lockdown 0.5.22 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,68 @@
1
+ module Lockdown
2
+ module Orms
3
+ module DataMapper
4
+ class << self
5
+ def use_me?
6
+ Object.const_defined?("DataMapper") && DataMapper.const_defined?("Base")
7
+ end
8
+
9
+ def included(mod)
10
+ mod.extend Lockdown::Orms::Datamapper::Helper
11
+ mixin
12
+ end
13
+
14
+ def mixin
15
+ orm_parent.send :include, Lockdown::Orm::DataMapper::Stamps
16
+ end
17
+ end # class block
18
+
19
+ module Helper
20
+ def orm_parent
21
+ ::DataMapper::Base
22
+ end
23
+
24
+ #TODO: These may be called from DataMapper::Base or DataMapper, not sure
25
+ #FIXME: If Datamapper is correct, need ::DataMapper
26
+ def database_execute(query)
27
+ DataMapper.database.execute(query)
28
+ end
29
+
30
+ def database_query(query)
31
+ DataMapper.database.query(query)
32
+ end
33
+
34
+ def database_table_exists?(klass)
35
+ DataMapper.database.table_exists?(klass)
36
+ end
37
+ end
38
+
39
+ module Stamps
40
+ def self.included(base)
41
+ base.class_eval do
42
+ alias_method :create_without_stamps, :create
43
+ alias_method :create, :create_with_stamps
44
+ alias_method :update_without_stamps, :update
45
+ alias_method :update, :update_with_stamps
46
+ end
47
+ end
48
+
49
+ def current_profile_id
50
+ Thread.current[:profile_id]
51
+ end
52
+
53
+ def create_with_stamps
54
+ profile_id = current_profile_id || Profile::SYSTEM
55
+ self[:created_by] = profile_id if self.respond_to?(:created_by)
56
+ self[:updated_by] = profile_id if self.respond_to?(:updated_by)
57
+ create_without_stamps
58
+ end
59
+
60
+ def update_with_stamps
61
+ profile_id = current_profile_id || Profile::SYSTEM
62
+ self[:updated_by] = profile_id if self.respond_to?(:updated_by)
63
+ update_without_stamps
64
+ end
65
+ end
66
+ end
67
+ end
68
+ end
@@ -0,0 +1,208 @@
1
+ module Lockdown
2
+ module Rights
3
+ attr_reader :permissions #:nodoc:
4
+ attr_reader :user_groups #:nodoc:
5
+
6
+ # :public_access allows access to all
7
+ attr_reader :public_access #:nodoc:
8
+ # :protected_access will restrict access to authenticated users.
9
+ attr_reader :protected_access #:nodoc:
10
+
11
+ # Future functionality:
12
+ # :private_access will restrict access to model data to their creators.
13
+ # attr_accessor :private_access
14
+
15
+ # Sets permission with arrays of access_rights, e.g.:
16
+ # ["controller_a/method_1", "controller_a/method_2", ...]
17
+
18
+ def initialize_rights
19
+ @permissions ||= {}
20
+ @user_groups ||= {}
21
+
22
+ @public_access ||= []
23
+ @protected_access ||= []
24
+ end
25
+
26
+ def set_permission(name, *method_arrays)
27
+ permissions[name] ||= []
28
+ method_arrays.each{|ary| permissions[name] += ary}
29
+ end
30
+
31
+ # Permissions are stored as a hash with the value being the method_arrays
32
+ def get_permissions
33
+ permissions.keys
34
+ end
35
+
36
+ def permission_exists?(perm)
37
+ get_permissions.include?(perm)
38
+ end
39
+
40
+ def access_rights_for_permission(perm)
41
+ sym = Lockdown.get_symbol(perm)
42
+
43
+ unless permission_exists?(sym)
44
+ raise SecurityError, "Permission requested is not defined: #{sym}"
45
+ end
46
+ permissions[sym]
47
+ end
48
+
49
+ def set_user_group(name, *perms)
50
+ user_groups[name] ||= []
51
+ perms.each do |perm|
52
+ unless permission_exists?(perm)
53
+ raise SecurityError, "For UserGroup (#{name}), permission is invalid: #{perm}"
54
+ end
55
+ user_groups[name].push(perm)
56
+ end
57
+ end
58
+
59
+ def get_user_groups
60
+ user_groups.keys
61
+ end
62
+
63
+ def user_group_exists?(ug)
64
+ get_user_groups.include?(ug)
65
+ end
66
+
67
+ # Determine if the user group is defined in init.rb
68
+ def has_user_group?(ug)
69
+ sym = Lockdown.get_symbol(ug)
70
+
71
+ return true if sym == Lockdown.administrator_group_symbol
72
+ user_group_exists?(sym)
73
+ end
74
+
75
+ def set_public_access(*perms)
76
+ perms.each{|perm| @public_access += permissions[perm]}
77
+ end
78
+
79
+ def public_access?(perm)
80
+ public_access.include?(perm)
81
+ end
82
+
83
+ def set_protected_access(*perms)
84
+ perms.each{|perm| @protected_access += permissions[perm]}
85
+ end
86
+
87
+ def protected_access?(perm)
88
+ protected_access.include?(perm)
89
+ end
90
+
91
+ def permission_assigned_automatically?(perm)
92
+ public_access?(perm) || protected_access?(perm)
93
+ end
94
+
95
+ # Test user for administrator rights
96
+ def administrator?(usr)
97
+ user_has_user_group?(usr, Lockdown.administrator_group_symbol)
98
+ end
99
+
100
+ # Returns array of controller/action values administrators can access.
