timcharper-declarative_authorization 0.4.1.2

Sign up to get free protection for your applications and to get access to all the features.
Files changed (42) hide show
  1. data/CHANGELOG +135 -0
  2. data/MIT-LICENSE +20 -0
  3. data/README.rdoc +503 -0
  4. data/Rakefile +43 -0
  5. data/app/controllers/authorization_rules_controller.rb +259 -0
  6. data/app/controllers/authorization_usages_controller.rb +23 -0
  7. data/app/helpers/authorization_rules_helper.rb +218 -0
  8. data/app/views/authorization_rules/_change.erb +58 -0
  9. data/app/views/authorization_rules/_show_graph.erb +37 -0
  10. data/app/views/authorization_rules/_suggestions.erb +48 -0
  11. data/app/views/authorization_rules/change.html.erb +169 -0
  12. data/app/views/authorization_rules/graph.dot.erb +68 -0
  13. data/app/views/authorization_rules/graph.html.erb +40 -0
  14. data/app/views/authorization_rules/index.html.erb +17 -0
  15. data/app/views/authorization_usages/index.html.erb +36 -0
  16. data/authorization_rules.dist.rb +20 -0
  17. data/config/routes.rb +7 -0
  18. data/garlic_example.rb +20 -0
  19. data/init.rb +5 -0
  20. data/lib/declarative_authorization.rb +15 -0
  21. data/lib/declarative_authorization/authorization.rb +683 -0
  22. data/lib/declarative_authorization/development_support/analyzer.rb +252 -0
  23. data/lib/declarative_authorization/development_support/change_analyzer.rb +253 -0
  24. data/lib/declarative_authorization/development_support/change_supporter.rb +620 -0
  25. data/lib/declarative_authorization/development_support/development_support.rb +243 -0
  26. data/lib/declarative_authorization/helper.rb +60 -0
  27. data/lib/declarative_authorization/in_controller.rb +623 -0
  28. data/lib/declarative_authorization/in_model.rb +162 -0
  29. data/lib/declarative_authorization/maintenance.rb +198 -0
  30. data/lib/declarative_authorization/obligation_scope.rb +345 -0
  31. data/lib/declarative_authorization/rails_legacy.rb +14 -0
  32. data/lib/declarative_authorization/reader.rb +472 -0
  33. data/test/authorization_test.rb +971 -0
  34. data/test/controller_filter_resource_access_test.rb +511 -0
  35. data/test/controller_test.rb +465 -0
  36. data/test/dsl_reader_test.rb +157 -0
  37. data/test/helper_test.rb +171 -0
  38. data/test/maintenance_test.rb +46 -0
  39. data/test/model_test.rb +1694 -0
  40. data/test/schema.sql +54 -0
  41. data/test/test_helper.rb +134 -0
  42. metadata +119 -0
@@ -0,0 +1,157 @@
1
+ require File.join(File.dirname(__FILE__), 'test_helper.rb')
2
+
3
+ class DSLReaderTest < Test::Unit::TestCase
4
+ def test_privileges
5
+ reader = Authorization::Reader::DSLReader.new
6
+ reader.parse %{
7
+ privileges do
8
+ privilege :test_priv do
9
+ includes :lower_priv
10
+ end
11
+ end
12
+ }
13
+ assert_equal 2, reader.privileges_reader.privileges.length
14
+ assert_equal [[:lower_priv, nil]],
15
+ reader.privileges_reader.privilege_hierarchy[:test_priv]
16
+ end
17
+
18
+ def test_privileges_with_context
19
+ reader = Authorization::Reader::DSLReader.new
20
+ reader.parse %{
21
+ privileges do
22
+ privilege :test_priv, :test_context do
23
+ includes :lower_priv
24
+ end
25
+ end
26
+ }
27
+ assert_equal [[:lower_priv, :test_context]],
28
+ reader.privileges_reader.privilege_hierarchy[:test_priv]
29
+ end
30
+
31
+ def test_privileges_one_line
32
+ reader = Authorization::Reader::DSLReader.new
33
+ reader.parse %{
34
+ privileges do
35
+ privilege :test_priv, :test_context, :includes => :lower_priv
36
+ privilege :test_priv_2, :test_context, :includes => [:lower_priv]
37
+ privilege :test_priv_3, :includes => [:lower_priv]
38
+ end
39
+ }
40
+ assert_equal [[:lower_priv, :test_context]],
41
+ reader.privileges_reader.privilege_hierarchy[:test_priv]
42
+ assert_equal [[:lower_priv, :test_context]],
43
+ reader.privileges_reader.privilege_hierarchy[:test_priv_2]
44
+ assert_equal [[:lower_priv, nil]],
45
+ reader.privileges_reader.privilege_hierarchy[:test_priv_3]
46
+ end
47
+
48
+ def test_auth_role
49
+ reader = Authorization::Reader::DSLReader.new
50
+ reader.parse %{
51
+ authorization do
52
+ role :test_role do
53
+ includes :lesser_role
54
+ has_permission_on :items, :to => :read
55
+ end
56
+ end
57
+ }
58
+ assert_equal 1, reader.auth_rules_reader.roles.length
59
+ assert_equal [:lesser_role], reader.auth_rules_reader.role_hierarchy[:test_role]
60
+ assert_equal 1, reader.auth_rules_reader.auth_rules.length
61
+ end
62
+
63
+ def test_auth_role_permit_on
64
+ reader = Authorization::Reader::DSLReader.new
65
+ reader.parse %|
66
+ authorization do
67
+ role :test_role do
68
+ has_permission_on :test_context do
69
+ to :test_perm, :manage
70
+ if_attribute :test_attr => is { user.test_attr }
71
+ end
72
+ end
73
+ end
74
+ |
75
+ assert_equal 1, reader.auth_rules_reader.roles.length
76
+ assert_equal 1, reader.auth_rules_reader.auth_rules.length
77
+ assert reader.auth_rules_reader.auth_rules[0].matches?(:test_role, [:test_perm], :test_context)
78
+ assert reader.auth_rules_reader.auth_rules[0].matches?(:test_role, [:manage], :test_context)
79
+ end
80
+
81
+ def test_permit_block
82
+ reader = Authorization::Reader::DSLReader.new
83
+ reader.parse %|
84
+ authorization do
85
+ role :test_role do
86
+ has_permission_on :perms, :to => :test do
87
+ if_attribute :test_attr => is { user.test_attr }
88
+ if_attribute :test_attr_2 => is_not { user.test_attr }
89
+ if_attribute :test_attr_3 => contains { user.test_attr }
90
+ if_attribute :test_attr_4 => does_not_contain { user.test_attr }
91
+ if_attribute :test_attr_5 => is_in { user.test_attr }
92
+ if_attribute :test_attr_5 => is_not_in { user.test_attr }
93
+ end
94
+ end
95
+ end
96
+ |
97
+ assert_equal 1, reader.auth_rules_reader.roles.length
98
+ assert_equal 1, reader.auth_rules_reader.auth_rules.length
99
+ assert reader.auth_rules_reader.auth_rules[0].matches?(:test_role, [:test], :perms)
100
+ end
101
+
102
+ def test_has_permission_to_with_context
103
+ reader = Authorization::Reader::DSLReader.new
104
+ reader.parse %|
105
+ authorization do
106
+ role :test_role do
107
+ has_permission_on :perms, :to => :test
108
+ end
109
+ end
110
+ |
111
+ assert_equal 1, reader.auth_rules_reader.roles.length
112
+ assert_equal 1, reader.auth_rules_reader.auth_rules.length
113
+ assert reader.auth_rules_reader.auth_rules[0].matches?(:test_role, [:test], :perms)
114
+ end
115
+
116
+ def test_context
117
+ reader = Authorization::Reader::DSLReader.new
118
+ reader.parse %{
119
+ contexts do
120
+ context :high_level_context do
121
+ includes :low_level_context_1, :low_level_context_2
122
+ end
123
+ end
124
+ }
125
+ end
126
+
127
+ def test_dsl_error
128
+ reader = Authorization::Reader::DSLReader.new
129
+ assert_raise(Authorization::Reader::DSLError) do
130
+ reader.parse %{
131
+ authorization do
132
+ includes :lesser_role
133
+ end
134
+ }
135
+ end
136
+ end
137
+
138
+ def test_syntax_error
139
+ reader = Authorization::Reader::DSLReader.new
140
+ assert_raise(Authorization::Reader::DSLSyntaxError) do
141
+ reader.parse %{
142
+ authorizations do
143
+ end
144
+ }
145
+ end
146
+ end
147
+
148
+ def test_syntax_error_2
149
+ reader = Authorization::Reader::DSLReader.new
150
+ assert_raise(Authorization::Reader::DSLSyntaxError) do
151
+ reader.parse %{
152
+ authorizations
153
+ end
154
+ }
155
+ end
156
+ end
157
+ end
@@ -0,0 +1,171 @@
1
+ require File.join(File.dirname(__FILE__), 'test_helper.rb')
2
+ require File.join(File.dirname(__FILE__), %w{.. lib declarative_authorization helper})
3
+
4
+
5
+ class HelperMocksController < MocksController
6
+ filter_access_to :action, :require => :show, :context => :mocks
7
+ define_action_methods :action
8
+ end
9
+ class HelperTest < ActionController::TestCase
10
+ tests HelperMocksController
11
+ include Authorization::AuthorizationHelper
12
+ attr_reader :controller
13
+
14
+ def test_permit
15
+ reader = Authorization::Reader::DSLReader.new
16
+ reader.parse %{
17
+ authorization do
18
+ role :test_role do
19
+ has_permission_on :mocks, :to => :show
20
+ end
21
+ role :test_role_2 do
22
+ has_permission_on :mocks, :to => :update
23
+ end
24
+ end
25
+ }
26
+ user = MockUser.new(:test_role)
27
+ request!(user, :action, reader)
28
+
29
+ assert permitted_to?(:show, :mocks)
30
+ assert !permitted_to?(:update, :mocks)
31
+
32
+ block_evaled = false
33
+ permitted_to?(:show, :mocks) do
34
+ block_evaled = true
35
+ end
36
+ assert block_evaled
37
+
38
+ block_evaled = false
39
+ permitted_to?(:update, :mocks) do
40
+ block_evaled = true
41
+ end
42
+ assert !block_evaled
43
+ end
44
+
45
+ def test_permit_with_object
46
+ reader = Authorization::Reader::DSLReader.new
47
+ reader.parse %{
48
+ authorization do
49
+ role :test_role do
50
+ has_permission_on :mocks do
51
+ to :show
52
+ if_attribute :test_attr => is {user.test_attr}
53
+ end
54
+ end
55
+ end
56
+ }
57
+ user = MockUser.new(:test_role, :test_attr => 1)
58
+ mock = MockDataObject.new(:test_attr => 1)
59
+ mock_2 = MockDataObject.new(:test_attr => 2)
60
+ request!(user, :action, reader)
