Hi,
i've created following rules

  role :guest do   
    has_permission_on :news_articles, :to => :news_articles_view do
      if_attribute :status => is {'approved'}
    end
  end

and

  privilege :news_articles_view do
    includes :index, :show, :tag, :category 
  end

but NewsArticle instances with other that approved status still visible :( could you tell me plz - where i'm wrong?

PS: other roles/permissions works fine
PPS: thanks a lot for perfect plugin :)

I've been bit by this a few times. I would much prefer decl auth to be noisy about method-missing errors, rather than having the exception go straight to the log.

A patch if you agree:

http://github.com/timcharper/declarative_authorization/tree/noisy_nomethod

The line in_controller.rb:559 should be:

contr.logger.debug...

instead of:

logger.debug...

I receive the following error when trying to call a show action in my users controller

Library/Ruby/Gems/1.8/gems/declarative_authorization-0.4/lib/declarative_authorization/authorization.rb:535:in object_attribute_value' /Library/Ruby/Gems/1.8/gems/declarative_authorization-0.4/lib/declarative_authorization/authorization.rb:428:invalidate?'
/Library/Ruby/Gems/1.8/gems/activerecord-2.3.5/lib/active_record/base.rb:2036:in all?' /Library/Ruby/Gems/1.8/gems/declarative_authorization-0.4/lib/declarative_authorization/authorization.rb:427:ineach'
/Library/Ruby/Gems/1.8/gems/declarative_authorization-0.4/lib/declarative_authorization/authorization.rb:427:in all?' /Library/Ruby/Gems/1.8/gems/declarative_authorization-0.4/lib/declarative_authorization/authorization.rb:427:invalidate?'
/Library/Ruby/Gems/1.8/gems/declarative_authorization-0.4/lib/declarative_authorization/authorization.rb:374:in validate?' /Library/Ruby/Gems/1.8/gems/activerecord-2.3.5/lib/active_record/base.rb:2036:inany?'
/Library/Ruby/Gems/1.8/gems/declarative_authorization-0.4/lib/declarative_authorization/authorization.rb:372:in each' /Library/Ruby/Gems/1.8/gems/declarative_authorization-0.4/lib/declarative_authorization/authorization.rb:372:inany?'
/Library/Ruby/Gems/1.8/gems/declarative_authorization-0.4/lib/declarative_authorization/authorization.rb:372:in send' /Library/Ruby/Gems/1.8/gems/declarative_authorization-0.4/lib/declarative_authorization/authorization.rb:372:invalidate?'
/Library/Ruby/Gems/1.8/gems/declarative_authorization-0.4/lib/declarative_authorization/authorization.rb:174:in permit!' /Library/Ruby/Gems/1.8/gems/activerecord-2.3.5/lib/active_record/base.rb:2036:inany?'
/Library/Ruby/Gems/1.8/gems/declarative_authorization-0.4/lib/declarative_authorization/authorization.rb:174:in each' /Library/Ruby/Gems/1.8/gems/declarative_authorization-0.4/lib/declarative_authorization/authorization.rb:174:inany?'
/Library/Ruby/Gems/1.8/gems/declarative_authorization-0.4/lib/declarative_authorization/authorization.rb:174:in permit!' /Library/Ruby/Gems/1.8/gems/declarative_authorization-0.4/lib/declarative_authorization/authorization.rb:184:inpermit?'
/Library/Ruby/Gems/1.8/gems/declarative_authorization-0.4/lib/declarative_authorization/in_controller.rb:70:in permitted_to!' /Library/Ruby/Gems/1.8/gems/declarative_authorization-0.4/lib/declarative_authorization/in_controller.rb:46:inpermitted_to?'
/Library/Ruby/Gems/1.8/gems/declarative_authorization-0.4/lib/declarative_authorization/helper.rb:32:in permitted_to?' /Users/kevin/Development/web/osr/app/views/users/show.html.erb:8:in_run_erb_app47views47users47show46html46erb'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_view/renderable.rb:34:in send' /Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_view/renderable.rb:34:inrender'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_view/base.rb:306:in with_template' /Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_view/renderable.rb:30:inrender'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_view/template.rb:205:in render_template' /Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_view/base.rb:265:inrender'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_view/base.rb:348:in _render_with_layout' /Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_view/base.rb:262:inrender'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_controller/base.rb:1250:in render_for_file' /Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_controller/base.rb:951:inrender_without_benchmark'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_controller/benchmarking.rb:51:in render' /Library/Ruby/Gems/1.8/gems/activesupport-2.3.5/lib/active_support/core_ext/benchmark.rb:17:inms'
/Library/Ruby/Gems/1.8/gems/activesupport-2.3.5/lib/active_support/core_ext/benchmark.rb:17:in ms' /Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_controller/benchmarking.rb:51:inrender'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_controller/mime_responds.rb:135:in send' /Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_controller/mime_responds.rb:135:incustom'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_controller/mime_responds.rb:179:in call' /Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_controller/mime_responds.rb:179:inrespond'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_controller/mime_responds.rb:173:in each' /Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_controller/mime_responds.rb:173:inrespond'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_controller/mime_responds.rb:107:in respond_to' /Users/kevin/Development/web/osr/app/controllers/users_controller.rb:37:inshow'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_controller/base.rb:1331:in send' /Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_controller/base.rb:1331:inperform_action_without_filters'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_controller/filters.rb:617:in call_filters' /Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_controller/filters.rb:610:inperform_action_without_benchmark'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_controller/benchmarking.rb:68:in perform_action_without_rescue' /Library/Ruby/Gems/1.8/gems/activesupport-2.3.5/lib/active_support/core_ext/benchmark.rb:17:inms'
/Library/Ruby/Gems/1.8/gems/activesupport-2.3.5/lib/active_support/core_ext/benchmark.rb:17:in ms' /Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_controller/benchmarking.rb:68:inperform_action_without_rescue'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_controller/rescue.rb:160:in perform_action_without_flash' /Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_controller/flash.rb:146:inperform_action'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_controller/base.rb:532:in send' /Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_controller/base.rb:532:inprocess_without_filters'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_controller/filters.rb:606:in process' /Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_controller/base.rb:391:inprocess'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_controller/base.rb:386:in call' /Library/Ruby/Gems/1.8/gems/actionpack-2.3.5/lib/action_controller/routing/route_set.rb:437:incall'

