stffn-declarative_authorization 0.2.5 → 0.3.0
data/CHANGELOG
CHANGED
@@ -1,10 +1,13 @@
|
|
1
|
-
* New option :join_by for has_permission_on to allow AND'ing of statements in one has_permission_on block
|
2
1
|
|
3
|
-
|
2
|
+
** RELEASE 0.3 (April 20, 2009) **
|
4
3
|
|
5
|
-
* New
|
4
|
+
* New option :join_by for has_permission_on to allow AND'ing of statements in one has_permission_on block [sb]
|
6
5
|
|
7
|
-
*
|
6
|
+
* Allow using_access_control to be called directly on ActiveRecord::Base, globally enabling model security [sb]
|
7
|
+
|
8
|
+
* New operator: intersects_with, comparing two Enumerables in if_attribute [sb]
|
9
|
+
|
10
|
+
* Improved if_permitted_to syntax: if the attribute is left out, permissions are checked on for the current object [sb]
|
8
11
|
|
9
12
|
* Added #has_role_with_hierarchy? method to retrieve explicit and calculated roles [jeremyf]
|
10
13
|
|
data/README.rdoc
CHANGED
@@ -344,11 +344,15 @@ See Authorization::TestHelper for more information.
|
|
344
344
|
|
345
345
|
= Installation of declarative_authorization
|
346
346
|
|
347
|
-
|
348
|
-
|
349
|
-
|
350
|
-
|
351
|
-
|
347
|
+
One of three options to install the plugin:
|
348
|
+
* Install by Gem: Add to your environment.rb in the initializer block:
|
349
|
+
config.gem "stffn-declarative_authorization", :lib => "declarative_authorization"
|
350
|
+
And call from your application's root directory
|
351
|
+
rake gems:install
|
352
|
+
* Alternatively, to install from github, execute in your application's root directory
|
353
|
+
cd vendor/plugins && git clone git://github.com/stffn/declarative_authorization.git
|
354
|
+
* Or, download one of the released versions from Github at
|
355
|
+
http://github.com/stffn/declarative_authorization/downloads
|
352
356
|
|
353
357
|
Then,
|
354
358
|
* provide the requirements as noted below,
|
@@ -361,8 +365,8 @@ Then,
|
|
361
365
|
The requirements are
|
362
366
|
* Rails >= 2.1 and Ruby >= 1.8.6, including 1.9
|
363
367
|
* An authentication mechanism
|
364
|
-
* A user object returned by
|
365
|
-
* An array of role symbols returned by
|
368
|
+
* A user object returned by Controller#current_user
|
369
|
+
* An array of role symbols returned by User#role_symbols
|
366
370
|
* (For model security) Setting Authorization.current_user to the request's user
|
367
371
|
|
368
372
|
Of the various ways to provide these requirements, here is one way employing
|
@@ -416,7 +420,7 @@ restful_authentication.
|
|
416
420
|
user.roles.create(:title => "admin")
|
417
421
|
|
418
422
|
Note: If you choose to generate an Account model for restful_authentication
|
419
|
-
instead of a User model as described
|
423
|
+
instead of a User model as described above, you have to customize the
|
420
424
|
examples and create a ApplicationController#current_user method.
|
421
425
|
|
422
426
|
|
@@ -447,7 +451,7 @@ Then, point your browser to
|
|
447
451
|
|
448
452
|
The browser needs Rails 2.3 (for Engine support). The graphical view requires
|
449
453
|
Graphviz (which e.g. can be installed through the graphviz package under Debian
|
450
|
-
and Ubuntu) and
|
454
|
+
and Ubuntu) and has only been tested under Linux.
|
451
455
|
|
452
456
|
|
453
457
|
= Help and Contact
|
@@ -10,6 +10,8 @@ begin
|
|
10
10
|
rescue LoadError; end
|
11
11
|
|
12
12
|
class AuthorizationRulesController < ApplicationController
|
13
|
+
unloadable
|
14
|
+
|
13
15
|
filter_access_to :all, :require => :read
|
14
16
|
def index
|
15
17
|
respond_to do |format|
|
@@ -31,6 +33,7 @@ class AuthorizationRulesController < ApplicationController
|
|
31
33
|
options = {
|
32
34
|
:effective_role_privs => true,
|
33
35
|
:privilege_hierarchy => false,
|
36
|
+
:only_relevant_contexts => true,
|
34
37
|
:filter_roles => nil,
|
35
38
|
:filter_contexts => nil,
|
36
39
|
:highlight_privilege => nil
|
@@ -58,7 +61,7 @@ class AuthorizationRulesController < ApplicationController
|
|
58
61
|
@role_privs[auth_rule.role] += auth_rule.privileges.collect {|p| [context, p, auth_rule.attributes.empty?, auth_rule.to_long_s]}
|
59
62
|
end
|
60
63
|
end
|
61
|
-
|
64
|
+
|
62
65
|
if options[:effective_role_privs]
|
63
66
|
@roles.each do |role|
|
64
67
|
@role_privs[role] ||= []
|
@@ -67,6 +70,10 @@ class AuthorizationRulesController < ApplicationController
|
|
67
70
|
end
|
68
71
|
end
|
69
72
|
end
|
73
|
+
|
74
|
+
if options[:only_relevant_contexts]
|
75
|
+
@contexts.delete_if {|context| @roles.all? {|role| !@role_privs[role] || !@role_privs[role].any? {|info| info[0] == context}}}
|
76
|
+
end
|
70
77
|
|
71
78
|
if options[:privilege_hierarchy]
|
72
79
|
@context_privs.each do |context, privs|
|
@@ -3,6 +3,8 @@ if Authorization::activate_authorization_rules_browser?
