permissify 0.0.1

data/CHANGELOG.rdoc

@@ -0,0 +1,4 @@
+0.0.1 12-05-2x
+
+* git me a permissify gem
+

data/Gemfile

@@ -0,0 +1,52 @@
+# source 'https://rubygems.org'
+# 
+# gem 'rails', '3.2.3'
+# 
+# # Bundle edge Rails instead:
+# # gem 'rails', :git => 'git://github.com/rails/rails.git'
+# 
+# gem 'mysql'
+# 
+# gem 'json'
+# 
+# # Gems used only for assets and not required
+# # in production environments by default.
+# group :assets do
+#   gem 'sass-rails',   '~> 3.2.3'
+#   gem 'coffee-rails', '~> 3.2.1'
+# 
+#   # See https://github.com/sstephenson/execjs#readme for more supported runtimes
+#   # gem 'therubyracer', :platform => :ruby
+# 
+#   gem 'uglifier', '>= 1.0.3'
+# end
+# 
+# gem 'jquery-rails'
+# 
+# # To use ActiveModel has_secure_password
+# # gem 'bcrypt-ruby', '~> 3.0.0'
+# 
+# # To use Jbuilder templates for JSON
+# # gem 'jbuilder'
+# 
+# # Use unicorn as the app server
+# # gem 'unicorn'
+# 
+# # Deploy with Capistrano
+# # gem 'capistrano'
+# 
+# # To use debugger
+# # gem 'ruby-debug'
+# 
+# gem 'authlogic', '>= 3.1.0'
+
+source "http://rubygems.org"
+
+# gem "sqlite3"
+# TODO : any activerecord version dependency?
+# gem "activerecord", '~> 3.0.9', :require => "active_record"
+gem "activerecord", :require => "active_record"
+# gem "with_model", "~> 0.2.5"
+# gem "meta_where"
+
+gemspec

data/LICENSE

@@ -0,0 +1,21 @@
+Copyright (c) 2012 Frederick Fix
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+

