langalex-totally-restful-authorization 0.0.1

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2009 Alexander Lang
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README

@@ -0,0 +1,56 @@
+totally restful authorization
+==============================
+
+This plugin adds an authorization layer to your rails app that is <del>completely</del> totally transparent to your restful controllers. all you have to is include a module in your controller and provide 4 methods in your model that control who is allowed to access it or not. the controllers will then automatically block or allow the usual crud actions (new, create, edit, update, show, destroy) to run or not.
+
+How it works
+============
+
+Include the PermisionCheck Module in your restful controller...
+
+class ApplicationController < ActionController::Base
+  include PermissionCheck
+end
+
+... and then declare the permissions in your model:
+
+class User
+	updatable_by :admin # updatable if updater.admin? return true
+	updatable_by :self, :except => [:admin] # special role self, allow all attributes except some to be updated
+	updatable_by :newbie, :only => [:description] # only allow some attribute to be updated
+	
+	viewable_by :anyone # special role, includes nil
+	viewable_by :developer, :condition => lambda{|user, viewer| user.non_developer? && viewer.account_activated?} # use conditions for more complex permissions
+	
+	destroyable_by [:admin, :root] # declare multiple roles at once
+end
+
+Or implement one or more of these four methods directly:
+
+class User
+  def updatable_by?(user, field = nil)
+    true
+  end
+  
+  def creatable_by?(user, field = nil)
+    true
+  end
+  
+  def destroyable_by?(user)
+    true
+  end
+  
+  def	viewable_by?(user)
+    true
+  end
+end
+
+The fields parameter is either nil to determine if an object can be updated at all or a symbol of a field name. The user parameter is taken from the current_user in your controller (so you have to provide a current_user method, or install restful_authentication or something like that).
+
+From now on your controller will run a before filter before the new/create/edit/update/destroy/show actions to make sure that the current_user is allowed to update/create/destroy/view the model. If you don't declare any permissions no actions can be performed on your model.
+
+=================================================================
+
+For questions, patches etc. contact alex[at]upstream-berlin.com
+
+Copyright (c) 2008 Alexander Lang, released under the MIT license

data/Rakefile

@@ -0,0 +1,26 @@
+require 'rubygems'
+require 'rake'
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gem|
+    gem.name = "totally-restful-authorization"
+    gem.summary = %Q{This plugin adds an authorization layer to your rails app that is totally transparent to your restful controllers and a DSL for declaring permissions on your models.}
+    gem.email = "alex@upstream-berlin.com"
+    gem.homepage = "http://github.com/langalex/totally_restful_authorization"
+    gem.authors = ["Alexander Lang"]
+    # gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
+  end
+
+rescue LoadError
+  puts "Jeweler (or a dependency) not available. Install it with: sudo gem install jeweler"
+end
+
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/*_test.rb'
+  test.verbose = true
+end
+
+task :default => :test

data/VERSION

@@ -0,0 +1 @@
+0.0.1

data/lib/totally_restful_authorization.rb

@@ -0,0 +1,16 @@
+$LOAD_PATH << File.dirname(__FILE__) + '/lib'
+
+require 'totally_restful_authorization/permission_check'
+require 'totally_restful_authorization/permission_dsl'
+
+if defined?(ActiveRecord::Base)
+  ActiveRecord::Base.send :include, PermissionDsl
+end
+
+if defined?(ActionController::Base)
+  ActionController::Base.class_eval do
+    def self.check_authorization
+      include TotallyRestfulAuthorization::PermissionCheck
+    end
+  end
+end

