rails-doorman 0.1.0

data/LICENSE

@@ -0,0 +1,21 @@
+Copyright (c) 2008 Michael D. Ivey <ivey@gweezlebur.com>
+Copyright (c) 2009 Jeremy Burks <jeremy.burks@gmail.com>
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,94 @@
+= rails-doorman
+
++rails-doorman+ is an authorization plugin for Ruby on Rails applications. This code was orignally written by Michael D. Ivey for Merb.
+
+== Configuration
+
+Doorman expects the controller to respond to +current_user+
+
+The +:role+ option expects +current_user+ to respond to +has_role?(role_name)+. To change the default assign the option a new value:
+
+  Doorman.options[:has_role_method]
+
+The +:user+ option expects +current_user+ to respond to +login+. To change the default assign the option a new value:
+
+  Doorman.options[:user_identifier_method]
+
+== Usage
+
+=== Controllers
+
+  class Admin::ArticlesController < AdminController
+    allow :role => :admin
+  end
+
+  allow :role => :admin                         # current_user.has_role?(:admin)
+  deny :role => :troll 
+  allow :role => :admin, :exclude => :show
+  allow :role => :troll, :only => :index
+
++rails-doorman+ supports more than roles.
+
+  allow :user => :nancy                     # current_user.login.to_sym == 'nancy'.to_sym
+  allow :host => 'allowed.example.org'      # request.host =~ Regexp.new('allowed.example.org')
+  deny :host => 'denied.example.org'
+  deny :user_agent => /MSIE/                # request.user_agent =~ Regexp.new(/MSIE/)
+
+=== Views
+
+All rules can be used in views.
+
+  <% allow(:role => :admin) do %>
+    <h1>Allowed</h1>
+  <% end %>
+
+  <% deny(:role => :troll) do %>
+    <h1>Allowed</h1>
+  <% end %>
+
+=== Unauthorized
+
+When a rule fails a Doorman::Unauthorized error is raised. The error
+can be caught in ApplicationController#rescue_action_in_public.
+
+  class ApplicationController < ActionController::Base
+    private
+    def rescue_action_in_public(exception)
+      case exception
+      when Doorman::InvalidRule
+        render :text => 'Invalid Rule', :status => '500 Internal Server Error'
+      when Doorman::Unauthorized
+        render :text => 'Unauthorized', :status => '401 Unauthorized'
+      else
+        super(exception)
+      end
+    end
+  end
+
+== Resources
+
+Development
+
+* http://github.com/jrun/rails-doorman
+
+Source
+
+* git://github.com/jrun/rails-doorman.git
+
+Bugs
+
+* http://github.com/jrun/rails-doorman/issues
+
+
+== TODO
+
+=== Rule inheritance
+
+Controller subclasses do not inherit its parents rules. This is more
+like a bug than a todo.
+
+===  More configurable
+
++rails-doorman+ should be configurable but in what ways?
+
+

data/Rakefile

@@ -0,0 +1,89 @@
+require 'rubygems'
+require 'spec/rake/spectask'
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gem|
+    gem.name = 'rails-doorman'
+    gem.summary = 'Ruby on Rails authorization plugin'
+    gem.description = 'Ruby on Rails authorization plugin'
+    gem.has_rdoc = false
+    gem.email = 'jeremy.burks@gmail.com'
+    gem.homepage = "http://jrun.github.com/rails-doorman"
+    gem.authors = ["Jeremy Burks"]
+    gem.files = %w(LICENSE README.rdoc Rakefile) + Dir.glob("{rails,lib,spec,features}/**/*")
+    gem.add_dependency('rails', '>= 2.3.2')
+    gem.add_development_dependency "rspec", ">= 1.2.9"
+    gem.add_development_dependency "rspec-rails", ">= 1.2.9"
+    gem.add_development_dependency "cucumber", ">= 0"
+    gem.add_development_dependency 'yard', '~> 0.4.0'    
+    gem.add_development_dependency 'grancher', '> 0'
+
+    desc "Install development dependencies."
+    task :setup do
+      gems = ::Gem::SourceIndex.from_installed_gems
+      gem.dependencies.each do |dep|
+        if gems.find_name(dep.name, dep.version_requirements).empty?
+          puts "Installing dependency: #{dep}"
+          system %Q|gem install #{dep.name} -v "#{dep.version_requirements}"  --development|
+        end
+      end
+    end
+    
+    desc "Build and reinstall the gem locally."
+    task :reinstall => :build  do
+      version = File.read('VERSION')
+      if (system("gem list #{gem.name} -l") || "")  =~ /#{gem.name}-#{version}/
+        system "gem uninstall #{gem.name}"
+      end
+      system "gem install --no-rdoc --no-ri -l pkg/#{gem.name}-#{version}"
+    end
+  end
+
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts "Jeweler (or a dependency) not available. Install it with: sudo gem install jeweler"
+end
+
+desc "Run the examples"
+Spec::Rake::SpecTask.new do |t|
+  t.spec_files = ["spec/**/*_spec.rb"]
+  t.spec_opts = %w[--color --format specdoc --diff]  
+end
+
+Spec::Rake::SpecTask.new(:rcov) do |spec|
+  spec.libs << 'lib' << 'spec'
+  spec.pattern = 'spec/**/*_spec.rb'
+  spec.rcov = true
+end
+
+require 'cucumber/rake/task'
+Cucumber::Rake::Task.new(:features) do |t|
+  t.cucumber_opts = "--format pretty"
+end
+
+task :spec => :check_dependencies
+task :default => [:spec, :features]
+task :build => [:spec, :features, :yard]
+
+begin
+  require 'yard'
+  YARD::Rake::YardocTask.new
+rescue LoadError
+  task :yard do
+    abort "YARD is not available. Run 'rake setup' to install all development dependencies."
+  end
+end
+
+begin
+  require 'grancher/task'
+  Grancher::Task.new do |g|
+    g.branch = 'gh-pages'
+    g.push_to = 'origin'
+    g.directory 'doc'
+  end
+rescue LoadError
+  task :publish do
+    abort "grancher is not available. Run 'rake setup' to install all development dependencies."
+  end
+end

