simon_says 0.0.3

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 8bea95d0e9c7c97c12f1f3dabcd8b419ed9f3e40
+  data.tar.gz: 6faef8c22e188dea0013ad8e41f425079c88284c
+SHA512:
+  metadata.gz: e599afe61d51efe4e44d286e7fd5cb14954642e8af3855d115dd0aea3cf4eae12c8c316aa74dd322b45ea62ea689cb650c76e3448edbfe316bb6a2560e7ae510
+  data.tar.gz: db9ffc036f4cbcb123109214d60c97334d534f43202b614a777341baaf39a7d9bda35b00c4b116abee98d0c0bb6ef884bc45b9a2eda7a56aa36f100bde90848c

data/.gitignore

@@ -0,0 +1,18 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/docs/
+/pkg/
+/spec/reports/
+/tmp/
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log
+
+*.gem
+
+/test/rails_app/db/*.sqlite3

data/.gitpublish

@@ -0,0 +1,3 @@
+export_dir=docs/
+remote=origin
+branch=gh-pages

data/.travis.yml

@@ -0,0 +1,9 @@
+language: ruby
+rvm:
+  - "2.1.4"
+before_script:
+  - cd test/rails_app/
+  - bundle exec rake db:migrate db:fixtures:load
+  - cd ../..
+script:
+  - bundle exec rake test

data/Gemfile

@@ -0,0 +1,13 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in auth_lib.gemspec
+gemspec
+
+group :development do
+  gem 'sqlite3'
+
+  gem 'rdoc'
+
+  gem 'guard'
+  gem 'guard-minitest'
+end

data/Guardfile

@@ -0,0 +1,13 @@
+# A sample Guardfile
+# More info at https://github.com/guard/guard#readme
+
+guard :minitest do
+  # with Minitest::Unit
+  watch(%r{^test/(.*)\/?(.*)_test\.rb$})
+  watch(%r{^lib/(.*/)?([^/]+)\.rb$})     { |m| "test/#{m[1]}#{m[2]}_test.rb" }
+  watch(%r{^test/test_helper\.rb$})      { 'test' }
+
+  # watch test Rails app
+  watch(%r{^test/rails_app/app/models/(.*)\.rb$})       { |m| "test/models/#{m[1]}_test.rb" }
+  watch(%r{^test/rails_app/app/controllers/(.*)\.rb$})  { |m| "test/controllers/#{m[1]}_test.rb" }
+end

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2014 Michael Coyne
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,18 @@
+# SimonSays!
+
+![SimonSays
+Logo](https://raw.githubusercontent.com/SimplyBuilt/SimonSays/master/SimonSays.png)
+
+This gem is a simple, declarative, role-based access control system for Rails that
+works great with devise! Take a look at the [website](http://simonsays.onsimplybuilt.com) or
+[docs](http://www.rubydoc.info/github/SimplyBuilt/SimonSays/) for more details!
+
+![Build Status](https://travis-ci.org/SimplyBuilt/SimonSays.svg)
+
+## Contributing
+
+1. Fork it ( https://github.com/SimplyBuilt/SimonSays/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/ROADMAP.md

@@ -0,0 +1,9 @@
+# SimonSays Road Map
+
+## v2
+
+- Customization of authentication methods
+  - Currently we sort of assume you're using devise
+- More expressive `find_and_authorize` syntax
+- Add a way of authorizing against ALL roles not just any role
+- `grep -r TODO .`

data/Rakefile

@@ -0,0 +1,24 @@
+require "bundler/gem_tasks"
+require "rake/testtask"
+require 'rdoc/task'
+
+Rake::TestTask.new :test do |t|
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+namespace :docs do
+  RDoc::Task.new :generate do |rdoc|
+    rdoc.title = "SimonSays RDOC"
+    rdoc.main = "README.md"
+
+    rdoc.rdoc_dir = "docs"
+    rdoc.rdoc_files.include("README.md", "lib/**/*.rb")
+
+    rdoc.options << "--all"
+  end
+end
+
+
+task :default => :test

