lockdown 0.7.1 → 0.8.0

data/lib/lockdown/rules.rb

@@ -0,0 +1,287 @@
+module Lockdown
+  class InvalidRuleAssignment < StandardError; end
+
+  module Rules
+    attr_accessor :options
+    attr_accessor :permissions
+    attr_accessor :user_groups
+    attr_accessor :controller_classes
+
+    attr_reader :protected_access 
+    attr_reader :public_access
+
+    attr_reader :permission_objects
+ 
+    def set_defaults
+      @permissions  = {}
+      @user_groups  = {}
+      @options      = {}
+
+      @permission_objects = {}
+
+      @controller_classes = []
+      @public_access      = []
+      @protected_access   = []
+
+      @options = {
+        :session_timeout => (60 * 60),
+        :logout_on_access_violation => false,
+        :access_denied_path => "/",
+        :successful_login_path => "/",
+        :subdirectory => nil,
+        :skip_db_sync_in => ["test"],
+        :link_separator => ' | '
+      }
+    end
+
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    # =Rule defining methods.  e.g. Methods used in lib/lockdown/init.rb
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+    # Creates new permission object 
+    #   Refer to the Permission object for the full functionality
+    def set_permission(name)
+      @permission_objects[name] = Lockdown::Permission.new(name)
+    end
+
+    # Defines public access by the permission symbols
+    #
+    # ==== Example
+    #   set_public_access(:permission_one, :permission_two)
+    #
+    def set_public_access(*perms)
+      perms.each do |perm_symbol|
+        perm = permission_objects.find{|name, pobj| pobj.name == perm_symbol}
+        if perm
+          perm[1].set_as_public_access 
+        else
+          msg = "Permission not found: #{perm_symbol}"
+          raise InvalidRuleAssigment, msg
+        end
+      end
+    end
+
+    # Defines protected access by the permission symbols
+    #
+    # ==== Example
+    #   set_public_access(:permission_one, :permission_two)
+    #
+    def set_protected_access(*perms)
+      perms.each do |perm_symbol|
+        perm = permission_objects.find{|name, pobj| pobj.name == perm_symbol}
+        if perm
+          perm[1].set_as_protected_access 
+        else
+          msg = "Permission not found: #{perm_symbol}"
+          raise InvalidRuleAssigment, msg
+        end
+      end
+    end
+
+    # Define a user groups by name and permission symbol(s)
+    #
+    # ==== Example
+    #   set_user_group(:managment_group, :permission_one, :permission_two)
+    #
+    def set_user_group(name, *perms)
+      user_groups[name] ||= []
+      perms.each do |perm|
+        user_groups[name].push(perm)
+      end
+    end
+ 
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    # =Convenience methods for permissions and user groups
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    
+    # Returns array of permission names as symbols
+    def get_permissions
+      permissions.keys
+    end
+
+    # Is the permission defined?
+    def permission_exists?(permission_symbol)
+      get_permissions.include?(permission_symbol)
+    end
+
+    alias_method :has_permission?, :permission_exists?
+    
+    # returns true if the permission is public
+    def public_access?(permmision_symbol)
+      public_access.include?(permmision_symbol)
+    end
+
+    # returns true if the permission is public
+    def protected_access?(permmision_symbol)
+      protected_access.include?(permmision_symbol)
+    end
+
+    # These permissions are assigned by the system 
+    def permission_assigned_automatically?(permmision_symbol)
+      public_access?(permmision_symbol) || protected_access?(permmision_symbol)
+    end
+
+    # Returns array of user group names as symbols
+    def get_user_groups
+      user_groups.keys
+    end
+
+    # Is the user group defined?
+    #   The :administrators user group always exists
+    def user_group_exists?(user_group_symbol)
+      return true if user_group_symbol == Lockdown.administrator_group_symbol
+      get_user_groups.include?(user_group_symbol)
+    end
+
+    alias_method :has_user_group?, :user_group_exists?
+
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    # =Convenience methods for permissions and user groups
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+    # Pass in a user object to be associated to the administrator user group 
+    # The group will be created if it doesn't exist
+    def make_user_administrator(usr)
+      usr.user_groups << UserGroup.
+        find_or_create_by_name(Lockdown.administrator_group_string)
+    end
+
+
+    # Returns array of controller/action values all logged in users can access.
+    def standard_authorized_user_rights
+      public_access + protected_access 
+    end
+
+    # Return array of controller/action values user can access.
+    def access_rights_for_user(usr)
+      return unless usr
+      return :all if administrator?(usr)
+
+      rights = standard_authorized_user_rights
+        
+      usr.user_groups.each do |grp|
+        permissions_for_user_group(grp).each do |perm|
+          rights += access_rights_for_permission(perm) 
+        end
+      end
+      rights
+    end
+
+    # Return array of controller/action for a permission
+    def access_rights_for_permission(perm)
+      sym = Lockdown.get_symbol(perm)
+
+      permissions[sym]
+    rescue 
+      raise SecurityError, "Permission requested is not defined: #{sym}"
+    end
+
+
+    # Test user for administrator rights
+    def administrator?(usr)
+      user_has_user_group?(usr, Lockdown.administrator_group_symbol)
+    end
+
+    # Pass in user object and symbol for name of user group
+    def user_has_user_group?(usr, sym)
+      usr.user_groups.any? do |ug|
+        Lockdown.convert_reference_name(ug.name) == sym
+      end
+    end
+
+    # Use this for the management screen to restrict user group list to the
+    # user.  This will prevent a user from creating a user with more power than
+    # him/her self.
+    def user_groups_assignable_for_user(usr)
+      return [] if usr.nil?
+        
+      if administrator?(usr)
+        UserGroup.find_by_sql <<-SQL
+          select user_groups.* from user_groups order by user_groups.name
+        SQL
+      else
+        UserGroup.find_by_sql <<-SQL
+            select user_groups.* from user_groups, user_groups_users
+             where user_groups.id = user_groups_users.user_group_id
+             and user_groups_users.user_id = #{usr.id}	 
+             order by user_groups.name
+        SQL
+      end
+    end
+
+    # Similar to user_groups_assignable_for_user, this method should be
+    # used to restrict users from creating a user group with more power than
+    # they have been allowed.
+    def permissions_assignable_for_user(usr)
+      return [] if usr.nil?
+      if administrator?(usr)
+        get_permissions.collect do |k| 
+          ::Permission.find_by_name(Lockdown.get_string(k))
+        end.compact
+      else
+        user_groups_assignable_for_user(usr).collect do |g| 
+          g.permissions
+        end.flatten.compact
+      end
+    end
+
+    # Returns and array of permission symbols for the user group
+    def permissions_for_user_group(ug)
+      sym = Lockdown.get_symbol(ug)
+      perm_array = []  
+
+      if has_user_group?(sym)
+        permissions = user_groups[sym] || []
+      else
+        permissions = ug.permissions
+      end
+
+
+      permissions.each do |perm|
+        perm_sym = Lockdown.get_symbol(perm)
+
+        unless permission_exists?(perm_sym)
+          msg = "Permission associated to User Group is invalid: #{perm}"
+          raise SecurityError, msg
+        end
+
+        perm_array << perm_sym
+      end
+
+      perm_array 
+    end
+
+    def process_rules
+      parse_permissions
+      validate_user_groups
+    end
+
+    private
+
+    def parse_permissions
+      permission_objects.each do |name, perm|
+        @permissions[perm.name] ||= []
+        perm.controllers.each do |name, controller|
+          @permissions[perm.name] << controller.access_methods
+
+          if perm.public_access?
+            @public_access.concat controller.access_methods
+          elsif perm.protected_access?
+            @protected_access.concat controller.access_methods
+          end
+        end
+      end
+    end
+
+    def validate_user_groups
+      user_groups.each do |user_group, perms|
+        perms.each do |perm|
+          unless permission_exists?(perm)
+            msg ="User Group: #{user_group}, permission not found: #{perm}"
+            raise InvalidRuleAssignment, msg
+          end
+        end
+      end
+    end
+  end
+end

data/lib/lockdown/session.rb

@@ -1,5 +1,7 @@
 module Lockdown
   module Session
+    protected
+
     def nil_lockdown_values
       [:expiry_time, :user_id, :user_name, :user_profile_id, :access_rights].each do |val|
         session[val] = nil if session[val]
@@ -18,16 +20,16 @@ module Lockdown
       session[:access_rights] == :all
     end
 
-    private
-
     def add_lockdown_session_values(user)
       session[:access_rights] = Lockdown::System.access_rights_for_user(user)
     end
 
     def access_in_perm?(perm)
-      Lockdown::System.permissions[perm].each do |ar|
-        return true if session_access_rights_include?(ar)
-      end unless Lockdown::System.permissions[perm].nil?
+      if Lockdown::System.permissions[perm]
+        Lockdown::System.permissions[perm].each do |ar|
+          return true if session_access_rights_include?(ar)
+        end 
+      end
       false
     end
 
@@ -36,4 +38,4 @@ module Lockdown
       session[:access_rights].include?(str)
     end
   end # Session
-end # Lockdown
+end # Lockdown

data/lib/lockdown/system.rb

@@ -1,106 +1,53 @@
-require File.join(File.dirname(__FILE__), "rights")
-require File.join(File.dirname(__FILE__), "database")
-
 module Lockdown
   class System
-    class << self
-      include Lockdown::Rights
-
-      attr_accessor :options #:nodoc:
-      attr_accessor :controller_classes #:nodoc:
+    extend Lockdown::Rules
 
-      def configure(&block)
-        set_defaults
+    def self.configure(&block)
+      set_defaults 
 
-        instance_eval(&block)
+      # Defined by the framework
+      load_controller_classes
 
-        Lockdown::Database.sync_with_db unless skip_sync?
+      # Lockdown::Rules defines the methods that are used inside block
+      instance_eval(&block)
 
-      end
+      # Lockdown::Rules defines process_rules
+      process_rules
 
-      # Return option value for key
-      def fetch(key)
-        (@options||={})[key]
-      end
+      Lockdown::Database.sync_with_db unless skip_sync?
+    end
 
-      # *syms is a splat of controller symbols,
-      # e.g all_methods(:users, :authors, :books)
-      def all_methods(*syms)
-        syms.collect{ |sym| paths_for(sym) }.flatten
-      end
-    
-      # controller name (sym) and a splat of methods to 
-      # exclude from result
-      #
-      # All user methods except destroy:
-      # e.g all_except_methods(:users, :destroy)
-      def all_except_methods(sym, *methods)
-        paths_for(sym) - paths_for(sym, *methods) 
-      end
-    
-      # controller name (sym) and a splat of methods to 
-      # to build the result
-      # 
-      # Only user methods index (list), show (good for readonly access):
-      # e.g only_methods(:users, :index, :show)
-      def only_methods(sym, *methods)
-        paths_for(sym, *methods)
-      end
+    def self.fetch(key)
+      (@options||={})[key]
+    end
 
-      # all controllers, all actions
-      #
-      # This is admin access
-      def all_controllers_all_methods
-        controllers = controller_classes
-        controllers.collect do |str, klass|
-          paths_for( controller_name(klass), available_actions(klass) )
-        end.flatten!
-      end
+    protected 
 
-      def fetch_controller_class(str)
-        controller_classes[Lockdown.controller_class_name(str)]
+    def self.paths_for(str_sym, *methods)
+      str_sym = str_sym.to_s if str_sym.is_a?(Symbol)
+      if methods.empty?
+        klass = fetch_controller_class(str_sym)
+        methods = available_actions(klass) 
       end
-    
-      protected 
-
-      def set_defaults
-        load_controller_classes
-
-        initialize_rights
-
-        @options = {
-          :session_timeout => (60 * 60),
-          :logout_on_access_violation => false,
-          :access_denied_path => "/",
-          :successful_login_path => "/",
-          :subdirectory => nil,
-          :skip_db_sync_in => ["test"]
-        }
-      end
-
-      private 
-
-      def paths_for(str_sym, *methods)
-        str_sym = str_sym.to_s if str_sym.is_a?(Symbol)
-        if methods.empty?
-          klass = fetch_controller_class(str_sym)
-          methods = available_actions(klass) 
-        end
-        path_str = str_sym.gsub("__","\/") 
+      path_str = str_sym.gsub("__","\/") 
         
-        subdir = Lockdown::System.fetch(:subdirectory)
-        path_str = "#{subdir}/#{path_str}" if subdir
+      subdir = Lockdown::System.fetch(:subdirectory)
+      path_str = "#{subdir}/#{path_str}" if subdir
 
-        controller_actions = methods.flatten
-        returning = controller_actions.collect{|meth| "#{path_str}/#{meth.to_s}" }
+      controller_actions = methods.flatten.collect{|m| m.to_s}
 
-        if controller_actions.include?("index")
-          returning += [path_str]
-        end
+      paths = controller_actions.collect{|meth| "#{path_str}/#{meth.to_s}" }
 
-        returning
+      if controller_actions.include?("index")
+        paths += [path_str]
       end
 
-    end # class block
-  end # System class
+      paths
+    end
+
+    def self.fetch_controller_class(str)
+      controller_classes[Lockdown.controller_class_name(str)]
+    end
+  
+ end # System class
 end # Lockdown

data/lib/lockdown.rb

@@ -1,67 +1,70 @@
 require File.join(File.dirname(__FILE__), "lockdown", "helper")
 
 module Lockdown
-  # :stopdoc:
-  VERSION = '0.7.1'
-  LIBPATH = ::File.expand_path(::File.dirname(__FILE__)) + ::File::SEPARATOR
-  PATH = ::File.dirname(LIBPATH) + ::File::SEPARATOR
-  # :startdoc:
-  
-  class << self
-    include Lockdown::Helper
+  extend Lockdown::Helper
 
-    # Returns the version string for the library.
-    def version
-      VERSION
-    end
- 
-    # Returns the qualified path to the init file
-    def init_file
-     "#{Dir.pwd}/lib/lockdown/init.rb"
-    end
+  VERSION = '0.8.0'
+
+  # Returns the version string for the library.
+  def self.version
+    VERSION
+  end
+
+  def self.major_version
+    version.split('.')[0].to_i
+  end
 
-    # Mixin Lockdown code to the appropriate framework and ORM
-    def mixin
-      if mixin_resource?("frameworks")
-        unless mixin_resource?("orms")
-          raise NotImplementedError, "ORM unknown to Lockdown!"
-        end
+  def self.minor_version
+    version.split('.')[1].to_i
+  end
+
+  def self.patch_version
+    version.split('.')[2].to_i
+  end
+
+  # Mixin Lockdown code to the appropriate framework and ORM
+  def self.mixin
+    if mixin_resource?("frameworks")
+      unless mixin_resource?("orms")
+        raise NotImplementedError, "ORM unknown to Lockdown!"
+      end
 
-        if File.exists?(Lockdown.init_file)
-          puts "=> Requiring Lockdown rules engine: #{Lockdown.init_file} \n"
-          require Lockdown.init_file
-        else
-          puts "=> Note:: Lockdown couldn't find init file: #{Lockdown.init_file}\n"
-        end
+      if File.exists?(Lockdown.init_file)
+        puts "=> Requiring Lockdown rules engine: #{Lockdown.init_file} \n"
+        require Lockdown.init_file
       else
-        puts "=> Note:: Lockdown cannot determine framework and therefore is not active.\n"
+        puts "=> Note:: Lockdown couldn't find init file: #{Lockdown.init_file}\n"
       end
-    end # mixin
+    else
+      puts "=> Note:: Lockdown cannot determine framework and therefore is not active.\n"
+    end
+  end # mixin
 
