lockdown 0.5.22 → 0.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/Manifest.txt +11 -9
- data/Rakefile +27 -3
- data/app_generators/lockdown/templates/init.rb +4 -3
- data/bin/lockdown +0 -2
- data/lib/lockdown/classy-inheritance.rb +11 -190
- data/lib/lockdown/controller.rb +49 -221
- data/lib/lockdown/database.rb +108 -0
- data/lib/lockdown/frameworks/merb/controller.rb +59 -0
- data/lib/lockdown/frameworks/merb/view.rb +30 -0
- data/lib/lockdown/frameworks/merb.rb +74 -0
- data/lib/lockdown/frameworks/rails/controller.rb +110 -0
- data/lib/lockdown/frameworks/rails/view.rb +54 -0
- data/lib/lockdown/frameworks/rails.rb +93 -0
- data/lib/lockdown/helper.rb +27 -20
- data/lib/lockdown/orms/active_record.rb +66 -0
- data/lib/lockdown/orms/data_mapper.rb +68 -0
- data/lib/lockdown/rights.rb +208 -0
- data/lib/lockdown/session.rb +39 -0
- data/lib/lockdown/system.rb +54 -352
- data/lib/lockdown/version.rb +2 -2
- data/lib/lockdown.rb +24 -135
- metadata +30 -21
- data/README +0 -0
- data/config/hoe.rb +0 -74
- data/config/requirements.rb +0 -15
- data/lib/lockdown/controller_inspector.rb +0 -98
- data/lib/lockdown/model.rb +0 -37
- data/lib/lockdown/view.rb +0 -84
- data/tasks/deployment.rake +0 -34
- data/tasks/environment.rake +0 -7
- data/tasks/website.rake +0 -17
|
@@ -0,0 +1,68 @@
|
|
|
1
|
+
module Lockdown
|
|
2
|
+
module Orms
|
|
3
|
+
module DataMapper
|
|
4
|
+
class << self
|
|
5
|
+
def use_me?
|
|
6
|
+
Object.const_defined?("DataMapper") && DataMapper.const_defined?("Base")
|
|
7
|
+
end
|
|
8
|
+
|
|
9
|
+
def included(mod)
|
|
10
|
+
mod.extend Lockdown::Orms::Datamapper::Helper
|
|
11
|
+
mixin
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
def mixin
|
|
15
|
+
orm_parent.send :include, Lockdown::Orm::DataMapper::Stamps
|
|
16
|
+
end
|
|
17
|
+
end # class block
|
|
18
|
+
|
|
19
|
+
module Helper
|
|
20
|
+
def orm_parent
|
|
21
|
+
::DataMapper::Base
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
#TODO: These may be called from DataMapper::Base or DataMapper, not sure
|
|
25
|
+
#FIXME: If Datamapper is correct, need ::DataMapper
|
|
26
|
+
def database_execute(query)
|
|
27
|
+
DataMapper.database.execute(query)
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
def database_query(query)
|
|
31
|
+
DataMapper.database.query(query)
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
def database_table_exists?(klass)
|
|
35
|
+
DataMapper.database.table_exists?(klass)
|
|
36
|
+
end
|
|
37
|
+
end
|
|
38
|
+
|
|
39
|
+
module Stamps
|
|
40
|
+
def self.included(base)
|
|
41
|
+
base.class_eval do
|
|
42
|
+
alias_method :create_without_stamps, :create
|
|
43
|
+
alias_method :create, :create_with_stamps
|
|
44
|
+
alias_method :update_without_stamps, :update
|
|
45
|
+
alias_method :update, :update_with_stamps
|
|
46
|
+
end
|
|
47
|
+
end
|
|
48
|
+
|
|
49
|
+
def current_profile_id
|
|
50
|
+
Thread.current[:profile_id]
|
|
51
|
+
end
|
|
52
|
+
|
|
53
|
+
def create_with_stamps
|
|
54
|
+
profile_id = current_profile_id || Profile::SYSTEM
|
|
55
|
+
self[:created_by] = profile_id if self.respond_to?(:created_by)
|
|
56
|
+
self[:updated_by] = profile_id if self.respond_to?(:updated_by)
|
|
57
|
+
create_without_stamps
|
|
58
|
+
end
|
|
59
|
+
|
|
60
|
+
def update_with_stamps
|
|
61
|
+
profile_id = current_profile_id || Profile::SYSTEM
|
|
62
|
+
self[:updated_by] = profile_id if self.respond_to?(:updated_by)
|
|
63
|
+
update_without_stamps
|
|
64
|
+
end
|
|
65
|
+
end
|
|
66
|
+
end
|
|
67
|
+
end
|
|
68
|
+
end
|
|
@@ -0,0 +1,208 @@
|
|
|
1
|
+
module Lockdown
|
|
2
|
+
module Rights
|
|
3
|
+
attr_reader :permissions #:nodoc:
|
|
4
|
+
attr_reader :user_groups #:nodoc:
|
|
5
|
+
|
|
6
|
+
# :public_access allows access to all
|
|
7
|
+
attr_reader :public_access #:nodoc:
|
|
8
|
+
# :protected_access will restrict access to authenticated users.
|
|
9
|
+
attr_reader :protected_access #:nodoc:
|
|
10
|
+
|
|
11
|
+
# Future functionality:
|
|
12
|
+
# :private_access will restrict access to model data to their creators.
|
|
13
|
+
# attr_accessor :private_access
|
|
14
|
+
|
|
15
|
+
# Sets permission with arrays of access_rights, e.g.:
|
|
16
|
+
# ["controller_a/method_1", "controller_a/method_2", ...]
|
|
17
|
+
|
|
18
|
+
def initialize_rights
|
|
19
|
+
@permissions ||= {}
|
|
20
|
+
@user_groups ||= {}
|
|
21
|
+
|
|
22
|
+
@public_access ||= []
|
|
23
|
+
@protected_access ||= []
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
def set_permission(name, *method_arrays)
|
|
27
|
+
permissions[name] ||= []
|
|
28
|
+
method_arrays.each{|ary| permissions[name] += ary}
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
# Permissions are stored as a hash with the value being the method_arrays
|
|
32
|
+
def get_permissions
|
|
33
|
+
permissions.keys
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
def permission_exists?(perm)
|
|
37
|
+
get_permissions.include?(perm)
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
def access_rights_for_permission(perm)
|
|
41
|
+
sym = Lockdown.get_symbol(perm)
|
|
42
|
+
|
|
43
|
+
unless permission_exists?(sym)
|
|
44
|
+
raise SecurityError, "Permission requested is not defined: #{sym}"
|
|
45
|
+
end
|
|
46
|
+
permissions[sym]
|
|
47
|
+
end
|
|
48
|
+
|
|
49
|
+
def set_user_group(name, *perms)
|
|
50
|
+
user_groups[name] ||= []
|
|
51
|
+
perms.each do |perm|
|
|
52
|
+
unless permission_exists?(perm)
|
|
53
|
+
raise SecurityError, "For UserGroup (#{name}), permission is invalid: #{perm}"
|
|
54
|
+
end
|
|
55
|
+
user_groups[name].push(perm)
|
|
56
|
+
end
|
|
57
|
+
end
|
|
58
|
+
|
|
59
|
+
def get_user_groups
|
|
60
|
+
user_groups.keys
|
|
61
|
+
end
|
|
62
|
+
|
|
63
|
+
def user_group_exists?(ug)
|
|
64
|
+
get_user_groups.include?(ug)
|
|
65
|
+
end
|
|
66
|
+
|
|
67
|
+
# Determine if the user group is defined in init.rb
|
|
68
|
+
def has_user_group?(ug)
|
|
69
|
+
sym = Lockdown.get_symbol(ug)
|
|
70
|
+
|
|
71
|
+
return true if sym == Lockdown.administrator_group_symbol
|
|
72
|
+
user_group_exists?(sym)
|
|
73
|
+
end
|
|
74
|
+
|
|
75
|
+
def set_public_access(*perms)
|
|
76
|
+
perms.each{|perm| @public_access += permissions[perm]}
|
|
77
|
+
end
|
|
78
|
+
|
|
79
|
+
def public_access?(perm)
|
|
80
|
+
public_access.include?(perm)
|
|
81
|
+
end
|
|
82
|
+
|
|
83
|
+
def set_protected_access(*perms)
|
|
84
|
+
perms.each{|perm| @protected_access += permissions[perm]}
|
|
85
|
+
end
|
|
86
|
+
|
|
87
|
+
def protected_access?(perm)
|
|
88
|
+
protected_access.include?(perm)
|
|
89
|
+
end
|
|
90
|
+
|
|
91
|
+
def permission_assigned_automatically?(perm)
|
|
92
|
+
public_access?(perm) || protected_access?(perm)
|
|
93
|
+
end
|
|
94
|
+
|
|
95
|
+
# Test user for administrator rights
|
|
96
|
+
def administrator?(usr)
|
|
97
|
+
user_has_user_group?(usr, Lockdown.administrator_group_symbol)
|
|
98
|
+
end
|
|
99
|
+
|
|
100
|
+
# Returns array of controller/action values administrators can access.
|
|
101
|
+
def administrator_rights
|
|
102
|
+
Lockdown::System.all_controllers_all_methods
|
|
103
|
+
end
|
|
104
|
+
|
|
105
|
+
def make_user_administrator(usr)
|
|
106
|
+
unless Lockdown.database_table_exists?(UserGroup)
|
|
107
|
+
create_administrator_user_group
|
|
108
|
+
end
|
|
109
|
+
|
|
110
|
+
usr.user_groups << UserGroup.find_or_create_by_name(Lockdown.administrator_group_string)
|
|
111
|
+
end
|
|
112
|
+
|
|
113
|
+
# Returns array of controller/action values all logged in users can access.
|
|
114
|
+
def standard_authorized_user_rights
|
|
115
|
+
Lockdown::System.public_access + Lockdown::System.protected_access
|
|
116
|
+
end
|
|
117
|
+
|
|
118
|
+
# Return array of controller/action values user can access.
|
|
119
|
+
def access_rights_for_user(usr)
|
|
120
|
+
return unless usr
|
|
121
|
+
return :all if administrator?(usr)
|
|
122
|
+
|
|
123
|
+
rights = standard_authorized_user_rights
|
|
124
|
+
|
|
125
|
+
usr.user_groups.each do |grp|
|
|
126
|
+
permissions_for_user_group(grp) do |perm|
|
|
127
|
+
rights += access_rights_for_permission(perm)
|
|
128
|
+
end
|
|
129
|
+
end
|
|
130
|
+
rights
|
|
131
|
+
end
|
|
132
|
+
|
|
133
|
+
# Use this for the management screen to restrict user group list to the
|
|
134
|
+
# user. This will prevent a user from creating a user with more power than
|
|
135
|
+
# him/her self.
|
|
136
|
+
def user_groups_assignable_for_user(usr)
|
|
137
|
+
return [] if usr.nil?
|
|
138
|
+
|
|
139
|
+
if administrator?(usr)
|
|
140
|
+
UserGroup.find_by_sql <<-SQL
|
|
141
|
+
select user_groups.* from user_groups order by user_groups.name
|
|
142
|
+
SQL
|
|
143
|
+
else
|
|
144
|
+
UserGroup.find_by_sql <<-SQL
|
|
145
|
+
select user_groups.* from user_groups, user_groups_users
|
|
146
|
+
where user_groups.id = user_groups_users.user_group_id
|
|
147
|
+
and user_groups_users.user_id = #{usr.id}
|
|
148
|
+
order by user_groups.name
|
|
149
|
+
SQL
|
|
150
|
+
end
|
|
151
|
+
end
|
|
152
|
+
|
|
153
|
+
# Similar to user_groups_assignable_for_user, this method should be
|
|
154
|
+
# used to restrict users from creating a user group with more power than
|
|
155
|
+
# they have been allowed.
|
|
156
|
+
def permissions_assignable_for_user(usr)
|
|
157
|
+
return [] if usr.nil?
|
|
158
|
+
if administrator?(usr)
|
|
159
|
+
get_permissions.collect{|k| Permission.find_by_name(Lockdown.get_string(k)) }.compact
|
|
160
|
+
else
|
|
161
|
+
user_groups_assignable_for_user(usr).collect{|g| g.permissions}.flatten.compact
|
|
162
|
+
end
|
|
163
|
+
end
|
|
164
|
+
|
|
165
|
+
def permissions_for_user_group(ug)
|
|
166
|
+
sym = Lockdown.get_symbol(ug)
|
|
167
|
+
perm_array = []
|
|
168
|
+
|
|
169
|
+
if has_user_group?(sym)
|
|
170
|
+
permissions = user_groups[sym] || []
|
|
171
|
+
else
|
|
172
|
+
permissions = ug.permissions
|
|
173
|
+
end
|
|
174
|
+
|
|
175
|
+
|
|
176
|
+
permissions.each do |perm|
|
|
177
|
+
perm_sym = Lockdown.get_symbol(perm)
|
|
178
|
+
|
|
179
|
+
unless permission_exists?(perm_sym)
|
|
180
|
+
raise SecurityError, "Permission associated to User Group is invalid: #{perm}"
|
|
181
|
+
end
|
|
182
|
+
|
|
183
|
+
if block_given?
|
|
184
|
+
yield perm_sym
|
|
185
|
+
else
|
|
186
|
+
perm_array << perm_sym
|
|
187
|
+
end
|
|
188
|
+
end
|
|
189
|
+
|
|
190
|
+
return perm_array unless block_given?
|
|
191
|
+
end
|
|
192
|
+
|
|
193
|
+
|
|
194
|
+
private
|
|
195
|
+
|
|
196
|
+
def user_has_user_group?(usr, sym)
|
|
197
|
+
usr.user_groups.each do |ug|
|
|
198
|
+
return true if Lockdown.convert_reference_name(ug.name) == sym
|
|
199
|
+
end
|
|
200
|
+
false
|
|
201
|
+
end
|
|
202
|
+
|
|
203
|
+
def create_administrator_user_group
|
|
204
|
+
UserGroup.create :name => Lockdown.administrator_group_string
|
|
205
|
+
end
|
|
206
|
+
|
|
207
|
+
end
|
|
208
|
+
end
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
module Lockdown
|
|
2
|
+
module Session
|
|
3
|
+
def nil_lockdown_values
|
|
4
|
+
[:expiry_time, :user_id, :user_name, :user_profile_id, :access_rights].each do |val|
|
|
5
|
+
session[val] = nil if session[val]
|
|
6
|
+
end
|
|
7
|
+
end
|
|
8
|
+
|
|
9
|
+
def current_user_access_in_group?(grp)
|
|
10
|
+
return true if current_user_is_admin?
|
|
11
|
+
Lockdown::System.user_groups[grp].each do |perm|
|
|
12
|
+
return true if access_in_perm?(perm)
|
|
13
|
+
end
|
|
14
|
+
false
|
|
15
|
+
end
|
|
16
|
+
|
|
17
|
+
def current_user_is_admin?
|
|
18
|
+
session[:access_rights] == :all
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
private
|
|
22
|
+
|
|
23
|
+
def add_lockdown_session_values(user)
|
|
24
|
+
session[:access_rights] = Lockdown::System.access_rights_for_user(user)
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
def access_in_perm?(perm)
|
|
28
|
+
Lockdown::System.permissions[perm].each do |ar|
|
|
29
|
+
return true if session_access_rights_include?(ar)
|
|
30
|
+
end unless Lockdown::System.permissions[perm].nil?
|
|
31
|
+
false
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
def session_access_rights_include?(str)
|
|
35
|
+
return false unless session[:access_rights]
|
|
36
|
+
session[:access_rights].include?(str)
|
|
37
|
+
end
|
|
38
|
+
end # Session
|
|
39
|
+
end # Lockdown
|