revo-lockdown 0.9.6 → 1.6.2

data/.gitignore

@@ -0,0 +1,6 @@
+*.DS_Store
+*.swp
+pkg/**
+doc/**
+email.txt
+coverage/**

data/Rakefile

@@ -1,17 +1,9 @@
-# Look in the tasks/setup.rb file for the various options that can be
-# configured in this Rakefile. The .rake files in the tasks directory
-# are where the options are used.
-
-begin
-  require 'bones'
-  Bones.setup
-rescue LoadError
-  load 'tasks/setup.rb'
-end
-
-ensure_in_path 'lib'
-require 'lockdown'
+require 'rubygems'
+require 'rake'
+require 'rcov'
+require 'spec/rake/spectask'
 
+require 'lib/lockdown.rb'
 task :default => 'rcov'
 
 desc "Flog your code for Justice!"
@@ -27,15 +19,20 @@ Spec::Rake::SpecTask.new(:rcov) do |t|
   t.rcov_opts = IO.readlines("spec/rcov.opts").map {|l| l.chomp.split " "}.flatten
 end
 
-PROJ.name = 'lockdown'
-PROJ.authors = 'Andrew Stone'
-PROJ.email = 'andy@stonean.com'
-PROJ.url = 'http://stonean.com/wiki/lockdown'
-PROJ.version = Lockdown::VERSION
-PROJ.rubyforge.name = 'lockdown'
-
-PROJ.spec.opts << '--color'
-PROJ.exclude << ".swp"
-PROJ.exclude << ".gitignore"
-
-# EOF
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gemspec|
+    gemspec.name = "revo-lockdown"
+    gemspec.version = Lockdown.version
+    gemspec.rubyforge_project = "lockdown"
+    gemspec.summary = "Authorization system for Rails 2.x"
+    gemspec.description = "Restrict access to your controller actions.  Supports basic model level restrictions as well"
+    gemspec.email = "andy@stonean.com"
+    gemspec.homepage = "http://stonean.com/wiki/lockdown"
+    gemspec.authors = ["Andrew Stone", "Revo Pty. Ltd."]
+    gemspec.add_development_dependency('rspec')
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts "Jeweler not available. Install it with: sudo gem install technicalpickles-jeweler -s http://gems.github.com"
+end

data/lib/lockdown/database.rb

@@ -10,13 +10,17 @@ module Lockdown
         @permissions = Lockdown::System.get_permissions
         @user_groups = Lockdown::System.get_user_groups
 
+        unless ::Permission.table_exists? && Lockdown.user_group_class.table_exists?
+          Lockdown.logger.info ">> Lockdown tables not found.  Skipping database sync."
+          return
+        end
         create_new_permissions
 
         delete_extinct_permissions
       
         maintain_user_groups
       rescue Exception => e
-        puts ">> Lockdown sync failed: #{e}" 
+        Lockdown.logger.error ">> Lockdown sync failed: #{e.backtrace.join("\n")}" 
       end
 
       # Create permissions not found in the database
@@ -26,7 +30,7 @@ module Lockdown
           str = Lockdown.get_string(key)
           p = ::Permission.find(:first, :conditions => ["name = ?", str])
           unless p
-            puts ">> Lockdown: Permission not found in db: #{str}, creating."
+            Lockdown.logger.info ">> Lockdown: Permission not found in db: #{str}, creating."
             ::Permission.create(:name => str)
           end
         end
@@ -37,8 +41,14 @@ module Lockdown
         db_perms = ::Permission.find(:all).dup
         db_perms.each do |dbp|
           unless @permissions.include?(Lockdown.get_symbol(dbp.name))
-            puts ">> Lockdown: Permission no longer in init.rb: #{dbp.name}, deleting."
-            Lockdown.database_execute("delete from permissions_user_groups where permission_id = #{dbp.id}")
+            Lockdown.logger.info ">> Lockdown: Permission no longer in init.rb: #{dbp.name}, deleting."
+          ug_table = Lockdown.user_groups_hbtm_reference.to_s
+          if "permissions" < ug_table
+            join_table = "permissions_#{ug_table}"
+          else
+            join_table = "#{ug_table}_permissions"
+          end
+            Lockdown.database_execute("delete from #{join_table} where permission_id = #{dbp.id}")
             dbp.destroy
           end
         end
@@ -48,7 +58,7 @@ module Lockdown
         # Create user groups not found in the database
         @user_groups.each do |key|
           str = Lockdown.get_string(key)
-          unless ug = ::UserGroup.find(:first, :conditions => ["name = ?", str])
+          unless ug = Lockdown.user_group_class.find(:first, :conditions => ["name = ?", str])
             create_user_group(str, key)
           else
             # Remove permissions from user group not found in init.rb
@@ -61,14 +71,26 @@ module Lockdown
       end
 
       def create_user_group(name_str, key)
-        puts ">> Lockdown: UserGroup not in the db: #{name_str}, creating."
-        ug = ::UserGroup.create(:name => name_str)
+        Lockdown.logger.info ">> Lockdown: #{Lockdown::System.fetch(:user_group_model)} not in the db: #{name_str}, creating."
+        ug = Lockdown.user_group_class.create(:name => name_str)
         #Inefficient, definitely, but shouldn't have any issues across orms.
+        #
         Lockdown::System.permissions_for_user_group(key).each do |perm|
-          p = ::Permission.find(:first, :conditions => ["name = ?", 
-                                Lockdown.get_string(perm)])
 
-          Lockdown.database_execute "insert into permissions_user_groups(permission_id, user_group_id) values(#{p.id}, #{ug.id})"
+          if Lockdown::System.permission_assigned_automatically?(perm)
+            Lockdown.logger.info  ">> Permission #{perm} cannot be assigned to #{name_str}.  Already belongs to built in user group (public or protected)."
+            raise  InvalidPermissionAssignment, "Invalid permission assignment"
+          end
+
+          p = ::Permission.find(:first, :conditions => ["name = ?", Lockdown.get_string(perm)]) 
+
+          ug_table = Lockdown.user_groups_hbtm_reference.to_s
+          if "permissions" < ug_table
+            join_table = "permissions_#{ug_table}"
+          else
+            join_table = "#{ug_table}_permissions"
+          end
+          Lockdown.database_execute "insert into #{join_table}(permission_id, #{Lockdown.user_group_id_reference}) values(#{p.id}, #{ug.id})"
         end
       end
 
@@ -77,7 +99,7 @@ module Lockdown
           perm_sym = Lockdown.get_symbol(perm)
           perm_string = Lockdown.get_string(perm)
           unless Lockdown::System.permissions_for_user_group(key).include?(perm_sym)
-            puts ">> Lockdown: Permission: #{perm_string} no longer associated to User Group: #{ug.name}, deleting."
+            Lockdown.logger.info ">> Lockdown: Permission: #{perm_string} no longer associated to User Group: #{ug.name}, deleting."
             ug.permissions.delete(perm)
           end
         end
@@ -93,7 +115,7 @@ module Lockdown
           end
           # if not found, add it
           unless found
-            puts ">> Lockdown: Permission: #{perm_string} not found for User Group: #{ug.name}, adding it."
+            Lockdown.logger.info ">> Lockdown: Permission: #{perm_string} not found for User Group: #{ug.name}, adding it."
             p = ::Permission.find(:first, :conditions => ["name = ?", perm_string])
             ug.permissions << p
           end

data/lib/lockdown/errors.rb

@@ -0,0 +1,11 @@
+module Lockdown
+  class InvalidRuleAssignment < StandardError; end
+
+  class InvalidRuleContext < StandardError; end
+
+  class PermissionScopeCollision < StandardError; end
+
+  class InvalidPermissionAssignment < StandardError; end
+
+  class GroupUndefinedError < StandardError; end
+end

data/lib/lockdown/frameworks/rails/controller.rb

@@ -4,11 +4,7 @@ module Lockdown
       module Controller
         
         def available_actions(klass)
-          if klass.respond_to?(:action_methods)
-            klass.action_methods
-          else
-            klass.public_instance_methods - klass.hidden_actions
-          end
+          klass.action_methods
         end
 
         def controller_name(klass)
@@ -17,13 +13,17 @@ module Lockdown
 
         # Locking methods
         module Lock
+
           def configure_lockdown
+            Lockdown.maybe_parse_init
             check_session_expiry
             store_location
           end
 
+          # Basic auth functionality needs to be reworked as 
+          # Lockdown doesn't provide authentication functionality.
           def set_current_user
-            login_from_basic_auth? unless logged_in?
+            #login_from_basic_auth? unless logged_in?
             if logged_in?
               Thread.current[:who_did_it] = Lockdown::System.
                 call(self, :who_did_it)
@@ -32,9 +32,11 @@ module Lockdown
 
           def check_request_authorization
             unless authorized?(path_from_hash(params))
-              raise SecurityError, "Authorization failed for params #{params.inspect}"
+              raise SecurityError, "Authorization failed! \nparams: #{params.inspect}\nsession: #{session.inspect}"
             end
           end
+
+          protected 
   
           def path_allowed?(url)
             session[:access_rights] ||= Lockdown::System.public_access
@@ -61,6 +63,9 @@ module Lockdown
           end
       
           def authorized?(url, method = nil)
+            # Reset access unless caching?
+            add_lockdown_session_values unless Lockdown.caching?
+
             return false unless url
 
             return true if current_user_is_admin?
@@ -69,24 +74,31 @@ module Lockdown
 
             url_parts = URI::split(url.strip)
 
-            url = url_parts[5]
+            path = url_parts[5]
 
-            return true if path_allowed?(url)
+            return true if path_allowed?(path)
 
             begin
-              hash = ActionController::Routing::Routes.recognize_path(url, :method => method)
+              hash = ActionController::Routing::Routes.recognize_path(path, :method => method)
               return path_allowed?(path_from_hash(hash)) if hash
-            rescue Exception
+            rescue Exception => e
               # continue on
             end
 
+            # Mailto link
+            return true if url =~ /^mailto:/
+
+            # Public file
+            file = File.join(RAILS_ROOT, 'public', url)
+            return true if File.exists?(file)
+
             # Passing in different domain
             return remote_url?(url_parts[2])
           end
     
-          def access_denied(e)
+          def ld_access_denied(e)
 
-            RAILS_DEFAULT_LOGGER.info "Access denied: #{e}"
+            Lockdown.logger.info "Access denied: #{e}"
 
             if Lockdown::System.fetch(:logout_on_access_violation)
               reset_session

data/lib/lockdown/frameworks/rails/view.rb

@@ -15,7 +15,7 @@ module Lockdown
         def link_to_secured(name, options = {}, html_options = nil)
           url = url_for(options)
 
-          method = html_options ? html_options[:method] : nil
+          method = html_options ? html_options[:method] : :get
 
          url_to_authorize = remove_subdirectory(url)
 
@@ -28,7 +28,7 @@ module Lockdown
         def button_to_secured(name, options = {}, html_options = nil)
           url = url_for(options)
 
-          method = html_options ? html_options[:method] : nil
+          method = html_options ? html_options[:method] : :get
 
           url_to_authorize = remove_subdirectory(url)
 

data/lib/lockdown/frameworks/rails.rb

@@ -13,34 +13,39 @@ module Lockdown
           mod.extend Lockdown::Frameworks::Rails::Environment
           mixin
         end
-
+        
         def mixin
-          Lockdown.controller_parent.class_eval do
+          mixin_controller
+
+          Lockdown.view_helper.class_eval do
+            include Lockdown::Frameworks::Rails::View
+          end
+
+          Lockdown.system.class_eval do 
+            extend Lockdown::Frameworks::Rails::System
+          end
+        end
+
+        def mixin_controller(klass = Lockdown.controller_parent)
+          klass.class_eval do
             include Lockdown::Session
             include Lockdown::Frameworks::Rails::Controller::Lock
           end
 
-          Lockdown.controller_parent.helper_method :authorized?
+          klass.helper_method :authorized?
+
+          klass.hide_action(:set_current_user, :configure_lockdown, :check_request_authorization, :check_model_authorization)
 
-          Lockdown.controller_parent.before_filter do |c|
+          klass.before_filter do |c|
             c.set_current_user
             c.configure_lockdown
             c.check_request_authorization
+            c.check_model_authorization
           end
 
-          Lockdown.controller_parent.filter_parameter_logging :password, 
-            :password_confirmation
+          klass.filter_parameter_logging :password, :password_confirmation
       
-          Lockdown.controller_parent.rescue_from SecurityError, 
-            :with => proc{|e| access_denied(e)}
-
-          Lockdown.view_helper.class_eval do
-            include Lockdown::Frameworks::Rails::View
-          end
-
-          Lockdown::System.class_eval do 
-            extend Lockdown::Frameworks::Rails::System
-          end
+          klass.rescue_from SecurityError, :with => proc{|e| ld_access_denied(e)}
         end
       end # class block
 
@@ -54,12 +59,28 @@ module Lockdown
           "#{project_root}/lib/lockdown/init.rb"
         end
 
+        def view_helper
+          ::ActionView::Base 
+        end
+
+        # cache_classes is true in production and testing, need to
+        # modify the ApplicationController 
         def controller_parent
-          ActionController::Base
+          if caching?
+            ApplicationController
+          else
+            ActionController::Base
+          end
+        end
+        
+        def caching?
+          ::Rails.configuration.cache_classes
         end
 
-        def view_helper
-          ActionView::Base 
+        # cache_classes is true in production and testing, need to
+        # do an instance eval instead
+        def add_controller_method(code)
+          Lockdown.controller_parent.class_eval code, __FILE__,__LINE__ +1
         end
 
         def controller_class_name(str)
@@ -70,75 +91,21 @@ module Lockdown
             Lockdown.camelize(str)
           end
         end
+
+        def fetch_controller_class(str)
+          eval("::#{controller_class_name(str)}")
+        end
       end
 
       module System
         include Lockdown::Frameworks::Rails::Controller
 
         def skip_sync?
-          Lockdown::System.fetch(:skip_db_sync_in).include?(ENV['RAILS_ENV'])
+          Lockdown.system.fetch(:skip_db_sync_in).include?(framework_environment)
         end
-
-        def load_controller_classes
-          @controller_classes = {}
-         
-          maybe_load_framework_controller_parent
-
-          ApplicationController.helper_method :authorized?
-
-          ApplicationController.before_filter do |c|
-            c.set_current_user
-            c.configure_lockdown
-            c.check_request_authorization
-          end
-
-          ApplicationController.filter_parameter_logging :password, 
-            :password_confirmation
-      
-          ApplicationController.rescue_from SecurityError, 
-            :with => proc{|e| access_denied(e)}
-
-
-          Dir.chdir("#{Lockdown.project_root}/app/controllers") do
-            Dir["**/*.rb"].sort.each do |c|
-              next if c == "application.rb"
-              lockdown_load(c) 
-            end
-          end
-
-          if ENV['RAILS_ENV'] != 'production'
-            if ActiveSupport.const_defined?("Dependencies")
-              ActiveSupport::Dependencies.clear
-            else
-              Dependencies.clear
-            end
-          end
-        end
-
-        def maybe_load_framework_controller_parent
-          if ::Rails::VERSION::MAJOR >= 2 && ::Rails::VERSION::MINOR >= 3
-            filename = "application_controller.rb"
-          else
-            filename = "application.rb"
-          end
-          
-          require_or_load(filename)
-        end
-
-        def lockdown_load(filename)
-          klass = Lockdown.class_name_from_file(filename)
-
-          require_or_load(filename)
-
-          @controller_classes[klass] = Lockdown.qualified_const_get(klass) 
-        end
-
-        def require_or_load(filename)
-          if ActiveSupport.const_defined?("Dependencies")
-            ActiveSupport::Dependencies.require_or_load(filename)
-          else
-            Dependencies.require_or_load(filename)
-          end
+        
+        def framework_environment
+          ::Rails.env
         end
       end # System
     end # Rails

data/lib/lockdown/helper.rb

@@ -1,3 +1,5 @@
+require 'active_support'
+
 module Lockdown
   module Helper
     def class_name_from_file(str)
@@ -10,10 +12,42 @@ module Lockdown
       if str_sym.is_a?(Symbol)
         titleize(str_sym)
       else
-        underscore(str_sym).tr(' ','_').to_sym
+       str_sym.underscore.tr(' ','_').to_sym
       end
     end
 
+    def user_group_class
+      eval(user_group_model_string)
+    end
+
+    def user_groups_hbtm_reference
+      user_group_model_string.underscore.pluralize.to_sym
+    end
+
+    def user_group_id_reference
+      user_group_model_string.underscore + "_id"
+    end
+
+    def user_class
+      eval(user_model_string)
+    end
+
+    def users_hbtm_reference
+      user_model_string.underscore.pluralize.to_sym
+    end
+
+    def user_id_reference
+      user_model_string.underscore + "_id"
+    end
+
+    def user_group_model_string
+      Lockdown.system.fetch(:user_group_model) || "UserGroup"
+    end
+    
+    def user_model_string
+      Lockdown.system.fetch(:user_model) || "User"
+    end
+    
     def get_string(value)
       if value.respond_to?(:name)
         string_name(value.name)
@@ -49,24 +83,6 @@ module Lockdown
       :administrators
     end
 
-    def qualified_const_defined?(klass)
-      if klass =~ /::/
-        namespace, klass = klass.split("::")
-        eval("#{namespace}.const_defined?(#{klass})") if const_defined?(namespace)
-      else
-        const_defined?(klass)
-      end
-    end
-
-    def qualified_const_get(klass)
-      if klass =~ /::/
-        namespace, klass = klass.split("::")
-        eval(namespace).const_get(klass)
-      else
-        const_get(klass)
-      end
-    end
-
     private
 
     def string_name(str_sym)