tarsolya-declarative_authorization 0.4.1

data/app/views/authorization_rules/_change.erb

@@ -0,0 +1,58 @@
+<form>
+<h2>Which permission to change?</h2>
+<p class="action-options">
+  <label>Privilege</label>
+  <%= select_tag :privilege, options_for_select(@privileges.map {|p| [human_privilege(p), p.to_s]}.sort, @privilege.to_s) %>
+  <br/>
+  <label>On</label>
+  <%= select_tag :context, options_for_select(@contexts.map {|c| [human_context(c), c.to_s]}.sort, @context.to_s) %>
+  <br/>
+  <label></label>
+  <%= link_to_function "Show current permissions", "show_current_permissions()", :class => 'unimportant' %>
+  <br/><br/>
+  How many users should be <strong>affected</strong>?
+  <br/>
+  <label></label>
+  <%= radio_button_tag :affected_users, :few, params[:affected_users] == 'few' %>
+  <label class="inline">A <strong>few</strong> users</label>
+  <%= radio_button_tag :affected_users, :many, params[:affected_users] == 'many' %>
+  <label class="inline"><strong>Many</strong> users</label>
+</p>
+
+<h2>Whose permission should be changed?</h2>
+<table class="change-options">
+  <thead>
+    <tr>
+      <td>User</td>
+      <td>Current roles</td>
+      <td class="choose">?</td>
+      <td class="choose">Yes</td>
+      <td class="choose">No</td>
+    </tr>
+  </thead>
+  <tbody>
+    <% @users.each do |user| %>
+      <tr class="<%= controller.authorization_engine.permit?(@privilege, :context => @context, :user => user, :skip_attribute_test => true) ? 'permitted' : 'not-permitted' %>">
+        <td class="user_id"><%=h user.id %></td>
+        <td style="font-weight:bold"><%=h user.login %></td>
+        <td><%=h user.role_symbols.map {|r| human_role(r)} * ', ' %></td>
+        <td><%= radio_button_tag "user[#{user.id}][permission]", "undetermined", true %></td>
+        <td class="yes"><%= radio_button_tag "user[#{user.id}][permission]", "yes" %></td>
+        <td class="no"><%= radio_button_tag "user[#{user.id}][permission]", "no" %></td>
+      </tr>
+    <% end %>
+    <tr>
+      <td colspan="5" style="text-align:right; padding-top:0.5em" class="unimportant">
+        <span style="background: #FFE599;">&nbsp; &nbsp;</span> Current permission
+      </td>
+    </tr>
+  </tbody>
+</table>
+
+<h2 style="display:none">Prohibited actions</h2>
+<ul id="prohibited_actions"></ul>
+
+<p class="submit">
+  <%= button_to_function "Suggest Changes", "suggest_changes()" %>
+</p>
+</form>

data/app/views/authorization_rules/_show_graph.erb

@@ -0,0 +1,37 @@
+<% javascript_tag do %>
+    function show_graph (privilege, context, user_ids) {
+        var params = {
+          privilege_hierarchy: 1,
+          highlight_privilege: privilege,
+          filter_contexts: context
+        };
+        if (user_ids)
+          params['user_ids[]'] = user_ids;
+        show_graph_with_params('graph', params);
+    }
+
+    var graph_params = {};
+    function show_graph_with_params (graph_id, params) {
+        graph_params[graph_id] = params;
+        base_url = "<%= graph_authorization_rules_path('svg') %>";
+        $(graph_id).data = base_url + '?' + Object.toQueryString(params);
+        $(graph_id).up().show();
+    }
+
+    function update_graph_params (graph_id, params) {
+        show_graph_with_params(graph_id,
+            $H(graph_params[graph_id] || {}).merge(params).toObject());
+    }
+
+    function toggle_graph_params (graph_id) {
+        var opts = {}
+        $A(arguments).slice(1).each(function (param) {
+          opts[param] = graph_params[graph_id][param] ? null : '1';
+        });
+        update_graph_params(graph_id, opts)
+    }
+<% end %>
+<div id="graph-container" style="display:none">
+<%= link_to_function "Hide", "$('graph-container').hide()", :class => 'important' %><br/>
+<object id="graph" data="" type="image/svg+xml" style="max-width:100%;margin-top: 0.5em"/>
+</div>

