Catalyst-Plugin-Authorization-ACL-0.16/000755 000765 000024 00000000000 12335064737 020735 5ustar00rkitoverstaff000000 000000 Catalyst-Plugin-Authorization-ACL-0.16/Changes000644 000765 000024 00000003406 12335064737 022233 0ustar00rkitoverstaff000000 000000 Revision history for Catalyst::Plugin::Authorization::ACL 0.16 2014-05-15 03:16:39 - fix a spelling error and copyright statement (Jonathan Yu) (RT#95566) - convert to git - convert to dzil 0.15 2009-10-18 05:56:51 - apply fix from RT#50604 (filter undef actions when building tree) 0.14 2009-09-30 22:20:41 - add 'deny_access_unless_any' and 'allow_access_if_any' as shortcuts for any role in a list - fix 'uninitialized' warning in tests 0.13 2009-09-26 03:34:16 - fix use of $dispatcher->tree warning - fix actions in testapp warning 0.12 2009-09-25 09:35:51 - workaround for a test failure on some configurations of Strawberry Perl - add test_requires for things the tests depend on 0.11 2009-04-21 - switch from NEXT to MRO::Compat 0.10 2008-10-13 - fix access_denied action support 0.09 2008-08-22 - fix the overwriting of $c->req->args for access_denied handlers 0.08 2006-07-21 20:01:00 - protect ACL::Engine from custom $SIG{__DIE__} handlers 0.07 2006-07-05 23:15:27 - support for ACL setup in app config - bug fix for private access_denied action 0.06 2005-12-25 20:37:00 - Added forcibly_allow_access, proper denial handling - allow for constant conditions - i think there was something else 0.05 2005-12-25 20:37:00 - Forgot to changelog this release ;-) 0.04 2005-12-08 10:15:00 - Fix a bug with ACLs on "/" 0.03 2005-12-04 22:07:00 - Maybe some tiny doc fixes - No longer relies on Test::Plan which had some trouble with windows and was used incorrectly anyhow ;-) 0.02 ??? - can't recall, may have been drunk 0.01 ??? - Initial release. Catalyst-Plugin-Authorization-ACL-0.16/dist.ini000644 000765 000024 00000000570 12335064737 022403 0ustar00rkitoverstaff000000 000000 name = Catalyst-Plugin-Authorization-ACL author = Yuval Kogman license = Perl_5 copyright_holder = Yuval Kogman copyright_year = 2014 [@AVAR] dist = Catalyst-Plugin-Authorization-ACL bugtracker = rt authority = cpan:RKITOVER github_user = rkitover install_command = cpanm . Catalyst-Plugin-Authorization-ACL-0.16/lib/000755 000765 000024 00000000000 12335064737 021503 5ustar00rkitoverstaff000000 000000 Catalyst-Plugin-Authorization-ACL-0.16/LICENSE000644 000765 000024 00000043655 12335064737 021757 0ustar00rkitoverstaff000000 000000 This software is copyright (c) 2014 by Yuval Kogman. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. Terms of the Perl programming language system itself a) the GNU General Public License as published by the Free Software Foundation; either version 1, or (at your option) any later version, or b) the "Artistic License" --- The GNU General Public License, Version 1, February 1989 --- This software is Copyright (c) 2014 by Yuval Kogman. This is free software, licensed under: The GNU General Public License, Version 1, February 1989 GNU GENERAL PUBLIC LICENSE Version 1, February 1989 Copyright (C) 1989 Free Software Foundation, Inc. 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The license agreements of most software companies try to keep users at the mercy of those companies. By contrast, our General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. The General Public License applies to the Free Software Foundation's software and to any other program whose authors commit to using it. You can use it for your programs, too. When we speak of free software, we are referring to freedom, not price. Specifically, the General Public License is designed to make sure that you have the freedom to give away or sell copies of free software, that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of a such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must tell them their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License Agreement applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any work containing the Program or a portion of it, either verbatim or with modifications. Each licensee is addressed as "you". 