rails-doorman 0.1.0

data/features/support/authorized_matcher.rb

@@ -0,0 +1,29 @@
+class BeAuthorized
+  def matches?(response)
+    @response = response
+    @response.status == "200 OK" && @response.body == 'Allowed Access'
+  end
+
+  # ==== Returns
+  # String:: The failure message.
+  def failure_message
+<<-EOS
+expected the response from #{@response.request.url}
+to have the status 200 OK and body 'Allowed Access'"
+but the status is #{@response.status} and the body is '#{@response.body}'"
+EOS
+end
+
+  # ==== Returns
+  # String:: The failure message to be displayed in negative matches.
+  def negative_failure_message
+<<-EOS
+expected the response from #{@response.request.url}
+not to have the status 200 Ok and body 'Allowed Access'"
+EOS
+  end
+end
+
+def be_authorized
+  BeAuthorized.new
+end

data/features/support/env.rb

@@ -0,0 +1,16 @@
+ENV["RAILS_ENV"] ||= "test"
+
+require File.expand_path(File.dirname(__FILE__) + '/../../spec/fixtures/app/config/environment')  
+require 'cucumber/rails/world'
+require 'cucumber/rails/rspec'
+require 'cucumber/formatter/unicode'
+
+require 'webrat'
+require 'webrat/core/matchers'
+
+# grrr, finding this sucked
+ActionController::Base.allow_rescue = true
+
+Webrat.configure do |config|  
+  config.mode = :rails
+end

data/features/support/paths.rb

@@ -0,0 +1,19 @@
+module NavigationHelpers
+  # Maps a static name to a static route.
+  #
+  # This method is *not* designed to map from a dynamic name to a 
+  # dynamic route like <tt>post_comments_path(post)</tt>. For dynamic 
+  # routes like this you should *not* rely on #path_to, but write 
+  # your own step definitions instead. Example:
+  #
+  #   Given /I am on the comments page for the "(.+)" post/ |name|
+  #     post = Post.find_by_name(name)
+  #     visit post_comments_path(post)
+  #   end
+  #
+  def path_to(page_name)
+    page_name
+  end
+end
+
+World(NavigationHelpers)

data/features/support/unauthorized_matcher.rb

@@ -0,0 +1,29 @@
+class BeUnauthorized
+  def matches?(response)
+    @response = response
+    @response.status == '401 Unauthorized' && @response.body == 'Unauthorized'
+  end
+
+  # ==== Returns
+  # String:: The failure message.
+  def failure_message
+<<-EOS
+expected the response from #{@response.request.url}
+to have the status 401 Unauthorized and body 'Unauthorized'"
+but the status is #{@response.status} and the body is '#{@response.body}'"
+EOS
+  end
+
+  # ==== Returns
+  # String:: The failure message to be displayed in negative matches.
+  def negative_failure_message
+<<-EOS
+expected the response from #{@response.request.url}
+not to have the status 200 Ok and body 'Allowed Access'"
+EOS
+  end
+end
+
+def be_unauthorized
+  BeUnauthorized.new
+end

data/lib/doorman.rb

@@ -0,0 +1,111 @@
+require 'doorman/rule'
+require 'doorman/helpers'
+
+module Doorman
+  class Unauthorized < StandardError; end
+  
+  class << self
+    def options
+      @options ||= {
+        :user_identifier_method => :login,
+        :has_role_method => :has_role?
+      }
+    end
+    
+    SUPPORTED_METHODS = [:block, :host, :role, :user, :user_agent].freeze
+    
+    def supported_method?(method)
+      SUPPORTED_METHODS.include?(method)
+    end
+              
+    def included(base)
+      base.extend(ClassMethods)
+      base.class_eval do
+        include InstanceMethods
+        include SharedMethods
+        helper Doorman::SharedMethods, Doorman::Helpers
+        before_filter :_doorman_check_acl
+      end
+    end
+  end
+      
+  module ClassMethods
+    def _doorman_list
+      @_doorman_list ||= []
+    end
+    
+    def _doorman_default
+      @_doorman_default ||= :allow
+    end
+    
+    def  deny(*args, &block)
+      _add_acl(:deny, args, block)
+    end
+    
+    def allow(*args, &block)
+      _add_acl(:allow, args, block)
+    end
+    
+    def _clear_acl_list
+      @_doorman_list = nil
+    end
+    
+    def _add_acl(type, args, block)
+      opts = args.is_a?(Array) ? args.first : args
+      if opts == :all
+        @_doorman_default = type
+        return true
+      end
+      if block
+        _doorman_list << Rule.from_block(type, opts, &block)
+      else
+        _doorman_list << Rule.from_hash(type, opts)
+      end
+    end
+  end
+  
+  module InstanceMethods
+    private
+    def _doorman_check_acl
+      allowed = false
+      self.class._doorman_list.each do |rule|
+        next unless rule.evaluate?(self.action_name)
+        if _check_rule(rule)
+          allowed = true
+        else
+          raise Unauthorized
+        end
+      end
+      if self.class._doorman_default == :deny && !allowed
+        raise Unauthorized
+      end
+    end
+  end
+
+  module SharedMethods
+    # self can either be in a controller or view context. 
+    private
+    def _check_rule(rule)
+      match = case rule.method
+        when :block
+          rule.value.call(self)            
+        when :host
+          request.host =~ Regexp.new(rule.value)
+        when :role
+          current_user && current_user.send(Doorman.options[:has_role_method], rule.value)
+        when :user
+          current_user && current_user.send(Doorman.options[:user_identifier_method]).to_sym  == rule.value.to_sym
+        when :user_agent 
+          request.user_agent =~ Regexp.new(rule.value)
+        else
+          false
+        end
+      rule.deny? ? !match : match
+    end
+  end
+  
+end
+
+ActionController::Base.class_eval do
+  include Doorman
+end

