RubyGems - lockdown - Versions diffs - 0.3.15 → 0.4.0 - Mend

lockdown 0.3.15 → 0.4.0

Files changed (10) hide show

data/History.txt +6 -0
data/app_generators/lockdown/templates/init.rb +4 -0
data/lib/lockdown/helper.rb +10 -0
data/lib/lockdown/system.rb +147 -54
data/lib/lockdown/version.rb +2 -2
data/lib/lockdown.rb +29 -0
data/rails_generators/lockdown_all/templates/app/controllers/user_groups_controller.rb +3 -0
data/rails_generators/lockdown_all/templates/app/helpers/permissions_helper.rb +1 -1
data/rails_generators/lockdown_all/templates/db/migrate/create_admin_user_and_user_group.rb +0 -6
metadata +2 -2

data/History.txt CHANGED Viewed

@@ -1,3 +1,9 @@
+== 0.4.0 2008-05-04
+* Added: Automatically sync definitions in init.rb with database to remove migrations requirement
+* Added: Improved notification if invalid user group or permission is referenced in init.rb
+* Added: Check in user_groups controller to prevent url hack and modify/destroy user group defined in init.rb
+* Modified: Renamed access_rights_for_perm to access_rights_for_permission for consistency sake.  Change then method call in permissions_helper if you have this installed
 == 0.3.15 2008-05-03
 * Fixed: The controller inspection code was short-circuiting the Dependencies reload mechanism while in development mode.

data/app_generators/lockdown/templates/init.rb CHANGED Viewed

@@ -20,6 +20,10 @@ Lockdown::System.configure do
   # Set redirect to path on successful login:
   #       options[:successful_login_path] = "/"
   #
+  # Set the system to sync the Permissions and UserGroups defined here
+  # with the database.
+  #       options[:sync_init_rb_with_db] = true
+  #
   #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   # Define permissions
   #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

data/lib/lockdown/helper.rb CHANGED Viewed

@@ -22,6 +22,16 @@ module Lockdown
 			str_sym.is_a?(String) ? convert_reference_name(str_sym) : str_sym
 		end
+    def lockdown_symbol(value)
+      if value.respond_to?(:name)
+        symbol_name(value.name)
+      elsif value.is_a?(String)
+        symbol_name(value)
+      else
+        value
+      end
+    end
     def camelize(str)
       str.to_s.gsub(/\/(.?)/) { "::" + $1.upcase }.gsub(/(^|_)(.)/) { $2.upcase }
     end

