
+## Inside the Erbac ##
+the model we use is defined here:
+
+		authorA = User.new(name: "authorA")
+		authorB = User.new(name: "authorB")
+
+		oper_create_post = Erbac.create_operation "createPost", description: "create a post"
+		oper_read_post = Erbac.create_operation 'readPost', description: 'read a post'
+		oper_update_post = Erbac.create_operation 'updatePost', description: 'update a post'
+		oper_delete_post = Erbac.create_operation 'deletePost', description: 'delete a post'
+		
+		task_update_own_post = Erbac.create_task "updateOwnPost", description: "update a post by author himself", bizrule: "self == params[:post].author"
+		task_update_own_post.add_child oper_update_post
+
+		role_reader = Erbac.create_role "reader"
+		role_reader.add_child oper_read_post
+
+		role_author = Erbac.create_role "author"
+		role_author.add_child role_reader
+		role_author.add_child oper_create_post
+		role_author.add_child task_update_own_post
+
+		Erbac.assign role_author, authorA
+		Erbac.assign role_author, authorB
+
+		first_post = Post.create! header: "first post", author_id: @authorA.id
+
+		authorA.check_access?(oper_update_post, post: first_post)
+		
+		
+
+check_access? will check the privileges RECURSIVELY, in a top down sequence:
+
+* check the item and if it passes
+	* check if this item is a default role, if so, return true
+	* check assignment, if it passes, find all the parents items and do the check again, return true if any of them return true
+
+So in the code above, erbac will check oper_update_post first, then task\_update\_own\_post, then role\_author, bingo, it is passing the check.
+
+Now you know why an nil or empty string bizrule will cause a pass, if not, the check_access? will not work properly RECURSIVELY.
+
+## Cautions ##
+
+* When you define your bizrule, either do it with in an empty string, or not assign to it at all, space string will not work preperly, thus break the check link and cause an logic error.  (" ".empty? == false)
+* 'bizrule's will be check in two cases: auth\_assignment and auth\_item, so you can customize your auth_assignment to micro control your access.
+
+## TODOs ##
+* It only support Active Record, in the model layer.
+
+

data/build.bat

@@ -0,0 +1,4 @@
+@echo off
+call git add .
+call rake build
+:: call gem install ./pkg/erbac-version.gem

data/build.sh

@@ -0,0 +1,3 @@
+git add .
+rake build
+# gem install ./pkg/erbac-0.0.0.gem

data/erbac.gemspec

@@ -11,7 +11,7 @@ Gem::Specification.new do |s|
   
   s.authors     = ["dx"]
   s.email       = 'bitcheap@gmail.com'
-  s.homepage    = 'http://utocity.com'
+  s.homepage    = 'https://github.com/douxing/erbac'
   
   s.files       = `git ls-files`.split("\n")
   s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")

data/lib/erbac/active_record_support.rb

@@ -11,9 +11,6 @@ module Erbac
 		      class_name: Erbac.auth_assignment_class,
 		      foreign_key: "user_id"
 
-		    accepts_nested_attributes_for Erbac.auth_assignment.pluralize.to_sym, allow_destroy: true
-		    attr_accessible (Erbac.auth_assignment.pluralize + "_attributes").to_sym
-
 		  	has_many Erbac.auth_item.pluralize.to_sym, 
 		      through: Erbac.auth_assignment.pluralize.to_sym,
 		      source: Erbac.auth_item.pluralize.to_sym
@@ -92,9 +89,6 @@ module Erbac
 		      class_name: Erbac.auth_assignment_class,
 		      foreign_key: "item_id"
 
-		    accepts_nested_attributes_for Erbac.auth_assignment.pluralize.to_sym, allow_destroy: true
-		    attr_accessible (Erbac.auth_assignment.pluralize + "_attributes").to_sym
-
 		    has_many Erbac.user_class.underscore.pluralize.to_sym, 
 		      through: Erbac.auth_assignment.pluralize.to_sym,
 		      source: Erbac.user_class.underscore.pluralize.to_sym
@@ -133,7 +127,7 @@ module Erbac
 		    end
 
 		    define_method :has_child? do |item|
-		      self.children.include? child
+		      self.children.include? item
 		    end
 
 		    define_method :assign do |user, bizrule=nil, data=nil|

data/lib/erbac/auth_manage.rb

@@ -11,7 +11,9 @@ module Erbac
   			define_method ("create_" + type) do |name, options={}|
 	  			options[:name] = name
 	  			options[:auth_type] = Erbac.auth_item_class.constantize.const_get("TYPE_" + type.upcase)
-	  			Erbac.auth_item_class.constantize.create options
+	  			item = Erbac.auth_item_class.constantize.new options
+          item.save!
+          item
   			end
 
   			define_method ("get_" + type.pluralize) do |user|
@@ -19,11 +21,6 @@ module Erbac
   			end
   		end
 
-  		def check_access(*args)
-        user = args[1].is_a? Erbac.user_class.constantize ? args[1] : Erbac.user_class.constantize.anonymous
-  			user.check_access? args.first, args.extract_options!
-  		end
-
   		def add_item_child(parent, child)
         parent.add_child child
   		end
@@ -79,24 +76,10 @@ module Erbac
           raise TypeError, "Should pass in #{Erbac.auth_item_class} instance as the first parameter. Got #{args.first.to_s}", caller
         end
 
-        if (args[1].is_a? Erbac.user_class.constantize)
-          args[1].check_access? args.first, args.extract_options!
-        else
-          bizrule_sandbox args.first.bizrule, args.extract_options!, args.first.data
-        end
+        user = (args[1].is_a? Erbac.user_class.constantize) ? args[1] : Erbac.user_class.constantize.anonymous
+        user.check_access? args.first, args.extract_options!
       end
 
-  		protected
-  		def bizrule_sandbox(bizrule, params={}, data=nil)
-  			if (bizrule.nil? or bizrule.empty?)
-  				true
-  			else
-  				proc do
-  					$SAFE = 4 # here is a military area
-						Erbac.restrict_check_mode ? (eval bizrule) == true : (eval bizrule) != false
-					end.call
-  			end
-  		end
   	end
   end
 end

data/lib/erbac/version.rb

@@ -1,3 +1,3 @@
 module Erbac
-  VERSION = "0.0.0".freeze
+  VERSION = "0.0.1".freeze
 end

data/spec/erbac/user_instance_spec.rb

@@ -24,8 +24,10 @@ describe Erbac do
 	describe User do
 		subject {nil}
 
-		it "can not read" do
-	  	Erbac.check_access?(@role_reader, subject).should be_false
+		it "can not do any thing" do
+			AuthItem.find_each do |auth|
+		  	Erbac.check_access?(auth, subject, post: @first_post).should be_false
+		  end
 	  end
 	end
 
@@ -95,9 +97,9 @@ describe Erbac do
 
 	  it "can edit as editor" do
 	  	subject.check_access?(@role_editor).should be_true
-	  	Erbac.check_access?(@role_editor, subject).should be_false
+	  	Erbac.check_access?(@role_editor, subject).should be_true
 	  	subject.check_access?(@oper_update_post, post: @first_post).should be_true
-	  	Erbac.check_access?(@oper_update_post, subject, post: @first_post).should be_false
+	  	Erbac.check_access?(@oper_update_post, subject, post: @first_post).should be_true
 	  end
 
 		it "can not delete" do
@@ -111,50 +113,64 @@ describe Erbac do
 
   	it "can read" do
 	  	subject.check_access?(@role_reader).should be_true
+	  	Erbac.check_access?(@role_reader, subject).should be_true
 	  end
 
 	  it "can edit self post as task" do
 	  	subject.check_access?(@task_update_own_post, post: @first_post).should be_true
+	  	Erbac.check_access?(@task_update_own_post, subject, post: @first_post).should be_true
 	  	subject.check_access?(@task_update_own_post, post: @second_post).should be_false
+	  	Erbac.check_access?(@task_update_own_post, subject, post: @first_post).should be_true
 	  end
 
 	  it "can edit self post as update operation" do
 	  	subject.check_access?(@oper_update_post, post: @first_post).should be_true
+	  	Erbac.check_access?(@oper_update_post, subject, post: @first_post).should be_true
 	  	subject.check_access?(@oper_update_post, post: @second_post).should be_false
+	  	Erbac.check_access?(@oper_update_post, subject, post: @second_post).should be_false
 	  end 
 
 	  it "can not edit as editor" do
 	  	subject.check_access?(@role_editor).should be_false
+	  	Erbac.check_access?(@role_editor, subject).should be_false
 	  end
 
 		it "can not delete" do
-	  	subject.check_access?(@role_admin).should be_false
+	  	subject.check_access?(@oper_delete_post).should be_false
+	  	Erbac.check_access?(@oper_delete_post, subject).should be_false
 	  end 
   end
 
