ya_acl 0.0.6
Sign up to get free protection for your applications and to get access to all the features.
- data/.gitignore +8 -0
- data/Gemfile +4 -0
- data/LICENSE +21 -0
- data/README.rdoc +84 -0
- data/Rakefile +2 -0
- data/lib/ya_acl/acl.rb +125 -0
- data/lib/ya_acl/assert.rb +27 -0
- data/lib/ya_acl/builder.rb +92 -0
- data/lib/ya_acl/resource.rb +9 -0
- data/lib/ya_acl/result.rb +11 -0
- data/lib/ya_acl/role.rb +13 -0
- data/lib/ya_acl/version.rb +3 -0
- data/lib/ya_acl.rb +6 -0
- data/spec/spec_helper.rb +1 -0
- data/spec/ya_acl/acl_spec.rb +56 -0
- data/spec/ya_acl/builder_spec.rb +146 -0
- data/spec/ya_acl/role_spec.rb +10 -0
- data/spec/ya_acl_spec.rb +7 -0
- data/ya_acl.gemspec +22 -0
- metadata +64 -0
data/.gitignore
ADDED
data/Gemfile
ADDED
data/LICENSE
ADDED
@@ -0,0 +1,21 @@
|
|
1
|
+
The MIT License
|
2
|
+
|
3
|
+
Copyright (c) 2010 Kirill Mokevnin
|
4
|
+
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
7
|
+
in the Software without restriction, including without limitation the rights
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
10
|
+
furnished to do so, subject to the following conditions:
|
11
|
+
|
12
|
+
The above copyright notice and this permission notice shall be included in
|
13
|
+
all copies or substantial portions of the Software.
|
14
|
+
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
21
|
+
THE SOFTWARE.
|
data/README.rdoc
ADDED
@@ -0,0 +1,84 @@
|
|
1
|
+
== ya_acl
|
2
|
+
|
3
|
+
Ya_Acl - реализация списка прав доступа (ACL).
|
4
|
+
|
5
|
+
Ya_Acl представляет собой самостоятельный объект посредством которого производятся все проверки.
|
6
|
+
Это значит что он не привязан к фреймворкам и это руководство предлагает только один из возможных путей использования этого компонента.
|
7
|
+
|
8
|
+
=== Установка
|
9
|
+
|
10
|
+
gem install ya_acl
|
11
|
+
|
12
|
+
=== Основные понятия
|
13
|
+
|
14
|
+
Ресурс - объект, доступ к которому контролируется.
|
15
|
+
Привилегия - действие совершаемое над ресурсом.
|
16
|
+
Роль - объект, который может запрашивать доступ к ресурсу.
|
17
|
+
|
18
|
+
Роль(роли) запрашивает доступ к привилегии ресурса.
|
19
|
+
Например ресурс "пользователь" может иметь привилегию "создать".
|
20
|
+
|
21
|
+
=== Начальные условия
|
22
|
+
|
23
|
+
- По умолчанию все запрещено. И по ходу можно только выставлять разрешения, но не запреты.
|
24
|
+
- Все ресурсы должны быть добавлены в acl (в противном случае получите исключение).
|
25
|
+
|
26
|
+
=== Основные возможности
|
27
|
+
|
28
|
+
Assert - динамические проверки, например, является ли залогиненый пользователь владельцем этого объекта.
|
29
|
+
Проверки могут ставиться на конкретные роли для текущей привилегии, а не просто "на привилегию".
|
30
|
+
Владение несколькими ролями. Если хотя бы одной из ролей пользователя разрешен доступ к привилегии ресурса, то доступ открыт.
|
31
|
+
Роль с глобальным доступом ко всем ресурсам. Передается аргументом в метод билдера "resources".
|
32
|
+
Наследование ролей для ресурсов. То есть мы можем определить роли которым автоматически станут доступны все привилегии ресурса.
