ixtlan-guard 0.6.1 → 0.7.0
- data/lib/ixtlan/guard/guard_ng.rb +16 -4
- data/lib/ixtlan/guard/guard_rails.rb +3 -4
- data/spec/guard_export_spec.rb +19 -5
- data/spec/guard_spec.rb +13 -1
- data/spec/guards/allow_all_defaults_guard.yml +3 -0
- data/spec/guards/allow_all_defaults_guard.yml~ +3 -0
- data/spec/guards/allow_alldefaults.yml~ +3 -0
- data/spec/guards/only_defaults_guard.yml +2 -0
- data/spec/guards/only_defaults_guard.yml~ +3 -0
- metadata +8 -3
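--- a/data/lib/ixtlan/guard/guard_ng.rb
+++ b/data/lib/ixtlan/guard/guard_ng.rb
@@ -34,7 +34,7 @@ module Ixtlan
 def allowed_groups(resource, action, current_groups)
 allowed = @config.allowed_groups(resource, action) - blocked_groups + @superuser
 if allowed.member?('*')
-current_groups
+current_groups - (blocked_groups - @superuser)
 else
 intersect(allowed, current_groups)
 end
@@ -43,7 +43,7 @@ module Ixtlan
 def allowed?(resource, action, current_groups, flavor = nil, &block)
 current_groups = current_groups.collect { |g| g.to_s }
 allowed_groups = self.allowed_groups(resource, action, current_groups)
-
+logger.debug { "guard #{resource}##{action}: #{allowed_groups.size > 0}" }
 if allowed_groups.size > 0
 if block
 g = allowed_groups.detect do |group|
@@ -77,8 +77,20 @@ module Ixtlan
 perm = Node.new(:permission)
 perm[:resource] = resource
 perm[:actions] = nodes
-defaults =
-
+defaults = actions.delete('defaults') || []
+defaults = intersect(current_groups, defaults + @superuser) unless defaults.member?('*')
+# no actions
+# deny = false: !defaults.member?('*')
+# deny = true: defaults.member?('*') || current_groups.member?(@superuser[0])
+deny = if actions.size == 0
+defaults.member?('*') || current_groups.member?(@superuser[0])
+else
+# actions
+# deny = false : defaults == []
+# deny = true : defaults.member?('*')
+defaults.size != 0 || defaults.member?('*')
+end
+perm[:deny] = deny
 actions.each do |action, groups|
 node = Node.new(:action)
 allowed_groups =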
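Review bot: In the no-actions branch of the new `deny` computation, `current_groups.member?(@superuser[0])` looks only at the first superuser entry, while the line above it (`defaults + @superuser`) and `allowed_groups` (`... + @superuser`) treat `@superuser` as a list. If more than one superuser group can be configured, a member of a later one would be exported with `:deny => false` and no actions for a defaults-only resource, although the visible `allowed_groups` would still let that user through, so exported and enforced permissions disagree. Consider `defaults.member?('*') || intersect(current_groups, @superuser).size > 0`. In the other branch, `defaults.size != 0 || defaults.member?('*')` has a second operand that can never change the result and can be dropped. The enclosing method starts and ends outside the hunk, so whether `actions.delete('defaults')` mutates a hash shared with the loaded configuration could not be checked here.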
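--- a/data/lib/ixtlan/guard/guard_rails.rb
+++ b/data/lib/ixtlan/guard/guard_rails.rb
@@ -3,9 +3,7 @@ module Ixtlan
 module Guard #:nodoc:
 def self.included(base)
 base.send(:include, InstanceMethods)
-
-base.send(:include, GroupsMethod)
-end
+base.send(:include, GroupsMethod)
 end
 
 module GroupsMethod
@@ -40,9 +38,10 @@ module Ixtlan
 end
 
 def check(flavor = nil, &block)
+group_method = respond_to?(:current_user_group_names) ? :current_user_group_names : :groups_for_current_user
 unless guard.allowed?(params[:controller],
 params[:action],
-
+send(group_method),
 flavor,
 &block)
 if flavor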
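Review bot: `respond_to?(:current_user_group_names)` in `check` returns false for private and protected methods, and controller helpers of this kind are usually kept non-public so they cannot be routed as actions. In that case the guard silently falls back to `groups_for_current_user` and authorizes against a different group source than the application intended, with nothing to flag it. Pass the include-all flag, `respond_to?(:current_user_group_names, true)`; the `send` on the following lines already reaches non-public methods. The body of `check` continues outside the hunk.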
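--- a/data/spec/guard_export_spec.rb
+++ b/data/spec/guard_export_spec.rb
@@ -18,6 +18,7 @@ describe Ixtlan::Guard::GuardNG do
 subject.permissions(['unknown_group']).should == [
 #allow nothing
 {:permission=>{:resource=>"users", :actions=>[], :deny=>false}},
+{:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
 {:permission=>
 {
 :resource=>"no_defaults",
@@ -36,12 +37,15 @@ describe Ixtlan::Guard::GuardNG do
 #allow nothing
 {:permission=>{:resource=>"person", :actions=>[], :deny=>false}},
 #allow nothing
-{:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}}
+{:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
+# allow anything but index
+{:permission=>{:resource=>"allow_all_defaults", :actions=>[{:action=>{:name=>"index"}}], :deny=>true}}]
 end
 it 'should deny some without defaults but wildcard "*" actions' do
 subject.permissions(['no_admin']).should == [
 #allow nothing
 {:permission=>{:resource=>"users", :actions=>[], :deny=>false}},
+{:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
 {:permission=>
 {
 :resource=>"no_defaults",
@@ -63,20 +67,25 @@ describe Ixtlan::Guard::GuardNG do
 #allow nothing
 {:permission=>{:resource=>"person", :actions=>[], :deny=>false}},
 #allow nothing
-{:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}}
+{:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
+# allow anything but index
+{:permission=>{:resource=>"allow_all_defaults", :actions=>[{:action=>{:name=>"index"}}], :deny=>true}}]
 end
 it 'should allow "root"' do
 subject.permissions(['root']).should == [
 {:permission=>{:resource=>"users", :actions=>[], :deny=>true}},
+{:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
 {:permission=>{:resource=>"no_defaults", :actions=>[], :deny=>true}},
 {:permission=>{:resource=>"defaults", :actions=>[], :deny=>true}},
 {:permission=>{:resource=>"person", :actions=>[], :deny=>true}},
-{:permission=>{:resource=>"accounts", :actions=>[], :deny=>true}}
+{:permission=>{:resource=>"accounts", :actions=>[], :deny=>true}},
+{:permission=>{:resource=>"allow_all_defaults", :actions=>[], :deny=>true}}]
 end
 it 'should allow with default group' do
 subject.permissions(['_master']).should == [
 #allow nothing
 {:permission=>{:resource=>"users", :actions=>[], :deny=>false}},
+{:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
 {:permission=>
 {
 :resource=>"no_defaults",
@@ -96,12 +105,15 @@ describe Ixtlan::Guard::GuardNG do
 #allow nothing
 {:permission=>{:resource=>"person", :actions=>[], :deny=>false}},
 #allow nothing
-{:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}}
+{:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
+# allow anything but index
+{:permission=>{:resource=>"allow_all_defaults", :actions=>[{:action=>{:name=>"index"}}], :deny=>true}}]
 end
 it 'should allow with non-default group' do
 subject.permissions(['_admin']).should == [
 #allow nothing
 {:permission=>{:resource=>"users", :actions=>[], :deny=>false}},
+{:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
 {:permission=>
 {
 :resource=>"no_defaults",
@@ -122,7 +134,9 @@ describe Ixtlan::Guard::GuardNG do
 #allow nothing
 {:permission=>{:resource=>"person", :actions=>[], :deny=>false}},
 #allow nothing
-{:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}}
+{:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
+# allow anything but index
+{:permission=>{:resource=>"allow_all_defaults", :actions=>[], :deny=>true}}]
 end
 end
 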
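Review bot: The comment `# allow anything but index` added in the `'_admin'` example (last hunk) does not match the expectation under it, which has `:actions=>[]` with `:deny=>true`, the same shape the `'root'` example uses for unrestricted access. It reads as copied from the earlier examples where `index` is listed, and in an authorization spec the comment is what a reader relies on to judge whether the expected export is right; `# allow everything` would fit. The added `only_defaults` expectations also sit directly under the existing `#allow nothing` comments although they carry `:deny=>true`, so a separate comment line above each of them would avoid that misreading.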
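--- a/data/spec/guard_spec.rb
+++ b/data/spec/guard_spec.rb
@@ -29,17 +29,22 @@ describe Ixtlan::Guard::GuardNG do
 end
 
 it 'should pass "allow all groups" with user with any groups' do
-subject.allowed?(:users, :index, [:
+subject.allowed?(:users, :index, [:any_possible_group]).should be_true
+subject.allowed?(:only_defaults, :index, [:any_possible_group]).should be_true
 end
 
 it 'should pass' do
 subject.allowed?(:users, :update, [:users]).should be_true
+subject.allowed?(:only_defaults, :update, [:users]).should be_true
+subject.allowed?(:allow_all_defaults, :update, [:users]).should be_true
 end
 
 it 'should not pass with user when in blocked group' do
 subject.block_groups([:users])
 begin
 subject.allowed?(:users, :update, [:users]).should be_false
+subject.allowed?(:only_defaults, :update, [:users]).should be_false
+subject.allowed?(:allow_all_defaults, :update, [:users]).should be_false
 ensure
 subject.block_groups([])
 end
@@ -49,6 +54,8 @@ describe Ixtlan::Guard::GuardNG do
 subject.block_groups([:accounts])
 begin
 subject.allowed?(:users, :update, [:users]).should be_true
+subject.allowed?(:only_defaults, :update, [:users]).should be_true
+subject.allowed?(:allow_all_defaults, :update, [:users]).should be_true
 ensure
 subject.block_groups([])
 end
@@ -58,6 +65,8 @@ describe Ixtlan::Guard::GuardNG do
 subject.block_groups([:root])
 begin
 subject.allowed?(:users, :update, [:root]).should be_true
+subject.allowed?(:only_defaults, :update, [:root]).should be_true
+subject.allowed?(:allow_all_defaults, :update, [:root]).should be_true
 ensure
 subject.block_groups([])
 end
@@ -65,10 +74,13 @@ describe Ixtlan::Guard::GuardNG do
 
 it 'should not pass' do
 subject.allowed?(:users, :update, [:accounts]).should be_false
+subject.allowed?(:allow_all_defaults, :index, [:users]).should be_false
 end
 
 it 'should should use defaults on unknown action' do
 subject.allowed?(:users, :unknow, [:users]).should be_true
+subject.allowed?(:only_defaults, :unknow, [:users]).should be_true
+subject.allowed?(:allow_all_defaults, :update, [:users]).should be_true
 end
 
 it 'should pass with right group and allowed flavor' do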
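Review bot: In `'should should use defaults on unknown action'` the added `allow_all_defaults` assertion passes `:update` rather than `:unknow`, so it repeats the check already added to `'should pass'` and leaves the unknown-action fallback for that resource untested. That fallback is the path on which a wildcard default grants access, so it should have its own assertion; assuming the fixture's defaults are `*`, that would be `subject.allowed?(:allow_all_defaults, :unknow, [:users]).should be_true`. The fixture files themselves are not shown on this page, so the expected value should be confirmed against `allow_all_defaults_guard.yml`.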
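--- a/metadata
+++ b/metadata
@@ -2,7 +2,7 @@
 name: ixtlan-guard
 version: !ruby/object:Gem::Version
 prerelease:
-version: 0.
+version: 0.7.0
 platform: ruby
 authors:
 - mkristian
@@ -10,7 +10,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-
+date: 2011-11-04 00:00:00 +05:30
 default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency
@@ -21,7 +21,7 @@ dependencies:
 requirements:
 - - ~>
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.7.0
 type: :runtime
 version_requirements: *id001
 - !ruby/object:Gem::Dependency
@@ -140,8 +140,11 @@ files:
 - spec/guards/accounts1_guard.yml~
 - spec/guards/users_guard.yml
 - spec/guards/users2_guard.yml
+- spec/guards/only_defaults_guard.yml
+- spec/guards/allow_alldefaults.yml~
 - spec/guards/accounts2_guard.yml~
 - spec/guards/users2_guard.yml~
+- spec/guards/only_defaults_guard.yml~
 - spec/guards/users_guard.yml~
 - spec/guards/users1_guard.yml~
 - spec/guards/tools_guard.yml~
@@ -151,6 +154,8 @@ files:
 - spec/guards/person_guard.yml
 - spec/guards/accounts_guard.yml
 - spec/guards/no_defaults_guard.yml~
+- spec/guards/allow_all_defaults_guard.yml
+- spec/guards/allow_all_defaults_guard.yml~
 - spec/guards/defaults_guard.yml~
 - features/step_definitions/ruby_maven.rb
 - features/step_definitions/simple_steps.rb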