tight-engine 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 065ac37dc49f5b5e67ec4271bb92f71eee632e0f
+  data.tar.gz: 72dfcdf5eae3c379407c7c698293515e59822db8
+SHA512:
+  metadata.gz: 50b1e579488cad7dc14f878f8e2605e8d1837500de6e980aa175f14839693e7027d5df4dd078ef2d86a085e1714ee0f94988976cb39ba56b547dfad6a8b00ea9
+  data.tar.gz: 0bc29fa1374faeb73b5949bc6f504f613fad53d39eac471350c69dfae7c6a78ae94e5429a6a927f3aba1eb4c6bb6255791c3112cd72c175f05f231448a13d3eb

data/.gitignore

@@ -0,0 +1,2 @@
+*.rbc
+*.sassc

data/LICENSE

@@ -0,0 +1,20 @@
+The MIT License (MIT)
+
+Copyright (c) 2013 Igor Bochkariov
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,4 @@
+tight-engine
+============
+
+A tight engine for a swift content management system

data/Rakefile

@@ -0,0 +1,15 @@
+RAKE_ROOT = __FILE__
+
+require 'rubygems'
+require 'rake'
+require 'rake/testtask'
+require 'bundler/gem_tasks'
+require 'minitest/autorun'
+
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'test'
+  test.test_files = Dir['test/**/test_*.rb']
+  test.verbose = true
+end
+
+task :default => :test

data/lib/tight/version.rb

@@ -0,0 +1,3 @@
+module Tight
+  VERSION = '0.0.1'
+end

data/lib/tight-auth/access.rb

@@ -0,0 +1,148 @@
+require 'tight-auth/permissions'
+
+module Tight
+  ##
+  # Tight authorization module.
+  #
+  # @example
+  #   class Nifty::Application < Tight::Application
+  #     # optional settings
+  #     set :credentials_reader, :visitor # the name of getter method in helpers
+  #     # required statement
+  #     register Tight::Access
+  #     # example persistance storage
+  #     enable :sessions
+  #   end
+  #
+  #   # optional helpers
+  #   Nifty::Application.helpers do
+  #     def visitor
+  #       session[:visitor] ||= Visitor.guest_account
+  #     end
+  #   end
+  #
+  #   # example visitor model
+  #   module Visitor
+  #     extend self
+  #     def guest_account
+  #       OpenStruct.new(:role => :guest, :id => 1)
+  #     end
+  #   end
+  #
+  #   # example controllers
+  #   Nifty::Application.controller :public_area do
+  #     set_access :*
+  #     get(:index){ 'public content' }
+  #   end
+  #   Nifty::Application.controller :members_area do
+  #     set_access :member
+  #     get(:index){ 'secret content' }
+  #   end
+  #   Nifty::Application.controller :login do
+  #     set_access :*
+  #     get(:index){ session[:visitor] = OpenStruct.new(:role => :guest, :id => 1) }
+  #   end
+  #
+  module Access
+    class << self
+      def registered(app)
+        included(app)
+        app.default(:credentials_reader, :credentials)
+        app.default(:access_errors, true)
+        app.send :attr_reader, app.credentials_reader unless app.instance_methods.include?(app.credentials_reader)
+        app.set :permissions, Permissions.new
+        app.login_permissions if app.respond_to?(:login_permissions)
+        app.before do
+          authorized? || error(403, '403 Forbidden')
+        end
+      end
+
+      def included(base)
+        base.send(:include, InstanceMethods)
+        base.extend(ClassMethods)
+      end
+    end
+
+    module ClassMethods
+      ##
+      # Empties the list of permission.
+      #
+      def reset_access!
+        permissions.clear!
+      end
+
+      ##
+      # Allows access to action with objects.
+      #
+      # @example
+      #   # in application
+      #   set_access :*, :with => :login # allows everyone to interact with :login controller
+      #   # in controller
+      #   App.controller :members_area do
+      #     set_access :member # allows all members to access :members_area controller
+      #   end
+      #
+      def set_access(*args)
+        options = args.extract_options!
+        options[:object] ||= Array(@_controller).first.to_s.singularize.to_sym if @_controller.present?
+        permissions.add(*args, options)
+      end
+    end
+
+    module InstanceMethods
+      ##
+      # Checks if current visitor has access to current action with current controller.
+      #
+      def authorized?
+        access_action?
+      end
+
+      ##
+      # Returns current visitor.
+      #
+      def access_subject
+        send settings.credentials_reader
+      end
+
+      ##
+      # Checks if current visitor is one of the specified roles. Can accept a block.
+      #
+      def access_role?(*roles, &block)
+        settings.permissions.check(access_subject, :have => roles, &block)
+      end
+
+      ##
+      # Checks if current visitor is allowed to to the action with object. Can accept a block.
+      #
+      def access_action?(action = nil, object = nil, &block)
+        return true if response.status/100 == 4 && settings.access_errors
+        if respond_to?(:request) && action.nil? && object.nil?
+          object = request.controller
+          action = request.action
+          if object.nil? && action.present? && action.to_s.index('/')
+            object, action = request.env['PATH_INFO'].to_s.scan(/\/([^\/]*)/).map(&:first)
+          end
+          object ||= :''
+          action ||= :index
+          object = object.to_sym
+          action = action.to_sym
+        end
+        settings.permissions.check(access_subject, :allow => action, :with => object, &block)
+      end
+
+      ##
+      # Check if current visitor is allowed to interact with object by action. Can accept a block.
+      #
+      def access_object?(object = nil, action = nil, &block)
+        allow_action action, object, &block
+      end
+
+      ##
+      # Populates the list of objects the current visitor is allowed to interact with.
+      #
+      def access_objects(subject = access_subject, action = nil)
+        settings.permissions.find_objects(subject, action)
+      end
+    end
+  end
+end