data/lib/totally_restful_authorization/permission_check.rb

@@ -0,0 +1,82 @@
+module TotallyRestfulAuthorization
+  module PermissionCheck
+    def self.included(base)
+      base.before_filter :check_instance_permissions, :only => [:update, :destroy, :edit, :show]
+      base.before_filter :check_create_permissions, :only => [:create, :new]
+    end
+  
+    private
+  
+    def check_instance_permissions
+      begin
+        deny_access_unless permission_granted?(object)
+      rescue => e
+        p e.message
+        raise e
+      end
+    end
+  
+    def check_create_permissions
+      begin
+      deny_access_unless permission_granted?(build_object)
+      rescue => e
+        p e.message
+        raise e
+      end
+    end
+  
+    def object
+      object_class.find params[:id]
+    end
+  
+    def build_object
+      object_class.new
+    end
+  
+    def object_class
+      Class.const_get self.class.name[0..-12]
+    end
+  
+    def permission_granted?(_object)
+      if _object.respond_to? actionable_method.to_sym
+        _object.send(actionable_method, current_user)
+      else
+        true
+      end
+    end
+  
+    def actionable_method
+      "#{map_to_permission(actionable_name)}_by?"
+    end
+  
+    def deny_access_unless(boolean)
+      if boolean
+        true
+      else
+        permission_denied
+        false
+      end
+    end
+  
+    def permission_denied
+      render :text => 'Permission Denied', :status => 403
+    end
+  
+    def actionable_name
+      if params[:action][-1,1]  == 'e'
+        "#{params[:action][0..-2]}able"
+      else
+        "#{params[:action]}able"
+      end
+    end
+  
+    def map_to_permission(actionable)
+      {
+        'editable' => 'updatable',
+        'showable' => 'viewable',
+        'newable' => 'creatable'
+      }[actionable] || actionable
+    end
+  
+  end
+end

data/lib/totally_restful_authorization/permission_dsl.rb

@@ -0,0 +1,130 @@
+module TotallyRestfulAuthorization
+  module PermissionDsl
+    def self.included(base)
+      base.class_eval do
+      
+        base.send :extend, ClassMethods
+      
+        private
+      
+        def self.view_permissions
+          @@view_permissions ||= {self.name => {}}
+          @@view_permissions[self.name] ||= {}
+        end
+      
+        def self.create_permissions
+          @@create_permissions ||= {self.name => {}}
+          @@create_permissions[self.name] ||= {}
+        end
+      
+        def self.update_permissions
+          @@update_permissions ||= {self.name => {}}
+          @@update_permissions[self.name] ||= {}
+          @@update_permissions[self.name]
+        end
+      
+        def self.destroy_permissions
+          @@destroy_permissions ||= {self.name => {}}
+          @@destroy_permissions[self.name] ||= {}
+        end
+      
+      end
+    end
+  
+    module ClassMethods
+      def updatable_by(role, options = {})
+        add_options update_permissions, role, options
+      end
+    
+      def viewable_by(role, options = {})
+        add_options view_permissions, role, options
+      end
+    
+      def creatable_by(role, options = {})
+        add_options create_permissions, role, options
+      end
+    
+      def destroyable_by(role, options = {})
+        add_options destroy_permissions, role, options
+      end
+    
+      private
+    
+      def add_options(permissions, role, options)
+        if role.respond_to?(:each)
+          role.each do |_role|
+            add_options permissions, _role, options
+          end
+        else
+          permissions[role] ||= []
+          permissions[role] << options
+        end
+      end
+    end
+  
+    def updatable_by?(user, field = nil)
+      check_permissions self.class.update_permissions, user, field
+    end
+  
+    def viewable_by?(user, field = nil)
+      check_permissions self.class.view_permissions, user, field
+    end
+  
+    def creatable_by?(user, field = nil)
+      check_permissions self.class.create_permissions, user, field
+    end
+  
+    def destroyable_by?(user, field = nil)
+      check_permissions self.class.destroy_permissions, user, field
+    end
+  
+    private
+  
+    def check_permissions(permissions, user, field)
+      permissions.keys.inject(false) do |result, role|
+        result || check_permission(permissions[role], role, user, field)
+      end
+    end
+  
+    def check_permission(permission, role, user, field)
+      permission.inject(false) do |result, role_options|
+        result || (user_has_role(user, role) && field_in_only_list(field, role_options) &&
+          !field_in_except_list(field, role_options) && condition_met(user, role_options))
+      end
+    end
+  
+    def user_has_role(user, role)
+      if role == :self
+        user == self
+      elsif role == :anyone
+        true
+      else
+        user && user.send("#{role}?")
+      end
+    end
+  
+    def field_in_only_list(field, options)
+      if options[:only]
+        options[:only].include?(field)
+      else
+        true
+      end
+    end
+  
+    def field_in_except_list(field, options)
+      if options[:except]
+        options[:except].include?(field)
+      else
+        false
+      end
+    end
+  
+    def condition_met(user, options)
+      if options[:condition]
+        options[:condition].call(self, user)
+      else
+        true
+      end
+    end
+  end
+end

