right_on 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 0d604e3a0d52e8dd395888dce6b1d201138ea8b6
+  data.tar.gz: 62d8d15da688d03422d5a31b3641a577f92ec42b
+SHA512:
+  metadata.gz: 59b6d8bbf60c6328bfc0753b622a05603d53362a762f47f490b1cf39cf8f083f4e0423616fdc28f99e088db2d77d16052e44f4ea8fc8f99daf71e990aab9b3b0
+  data.tar.gz: 829f2b6d9050d1cd92b38f9e70cda0a41e325b72d35cc77443e2e70a17c382f3718c983ca41799eec0177131876ec0ba45b49d0c9018a9edba488552ad044173

data/.gitignore

@@ -0,0 +1,4 @@
+pkg
+coverage
+Gemfile.lock
+tmp

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--format progress

data/.travis.yml

@@ -0,0 +1,14 @@
+language: ruby
+rvm:
+  - 2.3.0
+script: "bundle exec rake spec"
+gemfile:
+  - gemfiles/rails3.gemfile
+  - gemfiles/rails4.gemfile
+notifications:
+  email:
+    - support@travellink.com.au
+  flowdock:
+    secure: TZTbtSK+LDly7dRu0eYE3oro7fH0dktkyzeRo67ofPqO5Xdor6U6Eh2njeq6vqiL9tI+2V1MLv90I9tcLrbiz609sY6r+4byL8fQoDRjXMYcOr8bOcOSMldmKgf/42XmxgcFl9Xh+lWkdIdL9e4xdtsytbuK/EVGfA/DEW7E7DE=
+sudo: false
+cache: bundler

data/Gemfile

@@ -0,0 +1,7 @@
+source 'https://rubygems.org'
+gemspec
+
+group :development, :test do
+  gem 'rails'
+  gem 'dependent_restrict', github: 'sealink/dependent_restrict', branch: 'master'
+end

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License
+
+Copyright (c) Tom Preston-Werner
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,60 @@
+Right On
+========
+
+[![Build Status](https://travis-ci.org/sealink/right_on.png?branch=master)](https://travis-ci.org/sealink/right_on)
+[![Coverage Status](https://coveralls.io/repos/sealink/right_on/badge.png)](https://coveralls.io/r/sealink/right_on)
+[![Dependency Status](https://gemnasium.com/sealink/right_on.png?travis)](https://gemnasium.com/sealink/right_on)
+[![Code Climate](https://codeclimate.com/github/sealink/right_on.png)](https://codeclimate.com/github/sealink/right_on)
+
+
+# DESCRIPTION
+
+Gives rails applications a way to manage rights/roles
+
+If you have a class User, then you can use it like so:
+
+```ruby
+class User < ActiveRecord::Base
+  include RightOn::RoleModel
+end
+```
+
+This will create a many-to-many relationship with roles
+
+Roles are sets of rights. Generally people will have multiple roles
+e.g. A senior bank teller might have the following roles:
+* Senior Bank Teller
+* Bank Teller
+* Bank Employee
+
+The Role class also has a many-to-many relationship with rights
+
+So a bank employee might have access to the building during regular hours
+e.g. has a right 'transactions/add' giving him access to the add method of the transactions controller
+
+Wheras the senior bank teller might be the only one with the 'tellers/create'
+Thus he is the only one who can create new tellers.
+
+There are a few types of rights:
+* Rights giving access to an entire controller (tellers)
+* Rights giving access to a single action within a controller (e.g. tellers/show)
+* Rights giving access to multiple actions within a controller (e.g. tellers/read_only or tellers/read_write)
+* Rights giving access to particular objects, e.g. a right gives you access to contact clients with a type "High Value Clients"
+* Rights giving custom access. To have affect you need to use the has_right? Helper in you views
+
+RightOn comes with controller methods to verify if the user has rights. Simply add the following in your app to controllers
+you want to enforce rights:
+
+```ruby
+include RightOn::ActionControllerExtensions
+
+before_filter :verify_rights
+```
+
+This will enforce that you have a right matching the controllers right
+You must have a method "current_user" which is the user model that you've made as the RoleModel
+
+# INSTALLATION
+
+Add to your Gemfile:
+gem 'right_on'

