strongbolt 0.3.6

data/lib/generators/strongbolt/templates/migration.rb

@@ -0,0 +1,73 @@
+class CreateStrongboltTables < ActiveRecord::Migration
+  def change
+    create_table :strongbolt_capabilities, :force => true do |t|
+      t.string   :name
+      t.string   :description
+      t.string   :model
+      t.string   :action
+      t.string   :attr
+      t.boolean  :require_ownership, :default => false, :null => false
+      t.boolean  :require_tenant_access, :default => true, :null => false
+
+      t.timestamps
+    end
+
+    create_table :strongbolt_roles, :force => true do |t|
+      t.string   :name
+      t.integer  :parent_id
+      t.integer  :lft
+      t.integer  :rgt
+      t.string   :description
+
+      t.timestamps
+    end
+
+    create_table :strongbolt_user_groups, :force => true do |t|
+      t.string :name
+      t.text :description
+
+      t.timestamps
+    end
+
+    create_table :strongbolt_user_groups_users, :force => true do |t|
+      t.integer :user_group_id
+      t.integer :user_id
+    end
+
+    create_table :strongbolt_roles_user_groups, :force => true do |t|
+      t.integer :user_group_id
+      t.integer :role_id
+    end
+
+    create_table :strongbolt_capabilities_roles, :force => true do |t|
+      t.integer  :role_id
+      t.integer  :capability_id
+    end
+
+    create_table :strongbolt_users_tenants, :force => true do |t|
+      t.integer  :user_id
+      t.integer  :tenant_id
+      t.string   :type
+    end
+
+    # Indexes
+    add_index :strongbolt_roles, :parent_id
+    add_index :strongbolt_roles, :lft
+    add_index :strongbolt_roles, :rgt
+
+    add_index :strongbolt_user_groups_users, :user_group_id
+    add_index :strongbolt_user_groups_users, :user_id
+
+    add_index :strongbolt_roles_user_groups, :user_group_id
+    add_index :strongbolt_roles_user_groups, :role_id
+
+    add_index :strongbolt_capabilities_roles, :role_id
+    add_index :strongbolt_capabilities_roles, :capability_id
+
+    add_index :strongbolt_users_tenants, :user_id
+    add_index :strongbolt_users_tenants, :tenant_id
+    add_index :strongbolt_users_tenants, :type
+    add_index :strongbolt_users_tenants, [:tenant_id, :type]
+  end
+end
+

data/lib/generators/strongbolt/templates/strongbolt.rb

@@ -0,0 +1,45 @@
+Strongbolt.setup do |config|
+  # Configure here the logger used by Strongbolt
+  config.logger = Rails.logger
+
+  #
+  # Set here the class name of your user class, if different than "User"
+  #
+  # config.user_class = "User"
+
+  #
+  # You can use this block to perform specific actions when a user is denied the access somewhere
+  #
+  # config.access_denied do |user, instance, action, request|
+  #   Rails.logger.warn "User #{user.try :id} was refused to perform #{action} on #{instance.try :inspect} with request #{request}"
+  # end
+
+  #
+  # Specify here the list of tenants used by your application
+  #
+  # config.tenants = "Client", "Region"
+
+  #
+  # You can specify here some controllers where you don't want to perform any controller authorization check up
+  # It can be useful for instance with devise controllers, to avoid subclassing them.
+  # Write the controller names the same way you would with routes
+  #
+  # config.skip_controller_authorization_for "devise/confirmation"
+
+  #
+  # List here the set of default permissions granted to every user
+  # You will usually let every user access its own information for instance
+  #
+  config.default_capabilities = [
+    {:model => "User", :require_ownership => true, :require_tenant_access => false, :actions => [:find]}
+  ]
+
+  #
+  # If given a tenant, Strongbolt will try to detect all the models within your application.
+  # However, if some models don't have any direct or indirect dependencies on one of your tenant,
+  # Strongbolt won't find it.
+  #
+  # You can list here all the models of your application that doesn't indirectly belong to a tenant.
+  #
+  config.models = %MODELS%
+end

data/lib/generators/strongbolt/views_generator.rb

@@ -0,0 +1,26 @@
+require 'rails/generators/base'
+
+module Strongbolt
+  module Generators
+    class ViewsGenerator < Rails::Generators::Base
+      desc "Copies Strongbolt views to your application."
+
+      argument :scope, required: false, default: nil,
+                       desc: "The scope to copy views to"
+
+      public_task :copy_views
+
+      source_root File.expand_path("../../../../app/views", __FILE__)
+
+      def copy_views
+        directory :strongbolt, target_path
+      end
+
+      protected
+
+      def target_path
+        @target_path ||= "app/views/#{scope || :strongbolt}"
+      end
+    end
+  end
+end

