RubyGems - permit - Versions diffs - 0.9.0 → 1.0.0 - Mend

permit 0.9.0 → 1.0.0

Files changed (14) hide show

data/VERSION.yml +4 -4
data/lib/models/association.rb +48 -31
data/lib/models/person.rb +13 -7
data/lib/permit.rb +34 -23
data/lib/permit/controller.rb +68 -17
data/lib/permit/permit_rule.rb +48 -27
data/lib/permit/permit_rules.rb +23 -2
data/lib/permit/support.rb +34 -13
data/permit.gemspec +3 -3
data/spec/models/person_spec.rb +109 -31
data/spec/models/role_spec.rb +7 -0
data/spec/permit/controller_spec.rb +88 -48
data/spec/permit/permit_rule_spec.rb +417 -104
metadata +12 -5

data/spec/permit/permit_rule_spec.rb CHANGED Viewed

@@ -10,6 +10,14 @@ def allow_person_rule(options = {})
   allow_rule options
 end
+def true_conditional
+  true
+end
+def false_conditional
+  false
+end
 module Permit::Specs
   describe PermitRule, "initialization" do
     context "of roles" do
@@ -62,17 +70,17 @@ module Permit::Specs
       it "should store accept the resource through :of" do
         r = allow_rule :of => :team
-        r.target_var.should == :team
+        r.target_vars.should == [:team]
       end
       it "should accept the resource through :on" do
         r = allow_rule :on => :project
-        r.target_var.should == :project
+        r.target_vars.should == [:project]
       end
       it "should not be modifiable" do
         r = allow_rule :on => :project
-        lambda {r.target_var = :other}.should raise_error(NoMethodError)
+        lambda {r.target_vars << :other}.should raise_error(TypeError, "can't modify frozen array")
       end
     end
@@ -107,7 +115,7 @@ module Permit::Specs
         it "should accept the resource and method" do
           r = allow_person_rule :who => :is_member, :of => :team
-          r.target_var.should == :team
+          r.target_vars.should == [:team]
           r.method.should == :is_member
         end
       end
@@ -191,153 +199,344 @@ module Permit::Specs
         end
       end
-      context "using an is_* method" do
-        before {@rule = allow_person_rule :who => :is_owner, :on => :team}
+      context "when the target resource does not exist" do
+        it "should raise an error" do
+          rule = allow_person_rule :who => :is_owner, :on => :oops
+          lambda {
+            rule.matches? @person, binding
+          }.should raise_error(PermitEvaluationError, "Target resource '@oops' did not exist in the given context.")
+        end
+      end
+      context "with one resource" do
+        context "using an is_* method" do
+          before {@rule = allow_person_rule :who => :is_owner, :on => :team}
-        context "attempting #is_owner" do
-          it "should call #is_owner on the resource" do
-            @team.should_receive(:is_owner).with(@person).and_return(true)
-            @rule.matches?(@person, binding)
+          context "attempting #is_owner" do
+            it "should call #is_owner on the resource" do
+              @team.should_receive(:is_owner).with(@person).and_return(true)
+              @rule.matches?(@person, binding)
+            end
+            it "should return the result of the resource call" do
+              @team.stub!(:is_owner).and_return(true)
+              @rule.matches?(@person, binding).should be_true
+              @team.stub!(:is_owner).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
           end
-          it "should return the result of the resource call" do
-            @team.stub!(:is_owner).and_return(true)
-            @rule.matches?(@person, binding).should be_true
-            @team.stub!(:is_owner).and_return(false)
-            @rule.matches?(@person, binding).should be_false
+          context "attempting #is_owner?" do
+            it "should call #is_owner? on the resource" do
+              @team.should_receive(:is_owner?).with(@person).and_return(true)
+              @rule.matches?(@person, binding).should be_true
+            end
+            it "should return the result of the resource call" do
+              @team.stub!(:is_owner?).and_return(true)
+              @rule.matches?(@person, binding).should be_true
+              @team.stub!(:is_owner?).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
           end
-        end
-        context "attempting #is_owner?" do
-          it "should call #is_owner? on the resource" do
-            @team.should_receive(:is_owner?).with(@person).and_return(true)
-            @rule.matches?(@person, binding).should be_true
+          context "attempting #owner?" do
+            it "should call #owner? on the resource" do
+              @team.should_receive(:owner?).with(@person).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
+            it "should return the result of the resource call" do
+              @team.stub!(:owner?).and_return(true)
+              @rule.matches?(@person, binding).should be_true
+              @team.stub!(:owner?).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
           end
-          it "should return the result of the resource call" do
-            @team.stub!(:is_owner?).and_return(true)
-            @rule.matches?(@person, binding).should be_true
-            @team.stub!(:is_owner?).and_return(false)
-            @rule.matches?(@person, binding).should be_false
+          context "attempting #owner" do
+            it "should call #owner on the resource" do
+              @team.should_receive(:owner).and_return(@person)
+              @rule.matches?(@person, binding).should be_true
+            end
+            it "should return the result of the comparison of the resource call with the current person" do
+              @team.stub!(:owner).and_return(@person)
+              @rule.matches?(@person, binding).should be_true
+              jim = Person.create :name => 'jim'
+              @team.stub!(:owner).and_return(jim)
+              @rule.matches?(@person, binding).should be_false
+            end
           end
-        end
-        context "attempting #owner?" do
-          it "should call #owner? on the resource" do
-            @team.should_receive(:owner?).with(@person).and_return(false)
-            @rule.matches?(@person, binding).should be_false
+          context "attempting #owners.exists?" do
+            it "should call #owners.exists? on the resource" do
+              owners = mock("owners")
+              owners.should_receive(:exists?).with(@person).and_return(true)
+              @team.stub!(:owners).and_return(owners)
+              @rule.matches?(@person, binding).should be_true
+            end
+            it "should return the result of the resource call" do
+              owners = mock("owners")
+              @team.stub!(:owners).and_return(owners)
+              owners.stub!(:exists?).and_return(true)
+              @rule.matches?(@person, binding).should be_true
+              owners.stub!(:exists?).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
           end
-          it "should return the result of the resource call" do
-            @team.stub!(:owner?).and_return(true)
-            @rule.matches?(@person, binding).should be_true
-            @team.stub!(:owner?).and_return(false)
-            @rule.matches?(@person, binding).should be_false
+          it "should raise an error if none of the attempted calls responded" do
+            @team.stub!(:respond_to?).and_return(false)
+            lambda {
+              @rule.matches?(@person, binding)
+            }.should raise_error(PermitEvaluationError,  "Target object ':team' evaluated as #{@team.inspect} did not respond to any of the following: is_owner, is_owner?, owner, owner?, owners")
           end
         end
-        context "attempting #owner" do
-          it "should call #owner on the resource" do
-            @team.should_receive(:owner).and_return(@person)
-            @rule.matches?(@person, binding).should be_true
-          end
+        context "using an is_*? method" do
+          before {@rule = allow_person_rule :who => :is_manager?, :on => :team}
+          context "attempting #is_manager?" do
+            it "should call #is_manager? on the resource" do
+              @team.should_receive(:is_manager?).with(@person).and_return(true)
+              @rule.matches?(@person, binding)
+            end
+            it "should return the result from the resource call" do
+              @team.stub!(:is_manager?).and_return(true)
+              @rule.matches?(@person, binding).should be_true
+              @team.stub!(:is_manager?).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
+            it "should not call #manager? if resource responds to #is_manager?" do
+              @team.stub!(:is_manager?).and_return(true)
+              @team.should_not_receive(:manager?)
+              @rule.matches?(@person, binding)
+            end
-          it "should return the result of the comparison of the resource call with the current person" do
-            @team.stub!(:owner).and_return(@person)
-            @rule.matches?(@person, binding).should be_true
-            jim = Person.create :name => 'jim'
-            @team.stub!(:owner).and_return(jim)
-            @rule.matches?(@person, binding).should be_false
           end
-        end
-        context "attempting #owners.exists?" do
-          it "should call #owners.exists? on the resource" do
-            owners = mock("owners")
-            owners.should_receive(:exists?).with(@person).and_return(true)
-            @team.stub!(:owners).and_return(owners)
-            @rule.matches?(@person, binding).should be_true
+          context "attempting #manager?" do
+            it "should call #manager? on the resource" do
+              @team.should_receive(:manager?).with(@person).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
+            it "should return the result from the resource call" do
+              @team.stub!(:manager?).and_return(true)
+              @rule.matches?(@person, binding).should be_true
+              @team.stub!(:manager?).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
           end
-          it "should return the result of the resource call" do
-            owners = mock("owners")
-            @team.stub!(:owners).and_return(owners)
-            owners.stub!(:exists?).and_return(true)
-            @rule.matches?(@person, binding).should be_true
-            owners.stub!(:exists?).and_return(false)
-            @rule.matches?(@person, binding).should be_false
+          it "should raise an error if none of the attempted calls responded" do
+            @team.stub!(:respond_to?).and_return(false)
+            lambda {
+              @rule.matches?(@person, binding)
+            }.should raise_error(PermitEvaluationError,  "Target object ':team' evaluated as #{@team.inspect} did not respond to any of the following: is_manager?, manager?")
           end
         end
-        it "should raise an error if none of the attempted calls responded" do
-          @team.stub!(:respond_to?).and_return(false)
-          lambda {
+        context "using any other method" do
+          before {@rule = allow_person_rule :who => :has_permission, :on => :team}
+          it "should call the method on the resource" do
+            @team.should_receive(:has_permission).with(@person)
             @rule.matches?(@person, binding)
-          }.should raise_error(PermitEvaluationError,  "Target object ':team' evaluated as #{@team.inspect} did not respond to any of the following: is_owner, is_owner?, owner, owner?, owners")
+          end
+          it "should raise an error if the attempted call did not respond" do
+            @team.stub!(:respond_to?).and_return(false)
+            lambda {
+              @rule.matches?(@person, binding)
+            }.should raise_error(PermitEvaluationError,  "Target object ':team' evaluated as #{@team.inspect} did not respond to any of the following: has_permission")
+          end
         end
       end
-      context "using an is_*? method" do
-        before {@rule = allow_person_rule :who => :is_manager?, :on => :team}
+      context "with multiple resources" do
+        context "using an is_* method" do
+          before do
+            @team2 = Team.new
+            @team.stub!(:is_owner).and_return(false)
+            @rule = allow_person_rule :who => :is_owner, :on => [:team, :team2]
+          end
-        context "attempting #is_manager?" do
-          it "should call #is_manager? on the resource" do
-            @team.should_receive(:is_manager?).with(@person).and_return(true)
+          it "should attempt to call the first resource first" do
+            @team2.should_not_receive(:is_owner)
+            @team.should_receive(:is_owner).with(@person).and_return(true)
             @rule.matches?(@person, binding)
           end
-          it "should return the result from the resource call" do
-            @team.stub!(:is_manager?).and_return(true)
-            @rule.matches?(@person, binding).should be_true
-            @team.stub!(:is_manager?).and_return(false)
-            @rule.matches?(@person, binding).should be_false
+          context "attempting #is_owner" do
+            it "should call #is_owner on the resource" do
+              @team2.should_receive(:is_owner).with(@person).and_return(true)
+              @rule.matches?(@person, binding)
+            end
+            it "should return the result of the resource call" do
+              @team2.stub!(:is_owner).and_return(true)
+              @rule.matches?(@person, binding).should be_true
+              @team2.stub!(:is_owner).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
           end
-          it "should not call #manager? if resource responds to #is_manager?" do
-            @team.stub!(:is_manager?).and_return(true)
-            @team.should_not_receive(:manager?)
-            @rule.matches?(@person, binding)
+          context "attempting #is_owner?" do
+            it "should call #is_owner? on the resource" do
+              @team2.should_receive(:is_owner?).with(@person).and_return(true)
+              @rule.matches?(@person, binding).should be_true
+            end
+            it "should return the result of the resource call" do
+              @team2.stub!(:is_owner?).and_return(true)
+              @rule.matches?(@person, binding).should be_true
+              @team2.stub!(:is_owner?).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
           end
-        end
+          context "attempting #owner?" do
+            it "should call #owner? on the resource" do
+              @team2.should_receive(:owner?).with(@person).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
+            it "should return the result of the resource call" do
+              @team2.stub!(:owner?).and_return(true)
+              @rule.matches?(@person, binding).should be_true
+              @team2.stub!(:owner?).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
+          end
-        context "attempting #manager?" do
-          it "should call #manager? on the resource" do
-            @team.should_receive(:manager?).with(@person).and_return(false)
-            @rule.matches?(@person, binding).should be_false
+          context "attempting #owner" do
+            it "should call #owner on the resource" do
+              @team2.should_receive(:owner).and_return(@person)
+              @rule.matches?(@person, binding).should be_true
+            end
+            it "should return the result of the comparison of the resource call with the current person" do
+              @team2.stub!(:owner).and_return(@person)
+              @rule.matches?(@person, binding).should be_true
+              jim = Person.create :name => 'jim'
+              @team2.stub!(:owner).and_return(jim)
+              @rule.matches?(@person, binding).should be_false
+            end
           end
-          it "should return the result from the resource call" do
-            @team.stub!(:manager?).and_return(true)
-            @rule.matches?(@person, binding).should be_true
-            @team.stub!(:manager?).and_return(false)
-            @rule.matches?(@person, binding).should be_false
+          context "attempting #owners.exists?" do
+            it "should call #owners.exists? on the resource" do
+              owners = mock("owners")
+              owners.should_receive(:exists?).with(@person).and_return(true)
+              @team2.stub!(:owners).and_return(owners)
+              @rule.matches?(@person, binding).should be_true
+            end
+            it "should return the result of the resource call" do
+              owners = mock("owners")
+              @team2.stub!(:owners).and_return(owners)
+              owners.stub!(:exists?).and_return(true)
+              @rule.matches?(@person, binding).should be_true
+              owners.stub!(:exists?).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
+          end
+          it "should raise an error if none of the attempted calls responded" do
+            @team2.stub!(:respond_to?).and_return(false)
+            lambda {
+              @rule.matches?(@person, binding)
+            }.should raise_error(PermitEvaluationError,  "Target object ':team2' evaluated as #{@team2.inspect} did not respond to any of the following: is_owner, is_owner?, owner, owner?, owners")
           end
         end
-        it "should raise an error if none of the attempted calls responded" do
-          @team.stub!(:respond_to?).and_return(false)
-          lambda {
+        context "using an is_*? method" do
+          before do
+            @team2 = Team.new
+            @team.stub!(:is_manager?).and_return(false)
+            @rule = allow_person_rule :who => :is_manager?, :on => [:team, :team2]
+          end
+          it "should attempt to call the first resource first" do
+            @team2.should_not_receive(:is_manager?)
+            @team.should_receive(:is_manager?).with(@person).and_return(true)
             @rule.matches?(@person, binding)
-          }.should raise_error(PermitEvaluationError,  "Target object ':team' evaluated as #{@team.inspect} did not respond to any of the following: is_manager?, manager?")
-        end
-      end
+          end
+          context "attempting #is_manager?" do
+            it "should call #is_manager? on the resource" do
+              @team2.should_receive(:is_manager?).with(@person).and_return(true)
+              @rule.matches?(@person, binding)
+            end
+            it "should return the result from the resource call" do
+              @team2.stub!(:is_manager?).and_return(true)
+              @rule.matches?(@person, binding).should be_true
+              @team2.stub!(:is_manager?).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
+            it "should not call #manager? if resource responds to #is_manager?" do
+              @team2.stub!(:is_manager?).and_return(true)
+              @team2.should_not_receive(:manager?)
+              @rule.matches?(@person, binding)
+            end
-      context "using any other method" do
-        before {@rule = allow_person_rule :who => :has_permission, :on => :team}
-        it "should call the method on the resource" do
-          @team.should_receive(:has_permission).with(@person)
-          @rule.matches?(@person, binding)
+          end
+          context "attempting #manager?" do
+            it "should call #manager? on the resource" do
+              @team2.should_receive(:manager?).with(@person).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
+            it "should return the result from the resource call" do
+              @team2.stub!(:manager?).and_return(true)
+              @rule.matches?(@person, binding).should be_true
+              @team2.stub!(:manager?).and_return(false)
+              @rule.matches?(@person, binding).should be_false
+            end
+          end
+          it "should raise an error if none of the attempted calls responded" do
+            @team2.stub!(:respond_to?).and_return(false)
+            lambda {
+              @rule.matches?(@person, binding)
+            }.should raise_error(PermitEvaluationError,  "Target object ':team2' evaluated as #{@team2.inspect} did not respond to any of the following: is_manager?, manager?")
+          end
         end
-        it "should raise an error if the attempted call did not respond" do
-          @team.stub!(:respond_to?).and_return(false)
-          lambda {
+        context "using any other method" do
+          before {@rule = allow_person_rule :who => :has_permission, :on => :team}
+          before do
+            @team2 = Team.new
+            @team.stub!(:has_permission).and_return(false)
+            @rule = allow_person_rule :who => :has_permission, :on => [:team, :team2]
+          end
+          it "should attempt to call the first resource first" do
+            @team2.should_not_receive(:has_permission)
+            @team.should_receive(:has_permission).with(@person).and_return(true)
             @rule.matches?(@person, binding)
-          }.should raise_error(PermitEvaluationError,  "Target object ':team' evaluated as #{@team.inspect} did not respond to any of the following: has_permission")
+          end
+          it "should call the method on the resource" do
+            @team2.should_receive(:has_permission).with(@person)
+            @rule.matches?(@person, binding)
+          end
+          it "should raise an error if the attempted call did not respond" do
+            @team2.stub!(:respond_to?).and_return(false)
+            lambda {
+              @rule.matches?(@person, binding)
+            }.should raise_error(PermitEvaluationError,  "Target object ':team2' evaluated as #{@team.inspect} did not respond to any of the following: has_permission")
+          end
         end
       end
     end
     context "for a named authorization" do
@@ -370,6 +569,15 @@ module Permit::Specs
           r = allow_rule :roles => :monkey_tech, :of => :maintenance
           r.matches?(@bob, binding).should be_false
         end
+        context "that does not exist" do
+          it "should raise an error" do
+            rule = allow_rule :roles => :site_admin, :of => :oops
+            lambda {
+              rule.matches? @bob, binding
+            }.should raise_error(PermitEvaluationError, "Target resource '@oops' did not exist in the given context.")
+          end
+        end
       end
       context "without a resource" do
@@ -395,6 +603,18 @@ module Permit::Specs
           r.matches?(@tom, binding).should be_false
         end
       end
+      context "with multiple resources" do
+        it "should return true if the person is authorized for one of the resources" do
+          r = allow_rule :roles => :admin, :of => [:hotness, :maintenance]
+          r.matches?(@bob, binding).should be_true
+        end
+        it "should return false if the person is not authorized for any of the resources" do
+          r = allow_rule :roles => :developer, :of => [:hotness, :maintenance]
+          r.matches?(@tom, binding).should be_false
+        end
+      end
     end
     context "for multiple named authorizations" do
@@ -422,6 +642,15 @@ module Permit::Specs
           r = allow_rule :roles => [:site_admin, :monkey_tech], :of => :maintenance
           r.matches?(@bob, binding).should be_false
         end
+        context "that does not exist" do
+          it "should raise an error" do
+            rule = allow_rule :roles => [:site_admin, :team_lead], :of => :oops
+            lambda {
+              rule.matches? @bob, binding
+            }.should raise_error(PermitEvaluationError, "Target resource '@oops' did not exist in the given context.")
+          end
+        end
       end
       context "without a resource" do
@@ -447,6 +676,90 @@ module Permit::Specs
           r.matches?(@tom, binding).should be_false
         end
       end
+      context "with multiple resources" do
+        it "should return true if the person is authorized for one of the resources" do
+          r = allow_rule :roles => [:developer, :site_admin], :of => [:hotness, :maintenance]
+          r.matches?(@bob, binding).should be_true
+        end
+        it "should return false if the person is not authorized for any of the resources" do
+          r = allow_rule :roles => [:admin, :site_admin], :of => [nil, :maintenance]
+          r.matches?(@tom, binding).should be_false
+        end
+      end
+    end
+    describe ":if condition" do
+      before {@guest = Guest.new}
+      context "for a proc" do
+        it "should properly call a proc" do
+          p = Proc.new {|person, b| return false}
+          p.should_receive(:call).with(@guest, instance_of(Binding))
+          r = allow_rule :roles => :everyone, :if => p
+          r.matches? @guest, binding
+        end
+        it "should not match when the condition is false" do
+          r = allow_rule :roles => :everyone, :if => Proc.new {|p,b| false}
+          r.matches?(@guest, binding).should be_false
+        end
+        it "should match when the condition is true" do
+          r = allow_rule :roles => :everyone, :if => Proc.new {|p,b| true}
+          r.matches?(@guest, binding).should be_true
+        end
+      end
+      context "for a method" do
+        it "should not match when the condition is false" do
+          r = allow_rule :roles => :everyone, :if => :false_conditional
+          r.matches?(@guest, binding).should be_false
+        end
+        it "should match when the condition is true" do
+          r = allow_rule :roles => :everyone, :if => :true_conditional
+          r.matches?(@guest, binding).should be_true
+        end
+      end
+    end
+    describe ":unless condition" do
+      before {@guest = Guest.new}
+      context "for a proc" do
+        it "should properly call a proc" do
+          p = Proc.new {|person, b| return false}
+          p.should_receive(:call).with(@guest, instance_of(Binding))
+          r = allow_rule :roles => :everyone, :unless => p
+          r.matches? @guest, binding
+        end
+        it "should not match when the condition is true" do
+          r = allow_rule :roles => :everyone, :unless => Proc.new {|p,b| true}
+          r.matches?(@guest, binding).should be_false
+        end
+        it "should match when the condition is false" do
+          r = allow_rule :roles => :everyone, :unless => Proc.new {|p,b| false}
+          r.matches?(@guest, binding).should be_true
+        end
+      end
+      context "for a method" do
+        it "should not match when the condition is true" do
+          r = allow_rule :roles => :everyone, :unless => :true_conditional
+          r.matches?(@guest, binding).should be_false
+        end
+        it "should match when the condition is false" do
+          r = allow_rule :roles => :everyone, :unless => :false_conditional
+          r.matches?(@guest, binding).should be_true
+        end
+      end
     end
   end
 end