tuersteher 1.0.1 → 1.0.2
- checksums.yaml +4 -4
- data/.rspec +1 -0
- data/.ruby-version +1 -0
- data/lib/tuersteher.rb +32 -32
- data/spec/access_rules_spec.rb +64 -65
- data/spec/{acces_rules_storage_spec.rb → access_rules_storage_spec.rb} +2 -2
- data/spec/model_extensions_spec.rb +14 -13
- data/spec/spec_helper.rb +102 -1
- data/tuersteher.gemspec +3 -3
- metadata +7 -5
- data/spec/spec.opts +0 -5
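--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 75d9524809994df44c397d4b61a7679245e9155e9170a52e4669ad424501b077
+data.tar.gz: aebdc4bcf3723217544dd6d7a032cba0a763ded1b4bbf02652de6ef77a638a4b
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 250f03314650921efdfd4ea6b8b82c01a6d3dfc4321993c65d7d41eefb4ebf17566db8508a9ad5a41f9dfb7ca6e027e266ddd945456a21ac7681e3506fe3ca17
+data.tar.gz: e72fcd1ba11b5df1cf25a933900e7dd0d29a4af24099205284c21790294160807aabe65cc0b41a467e8993855bf3f37796038295254c043a7c215f15667ad82a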
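--- a/data/.rspec
+++ b/data/.rspec
@@ -0,0 +1 @@
+--require spec_helper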
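--- a/data/.ruby-version
+++ b/data/.ruby-version
@@ -0,0 +1 @@
+2.5.7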
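--- a/data/lib/tuersteher.rb
+++ b/data/lib/tuersteher.rb
@@ -194,13 +194,13 @@ module Tuersteher
 class << self
 
 # Pruefen Zugriff fuer eine Web-action
-# @param
+# @param login_context Login-Contex, für den der Zugriff geprüft werden soll (muss Methode has_role? haben)
 # @param path Pfad der Webresource (String)
 # @param method http-Methode (:get, :put, :delete, :post), default ist :get
 #
-def path_access?(
+def path_access?(login_context, path, method = :get)
 rule = AccessRulesStorage.instance.path_rules.detect do |r|
-r.fired?(path, method,
+r.fired?(path, method, login_context)
 end
 if Tuersteher::TLogger.logger.debug?
 if rule.nil?
@@ -208,8 +208,8 @@ module Tuersteher
 else
 s = "fired with #{rule}"
 end
-lc_id =
-Tuersteher::TLogger.logger.debug("Tuersteher: path_access?(
+lc_id = login_context && login_context.respond_to?(:id) ? login_context.id : login_context.object_id
+Tuersteher::TLogger.logger.debug("Tuersteher: path_access?(login_context.id=#{lc_id}, path=#{path}, method=#{method}) => #{s}")
 end
 !(rule.nil? || rule.deny?)
 end
@@ -217,38 +217,38 @@ module Tuersteher
 
 # Pruefen Zugriff auf ein Model-Object
 #
-# @param
+# @param login_context Login-Contex, für den der Zugriff geprüft werden soll (muss Methode has_role? haben)
 # @param model das Model-Object
 # @param permission das geforderte Zugriffsrecht (:create, :update, :destroy, :get)
 #
 # liefert true/false
-def model_access?
+def model_access? login_context, model, permission
 raise "Wrong call! Use: model_access(model-instance-or-class, permission)" unless permission.is_a? Symbol
 return false unless model
 
 rule = AccessRulesStorage.instance.model_rules.detect do |rule|
-rule.fired? model, permission,
+rule.fired? model, permission, login_context
 end
 access = rule && !rule.deny?
 if Tuersteher::TLogger.logger.debug?
-lc_id =
+lc_id = login_context && login_context.respond_to?(:id) ? login_context.id : login_context.object_id
 if model.instance_of?(Class)
 Tuersteher::TLogger.logger.debug(
-"Tuersteher: model_access?(
+"Tuersteher: model_access?(login_context.id=#{lc_id}, model=#{model}, permission=#{permission}) => #{access || 'denied'} #{rule}")
 else
 Tuersteher::TLogger.logger.debug(
-"Tuersteher: model_access?(
+"Tuersteher: model_access?(login_context.id=#{lc_id}, model=#{model.class}(#{model.respond_to?(:id) ? model.id : model.object_id }), permission=#{permission}) => #{access || 'denied'} #{rule}")
 end
 end
 access
 end
 
 # Bereinigen (entfernen) aller Objecte aus der angebenen Collection,
-# wo der angegebene
+# wo der angegebene login_context nicht das angegebene Recht hat
 #
 # liefert ein neues Array mit den Objecten, wo der spez. Zugriff arlaubt ist
-def purge_collection
-collection.select{|model| model_access?(
+def purge_collection login_context, collection, permission
+collection.select{|model| model_access?(login_context, model, permission)}
 end
 end # of Class-Methods
 end # of AccessRules
@@ -258,7 +258,7 @@ module Tuersteher
 # Module zum Include in Controllers
 # Dieser muss die folgenden Methoden bereitstellen:
 #
-#
+# login_context : akt. Login-Contex
 # access_denied : Methode aus dem authenticated_system, welche ein redirect zum login auslöst
 #
 # Der Loginlogin_contex muss fuer die hier benoetigte Funktionalitaet
@@ -278,7 +278,7 @@ module Tuersteher
 # method http-Methode (:get, :put, :delete, :post), default ist :get
 #
 def path_access?(path, method = :get)
-AccessRules.path_access?
+AccessRules.path_access? login_context, path, method
 end
 
 # Pruefen Zugriff auf ein Model-Object
@@ -288,15 +288,15 @@ module Tuersteher
 #
 # liefert true/false
 def model_access? model, permission
-AccessRules.model_access?
+AccessRules.model_access? login_context, model, permission
 end
 
 # Bereinigen (entfernen) aller Objecte aus der angebenen Collection,
-# wo der akt.
+# wo der akt. login_context nicht das angegebene Recht hat
 #
 # liefert ein neues Array mit den Objecten, wo der spez. Zugriff arlaubt ist
 def purge_collection collection, permission
-AccessRules.purge_collection(
+AccessRules.purge_collection(login_context, collection, permission)
 end
 
 
@@ -309,7 +309,7 @@ module Tuersteher
 
 protected
 
-# Pruefen, ob Zugriff des
+# Pruefen, ob Zugriff des login_context
 # fuer aktullen Request erlaubt ist
 def check_access
 
@@ -323,15 +323,15 @@ module Tuersteher
 ar_storage.read_rules
 end
 
-# bind
-Thread.current[:
+# bind login_context on the current thread
+Thread.current[:login_context] = login_context
 
 req_method = request.method
 req_method = req_method.downcase.to_sym if req_method.is_a?(String)
 url_path = request.fullpath
 unless path_access?(url_path, req_method)
-lc_id =
-msg = "Tuersteher#check_access: access denied for #{url_path} :#{req_method}
+lc_id = login_context && login_context.respond_to?(:id) ? login_context.id : login_context.object_id
+msg = "Tuersteher#check_access: access denied for #{url_path} :#{req_method} login_context.id=#{lc_id}"
 Tuersteher::TLogger.logger.warn msg
 logger.warn msg # log message also for Rails-Default logger
 access_denied # Methode aus dem authenticated_system, welche z.B. ein redirect zum login auslöst
@@ -344,7 +344,7 @@ module Tuersteher
 
 # Module for include in Model-Object-Classes
 #
-# The module get the
+# The module get the login_context from Thread.current[:login_context]
 #
 # Sample for ActiveRecord-Class
 # class Sample < ActiveRecord::Base
@@ -364,9 +364,9 @@ module Tuersteher
 #
 # raise a SecurityError-Exception if access denied
 def check_access permission
-
-unless AccessRules.model_access?
-raise SecurityError, "Access denied! Current
+login_context = Thread.current[:login_context]
+unless AccessRules.model_access? login_context, self, permission
+raise SecurityError, "Access denied! Current login_context have no permission '#{permission}' on Model-Object #{self}."
 end
 end
 
@@ -377,12 +377,12 @@ module Tuersteher
 module ClassMethods
 
 # Bereinigen (entfernen) aller Objecte aus der angebenen Collection,
-# wo der akt.
+# wo der akt. login_context nicht das angegebene Recht hat
 #
 # liefert ein neues Array mit den Objecten, wo der spez. Zugriff arlaubt ist
 def purge_collection collection, permission
-
-AccessRules.purge_collection(
+login_context = Thread.current[:login_context]
+AccessRules.purge_collection(login_context, collection, permission)
 end
 end # of ClassMethods
 
@@ -640,7 +640,7 @@ module Tuersteher
 
 # check, if this rule fired for specified parameter
 def fired? path_or_model, method, login_ctx
-login_ctx = nil if login_ctx==:false # manche Authenticate-System setzen den login_ctx/
+login_ctx = nil if login_ctx==:false # manche Authenticate-System setzen den login_ctx/login_context auf :false
 @rule_spezifications.all?{|spec| spec.grant?(path_or_model, method, login_ctx)}
 end
 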
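Review bot: `Thread.current[:login_context] = login_context` in the controller check_access (line 327 new) binds the identity to the thread, but no reset is visible in these hunks, so on a server that reuses threads the value outlives the request and ModelExtensions#check_access (line 367 new) and ClassMethods#purge_collection (line 384 new) read whatever identity last passed through the filter on that thread — including for a later request that never runs check_access at all. Clear it once the action has finished, e.g. `after_action { Thread.current[:login_context] = nil }` in the host controller or an around filter with an `ensure`; the body of check_access continues outside the hunk, so a reset placed there would not show here. The log-id expression `lc_id = login_context && login_context.respond_to?(:id) ? login_context.id : login_context.object_id` (lines 211, 234 and 333 new) parses as `(login_context && …) ? … : login_context.object_id`, so a nil login_context logs `nil.object_id` as if a user id existed; `lc_id = login_context.nil? ? 'nil' : (login_context.respond_to?(:id) ? login_context.id : login_context.object_id)` keeps anonymous requests recognisable in the access log, and since the expression is copied three times it belongs in one private helper. The raise message on line 226 still reads `model_access(model-instance-or-class, permission)` although the method now takes login_context as its first argument.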
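--- a/data/spec/access_rules_spec.rb
+++ b/data/spec/access_rules_spec.rb
@@ -12,74 +12,72 @@ module Tuersteher
 PathAccessRule.new('/images').method(:get),
 PathAccessRule.new('/status').method(:get).role(:system)
 ]
-AccessRulesStorage.instance.
-@
+expect(AccessRulesStorage.instance).to receive(:path_rules).at_least(:once){ rules }
+@login_context = double('login_context')
 end
 
 
-context "
-before do
-@user.stub(:has_role?){|role| role==:user}
-end
+context "LoginContext with role :user" do
 
 it "should be true for this paths" do
-AccessRules.path_access?(@
-AccessRules.path_access?(@
-AccessRules.path_access?(@
+expect(AccessRules.path_access?(@login_context, '/', :get)).to be_truthy
+expect(AccessRules.path_access?(@login_context, '/', :post)).to be_truthy
+expect(AccessRules.path_access?(@login_context, '/images', :get)).to be_truthy
 end
 
 it "should not be true for this paths" do
-
-AccessRules.path_access?(@
-AccessRules.path_access?(@
+expect(@login_context).to receive(:has_role?){|role| role==:user}.at_least(:once)
+expect(AccessRules.path_access?(@login_context, '/admin', :get)).to_not be_truthy
+expect(AccessRules.path_access?(@login_context, '/images', :post)).to_not be_truthy
+expect(AccessRules.path_access?(@login_context, '/status', :get)).to_not be_truthy
 end
 end
 
 
-context "
+context "LoginContext with role :admin" do
 before do
-@
+expect(@login_context).to receive(:has_role?){|role| role==:admin}.at_least(:once)
 end
 
 it "should be true for this paths" do
-AccessRules.path_access?(@
-AccessRules.path_access?(@
-AccessRules.path_access?(@
+expect(AccessRules.path_access?(@login_context, '/', :get)).to be_truthy
+expect(AccessRules.path_access?(@login_context, '/admin', :post)).to be_truthy
+expect(AccessRules.path_access?(@login_context, '/images', :get)).to be_truthy
 end
 
 it "should not be true for this paths" do
-AccessRules.path_access?(@
-AccessRules.path_access?(@
-AccessRules.path_access?(@
+expect(AccessRules.path_access?(@login_context, '/xyz', :get)).to_not be_truthy
+expect(AccessRules.path_access?(@login_context, '/images', :post)).to_not be_truthy
+expect(AccessRules.path_access?(@login_context, '/status', :get)).to_not be_truthy
 end
 end
 
 
-context "
+context "LoginContext with role :system" do
 before do
-@
+expect(@login_context).to receive(:has_role?){|role| role==:system}.at_least(:once)
 end
 
 it "should be true for this paths" do
-AccessRules.path_access?(@
-AccessRules.path_access?(@
+expect(AccessRules.path_access?(@login_context, '/', :get)).to be_truthy
+expect(AccessRules.path_access?(@login_context, '/status', :get)).to be_truthy
 end
 
 it "should not be true for this paths" do
-AccessRules.path_access?(@
-AccessRules.path_access?(@
+expect(AccessRules.path_access?(@login_context, '/xyz', :get)).to_not be_truthy
+expect(AccessRules.path_access?(@login_context, '/admin', :post)).to_not be_truthy
 end
 end
 
 
 context "without user" do
 it "should be true for this paths" do
-AccessRules.path_access?(nil, '/', :get).
+expect(AccessRules.path_access?(nil, '/', :get)).to be_truthy
 end
 
 it "should not be true for this paths" do
-AccessRules.path_access?(nil, '/xyz', :get).
-AccessRules.path_access?(nil, '/admin', :post).
+expect(AccessRules.path_access?(nil, '/xyz', :get)).to_not be_truthy
+expect(AccessRules.path_access?(nil, '/admin', :post)).to_not be_truthy
 end
 end
 end
@@ -88,7 +86,8 @@ module Tuersteher
 context 'model_access?' do
 
 class SampleModel1; end
-class SampleModel2; end
+class SampleModel2; def owner?(user); false; end; end
+
 
 before do
 rules = [
@@ -99,75 +98,75 @@ module Tuersteher
 ModelAccessRule.new(SampleModel2).deny.method(:create),
 ModelAccessRule.new(SampleModel2).grant.method(:all).role(:admin),
 ]
-AccessRulesStorage.instance.
-@
+expect(AccessRulesStorage.instance).to receive(:model_rules).at_least(:once){ rules }
+@login_context = double('login_context')
 @model1 = SampleModel1.new
 @model2 = SampleModel2.new
-@model2.stub(:owner?)
+@model2.stub(:owner?){ false }
 end
 
 
-context "
+context "LoginContext with role :user" do
 before do
-@
+@login_context.stub(:has_role?){|role| role==:user}
 end
 
-it "should be true for this" do
-AccessRules.model_access?(@
-@model2.stub(:owner?)
-AccessRules.model_access?(@
-AccessRules.model_access?(@
+it "should be true for this rules" do
+expect(AccessRules.model_access?(@login_context, @model1, :xyz)).to be_truthy
+@model2.stub(:owner?){ true }
+expect(AccessRules.model_access?(@login_context, @model2, :read)).to be_truthy
+expect(AccessRules.model_access?(@login_context, @model2, :update)).to be_truthy
 end
 
 it "should not be true for this" do
-AccessRules.model_access?(@
-AccessRules.model_access?(@
+expect(AccessRules.model_access?(@login_context, @model2, :update)).to be_falsy
+expect(AccessRules.model_access?(@login_context, @model2, :delete)).to be_falsy
 end
 end
 
 
-context "
+context "LoginContext with role :admin" do
 before do
-@
+@login_context.stub(:has_role?){|role| role==:admin}
 end
 
 it "should be true for this" do
-AccessRules.model_access?(@
-AccessRules.model_access?(@
-AccessRules.model_access?(@
-AccessRules.model_access?(@
+expect(AccessRules.model_access?(@login_context, @model1, :xyz)).to be_truthy
+expect(AccessRules.model_access?(@login_context, @model2, :read)).to be_truthy
+expect(AccessRules.model_access?(@login_context, @model2, :update)).to be_truthy
+expect(AccessRules.model_access?(@login_context, @model2, :delete)).to be_truthy
 end
 
 it "should not be true for this" do
-AccessRules.model_access?(@
+expect(AccessRules.model_access?(@login_context, @model2, :create)).to be_falsy
 end
 end
 
 
-context "
+context "LoginContext with role :sysadmin" do
 before do
-@
+@login_context.stub(:has_role?){|role| role==:sysadmin}
 end
 
 it "should be true for this" do
-AccessRules.model_access?(@
-AccessRules.model_access?(@
-AccessRules.model_access?(@
-AccessRules.model_access?(@
-AccessRules.model_access?(@
-AccessRules.model_access?(@
+expect(AccessRules.model_access?(@login_context, "test", :xyz)).to be_truthy
+expect(AccessRules.model_access?(@login_context, @model1, :xyz)).to be_truthy
+expect(AccessRules.model_access?(@login_context, @model2, :read)).to be_truthy
+expect(AccessRules.model_access?(@login_context, @model2, :update)).to be_truthy
+expect(AccessRules.model_access?(@login_context, @model2, :delete)).to be_truthy
+expect(AccessRules.model_access?(@login_context, @model2, :create)).to be_truthy
 end
 end
 
 
 context "without user" do
 it "should be true for this models" do
-AccessRules.model_access?(nil, @model1, :xyz).
-AccessRules.model_access?(nil, @model2, :read).
+expect(AccessRules.model_access?(nil, @model1, :xyz)).to be_truthy
+expect(AccessRules.model_access?(nil, @model2, :read)).to be_truthy
 end
 
 it "should not be true for this models" do
-AccessRules.model_access?(nil, @model2, :update).
+expect(AccessRules.model_access?(nil, @model2, :update)).to be_falsy
 end
 end
 end # of context 'model_access?'
@@ -186,7 +185,7 @@ module Tuersteher
 ModelAccessRule.new(SampleModel).method(:update).role(:user).extension(:owner?),
 ]
 AccessRulesStorage.instance.stub(:model_rules).and_return(rules)
-@
+@login_context = double('user')
 @model1 = SampleModel.new
 @model2 = SampleModel.new
 @model3 = SampleModel.new
@@ -195,13 +194,13 @@ module Tuersteher
 end
 
 it "Should return [@model3] for user with role=:user" do
-@
-AccessRules.purge_collection(@
+@login_context.stub(:has_role?){|role| role==:user}
+expect(AccessRules.purge_collection(@login_context, @collection, :update)).to eq [@model3]
 end
 
 it "Should return all for user with role=:admin" do
-@
-AccessRules.purge_collection(@
+@login_context.stub(:has_role?){|role| role==:admin}
+expect(AccessRules.purge_collection(@login_context, @collection, :update)).to eq @collection
 end
 end
 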
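Review bot: The doubles in this file mix the RSpec 3 `expect(...).to receive` form with the legacy `obj.stub(...)` form (`@model2.stub(:owner?){ false }` at line 105 new, `@login_context.stub(:has_role?)` at lines 111, 130, 148, 197 and 202 new); under the rspec '~> 3.8' dependency this release declares, the legacy form only works through the deprecated `:should` mock syntax, so convert them to `allow(@login_context).to receive(:has_role?) { |role| role == :user }`. In the path_access? contexts the role is wired up as `expect(@login_context).to receive(:has_role?){...}.at_least(:once)` inside `before` (lines 39 and 58 new), which turns setup into a hard message expectation: an example whose paths never consult a role then fails on the missing call rather than on the access decision, and `allow` states the intent. The 'role :user' context for path_access? lost its `before` stub entirely (old lines 21–23), so its positive example at line 22 new only passes while no matching rule for '/' or '/images' calls `has_role?`; an `allow` there, or a comment saying so, keeps the double from raising if the rule set grows. The hunks that follow this section on the page (path_spezification, Thread.current[:login_context]) belong to other spec files and are not covered by this note.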
|
@@ -58,8 +58,8 @@ end
|
|
58
58
|
@path_rules = AccessRulesStorage.instance.path_rules
|
59
59
|
end
|
60
60
|
|
61
|
-
specify{ @path_rules.first.path_spezification.
|
62
|
-
specify{ @path_rules.last.path_spezification.path.
|
61
|
+
specify{ expect(@path_rules.first.path_spezification).to be_nil }
|
62
|
+
specify{ expect(@path_rules.last.path_spezification.path).to eq '/test/special' }
|
63
63
|
|
64
64
|
end
|
65
65
|
end
|
@@ -15,22 +15,23 @@ module Tuersteher
|
|
15
15
|
|
16
16
|
before do
|
17
17
|
rules = [ModelAccessRule.new(SampleModel).grant.method(:deactived).role(:admin)]
|
18
|
-
AccessRulesStorage.instance.stub(:model_rules)
|
19
|
-
|
20
|
-
|
18
|
+
#AccessRulesStorage.instance.stub(:model_rules){ rules }
|
19
|
+
expect(AccessRulesStorage.instance).to receive(:model_rules){ rules }
|
20
|
+
@login_context = double('login_context')
|
21
|
+
Thread.current[:login_context] = @login_context
|
21
22
|
end
|
22
23
|
|
23
24
|
|
24
25
|
context "check_access" do
|
25
26
|
|
26
|
-
it "should not raise a Error for
|
27
|
-
@
|
27
|
+
it "should not raise a Error for login_context with role :admin" do
|
28
|
+
expect(@login_context).to receive(:has_role?){|role| role==:admin}
|
28
29
|
model = SampleModel.new
|
29
30
|
model.deactived
|
30
31
|
end
|
31
32
|
|
32
|
-
it "should raise a SecurityError for
|
33
|
-
@
|
33
|
+
it "should raise a SecurityError for login_context with not role :admin" do
|
34
|
+
expect(@login_context).to receive(:has_role?){|role| role==:user}
|
34
35
|
model = SampleModel.new
|
35
36
|
expect{ model.deactived }.to raise_error(SecurityError)
|
36
37
|
end
|
@@ -40,16 +41,16 @@ module Tuersteher
|
|
40
41
|
|
41
42
|
context "purge_collection" do
|
42
43
|
|
43
|
-
it "should purge nothing for
|
44
|
-
@
|
44
|
+
it "should purge nothing for login_context with role :admin" do
|
45
|
+
expect(@login_context).to receive(:has_role?){|role| role==:admin}
|
45
46
|
list = [SampleModel.new]
|
46
|
-
SampleModel.purge_collection(list, :deactived).
|
47
|
+
expect(SampleModel.purge_collection(list, :deactived)).to eq list
|
47
48
|
end
|
48
49
|
|
49
|
-
it "should purge all for
|
50
|
-
@
|
50
|
+
it "should purge all for login_context with not role :admin" do
|
51
|
+
expect(@login_context).to receive(:has_role?){|role| role==:user}
|
51
52
|
list = [SampleModel.new]
|
52
|
-
SampleModel.purge_collection(list, :deactived).
|
53
|
+
expect(SampleModel.purge_collection(list, :deactived)).to eq []
|
53
54
|
end
|
54
55
|
|
55
56
|
end # of context "purge_collection"
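Review bot: `Thread.current[:login_context] = @login_context` in `before` (line 21 new) is never reset, so the double stays bound to the thread after each example and bleeds into any later example or spec file that reads `Thread.current[:login_context]` without setting it first; add `after { Thread.current[:login_context] = nil }` beside it. The commented-out `#AccessRulesStorage.instance.stub(:model_rules){ rules }` on line 18 new is dead code next to the live expectation and can be dropped. The enclosing describe block starts outside the hunk, and the page shows no file header for it; the `SampleModel.purge_collection` calls point to data/spec/model_extensions_spec.rb from the file list.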
|
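--- a/data/spec/spec_helper.rb
+++ b/data/spec/spec_helper.rb
@@ -1,7 +1,108 @@
-
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# The generated `.rspec` file contains `--require spec_helper` which will cause
+# this file to always be loaded, without a need to explicitly require it in any
+# files.
+
 require 'logger'
 require File.expand_path(File.dirname(__FILE__) + "/../lib/tuersteher")
 
 # Logger auf stdout stellen
 Tuersteher::TLogger.logger = Logger.new(STDOUT)
 Tuersteher::TLogger.logger.level = Logger::ERROR
+
+
+# Given that it is always loaded, you are encouraged to keep this file as
+# light-weight as possible. Requiring heavyweight dependencies from this file
+# will add to the boot time of your test suite on EVERY test run, even for an
+# individual file that may not need all of that loaded. Instead, consider making
+# a separate helper file that requires the additional dependencies and performs
+# the additional setup, and require it from the spec files that actually need
+# it.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+RSpec.configure do |config|
+# rspec-expectations config goes here. You can use an alternate
+# assertion/expectation library such as wrong or the stdlib/minitest
+# assertions if you prefer.
+config.expect_with :rspec do |expectations|
+# This option will default to `true` in RSpec 4. It makes the `description`
+# and `failure_message` of custom matchers include text for helper methods
+# defined using `chain`, e.g.:
+# be_bigger_than(2).and_smaller_than(4).description
+# # => "be bigger than 2 and smaller than 4"
+# ...rather than:
+# # => "be bigger than 2"
+expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+end
+
+# rspec-mocks config goes here. You can use an alternate test double
+# library (such as bogus or mocha) by changing the `mock_with` option here.
+config.mock_with :rspec do |mocks|
+# Prevents you from mocking or stubbing a method that does not exist on
+# a real object. This is generally recommended, and will default to
+# `true` in RSpec 4.
+mocks.verify_partial_doubles = true
+end
+
+# This option will default to `:apply_to_host_groups` in RSpec 4 (and will
+# have no way to turn it off -- the option exists only for backwards
+# compatibility in RSpec 3). It causes shared context metadata to be
+# inherited by the metadata hash of host groups and examples, rather than
+# triggering implicit auto-inclusion in groups with matching metadata.
+config.shared_context_metadata_behavior = :apply_to_host_groups
+
+# The settings below are suggested to provide a good initial experience
+# with RSpec, but feel free to customize to your heart's content.
+=begin
+# This allows you to limit a spec run to individual examples or groups
+# you care about by tagging them with `:focus` metadata. When nothing
+# is tagged with `:focus`, all examples get run. RSpec also provides
+# aliases for `it`, `describe`, and `context` that include `:focus`
+# metadata: `fit`, `fdescribe` and `fcontext`, respectively.
+config.filter_run_when_matching :focus
+
+# Allows RSpec to persist some state between runs in order to support
+# the `--only-failures` and `--next-failure` CLI options. We recommend
+# you configure your source control system to ignore this file.
+config.example_status_persistence_file_path = "spec/examples.txt"
+
+# Limits the available syntax to the non-monkey patched syntax that is
+# recommended. For more details, see:
+# - http://rspec.info/blog/2012/06/rspecs-new-expectation-syntax/
+# - http://www.teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
+# - http://rspec.info/blog/2014/05/notable-changes-in-rspec-3/#zero-monkey-patching-mode
+config.disable_monkey_patching!
+
+# This setting enables warnings. It's recommended, but in some cases may
+# be too noisy due to issues in dependencies.
+config.warnings = true
+
+# Many RSpec users commonly either run the entire suite or an individual
+# file, and it's useful to allow more verbose output when running an
+# individual spec file.
+if config.files_to_run.one?
+# Use the documentation formatter for detailed output,
+# unless a formatter has already been configured
+# (e.g. via a command-line flag).
+config.default_formatter = "doc"
+end
+
+# Print the 10 slowest examples and example groups at the
+# end of the spec run, to help surface which specs are running
+# particularly slow.
+config.profile_examples = 10
+
+# Run specs in random order to surface order dependencies. If you find an
+# order dependency and want to debug it, you can fix the order by providing
+# the seed, which is printed after each run.
+# --seed 1234
+config.order = :random
+
+# Seed global randomization in this process using the `--seed` CLI option.
+# Setting this allows you to use `--seed` to deterministically reproduce
+# test failures related to randomization by passing the same `--seed` value
+# as the one that triggered the failure.
+Kernel.srand config.seed
+=end
+end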
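--- a/data/tuersteher.gemspec
+++ b/data/tuersteher.gemspec
@@ -3,8 +3,8 @@ $:.push File.expand_path("../lib", __FILE__)
 
 Gem::Specification.new do |s|
 s.name = 'tuersteher'
-s.version = '1.0.
-s.authors = ["Bernd Ledig"]
+s.version = '1.0.2'
+s.authors = ["Bernd Ledig","BerndL"]
 s.email = ["bernd@ledig.info","bernd.ledig@ottogroup.com"]
 s.homepage = "https://gitlab.com/bledig/tuersteher"
 s.summary = "Access-Handling for Rails-Apps"
@@ -25,7 +25,7 @@ Gem::Specification.new do |s|
 #s.add_runtime_dependency "i18n"
 
 s.add_development_dependency "rake", '~> 10.5'
-s.add_development_dependency "rspec", '~>
+s.add_development_dependency "rspec", '~> 3.8'
 
 end
 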
metadata
CHANGED
@@ -1,10 +1,11 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: tuersteher
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.0.
|
4
|
+
version: 1.0.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Bernd Ledig
|
8
|
+
- BerndL
|
8
9
|
autorequire:
|
9
10
|
bindir: bin
|
10
11
|
cert_chain: []
|
@@ -30,14 +31,14 @@ dependencies:
|
|
30
31
|
requirements:
|
31
32
|
- - "~>"
|
32
33
|
- !ruby/object:Gem::Version
|
33
|
-
version: '
|
34
|
+
version: '3.8'
|
34
35
|
type: :development
|
35
36
|
prerelease: false
|
36
37
|
version_requirements: !ruby/object:Gem::Requirement
|
37
38
|
requirements:
|
38
39
|
- - "~>"
|
39
40
|
- !ruby/object:Gem::Version
|
40
|
-
version: '
|
41
|
+
version: '3.8'
|
41
42
|
description: " Security-Layer for Rails-Application acts like a firewall.\n"
|
42
43
|
email:
|
43
44
|
- bernd@ledig.info
|
@@ -48,6 +49,8 @@ extra_rdoc_files:
|
|
48
49
|
- README.rdoc
|
49
50
|
files:
|
50
51
|
- ".gitignore"
|
52
|
+
- ".rspec"
|
53
|
+
- ".ruby-version"
|
51
54
|
- Gemfile
|
52
55
|
- README.rdoc
|
53
56
|
- Rakefile
|
@@ -56,12 +59,11 @@ files:
|
|
56
59
|
- license.txt
|
57
60
|
- samples/access_rules.rb
|
58
61
|
- samples/application_controller.rb
|
59
|
-
- spec/acces_rules_storage_spec.rb
|
60
62
|
- spec/access_rules_spec.rb
|
63
|
+
- spec/access_rules_storage_spec.rb
|
61
64
|
- spec/model_access_rule_spec.rb
|
62
65
|
- spec/model_extensions_spec.rb
|
63
66
|
- spec/path_access_rule_spec.rb
|
64
|
-
- spec/spec.opts
|
65
67
|
- spec/spec_helper.rb
|
66
68
|
- tuersteher.gemspec
|
67
69
|
homepage: https://gitlab.com/bledig/tuersteher
|