data/lib/tight-auth/login/controller.rb

@@ -0,0 +1,20 @@
+module Tight
+  module Login
+    module Controller
+      def self.included(base)
+        base.get :index do
+          render :slim, :"new", :layout => :"layout", :views => File.dirname(__FILE__)
+        end
+        base.post :index do
+          if authenticate
+            restore_location
+          else
+            params.delete 'password'
+            flash.now[:error] = 'Wrong password'
+            render :slim, :"new", :layout => :"layout", :views => File.dirname(__FILE__)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/tight-auth/login/layout.slim

@@ -0,0 +1,10 @@
+doctype html
+html
+  head
+    meta charset="utf-8"
+    meta name="robots" content="noindex"
+    title Padrino::Login
+    link rel="stylesheet" href="//netdna.bootstrapcdn.com/bootstrap/2.3.2/css/bootstrap.min.css"
+  body
+    .container.login style='width: 287px'
+      = yield

data/lib/tight-auth/login/new.slim

@@ -0,0 +1,37 @@
+h3
+  | Login
+  br
+  small
+    a href=url('/') = request.env['HTTP_HOST']
+
+form.form-horizontal.well action=''
+  - [:error, :warning, :success, :notice].each do |type|
+    - next  if flash[type].blank?
+    .alert.alert-message class=('alert-' + (type == :notice ? :info : type).to_s) data-alert=true
+      = flash[type]
+
+  legend Social
+  .control-group
+    a href=url('/oauth/google')
+      img src='/images/social/google.png'
+
+  legend Obsolete
+  .control-group
+    .input-prepend
+      span.add-on
+        i.icon-envelope
+      input type=:text name=:email value=params[:email] placeholder='email'
+  .control-group
+    .input-prepend
+      span.add-on
+        i.icon-lock
+      input type=:password name=:password value=params[:password] placeholder='password'
+  .control-group
+    input.btn.btn-primary.pull-right type=:submit Log in
+    - if settings.login_bypass
+      label.checkbox
+        | Bypass
+        input type=:checkbox name=:bypass value='Bypass'
+
+small
+  a href=url('/login/reset_password') Forgot password?

data/lib/tight-auth/login.rb

@@ -0,0 +1,138 @@
+require 'tight-auth/login/controller'
+
+module Tight
+  ##
+  # Tight authentication module.
+  #
+  # @example
+  #   class Nifty::Application < Tight::Application
+  #     # optional settings
+  #     set :session_key, "visitor_id"       # visitor key name in session storage, defaults to "_login_#{app.app_name}")
+  #     set :login_model, :visitor          # model name for visitor storage, defaults to :account, must be constantizable
+  #     set :credentials_accessor, :visitor # the name of setter/getter method in helpers, defaults to :credentials
+  #     enable :login_bypass                # enables or disables login bypass in development mode, defaults to disable
+  #     set :login_url, '/sign/in'          # sets the utl to be redirected to if not logged in and in restricted area, defaults to '/login'
+  #     disable :login_permissions          # sets initial login permissions, defaults to { set_access(:*, :allow => :*, :with => :login) }
+  #     disable :login_controller           # disables default login controller to show an example of the custom one
+  #
+  #     # required statement
+  #     register Tight::Login
+  #     # example persistance storage
+  #     enable :sessions
+  #   end
+  #
+  #   TODO: example controllers
+  #
+  module Login
+    class << self
+      def registered(app)
+        warn 'Tight::Login must be registered before Tight::Access' if app.respond_to?(:set_access)
+        included(app)
+        setup_storage(app)
+        setup_controller(app)
+        app.before do
+          log_in if authorization_required?
+        end
+      end
+
+      def included(base)
+        base.send(:include, InstanceMethods)
+      end
+
+      private
+
+      def setup_storage(app)
+        app.default(:session_key, "_login_#{app.app_name}")
+        app.default(:login_model, :account)
+        app.default(:credentials_accessor, :credentials)
+        app.send :attr_reader, app.credentials_accessor unless app.instance_methods.include?(app.credentials_accessor)
+        app.send :attr_writer, app.credentials_accessor unless app.instance_methods.include?(:"#{app.credentials_accessor}=")
+        app.default(:login_bypass, false)
+      end
+
+      def setup_controller(app)
+        app.default(:login_url, '/login')
+        app.default(:login_permissions) { set_access(:*, :allow => :*, :with => :login) }
+        app.default(:login_controller, true)
+        app.controller(:login) { include Controller } if app.login_controller
+      end
+    end
+
+    module InstanceMethods
+      # Returns the model used to authenticate visitors.
+      def login_model
+        @login_model ||= settings.login_model.to_s.classify.constantize
+      end
+
+      # Authenticates the visitor.
+      def authenticate
+        resource = login_model.authenticate(:email => params[:email], :password => params[:password])
+        resource ||= login_model.authenticate(:bypass => true) if settings.login_bypass && params[:bypass]
+        save_credentials(resource)
+      end
+
+      # Checks if the visitor is authenticated.
+      def logged_in?
+        !!(send(settings.credentials_accessor) || restore_credentials)
+      end
+
+      # Looks for authorization routine and calls it to check if the visitor is authorized.
+      def unauthorized?
+        respond_to?(:authorized?) && !authorized?
+      end
+
+      # Checks if the current location needs the visitor to be authorized.
+      def authorization_required?
+        if logged_in?
+          if unauthorized?
+            # 403 Forbidden, provided credentials were successfully
+            # authenticated but the credentials still do not grant
+            # the client permission to access the resource
+            error 403, '403 Forbidden'
+          else
+            false
+          end
+        else
+          unauthorized?
+        end
+      end
+
+      # Logs the visitor in using redirect to login page url.
+      def log_in
+        login_url = settings.login_url
+        if request.env['PATH_INFO'] != login_url
+          save_location
+          # 302 Found
+          redirect url(login_url) 
+          # 401 Unauthorized, authentication is required and
+          # has not yet been provided
+          error 401, '401 Unauthorized'
+        end
+      end
+
+      # Saves credentials in session.
+      def save_credentials(resource)
+        session[settings.session_key] = resource.respond_to?(:id) ? resource.id : resource
+        send(:"#{settings.credentials_accessor}=", resource)
+      end
+
+      # Restores credentials from session using visitor model.
+      def restore_credentials
+        resource = login_model.authenticate(:id => session[settings.session_key])
+        send(:"#{settings.credentials_accessor}=", resource)
+      end
+
+      # Redirects back to saved location or '/'
+      def restore_location
+        redirect session.delete(:return_to) || url('/')
+      end
+
+      # Saves location to session for following redirect in case of successful authentication.
+      def save_location
+        uri = env['REQUEST_URI'] || url(env['PATH_INFO'])
+        return if uri.blank? || uri.match(/\.css$|\.js$|\.png$/)
+        session[:return_to] = "#{ENV['RACK_BASE_URI']}#{uri}"
+      end
+    end
+  end
+end

data/lib/tight-auth/permissions.rb

@@ -0,0 +1,180 @@
+module Tight
+  ##
+  # Class to store and check permissions used in Padrino::Access.
+  #
+  class Permissions
+    ##
+    # Initializes new permissions storage.
+    #
+    # @example
+    #   permissions = Permissions.new
+    #
+    def initialize
+      clear!
+    end
+
+    ##
+    # Clears permit records and action cache.
+    #
+    # @example
+    #   permissions.clear!
+    #
+    def clear!
+      @permits = {}
+      @actions = {}
+    end
+
+    ##
+    # Adds a permission record to storage.
+    #
+    # @param [Symbol || Object] subject
+    #   permit subject
+    # @param [Hash] options
+    #   permit attributes
+    # @param [Symbol] options[:allow] || options[:action]
+    #   what action to allow with objects
+    # @param [Symbol] options[:with] || options[:object]
+    #   with what objects allow specified action
+    #
+    # @example
+    #   permissions.add :robots, :allow => :protect, :object => :humans
+    #   permissions.add @bender, :allow => :kill, :object => :humans
+    #
+    def add(*args)
+      @actions = {}
+      options = args.extract_options!
+      action, object = action_and_object(options)
+      object_type = detect_type(object)
+      args.each{ |subject| merge(subject, action, object_type) }
+    end
+
+    ##
+    # Checks if permission record exists. Returns a boolean or yield a block.
+    #
+    # @param [Object] subject
+    #   performer of an action
+    # @param [Hash] options
+    #   attributes to check
+    # @param [Symbol] options[:have]
+    #   check if the subject has a role
+    # @param [Symbol] options[:allow] || options[:action]
+    #   check if the subject is allowed to perform the action
+    # @param [Symbol] options[:with] || options[:object]
+    #   check if the subject is allowed to interact with the subject
+    # @param [Proc]
+    #   optional block to yield if the action is allowed
+    #
+    # @example
+    #   # check if @bender have role :robots
+    #   permissions.check @bender, :have => :robots # => true
+    #   # check if @bender is allowed to kill :humans
+    #   permissions.check @bender, :allow => :kill, :object => :humans # => true
+    #   # check if @bender is allowed to kill :humans and yield a block
+    #   permissions.check @bender, :allow => :kill, :object => :humans do
+    #     @bender.kill_all! :humans
+    #   end
+    #
+    def check(subject, options)
+      case
+      when options[:have]
+        check_role(subject, options[:have])
+      else
+        check_action(subject, *action_and_object(options))
+      end && (block_given? ? yield : true)
+    end
+
+    ##
+    # Populates and returns the list of objects available to the subject.
+    #
+    # @param [Object] subject
+    #   the subject to be checked for actions
+    #
+    def find_objects(subject, target_action=nil)
+      find_actions(subject).inject([]) do |all,(action,objects)|
+        all |= objects if target_action.nil? || action == target_action || action == :*
+        all
+      end
+    end
+
+    private
+
+    # Merges a list of new permits into permissions storage.
+    def merge(subject, actions, object_type)
+      subject_id = detect_id(subject)
+      @permits[subject_id] ||= {}
+      Array(actions).each do |action|
+        @permits[subject_id][action] ||= []
+        @permits[subject_id][action] |= [object_type]
+      end
+    end
+
+    # Checks if the subject has the role.
+    def check_role(subject, roles)
+      if subject.respond_to?(:role)
+        Array(roles).include?(subject.role)
+      else
+        false
+      end
+    end
+
+    # Checks if the subject is allowed to perform the action with the object.
+    def check_action(subject, action, object)
+      actions = find_actions(subject)
+      objects = actions && (Array(actions[action]) | Array(actions[:*]))
+      objects && (objects & [:*, detect_type(object)]).any?
+    end
+
+    # Finds all permits for the subject. Caches the permits in @actions.
+    #   find_actions(@bender) # => { :kill => { :humans }, :drink => { :booze }, :* => { :login } }
+    def find_actions(subject)
+      subject_id = detect_id(subject)
+      return @actions[subject_id] if @actions[subject_id]
+      actions = @permits[subject_id] || {}
+      if subject.respond_to?(:role) && (role_actions = @permits[subject.role.to_sym])
+        actions.merge!(role_actions){ |_,left,right| Array(left)|Array(right) }
+      end
+      if public_actions = @permits[:*]
+        actions.merge!(public_actions){ |_,left,right| Array(left)|Array(right) }
+      end
+      @actions[subject_id] = actions
+    end
+
+    # Returns object type.
+    #   detect_type :humans # => :human
+    #   detect_type 'foobar' # => 'foobar'
+    def detect_type(object)
+      case object
+      when Symbol
+        object.to_s.singularize.to_sym
+      else
+        object
+      end
+    end
+
+    # Returns parametrized subject.
+    #   detect_id :robots               # => :robots
+    #   detect_id sluggable_ar_resource # => 'Sluggable-resource-slug'
+    #   detect_id some_resource_with_id # => '4'
+    #   detect_id generic_object        # => "<Object:0x00001234>"
+    def detect_id(subject)
+      case
+      when Symbol === subject
+        subject
+      when subject.respond_to?(:to_param)
+        subject.to_param
+      when subject.respond_to?(:id)
+        subject.id.to_s
+      else
+        "#{subject}"
+      end
+    end
+
+    # Utility function to extract action and object from options. Defaults to [:*, :*]
+    #   action_and_object(:allow => :kill, :object => :humans)    # => [:kill, :humans]
+    #   action_and_object(:action => :romance, :with => :mutants) # => [:romance, :mutants]
+    #   action_and_object({})                                     # => [:*, :*]
+    def action_and_object(options)
+      [options[:allow] || options[:action] || :*, options[:with] || options[:object] || :*]
+    end
+  end
+end

data/lib/tight-auth.rb

@@ -0,0 +1,10 @@
+require 'sinatra/base'
+
+class Sinatra::Base
+  def self.default(option, *args, &block)
+    set(option, *args, &block) unless respond_to?(option)
+  end
+end
+
+require 'tight-auth/access'
+require 'tight-auth/login'

data/test/auth_helper.rb

@@ -0,0 +1,83 @@
+ENV['RACK_ENV'] = 'test'
+
+require 'padrino-core'
+require 'tight-auth'
+require 'minitest/autorun'
+require 'rack/test'
+
+module TightLogger
+  attr_accessor :io
+  def self.io
+    @io ||= StringIO.new
+  end
+end
+
+Padrino::Logger::Config[:test] = { :log_level => :devel, :stream => TightLogger.io }
+
+class Minitest::Spec
+  include Rack::Test::Methods
+
+  def mock_app(base=Padrino::Application, &block)
+    @app = Sinatra.new(base, &block)
+  end
+
+  def app
+    Rack::Lint.new(@app)
+  end
+
+  def set_access(*args)
+    @app.set_access(*args)
+  end
+
+  def allow(subject = nil, path = '/')
+    @app.fake_session[:visitor] = nil
+    get "/login/#{subject.id}" if subject
+    get path
+    assert_equal 200, status, caller.first.to_s
+  end
+
+  def deny(subject = nil, path = '/')
+    @app.fake_session[:visitor] = nil
+    get "/login/#{subject.id}" if subject
+    get path
+    assert_equal 403, status, caller.first.to_s
+  end
+
+  def status
+    response.status
+  end
+
+  def body
+    response.body
+  end
+
+  def response
+    last_response
+  end
+end
+
+module Character
+  extend self
+
+  def authenticate(credentials)
+    case
+    when credentials[:email] && credentials[:password]
+      target = all.find{ |resource| resource.id.to_s == credentials[:email] }
+      target.name.gsub(/[^A-Z]/,'') == credentials[:password] ? target : nil
+    when credentials.has_key?(:id)
+      all.find{ |resource| resource.id == credentials[:id] }
+    else
+      false
+    end
+  end
+
+  def all
+    @all = [
+      OpenStruct.new(:id => :bender,   :name => 'Bender Bending Rodriguez', :role => :robots  ),
+      OpenStruct.new(:id => :leela,    :name => 'Turanga Leela',            :role => :mutants ),
+      OpenStruct.new(:id => :fry,      :name => 'Philip J. Fry',            :role => :humans  ),
+      OpenStruct.new(:id => :ami,      :name => 'Amy Wong',                 :role => :humans  ),
+      OpenStruct.new(:id => :zoidberg, :name => 'Dr. John A. Zoidberg',     :role => :lobsters),
+    ]
+  end
+end

