tuersteher 0.0.6

data/.gitignore

@@ -0,0 +1,2 @@
+pkg
+.idea

data/Manifest

@@ -0,0 +1,9 @@
+lib/tuersteher.rb
+Rakefile
+init.rb
+Manifest
+tuersteher.gemspec
+README.rdoc
+samples/access_rules.rb
+samples/application_controller.rb
+license.txt

data/README.rdoc

@@ -0,0 +1,43 @@
+
+= Tuersteher
+Security-Layer for Rails-Application acts like a firewall.
+It's check your URL's or Modells to have the rights for this.
+
+== Install
+
+  gem install bledig-tuersteher --source http://gems.github.org
+
+
+== Usage
+
+Create in your Rails-Application the rules-file "config/access_rules.rb"
+(or copy the sample from samples-directory and modify)
+
+Here is as small sample for "config/access_rules.rb"
+
+  # Path-Acces-Rules
+  grant_path '/', :get, :all
+  grant_path '/admin-area/', :all, :ADMIN
+
+  # Model-Acces-Rules
+  grant_model Product, :view, :all
+  grant_model Product, :update, :EDITOR do |product, current_user|
+                         product.owner_id == current_user.id
+                       end
+
+Then extend your ApplicationController with:
+
+  include Tuersteher::ControllerExtensions
+  before_filter :check_access # methode is from Tuersteher::ControllerExtensions
+
+Check if your authendicate-system has implemented the methods:
+
+  * current_user
+  * access_denied
+
+If not, just implemen it (see samples/application_controller.rb)
+
+== License
+
+LGPL V3 (see license.txt)
+

data/Rakefile

@@ -0,0 +1,20 @@
+# Rakefile
+require 'rubygems'
+require 'rake'
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gemspec|
+    gemspec.name = "tuersteher"
+    gemspec.summary = "Security-Layer for Rails-Application"
+    gemspec.description = "Security-Layer for Rails-Application acts like a firewall."
+    gemspec.email = "bernd@ledig.info"
+    gemspec.homepage = "http://github.com/bledig/tuersteher"
+    gemspec.authors = ["Bernd Ledig"]
+  end
+rescue LoadError
+  puts "Jeweler not available. Install it with: sudo gem install jeweler -s http://gems.github.com"
+end
+
+Dir["#{File.dirname(__FILE__)}/tasks/*.rake"].sort.each { |ext| load ext }
+

data/VERSION

@@ -0,0 +1 @@
+0.0.6

data/init.rb

@@ -0,0 +1,2 @@
+
+require "tuersteher"

