id_please 0.1.0 → 0.3.0

data/Rakefile

@@ -11,6 +11,9 @@ begin
     gem.homepage = "http://github.com/tastyhat/id_please"
     gem.authors = ["James Stuart"]
     gem.add_development_dependency "thoughtbot-shoulda", ">= 0"
+    gem.add_development_dependency "thoughtbot-factory_girl", ">= 0"
+    gem.add_development_dependency "ruby-debug", ">= 0"
+    gem.add_dependency "searchlogic"
     # gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
   end
   Jeweler::GemcutterTasks.new
@@ -21,7 +24,7 @@ end
 require 'rake/testtask'
 Rake::TestTask.new(:test) do |test|
   test.libs << 'lib' << 'test'
-  test.pattern = 'test/**/test_*.rb'
+  test.pattern = 'test/**/*_test.rb'
   test.verbose = true
 end
 
@@ -29,7 +32,7 @@ begin
   require 'rcov/rcovtask'
   Rcov::RcovTask.new do |test|
     test.libs << 'test'
-    test.pattern = 'test/**/test_*.rb'
+    test.pattern = 'test/**/*_test.rb'
     test.verbose = true
   end
 rescue LoadError

data/VERSION

@@ -1 +1 @@
-0.1.0
+0.3.0

data/id_please.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = %q{id_please}
-  s.version = "0.1.0"
+  s.version = "0.3.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["James Stuart"]
-  s.date = %q{2010-01-22}
+  s.date = %q{2010-01-28}
   s.description = %q{Access control gem}
   s.email = %q{tastyhat@jamesstuart.org}
   s.extra_rdoc_files = [
@@ -31,9 +31,7 @@ Gem::Specification.new do |s|
      "lib/id_please/model_extensions/for_group.rb",
      "lib/id_please/model_extensions/for_object.rb",
      "lib/id_please/model_extensions/for_subject.rb",
-     "lib/id_please/model_extensions/for_user.rb",
-     "test/helper.rb",
-     "test/test_id_please.rb"
+     "lib/id_please/model_extensions/for_user.rb"
   ]
   s.homepage = %q{http://github.com/tastyhat/id_please}
   s.rdoc_options = ["--charset=UTF-8"]
@@ -41,8 +39,11 @@ Gem::Specification.new do |s|
   s.rubygems_version = %q{1.3.5}
   s.summary = %q{Access control gem for rails}
   s.test_files = [
-    "test/helper.rb",
-     "test/test_id_please.rb"
+    "test/id_please_test.rb",
+     "test/roles_test.rb",
+     "test/support/models.rb",
+     "test/support/schema.rb",
+     "test/test_helper.rb"
   ]
 
   if s.respond_to? :specification_version then
@@ -51,11 +52,20 @@ Gem::Specification.new do |s|
 
     if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
       s.add_development_dependency(%q<thoughtbot-shoulda>, [">= 0"])
+      s.add_development_dependency(%q<thoughtbot-factory_girl>, [">= 0"])
+      s.add_development_dependency(%q<ruby-debug>, [">= 0"])
+      s.add_runtime_dependency(%q<searchlogic>, [">= 0"])
     else
       s.add_dependency(%q<thoughtbot-shoulda>, [">= 0"])
+      s.add_dependency(%q<thoughtbot-factory_girl>, [">= 0"])
+      s.add_dependency(%q<ruby-debug>, [">= 0"])
+      s.add_dependency(%q<searchlogic>, [">= 0"])
     end
   else
     s.add_dependency(%q<thoughtbot-shoulda>, [">= 0"])
+    s.add_dependency(%q<thoughtbot-factory_girl>, [">= 0"])
+    s.add_dependency(%q<ruby-debug>, [">= 0"])
+    s.add_dependency(%q<searchlogic>, [">= 0"])
   end
 end
 

data/lib/id_please/config.rb

@@ -1,10 +1,14 @@
 module IdPlease
   @@config = {
     :default_role_class_name => 'Role',
-    :default_user_class_name => 'User',
+    :default_subject_class_name => 'User',
     :default_group_class_name => 'Group',
     :default_assignment_class_name => 'Assignment',
-    :default_user_method => :current_user
+    :default_group_role => 'member',
+    :default_subject_method => :current_user,
+    :default_association_name => :assigned_roles,
+    :groups_enabled => true,
+    :nested_groups => true
   }
 
   mattr_reader :config

data/lib/id_please/model_extensions/for_group.rb

@@ -0,0 +1,26 @@
+module IdPlease
+  module ModelExtensions
+    module ForGroup
+      def children(*args)
+        options = args.extract_options!
+        all_children = _auth_assign_class.role_name_eq(_auth_group_role).role_authorizable_eq(self).all(:include => :subject).collect(&:subject)
+      
+        if _auth_nested_groups == true && options[:nested] != false
+          all_children.select { |child| child._auth_is_group == true }.each do |child|
+            all_children << child.children
+          end
+        end
+      
+        all_children.flatten.uniq
+      end
+      
+      def has_role!(role_name, object = nil)
+        if object && object.kind_of?(self.class) && role_name.to_s == _auth_group_role && self.children.include?(object)
+          raise "Attempt to make circular membership loop"
+        else
+          super
+        end
+      end
+    end
+  end
+end

