trust 0.8.3 → 1.4.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: bea262c912622b51eaedfc53386184b45cdd8a04
-  data.tar.gz: 1ad4cc3eb35a3d7805cc0c4a9188b6c305834031
+  metadata.gz: 5f4f6f8b277d792ad153c664b08a0dedf92d6ef4
+  data.tar.gz: 498d30e412516e48c926724fca6a1425a40e4264
 SHA512:
-  metadata.gz: 5c7fca96476142ca771e324a1bdc184f6d77a12b5b585160b522ebb205086e9361614b9a00d7b0de9ac066d3e35e02ff5fd953bb77621d617e3454b7afffa620
-  data.tar.gz: 8573bc74bc4824c35c78a11d387d2c46e12f568c387aa4828fbe919b6b56f3748456c2de94698227e85d65b0be34c305c690d697c01d9f021885a696f78095a6
+  metadata.gz: f0ff733d503944e905020986f6acb716dffa5a5b325d8d4752f0f3e34704df25e6cf5069e67fe18c6dcecad1d81ceb4d17d0934c210a144caf88ec7012e3e386
+  data.tar.gz: c9ebe76c73d95820d0a3151e466624e9b6a3e08793fae6e2801a3c9735a8eab46b89ce6909f2c6222d4663a127cd4479c896d842b6d922acfa198185f68fe856

data/README.md

@@ -59,9 +59,33 @@ module Permissions
       parent && parent.is_a?(Client) && parent.operators.find(user.id)
     end
   end
+  
+  
+  class Voucher < Default
+    member_roles :accountant do
+      can :edit, :show, :if => :associated_with_client?
+    end
+    def members_role()
+      user.member_role( subject_or_parent.team )
+    end
+  end
+
+  # Rails 4 - definitions for  strong_params
+  class Invoice < Default
+    require :invoice          # requires :invoice hash. This is set by default, so in practice not necessary to define
+    permit :date, :due_days   # permitted parameters
+    role :accountant do
+      can :edit, :show, :if => :associated_with_client?
+    end
+    role :department_manager, :accountant do
+      can :new, :create, :if => lambda { parent }, permit: [:date, :due_days, :discount]
+    end
+  end
 end
 ```
 
+The members_role can be implemented if a user has multiple roles such as memberships of teams, projects or similar. 
+
 The following attributes will be accessible in a Permissions class:
 
 * ```subject``` - the resource that is currently being tested for authorization
@@ -88,7 +112,7 @@ class AccountsController < ApplicationController
 end
 ```
 
-The trustee statement will set up 3 before_filters in your controller:
+The trustee statement will set up 3 before_filters (before_actions) in your controller:
   
 ``` Ruby
 before_filter :set_user
@@ -214,6 +238,14 @@ You can even assign these if you like. The resource is also exposed as helper, s
 For simplicity we have also exposed an ```instances``` accessor that you can assign when you have a multirecord result,
 such as for index action.
 
+Accessing strong_params for updates (rails 4)
+
+``` Ruby
+  @invoice.update_attributes(resource.strong_params)
+  # or
+  resource.instance.update_attributes(resource.strong_params)
+```
+
 ## Overriding defaults
 
 ### Overriding resource permits in the controller

data/lib/trust.rb

@@ -22,6 +22,7 @@
 # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
 # WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
+require 'active_support/configurable'
 require 'trust/exceptions'
 require 'trust/inheritable_attribute'
 module Trust
@@ -30,6 +31,14 @@ module Trust
   autoload :Authorization,      'trust/authorization'
   autoload :ActiveModel,        'trust/active_model'
   autoload :Actor,              'trust/actor'
+  
+  include ActiveSupport::Configurable
+  
+  config_accessor :log_level
+  
+  def self.rails_generation
+    @@__generation ||= Rails.version.split('.')[0].to_i
+  end
 end
 require 'trust/controller'
 class ActionController::Base

data/lib/trust/authorization.rb

@@ -25,6 +25,10 @@
 module Trust
   # = Trust Authorization
   class Authorization
+    
+    # raised if attempting to do resource related operations and resource is not passed on to the Authorization object
+    class ResourceNotLoaded < StandardError; end
+    
     class << self
       
       # Returns true if user is authorized to perform +action+ on +object+ or +class+.
@@ -39,25 +43,13 @@ module Trust
       # 
       # This method is called by the +can?+ method in Trust::Controller, and is normally 
       # not necessary to call directly.
-      def authorized?(action, object_or_class, *args)
-        options = args.extract_options!
-        parent = options[:parent] || options[:for] || args.first
-        actor = options[:by] || user
-        if object_or_class.is_a? Class
-          klass = object_or_class
-          object = nil
-        else
-          klass = object_or_class.class
-          object = object_or_class
-        end
-        # Identify which class to instanciate and then check authorization
-        auth = authorizing_class(klass)
-        # Rails.logger.debug "Trust: Authorizing class for #{klass.name} is #{auth.name}"
-        auth.new(actor, action.to_sym, klass, object, parent).authorized?
+      def authorized?(action, object_or_class_or_resource, *args)
+        new(action, object_or_class_or_resource, *args).authorized?
       end
       
       # Tests if user is authorized to perform +action+ on +object+ or +class+, with the 
       # optional parent and raises Trust::AccessDenied exception if not permitted.
+      # If user is authorized, sets the params_handler for the resource.
       #
       # Options:
       #
@@ -70,15 +62,8 @@ module Trust
       # * +:message+ - The message to be passed onto the AccessDenied exception class      
       #
       # This method is used by the +access_control+ method in Trust::Controller
-      def authorize!(action, object_or_class, *args)
-        options = args.extract_options!
-        parent = options[:parent] || options[:for] || args.first
-        message = options[:message]
-        access_denied!(message, action, object_or_class, parent) unless authorized?(action, object_or_class, parent, options)
-      end
-      
-      def access_denied!(message = nil, action = nil, subject = nil, parent = nil) #:nodoc:
-        raise AccessDenied.new(message, action, subject)
+      def authorize!(action, object_or_class_or_resource, *args)
+        new(action, object_or_class_or_resource, *args).authorize!
       end
       
       # Returns the current +user+ being used in the authorization process
@@ -91,20 +76,82 @@ module Trust
       def user=(user)
         Thread.current["current_user"] = user
       end
-      
-    private
-      def authorizing_class(klass) #:nodoc:
-        auth = nil
-        klass.ancestors.each do |k|
-          break if k == ::ActiveRecord::Base
-          begin
-            auth = "::Permissions::#{k}".constantize
-            break
-          rescue
-          end
+    end
+    
+    attr_reader :authorization, :action, :resource, :klass, :object, :parent, :actor
+    
+    delegate :user, to: :class
+    
+    def initialize(action, resource_object_or_class, *args)
+      options = args.extract_options!
+      @action = action.to_sym
+      if resource_object_or_class.is_a? Trust::Controller::Resource
+        @resource = resource_object_or_class
+        @klass = resource.klass
+        @object = resource.instance
+        @actor = options[:by] || user
+        @parent = resource.parent
+      else
+        @parent = options[:parent] || options[:for] || args.first
+        @actor = options[:by] || user
+        if resource_object_or_class.is_a? Class
+          @klass = resource_object_or_class
+          @object = nil
+        else
+          @klass = resource_object_or_class.class
+          @object = resource_object_or_class
+        end
+      end
+      auth = authorizing_class
+      # Rails.logger.debug "Trust: Authorizing class for #{klass.name} is #{auth.name}"
+      @authorization = auth.new(@actor, @action, @klass, @object, @parent)
+    end
+
+    def access_denied!(message = nil, action = nil, subject = nil, parent = nil) #:nodoc:
+      raise AccessDenied.new(message, action, subject)
+    end
+
+    def authorize!
+      if perm = permissions
+        resource.params_handler = perm
+      else
+        access_denied!(nil, action, object || klass)
+      end
+    end
+
+    def authorized?
+      !!permissions
+    end
+    
+    def instance_loaded(instance)
+      @authorization.subject = instance
+    end
+    
+    # Preloads resource require and permit attributes, so that new objects can be initialized properly
+    # raises ResourceNotLoaded if Authorization object was not initialized with a resource object
+    def preload
+      raise ResourceNotLoaded unless resource
+      resource.params_handler = authorization.preload
+    end
+    
+    def permissions
+      authorization.authorized?
+    end
+    
+
+  private
+    def authorizing_class #:nodoc:
+      auth = nil
+      klass.ancestors.each do |k|
+        break if k == ::ActiveRecord::Base
+        begin
+          auth = "::Permissions::#{k}".constantize
+          break
+        rescue
         end
-        auth || ::Permissions::Default
       end
+      auth || ::Permissions::Default
     end
+  
   end
 end

