hobo 0.8.3 → 0.8.4

data/lib/hobo/model_controller.rb

@@ -7,6 +7,7 @@ module Hobo
     VIEWLIB_DIR = "taglibs"
 
     DONT_PAGINATE_FORMATS = [ Mime::CSV, Mime::YAML, Mime::JSON, Mime::XML, Mime::ATOM, Mime::RSS ]
+    WILL_PAGINATE_OPTIONS = [ :page, :per_page, :total_entries, :count, :finder]
 
     READ_ONLY_ACTIONS  = [:index, :show]
     WRITE_ONLY_ACTIONS = [:create, :update, :destroy]
@@ -30,7 +31,7 @@ module Hobo
 
           rescue_from ActiveRecord::RecordNotFound, :with => :not_found
 
-          rescue_from Hobo::Model::PermissionDeniedError,  :with => :permission_denied
+          rescue_from Hobo::PermissionDeniedError,         :with => :permission_denied
           rescue_from Hobo::Lifecycles::LifecycleKeyError, :with => :permission_denied
 
           alias_method_chain :render, :hobo_model
@@ -57,7 +58,7 @@ module Hobo
         dir = "#{RAILS_ROOT}/app/controllers#{'/' + subsite if subsite}"
         Dir.entries(dir).each do |f|
           if f =~ /^[a-zA-Z_][a-zA-Z0-9_]*_controller\.rb$/
-            name = f.sub(/.rb$/, '').camelize
+            name = f.remove(/.rb$/).camelize
             name = "#{subsite.camelize}::#{name}" if subsite
             name.constantize
           end
@@ -69,12 +70,7 @@ module Hobo
       names = (@controller_names || []).select { |n| subsite ? n =~ /^#{subsite.camelize}::/ : n !~ /::/ }
       
       names.map do |name|
-        begin
-          name.constantize
-        rescue NameError
-          @controller_names.delete name
-          nil
-        end
+        name.safe_constantize || (@controller_names.delete name; nil)
       end.compact
     end
     
@@ -85,7 +81,7 @@ module Hobo
       attr_writer :model
       
       def model_name
-        name.sub(/Controller$/, "").singularize
+        name.demodulize.remove(/Controller$/).singularize
       end
       
       def model
@@ -115,7 +111,7 @@ module Hobo
           # Make sure we have a copy of the options - it is being mutated somewhere
           opts = {}.merge(options)
           self.this = find_instance(opts) unless opts[:no_find]
-          raise Hobo::Model::PermissionDeniedError unless Hobo.can_call?(current_user, @this, method)
+          raise Hobo::PermissionDeniedError unless Hobo.can_call?(current_user, @this, method)
           if got_block
             instance_eval(&block)
           else
@@ -178,21 +174,23 @@ module Hobo
 
       def def_lifecycle_actions
         if model.has_lifecycle?
-          model::Lifecycle.creator_names.each do |creator|
-            def_auto_action creator do
-              creator_page_action creator
+          model::Lifecycle.publishable_creators.each do |creator|
+            name = creator.name
+            def_auto_action name do
+              creator_page_action name
             end
-            def_auto_action "do_#{creator}" do
-              do_creator_action creator
+            def_auto_action "do_#{name}" do
+              do_creator_action name
             end
           end
 
