role-auth 0.1.9

data/lib/role-auth/checker.rb

@@ -0,0 +1,46 @@
+module RoleAuth
+
+  # The Checker class checks the permissions of the current User.
+  # It is accessable via RoleAuth.checker.
+  class Checker
+
+    Alias = {:destroy => :delete, :index => :list, :show => :read, :new => :create, :edit => :update}
+
+    # @param [Parser] parser The parser
+    # @param [String] eval_string The ruby code for checking the defined tasks
+    def initialize(parser,eval_string)
+      @parser = parser
+      # puts eval_string
+      instance_eval(eval_string)
+    end
+
+    # Attribute accessor
+    #
+    # @return [Hash] The Hash representation of the defined roles
+    def roles ; @parser.roles; end
+
+    def can?(task, object, options = {}, user = User.current)
+      raise ArgumentError, 'User is missing. Did you forget to set User.current?' unless user
+      self.send(Alias[task] || task, user, object, options)
+    end
+
+    def is?(role_name, options, user = User.current)
+      role_definition = @parser.roles[role_name]
+      child_roles = role_definition[:descendants].dup << role_name
+
+      # Check the :on parameter
+      return false if options[:on] && role_definition[:on] && options[:on].class != role_definition[:on]
+
+      user.roles.any? do |role|
+        child_roles.include?(role.name.to_sym) && ( !role_definition[:on] || !role.type || (role.type == role_definition[:on].to_s && options[:on] && (role.object_id.nil? || role.object_id == options[:on].id)))
+      end
+    end
+
+    private
+
+    def method_missing(name, *args)
+      file = caller.find{|line| line !~ /lib\/role-auth/}
+      puts "RoleAuth warning: Task #{name} hasn't been defined but you tried to access it in #{file}"
+    end
+  end
+end

data/lib/role-auth/parser.rb

@@ -0,0 +1,250 @@
+module RoleAuth
+
+  # Within the Parser class your authorization file will be evaled.
+  class Parser
+    attr_reader :tasks, :restrictions, :permissions, :roles
+
+    DEFAULT_TASKS = [:create, :update, :delete, :list, :read]
+
+    # @param [File] authorization_file The authorization file which will be evaled.
+    def initialize(authorization_file)
+      @permissions = Hash.new {|h,k| h[k] = (Hash.new {|h,k| h[k] = {}})}
+      @restrictions = Hash.new {|h,k| h[k] = (Hash.new {|h,k| h[k] = {}})}
+      @tasks, @roles = {}, {}
+
+      DEFAULT_TASKS.each {|t| task(t)}
+      instance_eval(authorization_file.read)
+      process_roles
+      process_tasks
+    end
+
+    # Define a new role which can be given to a user.
+    #
+    # @example
+    # role :moderator, :on => Site do
+    #   is :user
+    #   can :moderate, Comment
+    # end
+    #
+    # @param [Symbol] name The name of the Role.
+    # @param [Hash] options
+    # @option options [Class] :on The Role will be bound to instances of the given Class.
+    # @yield Defines the details of the role
+    def role(name, options = {})
+      @roles[name] = options.merge(:name => name, :is => [], :descendants => [])
+      @role = InternalRole.new(name,options)
+      yield if block_given?
+      @role = nil
+    end
+
+    # Define parent roles for the current role.
+    # The current role will behave exactly like the given roles.
+    #
+    # Can only be called within a role block.
+    #
+    # @example define many parents
+    # is :moderator, :author, :user
+    #
+    # @param [Symbol, ...] parent_roles
+    def is(*parent_roles)
+      @roles[@role.name][:is] += parent_roles
+    end
+
+    # Define a permission for the current role.
+    #
+    # Can only be called within a role block.
+    #
+    # @example Author permissions
+    # can :delete, :update, Post, :if => [%{ !post.published }, only_changed(:content)]
+    # can :create, Post, :if => %{ !post.published }
+    #
+    # @example alternative definition
+    # task :update_and_delete_unpublished, :is => [:delete, :update], :if => %{ !post.published }
+    # can :update_and_delete_unpublished, Post, if => only_changed(:content)
+    # can :create, Post, :if => %{ !post.published }
+    #
+    # @overload can(*tasks, *classes, options = {})
+    #   @param [Symbol, ...] tasks One or more tasks to bind the permission to
+    #   @param [Class, ...] classes One or more classes to bind the permission to
+    #   @param [Hash] options
+    def can(*args)
+      add_permission(@permissions, *args)
+    end
+
+    # Define a restriction ( a negative permission ) for the current role.
+    #
+    # Can only be called within a role block.
+    #
+    # @example
+    # can_not :delete, Post
+    #
+    # @see #can Argument details and further examples
+    def can_not(*args)
+      args.last.is_a?(Hash) ? args.last[:restriction]= true : args << {:restriction => true}
+      add_permission(@restrictions, *args)
+    end
+
+    # Define a new task.
+    #
+    # @example Define an entirely new task
+    # task :push
+    #
+    # @example Define a publish task
+    # task :publish, :is => :update, :if => only_changed(:published)
+    #
+    # @example Define a joined manage task
+    # task :manage, :is => [:update, :create, :delete]
+    #
+    # @see #can More examples for the :if option
+    # @see DEFAULT_TASKS Default tasks
+    #
+    # @param [Symbol] name The name of the task.
+    # @param [Hash] options
+    # @option options [Symbol, Array<Symbol>] :is Optional parent tasks. The options of the parents will be inherited.
+    # @option options [String, Hash, Array<String,Hash>] :if The conditions for this task.
+    def task(name, options = {})
+      options[:is] = options[:is].is_a?(Array) ? options[:is] : [options[:is]].compact
+      @tasks[name] = Task.new(name,options)
+    end
+
+    # Define fields that can be changed by the current user.
+    # Use this on an :if attribute of #can, #can_not, #task.
+    #
+    # @see #task Usage examples with a task definition
+    #
+    # @return [Hash] An internal representation
+    def only_changed(*fields)
+      {:change => fields}
+    end
+
+    # Restrict access to the owner of the object.
+    # Use this on an :if attribute of #can, #can_not, #task.
+    def is_owner
+      "object.user_id == user.id"
+    end
+
+    protected
+
+    # Creates an internal Permission
+    #
+    # @param [Hash] target Either the permissions or the restrictions hash
+    # @param [Array] args The function arguments to the #can, #can_not methods
+    def add_permission(target, *args)
+      raise '#can and #can_not have to be used inside a role block' unless @role
+      options = args.last.is_a?(Hash) ? args.pop : {}
+      tasks = []
+      models = []
+
+      models << args.pop if args.last == :any
+      args.each {|arg| arg.is_a?(Symbol) ? tasks << arg : models << arg}
+
+      tasks.each do |task|
+        models.each do |model|
+          if permission = target[task][model][@role]
+            permission.load_options(options)
+          else
+            target[task][model][@role] = Permission.new(@role, task, model, options)
+          end
+        end
+      end
+    end
+
+    # Flattens the tasks. It sets the ancestors and the alternative tasks
+    def process_tasks
+      @tasks.each_value do |task|
+        task.options[:ancestors] = []
+        set_ancestor_tasks(task)
+        set_alternative_tasks(task) if @permissions.key? task.name
+      end
+    end
+
+    # Set the ancestors on task.
+    #
+    # @param [Task] task The task for which the ancestors are set
+    # @param [Task] ancestor The ancestor to process. This is the recursive parameter
+    def set_ancestor_tasks(task, ancestor = nil)
+      task.options[:ancestors] += (ancestor || task).options[:is]
+      (ancestor || task).options[:is].each do |parent_task|
+        set_ancestor_tasks(task, @tasks[parent_task])
+      end
+    end
+
+    # Set the alternatives of the task.
+    # Alternatives are the nearest ancestors, which are used in permission definitions.
+    #
+    # @param [Task] task The task for which the alternatives are set
+    # @param [Task] ancestor The ancestor to process. This is the recursive parameter
+    def set_alternative_tasks(task, ancestor = nil)
+      (ancestor || task).options[:is].each do |task_name|
+        if @permissions.key? task_name
+          (@tasks[task_name].options[:alternatives] ||= []) << task.name
+        else
+          set_alternative_tasks(task, @tasks[task_name])
+        end
+      end
+    end
+
+    # Flattens the roles. It sets all descendants of a role.
+    def process_roles
+      @roles.each_value {|role| set_descendant_roles(role)}
+    end
+
+    # Set the descendant_role as a descendant of the ancestor
+    def set_descendant_roles(descendant_role, ancestor_role = nil)
+      role = ancestor_role || descendant_role
+      return unless role[:is]
+
+      role[:is].each do |role_name|
+        (@roles[role_name][:descendants] ||= []) << descendant_role[:name]
+        set_descendant_roles(descendant_role, @roles[role_name])
+      end
+    end
+
+    # InternalRole because otherwise it might conflict with other Role classes
+    InternalRole = Struct.new('InternalRole', :name, :options)
+    Task = Struct.new('Task', :name, :options)
+
+    class Permission
+      attr_reader :role, :task, :model, :options
+      def initialize(role, task, model, options)
+        @role, @task, @model = role, task, model
+        @options = Hash.new {|h,k| h[k]=[]}
+        @options[:if] = Hash.new {|h,k| h[k]=[]}
+
+        load_options(options)
+        load_options(@role.options)
+      end
+
+      def load_options(options)
+        return unless options.is_a? Hash
+        [:on].each do |key|
+          @options[key] << options[key] if options.key? key
+        end
+        add_if(options[:if])
+      end
+
+      def add_if(options)
+        case options
+        when Hash then @options[:if].update(options)
+        when Array then options.each { |entry| add_if(entry) }
+        when String then @options[:if][:string] << options
+        end
+      end
+
+      # Load the options of the task and all ancestor tasks.
+      # The tasks are not necessarily accessable at the creation of the permission.
+      #
+      # @param parser[Parser] the parser which provides the tasks
+      def load_task_options(parser)
+        return if @loaded_task_options || parser.tasks[@task].nil?
+        load_options(parser.tasks[@task].options)
+        parser.tasks[@task].options[:ancestors].each do |task|
+          load_options(parser.tasks[task].options)
+        end
+        @loaded_task_options = true
+      end
+
+    end
+
+  end
+end

data/lib/role-auth/version.rb

@@ -0,0 +1,3 @@
+module RoleAuth
+  VERSION="0.1.9"
+end

data/role-auth.gemspec

@@ -0,0 +1,28 @@
+# -*- encoding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'role-auth/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "role-auth"
+  spec.version       = RoleAuth::VERSION
+  spec.authors       = ["Jonas von Andrian"]
+  spec.email         = ["jvadev@gmail.com"]
+  spec.description   = %q{Rolebased authorization}
+  spec.summary       = %q{Compatible with dm and merb. Compiles into Ruby statements}
+  spec.homepage      = "http://github.com/johnny/role-auth"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files`.split($/)
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "sqlite3"
+  spec.add_development_dependency "rspec"
+  spec.add_development_dependency "dm-core"
+  spec.add_development_dependency "dm-migrations"
+  spec.add_development_dependency "dm-sqlite-adapter"
+  spec.add_development_dependency "do_sqlite3"
+end

data/spec/authorization_file_spec.rb

@@ -0,0 +1,62 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+describe 'authorization2' do
+  before(:all) do
+    User = Memory::User
+    load_authorization_file('authorization2')
+    sysop_role = Memory::Role.new('sysop')
+    Memory::User.current = Memory::User.new(1,[sysop_role])
+  end
+  it 'should define default actions :create, :delete, :update' do
+    can?(:create, Memory::Site).should be_true
+    can?(:update, Memory::Site).should be_true
+    can?(:delete, Memory::Site).should be_true
+  end
+
+  it 'should not raise on uninitialised method' do
+    lambda { can?(:praise, Memory::Site) }.should_not raise_error
+  end
+end
+
+describe 'authorization3' do
+
+  before(:all) do
+    User = Memory::User
+    load_authorization_file('authorization3')
+    role = Memory::Role.new('user')
+    Memory::User.current = Memory::User.new(1,[role])
+  end
+
+  it 'should override update' do
+    site = Memory::Site
+    can?(:update, Memory::Post.new(1, site, 2)).should be_false
+    can?(:update, Memory::Post.new(1, site, 1)).should be_true
+  end
+
+  it 'should accept class as argument' do
+    can?(:create, Memory::Post).should be_true
+  end
+
+  it 'should handle User classes gracefully' do
+    can?(:create, User).should be_true
+  end
+
+end
+
+describe 'authorization4' do
+
+  before(:all) do
+    User = Memory::User
+    load_authorization_file('authorization4')
+    role = Memory::Role.new('user')
+    Memory::User.current = Memory::User.new(1,[role])
+  end
+
+  it 'can_not has precidence over can' do
+    can?(:create, Memory::Site).should be_false
+    can?(:create, Memory::Role).should be_false
+    can?(:create, Memory::Post).should be_false
+    can?(:delete, Memory::Site).should be_nil
+  end
+
+end

data/spec/datamapper_spec.rb

@@ -0,0 +1,250 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+sysop = DataMapper::User.create
+admin = DataMapper::User.create
+alternative_admin = DataMapper::User.create
+author = DataMapper::User.create
+class_author = DataMapper::User.create
+general_author = DataMapper::User.create
+alternative_author = DataMapper::User.create
+moderator = DataMapper::User.create
+moderator_author = DataMapper::User.create
+site_admin = DataMapper::User.create
+user = DataMapper::User.create
+
+sysop_role = DataMapper::Role.create(:name => 'sysop', :user => sysop)
+admin_role = DataMapper::Role.create(:name => 'admin', :user => admin)
+alternative_admin_role = DataMapper::Role.create(:name => 'alternative_admin', :user => alternative_admin)
+author_role = DataMapper::Role.create(:name =>'author', :type => 'DataMapper::Site', :object_id => 1, :user => author)
+general_author_role = DataMapper::Role.create(:name =>'author', :user => general_author)
+class_author_role = DataMapper::Role.create(:name =>'author', :type => 'DataMapper::Site', :user => class_author)
+alternative_author_role = DataMapper::Role.create(:name => 'alternative_author', :type => 'DataMapper::Site', :object_id => 1, :user => alternative_author)
+moderator_author_role = DataMapper::Role.create(:name => 'moderator_author', :user => moderator_author)
+moderator_role = DataMapper::Role.create(:name => 'moderator', :user => moderator)
+site_admin_role = DataMapper::Role.create(:name => 'site_admin', :type => 'DataMapper::Site', :object_id => 1, :user => site_admin)
+user_role = DataMapper::Role.create(:name => 'user', :user => user)
+# guest_role = DataMapper::Role.new('guest')
+
+site = DataMapper::Site.create
+
+own_post = DataMapper::Post.create(:site_id => site.id, :user => author)
+other_authors_post = DataMapper::Post.create(:site_id => site.id, :user => sysop)
+published_post = DataMapper::Post.create(:site => site, :user => author, :published => true)
+comment = DataMapper::Comment.create(:site => site, :post => own_post)
+comment_on_published_post = DataMapper::Comment.create(:site => site, :post => published_post)
+
+other_site = DataMapper::Site.create
+
+other_post = DataMapper::Post.create(:site => other_site, :user => author)
+other_comment = DataMapper::Comment.create(:site => other_site, :post => other_post)
+
+describe "RoleAuth DataMapper" do
+  before :all do
+    Comment = DataMapper::Comment
+    Site = DataMapper::Site
+    Role = DataMapper::Role
+    Post = DataMapper::Post
+    User = DataMapper::User
+    load_authorization_file
+    @site = site
+    @own_post = own_post
+    @other_authors_post = other_authors_post
+    @published_post = published_post
+    @comment = comment
+    @comment_on_published_post = comment_on_published_post
+    @other_site = other_site
+    @other_post = other_post
+    @other_comment = other_comment
+  end
+
+  before :each do
+    @own_post.reload
+  end
+
+  after :all do
+    User.current = nil
+  end
+
+  def update_attributes(object, *attrs)
+    object.reload
+    attrs.each do |attr|
+      case attr
+        when :content then object.content = Time.now.to_s
+        when :published then object.published = !object.published
+        when :user_id then object.user_id = (User.current.id + 1)
+      end
+    end
+  end
+
+  describe 'admin' do
+    include_context "admin_role"
+    before(:all){ User.current = admin }
+  end
+
+  describe 'alternative admin' do
+    include_context "admin_role"
+    before(:all){ User.current = alternative_admin }
+  end
+
+  describe 'author on site instance' do
+    include_context "author_role"
+    before(:all){ User.current = author }
+  end
+
+  describe 'author on Site class' do
+    include_context "class_author_role"
+    before(:all) do
+      User.current = nil
+      @own_post = DataMapper::Post.create(:site_id => site.id, :user => class_author)
+      @comment = DataMapper::Comment.create(:site => site, :post => @own_post)
+      @published_post = DataMapper::Post.create(:site => site, :user => class_author, :published => true)
+      User.current = class_author
+    end
+  end
+
+  describe 'author' do
+    include_context "general_author_role"
+    before(:all) do
+      User.current = nil
+      @own_post = DataMapper::Post.create(:site_id => site.id, :user => general_author)
+      @comment = DataMapper::Comment.create(:site => site, :post => @own_post)
+      @published_post = DataMapper::Post.create(:site => site, :user => general_author, :published => true)
+      User.current = general_author
+    end
+  end
+
+  describe 'alternative author' do
+    include_context "author_role"
+    before(:all) do
+      User.current = alternative_author
+      @own_post = DataMapper::Post.create(:site => site, :user => alternative_author)
+      @published_post = DataMapper::Post.create(:site => site, :user => alternative_author, :published => true)
+      @comment = DataMapper::Comment.create(:site => site, :post => @own_post)
+      @comment_on_published_post = DataMapper::Comment.create(:site => site, :post => @published_post)
+    end
+  end
+
+  describe 'moderator author' do
+    include_context "moderator_author_role"
+    before(:all) do
+      User.current = moderator_author
+      @own_post = DataMapper::Post.create(:site => site, :user => moderator_author)
+      @published_post = DataMapper::Post.create(:site => site, :user => moderator_author, :published => true)
+      @comment = DataMapper::Comment.create(:site => site, :post => @own_post)
+      @comment_on_published_post = DataMapper::Comment.create(:site => site, :post => @published_post)
+    end
+  end
+
+  describe 'moderator' do
+    include_context "moderator_role"
+    before(:all) do
+      User.current = nil
+      @own_post = DataMapper::Post.create(:site_id => site.id, :user => moderator)
+      @comment = DataMapper::Comment.create(:site => site, :post => @own_post)
+      User.current = moderator
+    end
+  end
+
+  describe 'site admin' do
+    include_context "site_admin_role"
+    before :all do
+      User.current = site_admin
+      @own_post = DataMapper::Post.create(:site_id => site.id, :user => site_admin)
+      @comment = DataMapper::Comment.create(:site => site, :post => @own_post)
+    end
+  end
+
+  describe 'sysop' do
+    include_context "sysop_role"
+    before(:all){ User.current = sysop }
+  end
+
+  describe 'user' do
+    include_context "user_role"
+    before(:all){ User.current = user }
+  end
+
+  describe 'callbacks' do
+    def create_post(options = {})
+      lambda {Post.create({:user => User.current}.merge(options))}
+    end
+    def new_post(options = {})
+      lambda {Post.new({:user => User.current}.merge(options))}
+    end
+    def update(post, options = {})
+      lambda {post.reload.update(options)}
+    end
+    def destroy(post)
+      lambda {post.destroy}
+    end
+    it 'should work with create' do
+      User.current = user
+      create_post(:site => site).should raise_error
+      User.current = author
+      create_post(:site => site).should_not raise_error
+      create_post(:site_id => site.id).should_not raise_error
+      create_post(:site => other_site).should raise_error
+      create_post.should raise_error
+      User.current = moderator_author
+      create_post(:site => site).should_not raise_error
+      create_post(:site => other_site).should_not raise_error
+    end
+    it 'should work with destroy' do
+      post = Post.create(:user => author, :site => site)
+      published_post = Post.create(:user => author, :site => site, :published => true)
+      other_post = Post.create(:user => moderator_author, :site => site)
+
+      User.current = user
+      destroy(post).should raise_error
+
+      User.current = author
+      destroy(post).should_not raise_error
+      destroy(published_post).should raise_error
+      destroy(other_post).should raise_error
+
+      User.current = moderator_author
+      destroy(other_post).should_not raise_error
+      destroy(published_post).should raise_error
+
+      User.current = admin
+      destroy(published_post).should_not raise_error
+    end
+    it 'should work with initialize' do
+      User.current = user
+      new_post(:site => site).should raise_error
+      User.current = author
+      new_post(:site => site).should_not raise_error
+      new_post(:site_id => site.id).should_not raise_error
+      new_post(:site => other_site).should raise_error
+      new_post.should raise_error
+      User.current = moderator_author
+      new_post(:site => site).should_not raise_error
+      new_post(:site => other_site).should_not raise_error
+    end
+    it 'should work with update' do
+      post = Post.create(:user => user, :site => site)
+      other_post = Post.create(:user => moderator_author, :site => site)
+      published_post = Post.create(:user => author, :site => site, :published => true)
+
+      User.current = user
+      update(post, :content => rands).should raise_error
+      User.current = author
+      post = Post.create(:user => author, :site => site)
+      update(post, :content => rands).should_not raise_error
+      update(post).should_not raise_error
+      update(post, :content => rands, :published => true).should raise_error
+      update(post, :published => true).should raise_error
+      update(published_post, :content => rands).should raise_error
+      update(published_post).should_not raise_error
+      User.current = moderator_author
+      update(post, :published => true).should_not raise_error
+      update(post, :content => rands).should raise_error
+      update(published_post, :published => false).should_not raise_error
+      update(other_post, :published => true, :content => rands).should_not raise_error
+    end
+
+    def rands
+      (rand*Time.now.to_i).to_s
+    end
+  end
+end