right_on 0.3.0 → 0.4.0

data/lib/right_on/rule.rb

@@ -0,0 +1,51 @@
+module RightOn
+  class Rule
+    def self.rule_for(right)
+      self.new(right).call
+    end
+
+    def initialize(right)
+      @right = right
+    end
+
+    def call
+      validate!
+
+      CanCan::Rule.new(can?, action, subject, conditions, nil)
+    end
+
+    private
+
+    def validate!
+      fail RightOn::Error, 'must specify an action' unless @right.action.present?
+    end
+
+    def can?
+      @right.can
+    end
+
+    def action
+      @right.action.to_sym
+    end
+
+    def subject
+      model_class || @right.subject
+    end
+
+    def conditions
+      model_class ? @right.conditions : nil
+    end
+
+    def model_class
+      return nil unless @right.subject.present?
+
+      begin
+        model_class = self.class.const_get(@right.subject)
+      rescue NameError
+        model_class = Class
+      end
+
+      return model_class if model_class.ancestors.include?(ActiveRecord::Base)
+    end
+  end
+end

data/lib/right_on/version.rb

@@ -1,3 +1,3 @@
 module RightOn
-  VERSION = '0.3.0'
+  VERSION = '0.4.0'
 end

data/right_on.gemspec

@@ -18,8 +18,9 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ["lib"]
 
-  spec.add_dependency 'activerecord', '>= 3.2.0'
-  spec.add_dependency 'activesupport', '>= 3.2.0'
+  spec.add_dependency 'cancancan'
+  spec.add_dependency 'activerecord', '>= 4.0.0'
+  spec.add_dependency 'activesupport', '>= 4.0.0'
   spec.add_dependency 'input_reader', '~> 0.0'
   spec.add_development_dependency 'bundler', '~> 1.3'
   spec.add_development_dependency 'rake'
@@ -27,6 +28,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'coverage-kit'
   spec.add_development_dependency 'simplecov-rcov'
   spec.add_development_dependency 'coveralls'
+  spec.add_development_dependency 'rubocop'
   spec.add_development_dependency 'sqlite3'
   spec.add_development_dependency 'travis'
 end

data/spec/ability_spec.rb

@@ -0,0 +1,29 @@
+require 'active_support/all'
+require 'cancan/ability'
+require 'right_on/error'
+require 'right_on/rule'
+require 'right_on/ability'
+require 'spec_helper'
+
+describe RightOn::Ability do
+  describe 'private #add_rule_for' do
+    subject(:ability) {
+      class TestAbility
+        include RightOn::Ability
+      end
+
+      TestAbility.new
+    }
+    let(:right) {
+      double(name: 'Do Something', can: true, action: 'action', subject: 'subject', conditions: {})
+    }
+
+    before do
+      ability.send(:add_rule_for, right)
+    end
+
+    it 'should add a rule to the ability' do
+      expect(ability.send(:rules).count).to eq(1)
+    end
+  end
+end

data/spec/by_group_spec.rb

@@ -0,0 +1,22 @@
+require 'spec_helper'
+
+RightOn.rights_yaml 'db/rights_roles.yml'
+
+describe RightOn::ByGroup do
+  let(:rights) { Bootstrap.various_rights_with_actions }
+
+  it 'should identify correct groups' do
+    rights # load rights
+    expect(RightOn::ByGroup.rights).to eq(
+      'general' => [
+        rights[:models],
+        rights[:models_index],
+        rights[:models_view],
+        rights[:models_change]
+      ],
+      'admin' => [
+        rights[:users]
+      ]
+    )
+  end
+end

