tuersteher 0.1.4 → 0.2.1

data/VERSION

@@ -1 +1 @@
-0.1.1
+0.2.1

data/lib/tuersteher.rb

@@ -53,22 +53,29 @@ module Tuersteher
     end
 
 
+    def eval_rules rules_definitions
+      @path_rules = []
+      @model_rules = []
+      eval rules_definitions
+      Tuersteher::TLogger.logger.info "Tuersteher::AccessRulesStorage: #{@path_rules.size} path-rules and #{@model_rules.size} model-rules"
+    end
+
     # Laden der AccesRules aus den Dateien
     #  config/access_rules.rb
     def read_rules
       @rules_config_file ||= File.join(Rails.root, 'config', DEFAULT_RULES_CONFIG_FILE)
       rules_file = File.new @rules_config_file
       @was_read = false
+      content = nil
       if @last_mtime.nil? || rules_file.mtime > @last_mtime
         @last_mtime = rules_file.mtime
-        @path_rules = []
-        @model_rules = []
         content = rules_file.read
-        eval content
-        Tuersteher::TLogger.logger.info "Tuersteher::AccessRulesStorage: #{@path_rules.size} path-rules and #{@model_rules.size} model-rules"
       end
       rules_file.close
-      @was_read = true
+      if content
+        eval_rules content
+        @was_read = true
+      end
     rescue => ex
       Tuersteher::TLogger.logger.error "Tuersteher::AccessRulesStorage - Error in rules: #{ex.message}\n\t"+ex.backtrace.join("\n\t")
     end
@@ -77,26 +84,13 @@ module Tuersteher
     #
     # path:            :all fuer beliebig, sonst String mit der http-path beginnen muss,
     #                  wird als RegEX-Ausdruck ausgewertet
-    # method:          http-Methode, es sind hier erlaubt :get, :put, :delete, :post, :all
-    # accepted_roles:  Aufzaehlung der erfoderlichen Rolen (oder-Verknuepfung), es sind nur Symbole zulaessig
-    #                  hier ist auch ein Array von Symbolen möglich
-    def grant_path url_path, http_methode, *accepted_roles
-      @path_rules << PathAccessRule.new(url_path, http_methode, *accepted_roles)
-    end
-
-    # definiert HTTP-Pfad-basierende Ablehnungsregel
-    #
-    # path:            :all fuer beliebig, sonst String mit der http-path beginnen muss,
-    #                  wird als RegEX-Ausdruck ausgewertet
-    # method:          http-Methode, es sind hier erlaubt :get, :put, :delete, :post, :all
-    # accepted_roles:  Aufzaehlung der erfoderlichen Rolen (oder-Verknuepfung), es sind nur Symbole zulaessig
-    #                  hier ist auch ein Array von Symbolen möglich
-    def deny_path url_path, http_methode, *accepted_roles
-      rule = PathAccessRule.new(url_path, http_methode, *accepted_roles)
-      rule.deny = true
+    def path url_path
+      rule = PathAccessRule.new(url_path)
       @path_rules << rule
+      rule
     end
 
+    
     # definiert Model-basierende Zugriffsregel
     #
     # model_class:  Model-Klassenname oder :all fuer alle
@@ -110,30 +104,32 @@ module Tuersteher
     #                 grant_model(User, :update, :all){|model,user| model.id==user.id}
     #               </code>
     #
-    def grant_model model_class, access_type, *roles, &block
-      @model_rules << ModelAccessRule.new(model_class, access_type, *roles, &block)
+    def model model_class
+      if block_given?
+        @current_model_class = model_class
+        yield
+        @current_model_class = nil
+      else
+        rule = ModelAccessRule.new(model_class)
+        @model_rules << rule
+        rule
+      end
     end
 
