grant 2.0.0 → 2.0.1

data/.gitignore

@@ -0,0 +1,5 @@
+coverage
+rdoc
+grant-*.gem
+tmp/
+pkg/

data/CHANGELOG.md

@@ -0,0 +1,11 @@
+## 2.0.0 (January 5, 2011)
+
+Features:
+
+  - Removed the ability to protect adding and removing from association collections. See the [related issue](https://github.com/nearinfinity/grant/issues#issue/1) for details
+
+## 1.0.1 (December 29, 2010)
+
+Changes:
+
+  - Changed Grant from strictly a Rails plugin to a Ruby gem. No functionality changes or bug fixes.

data/Gemfile

@@ -0,0 +1,4 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in grant.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,43 @@
+PATH
+  remote: .
+  specs:
+    grant (2.0.1)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    activemodel (3.0.5)
+      activesupport (= 3.0.5)
+      builder (~> 2.1.2)
+      i18n (~> 0.4)
+    activerecord (3.0.5)
+      activemodel (= 3.0.5)
+      activesupport (= 3.0.5)
+      arel (~> 2.0.2)
+      tzinfo (~> 0.3.23)
+    activesupport (3.0.5)
+    arel (2.0.9)
+    builder (2.1.2)
+    diff-lcs (1.1.2)
+    i18n (0.5.0)
+    rspec (2.5.0)
+      rspec-core (~> 2.5.0)
+      rspec-expectations (~> 2.5.0)
+      rspec-mocks (~> 2.5.0)
+    rspec-core (2.5.1)
+    rspec-expectations (2.5.0)
+      diff-lcs (~> 1.1.2)
+    rspec-mocks (2.5.0)
+    sqlite3 (1.3.3)
+    sqlite3-ruby (1.3.3)
+      sqlite3 (>= 1.3.3)
+    tzinfo (0.3.24)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  activerecord (> 3.0.0)
+  grant!
+  rspec (= 2.5.0)
+  sqlite3-ruby (= 1.3.3)

data/README.rdoc

@@ -26,7 +26,10 @@ Lastly, Grant can also be installed as a Rails plugin
 
 = Setup
 
-Grant needs to know who the current user is, but with no standard for doing so you'll have to do a little work to set things up. You simply need to set your current user model object as the Grant current user before any CRUD operations are performed. For example, in a Rails application you could add the following to your application_controller.rb
+Grant needs to know who the current user is, but with no standard for
+doing so you'll have to do a little work to set things up unless your
+ApplicationController exposes a current_user method. If you don't
+have a current_user method in ApplicationController, you simply need to set your current user model object as the Grant current user before any CRUD operations are performed. For example, in a Rails application you could add the following to your application_controller.rb
 
   class ApplicationController < ActionController::Base
     before_filter :set_current_user
@@ -38,14 +41,16 @@ Grant needs to know who the current user is, but with no standard for doing so y
     end
   end
 
+The above is essentially what Grant does if you have a current_user
+method in ApplicationController.
+
 = Usage
 
-To enable model security you simply include the Grant::ModelSecurity module in your model class. In the example below you see two grant statements. The first grants find (aka read) permission all the time. The second example grants create, update, and destroy permission when the passed block evaluates to true, which in this case happens when the model is editable by the current user. A Grant::Error is raised if any grant block evaluates to false or nil.
+To enable grant you simply start calling the grant method.
+Grant will initialize itself on the first invocation of the grant method
+in a class. In the example below you see two grant statements. The first grants find (aka read) permission all the time. The second example grants create, update, and destroy permission when the passed block evaluates to true, which in this case happens when the model is editable by the current user. A Grant::Error is raised if any grant block evaluates to false or nil.
 
   class Book < ActiveRecord::Base
-    include Grant::ModelSecurity
-    
-    has_many :tags
     grant(:find) { true }
     grant(:create, :update, :destroy) { |user, model| model.editable_by_user? user }
     
@@ -58,10 +63,12 @@ The valid actions to pass to a grant statement are :find, :create, :update, and
 
 = Integration
 
-There may be some instances where you need to perform an action on your model object without Grant stepping in and stopping you. In those cases you can include the Grant::Integration module for help.
+There may be some instances where you need to perform an action on your
+model object without Grant stepping in and stopping you. In those cases
+you can include the Grant::Status module for help.
 
   class BooksController < ApplicationController
-    include Grant::Integration
+    include Grant::Status
     
     def update
       book = Book.find(params[:id])
@@ -69,4 +76,4 @@ There may be some instances where you need to perform an action on your model ob
     end
   end
 
