lockdown 1.6.5 → 2.0.0

data/lib/lockdown/rspec_helper.rb

@@ -1,118 +0,0 @@
-module Lockdown
-  module RspecHelper
-    def self.included(mod)
-      Lockdown.maybe_parse_init
-    end
-
-    def login_admin
-      login_user(:admin)
-    end
-
-    def login_with_groups(*user_group_symbols)
-      access_rights = Lockdown::System.standard_authorized_user_rights
-      user_group_symbols.each do |ugs|
-        access_rights << Lockdown::System.access_rights_for_user_group(ugs)
-      end
-      login_user
-      controller.session[:access_rights] = access_rights.flatten
-    end
-
-    alias login_with_group login_with_groups 
-
-    def login_with_permissions(*permissions_symbols)
-      access_rights = Lockdown::System.standard_authorized_user_rights
-      permissions_symbols.each do |ps|
-        access_rights << Lockdown::System.access_rights_for_permission(ps)
-      end
-      login_user
-      controller.session[:access_rights] = access_rights.flatten.uniq
-    end
-    
-    alias login_with_permission login_with_permissions    
-
-    def login_standard
-      login_user
-    end
-
-    def public_user
-      setup_public_user
-    end
-
-
-    private
-
-    def login_user(user_type = :standard)
-      initialize_user(user_type)
-
-      create_user_session
-
-      controller.stub!(:current_user).and_return(@current_user)
-    end
-
-    def setup_public_user
-      controller.session[:access_rights] = Lockdown::System.public_access
-    end
-
-    def all_actions(hash = {})
-      methods = controller.send :action_methods
-
-      if excepts = hash.delete(:except)
-        excepts = Array.new(excepts)
-        methods.reject!{|m| excepts.include?(m.to_sym)}
-      end
-
-      Lockdown::System.paths_for(controller.controller_name,methods.to_a).sort
-    end
-
-    def only_actions(*actions)
-      Lockdown::System.paths_for(controller.controller_name,actions).sort
-    end
-
-    def allowed_actions
-      if rights = controller.session[:access_rights]
-        if rights == :all
-          all_actions
-        else
-          name = controller.controller_name
-          rights.collect{|r| r if r =~ /^#{name}\// || r == name}.compact.sort
-        end
-      else
-        []
-      end
-    end
-
-    def initialize_user(user_type)
-      @current_user = mock_user
-
-      if user_type == :admin
-        set_user_group(Lockdown.administrator_group_symbol)
-      end
-    end
-
-    # You may want to override this method
-    def mock_user
-      mock_model  User,
-                  :user_groups => [],
-                  :first_name => 'John',
-                  :last_name  => 'Smith',
-                  :password   => "mysecret",
-                  :password_confirmation   => "mysecret"
-    end
-
-    def create_user_session
-      controller.send :add_lockdown_session_values, @current_user
-    end
-
-    # Lockdown.convert_reference_name converts :users to "Users" 
-    def set_user_group(sym)
-      user_group = mock_user_group
-      user_group.stub!(:name).and_return( Lockdown.convert_reference_name(sym) )
-      @current_user.stub!(Lockdown.user_groups_hbtm_reference).and_return([user_group])
-    end
-
-    # You may want to override this method
-    def mock_user_group
-      mock_model(UserGroup)
-    end
-  end
-end

data/lib/lockdown/rules.rb

@@ -1,372 +0,0 @@
-module Lockdown
-  module Rules
-    attr_accessor :options
-    attr_accessor :permissions
-    attr_accessor :user_groups
-
-    attr_reader :protected_access 
-    attr_reader :public_access
-
-    attr_reader :permission_objects
- 
-    def set_defaults
-      @permissions  = {}
-      @user_groups  = {}
-      @options      = {}
-
-      @permission_objects = {}
-
-      @public_access      = []
-      @protected_access   = []
-
-      @options = {
-        :session_timeout => (60 * 60),
-        :who_did_it => :current_user_id,
-        :default_who_did_it => 1,
-        :logout_on_access_violation => false,
-        :access_denied_path => "/",
-        :successful_login_path => "/",
-        :subdirectory => nil,
-        :skip_db_sync_in => ["test"],
-        :link_separator => ' | ',
-        :user_group_model => "UserGroup",
-        :user_model => "User" 
-      }
-    end
-
-    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-    # =Rule defining methods.  e.g. Methods used in lib/lockdown/init.rb
-    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-    # Creates new permission object 
-    #   Refer to the Permission object for the full functionality
-    def set_permission(name)
-      @permission_objects[name] = Lockdown::Permission.new(name)
-    end
-
-    # Defines public access by the permission symbols
-    #
-    # ==== Example
-    #   set_public_access(:permission_one, :permission_two)
-    #
-    def set_public_access(*perms)
-      perms.each do |perm_symbol|
-        perm = find_permission_object(perm_symbol)
-        if perm
-          perm.set_as_public_access 
-        else
-          msg = "Permission not found: #{perm_symbol}"
-          raise Lockdown::InvalidRuleAssignment, msg
-        end
-      end
-    end
-
-    # Defines protected access by the permission symbols
-    #
-    # ==== Example
-    #   set_public_access(:permission_one, :permission_two)
-    #
-    def set_protected_access(*perms)
-      perms.each do |perm_symbol|
-        perm = find_permission_object(perm_symbol)
-        if perm
-          perm.set_as_protected_access 
-        else
-          msg = "Permission not found: #{perm_symbol}"
-          raise Lockdown::InvalidRuleAssignment, msg
-        end
-      end
-    end
-
-    # Define a user groups by name and permission symbol(s)
-    #
-    # ==== Example
-    #   set_user_group(:managment_group, :permission_one, :permission_two)
-    #
-    def set_user_group(name, *perms)
-      user_groups[name] ||= []
-      perms.each do |perm|
-        if permission_assigned_automatically?(perm)
-          raise Lockdown::InvalidPermissionAssignment, "Permission is assigned automatically.  Please remove it from #{name} user group"
-        end
-        user_groups[name].push(perm)
-      end
-    end
- 
-    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-    # =Convenience methods for permissions and user groups
-    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-    
-    # Returns array of permission names as symbols
-    def get_permissions
-      permissions.keys
-    end
-
-    # Is the permission defined?
-    def permission_exists?(permission_symbol)
-      get_permissions.include?(permission_symbol)
-    end
-
-    alias_method :has_permission?, :permission_exists?
-    
-    # returns true if the permission is public
-    def public_access?(perm_symbol)
-      obj = find_permission_object(perm_symbol)
-      obj.nil? ? false : obj.public_access? 
-    end
-
-    # returns true if the permission is public
-    def protected_access?(perm_symbol)
-      obj = find_permission_object(perm_symbol)
-      obj.nil? ? false : obj.protected_access?
-    end
-
-    # These permissions are assigned by the system 
-    def permission_assigned_automatically?(permmision_symbol)
-      public_access?(permmision_symbol) || protected_access?(permmision_symbol)
-    end
-
-    # Returns array of user group names as symbols
-    def get_user_groups
-      user_groups.keys
-    end
-
-    # Is the user group defined?
-    #   The :administrators user group always exists
-    def user_group_exists?(user_group_symbol)
-      return true if user_group_symbol == Lockdown.administrator_group_symbol
-      get_user_groups.include?(user_group_symbol)
-    end
-
-    alias_method :has_user_group?, :user_group_exists?
-
-    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-    # =Convenience methods for permissions and user groups
-    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-    # Pass in a user object to be associated to the administrator user group 
-    # The group will be created if it doesn't exist
-    def make_user_administrator(usr)
-      user_groups = usr.send(Lockdown.user_groups_hbtm_reference)
-      user_groups << Lockdown.user_group_class.
-        find_or_create_by_name(Lockdown.administrator_group_string)
-    end
-
-
-    # Returns array of controller/action values all logged in users can access.
-    def standard_authorized_user_rights
-      public_access + protected_access 
-    end
-
-    # Return array of controller/action values user can access.
-    def access_rights_for_user(usr)
-      return unless usr
-      return :all if administrator?(usr)
-
-      rights = standard_authorized_user_rights
-        
-      user_groups = usr.send(Lockdown.user_groups_hbtm_reference)
-      user_groups.each do |grp|
-        permissions_for_user_group(grp).each do |perm|
-          rights += access_rights_for_permission(perm) 
-        end
-      end
-      rights
-    end
-
-    # Return array of controller/action for a user group
-    def access_rights_for_user_group(user_group_sym)
-      res = []
-      permissions_for_user_group(user_group_sym).each do |perm|
-        res << access_rights_for_permission(perm)
-      end
-      res.flatten
-    end
-
-    # Return array of controller/action for a permission
-    def access_rights_for_permission(perm)
-      sym = Lockdown.get_symbol(perm)
-
-      permissions[sym]
-    rescue 
-      raise SecurityError, "Permission requested is not defined: #{sym}"
-    end
-
-
-    # Test user for administrator rights
-    def administrator?(usr)
-      user_has_user_group?(usr, Lockdown.administrator_group_symbol)
-    end
-
-    # Pass in user object and symbol for name of user group
-    def user_has_user_group?(usr, sym)
-      user_groups = usr.send(Lockdown.user_groups_hbtm_reference)
-      user_groups.any? do |ug|
-        Lockdown.convert_reference_name(ug.name) == sym
-      end
-    end
-
-    # Use this for the management screen to restrict user group list to the
-    # user.  This will prevent a user from creating a user with more power than
-    # him/her self.
-    def user_groups_assignable_for_user(usr)
-      return [] if usr.nil?
-      ug_table = Lockdown.user_groups_hbtm_reference.to_s
-      if administrator?(usr)
-        Lockdown.user_group_class.find_by_sql <<-SQL
-          select #{ug_table}.* from #{ug_table} order by #{ug_table}.name
-        SQL
-      else
-        usr_table = Lockdown.users_hbtm_reference.to_s
-        if usr_table < ug_table
-          join_table = "#{usr_table}_#{ug_table}"
-        else
-          join_table = "#{ug_table}_#{usr_table}"
-        end
-        Lockdown.user_group_class.find_by_sql <<-SQL
-            select #{ug_table}.* from #{ug_table}, #{join_table}
-             where #{ug_table}.id = #{join_table}.#{Lockdown.user_group_id_reference}
-             and #{join_table}.#{Lockdown.user_id_reference} = #{usr.id}	 
-             order by #{ug_table}.name
-        SQL
-      end
-    end
-
-    # Similar to user_groups_assignable_for_user, this method should be
-    # used to restrict users from creating a user group with more power than
-    # they have been allowed.
-    def permissions_assignable_for_user(usr)
-      return [] if usr.nil?
-      if administrator?(usr)
-        get_permissions.collect do |k| 
-          ::Permission.find_by_name(Lockdown.get_string(k))
-        end.compact
-      else
-        user_groups_assignable_for_user(usr).collect do |g| 
-          g.permissions
-        end.flatten.compact
-      end
-    end
-
-    # Returns and array of permission symbols for the user group
-    def permissions_for_user_group(ug)
-      sym = Lockdown.get_symbol(ug)
-      perm_array = []  
-
-      if has_user_group?(sym)
-        permissions = user_groups[sym] || []
-      else
-        if ug.respond_to?(:permissions)
-          permissions = ug.permissions
-        else
-          raise GroupUndefinedError, "#{ug} not found in init.rb and does not respond to #permissions"
-        end
-      end
-
-
-      permissions.each do |perm|
-        perm_sym = Lockdown.get_symbol(perm)
-
-        unless permission_exists?(perm_sym)
-          msg = "Permission associated to User Group is invalid: #{perm}"
-          raise SecurityError, msg
-        end
-
-        perm_array << perm_sym
-      end
-
-      perm_array 
-    end
-
-    def process_rules
-      parse_permissions
-      validate_user_groups
-    end
-
-    private
-
-    def find_permission_object(perm_symbol)
-      obj = permission_objects.find{|name, pobj| pobj.name == perm_symbol}
-      obj[1] if obj
-    end
-
-    def validate_user_groups
-      user_groups.each do |user_group, perms|
-        perms.each do |perm|
-          unless permission_exists?(perm)
-            msg ="User Group: #{user_group}, permission not found: #{perm}"
-            raise Lockdown::InvalidRuleAssignment, msg
-          end
-        end
-      end
-    end
-
-    def parse_permissions
-      permission_objects.each do |name, perm|
-        @permissions[perm.name] ||= []
-        set_controller_access(perm)
-      end
-
-      set_model_access
-    end
-
-    def set_controller_access(perm)
-      perm.controllers.each do |name, controller|
-        controller.set_access_methods
-
-        @permissions[perm.name] |= controller.access_methods
-
-        if perm.public_access?
-          @public_access |= controller.access_methods
-        elsif perm.protected_access?
-          @protected_access |= controller.access_methods
-        end
-      end
-    end
-
-    def set_model_access
-      method_definition =  "\tdef check_model_authorization\n\t#This method will check for access to model resources\n"
-
-      permission_objects.each do |name, perm|
-        next if perm.models.empty?
-
-        #Set filter for each controller
-        perm.controllers.each do |controller_name, controller|
-          #Set filter for each model on controller
-          perm.models.each do |model_name, model|
-            method_definition << define_restrict_model_access(controller, model)
-          end
-        end
-      end
-
-      method_definition << "\n\tend"
-
-      Lockdown.add_controller_method method_definition
-    end
-
-    def define_restrict_model_access(controller, model)
-      controller_class = Lockdown.fetch_controller_class(controller.name)
-
-      methods = controller.
-                  access_methods.
-                    collect do |am| 
-                      am[am.index('/') + 1..-1].to_sym if am.index('/')
-                    end.compact.inspect
-
-      return <<-RUBY
-        if controller_name == "#{controller.name}" 
-          if #{methods}.include?(action_name.to_sym)
-            unless instance_variable_defined?(:@#{model.name})
-              @#{model.name} = #{model.class_name}.find(params[#{model.param.inspect}])
-            end
-            # Need to make sure we find the model first before checking admin status. 
-            return true if current_user_is_admin? 
-            unless @#{model.name}.#{model.model_method}.#{model.association}(#{model.controller_method})
-              raise SecurityError, "Access to #\{action_name\} denied to #{model.name}.id #\{@#{model.name}.id\}"
-            end
-          end
-        end
-      RUBY
-    end
-  end
-end

data/lib/lockdown/system.rb

@@ -1,58 +0,0 @@
-module Lockdown
-  class System
-    extend Lockdown::Rules
-
-    def self.configure(&block)
-      set_defaults 
-
-      # Lockdown::Rules defines the methods that are used inside block
-      instance_eval(&block)
-
-      # Lockdown::Rules defines process_rules
-      process_rules
-
-      Lockdown::Database.sync_with_db unless skip_sync?
-
-      @initialized = true if Lockdown.caching?
-    end
-
-    def self.initialized?
-      @initialized
-    end
-
-    def self.fetch(key)
-      (@options||={})[key]
-    end
-
-    def self.call(object, system_option)
-      method = fetch(system_option)
-      if method.is_a?(Symbol) && object.respond_to?(method)
-        object.send(method) 
-      end
-    end
-
-    protected 
-
-    def self.paths_for(str_sym, *methods)
-      str_sym = str_sym.to_s if str_sym.is_a?(Symbol)
-      if methods.empty?
-        klass = Lockdown.fetch_controller_class(str_sym)
-        methods = available_actions(klass) 
-      end
-      path_str = str_sym.gsub("__","\/") 
-        
-      subdir = Lockdown::System.fetch(:subdirectory)
-      path_str = "#{subdir}/#{path_str}" if subdir
-
-      controller_actions = methods.flatten.collect{|m| m.to_s}
-
-      paths = controller_actions.collect{|meth| "#{path_str}/#{meth.to_s}" }
-
-      if controller_actions.include?("index")
-        paths += [path_str]
-      end
-
-      paths
-    end
- end # System class
-end # Lockdown