role-auth 0.1.9

data/.gitignore

@@ -0,0 +1,15 @@
+#specific files
+
+# dirs
+.bundle
+bin
+pkg
+
+# tempfiles
+*[~#]
+.#*
+*_flymake*
+/.emacs-project
+/.irbrc
+*_out
+*.log

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in sequel-localize.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,48 @@
+PATH
+  remote: .
+  specs:
+    role-auth (0.1.9)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    addressable (2.3.5)
+    data_objects (0.10.13)
+      addressable (~> 2.1)
+    diff-lcs (1.2.4)
+    dm-core (1.2.1)
+      addressable (~> 2.3)
+    dm-do-adapter (1.2.0)
+      data_objects (~> 0.10.6)
+      dm-core (~> 1.2.0)
+    dm-migrations (1.2.0)
+      dm-core (~> 1.2.0)
+    dm-sqlite-adapter (1.2.0)
+      dm-do-adapter (~> 1.2.0)
+      do_sqlite3 (~> 0.10.6)
+    do_sqlite3 (0.10.13)
+      data_objects (= 0.10.13)
+    rake (10.1.0)
+    rspec (2.14.1)
+      rspec-core (~> 2.14.0)
+      rspec-expectations (~> 2.14.0)
+      rspec-mocks (~> 2.14.0)
+    rspec-core (2.14.4)
+    rspec-expectations (2.14.0)
+      diff-lcs (>= 1.1.3, < 2.0)
+    rspec-mocks (2.14.1)
+    sqlite3 (1.3.7)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler
+  dm-core
+  dm-migrations
+  dm-sqlite-adapter
+  do_sqlite3
+  rake
+  role-auth!
+  rspec
+  sqlite3

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2009-2013 Jonas von Andrian
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,58 @@
+# role-auth
+
+there is no inheritance between permissions created within a role block
+
+there is inheritance between task definitions
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'sequel-localize'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install sequel-localize
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Assumptions
+
+* changes to the object are finished before the update hook
+** merb before: Filters are executed in order of definition
+* standard REST Controller
+* on scopes defined on the Model
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request
+
+
+## TODO
+* give possibility to inspect rules
+** Hints why it failed
+** nice Printout of ruby code
+* docs
+* publish
+
+## Ideas
+
+* Adapter specific way of finding roles
+* custom aliases
+
+## Notes
+* Inheritance between parts of roles is bad. It can have unintended side effects.
+
+## Copyright
+
+Copyright (c) 2010 Jonas von Andrian. See LICENSE for details.

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/lib/role-auth.rb

@@ -0,0 +1,86 @@
+__DIR__ = File.dirname(__FILE__)
+
+$LOAD_PATH.unshift __DIR__ unless
+  $LOAD_PATH.include?(__DIR__) ||
+  $LOAD_PATH.include?(File.expand_path(__DIR__))
+
+%w{checker builder parser}.each do |file|
+  require "role-auth/#{file}"
+end
+
+module RoleAuth
+
+  class AuthorizationError < StandardError; end
+
+  DEFAULT_CONFIGURATION = {
+    :user_class => 'User',
+    :exception_class => AuthorizationError
+  }
+
+  attr_accessor :checker
+  module_function :checker, :checker=
+
+  module_function
+
+  def config=(options = {})
+    @config = DEFAULT_CONFIGURATION.merge(options)
+  end
+  def config
+    @config ||= DEFAULT_CONFIGURATION
+  end
+
+  def instance_name(model)
+    model.to_s[/([^:]*)$/,1].downcase
+  end
+
+  module InstanceMethods
+
+    def user!
+      User.current || raise(ArgumentError, "User.current is not set")
+    end
+
+    def can?(task, object, options = {})
+      user!.can?(task, object, options)
+    end
+
+    def can!(task, object, options = {})
+      user!.can!(task, object, options)
+    end
+
+    def is?(role, options = {})
+      user!.is?(role, options)
+    end
+
+  end
+
+  module UserClassMethods
+    def self.included(klass)
+      klass.extend ClassMethods
+    end
+
+    def can?(task, object, options = {})
+      RoleAuth.checker.can?(task, object, options, self)
+    end
+
+    def can!(task, object, options = {})
+      can?(task, object, options) || raise(RoleAuth.config[:exception_class])
+    end
+
+    def is?(role_name, options = {})
+      RoleAuth.checker.is?(role_name, options, self)
+    end
+
+    module ClassMethods
+      def current=(user)
+        Thread.current[:user] = user
+      end
+      def current
+        Thread.current[:user]
+      end
+    end
+  end
+end
+
+%w{ data_mapper merb}.each do |file|
+  require "role-auth/adapters/#{file}" if Object.const_defined? file.split('_').map{|e| e.capitalize}.join
+end

data/lib/role-auth/adapters/data_mapper.rb

@@ -0,0 +1,60 @@
+class RoleAuth::DataMapperDSLBuilder < RoleAuth::DSLBuilder
+  use_for DataMapper::Model
+  class << self
+    def change(entries)
+      symbol_entries = entries.uniq.collect {|e| ":#{e}" }.join(', ')
+      "(_object.dirty_attributes.keys.map{ |attr| attr.name} - [#{symbol_entries}]).empty?"
+    end
+  end
+end # RoleAuth::DataMapperDSLBuilder
+
+module RoleAuth::Adapters
+  module DataMapper
+    module Hook
+      def check_permission_before(*args)
+        options = args.last.is_a?(Hash) ? args.pop : {}
+        include RoleAuth::InstanceMethods
+        extend RoleAuth::Adapters::DataMapper::ClassMethods
+        args.each do |filter|
+          self.send "_create_permission_filter_before_#{filter}", options
+        end
+      end
+    end # Hook
+    module ClassMethods
+      protected
+      def _create_permission_filter_before(action, options)
+        options_literal = options[:on] ? ", :on => #{RoleAuth.instance_name(options[:on])}" : ''
+        self.class_eval <<-RUBY
+          before :#{action} do
+            can!(:#{options[:as] || action}, self #{options_literal}) if ::#{RoleAuth.config[:user_class]}.current
+          end
+        RUBY
+      end
+
+      def _create_permission_filter_before_initialize(options)
+        options_literal = if options[:on]
+                            instance_name = RoleAuth.instance_name(options[:on])
+                            ", :on => attributes[:#{instance_name}] || ::#{options[:on]}.get(attributes[:#{instance_name}_id])"
+                          end || ''
+        self.class_eval <<-RUBY
+          def initialize(attributes = {})
+            can!(:create, self #{options_literal}) if ::#{RoleAuth.config[:user_class]}.current
+            super
+          end
+        RUBY
+      end
+
+
+      def _create_permission_filter_before_create(options)
+        _create_permission_filter_before(:create, options)
+      end
+      def _create_permission_filter_before_update(options)
+        _create_permission_filter_before(:update, options)
+      end
+      def _create_permission_filter_before_destroy(options)
+        _create_permission_filter_before(:destroy, options.merge(:as => :delete))
+      end
+    end # ClassMethods
+  end # DataMapper
+end # RoleAuth::Adapters
+DataMapper::Model.append_extensions(RoleAuth::Adapters::DataMapper::Hook)

data/lib/role-auth/adapters/merb.rb

@@ -0,0 +1,39 @@
+module RoleAuth::Adapters
+  module Merb
+    def lockdown(*args)
+      options = args.last.is_a?(Hash) ? args.pop : {}
+      options[:object] ||= _guess_model_class_from_controller_name
+
+      actions = args.empty? ? public_methods(false) : args
+
+      _define_lockdown(options)
+      before :"_lockdown_#{options[:object]}", :only => actions
+    end
+
+    def _guess_model_class_from_controller_name
+      self.to_s[/([^:]*)$/,1].singularize
+    end
+
+    def _define_lockdown(options)
+      options_hash = options[:on] ? ", :on => #{options[:on]}" : ''
+      self.class_eval <<-RUBY, __FILE__, __LINE__ + 1
+        def _lockdown_#{options[:object]}
+          can! params[:action].to_sym, #{options[:object]} #{options_hash}
+        end
+RUBY
+    end
+  end # Merb
+end # RoleAuth::Adapters
+
+Merb::AbstractController.send(:include, RoleAuth::InstanceMethods)
+Merb::AbstractController.send(:extend, RoleAuth::Adapters::Merb)
+
+class Merb::BootLoader::RoleAuth < Merb::BootLoader
+  after AfterAppLoads
+  class << self
+    def run
+      RoleAuth.config = Merb::Plugins.config[:role-auth].blank? ? {:exception_class => Merb::ControllerExceptions::Forbidden} : Merb::Plugins.config[:role-auth]
+      RoleAuth::Builder.new(File.new(Merb.root/'config/authorization_rules.rb')).build
+    end
+  end
+end

data/lib/role-auth/builder.rb

@@ -0,0 +1,141 @@
+module RoleAuth
+  class Builder
+
+    def initialize(authorization_file)
+      @parser = Parser.new(authorization_file)
+    end
+
+    def build
+      task_methods = @parser.tasks.keys.collect do |task|
+        next if task == :do
+        build_task(task)
+      end.join
+      RoleAuth.checker = Checker.new(@parser, task_methods)
+    end
+
+    protected
+
+    def build_task(task)
+      permission_case_clauses = []
+
+      pcc = build_case_clause(@parser.permissions, task)
+      rcc = build_case_clause(@parser.restrictions, task)
+
+      permission_case_clauses << "(#{pcc})" if !pcc.empty?
+      permission_case_clauses << "!(#{rcc})" if !rcc.empty?
+      %!
+### #{task}
+def #{task}(user, object, options = {})
+  _user, _object, _options = user, object, options
+  (#{permission_case_clauses.join(" && \n   ")}) #{build_alternative_permissions_clause(task)}
+end
+    !
+    end
+
+    def build_alternative_permissions_clause(parent_task)
+      return if @parser.tasks[parent_task].options[:alternatives].nil?
+      "|| " + @parser.tasks[parent_task].options[:alternatives].map do |task_name|
+        "#{task_name}(_user, _object, _options)"
+      end.join(" || ")
+    end
+
+    def build_any_clause(permissions, task)
+      clause = build_permission_clauses(permissions, task, :any)
+      clause.empty? ? "" : clause
+    end
+
+    def build_case_clause(permissions, task)
+      when_clauses = (permissions[task].keys + permissions[:do].keys).uniq.map do |model|
+        next if model == :any
+        build_when_clause(permissions, task, model)
+      end.join
+      if when_clauses.empty?
+        build_any_clause(permissions, task)
+      else
+        any_clause = build_any_clause(permissions, task)
+        case_clause =  %!
+case _object.is_a?(Class) ? _object.to_s : _object.class.to_s
+  #{when_clauses}
+end!
+        any_clause.empty? ? case_clause : "#{any_clause} || #{case_clause}"
+      end
+    end
+
+    def build_when_clause(permissions, task, model)
+      permission_clauses = build_permission_clauses(permissions, task, model)
+      return if permission_clauses.empty?
+      %!
+when '#{model}' then
+#{RoleAuth.instance_name(model)} = _object
+#{permission_clauses}!
+    end
+
+    def build_permission_clauses(permissions, task, model)
+      mixed_permissions = permissions[task][model].values + permissions[:do][model].values
+      mixed_permissions.map { |perm| build_permission(perm) }.join(" ||\n")
+    end
+
+    def build_permission(permission)
+      permission.load_task_options(@parser)
+      build_role_clause(permission) + build_permission_parts(permission)
+    end
+
+    def build_role_clause(permission)
+      roles = (@parser.roles[permission.role.name][:descendants].dup << permission.role.name)
+
+      instance_assignment = ''
+      block = "%w{ #{roles.join(" ")} }.include?( user_role.name )"
+
+      if !permission.options[:on].empty?
+        model = permission.options[:on].first
+        instance_name = RoleAuth.instance_name(model)
+        instance_value = permission.model.instance_methods.include?(instance_name.to_sym) ? "_options[:on] || _object.#{instance_name}" : "_options[:on]"
+
+        instance_assignment = "((#{instance_name} = #{instance_value} || (_object.is_a?(#{model}) ? _object : nil)) || true) &&"
+        block = "#{block} && ( user_role.type != '#{model}' || ( !#{instance_name}.nil? && (user_role.object_id.nil? || user_role.object_id == #{instance_name}.id )))"
+      end
+      "#{instance_assignment} _user.roles.any? {|user_role| #{block} }"
+    end
+
+    def build_permission_parts(permission)
+      return "" if permission.options[:if].empty?
+      dsl_parser = DSLBuilder.pick(permission.model)
+      " && " + permission.options[:if].collect do |type, entries|
+        dsl_parser.send type, entries
+      end.join(" && ")
+    end
+
+  end
+
+  class DSLBuilder
+    class << self
+      def pick(model)
+        pair = builders.find do | builder, base_class |
+          model.is_a? base_class
+        end
+        pair ? pair[0] : self
+      end
+
+      def string(entries)
+        "(#{entries.join(") && (")})"
+      end
+
+      def change(entries)
+        symbol_entries = entries.uniq.collect {|e| ":#{e}" }.join(', ')
+        "(_object.updated_attributes - [#{symbol_entries}]).empty?"
+      end
+
+      protected
+
+      def builders
+        @@builders ||= {}
+      end
+
+      def use_for(base_class)
+        builders[self] = base_class
+      end
+
+    end
+  end
+
+end