RubyGems - role_authorization - Versions diffs - 0.1.0 - Mend

role_authorization 0.1.0

Files changed (30) hide show

data/.gemtest +1 -0
data/.gitignore +2 -0
data/.rspec +1 -0
data/.rvmrc +1 -0
data/Gemfile +3 -0
data/LICENSE +20 -0
data/README.md +8 -0
data/Rakefile +19 -0
data/lib/rails/role_authorization.rb +8 -0
data/lib/role_authorization/allow_group.rb +16 -0
data/lib/role_authorization/base.rb +116 -0
data/lib/role_authorization/exts/controller.rb +127 -0
data/lib/role_authorization/exts/model.rb +126 -0
data/lib/role_authorization/exts/session.rb +52 -0
data/lib/role_authorization/exts/user.rb +58 -0
data/lib/role_authorization/exts/view.rb +77 -0
data/lib/role_authorization/mapper.rb +76 -0
data/lib/role_authorization/rules/access.rb +88 -0
data/lib/role_authorization/rules/basic.rb +22 -0
data/lib/role_authorization/rules/custom.rb +32 -0
data/lib/role_authorization/rules/logged_in.rb +38 -0
data/lib/role_authorization/rules/object_role.rb +51 -0
data/lib/role_authorization/rules/resource.rb +106 -0
data/lib/role_authorization/rules/user.rb +70 -0
data/lib/role_authorization/ruleset.rb +39 -0
data/lib/role_authorization/version.rb +3 -0
data/lib/role_authorization.rb +3 -0
data/migrations/01_user_roles.rb +30 -0
data/role_authorization.gemspec +23 -0
metadata +106 -0

data/.gemtest ADDED Viewed

	@@ -0,0 +1 @@
1	+

data/.gitignore ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ *.gem
2	+

data/.rspec ADDED Viewed

	@@ -0,0 +1 @@
1	+ --colour

data/.rvmrc ADDED Viewed

	@@ -0,0 +1 @@
1	+ rvm use 1.9.2@gems

data/Gemfile ADDED Viewed

@@ -0,0 +1,3 @@
+source :rubygems
+gemspec

data/LICENSE ADDED Viewed

@@ -0,0 +1,20 @@
+Copyright (c) 2011 John "asceth" Long
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md ADDED Viewed

@@ -0,0 +1,8 @@
+Features
+--------
+Requirements
+------------
+Usage
+-----

data/Rakefile ADDED Viewed

@@ -0,0 +1,19 @@
+require "bundler"
+Bundler.setup
+require "rspec"
+require "rspec/core/rake_task"
+Rspec::Core::RakeTask.new(:spec)
+gemspec = eval(File.read(File.join(Dir.pwd, "role_authorization.gemspec")))
+task :build => "#{gemspec.full_name}.gem"
+task :test => :spec
+file "#{gemspec.full_name}.gem" => gemspec.files + ["role_authorization.gemspec"] do
+  system "gem build role_authorization.gemspec"
+  system "gem install role_authorization-#{RoleAuthorization::VERSION}.gem"
+end

data/lib/rails/role_authorization.rb ADDED Viewed

@@ -0,0 +1,8 @@
+module RoleAuthorization
+  class Railtie < Rails::Railtie
+    initializer "role_authorization.initialize" do |app|
+      RoleAuthorization.enable
+      RoleAuthorization.load_controller_classes
+    end
+  end
+end

data/lib/role_authorization/allow_group.rb ADDED Viewed

@@ -0,0 +1,16 @@
+module RoleAuthorization
+  module AllowGroup
+    include RoleAuthorization::Ruleset
+    cattr_ruleset :ruleset
+    class << self
+      def define(name, &block)
+        add_to_ruleset(name, &block)
+      end
+      def get(*names)
+        ruleset.values_at(names).compact
+      end
+    end
+  end
+end

