lockdown 0.1.2 → 0.1.3

data/rails_generators/lockdown_all/templates/app/helpers/permissions_helper.rb

@@ -0,0 +1,13 @@
+module PermissionsHelper
+  def permission_name_value
+		h @permission.name 
+  end
+
+  def permission_access_rights_value
+		@permission.access_rights.collect{|r| r}.join("<br/>") if @permission.access_rights
+  end
+
+	def permission_users_value
+		@permission.all_users.collect{|u| link_to_or_show(u.full_name, u)}.join("<br/>")
+  end
+end

data/rails_generators/lockdown_all/templates/app/helpers/user_groups_helper.rb

@@ -0,0 +1,35 @@
+module UserGroupsHelper
+  def user_group_name_value
+    if @action_name == "show"
+       h @user_group.name 
+    else
+       text_field_tag "user_group[name]", @user_group.name
+    end
+  end
+
+  def user_group_permissions_value
+    if @action_name == "show"
+       @user_group.permissions.collect{|p| p.name + "<br/>"}
+    else
+			rvalue = %{<ul id="all_permissions" class="checklist">}
+			@all_permissions.each_with_index do |perm,i|
+				bg = row_class(i)
+				input_id = "perm_#{perm.id}"
+				checked = (@user_group.permission_ids.include?(perm.id) ? "checked" : "")
+				bg << "_" << checked if checked.length > 0
+				rvalue << <<-HTML
+					<li class="#{bg}">
+						<label id="lbl_#{input_id}" for="#{input_id}" onclick="do_highlight('#{input_id}')">
+							<input id="#{input_id}" name="#{input_id}" type="checkbox" #{checked}/>&nbsp;&nbsp;#{perm.name}
+						</label>
+					</li>
+				HTML
+       end
+			 rvalue << "</ul>"
+    end
+  end
+
+	def user_group_users_value
+		@user_group.all_users.collect{|u| link_to_or_show(u.full_name, u)}.join("<br/>")
+  end
+end

data/rails_generators/lockdown_all/templates/app/helpers/users_helper.rb

@@ -0,0 +1,78 @@
+module UsersHelper
+  def profile_first_name_value
+    if @action_name == "show"
+      h @profile.first_name 
+    else
+      text_field_tag "profile[first_name]", @profile.first_name
+    end
+  end
+
+  def profile_last_name_value
+    if @action_name == "show"
+      h @profile.last_name 
+    else
+      text_field_tag "profile[last_name]", @profile.last_name
+    end
+  end
+
+  def profile_email_value
+    if @action_name == "show"
+      h @profile.email 
+    else
+      text_field_tag "profile[email]", @profile.email 
+    end
+  end
+
+  def user_login_value
+    if @action_name == "show"
+      h @user.login 
+    else
+      text_field_tag "user[login]", @user.login
+    end
+  end
+
+  def user_password_value
+    if @action_name == "show"
+      h "Hidden for security..."
+    else
+      %{<input autocomplete="off" type="password" name="user[password]" id="user_password"/>}
+    end
+  end
+
+  def user_password_confirmation_value
+    if @action_name == "show"
+      h "Hidden for security..."
+    else
+      %{<input autocomplete="off" type="password" name="user[password_confirmation]" id="user_password_confirmation"/>}
+    end
+  end
+
+  def user_user_groups_value
+    if @action_name == "show"
+      @user.user_groups.collect{|ug| ug.name + "<br/>"}
+    else
+      rvalue = %{<ul id="all_user_groups" class="checklist">}
+      #
+      # Restrict user group list to the list of the current user.
+      # This prevents a user from creating someone with more access than
+      # him/herself.
+      #
+      @user_groups_for_user.each_with_index do |ug,i|
+        bg = row_class(i)
+        input_id = "ug_#{ug.id}"
+        checked = (@user.user_group_ids.include?(ug.id) ? "checked" : "")
+        bg << "_" << checked if checked.length > 0
+        rvalue << <<-HTML
+          <li class="#{bg}">
+            <label id="lbl_#{input_id}" for="#{input_id}" onclick="do_highlight('#{input_id}')">
+            <input id="#{input_id}" name="#{input_id}" type="checkbox" #{checked}/>&nbsp;&nbsp;#{ug.name}
+            </label>
+          </li>
+        HTML
+      end
+      rvalue << "</ul>"
+    end
+  end
+
+
+end

