RubyGems - lockdown - Versions diffs - 0.7.1 → 0.8.0 - Mend

lockdown 0.7.1 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (46) hide show

data/.DS_Store +0 -0
data/History.txt +3 -0
data/README.txt +1 -1
data/Rakefile +16 -1
data/lib/lockdown/context.rb +41 -0
data/lib/lockdown/database.rb +11 -14
data/lib/lockdown/frameworks/rails/controller.rb +57 -4
data/lib/lockdown/frameworks/rails/view.rb +1 -1
data/lib/lockdown/frameworks/rails.rb +21 -10
data/lib/lockdown/helper.rb +1 -1
data/lib/lockdown/permission.rb +204 -0
data/lib/lockdown/rules.rb +287 -0
data/lib/lockdown/session.rb +8 -6
data/lib/lockdown/system.rb +35 -88
data/lib/lockdown.rb +52 -49
data/rails_generators/.DS_Store +0 -0
data/rails_generators/lockdown/.DS_Store +0 -0
data/rails_generators/lockdown/lockdown_generator.rb +5 -5
data/rails_generators/lockdown/templates/.DS_Store +0 -0
data/rails_generators/lockdown/templates/lib/.DS_Store +0 -0
data/rails_generators/lockdown/templates/lib/lockdown/init.rb +27 -19
data/rails_generators/lockdown/templates/lib/lockdown/session.rb +1 -3
data/spec/lockdown/database_spec.rb +158 -0
data/spec/lockdown/frameworks/rails/controller_spec.rb +220 -0
data/spec/lockdown/frameworks/rails/view_spec.rb +87 -0
data/spec/lockdown/frameworks/rails_spec.rb +170 -0
data/spec/lockdown/permission_spec.rb +156 -0
data/spec/lockdown/rules_spec.rb +109 -0
data/spec/lockdown/session_spec.rb +88 -0
data/spec/lockdown/system_spec.rb +59 -0
data/spec/lockdown_spec.rb +19 -0
data/spec/rcov.opts +5 -0
data/spec/spec.opts +3 -0
data/spec/spec_helper.rb +1 -0
data/tasks/post_load.rake +2 -7
data/tasks/setup.rb +24 -3
metadata +23 -12
data/.gitignore +0 -5
data/Manifest.txt +0 -51
data/lib/lockdown/controller.rb +0 -64
data/lib/lockdown/frameworks/merb/controller.rb +0 -63
data/lib/lockdown/frameworks/merb/view.rb +0 -32
data/lib/lockdown/frameworks/merb.rb +0 -84
data/lib/lockdown/orms/data_mapper.rb +0 -70
data/lib/lockdown/rights.rb +0 -208
data/tasks/manifest.rake +0 -48

