heimdallr-resource 1.0.3 → 1.2.0

data/.rspec

@@ -1,2 +1 @@
---color
---format progress
+--tty --color --format progress

data/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## 1.2.0
+
+* Numerous fixes [@alerticus][], [@voidseeker][]
+* :instance_name option [@voidseeker][]
+* :through_association option [@voidseeker][]
+* Improved specs [@alerticus][], [@voidseeker][]
+
 ## 1.0.2
 
 * Additional methods resources assignation [@whitequark][]
@@ -8,5 +15,7 @@
 
 * load_and_authorize_resource accepts just one hash parameter from now [@_inossidabile][]
 
+[@voidseeker]: https://github.com/voidseeker
+[@alerticus]: http://github.com/AlexanderPavlenko
 [@_inossidabile]: http://twitter.com/#!/_inossidabile
 [@whitequark]: http://twitter.com/#!/whitequark

data/README.md

@@ -5,15 +5,17 @@ Heimdallr Resource is a gem which provides CanCan-like interface for writing sec
 controllers on top of [Heimdallr](http://github.com/roundlake/heimdallr)-protected
 models.
 
+![Travis CI](https://secure.travis-ci.org/roundlake/heimdallr-resource.png)
+
 Overview
 --------
 
-API of Heimdallr Resource basically consists of two methods, `load_resource` and `authorize_resource`.
+API of Heimdallr Resource basically consists of two methods, `load_resource` and `load_and_authorize_resource`.
 Both work by adding a filter in standard Rails filter chain and obey the `:only` and `:except` options.
 
 `load_resource` loads a record or scope and wraps it in a Heimadllr proxy. For `index` action, a scope is loaded. For `show`, `new`, `create`, `edit`, `update` and `destroy` a record is loaded. No further action is performed by Heimdallr Resource.
 
-`authorize_resource` verifies if the current security context allows for creating or updating the records. The checks are performed for `new`, `create`, `edit` and `update` actions. `index` will simply follow the defined `:fetch` scope.
+`load_and_authorize_resource` loads a record and verifies if the current security context allows for creating, updating or destroying the records. The checks are performed for `new`, `create`, `edit`, `update` and `destroy` actions. `index` and `show` will simply follow the defined `:fetch` scope.
 
 ```ruby
 class CricketController < ApplicationController
@@ -70,7 +72,7 @@ Custom methods (besides CRUD)
 By default Heimdallr Resource will consider non-CRUD methods a `:record` methods (like `show`). So it will try to find entity using `params[:id]`. To modify this behavior to make it work like `index` or `create`, you can explicitly define the way it should handle the methods.
 
 ```ruby
-load_and_authorize :collection => [:search], :new_record => [:special_create], :record => [:attack]
+load_and_authorize :collection => [:search], :new_record => [:special_create]
 ```
 
 Inlined resources
@@ -106,8 +108,10 @@ Credits
 
 <img src="http://roundlake.ru/assets/logo.png" align="right" />
 
-* Peter Zotov ([@whitequark](http://twitter.com/#!/whitequark))
-* Boris Staal ([@_inossidabile](http://twitter.com/#!/_inossidabile))
+* Peter Zotov ([@whitequark](http://twitter.com/whitequark))
+* Boris Staal ([@_inossidabile](http://twitter.com/_inossidabile))
+* Alexander Pavlenko ([@alerticus](https://twitter.com/alerticus))
+* Shamil Fattakhov ([@voidseeker](https://github.com/voidseeker))
 
 LICENSE
 -------

data/heimdallr-resource.gemspec

@@ -3,9 +3,9 @@ $:.push File.expand_path("../lib", __FILE__)
 
 Gem::Specification.new do |s|
   s.name        = "heimdallr-resource"
-  s.version     = "1.0.3"
-  s.authors     = ["Peter Zotov", "Boris Staal"]
-  s.email       = ["whitequark@whitequark.org", "boris@roundlake.ru"]
+  s.version     = "1.2.0"
+  s.authors     = ["Peter Zotov", "Boris Staal", "Alexander Pavlenko", "Shamil Fattakhov"]
+  s.email       = ["whitequark@whitequark.org", "boris@roundlake.ru", "a.pavlenko@roundlake.ru"]
   s.homepage    = "http://github.com/roundlake/heimdallr-resource"
   s.summary     = %q{Heimdallr-Resource provides CanCan-like interface for Heimdallr-secured objects.}
   s.description = s.summary
@@ -16,6 +16,7 @@ Gem::Specification.new do |s|
   s.require_paths = ["lib"]
 
   s.add_development_dependency "rspec-rails"
+  s.add_development_dependency "rr"
   s.add_development_dependency "activerecord"
   s.add_development_dependency "sqlite3"
   s.add_development_dependency "tzinfo"

data/lib/heimdallr-resource.rb

@@ -0,0 +1,2 @@
+require 'heimdallr/resource'
+require 'heimdallr/resource_implementation'

data/lib/heimdallr/resource.rb

@@ -1,210 +1,40 @@
 module Heimdallr
-  # {AccessDenied} exception is to be raised when access is denied to an action.
-  class AccessDenied < StandardError; end
-
-  module ResourceImplementation
-    class << self
-      def prepare_options(klass, options)
-        options = options.merge :resource => (options[:resource] || klass.name.sub(/Controller$/, '').underscore).to_s
-
-        filter_options = {}
-        filter_options[:only]   = options.delete(:only)   if options.has_key?(:only)
-        filter_options[:except] = options.delete(:except) if options.has_key?(:except)
-
-        [ options, filter_options ]
-      end
-
-      def load(controller, options)
-        unless controller.instance_variable_defined?(ivar_name(controller, options))
-          if options.has_key? :through
-            target = load_target(controller, options)
-
-            if target
-              if options[:singleton]
-                scope = target.send(:"#{variable_name(options)}")
-              else
-                scope = target.send(:"#{variable_name(options).pluralize}")
-              end
-            elsif options[:shallow]
-              scope = class_name(options).constantize.scoped
-            else
-              raise "Cannot fetch #{options[:resource]} via #{options[:through]}"
-            end
-          else
-            scope = class_name(options).constantize.scoped
-          end
-
-          loaders = {
-            collection: -> {
-              controller.instance_variable_set(ivar_name(controller, options), scope)
-            },
-
-            new_record: -> {
-              controller.instance_variable_set(
-                ivar_name(controller, options),
-                scope.new(controller.params[params_key_name(options)] || {})
-              )
-            },
-
-            record: -> {
-              controller.instance_variable_set(
-                ivar_name(controller, options),
-                scope.find([:"#{params_key_name(options)}_id", :id].map{|key| controller.params[key] }.reject(&:blank?)[0])
-              )
-            },
-
-            related_record: -> {
-              unless controller.params[:"#{params_key_name(options)}_id"].blank?
-                controller.instance_variable_set(
-                  ivar_name(controller, options),
-                  scope.find(controller.params[:"#{params_key_name(options)}_id"])
-                )
-              end
-            }
-          }
-
-          loaders[action_type(controller.params[:action], options)].()
-        end
-      end
-
-      def authorize(controller, options)
-        value = controller.instance_variable_get(ivar_name(controller, options))
-        return unless value
-
-        controller.instance_variable_set(ivar_name(controller, options.merge(:insecure => true)), value)
-
-        value = value.restrict(controller.security_context)
-        controller.instance_variable_set(ivar_name(controller, options), value)
-
-        case controller.params[:action]
-        when 'new', 'create'
-          value.assign_attributes(value.reflect_on_security[:restrictions].fixtures[:create])
-
-          unless value.reflect_on_security[:operations].include? :create
-            raise Heimdallr::AccessDenied, "Cannot create model"
-          end
-
-        when 'edit', 'update'
