logical_authz 0.1.6

data/app/controllers/groups_controller.rb

@@ -0,0 +1,77 @@
+require 'logical_authz'
+
+#TODO: R3 respond_with
+class GroupsController < AuthzController
+  
+  PER_PAGE = 20
+
+  # GET /groups
+  # GET /groups.xml
+  def index
+    @groups = Group.all
+
+    respond_to do |format|
+      format.html # index.html.erb
+      format.xml  { render :xml => @groups }
+    end
+  end
+
+  def edit
+    @group = Group.find(params[:id])
+  end
+
+  def update
+    @group = Group.find(params[:id])
+    if @group.update_attributes(params[:group])
+      flash[:notice] = 'Group was successfully updated.'
+      redirect_to(@group)
+    else
+      render :action => "edit"
+    end
+  end
+
+  def show
+    @group = Group.find(params[:id])      
+  end
+
+  # GET /groups/new
+  # GET /groups/new.xml
+  def new
+    @group = Group.new
+
+    respond_to do |format|
+      format.html # new.html.erb
+      format.xml  { render :xml => @group }
+    end
+  end
+
+  # POST /groups
+  # POST /groups.xml
+  def create
+    @group = Group.new(params[:group])
+
+    respond_to do |format|
+      if @group.save
+        flash[:notice] = 'Group was successfully created.'
+        format.html { redirect_to(groups_path) }
+        format.xml  { render :xml => @group, :status => :created, :location => @group }
+      else
+        format.html { render :action => "new" }
+        format.xml  { render :xml => @group.errors, :status => :unprocessable_entity }
+      end
+    end
+  end
+
+  # DELETE /groups/1
+  # DELETE /groups/1.xml
+  def destroy
+    @group = Group.find(params[:id])
+    @group.destroy
+
+    respond_to do |format|
+      format.html { redirect_to(groups_url) }
+      format.xml  { head :ok }
+    end
+  end
+  
+end

data/app/controllers/groups_users_controller.rb

@@ -0,0 +1,27 @@
+class GroupsUsersController < AuthzController 
+  before_filter :get_instance_vars
+  
+  def create
+    if @user && @group
+      @user.groups << @group
+    end 
+    respond_to do |format|
+      format.html { redirect_to :back }
+    end 
+  end
+
+  def destroy
+    if @user && @group
+      @user.groups.delete(@group)
+    end 
+    respond_to do |format|
+      format.html { redirect_to :back }
+    end
+  end
+
+  private
+  def get_instance_vars   
+    @user = Group.member_class.find_by_id(params[:user_id])
+    @group = Group.find_by_id(params[:group_id])     
+  end
+end

data/app/controllers/permissions_controller.rb

@@ -0,0 +1,63 @@
+
+class PermissionsController < AuthzController                
+  needs_authorization
+  admin_authorized
+
+  before_filter :get_permission, :only => [:edit, :update, :destroy]
+
+  def index
+    @permissions = Permission.all
+  end
+
+  def new
+    @permission = Permission.new
+  end
+
+  def edit
+  end
+
+  def update
+    if @permssion.update_attributes(params[:permission])
+      flash[:notice] = "Permission updated"
+      redirect_to permissions_path
+    else
+      render :action => :edit
+    end
+  end
+
+  def destroy
+    @permission.try(:destroy)
+    redirect_to permissions_path
+  end
+
+  def create
+    group = Group.find_by_id(params[:group])
+    return if group.nil?
+
+    permission_selector = {
+      :controller => params[:p_controller], 
+      :action => params[:p_action], 
+      :subject_id => params[:object],
+      :group_id => group.id
+    }
+
+    if params["permission"] == "true"
+      Permission.create!(permission_selector)
+    else
+      perms = group.permissions.find(:all, :conditions => permission_selector)        
+      perms.each {|perm| perm.destroy}
+    end
+
+    respond_to do |format|
+      format.js 
+      format.html do
+        redirect_to :back
+      end
+    end
+  end
+
+  private
+  def get_permission
+    @permission = Permission.find_by_id(params[:id])
+  end
+end

data/app/helpers/logical_authz_helper.rb

@@ -0,0 +1,158 @@
+require 'logical_authz/configuration'
+
+module LogicalAuthz
+  class << self
+    def laz_debug
+      if block_given? and LogicalAuthz::Configuration::debugging?
+        Rails::logger::debug do 
+          msg = yield
+          String === msg ? msg : msg.inspect
+        end
+      end
+    end
+  end
+
+  module Helper
+    def laz_debug
+      if block_given?
+        LogicalAuthz::laz_debug{yield}
+      end
+    end
+
+    def authorized?(criteria=nil)
+      criteria ||= {}
+
+      laz_debug{"Helper authorizing: #{LogicalAuthz.inspect_criteria(criteria)}"}
+
+      criteria = {
+        :controller => controller_path, 
+        :action => action_name, 
+        :id => params[:id] 
+      }.merge(criteria)
+      criteria[:params] = criteria.dup
+
+      unless criteria.has_key?(:group) or criteria.has_key?(:user)
+        controller = case self
+                     when ActionView::Base
+                       self.controller
+                     else
+                       self #XXX ???
+                     end
+        criteria[:user] = AuthnFacade.current_user(controller)
+      end
+
+      result = LogicalAuthz.is_authorized?(criteria)
+
+      return result
+    end 
+        
+    # returns an array of group names and ids (suitable for select_tag)
+    # for which <user> is not a member
+    def nonmembered_groups(user)
+      (LogicalAuthz::group_model.all - user.groups).map { |g| [ g.name, g.id ] }
+    end    
+
+    def groups
+      LogicalAuthz::group_model.all.map do |group|
+        [group.name, group.id ]
+      end
+    end
+
+    def controller_pairs
+      controllers = ActionController::Routing::possible_controllers
+      controllers -= %w{rails/info application authz rails_info}
+      controllers.map{|c| [c.classify, c]}
+    end
+
+    def criteria_from_url(url, html_options = nil)
+      return nil if url.nil?
+      uri = URI.parse(url_for(url))
+      path = uri.path
+      querystring = uri.query
+      http_method = (html_options.nil? ? nil : html_options[:method]) || :get
+      begin
+        params = Rails.application.routes.recognize_path(path, :method => http_method)
+      rescue ActionController::RoutingError => ex
+        Rails.logger.info{"Asked to authorize url: #{html_options.inspect} - couldn't route: #{ex.class.name}: #{ex.message}"}
+        return nil
+      end
+      querystring.blank? ? params : params.merge(Rack::Utils.parse_query(querystring).symbolize_keys!)
+    end
+
+    def authorized_url?(options, html_options = nil)
+      html_options ||= {}
+      params = {}
+      if Hash === options
+        params = options
+      else
+        params = criteria_from_url(options)
+      end
+      if params.nil?
+        true #We can't work out where it is, so we have no opinion
+        #XXX: Shouldn't this be false?
+      else
+        authorized?(params)
+      end
+    end
+
+    def authorized_menu(*items)
+      yield(items) if items.all? do |item|
+        authorized_url? [*item].last
+      end
+    end
+
+    def link_to_if_authorized(name, options = nil, html_options = nil)
+      options ||= {}
+      html_options ||= {}
+      url = options
+      if(authorized_url?(url, html_options))
+        link_to(name, options, html_options)
+      else
+        if block_given?
+          yield
+        else
+          ""
+        end
+      end
+    end
+
+    def button_to_if_authorized(name, options = {}, html_options = {})
+      url = options
+      if(authorized_url?(url, html_options))
+        button_to(name, options, html_options)
+      else
+        if block_given?
+          yield
+        else
+          ""
+        end
+      end
+    end
+
+    def link_to_remote_if_authorized(name, options = {}, html_options = nil)
+      url = options[:url]
+      if(authorized_url?(url, html_options))
+        link_to_remote(name, options, html_options)
+      else
+        if block_given?
+          yield
+        else
+          ""
+        end
+      end
+    end
+
+    def button_to_remote_if_authorized(name, options = {}, html_options = nil)
+      url = options[:url]
+      if(authorized_url?(url, html_options))
+        button_to_remote(name, options, html_options)
+      else
+        if block_given?
+          yield
+        else
+          ""
+        end
+      end
+    end
+  end
+end

data/app/views/groups/_controls.html.haml

@@ -0,0 +1,18 @@
+-page ||= @page
+                 
+- content_for(:aux) do
+  - page_block("Admin Tool: Permissions", :cssclass => "narrowcolumn admin") do
+ 
+    %p Set view and edit permissions on this page.
+    %table.listing         
+      %tr
+        %th Group
+        %th View?
+        %th Edit?
+      
+      - for group in Group.all
+        %tr
+          %td= h group.name
+        
+
+

data/app/views/groups/_form.html.haml

@@ -0,0 +1,4 @@
+= error_messages_for :group
+- form_for @group, :url => groups_path do |f|
+  = labeled_input f, :name
+  = unlabeled_submit(f)

data/app/views/groups/create.rjs

@@ -0,0 +1 @@
+page.replace_html :permissions, :partial => 'permissions/controls', :locals => { :page => page } 

data/app/views/groups/edit.html.haml

@@ -0,0 +1 @@
+= render :partial => "form"

data/app/views/groups/index.html.haml

@@ -0,0 +1,14 @@
+-set_headline "Groups"
+
+%ul.actions
+  %li= link_to_if_authorized("Create New Group", new_group_path)
+
+%table.listing
+  %tr
+    %th Group Name
+  - @groups.each do |group|
+    %tr
+      %td= link_to_if_authorized(group.name, group_path(group))
+      %td
+        = link_to_if_authorized("Edit", edit_group_path(group))
+        = link_to_if_authorized("Delete", group_path(group), :method => :delete)

data/app/views/groups/new.html.haml

@@ -0,0 +1,2 @@
+- set_headline "Grant Permission"
+= render :partial => "form.html.haml"

data/app/views/groups/show.html.haml

@@ -0,0 +1,6 @@
+-set_headline "Group: " + @group.name
+
+%h3 Members
+%ul
+-@group.members.each do |member|
+  %li= member.name

data/app/views/permissions/_controls.html.haml

@@ -0,0 +1,18 @@
+-page ||= @page
+                 
+- content_for(:aux) do
+  - page_block("Admin Tool: Permissions", :cssclass => "narrowcolumn admin") do
+ 
+    %p Set view and edit permissions on this page.
+    %table.listing         
+      %tr
+        %th Group
+        %th View?
+        %th Edit?
+      
+      - for group in Group.all
+        %tr
+          %td= h group.name
+        
+
+

data/app/views/permissions/_form.html.haml

@@ -0,0 +1,8 @@
+= error_messages_for :permission
+- form_for @permission, :url => permissions_path do |f|
+  = hidden_field_tag(:permission, true)
+  = labeled_input f, :group, :input => select(:permission, :group_id, groups)
+  = labeled_input f, :controller, :input => select(:permission, :controller, controller_pairs)
+  = labeled_input f, :action
+  = labeled_input f, :subject_id, :text => "id"
+  = unlabeled_submit(f)

data/app/views/permissions/create.rjs

@@ -0,0 +1 @@
+page.replace_html :permissions, :partial => 'permissions/controls', :locals => { :page => page } 

data/app/views/permissions/edit.html.haml

@@ -0,0 +1 @@
+= render :partial => _form.html.haml

data/app/views/permissions/index.html.haml

@@ -0,0 +1,20 @@
+-set_headline "Permissions"
+
+%ul.actions
+  %li= link_to_if_authorized("Grant New Permission", new_permission_path)
+
+%table.listing
+  %tr
+    %th Group
+    %th Controller
+    %th Action
+    %th Object ID
+  - @permissions.each do |permission|
+    %tr
+      %td= permission.group.name
+      %td= permission.controller
+      %td= permission.action || "*"
+      %td= permission.subject_id || "*"
+      %td
+        = link_to_if_authorized("Edit", edit_permission_path(permission))
+        = link_to_if_authorized("Delete", permission_path(permission), :method => :delete)

data/app/views/permissions/new.html.haml

@@ -0,0 +1,2 @@
+- set_headline "Grant Permission"
+= render :partial => "form.html.haml"

data/config/initializers/activate.rb

@@ -0,0 +1 @@
+require 'logical_authz'

data/generators/logical_authz/logical_authz_generator.rb

@@ -0,0 +1,13 @@
+class LogicalAuthzGenerator < LogicalAuthz::Generator
+  def manifest
+    record do |manifest|
+      manifest.dependency "logical_authz_models", [], options
+      manifest.dependency "logical_authz_specs", [], options
+      manifest.dependency "logical_authz_routes", [], options
+
+      manifest.template "app/controllers/authz_controller.rb.erb", "app/controllers/authz_controller.rb"
+      manifest.template "app/views/layouts/_explain_authz.html.haml", "app/views/layouts/_explain_authz.html.haml.erb"
+      manifest.readme "README"
+    end
+  end
+end

data/generators/logical_authz/templates/README

@@ -0,0 +1,11 @@
+
+
+
+You'll want to add this to your db/seeds.rb:
+require 'db/logical_authz_seeds'
+
+You'll also want to add this to your ApplicationController:
+  include LogicalAuthz::Application
+
+
+Thanks for using Logical Authorization!

data/generators/logical_authz/templates/app/controllers/authz_controller.rb.erb

@@ -0,0 +1,4 @@
+class AuthzController < ApplicationController
+  needs_authorization
+  admin_authorized
+end

data/generators/logical_authz/templates/app/views/layouts/_explain_authz.html.haml.erb

@@ -0,0 +1,21 @@
+- unless flash.has_key? :logical_authz_record
+  -# Authorization not required
+- else
+  - if flash[:logical_authz_record][:result]
+    -# Authorization successful
+  - else
+    - laz_rec = flash[:logical_authz_record]
+    - if LogicalAuthz::AuthnFacade::current_user(controller).nil?
+      You aren't
+      = link_to("logged in", login_path)
+    - else
+      - case laz_rec[:reason]
+      - when :default, :rule_triggered
+        You aren't permitted to access 
+        = laz_rec[:authz_path]
+      - when :no_authorization_needed
+        You were denied access to 
+        = laz_rec[:authz_path]
+        although authorization isn't required - something is probably wrong.
+      - else
+        You were denied authorization

data/generators/logical_authz_models/logical_authz_models_generator.rb

@@ -0,0 +1,22 @@
+class LogicalAuthzModelsGenerator < LogicalAuthz::Generator
+  default_options(:permission_class => "Permission", 
+                  :group_class => "Group",
+                  :admin_group => "Administration")
+
+  def manifest 
+    raise "User class name (--user) is required!" unless options[:user_class]
+
+    record do |manifest|
+      #Yeah, I know, and I'm sorry.  It should be okay, though.
+      ActiveRecord::Base.timestamped_migrations = false
+      manifest.class_collisions options[:group_class], options[:permission_class]
+      manifest.template "app/models/group.rb.erb", "app/models/#{template_data[:group_field]}.rb", :assigns => template_data
+      manifest.template "app/models/permission.rb.erb", "app/models/#{template_data[:permission_field]}.rb", :assigns => template_data
+      manifest.template "config/initializers/logical_authz.rb.erb", "config/initializers/logical_authz.rb", :assigns => template_data
+      manifest.template "db/seeds_logical_authz.rb.erb", "db/seeds_logical_authz.rb", :assigns => template_data
+      manifest.migration_template "migrations/create_groups.rb.erb", "db/migrate", :migration_file_name => "create_#{template_data[:group_table]}", :assigns => template_data
+      manifest.migration_template "migrations/create_permissions.rb.erb", "db/migrate", :migration_file_name => "create_#{template_data[:permission_table]}", :assigns => template_data
+      manifest.migration_template "migrations/create_users_groups.rb.erb", "db/migrate", :migration_file_name => "create_#{template_data[:user_table]}_#{template_data[:group_table]}", :assigns => template_data
+    end
+  end
+end

data/generators/logical_authz_routes/logical_authz_routes_generator.rb

@@ -0,0 +1,12 @@
+class LogicalAuthzRoutesGenerator < LogicalAuthz::Generator
+  def manifest
+    record do |manifest|
+      manifest.named_route :group_user, '/group_user', :controller => 'groups_users', :action => 'create', :conditions => { :method => :post }
+      manifest.named_route :ungroup_user, '/ungroup_user', :controller => 'groups_users', :action => 'destroy', :conditions => { :method => :delete }
+      manifest.named_route :permit_page, '/permit', :controller => 'permissions', :action => 'create', :conditions => { :method => :post } 
+      manifest.named_route :forbid_page, '/forbid', :controller => 'permissions', :action => 'destroy', :conditions => { :method => :delete }
+      manifest.route_resources :groups
+      manifest.named_route :default_unauthorized, '/', :controller => "home", :action => "index"
+    end
+  end
+end

data/generators/logical_authz_specs/logical_authz_specs_generator.rb

@@ -0,0 +1,26 @@
+class LogicalAuthzSpecsGenerator < LogicalAuthz::Generator
+  default_options(:permission_class => "Permission", 
+                  :group_class => "Group",
+                  :admin_group => "Administration")
+
+  def manifest
+    record do |manifest|
+      manifest.directory "spec/factories"
+      manifest.directory "spec/support"
+      manifest.directory "spec/controllers"
+      manifest.directory "spec/helpers"
+
+      manifest.with_options :assigns => template_data do |templ|
+        templ.template "spec/factories/az_accounts.rb.erb", "spec/factories/logical_authz_#{template_data[:user_table]}.rb"
+        templ.template "spec/factories/az_groups.rb.erb", "spec/factories/logical_authz_#{template_data[:group_table]}.rb"
+        templ.template "spec/factories/permissions.rb.erb", "spec/factories/logical_authz_#{template_data[:permission_table]}.rb"
+        templ.template "spec/support/logical_authz.rb.erb", "spec/support/logical_authz.rb"
+        templ.template "spec/support/mock_auth.rb.erb", "spec/support/mock_auth.rb"
+        templ.template "spec/controllers/permissions_controller_spec.rb.erb", "spec/controllers/permissions_controller_spec.rb"
+        templ.template "spec/controllers/groups_controller_spec.rb.erb", "spec/controllers/groups_controller_spec.rb"
+        templ.template "spec/controllers/groups_users_controller_spec.rb.erb", "spec/controllers/groups_users_controller_spec.rb"
+        templ.template "spec/helpers/logical_authz_helper_spec.rb.erb", "spec/helpers/logical_authz_helper_spec.rb"
+      end
+    end
+  end
+end