permitter 0.0.1

data/spec/dummy/public/404.html

@@ -0,0 +1,58 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>The page you were looking for doesn't exist (404)</title>
+  <style>
+  body {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+  }
+
+  div.dialog {
+    width: 25em;
+    margin: 4em auto 0 auto;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 4em 0 4em;
+  }
+
+  h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
+
+  body > p {
+    width: 33em;
+    margin: 0 auto 1em;
+    padding: 1em 0;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow:0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/404.html -->
+  <div class="dialog">
+    <h1>The page you were looking for doesn't exist.</h1>
+    <p>You may have mistyped the address or the page may have moved.</p>
+  </div>
+  <p>If you are the application owner check the logs for more information.</p>
+</body>
+</html>

data/spec/dummy/public/422.html

@@ -0,0 +1,58 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>The change you wanted was rejected (422)</title>
+  <style>
+  body {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+  }
+
+  div.dialog {
+    width: 25em;
+    margin: 4em auto 0 auto;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 4em 0 4em;
+  }
+
+  h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
+
+  body > p {
+    width: 33em;
+    margin: 0 auto 1em;
+    padding: 1em 0;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow:0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/422.html -->
+  <div class="dialog">
+    <h1>The change you wanted was rejected.</h1>
+    <p>Maybe you tried to change something you didn't have access to.</p>
+  </div>
+  <p>If you are the application owner check the logs for more information.</p>
+</body>
+</html>

data/spec/dummy/public/500.html

@@ -0,0 +1,57 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>We're sorry, but something went wrong (500)</title>
+  <style>
+  body {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+  }
+
+  div.dialog {
+    width: 25em;
+    margin: 4em auto 0 auto;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 4em 0 4em;
+  }
+
+  h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
+
+  body > p {
+    width: 33em;
+    margin: 0 auto 1em;
+    padding: 1em 0;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow:0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/500.html -->
+  <div class="dialog">
+    <h1>We're sorry, but something went wrong.</h1>
+  </div>
+  <p>If you are the application owner check the logs for more information.</p>
+</body>
+</html>

data/spec/factories/project.rb

@@ -0,0 +1,6 @@
+FactoryGirl.define do
+  factory :project do
+    sequence (:title) { |n| "ti#{n}tle" }
+    sticky false
+  end
+end

data/spec/factories/user.rb

@@ -0,0 +1,10 @@
+FactoryGirl.define do
+  factory :user do
+    sequence (:username) { |n| "user#{n}name" }
+
+    factory :admin do
+      admin true
+    end
+
+  end
+end

data/spec/models/permission_spec.rb

@@ -0,0 +1,72 @@
+require "spec_helper"
+
+describe Permission do
+  let(:admin) { build(:admin) }
+  let(:user1) { create(:user) }
+  let(:user2) { create(:user) }
+  let(:project1) { build(:project, user: user1) }
+  let(:project2) { build(:project, user: user2) }
+
+
+  describe "as admin" do
+    subject { Permission.new(admin) }
+
+    it "allows anything" do
+      should allow_action(:anything, :here)
+      should allow_param(:anything, :here)
+    end
+  end
+
+
+  describe "for user" do
+    subject { Permission.new(user1) }
+
+    it "projects" do
+      should allow_action(:projects, :index)
+      should allow_action(:projects, :new)
+      should allow_action(:projects, :create)
+      should allow_action(:projects, :show)
+      should_not allow_action(:projects, :edit)
+      should_not allow_action(:projects, :update)
+      should_not allow_action(:projects, :edit, project2)
+      should_not allow_action(:projects, :update, project2)
+      should allow_action(:projects, :edit, project1)
+      should allow_action(:projects, :update, project1)
+      should_not allow_action(:projects, :destroy)
+      should_not allow_action(:projects, :destroy, project1)
+      should_not allow_action(:projects, :destroy, project2)
+      should allow_param(:project, :title)
+      should_not allow_param(:project, :sticky)
+    end
+
+    it 'users' do
+      should allow_action(:users, :index)
+      should_not allow_action(:users, :show)
+      should_not allow_action(:users, :show, user2)
+      should allow_action(:users, :show, user1)
+    end
+  end
+
+
+  describe "for visitor" do
+    subject { Permission.new(nil) }
+
+    it "projects" do
+      should allow_action(:projects, :index)
+      should_not allow_action(:projects, :new)
+      should_not allow_action(:projects, :create)
+      should_not allow_action(:projects, :show)
+      should_not allow_action(:projects, :edit)
+      should_not allow_action(:projects, :update)
+      should_not allow_action(:projects, :destroy)
+      should_not allow_action(:projects, :show, project1)
+      should_not allow_action(:projects, :edit, project1)
+      should_not allow_action(:projects, :update, project1)
+      should_not allow_action(:projects, :destroy, project1)
+      should_not allow_action(:projects, :show, project2)
+      should_not allow_action(:projects, :edit, project2)
+      should_not allow_action(:projects, :update, project2)
+      should_not allow_action(:projects, :destroy, project2)
+    end
+  end
+end

data/spec/permitter/controller_additions_spec.rb

@@ -0,0 +1,44 @@
+require "spec_helper"
+
+class StubbedPermission
+  include Permitter::Permission
+
+  def initialize(user)
+    allow_action :foo, :bar
+  end
+
+end
+
+
+describe Permitter::ControllerAdditions do
+  before(:each) do
+    @params = HashWithIndifferentAccess.new
+    @current_user = nil
+
+    @controller_class = Class.new
+    @controller = @controller_class.new
+
+    @controller.stub(:params) { @params }
+    @controller_class.stub(:helper_method) { :helper_method }
+    @controller.stub(:current_permissions) { StubbedPermission.new(@current_user) }
+
+    @controller_class.send(:include, Permitter::ControllerAdditions)
+  end
+
+  it "provides an allowed_action? method which goes through the current permissions" do
+    expect(@controller.allowed_action?(:foo, :bar)).to be true
+    expect(@controller.allowed_action?(:foo, :baz)).to be false
+  end
+
+  it "authorize_user! should raise Unauthorized when user not authoried" do
+    authorization = ->(action) do
+      @params.merge!(controller: "foo", action: action)
+      @controller.instance_eval{ authorize_user! }
+    end
+
+    expect(-> {authorization.call('bar')}).to_not raise_error
+    expect(-> {authorization.call('baz')}).to raise_error Permitter::Unauthorized
+  end
+
+
+end

data/spec/permitter/exceptions_spec.rb

@@ -0,0 +1,36 @@
+require "spec_helper"
+
+describe Permitter::Unauthorized do
+  describe "with action and subject" do
+    before(:each) do
+      @exception = Permitter::Unauthorized.new(nil, :some_action, :some_subject)
+    end
+
+    it "has action and subject accessors" do
+      expect(@exception.action).to eq :some_action
+      expect(@exception.subject).to eq :some_subject
+    end
+
+    it "has a changable default message" do
+      expect(@exception.message).to eq "You are not authorized to access this page."
+      @exception.default_message = "Unauthorized!"
+      expect(@exception.message).to eq "Unauthorized!"
+    end
+  end
+
+  describe "with only a message" do
+    before(:each) do
+      @exception = Permitter::Unauthorized.new("Access denied!")
+    end
+
+    it "has nil action and subject" do
+      expect(@exception.action).to be nil
+      expect(@exception.subject).to be nil
+    end
+
+    it "has passed message" do
+      expect(@exception.message).to eq "Access denied!"
+    end
+  end
+
+end

data/spec/permitter/matchers_spec.rb

@@ -0,0 +1,9 @@
+require "spec_helper"
+
+describe "allow_action" do
+  it "delegates to allow_action?" do
+    object = Object.new
+    expect(object).to receive(:allowed_action?).with(:foo, :bar) { true }
+    expect(object).to allow_action(:foo, :bar)
+  end
+end

data/spec/permitter/model_additions_spec.rb

@@ -0,0 +1,138 @@
+require "spec_helper"
+
+class Category < ActiveRecord::Base
+  unless connection.tables.include?(table_name)
+    connection.create_table(table_name) do |t|
+      t.boolean :visible
+    end
+  end
+  has_many :articles
+end
+
+class Article < ActiveRecord::Base
+  unless connection.tables.include?(table_name)
+    connection.create_table(table_name) do |t|
+      t.integer :category_id
+      t.string :name
+      t.boolean :published
+      t.boolean :secret
+      t.integer :priority
+    end
+  end
+  belongs_to :category
+  has_many :comments
+end
+
+class Comment < ActiveRecord::Base
+  unless connection.tables.include?(table_name)
+    connection.create_table(table_name) do |t|
+      t.integer :article_id
+      t.boolean :spam
+    end
+  end
+  belongs_to :article
+end
+
+describe Permitter::ModelAdditions do
+  before do
+    Article.delete_all
+    Comment.delete_all
+
+    @permissions = Object.new
+    @permissions.extend(Permitter::Permission)
+
+    @article_table = Article.table_name
+    @comment_table = Comment.table_name
+  end
+
+  it "does not fetch any records when no permissions are defined" do
+    Article.create!
+
+    expect(Article.permitted_by(@permissions)).to be_empty
+  end
+
+  it "fetches all articles when one can read all" do
+    @permissions.allow_action(:articles, :show)
+
+    article1 = Article.create!
+    article2 = Article.create!
+
+    expect(@permissions).to allow_action(:articles, :show)
+    expect(Article.permitted_by(@permissions)).to eq([article1, article2])
+  end
+
+  it "fetches only the articles that are published" do
+    block = Proc.new { |article| article.published == true }
+
+    @permissions.allow_action(:articles, :show, &block)
+
+    article1 = Article.create!(published: true)
+    article2 = Article.create!(published: false)
+
+    expect(@permissions).to allow_action(:articles, :show, article1)
+    expect(@permissions).to_not allow_action(:articles, :show, article2)
+    expect(Article.permitted_by(@permissions)).to eq([article1])
+  end
+
+  it "fetches any articles which are published or secret" do
+    block = Proc.new { |article| (article.published == true) | (article.secret == true) }
+
+    @permissions.allow_action(:articles, :show, &block)
+
+    article1 = Article.create!(published: true,  secret: false)
+    article2 = Article.create!(published: true,  secret: true)
+    article3 = Article.create!(published: false, secret: true)
+    article4 = Article.create!(published: false, secret: false)
+
+    expect(@permissions).to allow_action(:articles, :show, article1)
+    expect(@permissions).to allow_action(:articles, :show, article2)
+    expect(@permissions).to allow_action(:articles, :show, article3)
+    expect(@permissions).to_not allow_action(:articles, :show, article4)
+    expect(Article.permitted_by(@permissions)).to eq([article1, article2, article3])
+  end
+
+  it "fetches only the articles that are published and not secret" do
+    block = Proc.new { |article| (article.published == true) & (article.secret == false) }
+
+    @permissions.allow_action(:articles, :show, &block)
+
+    article1 = Article.create!(published: true,  secret: false)
+    article2 = Article.create!(published: true,  secret: true)
+    article3 = Article.create!(published: false, secret: true)
+    article4 = Article.create!(published: false, secret: false)
+
+    expect(@permissions).to allow_action(:articles, :show, article1)
+    expect(@permissions).to_not allow_action(:articles, :show, article2)
+    expect(@permissions).to_not allow_action(:articles, :show, article3)
+    expect(@permissions).to_not allow_action(:articles, :show, article4)
+    expect(Article.permitted_by(@permissions)).to eq([article1])
+  end
+
+  it "only reads comments for articles which are published" do
+    block = Proc.new { article.published == true }
+
+    @permissions.allow_action(:comments, :permitted, &block)
+
+    comment1 = Comment.create!(article: Article.create!(published: true))
+    comment2 = Comment.create!(article: Article.create!(published: false))
+
+    @comments = Comment.joins(:article).permitted_by(@permissions, :permitted)
+    expect(@comments).to eq([comment1])
+
+    @comments = Comment.joins{article}.permitted_by(@permissions, :permitted)
+    expect(@comments).to eq([comment1])
+  end
+
+  it "only reads comments for visible categories through articles" do
+    block = Proc.new { article.category.visible == true }
+
+    @permissions.allow_action(:comments, :permitted, &block)
+
+    comment1 = Comment.create!(article: Article.create!(category: Category.create!(visible: true)))
+    comment2 = Comment.create!(article: Article.create!(category: Category.create!(visible: false)))
+
+    @comments = Comment.joins{article.category}.permitted_by(@permissions, :permitted)
+    expect(@comments).to eq([comment1])
+  end
+
+end