portier 1.0.3

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: c33d0423d1f9c49d68a3334e45a97174fcb13ab6
+  data.tar.gz: 5e359491e90f1d8cf608f5fd1caf589744f52ddc
+SHA512:
+  metadata.gz: c1b7cb91f5b65f7fc17b2f1c68070cf865a4a58aae84c4080418bc484922146f8b03802f4b17a6083fa6a11f26a23d15b5e82f4d8122856fa8d068b4c1ea289c
+  data.tar.gz: 785f54d140c86965f58e90fd417cd5b56ea34f033f488f210d84733de1a79b17b049a02b8de7173e87f9fd6a5b28a03a2b07a5468149666bed0a695437e85c9e

data/.gitignore

@@ -0,0 +1,9 @@
+*.gem
+.bundle
+.metrics
+.rspec
+Gemfile.lock
+coverage/*
+pkg/*
+spec/dummy/log
+tmp/*

data/.travis.yml

@@ -0,0 +1,5 @@
+language: ruby
+rvm:
+  - 2.0.0
+  - 1.9.3
+  - 1.9.2

data/Gemfile

@@ -0,0 +1,4 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in portier.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,7 @@
+Copyright (c) 2014 Alchimik
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,171 @@
+Portier
+=======
+
+Portier is an gem that manage permissions in a rails project. The permission rules are flexible, non-obstrusive, scalable and can be applied to the controller actions, and views.
+
+Install
+-------
+
+In your Gemfile:
+
+```ruby
+gem 'portier'
+```
+
+Authorizing the controller requests
+-----------------------------------
+
+### Bootstrap Portier
+
+In order to let portier control the requests to your application, you need to add the before_filter below in your application_controller.rb. You also need to define a current_user method
+
+```ruby
+  # app/controllers/application_controller.rb
+
+  class ApplicationController < ActionController::Base
+    protect_from_forgery with: :exception
+
+    # This filter the requests using the permission files
+    before_filter :protect_app
+
+    # You can define the current_user anyway you want as long as it return the current user record.
+    def current_user
+      # This is only an example of current_user method. Feel free to do it the way you want.
+      begin
+        @current_user ||= User.find session[:current_user]
+      rescue
+        @current_user = nil
+      end
+    end
+    ...
+```
+
+### The Permission Files
+
+Once this is done, every controller will have to be match with a permission file. So, for the ```products_controller.rb``` you'll have to create the file ```app/permissions/products_permission.rb```.
+
+
+### Describing a permission file
+
+The permission file will define the access rules to every action called on the controller.
+
+```ruby
+  # app/permissions/products_permission.rb
+
+  class ProductsPermission < Portier::ApplicationPermission
+    # User will have access to any undescribed actions
+    def default
+      true
+    end
+
+    # The access will only granted if the product is available.
+    # product is provided by ApplicationPermission.
+    # product return the current product record
+    def show
+      product.available?
+    end
+
+    # You can set a custom error message with the method set_access_denied_message.
+    # This message will be available in the controllers and views throught the
+    # method access_denied_message. If it's not set, this method will return nil.
+    # set_access_denied_message always return false.
+    def create
+      if not current_user
+        set_access_denied_message "You need to log in to create this product."
+      elsif not current_user.can_create_product?
+        set_access_denied_message "You don't have the right to create product."
+      else
+        true
+      end
+    end
+
+    # The access to the edit/update actions will only be available
+    # if the current user is and Administrator
+    # The current_user method must be defined in your ApplicationController
+    def modify
+      current_user and current_user.admin?
+    end
+
+    # Revoke access to the destroy action.
+    def destroy
+      false
+    end
+  end
+
+  # consult = index and show
+  # add     = new and create
+  # modify  = edit and update
+
+  # Define the parameters that can be sent by the user.
+  # In your products_controller, you can call the method permitted_params.
+  # This method will be the equivalent of :
+  # params.require(:product).permit(:picture, :name, :description)
+  def permitted_params
+    if current_user and current_user.employe?
+      [:picture, :name, :description]
+    elsif current_user and current_user.admin?
+      [:picture, :name, :description, :price]
+    else
+      []
+    end
+  end
+```
+
+### The View Tags
+
+In order to filter content in the views, you can add tags in the special view_tags_permission.rb.
+
+```ruby
+  # app/permissions/view_tags_permission.rb
+
+  class ViewTagsPermission < Portier::ViewTagsPermission
+    # Only accept this tag if the user is an administrator
+    def show_the_admin_link
+      current_user.admin?
+    end
+  end
+```
+
+In your views, you can then use the can_view? method to filter content.
+
+```erb
+  <%# app/views/products/show.html.erb %>
+
+  <%= link_to 'Admin', admin_path if can_view? :show_the_admin_link %>
+```
+
+### can?
+
+In your views, you can also use the method ```can?``` to filter content.
+
+```erb
+  <%# app/views/products/show.html.erb %>
+
+  <%= link_to 'Edit product', edit_product_path(id: @product.id) if can? :edit, @product %>
+```
+
+Both ```can?``` and ```can_view?``` methods can take options
+
+```erb
+  <%# app/views/products/show.html.erb %>
+
+  <%= link_to 'Admin', admin_path if can_view? :show_the_admin_link, special: true %>
+```
+
+```ruby
+  # app/permissions/view_tags_permission.rb
+
+  class ViewTagsPermission < Portier::ViewTagsPermission
+    # Only accept this tag if the user is a special administrator
+    def show_the_admin_link
+      current_user.admin? and options[:special]
+    end
+  end
+```
+
+
+
+Copyright
+---------
+
+Copyright (c) 2014 Alchimik. See LICENSE for further details.

