heimdallr-resource 1.0.1 → 1.0.2

data/CHANGELOG.md

@@ -1,7 +1,12 @@
 # Changelog
 
+## 1.0.2
+
+* Additional methods resources assignation [@whitequark][]
+
 ## 1.0.1
 
 * load_and_authorize_resource accepts just one hash parameter from now [@_inossidabile][]
 
 [@_inossidabile]: http://twitter.com/#!/_inossidabile
+[@whitequark]: http://twitter.com/#!/whitequark

data/README.md

@@ -5,43 +5,101 @@ Heimdallr Resource is a gem which provides CanCan-like interface for writing sec
 controllers on top of [Heimdallr](http://github.com/roundlake/heimdallr)-protected
 models.
 
-``` ruby
+Overview
+--------
+
+API of Heimdallr Resource basically consists of two methods, `load_resource` and `authorize_resource`.
+Both work by adding a filter in standard Rails filter chain and obey the `:only` and `:except` options.
+
+`load_resource` loads a record or scope and wraps it in a Heimadllr proxy. For `index` action, a scope is loaded. For `show`, `new`, `create`, `edit`, `update` and `destroy` a record is loaded. No further action is performed by Heimdallr Resource.
+
+`authorize_resource` verifies if the current security context allows for creating or updating the records. The checks are performed for `new`, `create`, `edit` and `update` actions. `index` will simply follow the defined `:fetch` scope.
+
+```ruby
 class CricketController < ApplicationController
   include Heimdallr::Resource
 
   load_and_authorize_resource
 
-  # or set the name explicitly:
-  #
-  # load_and_authorize_resource :resource => :cricket
-
-  # if nested:
-  #
-  # routes.rb:
-  #   resources :categories do
-  #     resources :crickets
-  #   end
-  #
-  # load_and_authorize_resource :through => :category
-
   def index
     # @crickets is loaded and secured here
   end
+  
+  def show
+    # @cricket is loaded by .find(params[:id]) and secured here
+  end
+  
+  def create
+    # @cricket is created, filled with params[:cricket] and secured here
+  end
+
+  def update
+    # @cricket is loaded by .find(params[:id]) and secured here.
+    # Fields from params[:cricket] won't be applied automatically!
+  end
+
+  def show
+    # @cricket is loaded by .find(params[:id]) and secured here.
+  end
+
+  def destroy
+    # @cricket is loaded by .find(params[:id]) and secured here.
+  end
 end
 ```
 
-Overview
---------
+Custom entity
+-------------
 
-API of Heimdallr Resource basically consists of two methods, `load_resource` and `authorize_resource`.
-Both work by adding a filter in standard Rails filter chain and obey the `:only` and `:except` options.
+To explicitly specify which class should be used as a Heimdallr model you can use the following option:
+
+```ruby
+# This will use the Entity class
+load_and_authorize :resource => :'entity'
+# This will use the Namespace::OtherEntity class
+load_and_authorize :resource => :'namespace/other_entity' 
+```
+
+Namespaces
+----------
+By default Heimdallr Resource will seek for the namespace just like it does with the class. So for `Foo::Bars` controller it will try to bind to `Foo::Bar` model.
+
+Custom methods (besides CRUD)
+-----------------------------
+
+By default Heimdallr Resource will consider non-CRUD methods a `:record` methods (like `show`). So it will try to find entity using `params[:id]`. To modify this behavior to make it work like `index` or `create`, you can explicitly define the way it should handle the methods.
+
+```ruby
+load_and_authorize :collection => [:search], :new_record => [:special_create], :record => [:attack]
+```
+
+Inlined resources
+-----------------
+If you have inlined resource with such routing:
 
-`load_resource` loads a record or scope and wraps it in a Heimadllr proxy. For `index` action, a scope is
-loaded. For `show`, `new`, `create`, `edit`, `update` and `destroy` a record is loaded. No further action
-is performed by Heimdallr Resource.
+```ruby
+resources :foos do
+  resources :bars do
+    resources :bazs
+  end
+end
+```
+
+Rails will provide `params[:foo_id]` and `params[:bar_id]` inside `BazsController`. To make Heimdallr search through and assign the parent entities you can use this syntax:
+
+```ruby
+load_and_authorize_resource :through => :foo
+# or even
+load_and_authorize_resource :through => [:foo, :bar]
+```
+
+If the whole path or some if its parts are optional, you can specify the `:shallow` option.
+
+```ruby
+load_and_authorize_resource :through => [:foo, :bar], :shallow => true
+```
 
-`authorize_resource` verifies if the current security context allows for creating or updating the records.
-The checks are performed for `new`, `create`, `edit` and `update` actions.
+In the latter case it will work from any route, the direct or inlined one.
 
 Credits
 -------

data/heimdallr-resource.gemspec

@@ -3,7 +3,7 @@ $:.push File.expand_path("../lib", __FILE__)
 
 Gem::Specification.new do |s|
   s.name        = "heimdallr-resource"
-  s.version     = "1.0.1"
+  s.version     = "1.0.2"
   s.authors     = ["Peter Zotov", "Boris Staal"]
   s.email       = ["whitequark@whitequark.org", "boris@roundlake.ru"]
   s.homepage    = "http://github.com/roundlake/heimdallr-resource"

data/lib/heimdallr/resource.rb

@@ -5,7 +5,7 @@ module Heimdallr
   module ResourceImplementation
     class << self
       def prepare_options(klass, options)
-        options.merge! :resource => (options[:resource] || klass.name.sub(/Controller$/, '').underscore).to_s
+        options = options.merge :resource => (options[:resource] || klass.name.sub(/Controller$/, '').underscore).to_s
 
         filter_options = {}
         filter_options[:only]   = options.delete(:only)   if options.has_key?(:only)
@@ -17,60 +17,125 @@ module Heimdallr
       def load(controller, options)
         unless controller.instance_variable_defined?(ivar_name(controller, options))
           if options.has_key? :through
-            if options[:singleton]
-              scope = controller.instance_variable_get(:"@#{options[:through]}").
-                          send(:"#{options[:resource]}")
+            target = load_target(controller, options)
+
+            if target
+              if options[:singleton]
+                scope = target.send(:"#{options[:resource].parameterize('_')}")
+              else
+                scope = target.send(:"#{options[:resource].parameterize('_').pluralize}")
+              end
+            elsif options[:shallow]
+              scope = options[:resource].classify.constantize.scoped
             else
-              scope = controller.instance_variable_get(:"@#{options[:through]}").
-                          send(:"#{options[:resource].pluralize}")
+              raise "Cannot fetch #{options[:resource]} via #{options[:through]}"
             end
           else
-            scope = options[:resource].camelize.constantize.scoped
+            scope = options[:resource].classify.constantize.scoped
           end
 
-          case controller.params[:action]
-          when 'index'
-            controller.instance_variable_set(ivar_name(controller, options), scope)
-          when 'new', 'create'
-            controller.instance_variable_set(ivar_name(controller, options),
-                scope.new(controller.params[options[:resource]]))
-          when 'show', 'edit', 'update', 'destroy'
-            controller.instance_variable_set(ivar_name(controller, options),
-                scope.find(controller.params[:"#{options[:resource]}_id"] ||
-                           controller.params[:id]))
-          end
+          loaders = {
+            collection: -> {
+              controller.instance_variable_set(ivar_name(controller, options), scope)
+            },
+
+            new_record: -> {
+              controller.instance_variable_set(ivar_name(controller, options),
+                  scope.new(controller.params[options[:resource].split('/').last]))
+            },
+
+            record: -> {
+              controller.instance_variable_set(ivar_name(controller, options),
+                  scope.find(controller.params[:"#{options[:resource]}_id"] ||
+                             controller.params[:id]))
+            },
+
+            related_record: -> {
+              if controller.params[:"#{options[:resource]}_id"]
+                controller.instance_variable_set(ivar_name(controller, options),
+                    scope.find(controller.params[:"#{options[:resource]}_id"]))
+              end
+            }
+          }
+
+          loaders[action_type(controller.params[:action], options)].()
         end
       end
 
       def authorize(controller, options)
