radiant-rbac_base-extension 1.3.0

data/.gitignore

@@ -0,0 +1 @@
+.svn

data/HELP_developer.md

@@ -0,0 +1,18 @@
+With RBAC Base you can develop extensions that require their own roles.
+
+## Developing for RBAC Base
+To create an extension that uses it's own role, simply add fields to the
+database:
+  
+    Role.create(:role_name => 'Finance', :allow_empty => false, :description => 'Only users in the Finance role may view financial data')
+    
+Then, your extension will automatically be able to use `current_user.finance?`
+to return a boolean value based on the user being in that role.
+
+By setting `allow_empty` to `false`, the role management interface will
+not allow the last user to be removed from your role.
+
+Once you have the role you need, you can even set the visibility of any
+tabs that you create in your extension with your new role:
+
+    admin.tabs.add "Finance", "/admin/finance", :after => "Pages", :visibility => [:finance]

data/README.markdown

@@ -0,0 +1,30 @@
+# RBAC (Role Based Access Control) Base
+
+This extension is used by authors of other extensions to hide those 
+extensions from users based on admin defined groups. Standard Radiant
+groups consist of admin and developer. This adds the ability
+to create groups such as finance.
+
+Installing:  
+Run 'rake radiant:extensions:rbac_base:migrate'
+
+Installing the public files:  
+Run 'rake radiant:extensions:rbac_base:update'
+
+RBAC Base adds a `roles` table, a `roles_users` table, and creates 
+the `has_and_belongs_to_many` relationship between users and roles.
+
+By default, a configuration setting will allow Admin users to see
+everything. You may change this by setting
+
+    Radiant::Config['roles.admin.sees_everything'] = 'false'
+    
+Then you can, for example, use extensions that require their own roles but
+prevent your client from seeing unimportant technical details or areas that
+may be beyond his or her understanding. So your client may be in the 'Admin'
+role so that they can manage users, but would be restricted from seeing 
+details from your extension.
+
+See more details in HELP_developer.md
+
+Built by Saturn Flyer http://www.saturnflyer.com

data/Rakefile

@@ -0,0 +1,137 @@
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gem|
+    gem.name = "radiant-rbac_base-extension"
+    gem.summary = %Q{RBAC Base Extension for Radiant CMS}
+    gem.description = %Q{Flexible user role management for Radiant.}
+    gem.email = "jim@saturnflyer.com"
+    gem.homepage = "http://github.com/saturnflyer/radiant-rbac_base-extension"
+    gem.authors = ["Jim Gay"]
+    gem.add_dependency 'radiant', '>= 0.9'
+    # gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
+  end
+rescue LoadError
+  puts "Jeweler (or a dependency) not available. This is only required if you plan to package rbac_base as a gem."
+end
+
+# In rails 1.2, plugins aren't available in the path until they're loaded.
+# Check to see if the rspec plugin is installed first and require
+# it if it is.  If not, use the gem version.
+
+# Determine where the RSpec plugin is by loading the boot
+unless defined? RADIANT_ROOT
+  ENV["RAILS_ENV"] = "test"
+  case
+  when ENV["RADIANT_ENV_FILE"]
+    require File.dirname(ENV["RADIANT_ENV_FILE"]) + "/boot"
+  when File.dirname(__FILE__) =~ %r{vendor/radiant/vendor/extensions}
+    require "#{File.expand_path(File.dirname(__FILE__) + "/../../../../../")}/config/boot"
+  else
+    require "#{File.expand_path(File.dirname(__FILE__) + "/../../../")}/config/boot"
+  end
+end
+
+require 'rake'
+require 'rake/rdoctask'
+require 'rake/testtask'
+
+rspec_base = File.expand_path(RADIANT_ROOT + '/vendor/plugins/rspec/lib')
+$LOAD_PATH.unshift(rspec_base) if File.exist?(rspec_base)
+require 'spec/rake/spectask'
+require 'cucumber'
+require 'cucumber/rake/task'
+
+# Cleanup the RADIANT_ROOT constant so specs will load the environment
+Object.send(:remove_const, :RADIANT_ROOT)
+
+extension_root = File.expand_path(File.dirname(__FILE__))
+
+task :default => :spec
+task :stats => "spec:statsetup"
+
+desc "Run all specs in spec directory"
+Spec::Rake::SpecTask.new(:spec) do |t|
+  t.spec_opts = ['--options', "\"#{extension_root}/spec/spec.opts\""]
+  t.spec_files = FileList['spec/**/*_spec.rb']
+end
+
+task :features => 'spec:integration'
+
+namespace :spec do
+  desc "Run all specs in spec directory with RCov"
+  Spec::Rake::SpecTask.new(:rcov) do |t|
+    t.spec_opts = ['--options', "\"#{extension_root}/spec/spec.opts\""]
+    t.spec_files = FileList['spec/**/*_spec.rb']
+    t.rcov = true
+    t.rcov_opts = ['--exclude', 'spec', '--rails']
+  end
+  
+  desc "Print Specdoc for all specs"
+  Spec::Rake::SpecTask.new(:doc) do |t|
+    t.spec_opts = ["--format", "specdoc", "--dry-run"]
+    t.spec_files = FileList['spec/**/*_spec.rb']
+  end
+
+  [:models, :controllers, :views, :helpers].each do |sub|
+    desc "Run the specs under spec/#{sub}"
+    Spec::Rake::SpecTask.new(sub) do |t|
+      t.spec_opts = ['--options', "\"#{extension_root}/spec/spec.opts\""]
+      t.spec_files = FileList["spec/#{sub}/**/*_spec.rb"]
+    end
+  end
+  
+  desc "Run the Cucumber features"
+  Cucumber::Rake::Task.new(:integration) do |t|
+    t.fork = true
+    t.cucumber_opts = ['--format', (ENV['CUCUMBER_FORMAT'] || 'pretty')]
+    # t.feature_pattern = "#{extension_root}/features/**/*.feature"
+    t.profile = "default"
+  end
+
+  # Setup specs for stats
+  task :statsetup do
+    require 'code_statistics'
+    ::STATS_DIRECTORIES << %w(Model\ specs spec/models)
+    ::STATS_DIRECTORIES << %w(View\ specs spec/views)
+    ::STATS_DIRECTORIES << %w(Controller\ specs spec/controllers)
+    ::STATS_DIRECTORIES << %w(Helper\ specs spec/views)
+    ::CodeStatistics::TEST_TYPES << "Model specs"
+    ::CodeStatistics::TEST_TYPES << "View specs"
+    ::CodeStatistics::TEST_TYPES << "Controller specs"
+    ::CodeStatistics::TEST_TYPES << "Helper specs"
+    ::STATS_DIRECTORIES.delete_if {|a| a[0] =~ /test/}
+  end
+
+  namespace :db do
+    namespace :fixtures do
+      desc "Load fixtures (from spec/fixtures) into the current environment's database.  Load specific fixtures using FIXTURES=x,y"
+      task :load => :environment do
+        require 'active_record/fixtures'
+        ActiveRecord::Base.establish_connection(RAILS_ENV.to_sym)
+        (ENV['FIXTURES'] ? ENV['FIXTURES'].split(/,/) : Dir.glob(File.join(RAILS_ROOT, 'spec', 'fixtures', '*.{yml,csv}'))).each do |fixture_file|
+          Fixtures.create_fixtures('spec/fixtures', File.basename(fixture_file, '.*'))
+        end
+      end
+    end
+  end
+end
+
+desc 'Generate documentation for the rbac_base extension.'
+Rake::RDocTask.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'RbacBaseExtension'
+  rdoc.options << '--line-numbers' << '--inline-source'
+  rdoc.rdoc_files.include('README')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+# For extensions that are in transition
+desc 'Test the rbac_base extension.'
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = true
+end
+
+# Load any custom rakefiles for extension
+Dir[File.dirname(__FILE__) + '/tasks/*.rake'].sort.each { |f| require f }

data/VERSION

@@ -0,0 +1 @@
+1.3.0

data/app/controllers/admin/roles_controller.rb

@@ -0,0 +1,91 @@
+class Admin::RolesController < ApplicationController
+  only_allow_access_to :index, :show, :new, :create, :edit, :update, :remove_user, :add_user, :users, :destroy,
+    :when => :admin,
+    :denied_url => { :controller => 'pages', :action => 'index' },
+    :denied_message => 'You must have administrative privileges to edit Roles.'
+  skip_before_filter :verify_authenticity_token, :only => [:users, :remove_user, :add_user]
+  def index
+    @roles = Role.find(:all)
+    @role = Role.new
+  end
+  
+  def show
+    @role = Role.find(params[:id])
+  end
+  
+  def edit
+    
+  end
+  def new
+    
+  end
+  def update
+    @role = Role.find(params[:id])
+    if @role.update_attributes(params[:role])
+      redirect_to admin_role_path(@role)
+    else
+      render :action => 'show'
+    end
+  end
+  
+  def create
+    @role = Role.new(params[:role])
+    @role.save!
+    redirect_to admin_roles_path
+  rescue ActiveRecord::RecordInvalid => invalid
+    flash[:error] = invalid.record.errors.full_messages
+    render :action => :index
+  end
+  
+  def destroy
+    @role = Role.find(params[:id])
+    @role.destroy unless @role.standard?
+    redirect_to admin_roles_path()
+  rescue ActiveRecord::RecordNotFound
+    flash[:error] = 'The specified Role could not be found.'
+    redirect_to :action => :index
+  end
+  
+  def users
+    role = Role.find(params[:role_id])
+    
+    available_users = User.find(:all, :conditions => ['id NOT IN (SELECT user_id FROM roles_users WHERE role_id = ?)', role.id])
+    taken_users = role.users
+    
+    result = {:available => [], :taken => []}
+    
+    available_users.each do | usr |
+      result[:available] << [usr.id, usr.name]
+    end
+    
+    taken_users.each do | usr |
+      result[:taken] << [usr.id, usr.name]
+    end
+    
+    respond_to do |format|
+      format.js { render :json => result.to_json }
+    end
+  end
+  
+  def add_user
+    role = Role.find(params[:role_id])
+    user = User.find(params[:id])
+    
+    if role.users << user
+      render :json => {:status => "Ok", :role_id => role.id, :user_id => user.id }.to_json
+    else
+      render :json => {:status => "Error", :user_id => user.id }.to_json
+    end
+  end
+  
+  def remove_user 
+    role = Role.find(params[:role_id])
+    user = User.find(params[:id])
+    
+    if role.remove_user(user)
+      render :json => {:status => "Ok", :role_id => role.id, :user_id => user.id }.to_json
+    else
+      render :json => {:status => "Error", :user_id => user.id }.to_json
+    end
+  end
+end

data/app/helpers/admin/alterations_helper.rb

@@ -0,0 +1,9 @@
+module Admin::AlterationsHelper
+  def roles(user)
+    list = []
+    user.roles.each do |role|
+      list << role.role_name
+    end
+    list.join(', ')
+  end
+end

data/app/helpers/admin/roles_helper.rb

@@ -0,0 +1,5 @@
+module Admin::RolesHelper
+  def role_spinner(which)
+    image('spinner.gif', :alt => "loading...")
+  end
+end

data/app/models/role.rb

@@ -0,0 +1,33 @@
+class Role < ActiveRecord::Base
+  has_and_belongs_to_many :users
+  validates_uniqueness_of :role_name
+  belongs_to :created_by, :class_name => 'User'
+  belongs_to :updated_by, :class_name => 'User'
+  
+  default_scope :order => ["role_name"]
+  
+  class ProtectedRoleError < StandardError; end
+  
+  before_destroy :verify_non_standard
+  
+  RADIANT_STANDARDS = ['admin', 'designer']
+  
+  def verify_non_standard
+    if standard?
+      raise Role::ProtectedRoleError, "`#{self[:role_name]}' is a protected role and may not be removed."
+    end
+  end
+  
+  def remove_user(user)
+    if users.size <= 1 && allow_empty == false
+      return false
+    else
+      users.delete(user)
+      return true
+    end
+  end
+  
+  def standard?
+    RADIANT_STANDARDS.include?(role_name.downcase)
+  end
+end

data/app/models/role_action_observer.rb

@@ -0,0 +1,13 @@
+class RoleActionObserver < ActiveRecord::Observer
+  observe Role
+  
+  cattr_accessor :current_user
+  
+  def before_create(model)
+    model.created_by = @@current_user
+  end
+  
+  def before_update(model)
+    model.updated_by = @@current_user
+  end
+end

data/app/models/role_user.rb

@@ -0,0 +1,2 @@
+class RoleUser < ActiveRecord::Base
+end

data/app/views/admin/roles/_add_role_form.html.haml

@@ -0,0 +1,4 @@
+- form_for @role, :url => admin_roles_path do |form|
+  %p
+    = form.text_field :role_name
+    = save_model_button(@role)

data/app/views/admin/roles/index.html.haml

@@ -0,0 +1,30 @@
+%h1 Role Management
+%p Use this screen to manage your user roles.
+%p 
+  %strong Caution:
+  Roles are defined as a security mechanism for the extensions that are restricted by user role. User roles are normally added by these extensions at installation time. Removing roles may cause problems with the role based security.  
+  %strong Only remove roles if you absolutely must.
+%h2 Roles
+%table.index
+  %thead
+    %tr
+      %th Role
+      %th # Users
+      %th Description
+      %th Modify
+  %tbody
+    - unless @roles.blank?
+      - @roles.each do |role|
+        %tr
+          %td= link_to role.role_name, admin_role_path(role)
+          %td= role.users.count
+          %td= role.description
+          %td.remove
+            - unless role.standard?
+              = link_to 'Remove', admin_role_path(role), :confirm => "Are you sure?", :method => :delete
+    - else
+      %tr
+        %td{ :colspan => 4} No Roles yet created.
+#actions
+  = render :partial => 'add_role_form'
+- include_stylesheet 'rbac/rbac'

data/app/views/admin/roles/show.html.haml

@@ -0,0 +1,29 @@
+- include_javascript 'admin/dragdrop'
+- include_javascript 'rbac/admin/role_details'
+- include_stylesheet 'rbac/rbac'
+- @body_classes ||= [].tap{|a| a << 'reversed'}
+%h1= @role.role_name
+%script{:language => "javascript"}
+  = "var role_id = #{@role.id};"
+%p Drag and drop users between the lists below to add or remove them from this role. The changes that you make will take effect immediately.
+%h2 Active Users
+%ul#taken_users.UserList{:multiple => "multiple"}
+  %li#busy_taken.rbac_busy_marker= role_spinner 'taken'
+
+%h2 Available Users
+%ul#available_users.UserList{:multiple => "multiple"}
+  %li#busy_available.rbac_busy_marker= role_spinner 'available'
+
+%h3 Edit Role Details
+.form-area
+  - form_for @role, :url => admin_role_path(@role) do |f|
+    %p.title
+      = f.label :description
+      = f.text_field :description, :class => 'textbox'
+    %p
+      = f.check_box :allow_empty, :class => 'checkbox'
+      = f.label :allow_empty, "Allow this role to have no users.", :class => 'checkbox'
+    %p
+      = f.submit
+      or
+      = link_to "Cancel", admin_roles_path()

data/app/views/admin/users/preferences.html.haml

@@ -0,0 +1,34 @@
+%h1 User Preferences
+
+- form_tag do
+  %table.fieldset{:cellpadding=>0, :cellspacing=>0, :border=>0}
+    %tr
+      %th.label
+        %label{:for=>"user_password"} Password
+      %td.field
+        = password_field "user", "password", :class => 'textbox', :value => '', :maxlength => 40
+      %td.help{:rowspan=>2}
+        At least 5 characters. Leave password blank for it to remain unchanged.
+    %tr
+      %th.label
+        %label{:for=>"user_password_confirmation"} Confirm Password
+      %td.field
+        = password_field "user", "password_confirmation", :class => 'textbox', :value => '', :maxlength => 40
+    %tr
+      %th.label
+        %label{:for=>"user_email"} E-mail
+      %td.field
+        = text_field "user", "email", :class => 'textbox', :maxlength => 255
+      %td.help Optional.
+    - unless @user.roles.blank?
+      %tr
+        %th.label Your Roles
+        %td
+          = roles(@user)
+        %td.help Your roles are assigned to you by an Admin and control your access to parts of this interface.
+  %p.buttons
+    = save_model_button @user
+    or
+    = link_to 'Cancel', admin_url
+
+= javascript_tag "$('user_password').activate();"