data/test/test_padrino_access.rb

@@ -0,0 +1,124 @@
+require File.expand_path('../auth_helper', __FILE__)
+
+describe "Tight::Access" do
+  before do
+    mock_app do
+      set :credentials_reader, :visitor
+      register Tight::Access
+      set_access :*, :allow => :login
+      set :users, Character.all
+      get(:login, :with => :id) do
+        user = settings.users.find{ |user| user.id.to_s == params[:id] }
+        self.send(:"#{settings.credentials_reader}=", user)
+      end
+      get(:index){ 'foo' }
+      get(:bend){ 'bend' }
+      get(:drink){ 'bend' }
+      get(:subject){ self.send(settings.credentials_reader).inspect }
+      get(:stop_partying){ 'stop partying' }
+      controller :surface do
+        get(:live) { 'live on the surface' }
+      end
+      controller :sewers do
+        get(:live) { 'live in the sewers' }
+        get(:visit) { 'visit the sewers' }
+      end
+      set :fake_session, {}
+      helpers do
+        def visitor
+          settings.fake_session[:visitor]
+        end
+        def visitor=(user)
+          settings.fake_session[:visitor] = user
+        end
+      end
+    end
+    Character.all.each do |user|
+      instance_variable_set :"@#{user.id}", user
+    end
+  end
+
+  it 'should register with authorization module' do
+    assert @app.respond_to? :set_access
+    assert_kind_of Tight::Permissions, @app.permissions
+  end
+
+  it 'should properly detect access subject' do
+    set_access :*
+    get '/login/ami'
+    get '/subject'
+    assert_equal @ami.inspect, body
+  end
+
+  it 'should reset access properly' do
+    set_access :*
+    allow
+    @app.reset_access!
+    deny
+  end
+
+  it 'should set group access' do
+    # only humans should be allowed on TV
+    set_access :humans
+    allow @fry
+    deny @bender
+  end
+
+  it 'should set individual access' do
+    # only Fry should be allowed to romance Leela
+    set_access @fry
+    allow @fry
+    deny @ami
+  end
+
+  it 'should set mixed individual and group access' do
+    # only humans and Leela should be allowed on the surface
+    set_access :humans
+    set_access @leela
+    allow @fry
+    allow @leela
+  end
+
+  it 'should set action-specific access' do
+    # bender should be allowed to bend, and he's denied to stop partying
+    set_access @bender, :allow => :bend
+    set_access @fry, :allow => :stop_partying
+    allow @bender, '/bend'
+    deny @bender, '/stop_partying'
+    allow @fry, '/stop_partying'
+    deny @fry, '/bend'
+  end
+
+  it 'should set multiple action' do
+    # bender should be allowed to bend and drink
+    set_access @bender, :allow => [:drink, :bend]
+    allow @bender, '/drink'
+    allow @bender, '/bend'
+  end
+
+  it 'should set object-specific access' do
+    # only humans and Leela should be allowed to live on the surface
+    # only mutants should be allowed to live in the sewers though humans can visit
+    set_access :humans, :allow => :live, :with => :surface
+    set_access :mutants, :allow => :live, :with => :sewers
+    set_access @leela, :allow => :live, :with => :surface
+    set_access :humans, :allow => :visit, :with => :sewers
+    allow @fry, '/surface/live'
+    deny @fry, '/sewers/live'
+    allow @fry, '/sewers/visit'
+    allow @leela, '/surface/live'
+    allow @leela, '/sewers/live'
+  end
+
+  it 'should detect object when setting access from controller' do
+    # only humans and lobsters should have binocular vision
+    @app.controller :binocular do
+      set_access :humans, :lobsters
+      get(:vision) { 'binocular vision' }
+    end
+    deny @fry, '/'
+    allow @fry, '/binocular/vision'
+    allow @zoidberg, '/binocular/vision'
+    deny @leela, '/binocular/vision'
+  end
+end

data/test/test_padrino_auth.rb

@@ -0,0 +1,38 @@
+require File.expand_path('../auth_helper', __FILE__)
+
+Account = Character
+
+describe "Tight::Auth" do
+  before do
+    mock_app do
+      enable :sessions
+      register Tight::Login
+      register Tight::Access
+      get(:robot_area){ 'robot_area' }
+      set_access :robots, :allow => :robot_area
+    end
+  end
+
+  it 'should login and access play nicely together' do
+    get '/robot_area'
+    assert_equal 302, status
+
+    post '/login', :email => :bender, :password => 'BBR'
+    get '/robot_area'
+    assert_equal 200, status
+
+    post '/login', :email => :leela, :password => 'TL'
+    get '/robot_area'
+    assert_equal 403, status
+  end
+
+  it 'should whine if the order is wrong' do
+    out, err = capture_io do
+      mock_app do
+        register Tight::Access
+        register Tight::Login
+      end
+    end
+    assert_match /must be registered before/, err
+  end
+end

data/test/test_padrino_login.rb

@@ -0,0 +1,76 @@
+require File.expand_path('../auth_helper', __FILE__)
+require 'padrino-helpers'
+
+describe "Tight::Access" do
+  before do
+    mock_app do
+      set :credentials_accessor, :visitor
+      set :login_model, :character
+      enable :sessions
+      register Tight::Login
+      get(:index){ 'index' }
+      get(:restricted){ 'secret' }
+      helpers do
+        def authorized?
+          return !['/restricted'].include?(request.env['PATH_INFO']) unless visitor
+          case 
+          when visitor.id == :bender
+            true
+          else
+            false            
+          end
+        end
+      end
+    end
+    Character.all.each do |user|
+      instance_variable_set :"@#{user.id}", user
+    end
+  end
+
+  it 'should pass unrestricted area' do
+    get '/'
+    assert_equal 200, status
+  end
+
+  it 'should be redirected from restricted area to login page' do
+    get '/restricted'
+    assert_equal 302, status
+    get response.location
+    assert_equal 200, status
+    assert_match /<form .*<input .*/, body
+  end
+
+  it 'should not be able to authenticate with wrong password' do
+    post '/login', :email => :bender, :password => '123'
+    assert_equal 200, status
+    assert_match 'Wrong password', body
+  end
+
+  it 'should be able to authenticate with email and password' do
+    post '/login', :email => :bender, :password => 'BBR'
+    assert_equal 302, status
+  end
+
+  it 'should be redirected back' do
+    get '/restricted'
+    post response.location, :email => :bender, :password => 'BBR'
+    assert_match /\/restricted$/, response.location
+  end
+
+  it 'should be redirected to root if no location was saved' do
+    post '/login', :email => :bender, :password => 'BBR'
+    assert_match /\/$/, response.location
+  end
+
+  it 'should be allowed in restricted area after logging in' do
+    post '/login', :email => :bender, :password => 'BBR'
+    get '/restricted'
+    assert_equal 'secret', body
+  end
+
+  it 'should not be allowed in restricted area after logging in an account lacking privileges' do
+    post '/login', :email => :leela, :password => 'TL'
+    get '/restricted'
+    assert_equal 403, status
+  end
+end

data/tight-engine.gemspec

@@ -0,0 +1,23 @@
+$LOAD_PATH << File.expand_path('../lib', __FILE__)
+require 'tight/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'tight-engine'
+  spec.version       = Tight::VERSION
+  spec.description   = 'Tight engine for Swift CMS'
+  spec.summary       = 'A tight engine for a swift content management system'
+
+  spec.authors       = ['Igor Bochkariov']
+  spec.email         = ['ujifgc@gmail.com']
+  spec.homepage      = 'https://github.com/ujifgc/tight-engine'
+  spec.license       = 'MIT'
+
+  spec.require_paths = ['lib']
+  spec.files         = `git ls-files`.split($/)
+  spec.test_files    = spec.files.grep(%r{^test/})
+
+  spec.add_development_dependency 'bundler', '~> 1.3'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'minitest'
+  spec.add_development_dependency 'padrino-core'
+end

metadata

@@ -0,0 +1,122 @@
+--- !ruby/object:Gem::Specification
+name: tight-engine
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Igor Bochkariov
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-03-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: padrino-core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Tight engine for Swift CMS
+email:
+- ujifgc@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- LICENSE
+- README.md
+- Rakefile
+- lib/tight-auth.rb
+- lib/tight-auth/access.rb
+- lib/tight-auth/login.rb
+- lib/tight-auth/login/controller.rb
+- lib/tight-auth/login/layout.slim
+- lib/tight-auth/login/new.slim
+- lib/tight-auth/permissions.rb
+- lib/tight/version.rb
+- test/auth_helper.rb
+- test/test_padrino_access.rb
+- test/test_padrino_auth.rb
+- test/test_padrino_login.rb
+- tight-engine.gemspec
+homepage: https://github.com/ujifgc/tight-engine
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: A tight engine for a swift content management system
+test_files:
+- test/auth_helper.rb
+- test/test_padrino_access.rb
+- test/test_padrino_auth.rb
+- test/test_padrino_login.rb
+has_rdoc: