strongbolt 0.3.6

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: b2be7a6357fe3a1bac22a246b34013f1c5109c5e
+  data.tar.gz: 145bb831919b70d9e9165328f097f77249c83726
+SHA512:
+  metadata.gz: 4a4612a54b4b84c47381bae52e9e8aca1a2992a23c6d7c48981beab4da8beaebbd5f45084c6ca4427d3513a491b530de9efebf5ca595cf7b0087a59aff5c35c6
+  data.tar.gz: f933dd404243f00ed6a081619b997aa04b10af0924cf82c42504b331dfe7c1b33851ab352da04ee9a7c0a64d1ac47ebb01ab4dad0c1cbe6bb79c316d71539d6a

data/.editorconfig

@@ -0,0 +1,33 @@
+root = true
+
+# defaults over all files
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+# documentation
+[*.md]
+indent_style = space
+indent_size = 4
+
+# ruby files
+[{*.rb,*.ru,Gemfile,Capfile,Rakefile,Guardfile}]
+indent_style = space
+indent_size = 2
+
+# config files
+[*.yml]
+indent_style = space
+indent_size = 2
+
+# javascript files
+[*.{js,coffee}]
+indent_style = space
+indent_size = 2
+
+# stylesheets
+[*.{css,scss}]
+indent_style = space
+indent_size = 2

data/.gitignore

@@ -0,0 +1,18 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+.DS_Store
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+spec/dummy/log/*

data/.rspec

@@ -0,0 +1 @@
+--color

data/.ruby-gemset

@@ -0,0 +1 @@
+strongbolt

data/.ruby-version

@@ -0,0 +1 @@
+ruby-2.1.3

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in strongbolt.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,130 @@
+PATH
+  remote: .
+  specs:
+    strongbolt (0.3.6)
+      awesome_nested_set (~> 3.0.0)
+      grant (~> 3.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    actionmailer (4.1.6)
+      actionpack (= 4.1.6)
+      actionview (= 4.1.6)
+      mail (~> 2.5, >= 2.5.4)
+    actionpack (4.1.6)
+      actionview (= 4.1.6)
+      activesupport (= 4.1.6)
+      rack (~> 1.5.2)
+      rack-test (~> 0.6.2)
+    actionview (4.1.6)
+      activesupport (= 4.1.6)
+      builder (~> 3.1)
+      erubis (~> 2.7.0)
+    activemodel (4.1.6)
+      activesupport (= 4.1.6)
+      builder (~> 3.1)
+    activerecord (4.1.6)
+      activemodel (= 4.1.6)
+      activesupport (= 4.1.6)
+      arel (~> 5.0.0)
+    activesupport (4.1.6)
+      i18n (~> 0.6, >= 0.6.9)
+      json (~> 1.7, >= 1.7.7)
+      minitest (~> 5.1)
+      thread_safe (~> 0.1)
+      tzinfo (~> 1.1)
+    arel (5.0.1.20140414130214)
+    awesome_nested_set (3.0.3)
+      activerecord (>= 4.0.0, < 5)
+    builder (3.2.2)
+    diff-lcs (1.2.5)
+    erubis (2.7.0)
+    fabrication (2.11.3)
+    fuubar (2.0.0)
+      rspec (~> 3.0)
+      ruby-progressbar (~> 1.4)
+    grant (3.0.0)
+      activerecord (>= 4.0.0)
+    hike (1.2.3)
+    i18n (0.6.11)
+    json (1.8.1)
+    mail (2.6.3)
+      mime-types (>= 1.16, < 3)
+    mime-types (2.4.3)
+    minitest (5.4.2)
+    multi_json (1.10.1)
+    rack (1.5.2)
+    rack-test (0.6.2)
+      rack (>= 1.0)
+    rails (4.1.6)
+      actionmailer (= 4.1.6)
+      actionpack (= 4.1.6)
+      actionview (= 4.1.6)
+      activemodel (= 4.1.6)
+      activerecord (= 4.1.6)
+      activesupport (= 4.1.6)
+      bundler (>= 1.3.0, < 2.0)
+      railties (= 4.1.6)
+      sprockets-rails (~> 2.0)
+    railties (4.1.6)
+      actionpack (= 4.1.6)
+      activesupport (= 4.1.6)
+      rake (>= 0.8.7)
+      thor (>= 0.18.1, < 2.0)
+    rake (10.3.2)
+    rspec (3.1.0)
+      rspec-core (~> 3.1.0)
+      rspec-expectations (~> 3.1.0)
+      rspec-mocks (~> 3.1.0)
+    rspec-core (3.1.5)
+      rspec-support (~> 3.1.0)
+    rspec-expectations (3.1.2)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.1.0)
+    rspec-mocks (3.1.2)
+      rspec-support (~> 3.1.0)
+    rspec-rails (3.1.0)
+      actionpack (>= 3.0)
+      activesupport (>= 3.0)
+      railties (>= 3.0)
+      rspec-core (~> 3.1.0)
+      rspec-expectations (~> 3.1.0)
+      rspec-mocks (~> 3.1.0)
+      rspec-support (~> 3.1.0)
+    rspec-support (3.1.1)
+    ruby-progressbar (1.6.0)
+    shoulda-matchers (2.7.0)
+      activesupport (>= 3.0.0)
+    sprockets (2.12.3)
+      hike (~> 1.2)
+      multi_json (~> 1.0)
+      rack (~> 1.0)
+      tilt (~> 1.1, != 1.3.0)
+    sprockets-rails (2.2.2)
+      actionpack (>= 3.0)
+      activesupport (>= 3.0)
+      sprockets (>= 2.8, < 4.0)
+    sqlite3 (1.3.9)
+    thor (0.19.1)
+    thread_safe (0.3.4)
+    tilt (1.4.1)
+    tzinfo (1.2.2)
+      thread_safe (~> 0.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (> 1.7.0)
+  fabrication
+  fuubar
+  rails (~> 4.1.0)
+  rake
+  rspec-rails (~> 3.1.0)
+  shoulda-matchers
+  sqlite3 (= 1.3.9)
+  strongbolt!
+
+BUNDLED WITH
+   1.11.2