-    # :stopdoc:
-    private
+  private
 
-    def mixin_resource?(str)
-      wildcard_path = File.join( File.dirname(__FILE__), 'lockdown', str , '*.rb' ) 
-      Dir[wildcard_path].each do |f|
-        require f
-        module_name = File.basename(f).split(".")[0]
-        module_class = eval("Lockdown::#{str.capitalize}::#{Lockdown.camelize(module_name)}")
-        if module_class.use_me?
-          include module_class
-          return true
-        end
+  def self.mixin_resource?(str)
+    wildcard_path = File.join( File.dirname(__FILE__), 'lockdown', str , '*.rb' ) 
+    Dir[wildcard_path].each do |f|
+      require f
+      module_name = File.basename(f).split(".")[0]
+      module_class = eval("Lockdown::#{str.capitalize}::#{Lockdown.camelize(module_name)}")
+      if module_class.use_me?
+        include module_class
+        return true
       end
-      false
-    end # mixin_resource?
-  end # class block
+    end
+    false
+  end # mixin_resource?
 end # Lockdown
 
-
-require File.join(File.dirname(__FILE__), "lockdown", "system")
-require File.join(File.dirname(__FILE__), "lockdown", "controller")
 require File.join(File.dirname(__FILE__), "lockdown", "session")
+require File.join(File.dirname(__FILE__), "lockdown", "context")
+require File.join(File.dirname(__FILE__), "lockdown", "permission")
+require File.join(File.dirname(__FILE__), "lockdown", "database")
+require File.join(File.dirname(__FILE__), "lockdown", "rules")
+require File.join(File.dirname(__FILE__), "lockdown", "system")
 
 puts "=> Mixing in Lockdown version: #{Lockdown.version} \n"
+
 Lockdown.mixin
 

data/rails_generators/lockdown/lockdown_generator.rb

@@ -137,7 +137,7 @@ class LockdownGenerator < Rails::Generator::Base
   end
 
   def add_login_permissions
-    add_permissions "set_permission :sessions_management, all_methods(:sessions)"
+    add_permissions "set_permission(:sessions_management).with_controller(:sessions)"
     
     add_predefined_user_group "set_public_access :sessions_management"
   end
@@ -157,10 +157,10 @@ class LockdownGenerator < Rails::Generator::Base
 
   def add_management_permissions
     perms = []
-    perms << "set_permission :users_management, all_methods(:#{@namespace.blank? ? "users" : "#{@namespace}__users"})"
-    perms << "set_permission :user_groups_management, all_methods(:#{@namespace.blank? ? "user_groups" : "#{@namespace}__user_groups"})"
-    perms << "set_permission :permissions_management, all_methods(:#{@namespace.blank? ? "permissions" : "#{@namespace}__permissions"})"
-    perms << "set_permission :my_account, only_methods(:#{@namespace.blank? ? "users" : "#{@namespace}__users"}, :edit, :update, :show)"
+    perms << "set_permission(:users_management).with_controller(:#{@namespace.blank? ? "users" : "#{@namespace}__users"})"
+    perms << "set_permission(:user_groups_management).with_controller(:#{@namespace.blank? ? "user_groups" : "#{@namespace}__user_groups"})"
+    perms << "set_permission(:permissions_management).with_controller(:#{@namespace.blank? ? "permissions" : "#{@namespace}__permissions"})"
+    perms << "set_permission(:my_account).with_controller(:#{@namespace.blank? ? "users" : "#{@namespace}__users"}).only_methods(:edit, :update, :show)"
 
     add_permissions perms.join("\n  ")