data/rails/init.rb

@@ -0,0 +1 @@
+require File.dirname(__FILE__) + '../lib/totally_restful_authorization'

data/test/test_helper.rb

@@ -0,0 +1,12 @@
+require 'rubygems'
+gem 'mocha'
+gem 'actionpack'
+require 'actionpack'
+require 'action_controller'
+require 'action_controller/test_process'
+require 'test/unit'
+require 'mocha'
+
+require File.dirname(__FILE__) + '/../lib/totally_restful_authorization'
+
+

data/test/unit/permission_check_test.rb

@@ -0,0 +1,168 @@
+require File.dirname(__FILE__) + '/../test_helper'
+
+ActionController::Routing::Routes.draw do |map|
+  map.connect ':controller/:action/:id'
+end
+
+class Model; end
+
+class ModelsController < ActionController::Base
+  attr_accessor :current_user
+  check_authorization
+  
+  def update
+    @model = Model.find params[:id]
+    @model.attributes= {}
+  end
+  
+  def show
+    @model = Model.find params[:id]
+    render :text => 'show'
+  end
+  
+  def edit
+    render :text => 'edit'
+  end
+  
+  def new
+    render :text => 'new'
+  end
+  
+  def create
+    Model.create
+  end
+  
+  def destroy
+    @model = Model.find params[:id]
+    @model.destroy
+  end
+end
+
+class PermissionCheckTest < ActionController::TestCase
+  
+  def setup
+    @user = stub 'user'
+    @controller = ModelsController.new
+    @controller.current_user = @user
+    @request    = ActionController::TestRequest.new
+    @response   = ActionController::TestResponse.new
+    @model = stub 'test'
+    Model.stubs(:find).with('1').returns(@model)
+    Model.stubs(:new).returns(@model)
+  end
+  
+  def test_doesnt_update_if_model_not_updatable
+    @model.stubs(:respond_to?).with(:updatable_by?).returns(true)
+    @model.stubs(:updatable_by?).with(@user).returns(false)
+    @model.expects(:attributes=).never
+    post :update, :id => 1
+  end
+  
+  def test_updates_if_model_updatable
+    @model.stubs(:respond_to?).with(:updatable_by?).returns(true)
+    @model.stubs(:updatable_by?).with(@user).returns(true)
+    @model.expects(:attributes=)
+    post :update, :id => 1
+  end
+  
+  def test_updates_if_model_doesnt_respond_to_updatable
+    @model.expects(:attributes=)
+    post :update, :id => 1
+  end
+  
+  def test_doesnt_show_if_not_viewable
+    @model.stubs(:respond_to?).with(:viewable_by?).returns(true)
+    @model.stubs(:viewable_by?).with(@user).returns(false)
+    get :show, :id => 1
+    assert_response 403
+    assert_nil assigns(:model)
+  end
+  
+  def test_shows_if_viewable
+    @model.stubs(:respond_to?).with(:viewable_by?).returns(true)
+    @model.stubs(:viewable_by?).with(@user).returns(true)
+    get :show, :id => 1
+    assert_response :success
+  end
+
+  def test_shows_if_models_doesnt_respond_to_viewable
+    get :show, :id => 1
+    assert_response :success
+  end
+  
+  def test_doesnt_edit_if_model_not_updatable
+    @model.stubs(:respond_to?).with(:updatable_by?).returns(true)
+    @model.stubs(:updatable_by?).with(@user).returns(false)
+    get :edit, :id => 1
+    assert_response 403
+  end
+  
+  def test_does_edit_if_model_updatable
+    @model.stubs(:respond_to?).with(:updatable_by?).returns(true)
+    @model.stubs(:updatable_by?).with(@user).returns(true)
+    get :edit, :id => 1
+    assert_response 200
+  end
+  
+  def test_does_edit_if_model_doesnt_respond_to_viewable
+    get :edit, :id => 1
+    assert_response 200
+  end
+  
+  def test_doesnt_new_if_model_not_creatable
+    @model.stubs(:respond_to?).with(:creatable_by?).returns(true)
+    @model.stubs(:creatable_by?).with(@user).returns(false)
+    get :new
+    assert_response 403
+  end
+  
+  def test_does_new_if_model_creatable
+    @model.stubs(:respond_to?).with(:creatable_by?).returns(true)
+    @model.stubs(:creatable_by?).with(@user).returns(true)
+    get :new
+    assert_response :success
+  end
+  
+  def test_does_new_if_model_doesnt_respond_to_creatable
+    get :new
+    assert_response :success
+  end
+  
+  def test_doesnt_create_if_model_not_creatable
+    @model.stubs(:respond_to?).with(:creatable_by?).returns(true)
+    @model.stubs(:creatable_by?).with(@user).returns(false)
+    Model.expects(:create).never
+    post :create
+  end
+  
+  def test_creates_if_model_creatable
+    @model.stubs(:respond_to?).with(:creatable_by?).returns(true)
+    @model.stubs(:creatable_by?).with(@user).returns(true)
+    Model.expects(:create)
+    post :create
+  end
+  
+  def test_creates_if_model_doesnt_respond_to_creatable
+    Model.expects(:create)
+    post :create
+  end
+  
+  def test_doesnt_destroy_if_model_not_destroyable
+    @model.stubs(:respond_to?).with(:destroyable_by?).returns(true)
+    @model.stubs(:destroyable_by?).with(@user).returns(false)
+    @model.expects(:destroy).never
+    post :destroy, :id => 1
+  end
+  
+  def test_destroy_if_model_destroyable
+    @model.stubs(:respond_to?).with(:destroyable_by?).returns(true)
+    @model.stubs(:destroyable_by?).with(@user).returns(true)
+    @model.expects(:destroy)
+    post :destroy, :id => 1
+  end
+  
+  def test_destroy_if_model_doesnt_respond_to_destroyable
+    @model.expects(:destroy)
+    post :destroy, :id => 1
+  end
+end

