patrick-lockdown 2.0.4.1

data/lib/lockdown/database.rb

@@ -0,0 +1,122 @@
+# encoding: utf-8
+
+module Lockdown
+  class Database
+    class << self
+      # This is very basic and could be handled better using orm specific
+      # functionality, but I wanted to keep it generic to avoid creating 
+      # an interface for each the different orm implementations. 
+      # We'll see how it works...
+      def sync_with_db
+        @permissions = Lockdown::Configuration.permission_names
+        @user_groups = Lockdown::Configuration.user_group_names
+
+        unless ::Permission.table_exists? && Lockdown.user_group_class.table_exists?
+          Lockdown.logger.info ">> Lockdown tables not found.  Skipping database sync."
+          return
+        end
+
+        create_new_permissions
+
+        delete_extinct_permissions
+      
+        maintain_user_groups
+      end
+
+      # Create permissions not found in the database
+      def create_new_permissions
+        @permissions.each do |name|
+          next if Lockdown::Configuration.permission_assigned_automatically?(name)
+          p = ::Permission.find(:first, :conditions => ["name = ?", name])
+          unless p
+            Lockdown.logger.info ">> Lockdown: Permission not found in db: #{name}, creating."
+            ::Permission.create(:name => name)
+          end
+        end
+      end
+
+      # Delete the permissions not found in init.rb
+      def delete_extinct_permissions
+        db_perms = ::Permission.find(:all).dup
+        db_perms.each do |dbp|
+          unless @permissions.include?(dbp.name)
+            Lockdown.logger.info ">> Lockdown: Permission no longer in init.rb: #{dbp.name}, deleting."
+          ug_table = Lockdown.user_groups_hbtm_reference.to_s
+          if "permissions" < ug_table
+            join_table = "permissions_#{ug_table}"
+          else
+            join_table = "#{ug_table}_permissions"
+          end
+            Lockdown.database_execute("delete from #{join_table} where permission_id = #{dbp.id}")
+            dbp.destroy
+          end
+        end
+      end
+
+      def maintain_user_groups
+        # Create user groups not found in the database
+        @user_groups.each do |name|
+          unless ug = Lockdown.user_group_class.find(:first, :conditions => ["name = ?", name])
+            create_user_group(name)
+          else
+            # Remove permissions from user group not found in init.rb
+            remove_invalid_permissions(ug)
+
+            # Add in permissions from init.rb not found in database
+            add_valid_permissions(ug)
+          end
+        end
+      end
+
+      def create_user_group(name)
+        Lockdown.logger.info ">> Lockdown: #{Lockdown::Configuration.user_group_model} not in the db: #{name}, creating."
+        ug = Lockdown.user_group_class.create(:name => name)
+        #Inefficient, definitely, but shouldn't have any issues across orms.
+        #
+        Lockdown::Configuration.user_group_permissions_names(name).each do |perm|
+
+          if Lockdown::Configuration.permission_assigned_automatically?(perm)
+            Lockdown.logger.info  ">> Permission #{perm} cannot be assigned to #{name}.  Already belongs to built in user group (public or protected)."
+            raise  InvalidPermissionAssignment, "Invalid permission assignment"
+          end
+
+          p = ::Permission.find(:first, :conditions => ["name = ?", perm]) 
+
+          ug_table = Lockdown.user_groups_hbtm_reference.to_s
+          if "permissions" < ug_table
+            join_table = "permissions_#{ug_table}"
+          else
+            join_table = "#{ug_table}_permissions"
+          end
+          Lockdown.database_execute "insert into #{join_table}(permission_id, #{Lockdown.user_group_id_reference}) values(#{p.id}, #{ug.id})"
+        end
+      end
+
+      def remove_invalid_permissions(ug)
+        ug.permissions.each do |perm|
+          unless Lockdown::Configuration.user_group_permissions_names(ug.name).include?(perm.name)
+            Lockdown.logger.info ">> Lockdown: Permission: #{perm.name} no longer associated to User Group: #{ug.name}, deleting."
+            ug.permissions.delete(perm)
+          end
+        end
+      end
+
+      def add_valid_permissions(ug)
+        Lockdown::Configuration.user_group_permissions_names(ug.name).each do |perm_name|
+          found = false
+          # see if permission exists
+          ug.permissions.each do |p|
+            found = true if p.name == perm_name
+          end
+          # if not found, add it
+          unless found
+            Lockdown.logger.info ">> Lockdown: Permission: #{perm_name} not found for User Group: #{ug.name}, adding it."
+            p = ::Permission.find(:first, :conditions => ["name = ?", perm_name])
+            ug.permissions << p
+          end
+        end
+      end
+
+    end # class block
+  end # Database
+end #Lockdown

data/lib/lockdown/delivery.rb

@@ -0,0 +1,28 @@
+# encoding: utf-8
+
+module Lockdown
+  class Delivery
+    class << self
+      # @return [true|false] if the given path is allowed
+      def allowed?(path, access_rights = nil)
+        begin
+          ::Authorization.configure
+        rescue NameError
+        end
+
+        access_rights ||= Lockdown::Configuration.public_access
+
+        access_rights_regex = Lockdown.regex(access_rights)
+
+        path += "/" unless path =~ /\/$/
+        path = "/" + path unless path =~ /^\//
+
+        if (access_rights_regex =~ path) == 0
+          return true 
+        end
+
+        return false
+      end
+    end # class block
+  end # Delivery
+end # Lockdown

data/lib/lockdown/errors.rb

@@ -0,0 +1,7 @@
+# encoding: utf-8
+
+module Lockdown
+  class PermissionNotFound < StandardError; end
+
+  class InvalidPermissionAssignment < StandardError; end
+end

data/lib/lockdown/frameworks/rails.rb

@@ -0,0 +1,77 @@
+# encoding: utf-8
+
+require File.join(File.dirname(__FILE__), "rails", "controller")
+require File.join(File.dirname(__FILE__), "rails", "view")
+
+module Lockdown
+  module Frameworks
+    module Rails
+      class << self
+        def included(mod)
+          mod.extend Lockdown::Frameworks::Rails::Environment
+          mixin
+        end
+        
+        def mixin
+          mixin_controller
+
+          Lockdown.view_helper.class_eval do
+            include Lockdown::Frameworks::Rails::View
+          end
+
+          Lockdown::Configuration.class_eval do 
+            def self.skip_sync?
+              skip_db_sync_in.include?(::Rails.env)
+            end
+          end
+        end
+
+        def mixin_controller(klass = Lockdown.controller_parent)
+          klass.class_eval do
+            include Lockdown::Session
+            include Lockdown::Frameworks::Rails::Controller::Lock
+          end
+
+          klass.helper_method :authorized?
+
+          klass.hide_action(:set_current_user, :configure_lockdown, :check_request_authorization)
+
+          klass.before_filter do |c|
+            c.set_current_user
+            c.configure_lockdown
+            c.check_request_authorization
+          end
+
+          klass.filter_parameter_logging :password, :password_confirmation
+      
+          klass.rescue_from SecurityError, :with => proc{|e| ld_access_denied(e)}
+        end
+      end # class block
+
+      module Environment
+
+        def project_root
+          ::RAILS_ROOT
+        end
+
+        def view_helper
+          ::ActionView::Base 
+        end
+
+        # cache_classes is true in production and testing, need to
+        # modify the ApplicationController 
+        def controller_parent
+          if caching?
+            ApplicationController
+          else
+            ActionController::Base
+          end
+        end
+        
+        def caching?
+          ::Rails.configuration.cache_classes
+        end
+      end
+    end # Rails
+  end # Frameworks
+end # Lockdown

