restful_acl 2.1.3 → 3.0.0

data/.gitignore

@@ -0,0 +1 @@
+pkg/*

data/README.textile

@@ -1,14 +1,20 @@
+h1. Major changes in 3.0 release!
+
+* RESTful_ACL has been completely refactored for speed and usability.
+* A full Cucumber test suite has been written (http://github.com/mdarby/restful_acl_app).
+* The view helpers @creatable@, @deletable@, @updatable@, @readable@ have been replaced by @allowed?@ (see below for more details).
+
 h2. RESTful_ACL
 
-A Ruby on Rails plugin that provides fine grained access control through the MVC stack to RESTful resources in a Ruby on Rails 2.0+ application. Authorization is as simple as true or false.
+RESTful_ACL is rails gem that provides a full stack, contextual access control to RESTful resources. Authorization is as simple as true or false.
 
 h3. What it does
 
-RESTful_ACL is a simple Access Control Layer for Ruby on Rails. It restricts access on a fine-grained level to any RESTful MVC stack. Every application is different and everyone likes to setup their User / Account / Role resources differently; this plugin will allow you to do your thing and keep that thing locked down.
+RESTful_ACL is a context-based permission engine. It provides full stack access control that is resource context aware. (If a parent is closed, a child is not editable, etc.)
 
 h3. Requirements
 
-RESTful_ACL requires the super amazing "RESTful_Authentication":https://github.com/technoweenie/restful-authentication plugin.
+RESTful_ACL requires the notion of a @current_user@. Most authenticaion plugins provide this (AuthLogic, RESTful_Authentication, etc.)
 
 h3. How to Install
 
@@ -18,11 +24,8 @@ Install the RESTful_ACL gem:
 Add the gem to your environment.rb file as thus:
 <pre>config.gem "restful_acl"</pre>
 
-RESTful_ACL requires two named routes: "error" and "denied". Add the following to your routes.rb file:
-<pre>
-  map.error 'error', :controller => 'some_controller', :action => 'error_action'
-  map.denied 'denied', :controller => 'some_controller', :action => 'denied_action'
-</pre>
+RESTful_ACL requires a named route named "denied". Add the following to your routes.rb file:
+<pre>map.denied 'denied', :controller => 'some_controller', :action => 'denied_action'</pre>
 
 h3. How to Use
 
@@ -71,16 +74,15 @@ RESTful_ACL 2.1+ supports singleton resources. Just pass @:singleton@ to the @lo
   end
 </pre>
 
-h4. View Helpers
+h4. View Helper
 
-There are five view helpers also included in RESTful_ACL: @#indexable@, @#creatable@, @#readable@, @#updatable@, and @#deletable@. These enable you to do nifty things like:
-<pre>
-= link_to ‘Foo Index’, foos_path if indexable
-= link_to 'Edit Foo', edit_foo_path(@foo) if updatable(@foo)
-= link_to 'Create Foo', new_foo_path if creatable
-= link_to 'View Foo', foo_path(@foo) if readable(@foo)
-= link_to 'Delete Foo', foo_path(@foo) if deletable(@foo), :method => :destroy
-</pre>
+RESTful_ACL provides you with a view helper named @allowed?@. Simply pass this method a block containing the URL you'd like to check permission on and it will do the rest.
+If the @current_user@ is allowed to access the requested link's action, the link will appear; otherwise no link will show.
+<pre>= allowed?{ link_to ‘Foo Index’, foos_path }
+= allowed?{ link_to 'Edit Foo', edit_foo_path(@foo) }
+= allowed?{ link_to 'Create Foo', new_foo_path }
+= allowed?{ link_to 'View Foo', foo_path(@foo) }
+= allowed?{ link_to 'Delete Foo', foo_path(@foo), :method => :delete }</pre>
 
 h3. Huh? Here's an example
 
@@ -127,7 +129,6 @@ I normally do something along these lines in RSpec:
     before do
       @project = mock_model(Project)
       @author  = mock_model(User, :projects => [@project])
-
       @issue = Issue.factory_girl(:issue, :author => @author, :project => @project)
     end
 

