Authorization

.gitignore

@@ -1,3 +1,4 @@
 tmp/
 .idea
-*.iml
+*.iml
+script/log/

Gemfile

@@ -2,7 +2,6 @@ source 'https://rubygems.org'
 
 gem "rails", "2.3.17"
 gem "mysql"
-gem "authorization", github:  "asalant/rails-authorization-plugin"
 gem 'json', '1.7.7' # (CVE-2013-026) Can remove once rails depends on > 1.7.6
 gem 'haml', "3.0.25"
 gem 'googlecharts', "1.6.0"

Gemfile.lock

@@ -1,9 +1,3 @@
-GIT
-  remote: git://github.com/asalant/rails-authorization-plugin.git
-  revision: 505bd47addf2ef5e3b5d98a7ea8d1352c2aa4ee6
-  specs:
-    authorization (1.0.12)
-
 GEM
   remote: https://rubygems.org/
   specs:
@@ -58,7 +52,6 @@ PLATFORMS
 DEPENDENCIES
   acts-as-taggable-on (= 2.0.6)
   annotate
-  authorization!
   calendar_date_select (= 1.16.1)
   debugger
   googlecharts (= 1.6.0)

app/controllers/application_controller.rb

@@ -46,4 +46,15 @@ def date_from_params(params)
     Date.new params[:year].to_i, params[:month].to_i, params[:day].to_i
   end
 
+  def authorize_admin_or_manager
+    redirect_unauthrized unless user_is_admin? || user_is_manager?
+  end
+
+  def authorize_admin
+    redirect_unauthrized unless user_is_admin?
+  end
+
+  def redirect_unauthrized
+    redirect_to({ :controller => 'sessions', :action => 'new' })
+  end
 end

app/controllers/notes_controller.rb

@@ -1,6 +1,6 @@
 class NotesController < ApplicationController
 
-  permit "admin or (manager of :organization)"
+  before_filter :authorize_admin_or_manager
 
   # GET /notes
   # GET /notes.xml

app/controllers/organizations_controller.rb

@@ -3,9 +3,9 @@ class OrganizationsController < ApplicationController
   skip_before_filter :login_required, :only => [:index, :show, :new, :create]
   before_filter :assign_id_param, :resolve_organization_by_id, :except => [ :index, :new, :create ] 
 
-  permit "admin", :only => [ :destroy ]
-  permit "admin or (manager of :organization)", :only => [ :show, :edit, :update ] 
-    
+  before_filter :authorize_admin_or_manager, :only => [ :show, :edit, :update ] 
+  before_filter :authorize_admin, :only => [ :destory ]
+
   # GET /organizations
   # GET /organizations.xml
   def index
@@ -49,7 +49,8 @@ def create
 
     respond_to do |format|
       if @organization.valid? && @user.valid? && @organization.save && @user.save
-        @user.has_role 'manager', @organization
+        role = Role.create( :name => 'manager', :authorizable => @organization )
+        @user.roles << role if role and not @user.roles.exists?( role.id )
         self.current_user = @user
         flash[:notice] = 'Organization was successfully created.'
         format.html { redirect_to @organization }

app/controllers/people_controller.rb

@@ -1,6 +1,6 @@
 class PeopleController < ApplicationController
 
-  permit "admin or (manager of :organization)"
+  before_filter :authorize_admin_or_manager
 
   # GET /people/1
   # GET /people/1.xml

app/controllers/reports_controller.rb

@@ -2,7 +2,7 @@
 
 class ReportsController < ApplicationController
 
-  permit "admin or (manager of :organization)"
+  before_filter :authorize_admin_or_manager
 
   def index
   end

app/controllers/services_controller.rb

@@ -1,6 +1,6 @@
 class ServicesController < ApplicationController
 
-  permit "admin or (manager of :organization)"
+  before_filter :authorize_admin_or_manager
 
   # GET /services
   # GET /services.xml

app/controllers/taggings_controller.rb

@@ -1,5 +1,5 @@
 class TaggingsController < ApplicationController
-  permit "admin or (manager of :organization)"
+  before_filter :authorize_admin_or_manager
 
   def create
     @person.tag_list << params[:id]

app/controllers/tags_controller.rb

@@ -1,6 +1,6 @@
 class TagsController < ApplicationController
 
-  permit "admin or (manager of :organization)"
+  before_filter :authorize_admin_or_manager
 
   def show
     @tag = ActsAsTaggableOn::Tag.find(params[:id])

app/controllers/users_controller.rb

@@ -3,8 +3,8 @@ class UsersController < ApplicationController
   before_filter :resolve_user_by_id
   skip_before_filter :login_from_cookie, :login_required, :only => [:new, :create, :activate, :reset, :forgot]
 