data/Rakefile

@@ -0,0 +1,12 @@
+require "bundler/gem_tasks"
+
+desc 'Default: run specs.'
+task :default => :spec
+
+require 'rspec/core/rake_task'
+
+desc "Run specs"
+RSpec::Core::RakeTask.new do |t|
+  t.pattern = "./spec/**/*_spec.rb" # don't need this, it's default.
+  # Put spec opts in a file named .rspec in root
+end

data/db/migration.rb

@@ -0,0 +1,34 @@
+class RightOnMigration < ActiveRecord::Migration
+  def self.change
+    create_table :rights do |t|
+      t.string :name, :controller, :action, :limit => 150
+      t.timestamps
+    end
+
+    change_table :rights do |t|
+      t.index :action
+      t.index :name
+      t.index [:controller, :action]
+    end
+
+    create_table :rights_roles, :id => false do |t|
+      t.integer :right_id, :role_id
+    end
+
+    change_table :rights_roles do |t|
+      t.index [:right_id, :role_id]
+      t.index [:role_id, :right_id]
+    end
+
+    create_table :roles do |t|
+      t.string  :title
+      t.text    :description
+      t.integer :right_id
+      t.timestamps
+    end
+
+    change_table :roles do |t|
+      t.index :right_id
+    end
+  end
+end

data/db/rights_roles.yml

@@ -0,0 +1,16 @@
+rights:
+  general:
+    - models:
+      - index
+      - view
+      - change
+  admin:
+    - users
+
+roles:
+  simple_role:
+    - models@index
+  advanced_role:
+    - models
+    - models@index
+    - users

data/gemfiles/rails3.gemfile

@@ -0,0 +1,7 @@
+source 'https://rubygems.org'
+gemspec :path => '../'
+
+group :development, :test do
+  gem 'rails', '~> 3.2.0'
+  gem 'rails_4_backports' # find_by
+end

data/gemfiles/rails4.gemfile

@@ -0,0 +1,6 @@
+source 'https://rubygems.org'
+gemspec :path => '../'
+
+group :development, :test do
+  gem 'rails', '~> 4.2'
+end

data/lib/right_on/action_controller_extensions.rb

@@ -0,0 +1,68 @@
+module RightOn
+
+  module ActionControllerExtensions
+
+    def self.included(base)
+      base.module_eval do
+        helper_method :access_allowed?, :access_allowed_to_controller?
+        class_attribute :rights_from
+        class_attribute :permission_denied_layout
+      end
+    end
+
+    # Checks the access privilege of the user and renders permission_denied page if required
+    def verify_rights
+      access_allowed?(controller_action_options) || permission_denied
+    end
+
+    # Checks the access privilege for a controller
+    def access_allowed_to_controller?(controller)
+      controller_class = "#{controller.to_s.camelcase}Controller".safe_constantize
+
+      # Handle inheritance of rights
+      if controller_class && controller_class.rights_from.present?
+        controller = controller_class.rights_from.to_s
+      end
+
+      access_allowed?(controller)
+    end
+
+    # Checks the access privilege of the user and returns true or false
+    def access_allowed?(opts={})
+      if opts.is_a?(String)
+        controller, action = opts.split('#')
+        opts = {:controller => controller, :action => action}
+      end
+      opts[:controller] ||= params[:controller]
+      opts[:action]     ||= params[:action]
+      current_user.rights.any? { |r| r.allowed?(opts.slice(:controller, :action)) }
+    end
+
+    # Called if a security check determines permission is denied
+    def permission_denied
+      @permission_denied_response = RightOn::PermissionDeniedResponse.new(params, controller_action_options)
+
+      respond_to do |format|
+        format.html { render status: 401, template: 'permission_denied', layout: (permission_denied_layout || false) }
+        format.json do
+          render status: 401, json: @permission_denied_response.to_json
+        end
+        format.js do
+          render :update, status: 401 do |page|
+            page.alert(@permission_denied_layout.text_message)
+          end
+        end
+      end
+
+      false
+    end
+
+    def controller_action_options
+      opts = params.slice(:controller, :action)
+      opts[:controller] = rights_from.to_s if rights_from
+      opts
+    end
+
+  end
+
+end