-          model::Lifecycle.transition_names.each do |transition|
-            def_auto_action transition do
-              transition_page_action transition
+          model::Lifecycle.publishable_transitions.each do |transition|
+            name = transition.name
+            def_auto_action name do
+              transition_page_action name
             end
-            def_auto_action "do_#{transition}" do
-              do_transition_action transition
+            def_auto_action "do_#{name}" do
+              do_transition_action name
             end
           end
         end
@@ -220,7 +218,11 @@ module Hobo
             define_method(name, &block)
           else
             if scope = options.delete(:scope)
-              define_method(name) { hobo_index scope, options.dup }
+              if scope.is_a?(Symbol)
+                define_method(name) { hobo_index model.send(scope), options.dup }
+              else
+                define_method(name) { hobo_index scope, options.dup }
+              end
             else
               define_method(name) { hobo_index options.dup }
             end
@@ -310,8 +312,8 @@ module Hobo
         # GET users/signup, and would show the form, while 'do_signup'
         # would be routed to POST /users/signup)
         if model.has_lifecycle?
-          (model::Lifecycle.creator_names.map { |c| [c, "do_#{c}"] } +
-           model::Lifecycle.transition_names.map { |t| [t, "do_#{t}"] }).flatten.*.to_sym
+          (model::Lifecycle.publishable_creators.map { |c| [c.name, "do_#{c.name}"] } +
+           model::Lifecycle.publishable_transitions.map { |t| [t.name, "do_#{t.name}"] }).flatten.*.to_sym
         else
           []
         end
@@ -353,11 +355,10 @@ module Hobo
     def valid?; this.errors.empty?; end
 
 
-    def re_render_form(default_action)
+    def re_render_form(default_action=nil)
       if params[:page_path]
         controller, view = Controller.controller_and_view_for(params[:page_path])
         view = default_action if view == Dryml::EMPTY_PAGE
-        @this = instance_variable_get("@#{controller.singularize}")
         render :template => "#{controller}/#{view}"
       else
         render :action => default_action
@@ -369,7 +370,7 @@ module Hobo
       after_submit = params[:after_submit]
 
       # The after_submit post parameter takes priority
-      (after_submit == "stay-here" ? session[:previous_page_path] : after_submit) ||
+      (after_submit == "stay-here" ? previous_page_path : after_submit) ||
 
         # Then try the record's show page
         (!destroyed && object_url(@this)) ||
@@ -384,6 +385,12 @@ module Hobo
         home_page
     end
     
+
+    # TODO: Get rid of this joke of an idea that fails miserably if you open another browser window.
+    def previous_page_path
+      session[:previous_page_path]
+    end
+    
     
     def redirect_after_submit(*args)
       options = args.extract_options!
@@ -427,7 +434,7 @@ module Hobo
         options.reverse_merge!(:page => params[:page] || 1)
         finder.paginate(options)
       else
-        finder.all(options)
+        finder.all(options.except(*WILL_PAGINATE_OPTIONS))
       end
     end
     
@@ -437,7 +444,7 @@ module Hobo
       klass = refl.klass
       id = params["#{klass.name.underscore}_id"]
       owner = klass.find(id)
-      instance_variable_set("@#{owner.class.name.underscore}", owner)
+      instance_variable_set("@#{owner_association}", owner)
       [owner, owner.send(model.reverse_reflection(owner_association).name)]
     end
 
@@ -469,7 +476,7 @@ module Hobo
 
 
     def hobo_new(record=nil, &b)
-      self.this = record || model.user_new!(current_user)
+      self.this = record || model.user_new(current_user)
       response_block(&b)
     end
     
@@ -484,7 +491,7 @@ module Hobo
     def hobo_create(*args, &b)
       options = args.extract_options!
       self.this = args.first || new_for_create
-      this.user_save_changes(current_user, options[:attributes] || attribute_parameters || {})
+      this.user_update_attributes(current_user, options[:attributes] || attribute_parameters || {})
       create_response(:new, &b)
     end
     
@@ -493,7 +500,7 @@ module Hobo
       options = args.extract_options!
       owner, association = find_owner_and_association(owner)
       self.this = args.first || association.new
-      this.user_save_changes(current_user, options[:attributes] || attribute_parameters || {})
+      this.user_update_attributes(current_user, options[:attributes] || attribute_parameters || {})
       create_response(:"new_for_#{owner}", &b)    
     end
 
@@ -506,7 +513,7 @@ module Hobo
     def new_for_create
       type_param = subtype_for_create
       create_model = type_param ? type_param.constantize : model
-      create_model.new
+      create_model.user_new(current_user)
     end
     
     
@@ -542,7 +549,7 @@ module Hobo
 
       self.this = args.first || find_instance
       changes = options[:attributes] || attribute_parameters or raise RuntimeError, "No update specified in params"
-      this.user_save_changes(current_user, changes)
+      this.user_update_attributes(current_user, changes)
 
