Add information on defining custom guards

Author: elpete

README.md

@@ -107,7 +107,7 @@ component secured {
 
 The methods available to you on the `Guard` component are as follows:
 
-```
+```cfc
 public boolean function allows( required any permissions, struct additionalArgs = {} );
 public boolean function denies( required any permissions, struct additionalArgs = {} );
 public boolean function all( required any permissions, struct additionalArgs = {} );
@@ -120,8 +120,43 @@ In all cases `permissions` can be either a string, a list of strings, or an arra
 In the case of `authorize` the `errorMessage` replaces the thrown error message
 in the `NotAuthorized`. exception.  It can also be a closure that takes the following shape:
 
+```cfc
+string function errorMessage( array permissions, any user, struct additionalArgs );
 ```
-string function errorMessage( string failedPermission, any user, struct additionalArgs );
+
+#### Defining Custom Guards
+
+While handling all of your guard clauses inside the `hasPermission` method on your user
+works fine, you may want to define a different way to handle permissions.  You
+can do this by declaring custom guards using the `guard.define` method.  Here's the signature:
+
+```cfc
+public Guard function define( required string name, required any callback );
+```
+
+The `name` will match against a permission name.  If it matches, the guard is
+called instead of calling `hasPermission` on the `User` model. (You can always
+call `hasPermission` on the `User` inside your guard callback if you need.)
+
+The callback can be: a closure or UDF, a component with an `authorize` function,
+or a WireBox mapping to a component with an `authorize` function. Please note
+that the authorize function must be explicitly defined and public (No `onMissingMethod`).
+This `authorize` function is called with two parameters: the `user` being authorized
+and a struct of `additionalArgs` and must return a `boolean`, like so:
+
+```cfc
+public boolean function authorize( required any user, struct additionalArgs = {} );
+```
+
+Using this approach, you can define custom guards anywhere in your application:
+`config/ColdBox.cfc`, `ModuleConfig.cfc` of your custom modules, etc.  The
+`Guard` component is registered as a singleton, so it will keep track of all the
+guards registered, even from different sources.
+
+If you have a need to remove a guard definition you can do so with the `removeDefinition` method:
+
+```cfc
+public Guard function removeDefinition( required string name );
 ```
 
 ### Redirects

models/Guard.cfc

@@ -1,123 +1,195 @@
-component singleton {
+component singleton accessors="true" {
 
     property name="settings" inject="coldbox:moduleSettings:cbguard";
     property name="moduleService" inject="coldbox:moduleService";
     property name="wirebox" inject="wirebox";
 
-    function allows( required any permissions, struct additionalArgs = {}, boolean negate = false ) {
-        var context = preflight();
+    property name="guards" type="struct";
 
-        for ( var permission in arrayWrap( arguments.permissions ) ) {
-            var hasPermission = invoke(
-                context.user,
-                context.props.methodNames[ "hasPermission" ],
-                {
-                    "permission": permission,
-                    "additionalArgs": arguments.additionalArgs
-                }
+    /**
+     * Creates a new Guard service
+     *
+     * @returns cbguard.models.Guard
+     */
+    public Guard function init() {
+        variables.guards = {};
+        return this;
+    }
+
+    /**
+     * Defines a new custom guard.  A custom guard is used instead of the
+     * user model's `hasPermission` method.
+     *
+     * @name      The name of the permission to match for this custom guard.
+     * @callback  The callback to resolve the custom guard. It should return a boolean.
+     *            This can be one of the following:
+     *                1. A UDF or closure.
+     *                2. A component with an `authorize` method.
+     *                3. A WireBox mapping that resolves to a component with an `authorize` method.
+     *
+     * @throws    InvalidGuardType
+     *
+     * @returns   cbguard.models.Guard
+     */
+    public Guard function define( required string name, required any callback ) {
+        if ( isSimpleValue( arguments.callback ) ) {
+            arguments.callback = variables.wirebox.getInstance( dsl = callback );
+            if ( !structKeyExists( arguments.callback, "authorize" ) ) {
+                throw(
+                    type = "InvalidGuardType",
+                    message = "A component guard must have an `authorize` method defined."
+                );
+            }
+        } else if ( isClosure( arguments.callback ) || isCustomFunction( arguments.callback ) ) {
+            arguments.callback = { "authorize": arguments.callback };
+        } else {
+            throw(
+                type = "InvalidGuardType",
+                message = "Cannot define a guard without either a component with an `authorize` method, a WireBox mapping to a component with an `authorize` method, or a closure or UDF function."
             );
+        }
+
+        variables.guards[ arguments.name ] = arguments.callback;
+        return this;
+    }
 
-            if ( hasPermission ) {
+    /**
+     * Removes a custom guard definition.
+     *
+     * @name     The name of the permission to remove the custom guard.
+     * @returns  cbguard.models.Guard
+     */
+    public Guard function removeDefinition( required string name ) {
+        structDelete( variables.guards, arguments.name );
+        return this;
+    }
+
+
+    /**
+     * Returns true if the logged in user is allowed for any of the permissions.
+     *
+     * @permissions     A single string permission, list of string permissions,
+     *                  or array of string permissions to check.
+     * @additionalArgs  A struct of any additional arguments to pass to the guard.
+     *
+     * @returns         boolean
+     */
+    public boolean function allows( required any permissions, struct additionalArgs = {} ) {
+        var context = preflight();
+
+        for ( var permission in arrayWrap( arguments.permissions ) ) {
+            if ( resolvePermission( permission, context, arguments.additionalArgs ) ) {
                 return true;
             }
         }
 
         return false;
     }
 
-    function denies( required any permissions, struct additionalArgs = {} ) {
+    /**
+     * Returns true if the logged in user is not allowed for at least one of the permissions.
+     *
+     * @permissions     A single string permission, list of string permissions,
+     *                  or array of string permissions to check.
+     * @additionalArgs  A struct of any additional arguments to pass to the guard.
+     *
+     * @returns         boolean
+     */
+    public boolean function denies( required any permissions, struct additionalArgs = {} ) {
         var context = preflight();
 
         for ( var permission in arrayWrap( arguments.permissions ) ) {
-            var hasPermission = invoke(
-                context.user,
-                context.props.methodNames[ "hasPermission" ],
-                {
-                    "permission": permission,
-                    "additionalArgs": arguments.additionalArgs
-                }
-            );
-
-            if ( !hasPermission ) {
+            if ( !resolvePermission( permission, context, arguments.additionalArgs ) ) {
                 return true;
             }
         }
 
         return false;
     }
 
+    /**
+     * Returns true if the logged in user is allowed for all of the permissions.
+     *
+     * @permissions     A single string permission, list of string permissions,
+     *                  or array of string permissions to check.
+     * @additionalArgs  A struct of any additional arguments to pass to the guard.
+     *
+     * @returns         boolean
+     */
     public boolean function all( required any permissions, struct additionalArgs = {} ) {
         var context = preflight();
 
         for ( var permission in arrayWrap( arguments.permissions ) ) {
-            var hasPermission = invoke(
-                context.user,
-                context.props.methodNames[ "hasPermission" ],
-                {
-                    "permission": permission,
-                    "additionalArgs": arguments.additionalArgs
-                }
-            );
-
-            if ( !hasPermission ) {
+            if ( !resolvePermission( permission, context, arguments.additionalArgs ) ) {
                 return false;
             }
         }
 
         return true;
     }
 
+    /**
+     * Returns true if the logged in user is denied for all of the permissions.
+     *
+     * @permissions     A single string permission, list of string permissions,
+     *                  or array of string permissions to check.
+     * @additionalArgs  A struct of any additional arguments to pass to the guard.
+     *
+     * @returns         boolean
+     */
     public boolean function none( required any permissions, struct additionalArgs = {} ) {
         var context = preflight();
 
         for ( var permission in arrayWrap( arguments.permissions ) ) {
-            var hasPermission = invoke(
-                context.user,
-                context.props.methodNames[ "hasPermission" ],
-                {
-                    "permission": permission,
-                    "additionalArgs": arguments.additionalArgs
-                }
-            );
-
-            if ( hasPermission ) {
+            if ( resolvePermission( permission, context, arguments.additionalArgs ) ) {
                 return false;
             }
         }
 
         return true;
     }
 
-    public void function authorize(
+    /**
+     * Throws an exception if the logged in user is not allowed for any of the permissions.
+     *
+     * @permissions     A single string permission, list of string permissions,
+     *                  or array of string permissions to check.
+     * @additionalArgs  A struct of any additional arguments to pass to the guard.
+     * @errorMessage    The error message to throw with the exception.
+     *                  It can be either:
+     *                      1. A string error message
+     *                      2. A closure or UDF that will produce a string error
+     *                         message.  This callback receives the following arguments:
+     *                             a. The `permissions` tried.
+     *                             b. The logged in `user`.
+     *                             c. The `additionalArgs` passed.
+     *
+     * @throws          NotAuthorized
+     *
+     * @returns         cbguard.models.Guard
+     */
+    public Guard function authorize(
         required any permissions,
         struct additionalArgs = {},
-        string errorMessage
+        any errorMessage
     ) {
         var context = preflight();
 
-        var failedPermission = "";
-        for ( var permission in arrayWrap( arguments.permissions ) ) {
-            var hasPermission = invoke(
-                context.user,
-                context.props.methodNames[ "hasPermission" ],
-                {
-                    "permission": permission,
-                    "additionalArgs": arguments.additionalArgs
-                }
-            );
-
-            if ( !hasPermission ) {
-                failedPermission = permission;
+        arguments.permissions = arrayWrap( arguments.permissions );
+        var passed = false;
+        for ( var permission in arguments.permissions ) {
+            if ( resolvePermission( permission, context, arguments.additionalArgs ) ) {
+                passed = true;
                 break;
             }
         }
 
-        if ( failedPermission != "" ) {
+        if ( !passed ) {
             param arguments.errorMessage = "The logged in user is not authorized to access this resource";
 
             if ( isClosure( arguments.errorMessage ) || isCustomFunction( arguments.errorMessage ) ) {
                 arguments.errorMessage = arguments.errorMessage(
-                    failedPermission = failedPermission,
+                    permissions = arguments.permissions,
                     user = context.user,
                     additionalArgs = arguments.additionalArgs
                 );
@@ -128,8 +200,19 @@ component singleton {
                 message = arguments.errorMessage
             );
         }
+
+        return this;
     }
 
+    /**
+     * Handles getting the current cbguard context for this guard.
+     * Returns a struct with the current `RequestContext` (`event`), the current
+     * settings for the request (`props`), and the currently logged in user (`user`).
+     *
+     * @throws   NotLoggedIn
+     *
+     * @returns  { "event", "props", "user" }
+     */
     private struct function preflight() {
         var event = variables.wirebox.getInstance( dsl = "coldbox:requestContext" );
 
@@ -161,6 +244,49 @@ component singleton {
         };
     }
 
+    /**
+     * Resolves the permission check.  It first checks and tries any custom guards.
+     * If no custom guards exist, it checks the current user's `hasPermission` method.
+     *
+     * @permission      The permission being checked.
+     * @context         The guard context, including `event`, `props`, and `user`.
+     * @additionalArgs  A struct of any additional arguments to pass to the guard.
+     *
+     * @return          boolean
+     */
+    private boolean function resolvePermission(
+        required string permission,
+        required struct context,
+        struct additionalArgs = {}
+    ) {
+        if ( variables.guards.keyExists( arguments.permission ) ) {
+            return invoke(
+                variables.guards[ arguments.permission ],
+                "authorize",
+                {
+                    "user": arguments.context.user,
+                    "additionalArgs": arguments.additionalArgs
+                }
+            );
+        }
+
+        return invoke(
+            arguments.context.user,
+            arguments.context.props.methodNames[ "hasPermission" ],
+            {
+                "permission": arguments.permission,
+                "additionalArgs": arguments.additionalArgs
+            }
+        );
+    }
+
+    /**
+     * Ensures that the returned value is an array.
+     * Returns a passed array unmodified. Calls `listToArray` on all other values.
+     *
+     * @doc_generic  any
+     * @return       [any]
+     */
     private array function arrayWrap( required any items ) {
         return isArray( arguments.items ) ? items : items.listToArray();
     }

tests/resources/app/models/CustomGuard.cfc

@@ -0,0 +1,7 @@
+component {
+
+    function authorize( required user, struct additionalArgs = {} ) {
+        return arguments.user.getId() == 2;
+    }
+
+}