lockdown 0.7.1 → 0.8.0

data/rails_generators/lockdown/templates/lib/lockdown/init.rb

@@ -22,6 +22,9 @@ Lockdown::System.configure do
   # Set redirect to path on successful login:
   #       options[:successful_login_path] = "/"
   #
+  # Set separator on links call
+  #       options[:links_separator] = "|"
+  #
   # If deploying to a subdirectory, set that here. Defaults to nil
   #       options[:subdirectory] = "blog"
   #       *Notice: Do not add leading or trailing slashes,
@@ -31,17 +34,15 @@ Lockdown::System.configure do
   # Define permissions
   #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   #
-  # set_permission(:product_management, all_methods(:products))
+  # set_permission(:product_management).
+  #   with_controller(:products)
   #
   # :product_management is the name of the permission which is later
   # referenced by the set_user_group method
   #
-  # :all_methods(:products) will return an array of all controller actions
-  # for the products controller
-  #
-  # If you need to reference a namespaced controller use two underscores:
-  # :admin__products would tell lockdown to look for:
-  # app/controllers/admin/products_controller.rb
+  # .with_controller(:products) defaults to all action_methods available on that
+  #  controller.  You can change this behaviour by chaining on except_methods or
+  #  only_methods.  (see examples below)
   #
   # if products is your standard RESTful resource you'll get:
   #   ["products/index , "products/show",
@@ -49,23 +50,30 @@ Lockdown::System.configure do
   #    "products/create", "products/update",
   #    "products/destroy"]
   #
-  # You can pass multiple parameters to concat permissions such as:
+  # You can chain method calls to restrict the methods for one controller
+  # or you can add multiple controllers to one permission.
   #      
-  #	  set_permission(:security_management,all_methods(:users),
-  #                                       all_methods(:user_groups),
-  #                                       all_methods(:permissions) )
+  #   set_permission(:security_management).
+  #     with_controller(:users).
+  #     and_controller(:user_groups).
+  #     and_controller(:permissions) 
   #
-  # In addition to all_methods(:controller) there are:
+  # In addition to with_controller(:controller) there are:
   #
-  #       only_methods(:controller, :only_method_1, :only_method_2)
+  #   set_permission(:some_nice_permission_name).
+  #     with_controller(:some_controller_name).
+  #       only_methods(:only_method_1, :only_method_2)
   #
-  #       all_except_methods(:controller, :except_method_1, :except_method_2)
+  #   set_permission(:some_nice_permission_name).
+  #     with_controller(:some_controller_name).
+  #       except_methods(:except_method_1, :except_method_2)
+  #
+  #   set_permission(:some_nice_permission_name).
+  #     with_controller(:some_controller_name).
+  #       except_methods(:except_method_1, :except_method_2).
+  #     and_controller(:another_controller_name).
+  #     and_controller(:yet_another_controller_name)
   #
-  # Some other sample permissions:
-  # 
-  #  set_permission(:sessions, all_methods(:sessions))
-  #  set_permission(:my_account, only_methods(:users, :edit, :update, :show))
-  # 
   # Define your permissions here:
 
   #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

data/rails_generators/lockdown/templates/lib/lockdown/session.rb

@@ -56,10 +56,8 @@ module Lockdown
 end # Lockdown module
 
 ActionController::Base.class_eval do
- include Lockdown::Session
-end
+  include Lockdown::Session
 
-ActionController::Base.class_eval do 
   helper_method :logged_in?, 
     :current_user,
     :current_user_name, 

data/spec/lockdown/database_spec.rb

@@ -0,0 +1,158 @@
+require File.join(File.dirname(__FILE__), %w[.. spec_helper])
+
+describe Lockdown::Database do
+  before do
+    Lockdown::System.stub!(:get_permissions).and_return([:permission])
+    Lockdown::System.stub!(:get_user_groups).and_return([:user_group])
+  end
+
+  describe "#sync_with_db" do
+    it "should call create_new_permissions, delete_extinct_permissions and maintain_user_groups" do
+      Lockdown::Database.should_receive :create_new_permissions
+      Lockdown::Database.should_receive :delete_extinct_permissions
+      Lockdown::Database.should_receive :maintain_user_groups
+
+      Lockdown::Database.sync_with_db
+    end
+  end
+
+  describe "#create_new_permissions" do
+    it "should create permission from @permissions" do
+      Lockdown::System.stub!(:permission_assigned_automatically?).and_return(false)
+
+      Permission = mock('Permission') unless defined?(Permission)
+      Permission.stub!(:find).and_return(false)
+      Permission.should_receive(:create).with(:name => 'Permission')
+
+      Lockdown::Database.create_new_permissions
+    end
+  end
+
+  describe "#delete_extinct_permissions" do
+    it "should create permission from @permissions" do
+      permission = mock('permission')
+      permission.stub!(:id).and_return("3344")
+      permission.stub!(:name).and_return("sweet permission")
+      permissions = [permission]
+
+      Permission = mock('Permission') unless defined?(Permission)
+      Permission.stub!(:find).with(:all).and_return(permissions)
+
+      Lockdown.should_receive(:database_execute).
+        with("delete from permissions_user_groups where permission_id = 3344")
+      permission.should_receive(:destroy)
+
+      Lockdown::Database.delete_extinct_permissions
+    end
+  end
+
+  describe "#maintain_user_groups" do
+    before do
+      UserGroup = mock('UserGroup') unless defined?(UserGroup)
+    end
+
+    it "should create user group for non-existent user group" do
+      UserGroup.should_receive(:find).
+        with(:first, :conditions => ["name = ?", "User Group"]).
+        and_return(false)
+      
+      Lockdown::Database.should_receive(:create_user_group).
+        with("User Group",:user_group)
+
+      Lockdown::Database.maintain_user_groups
+    end
+
+    it "should sync user group permissions for existing user group" do
+      ug = mock('user group')
+
+      UserGroup.should_receive(:find).
+        with(:first, :conditions => ["name = ?", "User Group"]).
+        and_return(ug)
+      
+      Lockdown::Database.should_receive(:remove_invalid_permissions).
+        with(ug,:user_group)
+
+      Lockdown::Database.should_receive(:add_valid_permissions).
+        with(ug,:user_group)
+
+      Lockdown::Database.maintain_user_groups
+    end
+  end
+
+  describe "#create_user_group" do
+    it "should create new user group" do
+      ug = mock('user group')
+      ug.stub!(:id).and_return(123)
+
+      UserGroup = mock('UserGroup') unless defined?(UserGroup)
+
+      UserGroup.should_receive(:create).
+        with(:name => "some group").
+        and_return(ug)
+
+      Lockdown::System.stub!(:permissions_for_user_group).
+        and_return([:perm])
+
+      perm = mock('permission')
+      perm.stub!(:id).and_return(3344)
+
+      Permission = mock('Permission') unless defined?(Permission)
+
+      Permission.should_receive(:find).
+        with(:first, :conditions => ["name = ?",'Perm']).
+        and_return(perm)
+
+      Lockdown.should_receive(:database_execute).
+        with("insert into permissions_user_groups(permission_id, user_group_id) values(3344, 123)")
+
+      Lockdown::Database.create_user_group("some group",  :some_group)
+    end
+  end
+
+  describe "#remove_invalid_permissions" do
+    it "should remove permissions that no longer exist" do
+      permissions = [:good_perm, :bad_perm]
+
+      user_group = mock("user group", :name => "user group")
+
+      #returns what's in the database
+      user_group.stub!(:permissions).and_return(permissions)
+
+      #return what's defined in init.rb
+      Lockdown::System.stub!(:permissions_for_user_group).
+        and_return([:good_perm])
+
+      #delete what's not in init.rb 
+      permissions.should_receive(:delete).with(:bad_perm)
+
+      Lockdown::Database.remove_invalid_permissions(user_group, :user_group)
+    end
+  end
+
+  describe "#add_invalid_permissions" do
+    it "should add permissions that are defined in init.rb" do
+      #return what's defined in init.rb
+      Lockdown::System.stub!(:permissions_for_user_group).
+        and_return([:defined_perm, :undefined_perm])
+
+      permissions = [:defined_perm]
+
+      user_group = mock("user group", :name => "user group")
+
+      #returns what's in the database
+      user_group.stub!(:permissions).and_return(permissions)
+
+      Permission = mock('Permission') unless defined?(Permission)
+
+      #get the permission object for the undefined_perm
+      Permission.should_receive(:find).
+        with(:first, :conditions => ["name = ?",'Undefined Perm']).
+        and_return(:undefined_perm)
+
+      #add the perm to the user group
+      permissions.should_receive(:<<).with(:undefined_perm)
+
+      Lockdown::Database.add_valid_permissions(user_group, :user_group)
+    end
+  end
+end

data/spec/lockdown/frameworks/rails/controller_spec.rb

@@ -0,0 +1,220 @@
+require File.join(File.dirname(__FILE__), %w[.. .. .. spec_helper])
+
+class TestAController
+  extend Lockdown::Frameworks::Rails::Controller
+  include Lockdown::Frameworks::Rails::Controller::Lock::InstanceMethods
+end
+
+describe Lockdown::Frameworks::Rails::Controller do
+  before do
+    @controller = TestAController
+
+    @actions = %w(posts/index posts/show posts/new posts/edit posts/create posts/update posts/destroy)
+
+    @lockdown = mock("lockdown")
+  end
+
+  describe "#available_actions" do
+    it "should return action_methods" do
+      post_controller = mock("PostController")
+      post_controller.stub!(:action_methods).and_return(@actions)
+
+      @controller.available_actions(post_controller).
+        should == @actions
+    end
+
+    it "should eql public_instance_methods - hidden_actions unless action_methods" do
+      post_controller = mock("PostController")
+      post_controller.stub!(:public_instance_methods).and_return(["m1", "m2", "h1"])
+      post_controller.stub!(:hidden_actions).and_return(["h1"])
+      @controller.available_actions(post_controller).
+        should == ["m1", "m2"]
+    end
+  end
+
+  describe "#controller_name" do
+    it "should return action_methods" do
+      post_controller = mock("PostController")
+      post_controller.stub!(:controller_name).and_return("PostController")
+
+      @controller.controller_name(post_controller).should == "PostController"
+    end
+  end
+
+end
+
+describe Lockdown::Frameworks::Rails::Controller::Lock do
+  before do
+    @controller = TestAController.new
+
+    @actions = %w(posts/index posts/show posts/new posts/edit posts/create posts/update posts/destroy)
+
+    @session = {:access_rights => @actions}
+
+    @controller.stub!(:session).and_return(@session)
+  end
+  
+  describe "#configure_lockdown" do
+    it "should call check_session_expiry and store_location" do
+      @controller.should_receive(:check_session_expiry)
+      @controller.should_receive(:store_location)
+
+      @controller.configure_lockdown
+    end
+  end
+
+  describe "#set_current_user" do
+    it "should set the profile_id in Thread.current" do
+      @controller.stub!(:logged_in?).and_return(true)
+      @controller.stub!(:current_profile_id).and_return(1234)
+
+      @controller.set_current_user
+
+      Thread.current[:profile_id].should == 1234
+    end
+  end
+
+  describe "#check_request_authorization" do
+    it "should raise SecurityError if not authorized" do
+      @controller.stub!(:authorized?).and_return(false)
+      @controller.stub!(:params).and_return({:p => 1})
+
+      lambda{@controller.check_request_authorization}.
+        should raise_error(SecurityError)
+
+    end
+  end
+
+  describe "#path_allowed" do
+    it "should return false for an invalid path" do
+      @controller.path_allowed?("/no/good").should be_false
+    end
+  end
+
+  describe "#check_session_expiry" do
+    it "should set expiry if null" do
+      Lockdown::System.stub!(:fetch).with(:session_timeout).and_return(10)
+      @session[:expiry_time].should be_nil
+      @controller.check_session_expiry
+      @session[:expiry_time].should_not be_nil
+    end
+  end
+
+  describe "#store_location" do
+    it "should set prevpage and thispage" do
+      request = mock("request")
+      request.stub!(:method).and_return(:get)
+      @controller.stub!(:request).and_return(request)
+
+      @controller.stub!(:sent_from_uri).and_return("/blop")
+      @controller.store_location
+
+      @session[:prevpage].should == ''
+      @session[:thispage].should == '/blop'
+    end
+  end
+
+  describe "#sent_from_uri" do
+    it "should return request.request_uri" do
+      request = mock("request")
+      request.stub!(:request_uri).and_return("/blip")
+
+      @controller.stub!(:request).and_return(request)
+
+      @controller.sent_from_uri.should == "/blip"
+    end
+  end
+
+  describe "#authorized?" do
+    before do
+      @sample_url = "http://stonean.com/posts/index"
+      @a_path = "/a_path"
+
+      request = mock("request")
+      request.stub!(:method).and_return(:get)
+      @controller.stub!(:request).and_return(request)
+
+      stonean_parts = ["http", nil, "stonean.com", nil, nil, "posts/index", nil, nil, nil]
+
+      a_path_parts = [nil, nil, nil, nil, nil, "/a_path", nil, nil, nil]
+
+      URI = mock('uri class') unless defined?(URI)
+      URI.stub!(:split).with(@sample_url).and_return(stonean_parts)
+      URI.stub!(:split).with(@a_path).and_return(a_path_parts)
+    end
+
+    it "should return false if url is nil" do
+      @controller.authorized?(nil).should be_false
+    end
+
+    it "should return true if current_user_is_admin" do
+      @controller.stub!(:current_user_is_admin?).and_return(true)
+      @controller.authorized?(@a_path).should be_true
+    end
+
+    it "should return false if path not in access_rights" do
+      @controller.authorized?(@a_path).should be_false
+    end
+
+    it "should return true if path is in access_rights" do
+      @controller.authorized?(@sample_url).should be_true
+    end
+
+  end
+
+  describe "#access_denied" do
+  end
+
+  describe "#path_from_hash" do
+    it "should return controller/action string" do
+      hash = {:controller => "users", :action => "show", :id => "1"}
+      @controller.path_from_hash(hash).should == "users/show"
+    end
+  end
+
+  describe "#remote_url?" do
+    it "should return false if domain is nil" do
+      @controller.remote_url?.should be_false
+    end
+
+    it "should return false if domain matches request domain" do
+      request = mock("request")
+      request.stub!(:host).and_return("stonean.com")
+      @controller.stub!(:request).and_return(request)
+      @controller.remote_url?("stonean.com").should be_false
+    end
+
+    it "should return true if subdomain differs" do
+      request = mock("request")
+      request.stub!(:host).and_return("blog.stonean.com")
+      @controller.stub!(:request).and_return(request)
+      @controller.remote_url?("stonean.com").should be_true
+    end
+
+    it "should return true if host doesn't match  domain" do
+      request = mock("request")
+      request.stub!(:host).and_return("stonean.com")
+      @controller.stub!(:request).and_return(request)
+      @controller.remote_url?("google.com").should be_true
+    end
+  end
+
+  describe "#redirect_back_or_default" do
+    it "should redirect to default without session[:prevpage]" do
+      @controller.should_receive(:redirect_to).with("/")
+      @controller.redirect_back_or_default("/")
+    end
+
+    it "should redirect to session[:prevpage]" do
+      @session[:prevpage] = "/previous"
+      @controller.should_receive(:redirect_to).with("/previous")
+      @controller.redirect_back_or_default("/")
+    end
+  end
+
+  describe "#login_from_basic_auth?" do
+  end
+
+  describe "#get_auth_data" do
+  end
+end

data/spec/lockdown/frameworks/rails/view_spec.rb

@@ -0,0 +1,87 @@
+require File.join(File.dirname(__FILE__), %w[.. .. .. spec_helper])
+
+class TestAView
+  def link_to
+    "link_to"
+  end
+
+  def button_to
+    "button_to"
+  end
+
+  include Lockdown::Frameworks::Rails::View
+end
+
+describe Lockdown::Frameworks::Rails::Controller do
+
+  before do
+    @view = TestAView.new
+
+    @view.stub!(:url_for).and_return("posts/new")
+
+    @options = {:controller => "posts", :action => "new"}
+  end
+
+  describe "#link_to_secured" do
+    it "should return the link if authorized" do
+      link = "<a href='http://a.com'>my_link</a>"
+      @view.stub!(:authorized?).and_return(true)
+      @view.stub!(:link_to_open).and_return(link)
+
+      @view.link_to_secured("my link", @options).should == link
+    end
+
+     it "should return an empty string if authorized" do
+      @view.stub!(:authorized?).and_return(false)
+
+      @view.link_to_secured("my link", @options).should == ""
+    end 
+  end
+
+  describe "#button_to_secured" do
+    it "should return the link if authorized" do
+      link = "<a href='http://a.com'>my_link</a>"
+      @view.stub!(:authorized?).and_return(true)
+      @view.stub!(:button_to_open).and_return(link)
+
+      @view.button_to_secured("my link", @options).should == link
+    end
+
+     it "should return an empty string if authorized" do
+      @view.stub!(:authorized?).and_return(false)
+
+      @view.button_to_secured("my link", @options).should == ""
+    end 
+  end
+
+  describe "#link_to_or_show" do
+    it "should return the name if link_to returned an empty string" do
+      @view.stub!(:link_to).and_return('')
+
+      @view.link_to_or_show("my_link", @options).
+        should == "my_link"
+    end
+
+    it "should return the link if access is allowed" do
+      link = "<a href='http://a.com'>my_link</a>"
+      @view.stub!(:link_to).and_return(link)
+
+      @view.link_to_or_show("my_link", @options).
+        should == link
+    end
+  end
+
+  describe "#link_to_or_show" do
+    it "should return links separated by | " do
+      links = ["link_one", "link_two"]
+
+      @view.links(links).should == links.join(' | ')
+    end
+
+    it "should return links separated by | and handle empty strings" do
+      links = ["link_one", "link_two", ""]
+
+      @view.links(links).should == links.join(' | ')
+    end
+  end
+end