erp_tech_svcs 3.0.11 → 3.0.12

data/app/models/group.rb

@@ -138,8 +138,30 @@ class Group < ActiveRecord::Base
     end
   end
 
+  def role_class_capabilities
+    scope_type = ScopeType.find_by_internal_identifier('class')
+    Capability.joins(:capability_type).joins(:capability_accessors).
+          where(:capability_accessors => { :capability_accessor_record_type => "SecurityRole" }).
+          where("capability_accessor_record_id IN (#{roles.select('security_roles.id').to_sql})").
+          where(:scope_type_id => scope_type.id)
+  end
+
+  def all_class_capabilities
+    scope_type = ScopeType.find_by_internal_identifier('class')
+    Capability.joins(:capability_type).joins(:capability_accessors).
+          where("(capability_accessors.capability_accessor_record_type = 'Group' AND
+                  capability_accessor_record_id = (#{self.id})) OR
+                 (capability_accessors.capability_accessor_record_type = 'SecurityRole' AND
+                  capability_accessor_record_id IN (#{roles.select('security_roles.id').to_sql}))").
+          where(:scope_type_id => scope_type.id)
+  end
+
+  def all_uniq_class_capabilities
+    all_class_capabilities.all.uniq
+  end
+
   def class_capabilities_to_hash
-    class_capabilities.map {|capability| 
+    all_uniq_class_capabilities.map {|capability| 
       { :capability_type_iid => capability.capability_type.internal_identifier, 
         :capability_resource_type => capability.capability_resource_type 
       }

data/app/models/user.rb

@@ -86,40 +86,70 @@ class User < ActiveRecord::Base
 
   # roles assigned to the groups this user belongs to
   def group_roles
-    groups.collect{|g| g.roles }.flatten.uniq
+    SecurityRole.joins(:parties).
+      where(:parties => {:business_party_type => 'Group'}).
+      where("parties.business_party_id IN (#{groups.select('groups.id').to_sql})")
   end
 
   # composite roles for this user
   def all_roles
-    (group_roles + roles).uniq
+    SecurityRole.joins(:parties).joins("LEFT JOIN users ON parties.id=users.party_id").
+      where("(parties.business_party_type='Group' AND 
+              parties.business_party_id IN (#{groups.select('groups.id').to_sql})) OR 
+             (users.id=#{self.id})")
+  end
+
+  def all_uniq_roles
+    all_roles.all.uniq
   end
 
   def group_capabilities
-    groups.collect{|r| r.capabilities }.flatten.uniq.compact
+    Capability.joins(:capability_type).joins(:capability_accessors).
+          where(:capability_accessors => { :capability_accessor_record_type => "Group" }).
+          where("capability_accessor_record_id IN (#{groups.select('groups.id').to_sql})")
   end
 
   def role_capabilities
-    all_roles.collect{|r| r.capabilities }.flatten.compact
+    Capability.joins(:capability_type).joins(:capability_accessors).
+          where(:capability_accessors => { :capability_accessor_record_type => "SecurityRole" }).
+          where("capability_accessor_record_id IN (#{all_roles.select('security_roles.id').to_sql})")
   end
 
   def all_capabilities
-    (role_capabilities + group_capabilities + capabilities).uniq
+    Capability.joins(:capability_type).joins(:capability_accessors).
+          where("(capability_accessors.capability_accessor_record_type = 'Group' AND
+                  capability_accessor_record_id IN (#{groups.select('groups.id').to_sql})) OR
+                 (capability_accessors.capability_accessor_record_type = 'SecurityRole' AND
+                  capability_accessor_record_id IN (#{all_roles.select('security_roles.id').to_sql})) OR
+                 (capability_accessors.capability_accessor_record_type = 'User' AND
+                  capability_accessor_record_id = #{self.id})")
+  end
+
+  def all_uniq_capabilities
+    all_capabilities.all.uniq
   end
 
   def group_class_capabilities
-    groups.collect{|g| g.class_capabilities }.flatten.uniq.compact
+    scope_type = ScopeType.find_by_internal_identifier('class')
+    group_capabilities.where(:scope_type_id => scope_type.id)
   end
 
   def role_class_capabilities
-    all_roles.collect{|r| r.class_capabilities }.flatten.uniq.compact
+    scope_type = ScopeType.find_by_internal_identifier('class')
+    role_capabilities.where(:scope_type_id => scope_type.id)
   end
 
   def all_class_capabilities
-    (role_class_capabilities + group_class_capabilities + class_capabilities).uniq
+    scope_type = ScopeType.find_by_internal_identifier('class')
+    all_capabilities.where(:scope_type_id => scope_type.id)
+  end
+
+  def all_uniq_class_capabilities
+    all_class_capabilities.all.uniq
   end
 
   def class_capabilities_to_hash
-    all_class_capabilities.map {|capability| 
+    all_uniq_class_capabilities.map {|capability| 
       { :capability_type_iid => capability.capability_type.internal_identifier, 
         :capability_resource_type => capability.capability_resource_type 
       }

data/lib/erp_tech_svcs/extensions/active_record/has_capability_accessors.rb

@@ -77,7 +77,8 @@ module ErpTechSvcs
 
           # pass in (capability_type_iid, klass) or (capability) object
           def add_capability(*capability)
-            capability = capability.first.is_a?(String) ? get_or_create_capability(capability.first, capability.second) : capability.first
+            capability_type_iid = capability.first.is_a?(Symbol) ? capability.first.to_s : capability.first
+            capability = capability_type_iid.is_a?(String) ? get_or_create_capability(capability_type_iid, capability.second) : capability.first
             ca = CapabilityAccessor.find_or_create_by_capability_accessor_record_type_and_capability_accessor_record_id_and_capability_id(get_superclass, self.id, capability.id)
             self.reload
             ca
@@ -89,8 +90,12 @@ module ErpTechSvcs
 
           def get_or_create_capability(capability_type_iid, klass)
             capability_type = convert_capability_type(capability_type_iid)
-            scope_type = ScopeType.find_by_internal_identifier('class')
-            Capability.find_or_create_by_capability_resource_type_and_capability_type_id_and_scope_type_id(klass, capability_type.id, scope_type.id)
+            if klass.is_a?(String)
+              scope_type = ScopeType.find_by_internal_identifier('class')
+              Capability.find_or_create_by_capability_resource_type_and_capability_type_id_and_scope_type_id(klass, capability_type.id, scope_type.id)
+            else
+              klass.add_capability(capability_type_iid) # create instance capability
+            end
           end
 
           def get_capability(capability_type_iid, klass)
@@ -101,7 +106,8 @@ module ErpTechSvcs
 
           # pass in (capability_type_iid, klass) or (capability) object
           def remove_capability(*capability)
-            capability = capability.first.is_a?(String) ? get_or_create_capability(capability.first, capability.second) : capability.first
+            capability_type_iid = capability.first.is_a?(Symbol) ? capability.first.to_s : capability.first
+            capability = capability_type_iid.is_a?(String) ? get_or_create_capability(capability_type_iid, capability.second) : capability.first
             ca = capability_accessors.where(:capability_accessor_record_type => get_superclass, :capability_accessor_record_id => self.id, :capability_id => capability.id).first
             ca.destroy unless ca.nil?
             self.reload

data/lib/erp_tech_svcs/extensions/active_record/protected_with_capabilities.rb

@@ -9,15 +9,24 @@ module ErpTechSvcs
 
 				module ClassMethods
 
-				  def protected_with_capabilities
+				  def protected_with_capabilities(options = {})
 				    extend ProtectedByCapabilities::SingletonMethods
     				include ProtectedByCapabilities::InstanceMethods
-    				
-            has_many :capabilities, :as => :capability_resource
 
-            # get records filtered via query scope capabilities
-            # by default Compass AE treats query scopes as restrictions
-            # a user will see all records unless the user has a capability accessor with a query scope
+            has_many :capabilities, :as => :capability_resource
+    				
+            # protect all instance of this class by default
+            class_attribute :protect_all_instances
+            self.protect_all_instances = (options[:protect_all_instances].nil? ? false : options[:protect_all_instances])
+
+            # Get records filtered via query scope capabilities
+            # By default Compass AE treats query scopes as restrictions
+            # A user will see all records unless the user has a capability accessor with a query scope
+            # If you set :protect_all_instances => true it is honored via with_user_security & with_instance_security but NOT with_query_security
+            # arguments: user, capability_type_iids 
+            # capability_type_iids is optional and can be a single string or an array of strings
+            # Example: which files can this user download? FileAsset.with_query_security(user, 'download').all
+            # Example: which website sections can this user either view or edit? WebsiteSection.with_query_security(user, ['view','edit']).all
             scope :with_query_security, lambda{|*args|
               raise ArgumentError if args.empty? || args.size > 2
               user = args.first
@@ -25,11 +34,11 @@ module ErpTechSvcs
               capability_type_iids = [capability_type_iids] if capability_type_iids.is_a?(String)
 
               scope_type = ScopeType.find_by_internal_identifier('query')
-              granted_capabilities = user.all_capabilities.collect{|c| c if c.scope_type_id == scope_type.id and c.capability_resource_type == self.name }.compact
+              granted_capabilities = user.all_capabilities.where(:scope_type_id => scope_type.id).where(:capability_resource_type => self.name)
 
               unless capability_type_iids.empty?
                 capability_type_ids = capability_type_iids.collect{|type| convert_capability_type(type).id }
-                granted_capabilities = granted_capabilities.collect{|c| c if capability_type_ids.include?(c.capability_type_id)}.compact
+                granted_capabilities = granted_capabilities.where("capability_type_id IN (?)", capability_type_ids.join(','))
               end
 
               query = nil
@@ -39,34 +48,45 @@ module ErpTechSvcs
               query
             }
 
-            # get records for this model without capabilities or that are not in a list of denied capabilities
-            scope :with_instance_security, lambda{|denied_capabilities|
-                                    query = joins("LEFT JOIN capabilities AS c ON c.capability_resource_id = #{self.table_name}.id AND c.capability_resource_type = '#{self.name}'").
-                                            group(columns.collect{|c| "#{self.table_name}.#{c.name}" })
-                                    query = (denied_capabilities.empty? ? query.where("c.id IS NULL OR c.id = c.id") : query.where("c.id IS NULL OR c.id NOT IN (?)", denied_capabilities.collect{|c| c.id }))
-                                    query                                    
-                                  }
-
-            # get records for this model that the given user has access to
+            # Get records for this model permitted via instance capabilities
+            # If :protect_all_instances => true return only instances user has explicitly been granted access to
+            # If :protect_all_instances => false return instances without capabilities or that user is granted access to (default)
             # arguments: user, capability_type_iids 
             # capability_type_iids is optional and can be a single string or an array of strings
-            # Example: which files can this user download? FileAsset.with_user_security(user, 'download').all
-            # Example: which website sections can this user either view or edit? WebsiteSection.with_user_security(user, ['view','edit']).all
-            scope :with_user_security, lambda{|*args|
+            # Example: which files can this user download? FileAsset.with_instance_security(user, 'download').all
+            # Example: which website sections can this user either view or edit? WebsiteSection.with_instance_security(user, ['view','edit']).all
+            scope :with_instance_security, lambda{|*args|
               raise ArgumentError if args.empty? || args.size > 2
               user = args.first
               capability_type_iids = args.second || []
               capability_type_iids = [capability_type_iids] if capability_type_iids.is_a?(String)
 
               scope_type = ScopeType.find_by_internal_identifier('instance')
-              granted_capabilities = user.all_capabilities.collect{|c| c if c.scope_type_id == scope_type.id and c.capability_resource_type == self.name }.compact
+              granted_capabilities = user.all_capabilities.where(:scope_type_id => scope_type.id).where(:capability_resource_type => self.name)
 
               unless capability_type_iids.empty?
                 capability_type_ids = capability_type_iids.collect{|type| convert_capability_type(type).id }
-                granted_capabilities = granted_capabilities.collect{|c| c if capability_type_ids.include?(c.capability_type_id)}.compact
+                granted_capabilities = granted_capabilities.where("capability_type_id IN (#{capability_type_ids.join(',')})")
               end
-              
-              with_query_security(*args).with_instance_security(instance_capabilities - granted_capabilities) 
+
+              denied_capabilities = instance_capabilities.select('capabilities.id').where("capabilities.id NOT IN (#{granted_capabilities.select('capabilities.id').to_sql})")
+              deny_count = denied_capabilities.count
+
+              join_type = (self.protect_all_instances ? 'JOIN' : 'LEFT JOIN')
+              query = joins("#{join_type} capabilities AS c ON c.capability_resource_id = #{self.table_name}.id AND c.capability_resource_type = '#{self.name}'").
+                      group(columns.collect{|c| "#{self.table_name}.#{c.name}" })
+              query = (deny_count == 0 ? query.where("c.id IS NULL OR c.id = c.id") : query.where("c.id IS NULL OR c.id NOT IN (#{denied_capabilities.to_sql})"))
+              query
+            }
+
+            # Get records for this model that the given user has access to
+            # arguments: user, capability_type_iids 
+            # capability_type_iids is optional and can be a single string or an array of strings
+            # Example: which files can this user download? FileAsset.with_user_security(user, 'download').all
+            # Example: which website sections can this user either view or edit? WebsiteSection.with_user_security(user, ['view','edit']).all
+            scope :with_user_security, lambda{|*args|
+              raise ArgumentError if args.empty? || args.size > 2              
+              with_instance_security(*args).with_query_security(*args)
             }
 				  end
 				end
@@ -102,9 +122,9 @@ module ErpTechSvcs
             capabilities.where(:scope_type_id => scope_type.id)
           end
 
-          # collect unique roles on capabilities
+          # return unique roles on capabilities for this model
           def capability_roles
-            capabilities.collect{|c| c.roles }.flatten.uniq
+            SecurityRole.joins(:capability_accessors => :capability).where(:capability_accessors => {:capabilities => {:capability_resource_type => get_superclass(self.name) }}).all.uniq
           end
 
           # add a class level capability (capability_resource_id will be NULL)
@@ -147,6 +167,11 @@ module ErpTechSvcs
 						
 				module InstanceMethods
 
+          # convenience method to access class method
+          def protect_all_instances
+            self.class.protect_all_instances
+          end
+
           def add_capability(capability_type_iid)
             capability_type = convert_capability_type(capability_type_iid)
             scope_type = ScopeType.find_by_internal_identifier('instance')
@@ -165,11 +190,11 @@ module ErpTechSvcs
           end   
 
           def protected_with_capability?(capability_type_iid)
-            !get_capability(capability_type_iid).nil?
+            !get_capability(capability_type_iid).nil? or protect_all_instances
           end
 
           def allow_access?(user, capability_type_iid)
-            if !self.protected_with_capability?(capability_type_iid.to_s) or (user and user.has_capability?(capability_type_iid.to_s, self))
+            if (!self.protect_all_instances and !self.protected_with_capability?(capability_type_iid.to_s)) or (user and user.has_capability?(capability_type_iid.to_s, self))
               return true
             else
               return false

data/lib/erp_tech_svcs/utils/compass_access_negotiator.rb

@@ -13,15 +13,17 @@ module ErpTechSvcs
                                   where(:capability_resource_type => klass).
                                   where(:scope_type_id => scope_type.id).
                                   where(:capability_types => {:internal_identifier => capability_type_iid}).first
+          return nil if capability.nil? # capability not found so return nil
         else
           scope_type = ScopeType.find_by_internal_identifier('instance')
           capability = klass.capabilities.joins(:capability_type).
                               where(:scope_type_id => scope_type.id).
                               where(:capability_types => {:internal_identifier => capability_type_iid}).first
-          return true if capability.nil? # object is not secured, so return true
+          # if capability not found, we see if all instances are protected
+          # if all instance are protected, return false, otherwise true
+          return !klass.protect_all_instances if capability.nil?
         end
-        result = all_capabilities.find{|c| c == capability }
-        result.nil? ? false : true
+        all_capabilities.include?(capability)
       end
 
       # pass in (capability_type_iid, class name or any class instance, a block of code)

data/lib/erp_tech_svcs/version.rb

@@ -2,7 +2,7 @@ module ErpTechSvcs
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 0
-    TINY  = 11
+    TINY  = 12
 
     STRING = [MAJOR, MINOR, TINY].compact.join('.')
   end

data/spec/dummy/db/data_migrations/20110109173616_create_capability_scope_types.erp_tech_svcs.rb

@@ -0,0 +1,15 @@
+# This migration comes from erp_tech_svcs (originally 20110109173616)
+class CreateCapabilityScopeTypes
+  
+  def self.up
+    CapabilityType.create(:internal_identifier => 'download', :description => 'Download') if CapabilityType.where("internal_identifier = 'download'").first.nil?
+
+    ScopeType.create(:description => 'Instance', :internal_identifier => 'instance') if ScopeType.where("internal_identifier = 'instance'").first.nil?
+    ScopeType.create(:description => 'Class', :internal_identifier => 'class') if ScopeType.where("internal_identifier = 'class'").first.nil?
+    ScopeType.create(:description => 'Query', :internal_identifier => 'query') if ScopeType.where("internal_identifier = 'query'").first.nil?
+  end
+  
+  def self.down
+  end
+
+end

data/spec/dummy/db/data_migrations/20110525001935_add_usd_currency.erp_base_erp_svcs.rb

@@ -0,0 +1,12 @@
+# This migration comes from erp_base_erp_svcs (originally 20110525001935)
+class AddUsdCurrency
+  
+  def self.up
+    Currency.create(:name => 'US Dollar', :internal_identifier => 'USD', :major_unit_symbol => "$")
+  end
+  
+  def self.down
+    Currency.usd.destroy
+  end
+
+end

data/spec/dummy/db/data_migrations/20110609150135_add_iso_codes.erp_base_erp_svcs.rb