data/app/views/authorization_rules/_suggestions.erb

@@ -0,0 +1,48 @@
+<h2>Suggestions</h2>
+
+<% if @approaches.length > 0 %>
+  <% if @approaches.first.changes.empty? %>
+    <p>No changes necessary.</p>
+  <% else %>
+    <p class="unimportant">
+      <%= pluralize(@approaches.length, 'approach') %> in
+      <%= pluralize(@grouped_approaches.length, 'group') %>
+      <%= params[:affected_users] ? "– #{params[:affected_users] == 'few' ? "fewer" : "most"} affected users first" : "" %>
+    </p>
+    <ul>
+      <% @grouped_approaches.each_with_index do |grouped_approach, group_index| %>
+        <% ([grouped_approach.approach] + grouped_approach.similar_approaches).each_with_index do |approach, index| %>
+          <li <%= (group_index < 3 || params[:show_all]) && index == 0 ? '' : 'style="display: none"' %> class="<%= index == 0 ? 'primary' : "secondary" %> group-<%= group_index %>">
+            <!--<span class="ord"><%= (index + 1) %></span>-->
+            <span class="unimportant">Affected users</span> <strong><%= affected_users_count(approach) %></strong> &nbsp;
+            <span class="unimportant">Complexity</span> <strong><%= approach.weight %></strong> &nbsp;
+            <%= link_to_function "Diagram", "show_suggest_graph('#{serialize_changes(approach)}', '#{serialize_relevant_roles(approach)}', '#{@context}', relevant_user_ids())", :class => "show-approach" %>
+            <ul>
+              <% approach.changes.each do |action| %>
+                <% (action.to_a[0].is_a?(Enumerable) ? action.to_a : [action.to_a]).each do |step| %>
+                  <li>
+                    <%= describe_step(step.to_a, :with_removal => true) %>
+                  </li>
+                <% end %>
+              <% end %>
+            </ul>
+            <% if index == 0 %>
+              <% if grouped_approach.similar_approaches.empty? %>
+                <span class="unimportant show-others-in-group">No further suggestions in this group</span>
+              <% else %>
+                <%= link_to_function "Show further <strong>#{pluralize grouped_approach.similar_approaches.length, "suggestion"}</strong> in this group", "show_group_approaches(#{group_index})", :class => "show-others-in-group" %>
+              <% end %>
+            <% end %>
+            <%= link_to_function "Hide further suggestions", "hide_group_approaches(#{group_index})" if index > 0 and index == grouped_approach.similar_approaches.length %>
+          </li>
+          <% if index == 0 and group_index == 2 and @grouped_approaches.length > 3 %>
+            <li <%= !params[:show_all] ? '' : 'style="display: none"' %>><%= link_to_function "Show further <strong>#{pluralize(@grouped_approaches.length - 3, 'group')}</strong>", "show_all_groups(); $(this).up().hide()" %></li>
+          <% end %>
+        <% end %>
+      <% end %>
+    </ul>
+
+  <% end %>
+<% else %>
+  <p><strong>No approach found.</strong></p>
+<% end %>