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2014 Thomas Césaré-Herriau
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,182 @@
+# Strongbolt
+
+RBAC framework for model-level authorization gem with very granular control on permissions, using Capabilities, Roles and UserGroups.
+
+Only works with Rails 4.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'grant', '>= 2.2', git: "git@github.com:AnalyticsMediaGroup/grant.git"
+    gem 'strongbolt', git: "git@github.com:AnalyticsMediaGroup/strongbolt.git"
+
+And then execute:
+
+    $ bundle
+
+## Getting Started
+
+To creates the required migrations, run:
+
+    $ rails g strongbolt:install && rake db:migrate
+
+To create a Role and User Group that has full access and assign the group to all users (this allow to get started using StrongBolt), run:
+
+    $ rake strongbolt:seed
+
+If you plan on using the built-in view to manage user groups, roles and permissions, also add to your application.js:
+
+    //= require strongbolt
+
+You will need to have jQuery or a similar library with Ajax to make it work
+
+## Usage
+
+### Configuration
+
+The initializer of strongbolt, `config/initializers/strongbolt.rb` has some included documentation to help you with configuring the little you need to for Strongbolt to work.
+
+By default, the user class is `User` and there is no tenant set.
+
+#### A note on the list of models
+
+Strongbolt has been made to be used with the least configuration possible. If given a tenant, it will traverse the graph of dependencies on this tenant to try to configure all the tenant dependent models authorization check ups. However, some models may be totally independant or not belong to (directly or indirectly) to a tenant. You may also have no tenant at all. In these cases, some or all of your models won't be discovered by Strongbolt when running your app.
+To avoid eager loading the whole application to automatically get the list of models, you can specify in the initializer the models of your application.
+This list is prefilled when running the install generator.
+
+### Controllers
+
+Strongbolt perform high level authorization on controllers, to avoid testing more granular authorization and increase the performance. For instance, if an user cannot find any Movies, he certainly won't be able to find the movie with the specific id 5.
+
+#### Custom controller actions
+
+Strongbolt relies on the usual Rails restful actions to guess the corresponding model action (edit requires update authorization, new requires create authorization, etc.). However, you will sometimes create other custom actions. In that case, you must specify in the controller how to map these custom controller actions to one of the 4 model actions using:
+
+```ruby
+authorize_as_find :action1, :action2
+authorize_as_create :action, :action2
+authorize_as_update :action, :action2
+authorize_as_destroy :action, :action2
+```
+
+#### Skipping authorization
+
+You can disable the controller-level authorization checks by using in the controllers:
+
+```ruby
+skip_controller_authorization,
+skip_controller_authorization, only: [:index]
+skip_controller_authorization, except: [:update]
+```
+
+You can also specify a list of controllers in the initializer `config/initializers/strongbolt.rb`. It is useful for third-party controllers, like devise for instance. The syntax is:
+
+```ruby
+config.skip_controller_authorization_for "Devise::SessionsController", "Devise::RegistrationsController"
+```
+
+You can also skip ALL authorization checks (BAD IDEA) using:
+
+```ruby
+skip_all_authorization
+skip_all_authorization, only: [:index]
+skip_all_authorization, except: [:update]
+```
+
+Sometimes you may want to render the views without checking again every single instance you're displaying (for the list of movies for instance, if the user can find ALL movies no need to test separatly each of them). You can skip the authorization checks when rendering pages by using:
+
+```ruby
+render_without_authorization :index, :show
+```
+
+Be careful when using one of this skipping authorization check as it may result in leaked data.
+
+#### Controller not derived from a Model
+
+Usually most of your controllers, in a RestFUL design, are backed by a specific model, derived from the name of the controller. In that case Strongbolt will know what model authorization it should test against. Otherwise, it will raise an error unless you specify the model for authorization:
+
+```ruby
+self.model_for_authorization = "Movie"
+```
+
+### Models
+
+Usually you will never need to configure anything on the models. In some cases though, to simplify the roles and permissions, you may want to authorize some models as if they were other models (in nested models, sometimes it is safe to assume that the lower level model should have the same permissions than its parent)>
+To achieve this, use the following within your model:
+
+```ruby
+authorize_as "Movie"
+```
+
+### Tenants
+
+Strongbolt allows the utilization of _tenants_. Tenants are vertical scopes within your application.
+
+> Let's take an example. A project tracking application (like Pivotal) can have several companies as clients, but each company's users can see only what concern them. _Company_ is a tenant of the application.
+
+The initializer let you define the model(s) that should be considered tenants.
+
+#### How to set what tenants a user has access to
+
+Strongbolt comes with a table, `strongbolt_users_tenants`, that will store what tenants users have access to.
+
+When a tenant is declared, it will add some features to the _User class_ that has been defined in the initializer.
+
+First, an association between the _User class_ and the _Tenant class_ will be created, named after the _Tenant class_ name. It is a `has_many :trough => :users_tenants_` association.
+
+> For instance, a `Company` tenant will generate a `companies` association.
+
+A convenient instance method will also be created on the _User class_ to directly access the list of _Tenant class_ a _User_ can access. It is name `accessible_{tenants}` where `{tenants}` is the pluralize version of the _Tenant class_ name.
+
+> `Company` will create an `accessible_companies` instance method
+
+#### Tenanted models
+
+A tenanted model is a model that belongs indirectly to a _Tenant class_.
+
+> For instance, `Project` is a tenanted model of `Company`. Now, let's consider a `belong_to` association that links `Project` to a `Country`. The list of countries is stored in the table `countries` and does not belong to `Company`: `Country` is not a tenanted model.
+
+Strongbolt will traverse your schema and automatically determine what models in your application is linked to your _Tenant class_.
+
+> In our example, where `Project` belongs to `Company` and `Country`, but `Country` does not belong to `Company`, Strongbolt will automatically determine that `Project` is a tenanted model and `Country` is not.
+
+Strongbolt will then create a `has_one` association on every tenanted model, so you can access directly the dependent _Tenant_
+
+> For instance, every `Task` of a `Project` will have a `has_one :company, :through => :project` association automatically created (if not already existing).
+
+#### Restricting permissions to accessible tenanted models
+
+Strongbolt's capabilites have a boolean attribute, `require_tenant_access`, that specify whether the user can access all _tenanted models_ or only the ones that belong to the _Tenants_ he has access to.
+
+> Let's look back at the example. Each companies has several _projects_. The normal user, belonging to a company, would only have access to his company's projects. You would then define for normal user a capability *requiring tenant access*
+
+> An admin user, on the other hand, like an engineer of the application, could have access to all the companies' projects. An engineer's projects' permissions would then *not require tenant access*
+
+It will then perform the right permission check based on this requirement and the relationship of the model being checked and the _Tenant class_. If the model being checked is not linked to any of the _Tenant classes_, it won't check any dependency.
+
+
+### Troubleshooting
+
+#### Strongbolt::ModelNotFound
+
+This means Strongbolt is trying to perform some controller-level authorizations but cannot infer the model from the controller name. In that case you must use in this controller:
+
+```ruby
+self.model_for_authorization = "Movie"
+```
+
+Or skip controller authorizations when it cannot be related to a model or it is not useful (like for Devise controllers), using either one of the methods described in *Skipping Authorization*.
+
+#### Strongbolt::ActionNotConfigured
+
+This happens when a controller is using a custom action which is not one of the 6 usual restful Rails actions (index, new, create, sho, edit, update, destroy). Refer to *Custom controller actions* to fix this.
+
+
+## Contributing
+
+1. Fork it ( http://github.com/<my-github-username>/strongbolt/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/app/assets/javascripts/strongbolt.js

@@ -0,0 +1 @@
+//= require strongbolt/role-capabilities

data/app/assets/javascripts/strongbolt/role-capabilities.js

@@ -0,0 +1,80 @@
+(function() {
+  var RoleCapabilities;
+
+  RoleCapabilities = (function() {
+    function RoleCapabilities(table) {
+      this.table = table;
+      this.url = this.table.data('url');
+      this.setup();
+    }
+
+    RoleCapabilities.prototype.toggleAction = function(button) {
+      var granted, params, parent;
+      granted = !button.data('granted');
+      button.blur();
+      button.data("granted", granted);
+      parent = button.parent();
+      params = {
+        model: parent.data('model'),
+        require_ownership: parent.data('require-ownership'),
+        require_tenant_access: parent.data('require-tenant-access'),
+        action: button.data('action')
+      };
+      return this[granted ? 'addAction' : 'destroyAction'](params, function() {
+        if (granted) {
+          button.addClass('btn-success');
+          return button.removeClass('btn-danger');
+        } else {
+          button.addClass('btn-danger');
+          return button.removeClass('btn-success');
+        }
+      });
+    };
+
+    RoleCapabilities.prototype.destroyAction = function(params, callback) {
+      var options;
+      options = {
+        data: {
+          capability: params
+        },
+        type: "DELETE",
+        complete: callback
+      };
+      return this.request(options);
+    };
+
+    RoleCapabilities.prototype.addAction = function(params, callback) {
+      var options;
+      options = {
+        data: {
+          capability: params
+        },
+        type: "POST",
+        complete: callback
+      };
+      return this.request(options);
+    };
+
+    RoleCapabilities.prototype.request = function(options) {
+      options.url = this.url;
+      options.dataType = 'json';
+      return $.ajax(options);
+    };
+
+    RoleCapabilities.prototype.setup = function() {
+      return this.table.on('click', 'button[data-action]', (function(_this) {
+        return function(event) {
+          return _this.toggleAction($(event.currentTarget));
+        };
+      })(this));
+    };
+
+    return RoleCapabilities;
+
+  })();
+
+  $(document).ready(function() {
+    return new RoleCapabilities($("#role-capabilities"));
+  });
+
+}).call(this);