-          value.assign_attributes(value.reflect_on_security[:restrictions].fixtures[:update])
-
-          unless value.reflect_on_security[:operations].include? :update
-            raise Heimdallr::AccessDenied, "Cannot update model"
-          end
-
-        when 'destroy'
-          unless value.destroyable?
-            raise Heimdallr::AccessDenied, "Cannot delete model"
-          end
-        end unless options[:related]
-      end
-
-      def load_target(controller, options)
-        Array.wrap(options[:through]).map do |parent|
-          loaded = controller.instance_variable_get(:"@#{variable_name parent}")
-          unless loaded
-            load(controller, :resource => parent.to_s, :related => true)
-            loaded = controller.instance_variable_get(:"@#{variable_name parent}")
-          end
-          if loaded && options[:authorize_chain]
-            authorize(controller, :resource => parent.to_s, :related => true)
-          end
-          controller.instance_variable_get(:"@#{variable_name parent}")
-        end.reject(&:nil?).first
-      end
-
-      def ivar_name(controller, options)
-        if action_type(controller.params[:action], options) == :collection
-          :"@#{variable_name(options).pluralize}"
-        else
-          :"@#{variable_name(options)}"
-        end
-      end
-
-      def action_type(action, options)
-        if options[:related]
-          :related_record
-        else
-          action = action.to_sym
-          case action
-          when :index
-            :collection
-          when :new, :create
-            :new_record
-          when :show, :edit, :update, :destroy
-            :record
-          else
-            if options[:collection] && options[:collection].include?(action)
-              :collection
-            elsif options[:new] && options[:new].include?(action)
-              :new_record
-            else
-              :record
-            end
-          end
-        end
-      end
-
-      def variable_name(options)
-        if options.kind_of? Hash
-          options[:resource]
-        else
-          options.to_s
-        end.parameterize('_')
-      end
-
-      def class_name(options)
-        if options.kind_of? Hash
-          options[:resource]
-        else
-          options.to_s
-        end.classify
-      end
-
-      def params_key_name(options)
-        if options.kind_of? Hash
-          options[:resource]
-        else
-          options.to_s
-        end.split('/').last
-      end
-    end
-  end
 
   # {Resource} is a mixin providing CanCan-like interface for Rails controllers.
   module Resource
     extend ActiveSupport::Concern
 
     module ClassMethods
-      def load_and_authorize_resource(options={})
-        options[:authorize_chain] = true
-        load_resource(options)
-        authorize_resource(options)
+      def load_resource(options = {})
+        Heimdallr::ResourceImplementation.add_before_filter self, :load_resource, options
       end
 
-      def load_resource(options={})
-        options, filter_options = Heimdallr::ResourceImplementation.prepare_options(self, options)
-        self.own_heimdallr_options = options
-
-        before_filter filter_options do |controller|
-          Heimdallr::ResourceImplementation.load(controller, options)
-        end
+      def load_and_authorize_resource(options = {})
+        Heimdallr::ResourceImplementation.add_before_filter self, :load_and_authorize_resource, options
       end
 
-      def authorize_resource(options={})
-        options, filter_options = Heimdallr::ResourceImplementation.prepare_options(self, options)
-        self.own_heimdallr_options = options
-
-        before_filter filter_options do |controller|
-          Heimdallr::ResourceImplementation.authorize(controller, options)
+      def skip_authorization_check(options = {})
+        prepend_before_filter options do |controller|
+          controller.instance_variable_set :@_skip_authorization_check, true
         end
       end
 
-      protected
-
+    protected
       def own_heimdallr_options=(options)
-        cattr_accessor :heimdallr_options
+        class << self
+          attr_accessor :heimdallr_options
+        end
         self.heimdallr_options = options
       end
     end
+
+  protected
+    def skip_authorization_check?
+      @_skip_authorization_check
+    end
   end
-end
+
+  # {AccessDenied} exception is to be raised when access is denied to an action.
+  class AccessDenied < StandardError; end
+  
+end

data/lib/heimdallr/resource_implementation.rb

@@ -0,0 +1,190 @@
+module Heimdallr
+  class ResourceImplementation
+    def self.add_before_filter(controller_class, method, options)
+      options, filter_options = Heimdallr::ResourceImplementation.prepare_options controller_class, options
+      controller_class.send :own_heimdallr_options=, options
+
+      controller_class.class_eval do
+        before_filter filter_options do |controller|
+          Heimdallr::ResourceImplementation.new(controller, options).send method
+        end
+      end
+    end
+
+    def self.prepare_options(controller_class, options)
+      options = options.dup
+      options[:resource] ||= controller_class.name.sub(/Controller$/, '').singularize.underscore
+
+      filter_keys = [:only, :except]
