stffn-declarative_authorization 0.2.1 → 0.2.3
Sign up to get free protection for your applications and to get access to all the features.
- data/CHANGELOG +2 -0
- data/Rakefile +8 -0
- data/app/controllers/authorization_rules_controller.rb +103 -0
- data/app/controllers/authorization_usages_controller.rb +19 -0
- data/app/helpers/authorization_rules_helper.rb +84 -0
- data/app/views/authorization_rules/graph.dot.erb +49 -0
- data/app/views/authorization_rules/graph.html.erb +39 -0
- data/app/views/authorization_rules/index.html.erb +15 -0
- data/app/views/authorization_usages/index.html.erb +45 -0
- data/config/routes.rb +6 -0
- data/lib/authorization.rb +514 -0
- data/lib/helper.rb +51 -0
- data/lib/in_controller.rb +311 -0
- data/lib/in_model.rb +130 -0
- data/lib/maintenance.rb +174 -0
- data/lib/obligation_scope.rb +281 -0
- data/lib/rails_legacy.rb +14 -0
- data/lib/reader.rb +391 -0
- data/test/authorization_test.rb +576 -0
- data/test/controller_test.rb +361 -0
- data/test/dsl_reader_test.rb +157 -0
- data/test/helper_test.rb +96 -0
- data/test/maintenance_test.rb +15 -0
- data/test/model_test.rb +794 -0
- data/test/schema.sql +32 -0
- data/test/test_helper.rb +99 -0
- metadata +26 -2
data/test/helper_test.rb
ADDED
@@ -0,0 +1,96 @@
|
|
1
|
+
require File.join(File.dirname(__FILE__), 'test_helper.rb')
|
2
|
+
require File.dirname(__FILE__) + '/../lib/in_controller.rb'
|
3
|
+
require File.dirname(__FILE__) + '/../lib/helper.rb'
|
4
|
+
|
5
|
+
|
6
|
+
class HelperMocksController < MocksController
|
7
|
+
filter_access_to :action, :require => :show, :context => :mocks
|
8
|
+
define_action_methods :action
|
9
|
+
end
|
10
|
+
class HelperTest < ActionController::TestCase
|
11
|
+
tests HelperMocksController
|
12
|
+
include Authorization::AuthorizationHelper
|
13
|
+
attr_reader :controller
|
14
|
+
|
15
|
+
def test_permit
|
16
|
+
reader = Authorization::Reader::DSLReader.new
|
17
|
+
reader.parse %{
|
18
|
+
authorization do
|
19
|
+
role :test_role do
|
20
|
+
has_permission_on :mocks, :to => :show
|
21
|
+
end
|
22
|
+
role :test_role_2 do
|
23
|
+
has_permission_on :mocks, :to => :update
|
24
|
+
end
|
25
|
+
end
|
26
|
+
}
|
27
|
+
user = MockUser.new(:test_role)
|
28
|
+
request!(user, :action, reader)
|
29
|
+
|
30
|
+
assert permitted_to?(:show, :mocks)
|
31
|
+
assert !permitted_to?(:update, :mocks)
|
32
|
+
|
33
|
+
block_evaled = false
|
34
|
+
permitted_to?(:show, :mocks) do
|
35
|
+
block_evaled = true
|
36
|
+
end
|
37
|
+
assert block_evaled
|
38
|
+
|
39
|
+
block_evaled = false
|
40
|
+
permitted_to?(:update, :mocks) do
|
41
|
+
block_evaled = true
|
42
|
+
end
|
43
|
+
assert !block_evaled
|
44
|
+
end
|
45
|
+
|
46
|
+
def test_permit_with_object
|
47
|
+
reader = Authorization::Reader::DSLReader.new
|
48
|
+
reader.parse %{
|
49
|
+
authorization do
|
50
|
+
role :test_role do
|
51
|
+
has_permission_on :mocks do
|
52
|
+
to :show
|
53
|
+
if_attribute :test_attr => is {user.test_attr}
|
54
|
+
end
|
55
|
+
end
|
56
|
+
end
|
57
|
+
}
|
58
|
+
user = MockUser.new(:test_role, :test_attr => 1)
|
59
|
+
mock = MockDataObject.new(:test_attr => 1)
|
60
|
+
mock_2 = MockDataObject.new(:test_attr => 2)
|
61
|
+
request!(user, :action, reader)
|
62
|
+
|
63
|
+
assert permitted_to?(:show, mock)
|
64
|
+
assert permitted_to?(:show, :mocks)
|
65
|
+
assert !permitted_to?(:show, mock_2)
|
66
|
+
end
|
67
|
+
|
68
|
+
def test_has_role
|
69
|
+
reader = Authorization::Reader::DSLReader.new
|
70
|
+
reader.parse %{
|
71
|
+
authorization do
|
72
|
+
role :test_role do
|
73
|
+
has_permission_on :mocks, :to => :show
|
74
|
+
end
|
75
|
+
end
|
76
|
+
}
|
77
|
+
user = MockUser.new(:test_role)
|
78
|
+
request!(user, :action, reader)
|
79
|
+
|
80
|
+
assert has_role?(:test_role)
|
81
|
+
assert !has_role?(:test_role2)
|
82
|
+
|
83
|
+
block_evaled = false
|
84
|
+
has_role?(:test_role) do
|
85
|
+
block_evaled = true
|
86
|
+
end
|
87
|
+
assert block_evaled
|
88
|
+
|
89
|
+
block_evaled = false
|
90
|
+
has_role?(:test_role2) do
|
91
|
+
block_evaled = true
|
92
|
+
end
|
93
|
+
assert !block_evaled
|
94
|
+
end
|
95
|
+
|
96
|
+
end
|
@@ -0,0 +1,15 @@
|
|
1
|
+
require File.join(File.dirname(__FILE__), 'test_helper.rb')
|
2
|
+
require File.join(File.dirname(__FILE__), %w{.. lib maintenance})
|
3
|
+
|
4
|
+
class MaintenanceTest < Test::Unit::TestCase
|
5
|
+
|
6
|
+
def test_usages_by_controllers
|
7
|
+
usage_test_controller = Class.new(ActionController::Base)
|
8
|
+
usage_test_controller.send(:define_method, :an_action) {}
|
9
|
+
usage_test_controller.filter_access_to :an_action
|
10
|
+
|
11
|
+
assert Authorization::Maintenance::Usage::usages_by_controller.
