erp_tech_svcs 3.0.10 → 3.0.11

data/lib/erp_tech_svcs/extensions/active_record/protected_with_capabilities.rb

@@ -0,0 +1,203 @@
+module ErpTechSvcs
+	module Extensions
+		module ActiveRecord
+			module ProtectedByCapabilities
+
+				def self.included(base)
+					base.extend(ClassMethods)
+				end
+
+				module ClassMethods
+
+				  def protected_with_capabilities
+				    extend ProtectedByCapabilities::SingletonMethods
+    				include ProtectedByCapabilities::InstanceMethods
+    				
+            has_many :capabilities, :as => :capability_resource
+
+            # get records filtered via query scope capabilities
+            # by default Compass AE treats query scopes as restrictions
+            # a user will see all records unless the user has a capability accessor with a query scope
+            scope :with_query_security, lambda{|*args|
+              raise ArgumentError if args.empty? || args.size > 2
+              user = args.first
+              capability_type_iids = args.second || []
+              capability_type_iids = [capability_type_iids] if capability_type_iids.is_a?(String)
+
+              scope_type = ScopeType.find_by_internal_identifier('query')
+              granted_capabilities = user.all_capabilities.collect{|c| c if c.scope_type_id == scope_type.id and c.capability_resource_type == self.name }.compact
+
+              unless capability_type_iids.empty?
+                capability_type_ids = capability_type_iids.collect{|type| convert_capability_type(type).id }
+                granted_capabilities = granted_capabilities.collect{|c| c if capability_type_ids.include?(c.capability_type_id)}.compact
+              end
+
+              query = nil
+              granted_capabilities.each do |scope_capability|
+                query = query.nil? ? where(scope_capability.scope_query) : query.where(scope_capability.scope_query)
+              end
+              query
+            }
+
+            # get records for this model without capabilities or that are not in a list of denied capabilities
+            scope :with_instance_security, lambda{|denied_capabilities|
+                                    query = joins("LEFT JOIN capabilities AS c ON c.capability_resource_id = #{self.table_name}.id AND c.capability_resource_type = '#{self.name}'").
+                                            group(columns.collect{|c| "#{self.table_name}.#{c.name}" })
+                                    query = (denied_capabilities.empty? ? query.where("c.id IS NULL OR c.id = c.id") : query.where("c.id IS NULL OR c.id NOT IN (?)", denied_capabilities.collect{|c| c.id }))
+                                    query                                    
+                                  }
+
+            # get records for this model that the given user has access to
+            # arguments: user, capability_type_iids 
+            # capability_type_iids is optional and can be a single string or an array of strings
+            # Example: which files can this user download? FileAsset.with_user_security(user, 'download').all
+            # Example: which website sections can this user either view or edit? WebsiteSection.with_user_security(user, ['view','edit']).all
+            scope :with_user_security, lambda{|*args|
+              raise ArgumentError if args.empty? || args.size > 2
+              user = args.first
+              capability_type_iids = args.second || []
+              capability_type_iids = [capability_type_iids] if capability_type_iids.is_a?(String)
+
+              scope_type = ScopeType.find_by_internal_identifier('instance')
+              granted_capabilities = user.all_capabilities.collect{|c| c if c.scope_type_id == scope_type.id and c.capability_resource_type == self.name }.compact
+
+              unless capability_type_iids.empty?
+                capability_type_ids = capability_type_iids.collect{|type| convert_capability_type(type).id }
+                granted_capabilities = granted_capabilities.collect{|c| c if capability_type_ids.include?(c.capability_type_id)}.compact
+              end
+              
+              with_query_security(*args).with_instance_security(instance_capabilities - granted_capabilities) 
+            }
+				  end
+				end
+				
+				module SingletonMethods
+          # class method to get all capabilities for this model
+          def capabilities
+            Capability.where('capability_resource_type = ?', get_superclass(self.name))
+          end
+
+          # class method to get all capabilities for this model
+          def all_capabilities
+            capabilities
+          end
+
+          # class method to get only class capabilities for this model
+          def class_capabilities
