kibali 0.1.0 → 0.2.0

data/README.md

@@ -97,9 +97,12 @@ and the join table
 
 At the head of every controller for which you wish to control user access,
 you'll need to place an _access_control_ macro which is used to generate a 
-before_filter for the authorization checks. In the testing, I had to place the
-parameter in a seperate statement because syntax errors were encountered. That
-might be due to the limited test structure used. I'll show both forms here.
+before_filter for the authorization checks. The macro takes a hash of role
+specification parameters. These must be specified prior to the macro and
+then referenced as the macro's parameter parameter. I cannot be specified
+in-line because Rails is treating it as a before_filter and so expects a
+before_filter type of ( :only =>, :except => ) hash which would then apply
+to the before_filter itself and thus bypass any explicit checking.
 
 Unauthorized access yields an exception: Kibali::AccessDenied .
 Syntax errors in formulating the control parameters will also raise an exception: Kibali::SyntaxError .
@@ -108,7 +111,18 @@ You'll probably want to catch those exceptions and handle them gracefully, proba
 Notice that roles, limit_types, and controller actions are all expected to be symbols.
 
 You have complete freedom to define roles to be whatever you want: except for the reserved words: :all, :anonymous.
+The usage of :all, :anonymous is explained with the following logic.
 
+* if current_user.nil?, then proceed as :anonymous if :anonymous is referenced in the role_control_hash
+* if user's role is not referenced, then proceed as :all if :all is referenced in the role_control_hash
+* else proceed and evaluate the role_control_hash with user's role
+
+This means that :all will **only** be invoked if a user has a role which is **NOT** specified in the role_control_hash and
+if :all **is** specified in the hash. In that sense :unspecified would be more accurate than :all, but :all is shorter and 
+handier to work with.
+And it means that :anonymous will **only** be invoked if current_user.nil? is true and
+if :anonymous **is** specified in the hash.
+ 
 The access limitation types are: 
 
 * :allow, :to, :only -- control what access is allowed; all else will be denied
@@ -117,26 +131,17 @@ The access limitation types are:
 The action list can be empty; in which case, for :allow, all actions are permitted; and for :deny, no actions are permitted.
 If both limit_type and action_list are missing, then :allow => [] will be assumed.
 
-```
-class AnyController < ApplicationController
-
-   access_control {
-       :admin   => { :allow => [] },
-       :manager => { :deny  => [ :delete, :edit ] },
-       :member  => { :allow => [ :index, :show  ] }
-   }
-```
- 
-alternatively
-
 ```
 class AnyController < ApplicationController
 
    control_parameters = {
        :admin   => { :allow => [] },
        :manager => { :deny  => [ :delete, :edit ] },
-       :member  => { :allow => [ :index, :show  ] }
+       :member  => { :allow => [ :index, :show  ] },
+       :anonymous => { :allow => [:index ] },
+       :all       => { :deny  => [:edit, :update] }
    }
+
    access_control control_parameters
 ```
  

data/Rakefile

@@ -32,6 +32,7 @@ Jeweler::RubygemsDotOrgTasks.new
 task :test do
    ruby '-I test "test/test_kibali.rb"'
    ruby '-I test "test/test_access.rb"'
+   ruby '-I test "test/test_anon.rb"'
 end # test task
 