|
12
|
+
include?(usage_test_controller)
|
13
|
+
end
|
14
|
+
|
15
|
+
end
|
data/test/model_test.rb
ADDED
@@ -0,0 +1,794 @@
|
|
1
|
+
require File.join(File.dirname(__FILE__), 'test_helper.rb')
|
2
|
+
require File.join(File.dirname(__FILE__), '..', 'lib', 'in_model.rb')
|
3
|
+
|
4
|
+
ActiveRecord::Base.send :include, Authorization::AuthorizationInModel
|
5
|
+
#ActiveRecord::Base.logger = Logger.new(STDOUT)
|
6
|
+
|
7
|
+
options = {:adapter => 'sqlite3', :timeout => 500, :database => ':memory:'}
|
8
|
+
ActiveRecord::Base.establish_connection(options)
|
9
|
+
ActiveRecord::Base.configurations = { 'sqlite3_ar_integration' => options }
|
10
|
+
ActiveRecord::Base.connection
|
11
|
+
|
12
|
+
File.read(File.dirname(__FILE__) + "/schema.sql").split(';').each do |sql|
|
13
|
+
ActiveRecord::Base.connection.execute(sql) unless sql.blank?
|
14
|
+
end
|
15
|
+
|
16
|
+
class TestModel < ActiveRecord::Base
|
17
|
+
has_many :test_attrs
|
18
|
+
has_many :test_attr_throughs, :through => :test_attrs
|
19
|
+
has_many :test_attrs_with_attr, :class_name => "TestAttr", :conditions => {:attr => 1}
|
20
|
+
has_many :test_attr_throughs_with_attr, :through => :test_attrs,
|
21
|
+
:class_name => "TestAttrThrough", :source => :test_attr_throughs,
|
22
|
+
:conditions => "test_attrs.attr = 1"
|
23
|
+
has_one :test_attr_has_one, :class_name => "TestAttr"
|
24
|
+
has_one :test_attr_throughs_with_attr_and_has_one, :through => :test_attrs,
|
25
|
+
:class_name => "TestAttrThrough", :source => :test_attr_throughs,
|
26
|
+
:conditions => "test_attrs.attr = 1"
|
27
|
+
|
28
|
+
# Primary key test
|
29
|
+
# take this out for Rails prior to 2.2
|
30
|
+
if ([Rails::VERSION::MAJOR, Rails::VERSION::MINOR] <=> [2, 2]) > -1
|
31
|
+
has_many :test_attrs_with_primary_id, :class_name => "TestAttr",
|
32
|
+
:primary_key => :test_attr_through_id, :foreign_key => :test_attr_through_id
|
33
|
+
has_many :test_attr_throughs_with_primary_id,
|
34
|
+
:through => :test_attrs_with_primary_id, :class_name => "TestAttrThrough",
|
35
|
+
:source => :n_way_join_item
|
36
|
+
end
|
37
|
+
end
|
38
|
+
|
39
|
+
class NWayJoinItem < ActiveRecord::Base
|
40
|
+
has_many :test_attrs
|
41
|
+
has_many :others, :through => :test_attrs, :source => :n_way_join_item
|
42
|
+
end
|
43
|
+
|
44
|
+
class TestAttr < ActiveRecord::Base
|
45
|
+
belongs_to :test_model
|
46
|
+
belongs_to :test_another_model, :class_name => "TestModel", :foreign_key => :test_another_model_id
|
47
|
+
belongs_to :n_way_join_item
|
48
|
+
has_many :test_attr_throughs
|
49
|
+
attr_reader :role_symbols
|
50
|
+
def initialize (*args)
|
51
|
+
@role_symbols = []
|
52
|
+
super(*args)
|
53
|
+
end
|
54
|
+
end
|
55
|
+
|
56
|
+
class TestAttrThrough < ActiveRecord::Base
|
57
|
+
belongs_to :test_attr
|
58
|
+
end
|
59
|
+
|
60
|
+
class TestModelSecurityModel < ActiveRecord::Base
|
61
|
+
has_many :test_attrs
|
62
|
+
using_access_control
|
63
|
+
end
|
64
|
+
class TestModelSecurityModelWithFind < ActiveRecord::Base
|
65
|
+
set_table_name "test_model_security_models"
|
66
|
+
has_many :test_attrs
|
67
|
+
using_access_control :include_read => true,
|
68
|
+
:context => :test_model_security_models
|
69
|
+
end
|
70
|
+
|
71
|
+
class ModelTest < Test::Unit::TestCase
|
72
|
+
def test_named_scope_multiple_deep_ored_belongs_to
|
73
|
+
reader = Authorization::Reader::DSLReader.new
|
74
|
+
reader.parse %{
|
75
|
+
authorization do
|
76
|
+
role :test_role do
|
77
|
+
has_permission_on :test_attrs, :to => :read do
|
78
|
+
if_attribute :test_model => {:test_attrs => contains {user}}
|
79
|
+
if_attribute :test_another_model => {:test_attrs => contains {user}}
|
80
|
+
end
|
81
|
+
end
|
82
|
+
end
|
83
|
+
}
|
84
|
+
Authorization::Engine.instance(reader)
|
85
|
+
|
86
|
+
test_model_1 = TestModel.create!
|
87
|
+
test_model_2 = TestModel.create!
|
88
|
+
test_attr_1 = TestAttr.create! :test_model_id => test_model_1.id,
|
89
|
+
:test_another_model_id => test_model_2.id
|
90
|
+
|
91
|
+
user = MockUser.new(:test_role, :id => test_attr_1)
|
92
|
+
assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
|
93
|
+
TestAttr.delete_all
|
94
|
+
TestModel.delete_all
|
95
|
+
end
|
96
|
+
|
97
|
+
def test_named_scope_with_belongs_to_and_has_many_with_contains
|
98
|
+
reader = Authorization::Reader::DSLReader.new
|
99
|
+
reader.parse %{
|
100
|
+
authorization do
|
101
|
+
role :test_role do
|
102
|
+
has_permission_on :test_attrs, :to => :read do
|
103
|
+
if_attribute :test_model => { :test_attrs => contains { user.test_attr_value } }
|
104
|
+
end
|
105
|
+
end
|
106
|
+
end
|
107
|
+
}
|
108
|
+
Authorization::Engine.instance(reader)
|
109
|
+
|
110
|
+
test_attr_1 = TestAttr.create!
|
111
|
+
test_model_1 = TestModel.create!
|
112
|
+
test_model_1.test_attrs.create!
|
113
|
+
|
114
|
+
user = MockUser.new(:test_role, :test_attr_value => test_model_1.test_attrs.first.id )
|
115
|
+
assert_equal 1, TestAttr.with_permissions_to( :read, :context => :test_attrs, :user => user ).length
|
116
|
+
assert_equal 1, TestAttr.with_permissions_to( :read, :user => user ).length
|
117
|
+
assert_raise Authorization::NotAuthorized do
|
118
|
+
TestAttr.with_permissions_to( :update_test_attrs, :user => user )
|
119
|
+
end
|
120
|
+
TestAttr.delete_all
|
121
|
+
TestModel.delete_all
|
122
|
+
end
|
123
|
+
|
124
|
+
def test_named_scope_with_is
|
125
|
+
reader = Authorization::Reader::DSLReader.new
|
126
|
+
reader.parse %{
|
127
|
+
authorization do
|
128
|
+
role :test_role do
|
129
|
+
has_permission_on :test_models, :to => :read do
|
130
|
+
if_attribute :id => is { user.test_attr_value }
|
131
|
+
end
|
132
|
+
end
|
133
|
+
end
|
134
|
+
}
|
135
|
+
Authorization::Engine.instance(reader)
|
136
|
+
|
137
|
+
test_model_1 = TestModel.create!
|
138
|
+
TestModel.create!
|
139
|
+
|
140
|
+
user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
|
141
|
+
assert_equal 1, TestModel.with_permissions_to(:read,
|
142
|
+
:context => :test_models, :user => user).length
|
143
|
+
assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
|
144
|
+
assert_raise Authorization::NotAuthorized do
|
145
|
+
TestModel.with_permissions_to(:update_test_models, :user => user)
|
146
|
+
end
|
147
|
+
TestModel.delete_all
|
148
|
+
end
|
149
|
+
|
150
|
+
def test_named_scope_with_not_is
|
151
|
+
reader = Authorization::Reader::DSLReader.new
|
152
|
+
reader.parse %{
|
153
|
+
authorization do
|
154
|
+
role :test_role do
|
155
|
+
has_permission_on :test_models, :to => :read do
|
156
|
+
if_attribute :id => is_not { user.test_attr_value }
|
157
|
+
end
|
158
|
+
end
|
159
|
+
end
|
160
|
+
}
|
161
|
+
Authorization::Engine.instance(reader)
|
162
|
+
|
163
|
+
test_model_1 = TestModel.create!
|
164
|
+
TestModel.create!
|
165
|
+
|
166
|
+
user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
|
167
|
+
assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
|
168
|
+
TestModel.delete_all
|
169
|
+
end
|
170
|
+
|
171
|
+
def test_named_scope_with_empty_obligations
|
172
|
+
reader = Authorization::Reader::DSLReader.new
|
173
|
+
reader.parse %{
|
174
|
+
authorization do
|
175
|
+
role :test_role do
|
176
|
+
has_permission_on :test_models, :to => :read
|
177
|
+
end
|
178
|
+
end
|
179
|
+
}
|
180
|
+
Authorization::Engine.instance(reader)
|
181
|
+
|
182
|
+
TestModel.create!
|
183
|
+
|
184
|
+
user = MockUser.new(:test_role)
|
185
|
+
assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
|
186
|
+
assert_raise Authorization::NotAuthorized do
|
187
|
+
TestModel.with_permissions_to(:update, :user => user)
|
188
|
+
end
|
189
|
+
TestModel.delete_all
|
190
|
+
end
|
191
|
+
|
192
|
+
def test_named_scope_multiple_obligations
|
193
|
+
reader = Authorization::Reader::DSLReader.new
|
194
|
+
reader.parse %{
|
195
|
+
authorization do
|
196
|
+
role :test_role do
|
197
|
+
has_permission_on :test_models, :to => :read do
|
198
|
+
if_attribute :id => is { user.test_attr_value }
|
199
|
+
end
|
200
|
+
has_permission_on :test_models, :to => :read do
|
201
|
+
if_attribute :id => is { user.test_attr_value_2 }
|
202
|
+
end
|
203
|
+
end
|
204
|
+
end
|
205
|
+
}
|
206
|
+
Authorization::Engine.instance(reader)
|
207
|
+
|
208
|
+
test_model_1 = TestModel.create!
