Commit 4adddb4b777aa775ff3760d8376a8098a34d8353

Authored by MoisesMachado
1 parent 94d199c1

ActionItem75: changed the rbac implementation to a plugin


git-svn-id: https://svn.colivre.coop.br/svn/noosfero/trunk@641 3f533792-8f58-4932-b0fe-aaf55b0a4547
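--- a/app/controllers/application.rb
+++ b/app/controllers/application.rb
@@ -13,7 +13,7 @@ class ApplicationController < ActionController::Base
 
 init_gettext 'noosfero'
 
-before_filter :detect_stuff_by_domain
+before_filter :detect_stuff_by_domain, :load_profile_from_params
 attr_reader :environment
 
 protected
@@ -29,7 +29,7 @@ class ApplicationController < ActionController::Base
 end
 end
 
-before_filter :load_profile_from_params
+# before_filter :load_profile_from_params
 def load_profile_from_params
 if params[:profile]
 @profile ||= Profile.find_by_identifier(params[:profile])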
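Review bot: The superseded filter declaration at line 32 is commented out rather than deleted, and the same pattern — dead code kept as `#` comments — recurs in this commit in organization.rb, person.rb and profile.rb. Version control already preserves the removed implementations, so the commented blocks only obscure which code is live; delete them. The `ApplicationController` class continues outside both hunks.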
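--- a/app/models/environment.rb
+++ b/app/models/environment.rb
@@ -25,6 +25,10 @@ class Environment < ActiveRecord::Base
 has_many :categories
 has_many :display_categories, :class_name => 'Category', :conditions => 'display_color is not null and parent_id is null', :order => 'display_color'
 
+has_many :role_assignments, :as => 'resource'
+def superior_intances
+[self, nil]
+end
 # #################################################
 # Attributes
 # #################################################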
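Review bot: `superior_intances` at line 29 looks misspelled (`superior_instances`); if the access-control plugin resolves that name by convention, the typo means the method is never found and the `[self, nil]` chain is silently ignored — confirm against the plugin before this lands. Whatever the correct name, the array deserves a comment stating its contract, e.g. `# Instances consulted in order when resolving role assignments for this environment; nil presumably ends the chain — TODO confirm against acts_as_accessible`. The `has_many :role_assignments, :as => 'resource'` line is conventionally written with a symbol, `:as => :resource`. The `Environment` class continues outside the hunk.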
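--- a/app/models/organization.rb
+++ b/app/models/organization.rb
@@ -2,4 +2,12 @@
 class Organization < Profile
 has_one :organization_info
 has_many :validated_enterprises, :class_name => 'enterprise'
+
+# def info
+# organization_info
+# end
+
+# def info=(infos)
+# organization_info.update_attributes(infos)
+# end
 end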
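--- a/app/models/person.rb
+++ b/app/models/person.rb
@@ -1,5 +1,7 @@
 # A person is the profile of an user holding all relationships with the rest of the system
 class Person < Profile
+acts_as_accessor
+
 belongs_to :user
 
 # has_many :friendships
@@ -8,23 +10,23 @@ class Person < Profile
 # has_many :people, :through => :person_friendships, :foreign_key => 'friend_id'
 
 has_one :person_info
+# has_many :role_assignments
 
-has_many :role_assignments
-
-def has_permission?(perm, res=nil)
-role_assignments.any? {|ra| ra.has_permission?(perm, res)}
-end
+# def has_permission?(perm, res=nil)
+# return true if res == self && PERMISSIONS[:profile].keys.include?(perm)
+# role_assignments.any? {|ra| ra.has_permission?(perm, res)}
+# end
 
-def define_roles(roles, resource)
-associations = RoleAssignment.find(:all, :conditions => {:resource_id => resource.id, :resource_type => resource.class.base_class.name, :person_id => self.id })
-roles_add = roles - associations.map(&:role)
-roles_remove = associations.map(&:role) - roles
-associations.each { |a| a.destroy if roles_remove.include?(a.role) }
-roles_add.each {|r| RoleAssignment.create(:person_id => self.id, :resource_id => resource.id, :resource_type => resource.class.base_class.name, :role_id => r.id) }
-end
+# def define_roles(roles, resource)
+# associations = RoleAssignment.find(:all, :conditions => {:resource_id => resource.id, :resource_type => resource.class.base_class.name, :person_id => self.id })
+# roles_add = roles - associations.map(&:role)
+# roles_remove = associations.map(&:role) - roles
+# associations.each { |a| a.destroy if roles_remove.include?(a.role) }
+# roles_add.each {|r| RoleAssignment.create(:person_id => self.id, :resource_id => resource.id, :resource_type => resource.class.base_class.name, :role_id => r.id) }
+# end
 
 def self.conditions_for_profiles(conditions, person)
-new_conditions = sanitize_sql(['role_assignments.person_id = ?', person])
+new_conditions = sanitize_sql(['role_assignments.accessor_id = ?', person])
 new_conditions << ' AND ' + sanitize_sql(conditions) unless conditions.blank?
 new_conditions
 end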
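Review bot: `conditions_for_profiles` at line 29 filters `role_assignments` by `accessor_id` alone, but the table created in db/migrate/018_access_control_migration.rb makes the accessor polymorphic (`accessor_id` plus `accessor_type`), so an assignment held by a non-Person accessor that happens to share the id would satisfy the condition and widen the set of profiles returned. Constrain both columns, e.g. `new_conditions = sanitize_sql(['role_assignments.accessor_id = ? AND role_assignments.accessor_type = ?', person, 'Person'])`, with the type string matching whatever acts_as_accessor stores. The method is fully visible in the hunk; the `Person` class continues beyond it.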
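--- a/app/models/profile.rb
+++ b/app/models/profile.rb
@@ -15,6 +15,8 @@ class Profile < ActiveRecord::Base
 article = Article.find_by_path(profile.identifier)
 article.destroy if article
 end
+
+acts_as_accessible
 
 # Valid identifiers must match this format.
 IDENTIFIER_FORMAT = /^[a-z][a-z0-9_]*[a-z0-9]$/
@@ -104,14 +106,14 @@ class Profile < ActiveRecord::Base
 homepage.children.find(:all, :limit => limit, :order => 'created_on desc')
 end
 
-def affiliate(person, roles)
-roles = [roles] unless roles.kind_of?(Array)
-roles.map do |role|
-unless RoleAssignment.find(:first, :conditions => {:person_id => person, :role_id => role, :resource_id => self, :resource_type => self.class.base_class.name})
-RoleAssignment.new(:person => person, :role => role, :resource => self).save
-else
-false
-end
-end.any?
-end
+# def affiliate(person, roles)
+# roles = [roles] unless roles.kind_of?(Array)
+# roles.map do |role|
+# unless RoleAssignment.find(:first, :conditions => {:person_id => person, :role_id => role, :resource_id => self, :resource_type => self.class.base_class.name})
+# RoleAssignment.new(:person => person, :role => role, :resource => self).save
+# else
+# false
+# end
+# end.any?
+# end
 end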
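Review bot: With `Profile#affiliate` commented out here, `Person#has_permission?` commented out in person.rb and `lib/permission_check.rb` deleted, nothing in this commit shows what now answers permission checks or renders the access-denied page; the new `acts_as_accessible` / `acts_as_accessor` declarations presumably bring the plugin's replacements, but the plugin is not part of the diff. Worth confirming that every controller that used `protect` still denies access after the switch, and that callers of `affiliate` were updated. As a point of style, `acts_as_accessible` at line 19 sits between a callback block and the `IDENTIFIER_FORMAT` constant; grouping it with the other class-level macros at the top of the class would make the declaration easier to find. The `Profile` class continues outside both hunks.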
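--- a/app/models/role.rb
+++ b/app/models/role.rb
@@ -1,43 +0,0 @@
-class Role < ActiveRecord::Base
-
-PERMISSIONS = {
-:profile => {
-'edit_profile' => N_('Edit profile'),
-'destroy_profile' => N_('Destroy profile'),
-'manage_memberships' => N_('Manage memberships'),
-'post_content' => N_('Post content'),
-},
-:system => {
-}
-}
-
-PERMISSIONS_LIST = PERMISSIONS.values.map{|h| h.keys }.flatten
-
-def self.permission_name(p)
-msgid = PERMISSIONS.values.inject({}){|s,v| s.merge(v)}[p]
-gettext(msgid)
-end
-
-has_many :role_assignments
-serialize :permissions, Array
-validates_uniqueness_of :name
-
-def validate
-unless (permissions - PERMISSIONS_LIST).empty?
-errors.add :permissons, 'non existent permission'
-end
-end
-
-def initialize(*args)
-super(*args)
-self[:permissions] ||= []
-end
-
-def has_permission?(perm)
-permissions.include?(perm)
-end
-
-def has_kind?(kind)
-permissions.any?{ |p| PERMISSIONS[kind][p] }
-end
-end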
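--- a/app/models/role_assignment.rb
+++ b/app/models/role_assignment.rb
@@ -1,9 +0,0 @@
-class RoleAssignment < ActiveRecord::Base
-belongs_to :role
-belongs_to :person
-belongs_to :resource, :polymorphic => true
-
-def has_permission?(perm, res)
-role.has_permission?(perm.to_s) && (resource == res)
-end
-end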
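--- a/db/migrate/014_create_roles.rb
+++ b/db/migrate/014_create_roles.rb
@@ -1,12 +0,0 @@
-class CreateRoles < ActiveRecord::Migration
-def self.up
-create_table :roles do |t|
-t.column :name, :string
-t.column :permissions, :string
-end
-end
-
-def self.down
-drop_table :roles
-end
-end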
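--- a/db/migrate/015_create_role_assignments.rb
+++ b/db/migrate/015_create_role_assignments.rb
@@ -1,14 +0,0 @@
-class CreateRoleAssignments < ActiveRecord::Migration
-def self.up
-create_table :role_assignments do |t|
-t.column :person_id, :integer
-t.column :role_id, :integer
-t.column :resource_id, :integer
-t.column :resource_type, :string
-end
-end
-
-def self.down
-drop_table :role_assignments
-end
-end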
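--- a/db/migrate/018_access_control_migration.rb
+++ b/db/migrate/018_access_control_migration.rb
@@ -0,0 +1,21 @@
+class AccessControlMigration < ActiveRecord::Migration
+def self.up
+create_table :roles do |t|
+t.column :name, :string
+t.column :permissions, :string
+end
+
+create_table :role_assignments do |t|
+t.column :accessor_id, :integer
+t.column :accessor_type, :string
+t.column :resource_id, :integer
+t.column :resource_type, :string
+t.column :role_id, :integer
+end
+end
+
+def self.down
+drop_table :roles
+drop_table :role_assignments
+end
+end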
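Review bot: `AccessControlMigration` creates `roles` and `role_assignments`, the same tables that the deleted migrations 014 and 015 created; on a database that has already run those, `create_table :roles` at line 3 will presumably fail because the table exists, and schema versions 14 and 15 now have no migration behind them. Either keep 014/015 and make 018 a rename of `person_id` to `accessor_id` plus an added `accessor_type`, or document that existing databases must be rebuilt. The lookup columns also carry no index, so every permission check scans the table as it grows; `add_index :role_assignments, [:accessor_id, :accessor_type]` and `add_index :role_assignments, [:resource_id, :resource_type]` after the `create_table` block would cover the two access paths.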
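--- a/lib/permission_check.rb
+++ b/lib/permission_check.rb
@@ -1,15 +0,0 @@
-module PermissionCheck
-protected
-# Declares the +permission+ need to be able to access +action+.
-#
-# * +action+ must be a symbol or string with the name of the action
-# * +permission+ must be a symbol or string naming the needed permission.
-# * +target+ is the object over witch the user would need the specified permission.
-def protect(actions, permission, target = nil)
-before_filter :only => actions do |c|
-unless c.send(:logged_in?) && c.send(:current_user).person.has_permission?(permission.to_s, c.send(target))
-c.send(:render, {:file => 'app/views/shared/access_denied.rhtml', :layout => true})
-end
-end
-end
-end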
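--- a/test/unit/role_assignment_test.rb
+++ b/test/unit/role_assignment_test.rb
@@ -1,21 +0,0 @@
-require File.dirname(__FILE__) + '/../test_helper'
-
-class RoleAssignmentTest < Test::Unit::TestCase
-all_fixtures
-
-def test_has_generic_permission
-role = Role.create(:name => 'new_role', :permissions => ['permission'])
-ra = RoleAssignment.create(:role => role)
-assert ra.has_permission?('permission', nil)
-assert !ra.has_permission?('not_permitted', nil)
-end
-
-def test_has_specific_permission
-role = Role.create(:name => 'new_role', :permissions => ['permission'])
-resource_A = Profile.create(:identifier => 'resource_a', :name => 'Resource A')
-resource_B = Profile.create(:identifier => 'resource_b', :name => 'Resource B')
-ra = RoleAssignment.create(:role => role, :resource => resource_A)
-assert ra.has_permission?('permission', resource_A)
-assert !ra.has_permission?('permission', resource_B)
-end
-end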
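--- a/test/unit/role_test.rb
+++ b/test/unit/role_test.rb
@@ -1,38 +0,0 @@
-require File.dirname(__FILE__) + '/../test_helper'
-
-class RoleTest < Test::Unit::TestCase
-all_fixtures
-
-def test_role_creation
-assert_difference Role, :count do
-role = Role.new(:name => 'new_role')
-assert role.save
-end
-end
-
-def test_uniqueness_of_name
-Role.create(:name => 'role_name')
-role = Role.new(:name => 'role_name')
-assert ! role.save
-end
-
-def test_name_of_permission
-assert_equal 'Edit profile', Role.permission_name('edit_profile')
-end
-
-def test_permission_setting
-role = Role.new(:name => 'permissive_role', :permissions => ['edit_profile'])
-assert role.save
-assert role.has_permission?('edit_profile')
-role.permissions << 'post_content'
-assert role.save
-assert role.has_permission?('post_content')
-assert role.has_permission?('edit_profile')
-end
-
-def test_permission_existece
-role = Role.new(:name => 'role_with_non_existent_permission')
-role.permissions << 'non_existent_permission'
-assert ! role.save
-end
-end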