skill_tree 0.0.1

data/lib/skill_tree/resource.rb

@@ -0,0 +1,21 @@
+require 'skill_tree/resource/callbacks.rb'
+require 'skill_tree/resource/class_methods.rb'
+require 'skill_tree/resource/instance_methods.rb'
+require 'skill_tree/resource/relations.rb'
+require 'skill_tree/resource/scopes.rb'
+
+module SkillTree
+  module Resource
+    module Initializer
+      def as_skill_tree_resource(options = {})
+        send :include, SkillTree::Resource::InstanceMethods
+        send :include, SkillTree::Resource::Relations
+        send :include, SkillTree::Resource::Scopes
+        send :include, SkillTree::Resource::Callbacks
+        send :extend, SkillTree::Resource::ClassMethods
+        send :skill_tree_options=, options
+      end
+    end
+  end
+end
+ActiveRecord::Base.send :extend, SkillTree::Resource::Initializer

data/lib/skill_tree/resource/callbacks.rb

@@ -0,0 +1,20 @@
+module SkillTree
+  module Resource
+    module Callbacks
+      def self.included(base)
+        base.before_save do |model|
+          unless model.acl
+            acl = SkillTree::Parser::Initializer.default_acl_for(model)
+            model.acl = acl if acl
+          end
+        end
+        base.after_save :skill_tree_setup_resource_owner
+      end
+
+      def skill_tree_setup_resource_owner
+        admin = skill_tree_options[:admin]
+        send(admin).role!(:admin, self) if admin && acl && try(admin)
+      end
+    end
+  end
+end

data/lib/skill_tree/resource/class_methods.rb

@@ -0,0 +1,10 @@
+module SkillTree
+  module Resource
+    module ClassMethods
+      def self.extended(base)
+        base.send :cattr_accessor, :skill_tree_options
+        base.send :class_variable_set, :@@skill_tree_options, {}
+      end
+    end
+  end
+end

data/lib/skill_tree/resource/instance_methods.rb

@@ -0,0 +1,52 @@
+module SkillTree
+  module Resource
+    module InstanceMethods
+      def acl
+        acl_ownerships.first.acl if acl_ownerships.first
+      end
+
+      def acl=(value)
+        if acl_ownerships.empty?
+          acl_ownerships.new(acl: value)
+        else
+          fail SkillTree::AclAlreadySet,
+               "#{self.class.name} already has an acl. Use .acl! instead."
+        end
+      end
+
+      def acl!(value)
+        new_acl = parse_acl(value)
+        ActiveRecord::Base.transaction do
+          acl_ownerships.destroy_all
+          acl_ownerships.create!(acl: new_acl)
+        end if new_acl != acl
+      end
+
+      def permissions_for(user)
+        role = SkillTree::Models::Role.find_for(user, self)
+        SkillTree::Models::Permission.joins(
+          acl_mappings: [:role, :acl])
+          .where('("roles"."id" = ?)', role)
+          .where('("acls"."id" = ?)', acl)
+      end
+
+      def default_permission?(action, role = :user)
+        acls.joins(acl_mappings: [:permission, :role])
+          .where('"permissions"."name" = ?', action.to_s)
+          .where('"roles"."name" = ?', role.to_s).any?
+      end
+
+      alias_method :has_default_permission?, :default_permission?
+
+      private
+
+      def parse_acl(value)
+        if value.is_a? ActiveRecord::Base
+          value
+        else
+          SkillTree::Models::Acl.find_by!(name: value.to_s)
+        end
+      end
+    end
+  end
+end

data/lib/skill_tree/resource/relations.rb

@@ -0,0 +1,18 @@
+module SkillTree
+  module Resource
+    module Relations
+      def self.included(base)
+        base.has_many :acl_ownerships,
+                      as: :resource,
+                      class_name: 'SkillTree::Models::AclOwnership'
+        base.has_many :acls,
+                      through: :acl_ownerships,
+                      class_name: 'SkillTree::Models::Acl'
+        base.has_many :roles, through: :acls,
+                              class_name: 'SkillTree::Models::Role'
+        base.has_many :user_roles,
+                      as: :resource, class_name: 'SkillTree::Models::UserRole'
+      end
+    end
+  end
+end

data/lib/skill_tree/resource/scopes.rb

@@ -0,0 +1,38 @@
+module SkillTree
+  module Resource
+    module Scopes
+      extend ActiveSupport::Concern
+      included do
+        scope :where_user_can, lambda { |user, action|
+          if user
+            where_logged_user_can(action, user.id)
+          else
+            where_guest_can(action)
+          end
+        }
+
+        scope :with_permissions, lambda {
+          joins(acls: { acl_mappings: [:permission, :role] })
+        }
+
+        scope :where_guest_can, lambda { |action|
+          with_permissions
+            .where('"permissions"."name" = ?', action.to_s)
+            .where('"roles"."name" = ?', 'guest')
+        }
+
+        scope :where_logged_user_can, lambda { |action, user_id|
+          with_permissions
+            .joins("LEFT OUTER JOIN \"user_roles\""\
+              " ON \"user_roles\".\"resource_id\" = \"#{table_name}\".\"id\""\
+              " AND \"user_roles\".\"resource_type\" = '#{name}'")
+            .where('"permissions"."name" = ?', action.to_s)
+            .where('("user_roles"."role_id" = "roles"."id"'\
+                   ' AND "user_roles"."user_id" = ?) OR ("roles"."name" = ?)',
+                   user_id, 'user')
+            .uniq
+        }
+      end
+    end
+  end
+end

