role-authz 0.0.2 → 1.0.0

data/Rakefile

@@ -13,7 +13,7 @@ require 'merb-core'
 require 'merb-core/tasks/merb'
 
 GEM_NAME = "role-authz"
-GEM_VERSION = "0.0.2"
+GEM_VERSION = "1.0.0"
 AUTHOR = "Jorge Villatoro"
 EMAIL = "jorge@tomatocannon.com"
 HOMEPAGE = "http://www.github.com/thelazyfox/role-authz"
@@ -78,5 +78,5 @@ begin
     end
   end
 rescue LoadError
-  # rspec not installed
+  puts "rspec not installed"
 end

data/lib/role-authz/authorization/authorization.rb

@@ -1,7 +1,7 @@
 module Authorization
   @roles = {}
   
-  def self.roles_for(operator, target)
+  def self.roles_for(operator, target=nil)
     list = []
     @roles.each do |name, proc|
       if proc.call(operator, target)
@@ -12,6 +12,10 @@ module Authorization
   end
   
   def self.add_role(name, &block)
-    @roles[name] = block
+    if block.parameters.count == 2
+      @roles[name] = block
+    else
+      raise InvalidRole
+    end
   end
 end

data/lib/role-authz/authorization/controller_helper.rb

@@ -1,7 +1,4 @@
-module Authorization
-  class OpenForRoleStatement < Exception; end
-  class NoCurrentForRoleStatement < Exception; end
-  
+module Authorization  
   class ControllerHelper
     def initialize
       @working_roles = []
@@ -10,7 +7,7 @@ module Authorization
   
     def for_roles(*the_roles)
       raise OpenForRoleStatement unless @working_roles.empty?
-      @working_roles += the_roles
+      @working_roles = the_roles.clone
       self
     end
     alias_method :for_role, :for_roles
@@ -18,9 +15,7 @@ module Authorization
     def allow(*the_actions)
       raise NoCurrentForRoleStatement unless !@working_roles.empty?
       @working_roles.each do |current_role|
-        if !@permissions_list.include?(current_role)
-          @permissions_list[current_role] = []
-        end
+        @permissions_list[current_role] ||= []
         @permissions_list[current_role] += the_actions
       end
       @working_roles.clear

data/lib/role-authz/authorization/controller_mixin.rb

@@ -8,6 +8,7 @@ class Merb::Controller
   end
   
   def self.authorize(klass, &block)
+    klass.class_inheritable_accessor :_authorization_proxy
     klass._authorization_proxy = self
     self._authorization_target = klass
     self._authorization ||= Authorization::ControllerHelper.new
@@ -25,8 +26,7 @@ class Merb::Controller
   end
   
   def ensure_authorized
-    operator = nil
-    operator = session.user if session.authenticated?
+    operator = (session.user if session.authenticated?)
     roles = Authorization.roles_for(operator, authorization_target)
     roles.each do |role|
       actions = self.class._authorization.actions_for(role)

data/lib/role-authz/authorization/exceptions.rb

@@ -0,0 +1,5 @@
+module Authorization
+  class OpenForRoleStatement < Exception; end
+  class NoCurrentForRoleStatement < Exception; end
+  class InvalidRole < Exception; end
+end

data/lib/role-authz/authorization/object_mixin.rb

@@ -1,8 +1,5 @@
 class Object
-  class_inheritable_accessor :_authorization_proxy
-  
   def self.authorizable!
     include Authorization::OperatorMixin
   end
-
 end

data/lib/role-authz/authorization/operator_mixin.rb

@@ -1,18 +1,21 @@
 module Authorization::OperatorMixin
-
   def authorized?(args = {})
     @roles ||= Authorization.roles_for(self, args[:target])
-    if args[:action].nil?
-      @roles.include?(args[:role])
-    else
+    
+    if args.key?(:role)
+      return @roles.include?(args[:role])
+    elsif args.key?(:target) && args.key?(:action)
       target = args[:target]._authorization_proxy unless args[:target]._authorization_proxy.nil?
       