data/test/unit/permission_dsl_test.rb

@@ -0,0 +1,121 @@
+require File.dirname(__FILE__) + '/../test_helper'
+
+class PermissionDslTest < Test::Unit::TestCase
+  class Model
+    include TotallyRestfulAuthorization::PermissionDsl
+  end
+  
+  def setup
+    @clazz = Model
+    @clazz.update_permissions.clear
+    @clazz.view_permissions.clear
+    @clazz.update_permissions.clear
+    @clazz.destroy_permissions.clear
+    @clazz.create_permissions.clear
+  end
+  
+  def test_is_not_updatable_if_no_permissions_declared
+    assert !@clazz.new.updatable_by?(stub('user'))
+  end
+  
+  def test_understands_multiple_roles_at_once
+    @clazz.send :updatable_by, [:admin, :superadmin]
+    assert @clazz.new.updatable_by?(stub('admin', :admin? => true, :superadmin? => false))
+    assert @clazz.new.updatable_by?(stub('superadmin', :admin? => false, :superadmin? => true))
+  end
+  
+  def test_is_not_updatable_for_nil
+    @clazz.send :updatable_by, :admin
+    assert !@clazz.new.updatable_by?(nil)
+  end
+  
+  def test_special_role_self_is_interpreted_as_user_is_same_as_object
+    @clazz.send :updatable_by, :self
+    _self = @clazz.new
+    assert _self.updatable_by?(_self)
+  end
+  
+  def test_special_role_anyone_is_interpreted_as_any_object
+    @clazz.send :updatable_by, :anyone
+    assert @clazz.new.updatable_by?('yet another object')
+  end
+  
+  def test_anyone_allows_nil
+    @clazz.send :updatable_by, :anyone
+    assert @clazz.new.updatable_by?(nil)
+  end
+  
+  def test_allows_role_access_to_entire_object
+    @clazz.send :updatable_by, :admin
+    assert @clazz.new.updatable_by?(stub('admin', :admin? => true))
+  end
+  
+  def test_forbids_user_without_role_access_to_object
+    @clazz.send :updatable_by, :admin
+    assert !@clazz.new.updatable_by?(stub('admin', :admin? => false))
+  end
+  
+  def test_allows_role_access_only_to_specific_field
+    @clazz.send :updatable_by, :admin, :only => [:name]
+    assert @clazz.new.updatable_by?(stub('admin', :admin? => true), :name)
+  end
+  
+  def test_forbids_role_access_to_fields_not_in_only_array
+    @clazz.send :updatable_by, :admin, :only => [:name]
+    assert !@clazz.new.updatable_by?(stub('admin', :admin? => true), :email)
+  end
+  
+  def test_allows_role_access_to_fields_not_in_except_array
+    @clazz.send :updatable_by, :admin, :except => [:email]
+    assert @clazz.new.updatable_by?(stub('admin', :admin? => true), :name)
+  end
+  
+  def test_forbids_role_access_to_fields_in_except_array
+    @clazz.send :updatable_by, :admin, :except => [:email]
+    assert !@clazz.new.updatable_by?(stub('admin', :admin? => true), :email)
+  end
+  
+  def test_allows_access_if_conditions_met
+    @clazz.send :updatable_by, :admin, :condition => lambda{|model, updater| updater.admin?}
+    assert @clazz.new.updatable_by?(stub('admin', :admin? => true))
+  end
+  
+  def test_forbids_access_if_condition_not_met
+    @clazz.send :updatable_by, :admin, :condition => lambda{|model, updater| !updater.admin?}
+    assert !@clazz.new.updatable_by?(stub('admin', :admin? => true))
+  end
+  
+  def test_multiple_role_declarations_dont_overwrite_one_another
+    @clazz.send :updatable_by, :admin
+    @clazz.send :updatable_by, :user
+    assert @clazz.new.updatable_by?(stub('admin', :admin? => true, :user? => false))
+  end
+  
+  def test_multiple_option_declarations_per_role_dont_overwrite_one_another
+    @clazz.send :updatable_by, :admin, :only => [:user]
+    @clazz.send :updatable_by, :admin, :only => [:email]
+    assert @clazz.new.updatable_by?(stub('admin', :admin? => true), :user)
+  end
+  
+  def test_viewable_by?
+    @clazz.send :viewable_by, :admin
+    assert @clazz.new.viewable_by?(stub('admin', :admin? => true))
+  end
+  
+  def test_creatable_by?
+    @clazz.send :creatable_by, :admin
+    assert @clazz.new.creatable_by?(stub('admin', :admin? => true))
+  end
+  
+  def test_destroyable_by?
+    @clazz.send :destroyable_by, :admin
+    assert @clazz.new.destroyable_by?(stub('admin', :admin? => true))
+  end
+  
+  def test_declarations_in_inherited_class_dont_interferce_with_superclass
+    @clazz2 = Class.new @clazz
+    @clazz2.send :destroyable_by, :admin
+    assert !@clazz.new.destroyable_by?(stub('admin', :admin? => true))
+  end
+
+end

metadata

@@ -0,0 +1,66 @@
+--- !ruby/object:Gem::Specification 
+name: langalex-totally-restful-authorization
+version: !ruby/object:Gem::Version 
+  version: 0.0.1
+platform: ruby
+authors: 
+- Alexander Lang
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2009-06-12 00:00:00 -07:00
+default_executable: 
+dependencies: []
+
+description: 
+email: alex@upstream-berlin.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE
+- README
+files: 
+- LICENSE
+- README
+- Rakefile
+- VERSION
+- lib/totally_restful_authorization.rb
+- lib/totally_restful_authorization/permission_check.rb
+- lib/totally_restful_authorization/permission_dsl.rb
+- rails/init.rb
+- test/test_helper.rb
+- test/unit/permission_check_test.rb
+- test/unit/permission_dsl_test.rb
+has_rdoc: true
+homepage: http://github.com/langalex/totally_restful_authorization
+post_install_message: 
+rdoc_options: 
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.2.0
+signing_key: 
+specification_version: 2
+summary: This plugin adds an authorization layer to your rails app that is totally transparent to your restful controllers and a DSL for declaring permissions on your models.
+test_files: 
+- test/test_helper.rb
+- test/unit/permission_check_test.rb
+- test/unit/permission_dsl_test.rb