data/VERSION

@@ -1 +1 @@
-2.1.3
+3.0.0

data/lib/restful_acl/base.rb

@@ -0,0 +1,75 @@
+module RestfulAcl
+  class Base
+
+    attr_accessor :object, :parent, :user, :controller_name, :uri, :action, :object_id
+
+
+    def initialize(options = {})
+      @object_id       = options[:object_id]
+      @user            = options[:user]
+      @uri             = options[:uri]
+      @action          = options[:action]
+      @controller_name = options[:controller_name]
+
+      if @object_id.present?
+        load_actors_from_id
+      else
+        load_actors_from_uri
+      end
+    end
+
+    def load_actors_from_id
+      @object = object_class.find(@object_id)
+      @parent = @object.get_mom if object_class.has_parent?
+    end
+
+    def load_actors_from_uri
+      @parent = load_parent_from_uri if object_class.has_parent?
+      @object = (object_class.is_singleton?) ? load_singleton_object : nil
+    end
+
+    def load_singleton_object
+      @parent.send(object_class.to_s.tableize.singularize.to_sym)
+    end
+
+    def load_parent_from_uri
+      parent_klass = object_class.mom.to_s
+      bits         = @uri.split('/')
+      parent_id    = bits.at(bits.index(parent_klass.pluralize) + 1)
+
+      parent_klass.classify.constantize.find(parent_id)
+    end
+
+    def object_class
+      @object_class ||= @controller_name.classify.demodulize.constantize
+    end
+
+    def admin?
+      @user.respond_to?("is_admin?") && @user.is_admin?
+    end
+
+    def allowed?
+      return true if admin?
+
+      case @action
+        when "index"          then object_class.is_indexable_by(@user, @parent)
+        when "new", "create"  then object_class.is_creatable_by(@user, @parent)
+        when "show"           then @object.is_readable_by(@user, @parent)
+        when "edit", "update" then @object.is_updatable_by(@user, @parent)
+        when "destroy"        then @object.is_deletable_by(@user, @parent)
+        else check_non_restful_route
+      end
+    end
+
+    def check_non_restful_route
+      if @object.present?
+        @object.is_readable_by(@user, @parent)
+      elsif object_class.present?
+        object_class.is_indexable_by(@user, @parent)
+      else
+        false # If all else fails, deny access
+      end
+    end
+
+  end
+end

data/lib/restful_acl/controller.rb

@@ -1,114 +1,38 @@
-module RestfulAclController
+module RestfulAcl
+  module Controller
 
-  def self.included(base)
-    base.extend(ClassMethods)
-    base.send :include, ClassMethods
-  end
-
-  module ClassMethods
-
-    attr_accessor :restful_object, :restful_parent, :restful_klass, :restful_user
-
-    def has_permission?
-      return true if administrator?
+    def self.included(base)
+      base.extend(ClassMethods)
+      base.send :include, ClassMethods
+    end
 
-      load_actors(params[:id])
+    module ClassMethods
 
-      begin
-        # Let's let the Model decide what is acceptable
-        permission_denied unless case params[:action]
-          when "index"          then @restful_klass.is_indexable_by(@restful_user, @restful_parent)
-          when "new", "create"  then @restful_klass.is_creatable_by(@restful_user, @restful_parent)
-          when "show"           then @restful_object.is_readable_by(@restful_user, @restful_parent)
-          when "edit", "update" then @restful_object.is_updatable_by(@restful_user, @restful_parent)
-          when "destroy"        then @restful_object.is_deletable_by(@restful_user, @restful_parent)
-          else check_non_restful_route
-        end
+      def has_permission?
+        options = {
+          :controller_name => self.controller_name,
+          :object_id       => params[:id],
+          :uri             => request.request_uri,
+          :user            => current_user,
+          :action          => params[:action]
+        }
 
-      rescue NoMethodError => e
-        # Misconfiguration: A RESTful_ACL specific method is missing.
-        raise_error(e)
-      rescue
-        # Failsafe: If any funny business is going on, log and redirect
-        routing_error
+        permission_denied unless RestfulAcl::Base.new(options).allowed?
       end
-    end
-
-    private
 