       # Ensure current_user isn't out of date
       @current_user = @this if @this == current_user
@@ -605,38 +612,49 @@ module Hobo
 
     # --- Lifecycle Actions --- #
 
+    def creator_page_action(name, &b)
+      self.this = model.new
+      this.exempt_from_edit_checks = true
+      @creator = model::Lifecycle.creator(name)
+      raise Hobo::PermissionDeniedError unless @creator.allowed?(current_user)
+      response_block &b
+    end
+
+
     def do_creator_action(name, options={}, &b)
-      @creator = model::Lifecycle.creators[name.to_s]
+      @creator = model::Lifecycle.creator(name)
       self.this = @creator.run!(current_user, attribute_parameters)
       response_block(&b) or
         if valid?
           redirect_after_submit options
         else
+          this.exempt_from_edit_checks = true
           re_render_form(name)
         end
     end
 
 
-    def creator_page_action(name)
-      self.this = model.new
-      this.exempt_from_edit_checks = true
-      @creator = model::Lifecycle.creators[name.to_s] or raise ArgumentError, "No such creator in lifecycle: #{name}"
-    end
-
-
-    def prepare_for_transition(name, options={})
+    def prepare_transition(name, options)
+      key = options.delete(:key) || params[:key]
+      
       self.this = find_instance do |record|
         # The block allows us to perform actions on the records before the permission check
         record.exempt_from_edit_checks = true
-        record.lifecycle.provided_key = params[:key]
+        record.lifecycle.provided_key = key
       end
-      @transition = this.lifecycle.find_transition(name, current_user)
+      this.lifecycle.find_transition(name, current_user) or raise Hobo::PermissionDeniedError
+    end
+
+
+    def transition_page_action(name, options={}, &b)
+      @transition = prepare_transition(name, options)
+      response_block &b
     end
 
 
     def do_transition_action(name, *args, &b)
       options = args.extract_options!
-      prepare_for_transition(name)
+      @transition = prepare_transition(name, options)
       @transition.run!(this, current_user, attribute_parameters)
       response_block(&b) or
         if valid?
@@ -647,11 +665,6 @@ module Hobo
     end
 
 
-    def transition_page_action(name, *args)
-      options = args.extract_options!
-      prepare_for_transition(name, options)
-    end
-
     # --- Miscelaneous Actions --- #
 
     def hobo_completions(attribute, finder, options={})
@@ -667,7 +680,7 @@ module Hobo
       ordering = params["#{model.name.underscore}_ordering"]
       if ordering
         ordering.each_with_index do |id, position|
-          model.user_update(current_user, id, :position => position+1)
+          model.find(id).user_update_attributes(current_user, :position => position+1)
         end
         hobo_ajax_response || render(:nothing => true)
       else
@@ -680,8 +693,8 @@ module Hobo
     # --- Response helpers --- #
 
     def permission_denied(error)
-      self.this = nil # Otherwise this gets sent user_view
-      if :permission_denied.in?(self.class.superclass.instance_methods)
+      self.this = true # Otherwise this gets sent user_view
+      if "permission_denied".in?(self.class.superclass.instance_methods)
         super
       else
         respond_to do |wants|
@@ -701,7 +714,7 @@ module Hobo
 
 
     def not_found(error)
-      if :not_found_response.in?(self.class.superclass.instance_methods)
+      if "not_found_response".in?(self.class.superclass.instance_methods)
         super
       elsif render_tag("not-found-page", {}, :status => 404)
         # cool

data/lib/hobo/model_router.rb

@@ -173,14 +173,17 @@ module Hobo
 
     def owner_routes
       controller.owner_actions.each_pair do |owner, actions|
-        collection         = model.reverse_reflection(owner).name
+        collection_refl = model.reverse_reflection(owner)
+        raise HoboError, "Hob routing error -- can't find reverse association for #{model}##{owner} " +
+                         "(e.g. the :has_many that corresponds to a :belongs_to)" if collection_refl.nil?
+        collection         = collection_refl.name
         owner_class        = model.reflections[owner].klass.name.underscore
 
         owner = owner.to_s.singularize if model.reflections[owner].macro == :has_many
 
         collection_path = "#{owner_class.pluralize}/:#{owner_class}_id/#{collection}"
 