101
+ def administrator_rights
102
+ Lockdown::System.all_controllers_all_methods
103
+ end
104
+
105
+ def make_user_administrator(usr)
106
+ unless Lockdown.database_table_exists?(UserGroup)
107
+ create_administrator_user_group
108
+ end
109
+
110
+ usr.user_groups << UserGroup.find_or_create_by_name(Lockdown.administrator_group_string)
111
+ end
112
+
113
+ # Returns array of controller/action values all logged in users can access.
114
+ def standard_authorized_user_rights
115
+ Lockdown::System.public_access + Lockdown::System.protected_access
116
+ end
117
+
118
+ # Return array of controller/action values user can access.
119
+ def access_rights_for_user(usr)
120
+ return unless usr
121
+ return :all if administrator?(usr)
122
+
123
+ rights = standard_authorized_user_rights
124
+
125
+ usr.user_groups.each do |grp|
126
+ permissions_for_user_group(grp) do |perm|
127
+ rights += access_rights_for_permission(perm)
128
+ end
129
+ end
130
+ rights
131
+ end
132
+
133
+ # Use this for the management screen to restrict user group list to the
134
+ # user. This will prevent a user from creating a user with more power than
135
+ # him/her self.
136
+ def user_groups_assignable_for_user(usr)
137
+ return [] if usr.nil?
138
+
139
+ if administrator?(usr)
140
+ UserGroup.find_by_sql <<-SQL
141
+ select user_groups.* from user_groups order by user_groups.name
142
+ SQL
143
+ else
144
+ UserGroup.find_by_sql <<-SQL
145
+ select user_groups.* from user_groups, user_groups_users
146
+ where user_groups.id = user_groups_users.user_group_id
147
+ and user_groups_users.user_id = #{usr.id}
148
+ order by user_groups.name
149
+ SQL
150
+ end
151
+ end
152
+
153
+ # Similar to user_groups_assignable_for_user, this method should be
154
+ # used to restrict users from creating a user group with more power than
155
+ # they have been allowed.
156
+ def permissions_assignable_for_user(usr)
157
+ return [] if usr.nil?
158
+ if administrator?(usr)
159
+ get_permissions.collect{|k| Permission.find_by_name(Lockdown.get_string(k)) }.compact
160
+ else
161
+ user_groups_assignable_for_user(usr).collect{|g| g.permissions}.flatten.compact
162
+ end
163
+ end
164
+
165
+ def permissions_for_user_group(ug)
166
+ sym = Lockdown.get_symbol(ug)
167
+ perm_array = []
168
+
169
+ if has_user_group?(sym)
170
+ permissions = user_groups[sym] || []
171
+ else
172
+ permissions = ug.permissions
173
+ end
174
+
175
+
176
+ permissions.each do |perm|
177
+ perm_sym = Lockdown.get_symbol(perm)
178
+
179
+ unless permission_exists?(perm_sym)
180
+ raise SecurityError, "Permission associated to User Group is invalid: #{perm}"
181
+ end
182
+
183
+ if block_given?
184
+ yield perm_sym
185
+ else
186
+ perm_array << perm_sym
187
+ end
188
+ end
189
+
190
+ return perm_array unless block_given?
191
+ end
192
+
193
+
194
+ private
195
+
196
+ def user_has_user_group?(usr, sym)
197
+ usr.user_groups.each do |ug|
198
+ return true if Lockdown.convert_reference_name(ug.name) == sym
199
+ end
200
+ false
201
+ end
202
+
203
+ def create_administrator_user_group
204
+ UserGroup.create :name => Lockdown.administrator_group_string
205
+ end
206
+
207
+ end
208
+ end
@@ -0,0 +1,39 @@
1
+ module Lockdown
2
+ module Session
3
+ def nil_lockdown_values
4
+ [:expiry_time, :user_id, :user_name, :user_profile_id, :access_rights].each do |val|
5
+ session[val] = nil if session[val]
6
+ end
7
+ end
8
+
9
+ def current_user_access_in_group?(grp)
10
+ return true if current_user_is_admin?
11
+ Lockdown::System.user_groups[grp].each do |perm|
12
+ return true if access_in_perm?(perm)
13
+ end
14
+ false
15
+ end
16
+
17
+ def current_user_is_admin?
18
+ session[:access_rights] == :all
19
+ end
20
+
21
+ private
22
+
23
+ def add_lockdown_session_values(user)
24
+ session[:access_rights] = Lockdown::System.access_rights_for_user(user)
25
+ end
26
+
27
+ def access_in_perm?(perm)
28
+ Lockdown::System.permissions[perm].each do |ar|
29
+ return true if session_access_rights_include?(ar)
30
+ end unless Lockdown::System.permissions[perm].nil?
31
+ false
32
+ end
33
+
34
+ def session_access_rights_include?(str)
35
+ return false unless session[:access_rights]
36
+ session[:access_rights].include?(str)
37
+ end
38
+ end # Session
39
+ end # Lockdown