       @roles.each do |role|
         actions = target._authorization.actions_for(role)
         return true if actions.include?(args[:action]) || actions.include?(:all)
       end
-      false
     end
+    false
   end
   
+  def roles_for(target)
+    Authorization.roles_for(self, target)
+  end
 end

data/spec/authorization_spec.rb

@@ -0,0 +1,50 @@
+require File.expand_path('../spec_helper', __FILE__)
+
+describe "Authorization" do
+  before :each do
+    Authorization.clear!
+  end
+  
+  describe ".add_role(name, &block)" do
+    it "accepts valid roles" do
+      Authorization.should respond_to(:add_role)
+      lambda do 
+        Authorization.add_role(:foo) do |operator, target|
+          if operator == "jorge"
+            true
+          else
+            false
+          end
+        end
+      end.should_not raise_error
+    end
+    
+    it "raises InvalidRole exception when the role block is invalid" do
+      lambda do
+        Authorization.add_role(:foo) {|operator| true}
+      end.should raise_error
+    end
+  end
+  
+  describe ".roles_for(operator, target)" do
+    it "returns correct roles for operator, target pairs" do
+      Authorization.add_role(:foo) do |operator, target|
+        if operator == "foo"
+          true
+        else
+          false
+        end
+      end
+      Authorization.add_role(:bar) do |operator, target|
+        if operator == "bar"
+          true
+        else
+          false
+        end
+      end
+      
+      Authorization.roles_for("foo",nil).should == [:foo]
+      Authorization.roles_for("bar",nil).should == [:bar]
+    end
+  end
+end

data/spec/controller_spec.rb

@@ -0,0 +1,157 @@
+require File.expand_path('../spec_helper', __FILE__)
+
+describe "ControllerMixin" do
+  before :each do
+    Authorization.clear!
+    @controller = Class.new Merb::Controller
+  end
+  
+  describe ".role(name, &block)" do
+    it "defines roles the the specified name and block" do
+      lambda do
+        @controller.role(:admin) { |operator,target| operator=="admin" }
+        @controller.role(:user)  { |operator,target| operator=="user" }
+        @controller.role(:owner) { |operator,target| operator==target }
+      end.should_not raise_error
+      
+      Authorization.roles_for("user").should == [:user]
+      Authorization.roles_for("admin").should == [:admin]
+      Authorization.roles_for("owner","owner").should == [:owner]
+      Authorization.roles_for("user","user").should include(:user, :owner)
+    end
+    
+    it "raises an exception when the block does not accept 2 arguments" do
+      lambda {@controller.role(:foo) {|operator|}}.should raise_error
+    end
+  end
+  
+  describe ".authorize(target, &block)" do
+    it "can specify self as the target" do
+      @controller.should respond_to(:authorize)
+      lambda {@controller.authorize(@controller) {}}.should_not raise_error
+    end
+    
+    it "can sepcify a resource as a target" do
+      @resource = Class.new
+      
+      @controller.should respond_to(:authorize)
+      lambda {@controller.authorize(@resource) {}}.should_not raise_error
+      @resource.should respond_to(:_authorization_proxy)
+      @resource._authorization_proxy.should == @controller
+    end
+    
+    it "enforces #ensure_authorized as a before filter" do
+      lambda {@controller.authorize(@controller) {}}.should_not raise_error
+      @controller._before_filters.flatten.should include(:ensure_authorized)
+    end
+  end
+  
+  describe "#ensure_authorized" do
+    it "raises the Unauthenticated exception when unauthenticated" do
+      session = mock("session")
+      session.stub!(:authenticated?).and_return(false)
+      
+      controller = @controller.new(nil)
+      controller.stub!(:session).and_return(session)
+      controller.stub!(:params).and_return({:action => :foo})
+      controller.should respond_to(:ensure_authorized)
+      lambda do
+        controller.ensure_authorized
+      end.should raise_exception(Merb::Controller::Unauthenticated)
+    end
+    
+    it "raises the Unauthorized exception when no permissions match" do
+      session = mock("session");
+      session.stub!(:authenticated?).and_return(true)
+      session.stub!(:user).and_return("user")
+      
+      controller = @controller.new(nil)
+      controller.stub!(:session).and_return(session)
+      controller.stub!(:params).and_return({:action => :foo})
+      controller.should respond_to(:ensure_authorized)
+      lambda do
+        controller.ensure_authorized
+      end.should raise_exception(::Merb::Controller::Unauthorized)
+    end
+    
+    it "raises no exceptions when a permission matches" do
+      session = mock("session");
+      session.stub!(:authenticated?).and_return(true)
+      session.stub!(:user).and_return("user")
+      
+      @controller.role(:user) {|operator,target|operator=="user"}
+      @controller.authorize(@controller) do
+        for_role(:user).allow(:foo)
+      end
+      
+      controller = @controller.new(nil)
+      controller.stub!(:session).and_return(session)
+      controller.stub!(:params).and_return({:action => :foo})
+      
+      controller.should respond_to(:ensure_authorized)
+      lambda {controller.ensure_authorized}.should_not raise_exception
+    end
+  end
+end
+
+describe "ControllerHelper" do
+  before :each do
+    @authorization = Authorization::ControllerHelper.new
+  end
+  
+  describe "#for_roles(*the_roles)" do
+    it "selects roles for which to define permissions" do
+      @authorization.instance_eval do
+        for_roles(:user).allow(:bar)
+      end
+      @authorization.actions_for(:user).should include(:bar)
+      @authorization.actions_for(:foo).should_not include(:bar)
+    end
+    
+    it "raises an exception when called directly after #for_roles" do
+      lambda do
+        @authorization.instance_eval do
+          for_roles(:user)
+          for_roles(:admin)
+        end
+      end.should raise_error
+    end
+    
+    it "has the alias #for_role" do
+      @authorization.should respond_to(:for_role)
+    end
+  end
+  
+  describe "#allow(*the_actions)" do
+    it "sets permissions to be set for the specified roles" do
+      @authorization.instance_eval do
+        for_roles(:user).allow(:foo)
+        for_roles(:admin).allow(:bar)
+      end
+      
+      @authorization.actions_for(:user).should include(:foo)
+      @authorization.actions_for(:user).should_not include(:bar)
+      @authorization.actions_for(:admin).should include(:bar)
+      @authorization.actions_for(:admin).should_not include(:foo)
+    end
+    
+    it "raises an exception when not called directly after #for_roles" do
+      lambda do
+        @authorization.instance_eval do
+          allow(:foo)
+        end
+      end.should raise_error
+    end
+  end
+  
+  describe "#actions_for(role)" do
+    it "returns the previously set actions for the specified role" do
+      @authorization.instance_eval do
+        for_role(:user).allow(:foo)
+      end
+      
+      @authorization.should respond_to(:actions_for)
+      @authorization.actions_for(:user).should include(:foo)
+    end
+  end
+end

data/spec/operator_spec.rb

@@ -0,0 +1,71 @@
+require File.expand_path('../spec_helper', __FILE__)
+
+describe "OperatorMixin" do
+  describe "#authorized?(args)" do
+    before do
+      Authorization.clear!
+      @user = Class.new
+      @user.instance_eval {authorizable!}
+      @admin = @user.clone
+      @controller = Class.new Merb::Controller
+      @controller.role(:admin) {|operator,target|operator.kind_of?(@admin)}
+      @controller.role(:user) {|operator,target|operator.kind_of?(@user)}
+      @controller.role(:owner) {|operator,target|target.respond_to?(:owner)&&target.owner==operator}
+      @controller.authorize(@controller) do
+        for_role(:admin).allow(:foo)
+        for_role(:user).allow(:bar)
+      end
+      
+    end
+    
+    it "returns true when the requested role matches" do
+      @admin.new.authorized?(:role=>:admin).should be_true
+      @user.new.authorized?(:role=>:user).should be_true
+    end
+    
+    it "returns false when the requested role does not match" do
+      @admin.new.authorized?(:role=>:user).should be_false
+      @user.new.authorized?(:role=>:admin).should be_false
+    end
+    
+    it "returns false when only an action is specified" do
+      @admin.new.authorized?(:action=>:bar).should be_false
+      @admin.new.authorized?(:action=>:foo).should be_false
+    end
+    
+    it "returns true when the requested target+action matches" do
+      user = @user.new
+      resource = Class.new
+      resource.stub!(:owner).and_return(user)
+      @controller.clone.authorize(resource) {for_role(:owner).allow(:foo)}
+      
+      user.authorized?(:target=>resource,:action=>:foo).should be_true
+    end
+    
+    it "returns false when the requested target+action does not match" do
+      user = @user.new
+      resource = Class.new
+      resource.stub!(:owner).and_return(user.clone)
+      @controller.clone.authorize(resource) {for_role(:owner).allow(:foo)}
+      
+      user.authorized?(:target=>resource,:action=>:foo).should be_false
+    end
+    
+  end
+  
+  describe "#roles_for" do
+    it "returns the roles for self on the specified target" do
+      @user = Class.new
+      @user.instance_eval {authorizable!}
+      user = @user.new
+      
+      resource = Class.new
+      resource.stub!(:owner).and_return(user)
+      Authorization.add_role(:user){|operator,target|operator.kind_of?(@user)}
+      Authorization.add_role(:owner){|operator,target|target.respond_to?(:owner)&&target.owner==operator}
+      
+      user.roles_for(resource).should include(:owner)
+      user.clone.roles_for(resource).should_not include(:owner)
+    end
+  end
+end

data/spec/role-authz_spec.rb

@@ -1,7 +1,14 @@
-require File.dirname(__FILE__) + '/spec_helper'
+require File.expand_path('../spec_helper', __FILE__)
 
-describe "role-authz" do
-  it "should do nothing" do
-    true.should == true
+describe "ObjectMixin" do
+  describe ".authorizable!" do
+    it "includes OperatorMixin" do      
+      class Foo
+        authorizable!
+      end
+    
+      Foo.ancestors.should include(::Authorization::OperatorMixin)
+    end
   end
-end
+end
+

data/spec/spec_helper.rb

@@ -1 +1,11 @@
-$:.push File.join(File.dirname(__FILE__), '..', 'lib')
+# Loads up Merb and the Plugin
+require 'merb-core'
+require 'spec'
+require File.expand_path("../../lib/role-authz", __FILE__)
+
+# Simple helper to clear out the auth role list
+module Authorization
+  def self.clear!
+    @roles.clear
+  end
+end

metadata

@@ -3,10 +3,10 @@ name: role-authz
 version: !ruby/object:Gem::Version 
   prerelease: false
   segments: 
+  - 1
   - 0
   - 0
-  - 2
-  version: 0.0.2
+  version: 1.0.0
 platform: ruby
 authors: 
 - Jorge Villatoro
@@ -14,7 +14,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-08-12 00:00:00 -05:00
+date: 2011-02-11 00:00:00 -06:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -50,9 +50,13 @@ files:
 - lib/role-authz/authorization/authorization.rb
 - lib/role-authz/authorization/controller_helper.rb
 - lib/role-authz/authorization/controller_mixin.rb
+- lib/role-authz/authorization/exceptions.rb
 - lib/role-authz/authorization/object_mixin.rb
 - lib/role-authz/authorization/operator_mixin.rb
 - lib/role-authz.rb
+- spec/authorization_spec.rb
+- spec/controller_spec.rb
+- spec/operator_spec.rb
 - spec/role-authz_spec.rb
 - spec/spec_helper.rb
 has_rdoc: true
@@ -69,7 +73,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
-      hash: -4311421285429235749
+      hash: 1726181753105293631
       segments: 
       - 0
       version: "0"
@@ -78,7 +82,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
-      hash: -4311421285429235749
+      hash: 1726181753105293631
       segments: 
       - 0
       version: "0"