data/lib/id_please/model_extensions/for_object.rb

@@ -0,0 +1,123 @@
+module IdPlease
+  module ModelExtensions
+    module ForObject
+      ##
+      # Role check.
+      #
+      # @return [Boolean] Returns true if +subject+ has a role +role_name+ on this object.
+      #
+      # @param [Symbol,String] role_name Role name
+      # @param [Subject] subject Subject to add role for
+      # @see Acl9::ModelExtensions::Subject#has_role?
+      def accepts_role?(role_name, subject, options = {})
+        subject.has_role?(role_name, self, options)
+      end
+
+
+      
+      ##
+      # Add role on the object to specified subject.
+      #
+      # @param [Symbol,String] role_name Role name
+      # @param [Subject] subject Subject to add role for
+      # @see Acl9::ModelExtensions::Subject#has_role!
+      def accepts_role!(role_name, subject)
+        subject.has_role!(role_name, self)
+      end
+
+      
+      def list_subjects_all_roles(*args)
+        options = args.extract_options!
+        
+        find_subjects(nil, options)
+        
+      end
+      
+      def list_subjects_for(role_name, *args)
+        options = args.extract_options!
+        
+        find_subjects(role_name, options)
+      end
+        
+      
+      
+      def method_missing(method_sym, *arguments, &block)
+       # the first argument is a Symbol, so you need to_s it if you want to pattern match
+       if method_sym.to_s =~ /^list_(.+)$/
+         list_subjects_for($1.singularize, *arguments)
+       else
+         super
+       end
+      end
+      
+      
+      ##
+      # Free specified subject of a role on this object.
+      #
+      # @param [Symbol,String] role_name Role name
+      # @param [Subject] subject Subject to remove role from
+      # @see Acl9::ModelExtensions::Subject#has_no_role!
+      def accepts_no_role!(role_name, subject)
+        subject.has_no_role!(role_name, self)
+      end
+      
+      # ##
+      # # Are there any roles for the specified +subject+ on this object?
+      # #
+      # # @param [Subject] subject Subject to query roles
+      # # @return [Boolean] Returns true if +subject+ has any roles on this object.
+      # # @see Acl9::ModelExtensions::Subject#has_roles_for?
+      # def accepts_roles_by?(subject)
+      #   subject.has_roles_for? self
+      # end
+      # 
+      # alias :accepts_role_by? :accepts_roles_by?
+      # 
+      # ##
+      # # Which roles does +subject+ have on this object?
+      # #
+      # # @return [Array<Role>] Role instances, associated both with +subject+ and +object+
+      # # @param [Subject] subject Subject to query roles
+      # # @see Acl9::ModelExtensions::Subject#roles_for
+      # def accepted_roles_by(subject)
+      #   subject.roles_for self
+      # end
+      
+      private 
+      def get_role(role_name, object)
+        _auth_role_class.authorizable_eq(object).name_eq(role_name.to_s).first
+      end
+      
+      def find_subjects(role_name = nil, options = {})
+        base_subjects = if role_name
+          self._auth_assign_class.role_name_eq(role_name.to_s).role_authorizable_eq(self).all(:include => :subject).collect(&:subject).uniq
+        else
+          self._auth_assign_class.role_authorizable_eq(self).all(:include => :subject).collect(&:subject).uniq
+        end
+        
+        
+        if options[:check_groups] == false
+          base_subjects
+        else
+          to_find = base_subjects.dup
+          to_find.select { |subj| subj._auth_is_group }.each do |subj|
+            base_subjects << subj.children
+          end
+          
+          base_subjects.flatten.uniq
+        end
+      end
+      
+      protected
+      
+      def _auth_role_class
+        self.class._auth_role_class_name.constantize
+      end
+
+      def _auth_assign_class
+        self.class._auth_assign_class_name.constantize
+      end
+      
+    end
+  end
+end