-Copyright (c) 2010 Near Infinity Corporation, released under the MIT license
+Copyright (c) 2011 Near Infinity Corporation, released under the MIT license

data/Rakefile

@@ -0,0 +1,33 @@
+$:.unshift File.expand_path("../lib", __FILE__)
+
+require 'rake'
+require 'rake/rdoctask'
+require 'rspec/core/rake_task'
+require 'bundler'
+
+Bundler::GemHelper.install_tasks
+
+desc 'Default: run specs'
+task :default => :spec
+
+desc "Run specs"
+RSpec::Core::RakeTask.new do |t|
+  t.rspec_opts = %w(-fs --color)
+end
+
+desc "Run specs with RCov"
+RSpec::Core::RakeTask.new(:rcov) do |t|
+  t.rspec_opts = %w(-fs --color)
+  t.rcov = true
+  t.rcov_opts = %w(--exclude "spec/*,gems/*")
+end
+
+desc 'Generate documentation for the gem.'
+Rake::RDocTask.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'Grant'
+  rdoc.options << '--line-numbers' << '--inline-source'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+

data/grant.gemspec

@@ -0,0 +1,23 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require 'grant/version'
+ 
+Gem::Specification.new do |s|
+  s.name        = "grant"
+  s.version     = Grant::VERSION
+  s.platform    = Gem::Platform::RUBY
+  s.authors     = ["Jeff Kunkle", "Matt Wizeman"]
+  s.homepage    = "http://github.com/nearinfinity/grant"
+  s.summary     = "Conscious security constraints for your ActiveRecord model objects"
+  s.description = "Grant is a Ruby gem and Rails plugin that forces you to make explicit security decisions about the operations performed on your ActiveRecord models."
+  s.license     = "MIT"
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+
+  s.add_development_dependency('rspec', '2.5.0')
+  s.add_development_dependency('sqlite3-ruby', '1.3.3')
+  s.add_development_dependency('activerecord', '> 3.0.0')
+end

data/init.rb

@@ -0,0 +1 @@
+require 'grant'

data/lib/grant.rb

@@ -1,8 +1,26 @@
+require 'active_record'
+require 'grant/grantable'
+
+# TODO: Remove these two requires when backwards compatibility with grant 2.0.0
+# is no longer necessary
 require 'grant/integration'
 require 'grant/model_security'
-require 'grant/user'
-require 'grant/version'
 
 module Grant
   class Error < StandardError; end
-end
+end
+
+ActiveRecord::Base.send :include, Grant::Grantable
+
+if defined?(ActionController) and defined?(ActionController::Base)
+
+  require 'grant/user'
+
+  ActionController::Base.class_eval do
+    before_filter do
+      Grant::User.current_user = self.current_user if self.respond_to?(:current_user)
+    end
+  end
+
+end
+

data/lib/grant/config.rb

@@ -0,0 +1,22 @@
+module Grant
+  class Config
+    attr_reader :actions
+
+    def self.valid_actions
+      @valid_actions ||= [:create, :find, :update, :destroy]
+    end
+
+    def initialize(*args)
+      @actions = args.map(&:to_sym)
+      validate_actions(@actions)
+    end
+
+  private
+
+    def validate_actions(actions)
+      raise Grant::Error.new "at least one action in #{Config.valid_actions.inspect} must be specified" if actions.empty?
+      raise Grant::Error.new "#{Config.valid_actions.inspect} are the only valid actions" unless actions.all? { |a| Config.valid_actions.include?(a.to_sym) }
+    end
+
+  end
+end

data/lib/grant/grantable.rb

@@ -0,0 +1,41 @@
+require 'grant/status'
+require 'grant/config'
+require 'grant/grantor'
+
+module Grant
+  module Grantable
+
+    def self.included(base)
+      base.extend(ClassMethods)
+    end
+
+    module ClassMethods
+      def grant(*args, &blk)
+        include Grant::Status unless self.included_modules.include?(Grant::Status)
+        initialize_grant unless grant_initialized?
+
+        config = Grant::Config.new(*args)
+        config.actions.each do |action|
+          @grant_callbacks[action.to_sym].callback = blk
+        end
+      end
+
+      def initialize_grant
+        @grant_callbacks ||= {}
+        Grant::Config.valid_actions.each do |action|
+          grantor = Grant::Grantor.new(action)
+          @grant_callbacks[action] = grantor
+          send "#{action == :find ? 'after' : 'before'}_#{action}", grantor
+        end
+        @grant_initialized = true
+      end
+
+      def grant_initialized?
+        @grant_initialized == true
+      end
+    end
+
+    # ActiveRecord won't call the after_find handler unless it see's a specific after_find method defined
+    def after_find; end unless method_defined?(:after_find)
+  end
+end

