stffn / declarative_authorization
An unmaintained authorization plugin for Rails. Please fork to support current versions of Rails
License: MIT License
Hi,
I've created the following rules
role :guest do
  has_permission_on :news_articles, :to => :news_articles_view do
    if_attribute :status => is {'approved'}
  end
end
and
privilege :news_articles_view do
  includes :index, :show, :tag, :category
end
but NewsArticle instances with a status other than approved are still visible :( Could you tell me please where I'm wrong?
PS: other roles/permissions work fine
PPS: thanks a lot for perfect plugin :)
I've been bit by this a few times. I would much prefer decl auth to be noisy about method-missing errors, rather than having the exception go straight to the log.
A patch if you agree:
http://github.com/timcharper/declarative_authorization/tree/noisy_nomethod
The line in_controller.rb:559 should be:
contr.logger.debug...
instead of:
logger.debug...
I receive the following error when trying to call a show action in my users controller
This is how my role is set up:
role :user do
  includes :guest
  has_permission_on :reviews, :to => [:new, :create]
  has_permission_on :reviews, :to => [:edit, :update] do
    if_attribute :user => is { user }
  end
  has_permission_on :users, :to => [:edit, :update] do
    if_attribute :user => is { user }
  end
end
And this is the problem permission call
<%= link_to 'Edit profile', edit_user_path(@user), :id => 'edit_profile' if permitted_to? :edit, @user %>
has_role? returns: Authorization::AuthorizationUsageError Exception: User object doesn't respond to roles
I would imagine the desired return value to be false on guest user.
missing parameter &block in method permitted_to?
See here:
http://github.com/stffn/declarative_authorization/blob/f2aa048/test/test_helper.rb#L21-26
nil is not a valid version requirement on my version of rubygems, and it breaks.
See this patch for the fix :)
If a user doesn't have access to a resource, the instance variable is still populated, even though the resource is not then delivered to the user.
Only assigning the variables if the user does have access would be a win for performance and security, albeit probably only in obscure edge cases.
I realized some cases do require accessing the data in the db to actually determine the authorization -- what do you think of setting these variables back to nil as soon as it is discovered that the user does not have access?
I suppose there are probably people who still use the data for other purposes and still want it around, even in the views?
Just thinking out loud… let me know what you think. If you think it's a good idea to set them to nil, I'll be happy to put together a patch.
John
Because it's annoying to write "Authorization::Maintenance::without_access_control" in every data changing migration, I put the following code into an initializer. Perhaps you can add it into the plugin:
module ActiveRecord
  class Migrator
    class << self
      alias_method :original_migrate, :migrate
    end

    def self.migrate(*args)
      Authorization::Maintenance::without_access_control do
        self.original_migrate(*args)
      end
    end
  end
end
I'd like to have an option for filter_resource_access to toggle for which actions I don't want the "default" load_object to be executed (like the attribute_check switch).
In my ArticlesController, I have a search action which doesn't use params[:id] to make a simple database lookup, but uses params[:searchterm] to search via Sphinx Search.
So I always got the error "ActiveRecord::RecordNotFound (Couldn't find Article without an ID)", because load_object tried to find a record with the ID equal to a text term :-)
Setting failed_auto_loading_is_not_found and attribute_check on filter_access_to didn't change anything.
After moving to declarative_authorization, it took me some time to find the following workaround:
class ArticlesController < ApplicationController
  before_filter :fake_article, :only => :search
  filter_resource_access

  def search
    # Search using Sphinx Search
    @articles = Article.search params[:searchterm]
  end

  # ...

  protected

  def fake_article
    logger.debug "Creating fake article."
    @article = Article.new
  end
end
Would it be possible to enhance the existing implementation by allowing the retrieval of roles and permissions from the database? Essentially, there would be no static authorization rules file, and filtering would be done based on the roles and permissions in the database?
The User and Role models are associated with has_many :through.
I am also using Authlogic. I created 2 roles, admin and contributor, and assigned permissions to both roles as well as guest. Guest has no problem, but when either user logs in they get a no access error.
Here is the rules file
authorization do
  role :admin do
    includes :guest
    has_permission_on [:users, :roles, :articles, :home, :user_sessions], :to => [:index, :show, :new, :create, :update, :destroy, :edit]
  end
  role :guest do
    has_permission_on [:articles, :comments, :home, :roles, :users], :to => [:index, :show, :create, :new, :update, :edit]
  end
  role :contributor do
    has_permission_on [:articles, :users, :home], :to => [:index, :show, :create, :new, :update, :edit]
  end
end
Here is my role_symbols method
def role_symbols
  # roles.map do |role|
  #   role.name.underscore.to_sym
  # end
  (self.roles || []).map {|r| r.name.to_sym}
end
Error in the logs
Processing HomeController#index (for 127.0.0.1 at 2010-02-07 00:02:05) [GET]
  User Columns (0.0ms)   SHOW FIELDS FROM users
  User Load (0.0ms)   SELECT * FROM users WHERE (users.id = '24') LIMIT 1
  SQL (0.0ms)   BEGIN
  User Update (0.0ms)   UPDATE users SET perishable_token = 'QxUlovcyJAkEjy7kHCfO', updated_at = '2010-02-07 08:02:05', last_request_at = '2010-02-07 08:02:05' WHERE id = 24
  User Load (0.0ms)   SELECT * FROM users WHERE (users.id = 24)
  SQL (63.0ms)   COMMIT
The use of user.roles is deprecated. Please add a method role_symbols to your User model.
  Role Load (0.0ms)   SELECT roles.* FROM roles INNER JOIN assignments ON roles.id = assignments.role_id WHERE ((assignments.user_id = 24))
  Role Columns (0.0ms)   SHOW FIELDS FROM roles
Permission denied: User.roles doesn't return an Array of Symbols ([#<Role id: 7, name: "admin", created_at: "2010-02-07 03:09:07", updated_at: "2010-02-07 03:09:07">])
Filter chain halted as [:filter_access_filter] rendered_or_redirected.
Completed in 172ms (View: 16, DB: 63) | 403 Forbidden [http://localhost/]
I just start with automatic testing and found a problem with authorization plugin. The request_with methods, like get_with, put_with etc., ignore given user and consider all requests to be sent by a guest.
I restrict access to index of articles only for admin:
# config/authorization_rules.rb
authorization do
  role :admin do
    has_permission_on :articles, :to => :index
  end
end
add 'filter_resource_access' to the articles controller and then make a simple test:
# test/functional/articles_controller_test.rb
require 'test_helper'

class ArticlesControllerTest < ActionController::TestCase
  test "should get index" do
    with_user(admin) do
      should_be_allowed_to :index, :articles # OK
    end
    get_with admin, :index
    assert_response :success # failed - Expected response to be a <:success>, but was <403>
  end
end
The last assert fails - the page should be rendered, but the response status is :forbidden. If I do it manually (launch server, login as admin and view page), it works well - the page is shown. Log file for test (log/test.log) shows that there was a request for the page and the user was a guest:
Processing ArticlesController#index (for 0.0.0.0 at 2009-12-23 18:49:46) [GET]
Parameters: {"action"=>"index", "controller"=>"articles"}
Permission denied: No matching rules found for index for #<Authorization::GuestUser:0xb66ffa34 @role_symbols=[:guest]> (roles [:guest], privileges [:index, :read, :manage], context :articles).
Filter chain halted as [:filter_access_filter] rendered_or_redirected.
Completed in 9ms (View: 1, DB: 12) | 403 Forbidden [http://test.host/articles]
Let's take a look at the request with method.
# File lib/declarative_authorization/maintenance.rb, line 156
def request_with (user, method, xhr, action, params = {},
                  session = {}, flash = {})
  session = session.merge({:user => user, :user_id => user.id}) # creates session[:user]
  with_user(user) do # assigns Authorization.current_user = admin
    if xhr
      xhr method, action, params, session, flash
    else
      send method, action, params, session, flash # assigns Authorization.current_user = nil and performs the request
    end
  end
end
First it creates a session with given user, then it assigns admin as current user. So far so good. Then it performs a request which activates filters in application controller, namely the :set_current_user before_filter. The method I'm using doesn't take care of session[:user], it uses its own method for determining the current user. It doesn't find any current user and assigns nil to Authorization.current_user, which is later replaced by a default GuestUser.
# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  before_filter :set_current_user

  def current_user
    # find the current user, I'm using authlogic here
    UserSession.find.record
  end

  def set_current_user
    Authorization.current_user = current_user
  end
  ...
end
If I add session[:user] to the before filter in my application controller, the test passes without any failure, as expected.
# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  ...
  def set_current_user
    Authorization.current_user = current_user || session[:user]
  end
  ...
end
I believe this is a bug, at least there should be a notice in documentation about this behavior. I can provide any further information if needed or maybe even a patch. But I'm still a junior developer and I'm not sure whether my solution would be the correct one.
Please push the gem to gemcutter. It's a matter of
gem push yourgem-0.0.1.gem
I find myself wanting to be able to add a role that has access to everything without me having to specifically permit him. Do you think this is bad design? Not needed?
As described in this thread in the google group:
http://groups.google.com/group/declarative_authorization/browse_thread/thread/2029d99b9d7df2cb#
Hello, I am hooking declarative_authorization into my application. If I use if_attribute in my authorization rules, the program starts throwing me back a 403 page.
Permission denied: No matching rules found for edit for #<Client id: 3, uniqueid: "something"......
Filter chain halted as [:filter_access_filter] rendered_or_redirected.
Have you seen this before? Where in the code should I look to understand what is going on?
Thanks a lot!
Hello!
I've got a problem with how has_role? works. Somehow it checks only the first role in the array of roles given (:manager here).
has_role? :moderator, :admin do
  @app.approved = true
end
First: thanks for this marvelous gem!!
Using pluralize on a controller_name that is already in its pluralized version is not a problem, unless it is a special word like "people":
When you do "organisations".pluralize, you get "organisations"
When you do "people".pluralize, you get "peoples"
The workaround would be to call singularize, then pluralize. So in file "in_controller.rb", I changed the following line:
context = @context || contr.class.controller_name.pluralize.to_sym
to the following
context = @context || contr.class.controller_name.singularize.pluralize.to_sym
This seems to resolve the problem.
There is a critical issue in d_a which fires up unneeded database queries. I stumbled upon the issue while profiling my own application, which makes heavy use of d_a AND uses a lot of named scopes. Some requests in my app are very slow and I discovered that there are many SQL queries in the log which are not needed. These queries are generated by d_a. Because I don't know how to fix it I will give you a detailed description to reproduce the issue based on the d_a_demo_app:
Install the official demo app from http://github.com/stffn/decl_auth_demo_app on your development machine
The demo app does not use any named scope, so add this example scope to talk.rb:
named_scope :with_abstract, :conditions => "talks.abstract IS NOT NULL"
Conference.first.talks.with_abstract.with_permissions_to(:read).find :all, :limit => 2
SELECT * FROM "conferences" LIMIT 1
SELECT * FROM "talks" WHERE ("talks".conference_id = 1) AND ((talks.abstract IS NOT NULL) AND ("talks".conference_id = 1))
SELECT "talks".* FROM "talks" INNER JOIN "conferences" ON "conferences".id = "talks".conference_id WHERE ("talks".conference_id = 1) AND (((("conferences"."published" = 't')) AND (talks.abstract IS NOT NULL)) AND ("talks".conference_id = 1)) LIMIT 2
Please have a look at the second query. It is not needed at all and should not be there! So far as I see, this time consuming query is only generated if the scope "with_permissions_to" is combined with an existing named scope.
You also see a second issue (duplicate condition in the WHERE clause), but this is another story (not as important).
I just spent about a day and a half trying to get declarative_authorization to play along with authlogic. Well I thought that was the cause of my problems. Finally I chanced on someone's post where they realized their problem was that they had an authorization_roles file instead of an authorization_rules file. Heh. Me too! But that's a really easy mistake considering how much one has Roles on the brain when getting ready to write that file. It would sure be nice if there was a complaint in the logger about not finding a roles file..er I mean rules file...see what I mean! Instead it just says no roles found and leaves the poor newb to pound on the user model and the before_filter and all sorts of other red herrings. Just a thought...
After your last update 3 hours ago I now get an error at Rails startup (see title)
I tested Rails.root.join("config", "authorization.rb") and it worked fine in console (without the gem)...
Ruby 1.9.1p378
Rails Beta3 (same with Rails Beta 2)
With version 0.4 we have a bug like in issue #7 again:
MyModel.with_permissions_to(:read).foo_scope
=> One query, all is fine
MyModel.foo_scope.with_permissions_to(:read)
=> Two queries: the first for "MyModel.foo.find :all" (unnecessary), the second is the right one.
If you can't reproduce this, I will try to build a failing test or something.
Right now, user.id is called regardless of whether user is nil or not, causing an exception if it is.
Here's a patch:
but it adds complexity and redundancy :( I was building my own version of the gem and didn't realize that the gemspec checked in to the repo was out of date.
Things work just fine if you stick the Dir.glob's right in the gemspec. The only reason I could perceive why you wouldn't want to do this is if you used a gem build server that didn't trust you (like GitHub, for example, which no longer builds gems). gem build gemspec will unfold the globs for you in the final product.
Patch: http://github.com/timcharper/declarative_authorization/tree/gemspec_fix
Currently the documentation says that this plugin should work in Rails >= 2.1. But I can't get it to work in 2.1.3. I get the following exception
undefined method `each_with_object' for [:new, :create]:Array
...
vendor/plugins/declarative_authorization/lib/declarative_authorization/in_controller.rb:549:in `actions_from_option'
vendor/plugins/declarative_authorization/lib/declarative_authorization/in_controller.rb:447:in `filter_resource_access'
From what I can see, the each_with_object method wasn't added until Rails 2.2. http://guides.rubyonrails.org/2_2_release_notes.html
declarative_authorization does not work anymore with rails3 beta3. This is due to the fact that the ActiveRecord::NamedScope::Scope class has been removed and ObligationScope inherits from it.
See:
lib/declarative_authorization/obligation_scope.rb line 45
It seems that would be a more sensible default, what do you think?
Happy to submit a patch if you agree
It would be very much helpful if declarative_authorization also had Rails 3.0 support, because I tried it with Rails 3.0 and ran into problems; I think those are mainly because of the changes in the named scopes for ActiveRecord, which now return a relation, and callbacks. Would love to see Rails 3.0 support implemented sooner.
Latest gem version (0.4) has a bug fixed in commit 8e2401e
It's a very annoying bug.
The if_attribute should support the following:
if_attribute :created_at => 1.month.ago..Time.now
Hi!
In 1.9 we can't call instance_eval passing lambdas, only procs.
ActionView::TemplateError (wrong number of arguments (1 for 0))
The first solution is to make the rule reader use proc instead of lambda:
def parse_attribute_conditions_hash! (hash)
  merge_hash = {}
  hash.each do |key, value|
    if value.is_a?(Hash)
      parse_attribute_conditions_hash!(value)
    elsif !value.is_a?(Array)
      merge_hash[key] = [:is, proc { value }]
    elsif value.is_a?(Array) and !value[0].is_a?(Symbol)
      merge_hash[key] = [:is_in, proc { value }]
    end
  end
  hash.merge!(merge_hash)
end
The second is calling instance_exec in the attribute validator:
def evaluate (value_block)
  instance_exec(&value_block)
end
Ivan.
Hi, I get an error in Rails 3.0.0.beta3
(gem 'declarative_authorization', :git => 'git://github.com/stffn/declarative_authorization.git')
Error reading authorization rules file with path '/config/authorization_rules.rb'! Please ensure it exists and that it is accessible.
please fix in file "lib/declarative_authorization/authorization.rb":
AUTH_DSL_FILES = ["#{Rails.root}/config/authorization_rules.rb"] unless defined? AUTH_DSL_FILES
to
AUTH_DSL_FILES = [Rails.root.join('config', 'authorization_rules.rb')]
When looking at /authorization_rules I get the following error:
Showing /var/lib/gems/1.8/gems/declarative_authorization-0.4/app/views/authorization_rules/index.html.erb where line #16 raised:
one hash required
Extracted source (around line #16):
13: pre.with-notes {padding-left: 35px}
14: </style>
15:
16: <%= policy_analysis_hints(syntax_highlight(h(@auth_rules_script)),@auth_rules_script) %>
17:
/var/lib/gems/1.8/gems/i18n-0.3.3/lib/i18n/core_ext/string/interpolate.rb:88:in `%'
/var/lib/gems/1.8/gems/declarative_authorization-0.4/lib/declarative_authorization/development_support/analyzer.rb:107:in `message'
/var/lib/gems/1.8/gems/declarative_authorization-0.4/lib/declarative_authorization/development_support/analyzer.rb:89:in `mark'
/var/lib/gems/1.8/gems/declarative_authorization-0.4/lib/declarative_authorization/development_support/analyzer.rb:49:in `analyze'
/var/lib/gems/1.8/gems/declarative_authorization-0.4/lib/declarative_authorization/development_support/analyzer.rb:35:in `analyze'
/var/lib/gems/1.8/gems/declarative_authorization-0.4/lib/declarative_authorization/development_support/analyzer.rb:32:in `each'
/var/lib/gems/1.8/gems/declarative_authorization-0.4/lib/declarative_authorization/development_support/analyzer.rb:32:in `analyze'
/var/lib/gems/1.8/gems/declarative_authorization-0.4/app/helpers/authorization_rules_helper.rb:27:in `policy_analysis_hints'
blahblahblah....
I created a dummy fix by changing lines 106-108 of
declarative_authorization-0.4/lib/declarative_authorization/development_support/analyzer.rb
into
def message (object)
  "The ratio of small roles is quite high (> %.0f). Consider refactoring." % (SMALL_ROLES_RATIO * 100)
end
most certainly not the correct fix, but I'm a total newbie with ruby and rails.
object_attribute_value raises AuthorizationUsageError exception when the send method fails with NoMethodError. It would be better if in this case the method returned just nil flunking the rule. In my application I have polymorphic association: Paragraph belongs_to(:owner, :polymorphic => true), [ ManPage, WomanPage ] has_many(:paragraphs, :as => :owner). Owners have different attributes. Rules look like this:
has_permission_on :paragraphs, :to => :manage do
  if_attribute :owner => { :man => is { user } }
  if_attribute :owner => { :woman => is { user } }
end
So WomanPage does not have :man, and we get NoMethodError.
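As an added illustration (hypothetical code, not the gem's own), the sketch below is a miniature if_attribute checker that bakes in three behaviours raised in these issues: a Range as a condition (the created_at request above), value blocks evaluated with instance_exec so Ruby 1.9+ lambdas work, and a missing attribute (:man on a WomanPage) flunking the rule instead of raising. The RuleDSL, AttributeValidator and Struct model names are assumptions.

```ruby
# Hypothetical sketch of an if_attribute checker; not declarative_authorization's code.
module RuleDSL
  module_function

  # The DSL helpers package an operator with its value block; the block is
  # evaluated later in the validator's context, where `user` is defined.
  def is(&block);       [:is, block];       end
  def is_not(&block);   [:is_not, block];   end
  def is_in(&block);    [:is_in, block];    end
  def contains(&block); [:contains, block]; end
end

class AttributeValidator
  attr_reader :user

  def initialize(user)
    @user = user
  end

  # Normalise a conditions hash into { attr => [op, proc] } (nested hashes
  # recurse). Plain values mean :is, Arrays and Ranges mean :is_in, and a
  # pair whose first element is a Symbol is already an [op, block] pair.
  # Same shape as parse_attribute_conditions_hash! above, plus Range support.
  def parse_conditions(hash)
    hash.each_with_object({}) do |(key, value), out|
      out[key] =
        case value
        when Hash  then parse_conditions(value)
        when Array then value[0].is_a?(Symbol) ? value : [:is_in, proc { value }]
        when Range then [:is_in, proc { value }]
        else [:is, proc { value }]
        end
    end
  end

  # instance_exec rebinds self without yielding an argument, so both
  # proc { user } and lambda { user } evaluate here (instance_eval would
  # pass self to the lambda and fail its arity check).
  def evaluate(value_block)
    instance_exec(&value_block)
  end

  # True only if every condition holds for obj. An attribute the object
  # does not respond to makes the rule fail rather than raise. Nested
  # hashes are checked against a single associated object here.
  def validate?(obj, conditions)
    parse_conditions(conditions).all? do |attr, cond|
      next false unless obj.respond_to?(attr)
      attr_value = obj.public_send(attr)
      if cond.is_a?(Hash)
        validate?(attr_value, cond)   # e.g. :owner => { :man => ... }
      else
        op, block = cond
        expected = evaluate(block)
        case op
        when :is       then attr_value == expected
        when :is_not   then attr_value != expected
        when :is_in    then expected.is_a?(Range) ? expected.cover?(attr_value) : expected.include?(attr_value)
        when :contains then attr_value.include?(expected)
        else false
        end
      end
    end
  end
end

# Constructed sample models standing in for the polymorphic owner case.
User      = Struct.new(:name)
ManPage   = Struct.new(:man)
WomanPage = Struct.new(:woman)
Paragraph = Struct.new(:owner, :status, :created_at)

# The two owner rules from the issue; `user` resolves inside the validator.
def owner_rules
  [
    { :owner => { :man   => RuleDSL.is { user } } },
    { :owner => { :woman => RuleDSL.is { user } } },
  ]
end

# Treats the two if_attribute clauses as alternatives, as the issue intends:
# true if either rule holds, false (never an exception) otherwise.
def manage_allowed?(user, paragraph)
  validator = AttributeValidator.new(user)
  owner_rules.any? { |rule| validator.validate?(paragraph, rule) }
end
```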
When recursing into obligations to check authorization, an incorrect context name is generated. This is caused by using ActiveRecord::Base#table_name for the context name, instead of the model name tableized as is used everywhere else. The following patch should fix that:
--- /lib/declarative_authorization/authorization.rb
+++ /lib/declarative_authorization/authorization.rb
@@ -614,7 +614,7 @@
@context ||= begin
rule_model = attr_validator.context.to_s.classify.constantize
context_reflection = self.class.reflection_for_path(rule_model, path + [hash_or_attr])
- context_reflection.klass.table_name.to_sym
+ context_reflection.klass.to_s.tableize.to_sym
rescue # missing model, reflections
hash_or_attr.to_s.pluralize.to_sym
end
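Review bot: the replacement line `+ context_reflection.klass.to_s.tableize.to_sym` yields a slashed name for namespaced models (`Admin::User` tableizes to `admin/users`), so confirm that is what the rest of the engine produces for such contexts before relying on it; and since the bare `rescue # missing model, reflections` just below catches any StandardError, a failure anywhere in the three lines above it (including `constantize`) silently falls back to `hash_or_attr.to_s.pluralize.to_sym`, which hides misconfigured rules. Consider rescuing NameError/NoMethodError only, and adding a test with a model whose `table_name` differs from its tableized class name so the regression this fixes stays covered.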
It's not possible to do nesting like this:
Authorization::Maintenance::without_access_control do
  do_something
  Authorization::Maintenance::without_access_control do
    do_something
  end
  do_something # => here the access control takes place again!
end
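Added example, not the gem's own code: a naive toggle that unconditionally re-enables access control on exit shows the behaviour reported above, while saving and restoring the caller's state (in an ensure clause) keeps the outer block's setting intact and also survives exceptions. The module names, the thread-local keys and nesting_trace are assumptions.

```ruby
# Hypothetical models of the two behaviours; the real gem's internals may differ.

# Naive: exit always flips the flag off, so an inner block re-enables
# access control for the remainder of the outer block.
module NaiveMaintenance
  KEY = :naive_disable_access_control

  def self.access_control_disabled?
    Thread.current[KEY] ? true : false
  end

  def self.without_access_control
    Thread.current[KEY] = true
    yield
  ensure
    Thread.current[KEY] = false   # unconditionally re-enables
  end
end

# Re-entrant: remember what the caller had and restore exactly that,
# whether the block returns normally or raises.
module NestableMaintenance
  KEY = :nestable_disable_access_control

  def self.access_control_disabled?
    Thread.current[KEY] ? true : false
  end

  def self.without_access_control
    previous = Thread.current[KEY]
    Thread.current[KEY] = true
    yield
  ensure
    Thread.current[KEY] = previous   # outer block keeps its own setting
  end
end

# Runs the nesting pattern from the issue against a maintenance module and
# records whether access control was disabled at each checkpoint.
def nesting_trace(maint)
  trace = []
  maint.without_access_control do
    trace << maint.access_control_disabled?     # outer, before inner block
    maint.without_access_control do
      trace << maint.access_control_disabled?   # inside inner block
    end
    trace << maint.access_control_disabled?     # outer, after inner block
  end
  trace << maint.access_control_disabled?       # after everything
  trace
end
```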
Hello!
I think it'll be useful to have some function like has_role?, but one that is true if any of the given roles are in the user's roles.
Something like this
def any_role? (*roles, &block)
  user_roles = authorization_engine.roles_for(current_user)
  result = roles.any? do |role|
    user_roles.include?(role)
  end
  yield if result and block_given?
  result
end
authorization.rb, line 412:
if value.is_a?(Hash)
  if attr_value.is_a?(Array)
    raise AuthorizationUsageError, "Unable evaluate multiple attributes " +
        "on a collection. Cannot use '=>' operator on #{attr.inspect} " +
        "(#{attr_value.inspect}) for attributes #{value.inspect}."
What if I want to check the length of some association?
has_permission_on :pages, :to => :publish do
  if_attribute :paragraphs => { :length => is_not { 0 } }
end
In the process of converting my App to integrate DA, great plugin so far... My only qualms are the fact that DA insists on creating the Instance Variables for the controllers... In a simple Rails app would be fine... However in more complex ones can cause added complexity... Especially when using plugins like Inherited Resources... I propose 2 solutions... Either expect the collection or resource be declared already, or add/integrate collection and resource options on filter_resource_access to pass in the collection and resource names to look for... Or even maybe ability to integrate it into the actions, and text after variable creation.
I think this gives you maximum flexibility. LMK what you think?
...with the rails_xss plugin, which will be the default in Rails 3, but many are switching now already.
it seems that it was broken by this commit:
http://github.com/stffn/declarative_authorization/commit/0e8d55c16c2197c89c2f57d6346d4023e7e61f7b
Using Ruby 1.8.6
I'm able to get this working correctly with:
def to_param
  "#{id}-#{name}"
end
Because it defaults to the ID, but when I just want the name and make the necessary changes within the application, it does not work until I remove filter_resource_access. I'm sure this is because filter_resource_access assumes it is using "find(params[:id])" rather than "find_by_name(params[:id])".
Is there any way to fix this or find a workaround?
According to e.g. https://gist.github.com/e139fa787aa882c0aa9c we need to subclass Engine to enable the registration of the authorization development backend when decl_auth is integrated as gem in Rails 3.
One approach is in 1ab1422f02c85f9334e8e3ea443887f6127ddfff
Which other features of Engine/Railtie should we be using? Register config hooks?
Here I am, once again..
I get a TypeError after adding this little line in my posts controller:
The next two lines are empty - no further error messages are provided.. hmmm
It could just be my inexperience with using Rails engines, but I followed the directions in the readme to the best of my ability, and I still get "route not found" when I try to navigate to /authorization_rules.
Do I have to install it as a plug-in in order for this to work? Or a vendor gem? Currently I am using bundler 0.8.5
If you have a has_many :through relationship as follows:
(taken from http://github.com/stffn/decl_auth_demo_app)
conference <1------*> conference_attendees <*--------1> user
class Conference < ActiveRecord::Base
  has_many :conference_attendees
  has_many :attendees, :through => :conference_attendees, :source => :user
end
If you want to give read for a conference to all users attending that conference you would type
has_permission_on :conferences, :to => :read do
  if_attribute :attendees => contains { user }
end
That works fine. But what if you have an attribute on the conference_attendees model that you need to consider as well? Perhaps you want to give read rights to all users attending a conference who have paid (paid being a boolean in the conference_attendees model).
has_permission_on :conferences, :to => :read do
  if_attribute :conference_attendees => { :user => is { user }, :paid => true }
end
This will work when using Conference.with_permissions_to(:read)
but will fail if :attribute_check => true
In your decl_auth_demo_app change authorization_rules.rb line 4 from if_attribute :published => true
to
if_attribute :conference_attendees => {:user => is{user}}
Go to /conferences as presenter_2
You will see conference Emerging Technologies 2009
Click on the conference and you will get "You are not allowed to access this action."
Permission denied: Error when calling user on [#<ConferenceAttendee id: 15, user_id: 3, conference_id: 2>] for validating attribute: undefined method `user' for [#<ConferenceAttendee id: 15, user_id: 3, conference_id: 2>]:Array
Filter chain halted as [:filter_access_filter] rendered_or_redirected.
Hi,
Could you tell me please how to write access rules for the following scheme. I have 2 models, Post and Comment. Post has many comments and Comment belongs to Post. In posts_controller I have methods add_comment and remove_comment. But rules like
has_permission_on :posts, :to => :comments_manage do
  if_attribute :user_id => is { current_user }
end
are not working, and
has_permission_on :comments, :to => :comments_manage do
  if_attribute :user_id => is { current_user }
end
are not working either :(
Additional information on privileges:
privilege :comments_manage do
  includes :add_comment, :remove_comment
end
Update permissions are only checked on the first save. If this is the intended behavior, it should be clear in the documentation.
post = Post.first
post.owner_id = 2
post.save
# Invalid update, exception is thrown
post = Post.first
post.contents = "..."
post.save
# Valid update, no exception thrown
post.owner_id = 2
post.save
# Invalid update, but no exception is thrown