|
209
|
+
test_model_2 = TestModel.create!
|
210
|
+
|
211
|
+
user = MockUser.new(:test_role, :test_attr_value => test_model_1.id,
|
212
|
+
:test_attr_value_2 => test_model_2.id)
|
213
|
+
assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
|
214
|
+
TestModel.delete_all
|
215
|
+
end
|
216
|
+
|
217
|
+
def test_named_scope_multiple_and_empty_obligations
|
218
|
+
reader = Authorization::Reader::DSLReader.new
|
219
|
+
reader.parse %{
|
220
|
+
authorization do
|
221
|
+
role :test_role do
|
222
|
+
has_permission_on :test_models, :to => :read do
|
223
|
+
if_attribute :id => is { user.test_attr_value }
|
224
|
+
end
|
225
|
+
has_permission_on :test_models, :to => :read
|
226
|
+
end
|
227
|
+
end
|
228
|
+
}
|
229
|
+
Authorization::Engine.instance(reader)
|
230
|
+
|
231
|
+
test_model_1 = TestModel.create!
|
232
|
+
TestModel.create!
|
233
|
+
|
234
|
+
user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
|
235
|
+
assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
|
236
|
+
TestModel.delete_all
|
237
|
+
end
|
238
|
+
|
239
|
+
def test_named_scope_multiple_attributes
|
240
|
+
reader = Authorization::Reader::DSLReader.new
|
241
|
+
reader.parse %{
|
242
|
+
authorization do
|
243
|
+
role :test_role do
|
244
|
+
has_permission_on :test_models, :to => :read do
|
245
|
+
if_attribute :id => is { user.test_attr_value }, :content => "bla"
|
246
|
+
end
|
247
|
+
end
|
248
|
+
end
|
249
|
+
}
|
250
|
+
Authorization::Engine.instance(reader)
|
251
|
+
|
252
|
+
test_model_1 = TestModel.create! :content => 'bla'
|
253
|
+
TestModel.create! :content => 'bla'
|
254
|
+
TestModel.create!
|
255
|
+
|
256
|
+
user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
|
257
|
+
assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
|
258
|
+
TestModel.delete_all
|
259
|
+
end
|
260
|
+
|
261
|
+
def test_named_scope_multiple_belongs_to
|
262
|
+
reader = Authorization::Reader::DSLReader.new
|
263
|
+
reader.parse %{
|
264
|
+
authorization do
|
265
|
+
role :test_role do
|
266
|
+
has_permission_on :test_attrs, :to => :read do
|
267
|
+
if_attribute :test_model => is {user}
|
268
|
+
if_attribute :test_another_model => is {user}
|
269
|
+
end
|
270
|
+
end
|
271
|
+
end
|
272
|
+
}
|
273
|
+
Authorization::Engine.instance(reader)
|
274
|
+
|
275
|
+
test_attr_1 = TestAttr.create! :test_model_id => 1, :test_another_model_id => 2
|
276
|
+
|
277
|
+
user = MockUser.new(:test_role, :id => 1)
|
278
|
+
assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
|
279
|
+
TestAttr.delete_all
|
280
|
+
end
|
281
|
+
|
282
|
+
def test_named_scope_with_is_and_priv_hierarchy
|
283
|
+
reader = Authorization::Reader::DSLReader.new
|
284
|
+
reader.parse %{
|
285
|
+
privileges do
|
286
|
+
privilege :read do
|
287
|
+
includes :list, :show
|
288
|
+
end
|
289
|
+
end
|
290
|
+
authorization do
|
291
|
+
role :test_role do
|
292
|
+
has_permission_on :test_models, :to => :read do
|
293
|
+
if_attribute :id => is { user.test_attr_value }
|
294
|
+
end
|
295
|
+
end
|
296
|
+
end
|
297
|
+
}
|
298
|
+
Authorization::Engine.instance(reader)
|
299
|
+
|
300
|
+
test_model_1 = TestModel.create!
|
301
|
+
TestModel.create!
|
302
|
+
|
303
|
+
user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
|
304
|
+
assert_equal 1, TestModel.with_permissions_to(:list,
|
305
|
+
:context => :test_models, :user => user).length
|
306
|
+
assert_equal 1, TestModel.with_permissions_to(:list, :user => user).length
|
307
|
+
|
308
|
+
TestModel.delete_all
|
309
|
+
end
|
310
|
+
|
311
|
+
def test_named_scope_with_is_and_belongs_to
|
312
|
+
reader = Authorization::Reader::DSLReader.new
|
313
|
+
reader.parse %{
|
314
|
+
authorization do
|
315
|
+
role :test_role do
|
316
|
+
has_permission_on :test_attrs, :to => :read do
|
317
|
+
if_attribute :test_model => is { user.test_model }
|
318
|
+
end
|
319
|
+
end
|
320
|
+
end
|
321
|
+
}
|
322
|
+
Authorization::Engine.instance(reader)
|
323
|
+
|
324
|
+
test_model_1 = TestModel.create!
|
325
|
+
test_model_1.test_attrs.create!
|
326
|
+
TestModel.create!.test_attrs.create!
