permit 0.9.0

data/spec/models/person_spec.rb

@@ -0,0 +1,278 @@
+require File.dirname(__FILE__) + '/../spec_helper'
+
+module Permit::Specs
+  describe "Permit::Models::Extensions::permit_person" do
+    
+    context "created instance methods" do
+      it "#authorizations should have all of the person's current authorizations" do
+
+      end
+
+      context "for checking authorizations" do
+        before do
+          @bob = Person.create :name => "bob"
+          @tom = Person.create :name => "tom"
+          @hotness = Project.create(:name => "hotness")
+          @maintenance = Project.create(:name => "maintenance")
+          Role.create :key => :site_admin, :name => 'site admin', :authorize_resource => false, :requires_resource => false
+          new_authz @bob, :site_admin, nil
+          new_authz @bob, :admin, @maintenance
+          new_authz @bob, :developer, @maintenance
+          new_authz @bob, :team_lead, @hotness
+
+          new_authz @tom, :admin, @hotness
+        end
+
+        context "#authorized?" do
+          it "should return true if the person has any of the roles for the resource" do
+            @bob.should be_authorized(:admin, @maintenance)
+          end
+
+          it "should return true if the person has any of the resources for the passed in Role object" do
+            r = Role.find_by_key 'admin'
+            @bob.should be_authorized(r, @maintenance)
+          end
+
+          it "should return false if the person does not have any of the roles for the resource" do
+            @bob.should_not be_authorized(:admin, @hotness)
+          end
+
+          it "should return false for a role that doesn't exist" do
+            @bob.should_not be_authorized(:lead_monkey_tech, @maintenance)
+          end
+
+          it "should return true if the person has a nil resource authorization for a role" do
+            @bob.should be_authorized(:site_admin, nil)
+          end
+        end
+
+        context "#authorized_all?" do
+          it "should return true if the person matches all of the roles for the resource" do
+            @bob.should be_authorized_all([:admin, :developer], @maintenance)
+          end
+
+          it "should return true if the person matches all of the roles for the resource when a Role object is passed" do
+            r = Role.find_by_key 'developer'
+            @bob.should be_authorized_all([r, :admin], @maintenance)
+          end
+
+          it "should return false if the person does not match all of the roles for the resource" do
+            @tom.should_not be_authorized_all([:admin, :team_lead], @hotness)
+          end
+
+          it "should return false if one of the roles does not exist" do
+            @tom.should_not be_authorized_all([:admin, :slinky_analyst], @hotness)
+          end
+        end
+      end
+
+      context "#authorize" do
+        before do
+          @sam = Person.create! :name => 'sam'
+          @superapp = Project.create! :name => 'superapp'
+          @dev = role(:developer)
+          @tester = role(:tester)
+        end
+
+        it "should authorize the person for all of the given roles" do
+          @sam.authorize([:developer, :tester], @superapp)
+          @sam.should have(2).authorizations
+          @sam.authorizations[0].role.key.should == 'developer'
+          @sam.authorizations[1].role.key.should == 'tester'
+        end
+
+        it "should authorize the person if given a role object" do
+          @sam.authorize([:developer, @tester], @superapp)
+          @sam.should have(2).authorizations
+          @sam.authorizations[0].role.key.should == 'developer'
+          @sam.authorizations[1].role.key.should == 'tester'
+        end
+
+        it "should authorize a person for a nil resource" do
+          @noresource = Role.create :key => 'noresource', :name => 'noresource', :requires_resource => false, :authorize_resource => false
+          @sam.authorize(@noresource, nil)
+          @sam.should have(1).authorization
+        end
+
+        it "should not duplicate an existing authorization for a person" do
+          @sam.authorize(:developer, @superapp)
+          @sam.authorize(:developer, @superapp)
+          @sam.should have(1).authorization
+        end
+
+        it "should raise an error if the authorization is invalid" do
+          lambda {
+            @sam.authorize(:chief_donkey_inspector, @superapp)
+          }.should raise_error(ActiveRecord::RecordInvalid, "Validation failed: Role can't be blank")
+        end
+
+        it "should return true if authorization is successful" do
+          @sam.authorize(:tester, @superapp).should be_true
+        end
+
+        it "should return true even if there are no authorizations to grant" do
+          @sam.authorize(:tester, @superapp)
+          @sam.authorize(:tester, @superapp).should be_true
+        end
+
+        it "should perform the authorizations in a transaction" do
+          # TODO: Find a way to spec. Can't seem to be done with sqlite because 
+          # of nested transactions not being allowed?