+
+      filter_options = filter_keys.inject({}) do |hash, key|
+        hash[key] = options.delete key if options.has_key? key
+        hash
+      end
+
+      [options, filter_options]
+    end
+
+    def initialize(controller, options)
+      @controller = controller
+      @options = options
+    end
+
+    def load_resource
+      ResourceLoader.new(@controller, @options).load
+    end
+
+    def load_and_authorize_resource
+      resource = ResourceLoader.new(@controller, @options, :restricted => true).load
+      authorize_resource resource unless @controller.send :skip_authorization_check?
+      resource
+    end
+
+    def authorize_resource(resource)
+      case @controller.params[:action]
+      when 'new', 'create'
+        raise Heimdallr::AccessDenied, "Cannot create model" unless resource.creatable?
+        resource.assign_attributes resource.reflect_on_security[:restrictions].fixtures[:create]
+
+      when 'edit', 'update'
+        raise Heimdallr::AccessDenied, "Cannot update model" unless resource.modifiable?
+        resource.assign_attributes resource.reflect_on_security[:restrictions].fixtures[:update]
+
+      when 'destroy'
+        raise Heimdallr::AccessDenied, "Cannot delete model" unless resource.destroyable?
+      end
+    end
+
+    class ResourceLoader
+      def initialize(controller, options, loader_options = {})
+        @restricted = loader_options[:restricted]
+        @parent = loader_options[:parent]
+        @controller = controller
+        @options = options
+        @params = controller.params
+      end
+
+      def load
+        return @controller.instance_variable_get(ivar_name) if @controller.instance_variable_defined? ivar_name
+
+        if !@parent && @options.has_key?(:through)
+          parent_resource = load_parent
+          raise "Cannot fetch #{@options[:resource]} through #{@options[:through]}" unless parent_resource || @options[:shallow]
+        else
+          parent_resource = nil
+        end
+
+        resource = self.send action_type, resource_scope(parent_resource), parent_resource
+        @controller.instance_variable_set ivar_name, resource unless resource.nil?
+        resource
+      end
+
+      def load_parent
+        Array.wrap(@options[:through]).map { |parent|
+          ResourceLoader.new(@controller, {:resource => parent}, :restricted => @restricted, :parent => true).load
+        }.reject(&:nil?).first
+      end
+
+      def resource_scope(parent_resource)
+        if parent_resource
+          if @options[:through_association]
+            parent_resource.send @options[:through_association]
+          elsif @options[:singleton]
+            parent_resource.send :"#{variable_name}"
+          else
+            parent_resource.send :"#{variable_name.pluralize}"
+          end
+        else
+          if @restricted
+            class_name.constantize.restrict(@controller.security_context)
+          else
+            class_name.constantize.scoped
+          end
+        end
+      end
+
+      def collection(scope, parent_resource)
+        scope
+      end
+
+      def new_resource(scope, parent_resource)
+        attributes = @params[params_key_name] || {}
+
+        if @options[:singleton] && parent_resource
+          if scope.nil?
+            parent_resource.send singleton_builder_name, attributes
+          else
+            scope.assign_attributes attributes
+            scope
+          end
+        else
+          scope.new attributes
+        end
+      end
+
+      def resource(scope, parent_resource)
+        if @options[:singleton] && parent_resource
+          scope
+        else
+          key = [:"#{params_key_name}_id", :id].map{|key| @params[key] }.find &:present?
+          scope.send(@options[:finder] || :find, key)
+        end
+      end
+
+      def parent_resource(scope, parent_resource)
+        key = @params[:"#{params_key_name}_id"]
+        return if key.blank?
+        scope.send(@options[:finder] || :find, key)
+      end
+
+      def action_type
+        if @parent
+          :parent_resource
+        else
+          case action = @params[:action].to_sym
+          when :index
+            :collection
+          when :new, :create
+            :new_resource
+          when :show, :edit, :update, :destroy
+            :resource
+          else
+            if @options[:collection] && @options[:collection].include?(action)
+              :collection
+            elsif @options[:new_record] && @options[:new_record].include?(action)
+              :new_resource
+            else
+              :resource
+            end
+          end
+        end
+      end
+
+      def ivar_name
+        name = (@options[:instance_name] || variable_name).to_s
+        name = name.pluralize if action_type == :collection
+        :"@#{name}"
+      end
+
+      def resource_name
+        @options[:resource].to_s
+      end
+
+      def variable_name
+        resource_name.parameterize('_')
+      end
+
+      def class_name
+        resource_name.classify
+      end
+
+      def params_key_name
+        resource_name.split('/').last
+      end
+
+      def singleton_builder_name
+        :"build_#{@options[:through_association] || variable_name}"
+      end
+    end
+  end
+end