mongoid_ability 0.0.1

data/lib/mongoid_ability/owner.rb

@@ -0,0 +1,59 @@
+module MongoidAbility
+  module Owner
+
+    def self.included base
+      base.extend ClassMethods
+      base.class_eval do
+        delegate :can?, :cannot?, to: :ability
+
+        before_save :cleanup_locks
+      end
+    end
+
+    # =====================================================================
+
+    module ClassMethods
+      # override if needed
+      # return for example :my_locks
+      def locks_relation_name
+        @locks_relation_name ||= relations.detect{ |name, meta| meta.class_name == lock_class_name }.first.to_sym
+      end
+
+      # override if your relation is named differently
+      def roles_relation_name
+        :roles
+      end
+
+      # override if needed
+      # return for example 'MyLock'
+      def lock_class_name
+        @lock_class_name ||= Object.subclasses.detect{ |cls| cls < MongoidAbility::Lock }.name
+      end
+    end
+
+    # =====================================================================
+
+    def locks_relation
+      self.send(self.class.locks_relation_name)
+    end
+
+    def roles_relation
+      self.send(self.class.roles_relation_name)
+    end
+
+    # ---------------------------------------------------------------------
+
+    def ability
+      @ability ||= MongoidAbility::Ability.new(self)
+    end
+
+    private # =============================================================
+
+    def cleanup_locks
+      locks_relation.select(&:open?).each do |lock|
+        lock.destroy if locks_relation.where(action: lock.action, subject_type: lock.subject_type, subject_id: lock.subject_id).any?(&:closed?)
+      end
+    end
+
+  end
+end

data/lib/mongoid_ability/subject.rb

@@ -0,0 +1,80 @@
+module MongoidAbility
+  module Subject
+
+    def self.included base
+      base.extend ClassMethods
+      base.class_eval do
+      end
+    end
+
+    # =====================================================================
+
+    module ClassMethods
+      def default_locks
+        @default_locks ||= []
+      end
+
+      def default_locks= val
+        @default_locks = val
+      end
+
+      def default_lock action, outcome
+        default_locks << lock_class_name.constantize.new(subject_type: self, action: action, outcome: outcome)
+      end
+
+      # ---------------------------------------------------------------------
+      
+      # override if needed
+      # return for example 'MyLock'
+      def lock_class_name
+        Object.subclasses.detect{ |cls| cls < MongoidAbility::Lock }.name
+      end
+
+      # ---------------------------------------------------------------------
+        
+      def self_and_ancestors_with_default_locks
+        self.ancestors.select{ |a| a.is_a?(Class) && a.respond_to?(:default_locks) }
+      end
+
+      def ancestors_with_default_locks
+        self_and_ancestors_with_default_locks - [self]
+      end
+
+      # ---------------------------------------------------------------------
+        
+      def accessible_by ability, action=:read
+        criteria = Mongoid::Criteria.new(self)
+
+        return criteria unless ability.user.present?
+
+        id_locks = [
+          ability.user,
+          ability.user.roles_relation
+        ].flatten.collect { |owner|
+          owner.locks_relation.for_subject_type(self.to_s).id_locks.for_action(action).to_a
+        }.flatten
+
+        if ability.can?(action, self)
+          criteria.nin({
+                         _id: id_locks.map(&:subject_id).select do |subject_id|
+                           subject = self.new
+                           subject.id = subject_id
+                           ability.cannot?(action, subject)
+                         end
+          })
+        else
+          criteria.in({
+                        _id: id_locks.map(&:subject_id).select do |subject_id|
+                          subject = self.new
+                          subject.id = subject_id
+                          ability.can?(action, subject)
+                        end
+          })
+        end
+      end
+    end
+
+    # =====================================================================
+
+  end
+end