-    # definiert Model-basierende Zugriffsregel
-    #
-    # model_class:  Model-Klassenname oder :all fuer alle
-    # access_type:  Zugriffsart (:create, :update, :destroy, :all o.A. selbst definierte Typen)
-    # roles         Aufzählung der erforderliche Rolen (:all für ist egal),
-    #               hier ist auch ein Array von Symbolen möglich
-    # block         optionaler Block, wird mit model und user aufgerufen und muss true oder false liefern
-    #               hier ein Beispiel mit Block:
-    #               <code>
-    #                 # Regel, in der sich jeder User selbst aendern darf
-    #                 grant_model(User, :update, :all){|model,user| model.id==user.id}
-    #               </code>
-    #
-    def deny_model model_class, access_type, *roles, &block
-      rule = ModelAccessRule.new(model_class, access_type, *roles, &block)
-      rule.deny = true
+    def grant
+      rule = ModelAccessRule.new(@current_model_class)
       @model_rules << rule
+      rule.grant
     end
 
-  end
+    def deny
+      rule = ModelAccessRule.new(@current_model_class)
+      @model_rules << rule
+      rule.deny
+    end
+
+  end # of AccessRulesStorage
+
 
   class AccessRules
 
@@ -149,14 +145,14 @@ module Tuersteher
       if Tuersteher::TLogger.logger.debug?
         if rule.nil?
           s = 'denied'
-        elsif rule.deny
+        elsif rule.deny?
           s = "denied with #{rule}"
         else
           s = "granted with #{rule}"
         end
         Tuersteher::TLogger.logger.debug("Tuersteher: path_access?(#{path}, #{method})  =>  #{s}")
       end
-      rule!=nil && !rule.deny
+      rule!=nil && !rule.deny?
     end
 
 
@@ -174,7 +170,7 @@ module Tuersteher
       rule = AccessRulesStorage.instance.model_rules.detect do |rule|
         rule.fired? model, permission, user
       end
-      access = rule && !rule.deny
+      access = rule && !rule.deny?
       if Tuersteher::TLogger.logger.debug?
         if model.instance_of?(Class)
           Tuersteher::TLogger.logger.debug("Tuersteher: model_access?(#{model}, #{permission}) =>  #{access || 'denied'} #{rule}")
@@ -192,7 +188,7 @@ module Tuersteher
     def self.purge_collection user, collection, permission
       collection.select{|model| model_access?(user, model, permission)}
     end
-  end
+  end # of AccessRules
 
 
 
@@ -204,7 +200,7 @@ module Tuersteher
   #
   # Der Loginuser muss fuer die hier benoetigte Funktionalitaet
   # die Methode:
-  #   has_role?(*roles)  # roles is Array of Symbols
+  #   has_role?(role)  # role the Name of the Role as Symbol
   # besitzen.
   #
   # Beispiel der Einbindung in den ApplicationController
@@ -274,10 +270,55 @@ module Tuersteher
 
   end
 
+  # Astracte base class for Access-Rules
+  class BaseAccessRule
+
+    def initialize
+      @roles = []
+    end
+
+    # add role
+    def role(role_name)
+      raise "wrong role '#{role_name}'! Must be a symbol " unless role_name.is_a?(Symbol)
+      @roles << role_name
+      self
+    end
 
-  class PathAccessRule
-    attr_reader :path, :method, :roles
-    attr_accessor :deny
+
+    def extension method_name, methode_parameter=nil
+      @check_extensions ||= {}
+      @check_extensions[method_name] = methode_parameter
+      self
+    end
+
+    def grant
+      self
+    end
+
+    def deny
+      @deny = true
+      self
+    end
+
+    def deny?
+      @deny
+    end
+
+    protected
+
+    def grant_role? user
+      return true if @roles.empty?
+      return false if user.nil?
+      @roles.each do |role|
+        return true if user.has_role?(role)
+      end
+      false
+    end
+
+  end # of BaseAccessRule
+
+
+  class PathAccessRule < BaseAccessRule
 