data/lib/tuersteher.rb

@@ -0,0 +1,389 @@
+# Module, welches AccesRules fuer Controller/Actions und
+# Model-Object umsetzt.
+#
+# Die Regeln werden aus der Datei "config/acces_rules.rb" geladen
+#
+# Author: Bernd Ledig
+#
+
+require 'singleton'
+
+module Tuersteher
+
+  # Logger to log messages with timestamp and severity
+  class TLogger < Logger
+    @@logger = nil
+
+    def format_message(severity, timestamp, progname, msg)
+      "#{timestamp.to_formatted_s(:db)} #{severity} #{msg}\n"
+    end
+
+    def self.logger
+      return @@logger if @@logger
+      @@logger = self.new(File.join(Rails.root, 'log', 'tuersteher.log'), 3)
+      @@logger.level = INFO if Rails.env != 'development'
+      @@logger
+    end
+
+    def self.logger= logger
+      @@logger = logger
+    end
+  end
+
+  class AccessRulesStorage
+    include Singleton
+
+    attr_accessor :rules_config_file # to set own access_rules-path
+
+    DEFAULT_RULES_CONFIG_FILE = File.join(Rails.root, 'config', 'access_rules.rb')
+
+    def initialize
+      @path_rules = []
+      @model_rules = []
+    end
+
+    def path_rules
+      read_rules unless @was_read
+      @path_rules
+    end
+
+    def model_rules
+      read_rules unless @was_read
+      @model_rules
+    end
+
+
+    # Laden der AccesRules aus den Dateien
+    #  config/access_rules.rb
+    def read_rules
+      config_file = @rules_config_file || DEFAULT_RULES_CONFIG_FILE
+      rules_file = File.new config_file
+      if @last_mtime.nil? || rules_file.mtime > @last_mtime
+        @last_mtime = rules_file.mtime
+        content = rules_file.read
+        eval content
+        Tuersteher::TLogger.logger.info "Tuersteher::AccessRulesStorage: #{@path_rules.size} path-rules and #{@model_rules.size} model-rules"
+      end
+      rules_file.close
+      @was_read = true
+    end
+
+    # definiert HTTP-Pfad-basierende Zugriffsregel
+    #
+    # path:            :all fuer beliebig, sonst String mit der http-path beginnen muss,
+    #                  wird als RegEX-Ausdruck ausgewertet
+    # method:          http-Methode, es sind hier erlaubt :get, :put, :delete, :post, :all
+    # accepted_roles:  Aufzaehlung der erfoderlichen Rolen (oder-Verknuepfung), es sind nur Symbole zulaessig
+    #                  hier ist auch ein Array von Symbolen möglich
+    def grant_path url_path, http_methode, *accepted_roles
+      @path_rules << PathAccessRule.new(url_path, http_methode, *accepted_roles)
+    end
+
+    # definiert HTTP-Pfad-basierende Ablehnungsregel
+    #
+    # path:            :all fuer beliebig, sonst String mit der http-path beginnen muss,
+    #                  wird als RegEX-Ausdruck ausgewertet
+    # method:          http-Methode, es sind hier erlaubt :get, :put, :delete, :post, :all
+    # accepted_roles:  Aufzaehlung der erfoderlichen Rolen (oder-Verknuepfung), es sind nur Symbole zulaessig
+    #                  hier ist auch ein Array von Symbolen möglich
+    def deny_path url_path, http_methode, *accepted_roles
+      rule = PathAccessRule.new(url_path, http_methode, *accepted_roles)
+      rule.deny = true
+      @path_rules << rule
+    end
+
+    # definiert Model-basierende Zugriffsregel
+    #
+    # model_class:  Model-Klassenname oder :all fuer alle
+    # access_type:  Zugriffsart (:create, :update, :destroy, :all o.A. selbst definierte Typen)
+    # roles         Aufzählung der erforderliche Rolen (:all für ist egal),
+    #               hier ist auch ein Array von Symbolen möglich
