permit 0.9.0 → 1.0.0
- data/VERSION.yml +4 -4
- data/lib/models/association.rb +48 -31
- data/lib/models/person.rb +13 -7
- data/lib/permit.rb +34 -23
- data/lib/permit/controller.rb +68 -17
- data/lib/permit/permit_rule.rb +48 -27
- data/lib/permit/permit_rules.rb +23 -2
- data/lib/permit/support.rb +34 -13
- data/permit.gemspec +3 -3
- data/spec/models/person_spec.rb +109 -31
- data/spec/models/role_spec.rb +7 -0
- data/spec/permit/controller_spec.rb +88 -48
- data/spec/permit/permit_rule_spec.rb +417 -104
- metadata +12 -5
@@ -10,6 +10,14 @@ def allow_person_rule(options = {})
|
|
10
10
|
allow_rule options
|
11
11
|
end
|
12
12
|
|
13
|
+
def true_conditional
|
14
|
+
true
|
15
|
+
end
|
16
|
+
|
17
|
+
def false_conditional
|
18
|
+
false
|
19
|
+
end
|
20
|
+
|
13
21
|
module Permit::Specs
|
14
22
|
describe PermitRule, "initialization" do
|
15
23
|
context "of roles" do
|
@@ -62,17 +70,17 @@ module Permit::Specs
|
|
62
70
|
|
63
71
|
it "should store accept the resource through :of" do
|
64
72
|
r = allow_rule :of => :team
|
65
|
-
r.
|
73
|
+
r.target_vars.should == [:team]
|
66
74
|
end
|
67
75
|
|
68
76
|
it "should accept the resource through :on" do
|
69
77
|
r = allow_rule :on => :project
|
70
|
-
r.
|
78
|
+
r.target_vars.should == [:project]
|
71
79
|
end
|
72
80
|
|
73
81
|
it "should not be modifiable" do
|
74
82
|
r = allow_rule :on => :project
|
75
|
-
lambda {r.
|
83
|
+
lambda {r.target_vars << :other}.should raise_error(TypeError, "can't modify frozen array")
|
76
84
|
end
|
77
85
|
end
|
78
86
|
|
@@ -107,7 +115,7 @@ module Permit::Specs
|
|
107
115
|
|
108
116
|
it "should accept the resource and method" do
|
109
117
|
r = allow_person_rule :who => :is_member, :of => :team
|
110
|
-
r.
|
118
|
+
r.target_vars.should == [:team]
|
111
119
|
r.method.should == :is_member
|
112
120
|
end
|
113
121
|
end
|
@@ -191,153 +199,344 @@ module Permit::Specs
|
|
191
199
|
end
|
192
200
|
end
|
193
201
|
|
194
|
-
context "
|
195
|
-
|
202
|
+
context "when the target resource does not exist" do
|
203
|
+
it "should raise an error" do
|
204
|
+
rule = allow_person_rule :who => :is_owner, :on => :oops
|
205
|
+
lambda {
|
206
|
+
rule.matches? @person, binding
|
207
|
+
}.should raise_error(PermitEvaluationError, "Target resource '@oops' did not exist in the given context.")
|
208
|
+
end
|
209
|
+
end
|
210
|
+
|
211
|
+
context "with one resource" do
|
212
|
+
context "using an is_* method" do
|
213
|
+
before {@rule = allow_person_rule :who => :is_owner, :on => :team}
|
196
214
|
|
197
|
-
|
198
|
-
|
199
|
-
|
200
|
-
|
215
|
+
context "attempting #is_owner" do
|
216
|
+
it "should call #is_owner on the resource" do
|
217
|
+
@team.should_receive(:is_owner).with(@person).and_return(true)
|
218
|
+
@rule.matches?(@person, binding)
|
219
|
+
end
|
220
|
+
|
221
|
+
it "should return the result of the resource call" do
|
222
|
+
@team.stub!(:is_owner).and_return(true)
|
223
|
+
@rule.matches?(@person, binding).should be_true
|
224
|
+
@team.stub!(:is_owner).and_return(false)
|
225
|
+
@rule.matches?(@person, binding).should be_false
|
226
|
+
end
|
201
227
|
end
|
202
228
|
|
203
|
-
|
204
|
-
|
205
|
-
|
206
|
-
|
207
|
-
|
229
|
+
context "attempting #is_owner?" do
|
230
|
+
it "should call #is_owner? on the resource" do
|
231
|
+
@team.should_receive(:is_owner?).with(@person).and_return(true)
|
232
|
+
@rule.matches?(@person, binding).should be_true
|
233
|
+
end
|
234
|
+
|
235
|
+
it "should return the result of the resource call" do
|
236
|
+
@team.stub!(:is_owner?).and_return(true)
|
237
|
+
@rule.matches?(@person, binding).should be_true
|
238
|
+
@team.stub!(:is_owner?).and_return(false)
|
239
|
+
@rule.matches?(@person, binding).should be_false
|
240
|
+
end
|
208
241
|
end
|
209
|
-
end
|
210
242
|
|
211
|
-
|
212
|
-
|
213
|
-
|
214
|
-
|
243
|
+
context "attempting #owner?" do
|
244
|
+
it "should call #owner? on the resource" do
|
245
|
+
@team.should_receive(:owner?).with(@person).and_return(false)
|
246
|
+
@rule.matches?(@person, binding).should be_false
|
247
|
+
end
|
248
|
+
|
249
|
+
it "should return the result of the resource call" do
|
250
|
+
@team.stub!(:owner?).and_return(true)
|
251
|
+
@rule.matches?(@person, binding).should be_true
|
252
|
+
@team.stub!(:owner?).and_return(false)
|
253
|
+
@rule.matches?(@person, binding).should be_false
|
254
|
+
end
|
215
255
|
end
|
216
256
|
|
217
|
-
|
218
|
-
|
219
|
-
|
220
|
-
|
221
|
-
|
257
|
+
context "attempting #owner" do
|
258
|
+
it "should call #owner on the resource" do
|
259
|
+
@team.should_receive(:owner).and_return(@person)
|
260
|
+
@rule.matches?(@person, binding).should be_true
|
261
|
+
end
|
262
|
+
|
263
|
+
it "should return the result of the comparison of the resource call with the current person" do
|
264
|
+
@team.stub!(:owner).and_return(@person)
|
265
|
+
@rule.matches?(@person, binding).should be_true
|
266
|
+
jim = Person.create :name => 'jim'
|
267
|
+
@team.stub!(:owner).and_return(jim)
|
268
|
+
@rule.matches?(@person, binding).should be_false
|
269
|
+
end
|
222
270
|
end
|
223
|
-
end
|
224
271
|
|
225
|
-
|
226
|
-
|
227
|
-
|
228
|
-
|
272
|
+
context "attempting #owners.exists?" do
|
273
|
+
it "should call #owners.exists? on the resource" do
|
274
|
+
owners = mock("owners")
|
275
|
+
owners.should_receive(:exists?).with(@person).and_return(true)
|
276
|
+
@team.stub!(:owners).and_return(owners)
|
277
|
+
@rule.matches?(@person, binding).should be_true
|
278
|
+
end
|
279
|
+
|
280
|
+
it "should return the result of the resource call" do
|
281
|
+
owners = mock("owners")
|
282
|
+
@team.stub!(:owners).and_return(owners)
|
283
|
+
owners.stub!(:exists?).and_return(true)
|
284
|
+
@rule.matches?(@person, binding).should be_true
|
285
|
+
owners.stub!(:exists?).and_return(false)
|
286
|
+
@rule.matches?(@person, binding).should be_false
|
287
|
+
end
|
229
288
|
end
|
230
289
|
|
231
|
-
it "should
|
232
|
-
@team.stub!(:
|
233
|
-
|
234
|
-
|
235
|
-
|
290
|
+
it "should raise an error if none of the attempted calls responded" do
|
291
|
+
@team.stub!(:respond_to?).and_return(false)
|
292
|
+
lambda {
|
293
|
+
@rule.matches?(@person, binding)
|
294
|
+
}.should raise_error(PermitEvaluationError, "Target object ':team' evaluated as #{@team.inspect} did not respond to any of the following: is_owner, is_owner?, owner, owner?, owners")
|
236
295
|
end
|
237
296
|
end
|
238
297
|
|
239
|
-
context "
|
240
|
-
|
241
|
-
|
242
|
-
|
243
|
-
|
298
|
+
context "using an is_*? method" do
|
299
|
+
before {@rule = allow_person_rule :who => :is_manager?, :on => :team}
|
300
|
+
|
301
|
+
context "attempting #is_manager?" do
|
302
|
+
it "should call #is_manager? on the resource" do
|
303
|
+
@team.should_receive(:is_manager?).with(@person).and_return(true)
|
304
|
+
@rule.matches?(@person, binding)
|
305
|
+
end
|
306
|
+
|
307
|
+
it "should return the result from the resource call" do
|
308
|
+
@team.stub!(:is_manager?).and_return(true)
|
309
|
+
@rule.matches?(@person, binding).should be_true
|
310
|
+
@team.stub!(:is_manager?).and_return(false)
|
311
|
+
@rule.matches?(@person, binding).should be_false
|
312
|
+
end
|
313
|
+
|
314
|
+
it "should not call #manager? if resource responds to #is_manager?" do
|
315
|
+
@team.stub!(:is_manager?).and_return(true)
|
316
|
+
@team.should_not_receive(:manager?)
|
317
|
+
@rule.matches?(@person, binding)
|
318
|
+
end
|
244
319
|
|
245
|
-
it "should return the result of the comparison of the resource call with the current person" do
|
246
|
-
@team.stub!(:owner).and_return(@person)
|
247
|
-
@rule.matches?(@person, binding).should be_true
|
248
|
-
jim = Person.create :name => 'jim'
|
249
|
-
@team.stub!(:owner).and_return(jim)
|
250
|
-
@rule.matches?(@person, binding).should be_false
|
251
320
|
end
|
252
|
-
end
|
253
321
|
|
254
|
-
|
255
|
-
|
256
|
-
|
257
|
-
|
258
|
-
|
259
|
-
|
322
|
+
context "attempting #manager?" do
|
323
|
+
it "should call #manager? on the resource" do
|
324
|
+
@team.should_receive(:manager?).with(@person).and_return(false)
|
325
|
+
@rule.matches?(@person, binding).should be_false
|
326
|
+
end
|
327
|
+
|
328
|
+
it "should return the result from the resource call" do
|
329
|
+
@team.stub!(:manager?).and_return(true)
|
330
|
+
@rule.matches?(@person, binding).should be_true
|
331
|
+
@team.stub!(:manager?).and_return(false)
|
332
|
+
@rule.matches?(@person, binding).should be_false
|
333
|
+
end
|
260
334
|
end
|
261
335
|
|
262
|
-
it "should
|
263
|
-
|
264
|
-
|
265
|
-
|
266
|
-
|
267
|
-
owners.stub!(:exists?).and_return(false)
|
268
|
-
@rule.matches?(@person, binding).should be_false
|
336
|
+
it "should raise an error if none of the attempted calls responded" do
|
337
|
+
@team.stub!(:respond_to?).and_return(false)
|
338
|
+
lambda {
|
339
|
+
@rule.matches?(@person, binding)
|
340
|
+
}.should raise_error(PermitEvaluationError, "Target object ':team' evaluated as #{@team.inspect} did not respond to any of the following: is_manager?, manager?")
|
269
341
|
end
|
270
342
|
end
|
271
343
|
|
272
|
-
|
273
|
-
@team
|
274
|
-
|
344
|
+
context "using any other method" do
|
345
|
+
before {@rule = allow_person_rule :who => :has_permission, :on => :team}
|
346
|
+
it "should call the method on the resource" do
|
347
|
+
@team.should_receive(:has_permission).with(@person)
|
275
348
|
@rule.matches?(@person, binding)
|
276
|
-
|
349
|
+
end
|
350
|
+
|
351
|
+
it "should raise an error if the attempted call did not respond" do
|
352
|
+
@team.stub!(:respond_to?).and_return(false)
|
353
|
+
lambda {
|
354
|
+
@rule.matches?(@person, binding)
|
355
|
+
}.should raise_error(PermitEvaluationError, "Target object ':team' evaluated as #{@team.inspect} did not respond to any of the following: has_permission")
|
356
|
+
end
|
277
357
|
end
|
278
358
|
end
|
279
359
|
|
280
|
-
context "
|
281
|
-
|
360
|
+
context "with multiple resources" do
|
361
|
+
context "using an is_* method" do
|
362
|
+
before do
|
363
|
+
@team2 = Team.new
|
364
|
+
@team.stub!(:is_owner).and_return(false)
|
365
|
+
@rule = allow_person_rule :who => :is_owner, :on => [:team, :team2]
|
366
|
+
end
|
282
367
|
|
283
|
-
|
284
|
-
|
285
|
-
@team.should_receive(:
|
368
|
+
it "should attempt to call the first resource first" do
|
369
|
+
@team2.should_not_receive(:is_owner)
|
370
|
+
@team.should_receive(:is_owner).with(@person).and_return(true)
|
286
371
|
@rule.matches?(@person, binding)
|
287
372
|
end
|
288
373
|
|
289
|
-
|
290
|
-
|
291
|
-
|
292
|
-
|
293
|
-
|
374
|
+
context "attempting #is_owner" do
|
375
|
+
it "should call #is_owner on the resource" do
|
376
|
+
@team2.should_receive(:is_owner).with(@person).and_return(true)
|
377
|
+
@rule.matches?(@person, binding)
|
378
|
+
end
|
379
|
+
|
380
|
+
it "should return the result of the resource call" do
|
381
|
+
@team2.stub!(:is_owner).and_return(true)
|
382
|
+
@rule.matches?(@person, binding).should be_true
|
383
|
+
@team2.stub!(:is_owner).and_return(false)
|
384
|
+
@rule.matches?(@person, binding).should be_false
|
385
|
+
end
|
294
386
|
end
|
295
387
|
|
296
|
-
|
297
|
-
|
298
|
-
|
299
|
-
|
388
|
+
context "attempting #is_owner?" do
|
389
|
+
it "should call #is_owner? on the resource" do
|
390
|
+
@team2.should_receive(:is_owner?).with(@person).and_return(true)
|
391
|
+
@rule.matches?(@person, binding).should be_true
|
392
|
+
end
|
393
|
+
|
394
|
+
it "should return the result of the resource call" do
|
395
|
+
@team2.stub!(:is_owner?).and_return(true)
|
396
|
+
@rule.matches?(@person, binding).should be_true
|
397
|
+
@team2.stub!(:is_owner?).and_return(false)
|
398
|
+
@rule.matches?(@person, binding).should be_false
|
399
|
+
end
|
300
400
|
end
|
301
401
|
|
302
|
-
|
402
|
+
context "attempting #owner?" do
|
403
|
+
it "should call #owner? on the resource" do
|
404
|
+
@team2.should_receive(:owner?).with(@person).and_return(false)
|
405
|
+
@rule.matches?(@person, binding).should be_false
|
406
|
+
end
|
407
|
+
|
408
|
+
it "should return the result of the resource call" do
|
409
|
+
@team2.stub!(:owner?).and_return(true)
|
410
|
+
@rule.matches?(@person, binding).should be_true
|
411
|
+
@team2.stub!(:owner?).and_return(false)
|
412
|
+
@rule.matches?(@person, binding).should be_false
|
413
|
+
end
|
414
|
+
end
|
303
415
|
|
304
|
-
|
305
|
-
|
306
|
-
|
307
|
-
|
416
|
+
context "attempting #owner" do
|
417
|
+
it "should call #owner on the resource" do
|
418
|
+
@team2.should_receive(:owner).and_return(@person)
|
419
|
+
@rule.matches?(@person, binding).should be_true
|
420
|
+
end
|
421
|
+
|
422
|
+
it "should return the result of the comparison of the resource call with the current person" do
|
423
|
+
@team2.stub!(:owner).and_return(@person)
|
424
|
+
@rule.matches?(@person, binding).should be_true
|
425
|
+
jim = Person.create :name => 'jim'
|
426
|
+
@team2.stub!(:owner).and_return(jim)
|
427
|
+
@rule.matches?(@person, binding).should be_false
|
428
|
+
end
|
308
429
|
end
|
309
430
|
|
310
|
-
|
311
|
-
|
312
|
-
|
313
|
-
|
314
|
-
|
431
|
+
context "attempting #owners.exists?" do
|
432
|
+
it "should call #owners.exists? on the resource" do
|
433
|
+
owners = mock("owners")
|
434
|
+
owners.should_receive(:exists?).with(@person).and_return(true)
|
435
|
+
@team2.stub!(:owners).and_return(owners)
|
436
|
+
@rule.matches?(@person, binding).should be_true
|
437
|
+
end
|
438
|
+
|
439
|
+
it "should return the result of the resource call" do
|
440
|
+
owners = mock("owners")
|
441
|
+
@team2.stub!(:owners).and_return(owners)
|
442
|
+
owners.stub!(:exists?).and_return(true)
|
443
|
+
@rule.matches?(@person, binding).should be_true
|
444
|
+
owners.stub!(:exists?).and_return(false)
|
445
|
+
@rule.matches?(@person, binding).should be_false
|
446
|
+
end
|
447
|
+
end
|
448
|
+
|
449
|
+
it "should raise an error if none of the attempted calls responded" do
|
450
|
+
@team2.stub!(:respond_to?).and_return(false)
|
451
|
+
lambda {
|
452
|
+
@rule.matches?(@person, binding)
|
453
|
+
}.should raise_error(PermitEvaluationError, "Target object ':team2' evaluated as #{@team2.inspect} did not respond to any of the following: is_owner, is_owner?, owner, owner?, owners")
|
315
454
|
end
|
316
455
|
end
|
317
456
|
|
318
|
-
|
319
|
-
|
320
|
-
|
457
|
+
context "using an is_*? method" do
|
458
|
+
before do
|
459
|
+
@team2 = Team.new
|
460
|
+
@team.stub!(:is_manager?).and_return(false)
|
461
|
+
@rule = allow_person_rule :who => :is_manager?, :on => [:team, :team2]
|
462
|
+
end
|
463
|
+
|
464
|
+
it "should attempt to call the first resource first" do
|
465
|
+
@team2.should_not_receive(:is_manager?)
|
466
|
+
@team.should_receive(:is_manager?).with(@person).and_return(true)
|
321
467
|
@rule.matches?(@person, binding)
|
322
|
-
|
323
|
-
|
324
|
-
|
468
|
+
end
|
469
|
+
|
470
|
+
context "attempting #is_manager?" do
|
471
|
+
it "should call #is_manager? on the resource" do
|
472
|
+
@team2.should_receive(:is_manager?).with(@person).and_return(true)
|
473
|
+
@rule.matches?(@person, binding)
|
474
|
+
end
|
475
|
+
|
476
|
+
it "should return the result from the resource call" do
|
477
|
+
@team2.stub!(:is_manager?).and_return(true)
|
478
|
+
@rule.matches?(@person, binding).should be_true
|
479
|
+
@team2.stub!(:is_manager?).and_return(false)
|
480
|
+
@rule.matches?(@person, binding).should be_false
|
481
|
+
end
|
482
|
+
|
483
|
+
it "should not call #manager? if resource responds to #is_manager?" do
|
484
|
+
@team2.stub!(:is_manager?).and_return(true)
|
485
|
+
@team2.should_not_receive(:manager?)
|
486
|
+
@rule.matches?(@person, binding)
|
487
|
+
end
|
325
488
|
|
326
|
-
|
327
|
-
|
328
|
-
|
329
|
-
|
330
|
-
|
489
|
+
end
|
490
|
+
|
491
|
+
context "attempting #manager?" do
|
492
|
+
it "should call #manager? on the resource" do
|
493
|
+
@team2.should_receive(:manager?).with(@person).and_return(false)
|
494
|
+
@rule.matches?(@person, binding).should be_false
|
495
|
+
end
|
496
|
+
|
497
|
+
it "should return the result from the resource call" do
|
498
|
+
@team2.stub!(:manager?).and_return(true)
|
499
|
+
@rule.matches?(@person, binding).should be_true
|
500
|
+
@team2.stub!(:manager?).and_return(false)
|
501
|
+
@rule.matches?(@person, binding).should be_false
|
502
|
+
end
|
503
|
+
end
|
504
|
+
|
505
|
+
it "should raise an error if none of the attempted calls responded" do
|
506
|
+
@team2.stub!(:respond_to?).and_return(false)
|
507
|
+
lambda {
|
508
|
+
@rule.matches?(@person, binding)
|
509
|
+
}.should raise_error(PermitEvaluationError, "Target object ':team2' evaluated as #{@team2.inspect} did not respond to any of the following: is_manager?, manager?")
|
510
|
+
end
|
331
511
|
end
|
332
512
|
|
333
|
-
|
334
|
-
@team
|
335
|
-
|
513
|
+
context "using any other method" do
|
514
|
+
before {@rule = allow_person_rule :who => :has_permission, :on => :team}
|
515
|
+
before do
|
516
|
+
@team2 = Team.new
|
517
|
+
@team.stub!(:has_permission).and_return(false)
|
518
|
+
@rule = allow_person_rule :who => :has_permission, :on => [:team, :team2]
|
519
|
+
end
|
520
|
+
|
521
|
+
it "should attempt to call the first resource first" do
|
522
|
+
@team2.should_not_receive(:has_permission)
|
523
|
+
@team.should_receive(:has_permission).with(@person).and_return(true)
|
336
524
|
@rule.matches?(@person, binding)
|
337
|
-
|
525
|
+
end
|
526
|
+
|
527
|
+
it "should call the method on the resource" do
|
528
|
+
@team2.should_receive(:has_permission).with(@person)
|
529
|
+
@rule.matches?(@person, binding)
|
530
|
+
end
|
531
|
+
|
532
|
+
it "should raise an error if the attempted call did not respond" do
|
533
|
+
@team2.stub!(:respond_to?).and_return(false)
|
534
|
+
lambda {
|
535
|
+
@rule.matches?(@person, binding)
|
536
|
+
}.should raise_error(PermitEvaluationError, "Target object ':team2' evaluated as #{@team.inspect} did not respond to any of the following: has_permission")
|
537
|
+
end
|
338
538
|
end
|
339
539
|
end
|
340
|
-
|
341
540
|
end
|
342
541
|
|
343
542
|
context "for a named authorization" do
|
@@ -370,6 +569,15 @@ module Permit::Specs
|
|
370
569
|
r = allow_rule :roles => :monkey_tech, :of => :maintenance
|
371
570
|
r.matches?(@bob, binding).should be_false
|
372
571
|
end
|
572
|
+
|
573
|
+
context "that does not exist" do
|
574
|
+
it "should raise an error" do
|
575
|
+
rule = allow_rule :roles => :site_admin, :of => :oops
|
576
|
+
lambda {
|
577
|
+
rule.matches? @bob, binding
|
578
|
+
}.should raise_error(PermitEvaluationError, "Target resource '@oops' did not exist in the given context.")
|
579
|
+
end
|
580
|
+
end
|
373
581
|
end
|
374
582
|
|
375
583
|
context "without a resource" do
|
@@ -395,6 +603,18 @@ module Permit::Specs
|
|
395
603
|
r.matches?(@tom, binding).should be_false
|
396
604
|
end
|
397
605
|
end
|
606
|
+
|
607
|
+
context "with multiple resources" do
|
608
|
+
it "should return true if the person is authorized for one of the resources" do
|
609
|
+
r = allow_rule :roles => :admin, :of => [:hotness, :maintenance]
|
610
|
+
r.matches?(@bob, binding).should be_true
|
611
|
+
end
|
612
|
+
|
613
|
+
it "should return false if the person is not authorized for any of the resources" do
|
614
|
+
r = allow_rule :roles => :developer, :of => [:hotness, :maintenance]
|
615
|
+
r.matches?(@tom, binding).should be_false
|
616
|
+
end
|
617
|
+
end
|
398
618
|
end
|
399
619
|
|
400
620
|
context "for multiple named authorizations" do
|
@@ -422,6 +642,15 @@ module Permit::Specs
|
|
422
642
|
r = allow_rule :roles => [:site_admin, :monkey_tech], :of => :maintenance
|
423
643
|
r.matches?(@bob, binding).should be_false
|
424
644
|
end
|
645
|
+
|
646
|
+
context "that does not exist" do
|
647
|
+
it "should raise an error" do
|
648
|
+
rule = allow_rule :roles => [:site_admin, :team_lead], :of => :oops
|
649
|
+
lambda {
|
650
|
+
rule.matches? @bob, binding
|
651
|
+
}.should raise_error(PermitEvaluationError, "Target resource '@oops' did not exist in the given context.")
|
652
|
+
end
|
653
|
+
end
|
425
654
|
end
|
426
655
|
|
427
656
|
context "without a resource" do
|
@@ -447,6 +676,90 @@ module Permit::Specs
|
|
447
676
|
r.matches?(@tom, binding).should be_false
|
448
677
|
end
|
449
678
|
end
|
679
|
+
|
680
|
+
context "with multiple resources" do
|
681
|
+
it "should return true if the person is authorized for one of the resources" do
|
682
|
+
r = allow_rule :roles => [:developer, :site_admin], :of => [:hotness, :maintenance]
|
683
|
+
r.matches?(@bob, binding).should be_true
|
684
|
+
end
|
685
|
+
|
686
|
+
it "should return false if the person is not authorized for any of the resources" do
|
687
|
+
r = allow_rule :roles => [:admin, :site_admin], :of => [nil, :maintenance]
|
688
|
+
r.matches?(@tom, binding).should be_false
|
689
|
+
end
|
690
|
+
end
|
691
|
+
end
|
692
|
+
|
693
|
+
describe ":if condition" do
|
694
|
+
before {@guest = Guest.new}
|
695
|
+
|
696
|
+
context "for a proc" do
|
697
|
+
it "should properly call a proc" do
|
698
|
+
p = Proc.new {|person, b| return false}
|
699
|
+
p.should_receive(:call).with(@guest, instance_of(Binding))
|
700
|
+
r = allow_rule :roles => :everyone, :if => p
|
701
|
+
|
702
|
+
r.matches? @guest, binding
|
703
|
+
end
|
704
|
+
|
705
|
+
it "should not match when the condition is false" do
|
706
|
+
r = allow_rule :roles => :everyone, :if => Proc.new {|p,b| false}
|
707
|
+
r.matches?(@guest, binding).should be_false
|
708
|
+
end
|
709
|
+
|
710
|
+
it "should match when the condition is true" do
|
711
|
+
r = allow_rule :roles => :everyone, :if => Proc.new {|p,b| true}
|
712
|
+
r.matches?(@guest, binding).should be_true
|
713
|
+
end
|
714
|
+
end
|
715
|
+
|
716
|
+
context "for a method" do
|
717
|
+
it "should not match when the condition is false" do
|
718
|
+
r = allow_rule :roles => :everyone, :if => :false_conditional
|
719
|
+
r.matches?(@guest, binding).should be_false
|
720
|
+
end
|
721
|
+
|
722
|
+
it "should match when the condition is true" do
|
723
|
+
r = allow_rule :roles => :everyone, :if => :true_conditional
|
724
|
+
r.matches?(@guest, binding).should be_true
|
725
|
+
end
|
726
|
+
end
|
727
|
+
end
|
728
|
+
|
729
|
+
describe ":unless condition" do
|
730
|
+
before {@guest = Guest.new}
|
731
|
+
|
732
|
+
context "for a proc" do
|
733
|
+
it "should properly call a proc" do
|
734
|
+
p = Proc.new {|person, b| return false}
|
735
|
+
p.should_receive(:call).with(@guest, instance_of(Binding))
|
736
|
+
r = allow_rule :roles => :everyone, :unless => p
|
737
|
+
|
738
|
+
r.matches? @guest, binding
|
739
|
+
end
|
740
|
+
|
741
|
+
it "should not match when the condition is true" do
|
742
|
+
r = allow_rule :roles => :everyone, :unless => Proc.new {|p,b| true}
|
743
|
+
r.matches?(@guest, binding).should be_false
|
744
|
+
end
|
745
|
+
|
746
|
+
it "should match when the condition is false" do
|
747
|
+
r = allow_rule :roles => :everyone, :unless => Proc.new {|p,b| false}
|
748
|
+
r.matches?(@guest, binding).should be_true
|
749
|
+
end
|
750
|
+
end
|
751
|
+
|
752
|
+
context "for a method" do
|
753
|
+
it "should not match when the condition is true" do
|
754
|
+
r = allow_rule :roles => :everyone, :unless => :true_conditional
|
755
|
+
r.matches?(@guest, binding).should be_false
|
756
|
+
end
|
757
|
+
|
758
|
+
it "should match when the condition is false" do
|
759
|
+
r = allow_rule :roles => :everyone, :unless => :false_conditional
|
760
|
+
r.matches?(@guest, binding).should be_true
|
761
|
+
end
|
762
|
+
end
|
450
763
|
end
|
451
764
|
end
|
452
765
|
end
|
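Review bot: In the `@@ -191,153 +199,344 @@` hunk, under `with multiple resources` / `using any other method`, the expected error text reads `Target object ':team2' evaluated as #{@team.inspect} ...` although the object whose `respond_to?` is stubbed is `@team2`. The sibling `is_*` and `is_*?` cases in the same context interpolate `#{@team2.inspect}`. `@team` is set up outside the visible hunks, so this presumably passes only when the two teams inspect identically and does not pin which target the authorization error reports; the interpolation should be `#{@team2.inspect}`. The same context also keeps a single-resource `before {@rule = allow_person_rule :who => :has_permission, :on => :team}` directly above the `before do` block that reassigns `@rule` with `:on => [:team, :team2]`; the first one looks like a copy-paste leftover and can be dropped.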