61
+
62
+ assert permitted_to?(:show, mock)
63
+ assert permitted_to?(:show, :mocks)
64
+ assert !permitted_to?(:show, mock_2)
65
+ end
66
+
67
+ def test_permit_with_object_and_context
68
+ reader = Authorization::Reader::DSLReader.new
69
+ reader.parse %{
70
+ authorization do
71
+ role :test_role do
72
+ has_permission_on :other_mocks do
73
+ to :show
74
+ if_attribute :test_attr => is {user.test_attr}
75
+ end
76
+ end
77
+ end
78
+ }
79
+ user = MockUser.new(:test_role, :test_attr => 1)
80
+ mock = MockDataObject.new(:test_attr => 1)
81
+ mock_2 = MockDataObject.new(:test_attr => 2)
82
+ request!(user, :action, reader)
83
+
84
+ assert permitted_to?(:show, mock, :context => :other_mocks)
85
+ assert !permitted_to?(:show, mock_2, :context => :other_mocks)
86
+ end
87
+
88
+ def test_has_role
89
+ reader = Authorization::Reader::DSLReader.new
90
+ reader.parse %{
91
+ authorization do
92
+ role :test_role do
93
+ has_permission_on :mocks, :to => :show
94
+ end
95
+ end
96
+ }
97
+ user = MockUser.new(:test_role)
98
+ request!(user, :action, reader)
99
+
100
+ assert has_role?(:test_role)
101
+ assert !has_role?(:test_role2)
102
+
103
+ block_evaled = false
104
+ has_role?(:test_role) do
105
+ block_evaled = true
106
+ end
107
+ assert block_evaled
108
+
109
+ block_evaled = false
110
+ has_role?(:test_role2) do
111
+ block_evaled = true
112
+ end
113
+ assert !block_evaled
114
+ end
115
+
116
+ def test_has_role_with_guest_user
117
+ reader = Authorization::Reader::DSLReader.new
118
+ reader.parse %{
119
+ authorization do
120
+ end
121
+ }
122
+ request!(nil, :action, reader)
123
+
124
+ assert !has_role?(:test_role)
125
+
126
+ block_evaled = false
127
+ has_role?(:test_role) do
128
+ block_evaled = true
129
+ end
130
+ assert !block_evaled
131
+ end
132
+
133
+ def test_has_role_with_hierarchy
134
+ reader = Authorization::Reader::DSLReader.new
135
+ reader.parse %{
136
+ authorization do
137
+ role :test_role do
138
+ has_permission_on :mocks, :to => :show
139
+ end
140
+ role :other_role do
141
+ has_permission_on :another_mocks, :to => :show
142
+ end
143
+
144
+ role :root do
145
+ includes :test_role
146
+ end
147
+ end
148
+ }
149
+
150
+ user = MockUser.new(:root)
151
+ request!(user, :action, reader)
152
+
153
+ assert has_role_with_hierarchy?(:test_role)
154
+ assert !has_role_with_hierarchy?(:other_role)
155
+
156
+ block_evaled = false
157
+ has_role_with_hierarchy?(:test_role) do
158
+ block_evaled = true
159
+ end
160
+ assert block_evaled
161
+
162
+ block_evaled = false
163
+ has_role_with_hierarchy?(:test_role2) do
164
+ block_evaled = true
165
+ end
166
+ assert !block_evaled
167
+
168
+ end
169
+
170
+
171
+ end
@@ -0,0 +1,46 @@
1
+ require File.join(File.dirname(__FILE__), 'test_helper.rb')
2
+ require File.join(File.dirname(__FILE__), %w{.. lib declarative_authorization maintenance})
3
+
4
+ class MaintenanceTest < Test::Unit::TestCase
5
+ include Authorization::TestHelper
6
+
7
+ def test_usages_by_controllers
8
+ usage_test_controller = Class.new(ActionController::Base)
9
+ usage_test_controller.send(:define_method, :an_action) {}
10
+ usage_test_controller.filter_access_to :an_action
11
+
12
+ assert Authorization::Maintenance::Usage::usages_by_controller.
13
+ include?(usage_test_controller)
14
+ end
15
+
16
+ def test_without_access_control
17
+ reader = Authorization::Reader::DSLReader.new
18
+ reader.parse %{
19
+ authorization do
20
+ role :test_role do
21
+ has_permission_on :permissions, :to => :test
22
+ end
23
+ end
24
+ }
25
+ engine = Authorization::Engine.new(reader)
26
+ assert !engine.permit?(:test_2, :context => :permissions,
27
+ :user => MockUser.new(:test_role))
28
+ Authorization::Maintenance::without_access_control do
29
+ assert engine.permit!(:test_2, :context => :permissions,
30
+ :user => MockUser.new(:test_role))
31
+ end
32
+ without_access_control do
33
+ assert engine.permit?(:test_2, :context => :permissions,
34
+ :user => MockUser.new(:test_role))
35
+ end
36
+ Authorization::Maintenance::without_access_control do
37
+ Authorization::Maintenance::without_access_control do
38
+ assert engine.permit?(:test_2, :context => :permissions,
39
+ :user => MockUser.new(:test_role))
40
+ end
41
+ assert engine.permit?(:test_2, :context => :permissions,
42
+ :user => MockUser.new(:test_role))
43
+ end
44
+ end
45
+
46
+ end
@@ -0,0 +1,1694 @@
1
+ require File.join(File.dirname(__FILE__), 'test_helper.rb')
2
+ require File.join(File.dirname(__FILE__), %w{.. lib declarative_authorization in_model})
3
+
4
+ ActiveRecord::Base.send :include, Authorization::AuthorizationInModel
5
+ #ActiveRecord::Base.logger = Logger.new(STDOUT)
6
+
7
+ options = {:adapter => 'sqlite3', :timeout => 500, :database => ':memory:'}
8
+ ActiveRecord::Base.establish_connection(options)
9
+ ActiveRecord::Base.configurations = { 'sqlite3_ar_integration' => options }
10
+ ActiveRecord::Base.connection
11
+
12
+ File.read(File.dirname(__FILE__) + "/schema.sql").split(';').each do |sql|
13
+ ActiveRecord::Base.connection.execute(sql) unless sql.blank?
14
+ end
15
+
16
+ class TestModel < ActiveRecord::Base
17
+ has_many :test_attrs
18
+ has_many :test_another_attrs, :class_name => "TestAttr", :foreign_key => :test_another_model_id
19
+ has_many :test_attr_throughs, :through => :test_attrs
20
+ has_many :test_attrs_with_attr, :class_name => "TestAttr", :conditions => {:attr => 1}
21
+ has_many :test_attr_throughs_with_attr, :through => :test_attrs,
22
+ :class_name => "TestAttrThrough", :source => :test_attr_throughs,
23
+ :conditions => "test_attrs.attr = 1"
24
+ has_one :test_attr_has_one, :class_name => "TestAttr"
25
+ has_one :test_attr_throughs_with_attr_and_has_one, :through => :test_attrs,
26
+ :class_name => "TestAttrThrough", :source => :test_attr_throughs,
27
+ :conditions => "test_attrs.attr = 1"
28
+
29
+ # TODO currently not working in Rails 3
30
+ if Rails.version < "3"
31
+ has_and_belongs_to_many :test_attr_throughs_habtm, :join_table => :test_attrs,
32
+ :class_name => "TestAttrThrough"
33
+ end
34
+
35
+ if Rails.version < "3"
36
+ named_scope :with_content, :conditions => "test_models.content IS NOT NULL"
37
+ else
38
+ scope :with_content, :conditions => "test_models.content IS NOT NULL"
39
+ end
40
+
41
+ # Primary key test
42
+ # :primary_key only available from Rails 2.2
43
+ unless Rails.version < "2.2"
44
+ has_many :test_attrs_with_primary_id, :class_name => "TestAttr",
45
+ :primary_key => :test_attr_through_id, :foreign_key => :test_attr_through_id
46
+ has_many :test_attr_throughs_with_primary_id,
47
+ :through => :test_attrs_with_primary_id, :class_name => "TestAttrThrough",
48
+ :source => :n_way_join_item
49
+ end
50
+
51
+ # for checking for unnecessary queries
52
+ mattr_accessor :query_count
53
+ def self.find(*args)
54
+ self.query_count ||= 0
55
+ self.query_count += 1
56
+ super(*args)
57
+ end
58
+ end
59
+
60
+ class NWayJoinItem < ActiveRecord::Base
61
+ has_many :test_attrs
62
+ has_many :others, :through => :test_attrs, :source => :n_way_join_item
63
+ end
64
+
65
+ class TestAttr < ActiveRecord::Base
66
+ belongs_to :test_model
67
+ belongs_to :test_another_model, :class_name => "TestModel", :foreign_key => :test_another_model_id
68
+ belongs_to :test_a_third_model, :class_name => "TestModel", :foreign_key => :test_a_third_model_id
69
+ belongs_to :n_way_join_item
70
+ belongs_to :test_attr
71
+ belongs_to :branch
72
+ belongs_to :company
73
+ has_many :test_attr_throughs
74
+ attr_reader :role_symbols
75
+ def initialize (*args)
76
+ @role_symbols = []
77
+ super(*args)
78
+ end
79
+ end
80
+
81
+ class TestAttrThrough < ActiveRecord::Base
82
+ belongs_to :test_attr
83
+ end
84
+
85
+ class TestModelSecurityModel < ActiveRecord::Base
86
+ has_many :test_attrs
87
+ using_access_control
88
+ end
89
+ class TestModelSecurityModelWithFind < ActiveRecord::Base
90
+ set_table_name "test_model_security_models"
91
+ has_many :test_attrs
92
+ using_access_control :include_read => true,
93
+ :context => :test_model_security_models
94
+ end
95
+
96
+ class Branch < ActiveRecord::Base
97
+ has_many :test_attrs
98
+ belongs_to :company
99
+ end
100
+ class Company < ActiveRecord::Base
101
+ has_many :test_attrs
102
+ has_many :branches
103
+ belongs_to :country
104
+ end
105
+ class SmallCompany < Company
106
+ def self.decl_auth_context
107
+ :companies
108
+ end
109
+ end
110
+ class Country < ActiveRecord::Base
111
+ has_many :test_models
112
+ has_many :companies
113
+ end
114
+
115
+ class NamedScopeModelTest < Test::Unit::TestCase
116
+ def test_multiple_deep_ored_belongs_to
117
+ reader = Authorization::Reader::DSLReader.new
118
+ reader.parse %{
119
+ authorization do
120
+ role :test_role do
121
+ has_permission_on :test_attrs, :to => :read do
122
+ if_attribute :test_model => {:test_attrs => contains {user}}
123
+ if_attribute :test_another_model => {:test_attrs => contains {user}}
124
+ end
125
+ end
126
+ end
127
+ }
128
+ Authorization::Engine.instance(reader)
129
+
130
+ test_model_1 = TestModel.create!
131
+ test_model_2 = TestModel.create!
132
+ test_attr_1 = TestAttr.create! :test_model_id => test_model_1.id,
133
+ :test_another_model_id => test_model_2.id
134
+
135
+ user = MockUser.new(:test_role, :id => test_attr_1)
136
+ assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
137
+ TestAttr.delete_all
138
+ TestModel.delete_all
139
+ end
140
+
141
+ def test_with_belongs_to_and_has_many_with_contains
142
+ reader = Authorization::Reader::DSLReader.new
143
+ reader.parse %{
144
+ authorization do
145
+ role :test_role do
146
+ has_permission_on :test_attrs, :to => :read do
147
+ if_attribute :test_model => { :test_attrs => contains { user.test_attr_value } }
148
+ end
149
+ end
150
+ end
151
+ }
152
+ Authorization::Engine.instance(reader)
153
+
154
+ test_attr_1 = TestAttr.create!
155
+ test_model_1 = TestModel.create!
156
+ test_model_1.test_attrs.create!
157
+
158
+ user = MockUser.new(:test_role, :test_attr_value => test_model_1.test_attrs.first.id )
159
+ assert_equal 1, TestAttr.with_permissions_to( :read, :context => :test_attrs, :user => user ).length
160
+ assert_equal 1, TestAttr.with_permissions_to( :read, :user => user ).length
161
+ assert_raise Authorization::NotAuthorized do
162
+ TestAttr.with_permissions_to( :update_test_attrs, :user => user )
163
+ end
164
+ TestAttr.delete_all
165
+ TestModel.delete_all
166
+ end
167
+
168
+ def test_with_nested_has_many
169
+ reader = Authorization::Reader::DSLReader.new
170
+ reader.parse %{
171
+ authorization do
172
+ role :test_role do
173
+ has_permission_on :companies, :to => :read do
174
+ if_attribute :branches => { :test_attrs => { :attr => is { user.test_attr_value } } }
175
+ end
176
+ end
177
+ end
178
+ }
179
+ Authorization::Engine.instance(reader)
180
+
181
+ allowed_company = Company.create!
182
+ allowed_company.branches.create!.test_attrs.create!(:attr => 1)
183
+ allowed_company.branches.create!.test_attrs.create!(:attr => 2)
184
+
185
+ prohibited_company = Company.create!
186
+ prohibited_company.branches.create!.test_attrs.create!(:attr => 3)
187
+
188
+ user = MockUser.new(:test_role, :test_attr_value => 1)
189
+ prohibited_user = MockUser.new(:test_role, :test_attr_value => 4)
190
+ assert_equal 1, Company.with_permissions_to(:read, :user => user).length
191
+ assert_equal 0, Company.with_permissions_to(:read, :user => prohibited_user).length
192
+
193
+ Company.delete_all
194
+ Branch.delete_all
195
+ TestAttr.delete_all
196
+ end
197
+
198
+ def test_with_nested_has_many_through
199
+ reader = Authorization::Reader::DSLReader.new
200
+ reader.parse %{
201
+ authorization do
202
+ role :test_role do
203
+ has_permission_on :test_models, :to => :read do
204
+ if_attribute :test_attr_throughs => { :test_attr => { :attr => is { user.test_attr_value } } }
205
+ end
206
+ end
207
+ end
208
+ }
209
+ Authorization::Engine.instance(reader)
210
+
211
+ allowed_model = TestModel.create!
212
+ allowed_model.test_attrs.create!(:attr => 1).test_attr_throughs.create!
213
+ allowed_model.test_attrs.create!(:attr => 2).test_attr_throughs.create!
214
+
215
+ prohibited_model = TestModel.create!
216
+ prohibited_model.test_attrs.create!(:attr => 3).test_attr_throughs.create!
217
+
218
+ user = MockUser.new(:test_role, :test_attr_value => 1)
219
+ prohibited_user = MockUser.new(:test_role, :test_attr_value => 4)
220
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
221
+ assert_equal 0, TestModel.with_permissions_to(:read, :user => prohibited_user).length
222
+
223
+ TestModel.delete_all
224
+ TestAttrThrough.delete_all
225
+ TestAttr.delete_all
226
+ end
227
+
228
+ def test_with_is
229
+ reader = Authorization::Reader::DSLReader.new
230
+ reader.parse %{
231
+ authorization do
232
+ role :test_role do
233
+ has_permission_on :test_models, :to => :read do
234
+ if_attribute :id => is { user.test_attr_value }
235
+ end
236
+ end
237
+ end
238
+ }
239
+ Authorization::Engine.instance(reader)
240
+
241
+ test_model_1 = TestModel.create!
242
+ TestModel.create!
243
+
244
+ user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
245
+ assert_equal 1, TestModel.with_permissions_to(:read,
246
+ :context => :test_models, :user => user).length
247
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
248
+ assert_raise Authorization::NotAuthorized do
249
+ TestModel.with_permissions_to(:update_test_models, :user => user)
250
+ end
251
+ TestModel.delete_all
252
+ end
253
+
254
+ def test_named_scope_on_proxy
255
+ reader = Authorization::Reader::DSLReader.new
256
+ reader.parse %{
257
+ authorization do
258
+ role :test_role do
259
+ has_permission_on :test_attrs, :to => :read do
260
+ if_attribute :id => is { user.test_attr_value }
261
+ end
262
+ end
263
+ end
264
+ }
265
+ Authorization::Engine.instance(reader)
266
+
267
+ test_model_1 = TestModel.create!
268
+ test_attr_1 = test_model_1.test_attrs.create!
269
+ test_model_1.test_attrs.create!
270
+ TestAttr.create!
271
+
272
+ user = MockUser.new(:test_role, :test_attr_value => test_attr_1.id)
273
+ assert_equal 1, test_model_1.test_attrs.with_permissions_to(:read, :user => user).length
274
+ TestModel.delete_all
275
+ TestAttr.delete_all
276
+ end
277
+
278
+ def test_named_scope_on_named_scope
279
+ reader = Authorization::Reader::DSLReader.new
280
+ reader.parse %{
281
+ authorization do
282
+ role :test_role do
283
+ has_permission_on :test_models, :to => :read do
284
+ if_attribute :country_id => 1
285
+ end
286
+ end
287
+ end
288
+ }
289
+ Authorization::Engine.instance(reader)
290
+
291
+ TestModel.create!(:country_id => 1, :content => "Content")
292
+ TestModel.create!(:country_id => 1)
293
+ TestModel.create!(:country_id => 2, :content => "Content")
294
+
295
+ user = MockUser.new(:test_role)
296
+
297
+ # TODO implement query_count for Rails 3
298
+ TestModel.query_count = 0
299
+ assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
300
+ assert_equal 1, TestModel.query_count if Rails.version < "3"
301
+
302
+ TestModel.query_count = 0
303
+ assert_equal 1, TestModel.with_content.with_permissions_to(:read, :user => user).length
304
+ assert_equal 1, TestModel.query_count if Rails.version < "3"
305
+
306
+ TestModel.query_count = 0
307
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).with_content.length
308
+ assert_equal 1, TestModel.query_count if Rails.version < "3"
309
+
310
+ TestModel.delete_all
311
+ end
312
+
313
+ def test_with_modified_context
314
+ reader = Authorization::Reader::DSLReader.new
315
+ reader.parse %{
316
+ authorization do
317
+ role :test_role do
318
+ has_permission_on :companies, :to => :read do
319
+ if_attribute :id => is { user.test_company_id }
320
+ end
321
+ end
322
+ end
323
+ }
324
+ Authorization::Engine.instance(reader)
325
+
326
+ test_company = SmallCompany.create!
327
+
328
+ user = MockUser.new(:test_role, :test_company_id => test_company.id)
329
+ assert_equal 1, SmallCompany.with_permissions_to(:read,
330
+ :user => user).length
331
+ SmallCompany.delete_all
332
+ end
333
+
334
+ def test_with_is_nil
335
+ reader = Authorization::Reader::DSLReader.new
336
+ reader.parse %{
337
+ authorization do
338
+ role :test_role do
339
+ has_permission_on :test_models, :to => :read do
340
+ if_attribute :content => nil
341
+ end
342
+ end
343
+ role :test_role_not_nil do
344
+ has_permission_on :test_models, :to => :read do
345
+ if_attribute :content => is_not { nil }
346
+ end
347
+ end
348
+ end
349
+ }
350
+ Authorization::Engine.instance(reader)
351
+
352
+ test_model_1 = TestModel.create!
353
+ test_model_2 = TestModel.create! :content => "Content"
354
+
355
+ assert_equal test_model_1, TestModel.with_permissions_to(:read,
356
+ :context => :test_models, :user => MockUser.new(:test_role)).first
357
+ assert_equal test_model_2, TestModel.with_permissions_to(:read,
358
+ :context => :test_models, :user => MockUser.new(:test_role_not_nil)).first
359
+ TestModel.delete_all
360
+ end
361
+
362
+ def test_with_not_is
363
+ reader = Authorization::Reader::DSLReader.new
364
+ reader.parse %{
365
+ authorization do
366
+ role :test_role do
367
+ has_permission_on :test_models, :to => :read do
368
+ if_attribute :id => is_not { user.test_attr_value }
369
+ end
370
+ end
371
+ end
372
+ }
373
+ Authorization::Engine.instance(reader)
374
+
375
+ test_model_1 = TestModel.create!
376
+ TestModel.create!
377
+
378
+ user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
379
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
380
+ TestModel.delete_all
381
+ end
382
+
383
+ def test_with_empty_obligations
384
+ reader = Authorization::Reader::DSLReader.new
385
+ reader.parse %{
386
+ authorization do
387
+ role :test_role do
388
+ has_permission_on :test_models, :to => :read
389
+ end
390
+ end
391
+ }
392
+ Authorization::Engine.instance(reader)
393
+
394
+ TestModel.create!
395
+
396
+ user = MockUser.new(:test_role)
397
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
398
+ assert_raise Authorization::NotAuthorized do
399
+ TestModel.with_permissions_to(:update, :user => user)
400
+ end
401
+ TestModel.delete_all
402
+ end
403
+
404
+ def test_multiple_obligations
405
+ reader = Authorization::Reader::DSLReader.new
406
+ reader.parse %{
407
+ authorization do
408
+ role :test_role do
409
+ has_permission_on :test_models, :to => :read do
410
+ if_attribute :id => is { user.test_attr_value }
411
+ end
412
+ has_permission_on :test_models, :to => :read do
413
+ if_attribute :id => is { user.test_attr_value_2 }
414
+ end
415
+ end
416
+ end
417
+ }
418
+ Authorization::Engine.instance(reader)
419
+
420
+ test_model_1 = TestModel.create!
421
+ test_model_2 = TestModel.create!
422
+
423
+ user = MockUser.new(:test_role, :test_attr_value => test_model_1.id,
424
+ :test_attr_value_2 => test_model_2.id)
425
+ assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
426
+ TestModel.delete_all
427
+ end
428
+
429
+ def test_multiple_roles
430
+ reader = Authorization::Reader::DSLReader.new
431
+ reader.parse %{
432
+ authorization do
433
+ role :test_role do
434
+ has_permission_on :test_attrs, :to => :read do
435
+ if_attribute :attr => [1,2]
436
+ end
437
+ end
438
+
439
+ role :test_role_2 do
440
+ has_permission_on :test_attrs, :to => :read do
441
+ if_attribute :attr => [2,3]
442
+ end
443
+ end
444
+ end
445
+ }
446
+ Authorization::Engine.instance(reader)
447
+
448
+ TestAttr.create! :attr => 1
449
+ TestAttr.create! :attr => 2
450
+ TestAttr.create! :attr => 3
451
+
452
+ user = MockUser.new(:test_role)
453
+ assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).length
454
+ TestAttr.delete_all
455
+ end
456
+
457
+ def test_multiple_and_empty_obligations
458
+ reader = Authorization::Reader::DSLReader.new
459
+ reader.parse %{
460
+ authorization do
461
+ role :test_role do
462
+ has_permission_on :test_models, :to => :read do
463
+ if_attribute :id => is { user.test_attr_value }
464
+ end
465
+ has_permission_on :test_models, :to => :read
466
+ end
467
+ end
468
+ }
469
+ Authorization::Engine.instance(reader)
470
+
471
+ test_model_1 = TestModel.create!
472
+ TestModel.create!
473
+
474
+ user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
475
+ assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
476
+ TestModel.delete_all
477
+ end
478
+
479
+ def test_multiple_attributes
480
+ reader = Authorization::Reader::DSLReader.new
481
+ reader.parse %{
482
+ authorization do
483
+ role :test_role do
484
+ has_permission_on :test_models, :to => :read do
485
+ if_attribute :id => is { user.test_attr_value }, :content => "bla"
486
+ end
487
+ end
488
+ end
489
+ }
490
+ Authorization::Engine.instance(reader)
491
+
492
+ test_model_1 = TestModel.create! :content => 'bla'
493
+ TestModel.create! :content => 'bla'
494
+ TestModel.create!
495
+
496
+ user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
497
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
498
+ TestModel.delete_all
499
+ end
500
+
501
+ def test_multiple_belongs_to
502
+ reader = Authorization::Reader::DSLReader.new
503
+ reader.parse %{
504
+ authorization do
505
+ role :test_role do
506
+ has_permission_on :test_attrs, :to => :read do
507
+ if_attribute :test_model => is {user}
508
+ if_attribute :test_another_model => is {user}
509
+ end
510
+ end
511
+ end
512
+ }
513
+ Authorization::Engine.instance(reader)
514
+
515
+ test_attr_1 = TestAttr.create! :test_model_id => 1, :test_another_model_id => 2
516
+
517
+ user = MockUser.new(:test_role, :id => 1)
518
+ assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
519
+ TestAttr.delete_all
520
+ end
521
+
522
+ def test_with_is_and_priv_hierarchy
523
+ reader = Authorization::Reader::DSLReader.new
524
+ reader.parse %{
525
+ privileges do
526
+ privilege :read do
527
+ includes :list, :show
528
+ end
529
+ end
530
+ authorization do
531
+ role :test_role do
532
+ has_permission_on :test_models, :to => :read do
533
+ if_attribute :id => is { user.test_attr_value }
534
+ end
535
+ end
536
+ end
537
+ }
538
+ Authorization::Engine.instance(reader)
539
+
540
+ test_model_1 = TestModel.create!
541
+ TestModel.create!
542
+
543
+ user = MockUser.new(:test_role, :test_attr_value => test_model_1.id)
544
+ assert_equal 1, TestModel.with_permissions_to(:list,
545
+ :context => :test_models, :user => user).length
546
+ assert_equal 1, TestModel.with_permissions_to(:list, :user => user).length
547
+
548
+ TestModel.delete_all
549
+ end
550
+
551
+ def test_with_is_and_belongs_to
552
+ reader = Authorization::Reader::DSLReader.new
553
+ reader.parse %{
554
+ authorization do
555
+ role :test_role do
556
+ has_permission_on :test_attrs, :to => :read do
557
+ if_attribute :test_model => is { user.test_model }
558
+ end
559
+ end
560
+ end
561
+ }
562
+ Authorization::Engine.instance(reader)
563
+
564
+ test_model_1 = TestModel.create!
565
+ test_model_1.test_attrs.create!
566
+ TestModel.create!.test_attrs.create!
567
+
568
+ user = MockUser.new(:test_role, :test_model => test_model_1)
569
+ assert_equal 1, TestAttr.with_permissions_to(:read,
570
+ :context => :test_attrs, :user => user).length
571
+
572
+ TestModel.delete_all
573
+ TestAttr.delete_all
574
+ end
575
+
576
+ def test_with_deep_attribute
577
+ reader = Authorization::Reader::DSLReader.new
578
+ reader.parse %{
579
+ authorization do
580
+ role :test_role do
581
+ has_permission_on :test_attrs, :to => :read do
582
+ if_attribute :test_model => {:id => is { user.test_model_id } }
583
+ end
584
+ end
585
+ end
586
+ }
587
+ Authorization::Engine.instance(reader)
588
+
589
+ test_model_1 = TestModel.create!
590
+ test_model_1.test_attrs.create!
591
+ TestModel.create!.test_attrs.create!
592
+
593
+ user = MockUser.new(:test_role, :test_model_id => test_model_1.id)
594
+ assert_equal 1, TestAttr.with_permissions_to(:read,
595
+ :context => :test_attrs, :user => user).length
596
+
597
+ TestModel.delete_all
598
+ TestAttr.delete_all
599
+ end
600
+
601
+ def test_with_anded_rules
602
+ reader = Authorization::Reader::DSLReader.new
603
+ reader.parse %{
604
+ authorization do
605
+ role :test_role do
606
+ has_permission_on :test_attrs, :to => :read, :join_by => :and do
607
+ if_attribute :test_model => is { user.test_model }
608
+ if_attribute :attr => 1
609
+ end
610
+ end
611
+ end
612
+ }
613
+ Authorization::Engine.instance(reader)
614
+
615
+ test_model_1 = TestModel.create!
616
+ test_model_1.test_attrs.create!(:attr => 1)
617
+ TestModel.create!.test_attrs.create!(:attr => 1)
618
+ TestModel.create!.test_attrs.create!
619
+
620
+ user = MockUser.new(:test_role, :test_model => test_model_1)
621
+ assert_equal 1, TestAttr.with_permissions_to(:read,
622
+ :context => :test_attrs, :user => user).length
623
+
624
+ TestModel.delete_all
625
+ TestAttr.delete_all
626
+ end
627
+
628
+ def test_with_contains
629
+ reader = Authorization::Reader::DSLReader.new
630
+ reader.parse %{
631
+ authorization do
632
+ role :test_role do
633
+ has_permission_on :test_models, :to => :read do
634
+ if_attribute :test_attrs => contains { user }
635
+ end
636
+ end
637
+ end
638
+ }
639
+ Authorization::Engine.instance(reader)
640
+
641
+ test_model_1 = TestModel.create!
642
+ test_model_2 = TestModel.create!
643
+ test_model_1.test_attrs.create!
644
+ test_model_1.test_attrs.create!
645
+ test_model_2.test_attrs.create!
646
+
647
+ user = MockUser.new(:test_role,
648
+ :id => test_model_1.test_attrs.first.id)
649
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
650
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).find(:all, :conditions => {:id => test_model_1.id}).length
651
+
652
+ TestModel.delete_all
653
+ TestAttr.delete_all
654
+ end
655
+
656
+ def test_with_does_not_contain
657
+ reader = Authorization::Reader::DSLReader.new
658
+ reader.parse %{
659
+ authorization do
660
+ role :test_role do
661
+ has_permission_on :test_models, :to => :read do
662
+ if_attribute :test_attrs => does_not_contain { user }
663
+ end
664
+ end
665
+ end
666
+ }
667
+ Authorization::Engine.instance(reader)
668
+
669
+ test_model_1 = TestModel.create!
