stffn-declarative_authorization 0.3.0 → 0.3.1

data/CHANGELOG

@@ -1,3 +1,12 @@
+* Simplified controller authorization with filter_resource_access [sb]
+
+* Allow passing explicit context in addition to object in permitted_to? [Olly Lylo, sb]
+
+* Change Supporter: suggest changes to authorization rules [sb]
+
+* Added permitted_to!/? in model [Eike Carls]
+
+* New test helper: should_(not_)_be_allowed_to(privilege, object_or_context) [sb]
 
 ** RELEASE 0.3 (April 20, 2009) **
 

data/README.rdoc

@@ -79,12 +79,26 @@ generated yourself or at http://www.tzi.org/~sbartsch/declarative_authorization
 
 == Controller
 
-If authentication is in place, enabling user-specific access control may be
-as simple as one call to filter_access_to :all which simply requires the 
-according privileges for present actions.  E.g. the privilege index_users is
-required for action index.  This works as a first default configuration
-for RESTful controllers, with these privileges easily handled in the
-authorization configuration, which will be described below.
+If authentication is in place, there are two ways to enable user-specific
+access control on controller actions.  For resource controllers, which more
+or less follow the CRUD pattern, +filter_resource_access+ is the simplest
+approach.  It sets up instance variables in before filters and calls
+filter_access_to with the appropriate parameters to protect the CRUD methods.
+
+    class EmployeesController < ApplicationController
+      filter_resource_access
+      ...
+    end
+
+See Authorization::AuthorizationInController::ClassMethods for options on
+nested resources and custom member and collection actions.
+
+If you prefer less magic or your controller has no resemblance with the resource
+controllers, directly calling filter_access_to may be the better option.  Examples
+are given in the following.  E.g. the privilege index users is required for
+action index.  This works as a first default configuration for RESTful
+controllers, with these privileges easily handled in the authorization
+configuration, which will be described below.
 
     class EmployeesController < ApplicationController
       filter_access_to :all
@@ -473,10 +487,12 @@ sbartsch at tzi.org
 = Contributors
 
 Thanks to
+* Eike Carls
 * Erik Dahlstrand
 * Jeremy Friesen
 * Brian Langenfeld
 * Geoff Longman
+* Olly Lylo
 * Mark Mansour
 * Mike Vincent
 

data/app/controllers/authorization_rules_controller.rb

@@ -1,6 +1,8 @@
 if Authorization::activate_authorization_rules_browser?
 
-require File.join(File.dirname(__FILE__), %w{.. .. lib declarative_authorization authorization_rules_analyzer})
+require File.join(File.dirname(__FILE__), %w{.. .. lib declarative_authorization development_support analyzer})
+require File.join(File.dirname(__FILE__), %w{.. .. lib declarative_authorization development_support change_supporter})
+require File.join(File.dirname(__FILE__), %w{.. .. lib declarative_authorization development_support development_support})
 
 begin
   # for nice auth_rules output:
@@ -28,29 +30,105 @@ class AuthorizationRulesController < ApplicationController
     end
   end
 
