grant 2.0.2 → 2.1.0

data/CHANGELOG.md

@@ -1,3 +1,11 @@
+## 2.1.0 (July 5, 2011)
+
+Features:
+
+  - Pass action to grant decision block. [#5](https://github.com/nearinfinity/grant/issues/5)
+  - Allow subclasses to redefine grant statements. [#4](https://github.com/nearinfinity/grant/issues/4)
+  - Allow checking of grant status without raising an error. [#3](https://github.com/nearinfinity/grant/issues/3)
+
 ## 2.0.0 (January 5, 2011)
 
 Features:
@@ -8,4 +16,4 @@ Features:
 
 Changes:
 
-  - Changed Grant from strictly a Rails plugin to a Ruby gem. No functionality changes or bug fixes.
+  - Changed Grant from strictly a Rails plugin to a Ruby gem. No functionality changes or bug fixes.

data/README.rdoc

@@ -11,17 +11,17 @@ Additional information beyond that found in this README is available on the wiki
 To install the Grant gem, simply run
 
   gem install grant
-  
+
 To use it with a Rails 3 project or other project using Bundler, add the following line to your Gemfile
 
   gem 'grant'
-  
+
 For your Rails 2.x project, add the following to your environment.rb file
 
   config.gem 'grant'
 
 Lastly, Grant can also be installed as a Rails plugin
-  
+
   script/plugin install git://github.com/nearinfinity/grant.git
 
 = Setup
@@ -52,7 +52,7 @@ in a class. In the example below you see two grant statements. The first grants
 
   class Book < ActiveRecord::Base
     grant(:find) { true }
-    grant(:create, :update, :destroy) { |user, model| model.editable_by_user? user }
+    grant(:create, :update, :destroy) { |user, model, action| model.editable_by_user? user }
     
     def editable_by_user? user
       user.administrator? || user.has_role?(:editor) 
@@ -61,6 +61,37 @@ in a class. In the example below you see two grant statements. The first grants
 
 The valid actions to pass to a grant statement are :find, :create, :update, and :destroy. Each action can be passed as a Symbol or String. Any number of actions can be passed to a single grant statement, which is very useful if each of the actions share the same logic for determining access.
 
+If you'd like to find out if a certain action is granted without attempting
+the action and having Grant potentially raise an error, you can use the 
+`granted?` method.
+
+  book = Book.first
+  book.granted?(:destroy, some_user)
+
+If you don't pass a user as the second argument to `granted?`, the 
+`Grant::User.current_user` will be assumed.
+
+= Inheritance
+
+Subclasses inherit all the `grant` statements defined on their parent, but 
+are free to override any of them individually simply by redefining them. 
+For example:
+
+  class Book < ActiveRecord::Base
+    self.abstract_class = true
+    grant(:create, :find, :destroy) { true }
+    grant(:update) { false }
+  end
+
+  class Ebook < ActiveRecord::Base
+    grant(:update) { true }
+    grant(:destroy) { false }
+  end
+
+Instances of the parent class `Book` can always be created, found, and destroyed,
+but never updated. However, `Ebook` instances can be created, found, and updated,
+but never destroyed.
+
 = Integration
 
 There may be some instances where you need to perform an action on your

data/grant.gemspec

@@ -12,11 +12,13 @@ Gem::Specification.new do |s|
   s.description = "Grant is a Ruby gem and Rails plugin that forces you to make explicit security decisions about the operations performed on your ActiveRecord models."
   s.license     = "MIT"
 
-  s.files         = `git ls-files`.split("\n")
+  s.files         = `git ls-files`.split("\n").reject { |path| path =~ /^(Gemfile|.gitignore|Rakefile)/ }
   s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
   s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
   s.require_paths = ["lib"]
 