data/lib/lockdown/rules.rb ADDED Viewed

@@ -0,0 +1,287 @@
+module Lockdown
+  class InvalidRuleAssignment < StandardError; end
+  module Rules
+    attr_accessor :options
+    attr_accessor :permissions
+    attr_accessor :user_groups
+    attr_accessor :controller_classes
+    attr_reader :protected_access
+    attr_reader :public_access
+    attr_reader :permission_objects
+    def set_defaults
+      @permissions  = {}
+      @user_groups  = {}
+      @options      = {}
+      @permission_objects = {}
+      @controller_classes = []
+      @public_access      = []
+      @protected_access   = []
+      @options = {
+        :session_timeout => (60 * 60),
+        :logout_on_access_violation => false,
+        :access_denied_path => "/",
+        :successful_login_path => "/",
+        :subdirectory => nil,
+        :skip_db_sync_in => ["test"],
+        :link_separator => ' | '
+      }
+    end
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    # =Rule defining methods.  e.g. Methods used in lib/lockdown/init.rb
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    # Creates new permission object
+    #   Refer to the Permission object for the full functionality
+    def set_permission(name)
+      @permission_objects[name] = Lockdown::Permission.new(name)
+    end
+    # Defines public access by the permission symbols
+    #
+    # ==== Example
+    #   set_public_access(:permission_one, :permission_two)
+    #
+    def set_public_access(*perms)
+      perms.each do |perm_symbol|
+        perm = permission_objects.find{|name, pobj| pobj.name == perm_symbol}
+        if perm
+          perm[1].set_as_public_access
+        else
+          msg = "Permission not found: #{perm_symbol}"
+          raise InvalidRuleAssigment, msg
+        end
+      end
+    end
+    # Defines protected access by the permission symbols
+    #
+    # ==== Example
+    #   set_public_access(:permission_one, :permission_two)
+    #
+    def set_protected_access(*perms)
+      perms.each do |perm_symbol|
+        perm = permission_objects.find{|name, pobj| pobj.name == perm_symbol}
+        if perm
+          perm[1].set_as_protected_access
+        else
+          msg = "Permission not found: #{perm_symbol}"
+          raise InvalidRuleAssigment, msg
+        end
+      end
+    end
+    # Define a user groups by name and permission symbol(s)
+    #
+    # ==== Example
+    #   set_user_group(:managment_group, :permission_one, :permission_two)
+    #
+    def set_user_group(name, *perms)
+      user_groups[name] ||= []
+      perms.each do |perm|
+        user_groups[name].push(perm)
+      end
+    end
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    # =Convenience methods for permissions and user groups
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    # Returns array of permission names as symbols
+    def get_permissions
+      permissions.keys
+    end
+    # Is the permission defined?
+    def permission_exists?(permission_symbol)
+      get_permissions.include?(permission_symbol)
+    end
+    alias_method :has_permission?, :permission_exists?
+    # returns true if the permission is public
+    def public_access?(permmision_symbol)
+      public_access.include?(permmision_symbol)
+    end
+    # returns true if the permission is public
+    def protected_access?(permmision_symbol)
+      protected_access.include?(permmision_symbol)
+    end
+    # These permissions are assigned by the system
+    def permission_assigned_automatically?(permmision_symbol)
+      public_access?(permmision_symbol) || protected_access?(permmision_symbol)
+    end
+    # Returns array of user group names as symbols
+    def get_user_groups
+      user_groups.keys
+    end
+    # Is the user group defined?
+    #   The :administrators user group always exists
+    def user_group_exists?(user_group_symbol)
+      return true if user_group_symbol == Lockdown.administrator_group_symbol
+      get_user_groups.include?(user_group_symbol)
+    end
+    alias_method :has_user_group?, :user_group_exists?
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    # =Convenience methods for permissions and user groups
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    # Pass in a user object to be associated to the administrator user group
