iq-acl 1.0.2

data/.gitignore

@@ -0,0 +1,6 @@
+.DS_Store
+/doc
+/cov
+/pkg
+/.document
+/.yardoc

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2009 Jamie Hill, SonicIQ Ltd.
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,51 @@
+= IQ::ACL
+
+This aim of this gem is to provide a series of classes to handle common ACL requirements. Currently provided is the IQ::ACL::Basic class which although super simple, is also extremely powerful. Read more about usage on the IQ::ACL::Basic page.
+
+== Install
+  gem install iq-acl
+  
+== Usage
+  auth = IQ::ACL::Basic.new({
+    '*'                 => { 'terry' => 'r' },
+    'projects'          => { 'jonny' => 'rw' },
+    'projects/private'  => { 'billy' => 'rw', 'terry' => nil },
+    'projects/public'   => { 'terry' => 'rw', '*' => 'r' }
+  })
+
+  auth.authorize! 'guest', 'projects'         #=> raises IQ::ACL::AccessDeniedError
+  auth.authorize! 'jonny', 'projects'         #=> 'rw'
+  auth.authorize! 'billy', 'projects'         #=> raises IQ::ACL::AccessDeniedError
+  auth.authorize! 'terry', 'projects'         #=> 'r'
+  auth.authorize! 'guest', 'projects/private' #=> raises IQ::ACL::AccessDeniedError
+  auth.authorize! 'jonny', 'projects/private' #=> 'rw'
+  auth.authorize! 'billy', 'projects/private' #=> 'rw'
+  auth.authorize! 'terry', 'projects/private' #=> raises IQ::ACL::AccessDeniedError
+  auth.authorize! 'guest', 'projects/public'  #=> 'r'
+  auth.authorize! 'jonny', 'projects/public'  #=> 'r'
+  auth.authorize! 'billy', 'projects/public'  #=> 'r'
+  auth.authorize! 'terry', 'projects/public'  #=> 'rw
+
+  # A block may be given to <tt>authorize!</tt> that should return true if
+  # the yielded rights are adequate for the user, for example the following
+  # will raise an IQ::ACL::AccessDeniedError as 'terry' does not have write access
+  # to the 'projects' path. If 'terry' had write access to the 'projects'
+  # path, the exception would not be thrown.
+
+  auth.authorize! 'terry', 'projects' do |rights|
+    rights.include?('w')
+  end
+
+== Note on Patches/Pull Requests
+ 
+* Fork the project.
+* Make your feature addition or bug fix.
+* Add tests for it. This is important so I don't break it in a
+  future version unintentionally.
+* Commit, do not mess with rakefile, version, or history.
+  (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)
+* Send me a pull request. Bonus points for topic branches.
+
+== Copyright
+
+Copyright (c) 2010 Jamie Hill, SonicIQ Ltd.. See LICENSE for details.

data/Rakefile

@@ -0,0 +1,53 @@
+require 'rubygems'
+require 'rake'
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gem|
+    gem.name = "iq-acl"
+    gem.summary = %Q{Super simple access control.}
+    gem.description = %Q{IQ::ACL provides a super simple way of implementing access control.}
+    gem.email = "jamie@soniciq.com"
+    gem.homepage = "http://github.com/iq/iq-acl"
+    gem.authors = ["Jamie Hill, SonicIQ Ltd."]
+    gem.add_development_dependency "thoughtbot-shoulda", ">= 0"
+    gem.add_development_dependency "yard", ">= 0"
+    # gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts "Jeweler (or a dependency) not available. Install it with: gem install jeweler"
+end
+
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/*_test.rb'
+  test.verbose = true
+end
+
+begin
+  require 'rcov/rcovtask'
+  Rcov::RcovTask.new do |test|
+    test.libs << 'test'
+    test.pattern = 'test/**/*_test.rb'
+    test.verbose = true
+  end
+rescue LoadError
+  task :rcov do
+    abort "RCov is not available. In order to run rcov, you must: sudo gem install spicycode-rcov"
+  end
+end
+
+task :test => :check_dependencies
+
+task :default => :test
+
+begin
+  require 'yard'
+  YARD::Rake::YardocTask.new
+rescue LoadError
+  task :yardoc do
+    abort "YARD is not available. In order to run yardoc, you must: sudo gem install yard"
+  end
+end

data/VERSION

@@ -0,0 +1 @@
+1.0.2

data/iq-acl.gemspec

@@ -0,0 +1,58 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run the gemspec command
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{iq-acl}
+  s.version = "1.0.2"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Jamie Hill, SonicIQ Ltd."]
+  s.date = %q{2010-05-31}
+  s.description = %q{IQ::ACL provides a super simple way of implementing access control.}
+  s.email = %q{jamie@soniciq.com}
+  s.extra_rdoc_files = [
+    "LICENSE",
+     "README.rdoc"
+  ]
+  s.files = [
+    ".gitignore",
+     "LICENSE",
+     "README.rdoc",
+     "Rakefile",
+     "VERSION",
+     "iq-acl.gemspec",
+     "lib/iq-acl.rb",
+     "lib/iq/acl.rb",
+     "lib/iq/acl/basic.rb",
+     "test/helper.rb",
+     "test/iq/acl_test.rb"
+  ]
+  s.homepage = %q{http://github.com/iq/iq-acl}
+  s.rdoc_options = ["--charset=UTF-8"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.3.6}
+  s.summary = %q{Super simple access control.}
+  s.test_files = [
+    "test/helper.rb",
+     "test/iq/acl_test.rb"
+  ]
+
+  if s.respond_to? :specification_version then
+    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
+      s.add_development_dependency(%q<thoughtbot-shoulda>, [">= 0"])
+      s.add_development_dependency(%q<yard>, [">= 0"])
+    else
+      s.add_dependency(%q<thoughtbot-shoulda>, [">= 0"])
+      s.add_dependency(%q<yard>, [">= 0"])
+    end
+  else
+    s.add_dependency(%q<thoughtbot-shoulda>, [">= 0"])
+    s.add_dependency(%q<yard>, [">= 0"])
+  end
+end
+

data/lib/iq/acl/basic.rb

@@ -0,0 +1,81 @@
+# This class provides a really simple way of handling access control. By simply
+# supplying a hash of paths with user privileges for each of them, a powerful
+# ACL system can be created. Wildcards (in this case asterisks) can be used to
+# denote global rules.
+# 
+# @example
+#   auth = IQ::ACL::Basic.new({
+#     '*'                 => { 'terry' => 'r' },
+#     'projects'          => { 'jonny' => 'rw' },
+#     'projects/private'  => { 'billy' => 'rw', 'terry' => nil },
+#     'projects/public'   => { 'terry' => 'rw', '*' => 'r' }
+#   })
+# 
+#   auth.authorize! 'guest', 'projects'         #=> raises IQ::ACL::AccessDeniedError
+#   auth.authorize! 'jonny', 'projects'         #=> 'rw'
+#   auth.authorize! 'billy', 'projects'         #=> raises IQ::ACL::AccessDeniedError
+#   auth.authorize! 'terry', 'projects'         #=> 'r'
+#   auth.authorize! 'guest', 'projects/private' #=> raises IQ::ACL::AccessDeniedError
+#   auth.authorize! 'jonny', 'projects/private' #=> 'rw'
+#   auth.authorize! 'billy', 'projects/private' #=> 'rw'
+#   auth.authorize! 'terry', 'projects/private' #=> raises IQ::ACL::AccessDeniedError
+#   auth.authorize! 'guest', 'projects/public'  #=> 'r'
+#   auth.authorize! 'jonny', 'projects/public'  #=> 'r'
+#   auth.authorize! 'billy', 'projects/public'  #=> 'r'
+#   auth.authorize! 'terry', 'projects/public'  #=> 'rw
+# 
+# A block may be given to authorize! that should return true if the yielded
+# rights are adequate for the user, for example the following will raise an
+# IQ::ACL::AccessDeniedError as 'terry' does not have write access to the
+# 'projects' path. If 'terry' had write access to the 'projects' path, the
+# exception would not be thrown.
+# 
+# @example
+#   auth.authorize! 'terry', 'projects' do |rights|
+#     rights.include?('w')
+#   end
+#
+class IQ::ACL::Basic
+  
+  # Returns a new instance to be authenticated against.
+  # 
+  # @param [Hash]
+  def initialize(permissions)
+    raise ArgumentError, 'Must supply permissions as a hash' unless permissions.is_a?(Hash)
+    @permissions = permissions
+  end
+  
+  # Returns the rights that a user has for a given path. When the user has no
+  # access to the given path, an IQ::ACL::AccessDeniedError is raised. When a
+  # block is given the user rights are yielded as the block parameter and the
+  # block is expected to return true when the rights are sufficient.
+  # 
+  # @param [String] user
+  # @param [String] path
+  # 
+  # @return [String] the right for the given user
+  def authorize!(user, path)
+    raise ArgumentError, 'Path must be a string' unless path.is_a?(String)
+    
+    segments = path.split('/')
+    rights = until segments.empty?
+      if rights = permissions[segments.join('/')]
+        access = rights[user] || rights['*']
+        access_denied! if (rights.has_key?(user) || rights.has_key?('*')) && access.nil?
+        break access if access
+      end
+      segments.pop
+    end || (global = permissions['*']) && (global[user] || global['*']) || access_denied!
+    
+    access_denied! if block_given? && (yield(rights) != true)
+    rights
+  end
+
+  private
+  
+  attr_reader :permissions
+  
+  def access_denied!
+    raise IQ::ACL::AccessDeniedError, 'User does not have access to path'
+  end
+end

data/lib/iq/acl.rb

@@ -0,0 +1,21 @@
+module IQ # :nodoc:
+  module ACL # :nodoc:
+    def self.version
+      VERSION::STRING
+    end
+
+    module VERSION #:nodoc:
+      MAJOR = 1
+      MINOR = 0
+      TINY  = 1
+
+      STRING = [MAJOR, MINOR, TINY].join('.')
+    end
+    
+    autoload :Basic, File.join(File.dirname(__FILE__), 'acl', 'basic')
+    
+    # This error is raised when a user does not have access to a supplied path.
+    class AccessDeniedError < StandardError
+    end
+  end
+end

data/lib/iq-acl.rb

@@ -0,0 +1 @@
+require 'iq/acl'

data/test/helper.rb

@@ -0,0 +1,10 @@
+require 'rubygems'
+require 'test/unit'
+require 'shoulda'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'iq/acl'
+
+class Test::Unit::TestCase
+end

data/test/iq/acl_test.rb

@@ -0,0 +1,146 @@
+require File.join(File.dirname(__FILE__), '..', 'helper')
+
+class IQ::ACLTest < Test::Unit::TestCase
+  context "initialize" do
+    should "raise when argument is not a hash" do
+      assert_raise(ArgumentError) { IQ::ACL::Basic.new('not a hash') }
+    end
+
+    should "store supplied hash in instance variable" do
+      assert_equal(
+        { 'the' => 'permissions' }, IQ::ACL::Basic.new('the' => 'permissions').instance_variable_get('@permissions')
+      )
+    end
+  end
+  
+  context "authorize!" do
+    should "respond" do
+      assert_respond_to IQ::ACL::Basic.new({}), :authorize!
+    end
+
+    should "accept username as first argument" do
+      instance = IQ::ACL::Basic.new('the/path' => { 'the user' => true })
+      assert_nothing_raised(ArgumentError) { instance.authorize!('the user', 'the/path') }
+    end
+
+    should "accept path as second argument" do
+      instance = IQ::ACL::Basic.new('the/path' => { 'the user' => true })
+      assert_nothing_raised(ArgumentError) { instance.authorize!('the user', 'the/path') }
+    end
+
+    should "raise when path is not a string" do
+      assert_raise(ArgumentError) { IQ::ACL::Basic.new({}).authorize!('the user', :not_a_string) }
+    end
+
+    should "raise access denied error when no match" do
+      assert_raise(IQ::ACL::AccessDeniedError) { IQ::ACL::Basic.new({}).authorize!('the user', 'will/not/match') }
+    end
+    
+    should "raise when user access explicitly set to nil for given path even when a parent privilege set" do
+      instance = IQ::ACL::Basic.new('the' => { 'the user' => 'ok' }, 'the/path' => { 'the user' => nil })
+      assert_raise(IQ::ACL::AccessDeniedError) { instance.authorize!('the user', 'the/path') }
+    end
+    
+    should "raise when user access explicitly set to nil for given path even when root global set" do
+      instance = IQ::ACL::Basic.new('*' => { 'the user' => 'ok' }, 'the/path' => { 'the user' => nil })
+      assert_raise(IQ::ACL::AccessDeniedError) { instance.authorize!('the user', 'the/path') }
+    end
+    
+    should "raise when user access not known but global set to nil for given path even when parent privilege set" do
+      instance = IQ::ACL::Basic.new('the' => { 'the user' => 'ok' }, 'the/path' => { 'the user' => nil })
+      assert_raise(IQ::ACL::AccessDeniedError) { instance.authorize!('the user', 'the/path') }
+    end
+    
+    should "raise when user access not known but global set to nil for given path even when root global set" do
+      instance = IQ::ACL::Basic.new('*' => { 'the user' => 'ok' }, 'the/path' => { '*' => nil })
+      assert_raise(IQ::ACL::AccessDeniedError) { instance.authorize!('the user', 'the/path') }
+    end
+
+    should "return result of direct match in permissions hash with path and user when available" do
+      instance = IQ::ACL::Basic.new('the/path' => { 'the user' => 'the access' })
+      assert_equal 'the access', instance.authorize!('the user', 'the/path')
+    end
+    
+    should "return result of direct match in permissions hash with path and user when available special case" do
+      instance = IQ::ACL::Basic.new('projects/rails-site.com' => { 'rails_site' => 'rw' })
+      assert_equal 'rw', instance.authorize!('rails_site', 'projects/rails-site.com')
+    end
+
+    should "return result of direct match in permissions hash with path and star user when user not found" do
+      instance = IQ::ACL::Basic.new('the/path' => { '*' => 'the access' })
+      assert_equal 'the access', instance.authorize!('the user', 'the/path')
+    end
+
+    should "return result of parent match in permissions hash with path and user over global user when no match" do
+      instance = IQ::ACL::Basic.new('the' => { 'the user' => 'the access', '*' => 'global access' })
+      assert_equal 'the access', instance.authorize!('the user', 'the/path')
+    end
+
+    should "return result of parent match in permissions hash with path and star user when user not found" do
+      instance = IQ::ACL::Basic.new('the' => { '*' => 'the access' })
+      assert_equal 'the access', instance.authorize!('the user', 'the/path')
+    end
+
+    should "continue down permissions tree until a match with path and user is found over global access" do
+      instance = IQ::ACL::Basic.new('the/long' => { 'the user' => 'the access', '*' => 'global access' })
+      assert_equal 'the access', instance.authorize!('the user', 'the/long/big/nested/path')
+    end
+
+    should "continue down permissions tree until a match with path and star user when user not found" do
+      instance = IQ::ACL::Basic.new('the/long' => { '*' => 'the access' })
+      assert_equal 'the access', instance.authorize!('the user', 'the/long/big/nested/path')
+    end
+
+    should "return result of user in star entry of permissions hash over star user when no other matches" do
+      instance = IQ::ACL::Basic.new('*' => { 'the user' => 'the access', '*' => 'global access' }, 'other/path' => {})
+      assert_equal 'the access', instance.authorize!('the user', 'the/path')
+    end
+
+    should "return result of star user in star entry of permissions hash when no user match" do
+      instance = IQ::ACL::Basic.new('*' => { '*' => 'the access' }, 'other/path' => {})
+      assert_equal 'the access', instance.authorize!('the user', 'the/path')
+    end
+    
+    context "using a block" do
+      should "yield the user rights when block given" do
+        instance = IQ::ACL::Basic.new('the/path' => { 'the user' => 'the access' })
+        the_rights = nil
+        instance.authorize!('the user', 'the/path') do |rights|
+          the_rights = rights
+          true
+        end
+        assert_equal 'the access', the_rights
+      end
+    
+      should "raise access denied error if block evaluates to false" do
+        instance = IQ::ACL::Basic.new('the/path' => { 'the user' => 'the access' })
+
+        assert_raise(IQ::ACL::AccessDeniedError) do
+          instance.authorize!('the user', 'the/path') do |rights|
+            false
+          end
+        end
+      end
+    
+      should "raise access denied error if block evaluates to anything other than true" do
+        instance = IQ::ACL::Basic.new('the/path' => { 'the user' => 'the access' })
+
+        assert_raise(IQ::ACL::AccessDeniedError) do
+          instance.authorize!('the user', 'the/path') do |rights|
+            'not true'
+          end
+        end
+      end
+    
+      should "not raise access denied error when block evaluates to true" do
+        instance = IQ::ACL::Basic.new('the/path' => { 'the user' => 'the access' })
+
+        assert_nothing_raised(IQ::ACL::AccessDeniedError) do
+          instance.authorize!('the user', 'the/path') do |rights|
+            true
+          end
+        end
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,97 @@
+--- !ruby/object:Gem::Specification 
+name: iq-acl
+version: !ruby/object:Gem::Version 
+  prerelease: false
+  segments: 
+  - 1
+  - 0
+  - 2
+  version: 1.0.2
+platform: ruby
+authors: 
+- Jamie Hill, SonicIQ Ltd.
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-05-31 00:00:00 +01:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: thoughtbot-shoulda
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: yard
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id002
+description: IQ::ACL provides a super simple way of implementing access control.
+email: jamie@soniciq.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE
+- README.rdoc
+files: 
+- .gitignore
+- LICENSE
+- README.rdoc
+- Rakefile
+- VERSION
+- iq-acl.gemspec
+- lib/iq-acl.rb
+- lib/iq/acl.rb
+- lib/iq/acl/basic.rb
+- test/helper.rb
+- test/iq/acl_test.rb
+has_rdoc: true
+homepage: http://github.com/iq/iq-acl
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.6
+signing_key: 
+specification_version: 3
+summary: Super simple access control.
+test_files: 
+- test/helper.rb
+- test/iq/acl_test.rb