Changeset 155
- Timestamp:
- 11/29/05 03:40:12 (3 years ago)
- Files:
-
- plugins/user_engine/README (modified) (2 diffs)
- plugins/user_engine/lib/user_engine/authorized_system.rb (modified) (2 diffs)
- plugins/user_engine/test/functional/user_controller_test.rb (modified) (6 diffs)
- plugins/user_engine/test/test_helper.rb (modified) (1 diff)
plugins/user_engine/README
r153 r155 1 1 = UserEngine: Login + Roles 2 2 3 The UserEngine extends the LoginEngine with a very, *very* simple implementation of RBAC - role based access control. As well as the 'User' object, the UserEngine provides Permission objects, and Role objects. Each User can have many Roles, and each Role is associated with many Permissions. A Permission is simple a controller/action pair. A Role which is associated with some permission has access to that specific controller/action, i.e. an dRole associated with the Permission object "user/home" will be allowed to call that action.3 The UserEngine extends the LoginEngine with a very, *very* simple implementation of RBAC - role based access control. As well as the 'User' object, the UserEngine provides Permission objects, and Role objects. Each User can have many Roles, and each Role is associated with many Permissions. A Permission is simple a controller/action pair. A Role which is associated with some permission has access to that specific controller/action, i.e. any Role associated with the Permission object "user/home" will be allowed to call that action. 4 4 5 5 6 6 === Not the One True RBAC system 7 7 8 We'll make this point at the beginning, so there can be no doubt - this is *not* a full permission system. The UserEngine only controls which users have the right to hit which controller/action pairs. It will not control access to data at all, so for instance you cannot use it to give users the ability to edit only a subset of your data object (unless that subset is controlled via different controller actions).8 I'll make this point at the beginning, so there can be no doubt - this is *not* a full permission system. The UserEngine only controls which users have the right to hit which controller/action pairs. 
It will not control access to data at all, so for instance you cannot use it to give users the ability to edit only a subset of your data object (unless that subset is controlled via different controller actions). 9 9 10 10 … … 80 80 10. The UserEngine provides a default stylesheet and a small javascript helper file (used in the Role#edit action), so you'll probably want to include the former and almost certainly the latter in your application's layout. Add the following lines: 81 81 82 <%= engine_stylesheet "user" %>83 <%= engine_javascript "user" %>82 <%= engine_stylesheet "user" %> 83 <%= engine_javascript "user" %> 84 84 85 85 11. Remove any existing sessions (since they might interfere with the login process), and start the server and log using your administrator login and password (if you didn't set one explicitly in your configuration, the defaults are 'admin'/'testing' - make sure you change them!) and go to http://localhost:3000/user/list to see a list of all the users. From there you can create new users, view roles & permissions, and play around... plugins/user_engine/lib/user_engine/authorized_system.rb
r153 r155 80 80 # a security token (see LoginEngine for details). 81 81 def authorize_action 82 83 82 required_permission = "%s/%s" % [ params["controller"], params["action"] ] 84 logger. info"required_perm is #{required_permission}"83 logger.debug "required_perm is #{required_permission}" 85 84 86 85 controller = params["controller"] … … 126 125 end 127 126 127 # Otherwise, just send them back to where they were. If they clicked a link, 128 # we'll have the HTTP_REFERER information. Otherwise we'll use our 'prev_uri' 129 # information. If we have nothing, set it to be the root. 130 return_uri = request.env['HTTP_REFERER'] || session['prev_uri'] || "/" 128 131 # The user wasn't allowed to perform this action. Try and redirect them somewhere 129 132 # If they are no longer allowed to see the page they came here from, 130 # go back to square one. 131 if session["prev_uri"].nil? || session["prev_uri"].index("/#{required_permission}") == 0 132 redirect_to_path "/" 133 return false 134 end 133 # go back to square one. We need to match the URI against the required permission. 134 return_uri = "/" if return_uri =~ /\S*\:\/\/\S*\/#{required_permission}\S*/ 135 135 136 # Otherwise, just send them back to where they were. 137 # TODO: for some reason, the request.env["HTTP_REFERER"] that redirect_to :back needs 138 # is nil here... 139 redirect_to_path session["prev_uri"] 140 #redirect_to :back 136 # redirect & return false to indicate that controller action processing should NOT continue. 137 redirect_to return_uri 141 138 return false 142 139 end 143 140 else 141 144 142 # noone is or can be logged in... 145 143 unless User.guest_user_authorized?(controller, action) plugins/user_engine/test/functional/user_controller_test.rb
r153 r155 51 51 def test_unauthorized_access 52 52 login(:normal_user) 53 @request.session['REQUEST_URI'] = "/" 54 55 get :edit_user, :id => 1 56 # we should be sent BACK 57 assert_match /Permission warning/, flash[:message] 58 assert_redirected_to "http://#{@request.host}/" 59 53 60 54 # ensure that we get redirected back to an action we are authorized to access 61 get :home 62 assert_response :success 55 @request.env['HTTP_REFERER'] = "http://#{@request.host}/user/home" 63 56 get :edit_user 64 57 # we should be sent BACK 65 58 assert_match /Permission warning/, flash[:message] 66 assert_redirected_to :action => 'home'59 assert_redirected_to "http://#{@request.host}/user/home" 67 60 68 61 # ensure that if our previous URL is an action we are no longer authorized for 69 62 # we get sent back to the root 70 login(:normal_user) 71 @request.session['REQUEST_URI'] = "/user/edit_user/3" 72 63 @request.env['HTTP_REFERER'] = "http://#{@request.host}/user/edit_user/3" 73 64 get :edit_user, :id => 1 74 # we should be sent BACK to /, since he's not allowed to edit the user either.65 # we should be sent BACK to /, since he's not allowed to edit_user at all. 
75 66 assert_match /Permission warning/, flash[:message] 76 67 assert_redirected_to "http://#{@request.host}/" … … 163 154 164 155 ActionMailer::Base.deliveries = [] 165 get :edit_user, :id => users(:normal_user).id 166 156 157 @request.env['HTTP_REFERER'] = "http://#{@request.host}/user/edit_user/#{users(:normal_user).id}" 167 158 post :change_password_for_user, :id => users(:normal_user).id, 168 159 :user => { :password => "changed_password", :password_confirmation => "changed_password" } … … 173 164 assert_match /login:\s+\w+\n/, mail.encoded 174 165 assert_match /password:\s+\w+\n/, mail.encoded 166 assert_redirected_to "http://#{@request.host}/user/edit_user/#{users(:normal_user).id}" 175 167 176 168 post :login, :user => { :login => "normal_user", :password => "changed_password" } … … 182 174 LoginEngine::CONFIG[:use_email_notification] = false 183 175 184 get :edit_user, :id => users(:normal_user).id 185 176 @request.env['HTTP_REFERER'] = "http://#{@request.host}/user/edit_user/#{users(:normal_user).id}" 186 177 post :change_password_for_user, :id => users(:normal_user).id, 187 178 :user => { :password => "changed_password", :password_confirmation => "changed_password" } 188 179 189 assert_redirected_to :action => 'edit_user'180 assert_redirected_to "http://#{@request.host}/user/edit_user/#{users(:normal_user).id}" 190 181 191 182 post :login, :user => { :login => "normal_user", :password => "changed_password" } … … 198 189 ActionMailer::Base.deliveries = [] 199 190 200 get :edit_user, :id => users(:normal_user).id 201 191 @request.env['HTTP_REFERER'] = "http://#{@request.host}/user/edit_user/#{users(:normal_user).id}" 202 192 post :change_password_for_user, :id => users(:normal_user).id, 203 193 :user => { :password => "bad", :password_confirmation => "bad" } 204 194 205 195 assert_invalid_column_on_record "user", "password" 206 assert_redirected_to :action => 'edit_user'207 196 assert_equal 0, ActionMailer::Base.deliveries.size 197 assert_redirected_to 
"http://#{@request.host}/user/edit_user/#{users(:normal_user).id}" 208 198 209 199 post :login, :user => { :login => "normal_user", :password => "atest" } … … 215 205 LoginEngine::CONFIG[:use_email_notification] = false 216 206 217 get :edit_user, :id => users(:normal_user).id 218 207 @request.env['HTTP_REFERER'] = "http://#{@request.host}/user/edit_user/#{users(:normal_user).id}" 219 208 post :change_password_for_user, :id => users(:normal_user).id, 220 209 :user => { :password => "bad", :password_confirmation => "bad" } 210 221 211 assert_invalid_column_on_record "user", "password" 222 223 assert_redirected_to :action => 'edit_user' 212 assert_redirected_to "http://#{@request.host}/user/edit_user/#{users(:normal_user).id}" 224 213 225 214 post :login, :user => { :login => "normal_user", :password => "atest" } plugins/user_engine/test/test_helper.rb
r153 r155 62 62 @request.session[:user] = user.nil? ? nil : users(user) 63 63 end 64
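Review bot: the README hunk fixes "an dRole" to "any Role" and "We'll" to "I'll", but the same paragraph still reads "A Permission is simple a controller/action pair" ("simple" for "simply"), and step 11 in the unchanged context reads "start the server and log using your administrator login" ("log in using"); both are one-word fixes worth folding into this changeset while the file is being touched.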
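Review bot: in authorized_system.rb the new check `return_uri = "/" if return_uri =~ /\S*\:\/\/\S*\/#{required_permission}\S*/` only matches strings containing `://`, so when `HTTP_REFERER` is absent and `return_uri` falls back to `session['prev_uri']`, a scheme-less path (the form the removed `session["prev_uri"].index("/#{required_permission}") == 0` check was written for) never matches and the user is redirected straight back to the action that was just denied. Suggest comparing the path component, e.g. `URI.parse(return_uri).path`, against `"/#{required_permission}"`, and wrapping the interpolated value in `Regexp.escape` since it is built from request params. Separately, `redirect_to return_uri` now forwards a client-supplied Referer unchecked; constraining it to a relative path or the current host before redirecting keeps the permission failure from doubling as an open redirect. Minor: the comment block "Otherwise, just send them back to where they were" now sits above "The user wasn't allowed to perform this action", so the two comments read in the wrong order.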
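Review bot: in user_controller_test.rb, test_unauthorized_access now sets `@request.env['HTTP_REFERER']` in every case and the `@request.session['REQUEST_URI'] = "/user/edit_user/3"` case was removed, so the `session['prev_uri']` fallback in authorize_action is no longer exercised by any test; keep one case with no Referer and a session-stored previous URI for a forbidden action, asserting the redirect lands on `"http://#{@request.host}/"`. A case with a Referer on a foreign host would also pin down what `redirect_to return_uri` is meant to do with it. Style: the literal `"http://#{@request.host}/user/edit_user/#{users(:normal_user).id}"` is now repeated in four change_password_for_user tests; a local variable or helper would keep them in sync if the route changes.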
