RubyGems - grant - Versions diffs - 1.0.1 → 2.0.0 - Mend

grant 1.0.1 → 2.0.0

Files changed (7) hide show

data/README.rdoc CHANGED

@@ -2,7 +2,7 @@
 Grant is a Ruby gem and Rails plugin that forces you to make explicit security decisions about the operations performed on your ActiveRecord models. It provides a declarative way to specify rules granting permission to perform CRUD operations on ActiveRecord objects.
-Grant does not allow you to specify which operations are restricted. Instead, it restricts all CRUD operations unless they're explicitly granted to the user. It also restricts adding or removing items to/from has_many and has_and_belongs_to_many associations. Only allowing operations explicitly granted forces you to make conscious security decisions. Grant will not help you make those decisions, but it won't let you forget to.
+Grant does not allow you to specify which operations are restricted. Instead, it restricts all CRUD operations unless they're explicitly granted to the user. Only allowing operations explicitly granted forces you to make conscious security decisions. Grant will not help you make those decisions, but it won't let you forget to.
 Additional information beyond that found in this README is available on the wiki[https://github.com/nearinfinity/grant/wiki].
@@ -40,7 +40,7 @@ Grant needs to know who the current user is, but with no standard for doing so y
 = Usage
-To enable model security you simply include the Grant::ModelSecurity module in your model class. In the example below you see three grant statements. The first grants find (aka read) permission all the time. The second example grants create, update, and destroy permission when the passed block evaluates to true, which in this case happens when the model is editable by the current user. Similarly, the third grant statement permits additions and removals from the tags association when it's block evaluates to true. A Grant::Error is raised if any grant block evaluates to false or nil.
+To enable model security you simply include the Grant::ModelSecurity module in your model class. In the example below you see two grant statements. The first grants find (aka read) permission all the time. The second example grants create, update, and destroy permission when the passed block evaluates to true, which in this case happens when the model is editable by the current user. A Grant::Error is raised if any grant block evaluates to false or nil.
   class Book < ActiveRecord::Base
     include Grant::ModelSecurity
@@ -48,14 +48,13 @@ To enable model security you simply include the Grant::ModelSecurity module in y
     has_many :tags
     grant(:find) { true }
     grant(:create, :update, :destroy) { |user, model| model.editable_by_user? user }
-    grant(:add => :tags, :remove => :tags) { |user, model, associated_model| model.editable_by_user? user }
     def editable_by_user? user
       user.administrator? || user.has_role?(:editor)
     end
   end
-The valid actions to pass to a grant statement are :find, :create, :update, :destroy, :add, and :remove. The first four options are passed as symbols while :add and :remove are hash keys to association names they protect. Any number of options can be passed to a single grant statement, which is very useful if each of the actions share the same logic for determining access.
+The valid actions to pass to a grant statement are :find, :create, :update, and :destroy. Each action can be passed as a Symbol or String. Any number of actions can be passed to a single grant statement, which is very useful if each of the actions share the same logic for determining access.
 = Integration

data/lib/grant/config_parser.rb CHANGED

@@ -2,24 +2,20 @@ module Grant
   class ConfigParser
     def self.extract_config(args)
-      hash = (args.pop if args.last.is_a?(::Hash)) || {}
-      normalize_config args, hash
-      validate_config args, hash
-      [args, hash]
+      normalize_config args
+      validate_config args
+      args
     end
     private
-      def self.normalize_config(actions, associations)
+      def self.normalize_config(actions)
         actions.each_with_index { |item, index| actions[index] = item.to_sym unless item.kind_of? Symbol }
-        associations.each_pair { |k, v| associations[k.to_sym] = associations.delete(k) unless k.kind_of? Symbol }
       end
-      def self.validate_config(actions, associations)
-        raise Grant::Error.new("at least one :create, :find, :update, or :destroy action must be specified") if actions.empty? && associations.empty?
+      def self.validate_config(actions)
+        raise Grant::Error.new("at least one :create, :find, :update, or :destroy action must be specified") if actions.empty?
         raise Grant::Error.new(":create, :find, :update, and :destroy are the only valid actions") unless actions.all? { |a| [:create, :find, :update, :destroy].include? a }
-        raise Grant::Error.new(":add and :remove are the only valid association specifications") unless associations.keys.all? { |k| [:add, :remove].include? k }
       end
   end

data/lib/grant/model_security.rb CHANGED

@@ -13,7 +13,7 @@ module Grant
             grant_raise_error(grant_current_user, '#{action}', self) unless grant_disabled?
           end
         RUBY
-        base.send callback.to_sym, "grant_#{callback}".to_sym
+        base.send(callback.to_sym, "grant_#{callback}".to_sym)
       end
       base.extend ClassMethods
@@ -30,28 +30,17 @@ module Grant
       Grant::ThreadStatus.disabled? || @grant_disabled
     end
-    def grant_raise_error(user, action, model, association_id=nil, associated_model=nil)
+    def grant_raise_error(user, action, model, association_id=nil)
       msg = ["#{action} permission",
         "not granted to #{user.class.name}:#{user.id}",
         "for resource #{model.class.name}:#{model.id}"]
-      msg.insert(1, "to #{association_id}:#{associated_model.class.name} association") if association_id && associated_model
       raise Grant::Error.new(msg.join(' '))
     end
     module ClassMethods
       def grant(*args, &blk)
-        actions, associations = Grant::ConfigParser.extract_config(args)
-        associations.each_pair do |action, association_ids|
-          Array(association_ids).each do |association_id|
-            grant_callback = "grant_#{action}_#{association_id}".to_sym
-            define_method(grant_callback) do |associated_model|
-              grant_raise_error(grant_current_user, action, self, association_id, associated_model) unless grant_disabled? || blk.call(grant_current_user, self, associated_model)
-            end
-          end
-        end
+        actions = Grant::ConfigParser.extract_config(args)
         actions.each do |action|
           grant_callback = (action.to_sym == :find ? "grant_after_find" : "grant_before_#{action}").to_sym
           define_method(grant_callback) do
@@ -59,43 +48,8 @@ module Grant
           end
         end
       end
-      def has_and_belongs_to_many(association_id, options={}, &extension)
-        add_grant_association_callback(:add, association_id, options)
-        add_grant_association_callback(:remove, association_id, options)
-        super
-      end
-      def has_many(association_id, options={}, &extension)
-        add_grant_association_callback(:add, association_id, options)
-        add_grant_association_callback(:remove, association_id, options)
-        super
-      end
-      private
-        def add_grant_association_callback(action, association_id, options)
-          callback_name = "before_#{action}".to_sym
-          callback = "grant_#{action}_#{association_id}".to_sym
-          unless self.instance_methods.include? callback.to_s
-            class_eval <<-RUBY
-              def #{callback}(associated_model)
-                grant_raise_error(grant_current_user, '#{action}', self, '#{association_id}', associated_model) unless grant_disabled?
-              end
-            RUBY
-          end
-          if options.has_key? callback_name
-            if options[callback_name].kind_of? Array
-              options[callback_name].insert(0, callback)
-            else
-              options[callback_name] = [callback, options[callback_name]]
-            end
-          else
-            options[callback_name] = callback
-          end
-        end
     end
   end
 end

data/lib/grant/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Grant
-  VERSION = "1.0.1"
+  VERSION = "2.0.0"
 end

data/spec/config_parser_spec.rb CHANGED

@@ -4,56 +4,29 @@ require 'grant'
 describe Grant::ConfigParser do
   describe 'Configuration' do
-    it "should parse actions and associations from a config array" do
-      config = Grant::ConfigParser.extract_config([:create, 'update', {:add => [:people, :places], 'remove' => :people}])
+    it "should parse actions from a config array" do
+      config = Grant::ConfigParser.extract_config([:create, 'update'])
       config.should_not be_nil
-      config.should have(2).items
-      config[0].should =~ [:create, :update]
-      config[1].should == {:add => [:people, :places], :remove => :people}
+      config.should =~ [:create, :update]
     end
-    it "should parse actions from a config array when associations are absent" do
-      config = Grant::ConfigParser.extract_config([:create, :update])
-      config.should_not be_nil
-      config.should have(2).items
-      config[0].should =~ [:create, :update]
-      config[1].should == {}
-    end
-    it "should parse actions and associations from a config array when options are absent" do
-      config = Grant::ConfigParser.extract_config([:create, 'update', {:add => ['people', :places]}])
-      config.should_not be_nil
-      config.should have(2).items
-      config[0].should =~ [:create, :update]
-      config[1].should == {:add => ['people', :places]}
-    end
     it "should parse actions" do
       config = Grant::ConfigParser.extract_config([:create])
       config.should_not be_nil
-      config.should have(2).items
-      config[0].should =~ [:create]
-      config[1].should == {}
+      config.should =~ [:create]
     end
   end
   describe 'Configuration Validation' do
-    it "should raise a Grant::Error if no action or association is specified" do
+    it "should raise a Grant::Error if no action is specified" do
       lambda {
-        Grant::ConfigParser.instance_eval { validate_config([], {}) }
+        Grant::ConfigParser.instance_eval { validate_config([]) }
       }.should raise_error(Grant::Error)
     end
     it "should raise a Grant::Error if an invalid action is specified" do
       lambda {
-        Grant::ConfigParser.instance_eval { validate_config([:create, :udate], {:add => [:people, :places]}) }
-      }.should raise_error(Grant::Error)
-    end
-    it "should raise a Grant::Error if an invalid association is specified" do
-      lambda {
-        Grant::ConfigParser.instance_eval { validate_config([:destroy], {:add => :people, :update => :places}) }
+        Grant::ConfigParser.instance_eval { validate_config([:create, :udate]) }
       }.should raise_error(Grant::Error)
     end
   end

data/spec/model_security_spec.rb CHANGED

@@ -13,15 +13,6 @@ describe Grant::ModelSecurity do
     it 'should establish failing ActiveRecord callbacks for before_create, before_update, before_destroy, and after_find when included' do
       verify_standard_callbacks(new_model_class.new)
     end
-    it 'should establish failing ActiveRecord callbacks for any has_many or has_and_belongs_to_many associations' do
-      c = new_model_class
-      c.instance_eval do
-        has_many :users
-        has_and_belongs_to_many :groups
-      end
-      verify_association_callbacks(c.new)
-    end
   end
   describe '#grant' do
@@ -55,59 +46,12 @@ describe Grant::ModelSecurity do
       c = new_model_class.instance_eval { grant(:create, :update, :destroy, :find) { true }; self }
       verify_standard_callbacks(c.new, :create, :update, :destroy, :find)
     end
-    it 'should allow adding to an association to succeed when granted' do
-      c = new_model_class
-      c.instance_eval do
-        has_many :users
-        has_and_belongs_to_many :groups
-        grant(:add => [:users, :groups]) { true }
-      end
-      verify_association_callbacks(c.new, :add_users, :add_groups)
-    end
-    it 'should allow adding to an association to succeed when granted above association declarations' do
-      c = new_model_class
-      c.instance_eval do
-        grant(:add => [:users, :groups]) { true }
-        has_many :users
-        has_and_belongs_to_many :groups, :before_add => [:bogus1, :bogus2]
-        define_method(:bogus1) {}
-        define_method(:bogus2) {}
-      end
-      verify_association_callbacks(c.new, :add_users, :add_groups)
-    end
-    it 'should allow removing from an association to succeed when granted' do
-      c = new_model_class
-      c.instance_eval do
-        has_many :users
-        has_and_belongs_to_many :groups, :before_remove => :bogus1
-        grant(:remove => [:users, :groups]) { true }
-        define_method(:bogus1) {}
-      end
-      verify_association_callbacks(c.new, :remove_users, :remove_groups)
-    end
-    it 'should allow removing from an association to succeed when granted above association declarations' do
-      c = new_model_class
-      c.instance_eval do
-        grant(:remove => [:users, :groups]) { true }
-        has_many :users
-        has_and_belongs_to_many :groups
-      end
-      verify_association_callbacks(c.new, :remove_users, :remove_groups)
-    end
   end
   def verify_standard_callbacks(instance, *succeeding_callbacks)
     verify_callbacks([:create, :update, :destroy, :find], instance, nil, succeeding_callbacks)
   end
-  def verify_association_callbacks(instance, *succeeding_callbacks)
-    verify_callbacks([:add_users, :remove_users, :add_groups, :remove_groups], instance, new_model_class.new, succeeding_callbacks)
-  end
   def verify_callbacks(all_actions, instance, associated_model, succeeding_callbacks)
     all_actions.each do |action|
       expectation = succeeding_callbacks.include?(action) ? :should_not : :should
@@ -139,24 +83,6 @@ describe Grant::ModelSecurity do
     def self.after_find(method)
       define_method(:find) { send method }
     end
-    def self.has_many(association_id, options, &extension)
-      define_method("add_#{association_id}".to_sym) do |associated_model|
-        Array(options[:before_add]).each { |callback| send(callback, associated_model) }
-      end
-      define_method("remove_#{association_id}".to_sym) do |associated_model|
-        Array(options[:before_remove]).each { |callback| send(callback, associated_model) }
-      end
-    end
-    def self.has_and_belongs_to_many(association_id, options, &extension)
-      define_method("add_#{association_id}".to_sym) do |associated_model|
-        Array(options[:before_add]).each { |callback| send(callback, associated_model) }
-      end
-      define_method("remove_#{association_id}".to_sym) do |associated_model|
-        Array(options[:before_remove]).each { |callback| send(callback, associated_model) }
-      end
-    end
   end
 end

metadata CHANGED

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: grant
 version: !ruby/object:Gem::Version
-  hash: 21
+  hash: 15
   prerelease: false
   segments:
-  - 1
+  - 2
   - 0
-  - 1
-  version: 1.0.1
+  - 0
+  version: 2.0.0
 platform: ruby
 authors:
 - Jeff Kunkle
@@ -16,7 +16,7 @@ autorequire:
 bindir: bin
 cert_chain: []
-date: 2010-12-29 00:00:00 -05:00
+date: 2011-01-05 00:00:00 -05:00
 default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency