ixtlan-guard 0.6.1 → 0.7.0

data/lib/ixtlan/guard/guard_ng.rb

@@ -34,7 +34,7 @@ module Ixtlan
       def allowed_groups(resource, action, current_groups)
         allowed = @config.allowed_groups(resource, action) - blocked_groups + @superuser
         if allowed.member?('*')
-          current_groups
+          current_groups - (blocked_groups - @superuser)
         else
           intersect(allowed, current_groups)
         end
@@ -43,7 +43,7 @@ module Ixtlan
       def allowed?(resource, action, current_groups, flavor = nil, &block)
         current_groups = current_groups.collect { |g| g.to_s }
         allowed_groups = self.allowed_groups(resource, action, current_groups)
-        logger.debug { "guard #{resource}##{action}: #{allowed_groups.size > 0}" }
+       logger.debug { "guard #{resource}##{action}: #{allowed_groups.size > 0}" }
         if allowed_groups.size > 0
           if block
             g = allowed_groups.detect do |group|
@@ -77,8 +77,20 @@ module Ixtlan
           perm = Node.new(:permission)
           perm[:resource] = resource
           perm[:actions] = nodes
-          defaults = intersect(current_groups, (actions.delete('defaults') || []) + @superuser)
-          deny = perm[:deny] = defaults.size != 0
+          defaults = actions.delete('defaults') || []
+          defaults = intersect(current_groups, defaults + @superuser) unless defaults.member?('*')
+          # no actions
+          # deny = false: !defaults.member?('*')
+          # deny = true: defaults.member?('*') || current_groups.member?(@superuser[0])
+          deny = if actions.size == 0
+                   defaults.member?('*') || current_groups.member?(@superuser[0])
+                 else
+                   # actions
+                   # deny = false : defaults == []
+                   # deny = true : defaults.member?('*')
+                   defaults.size != 0 || defaults.member?('*')
+                 end
+          perm[:deny] = deny
           actions.each do |action, groups|
             node = Node.new(:action)
             allowed_groups = 

data/lib/ixtlan/guard/guard_rails.rb

@@ -3,9 +3,7 @@ module Ixtlan
     module Guard #:nodoc:
       def self.included(base)
         base.send(:include, InstanceMethods)
-        unless base.respond_to?(:groups_for_current_user)
-          base.send(:include, GroupsMethod)
-        end
+        base.send(:include, GroupsMethod)
       end
 
       module GroupsMethod
@@ -40,9 +38,10 @@ module Ixtlan
         end
 
         def check(flavor = nil, &block)
+          group_method = respond_to?(:current_user_group_names) ? :current_user_group_names : :groups_for_current_user
           unless guard.allowed?(params[:controller], 
                                 params[:action],
-                                groups_for_current_user, 
+                                send(group_method),
                                 flavor, 
                                 &block)
             if flavor

data/spec/guard_export_spec.rb

@@ -18,6 +18,7 @@ describe Ixtlan::Guard::GuardNG do
       subject.permissions(['unknown_group']).should == [
          #allow nothing
          {:permission=>{:resource=>"users", :actions=>[], :deny=>false}},
+         {:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
          {:permission=>
            {
              :resource=>"no_defaults",
@@ -36,12 +37,15 @@ describe Ixtlan::Guard::GuardNG do
          #allow nothing
          {:permission=>{:resource=>"person", :actions=>[], :deny=>false}},
          #allow nothing
-         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}}]
+         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
+         # allow anything but index
+         {:permission=>{:resource=>"allow_all_defaults", :actions=>[{:action=>{:name=>"index"}}], :deny=>true}}]
     end
     it 'should deny some without defaults but wildcard "*" actions' do
       subject.permissions(['no_admin']).should == [
          #allow nothing
          {:permission=>{:resource=>"users", :actions=>[], :deny=>false}},
+         {:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
          {:permission=>
            {
              :resource=>"no_defaults",
@@ -63,20 +67,25 @@ describe Ixtlan::Guard::GuardNG do
          #allow nothing
          {:permission=>{:resource=>"person", :actions=>[], :deny=>false}},
          #allow nothing
-         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}}]
+         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
+         # allow anything but index
+         {:permission=>{:resource=>"allow_all_defaults", :actions=>[{:action=>{:name=>"index"}}], :deny=>true}}]
     end
     it 'should allow "root"' do
       subject.permissions(['root']).should == [
          {:permission=>{:resource=>"users", :actions=>[], :deny=>true}},
+         {:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
          {:permission=>{:resource=>"no_defaults", :actions=>[], :deny=>true}},
          {:permission=>{:resource=>"defaults", :actions=>[], :deny=>true}},
          {:permission=>{:resource=>"person", :actions=>[], :deny=>true}},
-         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>true}}]
+         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>true}},
+         {:permission=>{:resource=>"allow_all_defaults", :actions=>[], :deny=>true}}]
     end   
     it 'should allow with default group' do
       subject.permissions(['_master']).should == [
          #allow nothing
          {:permission=>{:resource=>"users", :actions=>[], :deny=>false}},
+         {:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
          {:permission=>
            {
              :resource=>"no_defaults",
@@ -96,12 +105,15 @@ describe Ixtlan::Guard::GuardNG do
          #allow nothing
          {:permission=>{:resource=>"person", :actions=>[], :deny=>false}},
          #allow nothing
-         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}}]
+         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
+         # allow anything but index
+         {:permission=>{:resource=>"allow_all_defaults", :actions=>[{:action=>{:name=>"index"}}], :deny=>true}}]
     end 
     it 'should allow with non-default group' do
       subject.permissions(['_admin']).should == [
          #allow nothing
          {:permission=>{:resource=>"users", :actions=>[], :deny=>false}},
+         {:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
          {:permission=>
            {
              :resource=>"no_defaults",
@@ -122,7 +134,9 @@ describe Ixtlan::Guard::GuardNG do
          #allow nothing
          {:permission=>{:resource=>"person", :actions=>[], :deny=>false}},
          #allow nothing
-         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}}]
+         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
+         # allow anything but index
+         {:permission=>{:resource=>"allow_all_defaults", :actions=>[], :deny=>true}}]
     end
   end
 

data/spec/guard_spec.rb

@@ -29,17 +29,22 @@ describe Ixtlan::Guard::GuardNG do
   end
 
   it 'should pass "allow all groups" with user with any groups' do
-    subject.allowed?(:users, :index, [:any]).should be_true
+    subject.allowed?(:users, :index, [:any_possible_group]).should be_true
+    subject.allowed?(:only_defaults, :index, [:any_possible_group]).should be_true
   end
 
   it 'should pass' do
     subject.allowed?(:users, :update, [:users]).should be_true
+    subject.allowed?(:only_defaults, :update, [:users]).should be_true
+    subject.allowed?(:allow_all_defaults, :update, [:users]).should be_true
   end
 
   it 'should not pass with user when in blocked group' do
     subject.block_groups([:users])
     begin
       subject.allowed?(:users, :update, [:users]).should be_false
+      subject.allowed?(:only_defaults, :update, [:users]).should be_false
+    subject.allowed?(:allow_all_defaults, :update, [:users]).should be_false
     ensure
       subject.block_groups([])
     end
@@ -49,6 +54,8 @@ describe Ixtlan::Guard::GuardNG do
     subject.block_groups([:accounts])
     begin
       subject.allowed?(:users, :update, [:users]).should be_true
+      subject.allowed?(:only_defaults, :update, [:users]).should be_true
+      subject.allowed?(:allow_all_defaults, :update, [:users]).should be_true
     ensure
       subject.block_groups([])
     end
@@ -58,6 +65,8 @@ describe Ixtlan::Guard::GuardNG do
     subject.block_groups([:root])
     begin
       subject.allowed?(:users, :update, [:root]).should be_true
+      subject.allowed?(:only_defaults, :update, [:root]).should be_true
+    subject.allowed?(:allow_all_defaults, :update, [:root]).should be_true
     ensure
       subject.block_groups([])
     end
@@ -65,10 +74,13 @@ describe Ixtlan::Guard::GuardNG do
 
   it 'should not pass' do
     subject.allowed?(:users, :update, [:accounts]).should be_false
+    subject.allowed?(:allow_all_defaults, :index, [:users]).should be_false
   end
 
   it 'should should use defaults on unknown action' do
     subject.allowed?(:users, :unknow, [:users]).should be_true
+    subject.allowed?(:only_defaults, :unknow, [:users]).should be_true
+    subject.allowed?(:allow_all_defaults, :update, [:users]).should be_true
   end
 
   it 'should pass with right group and allowed flavor' do

data/spec/guards/allow_all_defaults_guard.yml

@@ -0,0 +1,3 @@
+allow_all_defaults:
+  defaults: [*, and_something_else_which_does_matter]
+  index: [_admin]

data/spec/guards/allow_all_defaults_guard.yml~

@@ -0,0 +1,3 @@
+allow_all_defaults:
+  defaults: [*, and_something_else_which_does_matter]
+  index: [admin] 

data/spec/guards/allow_alldefaults.yml~

@@ -0,0 +1,3 @@
+only_defaults:
+  defaults: [*, and_something_else_which_does_matter]
+  index: [admin] 

data/spec/guards/only_defaults_guard.yml

@@ -0,0 +1,2 @@
+only_defaults:
+  defaults: [*, and_something_else_which_does_matter]

data/spec/guards/only_defaults_guard.yml~

@@ -0,0 +1,3 @@
+only_defaults:
+  defaults: [*, and_something_else_which_does_matter]
+  index: [admin] 

metadata

@@ -2,7 +2,7 @@
 name: ixtlan-guard
 version: !ruby/object:Gem::Version 
   prerelease: 
-  version: 0.6.1
+  version: 0.7.0
 platform: ruby
 authors: 
   - mkristian
@@ -10,7 +10,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-10-16 00:00:00 +05:30
+date: 2011-11-04 00:00:00 +05:30
 default_executable: 
 dependencies: 
   - !ruby/object:Gem::Dependency 
@@ -21,7 +21,7 @@ dependencies:
       requirements: 
         - - ~>
           - !ruby/object:Gem::Version 
-            version: 0.6.0
+            version: 0.7.0
     type: :runtime
     version_requirements: *id001
   - !ruby/object:Gem::Dependency 
@@ -140,8 +140,11 @@ files:
   - spec/guards/accounts1_guard.yml~
   - spec/guards/users_guard.yml
   - spec/guards/users2_guard.yml
+  - spec/guards/only_defaults_guard.yml
+  - spec/guards/allow_alldefaults.yml~
   - spec/guards/accounts2_guard.yml~
   - spec/guards/users2_guard.yml~
+  - spec/guards/only_defaults_guard.yml~
   - spec/guards/users_guard.yml~
   - spec/guards/users1_guard.yml~
   - spec/guards/tools_guard.yml~
@@ -151,6 +154,8 @@ files:
   - spec/guards/person_guard.yml
   - spec/guards/accounts_guard.yml
   - spec/guards/no_defaults_guard.yml~
+  - spec/guards/allow_all_defaults_guard.yml
+  - spec/guards/allow_all_defaults_guard.yml~
   - spec/guards/defaults_guard.yml~
   - features/step_definitions/ruby_maven.rb
   - features/step_definitions/simple_steps.rb