popel-active_acl_plus 0.4.4

data/lib/active_acl/base.rb

@@ -0,0 +1,29 @@
+module ActiveAcl
+  CONTROLLERS={}
+  GROUP_CLASSES={}
+  ACCESS_CLASSES={}
+  
+  def self.register_group(klass,handler)
+    GROUP_CLASSES[klass.base_class.name]=handler
+  end
+  def self.register_object(klass,handler)
+    ACCESS_CLASSES[klass.base_class.name]=handler
+  end
+  def self.group_handler(klass)
+    GROUP_CLASSES[klass.base_class.name]
+  end
+  def self.object_handler(klass)
+    ACCESS_CLASSES[klass.base_class.name]
+  end
+  def self.is_access_group?(klass)
+    !!GROUP_CLASSES[klass.base_class.name]
+  end
+  def self.is_access_object?(klass)
+    !!ACCESS_CLASSES[klass.base_class.name]
+  end
+  def self.from_classes 
+    ACCESS_CLASSES.keys.collect do |x| 
+      x.split('::').join('/').underscore.pluralize.to_sym
+    end
+  end
+end

data/lib/active_acl/cache/memcache_adapter.rb

@@ -0,0 +1,46 @@
+# This is a cache adapter for the second level cache
+# using the memcache daemon (http://www.danga.com/memcached).
+# Sets itself as the cache adapter if the source file is loaded so a simple
+# require is enough to activate the memcache. Before using the memcache, make sure to set MemcacheAdapter.cache.
+# 
+# In environment.rb:
+#   require 'active_acl/cache/memcache_adapter'
+#   ActiveAcl::Cache::MemcacheAdapter.cache = MemCache.new('localhost:11211', :namespace => 'my_namespace')
+# you can also set the time to leave:
+#   ActiveAcl::OPTIONS[:cache_privilege_timeout]= time_in_seconds
+#
+# Detailed instructions on how to set up the server can be found at http://dev.robotcoop.com/Libraries/memcache-client.
+class ActiveAcl::Cache::MemcacheAdapter
+
+  # returns the memcache server
+  def self.cache #:nodoc:
+    @@cache
+  end
+  
+  # sets the memcache server
+  def self.cache=(cache) #:nodoc:
+    @@cache = cache
+  end
+  
+  # get a value from the cache
+  def self.get(key) #:nodoc:
+    value = @@cache.get(key)
+    Rails.logger.debug 'GACL::SECOND_LEVEL_CACHE::' + (value.nil? ? 'MISS ' : 'HIT ')+ key.to_s
+    value
+  end
+  
+  # set a value to the cache, specifying the time to live (ttl). 
+  # Set ttl to 0 for unlimited.
+  def self.set(key, value, ttl) #:nodoc:
+    @@cache.set(key, value, ttl)
+    Rails.logger.debug 'GACL::SECOND_LEVEL_CACHE::SET ' + key.to_s + ' TO ' + value.inspect.to_s + ' TTL ' + ttl.to_s    
+  end
+  
+  # purge data from cache.
+  def self.delete(key) #:nodoc:
+    @@cache.delete(key)
+    Rails.logger.debug 'GACL::SECOND_LEVEL_CACHE::DELETE ' + key.to_s    
+  end
+end
+
+ActiveAcl::OPTIONS[:cache] = ActiveAcl::Cache::MemcacheAdapter

data/lib/active_acl/cache/no_cache_adapter.rb

@@ -0,0 +1,22 @@
+# This module contains different second level cache implementations. The second
+# level cache caches the instance cache of an access object between requests. 
+# Cache adapter can be set with ActiveAcl::OPTIONS[:cache].
+module ActiveAcl::Cache #:nodoc:
+ 
+  # The default second level cache dummy implementation, not implementing any 
+  # caching functionality at all.
+  class NoCacheAdapter #:nodoc:
+    def self.get(key)
+      Rails.logger.debug 'ACTIVE_ACL::SECOND_LEVEL_CACHE::DISABLED::MISS ' + key.to_s
+      nil
+    end
+      
+    def self.set(key, value, ttl)
+      Rails.logger.debug 'ACTIVE_ACL::SECOND_LEVEL_CACHE::DISABLED::SET ' + key.to_s + ' TO ' + value.inspect + ' TTL ' + ttl.to_s    
+    end
+    
+    def self.delete(key)
+      Rails.logger.debug 'ACTIVE_ACL::SECOND_LEVEL_CACHE::DISABLED::DELETE ' + key.to_s    
+    end
+  end
+end

data/lib/active_acl/db/active_record_adapter.rb

@@ -0,0 +1,15 @@
+# Includes different DBMS adapters, some of them using C extensions to speed up DB access.
+# DB adapter can be set with ActiveAcl::OPTIONS[:db].
+module ActiveAcl::DB #:nodoc:
+  
+  # Uses ActiveRecord for privilege queries. Should be compatible to all
+  # db types.
+  class ActiveRecordAdapter #:nodoc:
+    # Execute sql query against the DB, returning an array of results.
+    def self.query(sql) 
+      ActiveRecord::Base.connection.select_all(sql)
+    end
+  end
+end
+
+ActiveAcl::OPTIONS[:db] = ActiveAcl::DB::ActiveRecordAdapter

data/lib/active_acl/db/mysql_adapter.rb

@@ -0,0 +1,29 @@
+require 'mysql'
+
+# allow access to the real Mysql connection
+class ActiveRecord::ConnectionAdapters::MysqlAdapter #:nodoc:
+  attr_reader :connection #:nodoc:
+end
+
+# Uses the native MySQL connection to do privilege selects. Should be around 20 % faster than
+# ActiveRecord adapter. Sets itself as the DB adapter if the source file is loaded, so requiring it
+# is enough to get it activated.
+class ActiveAcl::DB::MySQLAdapter #:nodoc:
+
+  # Execute sql query against the DB, returning an array of results.
+  def self.query(sql)
+    Rails.logger.debug 'GACL::DB::EXECUTING QUERY ' + sql if Rails.logger.debug?
+    connection = ActiveRecord::Base.connection.connection
+    connection.query_with_result = true
+    
+    result = connection.query(sql)
+    rows = []
+    result.each_hash do |hash|
+      rows << hash
+    end if result
+    result.free
+    rows
+  end
+end
+
+ActiveAcl::OPTIONS[:db] = ActiveAcl::DB::MySQLAdapter

data/lib/active_acl/grant.rb

@@ -0,0 +1,53 @@
+module ActiveAcl
+  module Acts 
+    module Grant 
+      # grant_privilege!(Blog::DELETE,
+      # :on => blog,
+      # :section => 'blogging' or a Hash or an ActiveAcl::AclSection
+      # :acl => 'blogging_of_admins' or a hash or an ActiveAvl::Acl
+      # :target_as_object => true/false target is treated as access_object         
+      def grant_privilege!(privilege,options={})
+        section = options[:section] || 'generic'
+        target = options[:on]
+        acl = options[:acl] || "#{privilege.active_acl_description}"
+        ActiveAcl::Acl.transaction do
+          unless acl.kind_of?(ActiveAcl::Acl)
+            case section
+              when String
+              section = ActiveAcl::AclSection.find_or_create_by_iname(section)
+              when Hash
+              section = ActiveAcl::AclSection.create(section)
+              #else section should be an ActiveAcl::AclSection
+            end
+            section.save! if section.new_record?
+          end
+          
+          case acl
+            when String
+            acl=ActiveAcl::Acl.find_or_create_by_iname(acl)
+            acl.section=section unless acl.section
+            when Hash
+            acl=ActiveAcl::Acl.create(acl.merge({:section => section}))
+          end
+          acl.save! if acl.new_record?
+           
+          acl.privileges << privilege
+          if ActiveAcl.is_access_group?(self.class) 
+            acl.requester_groups << self unless acl.requester_groups.include?(self)
+          else
+            acl.requesters << self unless acl.requesters.include?(self)
+          end
+          if target
+            if ActiveAcl.is_access_group?(target.class) && !options[:target_as_object] 
+              acl.target_groups << target unless acl.target_groups.include?(target)
+            else
+              acl.targets << target unless acl.targets.include?(target)
+            end 
+          end
+          active_acl_clear_cache! if ActiveAcl.is_access_object?(self.class)
+        end
+        acl
+      end
+    end #module
+  end
+end

data/lib/active_acl/handler/nested_set.rb

@@ -0,0 +1,33 @@
+module ActiveAcl
+  module Acts #:nodoc:
+    module AccessGroup #:nodoc:
+      class NestedSet #:nodoc:
+        attr_reader :left_column,:right_column
+        def initialize(options)
+          
+          @left_column = options[:left_column] || :lft 
+          @right_column = options[:right_column] || :rgt
+          #          :controller => ActiveAcl::OPTIONS[:default_group_selector_controller],
+          #          :action => ActiveAcl::OPTIONS[:default_group_selector_action]}
+          
+        end
+        def group_sql(object_handler,target = false)
+          target_requester = (target ? 'target' : 'requester')
+          if object_handler.habtm?
+            "(SELECT DISTINCT g2.id FROM #{object_handler.join_table} ml 
+               LEFT JOIN #{object_handler.group_table_name} g1 ON ml.#{object_handler.association_foreign_key} = g1.id CROSS JOIN #{object_handler.group_table_name} g2
+               WHERE ml.#{object_handler.foreign_key} = %{#{target_requester}_id} AND (g2.#{left_column} <= g1.#{left_column} AND g2.#{right_column} >= g1.#{right_column}))"
+          else
+            "(SELECT DISTINCT g2.id FROM #{object_handler.group_table_name} g1 CROSS JOIN #{object_handler.group_table_name} g2
+               WHERE g1.id = %{#{target_requester}_group_id} AND (g2.#{left_column} <= g1.#{left_column} AND g2.#{right_column} >= g1.#{right_column}))"
+          end
+          #"r_groups.#{left_column} - r_groups.#{right_column} ASC" 
+        end
+        def order_by(object_handler,target=false)
+          target_requester = (target ? 't' : 'r')
+          "#{target_requester}_groups.#{left_column} - #{target_requester}_groups.#{right_column} ASC"
+        end
+      end #class
+    end
+  end
+end

data/lib/active_acl/handler/object_handler.rb

@@ -0,0 +1,253 @@
+module ActiveAcl #:nodoc:
+  module Acts #:nodoc:
+    module AccessObject #:nodoc:
+      
+      # handels grouped objects
+      # the group is a nested_set
+      class ObjectHandler #:nodoc:
+        attr_reader :klass,:group_class_name,:join_table,:group_table_name,
+        :foreign_key,:association_foreign_key,:group_handler
+        def initialize(klass,options={})
+          @klass = klass
+          if options[:grouped_by]
+            @group_class_name = options[:grouped_by].to_s.classify
+            @group_handler=ActiveAcl.group_handler(@group_class_name.constantize)
+            @group_table_name=@group_class_name.constantize.table_name
+            @join_table = options[:join_table] || [klass.name.pluralize.underscore.gsub(/\//,'_'), group_class_name.pluralize.underscore.gsub(/\//,'_')].sort.join('_')  
+            @foreign_key = options[:foreign_key] || "#{klass.name.demodulize.underscore}_id" 
+            @association_foreign_key = options[:association_foreign_key] || "#{group_class_name.demodulize.underscore}_id"
+            @habtm = options[:habtm] || (options[:grouped_by].to_s.demodulize.singularize != options[:grouped_by].to_s.demodulize)
+          end
+          
+          logger=Rails.logger
+          logger.debug "ActiveAcl: registered ObjectHandler for #{klass}"
+          logger.debug "grouped: #{self.grouped?}, habtm: #{habtm?}"
+          #set the SQL fragments
+          prepare_requester_sql
+          prepare_target_sql
+        end
+        def habtm?
+          @habtm
+        end
+        def grouped?
+          !!@group_class_name
+        end
+        
+        def klass_name 
+          klass.base_class.name
+        end
+        
+        #checks the privilege of a requester on a target (optional)
+        def has_privilege?(requester,privilege,target=nil)
+          value = get_cached(requester,privilege,target)
+          
+          return value unless value.nil? #got the cached and return
+          #todo check cash l2
+          
+          vars={'requester_id' => requester.id}
+          vars['requester_group_id'] = requester.send(association_foreign_key) if !self.habtm? && self.grouped?
+          sql = ''
+          sql << query_r_select
+          if target
+            t_handler=target.active_acl_handler
+            
+            sql << t_handler.query_t_select
+            sql << "\n WHERE "
+            sql << query_r_where_3d
+            sql << t_handler.query_t_where
+            sql << "\n ORDER BY "
+            
+            #TODO: ordering is a mess (use an array?)
+            order = (grouped? ? order_by_3d.dup : [])
+            if t_handler.grouped? 
+              order << "(CASE WHEN t_g_links.acl_id IS NULL THEN 0 ELSE 1 END) ASC"
+              order << t_handler.group_handler.order_by(target,true)
+              vars['target_group_id'] = target.send(t_handler.association_foreign_key) unless t_handler.habtm?
+            end
+            order << 'acls.updated_at DESC'
+            sql << order.join(',')
+            
+            sql << " LIMIT 1"
+            vars['privilege_id'] = privilege.id
+            vars['target_id'] = target.id
+            vars['target_type'] = target.class.base_class.name
+          else
+            sql << " WHERE "
+            sql << query_r_where_2d
+            sql << "\n ORDER BY "
+            sql << order_by_2d
+          end
+          
+          #replacing the vars in the SQL
+          sql=sql.gsub(/%{[^}]+}/) do |var|
+            vars[var[2..-2]] || var
+          end
+          
+          results = ActiveAcl::OPTIONS[:db].query(sql) #get the query from the db
+          value=set_cached(requester,privilege,target,results)
+          return value
+        end
+        #gets the instance cache from the background store or a hash
+        def get_instance_cache(requester)
+          cache.get(requester_cache_id(requester)) || {}
+        end
+        #destroy the 2nd level cache
+        def delete_cached(requester)
+          cache.delete(requester_cache_id(requester))
+        end
+        
+        attr_reader :query_t_select,:query_t_where
+        
+        #Things go private from here ----------------
+        private
+        def cache
+          ActiveAcl::OPTIONS[:cache]
+        end
+        
+        #builds a instance_cache key for a query
+        def query_id(requester,privilege,target)
+          privilege_id = (privilege.kind_of?(ActiveAcl::Privilege) ? privilege.id : privilege)  
+          [privilege_id, klass.base_class.name, requester.id, (target ? target.class.base_class.name : ''), (target ? target.id.to_s : '')].join('-')
+        end
+        
+        #builds the cache key for a requester for beackground cache
+        def requester_cache_id(requester)
+          'active_acl_instance-' + klass.base_class.name + '-' + requester.id.to_s
+        end
+        
+        # Caching is done on different levels:
+        # Requesting a 2d privilege should fill the instance cache with all 2d privileges
+        # Requesting a 3d should be stored in the instance cache
+        # changing the instance cache stores it to the backstore (if any exists) 
+        def get_cached(requester,privilege,target)
+          
+          instance_cache=requester.active_acl_instance_cache          
+          q_id=query_id(requester,privilege,target)
+          # try to get from instance cache
+          if (value=instance_cache[q_id]).nil? #cache miss?
+            if target.nil? && requester.active_acl_cached_2d?
+              Rails.logger.debug 'ACTIVE_ACL::INSTANCE_CACHE::DENY ' + q_id
+              return false #it should be cached but it's not there: DENY
+            else
+              return nil #we don't cache all 3d acl: DB LOOKUP
+            end
+          else #found in cache: return the results
+            Rails.logger.debug 'ACTIVE_ACL::INSTANCE_CACHE::' + (value ? 'GRANT ' : 'DENY ') + q_id 
+            return value 
+          end
+          nil
+        end
+        
+        def set_cached(requester,privilege,target,results)
+          
+          this_query_id=query_id(requester,privilege,target)
+          instance_cache=requester.active_acl_instance_cache
+          
+          if target.nil? #no target? then results are all 2d privileges of the requester
+            last_privilege_value = nil
+            results.each do |row|
+              if row['privilege_id'] != last_privilege_value
+                last_privilege_value = row['privilege_id']
+                q_id=query_id(requester,last_privilege_value,nil)
+                #TODO: put the true comparison into the db handler
+                v=((row['allow'] == '1') or (row['allow'] == 't'))
+                instance_cache[q_id] = v
+              end
+            end
+            requester.active_acl_cached_2d! #mark the cache as filled (at least 2d)
+            # the result should be in the cache now or we return false 
+            value=instance_cache[this_query_id] || false
+          else #3d request?
+            if results.empty?
+              value=false
+              instance_cache[this_query_id] = value
+            else #3d and a hit
+              value = ((results[0]['allow'].to_s == '1') or (results[0]['allow'].to_s == 't'))
+              instance_cache[this_query_id] = value
+            end
+          end
+          raise "something went realy wrong!" if value.nil?
+          
+          #cache the whole instance cache
+          cache.set(requester_cache_id(requester),instance_cache,ActiveAcl::OPTIONS[:cache_privilege_timeout])
+          
+          value
+        end
+        
+        # build ACL query strings once, 
+        # so we don't need to do this on every request
+        # SQL: 
+        # we always need acl,and privileges, and requester_links
+        # we need the target_links if its a 3d query
+        # we need the target_groups if the it's a 3d query and the target is grouped
+        # we need the requester_groups if the requester is grouped
+        # the ordering depens on 2d/3d
+        # We'll build the SQL on demand and cache it so it'll 
+        # be a function of: requester,target,privilege 
+        attr_reader :query_r_select, :query_r_where_2d, :query_r_where_3d, :order_by_3d,:order_by_2d
+        def prepare_requester_sql
+          @query_r_select = <<-QUERY
+            SELECT acls.id, acls.allow, privileges.id AS privilege_id FROM #{ActiveAcl::OPTIONS[:acls_table]} acls 
+            LEFT JOIN #{ActiveAcl::OPTIONS[:acls_privileges_table]} acls_privileges ON acls_privileges.acl_id=acls.id 
+            LEFT JOIN #{ActiveAcl::OPTIONS[:privileges_table]} privileges ON privileges.id = acls_privileges.privilege_id
+            LEFT JOIN #{ActiveAcl::OPTIONS[:requester_links_table]} r_links ON r_links.acl_id=acls.id
+            QUERY
+          if grouped?
+            requester_groups_table = group_class_name.constantize.table_name
+            requester_group_type = group_class_name.constantize.name
+            
+            @query_r_select << "
+            LEFT JOIN #{ActiveAcl::OPTIONS[:requester_group_links_table]} r_g_links ON acls.id = r_g_links.acl_id AND r_g_links.requester_group_type = '#{requester_group_type}'
+            LEFT JOIN #{requester_groups_table} r_groups ON r_g_links.requester_group_id = r_groups.id
+            "
+          end
+          
+          @query_r_where_3d = "acls.enabled = #{klass.connection.quote(true)} AND (privileges.id = %{privilege_id}) "
+          @query_r_where_2d = "acls.enabled = #{klass.connection.quote(true)}"
+          query = " AND ((r_links.requester_id=%{requester_id}  
+          AND r_links.requester_type='#{klass.base_class.name}')"
+          if grouped?
+            
+            query << " OR (r_g_links.requester_group_id IN #{group_handler.group_sql(self)})) "
+          else
+            query << ")" 
+          end
+          @query_r_where_3d << query
+          @query_r_where_2d << query
+          
+          
+          #@query_r_where_2d << '(t_g_links.acl_id IS NULL)) '
+          @order_by_3d = []
+          @order_by_3d << "(CASE WHEN r_g_links.acl_id IS NULL THEN 0 ELSE 1 END) ASC"
+          @order_by_3d << group_handler.order_by(self) if grouped?
+          
+           
+          
+          #TODO ordering of groups
+          @order_by_2d = 'privileges.id,'
+          @order_by_2d << "(CASE WHEN r_g_links.acl_id IS NULL THEN 0 ELSE 1 END) ASC," if grouped?
+          @order_by_2d << "acls.updated_at DESC"
+        end
+        
+        def prepare_target_sql
+          @query_t_select = " LEFT JOIN #{ActiveAcl::OPTIONS[:target_links_table]} t_links ON t_links.acl_id=acls.id"
+          if grouped?
+            target_groups_table = @group_class_name.constantize.table_name
+            target_group_type = @group_class_name.constantize.name
+            
+            @query_t_select << " LEFT JOIN #{ActiveAcl::OPTIONS[:target_group_links_table]} t_g_links ON t_g_links.acl_id=acls.id
+                                AND t_g_links.target_group_type = '#{target_group_type}'
+                                LEFT JOIN #{target_groups_table} t_groups ON t_groups.id=t_g_links.target_group_id"
+          end 
+          @query_t_where = " AND ((t_links.target_id=%{target_id}
+                             AND t_links.target_type = '%{target_type}' )"
+          if grouped?
+            @query_t_where << " OR t_g_links.target_group_id IN #{group_handler.group_sql(self,true)})"
+          else
+            @query_t_where << ")"
+          end
+        end
+      end
+    end
+  end
+end