permit 0.9.0 → 1.0.0

data/lib/permit/permit_rules.rb

@@ -1,4 +1,5 @@
 module Permit
+  # Collection of PermitRule objects defining authorization.
   class PermitRules
     include Permit::Support
 
@@ -44,20 +45,32 @@ module Permit
     #
     # @example Allow a person that is a member of a team to show
     #   allow :person, :who => :is_member, :of => :team, :to => :show
+    # @example Allow a person that is a member of any of the teams to index.
+    #   allow :person, :who => :is_member, :of => [:team1, :team2], :to => :index
     # @example Allow a person with either of the named roles for a resource to perform any "write" operations.
     #   allow [:project_admin, :project_manager], :of => :project, :to => :write
+    # @example Allow a person with the viewer role of either of the projects to show.
+    #   allow :viewer, :of => [:project1, :project2], :to => :show
     #
     # @param [Symbol, <Symbol>] roles the role(s) that the rule will apply to.
     # @param [Hash] options the options used to build the rule.
     # @option options [Symbol] :who the method to call on the target resource.
     # @option options [Symbol] :that alias for :who
-    # @option options [Symbol] :of the name of the instance variable holding the target 
+    # @option options [Symbol, nil, :any, <Symbol, nil>] :of the name of the instance variable holding the target 
     #   resource. If set to +:any+ then the match will apply to a person that has 
     #   a matching role authorization for any resource. If not given, or set to 
     #   +nil+, then the match will apply to a person that has a matching role 
     #   authorization for a nil resource. +:any/nil+ functionality only applies 
     #   when using named roles. (see Permit::NamedRoles).
-    # @option options [Symbol] :on alias for +:of+
+    # @option options [Symbol, nil, :any, <Symbol, nil>] :on alias for +:of+
+    # @option options [Symbol, String, Proc] :if code to evaluate at the end of the 
+    #   match if it is still valid. If it returns false, the rule will not 
+    #   match. If a proc if given, it will be passed the current subject and 
+    #   binding. A method will be called without any arguments.    
+    # @option options [Symbol, String, Proc] :unless code to evaluate at the end 
+    #   of the match if it is still valid. If it returns true, the rule will not 
+    #   match. If a proc if given, it will be passed the current subject and 
+    #   binding. A method will be called without any arguments.    
     # @option options [Symbol, <Symbol>] :to the action(s) to allow access to if this 
     #   rule matches. +:all+ may be given to indicate that access is given to all 
     #   actions if the rule matches. Actions will be expanded using the aliases
@@ -91,6 +104,14 @@ module Permit
     #   authorization for a nil resource. :any/nil functionality only applies 
     #   when using named roles. (see Permit::NamedRoles).
     # @option options [Symbol] :on alias for +:of+
+    # @option options [Symbol, String, Proc] :if code to evaluate at the end of the 
+    #   match if it is still valid. If it returns false, the rule will not 
+    #   match. The proc or method called, will be passed the current subject 
+    #   being matched, and the binding being used.
+    # @option options [Symbol, String, Proc] :unless code to evaluate at the end 
+    #   of the match if it is still valid. If it returns true, the rule will not 
+    #   match. The proc or method called, will be passed the current subject 
+    #   being matched, and the binding being used.
     # @option options [Symbol, <Symbol>] :from the action(s) to deny access to if this 
     #   rule matches. +:all+ may be given to indicate that access is denied to all 
     #   actions if the rule matches. Actions will be expanded using the aliases

data/lib/permit/support.rb

@@ -32,28 +32,49 @@ module Permit
     end
 
     protected
-    def authorization_conditions(role, resource, person = nil)
-      conditions = {}
-      conditions[Permit::Config.person_class.name.foreign_key] = person.id if person
-      conditions.merge! role_condition(role)
-      conditions.merge! resource_conditions(resource)
+    def authorization_conditions(roles, resources, person = nil)
+      params = {}
+      query = []
+      if person
+        query << "#{Permit::Config.person_class.name.foreign_key} = :person_id"
+        params[:person_id] = person.id
+      end
+      query << role_condition(roles, params)
+      query << resource_conditions(resources, params)
+
+      [query.compact.join(" AND "), params]
     end
 
-    def role_condition(roles)
-      return {} unless roles
+    def role_condition(roles, params = {})
+      return nil unless roles
 
       r = get_roles(roles)
       ids = r.collect {|role| role.id}
 
-      return (ids.empty? ? {} : {Permit::Config.role_class.name.foreign_key => ids})
+      if ids.empty?
+        return nil
+      else
+        params[:role_ids] = ids
+        "#{Permit::Config.role_class.name.foreign_key} in (:role_ids)"
+      end
     end
 
-    def resource_conditions(resource)
-      case resource
-      when :any then {}
-      when nil then {:resource_type => nil, :resource_id => nil}
-      else {:resource_type => resource.class.resource_type, :resource_id => resource.id}
+    def resource_conditions(resources, params = {})
+      constraints = []
+      permit_arrayify(resources).each_with_index do |resource, idx|
+        type, id = case resource
+        when :any then return nil
+        when nil then [nil, nil]
+        else [resource.class.resource_type, resource.id]
+        end
+
+        type_key = "resource_type_#{idx}".to_sym
+        id_key = "resource_id_#{idx}".to_sym
+        params.merge! type_key => type, id_key => id
+        op = type.nil? ? 'is' : '='
+        constraints << "(resource_type #{op} #{type_key.inspect} AND resource_id #{op} #{id_key.inspect})"
       end
+      return "(" << constraints.join(" OR ") << ")"
     end
 
     def get_role(role)

data/permit.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = %q{permit}
-  s.version = "0.9.0"
+  s.version = "1.0.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Steve Valaitis"]
-  s.date = %q{2010-03-27}
+  s.date = %q{2010-04-14}
   s.email = %q{steve@digitalnothing.com}
   s.extra_rdoc_files = [
     "README.mkd"
@@ -60,7 +60,7 @@ Gem::Specification.new do |s|
   s.homepage = %q{http://github.com/dnd/permit}
   s.rdoc_options = ["--charset=UTF-8"]
   s.require_paths = ["lib"]
-  s.rubygems_version = %q{1.3.5}
+  s.rubygems_version = %q{1.3.6}
   s.summary = %q{A flexible authorization plugin for Ruby on Rails.}
   s.test_files = [
     "spec/spec_helper.rb",

data/spec/models/person_spec.rb

@@ -14,6 +14,7 @@ module Permit::Specs
           @tom = Person.create :name => "tom"
           @hotness = Project.create(:name => "hotness")
           @maintenance = Project.create(:name => "maintenance")
+          @project_x = Project.create!(:name => "project x")
           Role.create :key => :site_admin, :name => 'site admin', :authorize_resource => false, :requires_resource => false
           new_authz @bob, :site_admin, nil
           new_authz @bob, :admin, @maintenance
@@ -23,45 +24,119 @@ module Permit::Specs
           new_authz @tom, :admin, @hotness
         end
 
-        context "#authorized?" do
-          it "should return true if the person has any of the roles for the resource" do
-            @bob.should be_authorized(:admin, @maintenance)
-          end
+        describe "#authorized?" do
+          context "for one resource" do
+            it "should return true if the person has any of the roles for the resource" do
+              @bob.should be_authorized([:admin, :team_lead], @maintenance)
+            end
 
-          it "should return true if the person has any of the resources for the passed in Role object" do
-            r = Role.find_by_key 'admin'
-            @bob.should be_authorized(r, @maintenance)
-          end
+            it "should return true if the person has any of the resources for the passed in Role object" do
+              r = Role.find_by_key 'admin'
+              @bob.should be_authorized(r, @maintenance)
+            end
+
+            it "should return false if the person does not have any of the roles for the resource" do
+              @bob.should_not be_authorized(:admin, @hotness)
+            end
+
+            it "should return false for a role that doesn't exist" do
+              @bob.should_not be_authorized(:lead_monkey_tech, @maintenance)
+            end
 
-          it "should return false if the person does not have any of the roles for the resource" do
-            @bob.should_not be_authorized(:admin, @hotness)
+            it "should return true if the person has a nil resource authorization for a role" do
+              @bob.should be_authorized(:site_admin, nil)
+            end
           end
 
-          it "should return false for a role that doesn't exist" do
-            @bob.should_not be_authorized(:lead_monkey_tech, @maintenance)
+          context "for multiple resources" do
+            it "should return true if the person has any of the roles for the resources" do
+              @bob.should be_authorized([:admin, :team_lead], [@maintenance, @project_x])
+            end
+
+            it "should return true if the person has any of the resources for the passed in Role object" do
+              r = Role.find_by_key 'admin'
+              @bob.should be_authorized(r, [@maintenance, @hotness])
+            end
+
+            it "should return false if the person does not have any of the roles for the resources" do
+              @bob.should_not be_authorized(:admin, [@hotness, @project_x])
+            end
+
+            it "should return false for a role that doesn't exist" do
+              @bob.should_not be_authorized(:lead_monkey_tech, [@maintenance, @hotness])
+            end
+
+            it "should return true if the person has a nil resource authorization for a role" do
+              @bob.should be_authorized(:site_admin, [nil, @project_x])
+            end
           end
 
-          it "should return true if the person has a nil resource authorization for a role" do
-            @bob.should be_authorized(:site_admin, nil)
+          context "for any resource" do
+            it "should return true if the person has any of the roles for any resource" do
+              @bob.should be_authorized([:admin, :team_lead], :any)
+            end
+
+            it "should return false if the person does not have any of the roles for any resources" do
+              @tom.should_not be_authorized([:team_lead, :monkey_tech], :any)
+            end
           end
         end
 
-        context "#authorized_all?" do
-          it "should return true if the person matches all of the roles for the resource" do
-            @bob.should be_authorized_all([:admin, :developer], @maintenance)
-          end
+        describe "#authorized_all?" do
+          context "for one resource" do
+            it "should return true if the person matches all of the roles for the resource" do
+              @bob.should be_authorized_all([:admin, :developer], @maintenance)
+            end
 
-          it "should return true if the person matches all of the roles for the resource when a Role object is passed" do
-            r = Role.find_by_key 'developer'
-            @bob.should be_authorized_all([r, :admin], @maintenance)
+            it "should return true if the person matches all of the roles for the resource when a Role object is passed" do
+              r = Role.find_by_key 'developer'
+              @bob.should be_authorized_all([r, :admin], @maintenance)
+            end
+
+            it "should return false if the person does not match all of the roles for the resource" do
+              @tom.should_not be_authorized_all([:admin, :team_lead], @hotness)
+            end
+
+            it "should return false if one of the roles does not exist" do
+              @tom.should_not be_authorized_all([:admin, :slinky_analyst], @hotness)
+            end
           end
 
-          it "should return false if the person does not match all of the roles for the resource" do
-            @tom.should_not be_authorized_all([:admin, :team_lead], @hotness)
+          context "for multiple resources" do
+            it "should return true if the person matches all of the roles for the resource" do
+              @bob.authorize([:admin, :developer], @project_x)
+              @bob.should be_authorized_all([:admin, :developer], [@maintenance, @project_x])
+            end
+
+            it "should return true if the person matches all of the roles for the resource when a Role object is passed" do
+              @bob.authorize([:admin, :developer], @project_x)
+              r = Role.find_by_key 'developer'
+              @bob.should be_authorized_all([r, :admin], [@maintenance, @project_x])
+            end
+
+            it "should return false if the person does not match all of the roles for the resource" do
+              @tom.should_not be_authorized_all([:admin, :team_lead], @hotness)
+            end
+
+            it "should return false if the person does not match all of the roles for the resources" do
+              @bob.authorize :admin, @project_x
+              @bob.should_not be_authorized_all([:admin, :developer], [@maintenance, @project_x])
+            end
+
+            it "should return false if one of the roles does not exist" do
+              @tom.should_not be_authorized_all([:admin, :slinky_analyst], [@hotness, @maintenance])
+            end
           end
 
-          it "should return false if one of the roles does not exist" do
-            @tom.should_not be_authorized_all([:admin, :slinky_analyst], @hotness)
+          context "for any resource" do
+            it "should return true if the person has all of the roles for any resource" do
+              @bob.authorize :admin, @project_x
+              @bob.should be_authorized_all([:admin, :team_lead], :any)
+            end
+
+            it "should return false if the person does not have all of the roles for any resource" do
+              @tom.should_not be_authorized_all([:admin, :team_lead], :any)
+            end
           end
         end
       end
@@ -223,20 +298,23 @@ module Permit::Specs
           new_authz @tom, :admin, @hotness
         end
 
-        it "#authorizations.roles_for should return the roles the current person has for the resource" do
-          roles = @bob.authorizations.roles_for @maintenance
-          roles.should have(2).items
+        it "#authorizations.roles_for should return the roles the current person has for the resources" do
+          roles = @bob.authorizations.roles_for [@maintenance, @hotness]
+          roles.should have(3).items
           roles[0].key.should == 'admin'
           roles[1].key.should == 'developer'
+          roles[2].key.should == 'team_lead'
         end
 
-        it "#authorizations.for should return the authorizations the current person has for the resource" do
-          authz = @bob.authorizations.for @maintenance
-          authz.should have(2).items
+        it "#authorizations.for should return the authorizations the current person has for the resources" do
+          authz = @bob.authorizations.for [@maintenance, @hotness]
+          authz.should have(3).items
           authz[0].role.key.should == 'admin'
           authz[0].resource.should == @maintenance
           authz[1].role.key.should == 'developer'
           authz[1].resource.should == @maintenance
+          authz[2].role.key.should == 'team_lead'
+          authz[2].resource.should == @hotness
         end
       end
 

data/spec/models/role_spec.rb

@@ -101,6 +101,13 @@ module Permit::Specs
           people[1].should == @jack
         end
 
+        it "#authorizations.people_for should return the people authorized for the resources on the current role" do
+          people = @admin.authorizations.people_for [@maintenance, @hotness]
+          people.should have(2).items
+          people[0].should == @bob
+          people[1].should == @tom
+        end
+
         it "#authorizations.for should return the authorizations the current role has for the resource" do
           authz = @admin.authorizations.for @maintenance
           authz.should have(1).items

data/spec/permit/controller_spec.rb

@@ -37,12 +37,12 @@ module Permit::Specs
       authorized?(roles, resource)
     end
 
-    def pub_allowed?(roles, options = {})
-      allowed?(roles, options)
+    def pub_allowed?(*args)
+      allowed?(*args)
     end
 
-    def pub_denied?(roles, options = {})
-      denied?(roles, options)
+    def pub_denied?(*args)
+      denied?(*args)
     end
   end
 
@@ -212,62 +212,102 @@ module Permit::Specs
       end
 
       describe "#allowed?" do
-        it "should properly build the rule" do
-          controller.stub!(:current_person).and_return(Guest.new)
-          rule = PermitRule.new :admin, :on => :team
-          PermitRule.should_receive(:new).with(:admin, hash_including(:on => :team)).and_return(rule)
-          controller.pub_allowed?(:admin, :on => :team)
+        context "for a rule" do
+          it "should properly build the rule" do
+            controller.stub!(:current_person).and_return(Guest.new)
+            rule = PermitRule.new :admin, :on => :team
+            PermitRule.should_receive(:new).with(:admin, hash_including(:on => :team)).and_return(rule)
+            controller.pub_allowed?(:admin, :on => :team)
+          end
+
+          it "should properly call #matches? on the rule" do
+            bob = Person.create! :name => 'bob'
+            controller.stub!(:current_person).and_return(bob)
+            rule = PermitRule.new :guest
+            rule.should_receive(:matches?).with(bob, instance_of(Binding))
+            PermitRule.stub!(:new).and_return(rule)
+            controller.pub_allowed?(:guest)
+          end
+
+          it "should return the result of the rule match" do
+            controller.stub!(:current_person).and_return(Guest.new)
+            rule = PermitRule.new :guest
+            PermitRule.stub!(:new).and_return(rule)
+
+            rule.stub!(:matches?).and_return(true)
+            controller.pub_allowed?(:guest).should be_true
+
+            rule.stub!(:matches?).and_return(false)
+            controller.pub_allowed?(:guest).should be_false
+          end
         end
 
-        it "should properly call #matches? on the rule" do
-          bob = Person.create! :name => 'bob'
-          controller.stub!(:current_person).and_return(bob)
-          rule = PermitRule.new :guest
-          rule.should_receive(:matches?).with(bob, instance_of(Binding))
-          PermitRule.stub!(:new).and_return(rule)
-          controller.pub_allowed?(:guest)
+        context "for an action on the current controller" do
+          it "should evaluate the rules for the action on the current controller" do
+            guest = Guest.new
+            controller.stub!(:current_person).and_return(guest)
+            ProjectsController.permit_rules.should_receive(:permitted?).with(guest, :show, instance_of(Binding)).and_return(true)
+            controller.pub_allowed?(:action => :show).should be_true
+          end
         end
 
-        it "should return the result of the rule match" do
-          controller.stub!(:current_person).and_return(Guest.new)
-          rule = PermitRule.new :guest
-          PermitRule.stub!(:new).and_return(rule)
-
-          rule.stub!(:matches?).and_return(true)
-          controller.pub_allowed?(:guest).should be_true
-          
-          rule.stub!(:matches?).and_return(false)
-          controller.pub_allowed?(:guest).should be_false
+        context "for an action on a different controller" do
+          it "should evaluate the rules for the action on the given controller" do
+            guest = Guest.new
+            controller.stub!(:current_person).and_return(guest)
+            TeamsController.permit_rules.should_receive(:permitted?).with(guest, :index, instance_of(Binding)).and_return(true)
+            controller.pub_allowed?(:controller => 'permit/specs/teams', :action => :index).should be_true
+          end
         end
       end
 
       describe "#denied?" do
-        it "should properly build the rule" do
-          controller.stub!(:current_person).and_return(Guest.new)
-          rule = PermitRule.new :admin, :on => :team
-          PermitRule.should_receive(:new).with(:admin, hash_including(:on => :team)).and_return(rule)
-          controller.pub_denied?(:admin, :on => :team)
+        context "for a rule" do
+          it "should properly build the rule" do
+            controller.stub!(:current_person).and_return(Guest.new)
+            rule = PermitRule.new :admin, :on => :team
+            PermitRule.should_receive(:new).with(:admin, hash_including(:on => :team)).and_return(rule)
+            controller.pub_denied?(:admin, :on => :team)
+          end
+
+          it "should properly call #matches? on the rule" do
+            bob = Person.create! :name => 'bob'
+            controller.stub!(:current_person).and_return(bob)
+            rule = PermitRule.new :guest
+            rule.should_receive(:matches?).with(bob, instance_of(Binding))
+            PermitRule.stub!(:new).and_return(rule)
+            controller.pub_denied?(:guest)
+          end
+
+          it "should return the opposite of the rule match" do
+            controller.stub!(:current_person).and_return(Guest.new)
+            rule = PermitRule.new :guest
+            PermitRule.stub!(:new).and_return(rule)
+
+            rule.stub!(:matches?).and_return(true)
+            controller.pub_denied?(:guest).should be_false
+
+            rule.stub!(:matches?).and_return(false)
+            controller.pub_denied?(:guest).should be_true
+          end
         end
 
-        it "should properly call #matches? on the rule" do
-          bob = Person.create! :name => 'bob'
-          controller.stub!(:current_person).and_return(bob)
-          rule = PermitRule.new :guest
-          rule.should_receive(:matches?).with(bob, instance_of(Binding))
-          PermitRule.stub!(:new).and_return(rule)
-          controller.pub_denied?(:guest)
+        context "for an action on the current controller" do
+          it "should evaluate the rules for the action on the current controller" do
+            guest = Guest.new
+            controller.stub!(:current_person).and_return(guest)
+            ProjectsController.permit_rules.should_receive(:permitted?).with(guest, :show, instance_of(Binding)).and_return(true)
+            controller.pub_denied?(:action => :show).should be_false
+          end
         end
 
-        it "should return the opposite of the rule match" do
-          controller.stub!(:current_person).and_return(Guest.new)
-          rule = PermitRule.new :guest
-          PermitRule.stub!(:new).and_return(rule)
-
-          rule.stub!(:matches?).and_return(true)
-          controller.pub_denied?(:guest).should be_false
-          
-          rule.stub!(:matches?).and_return(false)
-          controller.pub_denied?(:guest).should be_true
+        context "for an action on a different controller" do
+          it "should evaluate the rules for the action on the given controller" do
+            guest = Guest.new
+            controller.stub!(:current_person).and_return(guest)
+            TeamsController.permit_rules.should_receive(:permitted?).with(guest, :index, instance_of(Binding)).and_return(true)
+            controller.pub_denied?(:controller => 'permit/specs/teams', :action => :index).should be_false
+          end
         end
       end
     end