-  permit "admin", :only => [:index]
-  permit "admin or (owner of :user)", :only => [:edit, :update, :destroy]
+  before_filter :authorize_admin, :only => [:index]
+  before_filter :authorize_admin_or_manager, :only => [:edit, :update, :destroy]
 
   # render new.rhtml
   def new

app/controllers/visits_controller.rb

@@ -1,6 +1,6 @@
 class VisitsController < ApplicationController
 
-  permit "admin or (manager of :organization)"
+  before_filter :authorize_admin_or_manager
 
   # GET /visits
   # GET /visits.xml

app/helpers/application_helper.rb

@@ -64,4 +64,15 @@ def labeled_value(label_value, value)
     ).render(self, :label_value => label_value, :value => value)
   end
 
+  def user_is_manager?
+    wrapped_current_user.try(:is_manager_of?, @organization)
+  end
+
+  def user_is_admin?
+    wrapped_current_user.try(:is_admin?)
+  end
+
+  def wrapped_current_user
+    User.current_user if User.current_user != :false
+  end
 end

app/models/organization.rb

@@ -14,6 +14,7 @@
 class Organization < ActiveRecord::Base
 
   has_many :people, :dependent => :destroy
+  has_many :accepted_roles, :as => :authorizable, :class_name => 'Role'
 
   validates_presence_of :name, :key, :timezone
   validates_length_of :name, :within => 3..40,    :unless => proc { |organization| organization.errors.on :name }
@@ -22,8 +23,6 @@ class Organization < ActiveRecord::Base
   validates_format_of :key, :with => /\A\w+\Z/i,  :unless => proc { |organization| organization.errors.on :key }
   validate :validate_timezone
 
-  acts_as_authorizable
-
   def initialize(attributes=nil)
     super(attributes)
     self[:timezone] ||= 'Pacific Time (US & Canada)'
@@ -71,4 +70,4 @@ def validate_timezone
       errors.add :timezone if !@timezone_names.include?(self.timezone)
     end
   end
-end
+end

app/models/user.rb

@@ -21,13 +21,12 @@
 class User < ActiveRecord::Base
 
   belongs_to :organization
-  
+
   # Authenticated user
   cattr_accessor :current_user
 
-  # Authorization plugin
-  acts_as_authorized_user
-
+  has_and_belongs_to_many :roles
+
   def accepts_role?(role, user)
     'owner' == role && self == user
   end
@@ -45,7 +44,7 @@ def accepts_role?(role, user)
   validates_email_format_of :email, :check_mx=> true, :unless => proc { |user| user.errors.on :email }
   validates_uniqueness_of   :login, :email, :case_sensitive => false
   before_save :encrypt_password
-  before_create :make_activation_code 
+  before_create :make_activation_code
   # prevents a user from submitting a crafted form that bypasses activation
   # anything else you want your user to change should be added here.
   attr_accessible :name, :login, :email, :password, :password_confirmation
@@ -90,7 +89,7 @@ def recently_forgot_password?
 
   def recently_reset_password?
     @reset_password
-  end 
+  end
 
   # Authenticates a user by their login name and unencrypted password.  Returns the user or nil.
   def self.authenticate(login, password)
@@ -113,7 +112,7 @@ def authenticated?(password)
   end
 
   def remember_token?
-    remember_token_expires_at && Time.now.utc < remember_token_expires_at 
+    remember_token_expires_at && Time.now.utc < remember_token_expires_at
   end
 
   # These create and unset the fields required for remembering users between browser closes
@@ -138,24 +137,37 @@ def forget_me
   end
 
   def organization
-    @organization ||= self.is_manager_for_what.first
+    @organization ||= is_manager_for_what
+  end
+
+  def is_manager_of?(other_organization)
+    return false if !other_organization || !organization
+    organization.id == other_organization.id && roles.first.name == 'manager'
+  end
+
+  def is_admin?
+    roles.first.name == 'admin'
   end
 
   protected
-    # before filter 
+    # before filter
     def encrypt_password
       return if password.blank?
       self.salt = Digest::SHA1.hexdigest("--#{Time.now.to_s}--#{login}--") if new_record?
       self.crypted_password = encrypt(password)
     end
-      
+
     def password_required?
       crypted_password.blank? || !password.blank? || reset_code
     end
-
-    def make_activation_code
 
+    def make_activation_code
       self.activation_code = Digest::SHA1.hexdigest( Time.now.to_s.split(//).sort_by {rand}.join )
     end
-
+
+    def is_manager_for_what
+      role = roles.find_all_by_name("manager").first
+      role.authorizable if role
+    end
+
 end

app/views/layouts/application.html.haml

@@ -37,7 +37,7 @@
             = tab_item('Home', organization_path(@organization))
             = tab_item('Visits', today_visits_path(:organization_key => @organization.key))
             = tab_item('Reports', report_path(:action => 'index', :organization_key => @organization.key))
-            -if permit? "admin or (manager of :organization)"
+            -if user_is_manager? || user_is_admin?
               =tab_item('Settings', edit_organization_path(@organization))
           -else
             =tab_item('Home', root_path)

app/views/organizations/index.html.haml

@@ -65,5 +65,5 @@
             %br
             -if organization.member_count > 9
               = "#{organization.member_count} members"
-          -if permit? 'admin'
+          -if user_is_admin?
             %td= link_to 'Remove', organization, :confirm => 'Are you sure?', :method => :delete

app/views/users/show.html.haml

@@ -4,6 +4,6 @@
   =labeled_value 'Email', @user.email
   =labeled_value 'Login', @user.login
   =labeled_value 'Activated at', @user.activated_at.nil? ? 'Not yet activated' : datetime_long(@user.activated_at)
--if permit?('owner of :user')
+-if user_is_manager?
   =link_to 'Edit', edit_user_path(@user)
 

test/unit/role_test.rb

@@ -1,17 +1,20 @@
 require 'test_helper'
 
-class RoleTest < ActiveSupport::TestCase
+class RolesTest <  ActiveSupport::TestCase
+  include ApplicationHelper
 
   def test_admin_role
-    assert users(:admin).is_admin?
-    assert !users(:sfbk).is_admin?
+    User.current_user = users(:admin)
+    assert user_is_admin?
+    User.current_user = users(:greeter)
+    assert !user_is_admin?
   end
 
   def test_manager_role
-    assert users(:sfbk).is_manager?
-    assert users(:sfbk).is_manager_of?(organizations(:sfbk))
-    assert !users(:sfbk).is_manager_of?(organizations(:scbc))
+    User.current_user = users(:sfbk)
+    @organization = organizations(:sfbk)
+    assert user_is_manager?
+    User.current_user = users(:scbc)
+    assert !user_is_manager?
   end
-
 end
-

test/unit/user_test.rb

@@ -106,6 +106,19 @@ def test_reset
     assert User.authenticate('sfbk', 'new_password')
   end
 
+  def test_is_magager_of
+    assert users(:sfbk).is_manager_of?(organizations(:sfbk))
+    assert !users(:sfbk).is_manager_of?(nil)
+    assert !users(:sfbk).is_manager_of?(organizations(:scbc))
+    assert !create_user.is_manager_of?(organizations(:scbc))
+  end
+
+  def test_is_magager_of
+    assert users(:admin).is_admin?
+    assert !users(:sfbk).is_admin?
+  end
+
+
 protected
   def create_user(options = {})
     User.create({ :name => 'Quire', :login => 'quire', :email => 'quire@example.com', :password => 'quire', :password_confirmation => 'quire' }.merge(options))

test/unit/visit_test.rb

@@ -34,11 +34,11 @@ def test_chain_finders
   end
 
   def test_to_csv
-    assert_match /^Mary,Member,mary@example.com,false,415 123-1234,95105,2007-02-01 10:01,false,true,false,Mary.+/, visits(:mary_1).to_csv
+    assert_match /^365790011,Mary,Member,mary@example.com,false,415 123-1234,95105,2007-02-01 10:01,false,true,false,Mary.+/, visits(:mary_1).to_csv
   end
 
   def test_csv_header
-    assert_equal "first_name,last_name,email,email_opt_out,phone,postal_code,arrived_at,staff,member,volunteer,note\n", Visit.csv_header
+    assert_equal "person_id,first_name,last_name,email,email_opt_out,phone,postal_code,arrived_at,staff,member,volunteer,note\n", Visit.csv_header
   end
 
   def test_create_defaults