diff --git a/CHANGELOG.md b/CHANGELOG.md index 194d662..80e3747 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ This changelog adheres to [Keep a CHANGELOG](http://keepachangelog.com/). - Internal improvement of RightOn::ByGroup - Internal extraction of 'allowed?' feature for failure message - CanCanRight functionality merged into RightOn +- Cleanup of CanCanRight/RightOn merge ### Fixed - [TT-3352] Ensure roles currently in use cannot be deleted diff --git a/lib/right_on/action_controller_extensions.rb b/lib/right_on/action_controller_extensions.rb deleted file mode 100644 index b1af4f8..0000000 --- a/lib/right_on/action_controller_extensions.rb +++ /dev/null @@ -1,69 +0,0 @@ -module RightOn - - module ActionControllerExtensions - - def self.included(base) - base.module_eval do - helper_method :access_allowed?, :access_allowed_to_controller? - class_attribute :rights_from - class_attribute :permission_denied_layout - end - end - - # Checks the access privilege of the user and renders permission_denied page if required - def verify_rights - access_allowed?(controller_action_options) || permission_denied - end - - # Checks the access privilege for a controller - def access_allowed_to_controller?(controller) - controller_class = "#{controller.to_s.camelcase}Controller".safe_constantize - - # Handle inheritance of rights - if controller_class && controller_class.rights_from.present? - controller = controller_class.rights_from.to_s - end - - access_allowed?(controller) - end - - # Checks the access privilege of the user and returns true or false - def access_allowed?(opts={}) - if opts.is_a?(String) - controller, action = opts.split('#') - opts = { controller: controller, action: action } - end - opts[:controller] ||= params[:controller] - opts[:action] ||= params[:action] - allower = RightAllowed.new(opts.fetch(:controller), opts.fetch(:action)) - current_user.rights.any? { |right| allower.allowed?(right) } - end - - # Called if a security check determines permission is denied - def permission_denied - @permission_denied_response = RightOn::PermissionDeniedResponse.new(params, controller_action_options) - - respond_to do |format| - format.html { render status: 401, template: 'permission_denied', layout: (permission_denied_layout || false) } - format.json do - render status: 401, json: @permission_denied_response.to_json - end - format.js do - render :update, status: 401 do |page| - page.alert(@permission_denied_layout.text_message) - end - end - end - - false - end - - def controller_action_options - opts = params.slice(:controller, :action) - opts[:controller] = rights_from.to_s if rights_from - opts - end - - end - -end diff --git a/lib/right_on/by_group.rb b/lib/right_on/by_group.rb index 000c00c..14b325b 100644 --- a/lib/right_on/by_group.rb +++ b/lib/right_on/by_group.rb @@ -42,7 +42,9 @@ def action_rights(controller, actions) end def rights_by_name!(name) - @rights_by_name[name] or fail name.inspect + @rights_by_name[name] or fail RightOn::RightNotFound, name.inspect end end + + RightNotFound = Class.new(RightOn::Error) end diff --git a/lib/right_on/controller_additions.rb b/lib/right_on/controller_additions.rb index 450c813..841bc5e 100644 --- a/lib/right_on/controller_additions.rb +++ b/lib/right_on/controller_additions.rb @@ -1,5 +1,14 @@ module RightOn module ControllerAdditions + def self.included(base) + base.module_eval do + class_attribute :rights_from + class_attribute :permission_denied_layout + end + end + + private + def authorize_action! controller = (self.rights_from || params[:controller]).to_s action = params[:action].to_s @@ -10,14 +19,34 @@ def authorize_action! end def can_access_controller_action?(controller, action) - (can?(:access, controller) && !Right.where(subject: controller + '#' + action).exists?) || + (can?(:access, controller) && !Right.where(ccr_subject: controller + '#' + action).exists?) || can?(:access, controller + '#' + action) end - end -end -if defined? ActionController::Base - ActionController::Base.class_eval do - include RightOn::ControllerAdditions + def access_granted? + can? :access, [params[:controller], params[:action]].join('#') + end + + def rescue_access_denied(exception) + @permission_denied_response = RightOn::PermissionDeniedResponse.new(params, controller_action_options) + + respond_to do |format| + format.html do + render status: :unauthorized, + template: 'permission_denied', + layout: ( permission_denied_layout || false ) + end + + format.json do + render status: :unauthorized, json: @permission_denied_response.to_json + end + end + end + + def controller_action_options + opts = params.slice(:controller, :action) + opts[:controller] = rights_from.to_s if rights_from + opts + end end end diff --git a/lib/right_on/rails.rb b/lib/right_on/rails.rb index cdb9a5d..75a27cf 100644 --- a/lib/right_on/rails.rb +++ b/lib/right_on/rails.rb @@ -1,7 +1,11 @@ require 'right_on/role_model' +require 'right_on/ability' +require 'right_on/rule' +require 'right_on/error' require 'right_on/right' require 'right_on/role' require 