|
33
|
+
|
34
|
+
=== Порядок выполнения проверок на доступность к привилегии ресурса
|
35
|
+
|
36
|
+
1. Если ни одна из переданных ролей не имеет доступа к привилегии ресурса, то доступ запрещается.
|
37
|
+
2. Для каждой роли, имеющий доступ к привилегии, проверяются проверки предназначенные для этой роли. Если хотя бы для одной роли прошли все проверки, то доступ разрешается.
|
38
|
+
|
39
|
+
=== Workflow
|
40
|
+
|
41
|
+
В начале необходимо проинициализировать объект acl.
|
42
|
+
Для этого необходимо создать файл (структура ниже) который будет загружаться при старте приложения. Хотя в development среде вы можете захотеть подгружать его при каждом запросе для удобства разработки.
|
43
|
+
|
44
|
+
YaAcl::Builder.build do
|
45
|
+
roles do # Роли
|
46
|
+
role :admin
|
47
|
+
role :editor
|
48
|
+
role :operator
|
49
|
+
end
|
50
|
+
|
51
|
+
asserts do # Проверки
|
52
|
+
assert :assert_name, [:current_user_id, :another_user_id] do
|
53
|
+
current_user_id == another_user_id
|
54
|
+
end
|
55
|
+
|
56
|
+
assert :another_assert_name, [:current_user_id, :another_user_id] do
|
57
|
+
current_user_id != another_user_id
|
58
|
+
end
|
59
|
+
end
|
60
|
+
|
61
|
+
resources :admin do # Ресурсы и роль которой доступно все
|
62
|
+
resource 'UserController', [:editor] do # Ресурс и роли которым доступны все привилегии данного ресурса
|
63
|
+
privilege :index, [:operator] # доступно для :admin, :editor, :operator
|
64
|
+
privilege :edit # доступно для :admin, :editor
|
65
|
+
privilege :new do
|
66
|
+
assert :assert_name, [:editor] # Эта проверка будет вызвана только для роли :editor
|
67
|
+
assert :another_assert_name # Эта проверка будет вызвана для ролей :admin, :editor
|
68
|
+
end
|
69
|
+
end
|
70
|
+
end
|
71
|
+
end
|
72
|
+
|
73
|
+
После этого будет доступен объект acl через YaAcl::Acl.instance.
|
74
|
+
|
75
|
+
acl = YaAcl::Acl.instance
|
76
|
+
|
77
|
+
acl.allow?('UserController', :index, [:editor, :opeartor]) # true
|
78
|
+
acl.allow?('UserController', :edit, [:editor, :opeartor]) # true
|
79
|
+
acl.allow?('UserController', :edit, [:opeartor]) # false
|
80
|
+
acl.allow?('UserController', :new, [:admin], :current_user_id => 1, :another_user_id => 1) # true
|
81
|
+
acl.allow?('UserController', :new, [:editor], :current_user_id => 1, :another_user_id => 2) # false
|
82
|
+
|
83
|
+
acl#check - возвращает объект результата YaAcl::Result
|
84
|
+
acl#check! - возвращает true или бросает исключение
|
data/Rakefile
ADDED
data/lib/ya_acl/acl.rb
ADDED
@@ -0,0 +1,125 @@
|
|
1
|
+
module YaAcl
|
2
|
+
|
3
|
+
class AccessDeniedError < StandardError ; end
|
4
|
+
class AssertAccessDeniedError < AccessDeniedError ; end
|
5
|
+
|
6
|
+
class Acl
|
7
|
+
|
8
|
+
attr_reader :roles, :resources, :asserts
|
9
|
+
|
10
|
+
class << self
|
11
|
+
def instance
|
12
|
+
@@acl
|
13
|
+
end
|
14
|
+
|
15
|
+
def instance=(v)
|
16
|
+
@@acl = v
|
17
|
+
end
|
18
|
+
end
|
19
|
+
|
20
|
+
def initialize()
|
21
