stffn-declarative_authorization 0.2.5 → 0.3.0

data/CHANGELOG

@@ -1,10 +1,13 @@
-* New option :join_by for has_permission_on to allow AND'ing of statements in one has_permission_on block
 
-* Allow using_access_control to be called directly on ActiveRecord::Base, globally enabling model security
+** RELEASE 0.3 (April 20, 2009) **
 
-* New operator:  intersects_with, comparing two Enumerables in if_attribute
+* New option :join_by for has_permission_on to allow AND'ing of statements in one has_permission_on block [sb]
 
-* Improved if_permitted_to syntax:  if the attribute is left out, permissions are checked on for the current object
+* Allow using_access_control to be called directly on ActiveRecord::Base, globally enabling model security [sb]
+
+* New operator:  intersects_with, comparing two Enumerables in if_attribute [sb]
+
+* Improved if_permitted_to syntax:  if the attribute is left out, permissions are checked on for the current object [sb]
 
 * Added #has_role_with_hierarchy? method to retrieve explicit and calculated roles [jeremyf]
 

data/README.rdoc

@@ -344,11 +344,15 @@ See Authorization::TestHelper for more information.
 
 = Installation of declarative_authorization
 
-To install simply execute in your applications root directory
-  cd vendor/plugins && git clone git://github.com/stffn/declarative_authorization.git
-
-Alternatively, download one of the released versions from Github at
-http://github.com/stffn/declarative_authorization/downloads
+One of three options to install the plugin:
+* Install by Gem:  Add to your environment.rb in the initializer block:
+    config.gem "stffn-declarative_authorization", :lib => "declarative_authorization"
+  And call from your application's root directory
+    rake gems:install
+* Alternatively, to install from github, execute in your application's root directory
+    cd vendor/plugins && git clone git://github.com/stffn/declarative_authorization.git
+* Or, download one of the released versions from Github at
+  http://github.com/stffn/declarative_authorization/downloads
 
 Then, 
 * provide the requirements as noted below, 
@@ -361,8 +365,8 @@ Then,
 The requirements are
 * Rails >= 2.1 and Ruby >= 1.8.6, including 1.9
 * An authentication mechanism 
-* A user object returned by controller.current_user
-* An array of role symbols returned by user.role_symbols
+* A user object returned by Controller#current_user
+* An array of role symbols returned by User#role_symbols
 * (For model security) Setting Authorization.current_user to the request's user
 
 Of the various ways to provide these requirements, here is one way employing
@@ -416,7 +420,7 @@ restful_authentication.
      user.roles.create(:title => "admin")
 
 Note:  If you choose to generate an Account model for restful_authentication
-instead of a User model as described below, you have to customize the
+instead of a User model as described above, you have to customize the
 examples and create a ApplicationController#current_user method.
 
 
@@ -447,7 +451,7 @@ Then, point your browser to
 
 The browser needs Rails 2.3 (for Engine support).  The graphical view requires 
 Graphviz (which e.g. can be installed through the graphviz package under Debian 
-and Ubuntu) and is only tested under Linux.
+and Ubuntu) and has only been tested under Linux.
 
 
 = Help and Contact

data/app/controllers/authorization_rules_controller.rb

@@ -10,6 +10,8 @@ begin
 rescue LoadError; end
 
 class AuthorizationRulesController < ApplicationController
+  unloadable
+  
   filter_access_to :all, :require => :read
   def index
     respond_to do |format|
@@ -31,6 +33,7 @@ class AuthorizationRulesController < ApplicationController
     options = {
       :effective_role_privs => true,
       :privilege_hierarchy => false,
+      :only_relevant_contexts => true,
       :filter_roles => nil,
       :filter_contexts => nil,
       :highlight_privilege => nil
@@ -58,7 +61,7 @@ class AuthorizationRulesController < ApplicationController
         @role_privs[auth_rule.role] += auth_rule.privileges.collect {|p| [context, p, auth_rule.attributes.empty?, auth_rule.to_long_s]}
       end
     end
-    
+
     if options[:effective_role_privs]
       @roles.each do |role|
         @role_privs[role] ||= []
@@ -67,6 +70,10 @@ class AuthorizationRulesController < ApplicationController
         end
       end
     end
+
+    if options[:only_relevant_contexts]
+      @contexts.delete_if {|context| @roles.all? {|role| !@role_privs[role] || !@role_privs[role].any? {|info| info[0] == context}}}
+    end
     
     if options[:privilege_hierarchy]
       @context_privs.each do |context, privs|

data/app/controllers/authorization_usages_controller.rb

@@ -3,6 +3,8 @@ if Authorization::activate_authorization_rules_browser?
 require File.join(File.dirname(__FILE__), %w{.. .. lib declarative_authorization maintenance})
 
 class AuthorizationUsagesController < ApplicationController
+  unloadable
+  
   helper :authorization_rules
   filter_access_to :all, :require => :read
   # TODO set context?

data/app/views/authorization_rules/graph.html.erb

@@ -26,8 +26,8 @@
   <%#= link_to_graph "Rules" %>
   <%#= link_to_graph "Privilege hierarchy", :type => 'priv_hierarchy' %>
   
-  <%= select_tag "filter_roles", options_for_select([["All roles",'']] + controller.authorization_engine.roles), :onchange => 'update_graph(this.form)' %>
-  <%= select_tag "filter_contexts", options_for_select([["All contexts",'']] + controller.authorization_engine.auth_rules.collect {|ar| ar.contexts.to_a}.flatten.uniq), :onchange => 'update_graph(this.form)' %>
+  <%= select_tag "filter_roles", options_for_select([["All roles",'']] + controller.authorization_engine.roles.map(&:to_s).sort), :onchange => 'update_graph(this.form)' %>
+  <%= select_tag "filter_contexts", options_for_select([["All contexts",'']] + controller.authorization_engine.auth_rules.collect {|ar| ar.contexts.to_a}.flatten.uniq.map(&:to_s).sort), :onchange => 'update_graph(this.form)' %>
   <%= check_box_tag "effective_role_privs", "1", false, :onclick => 'update_graph(this.form)'  %> <%= label_tag "effective_role_privs", "Effective privileges"  %>
   <%= check_box_tag "privilege_hierarchy", "1", false, :onclick => 'update_graph(this.form)'  %> <%= label_tag "privilege_hierarchy", "Show full privilege hierarchy"  %>
   <% end %>

data/lib/declarative_authorization/in_controller.rb

@@ -123,7 +123,7 @@ module Authorization
       # action as parameter.  The special symbol :+all+ refers to all action.
       # The all :+all+ statement is only employed if no specific statement is
       # present.
-      #   class UserController < ActionController
+      #   class UserController < ApplicationController
       #     filter_access_to :index
       #     filter_access_to :new, :edit
       #     filter_access_to :all
@@ -152,6 +152,25 @@ module Authorization
       # the controller name.  Thus, in UserController :+edit+ requires
       # :+edit+ +users+.  To specify required privilege, use the option :+require+
       #   filter_access_to :new, :create, :require => :create, :context => :users
+      #
+      # Without the :+attribute_check+ option, no constraints from the
+      # authorization rules are enforced because for some actions (collections,
+      # +new+, +create+), there is no object to evaluate conditions against.  To
+      # allow attribute checks on all actions, it is a common pattern to provide
+      # custom objects through +before_filters+:
+      #   class BranchesController < ApplicationController
+      #     before_filter :load_company
+      #     before_filter :new_branch_from_company_and_params,
+      #       :only => [:index, :new, :create]
+      #     filter_access_to :all, :attribute_check => true
+      #
+      #     protected
+      #     def new_branch_from_company_and_params
+      #       @branch = @company.branches.new(params[:branch])
+      #     end
+      #   end
+      # NOTE: +before_filters+ need to be defined before the first
+      # +filter_access_to+ call.
       #   
       # For further customization, a custom filter expression may be formulated
       # in a block, which is then evaluated in the context of the controller
@@ -174,11 +193,13 @@ module Authorization
       #   The privilege's context, defaults to controller_name, pluralized.
       # [:+attribute_check+]
       #   Enables the check of attributes defined in the authorization rules.
-      #   Defaults to false.  If enabled, filter_access_to will try to load
-      #   a context object employing either 
-      #   * the method from the :+load_method+ option or 
+      #   Defaults to false.  If enabled, filter_access_to will use a context
+      #   object from one of the following sources (in that order):
+      #   * the method from the :+load_method+ option,
+      #   * an instance variable named after the singular of the context
+      #     (by default from the controller name, e.g. @post for PostsController),
       #   * a find on the context model, using +params+[:id] as id value.
-      #   Any of these loading methods will only be employed if :+attribute_check+
+      #   Any of these methods will only be employed if :+attribute_check+
       #   is enabled.
       # [:+model+] 
       #   The data model to load a context object from.  Defaults to the

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: stffn-declarative_authorization
 version: !ruby/object:Gem::Version 
-  version: 0.2.5
+  version: 0.3.0
 platform: ruby
 authors: 
 - Steffen Bartsch