trust 0.8.3 → 1.4.2

data/lib/trust/permissions.rb

@@ -109,16 +109,25 @@ module Trust
   #
   class Permissions
     
+    class SubjectInaccessible < StandardError; end
+    
     include InheritableAttribute
-    attr_reader :user, :action, :klass, :subject, :parent
+    attr_reader :user, :action, :klass, :parent
+    attr_accessor :subject
     inheritable_attr :permissions
+    inheritable_attr :member_permissions
+    inheritable_attr :entity_required    
+    inheritable_attr :entity_attributes    
     class_attribute :action_aliases, :instance_writer => false, :instance_reader => false
     self.permissions = {}
+    self.member_permissions = {}
+    self.entity_required = nil      # for require
+    self.entity_attributes = []     # for permit
     self.action_aliases = {
-      read: [:index, :show],
-      create: [:create, :new],
-      update: [:update, :edit],
-      manage: [:index, :show, :create, :new, :update, :edit, :destroy]
+      # read: [:index, :show],
+      # create: [:create, :new],
+      # update: [:update, :edit],
+      # manage: [:index, :show, :create, :new, :update, :edit, :destroy]
       }
     @@can_expressions = 0
   
@@ -140,25 +149,77 @@ module Trust
       @user, @action, @klass, @subject, @parent = user, action, klass, subject, parent
     end
   