data/lib/trust/controller.rb

@@ -98,7 +98,7 @@ module Trust
           set_user *args
           load_resource *args
           access_control *args
-          helper_method :can?, :resource
+          helper_method :can?, :resource, :resource?
         end
       end
       
@@ -136,12 +136,22 @@ module Trust
       end
       
     private
-      def _filter_setting(method, *args)
-        options = args.extract_options!
-        skip_before_filter method
-        unless args.include? :off or options[method] == :off
-          before_filter method, options
+      if Trust.rails_generation < 4
+        def _filter_setting(method, *args)
+          options = args.extract_options!
+          skip_before_filter method
+          unless args.include? :off or options[method] == :off
+            before_filter method, options
+          end
         end
+      else
+        def _filter_setting(method, *args)
+          options = args.extract_options!
+          skip_before_action method
+          unless args.include? :off or options[method] == :off
+            before_action method, options
+          end
+        end        
       end
     end
     
@@ -183,19 +193,33 @@ module Trust
         @resource ||= Trust::Controller::Resource.new(self, self.class.properties, action_name, params, request)
       end
       
+      # Returns true if resource has been loaded
+      def resource?
+        !@resource.nil?
+      end
       # Loads the resource which basically means loading the instance and eventual parent defined through +belongs_to+
       #
       # This method is triggered as a callback on +before_filter+
       # See {Trust::Controller::Resource} for more information
       def load_resource
-        resource.load
+        if resource.new_action?
+          authorization.preload
+          authorization.instance_loaded resource.load # need to set instance on authorizing object
+        else
+          resource.load
+        end
       end
       
       # Performs the actual access_control.
       #
       # This method is triggered as a callback on +before_filter+
       def access_control
-        Trust::Authorization.authorize!(action_name, resource.instance || resource.klass, resource.parent)
+        authorization.authorize!
+      end
+
+      # maintains access to the authorization object
+      def authorization
+        @authorization ||= Trust::Authorization.new(action_name, resource)
       end
 
       # Tests for current users permissions.

data/lib/trust/controller/properties.rb

@@ -83,6 +83,18 @@ module Trust
         model.to_s.classify.constantize
       end
       
+      # => true if action is a new_action
+      def new_action?(action)
+        new_actions.include? action.to_sym
+      end
+      # => true if action is a collection_action
+      def collection_action?(action)
+        collection_actions.include? action.to_sym
+      end
+      # => true if action is a member_action
+      def member_action?(action)
+        member_actions.include? action.to_sym
+      end
       # Specify associated resources (nested resources)
       #
       # === Example

data/lib/trust/controller/resource.rb

@@ -44,14 +44,16 @@ module Trust
       delegate :logger, :to => Rails
       attr_reader :properties, :params, :action
       attr_reader :info, :parent_info, :relation
+      attr_reader :params_handler
 
       def initialize(controller, properties, action_name, params, request) # nodoc
         @action = action_name.to_sym
-        
+        @params_handler = {}
         @controller, @properties, @params = controller, properties, params
         @info = extract_resource_info(properties.model, params)
         if properties.has_associations?
           @parent_info = extract_parent_info(properties.associations, params, request)
+          self.parent = parent_info.object if parent_info
         end
         @relation = @info.relation(@parent_info)
       end
@@ -73,7 +75,7 @@ module Trust
         @controller.instance_variable_set(:"@#{instance_name}", instance)
       end      
       
-      # Returns the parameters for the instance
+      # Returns the parameters for the instance (Rails 3)
       #
       # ==== Example
       #
@@ -82,15 +84,53 @@ module Trust
       def instance_params
         info.params
       end
+      
+      # Returns strong parameters for the instance (Rails 4)
+      # This call will take advantage of the spesified in permissions.
+      # If no such permissions is defined, it will fall back to instance_params
+      #
+      # ==== Example
+      #
+      #     # assume the following permissions defined
+      #     class Account < Default
+      #       require :account
+      #       permit :number, :amount
+      #     end
+      #
+      #     # in AccountsController
+      #     resource.strong_params  # same as params.require(:account).permit(:number, :amount)
+      #
+      #     # as a new action
+      #     resource.strong_params(true)  # same as params.fetch(:account, {}).permit(:number, :amount)
+      # 
+      def strong_params(new_action = new_action?)
+        if params_handler.size > 0
+          if params_handler[:require]
+            new_action ? 
+              params.fetch(params_handler[:require], {}).permit(params_handler[:permit]) : 
+              params.require(params_handler[:require]).permit(params_handler[:permit])
+          else
+            params.permit(params_handler[:permit])
+          end
+        else
+          instance_params
+        end
+      end
+
+      if Trust.rails_generation < 4
+        def strong_params(new_action = new_action?)
+          instance_params
+        end
+      end
 
       # Returns the parents instance variable when you use +belongs_to+ for nested routes
       def parent
-        @controller.instance_variable_get(:"@#{parent_name}")
+        parent_name && @controller.instance_variable_get(:"@#{parent_name}")
       end
       
       # Sets the parent instance variable
       def parent=(instance)
-        @controller.instance_variable_set(:"@#{parent_name}", instance)
+        @controller.instance_variable_set(:"@#{parent_name}", instance) if parent_name
       end
 
       # Returns the cinstance variable for ollection
@@ -124,6 +164,25 @@ module Trust
         @info.collection(@parent_info, instance)
       end
       
+      # true if action is a collection action
+      def collection_action?
+        @collection_action ||= properties.collection_action?(action)
+      end
+      
+      # true if action is a collection action
+      def member_action?
+        @member_action ||= properties.member_action?(action)
+      end
+      
+      # Returns a nested resource if parent is set
+      def nested
+        parent ? [parent, instance] : [instance]
+      end
+      
+      # true if action is a new action
+      def new_action?
+        @new_action ||= properties.new_action?(action)
+      end
       
       # Loads the resource
       #
@@ -133,11 +192,10 @@ module Trust
       # If using nested resources and +belongs_to+ has been declared in the controller it will use the 
       # parent relation if found.
       def load
-        self.parent = parent_info.object if parent_info
-        if properties.new_actions.include?(action)
-#          logger.debug "Trust.load: Setting new: class: #{klass} info.params: #{info.params.inspect}"
-          self.instance ||= relation.new(info.params)
-          @controller.send(:build, action) if @controller.respond_to?(:build,true)
+        if new_action?
+#         logger.debug "Trust.load: Setting new: class: #{klass} strong_params: #{strong_params.inspect}"
+          self.instance ||= relation.new(strong_params)
+          @controller.send(:build, action) if @controller.respond_to?(:build, true)
         elsif properties.member_actions.include?(action)
 #          logger.debug "Trust.load: Finding parent: #{parent.inspect}, relation: #{relation.inspect}"
           self.instance ||= relation.find(params[:id] || params["#{relation.name.underscore}_id".to_sym])
@@ -157,6 +215,16 @@ module Trust
         info.name
       end
       
+      # Assigns the handler for safe parameters
+      #
+      # This is normally set by the controller during authorization
+      # If you want to set this your self it should
+      def params_handler=(handler)
+        @params_handler = handler
+      end
+      
+      
+      
       # Returns the plural name of the instance for the resource
       #
       # ==== Example
@@ -322,11 +390,11 @@ module Trust
           @as = as
           ([@klass] + @klass.descendants).detect do |c|
             @name = c.to_s.underscore.tr('/','_').to_sym
-            unless @id = request.symbolized_path_parameters["#{@name}_id".to_sym]
+            unless @id = request.path_parameters["#{@name}_id".to_sym]
               # see if name space handling is necessary
               if c.to_s.include?('::')
                 @name = c.to_s.demodulize.underscore.to_sym
-                @id = request.symbolized_path_parameters["#{@name}_id".to_sym]
+                @id = request.path_parameters["#{@name}_id".to_sym]
               end
             end
             @id