data/lib/lockdown/system.rb CHANGED Viewed

@@ -20,8 +20,11 @@ module Lockdown
       attr_accessor :controller_classes #:nodoc:
       def configure(&block)
-				self.set_defaults
-        self.instance_eval(&block)
+				set_defaults
+        instance_eval(&block)
+        if options[:use_db_models] && options[:sync_init_rb_with_db]
+          sync_with_db
+        end
       end
       def [](key)
@@ -41,67 +44,99 @@ module Lockdown
 				@permissions.keys
       end
+      def permission_exists?(perm)
+        get_permissions.include?(perm)
+      end
       def set_user_group(name, *perms)
         @user_groups[name] ||= []
-        perms.each{|perm| @user_groups[name].push(perm)}
+        perms.each do |perm|
+          unless permission_exists?(perm)
+            raise SecurityError, "For UserGroup (#{name}), permission is invalid: #{perm}"
+          end
+          @user_groups[name].push(perm)
+        end
       end
 			def get_user_groups
 				@user_groups.keys
       end
+      def permissions_for_user_group(ug)
+        sym = lockdown_symbol(ug)
+        if has_user_group?(sym)
+          @user_groups[sym].each do |perm|
+            unless permission_exists?(perm)
+              raise SecurityError, "Permission associated to User Group is invalid: #{perm}"
+            end
+            yield perm
+          end
+        elsif ug.responds_to?(:name)
+          # This user group was defined in the database
+          ug.permissions.each do |perm|
+            perm_sym = symbol_name(perm.name)
+            unless permission_exists?(perm_sym)
+              raise SecurityError, "Permission associated to User Group is invalid: #{perm_sym}"
+            end
+            yield perm_sym
+          end
+        else
+          raise SecurityError, "UserGroup is not known: #{ug.inspect}"
+        end
+      end
+      def access_rights_for_permission(perm)
+        sym = lockdown_symbol(perm)
+        unless permission_exists?(sym)
+          raise SecurityError, "Permission requested is not defined: #{sym}"
+        end
+        @permissions[sym]
+      end
+      def public_access?(perm)
+        @public_access.include?(perm)
+      end
 			def set_public_access(*perms)
 				perms.each{|perm| @public_access += @permissions[perm]}
 			end
+      def protected_access?(perm)
+        @protected_access.include?(perm)
+      end
 			def set_protected_access(*perms)
 				perms.each{|perm| @protected_access += @permissions[perm]}
 			end
+      def permission_assigned_automatically?(perm)
+        public_access?(perm) || protected_access?(perm)
+      end
 			def standard_authorized_user_rights
 				Lockdown::System.public_access + Lockdown::System.protected_access
       end
-			#
-			# Create a user group record in the database
-			#
-			def create_user_group(str_sym)
-				return unless @options[:use_db_models]
-				ug = UserGroup.create(:name => string_name(str_sym))
-				#
-				# No need to create permissions records for administrators
-				#
-				ug_sym = symbol_name(ug.name)
-				return if ug_sym == administrator_group_symbol
-				if self.has_user_group?(ug)
-					@user_groups[ug_sym].collect do |perm|
-						Permission.create(:name => string_name(perm))
-					end
-				end
-			end
-			def create_administrator_user_group
-				return unless @options[:use_db_models]
-				Lockdown::System.create_user_group administrator_group_symbol
-  		end
 			#
 			# Determine if the user group is defined in init.rb
 			#
 			def has_user_group?(ug)
-				return true if symbol_name(ug.name) == administrator_group_symbol
-				@user_groups.each do |key,value|
-					return true if key == symbol_name(ug.name)
+        sym = lockdown_symbol(ug)
+				return true if sym == administrator_group_symbol
+				get_user_groups.each do |key|
+					return true if key == sym
 				end
-				return false
+				false
 			end
 			#
 			# Delete a user group record from the database
 			#
 			def delete_user_group(str_sym)
-				ug = UserGroup.find_by_name(string_name(str_sym))
+				ug = UserGroup.find(:first, :conditions => ["name = ?",string_name(str_sym)])
 				ug.destroy unless ug.nil?
 			end
@@ -113,24 +148,14 @@ module Lockdown
 				if @options[:use_db_models]
 					usr.user_groups.each do |grp|
-						if @user_groups.has_key? symbol_name(grp.name)
-							@user_groups[symbol_name(grp.name)].each do |perm|
-								rights += @permissions[perm]
-							end
-						else
-							grp.permissions.each do |perm|
-								rights += @permissions[symbol_name(perm.name)]
-							end
-						end
+            permissions_for_user_group(grp) do |perm|
+              rights += access_rights_for_permission(perm)
+            end
 					end
 				end
 				rights
 			end
-			def access_rights_for_perm(perm)
-        (perms = @permissions[symbol_name(perm.name)]) == nil ? [] : perms
-      end
 			#
 			# Use this for the management screen to restrict user group list to the
 			# user.  This will prevent a user from creating a user with more power than
@@ -168,9 +193,13 @@ module Lockdown
 			end
 			def make_user_administrator(usr)
+        unless Lockdown.database_table_exists?(UserGroup)
+          create_administrator_user_group
+        end
 				usr.user_groups << UserGroup.find_or_create_by_name(administrator_group_string)
 			end
 			def administrator?(usr)
 				user_has_user_group?(usr, administrator_group_symbol)
 			end
@@ -196,16 +225,22 @@ module Lockdown
         @private_access = []
 				@options = {
-					:use_db_models => true,
-					:session_timeout => (60 * 60),
-					:logout_on_access_violation => false,
-					:access_denied_path => "/",
-					:successful_login_path => "/"
-				}
+          :use_db_models => true,
+          :sync_init_rb_with_db => true,
+          :session_timeout => (60 * 60),
+          :logout_on_access_violation => false,
+          :access_denied_path => "/",
+          :successful_login_path => "/"
+        }
       end
 			private
+			def create_administrator_user_group
+				return unless @options[:use_db_models]
+				UserGroup.create :name => administrator_group_name
+  		end
 			def user_has_user_group?(usr, sym)
 				usr.user_groups.each do |ug|
 					return true if convert_reference_name(ug.name) == sym
@@ -227,7 +262,7 @@ module Lockdown
       end
       def controller_class_name_from_file(str)
-        str.split(".")[0].split("/").collect{|str| camelize(str) }.join("::")
+        str.split(".")[0].split("/").collect{|s| camelize(s) }.join("::")
       end
       def controller_class_name(str)
@@ -274,6 +309,64 @@ module Lockdown
           const_get(klass)
         end
       end
-    end # class block
+      #
+      # This is very basic and could be handled better using orm specific
+      # functionality, but I wanted to keep it generic to avoid creating
+      # an interface for each the different orm implementations.
+      # We'll see how it works...
+      #
+      def sync_with_db
+        return unless database_configured?
+        # Create permissions not found in the database
+        get_permissions.each do |key|
+          next if permission_assigned_automatically?(key)
+          str = string_name(key)
+          p = Permission.find(:first, :conditions => ["name = ?", str])
+          unless p
+            puts ">> Lockdown: Permission not found in db: #{str}, creating."
+            Permission.create(:name => str)
+          end
+        end
+        #
+        # Delete the permissions not found in init.rb
+        #
+        db_perms = Permission.find(:all).dup
+        perm_keys = get_permissions
+        db_perms.each do |dbp|
+          unless perm_keys.include?(symbol_name(dbp.name))
+            puts ">> Lockdown: Permission no longer in init.rb: #{dbp.name}, deleting."
+            Lockdown.database_execute("delete from permissions_user_groups where permission_id = #{dbp.id}")
+            dbp.destroy
+          end
+        end
+        # Create user groups not found in the database
+        get_user_groups.each do |key|
+          str = string_name(key)
+          ug = UserGroup.find(:first, :conditions => ["name = ?", str])
+          unless ug
+            puts ">> Lockdown: UserGroup not in the db: #{str}, creating."
+            ug = UserGroup.create(:name => str)
+            #Inefficient, definitely, but shouldn't have any issues across orms.
+            permissions_for_user_group(key) do |perm|
+              p = Permission.find(:first, :conditions => ["name = ?", string_name(perm)])
+              Lockdown.database_execute <<-SQL
+                insert into permissions_user_groups(permission_id, user_group_id)
+                values(#{p.id}, #{ug.id})
+              SQL
+            end
+          end
+        end
+      end
+      def database_configured?
+        return unless const_defined?("Permission") && const_defined?("UserGroup")
+        Lockdown.database_table_exists?(Permission) &&
+                      Lockdown.database_table_exists?(UserGroup)
+      end
+     end # class block
   end # System class
 end # Lockdown

