lockdown_vail 1.6.2.1

data/lib/lockdown/rules.rb

@@ -0,0 +1,372 @@
+module Lockdown
+  module Rules
+    attr_accessor :options
+    attr_accessor :permissions
+    attr_accessor :user_groups
+
+    attr_reader :protected_access 
+    attr_reader :public_access
+
+    attr_reader :permission_objects
+ 
+    def set_defaults
+      @permissions  = {}
+      @user_groups  = {}
+      @options      = {}
+
+      @permission_objects = {}
+
+      @public_access      = []
+      @protected_access   = []
+
+      @options = {
+        :session_timeout => (60 * 60),
+        :who_did_it => :current_user_id,
+        :default_who_did_it => 1,
+        :logout_on_access_violation => false,
+        :access_denied_path => "/",
+        :successful_login_path => "/",
+        :subdirectory => nil,
+        :skip_db_sync_in => ["test"],
+        :link_separator => ' | ',
+        :user_group_model => "UserGroup",
+        :user_model => "User" 
+      }
+    end
+
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    # =Rule defining methods.  e.g. Methods used in lib/lockdown/init.rb
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+    # Creates new permission object 
+    #   Refer to the Permission object for the full functionality
+    def set_permission(name)
+      @permission_objects[name] = Lockdown::Permission.new(name)
+    end
+
+    # Defines public access by the permission symbols
+    #
+    # ==== Example
+    #   set_public_access(:permission_one, :permission_two)
+    #
+    def set_public_access(*perms)
+      perms.each do |perm_symbol|
+        perm = find_permission_object(perm_symbol)
+        if perm
+          perm.set_as_public_access 
+        else
+          msg = "Permission not found: #{perm_symbol}"
+          raise Lockdown::InvalidRuleAssignment, msg
+        end
+      end
+    end
+
+    # Defines protected access by the permission symbols
+    #
+    # ==== Example
+    #   set_public_access(:permission_one, :permission_two)
+    #
+    def set_protected_access(*perms)
+      perms.each do |perm_symbol|
+        perm = find_permission_object(perm_symbol)
+        if perm
+          perm.set_as_protected_access 
+        else
+          msg = "Permission not found: #{perm_symbol}"
+          raise Lockdown::InvalidRuleAssignment, msg
+        end
+      end
+    end
+
+    # Define a user groups by name and permission symbol(s)
+    #
+    # ==== Example
+    #   set_user_group(:managment_group, :permission_one, :permission_two)
+    #
+    def set_user_group(name, *perms)
+      user_groups[name] ||= []
+      perms.each do |perm|
+        if permission_assigned_automatically?(perm)
+          raise Lockdown::InvalidPermissionAssignment, "Permission is assigned automatically.  Please remove it from #{name} user group"
+        end
+        user_groups[name].push(perm)
+      end
+    end
+ 
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    # =Convenience methods for permissions and user groups
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    
+    # Returns array of permission names as symbols
+    def get_permissions
+      permissions.keys
+    end
+
+    # Is the permission defined?
+    def permission_exists?(permission_symbol)
+      get_permissions.include?(permission_symbol)
+    end
+
+    alias_method :has_permission?, :permission_exists?
+    
+    # returns true if the permission is public
+    def public_access?(perm_symbol)
+      obj = find_permission_object(perm_symbol)
+      obj.nil? ? false : obj.public_access? 
+    end
+
+    # returns true if the permission is public
+    def protected_access?(perm_symbol)
+      obj = find_permission_object(perm_symbol)
+      obj.nil? ? false : obj.protected_access?
+    end
+
+    # These permissions are assigned by the system 
+    def permission_assigned_automatically?(permmision_symbol)
+      public_access?(permmision_symbol) || protected_access?(permmision_symbol)
+    end
+
+    # Returns array of user group names as symbols
+    def get_user_groups
+      user_groups.keys
+    end
+
+    # Is the user group defined?
+    #   The :administrators user group always exists
+    def user_group_exists?(user_group_symbol)
+      return true if user_group_symbol == Lockdown.administrator_group_symbol
+      get_user_groups.include?(user_group_symbol)
+    end
+
+    alias_method :has_user_group?, :user_group_exists?
+
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    # =Convenience methods for permissions and user groups
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+    # Pass in a user object to be associated to the administrator user group 
+    # The group will be created if it doesn't exist
+    def make_user_administrator(usr)
+      user_groups = usr.send(Lockdown.user_groups_hbtm_reference)
+      user_groups << Lockdown.user_group_class.
+        find_or_create_by_name(Lockdown.administrator_group_string)
+    end
+
+
+    # Returns array of controller/action values all logged in users can access.
+    def standard_authorized_user_rights
+      public_access + protected_access 
+    end
+
+    # Return array of controller/action values user can access.
+    def access_rights_for_user(usr)
+      return unless usr
+      return :all if administrator?(usr)
+
+      rights = standard_authorized_user_rights
+        
+      user_groups = usr.send(Lockdown.user_groups_hbtm_reference)
+      user_groups.each do |grp|
+        permissions_for_user_group(grp).each do |perm|
+          rights += access_rights_for_permission(perm) 
+        end
+      end
+      rights
+    end
+
+    # Return array of controller/action for a user group
+    def access_rights_for_user_group(user_group_sym)
+      res = []
+      permissions_for_user_group(user_group_sym).each do |perm|
+        res << access_rights_for_permission(perm)
+      end
+      res.flatten
+    end
+
+    # Return array of controller/action for a permission
+    def access_rights_for_permission(perm)