-    # Returns true if the user is authorized to perform the action
+    # Returns params_handler if the user is authorized to perform the action
+    #
+    # The handler contains information used by the resource on retrieing parametes later
     def authorized?
-      authorized = nil
-      user && user.role_symbols.each do |role|
-        (permissions[role] || {}).each do |act, opt|
-          if act == action
-            break if (authorized = opt.any? ? eval_expr(opt) : true)
-          end
-        end
-        break if authorized
+      trace 'authorized?', 0, "@user: #{@user.inspect}, @action: #{@action.inspect}, @klass: #{@klass.inspect}, @subject: #{@subject.inspect}, @parent: #{@parent.inspect}"
+      if params_handler = (user && (permission_by_role || permission_by_member_role))
+        params_handler = params_handler_default(params_handler)
       end
-      authorized
+      params_handler
     end
-  
-  protected
+
+    def preload
+      @preload = true
+      params_handler = authorized? || {}
+      @preload = false
+      params_handler
+    end
+
+    # Implement this in your permissions class if using membership roles
+    #
+    # One example is that you have teams or projects that have members with role and you want to 
+    # Authorize against that role instead of any of the roles associated with the user directly
+    #
+    # === Example:
+    #
+    #   class Sprint < Trust::Permissions
+    #     member_role :scrum_master, can(:update)
+    #     def members_role()
+    #       @members_role ||= subject.memberships.where(user_id: user.id).first.role_symbol
+    #     end
+    def members_role()
+      {}
+    end
+    
+    # Returns subject if subject is an instance, otherwise parent
+    # 
+    def subject_or_parent
+      (@subject.nil? || subject.is_a?(Class)) ? parent : subject
+    end
+    
+    def subject
+      raise SubjectInaccessible, 'You cannot access subject when declaring require or permit for new_actions. You may test with :preload?' if @preload
+      @subject
+    end
+    
+    # returns true if permissions are currently being preloaded
+    # In new_actions, the framework must load require and permit in order to set permitted variables before the authorization can be
+    # evaluated. At that time, the subject is not accessible by permissions.
+    # It is not mandatory to use this, but you may test on this in yor permissions file if necessary.
+    #
+    # === Example:
+    #
+    #   module Permissions
+    #     class Account < Trust::Permissions
+    #       role :admin, :accountant do 
+    #         can :create, :new, require: :account, permit: [:number, :amount, :comment], if: :preload?
+    #         can :create, :new, require: :account, permit: [:number, :amount, :comment], if: :valid_amount?, unless: :preload?
+    #       end
+    #     end
+    #   end
+    def preload?
+      @preload
+    end
+    
+  private
     def eval_expr(options) #:nodoc:
-      options.collect do |oper, expr|
+      params_handler = {}
+      found = options.collect do |oper, expr|
         res = case expr
-        when Symbol then send(expr)
+        when Symbol
+          [:if, :unless].include?(oper) ? send(expr) : expr
         when Proc
           if expr.lambda?
             instance_exec &expr
@@ -172,13 +233,85 @@ module Trust
         case oper
         when :if then res
         when :unless then !res
+        when :require
+          params_handler[:require] = res
+          true
+        when :permit
+          params_handler[:permit] = Array.wrap(res)
+          true
         else
           raise UnsupportedCondition, expr.inspect
         end
       end.all?
+      found && params_handler
     end
-  
+    
+    def permission_by_role
+      auth = nil
+      trace 'authorize_by_role?', 0, "#{user.try(:name)}"
+      user.role_symbols.any? do |role| 
+        trace 'authorize_by_role?', 1, "#{role}"
+        if p = permissions[role]
+          trace 'authorize_by_role?', 2, "permissions: #{p.inspect}"          
+          auth = authorization(p)
+        end
+      end
+      auth
+    end
+    
+    # Checks is a member is authorized
+    # You will need to implement members_role in permissions yourself
+    def permission_by_member_role
+      m = members_role
+      trace 'authorize_by_member_role?', 0, "#{user.try(:name)}:#{m}"
+      p = member_permissions[m]
+      trace 'authorize_by_role?', 1, "permissions: #{p.inspect}"      
+      p && authorization(p)
+    end
+    
+    def authorization(permissions = {})
+      auth = nil
+      permissions.any? do |act, opt|
+        auth = (opt.any? ? eval_expr(opt) : {}) if act == action
+      end
+      trace( 'authorization', 2, "got permission!") if auth
+      auth
+    end
+
+    # sets default values for params_handler if keys does not exist.
+    # note: if keys exists, they can be nil, and they will not be set to default
+    def params_handler_default(params_handler)
+      params_handler[:require] = (self.class.entity_required || route_key(@klass)) unless params_handler.has_key?(:require)
+      params_handler[:permit] = self.class.entity_attributes unless params_handler.has_key?(:permit)
+      params_handler
+    end
+
+    def route_key(klass)
+      klass.name.to_s.underscore.tr('/','_').to_sym
+    end
+
+    def trace(method, indent = 0, msg = nil)
+      return unless Trust.log_level == :trace
+      Rails.logger.debug "#{self.class.name}.#{method}: #{"\t" * indent}#{msg}"
+    end
+    
     class << self
+      # Assign default requirement for whitelisting paremeters
+      #
+      # See {ActionController::Parameters.require} for how this works in Rails
+      # 
+      def require(entity)
+        self.entity_required = entity
+      end
+      
+      # Assign default permissions for whitelisting paremeter attributes
+      #
+      # See {ActionController::Parameters.permit} for how this works in Rails
+      # 
+      def permit(*attrs)
+        self.entity_attributes = attrs.dup
+      end
+      
       # Assign permissions to one or more roles.
       #
       # You may call role or roles, they are the same function like +role :admin+ or +roles :admin, :accountant+
@@ -206,6 +339,26 @@ module Trust
       # The above permits admin and accountant to read accounts.
       #
       def role(*roles, &block)
+        self.permissions = _role(self.permissions, *roles, &block)
+      end
+      alias :roles :role
+      
+      # Assign permissions to one or more roles on a member role.
+      #
+      # You may call member_role or member_roles, they are the same function like 
+      #   +member_role :scrum_master+ or +member_roles :scrum_master, :product_owner+
+      #
+      # When using this feature, your permission class must respond to members_rols, and return only one role
+      #
+      # See {Trust::Permissions.role} for definition
+      # See {Trust::Permissions.members_role} for how to implement this method
+      #
+      def member_role(*roles, &block)
+        self.member_permissions = _role(self.member_permissions, *roles, &block)
+      end
+      alias :member_roles :member_role
+      
+      def _role(existing_permissions, *roles, &block)
         if block_given?
           if @@can_expressions > 0
             @@can_expressions = 0
@@ -228,18 +381,18 @@ module Trust
           @@can_expressions = 0
         end
         roles.flatten.each do |role|
-          self.permissions[role] ||= []
+          existing_permissions[role] ||= []
           if perms[:cannot] && perms[:cannot].size > 0
             perms[:cannot].each do |p|
-              self.permissions[role].delete_if { |perm| perm[0] == p  }
+              existing_permissions[role].delete_if { |perm| perm[0] == p  }
             end
           end
           if perms[:can] && perms[:can].size > 0
-            self.permissions[role] += perms[:can]
+            existing_permissions[role] += perms[:can]
           end
         end
+        existing_permissions
       end
-      alias :roles :role
   
