stasi 0.0.1.alpha → 0.1.0

data/Gemfile.lock

@@ -1,8 +1,7 @@
 PATH
   remote: .
   specs:
-    stasi (0.0.1.alpha)
-      activesupport (>= 4.0.0)
+    stasi (0.1.0)
       dsl_eval (>= 0.0.2)
 
 GEM
@@ -31,6 +30,7 @@ PLATFORMS
   java
 
 DEPENDENCIES
+  activesupport (>= 4.0.0)
   bundler (~> 1.3)
   minitest (~> 4.2)
   rake

data/README.md

@@ -17,30 +17,52 @@ include Robotnik::Authorization::Watch
 Then you can check permissions this way :
 
 ```ruby
-user.can? :read, :posts
+user.can? :read, @post
 ```
 
 You define permissions in an initializer :
 
 ```ruby
 Robotnik::Authorization::Law.define do
+
+  default do
+    can :read, Post
+  end
   
   status :admin do
-    can read, :posts
-    can :destroy, :posts
+    can :edit, Post, if: Proc.new{ |post| post.editable }
+    can :destroy, Post
   end
   
   status :guest do
-    can :read, :post
+    can :comment, :commentable
   end
   
 end
 ```
 
 Undefined permissions default to `false`.
-`:admin` and `:guest`, in this example, must be methods on the `user` object.
+`:admin` and `:guest`, in this example, must be method names on the `user` object. The only method name that is not allowed is `:default`, as `status :default` is equivalent to `default`.
+
+The `can` method takes two arguments : an action name as a symbol, and a resource. The resource can be :
+
+* a class, eg. `Post`
+* a symbol, eg. `:commentable`. The authorization will be applied if `@post.commentable` returns `true`. This method can take one argument, in which case, the user object will be passed to it.
+
+Optionnally, the `can` method can take a hash with conditions (hash keys can be `if` and `unless`, values can be Proc. The resource tested will be yielded).
+Finally, the `can` method can take a block, in which case the `can?` method will return the return value of the block. This is useful when defining abilities on collections :
+
+```ruby
+  can :index, Post do |posts|
+    posts.where(published: true)
+  end
+```
+
+The `cannot` method takes only two arguments : the action name, and the resource.
 
 ## Milestones
 
-* pass directly object, and not a symbol
+* yield user to blocks and procs in defining abilities
+* pass symbol or proc to `:if` and `:unless` conditions
+* alias actions :manage, :all, :read => [:index, :show], :create => [:new, :create], …
 * load specific permissions from db

data/lib/stasi.rb

@@ -1,6 +1,4 @@
 require 'dsl_eval'
-require 'active_support/core_ext/hash'
-require 'active_support/core_ext/class/attribute_accessors'
 
 require 'stasi/authorization/law'
 require 'stasi/authorization/status'

data/lib/stasi/authorization/law.rb

@@ -5,8 +5,6 @@ module Robotnik
       #--- Class methods ---#
       
           include Robotnik::DslEval
-          
-          cattr_reader :law
       
           def self.define &block
             @@law = self.new.evaluate(&block)
@@ -16,23 +14,31 @@ module Robotnik
             @@law = nil
           end
           
+          def self.law
+            @@law
+          end
+          
       #--- Instance methods ---#
       
+          attr_reader :statuses
+          
+          def initialize
+            @statuses = []
+          end
+      
           def status method, &block
             init_role_for(method).evaluate &block
           end
           
-          def statuses
-            rules.keys
+          def default &block
+            status :default, &block
           end
           