data/README.rdoc

@@ -0,0 +1,134 @@
+= Permissify
+
+Based on/inspired by CanCan {<img src="https://secure.travis-ci.org/ryanb/cancan.png" />}[http://travis-ci.org/ryanb/cancan]
+
+Wiki[https://github.com/rickfix/permissify/wiki] | RDocs[http://rdoc.info/projects/rickfix/permissify] 
+
+Permissify is an authorization library for Ruby on Rails which restricts what resources a given model (i.e. user) is, or combination of models (user and merchant) are, allowed to access. 
+
+Abilities are defined in a single location (the +Ability+ class).
+
+If you wish to permissify users with a set of roles... your roles class is permissified and you specify (through seeds, administration or some other mechanism) permissions to each ability.
+
+Permissify expects a user to have many and belong to roles.
+The following interfaces must be supported...
+
+
+In the system which this gem was extracted, users where assigned many roles and businesses where are assigned many products (or, more accurately, product bundles).  In views, access to ability-restricted navigation was typically affected by checking, (example is for merchant user admin) 'allowed_to?(:view, :merchant_user_admin)'.  Under the hood, at least one of the user's roles must have permission to view merchant user admin AND at least one of the merchant's products must also have permission to view merchant user admin.  Remember those Venn diagrams from 4th grade? Permissify is performing unions and intersections for you.  It also allows you to specify if a particular abiltiy is only governed by a single model (role or product or ...).
+
+
+== Installation
+
+In <b>Rails 3</b>, add this to your Gemfile and run the +bundle+ command.
+
+  gem "permissify"
+
+In <b>Rails 2</b>, add this to your environment.rb file.
+
+  config.gem "permissify"
+
+
+== Getting Started
+
+Permissify expects a +current_user+ method to exist in the controller. First, set up some authentication (such as Authlogic[https://github.com/binarylogic/authlogic] or Devise[https://github.com/plataformatec/devise]). See {Changing Defaults}[https://github.com/rickfix/permissify/wiki/changing-defaults] if you need different behavior.
+
+
+=== 1. Define Abilities
+
+User permissions are defined in an +Ability+ class. Permissify x.y includes a Rails 3 generator for creating this class.
+
+  rails g permissify:ability
+
+In Rails 2.3, just add a new class in `app/models/ability.rb` with the folowing contents:
+
+  class Ability
+    include Permissify::Ability
+
+    def initialize(user)
+    end
+  end
+
+See {Defining Abilities}[https://github.com/rickfix/permissify/wiki/defining-abilities] for details.
+
+
+=== 2. Check Abilities & Authorization
+
+The current user's permissions can then be checked using the <tt>can?</tt> and <tt>cannot?</tt> methods in the view and controller.
+
+  <% if can? :update, @article %>
+    <%= link_to "Edit", edit_article_path(@article) %>
+  <% end %>
+
+See {Checking Abilities}[https://github.com/rickfix/permissify/wiki/checking-abilities] for more information
+
+The <tt>authorize!</tt> method in the controller will raise an exception if the user is not able to perform the given action.
+
+  def show
+    @article = Article.find(params[:id])
+    authorize! :read, @article
+  end
+
+Setting this for every action can be tedious, therefore the +load_and_authorize_resource+ method is provided to automatically authorize all actions in a RESTful style resource controller. It will use a before filter to load the resource into an instance variable and authorize it for every action.
+
+  class ArticlesController < ApplicationController
+    load_and_authorize_resource
+
+    def show
+      # @article is already loaded and authorized
+    end
+  end
+
+See {Authorizing Controller Actions}[https://github.com/rickfix/permissify/wiki/authorizing-controller-actions] for more information.
+
+
+=== 3. Handle Unauthorized Access
+
+If the user authorization fails, a <tt>Permissify::AccessDenied</tt> exception will be raised. You can catch this and modify its behavior in the +ApplicationController+.
+
+  class ApplicationController < ActionController::Base
+    rescue_from Permissify::AccessDenied do |exception|
+      redirect_to root_url, :alert => exception.message
+    end
+  end
+
+See {Exception Handling}[https://github.com/rickfix/permissify/wiki/exception-handling] for more information.
+
+
+=== 4. Lock It Down
+
+If you want to ensure authorization happens on every action in your application, add +check_authorization+ to your ApplicationController.
+
+  class ApplicationController < ActionController::Base
+    check_authorization
+  end
+
+This will raise an exception if authorization is not performed in an action. If you want to skip this add +skip_authorization_check+ to a controller subclass. See {Ensure Authorization}[https://github.com/rickfix/permissify/wiki/Ensure-Authorization] for more information.
+
+
+== Wiki Docs
+
+* {Upgrading to 1.6}[https://github.com/rickfix/permissify/wiki/Upgrading-to-1.6]
+* {Defining Abilities}[https://github.com/rickfix/permissify/wiki/Defining-Abilities]
+* {Checking Abilities}[https://github.com/rickfix/permissify/wiki/Checking-Abilities]
+* {Authorizing Controller Actions}[https://github.com/rickfix/permissify/wiki/Authorizing-Controller-Actions]
+* {Exception Handling}[https://github.com/rickfix/permissify/wiki/Exception-Handling]
+* {Changing Defaults}[https://github.com/rickfix/permissify/wiki/Changing-Defaults]
+* {See more}[https://github.com/rickfix/permissify/wiki]
+
+
+== Project Status
+
+Unfortunately I have not had time to actively work on this project recently. If you find a critical issue where it does not work as documented please {ping me on twitter}[http://twitter.com/rbates] and I'll take a look.
+
+
+== Questions or Problems?
+
+If you have any issues with Permissify which you cannot find the solution to in the documentation[https://github.com/rickfix/permissify/wiki], please add an {issue on GitHub}[https://github.com/rickfix/permissify/issues] or fork the project and send a pull request.
+
+To get the specs running you should call +bundle+ and then +rake+. See the {spec/README}[https://github.com/rickfix/permissify/blob/master/spec/README.rdoc] for more information.
+
+
+== Special Thanks
+
+Permissify was inspired by declarative_authorization[https://github.com/stffn/declarative_authorization/] and aegis[https://github.com/makandra/aegis]. Also many thanks to the Permissify contributors[https://github.com/rickfix/permissify/contributors]. See the CHANGELOG[https://github.com/rickfix/permissify/blob/master/CHANGELOG.rdoc] for the full list.
+

data/Rakefile

@@ -0,0 +1,18 @@
+require 'rubygems'
+require 'rake'
+require 'rspec/core/rake_task'
+
+desc "Run RSpec"
+RSpec::Core::RakeTask.new do |t|
+  t.verbose = false
+end
+
+desc "Run specs for all adapters"
+task :spec_all do
+  %w[active_record].each do |model_adapter|
+    puts "MODEL_ADAPTER = #{model_adapter}"
+    system "rake spec MODEL_ADAPTER=#{model_adapter}"
+  end
+end
+
+task :default => :spec

data/init.rb

@@ -0,0 +1 @@
+require 'permissify'

data/lib/generators/permissify/ability/USAGE

@@ -0,0 +1,3 @@
+Description:
+  The permissify:ability generator creates an Ability class in the models directory.
+  You can move this file anywhere you want as long as it is in the load path.

data/lib/generators/permissify/ability/ability_generator.rb

@@ -0,0 +1,11 @@
+module Permissify
+  module Generators
+    class AbilityGenerator < Rails::Generators::Base
+      source_root File.expand_path('../template', __FILE__)
+
+      def generate_ability
+        copy_file "ability.rb", "app/models/ability.rb"
+      end
+    end
+  end
+end

data/lib/generators/permissify/ability/template/ability.rb

@@ -0,0 +1,31 @@
+# TODO : talk about how this could be an active record, but just needs to support a set of interfaces (all, all_for, others?)
+class Ability
+  class << self
+    include SystemFixtures::Abilities
+    @@abilities = []
+
+    def all; seed if @@abilities.empty?; @@abilities; end
+    
+    def all_for(applicability_types)
+      applicability_types = [applicability_types] if applicability_types.kind_of?(String)
+      all.select{|a| (a[:applicability] & applicability_types) == applicability_types}
+    end
+    
+    def create_permissions_hash(view_only_categories=[], remove_categories=[], applicability_types = 'Role')
+      @@permissions = {}
+      all_for(applicability_types).each{|permission| @@permissions[permission[:key]] = {'0' => '1'}}
+      view_only_categories.each{|category| view_only(category)}
+      remove_categories.each{|category| remove(category)}
+      @@permissions
+    end
+    
+    private
+    def view_only(category); %w(create update delete).each{|action| @@permissions.delete("#{category}_#{action}")};  end
+    def remove(permission_prefix); @@permissions.keys.each{|key| @@permissions.delete(key) if key.starts_with?(permission_prefix)}; end
+    def add(key, category, section, action, applicability, number_of_values, position, default_values, admin_expression='', category_allows = :multiple)
+      @@abilities <<  { :key => key, :category => category, :section => section, :action => action,
+                        :applicability => applicability, :number_of_values => number_of_values, :position => position,
+                        :default_values => default_values, :administration_expression => admin_expression, :category_allows => category_allows}
+    end
+  end
+end

data/lib/generators/permissify/product/USAGE

@@ -0,0 +1,3 @@
+Description:
+  The permissify:product generator creates a Product class in the models directory.
+  You can move this file anywhere you want as long as it is in the load path.

data/lib/generators/permissify/role/USAGE

@@ -0,0 +1,3 @@
+Description:
+  The permissify:role generator creates a Role class in the models directory.
+  You can move this file anywhere you want as long as it is in the load path.

data/lib/generators/permissify/role/role_generator.rb

@@ -0,0 +1,16 @@
+module Permissify
+  module Generators
+    class RoleGenerator < Rails::Generators::Base
+      source_root File.expand_path('../template', __FILE__)
+
+      def generate_ability
+        copy_file "role.rb", "app/models/role.rb"
+        # also make the following?
+        # d app/models/system_fixtures
+        # f app/models/system_fixtures/roles.rb
+        # d app/models/permissions
+        # f app/models/permissions/roles.rb
+      end
+    end
+  end
+end

data/lib/generators/permissify/role/template/role.rb

@@ -0,0 +1,66 @@
+class Role < ActiveRecord::Base
+  DOMAIN_TYPES = %w(Admin Dealer Corporate Brand Merchant)
+  include Permissions::Model
+  # is_paranoid
+  has_and_belongs_to_many :users, :order => "userable_type ASC"
+  # default_scope :conditions => {:deleted_at => nil}, :order => "roles.name"
+  validates_presence_of   :name, :domain_type
+  validates_uniqueness_of :name
+  before_create :initialize_permissions
+  before_validation :initialize_non_permission_values
+  serialize :permissions
+  serialize :can_manage_roles
+  after_save :propagate_managed_by
+    
+  class << self
+    include Permissions::ModelClass
+    include SystemFixtures::Roles
+    def super_user;       locate(1, 'super user');      end
+    def system_admin;     locate(2, 'system admin');    end
+    def dealer_admin;     locate(3, 'dealer admin');    end
+    def corporate_admin;  locate(4, 'corporate admin'); end
+    def brand_admin;      locate(5, 'brand admin');     end
+    def merchant_admin;   locate(6, 'merchant admin');  end
+  end
+  
+  def initialize_non_permission_values
+    establish_from_permissions_model.nil? ? default_non_permissions_values : copy_non_permissions_values
+  end
+  
+  def default_non_permissions_values
+    self.can_manage_roles ||= []
+    self.domain_type = DOMAIN_TYPES.last if self.domain_type.blank?
+    self.name = self.name.gsub("'","")
+  end
+  
+  def copy_non_permissions_values
+    self.domain_type = self.from_permissions_model.domain_type
+    self.managed_by  = self.from_permissions_model.managed_by
+    self.can_manage_roles = self.from_permissions_model.can_manage_roles
+  end
+  
+  def manages_roles
+    return [] if quoted_role_names.blank?
+    self.class.find(:all, :conditions => ["name in (#{quoted_role_names})"], :order => :name)
+  end
+  
+  def remove(permissions_list); permissions_list.each{|permission| self.permissions.delete(permission)}; save; end
+  
+  def quoted_role_names; self.can_manage_roles.collect{|n| "'#{n}'"}.join(', ') rescue []; end
+  
+  def managed_by=(role_name_list); @managed_by = role_name_list; end
+  def managed_by
+    @managed_by ||= Role.all.select{|r| r.can_manage_roles.include?(self.name)}.collect(&:name)
+  end
+  
+  def propagate_managed_by
+    Role.all.each{ |r| r.update_manages_roles(managed_by.include?(r.name), self.name) } unless @managed_by.nil?
+  end
+  
+  def update_manages_roles(manages_role_name, role_name)
+    old = self.manages_roles
+    old = [] if old.blank?
+    new_value = manages_role_name ? old | [role_name] : old - [role_name]
+    update_attribute(:can_manage_roles, new_value) if old != new_value
+  end
+end

data/lib/permissify/aggregate.rb

@@ -0,0 +1,79 @@
+module Permissions::Aggregate
+  attr_accessor :abilities
+  
+  def permissions_union # [integer values].max
+    @union ||= construct_union
+  end
+  
+  def construct_union
+    union = {}
+    self.send(permissions_association).collect(&:permissions).each do |permissions_hash|
+      permissions_hash.each do |key, descriptor|
+        descriptor ||= {'0' => false}
+        if union[key].nil?
+          union[key] = descriptor
+        else
+          arbitrate(union, descriptor, key, :max)
+        end
+        union[key]['0'] = (union[key]['0'] == '1' || descriptor['0'] == '1')
+      end
+    end
+    union
+  end
+  
+  def permissions_intersection(product_permissions) # [integer values].min
+    return @intersection if @intersection
+    @intersection = {}
+    permissions_union
+
+    Ability.all_for(%w(Product Role)).each do |ability|
+      key = ability[:key]
+      descriptor = @union[key]
+      product_descriptor = product_permissions[key]
+      if permissable?(descriptor) && permissable?(product_descriptor)
+        @intersection[key] = descriptor
+        arbitrate(@intersection, product_descriptor, key, :min)
+      else
+        @intersection[key] = null_permission
+      end
+    end
+
+    include_permissions_unless_common_to_role_and_product('Product', product_permissions)
+    include_permissions_unless_common_to_role_and_product('Role', @union)
+    @intersection
+  end
+  
+  def permissable?(descriptor); descriptor && (descriptor['0'] == true || descriptor['0'] == '1'); end
+  def subscribed_to?(feature); allowed_to?('on', feature); end
+  def allowed_to?(action, feature); (permissions_union["#{feature}_#{action}"]['0'] == true rescue false); end
+  
+  def include_permissions_unless_common_to_role_and_product(applicability_type, applicable_permissions)
+    Ability.all_for(applicability_type).each do |ability|
+      key = ability[:key]
+      descriptor = applicable_permissions[key]
+      unless @intersection.has_key?(key)
+        if permissable?(descriptor)
+          descriptor['0'] = true
+          @intersection[key] = descriptor
+          arbitrate(@intersection, descriptor, key, :min)
+        else
+          @intersection[key] = null_permission
+        end
+      end
+    end
+  end
+  
+  private
+  def arbitrate(aggregation, other_descriptor, key, min_or_max) # assuming all permission 'args' are integers stored as strings
+    1.upto(other_descriptor.size-1) do |i|
+      is = i.to_s; aggregation[key][is] = [aggregation[key][is].to_i, other_descriptor[is].to_i].send(min_or_max) # .to_s ?
+    end
+  end
+  def null_permission; {'0' => false, '1' => 0}; end
+  
+  def permissions_association # kinda icky
+    klass = self.respond_to?(:product_tiers) ? self.class : Business
+    @permissions_association ||= {User => :roles, klass => :product_tiers}[self.class]
+    @permissions_association ||= :permission_objects
+  end
+end

data/lib/permissify/model.rb

@@ -0,0 +1,26 @@
+module Permissions::Model
+  attr_accessor :from, :from_permissions_model
+  
+  def establish_from_permissions_model
+    self.from_permissions_model ||= self.from.nil? ? nil : self.class.find(self.from)
+  end
+  
+  def initialize_permissions
+    self.permissions ||= self.from.nil? ? {} : establish_from_permissions_model.permissions
+  end
+  
+  def allows?(ability_key) ; logger.debug(ability_key.inspect.to_s); 
+    allowed = self.permissions[ability_key];
+    allowed && allowed['0']; 
+    end
+  def remove_permissions(keys)
+    keys = [keys] if keys.class == String
+    keys.each{ |k| self.permissions[k] = nil}
+    self.save
+  end
+  def update_permissions(new_or_updated_permissions)
+    self.permissions = self.permissions.merge(new_or_updated_permissions)
+    self.save
+  end
+  def underscored_name_symbol; self.class.underscored_name_symbol(self.name); end
+end

data/lib/permissify/model_class.rb

@@ -0,0 +1,34 @@
+module Permissions::ModelClass
+  def retire_permissions_objects(retire_sql)
+    ActiveRecord::Base.connection.execute retire_sql
+  end
+
+  def create_seeds(table_name, seed_specifications)
+    @model_class_seed_specifications = seed_specifications
+    seed_specifications.each do |id, name|
+      permissions_model = locate(id, name)
+      permissions_model.permissions = send("#{underscored_name_symbol(name)}_permissions")
+      permissions_model.save
+    end
+    ActiveRecord::Base.connection.execute "ALTER TABLE #{table_name} AUTO_INCREMENT = 101;"
+  end
+
+  def create_with_id(table, id, name)
+    permissions = send("#{underscored_name_symbol(name)}_permissions")
+    permissions_model = new
+    permissions_model.name = name
+    permissions_model.permissions = permissions
+    permissions_model.save
+    ActiveRecord::Base.connection.execute "UPDATE #{table}s SET id=#{id} WHERE id=#{permissions_model.id};"
+    find(id)
+  end
+  
+  def locate(id, name)
+    model_with_id   = find_by_id(id)
+    model_with_id ||= send("create_#{underscored_name_symbol(name)}")
+  end
+
+  def underscored_name_symbol(name)
+    name.to_s.downcase.gsub('-','_').gsub(':','').gsub('  ',' ').gsub(' ','_')    
+  end
+end

data/lib/permissify.rb

@@ -0,0 +1,3 @@
+require 'permissify/abc'
+require 'permissify/def'
+require 'permissify/dir/xyz'

metadata

@@ -0,0 +1,114 @@
+--- !ruby/object:Gem::Specification 
+name: permissify
+version: !ruby/object:Gem::Version 
+  hash: 29
+  prerelease: 
+  segments: 
+  - 0
+  - 0
+  - 1
+  version: 0.0.1
+platform: ruby
+authors: 
+- Frederick Fix
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2012-05-29 00:00:00 Z
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: rspec
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 23
+        segments: 
+        - 2
+        - 6
+        - 0
+        version: 2.6.0
+  type: :development
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: rails
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 21
+        segments: 
+        - 3
+        - 0
+        - 9
+        version: 3.0.9
+  type: :development
+  version_requirements: *id002
+description: Not so simple authorization solution for Rails.
+email: rickfix80004@gmail.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- lib/generators/permissify/ability/ability_generator.rb
+- lib/generators/permissify/ability/template/ability.rb
+- lib/generators/permissify/ability/USAGE
+- lib/generators/permissify/product/USAGE
+- lib/generators/permissify/role/role_generator.rb
+- lib/generators/permissify/role/template/role.rb
+- lib/generators/permissify/role/USAGE
+- lib/permissify/aggregate.rb
+- lib/permissify/model.rb
+- lib/permissify/model_class.rb
+- lib/permissify.rb
+- CHANGELOG.rdoc
+- Gemfile
+- LICENSE
+- Rakefile
+- README.rdoc
+- init.rb
+homepage: http://github.com/rickfix/permissify
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 19
+      segments: 
+      - 1
+      - 3
+      - 4
+      version: 1.3.4
+requirements: []
+
+rubyforge_project: permissify
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: Not so simple authorization solution for Rails.
+test_files: []
+