|
327
|
+
|
328
|
+
user = MockUser.new(:test_role, :test_model => test_model_1)
|
329
|
+
assert_equal 1, TestAttr.with_permissions_to(:read,
|
330
|
+
:context => :test_attrs, :user => user).length
|
331
|
+
|
332
|
+
TestModel.delete_all
|
333
|
+
TestAttr.delete_all
|
334
|
+
end
|
335
|
+
|
336
|
+
def test_named_scope_with_deep_attribute
|
337
|
+
reader = Authorization::Reader::DSLReader.new
|
338
|
+
reader.parse %{
|
339
|
+
authorization do
|
340
|
+
role :test_role do
|
341
|
+
has_permission_on :test_attrs, :to => :read do
|
342
|
+
if_attribute :test_model => {:id => is { user.test_model_id } }
|
343
|
+
end
|
344
|
+
end
|
345
|
+
end
|
346
|
+
}
|
347
|
+
Authorization::Engine.instance(reader)
|
348
|
+
|
349
|
+
test_model_1 = TestModel.create!
|
350
|
+
test_model_1.test_attrs.create!
|
351
|
+
TestModel.create!.test_attrs.create!
|
352
|
+
|
353
|
+
user = MockUser.new(:test_role, :test_model_id => test_model_1.id)
|
354
|
+
assert_equal 1, TestAttr.with_permissions_to(:read,
|
355
|
+
:context => :test_attrs, :user => user).length
|
356
|
+
|
357
|
+
TestModel.delete_all
|
358
|
+
TestAttr.delete_all
|
359
|
+
end
|
360
|
+
|
361
|
+
def test_named_scope_with_contains
|
362
|
+
reader = Authorization::Reader::DSLReader.new
|
363
|
+
reader.parse %{
|
364
|
+
authorization do
|
365
|
+
role :test_role do
|
366
|
+
has_permission_on :test_models, :to => :read do
|
367
|
+
if_attribute :test_attrs => contains { user }
|
368
|
+
end
|
369
|
+
end
|
370
|
+
end
|
371
|
+
}
|
372
|
+
Authorization::Engine.instance(reader)
|
373
|
+
|
374
|
+
test_model_1 = TestModel.create!
|
375
|
+
test_model_2 = TestModel.create!
|
376
|
+
test_model_1.test_attrs.create!
|
377
|
+
test_model_1.test_attrs.create!
|
378
|
+
test_model_2.test_attrs.create!
|
379
|
+
|
380
|
+
user = MockUser.new(:test_role,
|
381
|
+
:id => test_model_1.test_attrs.first.id)
|
382
|
+
assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
|
383
|
+
assert_equal 1, TestModel.with_permissions_to(:read, :user => user).find(:all, :conditions => {:id => test_model_1.id}).length
|
384
|
+
|
385
|
+
TestModel.delete_all
|
386
|
+
TestAttr.delete_all
|
387
|
+
end
|
388
|
+
|
389
|
+
def test_named_scope_with_does_not_contain
|
390
|
+
reader = Authorization::Reader::DSLReader.new
|
391
|
+
reader.parse %{
|
392
|
+
authorization do
|
393
|
+
role :test_role do
|
394
|
+
has_permission_on :test_models, :to => :read do
|
395
|
+
if_attribute :test_attrs => does_not_contain { user }
|
396
|
+
end
|
397
|
+
end
|
398
|
+
end
|
399
|
+
}
|
400
|
+
Authorization::Engine.instance(reader)
|
401
|
+
|
402
|
+
test_model_1 = TestModel.create!
|
403
|
+
test_model_2 = TestModel.create!
|
404
|
+
test_model_1.test_attrs.create!
|
405
|
+
test_model_2.test_attrs.create!
|
406
|
+
|
407
|
+
user = MockUser.new(:test_role,
|
408
|
+
:id => test_model_1.test_attrs.first.id)
|
409
|
+
assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
|
410
|
+
|
411
|
+
TestModel.delete_all
|
412
|
+
TestAttr.delete_all
|
413
|
+
end
|
414
|
+
|
415
|
+
def test_named_scope_with_contains_conditions
|
416
|
+
reader = Authorization::Reader::DSLReader.new
|
417
|
+
reader.parse %{
|
418
|
+
authorization do
|
419
|
+
role :test_role do
|
420
|
+
has_permission_on :test_models, :to => :read do
|
421
|
+
if_attribute :test_attrs_with_attr => contains { user }
|
422
|
+
end
|
423
|
+
end
|
424
|
+
end
|
425
|
+
}
|
426
|
+
Authorization::Engine.instance(reader)
|
427
|
+
|
428
|
+
test_model_1 = TestModel.create!
|
429
|
+
test_model_2 = TestModel.create!
|
430
|
+
test_model_1.test_attrs_with_attr.create!
|
431
|
+
test_model_1.test_attrs.create!(:attr => 2)
|
432
|
+
test_model_2.test_attrs_with_attr.create!
|
433
|
+
test_model_2.test_attrs.create!(:attr => 2)
|
434
|
+
|
435
|
+
#assert_equal 1, test_model_1.test_attrs_with_attr.length
|
436
|
+
user = MockUser.new(:test_role,
|
437
|
+
:id => test_model_1.test_attrs.first.id)
|
438
|
+
assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
|
439
|
+
user = MockUser.new(:test_role,
|
440
|
+
:id => test_model_1.test_attrs.last.id)
|
441
|
+
assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
|
442
|
+
|
443
|
+
TestModel.delete_all
|
444
|
+
TestAttr.delete_all
|
445
|
+
end
|
446
|
+
|
447
|
+
def test_named_scope_with_contains_through_conditions
|
448
|
+
reader = Authorization::Reader::DSLReader.new
|
449
|
+
reader.parse %{
|
450
|
+
authorization do
|
451
|
+
role :test_role do
|
452
|
+
has_permission_on :test_models, :to => :read do
|
453
|
+
if_attribute :test_attr_throughs_with_attr => contains { user }
|
454
|
+
end
|
455
|
+
end
|
456
|
+
end
|
457
|
+
}
|
458
|
+
Authorization::Engine.instance(reader)
|
459
|
+
|
460
|
+
test_model_1 = TestModel.create!
