stffn-declarative_authorization 0.3.0 → 0.3.1
Sign up to get free protection for your applications and to get access to all the features.
- data/CHANGELOG +9 -0
- data/README.rdoc +22 -6
- data/app/controllers/authorization_rules_controller.rb +135 -14
- data/app/helpers/authorization_rules_helper.rb +96 -13
- data/app/views/authorization_rules/_change.erb +49 -0
- data/app/views/authorization_rules/_show_graph.erb +37 -0
- data/app/views/authorization_rules/_suggestion.erb +9 -0
- data/app/views/authorization_rules/_suggestions.erb +24 -0
- data/app/views/authorization_rules/change.html.erb +124 -0
- data/app/views/authorization_rules/graph.dot.erb +23 -4
- data/app/views/authorization_rules/graph.html.erb +1 -0
- data/app/views/authorization_rules/index.html.erb +3 -2
- data/app/views/authorization_usages/index.html.erb +2 -11
- data/config/routes.rb +2 -1
- data/lib/declarative_authorization/authorization.rb +87 -35
- data/lib/declarative_authorization/development_support/analyzer.rb +252 -0
- data/lib/declarative_authorization/development_support/change_analyzer.rb +253 -0
- data/lib/declarative_authorization/development_support/change_supporter.rb +578 -0
- data/lib/declarative_authorization/development_support/development_support.rb +243 -0
- data/lib/declarative_authorization/helper.rb +6 -2
- data/lib/declarative_authorization/in_controller.rb +254 -26
- data/lib/declarative_authorization/in_model.rb +27 -2
- data/lib/declarative_authorization/maintenance.rb +22 -8
- data/lib/declarative_authorization/obligation_scope.rb +14 -9
- data/lib/declarative_authorization/reader.rb +10 -2
- data/test/authorization_test.rb +44 -0
- data/test/controller_filter_resource_access_test.rb +385 -0
- data/test/controller_test.rb +14 -6
- data/test/helper_test.rb +21 -0
- data/test/maintenance_test.rb +26 -0
- data/test/model_test.rb +28 -0
- data/test/test_helper.rb +14 -1
- metadata +15 -5
- data/lib/declarative_authorization/authorization_rules_analyzer.rb +0 -138
- data/test/authorization_rules_analyzer_test.rb +0 -123
@@ -5,6 +5,31 @@ require File.dirname(__FILE__) + '/obligation_scope.rb'
|
|
5
5
|
module Authorization
|
6
6
|
|
7
7
|
module AuthorizationInModel
|
8
|
+
|
9
|
+
# If the user meets the given privilege, permitted_to? returns true
|
10
|
+
# and yields to the optional block.
|
11
|
+
def permitted_to? (privilege, options = {} )
|
12
|
+
options = {
|
13
|
+
:user => Authorization.current_user,
|
14
|
+
:object => self
|
15
|
+
}.merge(options)
|
16
|
+
Authorization::Engine.instance.permit?(privilege,
|
17
|
+
{:user => options[:user],
|
18
|
+
:object => options[:object]},
|
19
|
+
&block)
|
20
|
+
end
|
21
|
+
|
22
|
+
# Works similar to the permitted_to? method, but doesn't accept a block
|
23
|
+
# and throws the authorization exceptions, just like Engine#permit!
|
24
|
+
def permitted_to! (privilege, options = {} )
|
25
|
+
options = {
|
26
|
+
:user => Authorization.current_user,
|
27
|
+
:object => self
|
28
|
+
}.merge(options)
|
29
|
+
Authorization::Engine.instance.permit!(privilege,
|
30
|
+
{:user => options[:user],
|
31
|
+
:object => options[:object]})
|
32
|
+
end
|
8
33
|
|
9
34
|
def self.included(base) # :nodoc:
|
10
35
|
#base.extend(ClassMethods)
|
@@ -17,7 +42,7 @@ module Authorization
|
|
17
42
|
|
18
43
|
user = options[:user] || Authorization.current_user
|
19
44
|
|
20
|
-
engine = Authorization::Engine.instance
|
45
|
+
engine = options[:engine] || Authorization::Engine.instance
|
21
46
|
engine.permit!(privileges, :user => user, :skip_attribute_test => true,
|
22
47
|
:context => context)
|
23
48
|
|
@@ -33,7 +58,7 @@ module Authorization
|
|
33
58
|
:model => self,
|
34
59
|
:engine => nil,
|
35
60
|
}.merge(options)
|
36
|
-
engine
|
61
|
+
engine = options[:engine] || Authorization::Engine.instance
|
37
62
|
|
38
63
|
scope = ObligationScope.new( options[:model], {} )
|
39
64
|
engine.obligations( privileges, :user => options[:user], :context => options[:context] ).each do |obligation|
|
@@ -22,10 +22,7 @@ module Authorization
|
|
22
22
|
# SomeModel.find(:first).save
|
23
23
|
# end
|
24
24
|
def without_access_control
|
25
|
-
|
26
|
-
yield
|
27
|
-
ensure
|
28
|
-
Authorization.ignore_access_control(false)
|
25
|
+
self.class.without_access_control
|
29
26
|
end
|
30
27
|
|
31
28
|
# A class method variant of without_access_control. Thus, one can call
|
@@ -33,10 +30,13 @@ module Authorization
|
|
33
30
|
# ...
|
34
31
|
# end
|
35
32
|
def self.without_access_control
|
36
|
-
Authorization.ignore_access_control
|
37
|
-
|
38
|
-
|
39
|
-
|
33
|
+
previous_state = Authorization.ignore_access_control
|
34
|
+
begin
|
35
|
+
Authorization.ignore_access_control(true)
|
36
|
+
yield
|
37
|
+
ensure
|
38
|
+
Authorization.ignore_access_control(previous_state)
|
39
|
+
end
|
40
40
|
end
|
41
41
|
|
42
42
|
# Sets the current user for the declarative authorization plugin to the
|
@@ -145,6 +145,20 @@ module Authorization
|
|
145
145
|
end
|
146
146
|
end
|
147
147
|
|
148
|
+
def should_be_allowed_to (privilege, object_or_context)
|
149
|
+
options = {}
|
150
|
+
options[object_or_context.is_a?(Symbol) ? :context : :object] = object_or_context
|
151
|
+
assert_nothing_raised do
|
152
|
+
Authorization::Engine.instance.permit!(privilege, options)
|
153
|
+
end
|
154
|
+
end
|
155
|
+
|
156
|
+
def should_not_be_allowed_to (privilege, object_or_context)
|
157
|
+
options = {}
|
158
|
+
options[object_or_context.is_a?(Symbol) ? :context : :object] = object_or_context
|
159
|
+
assert !Authorization::Engine.instance.permit?(privilege, options)
|
160
|
+
end
|
161
|
+
|
148
162
|
def request_with (user, method, xhr, action, params = {},
|
149
163
|
session = {}, flash = {})
|
150
164
|
session = session.merge({:user => user, :user_id => user.id})
|
@@ -208,15 +208,20 @@ module Authorization
|
|
208
208
|
end
|
209
209
|
bindvar = "#{attribute_table_alias}__#{attribute_name}_#{obligation_index}".to_sym
|
210
210
|
|
211
|
-
|
212
|
-
|
213
|
-
|
214
|
-
|
215
|
-
|
216
|
-
|
217
|
-
|
218
|
-
|
219
|
-
|
211
|
+
sql_attribute = "#{connection.quote_table_name(attribute_table_alias)}.#{connection.quote_table_name(attribute_name)}"
|
212
|
+
if value.nil? and [:is, :is_not].include?(operator)
|
213
|
+
obligation_conds << "#{sql_attribute} IS #{[:contains, :is].include?(operator) ? '' : 'NOT '}NULL"
|
214
|
+
else
|
215
|
+
attribute_operator = case operator
|
216
|
+
when :contains, :is then "= :#{bindvar}"
|
217
|
+
when :does_not_contain, :is_not then "<> :#{bindvar}"
|
218
|
+
when :is_in, :intersects_with then "IN (:#{bindvar})"
|
219
|
+
when :is_not_in then "NOT IN (:#{bindvar})"
|
220
|
+
else raise AuthorizationUsageError, "Unknown operator: #{operator}"
|
221
|
+
end
|
222
|
+
obligation_conds << "#{sql_attribute} #{attribute_operator}"
|
223
|
+
binds[bindvar] = attribute_value(value)
|
224
|
+
end
|
220
225
|
end
|
221
226
|
end
|
222
227
|
obligation_conds << "1=1" if obligation_conds.empty?
|
@@ -229,8 +229,10 @@ module Authorization
|
|
229
229
|
privs = options[:to]
|
230
230
|
privs = [privs] unless privs.is_a?(Array)
|
231
231
|
raise DSLError, "has_permission_on either needs a block or :to option" if !block_given? and privs.empty?
|
232
|
-
|
233
|
-
|
232
|
+
|
233
|
+
file, line = file_and_line_number_from_call_stack
|
234
|
+
rule = AuthorizationRule.new(@current_role, privs, context, options[:join_by],
|
235
|
+
:source_file => file, :source_line => line)
|
234
236
|
@auth_rules << rule
|
235
237
|
if block_given?
|
236
238
|
@current_rule = rule
|
@@ -425,6 +427,12 @@ module Authorization
|
|
425
427
|
end
|
426
428
|
hash.merge!(merge_hash)
|
427
429
|
end
|
430
|
+
|
431
|
+
def file_and_line_number_from_call_stack
|
432
|
+
caller_parts = caller(2).first.split(':')
|
433
|
+
[caller_parts[0] == "(eval)" ? nil : caller_parts[0],
|
434
|
+
caller_parts[1] && caller_parts[1].to_i]
|
435
|
+
end
|
428
436
|
end
|
429
437
|
end
|
430
438
|
end
|
data/test/authorization_test.rb
CHANGED
@@ -191,6 +191,28 @@ class AuthorizationTest < Test::Unit::TestCase
|
|
191
191
|
engine.obligations(:test, :context => :permission_children_children,
|
192
192
|
:user => MockUser.new(:test_role))
|
193
193
|
end
|
194
|
+
|
195
|
+
def test_obligations_with_permissions_and_anded_conditions
|
196
|
+
reader = Authorization::Reader::DSLReader.new
|
197
|
+
reader.parse %{
|
198
|
+
authorization do
|
199
|
+
role :test_role do
|
200
|
+
has_permission_on :permission_children, :to => :test, :join_by => :and do
|
201
|
+
if_permitted_to :test, :permission
|
202
|
+
if_attribute :test_attr => 1
|
203
|
+
end
|
204
|
+
has_permission_on :permissions, :to => :test do
|
205
|
+
if_attribute :test_attr => 1
|
206
|
+
end
|
207
|
+
end
|
208
|
+
end
|
209
|
+
}
|
210
|
+
engine = Authorization::Engine.new(reader)
|
211
|
+
|
212
|
+
assert_equal [{:test_attr => [:is, 1], :permission => {:test_attr => [:is, 1]}}],
|
213
|
+
engine.obligations(:test, :context => :permission_children,
|
214
|
+
:user => MockUser.new(:test_role))
|
215
|
+
end
|
194
216
|
|
195
217
|
def test_guest_user
|
196
218
|
reader = Authorization::Reader::DSLReader.new
|
@@ -776,4 +798,26 @@ class AuthorizationTest < Test::Unit::TestCase
|
|
776
798
|
assert engine.permit?(:test, :context => :permissions)
|
777
799
|
Authorization.current_user = nil
|
778
800
|
end
|
801
|
+
|
802
|
+
def test_clone
|
803
|
+
reader = Authorization::Reader::DSLReader.new
|
804
|
+
reader.parse %{
|
805
|
+
authorization do
|
806
|
+
role :test_role do
|
807
|
+
has_permission_on :permissions, :to => :test do
|
808
|
+
if_attribute :attr => { :sub_attr => is { user } }
|
809
|
+
if_permitted_to :read, :attr_2 => :attr_3
|
810
|
+
if_permitted_to :read, :attr_2
|
811
|
+
end
|
812
|
+
end
|
813
|
+
end
|
814
|
+
}
|
815
|
+
|
816
|
+
engine = Authorization::Engine.new(reader)
|
817
|
+
cloned_engine = engine.clone
|
818
|
+
assert_not_equal engine.auth_rules[0].contexts.object_id,
|
819
|
+
cloned_engine.auth_rules[0].contexts.object_id
|
820
|
+
assert_not_equal engine.auth_rules[0].attributes[0].send(:instance_variable_get, :@conditions_hash)[:attr].object_id,
|
821
|
+
cloned_engine.auth_rules[0].attributes[0].send(:instance_variable_get, :@conditions_hash)[:attr].object_id
|
822
|
+
end
|
779
823
|
end
|
@@ -0,0 +1,385 @@
|
|
1
|
+
require File.join(File.dirname(__FILE__), 'test_helper.rb')
|
2
|
+
|
3
|
+
class BasicResource < MockDataObject
|
4
|
+
end
|
5
|
+
class BasicResourcesController < MocksController
|
6
|
+
filter_resource_access
|
7
|
+
define_resource_actions
|
8
|
+
end
|
9
|
+
class BasicResourcesControllerTest < ActionController::TestCase
|
10
|
+
def test_basic_filter_index
|
11
|
+
reader = Authorization::Reader::DSLReader.new
|
12
|
+
reader.parse %{
|
13
|
+
authorization do
|
14
|
+
role :allowed_role do
|
15
|
+
has_permission_on :basic_resources, :to => :index do
|
16
|
+
if_attribute :id => is {"1"}
|
17
|
+
end
|
18
|
+
end
|
19
|
+
end
|
20
|
+
}
|
21
|
+
|
22
|
+
allowed_user = MockUser.new(:allowed_role)
|
23
|
+
request!(MockUser.new(:another_role), :index, reader)
|
24
|
+
assert !@controller.authorized?
|
25
|
+
request!(allowed_user, :index, reader)
|
26
|
+
assert @controller.authorized?
|
27
|
+
end
|
28
|
+
|
29
|
+
def test_basic_filter_show_with_id
|
30
|
+
reader = Authorization::Reader::DSLReader.new
|
31
|
+
reader.parse %{
|
32
|
+
authorization do
|
33
|
+
role :allowed_role do
|
34
|
+
has_permission_on :basic_resources, :to => :show do
|
35
|
+
if_attribute :id => is {"1"}
|
36
|
+
end
|
37
|
+
end
|
38
|
+
end
|
39
|
+
}
|
40
|
+
|
41
|
+
allowed_user = MockUser.new(:allowed_role)
|
42
|
+
request!(allowed_user, :show, reader, :id => "2")
|
43
|
+
assert !@controller.authorized?
|
44
|
+
request!(allowed_user, :show, reader, :id => "1", :clear => [:@basic_resource])
|
45
|
+
assert @controller.authorized?
|
46
|
+
end
|
47
|
+
|
48
|
+
def test_basic_filter_new_with_params
|
49
|
+
reader = Authorization::Reader::DSLReader.new
|
50
|
+
reader.parse %{
|
51
|
+
authorization do
|
52
|
+
role :allowed_role do
|
53
|
+
has_permission_on :basic_resources, :to => :new do
|
54
|
+
if_attribute :id => is {"1"}
|
55
|
+
end
|
56
|
+
end
|
57
|
+
end
|
58
|
+
}
|
59
|
+
|
60
|
+
allowed_user = MockUser.new(:allowed_role)
|
61
|
+
request!(allowed_user, :new, reader, :basic_resource => {:id => "2"})
|
62
|
+
assert !@controller.authorized?
|
63
|
+
request!(allowed_user, :new, reader, :basic_resource => {:id => "1"},
|
64
|
+
:clear => [:@basic_resource])
|
65
|
+
assert @controller.authorized?
|
66
|
+
end
|
67
|
+
end
|
68
|
+
|
69
|
+
|
70
|
+
class NestedResource < MockDataObject
|
71
|
+
def initialize (attributes = {})
|
72
|
+
if attributes[:id]
|
73
|
+
attributes[:parent_mock] ||= ParentMock.new(:id => attributes[:id])
|
74
|
+
end
|
75
|
+
super(attributes)
|
76
|
+
end
|
77
|
+
end
|
78
|
+
class ParentMock < MockDataObject
|
79
|
+
def nested_resources
|
80
|
+
Class.new do
|
81
|
+
def initialize (parent_mock)
|
82
|
+
@parent_mock = parent_mock
|
83
|
+
end
|
84
|
+
def new (attributes = {})
|
85
|
+
NestedResource.new(attributes.merge(:parent_mock => @parent_mock))
|
86
|
+
end
|
87
|
+
end.new(self)
|
88
|
+
end
|
89
|
+
|
90
|
+
def == (other)
|
91
|
+
id == other.id
|
92
|
+
end
|
93
|
+
end
|
94
|
+
class NestedResourcesController < MocksController
|
95
|
+
filter_resource_access :nested_in => :parent_mocks
|
96
|
+
define_resource_actions
|
97
|
+
end
|
98
|
+
class NestedResourcesControllerTest < ActionController::TestCase
|
99
|
+
def test_nested_filter_index
|
100
|
+
reader = Authorization::Reader::DSLReader.new
|
101
|
+
reader.parse %{
|
102
|
+
authorization do
|
103
|
+
role :allowed_role do
|
104
|
+
has_permission_on :nested_resources, :to => :index do
|
105
|
+
if_attribute :parent_mock => is {ParentMock.find("1")}
|
106
|
+
end
|
107
|
+
end
|
108
|
+
end
|
109
|
+
}
|
110
|
+
|
111
|
+
allowed_user = MockUser.new(:allowed_role)
|
112
|
+
request!(MockUser.new(:another_role), :index, reader, :parent_mock_id => "2")
|
113
|
+
assert !@controller.authorized?
|
114
|
+
request!(allowed_user, :index, reader, :parent_mock_id => "2",
|
115
|
+
:clear => [:@nested_resource, :@parent_mock])
|
116
|
+
assert !@controller.authorized?
|
117
|
+
request!(allowed_user, :index, reader, :parent_mock_id => "1",
|
118
|
+
:clear => [:@nested_resource, :@parent_mock])
|
119
|
+
assert @controller.authorized?
|
120
|
+
end
|
121
|
+
|
122
|
+
def test_nested_filter_show_with_id
|
123
|
+
reader = Authorization::Reader::DSLReader.new
|
124
|
+
reader.parse %{
|
125
|
+
authorization do
|
126
|
+
role :allowed_role do
|
127
|
+
has_permission_on :nested_resources, :to => :show do
|
128
|
+
if_attribute :parent_mock => is {ParentMock.find("1")}
|
129
|
+
end
|
130
|
+
end
|
131
|
+
end
|
132
|
+
}
|
133
|
+
|
134
|
+
allowed_user = MockUser.new(:allowed_role)
|
135
|
+
request!(allowed_user, :show, reader, :id => "2", :parent_mock_id => "2")
|
136
|
+
assert !@controller.authorized?
|
137
|
+
request!(allowed_user, :show, reader, :id => "1", :parent_mock_id => "1",
|
138
|
+
:clear => [:@nested_resource, :@parent_mock])
|
139
|
+
assert @controller.authorized?
|
140
|
+
end
|
141
|
+
|
142
|
+
def test_nested_filter_new_with_params
|
143
|
+
reader = Authorization::Reader::DSLReader.new
|
144
|
+
reader.parse %{
|
145
|
+
authorization do
|
146
|
+
role :allowed_role do
|
147
|
+
has_permission_on :nested_resources, :to => :new do
|
148
|
+
if_attribute :parent_mock => is {ParentMock.find("1")}
|
149
|
+
end
|
150
|
+
end
|
151
|
+
end
|
152
|
+
}
|
153
|
+
|
154
|
+
allowed_user = MockUser.new(:allowed_role)
|
155
|
+
request!(allowed_user, :new, reader, :parent_mock_id => "2",
|
156
|
+
:nested_resource => {:id => "2"})
|
157
|
+
assert !@controller.authorized?
|
158
|
+
request!(allowed_user, :new, reader, :parent_mock_id => "1",
|
159
|
+
:nested_resource => {:id => "1"},
|
160
|
+
:clear => [:@nested_resource, :@parent_mock])
|
161
|
+
assert @controller.authorized?
|
162
|
+
end
|
163
|
+
end
|
164
|
+
|
165
|
+
|
166
|
+
class CustomMembersCollectionsResourceController < MocksController
|
167
|
+
def self.controller_name
|
168
|
+
"basic_resources"
|
169
|
+
end
|
170
|
+
filter_resource_access :member => [[:other_show, :read]],
|
171
|
+
:collection => {:search => :read}, :new => [:other_new]
|
172
|
+
define_action_methods :other_new, :search, :other_show
|
173
|
+
end
|
174
|
+
class CustomMembersCollectionsResourceControllerTest < ActionController::TestCase
|
175
|
+
def test_custom_members_filter_search
|
176
|
+
reader = Authorization::Reader::DSLReader.new
|
177
|
+
reader.parse %{
|
178
|
+
authorization do
|
179
|
+
role :allowed_role do
|
180
|
+
has_permission_on :basic_resources, :to => :read do
|
181
|
+
if_attribute :id => is {"1"}
|
182
|
+
end
|
183
|
+
end
|
184
|
+
end
|
185
|
+
}
|
186
|
+
|
187
|
+
request!(MockUser.new(:another_role), :search, reader)
|
188
|
+
assert !@controller.authorized?
|
189
|
+
request!(MockUser.new(:allowed_role), :search, reader)
|
190
|
+
assert @controller.authorized?
|
191
|
+
end
|
192
|
+
|
193
|
+
def test_custom_members_filter_other_show
|
194
|
+
reader = Authorization::Reader::DSLReader.new
|
195
|
+
reader.parse %{
|
196
|
+
authorization do
|
197
|
+
role :allowed_role do
|
198
|
+
has_permission_on :basic_resources, :to => :read do
|
199
|
+
if_attribute :id => is {"1"}
|
200
|
+
end
|
201
|
+
end
|
202
|
+
end
|
203
|
+
}
|
204
|
+
|
205
|
+
allowed_user = MockUser.new(:allowed_role)
|
206
|
+
request!(allowed_user, :other_show, reader, :id => "2")
|
207
|
+
assert !@controller.authorized?
|
208
|
+
request!(allowed_user, :other_show, reader, :id => "1", :clear => [:@basic_resource])
|
209
|
+
assert @controller.authorized?
|
210
|
+
end
|
211
|
+
|
212
|
+
def test_custom_members_filter_other_new
|
213
|
+
reader = Authorization::Reader::DSLReader.new
|
214
|
+
reader.parse %{
|
215
|
+
authorization do
|
216
|
+
role :allowed_role do
|
217
|
+
has_permission_on :basic_resources, :to => :other_new do
|
218
|
+
if_attribute :id => is {"1"}
|
219
|
+
end
|
220
|
+
end
|
221
|
+
end
|
222
|
+
}
|
223
|
+
|
224
|
+
allowed_user = MockUser.new(:allowed_role)
|
225
|
+
request!(allowed_user, :other_new, reader, :basic_resource => {:id => "2"})
|
226
|
+
assert !@controller.authorized?
|
227
|
+
request!(allowed_user, :other_new, reader, :basic_resource => {:id => "1"},
|
228
|
+
:clear => [:@basic_resource])
|
229
|
+
assert @controller.authorized?
|
230
|
+
end
|
231
|
+
end
|
232
|
+
|
233
|
+
|
234
|
+
class AdditionalMembersCollectionsResourceController < MocksController
|
235
|
+
def self.controller_name
|
236
|
+
"basic_resources"
|
237
|
+
end
|
238
|
+
filter_resource_access :additional_member => :other_show,
|
239
|
+
:additional_collection => [:search], :additional_new => {:other_new => :new}
|
240
|
+
define_resource_actions
|
241
|
+
define_action_methods :other_new, :search, :other_show
|
242
|
+
end
|
243
|
+
class AdditionalMembersCollectionsResourceControllerTest < ActionController::TestCase
|
244
|
+
def test_additional_members_filter_search_index
|
245
|
+
reader = Authorization::Reader::DSLReader.new
|
246
|
+
reader.parse %{
|
247
|
+
authorization do
|
248
|
+
role :allowed_role do
|
249
|
+
has_permission_on :basic_resources, :to => [:search, :index] do
|
250
|
+
if_attribute :id => is {"1"}
|
251
|
+
end
|
252
|
+
end
|
253
|
+
end
|
254
|
+
}
|
255
|
+
|
256
|
+
request!(MockUser.new(:another_role), :search, reader)
|
257
|
+
assert !@controller.authorized?
|
258
|
+
request!(MockUser.new(:another_role), :index, reader)
|
259
|
+
assert !@controller.authorized?
|
260
|
+
request!(MockUser.new(:allowed_role), :search, reader)
|
261
|
+
assert @controller.authorized?
|
262
|
+
request!(MockUser.new(:allowed_role), :index, reader)
|
263
|
+
assert @controller.authorized?
|
264
|
+
end
|
265
|
+
|
266
|
+
def test_additional_members_filter_other_show
|
267
|
+
reader = Authorization::Reader::DSLReader.new
|
268
|
+
reader.parse %{
|
269
|
+
authorization do
|
270
|
+
role :allowed_role do
|
271
|
+
has_permission_on :basic_resources, :to => [:show, :other_show] do
|
272
|
+
if_attribute :id => is {"1"}
|
273
|
+
end
|
274
|
+
end
|
275
|
+
end
|
276
|
+
}
|
277
|
+
|
278
|
+
allowed_user = MockUser.new(:allowed_role)
|
279
|
+
request!(allowed_user, :other_show, reader, :id => "2")
|
280
|
+
assert !@controller.authorized?
|
281
|
+
request!(allowed_user, :show, reader, :id => "2", :clear => [:@basic_resource])
|
282
|
+
assert !@controller.authorized?
|
283
|
+
request!(allowed_user, :other_show, reader, :id => "1", :clear => [:@basic_resource])
|
284
|
+
assert @controller.authorized?
|
285
|
+
request!(allowed_user, :show, reader, :id => "1", :clear => [:@basic_resource])
|
286
|
+
assert @controller.authorized?
|
287
|
+
end
|
288
|
+
|
289
|
+
def test_additional_members_filter_other_new
|
290
|
+
reader = Authorization::Reader::DSLReader.new
|
291
|
+
reader.parse %{
|
292
|
+
authorization do
|
293
|
+
role :allowed_role do
|
294
|
+
has_permission_on :basic_resources, :to => :new do
|
295
|
+
if_attribute :id => is {"1"}
|
296
|
+
end
|
297
|
+
end
|
298
|
+
end
|
299
|
+
}
|
300
|
+
|
301
|
+
allowed_user = MockUser.new(:allowed_role)
|
302
|
+
request!(allowed_user, :other_new, reader, :basic_resource => {:id => "2"})
|
303
|
+
assert !@controller.authorized?
|
304
|
+
request!(allowed_user, :new, reader, :basic_resource => {:id => "2"},
|
305
|
+
:clear => [:@basic_resource])
|
306
|
+
assert !@controller.authorized?
|
307
|
+
|
308
|
+
request!(allowed_user, :other_new, reader, :basic_resource => {:id => "1"},
|
309
|
+
:clear => [:@basic_resource])
|
310
|
+
assert @controller.authorized?
|
311
|
+
request!(allowed_user, :new, reader, :basic_resource => {:id => "1"},
|
312
|
+
:clear => [:@basic_resource])
|
313
|
+
assert @controller.authorized?
|
314
|
+
end
|
315
|
+
end
|
316
|
+
|
317
|
+
|
318
|
+
class CustomMethodsResourceController < MocksController
|
319
|
+
# not implemented yet
|
320
|
+
end
|
321
|
+
|
322
|
+
|
323
|
+
class ExplicitContextResourceController < MocksController
|
324
|
+
filter_resource_access :context => :basic_resources
|
325
|
+
define_resource_actions
|
326
|
+
end
|
327
|
+
class ExplicitContextResourceControllerTest < ActionController::TestCase
|
328
|
+
def test_explicit_context_filter_index
|
329
|
+
reader = Authorization::Reader::DSLReader.new
|
330
|
+
reader.parse %{
|
331
|
+
authorization do
|
332
|
+
role :allowed_role do
|
333
|
+
has_permission_on :basic_resources, :to => :index do
|
334
|
+
if_attribute :id => is {"1"}
|
335
|
+
end
|
336
|
+
end
|
337
|
+
end
|
338
|
+
}
|
339
|
+
|
340
|
+
allowed_user = MockUser.new(:allowed_role)
|
341
|
+
request!(MockUser.new(:another_role), :index, reader)
|
342
|
+
assert !@controller.authorized?
|
343
|
+
request!(allowed_user, :index, reader)
|
344
|
+
assert @controller.authorized?
|
345
|
+
end
|
346
|
+
|
347
|
+
def test_explicit_context_filter_show_with_id
|
348
|
+
reader = Authorization::Reader::DSLReader.new
|
349
|
+
reader.parse %{
|
350
|
+
authorization do
|
351
|
+
role :allowed_role do
|
352
|
+
has_permission_on :basic_resources, :to => :show do
|
353
|
+
if_attribute :id => is {"1"}
|
354
|
+
end
|
355
|
+
end
|
356
|
+
end
|
357
|
+
}
|
358
|
+
|
359
|
+
allowed_user = MockUser.new(:allowed_role)
|
360
|
+
request!(allowed_user, :show, reader, :id => "2")
|
361
|
+
assert !@controller.authorized?
|
362
|
+
request!(allowed_user, :show, reader, :id => "1", :clear => [:@basic_resource])
|
363
|
+
assert @controller.authorized?
|
364
|
+
end
|
365
|
+
|
366
|
+
def test_explicit_context_filter_new_with_params
|
367
|
+
reader = Authorization::Reader::DSLReader.new
|
368
|
+
reader.parse %{
|
369
|
+
authorization do
|
370
|
+
role :allowed_role do
|
371
|
+
has_permission_on :basic_resources, :to => :new do
|
372
|
+
if_attribute :id => is {"1"}
|
373
|
+
end
|
374
|
+
end
|
375
|
+
end
|
376
|
+
}
|
377
|
+
|
378
|
+
allowed_user = MockUser.new(:allowed_role)
|
379
|
+
request!(allowed_user, :new, reader, :basic_resource => {:id => "2"})
|
380
|
+
assert !@controller.authorized?
|
381
|
+
request!(allowed_user, :new, reader, :basic_resource => {:id => "1"},
|
382
|
+
:clear => [:@basic_resource])
|
383
|
+
assert @controller.authorized?
|
384
|
+
end
|
385
|
+
end
|