This is how my role is set up:
role :user do
includes :guest
has_permission_on :reviews, :to => [:new, :create]
has_permission_on :reviews, :to => [:edit, :update] do
if_attribute :user => is { user }
end

has_permission_on :users, :to => [:edit, :update] do
  if_attribute :user => is { user }
end

end

And this is the problem permission call
<%= link_to 'Edit profile', edit_user_path(@user), :id => 'edit_profile' if permitted_to? :edit, @user %>

has_role? returns: Authorization::AuthorizationUsageError Exception: User object doesn't respond to roles

I would imagine the desired return value to be false on guest user.

missing parameter &block in method permitted_to?

See here:

http://github.com/stffn/declarative_authorization/blob/f2aa048/test/test_helper.rb#L21-26

nil is not a valid version requirement on my version of rubygems, and it breaks.

See this patch for the fix :)

http://github.com/timcharper/declarative_authorization/commit/5df55e59c1ea84802162c992d971aa59a30847d7

If a user doesn't have access to a resource, the instance variable is still populated, even though the resource is not then delivered to the user.

Only assigning the variables if the user does have access would be a win for performance and security, albeit probably only in obscure edge cases.

I realized some cases do require accessing the data in the db to actually determine the authorization -- what do you think of setting these variables back to nil as soon as it is discovered that the user does not have access?

I suppose there are probably people who still use the data for other purposes and still want it around, even in the views?

Just thinking out loud… let me know what you think. If you think it's a good idea to set them to nil, I'll be happy to put together a patch.

John

Because it's annoying to write "Authorization::Maintenance::without_access_control" in every data changing migration, I put the following code into an initializer. Perhaps you can add it into the plugin:

module ActiveRecord
  class Migrator
    class << self
      alias_method :original_migrate, :migrate
    end
    
    def self.migrate(*args)
      Authorization::Maintenance::without_access_control do
        self.original_migrate(*args)
      end
    end
  end
end

I'd like to have an option for filter_resource_access to toggle for which actions I don't like the "default" load_object to be executed (like the attribute_check switch).

In my ArticlesController, I have a search action which doesn't uses params[:id] to make a simple database lookup, but uses params[:searchterm] to search via Sphinx Search.
So I always got the error "ActiveRecord::RecordNotFound (Couldn't find Article without an ID)", because load_object tried to find a record with the ID equal to a text term :-)

Setting failed_auto_loading_is_not_found and attribute_check on filter_access_to didn't change anything.
After moving to declarative_authorization, it took me a time to find the following workaround:

class ArticlesController < ApplicationController
  before_filter :fake_article, :only=>:search
  filter_resource_access

  def search 
  # Search using Sphinx Search
    @articles = Article.search params[:searchterm]
  end
# ...
  protected
    def fake_article
    logger.debug "Creating fake article."
    @article = Article.new
  end

Would it be possible to enhance the existing implementation by allowing the retrieval of roles and permissions from the database? Essentially, there would be no static authorization rules file, and filtering would be done based on the roles and permissions in the database?

User and Role model association has_many with :through option.

I am also using auth logic. created 2 roles admin and contributor. assigned permission to both roles as well as guest. Guest has no problem but when either user logs in they get no access error.

here is the rules file

authorization do
role :admin do
includes :guest
has_permission_on [:users, :roles, :articles, :home, :user_sessions], :to =>[:index, :show, :new, :create, :update, :destroy, :edit]
end

role :guest do
    has_permission_on [:articles, :comments, :home, :roles,:users], :to => [:index, :show, :create, :new, :update, :edit]
end
role :contributor do

    has_permission_on [:articles, :users, :home], :to =>[:index, :show, :create, :new, :update, :edit]

end

end

Here is my role_symbols method

for declarative_auth

def role_symbols
# roles.map do |role|
# role.name.underscore.to_sym
# end
(self.roles || []).map {|r| r.name.to_sym}

end

Error in the logs
Processing HomeController#index (for 127.0.0.1 at 2010-02-07 00:02:05) [GET]
�[4;36;1mUser Columns (0.0ms)�[0m �[0;1mSHOW FIELDS FROM users�[0m
�[4;35;1mUser Load (0.0ms)�[0m �[0mSELECT * FROM users WHERE (users.id = '24') LIMIT 1�[0m
�[4;36;1mSQL (0.0ms)�[0m �[0;1mBEGIN�[0m
�[4;35;1mUser Update (0.0ms)�[0m �[0mUPDATE users SET perishable_token = 'QxUlovcyJAkEjy7kHCfO', updated_at = '2010-02-07 08:02:05', last_request_at = '2010-02-07 08:02:05' WHERE id = 24�[0m
�[4;36;1mUser Load (0.0ms)�[0m �[0;1mSELECT * FROM users WHERE (users.id = 24) �[0m
�[4;35;1mSQL (63.0ms)�[0m �[0mCOMMIT�[0m
The use of user.roles is deprecated. Please add a method role_symbols to your User model.
�[4;36;1mRole Load (0.0ms)�[0m �[0;1mSELECT roles.* FROM roles INNER JOIN assignments ON roles.id = assignments.role_id WHERE ((assignments.user_id = 24)) �[0m
�[4;35;1mRole Columns (0.0ms)�[0m �[0mSHOW FIELDS FROM roles�[0m
Permission denied: User.roles doesn't return an Array of Symbols ([#<Role id: 7, name: "admin", created_at: "2010-02-07 03:09:07", updated_at: "2010-02-07 03:09:07">])
Filter chain halted as [:filter_access_filter] rendered_or_redirected.
Completed in 172ms (View: 16, DB: 63) | 403 Forbidden [http://localhost/]

I just start with automatic testing and found a problem with authorization plugin. The request_with methods, like get_with, put_with etc., ignore given user and consider all requests to be sent by a guest.

Example

I restrict access to index of articles only for admin:

# config/authorization_rules.rb
authorization do
  role :admin do
    has_permission_on :articles, :to => :index
  end
end

add 'filter_recourse_access' to the articles controller and and then make a simple test:

# test/functional/articles_controller_test.rb
require 'test_helper'

class ArticlesControllerTest < ActionController::TestCase

  test "should get index" do
    with_user(admin) do 
      should_be_allowed_to :index, :articles # OK 
    end
    get_with admin, :index
    assert_response :success  # failed - Expected response to be a <:success>, but was <403>
  end

end

The last assert fails - the page should be rendered, but the response status is :forbidden. If I do it manually (launch server, login as admin and view page), it works well - the page is shown. Log file for test (log/test.log) shows that there was a request for the page and the user was a guest:

Processing ArticlesController#index (for 0.0.0.0 at 2009-12-23 18:49:46) [GET]
    Parameters: {"action"=>"index", "controller"=>"articles"}
Permission denied: No matching rules found for index for #<Authorization::GuestUser:0xb66ffa34 @role_symbols=[:guest]> (roles [:guest], privileges [:index, :read, :manage], context :articles).
Filter chain halted as [:filter_access_filter] rendered_or_redirected.
Completed in 9ms (View: 1, DB: 12) | 403 Forbidden [http://test.host/articles]

Where it goes wrong?

Let's take a look at the request with method.

# File lib/declarative_authorization/maintenance.rb, line 156
def request_with (user, method, xhr, action, params = {}, 
    session = {}, flash = {})
  session = session.merge({:user => user, :user_id => user.id}) # creates session[:user]
  with_user(user) do                                  # assigns Authorization.current_user = admin 
    if xhr
      xhr method, action, params, session, flash
    else
      send method, action, params, session, flash     # assigns Authorization.current_user = nil and performs the request 
    end
  end
end

First it creates a session with given user, then it assigns admin as current user. So far so good. Then it performs a request which activates filters in application controller, namely the :set_current_user before_filter. The method I'm using doesn't take care of session[:user], it uses its own method for determining the current user. It doesn't find any current user and assigns nil to Authorization.current_user, which is later replaced by a default GuestUser.

# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  before_filter :set_current_user

  def current_user
    # find the current user, I'm using authlogic here
    UserSession.find.record 
  end

  def set_current_user
      Authorization.current_user = current_user 
  end
  ...
end

Workaround

If I add sesson[:user] to the before filter in my application controller, the test pass without any failure as expected.

# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  ...
  def set_current_user
      Authorization.current_user = current_user || session[:user]
  end
  ...
end

I believe this is a bug, at least there should be a notice in documentation about this behavior. I can provide any further information if needed or maybe even a patch. But I'm still a junior developer and I'm not sure whether my solution would be the correct one.

Please push the gem to gemcutter. It's a matter of
gem push yourgem-0.0.1.gem

I find myself wanting to be able to add a role that has access to everything without me having to specifically permit him. Do you think this is bad design? Not needed?

As described in this thread in the google group:
http://groups.google.com/group/declarative_authorization/browse_thread/thread/2029d99b9d7df2cb#

Hello, I am hooking declarative_authorization into my application. If I use if_attribute in my authorization rules, the program starts throwing me back a 403 page.

Permission denied: No matching rules found for edit for #<Client id: 3, uniqueid: "something"......

Filter chain halted as [:filter_access_filter] rendered_or_redirected.

Have you seen this before? Where in the code should I look to understand what is going on?
Thanks a lot!

Hello!
I've got a problem in has_role? work. Somehow it checks only first role in array of roles given(:manager here).

has_role? :moderator, :admin do
     @app.approved = true
end

First: thanks for this marvelous gem!!

Using pluralize on a controller_name that is already in its pluralized version is not a problem, unless it is a special word like "people":

When you do "organisations".pluralize, you get "organisations"
When you do "people".pluralize, you get "peoples"

The workaround would be to call singularize, then pluralize. So in file "in_controller.rb", I changed the following line:

  context = @context || contr.class.controller_name.pluralize.to_sym

to the following

  context = @context || contr.class.controller_name.singularize.pluralize.to_sym

This seems to resolve the problem.

There is a critical issue in d_a which fires up unneeded database queries. I stumbled upon the issue while profiling my own application, which makes heavy use of d_a AND uses a lot of named scopes. Some requests in my app are very slow and I discovered that there are many SQL queries in the log which are not needed. This queries are generated by d_a. Because I don't know how to fix it I will give you a detailed description to reproduce the issue based on the d_a_demo_app:

1. Install the official demo app from http://github.com/stffn/decl_auth_demo_app on your development machine

2. The demo app does not use any named scope, so add this example scope to talk.rb:

named_scope :with_abstract, :conditions => "talks.abstract IS NOT NULL"

3. Start the console and type in this example query:

Conference.first.talks.with_abstract.with_permissions_to(:read).find :all, :limit => 2

4. In the development.log you find this:

SELECT * FROM "conferences" LIMIT 1
SELECT * FROM "talks" WHERE ("talks".conference_id = 1) AND ((talks.abstract IS NOT NULL) AND ("talks".conference_id = 1)) 
SELECT "talks".* FROM "talks" INNER JOIN "conferences" ON "conferences".id = "talks".conference_id WHERE ("talks".conference_id = 1) AND (((("conferences"."published" = 't')) AND (talks.abstract IS NOT NULL)) AND ("talks".conference_id = 1)) LIMIT 2

Please have a look at the second query. It is not needed at all and should not be there! So far as I see, this time consuming query is only generated if the scope "with_permissions_to" is combined with an existing named scope.

You also see a second issue (duplicate condition the WHERE clause), but this is another story (not as important).

I just spent about a day and a half trying to get declarative_authorization to play along with authlogic. Well I thought that was the cause of my problems. Finally I chanced on someone's post where they realized their problem was that they had an authorization_roles file instead of an authorization_rules file. Heh. Me too! But that's a really easy mistake considering how much one has Roles on the brain when getting ready to write that file. It would sure be nice if there was a complaint in the logger about not finding a roles file..er I mean rules file...see what I mean! Instead it just says no roles found and leaves the poor newb to pound on the user model and the before_filter and all sorts of other red herrings. Just a thought...

after your last update 3 hours ago I now get an an error at Rails-Startup (see title)
I testet Rails.root.join("config", "authorization.rb") and it worked fine in console (without the GEM)...

Ruby 1.9.1p378
Rails Beta3 (same with Rails Beta 2)

With version 0.4 we have a bug like in issue #7 again:

MyModel.with_permissions_to(:read).foo_scope
=> One query, all is fine

MyModel.foo_scope.with_permissions_to(:read)
=> Two queries: The first for "MyModel.foo.find :all" (unnessecary), the second is the right one.

If you can't reproduce this, I will try to build a failing test or something.

right now, user.id is called regardless if user is nil or not, causing an exception if it is.

Here's a patch:

http://github.com/timcharper/declarative_authorization/commit/109afbb59dcd7759444eaad8083593a3af5f6a45

but it adds complexity and redundancy :( I was building my own version of the gem and didn't realize that the gemspec checked in to the repo was out of date.

Things work just fine if you stick the Dir.glob's right in the gemspec. The only reason I could perceive why you wouldn't want to do this if you used a gem build server that didn't trust you (like github, for example, which no longer builds gems). gem build gemspec will unfold the globs for you in the final product.