data/lib/role_authorization/base.rb ADDED Viewed

@@ -0,0 +1,116 @@
+module RoleAuthorization
+  class << self
+    # shortcut for <tt>enable_actionpack; enable_activerecord</tt>
+    def enable
+      # load rule mapper
+      load 'role_authorization/mapper.rb'
+      load 'role_authorization/ruleset.rb'
+      load 'role_authorization/allow_group.rb'
+      load 'role_authorization/rules/basic.rb'
+      # load default rules
+      Dir.chdir(File.dirname(__FILE__)) do
+        Dir["rules/*.rb"].each do |rule_definition|
+          require "#{File.dirname(__FILE__)}/#{rule_definition}"
+        end
+      end
+      # load application rules
+      Dir.chdir(Rails.root) do
+        Dir["lib/rules/*.rb"].each do |rule_definition|
+          require "#{Rails.root}/#{rule_definition}"
+        end
+      end
+      # load allow groups
+      Dir.chdir(Rails.root) do
+        Dir["lib/allow_groups/*.rb"].each do |allow_group|
+          require "#{Rails.root}/#{allow_group}"
+        end
+      end
+      enable_actionpack
+      enable_activerecord
+    end
+    def enable_actionpack
+      load 'role_authorization/exts/view.rb'
+      unless ActionView::Base.instance_methods.include? :link_to_or_show
+        ActionView::Base.class_eval { include Exts::View }
+      end
+      load 'role_authorization/exts/session.rb'
+      load 'role_authorization/exts/controller.rb'
+      unless ActionController::Base.instance_methods.include? :authorized?
+        ActionController::Base.class_eval { include Exts::Session }
+        ActionController::Base.class_eval { include Exts::Controller }
+      end
+    end
+    def enable_activerecord
+      load 'role_authorization/exts/model.rb'
+      unless ActiveRecord::Base.instance_methods.include? :roleable
+        ActiveRecord::Base.class_eval { include Exts::Model }
+      end
+      load 'role_authorization/exts/user.rb'
+    end
+    def load_controller_classes
+      @controller_classes = {}
+      maybe_load_framework_controller_parent
+      Dir.chdir("#{Rails.root}/app/controllers") do
+        Dir["**/*.rb"].sort.each do |c|
+          next if c.include?("application")
+          rola_load(c)
+        end
+      end
+#       if ENV['RAILS_ENV'] != 'production'
+#         if ActiveSupport.const_defined?("Dependencies")
+#           ActiveSupport::Dependencies.clear
+#         else
+#           Dependencies.clear
+#         end
+#       end
+    end
+    def maybe_load_framework_controller_parent
+      if ::Rails::VERSION::MAJOR >= 3 || (::Rails::VERSION::MAJOR >= 2 && ::Rails::VERSION::MINOR >= 3)
+        filename = "application_controller.rb"
+      else
+        filename = "application.rb"
+      end
+      require_or_load(filename)
+    end
+    def rola_load(filename)
+      klass = class_name_from_file(filename)
+      require_or_load(filename)
+      @controller_classes[klass] = qualified_const_get(klass)
+    end
+    def require_or_load(filename)
+      if ActiveSupport.const_defined?("Dependencies")
+        ActiveSupport::Dependencies.require_or_load(filename)
+      else
+        Dependencies.require_or_load(filename)
+      end
+    end
+    def class_name_from_file(str)
+      str.split(".")[0].split("/").collect{|s| s.camelize }.join("::")
+    end
+    def qualified_const_get(klass)
+      if klass =~ /::/
+        namespace, klass = klass.split("::")
+        eval(namespace).const_get(klass)
+      else
+        const_get(klass)
+      end
+    end
+  end
+end

data/lib/role_authorization/exts/controller.rb ADDED Viewed

@@ -0,0 +1,127 @@
+module RoleAuthorization
+  module Exts
+    module Controller
+      def self.included(base)
+        base.class_eval do
+          rescue_from SecurityError, :with => proc {|e| access_denied(e)}
+          helper_method :authorized?
+          helper_method :accessible?
+        end
+        base.send :extend, RoleAuthorization::Ruleset::ClassMethods
+        base.send :cattr_ruleset, :ruleset, :allowable_groups
+        base.send :extend, ClassMethods
+        base.send :include, InstanceMethods
+      end
+      module ClassMethods
+        def allow_group(*args)
+          add_to_allowable_groups(self.controller_rule_name, args)
+          add_role_authorization_filter
+        end
+        def allow(&block)
+          add_to_ruleset(self.controller_rule_name, &block)
+          add_role_authorization_filter
+        end
+        def add_role_authorization_filter
+          callbacks = _process_action_callbacks
+          chain = callbacks.select {|cl| cl.klass.to_s.include?(name)}.collect(&:filter).select {|c| c.is_a?(Symbol)}
+          before_filter :check_request_authorization unless chain.include?(:check_request_authorization)
+        end
+        def controller_rule_name
+          @controller_rule_name ||= name.gsub('Controller', '').underscore.downcase
+        end
+        def controller_model
+          @controller_model ||= name.gsub('Controller', '').singularize
+        end
+      end # ClassMethods
+      module InstanceMethods
+        def check_request_authorization
+          unless authorized_action?(self, self.class.controller_rule_name, action_name.to_sym, params[:id])
+            raise SecurityError, "You do not have the required clearance to access this resource."
+          end
+        end
+        def authorized_action?(controller_klass, controller, action, id = nil)
+          # by default admins see everything
+          return true if current_user_is_admin?
+          ruleset = self.class.ruleset[controller]
+          groups = RoleAuthorization::AllowGroup.get(self.class.allowable_groups[controller])
+          if defined?(DEBUG_AUTHORIZATION_RULES) == 'constant'
+            Rails.logger.info "#" * 60
+            Rails.logger.info ruleset.to_s
+            Rails.logger.info "#" * 60
+          end
+          # we have no ruleset for this controller or any allow groups so deny
+          return false if ruleset.nil? && groups.empty?
+          # first check controller ruleset
+          unless ruleset.nil?
+            return true if ruleset.authorized?(controller_klass, controller, :all, id)
+            return true if ruleset.authorized?(controller_klass, controller, action, id)
+          end
+          # next check any allow groups
+          unless groups.empty?
+            groups.each do |group|
+              return true if group.authorized?(controller_klass, controller, :all, id)
+              return true if group.authorized?(controller_klass, controller, action, id)
+            end
+          end
+          # finally deny if they haven't passed any rules
+          return false
+        end
+        def accessible?(access_role)
+          return true if current_user_is_admin?
+          return false if access_role.nil?
+          return true if access_role.name.to_sym == :public
+          return false if session[:access_rights].nil?
+          session[:access_rights].include?(access_role.name.to_sym)
+        end
+        def authorized?(url, method = nil)
+          return false unless url
+          return true if current_user_is_admin?
+          method ||= (params[:method] || request.method)
+          url_parts = URI::split(url.strip)
+          path = url_parts[5]
+          begin
+            hash = Rails.application.routes.recognize_path(path, :method => method)
+            return authorized_action?(self, hash[:controller], hash[:action].to_sym, hash[:id]) if hash
+          rescue Exception => e
+            Rails.logger.error e.inspect
+            Rails.logger.error e.backtrace
+            # continue on
+          end
+          # Mailto link
+          return true if url =~ /^mailto:/
+          # Public file
+          file = File.join(RAILS_ROOT, 'public', url)
+          return true if File.exists?(file)
+          # Passing in different domain
+          return remote_url?(url_parts[2])
+        end
+        def remote_url?(domain = nil)
+          return false if domain.nil? || domain.strip.length == 0
+          request.host.downcase != domain.downcase
+        end
+      end # InstanceMethods
+    end
+  end
+end

data/lib/role_authorization/exts/model.rb ADDED Viewed

@@ -0,0 +1,126 @@
+module RoleAuthorization
+  module Exts
+    module Model
+      def self.included(base)
+        base.send :extend, ClassMethods
+        base.send :include, InstanceMethods
+      end
+      module ClassMethods
+        def roleable_options
+          @roleable_options
+        end
+        def roleable_options=(options)
+          @roleable_options = options
+        end
+        def roleable options = {}
+          has_many :roles, :as => :roleable, :dependent => :delete_all
+          after_create :create_roles
+          send(:extend, SpecificClassMethods)
+          options[:name] ||= :class
+          options[:priority] ||= {}
+          options[:creation_priority] ||= {}
+          options[:roles] ||= [:default]
+          options[:roles].each do |role_name|
+            options[:priority][role_name] ||= 1
+            options[:creation_priority][role_name] ||= 1
+          end
+          options[:cache] = {}
+          @roleable_options = options
+        end # roleable
+        def enrolled(role_name)
+          roles = Role.all(:conditions => {:roleable_type => self.to_s, :name => role_name.to_s})
+          unless roles.empty?
+            roles.collect(&:users).flatten
+          else
+            []
+          end
+        end
+      end # ClassMethods
+      module SpecificClassMethods
+        def reset_roles
+          all.map(&:reset_roles)
+        end
+      end
+      module InstanceMethods
+        def reset_roles
+          options = self.class.roleable_options
+          mroles = roles.all
+          rejected_roles = mroles.reject {|r| options[:roles].include?(r.name.to_sym)}
+          rejected_roles.map {|rejected_role| rejected_role.destroy}
+          valid_roles = mroles - rejected_roles
+          valid_role_names = valid_roles.collect(&:name)
+          new_roles = options[:roles].select {|role| !valid_role_names.include?(role.to_sym)}
+          valid_roles.each do |role|
+            if roles.find_by_name(role.name.to_s).nil?
+              roles.create(:name => role.name.to_s,
+                           :display_name => "#{self.send(options[:name])} #{role.name.to_s}",
+                           :creation_priority => options[:creation_priority][role.name.to_s],
+                           :priority => options[:priority][role.name.to_s])
+            end
+          end
+          new_roles.each do |role|
+            roles.create(:name => role.to_s,
+                         :display_name => "#{self.send(options[:name])} #{role.to_s}",
+                         :creation_priority => options[:creation_priority][role],
+                         :priority => options[:priority][role])
+          end
+          roles(true).all
+        end
+        def enroll(user, role)
+          options = self.class.roleable_options
+          role = role.is_a?(Integer) ? roles.find_by_id(role) : roles.find_by_name(role.to_s)
+          user_id = ((user.is_a?(Integer) || user.is_a?(String)) ? user.to_i : user.id)
+          unless role.nil?
+            role.user_roles.create(:user_id => user_id)
+          end
+        end
+        alias_method :assign, :enroll
+        def enrolled(role)
+          role = roles.find_by_name(role.to_s)
+          unless role.nil?
+            role.users
+          else
+            []
+          end
+        end
+        def withdraw(user, role = nil)
+          options = self.class.roleable_options
+          role = role.is_a?(Integer) ? roles.find_by_id(role, :include => :user_roles) : roles.find_by_name(role.to_s, :include => :user_roles)
+          user_id = ((user.is_a?(Integer) || user.is_a?(String)) ? user.to_i : user.id)
+          unless role.nil?
+            role.user_roles.first(:conditions => {:user_id => user_id}).try(:destroy)
+          else
+            UserRole.all(:conditions => {:user_id => user_id, :role_id => role_ids}).map(&:destroy)
+          end
+        end
+        private
+        def create_roles
+          options = self.class.roleable_options
+          options[:roles].each do |role|
+            roles.create(:name => role.to_s,
+                         :display_name => "#{self.send(options[:name])} #{role.to_s}",
+                         :creation_priority => options[:creation_priority][role],
+                         :priority => options[:priority][role])
+          end
+        end # create_user_roles
+      end # InstanceMethods
+    end
+  end
+end

data/lib/role_authorization/exts/session.rb ADDED Viewed

@@ -0,0 +1,52 @@
+module RoleAuthorization
+  module Exts
+    module Session
+      def self.included(base)
+        base.send :include, InstanceMethods
+        base.class_eval do
+          helper_method :current_user_is_admin?
+          helper_method :admin?
+          helper_method :access_in_role?
+        end
+      end
+      module InstanceMethods
+        protected
+        def add_role_authorization_session_values(user = nil)
+          user ||= current_user
+          if user
+            roles = user.roles.where({:roleable_id => nil}).all
+            session[:access_rights] = roles.collect {|role| role.name.to_sym}
+          end
+        end
+        def current_user_is_admin?
+          !session[:access_rights].nil? && session[:access_rights].include?(:all)
+        end
+        def admin?
+          current_user_is_admin?
+        end
+        def access_in_role?(role)
+          return true if current_user_is_admin?
+          return true if session_access_rights_include?(role)
+          false
+        end
+        def session_access_rights_include?(role)
+          return false unless session[:access_rights]
+          session[:access_rights].include?(role)
+        end
+        def reset_role_authorization_session
+          [:access_rights].each do |val|
+            session[val] = nil if session[val]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/role_authorization/exts/user.rb ADDED Viewed

@@ -0,0 +1,58 @@
+module RoleAuthorization
+  module Exts
+    module User
+      def self.included(base)
+        base.send :extend, ClassMethods
+        base.send :include, InstanceMethods
+        base.class_eval do
+          has_many :user_roles, :dependent => :delete_all
+          has_many :roles, :through => :user_roles
+        end
+      end
+      module ClassMethods
+        def enroll(user_id, role_name)
+          user = find_by_id(user_id.to_i)
+          user.enroll(role_name) unless user.nil?
+        end # enroll
+        def withdraw(user_id, role_name)
+          user = find_by_id(user_id.to_i)
+          user.withdraw(role_name) unless user.nil?
+        end # withdraw
+      end # ClassMethods
+      module InstanceMethods
+        # has_object_role? simply needs to return true or false whether a user has a role or not.
+        # It may be a good idea to have "admin" roles return true always
+        # Return false always for anonymous users
+        def has_object_role?(role, object)
+          return false if self.anonymous?
+          @object_user_roles ||= roles.all(:conditions => ["roleable_type IS NOT NULL and roleable_id IS NOT NULL"])
+          result = @object_user_roles.detect do |r|
+            r.roleable_type == object.class.to_s && r.roleable_id == object.id && r.name == role.to_s
+          end
+          !result.nil?
+        end
+        # adds a role to the user
+        def enroll(role_name)
+          role_id = role_name.is_a?(Integer) ? role_name : Role.find_by_name(role_name.to_s).try(:id)
+          user_roles.create(:role_id => role_id) if !role_id.nil? && self.user_roles.find_by_role_id(role_id).nil?
+        end
+        def withdraw(role_name)
+          role_id = role_name.is_a?(Integer) ? role_name : Role.find_by_name(role_name.to_s).try(:id)
+          UserRole.delete_all(["user_id = ? AND role_id = ?", self.id, role_id]) unless role_id.nil?
+        end
+        def admin?
+          return true if roles.include?(Role.get(:all))
+          false
+        end
+      end # InstanceMethods
+    end
+  end
+end

data/lib/role_authorization/exts/view.rb ADDED Viewed

@@ -0,0 +1,77 @@
+module RoleAuthorization
+  module Exts
+    module View
+       def self.included(base)
+         base.class_eval do
+           alias_method :link_to_open, :link_to
+           alias_method :link_to, :link_to_secured
+           alias_method :button_to_open, :button_to
+           alias_method :button_to, :button_to_secured
+           alias_method :form_for_open, :form_for
+           alias_method :form_for, :form_for_secured
+         end
+       end
+      def form_for_secured(record_or_name_or_array, *args, &proc)
+        options = args.last.is_a?(Hash) ? args.last : {}
+        url = url_for(options[:url])
+        method = (options[:html] && options[:html].has_key?(:method)) ? options[:html][:method] : :post
+        if authorized?(url, method)
+          return form_for_open(record_or_name_or_array, *args, &proc)
+        else
+          return ""
+        end
+      end
+      def link_to_secured(name, options = {}, html_options = nil)
+        url = url_for(options)
+        method = (html_options && html_options.has_key?(:method)) ? html_options[:method] : :get
+        if authorized?(url, method)
+          return link_to_open(name, url, html_options)
+        else
+          return ""
+        end
+      end
+      def button_to_secured(name, options = {}, html_options = nil)
+        url = url_for(options)
+        method = (html_options && html_options.has_key?(:method)) ? html_options[:method] : :post
+        if authorized?(url, method)
+          return button_to_open(name, url, html_options)
+        else
+          return ""
+        end
+      end
+      def role(*user_roles, &block)
+        if block_given? && !session[:access_rights].blank? && !(user_roles & session[:access_rights]).empty?
+          capture_haml(&block)
+        end
+      end
+      def permitted_to?(url, method, &block)
+        capture_haml(&block) if block_given? && authorized?(url, method)
+      end
+      def link_to_or_show(name, options = {}, html_options = nil)
+        lnk = link_to(name, options, html_options)
+        lnk.length == 0 ? name : lnk
+      end
+      def links(*lis)
+        rvalue = []
+        lis.each{|link| rvalue << link if link.length > 0 }
+        rvalue.join(' | ')
+      end
+    end # View
+  end
+end