+    # The group will be created if it doesn't exist
+    def make_user_administrator(usr)
+      usr.user_groups << UserGroup.
+        find_or_create_by_name(Lockdown.administrator_group_string)
+    end
+    # Returns array of controller/action values all logged in users can access.
+    def standard_authorized_user_rights
+      public_access + protected_access
+    end
+    # Return array of controller/action values user can access.
+    def access_rights_for_user(usr)
+      return unless usr
+      return :all if administrator?(usr)
+      rights = standard_authorized_user_rights
+      usr.user_groups.each do |grp|
+        permissions_for_user_group(grp).each do |perm|
+          rights += access_rights_for_permission(perm)
+        end
+      end
+      rights
+    end
+    # Return array of controller/action for a permission
+    def access_rights_for_permission(perm)
+      sym = Lockdown.get_symbol(perm)
+      permissions[sym]
+    rescue
+      raise SecurityError, "Permission requested is not defined: #{sym}"
+    end
+    # Test user for administrator rights
+    def administrator?(usr)
+      user_has_user_group?(usr, Lockdown.administrator_group_symbol)
+    end
+    # Pass in user object and symbol for name of user group
+    def user_has_user_group?(usr, sym)
+      usr.user_groups.any? do |ug|
+        Lockdown.convert_reference_name(ug.name) == sym
+      end
+    end
+    # Use this for the management screen to restrict user group list to the
+    # user.  This will prevent a user from creating a user with more power than
+    # him/her self.
+    def user_groups_assignable_for_user(usr)
+      return [] if usr.nil?
+      if administrator?(usr)
+        UserGroup.find_by_sql <<-SQL
+          select user_groups.* from user_groups order by user_groups.name
+        SQL
+      else
+        UserGroup.find_by_sql <<-SQL
+            select user_groups.* from user_groups, user_groups_users
+             where user_groups.id = user_groups_users.user_group_id
+             and user_groups_users.user_id = #{usr.id}
+             order by user_groups.name
+        SQL
+      end
+    end
+    # Similar to user_groups_assignable_for_user, this method should be
+    # used to restrict users from creating a user group with more power than
+    # they have been allowed.
+    def permissions_assignable_for_user(usr)
+      return [] if usr.nil?
+      if administrator?(usr)
+        get_permissions.collect do |k|
+          ::Permission.find_by_name(Lockdown.get_string(k))
+        end.compact
+      else
+        user_groups_assignable_for_user(usr).collect do |g|
+          g.permissions
+        end.flatten.compact
+      end
+    end
+    # Returns and array of permission symbols for the user group
+    def permissions_for_user_group(ug)
+      sym = Lockdown.get_symbol(ug)
+      perm_array = []
+      if has_user_group?(sym)
+        permissions = user_groups[sym] || []
+      else
+        permissions = ug.permissions
+      end
+      permissions.each do |perm|
+        perm_sym = Lockdown.get_symbol(perm)
+        unless permission_exists?(perm_sym)
+          msg = "Permission associated to User Group is invalid: #{perm}"
+          raise SecurityError, msg
+        end
+        perm_array << perm_sym
+      end
+      perm_array
+    end
+    def process_rules
+      parse_permissions
+      validate_user_groups
+    end
+    private
+    def parse_permissions
+      permission_objects.each do |name, perm|
+        @permissions[perm.name] ||= []
+        perm.controllers.each do |name, controller|
+          @permissions[perm.name] << controller.access_methods
+          if perm.public_access?
+            @public_access.concat controller.access_methods
+          elsif perm.protected_access?
+            @protected_access.concat controller.access_methods
+          end
+        end
+      end
+    end
+    def validate_user_groups
+      user_groups.each do |user_group, perms|
+        perms.each do |perm|
+          unless permission_exists?(perm)
+            msg ="User Group: #{user_group}, permission not found: #{perm}"
+            raise InvalidRuleAssignment, msg
+          end
+        end
+      end
+    end
+  end
+end

data/lib/lockdown/session.rb CHANGED Viewed

@@ -1,5 +1,7 @@
 module Lockdown
   module Session
+    protected
     def nil_lockdown_values
       [:expiry_time, :user_id, :user_name, :user_profile_id, :access_rights].each do |val|
         session[val] = nil if session[val]
@@ -18,16 +20,16 @@ module Lockdown
       session[:access_rights] == :all
     end
-    private
     def add_lockdown_session_values(user)
       session[:access_rights] = Lockdown::System.access_rights_for_user(user)
     end
     def access_in_perm?(perm)
-      Lockdown::System.permissions[perm].each do |ar|
-        return true if session_access_rights_include?(ar)
-      end unless Lockdown::System.permissions[perm].nil?
+      if Lockdown::System.permissions[perm]
+        Lockdown::System.permissions[perm].each do |ar|
+          return true if session_access_rights_include?(ar)
+        end
+      end
       false
     end
@@ -36,4 +38,4 @@ module Lockdown
       session[:access_rights].include?(str)
     end
   end # Session
-end # Lockdown
+end # Lockdown

data/lib/lockdown/system.rb CHANGED Viewed

@@ -1,106 +1,53 @@
-require File.join(File.dirname(__FILE__), "rights")
-require File.join(File.dirname(__FILE__), "database")
 module Lockdown
   class System
-    class << self
-      include Lockdown::Rights
-      attr_accessor :options #:nodoc:
-      attr_accessor :controller_classes #:nodoc:
+    extend Lockdown::Rules
-      def configure(&block)
-        set_defaults
+    def self.configure(&block)
+      set_defaults
-        instance_eval(&block)
+      # Defined by the framework
+      load_controller_classes
-        Lockdown::Database.sync_with_db unless skip_sync?
+      # Lockdown::Rules defines the methods that are used inside block
+      instance_eval(&block)
-      end
+      # Lockdown::Rules defines process_rules
+      process_rules
-      # Return option value for key
-      def fetch(key)
-        (@options||={})[key]
-      end
+      Lockdown::Database.sync_with_db unless skip_sync?
+    end
-      # *syms is a splat of controller symbols,
-      # e.g all_methods(:users, :authors, :books)
-      def all_methods(*syms)
-        syms.collect{ |sym| paths_for(sym) }.flatten
-      end
-      # controller name (sym) and a splat of methods to
-      # exclude from result
-      #
-      # All user methods except destroy:
-      # e.g all_except_methods(:users, :destroy)
-      def all_except_methods(sym, *methods)
-        paths_for(sym) - paths_for(sym, *methods)
-      end
-      # controller name (sym) and a splat of methods to
-      # to build the result
-      #
-      # Only user methods index (list), show (good for readonly access):
-      # e.g only_methods(:users, :index, :show)
-      def only_methods(sym, *methods)
-        paths_for(sym, *methods)
-      end
+    def self.fetch(key)
+      (@options||={})[key]
+    end
-      # all controllers, all actions
-      #
-      # This is admin access
-      def all_controllers_all_methods
-        controllers = controller_classes
-        controllers.collect do |str, klass|
-          paths_for( controller_name(klass), available_actions(klass) )
-        end.flatten!
-      end
+    protected
-      def fetch_controller_class(str)
-        controller_classes[Lockdown.controller_class_name(str)]
+    def self.paths_for(str_sym, *methods)
+      str_sym = str_sym.to_s if str_sym.is_a?(Symbol)
+      if methods.empty?
+        klass = fetch_controller_class(str_sym)
+        methods = available_actions(klass)
       end
-      protected
-      def set_defaults
-        load_controller_classes
-        initialize_rights
-        @options = {
-          :session_timeout => (60 * 60),
-          :logout_on_access_violation => false,
-          :access_denied_path => "/",
-          :successful_login_path => "/",
-          :subdirectory => nil,
-          :skip_db_sync_in => ["test"]
-        }
-      end
-      private
-      def paths_for(str_sym, *methods)
-        str_sym = str_sym.to_s if str_sym.is_a?(Symbol)
-        if methods.empty?
-          klass = fetch_controller_class(str_sym)
-          methods = available_actions(klass)
-        end
-        path_str = str_sym.gsub("__","\/")
+      path_str = str_sym.gsub("__","\/")
-        subdir = Lockdown::System.fetch(:subdirectory)
-        path_str = "#{subdir}/#{path_str}" if subdir
+      subdir = Lockdown::System.fetch(:subdirectory)
+      path_str = "#{subdir}/#{path_str}" if subdir
-        controller_actions = methods.flatten
-        returning = controller_actions.collect{|meth| "#{path_str}/#{meth.to_s}" }
+      controller_actions = methods.flatten.collect{|m| m.to_s}
-        if controller_actions.include?("index")
-          returning += [path_str]
-        end
+      paths = controller_actions.collect{|meth| "#{path_str}/#{meth.to_s}" }
-        returning
+      if controller_actions.include?("index")
+        paths += [path_str]
       end
-    end # class block
-  end # System class
+      paths
+    end
+    def self.fetch_controller_class(str)
+      controller_classes[Lockdown.controller_class_name(str)]
+    end
+ end # System class
 end # Lockdown

