
A handful of pointers into the apps code on where to find bits of dec…

…l_auth
1 parent d4ada51 commit d3f7f44c8f9a6ae982139b8abc4fa8f09b5003ad @stffn committed Mar 5, 2009
@@ -51,6 +51,40 @@ http://github.com/stffn/declarative_authorization
`----------------------------------* TalkAttendees
+== Most Interesting Spots
+
+A few tipps on where to start:
+
+* Controller authorization with before_filters to load context objects at
+ app/controllers/conference_controller.rb for a standard case and
+ app/controllers/talks_controller.rb for a nested controller.
+
+* Query rewriting to only retrieve those records from the database that the current
+ user has certain privileges on in app/controllers/conferences_controller.rb in
+ ConferencesController#index
+
+* Model authorization for conferences in app/models/conference.rb
+
+* View authorization: e.g.
+ app/views/conferences/index.html.erb
+ app/views/talks/index.html.erb
+
+* Authorization rules in config/authorization_rules.rb
+
+* Testing with specific roles in
+ test/unit/conferences_test.rb for user-specific model tests,
+ test/functional/conference_controller_test.rb for get/post/delete_with,
+ test/test_helper.rb for the test environment setup for decl_auth
+
+* decl_auth requirements:
+ * Controller#current_user in lib/authenticated_system.rb, which is included in
+ ApplicationController
+ * Setting Authorization.current_user for model security in
+ app/controllers/application_controller.rb
+ * A user model that responds to User#role_symbols with an Array of role symbols in
+ app/models/user.rb
+
+
== Authorization Browser
declarative_authorization comes with a browser for the application's
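Review bot: two of the file names in the new "Most Interesting Spots" list look inconsistent with the rest of this commit: the first bullet points at app/controllers/conference_controller.rb and the testing bullet at test/functional/conference_controller_test.rb (singular), while the second bullet and the controller hunk in this same commit use app/controllers/conferences_controller.rb and `class ConferencesController`. Please confirm the singular paths exist or correct them, since the whole point of the section is that readers can find the files. Also "tipps" should read "tips".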
@@ -14,6 +14,7 @@ class ConferencesController < ApplicationController
# GET /conferences
# GET /conferences.xml
def index
+ # Only show conferences that the current user may read:
@conferences = Conference.with_permissions_to(:read)
respond_to do |format|
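Review bot: the new comment on `Conference.with_permissions_to(:read)` could state what the query rewriting depends on: the README hunk above lists setting Authorization.current_user in app/controllers/application_controller.rb as a decl_auth requirement, and the records returned here depend on that having happened before the action runs. A second comment line along the lines of `# Requires Authorization.current_user to be set (see ApplicationController)` would make the dependency visible right where the README sends readers.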
@@ -1,4 +1,8 @@
class Conference < ActiveRecord::Base
+ # Activate model authorization by calling using_access_control.
+ # Every create, update, destroy will be checked and an exception raised
+ # if not allowed. For performance reasons, read isn't checked by default,
+ # but may be enabled as an option.
using_access_control
has_many :talk_objs, :class_name => "Talk"
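Review bot: the comment says read checks are off by default "but may be enabled as an option" without naming the option. Since the README hunk points to this file as the model-authorization example, the comment should spell out how the option is passed to `using_access_control`, so readers do not have to dig through the plugin to find out.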
@@ -8,6 +8,7 @@
<b><%= conference.attendees.count %></b> attendees.
</p>
<p>
+ <%# Check, if the current user may edit exactly this conference: %>
<%= link_to 'Edit', edit_conference_path(conference) \
if permitted_to? :edit, conference %>
<%= link_to 'Destroy', conference, :confirm => 'Are you sure?', :method => :delete \
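Review bot: the hunk ends in the middle of the Destroy link (the line continues after the backslash), so it is not visible whether that link is guarded with a `permitted_to? :delete, conference` check the way the Edit link is; please confirm. The comment itself reads better without the comma: "Check if the current user may edit exactly this conference:". It may also be worth a short comment that these view checks only hide links, and that the controller before_filters and model authorization mentioned in the README remain the actual enforcement.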
@@ -30,4 +31,5 @@
<br />
+<%# Only check if the current user has the general permission to create conferences: %>
<%= link_to 'New conference', new_conference_path if permitted_to? :create, :conferences %>
@@ -4,5 +4,6 @@
<br />
+<%# Check if the current user may create talks for the current conference %>
<%= link_to 'New talk', new_conference_talk_path(@conference) \
if permitted_to? :create, @conference.talks %>
@@ -8,12 +8,14 @@ def test_should_get_index
end
def test_should_get_new
+ # check that an admin may view the new page
get_with admin, :new
assert_response :success
end
def test_should_create_conference
assert_difference('Conference.count') do
+ # check that admins may create conferences
post_with admin, :create, :conference => { :title => 'Test' }
end
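Review bot: both new comments describe only the positive case (an admin may view the new page and create conferences). The unit test hunk below pairs test_should_create with test_should_not_create, and the functional tests should do the same: a `get_with`/`post_with` using a user without the admin role, asserting that the request is denied rather than succeeding, is what actually demonstrates that the before_filters from the README are in place.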
@@ -1,43 +1,20 @@
ENV["RAILS_ENV"] = "test"
require File.expand_path(File.dirname(__FILE__) + "/../config/environment")
require 'test_help'
+# For declarative_authorization test helpers
require File.expand_path(File.dirname(__FILE__) +
"/../vendor/plugins/declarative_authorization/lib/maintenance")
class ActiveSupport::TestCase
+ # We need to include the declarative_authorization helpers
include Authorization::TestHelper
- # Transactional fixtures accelerate your tests by wrapping each test method
- # in a transaction that's rolled back on completion. This ensures that the
- # test database remains unchanged so your fixtures don't have to be reloaded
- # between every test method. Fewer database queries means faster tests.
- #
- # Read Mike Clark's excellent walkthrough at
- # http://clarkware.com/cgi/blosxom/2005/10/24#Rails10FastTesting
- #
- # Every Active Record database supports transactions except MyISAM tables
- # in MySQL. Turn off transactional fixtures in this case; however, if you
- # don't care one way or the other, switching from MyISAM to InnoDB tables
- # is recommended.
- #
- # The only drawback to using transactional fixtures is when you actually
- # need to test transactions. Since your test is bracketed by a transaction,
- # any transactions started in your code will be automatically rolled back.
- self.use_transactional_fixtures = true
- # Instantiated fixtures are slow, but give you @david where otherwise you
- # would need people(:david). If you don't want to migrate your existing
- # test cases which use the @david style and don't mind the speed hit (each
- # instantiated fixtures translates to a database query per test method),
- # then set this back to true.
+ # standard Rails testing setup
+ self.use_transactional_fixtures = true
self.use_instantiated_fixtures = false
-
- # Setup all fixtures in test/fixtures/*.(yml|csv) for all tests in alphabetical order.
- #
- # Note: You'll currently still have to declare fixtures explicitly in integration tests
- # -- they do not yet inherit this setting
fixtures :all
- # Add more helper methods to be used by all tests here...+
+ # It might help to have helper methods for users from different roles
def admin
users(:admin)
end
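Review bot: the `require` of "/../vendor/plugins/declarative_authorization/lib/maintenance" hard-codes the plugin location; the new comment above it should say that the path assumes the plugin is installed under vendor/plugins, since the README hunk refers to this file as the decl_auth test setup. The comment "It might help to have helper methods for users from different roles" is followed only by `admin`; adding a helper for a user without the admin role here would give the functional and unit tests a ready-made subject for the denied-access cases.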
@@ -1,6 +1,8 @@
require 'test_helper'
class ConferencesTest < ActiveSupport::TestCase
+ # Conferences are protected by model authorization. Thus, we can check
+ # here that certain users may create conferences:
def test_should_create
assert_difference "Conference.count" do
c = Conference.new(:title => "test", :location => "test")
@@ -10,6 +12,7 @@ def test_should_create
end
end
+ # ... or check that others may not do so:
def test_should_not_create
assert_raise Authorization::NotAuthorized do
c = Conference.new(:title => "test", :location => "test")
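Review bot: `Conference.new(:title => "test", :location => "test")` is duplicated between test_should_create and test_should_not_create; extracting it into a small helper keeps the two tests focused on the authorization difference the new comments describe. In test_should_not_create, wrapping the block in `assert_no_difference "Conference.count"` in addition to `assert_raise Authorization::NotAuthorized` would also catch the case where the exception is raised only after the record has been written.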