'right_on/right_allowed' require 'right_on/by_group' -require 'right_on/action_controller_extensions' +require 'cancan/exceptions' +require 'right_on/controller_additions' require 'right_on/permission_denied_response' diff --git a/spec/action_controller_extensions_spec.rb b/spec/action_controller_extensions_spec.rb deleted file mode 100644 index 2e97013..0000000 --- a/spec/action_controller_extensions_spec.rb +++ /dev/null @@ -1,34 +0,0 @@ -require 'spec_helper' - -require 'action_controller' -class AdminController < ActionController::Base - include RightOn::ActionControllerExtensions - def current_user - Thread.current[:user] - end -end - -describe AdminController do - let(:basic_user) { User.where(name: 'basic').first } - let(:admin_user) { User.where(name: 'admin').first } - - before do - Bootstrap.reset_database - controller.params = {controller: 'admin', action: 'index'} - end - - let(:controller) { AdminController.new } - context 'basic user' do - before { Thread.current[:user] = basic_user } - it 'should not allow access' do - expect(controller.access_allowed?).to be false - end - end - - context 'admin user' do - before { Thread.current[:user] = admin_user } - it 'should allow access' do - expect(controller.access_allowed?).to be true - end - end -end diff --git a/spec/controller_additions_spec.rb b/spec/controller_additions_spec.rb index a3baa3b..d450f7d 100644 --- a/spec/controller_additions_spec.rb +++ b/spec/controller_additions_spec.rb @@ -22,7 +22,6 @@ def self.where(args) describe RightOn::ControllerAdditions do let(:rule_override) { false } before do - rule_class = class_double('RightOn::ControllerAdditions::Model') allow(RightOn::Right).to receive(:where).and_return(double(exists?: rule_override)) end @@ -36,6 +35,8 @@ def initialize(user) end class Controller < ActionController::Base + include RightOn::ControllerAdditions + def rights_from nil end @@ -54,10 +55,6 @@ def current_user Controller.new } - it 'should respond to authorize_action!' do - expect(controller.respond_to? :authorize_action!).to be_truthy - end - describe 'private #authorize_action!' do context 'when the ability has a matching rule' do let(:right) { diff --git a/spec/right_on_spec.rb b/spec/right_on_spec.rb index b97125c..0ac9edc 100644 --- a/spec/right_on_spec.rb +++ b/spec/right_on_spec.rb @@ -100,38 +100,3 @@ end end end - -describe 'when checking accessibility to a controller' do - - let(:test_controller_right) { RightOn::Right.new(name: 'test', controller: 'test') } - let(:user) { double(rights: [test_controller_right]) } - let(:controller) { 'test' } - let(:action) { 'index' } - let(:params) { {controller: 'test', action: 'index'} } - - before do - stub_const 'TestController', double(current_user: user, params: params) - TestController.extend RightOn::ActionControllerExtensions - allow(TestController).to receive(:rights_from).and_return(nil) - end - - specify { expect(TestController.access_allowed?(controller)).to be_truthy } - specify { expect(TestController.access_allowed?('other')).to be_falsey } - specify { expect(TestController.access_allowed_to_controller?(controller)).to be_truthy } - specify { expect(TestController.access_allowed_to_controller?('other')).to be_falsey } - - describe 'when inheriting rights' do - let(:controller) { 'test_inherited' } - - before do - stub_const 'TestInheritedController', double(current_user: user, params: params) - TestInheritedController.extend RightOn::ActionControllerExtensions - allow(TestInheritedController).to receive(:rights_from).and_return(:test) - end - - specify { expect(TestInheritedController.access_allowed?(controller)).to be_falsey } - specify { expect(TestInheritedController.access_allowed?('other')).to be_falsey } - specify { expect(TestInheritedController.access_allowed_to_controller?(controller)).to be_truthy } - specify { expect(TestInheritedController.access_allowed_to_controller?('other')).to be_falsey } - end -end diff --git a/spec/support/bootstrap.rb b/spec/support/bootstrap.rb index 0b434cb..b7bf4d6 100644 --- a/spec/support/bootstrap.rb +++ b/spec/support/bootstrap.rb @@ -1,18 +1,4 @@ class Bootstrap - def self.reset_database - RightOn::Right.delete_all - RightOn::Role.delete_all - User.delete_all - - basic_right = RightOn::Right.create!(name: 'basic', controller: 'basic') - admin_right = RightOn::Right.create!(name: 'admin', controller: 'admin') - basic_role = RightOn::Role.create!(title: 'Basic', rights: [basic_right]) - admin_role = RightOn::Role.create!(title: 'Admin', rights: [admin_right]) - - User.create!(name: 'basic', roles: [basic_role]) - User.create!(name: 'admin', roles: [basic_role, admin_role]) - end - def self.various_rights_with_actions RightOn::Right.delete_all { diff --git a/spec/support/coverage_loader.rb b/spec/support/coverage_loader.rb index f3f74d0..f670163 100644 --- a/spec/support/coverage_loader.rb +++ b/spec/support/coverage_loader.rb @@ -1,4 +1,4 @@ require 'simplecov-rcov' require 'coveralls' require 'coverage/kit' -Coverage::Kit.setup(minimum_coverage: 92.2) +Coverage::Kit.setup(minimum_coverage: 92.8)