@@ -1,3 +1,5 @@ +* New option :join_by for has_permission_on to allow AND'ing of statements in one has_permission_on block + * Allow using_access_control to be called directly on ActiveRecord::Base, globally enabling model security * New operator: intersects_with, comparing two Enumerables in if_attribute CHANGELOG @@ -156,7 +156,7 @@ module Authorization begin options[:skip_attribute_test] or rule.attributes.empty? or - rule.attributes.any? do |attr| + rule.attributes.send(rule.join_operator == :and ? :all? : :any?) do |attr| begin attr.validate?( attr_validator ) rescue NilAttributeValueError => e @@ -203,8 +203,15 @@ module Authorization user, roles, privileges = user_roles_privleges_from_options(privilege, options) attr_validator = AttributeValidator.new(self, user, nil, options[:context]) matching_auth_rules(roles, privileges, options[:context]).collect do |rule| - obligation = rule.attributes.collect {|attr| attr.obligation(attr_validator) } - obligation.empty? ? [{}] : obligation + obligations = rule.attributes.collect {|attr| attr.obligation(attr_validator) } + if rule.join_operator == :and and !obligations.empty? + merged_obligation = obligations.first + obligations[1..-1].each do |obligation| + merged_obligation = merged_obligation.deep_merge(obligation) + end + obligations = [merged_obligation] + end + obligations.empty? ? [{}] : obligations end.flatten end @@ -322,12 +329,13 @@ module Authorization end class AuthorizationRule - attr_reader :attributes, :contexts, :role, :privileges + attr_reader :attributes, :contexts, :role, :privileges, :join_operator - def initialize (role, privileges = [], contexts = nil) + def initialize (role, privileges = [], contexts = nil, join_operator = :or) @role = role @privileges = Set.new(privileges) @contexts = Set.new((contexts && !contexts.is_a?(Array) ? [contexts] : contexts)) + @join_operator = join_operator @attributes = [] end lib/declarative_authorization/authorization.rb @@ -210,23 +210,27 @@ module Authorization # The block form allows to describe restrictions on the permissions # using if_attribute. Multiple has_permission_on statements are # OR'ed when evaluating the permissions. Also, multiple if_attribute - # statements in one block are OR'ed. To AND conditions, place them - # in one if_attribute statement. + # statements in one block are OR'ed if no :+join_by+ option is given + # (see below). To AND conditions, either set :+join_by+ to :and or place + # them in one if_attribute statement. # # Available options # [:+to+] # A symbol or an array of symbols representing the privileges that # should be granted in this statement. + # [:+join_by+] + # Join operator to logically connect the constraint statements inside + # of the has_permission_on block. May be :+and+ or :+or+. Defaults to :+or+. # def has_permission_on (context, options = {}, &block) raise DSLError, "has_permission_on only allowed in role blocks" if @current_role.nil? - options = {:to => []}.merge(options) + options = {:to => [], :join_by => :or}.merge(options) privs = options[:to] privs = [privs] unless privs.is_a?(Array) raise DSLError, "has_permission_on either needs a block or :to option" if !block_given? and privs.empty? - rule = AuthorizationRule.new(@current_role, privs, context) + rule = AuthorizationRule.new(@current_role, privs, context, options[:join_by]) @auth_rules << rule if block_given? @current_rule = rule @@ -295,7 +299,8 @@ module Authorization # end # # Multiple attributes in one :if_attribute statement are AND'ed. - # Multiple if_attribute statements are OR'ed. Thus, the following would + # Multiple if_attribute statements are OR'ed if the join operator for the + # has_permission_on block isn't explicitly set. Thus, the following would # require the current user either to be of the same branch AND the employee # to be "changeable_by_coworker". OR the current user has to be the # employee in question. lib/declarative_authorization/reader.rb @@ -82,6 +82,42 @@ class AuthorizationTest < Test::Unit::TestCase engine.obligations(:test, :context => :permissions, :user => MockUser.new(:test_role, :attr => 1)) end + + def test_obligations_with_anded_conditions + reader = Authorization::Reader::DSLReader.new + reader.parse %{ + authorization do + role :test_role do + has_permission_on :permissions, :to => :test, :join_by => :and do + if_attribute :attr => is { user.attr } + if_attribute :attr_2 => is { user.attr_2 } + end + end + end + } + engine = Authorization::Engine.new(reader) + assert_equal [{:attr => [:is, 1], :attr_2 => [:is, 2]}], + engine.obligations(:test, :context => :permissions, + :user => MockUser.new(:test_role, :attr => 1, :attr_2 => 2)) + end + + def test_obligations_with_deep_anded_conditions + reader = Authorization::Reader::DSLReader.new + reader.parse %{ + authorization do + role :test_role do + has_permission_on :permissions, :to => :test, :join_by => :and do + if_attribute :attr => { :deeper_attr => is { user.deeper_attr }} + if_attribute :attr => { :deeper_attr_2 => is { user.deeper_attr_2 }} + end + end + end + } + engine = Authorization::Engine.new(reader) + assert_equal [{:attr => { :deeper_attr => [:is, 1], :deeper_attr_2 => [:is, 2] } }], + engine.obligations(:test, :context => :permissions, + :user => MockUser.new(:test_role, :deeper_attr => 1, :deeper_attr_2 => 2)) + end def test_obligations_with_conditions_and_empty reader = Authorization::Reader::DSLReader.new @@ -629,6 +665,58 @@ class AuthorizationTest < Test::Unit::TestCase :user => MockUser.new(:test_role), :object => perm_data_attr_2) end + + def test_attribute_with_permissions_and_anded_rules + reader = Authorization::Reader::DSLReader.new + reader.parse %{ + authorization do + role :test_role do + has_permission_on :permissions, :to => :test do + if_attribute :test_attr => 1 + end + has_permission_on :permission_children, :to => :test, :join_by => :and do + if_permitted_to :test, :permission + if_attribute :test_attr => 1 + end + end + end + } + engine = Authorization::Engine.new(reader) + + perm_data_attr_1 = PermissionMock.new({:test_attr => 1}) + perm_data_attr_2 = PermissionMock.new({:test_attr => 2}) + assert engine.permit?(:test, :context => :permission_children, + :user => MockUser.new(:test_role), + :object => MockDataObject.new(:permission => perm_data_attr_1, :test_attr => 1)) + assert !engine.permit?(:test, :context => :permission_children, + :user => MockUser.new(:test_role), + :object => MockDataObject.new(:permission => perm_data_attr_2, :test_attr => 1)) + assert !engine.permit?(:test, :context => :permission_children, + :user => MockUser.new(:test_role), + :object => MockDataObject.new(:permission => perm_data_attr_1, :test_attr => 2)) + end + + def test_attribute_with_anded_rules + reader = Authorization::Reader::DSLReader.new + reader.parse %{ + authorization do + role :test_role do + has_permission_on :permissions, :to => :test, :join_by => :and do + if_attribute :test_attr => 1 + if_attribute :test_attr_2 => 2 + end + end + end + } + engine = Authorization::Engine.new(reader) + + assert engine.permit?(:test, :context => :permissions, + :user => MockUser.new(:test_role), + :object => MockDataObject.new(:test_attr => 1, :test_attr_2 => 2)) + assert !engine.permit?(:test, :context => :permissions, + :user => MockUser.new(:test_role), + :object => MockDataObject.new(:test_attr => 1, :test_attr_2 => 3)) + end def test_raise_on_if_attribute_hash_on_collection reader = Authorization::Reader::DSLReader.new test/authorization_test.rb @@ -407,6 +407,33 @@ class ModelTest < Test::Unit::TestCase TestAttr.delete_all end + def test_named_scope_with_anded_rules + reader = Authorization::Reader::DSLReader.new + reader.parse %{ + authorization do + role :test_role do + has_permission_on :test_attrs, :to => :read, :join_by => :and do + if_attribute :test_model => is { user.test_model } + if_attribute :attr => 1 + end + end + end + } + Authorization::Engine.instance(reader) + + test_model_1 = TestModel.create! + test_model_1.test_attrs.create!(:attr => 1) + TestModel.create!.test_attrs.create!(:attr => 1) + TestModel.create!.test_attrs.create! + + user = MockUser.new(:test_role, :test_model => test_model_1) + assert_equal 1, TestAttr.with_permissions_to(:read, + :context => :test_attrs, :user => user).length + + TestModel.delete_all + TestAttr.delete_all + end + def test_named_scope_with_contains reader = Authorization::Reader::DSLReader.new reader.parse %{ test/model_test.rb 5af43ff1c238a5ef276c4ef54e3c86960b4cbffd Steffen Bartsch sbartsch@tzi.org http://github.com/stffn/declarative_authorization/commit/2162e8755ecdc2e5f0581d84847f68a5bc9d678b 2162e8755ecdc2e5f0581d84847f68a5bc9d678b 2009-04-01T08:08:19-07:00 2009-04-01T08:08:19-07:00 New join_by option for has_permission_on to allow statements inside to be logically AND'ed 1164e2f8398dfecea3149005901b82fbe8a7a741 Steffen Bartsch sbartsch@tzi.org