670
+ test_model_2 = TestModel.create!
671
+ test_model_1.test_attrs.create!
672
+ test_model_2.test_attrs.create!
673
+
674
+ user = MockUser.new(:test_role,
675
+ :id => test_model_1.test_attrs.first.id)
676
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
677
+
678
+ TestModel.delete_all
679
+ TestAttr.delete_all
680
+ end
681
+
682
+ def test_with_contains_conditions
683
+ reader = Authorization::Reader::DSLReader.new
684
+ reader.parse %{
685
+ authorization do
686
+ role :test_role do
687
+ has_permission_on :test_models, :to => :read do
688
+ if_attribute :test_attrs_with_attr => contains { user }
689
+ end
690
+ end
691
+ end
692
+ }
693
+ Authorization::Engine.instance(reader)
694
+
695
+ test_model_1 = TestModel.create!
696
+ test_model_2 = TestModel.create!
697
+ test_model_1.test_attrs_with_attr.create!
698
+ test_model_1.test_attrs.create!(:attr => 2)
699
+ test_model_2.test_attrs_with_attr.create!
700
+ test_model_2.test_attrs.create!(:attr => 2)
701
+
702
+ #assert_equal 1, test_model_1.test_attrs_with_attr.length
703
+ user = MockUser.new(:test_role,
704
+ :id => test_model_1.test_attrs.first.id)
705
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
706
+ user = MockUser.new(:test_role,
707
+ :id => test_model_1.test_attrs.last.id)
708
+ assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
709
+
710
+ TestModel.delete_all
711
+ TestAttr.delete_all
712
+ end
713
+
714
+ # TODO fails in Rails 3 because TestModel.scoped.joins(:test_attr_throughs_with_attr)
715
+ # does not work
716
+ if Rails.version < "3"
717
+ def test_with_contains_through_conditions
718
+ reader = Authorization::Reader::DSLReader.new
719
+ reader.parse %{
720
+ authorization do
721
+ role :test_role do
722
+ has_permission_on :test_models, :to => :read do
723
+ if_attribute :test_attr_throughs_with_attr => contains { user }
724
+ end
725
+ end
726
+ end
727
+ }
728
+ Authorization::Engine.instance(reader)
729
+
730
+ test_model_1 = TestModel.create!
731
+ test_model_2 = TestModel.create!
732
+ test_model_1.test_attrs.create!(:attr => 1).test_attr_throughs.create!
733
+ test_model_1.test_attrs.create!(:attr => 2).test_attr_throughs.create!
734
+ test_model_2.test_attrs.create!(:attr => 1).test_attr_throughs.create!
735
+ test_model_2.test_attrs.create!(:attr => 2).test_attr_throughs.create!
736
+
737
+ #assert_equal 1, test_model_1.test_attrs_with_attr.length
738
+ user = MockUser.new(:test_role,
739
+ :id => test_model_1.test_attr_throughs.first.id)
740
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
741
+ user = MockUser.new(:test_role,
742
+ :id => test_model_1.test_attr_throughs.last.id)
743
+ assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
744
+
745
+ TestModel.delete_all
746
+ TestAttrThrough.delete_all
747
+ TestAttr.delete_all
748
+ end
749
+ end
750
+
751
+ if Rails.version < "3"
752
+ def test_with_contains_habtm
753
+ reader = Authorization::Reader::DSLReader.new
754
+ reader.parse %{
755
+ authorization do
756
+ role :test_role do
757
+ has_permission_on :test_models, :to => :read do
758
+ if_attribute :test_attr_throughs_habtm => contains { user.test_attr_through_id }
759
+ end
760
+ end
761
+ end
762
+ }
763
+ Authorization::Engine.instance(reader)
764
+
765
+ # TODO habtm currently not working in Rails 3
766
+ test_model_1 = TestModel.create!
767
+ test_model_2 = TestModel.create!
768
+ test_attr_through_1 = TestAttrThrough.create!
769
+ test_attr_through_2 = TestAttrThrough.create!
770
+ TestAttr.create! :test_model_id => test_model_1.id, :test_attr_through_id => test_attr_through_1.id
771
+ TestAttr.create! :test_model_id => test_model_2.id, :test_attr_through_id => test_attr_through_2.id
772
+
773
+ user = MockUser.new(:test_role,
774
+ :test_attr_through_id => test_model_1.test_attr_throughs_habtm.first.id)
775
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
776
+ assert_equal test_model_1, TestModel.with_permissions_to(:read, :user => user)[0]
777
+
778
+ TestModel.delete_all
779
+ TestAttrThrough.delete_all
780
+ TestAttr.delete_all
781
+ end
782
+ end
783
+
784
+ # :primary_key not available in Rails prior to 2.2
785
+ if Rails.version > "2.2"
786
+ def test_with_contains_through_primary_key
787
+ reader = Authorization::Reader::DSLReader.new
788
+ reader.parse %{
789
+ authorization do
790
+ role :test_role do
791
+ has_permission_on :test_models, :to => :read do
792
+ if_attribute :test_attr_throughs_with_primary_id => contains { user }
793
+ end
794
+ end
795
+ end
796
+ }
797
+ Authorization::Engine.instance(reader)
798
+
799
+ test_attr_through_1 = TestAttrThrough.create!
800
+ test_item = NWayJoinItem.create!
801
+ test_model_1 = TestModel.create!(:test_attr_through_id => test_attr_through_1.id)
802
+ test_attr_1 = TestAttr.create!(:test_attr_through_id => test_attr_through_1.id,
803
+ :n_way_join_item_id => test_item.id)
804
+
805
+ user = MockUser.new(:test_role,
806
+ :id => test_attr_through_1.id)
807
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
808
+
809
+ TestModel.delete_all
810
+ TestAttrThrough.delete_all
811
+ TestAttr.delete_all
812
+ end
813
+ end
814
+
815
+ def test_with_intersects_with
816
+ reader = Authorization::Reader::DSLReader.new
817
+ reader.parse %{
818
+ authorization do
819
+ role :test_role do
820
+ has_permission_on :test_models, :to => :read do
821
+ if_attribute :test_attrs => intersects_with { user.test_attrs }
822
+ end
823
+ end
824
+ end
825
+ }
826
+ Authorization::Engine.instance(reader)
827
+
828
+ test_model_1 = TestModel.create!
829
+ test_model_2 = TestModel.create!
830
+ test_model_1.test_attrs.create!
831
+ test_model_1.test_attrs.create!
832
+ test_model_1.test_attrs.create!
833
+ test_model_2.test_attrs.create!
834
+
835
+ user = MockUser.new(:test_role,
836
+ :test_attrs => [test_model_1.test_attrs.first, TestAttr.create!])
837
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
838
+
839
+ user = MockUser.new(:test_role,
840
+ :test_attrs => [TestAttr.create!])
841
+ assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
842
+
843
+ TestModel.delete_all
844
+ TestAttr.delete_all
845
+ end
846
+
847
+ def test_with_is_and_has_one
848
+ reader = Authorization::Reader::DSLReader.new
849
+ reader.parse %{
850
+ authorization do :test_attr_has_one
851
+ role :test_role do
852
+ has_permission_on :test_models, :to => :read do
853
+ if_attribute :test_attr_has_one => is { user.test_attr }
854
+ end
855
+ end
856
+ end
857
+ }
858
+ Authorization::Engine.instance(reader)
859
+
860
+ test_model_1 = TestModel.create!
861
+ test_attr_1 = test_model_1.test_attrs.create!
862
+ TestModel.create!.test_attrs.create!
863
+
864
+ user = MockUser.new(:test_role, :test_attr => test_attr_1)
865
+ assert_equal 1, TestModel.with_permissions_to(:read,
866
+ :context => :test_models, :user => user).length
867
+
868
+ TestModel.delete_all
869
+ TestAttr.delete_all
870
+ end
871
+
872
+ # TODO fails in Rails 3 because TestModel.scoped.joins(:test_attr_throughs_with_attr)
873
+ # does not work
874
+ if Rails.version < "3"
875
+ def test_with_is_and_has_one_through_conditions
876
+ reader = Authorization::Reader::DSLReader.new
877
+ reader.parse %{
878
+ authorization do
879
+ role :test_role do
880
+ has_permission_on :test_models, :to => :read do
881
+ if_attribute :test_attr_throughs_with_attr_and_has_one => is { user }
882
+ end
883
+ end
884
+ end
885
+ }
886
+ Authorization::Engine.instance(reader)
887
+
888
+ test_model_1 = TestModel.create!
889
+ test_model_2 = TestModel.create!
890
+ test_model_1.test_attrs.create!(:attr => 1).test_attr_throughs.create!
891
+ test_model_1.test_attrs.create!(:attr => 2).test_attr_throughs.create!
892
+ test_model_2.test_attrs.create!(:attr => 1).test_attr_throughs.create!
893
+ test_model_2.test_attrs.create!(:attr => 2).test_attr_throughs.create!
894
+
895
+ #assert_equal 1, test_model_1.test_attrs_with_attr.length
896
+ user = MockUser.new(:test_role,
897
+ :id => test_model_1.test_attr_throughs.first.id)
898
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
899
+ user = MockUser.new(:test_role,
900
+ :id => test_model_1.test_attr_throughs.last.id)
901
+ assert_equal 0, TestModel.with_permissions_to(:read, :user => user).length
902
+
903
+ TestModel.delete_all
904
+ TestAttr.delete_all
905
+ TestAttrThrough.delete_all
906
+ end
907
+ end
908
+
909
+ def test_with_is_in
910
+ reader = Authorization::Reader::DSLReader.new
911
+ reader.parse %{
912
+ authorization do
913
+ role :test_role do
914
+ has_permission_on :test_attrs, :to => :read do
915
+ if_attribute :test_model => is_in { [user.test_model, user.test_model_2] }
916
+ end
917
+ end
918
+ end
919
+ }
920
+ Authorization::Engine.instance(reader)
921
+
922
+ test_model_1 = TestModel.create!
923
+ test_model_2 = TestModel.create!
924
+ test_model_1.test_attrs.create!
925
+ TestModel.create!.test_attrs.create!
926
+
927
+ user = MockUser.new(:test_role, :test_model => test_model_1,
928
+ :test_model_2 => test_model_2)
929
+ assert_equal 1, TestAttr.with_permissions_to(:read,
930
+ :context => :test_attrs, :user => user).length
931
+
932
+ TestModel.delete_all
933
+ TestAttr.delete_all
934
+ end
935
+
936
+ def test_with_not_is_in
937
+ reader = Authorization::Reader::DSLReader.new
938
+ reader.parse %{
939
+ authorization do
940
+ role :test_role do
941
+ has_permission_on :test_attrs, :to => :read do
942
+ if_attribute :test_model => is_not_in { [user.test_model, user.test_model_2] }
943
+ end
944
+ end
945
+ end
946
+ }
947
+ Authorization::Engine.instance(reader)
948
+
949
+ test_model_1 = TestModel.create!
950
+ test_model_2 = TestModel.create!
951
+ test_model_1.test_attrs.create!
952
+ TestModel.create!.test_attrs.create!
953
+
954
+ user = MockUser.new(:test_role, :test_model => test_model_1,
955
+ :test_model_2 => test_model_2)
956
+ assert_equal 1, TestAttr.with_permissions_to(:read,
957
+ :context => :test_attrs, :user => user).length
958
+
959
+ TestModel.delete_all
960
+ TestAttr.delete_all
961
+ end
962
+
963
+ def test_with_if_permitted_to
964
+ reader = Authorization::Reader::DSLReader.new
965
+ reader.parse %{
966
+ authorization do
967
+ role :test_role do
968
+ has_permission_on :test_models, :to => :read do
969
+ if_attribute :test_attrs => contains { user }
970
+ end
971
+ has_permission_on :test_attrs, :to => :read do
972
+ if_permitted_to :read, :test_model
973
+ end
974
+ end
975
+ end
976
+ }
977
+ Authorization::Engine.instance(reader)
978
+
979
+ test_model_1 = TestModel.create!
980
+ test_attr_1 = test_model_1.test_attrs.create!
981
+
982
+ user = MockUser.new(:test_role, :id => test_attr_1.id)
983
+ assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
984
+ TestModel.delete_all
985
+ TestAttr.delete_all
986
+ end
987
+
988
+ def test_with_if_permitted_to_with_no_child_permissions
989
+ reader = Authorization::Reader::DSLReader.new
990
+ reader.parse %{
991
+ authorization do
992
+ role :another_role do
993
+ has_permission_on :test_models, :to => :read do
994
+ if_attribute :test_attrs => contains { user }
995
+ end
996
+ end
997
+ role :additional_if_attribute do
998
+ has_permission_on :test_attrs, :to => :read do
999
+ if_permitted_to :read, :test_model
1000
+ if_attribute :test_model => {:test_attrs => contains { user }}
1001
+ end
1002
+ end
1003
+ role :only_permitted_to do
1004
+ has_permission_on :test_attrs, :to => :read do
1005
+ if_permitted_to :read, :test_model
1006
+ end
1007
+ end
1008
+ end
1009
+ }
1010
+ Authorization::Engine.instance(reader)
1011
+
1012
+ test_model_1 = TestModel.create!
1013
+ test_attr_1 = test_model_1.test_attrs.create!
1014
+
1015
+ user = MockUser.new(:only_permitted_to, :another_role, :id => test_attr_1.id)
1016
+ also_allowed_user = MockUser.new(:additional_if_attribute, :id => test_attr_1.id)
1017
+ non_allowed_user = MockUser.new(:only_permitted_to, :id => test_attr_1.id)
1018
+
1019
+ assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
1020
+ assert_equal 1, TestAttr.with_permissions_to(:read, :user => also_allowed_user).length
1021
+ assert_raise Authorization::NotAuthorized do
1022
+ TestAttr.with_permissions_to(:read, :user => non_allowed_user).find(:all)
1023
+ end
1024
+
1025
+ TestModel.delete_all
1026
+ TestAttr.delete_all
1027
+ end
1028
+
1029
+ def test_with_if_permitted_to_with_context_from_model
1030
+ reader = Authorization::Reader::DSLReader.new
1031
+ reader.parse %{
1032
+ authorization do
1033
+ role :test_role do
1034
+ has_permission_on :test_models, :to => :read do
1035
+ if_attribute :test_another_attrs => contains { user }
1036
+ end
1037
+ has_permission_on :test_attrs, :to => :read do
1038
+ if_permitted_to :read, :test_another_model
1039
+ end
1040
+ end
1041
+ end
1042
+ }
1043
+ Authorization::Engine.instance(reader)
1044
+
1045
+ test_model_1 = TestModel.create!
1046
+ test_attr_1 = test_model_1.test_another_attrs.create!
1047
+
1048
+ user = MockUser.new(:test_role, :id => test_attr_1.id)
1049
+ non_allowed_user = MockUser.new(:test_role, :id => 111)
1050
+
1051
+ assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
1052
+ assert_equal 0, TestAttr.with_permissions_to(:read, :user => non_allowed_user).length
1053
+ TestModel.delete_all
1054
+ TestAttr.delete_all
1055
+ end
1056
+
1057
+ def test_with_has_many_if_permitted_to
1058
+ reader = Authorization::Reader::DSLReader.new
1059
+ reader.parse %{
1060
+ authorization do
1061
+ role :test_role do
1062
+ has_permission_on :test_models, :to => :read do
1063
+ if_permitted_to :read, :test_attrs
1064
+ end
1065
+ has_permission_on :test_attrs, :to => :read do
1066
+ if_attribute :attr => is { user.id }
1067
+ end
1068
+ end
1069
+ end
1070
+ }
1071
+ Authorization::Engine.instance(reader)
1072
+
1073
+ test_model_1 = TestModel.create!
1074
+ test_attr_1 = test_model_1.test_attrs.create!(:attr => 111)
1075
+
1076
+ user = MockUser.new(:test_role, :id => test_attr_1.attr)
1077
+ non_allowed_user = MockUser.new(:test_role, :id => 333)
1078
+ assert_equal 1, TestModel.with_permissions_to(:read, :user => user).length
1079
+ assert_equal 0, TestModel.with_permissions_to(:read, :user => non_allowed_user).length
1080
+ TestModel.delete_all
1081
+ TestAttr.delete_all
1082
+ end
1083
+
1084
+ def test_with_deep_has_many_if_permitted_to
1085
+ reader = Authorization::Reader::DSLReader.new
1086
+ reader.parse %{
1087
+ authorization do
1088
+ role :test_role do
1089
+ has_permission_on :branches, :to => :read do
1090
+ if_attribute :name => "A Branch"
1091
+ end
1092
+ has_permission_on :companies, :to => :read do
1093
+ if_permitted_to :read, :test_attrs => :branch
1094
+ end
1095
+ end
1096
+ end
1097
+ }
1098
+ Authorization::Engine.instance(reader)
1099
+
1100
+ readable_company = Company.create!
1101
+ readable_company.test_attrs.create!(:branch => Branch.create!(:name => "A Branch"))
1102
+
1103
+ forbidden_company = Company.create!
1104
+ forbidden_company.test_attrs.create!(:branch => Branch.create!(:name => "Different Branch"))
1105
+
1106
+ user = MockUser.new(:test_role)
1107
+ assert_equal 1, Company.with_permissions_to(:read, :user => user).length
1108
+ Company.delete_all
1109
+ Branch.delete_all
1110
+ TestAttr.delete_all
1111
+ end
1112
+
1113
+ def test_with_if_permitted_to_and_empty_obligations
1114
+ reader = Authorization::Reader::DSLReader.new
1115
+ reader.parse %{
1116
+ authorization do
1117
+ role :test_role do
1118
+ has_permission_on :test_models, :to => :read
1119
+ has_permission_on :test_attrs, :to => :read do
1120
+ if_permitted_to :read, :test_model
1121
+ end
1122
+ end
1123
+ end
1124
+ }
1125
+ Authorization::Engine.instance(reader)
1126
+
1127
+ test_model_1 = TestModel.create!
1128
+ test_attr_1 = test_model_1.test_attrs.create!
1129
+
1130
+ user = MockUser.new(:test_role)
1131
+ assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
1132
+ TestModel.delete_all
1133
+ TestAttr.delete_all
1134
+ end
1135
+
1136
+ def test_with_if_permitted_to_nil
1137
+ reader = Authorization::Reader::DSLReader.new
1138
+ reader.parse %{
1139
+ authorization do
1140
+ role :test_role do
1141
+ has_permission_on :test_models, :to => :read do
1142
+ if_attribute :test_attrs => contains { user }
1143
+ end
1144
+ has_permission_on :test_attrs, :to => :read do
1145
+ if_permitted_to :read, :test_model
1146
+ end
1147
+ end
1148
+ end
1149
+ }
1150
+ Authorization::Engine.instance(reader)
1151
+
1152
+ test_attr_1 = TestAttr.create!
1153
+
1154
+ user = MockUser.new(:test_role, :id => test_attr_1.id)
1155
+ assert_equal 0, TestAttr.with_permissions_to(:read, :user => user).length
1156
+ TestAttr.delete_all
1157
+ end
1158
+
1159
+ def test_with_if_permitted_to_self
1160
+ reader = Authorization::Reader::DSLReader.new
1161
+ reader.parse %{
1162
+ authorization do
1163
+ role :test_role do
1164
+ has_permission_on :test_models, :to => :read do
1165
+ if_attribute :test_attrs => contains { user }
1166
+ end
1167
+ has_permission_on :test_models, :to => :update do
1168
+ if_permitted_to :read
1169
+ end
1170
+ end
1171
+ end
1172
+ }
1173
+ Authorization::Engine.instance(reader)
1174
+
1175
+ test_model_1 = TestModel.create!
1176
+ test_attr_1 = test_model_1.test_attrs.create!
1177
+ test_attr_2 = TestAttr.create!
1178
+
1179
+ user = MockUser.new(:test_role, :id => test_attr_1.id)
1180
+ assert_equal 1, TestModel.with_permissions_to(:update, :user => user).length
1181
+ TestAttr.delete_all
1182
+ TestModel.delete_all
1183
+ end
1184
+
1185
+ def test_with_has_many_and_reoccuring_tables
1186
+ reader = Authorization::Reader::DSLReader.new
1187
+ reader.parse %{
1188
+ authorization do
1189
+ role :test_role do
1190
+ has_permission_on :test_attrs, :to => :read do
1191
+ if_attribute :test_another_model => { :content => 'test_1_2' },
1192
+ :test_model => { :content => 'test_1_1' }
1193
+ end
1194
+ end
1195
+ end
1196
+ }
1197
+ Authorization::Engine.instance(reader)
1198
+
1199
+ test_attr_1 = TestAttr.create!(
1200
+ :test_model => TestModel.create!(:content => 'test_1_1'),
1201
+ :test_another_model => TestModel.create!(:content => 'test_1_2')
1202
+ )
1203
+ test_attr_2 = TestAttr.create!(
1204
+ :test_model => TestModel.create!(:content => 'test_2_1'),
1205
+ :test_another_model => TestModel.create!(:content => 'test_2_2')
1206
+ )
1207
+
1208
+ user = MockUser.new(:test_role)
1209
+ assert_equal 1, TestAttr.with_permissions_to(:read, :user => user).length
1210
+ TestModel.delete_all
1211
+ TestAttr.delete_all
1212
+ end
1213
+
1214
+ def test_with_ored_rules_and_reoccuring_tables
1215
+ reader = Authorization::Reader::DSLReader.new
1216
+ reader.parse %{
1217
+ authorization do
1218
+ role :test_role do
1219
+ has_permission_on :test_attrs, :to => :read do
1220
+ if_attribute :test_another_model => { :content => 'test_1_2' },
1221
+ :test_model => { :content => 'test_1_1' }
1222
+ end
1223
+ has_permission_on :test_attrs, :to => :read do
1224
+ if_attribute :test_another_model => { :content => 'test_2_2' },
1225
+ :test_model => { :test_attrs => contains {user.test_attr} }
1226
+ end
1227
+ end
1228
+ end
1229
+ }
1230
+ Authorization::Engine.instance(reader)
1231
+
1232
+ test_attr_1 = TestAttr.create!(
1233
+ :test_model => TestModel.create!(:content => 'test_1_1'),
1234
+ :test_another_model => TestModel.create!(:content => 'test_1_2')
1235
+ )
1236
+ test_attr_2 = TestAttr.create!(
1237
+ :test_model => TestModel.create!(:content => 'test_2_1'),
1238
+ :test_another_model => TestModel.create!(:content => 'test_2_2')
1239
+ )
1240
+ test_attr_2.test_model.test_attrs.create!
1241
+
1242
+ user = MockUser.new(:test_role, :test_attr => test_attr_2.test_model.test_attrs.last)
1243
+ assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).length
1244
+ TestModel.delete_all
1245
+ TestAttr.delete_all
1246
+ end
1247
+
1248
+ def test_with_many_ored_rules_and_reoccuring_tables
1249
+ reader = Authorization::Reader::DSLReader.new
1250
+ reader.parse %{
1251
+ authorization do
1252
+ role :test_role do
1253
+ has_permission_on :test_attrs, :to => :read do
1254
+ if_attribute :branch => { :company => { :country => {
1255
+ :test_models => contains { user.test_model }
1256
+ }} }
1257
+ if_attribute :company => { :country => {
1258
+ :test_models => contains { user.test_model }
1259
+ }}
1260
+ end
1261
+ end
1262
+ end
1263
+ }
1264
+ Authorization::Engine.instance(reader)
1265
+
1266
+ country = Country.create!(:name => 'country_1')
1267
+ country.test_models.create!
1268
+ test_attr_1 = TestAttr.create!(
1269
+ :branch => Branch.create!(:name => 'branch_1',
1270
+ :company => Company.create!(:name => 'company_1',
1271
+ :country => country))
1272
+ )
1273
+ test_attr_2 = TestAttr.create!(
1274
+ :company => Company.create!(:name => 'company_2',
1275
+ :country => country)
1276
+ )
1277
+
1278
+ user = MockUser.new(:test_role, :test_model => country.test_models.first)
1279
+
1280
+ assert_equal 2, TestAttr.with_permissions_to(:read, :user => user).length
1281
+ TestModel.delete_all
1282
+ TestAttr.delete_all
1283
+ end
1284
+ end
1285
+
1286
+ class ModelTest < Test::Unit::TestCase
1287
+ def test_permit_with_has_one_raises_no_name_error
1288
+ reader = Authorization::Reader::DSLReader.new
1289
+ reader.parse %{
1290
+ authorization do :test_attr_has_one
1291
+ role :test_role do
1292
+ has_permission_on :test_attrs, :to => :update do
1293
+ if_attribute :id => is { user.test_attr.id }
1294
+ end
1295
+ end
1296
+ end
1297
+ }
1298
+ instance = Authorization::Engine.instance(reader)
1299
+
1300
+ test_model = TestModel.create!
1301
+ test_attr = test_model.create_test_attr_has_one
1302
+ assert !test_attr.new_record?
1303
+
1304
+ user = MockUser.new(:test_role, :test_attr => test_attr)
1305
+
1306
+ assert_nothing_raised do
1307
+ assert instance.permit?(:update, :user => user, :object => test_model.test_attr_has_one)
1308
+ end
1309
+
1310
+ TestModel.delete_all
1311
+ TestAttr.delete_all
1312
+ end
1313
+
1314
+ def test_model_security_write_allowed
1315
+ reader = Authorization::Reader::DSLReader.new
1316
+ reader.parse %{
1317
+ authorization do
1318
+ role :test_role do
1319
+ has_permission_on :test_model_security_models do
1320
+ to :read, :create, :update, :delete
1321
+ if_attribute :attr => is { 1 }
1322
+ end
1323
+ end
1324
+ end
1325
+ }
1326
+ Authorization::Engine.instance(reader)
1327
+
1328
+ Authorization.current_user = MockUser.new(:test_role)
1329
+ assert(object = TestModelSecurityModel.create)
1330
+
1331
+ assert_nothing_raised { object.update_attributes(:attr_2 => 2) }
1332
+ object.reload
1333
+ assert_equal 2, object.attr_2
1334
+ object.destroy
1335
+ assert_raise ActiveRecord::RecordNotFound do
1336
+ TestModelSecurityModel.find(object.id)
1337
+ end
1338
+ end
1339
+
1340
+ def test_model_security_write_not_allowed_no_privilege
1341
+ reader = Authorization::Reader::DSLReader.new
1342
+ reader.parse %{
1343
+ authorization do
1344
+ role :test_role do
1345
+ has_permission_on :test_model_security_models do
1346
+ to :read, :create, :update, :delete
1347
+ if_attribute :attr => is { 1 }
1348
+ end
1349
+ end
1350
+ role :test_role_restricted do
1351
+ end
1352
+ end
1353
+ }
1354
+ Authorization::Engine.instance(reader)
1355
+
1356
+ Authorization.current_user = MockUser.new(:test_role)
1357
+ assert(object = TestModelSecurityModel.create)
1358
+
1359
+ Authorization.current_user = MockUser.new(:test_role_restricted)
1360
+ assert_raise Authorization::NotAuthorized do
1361
+ object.update_attributes(:attr_2 => 2)
1362
+ end
1363
+ end
1364
+
1365
+ def test_model_security_write_not_allowed_wrong_attribute_value
1366
+ reader = Authorization::Reader::DSLReader.new
1367
+ reader.parse %{
1368
+ authorization do
1369
+ role :test_role_unrestricted do
1370
+ has_permission_on :test_model_security_models do
1371
+ to :read, :create, :update, :delete
1372
+ end
1373
+ end
1374
+ role :test_role do
1375
+ has_permission_on :test_model_security_models do
1376
+ to :read, :create, :update, :delete
1377
+ if_attribute :attr => is { 1 }
1378
+ end
1379
+ end
1380
+ end
1381
+ }
1382
+ Authorization::Engine.instance(reader)
1383
+
1384
+ Authorization.current_user = MockUser.new(:test_role)
1385
+ assert(object = TestModelSecurityModel.create)
1386
+ assert_raise Authorization::AttributeAuthorizationError do
1387
+ TestModelSecurityModel.create :attr => 2
1388
+ end
1389
+ object = TestModelSecurityModel.create
1390
+ assert_raise Authorization::AttributeAuthorizationError do
1391
+ object.update_attributes(:attr => 2)
1392
+ end
1393
+ object.reload
1394
+
1395
+ assert_nothing_raised do
1396
+ object.update_attributes(:attr_2 => 1)
1397
+ end
1398
+ assert_raise Authorization::AttributeAuthorizationError do
1399
+ object.update_attributes(:attr => 2)
1400
+ end
1401
+ end
1402
+
1403
+ def test_model_security_with_and_without_find_restrictions
1404
+ reader = Authorization::Reader::DSLReader.new
1405
+ reader.parse %{
1406
+ authorization do
1407
+ role :test_role_unrestricted do
1408
+ has_permission_on :test_model_security_models do
1409
+ to :read, :create, :update, :delete
1410
+ end
1411
+ end
1412
+ role :test_role do
1413
+ has_permission_on :test_model_security_models do
1414
+ to :read, :create, :update, :delete
1415
+ if_attribute :attr => is { 1 }
1416
+ end
1417
+ end
1418
+ end
1419
+ }
1420
+ Authorization::Engine.instance(reader)
1421
+
1422
+ Authorization.current_user = MockUser.new(:test_role_unrestricted)
1423
+ object = TestModelSecurityModel.create :attr => 2
1424
+ object_with_find = TestModelSecurityModelWithFind.create :attr => 2
1425
+ Authorization.current_user = MockUser.new(:test_role)
1426
+ assert_nothing_raised do
1427
+ object.class.find(object.id)
1428
+ end
1429
+ assert_raise Authorization::AttributeAuthorizationError do
1430
+ object_with_find.class.find(object_with_find.id)
1431
+ end
1432
+ end
1433
+
1434
+ def test_model_security_delete_unallowed
1435
+ reader = Authorization::Reader::DSLReader.new
1436
+ reader.parse %{
1437
+ authorization do
1438
+ role :test_role_unrestricted do
1439
+ has_permission_on :test_model_security_models do
1440
+ to :read, :create, :update, :delete
1441
+ end
1442
+ end
1443
+ role :test_role do
1444
+ has_permission_on :test_model_security_models do
1445
+ to :read, :create, :update, :delete
1446
+ if_attribute :attr => is { 1 }
1447
+ end
1448
+ end
1449
+ end
1450
+ }
1451
+ Authorization::Engine.instance(reader)
1452
+
1453
+ Authorization.current_user = MockUser.new(:test_role_unrestricted)
1454
+ object = TestModelSecurityModel.create :attr => 2
1455
+ Authorization.current_user = MockUser.new(:test_role)
1456
+
1457
+ assert_raise Authorization::AttributeAuthorizationError do
1458
+ object.destroy
1459
+ end
1460
+ end
1461
+
1462
+ def test_model_security_changing_critical_attribute_unallowed
1463
+ reader = Authorization::Reader::DSLReader.new
1464
+ reader.parse %{
1465
+ authorization do
1466
+ role :test_role_unrestricted do
1467
+ has_permission_on :test_model_security_models do
1468
+ to :read, :create, :update, :delete
1469
+ end
1470
+ end
1471
+ role :test_role do
1472
+ has_permission_on :test_model_security_models do
1473
+ to :read, :create, :update, :delete
1474
+ if_attribute :attr => is { 1 }
1475
+ end
1476
+ end
1477
+ end
1478
+ }
1479
+ Authorization::Engine.instance(reader)
1480
+
1481
+ Authorization.current_user = MockUser.new(:test_role_unrestricted)
1482
+ object = TestModelSecurityModel.create :attr => 2
1483
+ Authorization.current_user = MockUser.new(:test_role)
1484
+
1485
+ # TODO before not checked yet
1486
+ #assert_raise Authorization::AuthorizationError do
1487
+ # object.update_attributes(:attr => 1)
1488
+ #end
1489
+ end
1490
+
1491
+ def test_model_security_no_role_unallowed
1492
+ reader = Authorization::Reader::DSLReader.new
1493
+ reader.parse %{
1494
+ authorization do
1495
+ end
1496
+ }
1497
+ Authorization::Engine.instance(reader)
1498
+
1499
+ Authorization.current_user = MockUser.new(:test_role_2)
1500
+ assert_raise Authorization::NotAuthorized do
1501
+ TestModelSecurityModel.create
1502
+ end
1503
+ end
1504
+
1505
+ def test_model_security_with_assoc
1506
+ reader = Authorization::Reader::DSLReader.new
1507
+ reader.parse %{
1508
+ authorization do
1509
+ role :test_role do
1510
+ has_permission_on :test_model_security_models do
1511
+ to :create, :update, :delete
1512
+ if_attribute :test_attrs => contains { user }
1513
+ end
1514
+ end
1515
+ end
1516
+ }
1517
+ Authorization::Engine.instance(reader)
1518
+
1519
+ test_attr = TestAttr.create
1520
+ test_attr.role_symbols << :test_role
1521
+ Authorization.current_user = test_attr
1522
+ assert(object = TestModelSecurityModel.create(:test_attrs => [test_attr]))
1523
+ assert_nothing_raised do
1524
+ object.update_attributes(:attr_2 => 2)
1525
+ end
1526
+ without_access_control do
1527
+ object.reload
1528
+ end
1529
+ assert_equal 2, object.attr_2
1530
+ object.destroy
1531
+ assert_raise ActiveRecord::RecordNotFound do
1532
+ TestModelSecurityModel.find(object.id)
1533
+ end
1534
+ end
1535
+
1536
+ def test_model_security_with_update_attrbributes
1537
+ reader = Authorization::Reader::DSLReader.new
1538
+ reader.parse %{
1539
+ authorization do
1540
+ role :test_role do
1541
+ has_permission_on :test_model_security_models, :to => :update do
1542
+ if_attribute :test_attrs => { :branch => is { user.branch }}
1543
+ end
1544
+ end
1545
+ end
1546
+ }
1547
+ Authorization::Engine.instance(reader)
1548
+
1549
+ params = {
1550
+ :model_data => { :attr => 11 }
1551
+ }
1552
+
1553
+ test_attr = TestAttr.create!(:branch => Branch.create!)
1554
+ test_model = without_access_control do
1555
+ TestModelSecurityModel.create!(:test_attrs => [test_attr])
1556
+ end
1557
+
1558
+ with_user MockUser.new(:test_role, :branch => test_attr.branch) do
1559
+ assert_nothing_raised do
1560
+ test_model.update_attributes(params[:model_data])
1561
+ end
1562
+ end
1563
+ without_access_control do
1564
+ assert_equal params[:model_data][:attr], test_model.reload.attr
1565
+ end
1566
+
1567
+ TestAttr.delete_all
1568
+ TestModelSecurityModel.delete_all
1569
+ Branch.delete_all
1570
+ end
1571
+
1572
+ def test_using_access_control
1573
+ assert !TestModel.using_access_control?
1574
+ assert TestModelSecurityModel.using_access_control?
1575
+ end
1576
+
1577
+ def test_authorization_permit_association_proxy
1578
+ reader = Authorization::Reader::DSLReader.new
1579
+ reader.parse %{
1580
+ authorization do
1581
+ role :test_role do
1582
+ has_permission_on :test_attrs, :to => :read do
1583
+ if_attribute :test_model => {:content => "content" }
1584
+ end
1585
+ end
1586
+ end
1587
+ }
1588
+ engine = Authorization::Engine.instance(reader)
1589
+
1590
+ test_model = TestModel.create(:content => "content")
1591
+ assert engine.permit?(:read, :object => test_model.test_attrs,
1592
+ :user => MockUser.new(:test_role))
1593
+ assert !engine.permit?(:read, :object => TestAttr.new,
1594
+ :user => MockUser.new(:test_role))
1595
+ TestModel.delete_all
1596
+ end
1597
+
1598
+ def test_multiple_roles_with_has_many_through
1599
+ reader = Authorization::Reader::DSLReader.new
1600
+ reader.parse %{
1601
+ authorization do
1602
+ role :test_role_1 do
1603
+ has_permission_on :test_models, :to => :read do
1604
+ if_attribute :test_attr_throughs => contains {user.test_attr_through_id},
1605
+ :content => 'test_1'
1606
+ end
1607
+ end
1608
+
1609
+ role :test_role_2 do
1610
+ has_permission_on :test_models, :to => :read do
1611
+ if_attribute :test_attr_throughs_2 => contains {user.test_attr_through_2_id},
1612
+ :content => 'test_2'
1613
+ end
1614
+ end
1615
+ end
1616
+ }
1617
+ Authorization::Engine.instance(reader)
1618
+
1619
+ test_model_1 = TestModel.create! :content => 'test_1'
1620
+ test_model_2 = TestModel.create! :content => 'test_2'
1621
+ test_model_1.test_attrs.create!.test_attr_throughs.create!
1622
+ test_model_2.test_attrs.create!.test_attr_throughs.create!
1623
+
1624
+ user = MockUser.new(:test_role_1, :test_role_2,
1625
+ :test_attr_through_id => test_model_1.test_attr_throughs.first.id,
1626
+ :test_attr_through_2_id => test_model_2.test_attr_throughs.first.id)
1627
+ assert_equal 2, TestModel.with_permissions_to(:read, :user => user).length
1628
+ TestModel.delete_all
1629
+ TestAttr.delete_all
1630
+ TestAttrThrough.delete_all
1631
+ end
1632
+
1633
+ def test_model_permitted_to
1634
+ reader = Authorization::Reader::DSLReader.new
1635
+ reader.parse %{
1636
+ authorization do
1637
+ role :test_role do
1638
+ has_permission_on :companies, :to => :read do
1639
+ if_attribute :name => "company_1"
1640
+ end
1641
+ end
1642
+ end
1643
+ }
1644
+ Authorization::Engine.instance(reader)
1645
+
1646
+ user = MockUser.new(:test_role)
1647
+ allowed_read_company = Company.new(:name => 'company_1')
1648
+ prohibited_company = Company.new(:name => 'company_2')
1649
+
1650
+ assert allowed_read_company.permitted_to?(:read, :user => user)
1651
+ assert !allowed_read_company.permitted_to?(:update, :user => user)
1652
+ assert !prohibited_company.permitted_to?(:read, :user => user)
1653
+
1654
+ executed_block = false
1655
+ allowed_read_company.permitted_to?(:read, :user => user) do
1656
+ executed_block = true
1657
+ end
1658
+ assert executed_block
1659
+
1660
+ executed_block = false
1661
+ prohibited_company.permitted_to?(:read, :user => user) do
1662
+ executed_block = true
1663
+ end
1664
+ assert !executed_block
1665
+
1666
+ assert_nothing_raised do
1667
+ allowed_read_company.permitted_to!(:read, :user => user)
1668
+ end
1669
+ assert_raise Authorization::NotAuthorized do
1670
+ prohibited_company.permitted_to!(:update, :user => user)
1671
+ end
1672
+ assert_raise Authorization::AttributeAuthorizationError do
1673
+ prohibited_company.permitted_to!(:read, :user => user)
1674
+ end
1675
+ end
1676
+
1677
+ def test_model_permitted_to_with_modified_context
1678
+ reader = Authorization::Reader::DSLReader.new
1679
+ reader.parse %{
1680
+ authorization do
1681
+ role :test_role do
1682
+ has_permission_on :companies, :to => :read
1683
+ end
1684
+ end
1685
+ }
1686
+ Authorization::Engine.instance(reader)
1687
+
1688
+ user = MockUser.new(:test_role)
1689
+ allowed_read_company = SmallCompany.new(:name => 'small_company_1')
1690
+
1691
+ assert allowed_read_company.permitted_to?(:read, :user => user)
1692
+ assert !allowed_read_company.permitted_to?(:update, :user => user)
1693
+ end
1694
+ end