TO DO

+ Add Right model generator and DB-backed way of handling rights in addition to inlined "permit" checks
+ Added namespacing to @options instance variable to prevent possible name clashes
+ Add test generator instead of handling tests in test apps
+ Add support for groups
+ Extend grammar to allow "(admin or moderator or some_role) of some_model" (?) [Chris Hapgood]
+ Extend coverage to models. Look at Bruce Perens's ModelSecurity and access with_scope.
  (9/3006 - Recently investigated extension to model and the most programmer-friendly DSLs may require too much hacking on ActiveRecord.)

CHANGES (from most recent to oldest)

=== 1.0.10 release (February 27, 2008)

* Patch Series : Granular redirection configuration submitted by Thomas Weibel

  WARNING : If you are upgrading from a previous install you may need to change some configuration settings in your environment.rb file.

  - Remove DEFAULT_REDIRECTION_HASH config
  - Added granular LOGIN_REQUIRED_REDIRECTION hash or path config
  - Added granular PERMISSION_DENIED_REDIRECTION hash or path config
  - Added STORE_LOCATION_METHOD config
  - Support custom flash messages for each redirection type
  - Updated README.txt to provide instructions.
  - Enhanced support for integration with restful_authentication plugin.

=== 1.0.9 release (February 26, 2008)

* Patch #8571 : Add type argument to is_role_of_what submitted by Aslak Hellesøy (aslak_hellesoy)

  In my RESTful index views for an AR type I often want to list all of the records *for a given type* for which the current user has the role "show". (As opposed to getting *any* record for which the user has the role.) In order to achieve this, I have patched identity.rb so that I can do this:

    def index
      if current_user.permit? 'admin'
        # show all projects
        @projects = Project.find(:all)
      else
        @projects = current_user.is_show_for_what(Project)
      end
    end

=== 1.0.8 release (February 26, 2008)

* Patch #11352 : Fixes a bug with role_regex and simple quoted roles submitted by 'a French RoR developer'

  Documentation says:

    ::= /\w+/ | /'.*'/

  But the next permission string isn't well parsed:

    " 'abcd:efgh' or 'abcd:ijkl' "

  You get an error because the role_regex defined in parser.rb eats every simple quote between the first and the last simple quote in the string. So I patched the two instances of role_regex in parser.rb, from this:

    role_regex = '\s*(\'\s*(.+)\s*\'|([A-Za-z]\w*))\s*'

  to this (the question mark ends the first pattern as soon as possible, so the inner simple quotes are not eaten):

    role_regex = '\s*(\'\s*(.+?)\s*\'|([A-Za-z]\w*))\s*'

=== 1.0.7 release (February 25, 2008)

* Patch #9431 : Fixes a bug in identity.rb submitted by Michel Martens (blaumag)

  If some authorizable instance accepts a role, then it responds true when queried for has_[role_name]? Example:

    country.has_kings?                #=> false
    user.has_role "king", country
    country.has_kings?                #=> true
    user.has_no_role "king", country
    country.has_kings?                #=> true

  The last time, country.has_kings? should be false.

=== 1.0.6 release (February 25, 2008)

* Patch #12170 : Additional HABTM options for acts_as_authorized_user

  A very simple patch that allows options to be passed to the has_and_belongs_to_many relationship. This seems necessary if the "User" object has a different name from the table name. has_and_belongs_to_many does not automatically use the table set by the "User" object so it must be specified (along with the foreign key if applicable).

  Patch submitted by Eric Anderson (eric1234)

=== 1.0.5 release (February 25, 2008)

* Feature : Add additional test for current_user being set to the symbol ':false'. This is for compatibility with the restful_authentication plugin which will set current_user to :false on a bad login. Previously we were only testing for current_user.nil? which was incomplete.

=== 1.0.4 release (February 25, 2008)

* Bugfix : RubyForge bug #9368. Problems with about.yml. Fixes a minor bug in the about.yml plugin metadata file so that it will parse cleanly. [GR]

=== 1.0.3 release (February 17, 2008)

* Minor changes to USAGE text for ./script/generate role_model

=== 1.0.2 release (February 17, 2008)

* From this release forward the plugin requires use of Ruby on Rails version 2.x. Version 1.0.1 is the final release fully compatible with Rails 1.2.x.
* Upgraded the database migration generator to create the new Rails 2.0.x style 'sexy migrations'.

=== 1.0.1 release (February 17, 2008)

* Moved source code to public Git repository at GitHub.com (http://github.com/DocSavage/rails-authorization-plugin/tree/master)
* Removed attr_protected declaration from acts_as_authorized_user, acts_as_authorizable methods. These conflicted with usage of the Authorization plugin with models generated by the restful_authentication generator or any model that specified the safer attr_accessible whitelist. RA encourages the safer attr_accessible whitelisting of attributes that are accessible from its models. You cannot apply both attr_accessible and attr_protected in the same model. Users are encouraged to specify a whitelist of attr_accessible model attributes for their application's security. [grempe]

=== SVN

* Performance improvement for has_role? [Sean Geoghegan]
* Allow customization of message on redirection after failed authorization (:redirect_message option) [Joey Geiger]
* Patch to allow authorizable objects that use single table inheritance (STI) [Sean Geoghegan]

=== 1.0 release (Sept 13, 2006)

* Added attr_protected for habtm and has_many role ids to block security concern if developers use update_attributes(params[:auth_obj]) on an authorizable object [Michael Schuerig]
* Use before_filter rather than prepend_before_filter so necessary instance variables (and methods) can be established before trying authorization checks. This fix came about for Mephisto blog where a class-level permit "admin of site" was used. The site attribute was set in a before_filter. If you prepend your authorization filter, it will execute before any other before_filter, which is probably not a good idea.
* Add "about" yaml for future Rails plugin directory.
* Cleaned up exception handling a little [due to suggestion by Michael Schuerig]
* Add generator for role model and migration, e.g., "script/generate role_model Role". Role model must be called "Role" at this time. More general naming as a TO DO.
* Removed simple_roles_table to simplify plugin.
* Moved all files in Authorization namespace into /publishare subdirectory to reduce danger of clashes in load path [nod to Michael Schuerig].
* Small code refinement patch [Michael Schuerig]
* The colon preceding a model name in the authorization expression is now optional. The parser uses accepted prepositions to disambiguate models from roles.
* Change default parser from Recursive Descent parser to Eval parser. Currently implemented recursive descent parser doesn't handle left-sided boolean expressions well. Eval parser relies on Ruby (good thing), but wherever there's an eval, we have to be more careful.
* Will start linking to and monitoring forum area at RubyForge http://rubyforge.org/forum/?group_id=1797
* Added changelog :)
* Added return false to handle_redirection to short-circuit filters if redirect occurs. This is second fix to prevent double renders.
* Changed the requires to pull files from the plugin directory. (Necessary for name conflicts between plugin and apps)
* Minor fixes to update documentation

=== 1.0 rc3 (July 19, 2006)

* Fix to prevent double redirect
* Fix to migration examples

... see svn log
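The role_regex bug from the 1.0.8 entry, as an added example that is not part of the plugin's own code: a reduced role tokenizer run with both the greedy pattern and the patched lazy one, so the single malformed role the old pattern produces is visible next to the two roles the fix yields. The tokenizer is an assumed simplification of parser.rb (it ignores "role of model" terms, which the real parser also handles); a mis-tokenized quoted role never matches any role a user actually holds, so the authorization expression silently checks something other than what was written.

```ruby
# Added example (not the plugin's code): a reduced stand-in for the role
# tokenizer in parser.rb, showing why the 1.0.8 role_regex change matters.
# The two patterns are the before/after strings from the changelog entry.
GREEDY_ROLE_REGEX = Regexp.new('\s*(\'\s*(.+)\s*\'|([A-Za-z]\w*))\s*')
FIXED_ROLE_REGEX  = Regexp.new('\s*(\'\s*(.+?)\s*\'|([A-Za-z]\w*))\s*')

# Boolean keywords of the permission grammar. They are matched by the
# bare-word alternative of role_regex, so a tokenizer must not report them
# as roles.
BOOLEAN_WORDS = %w[or and not].freeze

# Return the role names a permission expression mentions, using the given
# role_regex. Capture group 2 is a quoted role, group 3 a bare (unquoted)
# role. Assumed simplification: "<role> of <model>" terms are not handled,
# they are not needed to show this bug.
def roles_in(expression, role_regex)
  expression.scan(role_regex)
            .map { |_whole, quoted, bare| quoted || bare }
            .reject { |token| BOOLEAN_WORDS.include?(token) }
end

if __FILE__ == $PROGRAM_NAME
  expr = " 'abcd:efgh' or 'abcd:ijkl' "   # the string from the bug report
  p roles_in(expr, GREEDY_ROLE_REGEX)     # one bogus role spanning both quotes
  p roles_in(expr, FIXED_ROLE_REGEX)      # ["abcd:efgh", "abcd:ijkl"]
end
```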