uhees-declarative_authorization 0.3.1

data/app/views/authorization_rules/_change.erb

@@ -0,0 +1,49 @@
+<form>
+<h2>1. Choose permission to change</h2>
+<p class="action-options">
+  <label>Privilege</label>
+  <%= select_tag :privilege, options_for_select(@privileges.map(&:to_s).sort, @privilege.to_s) %>
+  <br/>
+  <label>On</label>
+  <%= select_tag :context, options_for_select(@contexts.map(&:to_s).sort, @context.to_s) %>
+  <br/>
+  <%= link_to_function "Current permissions", "show_current_permissions()", :class => 'unimportant' %>
+</p>
+
+<h2>2. Whose permission should be changed?</h2>
+<table class="change-options">
+  <thead>
+    <tr>
+      <td>User</td>
+      <td>Current roles</td>
+      <td class="choose">?</td>
+      <td class="choose">Yes</td>
+      <td class="choose">No</td>
+    </tr>
+  </thead>
+  <tbody>
+    <% @users.each do |user| %>
+      <tr class="<%= controller.authorization_engine.permit?(@privilege, :context => @context, :user => user, :skip_attribute_test => true) ? 'permitted' : 'not-permitted' %>">
+        <td class="user_id"><%=h user.id %></td>
+        <td style="font-weight:bold"><%=h user.login %></td>
+        <td><%=h user.role_symbols * ', ' %></td>
+        <td><%= radio_button_tag "user[#{user.id}][permission]", "undetermined", true %></td>
+        <td class="yes"><%= radio_button_tag "user[#{user.id}][permission]", "yes" %></td>
+        <td class="no"><%= radio_button_tag "user[#{user.id}][permission]", "no" %></td>
+      </tr>
+    <% end %>
+    <tr>
+      <td colspan="5" style="text-align:right; padding-top:0.5em" class="unimportant">
+        <span style="background: #FFE599;">&nbsp; &nbsp;</span> Current permission
+      </td>
+    </tr>
+  </tbody>
+</table>
+
+<h2 style="display:none">Prohibited actions</h2>
+<ul id="prohibited_actions"></ul>
+
+<p class="submit">
+  <%= button_to_function "Suggest Changes", "suggest_changes()" %>
+</p>
+</form>

data/app/views/authorization_rules/_show_graph.erb

@@ -0,0 +1,37 @@
+<% javascript_tag do %>
+    function show_graph (privilege, context, user_ids) {
+        var params = {
+          privilege_hierarchy: 1,
+          highlight_privilege: privilege,
+          filter_contexts: context
+        };
+        if (user_ids)
+          params['user_ids[]'] = user_ids;
+        show_graph_with_params('graph', params);
+    }
+
+    var graph_params = {};
+    function show_graph_with_params (graph_id, params) {
+        graph_params[graph_id] = params;
+        base_url = "<%= graph_authorization_rules_path('svg') %>";
+        $(graph_id).data = base_url + '?' + Object.toQueryString(params);
+        $(graph_id).up().show();
+    }
+
+    function update_graph_params (graph_id, params) {
+        show_graph_with_params(graph_id,
+            $H(graph_params[graph_id] || {}).merge(params).toObject());
+    }
+
+    function toggle_graph_params (graph_id) {
+        var opts = {}
+        $A(arguments).slice(1).each(function (param) {
+          opts[param] = graph_params[graph_id][param] ? null : '1';
+        });
+        update_graph_params(graph_id, opts)
+    }
+<% end %>
+<div id="graph-container" style="display:none">
+<%= link_to_function "Hide", "$('graph-container').hide()" %><br/>
+<object id="graph" data="" type="image/svg+xml" style="max-width:100%"/>
+</div>

data/app/views/authorization_rules/_suggestion.erb

@@ -0,0 +1,9 @@
+<ul>
+  <% suggestion.changes.each do |action| %>
+    <% (action.to_a[0].is_a?(Enumerable) ? action.to_a : [action.to_a]).each do |step| %>
+      <li>
+        <%= describe_step(step.to_a, :with_removal => true) %>
+      </li>
+    <% end %>
+  <% end %>
+</ul>