     METHOD_NAMES = [:get, :edit, :put, :delete, :post, :all].freeze
 
@@ -285,17 +326,10 @@ module Tuersteher
     # Zugriffsregel
     #
     # path          :all fuer beliebig, sonst String mit der http-path beginnen muss
-    # method        http-Methode, es sind hier erlaubt :get, :put, :delete, :post, :all
-    # needed_roles  Aufzaehlung der erfoderlichen Rolen (oder-Verknuepfung), es sind nur Symbole zulaessig
     #
-    def initialize(path, method, *needed_roles)
+    def initialize(path)
       raise "wrong path '#{path}'! Must be a String or :all ." unless path==:all or path.is_a?(String)
-      raise "wrong method '#{method}'! Must be #{METHOD_NAMES.join(', ')} !" unless METHOD_NAMES.include?(method)
-      raise "needed_roles expected!" if needed_roles.empty?
-      @roles = needed_roles.flatten
-      for r in @roles
-        raise "wrong role '#{r}'! Must be a symbol " unless r.is_a?(Symbol)
-      end
+      super()
       @path = path
       if path != :all
         # path in regex ^#{path} wandeln ausser bei "/",
@@ -307,10 +341,19 @@ module Tuersteher
           @path = /^#{path}/
         end
       end
-      @method = method
+      @http_method = :all
+    end
+
+    # set http-methode
+    # http_method        http-Method, allowed is :get, :put, :delete, :post, :all
+    def method(http_method)
+      raise "wrong method '#{http_method}'! Must be #{METHOD_NAMES.join(', ')} !" unless METHOD_NAMES.include?(http_method)
+      @http_method = http_method
+      self
     end
 
 
+
     # pruefen, ob Zugriff fuer angegebenen
     # path / method fuer den current_user erlaubt ist
     #
@@ -320,35 +363,57 @@ module Tuersteher
     #
     def fired?(path, method, user)
       user = nil if user==:false # manche Authenticate-System setzen den user auf :false
+
       if @path!=:all && !(@path =~ path)
         return false
       end
 
-      if @method!=:all && @method != method
+      if @http_method!=:all && @http_method != method
         return false
       end
 
-      # ist jetzt role :all, dann prinzipiell Zugriff erlaubt
-      return true if @roles.first == :all
-
-      if user && user.has_role?(*@roles)
-        return true
+      if !@roles.empty? && (user.nil? || !user.has_role?(*@roles))
+        #Tuersteher::TLogger.logger.debug("#{to_s}.has_access? => false why #{@roles.first}!=:all && #{!user.has_role?(*@roles)}")
+        return false
       end
-      false
+
+      return false unless grant_extension?(user)
+
+      true
     end
 
 
     def to_s
-      "PathAccesRule[#{@path}, #{@method}, #{@roles.join(' ')}#{@deny ? ' deny' : ''}]"
+      s = "PathAccesRule[#{@deny ? 'DENY ' : ''}#{@path}, #{@http_method}, #{@roles.join(' ')}"
+      s << " #{@check_extensions.inspect}" if @check_extensions
+      s << ']'
+      s
+    end
+
+    private
+
+    def grant_extension? user
+      return true if @check_extensions.nil?
+      return false if user.nil?  # check_extensions need a user
+      @check_extensions.each do |key, value|
+        unless user.respond_to?(key)
+          Tuersteher::TLogger.logger.warn("#{to_s}.fired? => false why user have not check-extension method '#{key}'!")
+          return false
+        end
+        if value
+          return false unless user.send(key,value)
+        else
+          return false unless user.send(key)
+        end
+      end
+      true
     end
 
   end
 
 
 
-  class ModelAccessRule
-    attr_reader :clazz, :access_type, :roles, :block
-    attr_accessor :deny
+  class ModelAccessRule < BaseAccessRule
 
     # erzeugt neue Object-Zugriffsregel
     #
@@ -363,16 +428,16 @@ module Tuersteher
     #                 ModelAccessRule.new(User, :update, :all){|model,user| model.id==user.id}
     #               </code>
     #
-    def initialize(clazz, access_type, *roles, &block)
+    def initialize(clazz)
       raise "wrong clazz '#{clazz}'! Must be a Class or :all ." unless clazz==:all or clazz.is_a?(Class)
-      raise "wrong access_type '#{ access_type}'! Must be a Symbol ." unless  access_type.is_a?(Symbol)
-      @roles = roles.flatten
-      for r in @roles
-        raise "wrong role '#{r}'! Must be a symbol " unless r.is_a?(Symbol)
-      end
+      super()
       @clazz = clazz.instance_of?(Symbol) ? clazz : clazz.to_s
-      @access_type =  access_type
-      @block = block
+    end
+
+
+    def permission permission_name
+      @permission = permission_name
+      self
     end
 
