TO DO
+ Add Right model generator and DB-backed way of handling rights in addition to inlined "permit" checks
+ Added namespacing to @options instance variable to prevent possible name clashes
+ Add test generator instead of handling tests in test apps
+ Add support for groups
+ Extend grammar to allow "(admin or moderator or some_role) of some_model" (?) [Chris Hapgood]
+ Extend coverage to models. Look at Bruce Perens's ModelSecurity and access with_scope. (9/3006 - Recently investigated extension to model and the most programmer-friendly DSLs may require too much hacking on ActiveRecord.)
CHANGES (from most recent to oldest)
=== 1.0.10 release (February 27, 2008)
* Patch Series : Granular redirection configuration submitted by Thomas Weibel
  WARNING : If you are upgrading from a previous install you may need
  to change some configuration settings in your environment.rb file.
    Remove DEFAULT_REDIRECTION_HASH config
    Added granular LOGIN_REQUIRED_REDIRECTION hash or path config
    Added granular PERMISSION_DENIED_REDIRECTION hash or path config
    Added STORE_LOCATION_METHOD config
    Support custom flash messages for each redirection type
    Updated README.txt to provide instructions.
    Enhanced support for integration with restful_authentication plugin.
=== 1.0.9 release (February 26, 2008)
* Patch #8571 : Add type argument to is_role_of_what submitted by Aslak Hellesøy (aslak_hellesoy)
  In my RESTful index views for an AR type I often want to list all of the records *for a given type* for which the current
  user has the role "show". (As opposed to getting *any* record for which the user has the role)
  In order to achieve this, I have patched identity.rb so that I can do this:

    def index
      if current_user.permit? 'admin'
        # show all projects
        @projects = Project.find(:all)
      else
        @projects = current_user.is_show_for_what(Project)
      end
    end
=== 1.0.8 release (February 26, 2008)
* Patch #11352 : Fixes a bug with role_regex and simple quoted roles submitted by 'a French RoR developer'
  Documentation says:
    <role> ::= /\w+/ | /'.*'/
  But the next permission string isn't well parsed: " 'abcd:efgh' or 'abcd:ijkl' "
  You get an error because the role_regex defined in parser.rb eats every simple quote between the first and the last
  simple quote in the string.
  So I patched the two instances of role_regex in parser.rb, from this:
    role_regex = '\s*(\'\s*(.+)\s*\'|([A-Za-z]\w*))\s*'
  to this (the question mark ends the first pattern as soon as possible, preventing the inner simple quotes from being eaten):
    role_regex = '\s*(\'\s*(.+?)\s*\'|([A-Za-z]\w*))\s*'
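The greedy-versus-lazy difference above, as an added example that is not code from the plugin or the patch: it runs the pre-patch and patched role_regex over the permission string from the bug report and lists what each pattern captures. The role-extraction helper and the sample strings are constructed here for illustration.

```ruby
# Added example, not the plugin's code: reproduces the role_regex bug by
# running the greedy (pre-patch) and lazy (patched) patterns over a
# permission string and listing the role tokens each one captures.

GREEDY_ROLE_REGEX = /\s*('\s*(.+)\s*'|([A-Za-z]\w*))\s*/   # before the patch
LAZY_ROLE_REGEX   = /\s*('\s*(.+?)\s*'|([A-Za-z]\w*))\s*/  # after the patch

# Constructed sample input: the permission string from the bug report.
PERMISSION_STRING = " 'abcd:efgh' or 'abcd:ijkl' "

# Returns the role tokens the given regex pulls out of a permission string.
# Capture group 2 holds the body of a quoted role, group 3 a bare role word.
# The regex alone knows nothing about operators, so a bare "or" is returned
# as a token too; the plugin's parser handles operators separately.
def roles_matched(regex, str)
  str.scan(regex).map { |_alt, quoted, bare| quoted || bare }
end

# With the greedy pattern the first quote pairs with the LAST quote, so both
# roles (and the operator between them) collapse into one bogus role.
# With the lazy pattern each quoted role is closed by its own quote.
if __FILE__ == $PROGRAM_NAME
  puts "greedy: #{roles_matched(GREEDY_ROLE_REGEX, PERMISSION_STRING).inspect}"
  puts "lazy:   #{roles_matched(LAZY_ROLE_REGEX, PERMISSION_STRING).inspect}"
end
```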
=== 1.0.7 release (February 25, 2008)
* Patch #9431 : Fixes a bug in identity.rb submitted by Michel Martens (blaumag)
  If some authorizable instance accepts a role, then it responds true when queried for has_[role_name]?
  Example:
    country.has_kings? #=> false
    user.has_role "king", country
    country.has_kings? #=> true
    user.has_no_role "king", country
    country.has_kings? #=> true
  The last time, country.has_kings? should be false.
=== 1.0.6 release (February 25, 2008)
* Patch #12170 : Additional HABTM options for acts_as_authorized_user
  A very simple patch that allows options to be passed to the has_and_belongs_to_many relationship. This seems necessary
  if the "User" object has a different name from the table name. has_and_belongs_to_many does not automatically
  use the table set by the "User" object so it must be specified (along with the foreign key if applicable).
  Patch submitted by Eric Anderson (eric1234)
=== 1.0.5 release (February 25, 2008)
* Feature : Add additional test for current_user being set to the symbol ':false'.
  This is for compatibility with the restful_authentication plugin which will
  set current_user to :false on a bad login. Previously we were only testing
  for current_user.nil? which was incomplete.
=== 1.0.4 release (February 25, 2008)
* Bugfix : RubyForge bug #9368. Problems with about.yml
  Fixes a minor bug in the about.yml plugin metadata file
  so that it will parse cleanly. [GR]
=== 1.0.3 release (February 17, 2008)
* Minor changes to USAGE text for ./script/generate role_model
=== 1.0.2 release (February 17, 2008)
* From this release forward the plugin requires use of Ruby on Rails version 2.x. Version 1.0.1 is the final release fully compatible with Rails 1.2.x.
* Upgraded the database migration generator to create the new Rails 2.0.x style 'sexy migrations'.
=== 1.0.1 release (February 17, 2008)
* Moved source code to public Git repository at GitHub.com (http://github.com/DocSavage/rails-authorization-plugin/tree/master)
* Removed attr_protected declaration from acts_as_authorized_user, acts_as_authorizable methods. These conflicted with usage of the Authorization plugin with models generated by the restful_authentication generator or any model that specified the safer attr_accessible whitelist. RA encourages the safer attr_accessible whitelisting of attributes that are accessible from its models. You cannot apply both attr_accessible and attr_protected in the same model. Users are encouraged to specify a whitelist of attr_accessible model attributes for their application's security. [grempe]
=== SVN
* Performance improvement for has_role? [Sean Geoghegan]
* Allow customization of message on redirection after failed authorization (:redirect_message option) [Joey Geiger]
* Patch to allow authorizable objects that use single table inheritance (STI) [Sean Geoghegan]
=== 1.0 release (Sept 13, 2006)
* Added attr_protected for habtm and has_many role ids to block security concern if developers use update_attributes(params[:auth_obj]) on an authorizable object [Michael Schuerig]
* Use before_filter rather than prepend_before_filter so necessary instance variables (and methods) can be established before trying authorization checks. This fix came about for Mephisto blog where a class-level permit "admin of site" was used. The site attribute was set in a before_filter. If you prepend your authorization filter, it will execute before any other before_filter, which is probably not a good idea.
* Add "about" yaml for future Rails plugin directory.
* Cleaned up exception handling a little [due to suggestion by Michael Schuerig]
* Add generator for role model and migration, e.g., "script/generate role_model Role".
  Role model must be called "Role" at this time. More general naming as a TO DO.
* Removed simple_roles_table to simplify plugin.
* Moved all files in Authorization namespace into /publishare subdirectory
  to reduce danger of clashes in load path [nod to Michael Schuerig].
* Small code refinement patch [Michael Schuerig]
* The colon preceding a model name in the authorization expression is now optional. The parser uses accepted prepositions to disambiguate models from roles.
* Change default parser from Recursive Descent parser to Eval parser.
  Currently implemented recursive descent parser doesn't handle left-sided
  boolean expressions well. Eval parser relies on Ruby (good thing), but
  wherever there's an eval, we have to be more careful.
* Will start linking to and monitoring forum area at RubyForge
  http://rubyforge.org/forum/?group_id=1797
* Added changelog :)
* Added return false to handle_redirection to short-circuit filters if
  redirect occurs. This is second fix to prevent double renders.
* Changed the requires to pull files from the plugin directory. (Necessary for name conflicts between plugin and apps)
* Minor fixes to update documentation
=== 1.0 rc3 (July 19, 2006)
* Fix to prevent double redirect
* Fix to migration examples
... see svn log