 task :default => :test

data/VERSION

@@ -1 +1 @@
-0.1.0
+0.2.0

data/kibali.gemspec

@@ -0,0 +1,77 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = "kibali"
+  s.version = "0.2.0"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Daudi Amani"]
+  s.date = "2012-11-24"
+  s.description = "simple Rails role authentication"
+  s.email = "dsaronin@gmail.com"
+  s.extra_rdoc_files = [
+    "LICENSE.txt",
+    "README.md"
+  ]
+  s.files = [
+    ".document",
+    "Gemfile",
+    "Gemfile.lock",
+    "LICENSE.txt",
+    "README.md",
+    "Rakefile",
+    "VERSION",
+    "kibali.gemspec",
+    "lib/kibali.rb",
+    "lib/kibali/access_control.rb",
+    "lib/kibali/base.rb",
+    "lib/kibali/control.rb",
+    "lib/kibali/railtie.rb",
+    "lib/kibali/subject_extensions.rb",
+    "markdown.rb",
+    "test/app/controllers/anon_controller.rb",
+    "test/app/controllers/application_controller.rb",
+    "test/app/controllers/empty_controller.rb",
+    "test/config.ru",
+    "test/config/routes.rb",
+    "test/ctlr_helper.rb",
+    "test/factories/units_factory.rb",
+    "test/helper.rb",
+    "test/script/rails",
+    "test/support/models.rb",
+    "test/support/schema.rb",
+    "test/test_access.rb",
+    "test/test_anon.rb",
+    "test/test_kibali.rb"
+  ]
+  s.homepage = "http://github.com/dsaronin@gmail.com/kibali"
+  s.licenses = ["MIT"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = "1.8.24"
+  s.summary = "rails role authentication"
+
+  if s.respond_to? :specification_version then
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_runtime_dependency(%q<rails>, ["~> 3.2.8"])
+      s.add_development_dependency(%q<rdoc>, ["~> 3.12"])
+      s.add_development_dependency(%q<jeweler>, ["~> 1.8.4"])
+      s.add_development_dependency(%q<sqlite3>, [">= 0"])
+    else
+      s.add_dependency(%q<rails>, ["~> 3.2.8"])
+      s.add_dependency(%q<rdoc>, ["~> 3.12"])
+      s.add_dependency(%q<jeweler>, ["~> 1.8.4"])
+      s.add_dependency(%q<sqlite3>, [">= 0"])
+    end
+  else
+    s.add_dependency(%q<rails>, ["~> 3.2.8"])
+    s.add_dependency(%q<rdoc>, ["~> 3.12"])
+    s.add_dependency(%q<jeweler>, ["~> 1.8.4"])
+    s.add_dependency(%q<sqlite3>, [">= 0"])
+  end
+end
+

data/lib/kibali/access_control.rb

@@ -22,26 +22,33 @@ module Kibali
      #                           action not matched        permitted
      #
      # ---------------------------------------------------------------------------------
+     # if current_user.nil?, proceed as :anonymous if so referenced in role_control_hash
+     # if user's role is not referenced, proceed as :all if so referenced in role_control_hash
+     # else proceed with user's role
  # ------------------------------------------------------------------------------
   def before( controller )
 
-     my_role = controller.current_user.get_role.name.to_sym
-
-         # if current_user's role not present; check if anonymous is
-     unless self.role_control_hash.member?( my_role )
-        # here if current_user's role not specificied in control list
-
-        if self.role_control_hash.member?( :anonymous )  # if anonymous is...
+     if controller.current_user.nil?   # no user defined; anonymous permitted?
+         
+        if self.role_control_hash.member?( :anonymous )  # if anonymous is referenced, continue...
            my_role = :anonymous    # ...then handle anonymously
         else   # unauthorized access of controller
            raise Kibali::AccessDenied 
         end   # if..then..else anonymous check
 
-     end   # unless current_user has a role to be checked
+     elsif !self.role_control_hash.member?( my_role = controller.current_user.get_role.name.to_sym )
+         
+        if self.role_control_hash.member?( :all )  # if all is referenced, continue...
+           my_role = :all    # ...then handle as all
+        else   # unauthorized access of controller
+           raise Kibali::AccessDenied 
+        end   # if..then..else anonymous check
+
+     end   # if..elsif check for anonymous or role not allowed
 
      expected_action = controller.action_name.to_sym  # action being attempted
 
-   permitted = true   # presume authorized
+     permitted = true   # presume authorized
 
          # now check the action_hash for action access
          # shown as a loop, but only the first entry is meaningful

data/test/app/controllers/anon_controller.rb

@@ -0,0 +1,28 @@
+class AnonController < ApplicationController
+  before_filter :set_current_user
+#  before_filter :trace_setup
+
+   control_hash = {
+       :admin     => { :allow => [] },
+       :anonymous => { :allow => [ :index ] },
+       :all       => { :deny  => [ :edit ] },
+   }
+
+   access_control control_hash
+
+
+  [:index, :show, :new, :edit, :update, :delete, :destroy].each do |act|
+    define_method(act) { render :text => 'OK' }
+  end
+
+protected
+
+  def trace_setup
+      puts ">>>>>> trace/self: #{self.class.name} <<<<<<"
+      puts ">>>>>> trace/current_user: #{self.respond_to?(:current_user).to_s} <<<<<<"
+      puts ">>>>>> trace/method_defined: #{EmptyController.method_defined?(:current_user).to_s} <<<<<<"
+      puts ">>>>>> trace/user is: #{current_user.name.to_s} <<<<<<"
+  end
+
+end
+

data/test/app/controllers/application_controller.rb

@@ -8,7 +8,9 @@ class ApplicationController < ActionController::Base
   #protected
 
   def set_current_user
-    if params[:user]
+    if params[:user].blank?
+       self.my_current_user = nil
+    else
       self.my_current_user = User.find params[:user]
     end
   end

data/test/test_access.rb

@@ -95,6 +95,15 @@ context "ctlr" do
 
 
 
+   should 'reject anonymous not referenced ' do 
+
+     assert_raise( Kibali::AccessDenied ) do
+        get :index, :user => ""
+     end  #  block
+
+   end  # should do
+
+
    should 'deny others all access ' do 
      @deshaun.has_role!( :wildblue )
 

data/test/test_anon.rb

@@ -0,0 +1,61 @@
+require 'ctlr_helper'
+
+require 'anon_controller'
+
+class AnonControllerTest < ActionController::TestCase
+
+context "ctlr" do
+
+    setup do
+      @demarcus = FactoryGirl.create( :user )
+      @deshaun =  FactoryGirl.create( :user )
+    end
+
+    teardown do
+       User.destroy_all
+       Role.destroy_all
+    end
+
+   should 'permit admin access _ implicit all 2' do 
+     @demarcus.has_role!( :admin )
+
+     get :index, :user => @demarcus.id.to_s
+     assert_response :success
+
+     get :show, :user => @demarcus.id.to_s
+     assert_response :success
+
+   end  # should do
+
+
+   should 'permit anonymous only access to index not show' do 
+
+     get :index, :user => ""
+     assert_response :success
+
+     assert_raise( Kibali::AccessDenied ) do
+        get :show, :user => ""
+     end  #  block
+
+   end  # should do
+
+
+   should 'unspecified access to everything except edit' do 
+     @deshaun.has_role!( :manager )
+
+     get :index, :user => @deshaun.id.to_s
+     assert_response :success
+     get :show, :user => @deshaun.id.to_s
+     assert_response :success
+
+     assert_raise( Kibali::AccessDenied ) do
+        get :edit, :user => @deshaun.id.to_s
+     end  #  block
+
+
+   end  # should do
+
+ 
+end # context
+
+end # class test

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: kibali
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-11-23 00:00:00.000000000 Z
+date: 2012-11-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -90,6 +90,7 @@ files:
 - README.md
 - Rakefile
 - VERSION
+- kibali.gemspec
 - lib/kibali.rb
 - lib/kibali/access_control.rb
 - lib/kibali/base.rb
@@ -97,6 +98,7 @@ files:
 - lib/kibali/railtie.rb
 - lib/kibali/subject_extensions.rb
 - markdown.rb
+- test/app/controllers/anon_controller.rb
 - test/app/controllers/application_controller.rb
 - test/app/controllers/empty_controller.rb
 - test/config.ru
@@ -108,6 +110,7 @@ files:
 - test/support/models.rb
 - test/support/schema.rb
 - test/test_access.rb
+- test/test_anon.rb
 - test/test_kibali.rb
 homepage: http://github.com/dsaronin@gmail.com/kibali
 licenses:
@@ -124,7 +127,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -244456607
+      hash: -877913475
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements: