role_authorization 0.1.6 → 0.2.0

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    role_authorization (0.1.3)
+    role_authorization (0.1.5)
 
 GEM
   remote: http://rubygems.org/

data/lib/rails/role_authorization.rb

@@ -1,7 +1,15 @@
 module RoleAuthorization
   class Railtie < Rails::Railtie
     initializer "role_authorization.initialize" do |app|
-      RoleAuthorization.enable
+      RoleAuthorization.load_rules
+      ::ActiveRecord::Base.send :extend, RoleAuthorization::ActiveRecord if defined?(::ActiveRecord)
+    end
+
+    # runs before every request in development
+    # and once in production before serving requests
+    # http://www.engineyard.com/blog/2010/extending-rails-3-with-railties
+    config.to_prepare do
+      RoleAuthorization::Roles.manager.try(:persist!)
     end
   end
 end

data/lib/role_authorization/active_record.rb

@@ -0,0 +1,7 @@
+module RoleAuthorization
+  module ActiveRecord
+    def acts_as_role_manager
+      RoleAuthorization::Roles.manager.setup(self)
+    end
+  end
+end

data/lib/role_authorization/controller/mapper.rb

@@ -0,0 +1,44 @@
+module RoleAuthorization
+  class Mapper
+    def initialize
+      @rules = Hash.new do |h,k|
+        h[k] = Array.new
+      end
+      self
+    end
+
+    def to_s
+      output = []
+      @rules.each_pair do |action, rules|
+        output << "Action :#{action}"
+        rules.map {|rule| output << "    #{rule.to_s}"}
+        output << ""
+        output << ""
+      end
+
+      output.join("\n")
+    end
+
+    def add_to_rules(rule_name, *options, &block)
+      rule = RoleAuthorization::Rules::Rule.new(*options, &block)
+
+      actions = ([rule.options[:only] || [:all]]).flatten.map(&:to_sym)
+
+      actions.map do |action|
+        @rules[action] << rule
+      end
+    end
+
+    def authorized?(controller_instance, controller, action, id = nil)
+      rules = @rules[action]
+
+      return false if rules.empty?
+
+      rules.map do |rule|
+        return true if rule.authorized?(controller_instance, controller, action, id)
+      end
+
+      return false
+    end
+  end
+end

data/lib/role_authorization/{ruleset.rb → controller/ruleset.rb}

@@ -9,22 +9,20 @@ module RoleAuthorization
       def cattr_ruleset(*syms)
         syms.each do |sym|
           class_eval(<<-EOS, __FILE__, __LINE__ + 1)
-            unless defined? @@#{sym}
-              @@#{sym} = Hash.new
-            end
-
             def self.#{sym}
+              @@#{sym} ||= Hash.new
               @@#{sym}
             end
 
             def self.#{sym}=(obj)
+              @@#{sym} ||= Hash.new
               @@#{sym} = obj
             end
 
             def self.add_to_#{sym}(name, set = nil, &block)
               ruleset = self.#{sym}
               if block_given?
-                ruleset[name] = RoleAuthorization::Mapper.new(self)
+                ruleset[name] = RoleAuthorization::Mapper.new
                 ruleset[name].instance_eval(&block)
               elsif !set.nil?
                 ruleset[name] = set

data/lib/role_authorization/controller.rb

@@ -0,0 +1,117 @@
+module RoleAuthorization
+  module Controller
+    def self.included(base)
+      base.class_eval do
+        helper_method :authorized?
+        helper_method :accessible?
+      end
+      base.send :extend, RoleAuthorization::Ruleset::ClassMethods
+      base.send :cattr_ruleset, :ruleset, :allowable_groups
+
+      base.send :extend, ClassMethods
+      base.send :include, InstanceMethods
+    end
+
+    module ClassMethods
+      def allow_group(*args)
+        add_to_allowable_groups(self.controller_rule_name, args)
+        add_role_authorization_filter
+      end
+
+      def allow(&block)
+        add_to_ruleset(self.controller_rule_name, &block)
+        add_role_authorization_filter
+      end
+
+      def add_role_authorization_filter
+        callbacks = _process_action_callbacks
+        chain = callbacks.select {|cl| cl.klass.to_s.include?(name)}.collect(&:filter).select {|c| c.is_a?(Symbol)}
+        before_filter :check_request_authorization unless chain.include?(:check_request_authorization)
+      end
+
+      def controller_rule_name
+        @controller_rule_name ||= name.gsub('Controller', '').underscore.downcase
+      end
+
+      def controller_model
+        @controller_model ||= name.gsub('Controller', '').singularize
+      end
+    end # ClassMethods
+
+    module InstanceMethods
+      def check_request_authorization
+        unless authorized_action?(self, self.class.controller_rule_name, action_name.to_sym, params[:id])
+          raise SecurityError, "You do not have the required clearance to access this resource."
+        end
+      end
+
+      def authorized_action?(controller_klass, controller, action, id = nil)
+        # by default admins see everything
+        return true if admin?
+
+        ruleset = self.class.ruleset[controller]
+        groups = RoleAuthorization::AllowGroup.get(self.class.allowable_groups[controller])
+
+        if defined?(::DEBUG_AUTHORIZATION_RULES) == 'constant'
+          Rails.logger.info "#" * 30
+          Rails.logger.info controller.to_s
+          Rails.logger.info ruleset.to_s
+          Rails.logger.info "#" * 30
+        end
+
+        # we have no ruleset for this controller or any allow groups so deny
+        return false if ruleset.nil? && groups.empty?
+
+        # first check controller ruleset
+        unless ruleset.nil?
+          return true if ruleset.authorized?(controller_klass, controller, :all, id)
+          return true if ruleset.authorized?(controller_klass, controller, action, id)
+        end
+
+        # next check any allow groups
+        unless groups.empty?
+          groups.each do |group|
+            return true if group.authorized?(controller_klass, controller, :all, id)
+            return true if group.authorized?(controller_klass, controller, action, id)
+          end
+        end
+
+        # finally deny if they haven't passed any rules
+        return false
+      end
+
+      def authorized?(url, method = nil)
+        return false unless url
+        return true if admin?
+
+        method ||= (params[:method] || request.method)
+        url_parts = URI::split(url.strip)
+        path = url_parts[5]
+
+        begin
+          hash = Rails.application.routes.recognize_path(path, :method => method)
+          return authorized_action?(self, hash[:controller], hash[:action].to_sym, hash[:id]) if hash
+        rescue Exception => e
+          Rails.logger.error e.inspect
+          e.backtrace.each {|line| Rails.logger.error line }
+          # continue on
+        end
+
+        # Mailto link
+        return true if url =~ /^mailto:/
+
+        # Public file
+        file = File.join(Rails.root, 'public', url)
+        return true if File.exists?(file)
+
+        # Passing in different domain
+        return remote_url?(url_parts[2])
+      end
+
+      def remote_url?(domain = nil)
+        return false if domain.nil? || domain.strip.length == 0
+        request.host.downcase != domain.downcase
+      end
+    end # InstanceMethods
+  end
+end

data/lib/role_authorization/roles/manager.rb

@@ -0,0 +1,84 @@
+module RoleAuthorization
+  module Roles
+    class Manager
+      attr_accessor :global_roles, :object_roles
+      attr_accessor :group_definitions, :groups
+      attr_accessor :nicknames, :creations
+      attr_accessor :klass
+
+      def initialize
+        @global_roles = {}
+        @object_roles = []
+        @groups = Hash.new
+        @creations = Hash.new
+        @nicknames = Hash.new {|hash, key| key}
+
+        self
+      end
+
+      module InstanceMethods
+        def setup(klass)
+          @klass = klass
+          klass.send(:include, RoleAuthorization::Roles::Role)
+
+          # now that we know what class to use, create our role groups
+          @group_definitions.each_pair do |group_name, roles|
+            @groups[group_name.to_sym] = RoleAuthorization::Roles::RoleGroup.new(klass, roles)
+          end
+        end
+
+        def roles(*options)
+          @global_roles, @object_roles = if options.last.is_a?(Hash)
+                                           [options.pop, options].reverse
+                                         else
+                                           [options, {}]
+                                         end
+        end
+
+        def creation_rules(rules)
+          rules.each_pair do |key, allowed_roles|
+            @creations[key] = allowed_roles.flatten.uniq
+          end
+        end
+
+        def group(groups)
+          @group_definitions = groups
+        end
+
+        def nickname(nicknames)
+          @nicknames = nicknames
+        end
+
+        def any(new_scope = nil)
+          case new_scope
+          when nil
+            [global_roles, object_roles.values].flatten
+          when :global
+            global_roles
+          else
+            object_roles[new_scope]
+          end
+        end
+
+        # make sure our defined roles are in the database
+        # remove any roles taken out
+        def persist!
+          return if klass.nil?
+          return unless klass.new.respond_to?(:nickname)
+
+          persisted_roles = klass.all.inject({}) {|hash, record| hash[record.name.to_sym] = record; hash}
+
+          [global_roles, object_roles.values].flatten.map do |role_name|
+            if persisted_roles.delete(role_name).nil?
+              klass.create(:name => role_name, :nickname => nicknames[role_name])
+            end
+          end
+
+          # if we have persisted roles left we delete them
+          persisted_roles.values.map(&:destroy)
+        end
+      end
+      include InstanceMethods
+    end
+  end
+end

data/lib/role_authorization/roles/role.rb

@@ -0,0 +1,66 @@
+module RoleAuthorization
+  module Roles
+    module Role
+      def self.included(base)
+        base.send :extend, ClassMethods
+        base.send :include, InstanceMethods
+        base.class_eval do
+          validates_uniqueness_of :name
+          serialize :user_ids
+        end
+      end
+
+      module InstanceMethods
+        def users(scope = nil)
+          if user_ids.is_a?(Hash)
+            User.where(:id => user_ids[scope])
+          else
+            User.where(:id => user_ids)
+          end
+        end
+
+        def add_user(user_id, scope = nil)
+          unserialized_user_ids = self.user_ids
+
+          if scope.nil? || scope.is_a?(Symbol) || scope.is_a?(String) || scope.is_a?(Class)
+            unserialized_user_ids ||= Array.new
+            unserialized_user_ids << user_id
+            unserialized_user_ids.uniq!
+          else
+            unserialized_user_ids ||= Hash.new
+            unserialized_user_ids[scope.id] ||= Array.new
+            unserialized_user_ids[scope.id] << user_id
+            unserialized_user_ids[scope.id].uniq!
+          end
+
+          self.user_ids = unserialized_user_ids
+
+          save
+        end
+
+        def remove_user(user_id, scope = nil)
+          unserialized_user_ids = self.user_ids
+
+          if scope.nil? || scope.is_a?(Symbol) || scope.is_a?(String) || scope.is_a?(Class)
+            unserialized_user_ids ||= Array.new
+            unserialized_user_ids.delete(user_id)
+          else
+            unserialized_user_ids ||= Hash.new
+            unserialized_user_ids[scope.id] ||= Array.new
+            unserialized_user_ids[scope.id].delete(user_id)
+          end
+
+          self.user_ids = unserialized_user_ids
+
+          save
+        end
+      end
+
+      module ClassMethods
+        def group(group_name)
+          RoleAuthorization::Roles.manager.groups[group_name.to_sym]
+        end
+      end
+    end
+  end
+end

data/lib/role_authorization/roles/role_group.rb

@@ -0,0 +1,16 @@
+module RoleAuthorization
+  module Roles
+    class RoleGroup
+      attr_accessor :klass, :roles
+
+      def initialize(klass, roles)
+        @klass = klass
+        @roles = roles
+      end
+
+      def users
+        klass.find_all_by_name(roles).map(&:users)
+      end
+    end
+  end
+end

data/lib/role_authorization/roles.rb

@@ -0,0 +1,14 @@
+module RoleAuthorization
+  module Roles
+    module ClassMethods
+      def configure(&block)
+        (@role_manager ||= RoleAuthorization::Roles::Manager.new).instance_eval(&block)
+      end
+
+      def manager
+        @role_manager
+      end
+    end
+    extend ClassMethods
+  end
+end

data/lib/role_authorization/rules/defaults.rb

@@ -0,0 +1,25 @@
+RoleAuthorization::Rules.define :all do
+  true
+end
+
+RoleAuthorization::Rules.define :role do
+  controller_instance.current_user.roles(options[:scope] || :global).include?(options[:role])
+end
+
+RoleAuthorization::Rules.define :user do
+  resource = controller_instance.instance_variable_get("@#{options[:resource]}".to_sym)
+
+  if resource.nil?
+    false
+  else
+    controller_instance.current_user.try(:id) == resource.try(options[:check])
+  end
+end
+
+RoleAuthorization::Rules.define :custom do
+  unless options[:block].nil?
+    true if options[:block].call(controller_instance) == true
+  else
+    false
+  end
+end

data/lib/role_authorization/rules/rule.rb

@@ -0,0 +1,33 @@
+module RoleAuthorization
+  module Rules
+    class Rule
+      attr_accessor :role, :options
+      attr_accessor :returning
+
+      # for calls to authorized?
+      attr_accessor :controller_instance, :controller, :action, :id
+
+      def initialize(*options, &block)
+        @returning = block
+        @options, @role = if options.is_a?(Hash)
+                            [options, nil]
+                          elsif options.last.is_a?(Hash)
+                            [options.pop, options.first]
+                          else
+                            [{}, options.first]
+                          end
+
+        self
+      end
+
+      def authorized?(*args)
+        @controller_instance, @controller, @action, @id = args
+
+        instance_eval(&returning)
+      end
+    end
+  end
+end
+
+
+

data/lib/role_authorization/rules.rb

@@ -0,0 +1,12 @@
+module RoleAuthorization
+  module Rules
+    module ClassMethods
+      def define(rule_name, &block)
+        RoleAuthorization::Mapper.send(:define_method, rule_name) do |*args|
+          add_to_rules(rule_name, *args, &block)
+        end
+      end
+    end
+    extend ClassMethods
+  end
+end

data/lib/role_authorization/user.rb

@@ -0,0 +1,121 @@
+module RoleAuthorization
+  module User
+    def self.included(base)
+      base.send :extend, ClassMethods
+      base.send :include, InstanceMethods
+
+      base.class_eval do
+        serialize :serialized_roles
+      end
+    end
+
+    module ClassMethods
+      def enroll(user_id, role_name)
+        user = find_by_id(user_id.to_i)
+        user.enroll(role_name) unless user.nil?
+      end # enroll
+
+      def withdraw(user_id, role_name)
+        user = find_by_id(user_id.to_i)
+        user.withdraw(role_name) unless user.nil?
+      end # withdraw
+    end # ClassMethods
+
+    module InstanceMethods
+      def scope_with(scope = nil)
+        return [nil, nil] if scope.nil?
+
+        if scope.is_a?(Symbol) || scope.is_a?(String)
+          [scope, nil]
+        elsif scope.is_a?(Class)
+          [scope.to_s.downcase.to_sym, nil]
+        else
+          [scope.class.to_s.downcase.to_sym, scope.id]
+        end
+      end
+
+      def roles(scope = nil)
+        scope, scope_id = scope_with(scope)
+
+        (serialized_roles || {}).inject([]) do |array, (key, value)|
+          if key == :global && scope.nil?
+            array << value
+          else
+            if scope.nil? || (key == scope.to_sym && scope_id.nil?)
+              array << value.values
+            else
+              array << value[scope_id]
+            end
+          end
+
+          array
+        end.flatten.uniq
+      end
+
+      def has_role?(role, scope = nil)
+        roles(scope).include?(role)
+      end
+
+      # adds a role to the user
+      def enroll(role_name, scope = nil)
+        return true if has_role?(role_name.to_sym, scope)
+
+        scope, scope_id = scope_with(scope)
+        self.serialized_roles ||= Hash.new
+
+        if scope.nil?
+          self.serialized_roles[:global] ||= Array.new
+          self.serialized_roles[:global] << role_name.to_sym
+        else
+          if scope_id.nil?
+            self.serialized_roles[scope] ||= Array.new
+            self.serialized_roles[scope] << role_name.to_sym
+          else
+            self.serialized_roles[scope] ||= Hash.new
+            self.serialized_roles[scope][scope_id] ||= Array.new
+            self.serialized_roles[scope][scope_id] << role_name.to_sym
+          end
+        end
+
+        if save
+          RoleAuthorization::Roles.manager.klass.find_by_name(role_name).add_user(self.id, scope)
+          true
+        else
+          false
+        end
+      end
+
+      def withdraw(role_name, scope = nil)
+        return true unless has_role?(role_name.to_sym, scope)
+
+        scope, scope_id = scope_with(scope)
+        serialized_roles ||= Hash.new
+
+        if scope.nil?
+          self.serialized_roles[:global] ||= Array.new
+          self.serialized_roles[:global].delete(role_name.to_sym)
+        else
+          if scope_id.nil?
+            self.serialized_roles[scope] ||= Array.new
+            self.serialized_roles[scope].delete(role_name.to_sym)
+          else
+            self.serialized_roles[scope] ||= Hash.new
+            self.serialized_roles[scope][scope_id] ||= Array.new
+            self.serialized_roles[scope][scope_id].delete(role_name.to_sym)
+          end
+        end
+
+        if save
+          RoleAuthorization::Roles.manager.klass.find_by_name(role_name).remove_user(self.id, scope)
+          true
+        else
+          false
+        end
+      end
+
+      def admin?
+        has_role?(:all, :global)
+      end
+    end # InstanceMethods
+  end
+end

data/lib/role_authorization/version.rb

@@ -1,3 +1,3 @@
 module RoleAuthorization
-  VERSION = "0.1.6"
+  VERSION = "0.2.0"
 end