|
461
|
+
test_model_2 = TestModel.create!
|
462
|
+
test_model_1.test_attrs.create!(:attr => 1).test_attr_throughs.create!
|
463
|
+
test_model_1.test_attrs.create!(:attr => 2).test_attr_throughs.create!
|
464
|
+
test_model_2.test_attrs.create!(:attr => 1).test_attr_throughs.create!
|
465
|
+
test_model_2.test_attrs.create!(:attr => 2).test_attr_throughs.create!
|
466
|
+
|
467
|
+
#assert_equal 1, test_model_1.test_attrs_with_attr.length
|
468
|
+
user = MockUser.new(:test_role,
|
469
|
+
:id => test_model_1.test_attr_throughs.first.id)
|
470
|
+
assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
|
471
|
+
user = MockUser.new(:test_role,
|
472
|
+
:id => test_model_1.test_attr_throughs.last.id)
|
473
|
+
assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
|
474
|
+
|
475
|
+
TestModel.delete_all
|
476
|
+
TestAttrThrough.delete_all
|
477
|
+
TestAttr.delete_all
|
478
|
+
end
|
479
|
+
|
480
|
+
# take this out for Rails prior to 2.2
|
481
|
+
if ([Rails::VERSION::MAJOR, Rails::VERSION::MINOR] <=> [2, 2]) > -1
|
482
|
+
def test_named_scope_with_contains_through_primary_key
|
483
|
+
reader = Authorization::Reader::DSLReader.new
|
484
|
+
reader.parse %{
|
485
|
+
authorization do
|
486
|
+
role :test_role do
|
487
|
+
has_permission_on :test_models, :to => :read do
|
488
|
+
if_attribute :test_attr_throughs_with_primary_id => contains { user }
|
489
|
+
end
|
490
|
+
end
|
491
|
+
end
|
492
|
+
}
|
493
|
+
Authorization::Engine.instance(reader)
|
494
|
+
|
495
|
+
test_attr_through_1 = TestAttrThrough.create!
|
496
|
+
test_item = NWayJoinItem.create!
|
497
|
+
test_model_1 = TestModel.create!(:test_attr_through_id => test_attr_through_1.id)
|
498
|
+
test_attr_1 = TestAttr.create!(:test_attr_through_id => test_attr_through_1.id,
|
499
|
+
:n_way_join_item_id => test_item.id)
|
500
|
+
|
501
|
+
user = MockUser.new(:test_role,
|
502
|
+
:id => test_attr_through_1.id)
|
503
|
+
assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
|
504
|
+
|
505
|
+
TestModel.delete_all
|
506
|
+
TestAttrThrough.delete_all
|
507
|
+
TestAttr.delete_all
|
508
|
+
end
|
509
|
+
end
|
510
|
+
|
511
|
+
def test_named_scope_with_is_and_has_one
|
512
|
+
reader = Authorization::Reader::DSLReader.new
|
513
|
+
reader.parse %{
|
514
|
+
authorization do :test_attr_has_one
|
515
|
+
role :test_role do
|
516
|
+
has_permission_on :test_models, :to => :read do
|
517
|
+
if_attribute :test_attr_has_one => is { user.test_attr }
|
518
|
+
end
|
519
|
+
end
|
520
|
+
end
|
521
|
+
}
|
522
|
+
Authorization::Engine.instance(reader)
|
523
|
+
|
524
|
+
test_model_1 = TestModel.create!
|
525
|
+
test_attr_1 = test_model_1.test_attrs.create!
|
526
|
+
TestModel.create!.test_attrs.create!
|
527
|
+
|
528
|
+
user = MockUser.new(:test_role, :test_attr => test_attr_1)
|
529
|
+
assert_equal 1, TestModel.with_permissions_to(:read,
|
530
|
+
:context => :test_models, :user => user).length
|
531
|
+
|
532
|
+
TestModel.delete_all
|
533
|
+
TestAttr.delete_all
|
534
|
+
end
|
535
|
+
|
536
|
+
def test_named_scope_with_is_and_has_one_through_conditions
|
537
|
+
reader = Authorization::Reader::DSLReader.new
|
538
|
+
reader.parse %{
|
539
|
+
authorization do
|
540
|
+
role :test_role do
|
541
|
+
has_permission_on :test_models, :to => :read do
|
542
|
+
if_attribute :test_attr_throughs_with_attr_and_has_one => contains { user }
|
543
|
+
end
|
544
|
+
end
|
545
|
+
end
|
546
|
+
}
|
547
|
+
Authorization::Engine.instance(reader)
|
548
|
+
|
549
|
+
test_model_1 = TestModel.create!
|
550
|
+
test_model_2 = TestModel.create!
|
551
|
+
test_model_1.test_attrs.create!(:attr => 1).test_attr_throughs.create!
|
552
|
+
test_model_1.test_attrs.create!(:attr => 2).test_attr_throughs.create!
|
553
|
+
test_model_2.test_attrs.create!(:attr => 1).test_attr_throughs.create!
|
554
|
+
test_model_2.test_attrs.create!(:attr => 2).test_attr_throughs.create!