-      def load_actors(id)
-        @restful_user = current_user
 
-        # Load the Model based on the controller name
-        @restful_klass = self.controller_name.classify.demodulize.constantize
+      private
 
-        if id.present?
-          # Load the object and possible parent requested
-          @restful_object = @restful_klass.find(params[:id])
-          @restful_parent = @restful_object.get_mom if @restful_klass.has_parent?
-        else
-          # No object was requested, so we need to go to the URI to figure out the parent
-          @restful_parent = get_morestful_frorestful_request_uri(@restful_klass) if @restful_klass.has_parent?
-
-          if @restful_klass.is_singleton?
-            @restful_object = @restful_parent.send(@restful_klass.to_s.tableize.singularize.to_sym)
-          else
-            # No object was requested (index, create actions)
-            @restful_object = nil
-          end
+        def permission_denied
+          logger.info("[RESTful_ACL] Permission denied to %s at %s for %s" % [blame, Time.now, request.request_uri])
+          redirect_to denied_url
         end
-      end
 
-      def check_non_restful_route
-        if @restful_object
-          @restful_object.is_readable_by(@restful_user, @restful_parent)
-        elsif @restful_klass
-          @restful_klass.is_indexable_by(@restful_user, @restful_parent)
-        else
-          false # If all else fails, deny access
+        def blame
+          (@current_user.present?) ? "User ##{@current_user.id}" : "GUEST"
         end
-      end
-
-      def get_method_frorestful_error(error)
-        error.message.gsub('`', "'").split("'").at(1)
-      end
-
-      def raise_error(error)
-        method = get_method_frorestful_error(error)
-        message = (is_class_method?(method)) ? "#{@restful_klass}#self.#{method}" : "#{@restful_klass}##{method}"
-        raise NoMethodError, "[RESTful_ACL] #{message}(user, parent = nil) seems to be missing?"
-      end
 
-      def is_class_method?(method)
-        method =~ /[index|creat]able/
-      end
-
-      def get_morestful_frorestful_request_uri(child_klass)
-        parent_klass = child_klass.mom.to_s
-        bits         = request.request_uri.split('/')
-        parent_id    = bits.at(bits.index(parent_klass.pluralize) + 1)
-
-        parent_klass.classify.constantize.find(parent_id)
-      end
-
-      def administrator?
-        @restful_user.respond_to?("is_admin?") && @restful_user.is_admin?
-      end
-
-      def blame
-        @restful_user.respond_to?(:login) ? @restful_user.login : @restful_user.username
-      end
-
-      def permission_denied
-        logger.info("[RESTful_ACL] Permission denied to %s at %s for %s" % [(logged_in? ? blame : 'guest'), Time.now, request.request_uri])
-        redirect_to denied_url
-      end
-
-      def routing_error
-        logger.info("[RESTful_ACL] Routing error by %s at %s for %s" % [(logged_in? ? blame : 'guest'), Time.now, request.request_uri])
-        redirect_to error_url
-      end
+    end
 
   end
-
 end

data/lib/restful_acl/errors.rb

@@ -0,0 +1,6 @@
+module RestfulAcl
+  
+  class UnrecognizedURLError < StandardError
+  end
+  
+end

data/lib/restful_acl/helper.rb

@@ -1,62 +1,12 @@
-module RestfulAclHelper
-  def indexable
-    return true if admin_enabled
-    klass.is_indexable_by(current_user, parent_obj)
-  end
-
-  def creatable
-    return true if admin_enabled
-    klass.is_creatable_by(current_user, parent_obj)
-  end
-  alias_method :createable, :creatable
-
-
-  def updatable(object)
-    return true if admin_enabled
-
-    parent = object.get_mom rescue nil
-    object.is_updatable_by(current_user, parent)
-  end
-  alias_method :updateable, :updatable
+module RestfulAcl
+  module Helper
 
+    def allowed?(&block)
+      options = UrlParser.new(current_user, &block).options_hash
+      access = RestfulAcl::Base.new(options)
 
-  def deletable(object)
-    return true if admin_enabled
-
-    parent = object.get_mom rescue nil
-    object.is_deletable_by(current_user, parent)
-  end
-  alias_method :deleteable, :deletable
-
-
-  def readable(object)
-    return true if admin_enabled
-
-    parent = object.get_mom rescue nil
-    object.is_readable_by(current_user, parent)
-  end
-
-
-  private
-
-    def klass
-      params[:controller].classify.demodulize.constantize
-    end
-
-    def parent_obj
-      parent_klass.find(parent_id) rescue nil
-    end
-
-    def parent_klass
-      klass.parent.to_s.classify.constantize
-    end
-
-    def parent_id
-      params["#{klass.parent.to_s}_id"]
+      yield if access.allowed?
     end
 
-    def admin_enabled
-      current_user.respond_to?("is_admin?") && current_user.is_admin?
-    end
-
-end
+  end
+end

data/lib/restful_acl/model.rb

@@ -1,59 +1,61 @@
-module RestfulAclModel
+module RestfulAcl
+  module Model
 
-  def self.included(base)
-    base.extend(ClassMethods)
-    base.send :include, ClassMethods
-  end
+    def self.included(base)
+      base.extend(ClassMethods)
+      base.send :include, ClassMethods
+    end
 
-  module ClassMethods
-    attr_accessor :mom, :singleton
+    module ClassMethods
+      attr_accessor :mom, :singleton
 
-    def logical_parent(model, *options)
-      @mom = model
-      @singleton = options.include?(:singleton)
+      def logical_parent(model, *options)
+        @mom = model
+        @singleton = options.include?(:singleton)
 
-      include RestfulAclModel::InstanceMethods
-    end
+        include InstanceMethods
+      end
 
-    def has_parent?
-      @mom.present?
-    end
+      def has_parent?
+        @mom.present?
+      end
+
+      def is_singleton?
+        @singleton.present?
+      end
 
-    def is_singleton?
-      @singleton.present?
     end
 
-  end
 
+    module InstanceMethods
 
-  module InstanceMethods
+      def get_mom
+        parent_klass.find(parent_id) if has_parent?
+      end
 
-    def get_mom
-      parent_klass.find(parent_id) if has_parent?
-    end
+      private
 
-    private
+        def klass
+          self.class
+        end
 
-      def klass
-        self.class
-      end
+        def mom
+          klass.mom
+        end
 
-      def mom
-        klass.mom
-      end
+        def has_parent?
+          !mom.nil?
+        end
 
-      def has_parent?
-        !mom.nil?
-      end
+        def parent_klass
+          mom.to_s.classify.constantize
+        end
 
-      def parent_klass
-        mom.to_s.classify.constantize
-      end
+        def parent_id
+          self.instance_eval("#{mom}_id")
+        end
 
-      def parent_id
-        self.instance_eval("#{mom}_id")
-      end
+    end
 
   end
-
-end
+end

data/lib/restful_acl/string.rb

@@ -0,0 +1,8 @@
+class String
+  
+  def singular?
+    other = self.dup
+    other.pluralize != self
+  end
+  
+end

data/lib/restful_acl/url_parser.rb

@@ -0,0 +1,102 @@
+# This class takes a User and block of text containing a URL and deduces the requested action
+# and any object that that action will be taken upon.
+#
+# Author:: Matt Darby (mailto:matt@matt-darby.com)
+# Copyright:: Copyright(c) 2009 Matt Darby
+# License:: MIT
+
+class UrlParser
+
+  TypesOfURLs = [
+    {:name => "parent_with_specific_child", :controller_bit => 3, :object_id_bit => 4,   :regex => /\/(\w+)\/(\d+)[\w|-]*\/(\w+)\/(\d+)[\w|-]*$/},
+    {:name => "parent_with_edit_child",     :controller_bit => 3, :object_id_bit => 4,   :regex => /\/(\w+)\/(\d+)[\w|-]*\/(\w+)\/(\d+)[\w|-]*\/edit$/},
+    {:name => "parent_with_child_index",    :controller_bit => 3, :object_id_bit => nil, :regex => /\/(\w+)\/(\d+)[\w|-]*\/(\w+)$/},
+    {:name => "parent_with_new_child",      :controller_bit => 3, :object_id_bit => nil, :regex => /\/(\w+)\/(\d+)[\w|-]*\/(\w+)\/new$/},
+    {:name => "edit_singleton_child",       :controller_bit => 3, :object_id_bit => nil, :regex => /\/(\w+)\/(\d+)[\w|-]*\/(\w+)\/edit$/},
+    {:name => "new_singleton_child",        :controller_bit => 3, :object_id_bit => nil, :regex => /\/(\w+)\/(\d+)[\w|-]*\/(\w+)\/new$/},
+    {:name => "edit_parent",                :controller_bit => 1, :object_id_bit => 2,   :regex => /\/(\w+)\/edit$/},
+    {:name => "new_parent",                 :controller_bit => 1, :object_id_bit => nil, :regex => /\/(\w+)\/new$/},
+    {:name => "specific_parent",            :controller_bit => 1, :object_id_bit => 2,   :regex => /\/(\w+)\/(\d+)[\w|-]*$/},
+    {:name => "parent_index",               :controller_bit => 1, :object_id_bit => nil, :regex => /\/(\w+)$/}
+  ]
+
+  URL        = /href="([\w|\/|-]+)"/
+  AJAXURL    = /url:'([\w|\/|-]+)'/
+  NewURL     = /\/new$/
+  EditURL    = /\/edit$/
+  ObjectURL  = /\/(\d+)[\w|-]*$/
+  DestroyURL = /.*m\.setAttribute\('value', 'delete'\).*/
+
+  attr_accessor :text, :user, :url
+
+  # Dynamically define methods based off of TypesOfURLs hash
+  TypesOfURLs.each do |type|
+    define_method(type[:name]) do |url, controller_bit, object_id_bit, regex|
+      data            = regex.match(url)
+      controller_name = data[controller_bit]
+      object_id       = (object_id_bit.present?) ? data[object_id_bit] : nil
+      action          = requested_action(controller_name)
+
+      {
+        :controller_name => controller_name,
+        :object_id       => object_id,
+        :action          => action,
+        :uri             => requested_url,
+        :user            => @user
+      }
+    end
+  end
+
+
+  def initialize(user, &block)
+    @text = yield
+    @user = user
+    @url  = requested_url
+  end
+
+  # Parse a URL and return a hash suitable for usage with RESTful_ACL
+  # * :controller_name => The requested action's controller's name,
+  # * :object_id       => The requested ID of the object in question (nil when Index, New, Create actions),
+  # * :action          => The requested RESTful action (index, show, etc.),
+  # * :uri             => The requested URL,
+  # * :user            => The current user (used for context in RESTful_ACL)
+  def options_hash
+    invoke_url_type_method(deduce_url_type)
+  end
+
+
+  private
+
+    # Call the dynamically created method with arguments from deduced hash
+    def invoke_url_type_method(type)
+      send(type[:name], @url, type[:controller_bit], type[:object_id_bit], type[:regex])
+    end
+
+    # Deduce the requested URL's "type" based on the TypesOfURLs hash
+    def deduce_url_type
+      TypesOfURLs.detect{|type| type[:regex].match(@url)}
+    end
+
+    # Find the requested URL out of the text block received
+    def requested_url
+      link = case @text
+        when URL then URL.match(@text)[1]
+        when AJAXURL then AJAXURL.match(@text)[1]
+        else raise RestfulAcl::UnrecognizedURLError, "'#{@text}' doesn't seem to contain a valid URL?"
+      end
+    end
+
+    # Deduce the requested action based on URL type
+    # (or text block as :destroy links are defined via javascript)
+    def requested_action(controller_name)
+      return "destroy" if @text =~ DestroyURL
+
+      case @url
+        when EditURL then "edit"
+        when NewURL then "new"
+        when ObjectURL || controller_name.singular? then "show"
+        else "index"
+      end
+    end
+
+end

data/lib/restful_acl.rb

@@ -1,3 +1,7 @@
+require 'restful_acl/string'
+require 'restful_acl/url_parser'
+require 'restful_acl/base'
 require 'restful_acl/controller'
 require 'restful_acl/helper'
 require 'restful_acl/model'
+require 'restful_acl/errors'

data/rails/init.rb

@@ -1,7 +1,7 @@
 require 'restful_acl'
 
-ActionController::Base.send :include, RestfulAclController
-ActionView::Base.send :include, RestfulAclHelper
-ActiveRecord::Base.send :include, RestfulAclModel
+ActionController::Base.send :include, RestfulAcl::Controller
+ActionView::Base.send :include, RestfulAcl::Helper
+ActiveRecord::Base.send :include, RestfulAcl::Model
 
 RAILS_DEFAULT_LOGGER.debug "** [RESTful_ACL] loaded"

data/restful_acl.gemspec

@@ -5,28 +5,34 @@
 
 Gem::Specification.new do |s|
   s.name = %q{restful_acl}
-  s.version = "2.1.3"
+  s.version = "3.0.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Matt Darby"]
-  s.date = %q{2009-11-24}
+  s.date = %q{2009-11-28}
   s.description = %q{A Ruby on Rails plugin that provides fine grained access control to RESTful resources.}
   s.email = %q{matt@matt-darby.com}
   s.extra_rdoc_files = [
     "README.textile"
   ]
   s.files = [
-    "MIT-LICENSE",
+    ".gitignore",
+     "MIT-LICENSE",
      "README.textile",
      "Rakefile",
      "VERSION",
      "init.rb",
      "lib/restful_acl.rb",
+     "lib/restful_acl/base.rb",
      "lib/restful_acl/controller.rb",
+     "lib/restful_acl/errors.rb",
      "lib/restful_acl/helper.rb",
      "lib/restful_acl/model.rb",
+     "lib/restful_acl/string.rb",
+     "lib/restful_acl/url_parser.rb",
      "rails/init.rb",
      "restful_acl.gemspec",
+     "spec/spec_helper.rb",
      "uninstall.rb"
   ]
   s.homepage = %q{http://github.com/mdarby/restful_acl}
@@ -34,6 +40,9 @@ Gem::Specification.new do |s|
   s.require_paths = ["lib"]
   s.rubygems_version = %q{1.3.5}
   s.summary = %q{A Ruby on Rails plugin that provides fine grained access control to RESTful resources.}
+  s.test_files = [
+    "spec/spec_helper.rb"
+  ]
 
   if s.respond_to? :specification_version then
     current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION

data/spec/spec_helper.rb

@@ -0,0 +1,11 @@
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+require 'restful_acl'
+require 'spec'
+require 'spec/autorun'
+require 'rubygems'
+require 'activesupport'
+
+Spec::Runner.configure do |config|
+  
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: restful_acl
 version: !ruby/object:Gem::Version 
-  version: 2.1.3
+  version: 3.0.0
 platform: ruby
 authors: 
 - Matt Darby
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2009-11-24 00:00:00 -05:00
+date: 2009-11-28 00:00:00 -05:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -31,17 +31,23 @@ extensions: []
 extra_rdoc_files: 
 - README.textile
 files: 
+- .gitignore
 - MIT-LICENSE
 - README.textile
 - Rakefile
 - VERSION
 - init.rb
 - lib/restful_acl.rb
+- lib/restful_acl/base.rb
 - lib/restful_acl/controller.rb
+- lib/restful_acl/errors.rb
 - lib/restful_acl/helper.rb
 - lib/restful_acl/model.rb
+- lib/restful_acl/string.rb
+- lib/restful_acl/url_parser.rb
 - rails/init.rb
 - restful_acl.gemspec
+- spec/spec_helper.rb
 - uninstall.rb
 has_rdoc: true
 homepage: http://github.com/mdarby/restful_acl
@@ -71,5 +77,5 @@ rubygems_version: 1.3.5
 signing_key: 
 specification_version: 3
 summary: A Ruby on Rails plugin that provides fine grained access control to RESTful resources.
-test_files: []
-
+test_files: 
+- spec/spec_helper.rb