|
+
@acl = {}
|
22
|
+
end
|
23
|
+
|
24
|
+
def add_role(role)
|
25
|
+
@roles ||= {}
|
26
|
+
@roles[role.name] = role
|
27
|
+
end
|
28
|
+
|
29
|
+
def role(role_name)
|
30
|
+
if !defined?(@roles) || !@roles[role_name.to_sym]
|
31
|
+
raise ArgumentError, "#Role '#{role_name}' doesn't exists"
|
32
|
+
end
|
33
|
+
@roles[role_name.to_sym]
|
34
|
+
end
|
35
|
+
|
36
|
+
def add_resource(resource)
|
37
|
+
@resources ||= {}
|
38
|
+
@resources[resource.name] = resource
|
39
|
+
end
|
40
|
+
|
41
|
+
def resource(resource_name)
|
42
|
+
if !defined?(@resources) || !@resources[resource_name.to_sym]
|
43
|
+
raise ArgumentError, "#Resource '#{resource_name}' doesn't exists"
|
44
|
+
end
|
45
|
+
@resources[resource_name.to_sym]
|
46
|
+
end
|
47
|
+
|
48
|
+
def privilege(resource_name, privilege_name)
|
49
|
+
r = resource(resource_name)
|
50
|
+
p = privilege_name.to_sym
|
51
|
+
unless @acl[r.name][p]
|
52
|
+
raise ArgumentError, "Undefine privilege '#{privilege_name}' for resource '#{resource_name}'"
|
53
|
+
end
|
54
|
+
|
55
|
+
@acl[r.name][p]
|
56
|
+
end
|
57
|
+
|
58
|
+
def add_assert(assert)
|
59
|
+
@asserts ||= {}
|
60
|
+
@asserts[assert.name] = assert
|
61
|
+
end
|
62
|
+
|
63
|
+
def assert(assert_name)
|
64
|
+
if !defined?(@asserts) || !@asserts[assert_name.to_sym]
|
65
|
+
raise ArgumentError, "#Assert '#{assert_name}' doesn't exists"
|
66
|
+
end
|
67
|
+
@asserts[assert_name.to_sym]
|
68
|
+
end
|
69
|
+
|
70
|
+
def allow(resource_name, privilege_name, role_name, assert_name = nil)
|
71
|
+
resource = resource(resource_name).name
|
72
|
+
privilege = privilege_name.to_sym
|
73
|
+
role = role(role_name).name
|
74
|
+
|
75
|
+
@acl[resource] ||= {}
|
76
|
+
@acl[resource][privilege] ||= {}
|
77
|
+
@acl[resource][privilege][role] ||= {}
|
78
|
+
if assert_name
|
79
|
+
assert = assert(assert_name)
|
80
|
+
@acl[resource][privilege][role][assert.name] = assert
|
81
|
+
end
|
82
|
+
end
|
83
|
+
|
84
|
+
def check(resource_name, privilege_name, roles = [], params = {})
|
85
|
+
a_l = privilege(resource_name, privilege_name)
|
86
|
+
roles_for_check = a_l.keys & roles.map(&:to_sym)
|
87
|
+
return Result.new(false) if roles_for_check.empty? # return
|
88
|
+
|
89
|
+
role_for_result = nil
|
90
|
+
assert_for_result = nil
|
91
|
+
roles_for_check.each do |role|
|
92
|
+
role_for_result = role
|
93
|
+
asserts = a_l[role]
|
94
|
+
return Result.new if asserts.empty? #return
|
95
|
+
result = true
|
96
|
+
asserts.values.each do |assert|
|
97
|
+
assert_for_result = assert
|
98
|
+
result = assert.allow?(params)
|
99
|
+
break unless result
|
100
|
+
end
|
101
|
+
if result
|
102
|
+
return Result.new # return
|
103
|
+
end
|
104
|
+
end
|
105
|
+
|
106
|
+
Result.new(false, role_for_result, assert_for_result) # return
|
107
|
+
end
|
108
|
+
|
109
|
+
def allow?(resource_name, privilege_name, roles = [], params = {})
|
110
|
+
check(resource_name, privilege_name, roles, params).status
|