data/lib/strongbolt.rb

@@ -0,0 +1,219 @@
+require "active_record"
+require "awesome_nested_set"
+
+require "grant/grantable"
+require "grant/status"
+require 'grant/user'
+
+require "strongbolt/version"
+require "strongbolt/errors"
+require "strongbolt/configuration"
+require "strongbolt/tenantable"
+require "strongbolt/bolted"
+require "strongbolt/bolted_controller"
+require "strongbolt/user_abilities"
+require "strongbolt/base"
+require "strongbolt/capability"
+require "strongbolt/user_groups_user"
+require "strongbolt/roles_user_group"
+require "strongbolt/capabilities_role"
+require "strongbolt/role"
+require "strongbolt/user_group"
+require "strongbolt/users_tenant"
+
+#
+# Raise an error if version of AR not compatible (4.1.0 and 4.1.1)
+#
+ar_version = ActiveRecord.version.version
+if ar_version >= "4.1.0" && ar_version <= "4.1.1"
+  raise StandardError, "You cannot use Strongbolt with ActiveRecord versions 4.1.0 and 4.1.1. Please upgrade to >= 4.1.2"
+end
+
+#
+# Includes every module needed (including Grant)
+#
+ActiveRecord::Base.send :include, Strongbolt::Bolted
+
+#
+# Default behavior, when method current_user defined on controller
+#
+if defined?(ActionController) and defined?(ActionController::Base)
+
+  ActionController::Base.send :include, Strongbolt::BoltedController
+
+end
+
+#
+# Setup controllers, views, helpers and session related configuration
+#
+require 'strongbolt/engine' if defined?(Rails::Engine)
+
+
+#
+# Main module
+#
+module Strongbolt
+  extend Forwardable
+
+  def self.table_name_prefix
+    'strongbolt_'
+  end
+  
+  # Delegates to the configuration the access denied
+  def_delegators Configuration, :access_denied, :logger, :tenants, :user_class, :user_class_constant,
+    :default_capabilities
+  module_function :access_denied, :logger, :tenants, :user_class, :user_class_constant,
+    :default_capabilities
+
+  # Delegates switching thread behavior
+  def_delegators Grant::Status, :switch_to_multithread,
+    :switch_to_monothread
+  module_function :switch_to_multithread, :switch_to_monothread
+
+  #
+  # Tje parent controller to all strongbolt controllers
+  #
+  mattr_accessor :parent_controller
+  @@parent_controller = "ApplicationController"
+
+  #
+  # Current User
+  #
+  def self.current_user
+    Grant::User.current_user
+  end
+
+  # We keep an hash so we don't have each time to test
+  # if the module is included in the list
+  def self.current_user= user
+    # If user is an instance of something and different from what we have
+    if user.present?
+      # Raise error if wrong user class
+      unless valid_user? user
+        raise Strongbolt::WrongUserClass
+      end
+
+      # If the user class doesn't have included the module yet
+      unless user.class.included_modules.include? Strongbolt::UserAbilities
+        user.class.send :include, Strongbolt::UserAbilities
+      end
+    end
+
+    # Then we call the original grant method
+    Grant::User.current_user = user unless Grant::User.current_user == user
+  end
+
+  #
+  # Ensures the user instance given is a valid user for that configuration
+  # It checks whether the class or the base_class (in case of STI) of the instance class
+  # has been configured as the user model
+  #
+  def self.valid_user? user
+    user.class.name == Strongbolt::Configuration.user_class ||
+      user.class.base_class.name == Strongbolt::Configuration.user_class
+  end
+
+  #
+  # Setting up Strongbolt
+  #
+  def self.setup &block
+    # Configuration by user
+    block.call Configuration
+
+    # Include the User::Abilities
+    begin
+      user_class = Configuration.user_class
+      user_class = user_class.constantize if user_class.is_a? String
+      user_class.send(:include, Strongbolt::UserAbilities) unless user_class.included_modules.include?(Strongbolt::UserAbilities)
+    rescue NameError
+      logger.warn "User class #{Configuration.user_class} wasn't found"
+    end
+  rescue => e
+    error = <<-CONTENT
+[ERROR] Strongbolt could not initialized successfully.
+  This can happen when running migrations, and in this situation, you can ignore this message.
+  If it happens in test, make sure you've run `rake db:test:prepare` so that test database is ready.
+  Otherwise, please review the error below to check what happened:
+
+Error message:
+  #{e.message}
+
+  #{e.backtrace.join("\n")}
+    CONTENT
+    logger.fatal error
+    # Display in the console when error test env
+    puts error if defined?(Rails) && Rails.env.test?
+    # If not being done in a rake task, this should propagate the error
+    raise e unless $0 =~ /rake$/ # && ARGV.join(" ").include?("db:")
+  end
+
+  #
+  # Perform the block without grant
+  #
+  def self.without_authorization &block
+    Grant::Status.without_grant &block
+  end
+
+  #
+  # Perform the block with grant
+  #
+  def self.with_authorization &block
+    Grant::Status.with_grant &block
+  end
+
+  #
+  # Disable authorization checking
+  #
+  def self.disable_authorization
+    Grant::Status.disable_grant
+  end
+
+  def self.enable_authorization
+    Grant::Status.enable_grant
+  end
+
+  def self.enabled?
+    Grant::Status.grant_enabled?
+  end
+  def self.disabled?
+    ! enabled?
+  end
+
+  # Include helpers in the given scope to AC and AV.
+  def self.include_helpers(scope)
+    ActiveSupport.on_load(:action_controller) do
+      include scope::UrlHelpers
+    end
+
+    ActiveSupport.on_load(:action_view) do
+      include scope::UrlHelpers
+    end
+  end
+
+  # Not to use directly
+  def self.tenants= tenants
+    @@tenants = tenants
+  end
+end
+
+#
+# We add a method to any object to quickly tell which method
+# should not have any authorization check perform 
+#
+class Object
+  def self.perform_without_authorization *method_names
+    method_names.each {|name| setup_without_authorization name}
+  end
+
+  private
+
+  def self.setup_without_authorization method_name
+    aliased_name = "_with_autorization_#{method_name}"
+    alias_method aliased_name, method_name
+    define_method method_name do |*args, &block|
+      Strongbolt.without_authorization do
+        send aliased_name, *args, &block
+      end
+    end
+  end
+end