+  s.add_dependency('activerecord', '> 3.0.0')
+
   s.add_development_dependency('rspec', '2.5.0')
   s.add_development_dependency('sqlite3-ruby', '1.3.3')
   s.add_development_dependency('activerecord', '> 3.0.0')

data/lib/grant/grantable.rb

@@ -6,36 +6,39 @@ module Grant
   module Grantable
 
     def self.included(base)
-      base.extend(ClassMethods)
+      base.send :extend, ClassMethods
     end
 
     module ClassMethods
       def grant(*args, &blk)
-        include Grant::Status unless self.included_modules.include?(Grant::Status)
-        initialize_grant unless grant_initialized?
+        unless self.included_modules.include?(InstanceMethods)
+          include InstanceMethods
+          include Grant::Status
 
-        config = Grant::Config.new(*args)
-        config.actions.each do |action|
-          @grant_callbacks[action.to_sym].callback = blk
+          [:find, :create, :update, :destroy].each do |action|
+            send :class_attribute, "grantor_#{action}".to_sym
+            send "grantor_#{action}=".to_sym, Grant::Grantor.new(action) { false }
+            send "#{action == :find ? 'after' : 'before'}_#{action}".to_sym, "grant_#{action}".to_sym
+          end
         end
-      end
 
-      def initialize_grant
-        @grant_callbacks ||= {}
-        Grant::Config.valid_actions.each do |action|
-          grantor = Grant::Grantor.new(action)
-          @grant_callbacks[action] = grantor
-          send "#{action == :find ? 'after' : 'before'}_#{action}", grantor
+        Grant::Config.new(*args).actions.each do |action|
+          send "grantor_#{action}=".to_sym, Grant::Grantor.new(action, &blk)
         end
-        @grant_initialized = true
       end
+    end
+
+    module InstanceMethods
+      def grant_find; grantor_find.authorize!(self); end
+      def grant_create; grantor_create.authorize!(self); end
+      def grant_update; grantor_update.authorize!(self); end
+      def grant_destroy; grantor_destroy.authorize!(self); end
 
-      def grant_initialized?
-        @grant_initialized == true
+      def granted?(action, user=Grant::User.current_user)
+        grantor = send("grantor_#{action}")
+        grantor.authorized?(self, user)
       end
     end
 
-    # ActiveRecord won't call the after_find handler unless it see's a specific after_find method defined
-    def after_find; end unless method_defined?(:after_find)
   end
 end

data/lib/grant/grantor.rb

@@ -5,12 +5,22 @@ module Grant
   class Grantor
     include Status
 
-    attr_writer :callback
+    def initialize(action, &callback)
+      @action = action
+      @callback = callback
+    end
+
+    def authorize!(model, user=Grant::User.current_user)
+      unless grant_disabled?
+        without_grant do
+          raise Grant::Error.new(user, @action, model) unless @callback.call(user, model, @action)
+        end
+      end
+    end
 
-    def initialize(action)
-      self.class.send(:define_method, "#{action == :find ? 'after' : 'before'}_#{action}") do |model|
-        user = Grant::User.current_user
-        raise Grant::Error.new(user, action, model) unless grant_disabled? || (@callback != nil && @callback.call(user, model))
+    def authorized?(model, user=Grant::User.current_user)
+      without_grant do
+        @callback.call(user, model, @action)
       end
     end
   end

data/lib/grant/integration.rb

@@ -1,7 +1,5 @@
 # TODO: Remove this file when backwards compatibility with grant 2.0.0
 # is no longer necessary
 module Grant
-  module Integration
-    include Status
-  end
+  Integration = Grant::Status
 end

data/lib/grant/model_security.rb

@@ -3,7 +3,5 @@
 require 'grant/grantable'
 
 module Grant
-  module ModelSecurity
-    include Grant::Grantable unless self.included_modules.include?(Grant::Grantable)
-  end
+  ModelSecurity = Grant::Grantable
 end

data/lib/grant/status.rb

@@ -56,5 +56,6 @@ module Grant
       result
     end
 
+    module_function :grant_enabled?, :grant_disabled?, :disable_grant, :enable_grant, :without_grant, :with_grant, :do_as
   end
 end

data/lib/grant/version.rb

@@ -1,3 +1,3 @@
 module Grant
-  VERSION = "2.0.2"
+  VERSION = "2.1.0"
 end

data/spec/grantable_spec.rb

@@ -22,22 +22,15 @@ describe Grant::Grantable do
     Model.included_modules.should include(Grant::Status)
   end
 
-  it 'should setup failing Grant::Grantor objects for create, find, update, and destroy callbacks when initialized' do
+  it 'should setup failing callbacks when initialized' do
     m = Model.create
-    Model.initialize_grant
+    Model.instance_eval { grant(:create) { false } }
     lambda { Model.create }.should raise_error(Grant::Error)
     lambda { Model.find(m.id) }.should raise_error(Grant::Error)
     lambda { m.update_attributes(:name => 'new') }.should raise_error(Grant::Error)
     lambda { m.destroy }.should raise_error(Grant::Error)
   end
 
-  it 'should indicate whether Grant has been initialized' do
-    redefine_model
-    Model.should_not be_grant_initialized
-    Model.initialize_grant
-    Model.should be_grant_initialized
-  end
-
   it 'should associate callbacks with active record create, find, update, and destroy callbacks' do
     redefine_model do
       grant(:create) { true }
@@ -75,11 +68,12 @@ describe Grant::Grantable do
     lambda { Model.create }.should raise_error(Grant::Error)
   end
 
-  it 'should provide callbacks with the user and model being protected' do
+  it 'should provide callbacks with the user, model, and action being protected' do
     redefine_model do
-      grant(:create) do |user, model|
+      grant(:create) do |user, model, action|
         user.should == Grant::User.current_user
         model.should_not == nil
+        action.should == :create
         true
       end
     end
@@ -87,6 +81,72 @@ describe Grant::Grantable do
     Model.create
   end
 
+  it 'should allow subclasses to independenty redefine grant statements' do
+    redefine_model do
+      grant(:create) { true }
+      grant(:find) { true }
+      grant(:update) { false }
+      grant(:destroy) { true }
+    end
+
+    class SubModel < Model
+      set_table_name 'models'
+      grant(:update) { true }
+      grant(:destroy) { false }
+    end
+
+    m = SubModel.create
+    m = SubModel.find(m.id)
+    m.update_attributes(:name => 'new')
+    lambda { m.destroy }.should raise_error(Grant::Error)
+
+    m = Model.create
+    m = Model.find(m.id)
+    lambda { m.update_attributes(:name => 'new') }.should raise_error(Grant::Error)
+    m.destroy
+  end
+
+  describe '#granted?' do
+    it 'should allow invoking the grant callbacks to determine whether an action has been granted' do
+      redefine_model do
+        grant(:create) { true }
+        grant(:find) { true }
+        grant(:update) { false }
+        grant(:destroy) { false }
+      end
+
+      model = Model.new
+      model.granted?(:create).should be_true
+      model.granted?(:find).should be_true
+      model.granted?(:update).should be_false
+      model.granted?(:destroy).should be_false
+    end
+
+    it 'should allow a non-current user to be specified' do
+      user = User.create
+
+      redefine_model do
+        grant(:create) do |u, m, a|
+          u.should == user
+          Grant::User.current_user.should_not == user
+        end
+      end
+
+      model = Model.new
+      model.granted?(:create, user)
+    end
+
+    it 'should not raise an error if the action has not been granted' do
+      redefine_model do
+        grant(:create) { false }
+      end
+
+      model = Model.new
+      lambda { model.granted?(:create) }.should_not raise_error
+      model.granted?(:create).should be_false
+    end
+  end
+
   def redefine_model(&blk)
     clazz = Class.new(ActiveRecord::Base, &blk)
     Object.send :remove_const, 'Model'

data/spec/grantor_spec.rb

@@ -4,18 +4,55 @@ require 'grant/grantor'
 
 describe Grant::Grantor do
 
-  describe '#initialize' do
-    it 'should define a before_create callback method when passed create as an argument' do
-      Grant::Grantor.new(:create).should respond_to(:before_create)
+  describe '#authorize!' do
+    it 'should pass the user, model, and action to the supplied callback block' do
+      model = Object.new
+      user = Object.new
+      Grant::User.current_user = user
+
+      grantor = Grant::Grantor.new(:update) do |u, m, a|
+        u.should == user
+        m.should == model
+        a.should == :update
+        true
+      end
+
+      grantor.authorize!(model)
     end
-    it 'should define an after_find callback method when passed find as an argument' do
-      Grant::Grantor.new(:find).should respond_to(:after_find)
+
+    it 'should turn off grant when calling the supplied callback block' do
+      grantor = Grant::Grantor.new(:destroy) do |user, model, action|
+        Grant::Status.grant_disabled?.should be_true
+        true
+      end
+
+      grantor.authorize!(Object.new)
     end
-    it 'should define a before_update callback method when passed update as an argument' do
-      Grant::Grantor.new(:update).should respond_to(:before_update)
+  end
+
+  describe '#authorized?' do
+    it 'should pass the user, model, and action to the supplied callback block' do
+      model = Object.new
+      user = Object.new
+      Grant::User.current_user = user
+
+      grantor = Grant::Grantor.new(:update) do |u, m, a|
+        u.should == user
+        m.should == model
+        a.should == :update
+        true
+      end
+
+      grantor.authorized?(model).should be_true
     end
-    it 'should define a before_destroy callback method when passed destroy as an argument' do
-      Grant::Grantor.new(:destroy).should respond_to(:before_destroy)
+
+    it 'should turn off grant when calling the supplied callback block' do
+      grantor = Grant::Grantor.new(:destroy) do |user, model, action|
+        Grant::Status.grant_disabled?.should be_true
+        false
+      end
+
+      grantor.authorized?(Object.new).should be_false
     end
   end
 

data/spec/status_spec.rb

@@ -3,16 +3,24 @@ require 'grant/status'
 
 describe Grant::Status do
   it "should be enabled if set to enabled" do
-    obj = Class.new { include Grant::Status }.new
-    obj.enable_grant
-    obj.should be_grant_enabled
-    obj.should_not be_grant_disabled
+    obj = Class.new do
+      include Grant::Status
+      def enable; enable_grant; end
+    end.new
+
+    obj.enable
+    Grant::Status.grant_enabled?.should be_true
+    Grant::Status.grant_disabled?.should be_false
   end
 
   it "should be disabled if set to disabled" do
-    obj = Class.new { include Grant::Status }.new
-    obj.disable_grant
-    obj.should_not be_grant_enabled
-    obj.should be_grant_disabled
+    obj = Class.new do
+      include Grant::Status
+      def disable; disable_grant; end
+    end.new
+
+    obj.disable
+    Grant::Status.grant_enabled?.should be_false
+    Grant::Status.grant_disabled?.should be_true
   end
 end

metadata

@@ -5,9 +5,9 @@ version: !ruby/object:Gem::Version
   prerelease: 
   segments: 
   - 2
+  - 1
   - 0
-  - 2
-  version: 2.0.2
+  version: 2.1.0
 platform: ruby
 authors: 
 - Jeff Kunkle
@@ -16,13 +16,29 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-03-22 00:00:00 -04:00
+date: 2011-07-05 00:00:00 -04:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
-  name: rspec
+  name: activerecord
   prerelease: false
   requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">"
+      - !ruby/object:Gem::Version 
+        hash: 7
+        segments: 
+        - 3
+        - 0
+        - 0
+        version: 3.0.0
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: rspec
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - "="
@@ -34,11 +50,11 @@ dependencies:
         - 0
         version: 2.5.0
   type: :development
-  version_requirements: *id001
+  version_requirements: *id002
 - !ruby/object:Gem::Dependency 
   name: sqlite3-ruby
   prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement 
+  requirement: &id003 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - "="
@@ -50,11 +66,11 @@ dependencies:
         - 3
         version: 1.3.3
   type: :development
-  version_requirements: *id002
+  version_requirements: *id003
 - !ruby/object:Gem::Dependency 
   name: activerecord
   prerelease: false
-  requirement: &id003 !ruby/object:Gem::Requirement 
+  requirement: &id004 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ">"
@@ -66,7 +82,7 @@ dependencies:
         - 0
         version: 3.0.0
   type: :development
-  version_requirements: *id003
+  version_requirements: *id004
 description: Grant is a Ruby gem and Rails plugin that forces you to make explicit security decisions about the operations performed on your ActiveRecord models.
 email: 
 executables: []
@@ -76,13 +92,9 @@ extensions: []
 extra_rdoc_files: []
 
 files: 
-- .gitignore
 - CHANGELOG.md
-- Gemfile
-- Gemfile.lock
 - LICENSE
 - README.rdoc
-- Rakefile
 - grant.gemspec
 - init.rb
 - lib/grant.rb

data/.gitignore

@@ -1,5 +0,0 @@
-coverage
-rdoc
-grant-*.gem
-tmp/
-pkg/

data/Gemfile

@@ -1,4 +0,0 @@
-source "http://rubygems.org"
-
-# Specify your gem's dependencies in grant.gemspec
-gemspec

data/Gemfile.lock

@@ -1,43 +0,0 @@
-PATH
-  remote: .
-  specs:
-    grant (2.0.1)
-
-GEM
-  remote: http://rubygems.org/
-  specs:
-    activemodel (3.0.5)
-      activesupport (= 3.0.5)
-      builder (~> 2.1.2)
-      i18n (~> 0.4)
-    activerecord (3.0.5)
-      activemodel (= 3.0.5)
-      activesupport (= 3.0.5)
-      arel (~> 2.0.2)
-      tzinfo (~> 0.3.23)
-    activesupport (3.0.5)
-    arel (2.0.9)
-    builder (2.1.2)
-    diff-lcs (1.1.2)
-    i18n (0.5.0)
-    rspec (2.5.0)
-      rspec-core (~> 2.5.0)
-      rspec-expectations (~> 2.5.0)
-      rspec-mocks (~> 2.5.0)
-    rspec-core (2.5.1)
-    rspec-expectations (2.5.0)
-      diff-lcs (~> 1.1.2)
-    rspec-mocks (2.5.0)
-    sqlite3 (1.3.3)
-    sqlite3-ruby (1.3.3)
-      sqlite3 (>= 1.3.3)
-    tzinfo (0.3.24)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  activerecord (> 3.0.0)
-  grant!
-  rspec (= 2.5.0)
-  sqlite3-ruby (= 1.3.3)

data/Rakefile

@@ -1,33 +0,0 @@
-$:.unshift File.expand_path("../lib", __FILE__)
-
-require 'rake'
-require 'rake/rdoctask'
-require 'rspec/core/rake_task'
-require 'bundler'
-
-Bundler::GemHelper.install_tasks
-
-desc 'Default: run specs'
-task :default => :spec
-
-desc "Run specs"
-RSpec::Core::RakeTask.new do |t|
-  t.rspec_opts = %w(-fs --color)
-end
-
-desc "Run specs with RCov"
-RSpec::Core::RakeTask.new(:rcov) do |t|
-  t.rspec_opts = %w(-fs --color)
-  t.rcov = true
-  t.rcov_opts = %w(--exclude "spec/*,gems/*")
-end
-
-desc 'Generate documentation for the gem.'
-Rake::RDocTask.new(:rdoc) do |rdoc|
-  rdoc.rdoc_dir = 'rdoc'
-  rdoc.title    = 'Grant'
-  rdoc.options << '--line-numbers' << '--inline-source'
-  rdoc.rdoc_files.include('README.rdoc')
-  rdoc.rdoc_files.include('lib/**/*.rb')
-end
-