111
|
+
end
|
112
|
+
|
113
|
+
def check!(resource_name, privilege_name, roles = [], params = {})
|
114
|
+
result = check(resource_name, privilege_name, roles, params)
|
115
|
+
return true if result.status
|
116
|
+
|
117
|
+
message = "Access denied for '#{resource_name}', privilege '#{privilege_name}'"
|
118
|
+
if result.assert
|
119
|
+
raise AssertAccessDeniedError, message + ", role '#{result.role}' and assert '#{result.assert.name}'"
|
120
|
+
else
|
121
|
+
raise AccessDeniedError, message + " and roles '#{roles.inspect}'"
|
122
|
+
end
|
123
|
+
end
|
124
|
+
end
|
125
|
+
end
|
@@ -0,0 +1,27 @@
|
|
1
|
+
module YaAcl
|
2
|
+
class Assert
|
3
|
+
attr_reader :name
|
4
|
+
|
5
|
+
def initialize(name, param_names, &block)
|
6
|
+
@name = name.to_sym
|
7
|
+
@param_names = param_names
|
8
|
+
@block = block
|
9
|
+
|
10
|
+
@param_names.each do |name|
|
11
|
+
self.class.send :attr_accessor, name
|
12
|
+
end
|
13
|
+
end
|
14
|
+
|
15
|
+
def allow?(params)
|
16
|
+
if @param_names != (@param_names & params.keys)
|
17
|
+
raise "Params for assert '#{name}': #{@param_names.inspect}"
|
18
|
+
end
|
19
|
+
|
20
|
+
@param_names.each do |name|
|
21
|
+
self.send "#{name}=", params[name]
|
22
|
+
end
|
23
|
+
|
24
|
+
instance_eval &@block
|
25
|
+
end
|
26
|
+
end
|
27
|
+
end
|
@@ -0,0 +1,92 @@
|
|
1
|
+
module YaAcl
|
2
|
+
class Builder
|
3
|
+
attr_accessor :acl
|
4
|
+
|
5
|
+
def self.build &block
|
6
|
+
builder = new
|
7
|
+
builder.instance_eval &block
|
8
|
+
builder.acl.freeze
|
9
|
+
Acl.instance = builder.acl
|
10
|
+
end
|
11
|
+
|
12
|
+
def initialize
|
13
|
+
self.acl = Acl.new
|
14
|
+
end
|
15
|
+
|
16
|
+
def roles(&block)
|
17
|
+
instance_eval &block
|
18
|
+
end
|
19
|
+
|
20
|
+
def role(name, options = {})
|
21
|
+
acl.add_role Role.new(name, options)
|
22
|
+
end
|
23
|
+
|
24
|
+
def asserts(&block)
|
25
|
+
instance_eval &block
|
26
|
+
end
|
27
|
+
|
28
|
+
def assert(name, param_names, &block)
|
29
|
+
acl.add_assert Assert.new(name, param_names, &block)
|
30
|
+
end
|
31
|
+
|
32
|
+
def resources(allow, &block)
|
33
|
+
@global_allow_role = allow
|
34
|
+
instance_eval &block
|
35
|
+
end
|
36
|
+
|
37
|
+
def resource(name, allow_roles = [], &block)
|
38
|
+
raise ArgumentError, 'Options "allow_roles" must be Array' unless allow_roles.is_a? Array
|
39
|
+
resource_allow_roles = allow_roles << @global_allow_role
|
40
|
+
resource = Resource.new(name)
|
41
|
+
acl.add_resource resource
|
42
|
+
PrivilegeProxy.new(resource.name, resource_allow_roles, acl, block)
|
43
|
+
end
|
44
|
+
|
45
|
+
class PrivilegeProxy
|
46
|
+
def initialize(name, allow_roles, acl, block)
|
47
|
+
@resource_name = name
|
48
|
+
@allow_roles = allow_roles
|
49
|
+
@acl = acl
|
50
|
+
instance_eval &block
|
51
|
+
end
|
52
|
+
|
53
|
+
def privilege(privilege_name, roles = [], &asserts_block)
|
54
|
+
all_allow_roles = roles | @allow_roles
|
55
|
+
|
56
|
+
asserts = {}
|
57
|
+
if block_given?