data/lib/mongoid_ability/version.rb

@@ -0,0 +1,3 @@
+module MongoidAbility
+  VERSION = "0.0.1"
+end

data/mongoid_ability.gemspec

@@ -0,0 +1,31 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'mongoid_ability/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "mongoid_ability"
+  spec.version       = MongoidAbility::VERSION
+  spec.authors       = ["Tomas Celizna"]
+  spec.email         = ["tomas.celizna@gmail.com"]
+  spec.summary       = %q{Custom Ability class that allows CanCanCan authorization library store permissions in MongoDB via the Mongoid gem.}
+  spec.description   = %q{Custom Ability class that allows CanCanCan authorization library store permissions in MongoDB via the Mongoid gem.}
+  spec.homepage      = "https://github.com/tomasc/mongoid_ability"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "cancancan", "~> 1.9"
+  spec.add_dependency "mongoid", "~> 4.0"
+
+  spec.add_development_dependency "bundler", "~> 1.6"
+  spec.add_development_dependency "coveralls"
+  spec.add_development_dependency "database_cleaner"
+  spec.add_development_dependency "guard"
+  spec.add_development_dependency "guard-minitest"
+  spec.add_development_dependency "minitest"
+  spec.add_development_dependency "rake"
+end

data/test/mongoid_ability/ability_resolver_test.rb

@@ -0,0 +1,208 @@
+require "test_helper"
+  
+module MongoidAbility
+  describe AbilityResolver do
+
+    let(:user) { TestUser.new }
+    let(:role_editor) { TestRole.new(name: 'Editor') }
+    let(:role_sysop) { TestRole.new(name: 'SysOp') }
+
+    let(:ability_resolver_subject) { TestAbilityResolverSubject.new }
+    
+    subject { AbilityResolver.new(user, :read, TestAbilityResolverSubject.to_s) }
+    let(:subject_with_id) { AbilityResolver.new(user, :read, TestAbilityResolverSubject.to_s, ability_resolver_subject) }
+
+    # ---------------------------------------------------------------------
+    
+    describe 'errors' do
+      it 'raises NameError for invalid subject_type' do
+        -> { ar = AbilityResolver.new(user, :read, 'Foo') }.must_raise NameError
+      end
+
+      it 'raises StandardError when subject_type does not have default_locks' do
+        -> { ar = AbilityResolver.new(user, :read, Object.to_s) }.must_raise StandardError
+      end
+
+      it 'raises StandardError when subject_type class or its ancestors does not have default_lock' do
+        TestAbilityResolverSubject.stub(:default_locks, []) do
+          -> { ar = AbilityResolver.new(user, :read, TestAbilityResolverSubject.to_s) }.must_raise StandardError
+        end
+      end
+    end
+    
+    # ---------------------------------------------------------------------
+    
+    describe '#outcome' do
+      describe 'when locks on both user and its roles' do
+        before do
+          user.roles = [
+            role_sysop.tap { |r| r.test_locks = [
+              TestLock.new(action: :read, outcome: true, subject_type: TestAbilityResolverSubject.to_s)
+            ]}
+          ]
+          user.test_locks = [
+            TestLock.new(action: :read, outcome: false, subject_type: TestAbilityResolverSubject.to_s)
+          ]
+        end
+        it 'prefers users locks' do
+          subject.outcome.must_equal false
+        end
+      end
+      describe 'when locks on roles and on class' do
+        before do
+          user.roles = [
+            role_sysop.tap { |r| r.test_locks = [
+              TestLock.new(action: :read, outcome: false, subject_type: TestAbilityResolverSubject.to_s)
+            ]}
+          ]
+        end
+        it 'prefers role locks' do
+          subject.outcome.must_equal false
+        end
+      end
+    end
+
+    # ---------------------------------------------------------------------
+
+    describe '#user_outcome' do
+      describe 'no locks' do
+        it 'returns nil if no locks for subject_type and action exists' do
+          subject.user_outcome.must_be_nil
+        end
+      end
+
+      describe 'id locks' do
+        it 'returns outcome' do
+          user.test_locks = [
+            TestLock.new(action: :read, subject: ability_resolver_subject, outcome: true)
+          ]
+          subject_with_id.user_outcome.must_equal true
+        end
+
+        it 'prefers negative outcome' do
+          user.test_locks = [
+            TestLock.new(action: :read, subject: ability_resolver_subject, outcome: true),
+            TestLock.new(action: :read, subject: ability_resolver_subject, outcome: false)
+          ]
+          subject_with_id.user_outcome.must_equal false
+        end
+      end
+
+      describe 'class locks' do
+        it 'returns outcome' do
+          user.test_locks = [
+            TestLock.new(action: :read, subject_type: TestAbilityResolverSubject.to_s, outcome: true)
+          ]
+          subject.user_outcome.must_equal true
+        end
+
+        it 'prefers negative outcome' do
+          user.test_locks = [
+            TestLock.new(action: :read, subject_type: TestAbilityResolverSubject.to_s, outcome: true),
+            TestLock.new(action: :read, subject_type: TestAbilityResolverSubject.to_s, outcome: false)
+          ]
+          subject.user_outcome.must_equal false
+        end
+      end
+    end
+
+    # ---------------------------------------------------------------------
+
+    describe '#roles_outcome' do
+      describe 'no locks' do
+        it 'returns nil if no locks for subject_type exist in any of user roles' do
+          subject.roles_outcome.must_be_nil
+        end
+      end
+
+      describe 'id locks' do
+        it 'returns outcome' do
+          user.roles = [
+            role_sysop.tap{ |r| r.test_locks = [
+              TestLock.new(subject: ability_resolver_subject, action: :read, outcome: true)
+            ]},
+            role_editor
+          ]
+          subject_with_id.roles_outcome.must_equal true
+        end
+
+        it 'prefers negative outcome across one role' do
+          user.roles = [
+            role_sysop.tap{ |r| r.test_locks = [
+              TestLock.new(subject: ability_resolver_subject, action: :read, outcome: true),
+              TestLock.new(subject: ability_resolver_subject, action: :read, outcome: false)
+            ]},
+            role_editor
+          ]
+          subject_with_id.roles_outcome.must_equal false
+        end
+
+        it 'prefers positive outcome across multiple roles' do
+          user.roles = [
+            role_sysop.tap{ |r| r.test_locks = [
+              TestLock.new(subject: ability_resolver_subject, action: :read, outcome: true)
+            ]},
+            role_editor.tap{ |r| r.test_locks = [
+              TestLock.new(subject: ability_resolver_subject, action: :read, outcome: false)
+            ]}
+          ]
+          subject_with_id.roles_outcome.must_equal true
+        end
+      end
+
+      describe 'class locks' do
+        it 'returns outcome' do
+          user.roles = [
+            role_sysop.tap{ |r| r.test_locks = [
+              TestLock.new(subject_type: TestAbilityResolverSubject.to_s, action: :read, outcome: true)
+            ]},
+            role_editor
+          ]
+          subject.roles_outcome.must_equal true
+        end
+
+        it 'prefers negative outcome across one role' do
+          user.roles = [
+            role_sysop.tap{ |r| r.test_locks = [
+              TestLock.new(subject_type: TestAbilityResolverSubject.to_s, action: :read, outcome: true),
+              TestLock.new(subject_type: TestAbilityResolverSubject.to_s, action: :read, outcome: false)
+            ]},
+            role_editor
+          ]
+          subject.roles_outcome.must_equal false
+        end
+
+        it 'prefers positive outcome across multiple roles' do
+          user.roles = [
+            role_sysop.tap{ |r| r.test_locks = [
+              TestLock.new(subject_type: TestAbilityResolverSubject.to_s, action: :read, outcome: true)
+            ]},
+            role_editor.tap{ |r| r.test_locks = [
+              TestLock.new(subject_type: TestAbilityResolverSubject.to_s, action: :read, outcome: false)
+            ]}
+          ]
+
+          subject.roles_outcome.must_equal true
+        end
+      end
+    end
+
+    # ---------------------------------------------------------------------
+    
+    describe '#class_outcome' do
+      it 'returns outcome' do
+        subject.class_outcome.must_equal true
+      end
+
+      it 'prefers negative outcome across same class' do
+        TestAbilityResolverSubject.stub(:default_locks, [
+          TestLock.new(subject_type: TestAbilityResolverSubject.to_s, action: :read, outcome: false),
+          TestLock.new(subject_type: TestAbilityResolverSubject.to_s, action: :read, outcome: true)
+        ]) do
+          subject.class_outcome.must_equal false
+        end
+      end
+    end
+
+  end
+end

data/test/mongoid_ability/ability_test.rb

@@ -0,0 +1,91 @@
+require "test_helper"
+
+module MongoidAbility
+  describe Ability do
+
+    let(:user) { TestUser.new }
+    let(:ability) { Ability.new(user) }
+
+    # ---------------------------------------------------------------------
+    
+    describe 'user' do
+      it 'exposes user' do
+        ability.user.must_equal user
+      end
+    end
+
+    # ---------------------------------------------------------------------
+    
+    describe 'default locks' do
+      it 'propagates from superclass to all subclasses' do
+        ability.can?(:update, TestAbilitySubjectSuper1).must_equal true
+        ability.can?(:update, TestAbilitySubject).must_equal true
+      end
+
+      describe 'when defined for all superclasses' do
+        it 'propagates default locks to subclasses' do
+          ability.can?(:read, TestAbilitySubjectSuper2).must_equal false
+          TestAbilitySubjectSuper1.stub(:default_locks, [
+            TestLock.new(subject_type: TestAbilitySubjectSuper1.to_s, action: :read, outcome: false)
+          ]) do
+            ability.can?(:read, TestAbilitySubjectSuper1).must_equal false
+          end
+          TestAbilitySubject.stub(:default_locks, [
+            TestLock.new(subject_type: TestAbilitySubject.to_s, action: :read, outcome: true)
+          ]) do
+            ability.can?(:read, TestAbilitySubject).must_equal true
+          end
+        end      
+      end
+
+      describe 'when defined for some superclasses' do
+        it 'propagates default locks to subclasses' do
+          ability.can?(:read, TestAbilitySubjectSuper2).must_equal false
+          ability.can?(:read, TestAbilitySubjectSuper1).must_equal false
+          TestAbilitySubject.stub(:default_locks, [
+            TestLock.new(subject_type: TestAbilitySubjectSuper1.to_s, action: :read, outcome: true)
+          ]) do
+            ability.can?(:read, TestAbilitySubject).must_equal true
+          end
+        end  
+      end
+    end
+
+    # ---------------------------------------------------------------------
+    
+    describe 'user locks' do
+      describe 'when defined for superclass' do
+        before do
+          user.tap do |u|
+            u.test_locks = [TestLock.new(subject_type: TestAbilitySubjectSuper2.to_s, action: :read, outcome: true)]
+          end
+        end
+        it 'applies the superclass lock' do
+          ability.can?(:read, TestAbilitySubject).must_equal true
+        end
+      end
+    end
+
+    # ---------------------------------------------------------------------
+    
+    describe 'role locks' do
+      describe 'when defined for superclass' do
+        before do
+          user.tap do |u|
+            u.roles = [
+              TestRole.new(test_locks: [
+                TestLock.new(subject_type: TestAbilitySubjectSuper2.to_s, action: :read, outcome: true)
+              ])
+            ]
+          end
+        end
+        it 'applies the superclass lock' do
+          ability.can?(:read, TestAbilitySubject).must_equal true
+        end
+      end
+    end
+
+    # ---------------------------------------------------------------------
+    
+  end
+end