data/lib/lockdown.rb CHANGED Viewed

@@ -1,67 +1,70 @@
 require File.join(File.dirname(__FILE__), "lockdown", "helper")
 module Lockdown
-  # :stopdoc:
-  VERSION = '0.7.1'
-  LIBPATH = ::File.expand_path(::File.dirname(__FILE__)) + ::File::SEPARATOR
-  PATH = ::File.dirname(LIBPATH) + ::File::SEPARATOR
-  # :startdoc:
-  class << self
-    include Lockdown::Helper
+  extend Lockdown::Helper
-    # Returns the version string for the library.
-    def version
-      VERSION
-    end
-    # Returns the qualified path to the init file
-    def init_file
-     "#{Dir.pwd}/lib/lockdown/init.rb"
-    end
+  VERSION = '0.8.0'
+  # Returns the version string for the library.
+  def self.version
+    VERSION
+  end
+  def self.major_version
+    version.split('.')[0].to_i
+  end
-    # Mixin Lockdown code to the appropriate framework and ORM
-    def mixin
-      if mixin_resource?("frameworks")
-        unless mixin_resource?("orms")
-          raise NotImplementedError, "ORM unknown to Lockdown!"
-        end
+  def self.minor_version
+    version.split('.')[1].to_i
+  end
+  def self.patch_version
+    version.split('.')[2].to_i
+  end
+  # Mixin Lockdown code to the appropriate framework and ORM
+  def self.mixin
+    if mixin_resource?("frameworks")
+      unless mixin_resource?("orms")
+        raise NotImplementedError, "ORM unknown to Lockdown!"
+      end
-        if File.exists?(Lockdown.init_file)
-          puts "=> Requiring Lockdown rules engine: #{Lockdown.init_file} \n"
-          require Lockdown.init_file
-        else
-          puts "=> Note:: Lockdown couldn't find init file: #{Lockdown.init_file}\n"
-        end
+      if File.exists?(Lockdown.init_file)
+        puts "=> Requiring Lockdown rules engine: #{Lockdown.init_file} \n"
+        require Lockdown.init_file
       else
-        puts "=> Note:: Lockdown cannot determine framework and therefore is not active.\n"
+        puts "=> Note:: Lockdown couldn't find init file: #{Lockdown.init_file}\n"
       end
-    end # mixin
+    else
+      puts "=> Note:: Lockdown cannot determine framework and therefore is not active.\n"
+    end
+  end # mixin
-    # :stopdoc:
-    private
+  private
-    def mixin_resource?(str)
-      wildcard_path = File.join( File.dirname(__FILE__), 'lockdown', str , '*.rb' )
-      Dir[wildcard_path].each do |f|
-        require f
-        module_name = File.basename(f).split(".")[0]
-        module_class = eval("Lockdown::#{str.capitalize}::#{Lockdown.camelize(module_name)}")
-        if module_class.use_me?
-          include module_class
-          return true
-        end
+  def self.mixin_resource?(str)
+    wildcard_path = File.join( File.dirname(__FILE__), 'lockdown', str , '*.rb' )
+    Dir[wildcard_path].each do |f|
+      require f
+      module_name = File.basename(f).split(".")[0]
+      module_class = eval("Lockdown::#{str.capitalize}::#{Lockdown.camelize(module_name)}")
+      if module_class.use_me?
+        include module_class
+        return true
       end
-      false
-    end # mixin_resource?
-  end # class block
+    end
+    false
+  end # mixin_resource?
 end # Lockdown
-require File.join(File.dirname(__FILE__), "lockdown", "system")
-require File.join(File.dirname(__FILE__), "lockdown", "controller")
 require File.join(File.dirname(__FILE__), "lockdown", "session")
+require File.join(File.dirname(__FILE__), "lockdown", "context")
+require File.join(File.dirname(__FILE__), "lockdown", "permission")
+require File.join(File.dirname(__FILE__), "lockdown", "database")
+require File.join(File.dirname(__FILE__), "lockdown", "rules")
+require File.join(File.dirname(__FILE__), "lockdown", "system")
 puts "=> Mixing in Lockdown version: #{Lockdown.version} \n"
 Lockdown.mixin

data/rails_generators/.DS_Store ADDED Viewed

Binary file

data/rails_generators/lockdown/.DS_Store ADDED Viewed

Binary file

data/rails_generators/lockdown/lockdown_generator.rb CHANGED Viewed

@@ -137,7 +137,7 @@ class LockdownGenerator < Rails::Generator::Base
   end
   def add_login_permissions
-    add_permissions "set_permission :sessions_management, all_methods(:sessions)"
+    add_permissions "set_permission(:sessions_management).with_controller(:sessions)"
     add_predefined_user_group "set_public_access :sessions_management"
   end
@@ -157,10 +157,10 @@ class LockdownGenerator < Rails::Generator::Base
   def add_management_permissions
     perms = []
-    perms << "set_permission :users_management, all_methods(:#{@namespace.blank? ? "users" : "#{@namespace}__users"})"
-    perms << "set_permission :user_groups_management, all_methods(:#{@namespace.blank? ? "user_groups" : "#{@namespace}__user_groups"})"
-    perms << "set_permission :permissions_management, all_methods(:#{@namespace.blank? ? "permissions" : "#{@namespace}__permissions"})"
-    perms << "set_permission :my_account, only_methods(:#{@namespace.blank? ? "users" : "#{@namespace}__users"}, :edit, :update, :show)"
+    perms << "set_permission(:users_management).with_controller(:#{@namespace.blank? ? "users" : "#{@namespace}__users"})"
+    perms << "set_permission(:user_groups_management).with_controller(:#{@namespace.blank? ? "user_groups" : "#{@namespace}__user_groups"})"
+    perms << "set_permission(:permissions_management).with_controller(:#{@namespace.blank? ? "permissions" : "#{@namespace}__permissions"})"
+    perms << "set_permission(:my_account).with_controller(:#{@namespace.blank? ? "users" : "#{@namespace}__users"}).only_methods(:edit, :update, :show)"
     add_permissions perms.join("\n  ")

data/rails_generators/lockdown/templates/.DS_Store ADDED Viewed

Binary file

data/rails_generators/lockdown/templates/lib/.DS_Store ADDED Viewed

Binary file