erp_tech_svcs 3.1.0 → 3.1.1

data/app/models/group.rb

@@ -140,15 +140,29 @@ class Group < ActiveRecord::Base
   end
 
   def role_class_capabilities
-    roles.collect{|r| r.class_capabilities }.flatten.uniq.compact
+    scope_type = ScopeType.find_by_internal_identifier('class')
+    Capability.joins(:capability_type).joins(:capability_accessors).
+          where(:capability_accessors => { :capability_accessor_record_type => "SecurityRole" }).
+          where("capability_accessor_record_id IN (#{roles.select('security_roles.id').to_sql})").
+          where(:scope_type_id => scope_type.id)
   end
 
   def all_class_capabilities
-    (role_class_capabilities + class_capabilities).uniq
+    scope_type = ScopeType.find_by_internal_identifier('class')
+    Capability.joins(:capability_type).joins(:capability_accessors).
+          where("(capability_accessors.capability_accessor_record_type = 'Group' AND
+                  capability_accessor_record_id = (#{self.id})) OR
+                 (capability_accessors.capability_accessor_record_type = 'SecurityRole' AND
+                  capability_accessor_record_id IN (#{roles.select('security_roles.id').to_sql}))").
+          where(:scope_type_id => scope_type.id)
+  end
+
+  def all_uniq_class_capabilities
+    all_class_capabilities.all.uniq
   end
 
   def class_capabilities_to_hash
-    all_class_capabilities.map {|capability| 
+    all_uniq_class_capabilities.map {|capability| 
       { :capability_type_iid => capability.capability_type.internal_identifier, 
         :capability_resource_type => capability.capability_resource_type 
       }

data/app/models/user.rb

@@ -46,7 +46,7 @@ class User < ActiveRecord::Base
     passed_roles.flatten!
     passed_roles.each do |role|
       role_iid = role.is_a?(SecurityRole) ?  role.internal_identifier : role.to_s
-      all_roles.each do |this_role|
+      all_uniq_roles.each do |this_role|
         result = true if (this_role.internal_identifier == role_iid)
         break if result
       end
@@ -103,40 +103,70 @@ class User < ActiveRecord::Base
 
   # roles assigned to the groups this user belongs to
   def group_roles
-    groups.collect{|g| g.roles }.flatten.uniq
+    SecurityRole.joins(:parties).
+      where(:parties => {:business_party_type => 'Group'}).
+      where("parties.business_party_id IN (#{groups.select('groups.id').to_sql})")
   end
 
   # composite roles for this user
   def all_roles
-    (group_roles + roles).uniq
+    SecurityRole.joins(:parties).joins("LEFT JOIN users ON parties.id=users.party_id").
+      where("(parties.business_party_type='Group' AND 
+              parties.business_party_id IN (#{groups.select('groups.id').to_sql})) OR 
+             (users.id=#{self.id})")
+  end
+
+  def all_uniq_roles
+    all_roles.all.uniq
   end
 
   def group_capabilities
-    groups.collect{|r| r.capabilities }.flatten.uniq.compact
+    Capability.joins(:capability_type).joins(:capability_accessors).
+          where(:capability_accessors => { :capability_accessor_record_type => "Group" }).
+          where("capability_accessor_record_id IN (#{groups.select('groups.id').to_sql})")
   end
 
   def role_capabilities
-    all_roles.collect{|r| r.capabilities }.flatten.compact
+    Capability.joins(:capability_type).joins(:capability_accessors).
+          where(:capability_accessors => { :capability_accessor_record_type => "SecurityRole" }).
+          where("capability_accessor_record_id IN (#{all_roles.select('security_roles.id').to_sql})")
   end
 
   def all_capabilities
-    (role_capabilities + group_capabilities + capabilities).uniq
+    Capability.joins(:capability_type).joins(:capability_accessors).
+          where("(capability_accessors.capability_accessor_record_type = 'Group' AND
+                  capability_accessor_record_id IN (#{groups.select('groups.id').to_sql})) OR
+                 (capability_accessors.capability_accessor_record_type = 'SecurityRole' AND
+                  capability_accessor_record_id IN (#{all_roles.select('security_roles.id').to_sql})) OR
+                 (capability_accessors.capability_accessor_record_type = 'User' AND
+                  capability_accessor_record_id = #{self.id})")
+  end
+
+  def all_uniq_capabilities
+    all_capabilities.all.uniq
   end
 