+            scope_capabilities('class')
+          end
+
+          # class method to get only query capabilities for this model
+          def query_capabilities
+            scope_capabilities('query')
+          end
+
+          # class method to get only instance capabilities for this model
+          def instance_capabilities
+            scope_capabilities('instance')
+          end
+
+          def scope_capabilities(scope_type_iid)
+            scope_type = ScopeType.find_by_internal_identifier(scope_type_iid)
+            capabilities.where(:scope_type_id => scope_type.id)
+          end
+
+          # collect unique roles on capabilities
+          def capability_roles
+            capabilities.collect{|c| c.roles }.flatten.uniq
+          end
+
+          # add a class level capability (capability_resource_id will be NULL)
+          # the purpose of this is primarily for actions like create where the record does not exist yet
+          # this will allow us to assign the create capability to a User or Role so that we can ask the question "can a user create a record for this model?"
+          def add_capability(capability_type_iid)
+            capability_type = convert_capability_type(capability_type_iid)
+            scope_type = ScopeType.find_by_internal_identifier('class')
+            Capability.find_or_create_by_capability_resource_type_and_capability_type_id_and_scope_type_id(get_superclass(self.name), capability_type.id, scope_type.id)
+          end   
+
+          def protect_with_capability(capability_type_iid)
+            add_capability(capability_type_iid)
+          end
+
+          def get_capability(capability_type_iid)
+            capability_type = convert_capability_type(capability_type_iid)
+            scope_type = ScopeType.find_by_internal_identifier('class')
+            capabilities.where(:capability_resource_type => get_superclass(self.name), :capability_type_id => capability_type.id, :scope_type_id => scope_type.id).first
+          end
+
+          # remove a class level capability
+          def remove_capability(capability_type_iid)
+            capability = get_capability(capability_type_iid)
+            capability.destroy unless capability.nil?
+          end
+
+          def unprotect_with_capability(capability_type_iid)
+            remove_capability(capability_type_iid)
+          end
+
+          def convert_capability_type(type)
+            return type if type.is_a?(CapabilityType)
+            return nil unless (type.is_a?(String) || type.is_a?(Symbol))
+            ct = CapabilityType.find_by_internal_identifier(type.to_s)
+            return ct unless ct.nil?
+            CapabilityType.create(:internal_identifier => type.to_s, :description => type.to_s.titleize)
+          end
+				end
+						
+				module InstanceMethods
+
+          def add_capability(capability_type_iid)
+            capability_type = convert_capability_type(capability_type_iid)
+            scope_type = ScopeType.find_by_internal_identifier('instance')
+            capability = Capability.find_or_create_by_capability_resource_type_and_capability_resource_id_and_capability_type_id_and_scope_type_id(get_superclass, self.id, capability_type.id, scope_type.id)
+            self.reload
+            capability
+          end   
+
+          def protect_with_capability(capability_type_iid)
+            add_capability(capability_type_iid)
+          end
+
+          def get_capability(capability_type_iid)
+            capability_type = convert_capability_type(capability_type_iid)
+            capabilities.where(:capability_type_id => capability_type.id).first
+          end   
+
+          def protected_with_capability?(capability_type_iid)
+            !get_capability(capability_type_iid).nil?
+          end
+
+          def allow_access?(user, capability_type_iid)
+            if !self.protected_with_capability?(capability_type_iid.to_s) or (user and user.has_capability?(capability_type_iid.to_s, self))
+              return true
+            else
+              return false
+            end
+          end
+
+          def remove_capability(capability_type_iid)
+            capability = get_capability(capability_type_iid)
+            capability.destroy unless capability.nil?
+            self.reload
+            capability
+          end
+
+          def unprotect_with_capability(capability_type_iid)
+            remove_capability(capability_type_iid)
+          end
+
+				  def protected_with_capabilities?
+            !capabilities.empty?
+          end
+
+          private
+          def convert_capability_type(type)
+            self.class.convert_capability_type(type)
+          end
+
+				end
+			end
+		end
+	end
+end

