From 4adddb4b777aa775ff3760d8376a8098a34d8353 Mon Sep 17 00:00:00 2001 From: MoisesMachado Date: Tue, 9 Oct 2007 20:02:15 +0000 Subject: [PATCH] ActionItem75: changed the rbac implementation to a plugin --- app/controllers/application.rb | 4 ++-- app/models/environment.rb | 4 ++++ app/models/organization.rb | 8 ++++++++ app/models/person.rb | 28 +++++++++++++++------------- app/models/profile.rb | 22 ++++++++++++---------- app/models/role.rb | 43 ------------------------------------------- app/models/role_assignment.rb | 9 --------- db/migrate/014_create_roles.rb | 12 ------------ db/migrate/015_create_role_assignments.rb | 14 -------------- db/migrate/018_access_control_migration.rb | 21 +++++++++++++++++++++ lib/permission_check.rb | 15 --------------- test/unit/role_assignment_test.rb | 21 --------------------- test/unit/role_test.rb | 38 -------------------------------------- 13 files changed, 62 insertions(+), 177 deletions(-) delete mode 100644 app/models/role.rb delete mode 100644 app/models/role_assignment.rb delete mode 100644 db/migrate/014_create_roles.rb delete mode 100644 db/migrate/015_create_role_assignments.rb create mode 100644 db/migrate/018_access_control_migration.rb delete mode 100644 lib/permission_check.rb delete mode 100644 test/unit/role_assignment_test.rb delete mode 100644 test/unit/role_test.rb diff --git a/app/controllers/application.rb b/app/controllers/application.rb index d6b7fcf..ee929e9 100644 --- a/app/controllers/application.rb +++ b/app/controllers/application.rb @@ -13,7 +13,7 @@ class ApplicationController < ActionController::Base init_gettext 'noosfero' - before_filter :detect_stuff_by_domain + before_filter :detect_stuff_by_domain, :load_profile_from_params attr_reader :environment protected 
@@ -29,7 +29,7 @@ class ApplicationController < ActionController::Base end end - before_filter :load_profile_from_params +# before_filter :load_profile_from_params def load_profile_from_params if params[:profile] @profile ||= Profile.find_by_identifier(params[:profile]) diff --git a/app/models/environment.rb b/app/models/environment.rb index 4a440db..ece54f3 100644 --- a/app/models/environment.rb +++ b/app/models/environment.rb @@ -25,6 +25,10 @@ class Environment < ActiveRecord::Base has_many :categories has_many :display_categories, :class_name => 'Category', :conditions => 'display_color is not null and parent_id is null', :order => 'display_color' + has_many :role_assignments, :as => 'resource' + def superior_intances + [self, nil] + end # ################################################# # Attributes # ################################################# diff --git a/app/models/organization.rb b/app/models/organization.rb index c5f2f4e..9d8d0c0 100644 --- a/app/models/organization.rb +++ b/app/models/organization.rb @@ -2,4 +2,12 @@ class Organization < Profile has_one :organization_info has_many :validated_enterprises, :class_name => 'enterprise' + +# def info +# organization_info +# end + +# def info=(infos) +# organization_info.update_attributes(infos) +# end end diff --git a/app/models/person.rb b/app/models/person.rb index 4f5fcff..9324fec 100644 --- a/app/models/person.rb +++ b/app/models/person.rb @@ -1,5 +1,7 @@ # A person is the profile of an user holding all relationships with the rest of the system class Person < Profile + acts_as_accessor + belongs_to :user # has_many :friendships 
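Review bot: The `before_filter :load_profile_from_params` line is commented out rather than deleted, and the same pattern repeats in organization.rb (`info`/`info=`), person.rb (`has_permission?`, `define_roles`) and profile.rb (`affiliate`); since the filter now runs from the first `before_filter` in the earlier hunk, the commented line is dead code and should be removed, as the version history already preserves it. The commented `has_permission?` in person.rb is especially worth deleting because its body differs from the removed implementation (an extra `return true if res == self && PERMISSIONS[:profile]...` check referencing an unqualified `PERMISSIONS`), so it reads as an unreviewed behaviour change parked in a comment. Proposed change for this hunk: drop the `# before_filter :load_profile_from_params` line entirely. ApplicationController continues outside the hunk.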
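Review bot: `superior_intances` looks like a typo for `superior_instances`; if the access-control plugin resolves the parent scope by that name, this method is never called and Environment-level role assignments would not be consulted — please confirm the name the plugin expects and rename accordingly. The return value `[self, nil]` also deserves a comment, since a `nil` entry in a list of superiors is not self-explanatory, e.g. `# nil stands for the global (unscoped) level — confirm against the access_control plugin`. The Environment class continues outside the hunk.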
@@ -8,23 +10,23 @@ class Person < Profile # has_many :people, :through => :person_friendships, :foreign_key => 'friend_id' has_one :person_info +# has_many :role_assignments - has_many :role_assignments - - def has_permission?(perm, res=nil) - role_assignments.any? {|ra| ra.has_permission?(perm, res)} - end +# def has_permission?(perm, res=nil) +# return true if res == self && PERMISSIONS[:profile].keys.include?(perm) +# role_assignments.any? {|ra| ra.has_permission?(perm, res)} +# end - def define_roles(roles, resource) - associations = RoleAssignment.find(:all, :conditions => {:resource_id => resource.id, :resource_type => resource.class.base_class.name, :person_id => self.id }) - roles_add = roles - associations.map(&:role) - roles_remove = associations.map(&:role) - roles - associations.each { |a| a.destroy if roles_remove.include?(a.role) } - roles_add.each {|r| RoleAssignment.create(:person_id => self.id, :resource_id => resource.id, :resource_type => resource.class.base_class.name, :role_id => r.id) } - end +# def define_roles(roles, resource) +# associations = RoleAssignment.find(:all, :conditions => {:resource_id => resource.id, :resource_type => resource.class.base_class.name, :person_id => self.id }) +# roles_add = roles - associations.map(&:role) +# roles_remove = associations.map(&:role) - roles +# associations.each { |a| a.destroy if roles_remove.include?(a.role) } +# roles_add.each {|r| RoleAssignment.create(:person_id => self.id, :resource_id => resource.id, :resource_type => resource.class.base_class.name, :role_id => r.id) } +# end def self.conditions_for_profiles(conditions, person) - new_conditions = sanitize_sql(['role_assignments.person_id = ?', person]) + new_conditions = sanitize_sql(['role_assignments.accessor_id = ?', person]) new_conditions << ' AND ' + sanitize_sql(conditions) unless conditions.blank? new_conditions end diff --git a/app/models/profile.rb b/app/models/profile.rb index 6f779bc..8546b09 100644 --- a/app/models/profile.rb 
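Review bot: `conditions_for_profiles` now filters only on `role_assignments.accessor_id`, but the new schema introduced in db/migrate/018_access_control_migration.rb makes the accessor polymorphic (`accessor_id` plus `accessor_type`), so an assignment belonging to a different accessor type with the same numeric id would match and expose that person's profile list. Constrain the type as well: `new_conditions = sanitize_sql(['role_assignments.accessor_id = ? AND role_assignments.accessor_type = ?', person, 'Person'])`. Only Person is `acts_as_accessor` in this diff, so the risk is latent today, but the polymorphic column signals other accessor types are anticipated. The Person class continues outside the hunk.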
+++ b/app/models/profile.rb @@ -15,6 +15,8 @@ class Profile < ActiveRecord::Base article = Article.find_by_path(profile.identifier) article.destroy if article end + + acts_as_accessible # Valid identifiers must match this format. IDENTIFIER_FORMAT = /^[a-z][a-z0-9_]*[a-z0-9]$/ @@ -104,14 +106,14 @@ class Profile < ActiveRecord::Base homepage.children.find(:all, :limit => limit, :order => 'created_on desc') end - def affiliate(person, roles) - roles = [roles] unless roles.kind_of?(Array) - roles.map do |role| - unless RoleAssignment.find(:first, :conditions => {:person_id => person, :role_id => role, :resource_id => self, :resource_type => self.class.base_class.name}) - RoleAssignment.new(:person => person, :role => role, :resource => self).save - else - false - end - end.any? - end +# def affiliate(person, roles) +# roles = [roles] unless roles.kind_of?(Array) +# roles.map do |role| +# unless RoleAssignment.find(:first, :conditions => {:person_id => person, :role_id => role, :resource_id => self, :resource_type => self.class.base_class.name}) +# RoleAssignment.new(:person => person, :role => role, :resource => self).save +# else +# false +# end +# end.any? +# end end diff --git a/app/models/role.rb b/app/models/role.rb deleted file mode 100644 index 27f535b..0000000 --- a/app/models/role.rb +++ /dev/null 
@@ -1,43 +0,0 @@ -class Role < ActiveRecord::Base - - PERMISSIONS = { - :profile => { - 'edit_profile' => N_('Edit profile'), - 'destroy_profile' => N_('Destroy profile'), - 'manage_memberships' => N_('Manage memberships'), - 'post_content' => N_('Post content'), - }, - :system => { - } - } - - PERMISSIONS_LIST = PERMISSIONS.values.map{|h| h.keys }.flatten - - def self.permission_name(p) - msgid = PERMISSIONS.values.inject({}){|s,v| s.merge(v)}[p] - gettext(msgid) - end - - has_many :role_assignments - serialize :permissions, Array - validates_uniqueness_of :name - - def validate - unless (permissions - PERMISSIONS_LIST).empty? - errors.add :permissons, 'non existent permission' - end - end - - def initialize(*args) - super(*args) - self[:permissions] ||= [] - end - - def has_permission?(perm) - permissions.include?(perm) - end - - def has_kind?(kind) - permissions.any?{ |p| PERMISSIONS[kind][p] } - end -end diff --git a/app/models/role_assignment.rb b/app/models/role_assignment.rb deleted file mode 100644 index dbff49d..0000000 --- a/app/models/role_assignment.rb +++ /dev/null @@ -1,9 +0,0 @@ -class RoleAssignment < ActiveRecord::Base - belongs_to :role - belongs_to :person - belongs_to :resource, :polymorphic => true - - def has_permission?(perm, res) - role.has_permission?(perm.to_s) && (resource == res) - end -end diff --git a/db/migrate/014_create_roles.rb b/db/migrate/014_create_roles.rb deleted file mode 100644 index 9553dfe..0000000 --- a/db/migrate/014_create_roles.rb +++ /dev/null @@ -1,12 +0,0 @@ -class CreateRoles < ActiveRecord::Migration - def self.up - create_table :roles do |t| - t.column :name, :string - t.column :permissions, :string - end - end - - def self.down - drop_table :roles - end -end diff --git a/db/migrate/015_create_role_assignments.rb b/db/migrate/015_create_role_assignments.rb deleted file mode 100644 index f2112b7..0000000 --- a/db/migrate/015_create_role_assignments.rb +++ /dev/null 
@@ -1,14 +0,0 @@ -class CreateRoleAssignments < ActiveRecord::Migration - def self.up - create_table :role_assignments do |t| - t.column :person_id, :integer - t.column :role_id, :integer - t.column :resource_id, :integer - t.column :resource_type, :string - end - end - - def self.down - drop_table :role_assignments - end -end diff --git a/db/migrate/018_access_control_migration.rb b/db/migrate/018_access_control_migration.rb new file mode 100644 index 0000000..543fc08 --- /dev/null +++ b/db/migrate/018_access_control_migration.rb @@ -0,0 +1,21 @@ +class AccessControlMigration < ActiveRecord::Migration + def self.up + create_table :roles do |t| + t.column :name, :string + t.column :permissions, :string + end + + create_table :role_assignments do |t| + t.column :accessor_id, :integer + t.column :accessor_type, :string + t.column :resource_id, :integer + t.column :resource_type, :string + t.column :role_id, :integer + end + end + + def self.down + drop_table :roles + drop_table :role_assignments + end +end diff --git a/lib/permission_check.rb b/lib/permission_check.rb deleted file mode 100644 index 9a08c09..0000000 --- a/lib/permission_check.rb +++ /dev/null @@ -1,15 +0,0 @@ -module PermissionCheck - protected - # Declares the +permission+ need to be able to access +action+. - # - # * +action+ must be a symbol or string with the name of the action - # * +permission+ must be a symbol or string naming the needed permission. - # * +target+ is the object over witch the user would need the specified permission. - def protect(actions, permission, target = nil) - before_filter :only => actions do |c| - unless c.send(:logged_in?) && c.send(:current_user).person.has_permission?(permission.to_s, c.send(target)) - c.send(:render, {:file => 'app/views/shared/access_denied.rhtml', :layout => true}) - end - end - end -end diff --git a/test/unit/role_assignment_test.rb b/test/unit/role_assignment_test.rb deleted file mode 100644 index 584f324..0000000 
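Review bot: `AccessControlMigration.up` re-creates the `roles` and `role_assignments` tables that the deleted migrations 014 and 015 already created, so on any database that has run those migrations `create_table :roles` will presumably fail with a table-already-exists error, and their `down` methods are no longer available to clean up; either drop the old tables first or document the required reset in the migration. The `role_assignments` table also gets no indexes, yet every permission check will look rows up by `(accessor_id, accessor_type)`, `(resource_id, resource_type)` and `role_id`, which becomes a full scan as the table grows; consider `add_index :role_assignments, [:accessor_id, :accessor_type]` and `add_index :role_assignments, [:resource_id, :resource_type]` after the `create_table` block. Minor style point: `down` drops the tables in the same order `up` creates them, whereas the usual convention is reverse order.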
--- a/test/unit/role_assignment_test.rb +++ /dev/null @@ -1,21 +0,0 @@ -require File.dirname(__FILE__) + '/../test_helper' - -class RoleAssignmentTest < Test::Unit::TestCase - all_fixtures - - def test_has_generic_permission - role = Role.create(:name => 'new_role', :permissions => ['permission']) - ra = RoleAssignment.create(:role => role) - assert ra.has_permission?('permission', nil) - assert !ra.has_permission?('not_permitted', nil) - end - - def test_has_specific_permission - role = Role.create(:name => 'new_role', :permissions => ['permission']) - resource_A = Profile.create(:identifier => 'resource_a', :name => 'Resource A') - resource_B = Profile.create(:identifier => 'resource_b', :name => 'Resource B') - ra = RoleAssignment.create(:role => role, :resource => resource_A) - assert ra.has_permission?('permission', resource_A) - assert !ra.has_permission?('permission', resource_B) - end -end diff --git a/test/unit/role_test.rb b/test/unit/role_test.rb deleted file mode 100644 index defda7e..0000000 --- a/test/unit/role_test.rb +++ /dev/null 
@@ -1,38 +0,0 @@ -require File.dirname(__FILE__) + '/../test_helper' - -class RoleTest < Test::Unit::TestCase - all_fixtures - - def test_role_creation - assert_difference Role, :count do - role = Role.new(:name => 'new_role') - assert role.save - end - end - - def test_uniqueness_of_name - Role.create(:name => 'role_name') - role = Role.new(:name => 'role_name') - assert ! role.save - end - - def test_name_of_permission - assert_equal 'Edit profile', Role.permission_name('edit_profile') - end - - def test_permission_setting - role = Role.new(:name => 'permissive_role', :permissions => ['edit_profile']) - assert role.save - assert role.has_permission?('edit_profile') - role.permissions << 'post_content' - assert role.save - assert role.has_permission?('post_content') - assert role.has_permission?('edit_profile') - end - - def test_permission_existece - role = Role.new(:name => 'role_with_non_existent_permission') - role.permissions << 'non_existent_permission' - assert ! role.save - end -end -- libgit2 0.21.2