
* added Gemfile to get frozen versions

* reworked the way you can filter groups even further: guard_filter on the controller

* try to set the before-filter 'authorize' on the ApplicationController instead of ActionController::Base

* reorganized the specs which splits the big hash and sorts arrays before comparing things
1 parent e60b356 commit 13be69850043042cdf1bad07b980b470f8adba48 @mkristian committed Mar 19, 2012
@@ -1,3 +1,5 @@
target
*.pom
*.files
+bin
+.bundle
@@ -0,0 +1,3 @@
+source :rubygems
+
+gemspec
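Review bot: `source :rubygems` resolves to the plain-HTTP index, as the `remote: http://rubygems.org/` line in the Gemfile.lock added by this same commit shows, so gem metadata and downloads for this authorization library are not protected in transit. Name the HTTPS endpoint explicitly with `source 'https://rubygems.org'` and regenerate Gemfile.lock so its `remote:` entry matches.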
@@ -0,0 +1,109 @@
+PATH
+ remote: .
+ specs:
+ ixtlan-guard (0.8.0)
+ ixtlan-core (~> 0.7.0)
+
+GEM
+ remote: http://rubygems.org/
+ specs:
+ abstract (1.0.0)
+ actionmailer (3.0.9)
+ actionpack (= 3.0.9)
+ mail (~> 2.2.19)
+ actionpack (3.0.9)
+ activemodel (= 3.0.9)
+ activesupport (= 3.0.9)
+ builder (~> 2.1.2)
+ erubis (~> 2.6.6)
+ i18n (~> 0.5.0)
+ rack (~> 1.2.1)
+ rack-mount (~> 0.6.14)
+ rack-test (~> 0.5.7)
+ tzinfo (~> 0.3.23)
+ activemodel (3.0.9)
+ activesupport (= 3.0.9)
+ builder (~> 2.1.2)
+ i18n (~> 0.5.0)
+ activerecord (3.0.9)
+ activemodel (= 3.0.9)
+ activesupport (= 3.0.9)
+ arel (~> 2.0.10)
+ tzinfo (~> 0.3.23)
+ activeresource (3.0.9)
+ activemodel (= 3.0.9)
+ activesupport (= 3.0.9)
+ activesupport (3.0.9)
+ arel (2.0.10)
+ builder (2.1.2)
+ cucumber (0.9.4)
+ builder (~> 2.1.2)
+ diff-lcs (~> 1.1.2)
+ gherkin (~> 2.2.9)
+ json (~> 1.4.6)
+ term-ansicolor (~> 1.0.5)
+ diff-lcs (1.1.3)
+ erubis (2.6.6)
+ abstract (>= 1.0.0)
+ gherkin (2.2.9)
+ json (~> 1.4.6)
+ term-ansicolor (~> 1.0.5)
+ i18n (0.5.0)
+ ixtlan-core (0.7.3)
+ json (1.4.6)
+ mail (2.2.19)
+ activesupport (>= 2.3.6)
+ i18n (>= 0.4.0)
+ mime-types (~> 1.16)
+ treetop (~> 1.4.8)
+ mime-types (1.17.2)
+ polyglot (0.3.3)
+ rack (1.2.5)
+ rack-mount (0.6.14)
+ rack (>= 1.0.0)
+ rack-test (0.5.7)
+ rack (>= 1.0)
+ rails (3.0.9)
+ actionmailer (= 3.0.9)
+ actionpack (= 3.0.9)
+ activerecord (= 3.0.9)
+ activeresource (= 3.0.9)
+ activesupport (= 3.0.9)
+ bundler (~> 1.0)
+ railties (= 3.0.9)
+ railties (3.0.9)
+ actionpack (= 3.0.9)
+ activesupport (= 3.0.9)
+ rake (>= 0.8.7)
+ rdoc (~> 3.4)
+ thor (~> 0.14.4)
+ rake (0.8.7)
+ rdoc (3.12)
+ json (~> 1.4)
+ rspec (2.6.0)
+ rspec-core (~> 2.6.0)
+ rspec-expectations (~> 2.6.0)
+ rspec-mocks (~> 2.6.0)
+ rspec-core (2.6.4)
+ rspec-expectations (2.6.0)
+ diff-lcs (~> 1.1.2)
+ rspec-mocks (2.6.0)
+ ruby-maven (3.0.3.0.28.5)
+ thor (~> 0.14.6)
+ term-ansicolor (1.0.7)
+ thor (0.14.6)
+ treetop (1.4.10)
+ polyglot
+ polyglot (>= 0.3.1)
+ tzinfo (0.3.32)
+
+PLATFORMS
+ ruby
+
+DEPENDENCIES
+ cucumber (= 0.9.4)
+ ixtlan-guard!
+ rails (= 3.0.9)
+ rake (= 0.8.7)
+ rspec (= 2.6.0)
+ ruby-maven (= 3.0.3.0.28.5)
@@ -79,31 +79,26 @@ to get an instance of the **Guard** on the controller itself just call `guard`.
sometimes you want to bind resource to a user/group pair, i.e. given an organizations which have report-writers and report-readers. example as rails before-filter:
- skip-before-filter :authorize
- before-filter :authorize_organization_reader, :only => [:show]
- before-filter :authorize_organization_writer, :only => [:edit, :update]
-
- def authorize_organization_writer
- authorize(Organisation.find(params[:org_id])) do |group, org|
- org.writer? current_user
- end
+ skip_before-filter :authorize
+ guard_filter :authorize_organization_reader, :only => [:show]
+ guard_filter :authorize_organization_writer, :only => [:edit, :update]
+
+ def authorize_organization_writer(groups)
+ groups.select { |g| g.writer?(current_user) }
end
def authorize_organization_reader
- authorize(Organisation.find(params[:org_id])) do |group, org|
- org.reader? current_user || org.writer? current_user
- end
+ groups.select { |g| g.writer?(current_user) || org.writer?(current_user)|}
end
of course you can organize such relations also like that
- skip-before-filter :authorize
- before-filter :authorize_organization
+ skip_before_filter :authorize
+ guard_filter :authorize_organization
- def authorize_organization
- authorize(Organisation.find(params[:org_id])) do |group, org|
- GroupsOrganizationsUser.where(:org_id => org.id,
- :user_id => current_user.id,
- :group_id => group.id).size == 1
- end
+ def authorize_organization(groups)
+ gou = GroupsOrganizationsUser.where(:org_id => params(:org_id),
+ :user_id => current_user.id)
+ ids = gou.collect { |i| i.group_id }
+ groups.select { |g| ids.include?(g.id) }
end
@@ -1 +1 @@
-require 'ixtlan/guard/guard_ng'
+require 'ixtlan/guard/guard'
@@ -37,19 +37,17 @@ def logger
end
end
- def allowed_groups_and_restricted(resource_name,
- action,
- current_group_names)
- allowed, restricted =
- @config.allowed_groups_and_restricted(resource_name, action)
+ def allowed_groups(resource_name,
+ action,
+ current_group_names)
+ allowed = @config.allowed_groups(resource_name, action)
allowed = allowed - blocked_groups + @superuser
- result = if allowed.member?('*')
- # keep superuser in current_groups if in there
- current_group_names - (blocked_groups - @superuser)
- else
- allowed & current_group_names
- end
- [result, restricted]
+ if allowed.member?('*')
+ # keep superuser in current_groups if in there
+ current_group_names - (blocked_groups - @superuser)
+ else
+ allowed & current_group_names
+ end
end
def group_map(current_groups)
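Review bot: The precedence between `blocked_groups` and `@superuser` in `allowed_groups` is security-relevant but only hinted at by the one inline comment. Both branches subtract the blocked groups and then keep the superuser, so a superuser group that is also listed as blocked still passes. A comment above the method would make that deliberate, for example `# blocked groups are removed first; the superuser group is always kept; '*' allows every current group`. The same comment should state that the method now returns a plain array of group names rather than the former `[result, restricted]` pair.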
@@ -71,29 +69,24 @@ def group_map(current_groups)
def check(resource_name, action, current_groups, &block)
action = action.to_s
group_map = group_map(current_groups)
- allowed_group_names, restricted =
- allowed_groups_and_restricted(resource_name, action, group_map.keys)
-
- logger.debug { "guard #{resource_name}##{action}: #{allowed_group_names.size > 0}" }
+ allowed_group_names = allowed_groups(resource_name, action, group_map.keys)
if allowed_group_names.size > 0
groups = allowed_group_names.collect { |name| group_map[name] }
- # call block to filter groups if restricted applies
- if restricted && !allowed_group_names.member?(superuser_name)
- raise "no block given to filter groups" unless block
- except = restricted['except'] || []
- only = restricted['only'] || [action]
- if !except.member?(action) && only.member?(action)
- groups = block.call(groups)
- end
+ # call block to filter groups unless we are superuser
+ if block && !allowed_group_names.member?(superuser_name)
+ groups = block.call(groups)
end
+
+ logger.debug { "guard #{resource_name}##{action}: #{groups.size > 0}" }
# nil means 'access denied', i.e. there are no allowed groups
groups if groups.size > 0
else
unless @config.has_guard?(resource_name)
raise ::Ixtlan::Guard::GuardException.new("no guard config for '#{resource_name}'")
else
+ logger.debug { "guard #{resource_name}##{action}: #{allowed_group_names.size > 0}" }
# nil means 'access denied', i.e. there are no allowed groups
nil
end
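Review bot: Group filtering in `check` now fails open: `if block && !allowed_group_names.member?(superuser_name)` silently skips the filter when no block is passed, where the removed code raised "no block given to filter groups" for resources marked `restricted`. A controller that omits its filter (presumably the `guard_filter` declaration shown in the README) is then authorized on group membership alone. A `restricted` key still present in an existing guard file is also ignored without notice; the same removal appears in the `permissions` hunk and in the config's `allowed_groups` hunk further down. If this is intended, state the contract in a comment above `check`, e.g. `# no block given: every allowed group is returned unfiltered`, and consider rejecting guard files that still carry `restricted` so an upgrade cannot quietly loosen a policy. `check` starts before this hunk and continues past its last line.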
@@ -114,8 +107,6 @@ def permissions(current_groups, &block)
perm[:resource] = resource
perm[:actions] = nodes
- restricted = actions.delete('restricted')
-
# setup default_groups
default_groups = actions.delete('defaults') || []
default_groups = group_map.keys & (default_groups + @superuser) unless default_groups.member?('*')
@@ -9,14 +9,12 @@ def initialize(options = {})
raise GuardException.new("guards directory does not exists: #{@guards_dir}") unless File.directory?(@guards_dir)
end
- def allowed_groups_and_restricted(resource, action)
+ def allowed_groups(resource, action)
if resource && action
groups = send(@load_method, resource.to_s)
- restricted = groups.delete('restricted')
- [groups[action.to_s] || groups["defaults"] || [],
- restricted == true ? {} : restricted]
+ groups[action.to_s] || groups["defaults"] || []
else
- [[], nil]
+ []
end
end