data/app/views/authorization_rules/change.html.erb

@@ -0,0 +1,169 @@
+<h1>Suggestions on Authorization Rules Change</h1>
+<p><%= navigation %></p>
+<div style="display:none" id="suggest-graph-container">
+<%= link_to_function "Hide", "$(this).up().hide()", :class => 'important' %>
+<%= link_to_function "Toggle stacked roles", "toggle_graph_params('suggest-graph', 'stacked_roles');" %>
+<%= link_to_function "Toggle only users' roles", "toggle_graph_params('suggest-graph', 'only_relevant_roles');" %><br/>
+<object id="suggest-graph" data="" type="image/svg+xml" style="max-width: 98%;max-height: 95%;margin-top: 0.5em"/>
+</div>
+<%= render 'show_graph' %>
+
+<div id="spinner" style="display:none">Searching...</div>
+
+<style type="text/css">
+  .action-options label { display: block; float: left; width: 7em; padding-bottom: 0.5em }
+  .action-options label.inline { display: inline; float: none }
+  .action-options select { float: left; }
+  .action-options br { clear: both; }
+  .action-options { margin-bottom: 2em }
+  .change-options { margin-bottom: 1em }
+  .change-options td.user_id { display: none }
+  .change-options td { padding-right: 1em; padding-left: 0.5em }
+  .change-options thead td { border-bottom: 1px solid lightgrey }
+  .change-options thead td.choose { text-align: center; font-weight: bold }
+  .change-options tr.permitted td.yes,
+  .change-options tr.not-permitted td.no { background: #FFE599 }
+  .submit { margin-top: 0 }
+  .submit input { font-weight: bold; font-size: 120% }
+  #suggest-result { 
+    position: absolute; left: 55%; right: 10px;
+    border-left: 1px solid grey;
+    padding-left: 2em;
+    z-index: 10;
+  }
+  #suggest-result>ul { padding-left: 0 }
+  #suggest-result>ul>li { list-style: none;  margin-bottom: 1em }
+  #suggest-result>ul>li.secondary { padding-left: 2em }
+  #suggest-result li { padding-left: 0 }
+  #suggest-result ul ul { padding-left: 2em }
+  #suggest-result .ord { float: left; display: block; width: 2em; font-weight: bold; color: grey }
+  .show-approach, .show-others-in-group { visibility: hidden }
+  .prohibit { text-decoration: none; visibility: hidden }
+  li:hover .show-approach, li:hover .prohibit,
+    li:hover .show-others-in-group { visibility: visible }
+  #suggest-graph-container {
+    background: white; border:1px solid grey;
+    position:fixed; z-index: 20;
+    left:10%; bottom: 10%; right: 10%; top: 10%;
+    padding: 0.5em
+  }
+  #graph-container {
+    background: white; margin: 1em; border:1px solid grey; padding: 0.5em;
+    max-width:50%; position:fixed; z-index: 20; right:0;
+  }
+  .unimportant, .remove, .prohibit { color: grey }
+  .important { font-weight: bold }
+  .remove { cursor: pointer }
+  #spinner { position: fixed; top: 0; right: 0; background: #FFE599; padding: 1em }
+</style>
+<% javascript_tag do %>
+    function suggest_changes (refresh) {
+        var opened_groups = $$("#suggest-result>ul>li.secondary").select(function (li) {return li.visible()}).collect(function (li) {
+            return li.classNames().toArray()[1].split("-")[1];
+        }).uniq();
+
+        if (refresh)
+          $("spinner").show();
+        else
+          $("suggest-result").innerHTML = "Searching...";
+
+
+        $("suggest-result").show();
+        new Ajax.Updater({success: 'suggest-result'}, '<%= suggest_change_authorization_rules_path %>', {
+            method: 'get',
+            onFailure: function(request) {
+                $("suggest-result").innerHTML = "Error while searching."
+            },
+            onComplete: function () {