data/features/doorman.feature

@@ -0,0 +1,99 @@
+Feature: Manage Access
+  In order to 
+  As a
+  I want to
+
+  Scenario: Allow all by default
+    When I go to /allow_all_by_default
+    Then I should be authorized
+
+  Scenario: Explicitly allow all
+    When I go to /explicitly_allow_all
+    Then I should be authorized
+
+  Scenario: Unauthorized when explicitly denying all
+    When I go to /deny_all
+    Then I should not be authorized
+
+  Scenario: Authorized when the user is allowed
+    Given I am Nancy
+    When I go to /allowed_user
+    Then I should be authorized
+
+  Scenario: Unauthorized when the user is not allowed
+    Given I am Jackie Boy
+    When I go to /allowed_user
+    Then I should not be authorized
+
+  Scenario: Authorized when the user belongs to the allowed rule
+    Given I have the role admin
+    When I go to /allowed_role
+    Then I should be authorized
+
+  Scenario: Unauthorized when the user does not belong to the rule
+    Given I have the role not_admin
+    When I go to /allowed_role
+    Then I should not be authorized
+
+  Scenario: Authorized when the user does not belong to the denied role
+    When I go to /denied_role
+    Then I should be authorized
+
+  Scenario: Unauthorized when the user belongs to the denied role
+    Given I have the role troll
+    When I go to /denied_role
+    Then I should not be authorized
+
+  Scenario: Authorized when the user belongs to an allowed role
+    Given I have the role admin
+    When I go to /allowed_and_denied_roles
+    Then I should be authorized
+
+  Scenario: Unauthorized when the user belongs to the denied role
+    Given I have the role troll
+    When I go to /allowed_and_denied_roles
+    Then I should not be authorized
+
+  Scenario: Unauthorized when the user does not belong to the role
+     Given I have no roles
+     When I go to /allowed_role_with_only/show
+     Then I should not be authorized
+
+  Scenario: Authorized when he user belongs to the role
+    Given I have the role admin
+    When I go to /allowed_role_with_only/show
+    Then I should be authorized
+    Given I have no roles
+    When I go to /allowed_role_with_only
+    Then I should be authorized
+
+  Scenario: Authorized when the rule does not apply to the action
+    Given I have the role admin
+    When I go to /allowed_role_with_only
+    Then I should be authorized
+
+  Scenario: Unauthorized when the host is not explicitly allowed
+    When I go to /access_control_by_host
+    Then I should not be authorized
+
+  Scenario: Unauthorized when authorizing via role and there is not a current user
+    When There is no current user
+    And  I go to /allowed_role
+    Then I should not be authorized
+
+
+  Scenario: View Helpers - Allow
+    Given I have the role admin
+    When I go to /view_helpers/allow_via_role
+    Then I should see "Allowed"
+    Given I have no roles
+    When I go to /view_helpers/allow_via_role
+    Then I should not see "Allowed"
+
+  Scenario: View Helpers - Deny
+    Given I have no roles
+    When I go to /view_helpers/deny_via_role
+    Then I should see "Allowed"
+    Given I have the role troll
+    When I go to /view_helpers/deny_via_role
+    Then I should not see "Allowed"

data/features/step_definitions/common_steps.rb

@@ -0,0 +1,25 @@
+Given /^I am (.*)$/ do |name|
+  ApplicationController.reset_current_user
+  ApplicationController.current_user.login = name.downcase
+end
+
+Given /^I have no roles$/ do
+  ApplicationController.reset_current_user
+end
+
+Given /^I have the role (.*)$/ do |role|
+  Given "I have no roles"
+  ApplicationController.current_user.roles << role.to_sym
+end
+
+Then /^I should be authorized$/ do
+  response.should be_authorized
+end
+
+Then /^I should not be authorized$/ do
+  response.should be_unauthorized
+end
+
+When /^There is no current user$/ do
+  ApplicationController.nil_current_user
+end

data/features/step_definitions/webrat_steps.rb

@@ -0,0 +1,115 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "..", "support", "paths"))
+
+# Commonly used webrat steps
+# http://github.com/brynary/webrat
+
+Given /^I am on (.+)$/ do |page_name|
+  visit path_to(page_name)
+end
+
+When /^I go to (.+)$/ do |page_name|
+  visit path_to(page_name)
+end
+
+When /^I press "([^\"]*)"$/ do |button|
+  click_button(button)
+end
+
+When /^I follow "([^\"]*)"$/ do |link|
+  click_link(link)
+end
+
+When /^I fill in "([^\"]*)" with "([^\"]*)"$/ do |field, value|
+  fill_in(field, :with => value) 
+end
+
+When /^I select "([^\"]*)" from "([^\"]*)"$/ do |value, field|
+  select(value, :from => field) 
+end
+
+# Use this step in conjunction with Rail's datetime_select helper. For example:
+# When I select "December 25, 2008 10:00" as the date and time 
+When /^I select "([^\"]*)" as the date and time$/ do |time|
+  select_datetime(time)
+end
+
+# Use this step when using multiple datetime_select helpers on a page or 
+# you want to specify which datetime to select. Given the following view:
+#   <%= f.label :preferred %><br />
+#   <%= f.datetime_select :preferred %>
+#   <%= f.label :alternative %><br />
+#   <%= f.datetime_select :alternative %>
+# The following steps would fill out the form:
+# When I select "November 23, 2004 11:20" as the "Preferred" data and time
+# And I select "November 25, 2004 10:30" as the "Alternative" data and time
+When /^I select "([^\"]*)" as the "([^\"]*)" date and time$/ do |datetime, datetime_label|
+  select_datetime(datetime, :from => datetime_label)
+end
+
+# Use this step in conjunction with Rail's time_select helper. For example:
+# When I select "2:20PM" as the time
+# Note: Rail's default time helper provides 24-hour time-- not 12 hour time. Webrat
+# will convert the 2:20PM to 14:20 and then select it. 
+When /^I select "([^\"]*)" as the time$/ do |time|
+  select_time(time)
+end
+
+# Use this step when using multiple time_select helpers on a page or you want to
+# specify the name of the time on the form.  For example:
+# When I select "7:30AM" as the "Gym" time
+When /^I select "([^\"]*)" as the "([^\"]*)" time$/ do |time, time_label|
+  select_time(time, :from => time_label)
+end
+
+# Use this step in conjunction with Rail's date_select helper.  For example:
+# When I select "February 20, 1981" as the date
+When /^I select "([^\"]*)" as the date$/ do |date|
+  select_date(date)
+end
+
+# Use this step when using multiple date_select helpers on one page or
+# you want to specify the name of the date on the form. For example:
+# When I select "April 26, 1982" as the "Date of Birth" date
+When /^I select "([^\"]*)" as the "([^\"]*)" date$/ do |date, date_label|
+  select_date(date, :from => date_label)
+end
+
+When /^I check "([^\"]*)"$/ do |field|
+  check(field) 
+end
+
+When /^I uncheck "([^\"]*)"$/ do |field|
+  uncheck(field) 
+end
+
+When /^I choose "([^\"]*)"$/ do |field|
+  choose(field)
+end
+
+When /^I attach the file at "([^\"]*)" to "([^\"]*)"$/ do |path, field|
+  attach_file(field, path)
+end
+
+Then /^I should see "([^\"]*)"$/ do |text|
+  response.should contain(text)
+end
+
+Then /^I should not see "([^\"]*)"$/ do |text|
+  response.should_not contain(text)
+end
+
+Then /^the "([^\"]*)" field should contain "([^\"]*)"$/ do |field, value|
+  field_labeled(field).value.should =~ /#{value}/
+end
+
+Then /^the "([^\"]*)" field should not contain "([^\"]*)"$/ do |field, value|
+  field_labeled(field).value.should_not =~ /#{value}/
+end
+    
+Then /^the "([^\"]*)" checkbox should be checked$/ do |label|
+  field_labeled(label).should be_checked
+end
+
+Then /^I should be on (.+)$/ do |page_name|
+  URI.parse(current_url).path.should == path_to(page_name)
+end