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this General Public License and to the absence of any warranty; and give any other recipients of the Program a copy of this General Public License along with the Program. You may charge a fee for the physical act of transferring a copy. 2. You may modify your copy or copies of the Program or any portion of it, and copy and distribute such modifications under the terms of Paragraph 1 above, provided that you also do the following: a) cause the modified files to carry prominent notices stating that you changed the files and the date of any change; and b) cause the whole of any work that you distribute or publish, that in whole or in part contains the Program or any part thereof, either with or without modifications, to be licensed at no charge to all third parties under the terms of this General Public License (except that you may choose to grant warranty protection to some or all third parties, at your option). c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the simplest and most usual way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this General Public License. d) You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. Mere aggregation of another independent work with the Program (or its derivative) on a volume of a storage or distribution medium does not bring the other work under the scope of these terms. 3. You may copy and distribute the Program (or a portion or derivative of it, under Paragraph 2) in object code or executable form under the terms of Paragraphs 1 and 2 above provided that you also do one of the following: a) accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Paragraphs 1 and 2 above; or, b) accompany it with a written offer, valid for at least three years, to give any third party free (except for a nominal charge for the cost of distribution) a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Paragraphs 1 and 2 above; or, c) accompany it with the information you received as to where the corresponding source code may be obtained. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form alone.) Source code for a work means the preferred form of the work for making modifications to it. For an executable file, complete source code means all the source code for all modules it contains; but, as a special exception, it need not include source code for modules which are standard libraries that accompany the operating system on which the executable file runs, or for standard header files or definitions files that accompany that operating system. 4. You may not copy, modify, sublicense, distribute or transfer the Program except as expressly provided under this General Public License. Any attempt otherwise to copy, modify, sublicense, distribute or transfer the Program is void, and will automatically terminate your rights to use the Program under this License. However, parties who have received copies, or rights to use copies, from you under this General Public License will not have their licenses terminated so long as such parties remain in full compliance. 5. By copying, distributing or modifying the Program (or any work based on the Program) you indicate your acceptance of this license to do so, and all its terms and conditions. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. 7. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of the license which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the license, you may choose any version ever published by the Free Software Foundation. 8. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 9. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 10. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS Appendix: How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to humanity, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) 19yy This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 1, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301 USA Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) 19xx name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (a program to direct compilers to make passes at assemblers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice That's all there is to it! --- The Artistic License 1.0 --- This software is Copyright (c) 2014 by Yuval Kogman. This is free software, licensed under: The Artistic License 1.0 The Artistic License Preamble The intent of this document is to state the conditions under which a Package may be copied, such that the Copyright Holder maintains some semblance of artistic control over the development of the package, while giving the users of the package the right to use and distribute the Package in a more-or-less customary fashion, plus the right to make reasonable modifications. Definitions: - "Package" refers to the collection of files distributed by the Copyright Holder, and derivatives of that collection of files created through textual modification. - "Standard Version" refers to such a Package if it has not been modified, or has been modified in accordance with the wishes of the Copyright Holder. - "Copyright Holder" is whoever is named in the copyright or copyrights for the package. - "You" is you, if you're thinking about copying or distributing this Package. - "Reasonable copying fee" is whatever you can justify on the basis of media cost, duplication charges, time of people involved, and so on. (You will not be required to justify it to the Copyright Holder, but only to the computing community at large as a market that must bear the fee.) - "Freely Available" means that no fee is charged for the item itself, though there may be fees involved in handling the item. It also means that recipients of the item may redistribute it under the same conditions they received it. 1. You may make and give away verbatim copies of the source form of the Standard Version of this Package without restriction, provided that you duplicate all of the original copyright notices and associated disclaimers. 2. You may apply bug fixes, portability fixes and other modifications derived from the Public Domain or from the Copyright Holder. A Package modified in such a way shall still be considered the Standard Version. 3. You may otherwise modify your copy of this Package in any way, provided that you insert a prominent notice in each changed file stating how and when you changed that file, and provided that you do at least ONE of the following: a) place your modifications in the Public Domain or otherwise make them Freely Available, such as by posting said modifications to Usenet or an equivalent medium, or placing the modifications on a major archive site such as ftp.uu.net, or by allowing the Copyright Holder to include your modifications in the Standard Version of the Package. b) use the modified Package only within your corporation or organization. c) rename any non-standard executables so the names do not conflict with standard executables, which must also be provided, and provide a separate manual page for each non-standard executable that clearly documents how it differs from the Standard Version. d) make other distribution arrangements with the Copyright Holder. 4. You may distribute the programs of this Package in object code or executable form, provided that you do at least ONE of the following: a) distribute a Standard Version of the executables and library files, together with instructions (in the manual page or equivalent) on where to get the Standard Version. b) accompany the distribution with the machine-readable source of the Package with your modifications. c) accompany any non-standard executables with their corresponding Standard Version executables, giving the non-standard executables non-standard names, and clearly documenting the differences in manual pages (or equivalent), together with instructions on where to get the Standard Version. d) make other distribution arrangements with the Copyright Holder. 5. You may charge a reasonable copying fee for any distribution of this Package. You may charge any fee you choose for support of this Package. You may not charge a fee for this Package itself. However, you may distribute this Package in aggregate with other (possibly commercial) programs as part of a larger (possibly commercial) software distribution provided that you do not advertise this Package as a product of your own. 6. The scripts and library files supplied as input to or produced as output from the programs of this Package do not automatically fall under the copyright of this Package, but belong to whomever generated them, and may be sold commercially, and may be aggregated with this Package. 7. C or perl subroutines supplied by you and linked into this Package shall not be considered part of this Package. 8. The name of the Copyright Holder may not be used to endorse or promote products derived from this software without specific prior written permission. 