data/rails_generators/lockdown_all/templates/app/models/permission.rb

@@ -0,0 +1,80 @@
+#
+# This is merely an extension of the Lockdown::Permissions module to
+# allow for database manipulation of Permissions
+#
+# This is typically done via management screens.
+#
+class Permission < ActiveRecord::Base
+  include Lockdown::Helper
+  has_and_belongs_to_many :user_groups
+  
+  before_save :ensure_lockdown_permission_exists
+  
+	class << self
+    include Lockdown::Helper
+		#
+    # Use this in your migrations to create a db record for management
+    # functionality.  
+    # 
+    # Permission must be defined in:
+    #		RAILS_ROOT/config/initializers/lockdown/access.rb
+    #
+		def create_record(sym)
+      raise NameError.new("#{sym} is not defined.") unless Lockdown::Permissions.respond_to?(sym)
+      create(:name => convert_reference_name(sym) )
+		end
+
+    #
+    # Use this in your migrations to delete the permission identified by sym.
+    #
+    def delete_record(sym)
+      privi = find_by_sym(sym)
+      privi.destroy unless privi.nil?
+    end
+
+		    
+    def find_by_sym(sym)
+      if ENV['RAILS_ENV'] == "test"
+        new(:name => convert_reference_name(sym))
+      else
+        find_by_name(convert_reference_name(sym))
+      end
+    end
+
+    def all_but_public
+      find(:all).delete_if do |perm| 
+        Lockdown::UserGroups.public_access.include?(convert_reference_name(perm.name))
+      end
+    end
+  end # end class block
+
+
+	def access_rights
+		sym = convert_reference_name(self.name) 
+    Lockdown::Permissions[sym]
+  end
+
+	def all_users
+		User.find_by_sql <<-SQL
+			select users.* 
+			from users, user_groups_users, permissions_user_groups
+			where users.id = user_groups_users.user_id 
+			and user_groups_users.user_group_id = permissions_user_groups.user_group_id
+			and permissions_user_groups.permission_id = #{self.id}
+		SQL
+  end
+  protected
+	#
+	# Cannot create a permission record in the db that is not defined
+	# in config/initializers/lock_down_access
+	#
+	# Creating a db record is to simplify the creation of user groups
+	# via management screens.
+	#
+	def ensure_lockdown_permission_exists
+		unless Lockdown::Permissions.respond_to?(convert_reference_name(self.name))
+			raise NameError.new("#{sym} is not defined.")
+		end
+	end
+    
+end

data/rails_generators/lockdown_all/templates/app/models/user.rb

@@ -0,0 +1,96 @@
+require 'digest/sha1'
+class User < ActiveRecord::Base
+  include Lockdown::Helper
+  has_and_belongs_to_many :user_groups
+  belongs_to :profile
+  
+  # Virtual attributes
+  attr_accessor :password
+
+  validates_presence_of     :login
+  validates_presence_of     :password,                   :if => :password_required?
+  validates_presence_of     :password_confirmation,      :if => :password_required?
+  validates_length_of       :password, :within => 4..40, :if => :password_required?
+  validates_confirmation_of :password,                   :if => :password_required?
+  validates_length_of       :login,    :within => 3..40
+  validates_uniqueness_of   :login, :case_sensitive => false
+  
+  validates_presence_of :profile
+	validates_associated	:profile
+  
+	before_save :prepare_for_save
+
+	after_create :assign_registered_users_user_group
+  
+  attr_accessible :login, :password, :password_confirmation
+  
+  # Authenticates a user by their login name and unencrypted password.  Returns the user or nil.
+  def self.authenticate(login, password)
+    u = find :first, :conditions => ['login = ?', login] # need to get the salt
+    u && u.authenticated?(password) ? u : nil
+  end
+
+  # Encrypts some data with the salt.
+  def self.encrypt(password, salt)
+    Digest::SHA1.hexdigest("--#{salt}--#{password}--")
+  end
+
+	def self.all
+		find :all, :include => [:profile, :user_groups] 
+  end
+
+  # Encrypts the password with the user salt
+  def encrypt(password)
+    self.class.encrypt(password, salt)
+  end
+
+  def authenticated?(password)
+    crypted_password == encrypt(password)
+  end
+  
+  def access_rights
+    rvalue = Lockdown::UserGroups[:public_access]
+    self.user_groups.each{|grp| rvalue += grp.access_rights}
+    rvalue
+  end
+
+  def email
+    self.profile.email
+  end
+  
+  def full_name
+    self.profile.first_name + " " + self.profile.last_name
+  end
+  
+	def administrator?
+		has_user_group? :administrators
+  end
+
+  def has_user_group?(sym)
+    self.user_groups.each do |ug|
+      return true if convert_reference_name(ug.name) == sym
+    end
+    false
+  end
+
+  protected
+		def assign_registered_users_user_group
+			self.user_groups << UserGroup.find_by_sym(:registered_users)
+    end 
+
+    def prepare_for_save
+			encrypt_password
+			self.profile.save
+    end
+      
+    def encrypt_password
+      return if password.blank?
+      self.salt = Digest::SHA1.hexdigest("--#{Time.now.to_s}--#{login}--") if new_record?
+      self.crypted_password = encrypt(password)
+    end
+    
+    def password_required?
+      (crypted_password.blank? || !password.blank?)
+    end
+    
+end

