@@ -1,4 +1,4 @@ -Copyright (c) 2008 RoleSystem Mark Daggett +Copyright (c) 2009 RoleSystem Mark Daggett Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the MIT-LICENSE @@ -1,16 +1,18 @@ -module RoleSystem +module RoleSystem class RoleRequired < StandardError; end class NoRolePlayer < StandardError; end - + def self.included(base) base.send :class_inheritable_array, :role_requirements, :public_actions, :private_actions + base.send :class_inheritable_accessor, :skipping_role_system + base.send :skipping_role_system=, false base.send :include, InstanceMethods base.send :extend, ClassMethods base.send :role_requirements=, [] base.send :public_actions=, [] base.send :private_actions=, [] end - + # The RoleSystem is a controller mixin to grant or restrict access to actions based on the # roles a user belongs to. # @@ -30,7 +32,15 @@ module RoleSystem # grant_access_to :editor, :except => :destroy # end module ClassMethods - + + # Use this action when you want to skip role checking all together. + # This is useful for example if you have a public controller inside an admin namespace + # which inherits from an AdminController that specifies a default role. + def skip_role_system + self.skipping_role_system = true + @roles_checked = true + end + # These actions don't require roles at all. This method is helpful for instances # where some actions are public, while others require a role. def all_access_to(options = {}) @@ -42,7 +52,7 @@ module RoleSystem self.private_actions = [options[:except]].flatten.compact.collect{ |a| a.to_sym } end end - + # This method restricts or grants access to actions based on a user's role list. def grant_access_to(roles, options = {}) roles = [roles].flatten @@ -62,23 +72,24 @@ module RoleSystem self.role_requirements << { :roles => roles, :options => options } end end - + module InstanceMethods - + def self.included(base) def role_player=(param) @role_player = param.to_sym end - + private def check_roles + return true if self.skipping_role_system return true if no_roles_required_for(binding) raise RoleSystem::RoleRequired unless @role_player user = self.send(@role_player) raise RoleSystem::RoleRequired unless has_required_roles?(user, binding) true rescue RoleSystem::RoleRequired, NoMethodError - + # restful_authentication users access_denied so if the controller already has # this installed then use this method. if self.methods.include?('access_denied') @@ -95,11 +106,11 @@ module RoleSystem public_action = self.public_actions.include?(params[:action].to_sym) end unless self.private_actions.empty? - public_action = !self.private_actions.include?(params[:action].to_sym) + public_action = !self.private_actions.include?(params[:action].to_sym) end public_action end - + # This method iterates over all of the role requirements supplied by the controler # and determines if the account holder has the needed roles to access requested action. # An example role requirement array might looke like: @@ -118,28 +129,28 @@ module RoleSystem roles = role_requirement[:roles] options = role_requirement[:options] params[:action] = (params[:action]||"index").to_sym - + next unless access_to_action?(options) if options.has_key?(:if) - + # If the proc evaluates false then it doesn't matter if they have the required role # because it was only permissible during this conditional access. @failed_proc = true unless (String===options[:if] ? eval(options[:if], binding) : options[:if].call(params)) end if options.has_key?(:unless) - - # If this proc evaluates true then restrict access to this action because their + + # If this proc evaluates true then restrict access to this action because their # access was provisional for conditions where this proc would fail. @failed_proc = true if ( String===options[:unless] ? eval(options[:unless], binding) : options[:unless].call(params) ) end - + roles.each { |role| @access_granted = true if user.has_role?(role) } unless @failed_proc return true if @access_granted end @access_granted end - + protected def access_to_action?(options) if options.has_key?(:only) lib/role_system.rb @@ -7,7 +7,7 @@ class MockMember def roles @roles end - + def has_role?(role) @roles.map{ |g| g.name.downcase.to_sym }.include?(role) end @@ -16,11 +16,11 @@ end # This controller simulates a controller that includes AuthenticatedSystem, which the # role system can hook into. class MockApplicationController < ActionController::Base - + # Used by the RoleSystem to find the current member (if any) # This before filter needs to be called BEFORE any role checking. before_filter { |controller| controller.role_player = :current_member } - + def access_denied redirect_to new_sessions_path and return false end @@ -32,18 +32,18 @@ module RoleSystemSpecHelper @admin_role = mock_model(Group, :name => 'admin', :context => 'role') @content_editor_role = mock_model(Group, :name => 'content_editor', :context => 'role') end - + def login_as(role) instance_variable_set("@#{role}".to_sym, MockMember.new(:roles => [instance_variable_get("@#{role}_role")])) @controller.stub!(:current_member).and_return(instance_variable_get("@#{role}")) - end + end end class AdminOnlyController < MockApplicationController grant_access_to :admin - + def index - end + end end describe RoleSystem, "a controller allowing only admin access", :type => :controller do @@ -52,13 +52,13 @@ describe RoleSystem, "a controller allowing only admin access", :type => :contro before(:each) do add_roles end - + it "should allow an admin access" do login_as('admin') get :index response.should be_success end - + it "should prevent access by anyone who is not an admin" do login_as('editor') get :index @@ -66,14 +66,23 @@ describe RoleSystem, "a controller allowing only admin access", :type => :contro end end +class PublicController < AdminOnlyController + skip_role_system +end + +describe RoleSystem, "a controller skipping the role system of an inherited controller" do + get :index + response.should be_success +end + class MixedRoleAccessController < MockApplicationController grant_access_to :content_editor, :only => :new grant_access_to :admin, :only => [:new, :destroy] grant_access_to :editor, :except => :destroy - + def index;end def new;end - def destroy;end + def destroy;end end describe RoleSystem, "a controller allowing access to actions by role", :type => :controller do @@ -82,33 +91,33 @@ describe RoleSystem, "a controller allowing access to actions by role", :type => before(:each) do add_roles end - + it "should grant access to content_editor and admin for new" do login_as('content_editor') get :new response.should be_success - + login_as('admin') get :new response.should be_success end - + it "should grant acccess to editor for index" do login_as('editor') get :index response.should be_success end - - it "should only give destroy access to admin" do + + it "should only give destroy access to admin" do login_as('editor') get :destroy response.should redirect_to(new_sessions_path) - + login_as('admin') get :destroy response.should be_success end - + it "should not give access to index to admin" do login_as('admin') get :index @@ -117,10 +126,9 @@ describe RoleSystem, "a controller allowing access to actions by role", :type => end class ConditionalAccessController < MockApplicationController - grant_access_to :content_editor, :if => Proc.new { |controller| controller.has_key?(:sekret) } grant_access_to :admin, :unless => Proc.new { |controller| controller.has_key?(:admin_sekret) } - + def index;end end @@ -130,7 +138,7 @@ describe RoleSystem, "a controller allowing access under certain conditions", :t before(:each) do add_roles end - + it "should grant access to admin unless access is revoked ahead of time" do login_as('admin') get :index @@ -139,12 +147,12 @@ describe RoleSystem, "a controller allowing access under certain conditions", :t get :index, :admin_sekret => 'shhhhhhhhhhhhhhh' response.should redirect_to(new_sessions_path) end - + it "should allow access to content_editors if special access is granted" do login_as('content_editor') get :index response.should redirect_to(new_sessions_path) - + get :index, :sekret => 'shhhhhhhhhhhhhhh' response.should be_success end @@ -153,7 +161,7 @@ end class EquivalentAccessController < MockApplicationController grant_access_to :admin grant_access_to [:content_editor, :editor] , :only => :index - + def index;end def new;end end @@ -164,26 +172,26 @@ describe RoleSystem, "a controller where two roles are equivalent", :type => :co before(:each) do add_roles end - + it "should treat the roles identically" do login_as('admin') get :index response.should be_success - + get :new response.should be_success - + login_as('editor') get :index response.should be_success - + get :new response.should redirect_to(new_sessions_path) login_as('content_editor') get :index response.should be_success - + get :new response.should redirect_to(new_sessions_path) end @@ -202,7 +210,7 @@ describe RoleSystem, "a controller without authenticated system", :type => :cont before(:each) do add_roles end - + it "should just return an access denied header when authenticated_system is not available" do login_as('editor') get :index @@ -223,29 +231,29 @@ describe RoleSystem, "a controller where only certain actions require roles", :t before(:each) do add_roles end - + it "should allow a member with a role to access both role-requried and public actions" do login_as('admin') get :admin_only response.should be_success - + get :everybody_allowed response.should be_success end - + it "should allow members without a role or without being logged in to access public actions" do - + # No session at all get :admin_only response.should redirect_to(new_sessions_path) - + get :everybody_allowed response.should be_success - + login_as('editor') get :admin_only response.should redirect_to(new_sessions_path) - + get :everybody_allowed response.should be_success end @@ -264,29 +272,29 @@ describe RoleSystem, "another controller where only certain actions require role before(:each) do add_roles end - + it "should allow a member with a role to access both role-requried and public actions" do login_as('admin') get :everybody_allowed response.should be_success - + get :nobody_allowed response.should be_success end - + it "should allow members without a role or without being logged in to access public actions" do - + # No session at all get :nobody_allowed response.should redirect_to(new_sessions_path) - + get :everybody_allowed response.should be_success - + login_as('editor') get :nobody_allowed response.should redirect_to(new_sessions_path) - + get :everybody_allowed response.should be_success end spec/role_system_spec.rb ba6b27658f27ccdcc7c005dd1cbd161e7091fdb6 Mark Daggett heavysixer@heavysixer.local http://github.com/heavysixer/rolesystem/commit/f6747802eb687b89c26d6651867c2bdee61792e3 f6747802eb687b89c26d6651867c2bdee61792e3 2009-06-25T08:28:24-07:00 2009-06-25T08:28:24-07:00 updating the role_system with the ability to skip role checking all together for specific controllers that inherit from a base controller that uses role_system. 320f3ae1b4513d87eb210d67d8411cd7020f1117 Mark Daggett heavysixer@heavysixer.local