data/lib/id_please/model_extensions/for_subject.rb

@@ -0,0 +1,181 @@
+module IdPlease
+  module ModelExtensions
+    module ForSubject
+      def in_group!(group)
+        raise "Groups must be enabled for this model" unless _auth_groups_enabled
+        raise "Object passed in not a group" unless group.kind_of?(_auth_group_class)
+        
+        self.has_role!(_auth_group_role, group)
+      end
+
+      def in_group?(group)
+        raise "Groups must be enabled for this model" unless _auth_groups_enabled
+        raise "Object passed in not a group" unless group.kind_of?(_auth_group_class)
+        
+        self.has_role?(_auth_group_role, group)
+      end
+      
+      def not_in_group!(group)
+        raise "Groups must be enabled for this model" unless _auth_groups_enabled
+        raise "Object passed in not a group" unless group.kind_of?(_auth_group_class)
+        
+        self.has_no_role!(_auth_group_role, group)
+      end
+
+      def not_in_any_group!
+        raise "Groups must be enabled for this model" unless _auth_groups_enabled
+        
+        all_groups.each { |group| self.not_in_group!(group) }
+      end
+
+      
+      def groups(*args)
+        raise "Groups must be enabled for this model" unless _auth_groups_enabled
+        
+        options = args.extract_options!
+        all_groups = direct_parent_groups(self)
+        
+        if _auth_nested_groups && options[:nested] != false
+          infinite_loop_counter = 25
+          to_find = all_groups.dup
+          
+          until to_find.empty? || (infinite_loop_counter -=1) <= 0
+            to_find = direct_parent_groups(*to_find)
+            all_groups += to_find
+          end
+          
+          all_groups.uniq
+        else
+          all_groups
+        end
+        
+      end
+      
+        
+
+      def has_role?(role_name, object = nil, option_hash = {})
+        subjects_to_check = option_hash[:check_groups] == false ? [self] : self_and_groups
+      
+        !Role.authorizable_eq(object).name_eq(role_name.to_s).assignments_subject_eq(*subjects_to_check).empty?
+      end
+
+      def has_role!(role_name, object = nil)
+        role = get_role(role_name, object)
+        
+        if role.nil?
+          role_attrs = case object
+          when Class 
+            { :authorizable_type => object.to_s }
+          when nil 
+            {}
+          else 
+            { :authorizable => object }
+          end.merge(:name => role_name.to_s)
+          
+          role = self._auth_assigned_roles.create!(role_attrs)
+        else
+          unless assigned_to_role?(role)
+            self._auth_assigned_roles << role
+          end
+        end
+        
+        role
+      end
+      
+      def has_roles_for?(object)
+        !get_assigned_roles_for(object).empty?
+      end
+      
+      alias :has_role_for? :has_roles_for?
+      
+      def roles_for(object)
+        get_assigned_roles_for(object)
+      end
+      
+      def has_no_role!(role_name, object = nil)
+        role = get_role(role_name, object)
+        
+        remove_from_role(role)
+      end
+      
+      def has_no_roles_for!(object = nil)
+        roles_for(object).each { |role| remove_from_role(role) }
+      end
+      
+
+
+      ##
+      # Unassign all roles from +self+.
+      def has_no_roles!
+        roles = self._auth_assigned_roles.clone
+        roles.each do |role|
+          remove_from_role(role)
+        end
+      end
+
+      private 
+      
+      def direct_parent_groups(*subjects)
+        _auth_role_class.assignments_subject_eq(*subjects).name_eq(_auth_group_role).authorizable_type_eq(_auth_group_class_name).all(:include => :authorizable).collect(&:authorizable)
+      end
+
+      def self_and_groups
+        if _auth_groups_enabled
+          groups << self
+        else
+          [self]
+        end
+      end
+      
+      def remove_from_role(role)
+        if role
+          self._auth_assigned_roles.delete(role)
+      
+          role.destroy if self._auth_assign_class.role_id_eq(role).empty?
+        end
+      end
+      
+      def get_role(role_name, object)
+        _auth_role_class.authorizable_eq(object).name_eq(role_name.to_s).first
+      end
+      
+      def assigned_to_role?(role)
+        !!_auth_assign_class.subject_eq(self).role_id_eq(role).first
+      end
+      
+      def get_assigned_roles_for(object)
+        _auth_role_class.authorizable_eq(object).assignments_subject_eq(self)
+      end
+      
+      protected
+      
+      
+
+      def _auth_role_class
+        self.class._auth_role_class_name.constantize
+      end
+
+      def _auth_subject_class
+        self.class._auth_subject_class_name.constantize
+      end
+
+      def _auth_group_class
+        self.class._auth_group_class_name.constantize
+      end
+
+      def _auth_assign_class
+        self.class._auth_assign_class_name.constantize
+      end
+      
+      def _auth_role_assoc
+      	self.class._auth_role_assoc_name
+      end
+
+      def _auth_assigned_roles
+      	send(self._auth_role_assoc)
+      end
+      
+
+    end
+  end
+end

data/lib/id_please/model_extensions.rb

@@ -1,5 +1,3 @@
-require File.join(File.dirname(__FILE__), 'model_extensions', 'for_subject')
-require File.join(File.dirname(__FILE__), 'model_extensions', 'for_object')
 
 module IdPlease
   module ModelExtensions  #:nodoc:
@@ -8,132 +6,232 @@ module IdPlease
     end
 
     module ClassMethods
-      # Add #has_role? and other role methods to the class.
-      # Makes a class a auth. subject class.
-      #
-      # @param [Hash] options the options for tuning
-      # @option options [String] :role_class_name (Acl9::config[:default_role_class_name])
-      #                           Class name of the role class (e.g. 'AccountRole')
-      # @option options [String] :join_table_name (Acl9::config[:default_join_table_name])
-      #                           Join table name (e.g. 'accounts_account_roles')
-      # @option options [String] :association_name (Acl9::config[:default_association_name])
-      #                           Association name (e.g. ':roles')
-      # @example
-      #   class User < ActiveRecord::Base
-      #     acts_as_authorization_subject
-      #   end
-      #
-      #   user = User.new
-      #   user.roles             #=> returns Role objects, associated with the user
-      #   user.has_role!(...)
-      #   user.has_no_role!(...)
-      #
-      #   # other functions from Acl9::ModelExtensions::Subject are made available
-      #
-      # @see Acl9::ModelExtensions::Subject
-      #
       def acts_as_authorization_subject(options = {})
-      	assoc = options[:association_name] || Acl9::config[:default_association_name]
-        role = options[:role_class_name] || Acl9::config[:default_role_class_name]
-        join_table = options[:join_table_name] || Acl9::config[:default_join_table_name] ||
-                    join_table_name(undecorated_table_name(self.to_s), undecorated_table_name(role))
+      	assoc = options[:association_name] || IdPlease.config[:default_association_name]
+        role = options[:role_class_name] || IdPlease.config[:default_role_class_name]
+        role_assoc = role.downcase.underscore.to_sym
+        
+        group = options[:group_class_name] || IdPlease.config[:default_group_class_name]
+        
+        assign = options[:assignment_class_name] || IdPlease.config[:default_assignment_class_name]
+        assign_table = assign.constantize.table_name
+        
+        #TODO
+        groups_enabled = options.has_key?(:groups_enabled) ? options[:groups_enabled] : IdPlease.config[:groups_enabled]
+        nested_groups = options.has_key?(:nested_groups) ? options[:nested_groups] : IdPlease.config[:nested_groups]
+        group_role = options[:group_role] || IdPlease.config[:default_group_role]
+
+        has_many assign_table.to_sym, :class_name => assign, :as => :subject, :dependent => :destroy
+        has_many assoc, :through => assign_table.to_sym, :source => role_assoc
 
