right_on 0.1.0

data/lib/right_on/rights_manager.rb

@@ -0,0 +1,140 @@
+require 'input_reader'
+require 'rails/generators'
+
+# Extra require so generator can be used in rake task
+require 'right_on/generators/right_migration_generator'
+
+module RightOn
+  class RightsManager
+    class << self
+
+      def controllers
+        controllers_path = File.join("#{Rails.root}",'app','controllers')
+        controllers_suffix = '_controller.rb'
+        controllers_files = File.join(controllers_path, '**', '*' + controllers_suffix)
+        Dir[controllers_files].map do |f|
+          [File.dirname(f)[(controllers_path.length + 1)..-1],
+            File.basename(f,controllers_suffix)].compact.join('/')
+        end
+      end
+
+
+      def missing_rights
+        rights = Right.all.map(&:controller)
+        controllers.reject { |c| rights.include?(c) }
+      end
+
+
+      def add_right(options = {})
+        options = parse_right_options(options)
+        add_and_run_right_migration(options)
+        add_right_fixture(options)
+        puts "Added right #{options[:name]}"
+        add_right if options[:unattended].blank? && InputReader.get_boolean(:prompt => "Add another right?(Y/N)")
+      end
+
+
+      def add_right_record(options = {})
+        unless Right.find_by_name(options[:name])
+          Right.create(options.slice(:controller, :action, :name, :roles))
+        end
+      end
+
+
+      # Converts options from {:key => 'value', :key2 => 'value2', :blank => ''}
+      # to "--key=value --key2=value2" (Notice how blank is not included)
+      def build_unix_options(options = {})
+        options.select{|k,v| v.present?}.map do |key, value|
+          "--#{key}=#{value}"
+        end
+      end
+
+
+      def add_right_migration(options = {})
+        migration_options = options.slice(:controller, :action, :right)
+        puts options.inspect
+        puts "#{options[:name]} #{build_unix_options(migration_options)}"
+        migration_file = Rails::Generators.invoke("right_on:right_migration",
+          [options[:name]] + build_unix_options(migration_options)
+        )
+        raise "Could not generate migration" unless migration_file.present?
+        migration_file.first
+      end
+
+
+      def add_and_run_right_migration(options = {})
+        migration_file = add_right_migration(options)
+        ENV['VERSION'] = File.basename(migration_file).split('_').first
+        Rake::Task['db:migrate:up'].invoke
+        ENV.delete 'VERSION'
+        true
+      end
+
+
+      def add_right_fixture(options = {})
+        right_roles_yaml_path = File.join("#{Rails.root}",'db','fixtures','rights_roles.yml')
+        right_roles = YAML::load_file(right_roles_yaml_path)
+
+        group = options[:group].presence || options[:controller]
+
+        right_roles['rights'][group] ||= []
+        right_roles['rights'][group].delete(options[:controller])
+
+        right = right_roles['rights'][group].find do |right|
+          right.is_a?(Hash) && right.keys.include?(options[:controller])
+        end
+
+        if options[:action].present?
+          right ||= (right_roles['rights'][group] << {}).last
+          right[options[:controller]] ||= []
+          right[options[:controller]] << options[:action] unless right[options[:controller]].include?(options[:action])
+        elsif !right
+          right_roles['rights'][group] << options[:controller]
+        end
+
+        options[:bootstrap_roles].each do |role_title|
+          (right_roles['roles'][role_title] || []) << [options[:controller].presence,options[:action].presence].compact.join("#")
+        end
+
+        File.open(right_roles_yaml_path, "w") do |f|
+          f.write(right_roles.to_yaml)
+        end
+
+        true
+      end
+
+
+      private
+
+      def parse_right_options(options = {})
+        parsed_options = {}
+
+        parsed_options[:controller] = options[:controller].presence ||
+          InputReader.select_item(missing_rights, :prompt => "Right:", :allow_blank => true) ||
+          InputReader.get_string(:allow_blank => false, :prompt => "Controller:")
+
+        parsed_options[:action] = options[:action].presence ||
+          InputReader.get_string(:allow_blank => true, :prompt => "Action:")
+
+        parsed_options[:name] = options[:name].presence ||
+          InputReader.get_string(:allow_blank => true, :prompt => "Name:") ||
+          [parsed_options[:controller].presence, parsed_options[:action].presence].compact.join('#')
+
+        parsed_options[:group] = options[:group].presence ||
+          InputReader.get_string(:allow_blank => true, :prompt => "Group:")
+
+        parsed_options[:right] = options[:right].presence ||
+          InputReader.select_item(Right.all, :selection_attribute => :name, :allow_blank => true, :prompt => "Assign new right to anyone with right:").name
+
+        right_roles_yaml_path = File.join("#{Rails.root}",'db','fixtures','rights_roles.yml')
+        right_roles = YAML::load_file(right_roles_yaml_path)
+        bootstrap_roles = right_roles['roles'].keys
+        parsed_options[:bootstrap_roles] = options[:bootstrap_role].presence ||
+          InputReader.select_items(bootstrap_roles, :allow_blank => true, :prompt => "Assign to which bootstrap roles:")
+
+        parsed_options
+      end
+
+    end
+  end
+end