data/app/views/authorization_rules/_suggestions.erb

@@ -0,0 +1,24 @@
+<h2>Suggestions</h2>
+
+<% if @approaches.length > 0 %>
+  <% if @approaches.first.changes.empty? %>
+    <p>No changes necessary.</p>
+  <% else %>
+    <p>Suggested changes (<%= link_to_function "show", "show_suggest_graph('#{serialize_changes(@approaches.first)}', '#{serialize_relevant_roles(@approaches.first)}', '#{@context}', relevant_user_ids())" %>):</p>
+    <%= render "suggestion", :object => @approaches.first %>
+  <% end %>
+<% else %>
+  <p><strong>No approach found.</strong></p>
+<% end %>
+
+<% if @approaches.length > 1 %>
+  <p <%= !params[:show_all] ? '' : 'style="display: none"' %>><a href="#" onclick="$(this).up().hide();$('more-suggestions').show();return false">Show other <%= pluralize(@approaches.length - 1, 'approach') %></a></p>
+  <div id="more-suggestions" <%= params[:show_all] ? '' : 'style="display: none"' %>>
+    <% @approaches[1..-1].each_with_index do |approach, index| %>
+      <p>
+        <%= (index + 2).ordinalize %> best approach (<%= pluralize(approach.changes.length, 'step') %>, <%= link_to_function "show", "show_suggest_graph('#{serialize_changes(approach)}', '#{serialize_relevant_roles(approach)}', '#{@context}', relevant_user_ids())" %>)
+        <%= render "suggestion", :object => approach %>
+      </p>
+    <% end %>
+  </div>
+<% end %>

data/app/views/authorization_rules/change.html.erb

@@ -0,0 +1,124 @@
+<h1>Suggestions on Authorization Rules Change</h1>
+<p><%= navigation %></p>
+<div style="display:none" id="suggest-graph-container">
+<%= link_to_function "Hide", "$(this).up().hide()", :class => 'important' %>
+<%= link_to_function "Toggle stacked roles", "toggle_graph_params('suggest-graph', 'stacked_roles');" %>
+<%= link_to_function "Toggle only users' roles", "toggle_graph_params('suggest-graph', 'only_relevant_roles');" %><br/>
+<object id="suggest-graph" data="" type="image/svg+xml" style="max-width: 98%;max-height: 95%"/>
+</div>
+<%= render 'show_graph' %>
+
+<style type="text/css">
+  .action-options label { display: block; float: left; width: 7em; padding-bottom: 0.5em }
+  .action-options select { float: left; }
+  .action-options br { clear: both; }
+  .action-options { margin-bottom: 2em }
+  .change-options { margin-bottom: 1em }
+  .change-options td.user_id { display: none }
+  .change-options td { padding-right: 1em; padding-left: 0.5em }
+  .change-options thead td { border-bottom: 1px solid lightgrey }
+  .change-options thead td.choose { text-align: center; font-weight: bold }
+  .change-options tr.permitted td.yes,
+  .change-options tr.not-permitted td.no { background: #FFE599 }
+  .submit { margin-top: 0 }
+  .submit input { font-weight: bold; font-size: 120% }
+  #suggest-result { 
+    position: absolute; left: 60%; right: 10px;
+    border-left: 2px solid grey;
+    padding-left: 1em;
+    z-index: 10;
+  }
+  #suggest-graph-container {
+    background: white; border:1px solid #ccc;
+    position:fixed; z-index: 20;
+    left:10%; bottom: 10%; right: 10%; top: 10%
+  }
+  #graph-container {
+    background: white; margin: 1em; border:1px solid #ccc;
+    max-width:50%; position:fixed; z-index: 20; right:0;
+  }
+  .unimportant, .remove { color: grey }
+  .remove { cursor: pointer }
+</style>
+<% javascript_tag do %>
+    function suggest_changes (refresh) {
+        if (!refresh)
+          $("suggest-result").innerHTML = "Searching...";
+        $("suggest-result").show();
+        new Ajax.Updater({success: 'suggest-result'}, '<%= suggest_change_authorization_rules_path %>', {
+            method: 'get',
+            onFailure: function(request) {
+                $("suggest-result").innerHTML = "Error while searching."
+            },
+            parameters: $H($('change').down('form').serialize(true)).merge(refresh ? {show_all: "true"} : {}).toQueryString()
+        });
+        if (!refresh)
+          location.hash = 'suggest-result';
+    }
+
+    function show_suggest_graph (changes, filter_roles_params, filter_context, user_ids) {
+        var params = {changes: changes, highlight_privilege: $F('privilege')};
+        if (filter_context)
+          params['filter_contexts'] = filter_context;
+        if (user_ids)
+          params['user_ids[]'] = user_ids;
+        show_graph_with_params('suggest-graph', params);
+    }
+
+    document.observe('dom:loaded', function() {
+      install_change_observers();
+    });
+
+    function install_change_observers () {
+        $$('#change select').each(function (el) {
+            el.observe('change', function (event) {
+                new Ajax.Updater({success: 'change'}, '<%= url_for %>', {
+                  parameters: { context: $F('context'), privilege: $F('privilege') },
+                  method: 'get',
+                  onComplete: function () {
+                      install_change_observers();
+                      if ($('graph-container').visible())
+                        show_current_permissions();
+                  }
+                });
+            });
+        });
+        $('prohibited_actions').observe('click', function (event) {
+          var target = event.findElement();
+          if (target.hasClassName('remove')) {
+            target.up().remove();
+            if ($('prohibited_actions').childElements().length == 0)
+              $('prohibited_actions').previous().hide();
+            suggest_changes();
+          }
+        });
+    }
+
+    function show_current_permissions () {
+        show_graph($F('privilege'), $F('context')/*, relevant_user_ids()*/);
+    }
+
+    function relevant_user_ids () {
+      return $$('#change .user_id').collect(function (el) {
+        return el.innerHTML;
+      }).reject(function (id) {
+        return $('user_' + id + '_permission_undetermined').checked;
+      });
+    }
+
+    var prohibited_action_template =
+        new Template('<li>#{description} <span class="remove">[x]</span><input type="hidden" name="prohibited_action[]" value="#{action}"></li>');
+    function prohibit_action (action, description) {
+      $('prohibited_actions').previous().show();
+      $('prohibited_actions').insert(
+          {bottom: prohibited_action_template.evaluate({action: action, description: description}) }
+      );
+      suggest_changes(true);
+    }
+<% end %>
+
+<div id="suggest-result" style="display:none"></div>
+
+<div id="change">
+  <%= render 'change' %>
+</div>

