role-authz 0.0.1
Sign up to get free protection for your applications and to get access to all the features.
- data/LICENSE +20 -0
- data/README +77 -0
- data/Rakefile +82 -0
- data/TODO +2 -0
- data/lib/role-authz.rb +22 -0
- data/lib/role-authz/authorization/authorization.rb +17 -0
- data/lib/role-authz/authorization/controller_helper.rb +34 -0
- data/lib/role-authz/authorization/controller_mixin.rb +41 -0
- data/lib/role-authz/authorization/object_mixin.rb +8 -0
- data/lib/role-authz/authorization/operator_mixin.rb +18 -0
- data/spec/role-authz_spec.rb +7 -0
- data/spec/spec_helper.rb +1 -0
- metadata +93 -0
data/LICENSE
ADDED
@@ -0,0 +1,20 @@
|
|
1
|
+
Copyright (c) 2010 Jorge Villatoro
|
2
|
+
|
3
|
+
Permission is hereby granted, free of charge, to any person obtaining
|
4
|
+
a copy of this software and associated documentation files (the
|
5
|
+
"Software"), to deal in the Software without restriction, including
|
6
|
+
without limitation the rights to use, copy, modify, merge, publish,
|
7
|
+
distribute, sublicense, and/or sell copies of the Software, and to
|
8
|
+
permit persons to whom the Software is furnished to do so, subject to
|
9
|
+
the following conditions:
|
10
|
+
|
11
|
+
The above copyright notice and this permission notice shall be
|
12
|
+
included in all copies or substantial portions of the Software.
|
13
|
+
|
14
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
15
|
+
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
16
|
+
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
17
|
+
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
18
|
+
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
19
|
+
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
20
|
+
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
data/README
ADDED
@@ -0,0 +1,77 @@
|
|
1
|
+
RoleAuthz - Simple role-based authorization
|
2
|
+
===========================================
|
3
|
+
|
4
|
+
Roles
|
5
|
+
------
|
6
|
+
|
7
|
+
class Application < Merb::Controller
|
8
|
+
role :name do |operator, target|
|
9
|
+
# return true or false, depending on
|
10
|
+
# whether or not this operator/target
|
11
|
+
# combination can have this role
|
12
|
+
end
|
13
|
+
# Examples:
|
14
|
+
role :admin do |operator, target|
|
15
|
+
operator.respond_to?(:admin) && operator.admin
|
16
|
+
end
|
17
|
+
role :owner do |operator, target|
|
18
|
+
target.respond_to?(:owner) && target.owner == operator
|
19
|
+
end
|
20
|
+
role :guest do |operator, target|
|
21
|
+
operator.nil?
|
22
|
+
end
|
23
|
+
end
|
24
|
+
|
25
|
+
Permissions
|
26
|
+
-----------
|
27
|
+
|
28
|
+
#### For resources:
|
29
|
+
|
30
|
+
class Posts < Application
|
31
|
+
authorize Post do
|
32
|
+
for_role(:admin).allow(:all)
|
33
|
+
for_role(:owner).allow(:all)
|
34
|
+
for_role(:guest).allow(:index, :show)
|
35
|
+
end
|
36
|
+
end
|
37
|
+
|
38
|
+
#### For controllers:
|
39
|
+
|
40
|
+
class NotAResourceController < Application
|
41
|
+
authorize self do
|
42
|
+
for_role(:guest).allow(:foo)
|
43
|
+
end
|
44
|
+
# foo is just an action
|
45
|
+
end
|
46
|
+
|
47
|
+
#### Global:
|
48
|
+
|
49
|
+
class Application < Merb::Controller
|
50
|
+
# your role definitions
|
51
|
+
authorize self do
|
52
|
+
for_role(:admin).allow(:all)
|
53
|
+
end
|
54
|
+
end
|
55
|
+
|
56
|
+
Operators (user classes)
|
57
|
+
------------------------
|
58
|
+
|
59
|
+
Operator classes must call authorizable! somewhere.
|
60
|
+
|
61
|
+
#### Example:
|
62
|
+
class User
|
63
|
+
include DataMapper::Resource
|
64
|
+
authorizable!
|
65
|
+
|
66
|
+
property :id, Serial
|
67
|
+
property :login, String
|
68
|
+
end
|
69
|
+
|
70
|
+
Operators may use the authorized? method to check authorization.
|
71
|
+
|
72
|
+
#### Examples:
|
73
|
+
|
74
|
+
user = User.get(n)
|
75
|
+
user.authorized?(:target => @post, :action => :edit)
|
76
|
+
user.authorized?(:target => Posts, :action => :new)
|
77
|
+
user.authorized?(:role => :admin)
|
data/Rakefile
ADDED
@@ -0,0 +1,82 @@
|
|
1
|
+
begin
|
2
|
+
# Just in case the bundle was locked
|
3
|
+
# This shouldn't happen in a dev environment but lets be safe
|
4
|
+
require '.bundle/environment'
|
5
|
+
rescue LoadError
|
6
|
+
require 'rubygems'
|
7
|
+
require 'bundler'
|
8
|
+
Bundler.setup
|
9
|
+
end
|
10
|
+
require 'rake/gempackagetask'
|
11
|
+
|
12
|
+
require 'merb-core'
|
13
|
+
require 'merb-core/tasks/merb'
|
14
|
+
|
15
|
+
GEM_NAME = "role-authz"
|
16
|
+
GEM_VERSION = "0.0.1"
|
17
|
+
AUTHOR = "Jorge Villatoro"
|
18
|
+
EMAIL = "jorge@tomatocannon.com"
|
19
|
+
HOMEPAGE = "http://www.github.com/thelazyfox/role-authz"
|
20
|
+
SUMMARY = "A merb plugin that provides simple role based authorization"
|
21
|
+
|
22
|
+
spec = Gem::Specification.new do |s|
|
23
|
+
s.rubyforge_project = 'merb'
|
24
|
+
s.name = GEM_NAME
|
25
|
+
s.version = GEM_VERSION
|
26
|
+
s.platform = Gem::Platform::RUBY
|
27
|
+
s.has_rdoc = true
|
28
|
+
s.extra_rdoc_files = ["README", "LICENSE", "TODO"]
|
29
|
+
s.summary = SUMMARY
|
30
|
+
s.description = s.summary
|
31
|
+
s.author = AUTHOR
|
32
|
+
s.email = EMAIL
|
33
|
+
s.homepage = HOMEPAGE
|
34
|
+
s.add_dependency('merb-core', '>= 1.1.3')
|
35
|
+
s.require_path = 'lib'
|
36
|
+
s.files = %w(LICENSE README Rakefile TODO) + Dir.glob("{lib,spec}/**/*")
|
37
|
+
|
38
|
+
end
|
39
|
+
|
40
|
+
Rake::GemPackageTask.new(spec) do |pkg|
|
41
|
+
pkg.gem_spec = spec
|
42
|
+
end
|
43
|
+
|
44
|
+
desc "install the plugin as a gem"
|
45
|
+
task :install do
|
46
|
+
Merb::RakeHelper.install(GEM_NAME, :version => GEM_VERSION)
|
47
|
+
end
|
48
|
+
|
49
|
+
desc "Uninstall the gem"
|
50
|
+
task :uninstall do
|
51
|
+
Merb::RakeHelper.uninstall(GEM_NAME, :version => GEM_VERSION)
|
52
|
+
end
|
53
|
+
|
54
|
+
desc "Create a gemspec file"
|
55
|
+
task :gemspec do
|
56
|
+
File.open("#{GEM_NAME}.gemspec", "w") do |file|
|
57
|
+
file.puts spec.to_ruby
|
58
|
+
end
|
59
|
+
end
|
60
|
+
|
61
|
+
begin
|
62
|
+
require 'spec'
|
63
|
+
require 'spec/rake/spectask'
|
64
|
+
|
65
|
+
task :default => [ :spec ]
|
66
|
+
|
67
|
+
desc 'Run specifications'
|
68
|
+
Spec::Rake::SpecTask.new(:spec) do |t|
|
69
|
+
t.spec_opts << '--options' << 'spec/spec.opts' if File.exists?('spec/spec.opts')
|
70
|
+
t.spec_opts << '--color' << '--format' << 'specdoc'
|
71
|
+
begin
|
72
|
+
require 'rcov'
|
73
|
+
t.rcov_opts << '--exclude' << 'spec'
|
74
|
+
t.rcov_opts << '--text-summary'
|
75
|
+
t.rcov_opts << '--sort' << 'coverage' << '--sort-reverse'
|
76
|
+
rescue LoadError
|
77
|
+
# rcov not installed
|
78
|
+
end
|
79
|
+
end
|
80
|
+
rescue LoadError
|
81
|
+
# rspec not installed
|
82
|
+
end
|
data/lib/role-authz.rb
ADDED
@@ -0,0 +1,22 @@
|
|
1
|
+
# make sure we're running inside Merb
|
2
|
+
if defined?(Merb::Plugins)
|
3
|
+
|
4
|
+
require 'merb-auth-core'
|
5
|
+
# Merb gives you a Merb::Plugins.config hash...feel free to put your stuff in your piece of it
|
6
|
+
Merb::Plugins.config[:role_authz] = {}
|
7
|
+
|
8
|
+
path = File.dirname(__FILE__)
|
9
|
+
Dir[path / "role-authz" / "authorization" / "**/*.rb"].each do |f|
|
10
|
+
require f
|
11
|
+
end
|
12
|
+
|
13
|
+
Merb::BootLoader.before_app_loads do
|
14
|
+
# require code that must be loaded before the application
|
15
|
+
end
|
16
|
+
|
17
|
+
Merb::BootLoader.after_app_loads do
|
18
|
+
# code that can be required after the application loads
|
19
|
+
end
|
20
|
+
|
21
|
+
Merb::Plugins.add_rakefiles "role-authz/merbtasks"
|
22
|
+
end
|
@@ -0,0 +1,17 @@
|
|
1
|
+
module Authorization
|
2
|
+
@roles = {}
|
3
|
+
|
4
|
+
def self.roles_for(operator, target)
|
5
|
+
list = []
|
6
|
+
@roles.each do |name, proc|
|
7
|
+
if proc.call(operator, target)
|
8
|
+
list += [name]
|
9
|
+
end
|
10
|
+
end
|
11
|
+
list
|
12
|
+
end
|
13
|
+
|
14
|
+
def self.add_role(name, &block)
|
15
|
+
@roles[name] = block
|
16
|
+
end
|
17
|
+
end
|
@@ -0,0 +1,34 @@
|
|
1
|
+
module Authorization
|
2
|
+
class OpenForRoleStatement < Exception; end
|
3
|
+
class NoCurrentForRoleStatement < Exception; end
|
4
|
+
|
5
|
+
class ControllerHelper
|
6
|
+
def initialize
|
7
|
+
@working_roles = []
|
8
|
+
@permissions_list = {}
|
9
|
+
end
|
10
|
+
|
11
|
+
def for_roles(*the_roles)
|
12
|
+
raise OpenForRoleStatement unless @working_roles.empty?
|
13
|
+
@working_roles += the_roles
|
14
|
+
self
|
15
|
+
end
|
16
|
+
alias_method :for_role, :for_roles
|
17
|
+
|
18
|
+
def allow(*the_actions)
|
19
|
+
raise NoCurrentForRoleStatement unless !@working_roles.empty?
|
20
|
+
@working_roles.each do |current_role|
|
21
|
+
if !@permissions_list.include?(current_role)
|
22
|
+
@permissions_list[current_role] = []
|
23
|
+
end
|
24
|
+
@permissions_list[current_role] += the_actions
|
25
|
+
end
|
26
|
+
@working_roles.clear
|
27
|
+
self
|
28
|
+
end
|
29
|
+
|
30
|
+
def actions_for(role)
|
31
|
+
@permissions_list[role] || []
|
32
|
+
end
|
33
|
+
end
|
34
|
+
end
|
@@ -0,0 +1,41 @@
|
|
1
|
+
class Merb::Controller
|
2
|
+
class Unauthorized < Merb::Controller::Forbidden; end
|
3
|
+
class_inheritable_accessor :_authorization
|
4
|
+
class_inheritable_accessor :_authorization_target
|
5
|
+
|
6
|
+
def self.role(name, &block)
|
7
|
+
Authorization.add_role(name, &block)
|
8
|
+
end
|
9
|
+
|
10
|
+
def self.authorize(klass, &block)
|
11
|
+
klass._authorization_proxy = self
|
12
|
+
self._authorization_target = klass
|
13
|
+
self._authorization ||= Authorization::ControllerHelper.new
|
14
|
+
self._authorization.instance_eval(&block) if block_given?
|
15
|
+
before :ensure_authorized
|
16
|
+
self._authorization
|
17
|
+
end
|
18
|
+
|
19
|
+
def authorization_target
|
20
|
+
if _authorization_target.respond_to?(:get)
|
21
|
+
_authorization_target.get(params[:id])
|
22
|
+
else
|
23
|
+
nil
|
24
|
+
end
|
25
|
+
end
|
26
|
+
|
27
|
+
def ensure_authorized
|
28
|
+
operator = nil
|
29
|
+
operator = session.user if session.authenticated?
|
30
|
+
roles = Authorization.roles_for(operator, authorization_target)
|
31
|
+
roles.each do |role|
|
32
|
+
actions = self.class._authorization.actions_for(role)
|
33
|
+
return true if actions.include?(params[:action].to_sym) || actions.include?(:all)
|
34
|
+
end
|
35
|
+
if session.authenticated?
|
36
|
+
raise Unauthorized
|
37
|
+
else
|
38
|
+
raise Unauthenticated
|
39
|
+
end
|
40
|
+
end
|
41
|
+
end
|
@@ -0,0 +1,18 @@
|
|
1
|
+
module Authorization::OperatorMixin
|
2
|
+
|
3
|
+
def authorized?(args = {})
|
4
|
+
@roles ||= Authorization.roles_for(self, args[:target])
|
5
|
+
if args[:action].nil?
|
6
|
+
@roles.include?(args[:role])
|
7
|
+
else
|
8
|
+
target = args[:target]._authorization_proxy unless args[:target]._authorization_proxy.nil?
|
9
|
+
|
10
|
+
@roles.each do |role|
|
11
|
+
actions = target._authorization.actions_for(role)
|
12
|
+
return true if actions.include?(args[:action]) || actions.include?(:all)
|
13
|
+
end
|
14
|
+
false
|
15
|
+
end
|
16
|
+
end
|
17
|
+
|
18
|
+
end
|
data/spec/spec_helper.rb
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
$:.push File.join(File.dirname(__FILE__), '..', 'lib')
|
metadata
ADDED
@@ -0,0 +1,93 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: role-authz
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
prerelease: false
|
5
|
+
segments:
|
6
|
+
- 0
|
7
|
+
- 0
|
8
|
+
- 1
|
9
|
+
version: 0.0.1
|
10
|
+
platform: ruby
|
11
|
+
authors:
|
12
|
+
- Jorge Villatoro
|
13
|
+
autorequire:
|
14
|
+
bindir: bin
|
15
|
+
cert_chain: []
|
16
|
+
|
17
|
+
date: 2010-08-12 00:00:00 -05:00
|
18
|
+
default_executable:
|
19
|
+
dependencies:
|
20
|
+
- !ruby/object:Gem::Dependency
|
21
|
+
name: merb-core
|
22
|
+
requirement: &id001 !ruby/object:Gem::Requirement
|
23
|
+
none: false
|
24
|
+
requirements:
|
25
|
+
- - ">="
|
26
|
+
- !ruby/object:Gem::Version
|
27
|
+
segments:
|
28
|
+
- 1
|
29
|
+
- 1
|
30
|
+
- 3
|
31
|
+
version: 1.1.3
|
32
|
+
type: :runtime
|
33
|
+
prerelease: false
|
34
|
+
version_requirements: *id001
|
35
|
+
description: A merb plugin that provides simple role based authorization
|
36
|
+
email: jorge@tomatocannon.com
|
37
|
+
executables: []
|
38
|
+
|
39
|
+
extensions: []
|
40
|
+
|
41
|
+
extra_rdoc_files:
|
42
|
+
- README
|
43
|
+
- LICENSE
|
44
|
+
- TODO
|
45
|
+
files:
|
46
|
+
- LICENSE
|
47
|
+
- README
|
48
|
+
- Rakefile
|
49
|
+
- TODO
|
50
|
+
- lib/role-authz/authorization/authorization.rb
|
51
|
+
- lib/role-authz/authorization/controller_helper.rb
|
52
|
+
- lib/role-authz/authorization/controller_mixin.rb
|
53
|
+
- lib/role-authz/authorization/object_mixin.rb
|
54
|
+
- lib/role-authz/authorization/operator_mixin.rb
|
55
|
+
- lib/role-authz.rb
|
56
|
+
- spec/role-authz_spec.rb
|
57
|
+
- spec/spec_helper.rb
|
58
|
+
has_rdoc: true
|
59
|
+
homepage: http://www.github.com/thelazyfox/role-authz
|
60
|
+
licenses: []
|
61
|
+
|
62
|
+
post_install_message:
|
63
|
+
rdoc_options: []
|
64
|
+
|
65
|
+
require_paths:
|
66
|
+
- lib
|
67
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
68
|
+
none: false
|
69
|
+
requirements:
|
70
|
+
- - ">="
|
71
|
+
- !ruby/object:Gem::Version
|
72
|
+
hash: 2034184392538483349
|
73
|
+
segments:
|
74
|
+
- 0
|
75
|
+
version: "0"
|
76
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
77
|
+
none: false
|
78
|
+
requirements:
|
79
|
+
- - ">="
|
80
|
+
- !ruby/object:Gem::Version
|
81
|
+
hash: 2034184392538483349
|
82
|
+
segments:
|
83
|
+
- 0
|
84
|
+
version: "0"
|
85
|
+
requirements: []
|
86
|
+
|
87
|
+
rubyforge_project: merb
|
88
|
+
rubygems_version: 1.3.7
|
89
|
+
signing_key:
|
90
|
+
specification_version: 3
|
91
|
+
summary: A merb plugin that provides simple role based authorization
|
92
|
+
test_files: []
|
93
|
+
|