-          def can? *args
-            subject, args = args.shift, args
+          def can? action, resource, options
             verdict = false
             statuses.each do |status|
-              if subject.send status
-                verdict = rules[status].can? *args
-                break
+              if status == :default || status.to_proc.call(options[:agent])
+                verdict = rules[status].can? action.to_sym, resource, options
               end
             end
             verdict
@@ -41,11 +47,14 @@ module Robotnik
       private
       
           def rules
-            @rules ||= {}.with_indifferent_access
+            @rules ||= {}
           end
           
           def init_role_for method
-            rules[method] ||= Robotnik::Authorization::Status.new
+            rules[method] ||= begin
+              @statuses << method
+              Robotnik::Authorization::Status.new
+            end
           end
       
     end

data/lib/stasi/authorization/status.rb

@@ -14,31 +14,45 @@ module Robotnik
           rules[resource][action] = false
         end
         
-        def can? action, resource, subject
-          begin
-            condition = rules[resource][action]
-            case condition
-              when true, false then condition
-              else
-                return condition.call(subject) if condition.respond_to?(:call)
-                deliberation = true
-                deliberation = deliberation && condition[:if].call(subject) if condition.has_key?(:if)
-                deliberation = deliberation && (! condition[:unless].call(subject)) if deliberation && condition.has_key?(:unless)
-                deliberation
+        def can? action, resource, options={}
+          verdict = false
+          rules.each do |rule_condition, actions|
+            if Robotnik::Authorization::Status.matches? rule_condition, resource, options
+              action_condition = actions[action]
+              verdict = case action_condition
+                when true, false then action_condition
+                else
+                  if action_condition.respond_to?(:call)
+                    action_condition.call(resource)
+                  else
+                    deliberation = true
+                    deliberation = deliberation && action_condition[:if].call(resource) if action_condition.has_key?(:if)
+                    deliberation = deliberation && (! action_condition[:unless].call(resource)) if deliberation && action_condition.has_key?(:unless)
+                    deliberation
+                  end
+              end
             end
-          rescue NoMethodError
-            false
+          end
+          verdict
+        end
+        
+        def self.matches? rule_condition, resource, options
+          rule_condition = rule_condition.to_proc if rule_condition.respond_to?(:to_proc)
+          begin
+            rule_condition === resource
+          rescue ArgumentError
+            rule_condition.call(resource, options[:agent])
           end
         end
         
       private
         
         def rules
-          @rules ||= {}.with_indifferent_access
+          @rules ||= {}
         end
         
         def init_rule_for resource
-          rules[resource] ||= {}.with_indifferent_access
+          rules[resource] ||= {}
         end
         
     end

data/lib/stasi/authorization/watch.rb

@@ -3,7 +3,9 @@ module Robotnik
     module Watch
       
       def can? *args
-        Robotnik::Authorization::Law.law.can? *(args.unshift(self))
+        args[2] ||= {}
+        args[2][:agent] = self
+        Robotnik::Authorization::Law.law.can? *args
       end
       
     end

data/test/law_test.rb

@@ -8,7 +8,7 @@ class LawTest < ActiveSupport::TestCase
   
   test "it has rules" do
     rules = @law.send :rules
-    assert_instance_of ActiveSupport::HashWithIndifferentAccess, rules
+    assert_instance_of Hash, rules
   end
   
   test "it initiates rules for role" do
@@ -20,20 +20,20 @@ class LawTest < ActiveSupport::TestCase
   
   test "it yields status for authorization definition" do
     @law.status :admin do
-      can :read, :book
+      can :read, Object
     end
-    assert @law.instance_variable_get('@rules')[:admin].can? :read, :book, nil
+    assert @law.instance_variable_get('@rules')[:admin].can? :read, Object.new
   end
   
   test "it has statuses" do
     @law.status :admin do
     end
-    assert_equal ['admin'], @law.statuses
+    assert_equal [:admin], @law.statuses
   end
   
   test "it tests status on given object" do
-    object = Object.new
-    class << object
+    user = Object.new
+    class << user
       def admin
         true
       end
@@ -42,13 +42,13 @@ class LawTest < ActiveSupport::TestCase
       end
     end
     @law.status :admin do
-      can :read, :book
+      can :read, Object
     end
     @law.status :not_admin do
-      cannot :read, :book
+      cannot :read, Object
     end
-    assert @law.can? object, :read, :book, nil
-    class << object
+    assert @law.can? :read, Object.new, {agent: user}
+    class << user
       def admin
         false
       end
@@ -56,19 +56,19 @@ class LawTest < ActiveSupport::TestCase
         true    
       end
     end
-    refute @law.can? object, :read, :book, nil
+    refute @law.can? :read, Object.new, {agent: user}
   end
   
   test "it returns false if no status returns true" do
-    object = Object.new
-    class << object
+    user = Object.new
+    class << user
       def admin
         false
       end
     end
     @law.status :admin do
     end
-    refute @law.can? object, :do, :something, nil
+    refute @law.can? :do, :something, {agent: user}
   end
   
   test "it defines a new law at class level" do
@@ -76,7 +76,33 @@ class LawTest < ActiveSupport::TestCase
       status :admin do
       end
     end
-    assert_equal ['admin'], Robotnik::Authorization::Law.law.statuses
+    assert_equal [:admin], Robotnik::Authorization::Law.law.statuses
+  end
+  
+  test "it parses all stauses" do
+    user = Object.new
+    class << user
+      def is_a_a
+        true
+      end
+      def is_a_b
+        true
+      end
+    end
+    @law.status :is_a_a do
+      can :read, Object
+    end
+    @law.status :is_a_b do
+      cannot :read, Object
+    end
+    refute @law.can? :read, Object.new, {agent: user}
+  end
+  
+  test "it accepts defaults" do
+    @law.default do
+      can :read, Object
+    end
+    assert @law.can? :read, Object.new, {agent: Object.new}
   end
 
 end

data/test/status_test.rb

@@ -2,59 +2,113 @@ require 'test_helper'
 
 class StatusTest < ActiveSupport::TestCase
   
+  Book = Class.new
+  
   def setup
     @status = Robotnik::Authorization::Status.new
   end
 
   test "it has rules" do
     rules = @status.send :rules
-    assert_instance_of ActiveSupport::HashWithIndifferentAccess, rules
+    assert_instance_of Hash, rules
   end
   
   test "it initiates rules for resource" do
     @status.send :init_rule_for, :resource
     rules = @status.instance_variable_get('@rules')
     assert rules.has_key? :resource
-    assert_instance_of ActiveSupport::HashWithIndifferentAccess, rules[:resource]
+    assert_instance_of Hash, rules[:resource]
   end
   
   test "it defines prohibition" do
-    @status.cannot :read, :book
-    refute @status.can? :read, :book, nil
+    @status.cannot :read, Book
+    refute @status.can? :read, Book.new
+    assert_equal false, @status.instance_variable_get('@rules')[Book][:read]
   end
   
   test "it defines strict authorization" do
-    @status.can :read, :book
-    assert @status.can? :read, :book, nil
+    @status.can :read, Book
+    assert @status.can? :read, Book.new
+    assert_equal true, @status.instance_variable_get('@rules')[Book][:read]
   end
   
   test "it defines authorization with if and unless options" do
+    Post = Struct.new :name
     assertions = [true, false, false, true, false, true, false, false]
     [[true, nil], [nil, true], [false, nil], [nil, false], [true, true], [true, false], [false, true], [false, false]].each_with_index do |conditions, i|
       conditions_hash = {}
       [:if, :unless].each_with_index do |operator, j|
         unless conditions[j].nil?
           if conditions[j]
-            conditions_hash[operator] = Proc.new{ |num| num == 1 }
+            conditions_hash[operator] = Proc.new{ |post| post.name == 'test' }
           else
-            conditions_hash[operator] = Proc.new{ |num| num != 1 }
+            conditions_hash[operator] = Proc.new{ |post| post.name != 'test' }
           end
         end
       end
-      @status.can :read, :book, conditions_hash
-      assert_equal assertions[i], @status.can?(:read, :book, 1)
+      @status.can :read, Post, conditions_hash
+      assert_equal assertions[i], @status.can?(:read, Post.new('test'))
     end
   end
   
   test "it defines authorizations with a block" do
-    @status.can :read, :book do |num|
-      num * 2
+    Book.class_eval do
+      attr_accessor :collection
+      def self.all
+        Book.new.tap do |book|
+          book.collection = [1, 2, 3, 4]
+        end
+      end
     end
-    assert_equal 6, @status.can?(:read, :book, 3)
+    @status.can :read, Book do |books|
+      books.collection.first 2
+    end
+    assert_equal [1, 2], @status.can?(:read, Book.all)
   end
   
   test "it defaults to forbidden if permission is not defined" do
-    refute @status.can? :be, :free, :nil
-  end  
+    refute @status.can? :be, :free
+  end
+  
+  test "it accepts a class" do
+    @status.can :read, Object
+    assert @status.can? :read, Object.new
+    assert @status.can? :read, Object
+  end
+  
+  test "it accepts a symbol as a method name" do
+    o = Object.new
+    class << o
+      def taggable
+        true
+      end
+    end
+    @status.can :read, :taggable
+    assert @status.can? :read, o
+  end
+  
+  test "it accepts a symbol for a method with one argument and evaluates it with the agent" do
+    o = Object.new
+    class << o
+      def taggable user
+        user[:name] == 'test'
+      end
+    end
+    @status.can :read, :taggable
+    assert @status.can? :read, o, {agent: {name: 'test'}}
+    refute @status.can? :read, o, {agent: {name: 'tested'}}
+  end
+  
+  test "the last matching condition is returned" do
+    o = Object.new
+    class << o
+      def taggable
+        true
+      end
+    end
+    @status.cannot :read, Object
+    @status.can :read, :taggable
+    assert @status.can? :read, o
+  end
 
 end

data/test/test_helper.rb

@@ -5,5 +5,4 @@ require 'minitest/unit'
 require 'active_support/test_case'
 require 'minitest/autorun'
 require 'turn'
-require 'turn/colorize'
 require 'turn/autorun'

data/test/watch_test.rb

@@ -2,20 +2,8 @@ require 'test_helper'
 
 class WatchTest < ActiveSupport::TestCase
 
-  test "calls the law class can? with self as first arg" do
-    object = Object.new
-    object.extend Robotnik::Authorization::Watch
-    class << object
-      def admin
-        true
-      end
-    end
-    Robotnik::Authorization::Law.define do
-      status :admin do
-        can :do, :something
-      end
-    end
-    assert object.can?(:do, :something, :stupid)
+  test "passes the watched agent in the options hash" do
+    skip "could not figure out how to use assert_send"
   end
   
 end

metadata

@@ -1,8 +1,8 @@
 --- !ruby/object:Gem::Specification
 name: stasi
 version: !ruby/object:Gem::Version
-  prerelease: 6
-  version: 0.0.1.alpha
+  prerelease:
+  version: 0.1.0
 platform: ruby
 authors:
 - Paul Vonderscher
@@ -76,34 +76,34 @@ dependencies:
   prerelease: false
   type: :development
 - !ruby/object:Gem::Dependency
-  name: dsl_eval
+  name: activesupport
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
-        version: 0.0.2
+        version: 4.0.0
     none: false
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
-        version: 0.0.2
+        version: 4.0.0
     none: false
   prerelease: false
-  type: :runtime
+  type: :development
 - !ruby/object:Gem::Dependency
-  name: activesupport
+  name: dsl_eval
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
-        version: 4.0.0
+        version: 0.0.2
     none: false
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
-        version: 4.0.0
+        version: 0.0.2
     none: false
   prerelease: false
   type: :runtime
@@ -144,9 +144,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
   none: false
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>'
+  - - '>='
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
   none: false
 requirements: []
 rubyforge_project: