logical_authz 0.1.10 → 0.2.1

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License
+
+Copyright (c) 2011 Judson Lester
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README

@@ -0,0 +1,117 @@
+LogicalAuthz
+============
+
+Provides simple, fast group based Authorization facilities for Rails apps.
+
+Example
+=======
+
+class MyController
+  needs_authorization :show, :index #other actions available to anyone
+  #needs_authorization <- this form makes the whole controller authorized
+
+  def show
+    ...
+  end
+end
+
+in spec/controller/my_controller_spec.rb:
+
+require 'logical_authz/spec_helper'
+describe MyController do
+  before do
+  end
+  it "should require authorization" do
+    get :show
+    controller.should_not be_authorized
+  end
+
+  describe "accessed by an authorized user" do
+    before do
+      login_as_authorized #whatever that means
+    end
+
+    it "should accept authorization" do
+      controller.should be_authorized
+    end
+  end
+end
+
+in app/views/my_view.html.haml
+- if authorized?(:action => show)
+  = show_my_url("Show")
+- else
+  Show
+
+What You Get
+============
+An authorization filter for controllers
+Some handy class method DSL action to adding the filter and controlling which 
+methods it applies to:
+
+needs_authorization(optional_array_of_actions) #or else the whole controller
+grant_aliases(:edit => [:update, :show]) #because if I can edit, I should be i      
+                                         #able to see it
+dynamic_authorization do |criteria|
+  whatever #Allows complete control over hardcoded authorization
+end
+admin_authorized(:optional, :actions) #shortcut for "Admin is always allowed"
+
+A couple of view helpers:
+authorized?(:controller => "name", :user => current_user, :action => :edit) 
+
+The fundamental authorization method:
+LogicalAuthz::is_authorized(:controller => "...", :group => "...", :action => 
+"...", :id => "...") # :user => '' will be translated in the user's groups.
+
+A set of spec matchers: authorized and forbidden.
+
+The Authorization Model
+=======================
+
+A permission related the following things: a group, a controller, an action, 
+and a id.  If a permission exists, it means that members of the group are 
+allowed to perform the controller#action with that params[:id].
+
+id is allowed to be nil, in which case members of the group are allowed to 
+perform that controller#action on any id.  Very useful for Post#create for 
+instance.
+
+action is allowed to be nil, in which case members of the group are allowed to 
+perform any action on the controller.
+
+Getting Started
+===============
+
+script/plugin install git@github.com:LRDesign/LogicalAuthz.git
+
+script/generate logical_authz_models -u User #<= this needs to be the name of your user model
+rake logical_authz:setup #<= adds some stuff to the end of db/seeds.rb
+
+edit the migrations to align them with your project - feel free to leave it alone
+edit config/initializers/authz.rb
+edit db/seeds.rb to add:
+require 'db/logical_authz_seeds'
+... and to create any permissions you want to start with
+
+In your ApplicationController add:
+  include LogicalAuthz::Application
+
+Gotchas
+=======
+
+LogicalAuthz uses flash to pass information about about authorization between
+controllers - as a result, if you're using a lazy flash display layout, you'll
+display a bunch of junk to the user.  Our opinion is that you should probably 
+only be automatically displaying :notice, :info, and :error to the user, but 
+regardless, the flash hash is too useful to only use for displaying information 
+to the user.
+
+If you don't already have a Group model, LogicalAuthz provides one.  If you do, 
+the generator may currently give you some headaches - the plan is to split out 
+the individual models and allow some of them to be omitted.  In the meantime, 
+either you could generate a different group (-g) and reconcile the result, or 
+remove the class_colision line from the generator.
+
+Copyright (c) 2010 Judson Lester and Logical Reality Design, released under the MIT license
+

data/app/controllers/groups_controller.rb

@@ -1,4 +1,4 @@
-require 'logical_authz'
+require 'logical_authz/common'
 
 #TODO: R3 respond_with
 class GroupsController < AuthzController

data/doc/README

@@ -0,0 +1,2 @@
+== This is a Really Cool Ruby Thing
+=== ( That deserves better documentation than this. )

data/lib/logical_authz.rb

@@ -1,110 +1 @@
-require 'logical_authz/access_control'
-require 'logical_authz/application'
-require 'logical_authz/configuration'
-
-module LogicalAuthz
-  PermissionSelect = "controller = :controller AND " +
-    "group_id IN (:group_ids) AND " +
-    "((action IS NULL AND subject_id IS NULL) OR " +
-    "(action IN (:action_names) AND " +
-    "(subject_id IS NULL OR subject_id = :subject_id)))"
-
-  class << self
-    def inspect_criteria(criteria)
-      criteria.inject({}) do |hash, name_value|
-        name, value = *name_value
-        case value
-        when ActiveRecord::Base
-          hash[name] = {value.class.name => value.id}
-        when ActionController::Base
-          hash[name] = value.class
-        else
-          hash[name] = value
-        end
-
-        hash
-      end.inspect
-    end
-
-    def find_controller(reference)
-      klass = nil
-
-      case reference
-      when Class
-        if LogicalAuthz::Application > reference
-          klass = reference
-        end
-      when LogicalAuthz::Application
-        klass = reference.class
-      when String, Symbol
-        klass_name = reference.to_s.camelize + "Controller"
-        begin 
-          klass = klass_name.constantize
-        rescue NameError
-        end
-      end
-
-      return klass
-    end
-
-    def check_controller(klass, from_criteria)
-      if klass.nil?
-        raise "Could not determine controller class - criteria[:controller] => #{from_criteria}"
-      end
-    end
-
-    def check_permitted(criteria)
-      select_on = {
-        :group_ids => criteria[:group].map {|grp| grp.id},
-        :controller => criteria[:controller_path],
-        :action_names => criteria[:action_aliases].map {|a| a.to_s},
-        :subject_id => criteria[:id] 
-      }
-
-      laz_debug{ "LogicalAuthz: checking permissions: #{select_on.inspect}" }
-      allowed = LogicalAuthz::Configuration::permission_model.exists?([PermissionSelect, select_on])
-      unless allowed
-        laz_debug{ "Denied: #{select_on.inspect}"}
-      else
-        laz_debug{ "Allowed: #{select_on.inspect}"}
-      end
-      return allowed
-    end
-
-
-    def is_authorized?(criteria=nil, authz_record=nil)
-      criteria ||= {}
-      authz_record ||= {}
-      authz_record.merge! :criteria => criteria, :result => nil, :reason => nil
-
-      laz_debug{"LogicalAuthz: asked to authorize #{inspect_criteria(criteria)}"}
-
-      controller_class = find_controller(criteria[:controller])
-      
-      laz_debug{"LogicalAuthz: determined controller: #{controller_class.name}"}
-
-      check_controller(controller_class, criteria[:controller])
-
-      unless controller_class.authorization_needed?(criteria[:action])
-        laz_debug{"LogicalAuthz: controller says no authz needed."}
-        authz_record.merge! :reason => :no_authorization_needed, :result => true
-      else
-        laz_debug{"LogicalAuthz: checking authorization"}
-
-        controller_class.normalize_criteria(criteria)
-
-        #TODO Fail if group unspecified and user unspecified?
-
-        unless (acl_result = controller_class.check_acls(criteria, authz_record)).nil?
-          authz_record[:result] = acl_result
-        else
-          authz_record.merge! :reason => :default, :result => controller_class.default_authorization
-        end
-      end
-
-      laz_debug{authz_record}
-
-      return authz_record[:result]
-    end
-  end
-end
+require 'logical_authz/engine'

data/lib/logical_authz/access_control.rb

@@ -272,7 +272,7 @@ module LogicalAuthz
       register :authenticated
 
       def default_name
-        "Authenicated"
+        "Authenticated"
       end
 
       def check(criteria)

data/lib/logical_authz/application.rb

@@ -23,6 +23,17 @@ module LogicalAuthz
       end
     end
 
+    def redirect_to_last_unauthorized(message = nil)
+      message ||= "Login successful"
+      if (laz_session = session[:logical_authz]) && (unauthorized = laz_session[:unauthzd_path])
+        laz_debug{{:going_to_last_unauth => laz_session}.inspect}
+        redirect_to(unauthorized, :flash => {:success => message})
+      else
+        laz_debug{{:going_root => laz_session}.inspect}
+        redirect_to(:root, :flash => {:success => message})
+      end
+    end
+
     def strip_record(record)
       laz_debug{"Logical Authz: stripping: #{record.inspect}"}
       {

data/lib/logical_authz/common.rb

@@ -0,0 +1,110 @@
+require 'logical_authz/access_control'
+require 'logical_authz/application'
+require 'logical_authz/configuration'
+
+module LogicalAuthz
+  PermissionSelect = "controller = :controller AND " +
+    "group_id IN (:group_ids) AND " +
+    "((action IS NULL AND subject_id IS NULL) OR " +
+    "(action IN (:action_names) AND " +
+    "(subject_id IS NULL OR subject_id = :subject_id)))"
+
+  class << self
+    def inspect_criteria(criteria)
+      criteria.inject({}) do |hash, name_value|
+        name, value = *name_value
+        case value
+        when ActiveRecord::Base
+          hash[name] = {value.class.name => value.id}
+        when ActionController::Base
+          hash[name] = value.class
+        else
+          hash[name] = value
+        end
+
+        hash
+      end.inspect
+    end
+
+    def find_controller(reference)
+      klass = nil
+
+      case reference
+      when Class
+        if LogicalAuthz::Application > reference
+          klass = reference
+        end
+      when LogicalAuthz::Application
+        klass = reference.class
+      when String, Symbol
+        klass_name = reference.to_s.camelize + "Controller"
+        begin 
+          klass = klass_name.constantize
+        rescue NameError
+        end
+      end
+
+      return klass
+    end
+
+    def check_controller(klass, from_criteria)
+      if klass.nil?
+        raise "Could not determine controller class - criteria[:controller] => #{from_criteria}"
+      end
+    end
+
+    def check_permitted(criteria)
+      select_on = {
+        :group_ids => criteria[:group].map {|grp| grp.id},
+        :controller => criteria[:controller_path],
+        :action_names => criteria[:action_aliases].map {|a| a.to_s},
+        :subject_id => criteria[:id] 
+      }
+
+      laz_debug{ "LogicalAuthz: checking permissions: #{select_on.inspect}" }
+      allowed = LogicalAuthz::Configuration::permission_model.exists?([PermissionSelect, select_on])
+      unless allowed
+        laz_debug{ "Denied: #{select_on.inspect}"}
+      else
+        laz_debug{ "Allowed: #{select_on.inspect}"}
+      end
+      return allowed
+    end
+
+
+    def is_authorized?(criteria=nil, authz_record=nil)
+      criteria ||= {}
+      authz_record ||= {}
+      authz_record.merge! :criteria => criteria, :result => nil, :reason => nil
+
+      laz_debug{"LogicalAuthz: asked to authorize #{inspect_criteria(criteria)}"}
+
+      controller_class = find_controller(criteria[:controller])
+      
+      laz_debug{"LogicalAuthz: determined controller: #{controller_class.name}"}
+
+      check_controller(controller_class, criteria[:controller])
+
+      unless controller_class.authorization_needed?(criteria[:action])
+        laz_debug{"LogicalAuthz: controller says no authz needed."}
+        authz_record.merge! :reason => :no_authorization_needed, :result => true
+      else
+        laz_debug{"LogicalAuthz: checking authorization"}
+
+        controller_class.normalize_criteria(criteria)
+
+        #TODO Fail if group unspecified and user unspecified?
+
+        unless (acl_result = controller_class.check_acls(criteria, authz_record)).nil?
+          authz_record[:result] = acl_result
+        else
+          authz_record.merge! :reason => :default, :result => controller_class.default_authorization
+        end
+      end
+
+      laz_debug{authz_record}
+
+      return authz_record[:result]
+    end
+  end
+end

data/rails/init.rb

@@ -0,0 +1,8 @@
+ActionView::Base.send :include, LogicalAuthz::Helper
+#This is maybe slightly unfriendly - we won't be offended if you delete it from 
+#your local copies of the gem.  A configuration is coming in a near future 
+#version.  When you get weird errors like "can't dup nil!" in development that 
+#aren't there in production, don't blame us
+[controller_path, File::join(directory, "app", "helpers")].each do |reloaded_path|
+  ActiveSupport::Dependencies::load_once_paths.delete(reloaded_path)
+end

data/tasks/setup_logical_authz.rake

@@ -0,0 +1,19 @@
+namespace :logical_authz do
+  task :append_seeds do
+    File::open(File::join(RAILS_ROOT, "db", "seeds.rb"), "a+") do |seeds_file|
+      seeds_file.rewind
+      if seeds_file.grep(/.*module PermissionSeeds.*/).empty?
+        puts "Appending logical_authz seeds to db/seeds.rb"
+        seeds_file.seek(-1, IO::SEEK_END)
+
+        File::open(File::join(File::dirname(__FILE__), 
+                              "..", "..", "db", "seeds.rb"), "r") do |src|
+          seeds_file.write(src.read)
+        end
+      end 
+    end
+  end
+
+  desc "Setup logical_authz in your application"
+  task :setup => [:append_seeds]
+end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: logical_authz
 version: !ruby/object:Gem::Version 
-  hash: 15
+  hash: 21
   prerelease: 
   segments: 
   - 0
+  - 2
   - 1
-  - 10
-  version: 0.1.10
+  version: 0.2.1
 platform: ruby
 authors: 
 - Judson Lester
@@ -15,19 +15,131 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-03-02 00:00:00 -08:00
+date: 2011-06-06 00:00:00 -07:00
 default_executable: 
-dependencies: []
-
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: rake-gemcutter
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 27
+        segments: 
+        - 0
+        - 1
+        - 0
+        version: 0.1.0
+  type: :development
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: hanna
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 27
+        segments: 
+        - 0
+        - 1
+        - 0
+        version: 0.1.0
+  type: :development
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: mailfactory
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 7
+        segments: 
+        - 1
+        - 4
+        - 0
+        version: 1.4.0
+  type: :development
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency 
+  name: rspec
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 2
+        - 0
+        version: "2.0"
+  type: :development
+  version_requirements: *id004
+- !ruby/object:Gem::Dependency 
+  name: bundler
+  prerelease: false
+  requirement: &id005 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 23
+        segments: 
+        - 1
+        - 0
+        - 0
+        version: 1.0.0
+  type: :development
+  version_requirements: *id005
+- !ruby/object:Gem::Dependency 
+  name: rcov
+  prerelease: false
+  requirement: &id006 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id006
 description: "  LogicalAuthorization allows authorization in a finely grained framework, including\n  ACLs and database based permissions, designed to slide into your project seamlessly.\n\n  You should be able to add logical_authz to your Gemfile and add needs_authorization to\n  your base controller class and be done.\n"
-email: judson@lrdesign.com
+email: 
+- judson@lrdesign.com
 executables: []
 
 extensions: []
 
-extra_rdoc_files: []
-
+extra_rdoc_files: 
+- doc/README
 files: 
+- LICENSE
+- README
+- app/views/permissions/index.html.haml
+- app/views/permissions/create.rjs
+- app/views/permissions/new.html.haml
+- app/views/permissions/_controls.html.haml
+- app/views/permissions/_form.html.haml
+- app/views/permissions/edit.html.haml
+- app/views/groups/index.html.haml
+- app/views/groups/create.rjs
+- app/views/groups/new.html.haml
+- app/views/groups/_controls.html.haml
+- app/views/groups/_form.html.haml
+- app/views/groups/edit.html.haml
+- app/views/groups/show.html.haml
+- app/controllers/groups_controller.rb
+- app/controllers/permissions_controller.rb
+- app/controllers/groups_users_controller.rb
+- app/helpers/logical_authz_helper.rb
 - lib/tasks/rspec.rake
 - lib/logical_authz.rb
 - lib/logical_authz/configuration.rb
@@ -56,26 +168,11 @@ files:
 - lib/logical_authz/generators/models/templates/migrations/create_permissions.rb
 - lib/logical_authz/generators/routes/generator.rb
 - lib/logical_authz/engine.rb
+- lib/logical_authz/common.rb
 - lib/logical_authz/access_control.rb
 - lib/logical_authz/application.rb
-- app/views/permissions/index.html.haml
-- app/views/permissions/create.rjs
-- app/views/permissions/new.html.haml
-- app/views/permissions/_controls.html.haml
-- app/views/permissions/_form.html.haml
-- app/views/permissions/edit.html.haml
-- app/views/groups/index.html.haml
-- app/views/groups/create.rjs
-- app/views/groups/new.html.haml
-- app/views/groups/_controls.html.haml
-- app/views/groups/_form.html.haml
-- app/views/groups/edit.html.haml
-- app/views/groups/show.html.haml
-- app/controllers/groups_controller.rb
-- app/controllers/permissions_controller.rb
-- app/controllers/groups_users_controller.rb
-- app/helpers/logical_authz_helper.rb
-- config/initializers/activate.rb
+- rails/init.rb
+- tasks/setup_logical_authz.rake
 - generators/logical_authz_specs/logical_authz_specs_generator.rb
 - generators/logical_authz/logical_authz_generator.rb
 - generators/logical_authz/templates/app/views/layouts/_explain_authz.html.haml.erb
@@ -83,21 +180,20 @@ files:
 - generators/logical_authz/templates/README
 - generators/logical_authz_models/logical_authz_models_generator.rb
 - generators/logical_authz_routes/logical_authz_routes_generator.rb
-- spec/spec_helper.rb
-- spec/gem_test_suite.rb
+- doc/README
 has_rdoc: true
 homepage: http://lrdesign.com/tools
-licenses: []
-
+licenses: 
+- MIT
 post_install_message: Another tidy package brought to you by Logical Reality Design
 rdoc_options: 
 - --inline-source
 - --main
 - doc/README
 - --title
-- logical_authz-0.1.10 RDoc
+- logical_authz-0.2.1 RDoc
 require_paths: 
-- lib
+- lib/
 required_ruby_version: !ruby/object:Gem::Requirement 
   none: false
   requirements: 
@@ -123,5 +219,5 @@ rubygems_version: 1.4.2
 signing_key: 
 specification_version: 3
 summary: Full fledged authorization, starting from one line
-test_files: 
-- spec/gem_test_suite.rb
+test_files: []
+

data/config/initializers/activate.rb

@@ -1 +0,0 @@
-require 'logical_authz'

data/spec/gem_test_suite.rb

@@ -1,17 +0,0 @@
-puts Dir::pwd
-require 'test/unit'
-begin
-  require 'spec'
-rescue LoadError
-  false
-end
-
-class RSpecTest < Test::Unit::TestCase
-  def test_that_rspec_is_available
-    assert_nothing_raised("\n\n *  RSpec isn't available - please run: gem install rspec  *\n\n"){ ::Spec }
-  end
-
-  def test_that_specs_pass
-    assert(system(*%w{spec -f e -p **/*.rb spec}),"\n\n *  Specs failed  *\n\n")
-  end
-end

data/spec/spec_helper.rb

@@ -1,43 +0,0 @@
-ENV["RAILS_ENV"] ||= 'test'
-
-$" << File.expand_path(File.join(File.dirname(__FILE__), '..','..','..','..','app','controllers','authz_controller.rb'))
-
-
-require File.expand_path(File.join(File.dirname(__FILE__),'..','..','..','..','config','environment'))
-require 'spec/rails' 
-require 'logical_authz/spec_helper'
-
-# Requires supporting files with custom matchers and macros, etc,
-# in ./support/ and its subdirectories.
-Dir[File.expand_path(File.join(File.dirname(__FILE__),'support','**','*.rb'))].each {|f| require f}
-
-plugin_spec_dir = File.dirname(__FILE__)
-$: << File::join(plugin_spec_dir, "spec_helper", "models")
-RSpec::Runner.configure do |config|
-  # If you're not using ActiveRecord you should remove these
-  # lines, delete config/database.yml and disable :active_record
-  # in your config/boot.rb
-#  config.use_transactional_fixtures = true
-  config.use_instantiated_fixtures  = true
-  config.fixture_path = File::join(File.dirname(__FILE__), 'fixtures')
-  config.global_fixtures = [
-    :az_accounts, :groups, :permissions
-  ]
-end
-               
-ActiveRecord::Base.logger = Logger.new(plugin_spec_dir + "/debug.log")
-
-databases = YAML::load(IO.read(plugin_spec_dir + "/db/database.yml"))
-ActiveRecord::Base.establish_connection(databases[ENV["DB"] || "sqlite3"])
-load(File.join(plugin_spec_dir, "db", "schema.rb"))
-
-require File::join(plugin_spec_dir, "mock_auth")
-require File::join(plugin_spec_dir, "routes")
-
-Dir.glob(File::join(plugin_spec_dir, "factories", "*.rb")) do |path|
-  require path
-end
-
-
-Group::member_class = AzAccount
-