has_permission 0.2.8

data/VERSION.yml

@@ -0,0 +1,4 @@
+--- 
+:patch: 8
+:major: 0
+:minor: 2

data/lib/action_controller/has/permission.rb

@@ -0,0 +1,39 @@
+module ActionController
+  module Has
+    module Permission
+      def self.included(base)
+        base.extend(ClassMethods)
+      end
+
+      module ClassMethods
+        
+        def requires_permission(*args)
+          options = args.extract_options!
+          args.each do |target|
+            self.class_eval <<-_RUBY
+              def #{target}_with_permission
+                klass = #{options[:class] || "controller_name.classify.constantize"}
+                klass.with_permission(current_user).can_#{target}? || #{options[:access_denied] || "access_denied"}
+                #{target}_without_permission
+              end
+            _RUBY
+            alias_method_chain target, "permission"
+          end
+        end
+        
+        def permission_method_chain(*args)
+          args.each do |target|
+            self.class_eval <<-_RUBY
+              def #{target}_with_permission
+                #{target}_without_permission.with_permission(current_user)
+              end
+            _RUBY
+            alias_method_chain target, "permission"
+          end
+        end
+        
+      end
+      
+    end
+  end
+end

data/lib/active_record/has/permission.rb

@@ -0,0 +1,61 @@
+module ActiveRecord
+  module Has
+    module Permission
+      def self.included(base)
+        base.extend(ClassMethods)
+      end
+
+      module ClassMethods
+        
+        def has_permission(options = {})
+          class_eval <<-_DEF
+            def self.permission_namespace
+              "#{options[:namespace] || 'Permission'}"
+            end
+          _DEF
+          extend ActiveRecord::Has::Permission::SingletonMethods
+          include ActiveRecord::Has::Permission::InstanceMethods
+        end
+        
+      end
+      
+      module SingletonMethods
+        
+        def with_permission(user)
+          permission_class.new :user => user, :object => self
+        end
+        
+        def permission_class
+          if respond_to?(:base_class)
+            begin
+              [permission_namespace, "#{self.to_s}Permission"].join('::').constantize
+            rescue
+              [permission_namespace ,"#{self.base_class.to_s}Permission"].join('::').constantize
+            end
+          elsif respond_to?(:proxy_reflection)
+            begin
+              [permission_namespace, "#{self.proxy_reflection.class_name}Permsission"].join('::').constantize
+            rescue
+              [permission_namespace, "#{self.proxy_reflection.class_name.constantize.base_class.to_s}Permission"].join('::').constantize
+            end
+          else
+            begin
+              [permission_namespace, "#{self.to_s}Permission"].join('::').constantize
+            rescue
+              [permission_namespace, "#{self.superclass.to_s}Permission"].join('::').constantize
+            end
+          end
+        end
+      end
+      
+      module InstanceMethods
+        
+        def with_permission(user)
+          self.class.permission_class.new :user => user, :object => self
+        end
+      
+      end
+      
+    end
+  end
+end

data/lib/has_permission.rb

@@ -0,0 +1,11 @@
+require 'active_record'
+require 'active_record/has/permission'
+require 'action_controller'
+require 'action_controller/has/permission'
+require 'permission/base'
+require 'permission/array'
+require 'permission_exception'
+
+ActiveRecord::Base.send :include, ActiveRecord::Has::Permission
+ActionController::Base.send :include, ActionController::Has::Permission
+Array.send :include, Permission::Array

data/lib/permission/array.rb

@@ -0,0 +1,15 @@
+module Permission
+  module Array
+    
+    # helper method for adding to an array based on permission i.e. [].push_if("some feature", Feature.with_permission(current_user).can_write?)
+    def push_if(*args)
+      raise ArgumentError.new "wrong number of arguments (#{args.length} for 2)" if args.length < 2
+      if args.pop
+        push(*args)
+      else
+        self
+      end
+    end
+    
+  end
+end

data/lib/permission/base.rb

@@ -0,0 +1,85 @@
+module Permission
+  class Base
+    require 'forwardable'
+    extend Forwardable
+    
+    # delegate important object methods so they don't return the values for the proxy - am I missing any??
+    def_delegators :@object, :==, :=~, :class, :enum_for, :eql?, :new, :freeze, :frozen?, 
+      :hash, :id, :instance_of?, :is_a?, :kind_of?,
+      :method, :methods, :object_id, :respond_to?, :send,
+      :taint, :tainted?, :to_a, :to_enum, :to_s, :to_yaml, :to_yaml_properties, :to_yaml_style,
+      :type, :untaint, :to_param
+      
+    attr_accessor :user, :object
+  
+    DEFAULT_FINDERS = /^((find|with).*|first|last|all|children|paginate|scoped|count)$/
+    DEFAULT_SEARCHES = /^search_.*/
+    
+    def initialize(params)
+      @user = params[:user]
+      @object = params[:object]
+    end
+  
+    def method_missing(method, *args)
+      object.send(method, *args)
+    end
+  
+    def update_attribute(name, value)
+      if can_write?(name)
+        object.update_attribute(name, value)
+      else
+        raise PermissionException.new("#{user} does not have permission to access #{name} on #{object}")
+      end
+    end
+    
+    def update_attributes(attributes)
+      object.update_attributes(attributes.reject{|key,value| !can_write?(key) })
+    end
+    
+    def attribute_names
+      object.attribute_names.reject{|key| !can_read?(key) }
+    end
+    
+    def column_names
+      object.column_names.reject{|key| !can_read?(key) }
+    end
+    
+    def attributes
+      object.attributes.reject{|key,value| !can_read?(key) }
+    end
+    
+    def read_attribute(attr_name)
+      if can_read?(attr_name)
+        object.read_attribute(attr_name)
+      else
+        raise PermissionException.new("#{user} does not have permission to access #{attr_name} on #{object}")
+      end
+    end
+    
+    def write_attribute(attr_name, value)
+      if can_write?(attr_name)
+        object.write_attribute(attr_name, value)
+      else
+        raise PermissionException.new("#{user} does not have permission to access #{attr_name} on #{object}")
+      end
+    end
+    
+    def can_read?(attr_name)
+      true
+    end
+    
+    def can_write?(attr_name)
+      true
+    end
+    
+    protected
+  
+    def check_roles(user, roles, object)
+      roles.each do |role|
+        return true if user != nil && user.has_role?(user, object)
+      end
+      false
+    end
+  end
+  
+end

data/lib/permission_exception.rb

@@ -0,0 +1,2 @@
+class PermissionException < Exception
+end

data/test/array_test.rb

@@ -0,0 +1,16 @@
+require File.dirname(__FILE__) + '/test_helper'
+
+class ArrayTest < Test::Unit::TestCase
+
+  should "have method push_if" do
+    assert_equal true, [].methods.include?("push_if")
+  end
+  
+  should "not push if condition is false" do
+    assert_equal [], [].push_if("test", false)
+  end
+  
+  should "push if condition is true" do
+    assert_equal ["test"], [].push_if("test", true)
+  end
+end

data/test/has_permission_test.rb

@@ -0,0 +1,133 @@
+require File.dirname(__FILE__) + '/test_helper'
+
+class HasPermissionTest < Test::Unit::TestCase
+  context "model instance" do
+    setup do
+      @model = Model.new
+    end
+    
+    should "not intercept method" do
+      assert_equal "no permission", @model.some_method
+    end
+    
+    should "intercept method" do
+      assert_equal "with permission", @model.with_permission(nil).some_method
+    end
+    
+    should "use model id" do
+      assert_equal @model.id, @model.with_permission(nil).id
+    end
+    
+    should "use model to_param" do
+      assert_equal @model.to_param, @model.with_permission(nil).to_param
+    end
+    
+    should "use model class" do
+      assert_equal @model.class, @model.with_permission(nil).class
+    end
+    
+    should "use model ==" do
+      assert @model.with_permission(nil) == @model
+    end
+    
+    should "use model eql?" do
+      assert @model.with_permission(nil).eql?(@model)
+    end
+    
+    should "throw PermissionException for attribute that does not allow reading" do
+      assert_raise PermissionException do
+        @model.with_permission(nil).read_attribute(:no_access)
+      end
+    end
+    
+    should "allow access for readable attribute" do
+      @model.with_permission(nil).read_attribute(:read_access)
+    end
+    
+    should "throw PermissionException for attribute that does not allow writing" do
+      assert_raise PermissionException do
+        @model.with_permission(nil).write_attribute(:no_access, "test")
+      end
+    end
+    
+    should "allow access for writeable attribute" do
+      @model.with_permission(nil).write_attribute(:write_access, "test")
+    end
+    
+    should "only allow writeable attribute for update attributes" do
+      @model.expects(:update_attributes).with(:write_access => "test")
+      @model.with_permission(nil).update_attributes(:no_access => "test", :write_access => "test")
+    end
+
+    should "only allow readable attributes for attributes" do
+      assert_equal [:read_access], @model.with_permission(nil).attributes.keys
+    end
+    
+    should "only allow readable attributes for attribute_names" do
+      assert_equal [:read_access], @model.with_permission(nil).attribute_names
+    end
+    
+    should "only allow readable attributes for column_names" do
+      assert_equal [:read_access], @model.with_permission(nil).column_names
+    end
+    
+    should "only allow writeable attribute for update attribute" do
+      assert_raise PermissionException do
+        @model.with_permission(nil).update_attribute(:no_access, "test")
+      end
+    end
+    
+  end
+
+  context "model class" do
+    should "not intercept method" do
+      assert_equal ["no permission"], Model.all
+    end
+    
+    should "intercept method" do
+      assert_equal ["with permission"], Model.with_permission(nil).all
+    end
+  end
+  
+  context "controller permission" do
+    setup do
+      @controller = ModelController.new
+    end
+    
+    should "call access denied for index" do
+      @controller.expects(:access_denied).once
+      @controller.index
+    end
+    
+    context "with options" do
+      setup do
+        @controller2 = Model2Controller.new
+      end
+      
+      should "call no access for index" do
+        @controller2.expects(:no_access).once
+        @controller2.index
+      end
+      
+    end
+  end
+  
+  should "use default namespace setting" do
+    assert_equal Permission::ModelPermission, Model.permission_class
+  end
+  
+  should "override default namespace setting" do
+    assert_equal ModelBPermission, ModelB.permission_class
+  end
+  
+  should "use class to_s method" do
+    assert_equal Model.to_s, Model.with_permission(nil).to_s
+  end
+  
+  should "use class class method" do
+    assert_equal Model.class, Model.with_permission(nil).class
+  end
+  
+  # TODO need to test proxy associations somehow
+  
+end

data/test/test_helper.rb

@@ -0,0 +1,149 @@
+require 'rubygems'
+require 'test/unit'
+require 'shoulda'
+require 'mocha'
+
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'has_permission'
+
+# this doesn't seem like the best way to do this - maybe someone will suggest a better method
+
+class Model
+
+  include ActiveRecord::Has::Permission
+  
+  has_permission
+  
+  def read_attribute(attr_name)
+    "test"
+  end
+  
+  def write_attribute(attr_name, value)
+    value
+  end
+  
+  def column_names
+    [:read_access, :no_access]
+  end
+  
+  def attribute_names
+    [:read_access, :no_access]
+  end
+  
+  def attributes
+    {:read_access => "test", :no_access => "test"}
+  end
+  
+  def some_method
+    "no permission"
+  end
+  
+  def self.all
+    ["no permission"]
+  end
+  
+end
+
+class ModelB
+  include ActiveRecord::Has::Permission
+  
+  has_permission :namespace => ''
+end
+
+class ModelBPermission < Permission::Base
+  def can_index?
+    false
+  end
+  
+  def can_show?
+    true
+  end
+end
+
+module Permission
+  class ModelPermission < Permission::Base
+  
+    def can_index?
+      false
+    end
+    
+    def can_show?
+      true
+    end
+    
+    def can_read?(attr_name)
+      case attr_name
+        when :read_access : true
+        when :no_access : false
+        else true
+      end
+    end
+    
+    def can_write?(attr_name)
+      case attr_name.to_s
+        when "write_access" : true
+        when "no_access" : false
+        else true
+      end
+    end
+    
+    def some_method
+      "with permission"
+    end
+  
+    def method_missing(method, *args)
+      if method.to_s.match(DEFAULT_FINDERS)
+        ["with permission"]
+      else
+        object.send(method, *args)
+      end
+    end
+  end
+end
+
+class ModelController
+  include ActionController::Has::Permission
+  
+  def controller_name
+    "model"
+  end
+  
+  def index
+    "index"
+  end
+  
+  def show
+    "show"
+  end
+  
+  def current_user
+    nil
+  end
+  
+  requires_permission :index, :show
+end
+
+class Model2Controller
+  include ActionController::Has::Permission
+  
+  def controller_name
+    "model"
+  end
+  
+  def index
+    "index"
+  end
+  
+  def show
+    "show"
+  end
+  
+  def current_user
+    nil
+  end
+  
+  requires_permission :index, :show, :access_denied => 'no_access', :class => ModelB
+end
+
+class Test::Unit::TestCase
+end

metadata

@@ -0,0 +1,65 @@
+--- !ruby/object:Gem::Specification 
+name: has_permission
+version: !ruby/object:Gem::Version 
+  version: 0.2.8
+platform: ruby
+authors: 
+- Brian Johnson
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2009-03-26 00:00:00 -07:00
+default_executable: 
+dependencies: []
+
+description: Fine grained access control based on method interception. This is a proxy that allows you to define permissions on your models without breaking MVC by putting user code in your models.
+email: github@brianjohnson.cc
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- VERSION.yml
+- lib/action_controller/has/permission.rb
+- lib/active_record/has/permission.rb
+- lib/has_permission.rb
+- lib/permission/array.rb
+- lib/permission/base.rb
+- lib/permission_exception.rb
+- test/array_test.rb
+- test/has_permission_test.rb
+- test/test_helper.rb
+has_rdoc: true
+homepage: http://github.com/johnsbrn/has_permission
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --inline-source
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.5
+signing_key: 
+specification_version: 2
+summary: Access control library
+test_files: []
+