data/Rakefile

@@ -0,0 +1,11 @@
+require "bundler"
+require "rspec/core/rake_task"
+
+Bundler::GemHelper.install_tasks
+
+desc "Run all specs in spec directory"
+RSpec::Core::RakeTask.new(:spec) do |spec|
+  spec.pattern = "spec/**/*_spec.rb"
+end
+
+task default: :spec

data/lib/portier/.reek

@@ -0,0 +1,12 @@
+---
+DuplicateMethodCall:
+  allow_calls: ['options', 'params']
+  max_calls: 3
+IrresponsibleModule:
+  enabled: false
+TooManyStatements:
+  max_statements: 10
+UncommunicativeMethodName:
+  enabled: false
+UncommunicativeVariableName:
+  enabled: false

data/lib/portier/application_permission.rb

@@ -0,0 +1,89 @@
+#*************************************************************************************
+# Control the access for each controller actions
+#*************************************************************************************
+class Portier::ApplicationPermission < Portier::BasePermission
+  def self.action_tree(action)
+    case action.to_s
+      when 'index' then [:index, :consult, :default]
+      when 'show' then [:show, :consult, :default]
+      when 'new' then [:new, :add, :default]
+      when 'create' then [:create, :add, :default]
+      when 'edit' then [:edit, :modify, :default]
+      when 'update' then [:update, :modify, :default]
+      when 'destroy' then [:destroy, :default]
+      else [action.to_sym, :default]
+    end
+  end
+
+
+  def build_permitted_params
+    ps = self.respond_to?(:permitted_params) ? permitted_params : []
+
+    begin
+      params.require(record_name).permit ps
+    rescue
+      {}
+    end
+  end
+
+  def can?(action, record, options={})
+    @current_record = record
+    @options = options
+
+    granted? action
+  end
+
+  def default
+    false
+  end
+
+  def granted?(action)
+    action_tree(action).each { |act| return self.send(act) if self.respond_to?(act) }
+  end
+
+
+  private
+
+  def action_tree(action)
+    Portier::ApplicationPermission.action_tree(action)
+  end
+
+  def current_record
+    @current_record = find_record if not @current_record
+
+    @current_record
+  end
+
+  def find_record
+    if params[:id]
+      field = model.respond_to?(:default_id) ? model.default_id : :id
+
+      model.find_by Hash[field, params[:id]]
+    else
+      nil
+    end
+  end
+
+  def model
+    controller_name.singularize.camelize.constantize
+  end
+
+  def model_exists?
+    defined? model
+  end
+
+  def record_name
+    controller_name.singularize.to_sym
+  end
+
+
+  def method_missing(*args, &block)
+    if args.first == record_name and model_exists?
+      current_record
+    elsif current_record.class.to_s.downcase == args.first.to_s
+      current_record
+    else
+      raise NoMethodError.new("undefined local variable or method '#{args.first}' for #{self.class}")
+    end
+  end
+end

data/lib/portier/base.rb

@@ -0,0 +1,75 @@
+#*************************************************************************************
+# Check if the access is granted or refused depending on the permission
+# setted in the permission files.
+#*************************************************************************************
+class Portier::Base
+  attr_reader :application_controller, :current_user
+
+  delegate :request, to: :application_controller
+
+  def initialize(application_controller, current_user)
+    @application_controller = application_controller
+    @current_user = current_user
+  end
+
+  def access_denied_message
+    base_permission.access_denied_message
+  end
+
+  def authorize_action
+    raise Portier::AccessDenied if not base_permission.granted? action
+  end
+
+  def can?(action, object, options={})
+    object_name = if object.is_a? Symbol or object.is_a? String
+      object.to_s.singularize.pluralize
+    else
+      object.class.name.pluralize
+    end
+    permission = permission_for object_name
+    permission.can? action, object, options
+  end
+
+  def can_view?(tag, options={})
+    view_permission.can_view? tag, options
+  end
+
+  def permitted_params
+    base_permission.build_permitted_params if base_permission.respond_to? :permitted_params
+  end
+
+  private
+
+  def action
+    request[:action]
+  end
+
+  def base_permission
+    @base_permission ||= permission_for controller_name
+  end
+
+  def controller_name
+    request[:controller]
+  end
+
+  def permission_for(target)
+    begin
+      "#{target.camelize}Permission".constantize.new(application_controller, current_user)
+    rescue
+        raise Portier::Uninitalized, "You must define #{controller_name.camelize}Permission in app/permissions/#{controller_name}_permission.rb. See documentation for more details."
+    end
+  end
+
+  def view_permission
+    if not @view_permission_object
+      begin
+        @view_permission_object = "ViewTagsPermission".constantize.new(application_controller, current_user)
+      rescue
+        raise Portier::Uninitalized, "You must define ViewTagsPermission in app/permissions/view_tags_permission.rb in order to use view permission. See documentation for more details."
+      end
+    end
+
+    @view_permission_object
+  end
+
+end

data/lib/portier/base_permission.rb

@@ -0,0 +1,36 @@
+#*************************************************************************************
+# Basic Permission object to cut some duplication.
+# ApplicationPermission and ViewTagsPermission inherit from it
+#*************************************************************************************
+class Portier::BasePermission
+  attr_reader :access_denied_message, :application_controller, :current_user
+
+  delegate :params, to: :application_controller
+  delegate :request, to: :application_controller
+
+  def initialize(application_controller, current_user)
+    @application_controller = application_controller
+    @current_user = current_user
+    @access_denied_message = nil
+  end
+
+  def set_access_denied_message(message)
+    @access_denied_message = message
+
+    false
+  end
+
+  private
+
+  def controller
+    @application_controller
+  end
+
+  def controller_name
+    request[:controller]
+  end
+
+  def options
+    @options
+  end
+end

data/lib/portier/engine.rb

@@ -0,0 +1,7 @@
+module Portier
+  #*************************************************************************************
+  # Make the gem behave as an engine.
+  #*************************************************************************************
+  class Engine < Rails::Engine
+  end
+end

data/lib/portier/errors.rb

@@ -0,0 +1,19 @@
+module Portier
+  #*************************************************************************************
+  # Error that will be raised if access to the action is denied
+  #*************************************************************************************
+  class AccessDenied < StandardError
+  end
+
+  #*************************************************************************************
+  # Error that will be raised if the permission wasn't defined
+  #*************************************************************************************
+  class NoPermissionError < StandardError
+  end
+
+  #*************************************************************************************
+  # Error that will be raised if the permission isn't initialized
+  #*************************************************************************************
+  class Uninitalized < StandardError
+  end
+end

data/lib/portier/implants/action_controller_implant.rb

@@ -0,0 +1,37 @@
+#*************************************************************************************
+# Insert methods in the Action Controller of a Rails project.
+#*************************************************************************************
+module Portier::Implants::ActionControllerImplant
+  extend ActiveSupport::Concern
+
+  included do
+    helper_method :access_denied_message, :can?, :can_view?
+
+    rescue_from Portier::AccessDenied, with: :render_access_denied
+  end
+
+  def access_denied_message
+    @portier.access_denied_message
+  end
+
+  def can?(action, object, options={})
+    @portier.can? action, object, options
+  end
+
+  def can_view?(tag, options={})
+    @portier.can_view? tag, options
+  end
+
+  def permitted_params
+    @portier.permitted_params
+  end
+
+  def protect_app
+    @portier = Portier::Base.new(self, current_user)
+    @portier.authorize_action
+  end
+
+  def render_access_denied
+    render text: "access_denied", status: 401
+  end
+end

data/lib/portier/railtie.rb

@@ -0,0 +1,14 @@
+module Portier
+  class Railtie < Rails::Railtie
+    initializer "portier" do |app|
+      ActiveSupport.on_load :action_controller do
+        include Portier::Implants::ActionControllerImplant
+      end
+    end
+  end
+
+  module Implants
+  end
+end
+
+require 'portier/implants/action_controller_implant'

data/lib/portier/view_tags_permission.rb

@@ -0,0 +1,14 @@
+#*************************************************************************************
+# Control the access using a tag.
+#*************************************************************************************
+class Portier::ViewTagsPermission < Portier::BasePermission
+  def can_view?(tag, options={})
+    if self.respond_to? tag.to_sym
+      @options = options
+
+      self.send(tag.to_sym)
+    else
+      raise Portier::NoPermissionError, "You must define the method \"#{tag}\" in the view tags file (app/permissions/view_tags_permission.rb). See documentation for more details."
+    end
+  end
+end

data/lib/portier.rb

@@ -0,0 +1,12 @@
+module Portier
+end
+
+require "portier/engine"
+require 'portier/base'
+require 'portier/base_permission'
+require 'portier/application_permission'
+require 'portier/view_tags_permission'
+require 'portier/errors'
+require 'portier/railtie'
+
+

data/portier.gemspec

@@ -0,0 +1,22 @@
+Gem::Specification.new do |gem|
+  gem.name        = "portier"
+  gem.description = "Portier is an gem that manage permissions in a rails project. The permission rules are flexible, non-obstrusive, scalable and can be applied to the controller actions, and views."
+  gem.summary     = "Portier is an gem that manage permissions in a rails project. The permission rules are flexible, non-obstrusive, scalable and can be applied to the controller actions, and views."
+  gem.homepage    = "https://bitbucket.org/alchimikweb/portier"
+  gem.version     = "1.0.3"
+  gem.licenses    = ["MIT"]
+
+  gem.authors     = ["Sebastien Rosa"]
+  gem.email       = ["sebastien@alchimik.com"]
+
+  gem.files       = `git ls-files`.split($\)
+  gem.executables = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files  = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+
+  gem.add_dependency "rails", ['>= 4.0']
+  gem.add_development_dependency "sqlite3"
+  gem.add_development_dependency "rspec-rails"
+  gem.add_development_dependency "simplecov"
+  gem.add_development_dependency "simplecov-rcov-text"
+end

data/spec/controllers/application_controller_spec.rb

@@ -0,0 +1,81 @@
+require "spec_helper"
+
+describe ApplicationController do
+  controller do
+    before_filter :protect_app
+
+    def current_user
+      @user
+    end
+
+    def index
+      if can_view?(:granted_response, show: true)
+        render text: 'Granted!'
+      else
+        render text: 'Nothing'
+      end
+    end
+
+    def create
+      if can?(:create, :products)
+        render text: "Created! #{permitted_params}"
+      else
+        render text: "Not Created!"
+      end
+    end
+
+    def edit
+      render text: 'Refused!'
+    end
+
+    def destroy
+      render text: 'Destroyed!'
+    end
+  end
+
+  describe "when calling an open action" do
+    it 'should grant access' do
+      get :index
+
+      expect(response.status).to eq(200)
+      expect(response.body).to eq "Granted!"
+    end
+  end
+
+  describe "when calling a restricted action" do
+    it 'should not grant access' do
+      get :edit, id: '123'
+
+      expect(response.status).to eq(401)
+      expect(response.body).to eq "access_denied"
+    end
+  end
+
+  describe "when sending the role and the role is not allowed to be sent" do
+    it 'should not have role in the permitted_params' do
+      post :create, anonymou: { name: '123', email: 'a@at.com', role: 'admin' }
+
+      expect(response.status).to eq(200)
+      expect(response.body).to include('email')
+      expect(response.body).not_to include('role')
+    end
+  end
+
+  describe "when deleting an open record" do
+    it 'should grant access' do
+      delete :destroy, id: 'open'
+
+      expect(response.status).to eq(200)
+      expect(response.body).to eq "Destroyed!"
+    end
+  end
+
+  describe "when deleting an restricted record" do
+    it 'should not grant access' do
+      delete :destroy, id: 'restricted'
+
+      expect(response.status).to eq(401)
+      expect(response.body).to eq "access_denied"
+    end
+  end
+end

data/spec/dummy/Rakefile

@@ -0,0 +1,6 @@
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require File.expand_path('../config/application', __FILE__)
+
+Dummy::Application.load_tasks

data/spec/dummy/app/controllers/application_controller.rb

@@ -0,0 +1,3 @@
+class ApplicationController < ActionController::Base
+  protect_from_forgery with: :exception
+end

data/spec/dummy/app/controllers/examples_controller.rb

@@ -0,0 +1,11 @@
+class ExamplesController < ApplicationController
+  protect_from_forgery
+
+  def index
+    render text: 'dummy'
+  end
+
+  def show
+    render text: 'dummy'
+  end
+end

data/spec/dummy/app/helpers/application_helper.rb

@@ -0,0 +1,2 @@
+module ApplicationHelper
+end