+    # block         optionaler Block, wird mit model und user aufgerufen und muss true oder false liefern
+    #               hier ein Beispiel mit Block:
+    #               <code>
+    #                 # Regel, in der sich jeder User selbst aendern darf
+    #                 grant_model(User, :update, :all){|model,user| model.id==user.id}
+    #               </code>
+    #
+    def grant_model model_class, access_type, *roles, &block
+      @model_rules << ModelAccessRule.new(model_class, access_type, *roles, &block)
+    end
+
+  end
+
+  class AccessRules
+
+    # Pruefen Zugriff fuer eine Web-action
+    # user        User, für den der Zugriff geprüft werden soll (muss Methode has_role? haben)
+    # path        Pfad der Webresource (String)
+    # method      http-Methode (:get, :put, :delete, :post), default ist :get
+    #
+    def self.path_access?(user, path, method = :get)
+      rule = AccessRulesStorage.instance.path_rules.detect do |r|
+        r.fired?(path, method, user)
+      end
+      if Tuersteher::TLogger.logger.debug?
+        if rule.nil?
+          s = 'denied'
+        elsif rule.deny
+          s = "denied with #{rule}"
+        else
+          s = "granted with #{rule}"
+        end
+        Tuersteher::TLogger.logger.debug("Tuersteher: path_access?(#{path}, #{method})  =>  #{s}")
+      end
+      rule!=nil && !rule.deny
+    end
+
+    # Pruefen Zugriff auf ein Model-Object
+    #
+    # user        User, für den der Zugriff geprüft werden soll (muss Methode has_role? haben)
+    # model       das Model-Object
+    # permission  das geforderte Zugriffsrecht (:create, :update, :destroy, :get)
+    #
+    # liefert true/false
+    def self.model_access? user, model, permission
+      raise "Wrong call! Use: model_access(model-instance-or-class, permission)" unless permission.is_a? Symbol
+      return false unless model
+
+      access = AccessRulesStorage.instance.model_rules.detect do |rule|
+        rule.has_access? model, permission, user
+      end
+      if Tuersteher::TLogger.logger.debug?
+        if model.instance_of?(Class)
+          Tuersteher::TLogger.logger.debug("Tuersteher: model_access?(#{model}, #{permission}) =>  #{access ? access : 'denied'}")
+        else
+          Tuersteher::TLogger.logger.debug("Tuersteher: model_access?(#{model.class}(#{model.respond_to?(:id) ? model.id : model.object_id }), #{permission}) =>  #{access ? access : 'denied'}")
+        end
+      end
+      access!=nil
+    end
+  end
+
+
+
+  # Module zum Include in Controllers
+  # Dieser muss die folgenden Methoden bereitstellen:
+  #
+  #   current_user : akt. Login-User
+  #   access_denied :  Methode aus dem authenticated_system, welche ein redirect zum login auslöst
+  #
+  # Der Loginuser muss fuer die hier benoetigte Funktionalitaet
+  # die Methode:
+  #   has_role?(*roles)  # roles is Array of Symbols
+  # besitzen.
+  #
+  # Beispiel der Einbindung in den ApplicationController
+  #   include Tuersteher::ControllerExtensions
+  #   before_filter :check_access # methode is from Tuersteher::ControllerExtensions
+  #
+  module ControllerExtensions
+
+
+    # Pruefen Zugriff fuer eine Web-action
+    #
+    # path        Pfad der Webresource (String oder Hash mit Options)
+    # method      http-Methode (:get, :put, :delete, :post), default ist :get
+    #
+    def path_access?(path, method = :get)
+
+      # ist path eine Hash (also der alte Stil mit :controller=> .., :action=>..)