   def group_class_capabilities
-    groups.collect{|g| g.class_capabilities }.flatten.uniq.compact
+    scope_type = ScopeType.find_by_internal_identifier('class')
+    group_capabilities.where(:scope_type_id => scope_type.id)
   end
 
   def role_class_capabilities
-    all_roles.collect{|r| r.class_capabilities }.flatten.uniq.compact
+    scope_type = ScopeType.find_by_internal_identifier('class')
+    role_capabilities.where(:scope_type_id => scope_type.id)
   end
 
   def all_class_capabilities
-    (role_class_capabilities + group_class_capabilities + class_capabilities).uniq
+    scope_type = ScopeType.find_by_internal_identifier('class')
+    all_capabilities.where(:scope_type_id => scope_type.id)
+  end
+
+  def all_uniq_class_capabilities
+    all_class_capabilities.all.uniq
   end
 
   def class_capabilities_to_hash
-    all_class_capabilities.map {|capability| 
+    all_uniq_class_capabilities.map {|capability| 
       { :capability_type_iid => capability.capability_type.internal_identifier, 
         :capability_resource_type => capability.capability_resource_type 
       }

data/lib/erp_tech_svcs/extensions/active_record/has_capability_accessors.rb

@@ -77,7 +77,8 @@ module ErpTechSvcs
 
           # pass in (capability_type_iid, klass) or (capability) object
           def add_capability(*capability)
-            capability = capability.first.is_a?(String) ? get_or_create_capability(capability.first, capability.second) : capability.first
+            capability_type_iid = capability.first.is_a?(Symbol) ? capability.first.to_s : capability.first
+            capability = capability_type_iid.is_a?(String) ? get_or_create_capability(capability_type_iid, capability.second) : capability.first
             ca = CapabilityAccessor.find_or_create_by_capability_accessor_record_type_and_capability_accessor_record_id_and_capability_id(get_superclass, self.id, capability.id)
             self.reload
             ca
@@ -89,8 +90,12 @@ module ErpTechSvcs
 
           def get_or_create_capability(capability_type_iid, klass)
             capability_type = convert_capability_type(capability_type_iid)
-            scope_type = ScopeType.find_by_internal_identifier('class')
-            Capability.find_or_create_by_capability_resource_type_and_capability_type_id_and_scope_type_id(klass, capability_type.id, scope_type.id)
+            if klass.is_a?(String)
+              scope_type = ScopeType.find_by_internal_identifier('class')
+              Capability.find_or_create_by_capability_resource_type_and_capability_type_id_and_scope_type_id(klass, capability_type.id, scope_type.id)
+            else
+              klass.add_capability(capability_type_iid) # create instance capability
+            end
           end
 
           def get_capability(capability_type_iid, klass)
@@ -101,7 +106,8 @@ module ErpTechSvcs
 
           # pass in (capability_type_iid, klass) or (capability) object
           def remove_capability(*capability)
-            capability = capability.first.is_a?(String) ? get_or_create_capability(capability.first, capability.second) : capability.first
+            capability_type_iid = capability.first.is_a?(Symbol) ? capability.first.to_s : capability.first
+            capability = capability_type_iid.is_a?(String) ? get_or_create_capability(capability_type_iid, capability.second) : capability.first
             ca = capability_accessors.where(:capability_accessor_record_type => get_superclass, :capability_accessor_record_id => self.id, :capability_id => capability.id).first
             ca.destroy unless ca.nil?
             self.reload

data/lib/erp_tech_svcs/extensions/active_record/protected_with_capabilities.rb

@@ -9,15 +9,24 @@ module ErpTechSvcs
 
 				module ClassMethods
 
-				  def protected_with_capabilities
+				  def protected_with_capabilities(options = {})
 				    extend ProtectedByCapabilities::SingletonMethods
     				include ProtectedByCapabilities::InstanceMethods
-    				
-            has_many :capabilities, :as => :capability_resource
 
-            # get records filtered via query scope capabilities
-            # by default Compass AE treats query scopes as restrictions
-            # a user will see all records unless the user has a capability accessor with a query scope
+            has_many :capabilities, :as => :capability_resource
+    				
+            # protect all instance of this class by default
+            class_attribute :protect_all_instances
+            self.protect_all_instances = (options[:protect_all_instances].nil? ? false : options[:protect_all_instances])
+
+            # Get records filtered via query scope capabilities
+            # By default Compass AE treats query scopes as restrictions
+            # A user will see all records unless the user has a capability accessor with a query scope
+            # If you set :protect_all_instances => true it is honored via with_user_security & with_instance_security but NOT with_query_security
+            # arguments: user, capability_type_iids 
+            # capability_type_iids is optional and can be a single string or an array of strings
+            # Example: which files can this user download? FileAsset.with_query_security(user, 'download').all
+            # Example: which website sections can this user either view or edit? WebsiteSection.with_query_security(user, ['view','edit']).all
             scope :with_query_security, lambda{|*args|
               raise ArgumentError if args.empty? || args.size > 2
               user = args.first
@@ -25,11 +34,11 @@ module ErpTechSvcs
               capability_type_iids = [capability_type_iids] if capability_type_iids.is_a?(String)
 
               scope_type = ScopeType.find_by_internal_identifier('query')
-              granted_capabilities = user.all_capabilities.collect{|c| c if c.scope_type_id == scope_type.id and c.capability_resource_type == self.name }.compact
+              granted_capabilities = user.all_capabilities.where(:scope_type_id => scope_type.id).where(:capability_resource_type => self.name)
 
               unless capability_type_iids.empty?
                 capability_type_ids = capability_type_iids.collect{|type| convert_capability_type(type).id }
-                granted_capabilities = granted_capabilities.collect{|c| c if capability_type_ids.include?(c.capability_type_id)}.compact
+                granted_capabilities = granted_capabilities.where("capability_type_id IN (?)", capability_type_ids.join(','))
               end
 
               query = nil
@@ -39,34 +48,45 @@ module ErpTechSvcs
               query
             }
 
-            # get records for this model without capabilities or that are not in a list of denied capabilities
-            scope :with_instance_security, lambda{|denied_capabilities|
-                                    query = joins("LEFT JOIN capabilities AS c ON c.capability_resource_id = #{self.table_name}.id AND c.capability_resource_type = '#{self.name}'").
-                                            group(columns.collect{|c| "#{self.table_name}.#{c.name}" })
-                                    query = (denied_capabilities.empty? ? query.where("c.id IS NULL OR c.id = c.id") : query.where("c.id IS NULL OR c.id NOT IN (?)", denied_capabilities.collect{|c| c.id }))
-                                    query                                    
-                                  }
-
-            # get records for this model that the given user has access to
+            # Get records for this model permitted via instance capabilities
+            # If :protect_all_instances => true return only instances user has explicitly been granted access to
+            # If :protect_all_instances => false return instances without capabilities or that user is granted access to (default)
             # arguments: user, capability_type_iids 
             # capability_type_iids is optional and can be a single string or an array of strings
-            # Example: which files can this user download? FileAsset.with_user_security(user, 'download').all
-            # Example: which website sections can this user either view or edit? WebsiteSection.with_user_security(user, ['view','edit']).all
-            scope :with_user_security, lambda{|*args|
+            # Example: which files can this user download? FileAsset.with_instance_security(user, 'download').all
+            # Example: which website sections can this user either view or edit? WebsiteSection.with_instance_security(user, ['view','edit']).all
+            scope :with_instance_security, lambda{|*args|
               raise ArgumentError if args.empty? || args.size > 2
               user = args.first
               capability_type_iids = args.second || []
               capability_type_iids = [capability_type_iids] if capability_type_iids.is_a?(String)
 
               scope_type = ScopeType.find_by_internal_identifier('instance')
-              granted_capabilities = user.all_capabilities.collect{|c| c if c.scope_type_id == scope_type.id and c.capability_resource_type == self.name }.compact
+              granted_capabilities = user.all_capabilities.where(:scope_type_id => scope_type.id).where(:capability_resource_type => self.name)
 
               unless capability_type_iids.empty?
                 capability_type_ids = capability_type_iids.collect{|type| convert_capability_type(type).id }
-                granted_capabilities = granted_capabilities.collect{|c| c if capability_type_ids.include?(c.capability_type_id)}.compact
+                granted_capabilities = granted_capabilities.where("capability_type_id IN (#{capability_type_ids.join(',')})")
               end
-              
-              with_query_security(*args).with_instance_security(instance_capabilities - granted_capabilities) 
+
+              denied_capabilities = instance_capabilities.select('capabilities.id').where("capabilities.id NOT IN (#{granted_capabilities.select('capabilities.id').to_sql})")
+              deny_count = denied_capabilities.count
+
+              join_type = (self.protect_all_instances ? 'JOIN' : 'LEFT JOIN')
+              query = joins("#{join_type} capabilities AS c ON c.capability_resource_id = #{self.table_name}.id AND c.capability_resource_type = '#{self.name}'").
+                      group(columns.collect{|c| "#{self.table_name}.#{c.name}" })
+              query = (deny_count == 0 ? query.where("c.id IS NULL OR c.id = c.id") : query.where("c.id IS NULL OR c.id NOT IN (#{denied_capabilities.to_sql})"))
+              query
+            }
+
+            # Get records for this model that the given user has access to
+            # arguments: user, capability_type_iids 
+            # capability_type_iids is optional and can be a single string or an array of strings
+            # Example: which files can this user download? FileAsset.with_user_security(user, 'download').all
+            # Example: which website sections can this user either view or edit? WebsiteSection.with_user_security(user, ['view','edit']).all
+            scope :with_user_security, lambda{|*args|
+              raise ArgumentError if args.empty? || args.size > 2              
+              with_instance_security(*args).with_query_security(*args)
             }
 				  end
 				end
@@ -102,9 +122,9 @@ module ErpTechSvcs
             capabilities.where(:scope_type_id => scope_type.id)
           end
 
-          # collect unique roles on capabilities
+          # return unique roles on capabilities for this model
           def capability_roles
-            capabilities.collect{|c| c.roles }.flatten.uniq
+            SecurityRole.joins(:capability_accessors => :capability).where(:capability_accessors => {:capabilities => {:capability_resource_type => get_superclass(self.name) }}).all.uniq
           end
 
           # add a class level capability (capability_resource_id will be NULL)
@@ -147,6 +167,11 @@ module ErpTechSvcs
 						
 				module InstanceMethods
 
+          # convenience method to access class method
+          def protect_all_instances
+            self.class.protect_all_instances
+          end
+
           def add_capability(capability_type_iid)
             capability_type = convert_capability_type(capability_type_iid)
             scope_type = ScopeType.find_by_internal_identifier('instance')
@@ -165,11 +190,11 @@ module ErpTechSvcs
           end   
 
           def protected_with_capability?(capability_type_iid)
-            !get_capability(capability_type_iid).nil?
+            !get_capability(capability_type_iid).nil? or protect_all_instances
           end
 
           def allow_access?(user, capability_type_iid)
-            if !self.protected_with_capability?(capability_type_iid.to_s) or (user and user.has_capability?(capability_type_iid.to_s, self))
+            if (!self.protect_all_instances and !self.protected_with_capability?(capability_type_iid.to_s)) or (user and user.has_capability?(capability_type_iid.to_s, self))
               return true
             else
               return false

data/lib/erp_tech_svcs/utils/compass_access_negotiator.rb

@@ -13,15 +13,17 @@ module ErpTechSvcs
                                   where(:capability_resource_type => klass).
                                   where(:scope_type_id => scope_type.id).
                                   where(:capability_types => {:internal_identifier => capability_type_iid}).first
+          return nil if capability.nil? # capability not found so return nil
         else
           scope_type = ScopeType.find_by_internal_identifier('instance')
           capability = klass.capabilities.joins(:capability_type).
                               where(:scope_type_id => scope_type.id).
                               where(:capability_types => {:internal_identifier => capability_type_iid}).first
-          return true if capability.nil? # object is not secured, so return true
+          # if capability not found, we see if all instances are protected
+          # if all instance are protected, return false, otherwise true
+          return !klass.protect_all_instances if capability.nil?
         end
-        result = all_capabilities.find{|c| c == capability }
-        result.nil? ? false : true
+        all_capabilities.include?(capability)
       end
 
       # pass in (capability_type_iid, class name or any class instance, a block of code)

data/lib/erp_tech_svcs/version.rb

@@ -2,7 +2,7 @@ module ErpTechSvcs
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 1
-    TINY  = 0
+    TINY  = 1
 