data/lib/lockdown/frameworks/rails/controller.rb

@@ -0,0 +1,145 @@
+module Lockdown
+  module Frameworks
+    module Rails
+      module Controller
+        # Locking methods
+        module Lock
+
+          def configure_lockdown
+            store_location
+          end
+
+          # Basic auth functionality needs to be reworked as
+          # Lockdown doesn't provide authentication functionality.
+          def set_current_user
+            if logged_in?
+              whodat = send(Lockdown::Configuration.who_did_it)
+              Thread.current[:who_did_it] = whodat
+            end
+          end
+
+          def check_request_authorization
+            unless authorized?(path_from_hash(params))
+              parameters = respond_to?(:filter_parameters) ? filter_parameters(params) : params.dup
+              raise SecurityError, "Authorization failed! \nparams: #{parameters.inspect}\nsession: #{session.inspect}"
+            end
+          end
+
+          protected
+
+          def store_location
+            if request.get? && (session[:thispage] != sent_from_uri)
+              session[:prevpage] = session[:thispage] || ''
+              session[:thispage] = sent_from_uri
+            end
+          end
+
+          def sent_from_uri
+            request.fullpath
+          end
+
+          def authorized?(url, method = nil)
+            # Reset access unless caching?
+            add_lockdown_session_values unless Lockdown.caching?
+
+            return false unless url
+
+            method ||= (params[:method] || request.method)
+
+            url_parts = URI::split(url.strip)
+
+            path = url_parts[5]
+
+            subdir = Lockdown::Configuration.subdirectory
+            if subdir && subdir == path[1,subdir.length]
+              path = path[(subdir.length+1)..-1]
+            end
+
+            if Lockdown::Delivery.allowed?(path, session[:access_rights])
+              return true
+            end
+
+            path_parts = path.split('/')
+
+            if path_parts.last == "index"
+              path_parts.pop
+              new_path = path_parts.join('/')
+              return Lockdown::Delivery.allowed?(new_path, session[:access_rights])
+            end
+
+            begin
+              if ::Rails.respond_to?(:application)
+                router = ::Rails.application.routes
+              else
+                router = ActionController::Routing::Routes
+              end
+
+              hash = router.recognize_path(path, :method => method)
+
+              if hash
+                return Lockdown::Delivery.allowed?(path_from_hash(hash),
+                                                      session[:access_rights])
+              end
+            rescue ActionController::RoutingError
+              # continue on
+            end
+
+            # Mailto link
+            if url =~ /^mailto:/
+              return true
+            end
+
+            # Public file
+            file = File.join(::Rails.root, 'public', url)
+            if File.exists?(file)
+              return true
+            end
+
+            # Passing in different domain
+            return remote_url?(url_parts[2])
+          end
+
+          def ld_access_denied(e)
+
+            Lockdown.logger.info "Access denied: #{e}"
+
+            if Lockdown::Configuration.logout_on_access_violation
+              reset_session
+            end
+            respond_to do |format|
+              format.html do
+                store_location
+                redirect_to Lockdown::Configuration.access_denied_path
+                return
+              end
+              format.xml do
+                headers["Status"] = "Unauthorized"
+                headers["WWW-Authenticate"] = %(Basic realm="Web Password")
+                render :text => e.message, :status => "401 Unauthorized"
+                return
+              end
+            end
+          end
+
+          def path_from_hash(hash)
+            hash[:controller].to_s + "/" + hash[:action].to_s
+          end
+
+          def remote_url?(domain = nil)
+            return false if domain.nil? || domain.strip.length == 0
+            request.host.downcase != domain.downcase
+          end
+
+          def redirect_back_or_default(default)
+            if session[:prevpage].nil? || session[:prevpage].blank?
+              redirect_to(default)
+            else
+              redirect_to(session[:prevpage])
+            end
+          end
+        end # Lock
+      end # Controller
+    end # Rails
+  end # Frameworks
+end # Lockdown
+

data/lib/lockdown/frameworks/rails/view.rb

@@ -0,0 +1,51 @@
+module Lockdown
+  module Frameworks
+    module Rails
+      module View
+        def self.included(base)
+          base.class_eval do
+            alias_method :link_to_open, :link_to
+            alias_method :link_to, :link_to_secured
+
+            alias_method :button_to_open, :button_to
+            alias_method :button_to, :button_to_secured
+          end
+        end
+
+        def link_to_secured(name, options = {}, html_options = nil)
+          url = url_for(options)
+
+          method = html_options && html_options[:method] ? html_options[:method] : :get
+
+          if authorized?(url, method)
+            return link_to_open(name, url, html_options)
+          end
+          return ""
+        end
+
+        def button_to_secured(name, options = {}, html_options = nil)
+          url = url_for(options)
+
+          method = html_options ? html_options[:method] : :get
+
+          if authorized?(url, method)
+            return button_to_open(name, url, html_options)
+          end
+          return ""
+        end
+
+        def link_to_or_show(name, options = {}, html_options = nil)
+          lnk = link_to(name, options, html_options)
+          lnk.length == 0 ? name : lnk
+        end
+
+        def links(*lis)
+          rvalue = []
+          lis.each{|link| rvalue << link if link.length > 0 }
+          rvalue.join( Lockdown::Configuration.link_separator )
+        end
+      end # View
+    end # Rails
+  end # Frameworks
+end # Lockdown
+

data/lib/lockdown/helper.rb

@@ -0,0 +1,40 @@
+# encoding: utf-8
+
+require 'active_support/core_ext'
+
+module Lockdown
+  module Helper
+    # @return [Regexp] with \A \z boundaries
+    def regex(string)
+      Regexp.new(/\A#{string}\z/)
+    end
+
+    def administrator_group_name
+      'Administrators'
+    end
+
+    def user_group_class
+      eval("::#{Lockdown::Configuration.user_group_model}")
+    end
+
+    def user_groups_hbtm_reference
+      Lockdown::Configuration.user_group_model.underscore.pluralize.to_sym
+    end
+
+    def user_group_id_reference
+      Lockdown::Configuration.user_group_model.underscore + "_id"
+    end
+
+    def user_class
+      eval("::#{Lockdown::Configuration.user_model}")
+    end
+
+    def users_hbtm_reference
+      Lockdown::Configuration.user_model.underscore.pluralize.to_sym
+    end
+
+    def user_id_reference
+      Lockdown::Configuration.user_model.underscore + "_id"
+    end
+  end
+end