restful_acl 2.0.7 → 2.1

data/{MIT-LICENSE → LICENSE}

@@ -1,4 +1,4 @@
-Copyright (c) 2008 Matt Darby
+Copyright (c) 2009 Matt Darby
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.textile

@@ -20,8 +20,8 @@ Add the gem to your environment.rb file as thus:
 
 RESTful_ACL requires two named routes: "error" and "denied". Add the following to your routes.rb file:
 <pre>
-  map.error '/error', :controller => 'some_controller', :action => 'error_action'
-  map.denied '/denied', :controller => 'some_controller', :action => 'denied_action'
+  map.error 'error', :controller => 'some_controller', :action => 'error_action'
+  map.denied 'denied', :controller => 'some_controller', :action => 'denied_action'
 </pre>
 
 h3. How to Use
@@ -32,15 +32,15 @@ Add @before_filter :has_permission?@ into any controller that you'd like to rest
 
 h4. Models
 
-Define a parent resource (if one exists) by using the @logical_parent@ method, and define the following five methods in the model of every resource you'd like to restrict access to. The five methods can contain anything you'd like so long as they return a boolean true or false. This allows you to define your User's roles any way you wish. 
+Define a parent resource (if one exists) by using the @logical_parent@ method, and define the following five methods in the model of every resource you'd like to restrict access to. The five methods can contain anything you'd like so long as they return a boolean true or false. This allows you to define your User's roles any way you wish.
 
 <pre>
   class Issue < ActiveRecord::Base
     logical_parent :some_model_name
-    
+
     # This method checks permissions for the :index action
     def self.is_indexable_by(user, parent = nil)
-      
+
     end
 
     # This method checks permissions for the :create and :new action
@@ -65,6 +65,17 @@ Define a parent resource (if one exists) by using the @logical_parent@ method, a
   end
 </pre>
 
+h5. Singleton Resources
+
+RESTful_ACL 2.1+ supports singleton resources. Just pass @:singleton@ to the @logical_parent@
+
+<pre>
+  class Car < ActiveRecord::Base
+    logical_parent :owner, :singleton
+    ...
+  end
+</pre>
+
 h4. View Helpers
 
 There are five view helpers also included in RESTful_ACL: @#indexable@, @#creatable@, @#readable@, @#updatable@, and @#deletable@. These enable you to do nifty things like:
@@ -83,18 +94,18 @@ Let's say that you have two resources: Project and Issue. A Project has many Iss
 <pre>
   class Issue < ActiveRecord::Base
     logical_parent :project
-    
+
     belongs_to :author
     belongs_to :project
 
     def self.is_indexable_by(user, parent = nil)
       user.projects.include?(parent)
     end
-  
+
     def self.is_creatable_by(user, parent = nil)
       user.projects.include?(parent)
     end
-  
+
     def is_updatable_by(user, parent = nil)
       user == author && parent.is_active?
     end
@@ -121,7 +132,7 @@ I normally do something along these lines in RSpec:
     before do
       @project = mock_model(Project)
       @author  = mock_model(User, :projects => [@project])
-    
+
       @issue = Issue.factory_girl(:issue, :author => @author, :project => @project)
     end
 
@@ -144,19 +155,6 @@ I normally do something along these lines in RSpec:
   end
 </pre>
 
-h3. Caveats
-
-RESTful_ACL doesn't work with nested singleton resources. Wha? Yeah. Those are things in routes.rb like:
-
-<pre>
-  # Note the singular forms in 'user.resource :profile'
-  map.resources :users do |user|
-    user.resource :profile
-  end
-</pre>
-
-In these situations I normally skip permission checking altogether as a Profile will always be mapped to the currently logged in User, regardless of the @params[:user_id]@ passed in. You don't trust those either right? Good.
-
 h3. Help
 
 Add a ticket to "RESTful_ACL's Lighthouse Account":http://mdarby.lighthouseapp.com/projects/28698-restful_acl/overview

data/Rakefile

@@ -1,22 +1,45 @@
+require 'rubygems'
 require 'rake'
-require 'rake/testtask'
-require 'rake/rdoctask'
 
-desc 'Default: run unit tests.'
-task :default => :test
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gem|
+    gem.name = "restful_acl"
+    gem.summary = "A Ruby on Rails plugin that provides fine grained access control to RESTful resources."
+    gem.description = "A Ruby on Rails plugin that provides fine grained access control to RESTful resources."
+    gem.email = "matt@matt-darby.com"
+    gem.homepage = "http://github.com/mdarby/restful_acl"
+    gem.authors = ["Matt Darby"]
+    gem.add_development_dependency "rspec", ">= 1.2.9"
+    # gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts "Jeweler (or a dependency) not available. Install it with: sudo gem install jeweler"
+end
+
+require 'spec/rake/spectask'
+Spec::Rake::SpecTask.new(:spec) do |spec|
+  spec.libs << 'lib' << 'spec'
+  spec.spec_files = FileList['spec/**/*_spec.rb']
+end
 