|
58
|
+
proxy = PrivilegeAssertProxy.new(asserts_block, all_allow_roles)
|
59
|
+
asserts = proxy.asserts
|
60
|
+
end
|
61
|
+
|
62
|
+
all_allow_roles.each do |role|
|
63
|
+
if asserts[role]
|
64
|
+
asserts[role].each do |assert|
|
65
|
+
@acl.allow(@resource_name, privilege_name, role, assert)
|
66
|
+
end
|
67
|
+
else
|
68
|
+
@acl.allow(@resource_name, privilege_name, role, nil)
|
69
|
+
end
|
70
|
+
end
|
71
|
+
end
|
72
|
+
end
|
73
|
+
|
74
|
+
class PrivilegeAssertProxy
|
75
|
+
attr_reader :asserts
|
76
|
+
|
77
|
+
def initialize(block, all_allow_roles)
|
78
|
+
@all_allow_roles = all_allow_roles
|
79
|
+
@asserts = {}
|
80
|
+
instance_eval &block
|
81
|
+
end
|
82
|
+
|
83
|
+
def assert(name, roles = [])
|
84
|
+
roles = @all_allow_roles unless roles.any?
|
85
|
+
roles.each do |role|
|
86
|
+
@asserts[role] ||= []
|
87
|
+
@asserts[role] << name
|
88
|
+
end
|
89
|
+
end
|
90
|
+
end
|
91
|
+
end
|
92
|
+
end
|
data/lib/ya_acl/role.rb
ADDED
data/lib/ya_acl.rb
ADDED
data/spec/spec_helper.rb
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
require 'ya_acl'
|
@@ -0,0 +1,56 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe YaAcl::Acl do
|
4
|
+
|
5
|
+
before do
|
6
|
+
@acl = YaAcl::Acl.new
|
7
|
+
@acl.add_resource(YaAcl::Resource.new(:name))
|
8
|
+
|
9
|
+
@acl.add_role YaAcl::Role.new(:admin)
|
10
|
+
@acl.add_role YaAcl::Role.new(:moderator)
|
11
|
+
@acl.add_role YaAcl::Role.new(:editor)
|
12
|
+
@acl.add_role YaAcl::Role.new(:member)
|
13
|
+
@acl.add_role YaAcl::Role.new(:guest)
|
14
|
+
|
15
|
+
assert = YaAcl::Assert.new :assert, [:object_user_id, :user_id] do
|
16
|
+
object_user_id == user_id
|
17
|
+
end
|
18
|
+
|
19
|
+
@acl.add_assert assert
|
20
|
+
end
|
21
|
+
|
22
|
+
it 'should be work allow?' do
|
23
|
+
@acl.allow :name, :index, :admin
|
24
|
+
@acl.allow :name, :index, :member
|
25
|
+
@acl.allow :name, :update, :admin
|
26
|
+
|
27
|
+
@acl.allow?(:name, :index, [:admin]).should be_true
|
28
|
+
@acl.allow?(:name, :index, [:nobody, :admin]).should be_true
|
29
|
+
@acl.allow?(:name, :index, [:nobody, :another_nobody]).should be_false
|
30
|
+
@acl.allow?(:name, 'index', ['nobody']).should be_false
|
31
|
+
@acl.allow?(:name, :index, [:guest]).should be_false
|
32
|
+
end
|
33
|
+
|
34
|
+
it 'should be work allow? with assert' do
|
35
|
+
@acl.allow :name, :index, :admin
|
36
|
+
@acl.allow :name, :index, :guest, :assert
|
37
|
+
@acl.allow :name, :index, :member, :assert
|
38
|
+
|
39
|
+
|
40
|
+
@acl.allow?(:name, :index, [:guest], :object_user_id => 3, :user_id => 4).should be_false
|
41
|
+