data/lib/simon_says/authorizer.rb

@@ -0,0 +1,157 @@
+module SimonSays
+  module Authorizer
+    extend ActiveSupport::Concern
+
+    class Denied < Exception
+      def initialize(as, required, actual)
+        # TODO i18n for err message (as should be singluarized with 1 flag)
+        super "Access denied; #{required * ', '} role is required. Current access is #{actual * ', '}"
+      end
+    end
+
+    included do
+      class_attribute :default_authorization_scope
+    end
+
+    # Once +Authorizer+ is included these methods become
+    # available to your controllers.
+    module ClassMethods
+      # Authentication convenience method (to keep things declarative).
+      # This method just setups a +before_filter+
+      #
+      # * +scope+ is a symbol or string and should correspond to some sort
+      #   of authentication scope (ie: +authenticate_user!+)
+      # * +opts+ filter options
+      #
+      # ====== Example
+      #
+      #    authenticate :user, expect: :index
+      #
+      def authenticate(scope, opts = {})
+        before_filter :"authenticate_#{scope}!", filter_options(opts)
+      end
+
+      # Find and authorize a resource.
+      #
+      # * +resource+ the name of resource to find
+      # * +roles+ one or more role symbols
+      # * the last argument may also be a filter options hash
+      #
+      # ====== Example
+      #
+      #     find_and_authorize :document, :create, :update :publish, through: :memberships
+      def find_and_authorize(resource, *roles)
+        opts = roles.extract_options!
+
+        before_filter(filter_options(opts)) do
+          find_resource resource, opts
+
+          authorize roles, opts unless roles.empty?
+        end
+      end
+
+      # Find a resource
+      #
+      # * +resource+ the name of the resource to find
+      # * +opts+ filter options
+      def find_resource(resource, opts = {})
+        before_filter(filter_options(opts)) do
+          find_resource resource, opts
+        end
+      end
+
+      # Authorize against a given resource
+      #
+      # * +resource+ the name of the resource to authorize against. The
+      #   resource should include +Roleable+ and define some set of
+      #   roles. This method also expect the record to be available as
+      #   an instance variable (which is the case if +find_resource+ is
+      #   called before hand)
+      # * +roles+ one or more role symbols
+      # * the last argument may also be a filter options hash
+      def authorize_resource(resource, *roles)
+        before_filter(filter_options(roles.extract_options!)) do
+          authorize(roles, { resource: resource })
+        end
+      end
+
+      def filter_options(options) # :nodoc:
+        { except: options.delete(:except), only: options.delete(:only) }
+      end
+    end
+
+    # @returns Primary resource found; need for +authorize+ calls
+    def find_resource(resource, options = {}) # :nodoc:
+      resource = resource.to_s
+
+      scope, query = resource_scope_and_query(resource, options)
+      through = options[:through] ? options[:through].to_s : nil
+
+      assoc = through || (options[:from] ? resource.pluralize : nil)
+      scope = scope.send(assoc) if assoc
+
+      record = scope.where(query).first!
+
+      if through
+        instance_variable_set "@#{through.singularize}", record
+        record = record.send(resource)
+      end
+
+      instance_variable_set "@#{resource}", record
+    end
+
+
+    def authorize(required = nil, options) # :nodoc:
+      if through = options[:through]
+        name = through.to_s.singularize.to_sym
+      else
+        name = options[:resource]
+      end
+
+      attr = Roleable.registry[name]
+      required ||= options[attr.to_sym]
+
+      required = [required] unless Array === required
+      record = instance_variable_get("@#{name}")
+
+      if record.nil? # must be devise scope
+        record = send("current_#{name}")
+        send "authenticate_#{name}!"
+      end
+
+      actual = record.send(attr)
+
+      # actual roles must have at least
+      # one required role (array intersection)
+      ((required & actual).size > 0).tap do |res|
+        raise Denied.new(attr, required, actual) unless res
+      end
+    end
+
+    private
+
+    def resource_scope_and_query(resource, options) # :nodoc:
+      if options[:through]
+        field = "#{resource}_id"
+
+        query = { field => params[field] } if params[field]
+        scope = send(self.class.default_authorization_scope)
+
+      elsif options[:from]
+        scope = instance_variable_get("@#{options[:from]}") || send(options[:from])
+
+      else
+        klass = (options[:class_name] || resource).to_s
+        # TODO support array of namespaces?
+        klass = "#{options[:namespace]}/#{klass}" if options[:namespace]
+
+        scope = klass.classify.constantize
+      end
+
+      field ||= :id
+      query ||= { field => params[:id] }
+
+      return scope, query
+    end
+  end
+end

