padrino-admin 0.2.9 → 0.4.5

data/Rakefile

@@ -10,13 +10,14 @@ begin
     gem.email = "nesquena@gmail.com"
     gem.homepage = "http://github.com/padrino/padrino-framework/tree/master/padrino-admin"
     gem.authors = ["Padrino Team", "Nathan Esquenazi", "Davide D'Agostino", "Arthur Chiu"]
-    gem.add_runtime_dependency     "sinatra",       ">= 0.9.2"
-    gem.add_runtime_dependency     "padrino-core",  ">= 0.1.1"
-    gem.add_development_dependency "haml",          ">= 2.2.1"
-    gem.add_development_dependency "shoulda",       ">= 0"
-    gem.add_development_dependency "mocha",         ">= 0.9.7"
-    gem.add_development_dependency "rack-test",     ">= 0.5.0"
-    gem.add_development_dependency "webrat",        ">= 0.5.1"
+    gem.add_runtime_dependency     "json_pure",       ">= 1.2.0"
+    gem.add_runtime_dependency     "padrino-core",    ">= 0.1.1"
+    gem.add_development_dependency "dm-core",         ">= 0.10.2"
+    gem.add_development_dependency "haml",            ">= 2.2.1"
+    gem.add_development_dependency "shoulda",         ">= 0"
+    gem.add_development_dependency "mocha",           ">= 0.9.7"
+    gem.add_development_dependency "rack-test",       ">= 0.5.0"
+    gem.add_development_dependency "webrat",          ">= 0.5.1"
     # gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
   end
   Jeweler::GemcutterTasks.new
@@ -26,7 +27,7 @@ end
 
 require 'rake/testtask'
 Rake::TestTask.new(:test) do |test|
-  test.libs << 'lib' << 'test'
+  test.libs << 'test'
   test.pattern = 'test/**/test_*.rb'
   test.verbose = true
 end

data/VERSION

@@ -1 +1 @@
-0.2.9
+0.4.5

data/lib/padrino-admin.rb

@@ -1,2 +1,11 @@
-require 'padrino-gen'
-Dir[File.dirname(__FILE__) + '/padrino-admin/**/*.rb'].each {|file| require file }
+require 'padrino-core'
+
+Dir[File.dirname(__FILE__) + '/padrino-admin/*.rb'].each {|file| require file }
+Dir[File.dirname(__FILE__) + '/padrino-admin/{access_control,adapters,ext_js,generators,utils}/*.rb'].each {|file| require file }
+
+Padrino::Application.send(:cattr_accessor, :access_control)
+Padrino::Application.send(:access_control=, Class.new(Padrino::AccessControl::Base))
+String.send(:include, Padrino::Admin::Utils::Crypt)
+
+# Load our locales
+I18n.load_path += Dir["#{File.dirname(__FILE__)}/padrino-admin/locale/*.yml"]

data/lib/padrino-admin/access_control.rb

@@ -0,0 +1,353 @@
+module Padrino
+  
+  class AccessControlError < StandardError; end
+  
+  # This module give to a padrino application an access control functionality like:
+  #   
+  #   class EcommerceDemo < Padrino::Application
+  #     enable :authentication
+  #     set :redirect_back_or_default, "/login" # or your page
+  #     set :use_orm, :active_record # or :data_mapper, :mongo_mapper
+  # 
+  #     access_control.roles_for :any do
+  #       role.require_login "/cart"
+  #       role.require_login "/account"
+  #       role.allow "/account/create"
+  #     end
+  #   end
+  # 
+  # In the EcommerceDemo, we <tt>only</tt> require logins for all paths that start with "/cart" like:
+  # 
+  #   - "/cart/add"
+  #   - "/cart/empty"
+  #   - "/cart/checkout"
+  # 
+  # same thing for "/account" so we require a login for:
+  # 
+  #   - "/account"
+  #   - "/account/edit"
+  #   - "/account/update"
+  # 
+  # but if we call "/account/create" we don't need to be logged in our site for do that.
+  # In EcommerceDemo example we set <tt>redirect_back_or_default</tt> so if a <tt>unlogged</tt> 
+  # user try to access "/account/edit" will be redirected to "/login" when login is done will be 
+  # redirected to "/account/edit".
+  # 
+  # If we need something more complex aka roles/permissions we can do that in the same simple way
+  # 
+  #   class AdminDemo < Padrino::Application
+  #     enable :authentication
+  #     set :redirect_to_default, "/" # or your page
+  #     
+  #     access_control.roles_for :any do |role|
+  #       role.allow "/sessions"
+  #     end
+  #   
+  #     access_control.roles_for :admin do |role, account|
+  #       role.allow "/"
+  #       role.deny  "/posts"
+  #     end
+  #     
+  #     access_control.roles_for :editor do |role, account|
+  #       role.allow "/posts"
+  #     end
+  #   end
+  # 
+  #   If a user logged with role admin can:
+  #   
+  #   - Access to all paths that start with "/session" like "/sessions/{new,create}"
+  #   - Access to any page except those that start with "/posts"
+  # 
+  #   If a user logged with role editor can:
+  # 
+  #   - Access to all paths that start with "/session" like "/sessions/{new,create}"
+  #   - Access <tt>only</tt> to paths that start with "/posts" like "/post/{new,edit,destroy}"
+  # 
+  # Finally we have another good fatures, the possibility in the same time we build role build also <tt>tree</tt>.
+  # Figure this scenario: in my admin every account need their own menu, so an Account with role editor have
+  # a menu different than an Account with role admin.
+  # 
+  # So:
+  # 
+  #   class AdminDemo < Padrino::Application
+  #     enable :authentication
+  #     set :redirect_to_default, "/" # or your page
+  #     
+  #     access_control.roles_for :any do |role|
+  #       role.allow "/sessions"
+  #     end
+  #     
+  #     access_control.roles_for :admin do |role, current_account|
+  #       
+  #       role.project_module :settings do |project|
+  #         project.menu :accounts, "/accounts" do |accounts|
+  #           accounts.add :new, "/accounts/new" do |account|
+  #             account.add :administrator, "/account/new/?role=administrator"               
+  #             account.add :editor,        "/account/new/?role=editor"
+  #           end
+  #         end
+  #         project.menu :spam_rules, "/manage_spam"
+  #       end
+  #       
+  #       role.project_module :categories do |project|
+  #         current_account.categories.each do |category|
+  #           project.menu category.name, "/categories/#{category.id}.js"
+  #         end
+  #       end
+  #     end
+  #     
+  #     access_control.roles_for :editor do |role, current_account|
+  #       
+  #       role.project_module :posts do |posts|
+  #         post.menu :list, "/posts"
+  #         post.menu :new,  "/posts/new"
+  #       end
+  #     end
+  # 
+  # In this example when we build our menu tree we are also defining roles so:
+  # 
+  # An Admin Account have access to:
+  # 
+  # - All paths that start with "/sessions"
+  # - All paths that start with "/accounts"
+  # - All paths that start with "/manage_spam"
+  # 
+  # An Editor Account have access to:
+  # 
+  # - All paths that start with "/posts"
+  # 
+  # Remember that you always deny a specific actions or allow globally others.
+  # 
+  # Remember that when you define role_for :a_role, you have also access to the Model Account.
+  #
+  module AccessControl
+
+    def self.registered(app)
+      app.helpers Padrino::AccessControl::Helpers
+      app.before { login_required }
+      app.set :redirect_to_default, "/"
+      if app.respond_to?(:use_orm)
+        Padrino::Admin::Adapters.register(app.use_orm)
+      else
+        raise Padrino::ApplicationSetupError, "You must define in your app the setting :use_orm!"
+      end
+    end
+
+    class Base
+
+      class << self
+        
+        def inherited(base) #:nodoc:
+          base.class_eval("@@cache={}; @authorizations=[]; @roles=[]; @mappers=[]")
+          base.send(:cattr_reader, :cache)
+          super
+        end
+        
+        # We map project modules for a given role or roles
+        def roles_for(*roles, &block)
+          raise Padrino::AccessControlError, "Role #{role} must be present and must be a symbol!" if roles.any? { |r| !r.kind_of?(Symbol) } || roles.empty?
+          raise Padrino::AccessControlError, "You can't merge :any with other roles"              if roles.size > 1 && roles.any? { |r| r == :any }
+
+          if roles == [:any]
+            @authorizations << Authorization.new(&block)
+          else
+            raise Padrino::AccessControlError, "For use custom roles you need to define an Account Class" unless defined?(Account)
+            @roles.concat(roles)
+            @mappers << Proc.new { |account| Mapper.new(account, *roles, &block) }
+          end
+        end
+