       # Defines permissions
       #

data/lib/trust/version.rb

@@ -23,5 +23,5 @@
 # WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 module Trust
-  VERSION = "0.8.3"
+  VERSION = "1.4.2"
 end

data/test/dummy/app/controllers/accounts_controller.rb

@@ -77,8 +77,8 @@ class AccountsController < ApplicationController
   # PUT /clients/1/accounts/1.json
   def update
     respond_to do |format|
-      if @account.update_attributes(params[:account])
-        format.html { redirect_to client_account_path(@account), notice: 'Account was successfully updated.' }
+      if @account.update_attributes(resource.strong_params)
+        format.html { redirect_to client_account_path(@account.client, @account), notice: 'Account was successfully updated.' }
         format.json { head :no_content }
       else
         format.html { render action: "edit" }

data/test/dummy/app/controllers/clients_controller.rb

@@ -70,7 +70,7 @@ class ClientsController < ApplicationController
   # PUT /clients/1.json
   def update
     respond_to do |format|
-      if @client.update_attributes(params[:client])
+      if @client.update_attributes(resource.strong_params)
         format.html { redirect_to @client, notice: 'Client was successfully updated.' }
         format.json { head :no_content }
       else

data/test/dummy/app/controllers/mongo_accounts_controller.rb

@@ -64,7 +64,7 @@ class MongoAccountsController < ApplicationController
   def create
     respond_to do |format|
       if @mongo_account.save
-        format.html { redirect_to mongo_client_mongo_account_path(@mongo_account.mongo_client,@mongo_account), notice: 'Account was successfully created.' }
+        format.html { redirect_to mongo_account_path(@mongo_account), notice: 'Account was successfully created.' }
         format.json { render json: @mongo_account, status: :created, location: @mongo_account }
       else
         format.html { render action: "new" }
@@ -77,8 +77,8 @@ class MongoAccountsController < ApplicationController
   # PUT /clients/1/accounts/1.json
   def update
     respond_to do |format|
-      if @mongo_account.update_attributes(params[:mongo_account])
-        format.html { redirect_to mongo_client_mongo_account_path(@mongo_account), notice: 'Account was successfully updated.' }
+      if @mongo_account.update_attributes(resource.strong_params)
+        format.html { redirect_to mongo_account_path(@mongo_account), notice: 'Account was successfully updated.' }
         format.json { head :no_content }
       else
         format.html { render action: "edit" }
@@ -90,10 +90,11 @@ class MongoAccountsController < ApplicationController
   # DELETE /clients/1/accounts/1
   # DELETE /clients/1/accounts/1.json
   def destroy
+    client_id = @mongo_account.mongo_client
     @mongo_account.destroy
 
     respond_to do |format|
-      format.html { redirect_to mongo_client_mongo_accounts_url }
+      format.html { redirect_to mongo_client_mongo_accounts_path(client_id) }
       format.json { head :no_content }
     end
   end

data/test/dummy/app/controllers/mongo_clients_controller.rb

@@ -70,7 +70,7 @@ class MongoClientsController < ApplicationController
   # PUT /clients/1.json
   def update
     respond_to do |format|
-      if @mongo_client.update_attributes(params[:mongo_client])
+      if @mongo_client.update_attributes(resource.strong_params)
         format.html { redirect_to @mongo_client, notice: 'Client was successfully updated.' }
         format.json { head :no_content }
       else

data/test/dummy/app/controllers/users_controller.rb

@@ -64,8 +64,6 @@ class UsersController < ApplicationController
   # POST /users
   # POST /users.json
   def create
-    @user = User.new(params[:user])
-
     respond_to do |format|
       if @user.save
         format.html { redirect_to @user, notice: 'User was successfully created.' }
@@ -80,10 +78,8 @@ class UsersController < ApplicationController
   # PUT /users/1
   # PUT /users/1.json
   def update
-    @user = User.find(params[:id])
-
     respond_to do |format|
-      if @user.update_attributes(params[:user])
+      if @user.update_attributes(resource.strong_params)
         format.html { redirect_to @user, notice: 'User was successfully updated.' }
         format.json { head :no_content }
       else

data/test/dummy/app/models/account.rb

@@ -23,7 +23,7 @@
 # WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 class Account < ActiveRecord::Base
-  attr_accessible :name, :client_id
+  # attr_accessible :name, :client_id
   belongs_to :client
   belongs_to :created_by, :class_name => 'User'
 

data/test/dummy/app/models/client.rb

@@ -23,7 +23,7 @@
 # WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 class Client < ActiveRecord::Base
-  attr_accessible :name
+  # attr_accessible :name
   has_many :accounts
   belongs_to :accountant, :class_name => 'User'
 

data/test/dummy/app/models/permissions.rb

@@ -23,9 +23,12 @@
 # WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 module Permissions
+  Trust::Permissions.action_aliases = {
+    update: [:update, :edit],
+    }
   class Default < Trust::Permissions
     role :system_admin do
-      can :manage
+      can :index, :show, :create, :new, :update, :edit, :destroy
       can :audit
     end
     
@@ -39,20 +42,22 @@ module Permissions
   end
 
   class Client < Default
-    role :accountant, can(:manage)
-    role all, can(:read)
+    role :accountant, can(:index, :show, :create, :new, :update, :edit, :destroy)
+    role all, can(:index, :show)
   end
 
   class MongoClient < Client
   end
   
   class Account < Default
+    require :account
+    permit :name, :client_id
     role :accountant do
-      can :create, :if => :associated_with_client?
-      can :update, :if => :creator?
+      can :new, :create, if: :associated_with_client?
+      can :update, if: :creator?, permit: :name
     end
     role :department_manager, :accountant do
-      can :create, :if => lambda { parent && parent.accountant == :superspecial }
+      can :new, :create, :if => lambda { parent && parent.accountant == :superspecial }
     end
     
     def associated_with_client?
@@ -62,11 +67,11 @@ module Permissions
 
   class MongoAccount < Default
     role :accountant do
-      can :create, :if => :associated_with_client?
+      can :new, :create, :if => :associated_with_client?
       can :update, :if => :creator?
     end
     role :department_manager, :accountant do
-      can :create, :if => lambda { parent && parent.accountant == :superspecial }
+      can :new, :create, :if => lambda { parent && parent.accountant == :superspecial }
     end
     
     def associated_with_client?
@@ -76,10 +81,12 @@ module Permissions
 
   class Account::Credit < Account
     role :guest do
-      can :create, :if => lambda { user.name == 'wife'}
-    end
-    
+      can :new, :create, :if => lambda { user.name == 'wife'}
+    end 
   end
 
+  class User < Default
+    permit :name
+  end
 
 end

data/test/dummy/app/models/user.rb

@@ -23,7 +23,7 @@
 # WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 class User < ActiveRecord::Base
-  attr_accessible :name
+  # attr_accessible :name
 
   def role_symbols
     [ name && name.to_sym]