turnstile 0.1.0

data/Manifest

@@ -0,0 +1,7 @@
+README.rdoc
+Rakefile
+lib/turnstile.rb
+lib/turnstile/authorization.rb
+lib/turnstile/role.rb
+lib/turnstile/rule.rb
+Manifest

data/README.rdoc

@@ -0,0 +1,57 @@
+Turnstile is a simple authorization module.
+With turnstile you'll be able to define rules for each role to access  your controllers and views.
+
+= Roles, Rules and Privileges
+
+You can define all roles, all rules and all privileges in the config file, placed in config/initializers/turnstile.rb
+
+= Privileges
+
+
+  privilege :read do
+     allows_to :show, :index
+     denies_to :destroy, :create
+  end
+
+  privilege :manage do
+    allows_to :create, :new
+    allows_to :destroy
+  end
+
+
+= Rules to Roles
+
+  role :reader do
+    can :read => :posts
+    can :read => :comments
+  end
+    
+  role :admin do
+    inherits :reader
+    can :manage => :posts
+  end
+
+
+= The Default Role
+
+
+You need to set a role to be used when the current user has no role
+
+  default :reader
+
+
+An example of config file can be found in config/initializers/turnstile.rb in this repo.
+
+= The User Model
+
+To set the model, so far it is hardcoded, so you need a string column called
+  user_role
+in your user model, and be sure to have a method that returns the current user, called 
+  current_user
+ 
+= Controllers
+For each controller that you want to monirate just call:
+
+  before_filter :verify_role_permissions!
+
+

data/Rakefile

@@ -0,0 +1,14 @@
+require 'rubygems'  
+require 'rake'  
+require 'echoe'  
+  
+Echoe.new('turnstile', '0.1.0') do |p|  
+  p.description     = "Simple authorization for rails"  
+  p.url             = "http://github.com/milare/turnstile"  
+  p.author          = "Bruno Milare"  
+  p.email           = "milare@gmail.com"  
+  p.ignore_pattern  = ["spec/*", "config/initializers/*"]  
+  p.development_dependencies = []  
+end  
+  
+Dir["#{File.dirname(__FILE__)}/tasks/*.rake"].sort.each { |ext| load ext }  

data/lib/turnstile/authorization.rb

@@ -0,0 +1,155 @@
+# Turnstile::Authorization
+# Module that is used as interface to the application
+module Turnstile
+  module Authorization
+  
+    # Keep track of all permissions defined
+    # A permission is defined in the setup with such as:
+    # 
+    #  privilege :manage do
+    #   allows_to :create, :new
+    #  end
+    @@permissions = {}
+  
+    # used in tests so far, to perform the setup
+    def self.read_config_file
+      require File.expand_path(File.dirname(__FILE__) + '/../../config/initializers/turnstile')
+    end
+    
+    # Run the config file with all definitions
+    def self.setup(&block)
+      yield if block_given?    
+    end
+    
+    # Used by tests to reset all configurations done
+    def self.reset
+      @@permissions = {}
+      Role.clear
+    end
+    
+    # Finds a permission
+    # Turnstile::Authorization.find_permission(:manage)
+    def self.find_permission(permission_name)
+      @@permissions[permission_name]
+    end
+    
+    # From setup defines the default role
+    # If the role is not found tries to define 
+    # common names for guests
+    # The default role is used when there is no current role
+    def default(role_str)
+      role = Role.find(role_str.to_sym)
+      if !role
+        role ||= Role.find(:guest)
+        role ||= Role.find(:visitor)
+        if !role
+          Role.set_default_role(role)
+        else
+          Role.set_default_role(Role.first)
+        end
+      else
+        Role.set_default_role(role)
+      end
+    end
+    
+    
+    # Method used in each controller that requires authorization
+    # Actually it handles the requests performed by the controller
+    # and then check if the current_role id allowed to perfom the action
+    def verify_role_permissions!
+      if request || request.params
+        action = request.params[:action] ? request.params[:action] : nil
+        controller = request.params[:controller] ? request.params[:controller] : nil
+        if action and controller
+          if !current_role.is_allowed_to? action, controller
+            flash[:alert] = "Unauthorized action"
+            redirect_to root_path
+          end
+        else
+          redirect_to root_path  
+        end
+      else
+        redirect_to root_path
+      end
+    end
+    
+    # Returns the default role in this scope
+    def default_role
+      Role.default_role
+    end
+    
+    # Helper to get current_role
+    # TODO: Find a way to get the current_user role in a dynamic way
+    # This way like current_user.user_role is too hardcoded
+    def current_role
+      current_role = current_user ? Role.find(current_user.user_role.to_sym) : nil
+      current_role ||= Role.default_role
+    end
+    
+    # Set the current_role
+    def current_role=(role)
+      current_role = role
+    end
+  
+    # Methods to define a permission
+    #  privilege :manage do
+    #   allows_to :create, :new
+    #   denies_to :destroy
+    #  end
+    def privilege(name, &block)
+      @current_permission = name
+      @@permissions[@current_permission] = {}
+      yield if block_given?
+    end
+  
+    def allows_to(*actions)
+      @@permissions[@current_permission][:allow] ||= []
+      actions.each do |action|
+        @@permissions[@current_permission][:allow] << action
+      end
+    end
+
+    def denies_to(*actions)
+      @@permissions[@current_permission][:deny] ||= []
+      actions.each do |action|
+        @@permissions[@current_permission][:deny] << action
+      end
+    end
+  
+    # Methods to set a privilege(permission) to a role
+    #  role :admin do
+    #   can :manage => :posts
+    #   inherits :reader
+    #  end
+    def role(role, &block)
+      @current_role = Role.find(role)
+      @current_role ||= Role.new(:name => role, :rules => [])
+      yield if block_given?
+    end
+  
+    def inherits(role)
+     parent = Role.find(role)
+     parent ? @current_role.merge_rules(parent.rules) : @current_role.rules
+    end
+    
+    def can(rules_set)
+      rules = []
+      rules_set.keys.each do |permission|
+        actions = Authorization.find_permission(permission)
+        controller = rules_set[permission]
+        if actions[:allow]
+          actions[:allow].each do |action|
+            rules << Rule.new(:action => action.to_s, :controller => controller.to_s, :allow => true, :active => true)
+          end
+        end
+        if actions[:deny]
+          actions[:deny].each do |action|
+            rules << Rule.new(:action => action.to_s, :controller => controller.to_s, :allow => false, :active => true)
+          end
+        end
+      end
+      @current_role.merge_rules(rules)
+    end
+  
+  end
+end

data/lib/turnstile/role.rb

@@ -0,0 +1,133 @@
+# Role class
+# Provides all needed methods to handle a role and its rules
+class Role
+
+  attr_accessor :name, :rules
+  
+  # Class variable to keep control of all roles
+  @@roles = {}
+  
+  # Class variable to keep the default role, it means that if 
+  # there is no current_role than the default is used
+  @@default = nil
+  
+  # Class methods
+  # Adds a role to the roles hash
+  def self.add_role(role)
+    @@roles[role.name.to_sym] = role
+  end
+  
+  def self.all_roles
+    @@roles
+  end
+  
+  # Find a role by its name
+  # Role.find(:admin)
+  # returns Role or nil
+  def self.find(role_sym)
+    @@roles[role_sym]
+  end
+  
+  def self.first
+    @@roles.first
+  end
+
+  # Remove all role from memory, used for tests so far
+  def self.clear
+    @@roles = {}  
+  end  
+
+  def self.set_default_role(role)
+    @@default = role
+  end
+  
+  def self.default_role
+    @@default
+  end
+
+  def initialize(role)
+    @name = role[:name]
+    @rules = role[:rules]
+    
+    # Helper for each initialized role
+    # is_role? for a role with name 'role'
+    # is_admin? when admin role is instantiated
+    Role.class_eval <<-METHOD
+                      def is_#{@name}?
+                        @name == '#{@name}'
+                      end
+                      METHOD
+    
+    Role.add_role self
+  end
+  
+  
+  # Return all(array) controllers that an user can access
+  def accessible_controllers
+    controllers = []
+    @rules.each do |rule|
+      if rule.allows?
+        controllers << rule.controller
+      end
+    end
+    controllers.uniq
+  end
+
+  # Return the allowed actions in a controller for the current_role
+  def allowed_actions_in(controller)
+    actions = []
+    @rules.each do |rule|
+      if rule.controller == controller.to_s and rule.allows?
+        actions << rule.action
+      end
+    end
+    actions.uniq
+  end
+
+  # Return the denied actions in a controller for the current_role
+  def denied_actions_in(controller)
+    actions = []
+    @rules.each do |rule|
+      if rule.controller == controller.to_s and rule.denies?
+        actions << rule.action
+      end
+    end
+    actions.uniq
+  end
+  
+  # Return if a role is allowed to perform an action in a controller
+  # current_role.is_allowed_to? :create, :posts
+  def is_allowed_to?(action, controller)
+    @rules.each do |rule|
+      if rule.action == action.to_s and rule.controller == controller.to_s
+        return rule.allows?
+      end
+    end
+    false
+  end
+  
+  # Merges a set of rules with the current_role rules
+  # current_role.merge_rules(set_of_rules[])
+  # Used to apply rules to an user and for inheritance
+  def merge_rules(new_rules)
+    self.rules ||= []
+    new_set = new_rules
+    overwritten_set = remove_set = []
+    
+    self.rules.each do |rule|
+      new_rules.each do |included_rule|
+        if included_rule.action == rule.action and included_rule.controller == rule.controller
+          overwritten_set << included_rule
+          remove_set << rule
+          new_set.delete(included_rule)
+        end
+      end
+    end
+    self.rules = self.rules - remove_set + overwritten_set + new_set
+    self.rules
+  end
+  
+end
+
+
+  

data/lib/turnstile/rule.rb

@@ -0,0 +1,34 @@
+# Rule class
+# A simple to class to manipulate the array of rules
+class Rule
+  
+  attr_accessor :action, :controller, :allow, :active
+  
+  def initialize(rules)
+
+    @action = rules[:action]
+    @controller = rules[:controller]
+    @allow = rules[:allow]
+    @active = rules[:active]
+  end
+  
+  # The current rule allows or denies some action?
+  def allow_or_deny?
+    @allow == true ? :allow : :deny
+  end
+  
+  def is_active?
+    @active
+  end
+  
+  def allows?
+    @allow ? true : false
+  end
+  
+  def denies?
+    @allow ? false : true
+  end
+  
+  
+  
+end

data/lib/turnstile.rb

@@ -0,0 +1,3 @@
+require File.expand_path(File.dirname(__FILE__) + "/../lib/turnstile/role")
+require File.expand_path(File.dirname(__FILE__) + "/../lib/turnstile/rule")
+require File.expand_path(File.dirname(__FILE__) + "/../lib/turnstile/authorization")

data/turnstile.gemspec

@@ -0,0 +1,30 @@
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{turnstile}
+  s.version = "0.1.0"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 1.2") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Bruno Milare"]
+  s.date = %q{2010-08-25}
+  s.description = %q{Simple authorization for rails}
+  s.email = %q{milare@gmail.com}
+  s.extra_rdoc_files = ["README.rdoc", "lib/turnstile.rb", "lib/turnstile/authorization.rb", "lib/turnstile/role.rb", "lib/turnstile/rule.rb"]
+  s.files = ["README.rdoc", "Rakefile", "lib/turnstile.rb", "lib/turnstile/authorization.rb", "lib/turnstile/role.rb", "lib/turnstile/rule.rb", "Manifest", "turnstile.gemspec"]
+  s.homepage = %q{http://github.com/milare/turnstile}
+  s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Turnstile", "--main", "README.rdoc"]
+  s.require_paths = ["lib"]
+  s.rubyforge_project = %q{turnstile}
+  s.rubygems_version = %q{1.3.7}
+  s.summary = %q{Simple authorization for rails}
+
+  if s.respond_to? :specification_version then
+    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+    else
+    end
+  else
+  end
+end

metadata

@@ -0,0 +1,84 @@
+--- !ruby/object:Gem::Specification 
+name: turnstile
+version: !ruby/object:Gem::Version 
+  hash: 27
+  prerelease: false
+  segments: 
+  - 0
+  - 1
+  - 0
+  version: 0.1.0
+platform: ruby
+authors: 
+- Bruno Milare
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-08-25 00:00:00 -03:00
+default_executable: 
+dependencies: []
+
+description: Simple authorization for rails
+email: milare@gmail.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- README.rdoc
+- lib/turnstile.rb
+- lib/turnstile/authorization.rb
+- lib/turnstile/role.rb
+- lib/turnstile/rule.rb
+files: 
+- README.rdoc
+- Rakefile
+- lib/turnstile.rb
+- lib/turnstile/authorization.rb
+- lib/turnstile/role.rb
+- lib/turnstile/rule.rb
+- Manifest
+- turnstile.gemspec
+has_rdoc: true
+homepage: http://github.com/milare/turnstile
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --line-numbers
+- --inline-source
+- --title
+- Turnstile
+- --main
+- README.rdoc
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 11
+      segments: 
+      - 1
+      - 2
+      version: "1.2"
+requirements: []
+
+rubyforge_project: turnstile
+rubygems_version: 1.3.7
+signing_key: 
+specification_version: 3
+summary: Simple authorization for rails
+test_files: []
+