tuersteher 0.2.2 → 0.3.0

data/VERSION

@@ -1 +1 @@
-0.2.2
+0.3.0

data/lib/tuersteher.rb

@@ -94,16 +94,6 @@ module Tuersteher
     # definiert Model-basierende Zugriffsregel
     #
     # model_class:  Model-Klassenname oder :all fuer alle
-    # access_type:  Zugriffsart (:create, :update, :destroy, :all o.A. selbst definierte Typen)
-    # roles         Aufzählung der erforderliche Rolen (:all für ist egal),
-    #               hier ist auch ein Array von Symbolen möglich
-    # block         optionaler Block, wird mit model und user aufgerufen und muss true oder false liefern
-    #               hier ein Beispiel mit Block:
-    #               <code>
-    #                 # Regel, in der sich jeder User selbst aendern darf
-    #                 grant_model(User, :update, :all){|model,user| model.id==user.id}
-    #               </code>
-    #
     def model model_class
       if block_given?
         @current_model_class = model_class
@@ -152,7 +142,7 @@ module Tuersteher
         end
         Tuersteher::TLogger.logger.debug("Tuersteher: path_access?(#{path}, #{method})  =>  #{s}")
       end
-      rule!=nil && !rule.deny?
+      !(rule.nil? || rule.deny?)
     end
 
 
@@ -270,6 +260,7 @@ module Tuersteher
 
   end
 
+
   # Astracte base class for Access-Rules
   class BaseAccessRule
 
@@ -304,14 +295,19 @@ module Tuersteher
       @deny
     end
 
+    def not
+      @not = true
+      self
+    end
+
     protected
 
     def grant_role? user
       return true if @roles.empty?
       return false if user.nil?
-      @roles.each do |role|
-        return true if user.has_role?(role)
-      end
+      role = @roles.detect{|r| user.has_role?(r)}
+      role = !role if @not
+      return true if role
       false
     end
 
@@ -358,7 +354,7 @@ module Tuersteher
     # path / method fuer den current_user erlaubt ist
     #
     # user ist ein Object (meist der Loginuser),
-    # welcher die Methode 'has_role?(*roles)' besitzen muss.
+    # welcher die Methode 'has_role?(role)' besitzen muss.
     # *roles ist dabei eine Array aus Symbolen
     #
     def fired?(path, method, user)
@@ -372,11 +368,7 @@ module Tuersteher
         return false
       end
 
-      if !@roles.empty? && (user.nil? || !user.has_role?(*@roles))
-        #Tuersteher::TLogger.logger.debug("#{to_s}.has_access? => false why #{@roles.first}!=:all && #{!user.has_role?(*@roles)}")
-        return false
-      end
-
+      return false unless grant_role?(user)
       return false unless grant_extension?(user)
 
       true

data/samples/access_rules.rb

@@ -8,10 +8,11 @@
 #
 # Pfad-Zugriffsregeln
 # Aufbau:  
-#   Path : URL-Pfad, wird als regex ausgewertet
-#   Methode : :all, :get, :put, :post, :delete oder :edit 
-#   roles :Liste der berechtigten Rollen (es können mehrere Rollen durch Komma getrennt angegeben werden)
-#
+#   path(<path>).grant[.method(<methode>)][.not][.role(<role>)][.extension(<ext_method>[, <expected_value>)]
+# or
+#   path(<path>).deny[.method(<methode>)][.not][.role(<role>)][.extension(<ext_method>[, <expected_value>)]
+# with
+#   <method>: HTTP-Method name as Symbol (:get, :put, :post, :delete) or :all 
 
 path('/').grant.method(:get)
 path(:all).grant.role(:ADMIN)
@@ -21,14 +22,16 @@ path('/special').grant.extension(:special?, :area1)
 #
 # Model-Object-Zugriffsregeln
 # Aufbau:
-#   Model-Klasse : Klasse des Models
-#   Zugriffsart : frei definierbares Symbol, empfohlen :update, :create, :destroy
-#   Roles : Aufzählung der Rollen
-#   Block : optionaler Block, diesem wird die Model-Instance und der User als Parameter bereitgestellt
+#   model(<ModelClass>).grant.permission(<permission>)[.role(<role>)][.extension(<method>[, <expected_value>])]
+# or
+#   model(<ModelClass>).deny.permission(<permission>)[.not][.role(<role>)][.extension(<method>[, <expected_value>])]
+# or
+#   model(<ModelClass> do
+#     grant..permission(<permission>)[.role(<role>)][.extension(<method>[, <expected_value>])]
+#     deny.permission(<permission>)[.role(<role>)][.extension(<method>[, <expected_value>])]
+#     ...
+#   end
 
-#grant_model String, :view, :all
-#grant_model String, :view, :ADMIN, :EDITOR
-#grant_model String, :update, :EDITOR do |model, user| model == user.name end
 
 model(Dashboard).grant.permission(:view)
 