data/lib/simon_says/roleable.rb

@@ -0,0 +1,107 @@
+module SimonSays
+  module Roleable
+    extend ActiveSupport::Concern
+
+    def self.registry # :nodoc:
+      # "global" registry we'll use when authorizing
+      @registry ||= {}
+    end
+
+    module ClassMethods
+      ##
+      # Provides a declarative method to introduce role based
+      # access controller through a give integer mask.
+      #
+      # By default it'll use an attributed named +role_mask+. You can
+      # use the +:as+ option to change the prefix for the +_mask+
+      # attribute. This will also alter the names of the dynamically
+      # generated methods.
+      #
+      # ===== Example
+      #
+      #   class User < ActiveRecord::Base
+      #     include SimonSays::Roleable
+      #
+      #     has_roles :read, :write, :delete
+      #   end
+      #
+      #   class Editor < ActiveRecord::Base
+      #     include SimonSays::Roleable
+      #
+      #     has_roles :create, :update, :publish, as: :access
+      #   end
+      #
+      # ===== Dynamic Methods
+      #
+      # Several methods are dynamically genreated when calling +has_roles+.
+      # The methods generated include a setter, a getter and a predicate
+      # method. For examples:
+      #
+      #   User.new.roles
+      #   => []
+      #
+      #   User.new(roles: :read).roles
+      #   => [:read]
+      #
+      #   User.new.tap { |u| u.roles = :write, :read }.roles
+      #   => [:read, :write]
+      #
+      #   User.new(roles: [:read, :write]).has_roles? :read, :write
+      #   => true
+      #
+      #   User.new(roles: :read).has_role? :read
+      #   => true
+      #
+      # Here's an example using the +:as+ prefix option:
+      #
+      #   Editor.new(access: %w[create update publish]).access
+      #   => [:create, :update, :publish]
+      #
+      #   Editor.new(access: :publish).has_access? :create
+      #   => false
+      #
+      def has_roles *roles
+        options = roles.extract_options!
+
+        name = (options[:as] || :roles).to_s
+        singular = name.singularize
+        const = name.upcase
+
+        Roleable.registry[model_name.to_s.downcase.to_sym] ||= name
+
+        roles.map!(&:to_sym)
+
+        class_eval <<-RUBY_EVAL, __FILE__, __LINE__
+          #{const} = %i[#{roles * ' '}]
+
+          def #{name}=(args)
+            args = [args] unless Array === args
+            args.map!(&:to_sym)
+
+            self[:#{name}_mask] = (args & #{const}).map { |i| 2 ** #{const}.index(i) }.sum
+          end
+
+          def #{name}
+            #{const}.reject { |i| ((#{name}_mask || 0) & 2 ** #{const}.index(i)).zero? }
+          end
+
+          def has_#{name}?(*args)
+            (#{name} & args).size > 0
+          end
+        RUBY_EVAL
+
+        if name != singular
+          class_eval <<-RUBY_EVAL
+            alias has_#{singular}? has_#{name}?
+          RUBY_EVAL
+        end
+
+        # Declare a scope for finding records with a given role set
+        # TODO support an array roles (must match ALL)
+        scope "with_#{name}", ->(role) {
+          where("(#{name}_mask & ?) > 0", 2**roles.index(role))
+        }
+      end
+    end
+  end
+end

data/lib/simon_says/version.rb

@@ -0,0 +1,3 @@
+module SimonSays
+  VERSION = "0.0.3"
+end

data/lib/simon_says.rb

@@ -0,0 +1,8 @@
+require 'active_support'
+
+require "simon_says/version"
+require "simon_says/roleable"
+require "simon_says/authorizer"
+
+module SimonSays
+end

data/simon_says.gemspec

@@ -0,0 +1,28 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'simon_says/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "simon_says"
+  spec.version       = SimonSays::VERSION
+  spec.authors       = ["Michael Coyne"]
+  spec.email         = ["mikeycgto@gmail.com"]
+  spec.summary       = %q{Light-weight, declarative authorization and access control for Rails}
+  spec.description   = %q{This gem is a simple, easy-to-use declarative role-based access control system for Rails}
+  spec.homepage      = "https://github.com/SimplyBuilt/SimonSays"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "activesupport", "~> 4.0"
+
+  spec.add_development_dependency "bundler", "~> 1.7"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rails", "~> 4.1"
+  spec.add_development_dependency "responders", "~> 1.0"
+  spec.add_development_dependency "mocha", "~> 1.1"
+end

data/test/controllers/admin/reports_controller_test.rb

@@ -0,0 +1,92 @@
+require 'test_helper'
+
+class Admin::ReportsControllerTest < ActionController::TestCase
+  setup do
+    @support = admins(:support)
+    @marketing = admins(:marketing)
+  end
+
+  test "index with access" do
+    @controller.current_admin = @support
+
+    get :index, format: :json
+
+    assert_response :success
+  end
+
+  test "index without access" do
+    @controller.current_admin = @marketing
+
+    assert_raises SimonSays::Authorizer::Denied do
+      get :index, format: :json
+    end
+  end
+
+  test "create with access" do
+    @controller.current_admin = @support
+
+    assert_difference 'Admin::Report.count' do
+      post :create, report: { title: 'Test' }, format: :json
+    end
+  end
+
+  test "create without access" do
+    @controller.current_admin = @marketing
+
+    assert_raises SimonSays::Authorizer::Denied do
+      post :create, report: { title: 'Test' }, format: :json
+    end
+  end
+
+  test "show with access" do
+    @controller.current_admin = @support
+
+    get :show, id: admin_reports(:report_one), format: :json
+
+    refute_nil assigns(:report)
+    assert_response :success
+  end
+
+  test "show without access" do
+    @controller.current_admin = @marketing
+
+    assert_raises SimonSays::Authorizer::Denied do
+      get :show, id: admin_reports(:report_one), format: :json
+    end
+  end
+
+  test "update with access" do
+    @controller.current_admin = @support
+
+    patch :show, id: admin_reports(:report_one), report: { title: 'Test' }, format: :json
+
+    refute_nil assigns(:report)
+    assert_response :success
+  end
+
+  test "update without access" do
+    @controller.current_admin = @marketing
+
+    assert_raises SimonSays::Authorizer::Denied do
+      patch :show, id: admin_reports(:report_one), report: { title: 'Test' }, format: :json
+    end
+  end
+
+  test "destroy with access" do
+    @controller.current_admin = @support
+
+    assert_difference 'Admin::Report.count', -1 do
+      delete :destroy, id: admin_reports(:report_one), format: :json
+    end
+
+    refute_nil assigns(:report)
+  end
+
+  test "destroy without access" do
+    @controller.current_admin = @marketing
+
+    assert_raises SimonSays::Authorizer::Denied do
+      delete :destroy, id: admin_reports(:report_one), format: :json
+    end
+  end
+end

data/test/controllers/documents_controller_test.rb

@@ -0,0 +1,87 @@
+require 'test_helper'
+
+class DocumentsControllerTest < ActionController::TestCase
+  setup do
+    @alpha = documents(:alpha)
+    @beta  = documents(:beta)
+
+    @bob = users(:bob)
+    @jim = users(:jim)
+  end
+
+  def as_bob!
+    @controller.current_user = @bob
+  end
+
+  def as_jim!
+    @controller.current_user = @jim
+  end
+
+  test "show" do
+    as_bob!
+
+    get :show, id: @alpha.id, format: :json
+
+    refute_nil assigns(:document)
+    assert_response :success
+  end
+
+  test "show without through relationship" do
+    as_jim!
+
+    assert_raises ActiveRecord::RecordNotFound do
+      get :show, id: @alpha.id, format: :json
+    end
+  end
+
+  test "update with access" do
+    as_bob!
+
+    patch :update, id: @alpha.id, document: { title: 'Test' }, format: :json
+
+    refute_nil assigns(:document)
+    assert_response :success
+  end
+
+  test "update without access" do
+    as_bob!
+
+    assert_raises SimonSays::Authorizer::Denied do
+      patch :update, id: @beta.id, document: { title: 'Test' }, format: :json
+    end
+  end
+
+  test "update without through relationship" do
+    as_jim!
+
+    assert_raises ActiveRecord::RecordNotFound do
+      patch :update, id: @alpha.id, document: { title: 'Test' }, format: :json
+    end
+  end
+
+  test "destroy with access" do
+    as_bob!
+
+    assert_difference 'Document.count', -1 do
+      delete :destroy, id: @alpha.id, format: :json
+    end
+
+    refute_nil assigns(:document)
+  end
+
+  test "destroy without access" do
+    as_bob!
+
+    assert_raises SimonSays::Authorizer::Denied do
+      delete :destroy, id: @beta.id, format: :json
+    end
+  end
+
+  test "destroy without through relationship" do
+    as_jim!
+
+    assert_raises ActiveRecord::RecordNotFound do
+      delete :destroy, id: @beta.id, format: :json
+    end
+  end
+end

data/test/models/admin_test.rb

@@ -0,0 +1,7 @@
+require 'test_helper'
+
+class AdminModelTest < ActiveSupport::TestCase
+  test "Admin is in registry" do
+    assert_includes SimonSays::Roleable.registry, :admin
+  end
+end

data/test/models/membership_test.rb

@@ -0,0 +1,7 @@
+require 'test_helper'
+
+class MembershipModelTest < ActiveSupport::TestCase
+  test "Membership is in registry" do
+    assert_includes SimonSays::Roleable.registry, :membership
+  end
+end

data/test/rails_app/.gitignore

@@ -0,0 +1,16 @@
+# See https://help.github.com/articles/ignoring-files for more about ignoring files.
+#
+# If you find yourself ignoring temporary files generated by your text editor
+# or operating system, you probably want to add a global ignore instead:
+#   git config --global core.excludesfile '~/.gitignore_global'
+
+# Ignore bundler config.
+/.bundle
+
+# Ignore the default SQLite database.
+/db/*.sqlite3
+/db/*.sqlite3-journal
+
+# Ignore all logfiles and tempfiles.
+/log/*.log
+/tmp