ixtlan-guard 0.7.0 → 0.7.2
- data/features/generators.feature +0 -10
- data/features/step_definitions/simple_steps.rb +1 -82
- data/lib/ixtlan/guard/guard_ng.rb +77 -76
- data/lib/ixtlan/guard/guard_rails.rb +8 -8
- data/lib/ixtlan/guard/railtie.rb +1 -1
- data/spec/guard_cache_spec.rb +1 -1
- data/spec/guard_export_spec.rb +118 -90
- data/spec/guard_spec.rb +1 -16
- data/spec/guard_with_associations_spec.rb +114 -0
- data/spec/guard_with_associations_spec.rb~ +106 -0
- data/spec/guards/allow_all_defaults_guard.yml +1 -1
- data/spec/guards/defaults_guard.yml +1 -1
- data/spec/guards/no_defaults_guard.yml +1 -1
- data/spec/guards/only_defaults_guard.yml +1 -1
- data/spec/guards/regions_guard.yml +8 -0
- data/spec/guards/regions_guard.yml~ +2 -0
- data/spec/guards/users_guard.yml +1 -1
- metadata +8 -24
- data/lib/generators/active_record/templates/flavor_migration.rb +0 -13
- data/lib/generators/active_record/templates/flavor_model.rb +0 -8
- data/lib/generators/active_record/templates/group_model.rb +0 -43
- data/lib/generators/active_record/templates/group_user_migration.rb +0 -13
- data/lib/generators/active_record/templates/user_model.rb +0 -124
- data/lib/generators/active_record/user_management_models_generator.rb +0 -202
- data/lib/generators/erb/user_management_controller_generator.rb +0 -10
- data/lib/generators/ixtlan/maintenance_scaffold/USAGE +0 -8
- data/lib/generators/ixtlan/maintenance_scaffold/maintenance_scaffold_generator.rb +0 -40
- data/lib/generators/ixtlan/permissions_scaffold/USAGE +0 -8
- data/lib/generators/ixtlan/permissions_scaffold/permissions_scaffold_generator.rb +0 -33
- data/lib/generators/ixtlan/user_management_controller/USAGE +0 -8
- data/lib/generators/ixtlan/user_management_controller/user_management_controller_generator.rb +0 -23
- data/lib/generators/ixtlan/user_management_models/USAGE +0 -8
- data/lib/generators/ixtlan/user_management_models/user_management_models_generator.rb +0 -19
- data/lib/generators/ixtlan/user_management_scaffold/user_management_scaffold_generator.rb +0 -13
- data/lib/ixtlan/guard/controllers/maintenance_controller.rb +0 -45
- data/lib/ixtlan/guard/controllers/permissions_controller.rb +0 -41
- data/lib/ixtlan/guard/models/maintenance.rb +0 -55
- data/lib/ixtlan/guard/models/user_update_manager.rb +0 -95
- data/lib/ixtlan/guard/spec/user_management_models_spec.rb +0 -193
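--- a/data/features/generators.feature
+++ b/data/features/generators.feature
@@ -6,13 +6,3 @@ Feature: Generators for ixtlan-guard
 And I execute "rails generate scaffold account name:string --skip"
 And I execute "rake db:migrate test"
 Then the output should contain "7 tests, 10 assertions, 0 failures, 0 errors"
-
-Scenario: The user-management-model generator creates user/group models, etc
-Given I create new rails application with template "user_management.template" and "user-management" specs
-And I execute "rails generate rspec:install"
-And I execute "rails generate ixtlan:user_management_models user group name:string domain name:string locale code:string"
-# this tes env is needed since we execute the specs directly
-And I execute "rails rake db:migrate -- -Drails.env=test"
-# needed due to bug in rspec-maven-plugin with emtpy gem-path
-And I execute "gem exec ../rubygems/bin/rspec spec/user_management_models_spec.rb"
-Then the output should contain "14 examples, 0 failures"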
@@ -1,82 +1 @@
|
|
1
|
-
require '
|
2
|
-
require File.join(File.dirname(__FILE__), 'ruby_maven')
|
3
|
-
|
4
|
-
def rmvn
|
5
|
-
@rmvn ||= Maven::RubyMaven.new
|
6
|
-
end
|
7
|
-
|
8
|
-
def copy_tests(tests)
|
9
|
-
FileUtils.mkdir_p(@app_directory)
|
10
|
-
FileUtils.cp_r(File.join('templates', "tests-#{tests}", "."),
|
11
|
-
File.join(@app_directory, 'test'))
|
12
|
-
end
|
13
|
-
|
14
|
-
def copy_specs(specs)
|
15
|
-
FileUtils.mkdir_p(@app_directory)
|
16
|
-
FileUtils.cp_r(File.join('templates', "specs-#{specs}", "."),
|
17
|
-
File.join(@app_directory, 'spec'))
|
18
|
-
end
|
19
|
-
|
20
|
-
def create_rails_application(template)
|
21
|
-
name = template.sub(/.template$/, '')
|
22
|
-
@app_directory = File.join('target', name)
|
23
|
-
|
24
|
-
# rails version from gemspec
|
25
|
-
gemspec = File.read(Dir.glob("*.gemspec")[0])
|
26
|
-
rails_version = gemspec.split("\n").detect { |l| l =~ /development_dep.*rails/ }.sub(/'$/, '').sub(/.*'/, '')
|
27
|
-
|
28
|
-
rmvn.options['-Dplugin.version'] = '0.28.4-SNAPSHOT'
|
29
|
-
rmvn.options['-Drails.version'] = rails_version
|
30
|
-
rmvn.options['-Dgem.home'] = ENV['GEM_HOME']
|
31
|
-
rmvn.options['-Dgem.path'] = ENV['GEM_PATH']
|
32
|
-
rmvn.options['-o'] = nil
|
33
|
-
|
34
|
-
FileUtils.rm_rf(@app_directory)
|
35
|
-
|
36
|
-
rmvn.exec("rails", "new", @app_directory, "-f")
|
37
|
-
|
38
|
-
# TODO that should be done via the rails new task !!!
|
39
|
-
rmvn.exec_in(@app_directory, "rails", "rake", "rails:template LOCATION=" + File.expand_path("templates/#{template}"))
|
40
|
-
end
|
41
|
-
|
42
|
-
Given /^I create new rails application with template "(.*)"$/ do |template|
|
43
|
-
create_rails_application(template)
|
44
|
-
end
|
45
|
-
|
46
|
-
Given /^I create new rails application with template "(.*)" and "(.*)" tests$/ do |template, tests|
|
47
|
-
create_rails_application(template)
|
48
|
-
copy_tests(tests)
|
49
|
-
end
|
50
|
-
|
51
|
-
Given /^I create new rails application with template "(.*)" and "(.*)" specs$/ do |template, specs|
|
52
|
-
create_rails_application(template)
|
53
|
-
copy_specs(specs)
|
54
|
-
end
|
55
|
-
|
56
|
-
Given /^me an existing rails application "(.*)"$/ do |name|
|
57
|
-
@app_directory = File.join('target', name)
|
58
|
-
end
|
59
|
-
|
60
|
-
Given /^me an existing rails application "(.*)" and "(.*)" tests$/ do |name, tests|
|
61
|
-
@app_directory = File.join('target', name)
|
62
|
-
copy_tests(tests)
|
63
|
-
end
|
64
|
-
|
65
|
-
Given /^me an existing rails application "(.*)" and "(.*)" specs$/ do |name, specs|
|
66
|
-
@app_directory = File.join('target', name)
|
67
|
-
copy_specs(specs)
|
68
|
-
end
|
69
|
-
|
70
|
-
And /^I execute \"(.*)\"$/ do |args|
|
71
|
-
rmvn.options['-l'] = "output.log"
|
72
|
-
rmvn.exec_in(@app_directory, args)
|
73
|
-
end
|
74
|
-
|
75
|
-
Then /^the output should contain \"(.*)\"$/ do |expected|
|
76
|
-
result = File.read(File.join(@app_directory, "output.log"))
|
77
|
-
expected.split(/\"?\s+and\s+\"?/).each do |exp|
|
78
|
-
puts exp
|
79
|
-
(result =~ /.*#{exp}.*/).should_not be_nil
|
80
|
-
end
|
81
|
-
end
|
82
|
-
|
1
|
+
require 'maven/cucumber_steps'
|
@@ -4,6 +4,8 @@ module Ixtlan
|
|
4
4
|
module Guard
|
5
5
|
class GuardNG
|
6
6
|
|
7
|
+
attr_reader :superuser
|
8
|
+
|
7
9
|
def initialize(options = {})
|
8
10
|
options[:guards_dir] ||= File.expand_path(".")
|
9
11
|
@superuser = [(options[:superuser] || "root").to_s]
|
@@ -31,45 +33,67 @@ module Ixtlan
|
|
31
33
|
end
|
32
34
|
end
|
33
35
|
|
34
|
-
def allowed_groups(
|
35
|
-
allowed = @config.allowed_groups(
|
36
|
+
def allowed_groups(resource_name, action, current_group_names)
|
37
|
+
allowed = @config.allowed_groups(resource_name, action) - blocked_groups + @superuser
|
36
38
|
if allowed.member?('*')
|
37
|
-
current_groups
|
39
|
+
# keep superuser in current_groups if in there
|
40
|
+
current_group_names - (blocked_groups - @superuser)
|
38
41
|
else
|
39
|
-
|
42
|
+
allowed & current_group_names
|
40
43
|
end
|
41
44
|
end
|
42
45
|
|
43
|
-
def
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
46
|
+
def group_map(current_groups)
|
47
|
+
names = current_groups.collect do |g|
|
48
|
+
key = case g
|
49
|
+
when String
|
50
|
+
g
|
51
|
+
when Symbol
|
52
|
+
g.to_s
|
53
|
+
else
|
54
|
+
g.name.to_s
|
55
|
+
end
|
56
|
+
[key, g]
|
57
|
+
end
|
58
|
+
Hash[*(names.flatten)]
|
59
|
+
end
|
60
|
+
private :group_map
|
61
|
+
|
62
|
+
def allowed?(resource_name, action, current_groups, association = nil, &block)
|
63
|
+
group_map = group_map(current_groups)
|
64
|
+
allowed_group_names = allowed_groups(resource_name, action, group_map.keys)
|
65
|
+
logger.debug { "guard #{resource_name}##{action}: #{allowed_group_names.size > 0}" }
|
66
|
+
if allowed_group_names.size > 0
|
67
|
+
if block || association
|
68
|
+
group_allowed?(group_map, allowed_group_names, association, &block)
|
60
69
|
else
|
61
70
|
true
|
62
71
|
end
|
63
72
|
else
|
64
|
-
unless @config.has_guard?(
|
65
|
-
raise ::Ixtlan::Guard::GuardException.new("no guard config for '#{
|
73
|
+
unless @config.has_guard?(resource_name)
|
74
|
+
raise ::Ixtlan::Guard::GuardException.new("no guard config for '#{resource_name}'")
|
66
75
|
else
|
67
76
|
false
|
68
77
|
end
|
69
78
|
end
|
70
79
|
end
|
71
80
|
|
72
|
-
def
|
81
|
+
def group_allowed?(group_map, allowed_group_names, association, &block)
|
82
|
+
g = allowed_group_names.detect do |group_name|
|
83
|
+
block.call(group_map[group_name], association)
|
84
|
+
end if association && block
|
85
|
+
logger.debug do
|
86
|
+
if g
|
87
|
+
"found group #{g} for #{association}"
|
88
|
+
else
|
89
|
+
"no group found for #{association}"
|
90
|
+
end
|
91
|
+
end
|
92
|
+
g != nil
|
93
|
+
end
|
94
|
+
|
95
|
+
def permissions(current_groups, &block)
|
96
|
+
group_map = group_map(current_groups)
|
73
97
|
perms = []
|
74
98
|
m = @config.map_of_all
|
75
99
|
m.each do |resource, actions|
|
@@ -77,79 +101,56 @@ module Ixtlan
|
|
77
101
|
perm = Node.new(:permission)
|
78
102
|
perm[:resource] = resource
|
79
103
|
perm[:actions] = nodes
|
80
|
-
|
81
|
-
|
82
|
-
# no actions
|
83
|
-
# deny = false: !defaults.member?('*')
|
84
|
-
# deny = true: defaults.member?('*') || current_groups.member?(@superuser[0])
|
104
|
+
default_actions = actions.delete('defaults') || []
|
105
|
+
default_actions = group_map.keys & (default_actions + @superuser) unless default_actions.member?('*')
|
85
106
|
deny = if actions.size == 0
|
86
|
-
|
107
|
+
# no actions
|
108
|
+
# deny = false: !default_actions.member?('*')
|
109
|
+
# deny = true: default_actions.member?('*') || current_group_names.member?(@superuser[0])
|
110
|
+
default_actions.member?('*') || group_map.keys.member?(@superuser[0]) || !group_map.keys.detect {|g| default_actions.member? g }.nil?
|
87
111
|
else
|
88
112
|
# actions
|
89
|
-
# deny = false :
|
90
|
-
# deny = true :
|
91
|
-
|
113
|
+
# deny = false : default_actions == []
|
114
|
+
# deny = true : default_actions.member?('*')
|
115
|
+
default_actions.size != 0 || default_actions.member?('*')
|
92
116
|
end
|
93
117
|
perm[:deny] = deny
|
94
118
|
actions.each do |action, groups|
|
119
|
+
group_names = groups.collect { |g| g.is_a?(Hash) ? g.keys : g }.flatten if groups
|
95
120
|
node = Node.new(:action)
|
96
121
|
allowed_groups =
|
97
|
-
if groups &&
|
98
|
-
|
122
|
+
if groups && group_names.member?('*')
|
123
|
+
group_map.values
|
99
124
|
else
|
100
|
-
|
125
|
+
names = group_map.keys & ((group_names || []) + @superuser)
|
126
|
+
names.collect { |name| group_map[name] }
|
101
127
|
end
|
102
128
|
if (deny && allowed_groups.size == 0) || (!deny && allowed_groups.size > 0)
|
103
129
|
node[:name] = action
|
104
|
-
|
105
|
-
|
106
|
-
|
107
|
-
|
108
|
-
|
109
|
-
nodes << node
|
110
|
-
end
|
111
|
-
end
|
112
|
-
perms << perm
|
113
|
-
end
|
114
|
-
perms
|
115
|
-
end
|
116
|
-
|
117
|
-
def permission_map(current_groups, flavors = {})
|
118
|
-
# TODO fix it - think first !!
|
119
|
-
perms = {}
|
120
|
-
m = @config.map_of_all
|
121
|
-
m.each do |resource, actions|
|
122
|
-
nodes = {}
|
123
|
-
actions.each do |action, groups|
|
124
|
-
if action == 'defaults'
|
125
|
-
nodes[action] = {}
|
126
|
-
else
|
127
|
-
allowed_groups = intersect(current_groups, (groups || []) + @superuser)
|
128
|
-
if allowed_groups.size > 0
|
129
|
-
f = {}
|
130
|
-
flavors.each do |fl, block|
|
131
|
-
flav = block.call(allowed_groups)
|
132
|
-
f[fl] = flav if flav.size > 0
|
130
|
+
if block
|
131
|
+
if allowed_groups.size > 0
|
132
|
+
node.content.merge!(block.call(resource, action, allowed_groups) || {})
|
133
|
+
else
|
134
|
+
perm.content.merge!(block.call(resource, action, group_map.values) || {})
|
133
135
|
end
|
134
|
-
nodes[action] = f
|
135
|
-
else
|
136
|
-
nodes[action] = nil # indicates not default action
|
137
136
|
end
|
137
|
+
nodes << node
|
138
138
|
end
|
139
139
|
end
|
140
|
-
|
140
|
+
# TODO is that right like this ?
|
141
|
+
# only default_actions, i.e. no actions !!!
|
142
|
+
if block && actions.size == 0 && deny
|
143
|
+
perm.content.merge!(block.call(resource, nil, group_map.values) || {})
|
144
|
+
end
|
145
|
+
perms << perm
|
141
146
|
end
|
142
147
|
perms
|
143
148
|
end
|
144
|
-
|
145
|
-
private
|
146
|
-
|
147
|
-
def intersect(set1, set2)
|
148
|
-
set1 - (set1 - set2)
|
149
|
-
end
|
150
149
|
end
|
151
150
|
class Node < Hash
|
152
|
-
|
151
|
+
|
152
|
+
attr_reader :content
|
153
|
+
|
153
154
|
def initialize(name)
|
154
155
|
map = super
|
155
156
|
@content = {}
|
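Review bot: New line 104 in `permissions` (hunk `@@ -77,79 +101,56 @@`), `default_actions = actions.delete('defaults') || []`, deletes the `defaults` key from the hash returned by `@config.map_of_all` instead of only reading it. `map_of_all` is not shown on this page; if it hands back the loaded (and possibly cached) guard configuration rather than a copy, the first call to `permissions` would change what later `permissions` and `allowed_groups` calls see, so authorization results could differ between requests. A non-mutating form keeps the export read-only: `default_actions = actions['defaults'] || []` followed by `actions = actions.reject { |name, _| name == 'defaults' }`. A spec that calls `permissions` twice with the same groups and compares the two results would pin this down.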
@@ -12,9 +12,7 @@ module Ixtlan
|
|
12
12
|
|
13
13
|
def groups_for_current_user
|
14
14
|
if respond_to?(:current_user) && current_user
|
15
|
-
current_user.groups
|
16
|
-
group.name
|
17
|
-
end
|
15
|
+
current_user.groups
|
18
16
|
else
|
19
17
|
[]
|
20
18
|
end
|
@@ -37,23 +35,25 @@ module Ixtlan
|
|
37
35
|
Rails.application.config.guard
|
38
36
|
end
|
39
37
|
|
40
|
-
def check(
|
41
|
-
group_method = respond_to?(:
|
38
|
+
def check(association = nil, &block)
|
39
|
+
group_method = respond_to?(:current_user_groups) ? :current_user_groups : :groups_for_current_user
|
42
40
|
unless guard.allowed?(params[:controller],
|
43
41
|
params[:action],
|
44
42
|
send(group_method),
|
45
|
-
|
43
|
+
association,
|
46
44
|
&block)
|
47
|
-
if
|
48
|
-
raise ::Ixtlan::Guard::PermissionDenied.new("permission denied for '#{params[:controller]}##{params[:action]}##{
|
45
|
+
if association
|
46
|
+
raise ::Ixtlan::Guard::PermissionDenied.new("permission denied for '#{params[:controller]}##{params[:action]}##{association.class}(#{association.id})'")
|
49
47
|
else
|
50
48
|
raise ::Ixtlan::Guard::PermissionDenied.new("permission denied for '#{params[:controller]}##{params[:action]}'")
|
51
49
|
end
|
52
50
|
end
|
53
51
|
true
|
54
52
|
end
|
53
|
+
alias :authorize :check
|
55
54
|
|
56
55
|
def authorization
|
56
|
+
warn "DEPRECATED: use 'authorize' instead"
|
57
57
|
check
|
58
58
|
end
|
59
59
|
end
|
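Review bot: In `check` (new line 39), `respond_to?(:current_user_groups)` is called without the include-private argument, so a `current_user_groups` that a controller declares `private` (or `protected` on Ruby 2.0 and later) is not detected and the code falls back to `groups_for_current_user`, i.e. the full `current_user.groups`. An application that overrides `current_user_groups` to narrow the effective groups would then be authorized against the wider list without any error. Since the method is invoked through `send` anyway, `respond_to?(:current_user_groups, true)` matches how it is called. The `respond_to?(:current_user)` test in `groups_for_current_user` has the same limitation, though there a miss yields `[]` and fails closed.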
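--- a/data/lib/ixtlan/guard/railtie.rb
+++ b/data/lib/ixtlan/guard/railtie.rb
@@ -23,7 +23,7 @@ module Ixtlan
 app.config.guard = Ixtlan::Guard::GuardNG.new(options)
 
 ::ActionController::Base.send(:include, Ixtlan::ActionController::Guard)
-::ActionController::Base.send(:before_filter, :
+::ActionController::Base.send(:before_filter, :authorize)
 ::ActionView::Base.send(:include, Ixtlan::Allowed)
 end
 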
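--- a/data/spec/guard_cache_spec.rb
+++ b/data/spec/guard_cache_spec.rb
@@ -9,7 +9,7 @@ $source1 = File.join(File.dirname(__FILE__), "guards", "users1_guard.yml")
 $source2 = File.join(File.dirname(__FILE__), "guards", "users2_guard.yml")
 $logger = Logger.new(STDOUT)
 def $logger.debug(&block)
-info("\n\t[debug] " + block.call)
+# info("\n\t[debug] " + block.call)
 end
 
 describe Ixtlan::Guard::GuardNG do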
data/spec/guard_export_spec.rb
CHANGED
@@ -7,7 +7,7 @@ describe Ixtlan::Guard::GuardNG do
|
|
7
7
|
subject do
|
8
8
|
logger = Logger.new(STDOUT)
|
9
9
|
def logger.debug(&block)
|
10
|
-
|
10
|
+
# info("\n\t[debug] " + block.call)
|
11
11
|
end
|
12
12
|
Ixtlan::Guard::GuardNG.new(:guards_dir => File.join(File.dirname(__FILE__), "guards"), :logger => logger )
|
13
13
|
end
|
@@ -15,37 +15,46 @@ describe Ixtlan::Guard::GuardNG do
|
|
15
15
|
context '#permissions' do
|
16
16
|
|
17
17
|
it 'should deny all without defaults but wildcard "*" actions' do
|
18
|
-
subject.permissions(['unknown_group']).should == [
|
18
|
+
subject.permissions(['unknown_group']).sort { |n,m| n[:resource] <=> m[:resource] }.should == [
|
19
19
|
#allow nothing
|
20
|
-
{:permission=>{:resource=>"
|
21
|
-
|
20
|
+
{:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
|
21
|
+
# allow anything but index
|
22
|
+
{:permission=>{:resource=>"allow_all_defaults", :actions=>[{:action=>{:name=>"index"}}], :deny=>true}},
|
22
23
|
{:permission=>
|
23
24
|
{
|
24
|
-
:resource=>"
|
25
|
+
:resource=>"defaults",
|
25
26
|
:actions=>[{:action=>{:name=>"index"}}],
|
26
27
|
:deny=>false #allow
|
27
28
|
}
|
28
29
|
},
|
29
|
-
{
|
30
|
-
:permission=>
|
30
|
+
{:permission=>
|
31
31
|
{
|
32
|
-
:resource=>"
|
32
|
+
:resource=>"no_defaults",
|
33
33
|
:actions=>[{:action=>{:name=>"index"}}],
|
34
34
|
:deny=>false #allow
|
35
35
|
}
|
36
36
|
},
|
37
|
+
{:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
|
37
38
|
#allow nothing
|
38
39
|
{:permission=>{:resource=>"person", :actions=>[], :deny=>false}},
|
39
40
|
#allow nothing
|
40
|
-
{:permission=>{:resource=>"
|
41
|
-
#
|
42
|
-
{:permission=>{:resource=>"
|
41
|
+
{:permission=>{:resource=>"regions", :actions=>[], :deny=>false}},
|
42
|
+
#allow nothing
|
43
|
+
{:permission=>{:resource=>"users", :actions=>[], :deny=>false}}]
|
43
44
|
end
|
44
45
|
it 'should deny some without defaults but wildcard "*" actions' do
|
45
|
-
subject.permissions(['no_admin']).should == [
|
46
|
+
subject.permissions(['no_admin']).sort { |n,m| n[:resource] <=> m[:resource] }.should == [
|
46
47
|
#allow nothing
|
47
|
-
{:permission=>{:resource=>"
|
48
|
-
|
48
|
+
{:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
|
49
|
+
# allow anything but index
|
50
|
+
{:permission=>{:resource=>"allow_all_defaults", :actions=>[{:action=>{:name=>"index"}}], :deny=>true}},
|
51
|
+
{:permission=>
|
52
|
+
{
|
53
|
+
:resource=>"defaults",
|
54
|
+
:actions=>[{:action=>{:name=>"index"}}],
|
55
|
+
:deny=>false #allow
|
56
|
+
}
|
57
|
+
},
|
49
58
|
{:permission=>
|
50
59
|
{
|
51
60
|
:resource=>"no_defaults",
|
@@ -56,36 +65,39 @@ describe Ixtlan::Guard::GuardNG do
|
|
56
65
|
:deny=>false #allow
|
57
66
|
}
|
58
67
|
},
|
59
|
-
{
|
60
|
-
:permission=>
|
61
|
-
{
|
62
|
-
:resource=>"defaults",
|
63
|
-
:actions=>[{:action=>{:name=>"index"}}],
|
64
|
-
:deny=>false #allow
|
65
|
-
}
|
66
|
-
},
|
68
|
+
{:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
|
67
69
|
#allow nothing
|
68
70
|
{:permission=>{:resource=>"person", :actions=>[], :deny=>false}},
|
69
71
|
#allow nothing
|
70
|
-
{:permission=>{:resource=>"
|
71
|
-
#
|
72
|
-
{:permission=>{:resource=>"
|
72
|
+
{:permission=>{:resource=>"regions", :actions=>[], :deny=>false}},
|
73
|
+
#allow nothing
|
74
|
+
{:permission=>{:resource=>"users", :actions=>[], :deny=>false}}]
|
73
75
|
end
|
74
76
|
it 'should allow "root"' do
|
75
|
-
subject.permissions(['root']).should == [
|
76
|
-
{:permission=>{:resource=>"
|
77
|
-
{:permission=>{:resource=>"
|
78
|
-
{:permission=>{:resource=>"no_defaults", :actions=>[], :deny=>true}},
|
77
|
+
subject.permissions(['root']).sort { |n,m| n[:resource] <=> m[:resource] }.should == [
|
78
|
+
{:permission=>{:resource=>"accounts", :actions=>[], :deny=>true}},
|
79
|
+
{:permission=>{:resource=>"allow_all_defaults", :actions=>[], :deny=>true}},
|
79
80
|
{:permission=>{:resource=>"defaults", :actions=>[], :deny=>true}},
|
81
|
+
{:permission=>{:resource=>"no_defaults", :actions=>[], :deny=>true}},
|
82
|
+
{:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
|
80
83
|
{:permission=>{:resource=>"person", :actions=>[], :deny=>true}},
|
81
|
-
{:permission=>{:resource=>"
|
82
|
-
{:permission=>{:resource=>"
|
84
|
+
{:permission=>{:resource=>"regions", :actions=>[], :deny=>true}},
|
85
|
+
{:permission=>{:resource=>"users", :actions=>[], :deny=>true}}]
|
83
86
|
end
|
84
87
|
it 'should allow with default group' do
|
85
|
-
subject.permissions(['_master']).should == [
|
88
|
+
subject.permissions(['_master']).sort { |n,m| n[:resource] <=> m[:resource] }.should == [
|
86
89
|
#allow nothing
|
87
|
-
{:permission=>{:resource=>"
|
88
|
-
|
90
|
+
{:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
|
91
|
+
# allow anything but index
|
92
|
+
{:permission=>{:resource=>"allow_all_defaults", :actions=>[{:action=>{:name=>"index"}}], :deny=>true}},
|
93
|
+
{:permission=>
|
94
|
+
{
|
95
|
+
:resource=>"defaults",
|
96
|
+
:actions=>[{:action=>{:name=>"show"}},
|
97
|
+
{:action=>{:name=>"destroy"}}],
|
98
|
+
:deny=>true
|
99
|
+
}
|
100
|
+
},
|
89
101
|
{:permission=>
|
90
102
|
{
|
91
103
|
:resource=>"no_defaults",
|
@@ -93,83 +105,99 @@ describe Ixtlan::Guard::GuardNG do
|
|
93
105
|
:deny=>false #allow
|
94
106
|
}
|
95
107
|
},
|
96
|
-
{
|
97
|
-
|
108
|
+
{:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
|
109
|
+
#allow nothing
|
110
|
+
{:permission=>{:resource=>"person", :actions=>[], :deny=>false}},
|
111
|
+
#allow nothing
|
112
|
+
{:permission=>{:resource=>"regions", :actions=>[], :deny=>false}},
|
113
|
+
#allow nothing
|
114
|
+
{:permission=>{:resource=>"users", :actions=>[], :deny=>false}}]
|
115
|
+
end
|
116
|
+
|
117
|
+
it 'should allow with non-default group' do
|
118
|
+
subject.permissions(['_admin']).sort { |n,m| n[:resource] <=> m[:resource] }.should == [
|
119
|
+
#allow nothing
|
120
|
+
{:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
|
121
|
+
# allow anything but index
|
122
|
+
{:permission=>{:resource=>"allow_all_defaults", :actions=>[], :deny=>true}},
|
123
|
+
{:permission=>
|
98
124
|
{
|
99
125
|
:resource=>"defaults",
|
100
|
-
:actions=>[{:action=>{:name=>"
|
101
|
-
|
102
|
-
|
126
|
+
:actions=>[{:action=>{:name=>"edit"}},
|
127
|
+
{:action=>{:name=>"index"}},
|
128
|
+
{:action=>{:name=>"show"}}],
|
129
|
+
:deny=>false # allow
|
103
130
|
}
|
104
131
|
},
|
132
|
+
{:permission=>
|
133
|
+
{
|
134
|
+
:resource=>"no_defaults",
|
135
|
+
:actions=>[{:action=>{:name=>"index"}}],
|
136
|
+
:deny=>false #allow
|
137
|
+
}
|
138
|
+
},
|
139
|
+
{:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
|
105
140
|
#allow nothing
|
106
141
|
{:permission=>{:resource=>"person", :actions=>[], :deny=>false}},
|
142
|
+
#allow nothing
|
143
|
+
{:permission=>{:resource=>"regions", :actions=>[], :deny=>false}},
|
144
|
+
#allow nothing
|
145
|
+
{:permission=>{:resource=>"users", :actions=>[], :deny=>false}}]
|
146
|
+
end
|
147
|
+
|
148
|
+
it 'should allow with association' do
|
149
|
+
group = Object.new
|
150
|
+
def group.name
|
151
|
+
"region"
|
152
|
+
end
|
153
|
+
subject.permissions([group])do |resource, action, groups|
|
154
|
+
if resource == 'regions'
|
155
|
+
case action
|
156
|
+
when 'show'
|
157
|
+
{:associations => [:europe, :asia]}
|
158
|
+
else
|
159
|
+
{}
|
160
|
+
end
|
161
|
+
else
|
162
|
+
{}
|
163
|
+
end
|
164
|
+
end.sort { |n,m| n[:resource] <=> m[:resource] }.should == [
|
107
165
|
#allow nothing
|
108
166
|
{:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
|
109
167
|
# allow anything but index
|
110
|
-
{:permission=>{:resource=>"allow_all_defaults", :actions=>[{:action=>{:name=>"index"}}], :deny=>true}}]
|
111
|
-
end
|
112
|
-
it 'should allow with non-default group' do
|
113
|
-
subject.permissions(['_admin']).should == [
|
114
|
-
#allow nothing
|
115
|
-
{:permission=>{:resource=>"users", :actions=>[], :deny=>false}},
|
116
|
-
{:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
|
117
168
|
{:permission=>
|
118
169
|
{
|
119
|
-
|
120
|
-
|
121
|
-
|
170
|
+
:resource=>"allow_all_defaults",
|
171
|
+
:actions=>[{:action=>{:name=>"index"}}],
|
172
|
+
:deny=>true
|
122
173
|
}
|
123
174
|
},
|
124
|
-
{
|
125
|
-
:permission=>
|
175
|
+
{:permission=>
|
126
176
|
{
|
127
177
|
:resource=>"defaults",
|
128
|
-
:actions=>[{:action=>{:name=>"
|
129
|
-
{:action=>{:name=>"index"}},
|
130
|
-
{:action=>{:name=>"show"}}],
|
178
|
+
:actions=>[{:action=>{:name=>"index"}}],
|
131
179
|
:deny=>false # allow
|
132
180
|
}
|
133
181
|
},
|
182
|
+
{:permission=>
|
183
|
+
{
|
184
|
+
:resource=>"no_defaults",
|
185
|
+
:actions=>[{:action=>{:name=>"index"}}],
|
186
|
+
:deny=>false #allow
|
187
|
+
}
|
188
|
+
},
|
189
|
+
{:permission=>{:resource=>"only_defaults", :actions=>[], :deny=>true}},
|
134
190
|
#allow nothing
|
135
191
|
{:permission=>{:resource=>"person", :actions=>[], :deny=>false}},
|
136
|
-
#allow nothing
|
137
|
-
{:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}},
|
138
|
-
# allow anything but index
|
139
|
-
{:permission=>{:resource=>"allow_all_defaults", :actions=>[], :deny=>true}}]
|
140
|
-
end
|
141
|
-
end
|
142
192
|
|
143
|
-
|
144
|
-
|
145
|
-
|
146
|
-
|
147
|
-
|
148
|
-
|
149
|
-
|
150
|
-
|
151
|
-
|
152
|
-
subject.permission_map(['users']).should == {"users"=>{"defaults"=>{}}, "person"=>{"defaults"=>nil, "destroy"=>nil, "index"=>nil}, "accounts"=>{"defaults"=>nil, "destroy"=>nil, "show"=>nil}}
|
153
|
-
end
|
154
|
-
|
155
|
-
it 'should export with flavor' do
|
156
|
-
pending "check expectations before implementing specs"
|
157
|
-
|
158
|
-
flavors = { 'admin' => ['example', 'dummy'], 'manager' => ['example', 'master'] }
|
159
|
-
|
160
|
-
domains = Proc.new do |groups|
|
161
|
-
groups.collect do |g|
|
162
|
-
flavors[g] || []
|
163
|
-
end.flatten.uniq
|
164
|
-
end
|
165
|
-
|
166
|
-
subject.permission_map(['admin'], 'domains' => domains).should == {"users"=>{"defaults"=>nil}, "person"=>{"defaults"=>nil, "destroy"=>{'domains'=>["example", "dummy"]}, "index"=>{'domains'=>["example", "dummy"]}}, "accounts"=>{"defaults"=>nil, "destroy"=>{'domains'=>["example", "dummy"]}, "show"=>nil}}
|
167
|
-
|
168
|
-
subject.permission_map(['manager'], 'domains' => domains).should == {"users"=>{"defaults"=>nil}, "person"=>{"defaults"=>nil, "destroy"=>nil, "index"=>{"domains"=>["example", "master"]}}, "accounts"=>{"defaults"=>nil, "destroy"=>nil, "show"=>{"domains"=>["example", "master"]}}}
|
169
|
-
|
170
|
-
subject.permission_map(['manager', 'admin'], 'domains' => domains).should == {"users"=>{"defaults"=>nil}, "person"=>{"defaults"=>nil, "destroy"=>{"domains"=>["example", "dummy"]}, "index"=>{"domains"=>["example", "master", "dummy"]}}, "accounts"=>{"defaults"=>nil, "destroy"=>{"domains"=>["example", "dummy"]}, "show"=>{"domains"=>["example", "master"]}}}
|
171
|
-
|
172
|
-
subject.permission_map(['users'], 'domains' => domains).should == {"users"=>{"defaults"=>{}}, "person"=>{"defaults"=>nil, "destroy"=>nil, "index"=>nil}, "accounts"=>{"defaults"=>nil, "destroy"=>nil, "show"=>nil}}
|
193
|
+
{:permission=>
|
194
|
+
{:resource=>"regions",
|
195
|
+
:actions=>
|
196
|
+
[{:action=>{:name=>"show", :associations=>[:europe, :asia]}},
|
197
|
+
{:action=>{:name=>"create"}}],
|
198
|
+
:deny=>false}},
|
199
|
+
#allow nothing
|
200
|
+
{:permission=>{:resource=>"users", :actions=>[], :deny=>false}}]
|
173
201
|
end
|
174
202
|
end
|
175
203
|
end
|