lockdown 0.5.22 → 0.6.0

data/lib/lockdown/system.rb

@@ -1,22 +1,12 @@
+require File.join(File.dirname(__FILE__), "rights")
+require File.join(File.dirname(__FILE__), "database")
+
 module Lockdown
   class System
     class << self
-      include Lockdown::ControllerInspector
+      include Lockdown::Rights
 
       attr_accessor :options #:nodoc:
-      
-      attr_accessor :permissions #:nodoc:
-      attr_accessor :user_groups #:nodoc:
-
-      # :public_access allows access to all
-      attr_accessor :public_access #:nodoc:
-      # :protected_access will restrict access to authenticated users.
-      attr_accessor :protected_access #:nodoc:
-
-      # Future functionality:
-      # :private_access will restrict access to model data to their creators.
-      # attr_accessor :private_access 
-
       attr_accessor :controller_classes #:nodoc:
 
       def configure(&block)
@@ -24,382 +14,94 @@ module Lockdown
 
         instance_eval(&block)
 
-        if options[:use_db_models] && options[:sync_init_rb_with_db]
-          sync_with_db
+        unless Lockdown::System.fetch(:skip_db_sync_in).include?(ENV['RAILS_ENV']) 
+          Lockdown::Database.sync_with_db
         end
       end
 
+      # Return option value for key
       def fetch(key)
         (@options||={})[key]
       end
-      
-      def set_permission(name, *method_arrays)
-        @permissions[name] ||= []
-        method_arrays.each{|ary| @permissions[name] += ary}
-      end
-      
-      def get_permissions
-        @permissions.keys
-      end
-
-      def permission_exists?(perm)
-        get_permissions.include?(perm)
-      end
-
-      def set_user_group(name, *perms)
-        @user_groups[name] ||= []
-        perms.each do |perm| 
-          unless permission_exists?(perm)
-            raise SecurityError, "For UserGroup (#{name}), permission is invalid: #{perm}"
-          end
-          @user_groups[name].push(perm)
-        end
-      end
-
-      def get_user_groups
-        @user_groups.keys
-      end
-
-      def permissions_for_user_group(ug)
-        sym = lockdown_symbol(ug)
-        
-        if has_user_group?(sym)
-          @user_groups[sym].each do |perm|
-            unless permission_exists?(perm)
-              raise SecurityError, "Permission associated to User Group is invalid: #{perm}"
-            end
-            yield perm
-          end
-        elsif ug.respond_to?(:name)
-          # This user group was defined in the database
-          ug.permissions.each do |perm|
-            perm_sym = lockdown_symbol(perm.name)
-            unless permission_exists?(perm_sym)
-              raise SecurityError, "Permission associated to User Group is invalid: #{perm_sym}"
-            end
-            yield perm_sym
-          end
-        else
-          raise SecurityError, "UserGroup is not known: #{ug.inspect}"
-        end
-      end
-
-      def access_rights_for_permission(perm)
-        sym = lockdown_symbol(perm)
-        
-        unless permission_exists?(sym)
-          raise SecurityError, "Permission requested is not defined: #{sym}"
-        end
-        @permissions[sym]
-      end
-      
-      def public_access?(perm)
-        @public_access.include?(perm)
-      end
 
