ixtlan-guard 0.6.1 → 0.7.0
Sign up to get free protection for your applications and to get access to all the features.
- data/lib/ixtlan/guard/guard_ng.rb +16 -4
- data/lib/ixtlan/guard/guard_rails.rb +3 -4
- data/spec/guard_export_spec.rb +19 -5
- data/spec/guard_spec.rb +13 -1
- data/spec/guards/allow_all_defaults_guard.yml +3 -0
- data/spec/guards/allow_all_defaults_guard.yml~ +3 -0
- data/spec/guards/allow_alldefaults.yml~ +3 -0
- data/spec/guards/only_defaults_guard.yml +2 -0
- data/spec/guards/only_defaults_guard.yml~ +3 -0
- metadata +8 -3
|
@@ -34,7 +34,7 @@ module Ixtlan
|
|
|
34
34
|
def allowed_groups(resource, action, current_groups)
|
|
35
35
|
allowed = @config.allowed_groups(resource, action) - blocked_groups + @superuser
|
|
36
36
|
if allowed.member?('*')
|
|
37
|
-
current_groups
|
|
37
|
+
current_groups - (blocked_groups - @superuser)
|
|
38
38
|
else
|
|
39
39
|
intersect(allowed, current_groups)
|
|
40
40
|
end
|
|
@@ -43,7 +43,7 @@ module Ixtlan
|
|
|
43
43
|
def allowed?(resource, action, current_groups, flavor = nil, &block)
|
|
44
44
|
current_groups = current_groups.collect { |g| g.to_s }
|
|
45
45
|
allowed_groups = self.allowed_groups(resource, action, current_groups)
|
|
46
|
-
|
|
46
|
+
logger.debug { "guard #{resource}##{action}: #{allowed_groups.size > 0}" }
|
|
47
47
|
if allowed_groups.size > 0
|
|
48
48
|
if block
|
|
49
49
|
g = allowed_groups.detect do |group|
|
|
@@ -77,8 +77,20 @@ module Ixtlan
|
|
|
77
77
|
perm = Node.new(:permission)
|
|
78
78
|
perm[:resource] = resource
|
|
79
79
|
perm[:actions] = nodes
|
|
80
|
-
defaults =
|
|
81
|
-
|
|
80
|
+
defaults = actions.delete('defaults') || []
|
|
81
|
+
defaults = intersect(current_groups, defaults + @superuser) unless defaults.member?('*')
|
|
82
|
+
# no actions
|
|
83
|
+
# deny = false: !defaults.member?('*')
|
|
84
|
+
# deny = true: defaults.member?('*') || current_groups.member?(@superuser[0])
|
|
85
|
+
deny = if actions.size == 0
|
|
86
|
+
defaults.member?('*') || current_groups.member?(@superuser[0])
|
|
87
|
+
else
|
|
88
|
+
# actions
|
|
89
|
+
# deny = false : defaults == []
|
|
90
|
+
# deny = true : defaults.member?('*')
|
|
91
|
+
defaults.size != 0 || defaults.member?('*')
|
|
92
|
+
end
|
|
93
|
+
perm[:deny] = deny
|
|
82
94
|
actions.each do |action, groups|
|
|
83
95
|
node = Node.new(:action)
|
|
84
96
|
allowed_groups =
|
|
@@ -3,9 +3,7 @@ module Ixtlan
|
|
|
3
3
|
module Guard #:nodoc:
|
|
4
4
|
def self.included(base)
|
|
5
5
|
base.send(:include, InstanceMethods)
|
|
6
|
-
|
|
7
|
-
base.send(:include, GroupsMethod)
|
|
8
|
-
end
|
|
6
|
+
base.send(:include, GroupsMethod)
|
|
9
7
|
end
|
|
10
8
|
|
|
11
9
|
module GroupsMethod
|
|
@@ -40,9 +38,10 @@ module Ixtlan
|
|
|
40
38
|
end
|
|
41
39
|
|
|
42
40
|
def check(flavor = nil, &block)
|
|
41
|
+
group_method = respond_to?(:current_user_group_names) ? :current_user_group_names : :groups_for_current_user
|
|
43
42
|
unless guard.allowed?(params[:controller],
|
|
44
43
|
params[:action],
|
|
45
|
-
|
|
44
|
+
send(group_method),
|
|
46
45
|
flavor,
|
|
47
46
|
&block)
|
|
48
47
|
if flavor
|
data/spec/guard_export_spec.rb
CHANGED
|
@@ -18,6 +18,7 @@ describe Ixtlan::Guard::GuardNG do
|
|
|
18
18
|
subject.permissions(['unknown_group']).should == [
|
|
19
19
|
#allow nothing
|
|
20
20
|
{:permission=>{:resource=>"users", :actions=>[], :deny=>false}},
|
|
21
|
+
{:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
|
|
21
22
|
{:permission=>
|
|
22
23
|
{
|
|
23
24
|
:resource=>"no_defaults",
|
|
@@ -36,12 +37,15 @@ describe Ixtlan::Guard::GuardNG do
|
|
|
36
37
|
#allow nothing
|
|
37
38
|
{:permission=>{:resource=>"person", :actions=>[], :deny=>false}},
|
|
38
39
|
#allow nothing
|
|
39
|
-
{:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}}
|
|
40
|
+
{:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
|
|
41
|
+
# allow anything but index
|
|
42
|
+
{:permission=>{:resource=>"allow_all_defaults", :actions=>[{:action=>{:name=>"index"}}], :deny=>true}}]
|
|
40
43
|
end
|
|
41
44
|
it 'should deny some without defaults but wildcard "*" actions' do
|
|
42
45
|
subject.permissions(['no_admin']).should == [
|
|
43
46
|
#allow nothing
|
|
44
47
|
{:permission=>{:resource=>"users", :actions=>[], :deny=>false}},
|
|
48
|
+
{:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
|
|
45
49
|
{:permission=>
|
|
46
50
|
{
|
|
47
51
|
:resource=>"no_defaults",
|
|
@@ -63,20 +67,25 @@ describe Ixtlan::Guard::GuardNG do
|
|
|
63
67
|
#allow nothing
|
|
64
68
|
{:permission=>{:resource=>"person", :actions=>[], :deny=>false}},
|
|
65
69
|
#allow nothing
|
|
66
|
-
{:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}}
|
|
70
|
+
{:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
|
|
71
|
+
# allow anything but index
|
|
72
|
+
{:permission=>{:resource=>"allow_all_defaults", :actions=>[{:action=>{:name=>"index"}}], :deny=>true}}]
|
|
67
73
|
end
|
|
68
74
|
it 'should allow "root"' do
|
|
69
75
|
subject.permissions(['root']).should == [
|
|
70
76
|
{:permission=>{:resource=>"users", :actions=>[], :deny=>true}},
|
|
77
|
+
{:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
|
|
71
78
|
{:permission=>{:resource=>"no_defaults", :actions=>[], :deny=>true}},
|
|
72
79
|
{:permission=>{:resource=>"defaults", :actions=>[], :deny=>true}},
|
|
73
80
|
{:permission=>{:resource=>"person", :actions=>[], :deny=>true}},
|
|
74
|
-
{:permission=>{:resource=>"accounts", :actions=>[], :deny=>true}}
|
|
81
|
+
{:permission=>{:resource=>"accounts", :actions=>[], :deny=>true}},
|
|
82
|
+
{:permission=>{:resource=>"allow_all_defaults", :actions=>[], :deny=>true}}]
|
|
75
83
|
end
|
|
76
84
|
it 'should allow with default group' do
|
|
77
85
|
subject.permissions(['_master']).should == [
|
|
78
86
|
#allow nothing
|
|
79
87
|
{:permission=>{:resource=>"users", :actions=>[], :deny=>false}},
|
|
88
|
+
{:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
|
|
80
89
|
{:permission=>
|
|
81
90
|
{
|
|
82
91
|
:resource=>"no_defaults",
|
|
@@ -96,12 +105,15 @@ describe Ixtlan::Guard::GuardNG do
|
|
|
96
105
|
#allow nothing
|
|
97
106
|
{:permission=>{:resource=>"person", :actions=>[], :deny=>false}},
|
|
98
107
|
#allow nothing
|
|
99
|
-
{:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}}
|
|
108
|
+
{:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
|
|
109
|
+
# allow anything but index
|
|
110
|
+
{:permission=>{:resource=>"allow_all_defaults", :actions=>[{:action=>{:name=>"index"}}], :deny=>true}}]
|
|
100
111
|
end
|
|
101
112
|
it 'should allow with non-default group' do
|
|
102
113
|
subject.permissions(['_admin']).should == [
|
|
103
114
|
#allow nothing
|
|
104
115
|
{:permission=>{:resource=>"users", :actions=>[], :deny=>false}},
|
|
116
|
+
{:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
|
|
105
117
|
{:permission=>
|
|
106
118
|
{
|
|
107
119
|
:resource=>"no_defaults",
|
|
@@ -122,7 +134,9 @@ describe Ixtlan::Guard::GuardNG do
|
|
|
122
134
|
#allow nothing
|
|
123
135
|
{:permission=>{:resource=>"person", :actions=>[], :deny=>false}},
|
|
124
136
|
#allow nothing
|
|
125
|
-
{:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}}
|
|
137
|
+
{:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
|
|
138
|
+
# allow anything but index
|
|
139
|
+
{:permission=>{:resource=>"allow_all_defaults", :actions=>[], :deny=>true}}]
|
|
126
140
|
end
|
|
127
141
|
end
|
|
128
142
|
|
data/spec/guard_spec.rb
CHANGED
|
@@ -29,17 +29,22 @@ describe Ixtlan::Guard::GuardNG do
|
|
|
29
29
|
end
|
|
30
30
|
|
|
31
31
|
it 'should pass "allow all groups" with user with any groups' do
|
|
32
|
-
subject.allowed?(:users, :index, [:
|
|
32
|
+
subject.allowed?(:users, :index, [:any_possible_group]).should be_true
|
|
33
|
+
subject.allowed?(:only_defaults, :index, [:any_possible_group]).should be_true
|
|
33
34
|
end
|
|
34
35
|
|
|
35
36
|
it 'should pass' do
|
|
36
37
|
subject.allowed?(:users, :update, [:users]).should be_true
|
|
38
|
+
subject.allowed?(:only_defaults, :update, [:users]).should be_true
|
|
39
|
+
subject.allowed?(:allow_all_defaults, :update, [:users]).should be_true
|
|
37
40
|
end
|
|
38
41
|
|
|
39
42
|
it 'should not pass with user when in blocked group' do
|
|
40
43
|
subject.block_groups([:users])
|
|
41
44
|
begin
|
|
42
45
|
subject.allowed?(:users, :update, [:users]).should be_false
|
|
46
|
+
subject.allowed?(:only_defaults, :update, [:users]).should be_false
|
|
47
|
+
subject.allowed?(:allow_all_defaults, :update, [:users]).should be_false
|
|
43
48
|
ensure
|
|
44
49
|
subject.block_groups([])
|
|
45
50
|
end
|
|
@@ -49,6 +54,8 @@ describe Ixtlan::Guard::GuardNG do
|
|
|
49
54
|
subject.block_groups([:accounts])
|
|
50
55
|
begin
|
|
51
56
|
subject.allowed?(:users, :update, [:users]).should be_true
|
|
57
|
+
subject.allowed?(:only_defaults, :update, [:users]).should be_true
|
|
58
|
+
subject.allowed?(:allow_all_defaults, :update, [:users]).should be_true
|
|
52
59
|
ensure
|
|
53
60
|
subject.block_groups([])
|
|
54
61
|
end
|
|
@@ -58,6 +65,8 @@ describe Ixtlan::Guard::GuardNG do
|
|
|
58
65
|
subject.block_groups([:root])
|
|
59
66
|
begin
|
|
60
67
|
subject.allowed?(:users, :update, [:root]).should be_true
|
|
68
|
+
subject.allowed?(:only_defaults, :update, [:root]).should be_true
|
|
69
|
+
subject.allowed?(:allow_all_defaults, :update, [:root]).should be_true
|
|
61
70
|
ensure
|
|
62
71
|
subject.block_groups([])
|
|
63
72
|
end
|
|
@@ -65,10 +74,13 @@ describe Ixtlan::Guard::GuardNG do
|
|
|
65
74
|
|
|
66
75
|
it 'should not pass' do
|
|
67
76
|
subject.allowed?(:users, :update, [:accounts]).should be_false
|
|
77
|
+
subject.allowed?(:allow_all_defaults, :index, [:users]).should be_false
|
|
68
78
|
end
|
|
69
79
|
|
|
70
80
|
it 'should should use defaults on unknown action' do
|
|
71
81
|
subject.allowed?(:users, :unknow, [:users]).should be_true
|
|
82
|
+
subject.allowed?(:only_defaults, :unknow, [:users]).should be_true
|
|
83
|
+
subject.allowed?(:allow_all_defaults, :update, [:users]).should be_true
|
|
72
84
|
end
|
|
73
85
|
|
|
74
86
|
it 'should pass with right group and allowed flavor' do
|
metadata
CHANGED
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
name: ixtlan-guard
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
4
|
prerelease:
|
|
5
|
-
version: 0.
|
|
5
|
+
version: 0.7.0
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
8
8
|
- mkristian
|
|
@@ -10,7 +10,7 @@ autorequire:
|
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
12
|
|
|
13
|
-
date: 2011-
|
|
13
|
+
date: 2011-11-04 00:00:00 +05:30
|
|
14
14
|
default_executable:
|
|
15
15
|
dependencies:
|
|
16
16
|
- !ruby/object:Gem::Dependency
|
|
@@ -21,7 +21,7 @@ dependencies:
|
|
|
21
21
|
requirements:
|
|
22
22
|
- - ~>
|
|
23
23
|
- !ruby/object:Gem::Version
|
|
24
|
-
version: 0.
|
|
24
|
+
version: 0.7.0
|
|
25
25
|
type: :runtime
|
|
26
26
|
version_requirements: *id001
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
@@ -140,8 +140,11 @@ files:
|
|
|
140
140
|
- spec/guards/accounts1_guard.yml~
|
|
141
141
|
- spec/guards/users_guard.yml
|
|
142
142
|
- spec/guards/users2_guard.yml
|
|
143
|
+
- spec/guards/only_defaults_guard.yml
|
|
144
|
+
- spec/guards/allow_alldefaults.yml~
|
|
143
145
|
- spec/guards/accounts2_guard.yml~
|
|
144
146
|
- spec/guards/users2_guard.yml~
|
|
147
|
+
- spec/guards/only_defaults_guard.yml~
|
|
145
148
|
- spec/guards/users_guard.yml~
|
|
146
149
|
- spec/guards/users1_guard.yml~
|
|
147
150
|
- spec/guards/tools_guard.yml~
|
|
@@ -151,6 +154,8 @@ files:
|
|
|
151
154
|
- spec/guards/person_guard.yml
|
|
152
155
|
- spec/guards/accounts_guard.yml
|
|
153
156
|
- spec/guards/no_defaults_guard.yml~
|
|
157
|
+
- spec/guards/allow_all_defaults_guard.yml
|
|
158
|
+
- spec/guards/allow_all_defaults_guard.yml~
|
|
154
159
|
- spec/guards/defaults_guard.yml~
|
|
155
160
|
- features/step_definitions/ruby_maven.rb
|
|
156
161
|
- features/step_definitions/simple_steps.rb
|