data/lib/strongbolt/base.rb

@@ -0,0 +1,7 @@
+module Strongbolt
+  class Base < ActiveRecord::Base
+    include Bolted
+
+    self.abstract_class = true
+  end
+end

data/lib/strongbolt/bolted.rb

@@ -0,0 +1,125 @@
+#
+# Included in the base class of models (ActiveRecord::Base),
+# this module is the entry point of all authorization.
+#
+# It implements helper methods that will be used by a lot of other models
+#
+module Strongbolt
+  module Bolted
+    module ClassMethods
+      #
+      # Returns true if grant is currently enable, the user is set and we're not in the console
+      # ie when we need to perform a check
+      #
+      def bolted?
+        !unbolted?
+      end
+
+      #
+      # Not secure if Grant is disabled, there's no current user
+      # or if we're using Rails console 
+      #
+      def unbolted?
+        Grant::Status.grant_disabled? || (defined?(Rails) && defined?(Rails.console)) ||
+           Strongbolt.current_user.nil?
+      end
+
+      #
+      # Returns true if the model is owned, ie if it has a belongs_to
+      # relationship with the user class
+      #
+      def owned?
+        @owned ||= name == Configuration.user_class || owner_association.present?
+      end
+
+      #
+      # Returns the association to the user, if present
+      #
+      def owner_association
+        @owner_association ||= reflect_on_all_associations(:belongs_to).select do |assoc|
+          unless assoc.options.has_key? :polymorphic
+            assoc.klass.name == Configuration.user_class
+          else
+            false
+          end
+        end.try(:first)
+      end
+
+      #
+      # Returns the name of the attribute containing the owner id
+      #
+      def owner_attribute
+        return unless owned?
+
+        @owner_attribute ||= if name == Configuration.user_class
+          :id
+        else
+          owner_association.foreign_key.to_sym
+        end
+      end
+
+      #
+      # Returns the model name for authorization
+      #
+      def name_for_authorization
+        @name_for_authorization ||= self.name
+      end
+
+      #
+      # Authorize as another model
+      #
+      def authorize_as model_name
+        @name_for_authorization = model_name
+      end
+
+    end
+    
+    module InstanceMethods
+      #
+      # Asks permission to performa an operation on the current instance
+      #
+      def accessible?(action, attrs = :any)
+        unbolted? || Grant::User.current_user.can?(action, self, attrs)
+      end
+
+      #
+      # Returns the owner id according to what's
+      #
+      def strongbolt_owner_id
+        raise ModelNotOwned unless self.class.owned?
+
+        send self.class.owner_attribute
+      end
+    end
+    
+    def self.included(receiver)
+      receiver.extend         ClassMethods
+      receiver.send :include, InstanceMethods
+      receiver.send :include, Strongbolt::Tenantable
+      receiver.send :include, Grant::Grantable
+
+      # We add the grant to filter everything
+      receiver.class_eval do
+
+        #
+        # We use the grant helper method to test authorizations on all methods
+        #
+        grant(:find, :create, :update, :destroy) do |user, instance, action|
+          # Strongbolt.logger.debug { "Checking for #{action} on #{instance}\n\n#{Kernel.caller.join("\n")}" }
+          # Check the user permission unless no user or rails console
+          # Not using unbolted? here
+          granted = ((defined?(Rails) && defined?(Rails.console)) || user.nil?) ||
+            user.can?( action, instance )
+
+          # If not granted, trigger the access denied
+          unless granted
+            Strongbolt.access_denied user, instance, action, $request.try(:fullpath)
+          end
+          
+          granted
+        end # End Grant
+
+      end
+    end
+  end
+end