permit 0.9.0

data/lib/permit/support.rb

@@ -0,0 +1,67 @@
+module Permit
+  module Support
+    module ClassMethods
+      def class_symbol
+        class_name.underscore.to_sym
+      end
+
+      def plural_class_symbol
+        class_name.pluralize.underscore.to_sym
+      end
+
+      private
+      def permit_authorized_model(custom_options = {})
+        options = {:class_name => Permit::Config.authorization_class.name, :extend => Permit::Models::AssociationExtensions}.merge(custom_options)
+        has_many Permit::Config.authorization_class.plural_class_symbol, options 
+
+        class_eval <<-END
+          protected
+          def permit_authorizations_proxy
+            #{Permit::Config.authorization_class.plural_class_symbol}
+          end
+        END
+      end
+    end
+
+    # Converts an object to an array of that object if it is not already one.
+    #
+    # @param [Object] o the object to be made into an Array
+    # @return [Array] the object as an array.
+    def permit_arrayify(o)
+      Array===o ? o : [o]
+    end
+
+    protected
+    def authorization_conditions(role, resource, person = nil)
+      conditions = {}
+      conditions[Permit::Config.person_class.name.foreign_key] = person.id if person
+      conditions.merge! role_condition(role)
+      conditions.merge! resource_conditions(resource)
+    end
+
+    def role_condition(roles)
+      return {} unless roles
+
+      r = get_roles(roles)
+      ids = r.collect {|role| role.id}
+
+      return (ids.empty? ? {} : {Permit::Config.role_class.name.foreign_key => ids})
+    end
+
+    def resource_conditions(resource)
+      case resource
+      when :any then {}
+      when nil then {:resource_type => nil, :resource_id => nil}
+      else {:resource_type => resource.class.resource_type, :resource_id => resource.id}
+      end
+    end
+
+    def get_role(role)
+      role.is_a?(Permit::Config.role_class) ? role : Permit::Config.role_class.find_by_key(role)
+    end
+
+    def get_roles(roles)
+      permit_arrayify(roles).collect {|r| get_role(r)}.compact
+    end
+  end
+end

data/lib/permit.rb

@@ -0,0 +1,134 @@
+require File.dirname(__FILE__) + '/permit/support'
+require File.dirname(__FILE__) + '/permit/permit_rule'
+require File.dirname(__FILE__) + '/permit/permit_rules'
+require File.dirname(__FILE__) + '/permit/controller'
+require File.dirname(__FILE__) + '/models/association'
+require File.dirname(__FILE__) + '/models/role'
+require File.dirname(__FILE__) + '/models/person'
+require File.dirname(__FILE__) + '/models/authorization'
+require File.dirname(__FILE__) + '/models/authorizable'
+
+module Permit
+  # allow|deny [:named_role|:person|:all|:guest|[]],
+  #   (([:who|:that] => :method,)
+  #   [:of|:on] => :instance_var,)
+  #   :to => [:action|[]]
+  #   (,:if => <method_name or proc>)
+  #   (,:unless => <method_name or proc>)
+  #
+
+  # Raised when a {PermitRule} cannot be configured.
+  class PermitConfigurationError < StandardError; end
+
+  # Raised when an error occurs during evaluation of a {PermitRule}.
+  class PermitEvaluationError < StandardError; end
+
+  # Contains the configuration rules that Permit will apply during its 
+  # processing.
+  #
+  # +role_class+, +authorization_class+, and +person_class+ are the model 
+  # classes defined as representing their respective names by defining the 
+  # corresponding <tt>permit_*</tt> method.   +authorizable_classes+ is an array 
+  # of all classes that are authorizable to roles by having defined 
+  # +permit_authorizable+.
+  class Config
+    @@authorization_class, @@person_class, @@role_class = nil, nil, nil
+    @@models_defined = false
+    @@authorizable_classes = []
+    @@controller_subject_method = nil
+
+    @@action_aliases = {
+      :create => [:new, :create], 
+      :update => [:edit, :update], 
+      :destroy => [:delete, :destroy],
+      :read => [:index, :show], 
+      :write => [:new, :create, :edit, :update]
+    }
+
+    # Indicates the response returned by {PermitRules#permitted?} when no rules 
+    # match. If set to +:allow+ then the person will be granted access. If set 
+    # to anything else, they will be denied.
+    @@default_access = :deny
+
+    class << self
+      # The class that currently represents authorizations in the system, as set
+      # by {set_core_models}.
+      def authorization_class; @@authorization_class; end
+      # The class that currently represents authorization subjects in the
+      # system, as set by {set_core_models}.
+      def person_class; @@person_class; end
+      # The class that curretly represents roles in the system, as set by
+      # {set_core_models}.
+      def role_class; @@role_class; end
+      # Classes that are marked as authorizable resources using
+      # {Permit::Models::AuthorizableExtensions::AuthorizableClassMethods#permit_authorizable permit_authorizable}.
+      def authorizable_classes; @@authorizable_classes; end
+
+      # Actions that when given to {PermitRules#allow}, and {PermitRules#deny} 
+      # will be expanded into the actions given in the value array.
+      def action_aliases; @@action_aliases; end
+
+      # Indicates the response that PermitRules will take if no
+      # authorizations match. If set to +:allow+ then a subject will be given
+      # access unless denied. By default this is set to +:deny+
+      #
+      # @return the current default access.
+      def default_access; @@default_access; end
+
+      # Sets the response that PermitRules will use when no rules match.
+      #
+      # @param [:allow, :deny] access the default response to use.
+      def default_access=(access); @@default_access = access; end
+
+      # The method to use to retrieve the current authorization subject when
+      # rules are being evaluated. If nil, then the method will be inferred from
+      # the subject set in the call to {set_core_models}.
+      #
+      # @return [Symbol, nil]
+      def controller_subject_method; @@controller_subject_method; end
+
+      # Sets the name of the method to use to retrieve the current subject
+      # while checking authorizations. Set to nil, to infer the value from the
+      # subject set in {set_core_models}, or :current_person if named
+      # authorizations are not being used.
+      #
+      # @param [nil, Symbol] method a symbol representing the method to use.
+      def controller_subject_method=(method); @@controller_subject_method = method; end
+
+      # Sets the core authorization, person, and role models to be used for
+      # named authorizations, and configures them with their respective permit_*
+      # methods.
+      #
+      # @param [Class] authorization an ActiveRecord model representing
+      #   authorizations.
+      # @param [Class] person an ActiveRecord model representing
+      #   people.
+      # @param [Class] role an ActiveRecord model representing
+      #   roles.
+      def set_core_models(authorization, person, role)
+        #raise PermitConfigurationError, "Core models cannot be redefined." if @@models_defined
+
+        @@authorization_class = authorization
+        @@person_class = person
+        @@role_class = role
+
+        @@authorization_class.send :permit_authorization
+        @@person_class.send :permit_person
+        @@role_class.send :permit_role
+      end
+
+      # Forces Permit to reload its core classes based off of those given in the
+      # initial call to Permit::Config.set_core_models. This is primarily needed 
+      # so that Permit will work in Rails development mode because of class 
+      # caching/reloading. These variables hang onto the original models as they 
+      # were defined and end up in a weird state. Production does not experience 
+      # this problem.
+      def reset_core_models
+        authz = Object.const_get authorization_class.name
+        person = Object.const_get person_class.name
+        role = Object.const_get role_class.name
+        Permit::Config.set_core_models(authz, person, role)
+      end
+    end
+  end
+end

data/permit.gemspec

@@ -0,0 +1,91 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run the gemspec command
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{permit}
+  s.version = "0.9.0"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Steve Valaitis"]
+  s.date = %q{2010-03-27}
+  s.email = %q{steve@digitalnothing.com}
+  s.extra_rdoc_files = [
+    "README.mkd"
+  ]
+  s.files = [
+    ".gitignore",
+     ".yardopts",
+     "MIT-LICENSE",
+     "README.mkd",
+     "Rakefile",
+     "VERSION.yml",
+     "generators/permit/USAGE",
+     "generators/permit/permit_generator.rb",
+     "generators/permit/templates/authorization.rb",
+     "generators/permit/templates/initializer.rb",
+     "generators/permit/templates/migration.rb",
+     "generators/permit/templates/role.rb",
+     "init.rb",
+     "install.rb",
+     "lib/models/association.rb",
+     "lib/models/authorizable.rb",
+     "lib/models/authorization.rb",
+     "lib/models/person.rb",
+     "lib/models/role.rb",
+     "lib/permit.rb",
+     "lib/permit/controller.rb",
+     "lib/permit/permit_rule.rb",
+     "lib/permit/permit_rules.rb",
+     "lib/permit/support.rb",
+     "permit.gemspec",
+     "rails/init.rb",
+     "spec/models/alternate_models_spec.rb",
+     "spec/models/authorizable_spec.rb",
+     "spec/models/authorization_spec.rb",
+     "spec/models/person_spec.rb",
+     "spec/models/role_spec.rb",
+     "spec/permit/controller_spec.rb",
+     "spec/permit/permit_rule_spec.rb",
+     "spec/permit/permit_rules_spec.rb",
+     "spec/permit_spec.rb",
+     "spec/spec_helper.rb",
+     "spec/support/helpers.rb",
+     "spec/support/models.rb",
+     "spec/support/permits_controller.rb",
+     "tasks/permit_tasks.rake",
+     "uninstall.rb"
+  ]
+  s.homepage = %q{http://github.com/dnd/permit}
+  s.rdoc_options = ["--charset=UTF-8"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.3.5}
+  s.summary = %q{A flexible authorization plugin for Ruby on Rails.}
+  s.test_files = [
+    "spec/spec_helper.rb",
+     "spec/support/helpers.rb",
+     "spec/support/models.rb",
+     "spec/support/permits_controller.rb",
+     "spec/models/alternate_models_spec.rb",
+     "spec/models/person_spec.rb",
+     "spec/models/role_spec.rb",
+     "spec/models/authorizable_spec.rb",
+     "spec/models/authorization_spec.rb",
+     "spec/permit_spec.rb",
+     "spec/permit/permit_rules_spec.rb",
+     "spec/permit/controller_spec.rb",
+     "spec/permit/permit_rule_spec.rb"
+  ]
+
+  if s.respond_to? :specification_version then
+    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
+    else
+    end
+  else
+  end
+end
+

data/rails/init.rb

@@ -0,0 +1,7 @@
+#require 'permit'
+
+ActiveRecord::Base.send :include,
+  Permit::Models::AuthorizationExtensions,
+  Permit::Models::AuthorizableExtensions,
+  Permit::Models::RoleExtensions,
+  Permit::Models::PersonExtensions

data/spec/models/alternate_models_spec.rb

@@ -0,0 +1,54 @@
+require File.dirname(__FILE__) + '/../spec_helper'
+
+module Permit::Specs
+  class User < ActiveRecord::Base; end
+  class Entitlement < ActiveRecord::Base; end
+  class Job < ActiveRecord::Base; end
+
+  describe "Alternate core models" do
+    before :all do
+      @auth = Permit::Config.authorization_class
+      @person = Permit::Config.person_class
+      @role = Permit::Config.role_class
+
+      Permit::Config.set_core_models(Permit::Specs::Entitlement, Permit::Specs::User, Permit::Specs::Job)
+    end
+    
+    before do
+      @sam = User.create! :name => 'sam'
+      @superapp = Project.create! :name => 'superapp'
+      @lameapp = Project.create! :name => 'lameapp'
+      @dev = Job.create! :key => :developer, :name => 'developer'
+      @tester = Job.create! :key => :tester, :name => 'tester'
+
+      @sam.authorize [@dev, @tester], @superapp
+      @sam.authorize @dev, @lameapp
+    end
+
+    it "subject model should have an entitlements association" do
+      @sam.should have(3).entitlements
+    end
+
+    it "role model should have an entitlements association" do
+      @dev.should have(2).entitlements
+    end
+
+    describe "entitlements association" do
+      it "should have a users_as method" do
+        @dev.entitlements.users_as(@dev).should have(1).item
+      end
+
+      it "should have a users_for method" do
+        @dev.entitlements.users_for(@superapp).should have(1).item
+      end
+
+      it "should have a jobs_for method" do
+        @sam.entitlements.jobs_for(@superapp).should have(2).item
+      end
+    end
+    
+    after :all do
+      Permit::Config.set_core_models(@auth, @person, @role)
+    end
+  end
+end

data/spec/models/authorizable_spec.rb

@@ -0,0 +1,78 @@
+require File.dirname(__FILE__) + '/../spec_helper'
+
+module Permit::Specs
+  describe "Permit::Models::Authorizable#permit_authorizable" do
+    describe "defined method self#resource_type" do
+      it "should return the db resource_type value" do
+        Project.resource_type.should == 'Permit::Specs::Project'
+      end
+    end
+
+    context "created instance methods" do
+      before do
+        @bob = Person.create :name => "bob"
+        @tom = Person.create :name => "tom"
+        @hotness = Project.create(:name => "hotness")
+        @maintenance = Project.create(:name => "maintenance")
+        Role.create :key => :site_admin, :name => 'site admin', :authorize_resource => false, :requires_resource => false
+        new_authz @bob, :site_admin, nil
+        new_authz @bob, :admin, @maintenance
+        new_authz @bob, :developer, @maintenance
+        new_authz @bob, :team_lead, @hotness
+
+        new_authz @tom, :admin, @hotness
+      end
+
+      context "authorizations" do
+        it "should have all authorizations that apply to the current resource" do
+          @hotness.should have(2).authorizations
+          @hotness.authorizations[0].person.should == @bob
+          @hotness.authorizations[0].role.key.should == 'team_lead'
+          @hotness.authorizations[1].person.should == @tom
+          @hotness.authorizations[1].role.key.should == 'admin'
+        end
+      end
+      
+      context "for finding authorizations for given roles" do
+        before do
+          @bob = Person.create :name => "bob"
+          @tom = Person.create :name => "tom"
+          @hotness = Project.create(:name => "hotness")
+          @maintenance = Project.create(:name => "maintenance")
+          Role.create :key => :site_admin, :name => 'site admin', :authorize_resource => false, :requires_resource => false
+          new_authz @bob, :site_admin, nil
+          new_authz @bob, :admin, @maintenance
+          new_authz @bob, :developer, @maintenance
+          new_authz @bob, :team_lead, @hotness
+
+          new_authz @tom, :admin, @hotness
+        end
+
+        it "#authorizations.people_as should return the people as the roles for the current resource" do
+          @jack = Person.create :name => 'jack'
+          @jack.authorize :admin, @maintenance
+          people = @maintenance.authorizations.people_as :admin
+          people.should have(2).items
+          people[0].should == @bob
+          people[1].should == @jack
+        end
+
+        it "#authorizations.people_as should not contain duplicates" do
+          people = @maintenance.authorizations.people_as [:admin, :developer]
+          people.should have(1).item
+          people[0].should == @bob
+        end
+
+        it "#authorizations.as should return the authorizations for given roles on the current resource" do
+          authz = @maintenance.authorizations.as [:admin, :developer]
+          authz.should have(2).items
+          authz[0].person.should == @bob
+          authz[0].role.key.should == 'admin'
+          authz[1].person.should == @bob
+          authz[1].role.key.should == 'developer'
+
+        end
+      end
+    end
+  end
+end

data/spec/models/authorization_spec.rb

@@ -0,0 +1,77 @@
+require File.dirname(__FILE__) + '/../spec_helper'
+
+module Permit::Specs
+  describe "Permit::Models::AuthorizationExtensions#permit_authorization" do
+    describe "validations" do
+      it "should be invalid without a role" do
+        a = Authorization.new
+        a.should_not be_valid
+        a.should have(1).error_on(:role)
+        a.errors[:role].should == "can't be blank"
+      end
+
+      it "should be invalid without a person" do
+        a = Authorization.new
+        a.should_not be_valid
+        a.should have(1).error_on(:person)
+        a.errors[:person].should == "can't be blank"
+      end
+
+      it "should be invalid without a resource if the role requires one" do
+        r = Role.new :requires_resource => true
+        a = Authorization.new :role => r
+        a.should_not be_valid
+        a.should have(1).error_on(:resource)
+        a.errors[:resource].should == "can't be blank"
+      end
+
+      it "should be invalid with a resource if the role doesn't allow one" do
+        r = Role.new :authorize_resource => false, :requires_resource => false
+        a = Authorization.new :role => r
+        a.resource = Project.create :name => "First"
+
+        a.should_not be_valid
+        a.should have(1).error_on(:resource)
+        a.errors[:resource].should ==  "Specific resources may not be granted for this role."
+      end
+
+      it "should allow a resource if the role allows but doesn't require a resource" do
+        r = Role.new :authorize_resource => true, :requires_resource => false
+        a = Authorization.new :role => r
+        a.resource = Project.create :name => "First"
+
+        a.valid?
+        a.should have(0).errors_on(:resource)
+      end
+
+      it "should allow no resource if the role allows but doesn't require a resource" do
+        r = Role.new :authorize_resource => true, :requires_resource => false
+        a = Authorization.new :role => r
+
+        a.valid?
+        a.should have(0).errors_on(:resource)
+      end
+      
+      it "should be invalid if the person is already authorized for the given role and resource" do
+        p = Person.create :name => 'bob'
+        r = Role.create :key => :admin, :name => "Admin"
+        project = Project.create! :name => "First"
+        Authorization.create! :role => r, :person => p, :resource => project
+
+        a = Authorization.new :role => r, :person => p, :resource => project
+        a.should_not be_valid
+        a.should have(1).error_on(:role)
+        a.errors[:role].should == "This person is already authorized for this resource"
+      end
+
+      it "should be valid with valid attributes" do
+        p = Person.create :name => 'bob'
+        r = Role.create :key => :admin, :name => "Admin"
+        a = Authorization.new :role => r, :person => p
+        a.resource = Project.create :name => "First"
+
+        a.save.should be_true
+      end
+    end
+  end
+end