   describe User do
-  	subject { User.where(name: "administrator").first }
+  	subject { User.where(name: "admin").first }
 
   	it "can read" do
 	  	subject.check_access?(@role_reader).should be_true
+	  	Erbac.check_access?(@role_reader, subject).should be_true
 	  end
 
 	  it "can edit self post as task" do
 	  	subject.check_access?(@task_update_own_post, post: @first_post).should be_false
+	  	Erbac.check_access?(@task_update_own_post, subject, post: @first_post).should be_false
 	  	subject.check_access?(@task_update_own_post, post: @second_post).should be_false
+	  	Erbac.check_access?(@task_update_own_post, subject, post: @second_post).should be_false
 	  end
 
 	  it "can edit self post as update operation" do
 	  	subject.check_access?(@oper_update_post, post: @first_post).should be_true
+	  	Erbac.check_access?(@oper_update_post, subject, post: @first_post).should be_true
 	  	subject.check_access?(@oper_update_post, post: @second_post).should be_true
+	  	Erbac.check_access?(@oper_update_post, subject, post: @second_post).should be_true
 	  end 
 
 	  it "can not edit as editor" do
 	  	subject.check_access?(@role_editor).should be_true
+	  	Erbac.check_access?(@role_editor, subject).should be_true
 	  end
 
 		it "can not delete" do
 	  	subject.check_access?(@oper_delete_post).should be_true
+	  	Erbac.check_access?(@role_editor, subject).should be_true
 	  end 
   end
 end

data/spec/support/adapters/active_record.rb

@@ -8,7 +8,7 @@ load File.dirname(__FILE__) + '/../schema.rb'
 
 # ActiveRecord models
 class User < ActiveRecord::Base
-	attr_accessible :name
+	# attr_accessible :name
   control_access
 
   has_many :my_posts, class_name: "Post", inverse_of: :author
@@ -17,17 +17,17 @@ class User < ActiveRecord::Base
 end
 
 class AuthItem < ActiveRecord::Base
-	attr_accessible :name, :auth_type, :description, :bizrule, :data
+	# attr_accessible :name, :auth_type, :description, :bizrule, :data
   control_auth_item
 end
 
 class AuthAssignment < ActiveRecord::Base
-	attr_accessible :item_id, :user_id, :bizrule, :data
+	# attr_accessible :item_id, :user_id, :bizrule, :data
   control_auth_assignment
 end
 
 class Post < ActiveRecord::Base
-	attr_accessible :header, :author_id
+	# attr_accessible :header, :author_id
 	belongs_to :author, class_name: "User", inverse_of: :my_posts
 	belongs_to :co_workers, class_name: "User", inverse_of: :co_posts
 end

data/spec/support/data.rb

@@ -2,12 +2,18 @@ User.destroy_all
 AuthItem.destroy_all
 
 # users
-visitor = User.create! name: "visitor"
-reader = User.create! name: "reader"
-authorA = User.create! name: "authorA"
-authorB = User.create! name: "authorB"
-editor = User.create! name: "editor"
-admin = User.create! name: "administrator"
+visitor = User.new(name: "visitor")
+visitor.save!
+reader = User.new(name: "reader")
+reader.save!
+authorA = User.new(name: "authorA")
+authorA.save!
+authorB = User.new(name: "authorB")
+authorB.save!
+editor = User.new(name: "editor")
+editor.save!
+admin = User.new(name: "admin")
+admin.save!
 
 oper_create_post = Erbac.create_operation "createPost", description: "create a post"
 oper_read_post = Erbac.create_operation 'readPost', description: 'read a post'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: erbac
 version: !ruby/object:Gem::Version
-  version: 0.0.0
+  version: 0.0.1
   prerelease: 
 platform: ruby
 authors:
@@ -116,7 +116,10 @@ files:
 - .gitignore
 - Gemfile
 - Gemfile.lock
+- README.md
 - Rakefile
+- build.bat
+- build.sh
 - erbac.gemspec
 - lib/erbac.rb
 - lib/erbac/action_controller_support.rb
@@ -139,7 +142,7 @@ files:
 - spec/support/adapters/active_record.rb
 - spec/support/data.rb
 - spec/support/schema.rb
-homepage: http://utocity.com
+homepage: https://github.com/douxing/erbac
 licenses: []
 post_install_message: 
 rdoc_options: []