-        has_and_belongs_to_many assoc, :class_name => role, :join_table => join_table
 
         cattr_accessor :_auth_role_class_name, :_auth_subject_class_name,
-                       :_auth_role_assoc_name
+                       :_auth_groups_enabled, :_auth_nested_groups,
+                       :_auth_group_class_name, :_auth_assign_class_name,
+                       :_auth_role_assoc_name, :_auth_group_role,
+                       :_auth_is_group
 
         self._auth_role_class_name = role
         self._auth_subject_class_name = self.to_s
+        self._auth_assign_class_name = assign
+        self._auth_group_class_name = group
         self._auth_role_assoc_name = assoc
+        self._auth_group_role = group_role
+        self._auth_groups_enabled = groups_enabled
+        self._auth_nested_groups = nested_groups
+        self._auth_is_group = false
+        
 
-        include Acl9::ModelExtensions::ForSubject
+        include IdPlease::ModelExtensions::ForSubject
       end
+      
+      def acts_as_authorization_group(options = {})
+      	assoc = options[:association_name] || IdPlease.config[:default_association_name]
+        role = options[:role_class_name] || IdPlease.config[:default_role_class_name]
+        role_assoc = role.downcase.underscore.to_sym
+ 
+        subject = options[:subject_class_name] || IdPlease.config[:default_subject_class_name]
 
-      # Add role query and set methods to the class (making it an auth object class).
-      #
-      # @param [Hash] options the options for tuning
-      # @option options [String] :subject_class_name (Acl9::config[:default_subject_class_name])
-      #                          Subject class name (e.g. 'User', or 'Account)
-      # @option options [String] :role_class_name (Acl9::config[:default_role_class_name])
-      #                          Role class name (e.g. 'AccountRole')
-      # @example
-      #   class Product < ActiveRecord::Base
-      #     acts_as_authorization_object
-      #   end
-      #
-      #   product = Product.new
-      #   product.accepted_roles #=> returns Role objects, associated with the product
-      #   product.users          #=> returns User objects, associated with the product
-      #   product.accepts_role!(...)
-      #   product.accepts_no_role!(...)
-      #   # other functions from Acl9::ModelExtensions::Object are made available
-      #
-      # @see Acl9::ModelExtensions::Object
-      #
-      def acts_as_authorization_object(options = {})
-        subject = options[:subject_class_name] || Acl9::config[:default_subject_class_name]
-        subj_table = subject.constantize.table_name
-        subj_col = subject.underscore
+        assign = options[:assignment_class_name] || IdPlease.config[:default_assignment_class_name]
+        assign_table = assign.constantize.table_name
+        
+        #TODO
+
+        groups_enabled = options.has_key?(:groups_enabled) ? options[:groups_enabled] : IdPlease.config[:groups_enabled]
+        nested_groups = options.has_key?(:nested_groups) ? options[:nested_groups] : IdPlease.config[:nested_groups]
+        raise "Do not use acts_as_authorization_group if groups are disabled." unless groups_enabled
 
-        role       = options[:role_class_name] || Acl9::config[:default_role_class_name]
-        role_table = role.constantize.table_name
 
-        sql_tables = <<-EOS
-          FROM #{subj_table}
-          INNER JOIN #{role_table}_#{subj_table} ON #{subj_col}_id = #{subj_table}.id
-          INNER JOIN #{role_table}               ON #{role_table}.id = #{role.underscore}_id
-        EOS
+        group_role = options[:group_role] || IdPlease.config[:default_group_role]
 
-        sql_where = <<-'EOS'
-          WHERE authorizable_type = '#{self.class.base_class.to_s}'
-          AND authorizable_id = #{column_for_attribute(self.class.primary_key).text? ? "'#{id}'": id}
-        EOS
+        has_many assign_table.to_sym, :class_name => assign, :as => :subject, :dependent => :destroy
+        has_many assoc, :through => :assignments, :class_name => role, :source => role_assoc
 
-        has_many :accepted_roles, :as => :authorizable, :class_name => role, :dependent => :destroy
 
-        has_many :"#{subj_table}",
-          :finder_sql  => ("SELECT DISTINCT #{subj_table}.*" + sql_tables + sql_where),
-          :counter_sql => ("SELECT COUNT(DISTINCT #{subj_table}.id)" + sql_tables + sql_where),
-          :readonly => true
+        cattr_accessor :_auth_role_class_name, :_auth_subject_class_name,
+                       :_auth_groups_enabled, :_auth_nested_groups,
+                       :_auth_group_class_name, :_auth_assign_class_name,
+                       :_auth_role_assoc_name, :_auth_group_role,
+                       :_auth_is_group
+
+        self._auth_role_class_name = role
+        self._auth_subject_class_name = subject
+        self._auth_assign_class_name = assign
+        self._auth_group_class_name = self.to_s
+        self._auth_role_assoc_name = assoc
+        self._auth_groups_enabled = groups_enabled
+        self._auth_nested_groups = nested_groups
+        self._auth_group_role = group_role
+        self._auth_is_group = true
+
+        include IdPlease::ModelExtensions::ForSubject
+        include IdPlease::ModelExtensions::ForGroup
+        include IdPlease::ModelExtensions::ForObject
+      end
+      
+
 