-        actions.each do |action| 
+        actions.each do |action|
           case action
           when :index
             linkable_route("#{plural}_for_#{owner}",          collection_path,          "index_for_#{owner}",

data/lib/hobo/permissions.rb

@@ -0,0 +1,397 @@
+module Hobo
+  
+  module Permissions
+    
+    def self.enable
+      Hobo::Permissions::Associations.enable
+    end
+    
+    def self.included(klass)
+      klass.extend ClassMethods
+      
+      create_with_callbacks  = find_aliased_name klass, :create_with_callbacks
+      update_with_callbacks  = find_aliased_name klass, :update_with_callbacks
+      destroy_with_callbacks = find_aliased_name klass, :destroy_with_callbacks
+      
+      klass.class_eval do
+        alias_method create_with_callbacks,  :create_with_callbacks_with_hobo_permission_check
+        alias_method update_with_callbacks,  :update_with_callbacks_with_hobo_permission_check
+        alias_method destroy_with_callbacks, :destroy_with_callbacks_with_hobo_permission_check
+
+        attr_accessor :acting_user, :origin, :origin_attribute
+
+        bool_attr_accessor :exempt_from_edit_checks
+        
+        define_callbacks :after_user_new
+      end
+    end
+    
+    def self.find_aliased_name(klass, method_name)
+      # The method +method_name+ will have been aliased. We jump through some hoops to figure out
+      # what it's new name is
+      method_name = method_name.to_s
+      method = klass.instance_method method_name
+      methods = klass.private_instance_methods + klass.instance_methods
+      new_name = methods.select {|m| klass.instance_method(m) == method }.find { |m| m != method_name }
+    end
+    
+    module ClassMethods
+      
+      def user_find(user, *args)
+        record = find(*args)
+        yield(record) if block_given?
+        record.user_view user
+        record
+      end
+
+
+      def user_new(user, attributes={})
+        new(attributes) do |r|
+          r.set_creator user
+          yield r if block_given? 
+          r.user_view(user)
+          r.send :callback, :after_user_new
+        end
+      end
+
+
+      def user_create(user, attributes={}, &block)
+        if attributes.is_a?(Array)
+          attributes.map { |attrs| user_create(user, attrs) }
+        else
+          record = user_new(user, attributes, &block)
+          record.user_save(user)
+          record
+        end
+      end
+
+
+      def user_create!(user, attributes={}, &block)
+        if attributes.is_a?(Array)
+          attributes.map { |attrs| user_create(user, attrs) }
+        else
+          record = user_new(user, attributes, &block)
+          record.user_save!(user)
+          record
+        end
+      end
+      
+      def viewable_by?(user, attribute=nil)
+        new.viewable_by?(user, attribute)
+      end
+      
+    end
+    
+    
+    # --- Hook ActiveRecord CRUD actions --- #
+    
+    
+    def permission_check_required?
+      # Lifecycle steps are exempt from permission checks
+      acting_user && !(self.class.has_lifecycle? && lifecycle.active_step)
+    end
+        
+    def create_with_callbacks_with_hobo_permission_check(*args)
+      return false if callback(:before_create) == false
+      
+      if permission_check_required?
+        create_permitted? or raise PermissionDeniedError, "#{self.class.name}#create"
+      end
+      
+      result = create_without_callbacks
+      callback(:after_create)
+      result
+    end
+
+    def update_with_callbacks_with_hobo_permission_check(*args)
+      return false if callback(:before_update) == false
+      
+      if permission_check_required?
+        update_permitted? or raise PermissionDeniedError, "#{self.class.name}#update"
+      end
+      
+      result = update_without_callbacks(*args)
+      callback(:after_update)
+      result
+    end
+
+    def destroy_with_callbacks_with_hobo_permission_check
+      return false if callback(:before_destroy) == false
+      
+      if permission_check_required?
+        destroy_permitted? or raise PermissionDeniedError, "#{self.class.name}#.destroy"