-        controller.instance_variable_set(ivar_name(controller, options.merge(:insecure => true)),
-            controller.instance_variable_get(ivar_name(controller, options)))
+        value = controller.instance_variable_get(ivar_name(controller, options))
+        return unless value
+
+        controller.instance_variable_set(ivar_name(controller, options.merge(:insecure => true)), value)
 
-        value = controller.instance_variable_get(ivar_name(controller, options)).
-              restrict(controller.security_context)
+        value = value.restrict(controller.security_context)
         controller.instance_variable_set(ivar_name(controller, options), value)
 
         case controller.params[:action]
         when 'new', 'create'
+          value.assign_attributes(value.reflect_on_security[:restrictions].fixtures[:create])
+
           unless value.reflect_on_security[:operations].include? :create
             raise Heimdallr::AccessDenied, "Cannot create model"
           end
+
         when 'edit', 'update'
+          value.assign_attributes(value.reflect_on_security[:restrictions].fixtures[:update])
+
           unless value.reflect_on_security[:operations].include? :update
             raise Heimdallr::AccessDenied, "Cannot update model"
           end
+
         when 'destroy'
           unless value.destroyable?
             raise Heimdallr::AccessDenied, "Cannot delete model"
           end
-        end
+        end unless options[:related]
+      end
+
+      def load_target(controller, options)
+        Array.wrap(options[:through]).map do |parent|
+          loaded = controller.instance_variable_get(:"@#{parent}")
+          unless loaded
+            load(controller, :resource => parent.to_s, :related => true)
+            loaded = controller.instance_variable_get(:"@#{parent}")
+          end
+          if loaded && options[:authorize_chain]
+            authorize(controller, :resource => parent.to_s, :related => true)
+          end
+          controller.instance_variable_get(:"@#{parent}")
+        end.reject(&:nil?).first
       end
 
       def ivar_name(controller, options)
-        if controller.params[:action] == 'index'
-          :"@#{options[:resource].pluralize}"
+        if action_type(controller.params[:action], options) == :collection
+          :"@#{options[:resource].parameterize('_').pluralize}"
         else
-          :"@#{options[:resource]}"
+          :"@#{options[:resource].parameterize('_')}"
+        end
+      end
+
+      def action_type(action, options)
+        if options[:related]
+          :related_record
+        else
+          action = action.to_sym
+          case action
+          when :index
+            :collection
+          when :new, :create
+            :new_record
+          when :show, :edit, :update, :destroy
+            :record
+          else
+            if options[:collection] && options[:collection].include?(action)
+              :collection
+            elsif options[:new] && options[:new].include?(action)
+              :new_record
+            else
+              :record
+            end
+          end
         end
       end
     end
@@ -82,12 +147,14 @@ module Heimdallr
 
     module ClassMethods
       def load_and_authorize_resource(options={})
+        options[:authorize_chain] = true
         load_resource(options)
         authorize_resource(options)
       end
 
       def load_resource(options={})
         options, filter_options = Heimdallr::ResourceImplementation.prepare_options(self, options)
+        self.own_heimdallr_options = options
 
         before_filter filter_options do |controller|
           Heimdallr::ResourceImplementation.load(controller, options)
@@ -96,11 +163,19 @@ module Heimdallr
 
       def authorize_resource(options={})
         options, filter_options = Heimdallr::ResourceImplementation.prepare_options(self, options)
+        self.own_heimdallr_options = options
 
         before_filter filter_options do |controller|
           Heimdallr::ResourceImplementation.authorize(controller, options)
         end
       end
+
+      protected
+
+      def own_heimdallr_options=(options)
+        cattr_accessor :heimdallr_options
+        self.heimdallr_options = options
+      end
     end
   end
 end

data/spec/dummy/app/controllers/entity_controller.rb

@@ -26,4 +26,8 @@ class EntityController < ApplicationController
   def destroy
     render :nothing => true
   end
+
+  def penetrate
+    render :nothing => true
+  end
 end

data/spec/dummy/config/routes.rb

@@ -1,4 +1,8 @@
 Dummy::Application.routes.draw do
-  resources :entity
+  resources :entity do
+    member do
+      post :penetrate
+    end
+  end
   resources :fluffies
 end

data/spec/resource_spec.rb

@@ -69,5 +69,13 @@ describe EntityController, :type => :controller do
       User.mock @maria
       expect { post :destroy, {:id => @public.id} }.should raise_error
     end
+
+    it "assigns the custom methods" do
+      User.mock @john
+      post :penetrate, {:id => @public.id}
+
+      assigns(:entity).should be_kind_of Heimdallr::Proxy::Record
+      assigns(:entity).id.should == @public.id
+    end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: heimdallr-resource
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 1.0.2
   prerelease: 
 platform: ruby
 authors:
@@ -10,11 +10,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-04-08 00:00:00.000000000 Z
+date: 2012-04-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec-rails
-  requirement: &70267893225580 !ruby/object:Gem::Requirement
+  requirement: &70169121125720 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -22,10 +22,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70267893225580
+  version_requirements: *70169121125720
 - !ruby/object:Gem::Dependency
   name: activerecord
-  requirement: &70267893201220 !ruby/object:Gem::Requirement
+  requirement: &70169121125180 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -33,10 +33,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70267893201220
+  version_requirements: *70169121125180
 - !ruby/object:Gem::Dependency
   name: sqlite3
-  requirement: &70267893200560 !ruby/object:Gem::Requirement
+  requirement: &70169121124440 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -44,10 +44,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70267893200560
+  version_requirements: *70169121124440
 - !ruby/object:Gem::Dependency
   name: tzinfo
-  requirement: &70267893199740 !ruby/object:Gem::Requirement
+  requirement: &70169121116540 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -55,10 +55,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70267893199740
+  version_requirements: *70169121116540
 - !ruby/object:Gem::Dependency
   name: heimdallr
-  requirement: &70267893198820 !ruby/object:Gem::Requirement
+  requirement: &70169121115860 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -66,7 +66,7 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *70267893198820
+  version_requirements: *70169121115860
 description: Heimdallr-Resource provides CanCan-like interface for Heimdallr-secured
   objects.
 email: