protector-cancan 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 24a492131115dea9a185a89b83c01e3fd3dde523
+  data.tar.gz: 0d0ef48a9f0e1ed21f0a0bc6d46c3fcb3d513dc3
+SHA512:
+  metadata.gz: e98380fa0ecc0a8238304ba9716dffabdf634a3e5e9dc12ca806b6ca749032e0cb2610c213bab330241b76ac28db69f263cd676f7036fe1990b3b572117a8122
+  data.tar.gz: 956455e9fed66a3700a14d4ec3dcee8763a1a92da5f750e0d535f32e646ef54718d879b2ae4aae355bece3d1dcb6146d572b004915e5e9f7903d164ecde0476c

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/.rspec

@@ -0,0 +1,3 @@
+--tty
+--color
+--format progress

data/Gemfile

@@ -0,0 +1,15 @@
+source 'https://rubygems.org'
+
+gemspec
+
+gem 'rake'
+gem 'pry'
+gem 'rspec'
+
+gem 'combustion', github: 'pat/combustion'
+gem 'rails', '>= 4.0.0'
+gem 'rspec-rails'
+
+gem 'sqlite3', platform: :ruby
+gem 'jdbc-sqlite3', platform: :jruby, require: 'jdbc/sqlite3'
+gem 'activerecord-jdbcsqlite3-adapter', platform: :jruby, github: 'jruby/activerecord-jdbc-adapter'

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2013 Boris Staal
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,73 @@
+# Protector::Cancan
+
+Integrates [Protector](https://github.com/inossidabile/protector) and [CanCan](https://github.com/ryanb/cancan).
+
+Protector and CanCan are all about the same thing: access control. They however act on different fronts: Protector works on a model level and CanCan is all about controllers defense. With this gem you don't have to choose anymore: make them work together for the best result.
+
+The integration makes CanCan aware of Protector restrictions. You still can have separate `Ability` instance and even extend (or override) what comes from Protector.
+
+Additionally CanCan will automatically restrict instances with `current_user` during `load_resource` part.
+
+## Installation
+
+You are expected to have generated CanCan ability by this moment. Proceed to [CanCan installation tutorial](https://github.com/ryanb/cancan#1-define-abilities) to make one if you don't.
+
+Add this line to your application's Gemfile:
+
+    gem 'protector-cancan'
+
+And then execute:
+
+    $ bundle
+
+Now modify your `Ability` definition in the following way:
+
+```ruby
+class Ability
+  include CanCan::Ability
+
+  def intialize(user)
+    import_protector user # <- add this
+  end
+end
+```
+
+## Example
+
+For the case when you have the following model defined:
+
+```ruby
+class Dummy < ActiveRecord::Base
+  protect do |user|
+    can :read if user
+  end
+end
+```
+
+If you call `can? :read, Dummy`, the gem will evaluate `Dummy` protection block against value passed to `import_protector` (by default it's `current_user`) and expand CanCan rules with resulting meta.
+
+So in this particular case we will get `true` if `current_user` is set and `false` otherwise.
+
+And that's how controller is going to work:
+
+```ruby
+class DummiesController
+  load_and_authorize_resources
+
+  def index    # Will be accessible if current_user isn't blank
+    @dummies   # => Dummy.restrict!(current_user)
+  end
+
+  def show     # Will be accessible if current_user isn't blank
+    @dummy     # => Dummy.find(params[:id]).restrict!(current_user)
+  end
+end
+```
+
+## Maintainers
+
+* Boris Staal, [@inossidabile](http://staal.io)
+
+## License
+
+It is free software, and may be redistributed under the terms of MIT license.

data/Rakefile

@@ -0,0 +1,7 @@
+require 'bundler/setup'
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/lib/protector/cancan/ability.rb

@@ -0,0 +1,54 @@
+require 'set'
+
+module Protector
+  module CanCan
+    module Ability
+
+      def import_protector(subject)
+        @protector_subject = subject
+        @protector_subject_defined = true
+      end
+
+      def protector_subject
+        @protector_subject
+      end
+
+      def protector_subject?
+        !!@protector_subject_defined
+      end
+
+      def self.included(mod)
+        mod.class_eval do
+
+          def can_with_protector?(action, entity, *extra_args)
+            if entity.respond_to?(:restrict!) && @protector_subject_defined
+              @protector_models ||= Set.new
+
+              model = entity
+              model = model.class unless model.is_a?(Class)
+
+              unless @protector_models.include?(model)
+                meta = entity.is_a?(Class) ? entity.protector_meta.evaluate(@protector_subject)
+                                           : entity.protector_meta(@protector_subject)
+
+                meta.access.each do |action, fields|
+                  action = :read if action == :view # *doh*
+                  can action, model unless fields.empty?
+                end
+
+                can :destroy, model if meta.destroyable?
+
+                @protector_models << model
+              end
+            end
+
+            can_without_protector? action, entity, *extra_args
+          end
+
+          alias_method_chain :can?, :protector
+
+        end
+      end
+    end
+  end
+end

data/lib/protector/cancan/resource.rb

@@ -0,0 +1,36 @@
+module Protector
+  module CanCan
+    module Resource extend ActiveSupport::Concern
+      included do
+        alias_method_chain :load_resource, :protector
+        alias_method_chain :load_collection, :protector
+      end
+
+      def load_resource_with_protector(*args)
+        resource = load_resource_without_protector(*args)
+
+        if resource.respond_to?(:restrict!) \
+            && !resource.protector_subject? \
+            && current_ability.protector_subject?
+
+          resource = resource.restrict!(current_ability.protector_subject)
+        end
+        
+        resource
+      end
+
+      def load_collection_with_protector(*args)
+        collection = load_collection_without_protector(*args)
+
+        if collection.respond_to?(:restrict!) \
+            && !collection.protector_subject? \
+            && current_ability.protector_subject?
+
+          collection = collection.restrict!(current_ability.protector_subject)
+        end
+        
+        collection
+      end
+    end
+  end
+end

data/lib/protector/cancan/version.rb

@@ -0,0 +1,5 @@
+module Protector
+  module Cancan
+    VERSION = "0.1.0"
+  end
+end

data/lib/protector/cancan.rb

@@ -0,0 +1,10 @@
+require 'protector'
+require 'cancan'
+require 'active_support/all'
+require 'protector/cancan/ability'
+require 'protector/cancan/resource'
+require 'protector/cancan/version'
+
+CanCan::Ability.send :include, Protector::CanCan::Ability
+CanCan::ControllerResource.send :include, Protector::CanCan::Resource
+CanCan::InheritedResource.send :include, Protector::CanCan::Resource

data/protector-cancan.gemspec

@@ -0,0 +1,24 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'protector/cancan/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "protector-cancan"
+  spec.version       = Protector::Cancan::VERSION
+  spec.authors       = ["Boris Staal"]
+  spec.email         = ["boris@staal.io"]
+  spec.description   = %q{Integration layer between Protector and CanCan}
+  spec.summary       = spec.description
+  spec.homepage      = "https://github.com/inossidabile/protector-cancan"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "protector", ">= 0.5.3"
+  spec.add_dependency "cancan"
+  spec.add_dependency "activesupport"
+end

data/spec/controllers/dummies_spec.rb

@@ -0,0 +1,90 @@
+require 'spec_helpers/boot'
+
+describe DummiesController do
+  before(:all) do
+    Dummy.create! id: 1
+  end
+
+  after(:all) do
+    Dummy.find(1).destroy
+  end
+
+  describe "entities assignation" do
+    context "without integration" do
+      it "works for index" do
+        expect{ get :index }.to raise_error(CanCan::AccessDenied)
+      end
+
+      it "works for show" do
+        expect{ get :show, id: 1 }.to raise_error(CanCan::AccessDenied)
+      end
+
+      it "works for create" do
+        expect{ post :create }.to raise_error(CanCan::AccessDenied)
+      end
+
+      it "works for edit" do
+        expect{ get :edit, id: 1 }.to raise_error(CanCan::AccessDenied)
+      end
+
+      it "works for update" do
+        expect{ put :edit, id: 1 }.to raise_error(CanCan::AccessDenied)
+      end
+
+      it "works for destroy" do
+        expect{ delete :destroy, id: 1 }.to raise_error(CanCan::AccessDenied)
+      end
+    end
+
+    context "with integration" do
+      it "works for index" do
+        get :index, protector: true
+        expect(response).to be_success
+        assigns(:dummies).protector_subject?.should == true
+        assigns(:dummies).protector_subject.should == 'user'
+      end
+
+      it "works for show" do
+        get :show, id: 1, protector: true
+        expect(response).to be_success
+        assigns(:dummy).protector_subject?.should == true
+        assigns(:dummy).protector_subject.should == 'user'
+      end
+
+      it "works for create" do
+        post :create, protector: true
+        expect(response).to be_success
+        assigns(:dummy).protector_subject?.should == true
+        assigns(:dummy).protector_subject.should == 'user'
+      end
+
+      it "works for edit" do
+        get :edit, id: 1, protector: true
+        expect(response).to be_success
+        assigns(:dummy).protector_subject?.should == true
+        assigns(:dummy).protector_subject.should == 'user'
+      end
+
+      it "works for update" do
+        put :edit, id: 1, protector: true
+        expect(response).to be_success
+        assigns(:dummy).protector_subject?.should == true
+        assigns(:dummy).protector_subject.should == 'user'
+      end
+
+      it "works for destroy" do
+        delete :destroy, id: 1, protector: true
+        expect(response).to be_success
+        assigns(:dummy).protector_subject?.should == true
+        assigns(:dummy).protector_subject.should == 'user'
+      end
+
+      it "does not override set subject" do
+        get :test, protector: true
+        expect(response).to be_success
+        assigns(:dummies).protector_subject?.should == true
+        assigns(:dummies).protector_subject.should == 'test'
+      end
+    end
+  end
+end

data/spec/internal/app/controllers/dummies_controller.rb

@@ -0,0 +1,46 @@
+class DummiesController < ActionController::Base
+  before_filter(only: :test) do
+    @dummies = Dummy.restrict!('test')
+  end
+
+  load_and_authorize_resource
+
+  def index
+    render nothing: true
+  end
+
+  def show
+    render nothing: true
+  end
+
+  def create
+    render nothing: true
+  end
+
+  def edit
+    render nothing: true
+  end
+
+  def update
+    render nothing: true
+  end
+
+  def destroy
+    render nothing: true
+  end
+
+  def test
+    render nothing: true
+  end
+
+  protected
+
+    def current_user
+      'user'
+    end
+
+    def current_ability
+      ability = params[:protector] ? ProtectorAbility : DefaultAbility
+      @current_ability ||= ability.new(current_user)
+    end
+end

data/spec/internal/app/models/default_ability.rb

@@ -0,0 +1,6 @@
+class DefaultAbility
+  include CanCan::Ability
+
+  def initialize(user)
+  end
+end

data/spec/internal/app/models/dummy.rb

@@ -0,0 +1,11 @@
+class Dummy < ActiveRecord::Base
+  protect do |user|
+    can :view
+    can :create
+    can :update
+    can :destroy
+    can :test
+  end
+
+  belongs_to :user
+end

data/spec/internal/app/models/protector_ability.rb

@@ -0,0 +1,7 @@
+class ProtectorAbility
+  include CanCan::Ability
+
+  def initialize(user)
+    import_protector user
+  end
+end

data/spec/internal/config/database.yml

@@ -0,0 +1,4 @@
+test:
+  adapter: <%= "jdbc" if defined? JRUBY_VERSION %>sqlite3
+  database: ":memory:"
+  verbosity: quiet

data/spec/internal/config/routes.rb

@@ -0,0 +1,7 @@
+Rails.application.routes.draw do
+  resources :dummies do
+    collection do
+      get :test
+    end
+  end
+end

data/spec/internal/db/schema.rb

@@ -0,0 +1,5 @@
+ActiveRecord::Schema.define do
+  create_table(:dummies) do |t|
+    t.timestamps
+  end
+end

data/spec/internal/log/.gitignore

@@ -0,0 +1 @@
+*.log

data/spec/lib/protector/cancan/ability_spec.rb

@@ -0,0 +1,64 @@
+require 'spec_helpers/boot'
+
+describe Protector::CanCan::Ability do
+  let(:_Model) do
+    Class.new(ActiveRecord::Base) do
+      self.table_name = 'dummies'
+    end
+  end
+
+  let(:_Ability) do
+    Class.new do
+      include CanCan::Ability
+    end
+  end
+
+  it "defaults properly" do
+    _Ability.new.protector_subject?.should == false
+  end
+
+  it "initializes properly" do
+    _Ability.class_eval do
+      def initialize(user)
+        import_protector user
+      end
+    end
+
+    ability = _Ability.new('user')
+
+    ability.protector_subject?.should == true
+    ability.protector_subject.should == 'user'
+    ability.can?(:read, _Model).should == false
+    ability.can?(:create, _Model).should == false
+    ability.can?(:update, _Model).should == false
+    ability.can?(:destroy, _Model).should == false
+  end
+
+  it "proxies rules" do
+    _Ability.class_eval do
+      def initialize(user)
+        import_protector user
+      end
+    end
+
+    _Model.class_eval do
+      protect do |user|
+        can :view
+        can :create
+        can :update
+        can :destroy
+        can :test
+      end
+    end
+
+    ability = _Ability.new('user')
+
+    ability.protector_subject?.should == true
+    ability.protector_subject.should == 'user'
+    ability.can?(:read, _Model).should == true
+    ability.can?(:create, _Model).should == true
+    ability.can?(:update, _Model).should == true
+    ability.can?(:destroy, _Model).should == true
+    ability.can?(:test, _Model).should == true
+  end
+end

data/spec/spec_helpers/boot.rb

@@ -0,0 +1,19 @@
+require 'rspec'
+require 'combustion'
+
+RSpec.configure do |config|
+  config.treat_symbols_as_metadata_keys_with_true_values = true
+  config.run_all_when_everything_filtered = true
+  config.filter_run :focus
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = 'random'
+end
+
+Combustion.initialize! :active_record, :action_controller
+
+require 'rspec/rails'
+require 'rspec/autorun'

metadata

@@ -0,0 +1,119 @@
+--- !ruby/object:Gem::Specification
+name: protector-cancan
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Boris Staal
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-07-14 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: protector
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: 0.5.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: 0.5.3
+- !ruby/object:Gem::Dependency
+  name: cancan
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Integration layer between Protector and CanCan
+email:
+- boris@staal.io
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .rspec
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/protector/cancan.rb
+- lib/protector/cancan/ability.rb
+- lib/protector/cancan/resource.rb
+- lib/protector/cancan/version.rb
+- protector-cancan.gemspec
+- spec/controllers/dummies_spec.rb
+- spec/internal/app/controllers/dummies_controller.rb
+- spec/internal/app/models/default_ability.rb
+- spec/internal/app/models/dummy.rb
+- spec/internal/app/models/protector_ability.rb
+- spec/internal/config/database.yml
+- spec/internal/config/routes.rb
+- spec/internal/db/schema.rb
+- spec/internal/log/.gitignore
+- spec/lib/protector/cancan/ability_spec.rb
+- spec/spec_helpers/boot.rb
+homepage: https://github.com/inossidabile/protector-cancan
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.0.2
+signing_key: 
+specification_version: 4
+summary: Integration layer between Protector and CanCan
+test_files:
+- spec/controllers/dummies_spec.rb
+- spec/internal/app/controllers/dummies_controller.rb
+- spec/internal/app/models/default_ability.rb
+- spec/internal/app/models/dummy.rb
+- spec/internal/app/models/protector_ability.rb
+- spec/internal/config/database.yml
+- spec/internal/config/routes.rb
+- spec/internal/db/schema.rb
+- spec/internal/log/.gitignore
+- spec/lib/protector/cancan/ability_spec.rb
+- spec/spec_helpers/boot.rb