fat_model_auth 2.0.1

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2009 [Brent Greeff]
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,172 @@
+= Fat Model Auth
+
+Wikipedia defines Authorization as 'the function of specifying access rights to resources'.
+Fat Model Auth allows the resources themselves to define these rights.
+
+== Fat Model Auth is a simple, clean authorization system for Rails
+
+* How simple?
+
+== Controller
+
+* Imagine you have a controller for Articles:
+      
+      before_filter :load_article
+      
+      def edit
+      end
+      
+      def update
+        # Update shazam
+      end
+      
+      private
+      
+      def load_article
+        Article.find(params[:id])
+      end
+
+* We want to ensure only the Articles Author can view the edit page or update
+* an Article.
+
+* Just Add a before filter:
+
+      before_filter :auth_required, :only => [:edit, :update]
+
+* Add it AFTER you load the article
+
+Go ahead and try and view the article
+
+* We are missing something:
+
+      undefined method 'allows' for #<Article:0x204a8d8>
+
+== Model
+
+* Just add the following to your Article model:
+
+      allows :edit, :update,
+        :if => proc {|article, user| article.author == user}
+
+* Need different rules for different actions:
+
+      allows :edit,
+        :if => proc {|article, user| article.author.name.eql? 'Jeff'}
+      
+      allows :update,
+        :if => proc {|article, user| article.allows_updating?}
+
+
+Control which functions are displayed to a user
+
+== View
+
+      <%= link_to('EDIT', edit_article_path(article)) if allowed_to? :edit => article -%>
+
+* What about groups of controls:
+
+      <% if allowed_to? :edit_or_destroy => article -%>
+        <funky>html</funky> 
+      <% end %>
+      
+
+Thats it.
+
+== Test First
+
+The rules that define access control, are defined in the model.
+If you are testing first, start with a unit test:
+
+* EDIT
+
+      assert @article.allows(@article.author).to_edit?
+      
+      deny @article.allows(@someone_else).to_edit?
+
+* UPDATE
+
+      assert @article.allows(@jeff).to_update?
+      
+      deny @article.allows(@sammy).to_update?
+
+These magic methods are created when you define 'allows' on your model.
+
+When you say 'auth_required' in a before filter:
+The plugin looks for an object based on the name of the controller:
+
+So if you put the before filter in the 'articles_controller'
+and you call the 'edit' action,
+
+it generates the following call:
+
+      @article.allows(current_user).to_edit?
+
+
+What happens if I am editing articles but I am not in the articles_controller?
+
+* Just add this to the controller
+      
+      class RestlessController < ApplicationController
+        def override_authority
+          @article
+        end
+      end
+
+== Remember
+
+1. A nil current_user will always return access_denied.
+
+== Access Denied is 404
+
+Thats right deal with it or fork it.
+
+Trying to access a resource without permission returns 404
+In other words:
+
+      "Say What?"
+
+== New & Create and complex conditons
+
+If you have complex conditions or when creating a new object
+it may not have the information you need in a before filter.
+
+You can always get the same result by being explicit in the method:
+      
+      # Articles controller
+      
+      def create
+        @article = current_user.articles.build(params[:article])
+        return if access_denied?
+      end
+
+== Testing my controllers
+
+      login_as @no_good_user
+      get :edit, :id => @article.id
+      
+      assert_response :not_found
+      assert_template 'public/404'
+
+If you are using mock user, you may want to stub the response
+
+@article.expects(:allows).returns(FatModelAuth::CannedGateKeeper.allows(:edit))
+
+or
+
+@article.expects(:allows).returns(FatModelAuth::CannedGateKeeper.denies(:edit))
+
+
+== Testing my views
+
+Who does that?
+
+step 1. Install should_pricot
+      
+      login_as @no_good_user
+      get :edit, :id => @article.id
+      
+      element('#power_user a[@href="/create/havok"]').should_be_missing
+
+
+
+Copyright (c) 2009 [Brent Greeff], released under the MIT license

data/Rakefile

@@ -0,0 +1,23 @@
+require 'rake'
+require 'rake/testtask'
+require 'rake/rdoctask'
+
+desc 'Default: run unit tests.'
+task :default => :test
+
+desc 'Test the fat_model_auth plugin.'
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = true
+end
+
+desc 'Generate documentation for the fat_model_auth plugin.'
+Rake::RDocTask.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'FatModelAuth'
+  rdoc.options << '--line-numbers' << '--inline-source'
+  rdoc.rdoc_files.include('README')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/VERSION

@@ -0,0 +1 @@
+2.0.0

data/lib/fat_model_auth.rb

@@ -0,0 +1,9 @@
+require 'fat_model_auth/canned_gate_keeper'
+require 'fat_model_auth/controller_helpers'
+require 'fat_model_auth/gate_keeper'
+require 'fat_model_auth/model_helpers'
+require 'fat_model_auth/view_helpers'
+
+ActionController::Base.send(:include, FatModelAuth::ControllerHelpers)
+ActiveRecord::Base.send(:extend, FatModelAuth::ModelHelpers)
+ActionView::Base.send(:include, FatModelAuth::ViewHelpers)

data/lib/fat_model_auth/canned_gate_keeper.rb

@@ -0,0 +1,40 @@
+module FatModelAuth
+  class CannedGateKeeper
+    
+    def self.allows(method)
+      self.new(method => true)
+    end
+    
+    def self.denies(method)
+      self.new(method => false)
+    end
+    
+    def self.build(params)
+      self.new(params)
+    end
+    
+    def allows(user)
+      self
+    end
+    
+    def initialize(params)
+      @map = {}
+      add_rules(params)
+    end
+    
+    def add_rules(params)
+      for param in params
+        response = param.pop
+        @map["to_#{param.pop}?".to_sym] = lambda { response }
+      end
+    end
+    
+    def method_missing(method, *args)
+      unless @map.has_key? method
+        raise NoMethodError, "undefined method allows(user).#{method} for #{self.class}"
+      end
+      
+      @map[method].call
+    end
+  end
+end

data/lib/fat_model_auth/controller_helpers.rb

@@ -0,0 +1,45 @@
+module FatModelAuth
+  class AuthException < Exception; end
+  
+  module ControllerHelpers
+    protected
+    
+    def auth_required
+      authority = get_authority
+      
+      access_granted = authority.allows(current_user).send "to_#{params[:action]}?"
+      respond_with_404_page unless access_granted
+    end
+    
+    def access_denied?
+      authority = get_authority
+      
+      access_granted = authority.allows(current_user).send "to_#{params[:action]}?"
+      if access_granted
+        false
+      else
+        respond_with_404_page
+        true
+      end
+    end
+    
+    private
+    
+    def get_authority
+      if self.respond_to? :override_authority
+        authority = override_authority
+        raise FatModelAuth::AuthException, "override_authority defined but nil" if authority.nil?
+      else
+        authority_name = params[:controller].singularize
+        authority = instance_variable_get("@#{authority_name}")
+        raise FatModelAuth::AuthException, "#{authority_name} is nil" if authority.nil?
+      end
+      
+      return authority
+    end
+    
+    def respond_with_404_page
+      render "#{RAILS_ROOT}/public/404.html", :status => 404
+    end
+  end
+end

data/lib/fat_model_auth/gate_keeper.rb

@@ -0,0 +1,33 @@
+module FatModelAuth
+  class GateKeeper
+    
+    def initialize(params)
+      @map = {}
+      add_rules(params)
+    end
+    
+    def add_rules(params)
+      auth_condition = params.pop[:if]
+      methods = params
+      
+      for method in methods
+        @map["to_#{method}?".to_sym] = auth_condition
+      end
+    end
+    
+    def check(model, user)
+      @model = model
+      @user = user
+      self
+    end
+    
+    def method_missing(method, *args)
+      unless @map.has_key? method
+        raise NoMethodError, "undefined method allows(user).#{method} for #{@model.inspect}"
+      end
+      return false if @user.nil?
+      
+      @map[method].call(@model, @user)
+    end
+  end
+end

data/lib/fat_model_auth/model_helpers.rb

@@ -0,0 +1,20 @@
+module FatModelAuth
+  module ModelHelpers
+    def allows(*params)
+      if self.respond_to? :gate_keeper
+        class_eval do
+          self.gate_keeper.add_rules(params)
+        end
+      else
+        class_eval do
+          cattr_accessor :gate_keeper
+          self.gate_keeper = FatModelAuth::GateKeeper.new(params)
+          
+          define_method "allows" do |user|
+            self.gate_keeper.check(self, user)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/fat_model_auth/view_helpers.rb

@@ -0,0 +1,18 @@
+module FatModelAuth
+  module ViewHelpers
+    def allowed_to?(options)
+      authority = options.values.first
+      
+      get_actions(options).each do |action|
+        return true if authority.allows(current_user).send "to_#{action}?"
+      end
+      return false
+    end
+    
+    private
+    
+    def get_actions(options)
+      return options.keys.first.to_s.split('_or_')
+    end
+  end
+end

data/test/fat_model_auth_test.rb

@@ -0,0 +1,8 @@
+require 'test_helper'
+
+class FatModelAuthTest < ActiveSupport::TestCase
+  # Replace this with your real tests.
+  test "the truth" do
+    assert true
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,3 @@
+require 'rubygems'
+require 'active_support'
+require 'active_support/test_case'

metadata

@@ -0,0 +1,79 @@
+--- !ruby/object:Gem::Specification 
+name: fat_model_auth
+version: !ruby/object:Gem::Version 
+  hash: 13
+  prerelease: false
+  segments: 
+  - 2
+  - 0
+  - 1
+  version: 2.0.1
+platform: ruby
+authors: 
+- Brent Greeff
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-10-30 00:00:00 +01:00
+default_executable: 
+dependencies: []
+
+description: Clean resource based Authorisation plugin for Rails.
+email: email@brentgreeff.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- MIT-LICENSE
+- README.rdoc
+files: 
+- MIT-LICENSE
+- README.rdoc
+- Rakefile
+- VERSION
+- lib/fat_model_auth.rb
+- lib/fat_model_auth/canned_gate_keeper.rb
+- lib/fat_model_auth/controller_helpers.rb
+- lib/fat_model_auth/gate_keeper.rb
+- lib/fat_model_auth/model_helpers.rb
+- lib/fat_model_auth/view_helpers.rb
+- test/fat_model_auth_test.rb
+- test/test_helper.rb
+has_rdoc: true
+homepage: http://github.com/brentgreeff/fat_model_auth
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.7
+signing_key: 
+specification_version: 3
+summary: Clean resource based Authorisation plugin for Rails.
+test_files: []
+