stffn-declarative_authorization 0.2.1 → 0.2.3
- data/CHANGELOG +2 -0
- data/Rakefile +8 -0
- data/app/controllers/authorization_rules_controller.rb +103 -0
- data/app/controllers/authorization_usages_controller.rb +19 -0
- data/app/helpers/authorization_rules_helper.rb +84 -0
- data/app/views/authorization_rules/graph.dot.erb +49 -0
- data/app/views/authorization_rules/graph.html.erb +39 -0
- data/app/views/authorization_rules/index.html.erb +15 -0
- data/app/views/authorization_usages/index.html.erb +45 -0
- data/config/routes.rb +6 -0
- data/lib/authorization.rb +514 -0
- data/lib/helper.rb +51 -0
- data/lib/in_controller.rb +311 -0
- data/lib/in_model.rb +130 -0
- data/lib/maintenance.rb +174 -0
- data/lib/obligation_scope.rb +281 -0
- data/lib/rails_legacy.rb +14 -0
- data/lib/reader.rb +391 -0
- data/test/authorization_test.rb +576 -0
- data/test/controller_test.rb +361 -0
- data/test/dsl_reader_test.rb +157 -0
- data/test/helper_test.rb +96 -0
- data/test/maintenance_test.rb +15 -0
- data/test/model_test.rb +794 -0
- data/test/schema.sql +32 -0
- data/test/test_helper.rb +99 -0
- metadata +26 -2
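--- a/data/test/helper_test.rb
+++ b/data/test/helper_test.rb
@@ -0,0 +1,96 @@
+require File.join(File.dirname(__FILE__), 'test_helper.rb')
+require File.dirname(__FILE__) + '/../lib/in_controller.rb'
+require File.dirname(__FILE__) + '/../lib/helper.rb'
+
+
+class HelperMocksController < MocksController
+filter_access_to :action, :require => :show, :context => :mocks
+define_action_methods :action
+end
+class HelperTest < ActionController::TestCase
+tests HelperMocksController
+include Authorization::AuthorizationHelper
+attr_reader :controller
+
+def test_permit
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :mocks, :to => :show
+end
+role :test_role_2 do
+has_permission_on :mocks, :to => :update
+end
+end
+}
+user = MockUser.new(:test_role)
+request!(user, :action, reader)
+
+assert permitted_to?(:show, :mocks)
+assert !permitted_to?(:update, :mocks)
+
+block_evaled = false
+permitted_to?(:show, :mocks) do
+block_evaled = true
+end
+assert block_evaled
+
+block_evaled = false
+permitted_to?(:update, :mocks) do
+block_evaled = true
+end
+assert !block_evaled
+end
+
+def test_permit_with_object
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :mocks do
+to :show
+if_attribute :test_attr => is {user.test_attr}
+end
+end
+end
+}
+user = MockUser.new(:test_role, :test_attr => 1)
+mock = MockDataObject.new(:test_attr => 1)
+mock_2 = MockDataObject.new(:test_attr => 2)
+request!(user, :action, reader)
+
+assert permitted_to?(:show, mock)
+assert permitted_to?(:show, :mocks)
+assert !permitted_to?(:show, mock_2)
+end
+
+def test_has_role
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :mocks, :to => :show
+end
+end
+}
+user = MockUser.new(:test_role)
+request!(user, :action, reader)
+
+assert has_role?(:test_role)
+assert !has_role?(:test_role2)
+
+block_evaled = false
+has_role?(:test_role) do
+block_evaled = true
+end
+assert block_evaled
+
+block_evaled = false
+has_role?(:test_role2) do
+block_evaled = true
+end
+assert !block_evaled
+end
+
+end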
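Review bot: `assert permitted_to?(:show, :mocks)` in test_permit_with_object, sitting between the `mock` and `mock_2` assertions, pins a permissive semantic that deserves a comment: with only a context symbol the `if_attribute :test_attr => is {user.test_attr}` condition is evidently not evaluated, so the helper answers "could some mock be shown", not "may this mock be shown". I would add above that line `# context-only check skips if_attribute conditions; never use it as a per-object guard` so the next maintainer does not read the three assertions as contradictory or copy the context form into a view as an object-level guard. The block form of permitted_to? is only exercised with a context symbol in test_permit; a block case with `mock_2` (expected not to run) would cover the object path as well. `request!`, `MockUser`, `MockDataObject` and `MocksController` come from test_helper.rb, outside this hunk, so what `request!` does with `reader` is assumed here.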
@@ -0,0 +1,15 @@
|
|
1
|
+
require File.join(File.dirname(__FILE__), 'test_helper.rb')
|
2
|
+
require File.join(File.dirname(__FILE__), %w{.. lib maintenance})
|
3
|
+
|
4
|
+
class MaintenanceTest < Test::Unit::TestCase
|
5
|
+
|
6
|
+
def test_usages_by_controllers
|
7
|
+
usage_test_controller = Class.new(ActionController::Base)
|
8
|
+
usage_test_controller.send(:define_method, :an_action) {}
|
9
|
+
usage_test_controller.filter_access_to :an_action
|
10
|
+
|
11
|
+
assert Authorization::Maintenance::Usage::usages_by_controller.
|
12
|
+
include?(usage_test_controller)
|
13
|
+
end
|
14
|
+
|
15
|
+
end
|
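--- a/data/test/model_test.rb
+++ b/data/test/model_test.rb
@@ -0,0 +1,794 @@
+require File.join(File.dirname(__FILE__), 'test_helper.rb')
+require File.join(File.dirname(__FILE__), '..', 'lib', 'in_model.rb')
+
+ActiveRecord::Base.send :include, Authorization::AuthorizationInModel
+#ActiveRecord::Base.logger = Logger.new(STDOUT)
+
+options = {:adapter => 'sqlite3', :timeout => 500, :database => ':memory:'}
+ActiveRecord::Base.establish_connection(options)
+ActiveRecord::Base.configurations = { 'sqlite3_ar_integration' => options }
+ActiveRecord::Base.connection
+
+File.read(File.dirname(__FILE__) + "/schema.sql").split(';').each do |sql|
+ActiveRecord::Base.connection.execute(sql) unless sql.blank?
+end
+
+class TestModel < ActiveRecord::Base
+has_many :test_attrs
+has_many :test_attr_throughs, :through => :test_attrs
+has_many :test_attrs_with_attr, :class_name => "TestAttr", :conditions => {:attr => 1}
+has_many :test_attr_throughs_with_attr, :through => :test_attrs,
+:class_name => "TestAttrThrough", :source => :test_attr_throughs,
+:conditions => "test_attrs.attr = 1"
+has_one :test_attr_has_one, :class_name => "TestAttr"
+has_one :test_attr_throughs_with_attr_and_has_one, :through => :test_attrs,
+:class_name => "TestAttrThrough", :source => :test_attr_throughs,
+:conditions => "test_attrs.attr = 1"
+
+# Primary key test
+# take this out for Rails prior to 2.2
+if ([Rails::VERSION::MAJOR, Rails::VERSION::MINOR] <=> [2, 2]) > -1
+has_many :test_attrs_with_primary_id, :class_name => "TestAttr",
+:primary_key => :test_attr_through_id, :foreign_key => :test_attr_through_id
+has_many :test_attr_throughs_with_primary_id,
+:through => :test_attrs_with_primary_id, :class_name => "TestAttrThrough",
+:source => :n_way_join_item
+end
+end
+
+class NWayJoinItem < ActiveRecord::Base
+has_many :test_attrs
+has_many :others, :through => :test_attrs, :source => :n_way_join_item
+end
+
+class TestAttr < ActiveRecord::Base
+belongs_to :test_model
+belongs_to :test_another_model, :class_name => "TestModel", :foreign_key => :test_another_model_id
+belongs_to :n_way_join_item
+has_many :test_attr_throughs
+attr_reader :role_symbols
+def initialize (*args)
+@role_symbols = []
+super(*args)
+end
+end
+
+class TestAttrThrough < ActiveRecord::Base
+belongs_to :test_attr
+end
+
+class TestModelSecurityModel < ActiveRecord::Base
+has_many :test_attrs
+using_access_control
+end
+class TestModelSecurityModelWithFind < ActiveRecord::Base
+set_table_name "test_model_security_models"
+has_many :test_attrs
+using_access_control :include_read => true,
+:context => :test_model_security_models
+end
+
+class ModelTest < Test::Unit::TestCase
+def test_named_scope_multiple_deep_ored_belongs_to
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :test_attrs, :to => :read do
+if_attribute :test_model => {:test_attrs => contains {user}}
+if_attribute :test_another_model => {:test_attrs => contains {user}}
+end
+end
+end
+}
+Authorization::Engine.instance(reader)
+
+test_model_1 = TestModel.create!
+test_model_2 = TestModel.create!
+test_attr_1 = TestAttr.create! :test_model_id => test_model_1.id,
+:test_another_model_id => test_model_2.id
+
+user = MockUser.new(:test_role, :id => test_attr_1)
+assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+TestAttr.delete_all
+TestModel.delete_all
+end
+
+def test_named_scope_with_belongs_to_and_has_many_with_contains
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :test_attrs, :to => :read do
+if_attribute :test_model => { :test_attrs => contains { user.test_attr_value } }
+end
+end
+end
+}
+Authorization::Engine.instance(reader)
+
+test_attr_1 = TestAttr.create!
+test_model_1 = TestModel.create!
+test_model_1.test_attrs.create!
+
+user = MockUser.new(:test_role, :test_attr_value => test_model_1.test_attrs.first.id )
+assert_equal 1, TestAttr.with_permissions_to( :read, :context => :test_attrs, :user => user ).length
+assert_equal 1, TestAttr.with_permissions_to( :read, :user => user ).length
+assert_raise Authorization::NotAuthorized do
+TestAttr.with_permissions_to( :update_test_attrs, :user => user )
+end
+TestAttr.delete_all
+TestModel.delete_all
+end
+
+def test_named_scope_with_is
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :test_models, :to => :read do
+if_attribute :id => is { user.test_attr_value }
+end
+end
+end
+}
+Authorization::Engine.instance(reader)
+
+test_model_1 = TestModel.create!
+TestModel.create!
+
+user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
+assert_equal 1, TestModel.with_permissions_to(:read,
+:context => :test_models, :user => user).length
+assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+assert_raise Authorization::NotAuthorized do
+TestModel.with_permissions_to(:update_test_models, :user => user)
+end
+TestModel.delete_all
+end
+
+def test_named_scope_with_not_is
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :test_models, :to => :read do
+if_attribute :id => is_not { user.test_attr_value }
+end
+end
+end
+}
+Authorization::Engine.instance(reader)
+
+test_model_1 = TestModel.create!
+TestModel.create!
+
+user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
+assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+TestModel.delete_all
+end
+
+def test_named_scope_with_empty_obligations
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :test_models, :to => :read
+end
+end
+}
+Authorization::Engine.instance(reader)
+
+TestModel.create!
+
+user = MockUser.new(:test_role)
+assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+assert_raise Authorization::NotAuthorized do
+TestModel.with_permissions_to(:update, :user => user)
+end
+TestModel.delete_all
+end
+
+def test_named_scope_multiple_obligations
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :test_models, :to => :read do
+if_attribute :id => is { user.test_attr_value }
+end
+has_permission_on :test_models, :to => :read do
+if_attribute :id => is { user.test_attr_value_2 }
+end
+end
+end
+}
+Authorization::Engine.instance(reader)
+
+test_model_1 = TestModel.create!
+test_model_2 = TestModel.create!
+
+user = MockUser.new(:test_role, :test_attr_value => test_model_1.id,
+:test_attr_value_2 => test_model_2.id)
+assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
+TestModel.delete_all
+end
+
+def test_named_scope_multiple_and_empty_obligations
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :test_models, :to => :read do
+if_attribute :id => is { user.test_attr_value }
+end
+has_permission_on :test_models, :to => :read
+end
+end
+}
+Authorization::Engine.instance(reader)
+
+test_model_1 = TestModel.create!
+TestModel.create!
+
+user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
+assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
+TestModel.delete_all
+end
+
+def test_named_scope_multiple_attributes
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :test_models, :to => :read do
+if_attribute :id => is { user.test_attr_value }, :content => "bla"
+end
+end
+end
+}
+Authorization::Engine.instance(reader)
+
+test_model_1 = TestModel.create! :content => 'bla'
+TestModel.create! :content => 'bla'
+TestModel.create!
+
+user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
+assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+TestModel.delete_all
+end
+
+def test_named_scope_multiple_belongs_to
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :test_attrs, :to => :read do
+if_attribute :test_model => is {user}
+if_attribute :test_another_model => is {user}
+end
+end
+end
+}
+Authorization::Engine.instance(reader)
+
+test_attr_1 = TestAttr.create! :test_model_id => 1, :test_another_model_id => 2
+
+user = MockUser.new(:test_role, :id => 1)
+assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+TestAttr.delete_all
+end
+
+def test_named_scope_with_is_and_priv_hierarchy
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+privileges do
+privilege :read do
+includes :list, :show
+end
+end
+authorization do
+role :test_role do
+has_permission_on :test_models, :to => :read do
+if_attribute :id => is { user.test_attr_value }
+end
+end
+end
+}
+Authorization::Engine.instance(reader)
+
+test_model_1 = TestModel.create!
+TestModel.create!
+
+user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
+assert_equal 1, TestModel.with_permissions_to(:list,
+:context => :test_models, :user => user).length
+assert_equal 1, TestModel.with_permissions_to(:list, :user => user).length
+
+TestModel.delete_all
+end
+
+def test_named_scope_with_is_and_belongs_to
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :test_attrs, :to => :read do
+if_attribute :test_model => is { user.test_model }
+end
+end
+end
+}
+Authorization::Engine.instance(reader)
+
+test_model_1 = TestModel.create!
+test_model_1.test_attrs.create!
+TestModel.create!.test_attrs.create!
+
+user = MockUser.new(:test_role, :test_model => test_model_1)
+assert_equal 1, TestAttr.with_permissions_to(:read,
+:context => :test_attrs, :user => user).length
+
+TestModel.delete_all
+TestAttr.delete_all
+end
+
+def test_named_scope_with_deep_attribute
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :test_attrs, :to => :read do
+if_attribute :test_model => {:id => is { user.test_model_id } }
+end
+end
+end
+}
+Authorization::Engine.instance(reader)
+
+test_model_1 = TestModel.create!
+test_model_1.test_attrs.create!
+TestModel.create!.test_attrs.create!
+
+user = MockUser.new(:test_role, :test_model_id => test_model_1.id)
+assert_equal 1, TestAttr.with_permissions_to(:read,
+:context => :test_attrs, :user => user).length
+
+TestModel.delete_all
+TestAttr.delete_all
+end
+
+def test_named_scope_with_contains
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :test_models, :to => :read do
+if_attribute :test_attrs => contains { user }
+end
+end
+end
+}
+Authorization::Engine.instance(reader)
+
+test_model_1 = TestModel.create!
+test_model_2 = TestModel.create!
+test_model_1.test_attrs.create!
+test_model_1.test_attrs.create!
+test_model_2.test_attrs.create!
+
+user = MockUser.new(:test_role,
+:id => test_model_1.test_attrs.first.id)
+assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+assert_equal 1, TestModel.with_permissions_to(:read, :user => user).find(:all, :conditions => {:id => test_model_1.id}).length
+
+TestModel.delete_all
+TestAttr.delete_all
+end
+
+def test_named_scope_with_does_not_contain
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :test_models, :to => :read do
+if_attribute :test_attrs => does_not_contain { user }
+end
+end
+end
+}
+Authorization::Engine.instance(reader)
+
+test_model_1 = TestModel.create!
+test_model_2 = TestModel.create!
+test_model_1.test_attrs.create!
+test_model_2.test_attrs.create!
+
+user = MockUser.new(:test_role,
+:id => test_model_1.test_attrs.first.id)
+assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+
+TestModel.delete_all
+TestAttr.delete_all
+end
+
+def test_named_scope_with_contains_conditions
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :test_models, :to => :read do
+if_attribute :test_attrs_with_attr => contains { user }
+end
+end
+end
+}
+Authorization::Engine.instance(reader)
+
+test_model_1 = TestModel.create!
+test_model_2 = TestModel.create!
+test_model_1.test_attrs_with_attr.create!
+test_model_1.test_attrs.create!(:attr => 2)
+test_model_2.test_attrs_with_attr.create!
+test_model_2.test_attrs.create!(:attr => 2)
+
+#assert_equal 1, test_model_1.test_attrs_with_attr.length
+user = MockUser.new(:test_role,
+:id => test_model_1.test_attrs.first.id)
+assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+user = MockUser.new(:test_role,
+:id => test_model_1.test_attrs.last.id)
+assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
+
+TestModel.delete_all
+TestAttr.delete_all
+end
+
+def test_named_scope_with_contains_through_conditions
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :test_models, :to => :read do
+if_attribute :test_attr_throughs_with_attr => contains { user }
+end
+end
+end
+}
+Authorization::Engine.instance(reader)
+
+test_model_1 = TestModel.create!
+test_model_2 = TestModel.create!
+test_model_1.test_attrs.create!(:attr => 1).test_attr_throughs.create!
+test_model_1.test_attrs.create!(:attr => 2).test_attr_throughs.create!
+test_model_2.test_attrs.create!(:attr => 1).test_attr_throughs.create!
+test_model_2.test_attrs.create!(:attr => 2).test_attr_throughs.create!
+
+#assert_equal 1, test_model_1.test_attrs_with_attr.length
+user = MockUser.new(:test_role,
+:id => test_model_1.test_attr_throughs.first.id)
+assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+user = MockUser.new(:test_role,
+:id => test_model_1.test_attr_throughs.last.id)
+assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
+
+TestModel.delete_all
+TestAttrThrough.delete_all
+TestAttr.delete_all
+end
+
+# take this out for Rails prior to 2.2
+if ([Rails::VERSION::MAJOR, Rails::VERSION::MINOR] <=> [2, 2]) > -1
+def test_named_scope_with_contains_through_primary_key
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :test_models, :to => :read do
+if_attribute :test_attr_throughs_with_primary_id => contains { user }
+end
+end
+end
+}
+Authorization::Engine.instance(reader)
+
+test_attr_through_1 = TestAttrThrough.create!
+test_item = NWayJoinItem.create!
+test_model_1 = TestModel.create!(:test_attr_through_id => test_attr_through_1.id)
+test_attr_1 = TestAttr.create!(:test_attr_through_id => test_attr_through_1.id,
+:n_way_join_item_id => test_item.id)
+
+user = MockUser.new(:test_role,
+:id => test_attr_through_1.id)
+assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+
+TestModel.delete_all
+TestAttrThrough.delete_all
+TestAttr.delete_all
+end
+end
+
+def test_named_scope_with_is_and_has_one
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do :test_attr_has_one
+role :test_role do
+has_permission_on :test_models, :to => :read do
+if_attribute :test_attr_has_one => is { user.test_attr }
+end
+end
+end
+}
+Authorization::Engine.instance(reader)
+
+test_model_1 = TestModel.create!
+test_attr_1 = test_model_1.test_attrs.create!
+TestModel.create!.test_attrs.create!
+
+user = MockUser.new(:test_role, :test_attr => test_attr_1)
+assert_equal 1, TestModel.with_permissions_to(:read,
+:context => :test_models, :user => user).length
+
+TestModel.delete_all
+TestAttr.delete_all
+end
+
+def test_named_scope_with_is_and_has_one_through_conditions
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :test_models, :to => :read do
+if_attribute :test_attr_throughs_with_attr_and_has_one => contains { user }
+end
+end
+end
+}
+Authorization::Engine.instance(reader)
+
+test_model_1 = TestModel.create!
+test_model_2 = TestModel.create!
+test_model_1.test_attrs.create!(:attr => 1).test_attr_throughs.create!
+test_model_1.test_attrs.create!(:attr => 2).test_attr_throughs.create!
+test_model_2.test_attrs.create!(:attr => 1).test_attr_throughs.create!
+test_model_2.test_attrs.create!(:attr => 2).test_attr_throughs.create!
+
+#assert_equal 1, test_model_1.test_attrs_with_attr.length
+user = MockUser.new(:test_role,
+:id => test_model_1.test_attr_throughs.first.id)
+assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
+user = MockUser.new(:test_role,
+:id => test_model_1.test_attr_throughs.last.id)
+assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
+
+TestModel.delete_all
+TestAttr.delete_all
+end
+
+def test_named_scope_with_is_in
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :test_attrs, :to => :read do
+if_attribute :test_model => is_in { [user.test_model, user.test_model_2] }
+end
+end
+end
+}
+Authorization::Engine.instance(reader)
+
+test_model_1 = TestModel.create!
+test_model_2 = TestModel.create!
+test_model_1.test_attrs.create!
+TestModel.create!.test_attrs.create!
+
+user = MockUser.new(:test_role, :test_model => test_model_1,
+:test_model_2 => test_model_2)
+assert_equal 1, TestAttr.with_permissions_to(:read,
+:context => :test_attrs, :user => user).length
+
+TestModel.delete_all
+TestAttr.delete_all
+end
+
+def test_named_scope_with_not_is_in
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :test_attrs, :to => :read do
+if_attribute :test_model => is_not_in { [user.test_model, user.test_model_2] }
+end
+end
+end
+}
+Authorization::Engine.instance(reader)
+
+test_model_1 = TestModel.create!
+test_model_2 = TestModel.create!
+test_model_1.test_attrs.create!
+TestModel.create!.test_attrs.create!
+
+user = MockUser.new(:test_role, :test_model => test_model_1,
+:test_model_2 => test_model_2)
+assert_equal 1, TestAttr.with_permissions_to(:read,
+:context => :test_attrs, :user => user).length
+
+TestModel.delete_all
+TestAttr.delete_all
+end
+
+def test_named_scope_with_if_permitted_to
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :test_models, :to => :read do
+if_attribute :test_attrs => contains { user }
+end
+has_permission_on :test_attrs, :to => :read do
+if_permitted_to :read, :test_model
+end
+end
+end
+}
+Authorization::Engine.instance(reader)
+
+test_model_1 = TestModel.create!
+test_attr_1 = test_model_1.test_attrs.create!
+
+user = MockUser.new(:test_role, :id => test_attr_1.id)
+assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+TestModel.delete_all
+TestAttr.delete_all
+end
+
+def test_named_scope_with_if_permitted_to_and_empty_obligations
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :test_models, :to => :read
+has_permission_on :test_attrs, :to => :read do
+if_permitted_to :read, :test_model
+end
+end
+end
+}
+Authorization::Engine.instance(reader)
+
+test_model_1 = TestModel.create!
+test_attr_1 = test_model_1.test_attrs.create!
+
+user = MockUser.new(:test_role)
+assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
+TestModel.delete_all
+TestAttr.delete_all
+end
+
+def test_model_security
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role_unrestricted do
+has_permission_on :test_model_security_models do
+to :read, :create, :update, :delete
+end
+end
+role :test_role do
+has_permission_on :test_model_security_models do
+to :read, :create, :update, :delete
+if_attribute :attr => is { 1 }
+end
+end
+role :test_role_restricted do
+end
+end
+}
+Authorization::Engine.instance(reader)
+
+Authorization.current_user = MockUser.new(:test_role)
+assert(object = TestModelSecurityModel.create)
+Authorization.current_user = MockUser.new(:test_role_restricted)
+assert_raise Authorization::NotAuthorized do
+object.update_attributes(:attr_2 => 2)
+end
+Authorization.current_user = MockUser.new(:test_role)
+assert_nothing_raised { object.update_attributes(:attr_2 => 2) }
+object.reload
+assert_equal 2, object.attr_2
+object.destroy
+assert_raise ActiveRecord::RecordNotFound do
+TestModelSecurityModel.find(object.id)
+end
+
+assert_raise Authorization::AttributeAuthorizationError do
+TestModelSecurityModel.create :attr => 2
+end
+object = TestModelSecurityModel.create
+assert_raise Authorization::AttributeAuthorizationError do
+object.update_attributes(:attr => 2)
+end
+Authorization.current_user = MockUser.new(:test_role_unrestricted)
+object = TestModelSecurityModel.create :attr => 2
+object_with_find = TestModelSecurityModelWithFind.create :attr => 2
+Authorization.current_user = MockUser.new(:test_role)
+assert_nothing_raised do
+object.class.find(object.id)
+end
+assert_raise Authorization::AttributeAuthorizationError do
+object_with_find.class.find(object_with_find.id)
+end
+assert_raise Authorization::AttributeAuthorizationError do
+object.update_attributes(:attr_2 => 2)
+end
+# TODO test this:
+#assert_raise Authorization::AuthorizationError do
+# object.update_attributes(:attr => 1)
+#end
+assert_raise Authorization::AttributeAuthorizationError do
+object.destroy
+end
+
+Authorization.current_user = MockUser.new(:test_role_2)
+assert_raise Authorization::NotAuthorized do
+TestModelSecurityModel.create
+end
+end
+
+def test_model_security_with_assoc
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :test_model_security_models do
+to :create, :update, :delete
+if_attribute :test_attrs => contains { user }
+end
+end
+end
+}
+Authorization::Engine.instance(reader)
+
+test_attr = TestAttr.create
+test_attr.role_symbols << :test_role
+Authorization.current_user = test_attr
+assert(object = TestModelSecurityModel.create(:test_attrs => [test_attr]))
+assert_nothing_raised do
+object.update_attributes(:attr_2 => 2)
+end
+object.reload
+assert_equal 2, object.attr_2
+object.destroy
+assert_raise ActiveRecord::RecordNotFound do
+TestModelSecurityModel.find(object.id)
+end
+end
+
+def test_using_access_control
+assert !TestModel.using_access_control?
+assert TestModelSecurityModel.using_access_control?
+end
+
+def test_authorization_permit_association_proxy
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :test_attrs, :to => :read do
+if_attribute :test_model => {:content => "content" }
+end
+end
+end
+}
+engine = Authorization::Engine.instance(reader)
+
+test_model = TestModel.create(:content => "content")
+assert engine.permit?(:read, :object => test_model.test_attrs,
+:user => MockUser.new(:test_role))
+assert !engine.permit?(:read, :object => TestAttr.new,
+:user => MockUser.new(:test_role))
+TestModel.delete_all
+end
+end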
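Review bot: The commented-out TODO in test_model_security (`# object.update_attributes(:attr => 1)`, right after the `:attr_2 => 2` assertion on the attr-2 object) leaves untested the case that matters most for an attribute-gated rule: a :test_role user, who is only permitted on rows whose `attr` is 1, rewriting `attr` on a row they may not update so that it becomes one they may. Whether the update hook evaluates `if_attribute :attr => is { 1 }` against the persisted value or against the freshly assigned one decides whether this is a self-granted privilege escalation, and nothing in this file pins it; I would replace the TODO with `assert_raise(Authorization::AttributeAuthorizationError) { object.update_attributes(:attr => 1) }`, using the exception class the sibling assertions in this test already expect rather than the AuthorizationError the comment names (if the hook in in_model.rb, outside this hunk, reads the new value, that assertion will fail and the library needs the fix). Separately, this test never resets `Authorization.current_user` and leaves its rows behind, and every test replaces the `Authorization::Engine.instance` singleton, so outcomes depend on test order; a `teardown` that clears `Authorization.current_user` and calls `delete_all` on the test tables would make the suite deterministic. The stray `:test_attr_has_one` after `authorization do` in test_named_scope_with_is_and_has_one is a no-op symbol literal that reads like an editing leftover and should be dropped.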