-        include Acl9::ModelExtensions::ForObject
+      def acts_as_authorization_object(options = {})
+        subject = options[:subject_class_name] || IdPlease.config[:default_subject_class_name]
+        subj_table = subject.constantize.table_name
+      
+        role       = options[:role_class_name] || IdPlease.config[:default_role_class_name]
+        role_table = role.constantize.table_name
+      
+        assign = options[:assignment_class_name] || IdPlease.config[:default_assignment_class_name]
+        
+        groups_enabled = options[:groups_enabled] || IdPlease.config[:groups_enabled]
+        nested_groups = options[:nested_groups] || IdPlease.config[:nested_groups]
+        group_role = options[:group_role] || IdPlease.config[:group_role]
+        
+        
+        has_many role_table.to_sym, :dependent => :destroy, :as => :authorizable
+        
+        
+        cattr_accessor :_auth_role_class_name, :_auth_groups_enabled, 
+                       :_auth_nested_groups, :_auth_assign_class_name,
+                       :_auth_group_role
+
+        
+                       
+        self._auth_role_class_name = role
+        self._auth_assign_class_name = assign
+        self._auth_group_role = group_role
+        self._auth_groups_enabled = groups_enabled
+        self._auth_nested_groups = nested_groups
+      
+      
+        include IdPlease::ModelExtensions::ForObject
       end
 
-      # Make a class an auth role class.
-      #
-      # You'll probably never create or use objects of this class directly.
-      # Various auth. subject and object methods will do that for you
-      # internally.
-      #
-      # @param [Hash] options the options for tuning
-      # @option options [String] :subject_class_name (Acl9::config[:default_subject_class_name])
-      #                          Subject class name (e.g. 'User', or 'Account)
-      # @option options [String] :join_table_name (Acl9::config[:default_join_table_name])
-      #                           Join table name (e.g. 'accounts_account_roles')
-      #
-      # @example
-      #   class Role < ActiveRecord::Base
-      #     acts_as_authorization_role
-      #   end
-      #
-      # @see Acl9::ModelExtensions::Subject#has_role!
-      # @see Acl9::ModelExtensions::Subject#has_role?
-      # @see Acl9::ModelExtensions::Subject#has_no_role!
-      # @see Acl9::ModelExtensions::Object#accepts_role!
-      # @see Acl9::ModelExtensions::Object#accepts_role?
-      # @see Acl9::ModelExtensions::Object#accepts_no_role!
       def acts_as_authorization_role(options = {})
-        subject = options[:subject_class_name] || Acl9::config[:default_subject_class_name]
-        join_table = options[:join_table_name] || Acl9::config[:default_join_table_name] ||
-                     join_table_name(undecorated_table_name(self.to_s), undecorated_table_name(subject))
+        validates_presence_of :name
+        validates_uniqueness_of :name, :scope => [:authorizable_type, :authorizable_id]
+        
+        subject = options[:subject_class_name] || IdPlease.config[:default_subject_class_name]
+
+        assign = options[:assignment_class_name] || IdPlease.config[:default_assignment_class_name]
+        assign_table = assign.constantize.table_name
+
+        groups_enabled = options[:groups_enabled] || IdPlease.config[:groups_enabled]
 
-        has_and_belongs_to_many subject.demodulize.tableize.to_sym,
-          :class_name => subject,
-          :join_table => join_table
+        nested_groups = options[:nested_groups] || IdPlease.config[:nested_groups]
+        group_role = options[:group_role] || IdPlease.config[:group_role]
 
+        role_table = self.table_name
+      
+        has_many assign_table.to_sym, :dependent => :destroy
         belongs_to :authorizable, :polymorphic => true
+
+
+        self.named_scope :authorizable_eq, lambda { |*objs| 
+          obj_hash = {}
+          cond_sql = []
+          cond_parameters = []
+
+          if objs.include?(nil) || objs.empty? 
+            cond_sql << "#{role_table}.authorizable_type IS NULL AND #{role_table}.authorizable_id IS NULL"
+          end
+
+          objs.compact!
+
+          unless objs.nil? || objs.length == 0
+            obj_hash = {}
+
+            objs.each { |obj| 
+              obj_hash.has_key?(obj.class) ? obj_hash[obj.class] << obj.id : obj_hash[obj.class] = [obj.id]
+            }
+            
+
+            obj_hash.each_pair { |class_name, ids|
+              cond_sql << "#{role_table}.authorizable_type = '#{class_name}' AND #{role_table}.authorizable_id IN(?)"
+              cond_parameters << ids
+            }
+
+          end
+
+          {:conditions => [cond_sql.join(" OR "), *cond_parameters].compact} 
+        }
+
+        
+        include IdPlease::ModelExtensions::ForRole
+
+        
+        cattr_accessor :_auth_role_class_name, :_auth_groups_enabled, 
+                       :_auth_nested_groups, :_auth_assign_class_name
+        
+        self._auth_role_class_name = self.to_s
+        self._auth_assign_class_name = assign
+        
+        self._auth_groups_enabled = groups_enabled
+        self._auth_nested_groups = nested_groups
+        
+        
+
       end
+
+
+      def acts_as_authorization_assignment(options = {})
+        role = options[:role_class_name] || IdPlease.config[:default_role_class_name]
+        role_assoc = role.downcase.underscore.to_sym
+        
+        assignment_table = self.table_name
+        
+        belongs_to :subject, :polymorphic => true
+        #TODO :fix:
+        belongs_to role_assoc
+
+
+        self.named_scope :subject_eq, lambda { |*objs| 
+          obj_hash = {}
+          cond_sql = []
+          cond_parameters = []
+
+          if objs.include?(nil) || objs.empty? 
+            cond_sql << "#{assignment_table}.subject_type IS NULL AND #{assignment_table}.subject_id IS NULL"
+          end
+          
+          objs.compact!
+          
+          unless objs.nil? || objs.length == 0
+            obj_hash = {}
+          
+            objs.each { |obj| 
+              obj_hash.has_key?(obj.class) ? obj_hash[obj.class] << obj.id : obj_hash[obj.class] = [obj.id]
+            }
+
+
+            obj_hash.each_pair { |class_name, ids|
+              cond_sql << "#{assignment_table}.subject_type = '#{class_name}' AND #{assignment_table}.subject_id IN(?)"
+              cond_parameters << ids
+            }
+
+          end
+          {:conditions => [cond_sql.join(" OR "), *cond_parameters].compact} 
+
+        }
+      end
+
     end
   end
 end

