RubyGems - permit - Versions diffs - 0.9.0 → 1.0.0 - Mend

permit 0.9.0 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

data/VERSION.yml +4 -4
data/lib/models/association.rb +48 -31
data/lib/models/person.rb +13 -7
data/lib/permit.rb +34 -23
data/lib/permit/controller.rb +68 -17
data/lib/permit/permit_rule.rb +48 -27
data/lib/permit/permit_rules.rb +23 -2
data/lib/permit/support.rb +34 -13
data/permit.gemspec +3 -3
data/spec/models/person_spec.rb +109 -31
data/spec/models/role_spec.rb +7 -0
data/spec/permit/controller_spec.rb +88 -48
data/spec/permit/permit_rule_spec.rb +417 -104
metadata +12 -5

data/spec/permit/permit_rule_spec.rb CHANGED Viewed

@@ -10,6 +10,14 @@ def allow_person_rule(options = {})
   allow_rule options
 end
+def true_conditional
+  true
+end
+def false_conditional
+  false
+end
 module Permit::Specs
   describe PermitRule, "initialization" do
     context "of roles" do
@@ -62,17 +70,17 @@ module Permit::Specs
       it "should store accept the resource through :of" do
         r = allow_rule :of => :team
-        r.target_var.should == :team
+        r.target_vars.should == [:team]
       end
       it "should accept the resource through :on" do
         r = allow_rule :on => :project
-        r.target_var.should == :project
+        r.target_vars.should == [:project]
       end
       it "should not be modifiable" do
         r = allow_rule :on => :project
-        lambda {r.target_var = :other}.should raise_error(NoMethodError)
+        lambda {r.target_vars << :other}.should raise_error(TypeError, "can't modify frozen array")
       end
     end
@@ -107,7 +115,7 @@ module Permit::Specs
         it "should accept the resource and method" do
           r = allow_person_rule :who => :is_member, :of => :team
-          r.target_var.should == :team
+          r.target_vars.should == [:team]
           r.method.should == :is_member
         end
       end
@@ -191,153 +199,344 @@ module Permit::Specs
         end
       end
-      context "using an is_* method" do
-        before {@rule = allow_person_rule :who => :is_owner, :on => :team}
+      context "when the target resource does not exist" do
+        it "should raise an error" do
+          rule = allow_person_rule :who => :is_owner, :on => :oops
+          lambda {
+            rule.matches? @person, binding
+          }.should raise_error(PermitEvaluationError, "Target resource '@oops' did not exist in the given context.")
+        end
+      end
+      context "with one resource" do
+        context "using an is_* method" do
+          before {@rule = allow_person_rule :who => :is_owner, :on => :team}
-        context "attempting #is_owner" do
-          it "should call #is_owner on the resource" do
-            @team.should_receive(:is_owner).with(@person).and_return(true)
-            @rule.matches?(@person, binding)
+          context "attempting #is_owner" do
+            it "should call #is_owner on the resource" do
+              @team.should_receive(:is_owner).with(@person).and_return(true)
+              @rule.matches?(@person, binding)
+            end
+            it "should return the result of the resource call" do
+              @team.stub!(:is_owner).and_return(true)
+              @rule.matches?(@person, binding).should be_true
+              @team.stub!(:is_owner).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
           end
-          it "should return the result of the resource call" do
-            @team.stub!(:is_owner).and_return(true)
-            @rule.matches?(@person, binding).should be_true
-            @team.stub!(:is_owner).and_return(false)
-            @rule.matches?(@person, binding).should be_false
+          context "attempting #is_owner?" do
+            it "should call #is_owner? on the resource" do
+              @team.should_receive(:is_owner?).with(@person).and_return(true)
+              @rule.matches?(@person, binding).should be_true
+            end
+            it "should return the result of the resource call" do
+              @team.stub!(:is_owner?).and_return(true)
+              @rule.matches?(@person, binding).should be_true
+              @team.stub!(:is_owner?).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
           end
-        end
-        context "attempting #is_owner?" do
-          it "should call #is_owner? on the resource" do
-            @team.should_receive(:is_owner?).with(@person).and_return(true)
-            @rule.matches?(@person, binding).should be_true
+          context "attempting #owner?" do
+            it "should call #owner? on the resource" do
+              @team.should_receive(:owner?).with(@person).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
+            it "should return the result of the resource call" do
+              @team.stub!(:owner?).and_return(true)
+              @rule.matches?(@person, binding).should be_true
+              @team.stub!(:owner?).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
           end
-          it "should return the result of the resource call" do
-            @team.stub!(:is_owner?).and_return(true)
-            @rule.matches?(@person, binding).should be_true
-            @team.stub!(:is_owner?).and_return(false)
-            @rule.matches?(@person, binding).should be_false
+          context "attempting #owner" do
+            it "should call #owner on the resource" do
+              @team.should_receive(:owner).and_return(@person)
+              @rule.matches?(@person, binding).should be_true
+            end
+            it "should return the result of the comparison of the resource call with the current person" do
+              @team.stub!(:owner).and_return(@person)
+              @rule.matches?(@person, binding).should be_true
+              jim = Person.create :name => 'jim'
+              @team.stub!(:owner).and_return(jim)
+              @rule.matches?(@person, binding).should be_false
+            end
           end
-        end
-        context "attempting #owner?" do
-          it "should call #owner? on the resource" do
-            @team.should_receive(:owner?).with(@person).and_return(false)
-            @rule.matches?(@person, binding).should be_false
+          context "attempting #owners.exists?" do
+            it "should call #owners.exists? on the resource" do
+              owners = mock("owners")
+              owners.should_receive(:exists?).with(@person).and_return(true)
+              @team.stub!(:owners).and_return(owners)
+              @rule.matches?(@person, binding).should be_true
+            end
+            it "should return the result of the resource call" do
+              owners = mock("owners")
+              @team.stub!(:owners).and_return(owners)
+              owners.stub!(:exists?).and_return(true)
+              @rule.matches?(@person, binding).should be_true
+              owners.stub!(:exists?).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
           end
-          it "should return the result of the resource call" do
-            @team.stub!(:owner?).and_return(true)
-            @rule.matches?(@person, binding).should be_true
-            @team.stub!(:owner?).and_return(false)
-            @rule.matches?(@person, binding).should be_false
+          it "should raise an error if none of the attempted calls responded" do
+            @team.stub!(:respond_to?).and_return(false)
+            lambda {
+              @rule.matches?(@person, binding)
+            }.should raise_error(PermitEvaluationError,  "Target object ':team' evaluated as #{@team.inspect} did not respond to any of the following: is_owner, is_owner?, owner, owner?, owners")
           end
         end
-        context "attempting #owner" do
-          it "should call #owner on the resource" do
-            @team.should_receive(:owner).and_return(@person)
-            @rule.matches?(@person, binding).should be_true
-          end
+        context "using an is_*? method" do
+          before {@rule = allow_person_rule :who => :is_manager?, :on => :team}
+          context "attempting #is_manager?" do
+            it "should call #is_manager? on the resource" do
+              @team.should_receive(:is_manager?).with(@person).and_return(true)
+              @rule.matches?(@person, binding)
+            end
+            it "should return the result from the resource call" do
+              @team.stub!(:is_manager?).and_return(true)
+              @rule.matches?(@person, binding).should be_true
+              @team.stub!(:is_manager?).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
+            it "should not call #manager? if resource responds to #is_manager?" do
+              @team.stub!(:is_manager?).and_return(true)
+              @team.should_not_receive(:manager?)
+              @rule.matches?(@person, binding)
+            end
-          it "should return the result of the comparison of the resource call with the current person" do
-            @team.stub!(:owner).and_return(@person)
-            @rule.matches?(@person, binding).should be_true
-            jim = Person.create :name => 'jim'
-            @team.stub!(:owner).and_return(jim)
-            @rule.matches?(@person, binding).should be_false
           end
-        end
-        context "attempting #owners.exists?" do
-          it "should call #owners.exists? on the resource" do
-            owners = mock("owners")
-            owners.should_receive(:exists?).with(@person).and_return(true)
-            @team.stub!(:owners).and_return(owners)
-            @rule.matches?(@person, binding).should be_true
+          context "attempting #manager?" do
+            it "should call #manager? on the resource" do
+              @team.should_receive(:manager?).with(@person).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
+            it "should return the result from the resource call" do
+              @team.stub!(:manager?).and_return(true)
+              @rule.matches?(@person, binding).should be_true
+              @team.stub!(:manager?).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
           end
-          it "should return the result of the resource call" do
-            owners = mock("owners")
-            @team.stub!(:owners).and_return(owners)
-            owners.stub!(:exists?).and_return(true)
-            @rule.matches?(@person, binding).should be_true
-            owners.stub!(:exists?).and_return(false)
-            @rule.matches?(@person, binding).should be_false
+          it "should raise an error if none of the attempted calls responded" do
+            @team.stub!(:respond_to?).and_return(false)
+            lambda {
+              @rule.matches?(@person, binding)
+            }.should raise_error(PermitEvaluationError,  "Target object ':team' evaluated as #{@team.inspect} did not respond to any of the following: is_manager?, manager?")
           end
         end
-        it "should raise an error if none of the attempted calls responded" do
-          @team.stub!(:respond_to?).and_return(false)
-          lambda {
+        context "using any other method" do
+          before {@rule = allow_person_rule :who => :has_permission, :on => :team}
+          it "should call the method on the resource" do
+            @team.should_receive(:has_permission).with(@person)
             @rule.matches?(@person, binding)
-          }.should raise_error(PermitEvaluationError,  "Target object ':team' evaluated as #{@team.inspect} did not respond to any of the following: is_owner, is_owner?, owner, owner?, owners")
+          end
+          it "should raise an error if the attempted call did not respond" do
+            @team.stub!(:respond_to?).and_return(false)
+            lambda {
+              @rule.matches?(@person, binding)
+            }.should raise_error(PermitEvaluationError,  "Target object ':team' evaluated as #{@team.inspect} did not respond to any of the following: has_permission")
+          end
         end
       end
-      context "using an is_*? method" do
-        before {@rule = allow_person_rule :who => :is_manager?, :on => :team}
+      context "with multiple resources" do
+        context "using an is_* method" do
+          before do
+            @team2 = Team.new
+            @team.stub!(:is_owner).and_return(false)
+            @rule = allow_person_rule :who => :is_owner, :on => [:team, :team2]
+          end
-        context "attempting #is_manager?" do
-          it "should call #is_manager? on the resource" do
-            @team.should_receive(:is_manager?).with(@person).and_return(true)
+          it "should attempt to call the first resource first" do
+            @team2.should_not_receive(:is_owner)
+            @team.should_receive(:is_owner).with(@person).and_return(true)
             @rule.matches?(@person, binding)
           end
-          it "should return the result from the resource call" do
-            @team.stub!(:is_manager?).and_return(true)
-            @rule.matches?(@person, binding).should be_true
-            @team.stub!(:is_manager?).and_return(false)
-            @rule.matches?(@person, binding).should be_false
+          context "attempting #is_owner" do
+            it "should call #is_owner on the resource" do
+              @team2.should_receive(:is_owner).with(@person).and_return(true)
+              @rule.matches?(@person, binding)
+            end
+            it "should return the result of the resource call" do
+              @team2.stub!(:is_owner).and_return(true)
+              @rule.matches?(@person, binding).should be_true
+              @team2.stub!(:is_owner).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
           end
-          it "should not call #manager? if resource responds to #is_manager?" do
-            @team.stub!(:is_manager?).and_return(true)
-            @team.should_not_receive(:manager?)
-            @rule.matches?(@person, binding)
+          context "attempting #is_owner?" do
+            it "should call #is_owner? on the resource" do
+              @team2.should_receive(:is_owner?).with(@person).and_return(true)
+              @rule.matches?(@person, binding).should be_true
+            end
+            it "should return the result of the resource call" do
+              @team2.stub!(:is_owner?).and_return(true)
+              @rule.matches?(@person, binding).should be_true
+              @team2.stub!(:is_owner?).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
           end
-        end
+          context "attempting #owner?" do
+            it "should call #owner? on the resource" do
+              @team2.should_receive(:owner?).with(@person).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
+            it "should return the result of the resource call" do
+              @team2.stub!(:owner?).and_return(true)
+              @rule.matches?(@person, binding).should be_true
+              @team2.stub!(:owner?).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
+          end
-        context "attempting #manager?" do
-          it "should call #manager? on the resource" do
-            @team.should_receive(:manager?).with(@person).and_return(false)
-            @rule.matches?(@person, binding).should be_false
+          context "attempting #owner" do
+            it "should call #owner on the resource" do
+              @team2.should_receive(:owner).and_return(@person)
+              @rule.matches?(@person, binding).should be_true
+            end
+            it "should return the result of the comparison of the resource call with the current person" do
+              @team2.stub!(:owner).and_return(@person)
+              @rule.matches?(@person, binding).should be_true
+              jim = Person.create :name => 'jim'
+              @team2.stub!(:owner).and_return(jim)
+              @rule.matches?(@person, binding).should be_false
+            end
           end
-          it "should return the result from the resource call" do
-            @team.stub!(:manager?).and_return(true)
-            @rule.matches?(@person, binding).should be_true
-            @team.stub!(:manager?).and_return(false)
-            @rule.matches?(@person, binding).should be_false
+          context "attempting #owners.exists?" do
+            it "should call #owners.exists? on the resource" do
+              owners = mock("owners")
+              owners.should_receive(:exists?).with(@person).and_return(true)
+              @team2.stub!(:owners).and_return(owners)
+              @rule.matches?(@person, binding).should be_true
+            end
+            it "should return the result of the resource call" do
+              owners = mock("owners")
+              @team2.stub!(:owners).and_return(owners)
+              owners.stub!(:exists?).and_return(true)
+              @rule.matches?(@person, binding).should be_true
+              owners.stub!(:exists?).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
+          end
+          it "should raise an error if none of the attempted calls responded" do
+            @team2.stub!(:respond_to?).and_return(false)
+            lambda {
+              @rule.matches?(@person, binding)
+            }.should raise_error(PermitEvaluationError,  "Target object ':team2' evaluated as #{@team2.inspect} did not respond to any of the following: is_owner, is_owner?, owner, owner?, owners")
           end
         end
-        it "should raise an error if none of the attempted calls responded" do
-          @team.stub!(:respond_to?).and_return(false)
-          lambda {
+        context "using an is_*? method" do
+          before do
+            @team2 = Team.new
+            @team.stub!(:is_manager?).and_return(false)
+            @rule = allow_person_rule :who => :is_manager?, :on => [:team, :team2]
+          end
+          it "should attempt to call the first resource first" do
+            @team2.should_not_receive(:is_manager?)
+            @team.should_receive(:is_manager?).with(@person).and_return(true)
             @rule.matches?(@person, binding)
-          }.should raise_error(PermitEvaluationError,  "Target object ':team' evaluated as #{@team.inspect} did not respond to any of the following: is_manager?, manager?")
-        end
-      end
+          end
+          context "attempting #is_manager?" do
+            it "should call #is_manager? on the resource" do
+              @team2.should_receive(:is_manager?).with(@person).and_return(true)
+              @rule.matches?(@person, binding)
+            end
+            it "should return the result from the resource call" do
+              @team2.stub!(:is_manager?).and_return(true)
+              @rule.matches?(@person, binding).should be_true
+              @team2.stub!(:is_manager?).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
+            it "should not call #manager? if resource responds to #is_manager?" do
+              @team2.stub!(:is_manager?).and_return(true)
+              @team2.should_not_receive(:manager?)
+              @rule.matches?(@person, binding)
+            end
-      context "using any other method" do
-        before {@rule = allow_person_rule :who => :has_permission, :on => :team}
-        it "should call the method on the resource" do
-          @team.should_receive(:has_permission).with(@person)
-          @rule.matches?(@person, binding)
+          end
+          context "attempting #manager?" do
+            it "should call #manager? on the resource" do
+              @team2.should_receive(:manager?).with(@person).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
+            it "should return the result from the resource call" do
+              @team2.stub!(:manager?).and_return(true)
+              @rule.matches?(@person, binding).should be_true
+              @team2.stub!(:manager?).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
+          end
+          it "should raise an error if none of the attempted calls responded" do
+            @team2.stub!(:respond_to?).and_return(false)
+            lambda {
+              @rule.matches?(@person, binding)
+            }.should raise_error(PermitEvaluationError,  "Target object ':team2' evaluated as #{@team2.inspect} did not respond to any of the following: is_manager?, manager?")
+          end
         end
-        it "should raise an error if the attempted call did not respond" do
-          @team.stub!(:respond_to?).and_return(false)
-          lambda {
+        context "using any other method" do
+          before {@rule = allow_person_rule :who => :has_permission, :on => :team}
+          before do
+            @team2 = Team.new
+            @team.stub!(:has_permission).and_return(false)
+            @rule = allow_person_rule :who => :has_permission, :on => [:team, :team2]
+          end
+          it "should attempt to call the first resource first" do
+            @team2.should_not_receive(:has_permission)
+            @team.should_receive(:has_permission).with(@person).and_return(true)
             @rule.matches?(@person, binding)
-          }.should raise_error(PermitEvaluationError,  "Target object ':team' evaluated as #{@team.inspect} did not respond to any of the following: has_permission")
+          end
+          it "should call the method on the resource" do
+            @team2.should_receive(:has_permission).with(@person)
+            @rule.matches?(@person, binding)
+          end
+          it "should raise an error if the attempted call did not respond" do
+            @team2.stub!(:respond_to?).and_return(false)
+            lambda {
+              @rule.matches?(@person, binding)
+            }.should raise_error(PermitEvaluationError,  "Target object ':team2' evaluated as #{@team.inspect} did not respond to any of the following: has_permission")
+          end
         end
       end
     end
     context "for a named authorization" do
@@ -370,6 +569,15 @@ module Permit::Specs
           r = allow_rule :roles => :monkey_tech, :of => :maintenance
           r.matches?(@bob, binding).should be_false
         end
+        context "that does not exist" do
+          it "should raise an error" do
+            rule = allow_rule :roles => :site_admin, :of => :oops
+            lambda {
+              rule.matches? @bob, binding
+            }.should raise_error(PermitEvaluationError, "Target resource '@oops' did not exist in the given context.")
+          end
+        end
       end
       context "without a resource" do
@@ -395,6 +603,18 @@ module Permit::Specs
           r.matches?(@tom, binding).should be_false
         end
       end
+      context "with multiple resources" do
+        it "should return true if the person is authorized for one of the resources" do
+          r = allow_rule :roles => :admin, :of => [:hotness, :maintenance]
+          r.matches?(@bob, binding).should be_true
+        end
+        it "should return false if the person is not authorized for any of the resources" do
+          r = allow_rule :roles => :developer, :of => [:hotness, :maintenance]
+          r.matches?(@tom, binding).should be_false
+        end
+      end
     end
     context "for multiple named authorizations" do
@@ -422,6 +642,15 @@ module Permit::Specs
           r = allow_rule :roles => [:site_admin, :monkey_tech], :of => :maintenance
           r.matches?(@bob, binding).should be_false
         end
+        context "that does not exist" do
+          it "should raise an error" do
+            rule = allow_rule :roles => [:site_admin, :team_lead], :of => :oops
+            lambda {
+              rule.matches? @bob, binding
+            }.should raise_error(PermitEvaluationError, "Target resource '@oops' did not exist in the given context.")
+          end
+        end
       end
       context "without a resource" do
@@ -447,6 +676,90 @@ module Permit::Specs
           r.matches?(@tom, binding).should be_false
         end
       end
+      context "with multiple resources" do
+        it "should return true if the person is authorized for one of the resources" do
+          r = allow_rule :roles => [:developer, :site_admin], :of => [:hotness, :maintenance]
+          r.matches?(@bob, binding).should be_true
+        end
+        it "should return false if the person is not authorized for any of the resources" do
+          r = allow_rule :roles => [:admin, :site_admin], :of => [nil, :maintenance]
+          r.matches?(@tom, binding).should be_false
+        end
+      end
+    end
+    describe ":if condition" do
+      before {@guest = Guest.new}
+      context "for a proc" do
+        it "should properly call a proc" do
+          p = Proc.new {|person, b| return false}
+          p.should_receive(:call).with(@guest, instance_of(Binding))
+          r = allow_rule :roles => :everyone, :if => p
+          r.matches? @guest, binding
+        end
+        it "should not match when the condition is false" do
+          r = allow_rule :roles => :everyone, :if => Proc.new {|p,b| false}
+          r.matches?(@guest, binding).should be_false
+        end
+        it "should match when the condition is true" do
+          r = allow_rule :roles => :everyone, :if => Proc.new {|p,b| true}
+          r.matches?(@guest, binding).should be_true
+        end
+      end
+      context "for a method" do
+        it "should not match when the condition is false" do
+          r = allow_rule :roles => :everyone, :if => :false_conditional
+          r.matches?(@guest, binding).should be_false
+        end
+        it "should match when the condition is true" do
+          r = allow_rule :roles => :everyone, :if => :true_conditional
+          r.matches?(@guest, binding).should be_true
+        end
+      end
+    end
+    describe ":unless condition" do
+      before {@guest = Guest.new}
+      context "for a proc" do
+        it "should properly call a proc" do
+          p = Proc.new {|person, b| return false}
+          p.should_receive(:call).with(@guest, instance_of(Binding))
+          r = allow_rule :roles => :everyone, :unless => p
+          r.matches? @guest, binding
+        end
+        it "should not match when the condition is true" do
+          r = allow_rule :roles => :everyone, :unless => Proc.new {|p,b| true}
+          r.matches?(@guest, binding).should be_false
+        end
+        it "should match when the condition is false" do
+          r = allow_rule :roles => :everyone, :unless => Proc.new {|p,b| false}
+          r.matches?(@guest, binding).should be_true
+        end
+      end
+      context "for a method" do
+        it "should not match when the condition is true" do
+          r = allow_rule :roles => :everyone, :unless => :true_conditional
+          r.matches?(@guest, binding).should be_false
+        end
+        it "should match when the condition is false" do
+          r = allow_rule :roles => :everyone, :unless => :false_conditional
+          r.matches?(@guest, binding).should be_true
+        end
+      end
     end
   end
 end