Patch: http://github.com/timcharper/declarative_authorization/tree/gemspec_fix

Currently the documentation says that this plugin should work in Rails >= 2.1. But I can't get it to work in 2.1.3. I get the following exception

undefined method `each_with_object' for [:new, :create]:Array
...

vendor/plugins/declarative_authorization/lib/declarative_authorization/in_controller.rb:549:in `actions_from_option'

vendor/plugins/declarative_authorization/lib/declarative_authorization/in_controller.rb:447:in `filter_resource_access'

From what I can see, the each_with_object method wasn't added until Rails 2.2. http://guides.rubyonrails.org/2_2_release_notes.html

declarative_authorization does not work anymore with rails3 beta3. This is due to the fact that the ActiveRecord::NamedScope::Scope class has been removed and ObligationScope inherits from it.
See:

lib/declarative_authorization/obligation_scope.rb line 45

It seems that would be a more sensible default, what do you think?

Happy to submit a patch if you agree

It would be very much helpful if decalartive authorization also have rails 3.0 support, because i tried it with rails 3.0 and ran into problems, i think those are mainly because of the changes in the Named scopes for ActiveRecords which returns a relation and Callbacks. Would love to see we Rails 3.0 support implemented sooner

Latest gem version (0.4) has a bug fixed in commit 8e2401e
It's very annoying bug.

The if_attribute should support the following:
if_attribute :created_at => 1.month.ago..Time.now

Hi!

In 1.9 we can't call instance_eval passing lambdas, only procs.

ActionView::TemplateError (wrong number of arguments (1 for 0))

The first solution is to make the rule reader use proc instead of lambda:

      def parse_attribute_conditions_hash! (hash)
        merge_hash = {}
        hash.each do |key, value|
          if value.is_a?(Hash)
            parse_attribute_conditions_hash!(value)
          elsif !value.is_a?(Array)
            merge_hash[key] = [:is, proc { value }]
          elsif value.is_a?(Array) and !value[0].is_a?(Symbol)
            merge_hash[key] = [:is_in, proc { value }]
          end
        end
        hash.merge!(merge_hash)
      end

The second is calling instance_exec in the attribute validator:

      def evaluate (value_block)
        instance_exec(&value_block)
      end

Ivan.

Hi, l get error in rails 3.0.0.beta3
(gem 'declarative_authorization', :git => 'git://github.com/stffn/declarative_authorization.git')

Error reading authorization rules file with path '/config/authorization_rules.rb'! Please ensure it exists and that it is accessible.

please fix in file "lib/declarative_authorization/authorization.rb":
AUTH_DSL_FILES = ["#{Rails.root}/config/authorization_rules.rb"] unless defined? AUTH_DSL_FILES
to

AUTH_DSL_FILES = [Rails.root.join('config', 'authorization_rules.rb')]

Showing /usr/lib/ruby-enterprise-1.8.7/lib/ruby/gems/1.8/gems/declarative_authorization-0.4/app/views/authorization_rules/_change.erb where line #35 raised:

undefined method `to_sym' for nil:NilClass

Extracted source (around line #35):

32:
33:
34: <% @users.each do |user| %>
35:
36: <%=h user.id %>

When looking at /authorization_rules I get the folllowing error:

Showing /var/lib/gems/1.8/gems/declarative_authorization0.4/app/views/authorization_rules/index.html.erb where line #16 raised:

one hash required
Extracted source (around line #16):

13: pre.with-notes {padding-left: 35px}
14: </style>
15:

16: <%=   policy_analysis_hints(syntax_highlight(h(@auth_rules_script)),@auth_rules_script) %>

17: 

Application Trace | Framework Trace | Full Trace
/var/lib/gems/1.8/gems/i18n-0.3.3/lib/i18n/core_ext/string/interpolate.rb:88:in %' /var/lib/gems/1.8/gems/declarative_authorization-0.4/lib/declarative_authorization/development_support/analyzer.rb:107:inmessage'
/var/lib/gems/1.8/gems/declarative_authorization-0.4/lib/declarative_authorization/development_support/analyzer.rb:89:in mark' /var/lib/gems/1.8/gems/declarative_authorization-0.4/lib/declarative_authorization/development_support/analyzer.rb:49:inanalyze'
/var/lib/gems/1.8/gems/declarative_authorization-0.4/lib/declarative_authorization/development_support/analyzer.rb:35:in analyze' /var/lib/gems/1.8/gems/declarative_authorization-0.4/lib/declarative_authorization/development_support/analyzer.rb:32:ineach'
/var/lib/gems/1.8/gems/declarative_authorization-0.4/lib/declarative_authorization/development_support/analyzer.rb:32:in analyze' /var/lib/gems/1.8/gems/declarative_authorization-0.4/app/helpers/authorization_rules_helper.rb:27:inpolicy_analysis_hints'
blahblahblah....

created a dummy fix by changing lines 106-107-108 of
declarative_authorization-0.4/lib/declarative_authorization/development_support/analyzer.rb
into

    def message (object)
      "The ratio of small roles is quite high (> %.0f).  Consider refactoring." % (SMALL_ROLES_RATIO * 100)
    end

most certainly not the correct fix, but I'm a total newbie with ruby and rails.

object_attribute_value raises AuthorizationUsageError exception when the send method fails with NoMethodError. It would be better if in this case the method returned just nil flunking the rule. In my application I have polymorphic association: Paragraph belongs_to(:owner, :polymorphic => true), [ ManPage, WomanPage ] has_many(:paragraphs, :as => :owner). Owners have different attributes. Rules look like this:

has_permissions_on :paragraphs, :to => :manage do

if_attribute :owner => { :man => is { user } }

if_attribute :owner => { :woman => is { user } }

end

So WomanPage does not have :man, and we get NoMethodError.

When recursing into obligations to check authorization, an incorrect context name is generated. This is caused by using ActiveRecord::Base#table_name for the context name, instead of the model name tableized as is used everywhere else. The following patch should fix that:

--- /lib/declarative_authorization/authorization.rb
+++ /lib/declarative_authorization/authorization.rb
@@ -614,7 +614,7 @@
         @context ||= begin
           rule_model = attr_validator.context.to_s.classify.constantize
           context_reflection = self.class.reflection_for_path(rule_model, path + [hash_or_attr])
-          context_reflection.klass.table_name.to_sym
+          context_reflection.klass.to_s.tableize.to_sym
         rescue # missing model, reflections
           hash_or_attr.to_s.pluralize.to_sym
         end

It's not possible to do nesting like this:

Authorization::Maintenance::without_access_control do
  do_something
  Authorization::Maintenance::without_access_control do
    do_something
  end
  do_something # => here the access control takes place again!
end

Hello!

I think it'll be useful to have some function like, has_role? but to be true if any of given roles are in user roles.
Something like this

def any_role? (*roles, &block)
  user_roles = authorization_engine.roles_for(current_user)
  result = roles.any? do |role|
    user_roles.include?(role)
  end
  yield if result and block_given?
  result
end

authorization.rb, line 412:

    if value.is_a?(Hash)
      if attr_value.is_a?(Array)
        raise AuthorizationUsageError, "Unable evaluate multiple attributes " +
          "on a collection.  Cannot use '=>' operator on #{attr.inspect} " +
          "(#{attr_value.inspect}) for attributes #{value.inspect}."

What if i want to check length of some association?

has_permission_on :pages, :to => :publish do

if_attribute :paragraphs => { :length => is_not { 0 } }

end

In the process of converting my App to integrate DA, great plugin so far... My only qualms are the fact that DA insists on creating the Instance Variables for the controllers... In a simple Rails app would be fine... However in more complex ones can cause added complexity... Especially when using plugins like Inherited Resources... I propose 2 solutions... Either expect the collection or resource be declared already, or add/integrate collection and resource options on filter_resource_access to pass in the collection and resource names to look for... Or even maybe ability to integrate it into the actions, and text after variable creation.

I think this gives you maximum flexibility. LMK what you think?

...with rails_xss plugin - which will be default in Rails 3, but many switches now already.

it seems that it was broken by this commit:

http://github.com/stffn/declarative_authorization/commit/0e8d55c16c2197c89c2f57d6346d4023e7e61f7b

Using Ruby 1.8.6

I'm able to get this working correctly with:

def to_param
"#{id}-#{name}"
end

Because it defaults to the ID but when I just want the name and make the necessary changes within the application, it does not work until I remove filter_resource_access. I'm sure this is because filter_resource_access assumes is using "find(params[:id])" rather than "find_by_name(params[:id])"

Is there any way to fix this or find a workaround?

According to e.g. https://gist.github.com/e139fa787aa882c0aa9c we need to subclass Engine to enable the registration of the authorization development backend when decl_auth is integrated as gem in Rails 3.

One approach is in 1ab1422f02c85f9334e8e3ea443887f6127ddfff

Which other features of Engine/Railtie should we be using? Register config hooks?

here i am - once again..

I get a TypeError after adding this little line in my posts controller:

• filter_resource_access

The next two lines are empty - no further error messages are provided.. hmmm

• ruby 1.9.1p378
• Rails 3 - BETA3
• current git snapshot of declarative_authorization

it could just be my inexperience with using rails engines, but I followed the directions in the readme to the best of my ability, and I still get "routenot found" when I try to navigate to /authorization_rules.

Do I have to install it as a plug-in in order for this to work? Or a vendor gem? Currently I am using bundler 0.8.5

If you have a has_many :through relationship as follows:
(taken from http://github.com/stffn/decl_auth_demo_app)

conference <1------*> conference_attendees <*--------1> user

class Conference < ActiveRecord::Base
  has_many :conference_attendees
  has_many :attendees, :through => :conference_attendees, :source => :user

If you want to give read for a conference to all users attending that conference you would type

has_permission_on :conferences, :to => :read do
  if_attribute :attendees =>  contains {user}
end

That works fine. But what if you have a attribute on the conference_attendees model that you need to consider as well. Perhaps you wan't to give read right to all users attending a conference and that have paid (paid beeing a boolean in the conference_attendees model).

has_permission_on :conferences, :to => :read do
  if_attribute :conference_attendees =>  {:user => is {user}, :paid => true}
end

This will work when using Conference.with_permissions_to(:read) but will fail if :attribute_check => true

To replicate this error:

1. In your decl_auth_demo_app change authorization_rules.rb line 4 from if_attribute :published => true
   to
   if_attribute :conference_attendees => {:user => is{user}}

2. Go to /conferences as presenter_2

3. You will see conference Emerging Technologies 2009

4. Click on the conference and you will get "You are not allowed to access this action."

   Permission denied: Error when calling user on [#<ConferenceAttendee id: 15, user_id: 3, conference_id: 2>] for validating attribute: undefined method `user' for [#<ConferenceAttendee id: 15, user_id: 3, conference_id: 2>]:Array
   Filter chain halted as [:filter_access_filter] rendered_or_redirected.
   

Hi,
could you tell me plz - how to write access rules for following scheme. I have 2 models - Post and Comment. Post has many comments and Comment belongs to Post. In posts_controller i have methods add_comment and remove_comment. But rules like

    has_permission_on :posts, :to => :comments_manage do
      if_attribute :user_id => is {current_user}
    end

not working and

    has_permission_on :comments, :to => :comments_manage do
      if_attribute :user_id => is {current_user}
    end

not working too :(
additional information on privileges:

  privilege :comments_manage do
    includes :add_comment, :remove_comment
  end

Update permissions are only checked on the first save. If this is the intended behavior, it should be clear in the documentation.

post = Post.first
post.owner_id = 2
post.save
# Invalid update, exception is thrown

post = Post.first
post.contents = "..."
post.save
# Valid update, no exception thrown

post.owner_id = 2
post.save
# Invalid update, but no exception is thrown