jrun-merb_doorman 0.0.1

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2008 Michael D. Ivey <ivey@gweezlebur.com>
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README

@@ -0,0 +1,29 @@
+merb_doorman
+============
+
+*** Want to contribute?  Some of the code isn't spec'd yet. ***
+
+
+Merb plugin that provides an allow/deny DSL for controlling access
+
+
+# mostly open:
+# there is an implicit "allow :all" as the last rule
+# rules continue to match until an allow is found, or we run out
+# of rules
+
+deny :host => "209.34.*"
+deny :user => "bill"       # calls current_user.login, but this is configurable
+deny :user_agent => /MSIE/
+deny {|c| c.params["arbitrary"] == "expressions"}
+
+
+# mostly closed:
+deny :all                           # removes implicit final allow :all
+allow :host => "*.example.com"
+allow :time => "8am-5pm" # not implemented yet
+
+# store a block for repeated usage
+Merb::Access.add_block :admin, {|c| c.current_user.admin?}
+
+allow :admin

data/Rakefile

@@ -0,0 +1,67 @@
+require 'rubygems'
+require 'rake/gempackagetask'
+require 'spec/rake/spectask'
+
+require 'merb-core'
+require 'merb-core/tasks/merb'
+
+GEM_NAME = "merb_doorman"
+GEM_VERSION = "0.0.1"
+AUTHOR = "Michael D. Ivey"
+EMAIL = "ivey@gweezlebur.com"
+HOMEPAGE = "http://github.com/ivey/merb_doorman/"
+SUMMARY = "Merb plugin that provides an allow/deny DSL for controlling access"
+
+spec = Gem::Specification.new do |s|
+  s.rubyforge_project = 'merb'
+  s.name = GEM_NAME
+  s.version = GEM_VERSION
+  s.platform = Gem::Platform::RUBY
+  s.has_rdoc = true
+  s.extra_rdoc_files = ["README", "LICENSE", 'TODO']
+  s.summary = SUMMARY
+  s.description = s.summary
+  s.author = AUTHOR
+  s.email = EMAIL
+  s.homepage = HOMEPAGE
+  s.add_dependency('merb-core', '>= 1.0')
+  s.require_path = 'lib'
+  s.files = %w(LICENSE README Rakefile TODO) + Dir.glob("{lib,spec}/**/*")
+end
+
+Rake::GemPackageTask.new(spec) do |pkg|
+  pkg.gem_spec = spec
+end
+
+desc "install the plugin as a gem"
+task :install do
+  Merb::RakeHelper.install(GEM_NAME, :version => GEM_VERSION)
+end
+
+desc "Uninstall the gem"
+task :uninstall do
+  Merb::RakeHelper.uninstall(GEM_NAME, :version => GEM_VERSION)
+end
+
+namespace :gem do
+  desc "Repackage, uninstall and install gem"
+  task :refresh do
+    Rake::Task[:spec].invoke    
+    Rake::Task[:repackage].invoke
+    Rake::Task[:uninstall].invoke
+    Rake::Task[:install].invoke    
+  end
+end
+
+desc "Create a gemspec file"
+task :gemspec do
+  File.open("#{GEM_NAME}.gemspec", "w") do |file|
+    file.puts spec.to_ruby
+  end
+end
+
+desc "Run the examples"
+Spec::Rake::SpecTask.new do |t|
+  t.spec_files = ["spec/**/*_spec.rb"]
+  t.spec_opts = %w[--color --format specdoc --diff]
+end

data/TODO

@@ -0,0 +1,3 @@
+* Multiple roles
+* :only, :exclude, :if
+* Something accessible from views

