express_access 1.0.0.a

data/test/fixtures/express_access/roles.yml

@@ -0,0 +1,34 @@
+DEFAULTS: &DEFAULTS
+  created_at: <%= Time.now %>
+  updated_at: <%= Time.now %>
+
+author:
+  name: Author
+  parent:
+  description: An author -- someone who writes.
+  after_sign_in_path: "/posts"
+  <<: *DEFAULTS
+
+editor:
+  name: Editor
+  parent: author
+  description: Editor - someone who edits.
+  <<: *DEFAULTS
+
+publisher:
+  name: Publisher
+  parent: author
+  description: Publishers - someone who publishes.
+  <<: *DEFAULTS
+
+admin:
+  name: Admin
+  parent: publisher
+  description: Keys to the kingdom.
+  <<: *DEFAULTS
+
+expresser:
+  name: Expresser
+  parent:
+  description: Expresser - someone who manages an appexpress site
+  <<: *DEFAULTS

data/test/fixtures/express_access/user_permissions.yml

@@ -0,0 +1,5 @@
+# Read about fixtures at http://api.rubyonrails.org/classes/ActiveRecord/FixtureSet.html
+
+editor_specific:
+  user: editor
+  permission: user_specific_permission

data/test/fixtures/express_access/user_roles.yml

@@ -0,0 +1,19 @@
+admin_admin:
+  user: admin
+  role: admin
+
+author_author:
+  user: author
+  role: author
+
+editor_editor:
+  user: editor
+  role: editor
+
+publisher_publisher:
+  user: publisher
+  role: publisher
+
+expresser_expresser:
+  user: expresser
+  role: expresser

data/test/fixtures/users.yml

@@ -0,0 +1,22 @@
+admin:
+  email: admin@example.com
+  encrypted_password: "$2a$10$3HSyBlfJ2zY3GPxEe1MmC.N8MKsSNYxv/lQR5yEW/ZsCKEzEjU/Vm"
+
+author:
+  email: author@example.com
+  encrypted_password: "$2a$10$3HSyBlfJ2zY3GPxEe1MmC.N8MKsSNYxv/lQR5yEW/ZsCKEzEjU/Vm"
+
+editor:
+  email: editor@example.com
+  encrypted_password: "$2a$10$3HSyBlfJ2zY3GPxEe1MmC.N8MKsSNYxv/lQR5yEW/ZsCKEzEjU/Vm"
+
+publisher:
+  email: publisher@example.com
+  encrypted_password: "$2a$10$3HSyBlfJ2zY3GPxEe1MmC.N8MKsSNYxv/lQR5yEW/ZsCKEzEjU/Vm"
+
+nobody:
+  email: nobody@example.com
+  encrypted_password: "$2a$10$3HSyBlfJ2zY3GPxEe1MmC.N8MKsSNYxv/lQR5yEW/ZsCKEzEjU/Vm"
+
+expresser:
+  email: expresser@example.com

data/test/helpers/express_access/permissions_helper_test.rb

@@ -0,0 +1,6 @@
+require 'test_helper'
+
+module ExpressAccess
+  class PermissionsHelperTest < ActionView::TestCase
+  end
+end

data/test/helpers/express_access/roles_helper_test.rb

@@ -0,0 +1,6 @@
+require 'test_helper'
+
+module ExpressAccess
+  class RolesHelperTest < ActionView::TestCase
+  end
+end

data/test/integration/navigation_test.rb

@@ -0,0 +1,33 @@
+require 'test_helper'
+
+class NavigationTest < ActionDispatch::IntegrationTest
+  fixtures :all
+
+  test "redirect to login if not logged in" do
+    get '/posts'
+    assert_redirected_to new_user_session_path
+  end
+
+  test 'current user sees posts if they have permission' do
+    post_via_redirect user_session_path,
+                      "user[email]" => 'editor@example.com',
+                      "user[password]" => 'asdfasdf'
+    assert_equal "/", path
+    get '/posts'
+    assert_response :success
+  end
+
+  test "current user is redirected to the after_sign_in_path" do
+    post_via_redirect user_session_path,
+                      "user[email]" => "author@example.com",
+                      "user[password]" => "asdfasdf"
+    assert_equal "/posts", path
+  end
+
+  test "current user is redirected to the root_path if user's after_sign_in_path is nil" do
+    post_via_redirect user_session_path,
+                      "user[email]" => "editor@example.com",
+                      "user[password]" => "asdfasdf"
+    assert_equal "/", path
+  end
+end

data/test/lib/authorization_filter_test.rb

@@ -0,0 +1,64 @@
+require 'test_helper'
+
+module ExpressAccess
+  class AuthorizationFilterTest < ActiveSupport::TestCase
+    def setup
+      ExpressAccess.initialize_user!
+    end
+
+    def controller(controller, action, path, user)
+      OpenStruct.new( request: OpenStruct.new(
+          params: {
+            controller: controller,
+            action: action,
+            path: path
+          },
+          env: '123.123.123.123'
+        ),
+        current_user: user.nil? ? nil : users(user),
+        "access_authorization_failed!" => nil,
+        "authenticate_user!" => nil,
+      )
+    end
+
+    test 'if controller has current user and if current user has permission' do
+      assert_nil ExpressAccess::AuthorizationFilter.before(controller("posts", "edit", "posts/1/edit", :editor))
+    end
+
+    test 'if controller has current user and if current user has no permission' do
+      mock_obj = Minitest::Mock.new
+      mock_obj.expect(:call, nil)
+      c = controller("admin", "index", "admin", :editor)
+      c.stub(:access_authorization_failed!, mock_obj) do
+        ExpressAccess::AuthorizationFilter.before(c)
+      end
+      mock_obj.verify
+    end
+
+    test 'if controller has no current user and Devise is not defined' do
+      TempDevise = Devise
+      Object.send(:remove_const, :Devise)
+      assert_nil defined?(Devise)
+      mock_obj = Minitest::Mock.new
+      mock_obj.expect(:call, nil)
+      c = controller("admin", "index", "admin", :editor)
+      c.stub(:access_authorization_failed!, mock_obj) do
+        ExpressAccess::AuthorizationFilter.before(c)
+      end
+      mock_obj.verify
+      ::Devise = TempDevise
+      assert_equal 'constant', defined?(Devise)
+    end
+
+    test 'if controller has no current user and Devise is defined' do
+      assert_equal 'constant', defined?(Devise)
+      mock_obj = Minitest::Mock.new
+      mock_obj.expect(:call, nil)
+      c = controller("admin", "index", "admin", nil)
+      c.stub(:authenticate_user!, mock_obj) do
+        ExpressAccess::AuthorizationFilter.before(c)
+      end
+      mock_obj.verify
+    end
+  end
+end

data/test/lib/generators/express_access/install/install_generator_test.rb

@@ -0,0 +1,16 @@
+require 'test_helper'
+require 'generators/express_access/install/install_generator'
+
+module ExpressAccess
+  class ExpressAccess::InstallGeneratorTest < Rails::Generators::TestCase
+    tests ExpressAccess::InstallGenerator
+    destination Rails.root.join('tmp/generators')
+    setup :prepare_destination
+
+    # test "generator runs without errors" do
+    #   assert_nothing_raised do
+    #     run_generator ["arguments"]
+    #   end
+    # end
+  end
+end

data/test/models/express_access/audit_log_test.rb

@@ -0,0 +1,9 @@
+require 'test_helper'
+
+module ExpressAccess
+  class AuditLogTest < ActiveSupport::TestCase
+    # test "the truth" do
+    #   assert true
+    # end
+  end
+end

data/test/models/express_access/permission_test.rb

@@ -0,0 +1,50 @@
+require 'test_helper'
+
+module ExpressAccess
+  class PermissionTest < ActiveSupport::TestCase
+
+    test "Permission.[] looks up permissions" do
+      assert Permission[:admin]
+    end
+
+    # test '.for returns the most specific applicable permission'
+
+    def assert_permission(name, is_for: [])
+      named_args = {controller: is_for[0], action: is_for[1], path: is_for[2]}
+      assert_equal Permission[name].name, Permission.for(**named_args).try(:name)
+    end
+
+    test 'controller#action specific permissions have priority' do
+      assert_permission 'posts#edit', is_for:    ['posts', 'edit', '/admin/posts/123/edit']
+      assert_permission 'posts#edit', is_for:    ['posts', 'edit', '/posts/123/edit']
+      assert_permission 'posts#edit', is_for:    ['posts', 'edit', 'askdjfklasdfhjk']
+
+      assert_permission 'posts#publish', is_for: ['posts', 'publish', '/admin/posts/123/publish']
+    end
+
+    test 'resource permission overrides controller#action when path is longer' do
+      assert_permission '/posts/999', is_for: ['posts', 'publish', '/posts/999/publish']
+    end
+
+    test 'bare controller permission protects a controller regardless of path' do
+      assert_permission 'posts', is_for: ['posts', 'show', '/admin/posts/123']
+      assert_permission 'posts', is_for: ['posts', 'whatever', nil]
+      assert_permission 'posts', is_for: ['posts', 'index', '/']
+    end
+
+    test 'locked parent path locks sub paths' do
+      assert_permission '/accounting', is_for: ['invoices', 'index', '/accounting/invoices']
+      assert_permission '/accounting', is_for: ['invoices', 'create', '/accounting/invoices']
+    end
+
+    test 'sub path permission takes precedence over parent path permission' do
+      assert_permission '/accounting/gl', is_for: ['gl/entry', 'index', '/accounting/gl/entries']
+      assert_permission '/accounting/gl', is_for: ['gl/entry', 'create', '/accounting/gl/entries']
+    end
+
+
+    test ".for returns nil for requests that have no applicable permission" do
+      assert_nil Permission.for(controller: 'jhasdkfjgha', action: 'index', path: '/asdfkgnqe/')
+    end
+  end
+end

data/test/models/express_access/role_permission_test.rb

@@ -0,0 +1,9 @@
+require 'test_helper'
+
+module ExpressAccess
+  class RolePermissionTest < ActiveSupport::TestCase
+    # test "the truth" do
+    #   assert true
+    # end
+  end
+end

data/test/models/express_access/role_test.rb

@@ -0,0 +1,36 @@
+require 'test_helper'
+
+module ExpressAccess
+  class RoleTest < ActiveSupport::TestCase
+
+    test "there are 5 roles" do
+      assert_equal 5, Role.count
+    end
+
+    test "#expressers return users with role of expresser" do
+      assert_equal 1, Role.expressers.count
+    end
+
+    test "parent relationships are set properly" do
+      assert_equal Role[:author], Role[:editor].parent
+      assert_equal Role[:author], Role[:publisher].parent
+    end
+
+    test "top_level scope identifies roles without a parent" do
+      [Role[:expresser], Role[:author]].each do |role|
+        assert_includes Role.top_level, role
+      end
+    end
+
+    test "roles have permissions" do
+      assert_includes Role[:author].permissions, Permission[:posts]
+      assert_not_includes Role[:author].permissions, Permission[:posts_edit]
+      assert_includes Role[:editor].permissions, Permission[:"posts#edit"]
+    end
+
+    test "roles inherit permissions from parent roles" do
+      assert_includes Role[:editor].permissions, Permission[:posts]
+    end
+
+  end
+end

data/test/models/express_access/user_permission_test.rb

@@ -0,0 +1,9 @@
+require 'test_helper'
+
+module ExpressAccess
+  class UserPermissionTest < ActiveSupport::TestCase
+    # test "the truth" do
+    #   assert true
+    # end
+  end
+end

data/test/models/express_access/user_role_test.rb

@@ -0,0 +1,9 @@
+require 'test_helper'
+
+module ExpressAccess
+  class UserRoleTest < ActiveSupport::TestCase
+    # test "the truth" do
+    #   assert true
+    # end
+  end
+end

data/test/models/express_access/user_test.rb

@@ -0,0 +1,77 @@
+require 'test_helper'
+
+module ExpressAccess
+  class UserTest < ActiveSupport::TestCase
+
+    setup do
+      ExpressAccess.initialize_user!
+    end
+
+    test "ExpressAccess::User included in ::User" do
+      assert_includes ::User.ancestors, ExpressAccess::User
+    end
+
+    test "user has direct permissions" do
+      assert_includes users(:editor).direct_permissions, Permission[:something_special]
+    end
+
+    test "user permissions include direct_permissions" do
+      assert users(:editor).direct_permissions.to_set <= users(:editor).permissions
+    end
+
+    test "#may? is true if a user has that permission" do
+      assert users(:editor).may?(:something_special)
+      assert users(:editor).may_do?(:something_special)
+    end
+
+    test "user has roles" do
+      assert users(:editor).roles.includes(Role[:editor])
+    end
+
+    test "user has permissions through role" do
+      assert users(:editor).may_do?("posts#edit")
+    end
+
+    test "user permissions includes role and direct permissions" do
+      assert users(:editor).direct_permissions.to_set <= users(:editor).permissions
+      assert users(:editor).role_permissions.to_set <= users(:editor).permissions
+    end
+
+    test "user provides sexy method_missing dsl" do
+      assert users(:editor).may_edit?(:posts)
+    end
+
+    # that which is not forbidden is permitted
+    test "user may do something if no such permission exists" do
+      assert users(:editor).may_destroy?(:posts)
+    end
+
+    test "user may not do something if they do not have permission" do
+      assert_not users(:nobody).may_edit?(:posts)
+    end
+
+    test "user can be assigned direct_permissions" do
+      refute users(:author).may_do?(:something_special)
+      users(:author).direct_permission_ids = [Permission[:something_special].id]
+      assert users(:author).may_do?(:something_special)
+    end
+
+    test "#after_sign_in_path retrieves after_sign_in_path from roles" do
+      author = users(:author)
+
+      assert_equal "/posts", author.after_sign_in_path
+    end
+
+    test "#after_sign_in_path returns nil if any of the user's roles don't have #after_sign_in_path value" do
+      editor = users(:editor)
+
+      assert_nil editor.after_sign_in_path
+    end
+
+    test "#after_sign_in_path returns nil if user has no roles" do
+      nobody = users(:nobody)
+
+      assert_nil nobody.after_sign_in_path
+    end
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,19 @@
+# Configure Rails Environment
+ENV["RAILS_ENV"] = "test"
+
+require File.expand_path("../dummy/config/environment.rb",  __FILE__)
+require "rails/test_help"
+require 'minitest/rg'
+require 'minitest/mock'
+require 'pry'
+
+Rails.backtrace_cleaner.remove_silencers!
+
+# Load support files
+Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each { |f| require f }
+
+
+if ActiveSupport::TestCase.respond_to?(:fixture_path=)
+  ActiveSupport::TestCase.fixture_path = File.expand_path("../fixtures", __FILE__)
+  ActiveSupport::TestCase.fixtures :all
+end