data/lib/right_on/generators/USAGE

@@ -0,0 +1,8 @@
+Description:
+    Generates a new database migration for adding a right. 
+    Pass the right name and an optional list of attribute pairs as arguments.
+
+    A migration class is generated in db/migrate prefixed by a timestamp of the current date and time.
+
+Example:
+    `rails generate right_on:right_migration my_controllers/my_new_controller#my_new_action`

data/lib/right_on/generators/right_migration_generator.rb

@@ -0,0 +1,59 @@
+module RightOn
+  module Generators
+    class RightMigrationGenerator < Rails::Generators::Base
+      
+      include Rails::Generators::Migration
+      
+      source_root File.expand_path('../templates', __FILE__)
+      
+      argument :name, :type => :string, :required => false
+      
+      class_option :controller, :type => :string, :required => false, 
+        :desc => "Indicates the right's controller"
+      class_option :action,     :type => :string, :required => false, 
+        :desc => "Indicates the right's action"
+      class_option :right,      :type => :string, :required => false, 
+        :desc => "Indicates an existing right. Any role including this right will also include the new right"
+      
+      
+      def generate_migration
+        raise ArgumentError, "Either name or controller must be specified" if right_controller.blank?
+        migration_template "right_migration.rb", "db/migrate/add_#{parsed_right_name}_right.rb"
+      end
+      
+      
+      # Implement the required interface for Rails::Generators::Migration.
+      def self.next_migration_number(dirname) #:nodoc:
+        next_migration_number = current_migration_number(dirname) + 1
+        ActiveRecord::Migration.next_migration_number(next_migration_number)
+      end
+      
+      private
+         
+      def right_controller
+        (options[:controller] || name.to_s.split('#')[0]).to_s.underscore.presence
+      end
+      
+      
+      def right_action
+        (options[:action] || name.to_s.split('#')[1]).to_s.underscore.presence
+      end
+      
+      
+      def right_name
+        name.presence || [right_controller, right_action].compact.join('#')
+      end
+
+
+      def right_for_roles
+        options[:right]
+      end
+      
+      
+      def parsed_right_name
+        right_name.gsub('/','_').gsub('#','_').underscore
+      end
+      
+    end
+  end
+end

data/lib/right_on/generators/templates/right_migration.rb

@@ -0,0 +1,32 @@
+class Add<%= parsed_right_name.camelize %>Right < ActiveRecord::Migration
+
+  class Right < ActiveRecord::Base
+    has_and_belongs_to_many :roles
+
+    validates_presence_of :name
+    validates_uniqueness_of :name
+  end
+
+  class Role < ActiveRecord::Base
+    has_and_belongs_to_many :rights
+
+    validates_presence_of :title
+    validates_uniqueness_of :title
+  end
+
+  def self.up
+    right_for_roles = Right.find_by_name("<%= right_for_roles %>")
+    Right.create(
+      :controller => '<%= right_controller %>'.presence,
+      :action     => '<%= right_action %>'.presence,
+      :name       => '<%= right_name %>'.presence,
+      :roles      => right_for_roles.roles
+    )
+  end
+  
+  
+  def self.down
+    Right.destroy_all(:name => '<%= right_name %>')
+  end
+  
+end

data/lib/right_on/permission_denied_response.rb

@@ -0,0 +1,43 @@
+module RightOn
+  class PermissionDeniedResponse
+    attr_reader :right_allowed, :roles_allowed, :controller_name
+
+    def initialize(params, controller_action_options)
+      @params = params
+      @right_allowed = Right.all.detect{|right| right.allowed?(controller_action_options)}
+      @roles_allowed = @right_allowed.roles if @right_allowed
+      @controller_name = @params[:controller] unless @right_allowed
+    end
+
+    def text_message
+      if @right_allowed
+        <<-MESSAGE
+You are not authorised to perform the requested operation.
+Right required: #{@right_allowed}
+This right is given to the following roles: #{@roles_allowed.map(&:title).join(", ")}.
+Contact your system manager to be given this right.
+MESSAGE
+      else
+        no_right_for_page
+      end
+    end
+
+    def to_json
+      {
+        error: 'Permission Denied',
+        right_allowed: (@right_allowed ? @right_allowed.name : no_right_for_page),
+        roles_for_right: (@roles_allowed ? @roles_allowed.map(&:title) : no_roles_for_page)
+      }
+    end
+
+    private
+
+    def no_right_for_page
+      "No right is defined for this page: #{@controller_name}. Contact your system manager to notify this problem."
+    end
+
+    def no_roles_for_page
+      'N/A (as no right is assigned for this action)'
+    end
+  end
+end

data/lib/right_on/rails.rb

@@ -0,0 +1,5 @@
+require 'right_on/role_model'
+require 'right_on/right'
+require 'right_on/role'
+require 'right_on/action_controller_extensions'
+require 'right_on/permission_denied_response'

data/lib/right_on/railtie.rb

@@ -0,0 +1,12 @@
+class Railtie < Rails::Railtie
+  initializer 'right_on.initialize' do
+    ActiveSupport.on_load(:active_record) do
+      require 'right_on/rails'
+    end
+  end
+
+  rake_tasks do
+    load "right_on/tasks/seeds_rights.rake"
+    load "right_on/tasks/rights_roles.rake"
+  end
+end

data/lib/right_on/restricted_by_right.rb

@@ -0,0 +1,56 @@
+module RightOn
+  module RestrictedByRight
+
+    def self.included(base)
+      base.extend(ClassMethods)
+    end
+
+    module ClassMethods
+      def restricted_by_right(options = {})
+        options ||= {}
+        group = options.fetch(:group, 'other')
+
+        @right_on_config ||= {}
+        @right_on_config[:restricted_by_right_group] = group
+
+        Right.associate_group(self, group)
+
+        class << self
+          def accessible_to(user)
+            all.select{|o| user.rights.include?(o.right)}
+          end
+        end
+
+        include InstanceMethods
+
+        belongs_to :right, :class_name => 'RightOn::Right'
+        before_create :create_access_right!
+        after_destroy :destroy_access_right!
+      end
+
+      def restricted_by_right_group
+        (@right_on_config || {})[:restricted_by_right_group]
+      end
+    end
+
+    module InstanceMethods
+
+      private
+
+        def create_access_right!
+          right_name = "#{self.class.name.titleize}: #{name}"
+          self.right = find_right(right_name) || Right.create!(:name => right_name)
+        end
+
+        def find_right(name)
+          Right.find_by(:name => name)
+        end
+
+        def destroy_access_right!
+          self.right.try(:destroy)
+        end
+
+    end
+
+  end
+end

data/lib/right_on/right.rb

@@ -0,0 +1,171 @@
+require 'active_record'
+
+module RightOn
+  class Right < ActiveRecord::Base
+
+    has_and_belongs_to_many :roles, :class_name => 'RightOn::Role'
+
+    validates_presence_of :name
+    validates_uniqueness_of :name
+
+    scope :ordered, -> { order :name }
+
+    after_save :clear_cache
+    after_destroy :clear_cache
+
+    attr_accessor :group
+
+    class << self
+      @@restricted_by_right_classes = []
+
+      def associate_group(klass, group)
+        # Prevent issues when reloading class using restricted_by_right
+        unless @@restricted_by_right_classes.include?(klass)
+          @@restricted_by_right_classes << klass
+        end
+        has_one klass.table_name.singularize.to_sym, :dependent => :restrict
+      end
+
+      def rights_yaml(file_path)
+        @@rights_yaml = file_path
+      end
+
+      def by_groups
+        rights = []
+        rights += regular_rights_with_group
+        rights += restricted_rights_with_group
+        rights.group_by(&:group)
+      end
+
+      def regular_rights_with_group
+        yaml = YAML::load_file(@@rights_yaml)
+        rights = []
+        rights_by_name = Hash[Right.all.map{|r| [r.name, r]}]
+        yaml['rights'].each_pair do |group, right_names|
+          rights_for_group = []
+          right_names.each do |right_name|
+            if right_name.is_a?(String) # controller
+              r = rights_by_name[right_name]
+              raise right_name if r.nil?
+              rights_for_group << r
+            else right_name.is_a?(Hash) # controller + actions
+              controller, actions = right_name.first
+              r = rights_by_name[controller]
+              if r
+                rights_for_group << r
+              end
+              actions.each do |action|
+                name = "#{controller}##{action}"
+                r = rights_by_name[name]
+                raise name.inspect + "****" + right_name.inspect + '---' + action_right.inspect if r.nil?
+                rights_for_group << r
+              end
+            end
+          end
+          rights_for_group.each{|r| r.group = group}
+          rights += rights_for_group
+        end
+        rights
+      end
+
+      def restricted_rights_with_group
+        rights = []
+        @@restricted_by_right_classes.each do |klass|
+          group = klass.restricted_by_right_group
+          rights += all_rights(klass).map(&:right).each do |right|
+            right.group = group
+          end
+        end
+        rights
+      end
+
+      def all_rights(klass)
+        klass.includes(:right).all
+      end
+    end
+
+    # Is this right allowed for the given context?
+    #
+    # Context params is an option hash:
+    #   :controller => controller name
+    #   :action     => action name
+    #
+    # The context tells us the state of the request being made.
+
+    def allowed?(context={})
+      return false unless controller == context[:controller]
+      if action
+        action_permitted?(context[:action])
+      else
+        # right without action works if no specific right exists
+        # e.g. can't edit if there's a edit or change right defined
+        # as you must used that specific right
+        specific_rights = Array(APPLICABLE_RIGHTS[context[:action].to_sym]) + [context[:action]]
+        specific_rights.all?{|action| Right["#{context[:controller]}##{action}"].nil?}
+      end
+    end
+
+    APPLICABLE_RIGHTS = {
+      :new     => [:change],
+      :edit    => [:change],
+      :update  => [:change],
+      :create  => [:change],
+      :destroy => [:change],
+      :index   => [:change, :view],
+      :show    => [:change, :view]
+    }
+
+    CHANGE_ACTIONS = %w(new edit update create destroy index show)
+
+    VIEW_ACTIONS = %w(index show)
+
+    def action_permitted?(context_action)
+      case action.to_sym
+      when :change
+        CHANGE_ACTIONS.include?(context_action)
+      when :view
+        VIEW_ACTIONS.include?(context_action)
+      else
+        action == context_action
+      end
+    end
+
+    def sensible_name
+      name.humanize.titleize.gsub(/#/, ' - ')
+    end
+
+    def to_s
+      name
+    end
+
+    def self.cache
+      @@cache ||= Rails.cache
+    end
+
+    def self.cache=(cache)
+      @@cache = cache
+    end
+
+    def self.clear_cache
+      cache.delete('Right.all')
+    end
+
+    def clear_cache
+      self.class.clear_cache
+    end
+
+    attr_accessor :rights
+    def self.[](name)
+      @rights = cache.read('Right.all') || calculate_and_write_cache
+      @rights[name]
+    end
+
+    private
+    def self.calculate_and_write_cache
+      right_cache = Hash[Right.all.map{|r|[r.name, r.id]}]
+      cache.write('Right.all', right_cache) or raise RuntimeError, "Could not cache rights"
+      right_cache
+    end
+
+  end
+end