stffn-declarative_authorization 0.3.0 → 0.3.1

data/test/controller_test.rb

@@ -2,12 +2,8 @@ require File.join(File.dirname(__FILE__), 'test_helper.rb')
 
 
 class LoadMockObject < MockDataObject
-  def self.find(*args)
-    new :id => args[0]
-  end
 end
 
-
 ##################
 class SpecificMocksController < MocksController
   filter_access_to :test_action, :require => :test, :context => :permissions
@@ -26,7 +22,6 @@ end
 class BasicControllerTest < ActionController::TestCase
   tests SpecificMocksController
   
-  
   def test_filter_access_to_receiving_an_explicit_array
     reader = Authorization::Reader::DSLReader.new
 
@@ -153,6 +148,20 @@ class BasicControllerTest < ActionController::TestCase
       @controller.send(:instance_variable_get, :"@load_mock_object")
     assert @controller.authorized?
   end
+
+  def test_permitted_to_without_context
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :specific_mocks, :to => :test
+        end
+      end
+    }
+    @controller.current_user = MockUser.new(:test_role)
+    @controller.authorization_engine = Authorization::Engine.new(reader)
+    assert @controller.permitted_to?(:test)
+  end
 end
 
 
@@ -358,4 +367,3 @@ class HierachicalControllerTest < ActionController::TestCase
     assert !@controller.authorized?
   end
 end
-

data/test/helper_test.rb

@@ -63,6 +63,27 @@ class HelperTest < ActionController::TestCase
     assert permitted_to?(:show, :mocks)
     assert !permitted_to?(:show, mock_2)
   end
+
+  def test_permit_with_object_and_context
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :other_mocks do
+            to :show
+            if_attribute :test_attr => is {user.test_attr}
+          end
+        end
+      end
+    }
+    user = MockUser.new(:test_role, :test_attr => 1)
+    mock = MockDataObject.new(:test_attr => 1)
+    mock_2 = MockDataObject.new(:test_attr => 2)
+    request!(user, :action, reader)
+
+    assert permitted_to?(:show, mock, :context => :other_mocks)
+    assert !permitted_to?(:show, mock_2, :context => :other_mocks)
+  end
   
   def test_has_role
     reader = Authorization::Reader::DSLReader.new

data/test/maintenance_test.rb

@@ -12,4 +12,30 @@ class MaintenanceTest < Test::Unit::TestCase
               include?(usage_test_controller)
   end
 
+  def test_without_access_control
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert !engine.permit?(:test_2, :context => :permissions,
+        :user => MockUser.new(:test_role))
+    Authorization::Maintenance::without_access_control do
+      assert engine.permit?(:test_2, :context => :permissions,
+          :user => MockUser.new(:test_role))
+    end
+    Authorization::Maintenance::without_access_control do
+      Authorization::Maintenance::without_access_control do
+        assert engine.permit?(:test_2, :context => :permissions,
+            :user => MockUser.new(:test_role))
+      end
+      assert engine.permit?(:test_2, :context => :permissions,
+          :user => MockUser.new(:test_role))
+    end
+  end
+
 end

data/test/model_test.rb

@@ -168,6 +168,34 @@ class ModelTest < Test::Unit::TestCase
     TestModel.delete_all
   end
 
+  def test_named_scope_with_is_nil
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :content => nil
+          end
+        end
+        role :test_role_not_nil do
+          has_permission_on :test_models, :to => :read do
+            if_attribute :content => is_not { nil }
+          end
+        end
+      end
+    }
+    Authorization::Engine.instance(reader)
+
+    test_model_1 = TestModel.create!
+    test_model_2 = TestModel.create! :content => "Content"
+
+    assert_equal test_model_1, TestModel.with_permissions_to(:read,
+      :context => :test_models, :user => MockUser.new(:test_role)).first
+    assert_equal test_model_2, TestModel.with_permissions_to(:read,
+      :context => :test_models, :user => MockUser.new(:test_role_not_nil)).first
+    TestModel.delete_all
+  end
+
   def test_named_scope_with_not_is
     reader = Authorization::Reader::DSLReader.new
     reader.parse %{

data/test/test_helper.rb

@@ -41,12 +41,21 @@ class MockDataObject
   def self.table_name
     "mocks"
   end
+  
+  def self.find(*args)
+    raise "Couldn't find #{self.name} with id #{args[0].inspect}" unless args[0]
+    new :id => args[0]
+  end
 end
 
 class MockUser < MockDataObject
   def initialize (*roles)
     options = roles.last.is_a?(::Hash) ? roles.pop : {}
-    super(options.merge(:role_symbols => roles))
+    super(options.merge(:role_symbols => roles, :login => hash))
+  end
+
+  def initialize_copy (other)
+    @role_symbols = @role_symbols.clone
   end
 end
 
@@ -66,6 +75,10 @@ class MocksController < ActionController::Base
       end
     end
   end
+
+  def self.define_resource_actions
+    define_action_methods :index, :show, :edit, :update, :new, :create, :destroy
+  end
   
   def logger (*args)
     Class.new do 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: stffn-declarative_authorization
 version: !ruby/object:Gem::Version 
-  version: 0.3.0
+  version: 0.3.1
 platform: ruby
 authors: 
 - Steffen Bartsch
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2009-04-08 00:00:00 -07:00
+date: 2009-05-16 00:00:00 -07:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -43,8 +43,13 @@ files:
 - app/helpers/authorization_rules_helper.rb
 - app/views/authorization_usages/index.html.erb
 - app/views/authorization_rules/index.html.erb
+- app/views/authorization_rules/_show_graph.erb
+- app/views/authorization_rules/_change.erb
+- app/views/authorization_rules/_suggestions.erb
 - app/views/authorization_rules/graph.dot.erb
+- app/views/authorization_rules/change.html.erb
 - app/views/authorization_rules/graph.html.erb
+- app/views/authorization_rules/_suggestion.erb
 - config/routes.rb
 - lib/declarative_authorization.rb
 - lib/declarative_authorization/in_controller.rb
@@ -53,7 +58,10 @@ files:
 - lib/declarative_authorization/obligation_scope.rb
 - lib/declarative_authorization/in_model.rb
 - lib/declarative_authorization/helper.rb
-- lib/declarative_authorization/authorization_rules_analyzer.rb
+- lib/declarative_authorization/development_support/analyzer.rb
+- lib/declarative_authorization/development_support/change_analyzer.rb
+- lib/declarative_authorization/development_support/change_supporter.rb
+- lib/declarative_authorization/development_support/development_support.rb
 - lib/declarative_authorization/authorization.rb
 - lib/declarative_authorization/maintenance.rb
 - test/authorization_test.rb
@@ -61,12 +69,14 @@ files:
 - test/maintenance_test.rb
 - test/model_test.rb
 - test/controller_test.rb
+- test/development_support
 - test/helper_test.rb
 - test/dsl_reader_test.rb
+- test/controller_filter_resource_access_test.rb
 - test/test_helper.rb
-- test/authorization_rules_analyzer_test.rb
 has_rdoc: true
 homepage: http://github.com/stffn/declarative_authorization
+licenses: 
 post_install_message: 
 rdoc_options: []
 
@@ -87,7 +97,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.2.0
+rubygems_version: 1.3.5
 signing_key: 
 specification_version: 2
 summary: declarative_authorization is a Rails plugin for authorization based on readable authorization rules.

data/lib/declarative_authorization/authorization_rules_analyzer.rb

@@ -1,138 +0,0 @@
-begin
-  require "ruby_parser"
-  #require "parse_tree"
-  #require "parse_tree_extensions"
-  require "sexp_processor"
-rescue LoadError
-  raise "Authorization::Analyzer requires ruby_parser gem"
-end
-
-module Authorization
-
-  class Analyzer
-    attr_reader :engine
-
-    def initialize (engine)
-      @engine = engine
-    end
-
-    def analyze (rules)
-      sexp_array = RubyParser.new.parse(rules)
-      #sexp_array = ParseTree.translate(rules)
-      @reports = []
-      [MergeableRulesProcessor].each do |parser|
-        parser.new(self).analyze(sexp_array)
-      end
-      #p @reports
-    end
-
-    def reports
-      @reports or raise "No rules analyzed!"
-    end
-
-    class GeneralAuthorizationProcessor < SexpProcessor
-      def initialize(analyzer)
-        super()
-        self.auto_shift_type = true
-        self.require_empty = false
-        self.strict = false
-        @analyzer = analyzer
-      end
-
-      def analyze (sexp_array)
-        process(sexp_array)
-        analyze_rules
-      end
-
-      def analyze_rules
-        # to be implemented by specific processor
-      end
-
-      def process_iter (exp)
-        s(:iter, process(exp.shift), process(exp.shift), process(exp.shift))
-      end
-
-      def process_arglist (exp)
-        s(exp.collect {|inner_exp| process(inner_exp).shift})
-      end
-
-      def process_hash (exp)
-        s(Hash[*exp.collect {|inner_exp| process(inner_exp).shift}])
-      end
-
-      def process_lit (exp)
-        s(exp.shift)
-      end
-    end
-
-    class MergeableRulesProcessor < GeneralAuthorizationProcessor
-      def analyze_rules
-        if @has_permission
-          #p @has_permission
-          permissions_by_context_and_rules = @has_permission.inject({}) do |memo, permission|
-            key = [permission[:context], permission[:rules]]
-            memo[key] ||= []
-            memo[key] << permission
-            memo
-          end
-
-          permissions_by_context_and_rules.each do |key, rules|
-            if rules.length > 1
-              rule_lines = rules.collect {|rule| rule[:line] }
-              rules.each do |rule|
-                @analyzer.reports << Report.new(:mergeable_rules, "", rule[:line],
-                  "Similar rules already in line(s) " +
-                      rule_lines.reject {|l| l == rule[:line] } * ", ")
-              end
-            end
-          end
-        end
-      end
-
-      def process_call (exp)
-        klass = exp.shift
-        name = exp.shift
-        case name
-        when :role
-          analyze_rules
-          @has_permission = []
-          s(:call, klass, name)
-        when :has_permission_on
-          arglist_line = exp[0].line
-          arglist = process(exp.shift).shift
-          context = arglist.shift
-          args_hash = arglist.shift
-          @has_permission << {
-            :context => context,
-            :rules => [],
-            :privilege => args_hash && args_hash[:to],
-            # a hack: call exp line seems to be wrong
-            :line => arglist_line
-          }
-          s(:call, klass, name)
-        when :to
-          @has_permission.last[:privilege] = process(exp.shift).shift if @has_permission
-          s(:call, klass, name)
-        when :if_attribute
-          @in_if_attribute = true
-          rules = process(exp.shift).shift
-          @has_permission.last[:rules] << rules if @has_permission
-          @in_if_attribute = false
-          s(:call, klass, name)
-        else
-          s(:call, klass, name, process(exp.shift))
-        end
-      end
-    end
-
-    class Report
-      attr_reader :type, :filename, :line, :message
-      def initialize (type, filename, line, msg)
-        @type = type
-        @filename = filename
-        @line = line
-        @message = msg
-      end
-    end
-  end
-end

data/test/authorization_rules_analyzer_test.rb

@@ -1,123 +0,0 @@
-require File.join(File.dirname(__FILE__), 'test_helper.rb')
-require File.join(File.dirname(__FILE__), %w{.. lib declarative_authorization authorization_rules_analyzer})
-
-class AuthorizationRulesAnalyzerTest < Test::Unit::TestCase
-
-  def test_analyzing_complex_rules
-    assert_nothing_raised do
-      engine, analyzer = engine_analyzer_for %{
-        authorization do
-          role :guest do
-            has_permission_on :conferences, :to => :read do
-              if_attribute :published => true
-            end
-            has_permission_on :talks, :to => :read do
-              if_permitted_to :read, :conference
-            end
-            has_permission_on :users, :to => :create
-            has_permission_on :authorization_rules, :to => :read
-            has_permission_on :authorization_usages, :to => :read
-          end
-
-          role :user do
-            includes :guest
-            has_permission_on :conference_attendees, :to => :create do
-              if_attribute :user => is {user},
-                :conference => { :published => true }
-            end
-            has_permission_on :conference_attendees, :to => :delete do
-              if_attribute :user => is {user},
-                :conference => { :attendees => contains {user} }
-            end
-            has_permission_on :talk_attendees, :to => :create do
-              if_attribute :talk => { :conference => { :attendees => contains {user} }}
-            end
-            has_permission_on :talk_attendees, :to => :delete do
-              if_attribute :user => is {user}
-            end
-          end
-
-          role :conference_organizer do
-            has_permission_on :conferences do
-              to :manage
-              # if...
-            end
-            has_permission_on [:conference_attendees, :talks, :talk_attendees], :to => :manage
-          end
-
-          role :admin do
-            has_permission_on [:conferences, :users, :talks], :to => :manage
-            has_permission_on :authorization_rules, :to => :read
-            has_permission_on :authorization_usages, :to => :read
-          end
-        end
-
-        privileges do
-          privilege :manage, :includes => [:create, :read, :update, :delete]
-          privilege :read, :includes => [:index, :show]
-          privilege :create, :includes => :new
-          privilege :update, :includes => :edit
-          privilege :delete, :includes => :destroy
-        end
-      }
-    end
-  end
-
-  def test_mergeable_rules_without_constraints
-    engine, analyzer = engine_analyzer_for %{
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test
-          has_permission_on :permissions, :to => :test2
-        end
-      end
-    }
-
-    report = analyzer.reports.find {|report| report.type == :mergeable_rules}
-    assert report
-    assert_equal 4, report.line
-  end
-
-  def test_mergeable_rules_with_in_block_to
-    assert_nothing_raised do
-      engine, analyzer = engine_analyzer_for %{
-        authorization do
-          role :test_role do
-            has_permission_on :permissions do
-              to :test
-            end
-          end
-        end
-      }
-    end
-  end
-
-  def test_no_mergeable_rules_with_constraints
-    engine, analyzer = engine_analyzer_for %{
-      authorization do
-        role :test_role do
-          has_permission_on :permissions, :to => :test do
-            if_attribute :some_attr => is {bla}
-          end
-          has_permission_on :permissions, :to => :test2 do
-            if_attribute :some_attr_2 => is {bla}
-          end
-        end
-      end
-    }
-
-    assert !analyzer.reports.find {|report| report.type == :mergeable_rules}
-  end
-
-  protected
-  def engine_analyzer_for (rules)
-    reader = Authorization::Reader::DSLReader.new
-    reader.parse rules
-    engine = Authorization::Engine.new(reader)
-
-    analyzer = Authorization::Analyzer.new(engine)
-    analyzer.analyze rules
-
-    [engine, analyzer]
-  end
-end