From 73fe69b9ee58f14cdd824fa84ca48b339cb5e2a2 Mon Sep 17 00:00:00 2001 From: Michael Lambert Date: Mon, 15 Dec 2025 11:16:21 -0800 Subject: [PATCH 1/2] style: Delegate helper methods to controller Rather than defining them separately. Since the helper methods don't do anything different than the controller methods (method signature is also unchanged), they can just be forwarded. This will also help with the effort to include hiearchy be default since the keyword argument doesn't need to be passed manually (causing an expectation error in tests). --- .../controller/runtime.rb | 66 +++++++++++----- lib/declarative_authorization/helper.rb | 78 ++----------------- 2 files changed, 54 insertions(+), 90 deletions(-) diff --git a/lib/declarative_authorization/controller/runtime.rb b/lib/declarative_authorization/controller/runtime.rb index 1f0868e..adf0bf3 100644 --- a/lib/declarative_authorization/controller/runtime.rb +++ b/lib/declarative_authorization/controller/runtime.rb @@ -14,6 +14,7 @@ module Runtime def self.failed_auto_loading_is_not_found? @@failed_auto_loading_is_not_found end + def self.failed_auto_loading_is_not_found=(new_value) @@failed_auto_loading_is_not_found = new_value end 
@@ -28,11 +29,27 @@ def authorization_engine # in the authorization rules are only evaluated if an object is given # for context. # - # See examples for Authorization::AuthorizationHelper #permitted_to? - # # If no object or context is specified, the controller_name is used as # context. # + # Examples: + # <% permitted_to? :create, :users do %> + # <%= link_to 'New', new_user_path %> + # <% end %> + # ... + # <% if permitted_to? :create, :users %> + # <%= link_to 'New', new_user_path %> + # <% else %> + # You are not allowed to create new users! + # <% end %> + # ... + # <% for user in @users %> + # <%= link_to 'Edit', edit_user_path(user) if permitted_to? :update, user %> + # <% end %> + # + # To pass in an object and override the context, you can use the optional + # options: + # permitted_to? :update, user, :context => :account def permitted_to?(privilege, object_or_sym = nil, options = {}) if authorization_engine.permit!(privilege, options_for_permit(object_or_sym, options, false)) yield if block_given? 
@@ -48,16 +65,27 @@ def permitted_to!(privilege, object_or_sym = nil, options = {}) authorization_engine.permit!(privilege, options_for_permit(object_or_sym, options, true)) end - # While permitted_to? is used for authorization, in some cases + # While permitted_to? is used for authorization in views, in some cases # content should only be shown to some users without being concerned # with authorization. E.g. to only show the most relevant menu options # to a certain group of users. That is what has_role? should be used for. + # + # Examples: + # <% has_role?(:sales) do %> + # <%= link_to 'All contacts', contacts_path %> + # <% end %> + # ... + # <% if has_role?(:sales) %> + # <%= link_to 'Customer contacts', contacts_path %> + # <% else %> + # ... + # <% end %> def has_role?(*roles) user_roles = authorization_engine.roles_for(current_user) result = roles.all? do |role| user_roles.include?(role) end - yield if result and block_given? + yield if result && block_given? result end @@ -68,7 +96,7 @@ def has_any_role?(*roles) result = roles.any? do |role| user_roles.include?(role) end - yield if result and block_given? + yield if result && block_given? result end @@ -78,7 +106,7 @@ def has_role_with_hierarchy?(*roles) result = roles.all? do |role| user_roles.include?(role) end - yield if result and block_given? + yield if result && block_given? result end @@ -88,7 +116,7 @@ def has_any_role_with_hierarchy?(*roles) result = roles.any? do |role| user_roles.include?(role) end - yield if result and block_given? + yield if result && block_given? result end 
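Review bot: The comment now placed above `has_role?` in the first hunk says `permitted_to?` is used "for authorization in views", but this is the controller runtime module, where both methods can also be called from actions, so the sentence reads as if the role predicates were view-only. As written, `has_role?` only compares the given roles with `authorization_engine.roles_for(current_user)` and never calls `permit!`, so I would state that limit explicitly, e.g. `# has_role? only tests role membership and does not evaluate authorization rules; do not use it to guard actions or data access.` The same caveat applies to `has_any_role?`, `has_role_with_hierarchy?` and `has_any_role_with_hierarchy?` in the three hunks that follow, whose bodies start outside their hunks.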
@@ -96,16 +124,18 @@ def options_for_permit(object_or_sym = nil, options = {}, bang = true) context = object = nil if object_or_sym.nil? context = decl_auth_context - elsif !Authorization.is_a_association_proxy?(object_or_sym) and object_or_sym.is_a?(Symbol) + elsif !Authorization.is_a_association_proxy?(object_or_sym) && object_or_sym.is_a?(Symbol) context = object_or_sym else object = object_or_sym end - result = {:object => object, - :context => context, - :skip_attribute_test => object.nil?, - :bang => bang}.merge(options) + result = { + object: object, + context: context, + skip_attribute_test: object.nil?, + bang: bang + }.merge(options) result[:user] = current_user unless result.key?(:user) result end @@ -120,12 +150,12 @@ def allowed?(action_name) begin allowed = if matching_permissions.any? - matching_permissions.all? { |p| p.permit!(self, action_name) } - elsif all_permissions.any? - all_permissions.all? { |p| p.permit!(self, action_name) } - else - !DEFAULT_DENY - end + matching_permissions.all? { |p| p.permit!(self, action_name) } + elsif all_permissions.any? + all_permissions.all? { |p| p.permit!(self, action_name) } + else + !DEFAULT_DENY + end rescue ::Authorization::NotAuthorized => e auth_exception = e end diff --git a/lib/declarative_authorization/helper.rb b/lib/declarative_authorization/helper.rb index bcb6162..4c04e9d 100644 --- a/lib/declarative_authorization/helper.rb +++ b/lib/declarative_authorization/helper.rb 
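Review bot: In `options_for_permit`, `.merge(options)` runs after the defaults are built, so an `:object`, `:skip_attribute_test`, `:bang` or `:user` key in `options` replaces the computed value, and only `:user` gets a fallback afterwards. That is what lets `:context` be overridden, but it also means a caller-supplied hash can switch off the attribute test or change which user is checked. I would document that contract above the method, e.g. `# options override the computed defaults, including :skip_attribute_test and :user; pass only literal, trusted values, never request parameters.` The `def` line is visible only in the hunk header.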
@@ -1,78 +1,12 @@ # Authorization::AuthorizationHelper -require File.dirname(__FILE__) + '/authorization.rb' +require "#{File.dirname(__FILE__)}/authorization.rb" module Authorization + # Include this module in your views module AuthorizationHelper - - # If the current user meets the given privilege, permitted_to? returns true - # and yields to the optional block. The attribute checks that are defined - # in the authorization rules are only evaluated if an object is given - # for context. - # - # Examples: - # <% permitted_to? :create, :users do %> - # <%= link_to 'New', new_user_path %> - # <% end %> - # ... - # <% if permitted_to? :create, :users %> - # <%= link_to 'New', new_user_path %> - # <% else %> - # You are not allowed to create new users! - # <% end %> - # ... - # <% for user in @users %> - # <%= link_to 'Edit', edit_user_path(user) if permitted_to? :update, user %> - # <% end %> - # - # To pass in an object and override the context, you can use the optional - # options: - # permitted_to? :update, user, :context => :account - # - def permitted_to?(privilege, object_or_sym = nil, options = {}) - controller.permitted_to?(privilege, object_or_sym, options) do - yield if block_given? - end - end - - # While permitted_to? is used for authorization in views, in some cases - # content should only be shown to some users without being concerned - # with authorization. E.g. to only show the most relevant menu options - # to a certain group of users. That is what has_role? should be used for. - # - # Examples: - # <% has_role?(:sales) do %> - # <%= link_to 'All contacts', contacts_path %> - # <% end %> - # ... - # <% if has_role?(:sales) %> - # <%= link_to 'Customer contacts', contacts_path %> - # <% else %> - # ... - # <% end %> - # - def has_role?(*roles) - controller.has_role?(*roles) do - yield if block_given? - end - end - - # As has_role? 
except checks all roles included in the role hierarchy - def has_role_with_hierarchy?(*roles) - controller.has_role_with_hierarchy?(*roles) do - yield if block_given? - end - end - - def has_any_role?(*roles) - controller.has_any_role?(*roles) do - yield if block_given? - end - end - - def has_any_role_with_hierarchy?(*roles) - controller.has_any_role_with_hierarchy?(*roles) do - yield if block_given? - end - end + delegate :has_role?, :has_role_with_hierarchy?, + :has_any_role?, :has_any_role_with_hierarchy?, + :permitted_to?, + to: :controller end end From faef1cc7f41dfb2316dc00df4d7a9613bdfebef3 Mon Sep 17 00:00:00 2001 From: Michael Lambert Date: Tue, 30 Dec 2025 11:56:37 -0700 Subject: [PATCH 2/2] coverage: add some branch coverage --- test/authorization_test.rb | 797 +++++++++++++++++++------------------ test/maintenance_test.rb | 48 ++- 2 files changed, 435 insertions(+), 410 deletions(-) diff --git a/test/authorization_test.rb b/test/authorization_test.rb index a861a62..1c7296b 100644 --- a/test/authorization_test.rb +++ b/test/authorization_test.rb 
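Review bot: `delegate` in the new `AuthorizationHelper` body is ActiveSupport's `Module#delegate`, yet the only require visible in helper.rb is authorization.rb. Unless that file loads ActiveSupport (not visible in this diff), requiring helper.rb on its own would fail with NoMethodError while the module body is evaluated. Adding `require 'active_support/core_ext/module/delegation'` next to the existing require makes the dependency explicit. Because these helpers decide what a view renders, a test that goes through the delegated `permitted_to?` with a block, checking that it yields only when the controller method returns true, would confirm the block is still forwarded.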
@@ -1,78 +1,77 @@ require 'test_helper' class AuthorizationTest < Test::Unit::TestCase - def test_permit reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test end end - } + ) engine = Authorization::Engine.new(reader) - assert engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role, :test_role_2)) - assert !engine.permit?(:test_2, :context => :permissions_2, - :user => MockUser.new(:test_role)) - assert !engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role_2)) + assert engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role, :test_role_2)) + assert !engine.permit?(:test_2, context: :permissions_2, + user: MockUser.new(:test_role)) + assert !engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role_2)) end def test_permit_context_people reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do has_permission_on :people, :to => :test end end - } + ) engine = Authorization::Engine.new(reader) - assert engine.permit?(:test, :context => :people, - :user => MockUser.new(:test_role)) + assert engine.permit?(:test, context: :people, + user: MockUser.new(:test_role)) end def test_permit_with_has_omnipotence reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :admin do has_omnipotence end end - } + ) engine = Authorization::Engine.new(reader) - assert engine.permit?(:test, :context => :people, - :user => MockUser.new(:admin)) + assert engine.permit?(:test, context: :people, + user: MockUser.new(:admin)) end def test_permit_multiple_contexts reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do has_permission_on [:permissions, :permissions_2], :to => :test has_permission_on :permissions_4, 
:permissions_5, :to => :test end end - } + ) engine = Authorization::Engine.new(reader) - assert engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role)) - assert engine.permit?(:test, :context => :permissions_2, - :user => MockUser.new(:test_role)) - assert !engine.permit?(:test, :context => :permissions_3, - :user => MockUser.new(:test_role)) - - assert engine.permit?(:test, :context => :permissions_4, :user => MockUser.new(:test_role)) - assert engine.permit?(:test, :context => :permissions_5, :user => MockUser.new(:test_role)) + assert engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role)) + assert engine.permit?(:test, context: :permissions_2, + user: MockUser.new(:test_role)) + assert !engine.permit?(:test, context: :permissions_3, + user: MockUser.new(:test_role)) + + assert engine.permit?(:test, context: :permissions_4, user: MockUser.new(:test_role)) + assert engine.permit?(:test, context: :permissions_5, user: MockUser.new(:test_role)) end def test_permit_with_frozen_roles reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :other_role do includes :test_role 
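Review bot: The deny case in `test_permit`, `assert !engine.permit?(:test_2, context: :permissions_2, ...)`, changes the privilege and the context together, so it would still pass if the engine ignored either one on its own. Since this commit is about branch coverage, I would add the two single-variable cases, `assert !engine.permit?(:test_2, context: :permissions, user: MockUser.new(:test_role))` and `assert !engine.permit?(:test, context: :permissions_2, user: MockUser.new(:test_role))`. This assumes `permit?` returns false rather than raising for an undefined privilege or context, as the existing assertion suggests. The rest of this hunk only changes string delimiters and hash syntax.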
@@ -81,30 +80,30 @@ def test_permit_with_frozen_roles has_permission_on :permissions, :to => :test end end - } + ) engine = Authorization::Engine.new(reader) roles = [:other_role].freeze - assert engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:role_symbols => roles)) + assert engine.permit?(:test, context: :permissions, + user: MockUser.new(role_symbols: roles)) end def test_obligations_without_conditions reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test end end - } + ) engine = Authorization::Engine.new(reader) - assert_equal [{}], engine.obligations(:test, :context => :permissions, - :user => MockUser.new(:test_role)) + assert_equal [{}], engine.obligations(:test, context: :permissions, + user: MockUser.new(:test_role)) end def test_obligations_with_conditions reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test do @@ -112,16 +111,16 @@ def test_obligations_with_conditions end end end - } + ) engine = Authorization::Engine.new(reader) - assert_equal [{:attr => [:is, 1]}], - engine.obligations(:test, :context => :permissions, - :user => MockUser.new(:test_role, :attr => 1)) + assert_equal [{ attr: [:is, 1] }], + engine.obligations(:test, context: :permissions, + user: MockUser.new(:test_role, attr: 1)) end def test_obligations_with_omnipotence reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :admin do has_omnipotence 
@@ -132,16 +131,16 @@ def test_obligations_with_omnipotence end end end - } + ) engine = Authorization::Engine.new(reader) assert_equal [], - engine.obligations(:test, :context => :permissions, - :user => MockUser.new(:test_role, :admin, :attr => 1)) + engine.obligations(:test, context: :permissions, + user: MockUser.new(:test_role, :admin, attr: 1)) end def test_obligations_with_anded_conditions reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test, :join_by => :and do @@ -150,16 +149,16 @@ def test_obligations_with_anded_conditions end end end - } + ) engine = Authorization::Engine.new(reader) - assert_equal [{:attr => [:is, 1], :attr_2 => [:is, 2]}], - engine.obligations(:test, :context => :permissions, - :user => MockUser.new(:test_role, :attr => 1, :attr_2 => 2)) + assert_equal [{ attr: [:is, 1], attr_2: [:is, 2] }], + engine.obligations(:test, context: :permissions, + user: MockUser.new(:test_role, attr: 1, attr_2: 2)) end def test_obligations_with_deep_anded_conditions reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test, :join_by => :and do 
@@ -168,16 +167,16 @@ def test_obligations_with_deep_anded_conditions end end end - } + ) engine = Authorization::Engine.new(reader) - assert_equal [{:attr => { :deeper_attr => [:is, 1], :deeper_attr_2 => [:is, 2] } }], - engine.obligations(:test, :context => :permissions, - :user => MockUser.new(:test_role, :deeper_attr => 1, :deeper_attr_2 => 2)) + assert_equal [{ attr: { deeper_attr: [:is, 1], deeper_attr_2: [:is, 2] } }], + engine.obligations(:test, context: :permissions, + user: MockUser.new(:test_role, deeper_attr: 1, deeper_attr_2: 2)) end def test_obligations_with_has_many reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test do @@ -185,16 +184,16 @@ def test_obligations_with_has_many end end end - } + ) engine = Authorization::Engine.new(reader) - assert_equal [{:attrs => {:deeper_attr => [:is, 1]}}], - engine.obligations(:test, :context => :permissions, - :user => MockUser.new(:test_role, :deeper_attr => 1)) + assert_equal [{ attrs: { deeper_attr: [:is, 1] } }], + engine.obligations(:test, context: :permissions, + user: MockUser.new(:test_role, deeper_attr: 1)) end def test_obligations_with_conditions_and_empty reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test 
@@ -203,16 +202,16 @@ def test_obligations_with_conditions_and_empty end end end - } + ) engine = Authorization::Engine.new(reader) - assert_equal [{}, {:attr => [:is, 1]}], - engine.obligations(:test, :context => :permissions, - :user => MockUser.new(:test_role, :attr => 1)) + assert_equal [{}, { attr: [:is, 1] }], + engine.obligations(:test, context: :permissions, + user: MockUser.new(:test_role, attr: 1)) end def test_obligations_with_permissions reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test do @@ -230,22 +229,22 @@ def test_obligations_with_permissions end end end - } + ) engine = Authorization::Engine.new(reader) - assert_equal [{:permission => {:attr => [:is, 1]}}], - engine.obligations(:test, :context => :permission_children, - :user => MockUser.new(:test_role, :attr => 1)) - assert_equal [{:permission => {:attr => [:is, 1]}}], - engine.obligations(:test, :context => :permission_children_2, - :user => MockUser.new(:test_role, :attr => 1)) - assert_equal [{:permission_child => {:permission => {:attr => [:is, 1]}}}], - engine.obligations(:test, :context => :permission_children_children, - :user => MockUser.new(:test_role, :attr => 1)) + assert_equal [{ permission: { attr: [:is, 1] } }], + engine.obligations(:test, context: :permission_children, + user: MockUser.new(:test_role, attr: 1)) + assert_equal [{ permission: { attr: [:is, 1] } }], + engine.obligations(:test, context: :permission_children_2, + user: MockUser.new(:test_role, attr: 1)) + assert_equal [{ permission_child: { permission: { attr: [:is, 1] } } }], + engine.obligations(:test, context: :permission_children_children, + user: MockUser.new(:test_role, attr: 1)) end def test_obligations_with_has_many_permissions reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test do 
@@ -263,22 +262,22 @@ def test_obligations_with_has_many_permissions end end end - } + ) engine = Authorization::Engine.new(reader) - assert_equal [{:permissions => {:attr => [:is, 1]}}], - engine.obligations(:test, :context => :permission_children, - :user => MockUser.new(:test_role, :attr => 1)) - assert_equal [{:permissions => {:attr => [:is, 1]}}], - engine.obligations(:test, :context => :permission_children_2, - :user => MockUser.new(:test_role, :attr => 1)) - assert_equal [{:permission_child => {:permissions => {:attr => [:is, 1]}}}], - engine.obligations(:test, :context => :permission_children_children, - :user => MockUser.new(:test_role, :attr => 1)) + assert_equal [{ permissions: { attr: [:is, 1] } }], + engine.obligations(:test, context: :permission_children, + user: MockUser.new(:test_role, attr: 1)) + assert_equal [{ permissions: { attr: [:is, 1] } }], + engine.obligations(:test, context: :permission_children_2, + user: MockUser.new(:test_role, attr: 1)) + assert_equal [{ permission_child: { permissions: { attr: [:is, 1] } } }], + engine.obligations(:test, context: :permission_children_children, + user: MockUser.new(:test_role, attr: 1)) end def test_obligations_with_permissions_multiple reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test do 
@@ -290,17 +289,17 @@ def test_obligations_with_permissions_multiple end end end - } + ) engine = Authorization::Engine.new(reader) - assert_equal [{:permission_child => {:permission => {:attr => [:is, 1]}}}, - {:permission_child => {:permission => {:attr => [:is, 2]}}}], - engine.obligations(:test, :context => :permission_children_children, - :user => MockUser.new(:test_role)) + assert_equal [{ permission_child: { permission: { attr: [:is, 1] } } }, + { permission_child: { permission: { attr: [:is, 2] } } }], + engine.obligations(:test, context: :permission_children_children, + user: MockUser.new(:test_role)) end def test_obligations_with_permissions_and_anded_conditions reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do has_permission_on :permission_children, :to => :test, :join_by => :and do 
@@ -312,70 +311,70 @@ def test_obligations_with_permissions_and_anded_conditions end end end - } + ) engine = Authorization::Engine.new(reader) - assert_equal [{:test_attr => [:is, 1], :permission => {:test_attr => [:is, 1]}}], - engine.obligations(:test, :context => :permission_children, - :user => MockUser.new(:test_role)) + assert_equal [{ test_attr: [:is, 1], permission: { test_attr: [:is, 1] } }], + engine.obligations(:test, context: :permission_children, + user: MockUser.new(:test_role)) end def test_guest_user reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :guest do has_permission_on :permissions, :to => :test end end - } + ) engine = Authorization::Engine.new(reader) Authorization.stub :current_user, MockUser.new do - assert engine.permit?(:test, :context => :permissions) - assert !engine.permit?(:test, :context => :permissions_2) + assert engine.permit?(:test, context: :permissions) + assert !engine.permit?(:test, context: :permissions_2) end end def test_default_role reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :anonymous do has_permission_on :permissions, :to => :test end end - } + ) Authorization.stub :default_role, :anonymous do engine = Authorization::Engine.new(reader) Authorization.stub :current_user, MockUser.new do - assert engine.permit?(:test, :context => :permissions) + assert engine.permit?(:test, context: :permissions) end - assert !engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:guest)) + assert !engine.permit?(:test, context: :permissions, + user: MockUser.new(:guest)) end end def test_invalid_user_model reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :guest do has_permission_on :permissions, :to => :test end end - } + ) engine = Authorization::Engine.new(reader) assert_raise(Authorization::AuthorizationUsageError) do - engine.permit?(:test, 
:context => :permissions, :user => MockUser.new(1, 2)) + engine.permit?(:test, context: :permissions, user: MockUser.new(1, 2)) end assert_raise(Authorization::AuthorizationUsageError) do - engine.permit?(:test, :context => :permissions, :user => MockDataObject.new) + engine.permit?(:test, context: :permissions, user: MockDataObject.new) end end def test_role_hierarchy reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do includes :lower_role @@ -385,7 +384,7 @@ def test_role_hierarchy has_permission_on :permissions, :to => :lower end end - } + ) engine = Authorization::Engine.new(reader) assert engine.permit?(:test, context: :permissions, user: MockUser.new(:test_role)) assert engine.permit?(:lower, context: :permissions, user: MockUser.new(:test_role)) @@ -393,7 +392,7 @@ def test_role_hierarchy def test_role_hierarchy__recursive reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do includes :lower_role @@ -407,7 +406,7 @@ def test_role_hierarchy__recursive has_permission_on :permissions, :to => :lowest end end - } + ) engine = Authorization::Engine.new(reader) assert engine.permit?(:test, context: :permissions, user: MockUser.new(:test_role)) assert engine.permit?(:lower, context: :permissions, user: MockUser.new(:test_role)) @@ -416,7 +415,7 @@ def test_role_hierarchy__recursive def test_role_hierarchy__circular reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do includes :lower_role @@ -427,7 +426,7 @@ def test_role_hierarchy__circular has_permission_on :permissions, :to => :lower end end - } + ) engine = Authorization::Engine.new(reader) assert engine.permit?(:test, context: :permissions, user: MockUser.new(:test_role)) assert engine.permit?(:lower, context: :permissions, user: MockUser.new(:test_role)) 
@@ -435,7 +434,7 @@ def test_role_hierarchy__circular def test_role_hierarchy__recursive__circular reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do includes :lower_role @@ -450,7 +449,7 @@ def test_role_hierarchy__recursive__circular has_permission_on :permissions, :to => :lowest end end - } + ) engine = Authorization::Engine.new(reader) assert engine.permit?(:test, context: :permissions, user: MockUser.new(:test_role)) assert engine.permit?(:lower, context: :permissions, user: MockUser.new(:test_role)) @@ -459,7 +458,7 @@ def test_role_hierarchy__recursive__circular def test_privilege_hierarchy reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( privileges do privilege :test, :permissions do includes :lower @@ -470,14 +469,14 @@ def test_privilege_hierarchy has_permission_on :permissions, :to => :test end end - } + ) engine = Authorization::Engine.new(reader) assert engine.permit?(:lower, context: :permissions, user: MockUser.new(:test_role)) end def test_privilege_hierarchy__recursive reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( privileges do privilege :test, :permissions do includes :lower @@ -491,7 +490,7 @@ def test_privilege_hierarchy__recursive has_permission_on :permissions, :to => :test end end - } + ) engine = Authorization::Engine.new(reader) assert engine.permit?(:lower, context: :permissions, user: MockUser.new(:test_role)) assert engine.permit?(:lowest, context: :permissions, user: MockUser.new(:test_role)) @@ -499,7 +498,7 @@ def test_privilege_hierarchy__recursive def test_privilege_hierarchy_without_context reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( privileges do privilege :read do includes :list, :show 
@@ -510,15 +509,15 @@ def test_privilege_hierarchy_without_context has_permission_on :permissions, :to => :read end end - } + ) engine = Authorization::Engine.new(reader) - assert engine.permit?(:list, :context => :permissions, - :user => MockUser.new(:test_role)) + assert engine.permit?(:list, context: :permissions, + user: MockUser.new(:test_role)) end def test_attribute_is reader = Authorization::Reader::DSLReader.new - reader.parse %| + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test do @@ -527,22 +526,22 @@ def test_attribute_is end end end - | + ) engine = Authorization::Engine.new(reader) - assert engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role, :test_attr => 1), - :object => MockDataObject.new(:test_attr => 1)) - assert engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role, :test_attr => 2), - :object => MockDataObject.new(:test_attr => 3)) - assert((not(engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role, :test_attr => 2), - :object => MockDataObject.new(:test_attr => 1))))) + assert engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role, test_attr: 1), + object: MockDataObject.new(test_attr: 1)) + assert engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role, test_attr: 2), + object: MockDataObject.new(test_attr: 3)) + assert(!engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role, test_attr: 2), + object: MockDataObject.new(test_attr: 1))) end def test_attribute_is_not reader = Authorization::Reader::DSLReader.new - reader.parse %| + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test do 
@@ -550,19 +549,19 @@ def test_attribute_is_not end end end - | + ) engine = Authorization::Engine.new(reader) - assert !engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role, :test_attr => 1), - :object => MockDataObject.new(:test_attr => 1)) - assert engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role, :test_attr => 2), - :object => MockDataObject.new(:test_attr => 1)) + assert !engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role, test_attr: 1), + object: MockDataObject.new(test_attr: 1)) + assert engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role, test_attr: 2), + object: MockDataObject.new(test_attr: 1)) end def test_attribute_contains reader = Authorization::Reader::DSLReader.new - reader.parse %| + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test do @@ -570,19 +569,19 @@ def test_attribute_contains end end end - | + ) engine = Authorization::Engine.new(reader) - assert engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role, :test_attr => 1), - :object => MockDataObject.new(:test_attr => [1,2])) - assert !engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role, :test_attr => 3), - :object => MockDataObject.new(:test_attr => [1,2])) + assert engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role, test_attr: 1), + object: MockDataObject.new(test_attr: [1, 2])) + assert !engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role, test_attr: 3), + object: MockDataObject.new(test_attr: [1, 2])) end def test_attribute_does_not_contain reader = Authorization::Reader::DSLReader.new - reader.parse %| + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test do 
@@ -590,19 +589,19 @@ def test_attribute_does_not_contain end end end - | + ) engine = Authorization::Engine.new(reader) - assert !engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role, :test_attr => 1), - :object => MockDataObject.new(:test_attr => [1,2])) - assert engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role, :test_attr => 3), - :object => MockDataObject.new(:test_attr => [1,2])) + assert !engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role, test_attr: 1), + object: MockDataObject.new(test_attr: [1, 2])) + assert engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role, test_attr: 3), + object: MockDataObject.new(test_attr: [1, 2])) end def test_attribute_in_array reader = Authorization::Reader::DSLReader.new - reader.parse %| + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test do 
@@ -611,22 +610,22 @@ def test_attribute_in_array end end end - | + ) engine = Authorization::Engine.new(reader) - assert engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role), - :object => MockDataObject.new(:test_attr => 1)) - assert engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role), - :object => MockDataObject.new(:test_attr => 3)) - assert !engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role), - :object => MockDataObject.new(:test_attr => 4)) + assert engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role), + object: MockDataObject.new(test_attr: 1)) + assert engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role), + object: MockDataObject.new(test_attr: 3)) + assert !engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role), + object: MockDataObject.new(test_attr: 4)) end def test_attribute_not_in_array reader = Authorization::Reader::DSLReader.new - reader.parse %| + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test do 
@@ -634,19 +633,19 @@ def test_attribute_not_in_array end end end - | + ) engine = Authorization::Engine.new(reader) - assert !engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role), - :object => MockDataObject.new(:test_attr => 1)) - assert engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role), - :object => MockDataObject.new(:test_attr => 4)) + assert !engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role), + object: MockDataObject.new(test_attr: 1)) + assert engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role), + object: MockDataObject.new(test_attr: 4)) end def test_attribute_intersects_with reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test do 
@@ -659,30 +658,30 @@ def test_attribute_intersects_with end end end - } + ) engine = Authorization::Engine.new(reader) assert_raise Authorization::AuthorizationUsageError do - engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role), - :object => MockDataObject.new(:test_attrs => 1 )) + engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role), + object: MockDataObject.new(test_attrs: 1)) end assert_raise Authorization::AuthorizationUsageError do - engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role_2), - :object => MockDataObject.new(:test_attrs => [1, 2] )) + engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role_2), + object: MockDataObject.new(test_attrs: [1, 2])) end - assert engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role), - :object => MockDataObject.new(:test_attrs => [1,3] )) - assert !engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role), - :object => MockDataObject.new(:test_attrs => [3,4] )) + assert engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role), + object: MockDataObject.new(test_attrs: [1, 3])) + assert !engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role), + object: MockDataObject.new(test_attrs: [3, 4])) end def test_attribute_lte reader = Authorization::Reader::DSLReader.new - reader.parse %| + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test do 
@@ -691,29 +690,29 @@ def test_attribute_lte end end end - | + ) engine = Authorization::Engine.new(reader) # object < user -> pass - assert engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role, :test_attr => 2), - :object => MockDataObject.new(:test_attr => 1)) + assert engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role, test_attr: 2), + object: MockDataObject.new(test_attr: 1)) # object > user && object = control -> pass - assert engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role, :test_attr => 2), - :object => MockDataObject.new(:test_attr => 3)) + assert engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role, test_attr: 2), + object: MockDataObject.new(test_attr: 3)) # object = user -> pass - assert engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role, :test_attr => 1), - :object => MockDataObject.new(:test_attr => 1)) + assert engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role, test_attr: 1), + object: MockDataObject.new(test_attr: 1)) # object > user -> fail - assert((not(engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role, :test_attr => 1), - :object => MockDataObject.new(:test_attr => 2))))) + assert(!engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role, test_attr: 1), + object: MockDataObject.new(test_attr: 2))) end def test_attribute_gt reader = Authorization::Reader::DSLReader.new - reader.parse %| + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test do 
@@ -722,29 +721,29 @@ def test_attribute_gt end end end - | + ) engine = Authorization::Engine.new(reader) # object > user -> pass - assert engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role, :test_attr => 1), - :object => MockDataObject.new(:test_attr => 2)) + assert engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role, test_attr: 1), + object: MockDataObject.new(test_attr: 2)) # object < user && object = control -> pass - assert engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role, :test_attr => 4), - :object => MockDataObject.new(:test_attr => 3)) + assert engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role, test_attr: 4), + object: MockDataObject.new(test_attr: 3)) # object = user -> fail - assert((not(engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role, :test_attr => 1), - :object => MockDataObject.new(:test_attr => 1))))) + assert(!engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role, test_attr: 1), + object: MockDataObject.new(test_attr: 1))) # object < user -> fail - assert((not(engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role, :test_attr => 2), - :object => MockDataObject.new(:test_attr => 1))))) + assert(!engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role, test_attr: 2), + object: MockDataObject.new(test_attr: 1))) end def test_attribute_gte reader = Authorization::Reader::DSLReader.new - reader.parse %| + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test do 
@@ -753,29 +752,29 @@ def test_attribute_gte end end end - | + ) engine = Authorization::Engine.new(reader) # object > user -> pass - assert engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role, :test_attr => 1), - :object => MockDataObject.new(:test_attr => 2)) + assert engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role, test_attr: 1), + object: MockDataObject.new(test_attr: 2)) # object < user && object = control -> pass - assert engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role, :test_attr => 4), - :object => MockDataObject.new(:test_attr => 3)) + assert engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role, test_attr: 4), + object: MockDataObject.new(test_attr: 3)) # object = user -> pass - assert engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role, :test_attr => 1), - :object => MockDataObject.new(:test_attr => 1)) + assert engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role, test_attr: 1), + object: MockDataObject.new(test_attr: 1)) # object < user -> fail - assert((not(engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role, :test_attr => 2), - :object => MockDataObject.new(:test_attr => 1))))) + assert(!engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role, test_attr: 2), + object: MockDataObject.new(test_attr: 1))) end def test_attribute_deep reader = Authorization::Reader::DSLReader.new - reader.parse %| + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test do 
@@ -783,24 +782,22 @@ def test_attribute_deep end end end - | + ) engine = Authorization::Engine.new(reader) - assert engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role), - :object => MockDataObject.new(:test_attr_1 => - MockDataObject.new(:test_attr_2 => [1,2]))) - assert !engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role), - :object => MockDataObject.new(:test_attr_1 => - MockDataObject.new(:test_attr_2 => [3,4]))) - assert_equal [{:test_attr_1 => {:test_attr_2 => [:contains, 1]}}], - engine.obligations(:test, :context => :permissions, - :user => MockUser.new(:test_role)) + assert engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role), + object: MockDataObject.new(test_attr_1: MockDataObject.new(test_attr_2: [1, 2]))) + assert !engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role), + object: MockDataObject.new(test_attr_1: MockDataObject.new(test_attr_2: [3, 4]))) + assert_equal [{ test_attr_1: { test_attr_2: [:contains, 1] } }], + engine.obligations(:test, context: :permissions, + user: MockUser.new(:test_role)) end def test_attribute_has_many reader = Authorization::Reader::DSLReader.new - reader.parse %| + reader.parse %( authorization do role :test_role do has_permission_on :companies, :to => :read do 
@@ -808,24 +805,24 @@ def test_attribute_has_many end end end - | + ) engine = Authorization::Engine.new(reader) - company = MockDataObject.new(:branches => [ - MockDataObject.new(:city => 'Barcelona'), - MockDataObject.new(:city => 'Paris') - ]) - assert engine.permit!(:read, :context => :companies, - :user => MockUser.new(:test_role, :city => 'Paris'), - :object => company) - assert !engine.permit?(:read, :context => :companies, - :user => MockUser.new(:test_role, :city => 'London'), - :object => company) + company = MockDataObject.new(branches: [ + MockDataObject.new(city: 'Barcelona'), + MockDataObject.new(city: 'Paris') + ]) + assert engine.permit!(:read, context: :companies, + user: MockUser.new(:test_role, city: 'Paris'), + object: company) + assert !engine.permit?(:read, context: :companies, + user: MockUser.new(:test_role, city: 'London'), + object: company) end def test_attribute_non_block reader = Authorization::Reader::DSLReader.new - reader.parse %| + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test do @@ -833,19 +830,19 @@ def test_attribute_non_block end end end - | + ) engine = Authorization::Engine.new(reader) - assert engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role), - :object => MockDataObject.new(:test_attr => 1)) - assert !engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role), - :object => MockDataObject.new(:test_attr => 2)) + assert engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role), + object: MockDataObject.new(test_attr: 1)) + assert !engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role), + object: MockDataObject.new(test_attr: 2)) end def test_attribute_multiple reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test do 
@@ -854,24 +851,25 @@ def test_attribute_multiple end end end - } + ) engine = Authorization::Engine.new(reader) - assert engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role), - :object => MockDataObject.new(:test_attr => 1)) - assert engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role), - :object => MockDataObject.new(:test_attr => 2)) + assert engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role), + object: MockDataObject.new(test_attr: 1)) + assert engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role), + object: MockDataObject.new(test_attr: 2)) end class PermissionMock < MockDataObject def self.name - "Permission" + 'Permission' end end + def test_attribute_with_permissions reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test do 
@@ -882,22 +880,22 @@ def test_attribute_with_permissions end end end - } + ) engine = Authorization::Engine.new(reader) - perm_data_attr_1 = PermissionMock.new({:test_attr => 1}) - perm_data_attr_2 = PermissionMock.new({:test_attr => 2}) - assert engine.permit?(:test, :context => :permission_children, - :user => MockUser.new(:test_role), - :object => MockDataObject.new(:permission => perm_data_attr_1)) - assert !engine.permit?(:test, :context => :permission_children, - :user => MockUser.new(:test_role), - :object => MockDataObject.new(:permission => perm_data_attr_2)) + perm_data_attr_1 = PermissionMock.new({ test_attr: 1 }) + perm_data_attr_2 = PermissionMock.new({ test_attr: 2 }) + assert engine.permit?(:test, context: :permission_children, + user: MockUser.new(:test_role), + object: MockDataObject.new(permission: perm_data_attr_1)) + assert !engine.permit?(:test, context: :permission_children, + user: MockUser.new(:test_role), + object: MockDataObject.new(permission: perm_data_attr_2)) end def test_attribute_with_has_many_permissions reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test do 
@@ -908,22 +906,22 @@ def test_attribute_with_has_many_permissions end end end - } + ) engine = Authorization::Engine.new(reader) - perm_data_attr_1 = PermissionMock.new({:test_attr => 1}) - perm_data_attr_2 = PermissionMock.new({:test_attr => 2}) - assert engine.permit?(:test, :context => :permission_children, - :user => MockUser.new(:test_role), - :object => MockDataObject.new(:permissions => [perm_data_attr_1])) - assert !engine.permit?(:test, :context => :permission_children, - :user => MockUser.new(:test_role), - :object => MockDataObject.new(:permissions => [perm_data_attr_2])) + perm_data_attr_1 = PermissionMock.new({ test_attr: 1 }) + perm_data_attr_2 = PermissionMock.new({ test_attr: 2 }) + assert engine.permit?(:test, context: :permission_children, + user: MockUser.new(:test_role), + object: MockDataObject.new(permissions: [perm_data_attr_1])) + assert !engine.permit?(:test, context: :permission_children, + user: MockUser.new(:test_role), + object: MockDataObject.new(permissions: [perm_data_attr_2])) end def test_attribute_with_deep_permissions reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test do 
@@ -934,24 +932,22 @@ def test_attribute_with_deep_permissions end end end - } + ) engine = Authorization::Engine.new(reader) - perm_data_attr_1 = PermissionMock.new({:test_attr => 1}) - perm_data_attr_2 = PermissionMock.new({:test_attr => 2}) - assert engine.permit?(:test, :context => :permission_children, - :user => MockUser.new(:test_role), - :object => MockDataObject.new(:shallow_permission => - MockDataObject.new(:permission => perm_data_attr_1))) - assert !engine.permit?(:test, :context => :permission_children, - :user => MockUser.new(:test_role), - :object => MockDataObject.new(:shallow_permission => - MockDataObject.new(:permission => perm_data_attr_2))) + perm_data_attr_1 = PermissionMock.new({ test_attr: 1 }) + perm_data_attr_2 = PermissionMock.new({ test_attr: 2 }) + assert engine.permit?(:test, context: :permission_children, + user: MockUser.new(:test_role), + object: MockDataObject.new(shallow_permission: MockDataObject.new(permission: perm_data_attr_1))) + assert !engine.permit?(:test, context: :permission_children, + user: MockUser.new(:test_role), + object: MockDataObject.new(shallow_permission: MockDataObject.new(permission: perm_data_attr_2))) end def test_attribute_with_deep_has_many_permissions reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test do 
@@ -962,24 +958,22 @@ def test_attribute_with_deep_has_many_permissions end end end - } + ) engine = Authorization::Engine.new(reader) - perm_data_attr_1 = PermissionMock.new({:test_attr => 1}) - perm_data_attr_2 = PermissionMock.new({:test_attr => 2}) - assert engine.permit?(:test, :context => :permission_children, - :user => MockUser.new(:test_role), - :object => MockDataObject.new(:shallow_permissions => - [MockDataObject.new(:permission => perm_data_attr_1)])) - assert !engine.permit?(:test, :context => :permission_children, - :user => MockUser.new(:test_role), - :object => MockDataObject.new(:shallow_permissions => - [MockDataObject.new(:permission => perm_data_attr_2)])) + perm_data_attr_1 = PermissionMock.new({ test_attr: 1 }) + perm_data_attr_2 = PermissionMock.new({ test_attr: 2 }) + assert engine.permit?(:test, context: :permission_children, + user: MockUser.new(:test_role), + object: MockDataObject.new(shallow_permissions: [MockDataObject.new(permission: perm_data_attr_1)])) + assert !engine.permit?(:test, context: :permission_children, + user: MockUser.new(:test_role), + object: MockDataObject.new(shallow_permissions: [MockDataObject.new(permission: perm_data_attr_2)])) end def test_attribute_with_permissions_nil reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test do 
@@ -990,21 +984,21 @@ def test_attribute_with_permissions_nil end end end - } + ) engine = Authorization::Engine.new(reader) - engine.permit?(:test, :context => :permission_children, - :user => MockUser.new(:test_role), - :object => MockDataObject.new(:permission => nil)) + engine.permit?(:test, context: :permission_children, + user: MockUser.new(:test_role), + object: MockDataObject.new(permission: nil)) - assert !engine.permit?(:test, :context => :permission_children, - :user => MockUser.new(:test_role), - :object => MockDataObject.new(:permission => nil)) + assert !engine.permit?(:test, context: :permission_children, + user: MockUser.new(:test_role), + object: MockDataObject.new(permission: nil)) end def test_attribute_with_permissions_on_self reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test do 
@@ -1015,22 +1009,22 @@ def test_attribute_with_permissions_on_self end end end - } + ) engine = Authorization::Engine.new(reader) - perm_data_attr_1 = PermissionMock.new({:test_attr => 1}) - perm_data_attr_2 = PermissionMock.new({:test_attr => 2}) - assert engine.permit?(:another_test, :context => :permissions, - :user => MockUser.new(:test_role), - :object => perm_data_attr_1) - assert !engine.permit?(:another_test, :context => :permissions, - :user => MockUser.new(:test_role), - :object => perm_data_attr_2) + perm_data_attr_1 = PermissionMock.new({ test_attr: 1 }) + perm_data_attr_2 = PermissionMock.new({ test_attr: 2 }) + assert engine.permit?(:another_test, context: :permissions, + user: MockUser.new(:test_role), + object: perm_data_attr_1) + assert !engine.permit?(:another_test, context: :permissions, + user: MockUser.new(:test_role), + object: perm_data_attr_2) end def test_attribute_with_permissions_on_self_with_context reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test do 
@@ -1041,22 +1035,22 @@ def test_attribute_with_permissions_on_self_with_context end end end - } + ) engine = Authorization::Engine.new(reader) - perm_data_attr_1 = PermissionMock.new({:test_attr => 1}) - perm_data_attr_2 = PermissionMock.new({:test_attr => 2}) - assert engine.permit?(:another_test, :context => :permissions, - :user => MockUser.new(:test_role), - :object => perm_data_attr_1) - assert !engine.permit?(:another_test, :context => :permissions, - :user => MockUser.new(:test_role), - :object => perm_data_attr_2) + perm_data_attr_1 = PermissionMock.new({ test_attr: 1 }) + perm_data_attr_2 = PermissionMock.new({ test_attr: 2 }) + assert engine.permit?(:another_test, context: :permissions, + user: MockUser.new(:test_role), + object: perm_data_attr_1) + assert !engine.permit?(:another_test, context: :permissions, + user: MockUser.new(:test_role), + object: perm_data_attr_2) end def test_attribute_with_permissions_and_anded_rules reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test do 
@@ -1068,25 +1062,25 @@ def test_attribute_with_permissions_and_anded_rules end end end - } + ) engine = Authorization::Engine.new(reader) - perm_data_attr_1 = PermissionMock.new({:test_attr => 1}) - perm_data_attr_2 = PermissionMock.new({:test_attr => 2}) - assert engine.permit?(:test, :context => :permission_children, - :user => MockUser.new(:test_role), - :object => MockDataObject.new(:permission => perm_data_attr_1, :test_attr => 1)) - assert !engine.permit?(:test, :context => :permission_children, - :user => MockUser.new(:test_role), - :object => MockDataObject.new(:permission => perm_data_attr_2, :test_attr => 1)) - assert !engine.permit?(:test, :context => :permission_children, - :user => MockUser.new(:test_role), - :object => MockDataObject.new(:permission => perm_data_attr_1, :test_attr => 2)) + perm_data_attr_1 = PermissionMock.new({ test_attr: 1 }) + perm_data_attr_2 = PermissionMock.new({ test_attr: 2 }) + assert engine.permit?(:test, context: :permission_children, + user: MockUser.new(:test_role), + object: MockDataObject.new(permission: perm_data_attr_1, test_attr: 1)) + assert !engine.permit?(:test, context: :permission_children, + user: MockUser.new(:test_role), + object: MockDataObject.new(permission: perm_data_attr_2, test_attr: 1)) + assert !engine.permit?(:test, context: :permission_children, + user: MockUser.new(:test_role), + object: MockDataObject.new(permission: perm_data_attr_1, test_attr: 2)) end def test_attribute_with_anded_rules reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test, :join_by => :and do 
@@ -1095,20 +1089,20 @@ def test_attribute_with_anded_rules end end end - } + ) engine = Authorization::Engine.new(reader) - assert engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role), - :object => MockDataObject.new(:test_attr => 1, :test_attr_2 => 2)) - assert !engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role), - :object => MockDataObject.new(:test_attr => 1, :test_attr_2 => 3)) + assert engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role), + object: MockDataObject.new(test_attr: 1, test_attr_2: 2)) + assert !engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role), + object: MockDataObject.new(test_attr: 1, test_attr_2: 3)) end def test_raise_on_if_attribute_hash_on_collection reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test do 
@@ -1116,58 +1110,58 @@ def test_raise_on_if_attribute_hash_on_collection end end end - } + ) engine = Authorization::Engine.new(reader) assert_raise Authorization::AuthorizationUsageError do - engine.permit?(:test, :context => :permissions, - :user => MockUser.new(:test_role), - :object => MockDataObject.new(:test_attrs => [1, 2, 3])) + engine.permit?(:test, context: :permissions, + user: MockUser.new(:test_role), + object: MockDataObject.new(test_attrs: [1, 2, 3])) end end def test_role_title_description reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role, :title => 'Test Role' do description "Test Role Description" end end - } + ) engine = Authorization::Engine.new(reader) assert engine.roles.include?(:test_role) - assert_equal "Test Role", engine.role_titles[:test_role] - assert_equal "Test Role", engine.title_for(:test_role) + assert_equal 'Test Role', engine.role_titles[:test_role] + assert_equal 'Test Role', engine.title_for(:test_role) assert_nil engine.title_for(:test_role_2) - assert_equal "Test Role Description", engine.role_descriptions[:test_role] - assert_equal "Test Role Description", engine.description_for(:test_role) + assert_equal 'Test Role Description', engine.role_descriptions[:test_role] + assert_equal 'Test Role Description', engine.description_for(:test_role) assert_nil engine.description_for(:test_role_2) end def test_multithread reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test end end - } + ) engine = Authorization::Engine.new(reader) Authorization.stub :current_user, MockUser.new(:test_role) do - assert engine.permit?(:test, :context => :permissions) + assert engine.permit?(:test, context: :permissions) Thread.new do Authorization.current_user = MockUser.new(:test_role2) - assert !engine.permit?(:test, :context => :permissions) + assert !engine.permit?(:test, 
context: :permissions) end - assert engine.permit?(:test, :context => :permissions) + assert engine.permit?(:test, context: :permissions) end end def test_clone reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test do @@ -1177,13 +1171,32 @@ def test_clone end end end - } + ) engine = Authorization::Engine.new(reader) cloned_engine = engine.clone assert_not_equal engine.auth_rules.first.contexts.object_id, - cloned_engine.auth_rules.first.contexts.object_id + cloned_engine.auth_rules.first.contexts.object_id assert_not_equal engine.auth_rules.first.attributes.first.send(:instance_variable_get, :@conditions_hash)[:attr].object_id, - cloned_engine.auth_rules.first.attributes.first.send(:instance_variable_get, :@conditions_hash)[:attr].object_id + cloned_engine.auth_rules.first.attributes.first.send(:instance_variable_get, + :@conditions_hash)[:attr].object_id + end + + def test_rev_role_hierarchy + reader = Authorization::Reader::DSLReader.new + reader.parse %( + authorization do + role :lower_role do + has_permission_on :permissions, :to => :lower + end + role :test_role do + includes :lower_role + has_permission_on :permissions, :to => :test + end + end + ) + engine = Authorization::Engine.new(reader) + assert_equal({ lower_role: [:test_role] }, engine.rev_role_hierarchy) + engine.rev_role_hierarchy # coverage end end diff --git a/test/maintenance_test.rb b/test/maintenance_test.rb index 274adfd..7326272 100644 --- a/test/maintenance_test.rb +++ b/test/maintenance_test.rb @@ -1,5 +1,5 @@ require 'test_helper' -require File.join(File.dirname(__FILE__), %w{.. lib declarative_authorization maintenance}) +require File.join(File.dirname(__FILE__), %w[.. lib declarative_authorization maintenance]) class MaintenanceTest < Test::Unit::TestCase include Authorization::TestHelper 
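Review bot: The thread started in test_multithread is never joined, so the `assert !engine.permit?(:test, context: :permissions)` inside it may not have run when the test returns. An assertion failure raised in an unjoined thread is also not propagated to the main thread, so it cannot fail the test. This is the only check here that a user set in a second thread does not pick up the stubbed user's permission, so the block should be waited on: close it with `end.join` instead of `end`. A one-line comment such as `# current_user must be per-thread; the other thread's role has no :test permission` would also make the intent explicit.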
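Review bot: The trailing `engine.rev_role_hierarchy # coverage` call in test_rev_role_hierarchy discards its result, so whatever branch the second call reaches is executed but never checked. That branch is presumably a cached return, but the implementation is not in this hunk. Assert on it instead, `assert_equal({ lower_role: [:test_role] }, engine.rev_role_hierarchy)`, so a stale or mutated second result is caught. A short comment that the map goes from the included role to the roles that include it would also help, because the direction is easy to misread in a role-inheritance test.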
@@ -9,38 +9,50 @@ def test_usages_by_controllers usage_test_controller.send(:define_method, :an_action) {} usage_test_controller.filter_access_to :an_action - assert Authorization::Maintenance::Usage::usages_by_controller. - include?(usage_test_controller) + assert Authorization::Maintenance::Usage.usages_by_controller + .include?(usage_test_controller) end def test_without_access_control reader = Authorization::Reader::DSLReader.new - reader.parse %{ + reader.parse %( authorization do role :test_role do has_permission_on :permissions, :to => :test end end - } + ) engine = Authorization::Engine.new(reader) - assert !engine.permit?(:test_2, :context => :permissions, - :user => MockUser.new(:test_role)) - Authorization::Maintenance::without_access_control do - assert engine.permit!(:test_2, :context => :permissions, - :user => MockUser.new(:test_role)) + assert !engine.permit?(:test_2, context: :permissions, + user: MockUser.new(:test_role)) + Authorization::Maintenance.without_access_control do + assert engine.permit!(:test_2, context: :permissions, + user: MockUser.new(:test_role)) end without_access_control do - assert engine.permit?(:test_2, :context => :permissions, - :user => MockUser.new(:test_role)) + assert engine.permit?(:test_2, context: :permissions, + user: MockUser.new(:test_role)) end - Authorization::Maintenance::without_access_control do - Authorization::Maintenance::without_access_control do - assert engine.permit?(:test_2, :context => :permissions, - :user => MockUser.new(:test_role)) + Authorization::Maintenance.without_access_control do + Authorization::Maintenance.without_access_control do + assert engine.permit?(:test_2, context: :permissions, + user: MockUser.new(:test_role)) end - assert engine.permit?(:test_2, :context => :permissions, - :user => MockUser.new(:test_role)) + assert engine.permit?(:test_2, context: :permissions, + user: MockUser.new(:test_role)) end + + without_access_control # coverage end + def test_with_user + original_user 
= Authorization.current_user + user = MockUser.new(:test_role) + Authorization::Maintenance.with_user(user) do + assert_equal user, Authorization.current_user + end + assert_equal original_user, Authorization.current_user + + with_user(user) # coverage + end end
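Review bot: The two `# coverage` calls are made without a block and nothing is asserted after them: `without_access_control` at the end of test_without_access_control and `with_user(user)` at the end of test_with_user. The tests would therefore still pass if a blockless call left access control switched off or left the current user replaced; the helpers' implementation is not visible here. Follow the first with `assert !engine.permit?(:test_2, context: :permissions, user: MockUser.new(:test_role))` and the second with `assert_equal original_user, Authorization.current_user`. The same restored-state check is missing after the nested `Authorization::Maintenance.without_access_control` blocks earlier in test_without_access_control.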