|
|
3
3
|
require File.join(File.dirname(__FILE__), %w{.. .. lib declarative_authorization maintenance})
|
4
4
|
|
5
5
|
class AuthorizationUsagesController < ApplicationController
|
6
|
+
unloadable
|
7
|
+
|
6
8
|
helper :authorization_rules
|
7
9
|
filter_access_to :all, :require => :read
|
8
10
|
# TODO set context?
|
@@ -26,8 +26,8 @@
|
|
26
26
|
<%#= link_to_graph "Rules" %>
|
27
27
|
<%#= link_to_graph "Privilege hierarchy", :type => 'priv_hierarchy' %>
|
28
28
|
|
29
|
-
<%= select_tag "filter_roles", options_for_select([["All roles",'']] + controller.authorization_engine.roles), :onchange => 'update_graph(this.form)' %>
|
30
|
-
<%= select_tag "filter_contexts", options_for_select([["All contexts",'']] + controller.authorization_engine.auth_rules.collect {|ar| ar.contexts.to_a}.flatten.uniq), :onchange => 'update_graph(this.form)' %>
|
29
|
+
<%= select_tag "filter_roles", options_for_select([["All roles",'']] + controller.authorization_engine.roles.map(&:to_s).sort), :onchange => 'update_graph(this.form)' %>
|
30
|
+
<%= select_tag "filter_contexts", options_for_select([["All contexts",'']] + controller.authorization_engine.auth_rules.collect {|ar| ar.contexts.to_a}.flatten.uniq.map(&:to_s).sort), :onchange => 'update_graph(this.form)' %>
|
31
31
|
<%= check_box_tag "effective_role_privs", "1", false, :onclick => 'update_graph(this.form)' %> <%= label_tag "effective_role_privs", "Effective privileges" %>
|
32
32
|
<%= check_box_tag "privilege_hierarchy", "1", false, :onclick => 'update_graph(this.form)' %> <%= label_tag "privilege_hierarchy", "Show full privilege hierarchy" %>
|
33
33
|
<% end %>
|
@@ -123,7 +123,7 @@ module Authorization
|
|
123
123
|
# action as parameter. The special symbol :+all+ refers to all action.
|
124
124
|
# The all :+all+ statement is only employed if no specific statement is
|
125
125
|
# present.
|
126
|
-
# class UserController <
|
126
|
+
# class UserController < ApplicationController
|
127
127
|
# filter_access_to :index
|
128
128
|
# filter_access_to :new, :edit
|
129
129
|
# filter_access_to :all
|
@@ -152,6 +152,25 @@ module Authorization
|
|
152
152
|
# the controller name. Thus, in UserController :+edit+ requires
|
153
153
|
# :+edit+ +users+. To specify required privilege, use the option :+require+
|
154
154
|
# filter_access_to :new, :create, :require => :create, :context => :users
|
155
|
+
#
|
156
|
+
# Without the :+attribute_check+ option, no constraints from the
|
157
|
+
# authorization rules are enforced because for some actions (collections,
|
158
|
+
# +new+, +create+), there is no object to evaluate conditions against. To
|
159
|
+
# allow attribute checks on all actions, it is a common pattern to provide
|
160
|
+
# custom objects through +before_filters+:
|
161
|
+
# class BranchesController < ApplicationController
|
162
|
+
# before_filter :load_company
|
163
|
+
# before_filter :new_branch_from_company_and_params,
|
164
|
+
# :only => [:index, :new, :create]
|
165
|
+
# filter_access_to :all, :attribute_check => true
|
166
|
+
#
|
167
|
+
# protected
|
168
|
+
# def new_branch_from_company_and_params
|
169
|
+
# @branch = @company.branches.new(params[:branch])
|
170
|
+
# end
|
171
|
+
# end
|
172
|
+
# NOTE: +before_filters+ need to be defined before the first
|
173
|
+
# +filter_access_to+ call.
|
155
174
|
#
|
156
175
|
# For further customization, a custom filter expression may be formulated
|
157
176
|
# in a block, which is then evaluated in the context of the controller
|
@@ -174,11 +193,13 @@ module Authorization
|
|
174
193
|
# The privilege's context, defaults to controller_name, pluralized.
|
175
194
|
# [:+attribute_check+]
|
176
195
|
# Enables the check of attributes defined in the authorization rules.
|
177
|
-
# Defaults to false. If enabled, filter_access_to will
|
178
|
-
#
|
179
|
-
# * the method from the :+load_method+ option
|
196
|
+
# Defaults to false. If enabled, filter_access_to will use a context
|
197
|
+
# object from one of the following sources (in that order):
|
198
|
+
# * the method from the :+load_method+ option,
|
199
|
+
# * an instance variable named after the singular of the context
|
200
|
+
# (by default from the controller name, e.g. @post for PostsController),
|
180
201
|
# * a find on the context model, using +params+[:id] as id value.
|
181
|
-
# Any of these
|
202
|
+
# Any of these methods will only be employed if :+attribute_check+
|
182
203
|
# is enabled.
|
183
204
|
# [:+model+]
|
184
205
|
# The data model to load a context object from. Defaults to the
|