model_security_generator 0.0.1

data/model_security_generator.rb

@@ -0,0 +1,75 @@
+class ModelSecurityGenerator < Rails::Generator::NamedBase
+  def manifest
+    record do |m|
+      # Check for class naming collisions.
+      m.class_collisions class_path, "User", "UserController", "UserMailer", "UserSupport", "Modal", "ModalHelper", "ModelSecurity", "ModelSecurityHelper"
+
+      # Libraries
+      m.file "modal.rb", "lib/modal.rb"
+      m.file "model_security.rb", "lib/model_security.rb"
+      m.file "once.rb", "lib/once.rb"
+      m.file "user_support.rb", "lib/user_support.rb"
+
+      # Helpers
+      m.file "modal_helper.rb", "app/helpers/modal_helper.rb"
+      m.file "model_security_helper.rb", "app/helpers/model_security_helper.rb"
+
+      # User
+      m.file "user.rb", File.join("app/models", "user.rb")
+      m.file "user_controller.rb", File.join("app/controllers", "user_controller.rb")
+
+      # User mailer
+      m.file "user_mailer.rb", File.join("app/models", "user_mailer.rb")
+
+      # Testing related stuff
+      m.file "user_controller_test.rb", "test/functional/user_controller_test.rb"
+      m.file "user_test.rb", "test/unit/user_test.rb"
+      m.file "mock_mailer.rb", "test/mocks/test/user_mailer.rb"
+      m.file "mock_time.rb", "test/mocks/test/time.rb"
+      m.file "users.yml", "test/fixtures/users.yml"
+
+      # Schemas, configuration and miscellaneous
+      m.file "schema.sql", "db/schema.sql"
+      m.file "users.sql", "db/users.sql"
+
+      # Layout and stylesheet.
+      m.file "scaffold.rhtml", "app/views/layouts/scaffold.rhtml"
+      m.file "scaffold.css", "public/stylesheets/scaffold.css"
+      m.file "standard.rhtml", "app/views/layouts/standard.rhtml"
+      m.file "standard.css", "public/stylesheets/standard.css"
+
+      # Views
+      m.directory File.join("app/views", "user", file_name)
+      user_views.each do |action|
+        m.file "view_#{action}.rhtml",
+        File.join("app/views", "user", file_name, "#{action}.rhtml")
+      end
+
+      # Partials
+      m.directory File.join("app/views", "user", file_name)
+      partial_views.each do |action|
+        m.file "_view_#{action}.rhtml",
+        File.join("app/views", "user", file_name, "_#{action}.rhtml")
+      end
+
+      # Mailer
+      m.directory File.join("app/views", "user_mailer")
+      mailer_views.each do |action|
+        m.file "mailer_#{action}.rhtml",
+        File.join("app/views", "user_mailer", "#{action}.rhtml")
+      end
+    end
+  end
+
+  def user_views
+    %w(activate edit forgot_password_done list login login_admin logout new show success)
+  end
+
+  def partial_views
+    %w(form)
+  end
+
+  def mailer_views
+    %w(forgot_password new_user)
+  end
+end

data/templates/_view_form.rhtml

@@ -0,0 +1,27 @@
+<%= error_messages_for 'user' %>
+
+<!--[form:user]-->
+<table>
+<% for column in User.content_columns %>
+  <% if User.display?(column.name) %>
+    <tr>
+      <th>
+        <label for="user_#{column.name}">
+	  <%= column.human_name %>:
+	</label>
+      </th>
+      <td>
+        <% if column.name.index('password') %>
+	  <%= password_field('user', column.name) %>
+	<% else %>
+	  <%= text_field('user', column.name) %>
+	<% end %>
+      </td>
+    </tr>
+  <% end %>
+<% end %>
+
+</table>
+
+<!--[eoform:user]-->
+

data/templates/mailer_forgot_password.rhtml

@@ -0,0 +1,18 @@
+<h1>Recover Your Login or Re-Set Your Password</h1>
+
+<p>
+Please enter the email address you used when you registered your login.
+A message will be sent to that email with the information you'll need to
+reset your password.
+</p>
+<%= start_form_tag :action => 'forgot_password' %>
+  <table>
+    <tr>
+      <th><label for="user_email">Email</label></th>
+      <td><%= text_field 'user', 'email' %></td>
+    </tr>
+  </table>
+  <%= submit_tag "Send Email" %>
+<%= end_form_tag %>
+
+<%= link_to 'Back', :action => 'list' %>

data/templates/mailer_new_user.rhtml

@@ -0,0 +1,10 @@
+Dear <%= @user.name %>,
+
+Your login '<%= @user.login %>' has been created, but you must now activate it.
+To do so, please access the following URL before <%= @user.token_expiry %>:
+
+<%= @url %>
+
+  Many Thanks
+
+  The Management

data/templates/mock_mailer.rb

@@ -0,0 +1,16 @@
+require 'models/user_mailer.rb'
+
+ActionMailer::Base.class_eval {
+  @@inject_one_error = false
+  cattr_accessor :inject_one_error
+
+  private
+  def perform_delivery_test(mail)
+    if inject_one_error
+      ActionMailer::Base::inject_one_error = false
+      raise "Failed to send email" if raise_delivery_errors
+    else
+      deliveries << mail
+    end
+  end
+}

data/templates/mock_time.rb

@@ -0,0 +1,17 @@
+require 'time'
+
+Time.class_eval { 
+  @@advance_by_days = 0
+  cattr_accessor :advance_by_days
+
+  class << Time
+    alias now_old now
+    def now
+      if Time.advance_by_days != 0
+        return Time.at(now_old.to_i + Time.advance_by_days * 60 * 60 * 24 + 1)
+      else
+        now_old
+      end
+    end
+  end
+}

data/templates/modal.rb

@@ -0,0 +1,82 @@
+# Implement modal web pages. When you are done with one of these pages, they
+# will redirect you to an internal page anchor within the page that linked to
+# them. In other words, you don't just go back to the referring page. You go
+# back to the place within the referring page where the link was.
+#
+# This implementation is in two parts: the library module Modal, and the view
+# helper ModalHelper.
+#
+module Modal
+
+  # This is meant to be called as a before filter by the ApplicationController.
+  # It always returns true and thus will not interrupt your action.
+  #
+  # The link_modal and modal_form methods generate an internal page
+  # anchor and a +ret+ parameter that will be passed in a GET or PUT.
+  # The anchor refers the location within the calling page to return to
+  # after a modal action, and +ret+ encodes the URL of that anchor.
+  # store_return retrieves +ret+ from the request and saves it in a
+  # return-to address URL in the session. The return-to URL will be used
+  # by redirect_back_or_default to return to a location within the calling
+  # page that linked to the current page. This is nicer than simply returning
+  # to the top of the page, especially when returning to a long page like
+  # a list of blog comments, because the reader will probably want to continue
+  # reading at that point.
+  #
+  # If the request does not contain a +ret+ parameter and the return-to
+  # address is not set and REFERER is set in the environment, the
+  # return-to address is set to REFERER.
+  # 
+  def modal_setup
+    # Set modal return.
+    if r = @params['ret']
+      self.return_location = r.sub(/\.L/, '#L')
+    elsif return_location.nil?
+      self.return_location = @request.env['HTTP_REFERER']
+    end
+    true
+  end
+
+  # Get the location to return to after a modal action. The argument should
+  # be a string containing a URL.
+  def return_location
+    @session[:return_to]
+  end
+
+  # Set the location to return to after a modal action. The return value should
+  # be a string containing a URL.
+  def return_location= a
+    @session[:return_to] = a
+  end
+
+  # Store the location to return to after a modal action from the request URI.
+  # This is usually called before redirecting to another action.
+  def store_location
+    self.return_location = @request.request_uri
+  end
+
+  # Redirect to the stored return location. If no stored return location
+  # is available, redirect to the default action given in the arguments.
+  # The arguments are just like those of redirect_to.
+  def redirect_back_or_default(attributes = {}, *method_params)
+    r = return_location
+    if r
+      redirect_to_url r
+      self.return_location = nil
+    else
+      redirect_to attributes, method_params
+    end
+  end
+
+  # Create a URL optionally including an internal anchor. If the +id+ argument
+  # is given, that will be used to create the name of the internal anchor. It's
+  # generally a number, but anything that will convert to a string that does
+  # not contain characters that would have special meaning within a URL, like
+  # spaces, will do.
+  def return_url(id = nil)
+    s = @request.request_uri.sub(/\??ret=[^\&$]*/,'')
+    s += '.L' + id.to_s if id
+    s
+  end
+
+end

data/templates/modal_helper.rb

@@ -0,0 +1,29 @@
+require 'modal'
+
+module ModalHelper
+  include Modal
+
+  # Include "ret" in a form, for modal forms.
+  def modal_form(id = nil)
+    s = '<input type="hidden" name="ret" value="' + return_url(id) + '"'
+    s += 'id="L' + id.to_s + '"' if id
+    s += '/>'
+    s
+  end
+
+  # Include "ret" in a link, for modal links.
+  def modal_link_to(name, id = nil, options = {}, html_options = nil, *dict_params)
+    html_options = {} if not html_options
+    html_options['id'] = 'L' + id.to_s if id
+    html_options = html_options.stringify_keys
+    convert_confirm_option_to_javascript!(html_options)
+    if options.is_a?(String)
+      l = content_tag "a", name || options, html_options.merge("href" => options)
+    else
+      s = url_for(options, dict_params)
+      s += ('?ret=' + return_url(id))
+      l = content_tag("a", (name || url_for(options, dict_params)), html_options.merge("href" => s))
+    end
+    l
+  end
+end

data/templates/model_security.rb

@@ -0,0 +1,334 @@
+# The ModelSecurity module allows you to specify security permissions on any
+# or all of the attributes of a model implemented using ActiveRecord.
+#
+# Security permissions are
+# specified in the declaration of the model's class, similarly to the way
+# you can specify validators. The specification includes the names of
+# attributes to which permissions apply, and an optional permission test that
+# should return true or false depending on whether the access should be allowed
+# or denied.
+#
+#  let_read :attribute|:all [[, :attribute ] ...], [:if => :test-name] [do block end]
+#  let_write :attribute|:all [[, :attribute ] ...], [:if => :test-name] [do block end]
+#  let_access :attribute|:all [[, :attribute ] ...], [:if => :test-name] [do block end]
+#
+# let_read specifies when the attribute can be read, let_write specifies when
+# it can be written, and let_access does both.
+#
+# If no permission test is specified, that is the same as specifying a test
+# that always returns true. Two stub tests are provided:
+#
+#  :always?
+#
+# Always returns true.
+#
+#  :never?
+#
+# Always returns false.
+#
+# You can easily add your own tests as instance methods of your model:
+#
+#  let_read :phone_number :if => :admin?
+#
+#  def admin?
+#    return $current_login.is_the_administrator
+#  end
+#
+# If the permission test is specified using the syntax
+#  :if => :test-name
+# it will be run as a method of the model this way:
+#  self.send(:test-name)
+#
+# If the permission test is specified as a block, using *do* and *end*,
+# it will be called with the binding of the active record instance that
+# is being accessed.
+#
+# Permission tests can also be strings, and these are passed to eval().
+#
+# The special attribute name :all means that a test will be applied to all
+# attributes of the model. Any tests for :all are run first, then any tests
+# for the specific attribute. Any test that returns true ends the run, further
+# tests will not be evaluated.
+#
+# If *no* security permissions are declared for an attribute or :all, that
+# attribute may always be accessed. Once a test for :all is delcared, that
+# test will apply to all attributes of the model.
+#
+# The security tests themselves may access any data with impunity. A global
+# variable is used to disable further security testing while a security test
+# is in progress.
+#
+# = Display Control
+#
+# A companion mechanism is used to control views, including scaffold views,
+# using a syntax similar to that for security specifications:
+#
+#  let_display :attribute|:all [[, :attribute ] ...], [:if => :test-name] [do block end]
+#
+# let_display is mostly useful for specifying if a table view should have a
+# column for a particular attribute. Its tests must be declared as class
+# methods of the model, while the tests of let_read, let_write, and
+# let_access are instance methods. This is because the information declared
+# by let_display is accessed before iteration over active records begins.
+#
+#
+# = Accessing Security Test Results
+#
+# ModelSecurity provides two instance methods, readable? and writable?
+# to inform the program if a particular attribute can be accessed. The class
+# method display? will return true or false depending upon whether a
+# particular attribute should be displayed. These can
+# be used to modify a view so that any non-writable data will not be presented
+# in an editable field. ModelSecurityHelper overloads the methods that are
+# usually
+# used to edit models so that they will not attempt to read or write what they
+# aren't permitted and will render appropriately for the permissions on any
+# model attribute. Those methods are: check_box, file_field, hidden_field,
+# password_field, radio_button, text_area, text_field.
+# ModelSecurityHelper also replaces the scaffold views with versions that
+# never access data when not permitted to, render appropriately for the
+# permissions on an attribute, and omit columns for which display? returns
+# false.
+#
+#
+# = Exceptions
+#
+# ActiveRecord provides two internal methods that perform normal attribute
+# accesses: read_attribute, and write_attribute. These are overloaded to
+# perform security testing, and will raise *SecurityError* when an unpermitted
+# access is attempted.
+#
+module ModelSecurity
+end
+
+require 'once'
+
+module ModelSecurity::BothClassAndInstanceMethods
+private
+  # Run a single test. 
+  def run_test t
+    case t.class.name
+    when 'Proc'
+      return t.call(binding)
+    when 'Symbol'
+      return self.send(t)
+    when 'String'
+      return eval(t)
+    else
+      return false
+    end
+  end
+
+  # This does the permission test for readable?, writable?, and display?. 
+  # A global variable is used to short-circuit recursion.
+  # 
+  # FIX: The global variable should be replaced with a thread-local variable
+  # once I learn how to make one. 
+  #
+  def run_tests(d, attribute)
+    global = d[:all]
+    local = d[attribute.to_sym]
+    result = true
+
+    if (global or local) and ($in_test_permission != true)
+      $in_test_permission = true
+      result = (run_test(global) or run_test(local))
+      $in_test_permission = false
+    end
+    return result
+  end
+
+public
+  # Stub test for let_read and friends. Always returns true.
+  def always?
+    true
+  end
+
+  # Stub test for let_read and friends. Always returns false.
+  def never?
+    false
+  end
+end
+
+module ModelSecurity
+  include ModelSecurity::BothClassAndInstanceMethods
+
+private
+  # This does the permission test for readable? or writable?.
+  def test_permission(permission, attribute)
+    if (d = self.class.read_inheritable_attribute(permission))
+      return run_tests(d, attribute)
+    else
+      return true
+    end
+  end
+
+  # Responsible for raising an exception when an unpermitted security
+  # access is attempted. *permission* is :let_read or :let_write.
+  # *attribute* is the name of the attribute upon which an access is
+  # being attempted.
+  #
+  # FIX: Is exception information displayed in production mode? I put a lot
+  # of sensitive data in this exception.
+  #
+  def security_error(permission, attribute)
+    global = nil
+    local = nil
+
+    if (d = self.class.read_inheritable_attribute(permission))
+      global = d[:all]
+      local = d[attribute.to_sym]
+    end
+
+    message = "SECURITY VIOLATON: #{permission} on attribute #{attribute}" \
+     "\n\tof object: #{self.inspect}."
+
+    if global
+      message << "\n\tTest for :all is #{global.inspect}."
+    end
+
+    if local
+      message << "\n\tTest for :#{attribute} is #{local.inspect}."
+    end
+
+    raise SecurityError.new(message)
+  end
+
+public
+  # Ruby interpreter magic to cause the class methods herein to work correctly
+  # while a class including this module is still being declared.
+  def self.append_features(base)
+    super
+    base.extend(ClassMethods)
+  end
+
+  # Return true if a read of *attribute* is permitted.
+  # *attribute* should be a symbol, and should be the
+  # name of a database field for this model.
+  def readable?(attribute)
+    test_permission(:let_read, attribute)
+  end
+
+  # Overloads ActiveRecord::Base#read_attribute. Read the attribute if that is
+  # permitted. Otherwise, throw an exception.
+  def read_attribute(name)
+    if not readable?(name)
+      security_error(:let_read, name)
+    end
+    old_read_attribute(name)
+  end
+
+  # Return true if a write of *attribute* is permitted.
+  # *attribute* should be a symbol, and should be the
+  # name of a database field for this model.
+  def writable?(attribute)
+    test_permission(:let_write, attribute)
+  end
+  
+  # Overloads ActiveRecord::Base#write_attribute. Write the attribute if that is
+  # permitted. Otherwise, throw an exception.
+  def write_attribute(name, value)
+    if not writable?(name)
+      security_error(:let_write, name)
+      raise SecurityError
+    end
+    old_write_attribute(name, value)
+  end
+end
+
+# Class methods for ModelSecurity. They are broken out this way so that they
+# can be fed to base.extend(), Ruby interpreter magic so that class methods
+# of this module work while a class including it is being defined.
+# Uses a Rails-internal inheritable-attribute mechanism so that this data in a
+# derived class survives modification of similar data in its base class.
+#
+# I'm not sure that write_inheritable_attribute() is the right way to go, either
+# here or in the way that validators are declared. Why not declare the data
+# independently in each subclass and then use *super* to traverse the
+# inheritance graph when accessing it?
+# 
+module ModelSecurity::ClassMethods
+private
+  include ModelSecurity::BothClassAndInstanceMethods
+
+  # Internal function where the work of let_read, let_write, let_access,
+  # and let_display is done. Store the tests to be run for each attribute
+  # in the class, to be evaluated later. *permission* is :let_read,
+  # :let_write, or :let_display. *arguments* is a list of attributes
+  # upon which security permissions are being declared and a hash
+  # containing all options, currently just :if . *block*, if given,
+  # contains a security test.
+  #
+  def let(permission, arguments, block)
+    attributes = []	# List of attributes that this permission applies to.
+    parameters = {}	# Optional parameters, currently only :if
+    procedure = nil	# Permission-test procedure.
+
+    arguments.each { | argument |
+      case argument.class.name
+      when 'Hash'
+	  parameters.merge! argument
+	else
+	  attributes << argument
+	end
+    }
+    if not block.nil?
+      procedure = block
+    elsif (p = parameters[:if])
+      procedure = p
+    else
+      procedure = :always?
+    end
+
+    d = {}
+    attributes.each { | name | d[name] = procedure }
+    write_inheritable_hash(permission, d)
+  end
+
+public
+  # Return true if display of the attribute is permitted. *attribute* is a
+  # symbol, and should match a field in the database schema corresponding to
+  # this model.
+  def display?(attribute)
+    if (d = read_inheritable_attribute(:let_display))
+      return run_tests(d, attribute)
+    else
+      return true
+    end
+  end
+
+  # Declare whether reads and writes are permitted on the named attributes.
+  def let_access(*arguments, &block)
+    let(:let_read, arguments, block)
+    let(:let_write, arguments, block)
+  end
+
+  # Declare whether display of the named attribute is permitted.
+  def let_display(*arguments, &block)
+    let(:let_display, arguments, block)
+  end
+
+
+  # Declare whether read is permitted upon the named attributes.
+  def let_read(*arguments, &block)
+    let(:let_read, arguments, block)
+  end
+
+  # Declare whether write is permitted upon the named attributes.
+  def let_write(*arguments, &block)
+    let(:let_write, arguments, block)
+  end
+end
+
+class ActiveRecord::Base
+private
+  once ('@aliasesDone') {
+    # Provides access to the pre-overload version of read_attribute, which
+    # is called by the overloaded version.
+    alias old_read_attribute read_attribute
+
+    # Provides access to the pre-overload version of write_attribute, which
+    # is called by the overloaded version.
+    alias old_write_attribute write_attribute
+  }
+end

data/templates/model_security_helper.rb

@@ -0,0 +1,64 @@
+module ActionView::Helpers::FormHelper
+private
+
+  def self.restrict(name)
+    module_eval <<-"end_eval", __FILE__, __LINE__
+      alias old_#{name} #{name}
+      def #{name}(object, method, options = {})
+        restricted_input(:old_#{name}, object, method, options) \
+      end
+    end_eval
+  end
+
+  def restricted_input(old_name, object, method, options, *extra, &block)
+    o = instance_variable_get("@" + object)
+    writable = o.writable?(method)
+    if o.readable?(method)
+      if writable
+	if block
+	  return yield(object, method, options, extra)
+	else
+	  return send(old_name, object, method, options)
+	end
+      else
+        return o.send(method)
+      end
+    elseif writable
+      options[:value] = ''
+      if block
+	return yield(object, method, options, extra)
+      else
+	return send(old_name, object, method, options)
+      end
+    end
+  end
+
+  once ('@aliasesDone') { # Evaluating this twice would break it.
+    alias old_check_box check_box
+    alias old_radio_button radio_button
+  }
+
+  SimpleMethods = \
+   ['file_field', 'hidden_field', 'password_field', 'text_area', 'text_field']
+
+public
+
+  once ('@simpleMethodsDone') { # because it calls alias.
+    SimpleMethods.each { | name | restrict(name) }
+  }
+
+  def check_box(object, method, options = {}, checked_value = "1", unchecked_value = "0")
+    restricted_input(:old_check_box, object, method, options, checked_value, unchecked_value) {
+      | object, method, options, extra |
+      old_check_box(object, method, options, extra[0], extra[1])
+    } 
+  end
+
+  def radio_button(object, method, tag_value, options = {})
+    restricted_input(:old_radio_button, object, method, options, tag_value) {
+      | object, method, options, extra |
+      old_radio_button(object, method, extra[0], options)
+    }
+  end
+end
+