data/lib/id_please.rb

@@ -2,6 +2,11 @@ require 'id_please/config'
 
 if defined? ActiveRecord::Base
   require 'id_please/model_extensions'
+  require 'id_please/model_extensions/for_subject'
+  require 'id_please/model_extensions/for_subject_with_group'
+  require 'id_please/model_extensions/for_object'
+  require 'id_please/model_extensions/for_group'
+  require 'id_please/model_extensions/for_role'
   ActiveRecord::Base.send(:include, IdPlease::ModelExtensions)
 end
 

data/test/roles_test.rb

@@ -0,0 +1,317 @@
+require 'test_helper'
+require 'support/models'
+load 'support/schema.rb'
+
+class ActiveSupport::TestCase
+  def self.should_handle_basic_role_manipulation(subject_class)
+    context "for #{subject_class.to_s}: " do
+      setup do
+        Role.delete_all
+        [subject_class, Foo, Bar, Uuid].each { |c| c.delete_all }
+        @subject1 = subject_class.create!
+        @subject2 = subject_class.create!
+        @foo = Foo.create!
+        @bar = Bar.create!
+        @uuid = Uuid.create!(:uuid => "C41642EE-2780-0001-189F-17F3101B26E0")
+      end
+
+      should "not have any roles by default" do
+        %w(user manager admin owner).each do |role|
+          assert_false @subject1.has_role?(role)
+          assert_false @subject1.has_role?(role, @foo)
+        end
+      end
+
+      context "Given a global role" do
+        setup do
+          @subject1.has_role!(:admin)
+        end
+
+        should_change "create a role successfully", :by => 1 do  
+          Role.count
+        end
+
+        should "not distinguish between symbols and strings" do
+          assert @subject1.has_role?("admin")
+        end
+
+        should "assign roles to a specific user" do
+          assert @subject1.has_role?(:admin)
+          assert_false @subject2.has_role?(:admin)
+        end
+
+        should "distinguish between names of roles" do
+          assert_false @subject1.has_role?(:manager)
+        end
+
+        should "not count a global role as an object role" do
+          assert_false @subject1.has_role?(:admin, @foo)
+          assert_false @subject1.has_roles_for?(@foo)
+        end
+
+        should "not let objects accept it" do
+          [@foo,@bar].each do |obj|
+            assert_false obj.accepts_role?(:admin, @subject1)
+          end
+        end
+
+        should "reading roles should not add another role" do
+          assert_no_difference "Role.count" do
+            @subject1.has_role!(:admin)
+          end
+        end
+
+        context "with two users" do
+          setup do
+            @subject2.has_role!(:admin)
+          end
+          
+          should "remove assignments to roles through has_no_role!" do
+            @subject1.has_no_role!(:admin)
+            assert_false @subject1.has_role?(:admin)
+          end
+
+          should "only delete roles when they have no assignments" do
+            assert_no_difference 'Role.count' do
+              @subject1.has_no_role!(:admin)
+            end
+
+            assert_difference 'Role.count', -1 do
+              @subject2.has_no_role!(:admin)
+            end
+
+            assert_false @subject1.has_role?(:admin)          
+            assert_false @subject2.has_role?(:admin)
+          end
+
+        end
+      end
+
+      context "Given an object role" do
+        setup do
+          @subject1.has_role!(:admin, @foo)
+        end
+
+        should_change "create a role successfully", :by => 1 do 
+          Role.count 
+        end
+
+        should "assign roles to a specific user" do
+          assert @subject1.has_role?(:admin, @foo)
+          assert @subject1.has_roles_for?(@foo)
+          assert @subject1.has_role_for?(@foo)
+
+          roles = @subject1.roles_for(@foo)
+          assert_equal 1, roles.length
+          assert_equal "admin", roles.first.name
+
+          assert_false @subject1.has_role?(:manager, @foo)
+          assert_false @subject2.has_role?(:admin, @foo)
+          assert_false @subject2.has_roles_for?(@foo)
+        end
+
+        should "let the object accept it" do 
+          assert @foo.accepts_role?(:admin, @subject1)
+          assert_false @bar.accepts_role?(:admin, @subject1)
+          
+          @bar.accepts_role!(:admin, @subject1)
+          assert @bar.accepts_role?(:admin, @subject1)
+          
+          @bar.accepts_no_role!(:admin, @subject1)
+          assert_false @bar.accepts_role?(:admin, @subject1)
+        end
+
+        should "allow the object to list its roles" do 
+          assert_equal 1, @foo.roles.size
+        end
+
+        should "not count an object role as an global role" do
+          assert_false @subject1.has_role?(:admin)
+        end
+
+        should "reuse roles" do
+          assert_no_difference 'Role.count' do
+            @subject2.has_role!(:admin, @foo)
+          end
+
+          assert_difference 'Role.count', 1 do
+            @subject2.has_role!(:manager, @foo)
+          end
+        end
+
+        context "with two users" do
+          setup do
+            @subject1.has_role!(:admin)
+            @subject2.has_role!(:admin, @foo)
+            @subject1.has_role!(:admin, @bar)
+          end
+
+          should "let objects be able to query their subjects" do
+            assert_same_elements @foo.list_subjects_for(:admin), [@subject1, @subject2]
+            assert_same_elements @foo.list_subjects_all_roles, [@subject1, @subject2]
+          end
+
+          should "dynamically build methods to query" do
+            assert_same_elements @foo.list_subjects_for(:admin), @foo.list_admins
+          end
+
+          should "remove assignments to object roles through has_no_role!" do
+            @subject1.has_no_role!(:admin, @foo)
+
+            assert @subject1.has_role?(:admin)
+            assert @subject1.has_role?(:admin, @bar)
+            assert_false @subject1.has_role?(:admin, @foo)
+          end
+
+          should "only delete roles when they have no assignments" do
+            assert_difference 'Role.count', 0 do
+              @subject2.has_no_role!(:admin, @foo)
+            end
+
+            assert_false @subject2.has_role?(:admin)
+
+            assert_difference 'Role.count', -1 do
+              @subject1.has_no_role!(:admin, @foo)
+            end
+
+            assert_false @subject1.has_role?(:admin, @foo)          
+          end
+          
+          should "delete all roles for a given object with has_no_roles_for!" do
+            assert_difference 'Role.count', 1 do
+              @subject1.has_role!(:manager, @bar)
+            end
+            
+            assert_difference '@subject1.assigned_roles.size', -2 do 
+              @subject1.has_no_roles_for!(@bar)
+            end
+            
+            assert_false @subject1.has_roles_for?(@bar)
+            assert @subject1.has_role?(:admin)
+            assert @subject1.has_role?(:admin, @foo)
+          end
+          
+          should "delete all roles with has_no_roles!" do
+            @subject1.has_no_roles!
+            assert_equal @subject1.assigned_roles.length, 0
+          end
+        end
+
+      end
+
+    end
+  end
+end
+
+class RolesTest < ActiveSupport::TestCase
+  context "role testing" do
+    should_handle_basic_role_manipulation(User)
+    should_handle_basic_role_manipulation(Group)
+    should_handle_basic_role_manipulation(UserNoGroup)
+
+    should "models without groups enabled raise errors when group commands are queried" do
+      @usernogroup = UserNoGroup.create!
+      assert_raises RuntimeError do 
+        @usernogroup.groups
+      end
+    end
+    
+    context "group testing: " do
+      setup do
+        @user1 = User.create!
+        @user2 = User.create!
+        @user3 = User.create!
+        @group1 = Group.create!
+        @group2 = Group.create!
+        @group3 = Group.create!
+        @group4 = Group.create!
+        @group5 = Group.create!
+
+        
+        @foo = Foo.create!
+        @bar = Bar.create!
+      end
+      
+      should "be able to assign users to a group" do
+        @user1.in_group!(@group1)
+        @user2.in_group!(@group1)
+        @user1.in_group!(@group2)
+        
+        assert_same_elements @user1.groups, [@group1, @group2]
+        assert_same_elements @group1.children, [@user1, @user2]
+        assert_equal @group2.children, [@user1]
+        
+        @user1.not_in_group!(@group1)
+        
+        assert_same_elements @user1.groups, [@group2]
+      end
+      
+      context "given test users and groups" do
+        setup do
+          @user1.in_group!(@group1)
+          @group1.in_group!(@group2)
+          @group2.in_group!(@group4)
+
+          @user1.in_group!(@group3)
+          @user2.in_group!(@group2)
+        end
+
+        should "avoid circularity" do
+          @group4.in_group!(@group5)
+          
+          assert_raises RuntimeError do 
+            @group5.in_group!(@group4)
+          end
+
+          assert_raises RuntimeError do 
+            @group5.in_group!(@group1)
+          end
+        end
+        
+        should "not follow meaningless member assignments" do
+          @group5.has_role!(:member, @user1)
+          assert_equal @group5.children, []
+        end
+
+        should "handle nested groups" do
+          assert_same_elements @user1.groups(:nested => false), [@group1, @group3]
+          assert_same_elements @user1.groups, [@group1, @group2, @group3, @group4]
+          assert_same_elements @user2.groups, [@group2, @group4]
+          
+          assert_same_elements @group4.children, [@group2, @group1, @user1, @user2]
+          assert_same_elements @group2.children, [@group1, @user1, @user2]
+          
+          assert @group4.accepts_role?(:member, @user1)
+          assert @group2.accepts_role?(:member, @user1)
+          
+          assert_false @group4.accepts_role?(:member, @user1, :check_groups => false)
+        end
+        
+        should "check roles based on groups" do
+
+          assert @user2.has_role?(:member, @group2)
+        
+          @group2.has_role!(:owner, @foo)
+          
+          assert @user2.has_role?(:owner, @foo)
+          assert_false @user2.has_role?(:owner, @foo, :check_groups => false)
+          
+          assert @user1.has_role?(:owner, @foo)
+          assert_false @user1.has_role?(:owner, @foo, :check_groups => false)
+          
+          
+          assert_same_elements @foo.list_owners, [@group2, @group1, @user1, @user2]
+          assert_same_elements @foo.list_owners(:check_groups => false), [@group2]
+          
+          assert @foo.accepts_role?(:owner, @user1)
+          assert_false @foo.accepts_role?(:owner, @user1, :check_groups => false)
+        end
+        
+      end
+      
+    end
+  end
+  
+end
+
+