@acl.allow?(:name, :index, [:guest], :object_user_id => 3, :user_id => 3).should be_true
|
42
|
+
end
|
43
|
+
|
44
|
+
it 'should be work with roles' do
|
45
|
+
assert = YaAcl::Assert.new :another_assert, [:var] do
|
46
|
+
var
|
47
|
+
end
|
48
|
+
@acl.add_assert assert
|
49
|
+
@acl.allow :name, :index, :admin
|
50
|
+
@acl.allow :name, :empty, :admin
|
51
|
+
@acl.allow :name, :index, :guest, :another_assert
|
52
|
+
|
53
|
+
@acl.allow?(:name, :empty, [:guest, :admin]).should be_true
|
54
|
+
@acl.allow?(:name, :index, [:guest, :admin], :var => false).should be_true
|
55
|
+
end
|
56
|
+
end
|
@@ -0,0 +1,146 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe YaAcl::Builder do
|
4
|
+
it 'should be add role' do
|
5
|
+
acl = YaAcl::Builder.build do
|
6
|
+
roles do
|
7
|
+
role :admin, :name => 'Administrator'
|
8
|
+
end
|
9
|
+
end
|
10
|
+
|
11
|
+
acl.role(:admin).should_not be_nil
|
12
|
+
end
|
13
|
+
|
14
|
+
it 'should be add resource' do
|
15
|
+
acl = YaAcl::Builder.build do
|
16
|
+
roles do
|
17
|
+
role :admin
|
18
|
+
role :another_admin
|
19
|
+
role :user
|
20
|
+
role :operator
|
21
|
+
end
|
22
|
+
|
23
|
+
asserts do
|
24
|
+
assert :first_assert, [:param, :param2] do
|
25
|
+
param == param2
|
26
|
+
end
|
27
|
+
|
28
|
+
assert :another_assert, [:param, :param2] do
|
29
|
+
param != param2
|
30
|
+
end
|
31
|
+
end
|
32
|
+
|
33
|
+
resources :admin do
|
34
|
+
resource :name, [:another_admin] do
|
35
|
+
privilege :index, [:operator]
|
36
|
+
privilege :show, [:operator]
|
37
|
+
privilege :edit
|
38
|
+
privilege :with_assert, [:operator] do
|
39
|
+
assert :first_assert
|
40
|
+
assert :another_assert, [:admin]
|
41
|
+
end
|
42
|
+
end
|
43
|
+
end
|
44
|
+
end
|
45
|
+
|
46
|
+
acl.check!(:name, :index, [:admin]).should be_true
|
47
|
+
acl.check!(:name, :index, [:another_admin]).should be_true
|
48
|
+
acl.check!(:name, :index, [:operator]).should be_true
|
49
|
+
|
50
|
+
acl.allow?(:name, :show, [:admin]).should be_true
|
51
|
+
acl.allow?(:name, :show, [:user]).should be_false
|
52
|
+
acl.allow?(:name, :show, [:operator]).should be_true
|
53
|
+
acl.allow?(:name, :edit, [:operator]).should be_false
|
54
|
+
end
|
55
|
+
|
56
|
+
it 'should be raise exception for unknown role in privilegy' do
|
57
|
+
lambda {
|
58
|
+
YaAcl::Builder.build do
|
59
|
+
roles do
|
60
|
+
role :admin, :name => 'Administrator'
|
61
|
+
end
|
62
|
+
resources :admin do
|
63
|
+
resource 'resource' do
|
64
|
+
privilege :index, [:operator]
|
65
|
+
end
|
66
|
+
end
|
67
|
+
end
|
68
|
+
}.should raise_exception(ArgumentError)
|
69
|
+
end
|
70
|
+
|
71
|
+
it 'should be raise exception for unknown role in resource' do
|
72
|
+
lambda {
|
73
|
+
YaAcl::Builder.build do
|
74
|
+
roles do
|
75
|
+
role :admin, :name => 'Administrator'
|
76
|
+
role :operator
|
77
|
+
end
|
78
|
+
|
79
|
+
resources :admin do
|
80
|
+
resource 'resource', [:another_admin] do
|
81
|
+
privilege :index, [:opeartor]
|
82
|
+
end
|
83
|
+
end
|
84
|
+
end
|
85
|
+
}.should raise_exception(ArgumentError)
|
86
|
+
end
|
87
|
+
|
88
|
+
it 'should be work with asserts' do
|
89
|
+
acl = YaAcl::Builder.build do
|
90
|
+
roles do
|
91
|
+
role :admin
|
92
|
+
role :another_user
|
93
|
+
role :editor
|
94
|
+
role :operator
|
95
|
+
end
|
96
|
+
|
97
|
+
asserts do
|
98
|
+
assert :first, [:var] do
|
99
|
+
var
|
100
|
+
end
|
101
|
+
|
102
|
+
assert :another, [:first] do
|
103
|
+
statuses = [1, 2]
|
104
|
+
statuses.include? first
|
105
|
+
end
|
106
|
+
|
107
|
+
assert :another2, [:first] do
|
108
|
+
!!first
|
109
|
+
end
|
110
|
+
|
111
|
+
assert :another3, [:first] do
|
112
|
+
statuses = [1, 2]
|
113
|
+
statuses.include? first
|
114
|
+
end
|
115
|
+
|
116
|
+
assert :another4, [:first, :second] do
|
117
|
+
first == second
|
118
|
+
end
|
119
|
+
end
|
120
|
+
|
121
|
+
resources :admin do
|
122
|
+
resource :name, [:editor, :operator] do
|
123
|
+
privilege :create do
|
124
|
+
assert :first, [:admin, :another_user]
|
125
|
+
end
|
126
|
+
privilege :update do
|
127
|
+
assert :another, [:editor]
|
128
|
+
assert :another2, [:editor, :operator]
|
129
|
+
assert :another3, [:operator]
|
130
|
+
assert :another4, [:operator]
|
131
|
+
end
|
132
|
+
end
|
133
|
+
end
|
134
|
+
end
|
135
|
+
|
136
|
+
acl.allow?(:name, :update, [:another_user]).should be_false
|
137
|
+
acl.allow?(:name, :update, [:editor], :first => true, :second => false).should be_false
|
138
|
+
acl.allow?(:name, :update, [:editor], :first => false, :second => true).should be_false
|
139
|
+
acl.allow?(:name, :update, [:editor], :first => 1, :second => true).should be_true
|
140
|
+
acl.check!(:name, :create, [:admin], :var => 2).should be_true
|
141
|
+
acl.allow?(:name, :update, [:editor], :first => 3, :second => false).should be_false
|
142
|
+
acl.allow?(:name, :update, [:operator], :first => true, :second => true).should be_false
|
143
|
+
acl.allow?(:name, :update, [:operator], :first => 1, :second => 1).should be_true
|
144
|
+
acl.allow?(:name, :update, [:operator], :first => 3, :second => 3).should be_false
|
145
|
+
end
|
146
|
+
end
|
data/spec/ya_acl_spec.rb
ADDED
data/ya_acl.gemspec
ADDED
@@ -0,0 +1,22 @@
|
|
1
|
+
# -*- encoding: utf-8 -*-
|