-desc 'Test the restful_acl plugin.'
-Rake::TestTask.new(:test) do |t|
-  t.libs << 'lib'
-  t.pattern = 'test/**/*_test.rb'
-  t.verbose = true
+Spec::Rake::SpecTask.new(:rcov) do |spec|
+  spec.libs << 'lib' << 'spec'
+  spec.pattern = 'spec/**/*_spec.rb'
+  spec.rcov = true
 end
 
-desc 'Generate documentation for the restful_acl plugin.'
-Rake::RDocTask.new(:rdoc) do |rdoc|
+task :spec => :check_dependencies
+
+task :default => :spec
+
+require 'rake/rdoctask'
+Rake::RDocTask.new do |rdoc|
+  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+
   rdoc.rdoc_dir = 'rdoc'
-  rdoc.title    = 'RestfulAcl'
-  rdoc.options << '--line-numbers' << '--inline-source'
-  rdoc.rdoc_files.include('README')
+  rdoc.title = "restful_acl #{version}"
+  rdoc.rdoc_files.include('README*')
   rdoc.rdoc_files.include('lib/**/*.rb')
 end

data/lib/controller.rb

@@ -0,0 +1,114 @@
+module RestfulAclController
+
+  def self.included(base)
+    base.extend(ClassMethods)
+    base.send :include, ClassMethods
+  end
+
+  module ClassMethods
+
+    attr_accessor :object, :parent, :klass, :user
+
+    def has_permission?
+      return true if administrator?
+
+      load_actors(params[:id])
+
+      begin
+        # Let's let the Model decide what is acceptable
+        permission_denied unless case params[:action]
+          when "index"          then @klass.is_indexable_by(@user, @parent)
+          when "new", "create"  then @klass.is_creatable_by(@user, @parent)
+          when "show"           then @object.is_readable_by(@user, @parent)
+          when "edit", "update" then @object.is_updatable_by(@user, @parent)
+          when "destroy"        then @object.is_deletable_by(@user, @parent)
+          else check_non_restful_route
+        end
+
+      rescue NoMethodError => e
+        # Misconfiguration: A RESTful_ACL specific method is missing.
+        raise_error(e)
+      rescue
+        # Failsafe: If any funny business is going on, log and redirect
+        routing_error
+      end
+    end
+
+    private
+
+      def load_actors(id)
+        @user = current_user
+
+        # Load the Model based on the controller name
+        @klass = self.controller_name.classify.demodulize.constantize
+
+        if id.present?
+          # Load the object and possible parent requested
+          @object = @klass.find(params[:id])
+          @parent = @object.get_mom if @klass.has_parent?
+        else
+          # No object was requested, so we need to go to the URI to figure out the parent
+          @parent = get_mom_from_request_uri(@klass) if @klass.has_parent?
+
+          if @klass.is_singleton?
+            @object = @parent.send(@klass.to_s.tableize.singularize.to_sym)
+          else
+            # No object was requested (index, create actions)
+            @object = nil
+          end
+        end
+      end
+
+      def check_non_restful_route
+        if @object
+          @object.is_readable_by(@user, @parent)
+        elsif @klass
+          @klass.is_indexable_by(@user, @parent)
+        else
+          false # If all else fails, deny access
+        end
+      end
+
+      def get_method_from_error(error)
+        error.message.gsub('`', "'").split("'").at(1)
+      end
+
+      def raise_error(error)
+        method = get_method_from_error(error)
+        message = (is_class_method?(method)) ? "#{@klass}#self.#{method}" : "#{@klass}##{method}"
+        raise NoMethodError, "[RESTful_ACL] #{message}(user, parent = nil) seems to be missing?"
+      end
+
+      def is_class_method?(method)
+        method =~ /[index|creat]able/
+      end
+
+      def get_mom_from_request_uri(child_klass)
+        parent_klass = child_klass.mom.to_s
+        bits         = request.request_uri.split('/')
+        parent_id    = bits.at(bits.index(parent_klass.pluralize) + 1)
+
+        parent_klass.classify.constantize.find(parent_id)
+      end
+
+      def administrator?
+        @user.respond_to?("is_admin?") && @user.is_admin?
+      end
+
+      def blame
+        @user.respond_to?(:login) ? @user.login : @user.username
+      end
+
+      def permission_denied
+        logger.info("[RESTful_ACL] Permission denied to %s at %s for %s" % [(logged_in? ? blame : 'guest'), Time.now, request.request_uri])
+        redirect_to denied_url
+      end
+
+      def routing_error
+        logger.info("[RESTful_ACL] Routing error by %s at %s for %s" % [(logged_in? ? blame : 'guest'), Time.now, request.request_uri])
+        redirect_to error_url
+      end
+
+  end
+
+end

data/lib/{restful_acl_helper.rb → helper.rb}

@@ -48,11 +48,11 @@ module RestfulAclHelper
     end
 
     def parent_klass
-      klass.mom.to_s.classify.constantize
+      klass.parent.to_s.classify.constantize
     end
 
     def parent_id
-      params["#{klass.mom.to_s}_id"]
+      params["#{klass.parent.to_s}_id"]
     end
 
     def admin_enabled

data/lib/{restful_acl_model.rb → model.rb}

@@ -6,15 +6,21 @@ module RestfulAclModel
   end
 
   module ClassMethods
-    attr_accessor :mom
+    attr_accessor :mom, :singleton
+
+    def logical_parent(model, *options)
+      @mom = model
+      @singleton = options.include?(:singleton)
 
-    def logical_parent(model)
-      self.mom = model
       include RestfulAclModel::InstanceMethods
     end
 
     def has_parent?
-      !self.mom.nil?
+      @mom.present?
+    end
+
+    def is_singleton?
+      @singleton.present?
     end
 
   end
@@ -47,6 +53,7 @@ module RestfulAclModel
       def parent_id
         self.instance_eval("#{mom}_id")
       end
+
   end
 
 end

data/rails/init.rb

@@ -1,6 +1,6 @@
-require 'restful_acl_controller'
-require 'restful_acl_helper'
-require 'restful_acl_model'
+require 'controller'
+require 'helper'
+require 'model'
 
 ActionController::Base.send :include, RestfulAclController
 ActionView::Base.send :include, RestfulAclHelper

data/restful_acl.gemspec

@@ -0,0 +1,26 @@
+Gem::Specification.new do |s|
+  s.name        = "restful_acl"
+  s.version     = "2.1"
+  s.date        = "2009-11-23"
+  s.summary     = "Object-level access control"
+  s.email       = "matt@matt-darby.com"
+  s.homepage    = "http://github.com/mdarby/restful_acl"
+  s.description = "A Rails gem that provides fine grained access control to RESTful resources."
+  s.has_rdoc    = false
+  s.authors     = ["Matt Darby"]
+  s.files       = [
+    "LICENSE",
+    "README.textile",
+    "Rakefile",
+    "init.rb",
+    "lib/controller.rb",
+    "lib/helper.rb",
+    "lib/model.rb",
+    "rails/init.rb",
+    "restful_acl.gemspec",
+    "spec/restful_acl_spec.rb",
+    "spec/spec.opts",
+    "spec/spec_helper.rb",
+    "spec/widgets.rb"
+  ]
+end

data/spec/restful_acl_spec.rb

@@ -0,0 +1,75 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+describe "RestfulAcl" do
+
+  describe "when used in a RESTful resource" do
+
+    before do
+      @widget = Widget.new
+    end
+
+    describe "handling GET index" do
+      it "does something" do
+      end
+    end
+
+    describe "handling GET show" do
+
+    end
+
+    describe "handling GET new" do
+
+    end
+
+    describe "handling GET edit" do
+
+    end
+
+    describe "handling POST create" do
+
+    end
+
+    describe "handling PUT update" do
+
+    end
+
+    describe "handling DELETE destroy" do
+
+    end
+
+  end
+
+  describe "when used in a Singleton resource" do
+
+    describe "handling GET index" do
+
+    end
+
+    describe "handling GET show" do
+
+    end
+
+    describe "handling GET new" do
+
+    end
+
+    describe "handling GET edit" do
+
+    end
+
+    describe "handling POST create" do
+
+    end
+
+    describe "handling PUT update" do
+
+    end
+
+    describe "handling DELETE destroy" do
+
+    end
+
+
+  end
+
+end

data/spec/spec.opts

@@ -0,0 +1 @@
+--color

data/spec/spec_helper.rb

@@ -0,0 +1,10 @@
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+require 'rubygems'
+require 'restful_acl'
+require 'spec'
+require 'widgets'
+
+Spec::Runner.configure do |config|
+  
+end

data/spec/widgets.rb

@@ -0,0 +1,12 @@
+class ParentWidget
+end
+
+class Widget
+  include RestfulAclModel
+  logical_parent :parent_widget  
+end
+
+class SingletonWidget
+  include RestfulAclModel
+  logical_parent :parent_widget
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: restful_acl
 version: !ruby/object:Gem::Version 
-  version: 2.0.7
+  version: "2.1"
 platform: ruby
 authors: 
 - Matt Darby
@@ -9,11 +9,11 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2009-11-20 00:00:00 -05:00
+date: 2009-11-23 00:00:00 -05:00
 default_executable: 
 dependencies: []
 
-description: A Rails gem that provides fine grained access control to RESTful resources in a Rails 2.0+ application.
+description: A Rails gem that provides fine grained access control to RESTful resources.
 email: matt@matt-darby.com
 executables: []
 
@@ -22,16 +22,19 @@ extensions: []
 extra_rdoc_files: []
 
 files: 
-- MIT-LICENSE
+- LICENSE
 - README.textile
 - Rakefile
 - init.rb
-- install.rb
-- lib/restful_acl_controller.rb
-- lib/restful_acl_helper.rb
-- lib/restful_acl_model.rb
+- lib/controller.rb
+- lib/helper.rb
+- lib/model.rb
 - rails/init.rb
-- uninstall.rb
+- restful_acl.gemspec
+- spec/restful_acl_spec.rb
+- spec/spec.opts
+- spec/spec_helper.rb
+- spec/widgets.rb
 has_rdoc: false
 homepage: http://github.com/mdarby/restful_acl
 licenses: []

data/install.rb

@@ -1 +0,0 @@
-# Install hook code here

data/lib/restful_acl_controller.rb

@@ -1,100 +0,0 @@
-module RestfulAclController
-
-  def self.included(base)
-    base.extend(ClassMethods)
-    base.send :include, ClassMethods
-  end
-
-  module ClassMethods
-
-    def has_permission?
-      return true if administrator?
-
-      begin
-        # Load the Model based on the controller name
-        klass = self.controller_name.classify.demodulize.constantize
-
-        if params[:id]
-          # Load the object and possible parent requested
-          object = klass.find(params[:id])
-          parent = object.get_mom rescue nil
-        else
-          # No object was requested, so we need to go to the URI to figure out the parent
-          object = nil
-          parent = get_parent_from_request_uri(klass) if klass.has_parent?
-        end
-
-        # Let's let the Model decide what is acceptable
-        permission_denied unless case params[:action]
-          when "index"          then klass.is_indexable_by(current_user, parent)
-          when "new", "create"  then klass.is_creatable_by(current_user, parent)
-          when "show"           then object.is_readable_by(current_user, parent)
-          when "edit", "update" then object.is_updatable_by(current_user, parent)
-          when "destroy"        then object.is_deletable_by(current_user, parent)
-          else check_non_restful_route(current_user, klass, object, parent)
-        end
-
-      rescue NoMethodError => e
-        # Misconfiguration: A RESTful_ACL specific method is missing.
-        raise_error(klass, e)
-      rescue
-        # Failsafe: If any funny business is going on, log and redirect
-        routing_error
-      end
-    end
-
-    private
-
-      def check_non_restful_route(user, klass, object, parent)
-        if object
-          object.is_readable_by(user, parent)
-        elsif klass
-          klass.is_indexable_by(user, parent)
-        else
-          # If all else fails, deny access
-          false
-        end
-      end
-
-      def get_method_from_error(error)
-        error.message.gsub('`', "'").split("'").at(1)
-      end
-
-      def raise_error(klass, error)
-        method = get_method_from_error(error)
-        message = (is_class_method?(method)) ? "#{klass}#self.#{method}" : "#{klass}##{method}"
-        raise NoMethodError, "[RESTful_ACL] #{message}(user, parent = nil) seems to be missing?"
-      end
-
-      def is_class_method?(method)
-        method =~ /(indexable|creatable)/
-      end
-
-      def get_parent_from_request_uri(child_klass)
-        parent_klass = child_klass.mom.to_s
-        bits         = request.request_uri.split('/')
-        parent_id    = bits.at(bits.index(parent_klass.pluralize) + 1)
-
-        parent_klass.classify.constantize.find(parent_id)
-      end
-
-      def administrator?
-        current_user.respond_to?("is_admin?") && current_user.is_admin?
-      end
-
-      def permission_denied
-        logger.info("[RESTful_ACL] Permission denied to %s at %s for %s" %
-        [(logged_in? ? current_user.login : 'guest'), Time.now, request.request_uri])
-
-        redirect_to denied_url
-      end
-
-      def routing_error
-        logger.info("[RESTful_ACL] Routing error by %s at %s for %s" %
-        [(logged_in? ? current_user.login : 'guest'), Time.now, request.request_uri])
-
-        redirect_to error_url
-      end
-
-  end
-end

data/uninstall.rb

@@ -1 +0,0 @@
-# Uninstall hook code here