data/spec/controller_additions_spec.rb

@@ -0,0 +1,134 @@
+require 'active_support/all'
+require 'action_controller'
+require 'cancan/ability'
+require 'cancan/controller_additions'
+require 'cancan/exceptions'
+require 'cancan/rule'
+require 'right_on/ability'
+require 'right_on/controller_additions'
+require 'right_on/error'
+require 'right_on/rule'
+require 'active_record'
+require 'spec_helper'
+
+# Mock this so we don't need to include active record
+module RightOn
+  class Right
+    def self.where(args)
+    end
+  end
+end
+
+describe RightOn::ControllerAdditions do
+  let(:rule_override) { false }
+  before do
+    allow(RightOn::Right).to receive(:where).and_return(double(exists?: rule_override))
+  end
+
+  subject(:controller) {
+    class Ability
+      include RightOn::Ability
+
+      def initialize(user)
+
+      end
+    end
+
+    class Controller < ActionController::Base
+      include RightOn::ControllerAdditions
+
+      def rights_from
+        nil
+      end
+
+      private
+
+      def params
+        { controller: 'controller', action: 'action' }
+      end
+
+      def current_user
+        nil
+      end
+    end
+
+    Controller.new
+  }
+
+  describe 'private #authorize_action!' do
+    context 'when the ability has a matching rule' do
+      let(:right) {
+        double(name: 'Do Something', can: true, action: 'access', subject: 'controller#action', conditions: {})
+      }
+
+      before do
+        controller.send(:current_ability).send(:add_rule_for, right)
+      end
+
+      it 'should grant access to controller#action' do
+        expect{controller.send(:authorize_action!)}.to_not(
+          raise_error(CanCan::AccessDenied, 'You are not authorized to access this page.'))
+      end
+    end
+
+    context 'when the ability does not have a matching rule' do
+      let(:right) {
+        double(name: 'Do Something', can: true, action: 'access', subject: 'controller#other_action', conditions: {})
+      }
+
+      before do
+        controller.send(:current_ability).send(:add_rule_for, right)
+      end
+
+      it 'should grant access to controller#action' do
+        expect{controller.send(:authorize_action!)}.to(
+          raise_error(CanCan::AccessDenied, 'You are not authorized to access this page.'))
+      end
+    end
+
+    context 'when the ability has a specific rule overriding the general rule' do
+      let(:rule_override) { true }
+      let(:right) {
+        double(name: 'Generic', can: true, action: 'access', subject: 'controller', conditions: {})
+      }
+
+      before do
+        controller.send(:current_ability).send(:add_rule_for, right)
+      end
+
+      it 'should not grant access to controller#action' do
+        expect{controller.send(:authorize_action!)}.to(
+          raise_error(CanCan::AccessDenied, 'You are not authorized to access this page.'))
+      end
+    end
+  end
+
+  describe 'private #authorize_action!' do
+    let(:controller) {
+      class Controller < ActionController::Base
+        def rights_from
+          :other_controller
+        end
+
+        private
+
+        def params
+          { controller: 'controller', action: 'action' }
+        end
+
+        def current_user
+          nil
+        end
+      end
+
+      Controller.new
+    }
+
+    context 'when rights from is a symbol' do
+      specify do
+        expect{controller.send(:authorize_action!)}.to(
+          raise_error(CanCan::AccessDenied, 'You are not authorized to access this page.'))
+      end
+    end
+  end
+end

data/spec/{permission_defnied_spec.rb → permission_denied_response_spec.rb}

@@ -5,9 +5,8 @@ describe RightOn::PermissionDeniedResponse do
   let(:params) { { controller: 'users' } }
   subject { RightOn::PermissionDeniedResponse.new(params, controller_action_options) }
 
-  let(:allowed) {
-    double(name: 'create_user', allowed?: true, roles: [double(title: 'Users')])
-  }
+  let(:create_user_right) { double(name: 'create_user', allowed?: true, roles: [double(title: 'Users')]) }
+  let(:allowed) { double(allowed?: true) }
   let(:denied) { double(allowed?: false) }
 
   let(:no_right_for_page) {
@@ -17,12 +16,13 @@ describe RightOn::PermissionDeniedResponse do
   let(:no_roles_for_page) { 'N/A (as no right is assigned for this action)' }
 
   before do
-    stub_const 'RightOn::Right', double(all: [right])
+    stub_const 'RightOn::RightAllowed', double(new: right_allowed)
+    stub_const 'RightOn::Right', double(all: [create_user_right])
   end
 
   context '#text_message' do
     context 'when right exists' do
-      let(:right) { allowed }
+      let(:right_allowed) { allowed }
 
       specify {
         expect(subject.text_message).to eq(
@@ -35,14 +35,14 @@ describe RightOn::PermissionDeniedResponse do
     end
 