data/lib/skill_tree/subject.rb

@@ -0,0 +1,53 @@
+module SkillTree
+  module Subject
+    module Initializer
+      def as_skill_tree_subject
+        send :include, SkillTree::Subject::InstanceMethods
+      end
+    end
+    module InstanceMethods
+      def self.included(base)
+        base.send :has_many, :user_roles,
+                  class_name: 'SkillTree::Models::UserRole'
+        base.send :has_many, :roles,
+                  through: :user_roles, class_name: 'SkillTree::Models::Role'
+      end
+
+      def can?(action, resource)
+        resource.default_permission?(action) ||
+          permitted_with_role?(action, resource)
+      end
+      alias_method :allowed_to?, :can?
+
+      def role?(role_name, resource)
+        user_roles.joins(:role)
+          .where(roles: { name: role_name.to_s })
+          .where(resource: resource).any?
+      end
+
+      def role!(role, resource)
+        role = SkillTree::Models::Role.find_by_name!(role)
+        user_role = user_roles.find_or_initialize_by(resource: resource)
+        user_role.update!(role: role)
+      end
+
+      def unrole!(role, resource)
+        role = SkillTree::Models::Role.find_by_name!(role)
+        active_roles = user_roles.where(role: role, resource: resource)
+        active_roles.destroy_all
+      end
+
+      alias_method :has_role?, :role?
+
+      private
+
+      def permitted_with_role?(action, resource)
+        user_roles.joins(role: { acl_mappings: [:permission, :acl] })
+          .where('"permissions"."name" = ?', action.to_s)
+          .where('"acls"."id" = ?', resource.acl)
+          .where(resource: resource).any?
+      end
+    end
+  end
+end
+ActiveRecord::Base.send :extend, SkillTree::Subject::Initializer

data/lib/skill_tree/version.rb

@@ -0,0 +1,3 @@
+module SkillTree
+  VERSION = '0.0.1'
+end

data/spec/db/schema.rb

@@ -0,0 +1,59 @@
+ActiveRecord::Schema.define(version: 0) do
+  create_table :users do |t|
+    t.string :name
+  end
+
+  create_table :posts do |t|
+    t.string :text
+  end
+
+  create_table :post_with_authors do |t|
+    t.string :text
+    t.references :user
+  end
+
+  create_table :acls do |t|
+    t.string :name, null: false
+    t.integer :version, null: false
+  end
+  add_index :acls, :name, unique: true
+
+  create_table :roles do |t|
+    t.string :name, null: false
+  end
+  add_index :roles, :name, unique: true
+
+  create_table :permissions do |t|
+    t.string :name, null: false
+  end
+  add_index :permissions, :name, unique: true
+
+  create_table :acl_mappings do |t|
+    t.references :acl, null: false
+    t.references :role, null: false
+    t.references :permission, null: true
+
+    t.timestamps null: false
+  end
+
+  add_index :acl_mappings, [:acl_id, :role_id, :permission_id], unique: true
+
+  create_table :user_roles do |t|
+    t.references :user
+    t.references :role, null: false
+    t.references :resource, polymorphic: true
+
+    t.timestamps null: false
+  end
+  add_index :user_roles, [:resource_type, :resource_id]
+  # Only can't be admin of a resource multiple times
+  add_index :user_roles, [:user_id, :role_id, :resource_type, :resource_id],
+            unique: true, name: :user_roles_avoid_duplicate_roles
+
+  create_table :acl_ownerships do |t|
+    t.references :acl, null: false
+    t.references :resource, polymorphic: true
+  end
+  # There can be only one-to-many relationship with a resource
+  add_index :acl_ownerships, [:resource_type, :resource_id], unique: true
+end

data/spec/skill_tree/controller_spec.rb

@@ -0,0 +1,103 @@
+require 'spec_helper'
+
+describe TestController, type: :controller do
+  before(:each) do
+    stub_const('Rails', double(root: double))
+    allow(Rails.root).to receive(:join)
+      .and_return('spec/support/acls/subject_acl.rb')
+    SkillTree::Parser::Initializer.parse!
+  end
+
+  let(:user) { User.create! }
+
+  let(:admin) do
+    user = User.create!
+    user.role! :admin, resource
+    user
+  end
+
+  let!(:resource) { Post.create! }
+
+  it '#index' do
+    expect_any_instance_of(TestController).not_to receive(:update)
+    expect { get :index }.to raise_error SkillTree::NotAuthorizedError
+  end
+
+  it '#show' do
+    expect_any_instance_of(TestController).not_to receive(:update)
+    expect { get :index }.to raise_error SkillTree::NotAuthorizedError
+  end
+
+  it '#update' do
+    expect_any_instance_of(TestController).to receive(:update)
+    get :update
+  end
+
+  describe '#create' do
+    it 'is open for a logged user' do
+      allow_any_instance_of(TestController).to receive(:current_user)
+        .and_return(user)
+      expect_any_instance_of(TestController).to receive(:create)
+      get :create
+    end
+
+    it 'is blocked for a guest' do
+      expect_any_instance_of(TestController).not_to receive(:create)
+      expect { get :create }.to raise_error SkillTree::NotAuthorizedError
+    end
+  end
+
+  describe '#destroy' do
+    it 'is open for an admin' do
+      allow_any_instance_of(TestController).to receive(:current_user)
+        .and_return(admin)
+      expect_any_instance_of(TestController).to receive(:destroy)
+      get :destroy
+    end
+
+    it 'is blocked for a logged user' do
+      allow_any_instance_of(TestController).to receive(:current_user)
+        .and_return(user)
+      expect_any_instance_of(TestController).not_to receive(:destroy)
+      expect { get :destroy }.to raise_error SkillTree::NotAuthorizedError
+    end
+
+    it 'is blocked for a guest' do
+      expect_any_instance_of(TestController).not_to receive(:destroy)
+      expect { get :destroy }.to raise_error SkillTree::NotAuthorizedError
+    end
+  end
+end
+
+describe Test2Controller, type: :controller do
+  before(:each) do
+    stub_const('Rails', double(root: double))
+    allow(Rails.root).to receive(:join)
+      .and_return('spec/support/acls/subject_acl.rb')
+    SkillTree::Parser::Initializer.parse!
+  end
+
+  let(:user) { User.create! }
+  let!(:resource) { Post.create! }
+
+  describe '#index' do
+    it 'returns error if the user is not logged in' do
+      expect_any_instance_of(Test2Controller).not_to receive(:index)
+      expect { get :index }.to raise_error SkillTree::NotAuthorizedError
+    end
+
+    it 'works only when user is logged in' do
+      allow_any_instance_of(Test2Controller).to receive(:current_user)
+        .and_return(user)
+
+      expect_any_instance_of(Test2Controller).to receive(:index)
+      get :index
+    end
+  end
+
+  describe '#current_acl' do
+    it 'differs between classes with common parent' do
+      expect(TestController.current_acl).not_to eq(Test2Controller.current_acl)
+    end
+  end
+end

data/spec/skill_tree/generators/install_generator_spec.rb

@@ -0,0 +1,34 @@
+require 'spec_helper'
+
+describe SkillTree::InstallGenerator, type: :generator do
+  destination File.expand_path('../../tmp', __FILE__)
+  arguments %w()
+
+  before(:all) do
+    prepare_destination
+    run_generator
+  end
+
+  it 'creates a migration, an acl and an initializer' do
+    expect(destination_root).to have_structure {
+      no_file 'test.rb'
+      directory 'config' do
+        directory 'initializers' do
+          file 'skill_tree.rb' do
+            contains 'SkillTree.init!'
+          end
+        end
+        file 'acl.rb' do
+          contains 'Example acl.rb file'
+        end
+      end
+      directory 'db' do
+        directory 'migrate' do
+          migration 'create_skill_tree_acl_system' do
+            contains 'class CreateSkillTreeAclSystem'
+          end
+        end
+      end
+    }
+  end
+end

data/spec/skill_tree/models/acl_mapping_spec.rb

@@ -0,0 +1,46 @@
+require 'spec_helper'
+
+describe SkillTree::Models::AclMapping, type: :model do
+  it 'belongs to an acl' do
+    expect(subject).to respond_to(:acl)
+  end
+
+  it 'validates presence of acl' do
+    expect(subject).to have(1).error_on(:acl)
+    subject.acl = build(:acl)
+    expect(subject).to have(0).error_on(:acl)
+  end
+
+  it 'belongs to a role' do
+    expect(subject).to respond_to(:role)
+  end
+
+  it 'validates presence of role' do
+    expect(subject).to have(1).error_on(:role)
+    subject.role = build(:role)
+    expect(subject).to have(0).error_on(:role)
+  end
+
+  it 'belongs to a permission' do
+    expect(subject).to respond_to(:permission)
+  end
+
+  it 'validates presence of permission' do
+    expect(subject).to have(1).error_on(:permission)
+    subject.permission = build(:permission)
+    expect(subject).to have(0).error_on(:permission)
+  end
+
+  it 'validates uniqueness of relations' do
+    acl_mapping = create(:acl_mapping,
+                         role: create(:role, name: 'a'),
+                         acl: create(:acl, name: 'b', version: 0),
+                         permission: create(:permission, name: 'c'))
+    subject.assign_attributes(
+      role: acl_mapping.role,
+      acl: acl_mapping.acl,
+      permission: acl_mapping.permission
+    )
+    expect(subject).to have(1).error_on(:acl_id)
+  end
+end