data/lib/doorman/helpers.rb

@@ -0,0 +1,17 @@
+
+module Doorman
+  module Helpers
+    def allow(*args, &blk)
+      _capture_within_rule_context(:allow, args, &blk)
+    end
+    
+    def deny(*args, &blk)
+      _capture_within_rule_context(:deny, args, &blk)
+    end        
+    
+    def _capture_within_rule_context(type, args, &blk)
+      _check_rule(Doorman::Rule.from_hash(type, args.first)) ? blk.call  : ""
+    end
+    private :_capture_within_rule_context
+  end  
+end

data/lib/doorman/rule.rb

@@ -0,0 +1,59 @@
+
+module Doorman
+  class InvalidRule < StandardError
+    def initialize(*args)
+      super "rails_doorman: invalid rule #{args.inspect}"
+    end
+  end
+      
+  class Rule
+    def self.from_hash(type, opts)
+      rule = new(type)
+      h = opts.except(:only, :exclude)
+      if h.size > 1
+        raise InvalidRule.new(type, opts)
+      end
+      rule.method = h.keys.first.to_sym
+      unless Doorman.supported_method?(rule.method)
+        raise InvalidRule.new(type, opts)
+      end
+      rule.value = h.values.first
+      rule.limits = extract_limits(opts)
+      rule
+    end
+    
+    def self.from_block(type, opts = nil, &block)
+      unless block.arity == 1
+        raise InvalidRule.new(type, opts, block)
+      end
+      opts ||= {}
+      rule = new(type)
+      rule.method = :block
+      rule.value = block
+      rule.limits = extract_limits(opts)
+      rule
+    end
+    
+    def self.extract_limits(h)
+      h.slice(:only, :exclude).inject({}) do |limits, kv| 
+        limits.merge!(kv.first => Array(kv.last).map {|limit| limit.to_sym })
+      end
+    end
+    
+    attr_accessor :type, :method, :value, :limits
+    
+    def initialize(type)
+      @type, @limits = type, {}
+    end
+    
+    def deny?
+      type == :deny
+    end
+    
+    def evaluate?(action_name)
+      (!limits.key?(:only) || limits[:only].include?(action_name.to_sym)) &&
+        (!limits.key?(:exclude) || !limits[:exclude].include?(action_name.to_sym))
+    end
+  end
+  
+end

data/rails/init.rb

@@ -0,0 +1 @@
+require 'doorman'

data/spec/fixtures/app/README

@@ -0,0 +1,243 @@
+== Welcome to Rails
+
+Rails is a web-application framework that includes everything needed to create 
+database-backed web applications according to the Model-View-Control pattern. 
+
+This pattern splits the view (also called the presentation) into "dumb" templates
+that are primarily responsible for inserting pre-built data in between HTML tags.
+The model contains the "smart" domain objects (such as Account, Product, Person,
+Post) that holds all the business logic and knows how to persist themselves to
+a database. The controller handles the incoming requests (such as Save New Account,
+Update Product, Show Post) by manipulating the model and directing data to the view.
+
+In Rails, the model is handled by what's called an object-relational mapping
+layer entitled Active Record. This layer allows you to present the data from
+database rows as objects and embellish these data objects with business logic
+methods. You can read more about Active Record in
+link:files/vendor/rails/activerecord/README.html.
+
+The controller and view are handled by the Action Pack, which handles both
+layers by its two parts: Action View and Action Controller. These two layers
+are bundled in a single package due to their heavy interdependence. This is
+unlike the relationship between the Active Record and Action Pack that is much
+more separate. Each of these packages can be used independently outside of
+Rails.  You can read more about Action Pack in
+link:files/vendor/rails/actionpack/README.html.
+
+
+== Getting Started
+
+1. At the command prompt, start a new Rails application using the <tt>rails</tt> command
+   and your application name. Ex: rails myapp
+2. Change directory into myapp and start the web server: <tt>script/server</tt> (run with --help for options)
+3. Go to http://localhost:3000/ and get "Welcome aboard: You're riding the Rails!"
+4. Follow the guidelines to start developing your application
+
+
+== Web Servers
+
+By default, Rails will try to use Mongrel if it's are installed when started with script/server, otherwise Rails will use WEBrick, the webserver that ships with Ruby. But you can also use Rails
+with a variety of other web servers.
+
+Mongrel is a Ruby-based webserver with a C component (which requires compilation) that is
+suitable for development and deployment of Rails applications. If you have Ruby Gems installed,
+getting up and running with mongrel is as easy as: <tt>gem install mongrel</tt>.
+More info at: http://mongrel.rubyforge.org
+
+Say other Ruby web servers like Thin and Ebb or regular web servers like Apache or LiteSpeed or
+Lighttpd or IIS. The Ruby web servers are run through Rack and the latter can either be setup to use
+FCGI or proxy to a pack of Mongrels/Thin/Ebb servers.
+
+== Apache .htaccess example for FCGI/CGI
+
+# General Apache options
+AddHandler fastcgi-script .fcgi
+AddHandler cgi-script .cgi
+Options +FollowSymLinks +ExecCGI
+
+# If you don't want Rails to look in certain directories,
+# use the following rewrite rules so that Apache won't rewrite certain requests
+# 
+# Example:
+#   RewriteCond %{REQUEST_URI} ^/notrails.*
+#   RewriteRule .* - [L]
+
+# Redirect all requests not available on the filesystem to Rails
+# By default the cgi dispatcher is used which is very slow
+# 
+# For better performance replace the dispatcher with the fastcgi one
+#
+# Example:
+#   RewriteRule ^(.*)$ dispatch.fcgi [QSA,L]
+RewriteEngine On
+
+# If your Rails application is accessed via an Alias directive,
+# then you MUST also set the RewriteBase in this htaccess file.
+#
+# Example:
+#   Alias /myrailsapp /path/to/myrailsapp/public
+#   RewriteBase /myrailsapp
+
+RewriteRule ^$ index.html [QSA]
+RewriteRule ^([^.]+)$ $1.html [QSA]
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteRule ^(.*)$ dispatch.cgi [QSA,L]
+
+# In case Rails experiences terminal errors
+# Instead of displaying this message you can supply a file here which will be rendered instead
+# 
+# Example:
+#   ErrorDocument 500 /500.html
+
+ErrorDocument 500 "<h2>Application error</h2>Rails application failed to start properly"
+
+
+== Debugging Rails
+
+Sometimes your application goes wrong.  Fortunately there are a lot of tools that
+will help you debug it and get it back on the rails.
+
+First area to check is the application log files.  Have "tail -f" commands running
+on the server.log and development.log. Rails will automatically display debugging
+and runtime information to these files. Debugging info will also be shown in the
+browser on requests from 127.0.0.1.
+
+You can also log your own messages directly into the log file from your code using
+the Ruby logger class from inside your controllers. Example:
+
+  class WeblogController < ActionController::Base
+    def destroy
+      @weblog = Weblog.find(params[:id])
+      @weblog.destroy
+      logger.info("#{Time.now} Destroyed Weblog ID ##{@weblog.id}!")
+    end
+  end
+
+The result will be a message in your log file along the lines of:
+
+  Mon Oct 08 14:22:29 +1000 2007 Destroyed Weblog ID #1
+
+More information on how to use the logger is at http://www.ruby-doc.org/core/
+
+Also, Ruby documentation can be found at http://www.ruby-lang.org/ including:
+
+* The Learning Ruby (Pickaxe) Book: http://www.ruby-doc.org/docs/ProgrammingRuby/
+* Learn to Program: http://pine.fm/LearnToProgram/  (a beginners guide)
+
+These two online (and free) books will bring you up to speed on the Ruby language
+and also on programming in general.
+
+
+== Debugger
+
+Debugger support is available through the debugger command when you start your Mongrel or
+Webrick server with --debugger. This means that you can break out of execution at any point
+in the code, investigate and change the model, AND then resume execution! 
+You need to install ruby-debug to run the server in debugging mode. With gems, use 'gem install ruby-debug'
+Example:
+
+  class WeblogController < ActionController::Base
+    def index
+      @posts = Post.find(:all)
+      debugger
+    end
+  end
+
+So the controller will accept the action, run the first line, then present you
+with a IRB prompt in the server window. Here you can do things like:
+
+  >> @posts.inspect
+  => "[#<Post:0x14a6be8 @attributes={\"title\"=>nil, \"body\"=>nil, \"id\"=>\"1\"}>,
+       #<Post:0x14a6620 @attributes={\"title\"=>\"Rails you know!\", \"body\"=>\"Only ten..\", \"id\"=>\"2\"}>]"
+  >> @posts.first.title = "hello from a debugger"
+  => "hello from a debugger"
+
+...and even better is that you can examine how your runtime objects actually work:
+
+  >> f = @posts.first
+  => #<Post:0x13630c4 @attributes={"title"=>nil, "body"=>nil, "id"=>"1"}>
+  >> f.
+  Display all 152 possibilities? (y or n)
+
+Finally, when you're ready to resume execution, you enter "cont"
+
+
+== Console
+
+You can interact with the domain model by starting the console through <tt>script/console</tt>.
+Here you'll have all parts of the application configured, just like it is when the
+application is running. You can inspect domain models, change values, and save to the
+database. Starting the script without arguments will launch it in the development environment.
+Passing an argument will specify a different environment, like <tt>script/console production</tt>.
+
+To reload your controllers and models after launching the console run <tt>reload!</tt>
+
+== dbconsole
+
+You can go to the command line of your database directly through <tt>script/dbconsole</tt>.
+You would be connected to the database with the credentials defined in database.yml.
+Starting the script without arguments will connect you to the development database. Passing an
+argument will connect you to a different database, like <tt>script/dbconsole production</tt>.
+Currently works for mysql, postgresql and sqlite.
+
+== Description of Contents
+
+app
+  Holds all the code that's specific to this particular application.
+
+app/controllers
+  Holds controllers that should be named like weblogs_controller.rb for
+  automated URL mapping. All controllers should descend from ApplicationController
+  which itself descends from ActionController::Base.
+
+app/models
+  Holds models that should be named like post.rb.
+  Most models will descend from ActiveRecord::Base.
+
+app/views
+  Holds the template files for the view that should be named like
+  weblogs/index.html.erb for the WeblogsController#index action. All views use eRuby
+  syntax.
+
+app/views/layouts
+  Holds the template files for layouts to be used with views. This models the common
+  header/footer method of wrapping views. In your views, define a layout using the
+  <tt>layout :default</tt> and create a file named default.html.erb. Inside default.html.erb,
+  call <% yield %> to render the view using this layout.
+
+app/helpers
+  Holds view helpers that should be named like weblogs_helper.rb. These are generated
+  for you automatically when using script/generate for controllers. Helpers can be used to
+  wrap functionality for your views into methods.
+
+config
+  Configuration files for the Rails environment, the routing map, the database, and other dependencies.
+
+db
+  Contains the database schema in schema.rb.  db/migrate contains all
+  the sequence of Migrations for your schema.
+
+doc
+  This directory is where your application documentation will be stored when generated
+  using <tt>rake doc:app</tt>
+
+lib
+  Application specific libraries. Basically, any kind of custom code that doesn't
+  belong under controllers, models, or helpers. This directory is in the load path.
+
+public
+  The directory available for the web server. Contains subdirectories for images, stylesheets,
+  and javascripts. Also contains the dispatchers and the default HTML files. This should be
+  set as the DOCUMENT_ROOT of your web server.
+
+script
+  Helper scripts for automation and generation.
+
+test
+  Unit and functional tests along with fixtures. When using the script/generate scripts, template
+  test files will be generated for you and placed in this directory.
+
+vendor
+  External libraries that the application depends on. Also includes the plugins subdirectory.
+  If the app has frozen rails, those gems also go here, under vendor/rails/.
+  This directory is in the load path.