     STRING = [MAJOR, MINOR, TINY].compact.join('.')
   end

data/lib/tasks/erp_tech_svcs_tasks.rake

@@ -8,8 +8,8 @@ namespace :erp_tech_svcs do
 
       #sync shared
       puts "Syncing Shared Assets..."
-      file_support.sync(File.join(file_support.root, '/images'), CompassAeInstance.first)
-      file_support.sync(File.join(file_support.root, '/files'), CompassAeInstance.first)
+      file_support.sync(File.join(file_support.root, '/images'), CompassAeInstance.find_by_internal_identifier('base'))
+      file_support.sync(File.join(file_support.root, '/files'), CompassAeInstance.find_by_internal_identifier('base'))
       puts "Complete"
 
       #sync websites

data/spec/lib/erp_tech_svcs/extensions/active_record/has_roles_spec.rb

@@ -4,17 +4,20 @@ describe ErpTechSvcs::Extensions::ActiveRecord::HasSecurityRoles do
   before(:all) do
     @user = FactoryGirl.create(:user)
     @user_2 = FactoryGirl.create(:user)
-    @admin_role = SecurityRole.create(:description => 'Admin', :internal_identifier => 'admin')
-    @employee_role = SecurityRole.create(:description => 'Employee', :internal_identifier => 'employee')
-    @manager_role = SecurityRole.create(:description => 'Manager', :internal_identifier => 'manager')
+
+    @admin_role = SecurityRole.find_or_create_by_description_and_internal_identifier(:description => 'Admin', :internal_identifier => 'admin')
+    @employee_role = SecurityRole.find_or_create_by_description_and_internal_identifier(:description => 'Employee', :internal_identifier => 'employee')
+    @manager_role = SecurityRole.find_or_create_by_description_and_internal_identifier(:description => 'Manager', :internal_identifier => 'manager')
   end
   
   it "should allow you to add a role" do
     @user.add_role(@admin_role)
+    @user.remove_all_roles
   end
 
   it "should allow you to add multiple roles by Role instance or iid" do
     @user.add_roles(@admin_role, 'manager')
+    @user.remove_all_roles
   end
 
   it "should allow you to add multiple roles by array or arguments" do
@@ -35,11 +38,13 @@ describe ErpTechSvcs::Extensions::ActiveRecord::HasSecurityRoles do
   end
 
   it "should allow you to remove a role" do
+    @user.add_role(@admin_role)
     @user.remove_role(@admin_role)
     @user.has_role?(@admin_role).should eq false
   end
 
   it "should allow you to remove multiple roles by Role instance or iid" do
+    @user.add_roles(@admin_role, 'manager')
     @user.remove_roles(@employee_role, 'manager')
     @user.has_role?(@employee_role).should eq false
     @user.has_role?('manager').should eq false

data/spec/spec_helper.rb

@@ -20,6 +20,8 @@ Spork.prefork do
   require File.expand_path(DUMMY_APP_ROOT + "/config/environment.rb",  __FILE__)
 
   ActiveRecord::Base.configurations = YAML::load(IO.read(DUMMY_APP_ROOT + "/config/database.yml"))
+  `rake db:drop RAILS_ENV=spec`
+  `rake db:create RAILS_ENV=spec`
   ActiveRecord::Base.establish_connection(ENV["DB"] || "spec")
   ActiveRecord::Migration.verbose = false
 
@@ -43,12 +45,12 @@ Spork.each_run do
   #We have to execute the migrations from dummy app directory
   Dir.chdir DUMMY_APP_ROOT
   `rake db:drop RAILS_ENV=spec`
+  `rake db:create RAILS_ENV=spec`
   Dir.chdir ENGINE_RAILS_ROOT
 
   #We have to execute the migratiapp:compass_ae:install:data_migrationsons from dummy app directory
   Dir.chdir DUMMY_APP_ROOT
   
-  
   `rake compass_ae:install:migrations RAILS_ENV=spec`
   `rake compass_ae:install:data_migrations RAILS_ENV=spec`
   `rake db:migrate RAILS_ENV=spec`

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: erp_tech_svcs
 version: !ruby/object:Gem::Version
-  version: 3.1.0
+  version: 3.1.1
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-01-11 00:00:00.000000000 Z
+date: 2013-02-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: erp_base_erp_svcs
@@ -305,18 +305,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
-      segments:
-      - 0
-      hash: 697401427352755655
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
-      segments:
-      - 0
-      hash: 697401427352755655
 requirements: []
 rubyforge_project: 
 rubygems_version: 1.8.24