mikldt-authenticates_access 0.0.0

data/.gitignore

@@ -0,0 +1,7 @@
+log/*.log
+tmp/**/*
+db/*.sqlite3
+doc/api
+doc/app
+vendor
+.*.swp

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2009 Andrew H. Armenia
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README

@@ -0,0 +1,86 @@
+AuthenticatesAccess
+===================
+
+AuthenticatesAccess can be used to implement model-based authentication and
+authorization features in your application. It is based around the concept
+of "accessors", or model objects which are used as tokens to access other
+model objects. Accessors might be users, groups, or sessions. 
+AuthenticatesAccess allows the use of methods within the accessors or within
+the accessed objects to determine whether certain actions should be allowed.
+
+Example
+=======
+
+Models need to define the access restrictions which will apply. If the concept
+of "ownership" is to be used, it is necessary to define which attribute 
+refers to the object's owner. The owner should fill the role of accessor
+in the application.
+
+class User < ActiveRecord::Base
+  # user has an is_admin attribute
+  
+  # don't let non-admins change the is_admin attribute
+  authenticates_writes_to :is_admin, :with_accessor_method => :is_admin
+
+  # allow users to save their own profile
+  authenticates_saves :with => :allow_owner
+
+  # allow admins to save the profile as well
+  authenticates_saves :with_accessor_method => :is_admin
+
+  # note that ownership doesn't confer all privileges!
+  # has_owner :self means that the accessor's ID will be compared
+  # with this object's own ID for the allow_owner test.
+  has_owner :self
+
+  # also, allow admins to save any user profile
+  authenticates_saves :with_accessor_method => :is_admin 
+end
+
+class Comment < ActiveRecord::Base
+  belongs_to :user
+
+  # allow users to edit their own comments (but not others)
+
+  # has_owner :user means that user.id will be compared to accessor.id
+  # for the allow_owner test to pass.
+  has_owner :user
+  
+  # register the ownership test for any saves
+  authenticates_saves :with => :allow_owner
+
+  # this will also allow admins to edit any comments
+  authenticates_saves :with_accessor_method => :is_admin
+
+  # this makes the creating user the owner of the comment
+  autosets_owner_on_create
+end
+
+The application controller should set an accessor to be used:
+
+class ApplicationController < ActionController::Base
+  before_filter :setup_accessor
+
+  protected
+
+  def setup_accessor
+    ActiveRecord::Base.accessor = logged_in_user
+  end   
+
+  def logged_in_user
+    User.find(session[:user_id])
+  end
+end
+
+The views may use methods to determine which attributes may currently 
+be written, or whether the object may be modified at all.
+
+<% if @user.allowed_to_save(:is_admin) %> 
+<%= f.check_box :is_admin %>
+<% end %>
+
+<% if user.allowed_to_save %>
+<%= link_to 'Edit', edit_user_path(user) %>
+<% end %>
+
+Copyright (c) 2009 Andrew H. Armenia, released under the MIT license.

data/Rakefile

@@ -0,0 +1,39 @@
+require 'rake'
+require 'rake/testtask'
+require 'rake/rdoctask'
+
+desc 'Default: run unit tests.'
+task :default => :test
+
+desc 'Test the authenticates_access plugin.'
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = true
+end
+
+desc 'Generate documentation for the authenticates_access plugin.'
+Rake::RDocTask.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'AuthenticatesAccess'
+  rdoc.options << '--line-numbers' << '--inline-source'
+  rdoc.rdoc_files.include('README')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gemspec|
+    gemspec.name = "mikldt-authenticates_access"
+    gemspec.summary = "Model-based Authorization on Rails!"
+    gemspec.description = "Model-based read and write user authorization in Rails"
+    gemspec.email = "mikldt@gmail.com"
+    gemspec.homepage = "http://github.com/mikldt/authenticates_access"
+    gemspec.authors = ["Michael DiTore"]
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts "Jeweler not available. Install it with: gem install jeweler"
+end
+

data/VERSION

@@ -0,0 +1 @@
+0.0.0

data/init.rb

@@ -0,0 +1,6 @@
+# Install our class and instance methods into ActiveRecord
+RAILS_DEFAULT_LOGGER.error("Loading AuthenticatesAccess...")
+
+ActiveRecord::Base.class_eval do
+  extend AuthenticatesAccess::ClassMethods
+end

data/install.rb

@@ -0,0 +1 @@
+# Install hook code here

data/lib/authenticates_access.rb

@@ -0,0 +1,440 @@
+# AuthenticatesAccess
+
+module AuthenticatesAccess
+  class AuthMethod < Struct.new(:type, :name, :options)
+  end
+
+  class AuthMethodList < Array
+    def add_method(options)
+      if options[:with_accessor_method]
+        self << AuthMethod.new( :accessor, options[:with_accessor_method], options )
+      elsif options[:with]
+        self << AuthMethod.new( :model, options[:with], options )
+      else
+        fail "Either :with or :with_accessor_method must be specified"
+      end
+    end
+
+    def check(targets)
+      # start out assuming we have not passed any tests
+      # if one passes this gets set to true
+      passed = false
+
+      self.each do |method|
+        unless targets[method.type].nil?
+          target = targets[method.type]
+          if run_method(target, method.name.to_sym, method.options[:options])
+            passed = true
+          end
+        end
+      end
+      passed
+    end
+    
+    protected
+
+    # Run a method on the object if it's available, otherwise return false.
+    def run_method(object, method, options)
+      if object.nil?
+        false
+      elsif object.respond_to?(method)
+        if options
+          object.send(method, options)
+        else
+          object.send(method)
+        end
+      else
+        false
+      end
+    end
+
+  end
+
+  
+  module ClassMethods
+    # Set an accessor to be used
+    def accessor=(accessor)
+      @@accessor = accessor
+    end
+
+    # Return the accessor being used by the model classes
+    def accessor
+      @@accessor ||= nil
+      @@accessor
+    end
+
+    # Include the instance methods used to implement authentication
+    def authenticates_access
+      include InstanceMethods
+    end
+
+    # Used to require an authentication test to be passed on the accessor
+    # before the model may be saved or destroyed. If the test fails, an exception
+    # will be thrown. Multiple calls build a chain of tests. If any test
+    # passes, the accessor is considered authenticated. Attribute writes will
+    # also be disallowed if the object may not be saved by the accessor
+    # 
+    # examples:
+    #
+    # authenticates_saves :with_accessor_method => :is_admin
+    #   will only allow the object to be saved if the accessor's is_admin
+    #   method returns true
+    #
+    # authenticates_saves :with => :allow_owner
+    #   will only allow the object to be saved if its own allow_owner
+    #   method returns true
+    #
+    def authenticates_saves(options={})
+      unless @save_method_list
+        authenticates_access
+        before_save :auth_save_filter
+        before_destroy :auth_save_filter
+        @save_method_list = AuthMethodList.new
+      end
+
+      @save_method_list.add_method(options)      
+    end
+
+    # Used to require that an authentication test is passed on the accessor
+    # before data may be read from the model.
+    def authenticates_reads(options={})
+      unless @read_method_list
+        authenticates_access
+        #Sadly, no easy way to block reads at this level
+        @read_method_list = AuthMethodList.new
+      end
+
+      @read_method_list.add_method(options)
+    end
+
+    
+    # Used to specify that a given attribute should only be written to if the
+    # accessor passes a test. The test may be a method of the accessor or
+    # of the object itself, which should return a boolean value.. If the test 
+    # fails, the attribute write will be ignored. Multiple calls build up
+    # a chain of tests: if any test in the chain passes, the accessor is
+    # considered authorized.
+    #
+    # Examples:
+    #
+    # authenticates_writes_to :is_admin, :with_accessor_method => :is_admin
+    #   would only allow admins to grant or revoke the admin privileges of others
+    #
+    # authenticates_writes_to :title, :with => :allow_owner
+    #   would only allow the owner of this object to edit its title
+    #
+    def authenticates_writes_to(attr, options={})
+      authenticates_access
+      @write_validation_map ||= {}
+      @write_validation_map[attr.to_s] ||= AuthMethodList.new
+      @write_validation_map[attr.to_s].add_method(options)
+    end
+
+    # Used to specify that a given attribute may only be read if the
+    # accessor passes a test.  Behaves similarly to authenticates_writes_to
+    def authenticates_reads_from(attr, options={})
+      authenticates_access
+      @read_validation_map ||= {}
+      @read_validation_map[attr.to_s] ||= AuthMethodList.new
+      @read_validation_map[attr.to_s].add_method(options)
+    end
+
+    # You might use this one to only allow authenticated users to create objects
+    def authenticates_creation(options={})
+      unless @create_method_list
+        authenticates_access
+        before_create :auth_create_filter
+        @create_method_list = AuthMethodList.new
+        extend CreationControl
+      end
+
+      @create_method_list.add_method(options)
+    end
+
+    # Used to specify that a given attribute represents an accessor that is
+    # an owner of this object. This creates an allow_owner method which
+    # may be used to allow the object's owner to save the object, or edit
+    # certain attributes, as well as an owner_id method which returns the
+    # owner's ID. Currently, accessors are compared by their ID in the database,
+    # so accessors should be of the same class to avoid security holes.
+    # (i.e. if both User and Group are used as accessors, a User with ID 7 can
+    # access objects owned by a Group with ID 7).
+    # This may be fixed in the future.
+    #
+    # Example:
+    # belongs_to :user
+    # has_owner :user
+    # authenticates_saves :with => :allow_owner
+    #
+    # or:
+    #
+    # has_owner
+    # def owner_id
+    #   id
+    # end
+    #
+    def has_owner(attr=nil)
+      unless attr.nil?
+        id_accessor = "#{attr.to_s}_id"
+        id_mutator = "#{attr.to_s}_id="
+        if attr == :self
+          # special case the self attribute but don't allow ownership change
+          define_method(:owner_id) do
+            id
+          end
+        else
+          define_method(:owner) do
+            self.send(attr)
+          end
+          define_method(:owner_id) do
+            self.send(id_accessor)
+          end
+          define_method("owner_id=") do |new_value|
+            self.send(id_mutator,new_value)
+          end
+        end
+      end
+      include Ownership 
+    end
+
+    # If declared, the accessor used to create this object automatically
+    # becomes its owner.
+    # 
+    # Examples:
+    #
+    # class Comment < ActiveRecord::Base
+    #   belongs_to :member
+    #   has_owner :member
+    #   autosets_owner_on_create
+    #   authenticates_saves :with => :allow_owner
+    # end
+    #
+    def autosets_owner_on_create
+      has_owner # this will do nothing if the user has already set up has_owner :something
+      # the hook runs before validation so we can validate_associated
+      before_validation_on_create :autoset_owner
+    end
+
+
+    def authenticates_saves_method_list
+      @save_method_list ||= nil
+      @save_method_list
+    end
+
+    def authenticates_reads_method_list
+      @read_method_list ||= nil
+      @read_method_list
+    end
+
+    def write_validations(attr)
+      @write_validation_map ||= nil
+      if @write_validation_map
+        @write_validation_map[attr]
+      else
+        nil
+      end
+    end
+
+    def read_validations(attr)
+      @read_validation_map ||= nil
+      if @read_validation_map
+        @read_validation_map[attr]
+      else
+        nil
+      end
+    end
+   
+  end
+
+  module InstanceMethods
+    # Shorthand to get at the accessor of interest
+    def accessor
+      self.class.accessor
+    end
+
+    def bypass_auth
+      @bypass_auth = true
+      yield
+      @bypass_auth = false
+    end
+
+    # Auto-set the owner id to the accessor id before save if the object is new
+    def autoset_owner
+      bypass_auth do
+        if accessor
+          self.owner_id ||= accessor.id
+        end
+      end
+
+      true # this is very important!
+    end
+
+
+    # before_save/before_destroy hook installed by authenticates_saves
+    def auth_save_filter
+      if not allowed_to_save
+        # An interesting thought: could this throw an HTTP error?
+        false
+      else
+        true
+      end
+    end
+    
+    # before_save/before_destroy hook installed by authenticates_saves
+    def auth_create_filter
+      if not self.class.allowed_to_create
+        false
+      else
+        true
+      end
+    end
+    # Included for completeness, this could be used to filter out accessors
+    # who can't read an object. Sadly, there's no way to install this, yet.
+    def auth_read_filter
+      if not allowed_to_read
+        false
+      else
+        true
+      end
+    end
+
+    # This method may be used to determine whether the current accessor has 
+    # privileges to save the object. Returns true if so, false otherwise.
+    def allowed_to_save
+      method_list = self.class.authenticates_saves_method_list
+      if method_list.nil?
+        # No method list, so it's allowed
+        true
+      elsif method_list.check :accessor => accessor, :model => self
+        # Method list passed, so allowed
+        true
+      else
+        # Method list failed, so denied
+        false
+      end
+    end
+
+    # This method may be used to determine whether the current accessor has
+    # privileges to read data from the object. Returns true if so, else false.
+    def allowed_to_read
+      method_list = self.class.authenticates_reads_method_list
+      if method_list.nil?
+        # No method list, so it's allowed
+        true
+      elsif method_list.check :accessor => accessor, :model => self
+        # Method list passed, so allowed
+        true
+      else
+        # Method list failed, so denied
+        false
+      end
+    end
+
+    # Overload of write_attribute to implement the filtration
+    def write_attribute(name, value)
+      # Simply check if the accessor is allowed to write the field
+      # (if so, go to superclass and do it)
+      @bypass_auth ||= false
+      if allowed_to_write(name) || @bypass_auth
+        super(name, value)
+      end
+    end
+
+    # Overload of read_attribute to filter data access
+    def read_attribute(name)
+      @bypass_auth ||= false
+      if allowed_to_read_from(name) || @bypass_auth
+        super(name)
+      end
+    end
+
+    # This method may be used to determine if the current accessor may write
+    # to a given attribute. Returns true if so, false otherwise.
+    def allowed_to_write(name)
+      # no point allowing attribute writes if we can't save them?
+      if allowed_to_save
+        name = name.to_s
+        validation_methods = self.class.write_validations(name)  
+        if validation_methods.nil?
+          # We haven't registered any filters on this attribute, so allow the write.
+          true
+        elsif validation_methods.check :accessor => accessor, :model => self
+          # One of the authentication methods worked, so allow the write.
+          true
+        else
+          # We had filters but none of them passed. Disallow write.
+          false
+        end
+      else
+        false
+      end
+    end
+
+    # This method may be used to determine if the current accessor may read
+    # a given attribute. Returns true if so, false otherwise.
+    def allowed_to_read_from(name)
+      # no point allowing attribute writes if we can't save them?
+      if allowed_to_read
+        name = name.to_s
+        validation_methods = self.class.read_validations(name)  
+        if validation_methods.nil?
+          # We haven't registered any filters on this attribute, so allow the write.
+          true
+        elsif validation_methods.check :accessor => accessor, :model => self
+          # One of the authentication methods worked, so allow the write.
+          true
+        else
+          # We had filters but none of them passed. Disallow write.
+          false
+        end
+      else
+        false
+      end
+    end
+
+
+    # This method may be used to determine if the current accessor may write
+    # to a given attribute. Returns true if so, false otherwise.
+    # for now, if you can save, you can destroy
+    def allowed_to_destroy      
+      allowed_to_save
+    end
+  end
+
+  module Ownership
+    # This method implements a simple test: whether the object is owned by 
+    # the accessor. See has_owner in ClassMethods. Note that new records,
+    # with no owner, will always pass this test. This allows the 
+    # (not-yet-existent) owner (i.e. the creator) to write any attributes 
+    # that they would have had access to anyway. Use authenticates_creation
+    # to allow only certain accessors the right to create objects.
+    def allow_owner(options={})
+      if new_record?
+        true
+      elsif accessor.nil?
+        false # maybe this is failing up the works?
+      else
+        # must define an owner_id method for this to work
+        accessor.id == owner_id
+      end
+    end
+  end
+
+  module CreationControl
+    def allowed_to_create
+      method_list = @create_method_list
+      if method_list.nil?
+        # No method list, so it's allowed
+        true
+      elsif method_list.check :accessor => accessor
+        # Method list passed, so allowed
+        true
+      else
+        # Method list failed, so denied
+        false
+      end
+    end
+  end
+
+end
+

data/mikldt-authenticates_access.gemspec

@@ -0,0 +1,63 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run the gemspec command
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{mikldt-authenticates_access}
+  s.version = "0.0.0"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Michael DiTore"]
+  s.date = %q{2010-01-24}
+  s.description = %q{Model-based read and write user authorization in Rails}
+  s.email = %q{mikldt@gmail.com}
+  s.extra_rdoc_files = [
+    "README"
+  ]
+  s.files = [
+    ".gitignore",
+     "MIT-LICENSE",
+     "README",
+     "Rakefile",
+     "VERSION",
+     "init.rb",
+     "install.rb",
+     "lib/authenticates_access.rb",
+     "mikldt-authenticates_access.gemspec",
+     "tasks/authenticates_access_tasks.rake",
+     "test/admin_item.rb",
+     "test/authenticates_access_test.rb",
+     "test/database.yml",
+     "test/fixtures/admin_items.yml",
+     "test/fixtures/owned_items.yml",
+     "test/fixtures/users.yml",
+     "test/owned_item.rb",
+     "test/test_helper.rb",
+     "test/user.rb",
+     "uninstall.rb"
+  ]
+  s.homepage = %q{http://github.com/mikldt/authenticates_access}
+  s.rdoc_options = ["--charset=UTF-8"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.3.5}
+  s.summary = %q{Model-based Authorization on Rails!}
+  s.test_files = [
+    "test/authenticates_access_test.rb",
+     "test/user.rb",
+     "test/test_helper.rb",
+     "test/owned_item.rb",
+     "test/admin_item.rb"
+  ]
+
+  if s.respond_to? :specification_version then
+    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
+    else
+    end
+  else
+  end
+end
+

data/tasks/authenticates_access_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :authenticates_access do
+#   # Task goes here
+# end

data/test/admin_item.rb

@@ -0,0 +1,3 @@
+class AdminItem < ActiveRecord::Base
+  authenticates_saves :with_accessor_method => :is_admin
+end

data/test/authenticates_access_test.rb

@@ -0,0 +1,108 @@
+require 'test_helper'
+
+class AuthenticatesAccessTest < ActiveSupport::TestCase
+  test "authenticates_saves :with => :allow_owner positive" do
+    ActiveRecord::Base.accessor = users(:user1)
+    item = owned_items(:item3)
+    item.description = "I changed the text"
+    assert item.save
+  end
+
+  test "authenticates_saves :with => :allow_owner negative" do
+    ActiveRecord::Base.accessor = users(:user1)
+    item = owned_items(:item4)
+    item.description = "I changed the text"
+    flunk if item.save 
+  end
+
+  test "authenticates_saves :with => :allow_owner on new object" do
+    ActiveRecord::Base.accessor = users(:user1)
+    item = OwnedItem.new(:description => "This should work")
+    assert item.save
+    assert item.user_id == users(:user1).id
+  end
+
+  test "authenticates_creates negative" do
+    ActiveRecord::Base.accessor = users(:user1)
+    user = User.new(
+      :is_admin => true, 
+      :name => "cracker", 
+      :bio => "I like breaking into things"
+    )
+    flunk if user.save
+  end
+
+  test "authenticates_creates positive" do
+    ActiveRecord::Base.accessor = users(:admin)
+    user = User.new(
+      :is_admin => false, 
+      :name => "some legit user", 
+      :bio => "This should work"
+    )
+    assert user.save
+  end
+
+  test "authenticates_writes_to negative" do
+    ActiveRecord::Base.accessor = users(:user1)
+    user2 = users(:user2)
+    user2.is_admin = true
+    flunk if user2.is_admin
+  end
+
+  test "authenticates_writes_to positive" do
+    ActiveRecord::Base.accessor = users(:admin)
+    user2 = users(:user2)
+    user2.is_admin = true
+    assert user2.is_admin
+  end
+
+  test "allowed_to_create positive" do
+    ActiveRecord::Base.accessor = users(:admin)
+    assert User.allowed_to_create
+  end
+
+  test "allowed_to_create negative" do
+    ActiveRecord::Base.accessor = users(:user1)
+    flunk if User.allowed_to_create
+  end
+
+  test "allowed_to_write positive" do
+    ActiveRecord::Base.accessor = users(:admin)
+    assert users(:user1).allowed_to_write(:is_admin)
+    assert users(:user1).allowed_to_write(:bio)
+
+    ActiveRecord::Base.accessor = users(:user1)
+    assert users(:user1).allowed_to_write(:bio)
+
+    flunk if users(:user2).allowed_to_write(:bio)
+  end
+
+  test "allowed_to_write negative" do
+    ActiveRecord::Base.accessor = users(:user1)
+    flunk if users(:user1).allowed_to_write(:is_admin)
+  end
+
+  test "allowed_to_save as user1" do
+    ActiveRecord::Base.accessor = users(:user1)
+    assert owned_items(:item3).allowed_to_save
+    flunk if owned_items(:item4).allowed_to_save
+  end
+    
+  test "can_create_but_not_change_owner" do
+    ActiveRecord::Base.accessor = users(:user1)
+    flunk if ActiveRecord::Base.accessor.is_admin
+    created = CreatedItem.new(:description => "something")
+    assert created.save
+    assert created.owner_id == users(:user1).id
+    created.owner_id = 1234
+    assert created.owner_id == users(:user1).id
+  end
+
+  test "admin_can_set_owner" do
+    ActiveRecord::Base.accessor = users(:admin)
+    created = CreatedItem.new(:description => "something")
+    created.owner_id = users(:user1).id
+    assert created.save
+    assert created.owner_id == users(:user1).id
+  end
+end

data/test/database.yml

@@ -0,0 +1,5 @@
+sqlite3:
+  database: ":memory:"
+  adapter: sqlite3
+  timeout: 500
+

data/test/fixtures/admin_items.yml

@@ -0,0 +1,3 @@
+item1:
+  description: "This text should not change"
+

data/test/fixtures/owned_items.yml

@@ -0,0 +1,16 @@
+item1:
+  user_id: 1
+  description: "I'm owned by the admin"
+
+item2:
+  user_id: 2
+  description: "I'm owned by the other admin"
+
+item3:
+  user_id: 3
+  description: "I'm owned by user1"
+
+item4: 
+  user_id: 4
+  description: "I'm owned by user2"
+

data/test/fixtures/users.yml

@@ -0,0 +1,23 @@
+admin:
+  id: 1
+  name: The Administrator
+  is_admin: true
+  bio: I like writing code and doing other things
+
+admin2:
+  id: 2
+  name: Another Administrator
+  is_admin: true
+  bio: I am also an administrator
+
+user1:
+  id: 3
+  name: User 1
+  is_admin: false
+  bio: I own some things but not others
+
+user2:
+  id: 4
+  name: User 2
+  is_admin: false
+  bio: I am like user 1

data/test/owned_item.rb

@@ -0,0 +1,7 @@
+class OwnedItem < ActiveRecord::Base
+  belongs_to :user
+  has_owner :user
+  autosets_owner_on_create
+
+  authenticates_saves :with => :allow_owner
+end

data/test/test_helper.rb

@@ -0,0 +1,75 @@
+require 'rubygems'
+require 'active_support'
+require 'active_support/test_case'
+
+# workaround for rails being on crack (maybe?)
+require 'test/unit'
+require 'test/unit/testcase'
+require 'active_support/testing/setup_and_teardown'
+#require 'active_support/testing/assertions'
+
+# load up the plugin in question
+require 'active_record'
+require 'active_record/fixtures'
+require 'authenticates_access'
+
+ActiveRecord::Base.class_eval do
+  extend AuthenticatesAccess::ClassMethods
+end
+
+root_dir = File.dirname(__FILE__)
+
+# do cocaine to make ActiveRecord happy
+ActiveRecord::Base.configurations = YAML::load(File.open(File.join(root_dir, 'database.yml')))
+
+# bring up some database stuff
+ActiveRecord::Base.establish_connection({
+  :adapter => 'sqlite3',
+  :dbfile => ':memory:'
+})
+
+def build_schema
+  # define a crude schema
+  ActiveRecord::Schema.define do
+    create_table "users", :force => true do |t|
+      t.column "name", :string
+      t.column "is_admin", :boolean
+      t.column "bio", :text
+    end
+
+    create_table "owned_items", :force => true do |t|
+      t.column "user_id", :integer
+      t.column "description", :text
+    end
+
+    create_table "admin_items", :force => true do |t|
+      t.column "description", :text
+    end
+
+    create_table "created_items", :force => true do |t|
+      t.column "user_id", :integer
+      t.column "description", :text
+    end
+  end
+
+end
+
+class ActiveSupport::TestCase
+  # 2.3.2 seems to need this?
+  begin 
+    include ActiveRecord::TestFixtures
+  rescue NameError
+    puts "You appear to be using a pre-2.3 version of Rails. No need to include ActiveRecord::TestFixtures..."
+  end
+
+  self.fixture_path = File.join(File.dirname(__FILE__), "fixtures")
+
+  build_schema
+
+  self.use_transactional_fixtures = true
+  self.use_instantiated_fixtures = false
+
+  # load up fixtures
+  fixtures :all
+end
+

data/test/user.rb

@@ -0,0 +1,14 @@
+class User < ActiveRecord::Base
+  # users own themselves, so to speak
+  has_owner :self
+
+  # only admins can write to the is_admin and can_create fields
+  authenticates_writes_to :is_admin, :with_accessor_method => :is_admin
+  authenticates_writes_to :can_create, :with_accessor_method => :is_admin
+  # users can save their own profiles
+  authenticates_saves :with => :allow_owner
+  # admins can save anyone's profile
+  authenticates_saves :with_accessor_method => :is_admin
+  # admins can create users
+  authenticates_creation :with_accessor_method => :is_admin
+end

data/uninstall.rb

@@ -0,0 +1 @@
+# Uninstall hook code here

metadata

@@ -0,0 +1,78 @@
+--- !ruby/object:Gem::Specification 
+name: mikldt-authenticates_access
+version: !ruby/object:Gem::Version 
+  version: 0.0.0
+platform: ruby
+authors: 
+- Michael DiTore
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-01-24 00:00:00 -05:00
+default_executable: 
+dependencies: []
+
+description: Model-based read and write user authorization in Rails
+email: mikldt@gmail.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- README
+files: 
+- .gitignore
+- MIT-LICENSE
+- README
+- Rakefile
+- VERSION
+- init.rb
+- install.rb
+- lib/authenticates_access.rb
+- mikldt-authenticates_access.gemspec
+- tasks/authenticates_access_tasks.rake
+- test/admin_item.rb
+- test/authenticates_access_test.rb
+- test/database.yml
+- test/fixtures/admin_items.yml
+- test/fixtures/owned_items.yml
+- test/fixtures/users.yml
+- test/owned_item.rb
+- test/test_helper.rb
+- test/user.rb
+- uninstall.rb
+has_rdoc: true
+homepage: http://github.com/mikldt/authenticates_access
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.5
+signing_key: 
+specification_version: 3
+summary: Model-based Authorization on Rails!
+test_files: 
+- test/authenticates_access_test.rb
+- test/user.rb
+- test/test_helper.rb
+- test/owned_item.rb
+- test/admin_item.rb