righter 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 3ac85163e735cd9d03caa544ba91b6d88539d9b6
+  data.tar.gz: 65bc2c981b1e7f5c149e03137b4aeb687259a929
+SHA512:
+  metadata.gz: e3e2cb186084e75d40995114023d84f625b6fbada0fa8aed906c255cefe294ea6d1c1b7691749e169fa4e64e9b9930e9b7ec87073eaa5f930061b4f00ca40f97
+  data.tar.gz: 0fb265cd1658460b5c2ddeab122008892326130527bda696b21b73d9eccf0fbc299e17b8b7c6d4581a9b2c9ffe2cc33c543f48be287cd1af37f1c88ef79b0dc6

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2015 adamliesko
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,28 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'Righter'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+Bundler::GemHelper.install_tasks
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+task default: :test

data/app/models/righter_right.rb

@@ -0,0 +1,75 @@
+class RighterRight < ActiveRecord::Base
+  has_many :righter_rights_righter_roles, dependent: :destroy
+  has_many :righter_roles, -> { uniq }, through: :righter_rights_righter_roles
+  belongs_to :parent, class_name: 'RighterRight', foreign_key: :parent_id
+
+  scope :top_level_rights, lambda {
+    where parent_id: nil
+  }
+
+  scope :visible, lambda {
+    where hidden: [false, nil]
+  }
+
+  serialize :actions, Array
+  validates :name, uniqueness: true
+
+  after_save do
+    RighterRight.clear_cache
+  end
+
+  after_create do
+    RighterRight.clear_cache
+  end
+
+  after_destroy do
+    RighterRight.clear_cache
+  end
+
+  @@cache = nil
+
+  def self.load_cache
+    unless @@cache
+      @@cache = {}
+      RighterRight.find_each do |right|
+        @@cache[right.name.to_sym] = right
+      end
+    end
+  end
+
+  def self.cached_find_by_name(name)
+    load_cache
+    @@cache[name.to_sym]
+  end
+
+  def self.clear_cache
+    @@cache = nil
+  end
+
+  validate :validate_cycles
+
+  def validate_cycles(receiver = nil)
+    return unless parent_id
+    if receiver
+      if parent == receiver
+        receiver.errors.add :righter_right, "disallowed to create loops, collision with RighterRight #{name}"
+      else
+        parent.validate_cycles receiver
+      end
+    else
+      parent.validate_cycles self
+    end
+  end
+
+  def add_access_to(opts = {})
+    fail RighterError.new('controller cannot be nil') unless opts[:controller]
+    fail RighterError.new('actions should be in form of an array') unless opts[:actions].class == Array
+    self.controller = opts[:controller]
+    self.actions = opts[:actions]
+    save!
+  end
+
+  def children
+    self.class.where parent_id: id
+  end
+end

data/app/models/righter_rights_righter_role.rb

@@ -0,0 +1,4 @@
+class RighterRightsRighterRole < ActiveRecord::Base
+  belongs_to :righter_right
+  belongs_to :righter_role
+end

data/app/models/righter_role.rb

@@ -0,0 +1,82 @@
+class RighterRole < ActiveRecord::Base
+  has_many :righter_rights_righter_roles, dependent: :destroy
+  has_many :righter_rights, through: :righter_rights_righter_roles
+  has_many :righter_role_grants, dependent: :destroy
+  has_many :grantable_righter_roles, -> { uniq }, through: :righter_role_grants
+
+  validates :name, :human_name, uniqueness: true, presence: true
+
+  scope :visible, lambda {
+    where hidden: [false, nil]
+  }
+
+  after_destroy do
+    RighterRoleGrant.where(righter_role_id: id).destroy_all
+    RighterRoleGrant.where(grantable_righter_role_id: id).destroy_all
+  end
+
+  def add_right(right)
+    unless right.is_a?(RighterRight)
+      fail RighterError.new("RighterRole.add_right accepts only RighterRight instance as input (provided :#{right.class.inspect})")
+    end
+    righter_rights << right unless righter_rights.include?(right)
+    save!
+
+    if right.parent
+      add_right right.parent unless righter_rights.include?(right.parent)
+    end
+  end
+
+  def add_self_and_child_rights(right)
+    add_right right
+    right.children.each { |r| add_self_and_child_rights r }
+  end
+
+  def remove_right(right)
+    unless right.is_a?(RighterRight)
+      fail RighterError.new("RighterRole.remove_right accepts only RighterRight instance as input (provided :#{right.class.inspect})")
+    end
+
+    righter_rights.delete right
+
+    right.children.each do |child_r|
+      remove_right child_r
+    end
+  end
+
+  def allow_to_grant_role(role)
+    grantable_righter_roles << role unless grantable_righter_roles.include?(role)
+  end
+
+  def disallow_to_grant_role(role)
+    grantable_righter_roles.destroy(role)
+  end
+
+  def disallow_all_granted_roles
+    grantable_righter_roles.destroy_all
+  end
+
+  alias_method :grantable_roles, :grantable_righter_roles
+
+  def create_or_update_with_grants(name, human_name, granted_role_names)
+    passed_validation = false
+
+    self.name = name
+    self.human_name = human_name
+    self.class.transaction do
+      if save
+        passed_validation = true
+
+        disallow_all_granted_roles
+        if granted_role_names
+          granted_role_names.each do |role_name|
+            role_to_grant = self.class.find_by_name role_name # this is badly inneficient
+            allow_to_grant_role role_to_grant if role_to_grant
+          end
+        end
+      end
+    end
+
+    passed_validation
+  end
+end

data/app/models/righter_role_grant.rb

@@ -0,0 +1,7 @@
+class RighterRoleGrant < ActiveRecord::Base
+  belongs_to :righter_role
+  belongs_to :grantable_righter_role, class_name: 'RighterRole'
+
+  validates :righter_role_id, presence: true
+  validates :grantable_righter_role_id, presence: true
+end

data/app/models/righter_roles_user.rb

@@ -0,0 +1,2 @@
+class RighterRolesUser < ActiveRecord::Base
+end

data/db/migrate/20150910000000_create_righter_rights.rb

@@ -0,0 +1,21 @@
+class CreateRighterRights < ActiveRecord::Migration
+  def self.up
+    create_table :righter_rights do |t|
+      t.string :name
+      t.string :human_name
+      t.string :controller
+      t.integer :resource_id
+      t.string :resource_class
+      t.text :actions
+      t.integer :parent_id
+      t.boolean :hidden, default: false
+      t.timestamps null: false
+    end
+
+    add_index :righter_rights, :parent_id, name: 'index_rr_on_pid'
+  end
+
+  def self.down
+    drop_table :righter_rights
+  end
+end

data/db/migrate/20150910000001_create_righter_roles.rb

@@ -0,0 +1,20 @@
+class CreateRighterRoles < ActiveRecord::Migration
+  def self.up
+    create_table :righter_roles do |t|
+      t.string :name
+      t.string :human_name
+      t.boolean :hidden, default: false
+      t.timestamps null: false
+    end
+
+    create_table :righter_role_grants do |t|
+      t.integer :righter_role_id
+      t.integer :grantable_righter_role_id
+    end
+  end
+
+  def self.down
+    drop_table :righter_roles
+    drop_table :righter_role_grants
+  end
+end

data/db/migrate/20150910000002_righter_roles_righter_access_rights.rb

@@ -0,0 +1,14 @@
+class RighterRolesRighterAccessRights < ActiveRecord::Migration
+  def self.up
+    create_table :righter_rights_righter_roles do |t|
+      t.integer :righter_role_id
+      t.integer :righter_right_id
+    end
+
+    add_index :righter_rights_righter_roles, [:righter_role_id, :righter_right_id], name: 'index_ir_on_iroi_irii'
+  end
+
+  def self.down
+    drop_table :righter_rights_righter_roles
+  end
+end

data/db/migrate/20150910000003_create_righter_roles_users.rb

@@ -0,0 +1,14 @@
+class CreateRighterRolesUsers < ActiveRecord::Migration
+  def self.up
+    create_table :righter_roles_users do |t|
+      t.integer :righter_role_id
+      t.integer :user_id
+    end
+
+    add_index :righter_roles_users, [:user_id, :righter_role_id], name: 'index_rr_on_ui_rroi'
+  end
+
+  def self.down
+    drop_table :righter_roles_users
+  end
+end

data/lib/init.rb

@@ -0,0 +1 @@
+require "#{File.dirname(__FILE__)}/righter.rb"

data/lib/injections/righter_for_application_controller.rb

@@ -0,0 +1,31 @@
+module RighterForApplicationController
+  def self.included(controller_klass)
+    controller_klass.before_filter :enforce_righter
+  end
+
+  def enforce_righter
+    u = righter_user
+    fail RighterNoUserError.new unless u
+    c = params[:controller].to_sym
+    a = params[:action].to_sym
+    unless u.righter_accessible?(controller: c, action: a)
+      fail RighterError.new("user #{u.login} is trying to reach prohibited content: #{c}/#{a}")
+    end
+  end
+
+  def enforce_resource_security(right_name, resource, options = {}) # currently need to call this manually as soon as the instance of the resource is retrieved in the controller action
+    u = righter_user
+    fail RighterNoUserError.new unless u
+
+    options.merge!(resource: resource, right: right_name)
+    unless u.righter_accessible?(options)
+      fail RighterError.new("user #{u.login} is not authorized to '#{right_name}' resource #{resource.inspect}")
+    end
+  end
+
+  # Override this method in your application
+  # @return [User]
+  def righter_user
+    User.current_user
+  end
+end

data/lib/injections/righter_for_resource.rb

@@ -0,0 +1,110 @@
+module RighterForResource
+  extend ActiveSupport::Concern
+
+  included do
+    extend ClassMethodsForActiveRecord if ancestors.include?(ActiveRecord::Base)
+  end
+
+  module ClassMethods
+    def create_righter_right(right_name_prefix, options = {})
+      options[:resource] = self unless options[:resource].present?
+      resource = options[:resource]
+      if options[:parent_right]
+        if options[:parent_right].is_a? Proc
+          parent_right = options[:parent_right].call(resource)
+        else
+          parent_right = options[:parent_right]
+        end
+
+        parent = RighterRight.cached_find_by_name(parent_right) if parent_right
+      end
+
+      right = RighterRight.create(name: right_name(right_name_prefix, options),
+                                  resource_class: resource.righter_right_resource_class,
+                                  resource_id: resource.righter_right_resource_id,
+                                  hidden: false,
+                                  parent: parent,
+                                  human_name: resource.righter_right_human_name(right_name_prefix))
+
+      if options[:auto_associate_roles]
+        options[:auto_associate_roles].each do |role_name|
+          role = RighterRole.find_by_name(role_name)
+          role.add_right(right)
+        end
+      end
+      right
+    end
+
+    def destroy_righter_right(right_name_prefix, options = {})
+      righter_right(right_name_prefix, options).destroy
+    end
+
+    def righter_right(right_name_prefix, options = {})
+      RighterRight.cached_find_by_name(right_name(right_name_prefix, options))
+    end
+
+    def righter_right_resource_class
+      name # name of the class
+    end
+
+    def righter_right_resource_id
+      nil # class resources have no explicit ID
+    end
+
+    def righter_right_human_name(right_name_prefix)
+      "#{right_name_prefix} #{righter_right_resource_class} #{righter_right_resource_id}"
+    end
+
+    private
+
+    def right_name(right_name_prefix, options = {})
+      unless right_name_prefix.present?
+        fail RighterArgumentError.new('No prefix for righter_right name provided...')
+      end
+      resource = options[:resource]
+      resource ||= self
+      resource_class = resource.righter_right_resource_class
+      resource_id = resource.righter_right_resource_id
+      resource_id.present? ? "#{right_name_prefix}_#{resource_class}_#{resource_id}" : "#{right_name_prefix}_#{resource_class}"
+    end
+  end
+
+  def create_righter_right(right_name_prefix, options = {})
+    options = options.merge(resource: self)
+    self.class.create_righter_right(right_name_prefix, options)
+  end
+
+  def destroy_righter_right(right_name_prefix, options = {})
+    options = options.merge(resource: self)
+    self.class.destroy_righter_right(right_name_prefix, options)
+  end
+
+  def righter_right(right_name_prefix, options = {})
+    options = options.merge(resource: self)
+    self.class.righter_right(right_name_prefix, options)
+  end
+
+  def righter_right_resource_class
+    self.class.name
+  end
+
+  def righter_right_resource_id
+    return id if respond_to?(:id)
+    fail RighterError.new("Don't know how to compute instance_id for resource role. Please implement righter_right_resource_id method for this resource.")
+  end
+
+  def righter_right_human_name(right_name_prefix)
+    "#{right_name_prefix} #{righter_right_resource_class} #{righter_right_resource_id}"
+  end
+
+  module ClassMethodsForActiveRecord
+    def auto_manage_righter_right(right_name_prefix, options = {})
+      unless right_name_prefix.present?
+        fail RighterArgumentError.new('No prefix for autocreated right name provided...')
+      end
+
+      after_create { create_righter_right(right_name_prefix, options) } # called on instance level
+      before_destroy { destroy_righter_right(right_name_prefix, options) } # called on instance level
+    end
+  end
+end