     # liefert true, wenn zugriff fuer das angegebene model mit
@@ -388,36 +453,50 @@ module Tuersteher
     #
     def fired? model, perm, user
       user = nil if user==:false # manche Authenticate-System setzen den user auf :false
+      debugger
       m_class = model.instance_of?(Class) ? model : model.class
       if @clazz!=m_class.to_s && @clazz!=:all
         #Tuersteher::TLogger.logger.debug("#{to_s}.has_access? => false why #{@clazz}!=#{model.class.to_s} && #{@clazz}!=:all")
         return false
       end
 
-      if @access_type!=:all && @access_type!=perm
+      if @permission!=:all && @permission!=perm
         #Tuersteher::TLogger.logger.debug("#{to_s}.has_access? => false why #{@access_type}!=:all && #{@access_type}!=#{perm}")
         return false
       end
 
-      if @roles.first!=:all && (user.nil? || !user.has_role?(*@roles))
-        #Tuersteher::TLogger.logger.debug("#{to_s}.has_access? => false why #{@roles.first}!=:all && #{!user.has_role?(*@roles)}")
-        return false
-      end
+      return false unless grant_role?(user)
+      return false unless grant_extension?(user, model)
+      true
+    end
+
+    def to_s
+      s = "ModelAccessRule[#{@deny ? 'DENY ' : ''}#{@clazz}, #{@permission}, #{@roles.join(' ')}"
+      s << " #{@check_extensions.inspect}" if @check_extensions
+      s << ']'
+      s
+    end
+
+    private
 
-      if @block
-        return false if model.instance_of?(Class) # kein Block-Call wenn Classe als model übergeben wurde
-        unless @block.call(model, user)
-          #Tuersteher::TLogger.logger.debug("#{to_s}.has_access? => false why block return false")
+    def grant_extension? user, model
+      return true if @check_extensions.nil?
+      return false if model.nil?  # check_extensions need a model
+      return false if model.instance_of?(Class) # no Extension-Call if model is a Class-Instance
+      @check_extensions.each do |key, value|
+        unless model.respond_to?(key)
+          Tuersteher::TLogger.logger.warn("#{to_s}.fired? => false why model-onject have not check-extension method '#{key}'!")
           return false
         end
+        if value
+          return false unless model.send(key,user,value)
+        else
+          return false unless model.send(key,user)
+        end
       end
       true
     end
 
-    def to_s
-      "ModelAccessRule[#{@clazz}, #{@access_type}, #{@roles.join(' ')}#{@deny ? ' deny' : ''}]"
-    end
-
   end
 
 

data/samples/access_rules.rb

@@ -12,9 +12,11 @@
 #   Methode : :all, :get, :put, :post, :delete oder :edit 
 #   roles :Liste der berechtigten Rollen (es können mehrere Rollen durch Komma getrennt angegeben werden)
 #
-grant_path '/', :get, :all
-grant_path :all, :all, :ADMIN
-deny_path '/user/lock', :user
+
+path('/').grant.method(:get)
+path(:all).grant.role(:ADMIN)
+path('/user/lock').deny.role(:USER).role(:APPROVER)
+path('/special').grant.extension(:special?, :area1)
 
 #
 # Model-Object-Zugriffsregeln
@@ -24,7 +26,14 @@ deny_path '/user/lock', :user
 #   Roles : Aufzählung der Rollen
 #   Block : optionaler Block, diesem wird die Model-Instance und der User als Parameter bereitgestellt
 
-grant_model String, :view, :all
-grant_model String, :view, :ADMIN, :EDITOR
-grant_model String, :update, :EDITOR do |model, user| model == user.name end
+#grant_model String, :view, :all
+#grant_model String, :view, :ADMIN, :EDITOR
+#grant_model String, :update, :EDITOR do |model, user| model == user.name end
+
+model(Dashboard).grant.permission(:view)
 