+        end
+      end
+
+      context "revocations" do
+        before do
+          @sam = Person.create! :name => 'sam'
+          @superapp = Project.create! :name => 'superapp'
+          @lameapp = Project.create! :name => 'lameapp'
+          @dev = role(:developer)
+          @tester = role(:tester)
+
+          @sam.authorize [@dev, @tester], @superapp
+          @sam.authorize @dev, @lameapp
+        end
+
+        shared_examples_for "all revocations" do
+          it "should revoke all of the given roles on the given resource from the current person" do
+            @sam.send @revoke_method, [:developer, :tester], @superapp
+            @sam.should have(1).authorization
+            @sam.authorizations[0].resource.should == @lameapp
+          end
+
+          it "should revoke an authorization when given a role object" do
+            @sam.send @revoke_method, [@dev, @tester], @superapp
+            @sam.should have(1).authorization
+            @sam.authorizations[0].resource.should == @lameapp
+          end
+
+          it "should not revoke an identical authorization for another person" do
+            @bob = Person.create! :name => 'bob'
+            @bob.authorize :developer, @superapp
+
+            @sam.send @revoke_method, :developer, @superapp
+            @bob.should have(1).authorization
+          end
+
+          it "should revoke an authorization with a nil resource" do 
+            @noresource = Role.create :key => 'noresource', :name => 'noresource', :requires_resource => false, :authorize_resource => false
+            @sam.authorize(@noresource, nil)
+
+            @sam.send @revoke_method, :noresource, nil
+            @sam.should_not be_authorized(:noresource, nil)
+          end
+          
+          it "should raise an error if a revocation fails" do
+            Authorization.stub!(@ar_remove_method).and_raise(ActiveRecord::ActiveRecordError)
+            lambda {
+              @sam.send @revoke_method, :developer, @superapp
+            }.should raise_error(ActiveRecord::ActiveRecordError)
+          end
+
+          it "should perform revocations in a transaction" do
+            # TODO: Find a way to spec. Can't seem to be done with sqlite 
+            # because of nested transactions not being allowed?
+          end
+
+        end
+
+        context "#revoke" do
+          before do
+            @revoke_method = :revoke
+            @ar_remove_method = :destroy_all
+          end
+
+          it_should_behave_like "all revocations"
+
+          it "should return the revoked roles" do
+            revoked = @sam.revoke([:developer, :tester], @superapp)
+            revoked.size.should == 2
+            revoked[0].resource.should == @superapp
+            revoked[0].role.should == @dev
+            revoked[1].resource.should == @superapp
+            revoked[1].role.should == @tester
+          end
+        end
+
+        context "#revoke!" do
+          before do
+            @revoke_method = :revoke!
+            @ar_remove_method = :delete_all
+          end
+          
+          it_should_behave_like "all revocations"
+
+          it "should return the number of revoked roles" do
+            @sam.revoke!([:developer, :tester], @superapp).should == 2
+          end
+        end
+      end
+
+      context "for finding authorizations for a given resource" do
+        before do
+          @bob = Person.create :name => "bob"
+          @tom = Person.create :name => "tom"
+          @hotness = Project.create(:name => "hotness")
+          @maintenance = Project.create(:name => "maintenance")
+          Role.create :key => :site_admin, :name => 'site admin', :authorize_resource => false, :requires_resource => false
+          new_authz @bob, :site_admin, nil
+          new_authz @bob, :admin, @maintenance
+          new_authz @bob, :developer, @maintenance
+          new_authz @bob, :team_lead, @hotness
+
+          new_authz @tom, :admin, @hotness
+        end
+
+        it "#authorizations.roles_for should return the roles the current person has for the resource" do
+          roles = @bob.authorizations.roles_for @maintenance
+          roles.should have(2).items
+          roles[0].key.should == 'admin'
+          roles[1].key.should == 'developer'
+        end
+
+        it "#authorizations.for should return the authorizations the current person has for the resource" do
+          authz = @bob.authorizations.for @maintenance
+          authz.should have(2).items
+          authz[0].role.key.should == 'admin'
+          authz[0].resource.should == @maintenance
+          authz[1].role.key.should == 'developer'
+          authz[1].resource.should == @maintenance
+        end
+      end
+
+      context "for finding authorizations for given roles" do
+        before do
+          @bob = Person.create :name => "bob"
+          @tom = Person.create :name => "tom"
+          @hotness = Project.create(:name => "hotness")
+          @maintenance = Project.create(:name => "maintenance")
+          Role.create :key => :site_admin, :name => 'site admin', :authorize_resource => false, :requires_resource => false
+          new_authz @bob, :site_admin, nil
+          new_authz @bob, :admin, @maintenance
+          new_authz @bob, :developer, @maintenance
+          new_authz @bob, :team_lead, @hotness
+          new_authz @tom, :admin, @hotness
+        end
+
+        it "#authorizations.resources_as should return the roles the current person has for the resource" do
+          resources = @bob.authorizations.resources_as [:admin, :team_lead]
+          resources.should have(2).items
+          resources[0].should == @maintenance
+          resources[1].should == @hotness
+        end
+
+        it "#authorizations.resources_as should not return duplicates" do
+          resources = @bob.authorizations.resources_as [:admin, :developer]
+          resources.should have(1).item
+        end
+
+        it "#authorizations_as should return the authorizations the current person has for the given roles" do
+          authz = @bob.authorizations.as :admin
+          authz.should have(1).item
+          authz[0].role.key.should == 'admin'
+          authz[0].resource.should == @maintenance
+        end
+      end
+    end
+  end
+end

data/spec/models/role_spec.rb

@@ -0,0 +1,121 @@
+require File.dirname(__FILE__) + '/../spec_helper'
+
+module Permit::Specs
+  describe "Permit::Models::Role#permit_role" do
+    describe "validations" do
+      it "should be invalid without a key" do
+        r = Role.new
+        r.should_not be_valid
+        r.should have(1).error_on(:key)
+        r.errors[:key].should == "can't be blank"
+      end
+
+      it "should be invalid with a non-unique key" do
+        Role.create :key => :test_role, :name => 'Test Role'
+        r = Role.new :key => 'test_role'
+        r.should_not be_valid
+        r.should have(1).error_on(:key)
+        r.errors[:key].should == "has already been taken"
+      end
+
+      it "should be invalid without a name" do
+        r = Role.new
+        r.should_not be_valid
+        r.should have(1).error_on(:name)
+        r.errors[:name].should == "can't be blank"
+      end
+
+      it "should be invalid if it requires a resource but doesn't allow resources" do
+        r = Role.new 
+        r.authorize_resource = false
+        r.requires_resource = true
+        r.should_not be_valid
+        r.should have(1).error_on(:requires_resource)
+        r.errors[:requires_resource].should == "cannot be true if authorize_resource is false"
+      end
+
+      it "should be valid with valid attributes" do
+        r = Role.new
+        r.key = :project_admin
+        r.name = "Project Administrator"
+        r.should be_valid
+      end
+    end
+
+    describe "resource requirement" do
+      it "should default authorize_resource to true" do
+        r = Role.new
+        r.authorize_resource.should be_true
+      end
+
+      it "should default requires_resource to true" do
+        r = Role.new 
+        r.requires_resource.should be_true
+      end
+    end
+
+    context "created instance methods" do
+      describe "setting the key" do
+        it "should convert the key to lower-case" do
+          r = Role.new
+          r.key = "Some_Role!"
+          r.key.should == "some_role!"
+        end
+
+        it "should convert the key from a symbol to a string" do
+          r = Role.new
+          r.key = :symbol_role
+          r.key.should == "symbol_role"
+        end
+
+        it "should not fail when given nil" do
+          r = Role.new :key => 'bob'
+          r.key = nil
+          r.key.should be_nil
+        end
+      end
+
+      
+      context "for finding authorizations for a given resource" do
+        before do
+          @bob = Person.create :name => "bob"
+          @tom = Person.create :name => "tom"
+          @hotness = Project.create(:name => "hotness")
+          @maintenance = Project.create(:name => "maintenance")
+          Role.create :key => :site_admin, :name => 'site admin', :authorize_resource => false, :requires_resource => false
+          @admin = Role.create :key => 'admin', :name => 'admin'
+          new_authz @bob, :site_admin, nil
+          new_authz @bob, :developer, @maintenance
+          new_authz @bob, :team_lead, @hotness
+          @bob.authorize @admin, @maintenance
+
+          @tom.authorize @admin, @hotness
+        end
+
+        it "#authorizations.people_for should return the people authorized for the resource on the current role" do
+          @jack = Person.create :name => 'jack'
+          @jack.authorize @admin, @maintenance
+          people = @admin.authorizations.people_for @maintenance
+          people.should have(2).items
+          people[0].should == @bob
+          people[1].should == @jack
+        end
+
+        it "#authorizations.for should return the authorizations the current role has for the resource" do
+          authz = @admin.authorizations.for @maintenance
+          authz.should have(1).items
+          authz[0].role.key.should == 'admin'
+          authz[0].person.should == @bob
+          authz[0].resource.should == @maintenance
+        end
+
+        it "#authorizations should have all authorizations that apply to the current role" do
+          @admin.authorizations.should have(2).items
+          @admin.authorizations[0].person.should == @bob
+          @admin.authorizations[1].person.should == @tom
+        end
+      end
+    end
+
+  end
+end

data/spec/permit/controller_spec.rb

@@ -0,0 +1,308 @@
+require File.dirname(__FILE__) + '/../spec_helper'
+
+module Permit::Specs
+  class EmployeeAdmin < ActiveRecord::Base
+  end
+
+  class BaseController < ActionController::Base
+    include Permit::ControllerExtensions
+
+    def current_person; end
+  end
+
+  class ProjectsController < BaseController
+    permit :some_option => true do
+      deny :guest, :from => :all
+      allow :person, :to => :all
+    end
+
+    before_filter :something_after_permit
+
+    def index
+      render :text => 'index called'
+    end
+
+    def show
+      render :text => 'show called'
+    end
+
+    def something_after_permit; end
+
+    def access_denied
+      render :text => 'guest denied', :status => 401
+    end
+
+    #These methods are just to aid in testing
+    def pub_authorized?(roles, resource)
+      authorized?(roles, resource)
+    end
+
+    def pub_allowed?(roles, options = {})
+      allowed?(roles, options)
+    end
+
+    def pub_denied?(roles, options = {})
+      denied?(roles, options)
+    end
+  end
+
+  class TeamsController < BaseController
+    permit :default_access => :allow do
+      deny :guest, :from => :index
+    end
+  end
+
+  class DefinedDenialsController < ActionController::Base
+    include Permit::ControllerExtensions
+
+    permit do
+      deny :everyone, :from => :all
+    end
+
+    def index;end
+
+    def current_person; end
+
+    def access_denied
+      render :text => 'base denied message', :status => 401
+    end
+  end
+
+  ActionController::Routing::Routes.draw do |map|
+    map.namespace :permit do |p|
+      p.namespace :specs do |s|
+        s.resources :projects
+        s.resources :defined_denials
+      end
+    end
+  end
+
+  describe ControllerExtensions, :type => :controller do
+    controller_name 'permit/specs/projects'
+
+    describe "#permit" do
+      it "should create the rules in permit_rules" do
+      end
+
+      it "should send any given options to permit_rules" do
+        controller.permit_rules.options[:some_option].should be_true
+      end
+
+      it "should have the same rules as another instance of the same controller" do
+        controller.permit_rules.should be(ProjectsController.new.permit_rules)
+      end
+
+      it "should not have the same rules as another controller" do
+        teams = TeamsController.new
+        teams.permit_rules.action_allow_rules.should have(0).item
+        teams.permit_rules.action_deny_rules.should have(1).item
+        team_deny_rule = teams.permit_rules.action_deny_rules[:index][0]
+        team_deny_rule.roles.should == [:guest]
+
+        controller.permit_rules.action_allow_rules.should have(1).item
+        controller.permit_rules.action_deny_rules.should have(1).item
+
+        project_allow_rule = controller.permit_rules.action_allow_rules[:all][0]
+        project_allow_rule.roles.should == [:person]
+
+        project_deny_rule = controller.permit_rules.action_deny_rules[:all][0]
+        project_deny_rule.roles.should == [:guest]
+      end
+    end
+
+    describe "checking authorizations" do
+      it "should properly call @@permit_rules#permitted? when checking authorizations" do
+        guest = Guest.new
+        controller.stub!(:current_person).and_return(guest)
+        controller.permit_rules.should_receive(:permitted?).with(guest, :show, instance_of(Binding)).and_return(false)
+        get :show, :id => 1
+      end
+
+      describe "when authorized" do
+        it "should call the action" do
+          controller.stub!(:current_person).and_return(Person.create :name => 'bob')
+          get :index
+          response.body.should == 'index called'
+        end
+      end
+
+      describe "when not authorized" do
+        before do
+          controller.stub!(:current_person).and_return(Guest.new)
+        end
+
+        it "should stop the before_filter chain if not authorized" do
+          controller.should_not_receive(:something_after_permit)
+          get :index
+        end
+
+        it "should not call the action" do
+          controller.should_not_receive(:index)
+          get :index
+        end
+
+        it "should have a 401 status" do
+          get :index
+          response.status.should == '401 Unauthorized'
+        end
+
+        it "should render a 401 error" do
+          get :index
+          response.body.should == "guest denied"
+        end
+      end
+
+      describe "getting the authorization subject" do
+        it "should use the config value when present" do
+          Permit::Config.stub!(:controller_subject_method).and_return(:logged_user)
+          controller.should_receive(:logged_user).and_return(Guest.new)
+          get :index
+        end
+
+        it "should infer the method name from the config person_class" do
+          Permit::Config.stub!(:person_class).and_return(Permit::Specs::EmployeeAdmin)
+          controller.should_receive(:current_employee_admin).and_return(Guest.new)
+          get :index
+        end
+
+        it "should default to 'current_person'" do
+          Permit::Config.stub!(:controller_subject_method).and_return(nil)
+          Permit::Config.stub!(:person_class).and_return(nil)
+          controller.should_receive(:current_person).and_return(Guest.new)
+          get :index
+        end
+      end
+    end
+
+    describe "helpers" do
+      describe "#authorized?" do
+        context "for a guest" do
+          before {controller.stub!(:current_person).and_return(Guest.new)}
+
+          it "should return false for a guest" do
+            controller.pub_authorized?(:some_role, :any).should be_false
+          end
+
+          it "should not try to call #authorized? on the guest" do
+            controller.current_person.should_not_receive(:authorized?)
+          end
+        end
+
+        context "for an authenticated person" do
+          before do
+            @bob = Person.create! :name => 'bob'
+            new_authz @bob, :admin
+
+            controller.stub!(:current_person).and_return(@bob)
+          end
+
+          it "should properly call #authorized? on the person" do
+            @bob.should_receive(:authorized?).with(:admin, :any)
+            controller.pub_authorized?(:admin, :any)
+          end
+
+          it "should return false if the person is not authorized" do
+            controller.pub_authorized?(:monkey_tech, nil).should be_false
+          end
+
+          it "should return true if the person is authorized" do
+            controller.pub_authorized?(:admin, :any).should be_true
+          end
+        end
+      end
+
+      describe "#allowed?" do
+        it "should properly build the rule" do
+          controller.stub!(:current_person).and_return(Guest.new)
+          rule = PermitRule.new :admin, :on => :team
+          PermitRule.should_receive(:new).with(:admin, hash_including(:on => :team)).and_return(rule)
+          controller.pub_allowed?(:admin, :on => :team)
+        end
+
+        it "should properly call #matches? on the rule" do
+          bob = Person.create! :name => 'bob'
+          controller.stub!(:current_person).and_return(bob)
+          rule = PermitRule.new :guest
+          rule.should_receive(:matches?).with(bob, instance_of(Binding))
+          PermitRule.stub!(:new).and_return(rule)
+          controller.pub_allowed?(:guest)
+        end
+
+        it "should return the result of the rule match" do
+          controller.stub!(:current_person).and_return(Guest.new)
+          rule = PermitRule.new :guest
+          PermitRule.stub!(:new).and_return(rule)
+
+          rule.stub!(:matches?).and_return(true)
+          controller.pub_allowed?(:guest).should be_true
+          
+          rule.stub!(:matches?).and_return(false)
+          controller.pub_allowed?(:guest).should be_false
+        end
+      end
+
+      describe "#denied?" do
+        it "should properly build the rule" do
+          controller.stub!(:current_person).and_return(Guest.new)
+          rule = PermitRule.new :admin, :on => :team
+          PermitRule.should_receive(:new).with(:admin, hash_including(:on => :team)).and_return(rule)
+          controller.pub_denied?(:admin, :on => :team)
+        end
+
+        it "should properly call #matches? on the rule" do
+          bob = Person.create! :name => 'bob'
+          controller.stub!(:current_person).and_return(bob)
+          rule = PermitRule.new :guest
+          rule.should_receive(:matches?).with(bob, instance_of(Binding))
+          PermitRule.stub!(:new).and_return(rule)
+          controller.pub_denied?(:guest)
+        end
+
+        it "should return the opposite of the rule match" do
+          controller.stub!(:current_person).and_return(Guest.new)
+          rule = PermitRule.new :guest
+          PermitRule.stub!(:new).and_return(rule)
+
+          rule.stub!(:matches?).and_return(true)
+          controller.pub_denied?(:guest).should be_false
+          
+          rule.stub!(:matches?).and_return(false)
+          controller.pub_denied?(:guest).should be_true
+        end
+      end
+    end
+
+    describe "resetting core models" do
+      before {controller.stub!(:current_person).and_return(Guest.new)}
+
+      it "should reset the core models in development mode" do
+        # Can't find a good way to test this since development mode needs to be
+        # simulated before the controller is loaded.
+
+        #Rails.env.stub!(:development?).and_return(true)
+        #Permit::Config.should_receive(:reset_core_models)
+        #get :index
+      end
+
+      it "should not reset the core models when not in dev mode" do 
+        controller.should_not_receive(:reset_permit_core)
+        Permit::Config.should_not_receive(:reset_core_models)
+        get :index
+      end
+    end
+  end
+
+  describe ControllerExtensions, :type => :controller do
+    controller_name 'permit/specs/defined_denials'
+
+    describe "checking authorizations" do
+      context "when #access_denied is previously defined in the class" do
+        it "should call the class's method" do
+          controller.stub!(:current_person).and_return(Guest.new)
+          get :index
+          response.body.should == 'base denied message'
+        end
+      end
+    end
+  end
+end