data/lib/right_on/role.rb

@@ -0,0 +1,16 @@
+module RightOn
+  class Role < ActiveRecord::Base
+
+    has_and_belongs_to_many :rights, :class_name => 'RightOn::Right'
+
+    validates_presence_of :title
+    validates_uniqueness_of :title
+
+    def to_s
+      self.title.try(:titleize)
+    end
+
+    alias_method :name, :to_s
+
+  end
+end

data/lib/right_on/role_model.rb

@@ -0,0 +1,33 @@
+module RightOn
+  module RoleModel
+    def self.included(base)
+      base.module_eval 'has_and_belongs_to_many :roles, :class_name => "RightOn::Role"'
+      Role.module_eval "has_and_belongs_to_many :#{base.table_name}"
+    end
+
+    def roles_allowed_to_assign
+      Role.accessible_to(self)
+    end
+
+    def rights
+      @rights ||=
+        Right
+          .select('distinct rights.*')
+          .joins(:roles)
+          .where('rights_roles.role_id IN (?)', role_ids)
+    end
+
+    def has_access_to?(client_type)
+      has_right?(client_type.right)
+    end
+
+    def has_right?(right_or_string)
+      right = right_or_string.is_a?(Right) ? right_or_string : Right.find_by_name(right_or_string)
+      rights.include?(right)
+    end
+
+    def has_privileges_of?(other_user)
+      (other_user.rights - rights).empty?
+    end
+  end
+end

data/lib/right_on/tasks/rights_roles.rake

@@ -0,0 +1,12 @@
+namespace :rights do
+  desc "Check for controllers without rights"
+  task :check => :environment do
+    puts "Missing rights for controllers:"
+    puts RightOn::RightsManager.missing_rights
+  end
+  
+  desc "Add rights for missing controllers"
+  task :add, [:controller, :action] => :environment do |t, args|
+    RightOn::RightsManager.add_right(args)
+  end
+end

data/lib/right_on/tasks/seeds_rights.rake

@@ -0,0 +1,28 @@
+namespace "db" do
+  namespace "seed" do
+    desc "Seed initial rights to each role"
+    task :rights => :environment do
+      load "#{Rails.root}/db/fixtures/rights_roles.rb" 
+    end
+
+    namespace "rights" do
+      desc "Remove existing rights data and reinitiate it with seeds."
+      task :redo => :environment do
+        message = []
+        message << "This rake task will delete all existing rights and reload Roles with the default rights"
+        message << "Every roles will lose their existing rights unless specified in db/fixtures/rights_roles.yml"
+
+        RakeUserInterface.confirmation_required(message) do
+          RightOn::Right.transaction do
+            if RightOn::Right.count > 0
+              puts "Removing existing Right data..."
+              RightOn::Right.destroy_all
+            end
+
+            Rake::Task["db:seed:rights"].invoke
+          end
+        end
+      end
+    end
+  end
+end