data/test/support/models.rb

@@ -0,0 +1,33 @@
+
+class Assignment < ActiveRecord::Base
+  acts_as_authorization_assignment
+end
+
+class Role < ActiveRecord::Base
+  acts_as_authorization_role
+end
+
+class User < ActiveRecord::Base
+  acts_as_authorization_subject
+end
+
+class UserNoGroup < ActiveRecord::Base
+  acts_as_authorization_subject :groups_enabled => false, :nested_groups => false
+end
+
+class Group < ActiveRecord::Base
+  acts_as_authorization_group
+end
+
+class Foo < ActiveRecord::Base
+  acts_as_authorization_object
+end
+
+class Bar < ActiveRecord::Base
+  acts_as_authorization_object
+end
+
+class Uuid < ActiveRecord::Base
+  set_primary_key "uuid"  
+  acts_as_authorization_object
+end

data/test/support/schema.rb

@@ -0,0 +1,36 @@
+ActiveRecord::Schema.define(:version => 0) do
+  create_table "assignments", :force => true do |t|
+    t.integer  "subject_id",                 :null => false
+    t.string   "subject_type", :limit => 20, :null => false
+    t.integer  "role_id",                    :null => false
+    t.timestamps
+  end
+  
+  create_table "users", :force => true do |t| end
+  
+  create_table "user_no_groups", :force => true do |t| end
+  
+  create_table "roles", :force => true do |t|
+    t.string   "name",        :limit => 50, :null => false
+    t.integer  "authorizable_id"
+    t.string   "authorizable_type", :limit => 30
+    t.timestamps
+  end
+  
+  create_table "groups", :force => true do |t| end
+  
+  create_table "foos", :force => true do |t|
+    t.timestamps
+  end
+
+  create_table "bars", :force => true do |t|
+    t.timestamps
+  end
+
+
+  create_table "uuids", :id => false, :force => true do |t|
+    t.string "uuid"
+    t.timestamps
+  end
+  
+end

data/test/test_helper.rb

@@ -0,0 +1,44 @@
+require 'rubygems'
+
+begin
+  require 'ruby-debug'
+rescue LoadError
+  puts "ruby-debug not loaded"
+end
+
+
+require 'active_record'
+require 'active_support'
+require 'active_support/test_case'
+
+
+gem 'sqlite3-ruby'
+gem 'searchlogic'
+require 'searchlogic'
+require "shoulda"
+
+
+
+ROOT = File.join(File.dirname(__FILE__), '..')
+RAILS_ROOT = ROOT
+RAILS_ENV = "test"
+
+
+$LOAD_PATH << File.join(ROOT, 'lib')
+$LOAD_PATH << File.join(ROOT, 'lib', 'id_please')
+
+require File.join(ROOT, 'lib', 'id_please.rb')
+
+config = YAML::load(IO.read(File.dirname(__FILE__) + '/database.yml'))
+ActiveRecord::Base.logger = Logger.new(File.dirname(__FILE__) + "/debug.log")
+ActiveRecord::Base.establish_connection(config['test'])
+
+
+
+
+module Test::Unit::Assertions
+  def assert_false(object, message="")
+    assert_equal(false, object, message)
+  end
+end
+

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: id_please
 version: !ruby/object:Gem::Version 
-  version: 0.1.0
+  version: 0.3.0
 platform: ruby
 authors: 
 - James Stuart
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-01-22 00:00:00 -05:00
+date: 2010-01-28 00:00:00 -05:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -22,6 +22,36 @@ dependencies:
       - !ruby/object:Gem::Version 
         version: "0"
     version: 
+- !ruby/object:Gem::Dependency 
+  name: thoughtbot-factory_girl
+  type: :development
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "0"
+    version: 
+- !ruby/object:Gem::Dependency 
+  name: ruby-debug
+  type: :development
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "0"
+    version: 
+- !ruby/object:Gem::Dependency 
+  name: searchlogic
+  type: :runtime
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "0"
+    version: 
 description: Access control gem
 email: tastyhat@jamesstuart.org
 executables: []
@@ -47,8 +77,6 @@ files:
 - lib/id_please/model_extensions/for_object.rb
 - lib/id_please/model_extensions/for_subject.rb
 - lib/id_please/model_extensions/for_user.rb
-- test/helper.rb
-- test/test_id_please.rb
 has_rdoc: true
 homepage: http://github.com/tastyhat/id_please
 licenses: []
@@ -78,5 +106,8 @@ signing_key:
 specification_version: 3
 summary: Access control gem for rails
 test_files: 
-- test/helper.rb
-- test/test_id_please.rb
+- test/id_please_test.rb
+- test/roles_test.rb
+- test/support/models.rb
+- test/support/schema.rb
+- test/test_helper.rb

data/test/helper.rb

@@ -1,12 +0,0 @@
-require 'rubygems'
-require 'test/unit'
-require 'shoulda'
-require 'active_record'
-require 'active_support'
-
-$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
-$LOAD_PATH.unshift(File.dirname(__FILE__))
-require 'id_please'
-
-class Test::Unit::TestCase
-end

data/test/test_id_please.rb

@@ -1,7 +0,0 @@
-require 'helper'
-
-class TestIdPlease < Test::Unit::TestCase
-  should "probably rename this file and start testing for real" do
-    # flunk "hey buddy, you should probably rename this file and start testing for real"
-  end
-end