+  def change
+    @users = find_all_users
+    @users.sort! {|a, b| a.login <=> b.login }
+    
+    @privileges = authorization_engine.auth_rules.collect {|rule| rule.privileges.to_a}.flatten.uniq
+    @privileges = @privileges.collect {|priv| Authorization::DevelopmentSupport::AnalyzerEngine::Privilege.for_sym(priv, authorization_engine).descendants.map(&:to_sym) }.flatten.uniq
+    @privileges.sort_by {|priv| priv.to_s}
+    @privilege = params[:privilege].to_sym rescue @privileges.first
+    @contexts = authorization_engine.auth_rules.collect {|rule| rule.contexts.to_a}.flatten.uniq
+    @context = params[:context].to_sym rescue @contexts.first
+
+    respond_to do |format|
+      format.html
+      format.js do
+        render :partial => 'change'
+      end
+    end
+  end
+
+  def suggest_change
+    users_permission = params[:user].inject({}) do |memo, (user_id, data)|
+      if data[:permission] != "undetermined"
+        begin
+          memo[find_user_by_id(user_id)] = (data[:permission] == 'yes')
+        rescue ActiveRecord::NotFound
+        end
+      end
+      memo
+    end
+
+    prohibited_actions = (params[:prohibited_action] || []).collect do |spec|
+      deserialize_changes(spec).flatten
+    end
+
+    users_keys = users_permission.keys
+    analyzer = Authorization::DevelopmentSupport::ChangeSupporter.new(authorization_engine)
+    
+    privilege = params[:privilege].to_sym
+    context = params[:context].to_sym
+    @context = context
+    @approaches = analyzer.find_approaches_for(:users => users_keys, :prohibited_actions => prohibited_actions) do
+      users.each_with_index do |user, idx|
+        args = [privilege, {:context => context, :user => user}]
+        assert(users_permission[users_keys[idx]] ? permit?(*args) : !permit?(*args))
+      end
+    end
+
+    respond_to do |format|
+      format.js do
+        render :partial => 'suggestions'
+      end
+    end
+  end
+
   private
   def auth_to_dot (options = {})
     options = {
       :effective_role_privs => true,
       :privilege_hierarchy => false,
+      :stacked_roles => false,
       :only_relevant_contexts => true,
+      :only_relevant_roles => false,
       :filter_roles => nil,
       :filter_contexts => nil,
-      :highlight_privilege => nil
+      :highlight_privilege => nil,
+      :changes => nil,
+      :users => nil
     }.merge(options)
 
+    @has_changes = options[:changes] && !options[:changes].empty?
     @highlight_privilege = options[:highlight_privilege]
-    @roles = authorization_engine.roles
-    @roles = @roles.select {|r| r == options[:filter_roles] } if options[:filter_roles]
-    @role_hierarchy = authorization_engine.role_hierarchy
-    @privilege_hierarchy = authorization_engine.privilege_hierarchy
+    @stacked_roles = options[:stacked_roles]
+
+    @users = options[:users]
+
+    engine = authorization_engine.clone
+    @changes = replay_changes(engine, @users, options[:changes]) if options[:changes]
+
+    options[:filter_roles] ||= @users.collect {|user| user.role_symbols}.flatten.uniq if options[:only_relevant_roles] and @users
+
+    filter_roles_flattened = nil
+    if options[:filter_roles]
+      filter_roles_flattened = options[:filter_roles].collect do |role_sym|
+        Authorization::DevelopmentSupport::AnalyzerEngine::Role.for_sym(role_sym, engine).
+            ancestors.map(&:to_sym) + [role_sym]
+      end.flatten.uniq
+    end
+
+    @roles = engine.roles
+    @roles = @roles.select {|r| filter_roles_flattened.include?(r) } if options[:filter_roles]
+    @role_hierarchy = engine.role_hierarchy
+    @privilege_hierarchy = engine.privilege_hierarchy
     
-    @contexts = authorization_engine.auth_rules.
+    @contexts = engine.auth_rules.
                     collect {|ar| ar.contexts.to_a}.flatten.uniq
     @contexts = @contexts.select {|c| c == options[:filter_contexts] } if options[:filter_contexts]
     @context_privs = {}
     @role_privs = {}
-    authorization_engine.auth_rules.each do |auth_rule|
+    engine.auth_rules.each do |auth_rule|
       @role_privs[auth_rule.role] ||= []
       auth_rule.contexts.
             select {|c| options[:filter_contexts].nil? or c == options[:filter_contexts]}.
@@ -64,15 +142,23 @@ class AuthorizationRulesController < ApplicationController
 
     if options[:effective_role_privs]
       @roles.each do |role|
-        @role_privs[role] ||= []
-        (@role_hierarchy[role] || []).each do |lower_role|
-          @role_privs[role].concat(@role_privs[lower_role]).uniq!
+        role = Authorization::DevelopmentSupport::AnalyzerEngine::Role.for_sym(role, engine)
+        @role_privs[role.to_sym] ||= []
+        role.ancestors.each do |lower_role|
+          @role_privs[role.to_sym].concat(@role_privs[lower_role.to_sym]).uniq!
         end
       end
     end
 
+    @roles.delete_if do |role|
+      role = Authorization::DevelopmentSupport::AnalyzerEngine::Role.for_sym(role, engine)
+      ([role] + role.ancestors).all? {|inner_role| @role_privs[inner_role.to_sym].blank? }
+    end
+
     if options[:only_relevant_contexts]
-      @contexts.delete_if {|context| @roles.all? {|role| !@role_privs[role] || !@role_privs[role].any? {|info| info[0] == context}}}
+      @contexts.delete_if do |context|
+        @roles.all? {|role| !@role_privs[role] || !@role_privs[role].any? {|info| info[0] == context}}
+      end
     end
     
     if options[:privilege_hierarchy]
@@ -88,6 +174,20 @@ class AuthorizationRulesController < ApplicationController
     
     render_to_string :template => 'authorization_rules/graph.dot.erb', :layout => false
   end
+
+  def replay_changes (engine, users, changes)
+    changes.inject({}) do |memo, info|
+      case info[0]
+      when :add_privilege, :add_role
+        Authorization::DevelopmentSupport::AnalyzerEngine.apply_change(engine, info)
+      when :assign_role_to_user
+        user = users.find {|u| u.login == info[2]}
+        user.role_symbols << info[1] if user
+      end
+      (memo[info[0]] ||= Set.new) << info[1..-1]
+      memo
+    end
+  end
   
   def dot_to_svg (dot_data)
     gv = IO.popen("#{Authorization.dot_path} -q -Tsvg", "w+")
@@ -102,11 +202,32 @@ class AuthorizationRulesController < ApplicationController
     {
       :effective_role_privs => !params[:effective_role_privs].blank?,
       :privilege_hierarchy => !params[:privilege_hierarchy].blank?,
-      :filter_roles => params[:filter_roles].blank? ? nil : params[:filter_roles].to_sym,
+      :stacked_roles => !params[:stacked_roles].blank?,
+      :only_relevant_roles => !params[:only_relevant_roles].blank?,
+      :filter_roles => params[:filter_roles].blank? ? nil : (params[:filter_roles].is_a?(Array) ? params[:filter_roles].map(&:to_sym) : [params[:filter_roles].to_sym]),
       :filter_contexts => params[:filter_contexts].blank? ? nil : params[:filter_contexts].to_sym,
-      :highlight_privilege => params[:highlight_privilege].blank? ? nil : params[:highlight_privilege].to_sym
+      :highlight_privilege => params[:highlight_privilege].blank? ? nil : params[:highlight_privilege].to_sym,
+      :changes => deserialize_changes(params[:changes]),
+      :users => params[:user_ids] && params[:user_ids].collect {|user_id| find_user_by_id(user_id)}
     }
   end
+
+  def deserialize_changes (changes)
+    if changes
+      changes.split(';').collect do |info|
+        info.split(',').collect do |info_part|
+          info_part[0,1] == ':' ? info_part[1..-1].to_sym : info_part
+        end
+      end
+    end
+  end
+
+  def find_user_by_id (id)
+    User.find(id)
+  end
+  def find_all_users
+    User.all.select {|user| !user.login.blank?}
+  end
 end
 
 else

data/app/helpers/authorization_rules_helper.rb

@@ -3,8 +3,8 @@ module AuthorizationRulesHelper
     regexps = {
       :constant => [/(:)(\w+)/], 
       :proc => ['role', 'authorization', 'privileges'],
-      :statement => ['has_permission_on', 'if_attribute', 'includes', 'privilege', 'to'],
-      :operator => ['is', 'contains'],
+      :statement => ['has_permission_on', 'if_attribute', 'if_permitted_to', 'includes', 'privilege', 'to'],
+      :operator => ['is', 'contains', 'is_in', 'is_not', 'is_not_in', 'intersects'],
       :special => ['user', 'true', 'false'],
       :preproc => ['do', 'end', /()(=>)/, /()(\{)/, /()(\})/, /()(\[)/, /()(\])/],
       :comment => [/()(#.*$)/]#,
@@ -23,16 +23,17 @@ module AuthorizationRulesHelper
   end
 
   def policy_analysis_hints (marked_up, policy_data)
-    analyzer = Authorization::Analyzer.new(controller.authorization_engine)
+    analyzer = Authorization::DevelopmentSupport::Analyzer.new(controller.authorization_engine)
     analyzer.analyze(policy_data)
     marked_up_by_line = marked_up.split("\n")
     reports_by_line = analyzer.reports.inject({}) do |memo, report|
-      memo[report.line] ||= []
-      memo[report.line] << report
+      memo[report.line || 1] ||= []
+      memo[report.line || 1] << report
       memo
     end
     reports_by_line.each do |line, reports|
-      note = %Q{<span class="note" title="#{reports.first.type}: #{reports.first.message}">[i]</span>}
+      text = reports.collect {|report| "#{report.type}: #{report.message}"} * " "
+      note = %Q{<span class="note" title="#{h text}">[i]</span>}
       marked_up_by_line[line - 1] = note + marked_up_by_line[line - 1]
     end
     marked_up_by_line * "\n"
@@ -45,6 +46,7 @@ module AuthorizationRulesHelper
   
   def navigation
     link_to("Rules", authorization_rules_path) << ' | ' <<
+    link_to("Change Supporter", change_authorization_rules_path) << ' | ' <<
     link_to("Graphical view", graph_authorization_rules_path) << ' | ' <<
     link_to("Usages", authorization_usages_path) #<< ' | ' <<
   #  'Edit | ' <<
@@ -52,20 +54,101 @@ module AuthorizationRulesHelper
   end
   
   def role_color (role, fill = false)
-    fill_colors = %w{#ffdddd #ddffdd #ddddff #ffffdd #ffddff #ddffff}
-    colors = %w{#dd0000 #00dd00 #0000dd #dddd00 #dd00dd #00dddd}
-    @@role_colors ||= {}
-    @@role_colors[role] ||= begin
-      idx = @@role_colors.length % colors.length
-      [colors[idx], fill_colors[idx]]
+    if @has_changes
+      if has_changed(:add_role, role)
+        fill ? '#ddffdd' : '#000000'
+      elsif has_changed(:remove_role, role)
+        fill ? '#ffdddd' : '#000000'
+      else
+        fill ? '#ddddff' : '#000000'
+      end
+    else
+      fill_colors = %w{#ffdddd #ddffdd #ddddff #ffffdd #ffddff #ddffff}
+      colors = %w{#dd0000 #00dd00 #0000dd #dddd00 #dd00dd #00dddd}
+      @@role_colors ||= {}
+      @@role_colors[role] ||= begin
+        idx = @@role_colors.length % colors.length
+        [colors[idx], fill_colors[idx]]
+      end
+      @@role_colors[role][fill ? 1 : 0]
     end
-    @@role_colors[role][fill ? 1 : 0]
   end
   
   def role_fill_color (role)
     role_color(role, true)
   end
 
+  def privilege_color (privilege, context, role)
+    has_changed(:add_privilege, privilege, context, role) ? '#00dd00' :
+        (has_changed(:remove_privilege, privilege, context, role) ? '#dd0000' :
+          role_color(role))
+  end
+
+  def describe_step (step, options = {})
+    options = {:with_removal => false}.merge(options)
+
+    case step[0]
+    when :add_privilege
+      dont_assign = prohibit_link(step[0,3],
+          "Add privilege <strong>#{h step[1].to_sym.inspect} #{h step[2].to_sym.inspect}</strong> to any role",
+          "Don't suggest adding #{h step[1].to_sym.inspect} #{h step[2].to_sym.inspect}.", options)
+      "Add privilege <strong>#{h step[1].inspect} #{h step[2].inspect}</strong>#{dont_assign} to role <strong>#{h step[3].to_sym.inspect}</strong>"
+    when :remove_privilege
+      dont_remove = prohibit_link(step[0,3], 
+          "Remove privilege <strong>#{h step[1].to_sym.inspect} #{h step[2].to_sym.inspect}</strong> from any role", 
+          "Don't suggest removing #{h step[1].to_sym.inspect} #{h step[2].to_sym.inspect}.", options)
+      "Remove privilege <strong>#{h step[1].inspect} #{h step[2].inspect}</strong>#{dont_remove} from role <strong>#{h step[3].to_sym.inspect}</strong>"
+    when :add_role
+      "New role <strong>#{h step[1].to_sym.inspect}</strong>"
+    when :assign_role_to_user
+      dont_assign = prohibit_link(step[0,2],
+          "Assign role <strong>#{h step[1].to_sym.inspect}</strong> to any user",
+          "Don't suggest assigning #{h step[1].to_sym.inspect}.", options)
+      "Assign role <strong>#{h step[1].to_sym.inspect}</strong>#{dont_assign} to <strong>#{h readable_step_info(step[2])}</strong>"
+    when :remove_role_from_user
+      dont_remove = prohibit_link(step[0,2],
+          "Remove role <strong>#{h step[1].to_sym.inspect}</strong> from any user",
+          "Don't suggest removing #{h step[1].to_sym.inspect}.", options)
+      "Remove role <strong>#{h step[1].to_sym.inspect}</strong>#{dont_remove} from <strong>#{h readable_step_info(step[2])}</strong>"
+    else
+      step.collect {|info| readable_step_info(info) }.map {|str| h str } * ', '
+    end + prohibit_link(step, options[:with_removal] ? "#{escape_javascript(describe_step(step))}" : '',
+                        "Don't suggest this action.", options)
+  end
+
+  def prohibit_link (step, text, title, options)
+    options[:with_removal] ?
+          ' ' + link_to_function("[x]", "prohibit_action('#{serialize_action(step)}', '#{text}')",
+                    :class => 'unimportant', :title => title) :
+          ''
+  end
+  
+  def readable_step_info (info)
+    case info
+    when Symbol   then info.inspect
+    when User     then info.login
+    else               info.to_sym.inspect
+    end
+  end
+
+  def serialize_changes (approach)
+    changes = approach.changes.collect {|step| step.to_a.first.is_a?(Enumerable) ? step.to_a : [step.to_a]}
+    changes.collect {|multi_step| multi_step.collect {|step| serialize_action(step) }}.flatten * ';'
+  end
+
+  def serialize_action (step)
+    step.collect {|info| readable_step_info(info) } * ','
+  end
+
+  def serialize_relevant_roles (approach)
+    {:filter_roles => (Authorization::DevelopmentSupport::AnalyzerEngine.relevant_roles(approach.engine, approach.users).
+        map(&:to_sym) + [:new_role_for_change_analyzer]).uniq}.to_param
+  end
+
+  def has_changed (*args)
+    @changes && @changes[args[0]] && @changes[args[0]].include?(args[1..-1])
+  end
+
   def auth_usage_info_classes (auth_info)
     classes = []
     if auth_info[:controller_permissions]

data/app/views/authorization_rules/_change.erb

@@ -0,0 +1,49 @@
+<form>
+<h2>1. Choose permission to change</h2>
+<p class="action-options">
+  <label>Privilege</label>
+  <%= select_tag :privilege, options_for_select(@privileges.map(&:to_s).sort, @privilege.to_s) %>
+  <br/>
+  <label>On</label>
+  <%= select_tag :context, options_for_select(@contexts.map(&:to_s).sort, @context.to_s) %>
+  <br/>
+  <%= link_to_function "Current permissions", "show_current_permissions()", :class => 'unimportant' %>
+</p>
+
+<h2>2. Whose permission should be changed?</h2>
+<table class="change-options">
+  <thead>
+    <tr>
+      <td>User</td>
+      <td>Current roles</td>
+      <td class="choose">?</td>
+      <td class="choose">Yes</td>
+      <td class="choose">No</td>
+    </tr>
+  </thead>
+  <tbody>
+    <% @users.each do |user| %>
+      <tr class="<%= controller.authorization_engine.permit?(@privilege, :context => @context, :user => user, :skip_attribute_test => true) ? 'permitted' : 'not-permitted' %>">
+        <td class="user_id"><%=h user.id %></td>
+        <td style="font-weight:bold"><%=h user.login %></td>
+        <td><%=h user.role_symbols * ', ' %></td>
+        <td><%= radio_button_tag "user[#{user.id}][permission]", "undetermined", true %></td>
+        <td class="yes"><%= radio_button_tag "user[#{user.id}][permission]", "yes" %></td>
+        <td class="no"><%= radio_button_tag "user[#{user.id}][permission]", "no" %></td>
+      </tr>
+    <% end %>
+    <tr>
+      <td colspan="5" style="text-align:right; padding-top:0.5em" class="unimportant">
+        <span style="background: #FFE599;">&nbsp; &nbsp;</span> Current permission
+      </td>
+    </tr>
+  </tbody>
+</table>
+
+<h2 style="display:none">Prohibited actions</h2>
+<ul id="prohibited_actions"></ul>
+
+<p class="submit">
+  <%= button_to_function "Suggest Changes", "suggest_changes()" %>
+</p>
+</form>