data/rails_generators/lockdown_all/templates/app/models/user_group.rb

@@ -0,0 +1,177 @@
+class UserGroup < ActiveRecord::Base
+  include Lockdown::Helper
+  has_and_belongs_to_many :permissions
+  has_and_belongs_to_many :users
+
+  validates_presence_of :name
+	
+	before_update :protect_private
+	before_destroy :protect_private_and_protected
+  
+  class << self
+    include Lockdown::Helper
+    #
+    # Pull from the Lockdown::UserGroups module if defined.
+    # Otherwise. load from db.
+    #
+    def [](sym)
+	    return Lockdown::UserGroups[sym] if Lockdown::UserGroups.respond_to? sym
+      ug = UserGroup.find_by_name(convert_reference_name(sym))
+			ug.access_rights
+    end
+    
+    def find_by_sym(sym)
+      if ENV['RAILS_ENV'] == "test"
+        new(:name => convert_reference_name(sym))
+      else
+        find_by_name(convert_reference_name(sym))
+      end
+    end
+
+		def find_by_name(str)
+			find :first, :conditions => ["name = ?",str] 
+    end
+    
+		#
+    # Use this in your migrations to create a db record for management
+    # functionality.  
+    #
+    def create_record(sym)
+      raise NameError.new("#{sym} is not defined.") unless Lockdown::UserGroups.respond_to?(sym)
+      ug = create(:name => convert_reference_name(sym))
+      unless Lockdown::UserGroups.private_records.include?(sym)
+        Lockdown::UserGroups.permissions(sym).each do |perm|
+          ug.permissions << Permission.find_or_create_by_name(convert_reference_name(perm))
+        end
+      end
+    end
+
+    #
+    # Use this in your migrations to add permissions to a user group 
+    # identified by sym.
+    #
+    # privies are param(s) of symbols
+    # e.g. add_permissions(:public_access, :view_catalog)
+    #
+    def add_permissions(sym, *privies)
+			ug = find_by_sym(sym)
+			raise NameError.new("#{sym} is not defined.") if ug.nil?
+			privies.each do |priv|
+				ug.permissions << Permission.find_or_create_by_name(convert_reference_name(priv))
+			end
+    end
+    
+    #
+    # Use this in your migrations to remove permissions from a user group 
+    # identified by sym.
+    #
+    # privies are param(s) of symbols
+    # e.g. add_permissions(:catalog_management, :manage_categories,
+    #                     :manage_products)
+    #
+    def remove_permissions(sym, *privies)
+			ug = find_by_sym(sym)
+			raise NameError.new("#{sym} is not defined.") if ug.nil?
+			privies.each do |priv|
+				ug.permissions.delete Permission.find_by_name(convert_reference_name(priv))
+			end
+    end
+    
+    #
+    # Use this in your migrations to delete the user group identified by sym.
+    #
+    def delete_record(sym)
+      ug = find_by_sym(sym)
+      ug.destroy unless ug.nil?
+    end
+    
+		#
+		# Use this for the management screen to restrict user group list to the
+    # user.  This will prevent a user from creating a user with more power than
+    # him/herself.
+    # 
+    # Public Access and Registered Users groups are automatically assigned, 
+    # so having it on the management screen is just confusing and will lead
+    # to errors by mistakingly removing them.
+		#
+		def find_assignable_for_user(usr)
+			if usr.administrator?
+				find :all, 
+							:conditions => "name != 'Public Access' and name != 'Registered Users'", 
+							:order => :name
+			else
+				find_by_sql <<-SQL
+					select user_groups.* from user_groups, user_groups_users
+					where user_groups.id = user_groups_users.user_group_id
+						and user_groups.name != 'Public Access'
+						and user_groups.name != 'Registered Users'
+						and user_groups_users.user_id = #{usr.id}	 
+					order by user_groups.name
+				SQL
+      end
+    end
+
+		#
+		# Use this for the content associations to restrict user group list for
+    # content association to the current user. 
+    # 
+    # For example, in a content management system, I may be able creat pages
+    # but want to restrict the users who can view the page.  This will return
+    # a list of user groups I can grant access to this page.
+    # 
+		#
+		def find_content_assignable_for_user(usr)
+			if usr.administrator?
+				find :all
+			else
+				find_by_sql <<-SQL
+					select user_groups.* from user_groups, user_groups_users
+					where user_groups.id = user_groups_users.user_group_id
+						and user_groups_users.user_id = #{usr.id}	 
+					order by user_groups.name
+				SQL
+      end
+    end
+  end # end class block
+  
+  #
+  # Return an array of the permissions for the UserGroup object
+  #
+  def all_permissions
+    if permissions.empty?
+      sym = convert_reference_name(self.name)
+      Lockdown::UserGroups.static_permissions(sym)
+    else
+			syms_from_names(permissions)
+    end
+  rescue Exception => e
+    []
+  end
+
+	def all_users
+		User.find_by_sql <<-SQL
+			select users.* 
+			from users, user_groups_users
+			where users.id = user_groups_users.user_id 
+			and user_groups_users.user_group_id = #{self.id}
+			SQL
+	end
+
+	def access_rights
+		Lockdown::Permissions.access_rights_for  syms_from_names(self.permissions)
+  end
+
+	def private_record?
+		Lockdown::UserGroups.respond_to? convert_reference_name(self.name) 
+  end
+
+	def system_assigned?
+		self.private_record?
+  end
+
+	def protect_private
+		if self.private_record?
+			raise SecurityError, "Trying to update a private UserGroup"
+		end
+  end
+end