|
555
|
+
|
556
|
+
#assert_equal 1, test_model_1.test_attrs_with_attr.length
|
557
|
+
user = MockUser.new(:test_role,
|
558
|
+
:id => test_model_1.test_attr_throughs.first.id)
|
559
|
+
assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
|
560
|
+
user = MockUser.new(:test_role,
|
561
|
+
:id => test_model_1.test_attr_throughs.last.id)
|
562
|
+
assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
|
563
|
+
|
564
|
+
TestModel.delete_all
|
565
|
+
TestAttr.delete_all
|
566
|
+
end
|
567
|
+
|
568
|
+
def test_named_scope_with_is_in
|
569
|
+
reader = Authorization::Reader::DSLReader.new
|
570
|
+
reader.parse %{
|
571
|
+
authorization do
|
572
|
+
role :test_role do
|
573
|
+
has_permission_on :test_attrs, :to => :read do
|
574
|
+
if_attribute :test_model => is_in { [user.test_model, user.test_model_2] }
|
575
|
+
end
|
576
|
+
end
|
577
|
+
end
|
578
|
+
}
|
579
|
+
Authorization::Engine.instance(reader)
|
580
|
+
|
581
|
+
test_model_1 = TestModel.create!
|
582
|
+
test_model_2 = TestModel.create!
|
583
|
+
test_model_1.test_attrs.create!
|
584
|
+
TestModel.create!.test_attrs.create!
|
585
|
+
|
586
|
+
user = MockUser.new(:test_role, :test_model => test_model_1,
|
587
|
+
:test_model_2 => test_model_2)
|
588
|
+
assert_equal 1, TestAttr.with_permissions_to(:read,
|
589
|
+
:context => :test_attrs, :user => user).length
|
590
|
+
|
591
|
+
TestModel.delete_all
|
592
|
+
TestAttr.delete_all
|
593
|
+
end
|
594
|
+
|
595
|
+
def test_named_scope_with_not_is_in
|
596
|
+
reader = Authorization::Reader::DSLReader.new
|
597
|
+
reader.parse %{
|
598
|
+
authorization do
|
599
|
+
role :test_role do
|
600
|
+
has_permission_on :test_attrs, :to => :read do
|
601
|
+
if_attribute :test_model => is_not_in { [user.test_model, user.test_model_2] }
|
602
|
+
end
|
603
|
+
end
|
604
|
+
end
|
605
|
+
}
|
606
|
+
Authorization::Engine.instance(reader)
|
607
|
+
|
608
|
+
test_model_1 = TestModel.create!
|
609
|
+
test_model_2 = TestModel.create!
|
610
|
+
test_model_1.test_attrs.create!
|
611
|
+
TestModel.create!.test_attrs.create!
|
612
|
+
|
613
|
+
user = MockUser.new(:test_role, :test_model => test_model_1,
|
614
|
+
:test_model_2 => test_model_2)
|
615
|
+
assert_equal 1, TestAttr.with_permissions_to(:read,
|
616
|
+
:context => :test_attrs, :user => user).length
|
617
|
+
|
618
|
+
TestModel.delete_all
|
619
|
+
TestAttr.delete_all
|
620
|
+
end
|
621
|
+
|
622
|
+
def test_named_scope_with_if_permitted_to
|
623
|
+
reader = Authorization::Reader::DSLReader.new
|
624
|
+
reader.parse %{
|
625
|
+
authorization do
|
626
|
+
role :test_role do
|
627
|
+
has_permission_on :test_models, :to => :read do
|
628
|
+
if_attribute :test_attrs => contains { user }
|
629
|
+
end
|
630
|
+
has_permission_on :test_attrs, :to => :read do
|
631
|
+
if_permitted_to :read, :test_model
|
632
|
+
end
|
633
|
+
end
|
634
|
+
end
|
635
|
+
}
|
636
|
+
Authorization::Engine.instance(reader)
|
637
|
+
|
638
|
+
test_model_1 = TestModel.create!
|
639
|
+
test_attr_1 = test_model_1.test_attrs.create!
|
640
|
+
|
641
|
+
user = MockUser.new(:test_role, :id => test_attr_1.id)
|
642
|
+
assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
|
643
|
+
TestModel.delete_all
|
644
|
+
TestAttr.delete_all
|
645
|
+
end
|
646
|
+
|
647
|
+
def test_named_scope_with_if_permitted_to_and_empty_obligations
|
648
|
+
reader = Authorization::Reader::DSLReader.new
|
649
|
+
reader.parse %{
|
650
|
+
authorization do
|
651
|
+
role :test_role do
|
652
|
+
has_permission_on :test_models, :to => :read
|
653
|
+
has_permission_on :test_attrs, :to => :read do
|
654
|
+
if_permitted_to :read, :test_model
|
655
|
+
end
|
656
|
+
end
|
657
|
+
end
|
658
|
+
}
|
659
|
+
Authorization::Engine.instance(reader)
|
660
|
+
|
661
|
+
test_model_1 = TestModel.create!
|
662
|
+
test_attr_1 = test_model_1.test_attrs.create!
|
663
|
+
|
664
|
+
user = MockUser.new(:test_role)
|
665
|
+
assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
|
666
|
+
TestModel.delete_all
|
667
|
+
TestAttr.delete_all
|
668
|
+
end
|
669
|
+
|
670
|
+
def test_model_security
|
671
|
+
reader = Authorization::Reader::DSLReader.new
|
672
|
+
reader.parse %{
|
673
|
+
authorization do
|
674
|
+
role :test_role_unrestricted do
|
675
|
+
has_permission_on :test_model_security_models do
|
676
|
+
to :read, :create, :update, :delete
|
677
|
+
end
|
678
|
+
end
|
679
|
+
role :test_role do
|
680
|
+
has_permission_on :test_model_security_models do
|
681
|
+
to :read, :create, :update, :delete
|
682
|
+
if_attribute :attr => is { 1 }
|
683
|
+
end
|
684
|
+
end
|
685
|
+
role :test_role_restricted do
|
686
|
+
end
|
687
|
+
end
|
688
|
+
}
|
689
|
+
Authorization::Engine.instance(reader)
|
690
|
+
|
691
|
+
Authorization.current_user = MockUser.new(:test_role)
|
692
|
+
assert(object = TestModelSecurityModel.create)
|
693
|
+
Authorization.current_user = MockUser.new(:test_role_restricted)
|
694
|
+
assert_raise Authorization::NotAuthorized do
|
695
|
+
object.update_attributes(:attr_2 => 2)
|
696
|
+
end
|
697
|
+
Authorization.current_user = MockUser.new(:test_role)
|
698
|
+
assert_nothing_raised { object.update_attributes(:attr_2 => 2) }
|
699
|
+
object.reload
|
700
|
+
assert_equal 2, object.attr_2
|
701
|
+
object.destroy
|
702
|
+
assert_raise ActiveRecord::RecordNotFound do
|
703
|
+
TestModelSecurityModel.find(object.id)
|
704
|
+
end
|
705
|
+
|
706
|
+
assert_raise Authorization::AttributeAuthorizationError do
|
707
|
+
TestModelSecurityModel.create :attr => 2
|
708
|
+
end
|
709
|
+
object = TestModelSecurityModel.create
|
710
|
+
assert_raise Authorization::AttributeAuthorizationError do
|
711
|
+
object.update_attributes(:attr => 2)
|
712
|
+
end
|
713
|
+
Authorization.current_user = MockUser.new(:test_role_unrestricted)
|
714
|
+
object = TestModelSecurityModel.create :attr => 2
|
715
|
+
object_with_find = TestModelSecurityModelWithFind.create :attr => 2
|
716
|
+
Authorization.current_user = MockUser.new(:test_role)
|
717
|
+
assert_nothing_raised do
|
718
|
+
object.class.find(object.id)
|
719
|
+
end
|
720
|
+
assert_raise Authorization::AttributeAuthorizationError do
|
721
|
+
object_with_find.class.find(object_with_find.id)
|
722
|
+
end
|
723
|
+
assert_raise Authorization::AttributeAuthorizationError do
|
724
|
+
object.update_attributes(:attr_2 => 2)
|
725
|
+
end
|
726
|
+
# TODO test this:
|
727
|
+
#assert_raise Authorization::AuthorizationError do
|
728
|
+
# object.update_attributes(:attr => 1)
|
729
|
+
#end
|
730
|
+
assert_raise Authorization::AttributeAuthorizationError do
|
731
|
+
object.destroy
|
732
|
+
end
|
733
|
+
|
734
|
+
Authorization.current_user = MockUser.new(:test_role_2)
|
735
|
+
assert_raise Authorization::NotAuthorized do
|
736
|
+
TestModelSecurityModel.create
|
737
|
+
end
|
738
|
+
end
|
739
|
+
|
740
|
+
def test_model_security_with_assoc
|
741
|
+
reader = Authorization::Reader::DSLReader.new
|
742
|
+
reader.parse %{
|
743
|
+
authorization do
|
744
|
+
role :test_role do
|
745
|
+
has_permission_on :test_model_security_models do
|
746
|
+
to :create, :update, :delete
|
747
|
+
if_attribute :test_attrs => contains { user }
|
748
|
+
end
|
749
|
+
end
|
750
|
+
end
|
751
|
+
}
|
752
|
+
Authorization::Engine.instance(reader)
|
753
|
+
|
754
|
+
test_attr = TestAttr.create
|
755
|
+
test_attr.role_symbols << :test_role
|
756
|
+
Authorization.current_user = test_attr
|
757
|
+
assert(object = TestModelSecurityModel.create(:test_attrs => [test_attr]))
|
758
|
+
assert_nothing_raised do
|
759
|
+
object.update_attributes(:attr_2 => 2)
|
760
|
+
end
|
761
|
+
object.reload
|
762
|
+
assert_equal 2, object.attr_2
|
763
|
+
object.destroy
|
764
|
+
assert_raise ActiveRecord::RecordNotFound do
|
765
|
+
TestModelSecurityModel.find(object.id)
|
766
|
+
end
|
767
|
+
end
|
768
|
+
|
769
|
+
def test_using_access_control
|
770
|
+
assert !TestModel.using_access_control?
|
771
|
+
assert TestModelSecurityModel.using_access_control?
|
772
|
+
end
|
773
|
+
|
774
|
+
def test_authorization_permit_association_proxy
|
775
|
+
reader = Authorization::Reader::DSLReader.new
|
776
|
+
reader.parse %{
|
777
|
+
authorization do
|
778
|
+
role :test_role do
|
779
|
+
has_permission_on :test_attrs, :to => :read do
|
780
|
+
if_attribute :test_model => {:content => "content" }
|
781
|
+
end
|
782
|
+
end
|
783
|
+
end
|
784
|
+
}
|
785
|
+
engine = Authorization::Engine.instance(reader)
|
786
|
+
|
787
|
+
test_model = TestModel.create(:content => "content")
|
788
|
+
assert engine.permit?(:read, :object => test_model.test_attrs,
|
789
|
+
:user => MockUser.new(:test_role))
|
790
|
+
assert !engine.permit?(:read, :object => TestAttr.new,
|
791
|
+
:user => MockUser.new(:test_role))
|
792
|
+
TestModel.delete_all
|
793
|
+
end
|
794
|
+
end
|