strongbolt 0.3.6

data/lib/strongbolt/configuration.rb

@@ -0,0 +1,111 @@
+module Strongbolt
+
+  module Configuration
+
+    #
+    # A placeholder class for logger when not defined
+    # Just print what's given
+    #
+    class DefaultLogger
+      def method_missing method_name, text = nil, &block
+        puts "[#{method_name}] #{block.present? ? block.call : text}"
+      end
+    end
+
+    #
+    # Sets the class name of the user if different then default 'User'
+    #
+    mattr_accessor :user_class
+    @@user_class = 'User'
+
+    #
+    # Returns the constantize version of user class
+    #
+    def self.user_class_constant() self.user_class.constantize; end
+
+    #
+    # Sets the logger used by Strongbolt
+    #
+    mattr_accessor :logger
+    @@logger = DefaultLogger.new
+
+    #
+    # Sets the tenants of the application
+    #
+    @@tenants = []
+    def self.tenants= tenants
+      @@tenants = []
+      [*tenants].each {|t| add_tenant t}
+    end
+
+    #
+    # Returns the tenants
+    #
+    def self.tenants() @@tenants; end
+
+    #
+    # Adds a tenant if not in the list
+    #
+    def self.add_tenant tenant
+      tenant = tenant.constantize if tenant.is_a? String
+      unless @@tenants.any? { |m| m.name == tenant.name }
+        tenant.send :tenant
+        @@tenants << tenant
+      end
+    end
+
+
+    #
+    # Allows to configure what happens when the access is denied,
+    # or call the block that has been given
+    #
+    # The block access denied receives as arguments:
+    #   user, instance, action, request_path
+    #
+    def self.access_denied *args, &block
+      if block.present?
+        @@access_denied_block = block
+      else
+        @@access_denied_block.call(*args) if defined?(@@access_denied_block)
+      end
+    end
+
+    #
+    # Allows to set Capability Models list
+    #
+    def self.models= models
+      Strongbolt::Capability.add_models models
+    end
+
+    #
+    # Controllers to skip controller authorization check ups
+    #
+    def self.skip_controller_authorization_for *controllers
+      ActiveSupport.on_load :action_controller do
+        controllers.each do |controller|
+          begin
+            "#{controller.camelize}Controller".constantize.send :skip_controller_authorization
+          rescue NameError => e
+            raise NameError, "Controller #{controller} doesn't correspond to a valid controller name"
+          end
+        end
+      end
+    end
+
+    #
+    # Default permissions
+    #
+    @@default_capabilities = []
+    def self.default_capabilities= list
+      @@default_capabilities = list.inject([]) do |capabilities, hash|
+        capabilities.concat Capability.from_hash(hash)
+      end
+    end
+
+    def self.default_capabilities
+      @@default_capabilities
+    end
+
+  end
+
+end

data/lib/strongbolt/controllers/url_helpers.rb

@@ -0,0 +1,37 @@
+require 'active_support/inflector'
+
+module Strongbolt
+  module Controllers
+    #
+    # Creates the url helpers without the 'strongbolt_' prefix,
+    # that both Strongbolt views and the app views can use
+    #
+    # It's not very nice like that but would be too complicated to do like Devise for now...
+    #
+    module UrlHelpers
+      URLS = %w{role  user_group user_group_user role_capability}
+
+      #
+      # Creates the url helpers for the specific url and scope
+      #
+      def self.create_url_helper url, scope=nil
+        [:path, :url].each do |path_or_url|
+          class_eval <<-URL_HELPERS
+            def #{scope.present? ? "#{scope}_" : ''}#{url}_#{path_or_url} *args
+              send(:main_app).send("#{scope.present? ? "#{scope}_" : ''}strongbolt_#{url}_#{path_or_url}", *args)
+            end
+          URL_HELPERS
+        end
+      end
+
+      #
+      # Loads all the required helpers
+      #
+      URLS.each do |url|
+        create_url_helper url
+        create_url_helper url.pluralize
+        [:new, :edit].each { |scope| create_url_helper url, scope }
+      end
+    end
+  end
+end

data/lib/strongbolt/engine.rb

@@ -0,0 +1,44 @@
+require "strongbolt/rails/routes"
+
+require "strongbolt/helpers"
+require "strongbolt/controllers/url_helpers"
+
+module Strongbolt
+  class Engine < ::Rails::Engine
+
+    initializer 'strongbolt.assets.precompile' do |app|
+      %w(javascripts).each do |sub|
+        app.config.assets.paths << root.join('app', 'assets', sub).to_s
+      end
+    end
+    
+    initializer "strongbolt.helpers" do
+      ActionView::Base.send :include, Strongbolt::Helpers
+    end
+
+    #
+    # Session Store should be accessible anytime
+    #
+    initializer "strongbolt.session" do
+      if defined? ActiveRecord::SessionStore::Session
+        ActiveRecord::SessionStore::Session.grant(:find, :create, :update, :destroy) { true }
+      end
+    end
+
+    #
+    # Avoids authorization checking in the middleware
+    #
+    initializer "strongbolt.devise_integration" do
+      if defined?(Warden) && defined?(Warden::SessionSerializer)
+        Warden::SessionSerializer.perform_without_authorization :store, :fetch, :delete
+      end
+    end
+
+    #
+    # Initialize our custom url helpers
+    #
+    initializer "strongbolt.url_helpers" do
+      Strongbolt.include_helpers Strongbolt::Controllers
+    end
+  end
+end

data/lib/strongbolt/errors.rb

@@ -0,0 +1,38 @@
+module Strongbolt
+  StrongboltError = Class.new StandardError
+
+  #
+  # Copy & Paste of Grant Error
+  #
+  class Unauthorized < StrongboltError
+    attr_reader :user, :action, :model
+
+    def initialize(*args)
+      if args.size == 3
+        @user, @action, @model = args
+      else
+        @message = args[0]
+      end
+    end
+
+    def to_s
+      if @message
+        @message
+      else
+        user_str = user == nil ? 'Anonymous' : "#{user.try(:class).try(:name)}:#{user.try :id}"
+        model_str = model.is_a?(Class) ? "#{model.try :name}" : "#{model.try(:class).try(:name)}:#{model.try :id}"
+        "#{action} permission not granted to #{user_str} for resource #{model_str}"
+      end
+    end
+  end
+  
+  ModelNotFound = Class.new StrongboltError
+  ActionNotConfigured = Class.new StrongboltError
+
+  WrongUserClass = Class.new StrongboltError
+  ModelNotOwned = Class.new StrongboltError
+
+  TenantError = Class.new StrongboltError
+  InverseAssociationNotConfigured = Class.new TenantError
+  DirectAssociationNotConfigured = Class.new TenantError
+end

data/lib/strongbolt/generators/migration.rb

@@ -0,0 +1,35 @@
+require 'rails/generators/active_record'
+
+module Strongbolt
+  module Generators
+    module Migration
+      def self.included receiver
+        receiver.send :include, Rails::Generators::Migration
+        receiver.send :include, InstanceMethods
+        receiver.extend         ClassMethods
+      end
+
+      module ClassMethods
+        #
+        # Need to add this here... Don't know why it's not in a Rails module
+        #
+        def next_migration_number(dirname)
+          next_migration_number = current_migration_number(dirname) + 1
+          ActiveRecord::Migration.next_migration_number(next_migration_number)
+        end
+
+      end
+
+      module InstanceMethods
+
+        def copy_migration(source, target)
+          if self.class.migration_exists?("db/migrate", "#{target}")
+            say_status "skipped", "Migration #{target}.rb already exists"
+          else
+            migration_template "#{source}.rb", "db/migrate/#{target}.rb"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/strongbolt/helpers.rb

@@ -0,0 +1,18 @@
+module Strongbolt
+  module Helpers
+    def can? *args, &block
+      # Block can be used when testing an instance
+      Strongbolt.without_authorization do
+        if block.present?
+          args.insert 1, block.call
+        end
+
+        return current_user.can? *args
+      end
+    end
+
+    def cannot? *args, &block
+      ! can? *args, &block
+    end
+  end
+end

data/lib/strongbolt/rails/routes.rb

@@ -0,0 +1,20 @@
+module ActionDispatch::Routing
+  #
+  # Creates the strongbolt route helper method
+  #
+  class Mapper
+    def strongbolt
+      scope :module => :strongbolt do
+        resources :user_groups do
+          resources :user_groups_users, as: :users, path: 'users', only: [:create, :destroy]
+        end
+
+        resources :roles do
+          resources :capabilities, only: [:create, :destroy] do
+            delete :destroy, on: :collection
+          end
+        end
+      end
+    end
+  end
+end

data/lib/strongbolt/role.rb

@@ -0,0 +1,46 @@
+module Strongbolt
+  class Role < Base
+
+    acts_as_nested_set
+
+    validates :name, presence: true
+
+    has_many :roles_user_groups,
+      :class_name => "Strongbolt::RolesUserGroup",
+      :dependent => :restrict_with_exception,
+      :inverse_of => :role
+    has_many :user_groups, :through => :roles_user_groups
+    
+    has_many :users, through: :user_groups
+
+    has_many :capabilities_roles,
+      :class_name => "Strongbolt::CapabilitiesRole",
+      :dependent => :delete_all,
+      :inverse_of => :role
+    has_many :capabilities, :through => :capabilities_roles
+
+    before_destroy :should_not_have_children
+
+    # We SHOULD NOT destroy descendants in our case
+    skip_callback :destroy, :before, :destroy_descendants
+
+    #
+    # Returns inherited capabilities
+    #
+    def inherited_capabilities
+      Strongbolt::Capability.joins(:roles)
+        .where("strongbolt_roles.lft < :lft AND strongbolt_roles.rgt > :rgt", lft: lft, rgt: rgt)
+        .distinct
+      end
+
+    private
+
+    def should_not_have_children
+      if children.count > 0
+        raise ActiveRecord::DeleteRestrictionError.new :children
+      end
+    end
+  end
+end
+
+Role = Strongbolt::Role unless defined? Role

data/lib/strongbolt/roles_user_group.rb

@@ -0,0 +1,15 @@
+module Strongbolt
+  class RolesUserGroup < Base
+    authorize_as "Strongbolt::UserGroup"
+
+    belongs_to :user_group,
+      :class_name => "Strongbolt::UserGroup",
+      :inverse_of => :roles_user_groups
+    
+    belongs_to :role,
+      :class_name => "Strongbolt::Role",
+      :inverse_of => :roles_user_groups
+
+    validates_presence_of :user_group, :role
+  end
+end

data/lib/strongbolt/rspec.rb

@@ -0,0 +1,29 @@
+#
+# Setups Rspec related stuff to handle correctly Strongbolt
+#
+require 'strongbolt'
+
+Strongbolt.switch_to_multithread
+
+if defined?(RSpec)
+  # We load the class that overrides user behavior,
+  # more convenient for tests
+  require 'strongbolt/rspec/user'
+
+  RSpec.configure do |config|
+    #
+    # When creating stuff in before :all, avoid leaks
+    #
+    config.before(:all) do
+      Strongbolt.current_user = nil
+    end
+
+    config.around(:each) do |example|
+      Strongbolt.without_authorization &example
+      # Clear all the User authorizations that could have been defined
+      User.clear_authorizations
+      # Removes the user from current_user to avoid leaks
+      Strongbolt.current_user = nil
+    end
+  end
+end

data/lib/strongbolt/rspec/user.rb

@@ -0,0 +1,90 @@
+require 'rspec/mocks'
+#
+# We define a can! that allows to quickly stub a user authorization
+#
+Strongbolt.user_class_constant.class_eval do
+  #
+  # Best to use a class context and use class instance variables
+  #
+  class << self
+
+    def authorizations
+      @authorizations ||= {}
+    end
+
+    def set_authorization_for user, authorized, *args
+      return if user.new_record?
+
+      self.authorizations[user.id] ||= {}
+      self.authorizations[user.id][key_for(*args)] = authorized
+    end
+
+    def clear_authorizations
+      @authorizations = {}
+    end
+
+    def authorized? user, *args
+      # Cannot do if user not saved
+      return false if user.new_record?
+      key = key_for(*args)
+      if self.authorizations[user.id].present? && self.authorizations[user.id][key].present?
+        return self.authorizations[user.id][key]
+      else
+        user._can? *args
+      end
+    end
+
+    def key_for *args
+      action = args[0]
+      instance = args[1]
+      attrs = args[2] || :any
+      all_instances = (args[3] || false) ? "all" : "tenanted"
+      if instance.is_a?(ActiveRecord::Base)
+        model = instance.class.name
+        if instance.new_record?
+          "#{action}-#{model}-#{attrs}-#{all_instances}"
+        else
+          "#{action}-#{model}-#{attrs}-#{instance.id}"
+        end
+      else
+        model = instance.class.name
+        "#{action}-#{model}-#{attrs}-#{all_instances}"
+      end
+    end
+
+  end
+
+  #
+  # 2 methods to setup mocking and stubs
+  #
+  def init
+    if RSpec::Mocks::Version::STRING >= "3.0"
+      require "rspec/mocks/standalone"
+    else
+      RSpec::Mocks::setup(self) unless self.respond_to? :allow
+    end
+  end
+
+  def setup_stub authorized, arguments
+    init
+    # Set the authorizations on a class level
+    self.class.set_authorization_for self, authorized, *arguments
+  end
+
+  #
+  # Mocked methods
+  #
+  alias_method :_can?, :can?
+
+  def can? *args
+    self.class.authorized? self, *args
+  end
+
+  def can! *args
+    setup_stub true, args
+  end
+
+  def cannot! *args
+    setup_stub false, args
+  end
+end