stffn-declarative_authorization 0.3.0 → 0.3.1

data/lib/declarative_authorization/in_model.rb

@@ -5,6 +5,31 @@ require File.dirname(__FILE__) + '/obligation_scope.rb'
 module Authorization
   
   module AuthorizationInModel
+
+    # If the user meets the given privilege, permitted_to? returns true
+    # and yields to the optional block.
+    def permitted_to? (privilege, options = {} )
+      options = {
+        :user =>  Authorization.current_user,
+        :object => self
+      }.merge(options)
+      Authorization::Engine.instance.permit?(privilege,
+          {:user => options[:user],
+           :object => options[:object]},
+          &block)
+    end
+
+    # Works similar to the permitted_to? method, but doesn't accept a block
+    # and throws the authorization exceptions, just like Engine#permit!
+    def permitted_to! (privilege, options = {} )
+      options = {
+        :user =>  Authorization.current_user,
+        :object => self
+      }.merge(options)
+      Authorization::Engine.instance.permit!(privilege,
+          {:user => options[:user],
+           :object => options[:object]})
+    end
     
     def self.included(base) # :nodoc:
       #base.extend(ClassMethods)
@@ -17,7 +42,7 @@ module Authorization
           
           user = options[:user] || Authorization.current_user
 
-          engine = Authorization::Engine.instance
+          engine = options[:engine] || Authorization::Engine.instance
           engine.permit!(privileges, :user => user, :skip_attribute_test => true,
                          :context => context)
 
@@ -33,7 +58,7 @@ module Authorization
             :model => self,
             :engine => nil,
           }.merge(options)
-          engine ||= Authorization::Engine.instance
+          engine = options[:engine] || Authorization::Engine.instance
 
           scope = ObligationScope.new( options[:model], {} )
           engine.obligations( privileges, :user => options[:user], :context => options[:context] ).each do |obligation|

data/lib/declarative_authorization/maintenance.rb

@@ -22,10 +22,7 @@ module Authorization
     #    SomeModel.find(:first).save
     #  end
     def without_access_control
-      Authorization.ignore_access_control(true)
-      yield
-    ensure
-      Authorization.ignore_access_control(false)
+      self.class.without_access_control
     end
 
     # A class method variant of without_access_control.  Thus, one can call
@@ -33,10 +30,13 @@ module Authorization
     #    ...
     #  end
     def self.without_access_control
-      Authorization.ignore_access_control(true)
-      yield
-    ensure
-      Authorization.ignore_access_control(false)
+      previous_state = Authorization.ignore_access_control
+      begin
+        Authorization.ignore_access_control(true)
+        yield
+      ensure
+        Authorization.ignore_access_control(previous_state)
+      end
     end
 
     # Sets the current user for the declarative authorization plugin to the
@@ -145,6 +145,20 @@ module Authorization
       end
     end
     
+    def should_be_allowed_to (privilege, object_or_context)
+      options = {}
+      options[object_or_context.is_a?(Symbol) ? :context : :object] = object_or_context
+      assert_nothing_raised do
+        Authorization::Engine.instance.permit!(privilege, options)
+      end
+    end
+
+    def should_not_be_allowed_to (privilege, object_or_context)
+      options = {}
+      options[object_or_context.is_a?(Symbol) ? :context : :object] = object_or_context
+      assert !Authorization::Engine.instance.permit?(privilege, options)
+    end
+    
     def request_with (user, method, xhr, action, params = {}, 
         session = {}, flash = {})
       session = session.merge({:user => user, :user_id => user.id})

data/lib/declarative_authorization/obligation_scope.rb

@@ -208,15 +208,20 @@ module Authorization
             end
             bindvar = "#{attribute_table_alias}__#{attribute_name}_#{obligation_index}".to_sym
 
-            attribute_operator = case operator
-                                 when :contains, :is             then "= :#{bindvar}"
-                                 when :does_not_contain, :is_not then "<> :#{bindvar}"
-                                 when :is_in, :intersects_with   then "IN (:#{bindvar})"
-                                 when :is_not_in                 then "NOT IN (:#{bindvar})"
-                                 else raise AuthorizationUsageError, "Unknown operator: #{operator}"
-                                 end
-            obligation_conds << "#{connection.quote_table_name(attribute_table_alias)}.#{connection.quote_table_name(attribute_name)} #{attribute_operator}"
-            binds[bindvar] = attribute_value(value)
+            sql_attribute = "#{connection.quote_table_name(attribute_table_alias)}.#{connection.quote_table_name(attribute_name)}"
+            if value.nil? and [:is, :is_not].include?(operator)
+              obligation_conds << "#{sql_attribute} IS #{[:contains, :is].include?(operator) ? '' : 'NOT '}NULL"
+            else
+              attribute_operator = case operator
+                                   when :contains, :is             then "= :#{bindvar}"
+                                   when :does_not_contain, :is_not then "<> :#{bindvar}"
+                                   when :is_in, :intersects_with   then "IN (:#{bindvar})"
+                                   when :is_not_in                 then "NOT IN (:#{bindvar})"
+                                   else raise AuthorizationUsageError, "Unknown operator: #{operator}"
+                                   end
+              obligation_conds << "#{sql_attribute} #{attribute_operator}"
+              binds[bindvar] = attribute_value(value)
+            end
           end
         end
         obligation_conds << "1=1" if obligation_conds.empty?

data/lib/declarative_authorization/reader.rb

@@ -229,8 +229,10 @@ module Authorization
         privs = options[:to] 
         privs = [privs] unless privs.is_a?(Array)
         raise DSLError, "has_permission_on either needs a block or :to option" if !block_given? and privs.empty?
-        
-        rule = AuthorizationRule.new(@current_role, privs, context, options[:join_by])
+
+        file, line = file_and_line_number_from_call_stack
+        rule = AuthorizationRule.new(@current_role, privs, context, options[:join_by],
+                   :source_file => file, :source_line => line)
         @auth_rules << rule
         if block_given?
           @current_rule = rule
@@ -425,6 +427,12 @@ module Authorization
         end
         hash.merge!(merge_hash)
       end
+      
+      def file_and_line_number_from_call_stack
+        caller_parts = caller(2).first.split(':')
+        [caller_parts[0] == "(eval)" ? nil : caller_parts[0],
+          caller_parts[1] && caller_parts[1].to_i]
+      end
     end
   end
 end

data/test/authorization_test.rb

@@ -191,6 +191,28 @@ class AuthorizationTest < Test::Unit::TestCase
       engine.obligations(:test, :context => :permission_children_children,
           :user => MockUser.new(:test_role))
   end
+
+  def test_obligations_with_permissions_and_anded_conditions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permission_children, :to => :test, :join_by => :and do
+            if_permitted_to :test, :permission
+            if_attribute :test_attr => 1
+          end
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => 1
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+
+    assert_equal [{:test_attr => [:is, 1], :permission => {:test_attr => [:is, 1]}}],
+      engine.obligations(:test, :context => :permission_children,
+          :user => MockUser.new(:test_role))
+  end
   
   def test_guest_user
     reader = Authorization::Reader::DSLReader.new
@@ -776,4 +798,26 @@ class AuthorizationTest < Test::Unit::TestCase
     assert engine.permit?(:test, :context => :permissions)
     Authorization.current_user = nil
   end
+
+  def test_clone
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :attr => { :sub_attr => is { user } }
+            if_permitted_to :read, :attr_2 => :attr_3
+            if_permitted_to :read, :attr_2
+          end
+        end
+      end
+    }
+
+    engine = Authorization::Engine.new(reader)
+    cloned_engine = engine.clone
+    assert_not_equal engine.auth_rules[0].contexts.object_id,
+        cloned_engine.auth_rules[0].contexts.object_id
+    assert_not_equal engine.auth_rules[0].attributes[0].send(:instance_variable_get, :@conditions_hash)[:attr].object_id,
+        cloned_engine.auth_rules[0].attributes[0].send(:instance_variable_get, :@conditions_hash)[:attr].object_id
+  end
 end

data/test/controller_filter_resource_access_test.rb

@@ -0,0 +1,385 @@
+require File.join(File.dirname(__FILE__), 'test_helper.rb')
+
+class BasicResource < MockDataObject
+end
+class BasicResourcesController < MocksController
+  filter_resource_access
+  define_resource_actions
+end
+class BasicResourcesControllerTest < ActionController::TestCase
+  def test_basic_filter_index
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :index do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+
+    allowed_user = MockUser.new(:allowed_role)
+    request!(MockUser.new(:another_role), :index, reader)
+    assert !@controller.authorized?
+    request!(allowed_user, :index, reader)
+    assert @controller.authorized?
+  end
+
+  def test_basic_filter_show_with_id
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :show do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :show, reader, :id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :show, reader, :id => "1", :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+
+  def test_basic_filter_new_with_params
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :new do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :new, reader, :basic_resource => {:id => "2"})
+    assert !@controller.authorized?
+    request!(allowed_user, :new, reader, :basic_resource => {:id => "1"},
+        :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+end
+
+
+class NestedResource < MockDataObject
+  def initialize (attributes = {})
+    if attributes[:id]
+      attributes[:parent_mock] ||= ParentMock.new(:id => attributes[:id])
+    end
+    super(attributes)
+  end
+end
+class ParentMock < MockDataObject
+  def nested_resources
+    Class.new do
+      def initialize (parent_mock)
+        @parent_mock = parent_mock
+      end
+      def new (attributes = {})
+        NestedResource.new(attributes.merge(:parent_mock => @parent_mock))
+      end
+    end.new(self)
+  end
+
+  def == (other)
+    id == other.id
+  end
+end
+class NestedResourcesController < MocksController
+  filter_resource_access :nested_in => :parent_mocks
+  define_resource_actions
+end
+class NestedResourcesControllerTest < ActionController::TestCase
+  def test_nested_filter_index
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :nested_resources, :to => :index do
+            if_attribute :parent_mock => is {ParentMock.find("1")}
+          end
+        end
+      end
+    }
+
+    allowed_user = MockUser.new(:allowed_role)
+    request!(MockUser.new(:another_role), :index, reader, :parent_mock_id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :index, reader, :parent_mock_id => "2",
+        :clear => [:@nested_resource, :@parent_mock])
+    assert !@controller.authorized?
+    request!(allowed_user, :index, reader, :parent_mock_id => "1",
+        :clear => [:@nested_resource, :@parent_mock])
+    assert @controller.authorized?
+  end
+
+  def test_nested_filter_show_with_id
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :nested_resources, :to => :show do
+            if_attribute :parent_mock => is {ParentMock.find("1")}
+          end
+        end
+      end
+    }
+
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :show, reader, :id => "2", :parent_mock_id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :show, reader, :id => "1", :parent_mock_id => "1",
+        :clear => [:@nested_resource, :@parent_mock])
+    assert @controller.authorized?
+  end
+
+  def test_nested_filter_new_with_params
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :nested_resources, :to => :new do
+            if_attribute :parent_mock => is {ParentMock.find("1")}
+          end
+        end
+      end
+    }
+
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :new, reader, :parent_mock_id => "2",
+        :nested_resource => {:id => "2"})
+    assert !@controller.authorized?
+    request!(allowed_user, :new, reader, :parent_mock_id => "1",
+        :nested_resource => {:id => "1"},
+        :clear => [:@nested_resource, :@parent_mock])
+    assert @controller.authorized?
+  end
+end
+
+
+class CustomMembersCollectionsResourceController < MocksController
+  def self.controller_name
+    "basic_resources"
+  end
+  filter_resource_access :member => [[:other_show, :read]],
+      :collection => {:search => :read}, :new => [:other_new]
+  define_action_methods :other_new, :search, :other_show
+end
+class CustomMembersCollectionsResourceControllerTest < ActionController::TestCase
+  def test_custom_members_filter_search
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :read do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+
+    request!(MockUser.new(:another_role), :search, reader)
+    assert !@controller.authorized?
+    request!(MockUser.new(:allowed_role), :search, reader)
+    assert @controller.authorized?
+  end
+
+  def test_custom_members_filter_other_show
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :read do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :other_show, reader, :id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :other_show, reader, :id => "1", :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+
+  def test_custom_members_filter_other_new
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :other_new do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :other_new, reader, :basic_resource => {:id => "2"})
+    assert !@controller.authorized?
+    request!(allowed_user, :other_new, reader, :basic_resource => {:id => "1"},
+        :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+end
+
+
+class AdditionalMembersCollectionsResourceController < MocksController
+  def self.controller_name
+    "basic_resources"
+  end
+  filter_resource_access :additional_member => :other_show,
+      :additional_collection => [:search], :additional_new => {:other_new => :new}
+  define_resource_actions
+  define_action_methods :other_new, :search, :other_show
+end
+class AdditionalMembersCollectionsResourceControllerTest < ActionController::TestCase
+  def test_additional_members_filter_search_index
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => [:search, :index] do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+
+    request!(MockUser.new(:another_role), :search, reader)
+    assert !@controller.authorized?
+    request!(MockUser.new(:another_role), :index, reader)
+    assert !@controller.authorized?
+    request!(MockUser.new(:allowed_role), :search, reader)
+    assert @controller.authorized?
+    request!(MockUser.new(:allowed_role), :index, reader)
+    assert @controller.authorized?
+  end
+
+  def test_additional_members_filter_other_show
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => [:show, :other_show] do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :other_show, reader, :id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :show, reader, :id => "2", :clear => [:@basic_resource])
+    assert !@controller.authorized?
+    request!(allowed_user, :other_show, reader, :id => "1", :clear => [:@basic_resource])
+    assert @controller.authorized?
+    request!(allowed_user, :show, reader, :id => "1", :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+
+  def test_additional_members_filter_other_new
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :new do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :other_new, reader, :basic_resource => {:id => "2"})
+    assert !@controller.authorized?
+    request!(allowed_user, :new, reader, :basic_resource => {:id => "2"},
+        :clear => [:@basic_resource])
+    assert !@controller.authorized?
+
+    request!(allowed_user, :other_new, reader, :basic_resource => {:id => "1"},
+        :clear => [:@basic_resource])
+    assert @controller.authorized?
+    request!(allowed_user, :new, reader, :basic_resource => {:id => "1"},
+        :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+end
+
+
+class CustomMethodsResourceController < MocksController
+  # not implemented yet
+end
+
+
+class ExplicitContextResourceController < MocksController
+  filter_resource_access :context => :basic_resources
+  define_resource_actions
+end
+class ExplicitContextResourceControllerTest < ActionController::TestCase
+  def test_explicit_context_filter_index
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :index do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+
+    allowed_user = MockUser.new(:allowed_role)
+    request!(MockUser.new(:another_role), :index, reader)
+    assert !@controller.authorized?
+    request!(allowed_user, :index, reader)
+    assert @controller.authorized?
+  end
+
+  def test_explicit_context_filter_show_with_id
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :show do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :show, reader, :id => "2")
+    assert !@controller.authorized?
+    request!(allowed_user, :show, reader, :id => "1", :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+
+  def test_explicit_context_filter_new_with_params
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :allowed_role do
+          has_permission_on :basic_resources, :to => :new do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+
+    allowed_user = MockUser.new(:allowed_role)
+    request!(allowed_user, :new, reader, :basic_resource => {:id => "2"})
+    assert !@controller.authorized?
+    request!(allowed_user, :new, reader, :basic_resource => {:id => "1"},
+        :clear => [:@basic_resource])
+    assert @controller.authorized?
+  end
+end