+ Add Right model generator and DB-backed way of handling rights in addition to inlined "permit" checks
+ Added namespacing to @options instance variable to prevent possible name clashes
+ Add test generator instead of handling tests in test apps
+ Add support for groups
+ Extend grammar to allow "(admin or moderator or some_role) of some_model" (?) [Chris Hapgood]
+ Extend coverage to models. Look at Bruce Perens's ModelSecurity and access with_scope. (9/3006 - Recently investigated extension to model and the most programmer-friendly DSLs may require too much hacking on ActiveRecord.)
CHANGES (from most recent to oldest)
=== 1.0.10 release (February 27, 2008)
* Patch Series : Granular redirection configuration submitted by Thomas Weibel
WARNING : If you are upgrading from a previous install you may need to change some configuration settings in your environment.rb file.
Added granular LOGIN_REQUIRED_REDIRECTION hash or path config
Added granular PERMISSION_DENIED_REDIRECTION hash or path config
Support custom flash messages for each redirection type
Updated README.txt to provide instructions.
Enhanced support for integration with restful_authentication plugin.
=== 1.0.9 release (February 26, 2008)
* Patch #8571 : Add type argument to is_role_of_what submitted by Aslak Hellesøy (aslak_hellesoy)
In my RESTful index views for an AR type I often want to list all of the records *for a given type* for which the current
user has the role "show". (As opposed to getting *any* record for which the user has the role)
In order to achieve this, I have patched identity.rb so that I can do this:
  def index
    if current_user.permit? 'admin'
      # show all projects
      @projects = Project.find(:all)
    else
      # only the projects for which the current user has the "show" role
      @projects = current_user.is_show_for_what(Project)
    end
  end
=== 1.0.8 release (February 26, 2008)
* Patch #11352 : Fixes a bug with role_regex and simple quoted roles submitted by 'a French RoR developer'
Documentation says:
<role> ::= /\w+/ | /'.*'/
But the next permission string isn't well parsed: " 'abcd:efgh' or 'abcd:ijkl' "
You get an error because the role_regex defined in parser.rb eats every simple quote between the first and the last
simple quote in the string.
So I patched the two instances of role_regex in parser.rb, from this:
  role_regex = '\s*(\'\s*(.+)\s*\'|([A-Za-z]\w*))\s*'
to this (the question mark ends the first pattern as soon as possible, preventing the inner single quotes from being eaten):
  role_regex = '\s*(\'\s*(.+?)\s*\'|([A-Za-z]\w*))\s*'
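The two role_regex variants side by side, run over the permission string from the report. This is an added example, not plugin code: it rebuilds the regexes from the strings quoted above and only shows the regex step, so the operator 'or' appears as a bare token that the real parser would handle separately.

```ruby
# Added example (not plugin code): rebuild both role_regex variants from the
# strings quoted in the 1.0.8 entry and tokenize the permission string that
# the bug report gives.
GREEDY_ROLE_REGEX = Regexp.new('\s*(\'\s*(.+)\s*\'|([A-Za-z]\w*))\s*')
FIXED_ROLE_REGEX  = Regexp.new('\s*(\'\s*(.+?)\s*\'|([A-Za-z]\w*))\s*')

# The permission string from the report (constructed here verbatim).
REPORTED_EXPR = " 'abcd:efgh' or 'abcd:ijkl' ".freeze

# Scan +expr+ with +role_regex+ and return [[kind, text], ...].
# Capture 2 is the body of a quoted role, capture 3 a bare identifier;
# capture 1 (the whole alternation) is not needed. This is only the
# regex step: the real parser treats 'or' as an operator, here it just
# shows up as a bare token between the two quoted roles.
def role_tokens(expr, role_regex)
  expr.scan(role_regex).map do |_whole, quoted, bare|
    quoted ? [:quoted, quoted] : [:bare, bare]
  end
end

# Just the token texts, in order, for quick comparison.
def role_names(expr, role_regex)
  role_tokens(expr, role_regex).map(&:last)
end

if __FILE__ == $PROGRAM_NAME
  # Greedy: one bogus role spanning from the first quote to the last.
  p role_names(REPORTED_EXPR, GREEDY_ROLE_REGEX)
  # Fixed: two quoted roles with the operator token between them.
  p role_names(REPORTED_EXPR, FIXED_ROLE_REGEX)
end
```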
=== 1.0.7 release (February 25, 2008)
* Patch #9431 : Fixes a bug in identity.rb submitted by Michel Martens (blaumag)
If some authorizable instance accepts a role, then it responds true when queried for has_[role_name]?
country.has_kings? #=> false
user.has_role "king", country
country.has_kings? #=> true
user.has_no_role "king", country
country.has_kings? #=> true
After the last call, country.has_kings? should be false.
=== 1.0.6 release (February 25, 2008)
* Patch #12170 : Additional HABTM options for acts_as_authorized_user
A very simple patch that allows options to be passed to the has_and_belongs_to_many relationship. This seems necessary
if the "User" object has a different name from the table name. has_and_belongs_to_many does not automatically
use the table set by the "User" object so it must be specified (along with the foreign key if applicable).
Patch submitted by Eric Anderson (eric1234)
=== 1.0.5 release (February 25, 2008)
* Feature : Add additional test for current_user being set to the symbol ':false'.
This is for compatibility with the restful_authentication plugin which will
set current_user to :false on a bad login. Previously we were only testing
for current_user.nil? which was incomplete.
=== 1.0.4 release (February 25, 2008)
* Bugfix : RubyForge bug #9368. Problems with about.yml
Fixes a minor bug in the about.yml plugin metadata file
so that it will parse cleanly. [GR]
=== 1.0.3 release (February 17, 2008)
* Minor changes to USAGE text for ./script/generate role_model
=== 1.0.2 release (February 17, 2008)
* From this release forward the plugin requires use of Ruby on Rails version 2.x. Version 1.0.1 is the final release fully compatible with Rails 1.2.x.
* Upgraded the database migration generator to create the new Rails 2.0.x style 'sexy migrations'.
=== 1.0.1 release (February 17, 2008)
* Moved source code to public Git repository at (
* Removed attr_protected declaration from acts_as_authorized_user, acts_as_authorizable methods. These conflicted with usage of the Authorization plugin with models generated by the restful_authentication generator or any model that specified the safer attr_accessible whitelist. RA encourages the safer attr_accessible whitelisting of attributes that are accessible from its models. You cannot apply both attr_accessible and attr_protected in the same model. Users are encouraged to specify a whitelist of attr_accessible model attributes for their application's security. [grempe]
=== SVN
* Performance improvement for has_role? [Sean Geoghegan]
* Allow customization of message on redirection after failed authorization (:redirect_message option) [Joey Geiger]
* Patch to allow authorizable objects that use single table inheritance (STI) [Sean Geoghegan]
=== 1.0 release (Sept 13, 2006)
* Added attr_protected for habtm and has_many role ids to block security concern if developers use update_attributes(params[:auth_obj]) on an authorizable object [Michael Schuerig]
* Use before_filter rather than prepend_before_filter so necessary instance variables (and methods) can be established before trying authorization checks. This fix came about for Mephisto blog where a class-level permit "admin of site" was used. The site attribute was set in a before_filter. If you prepend your authorization filter, it will execute before any other before_filter, which is probably not a good idea.
* Add "about" yaml for future Rails plugin directory.
* Cleaned up exception handling a little [due to suggestion by Michael Schuerig]
* Add generator for role model and migration, e.g., "script/generate role_model Role".
Role model must be called "Role" at this time. More general naming as a TO DO.
* Removed simple_roles_table to simplify plugin.
* Moved all files in Authorization namespace into /publishare subdirectory
to reduce danger of clashes in load path [nod to Michael Schuerig].
* Small code refinement patch [Michael Schuerig]
* The colon preceding a model name in the authorization expression is now optional. The parser uses accepted prepositions to disambiguate models from roles.
* Change default parser from Recursive Descent parser to Eval parser.
Currently implemented recursive descent parser doesn't handle left-sided
boolean expressions well. Eval parser relies on Ruby (good thing), but
wherever there's an eval, we have to be more careful.
* Will start linking to and monitoring forum area at RubyForge
* Added changelog :)
* Added return false to handle_redirection to short-circuit filters if
redirect occurs. This is second fix to prevent double renders.
* Changed the requires to pull files from the plugin directory. (Necessary for name conflicts between plugin and apps)
* Minor fixes to update documentation
=== 1.0 rc3 (July 19, 2006)
* Fix to prevent double redirect
* Fix to migration examples
... see svn log