data/lib/erp_tech_svcs/extensions.rb

@@ -1,7 +1,9 @@
 #active record extensions
+require 'erp_tech_svcs/extensions/active_record/base'
 require 'erp_tech_svcs/extensions/active_record/has_file_assets'
-require 'erp_tech_svcs/extensions/active_record/has_roles'
-require 'erp_tech_svcs/extensions/active_record/has_capabilities'
+require 'erp_tech_svcs/extensions/active_record/has_security_roles'
+require 'erp_tech_svcs/extensions/active_record/protected_with_capabilities'
+require 'erp_tech_svcs/extensions/active_record/has_capability_accessors'
 require 'erp_tech_svcs/extensions/active_record/acts_as_versioned'
 require 'erp_tech_svcs/extensions/active_record/has_relational_dynamic_attributes'
 

data/lib/erp_tech_svcs/file_support/manager.rb

@@ -93,7 +93,7 @@ module ErpTechSvcs
               #attempt set security if this file is a file_asset model
               file = files.find{|file| file.directory == parent[:id].gsub(root,'') and file.name == item[:text]}
               unless file.nil?
-                child_hash[:isSecured] = file.has_capabilities?
+                child_hash[:isSecured] = file.is_secured?
                 child_hash[:iconCls] = 'icon-document_lock' if child_hash[:isSecured]
                 child_hash[:size] = file.data_file_size
                 child_hash[:width] = file.width

data/lib/erp_tech_svcs/file_support/s3_manager.rb

@@ -99,7 +99,7 @@ module ErpTechSvcs
 
       def update_file(path, content)
         file = FileAsset.where(:name => ::File.basename(path)).where(:directory => ::File.dirname(path)).first
-        acl = (file.has_capabilities? ? :private : :public_read) unless file.nil?
+        acl = (file.is_secured? ? :private : :public_read) unless file.nil?
         options = (file.nil? ? {} : {:acl => acl, :content_type => file.content_type })
         path = path.sub(%r{^/},'')
         bucket.objects[path].write(content, options)
@@ -127,7 +127,7 @@ module ErpTechSvcs
           message = FILE_DOES_NOT_EXIST
         else
           file = FileAsset.where(:name => ::File.basename(path)).where(:directory => ::File.dirname(path)).first
-          acl = (file.has_capabilities? ? :private : :public_read) unless file.nil?
+          acl = (file.is_secured? ? :private : :public_read) unless file.nil?
           options = (file.nil? ? {} : {:acl => acl})
           name = File.basename(path)
           path = path.sub(%r{^/},'')
@@ -154,7 +154,7 @@ module ErpTechSvcs
         new_path = path_pieces.join('/')
         begin
           file = FileAsset.where(:name => ::File.basename(path)).where(:directory => ::File.dirname(path)).first
-          acl = (file.has_capabilities? ? :private : :public_read) unless file.nil?
+          acl = (file.is_secured? ? :private : :public_read) unless file.nil?
           options = (file.nil? ? {} : {:acl => acl})
           path = path.sub(%r{^/},'')
           new_path = new_path.sub(%r{^/},'')

data/lib/erp_tech_svcs/utils/compass_access_negotiator.rb

@@ -2,36 +2,41 @@ module ErpTechSvcs
   module Utils
     module CompassAccessNegotiator
 
-      def has_capability?(model, capability_type, resource)
-        result = true
-        result = model.user_has_capability?(capability_type.to_s, resource, self) if model.has_capabilities?
-        result
-      end
-
-      def with_capability(model, capability_type, resource, &block)
-        if model.has_capabilities?
-          if model.user_has_capability?(capability_type.to_s, resource, self)
-            yield
-          else
-            raise ErpTechSvcs::Utils::CompassAccessNegotiator::Errors::UserDoesNotHaveCapability
-          end
+      # pass in (capability_type_iid, class name) or (capability_type_iid, any class instance)
+      # Example: can user upload files? user.has_capability?('upload', 'FileAsset')
+      # Example: can download this file? user.has_capability?('download', file_asset)
+      def has_capability?(capability_type_iid, klass)
+        capability_type_iid = capability_type_iid.to_s if capability_type_iid.is_a?(Symbol)
+        if klass.is_a?(String)
+          scope_type = ScopeType.find_by_internal_identifier('class')
+          capability = Capability.joins(:capability_type).
+                                  where(:capability_resource_type => klass).
+                                  where(:scope_type_id => scope_type.id).
+                                  where(:capability_types => {:internal_identifier => capability_type_iid}).first
         else
-          yield
+          scope_type = ScopeType.find_by_internal_identifier('instance')
+          capability = klass.capabilities.joins(:capability_type).
+                              where(:scope_type_id => scope_type.id).
+                              where(:capability_types => {:internal_identifier => capability_type_iid}).first
+          return true if capability.nil? # object is not secured, so return true
         end
+        result = all_capabilities.find{|c| c == capability }
+        result.nil? ? false : true
       end
 
-      def has_access_to_widget?(widget)
-        widget.has_access?(self)
-      end
-
-      def valid_widgets(application)
-        widgets = []
-        application.widgets.each do |widget|
-          widgets << widget if self.has_access_to_widget?(widget)
+      # pass in (capability_type_iid, class name or any class instance, a block of code)
+      # Example: do something if user can download this file: 
+      # user.with_capability('download', file_asset) do
+      #   something
+      # end
+      def with_capability(capability_type_iid, klass_instance, &block)
+        if self.has_capability?(capability_type_iid, klass_instance)
+          yield
+        else
+          raise ErpTechSvcs::Utils::CompassAccessNegotiator::Errors::UserDoesNotHaveCapability
         end
-        widgets
       end
-      
+
       module Errors
         class CapabilityDoesNotExist < StandardError 
           def to_s

data/lib/erp_tech_svcs/version.rb

@@ -2,7 +2,7 @@ module ErpTechSvcs
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 0
-    TINY  = 10
+    TINY  = 11
 
     STRING = [MAJOR, MINOR, TINY].compact.join('.')
   end

data/spec/lib/erp_tech_svcs/extensions/active_record/has_roles_spec.rb

@@ -4,9 +4,9 @@ describe ErpTechSvcs::Extensions::ActiveRecord::HasRoles do
   before(:all) do
     @user = Factory(:user)
     @user_2 = Factory(:user)
-    @admin_role = Role.create(:internal_identifier => 'admin')
-    @employee_role = Role.create(:internal_identifier => 'employee')
-    @manager_role = Role.create(:internal_identifier => 'manager')
+    @admin_role = SecurityRole.create(:internal_identifier => 'admin')
+    @employee_role = SecurityRole.create(:internal_identifier => 'employee')
+    @manager_role = SecurityRole.create(:internal_identifier => 'manager')
   end
   
   it "should allow you to add a role" do
@@ -54,14 +54,13 @@ describe ErpTechSvcs::Extensions::ActiveRecord::HasRoles do
   it "should allow you to check access for user on model" do
     @user.add_roles(@admin_role)
     @user_2.add_roles(@admin_role)
-    @user_2.has_access?(@user).should eq true
     @user.remove_all_roles
     @user_2.remove_all_roles
   end
 
   after(:all) do
     User.destroy_all
-    Role.destroy_all
+    SecurityRole.destroy_all
   end
 
   

data/spec/models/role_spec.rb

@@ -3,7 +3,7 @@ require 'spec_helper'
 describe Role do
 
   before(:all) do
-    @role = Role.create(:internal_identifier => 'employee')
+    @role = SecurityRole.create(:internal_identifier => 'employee')
   end
 
   it "can transform into xml" do
@@ -11,7 +11,7 @@ describe Role do
   end
 
   after(:all) do
-    Role.destroy_all
+    SecurityRole.destroy_all
   end
 
 end

data/spec/models/secured_model_spec.rb

@@ -3,7 +3,7 @@ require 'spec_helper'
 describe SecuredModel do
 
   it "can find models by Class and role" do
-    admin_role = Role.create(:description => 'Admin', :internal_identifier => 'admin')
+    admin_role = SecurityRole.create(:description => 'Admin', :internal_identifier => 'admin')
     admin_user = User.create(:username => "admin",:email => "admin@portablemind.com")
     admin_user.add_role('admin')
 

data/spec/models/user_spec.rb

@@ -7,7 +7,7 @@ describe User do
   end
 
   it "should allow you to add and remove roles" do
-    role = Role.create(:internal_identifier => 'employee')
+    role = SecurityRole.create(:internal_identifier => 'employee')
     @user.add_role(role)
     @user.has_role?(role).should eq true
     @user.remove_role(role)
@@ -21,7 +21,7 @@ describe User do
 
   after(:all) do
     User.destroy_all
-    Role.destroy_all
+    SecurityRole.destroy_all
   end
 
 end