stffn-declarative_authorization 0.2.1 → 0.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,96 @@
1
+ require File.join(File.dirname(__FILE__), 'test_helper.rb')
2
+ require File.dirname(__FILE__) + '/../lib/in_controller.rb'
3
+ require File.dirname(__FILE__) + '/../lib/helper.rb'
4
+
5
+
6
+ class HelperMocksController < MocksController
7
+ filter_access_to :action, :require => :show, :context => :mocks
8
+ define_action_methods :action
9
+ end
10
+ class HelperTest < ActionController::TestCase
11
+ tests HelperMocksController
12
+ include Authorization::AuthorizationHelper
13
+ attr_reader :controller
14
+
15
+ def test_permit
16
+ reader = Authorization::Reader::DSLReader.new
17
+ reader.parse %{
18
+ authorization do
19
+ role :test_role do
20
+ has_permission_on :mocks, :to => :show
21
+ end
22
+ role :test_role_2 do
23
+ has_permission_on :mocks, :to => :update
24
+ end
25
+ end
26
+ }
27
+ user = MockUser.new(:test_role)
28
+ request!(user, :action, reader)
29
+
30
+ assert permitted_to?(:show, :mocks)
31
+ assert !permitted_to?(:update, :mocks)
32
+
33
+ block_evaled = false
34
+ permitted_to?(:show, :mocks) do
35
+ block_evaled = true
36
+ end
37
+ assert block_evaled
38
+
39
+ block_evaled = false
40
+ permitted_to?(:update, :mocks) do
41
+ block_evaled = true
42
+ end
43
+ assert !block_evaled
44
+ end
45
+
46
+ def test_permit_with_object
47
+ reader = Authorization::Reader::DSLReader.new
48
+ reader.parse %{
49
+ authorization do
50
+ role :test_role do
51
+ has_permission_on :mocks do
52
+ to :show
53
+ if_attribute :test_attr => is {user.test_attr}
54
+ end
55
+ end
56
+ end
57
+ }
58
+ user = MockUser.new(:test_role, :test_attr => 1)
59
+ mock = MockDataObject.new(:test_attr => 1)
60
+ mock_2 = MockDataObject.new(:test_attr => 2)
61
+ request!(user, :action, reader)
62
+
63
+ assert permitted_to?(:show, mock)
64
+ assert permitted_to?(:show, :mocks)
65
+ assert !permitted_to?(:show, mock_2)
66
+ end
67
+
68
+ def test_has_role
69
+ reader = Authorization::Reader::DSLReader.new
70
+ reader.parse %{
71
+ authorization do
72
+ role :test_role do
73
+ has_permission_on :mocks, :to => :show
74
+ end
75
+ end
76
+ }
77
+ user = MockUser.new(:test_role)
78
+ request!(user, :action, reader)
79
+
80
+ assert has_role?(:test_role)
81
+ assert !has_role?(:test_role2)
82
+
83
+ block_evaled = false
84
+ has_role?(:test_role) do
85
+ block_evaled = true
86
+ end
87
+ assert block_evaled
88
+
89
+ block_evaled = false
90
+ has_role?(:test_role2) do
91
+ block_evaled = true
92
+ end
93
+ assert !block_evaled
94
+ end
95
+
96
+ end
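Review bot: `assert permitted_to?(:show, :mocks)` in test_permit_with_object passes although the only rule for :mocks carries an `if_attribute` obligation, so the test pins down that a context-only check grants access without evaluating attribute conditions; that is exactly what a view author needs to know, and the assertion deserves a comment such as `# no object given: if_attribute obligations are skipped, so a context-only check is permissive` so nobody later "fixes" the test by passing an object. The role expected to be absent in test_has_role is spelled `:test_role2` while the other tests in this file use `:test_role_2`; one spelling avoids a reader wondering whether the mismatch is the point of the test. Neither block-form test asserts anything about the value of `permitted_to?`/`has_role?` when a block is given, which appears to be the main use in helpers; if that value is part of the contract, a short assertion on it here would document it.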
@@ -0,0 +1,15 @@
1
+ require File.join(File.dirname(__FILE__), 'test_helper.rb')
2
+ require File.join(File.dirname(__FILE__), %w{.. lib maintenance})
3
+
4
+ class MaintenanceTest < Test::Unit::TestCase
5
+
6
+ def test_usages_by_controllers
7
+ usage_test_controller = Class.new(ActionController::Base)
8
+ usage_test_controller.send(:define_method, :an_action) {}
9
+ usage_test_controller.filter_access_to :an_action
10
+
11
+ assert Authorization::Maintenance::Usage::usages_by_controller.
12
+ include?(usage_test_controller)
13
+ end
14
+
15
+ end
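Review bot: The assertion only checks that the anonymous controller appears in `usages_by_controller`, not that `:an_action` is the action recorded for it, so a registration that mis-records actions would still pass; if the returned structure maps controllers to their filter usages, an additional check that `:an_action` appears under `usages_by_controller[usage_test_controller]` would pin that down. The `Class.new(ActionController::Base)` controller is never unregistered, so each run presumably leaves an entry in whatever global registry `usages_by_controller` reads; a comment noting that, or a teardown, would make the shared state explicit. The shape of the usages value is not visible in this hunk, so the exact form of the extra assertion needs confirming against lib/maintenance.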
@@ -0,0 +1,794 @@
1
+ require File.join(File.dirname(__FILE__), 'test_helper.rb')
2
+ require File.join(File.dirname(__FILE__), '..', 'lib', 'in_model.rb')
3
+
4
+ ActiveRecord::Base.send :include, Authorization::AuthorizationInModel
5
+ #ActiveRecord::Base.logger = Logger.new(STDOUT)
6
+
7
+ options = {:adapter => 'sqlite3', :timeout => 500, :database => ':memory:'}
8
+ ActiveRecord::Base.establish_connection(options)
9
+ ActiveRecord::Base.configurations = { 'sqlite3_ar_integration' => options }
10
+ ActiveRecord::Base.connection
11
+
12
+ File.read(File.dirname(__FILE__) + "/schema.sql").split(';').each do |sql|
13
+ ActiveRecord::Base.connection.execute(sql) unless sql.blank?
14
+ end
15
+
16
+ class TestModel < ActiveRecord::Base
17
+ has_many :test_attrs
18
+ has_many :test_attr_throughs, :through => :test_attrs
19
+ has_many :test_attrs_with_attr, :class_name => "TestAttr", :conditions => {:attr => 1}
20
+ has_many :test_attr_throughs_with_attr, :through => :test_attrs,
21
+ :class_name => "TestAttrThrough", :source => :test_attr_throughs,
22
+ :conditions => "test_attrs.attr = 1"
23
+ has_one :test_attr_has_one, :class_name => "TestAttr"
24
+ has_one :test_attr_throughs_with_attr_and_has_one, :through => :test_attrs,
25
+ :class_name => "TestAttrThrough", :source => :test_attr_throughs,
26
+ :conditions => "test_attrs.attr = 1"
27
+
28
+ # Primary key test
29
+ # take this out for Rails prior to 2.2
30
+ if ([Rails::VERSION::MAJOR, Rails::VERSION::MINOR] <=> [2, 2]) > -1
31
+ has_many :test_attrs_with_primary_id, :class_name => "TestAttr",
32
+ :primary_key => :test_attr_through_id, :foreign_key => :test_attr_through_id
33
+ has_many :test_attr_throughs_with_primary_id,
34
+ :through => :test_attrs_with_primary_id, :class_name => "TestAttrThrough",
35
+ :source => :n_way_join_item
36
+ end
37
+ end
38
+
39
+ class NWayJoinItem < ActiveRecord::Base
40
+ has_many :test_attrs
41
+ has_many :others, :through => :test_attrs, :source => :n_way_join_item
42
+ end
43
+
44
+ class TestAttr < ActiveRecord::Base
45
+ belongs_to :test_model
46
+ belongs_to :test_another_model, :class_name => "TestModel", :foreign_key => :test_another_model_id
47
+ belongs_to :n_way_join_item
48
+ has_many :test_attr_throughs
49
+ attr_reader :role_symbols
50
+ def initialize (*args)
51
+ @role_symbols = []
52
+ super(*args)
53
+ end
54
+ end
55
+
56
+ class TestAttrThrough < ActiveRecord::Base
57
+ belongs_to :test_attr
58
+ end
59
+
60
+ class TestModelSecurityModel < ActiveRecord::Base
61
+ has_many :test_attrs
62
+ using_access_control
63
+ end
64
+ class TestModelSecurityModelWithFind < ActiveRecord::Base
65
+ set_table_name "test_model_security_models"
66
+ has_many :test_attrs
67
+ using_access_control :include_read => true,
68
+ :context => :test_model_security_models
69
+ end
70
+
71
+ class ModelTest < Test::Unit::TestCase
72
+ def test_named_scope_multiple_deep_ored_belongs_to
73
+ reader = Authorization::Reader::DSLReader.new
74
+ reader.parse %{
75
+ authorization do
76
+ role :test_role do
77
+ has_permission_on :test_attrs, :to => :read do
78
+ if_attribute :test_model => {:test_attrs => contains {user}}
79
+ if_attribute :test_another_model => {:test_attrs => contains {user}}
80
+ end
81
+ end
82
+ end
83
+ }
84
+ Authorization::Engine.instance(reader)
85
+
86
+ test_model_1 = TestModel.create!
87
+ test_model_2 = TestModel.create!
88
+ test_attr_1 = TestAttr.create! :test_model_id => test_model_1.id,
89
+ :test_another_model_id => test_model_2.id
90
+
91
+ user = MockUser.new(:test_role, :id => test_attr_1)
92
+ assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
93
+ TestAttr.delete_all
94
+ TestModel.delete_all
95
+ end
96
+
97
+ def test_named_scope_with_belongs_to_and_has_many_with_contains
98
+ reader = Authorization::Reader::DSLReader.new
99
+ reader.parse %{
100
+ authorization do
101
+ role :test_role do
102
+ has_permission_on :test_attrs, :to => :read do
103
+ if_attribute :test_model => { :test_attrs => contains { user.test_attr_value } }
104
+ end
105
+ end
106
+ end
107
+ }
108
+ Authorization::Engine.instance(reader)
109
+
110
+ test_attr_1 = TestAttr.create!
111
+ test_model_1 = TestModel.create!
112
+ test_model_1.test_attrs.create!
113
+
114
+ user = MockUser.new(:test_role, :test_attr_value => test_model_1.test_attrs.first.id )
115
+ assert_equal 1, TestAttr.with_permissions_to( :read, :context => :test_attrs, :user => user ).length
116
+ assert_equal 1, TestAttr.with_permissions_to( :read, :user => user ).length
117
+ assert_raise Authorization::NotAuthorized do
118
+ TestAttr.with_permissions_to( :update_test_attrs, :user => user )
119
+ end
120
+ TestAttr.delete_all
121
+ TestModel.delete_all
122
+ end
123
+
124
+ def test_named_scope_with_is
125
+ reader = Authorization::Reader::DSLReader.new
126
+ reader.parse %{
127
+ authorization do
128
+ role :test_role do
129
+ has_permission_on :test_models, :to => :read do
130
+ if_attribute :id => is { user.test_attr_value }
131
+ end
132
+ end
133
+ end
134
+ }
135
+ Authorization::Engine.instance(reader)
136
+
137
+ test_model_1 = TestModel.create!
138
+ TestModel.create!
139
+
140
+ user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
141
+ assert_equal 1, TestModel.with_permissions_to(:read,
142
+ :context => :test_models, :user => user).length
143
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
144
+ assert_raise Authorization::NotAuthorized do
145
+ TestModel.with_permissions_to(:update_test_models, :user => user)
146
+ end
147
+ TestModel.delete_all
148
+ end
149
+
150
+ def test_named_scope_with_not_is
151
+ reader = Authorization::Reader::DSLReader.new
152
+ reader.parse %{
153
+ authorization do
154
+ role :test_role do
155
+ has_permission_on :test_models, :to => :read do
156
+ if_attribute :id => is_not { user.test_attr_value }
157
+ end
158
+ end
159
+ end
160
+ }
161
+ Authorization::Engine.instance(reader)
162
+
163
+ test_model_1 = TestModel.create!
164
+ TestModel.create!
165
+
166
+ user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
167
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
168
+ TestModel.delete_all
169
+ end
170
+
171
+ def test_named_scope_with_empty_obligations
172
+ reader = Authorization::Reader::DSLReader.new
173
+ reader.parse %{
174
+ authorization do
175
+ role :test_role do
176
+ has_permission_on :test_models, :to => :read
177
+ end
178
+ end
179
+ }
180
+ Authorization::Engine.instance(reader)
181
+
182
+ TestModel.create!
183
+
184
+ user = MockUser.new(:test_role)
185
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
186
+ assert_raise Authorization::NotAuthorized do
187
+ TestModel.with_permissions_to(:update, :user => user)
188
+ end
189
+ TestModel.delete_all
190
+ end
191
+
192
+ def test_named_scope_multiple_obligations
193
+ reader = Authorization::Reader::DSLReader.new
194
+ reader.parse %{
195
+ authorization do
196
+ role :test_role do
197
+ has_permission_on :test_models, :to => :read do
198
+ if_attribute :id => is { user.test_attr_value }
199
+ end
200
+ has_permission_on :test_models, :to => :read do
201
+ if_attribute :id => is { user.test_attr_value_2 }
202
+ end
203
+ end
204
+ end
205
+ }
206
+ Authorization::Engine.instance(reader)
207
+
208
+ test_model_1 = TestModel.create!
209
+ test_model_2 = TestModel.create!
210
+
211
+ user = MockUser.new(:test_role, :test_attr_value => test_model_1.id,
212
+ :test_attr_value_2 => test_model_2.id)
213
+ assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
214
+ TestModel.delete_all
215
+ end
216
+
217
+ def test_named_scope_multiple_and_empty_obligations
218
+ reader = Authorization::Reader::DSLReader.new
219
+ reader.parse %{
220
+ authorization do
221
+ role :test_role do
222
+ has_permission_on :test_models, :to => :read do
223
+ if_attribute :id => is { user.test_attr_value }
224
+ end
225
+ has_permission_on :test_models, :to => :read
226
+ end
227
+ end
228
+ }
229
+ Authorization::Engine.instance(reader)
230
+
231
+ test_model_1 = TestModel.create!
232
+ TestModel.create!
233
+
234
+ user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
235
+ assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
236
+ TestModel.delete_all
237
+ end
238
+
239
+ def test_named_scope_multiple_attributes
240
+ reader = Authorization::Reader::DSLReader.new
241
+ reader.parse %{
242
+ authorization do
243
+ role :test_role do
244
+ has_permission_on :test_models, :to => :read do
245
+ if_attribute :id => is { user.test_attr_value }, :content => "bla"
246
+ end
247
+ end
248
+ end
249
+ }
250
+ Authorization::Engine.instance(reader)
251
+
252
+ test_model_1 = TestModel.create! :content => 'bla'
253
+ TestModel.create! :content => 'bla'
254
+ TestModel.create!
255
+
256
+ user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
257
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
258
+ TestModel.delete_all
259
+ end
260
+
261
+ def test_named_scope_multiple_belongs_to
262
+ reader = Authorization::Reader::DSLReader.new
263
+ reader.parse %{
264
+ authorization do
265
+ role :test_role do
266
+ has_permission_on :test_attrs, :to => :read do
267
+ if_attribute :test_model => is {user}
268
+ if_attribute :test_another_model => is {user}
269
+ end
270
+ end
271
+ end
272
+ }
273
+ Authorization::Engine.instance(reader)
274
+
275
+ test_attr_1 = TestAttr.create! :test_model_id => 1, :test_another_model_id => 2
276
+
277
+ user = MockUser.new(:test_role, :id => 1)
278
+ assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
279
+ TestAttr.delete_all
280
+ end
281
+
282
+ def test_named_scope_with_is_and_priv_hierarchy
283
+ reader = Authorization::Reader::DSLReader.new
284
+ reader.parse %{
285
+ privileges do
286
+ privilege :read do
287
+ includes :list, :show
288
+ end
289
+ end
290
+ authorization do
291
+ role :test_role do
292
+ has_permission_on :test_models, :to => :read do
293
+ if_attribute :id => is { user.test_attr_value }
294
+ end
295
+ end
296
+ end
297
+ }
298
+ Authorization::Engine.instance(reader)
299
+
300
+ test_model_1 = TestModel.create!
301
+ TestModel.create!
302
+
303
+ user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
304
+ assert_equal 1, TestModel.with_permissions_to(:list,
305
+ :context => :test_models, :user => user).length
306
+ assert_equal 1, TestModel.with_permissions_to(:list, :user => user).length
307
+
308
+ TestModel.delete_all
309
+ end
310
+
311
+ def test_named_scope_with_is_and_belongs_to
312
+ reader = Authorization::Reader::DSLReader.new
313
+ reader.parse %{
314
+ authorization do
315
+ role :test_role do
316
+ has_permission_on :test_attrs, :to => :read do
317
+ if_attribute :test_model => is { user.test_model }
318
+ end
319
+ end
320
+ end
321
+ }
322
+ Authorization::Engine.instance(reader)
323
+
324
+ test_model_1 = TestModel.create!
325
+ test_model_1.test_attrs.create!
326
+ TestModel.create!.test_attrs.create!
327
+
328
+ user = MockUser.new(:test_role, :test_model => test_model_1)
329
+ assert_equal 1, TestAttr.with_permissions_to(:read,
330
+ :context => :test_attrs, :user => user).length
331
+
332
+ TestModel.delete_all
333
+ TestAttr.delete_all
334
+ end
335
+
336
+ def test_named_scope_with_deep_attribute
337
+ reader = Authorization::Reader::DSLReader.new
338
+ reader.parse %{
339
+ authorization do
340
+ role :test_role do
341
+ has_permission_on :test_attrs, :to => :read do
342
+ if_attribute :test_model => {:id => is { user.test_model_id } }
343
+ end
344
+ end
345
+ end
346
+ }
347
+ Authorization::Engine.instance(reader)
348
+
349
+ test_model_1 = TestModel.create!
350
+ test_model_1.test_attrs.create!
351
+ TestModel.create!.test_attrs.create!
352
+
353
+ user = MockUser.new(:test_role, :test_model_id => test_model_1.id)
354
+ assert_equal 1, TestAttr.with_permissions_to(:read,
355
+ :context => :test_attrs, :user => user).length
356
+
357
+ TestModel.delete_all
358
+ TestAttr.delete_all
359
+ end
360
+
361
+ def test_named_scope_with_contains
362
+ reader = Authorization::Reader::DSLReader.new
363
+ reader.parse %{
364
+ authorization do
365
+ role :test_role do
366
+ has_permission_on :test_models, :to => :read do
367
+ if_attribute :test_attrs => contains { user }
368
+ end
369
+ end
370
+ end
371
+ }
372
+ Authorization::Engine.instance(reader)
373
+
374
+ test_model_1 = TestModel.create!
375
+ test_model_2 = TestModel.create!
376
+ test_model_1.test_attrs.create!
377
+ test_model_1.test_attrs.create!
378
+ test_model_2.test_attrs.create!
379
+
380
+ user = MockUser.new(:test_role,
381
+ :id => test_model_1.test_attrs.first.id)
382
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
383
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).find(:all, :conditions => {:id => test_model_1.id}).length
384
+
385
+ TestModel.delete_all
386
+ TestAttr.delete_all
387
+ end
388
+
389
+ def test_named_scope_with_does_not_contain
390
+ reader = Authorization::Reader::DSLReader.new
391
+ reader.parse %{
392
+ authorization do
393
+ role :test_role do
394
+ has_permission_on :test_models, :to => :read do
395
+ if_attribute :test_attrs => does_not_contain { user }
396
+ end
397
+ end
398
+ end
399
+ }
400
+ Authorization::Engine.instance(reader)
401
+
402
+ test_model_1 = TestModel.create!
403
+ test_model_2 = TestModel.create!
404
+ test_model_1.test_attrs.create!
405
+ test_model_2.test_attrs.create!
406
+
407
+ user = MockUser.new(:test_role,
408
+ :id => test_model_1.test_attrs.first.id)
409
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
410
+
411
+ TestModel.delete_all
412
+ TestAttr.delete_all
413
+ end
414
+
415
+ def test_named_scope_with_contains_conditions
416
+ reader = Authorization::Reader::DSLReader.new
417
+ reader.parse %{
418
+ authorization do
419
+ role :test_role do
420
+ has_permission_on :test_models, :to => :read do
421
+ if_attribute :test_attrs_with_attr => contains { user }
422
+ end
423
+ end
424
+ end
425
+ }
426
+ Authorization::Engine.instance(reader)
427
+
428
+ test_model_1 = TestModel.create!
429
+ test_model_2 = TestModel.create!
430
+ test_model_1.test_attrs_with_attr.create!
431
+ test_model_1.test_attrs.create!(:attr => 2)
432
+ test_model_2.test_attrs_with_attr.create!
433
+ test_model_2.test_attrs.create!(:attr => 2)
434
+
435
+ #assert_equal 1, test_model_1.test_attrs_with_attr.length
436
+ user = MockUser.new(:test_role,
437
+ :id => test_model_1.test_attrs.first.id)
438
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
439
+ user = MockUser.new(:test_role,
440
+ :id => test_model_1.test_attrs.last.id)
441
+ assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
442
+
443
+ TestModel.delete_all
444
+ TestAttr.delete_all
445
+ end
446
+
447
+ def test_named_scope_with_contains_through_conditions
448
+ reader = Authorization::Reader::DSLReader.new
449
+ reader.parse %{
450
+ authorization do
451
+ role :test_role do
452
+ has_permission_on :test_models, :to => :read do
453
+ if_attribute :test_attr_throughs_with_attr => contains { user }
454
+ end
455
+ end
456
+ end
457
+ }
458
+ Authorization::Engine.instance(reader)
459
+
460
+ test_model_1 = TestModel.create!
461
+ test_model_2 = TestModel.create!
462
+ test_model_1.test_attrs.create!(:attr => 1).test_attr_throughs.create!
463
+ test_model_1.test_attrs.create!(:attr => 2).test_attr_throughs.create!
464
+ test_model_2.test_attrs.create!(:attr => 1).test_attr_throughs.create!
465
+ test_model_2.test_attrs.create!(:attr => 2).test_attr_throughs.create!
466
+
467
+ #assert_equal 1, test_model_1.test_attrs_with_attr.length
468
+ user = MockUser.new(:test_role,
469
+ :id => test_model_1.test_attr_throughs.first.id)
470
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
471
+ user = MockUser.new(:test_role,
472
+ :id => test_model_1.test_attr_throughs.last.id)
473
+ assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
474
+
475
+ TestModel.delete_all
476
+ TestAttrThrough.delete_all
477
+ TestAttr.delete_all
478
+ end
479
+
480
+ # take this out for Rails prior to 2.2
481
+ if ([Rails::VERSION::MAJOR, Rails::VERSION::MINOR] <=> [2, 2]) > -1
482
+ def test_named_scope_with_contains_through_primary_key
483
+ reader = Authorization::Reader::DSLReader.new
484
+ reader.parse %{
485
+ authorization do
486
+ role :test_role do
487
+ has_permission_on :test_models, :to => :read do
488
+ if_attribute :test_attr_throughs_with_primary_id => contains { user }
489
+ end
490
+ end
491
+ end
492
+ }
493
+ Authorization::Engine.instance(reader)
494
+
495
+ test_attr_through_1 = TestAttrThrough.create!
496
+ test_item = NWayJoinItem.create!
497
+ test_model_1 = TestModel.create!(:test_attr_through_id => test_attr_through_1.id)
498
+ test_attr_1 = TestAttr.create!(:test_attr_through_id => test_attr_through_1.id,
499
+ :n_way_join_item_id => test_item.id)
500
+
501
+ user = MockUser.new(:test_role,
502
+ :id => test_attr_through_1.id)
503
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
504
+
505
+ TestModel.delete_all
506
+ TestAttrThrough.delete_all
507
+ TestAttr.delete_all
508
+ end
509
+ end
510
+
511
+ def test_named_scope_with_is_and_has_one
512
+ reader = Authorization::Reader::DSLReader.new
513
+ reader.parse %{
514
+ authorization do :test_attr_has_one
515
+ role :test_role do
516
+ has_permission_on :test_models, :to => :read do
517
+ if_attribute :test_attr_has_one => is { user.test_attr }
518
+ end
519
+ end
520
+ end
521
+ }
522
+ Authorization::Engine.instance(reader)
523
+
524
+ test_model_1 = TestModel.create!
525
+ test_attr_1 = test_model_1.test_attrs.create!
526
+ TestModel.create!.test_attrs.create!
527
+
528
+ user = MockUser.new(:test_role, :test_attr => test_attr_1)
529
+ assert_equal 1, TestModel.with_permissions_to(:read,
530
+ :context => :test_models, :user => user).length
531
+
532
+ TestModel.delete_all
533
+ TestAttr.delete_all
534
+ end
535
+
536
+ def test_named_scope_with_is_and_has_one_through_conditions
537
+ reader = Authorization::Reader::DSLReader.new
538
+ reader.parse %{
539
+ authorization do
540
+ role :test_role do
541
+ has_permission_on :test_models, :to => :read do
542
+ if_attribute :test_attr_throughs_with_attr_and_has_one => contains { user }
543
+ end
544
+ end
545
+ end
546
+ }
547
+ Authorization::Engine.instance(reader)
548
+
549
+ test_model_1 = TestModel.create!
550
+ test_model_2 = TestModel.create!
551
+ test_model_1.test_attrs.create!(:attr => 1).test_attr_throughs.create!
552
+ test_model_1.test_attrs.create!(:attr => 2).test_attr_throughs.create!
553
+ test_model_2.test_attrs.create!(:attr => 1).test_attr_throughs.create!
554
+ test_model_2.test_attrs.create!(:attr => 2).test_attr_throughs.create!
555
+
556
+ #assert_equal 1, test_model_1.test_attrs_with_attr.length
557
+ user = MockUser.new(:test_role,
558
+ :id => test_model_1.test_attr_throughs.first.id)
559
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
560
+ user = MockUser.new(:test_role,
561
+ :id => test_model_1.test_attr_throughs.last.id)
562
+ assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
563
+
564
+ TestModel.delete_all
565
+ TestAttr.delete_all
566
+ end
567
+
568
+ def test_named_scope_with_is_in
569
+ reader = Authorization::Reader::DSLReader.new
570
+ reader.parse %{
571
+ authorization do
572
+ role :test_role do
573
+ has_permission_on :test_attrs, :to => :read do
574
+ if_attribute :test_model => is_in { [user.test_model, user.test_model_2] }
575
+ end
576
+ end
577
+ end
578
+ }
579
+ Authorization::Engine.instance(reader)
580
+
581
+ test_model_1 = TestModel.create!
582
+ test_model_2 = TestModel.create!
583
+ test_model_1.test_attrs.create!
584
+ TestModel.create!.test_attrs.create!
585
+
586
+ user = MockUser.new(:test_role, :test_model => test_model_1,
587
+ :test_model_2 => test_model_2)
588
+ assert_equal 1, TestAttr.with_permissions_to(:read,
589
+ :context => :test_attrs, :user => user).length
590
+
591
+ TestModel.delete_all
592
+ TestAttr.delete_all
593
+ end
594
+
595
+ def test_named_scope_with_not_is_in
596
+ reader = Authorization::Reader::DSLReader.new
597
+ reader.parse %{
598
+ authorization do
599
+ role :test_role do
600
+ has_permission_on :test_attrs, :to => :read do
601
+ if_attribute :test_model => is_not_in { [user.test_model, user.test_model_2] }
602
+ end
603
+ end
604
+ end
605
+ }
606
+ Authorization::Engine.instance(reader)
607
+
608
+ test_model_1 = TestModel.create!
609
+ test_model_2 = TestModel.create!
610
+ test_model_1.test_attrs.create!
611
+ TestModel.create!.test_attrs.create!
612
+
613
+ user = MockUser.new(:test_role, :test_model => test_model_1,
614
+ :test_model_2 => test_model_2)
615
+ assert_equal 1, TestAttr.with_permissions_to(:read,
616
+ :context => :test_attrs, :user => user).length
617
+
618
+ TestModel.delete_all
619
+ TestAttr.delete_all
620
+ end
621
+
622
+ def test_named_scope_with_if_permitted_to
623
+ reader = Authorization::Reader::DSLReader.new
624
+ reader.parse %{
625
+ authorization do
626
+ role :test_role do
627
+ has_permission_on :test_models, :to => :read do
628
+ if_attribute :test_attrs => contains { user }
629
+ end
630
+ has_permission_on :test_attrs, :to => :read do
631
+ if_permitted_to :read, :test_model
632
+ end
633
+ end
634
+ end
635
+ }
636
+ Authorization::Engine.instance(reader)
637
+
638
+ test_model_1 = TestModel.create!
639
+ test_attr_1 = test_model_1.test_attrs.create!
640
+
641
+ user = MockUser.new(:test_role, :id => test_attr_1.id)
642
+ assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
643
+ TestModel.delete_all
644
+ TestAttr.delete_all
645
+ end
646
+
647
+ def test_named_scope_with_if_permitted_to_and_empty_obligations
648
+ reader = Authorization::Reader::DSLReader.new
649
+ reader.parse %{
650
+ authorization do
651
+ role :test_role do
652
+ has_permission_on :test_models, :to => :read
653
+ has_permission_on :test_attrs, :to => :read do
654
+ if_permitted_to :read, :test_model
655
+ end
656
+ end
657
+ end
658
+ }
659
+ Authorization::Engine.instance(reader)
660
+
661
+ test_model_1 = TestModel.create!
662
+ test_attr_1 = test_model_1.test_attrs.create!
663
+
664
+ user = MockUser.new(:test_role)
665
+ assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
666
+ TestModel.delete_all
667
+ TestAttr.delete_all
668
+ end
669
+
670
+ def test_model_security
671
+ reader = Authorization::Reader::DSLReader.new
672
+ reader.parse %{
673
+ authorization do
674
+ role :test_role_unrestricted do
675
+ has_permission_on :test_model_security_models do
676
+ to :read, :create, :update, :delete
677
+ end
678
+ end
679
+ role :test_role do
680
+ has_permission_on :test_model_security_models do
681
+ to :read, :create, :update, :delete
682
+ if_attribute :attr => is { 1 }
683
+ end
684
+ end
685
+ role :test_role_restricted do
686
+ end
687
+ end
688
+ }
689
+ Authorization::Engine.instance(reader)
690
+
691
+ Authorization.current_user = MockUser.new(:test_role)
692
+ assert(object = TestModelSecurityModel.create)
693
+ Authorization.current_user = MockUser.new(:test_role_restricted)
694
+ assert_raise Authorization::NotAuthorized do
695
+ object.update_attributes(:attr_2 => 2)
696
+ end
697
+ Authorization.current_user = MockUser.new(:test_role)
698
+ assert_nothing_raised { object.update_attributes(:attr_2 => 2) }
699
+ object.reload
700
+ assert_equal 2, object.attr_2
701
+ object.destroy
702
+ assert_raise ActiveRecord::RecordNotFound do
703
+ TestModelSecurityModel.find(object.id)
704
+ end
705
+
706
+ assert_raise Authorization::AttributeAuthorizationError do
707
+ TestModelSecurityModel.create :attr => 2
708
+ end
709
+ object = TestModelSecurityModel.create
710
+ assert_raise Authorization::AttributeAuthorizationError do
711
+ object.update_attributes(:attr => 2)
712
+ end
713
+ Authorization.current_user = MockUser.new(:test_role_unrestricted)
714
+ object = TestModelSecurityModel.create :attr => 2
715
+ object_with_find = TestModelSecurityModelWithFind.create :attr => 2
716
+ Authorization.current_user = MockUser.new(:test_role)
717
+ assert_nothing_raised do
718
+ object.class.find(object.id)
719
+ end
720
+ assert_raise Authorization::AttributeAuthorizationError do
721
+ object_with_find.class.find(object_with_find.id)
722
+ end
723
+ assert_raise Authorization::AttributeAuthorizationError do
724
+ object.update_attributes(:attr_2 => 2)
725
+ end
726
+ # TODO test this:
727
+ #assert_raise Authorization::AuthorizationError do
728
+ # object.update_attributes(:attr => 1)
729
+ #end
730
+ assert_raise Authorization::AttributeAuthorizationError do
731
+ object.destroy
732
+ end
733
+
734
+ Authorization.current_user = MockUser.new(:test_role_2)
735
+ assert_raise Authorization::NotAuthorized do
736
+ TestModelSecurityModel.create
737
+ end
738
+ end
739
+
740
+ def test_model_security_with_assoc
741
+ reader = Authorization::Reader::DSLReader.new
742
+ reader.parse %{
743
+ authorization do
744
+ role :test_role do
745
+ has_permission_on :test_model_security_models do
746
+ to :create, :update, :delete
747
+ if_attribute :test_attrs => contains { user }
748
+ end
749
+ end
750
+ end
751
+ }
752
+ Authorization::Engine.instance(reader)
753
+
754
+ test_attr = TestAttr.create
755
+ test_attr.role_symbols << :test_role
756
+ Authorization.current_user = test_attr
757
+ assert(object = TestModelSecurityModel.create(:test_attrs => [test_attr]))
758
+ assert_nothing_raised do
759
+ object.update_attributes(:attr_2 => 2)
760
+ end
761
+ object.reload
762
+ assert_equal 2, object.attr_2
763
+ object.destroy
764
+ assert_raise ActiveRecord::RecordNotFound do
765
+ TestModelSecurityModel.find(object.id)
766
+ end
767
+ end
768
+
769
+ def test_using_access_control
770
+ assert !TestModel.using_access_control?
771
+ assert TestModelSecurityModel.using_access_control?
772
+ end
773
+
774
+ def test_authorization_permit_association_proxy
775
+ reader = Authorization::Reader::DSLReader.new
776
+ reader.parse %{
777
+ authorization do
778
+ role :test_role do
779
+ has_permission_on :test_attrs, :to => :read do
780
+ if_attribute :test_model => {:content => "content" }
781
+ end
782
+ end
783
+ end
784
+ }
785
+ engine = Authorization::Engine.instance(reader)
786
+
787
+ test_model = TestModel.create(:content => "content")
788
+ assert engine.permit?(:read, :object => test_model.test_attrs,
789
+ :user => MockUser.new(:test_role))
790
+ assert !engine.permit?(:read, :object => TestAttr.new,
791
+ :user => MockUser.new(:test_role))
792
+ TestModel.delete_all
793
+ end
794
+ end
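Review bot: The commented-out block near the end of test_model_security (`# TODO test this: … object.update_attributes(:attr => 1)`) is the case that matters most for the model-level guard: a :test_role user holding a record with `attr => 2` changes the very attribute the `if_attribute :attr => is { 1 }` rule inspects, and if the before-save check evaluates the already-assigned attributes rather than the persisted ones, that update would be permitted and the user could promote a record into the authorised set. Turning the TODO into `assert_raise Authorization::AttributeAuthorizationError do object.update_attributes(:attr => 1) end` (or a comment stating why it cannot be asserted yet) would close that gap. `authorization do :test_attr_has_one` in test_named_scope_with_is_and_has_one carries a stray symbol after `do`; it is a harmless expression statement inside the DSL string but reads like a leftover and should be `authorization do`. `Authorization.current_user` is assigned in test_model_security and test_model_security_with_assoc but never reset, so the last value (a MockUser with the undefined `:test_role_2`, or the TestAttr instance) leaks into whichever test runs next; a teardown that nils it would keep these tests order-independent.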