lockdown 0.9.8 → 1.0.0

data/lib/lockdown/frameworks/rails/controller.rb

@@ -4,11 +4,7 @@ module Lockdown
       module Controller
         
         def available_actions(klass)
-          if klass.respond_to?(:action_methods)
-            klass.action_methods
-          else
-            klass.public_instance_methods - klass.hidden_actions
-          end
+          klass.action_methods
         end
 
         def controller_name(klass)
@@ -17,6 +13,7 @@ module Lockdown
 
         # Locking methods
         module Lock
+
           def configure_lockdown
             check_session_expiry
             store_location
@@ -32,9 +29,11 @@ module Lockdown
 
           def check_request_authorization
             unless authorized?(path_from_hash(params))
-              raise SecurityError, "Authorization failed for params #{params.inspect}"
+              raise SecurityError, "Authorization failed! \nparams: #{params.inspect}\nsession: #{session.inspect}"
             end
           end
+
+          protected 
   
           def path_allowed?(url)
             session[:access_rights] ||= Lockdown::System.public_access
@@ -76,7 +75,7 @@ module Lockdown
             begin
               hash = ActionController::Routing::Routes.recognize_path(path, :method => method)
               return path_allowed?(path_from_hash(hash)) if hash
-            rescue Exception
+            rescue Exception => e
               # continue on
             end
 

data/lib/lockdown/frameworks/rails.rb

@@ -13,34 +13,39 @@ module Lockdown
           mod.extend Lockdown::Frameworks::Rails::Environment
           mixin
         end
-
+        
         def mixin
-          Lockdown.controller_parent.class_eval do
+          mixin_controller
+
+          Lockdown.view_helper.class_eval do
+            include Lockdown::Frameworks::Rails::View
+          end
+
+          Lockdown::System.class_eval do 
+            extend Lockdown::Frameworks::Rails::System
+          end
+        end
+
+        def mixin_controller(klass = Lockdown.controller_parent)
+          klass.class_eval do
             include Lockdown::Session
             include Lockdown::Frameworks::Rails::Controller::Lock
           end
 
-          Lockdown.controller_parent.helper_method :authorized?
+          klass.helper_method :authorized?
+
+          klass.hide_action(:set_current_user, :configure_lockdown, :check_request_authorization)
 
-          Lockdown.controller_parent.before_filter do |c|
+          klass.before_filter do |c|
             c.set_current_user
             c.configure_lockdown
             c.check_request_authorization
+            c.check_model_authorization
           end
 
-          Lockdown.controller_parent.filter_parameter_logging :password, 
-            :password_confirmation
+          klass.filter_parameter_logging :password, :password_confirmation
       
-          Lockdown.controller_parent.rescue_from SecurityError, 
-            :with => proc{|e| access_denied(e)}
-
-          Lockdown.view_helper.class_eval do
-            include Lockdown::Frameworks::Rails::View
-          end
-
-          Lockdown::System.class_eval do 
-            extend Lockdown::Frameworks::Rails::System
-          end
+          klass.rescue_from SecurityError, :with => proc{|e| access_denied(e)}
         end
       end # class block
 
@@ -54,12 +59,24 @@ module Lockdown
           "#{project_root}/lib/lockdown/init.rb"
         end
 
+        def view_helper
+          ::ActionView::Base 
+        end
+
+        # cache_classes is true in production and testing, need to
+        # modify the ApplicationController 
         def controller_parent
-          ::ActionController::Base
+          if ::Rails.env == 'development'
+            ActionController::Base
+          else
+            ApplicationController
+          end
         end
 
-        def view_helper
-          ::ActionView::Base 
+        # cache_classes is true in production and testing, need to
+        # do an instance eval instead
+        def add_controller_method(code)
+          Lockdown.controller_parent.class_eval code, __FILE__,__LINE__ +1
         end
 
         def controller_class_name(str)
@@ -70,6 +87,10 @@ module Lockdown
             Lockdown.camelize(str)
           end
         end
+
+        def fetch_controller_class(str)
+          eval("::#{controller_class_name(str)}")
+        end
       end
 
       module System
@@ -78,68 +99,6 @@ module Lockdown
         def skip_sync?
           Lockdown::System.fetch(:skip_db_sync_in).include?(ENV['RAILS_ENV'])
         end
-
-        def load_controller_classes
-          @controller_classes = {}
-         
-          maybe_load_framework_controller_parent
-
-          ApplicationController.helper_method :authorized?
-
-          ApplicationController.before_filter do |c|
-            c.set_current_user
-            c.configure_lockdown
-            c.check_request_authorization
-          end
-
-          ApplicationController.filter_parameter_logging :password, 
-            :password_confirmation
-      
-          ApplicationController.rescue_from SecurityError, 
-            :with => proc{|e| access_denied(e)}
-
-
-          Dir.chdir("#{Lockdown.project_root}/app/controllers") do
-            Dir["**/*.rb"].sort.each do |c|
-              next if c == "application.rb"
-              lockdown_load(c) 
-            end
-          end
-
-          if ENV['RAILS_ENV'] != 'production'
-            if ActiveSupport.const_defined?("Dependencies")
-              ActiveSupport::Dependencies.clear
-            else
-              Dependencies.clear
-            end
-          end
-        end
-
-        def maybe_load_framework_controller_parent
-          if ::Rails::VERSION::MAJOR >= 2 && ::Rails::VERSION::MINOR >= 3
-            filename = "application_controller.rb"
-          else
-            filename = "application.rb"
-          end
-          
-          require_or_load(filename)
-        end
-
-        def lockdown_load(filename)
-          klass = Lockdown.class_name_from_file(filename)
-
-          require_or_load(filename)
-
-          @controller_classes[klass] = Lockdown.qualified_const_get(klass) 
-        end
-
-        def require_or_load(filename)
-          if ActiveSupport.const_defined?("Dependencies")
-            ActiveSupport::Dependencies.require_or_load(filename)
-          else
-            Dependencies.require_or_load(filename)
-          end
-        end
       end # System
     end # Rails
   end # Frameworks

data/lib/lockdown/helper.rb

@@ -49,24 +49,6 @@ module Lockdown
       :administrators
     end
 
-    def qualified_const_defined?(klass)
-      if klass =~ /::/
-        namespace, klass = klass.split("::")
-        eval("#{namespace}.const_defined?(#{klass})") if const_defined?(namespace)
-      else
-        const_defined?(klass)
-      end
-    end
-
-    def qualified_const_get(klass)
-      if klass =~ /::/
-        namespace, klass = klass.split("::")
-        eval(namespace).const_get(klass)
-      else
-        const_get(klass)
-      end
-    end
-
     private
 
     def string_name(str_sym)

data/lib/lockdown/permission.rb

@@ -3,23 +3,46 @@ module Lockdown
   class PermissionScopeCollision < StandardError; end
 
   class Controller
-    attr_accessor :name, :access_methods
+    attr_accessor :name, :access_methods, :only_methods, :except_methods
 
     def initialize(name)
       @name = name
+      @except_methods = []
+    end
+
+    def set_access_methods
+      if @only_methods
+        @access_methods = paths_for(@name, *@only_methods)
+      else
+        @access_methods = paths_for(@name)
+      end
+
+      apply_exceptions
+    end
+
+    private
+
+    def apply_exceptions
+      @access_methods = @access_methods - @except_methods
+    end
+
+    def paths_for(str_sym, *methods)
+      Lockdown::System.paths_for(str_sym, *methods)
     end
   end
 
   class Model
-    attr_accessor :name, :controller_method, :model_method, :association
+    attr_accessor :name, :controller_method, :model_method, :association, :param
 
-    def initialize(name)
+    def initialize(name, param = :id)
       @name = name
+      @param = :id
     end
 
-    def association=(type)
-      @assocation = type
+    def class_name
+      self.name.to_s.camelize
     end
+ 
   end
   
   class Permission
@@ -42,16 +65,16 @@ module Lockdown
     # ==== Summary of model oriented methods:
     #
     #   # defines which model we're talking about
-    #   .to_model(:model_name)         
+    #   .to_model(:model)         
     #
-    #   # data_method must be available to the controller
-    #   .where(:data_method)           
+    #   # model_method is simply a public method on :model
+    #   .where(:model_method)           
     #
-    #   # model_name.value_method must equal data_method
-    #   .equals(:value_method)         
+    #   # controller_method must equal model_method
+    #   .equals(:controller_method)         
     #
-    #   # model_name.values_method.include?(data_method)
-    #   .is_in(:values_method)         
+    #   # controller_method.include?(model_method)
+    #   .is_in(:controller_method)         
     #   
     #
     # ==== Example:
@@ -84,7 +107,6 @@ module Lockdown
       validate_context
 
       controller = Controller.new(name_symbol)
-      controller.access_methods = paths_for(name_symbol)
       @controllers[name_symbol] = controller
       @current_context = Lockdown::ControllerContext.new(name_symbol)
       self
@@ -95,8 +117,7 @@ module Lockdown
     def only_methods(*methods)
       validate_context
 
-      current_controller.access_methods = paths_for(current_controller.name, 
-                                                    *methods)
+      current_controller.only_methods = methods
       @current_context = Lockdown::RootContext.new(@name)
       self
     end
@@ -104,39 +125,40 @@ module Lockdown
     def except_methods(*methods)
       validate_context
 
-      current_controller.access_methods = current_controller.access_methods - paths_for(current_controller.name, *methods)
+      current_controller.except_methods = methods
 
       @current_context = Lockdown::RootContext.new(@name)
       self
     end
 
-    def to_model(name_symbol)
+    def to_model(name_symbol, param = :id)
       validate_context
 
-      @models[name_symbol] = Model.new(name_symbol)
+      @models[name_symbol] = Model.new(name_symbol, param)
       @current_context = Lockdown::ModelContext.new(name_symbol)
       self
     end
 
-    def where(controller_method)
+    def where(model_method)
       validate_context
 
+      current_model.model_method = model_method
       @current_context = Lockdown::ModelWhereContext.new(current_context.name)
       self
     end
 
-    def equals(model_method)
+    def equals(controller_method)
       validate_context
 
-      associate_model_method(model_method, :equals)
+      associate_controller_method(controller_method, :==)
       @current_context = Lockdown::RootContext.new(@name)
       self
     end
 
-    def is_in(model_method)
+    def is_in(controller_method)
       validate_context
 
-      associate_model_method(model_method, :includes)
+      associate_controller_method(controller_method, :include?)
       @current_context = Lockdown::RootContext.new(@name)
       self
     end
@@ -183,8 +205,8 @@ module Lockdown
 
     private
 
-    def associate_model_method(model_method, association)
-      current_model.model_method = model_method
+    def associate_controller_method(controller_method, association)
+      current_model.controller_method = controller_method
       current_model.association = association
       @current_context = Lockdown::RootContext.new(@name)
     end
@@ -196,9 +218,5 @@ module Lockdown
         raise InvalidRuleContext, "Method: #{calling_method} was called on wrong context #{current_context}. Allowed methods are: #{current_context.allowed_methods.join(',')}."
       end
     end
-
-    def paths_for(controller, *methods)
-      Lockdown::System.paths_for(controller, *methods)
-    end
   end
 end

data/lib/lockdown/rules.rb

@@ -5,7 +5,6 @@ module Lockdown
     attr_accessor :options
     attr_accessor :permissions
     attr_accessor :user_groups
-    attr_accessor :controller_classes
 
     attr_reader :protected_access 
     attr_reader :public_access
@@ -254,24 +253,36 @@ module Lockdown
     end
 
     def process_rules
-      parse_permissions
       validate_user_groups
+      parse_permissions
     end
 
     private
 
+    def validate_user_groups
+      user_groups.each do |user_group, perms|
+        perms.each do |perm|
+          unless permission_exists?(perm)
+            msg ="User Group: #{user_group}, permission not found: #{perm}"
+            raise InvalidRuleAssignment, msg
+          end
+        end
+      end
+    end
+
     def parse_permissions
       permission_objects.each do |name, perm|
         @permissions[perm.name] ||= []
-
         set_controller_access(perm)
-
-        set_model_access(perm)
       end
+
+      set_model_access
     end
 
     def set_controller_access(perm)
       perm.controllers.each do |name, controller|
+        controller.set_access_methods
+
         @permissions[perm.name] |= controller.access_methods
 
         if perm.public_access?
@@ -282,40 +293,49 @@ module Lockdown
       end
     end
 
-    def set_model_access(perm)
-      perm.models.each do |model|
-        # Create inherited method on Lockdown.orm_parent that 
-        # will create a list of controller/actions the model
+    def set_model_access
+      method_definition =  "\tdef check_model_authorization\n\t#This method will check for access to model resources\n"
+
+      permission_objects.each do |name, perm|
+        next if perm.models.empty?
+
+        #Set filter for each controller
+        perm.controllers.each do |controller_name, controller|
+          #Set filter for each model on controller
+          perm.models.each do |model_name, model|
+            method_definition << define_restrict_model_access(controller, model)
+          end
+        end
       end
 
-      # Create method to access that list for link_to call validation
-      #Lockdown.orm_parent.instance_eval <<-RUBY, __FILE__,__LINE__ + 1
-      #  def self.inherited(klass)
-      #    super
-      #
-      #  end
-      #RUBY
-
-      # Create inherited method on Lockdown.controller_parent that
-      # will setup before_filter 
-      #Lockdown.controller_parent.instance_eval <<-RUBY, __FILE__,__LINE__ + 1
-      #  def self.inherited(klass)
-      #    super
-      #
-      #  end
-      #RUBY
-    end
+      method_definition << "\n\tend"
 
+      #puts "method_definition:\n #{method_definition}"
 
-    def validate_user_groups
-      user_groups.each do |user_group, perms|
-        perms.each do |perm|
-          unless permission_exists?(perm)
-            msg ="User Group: #{user_group}, permission not found: #{perm}"
-            raise InvalidRuleAssignment, msg
+      Lockdown.add_controller_method method_definition
+    end
+
+    def define_restrict_model_access(controller, model)
+      controller_class = Lockdown.fetch_controller_class(controller.name)
+
+      methods = controller.
+                  access_methods.
+                    collect{|am| am[am.index('/') + 1..-1].to_sym}.inspect
+
+      return <<-RUBY
+        if controller_name == "#{controller.name}" 
+          if #{methods}.include?(action_name.to_sym)
+            unless instance_variable_defined?(:@#{model.name})
+              @#{model.name} = #{model.class_name}.find(params[#{model.param.inspect}])
+            end
+            # Need to make sure we find the model first before checking admin status. 
+            return true if current_user_is_admin? 
+            unless #{model.controller_method}.#{model.association}(@#{model.name}.#{model.model_method})
+              raise SecurityError, "Access to #\{action_name\} denied to #{model.name}.id #\{@#{model.name}.id\}"
+            end
           end
         end
-      end
+      RUBY
     end
   end
 end

data/lib/lockdown/system.rb

@@ -5,9 +5,6 @@ module Lockdown
     def self.configure(&block)
       set_defaults 
 
-      # Defined by the framework
-      load_controller_classes
-
       # Lockdown::Rules defines the methods that are used inside block
       instance_eval(&block)
 
@@ -33,7 +30,7 @@ module Lockdown
     def self.paths_for(str_sym, *methods)
       str_sym = str_sym.to_s if str_sym.is_a?(Symbol)
       if methods.empty?
-        klass = fetch_controller_class(str_sym)
+        klass = Lockdown.fetch_controller_class(str_sym)
         methods = available_actions(klass) 
       end
       path_str = str_sym.gsub("__","\/") 
@@ -51,10 +48,5 @@ module Lockdown
 
       paths
     end
-
-    def self.fetch_controller_class(str)
-      controller_classes[Lockdown.controller_class_name(str)]
-    end
-  
  end # System class
 end # Lockdown

data/lib/lockdown.rb

@@ -3,7 +3,7 @@ require File.join(File.dirname(__FILE__), "lockdown", "helper")
 module Lockdown
   extend Lockdown::Helper
 
-  VERSION = '0.9.8'
+  VERSION = '1.0.0'
 
   # Returns the version string for the library.
   def self.version

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: lockdown
 version: !ruby/object:Gem::Version 
-  version: 0.9.8
+  version: 1.0.0
 platform: ruby
 authors: 
 - Andrew Stone
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2009-06-07 00:00:00 -04:00
+date: 2009-07-08 00:00:00 -04:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -128,7 +128,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: lockdown
-rubygems_version: 1.3.3
+rubygems_version: 1.3.4
 signing_key: 
 specification_version: 3
 summary: Lockdown is an authorization system for RubyOnRails (ver >= 2