data/app/views/authorization_rules/graph.dot.erb

@@ -0,0 +1,68 @@
+
+digraph rules {
+  compound = true
+  edge [arrowhead=open]
+  node [shape=box,fontname="sans-serif",fontsize="16"]
+  fontname="sans-serif";fontsize="16"
+  ranksep = "0.3"
+  //concentrate = true
+  rankdir = TB
+  
+  <% unless @users.blank? %>
+  {
+    rank = source
+    node [shape=polygon,style=filled,fillcolor="#eeeeee"]
+    <% @users.each do |user| %>
+    "<%= user.login %>"
+    <% end %>
+  }
+  <% end %>
+
+  {
+    node [shape=ellipse,style=filled]
+    <%= @stacked_roles ? '' : "rank = same" %>
+    <% @roles.each do |role| %>
+    "<%= role.inspect %>" [fillcolor="<%= role_fill_color(role) %>"]
+    // ,URL="javascript:set_filter({roles: '<%= role %>'})"
+    <% end %>
+    <% @roles.each do |role| %>
+        <% (@role_hierarchy[role] || []).select {|lower_role| @roles.include?(lower_role)}.each do |lower_role| %>
+            "<%= role.inspect %>" -> "<%= lower_role.inspect %>" [arrowhead=empty]
+        <% end %>
+    <% end %>
+  }
+
+  <% unless @users.blank? %>
+    <% @users.each do |user| %>
+      <% user.role_symbols.select {|role| @roles.include?(role)}.each do |role| %>
+    "<%= user.login %>" -> "<%= role.inspect %>" [color="<%= has_changed(:assign_role_to_user, role, user.login) ? '#00dd00' : (has_changed(:remove_role_from_user, role, user.login) ? '#dd0000' : '#000000') %>"]
+      <% end %>
+    <% end %>
+  <% end %>
+
+  <% @contexts.each do |context| %>
+    subgraph cluster_<%= context %>  {
+      label = "<%= context.inspect %>"
+      style=filled; fillcolor="#eeeeee"
+      node[fillcolor=white,style=filled]
+      <% (@context_privs[context] || []).each do |priv| %>
+      <%= priv %>_<%= context %> [label="<%= priv.inspect %>"<%= ',fontcolor="#ff0000"' if @highlight_privilege == priv %>]
+      <% end %>
+      <% (@context_privs[context] || []).each do |priv| %>
+        <% (@privilege_hierarchy[priv] || []).
+                select {|p,c| (c.nil? or c == context) and @context_privs[context].include?(p)}.
+                each do |lower_priv, c| %>
+      <%= priv %>_<%= context %> -> <%= lower_priv %>_<%= context %> [arrowhead=empty]
+        <% end %>
+      <% end %>
+      //read_conferences -> update_conferences [style=invis]
+      //create_conferences -> delete_conferences [style=invis]
+    }
+  <% end %>
+
+  <% @roles.each do |role| %>
+    <% (@role_privs[role] || []).each do |context, privilege, unconditionally, attribute_string| %>
+  "<%= role.inspect %>" -> <%=  privilege %>_<%= context %> [color="<%= privilege_color(privilege, context, role) %>", minlen=3<%= ", arrowhead=opendot, URL=\"javascript:\", edgetooltip=\"#{attribute_string.gsub('"','')}\"" unless unconditionally %>]
+    <% end %>
+  <% end %>
+}

data/app/views/authorization_rules/graph.html.erb

@@ -0,0 +1,40 @@
+<h1>Authorization Rules Graph</h1>
+<p>Currently active rules in this application.</p>
+<p><%= navigation %></p>
+
+<% javascript_tag do %>
+    function update_graph (form) {
+        base_url = "<%= url_for :format => 'svg' %>";
+        $('graph').data = base_url + '?' + form.serialize();
+    }
+
+    function set_filter (filter) {
+        for (f in filter) {
+            var select = $("filter_" + f);
+            if (select) {
+                var opt = select.down("option[value='"+ filter[f] + "']");
+                if (opt) {
+                    opt.selected = true;
+                    update_graph(select.form);
+                }
+            }
+        }
+    }
+<% end %>
+<p>
+  <% form_tag do %>
+  <%#= link_to_graph "Rules" %>
+  <%#= link_to_graph "Privilege hierarchy", :type => 'priv_hierarchy' %>
+  
+  <%= select_tag "filter_roles", options_for_select([["All roles",'']] + controller.authorization_engine.roles.map(&:to_s).sort), :onchange => 'update_graph(this.form)' %>
+  <%= select_tag "filter_contexts", options_for_select([["All contexts",'']] + controller.authorization_engine.auth_rules.collect {|ar| ar.contexts.to_a}.flatten.uniq.map(&:to_s).sort), :onchange => 'update_graph(this.form)' %>
+  <%= check_box_tag "effective_role_privs", "1", false, :onclick => 'update_graph(this.form)'  %> <%= label_tag "effective_role_privs", "Effective privileges"  %>
+  <%= check_box_tag "privilege_hierarchy", "1", false, :onclick => 'update_graph(this.form)'  %> <%= label_tag "privilege_hierarchy", "Show full privilege hierarchy"  %>
+  <%= check_box_tag "stacked_roles", "1", false, :onclick => 'update_graph(this.form)'  %> <%= label_tag "stacked_roles", "Stacked roles"  %>
+  <% end %>
+</p>
+<div style="margin: 1em;border:1px solid #ccc;max-width:95%">
+<object id="graph" data="<%= url_for :format => 'svg' %>" type="image/svg+xml" style="max-width:100%"/>
+</div>
+<%= button_to_function "Zoom in", '$("graph").style.maxWidth = "";$(this).toggle();$(this).next().toggle()' %>
+<%= button_to_function "Zoom out", '$("graph").style.maxWidth = "100%";$(this).toggle();$(this).previous().toggle()', :style => 'display:none' %>

data/app/views/authorization_rules/index.html.erb

@@ -0,0 +1,17 @@
+<h1>Authorization Rules</h1>
+<p>Currently active rules in this application.</p>
+<p><%= navigation %></p>
+<style type="text/css">
+  pre .constant {color: #a00;}
+  pre .special {color: red;}
+  pre .operator {color: red;}
+  pre .statement {color: #00a;}
+  pre .proc {color: #0a0;}
+  pre .privilege, pre .context {font-weight: bold}
+  pre .preproc, pre .comment, pre .comment span {color: grey !important;}
+  pre .note {color: #a00; position:absolute; cursor: help; left: 15px }
+  pre.with-notes {padding-left: 35px}
+</style>
+<pre class="with-notes">
+<%= policy_analysis_hints(syntax_highlight(h(@auth_rules_script)), @auth_rules_script) %>
+</pre>

data/app/views/authorization_usages/index.html.erb

@@ -0,0 +1,36 @@
+<h1>Authorization Usage</h1>
+<%= render 'authorization_rules/show_graph' %>
+<p>Filter rules in actions by controller:</p>
+<p><%= navigation %></p>
+<style type="text/css">
+  .auth-usages th { text-align: left; padding-top: 1em }
+  .auth-usages td { padding-right: 1em }
+  .auth-usages tr.action  { cursor: pointer }
+  .auth-usages tr.unprotected  { background: #FFA399 }
+  .auth-usages tr.no-attribute-check { background: #FFE599 }
+  /*.auth-usages tr.catch-all td.privilege,*/
+  .auth-usages tr.default-privilege td.privilege,
+  .auth-usages tr.default-context td.context { color: #888888 }
+  #graph-container {margin: 1em; border:1px solid #ccc; max-width:50%; position:fixed; right:0;}
+</style>
+<table class="auth-usages">
+  <% @auth_usages_by_controller.keys.sort {|c1, c2| c1.name <=> c2.name}.each do |controller| %>
+    <% default_context = controller.controller_name.to_sym rescue nil %>
+    <tr>
+      <th colspan="3"><%= h controller.controller_name %></th>
+    </tr>
+    <% @auth_usages_by_controller[controller].keys.sort {|c1, c2| c1.to_s <=> c2.to_s}.each do |action| %>
+      <% auth_info = @auth_usages_by_controller[controller][action] %>
+      <% first_permission = auth_info[:controller_permissions] && auth_info[:controller_permissions][0] %>
+      <tr class="action <%= auth_usage_info_classes(auth_info) %>" title="<%= auth_usage_info_title(auth_info) %>" onclick="show_graph('<%= auth_info[:privilege] || action %>','<%= auth_info[:context] || default_context %>')">
+        <td><%= h action %></td>
+        <% if first_permission %>
+          <td class="privilege"><%= h auth_info[:privilege] || action %></td>
+          <td class="context"><%= h auth_info[:context] || default_context %></td>
+        <% else %>
+          <td></td><td></td>
+        <% end %>
+      </tr>
+    <% end %>
+  <% end %>
+</table>

data/authorization_rules.dist.rb

@@ -0,0 +1,20 @@
+authorization do
+  role :guest do
+    # add permissions for guests here, e.g.
+    #has_permission_on :conferences, :to => :read
+  end
+  
+  # permissions on other roles, such as
+  #role :admin do
+  #  has_permission_on :conferences, :to => :manage
+  #end
+end
+
+privileges do
+  # default privilege hierarchies to facilitate RESTful Rails apps
+  privilege :manage, :includes => [:create, :read, :update, :delete]
+  privilege :read, :includes => [:index, :show]
+  privilege :create, :includes => :new
+  privilege :update, :includes => :edit
+  privilege :delete, :includes => :destroy
+end

data/config/routes.rb

@@ -0,0 +1,7 @@
+ActionController::Routing::Routes.draw do |map|
+  if Authorization::activate_authorization_rules_browser?
+    map.resources :authorization_rules, :only => [:index], 
+        :collection => {:graph => :get, :change => :get, :suggest_change => :get}
+    map.resources :authorization_usages, :only => :index
+  end
+end