-      def set_public_access(*perms)
-        perms.each{|perm| @public_access += @permissions[perm]}
+      # *syms is a splat of controller symbols,
+      # e.g all_methods(:users, :authors, :books)
+      def all_methods(*syms)
+        syms.collect{ |sym| paths_for(sym) }.flatten
       end
-
-      def protected_access?(perm)
-        @protected_access.include?(perm)
-      end
-
-      def set_protected_access(*perms)
-        perms.each{|perm| @protected_access += @permissions[perm]}
-      end
-			
-      def permission_assigned_automatically?(perm)
-        public_access?(perm) || protected_access?(perm)
-      end
-
-      def standard_authorized_user_rights
-        Lockdown::System.public_access + Lockdown::System.protected_access 
-      end
-
-      #
-      # Determine if the user group is defined in init.rb
+    
+      # controller name (sym) and a splat of methods to 
+      # exclude from result
       #
-      def has_user_group?(ug)
-        sym = lockdown_symbol(ug)
-
-        return true if sym == administrator_group_symbol
-        get_user_groups.each do |key|
-          return true if key == sym
-        end
-        false
-      end
-
-      #
-      # Delete a user group record from the database
-      #
-      def delete_user_group(str_sym)
-        ug = UserGroup.find(:first, :conditions => ["name = ?",lockdown_string(str_sym)])
-        ug.destroy unless ug.nil?
-      end
-
-      def access_rights_for_user(usr)
-        return unless usr
-        return :all if administrator?(usr)
-
-        rights = standard_authorized_user_rights
-        
-        if @options[:use_db_models]
-          usr.user_groups.each do |grp|
-            permissions_for_user_group(grp) do |perm|
-              rights += access_rights_for_permission(perm) 
-            end
-          end
-        end
-        rights
-      end
-
-      #
-      # Use this for the management screen to restrict user group list to the
-      # user.  This will prevent a user from creating a user with more power than
-      # him/her self.
+      # All user methods except destroy:
+      # e.g all_except_methods(:users, :destroy)
+      def all_except_methods(sym, *methods)
+        paths_for(sym) - paths_for(sym, *methods) 
+      end
+    
+      # controller name (sym) and a splat of methods to 
+      # to build the result
       # 
-      #
-      def user_groups_assignable_for_user(usr)
-        return [] if usr.nil?
-        
-        if administrator?(usr)
-          UserGroup.find(:all, :order => :name)
-        else
-          UserGroup.find_by_sql <<-SQL
-            select user_groups.* from user_groups, user_groups_users
-             where user_groups.id = user_groups_users.user_group_id
-             and user_groups_users.user_id = #{usr.id}	 
-             order by user_groups.name
-          SQL
-        end
+      # Only user methods index (list), show (good for readonly access):
+      # e.g only_methods(:users, :index, :show)
+      def only_methods(sym, *methods)
+        paths_for(sym, *methods)
       end
 
+      # all controllers, all actions
       #
-      # Similar to user_groups_assignable_for_user, this method should be
-      # used to restrict users from creating a user group with more power than
-      # they have been allowed.
-      #
-      def permissions_assignable_for_user(usr)
-        return [] if usr.nil?
-        if administrator?(usr)
-          @permissions.keys.collect{|k| Permission.find_by_name(lockdown_string(k)) }.compact
-        else
-          groups = user_groups_assignable_for_user(usr)
-          groups.collect{|g| g.permissions}.flatten.compact
-        end
+      # This is admin access
+      def all_controllers_all_methods
+        controllers = controller_classes
+        controllers.collect do |str, klass|
+          paths_for( controller_name(klass), available_actions(klass) )
+        end.flatten!
       end
 
-      def make_user_administrator(usr)
-        unless Lockdown.database_table_exists?(UserGroup)
-          create_administrator_user_group 
-        end
-
-        usr.user_groups << UserGroup.find_or_create_by_name(administrator_group_string)
-      end
-      
-      def administrator?(usr)
-        user_has_user_group?(usr, administrator_group_symbol)
-      end
-
-      def administrator_rights
-        all_controllers
-      end
-      
       def fetch_controller_class(str)
-        @controller_classes[lockdown_class_name(str)]
+        controller_classes[Lockdown.controller_class_name(str)]
       end
-      
+    
       protected 
 
       def set_defaults
         load_controller_classes
 
-        @permissions = {}
-        @user_groups = {}
-        
-        @public_access = []
-        @protected_access = []
-        @private_access = []
+        initialize_rights
 
         @options = {
-          :use_db_models => true,
-          :sync_init_rb_with_db => true,
           :session_timeout => (60 * 60),
           :logout_on_access_violation => false,
           :access_denied_path => "/",
-          :successful_login_path => "/"
+          :successful_login_path => "/",
+          :subdirectory => nil,
+          :skip_db_sync_in => ["test"]
         }
       end
 
-      private
-      
-      def create_administrator_user_group
-        return unless @options[:use_db_models]
-        UserGroup.create :name => administrator_group_name
-      end
-      
-      def user_has_user_group?(usr, sym)
-        usr.user_groups.each do |ug|
-          return true if convert_reference_name(ug.name) == sym
-        end
-        false
-      end
-
-      def load_controller_classes
-        @controller_classes = {}
-         
-        maybe_load_framework_controller_parent
-
-        Dir.chdir("#{Lockdown.project_root}/app/controllers") do
-          Dir["**/*.rb"].sort.each do |c|
-            next if c == "application.rb"
-            lockdown_load(c) 
-          end
-        end
-
-        if Lockdown.rails_app? && ENV['RAILS_ENV'] != 'production'
-          if ActiveSupport.const_defined?("Dependencies")
-            ActiveSupport::Dependencies.clear
-          else
-            Dependencies.clear
-          end
-        end
-      end
-
-      def lockdown_class_name_from_file(str)
-        str.split(".")[0].split("/").collect{|s| camelize(s) }.join("::")
-      end
+      private 
 
-      def lockdown_class_name(str)
-        if str.include?("__")
-          controller_class_name(str.split("__").collect{|p| camelize(p)}.join("::"))
-        else
-          controller_class_name(camelize(str))
+      def paths_for(str_sym, *methods)
+        str_sym = str_sym.to_s if str_sym.is_a?(Symbol)
+        if methods.empty?
+          klass = fetch_controller_class(str_sym)
+          methods = available_actions(klass) 
         end
-      end
+        path_str = str_sym.gsub("__","\/") 
+        
+        subdir = Lockdown::System.fetch(:subdirectory)
+        path_str = "#{subdir}/#{path_str}" if subdir
 
-      def maybe_load_framework_controller_parent
-        if Lockdown.rails_app?
-          if ActiveSupport.const_defined?("Dependencies")
-            ActiveSupport::Dependencies.require_or_load("application.rb")
-          else
-            Dependencies.require_or_load("application.rb")
-          end
-        else
-          load("application.rb") unless const_defined?("Application")
-        end
-      end
-      
-      def lockdown_load(file)
-        klass = lockdown_class_name_from_file(file)
-        if Lockdown.rails_app?
-          if ActiveSupport.const_defined?("Dependencies")
-            ActiveSupport::Dependencies.require_or_load(file)
-          else
-            Dependencies.require_or_load(file)
-          end
-        else
-          load(file) unless qualified_const_defined?(klass)
-        end
-        @controller_classes[klass] = qualified_const_get(klass) 
-      end
+        controller_actions = methods.flatten
+        returning = controller_actions.collect{|meth| "#{path_str}/#{meth.to_s}" }
 
-      def qualified_const_defined?(klass)
-        if klass =~ /::/
-          namespace, klass = klass.split("::")
-          eval("#{namespace}.const_defined?(#{klass})") if const_defined?(namespace)
-        else
-          const_defined?(klass)
+        if controller_actions.include?("index")
+          returning += [path_str]
         end
-      end
 
-      def qualified_const_get(klass)
-        if klass =~ /::/
-          namespace, klass = klass.split("::")
-          eval(namespace).const_get(klass)
-        else
-          const_get(klass)
-        end
+        returning
       end
 
-      #
-      # This is very basic and could be handled better using orm specific
-      # functionality, but I wanted to keep it generic to avoid creating 
-      # an interface for each the different orm implementations. 
-      # We'll see how it works...
-      #
-      def sync_with_db
-        # Create permissions not found in the database
-        get_permissions.each do |key|
-          next if permission_assigned_automatically?(key)
-          str = lockdown_string(key)
-          p = Permission.find(:first, :conditions => ["name = ?", str])
-          unless p
-            puts ">> Lockdown: Permission not found in db: #{str}, creating."
-            Permission.create(:name => str)
-          end
-        end
-
-        #
-        # Delete the permissions not found in init.rb
-        #
-        db_perms = Permission.find(:all).dup
-        perm_keys = get_permissions
-        db_perms.each do |dbp|
-          unless perm_keys.include?(lockdown_symbol(dbp.name))
-            puts ">> Lockdown: Permission no longer in init.rb: #{dbp.name}, deleting."
-            Lockdown.database_execute("delete from permissions_user_groups where permission_id = #{dbp.id}")
-            dbp.destroy
-          end
-        end
-
-        # Create user groups not found in the database
-        get_user_groups.each do |key|
-          str = lockdown_string(key)
-          ug = UserGroup.find(:first, :conditions => ["name = ?", str])
-          unless ug
-            puts ">> Lockdown: UserGroup not in the db: #{str}, creating."
-            ug = UserGroup.create(:name => str)
-            #Inefficient, definitely, but shouldn't have any issues across orms.
-            permissions_for_user_group(key) do |perm|
-              p = Permission.find(:first, :conditions => ["name = ?", lockdown_string(perm)])
-              Lockdown.database_execute <<-SQL 
-                insert into permissions_user_groups(permission_id, user_group_id)
-                values(#{p.id}, #{ug.id})
-              SQL
-            end
-          else
-            # Remove permissions from user group not found in init.rb
-            ug.permissions.each do |perm|
-              perm_sym = lockdown_symbol(perm)
-              perm_string = lockdown_string(perm)
-              unless @user_groups[key].include?(perm_sym)
-                puts ">> Lockdown: Permission: #{perm_string} no longer associated to User Group: #{ug.name}, deleting."
-                ug.permissions.delete(perm)
-              end
-            end
-
-            # Add in permissions from init.rb not found in database
-            @user_groups[key].each do |perm|
-              perm_string = lockdown_string(perm)
-              found = false
-              # see if permission exists
-              ug.permissions.each do |p|
-                found = true if lockdown_string(p) == perm_string 
-              end
-              # if not found, add it
-              unless found
-                puts ">> Lockdown: Permission: #{perm_string} not found for User Group: #{ug.name}, adding it."
-                p = Permission.find(:first, :conditions => ["name = ?", perm_string])
-                ug.permissions << p
-              end
-            end
-          end
-        end
-      rescue Exception => e
-        puts ">> Lockdown sync failed: #{e}" 
-      end
     end # class block
   end # System class
 end # Lockdown

data/lib/lockdown/version.rb

@@ -1,8 +1,8 @@
 module Lockdown #:nodoc:
   module VERSION #:nodoc:
     MAJOR = 0
-    MINOR = 5
-    TINY  = 22
+    MINOR = 6
+    TINY  = 0
 
     STRING = [MAJOR, MINOR, TINY].join('.')
   end

data/lib/lockdown.rb

@@ -1,151 +1,40 @@
-$:.unshift(File.dirname(__FILE__)) unless
-  $:.include?(File.dirname(__FILE__)) || $:.include?(File.expand_path(File.dirname(__FILE__)))
+require File.join(File.dirname(__FILE__), "lockdown", "classy-inheritance")
+require File.join(File.dirname(__FILE__), "lockdown", "helper")
 
 module Lockdown
   class << self
-    def format_controller_action(url)
-      new_url = url.split("/").delete_if{|p| p.to_i > 0 || p.length == 0}.join("/")
-      new_url += "/index" unless new_url =~ /\//
-      new_url
-    end
-
-    def format_controller(ctr)
-      ctr.split("/").delete_if{|p| p.length == 0}.join("/")
-    end
-
-    def project_root
-      project_related_value("Merb.root", "RAILS_ROOT")
-    end
-                       
-    def merb_app?
-      Object.const_defined?("Merb") && Merb.const_defined?("AbstractController")
-    end
-
-    def rails_app?
-      Object.const_defined?("ActionController") && ActionController.const_defined?("Base")
-    end
-
-    def controller_parent
-      project_related_value("Merb::Controller", "ActionController::Base")
-    end
-
-    def datamapper_orm?
-      Object.const_defined?("DataMapper") && DataMapper.const_defined?("Base")
-    end
-
-    def active_record_orm?
-      Object.const_defined?("ActiveRecord") && ActiveRecord.const_defined?("Base")
-    end
-
-    def orm_parent
-      if datamapper_orm?
-        DataMapper::Base
-      elsif active_record_orm?
-        ActiveRecord::Base
-      else
-        raise NotImplementedError, "ORM unknown to Lockdown!  Lockdown recognizes DataMapper and ActiveRecord"
-      end
-    end
-
-    def database_execute(query)
-      if active_record_orm?
-        ActiveRecord::Base.connection.execute(query)
-      elsif datamapper_orm?
-        DataMapper.database.execute(query)
-      else
-        raise NotImplementedError, "ORM unknown to Lockdown!  Lockdown recognizes DataMapper and ActiveRecord"
-      end
-    end
+    include Lockdown::Helper
 
-    def database_query(query)
-      if active_record_orm?
-        ActiveRecord::Base.connection.execute(query)
-      elsif datamapper_orm?
-        DataMapper.database.query(query)
+    def mixin
+      if mixin_resource?("frameworks")
+        unless mixin_resource?("orms")
+          raise NotImplementedError, "ORM unknown to Lockdown!"
+        end
       else
-        raise NotImplementedError, "ORM unknown to Lockdown!  Lockdown recognizes DataMapper and ActiveRecord"
+        raise NotImplementedError, "Framework unknown to Lockdown!"
       end
     end
 
-    def database_table_exists?(klass)
-      if active_record_orm?
-        klass.table_exists?
-      elsif datamapper_orm?
-        DataMapper.database.table_exists?(klass)
-      else
-        raise NotImplementedError, "ORM unknown to Lockdown!  Lockdown recognizes DataMapper and ActiveRecord"
-      end
-    end
     private
 
-    def project_related_value(merb_val, rails_val)
-      if merb_app?
-        eval(merb_val)
-      elsif rails_app?
-        eval(rails_val)
-      else
-        raise NotImplementedError, "Project type unkown to Lockdown"
-      end
-
-    end
-  end # class block
-  
-  require File.join("lockdown", "helper.rb")
-  require File.join("lockdown", "controller_inspector.rb")
-  require File.join("lockdown", "system.rb")
-  require File.join("lockdown", "controller.rb")
-  require File.join("lockdown", "model.rb")
-  require File.join("lockdown", "view.rb")
-
-  module Session
-    include Lockdown::Helper
-
-    def nil_lockdown_values
-      [:expiry_time, :user_id, :user_name, :user_profile_id, :access_rights].each do |val|
-        session[val] = nil if session[val]
-      end
-    end 
-    
-    #
-    # Does the current user have access to at least one permission
-    # in the user group?
-    #
-    def current_user_access_in_group?(grp)
-      return true if current_user_is_admin?
-        Lockdown::System.user_groups[grp].each do |perm|
-          return true if access_in_perm?(perm)
+    def mixin_resource?(str)
+      Dir["#{File.dirname(__FILE__)}/lockdown/#{str}/*.rb"].each do |f|
+        require "#{f}"
+        mod = File.basename(f).split(".")[0]
+        mklass = eval("Lockdown::#{str.capitalize}::#{Lockdown.camelize(mod)}")
+        if mklass.use_me?
+          include mklass
+          return true
         end
+      end
       false
     end
+  end # class block
+end # Lockdown
 
-    def current_user_is_admin?
-      session[:access_rights] == :all
-    end
-
-    private
-
-    #
-    # session[:access_rights] are the keys to Lockdown.
-    #
-    # session[:access_rights] holds the array of "controller/action" strings 
-    # allowed for the user.
-    #
-    #
-    def add_lockdown_session_values(user)
-      session[:access_rights] = Lockdown::System.access_rights_for_user(user)
-    end
-
-    def access_in_perm?(perm)
-      Lockdown::System.permissions[perm].each do |ar|
-        return true if session_access_rights_include?(ar)
-      end unless Lockdown::System.permissions[perm].nil?
-      false
-    end
 
-    def session_access_rights_include?(str)
-      return false unless session[:access_rights]
-      session[:access_rights].include?(str)
-    end
-  end
-end
+require File.join(File.dirname(__FILE__), "lockdown", "system")
+require File.join(File.dirname(__FILE__), "lockdown", "controller")
+require File.join(File.dirname(__FILE__), "lockdown", "session")
 
+Lockdown.mixin