data/lib/grant/grantor.rb

@@ -0,0 +1,23 @@
+require 'grant/status'
+
+module Grant
+  class Grantor
+    include Status
+
+    attr_writer :callback
+
+    def initialize(action)
+      self.class.send(:define_method, "#{action == :find ? 'after' : 'before'}_#{action}") do |model|
+        user = Grant::User.current_user
+        error(user, action, self) unless grant_disabled? || (@callback != nil && @callback.call(user, model))
+      end
+    end
+
+    def error(user, action, model)
+      msg = ["#{action} permission",
+        "not granted to #{user.class.name}:#{user.id}",
+        "for resource #{model.class.name}:#{model.id}"]
+      raise Grant::Error.new(msg.join(' '))
+    end
+  end
+end

data/lib/grant/integration.rb

@@ -1,49 +1,7 @@
-require 'grant/thread_status'
-
+# TODO: Remove this file when backwards compatibility with grant 2.0.0
+# is no longer necessary
 module Grant
   module Integration
-    
-    def without_grant
-      previously_disabled = grant_disabled?
-      disable_grant
-      
-      begin
-        result = yield if block_given?
-      ensure
-        enable_grant unless previously_disabled
-      end
-      
-      result
-    end
-    
-    def with_grant
-      previously_disabled = grant_disabled?
-      enable_grant
-      
-      begin
-        result = yield if block_given?
-      ensure
-        disable_grant if previously_disabled
-      end
-      
-      result
-    end
-    
-    def disable_grant
-      Grant::ThreadStatus.disable
-    end
-    
-    def enable_grant
-      Grant::ThreadStatus.enable
-    end
-    
-    def grant_disabled?
-      Grant::ThreadStatus.disabled?
-    end
-    
-    def grant_enabled?
-      Grant::ThreadStatus.enabled?
-    end
-    
+    include Status
   end
-end
+end

data/lib/grant/model_security.rb

@@ -1,55 +1,9 @@
-require 'grant/config_parser'
-require 'grant/user'
-require 'grant/thread_status'
+# TODO: Remove this file when backwards compatibility with grant 2.0.0
+# is no longer necessary
+require 'grant/grantable'
 
 module Grant
   module ModelSecurity
-    
-    def self.included(base)
-      [:create, :update, :destroy, :find].each do |action|
-        callback = (action == :find ? "after_#{action}" : "before_#{action}")
-        base.class_eval <<-RUBY
-          def grant_#{callback}
-            grant_raise_error(grant_current_user, '#{action}', self) unless grant_disabled?
-          end
-        RUBY
-        base.send(callback.to_sym, "grant_#{callback}".to_sym)
-      end
-    
-      base.extend ClassMethods
-    end
-  
-    # ActiveRecord won't call the after_find handler unless it see's a specific after_find method defined
-    def after_find; end
-  
-    def grant_current_user
-      Grant::User.current_user
-    end
-  
-    def grant_disabled?
-      Grant::ThreadStatus.disabled? || @grant_disabled
-    end
-    
-    def grant_raise_error(user, action, model, association_id=nil)
-      msg = ["#{action} permission",
-        "not granted to #{user.class.name}:#{user.id}",
-        "for resource #{model.class.name}:#{model.id}"]
-
-      raise Grant::Error.new(msg.join(' '))
-    end
-  
-    module ClassMethods
-      def grant(*args, &blk)
-        actions = Grant::ConfigParser.extract_config(args)
-        actions.each do |action|
-          grant_callback = (action.to_sym == :find ? "grant_after_find" : "grant_before_#{action}").to_sym
-          define_method(grant_callback) do
-            grant_raise_error(grant_current_user, action, self) unless grant_disabled? || blk.call(grant_current_user, self)
-          end
-        end
-      end
-    end
-    
+    include Grant::Grantable unless self.included_modules.include?(Grant::Grantable)
   end
-  
 end

data/lib/grant/spec_helpers.rb

@@ -1,21 +1,21 @@
-require 'grant/integration'
+require 'grant/status'
 
 module Grant
   module SpecHelpers
-    include Grant::Integration
-  
+    include Grant::Status
+
     def self.included(base)
       base.class_eval do
         before(:each) do
           disable_grant
         end
-      
+
         after(:each) do
           enable_grant
         end
       end
     end
-    
+
   end
 end