data/lib/lockdown/version.rb CHANGED Viewed

@@ -1,8 +1,8 @@
 module Lockdown #:nodoc:
   module VERSION #:nodoc:
     MAJOR = 0
-    MINOR = 3
-    TINY  = 15
+    MINOR = 4
+    TINY  = 0
     STRING = [MAJOR, MINOR, TINY].join('.')
   end

data/lib/lockdown.rb CHANGED Viewed

@@ -47,6 +47,35 @@ module Lockdown
       end
     end
+    def database_execute(query)
+      if active_record_orm?
+        ActiveRecord::Base.connection.execute(query)
+      elsif datamapper_orm?
+        DataMapper.database.execute(query)
+      else
+        raise NotImplementedError, "ORM unknown to Lockdown!  Lockdown recognizes DataMapper and ActiveRecord"
+      end
+    end
+    def database_query(query)
+      if active_record_orm?
+        ActiveRecord::Base.connection.execute(query)
+      elsif datamapper_orm?
+        DataMapper.database.query(query)
+      else
+        raise NotImplementedError, "ORM unknown to Lockdown!  Lockdown recognizes DataMapper and ActiveRecord"
+      end
+    end
+    def database_table_exists?(klass)
+      if active_record_orm?
+        klass.table_exists?
+      elsif datamapper_orm?
+        DataMapper.database.table_exists?(klass)
+      else
+        raise NotImplementedError, "ORM unknown to Lockdown!  Lockdown recognizes DataMapper and ActiveRecord"
+      end
+    end
     private
     def project_related_value(merb_val, rails_val)

data/rails_generators/lockdown_all/templates/app/controllers/user_groups_controller.rb CHANGED Viewed

@@ -88,6 +88,9 @@ class UserGroupsController < ApplicationController
 	def find_user_group
     @user_group = UserGroup.find(params[:id])
+    if @action_name != "show" && Lockdown::System.has_user_group?(@user_group)
+      raise SecurityError,"Invalid attempt to modify user group."
+    end
   end
 	def update_permissions

data/rails_generators/lockdown_all/templates/app/helpers/permissions_helper.rb CHANGED Viewed

@@ -4,7 +4,7 @@ module PermissionsHelper
   end
   def permission_access_rights_value
-    Lockdown::System.access_rights_for_perm(@permission).collect{|r| r}.join("<br/>")
+    Lockdown::System.access_rights_for_permission(@permission).collect{|r| r}.join("<br/>")
   end
 	def permission_users_value

data/rails_generators/lockdown_all/templates/db/migrate/create_admin_user_and_user_group.rb CHANGED Viewed

@@ -1,11 +1,5 @@
 class CreateAdminUserAndUserGroup < ActiveRecord::Migration
   def self.up
-		#
-		# Creating an administrators user group database record
-    # to allow for the creation of other administrators
-		#
-		Lockdown::System.create_administrator_user_group
 		# TODO: Change the password
     u = User.new(	:password => "password",
 									:password_confirmation => "password",

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: lockdown
 version: !ruby/object:Gem::Version
-  version: 0.3.15
+  version: 0.4.0
 platform: ruby
 authors:
 - Andrew Stone
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
-date: 2008-05-03 00:00:00 -04:00
+date: 2008-05-05 00:00:00 -04:00
 default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency