role_based_authorization 0.1.11 → 0.1.12

data/VERSION

@@ -1 +1 @@
-0.1.11
+0.1.12

data/lib/role_based_authorization.rb

@@ -1,2 +1,4 @@
 require 'role_based_authorization/authorization_logger.rb'
+require 'role_based_authorization/class_additions'
+require 'role_based_authorization/rule.rb'
 require 'role_based_authorization/role_based_authorization.rb'

data/lib/role_based_authorization/class_additions.rb

@@ -0,0 +1,66 @@
+module RoleBasedAuthorization
+# Defines the class methods that are to be added to the application controller
+ module ClassAdditions
+   # Returns the set of rules defined on this controller
+   def role_auth_rules
+     @@rules||={}
+     @@rules
+   end
+   
+   # Returns true if one of the given rules  matches the
+   # given options. rules must be an hash with a list of rules for
+   # each action
+   def find_matching_rule rules, options
+     user,actions,ids = *options.values_at(:user, :actions, :ids)
+
+     return actions.find do |action|
+       AUTHORIZATION_LOGGER.debug('current action: %s' % [action])      
+       action = action.to_sym
+       rules_for_action = rules[action]
+       rules_for_action && rules_for_action.find { |rule| rule.match(user, ids) }
+     end
+   end
+   
+   
+   # Defines the DSL for the authorization system. The syntax is:
+   #   permit  :actions => [list of actions], 
+   #       :to  => [list of roles], 
+   #       :if  => lambda_expression,
+   #       :object_id => object_id_symbol
+   # 
+   # you can add any number of these in anyone of your controller.
+   # 
+   # options:
+   # 
+   # <b>:to</b>::  
+   #   the list of roles interested by this rule. The actual contents of this list depends on what your application defines to be a role. If you use integers, it could be a vector like [1,4] or as [ROOT, ADMIN], where ROOT and ADMIN are symbolic costants containing the corresponding integer values. You can specify all roles by specifying :all in place of the role list.
+   # 
+   # <b>:actions</b>::  
+   #   the list of actions that are permitted to the mentioned roles. Actions are actual method names of the current controller and can be given as symbols or as strings. For instance ['index', 'show'] is equivalent to [:index, :show]. You can grant access to all actions by specifying :all instead of the action list. 
+   # 
+   # <b>:if</b>:: 
+   #   a lambda expression that verifies additional conditions. The lambda expression takes two arguments: the current user and the id of an object. For instance you may want to verify that "normal" users could only modify objects that they own. You can say that by specifying: 
+   #     permit :actions => [:edit, :update], 
+   #       :to => [NORMAL], 
+   #       :if => lambda { |user, obj_id| TheObject.find(obj_id).owner == user }
+   # 
+   # <b>:object_id</b>:: 
+   #   normally the object id passed to the lambda expression of the :if option is retrieved from the params hash using :id (i.e. normally obj_id = params[:id]), you can specify other identifiers using this option, e.g.:
+   #     :object_id => :product_id
+   #   specifies that :product_id should be used instead of :id.
+   
+   def permit options 
+     options[:controller] ||= controller_name
+     controller = options[:controller]
+     actions    = [*options[:actions]]  # create an array if options[:actions] is not already an array
+     
+     role_auth_rules[controller] ||= {}      
+     
+     actions.each do |action|
+       action = action.to_sym  # this allows for both symbols and strings to be used for action names
+       role_auth_rules[controller][action] ||= []
+       role_auth_rules[controller][action] << RoleBasedAuthorization::Rule.new(options[:to], options[:if], options[:object_id])
+     end
+   end  
+ end
+end

data/lib/role_based_authorization/role_based_authorization.rb

@@ -1,180 +1,68 @@
+
 module RoleBasedAuthorization
   # AuthorizationLogger instance that is used throughout the plugin for logging
   # events.
   AUTHORIZATION_LOGGER = AuthorizationLogger.new(File.join(RAILS_ROOT,'log','authorization.log'))
-  
-  module ClassMethods; end
-  
+    
   # Fires when the module is included into the controllers. It adds all class methods
-  # defined in the ClassMethods sub-module and the authorize_action? and if_authorized?
+  # defined in the ClassAdditions sub-module and the authorize_action? and if_authorized?
   # instance methods.
   def self.included(klass)
-   klass.extend(ClassMethods)
+   klass.extend(ClassAdditions)
    
    klass.class_eval do
      helper_method :authorize_action?
      helper_method :if_authorized?
    end
   end
-
-  # Defines the class methods that are to be added to the application controller
-  module ClassMethods
-    # Returns the set of rules defined on this controller
-    def role_auth_rules
-      @@rules||={}
-      @@rules
-    end
-    
-    # Defines the DSL for the authorization system. The syntax is:
-    #   permit  :actions => [list of actions], 
-    #       :to  => [list of roles], 
-    #       :if  => lambda_expression,
-    #       :object_id => object_id_symbol
-    # 
-    # you can add any number of these in anyone of your controller.
-    # 
-    # options:
-    # 
-    # <b>:to</b>::  
-    #   the list of roles interested by this rule. The actual contents of this list depends on what your application defines to be a role. If you use integers, it could be a vector like [1,4] or as [ROOT, ADMIN], where ROOT and ADMIN are symbolic costants containing the corresponding integer values. You can specify all roles by specifying :all in place of the role list.
-    # 
-    # <b>:actions</b>::  
-    #   the list of actions that are permitted to the mentioned roles. Actions are actual method names of the current controller and can be given as symbols or as strings. For instance ['index', 'show'] is equivalent to [:index, :show]. You can grant access to all actions by specifying :all instead of the action list. 
-    # 
-    # <b>:if</b>:: 
-    #   a lambda expression that verifies additional conditions. The lambda expression takes two arguments: the current user and the id of an object. For instance you may want to verify that "normal" users could only modify objects that they own. You can say that by specifying: 
-    #     permit :actions => [:edit, :update], 
-    #       :to => [NORMAL], 
-    #       :if => lambda { |user, obj_id| TheObject.find(obj_id).owner == user }
-    # 
-    # <b>:object_id</b>:: 
-    #   normally the object id passed to the lambda expression of the :if option is retrieved from the params hash using :id (i.e. normally obj_id = params[:id]), you can specify other identifiers using this option, e.g.:
-    #     :object_id => :product_id
-    #   specifies that :product_id should be used instead of :id.
-    
-    def permit options 
-      options[:controller] ||= controller_name
-      controller = options[:controller]
-      actions    = [*options[:actions]]  # create an array if options[:actions] is not already an array
       
-      role_auth_rules[controller] ||= {}      
-      
-      actions.each do |action|
-        action = action.to_sym  # this allows for both symbols and strings to be used for action names
-        role_auth_rules[controller][action] ||= []
-        role_auth_rules[controller][action] << RoleBasedAuthorization::Rule.new(options[:to], options[:if], options[:object_id])
-      end
-    end  
-  end
-  
-  
-  # Model an authorization rule. A rule is a triplet: <roles, cond, object_id>
-  # a rule match if the user role is in roles and cond (if not nil) is satisfied when objects
-  # are retrieved using object_id.
-  class Rule
-    # rule initialization. roles is mandatory, cond is optional, object_id defaults
-    # to :id if nil.
-    def initialize roles, cond, object_id
-      roles = [roles] unless roles.respond_to? :each
-            
-      @roles = roles
-      @cond = cond
-      @object_id = object_id || :id
-    end
-    
-    # return true if this rule matches the given user and objects
-    def match(user, objects)      
-      AUTHORIZATION_LOGGER.debug('trying '+self.inspect)
-      
-      matching = @roles.include?(:all)
-      
-      # checking for right role (no need to check them if already matching)
-      matching = !@roles.find { |role| !user.nil? && role == user.role }.nil? if !matching
-      
-      if @cond.nil?
-        return matching
-      else
-        # to have a proper match, also the condition must hold
-        return matching && @cond.call(user,objects[@object_id])
-      end
-    end
-    
-    # string representation for this rule
-    def inspect
-      str =  "rule(#{self.object_id}): allow roles [" + @roles.join(',') + "]"
-      str += " (only under condition object_id will be retrieved using '#{@object_id}')" if @cond
-      
-      str
-    end
-  end
-  
-  
   # Returns true if one of the rules defined for this controller matches
   # the given options
-  def exists_rule_matching_options? user, controllers, actions, ids
+  def exists_matching_rule? options
     rules = self.class.role_auth_rules
-    AUTHORIZATION_LOGGER.debug("current set of rules: %s" % [rules.inspect])
-    
-    
-    controllers.each do |controller|    
-      if( !controller.blank? && rules[controller].nil? )
-        # tries to load the controller. Rails automagically loads classes if their name
-        # is used anywhere. By trying to constantize the name of the controller, we
-        # force rails to load it.
-        controller_klass = (controller.to_s+'_controller').camelize.constantize
-      end
     
+    return options[:controllers].find do |controller|    
       AUTHORIZATION_LOGGER.debug("current controller: %s" % [controller])
+
+      rules_for_controller = rules[controller]
+
+      # tries to load the controller. Rails automagically loads classes if their name
+      # is used anywhere. By trying to constantize the name of the controller, we
+      # force rails to load it. Loading the controller class causes the insertion of the rules defined therein
+      # into the object pointed by rules_for_controller.
+      (controller.to_s+'_controller').camelize.constantize if( !controller.blank? && rules_for_controller.nil? )
     
-      actions.each do |action|
-        AUTHORIZATION_LOGGER.debug('current action: %s' % [action])
-        
-        action = action.to_sym
-        action_class = action.class
-        raise "Action should be a symbol -- not a #{action_class.name}!" if action_class != Symbol
-        
-        rules_for_this_action = rules[controller] && rules[controller][action]
-        next if rules_for_this_action.nil?
-        
-        return true if rules_for_this_action.find { |rule| rule.match(user, ids) }
-      end
+
+      rules_for_controller && self.class.find_matching_rule(rules_for_controller, options)
     end
-    
-    return false
   end
     
   # Main authorization logic. opts is an hash with the following keys
   # :user, :controller, :action:: self explanatory
   # :ids:: id to be used to retrieve relevant objects
-  def authorize_action? opts = {}  
-    # Option handling
-    user, ids, controller, action = *opts.values_at(:user, :ids, :controller, :action)
-    user ||= current_user
-
-    if respond_to?(:logged_in?) && !logged_in?
-      AUTHORIZATION_LOGGER.info("returning false (not logged in)")
-      return false
-    end
-        
-    ids ||= {}
-    ids.reverse_merge!( opts.reject { |key,value| key.to_s !~ /(_id\Z)|(\Aid\Z)/ } )
+  def do_authorize_action? opts
+    # exiting immediately if not logged in
+    return false if respond_to?(:logged_in?) && !logged_in?
     
-    user = current_user           if user.nil?        && respond_to?(:current_user)
-    controller = controller_name  if controller.nil?  && respond_to?(:controller_name)
+    opts.reverse_merge!( :user => current_user, :controller => controller_name, :ids => {} )
+    user, controller, action, ids = opts.values_at( :user, :controller, :action, :ids )
+    ids.reverse_merge!( opts.reject { |key,value| key.to_s !~ /(_id\Z)|(\Aid\Z)/ } )
     
-    AUTHORIZATION_LOGGER.info("user %s requested access to method %s:%s using ids:%s" %
-        [ user && (user.inspect + "(id:#{user.id} role:#{user.role})") || 'none',
-          controller,
-          action,
-          ids.inspect])
+    new_options = { :user         => user, 
+                    :controllers  => [controller,'application'], 
+                    :actions      => [:all,action], 
+                    :ids          => ids }
+                    
+    return exists_matching_rule?( new_options ) != nil
+  end
+  
+  # wraps some logging around do_authorize_action?.
+  def authorize_action? opts = {}
+    AUTHORIZATION_LOGGER.info("access request. options: %s" % [opts.inspect])
+    result = do_authorize_action? opts
+    AUTHORIZATION_LOGGER.info("returning #{result}")
     
-    if exists_rule_matching_options?( user, [controller,'application'], [:all,action] , ids )
-      AUTHORIZATION_LOGGER.info('returning true (access granted)')
-      return true 
-    else      
-      AUTHORIZATION_LOGGER.info('returning false (access denied)')
-      return false
-    end
+    return result
   end
   
   

data/lib/role_based_authorization/rule.rb

@@ -0,0 +1,43 @@
+module RoleBasedAuthorization
+
+  # Model an authorization rule. A rule is a triplet: <roles, cond, object_id>
+  # a rule match if the user role is in roles and cond (if not nil) is satisfied when objects
+  # are retrieved using object_id.
+  class Rule
+    # rule initialization. roles is mandatory, cond is optional, object_id defaults
+    # to :id if nil.
+    def initialize roles, cond, object_id
+      roles = [roles] unless roles.respond_to? :each
+
+      @roles = roles
+      @cond = cond
+      @object_id = object_id || :id
+    end
+
+    # return true if this rule matches the given user and objects
+    def match(user, objects)      
+      AUTHORIZATION_LOGGER.debug('trying '+self.inspect)
+
+      matching = @roles.include?(:all)
+
+      # checking for right role (no need to check them if already matching)
+      matching = !@roles.find { |role| !user.nil? && role == user.role }.nil? if !matching
+
+      if @cond.nil?
+        return matching
+      else
+        # to have a proper match, also the condition must hold
+        return matching && @cond.call(user,objects[@object_id])
+      end
+    end
+
+    # string representation for this rule
+    def inspect
+      str =  "rule(#{self.object_id}): allow roles [" + @roles.join(',') + "]"
+      str += " (only under condition object_id will be retrieved using '#{@object_id}')" if @cond
+
+      str
+    end
+  end
+
+end

data/role_based_authorization.gemspec

@@ -1,15 +1,15 @@
 # Generated by jeweler
 # DO NOT EDIT THIS FILE DIRECTLY
-# Instead, edit Jeweler::Tasks in Rakefile, and run the gemspec command
+# Instead, edit Jeweler::Tasks in rakefile, and run the gemspec command
 # -*- encoding: utf-8 -*-
 
 Gem::Specification.new do |s|
   s.name = %q{role_based_authorization}
-  s.version = "0.1.11"
+  s.version = "0.1.12"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Roberto Esposito"]
-  s.date = %q{2010-02-17}
+  s.date = %q{2010-02-18}
   s.description = %q{Provides a simple DSL for specifying the authorization logic of your application. Install the gem, add a role attribute to your user model and your almost ready to go.}
   s.email = %q{boborbt@gmail.com}
   s.extra_rdoc_files = [
@@ -23,7 +23,9 @@ Gem::Specification.new do |s|
      "VERSION",
      "lib/role_based_authorization.rb",
      "lib/role_based_authorization/authorization_logger.rb",
+     "lib/role_based_authorization/class_additions.rb",
      "lib/role_based_authorization/role_based_authorization.rb",
+     "lib/role_based_authorization/rule.rb",
      "rails/init.rb",
      "role_based_authorization.gemspec",
      "test/role_based_authorization_test.rb",

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: role_based_authorization
 version: !ruby/object:Gem::Version 
-  version: 0.1.11
+  version: 0.1.12
 platform: ruby
 authors: 
 - Roberto Esposito
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-02-17 00:00:00 +01:00
+date: 2010-02-18 00:00:00 +01:00
 default_executable: 
 dependencies: []
 
@@ -29,7 +29,9 @@ files:
 - VERSION
 - lib/role_based_authorization.rb
 - lib/role_based_authorization/authorization_logger.rb
+- lib/role_based_authorization/class_additions.rb
 - lib/role_based_authorization/role_based_authorization.rb
+- lib/role_based_authorization/rule.rb
 - rails/init.rb
 - role_based_authorization.gemspec
 - test/role_based_authorization_test.rb