@@ -36,4 +39,5 @@ model(Todo) do
   grant.permission(:view)
   grant.permission(:full_view).role(:ADMIN)
   grant.permission(:update).role(:EDITOR).extension(:owned_by?) # calls Todo.owned_by?(current_user)
+  grant-permission(:delete).not.role(:ADMIN)
 end

data/spec/access_rules_spec.rb

@@ -1,7 +1,5 @@
 require "spec_helper"
 
-
-
 module Tuersteher
 
   describe AccessRules do

data/spec/model_access_rule_spec.rb

@@ -4,39 +4,61 @@ module Tuersteher
 
   describe ModelAccessRule do
 
-    before(:all) do
-      @rule = ModelAccessRule.new(String).grant.permission(:read).role(:sysadmin).role(:admin)
-    end
+    context "grant with roles" do
 
-    context "for User with role :admin" do
-      before do
-        @user = stub('user')
-        @user.stub(:has_role?){|role| role==:admin}
+      before(:all) do
+        @rule = ModelAccessRule.new(String).grant.permission(:read).role(:sysadmin).role(:admin)
       end
 
-      it "should be fired for String-Object and access-type :read" do
-        @rule.fired?("test", :read, @user).should be_true
-      end
+      context "for User with role :admin" do
+        before do
+          @user = stub('user')
+          @user.stub(:has_role?) { |role| role==:admin }
+        end
 
-      it "should not be fired for Non-String-Object" do
-        @rule.fired?(12345, :read, @user).should_not be_true
+        it "should be fired for String-Object and access-type :read" do
+          @rule.fired?("test", :read, @user).should be_true
+        end
+
+        it "should not be fired for Non-String-Object" do
+          @rule.fired?(12345, :read, @user).should_not be_true
+        end
+
+        it "should not be fired for String-Object and other access-type as :read" do
+          @rule.fired?("test", :delete, @user).should_not be_true
+        end
       end
 
-      it "should not be fired for String-Object and other access-type as :read" do
-        @rule.fired?("test", :delete, @user).should_not be_true
+      context "for User without role :admin" do
+        before do
+          @user = stub('user')
+          @user.stub(:has_role?).and_return(false)
+        end
+
+        it "should not be fired for String-Object and access-type :read" do
+          @rule.fired?("test", :read, @user).should_not be_true
+        end
       end
-    end
+    end # of context "grant with roles"
 
-    context "for User without role :admin" do
-      before do
+
+    context "deny with not.role" do
+      before(:all) do
+        @rule = ModelAccessRule.new(String).deny.permission(:append).not.role(:admin)
         @user = stub('user')
-        @user.stub(:has_role?).and_return(false)
       end
 
-      it "should not be fired for String-Object and access-type :read" do
-        @rule.fired?("test", :read, @user).should_not be_true
+      it "should not fired for user with role :admin" do
+        @user.stub(:has_role?){|role| role==:admin}
+        @rule.fired?("/admin", :append, @user).should_not be_true
       end
-    end
+
+      it "should fired for user with role :user" do
+        @user.stub(:has_role?){|role| role==:user}
+        @rule.fired?("/admin", :append, @user).should be_true
+      end
+    end # of context "deny with not.role"
+
   end
 
 end

data/spec/path_access_rule_spec.rb

@@ -4,126 +4,164 @@ module Tuersteher
 
   describe PathAccessRule do
 
-    before(:all) do
-      @rule = PathAccessRule.new('/admin').method(:get).role(:sysadmin).role(:admin)
-    end
+    context "grant" do
+      before(:all) do
+        @rule = PathAccessRule.new('/admin').grant.method(:get).role(:sysadmin).role(:admin)
+      end
 
 
-    context "for User with role :admin" do
-      before do
-        @user = stub('user')
-        @user.stub(:has_role?).with(:sysadmin, :admin).and_return(true)
-      end
+      context "for User with role :admin" do
+        before do
+          @user = stub('user')
+          @user.stub(:has_role?){|role| role==:admin}
+        end
 
-      it "should be fired for path='/admin/xyz' and method :get" do
-        @rule.fired?("/admin/xyz", :get, @user).should be_true
-      end
+        it "should be fired for path='/admin/xyz' and method :get" do
+          @rule.fired?("/admin/xyz", :get, @user).should be_true
+        end
 
-      it "should not be fired for other path" do
-        @rule.fired?('/todos/admin', :get, @user).should_not be_true
-      end
+        it "should not be fired for other path" do
+          @rule.fired?('/todos/admin', :get, @user).should_not be_true
+        end
 
-      it "should not be fired for other method as :get" do
-        @rule.fired?("/admin/xyz", :post, @user).should_not be_true
+        it "should not be fired for other method as :get" do
+          @rule.fired?("/admin/xyz", :post, @user).should_not be_true
+        end
       end
-    end
 
 
-    context "for User without role :admin" do
-      before do
-        @user = stub('user')
-        @user.stub(:has_role?).and_return(false)
-      end
+      context "for User without role :admin" do
+        before do
+          @user = stub('user')
+          @user.stub(:has_role?).and_return(false)
+        end
 
-      it "should not be fired for correct path and method" do
-        @rule.fired?("/admin/xyz", :get, @user).should_not be_true
+        it "should not be fired for correct path and method" do
+          @rule.fired?("/admin/xyz", :get, @user).should_not be_true
+        end
       end
-    end
 
 
-    context "Rule with :all as Path-Matcher" do
-      before(:all) do
-        @rule = PathAccessRule.new(:all).method(:get).role(:sysadmin).role(:admin)
-        @user = stub('user')
-        @user.stub(:has_role?).and_return(true)
-      end
+      context "Rule with :all as Path-Matcher" do
+        before(:all) do
+          @rule = PathAccessRule.new(:all).method(:get).role(:sysadmin).role(:admin)
+          @user = stub('user')
+          @user.stub(:has_role?).and_return(true)
+        end
 
-      it "should fired for several paths" do
-        @rule.fired?("/admin/xyz", :get, @user).should be_true
-        @rule.fired?("/xyz", :get, @user).should be_true
-        @rule.fired?("/", :get, @user).should be_true
-      end
+        it "should fired for several paths" do
+          @rule.fired?("/admin/xyz", :get, @user).should be_true
+          @rule.fired?("/xyz", :get, @user).should be_true
+          @rule.fired?("/", :get, @user).should be_true
+        end
 
-      it "should not be fired with other method" do
-        @rule.fired?("/admin/xyz", :post, @user).should_not be_true
+        it "should not be fired with other method" do
+          @rule.fired?("/admin/xyz", :post, @user).should_not be_true
+        end
       end
-    end
 
 
-    context "Rule with no Methode spezifed => all methods allowed" do
-      before(:all) do
-        @rule = PathAccessRule.new('/admin').role(:sysadmin).role(:admin)
-        @user = stub('user')
-        @user.stub(:has_role?).and_return(true)
+      context "Rule with no Methode spezifed => all methods allowed" do
+        before(:all) do
+          @rule = PathAccessRule.new('/admin').role(:sysadmin).role(:admin)
+          @user = stub('user')
+          @user.stub(:has_role?).and_return(true)
+        end
+
+        it "should fired for several methods" do
+          @rule.fired?("/admin/xyz", :get, @user).should be_true
+          @rule.fired?("/admin/xyz", :post, @user).should be_true
+          @rule.fired?("/admin/xyz", :put, @user).should be_true
+          @rule.fired?("/admin/xyz", :delete, @user).should be_true
+        end
+
+        it "should not be fired with other path" do
+          @rule.fired?("/xyz", :post, @user).should_not be_true
+        end
       end
 
-      it "should fired for several methods" do
-        @rule.fired?("/admin/xyz", :get, @user).should be_true
-        @rule.fired?("/admin/xyz", :post, @user).should be_true
-        @rule.fired?("/admin/xyz", :put, @user).should be_true
-        @rule.fired?("/admin/xyz", :delete, @user).should be_true
+
+      context "Rule with no role spezifed => now role needed" do
+        before(:all) do
+          @rule = PathAccessRule.new('/admin').method(:get)
+          @user = stub('user')
+          @user.stub(:has_role?).and_return(false)
+        end
+
+        it "should fired for user with no roles" do
+          @rule.fired?("/admin/xyz", :get, @user).should be_true
+        end
+
+        it "should not be fired with other path" do
+          @rule.fired?("/xyz", :get, @user).should_not be_true
+        end
       end
 
-      it "should not be fired with other path" do
-        @rule.fired?("/xyz", :post, @user).should_not be_true
+
+      context "Rule with extension" do
+        before(:all) do
+          @rule = PathAccessRule.new('/admin').method(:get).extension(:modul_function?, :testvalue)
+          @rule2 = PathAccessRule.new('/admin').method(:get).extension(:modul_function2?)
+          @user = stub('user')
+          @user.stub(:has_role?).and_return(false)
+        end
+
+        it "should not be fired with user have not the check_extension" do
+          @rule.fired?("/admin", :get, @user).should_not be_true
+        end
+
+        it "should fired for user with true for check-extension" do
+          @user.should_receive(:modul_function?).with(:testvalue).and_return(true)
+          @rule.fired?("/admin/xyz", :get, @user).should be_true
+        end
+
+        it "should not be fired for user with false for check-extension" do
+          @user.should_receive(:modul_function?).with(:testvalue).and_return(false)
+          @rule.fired?("/admin/xyz", :get, @user).should_not be_true
+        end
+
+        it "should fired for rule2 and user with true for check-extension" do
+          @user.should_receive(:modul_function2?).and_return(true)
+          @rule2.fired?("/admin/xyz", :get, @user).should be_true
+        end
       end
-    end
+    end # of context "grant" do
 
 
-    context "Rule with no role spezifed => now role needed" do
+    context "deny" do
       before(:all) do
-        @rule = PathAccessRule.new('/admin').method(:get)
+        @rule = PathAccessRule.new('/admin').deny.role(:user)
         @user = stub('user')
-        @user.stub(:has_role?).and_return(false)
       end
 
-      it "should fired for user with no roles" do
-        @rule.fired?("/admin/xyz", :get, @user).should be_true
+      it "should fired for user with role :user" do
+        @user.stub(:has_role?){|role| role==:user}
+        @rule.fired?("/admin", :get, @user).should be_true
       end
 
-      it "should not be fired with other path" do
-        @rule.fired?("/xyz", :get, @user).should_not be_true
+      it "should not fired for user with role :admin" do
+        @user.stub(:has_role?){|role| role==:admin}
+        @rule.fired?("/admin", :get, @user).should_not be_true
       end
-    end
+    end # of context "deny" do
 
 
-    context "Rule with extension" do
+    context "with not as role prefix" do
       before(:all) do
-        @rule = PathAccessRule.new('/admin').method(:get).extension(:modul_function?, :testvalue)
-        @rule2 = PathAccessRule.new('/admin').method(:get).extension(:modul_function2?)
+        @rule = PathAccessRule.new('/admin').deny.not.role(:admin)
         @user = stub('user')
-        @user.stub(:has_role?).and_return(false)
       end
 
-      it "should not be fired with user have not the check_extension" do
+      it "should not fired for user with role :admin" do
+        @user.stub(:has_role?){|role| role==:admin}
         @rule.fired?("/admin", :get, @user).should_not be_true
       end
 
-      it "should fired for user with true for check-extension" do
-        @user.should_receive(:modul_function?).with(:testvalue).and_return(true)
-        @rule.fired?("/admin/xyz", :get, @user).should be_true
-      end
-
-      it "should not be fired for user with false for check-extension" do
-        @user.should_receive(:modul_function?).with(:testvalue).and_return(false)
-        @rule.fired?("/admin/xyz", :get, @user).should_not be_true
+      it "should fired for user with role :user" do
+        @user.stub(:has_role?){|role| role==:user}
+        @rule.fired?("/admin", :get, @user).should be_true
       end
-
-      it "should fired for rule2 and user with true for check-extension" do
-        @user.should_receive(:modul_function2?).and_return(true)
-        @rule2.fired?("/admin/xyz", :get, @user).should be_true
-      end
-    end
-
+    end # of context "not" do
+    
   end
 end

data/tuersteher.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = %q{tuersteher}
-  s.version = "0.2.2"
+  s.version = "0.3.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Bernd Ledig"]
-  s.date = %q{2010-08-29}
+  s.date = %q{2010-08-30}
   s.description = %q{Security-Layer for Rails-Application acts like a firewall.}
   s.email = %q{bernd@ledig.info}
   s.extra_rdoc_files = [
@@ -40,11 +40,11 @@ Gem::Specification.new do |s|
   s.rubygems_version = %q{1.3.7}
   s.summary = %q{Security-Layer for Rails-Application}
   s.test_files = [
-    "spec/spec_helper.rb",
-     "spec/access_rules_spec.rb",
+    "spec/acces_rules_storage_spec.rb",
      "spec/path_access_rule_spec.rb",
      "spec/model_access_rule_spec.rb",
-     "spec/acces_rules_storage_spec.rb"
+     "spec/access_rules_spec.rb",
+     "spec/spec_helper.rb"
   ]
 
   if s.respond_to? :specification_version then

metadata

@@ -5,9 +5,9 @@ version: !ruby/object:Gem::Version
   prerelease: false
   segments: 
   - 0
-  - 2
-  - 2
-  version: 0.2.2
+  - 3
+  - 0
+  version: 0.3.0
 platform: ruby
 authors: 
 - Bernd Ledig
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-08-29 00:00:00 +02:00
+date: 2010-08-30 00:00:00 +02:00
 default_executable: 
 dependencies: []
 
@@ -80,8 +80,8 @@ signing_key:
 specification_version: 3
 summary: Security-Layer for Rails-Application
 test_files: 
-- spec/spec_helper.rb
-- spec/access_rules_spec.rb
+- spec/acces_rules_storage_spec.rb
 - spec/path_access_rule_spec.rb
 - spec/model_access_rule_spec.rb
-- spec/acces_rules_storage_spec.rb
+- spec/access_rules_spec.rb
+- spec/spec_helper.rb