+model(Todo) do
+  grant.permission(:view)
+  grant.permission(:full_view).role(:ADMIN)
+  grant.permission(:update).role(:EDITOR).extension(:owned_by?) # calls Todo.owned_by?(current_user)
+end

data/spec/acces_rules_storage_spec.rb

@@ -0,0 +1,40 @@
+require "spec_helper"
+
+module Tuersteher
+
+  class Dashboard; end
+  class Todo; end
+
+  describe AccessRulesStorage do
+
+    context "eval_rules" do
+      before(:all) do
+        rule_defs = <<-EOR
+path('/').grant.method(:get)
+path(:all).grant.role(:ADMIN)
+path('/special').grant.extension(:special?, :area1)
+
+model(Dashboard).grant.permission(:view)
+model(Todo) do
+  grant.permission(:view)
+  grant.permission(:full_view).role(:ADMIN)
+  grant.permission(:update).role(:EDITOR).extension(:owned_by?) # calls Todo.owned_by?(current_user)
+end
+        EOR
+        AccessRulesStorage.instance.eval_rules rule_defs
+        @path_rules = AccessRulesStorage.instance.path_rules
+        @model_rules = AccessRulesStorage.instance.model_rules
+      end
+
+      it "should have 3 path-rules" do
+        @path_rules.should have(3).items
+      end
+
+      it "should have 4 model-rules" do
+        @model_rules.should have(4).items
+      end
+
+    end # of context "eval_rules"
+
+  end # of describe AccessRulesStorage
+end

data/spec/access_rules_spec.rb

@@ -0,0 +1,170 @@
+require "spec_helper"
+
+
+
+module Tuersteher
+
+  describe AccessRules do
+
+    context 'path_access?' do
+      before do
+        rules = [
+          PathAccessRule.new('/'),
+          PathAccessRule.new('/admin').role(:admin),
+          PathAccessRule.new('/images').method(:get),
+          PathAccessRule.new('/status').method(:get).role(:system)
+        ]
+        AccessRulesStorage.instance.stub(:path_rules).and_return(rules)
+        @user = stub('user')
+      end
+
+
+      context "User with role :user" do
+        before do
+          @user.stub(:has_role?){|role| role==:user}
+        end
+
+        it "should be true for this paths" do
+          AccessRules.path_access?(@user, '/', :get).should be_true
+          AccessRules.path_access?(@user, '/', :post).should be_true
+          AccessRules.path_access?(@user, '/images', :get).should be_true
+        end
+
+        it "should not be true for this paths" do
+          AccessRules.path_access?(@user, '/admin', :get).should_not be_true
+          AccessRules.path_access?(@user, '/images', :post).should_not be_true
+          AccessRules.path_access?(@user, '/status', :get).should_not be_true
+        end
+      end
+
+
+      context "User with role :admin" do
+        before do
+          @user.stub(:has_role?){|role| role==:admin}
+        end
+
+        it "should be true for this paths" do
+          AccessRules.path_access?(@user, '/', :get).should be_true
+          AccessRules.path_access?(@user, '/admin', :post).should be_true
+          AccessRules.path_access?(@user, '/images', :get).should be_true
+        end
+
+        it "should not be true for this paths" do
+          AccessRules.path_access?(@user, '/xyz', :get).should_not be_true
+          AccessRules.path_access?(@user, '/images', :post).should_not be_true
+          AccessRules.path_access?(@user, '/status', :get).should_not be_true
+        end
+      end
+
+
+      context "User with role :system" do
+        before do
+          @user.stub(:has_role?){|role| role==:system}
+        end
+
+        it "should be true for this paths" do
+          AccessRules.path_access?(@user, '/', :get).should be_true
+          AccessRules.path_access?(@user, '/status', :get).should be_true
+        end
+
+        it "should not be true for this paths" do
+          AccessRules.path_access?(@user, '/xyz', :get).should_not be_true
+          AccessRules.path_access?(@user, '/admin', :post).should_not be_true
+        end
+      end
+    end
+
+
+    context 'model_access?' do
+
+      class SampleModel1; end
+      class SampleModel2; end
+
+      before do
+        rules = [
+          ModelAccessRule.new(SampleModel1).grant.permission(:all),
+          ModelAccessRule.new(SampleModel2).grant.permission(:read),
+          ModelAccessRule.new(SampleModel2).grant.permission(:update).role(:user).extension(:owner?),
+          ModelAccessRule.new(SampleModel2).deny.permission(:create),
+          ModelAccessRule.new(SampleModel2).grant.permission(:all).role(:admin),
+        ]
+        AccessRulesStorage.instance.stub(:model_rules).and_return(rules)
+        @user = stub('user')
+        @model1 = SampleModel1.new
+        @model2 = SampleModel2.new
+        @model2.stub(:owner?).and_return(false)
+      end
+
+
+      context "User with role :user" do
+        before do
+          @user.stub(:has_role?){|role| role==:user}
+        end
+
+        it "should be true for this" do
+          AccessRules.model_access?(@user, @model1, :xyz).should be_true
+          @model2.stub(:owner?).and_return true
+          AccessRules.model_access?(@user, @model2, :read).should be_true
+          AccessRules.model_access?(@user, @model2, :update).should be_true
+        end
+
+        it "should not be true for this" do
+          AccessRules.model_access?(@user, @model2, :update).should_not be_true
+          AccessRules.model_access?(@user, @model2, :delete).should_not be_true
+        end
+      end
+
+
+      context "User with role :admin" do
+        before do
+          @user.stub(:has_role?){|role| role==:admin}
+        end
+
+        it "should be true for this" do
+          AccessRules.model_access?(@user, @model1, :xyz).should be_true
+          AccessRules.model_access?(@user, @model2, :read).should be_true
+          AccessRules.model_access?(@user, @model2, :update).should be_true
+          AccessRules.model_access?(@user, @model2, :delete).should be_true
+        end
+
+        it "should not be true for this" do
+          AccessRules.model_access?(@user, @model2, :create).should_not be_true
+        end
+      end
+    end
+
+
+
+    context 'purge_collection' do
+
+      class SampleModel
+        def owner? user; false; end
+      end
+
+      before do
+        rules = [
+          ModelAccessRule.new(SampleModel).permission(:update).role(:admin),
+          ModelAccessRule.new(SampleModel).permission(:update).role(:user).extension(:owner?),
+        ]
+        AccessRulesStorage.instance.stub(:model_rules).and_return(rules)
+        @user = stub('user')
+        @model1 = SampleModel.new
+        @model2 = SampleModel.new
+        @model3 = SampleModel.new
+        @model3.stub(:owner?).and_return(true)
+        @collection = [@model1, @model2, @model3]
+      end
+
+      it "Should return [@model3] for user with role=:user" do
+        @user.stub(:has_role?){|role| role==:user}
+        AccessRules.purge_collection(@user, @collection, :update).should == [@model3]
+      end
+
+      it "Should return all for user with role=:admin" do
+        @user.stub(:has_role?){|role| role==:admin}
+        AccessRules.purge_collection(@user, @collection, :update).should == @collection
+      end
+    end
+
+  end
+end

data/spec/model_access_rule_spec.rb

@@ -0,0 +1,42 @@
+require "spec_helper"
+
+module Tuersteher
+
+  describe ModelAccessRule do
+
+    before(:all) do
+      @rule = ModelAccessRule.new(String).grant.permission(:read).role(:sysadmin).role(:admin)
+    end
+
+    context "for User with role :admin" do
+      before do
+        @user = stub('user')
+        @user.stub(:has_role?){|role| role==:admin}
+      end
+
+      it "should be fired for String-Object and access-type :read" do
+        @rule.fired?("test", :read, @user).should be_true
+      end
+
+      it "should not be fired for Non-String-Object" do
+        @rule.fired?(12345, :read, @user).should_not be_true
+      end
+
+      it "should not be fired for String-Object and other access-type as :read" do
+        @rule.fired?("test", :delete, @user).should_not be_true
+      end
+    end
+
+    context "for User without role :admin" do
+      before do
+        @user = stub('user')
+        @user.stub(:has_role?).and_return(false)
+      end
+
+      it "should not be fired for String-Object and access-type :read" do
+        @rule.fired?("test", :read, @user).should_not be_true
+      end
+    end
+  end
+
+end

data/spec/path_access_rule_spec.rb

@@ -0,0 +1,129 @@
+require "spec_helper"
+
+module Tuersteher
+
+  describe PathAccessRule do
+
+    before(:all) do
+      @rule = PathAccessRule.new('/admin').method(:get).role(:sysadmin).role(:admin)
+    end
+
+
+    context "for User with role :admin" do
+      before do
+        @user = stub('user')
+        @user.stub(:has_role?).with(:sysadmin, :admin).and_return(true)
+      end
+
+      it "should be fired for path='/admin/xyz' and method :get" do
+        @rule.fired?("/admin/xyz", :get, @user).should be_true
+      end
+
+      it "should not be fired for other path" do
+        @rule.fired?('/todos/admin', :get, @user).should_not be_true
+      end
+
+      it "should not be fired for other method as :get" do
+        @rule.fired?("/admin/xyz", :post, @user).should_not be_true
+      end
+    end
+
+
+    context "for User without role :admin" do
+      before do
+        @user = stub('user')
+        @user.stub(:has_role?).and_return(false)
+      end
+
+      it "should not be fired for correct path and method" do
+        @rule.fired?("/admin/xyz", :get, @user).should_not be_true
+      end
+    end
+
+
+    context "Rule with :all as Path-Matcher" do
+      before(:all) do
+        @rule = PathAccessRule.new(:all).method(:get).role(:sysadmin).role(:admin)
+        @user = stub('user')
+        @user.stub(:has_role?).and_return(true)
+      end
+
+      it "should fired for several paths" do
+        @rule.fired?("/admin/xyz", :get, @user).should be_true
+        @rule.fired?("/xyz", :get, @user).should be_true
+        @rule.fired?("/", :get, @user).should be_true
+      end
+
+      it "should not be fired with other method" do
+        @rule.fired?("/admin/xyz", :post, @user).should_not be_true
+      end
+    end
+
+
+    context "Rule with no Methode spezifed => all methods allowed" do
+      before(:all) do
+        @rule = PathAccessRule.new('/admin').role(:sysadmin).role(:admin)
+        @user = stub('user')
+        @user.stub(:has_role?).and_return(true)
+      end
+
+      it "should fired for several methods" do
+        @rule.fired?("/admin/xyz", :get, @user).should be_true
+        @rule.fired?("/admin/xyz", :post, @user).should be_true
+        @rule.fired?("/admin/xyz", :put, @user).should be_true
+        @rule.fired?("/admin/xyz", :delete, @user).should be_true
+      end
+
+      it "should not be fired with other path" do
+        @rule.fired?("/xyz", :post, @user).should_not be_true
+      end
+    end
+
+
+    context "Rule with no role spezifed => now role needed" do
+      before(:all) do
+        @rule = PathAccessRule.new('/admin').method(:get)
+        @user = stub('user')
+        @user.stub(:has_role?).and_return(false)
+      end
+
+      it "should fired for user with no roles" do
+        @rule.fired?("/admin/xyz", :get, @user).should be_true
+      end
+
+      it "should not be fired with other path" do
+        @rule.fired?("/xyz", :get, @user).should_not be_true
+      end
+    end
+
+
+    context "Rule with extension" do
+      before(:all) do
+        @rule = PathAccessRule.new('/admin').method(:get).extension(:modul_function?, :testvalue)
+        @rule2 = PathAccessRule.new('/admin').method(:get).extension(:modul_function2?)
+        @user = stub('user')
+        @user.stub(:has_role?).and_return(false)
+      end
+
+      it "should not be fired with user have not the check_extension" do
+        @rule.fired?("/admin", :get, @user).should_not be_true
+      end
+
+      it "should fired for user with true for check-extension" do
+        @user.should_receive(:modul_function?).with(:testvalue).and_return(true)
+        @rule.fired?("/admin/xyz", :get, @user).should be_true
+      end
+
+      it "should not be fired for user with false for check-extension" do
+        @user.should_receive(:modul_function?).with(:testvalue).and_return(false)
+        @rule.fired?("/admin/xyz", :get, @user).should_not be_true
+      end
+
+      it "should fired for rule2 and user with true for check-extension" do
+        @user.should_receive(:modul_function2?).and_return(true)
+        @rule2.fired?("/admin/xyz", :get, @user).should be_true
+      end
+    end
+
+  end
+end

data/spec/spec.opts

@@ -0,0 +1,5 @@
+--colour
+--format
+progress
+--loadby
+mtime

data/spec/spec_helper.rb

@@ -0,0 +1,6 @@
+require 'spec'
+require 'logger'
+require File.expand_path(File.dirname(__FILE__) + "/../lib/tuersteher")
+
+# Logger auf stdout stellen
+Tuersteher::TLogger.logger = Logger.new(STDOUT)

data/tuersteher.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = %q{tuersteher}
-  s.version = "0.1.4"
+  s.version = "0.2.1"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Bernd Ledig"]
-  s.date = %q{2010-08-22}
+  s.date = %q{2010-08-28}
   s.description = %q{Security-Layer for Rails-Application acts like a firewall.}
   s.email = %q{bernd@ledig.info}
   s.extra_rdoc_files = [
@@ -26,19 +26,32 @@ Gem::Specification.new do |s|
      "license.txt",
      "samples/access_rules.rb",
      "samples/application_controller.rb",
+     "spec/acces_rules_storage_spec.rb",
+     "spec/access_rules_spec.rb",
+     "spec/model_access_rule_spec.rb",
+     "spec/path_access_rule_spec.rb",
+     "spec/spec.opts",
+     "spec/spec_helper.rb",
      "tuersteher.gemspec"
   ]
   s.homepage = %q{http://github.com/bledig/tuersteher}
   s.rdoc_options = ["--charset=UTF-8"]
   s.require_paths = ["lib"]
-  s.rubygems_version = %q{1.3.6}
+  s.rubygems_version = %q{1.3.7}
   s.summary = %q{Security-Layer for Rails-Application}
+  s.test_files = [
+    "spec/spec_helper.rb",
+     "spec/access_rules_spec.rb",
+     "spec/path_access_rule_spec.rb",
+     "spec/model_access_rule_spec.rb",
+     "spec/acces_rules_storage_spec.rb"
+  ]
 
   if s.respond_to? :specification_version then
     current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
     s.specification_version = 3
 
-    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
     else
     end
   else

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: tuersteher
 version: !ruby/object:Gem::Version 
-  hash: 19
+  hash: 21
   prerelease: false
   segments: 
   - 0
+  - 2
   - 1
-  - 4
-  version: 0.1.4
+  version: 0.2.1
 platform: ruby
 authors: 
 - Bernd Ledig
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-08-22 00:00:00 +02:00
+date: 2010-08-28 00:00:00 +02:00
 default_executable: 
 dependencies: []
 
@@ -38,6 +38,12 @@ files:
 - license.txt
 - samples/access_rules.rb
 - samples/application_controller.rb
+- spec/acces_rules_storage_spec.rb
+- spec/access_rules_spec.rb
+- spec/model_access_rule_spec.rb
+- spec/path_access_rule_spec.rb
+- spec/spec.opts
+- spec/spec_helper.rb
 - tuersteher.gemspec
 has_rdoc: true
 homepage: http://github.com/bledig/tuersteher
@@ -73,5 +79,9 @@ rubygems_version: 1.3.7
 signing_key: 
 specification_version: 3
 summary: Security-Layer for Rails-Application
-test_files: []
-
+test_files: 
+- spec/spec_helper.rb
+- spec/access_rules_spec.rb
+- spec/path_access_rule_spec.rb
+- spec/model_access_rule_spec.rb
+- spec/acces_rules_storage_spec.rb