data/lib/merb_doorman.rb

@@ -0,0 +1,118 @@
+require 'merb_doorman/rule'
+require 'merb_doorman/helpers'
+
+module Merb
+  module Plugins
+    module Doorman
+      SUPPORTED_METHODS = [:block, :host, :role, :time, :user, :user_agent]
+      
+      def self.supported_method?(method)
+        SUPPORTED_METHODS.include?(method)
+      end
+              
+      def self.included(base)
+        base.extend(ClassMethods)        
+        base.send(:include, InstanceMethods)
+        base.class_eval do
+          before :_doorman_check_acl
+        end
+      end
+      
+      module ClassMethods
+        def _doorman_list
+          @_doorman_list ||= []
+        end
+      
+        def _doorman_default
+          @_doorman_default ||= :allow
+        end
+
+        def  deny(*args, &block)
+          _add_acl(:deny, args, block)
+        end
+
+        def allow(*args, &block)
+          _add_acl(:allow, args, block)
+        end
+      
+        def _clear_acl_list
+          @_doorman_list = nil
+        end
+      
+        def _add_acl(type, args, block)
+          opts = args.is_a?(Array) ? args.first : args
+          if opts == :all
+            @_doorman_default = type
+            return true
+          end
+          if block
+            _doorman_list << Rule.from_block(type, opts, &block)
+          else
+            _doorman_list << Rule.from_hash(type, opts)
+          end
+        end
+
+        def _doorman_user_block
+          Merb::Plugins.config[:merb_doorman][:user_block]
+        end
+      
+        def _doorman_role_block
+          Merb::Plugins.config[:merb_doorman][:role_block]
+        end
+      end
+      
+      module InstanceMethods
+        private
+        def _doorman_check_acl
+          allowed = false
+          self.class._doorman_list.each do |rule|
+            next unless rule.evaluate?(self.action_name)
+            if _check_rule(rule)
+              allowed = true
+            else
+              raise ::Merb::ControllerExceptions::Unauthorized
+            end
+          end
+          if self.class._doorman_default == :deny && !allowed
+            raise ::Merb::ControllerExceptions::Unauthorized
+          end
+        end
+
+        def _check_rule(rule)
+          match = case rule.method
+          when :block
+            rule.value.call(self)            
+          when :host
+            request.host =~ Regexp.new(rule.value)
+          when :role
+            self.class._doorman_role_block.call(self, rule.value)
+          when :time
+            false #not implemented
+          when :user
+            self.class._doorman_user_block.call(self, rule.value)
+          when :user_agent 
+            request.user_agent =~ Regexp.new(rule.value)
+          else
+            false
+          end
+          rule.deny? ? !match : match
+        end
+      end
+      
+    end
+  end
+end
+
+if defined?(Merb::Plugins)
+  Merb::Plugins.config[:merb_doorman][:user_block] = proc do |c, login|
+    c.respond_to?(:current_user) &&
+    c.current_user.login == login.to_s
+  end
+  Merb::Plugins.config[:merb_doorman][:role_block] = proc do |c, role|
+    c.respond_to?(:current_user) &&
+    c.current_user.respond_to?(:has_role?) &&
+    c.current_user.has_role?(role)
+  end
+  Merb::Controller.send(:include, Merb::Plugins::Doorman)
+  Merb::GlobalHelpers.send(:include, Merb::Plugins::Doorman::Helpers)
+end

data/lib/merb_doorman/helpers.rb

@@ -0,0 +1,22 @@
+module Merb
+  module Plugins
+    module Doorman
+      
+      module Helpers
+        def allow(*args, &blk)
+          _capture_within_rule_context(:allow, args, &blk)
+        end
+        
+        def deny(*args, &blk)
+          _capture_within_rule_context(:deny, args, &blk)
+        end        
+        
+        def _capture_within_rule_context(type, args, &blk)
+          _check_rule(Doorman::Rule.from_hash(type, args.first)) ? capture(&blk) : ""
+        end
+        private :_capture_within_rule_context
+      end
+      
+    end
+  end
+end

data/lib/merb_doorman/merbtasks.rb

@@ -0,0 +1,6 @@
+namespace :merb_doorman do
+  desc "Do something for merb_doorman"
+  task :default do
+    puts "merb_doorman doesn't do anything"
+  end
+end

