
[myexperiment-hackers] [2084] trunk: merged authorization new branch int


From: noreply
Subject: [myexperiment-hackers] [2084] trunk: merged authorization new branch into trunk with " svn merge -r2041:HEAD svn+ssh://address@hidden/var/svn/myexperiment/ branches/authorization_new" plus a few corrections
Date: Wed, 4 Feb 2009 09:36:51 -0500 (EST)

Revision
2084
Author
dgc
Date
2009-02-04 09:36:50 -0500 (Wed, 04 Feb 2009)

Log Message

merged authorization new branch into trunk with "svn merge -r2041:HEAD svn+ssh://address@hidden/var/svn/myexperiment/branches/authorization_new" plus a few corrections

Modified Paths

Added Paths

Removed Paths

Diff

Modified: trunk/app/controllers/application.rb (2083 => 2084)


--- trunk/app/controllers/application.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/controllers/application.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -192,46 +192,11 @@
     
     # BEGIN initialisation and validation
 
-    case sharing_class
-      when "0"
-        view_public        = 1
-        download_public    = 1
-        view_protected     = 1
-        download_protected = 1
-      when "1"
-        view_public        = 1
-        view_protected     = 1
-        download_protected = 1
-      when "2"
-        view_public        = 1
-        view_protected     = 1
-      when "3"
-        view_protected     = 1
-        download_protected = 1          
-      when "4"
-        view_protected     = 1
-    end
-
-    case updating_class
-      when "0"
-        edit_protected = 1 if (view_protected == 1 && download_protected == 1)
-        edit_public    = 1 if (view_public    == 1 && download_public    == 1)
-      when "1"
-        edit_protected = 1      
-      # when "5","6" -> no need for these cases, because both edit flags are false (default values) for these modes
-    end
-
     unless contributable.contribution.policy
       last_saved_policy = Policy._default(current_user, nil) # second parameter ensures that this policy is not applied anywhere
       
       policy = Policy.new(:name => 'auto',
           :contributor_type => 'User', :contributor_id => current_user.id,
-          :view_protected     => view_protected,
-          :view_public        => view_public,
-          :download_protected => download_protected,
-          :download_public    => download_public,
-          :edit_protected     => edit_protected,
-          :edit_public        => edit_public,
           :share_mode         => sharing_class,
           :update_mode        => updating_class)
       contributable.contribution.policy = policy  # by doing this the new policy object is saved implicitly too
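Review bot: `sharing_class` and `updating_class` now flow straight into `Policy.new(:share_mode => ..., :update_mode => ...)` with nothing in between, whereas the removed `case` blocks acted as an allow-list — a value outside the known classes left every flag unset, i.e. the most restrictive outcome. Unless `Authorization` rejects unknown mode values itself (the module is not in this diff), the enclosing method should check both values against the set of supported modes before the `Policy.new` call and on the `policy.share_mode = sharing_class` / `policy.update_mode = updating_class` assignments in the next hunk, e.g. `raise ArgumentError, "unsupported share_mode #{sharing_class}" unless SUPPORTED_SHARE_MODES.include?(sharing_class)` with the constant named for whatever list the Policy model actually defines. The `# BEGIN initialisation and validation` label at the top of the hunk now heads a section that performs no validation at all and should be updated or dropped. The enclosing method starts and ends outside the hunk.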
@@ -240,12 +205,6 @@
        policy = contributable.contribution.policy
        last_saved_policy = policy.clone # clone required, not 'dup' (which still works through reference, so the values in both get changed anyway - which is not what's needed here)
        
-       policy.view_protected = view_protected
-       policy.view_public = view_public
-       policy.download_protected = download_protected
-       policy.download_public = download_public
-       policy.edit_protected = edit_protected
-       policy.edit_public = edit_public
        policy.share_mode = sharing_class
        policy.update_mode = updating_class
        policy.save
@@ -339,61 +298,6 @@
     return error_msg
   end
 
-  def determine_sharing_mode(contributable)
-    
-    # TODO: like the determine_updating_mode(..) method below, this method needs to be refactored into the Policy class. 
-
-    policy = contributable.contribution.policy
-
-    return policy.share_mode if !policy.share_mode.nil?
-
-    v_pub  = policy.view_public;
-    v_prot = policy.view_protected;
-    d_pub  = policy.download_public;
-    d_prot = policy.download_protected;
-    e_pub  = policy.edit_public;
-    e_prot = policy.edit_protected;
-
-    if (policy.permissions.length == 0)
-
-      if ((v_pub  == true ) && (v_prot == false) && (d_pub  == true ) && (d_prot == false))
-        return 0
-      end
-
-      if ((v_pub  == true ) && (v_prot == false) && (d_pub  == false) && (d_prot == true ))
-        return 1;
-      end
-
-      if ((v_pub  == true ) && (v_prot == false) && (d_pub  == false) && (d_prot == false))
-        return 2;
-      end
-
-      if ((v_pub  == false) && (v_prot == true ) && (d_pub  == false) && (d_prot == true ))
-        return 3;
-      end
-
-      if ((v_pub  == false) && (v_prot == true ) && (d_pub  == false) && (d_prot == false))
-        return 4;
-      end
-
-      if ((v_pub  == false) && (v_prot == false) && (d_pub  == false) && (d_prot == false))
-        return 7;
-      end
-
-    end
-
-    return 8
-
-  end
-
-  def determine_updating_mode(contributable)
-    if (policy = contributable.contribution.policy)
-      return policy.determine_update_mode(contributable.contribution)
-    else
-      return 7
-    end
-  end
-
   def update_credits(creditable, params)
     
     # First delete old creditations:

Modified: trunk/app/controllers/blobs_controller.rb (2083 => 2084)


--- trunk/app/controllers/blobs_controller.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/controllers/blobs_controller.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -294,7 +294,7 @@
                        :current => params[:page] })
     
     found.each do |blob|
-      blob.content_blob.data = "" unless blob.authorized?("download", (logged_in? ? current_user : nil))
+      blob.content_blob.data = "" unless Authorization.is_authorized?("download", nil, blob, current_user)
     end
     
     @blobs = found
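Review bot: The rewritten check inside `found.each` drops the `logged_in? ? current_user : nil` guard and hands `current_user` to `Authorization.is_authorized?` unconditionally; the guard in the old code (and in the unchanged `Viewing.create` line of blogs_controller, which still uses it) suggests `current_user` may return a non-nil sentinel for anonymous sessions, in which case `is_authorized?` must normalise that value to "no user" or anonymous visitors are evaluated as if they had an account. Worth confirming how `is_authorized?` treats its user argument, or keeping the guard at the call site. The same pattern is repeated in the second hunk of this file and in blog_posts_controller, blogs_controller, citations_controller, contributions_controller, packs_controller (`@authorised_to_download`), reviews_controller, workflows_controller and application_helper.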
@@ -304,7 +304,7 @@
     begin
       blob = Blob.find(params[:id])
       
-      if blob.authorized?(action_name, (logged_in? ? current_user : nil))
+      if Authorization.is_authorized?(action_name, nil, blob, current_user)
         @blob = blob
         
         @blob_entry_url = url_for : false,
@@ -345,8 +345,8 @@
         @sharing_mode  = params[:sharing][:class_id].to_i if params[:sharing]
         @updating_mode = params[:updating][:class_id].to_i if params[:updating]
       when "show", "edit"
-        @sharing_mode  = determine_sharing_mode(@blob)
-        @updating_mode = determine_updating_mode(@blob)
+        @sharing_mode  = @blob.contribution.policy.share_mode
+        @updating_mode = @blob.contribution.policy.update_mode
     end
   end
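Review bot: `@blob.contribution.policy.share_mode` on the `when "show", "edit"` branch assumes both that a policy exists and that its `share_mode` column is populated; the deleted `determine_updating_mode` returned 7 for a missing policy and `determine_sharing_mode` derived the mode from the view/download/edit flags when `share_mode` was nil, so a contribution whose policy predates these columns would now yield nil here, and a missing policy raises NoMethodError while rendering the form. Either confirm that a migration backfills `share_mode`/`update_mode` for every existing policy, or keep a fallback at the call site, e.g. `policy = @blob.contribution.policy` / `@sharing_mode = policy && policy.share_mode`. The same assumption is made in blogs_controller (`show` and `edit`), packs_controller and workflows_controller.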
   

Modified: trunk/app/controllers/blog_posts_controller.rb (2083 => 2084)


--- trunk/app/controllers/blog_posts_controller.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/controllers/blog_posts_controller.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -78,7 +78,7 @@
     begin
       blog = Blog.find(params[:blog_id])
       
-      if blog.authorized?(action_name, (logged_in? ? current_user : nil))
+      if Authorization.is_authorized?(action_name, nil, blog, current_user)
         @blog = blog
       else
         error("Blog not found (id not authorized)", "is invalid (not authorized)")

Modified: trunk/app/controllers/blogs_controller.rb (2083 => 2084)


--- trunk/app/controllers/blogs_controller.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/controllers/blogs_controller.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -21,7 +21,7 @@
   def show
     @viewing = Viewing.create(:contribution => @blog.contribution, :user => (logged_in? ? current_user : nil))
     
-    @sharing_mode  = determine_sharing_mode(@blog)
+    @sharing_mode  = @blog.contribution.policy.share_mode
     
     respond_to do |format|
       format.html # show.rhtml
@@ -37,7 +37,7 @@
 
   # GET /blogs/1;edit
   def edit
-    @sharing_mode  = determine_sharing_mode(@blog)
+    @sharing_mode  = @blog.contribution.policy.share_mode
   end
 
   # POST /blogs
@@ -113,7 +113,7 @@
     begin
       blog = Blog.find(params[:id])
       
-      if blog.authorized?(action_name, (logged_in? ? current_user : nil))
+      if Authorization.is_authorized?(action_name, nil, blog, current_user)
         @blog = blog
       else
         if logged_in? 

Modified: trunk/app/controllers/citations_controller.rb (2083 => 2084)


--- trunk/app/controllers/citations_controller.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/controllers/citations_controller.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -86,11 +86,11 @@
     
       workflow = Workflow.find(params[:workflow_id])
       
-      if workflow.authorized?((["index", "show"].include?(action_name) ? "show" : "edit"), (logged_in? ? current_user : nil))
+      if Authorization.is_authorized?((["index", "show"].include?(action_name) ? "show" : "edit"), nil, workflow, current_user)
         @workflow = workflow
         
         # remove workflow data from workflow if the user is not authorized for download
-        @workflow.content_blob.data = "" unless @workflow.authorized?("download", (logged_in? ? current_user : nil))
+        @workflow.content_blob.data = "" unless Authorization.is_authorized?("download", nil, @workflow, current_user)
       else
         if logged_in?
           error("Workflow not found (id not authorized)", "is invalid (not authorized)", :workflow_id)

Modified: trunk/app/controllers/contributions_controller.rb (2083 => 2084)


--- trunk/app/controllers/contributions_controller.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/controllers/contributions_controller.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -111,7 +111,7 @@
     begin
       contribution = Contribution.find(params[:id])
       
-      if contribution.authorized?(action_name, (logged_in? ? current_user : nil))
+      if Authorization.is_authorized?(action_name, nil, contribution, current_user)
         @contribution = contribution
       else
         error("Contribution not found (id not authorized)", "is invalid (not authorized)")

Modified: trunk/app/controllers/experiments_controller.rb (2083 => 2084)


--- trunk/app/controllers/experiments_controller.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/controllers/experiments_controller.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -102,7 +102,7 @@
   def find_experiment_auth
     experiment = Experiment.find(:first, :conditions => ["id = ?", params[:id]])
     
-    if experiment and experiment.authorized?(action_name, current_user)
+    if experiment and Authorization.is_authorized?(action_name, nil, experiment, current_user)
       @experiment = experiment
     else
       error("Experiment not found or action not authorized", "is invalid (not authorized)")

Modified: trunk/app/controllers/jobs_controller.rb (2083 => 2084)


--- trunk/app/controllers/jobs_controller.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/controllers/jobs_controller.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -23,14 +23,14 @@
   end
 
   def show
-    unless @job.runnable.authorized?(action_name, current_user)
+    unless Authorization.is_authorized?(action_name, nil, @job.runnable, current_user)
       flash[:error] = "<p>You will not be able to submit this Job, but you can still see the details of it."
       flash[:error] = "<p>The runnable item (address@hidden) is not authorized - you need download priviledges to run it.</p>"
     end
     
     # TODO: check that runnable version still exists
     
-    unless @job.runner.authorized?(action_name, current_user)
+    unless Authorization.is_authorized?(action_name, nil, @job, current_user)
       flash[:error] = "You will not be able to submit this Job, but you can still see the details of it." unless flash[:error]
       flash[:error] += "<p>The runner is not authorized - you need to either own it or be part of a Group that owns it.</p>"
     end
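Review bot: The second check in `show` was changed from `@job.runner.authorized?` to `Authorization.is_authorized?(action_name, nil, @job, current_user)`, so it now evaluates the Job itself rather than its runner, while the first check in the same method still passes `@job.runnable` and the flash message below still talks about the runner; unless `is_authorized?` resolves a Job to its runner internally (the module is not in this diff), the runner is no longer authorised here at all. The hunk at line 213 of this file has the stronger form of the problem: both the runnable and the runner condition now pass `@job`, making them identical and leaving the runnable's download right and the runner's execute right unchecked on that path, whereas the `create` hunks still check `runnable` with `'download'` and `runner` with `'execute'`. The line here should read `unless Authorization.is_authorized?(action_name, nil, @job.runner, current_user)`, and the later hunk should pass `@job.runnable` and `@job.runner` respectively, with action names matching the `create` path if `action_name` is not what `is_authorized?` expects for those objects.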
@@ -98,7 +98,7 @@
       end
     end
     
-    if !runnable or !runnable.authorized?('download', user)
+    if not runnable or not Authorization.is_authorized?('download', nil, runnable, user)
       success = false
       @job.errors.add(:runnable_id, "not valid or not authorized")
     else
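Review bot: `if not runnable or not Authorization.is_authorized?(...)` mixes the low-precedence keyword forms `not`/`or` where the rest of the changed code uses `!`/`&&`; they parse as intended here, but `not`/`or` are a well-known precedence trap once the condition is extended or its result assigned. The clearer equivalent is `unless runnable && Authorization.is_authorized?('download', nil, runnable, user)`. The runner check in the next hunk of this file has the same shape.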
@@ -112,7 +112,7 @@
     # Check runner is a valid and authorized one
     # (for now we can assume it's a TavernaEnactor)
     runner = TavernaEnactor.find(:first, :conditions => ["id = ?", params[:job][:runner_id]])
-    if !runner or !runner.authorized?('execute', user)
+    if not runner or not Authorization.is_authorized?('execute', nil, runner, user)
       success = false
       @job.errors.add(:runner_id, "not valid or not authorized")
     end
@@ -213,13 +213,12 @@
     errors_text = ''
     
     # Authorize the runnable and runner
-    
-    unless @job.runnable.authorized?(action_name, current_user) 
+    unless Authorization.is_authorized?(action_name, nil, @job, current_user)
       success = false;
       errors_text += "<p>The runnable item (address@hidden) is not authorized - you need download priviledges to run it.</p>"
     end
     
-    unless @job.runner.authorized?(action_name, current_user) 
+    unless Authorization.is_authorized?(action_name, nil, @job, current_user)
       success = false;
       errors_text += "<p>The runner is not authorized - you need to either own it or be part of a Group that owns it.</p>"
     end
@@ -312,7 +311,7 @@
         job.experiment = Experiment.new(:title => Experiment.default_title(user), :contributor => user)
       elsif params[:change_experiment] == 'existing'
         experiment = Experiment.find(params[:change_experiment_id])
-        if experiment and experiment.authorized?('edit', user)
+        if experiment and Authorization.is_authorized?('edit', nil, experiment, user)
           job.experiment = experiment
         else
           flash[:error] = "Job could not be created because could not assign the parent Experiment."
@@ -338,7 +337,7 @@
   def find_experiment_auth
     experiment = Experiment.find(:first, :conditions => ["id = ?", params[:experiment_id]])
     
-    if experiment and experiment.authorized?(action_name, current_user)
+    if experiment and Authorization.is_authorized?(action_name, nil, experiment, current_user)
       @experiment = experiment
     else
       # New and Create actions are allowed to run outside of the context of an Experiment
@@ -355,7 +354,7 @@
   def find_job_auth
     job = Job.find(:first, :conditions => ["id = ?", params[:id]])
       
-    if job and job.experiment.id == @experiment.id and job.authorized?(action_name, current_user) 
+    if job and job.experiment.id == @experiment.id and Authorization.is_authorized?(action_name, nil, job, current_user)
       @job = job
     else
       error("Job not found or action not authorized", "is invalid (not authorized)")

Modified: trunk/app/controllers/packs_controller.rb (2083 => 2084)


--- trunk/app/controllers/packs_controller.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/controllers/packs_controller.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -431,11 +431,11 @@
     begin
       pack = Pack.find(params[:id])
       
-      if pack.authorized?(action_name, current_user)
+      if Authorization.is_authorized?(action_name, nil, pack, current_user)
         @pack = pack
         
-        @authorised_to_edit = logged_in? && @pack.authorized?("edit", current_user)
-        @authorised_to_download = @pack.authorized?("download", (logged_in? ? current_user : nil))
+        @authorised_to_edit = logged_in? && Authorization.is_authorized?("edit", nil, @pack, current_user)
+        @authorised_to_download = Authorization.is_authorized?("download", nil, @pack, current_user)
         
         @pack_entry_url = url_for : false,
                             :host => base_host,
@@ -461,8 +461,8 @@
         @sharing_mode  = params[:sharing][:class_id].to_i if params[:sharing]
         @updating_mode = params[:updating][:class_id].to_i if params[:updating]
       when "show", "edit"
-        @sharing_mode  = determine_sharing_mode(@pack)
-        @updating_mode = determine_updating_mode(@pack)
+        @sharing_mode  = @pack.contribution.policy.share_mode
+        @updating_mode = @pack.contribution.policy.update_mode
     end
   end
   

Deleted: trunk/app/controllers/permissions_controller.rb (2083 => 2084)


--- trunk/app/controllers/permissions_controller.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/controllers/permissions_controller.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -1,154 +0,0 @@
-# myExperiment: app/controllers/permissions_controller.rb
-#
-# Copyright (c) 2007 University of Manchester and the University of Southampton.
-# See license.txt for details.
-
-class PermissionsController < ApplicationController
-  before_filter :login_required
-  
-  before_filter :find_permissions_auth, : [:index]
-  before_filter :find_permission_auth, : [:show, :edit, :update, :destroy]
-  
-  # GET /policies/1/permissions
-  # GET /permissions
-  def index
-    respond_to do |format|
-      format.html # index.rhtml
-    end
-  end
-
-  # GET /policies/1/permissions
-  # GET /permissions/1
-  def show
-    respond_to do |format|
-      format.html # show.rhtml
-    end
-  end
-
-  # GET /policies/1/permissions/new
-  # GET /permissions/new
-  def new
-    @permission = Permission.new
-    
-    begin
-      policy = Policy.find(params[:policy_id], :conditions => ["contributor_id = ? AND contributor_type = ?", current_user.id, current_user.class.to_s])
-      @permission.policy_id = policy.id
-    rescue ActiveRecord::RecordNotFound
-      error("Policy ID not supplied", "not supplied", :policy_id)
-    end
-  end
-
-  # GET /policies/1/permissions/1;edit
-  # GET /permissions/1;edit
-  def edit
-    
-  end
-
-  # POST /policies/1/permissions
-  # POST /permissions
-  def create
-    # hack for _javascript_ contributor selection form
-    case params[:permission][:contributor_type].to_s
-    when "User"
-      params[:permission][:contributor_id] = params[:user_contributor_id]
-    when "Network"
-      params[:permission][:contributor_id] = params[:network_contributor_id]
-    else
-      error("Contributor ID not selected", "not selected", :contributor_id)  
-    end
-    
-    @permission = Permission.new(params[:permission])
-
-    respond_to do |format|
-      if @permission.save
-        flash[:notice] = 'Permission was successfully created.'
-        #format.html { redirect_to permission_url(@permission.policy, @permission) }
-        format.html { redirect_to policy_url(@permission.policy) }
-      else
-        format.html { render :action ="" "new" }
-      end
-    end
-  end
-
-  # PUT /policies/1/permissions/1
-  # PUT /permissions/1
-  def update
-    respond_to do |format|
-      if @permission.update_attributes(params[:permission])
-        flash[:notice] = 'Permission was successfully updated.'
-        #format.html { redirect_to permission_url(@permission.policy, @permission) }
-        format.html { redirect_to policy_url(@permission.policy) }
-      else
-        format.html { render :action ="" "edit" }
-      end
-    end
-  end
-
-  # DELETE /policies/1/permissions/1
-  # DELETE /permissions/1
-  def destroy
-    policy = @permission.policy
-    
-    @permission.destroy
-
-    respond_to do |format|
-      #format.html { redirect_to permissions_url(@permission.policy)}
-      format.html { redirect_to policy_url(policy) }
-    end
-  end
-  
-protected
-
-  def find_permissions_auth
-    if params[:policy_id]
-      begin
-        @policy = Policy.find(params[:policy_id], :conditions => ["contributor_id = ? AND contributor_type = ?", current_user.id, current_user.class.to_s])
-        
-        @permissions = @policy.permissions
-      rescue ActiveRecord::RecordNotFound
-        error("Policy not found (id not authorized)", "is invalid (not owner)", :policy_id)
-      end
-    else
-      @permissions = []
-      current_user.policies.each do |policy|
-        policy.permissions.each do |permission|
-          @permissions << permission
-        end
-      end
-    end
-  end
-
-  def find_permission_auth
-    begin
-      permission = Permission.find(params[:id])
-      
-      params[:policy_id] ||= permission.policy.id
-      
-      begin
-        policy = Policy.find(params[:policy_id], :conditions => ["contributor_id = ? AND contributor_type = ?", current_user.id, current_user.class.to_s])
-        
-        if permission.policy.id.to_i == policy.id.to_i
-          @policy = policy
-          @permission = permission
-        else
-          error("Permission not found (invalid Policy id)", "is invalid (does not match permission.policy_id)", :policy_id)
-        end
-      rescue ActiveRecord::RecordNotFound
-        error("Policy not found (id not authorized)", "is invalid (not owner)", :policy_id)
-      end
-    rescue ActiveRecord::RecordNotFound
-      error("Permission not found (does not exist)", "is invalid (not found)")
-    end
-  end
-  
-private
-
-  def error(notice, message, attr=:id)
-    flash[:error] = notice
-    (err = Permission.new.errors).add(attr, message)
-    
-    respond_to do |format|
-      format.html { redirect_to policies_url }
-    end
-  end
-end

Deleted: trunk/app/controllers/policies_controller.rb (2083 => 2084)


--- trunk/app/controllers/policies_controller.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/controllers/policies_controller.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -1,117 +0,0 @@
-# myExperiment: app/controllers/policies_controller.rb
-#
-# Copyright (c) 2007 University of Manchester and the University of Southampton.
-# See license.txt for details.
-
-class PoliciesController < ApplicationController
-  before_filter :login_required
-  
-  before_filter :find_policies_auth, : [:index]
-  before_filter :find_policy_auth, : [:test, :show, :edit, :update, :destroy]
-  
-  # POST /policies/1;test
-  def test
-    contribution, contributor = Contribution.find(params[:contribution_id]), nil
-    
-    # hack for _javascript_ contributor selection form
-    case params[:contributor_type].to_s
-    when "User"
-      contributor = User.find(params[:user_contributor_id])
-    when "Network"
-      contributor = Network.find(params[:network_contributor_id])
-    else
-      error("Contributor ID not selected", "not selected", :contributor_id)  
-    end
-    
-    respond_to do |format|
-      format.html { render :partial => "policies/test_results", :locals => { :policy => @policy, :contribution => contribution, :contributor => contributor } }
-    end
-  end
-  
-  # GET /policies
-  def index
-    respond_to do |format|
-      format.html # index.rhtml
-    end
-  end
-
-  # GET /policies/1
-  def show
-    respond_to do |format|
-      format.html # show.rhtml
-    end
-  end
-
-  # GET /policies/new
-  def new
-    @policy = Policy.new
-    
-    @policy.contributor_id = current_user.id
-    @policy.contributor_type = current_user.class.to_s
-  end
-
-  # GET /policies/1;edit
-  def edit
-
-  end
-
-  # POST /policies
-  def create
-    @policy = Policy.new(params[:policy])
-    
-    respond_to do |format|
-      if @policy.save
-        flash[:notice] = 'Policy was successfully created.'
-        format.html { redirect_to policy_url(@policy) }
-      else
-        format.html { render :action ="" "new" }
-      end
-    end
-  end
-
-  # PUT /policies/1
-  def update
-    respond_to do |format|
-      if @policy.update_attributes(params[:policy])
-        flash[:notice] = 'Policy was successfully updated.'
-        format.html { redirect_to policy_url(@policy) }
-      else
-        format.html { render :action ="" "edit" }
-      end
-    end
-  end
-
-  # DELETE /policies/1
-  def destroy
-    @policy.destroy
-
-    respond_to do |format|
-      format.html { redirect_to policies_url }
-    end
-  end
-  
-protected
-
-  def find_policies_auth
-    @policies = Policy.find(:all, :conditions => ["contributor_id = ? AND contributor_type = ?", current_user.id, current_user.class.to_s])
-  end
-  
-  def find_policy_auth
-    begin
-      @policy = Policy.find(params[:id], :conditions => ["contributor_id = ? AND contributor_type = ?", current_user.id, current_user.class.to_s])
-    rescue ActiveRecord::RecordNotFound
-      error("Policy not found (id not authorized)", "is invalid (not owner)")
-    end
-  end
-
-private
-
-  def error(notice, message, attr=:id)
-    flash[:error] = notice
-    (err = Policy.new.errors).add(attr, message)
-    
-    respond_to do |format|
-      format.html { redirect_to policies_url }
-    end
-  end
-end

Deleted: trunk/app/controllers/policy_wizard_controller.rb (2083 => 2084)


--- trunk/app/controllers/policy_wizard_controller.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/controllers/policy_wizard_controller.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -1,74 +0,0 @@
-class PolicyWizardController < ApplicationController
-  before_filter :login_required
-  before_filter :find_policy_auth, :except => [:show, :start, :create]
-  
-  def show
-    redirect_to :action ="" :start
-  end
-  
-  def start
-    @policy = Policy._default(current_user)
-    @policy.name = nil
-  end
-
-  def create
-    @policy = Policy.new(params[:policy])
-    
-    if @policy.save
-      redirect_to :action ="" :public, :id => @policy.id
-    else 
-      render :action ="" :start
-    end
-  end
-
-  def public
-    # render public.rhtml
-  end
-
-  def protected
-    render :action ="" :public unless @policy.update_attributes(params[:policy])
-  end
-
-  def private
-    render :action ="" :protected unless @policy.update_attributes(params[:policy])
-  end
-
-  def finish
-    # render finish.rhtml
-  end
-  
-  def permission
-    # hack for _javascript_ contributor selection form
-    case params[:contributor_type].to_s
-    when "User"
-      contributor = User.find(params[:user_contributor_id])
-    when "Network"
-      contributor = Network.find(params[:network_contributor_id])
-    else
-      error("Invalid contributor type", "invalid type (must be User or Network)", :contributor_type)
-    end
-    
-    @permission = Permission.new(:policy => @policy, :contributor => contributor, :view => params[:view], :download => params[:download], :edit => params[:edit])
-
-    render :partial => "policies/permission", :object => @permission, :locals => { :read_only => true } if @permission.save
-  end
-  
-protected
-  
-  def find_policy_auth
-    @policy = Policy.find(:first, :conditions => ["id = ? AND contributor_id = ? AND contributor_type = ?", params[:id], current_user.id, "User"])
-    
-    error("Policy not found (id not authorized)", "is invalid (not owner)") unless @policy
-  end
-  
-private
-
-  def error(notice, message, attr=:id)
-    flash[:error] = notice
-    (err = Policy.new.errors).add(attr, message)
-    
-    respond_to do |format|
-      format.html { redirect_to policies_url }
-    end
-  end
-end

Modified: trunk/app/controllers/reviews_controller.rb (2083 => 2084)


--- trunk/app/controllers/reviews_controller.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/controllers/reviews_controller.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -114,9 +114,9 @@
     
       workflow = Workflow.find(params[:workflow_id])
       
-      if workflow.authorized?("show", (logged_in? ? current_user : nil))
+      if Authorization.is_authorized?('show', nil, workflow, current_user)
         # remove workflow data from workflow if the user is not authorized for download
-        workflow.content_blob.data = "" unless workflow.authorized?("download", (logged_in? ? current_user : nil))
+        workflow.content_blob.data = "" unless Authorization.is_authorized?('download', nil, workflow, current_user)
         @reviewable = workflow
       else
         if logged_in?

Modified: trunk/app/controllers/runners_controller.rb (2083 => 2084)


--- trunk/app/controllers/runners_controller.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/controllers/runners_controller.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -112,7 +112,7 @@
   def find_runner_auth
     runner = TavernaEnactor.find(:first, :conditions => ["id = ?", params[:id]])
     
-    if runner and runner.authorized?(action_name, current_user)
+    if runner and Authorization.is_authorized?(action_name, nil, runner, current_user)
       @runner = runner
     else
       error("Runner not found or action not authorized", "is invalid (not authorized)")

Modified: trunk/app/controllers/tags_controller.rb (2083 => 2084)


--- trunk/app/controllers/tags_controller.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/controllers/tags_controller.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -65,7 +65,7 @@
       # Authorise entries now
       taggings.each do |t|
         if t.taggable.respond_to?(:contribution)
-          @tagged_with << t.taggable if t.taggable.contribution.authorized?("show", current_user)
+          @tagged_with << t.taggable if Authorization.is_authorized?('show', nil, t.taggable.contribution, current_user)
         else
           @tagged_with << t.taggable
         end

Modified: trunk/app/controllers/workflows_controller.rb (2083 => 2084)


--- trunk/app/controllers/workflows_controller.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/controllers/workflows_controller.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -583,7 +583,7 @@
                           :order => "workflows.updated_at DESC" }))
     
     found.each do |workflow|
-      workflow.content_blob.data = "" unless workflow.authorized?("download", (logged_in? ? current_user : nil))
+      workflow.content_blob.data = "" unless Authorization.is_authorized?('download', nil, workflow, current_user)
     end
     
     @workflows = found
@@ -597,7 +597,7 @@
       @rss_workflows = [ ]
       
       found.each do |workflow|
-        @rss_workflows << workflow if workflow.authorized?("show", (logged_in? ? current_user : nil))
+        @rss_workflows << workflow if Authorization.is_authorized?('show', nil, workflow, current_user)
       end
     end
   end
@@ -611,10 +611,7 @@
         workflow = Workflow.find(params[:id])
       end
       
-      permission = action_name
-      permission = 'show' if action_name == 'launch'
-
-      if workflow.authorized?(permission, (logged_in? ? current_user : nil))
+      if Authorization.is_authorized?(action_name, nil, workflow, current_user)
         @latest_version_number = workflow.current_version
         @workflow = workflow
         if params[:version]
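Review bot: The removed `permission = 'show' if action_name == 'launch'` mapping means the `launch` action is now passed verbatim to `Authorization.is_authorized?`, whereas launching previously required only view rights. Unless the new module knows the `launch` action (not visible in this diff), the outcome depends on how it handles actions it does not recognise — a fail-closed default breaks launching, a permissive default grants it to anyone. Confirm the mapping now lives in `Authorization`, or reinstate it at the call site: `if Authorization.is_authorized?((action_name == 'launch' ? 'show' : action_name), nil, workflow, current_user)`. The enclosing method starts and ends outside the hunk.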
@@ -629,8 +626,13 @@
           @viewing_version = @workflow.find_version(@latest_version_number)
         end
         
-        @authorised_to_download = @workflow.authorized?("download", (logged_in? ? current_user : nil))
-        @authorised_to_edit = logged_in? && @workflow.authorized?("edit", (logged_in? ? current_user : nil))
+        @authorised_to_edit = logged_in? && Authorization.is_authorized?('edit', nil, @workflow, current_user)
+        if @authorised_to_edit
+          # can save a call to .is_authorized? if "edit" was already found to be allowed - due to cascading permissions
+          @authorised_to_download = true
+        else
+          @authorised_to_download = Authorization.is_authorized?('download', nil, @workflow, current_user)
+        end
         
         # remove scufl from workflow if the user is not authorized for download
         @viewing_version.content_blob.data = "" unless @authorised_to_download
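Review bot: Setting `@authorised_to_download = true` whenever `@authorised_to_edit` is true embeds a policy rule ("edit implies download") in the controller, where it must stay in sync with whatever `Authorization` actually enforces; because `@authorised_to_download` gates blanking `content_blob.data` a few lines down, any future policy that grants edit without download would expose the scufl here. The saved call is cheap relative to that coupling; the safer form is the unconditional `@authorised_to_download = Authorization.is_authorized?('download', nil, @workflow, current_user)`, with the cascade, if wanted, implemented inside `Authorization` where it is tested once. The enclosing method starts and ends outside the hunk.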
@@ -699,8 +701,8 @@
         @sharing_mode  = params[:sharing][:class_id].to_i if params[:sharing]
         @updating_mode = params[:updating][:class_id].to_i if params[:updating]
       when "show", "edit"
-        @sharing_mode  = determine_sharing_mode(@workflow)
-        @updating_mode = determine_updating_mode(@workflow)
+        @sharing_mode  = @workflow.contribution.policy.share_mode
+        @updating_mode = @workflow.contribution.policy.update_mode
     end
   end
   

Modified: trunk/app/helpers/application_helper.rb (2083 => 2084)


--- trunk/app/helpers/application_helper.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/helpers/application_helper.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -417,7 +417,7 @@
         
         if thumb
           unless w.image.nil?
-            if w.authorized?("show", (logged_in? ? current_user : nil))
+            if Authorization.is_authorized?('show', nil, w, current_user)
               dot = image_tag url_for_file_column(w, "image", "thumb")
             else
               dot = image_tag url_for_file_column(w, "image", "padlock")
@@ -837,7 +837,7 @@
   
   def all_workflows
     workflows = Workflow.find(:all, :order => "title ASC")
-    workflows = workflows.select {|w| w.authorized?('show', w) }
+    workflows = workflows.select {|w| Authorization.is_authorized?('show', nil, w, current_user) }
   end
   
   def all_blobs
@@ -847,7 +847,7 @@
       y_title = (y.title and y.title.length > 0) ? y.title : y.local_name
       x_title.downcase <=> y_title.downcase
     }
-    blobs = blobs.select {|b| b.authorized?('show', b) }
+    blobs = blobs.select {|b| Authorization.is_authorized?('show', nil, b, current_user) }
   end
   
   def all_networks
@@ -1050,8 +1050,9 @@
   end
   
   def thing_authorized?(action, thing)
-    return true unless thing.respond_to?(:authorized?)
-    return thing.authorized?(action, (logged_in? ? current_user : nil))
+    # method preserved only in case some code absolutely requires it in the future;
+    # for now (Jan 2009) all occurrences of it's usage were replaced with Authorization.is_authorized?()
+    return Authorization.is_authorized?(action, nil, thing, current_user)
   end
   
   def strip_html(str, preserve_tags=[])
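Review bot: The new comment has a typo (`it's usage` should be `its usage`) and the method is now a thin, unused shim, so mark it as such instead of narrating the history: `# @deprecated Call Authorization.is_authorized?(action, nil, thing, current_user) directly; kept only for compatibility.` The explicit `return` on the last line is redundant in Ruby. Dropping the old `respond_to?(:authorized?)` guard also changes the answer for objects that never had an authorized? method — they were implicitly allowed before and now depend on how Authorization.is_authorized? treats them — which is worth one sentence in the comment so any remaining caller is not surprised.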

Modified: trunk/app/models/contribution.rb (2083 => 2084)


--- trunk/app/models/contribution.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/models/contribution.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -82,11 +82,6 @@
     policy.admin?(c_utor)
   end
   
-  # is c_utor authorized to perform action_name (using the policy)
-  def authorized?(action_name, c_utor=nil)
-    policy.nil? ? Policy._default(self.contributor, self).authorized?(action_name, self, c_utor) : policy.authorized?(action_name, self, c_utor)
-  end
-  
   # is c_utor the owner of this contribution
   def owner?(c_utor)
     #contributor_id.to_i == c_utor.id.to_i and contributor_type.to_s == c_utor.class.to_s

Modified: trunk/app/models/experiment.rb (2083 => 2084)


--- trunk/app/models/experiment.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/models/experiment.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -42,22 +42,4 @@
     experiments = Experiment.find_by_contributor('User', user.id)
     return experiments + Experiment.find_by_groups(user)
   end
-  
-  # Note: at the moment (Feb 2008), Experiments (and associated Jobs) are private to the owner, if a User owns it, 
-  # OR accessible by all members of a Group, if a Group owns it. 
-  def authorized?(action_name, c_utor=nil)
-    return false if c_utor.nil?
-    
-    # Cannot ask authorization for a 'Network' contributor
-    return false if c_utor.class.to_s == 'Network' 
-    
-    case self.contributor_type.to_s
-    when "User"
-      return self.contributor_id.to_i == c_utor.id.to_i
-    when "Network"
-      return self.contributor.member?(c_utor.id)
-    else
-      return false
-    end 
-  end
 end

Modified: trunk/app/models/job.rb (2083 => 2084)


--- trunk/app/models/job.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/models/job.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -34,11 +34,6 @@
     return s
   end
   
-  def authorized?(action_name, c_utor=nil)
-    # Use authorization logic from parent Experiment
-    return self.experiment.authorized?(action_name, c_utor)
-  end
-  
   def last_status
     if self[:last_status].nil?
       return "not yet submitted"

Modified: trunk/app/models/network.rb (2083 => 2084)


--- trunk/app/models/network.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/models/network.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -68,10 +68,6 @@
     owner.name
   end
   
-  def authorized?(action_name, contributor=nil)
-    return true
-  end
-  
 #  has_many :relationships_completed, #accepted (by others)
 #           :class_name => "Relationship",
 #           :foreign_key => :network_id,

Modified: trunk/app/models/pack.rb (2083 => 2084)


--- trunk/app/models/pack.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/models/pack.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -166,8 +166,8 @@
           next # skips all further processing and moves on to the next item
         end
         
-        download_allowed = item_contribution.authorized?("download", user)
-        viewing_allowed = download_allowed ? true : item_contribution.authorized?("view", user)
+        download_allowed = Authorization.is_authorized?('download', nil, item_contribution, user)
+        viewing_allowed = download_allowed ? true : Authorization.is_authorized?('view', nil, item_contribution, user)
         
         
         case item_entry.contributable_type.downcase
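Review bot: The new `viewing_allowed` line asks Authorization for `'view'` while every other rewritten call site in this commit asks for `'show'`; the removed Policy#authorized? mapped action names through `categorize`, and whether Authorization.is_authorized? treats `'view'` and `'show'` as the same category is not visible here, so confirm it or use the same literal as the rest of the codebase. The ternary on that line is just a boolean-or and reads better as `viewing_allowed = download_allowed || Authorization.is_authorized?('view', nil, item_contribution, user)`. The enclosing method starts before this hunk.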

Modified: trunk/app/models/policy.rb (2083 => 2084)


--- trunk/app/models/policy.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/models/policy.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -18,244 +18,6 @@
   
   validates_presence_of :contributor, :name
   
-  
-  def determine_update_mode(c_ution)
-    
-    # return nil unless correct policy for contribution
-    return nil if c_ution.nil? || !(c_ution.policy.id.to_i == id.to_i)
-    
-    return self.update_mode unless self.update_mode.nil?
-
-    v_pub  = self.view_public;
-    v_prot = self.view_protected;
-    d_pub  = self.download_public;
-    d_prot = self.download_protected;
-    e_pub  = self.edit_public;
-    e_prot = self.edit_protected;
-    
-    
-    # check if permissions would allow editing for anyone at all: it happens, when permissions array 
-    # isn't empty AND there are some permissions with 'edit' field set to true
-    perms = self.permissions
-    perms_exist = !perms.empty?
-
-
-    # initializing; ..used for validation below
-    my_networks    = []
-    other_networks = []
-    my_friends     = []
-    other_users    = []
-    
-    # group permissions are separate from the modes, so first of all;
-    # so the best thing to do is to split all permissions into different groups
-    # (do this just if there are any permissions at all):
-    if perms_exist #, then do the splitting
-      contributor = User.find(c_ution.contributor_id)
-
-      contributors_friends  = contributor.friends.map do |f| f.id end
-      contributors_networks = (contributor.networks + contributor.networks_owned).map do |n| n.id end
-
-      logger.debug("contributors_networks = #{(contributors_networks.map do |n| n.id end).join(";")}")
-
-      perms.each do |p|
-        logger.debug("contributor_id = #{p.contributor_id}; contributor_type = #{p.contributor_type}")
-        case p.contributor_type
-          when 'Network'
-            if contributors_networks.index(p.contributor_id).nil?
-              other_networks.push p
-            else
-              my_networks.push p
-            end
-
-          when 'User'
-            if contributors_friends.index(p.contributor_id).nil?
-              other_users.push p
-            else
-              my_friends.push p
-            end
-        end
-      end
-
-    end
-
-    # DEBUG
-    # logger.debug("counts of permissions for:")
-    # logger.debug("all permissions= #{perms_exist ? perms.length : 'nil'}")
-    # logger.debug("my_networks    = #{my_networks.length}")
-    # logger.debug("other_networks = #{other_networks.length}")
-    # logger.debug("my_friends     = #{my_friends.length}")
-    # logger.debug("other_users    = #{other_users.length}")
-    # END OF DEBUG
-
-    
-    # some pre-processing - check if other_users and other_networks don't have edit permissions; check if friends can't edit
-    other_users_and_networks_cant_edit = ((other_networks + other_users).select do |p| p.edit end).empty?
-    my_friends_cant_edit = (my_friends.select do |p| p.edit end).empty?
-
-
-    # (modes 5 & 6 give the least permissions, which is the safest - so these get checked first; then mode 1; then mode 0)
-    # (this is the order from most 'narrow' update permissions to the 'widest' ones) 
-
-
-    # MODE 5? some of my friends (and noone else, apart from the owner & any of 'my groups' can edit)
-    #
-    # Conditions:
-    # 1) no permissions should exist at all
-    #   OR
-    # 2) don't care about any permissions for 'my_groups';
-    # 3) no edit permissions should exist for 'other_networks', 'other_users'
-    # 4) some edit permissions should exist for 'my_friends'
-         
-    #  === AND === (mode 5 & mode 6 go together, as the checks are very similar)
-
-    # MODE 6? noone else (apart from the owner & any of 'my groups' can edit)
-    #
-    # Conditions:
-    # 1) no permissions should exist at all
-    #   OR
-    # 2) don't care about any permissions for 'my_groups';
-    # 3) no edit permissions should exist for 'other_networks', 'other_users', 'my_friends'
-    if (e_pub == false && e_prot == false)
-      if !perms_exist || other_users_and_networks_cant_edit
-        if my_friends_cant_edit
-          return 6
-        else
-          return 5
-        end
-      end
-    end
-
-
-    # MODE 1? only "all friends" and "network members of my groups" can edit
-    #
-    # Conditions:
-    # 1) no permissions should exist at all
-    #   OR
-    # 2) no edit permissions for 'other_networks' or 'other_users' should exist at all;
-    # 3) all permissions for 'my_friends' should allow editing (if any denies, it's not this mode);
-    # 4) don't care about any permissions for 'my_networks' at all. 
-    if (e_pub == false && e_prot == true)
-      if !perms_exist || (other_users_and_networks_cant_edit && (my_friends.select do |p| !p.edit end).empty?)
-        return 1
-      end
-    end
-
-
-    # MODE 0? same as those that can view AND download
-    #
-    # Conditions:
-    # for all of the three types of access (public, protected and permission-based),
-    # everyone who can 'view' AND 'download' should be able to 'edit' for this type of policy
-    # to classify as belonging to this mode.
-    # (for permission-based access, don't take into account any of 'my group' permissions) 
-    if (e_pub == (v_pub && d_pub))
-      if (e_prot == (v_prot && d_prot))
-        # select only those elements from the arrays of permissions, for which ('view' && 'download') != 'edit'
-        if ((my_friends + other_users + other_networks).select do |p| p.edit != (p.view && p.download) end).empty?
-          return 0;
-        end
-      end
-    end
-
-    
-    # MODE 7: couldn't determine the mode, so should have CUSTOM update mode
-    return 7
-  end
-  
-  
-  def authorized?(action_name, c_ution=nil, c_utor=nil)
-    
-    if c_ution
-      # return false unless correct policy for contribution
-      return false unless c_ution.policy.id.to_i == id.to_i
-    end
-    
-    # ======= Authorization logic continues... ======
-    
-    # Authenticated system sets current_user to 0 if not logged in
-    c_utor = nil if c_utor == 0
-      
-    # false unless action can be categorized
-    return false unless category = categorize(action_name)
-    
-    # Bit of hack for update permissions - 'view' and 'download' is authorized if 'edit' is authorized
-    return true if ['download', 'view'].include?(category) and authorized?('edit', c_ution, c_utor) 
-      
-    
-    authorized_by_user_permissions = false
-    authorized_by_policy = false 
-    authorized_by_group_permissions = false
-    
-    unless c_utor.nil?
-      # being owner of the contribution / admin of the policy is the most important -
-      # if this is the case, no further checks are required: access is authorized
-      if c_ution
-        # true if owner of contribution or administrator of contribution.policy
-        return true if (c_ution.owner?(c_utor) or c_ution.admin?(c_utor))
-      else
-        # true if administrator of self
-        return true if admin?(c_utor)
-      end
-      
-      
-      # c_utor is not the owner of the item, to which policy is attached;
-      # next thing - obtain all the permissions that are relevant to
-      # c_utor: either through individual or through group permissions
-      user_permissions, group_permissions = all_permissions_for_contributor(c_utor)
-      
-      # DEBUG
-      #logger.error "==================================================="
-      #logger.error "user_permissions -> " + user_permissions.length.to_s
-      #logger.error user_permissions.to_sentence
-      #logger.error "group_permissions -> " + group_permissions.length.to_s
-      #logger.error group_permissions.to_sentence
-      #logger.error "==================================================="
-      # END OF DEBUG
-      
-      
-      # individual ('user') permissions override any other settings
-      # (if several are found, which shouldn't be the case, all are collapsed into
-      #  one with the highest access rights)
-      unless user_permissions.empty?
-        user_permissions.each do |p|
-          authorized_by_user_permissions = true if p.attributes["#{category}"]
-        end
-        return authorized_by_user_permissions
-      end
-      
-      
-      # no user permissions found, need to check what is allowed by policy
-      # (check 'protected' settings first)
-      if c_ution
-        # true if contribution.contributor and contributor are related and policy[category_protected]
-        authorized_by_policy = true if (c_ution.contributor.protected? c_utor and protected?(category))
-      else
-        # true if policy.contributor and contributor are related and policy[category_protected]
-        authorized_by_policy = true if (self.contributor.protected? c_utor and protected?(category))
-      end
-      return authorized_by_policy if authorized_by_policy
-      
-      
-      # not authorized by protected settings; check public policy settings
-      authorized_by_policy = public?(category)
-      return authorized_by_policy if authorized_by_policy
-      
-      
-      # not authorized by policy at all, check the group permissions
-      # (for the groups, where c_utor is a member or admin of)
-      unless group_permissions.empty?
-        group_permissions.each do |p|
-          authorized_by_group_permissions = true if p.attributes["#{category}"]
-        end
-        return authorized_by_group_permissions if authorized_by_group_permissions
-      end
-    end
-    
-    # no other cases matched OR c_utor is unknown - apply public policy settings
-    # true if policy[category_public]
-    return public?(category)
-  end
-  
   def admin?(c_utor)
     return false unless c_utor
     
@@ -263,16 +25,9 @@
   end
   
   # THIS IS THE DEFAULT POLICY (see /app/views/policies/_list_form.rhtml)
-  # IT IS CALLED IN contribution.rb::authorized? ; application.rb::update_policy()
   def self._default(c_utor, c_ution=nil)
     rtn = Policy.new(:name => "A default policy",  # "anyone can view and download and no one else can edit"
                      :contributor => c_utor,
-                     :view_public => true,         # anonymous can view
-                     :download_public => true,     # anonymous can download
-                     :edit_public => false,        # anonymous can't edit
-                     :view_protected => true,      # friends can view
-                     :download_protected => true,  # friends can download
-                     :edit_protected => false,     # friends can't edit
                      :share_mode => 0,
                      :update_mode => 6)     
                      
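Review bot: With the six per-flag attributes removed from the default policy, the meaning "anyone can view and download and no one else can edit" is now carried entirely by two integers, so annotate them in place so the intent survives: `:share_mode => 0,   # public can view and download` and `:update_mode => 6)  # nobody beyond the owner may edit (explicit permissions are handled separately)`, which matches the sharing_class table in application.rb and the mode 6 description in the removed determine_update_mode. The method continues past this hunk, so check that any remaining reference to the dropped attributes in its tail was removed as well.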
@@ -286,12 +41,6 @@
   def copy_values_from(other)
     self.name = other.name
     self.contributor = other.contributor
-    self.view_public = other.view_public
-    self.download_public = other.download_public
-    self.edit_public = other.edit_public
-    self.view_protected = other.view_protected
-    self.download_protected = other.download_protected
-    self.edit_protected = other.edit_protected
     self.share_mode = other.share_mode
     self.update_mode = other.update_mode
   end

Modified: trunk/app/models/taverna_enactor.rb (2083 => 2084)


--- trunk/app/models/taverna_enactor.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/models/taverna_enactor.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -45,29 +45,6 @@
     return runners + TavernaEnactor.find_by_groups(user)
   end
   
-  # Note: at the moment (Feb 2008), updates and deletes are only allowed by the creator of the TavernaEnactor 
-  # OR the administrator of the Group that owns the TavernaEnactor.
-  # For all other actions, only creator OR members of the Group that owns the TavernaEnactor are authorized.
-  def authorized?(action_name, c_utor=nil)
-    return false if c_utor.nil?
-    
-    # Cannot ask authorization for a 'Network' contributor
-    return false if c_utor.class.to_s == 'Network'
-    
-    case self.contributor_type.to_s
-    when "User"
-      return self.contributor_id.to_i == c_utor.id.to_i
-    when "Network"
-      if ['edit','update','delete'].include?(action_name.downcase)
-        return self.contributor.owner?(c_utor.id)
-      else
-        return self.contributor.member?(c_utor.id)
-      end
-    else
-      return false
-    end
-  end
-  
   def service_valid?
     service_client.service_valid?
   end

Modified: trunk/app/views/blobs/_blob.rhtml (2083 => 2084)


--- trunk/app/views/blobs/_blob.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/blobs/_blob.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -23,9 +23,9 @@
 	  </tr>
 	  <tr>
 	    <td colspan="2">
-	      <% if blob.authorized?("download", (logged_in? ? current_user : nil)) %><%= icon "download", download_file_path(blob) %> <% end %>
-	      <% if blob.authorized?("show", (logged_in? ? current_user : nil)) %><%= icon "show", file_path(blob), nil, nil, "View" %> <% end %>
-	      <% if logged_in? and blob.authorized?("edit", current_user) %><%= icon "edit", edit_file_path(blob) %> <% end %>
+	      <% if Authorization.is_authorized?('download', nil, blob, current_user) %><%= icon "download", download_file_path(blob) %> <% end %>
+	      <% if Authorization.is_authorized?('show', nil, blob, current_user) %><%= icon "show", file_path(blob), nil, nil, "View" %> <% end %>
+	      <% if logged_in? and Authorization.is_authorized?('edit', nil, blob, current_user) %><%= icon "edit", edit_file_path(blob) %> <% end %>
 	      <% if logged_in? and blob.owner?(current_user) %><%= icon "destroy", file_path(blob), nil, :confirm => 'Are you sure?', :method => :delete %><% end %>
 	    </td>
 	  </tr>
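Review bot: The destroy icon on the line following the three rewritten checks is still gated by `blob.owner?(current_user)`, while blobs/show.rhtml in this commit gates the same action with `Authorization.is_authorized?('destroy', nil, @blob, current_user)`, so the two views can disagree about who sees the delete control (the removed Policy#authorized? granted access to a policy admin as well as the owner). These are display checks only — the controller's destroy action must enforce the decision — but routing all of them through Authorization keeps the UI consistent with it: `<% if logged_in? && Authorization.is_authorized?('destroy', nil, blob, current_user) %>`. blogs/_table.rhtml has the same `blog.owner?` gate next to its rewritten lines.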

Modified: trunk/app/views/blobs/_table.rhtml (2083 => 2084)


--- trunk/app/views/blobs/_table.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/blobs/_table.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -6,9 +6,9 @@
 	<% for blob in collection %>
 		<% # If only one item in collection, check if 'show' permission is available (eg: if this partial was called from contributions/table) -%>
 		<% if collection.size == 1 -%>
-			<% show ||= blob.authorized?("show", current_user) -%>
+			<% show ||= Authorization.is_authorized?('show', nil, blob, current_user) -%>
 		<% else -%>
-			<% show = blob.authorized?("show", current_user) -%>
+			<% show = Authorization.is_authorized?('show', nil, blob, current_user) -%>
 		<% end -%>
 	  <% if show -%>
 			<tr class="<%= (odd_row = !odd_row) ? "odd_row" : "even_row" %>">
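Review bot: On the new `show ||=` line a truthy `show` local supplied by the calling partial short-circuits the authorization call entirely, so when `collection.size == 1` the blob is rendered if the caller passed any truthy value, regardless of policy; the comment above ties this path to contributions/table, so confirm that caller only sets `show` from an authorization result. If the aim is merely to avoid a duplicate check, it is clearer to compute `show = Authorization.is_authorized?('show', nil, blob, current_user)` in both branches and keep the caller's flag as a separately named local. The surrounding `for blob in collection` is also better written as `collection.each do |blob|`, which does not leak the loop variable into the template scope.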
@@ -49,7 +49,7 @@
 							<p style="font-size:85%;">
 							<b>Attributions:</b>
 							<% attributors.each do |a| %>
-								<% if thing_authorized?('show', a.attributor) -%>
+								<% if Authorization.is_authorized?("show", nil, a.attributor, current_user) -%>
 									<% if a.attributor_type == 'Workflow' %>
 										<%= icon('workflow', nil, nil, nil, '') %> 
 									<% elsif a.attributor_type == 'Blob' %>
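Review bot: `a.attributor` is passed to Authorization.is_authorized? on the new line without the nil check that the sibling partials in this commit perform first (`_credits_attributions_box.rhtml` tests `a.attributor.nil?`, `_attributed_by.rhtml` tests `a.attributable.nil?`); the replaced thing_authorized? returned true for anything not responding to authorized?, which covered a deleted attributor, and Authorization's handling of a nil thing is not visible here. Guard it explicitly: `<% if a.attributor && Authorization.is_authorized?("show", nil, a.attributor, current_user) -%>`. The same unguarded call is on the new line in contributions/_credit_attribution_form.rhtml.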
@@ -92,7 +92,7 @@
 					
 					<td class="actions" style="width: 80px;">
 				    <%= icon "show", file_path(blob), nil, nil, "View" %>
-					  <% if blob.authorized?("download", current_user) %><%= icon "download", download_file_path(blob) %><% end %>
+					  <% if Authorization.is_authorized?("download", nil, blob, current_user) %><%= icon "download", download_file_path(blob) %><% end %>
 				    <% if mine?(blob) %><%= icon "manage", edit_file_path(blob), nil, nil, "Manage" %><% end %>
 				  </td>
 			</tr>

Modified: trunk/app/views/blobs/show.rhtml (2083 => 2084)


--- trunk/app/views/blobs/show.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/blobs/show.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -4,7 +4,7 @@
 	<% if mine?(@blob) -%>
 		<li><%= icon('manage', edit_file_path(@blob), nil, nil, 'Manage File Entry')%></li>
 	<% end -%>
-	<% if @blob.authorized?("destroy", current_user) %>
+	<% if Authorization.is_authorized?('destroy', nil, @blob, current_user) %>
 		<li><%= icon('destroy', file_path(@blob), nil, { :confirm => 'This deletes the File and all metadata such as tags, comments and ratings. Are you sure?', :method => :delete }, 'Delete File Entry') %></li>
 	<% end %>
 </ul>
@@ -84,7 +84,7 @@
 				Download
 			</h3>
 			
-			<% if @blob.authorized?("download", (logged_in? ? current_user : nil)) %>
+			<% if Authorization.is_authorized?('download', nil, @blob, current_user) %>
 				<ul class="sectionIcons">
 					<li><%= icon('blob', @named_download_url, "Download File", nil, "Download File") %></li>
 				</ul>
@@ -110,7 +110,7 @@
 																											 :owner_id => ((@blob.contributor_type == 'User') ? @blob.contributor_id : nil), 
 																											 :add_path => tag_file_path(@blob), 
 																											 :edit_path => edit_file_path(@blob),
-																											 :allow_edit => @blob.authorized?("edit", logged_in? ? current_user : nil ) } %>
+																											 :allow_edit => Authorization.is_authorized?('edit', nil, @blob, current_user) } %>
 																											 
   <%= render :partial => "contributions/shared_with_groups_box", :locals => { :contributable => @blob } %>
 	
@@ -145,7 +145,7 @@
       <%= render :partial => "contributions/sharing_summary",  :locals => { :contributable => @blob } %>
       <%= render :partial => "contributions/updating_summary", :locals => { :contributable => @blob } %>
 	  
-      <% if @blob.authorized?("edit", current_user) %>
+      <% if Authorization.is_authorized?('edit', nil, @blob, current_user) %>
         <ul class="sectionIcons">
           <li><%= icon('edit', edit_file_path(@blob), nil, nil, 'Edit')%></li>
         </ul>

Modified: trunk/app/views/blog_posts/_subnav.rhtml (2083 => 2084)


--- trunk/app/views/blog_posts/_subnav.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/blog_posts/_subnav.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -1,6 +1,6 @@
 <% case controller.action_name.to_s; when "show" %>
 
-  <% if logged_in? and @blog_post.blog.authorized?("edit", current_user) %>
+  <% if logged_in? && Authorization.is_authorized?("edit", nil, @blog_post.blog, current_user) %>
     <ul class="sectionIcons">
       <li><%= link_to 'Edit Blog Post', edit_blog_post_path(@blog_post.blog, @blog_post) %></li>
     </ul>       

Modified: trunk/app/views/blogs/_blog.rhtml (2083 => 2084)


--- trunk/app/views/blogs/_blog.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/blogs/_blog.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -23,9 +23,9 @@
 	  <tr>
 	    <td colspan="2">
 	      <center>
-	        <% if blog.authorized?("show", (logged_in? ? current_user : nil)) %><%= icon "show", blog_path(blog), nil, nil, "View" %> <% end %>
-	        <% if logged_in? and blog.authorized?("edit", current_user) %><%= icon "edit", edit_blog_path(blog) %> <% end %>
-	        <% if logged_in? and blog.authorized?("destroy", current_user) %><%= icon "destroy", blog_path(blog), nil, :confirm => 'Are you sure?', :method => :delete %><% end %>
+	        <% if Authorization.is_authorized?("show", nil, blog, current_user) %><%= icon "show", blog_path(blog), nil, nil, "View" %> <% end %>
+	        <% if logged_in? && Authorization.is_authorized?("edit", nil, blog, current_user) %><%= icon "edit", edit_blog_path(blog) %> <% end %>
+	        <% if logged_in? && Authorization.is_authorized?("destroy", nil, blog, current_user) %><%= icon "destroy", blog_path(blog), nil, :confirm => 'Are you sure?', :method => :delete %><% end %>
 	      </center>
 	    </td>
 	  </tr>

Modified: trunk/app/views/blogs/_table.rhtml (2083 => 2084)


--- trunk/app/views/blogs/_table.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/blogs/_table.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -19,9 +19,9 @@
     <td><%=h blog.posts.length %></td>
     <td><%=datetime(blog.posts[-1].created_at, false) unless blog.posts.empty? %></td>
     <td class="actions">
-      <% if blog.authorized?("show", (logged_in? ? current_user : nil)) %><%= icon "show", blog_path(blog), nil, nil, "View" %> <% end %>
-      <% if logged_in? and blog.authorized?("edit", current_user) %><%= icon "edit", edit_blog_path(blog) %> <% end %>
-      <% if logged_in? and blog.owner?(current_user) %><%= icon "destroy", blog_path(blog), nil, :confirm => 'Are you sure?', :method => :delete %><% end %>
+      <% if Authorization.is_authorized?("show", nil, blog, current_user) %><%= icon "show", blog_path(blog), nil, nil, "View" %> <% end %>
+      <% if logged_in? && Authorization.is_authorized?("edit", nil, blog, current_user) %><%= icon "edit", edit_blog_path(blog) %> <% end %>
+      <% if logged_in? && blog.owner?(current_user) %><%= icon "destroy", blog_path(blog), nil, :confirm => 'Are you sure?', :method => :delete %><% end %>
     </td>
   </tr>
 <% end %>

Modified: trunk/app/views/blogs/show.rhtml (2083 => 2084)


--- trunk/app/views/blogs/show.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/blogs/show.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -6,12 +6,12 @@
 
 <% if logged_in? %>
   <ul class="sectionIcons">
-    <% if @blog.authorized?("edit", current_user) %>
+    <% if Authorization.is_authorized?("edit", nil, @blog, current_user) %>
       <li><%= icon('new', new_blog_post_path(@blog), nil, nil, "New post") %></li>
       <li><%= icon('edit', edit_blog_path(@blog), nil, nil, 'Edit ' + truncate(@blog.title, 10)) %></li>
     <% end %>
     
-    <% if @blog.authorized?("destroy", current_user) %>
+    <% if Authorization.is_authorized?("destroy", nil, @blog, current_user) %>
       <li><%= icon('destroy', blog_path(@blog), nil, { :confirm => 'Are you sure?', :method => :delete }, 'Remove ' + truncate(@blog.title, 10)) %></li>
     <% end %>
   </ul>
@@ -23,7 +23,7 @@
   <%= render :partial => "blog_posts/post", :collection => @blog.posts %>
 <% end %>
 
-<% if logged_in? and @blog.authorized?("destroy", current_user) %>
+<% if logged_in? and Authorization.is_authorized?("destroy", nil, @blog, current_user) %>
   <h2>History</h2>
 
   <%= render :partial => "contributions/history", :object => @blog.contribution %>
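Review bot: The new line keeps `logged_in? and Authorization.is_authorized?(...)` while the other view hunks in this commit (blog_posts/_subnav, blogs/_blog, blogs/_table, citations/_table) were switched to `&&`; `and` binds more loosely than `=` and method arguments, which is harmless inside this `if` but leaves two spellings of the same guard for no reason. Use `<% if logged_in? && Authorization.is_authorized?("destroy", nil, @blog, current_user) %>` here, and the same change for `actions and Authorization.is_authorized?(...)` in citations/_citation.rhtml.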

Modified: trunk/app/views/citations/_citation.rhtml (2083 => 2084)


--- trunk/app/views/citations/_citation.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/citations/_citation.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -12,7 +12,7 @@
   <%= arr[i] %><%= "," unless i.to_i == arr.length.to_i - 1 %>
 <% end %>
 
-<% if actions and item.authorized?("edit", (logged_in? ? current_user : nil)) %>
+<% if actions and Authorization.is_authorized?("edit", nil, item, current_user) %>
 	&nbsp;&nbsp;<small>[<%= link_to "view", citation_path(item, citation) %>]</small>
 	&nbsp;<small>[<%= link_to "edit", edit_citation_path(item, citation) %>]</small>
 <% end %>
\ No newline at end of file

Modified: trunk/app/views/citations/_table.rhtml (2083 => 2084)


--- trunk/app/views/citations/_table.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/citations/_table.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -27,8 +27,8 @@
     <% end %>
     <td class="actions">
       <%= icon "show", citation_path(workflow, citation), nil, nil, "View" %> 
-      <% if logged_in? and @workflow.authorized?("edit", current_user) %><%= icon "edit", edit_citation_path(workflow, citation) %> <% end %>
-      <% if logged_in? and @workflow.authorized?("destroy", current_user) %><%= icon "destroy", citation_path(workflow, citation), nil, :confirm => 'Are you sure?', :method => :delete %><% end %>
+      <% if logged_in? && Authorization.is_authorized?("edit", nil, @workflow, current_user) %><%= icon "edit", edit_citation_path(workflow, citation) %> <% end %>
+      <% if logged_in? && Authorization.is_authorized?("destroy", nil, @workflow, current_user) %><%= icon "destroy", citation_path(workflow, citation), nil, :confirm => 'Are you sure?', :method => :delete %><% end %>
     </td>
   </tr>
 <% end %>

Modified: trunk/app/views/citations/index.rhtml (2083 => 2084)


--- trunk/app/views/citations/index.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/citations/index.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -1,6 +1,6 @@
 <h1>Citations for Workflow: <%= contributable(@workflow.id, 'Workflow') -%></h1>
 
-<% if @workflow.authorized?("edit", (logged_in? ? current_user : nil)) %>
+<% if Authorization.is_authorized?("edit", nil, @workflow, current_user) %>
   <ul class="sectionIcons">
     <li><%= icon('new', new_citation_path(@workflow), nil, nil, 'New Citation', nil) %></li>
 	</ul>

Modified: trunk/app/views/citations/show.rhtml (2083 => 2084)


--- trunk/app/views/citations/show.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/citations/show.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -2,11 +2,11 @@
 
 <ul class="sectionIcons">
   <% if logged_in? %>
-    <% if @workflow.authorized?("edit", current_user) %>
+    <% if Authorization.is_authorized?("edit", nil, @workflow, current_user) %>
       <li><%= icon('edit', edit_citation_path(@workflow, @citation), nil, nil, 'Edit Citation') %></li>
     <% end %>
 
-    <% if @workflow.authorized?("destroy", current_user) %>
+    <% if Authorization.is_authorized?("destroy", nil, @workflow, current_user) %>
       <li><%= icon('destroy', citation_path(@workflow, @citation), nil, { :confirm => 'Are you sure?', :method => :delete }, 'Delete Citation') %></li>
     <% end %>
   <% end %>

Modified: trunk/app/views/contributions/_attributed_by.rhtml (2083 => 2084)


--- trunk/app/views/contributions/_attributed_by.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/contributions/_attributed_by.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -16,7 +16,7 @@
 							<% if a.attributable.nil? -%>
 							  <span class="none_text">Item doesn't exist anymore</span>
 							<% else -%>
-								<% if thing_authorized?('show', a.attributable) -%>
+								<% if Authorization.is_authorized?("show", nil, a.attributable, current_user) -%>
 									<% if a.attributable_type == 'Workflow' %>
 										<%= icon('workflow', nil, nil, nil, '') %> 
 									<% elsif a.attributable_type == 'Blob' %>

Modified: trunk/app/views/contributions/_citations_tab.rhtml (2083 => 2084)


--- trunk/app/views/contributions/_citations_tab.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/contributions/_citations_tab.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -14,7 +14,7 @@
 		
 		<br/>
 
-    <% if item.authorized?("edit", (logged_in? ? current_user : nil)) %>
+    <% if Authorization.is_authorized?("edit", nil, item, current_user) %>
 	    <ul class="sectionIcons">
 	      <li><%= icon('new', new_citation_path(item), nil, nil, 'New Citation', nil) %></li>
 	      <li><%= icon('edit', citations_path(item), nil, nil, 'Edit Citations', nil) %></li>

Modified: trunk/app/views/contributions/_credit_attribution_form.rhtml (2083 => 2084)


--- trunk/app/views/contributions/_credit_attribution_form.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/contributions/_credit_attribution_form.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -214,7 +214,7 @@
 	
 		// Attributions
 		<% contributable.attributors.each do |a| %>
-			<% if thing_authorized?('show', a.attributor) -%>
+			<% if Authorization.is_authorized?("show", nil, a.attributor, current_user) -%>
 			  <% if a.attributor_type == 'Workflow' %>
 			  	attributions_workflows[<%= a.attributor_id %>] = '<%= escape_javascript contributable_name(a.attributor_id, 'Workflow') %>';
 			  <% elsif a.attributor_type == 'Blob' %>

Modified: trunk/app/views/contributions/_credits_attributions_box.rhtml (2083 => 2084)


--- trunk/app/views/contributions/_credits_attributions_box.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/contributions/_credits_attributions_box.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -45,7 +45,7 @@
 							<% if a.attributor.nil? -%>
 							  <span class="none_text">Item doesn't exist anymore</span>
 							<% else -%>
-								<% if thing_authorized?('show', a.attributor) -%>
+								<% if Authorization.is_authorized?("show", nil, a.attributor, current_user) -%>
 									<% if a.attributor_type == 'Workflow' %>
 										<%= icon('workflow', nil, nil, nil, '') %> 
 									<% elsif a.attributor_type == 'Blob' %>
@@ -65,7 +65,7 @@
 		<p class="none_text">None</p>
 	<% end %>
 	
-	<% if contributable.authorized?("edit", current_user) %>
+	<% if Authorization.is_authorized?("edit", nil, contributable, current_user) %>
 		<p style="text-align: right;"><small>[ <%= link_to "edit", edit_path %> ]</small></p>
 	<% end %>
 	

Modified: trunk/app/views/contributions/_in_packs_box.rhtml (2083 => 2084)


--- trunk/app/views/contributions/_in_packs_box.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/contributions/_in_packs_box.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -10,7 +10,7 @@
 			<ul class="items">
 				<% packs.each do |p| %>
 					<li>
-						<% if thing_authorized?('show', p) -%>
+						<% if Authorization.is_authorized?("show", nil, p, current_user) -%>
 							<%= icon('pack', nil, nil, nil, '') %>
 							<%= contributable(p.id, 'Pack') %>
 						<% else -%>

Modified: trunk/app/views/contributions/_table.rhtml (2083 => 2084)


--- trunk/app/views/contributions/_table.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/contributions/_table.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -1,7 +1,7 @@
 <% unless collection.empty? %>
 	
 	<% for contribution in collection %>
-		<% if (show = contribution.authorized?("show", current_user)) %>
+		<% if (show = Authorization.is_authorized?("show", nil, contribution, current_user)) %>
 	    <% unless params[:contributable_type] %>
 				<p style="margin-top: 0.5em;"><b><%= visible_name(contribution.contributable_type) %></b></p>
 			<% end %>

Modified: trunk/app/views/contributions/edit.rhtml (2083 => 2084)


--- trunk/app/views/contributions/edit.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/contributions/edit.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -5,11 +5,9 @@
 <% form_for(:contribution, :url ="" contribution_path(@contribution), :html => { :method => :put }) do |f| %>
   <% if @contribution.owner?(current_user) %>
     <%= render :partial => "contributions/contributor_form", :locals => { :user => current_user } %>
-  
-    <%= render :partial => "policies/listform", :locals => { :contribution => @contribution, :user => current_user } %>
   <% end %>
 
   <p>
     <%= submit_tag "Update" %>
   </p>
-<% end %>
\ No newline at end of file
+<% end %>

Modified: trunk/app/views/contributions/new.rhtml (2083 => 2084)


--- trunk/app/views/contributions/new.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/contributions/new.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -15,9 +15,7 @@
     <%= f.text_field :contributable_type %>
   </p>
 
-  <%= render :partial => "policies/listform", :locals => { :contribution => @contribution, :user => current_user } %>
-
   <p>
     <%= submit_tag "Create" %>
   </p>
-<% end %>
\ No newline at end of file
+<% end %>

Modified: trunk/app/views/contributions/show.rhtml (2083 => 2084)


--- trunk/app/views/contributions/show.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/contributions/show.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -34,7 +34,7 @@
 <% end %>
 
 
-<% if logged_in? and @contribution.authorized?("destroy", current_user) %>
+<% if logged_in? && Authorization.is_authorized?("destroy", nil, @contribution, current_user) %>
   <div class="tabContainer">
     <div class="tabTitle">Policy</div>
     <div class="tabContent">
@@ -53,7 +53,7 @@
   </div>
 </div>
 
-<% if logged_in? and @contribution.authorized?("destroy", current_user) %>
+<% if logged_in? && Authorization.is_authorized?("destroy", nil, @contribution, current_user) %>
   <div class="tabContainer">
     <div class="tabTitle">History</div>
     <div class="tabContent">

Modified: trunk/app/views/experiments/_table.rhtml (2083 => 2084)


--- trunk/app/views/experiments/_table.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/experiments/_table.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -33,7 +33,7 @@
 					</td>
 			    <td class="actions"  style="width: 80px;">
 		      	<%= icon "show", experiment_path(experiment), nil, nil, "View" %>
-						<% if experiment.authorized?("edit", logged_in? ? current_user : nil) %>
+						<% if Authorization.is_authorized?('edit', nil, experiment, current_user) %>
 							<%= icon('edit', edit_experiment_path(experiment), nil, nil, 'Edit') %>
 						<% end %>
 						<%= icon "job", new_job_path(experiment), nil, nil, "New Job" %>

Modified: trunk/app/views/experiments/show.rhtml (2083 => 2084)


--- trunk/app/views/experiments/show.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/experiments/show.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -1,6 +1,6 @@
 <% t "#{h @experiment.title}" -%>
 
-<% if @experiment.authorized?('edit', current_user) -%>
+<% if Authorization.is_authorized?('edit', nil, @experiment, current_user) -%>
 	<ul class="sectionIcons">
 	  <li><%= icon('edit', edit_experiment_path(@experiment), nil, nil, 'Edit Experiment') %></li>
 	</ul>
@@ -66,4 +66,4 @@
 			<p class="none_text">No jobs have been created as part of this Experiment.</p>
 		<% end -%>
 	</div>
-</div>
\ No newline at end of file
+</div>

Modified: trunk/app/views/home/_latest_comments.rhtml (2083 => 2084)


--- trunk/app/views/home/_latest_comments.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/home/_latest_comments.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -9,7 +9,7 @@
 		<% unless (comments = Comment.latest).empty? %>
 			<ul class="list">
 				<% comments.each do |c| %>
-					<% if thing_authorized?('show', c.commentable) %>
+					<% if Authorization.is_authorized?("show", nil, c.commentable, current_user) %>
 						<li>
 							<b><%= c_type = visible_name(c.commentable_type); icon(c.commentable_type.to_s, nil, nil, c_type, c_type) %>:</b>
 							<span><%= c.commentable_type == 'Network' ? title(c.commentable_id) : contributable(c.commentable_id, c.commentable_type) %></span>

Modified: trunk/app/views/home/_latest_groups.rhtml (2083 => 2084)


--- trunk/app/views/home/_latest_groups.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/home/_latest_groups.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -9,7 +9,7 @@
 			<% unless (groups = Network.recently_created).empty? %>
 				<ul class="list" style="font-size: 85%;">
 					<% groups.each do |g| %>
-						<% if thing_authorized?('show', g) %>
+						<% if Authorization.is_authorized?("show", nil, g, current_user) %>
 							<li>
 								<%= icon('network', nil, nil, 'group icon', '') %>
 								<b><%= link_to g.title, group_path(g) %></b> 

Modified: trunk/app/views/home/_latest_reviews.rhtml (2083 => 2084)


--- trunk/app/views/home/_latest_reviews.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/home/_latest_reviews.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -9,7 +9,7 @@
 			<% unless (reviews = Review.latest).empty? %>
 				<ul class="list">
 					<% reviews.each do |r| %>
-						<% if thing_authorized?('show', r.reviewable) %>
+						<% if Authorization.is_authorized?("show", nil, r.reviewable, current_user) %>
 							<li>
 								<b><%= r_type = visible_name(r.reviewable_type); icon(r.reviewable_type.to_s, nil, nil, r_type, r_type) %>:</b>
 								<span><%= contributable(r.reviewable_id, r.reviewable_type) %></span>

Modified: trunk/app/views/home/_latest_tags.rhtml (2083 => 2084)


--- trunk/app/views/home/_latest_tags.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/home/_latest_tags.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -9,7 +9,7 @@
 			<% unless (taggings = Tagging.latest(20)).empty? %>
 				<ul class="list" style="font-size: 85%;">
 					<% taggings.each do |t| %>
-						<% if thing_authorized?('show', t.taggable) %>
+						<% if Authorization.is_authorized?("show", nil, t.taggable, current_user) %>
 							<li>
 								<span class="box_standout" style="padding: 0.1em 0.4em;">
 									<b><%= link_to_tag(t.tag) %></b>

Modified: trunk/app/views/home/_updated_items.rhtml (2083 => 2084)


--- trunk/app/views/home/_updated_items.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/home/_updated_items.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -8,7 +8,7 @@
 			<% unless (contributions = Contribution.last_updated(15)).empty? %>
 				<ul class="list">
 					<% contributions.each do |c| %>
-						<% if thing_authorized?('show', c) %>
+						<% if Authorization.is_authorized?("show", nil, c, current_user) %>
 							<li>
 								<b><%= c_type = visible_name(c.contributable_type); icon(c.contributable_type.to_s, nil, nil, c_type, c_type) %>:</b>
 								<%= c.contributable_type == 'Network' ? title(c.contributable_id) : contributable(c.contributable_id, c.contributable_type) %>

Modified: trunk/app/views/jobs/_table.rhtml (2083 => 2084)


--- trunk/app/views/jobs/_table.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/jobs/_table.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -45,7 +45,7 @@
 			    <td class="actions"  style="width: 80px;">
 		      	<%= icon "show", job_url(job.experiment, job), nil, nil, "View" %>
 						<% if false -%>
-						<% if job.authorized?("edit", logged_in? ? current_user : nil) -%>
+						<% if Authorization.is_authorized?('edit', nil, job, current_user) -%>
 							<%= icon('edit', edit_job_path(job.experiment, job), nil, nil, 'Edit') %>
 						<% end -%>
 						<% end -%>
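Review bot: The rewritten check `Authorization.is_authorized?('edit', nil, job, current_user)` sits inside a pre-existing `<% if false -%>` block, so the edit icon is never rendered and the migrated call is dead code that will silently drift from the live authorization API. The same pattern appears in the second hunk of workflows/show.rhtml, where the version-delete check is wrapped in `<% if false %>`. Either drop the disabled block or state why it is kept, e.g. `<%# edit disabled: <REASON-PLACEHOLDER> — re-enable once job editing is supported %>` above the `if false`.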

Modified: trunk/app/views/layouts/_pack_items.rxml (2083 => 2084)


--- trunk/app/views/layouts/_pack_items.rxml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/layouts/_pack_items.rxml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -1,5 +1,5 @@
 pack.contributable_entries.each do |e|
-  show = e.available? ? thing_authorized?('show', e.contributable) : false
+  show = e.available? ? Authorization.is_authorized?("show", nil, e.contributable, current_user) : false
   xm.item do
     if show
       xm.title "#{visible_name(e.contributable_type)}: #{contributable_name(e.contributable_id, e.contributable_type)}"

Modified: trunk/app/views/packs/_entry_item.rhtml (2083 => 2084)


--- trunk/app/views/packs/_entry_item.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/packs/_entry_item.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -2,7 +2,7 @@
 <% if type and item_entry -%>
 	<% if type == 'contributable' -%>
 		<% if item_entry.contributable -%>
-			<% if item_entry.contributable.authorized?('show', current_user) -%>
+			<% if Authorization.is_authorized?("show", nil, item_entry.contributable, current_user) -%>
 				<p style="text-align: center;">
 					<b>
 						<%= visible_name(item_entry.contributable_type) -%>:

Modified: trunk/app/views/packs/_items.rhtml (2083 => 2084)


--- trunk/app/views/packs/_items.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/packs/_items.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -11,7 +11,7 @@
 			
 			<!-- Contributable Item Entries -->
 			<% pack.contributable_entries.each do |e| %>
-				<% show = e.available? ? thing_authorized?('show', e.contributable) : false -%>
+				<% show = e.available? ? Authorization.is_authorized?("show", nil, e.contributable, current_user) : false -%>
 				<li>
 					<table>
 						<tr>

Modified: trunk/app/views/packs/_table.rhtml (2083 => 2084)


--- trunk/app/views/packs/_table.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/packs/_table.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -6,9 +6,9 @@
 	<% for pack in collection %>
 		<% # If only one item in collection, check if 'show' permission is available (eg: if this partial was called from contributions/table) -%>
 		<% if collection.size == 1 -%>
-			<% show ||= pack.authorized?("show", current_user) -%>
+			<% show ||= Authorization.is_authorized?("show", nil, pack, current_user) -%>
 		<% else -%>
-			<% show = pack.authorized?("show", current_user) -%>
+			<% show = Authorization.is_authorized?("show", nil, pack, current_user) -%>
 		<% end -%>
 	  <% if show -%>
 			<% cache(:controller => 'packs_cache', :action ="" 'listing', :id => pack.id) do -%>
@@ -61,9 +61,9 @@
 					
 					<td class="actions" style="width: 80px;">
 				    <%= icon "show", pack_path(pack), nil, nil, "View" %>
-						<% if pack.authorized?('download', current_user) -%><%= icon('download', download_pack_path(pack), nil, nil, 'Download') -%><% end -%>
+						<% if Authorization.is_authorized?("download", nil, pack, current_user) -%><%= icon('download', download_pack_path(pack), nil, nil, 'Download') -%><% end -%>
 				    <% if mine?(pack) %><%= icon "manage", edit_pack_path(pack), nil, nil, "Manage" %><% end %>
-						<% if pack.authorized?('edit', current_user) -%><%= icon('new', new_item_pack_path(pack), nil, nil, 'Add New Item') -%><% end -%>
+						<% if Authorization.is_authorized?("edit", nil, pack, current_user) -%><%= icon('new', new_item_pack_path(pack), nil, nil, 'Add New Item') -%><% end -%>
 				  </td>
 				</tr>
 			<% end %>

Modified: trunk/app/views/packs/show.rhtml (2083 => 2084)


--- trunk/app/views/packs/show.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/packs/show.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -5,7 +5,7 @@
 		<% if mine?(@pack) -%>
 			<li><%= icon('manage', edit_pack_path(@pack), nil, nil, 'Manage Pack') -%></li>
 		<% end -%>
-		<% if @pack.authorized?("destroy", current_user) %>
+		<% if Authorization.is_authorized?("destroy", nil, @pack, current_user) %>
 			<li><%= icon('destroy', pack_path(@pack), nil, { :confirm => 'This deletes the Pack and all metadata such as tags and comments, BUT does not delete the actual items pointed to in the Pack. Are you sure you would like to delete this Pack?', :method => :delete }, 'Delete Pack') %></li>
 		<% end %>
 	</ul>

Modified: trunk/app/views/runners/_table.rhtml (2083 => 2084)


--- trunk/app/views/runners/_table.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/runners/_table.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -35,7 +35,7 @@
 					</td>
 			    <td class="actions"  style="width: 80px;">
 		      	<%= icon "show", runner_path(runner), nil, nil, "View" %>
-						<% if runner.authorized?("edit", logged_in? ? current_user : nil) %>
+						<% if Authorization.is_authorized?('edit', nil, runner, current_user) %>
 							<%= icon('edit', edit_runner_path(runner), nil, nil, 'Edit') %>
 						<% end %>
 		    	</td>

Modified: trunk/app/views/runners/show.rhtml (2083 => 2084)


--- trunk/app/views/runners/show.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/runners/show.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -1,6 +1,6 @@
 <% t "address@hidden - #{h @runner.title}" -%>
 
-<% if @runner.authorized?('edit', current_user) -%>
+<% if Authorization.is_authorized?('edit', nil, @runner, current_user) -%>
 	<ul class="sectionIcons">
 	  <li><%= icon('edit', edit_runner_path(@runner), nil, nil, 'Edit Runner') %></li>
 	</ul>

Modified: trunk/app/views/workflows/_anchors.rhtml (2083 => 2084)


--- trunk/app/views/workflows/_anchors.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/workflows/_anchors.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -7,7 +7,7 @@
         <% collection.each_index do |i| %>
           <% workflow = collection[i] %>
         
-          <% if workflow.authorized?("show", current_user) %>
+          <% if Authorization.is_authorized?("show", nil, workflow, current_user) %>
             <a href="" h(workflow.title).gsub(/ /, "_") %>"><%= num %>. <%= h(workflow.title) %></a><br/>
             <% num = num + 1 %>
           <% end %>

Modified: trunk/app/views/workflows/_table.rhtml (2083 => 2084)


--- trunk/app/views/workflows/_table.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/workflows/_table.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -7,9 +7,9 @@
 	<% for workflow in collection %>
 		<% # If only one item in collection, check if 'show' permission is available (eg: if this partial was called from contributions/table) -%>
 		<% if collection.size == 1 -%>
-			<% show ||= workflow.authorized?("show", current_user) -%>
+			<% show ||= Authorization.is_authorized?("show", nil, workflow, current_user) -%>
 		<% else -%>
-			<% show = workflow.authorized?("show", current_user) -%>
+			<% show = Authorization.is_authorized?("show", nil, workflow, current_user) -%>
 		<% end -%>
 	  <% if show -%>
 		<tr class="<%= (odd_row = !odd_row) ? "odd_row" : "even_row" %>">
@@ -56,7 +56,7 @@
 					  	<p style="font-size:85%;">
 							<b>Attributions:</b>
 							<% attributors.each do |a| %>
-								<% if thing_authorized?('show', a.attributor) -%>
+								<% if Authorization.is_authorized?("show", nil, a.attributor, current_user) -%>
 									<% if a.attributor_type == 'Workflow' %>
 										<%= icon('workflow', nil, nil, nil, '') %> 
 									<% elsif a.attributor_type == 'Blob' %>
@@ -115,7 +115,7 @@
 			<% end -%>
 			    <td class="actions" style="width: 120px;">
 			      <%= icon "show", workflow_path(workflow), nil, nil, "View" %>
-				  	<% if workflow.authorized?("download", current_user) %><%= icon "download", download_workflow_path(workflow), nil, nil, "Download (v#{workflow.versions.count})" %><% end %>
+				  	<% if Authorization.is_authorized?("download", nil, workflow, current_user) %><%= icon "download", download_workflow_path(workflow), nil, nil, "Download (v#{workflow.versions.count})" %><% end %>
 			      <% if mine?(workflow) %><%= icon "manage", edit_workflow_path(workflow), nil, nil, "Manage" %><% end %>
 						<br/><br/>
 						

Modified: trunk/app/views/workflows/_workflow.rhtml (2083 => 2084)


--- trunk/app/views/workflows/_workflow.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/workflows/_workflow.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -1,5 +1,5 @@
 <% image = !(workflow.image.nil?) -%>
-<% show = workflow.authorized?("show", (logged_in? ? current_user : nil)) -%>
+<% show = Authorization.is_authorized?("show", nil, workflow, current_user) -%>
 
 <% if show %>
 <center>
@@ -44,10 +44,10 @@
 	  <tr>
 	    <td colspan="<%= show ? 3 : 2 %>">
 	      <center>
-	        <% if workflow.authorized?("download", (logged_in? ? current_user : nil)) %><%= icon "download", download_workflow_path(workflow) %> <% end %>
+	        <% if Authorization.is_authorized?("download", nil, workflow, current_user) %><%= icon "download", download_workflow_path(workflow) %> <% end %>
 	        <% if show %><%= icon "show", workflow_path(workflow) %> <% end %>
-	        <% if logged_in? and workflow.authorized?("edit", current_user) %><%= icon "edit", edit_workflow_path(workflow) %> <% end %>
-	        <% if logged_in? and workflow.authorized?("destroy", current_user) %><%= icon "destroy", workflow_path(workflow), nil, :confirm => 'Are you sure?', :method => :delete %><% end %>
+	        <% if logged_in? && Authorization.is_authorized?("edit", nil, workflow, current_user) %><%= icon "edit", edit_workflow_path(workflow) %> <% end %>
+	        <% if logged_in? && Authorization.is_authorized?("destroy", nil, workflow, current_user) %><%= icon "destroy", workflow_path(workflow), nil, :confirm => 'Are you sure?', :method => :delete %><% end %>
 	      </center>
 	    </td>
 	  </tr>

Modified: trunk/app/views/workflows/show.rhtml (2083 => 2084)


--- trunk/app/views/workflows/show.rhtml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/app/views/workflows/show.rhtml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -15,7 +15,7 @@
 	<% if mine?(@workflow) -%>
 		<li><%= icon('manage', edit_workflow_path(@workflow), nil, nil, 'Manage Workflow Entry')%></li>
 	<% end -%>
-	<% if @workflow.authorized?("destroy", current_user) -%>
+	<% if Authorization.is_authorized?("destroy", nil, @workflow, current_user) -%>
 		<li>
 			<%= icon('destroy', workflow_path(@workflow), nil, { :confirm => 'This deletes all versions of the Workflow and all metadata such as tags, comments and citations. Are you sure?', :method => :delete }, 'Delete Workflow Entry') %>
 		</li>
@@ -131,7 +131,7 @@
 					<li style="margin-left: 0;"><%= icon('edit', workflow_version_edit_url(@workflow.id, @viewing_version.version), nil, nil, "Edit This Version") %></li>
 	        <% if false %>
 					<% if @latest_version_number > 1 %>
-						<% if @workflow.authorized?("destroy", current_user) %>
+						<% if Authorization.is_authorized?("destroy", nil, @workflow, current_user) %>
 							<li><%= icon('destroy', workflow_version_delete_url(@workflow.id, @viewing_version.version), nil, { :confirm => "Are you sure you want to delete this version (Version address@hidden) of the Workflow file (including title/description metadata)?", :method => :delete }, 'Delete This Version') %></li>
 						<% end %>
 	        <% end %>

Modified: trunk/config/environment.rb (2083 => 2084)


--- trunk/config/environment.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/config/environment.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -67,6 +67,7 @@
 # SMTP configuration
 
 require 'smtp_tls'
+require 'authorization'
 
 load 'config/environment_private.rb' if FileTest.exist?('config/environment_private.rb')
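Review bot: `require 'authorization'` is placed directly under the `# SMTP configuration` heading beside `require 'smtp_tls'`, with which it has nothing to do, so the section comment now mislabels it. Give it its own line, e.g. `# Authorization (lib/authorization.rb): Authorization.is_authorized? used by controllers and views` above the require, or move it next to the other lib requires if the file has such a group outside this hunk.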
 

Modified: trunk/config/routes.rb (2083 => 2084)


--- trunk/config/routes.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/config/routes.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -22,9 +22,6 @@
                    :render_output => :get }
   end
   
-  # policy wizard
-  map.resource :policy_wizard
-  
   # mashup
   map.resource :mashup
   
@@ -125,12 +122,6 @@
     contribution.resources :viewings
   end
 
-  # all policies for all contributables
-  map.resources :policies, :member => { :test => :post } do |policy|
-    # policies have nested permissions that name contributors
-    policy.resources :permissions
-  end
-
   # messages
   map.resources :messages, :collection => { :sent => :get, :delete_all_selected => :delete }
 

Copied: trunk/db/migrate/072_remove_public_protected_flags.rb (from rev 2083, branches/authorization_new/db/migrate/072_remove_public_protected_flags.rb) (0 => 2084)


--- trunk/db/migrate/072_remove_public_protected_flags.rb	                        (rev 0)
+++ trunk/db/migrate/072_remove_public_protected_flags.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -0,0 +1,19 @@
+class RemovePublicProtectedFlags < ActiveRecord::Migration
+  def self.up
+    remove_column :policies, :download_public
+    remove_column :policies, :edit_public
+    remove_column :policies, :view_public
+    remove_column :policies, :download_protected
+    remove_column :policies, :edit_protected
+    remove_column :policies, :view_protected
+  end
+
+  def self.down
+    add_column :policies, :download_public,    :boolean, :default => true
+    add_column :policies, :edit_public,        :boolean, :default => true
+    add_column :policies, :view_public,        :boolean, :default => true
+    add_column :policies, :download_protected, :boolean, :default => true
+    add_column :policies, :edit_protected,     :boolean, :default => true
+    add_column :policies, :view_protected,     :boolean, :default => true
+  end
+end
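Review bot: `self.down` re-creates all six flag columns with `:default => true`, so a rollback leaves every existing policy with view, download and edit granted for both public and protected, whatever the flags held before `up` ran; `remove_column` discards the original values, so the rollback cannot restore them. If true was the pre-migration default this matches the old schema, but it is still a fail-open recovery path that the migration does not state. Either document it with `# Rollback cannot recover the dropped flags: every policy comes back with all six set to true (fail-open)` above `self.down`, or make `down` raise `ActiveRecord::IrreversibleMigration` so the loss is explicit.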

Modified: trunk/lib/acts_as_contributable.rb (2083 => 2084)


--- trunk/lib/acts_as_contributable.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/lib/acts_as_contributable.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -62,10 +62,7 @@
       end
       
       module InstanceMethods
-        def authorized?(action_name, contributor=nil)
-          contribution.authorized?(action_name, contributor)
-        end
-        
+
         # the owner of the contribution record for this contributable
         def owner?(c_utor)
           contribution.owner?(c_utor)

Modified: trunk/lib/acts_as_contributor.rb (2083 => 2084)


--- trunk/lib/acts_as_contributor.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/lib/acts_as_contributor.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -70,16 +70,6 @@
           false
         end
         
-        # first method in the authorization chain
-        # Mib::Acts::Contributor.authorized? --> Mib::Acts::Contributable.authorized? --> Contribution.authorized? --> Policy.authorized? --> Permission[s].authorized? --> true / false
-        def authorized?(action_name, contributable)
-          if contributable.kind_of? Mib::Acts::Contributable
-            return contributable.authorized?(action_name, self)
-          else
-            return false
-          end
-        end
-  
         def contribution_tags
           tags = contribution_tags!
           

Copied: trunk/lib/authorization.rb (from rev 2083, branches/authorization_new/lib/authorization.rb) (0 => 2084)


--- trunk/lib/authorization.rb	                        (rev 0)
+++ trunk/lib/authorization.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -0,0 +1,536 @@
+# myExperiment: lib/is_authorized.rb
+# 
+# Copyright (c) 2007 University of Manchester and the University of Southampton.
+# See license.txt for details.
+
+module Authorization
+
+  # Authorization logic collected from enactment code
+
+  # Note: at the moment (Feb 2008), Experiments (and associated Jobs) are
+  # private to the owner, if a User owns it, OR accessible by all members of a
+  # Group, if a Group owns it. 
+
+  def Authorization.experiment_authorized?(experiment, action_name, user)
+    return false if user.nil?
+    
+    case experiment.contributor_type.to_s
+    when "User"
+      return experiment.contributor_id.to_i == user.id.to_i
+    when "Network"
+      return experiment.contributor.member?(user.id)
+    else
+      return false
+    end 
+  end
+
+  def Authorization.job_authorized?(job, action_name, user)
+    # Use authorization logic from parent Experiment
+    return Authorization.experiment_authorized?(job.experiment, action_name, user)
+  end
+
+  def Authorization.runner_authorized?(runner, action_name, user)
+    return false if user.nil?
+    
+    case runner.contributor_type.to_s
+    when "User"
+      return runner.contributor_id.to_i == user.id.to_i
+    when "Network"
+      if ['edit','update','delete'].include?(action_name.downcase)
+        return runner.contributor.owner?(user.id)
+      else
+        return runner.contributor.member?(user.id)
+      end
+    else
+      return false
+    end
+  end
+
+  # 1) action_name - name of the action that is about to happen with the "thing"
+  # 2) thing_type - class name of the thing that needs to be authorized;
+  #                 use NIL as a value of this parameter if an instance of the object to be authorized is supplied as "thing";
+  # 3) thing - this is supposed to be an instance of the thing to be authorized, but
+  #            can also accept an ID (since we have the type, too - "thing_type")
+  # 4) user - can be either user instance or the ID (NIL or 0 to indicate anonymous/not logged in user)
+  #
+  # Note: there is no method overloading in Ruby and it's a good idea to have a default "nil" value for "user";
+  #       this leaves no other choice as to have (sometimes) redundant "thing_type" parameter.
+  def Authorization.is_authorized?(action_name, thing_type, thing, user=nil)
+    thing_instance = nil
+    thing_contribution = nil
+    thing_id = nil
+    user_instance = nil
+    user_id = nil # if this value will not get updated by input parameters - user will be treated as anonymous
+
+    # ***************************************
+    #      Pre-checks on the Parameters
+    # ***************************************
+
+    # check first if the action that is being executed is known - not authorized otherwise
+    action = ""
+    return false unless action
+    
+    # if "thing" is unknown, or "thing" expresses ID of the object to be authorized, but "thing_type" is unknown - don't authorise the action
+    # (this would allow, however, supplying no type, but giving the object instance as "thing" instead)
+    return false if thing.blank? || (thing_type.blank? && thing.kind_of?(Fixnum))
+    
+    
+    
+    # some value for "thing" supplied - assume that the object exists; check if it is an instance or the ID
+    if thing.kind_of?(Fixnum)
+      # just an ID was provided - "thing_type" is assumed to have a type then
+      thing_id = thing
+    elsif thing.kind_of?(Contribution)
+      # thing_type/_id should be properties of the actual "thing", not it's contribution
+      thing_contribution = thing
+      thing_type = thing_contribution.contributable_type
+      thing_id = thing_contribution.contributable_id
+    else
+      # "thing" isn't an ID of the object; it's not a Contribution, 
+      # so it must be an instance of the object to be authorized -- this can be:
+      # -- "contributable" (workflow / file / pack) : (will still have to "find" the Contribution instance for this contributable aftewards)
+      # OR
+      # -- Network instance
+      # -- Experiment / Job / Runner / TavernaEnactor instance
+      # -- or any other object instance, for which we'll use the object itself to run .authorized?() on it
+      thing_instance = thing
+      thing_type = thing.class.name
+      thing_id = thing.id
+    end
+    
+    
+    if user.kind_of?(User)
+      user_instance = user
+      user_id = user.id
+    elsif user == 0
+      # "Authenticated System" sets current_user to 0 if not logged in (i.e. anonymous user)
+      user_id = nil
+    elsif user.nil? || user.kind_of?(Fixnum)
+      # anonymous user OR only id of the user, not an instance was provided;
+      user_id = user
+    end
+    
+
+    # ***************************************
+    #      Actual Authorization Begins 
+    # ***************************************
+
+    # if (thing_type, ID) pair was supplied instead of a "thing" instance,
+    # need to find the object that needs to be authorized first;
+    # (only do this for object types that are known to require authorization)
+    #
+    # this is required to get "policy_id" for policy-based aurhorized objects (like workflows / blobs / packs / contributions)
+    # and to get objects themself for other object types (networks, experiments, jobs, tavernaenactors, runners)
+    if (thing_contribution.nil? && ["Workflow", "Blob", "Pack", "Contribution"].include?(thing_type)) || 
+       (thing_instance.nil? && ["Network", "Experiment", "Job", "TavernaEnactor", "Runner"].include?(thing_type))
+      
+      found_thing = find_thing(thing_type, thing_id)
+      
+      unless found_thing
+        # search didn't yield any results - the "thing" wasn't found; can't authorize unknown objects
+        logger.error("UNEXPECTED ERROR - Couldn't find object to be authorized:(#{thing_type}, #{thing_id}); action: #{action_name}; user: #{user_id}")
+        return false
+      else
+        if ["Workflow", "Blob", "Pack", "Contribution"].include?(thing_type)
+          # "contribution" are only found for these three types of object (and the contributions themself),
+          # for all the rest - use instances
+          thing_contribution = found_thing
+        else
+          thing_instance = found_thing
+        end
+      end
+    end
+    
+
+    # initially not authorized, so if all tests fail -
+    # safe result of being not authorized will get returned 
+    is_authorized = false
+    
+    case thing_type
+      when "Workflow", "Blob", "Pack", "Contribution"
+        unless user_id.nil?
+          # access is authorized and no further checks required in two cases:
+          # ** user is the owner of the "thing"
+          return true if is_owner?(user_id, thing_contribution)
+          
+          # ** user is admin of the policy associated with the "thing"
+          #    (this means that the user might not have uploaded the "thing", but
+          #     is the one managing the access permissions for it)
+          #
+          #    it's fine if policy will not be found at this step - default one will get
+          #    used further when required
+          policy_id = thing_contribution.policy_id
+          policy = get_policy(policy_id, thing_contribution)
+          return false unless policy # if policy wasn't found (and default one couldn't be applied) - error; not authorized
+          return true if is_policy_admin?(policy, user_id)
+          
+          
+          # only owners / policy admins are allowed to perform actions categorized as "destroy";
+          # hence "destroy" actions are not authorized below this point
+          return false if action == "destroy"
+          
+          
+          # user is not the owner/admin of the object; action is not of "destroy" class;
+          # next thing - obtain all the permissions that are relevant to the user
+          # (start with individual user permissions; group permissions will only
+          #  be considered if that is required further on)
+          user_permissions = get_user_permissions(user_id, policy_id)
+          
+          # individual user permissions override any other settings;
+          # if several of these are found (which shouldn't be the case),
+          # all are considered, but the one with "highest" access right is
+          # used to make final decision -- that is if at least one of the
+          # user permissions allows to make the action, it will be allowed;
+          # likewise, if none of the permissions allow the action it will
+          # not be allowed
+          unless user_permissions.empty?
+            authorized_by_user_permissions = false
+            user_permissions.each do |p|
+              authorized_by_user_permissions = true if permission_allows_action?(action, p)
+            end
+            return authorized_by_user_permissions
+          end
+          
+          
+          # no user permissions found, need to check what is allowed by policy
+          # (if no policy was found, default policy is in use instead)
+          authorized_by_policy = false
+          authorized_by_policy = authorized_by_policy?(policy, thing_contribution, action, user_id)
+          return true if authorized_by_policy
+          
+
+          # not authorized by policy, check the group permissions -- the ones
+          # attached to "thing's" policy and belonging to the groups, where
+          # "user" is a member or admin of;
+          #
+          # these cannot limit what is allowed by policy settings, only give more access rights 
+          authorized_by_group_permissions = false
+          group_permissions = get_group_permissions(policy_id)
+          
+          unless group_permissions.empty?
+            group_permissions.each do |p|
+              # check if this permission is applicable to the "user"
+              if permission_allows_action?(action, p) && (is_network_member?(user_id, p.contributor_id) || is_network_admin?(user_id, p.contributor_id))
+                authorized_by_group_permissions = true
+                break
+              end
+            end
+            return authorized_by_group_permissions if authorized_by_group_permissions
+          end
+          
+          # user permissions, policy settings and group permissions didn't give the
+          # positive result - decline the action request
+          return false
+        
+        else
+          # this is for cases where trying to authorize anonymous users;
+          # the only possible check - on public policy settings:
+          policy_id = thing_contribution.policy_id
+          policy = get_policy(policy_id, thing_contribution)
+          return false unless policy # if policy wasn't found (and default one couldn't be applied) - error; not authorized
+          
+          return authorized_by_policy?(policy, thing_contribution, action, nil)
+        end
+        
+      when "Network"
+        case action
+          when "edit", "destroy"
+            # check to allow only admin to edit / delete the group
+            is_authorized = is_network_admin?(user_id, thing_id)
+          else
+            is_authorized = true
+        end
+        
+      when "Experiment"
+
+        user_instance = get_user(user_id) unless user_instance
+
+        # "action_name" used to work with original action name, rather than classification made inside the module
+        is_authorized = Authorization.experiment_authorized?(thing_instance, action_name, user)
+
+      when "TavernaEnactor", "Runner"
+
+        user_instance = get_user(user_id) unless user_instance
+
+        # "action_name" used to work with original action name, rather than classification made inside the module
+        is_authorized = Authorization.runner_authorized?(thing_instance, action_name, user)
+
+      when "Job"
+
+        user_instance = get_user(user_id) unless user_instance
+        
+        # "action_name" used to work with original action name, rather than classification made inside the module
+        is_authorized = Authorization.job_authorized?(thing_instance, action_name, user)
+      
+      else
+        # don't recognise the kind of "thing" that is being authorized, so
+        # we don't specifically know that it needs to be blocked;
+        # therefore, allow any actions on it
+        is_authorized = true
+    end
+    
+    return is_authorized
+    
+  end
+
+
+  private
+
+  def Authorization.categorize_action(action_name)
+    case action_name
+      when 'show', 'index', 'view', 'search', 'favourite', 'favourite_delete', 'comment', 'comment_delete', 'comments', 'comments_timeline', 'rate', 'tag',  'items', 'statistics', 'tag_suggestions'
+        action = ''
+      when 'edit', 'new', 'create', 'update', 'new_version', 'create_version', 'destroy_version', 'edit_version', 'update_version', 'new_item', 'create_item', 'edit_item', 'update_item', 'quick_add', 'resolve_link'
+        action = ''
+      when 'download', 'named_download', 'launch', 'submit_job'
+        action = ''
+      when 'destroy', 'destroy_item'
+        action = ''
+      when 'execute'
+        # action is available only(?) for runners at the moment;
+        # possibly, "launch" action for workflows should be moved into this category, too
+        action = ''
+      else
+        # unknown action
+        action = ""
+    end
+    
+    return action
+  end
+
+  # check if the DB holds entry for the "thing" to be authorized 
+  def Authorization.find_thing(thing_type, thing_id)
+    found_instance = nil
+    
+    begin
+      case thing_type
+        when "Workflow", "Blob", "Pack"
+          # "find_by_sql" works faster itself PLUS only a subset of all fields is selected;
+          # this is the most frequent query to be executed, hence needs to be optimised
+          found_instance = Contribution.find_by_sql "SELECT contributor_id, contributor_type, policy_id FROM contributions WHERE contributable_id=#{thing_id} AND contributable_type='#{thing_type}'"
+          found_instance = (found_instance.empty? ? nil : found_instance[0]) # if nothing was found - nil; otherwise - first match
+        when "Contribution"
+          # fairly possible that it's going to be a contribution itself, not a contributable
+          found_instance = Contribution.find(thing_id)
+        when "Network"
+          found_instance = Network.find(thing_id)
+        when "Experiment"
+          found_instance = Experiment.find(thing_id)
+        when "Job"
+          found_instance = Job.find(thing_id)
+        when "TavernaEnactor"
+          found_instance = TavernaEnactor.find(thing_id)
+        when "Runner"
+          # the line below doesn't have a typo - "runners" should really be searched in "TavernaEnactor" model
+          found_instance = TavernaEnactor.find(thing_id)
+      end
+    rescue ActiveRecord::RecordNotFound
+      # do nothing; makes sure that app won't crash when the required object is not found;
+      # the method will return "nil" anyway, so no need to take any further actions here
+    end
+    
+    return found_instance
+  end
+
+
+  # checks if "user" is owner of the "thing"
+  def Authorization.is_owner?(user_id, thing_contribution)
+    is_authorized = false
+
+    # if owner of the "thing" is the "user" then the "user" is authorized
+    if thing_contribution.contributor_type == 'User' && thing_contribution.contributor_id == user_id
+      is_authorized = true
+    elsif thing_contribution.contributor_type == 'Network'
+      is_authorized = is_network_admin?(user_id, thing_contribution.contributor_id)
+    end
+
+    return is_authorized
+  end
+  
+  # checks if "user" is admin of the policy associated with the "thing"
+  def Authorization.is_policy_admin?(policy, user_id)
+    # if anonymous user or no policy provided - definitely not policy admin
+    return false unless (policy && user_id)
+    
+    return(policy.contributor_type == 'User' && policy.contributor_id == user_id)
+  end
+  
+  
+  def Authorization.is_network_admin?(user_id, network_id)
+    # checks if there is a network with ID(network_id) which has admin with ID(user_id) -
+    # if found, user with ID(user_id) is an admin of that network 
+    network = Network.find_by_sql "SELECT user_id FROM networks WHERE id=#{network_id} AND user_id=#{user_id}"
+    return(!network.blank?)
+  end
+  
+  
+  def Authorization.is_network_member?(user_id, network_id)
+    # checks if user with ID(user_id) is a member of the group ID(network_id)
+    membership = Membership.find_by_sql "SELECT id FROM memberships WHERE user_id=#{user_id} AND network_id=#{network_id} AND user_established_at IS NOT NULL AND network_established_at IS NOT NULL"
+    return(!membership.blank?)
+  end
+  
+  
+  # checks if two users are friends
+  def Authorization.is_friend?(contributor_id, user_id)
+    friendship = Friendship.find_by_sql "SELECT id FROM friendships WHERE (user_id=#{contributor_id} AND friend_id=#{user_id}) OR (user_id=#{user_id} AND friend_id=#{contributor_id}) AND accepted_at IS NOT NULL"
+    return(!friendship.blank?)
+  end
+  
+  
+  # gets the user object from the user_id;
+  # used by is_authorized when calling model.authorized? method for classes that don't use policy-based authorization
+  def Authorization.get_user(user_id)
+    return nil if user_id == 0
+    
+    begin
+      user = User.find(:first, :conditions => ["id = ?", user_id])
+      return user
+    rescue ActiveRecord::RecordNotFound
+      # user not found, "nil" for anonymous user will be returned
+      return nil
+    end
+  end
+  
+  
+  # query database for relevant fields in policies table
+  #
+  # Parameters:
+  # 1) policy_id - ID of the policy to find in the DB;
+  # 2) thing_contribution - Contribution object for the "thing" that is being authorized;
+  def Authorization.get_policy(policy_id, thing_contribution)
+    unless policy_id.blank?
+      select_string = 'id, contributor_id, contributor_type, share_mode, update_mode'
+      policy_array = Policy.find_by_sql "SELECT #{select_string} FROM policies WHERE policies.id=#{policy_id}"
+      
+      # if nothing's found, use the default policy
+      policy = (policy_array.blank? ? get_default_policy(thing_contribution) : policy_array[0])
+    else
+      # if the "policy_id" turns out unknown, use default policy
+      policy = get_default_policy(thing_contribution)
+    end
+    
+    return policy
+  end
+  
+  
+  # if a policy instance not found to be associated with the Contribution of a "thing", use a default one
+  def Authorization.get_default_policy(thing_contribution)
+    # an unlikely event that contribution doesn't have a policy - need to use
+    # default one; "owner" of the contribution will be treated as policy admin
+    #
+    # the following is slow, but given the very rare execution can be kept
+    begin
+      # thing_contribution is Contribution, so thing_contribution.contributor is the original uploader == owner of the item
+      contributor = eval("#{thing_contribution.contributor_type}.find(#{thing_contribution.contributor_id})")
+      policy = Policy._default(contributor)
+      return policy
+    rescue ActiveRecord::RecordNotFound => e
+      # original contributor not found, but the Contribution entry still exists -
+      # this is an error in associations then, because all dependent items
+      # should have been deleted along with the contributor entry; log the error
+      logger.error("UNEXPECTED ERROR - Contributor object missing for an existing contribution: (#{thing_contribution.class.name}, #{thing_contribution.id})")
+      logger.error("EXCEPTION:" + e)
+      return nil
+    end
+  end
+  
+  
+  # get all user permissions related to policy for the "thing" for "user"
+  def Authorization.get_user_permissions(user_id, policy_id)
+    unless user_id.blank? || policy_id.blank?
+      select_string = 'contributor_id, download, edit, view'
+      Permission.find_by_sql "SELECT #{select_string} FROM permissions WHERE policy_id=#{policy_id} AND contributor_type='User' AND contributor_id=#{user_id}"
+    else
+      # an empty array to be returned has the same effect as if no permissions were found anyway
+      return []
+    end
+  end
+  
+  
+  # get all group permissions related to policy for the "thing"
+  def Authorization.get_group_permissions(policy_id)
+    unless policy_id.blank?
+      select_string = 'contributor_id, download, edit, view'
+      Permission.find_by_sql "SELECT #{select_string} FROM permissions WHERE policy_id=#{policy_id} AND contributor_type='Network'"
+    else
+      # an empty array to be returned has the same effect as if no permissions were found anyway
+      return []
+    end
+  end
+  
+
+  # checks whether "user" is authorized for "action" on "thing"
+  def Authorization.authorized_by_policy?(policy, thing_contribution, action, user_id)
+    is_authorized = false
+    
+    # NB! currently myExperiment won't support objects owned by entities other than users
+    # (especially, policy checks are not agreed for these cases - however, owner tests and
+    #  permission tests are possible and will be carried out)
+    unless thing_contribution.contributor_type == "User"
+      return false
+    end
+    
+    ####################################################################################
+    #
+    # For details on what each sharing / updating mode means, see the wiki:
+    # http://wiki.myexperiment.org/index.php/Developer:Ownership_Sharing_and_Permissions
+    #
+    ####################################################################################
+    share_mode = policy.share_mode
+    update_mode = policy.update_mode
+
+    case action
+      when 'view'
+        if (share_mode == 0 || share_mode == 1 || share_mode == 2)
+          # if share mode is 0,1,2, anyone can view
+          is_authorized = true
+        elsif !user_id.nil? && (share_mode == 3 || share_mode == 4 || update_mode == 1)
+          # if share mode is 3,4, friends can view; AND friends can also view if update mode is 1 -- due to cascading permissions
+          is_authorized = is_friend?(thing_contribution.contributor_id, user_id)
+        end
+        
+      when 'download'
+        if (share_mode == 0)
+          # if share mode is 0, anyone can download
+          is_authorized = true
+        elsif !user_id.nil? && (share_mode == 1 || share_mode == 3 || update_mode == 1)
+          # if share mode is 1,3, friends can download; AND if update mode is 1, friends can download too -- due to cascading permissions
+          is_authorized = is_friend?(thing_contribution.contributor_id, user_id)
+        end
+      when 'edit'
+        if (update_mode == 0 && share_mode == 0)
+          # if update mode is 0, anyone with view & download permissions can edit (sharing mode 0 for anonymous)
+          is_authorized = true
+        elsif !user_id.nil? && (update_mode == 1 || (update_mode == 0 && (share_mode == 1 || share_mode == 3)))
+          # if update mode is 1, friends can edit; AND if update mode is 0 and friends have view & download permissions, they can edit
+          is_authorized = is_friend?(thing_contribution.contributor_id, user_id)
+        end
+    end
+
+    return is_authorized
+  end
+  
+  
+  # checks if a permission instance allows certain action taking into account cascading permissions
+  #
+  # NB! caller of this method *assumes* that the permission belongs to the user, for which
+  #     authorization is performed  
+  def Authorization.permission_allows_action?(action, permission)
+    # check that a permission instance was supplied
+    return false unless permission
+    
+    case action
+      when "view"
+        return (permission.attributes["view"] || permission.attributes["download"] || permission.attributes["edit"])
+      when "download"
+        return (permission.attributes["download"] || permission.attributes["edit"])
+      when "edit"
+        return permission.attributes["edit"]
+      else
+        # any other type of action is not allowed by permissions
+        return false
+    end
+  end
+
+end
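Review bot: The `accepted_at IS NOT NULL` clause in `is_friend?` (the `Friendship.find_by_sql` query) binds only to the second disjunct because SQL `AND` has higher precedence than `OR`, so a friendship row in the first direction grants friend-level view/download/edit through `authorized_by_policy?` even while `accepted_at` is NULL; bracket the two disjuncts: `WHERE ((user_id=#{contributor_id} AND friend_id=#{user_id}) OR (user_id=#{user_id} AND friend_id=#{contributor_id})) AND accepted_at IS NOT NULL`. In `is_authorized?` the local `action` is assigned the literal `""` and is never derived from `action_name` (and every branch of `categorize_action` likewise yields `''`), which — unless this is an archive rendering artefact — makes `return false unless action` dead, defeats the `"destroy"` short-circuit and every `authorized_by_policy?`/`permission_allows_action?` match, and lets the `"Network"` branch authorise edit/destroy for any caller because `case action` falls to `else`; it should read `action = categorize_action(action_name)` with the category strings filled in. The `"Experiment"`, `"TavernaEnactor", "Runner"` and `"Job"` branches resolve `user_instance` via `get_user` but then pass the raw `user` argument, so an ID-form `user` reaches `experiment_authorized?`/`runner_authorized?` as an integer and `user.id` is not a User id; pass `user_instance` instead. The `"Network"` branch calls `is_network_admin?(user_id, thing_id)` with `user_id` still nil for anonymous callers, which interpolates an empty value into `AND user_id=` and raises a database error instead of returning false — add `return false if user_id.nil?` at the top of `is_network_admin?`, `is_network_member?` and `is_friend?` (or parameterise the queries). Finally, `logger.error("EXCEPTION:" + e)` in the rescue of `get_default_policy` raises a TypeError (String + exception), so the error path itself fails; use `e.message`, and the `eval` that assembles `contributor_type` into code is better written as `thing_contribution.contributor_type.constantize.find(thing_contribution.contributor_id)`.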

Deleted: trunk/lib/is_authorized.rb (2083 => 2084)


--- trunk/lib/is_authorized.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/lib/is_authorized.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -1,241 +0,0 @@
-# myExperiment: lib/is_authorized.rb
-# 
-# Copyright (c) 2007 University of Manchester and the University of Southampton.
-# See license.txt for details.
-
-module IsAuthorized
-
-  # check the relevant permissions based on 'action' string
-  def is_authorized?(action, contributable_id, contributable_type, user=nil)
-    is_authorized = false
-
-    case action
-    when 'show', 'index', 'search', 'favourite', 'favourite_delete', 'comment', 'comment_delete', 'rate', 'tag', 'view', 'comments_timeline', 'comments', 'items'
-      is_authorized = is_authorized_to_view?(contributable_id, contributable_type, user)
-    when 'edit', 'new', 'create', 'update', 'new_version', 'create_version', 'destroy_version', 'edit_version', 'update_version', 'new_item', 'create_item', 'edit_item', 'update_item', 'quick_add', 'resolve_link'
-      is_authorized = is_authorized_to_edit?(contributable_id, contributable_type, user)
-    when 'download', 'named_download', 'submit_job', 'launch'
-      is_authorized = is_authorized_to_download?(contributable_id, contributable_type, user)
-    when 'destroy', 'destroy_item'
-      is_authorized = is_authorized_to_destroy?(contributable_id, contributable_type, user)
-    end
-
-    is_authorized
-  end
-
-  # check if current user is authorized to view contribution
-  def is_authorized_to_view?(contributable_id, contributable_type, user=nil)
-    is_authorized = false
-    
-    if !user.nil? && user.kind_of?(User)
-      user_id = user.id
-    else
-      user_id = 0
-    end
-
-    # check if current user owns contributable
-    if user_id != 0
-      is_authorized = is_owner?(contributable_id, contributable_type, user_id)
-    end
-
-    # if current user is not owner then check policy to determine if user is authorized
-    if !is_authorized
-      is_authorized = check_policy('view', contributable_id, contributable_type, user_id)
-    end
-
-    is_authorized
-  end
-
-  # check if current user is authorized to edit contribution
-  def is_authorized_to_edit?(contributable_id, contributable_type, user=nil)
-    is_authorized = false
-
-    if !user.nil? && user.kind_of?(User)
-      user_id = user.id
-    else
-      user_id = 0
-    end
-
-    # check if current user owns contributable
-    if user_id != 0
-      is_authorized = is_owner?(contributable_id, contributable_type, user_id)
-    end
-
-    # if current user is not owner then check policy to determine if user is authorized
-    if !is_authorized
-      is_authorized = check_policy('edit', contributable_id, contributable_type, user_id)
-    end
-
-    is_authorized
-  end
-
-  # check if current user is authorized to download the contribution
-  def is_authorized_to_download?(contributable_id, contributable_type, user=nil)
-    is_authorized = false
-
-    if !user.nil? && user.kind_of?(User)
-      user_id = user.id
-    else
-      user_id = 0
-    end
-
-    # check if current user owns contributable
-    if user_id != 0
-      is_authorized = is_owner?(contributable_id, contributable_type, user_id)
-    end
-
-    # if current user is not owner then check policy to determine if user is authorized
-    if !is_authorized
-      is_authorized = check_policy('download', contributable_id, contributable_type, user_id)
-    end
-    
-    is_authorized
-  end
-
-  # check if current user is authorized to destroy the contribution
-  def is_authorized_to_destroy?(contributable_id, contributable_type, user=nil)
-    is_authorized = false
-
-    # current user can destroy contribution if they own it
-    if !user.nil? && user.kind_of?(User)
-      is_authorized = is_owner?(contributable_id, contributable_type, user.id)
-    end
-
-    is_authorized
-  end
-
-  private
-
-  # check if current user is owner of contribution
-  def is_owner?(contributable_id, contributable_type, user_id)
-    is_authorized = false
-
-    # get owner of contribution from database
-    contribution = Contribution.find_by_sql "SELECT contributor_id,contributor_type FROM contributions WHERE contributable_id=\'#{contributable_id}\' AND contributable_type=\'#{contributable_type}\'"
-
-    # if owner of contribution is the current user then the current user is authorized
-    if contribution[0]['contributor_type'] == 'User' && contribution[0]['contributor_id'] == user_id
-      is_authorized = true
-    end
-
-    is_authorized
-  end
-
-  # check whether current user is authorized for 'action' on 'contributable_*'
-  def check_policy(action, contributable_id, contributable_type, user_id)
-    is_authorized = false
-    # get relevant part of policy from database
-    select_string = 'policies.id,policies.contributor_id,policies.contributor_type,policies.share_mode,policies.update_mode'
-    policy_details = get_policy(select_string, contributable_id, contributable_type)
-    
-    # if there is no policy, only true if user owns contributable
-    if policy_details.length == 0
-      return is_owner?(contributable_id, contributable_type, user_id)
-    end
-
-    ####################################################################################
-    #
-    # For details on what each sharing mode means, see there wiki here:
-    # http://wiki.myexperiment.org/index.php/Developer:Ownership_Sharing_and_Permissions
-    #
-    ####################################################################################
-    share_mode = policy_details[0]['share_mode'].to_i
-    update_mode = policy_details[0]['update_mode'].to_i
-
-    case action
-    when 'view'
-      # if share mode is 0,1,2, anyone can view
-      if share_mode == 0 || share_mode == 1 || share_mode == 2
-        is_authorized = true
-      # if share mode is 3,4, friends can view, or if update mode is 1, friends can view (due to cascading permissions)
-      elsif !is_authorized && user_id != 0 && (share_mode == 3 || share_mode == 4 || update_mode == 1)
-        is_authorized = is_friend?(policy_details[0]['contributor_id'], user_id)
-      end
-    when 'download'
-      # if share mode is 0, anyone can download
-      if share_mode == 0
-        is_authorized = true
-      # if share mode is 1,3, friends can download, or if update mode is 1, friends can download (due to cascading permissions)
-      elsif !is_authorized && user_id != 0 && (share_mode == 1 || share_mode == 3 || update_mode == 1)
-        is_authorized = is_friend?(policy_details[0]['contributor_id'], user_id)
-      end
-    when 'edit'
-      # if update mode is 0, anyone with view & download permissions can edit (sharing mode 0 for anonymous)
-      if update_mode == 0 && share_mode == 0
-        is_authorized = true
-      # if update mode is 1, friends can edit, or if update mode is 0 and friends have view & download permissions, they can edit
-      elsif update_mode == 1 || (update_mode == 0 && (share_mode == 0 || share_mode == 1 || share_mode == 3))
-        is_authorized = is_friend?(policy_details[0]['contributor_id'], user_id)
-      end
-    end
-
-    # if user not yet authorized, check permissions belonging to the policy
-    if !is_authorized && user_id != 0
-      is_authorized = check_permissions(policy_details[0]['id'], action, user_id)
-    end
-
-    # return is_authorized
-    is_authorized
-  end
-
-  def check_permissions(policy_id, action, user_id)
-    permissions_details = get_permissions(policy_id)
-
-    # check permissions records for matching policy_id and current_user.id and decide if authorized
-    permissions_details.each do |permission|
-      if permission['contributor_id'] == user_id && permission['contributor_type'] == 'User' && permission["#{action}"]
-        return true
-      end
-    end
-
-    # or check for matching policy_id and a group.id then check if current_user is member of group.id
-    permissions_details.each do |permission|
-      if permission['contributor_type'] == 'Network' && permission["#{action}"]
-        if is_member_of_group? user_id, permission['contributor_id']
-          return true
-        end
-      end
-    end
-
-    false
-  end
-
-  def is_friend?(contributor_id, user_id)
-    friendship = Friendship.find_by_sql "SELECT id FROM friendships WHERE (user_id=#{contributor_id} AND friend_id=#{user_id}) OR (user_id=#{user_id} AND friend_id=#{contributor_id})"
-
-    if friendship.length > 0
-      return true
-    else
-      return false
-    end
-  end
-
-  def is_member_of_group?(user_id, network_id)
-    membership = Membership.find_by_sql "SELECT id FROM memberships WHERE user_id=#{user_id} AND network_id=#{network_id}"
-
-    # check if there is a membership record for user_id and network_id
-    if membership.length > 0
-      return true
-    else
-      # if there is no membership record check whether user_id is the owner of network_id
-      network = Network.find_by_sql "SELECT user_id FROM networks WHERE user_id=#{user_id} AND id=#{network_id}"
-      if network.length > 0
-        return true
-      else
-        return false
-      end
-    end
-  end
-
-  # query database for relevant fields in policies table
-  def get_policy(select_string, contributable_id, contributable_type)
-    Policy.find_by_sql "SELECT #{select_string} FROM contributions,policies WHERE contributions.policy_id=policies.id AND contributions.contributable_id=#{contributable_id} AND contributions.contributable_type=\'#{contributable_type}\'"
-  end
-
-  # get all permissions related to policy
-  def get_permissions(policy_id)
-    select_string = 'contributor_id,contributor_type,download,edit,view'
-    Permission.find_by_sql "SELECT #{select_string} FROM permissions WHERE policy_id=#{policy_id}"
-  end
-
-end

Modified: trunk/lib/rest.rb (2083 => 2084)


--- trunk/lib/rest.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/lib/rest.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -140,7 +140,7 @@
 
         # filter out things that the user cannot see
         collection = collection.select do |c|
-          not c.respond_to?('contribution') or c.authorized?('view', user)
+          not c.respond_to?('contribution') or Authorization.is_authorized?("view", nil, c, user)
         end
 
         collection.each do |item|
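Review bot: Any collection member that does not respond to `contribution` is let through the filter on line 3011 unchecked, so an object without a contribution is treated as visible to every caller; the same fail-open shape recurs at the `index` filters on lines 3029, 3038, 3061 and 3071. That was already the old behaviour, but now that the decision is centralised in `Authorization.is_authorized?` the assumption deserves to be stated, e.g. `# objects without a contribution carry no policy and are assumed public`, or replaced by an explicit list of exempt types. This filter also asks for `"view"` while the other list filters ask for `"index"`; if is_authorized? maps those two actions differently, a listing can show items that the later `"show"` check then refuses. The enclosing method starts and ends outside the hunk.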
@@ -223,7 +223,7 @@
 
   case rules['Permission']
     when 'public'; # do nothing
-    when 'view'; return rest_error_response(403, 'Not authorized') if not perm_ob.authorized?("show", (logged_in? ? user : nil))
+    when 'view'; return rest_error_response(403, 'Not authorized') if not Authorization.is_authorized?("show", nil, perm_ob, user)
     when 'owner'; return rest_error_response(403, 'Not authorized') if logged_in?.nil? or object_owner(perm_ob) != user
   end
 
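Review bot: The `logged_in? ? user : nil` guard was dropped on line 3020, so whatever `user` holds for an anonymous request is now handed straight to `Authorization.is_authorized?`. The functional test in this commit exercises nil and 0 as anonymous, so this is presumably safe, but the `'owner'` branch on line 3021 still decides anonymity with `logged_in?.nil?`, leaving the two branches with different notions of "not logged in". Keeping the guard makes the intent explicit and the branches consistent: `when 'view'; return rest_error_response(403, 'Not authorized') unless Authorization.is_authorized?("show", nil, perm_ob, (logged_in? ? user : nil))`. The enclosing method starts and ends outside the hunk.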
@@ -283,7 +283,7 @@
   end
 
   # filter out ones they are not allowed to get
-  obs = (obs.select do |c| c.respond_to?('contribution') == false or c.authorized?("index", user) end)
+  obs = (obs.select do |c| c.respond_to?('contribution') == false or Authorization.is_authorized?("index", nil, c, user) end)
 
   produce_rest_list(rules, query, obs, rest_name.pluralize)
 end
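Review bot: The rewritten filter on line 3029 compares `respond_to?('contribution') == false` and joins with `or`, which is the same wording as the lines it replaces at 3038 and 3071; since these lines are being touched anyway they would read more idiomatically as `obs = obs.select { |c| !c.respond_to?('contribution') || Authorization.is_authorized?("index", nil, c, user) }`. The multi-line form introduced on lines 3060–3062 is the clearer of the two shapes and could be used at all four sites.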
@@ -445,7 +445,7 @@
 
   return bad_rest_request if query['resource'].nil?
 
-  obs = (obs.select do |c| c.respond_to?('contribution') == false or c.authorized?("index", user) end)
+  obs = (obs.select do |c| c.respond_to?('contribution') == false or Authorization.is_authorized?("index", nil, c, user) end)
   doc = REXML::Document.new("<?xml version=\"1.0\" encoding=\"UTF-8\"?><rest-uri/>")
   "bing"
 end
@@ -546,9 +546,9 @@
 #   runner     = TavernaEnactor.find_by_id(runner_bits[1].to_i)
 #   runnable   = Workflow.find_by_id(runnable_bits[1].to_i)
 #
-#   return rest_error_response(400, 'Bad Request') if experiment.nil? or not experiment.authorized?("edit", user)
-#   return rest_error_response(400, 'Bad Request') if runner.nil?     or not runner.authorized?("download", user)
-#   return rest_error_response(400, 'Bad Request') if runnable.nil?   or not runnable.authorized?("view", user)
+#   return rest_error_response(400, 'Bad Request') if experiment.nil? or not Authorization.is_authorized?('edit', nil, experiment, user)
+#   return rest_error_response(400, 'Bad Request') if runner.nil?     or not Authorization.is_authorized?('download', nil, runner, user)
+#   return rest_error_response(400, 'Bad Request') if runnable.nil?   or not Authorization.is_authorized?('view', nil, runnable, user)
 #
 #   puts "#{params[:job]}"
 #
@@ -593,7 +593,9 @@
   root['type' ] = query['type'] if query['type']
 
   # filter out ones they are not allowed to get
-  results = results.select do |r| r.respond_to?('contribution') == false or r.authorized?('index', user) end
+  results = results.select do |r|
+    r.respond_to?('contribution') == false or Authorization.is_authorized?('index', nil, r, user)
+  end
 
   results.each do |result|
     root << rest_reference(result, query)
@@ -639,7 +641,7 @@
   obs = tag ? tag.tagged : []
 
   # filter out ones they are not allowed to get
-  obs = (obs.select do |c| c.respond_to?('contribution') == false or c.authorized?('index', user) end)
+  obs = (obs.select do |c| c.respond_to?('contribution') == false or Authorization.is_authorized?("index", nil, c, user) end)
 
   produce_rest_list(rules, query, obs, 'tagged')
 end
@@ -717,8 +719,10 @@
 #
 #   return rest_error_response(404, 'Resource Not Found') if resource.nil?
 #
+#   FIXME: The following respond_to? would not work anymore
+#
 #   if resource.respond_to?('authorized?')
-#     return rest_error_response(403, 'Not Authorized') if not resource.authorized?('edit', user)
+#     return rest_error_response(403, 'Not Authorized') if not Authorization.is_authorized?('edit', nil, resource, user)
 #   end
 #
 # end

Modified: trunk/test/fixtures/policies.yml (2083 => 2084)


--- trunk/test/fixtures/policies.yml	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/test/fixtures/policies.yml	2009-02-04 14:36:50 UTC (rev 2084)
@@ -4,12 +4,6 @@
   contributor_id: 1
   contributor_type: User
   name: Johns policy
-  download_public: true
-  edit_public: true
-  view_public: true
-  download_protected: true
-  edit_protected: true
-  view_protected: true
   share_mode: 0
   update_mode: 0
   created_at: 2008-02-02 22:02:54
@@ -20,12 +14,6 @@
   contributor_id: 2
   contributor_type: User
   name: Janes policy
-  download_public: true
-  edit_public: true
-  view_public: true
-  download_protected: true
-  edit_protected: true
-  view_protected: true
   share_mode: 0
   update_mode: 0
   created_at: 2007-10-22 18:54:22
@@ -36,12 +24,6 @@
   contributor_id: 1
   contributor_type: User
   name: All true
-  download_public: true
-  edit_public: true
-  view_public: true
-  download_protected: true
-  edit_protected: true
-  view_protected: true
   share_mode: 0
   update_mode: 0
   created_at: 2007-10-22 18:54:22
@@ -52,12 +34,6 @@
   contributor_id: 1
   contributor_type: User
   name: All false
-  download_public: false
-  edit_public: false
-  view_public: false
-  download_protected: false
-  edit_protected: false
-  view_protected: false
   share_mode: 5
   update_mode: 2
   created_at: 2007-10-22 18:54:22
@@ -68,12 +44,6 @@
   contributor_id: 1
   contributor_type: User
   name: Public false, protected true
-  download_public: false
-  edit_public: false
-  view_public: false
-  download_protected: true
-  edit_protected: true
-  view_protected: true
   share_mode: 3
   update_mode: 1
   created_at: 2007-10-22 18:54:22
@@ -84,12 +54,6 @@
   contributor_id: 1
   contributor_type: User
   name: Public true, protected false (should act as all true)
-  download_public: true
-  edit_public: true
-  view_public: true
-  download_protected: false
-  edit_protected: false
-  view_protected: false
   share_mode: 0
   update_mode: 0
   created_at: 2007-10-22 18:54:22

Modified: trunk/test/functional/authorization_test.rb (2083 => 2084)


--- trunk/test/functional/authorization_test.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/test/functional/authorization_test.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -5,7 +5,6 @@
 
 require File.dirname(__FILE__) + '/../test_helper'
 require 'workflows_controller'
-include IsAuthorized
 
 # Re-raise errors caught by the controller.
 class WorkflowsController; def rescue_action(e) raise e end; end
@@ -18,136 +17,155 @@
   end
 
   def test_is_owner
-    assert is_owner?(workflows(:workflow_dilbert).id, 'Workflow', users(:john).id)
+    assert Authorization.is_owner?(users(:john).id, workflows(:workflow_dilbert).contribution)
   end
 
   def test_is_not_owner
-    assert !is_owner?(workflows(:workflow_dilbert).id, 'Workflow', users(:jane).id)
+    assert !Authorization.is_owner?(users(:jane).id, workflows(:workflow_dilbert).contribution)
   end
 
   def test_is_friend
-    assert is_friend?(users(:john).id, users(:jane).id)
+    assert Authorization.is_friend?(users(:john).id, users(:jane).id)
   end
 
   def test_is_not_friend
-    assert !is_friend?(users(:john).id, users(:admin).id)
+    assert !Authorization.is_friend?(users(:john).id, users(:admin).id)
   end
 
   def test_is_member_of_group
-    assert is_member_of_group?(users(:john).id, networks(:dilbert_appreciation_network).id)
-    assert is_member_of_group?(users(:jane).id, networks(:dilbert_appreciation_network).id)
+    assert Authorization.is_network_member?(users(:john).id, networks(:another_network).id)
+    assert Authorization.is_network_member?(users(:jane).id, networks(:dilbert_appreciation_network).id)
   end
 
   def test_is_not_member_of_group
-    assert !is_member_of_group?(users(:admin).id, networks(:dilbert_appreciation_network).id)
+    assert !Authorization.is_network_member?(users(:admin).id, networks(:dilbert_appreciation_network).id)
   end
 
   def test_is_owner_authorized_to_view
-    assert is_authorized_to_view?(blobs(:for_true_policy).id, 'Blob', users(:john))
-    assert is_authorized_to_view?(blobs(:for_false_policy).id, 'Blob', users(:john))
-    assert is_authorized_to_view?(blobs(:for_protected_policy).id, 'Blob', users(:john))
-    assert is_authorized_to_view?(blobs(:for_public_policy).id, 'Blob', users(:john))
+    # "thing" referenced by ID and Type; only user_id, not instance supplied
+    assert Authorization.is_authorized?("view", "Blob", blobs(:for_true_policy).id, users(:john).id)
+    
+    # "thing" referenced by ID and Type; user instance supplied
+    assert Authorization.is_authorized?("view", "Blob", blobs(:for_false_policy).id, users(:john))
+    
+    # "thing" supplied as instance; user instance supplied
+    assert Authorization.is_authorized?("view", nil, blobs(:for_protected_policy), users(:john))
+    
+    # "thing" supplied as instance; only user_id, not instance supplied
+    assert Authorization.is_authorized?("view", nil, blobs(:for_public_policy), users(:john).id)
   end
 
   def test_is_owner_authorized_to_edit
-    assert is_authorized_to_edit?(blobs(:for_true_policy).id, 'Blob', users(:john))
-    assert is_authorized_to_edit?(blobs(:for_false_policy).id, 'Blob', users(:john))
-    assert is_authorized_to_edit?(blobs(:for_protected_policy).id, 'Blob', users(:john))
-    assert is_authorized_to_edit?(blobs(:for_public_policy).id, 'Blob', users(:john))
+    assert Authorization.is_authorized?("edit", nil, blobs(:for_true_policy), users(:john))
+    assert Authorization.is_authorized?("edit", nil, blobs(:for_false_policy), users(:john))
+    assert Authorization.is_authorized?("edit", nil, blobs(:for_protected_policy), users(:john))
+    assert Authorization.is_authorized?("edit", nil, blobs(:for_public_policy), users(:john))
   end
 
   def test_is_owner_authorized_to_download
-    assert is_authorized_to_download?(blobs(:for_true_policy).id, 'Blob', users(:john))
-    assert is_authorized_to_download?(blobs(:for_false_policy).id, 'Blob', users(:john))
-    assert is_authorized_to_download?(blobs(:for_protected_policy).id, 'Blob', users(:john))
-    assert is_authorized_to_download?(blobs(:for_public_policy).id, 'Blob', users(:john))
+    assert Authorization.is_authorized?("download", nil, blobs(:for_true_policy), users(:john))
+    assert Authorization.is_authorized?("download", nil, blobs(:for_false_policy), users(:john))
+    assert Authorization.is_authorized?("download", nil, blobs(:for_protected_policy), users(:john))
+    assert Authorization.is_authorized?("download", nil, blobs(:for_public_policy), users(:john))
   end
 
   def test_is_anonymous_authorized_to_view
-    assert is_authorized_to_view?(blobs(:for_true_policy).id, 'Blob')
-    assert !is_authorized_to_view?(blobs(:for_false_policy).id, 'Blob')
-    assert !is_authorized_to_view?(blobs(:for_protected_policy).id, 'Blob')
-    assert is_authorized_to_view?(blobs(:for_public_policy).id, 'Blob')
-
-    assert is_authorized_to_view?(blobs(:for_true_policy).id, 'Blob', nil)
-    assert !is_authorized_to_view?(blobs(:for_false_policy).id, 'Blob', nil)
-    assert !is_authorized_to_view?(blobs(:for_protected_policy).id, 'Blob', nil)
-    assert is_authorized_to_view?(blobs(:for_public_policy).id, 'Blob', nil)
+    # "anonymous" indicated as a default parameter (not even supplied)
+    assert Authorization.is_authorized?("view", nil, blobs(:for_true_policy))
+    assert !Authorization.is_authorized?("view", nil, blobs(:for_false_policy))
+    assert !Authorization.is_authorized?("view", nil, blobs(:for_protected_policy))
+    assert Authorization.is_authorized?("view", nil, blobs(:for_public_policy))
+    
+    # "anonymous" indicated as NIL
+    assert Authorization.is_authorized?("view", nil, blobs(:for_true_policy), nil)
+    assert !Authorization.is_authorized?("view", nil, blobs(:for_false_policy), nil)
+    assert !Authorization.is_authorized?("view", nil, blobs(:for_protected_policy), nil)
+    assert Authorization.is_authorized?("view", nil, blobs(:for_public_policy), nil)
+    
+    # "anonymous" indicated as "0" - the same way as AuthenticadSystem module will
+    # do for not logged in users
+    assert Authorization.is_authorized?("view", nil, blobs(:for_true_policy), 0)
+    assert !Authorization.is_authorized?("view", nil, blobs(:for_false_policy), 0)
+    assert !Authorization.is_authorized?("view", nil, blobs(:for_protected_policy), 0)
+    assert Authorization.is_authorized?("view", nil, blobs(:for_public_policy), 0)
   end
 
   def test_is_anonymous_authorized_to_edit
-    assert is_authorized_to_edit?(blobs(:for_true_policy).id, 'Blob')
-    assert !is_authorized_to_edit?(blobs(:for_false_policy).id, 'Blob')
-    assert !is_authorized_to_edit?(blobs(:for_protected_policy).id, 'Blob')
-    assert is_authorized_to_edit?(blobs(:for_public_policy).id, 'Blob')
+    assert Authorization.is_authorized?("edit", nil, blobs(:for_true_policy), 0)
+    assert !Authorization.is_authorized?("edit", nil, blobs(:for_false_policy), 0)
+    assert !Authorization.is_authorized?("edit", nil, blobs(:for_protected_policy), 0)
+    assert Authorization.is_authorized?("edit", nil, blobs(:for_public_policy), 0)
   end
 
   def test_is_anonymous_authorized_to_download
-    assert is_authorized_to_download?(blobs(:for_true_policy).id, 'Blob')
-    assert !is_authorized_to_download?(blobs(:for_false_policy).id, 'Blob')
-    assert !is_authorized_to_download?(blobs(:for_protected_policy).id, 'Blob')
-    assert is_authorized_to_download?(blobs(:for_public_policy).id, 'Blob')
+    assert Authorization.is_authorized?("download", nil, blobs(:for_true_policy), nil)
+    assert !Authorization.is_authorized?("download", nil, blobs(:for_false_policy), nil)
+    assert !Authorization.is_authorized?("download", nil, blobs(:for_protected_policy), nil)
+    assert Authorization.is_authorized?("download", nil, blobs(:for_public_policy), nil)
   end
 
   def test_is_friend_authorized_to_view
-    assert is_authorized_to_view?(blobs(:for_true_policy).id, 'Blob', users(:johns_friend))
-    assert !is_authorized_to_view?(blobs(:for_false_policy).id, 'Blob', users(:johns_friend))
-    assert is_authorized_to_view?(blobs(:for_protected_policy).id, 'Blob', users(:johns_friend))
-    assert is_authorized_to_view?(blobs(:for_public_policy).id, 'Blob', users(:johns_friend))
+    assert Authorization.is_authorized?("view", nil, blobs(:for_true_policy), users(:johns_friend))
+    assert !Authorization.is_authorized?("view", nil, blobs(:for_false_policy), users(:johns_friend))
+    assert Authorization.is_authorized?("view", nil, blobs(:for_protected_policy), users(:johns_friend))
+    assert Authorization.is_authorized?("view", nil, blobs(:for_public_policy), users(:johns_friend))
   end
 
   def test_is_friend_authorized_to_edit
-    assert is_authorized_to_edit?(blobs(:for_true_policy).id, 'Blob', users(:johns_friend))
-    assert !is_authorized_to_edit?(blobs(:for_false_policy).id, 'Blob', users(:johns_friend))
-    assert is_authorized_to_edit?(blobs(:for_protected_policy).id, 'Blob', users(:johns_friend))
-    assert is_authorized_to_edit?(blobs(:for_public_policy).id, 'Blob', users(:johns_friend))
+    assert Authorization.is_authorized?("edit", nil, blobs(:for_true_policy), users(:johns_friend))
+    assert !Authorization.is_authorized?("edit", nil, blobs(:for_false_policy), users(:johns_friend))
+    assert Authorization.is_authorized?("edit", nil, blobs(:for_protected_policy), users(:johns_friend))
+    assert Authorization.is_authorized?("edit", nil, blobs(:for_public_policy), users(:johns_friend))
   end
 
   def test_is_friend_authorized_to_download
-    assert is_authorized_to_download?(blobs(:for_true_policy).id, 'Blob', users(:johns_friend))
-    assert !is_authorized_to_download?(blobs(:for_false_policy).id, 'Blob', users(:johns_friend))
-    assert is_authorized_to_download?(blobs(:for_protected_policy).id, 'Blob', users(:johns_friend))
-    assert is_authorized_to_download?(blobs(:for_public_policy).id, 'Blob', users(:johns_friend))
+    assert Authorization.is_authorized?("download", nil, blobs(:for_true_policy), users(:johns_friend))
+    assert !Authorization.is_authorized?("download", nil, blobs(:for_false_policy), users(:johns_friend))
+    assert Authorization.is_authorized?("download", nil, blobs(:for_protected_policy), users(:johns_friend))
+    assert Authorization.is_authorized?("download", nil, blobs(:for_public_policy), users(:johns_friend))
   end
 
   def test_is_group_authorized_to_view
-    assert is_authorized_to_view?(blobs(:for_true_policy).id, 'Blob', users(:spare_user))
-    assert !is_authorized_to_view?(blobs(:for_false_policy).id, 'Blob', users(:spare_user))
-    assert !is_authorized_to_view?(blobs(:for_protected_policy).id, 'Blob', users(:spare_user))
-    assert is_authorized_to_view?(blobs(:for_public_policy).id, 'Blob', users(:spare_user))
+    assert Authorization.is_authorized?("view", nil, blobs(:for_true_policy), users(:spare_user))
+    assert !Authorization.is_authorized?("view", nil, blobs(:for_false_policy), users(:spare_user))
+    assert !Authorization.is_authorized?("view", nil, blobs(:for_protected_policy), users(:spare_user))
+    assert Authorization.is_authorized?("view", nil, blobs(:for_public_policy), users(:spare_user))
   end
 
   def test_is_group_authorized_to_edit
-    assert is_authorized_to_edit?(blobs(:for_true_policy).id, 'Blob', users(:spare_user))
-    assert !is_authorized_to_edit?(blobs(:for_false_policy).id, 'Blob', users(:spare_user))
-    assert !is_authorized_to_edit?(blobs(:for_protected_policy).id, 'Blob', users(:spare_user))
-    assert is_authorized_to_edit?(blobs(:for_public_policy).id, 'Blob', users(:spare_user))
+    assert Authorization.is_authorized?("edit", nil, blobs(:for_true_policy), users(:spare_user))
+    assert !Authorization.is_authorized?("edit", nil, blobs(:for_false_policy), users(:spare_user))
+    assert !Authorization.is_authorized?("edit", nil, blobs(:for_protected_policy), users(:spare_user))
+    assert Authorization.is_authorized?("edit", nil, blobs(:for_public_policy), users(:spare_user))
   end
 
   def test_is_group_authorized_to_download
-    assert is_authorized_to_download?(blobs(:for_true_policy).id, 'Blob', users(:spare_user))
-    assert !is_authorized_to_download?(blobs(:for_false_policy).id, 'Blob', users(:spare_user))
-    assert !is_authorized_to_download?(blobs(:for_protected_policy).id, 'Blob', users(:spare_user))
-    assert is_authorized_to_download?(blobs(:for_public_policy).id, 'Blob', users(:spare_user))
+    assert Authorization.is_authorized?("download", nil, blobs(:for_true_policy), users(:spare_user))
+    assert !Authorization.is_authorized?("download", nil, blobs(:for_false_policy), users(:spare_user))
+    assert !Authorization.is_authorized?("download", nil, blobs(:for_protected_policy), users(:spare_user))
+    assert Authorization.is_authorized?("download", nil, blobs(:for_public_policy), users(:spare_user))
   end
 
   def test_user_permissions
-    assert is_authorized_to_view?(blobs(:for_false_policy).id, 'Blob', users(:admin))
-    assert !is_authorized_to_edit?(blobs(:for_false_policy).id, 'Blob', users(:admin))
-    assert is_authorized_to_download?(blobs(:for_false_policy).id, 'Blob', users(:admin))
+    assert Authorization.is_authorized?("view", nil, blobs(:for_false_policy), users(:admin))
+    assert !Authorization.is_authorized?("edit", nil, blobs(:for_false_policy), users(:admin))
+    assert Authorization.is_authorized?("download", nil, blobs(:for_false_policy), users(:admin))
   end
 
   def test_group_permissions
-    assert is_authorized_to_view?(blobs(:for_false_policy).id, 'Blob', users(:jane))
-    assert is_authorized_to_edit?(blobs(:for_false_policy).id, 'Blob', users(:jane))
-    assert !is_authorized_to_download?(blobs(:for_false_policy).id, 'Blob', users(:jane))
+    assert Authorization.is_authorized?("view", nil, blobs(:for_false_policy), users(:jane))
+    assert Authorization.is_authorized?("edit", nil, blobs(:for_false_policy), users(:jane))
+    
+    # in the fixture "view"/"edit" flags are set to TRUE, but "download" is set to FALSE;
+    # cascading permissions should provide permission to download in this case
+    assert Authorization.is_authorized?("download", nil, blobs(:for_false_policy), users(:jane))
   end
 
   def test_is_authorized_to_destroy
-    assert is_authorized_to_destroy?(blobs(:for_true_policy).id, 'Blob', users(:john))
-    assert !is_authorized_to_destroy?(blobs(:for_true_policy).id, 'Blob', users(:jane))
-    assert !is_authorized_to_destroy?(blobs(:for_true_policy).id, 'Blob', users(:admin))
-    assert !is_authorized_to_destroy?(blobs(:for_true_policy).id, 'Blob', users(:johns_friend))
-    assert !is_authorized_to_destroy?(blobs(:for_true_policy).id, 'Blob', users(:spare_user))
+    assert Authorization.is_authorized?("destroy", nil, blobs(:for_true_policy), users(:john))
+    assert !Authorization.is_authorized?("destroy", nil, blobs(:for_true_policy), users(:jane))
+    assert !Authorization.is_authorized?("destroy", nil, blobs(:for_true_policy), users(:admin))
+    assert !Authorization.is_authorized?("destroy", nil, blobs(:for_true_policy), users(:johns_friend))
+    assert !Authorization.is_authorized?("destroy", nil, blobs(:for_true_policy), users(:spare_user))
   end
 end
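Review bot: `test_group_permissions` on lines 3391–3396 now asserts that jane may download `for_false_policy` even though, per the new comment, the permission row sets download to false: an explicit deny on one action is overridden by a grant on another. If that cascade (edit implying download) is the intended rule it should be documented next to `Authorization.is_authorized?` and the fixture named to say so, because anyone reading the permissions table will expect `download: false` to mean denied. `test_is_member_of_group` on line 3211 also moves john from `dilbert_appreciation_network` to `another_network`, which suggests `is_network_member?` no longer counts the network owner as a member the way the removed `is_member_of_group?` did (lines 2978–2981); if so, a test pinning that choice would be better than a quietly changed fixture. The comment on line 3282 misspells the module as `AuthenticadSystem`. The enclosing test class starts outside the hunk.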

Deleted: trunk/test/functional/permissions_controller_test.rb (2083 => 2084)


--- trunk/test/functional/permissions_controller_test.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/test/functional/permissions_controller_test.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -1,90 +0,0 @@
-# myExperiment: test/functional/permissions_controller_test.rb
-#
-# Copyright (c) 2007 University of Manchester and the University of Southampton.
-# See license.txt for details.
-
-require File.dirname(__FILE__) + '/../test_helper'
-require 'permissions_controller'
-
-# Re-raise errors caught by the controller.
-class PermissionsController; def rescue_action(e) raise e end; end
-
-class PermissionsControllerTest < Test::Unit::TestCase
-  fixtures :permissions, :users, :policies
-
-  def setup
-    @controller = PermissionsController.new
-    @request    = ActionController::TestRequest.new
-    @response   = ActionController::TestResponse.new
-  end
-
-  # view not used, and errors when attempted
-  def test_should_get_index
-    #login_as(:john)
-    #get :index
-    #assert_response :success
-    #assert assigns(:permissions)
-    
-    assert true
-  end
-
-  def test_should_get_new
-    login_as(:john)
-    get :new, :policy_id => policies(:john_policy).id
-    assert_response :success
-  end
-  
-  def test_should_create_permission
-    old_count = Permission.count
-
-    login_as(:john)
-    post :create, :permission => { :policy_id => policies(:john_policy).id, 
-                                   :contributor_type => 'User',
-                                   :contributor_id => 2,
-                                   :download => 1,
-                                   :edit => 0,
-                                   :view => 1 },
-                  :user_contributor_id => 2,
-                  :policy_id => policies(:john_policy).id
-
-    assert assigns(:permission)
-    assert_redirected_to policy_path(policies(:john_policy).id)
-    assert_equal old_count+1, Permission.count
-  end
-
-  def test_should_show_permission
-    login_as(:john)
-    get :show, :id => 1
-    assert_response :success
-  end
-
-  def test_should_get_edit
-    login_as(:john)
-    get :edit, :id => 1, :policy_id => policies(:john_policy).id
-    assert_response :success
-  end
-  
-  def test_should_update_permission
-    login_as(:john)
-    put :update, :id => 1, :permission => { :contributor_id => '3',
-                                            :contributor_type => 'User',
-                                            :edit => '0', 
-                                            :download => '0',
-                                            :view => '1' }, 
-                 :policy_id => policies(:john_policy).id
-
-    assert_equal 'Permission was successfully updated.', flash[:notice]
-    assert assigns(:permission)
-    assert_redirected_to policy_path(policies(:john_policy).id)
-  end
-  
-  def test_should_destroy_permission
-    old_count = Permission.count
-
-    login_as(:john)
-    delete :destroy, :id => 1, :policy_id => policies(:john_policy).id
-
-    assert_equal old_count-1, Permission.count    
-    assert_redirected_to policy_path(policies(:john_policy).id)
-  end
-end

Deleted: trunk/test/functional/policies_controller_test.rb (2083 => 2084)


--- trunk/test/functional/policies_controller_test.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/test/functional/policies_controller_test.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -1,79 +0,0 @@
-# myExperiment: test/functional/policies_controller_test.rb
-#
-# Copyright (c) 2007 University of Manchester and the University of Southampton.
-# See license.txt for details.
-
-require File.dirname(__FILE__) + '/../test_helper'
-require 'policies_controller'
-
-# Re-raise errors caught by the controller.
-class PoliciesController; def rescue_action(e) raise e end; end
-
-class PoliciesControllerTest < Test::Unit::TestCase
-  fixtures :policies, :users
-
-  def setup
-    @controller = PoliciesController.new
-    @request    = ActionController::TestRequest.new
-    @response   = ActionController::TestResponse.new
-  end
-
-  def test_should_get_index
-    login_as(:john)
-    get :index
-    assert_response :success
-    assert assigns(:policies)
-  end
-
-  def test_should_get_new
-    login_as(:john)
-    get :new
-    assert_response :success
-  end
-  
-  def test_should_create_policy
-    old_count = Policy.count
-
-    login_as(:john)
-    post :create, :policy => { :contributor_id => users(:john).id,
-                               :contributor_type => 'User',
-                               :name => 'test policy',
-                               :view_public => true,
-                               :download_public => true,
-                               :edit_public => true,
-                               :view_protected => true,
-                               :download_protected => true,
-                               :edit_protected => true }
-
-    assert_equal old_count+1, Policy.count    
-    assert_redirected_to policy_path(assigns(:policy))
-  end
-
-  def test_should_show_policy
-    login_as(:john)
-    get :show, :id => 1
-    assert_response :success
-  end
-
-  def test_should_get_edit
-    login_as(:john)
-    get :edit, :id => 1
-    assert_response :success
-  end
-  
-  def test_should_update_policy
-    login_as(:john)
-    put :update, :id => 1, :policy => { :download_public => false, :edit_public => false }
-    assert_redirected_to policy_path(assigns(:policy))
-  end
-  
-  def test_should_destroy_policy
-    old_count = Policy.count
-
-    login_as(:john)
-    delete :destroy, :id => 1
-
-    assert_equal old_count-1, Policy.count
-    assert_redirected_to policies_path
-  end
-end

Deleted: trunk/test/functional/policy_wizard_controller_test.rb (2083 => 2084)


--- trunk/test/functional/policy_wizard_controller_test.rb	2009-02-04 12:12:49 UTC (rev 2083)
+++ trunk/test/functional/policy_wizard_controller_test.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -1,18 +0,0 @@
-require File.dirname(__FILE__) + '/../test_helper'
-require 'policy_wizard_controller'
-
-# Re-raise errors caught by the controller.
-class PolicyWizardController; def rescue_action(e) raise e end; end
-
-class PolicyWizardControllerTest < Test::Unit::TestCase
-  def setup
-    @controller = PolicyWizardController.new
-    @request    = ActionController::TestRequest.new
-    @response   = ActionController::TestResponse.new
-  end
-
-  # Replace this with your real tests.
-  def test_truth
-    assert true
-  end
-end

Copied: trunk/test/unit/authorisation_test.rb (from rev 2083, branches/authorization_new/test/unit/authorisation_test.rb) (0 => 2084)


--- trunk/test/unit/authorisation_test.rb	                        (rev 0)
+++ trunk/test/unit/authorisation_test.rb	2009-02-04 14:36:50 UTC (rev 2084)
@@ -0,0 +1,14 @@
+require File.dirname(__FILE__) + '/../test_helper'
+
+class AuthorisationTest < Test::Unit::TestCase
+  fixtures :workflows
+  fixtures :blobs
+  fixtures :contributions
+  fixtures :permissions
+  fixtures :policies
+
+  # Replace this with your real tests.
+  def test_truth
+    assert true
+  end
+end
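Review bot: `AuthorisationTest` loads five fixture tables (lines 3630–3634) and then asserts only `true` on line 3638, so the authorization module merged here has no unit-level test; either add at least one assertion against `Authorization.is_authorized?` using these fixtures, or leave the file out until it does. The file is also named `authorisation_test.rb` while the functional test and the `Authorization` module use the other spelling, which makes the two tests harder to find together.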