2
|
+
$:.push File.expand_path("../lib", __FILE__)
|
3
|
+
require "ya_acl/version"
|
4
|
+
|
5
|
+
Gem::Specification.new do |s|
|
6
|
+
s.name = "ya_acl"
|
7
|
+
s.version = YaAcl::VERSION
|
8
|
+
s.platform = Gem::Platform::RUBY
|
9
|
+
s.authors = ["Mokevnin Kirill"]
|
10
|
+
s.email = ["mokevnin@gmail.com"]
|
11
|
+
s.homepage = "http://github.com/mokevnin/ya_acl"
|
12
|
+
s.summary = %q{Yet Another ACL}
|
13
|
+
s.description = %q{Yet Another ACL}
|
14
|
+
|
15
|
+
# s.rubyforge_project = "ya_acl"
|
16
|
+
|
17
|
+
s.files = `git ls-files`.split("\n")
|
18
|
+
s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
|
19
|
+
s.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
|
20
|
+
s.require_paths = ["lib"]
|
21
|
+
|
22
|
+
end
|
metadata
ADDED
@@ -0,0 +1,64 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: ya_acl
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
version: 0.0.6
|
5
|
+
prerelease:
|
6
|
+
platform: ruby
|
7
|
+
authors:
|
8
|
+
- Mokevnin Kirill
|
9
|
+
autorequire:
|
10
|
+
bindir: bin
|
11
|
+
cert_chain: []
|
12
|
+
date: 2012-02-21 00:00:00.000000000 Z
|
13
|
+
dependencies: []
|
14
|
+
description: Yet Another ACL
|
15
|
+
email:
|
16
|
+
- mokevnin@gmail.com
|
17
|
+
executables: []
|
18
|
+
extensions: []
|
19
|
+
extra_rdoc_files: []
|
20
|
+
files:
|
21
|
+
- .gitignore
|
22
|
+
- Gemfile
|
23
|
+
- LICENSE
|
24
|
+
- README.rdoc
|
25
|
+
- Rakefile
|
26
|
+
- lib/ya_acl.rb
|
27
|
+
- lib/ya_acl/acl.rb
|
28
|
+
- lib/ya_acl/assert.rb
|
29
|
+
- lib/ya_acl/builder.rb
|
30
|
+
- lib/ya_acl/resource.rb
|
31
|
+
- lib/ya_acl/result.rb
|
32
|
+
- lib/ya_acl/role.rb
|
33
|
+
- lib/ya_acl/version.rb
|
34
|
+
- spec/spec_helper.rb
|
35
|
+
- spec/ya_acl/acl_spec.rb
|
36
|
+
- spec/ya_acl/builder_spec.rb
|
37
|
+
- spec/ya_acl/role_spec.rb
|
38
|
+
- spec/ya_acl_spec.rb
|
39
|
+
- ya_acl.gemspec
|
40
|
+
homepage: http://github.com/mokevnin/ya_acl
|
41
|
+
licenses: []
|
42
|
+
post_install_message:
|
43
|
+
rdoc_options: []
|
44
|
+
require_paths:
|
45
|
+
- lib
|
46
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
47
|
+
none: false
|
48
|
+
requirements:
|
49
|
+
- - ! '>='
|
50
|
+
- !ruby/object:Gem::Version
|
51
|
+
version: '0'
|
52
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
53
|
+
none: false
|
54
|
+
requirements:
|
55
|
+
- - ! '>='
|
56
|
+
- !ruby/object:Gem::Version
|
57
|
+
version: '0'
|
58
|
+
requirements: []
|
59
|
+
rubyforge_project:
|
60
|
+
rubygems_version: 1.8.15
|
61
|
+
signing_key:
|
62
|
+
specification_version: 3
|
63
|
+
summary: Yet Another ACL
|
64
|
+
test_files: []
|