ixtlan-guard 0.7.2 → 0.8.0

@@ -0,0 +1,150 @@
1
+ require 'spec_helper'
2
+ require 'ixtlan/guard/guard'
3
+ require 'ixtlan/guard/guard_rails'
4
+ require 'logger'
5
+ class Logger
6
+ def debug(&block)
7
+ end
8
+ end
9
+
10
+ module Rails
11
+ def self.application
12
+ self
13
+ end
14
+ def self.config
15
+ self
16
+ end
17
+ def self.guard
18
+ @guard ||=
19
+ begin
20
+ logger = Logger.new(STDOUT)
21
+ Ixtlan::Guard::Guard.new(:guards_dir => File.join(File.dirname(__FILE__), "guards"),
22
+ :logger => logger)
23
+ end
24
+ end
25
+ end
26
+
27
+ class Controller
28
+ include Ixtlan::Guard::ActionController
29
+
30
+ attr_accessor :params
31
+ def new_user
32
+ user = Object.new
33
+ def user.groups(groups = ['users'])
34
+ @groups ||= groups
35
+ end
36
+ user
37
+ end
38
+ def current_user
39
+ @user ||= new_user
40
+ end
41
+ end
42
+ class RestrictedController < Controller
43
+
44
+ guard_filter :only => [:index] do |groups|
45
+ groups.select {|g| g =~ /^user/ }
46
+ end
47
+
48
+ guard_filter :except => [:index] do |groups|
49
+ groups.select {|g| g == 'admin' }
50
+ end
51
+
52
+
53
+ end
54
+
55
+ describe Ixtlan::Guard::ActionController do
56
+
57
+ describe "without filter" do
58
+ subject do
59
+ Controller.new
60
+ end
61
+
62
+ it 'should return a guard' do
63
+ subject.send(:guard).should_not be_nil
64
+ end
65
+
66
+ it 'should have current_groups' do
67
+ subject.send(:current_groups).should_not be_nil
68
+ end
69
+
70
+ it 'should have no guard_filters' do
71
+ subject.class.guard_filters.should == []
72
+ end
73
+
74
+ it 'raise error on unknown resource' do
75
+ lambda{subject.send(:check, "edit", "unknown_resource")}.should raise_error( Ixtlan::Guard::GuardException)
76
+ end
77
+
78
+ it 'should pass' do
79
+ subject.send(:check, "index", "users").should == ["users"]
80
+ begin
81
+ subject.params = {:controller => "users", :action => "index" }
82
+ subject.send(:authorize).should be_true
83
+ subject.params.delete(:action)
84
+ subject.send(:allowed?, "index").should be_true
85
+ ensure
86
+ subject.params = {}
87
+ end
88
+ end
89
+
90
+ it 'should not pass' do
91
+ subject.send(:check, "doit", "no_defaults").should be_nil
92
+ begin
93
+ subject.params = {:controller => "no_defaults", :action => "doit" }
94
+ lambda{subject.send(:authorize)}.should raise_error(Ixtlan::Guard::PermissionDenied)
95
+ subject.params.delete(:action)
96
+ subject.send(:allowed?, "doitagain").should be_false
97
+ ensure
98
+ subject.params = {}
99
+ end
100
+ end
101
+ end
102
+
103
+ describe "with filter" do
104
+ subject do
105
+ c = RestrictedController.new
106
+ c.current_user.groups ['users', 'useradmin', 'admin']
107
+ c
108
+ end
109
+
110
+ it 'should return a guard' do
111
+ subject.send(:guard).should_not be_nil
112
+ end
113
+
114
+ it 'should have current_groups' do
115
+ subject.send(:current_groups).should_not be_nil
116
+ end
117
+
118
+ it 'should have no guard_filters' do
119
+ subject.class.guard_filters.size.should == 2
120
+ end
121
+
122
+ it 'raise error on unknown resource' do
123
+ lambda{subject.send(:check, "edit", "unknown_resource")}.should raise_error( Ixtlan::Guard::GuardException)
124
+ end
125
+
126
+ it 'should pass' do
127
+ subject.send(:check, "destroy", "person").should == ["admin"]
128
+ begin
129
+ subject.params = {:controller => "person", :action => "destroy" }
130
+ subject.send(:authorize).should be_true
131
+ subject.params.delete(:action)
132
+ subject.send(:allowed?, "destroy").should be_true
133
+ ensure
134
+ subject.params = {}
135
+ end
136
+ end
137
+
138
+ it 'should not pass' do
139
+ subject.send(:check, "edit", "person").should be_nil
140
+ begin
141
+ subject.params = {:controller => "person", :action => "edit" }
142
+ lambda{subject.send(:authorize)}.should raise_error(Ixtlan::Guard::PermissionDenied)
143
+ subject.params.delete(:action)
144
+ subject.send(:allowed?, "edit").should be_false
145
+ ensure
146
+ subject.params = {}
147
+ end
148
+ end
149
+ end
150
+ end
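Review bot: The `guard_filter :only => [:index]` block in `RestrictedController` is never exercised, because every "with filter" example calls `check` or `authorize` with `destroy` or `edit`, so only the `:except => [:index]` filter runs. That leaves the looser of the two filters untested: `/^user/` is a per-line prefix match that admits `useradmin` as well as `users`. If an exact group is meant, it should read `groups.select { |g| g == 'users' }`, or at least anchor with `\A`. An example that calls `subject.send(:check, "index", "person")` and pins the returned groups would cover it. The example titled 'should have no guard_filters' in the same describe asserts `size.should == 2`, so its title should say 'should have two guard_filters'.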
@@ -0,0 +1,150 @@
1
+ require 'spec_helper'
2
+ require 'ixtlan/guard/guard'
3
+ require 'ixtlan/guard/guard_rails'
4
+ require 'logger'
5
+ class Logger
6
+ def debug(&block)
7
+ end
8
+ end
9
+
10
+ class Rails
11
+ def self.application
12
+ self
13
+ end
14
+ def self.config
15
+ self
16
+ end
17
+ def self.guard
18
+ @guard ||=
19
+ begin
20
+ logger = Logger.new(STDOUT)
21
+ Ixtlan::Guard::Guard.new(:guards_dir => File.join(File.dirname(__FILE__), "guards"),
22
+ :logger => logger)
23
+ end
24
+ end
25
+ end
26
+
27
+ class Controller
28
+ include Ixtlan::ActionController::Guard
29
+
30
+ attr_accessor :params
31
+ def new_user
32
+ user = Object.new
33
+ def user.groups(groups = ['users'])
34
+ @groups ||= groups
35
+ end
36
+ user
37
+ end
38
+ def current_user
39
+ @user ||= new_user
40
+ end
41
+ end
42
+ class RestrictedController < Controller
43
+
44
+ guard_filter :only => [:index] do |groups|
45
+ groups.select {|g| g =~ /^user/ }
46
+ end
47
+
48
+ guard_filter :except => [:index] do |groups|
49
+ groups.select {|g| g == 'admin' }
50
+ end
51
+
52
+
53
+ end
54
+
55
+ describe Ixtlan::ActionController::Guard do
56
+
57
+ describe "without filter" do
58
+ subject do
59
+ Controller.new
60
+ end
61
+
62
+ it 'should return a guard' do
63
+ subject.send(:guard).should_not be_nil
64
+ end
65
+
66
+ it 'should have current_groups' do
67
+ subject.send(:current_groups).should_not be_nil
68
+ end
69
+
70
+ it 'should have no guard_filters' do
71
+ subject.class.guard_filters.should == []
72
+ end
73
+
74
+ it 'raise error on unknown resource' do
75
+ lambda{subject.send(:check, "edit", "unknown_resource")}.should raise_error( Ixtlan::Guard::GuardException)
76
+ end
77
+
78
+ it 'should pass' do
79
+ subject.send(:check, "index", "users").should == ["users"]
80
+ begin
81
+ subject.params = {:controller => "users", :action => "index" }
82
+ subject.send(:authorize).should be_true
83
+ subject.params.delete(:action)
84
+ subject.send(:allowed?, "index").should be_true
85
+ ensure
86
+ subject.params = {}
87
+ end
88
+ end
89
+
90
+ it 'should not pass' do
91
+ subject.send(:check, "doit", "no_defaults").should be_nil
92
+ begin
93
+ subject.params = {:controller => "no_defaults", :action => "doit" }
94
+ lambda{subject.send(:authorize)}.should raise_error(Ixtlan::Guard::PermissionDenied)
95
+ subject.params.delete(:action)
96
+ subject.send(:allowed?, "doitagain").should be_false
97
+ ensure
98
+ subject.params = {}
99
+ end
100
+ end
101
+ end
102
+
103
+ describe "with filter" do
104
+ subject do
105
+ c = RestrictedController.new
106
+ c.current_user.groups ['users', 'useradmin', 'admin']
107
+ c
108
+ end
109
+
110
+ it 'should return a guard' do
111
+ subject.send(:guard).should_not be_nil
112
+ end
113
+
114
+ it 'should have current_groups' do
115
+ subject.send(:current_groups).should_not be_nil
116
+ end
117
+
118
+ it 'should have no guard_filters' do
119
+ subject.class.guard_filters.size.should == 2
120
+ end
121
+
122
+ it 'raise error on unknown resource' do
123
+ lambda{subject.send(:check, "edit", "unknown_resource")}.should raise_error( Ixtlan::Guard::GuardException)
124
+ end
125
+
126
+ it 'should pass' do
127
+ subject.send(:check, "destroy", "person").should == ["admin"]
128
+ begin
129
+ subject.params = {:controller => "person", :action => "destroy" }
130
+ subject.send(:authorize).should be_true
131
+ subject.params.delete(:action)
132
+ subject.send(:allowed?, "destroy").should be_true
133
+ ensure
134
+ subject.params = {}
135
+ end
136
+ end
137
+
138
+ it 'should not pass' do
139
+ subject.send(:check, "edit", "person").should be_nil
140
+ begin
141
+ subject.params = {:controller => "person", :action => "edit" }
142
+ lambda{subject.send(:authorize)}.should raise_error(Ixtlan::Guard::PermissionDenied)
143
+ subject.params.delete(:action)
144
+ subject.send(:allowed?, "edit").should be_false
145
+ ensure
146
+ subject.params = {}
147
+ end
148
+ end
149
+ end
150
+ end
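Review bot: This second spec is a near-verbatim copy of the one above it and cannot be loaded in the same RSpec process: it declares `class Rails` where the other declares `module Rails`, so whichever file loads second raises a TypeError on the constant. It also mixes in `Ixtlan::ActionController::Guard` while the other file uses `Ixtlan::Guard::ActionController`; presumably only one of those names is what `ixtlan/guard/guard_rails` defines in 0.8.0, which would make one file a stale copy shipped in the package. Keep the copy that matches the released module path and drop the other from the gem's file list, so the authorization spec that ships is the one that actually runs.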
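--- a/data/spec/guard_spec.rb
+++ b/data/spec/guard_spec.rb
@@ -1,19 +1,19 @@
  require 'spec_helper'
- require 'ixtlan/guard/guard_ng'
+ require 'ixtlan/guard/guard'
  require 'logger'
 
- describe Ixtlan::Guard::GuardNG do
+ describe Ixtlan::Guard::Guard do
 
  subject do
  logger = Logger.new(STDOUT)
  def logger.debug(&block)
  #info("\n\t[debug] " + block.call)
  end
- Ixtlan::Guard::GuardNG.new(:guards_dir => File.join(File.dirname(__FILE__), "guards"), :logger => logger )
+ Ixtlan::Guard::Guard.new(:guards_dir => File.join(File.dirname(__FILE__), "guards"), :logger => logger )
  end
 
  it 'should fail with missing guard dir' do
- lambda {Ixtlan::Guard::GuardNG.new(:guards_dir => "does_not_exists") }.should raise_error(Ixtlan::Guard::GuardException)
+ lambda {Ixtlan::Guard::Guard.new(:guards_dir => "does_not_exists") }.should raise_error(Ixtlan::Guard::GuardException)
  end
 
  it 'should initialize' do
@@ -28,13 +28,15 @@ describe Ixtlan::Guard::GuardNG do
  subject.allowed?(:users, :show, [:root]).should be_true
  end
 
- it 'should pass "allow all groups" with user with any groups' do
- subject.allowed?(:users, :index, [:any_possible_group]).should be_true
+ it 'should pass "allow all groups" with any groups' do
+ # users resource ask for a block since it is restricted
+ subject.allowed?(:users, :index, [:any_possible_group]){|g| g}.should be_true
  subject.allowed?(:only_defaults, :index, [:any_possible_group]).should be_true
  end
 
  it 'should pass' do
- subject.allowed?(:users, :update, [:users]).should be_true
+ # users resource ask for a block since it is restricted
+ subject.allowed?(:users, :update, [:users]){|g| g}.should be_true
  subject.allowed?(:only_defaults, :update, [:users]).should be_true
  subject.allowed?(:allow_all_defaults, :update, [:users]).should be_true
  end
@@ -42,7 +44,8 @@ describe Ixtlan::Guard::GuardNG do
  it 'should not pass with user when in blocked group' do
  subject.block_groups([:users])
  begin
- subject.allowed?(:users, :update, [:users]).should be_false
+ # users resource ask for a block since it is restricted
+ subject.allowed?(:users, :update, [:users]){|g| g}.should be_false
  subject.allowed?(:only_defaults, :update, [:users]).should be_false
  subject.allowed?(:allow_all_defaults, :update, [:users]).should be_false
  ensure
@@ -53,7 +56,8 @@ describe Ixtlan::Guard::GuardNG do
  it 'should pass with user when not in blocked group' do
  subject.block_groups([:accounts])
  begin
- subject.allowed?(:users, :update, [:users]).should be_true
+ # users resource ask for a block since it is restricted
+ subject.allowed?(:users, :update, [:users]){|g| g}.should be_true
  subject.allowed?(:only_defaults, :update, [:users]).should be_true
  subject.allowed?(:allow_all_defaults, :update, [:users]).should be_true
  ensure
@@ -64,7 +68,8 @@ describe Ixtlan::Guard::GuardNG do
  it 'should not block root group' do
  subject.block_groups([:root])
  begin
- subject.allowed?(:users, :update, [:root]).should be_true
+ # users resource ask for a block since it is restricted
+ subject.allowed?(:users, :update, [:root]){|g| g}.should be_true
  subject.allowed?(:only_defaults, :update, [:root]).should be_true
  subject.allowed?(:allow_all_defaults, :update, [:root]).should be_true
  ensure
@@ -78,7 +83,8 @@ describe Ixtlan::Guard::GuardNG do
  end
 
  it 'should should use defaults on unknown action' do
- subject.allowed?(:users, :unknow, [:users]).should be_true
+ # users resource ask for a block since it is restricted
+ subject.allowed?(:users, :unknow, [:users]){|g| g}.should be_true
  subject.allowed?(:only_defaults, :unknow, [:users]).should be_true
  subject.allowed?(:allow_all_defaults, :update, [:users]).should be_true
  end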
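Review bot: Every call against the restricted `users` resource in this file's hunks now passes the identity block `{|g| g}`, so nothing visible here pins what `allowed?` does when a caller forgets the block. For an authorization check that is the case worth asserting, because the safe outcome is a denial or an exception rather than a silent allow. Add an example such as `lambda { subject.allowed?(:users, :update, [:users]) }.should raise_error(Ixtlan::Guard::GuardException)`, or `.should be_false` if the guard denies instead of raising; the implementation is not part of this diff, so the expected outcome needs confirming. The repeated comment would read better as `# users is a restricted resource, so allowed? needs a block that filters the groups`.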
@@ -1,5 +1,5 @@
1
1
  require 'spec_helper'
2
- require 'ixtlan/guard/guard_ng'
2
+ require 'ixtlan/guard/guard'
3
3
  require 'logger'
4
4
 
5
5
  class Group
@@ -12,103 +12,119 @@ class Group
12
12
  end
13
13
  end
14
14
 
15
- describe Ixtlan::Guard::GuardNG do
15
+ describe Ixtlan::Guard::Guard do
16
16
 
17
17
  subject do
18
18
  logger = Logger.new(STDOUT)
19
19
  def logger.debug(&block)
20
20
  # info("\n\t[debug] " + block.call)
21
21
  end
22
- Ixtlan::Guard::GuardNG.new(:guards_dir => File.join(File.dirname(__FILE__), "guards"), :logger => logger )
22
+ Ixtlan::Guard::Guard.new(:guards_dir => File.join(File.dirname(__FILE__), "guards"), :logger => logger )
23
23
  end
24
24
 
25
- it 'should pass without association without block' do
26
- subject.allowed?(:users, :update, [Group.new(:users)]).should be_true
25
+ it 'should pass without block' do
26
+ subject.allowed?(:users, :edit, [Group.new(:users)]).should be_true
27
27
  end
28
28
 
29
- it 'should deny without association with block' do
30
- subject.allowed?(:users, :update, [Group.new(:users)]){}.should be_false
29
+ it 'should deny with block returning empty array' do
30
+ subject.allowed?(:users, :update, [Group.new(:users)]){ |groups| [] }.should be_false
31
31
  end
32
32
 
33
- it 'should deny with association without block' do
34
- subject.allowed?(:users, :update, [Group.new(:users, :manager)], :manager).should be_false
33
+ it 'should allow root user' do
34
+ subject.allowed?(:users, :update, [Group.new(:root)]){ |groups| [] }.should be_true
35
35
  end
36
36
 
37
- it 'should pass with matching association with block' do
38
- subject.allowed?(:users, :update, [Group.new(:users, :manager)], :manager) do |group, association|
39
- group.domains.detect {|d| d == association.to_s }
40
- end.should be_false
37
+ it 'should pass with matching association' do
38
+ subject.allowed?(:users, :update, [Group.new(:users, :manager)]) do |groups|
39
+ groups.select { |g| g.domains.member? :manager }
40
+ end.should be_true
41
41
  end
42
42
 
43
- it 'should fail with mismatching association with block' do
44
- subject.allowed?(:users, :update, [Group.new(:users, :manager)], :nomanager) do |group, association|
45
- group.domains.detect {|d| d == association }
43
+ it 'should fail with mismatching association' do
44
+ subject.allowed?(:users, :update, [Group.new(:users, :manager)]) do |groups|
45
+ groups.select { |g| g.domains.detect {|d| d == 'nomanager' } }
46
46
  end.should be_false
47
47
  end
48
48
 
49
49
  it 'should add associations to node' do
50
- subject.permissions([Group.new('admin', [:german, :french])]) do |resource, action, groups|
50
+ perms = subject.permissions([Group.new('admin', [:german, :french])]) do |resource, groups|
51
51
  if groups && groups.first && groups.first.name == 'admin'
52
- { :domains => groups.first.domains }
52
+ groups.first.domains
53
53
  else
54
54
  {}
55
55
  end
56
- end.sort { |m,n| m[:resource] <=> n[:resource]}.should ==
57
- [{
58
- :permission=>{
59
- :resource=>"accounts",
60
- :actions=>[{:action=>{
61
- :name=>"destroy",
62
- :domains=>[:german, :french]}}],
63
- :deny=>false}},
64
- {
65
- :permission=>{
66
- :resource=>"allow_all_defaults",
67
- :actions=>[{:action=>{:name=>"index"}}],
68
- :deny=>true,
69
- :domains=>[:german, :french]}},
70
- {
71
- :permission=>{
72
- :resource=>"defaults",
73
- :actions=>[{:action=>{
74
- :name=>"index",
75
- :domains=>[:german, :french]}}],
76
- :deny=>false}},
77
- {
78
- :permission=>{
79
- :resource=>"no_defaults",
80
- :actions=>[{:action=>{
81
- :name=>"index",
82
- :domains=>[:german, :french]}}],
83
- :deny=>false}},
84
- {
85
- :permission=>{
86
- :resource=>"only_defaults",
87
- :domains=>[:german, :french],
88
- :actions=>[],
89
- :deny=>true}},
90
- {
91
- :permission=>{
92
- :resource=>"person",
93
- :actions=> [{:action=>{
94
- :name=>"destroy",
95
- :domains=>[:german, :french]}},
96
- {:action=>{
97
- :name=>"index",
98
- :domains=>[:german, :french]}}],
99
- :deny=>false}},
100
- {
101
- :permission=>{
102
- :resource=>"regions",
103
- :actions=>[
104
- {:action=>{:name=>"show", :domains=>[:german, :french]}},
105
- {:action=>{:name=>"create", :domains=>[:german, :french]}}
106
- ],
107
- :deny=>false}},
108
- {
109
- :permission=>{
110
- :resource=>"users",
111
- :actions=>[],
112
- :deny=>false}}]
56
+ end
57
+
58
+ expected = {}
59
+ expected[:accounts] = {
60
+ :permission=>{
61
+ :resource=>"accounts",
62
+ :actions=>[{:action=>{
63
+ :name=>"destroy",
64
+ :associations=>[:german, :french]}}],
65
+ :deny=>false}
66
+ }
67
+ expected[:allow_all_defaults] = {
68
+ :permission=>{
69
+ :resource=>"allow_all_defaults",
70
+ :actions=>[{:action=>{:name=>"index"}}],
71
+ :deny=>true,
72
+ :associations=>[:german, :french]}
73
+ }
74
+ expected[:defaults] = {
75
+ :permission=>{
76
+ :resource=>"defaults",
77
+ :actions=>[{:action=>{
78
+ :name=>"index",
79
+ :associations=>[:german, :french]}}],
80
+ :deny=>false}
81
+ }
82
+ expected[:no_defaults] = {
83
+ :permission=>{
84
+ :resource=>"no_defaults",
85
+ :actions=>[{:action=>{
86
+ :name=>"index",
87
+ :associations=>[:german, :french]}}],
88
+ :deny=>false}
89
+ }
90
+ expected[:only_defaults] = {
91
+ :permission=>{
92
+ :resource=>"only_defaults",
93
+ :actions=>[],
94
+ :associations=>[:german, :french],
95
+ :deny=>true}
96
+ }
97
+ expected[:person]= {
98
+ :permission=>{
99
+ :resource=>"person",
100
+ :actions=> [{:action=>{
101
+ :name=>"destroy",
102
+ :associations=>[:german, :french]}},
103
+ {:action=>{
104
+ :name=>"index",
105
+ :associations=>[:german, :french]}}],
106
+ :deny=>false}
107
+ }
108
+ expected[:regions] = {
109
+ :permission=>{
110
+ :resource=>"regions",
111
+ :actions=>[
112
+ {:action=>{:name=>"create", :associations=>[:german, :french]}},
113
+ {:action=>{:name=>"show", :associations=>[:german, :french]}}
114
+ ],
115
+ :deny=>false}
116
+ }
117
+ expected[:users] = {
118
+ :permission=>{
119
+ :resource=>"users",
120
+ :actions=>[],
121
+ :deny=>false}
122
+ }
123
+ perms.each do |perm|
124
+ if perm[:actions]
125
+ perm[:actions].sort!{ |n,m| n.content[:name] <=> m.content[:name] }
126
+ end
127
+ expected[perm[:resource].to_sym].should == perm
128
+ end
113
129
  end
114
130
  end
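Review bot: The 'should fail with mismatching association' example compares each domain with the string `'nomanager'`, while the passing example just above tests `g.domains.member? :manager` with a symbol. If `Group` stores domains as given (its constructor is outside the hunk), a symbol never equals a string and the block returns no groups whatever the name is. The denial is then asserted by a type mismatch rather than by a mismatching association; `groups.select { |g| g.domains.member? :nomanager }` would test the intended case. In 'should add associations to node' the final `perms.each` loop also passes when `perms` is empty or misses a resource, so add `perms.size.should == expected.size` before it.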