     context 'when right not allowed' do
-      let(:right) { denied }
+      let(:right_allowed) { denied }
       specify { expect(subject.text_message).to eq no_right_for_page }
     end
   end
 
   context '#to_json' do
     context 'when right exists' do
-      let(:right) { allowed }
+      let(:right_allowed) { allowed }
       specify {
         expect(subject.to_json).to eq(
           error: 'Permission Denied',
@@ -53,7 +53,7 @@ describe RightOn::PermissionDeniedResponse do
     end
 
     context 'when right allowed' do
-      let(:right) { denied }
+      let(:right_allowed) { denied }
       specify {
         expect(subject.to_json).to eq(
           error: 'Permission Denied',

data/spec/right_allowed_spec.rb

@@ -0,0 +1,89 @@
+require 'active_record'
+require 'active_support/cache/memory_store'
+require 'right_on/right'
+require 'right_on/right_allowed'
+require 'spec_helper'
+require 'support/bootstrap'
+
+describe RightOn::RightAllowed do
+  def right_double(name)
+    default_attrs = { id: rand(1_000_000), action: nil }
+    double default_attrs.merge(Bootstrap.build_right_attrs(name))
+  end
+
+  let(:cache) { ActiveSupport::Cache::MemoryStore.new }
+
+  before do
+    stub_const 'Rails', double(cache: cache)
+    RightOn::RightAllowed.clear_cache
+    stub_const 'RightOn::Right', double(all: all)
+  end
+
+  context 'for simple case with one controller right' do
+    let(:all) { [users] }
+    let(:users) { right_double('users') }
+
+    subject { RightOn::RightAllowed.new('users', action).allowed?(users) }
+
+    context 'index action' do
+      let(:action) { 'index' }
+      it { is_expected.to be true }
+    end
+
+    context 'edit action' do
+      let(:action) { 'edit' }
+      it { is_expected.to be true }
+    end
+
+    context 'hello action' do
+      let(:action) { 'hello' }
+      it { is_expected.to be true }
+    end
+  end
+
+  context 'for complex rights' do
+    let(:all) { [other, index, change, view] }
+
+    let(:index_action) { RightOn::RightAllowed.new('models', 'index') }
+    let(:edit_action)  { RightOn::RightAllowed.new('models', 'edit')  }
+    let(:hello_action) { RightOn::RightAllowed.new('models', 'hello') }
+
+    let(:other)  { right_double('models') }
+    let(:index)  { right_double('models#index') }
+    let(:change) { right_double('models#change') }
+    let(:view)   { right_double('models#view') }
+
+    context 'index action' do
+      specify do
+        # as specific action exists
+        expect(index_action.allowed?(other)).to eq false
+
+        expect(index_action.allowed?(index)).to eq true
+        expect(index_action.allowed?(view)).to eq true
+        expect(index_action.allowed?(change)).to eq true
+      end
+    end
+
+    context 'edit action' do
+      specify do
+        # as specific action exists
+        expect(edit_action.allowed?(other)).to eq false
+
+        expect(edit_action.allowed?(index)).to eq false
+        expect(edit_action.allowed?(view)).to eq false
+        expect(edit_action.allowed?(change)).to eq true
+      end
+    end
+
+    context 'hello action' do
+      specify do
+        # as hello isn't defined
+        expect(hello_action.allowed?(other)).to eq true
+
+        expect(hello_action.allowed?(index)).to eq false
+        expect(hello_action.allowed?(view)).to eq false
+        expect(hello_action.allowed?(change)).to eq false
+      end
+    end
+  end
+end

data/spec/right_on_spec.rb

@@ -1,139 +1,86 @@
 require 'spec_helper'
 
-describe User do
-  let(:basic_user) { User.where(name: 'basic').first }
-  let(:admin_user) { User.where(name: 'admin').first }
-
-  before do
-    Bootstrap.reset_database
-  end
-
-  it 'should compare privileges' do
-    expect(admin_user.has_privileges_of?(basic_user)).to eq true
-    expect(basic_user.has_privileges_of?(admin_user)).to eq false
-  end
-end
-
 describe RightOn::Right do
-  before do
-    RightOn::Right.delete_all
-    Model.delete_all
-
-    @model = Model.create!(:name => 'Test')
-
-    @users  = RightOn::Right.create!(:name => 'users', :controller => 'users')
-    @other  = RightOn::Right.create!(:name => 'models', :controller => 'models')
-    @index  = RightOn::Right.create!(:name => 'models#index', :controller => 'models', :action => 'index')
-    @change = RightOn::Right.create!(:name => 'models#change', :controller => 'models', :action => 'change')
-    @view   = RightOn::Right.create!(:name => 'models#view', :controller => 'models', :action => 'view')
-  end
+  let(:rights) { Bootstrap.various_rights_with_actions }
+  let(:users)  { rights[:users] }
+  let(:other)  { rights[:models] }
+  let(:index)  { rights[:models_index] }
+  let(:change) { rights[:models_change] }
+  let(:view)   { rights[:models_view] }
 
   it 'should display nicely with sensible_name and to_s' do
-    expect(@other.to_s).to eq 'models'
-    expect(@index.to_s).to eq 'models#index'
-
-    expect(@other.sensible_name).to eq 'Models'
-    expect(@index.sensible_name).to eq 'Models - Index'
-  end
+    expect(other.to_s).to eq 'models'
+    expect(index.to_s).to eq 'models#index'
 
-  it 'should identify correct groups' do
-    expect(RightOn::Right.by_groups).to eq(
-      'general' => [@other, @index, @view, @change],
-      'admin' => [@users]
-    )
-  end
-
-  it 'should determine if it is allowed based on context' do
-    index_action = {:controller => 'models', :action => 'index'}
-    edit_action  = {:controller => 'models', :action => 'edit'}
-    hello_action = {:controller => 'models', :action => 'hello'}
-
-    expect(@users.allowed?(:controller => 'users', :action => 'index')).to eq true
-    expect(@users.allowed?(:controller => 'users', :action => 'edit' )).to eq true
-    expect(@users.allowed?(:controller => 'users', :action => 'hello')).to eq true
-
-    expect(@other.allowed?(index_action)).to eq false # as specific action exists
-    expect(@other.allowed?(edit_action )).to eq false # as specific action exists
-    expect(@other.allowed?(hello_action)).to eq true # as hello isn't defined
-
-    expect(@index.allowed?(index_action)).to eq true
-    expect(@index.allowed?(edit_action )).to eq false
-    expect(@index.allowed?(hello_action)).to eq false
-
-    expect(@view.allowed?(index_action)).to eq true
-    expect(@view.allowed?(edit_action )).to eq false
-    expect(@view.allowed?(hello_action)).to eq false
-
-    expect(@change.allowed?(index_action)).to eq true
-    expect(@change.allowed?(edit_action )).to eq true
-    expect(@change.allowed?(hello_action)).to eq false
+    expect(other.sensible_name).to eq 'Models'
+    expect(index.sensible_name).to eq 'Models - Index'
   end
 end
 
-describe RightOn::Right, "when created" do
-  it "should validate presence of name" do
+describe RightOn::Right, 'when created' do
+  it 'should validate presence of name' do
     subject.valid?
     expect(subject.errors[:name]).to_not be_blank
   end
 end
 
-describe RightOn::Right, "with a name and controller" do
+describe RightOn::Right, 'with a name and controller' do
   before do
-    @new_right = RightOn::Right.new(:name => "tickets", :controller => "tickets")
+    @new_right = RightOn::Right.new(name: 'tickets', controller: 'tickets')
     @new_right.save!
   end
 
-  it "should create a new right" do
-    expect(@new_right.name).to eq "tickets"
-    expect(@new_right.controller).to eq "tickets"
+  it 'should create a new right' do
+    expect(@new_right.name).to eq 'tickets'
+    expect(@new_right.controller).to eq 'tickets'
     expect(@new_right.save).to eq true
   end
 
 end
 
-describe RightOn::Right, "with a name, controller and action" do
+describe RightOn::Right, 'with a name, controller and action' do
   before do
-    @new_right = RightOn::Right.new(:name => "tickets@destroy", :controller => "tickets", :action => "destroy")
+    @new_right = RightOn::Right.new(name: 'tickets@destroy', controller: 'tickets', action: 'destroy')
   end
 
-  it "should create a new right" do
-    expect(@new_right.name).to eq "tickets@destroy"
-    expect(@new_right.controller).to eq "tickets"
-    expect(@new_right.action).to eq "destroy"
+  it 'should create a new right' do
+    expect(@new_right.name).to eq 'tickets@destroy'
+    expect(@new_right.controller).to eq 'tickets'
+    expect(@new_right.action).to eq 'destroy'
     expect(@new_right.save).to eq true
   end
 end
 
-describe RightOn::Right, "with only a name" do
+describe RightOn::Right, 'with only a name' do
   before do
-    @new_right = RightOn::Right.new(:name => "tickets2")
+    @new_right = RightOn::Right.new(name: 'tickets2')
   end
 
-  it "should create a new right" do
+  it 'should create a new right' do
     expect(@new_right.save).to eq true
   end
 end
 
-describe RightOn::Right, "with the same name" do
+describe RightOn::Right, 'with the same name' do
   before do
-    @old_right = RightOn::Right.new(:name => "tickets3", :controller => "tickets")
+    @old_right = RightOn::Right.new(name: 'tickets3', controller: 'tickets')
     @old_right.save!
-    @new_right = RightOn::Right.new(:name => "tickets3", :controller => "tickets")
+    @new_right = RightOn::Right.new(name: 'tickets3', controller: 'tickets')
   end
 
-  it "should not create a new right" do
+  it 'should not create a new right' do
     expect(@new_right.save).to eq false
   end
 end
 
-describe RightOn::Role, "can have many rights" do
-  let(:role1) { RightOn::Role.new(:title => 'role 1') }
+describe RightOn::Role, 'can have many rights' do
+  let(:role1) { RightOn::Role.new(title: 'role 1') }
 
   specify { expect(role1.to_s).to eq 'Role 1' }
 
   context 'when assigned rights' do
-    let(:right1) { RightOn::Right.create!(:name => 'right 1') }
-    let(:right2) { RightOn::Right.create!(:name => 'right 2') }
+    let(:right1) { RightOn::Right.create!(name: 'right 1') }
+    let(:right2) { RightOn::Right.create!(name: 'right 2') }
 
     before do
       role1.save!
@@ -146,45 +93,10 @@ describe RightOn::Role, "can have many rights" do
       right2.destroy
     end
 
-    it "should have and belong to many" do
+    it 'should have and belong to many' do
       expect(role1.rights.size).to eq 2
       expect(right1.roles.size).to eq 1
       expect(right2.roles.size).to eq 1
     end
   end
 end
-
-describe 'when checking accessibility to a controller' do
-
-  let(:test_controller_right) { RightOn::Right.new(name: 'test', controller: 'test') }
-  let(:user) { double(rights: [test_controller_right]) }
-  let(:controller) { 'test' }
-  let(:action) { 'index' }
-  let(:params) { {controller: 'test', action: 'index'} }
-
-  before do
-    stub_const 'TestController', double(current_user: user, params: params)
-    TestController.extend RightOn::ActionControllerExtensions
-    allow(TestController).to receive(:rights_from).and_return(nil)
-  end
-
-  specify { expect(TestController.access_allowed?(controller)).to be_truthy }
-  specify { expect(TestController.access_allowed?('other')).to be_falsey }
-  specify { expect(TestController.access_allowed_to_controller?(controller)).to be_truthy }
-  specify { expect(TestController.access_allowed_to_controller?('other')).to be_falsey }
-
-  describe 'when inheriting rights' do
-    let(:controller) { 'test_inherited' }
-
-    before do
-      stub_const 'TestInheritedController', double(current_user: user, params: params)
-      TestInheritedController.extend RightOn::ActionControllerExtensions
-      allow(TestInheritedController).to receive(:rights_from).and_return(:test)
-    end
-
-    specify { expect(TestInheritedController.access_allowed?(controller)).to be_falsey }
-    specify { expect(TestInheritedController.access_allowed?('other')).to be_falsey }
-    specify { expect(TestInheritedController.access_allowed_to_controller?(controller)).to be_truthy }
-    specify { expect(TestInheritedController.access_allowed_to_controller?('other')).to be_falsey }
-  end
-end