Allow more than one permission when define access control with 'protect'

Victor Costa
1 parent 1a167fcf
Showing 3 changed files with 20 additions and 3 deletions Show diff stats
vendor/plugins/access_control/lib/permission_check.rb
vendor/plugins/access_control/test/permission_check_test.rb
vendor/plugins/access_control/test/test_helper.rb
@@ -19,7 +19,7 @@ module PermissionCheck
       before_filter actions do |c|
           target = target_method.kind_of?(Symbol) ? c.send(target_method) : target_method
           accessor = accessor_method.kind_of?(Symbol) ? c.send(accessor_method) : accessor_method
-          unless accessor && accessor.has_permission?(permission.to_s, target)
+          unless Array.wrap(permission).map {|p| accessor && accessor.has_permission?(p.to_s, target)}.any?
             c.class.render_access_denied(c) && false
           end
       end
@@ -28,9 +28,20 @@ class PermissionCheckTest &lt; ActionController::TestCase
   end
  
   def test_try_render_shared_access_denied_view
-    File.expects(:exists?).with(File.join(Rails.root, 'app', 'views', 'access_control', 'access_denied.rhtml'))
-    File.expects(:exists?).with(File.join(Rails.root, 'app', 'views', 'shared', 'access_denied.rhtml'))
+    File.expects(:exists?).with(File.join(Rails.root, 'app', 'views', 'access_control', 'access_denied.html.erb'))
+    File.expects(:exists?).with(File.join(Rails.root, 'app', 'views', 'shared', 'access_denied.html.erb'))
     AccessControlTestController.access_denied_template_path
   end
  
+  def test_allow_access_to_user_with_one_of_multiple_permissions
+    user = AccessControlTestAccessor.create!(:name => 'other_user')
+    role = Role.create!(:name => 'other_role', :permissions => ['permission1'])
+    resource = AccessControlTestResource.create!(:name => 'some_resource')
+    assert user.add_role(role, resource)
+    assert user.has_permission?('permission1', resource)
+
+    get :stuff_with_multiple_permission, :user => user.id, :resource => resource.id
+    assert_response :success
+  end
+
 end
@@ -41,6 +41,8 @@ class AccessControlTestController &lt; ApplicationController
   include PermissionCheck
   protect 'see_index', 'global', :user,  :only => :index
   protect 'do_some_stuff', :resource, :user, :only => :other_stuff
+  protect ['permission1', 'permission2'], :resource, :user, :only => :stuff_with_multiple_permission
+
   def index
      render :text => 'test controller'
   end
@@ -49,6 +51,10 @@ class AccessControlTestController &lt; ApplicationController
     render :text => 'test stuff'
   end
  
+  def stuff_with_multiple_permission
+    render :text => 'multiple permission'
+  end
+
 protected
   def user
     AccessControlTestAccessor.find(params[:user]) if params[:user]
...	...	@@ -19,7 +19,7 @@ module PermissionCheck
19	19	before_filter actions do \|c\|
20	20	target = target_method.kind_of?(Symbol) ? c.send(target_method) : target_method
21	21	accessor = accessor_method.kind_of?(Symbol) ? c.send(accessor_method) : accessor_method
22		- unless accessor && accessor.has_permission?(permission.to_s, target)
	22	+ unless Array.wrap(permission).map {\|p\| accessor && accessor.has_permission?(p.to_s, target)}.any?
23	23	c.class.render_access_denied(c) && false
24	24	end
25	25	end
...	...
...	...	@@ -28,9 +28,20 @@ class PermissionCheckTest < ActionController::TestCase
28	28	end
29	29
30	30	def test_try_render_shared_access_denied_view
31		- File.expects(:exists?).with(File.join(Rails.root, 'app', 'views', 'access_control', 'access_denied.rhtml'))
32		- File.expects(:exists?).with(File.join(Rails.root, 'app', 'views', 'shared', 'access_denied.rhtml'))
	31	+ File.expects(:exists?).with(File.join(Rails.root, 'app', 'views', 'access_control', 'access_denied.html.erb'))
	32	+ File.expects(:exists?).with(File.join(Rails.root, 'app', 'views', 'shared', 'access_denied.html.erb'))
33	33	AccessControlTestController.access_denied_template_path
34	34	end
35	35
	36	+ def test_allow_access_to_user_with_one_of_multiple_permissions
	37	+ user = AccessControlTestAccessor.create!(:name => 'other_user')
	38	+ role = Role.create!(:name => 'other_role', :permissions => ['permission1'])
	39	+ resource = AccessControlTestResource.create!(:name => 'some_resource')
	40	+ assert user.add_role(role, resource)
	41	+ assert user.has_permission?('permission1', resource)
	42	+
	43	+ get :stuff_with_multiple_permission, :user => user.id, :resource => resource.id
	44	+ assert_response :success
	45	+ end
	46	+
36	47	end
...	...
...	...	@@ -41,6 +41,8 @@ class AccessControlTestController < ApplicationController
41	41	include PermissionCheck
42	42	protect 'see_index', 'global', :user, :only => :index
43	43	protect 'do_some_stuff', :resource, :user, :only => :other_stuff
	44	+ protect ['permission1', 'permission2'], :resource, :user, :only => :stuff_with_multiple_permission
	45	+
44	46	def index
45	47	render :text => 'test controller'
46	48	end
...	...	@@ -49,6 +51,10 @@ class AccessControlTestController < ApplicationController
49	51	render :text => 'test stuff'
50	52	end
51	53
	54	+ def stuff_with_multiple_permission
	55	+ render :text => 'multiple permission'
	56	+ end
	57	+
52	58	protected
53	59	def user
54	60	AccessControlTestAccessor.find(params[:user]) if params[:user]
...	...