role_authorization 0.1.0

data/lib/role_authorization/mapper.rb

@@ -0,0 +1,76 @@
+module RoleAuthorization
+  class Mapper
+    def initialize(controller_klass)
+      @controller_klass = controller_klass
+      @rules = Hash.new do |h,k|
+        h[k] = Hash.new do |h1,k1|
+          h1[k1] = Array.new
+        end
+      end
+      self
+    end
+
+    def to_s
+      output = []
+      @rules.each_pair do |action, rules|
+        output << "Action :#{action}"
+        output << "    allow roles #{rules[:roles].inspect}" unless rules[:roles].nil? || rules[:roles].empty?
+        rules[:rules].map {|rule| output << "    #{rule.to_s}"} if rules.has_key?(:rules)
+        output << ""
+        output << ""
+      end
+
+      output.join("\n")
+    end
+
+    # special role rules
+    def all(options={}, &block)
+      options.assert_valid_keys(:only)
+      rule(:all, :role, options, &block)
+    end
+
+    def role(user_role, options={}, &block)
+      options.assert_valid_keys(:check, :only)
+      rule(user_role, :role, options, &block)
+    end
+
+    def authorized?(controller_instance, controller, action, id = nil)
+      rules = @rules[action]
+
+      return false if rules.empty?
+      return true if rules[:roles].include?(:all)
+      unless controller_instance.session[:access_rights].nil?
+        return true if !(rules[:roles] & controller_instance.session[:access_rights]).empty?
+      end
+
+      if rules.has_key?(:rules)
+        rules[:rules].each do |rule|
+          return true if rule.authorized?(controller_instance, controller, action, id)
+        end
+      end
+
+      return false
+    end
+
+    private
+
+    # rule method
+    def rule(user_role, type, options={}, &block)
+      actions = [options.delete(:only) || [:all]].flatten.collect {|v| v.to_sym}
+
+      case type
+      when :role
+        irule = nil
+        role_or_type = user_role
+      else
+        irule = "RoleAuthorization::Rules::#{type.to_s.camelize}".constantize.new(@controller_klass, options.merge(:role => user_role), &block)
+        role_or_type = type
+      end
+
+      actions.each do |action|
+        @rules[action][:roles] << role_or_type if irule.nil?
+        @rules[action][:rules] << irule unless irule.nil?
+      end
+    end
+  end
+end

data/lib/role_authorization/rules/access.rb

@@ -0,0 +1,88 @@
+module RoleAuthorization
+  # define our rule helper in Mapper
+  class Mapper
+    def access(options={}, &block)
+      options.assert_valid_keys(:resource, :only, :no_send)
+      rule(:access, :access, options, &block)
+    end
+  end
+
+  module Rules
+    class Access < Basic
+      def initialize(controller, options, &block)
+        @controller_klass = controller
+        @options = {:no_send => false}.merge(options)
+        @block = block
+        @mapper = nil
+
+        unless @block.nil?
+          @mapper = RoleAuthorization::Mapper.new(@controller_klass)
+          @mapper.instance_eval(&@block)
+        end
+        self
+      end
+
+      def to_s
+        output = ["allow current_user with access role of requested #{[controller_name.singularize, @options[:check]].compact.join('.')}"]
+        output << @mapper.to_s
+      end
+
+      def authorized?(controller_instance, controller, action, id)
+        object = find_object(controller_instance, controller, action, id)
+        unless object.nil?
+          return true if controller_instance.accessible?(object.access_role)
+        end
+
+        if !@mapper.nil? && object.try(:access_role).nil?
+          return true if @mapper.authorized?(controller_instance, controller, action, object)
+        end
+        return false
+      end
+
+      def find_object(controller_instance, controller, action, id)
+        object = nil
+        instance_found = false
+
+        if id.is_a?(Integer) || id.is_a?(String)
+          # id is a parameter passed in
+          # we use the :resource option to find the right instance variable
+          object = controller_instance.instance_variable_get('@' + @options[:resource].to_s) rescue nil
+          instance_found = true unless object.nil?
+
+          if object.nil? && controller_instance.instance_variable_get('@' + controller)
+            collection = controller_instance.instance_variable_get('@' + controller)
+            object = collection.detect {|item| item.andand.id == id.to_i}
+          end
+
+          if object.nil?
+            model = controller.singularize.camelize.constantize
+            if model.respond_to?(:to_param_column)
+              finder = "find_by_#{model.to_param_column}".to_sym
+            else
+              finder = :find_by_id
+              id = id.to_i
+            end
+
+            object = model.send(finder, id)
+          end
+
+          unless object.nil?
+            if @options.has_key?(:resource) && !@options[:no_send] && !instance_found && object.respond_to?(@options[:resource])
+              object = object.send(@options[:resource])
+            end
+          end
+        elsif id.is_a?(ActiveRecord::Base) && @options.has_key?(:resource)
+          # id is already a model record so this is a nested rule
+
+          # first try to find it as an instance variable
+          object = controller_instance.instance_variable_get('@' + @options[:resource].to_s) rescue nil
+
+          # next we call id's method to find it
+          object = id.send(@options[:resource]) if object.nil?
+        end
+
+        return object
+      end
+    end # Access
+  end
+end

data/lib/role_authorization/rules/basic.rb

@@ -0,0 +1,22 @@
+module RoleAuthorization
+  module Rules
+    class Basic
+      def initialize(controller, options, &block)
+        @controller_klass = controller
+        self
+      end
+
+      def to_s
+        "deny all (basic rule)"
+      end
+
+      def controller_name
+        @controller_klass.to_s.gsub('Controller', '')
+      end
+
+      def authorized?(controller_instance, controller, action, id)
+        return false
+      end
+    end
+  end
+end

data/lib/role_authorization/rules/custom.rb

@@ -0,0 +1,32 @@
+module RoleAuthorization
+  # define our rule helper in Mapper
+  class Mapper
+    def custom(options={}, &block)
+      options.assert_valid_keys(:only, :description)
+      rule(:custom, :custom, options, &block)
+    end
+  end
+
+  module Rules
+    class Custom < Basic
+      def initialize(controller, options, &block)
+        @controller_klass = controller
+        @options = options
+        @block = block
+        self
+      end
+
+      def to_s
+        "allow when custom rule (#{@options[:description]}) returns true"
+      end
+
+      def authorized?(controller_instance, controller, action, id)
+        unless @block.nil?
+          result = @block.call(controller_instance)
+          return true unless result == false || result.nil?
+        end
+        return false
+      end
+    end
+  end
+end

data/lib/role_authorization/rules/logged_in.rb

@@ -0,0 +1,38 @@
+module RoleAuthorization
+  # define our rule helper in Mapper
+  class Mapper
+    def logged_in(options={}, &block)
+      options.assert_valid_keys(:only)
+      rule(:logged_in, :logged_in, options, &block)
+    end
+  end
+
+  module Exts
+    module View
+      def logged_in(&block)
+        if block_given? && !current_user.anonymous?
+          capture_haml(&block)
+        end
+      end
+    end
+  end
+
+  module Rules
+    class LoggedIn < Basic
+      def initialize(controller, options, &block)
+        @controller_klass = controller
+        @options = options
+        self
+      end
+
+      def to_s
+        "allow when current_user is logged in (not anonymous)"
+      end
+
+      def authorized?(controller_instance, controller, action, id)
+        return true unless controller_instance.current_user.anonymous?
+        return false
+      end
+    end
+  end
+end

data/lib/role_authorization/rules/object_role.rb

@@ -0,0 +1,51 @@
+module RoleAuthorization
+  # define our rule helper in Mapper
+  class Mapper
+    def object_role(user_role, options={}, &block)
+      options.assert_valid_keys(:only, :resource, :type)
+      rule(user_role, :object_role, options, &block)
+    end
+  end
+
+  module Rules
+    class ObjectRole < Basic
+      def initialize(controller, options, &block)
+        @controller_klass = controller
+        @options = options
+        self
+      end
+
+      def to_s
+        if @options[:resource]
+          "allow when current_user has the role (#{@options[:role]}) for a specific object (#{@options[:resource]})"
+        else
+          "allow when current_user has the role (#{@options[:role]}) for any object of type #{@options[:type]}"
+        end
+      end
+
+      def authorized?(controller_instance, controller, action, id)
+        object = @options[:resource].nil? ? nil : find_object(controller_instance) if @options[:resource]
+
+        if object
+          return true if controller_instance.current_user.has_object_role?(object, @options[:role])
+        elsif @options[:type].constantize.respond_to?(:enrolled)
+          return true if @options[:type].constantize.enrolled(@options[:role]).include?(controller_instance.current_user)
+        end
+
+        return false
+      end
+
+      def find_object(controller_instance)
+        # try to find as instance variable
+        object = controller_instance.instance_variable_get("@#{@options[:resource]}".to_sym) rescue nil
+
+        # try to find based on params
+        if object.nil? && !controller_instance.params["#{@options[:resource]}_id"].blank?
+          object = @options[:type].constantize.find_by_id(controller_instance.params["#{@options[:resource]}_id"])
+        end
+
+        object
+      end
+    end
+  end
+end

data/lib/role_authorization/rules/resource.rb

@@ -0,0 +1,106 @@
+module RoleAuthorization
+  # define our rule helper in Mapper
+  class Mapper
+    def resource(user_role, options={}, &block)
+      options.assert_valid_keys(:resource, :only, :no_send)
+      rule(user_role, :resource, options, &block)
+    end
+  end
+
+  module Rules
+    class Resource < Basic
+      def initialize(controller, options, &block)
+        @controller_klass = controller
+        @options = {:no_send => false}.merge(options)
+        @block = block
+        @mapper = nil
+
+        unless @block.nil?
+          @mapper = RoleAuthorization::Mapper.new(@controller_klass)
+          @mapper.instance_eval(&@block)
+        end
+        self
+      end
+
+      def to_s
+        output = ["allow current_user with role :#{@options[:role]} of requested resource #{@options[:resource]}"]
+        output << @mapper.to_s
+      end
+
+      def authorized?(controller_instance, controller, action, id)
+        object = find_object(controller_instance, controller, action, id)
+        return true if controller_instance.current_user.has_object_role?(@options[:role], object) unless object.nil?
+
+        unless @mapper.nil?
+          return true if @mapper.authorized?(controller_instance, controller, action, object)
+        end
+
+        return false
+      end
+
+      def find_object(controller_instance, controller, action, id)
+        object = nil
+        instance_found = false
+
+        if id.is_a?(Integer) || id.is_a?(String)
+          # id is a parameter passed in
+          # we use the :resource option to find the right instance variable
+          object = controller_instance.instance_variable_get('@' + @options[:resource].to_s) rescue nil
+          instance_found = true unless object.nil?
+
+          if controller_instance.instance_variable_defined?('@' + controller)
+            collection = controller_instance.instance_variable_get('@' + controller)
+            object = collection.detect {|item| item.andand.id == id.to_i}
+          end
+
+          if object.nil?
+            model = controller.singularize.camelize.constantize
+            if model.respond_to?(:to_param_column)
+              finder = "find_by_#{model.to_param_column}".to_sym
+            else
+              finder = :find_by_id
+              id = id.to_i
+            end
+
+            object = model.send(finder, id)
+          end
+
+          unless object.nil?
+            if @options.has_key?(:resource) && !@options[:no_send] && !instance_found && object.respond_to?(@options[:resource])
+              object = object.send(@options[:resource])
+            end
+          end
+        elsif id.is_a?(ActiveRecord::Base) && @options.has_key?(:resource)
+          # id is already a model record so this is a nested rule
+
+          # first try to find it as an instance variable
+          object = controller_instance.instance_variable_get('@' + @options[:resource].to_s) rescue nil
+
+          if id.respond_to?("#{@options[:resource]}_id") && controller_instance.instance_variable_defined?('@' + @options[:resource].to_s.pluralize)
+            collection = controller_instance.instance_variable_get('@' + @options[:resource].to_s.pluralize)
+            object = collection.detect {|item| item.andand.id == id.send("#{@options[:resource]}_id")}
+          end
+
+          # next we call id's method to find it
+          object = id.send(@options[:resource]) if object.nil?
+        elsif id.nil?
+          # no id means we must be using an association or parent resource for this rule
+
+          if @options.has_key?(:resource)
+            object_base = @options[:resource].to_s
+            object_id = controller_instance.params["#{object_base}_id".to_sym]
+
+            unless object_id.nil?
+              object = controller_instance.instance_variable_get('@' + object_base) rescue nil
+              object = nil unless object.id == object_id
+
+              object = object_base.to_s.camelize.constantize.find_by_id(object_id.to_i) if object.nil?
+            end
+          end
+        end
+
+        return object
+      end # find object
+    end
+  end
+end

data/lib/role_authorization/rules/user.rb

@@ -0,0 +1,70 @@
+module RoleAuthorization
+  # define our rule helper in Mapper
+  class Mapper
+    def user(options={}, &block)
+      options.assert_valid_keys(:check, :only, :resource, :association)
+      rule(:user, :user, options, &block)
+    end
+  end
+
+  module Rules
+    class User < Basic
+      def initialize(controller, options, &block)
+        @controller_klass = controller
+        @options = options
+        self
+      end
+
+      def to_s
+        "allow when current_user.id == #{[@options[:resource], @options[:association], @options[:check]].compact.join('.')}"
+      end
+
+      def authorized?(controller_instance, controller, action, id)
+        object = find_object(controller_instance, controller, action, id)
+
+        unless object.nil?
+          [object].flatten.each do |obj|
+            return true if controller_instance.current_user.owns?(obj.send(@options[:check]))
+          end
+        end
+
+        return false
+      end
+
+      def find_object(controller_instance, controller, action, id)
+        object = nil
+
+        if id.nil? && !@options[:resource].nil?
+          if controller_instance.instance_variable_defined?('@' + @options[:resource].to_s)
+            object = controller_instance.instance_variable_get('@' + @options[:resource].to_s)
+          end
+          model = @options[:resource].to_s.camelize.constantize
+        elsif id.is_a?(Integer) || id.is_a?(String)
+          if controller_instance.instance_variable_defined?('@' + controller)
+            collection = controller_instance.instance_variable_get('@' + controller)
+            object = collection.detect {|item| item.andand.id == id.to_i}
+          end
+          model = controller.singularize.camelize.constantize
+        elsif id.is_a?(ActiveRecord::Base) && @options.has_key?(:check)
+          object = id
+        end
+
+        if object.nil?
+          if model.respond_to?(:to_param_column)
+            finder = "find_by_#{model.to_param_column}".to_sym
+          else
+            finder = :find_by_id
+            id = id.to_i
+          end
+          object = model.send(finder, id)
+        end
+
+        unless object.nil? || @options[:check].nil?
+          object = @options[:association].nil? ? object : object.send(@options[:association])
+        end
+
+        object
+      end
+    end # User
+  end
+end

data/lib/role_authorization/ruleset.rb

@@ -0,0 +1,39 @@
+module RoleAuthorization
+  module Ruleset
+    def self.included(base)
+      base.send :extend, ClassMethods
+    end
+
+    module ClassMethods
+
+      def cattr_ruleset(*syms)
+        syms.each do |sym|
+          class_eval(<<-EOS, __FILE__, __LINE__ + 1)
+            unless defined? @@#{sym}
+              @@#{sym} = Hash.new
+            end
+
+            def self.#{sym}
+              @@#{sym}
+            end
+
+            def self.#{sym}=(obj)
+              @@#{sym} = obj
+            end
+
+            def self.add_to_#{sym}(name, set = nil, &block)
+              ruleset = self.#{sym}
+              if block_given?
+                ruleset[name] = RoleAuthorization::Mapper.new(self)
+                ruleset[name].instance_eval(&block)
+              elsif !set.nil?
+                ruleset[name] = set
+              end
+              self.#{sym} = ruleset
+            end
+          EOS
+        end
+      end
+    end
+  end
+end

data/lib/role_authorization/version.rb

@@ -0,0 +1,3 @@
+module RoleAuthorization
+  VERSION = "0.1.0"
+end

data/lib/role_authorization.rb

@@ -0,0 +1,3 @@
+require 'role_authorization/base'
+require 'rails/role_authorization' if defined?(Rails)
+

data/migrations/01_user_roles.rb

@@ -0,0 +1,30 @@
+class UserRoles < ActiveRecord::Migration
+  def self.up
+    create_table :user_roles do |t|
+      t.string :name
+      t.string :display_name
+      t.integer :priority
+
+      t.references :roleable, :polymorphic => true
+      t.timestamps
+    end
+
+    create_table :user_role_mappings do |t|
+      t.belongs_to :user
+      t.belongs_to :user_role
+      t.timestamps
+    end
+
+    add_index :user_roles, [:roleable_id, :roleable_type]
+    add_index :user_roles, [:roleable_id, :roleable_type, :name]
+    add_index :user_role_mappings, [:user_id]
+    add_index :user_role_mappings, [:user_role_id]
+
+    public_access = UserRole.create(:name => "public", :display_name => "Public Access", :priority => 600)
+  end
+
+  def self.down
+    drop_table :user_roles
+    drop_table :user_role_mappings
+  end
+end

data/role_authorization.gemspec

@@ -0,0 +1,23 @@
+$:.push File.expand_path("../lib", __FILE__)
+require "role_authorization/version"
+
+Gem::Specification.new do |s|
+  s.name        = "role_authorization"
+  s.version     = RoleAuthorization::VERSION
+  s.platform    = Gem::Platform::RUBY
+  s.authors     = ["John 'asceth' Long"]
+  s.email       = ["machinist@asceth.com"]
+  s.homepage    = "http://github.com/asceth/role_authorization"
+  s.summary     = "Role Authorization gem for Rails"
+  s.description = "A gem for handling authorization in rails using roles"
+
+  s.rubyforge_project = "role_authorization"
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+
+  s.add_development_dependency 'rspec'
+  s.add_development_dependency 'rr'
+end