+                $("spinner").hide();
+                opened_groups.each(function (group_no) {
+                  show_group_approaches(group_no);
+                });
+            },
+            parameters: $H($('change').down('form').serialize(true)).merge(refresh ? {show_all: "true"} : {}).toQueryString()
+        });
+        if (!refresh)
+          location.hash = 'suggest-result';
+    }
+
+    function show_suggest_graph (changes, filter_roles_params, filter_context, user_ids) {
+        var params = {changes: changes, highlight_privilege: $F('privilege'), stacked_roles: '1'};
+        if (filter_context)
+          params['filter_contexts'] = filter_context;
+        if (user_ids)
+          params['user_ids[]'] = user_ids;
+        show_graph_with_params('suggest-graph', params);
+    }
+
+    document.observe('dom:loaded', function() {
+      install_change_observers();
+    });
+
+    function install_change_observers () {
+        $$('#change select').each(function (el) {
+            el.observe('change', function (event) {
+                var form = $('change').down('form');
+                new Ajax.Updater({success: 'change'}, '<%= url_for %>', {
+                  parameters: Form.serializeElements(form.select('select').concat(form.getInputs('radio', 'affected_users')), true),
+                  method: 'get',
+                  onComplete: function () {
+                      install_change_observers();
+                      if ($('graph-container').visible())
+                        show_current_permissions();
+                  }
+                });
+            });
+        });
+        $('prohibited_actions').observe('click', function (event) {
+          var target = event.findElement();
+          if (target.hasClassName('remove')) {
+            target.up().remove();
+            if ($('prohibited_actions').childElements().length == 0)
+              $('prohibited_actions').previous().hide();
+            suggest_changes();
+          }
+        });
+    }
+
+    function show_current_permissions () {
+        show_graph($F('privilege'), $F('context')/*, relevant_user_ids()*/);
+    }
+
+    function show_all_groups () {
+      $$('#suggest-result>ul>li.primary').invoke("show");
+    }
+
+    function show_group_approaches (group_no) {
+      $$('#suggest-result>ul>li.secondary.group-' + group_no).invoke("show");
+      $$('#suggest-result>ul>li.primary.group-' + group_no + ' a.show-others-in-group').invoke("hide");
+    }
+
+    function hide_group_approaches (group_no) {
+      $$('#suggest-result>ul>li.secondary.group-' + group_no).invoke("hide");
+      $$('#suggest-result>ul>li.primary.group-' + group_no + ' a.show-others-in-group').invoke("show");
+    }
+
+    function relevant_user_ids () {
+      return $$('#change .user_id').collect(function (el) {
+        return el.innerHTML;
+      }).reject(function (id) {
+        return $('user_' + id + '_permission_undetermined').checked;
+      });
+    }
+
+    var prohibited_action_template =
+        new Template('<li>#{description} <span class="remove">[x]</span><input type="hidden" name="prohibited_action[]" value="#{action}"></li>');
+    function prohibit_action (action, description) {
+      $('prohibited_actions').previous().show();
+      $('prohibited_actions').insert(
+          {bottom: prohibited_action_template.evaluate({action: action, description: description}) }
+      );
+      suggest_changes(true);
+    }
+<% end %>
+
+<div id="suggest-result" style="display:none"></div>
+
+<div id="change">
+  <%= render 'change' %>
+</div>

data/app/views/authorization_rules/graph.dot.erb

@@ -0,0 +1,68 @@
+
+digraph rules {
+  compound = true
+  edge [arrowhead=open]
+  node [shape=box,fontname="sans-serif",fontsize="16"]
+  fontname="sans-serif";fontsize="16"
+  ranksep = "0.3"
+  //concentrate = true
+  rankdir = TB
+  
+  <% unless @users.blank? %>
+  {
+    rank = source
+    node [shape=polygon,style=filled,fillcolor="#eeeeee"]
+    <% @users.each do |user| %>
+    "<%= user.login %>"
+    <% end %>
+  }
+  <% end %>
+
+  {
+    node [shape=ellipse,style=filled]
+    <%= @stacked_roles ? '' : "rank = same" %>
+    <% @roles.each do |role| %>
+    "<%= role.inspect %>" [fillcolor="<%= role_fill_color(role) %>",label="<%= human_role(role) %>"]
+    // ,URL="javascript:set_filter({roles: '<%= role %>'})"
+    <% end %>
+    <% @roles.each do |role| %>
+        <% (@role_hierarchy[role] || []).select {|lower_role| @roles.include?(lower_role)}.each do |lower_role| %>
+            "<%= role.inspect %>" -> "<%= lower_role.inspect %>" [arrowhead=empty]
+        <% end %>
+    <% end %>
+  }
+
+  <% unless @users.blank? %>
+    <% @users.each do |user| %>
+      <% user.role_symbols.select {|role| @roles.include?(role)}.each do |role| %>
+    "<%= user.login %>" -> "<%= role.inspect %>" [color="<%= has_changed(:assign_role_to_user, role, user.login) ? '#00dd00' : (has_changed(:remove_role_from_user, role, user.login) ? '#dd0000' : '#000000') %>"]
+      <% end %>
+    <% end %>
+  <% end %>
+
+  <% @contexts.each do |context| %>
+    subgraph cluster_<%= context %>  {
+      label = "<%= human_context(context) %>"
+      style=filled; fillcolor="#eeeeee"
+      node[fillcolor=white,style=filled]
+      <% (@context_privs[context] || []).each do |priv| %>
+      <%= priv %>_<%= context %> [label="<%= human_privilege(priv) %>"<%= ',fontcolor="#ff0000"' if @highlight_privilege == priv %>]
+      <% end %>
+      <% (@context_privs[context] || []).each do |priv| %>
+        <% (@privilege_hierarchy[priv] || []).
+                select {|p,c| (c.nil? or c == context) and @context_privs[context].include?(p)}.
+                each do |lower_priv, c| %>
+      <%= priv %>_<%= context %> -> <%= lower_priv %>_<%= context %> [arrowhead=empty]
+        <% end %>
+      <% end %>
+      //read_conferences -> update_conferences [style=invis]
+      //create_conferences -> delete_conferences [style=invis]
+    }
+  <% end %>
+
+  <% @roles.each do |role| %>
+    <% (@role_privs[role] || []).each do |context, privilege, unconditionally, attribute_string| %>
+  "<%= role.inspect %>" -> <%=  privilege %>_<%= context %> [color="<%= privilege_color(privilege, context, role) %>", minlen=3<%= ", arrowhead=opendot, URL=\"javascript:\", edgetooltip=\"#{attribute_string.gsub('"','')}\"" unless unconditionally %>]
+    <% end %>
+  <% end %>
+}

data/app/views/authorization_rules/graph.html.erb

@@ -0,0 +1,40 @@
+<h1>Authorization Rules Graph</h1>
+<p>Currently active rules in this application.</p>
+<p><%= navigation %></p>
+
+<% javascript_tag do %>
+    function update_graph (form) {
+        base_url = "<%= url_for :format => 'svg' %>";
+        $('graph').data = base_url + '?' + form.serialize();
+    }
+
+    function set_filter (filter) {
+        for (f in filter) {
+            var select = $("filter_" + f);
+            if (select) {
+                var opt = select.down("option[value='"+ filter[f] + "']");
+                if (opt) {
+                    opt.selected = true;
+                    update_graph(select.form);
+                }
+            }
+        }
+    }
+<% end %>
+<p>
+  <% form_tag do %>
+  <%#= link_to_graph "Rules" %>
+  <%#= link_to_graph "Privilege hierarchy", :type => 'priv_hierarchy' %>
+  
+  <%= select_tag "filter_roles", options_for_select([["All roles",'']] + controller.authorization_engine.roles.map(&:to_s).sort), :onchange => 'update_graph(this.form)' %>
+  <%= select_tag "filter_contexts", options_for_select([["All contexts",'']] + controller.authorization_engine.auth_rules.collect {|ar| ar.contexts.to_a}.flatten.uniq.map(&:to_s).sort), :onchange => 'update_graph(this.form)' %>
+  <%= check_box_tag "effective_role_privs", "1", false, :onclick => 'update_graph(this.form)'  %> <%= label_tag "effective_role_privs", "Effective privileges"  %>
+  <%= check_box_tag "privilege_hierarchy", "1", false, :onclick => 'update_graph(this.form)'  %> <%= label_tag "privilege_hierarchy", "Show full privilege hierarchy"  %>
+  <%= check_box_tag "stacked_roles", "1", false, :onclick => 'update_graph(this.form)'  %> <%= label_tag "stacked_roles", "Stacked roles"  %>
+  <% end %>
+</p>
+<div style="margin: 1em;border:1px solid #ccc;max-width:95%">
+<object id="graph" data="<%= url_for :format => 'svg' %>" type="image/svg+xml" style="max-width:100%"/>
+</div>
+<%= button_to_function "Zoom in", '$("graph").style.maxWidth = "";$(this).toggle();$(this).next().toggle()' %>
+<%= button_to_function "Zoom out", '$("graph").style.maxWidth = "100%";$(this).toggle();$(this).previous().toggle()', :style => 'display:none' %>

data/app/views/authorization_rules/index.html.erb

@@ -0,0 +1,17 @@
+<h1>Authorization Rules</h1>
+<p>Currently active rules in this application.</p>
+<p><%= navigation %></p>
+<style type="text/css">
+  pre .constant {color: #a00;}
+  pre .special {color: red;}
+  pre .operator {color: red;}
+  pre .statement {color: #00a;}
+  pre .proc {color: #0a0;}
+  pre .privilege, pre .context {font-weight: bold}
+  pre .preproc, pre .comment, pre .comment span {color: grey !important;}
+  pre .note {color: #a00; position:absolute; cursor: help; left: 15px }
+  pre.with-notes {padding-left: 35px}
+</style>
+<pre class="with-notes">
+<%= policy_analysis_hints(syntax_highlight(h(@auth_rules_script)), @auth_rules_script) %>
+</pre>

data/app/views/authorization_usages/index.html.erb

@@ -0,0 +1,36 @@
+<h1>Authorization Usage</h1>
+<%= render 'authorization_rules/show_graph' %>
+<p>Filter rules in actions by controller:</p>
+<p><%= navigation %></p>
+<style type="text/css">
+  .auth-usages th { text-align: left; padding-top: 1em }
+  .auth-usages td { padding-right: 1em }
+  .auth-usages tr.action  { cursor: pointer }
+  .auth-usages tr.unprotected  { background: #FFA399 }
+  .auth-usages tr.no-attribute-check { background: #FFE599 }
+  /*.auth-usages tr.catch-all td.privilege,*/
+  .auth-usages tr.default-privilege td.privilege,
+  .auth-usages tr.default-context td.context { color: #888888 }
+  #graph-container {margin: 1em; border:1px solid #ccc; max-width:50%; position:fixed; right:0;}
+</style>
+<table class="auth-usages">
+  <% @auth_usages_by_controller.keys.sort {|c1, c2| c1.name <=> c2.name}.each do |controller| %>
+    <% default_context = controller.controller_name.to_sym rescue nil %>
+    <tr>
+      <th colspan="3"><%= h controller.controller_name %></th>
+    </tr>
+    <% @auth_usages_by_controller[controller].keys.sort {|c1, c2| c1.to_s <=> c2.to_s}.each do |action| %>
+      <% auth_info = @auth_usages_by_controller[controller][action] %>
+      <% first_permission = auth_info[:controller_permissions] && auth_info[:controller_permissions][0] %>
+      <tr class="action <%= auth_usage_info_classes(auth_info) %>" title="<%= auth_usage_info_title(auth_info) %>" onclick="show_graph('<%= auth_info[:privilege] || action %>','<%= auth_info[:context] || default_context %>')">
+        <td><%= h action %></td>
+        <% if first_permission %>
+          <td class="privilege"><%= h auth_info[:privilege] || action %></td>
+          <td class="context"><%= h auth_info[:context] || default_context %></td>
+        <% else %>
+          <td></td><td></td>
+        <% end %>
+      </tr>
+    <% end %>
+  <% end %>
+</table>