app/controllers/authorization_usages_controller.rb app/views/authorization_usages/index.html.erb test/maintenance_test.rb @@ -29,7 +29,8 @@ module AuthorizationRulesHelper def navigation link_to("Rules", authorization_rules_path) << ' | ' << - link_to("Graphical view", graph_authorization_rules_path) #<< ' | ' << + link_to("Graphical view", graph_authorization_rules_path) << ' | ' << + link_to("Usages", authorization_usages_path) #<< ' | ' << # 'Edit | ' << # link_to("XACML export", :action => 'index', :format => 'xacml') end @@ -48,4 +49,36 @@ module AuthorizationRulesHelper def role_fill_color (role) role_color(role, true) end + + def auth_usage_info_classes (auth_info) + classes = [] + if auth_info[:controller_permissions] + if auth_info[:controller_permissions][0] + classes << "catch-all" if auth_info[:controller_permissions][0].actions.include?(:all) + classes << "default-privilege" unless auth_info[:controller_permissions][0].privilege + classes << "default-context" unless auth_info[:controller_permissions][0].context + classes << "no-attribute-check" unless auth_info[:controller_permissions][0].attribute_check + end + else + classes << "unprotected" + end + classes * " " + end + + def auth_usage_info_title (auth_info) + titles = [] + if auth_usage_info_classes(auth_info) =~ /unprotected/ + titles << "No filter_access_to call protects this action" + end + if auth_usage_info_classes(auth_info) =~ /no-attribute-check/ + titles << "Action is not protected with attribute check" + end + if auth_usage_info_classes(auth_info) =~ /default-privilege/ + titles << "Privilege set automatically from action name by :all rule" + end + if auth_usage_info_classes(auth_info) =~ /default-context/ + titles << "Context set automatically from controller name by filter_access_to call without :context option" + end + titles * ". " + end end app/helpers/authorization_rules_helper.rb @@ -1,5 +1,6 @@ ActionController::Routing::Routes.draw do |map| if Authorization::activate_authorization_rules_browser? map.resources :authorization_rules, :only => :index, :collection => {:graph => :get} + map.resources :authorization_usages, :only => :index end end \ No newline at end of file config/routes.rb @@ -245,7 +245,7 @@ module Authorization end class ControllerPermission # :nodoc: - attr_reader :actions, :privilege, :context + attr_reader :actions, :privilege, :context, :attribute_check def initialize (actions, privilege, context, attribute_check = false, load_object_model = nil, load_object_method = nil, filter_block = nil) lib/in_controller.rb @@ -87,7 +87,7 @@ module Authorization :include_read => false }.merge(options) context = (options[:context] || self.table_name).to_sym - + class_eval do before_create do |object| Authorization::Engine.instance.permit!(:create, :object => object, lib/in_model.rb @@ -49,6 +49,62 @@ module Authorization ensure Authorization.current_user = prev_user end + + # Module for grouping usage-related helper methods + module Usage + # Delivers a hash of {ControllerClass => usage_info_hash}, + # where usage_info_hash has the form of + def self.usages_by_controller + # load each application controller + begin + Dir.foreach(File.join(RAILS_ROOT, %w{app controllers})) do |entry| + if entry =~ /^\w+_controller\.rb$/ + require File.join(RAILS_ROOT, %w{app controllers}, entry) + end + end + rescue Errno::ENOENT + end + controllers = [] + ObjectSpace.each_object(Class) do |obj| + controllers << obj if obj.ancestors.include?(ActionController::Base) and + !%w{ActionController::Base ApplicationController}.include?(obj.name) + end + + controllers.inject({}) do |memo, controller| + catchall_permissions = [] + permission_by_action = {} + controller.all_filter_access_permissions.each do |controller_permissions| + catchall_permissions << controller_permissions if controller_permissions.actions.include?(:all) + controller_permissions.actions.reject {|action| action == :all}.each do |action| + permission_by_action[action] = controller_permissions + end + end + + actions = controller.public_instance_methods(false) - controller.hidden_actions + memo[controller] = actions.inject({}) do |actions_memo, action| + action_sym = action.to_sym + actions_memo[action_sym] = + if permission_by_action[action_sym] + { + :privilege => permission_by_action[action_sym].privilege, + :context => permission_by_action[action_sym].context, + :controller_permissions => [permission_by_action[action_sym]] + } + elsif !catchall_permissions.empty? + { + :privilege => catchall_permissions[0].privilege, + :context => catchall_permissions[0].context, + :controller_permissions => catchall_permissions + } + else + {} + end + actions_memo + end + memo + end + end + end end # TestHelper provides assert methods and controller request methods which lib/maintenance.rb 2c200d272a0323d4b49a16320713685633d532ac Steffen Bartsch sbartsch@tzi.org http://github.com/stffn/declarative_authorization/commit/0f9ecaeaaa2b28840591587cc29cf155309480a6 0f9ecaeaaa2b28840591587cc29cf155309480a6 2009-02-22T07:45:25-08:00 2009-02-22T06:16:48-08:00 Authorization usage helper view 1da05daf7a735d06a60fcf8afef20ee294ae0f1d Steffen Bartsch sbartsch@tzi.org