+      end
+      
+      result = destroy_without_callbacks
+      callback(:after_destroy)
+      result
+    end
+    
+    # -------------------------------------- #
+    
+
+    # --- Permissions API --- #
+    
+    
+    def with_acting_user(user)
+      old = acting_user
+      self.acting_user = user
+      result = yield
+      self.acting_user = old
+      result
+    end
+    
+    def user_save(user)
+      with_acting_user(user) { save }
+    end
+        
+    def user_save!(user)
+      with_acting_user(user) { save! }
+    end
+
+    def user_destroy(user)
+      with_acting_user(user) { destroy }
+    end
+        
+    def user_view(user, attribute=nil)
+      raise PermissionDeniedError unless viewable_by?(user, attribute)
+    end
+        
+    def user_update_attributes(user, attributes)
+      with_acting_user(user) do
+        self.attributes = attributes
+        save
+      end
+    end
+
+    def user_update_attributes!(user, attributes)
+      with_acting_user(user) do
+        self.attributes = attributes
+        save!
+      end
+    end
+    
+    def creatable_by?(user)
+      with_acting_user(user) { create_permitted? }
+    end
+
+    def updatable_by?(user)
+      with_acting_user(user) { update_permitted? }
+    end
+    
+    def destroyable_by?(user)
+      with_acting_user(user) { destroy_permitted? }
+    end
+    
+    def method_callable_by?(user, method)
+      permission_method = "#{method}_call_permitted?"
+      respond_to?(permission_method) && with_acting_user(current_user) { send(permission_method) }
+    end
+    
+    def viewable_by?(user, attribute=nil)
+      if attribute
+        attribute = attribute.to_s.sub(/\?$/, '').to_sym
+        return false if attribute && self.class.never_show?(attribute)
+      end
+      with_acting_user(user) { view_permitted?(attribute) }
+    end
+    
+    
+    def editable_by?(user, attribute=nil)
+      return false if attribute_protected?(attribute)
+      
+      return true if exempt_from_edit_checks?
+
+      # Can't view implies can't edit
+      return false unless viewable_by?(user, attribute)
+      
+      if attribute
+        attribute = attribute.to_s.sub(/\?$/, '').to_sym
+
+        # Try the attribute-specic edit-permission method if there is one
+        if has_hobo_method?(meth = "#{attribute}_edit_permitted?")
+          with_acting_user(user) { send(meth) } 
+        end
+      
+        # No setter = no edit permission
+        return false if !respond_to?("#{attribute}=")
+
+        refl = self.class.reflections[attribute.to_sym]
+        if refl && refl.macro != :belongs_to # a belongs_to is handled the same as a regular attribute
+          return association_editable_by?(user, refl)
+        end
+      end
+
+      with_acting_user(user) { edit_permitted?(attribute) }
+    end
+    
+    
+    def attribute_protected?(attribute)
+      attribute = attribute.to_s
+      
+      return true if attributes_protected_by_default.include? attribute
+      
+      if self.class.accessible_attributes
+        return true if !self.class.accessible_attributes.include?(attribute)
+      elsif self.class.protected_attributes
+        return true if self.class.protected_attributes.include?(attribute)
+      end
+      
+      # Readonly attributes can be set on creation but not thereafter
+      return self.class.readonly_attributes.include?(attribute) if !new_record? && self.class.readonly_attributes
+      
+      false
+    end
+    
+    
+    def association_editable_by?(user, reflection)      
+      # has_one and polymorphic associations are not editable (for now)
+      return false if reflection.macro == :has_one || reflection.options[:polymorphic]
+      
+      return false unless reflection.options[:accessible]
+            
+      record = if (through = reflection.through_reflection)
+                 # For edit permission on a has_many :through,
+                 # the user needs create+destroy permission on the join model
+                 send(through.name).new_candidate
+               else
+                 # For edit permission on a regular has_many,
+                 # the user needs create/destroy permission on the member model
+                 send(reflection.name).new_candidate
+               end
+      record.creatable_by?(user) && record.destroyable_by?(user)
+    end
+    
+    # ----------------------- #
+    
+    
+    # --- Permission Declaration Helpers --- #
+    
+    def only_changed?(*attributes)
+      attributes = attributes.map do |attr|
+        with_attribute_or_belongs_to_keys(attr) { |a, ftype| ftype ? [a, ftype] : a }
+      end.flatten
+      
+      changed.all? { |attr| attributes.include?(attr) }
+    end
+    
+    def none_changed?(*attributes)
+      attributes = attributes.map do |attr|
+        with_attribute_or_belongs_to_keys(attr) { |a, ftype| ftype ? [a, ftype] : a }
+      end.flatten
+      
+      attributes.all? { |attr| !changed.include?(attr) }
+    end
+
+    def any_changed?(*attributes)
+      attributes.any? do |attr|
+        with_attribute_or_belongs_to_keys(attr) do |a, ftype|
+          if ftype
+            changed.include?(a) || changed.include?(ftype)
+          else
+            changed.include?(a)
+          end
+        end
+      end
+    end
+
+    def all_changed?(*attributes)
+      attributes = prepare_attributes_for_change_helpers(attributes)
+      attributes.all? do |attr|
+        with_attribute_or_belongs_to_keys(attr) do |a, ftype|
+          if ftype
+            changed.include?(a) || changed.include?(ftype)
+          else
+            changed.include?(a)
+          end
+        end
+      end
+    end    
+    
+    def with_attribute_or_belongs_to_keys(attribute)
+      if (refl = self.class.reflections[attribute.to_sym]) && refl.macro == :belongs_to
+        if refl.options[:polymorphic]
+          yield refl.primary_key_name, refl.options[:foreign_type]
+        else
+          yield refl.primary_key_name, nil
+        end
+      else
+        yield attribute.to_s, nil
+      end
+    end
+      
+    
+    
+    # -------------------------------------- #
+    
+    
+    # --- Default *_permitted? methods --- #
+    
+    # Conservative default permissions #
+    def create_permitted?;  false end
+    def update_permitted?;  false end
+    def destroy_permitted?; false end
+    
+    # Allow viewing by default
+    def view_permitted?(attribute) true end
+      
+    # By default, attempt to derive edit permission from create/update permission
+    def edit_permitted?(attribute)
+      Hobo::Permissions.unknownify_attribute(self, attribute) if attribute
+      new_record? ? create_permitted? : update_permitted?
+    rescue Hobo::UndefinedAccessError
+      # The permission is dependent on the unknown value
+      # so this attribute is not editable
+      false
+    ensure
+      Hobo::Permissions.deunknownify_attribute(self, attribute) if attribute
+    end
+  
+  
+    # Add some singleton methods to +record+ so give the effect that +attribute+ is unknown. That is,
+    # attempts to access the attribute will result in a Hobo::UndefinedAccessError
+    def self.unknownify_attribute(record, attr)
+      record.metaclass.class_eval do
+        
+        define_method attr do
+          raise Hobo::UndefinedAccessError
+        end
+        
+        define_method "#{attr}_change" do
+          raise Hobo::UndefinedAccessError
+        end
+        
+        define_method "#{attr}_was" do
+          read_attribute attr
+        end
+        
+        define_method "#{attr}_changed?" do
+          true
+        end
+
+        def changed?
+          true
+        end
+      
+        define_method :changed do
+          changed_attributes.keys | [attr]
+        end
+      
+        def changes
+          raise Hobo::UndefinedAccessError
+        end
+        
+      end
+      
+    end
+    
+    # Best. Name. Ever
+    def self.deunknownify_attribute(record, attr)
+      [attr, "#{attr}_change", "#{attr}_was", "#{attr}_changed?", :changed?, :changed, :changes].each do |m|
+        record.metaclass.send :remove_method, m.to_sym
+      end
+    end
+  end
+  
+end
+