Commit 4adddb4b777aa775ff3760d8376a8098a34d8353
1 parent
94d199c1
ActionItem75: changed the rbac implementation to a plugin
git-svn-id: https://svn.colivre.coop.br/svn/noosfero/trunk@641 3f533792-8f58-4932-b0fe-aaf55b0a4547
Showing
13 changed files
with
62 additions
and
177 deletions
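--- a/app/controllers/application.rb
+++ b/app/controllers/application.rb
@@ -13,7 +13,7 @@ class ApplicationController < ActionController::Base
 
   init_gettext 'noosfero'
 
-  before_filter :detect_stuff_by_domain
+  before_filter :detect_stuff_by_domain, :load_profile_from_params
   attr_reader :environment
 
   protected
@@ -29,7 +29,7 @@ class ApplicationController < ActionController::Base
     end
   end
 
-  before_filter :load_profile_from_params
+# before_filter :load_profile_from_params
   def load_profile_from_params
     if params[:profile]
       @profile ||= Profile.find_by_identifier(params[:profile])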
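Review bot: The line `# before_filter :load_profile_from_params` left in the second hunk is dead code now that the filter is registered on line 16 of the first hunk; delete it instead of commenting it out, since the history is already in version control. The same comment-out pattern appears in the `info`/`info=` methods added to app/models/organization.rb, the `has_permission?`/`define_roles` blocks in app/models/person.rb and the `affiliate` method in app/models/profile.rb, none of which is referenced by live code in this commit. Filter order is preserved (`load_profile_from_params` still runs after `detect_stuff_by_domain`), so the move itself looks behaviour-neutral. The body of `load_profile_from_params` continues outside the hunk.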
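--- a/app/models/environment.rb
+++ b/app/models/environment.rb
@@ -25,6 +25,10 @@ class Environment < ActiveRecord::Base
   has_many :categories
   has_many :display_categories, :class_name => 'Category', :conditions => 'display_color is not null and parent_id is null', :order => 'display_color'
 
+  has_many :role_assignments, :as => 'resource'
+  def superior_intances
+    [self, nil]
+  end
   # #################################################
   # Attributes
   # #################################################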
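Review bot: `superior_intances` in the added method is misspelled; if the access-control plugin resolves a `superior_instances` hook by name, this definition is never called and any permission meant to be inherited through the environment silently fails to apply, so rename it to `def superior_instances`. The returned `[self, nil]` presumably includes `nil` so that resource-less (global) role assignments are also considered; a one-line comment such as `# nil also matches role assignments that have no resource` would make that intent explicit rather than leaving it to be inferred from the plugin. A blank line between the new `end` and the `# Attributes` banner would match the layout of the surrounding file.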
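--- a/app/models/organization.rb
+++ b/app/models/organization.rb
@@ -2,4 +2,12 @@
 class Organization < Profile
   has_one :organization_info
   has_many :validated_enterprises, :class_name => 'enterprise'
+
+# def info
+# organization_info
+# end
+
+# def info=(infos)
+# organization_info.update_attributes(infos)
+# end
 end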
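--- a/app/models/person.rb
+++ b/app/models/person.rb
@@ -1,5 +1,7 @@
 # A person is the profile of an user holding all relationships with the rest of the system
 class Person < Profile
+  acts_as_accessor
+
   belongs_to :user
 
   # has_many :friendships
@@ -8,23 +10,23 @@ class Person < Profile
   # has_many :people, :through => :person_friendships, :foreign_key => 'friend_id'
 
   has_one :person_info
+# has_many :role_assignments
 
-  has_many :role_assignments
-
-  def has_permission?(perm, res=nil)
-    role_assignments.any? {|ra| ra.has_permission?(perm, res)}
-  end
+# def has_permission?(perm, res=nil)
+# return true if res == self && PERMISSIONS[:profile].keys.include?(perm)
+# role_assignments.any? {|ra| ra.has_permission?(perm, res)}
+# end
 
-  def define_roles(roles, resource)
-    associations = RoleAssignment.find(:all, :conditions => {:resource_id => resource.id, :resource_type => resource.class.base_class.name, :person_id => self.id })
-    roles_add = roles - associations.map(&:role)
-    roles_remove = associations.map(&:role) - roles
-    associations.each { |a| a.destroy if roles_remove.include?(a.role) }
-    roles_add.each {|r| RoleAssignment.create(:person_id => self.id, :resource_id => resource.id, :resource_type => resource.class.base_class.name, :role_id => r.id) }
-  end
+# def define_roles(roles, resource)
+# associations = RoleAssignment.find(:all, :conditions => {:resource_id => resource.id, :resource_type => resource.class.base_class.name, :person_id => self.id })
+# roles_add = roles - associations.map(&:role)
+# roles_remove = associations.map(&:role) - roles
+# associations.each { |a| a.destroy if roles_remove.include?(a.role) }
+# roles_add.each {|r| RoleAssignment.create(:person_id => self.id, :resource_id => resource.id, :resource_type => resource.class.base_class.name, :role_id => r.id) }
+# end
 
   def self.conditions_for_profiles(conditions, person)
-    new_conditions = sanitize_sql(['role_assignments.person_id = ?', person])
+    new_conditions = sanitize_sql(['role_assignments.accessor_id = ?', person])
     new_conditions << ' AND ' + sanitize_sql(conditions) unless conditions.blank?
     new_conditions
   end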
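Review bot: `conditions_for_profiles` now filters on `role_assignments.accessor_id = ?` but not on `role_assignments.accessor_type`, while the new `role_assignments` table makes the accessor polymorphic (`accessor_id` plus `accessor_type`); if any model other than Person ever becomes an accessor, a row belonging to a different accessor class with the same numeric id would match and this authorization query would list profiles the person has no role on. Constrain both halves of the polymorphic key: `new_conditions = sanitize_sql(['role_assignments.accessor_id = ? AND role_assignments.accessor_type = ?', person, 'Person'])` (or `Person.base_class.name` if the plugin stores the STI base class, as the removed code did for `resource_type`). Whether other accessor types exist depends on the plugin, which is not part of this commit, so the exposure is latent today, but this is an access-control filter and should be exact rather than rely on id spaces never overlapping.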
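--- a/app/models/profile.rb
+++ b/app/models/profile.rb
@@ -15,6 +15,8 @@ class Profile < ActiveRecord::Base
     article = Article.find_by_path(profile.identifier)
     article.destroy if article
   end
+
+  acts_as_accessible
 
   # Valid identifiers must match this format.
   IDENTIFIER_FORMAT = /^[a-z][a-z0-9_]*[a-z0-9]$/
@@ -104,14 +106,14 @@ class Profile < ActiveRecord::Base
     homepage.children.find(:all, :limit => limit, :order => 'created_on desc')
   end
 
-  def affiliate(person, roles)
-    roles = [roles] unless roles.kind_of?(Array)
-    roles.map do |role|
-      unless RoleAssignment.find(:first, :conditions => {:person_id => person, :role_id => role, :resource_id => self, :resource_type => self.class.base_class.name})
-        RoleAssignment.new(:person => person, :role => role, :resource => self).save
-      else
-        false
-      end
-    end.any?
-  end
+# def affiliate(person, roles)
+# roles = [roles] unless roles.kind_of?(Array)
+# roles.map do |role|
+# unless RoleAssignment.find(:first, :conditions => {:person_id => person, :role_id => role, :resource_id => self, :resource_type => self.class.base_class.name})
+# RoleAssignment.new(:person => person, :role => role, :resource => self).save
+# else
+# false
+# end
+# end.any?
+# end
 end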
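--- a/app/models/role.rb
+++ /dev/null
@@ -1,43 +0,0 @@
-class Role < ActiveRecord::Base
-
-  PERMISSIONS = {
-    :profile => {
-      'edit_profile' => N_('Edit profile'),
-      'destroy_profile' => N_('Destroy profile'),
-      'manage_memberships' => N_('Manage memberships'),
-      'post_content' => N_('Post content'),
-    },
-    :system => {
-    }
-  }
-
-  PERMISSIONS_LIST = PERMISSIONS.values.map{|h| h.keys }.flatten
-
-  def self.permission_name(p)
-    msgid = PERMISSIONS.values.inject({}){|s,v| s.merge(v)}[p]
-    gettext(msgid)
-  end
-
-  has_many :role_assignments
-  serialize :permissions, Array
-  validates_uniqueness_of :name
-
-  def validate
-    unless (permissions - PERMISSIONS_LIST).empty?
-      errors.add :permissons, 'non existent permission'
-    end
-  end
-
-  def initialize(*args)
-    super(*args)
-    self[:permissions] ||= []
-  end
-
-  def has_permission?(perm)
-    permissions.include?(perm)
-  end
-
-  def has_kind?(kind)
-    permissions.any?{ |p| PERMISSIONS[kind][p] }
-  end
-end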
app/models/role_assignment.rb
db/migrate/014_create_roles.rb
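--- a/db/migrate/015_create_role_assignments.rb
+++ /dev/null
@@ -1,14 +0,0 @@
-class CreateRoleAssignments < ActiveRecord::Migration
-  def self.up
-    create_table :role_assignments do |t|
-      t.column :person_id, :integer
-      t.column :role_id, :integer
-      t.column :resource_id, :integer
-      t.column :resource_type, :string
-    end
-  end
-
-  def self.down
-    drop_table :role_assignments
-  end
-end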
... | ... | @@ -0,0 +1,21 @@ |
1 | +class AccessControlMigration < ActiveRecord::Migration | |
2 | + def self.up | |
3 | + create_table :roles do |t| | |
4 | + t.column :name, :string | |
5 | + t.column :permissions, :string | |
6 | + end | |
7 | + | |
8 | + create_table :role_assignments do |t| | |
9 | + t.column :accessor_id, :integer | |
10 | + t.column :accessor_type, :string | |
11 | + t.column :resource_id, :integer | |
12 | + t.column :resource_type, :string | |
13 | + t.column :role_id, :integer | |
14 | + end | |
15 | + end | |
16 | + | |
17 | + def self.down | |
18 | + drop_table :roles | |
19 | + drop_table :role_assignments | |
20 | + end | |
21 | +end | ... | ... |
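Review bot: The new `role_assignments` table is created without any index on its lookup columns, yet every permission check will query it by accessor and by resource; add `add_index :role_assignments, [:accessor_id, :accessor_type]` and `add_index :role_assignments, [:resource_id, :resource_type]` after the `create_table` block in `self.up`. `permissions` is declared `:string`; if the plugin serializes a list of permission names into it, as the removed Role model did with `serialize :permissions, Array`, a 255-character column can truncate or reject longer lists, so `:text` is the safer type — verify against the plugin's Role model. The file header for this migration is not shown on the rendered page, so its path and sequence number could not be checked against the removed 014/015 migrations.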
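--- a/lib/permission_check.rb
+++ /dev/null
@@ -1,15 +0,0 @@
-module PermissionCheck
-  protected
-  # Declares the +permission+ need to be able to access +action+.
-  #
-  # * +action+ must be a symbol or string with the name of the action
-  # * +permission+ must be a symbol or string naming the needed permission.
-  # * +target+ is the object over witch the user would need the specified permission.
-  def protect(actions, permission, target = nil)
-    before_filter :only => actions do |c|
-      unless c.send(:logged_in?) && c.send(:current_user).person.has_permission?(permission.to_s, c.send(target))
-        c.send(:render, {:file => 'app/views/shared/access_denied.rhtml', :layout => true})
-      end
-    end
-  end
-end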
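--- a/test/unit/role_assignment_test.rb
+++ /dev/null
@@ -1,21 +0,0 @@
-require File.dirname(__FILE__) + '/../test_helper'
-
-class RoleAssignmentTest < Test::Unit::TestCase
-  all_fixtures
-
-  def test_has_generic_permission
-    role = Role.create(:name => 'new_role', :permissions => ['permission'])
-    ra = RoleAssignment.create(:role => role)
-    assert ra.has_permission?('permission', nil)
-    assert !ra.has_permission?('not_permitted', nil)
-  end
-
-  def test_has_specific_permission
-    role = Role.create(:name => 'new_role', :permissions => ['permission'])
-    resource_A = Profile.create(:identifier => 'resource_a', :name => 'Resource A')
-    resource_B = Profile.create(:identifier => 'resource_b', :name => 'Resource B')
-    ra = RoleAssignment.create(:role => role, :resource => resource_A)
-    assert ra.has_permission?('permission', resource_A)
-    assert !ra.has_permission?('permission', resource_B)
-  end
-end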
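--- a/test/unit/role_test.rb
+++ /dev/null
@@ -1,38 +0,0 @@
-require File.dirname(__FILE__) + '/../test_helper'
-
-class RoleTest < Test::Unit::TestCase
-  all_fixtures
-
-  def test_role_creation
-    assert_difference Role, :count do
-      role = Role.new(:name => 'new_role')
-      assert role.save
-    end
-  end
-
-  def test_uniqueness_of_name
-    Role.create(:name => 'role_name')
-    role = Role.new(:name => 'role_name')
-    assert ! role.save
-  end
-
-  def test_name_of_permission
-    assert_equal 'Edit profile', Role.permission_name('edit_profile')
-  end
-
-  def test_permission_setting
-    role = Role.new(:name => 'permissive_role', :permissions => ['edit_profile'])
-    assert role.save
-    assert role.has_permission?('edit_profile')
-    role.permissions << 'post_content'
-    assert role.save
-    assert role.has_permission?('post_content')
-    assert role.has_permission?('edit_profile')
-  end
-
-  def test_permission_existece
-    role = Role.new(:name => 'role_with_non_existent_permission')
-    role.permissions << 'non_existent_permission'
-    assert ! role.save
-  end
-end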