ya_acl 0.0.6 → 0.0.7
- data/.travis.yml +7 -0
- data/README.rdoc +38 -35
- data/Rakefile +6 -2
- data/lib/ya_acl.rb +11 -6
- data/lib/ya_acl/acl.rb +2 -6
- data/lib/ya_acl/builder.rb +16 -13
- data/lib/ya_acl/resource.rb +2 -2
- data/lib/ya_acl/version.rb +1 -1
- data/spec/ya_acl/acl_spec.rb +2 -2
- data/spec/ya_acl/builder_spec.rb +2 -2
- data/ya_acl.gemspec +5 -2
- metadata +49 -7
- data/spec/ya_acl_spec.rb +0 -7
data/.travis.yml
ADDED
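--- a/data/README.rdoc
+++ b/data/README.rdoc
@@ -1,54 +1,57 @@
 == ya_acl
 
-
+{<img src="https://secure.travis-ci.org/kaize/ya_acl.png" alt="Build Status" />}[http://travis-ci.org/kaize/ya_acl]
 
-Ya_Acl
-Это значит что он не привязан к фреймворкам и это руководство предлагает только один из возможных путей использования этого компонента.
+Ya_Acl - access control list (ACL) implementation for your Ruby application.
 
-
+Ya_Acl provides a standalone object through which all checks are made.
+This means it is not tied to any framework. Note that this guide will show you only one possible way to use this component.
+
+=== Installation
 
 gem install ya_acl
 
-===
+=== Keywords
 
-
-
-
+Resource - object to restrict access to.
+Privilege - action on the resource.
+Role - object, which can request for an access to a resource.
 
-
-
+Role(s) request for an access to the resource privileges.
+For example, resource "user" can have a privilege "create".
 
-===
+=== Initial conditions
 
--
--
+- By default, everything is forbidden. Further you will only be able to grant access to a particular resource, not restrict it.
+- All resources must be added to the acl (otherwise you will get an exception).
 
-===
+=== Key features
 
-
-
-
-
-
+Asserts - runtime checks, e.g. "whether logged in user is the owner of this object".
+Checks can be assigned to specific roles of the current privilege, not just "on the privilege".
+Owning multiple roles. If at least one of the user roles has access to the resource privilege,
+access granted. Role with global access to all resources. Passed as an argument to the `Builder::resources`
+method. Roles inheritance. That is, we could define a role that will automatically get all resource privileges.
 
-===
+=== Access check algorithm
 
-1.
-2.
+1. If none of the passed roles have access to resource privilege - access denied.
+2. If any, for each role we run asserts. If at least one role passed these checks - access granted.
 
 === Workflow
 
-
-
+First, initialize acl object by creating the config file
+(you could use the structure sample below). It should be loaded while your application starts.
+Although, in development environment, you may want it to be loaded before each request.
 
 YaAcl::Builder.build do
-roles do #
+roles do # Roles
 role :admin
 role :editor
 role :operator
 end
 
-asserts do #
+asserts do # Checks
 assert :assert_name, [:current_user_id, :another_user_id] do
 current_user_id == another_user_id
 end
@@ -58,19 +61,19 @@ Assert - динамические проверки, например, являе
 end
 end
 
-resources :admin do #
-resource 'UserController', [:editor] do #
-privilege :index, [:operator] #
-privilege :edit #
+resources :admin do # Resources and role with admin privileges
+resource 'UserController', [:editor] do # Resource and roles, which have access to the all privileges of a given resource
+privilege :index, [:operator] # allowed for :admin, :editor, :operator
+privilege :edit # allowed for :admin, :editor
 privilege :new do
-assert :assert_name, [:editor] #
-assert :another_assert_name #
+assert :assert_name, [:editor] # This check will be called for role :editor
+assert :another_assert_name # This check will be called for :admin and :editor roles
 end
 end
 end
 end
 
-
+After that, acl object becomes accessible via YaAcl::Acl.instance.
 
 acl = YaAcl::Acl.instance
 
@@ -80,5 +83,5 @@ Assert - динамические проверки, например, являе
 acl.allow?('UserController', :new, [:admin], :current_user_id => 1, :another_user_id => 1) # true
 acl.allow?('UserController', :new, [:editor], :current_user_id => 1, :another_user_id => 2) # false
 
-acl#check -
-acl#check! -
+acl#check - returns YaAcl::Result object
+acl#check! - returns true or throws an exception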
data/Rakefile
CHANGED
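--- a/data/lib/ya_acl.rb
+++ b/data/lib/ya_acl.rb
@@ -1,6 +1,11 @@
-
-
-
-
-
-
+module YaAcl
+autoload :Acl, 'ya_acl/acl'
+autoload :Role, 'ya_acl/role'
+autoload :Resource, 'ya_acl/resource'
+autoload :Assert, 'ya_acl/assert'
+autoload :Result, 'ya_acl/result'
+autoload :Builder, 'ya_acl/builder'
+
+class AccessDeniedError < RuntimeError ; end
+class AssertAccessDeniedError < AccessDeniedError ; end
+end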
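Review bot: `AccessDeniedError` now subclasses `RuntimeError` (new line 9) whereas the class this replaces in acl.rb subclassed `StandardError`; a bare `rescue` still catches both, but this is a change to the gem's public exception hierarchy that the commit does not mention, and neither class carries any documentation. I would add above the two class lines: `# Raised by Acl#check! on a denied access; AssertAccessDeniedError marks a denial decided by a failing assert.` Because the rest of the library is brought in via autoload, these two constants only exist once this file itself has been required, which is worth stating in that comment as well.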
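--- a/data/lib/ya_acl/acl.rb
+++ b/data/lib/ya_acl/acl.rb
@@ -1,8 +1,4 @@
 module YaAcl
-
-class AccessDeniedError < StandardError ; end
-class AssertAccessDeniedError < AccessDeniedError ; end
-
 class Acl
 
 attr_reader :roles, :resources, :asserts
@@ -113,7 +109,7 @@ module YaAcl
 def check!(resource_name, privilege_name, roles = [], params = {})
 result = check(resource_name, privilege_name, roles, params)
 return true if result.status
-
+
 message = "Access denied for '#{resource_name}', privilege '#{privilege_name}'"
 if result.assert
 raise AssertAccessDeniedError, message + ", role '#{result.role}' and assert '#{result.assert.name}'"
@@ -122,4 +118,4 @@ module YaAcl
 end
 end
 end
-end
+end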
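Review bot: `raise AssertAccessDeniedError` at new line 115 of check! now names a constant that this file no longer defines (old lines 3–4 were removed), so loading acl.rb without first requiring lib/ya_acl.rb would turn a denied access into a NameError rather than the documented exception. If that load order is ever possible — a spec_helper or a consumer requiring 'ya_acl/acl' directly, for instance — a `require 'ya_acl'` at the top of this file, or at least a comment on the raise noting where the error classes now live, would make the dependency explicit. check! continues past the hunk, and the branch for a denial without a failing assert is outside it.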
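--- a/data/lib/ya_acl/builder.rb
+++ b/data/lib/ya_acl/builder.rb
@@ -3,28 +3,27 @@ module YaAcl
 attr_accessor :acl
 
 def self.build &block
-builder = new
-builder.instance_eval &block
-builder.acl.freeze
+builder = new block
 Acl.instance = builder.acl
 end
 
-def initialize
+def initialize block
 self.acl = Acl.new
+instance_eval &block
 end
 
 def roles(&block)
 instance_eval &block
 end
 
-def role(name, options = {})
-acl.add_role Role.new(name, options)
-end
-
 def asserts(&block)
 instance_eval &block
 end
 
+def role(name, options = {})
+acl.add_role Role.new(name, options)
+end
+
 def assert(name, param_names, &block)
 acl.add_assert Assert.new(name, param_names, &block)
 end
@@ -55,10 +54,9 @@ module YaAcl
 
 asserts = {}
 if block_given?
-
-asserts = proxy.asserts
+asserts = PrivilegeAssertProxy.build asserts_block, all_allow_roles
 end
-
+
 all_allow_roles.each do |role|
 if asserts[role]
 asserts[role].each do |assert|
@@ -73,7 +71,12 @@ module YaAcl
 
 class PrivilegeAssertProxy
 attr_reader :asserts
-
+
+def self.build(block, all_allow_roles)
+builder = new block, all_allow_roles
+builder.asserts
+end
+
 def initialize(block, all_allow_roles)
 @all_allow_roles = all_allow_roles
 @asserts = {}
@@ -89,4 +92,4 @@ module YaAcl
 end
 end
 end
-end
+end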
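Review bot: `builder.acl.freeze` (old line 8) was dropped when `build` became `builder = new block` (new line 6) and nothing in the new `initialize` restores it, so the ACL published through `Acl.instance = builder.acl` on new line 7 is no longer frozen once configuration ends. How much that freeze actually guarded depends on whether `add_role` and friends reassign or mutate the collections behind `attr_reader :roles, :resources, :asserts`, which is outside the hunk, but unless the removal was deliberate I would restore `builder.acl.freeze` immediately before the assignment on new line 7 so the shared instance cannot be re-pointed at runtime. The new `initialize block` also calls `instance_eval &block` unconditionally, so `Builder.new` with no block fails inside instance_eval; `raise ArgumentError, 'block required' unless block` before that line gives a clearer failure. The `asserts_block` passed on new line 57 is bound outside this hunk, in the enclosing method whose start is not shown.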
data/lib/ya_acl/resource.rb
CHANGED
data/lib/ya_acl/version.rb
CHANGED
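--- a/data/spec/ya_acl/acl_spec.rb
+++ b/data/spec/ya_acl/acl_spec.rb
@@ -15,7 +15,7 @@ describe YaAcl::Acl do
 assert = YaAcl::Assert.new :assert, [:object_user_id, :user_id] do
 object_user_id == user_id
 end
-
+
 @acl.add_assert assert
 end
 
@@ -53,4 +53,4 @@ describe YaAcl::Acl do
 @acl.allow?(:name, :empty, [:guest, :admin]).should be_true
 @acl.allow?(:name, :index, [:guest, :admin], :var => false).should be_true
 end
-end
+end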
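--- a/data/spec/ya_acl/builder_spec.rb
+++ b/data/spec/ya_acl/builder_spec.rb
@@ -7,7 +7,7 @@ describe YaAcl::Builder do
 role :admin, :name => 'Administrator'
 end
 end
-
+
 acl.role(:admin).should_not be_nil
 end
 
@@ -143,4 +143,4 @@ describe YaAcl::Builder do
 acl.allow?(:name, :update, [:operator], :first => 1, :second => 1).should be_true
 acl.allow?(:name, :update, [:operator], :first => 3, :second => 3).should be_false
 end
-end
+end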
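--- a/data/ya_acl.gemspec
+++ b/data/ya_acl.gemspec
@@ -8,7 +8,7 @@ Gem::Specification.new do |s|
 s.platform = Gem::Platform::RUBY
 s.authors = ["Mokevnin Kirill"]
 s.email = ["mokevnin@gmail.com"]
-s.homepage = "http://github.com/
+s.homepage = "http://github.com/kaize/ya_acl"
 s.summary = %q{Yet Another ACL}
 s.description = %q{Yet Another ACL}
 
@@ -19,4 +19,7 @@ Gem::Specification.new do |s|
 s.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
 s.require_paths = ["lib"]
 
-
+# specify any dependencies here; for example:
+s.add_development_dependency "rspec"
+s.add_runtime_dependency "rake"
+end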
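Review bot: `s.add_runtime_dependency "rake"` at new line 24 declares rake as a runtime dependency, but nothing under lib/ appears to use it (lib/ya_acl.rb in this release only autoloads the gem's own files), so every consumer would pull in a build tool for nothing, and the generated metadata in this release records it as `type: :runtime` accordingly. It should read `s.add_development_dependency "rake"`. Both new dependencies are also unconstrained; a pessimistic bound on at least rspec would keep the suite from drifting with upstream major releases.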
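--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ya_acl
 version: !ruby/object:Gem::Version
-version: 0.0.
+version: 0.0.7
 prerelease:
 platform: ruby
 authors:
@@ -9,8 +9,40 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-
-dependencies:
+date: 2012-12-01 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+name: rspec
+requirement: !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: rake
+requirement: !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '0'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '0'
 description: Yet Another ACL
 email:
 - mokevnin@gmail.com
@@ -19,6 +51,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - .gitignore
+- .travis.yml
 - Gemfile
 - LICENSE
 - README.rdoc
@@ -35,9 +68,8 @@ files:
 - spec/ya_acl/acl_spec.rb
 - spec/ya_acl/builder_spec.rb
 - spec/ya_acl/role_spec.rb
-- spec/ya_acl_spec.rb
 - ya_acl.gemspec
-homepage: http://github.com/
+homepage: http://github.com/kaize/ya_acl
 licenses: []
 post_install_message:
 rdoc_options: []
@@ -49,16 +81,26 @@ required_ruby_version: !ruby/object:Gem::Requirement
 - - ! '>='
 - !ruby/object:Gem::Version
 version: '0'
+segments:
+- 0
+hash: -834640367938296051
 required_rubygems_version: !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ! '>='
 - !ruby/object:Gem::Version
 version: '0'
+segments:
+- 0
+hash: -834640367938296051
 requirements: []
 rubyforge_project:
-rubygems_version: 1.8.
+rubygems_version: 1.8.24
 signing_key:
 specification_version: 3
 summary: Yet Another ACL
-test_files:
+test_files:
+- spec/spec_helper.rb
+- spec/ya_acl/acl_spec.rb
+- spec/ya_acl/builder_spec.rb
+- spec/ya_acl/role_spec.rb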