+      # dann diese in ein http-path wandeln
+      path = url_for(path.merge(:only_path => true)) if path.instance_of?(Hash)
+
+      AccessRules.path_access? current_user, path, method
+    end
+
+    # Pruefen Zugriff auf ein Model-Object
+    #
+    # model       das Model-Object
+    # permission  das geforderte Zugriffsrecht (:create, :update, :destroy, :get)
+    #
+    # liefert true/false
+    def model_access? model, permission
+      AccessRules.model_access? current_user, model, permission
+    end
+
+    def self.included(base)
+      base.class_eval do
+        # Methoden path_access? und model_access? auch als Helper fuer die Views bereitstellen
+        helper_method :path_access?, :model_access?
+      end
+    end
+
+    protected
+
+    # Pruefen, ob Zugriff des current_user
+    # fuer aktullen Request erlaubt ist
+    def check_access
+
+      # im dev-mode rules bei jeden request auf Änderungen prüfen
+      AccessRulesStorage.instance.read_rules if Rails.env=='development'
+
+      unless path_access?(request.request_uri, request.method)
+        msg = "Tuersteher#check_access: access denied for #{request.request_uri} :#{request.method}"
+        Tuersteher::TLogger.logger.warn msg
+        logger.warn msg  # log message also for Rails-Default logger
+        access_denied  # Methode aus dem authenticated_system, welche ein redirect zum login auslöst
+      end
+    end
+
+  end
+
+
+  class PathAccessRule
+    attr_reader :path, :method, :roles
+    attr_accessor :deny
+
+    METHOD_NAMES = [:get, :edit, :put, :delete, :post, :all].freeze
+
+
+    # Zugriffsregel
+    #
+    # path          :all fuer beliebig, sonst String mit der http-path beginnen muss
+    # method        http-Methode, es sind hier erlaubt :get, :put, :delete, :post, :all
+    # needed_roles  Aufzaehlung der erfoderlichen Rolen (oder-Verknuepfung), es sind nur Symbole zulaessig
+    #
+    def initialize(path, method, *needed_roles)
+      raise "wrong path '#{path}'! Must be a String or :all ." unless path==:all or path.is_a?(String)
+      raise "wrong method '#{method}'! Must be #{METHOD_NAMES.join(', ')} !" unless METHOD_NAMES.include?(method)
+      raise "needed_roles expected!" if needed_roles.empty?
+      @roles = needed_roles.flatten
+      for r in @roles
+        raise "wrong role '#{r}'! Must be a symbol " unless r.is_a?(Symbol)
+      end
+      @path = path
+      if path != :all
+        # path in regex ^#{path} wandeln ausser bei "/",
+        # dies darf keine Regex mit ^/ werden,
+        # da diese ja immer matchen wuerde
+        if path == "/"
+          @path = /^\/$/
+        else
+          @path = /^#{path}/
+        end
+      end
+      @method = method
+    end
+
+
+    # pruefen, ob Zugriff fuer angegebenen
+    # path / method fuer den current_user erlaubt ist
+    #
+    # user ist ein Object (meist der Loginuser),
+    # welcher die Methode 'has_role?(*roles)' besitzen muss.
+    # *roles ist dabei eine Array aus Symbolen
+    #
+    def fired?(path, method, user)
+      user = nil if user==:false # manche Authenticate-System setzen den user auf :false
+      if @path!=:all && !(@path =~ path)
+        return false
+      end
+
+      if @method!=:all && @method != method
+        return false
+      end
+
+      # ist jetzt role :all, dann prinzipiell Zugriff erlaubt
+      return true if @roles.first == :all
+
+      if user && user.has_role?(*@roles)
+        return true
+      end
+      false
+    end
+
+
+    def to_s
+      "PathAccesRule[#{@path}, #{@method}, #{@roles.join(' ')}#{@deny ? ' deny' : ''}]"
+    end
+
+  end
+
+
+
+  class ModelAccessRule
+    attr_reader :clazz, :access_type, :role, :block
+
+
+    # erzeugt neue Object-Zugriffsregel
+    #
+    # clazz         Model-Klassenname oder :all fuer alle
+    # access_type   Zugriffsart (:create, :update, :destroy, :all o.A. selbst definierte Typem)
+    # roles         Aufzählung der erforderliche Rolen (:all für ist egal),
+    #               hier ist auch ein Array von Symbolen möglich
+    # block         optionaler Block, wird mit model und user aufgerufen und muss true oder false liefern
+    #               hier ein Beispiel mit Block:
+    #               <code>
+    #                 # Regel, in der sich jeder User selbst aendern darf
+    #                 ModelAccessRule.new(User, :update, :all){|model,user| model.id==user.id}
+    #               </code>
+    #
+    def initialize(clazz, access_type, *roles, &block)
+      raise "wrong clazz '#{clazz}'! Must be a Class or :all ." unless clazz==:all or clazz.is_a?(Class)
+      raise "wrong access_type '#{ access_type}'! Must be a Symbol ." unless  access_type.is_a?(Symbol)
+      @roles = roles.flatten
+      for r in @roles
+        raise "wrong role '#{r}'! Must be a symbol " unless r.is_a?(Symbol)
+      end
+      @clazz = clazz.instance_of?(Symbol) ? clazz : clazz.to_s
+      @access_type =  access_type
+      @block = block
+    end
+
+    # liefert true, wenn zugriff fuer das angegebene model mit
+    # der Zugriffsart perm für das security_object hat
+    #
+    # model des zupruefende ModelObject
+    # perm gewunschte Zugriffsart (Symbol :create, :update, :destroy)
+    #
+    # user ist ein User-Object (meist der Loginuser),
+    # welcher die Methode 'has_role?(*roles)' besitzen muss.
+    # *roles ist dabei eine Array aus Symbolen
+    #
+    #
+    def has_access? model, perm, user
+      user = nil if user==:false # manche Authenticate-System setzen den user auf :false
+      m_class = model.instance_of?(Class) ? model : model.class
+      if @clazz!=m_class.to_s && @clazz!=:all
+        #Tuersteher::TLogger.logger.debug("#{to_s}.has_access? => false why #{@clazz}!=#{model.class.to_s} && #{@clazz}!=:all")
+        return false
+      end
+
+      if @access_type!=:all && @access_type!=perm
+        #Tuersteher::TLogger.logger.debug("#{to_s}.has_access? => false why #{@access_type}!=:all && #{@access_type}!=#{perm}")
+        return false
+      end
+
+      if @roles.first!=:all && (user.nil? || !user.has_role?(*@roles))
+        #Tuersteher::TLogger.logger.debug("#{to_s}.has_access? => false why #{@roles.first}!=:all && #{!user.has_role?(*@roles)}")
+        return false
+      end
+
+      if @block
+        unless @block.call(model, user)
+          #Tuersteher::TLogger.logger.debug("#{to_s}.has_access? => false why block return false")
+          return false
+        end
+      end
+      true
+    end
+
+    def to_s
+      "ModelAccessRule[#{@clazz}, #{@access_type}, #{@roles.join(' ')}]"
+    end
+
+  end
+
+
+  # ActiveRecord erweitern mit
+  # Sicherheits-Check
+  #
+  #  class ActiveRecord::Base
+  #    before_create {|model| SecurityModule::SecurityService.check_model_access model, :create }
+  #    before_update {|model| SecurityModule::SecurityService.check_model_access model, :update }
+  #    before_destroy{|model| SecurityModule::SecurityService.check_model_access model, :destroy }
+  #  end
+
+
+end

data/license.txt

@@ -0,0 +1,165 @@
+		   GNU LESSER GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+
+  This version of the GNU Lesser General Public License incorporates
+the terms and conditions of version 3 of the GNU General Public
+License, supplemented by the additional permissions listed below.
+
+  0. Additional Definitions. 
+
+  As used herein, "this License" refers to version 3 of the GNU Lesser
+General Public License, and the "GNU GPL" refers to version 3 of the GNU
+General Public License.
+
+  "The Library" refers to a covered work governed by this License,
+other than an Application or a Combined Work as defined below.
+
+  An "Application" is any work that makes use of an interface provided
+by the Library, but which is not otherwise based on the Library.
+Defining a subclass of a class defined by the Library is deemed a mode
+of using an interface provided by the Library.
+
+  A "Combined Work" is a work produced by combining or linking an
+Application with the Library.  The particular version of the Library
+with which the Combined Work was made is also called the "Linked
+Version".
+
+  The "Minimal Corresponding Source" for a Combined Work means the
+Corresponding Source for the Combined Work, excluding any source code
+for portions of the Combined Work that, considered in isolation, are
+based on the Application, and not on the Linked Version.
+
+  The "Corresponding Application Code" for a Combined Work means the
+object code and/or source code for the Application, including any data
+and utility programs needed for reproducing the Combined Work from the
+Application, but excluding the System Libraries of the Combined Work.
+
+  1. Exception to Section 3 of the GNU GPL.
+
+  You may convey a covered work under sections 3 and 4 of this License
+without being bound by section 3 of the GNU GPL.
+
+  2. Conveying Modified Versions.
+
+  If you modify a copy of the Library, and, in your modifications, a
+facility refers to a function or data to be supplied by an Application
+that uses the facility (other than as an argument passed when the
+facility is invoked), then you may convey a copy of the modified
+version:
+
+   a) under this License, provided that you make a good faith effort to
+   ensure that, in the event an Application does not supply the
+   function or data, the facility still operates, and performs
+   whatever part of its purpose remains meaningful, or
+
+   b) under the GNU GPL, with none of the additional permissions of
+   this License applicable to that copy.
+
+  3. Object Code Incorporating Material from Library Header Files.
+
+  The object code form of an Application may incorporate material from
+a header file that is part of the Library.  You may convey such object
+code under terms of your choice, provided that, if the incorporated
+material is not limited to numerical parameters, data structure
+layouts and accessors, or small macros, inline functions and templates
+(ten or fewer lines in length), you do both of the following:
+
+   a) Give prominent notice with each copy of the object code that the
+   Library is used in it and that the Library and its use are
+   covered by this License.
+
+   b) Accompany the object code with a copy of the GNU GPL and this license
+   document.
+
+  4. Combined Works.
+
+  You may convey a Combined Work under terms of your choice that,
+taken together, effectively do not restrict modification of the
+portions of the Library contained in the Combined Work and reverse
+engineering for debugging such modifications, if you also do each of
+the following:
+
+   a) Give prominent notice with each copy of the Combined Work that
+   the Library is used in it and that the Library and its use are
+   covered by this License.
+
+   b) Accompany the Combined Work with a copy of the GNU GPL and this license
+   document.
+
+   c) For a Combined Work that displays copyright notices during
+   execution, include the copyright notice for the Library among
+   these notices, as well as a reference directing the user to the
+   copies of the GNU GPL and this license document.
+
+   d) Do one of the following:
+
+       0) Convey the Minimal Corresponding Source under the terms of this
+       License, and the Corresponding Application Code in a form
+       suitable for, and under terms that permit, the user to
+       recombine or relink the Application with a modified version of
+       the Linked Version to produce a modified Combined Work, in the
+       manner specified by section 6 of the GNU GPL for conveying
+       Corresponding Source.
+
+       1) Use a suitable shared library mechanism for linking with the
+       Library.  A suitable mechanism is one that (a) uses at run time
+       a copy of the Library already present on the user's computer
+       system, and (b) will operate properly with a modified version
+       of the Library that is interface-compatible with the Linked
+       Version. 
+
+   e) Provide Installation Information, but only if you would otherwise
+   be required to provide such information under section 6 of the
+   GNU GPL, and only to the extent that such information is
+   necessary to install and execute a modified version of the
+   Combined Work produced by recombining or relinking the
+   Application with a modified version of the Linked Version. (If
+   you use option 4d0, the Installation Information must accompany
+   the Minimal Corresponding Source and Corresponding Application
+   Code. If you use option 4d1, you must provide the Installation
+   Information in the manner specified by section 6 of the GNU GPL
+   for conveying Corresponding Source.)
+
+  5. Combined Libraries.
+
+  You may place library facilities that are a work based on the
+Library side by side in a single library together with other library
+facilities that are not Applications and are not covered by this
+License, and convey such a combined library under terms of your
+choice, if you do both of the following:
+
+   a) Accompany the combined library with a copy of the same work based
+   on the Library, uncombined with any other library facilities,
+   conveyed under the terms of this License.
+
+   b) Give prominent notice with the combined library that part of it
+   is a work based on the Library, and explaining where to find the
+   accompanying uncombined form of the same work.
+
+  6. Revised Versions of the GNU Lesser General Public License.
+
+  The Free Software Foundation may publish revised and/or new versions
+of the GNU Lesser General Public License from time to time. Such new
+versions will be similar in spirit to the present version, but may
+differ in detail to address new problems or concerns.
+
+  Each version is given a distinguishing version number. If the
+Library as you received it specifies that a certain numbered version
+of the GNU Lesser General Public License "or any later version"
+applies to it, you have the option of following the terms and
+conditions either of that published version or of any later version
+published by the Free Software Foundation. If the Library as you
+received it does not specify a version number of the GNU Lesser
+General Public License, you may choose any version of the GNU Lesser
+General Public License ever published by the Free Software Foundation.
+
+  If the Library as you received it specifies that a proxy can decide
+whether future versions of the GNU Lesser General Public License shall
+apply, that proxy's public statement of acceptance of any version is
+permanent authorization for you to choose that version for the
+Library.

data/samples/access_rules.rb

@@ -0,0 +1,30 @@
+# derzeit genutzte Rollen:
+# * ADMIN
+# * EDITOR
+# * APPROVER
+# * USER
+
+
+#
+# Pfad-Zugriffsregeln
+# Aufbau:  
+#   Path : URL-Pfad, wird als regex ausgewertet
+#   Methode : :all, :get, :put, :post, :delete oder :edit 
+#   roles :Liste der berechtigten Rollen (es können mehrere Rollen durch Komma getrennt angegeben werden)
+#
+grant_path '/', :get, :all
+grant_path :all, :all, :ADMIN
+deny_path '/user/lock', :user
+
+#
+# Model-Object-Zugriffsregeln
+# Aufbau:
+#   Model-Klasse : Klasse des Models
+#   Zugriffsart : frei definierbares Symbol, empfohlen :update, :create, :destroy
+#   Roles : Aufzählung der Rollen
+#   Block : optionaler Block, diesem wird die Model-Instance und der User als Parameter bereitgestellt
+
+grant_model String, :view, :all
+grant_model String, :view, :ADMIN, :EDITOR
+grant_model String, :update, :EDITOR do |model, user| model == user.name end
+

data/samples/application_controller.rb

@@ -0,0 +1,26 @@
+class ApplicationController  < ActionController::Base
+
+
+
+  include Tuersteher::ControllerExtensions
+  before_filter :check_access # methode is from Tuersteher::ControllerExtensions
+
+  # This method need Tuersteher for his rules-check
+  # It should return a User-Object, which have a method "has_role?"
+  #
+  # This is here a dummy Stub-Implementation
+  def current_user
+    user = Object.new
+    def user.has_role?(*roles)
+      true
+    end
+    user
+  end
+
+  # This Method is called from Tuersteher if access are denied (no grant rules fired)
+  # stub Authentication-Methode
+  def access_denied
+    redirect_to "/"
+  end
+
+end

data/tuersteher.gemspec

@@ -0,0 +1,47 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run the gemspec command
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{tuersteher}
+  s.version = "0.0.6"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Bernd Ledig"]
+  s.date = %q{2010-02-20}
+  s.description = %q{Security-Layer for Rails-Application acts like a firewall.}
+  s.email = %q{bernd@ledig.info}
+  s.extra_rdoc_files = [
+    "README.rdoc"
+  ]
+  s.files = [
+    ".gitignore",
+     "Manifest",
+     "README.rdoc",
+     "Rakefile",
+     "VERSION",
+     "init.rb",
+     "lib/tuersteher.rb",
+     "license.txt",
+     "samples/access_rules.rb",
+     "samples/application_controller.rb",
+     "tuersteher.gemspec"
+  ]
+  s.homepage = %q{http://github.com/bledig/tuersteher}
+  s.rdoc_options = ["--charset=UTF-8"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.3.5}
+  s.summary = %q{Security-Layer for Rails-Application}
+
+  if s.respond_to? :specification_version then
+    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
+    else
+    end
+  else
+  end
+end
+

metadata

@@ -0,0 +1,65 @@
+--- !ruby/object:Gem::Specification 
+name: tuersteher
+version: !ruby/object:Gem::Version 
+  version: 0.0.6
+platform: ruby
+authors: 
+- Bernd Ledig
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-02-20 00:00:00 +01:00
+default_executable: 
+dependencies: []
+
+description: Security-Layer for Rails-Application acts like a firewall.
+email: bernd@ledig.info
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- README.rdoc
+files: 
+- .gitignore
+- Manifest
+- README.rdoc
+- Rakefile
+- VERSION
+- init.rb
+- lib/tuersteher.rb
+- license.txt
+- samples/access_rules.rb
+- samples/application_controller.rb
+- tuersteher.gemspec
+has_rdoc: true
+homepage: http://github.com/bledig/tuersteher
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.5
+signing_key: 
+specification_version: 3
+summary: Security-Layer for Rails-Application
+test_files: []
+