data/lib/right_on/version.rb

@@ -0,0 +1,3 @@
+module RightOn
+  VERSION = '0.1.0'
+end

data/lib/right_on.rb

@@ -0,0 +1,12 @@
+module RightOn
+  require 'active_record'
+
+  require 'dependent_restrict'
+  require 'right_on/restricted_by_right'
+  ActiveRecord::Base.send(:include, RestrictedByRight)
+
+  require 'rails'
+  require 'right_on/railtie'
+  require 'right_on/rights_manager'
+end
+

data/right_on.gemspec

@@ -0,0 +1,33 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'right_on/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'right_on'
+  spec.version       = RightOn::VERSION
+  spec.authors       = ["Michael Noack", "Alessandro Berardi"]
+  spec.email         = 'development@travellink.com.au'
+  spec.description   = "This helps systems manage rights and roles on a controller/action basis."
+  spec.summary       = "Set of extensions to core rails to give rights and roles."
+  spec.homepage      = 'http://github.com/sealink/right_on'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency('activerecord', [">= 3.2.0", "< 5.0.0"])
+  spec.add_dependency('activesupport', [">= 3.2.0", "< 5.0.0"])
+  spec.add_dependency('dependent_restrict', [">= 0.2.1"])
+  spec.add_dependency('input_reader', ["~> 0.0"])
+  spec.add_development_dependency "bundler", "~> 1.3"
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'rspec'
+  spec.add_development_dependency 'simplecov'
+  spec.add_development_dependency 'simplecov-rcov'
+  spec.add_development_dependency 'coveralls'
+  spec.add_development_dependency 'sqlite3'
+  spec.add_development_dependency 'travis'
+end

data/spec/action_controller_extensions_spec.rb

@@ -0,0 +1,34 @@
+require 'spec_helper'
+
+require 'action_controller'
+class AdminController < ActionController::Base
+  include RightOn::ActionControllerExtensions
+  def current_user
+    Thread.current[:user]
+  end
+end
+
+describe AdminController do
+  let(:basic_user) { User.where(name: 'basic').first }
+  let(:admin_user) { User.where(name: 'admin').first }
+
+  before do
+    Bootstrap.reset_database
+    controller.params = {controller: 'admin', action: 'index'}
+  end
+
+  let(:controller) { AdminController.new }
+  context 'basic user' do
+    before { Thread.current[:user] = basic_user }
+    it 'should not allow access' do
+      expect(controller.access_allowed?).to be false
+    end
+  end
+
+  context 'admin user' do
+    before { Thread.current[:user] = admin_user }
+    it 'should allow access' do
+      expect(controller.access_allowed?).to be true
+    end
+  end
+end

data/spec/right_on_spec.rb

@@ -0,0 +1,206 @@
+require 'spec_helper'
+
+describe User do
+  let(:basic_user) { User.where(name: 'basic').first }
+  let(:admin_user) { User.where(name: 'admin').first }
+
+  before do
+    Bootstrap.reset_database
+  end
+
+  it 'should compare privileges' do
+    expect(admin_user.has_privileges_of?(basic_user)).to eq true
+    expect(basic_user.has_privileges_of?(admin_user)).to eq false
+  end
+end
+
+describe RightOn::Right do
+  before do
+    RightOn::Right.delete_all
+    Model.delete_all
+
+    @model = Model.create!(:name => 'Test')
+
+    @users  = RightOn::Right.create!(:name => 'users', :controller => 'users')
+    @other  = RightOn::Right.create!(:name => 'models', :controller => 'models')
+    @index  = RightOn::Right.create!(:name => 'models#index', :controller => 'models', :action => 'index')
+    @change = RightOn::Right.create!(:name => 'models#change', :controller => 'models', :action => 'change')
+    @view   = RightOn::Right.create!(:name => 'models#view', :controller => 'models', :action => 'view')
+  end
+
+  it 'should display nicely with sensible_name and to_s' do
+    expect(@model.right.to_s).to eq 'Model: Test'
+    expect(@other.to_s).to eq 'models'
+    expect(@index.to_s).to eq 'models#index'
+
+    expect(@model.right.sensible_name).to eq 'Model: Test'
+    expect(@other.sensible_name).to eq 'Models'
+    expect(@index.sensible_name).to eq 'Models - Index'
+  end
+
+  it 'should create right for restricted right' do
+    right = @model.right
+    expect(right).to_not be_nil
+    expect(right.name).to eq 'Model: Test'
+    expect{right.destroy}.to raise_error(ActiveRecord::DetailedDeleteRestrictionError)
+  end
+
+  it 'should identify correct groups' do
+    rights = RightOn::Right.regular_rights_with_group.sort_by{|r| r.name} # Sort for ruby 1.9 compatibility
+    expect(rights.map(&:name)).to eq %w(models models#change models#index models#view users)
+    expect(rights.map(&:group)).to eq %w(general general general general admin)
+
+    expect(RightOn::Right.by_groups).to eq(
+      'general' => [@other, @index, @view, @change],
+      'admin' => [@users],
+      'other' => [@model.right]
+    )
+  end
+
+  it 'should determine if it is allowed based on context' do
+    index_action = {:controller => 'models', :action => 'index'}
+    edit_action  = {:controller => 'models', :action => 'edit'}
+    hello_action = {:controller => 'models', :action => 'hello'}
+
+    expect(@model.right.allowed?(index_action)).to eq false
+
+    expect(@users.allowed?(:controller => 'users', :action => 'index')).to eq true
+    expect(@users.allowed?(:controller => 'users', :action => 'edit' )).to eq true
+    expect(@users.allowed?(:controller => 'users', :action => 'hello')).to eq true
+
+    expect(@other.allowed?(index_action)).to eq false # as specific action exists
+    expect(@other.allowed?(edit_action )).to eq false # as specific action exists
+    expect(@other.allowed?(hello_action)).to eq true # as hello isn't defined
+
+    expect(@index.allowed?(index_action)).to eq true
+    expect(@index.allowed?(edit_action )).to eq false
+    expect(@index.allowed?(hello_action)).to eq false
+
+    expect(@view.allowed?(index_action)).to eq true
+    expect(@view.allowed?(edit_action )).to eq false
+    expect(@view.allowed?(hello_action)).to eq false
+
+    expect(@change.allowed?(index_action)).to eq true
+    expect(@change.allowed?(edit_action )).to eq true
+    expect(@change.allowed?(hello_action)).to eq false
+  end
+end
+
+describe RightOn::Right, "when created" do
+  it "should validate presence of name" do
+    subject.valid?
+    expect(subject.errors[:name]).to_not be_blank
+  end
+end
+
+describe RightOn::Right, "with a name and controller" do
+  before do
+    @new_right = RightOn::Right.new(:name => "tickets", :controller => "tickets")
+    @new_right.save!
+  end
+
+  it "should create a new right" do
+    expect(@new_right.name).to eq "tickets"
+    expect(@new_right.controller).to eq "tickets"
+    expect(@new_right.save).to eq true
+  end
+
+end
+
+describe RightOn::Right, "with a name, controller and action" do
+  before do
+    @new_right = RightOn::Right.new(:name => "tickets@destroy", :controller => "tickets", :action => "destroy")
+  end
+
+  it "should create a new right" do
+    expect(@new_right.name).to eq "tickets@destroy"
+    expect(@new_right.controller).to eq "tickets"
+    expect(@new_right.action).to eq "destroy"
+    expect(@new_right.save).to eq true
+  end
+end
+
+describe RightOn::Right, "with only a name" do
+  before do
+    @new_right = RightOn::Right.new(:name => "tickets2")
+  end
+
+  it "should create a new right" do
+    expect(@new_right.save).to eq true
+  end
+end
+
+describe RightOn::Right, "with the same name" do
+  before do
+    @old_right = RightOn::Right.new(:name => "tickets3", :controller => "tickets")
+    @old_right.save!
+    @new_right = RightOn::Right.new(:name => "tickets3", :controller => "tickets")
+  end
+
+  it "should not create a new right" do
+    expect(@new_right.save).to eq false
+  end
+end
+
+describe RightOn::Role, "can have many rights" do
+  let(:role1) { RightOn::Role.new(:title => 'role 1') }
+
+  specify { expect(role1.to_s).to eq 'Role 1' }
+
+  context 'when assigned rights' do
+    let(:right1) { RightOn::Right.create!(:name => 'right 1') }
+    let(:right2) { RightOn::Right.create!(:name => 'right 2') }
+
+    before do
+      role1.save!
+      role1.rights = [right1, right2]
+    end
+
+    after do
+      role1.destroy
+      right1.destroy
+      right2.destroy
+    end
+
+    it "should have and belong to many" do
+      expect(role1.rights.size).to eq 2
+      expect(right1.roles.size).to eq 1
+      expect(right2.roles.size).to eq 1
+    end
+  end
+end
+
+describe 'when checking accessibility to a controller' do
+
+  let(:test_controller_right) { RightOn::Right.new(name: 'test', controller: 'test') }
+  let(:user) { double(rights: [test_controller_right]) }
+  let(:controller) { 'test' }
+  let(:action) { 'index' }
+  let(:params) { {controller: 'test', action: 'index'} }
+
+  before do
+    stub_const 'TestController', double(current_user: user, params: params)
+    TestController.extend RightOn::ActionControllerExtensions
+    allow(TestController).to receive(:rights_from).and_return(nil)
+  end
+
+  specify { expect(TestController.access_allowed?(controller)).to be_truthy }
+  specify { expect(TestController.access_allowed?('other')).to be_falsey }
+  specify { expect(TestController.access_allowed_to_controller?(controller)).to be_truthy }
+  specify { expect(TestController.access_allowed_to_controller?('other')).to be_falsey }
+
+  describe 'when inheriting rights' do
+    let(:controller) { 'test_inherited' }
+
+    before do
+      stub_const 'TestInheritedController', double(current_user: user, params: params)
+      TestInheritedController.extend RightOn::ActionControllerExtensions
+      allow(TestInheritedController).to receive(:rights_from).and_return(:test)
+    end
+
+    specify { expect(TestInheritedController.access_allowed?(controller)).to be_falsey }
+    specify { expect(TestInheritedController.access_allowed?('other')).to be_falsey }
+    specify { expect(TestInheritedController.access_allowed_to_controller?(controller)).to be_truthy }
+    specify { expect(TestInheritedController.access_allowed_to_controller?('other')).to be_falsey }
+  end
+end

data/spec/role_model_spec.rb

@@ -0,0 +1,45 @@
+require 'spec_helper'
+
+describe RightOn::RoleModel do
+  let(:admin_role) { RightOn::Role.create!(title: 'admin') }
+  let(:product_right) { RightOn::Right.create!(name: 'Products', controller: 'products') }
+
+  before do
+    RightOn::Role.delete_all
+    RightOn::Right.delete_all
+    admin_role.rights << product_right
+  end
+
+  let(:basic_user) { User.create! }
+  let(:admin) { User.create!(roles: [admin_role]) }
+
+  it 'basic user should have no access' do
+    expect(basic_user.rights).to be_empty
+    expect(basic_user.has_right?('Products')).to be false
+    expect(basic_user.has_right?(product_right)).to be false
+  end
+
+  it 'admin user should have full access' do
+    expect(admin.rights.size).to eq 1
+    expect(admin.has_right?('Products')).to be true
+    expect(admin.has_right?(product_right)).to be true
+  end
+
+  it '#has_privileges_of?' do
+    expect(admin.has_privileges_of?(basic_user)).to be true
+    expect(basic_user.has_privileges_of?(admin)).to be false
+  end
+
+  context 'when associating rights of other objects' do
+    let(:model1) { Model.create! }
+
+    before do
+      admin_role.rights << model1.right
+    end
+
+    it '#has_access_to?' do
+      expect(admin.has_access_to?(model1)).to be true
+      expect(basic_user.has_access_to?(model1)).to be false
+    end
+  end
+end

data/spec/schema.rb

@@ -0,0 +1,44 @@
+ActiveRecord::Schema.define(:version => 1) do
+  create_table :rights do |t|
+    t.string   :name, :controller, :action, :limit => 150
+    t.timestamps null: true
+  end
+
+  change_table :rights do |t|
+    t.index :action
+    t.index [:controller, :action]
+    t.index :name
+  end
+
+  create_table :rights_roles, :id => false do |t|
+    t.integer :right_id, :role_id
+  end
+
+  change_table :rights_roles do |t|
+    t.index [:right_id, :role_id]
+    t.index [:role_id, :right_id]
+  end
+
+  create_table :roles do |t|
+    t.string  :title
+    t.text    :description
+    t.integer :right_id
+    t.timestamps null: true
+  end
+
+  add_index :roles, :right_id
+
+  create_table :models do |t|
+    t.string  :name
+    t.integer :right_id
+  end
+
+  create_table :users do |t|
+    t.string :name
+  end
+
+  create_table :roles_users do |t|
+    t.integer :role_id, :user_id
+  end
+end
+

data/spec/spec_helper.rb

@@ -0,0 +1,42 @@
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# Require this file using `require "spec_helper.rb"` to ensure that it is only
+# loaded once.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+
+require 'rubygems'
+require 'bundler/setup'
+Bundler.require :default, :test
+
+require 'support/bootstrap'
+require 'support/coverage_loader'
+
+require 'right_on'
+require 'right_on/rails'
+
+RSpec.configure do |config|
+  config.run_all_when_everything_filtered = true
+  config.filter_run :focus
+  config.before :all do
+    RightOn::Right.cache = ActiveSupport::Cache::MemoryStore.new
+  end
+end
+
+DB_FILE = 'tmp/test_db'
+FileUtils.mkdir_p File.dirname(DB_FILE)
+FileUtils.rm_f DB_FILE
+
+ActiveRecord::Base.establish_connection :adapter => 'sqlite3', :database => DB_FILE
+
+load('spec/schema.rb')
+
+RightOn::Right.rights_yaml 'db/rights_roles.yml'
+
+class Model < ActiveRecord::Base
+  restricted_by_right
+end
+
+class User < ActiveRecord::Base
+  include RightOn::RoleModel
+end

data/spec/support/bootstrap.rb

@@ -0,0 +1,15 @@
+class Bootstrap
+  def self.reset_database
+    RightOn::Right.delete_all
+    RightOn::Role.delete_all
+    User.delete_all
+
+    basic_right = RightOn::Right.create!(:name => 'basic', :controller => 'basic')
+    admin_right = RightOn::Right.create!(:name => 'admin', :controller => 'admin')
+    basic_role  = RightOn::Role.create!(:title => 'Basic', :rights => [basic_right])
+    admin_role  = RightOn::Role.create!(:title => 'Admin', :rights => [admin_right])
+
+    User.create!(name: 'basic', roles: [basic_role])
+    User.create!(name: 'admin', roles: [basic_role, admin_role])
+  end
+end