data/lib/merb_doorman/rule.rb

@@ -0,0 +1,61 @@
+module Merb
+  module Plugins
+    module Doorman
+      class InvalidRule < StandardError
+        def initialize(*args)
+          super "merb_doorman: invalid rule #{args.inspect}"
+        end
+      end
+      
+      class Rule
+        def self.from_hash(type, opts)
+          rule = new(type)
+          
+          h = opts.except(:only, :exclude)
+          raise InvalidRule.new(type, opts) if h.size > 1
+          
+          rule.method = h.keys.first.to_sym
+          unless Doorman.supported_method?(rule.method)
+            raise InvalidRule.new(type, opts)
+          end
+          rule.value = h.values.first
+          rule.limits = extract_limits(opts)
+          rule
+        end
+        
+        def self.from_block(type, opts = nil, &block)
+          raise InvalidRule.new(type, opts, block) unless block.arity == 1
+          opts ||= {}
+          
+          rule = new(type)
+          rule.method = :block
+          rule.value = block
+          rule.limits = extract_limits(opts)
+          rule
+        end
+        
+        def self.extract_limits(h)
+          h.only(:only, :exclude).inject({}) do |limits, kv| 
+            limits.merge!(kv.first => Array(kv.last))
+          end
+        end
+
+        attr_accessor :type, :method, :value, :limits
+        
+        def initialize(type)
+          @type, @limits = type, {}
+        end
+        
+        def deny?
+          type == :deny
+        end
+        
+        def evaluate?(action_name)
+          (!limits.key?(:only) || limits[:only].include?(action_name)) &&
+          (!limits.key?(:exclude) || !limits[:exclude].include?(action_name))
+        end
+      end
+      
+    end
+  end
+end

data/spec/allow_all_spec.rb

@@ -0,0 +1,16 @@
+require File.dirname(__FILE__) + '/spec_helper'
+
+class AllowAllByDefault < Merb::Plugins::Doorman::TestController; end
+
+class ExplicitAllowAll < Merb::Plugins::Doorman::TestController
+  allow :all  
+end
+
+[AllowAllByDefault, ExplicitAllowAll].each do |controller|
+  describe controller, 'request' do
+    it "should be authorized when explicitly denying all" do
+      response = request(url(:controller => controller.controller_name))
+      response.should be_authorized
+    end
+  end
+end

data/spec/class_methods_spec.rb

@@ -0,0 +1,46 @@
+require File.dirname(__FILE__) + '/spec_helper'
+
+describe Merb::Plugins::Doorman::ClassMethods do
+  include Merb::Plugins::Doorman::ClassMethods
+
+  before(:each) do
+    _clear_acl_list
+  end
+
+  it "should store the ACL" do
+    _doorman_list.should be_an_instance_of(Array)
+  end
+
+  it "should have a deny method" do
+    lambda { deny :all }.should_not raise_error
+  end
+
+  it "should store a deny entry on the ACL" do
+    s = _doorman_list.size
+    deny :host => "192.168.*"
+    _doorman_list.should have(s + 1).elements
+  end
+
+  it "should have an allow method" do
+    lambda { allow :all }.should_not raise_error
+  end
+
+  it "should store an allow entry on the ACL" do
+    s = _doorman_list.size
+    allow :user_agent => /MSIE/
+    _doorman_list.should have(s + 1).elements
+  end
+
+  it "should allow valid ACL entries" do
+    lambda { deny :host => "192.168.*" }.should_not raise_error
+    lambda { deny :user => "bill" }.should_not raise_error
+    lambda { deny :user_agent => /MSIE/ }.should_not raise_error
+    lambda { deny :time => "8am-5pm" }.should_not raise_error
+    lambda { deny {|c| c.foo } }.should_not raise_error
+  end
+
+  it "should reject invalid ACL entries" do
+    lambda { deny :foo => "3" }.should raise_error
+    lambda { deny { foo } }.should raise_error
+  end
+end

data/spec/deny_all_spec.rb

@@ -0,0 +1,12 @@
+require File.dirname(__FILE__) + '/spec_helper'
+
+class DenyAll < Merb::Plugins::Doorman::TestController
+  deny :all  
+end
+
+describe DenyAll, 'request' do
+  it "should be unauthorized when explicitly denying all" do
+    response = request(url(:controller => DenyAll))
+    response.should be_unauthorized
+  end
+end