+      sym = Lockdown.get_symbol(perm)
+
+      permissions[sym]
+    rescue 
+      raise SecurityError, "Permission requested is not defined: #{sym}"
+    end
+
+
+    # Test user for administrator rights
+    def administrator?(usr)
+      user_has_user_group?(usr, Lockdown.administrator_group_symbol)
+    end
+
+    # Pass in user object and symbol for name of user group
+    def user_has_user_group?(usr, sym)
+      user_groups = usr.send(Lockdown.user_groups_hbtm_reference)
+      user_groups.any? do |ug|
+        Lockdown.convert_reference_name(ug.name) == sym
+      end
+    end
+
+    # Use this for the management screen to restrict user group list to the
+    # user.  This will prevent a user from creating a user with more power than
+    # him/her self.
+    def user_groups_assignable_for_user(usr)
+      return [] if usr.nil?
+      ug_table = Lockdown.user_groups_hbtm_reference.to_s
+      if administrator?(usr)
+        Lockdown.user_group_class.find_by_sql <<-SQL
+          select #{ug_table}.* from #{ug_table} order by #{ug_table}.name
+        SQL
+      else
+        usr_table = Lockdown.users_hbtm_reference.to_s
+        if usr_table < ug_table
+          join_table = "#{usr_table}_#{ug_table}"
+        else
+          join_table = "#{ug_table}_#{usr_table}"
+        end
+        Lockdown.user_group_class.find_by_sql <<-SQL
+            select #{ug_table}.* from #{ug_table}, #{join_table}
+             where #{ug_table}.id = #{join_table}.#{Lockdown.user_group_id_reference}
+             and #{join_table}.#{Lockdown.user_id_reference} = #{usr.id}	 
+             order by #{ug_table}.name
+        SQL
+      end
+    end
+
+    # Similar to user_groups_assignable_for_user, this method should be
+    # used to restrict users from creating a user group with more power than
+    # they have been allowed.
+    def permissions_assignable_for_user(usr)
+      return [] if usr.nil?
+      if administrator?(usr)
+        get_permissions.collect do |k| 
+          ::Permission.find_by_name(Lockdown.get_string(k))
+        end.compact
+      else
+        user_groups_assignable_for_user(usr).collect do |g| 
+          g.permissions
+        end.flatten.compact
+      end
+    end
+
+    # Returns and array of permission symbols for the user group
+    def permissions_for_user_group(ug)
+      sym = Lockdown.get_symbol(ug)
+      perm_array = []  
+
+      if has_user_group?(sym)
+        permissions = user_groups[sym] || []
+      else
+        if ug.respond_to?(:permissions)
+          permissions = ug.permissions
+        else
+          raise GroupUndefinedError, "#{ug} not found in init.rb and does not respond to #permissions"
+        end
+      end
+
+
+      permissions.each do |perm|
+        perm_sym = Lockdown.get_symbol(perm)
+
+        unless permission_exists?(perm_sym)
+          msg = "Permission associated to User Group is invalid: #{perm}"
+          raise SecurityError, msg
+        end
+
+        perm_array << perm_sym
+      end
+
+      perm_array 
+    end
+
+    def process_rules
+      parse_permissions
+      validate_user_groups
+    end
+
+    private
+
+    def find_permission_object(perm_symbol)
+      obj = permission_objects.find{|name, pobj| pobj.name == perm_symbol}
+      obj[1] if obj
+    end
+
+    def validate_user_groups
+      user_groups.each do |user_group, perms|
+        perms.each do |perm|
+          unless permission_exists?(perm)
+            msg ="User Group: #{user_group}, permission not found: #{perm}"
+            raise Lockdown::InvalidRuleAssignment, msg
+          end
+        end
+      end
+    end
+
+    def parse_permissions
+      permission_objects.each do |name, perm|
+        @permissions[perm.name] ||= []
+        set_controller_access(perm)
+      end
+
+      set_model_access
+    end
+
+    def set_controller_access(perm)
+      perm.controllers.each do |name, controller|
+        controller.set_access_methods
+
+        @permissions[perm.name] |= controller.access_methods
+
+        if perm.public_access?
+          @public_access |= controller.access_methods
+        elsif perm.protected_access?
+          @protected_access |= controller.access_methods
+        end
+      end
+    end
+
+    def set_model_access
+      method_definition =  "\tdef check_model_authorization\n\t#This method will check for access to model resources\n"
+
+      permission_objects.each do |name, perm|
+        next if perm.models.empty?
+
+        #Set filter for each controller
+        perm.controllers.each do |controller_name, controller|
+          #Set filter for each model on controller
+          perm.models.each do |model_name, model|
+            method_definition << define_restrict_model_access(controller, model)
+          end
+        end
+      end
+
+      method_definition << "\n\tend"
+
+      Lockdown.add_controller_method method_definition
+    end
+
+    def define_restrict_model_access(controller, model)
+      controller_class = Lockdown.fetch_controller_class(controller.name)
+
+      methods = controller.
+                  access_methods.
+                    collect do |am| 
+                      am[am.index('/') + 1..-1].to_sym if am.index('/')
+                    end.compact.inspect
+
+      return <<-RUBY
+        if controller_name == "#{controller.name}" 
+          if #{methods}.include?(action_name.to_sym)
+            unless instance_variable_defined?(:@#{model.name})
+              @#{model.name} = #{model.class_name}.find(params[#{model.param.inspect}])
+            end
+            # Need to make sure we find the model first before checking admin status. 
+            return true if current_user_is_admin? 
+            unless @#{model.name}.#{model.model_method}.#{model.association}(#{model.controller_method})
+              raise SecurityError, "Access to #\{action_name\} denied to #{model.name}.id #\{@#{model.name}.id\}"
+            end
+          end
+        end
+      RUBY
+    end
+  end
+end

data/lib/lockdown/session.rb

@@ -0,0 +1,66 @@
+module Lockdown
+  module Session
+
+    protected
+
+    def access_rights_from_session
+      groups = session[:user_groups] || []  # => [:consumer, :collaborator]
+      groups.inject([]) {|ar, g| ar += Lockdown::System.access_rights_for_user_group(g) }
+    end
+
+    def add_lockdown_session_values(user = nil)
+      user ||= current_user
+      
+      if user
+        session[:user_groups] = groups_for_user(user)
+        session[:current_user_id] = user.id
+      end
+    end
+    
+    def groups_for_user(user)
+      user.send(Lockdown.user_groups_hbtm_reference).map {|ug| Lockdown.get_symbol(ug) }
+    end
+
+    def logged_in?
+      current_user_id.to_i > 0
+    end
+
+    def current_user_id
+      session[:current_user_id]
+    end
+
+    def current_user_is_admin?
+      session[:access_rights] == :all
+    end
+
+    def current_user_access_in_group?(grp)
+      return true if current_user_is_admin?
+        Lockdown::System.user_groups[grp].each do |perm|
+          return true if access_in_perm?(perm)
+        end
+      false
+    end
+
+    def access_in_perm?(perm)
+      if Lockdown::System.permissions[perm]
+        Lockdown::System.permissions[perm].each do |ar|
+          return true if session_access_rights_include?(ar)
+        end 
+      end
+      false
+    end
+
+    def session_access_rights_include?(str)
+      return false unless session[:access_rights]
+      session[:access_rights].include?(str)
+    end
+
+    def reset_lockdown_session
+      [:expiry_time, :current_user_id, :access_rights, :user_groups].each do |val|
+        session[val] = nil if session[val]
+      end
+    end 
+
+    alias_method :nil_lockdown_values, :reset_lockdown_session
+  end # Session
+end # Lockdown

data/lib/lockdown/system.rb

@@ -0,0 +1,58 @@
+module Lockdown
+  class System
+    extend Lockdown::Rules
+
+    def self.configure(&block)
+      set_defaults 
+
+      # Lockdown::Rules defines the methods that are used inside block
+      instance_eval(&block)
+
+      # Lockdown::Rules defines process_rules
+      process_rules
+
+      Lockdown::Database.sync_with_db unless skip_sync?
+
+      @initialized = true if Lockdown.caching?
+    end
+
+    def self.initialized?
+      @initialized
+    end
+
+    def self.fetch(key)
+      (@options||={})[key]
+    end
+
+    def self.call(object, system_option)
+      method = fetch(system_option)
+      if method.is_a?(Symbol) && object.respond_to?(method)
+        object.send(method) 
+      end
+    end
+
+    protected 
+
+    def self.paths_for(str_sym, *methods)
+      str_sym = str_sym.to_s if str_sym.is_a?(Symbol)
+      if methods.empty?
+        klass = Lockdown.fetch_controller_class(str_sym)
+        methods = available_actions(klass) 
+      end
+      path_str = str_sym.gsub("__","\/") 
+        
+      subdir = Lockdown::System.fetch(:subdirectory)
+      path_str = "#{subdir}/#{path_str}" if subdir
+
+      controller_actions = methods.flatten.collect{|m| m.to_s}
+
+      paths = controller_actions.collect{|meth| "#{path_str}/#{meth.to_s}" }
+
+      if controller_actions.include?("index")
+        paths += [path_str]
+      end
+
+      paths
+    end
+ end # System class
+end # Lockdown