@@ -0,0 +1,19 @@
+# This migration comes from erp_base_erp_svcs (originally 20110609150135)
+require 'yaml'
+
+class AddIsoCodes
+  
+  def self.up
+    #find the erp_base_erp_svcs engine
+	  engine_path = Rails::Application::Railties.engines.find{|item| item.engine_name == 'erp_base_erp_svcs'}.config.root.to_s
+	
+	  GeoCountry.load_from_file(File.join(engine_path,'db/data_sets/geo_countries.yml'))
+    GeoZone.load_from_file(File.join(engine_path,'db/data_sets/geo_zones.yml'))
+  end
+  
+  def self.down
+    GeoCountry.delete_all
+    GeoZone.delete_all
+  end
+
+end

data/spec/dummy/db/data_migrations/20110802200222_schedule_delete_expired_sessions_job.erp_tech_svcs.rb

@@ -0,0 +1,16 @@
+# This migration comes from erp_tech_svcs (originally 20110802200222)
+class ScheduleDeleteExpiredSessionsJob
+  
+  def self.up
+    #insert data here
+    date = Date.tomorrow
+    start_time = DateTime.civil(date.year, date.month, date.day, 2, 0, 1, -(5.0/24.0))
+
+    ErpTechSvcs::Sessions::DeleteExpiredSessionsJob.schedule_job(start_time)
+  end
+  
+  def self.down
+    #remove data here
+  end
+
+end

data/spec/dummy/db/data_migrations/20110913145838_setup_compass_ae_instance.erp_base_erp_svcs.rb

@@ -0,0 +1,12 @@
+# This migration comes from erp_base_erp_svcs (originally 20110913145838)
+class SetupCompassAeInstance
+  
+  def self.up
+    CompassAeInstance.create(version: 3.1)
+  end
+  
+  def self.down
+    #remove data here
+  end
+
+end

data/spec/dummy/db/data_migrations/20111111144706_setup_audit_log_types.erp_tech_svcs.rb

@@ -0,0 +1,22 @@
+# This migration comes from erp_tech_svcs (originally 20111111144706)
+class SetupAuditLogTypes
+  
+  def self.up
+    application_alt = AuditLogType.create(:description => 'Application', :internal_identifier => 'application')
+
+    [
+      {:description => 'Custom Message', :internal_identifier => 'custom_message'},
+      {:description => 'Successful Logout', :internal_identifier => 'successful_logout'},
+      {:description => 'Successful Login', :internal_identifier => 'successful_login'},
+      {:description => 'Accessed Area', :internal_identifier => 'accessed_area'},
+      {:description => 'Session Timeout', :internal_identifier => 'session_timeout'}
+    ].each do |alt_hash|
+        AuditLogType.create(alt_hash).move_to_child_of(application_alt)
+    end
+  end
+  
+  def self.down
+    AuditLogType.destroy_all
+  end
+
+end

data/spec/dummy/db/data_migrations/20121116155018_create_group_relationship_and_role_types.erp_tech_svcs.rb

@@ -0,0 +1,20 @@
+# This migration comes from erp_tech_svcs (originally 20121116155018)
+class CreateGroupRelationshipAndRoleTypes
+  
+  def self.up
+    #insert data here
+    to_role = RoleType.create(:description => 'Security Group', :internal_identifier => 'group')
+    from_role = RoleType.create(:description => 'Security Group Member', :internal_identifier => 'group_member')
+    RelationshipType.create(:description => 'Security Group Membership', 
+                            :name => 'Group Membership', 
+                            :internal_identifier => 'group_membership',
+                            :valid_from_role => from_role,
+                            :valid_to_role => to_role
+                          )
+  end
+  
+  def self.down
+    #remove data here
+  end
+
+end

data/spec/dummy/db/data_migrations/20121130212146_note_capabilities.erp_tech_svcs.rb

@@ -0,0 +1,24 @@
+# This migration comes from erp_tech_svcs (originally 20121130212146)
+class NoteCapabilities
+  
+  def self.up
+    #insert data here
+    admin = SecurityRole.find_or_create_by_description_and_internal_identifier(:description => 'Admin', :internal_identifier => 'admin')
+    employee = SecurityRole.find_or_create_by_description_and_internal_identifier(:description => 'Employee', :internal_identifier => 'employee')
+
+    admin.add_capability('create', 'Note')
+    admin.add_capability('delete', 'Note')
+    admin.add_capability('edit', 'Note')
+    admin.add_capability('view', 'Note')
+
+    employee.add_capability('create', 'Note')
+    employee.add_capability('delete', 'Note')
+    employee.add_capability('edit', 'Note')
+    employee.add_capability('view', 'Note')
+  end
+  
+  def self.down
+    #remove data here
+  end
+
+end