+        # Returns (allowed && denied paths).
+        # If an account given we also give allowed & denied paths for their role.
+        def auths(account=nil)
+          if account
+            cache[account.id] ||= Auths.new(@authorizations, @mappers, account)
+          else
+            cache[:any] ||= Auths.new(@authorizations)
+          end
+        end
+      end
+    end
+
+    class Auths
+      attr_reader :allowed, :denied, :project_modules
+
+      def initialize(authorizations, mappers=nil, account=nil)
+        @allowed, @denied = [], []
+        unless authorizations.empty?
+          @allowed = authorizations.collect(&:allowed).flatten
+          @denied  = authorizations.collect(&:denied).flatten
+        end
+        if mappers && !mappers.empty?
+          maps = mappers.collect { |m|  m.call(account) }.reject { |m| !m.allowed? }
+          @allowed.concat(maps.collect(&:allowed).flatten)
+          @denied.concat(maps.collect(&:denied).flatten)
+          @project_modules = maps.collect(&:project_modules).flatten.uniq
+        else
+          @project_modules = []
+        end
+        @allowed.uniq!
+        @denied.uniq!
+      end
+
+      def can?(request_path)
+        return true if @allowed.empty?
+        @allowed.any? { |path| request_path =~ /^#{path}/ } && !cannot?(request_path)
+      end
+
+      def cannot?(request_path)
+        return false if @denied.empty?
+        @denied.any? { |path| request_path =~ /^#{path}/ }
+      end
+
+    end
+
+    class Authorization
+      attr_reader :allowed, :denied
+
+      def initialize(&block)
+        @allowed = []
+        @denied  = []
+        yield self
+      end
+
+      def allow(path)
+        @allowed << path unless @allowed.include?(path)
+      end
+
+      def require_login(path)
+        @denied << path unless @denied.include?(path)
+      end
+      alias :deny :require_login
+    end
+
+    class Mapper
+      attr_reader :project_modules, :roles, :denied
+
+      def initialize(account, *roles, &block) #:nodoc:
+        @project_modules = []
+        @allowed         = []
+        @denied          = []
+        @roles           = roles
+        @account         = account.dup
+        yield(self, @account)
+      end
+
+      # Create a new project module
+      def project_module(name, path=nil, &block)
+        @project_modules << ProjectModule.new(name, path, &block)
+      end
+
+      # Globally allow an paths for the current role
+      def allow(path)
+        @allowed << path unless @allowed.include?(path)
+      end
+
+      # Globally deny an pathsfor the current role
+      def deny(path)
+        @denied << path unless @allowed.include?(path)
+      end
+
+      # Return true if role is included in given roles
+      def allowed?
+        @roles.any? { |r| r == @account.role.to_s.downcase.to_sym }
+      end
+
+      # Return allowed paths
+      def allowed
+        @project_modules.each { |pm| @allowed.concat(pm.allowed)  }
+        @allowed.uniq
+      end
+    end
+
+    class ProjectModule
+      attr_reader :name, :menus, :path
+
+      def initialize(name, path=nil, options={}, &block)#:nodoc:
+        @name     = name
+        @options  = options
+        @allowed  = []
+        @menus    = []
+        @path     = path
+        @allowed << path if path
+        yield self
+      end
+
+      # Build a new menu and automaitcally add the action on the allowed actions.
+      def menu(name, path=nil, options={}, &block)
+        @menus << Menu.new(name, path, options, &block)
+      end
+
+      # Return allowed controllers
+      def allowed
+        @menus.each { |m| @allowed.concat(m.allowed) }
+        @allowed.uniq
+      end
+
+      # Return the original name or try to translate or humanize the symbol
+      def human_name
+        @name.is_a?(Symbol) ? I18n.t("admin.menus.#{@name}", :default => @name.to_s.humanize) : @name
+      end
+
+      # Return symbol for the given project module
+      def uid
+        @name.to_s.downcase.gsub(/[^a-z0-9]+/, '').gsub(/-+$/, '').gsub(/^-+$/, '').to_sym
+      end
+
+      # Return ExtJs Config for this project module
+      def config
+        options = @options.merge(:text => human_name)
+        options.merge!(:menu => @menus.collect(&:config)) if @menus.size > 0
+        options.merge!(:handler => ExtJs::Variable.new("function(){ Admin.app.load('#{path}') }")) if @path
+        options
+      end
+    end
+
+    class Menu
+      attr_reader :name, :options, :items, :path
+
+      def initialize(name, path=nil, options={}, &block) #:nodoc:
+        @name    = name
+        @path    = path
+        @options = options
+        @allowed = []
+        @items   = []        
+        @allowed << path if path
+        yield self if block_given?
+      end
+
+      # Add a new submenu to the menu
+      def add(name, path=nil, options={}, &block)
+        @items << Menu.new(name, path, options, &block)
+      end
+
+      # Return allowed controllers
+      def allowed
+        @items.each { |i| @allowed.concat(i.allowed) }
+        @allowed.uniq
+      end
+
+      # Return the original name or try to translate or humanize the symbol
+      def human_name
+        @name.is_a?(Symbol) ? I18n.t("admin.menus.#{@name}", :default => @name.to_s.humanize) : @name
+      end
+
+      # Return a unique id for the given project module
+      def uid
+        @name.to_s.downcase.gsub(/[^a-z0-9]+/, '').gsub(/-+$/, '').gsub(/^-+$/, '').to_sym
+      end
+
+      # Return ExtJs Config for this menu
+      def config
+        if @path.blank? && @items.empty?
+          options = human_name
+        else
+          options = @options.merge(:text => human_name)
+          options.merge!(:menu => @items.collect(&:config)) if @items.size > 0
+          options.merge!(:handler => ExtJs::Variable.new("function(){ Admin.app.load('#{path}') }")) if @path
+        end
+        options
+      end
+    end
+  end
+end

data/lib/padrino-admin/access_control/helpers.rb

@@ -0,0 +1,81 @@
+module Padrino
+  module AccessControl
+    module Helpers
+
+      # Returns true if <tt>current_account</tt> is logged and active.
+      def logged_in?
+        !current_account.nil?
+      end
+
+      # Returns the current_account, it's an instance of <tt>Account</tt> model
+      def current_account
+        @current_account ||= login_from_session
+      end
+
+      # Ovverride the current_account, you must provide an instance of Account Model
+      # 
+      #   Examples:
+      #   
+      #     current_account = Account.last
+      # 
+      def set_current_account(account)
+        session[session_name] = account.id rescue nil
+        @current_account      = account
+      end
+
+      # Returns true if the <tt>current_account</tt> is allowed to see the requested path
+      # 
+      # For configure this role please refer to: <tt>Padrino::AccessControl::Base</tt>
+      def allowed?
+        access_control.auths(current_account).can?(request.path_info)
+      end
+
+      # Returns a helper to pass in a <tt>before_filter</tt> for check if
+      # an account are: <tt>logged_in?</tt> and <tt>allowed?</tt>
+      # 
+      # By default this method is used in BackendController so is not necessary
+      def login_required
+        store_location if options.respond_to?(:redirect_back_or_default)
+        return access_denied unless allowed?
+      end
+
+      # Store in session[:return_to] the request.fullpath
+      def store_location
+        session[:return_to] = request.fullpath
+      end
+
+      # Redirect the account to the page that requested an authentication or
+      # if the account is not allowed/logged return it to a default page
+      def redirect_back_or_default(default)
+        redirect_to(session[:return_to] || default)
+        session[:return_to] = nil
+      end
+
+    private
+      def access_denied #:nodoc:
+        # If request a javascript we alert the user
+        if request.xhr?
+          "alert('You don\'t have permission for this resource')"
+        # If we request a normal page we redirect and we store request.full_path
+        elsif options.respond_to?(:redirect_back_or_default)
+          redirect_back_or_default(options.redirect_back_or_default)
+        # If we don't want redirect a user to back but always to a path
+        elsif options.respond_to?(:redirect_to_default)
+          redirect(options.redirect_to_default)
+        # If no match we halt with 401
+        else
+          halt 401, "You don't have permission for this resource"
+        end
+        false
+      end
+
+      def session_name
+        options.app_name.to_sym
+      end
+
+      def login_from_session #:nodoc:
+        Account.first(:conditions => { :id => session[session_name] }) if defined?(Account)
+      end
+    end
+  end
+end