data/spec/fixtures/controllers/exceptions.rb

@@ -0,0 +1,5 @@
+class Exceptions < Merb::Controller
+  def unauthorized
+    render 'Unauthorized'
+  end
+end

data/spec/fixtures/controllers/test_controller.rb

@@ -0,0 +1,17 @@
+module Merb
+  module Plugins
+    module Doorman
+      
+      class TestController < Merb::Controller
+        self._template_root = File.dirname(__FILE__) / ".." / "views"
+        
+        class_inheritable_accessor :current_user
+        self.current_user ||= User.new
+        
+        def show; render('Allowed Access') end
+        def index; render('Allowed Access') end
+      end
+      
+    end
+  end
+end

data/spec/fixtures/controllers/test_helpers.rb

@@ -0,0 +1,5 @@
+class TestHelpers < Merb::Plugins::Doorman::TestController
+  def example_setup_is_ok; render end
+  def allow_via_role; render end
+  def deny_via_role; render end  
+end

data/spec/fixtures/model/user.rb

@@ -0,0 +1,14 @@
+module Merb
+  module Plugins
+    module Doorman
+      
+      class User
+        attr_accessor :login, :roles
+        def initialize; reset end
+        def reset; @login, @roles = '', [] end
+        def has_role?(role); @roles.include?(role) end
+      end
+      
+    end
+  end
+end

data/spec/fixtures/views/test_helpers/allow_via_role.html.erb

@@ -0,0 +1,3 @@
+<%= allow(:role => :admin) do %>
+  <h1>Allowed</h1>
+<% end =%>

data/spec/fixtures/views/test_helpers/deny_via_role.html.erb

@@ -0,0 +1,3 @@
+<%= deny(:role => :troll) do %>
+  <h1>Allowed</h1>
+<% end =%>

data/spec/fixtures/views/test_helpers/example_setup_is_ok.html.erb

@@ -0,0 +1 @@
+<h1>Good to go</h1>

data/spec/host_spec.rb

@@ -0,0 +1,49 @@
+require File.dirname(__FILE__) + '/spec_helper'
+
+class AccessControllByHost < Merb::Plugins::Doorman::TestController
+  allow :all
+  allow :host => "allowed.example.org"
+  deny :host => "denied.example.org"
+end
+describe AccessControllByHost, 'request' do
+  it "should be unauthorized when the host is not explicitly allowed" do
+    response = request(url(:controller => AccessControllByHost))
+    response.should be_unauthorized
+  end
+  
+  it "should be authorized when the host is allowed" do
+    response = request(url(:controller => AccessControllByHost), 'SERVER_NAME' => 'allowed.example.org')
+    response.should be_authorized
+  end
+  
+  it "should be unauthorized when the host is denied" do
+    response = request(url(:controller => AccessControllByHost), 'SERVER_NAME' => 'denied.example.org')
+    response.should be_unauthorized
+  end
+end
+
+class AccessControllDenyAllExceptHost < Merb::Plugins::Doorman::TestController
+  deny :all
+  allow :host => "allowed.example.org"
+end
+describe AccessControllDenyAllExceptHost, 'request' do
+  it "should be authorized when the host is allowed" do
+    response = request(url(:controller => AccessControllDenyAllExceptHost))
+    response.should be_unauthorized
+    response = request(url(:controller => AccessControllDenyAllExceptHost), 'SERVER_NAME' => 'allowed.example.org')
+    response.should be_authorized
+  end
+end
+
+class AccessControllAllowAllExceptHost < Merb::Plugins::Doorman::TestController
+  allow :all
+  deny :host => "denied.example.org"
+end
+describe AccessControllDenyAllExceptHost, 'request' do
+  it "should be authorized when the host is allowed" do
+    response = request(url(:controller => AccessControllAllowAllExceptHost))
+    response.should be_authorized
+    response = request(url(:controller => AccessControllAllowAllExceptHost), 'SERVER_NAME' => 'denied.example.org')
+    response.should be_unauthorized
+  end
+end

data/spec/matchers/authorized_matcher.rb

@@ -0,0 +1,19 @@
+class BeAuthorized
+  def matches?(response)
+    @response = response
+    response.status == 200 && response.body == 'Allowed Access'
+  end
+
+  # ==== Returns
+  # String:: The failure message.
+  def failure_message
+    "expected the response from #{@response.url} #{$/} to have the status 200 Ok and body 'Allowed Access'" <<
+    "#{$/} but the status is #{@response.status} and the body is '#{@response.body}'"
+  end
+
+  # ==== Returns
+  # String:: The failure message to be displayed in negative matches.
+  def negative_failure_message
+    "expected the response from #{@response.url} #{$/} not to have the status 200 Ok and body 'Allowed Access'"
+  end
+end

data/spec/matchers/unauthorized_matcher.rb

@@ -0,0 +1,19 @@
+class BeUnauthorized
+  def matches?(response)
+    @response = response
+    response.status == 401 && response.body == 'Unauthorized'
+  end
+
+  # ==== Returns
+  # String:: The failure message.
+  def failure_message
+    "expected the response from #{@response.url} #{$/} to have the status 401 Unauthorized and body 'Unauthorized'" <<
+    "#{$/} but the status is #{@response.status} and the body is '#{@response.body}'"
+  end
+
+  # ==== Returns
+  # String:: The failure message to be displayed in negative matches.
+  def negative_failure_message
+    "expected the response from #{@response.url} #{$/} not to have the status 200 Ok and body 'Allowed Access'"
+  end
+end

data/spec/merb_doorman/helpers_spec.rb

@@ -0,0 +1,43 @@
+require File.dirname(__FILE__) + '/../spec_helper'
+
+describe Merb::Plugins::Doorman::Helpers do
+  it "examples should be setup successfully" do
+    response = request(url(:controller => TestHelpers, :action => :example_setup_is_ok))
+    response.body.should == "<h1>Good to go</h1>"
+  end
+  
+  describe "#allow" do
+    before(:each) do
+      TestHelpers.current_user.reset
+    end
+    
+    it "should render the result of the block when allowed" do
+      TestHelpers.current_user.roles << :admin          
+      response = request(url(:controller => TestHelpers, :action => :allow_via_role))
+      response.body.should == "\n  <h1>Allowed</h1>\n"
+    end
+    
+    it "should not return the result of the block when not allowed" do
+      response = request(url(:controller => TestHelpers, :action => :allow_via_role))
+      response.body.should == ""
+    end
+  end
+  
+  describe "#deny" do
+    before(:each) do
+      TestHelpers.current_user.reset
+    end
+    
+    it "should not return the result of the block when denied" do
+      TestHelpers.current_user.roles << :troll      
+      response = request(url(:controller => TestHelpers, :action => :deny_via_role))
+      response.body.should == ""
+    end
+    
+    it "should render the result of the block when not denied" do
+      TestHelpers.current_user.roles << :anything_but_troll
+      response = request(url(:controller => TestHelpers, :action => :deny_via_role))
+      response.body.should == "\n  <h1>Allowed</h1>\n"
+    end
+  end
+end

data/spec/merb_doorman/rule_spec.rb

@@ -0,0 +1,89 @@
+require File.dirname(__FILE__) / '../spec_helper'
+
+Rule = Merb::Plugins::Doorman::Rule
+
+describe Merb::Plugins::Doorman::Rule do
+  describe '.from_hash' do
+    it "should set the method using the opts first key" do
+      rule = Rule.from_hash(:allow, :role => :whatever)
+      rule.method.should == :role
+    end
+    
+    it "should set the value using the opts first value" do
+      rule = Rule.from_hash(:allow, :role => :whatever)
+      rule.value.should == :whatever
+    end
+    
+    it "should move :only from options to limits" do
+      rule = Rule.from_hash(:allow, :role => :whatever, :only => :index)
+      rule.limits[:only].should_not be_nil
+      rule.limits[:role].should be_nil
+    end
+    
+    it "should move :exclude from options to limits" do
+      rule = Rule.from_hash(:allow, :role => :whatever, :exclude => :index)
+      rule.limits[:exclude].should_not be_nil
+      rule.limits[:role].should be_nil
+    end
+    
+    it "should convert a single :only value to an Array" do
+      rule = Rule.from_hash(:allow, :role => :admin, :only => :index)
+      rule.limits[:only].should == [:index]
+    end
+    
+    it "should convert a single :exclude value to an Array" do
+      rule = Rule.from_hash(:allow, :role => :admin, :exclude => :index)
+      rule.limits[:exclude].should == [:index]
+    end
+    
+    it "should raise an InvalidRule error when the options hash as too many values" do
+      lambda do
+        Rule.from_hash(:allow, :role => :admin, :user => :bob)
+      end.should raise_error(Merb::Plugins::Doorman::InvalidRule)
+    end
+    
+    it "should raise an InvalidRule error when the method isn't supported" do
+      lambda do
+        Rule.from_hash(:allow, :not_suppoted => :whatever)
+      end.should raise_error(Merb::Plugins::Doorman::InvalidRule)
+    end
+  end
+  
+  describe '.from_block' do
+    def block
+      proc {|ignored| true }
+    end
+    
+    it "should set the method to :block" do
+      rule = Rule.from_block(:allow, &block)
+      rule.method.should == :block
+    end
+    
+    it "should set the value to the block" do
+      rule = Rule.from_block(:allow, &block)
+      rule.value.should be_instance_of(Proc)      
+      rule.value.call(:ignored).should be_true
+    end
+    
+    it "should move :only from options to limits" do
+      rule = Rule.from_block(:allow, :only => :index, &block)
+      rule.limits[:only].should == [:index]
+    end
+    
+    it "should move :exclude from options to limits" do
+      rule = Rule.from_block(:allow, :exclude => [:index, :show], &block)
+      rule.limits[:exclude].should == [:index, :show]
+    end
+    
+    it "should convert a single :only value to an Array" do
+      rule = Rule.from_block(:allow, :exclude => :index, &block)
+      rule.limits[:exclude].should == [:index]
+    end
+    
+    it "should raise an InvalidRule error when the blocks arity is not one" do
+      lambda do
+        Rule.from_block(:allow) {}
+      end.should raise_error(Merb::Plugins::Doorman::InvalidRule)
+    end
+  end
+end

data/spec/role_spec.rb

@@ -0,0 +1,81 @@
+require File.dirname(__FILE__) + '/spec_helper'
+
+class AllowedRole < Merb::Plugins::Doorman::TestController
+  allow :role => :admin
+end
+describe AllowedRole, 'request' do
+  before(:each) do
+    AllowedRole.current_user.reset
+  end
+  
+  it "should be authorized when the current user belongs to the allowed role" do
+    AllowedRole.current_user.roles << :admin
+    response = request(url(:controller => AllowedRole))
+    response.should be_authorized
+  end
+  
+  it "should be unauthorized when the current user does not belong to the allowed role" do
+    response = request(url(:controller => AllowedRole))
+    response.should be_unauthorized
+    
+    AllowedRole.current_user.roles << :not_admin
+    response = request(url(:controller => AllowedRole))
+    response.should be_unauthorized
+  end
+end
+
+class DeniedRole < Merb::Plugins::Doorman::TestController
+  deny :role => :troll
+end
+describe DeniedRole, 'request' do
+  before(:each) do
+    DeniedRole.current_user.reset
+  end
+  
+  it "should be authorized when the current user does not belong to the denied role" do
+    response = request(url(:controller => DeniedRole))
+    response.should be_authorized
+  end
+  
+  it "should be unauthorized when the current user belongs to the denied role" do
+    DeniedRole.current_user.roles << :troll
+    response = request(url(:controller => DeniedRole))
+    response.should be_unauthorized
+  end
+end
+
+class AllowedAndDeniedRoles < Merb::Plugins::Doorman::TestController
+  allow :role => :admin
+  deny :role => :troll
+end
+describe AllowedAndDeniedRoles, 'request' do
+  before(:each) do
+    AllowedAndDeniedRoles.current_user.reset
+  end
+  
+  it "should be authorized when the current user belongs to the allowed role" do
+    AllowedAndDeniedRoles.current_user.roles << :admin    
+    response = request(url(:controller => AllowedAndDeniedRoles))
+    response.should be_authorized
+  end
+  
+  it "should be unauthorized when the current user belongs to the denied role" do
+    AllowedAndDeniedRoles.current_user.roles << :troll
+    response = request(url(:controller => AllowedAndDeniedRoles))
+    response.should be_unauthorized
+  end
+end
+
+class AllowedOnly < Merb::Plugins::Doorman::TestController
+  allow :role => :admin, :only => :show
+end
+describe AllowedAndDeniedRoles, 'request' do
+  before(:each) do
+    AllowedOnly.current_user.reset
+  end
+  
+  it "should be authorized when the rule does not apply to the action" do
+    response = request(url(:controller => AllowedOnly, :action => :index))
+    response.should be_authorized
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,42 @@
+$TESTING=true
+$:.push File.join(File.dirname(__FILE__), '..', 'lib')
+require 'rubygems'
+require 'merb-core'
+require 'merb_doorman'
+
+this_dir = File.dirname(__FILE__)
+
+Merb.push_path(:matchers, this_dir  / "matchers")
+Merb.push_path(:fixture_model, this_dir / "fixtures/model")
+Merb.push_path(:fixture_controller, this_dir / "fixtures/controllers")
+
+Merb.start :environment => 'test', :adapter => 'runner'
+
+def be_authorized
+  BeAuthorized.new
+end
+
+def be_unauthorized
+  BeUnauthorized.new
+end
+
+Spec::Runner.configure do |config|
+  config.include Merb::Test::RequestHelper
+  config.before(:all) do
+    Merb::Router.prepare { default_routes }
+  end
+end
+
+# # deny :user => "bill"       # calls current_user.login, but this is configurable
+# # deny {|c| c.params["arbitrary"] == "expressions"}
+# #
+# #
+# # # mostly closed:
+# # deny :all                           # removes implicit final allow :all
+# # allow :host => "*.example.com"
+# # allow :time => "8am-5pm"
+# #
+# # # store a block for repeated usage
+# # Merb::Access.add_block :admin, {|c| c.current_user.admin?}
+# #
+# # allow :admin

data/spec/user_agent_spec.rb

@@ -0,0 +1,19 @@
+require File.dirname(__FILE__) + '/spec_helper'
+
+class AccessControllByUserAgent < Merb::Plugins::Doorman::TestController
+  deny :user_agent => /MSIE/
+  allow :user_agent => /iPhone/
+end
+
+describe AccessControllByUserAgent, 'request' do
+  it "should be authorized when the user agent is allowed" do
+    response = request(url(:controller => AccessControllByUserAgent.controller_name), 'HTTP_USER_AGENT' => 'Mozilla/5.0 (iPhone; U; CPU iPhone OS 2_1 like Mac OS X; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5F136 Safari/525.20')
+    response.should be_authorized
+  end
+  
+  it "should be unauthorized when the user agent is denied" do
+    response = request(url(:controller => AccessControllByUserAgent.controller_name), 'HTTP_USER_AGENT' => 'Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90; MSIECrawler)')
+    response.should be_unauthorized
+  end
+end
+

data/spec/user_spec.rb

@@ -0,0 +1,73 @@
+require File.dirname(__FILE__) + '/spec_helper'
+
+class AllowedUser < Merb::Plugins::Doorman::TestController
+  allow :user => :nancy
+end
+describe AllowedUser, 'request' do
+  before(:each) do
+    AllowedUser.current_user.reset
+  end
+  
+  it "should be authorized when the current user has an allowed login" do
+    AllowedUser.current_user.login = 'nancy'
+    response = request(url(:controller => AllowedUser))
+    response.should be_authorized
+  end
+  
+  it "should be unauthorized when the current user does not have an allowed login" do
+    response = request(url(:controller => AllowedUser))
+    response.should be_unauthorized
+    
+    AllowedUser.current_user.login = 'jackie boy'
+    response = request(url(:controller => AllowedUser))
+    response.should be_unauthorized
+  end
+end
+
+class DeniedUser < Merb::Plugins::Doorman::TestController
+  deny :user => 'roark'
+  deny :user => 'kevin'  
+end
+describe DeniedUser, 'request' do
+  before(:each) do
+    DeniedUser.current_user.reset
+  end
+  
+  it "should be authorized when the current user does not have a denied login" do
+    DeniedUser.current_user.login = 'nancy'    
+    response = request(url(:controller => DeniedUser))
+    response.should be_authorized
+  end
+  
+  it "should be unauthorized when the current user has a denied login" do
+    DeniedUser.current_user.login = 'roark'
+    response = request(url(:controller => DeniedUser))
+    response.should be_unauthorized
+    
+    DeniedUser.current_user.login = 'kevin'
+    response = request(url(:controller => DeniedUser))
+    response.should be_unauthorized
+  end
+end
+
+class AllowedAndDeniedUsers < Merb::Plugins::Doorman::TestController
+  allow :role => :admin
+  deny :role => :troll
+end
+describe AllowedAndDeniedUsers, 'request' do
+  before(:each) do
+    AllowedAndDeniedUsers.current_user.reset
+  end
+  
+  it "should be authorized when the current user belongs to the allowed role" do
+    AllowedAndDeniedUsers.current_user.roles << :admin    
+    response = request(url(:controller => AllowedAndDeniedUsers))
+    response.should be_authorized
+  end
+  
+  it "should be unauthorized when the current user belongs to the denied role" do
+    AllowedAndDeniedUsers.current_user.roles << :troll
+    response = request(url(:controller => AllowedAndDeniedUsers))
+    response.should be_unauthorized
+  end
+end

metadata

@@ -0,0 +1,97 @@
+--- !ruby/object:Gem::Specification 
+name: jrun-merb_doorman
+version: !ruby/object:Gem::Version 
+  version: 0.0.1
+platform: ruby
+authors: 
+- Michael D. Ivey
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2008-11-16 00:00:00 -08:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: merb-core
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "1.0"
+    version: 
+description: Merb plugin that provides an allow/deny DSL for controlling access
+email: ivey@gweezlebur.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- README
+- LICENSE
+- TODO
+files: 
+- LICENSE
+- README
+- Rakefile
+- TODO
+- lib/merb_doorman
+- lib/merb_doorman/helpers.rb
+- lib/merb_doorman/merbtasks.rb
+- lib/merb_doorman/rule.rb
+- lib/merb_doorman.rb
+- spec/allow_all_spec.rb
+- spec/class_methods_spec.rb
+- spec/deny_all_spec.rb
+- spec/fixtures
+- spec/fixtures/controllers
+- spec/fixtures/controllers/exceptions.rb
+- spec/fixtures/controllers/test_controller.rb
+- spec/fixtures/controllers/test_helpers.rb
+- spec/fixtures/model
+- spec/fixtures/model/user.rb
+- spec/fixtures/views
+- spec/fixtures/views/test_helpers
+- spec/fixtures/views/test_helpers/allow_via_role.html.erb
+- spec/fixtures/views/test_helpers/deny_via_role.html.erb
+- spec/fixtures/views/test_helpers/example_setup_is_ok.html.erb
+- spec/host_spec.rb
+- spec/matchers
+- spec/matchers/authorized_matcher.rb
+- spec/matchers/unauthorized_matcher.rb
+- spec/merb_doorman
+- spec/merb_doorman/helpers_spec.rb
+- spec/merb_doorman/rule_spec.rb
+- spec/role_spec.rb
+- spec/spec_helper.rb
+- spec/user_agent_spec.rb
+- spec/user_spec.rb
+has_rdoc: true
+homepage: http://github.com/ivey/merb_doorman/
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: merb
+rubygems_version: 1.2.0
+signing_key: 
+specification_version: 2
+summary: Merb plugin that provides an allow/deny DSL for controlling access
+test_files: []
+