9. THIS PACKAGE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. The End Catalyst-Plugin-Authorization-ACL-0.16/Makefile.PL000644 000765 000024 00000005040 12335064737 022706 0ustar00rkitoverstaff000000 000000 # This file was automatically generated by Dist::Zilla::Plugin::MakeMaker v5.016. use strict; use warnings; use ExtUtils::MakeMaker 6.30; my %WriteMakefileArgs = ( "ABSTRACT" => "ACL support for Catalyst applications.", "AUTHOR" => "Yuval Kogman ", "BUILD_REQUIRES" => {}, "CONFIGURE_REQUIRES" => { "ExtUtils::MakeMaker" => "6.30" }, "DISTNAME" => "Catalyst-Plugin-Authorization-ACL", "EXE_FILES" => [], "LICENSE" => "perl", "NAME" => "Catalyst::Plugin::Authorization::ACL", "PREREQ_PM" => { "Carp" => 0, "Catalyst::ClassData" => 0, "Class::Throwable" => 0, "Exporter" => 0, "List::Util" => 0, "Moose" => 0, "Moose::Object" => 0, "Scalar::Util" => 0, "Tree::Simple" => 0, "Tree::Simple::Visitor::FindByPath" => 0, "Tree::Simple::Visitor::GetAllDescendents" => 0, "mro" => 0, "namespace::autoclean" => 0 }, "TEST_REQUIRES" => { "Catalyst" => 0, "Catalyst::Controller" => 0, "Catalyst::Plugin::Authentication" => 0, "Catalyst::Plugin::Authorization::Roles" => 0, "Catalyst::Plugin::Session" => 0, "Catalyst::Plugin::Session::State::Cookie" => 0, "File::Spec" => 0, "IO::Handle" => 0, "IPC::Open3" => 0, "Test::More" => 0, "Test::WWW::Mechanize::Catalyst" => 0, "base" => 0, "lib" => 0, "strict" => 0, "warnings" => 0 }, "VERSION" => "0.16", "test" => { "TESTS" => "t/*.t" } ); my %FallbackPrereqs = ( "Carp" => 0, "Catalyst" => 0, "Catalyst::ClassData" => 0, "Catalyst::Controller" => 0, "Catalyst::Plugin::Authentication" => 0, "Catalyst::Plugin::Authorization::Roles" => 0, "Catalyst::Plugin::Session" => 0, "Catalyst::Plugin::Session::State::Cookie" => 0, "Class::Throwable" => 0, "Exporter" => 0, "File::Spec" => 0, "IO::Handle" => 0, "IPC::Open3" => 0, "List::Util" => 0, "Moose" => 0, "Moose::Object" => 0, "Scalar::Util" => 0, "Test::More" => 0, "Test::WWW::Mechanize::Catalyst" => 0, "Tree::Simple" => 0, "Tree::Simple::Visitor::FindByPath" => 0, "Tree::Simple::Visitor::GetAllDescendents" => 0, "base" => 0, "lib" => 0, "mro" => 0, "namespace::autoclean" => 0, "strict" => 0, "warnings" => 0 ); unless ( eval { ExtUtils::MakeMaker->VERSION(6.63_03) } ) { delete $WriteMakefileArgs{TEST_REQUIRES}; delete $WriteMakefileArgs{BUILD_REQUIRES}; $WriteMakefileArgs{PREREQ_PM} = \%FallbackPrereqs; } delete $WriteMakefileArgs{CONFIGURE_REQUIRES} unless eval { ExtUtils::MakeMaker->VERSION(6.52) }; WriteMakefile(%WriteMakefileArgs); Catalyst-Plugin-Authorization-ACL-0.16/MANIFEST000644 000765 000024 00000001104 12335064737 022062 0ustar00rkitoverstaff000000 000000 # This file was automatically generated by Dist::Zilla::Plugin::Manifest v5.016. Changes LICENSE MANIFEST META.json META.yml Makefile.PL README dist.ini lib/Catalyst/Plugin/Authorization/ACL.pm lib/Catalyst/Plugin/Authorization/ACL/Engine.pm t/00-compile.t t/lib/ACLTestApp.pm t/lib/ACLTestApp/Controller/Auth.pm t/lib/ACLTestApp/Controller/LionCage.pm t/lib/ACLTestApp/Controller/Root.pm t/lib/ACLTestApp/Controller/Zoo.pm t/lib/ACLTestApp/Controller/Zoo/Penguins.pm t/lib/ACLTestApp2.pm t/lib/ACLTestApp2/Controller/Root.pm t/live_app.t t/more_live_app.t t/release-pod-syntax.t Catalyst-Plugin-Authorization-ACL-0.16/META.json000644 000765 000024 00000005140 12335064737 022356 0ustar00rkitoverstaff000000 000000 { "abstract" : "ACL support for Catalyst applications.", "author" : [ "Yuval Kogman " ], "dynamic_config" : 0, "generated_by" : "Dist::Zilla version 5.016, CPAN::Meta::Converter version 2.141170", "license" : [ "perl_5" ], "meta-spec" : { "url" : "http://search.cpan.org/perldoc?CPAN::Meta::Spec", "version" : "2" }, "name" : "Catalyst-Plugin-Authorization-ACL", "no_index" : { "directory" : [ "t" ] }, "prereqs" : { "configure" : { "requires" : { "ExtUtils::MakeMaker" : "6.30" } }, "develop" : { "requires" : { "Test::Pod" : "1.41" } }, "runtime" : { "requires" : { "Carp" : "0", "Catalyst::ClassData" : "0", "Class::Throwable" : "0", "Exporter" : "0", "List::Util" : "0", "Moose" : "0", "Moose::Object" : "0", "Scalar::Util" : "0", "Tree::Simple" : "0", "Tree::Simple::Visitor::FindByPath" : "0", "Tree::Simple::Visitor::GetAllDescendents" : "0", "mro" : "0", "namespace::autoclean" : "0" } }, "test" : { "requires" : { "Catalyst" : "0", "Catalyst::Controller" : "0", "Catalyst::Plugin::Authentication" : "0", "Catalyst::Plugin::Authorization::Roles" : "0", "Catalyst::Plugin::Session" : "0", "Catalyst::Plugin::Session::State::Cookie" : "0", "File::Spec" : "0", "IO::Handle" : "0", "IPC::Open3" : "0", "Test::More" : "0", "Test::WWW::Mechanize::Catalyst" : "0", "base" : "0", "lib" : "0", "perl" : "5.006", "strict" : "0", "warnings" : "0" } } }, "release_status" : "stable", "resources" : { "bugtracker" : { "mailto" : "bug-Catalyst-Plugin-Authorization-ACL@rt.cpan.org", "web" : "https://rt.cpan.org/Public/Dist/Display.html?Name=Catalyst-Plugin-Authorization-ACL" }, "homepage" : "http://metacpan.org/release/Catalyst-Plugin-Authorization-ACL", "license" : [ "http://dev.perl.org/licenses/" ], "repository" : { "type" : "git", "url" : "git://github.com/rkitover/catalyst-plugin-authorization-acl.git", "web" : "http://github.com/rkitover/catalyst-plugin-authorization-acl" } }, "version" : "0.16", "x_authority" : "cpan:RKITOVER" } Catalyst-Plugin-Authorization-ACL-0.16/META.yml000644 000765 000024 00000002727 12335064737 022216 0ustar00rkitoverstaff000000 000000 --- abstract: 'ACL support for Catalyst applications.' author: - 'Yuval Kogman ' build_requires: Catalyst: '0' Catalyst::Controller: '0' Catalyst::Plugin::Authentication: '0' Catalyst::Plugin::Authorization::Roles: '0' Catalyst::Plugin::Session: '0' Catalyst::Plugin::Session::State::Cookie: '0' File::Spec: '0' IO::Handle: '0' IPC::Open3: '0' Test::More: '0' Test::WWW::Mechanize::Catalyst: '0' base: '0' lib: '0' perl: '5.006' strict: '0' warnings: '0' configure_requires: ExtUtils::MakeMaker: '6.30' dynamic_config: 0 generated_by: 'Dist::Zilla version 5.016, CPAN::Meta::Converter version 2.141170' license: perl meta-spec: url: http://module-build.sourceforge.net/META-spec-v1.4.html version: '1.4' name: Catalyst-Plugin-Authorization-ACL no_index: directory: - t requires: Carp: '0' Catalyst::ClassData: '0' Class::Throwable: '0' Exporter: '0' List::Util: '0' Moose: '0' Moose::Object: '0' Scalar::Util: '0' Tree::Simple: '0' Tree::Simple::Visitor::FindByPath: '0' Tree::Simple::Visitor::GetAllDescendents: '0' mro: '0' namespace::autoclean: '0' resources: bugtracker: https://rt.cpan.org/Public/Dist/Display.html?Name=Catalyst-Plugin-Authorization-ACL homepage: http://metacpan.org/release/Catalyst-Plugin-Authorization-ACL license: http://dev.perl.org/licenses/ repository: git://github.com/rkitover/catalyst-plugin-authorization-acl.git version: '0.16' x_authority: cpan:RKITOVER Catalyst-Plugin-Authorization-ACL-0.16/README000644 000765 000024 00000024400 12335064737 021615 0ustar00rkitoverstaff000000 000000 NAME Catalyst::Plugin::Authorization::ACL - ACL support for Catalyst applications. SYNOPSIS use Catalyst qw/ Authentication Authorization::Roles Authorization::ACL /; __PACKAGE__->setup; __PACKAGE__->deny_access_unless( "/foo/bar", [qw/nice_role/], ); __PACKAGE__->allow_access_if( "/foo/bar/gorch", sub { return $boolean }, ); DESCRIPTION This module provides Access Control List style path protection, with arbitrary rules for Catalyst applications. It operates only on the Catalyst private namespace, at least at the moment. The two hierarchies of actions and controllers in Catalyst are: Private Namespace Every action has its own private path. This path reflects the Perl namespaces the actions were born in, and the namespaces of their controllers. External Namespace Some actions are also directly accessible from the outside, via a URL. The private and external paths will be the same, if you are using Local actions. Alternatively you can use "Path", "Regex", or "Global" to specify a different external path for your action. The ACL module currently only knows to exploit the private namespace. In the future extensions may be made to support external namespaces as well. Various types of rules are supported, see the list under "RULES". When a path is visited, rules are tested one after the other, with the most exact rule fitting the path first, and continuing up the path. Testing continues until a rule explcitly allows or denies access. METHODS allow_access_if Arguments: $path, $rule Check the rule condition and allow access to the actions under $path if the rule returns true. This is normally useful to allow acces only to a specific part of a tree whose parent has a "deny_access_unless" clause attached to it. If the rule test returns false access is not denied or allowed. Instead the next rule in the chain will be checked - in this sense the combinatory behavior of these rules is like logical OR. allow_access_if_any Arguments: $path, \@roles Same as above for any role in the list. deny_access_unless Arguments: $path, $rule Check the rule condition and disallow access if the rule returns false. This is normally useful to restrict access to any portion of the application unless a certain condition can be met. If the rule test returns true access is not allowed or denied. Instead the next rule in the chain will be checked - in this sense the combinatory behavior of these rules is like logical AND. deny_access_unless_any Arguments: $path, \@roles Same as above for any role in the list. allow_access deny_access Arguments: $path Unconditionally allow or deny access to a path. acl_add_rule Arguments: $path, $rule, [ $filter ] Manually add a rule to all the actions under $path using the more flexible (but more verbose) method: __PACKAGE__->acl_add_rule( "/foo", sub { ... }, # see FLEXIBLE RULES below sub { my $action = shift; # return a true value if you want to apply the rule to this action # called for all the actions under "/foo" } }; In this case the rule must be a sub reference (or method name) to be invoked on $c. The default filter will skip all actions starting with an underscore, namely "_DISPATCH", "_AUTO", etc (but not "auto", "begin", et al). acl_access_denied Arguments: $c, $class, $action, $err acl_access_allowed Arguments: $c, $class, $action The default event handlers for access denied or allowed conditions. See below on handling access violations. acl_allow_root_internals Adds rules that permit access to the root controller (YourApp.pm) "auto", "begin" and "end" unconditionally. EXTENDED METHODS execute The hook for rule evaluation setup_actions RULE EVALUATION When a rule is attached to an action the "distance" from the path it was specified in is recorded. The closer the path is to the rule, the earlier it will be checked. Any rule can either explicitly deny or explicitly allow access to a particular action. If a rule does not explicitly allow or permit access, the next rule is checked, until the list of rules is finished. If no rule has determined a policy, access to the path will be permitted. PATHS To apply a rule to an action or group of actions you must supply a path. This path is what you should see dumped at the beginning of the Catalyst server's debug output. For example, for the "foo" action defined at the root level of your application, specify "/foo". Under the "Moose" controller (e.g. "MyApp::C::Moose", the action "bar" will be "/moose/bar"). The "distance" a path has from an action that is contained in it is the the difference in the number of slashes between the path of the action, and the path to which the rule was applied. RULES Easy Rules There are several kinds of rules you can create without using the complex interface described in "FLEXIBLE RULES". The easy rules are all predicate list oriented. "allow_access_if" will explicitly allow access if the predicate is true, and "deny_access_unless" will explicitly disallow if the predicate is false. Role Lists __PACAKGE__->deny_access_unless_any( "/foo/bar", [qw/admin moose_trainer/] ); When the role is evaluated the Catalyst::Plugin::Authorization::Roles will be used to check whether the currently logged in user has the specified roles. If "allow_access_if_any" is used, the presence of any of the roles in the list will immediately permit access, and if "deny_access_unless_any" is used, the lack of all of the roles will immediately deny access. Similarly, if "allow_access_if" is used, the presence of all the roles will immediately permit access, and if "deny_access_unless" is used, the lack of any of the roles will immediately deny access. When specifying a role list without the Catalyst::Plugin::Authorization::Roles plugin loaded the ACL engine will throw an error. Predicate Code Reference / Method Name The code reference or method is invoked with the context and the action objects. The boolean return value will determine the behavior of the rule. __PACKAGE__->allow_access_if( "/gorch", sub { ... } ); __PACKAGE__->deny_access_unless( "/moose", "method_name" ); When specifying a method name the rule engine ensures that it can be invoked using "can" in UNIVERSAL. Constant You can use "undef", 0 and '' to use as a constant false predicate, or 1 to use as a constant true predicate. Flexible Rules These rules are the most annoying to write but provide the most flexibility. All access control is performed using exceptions - $Catalyst::Plugin::Authorization::ACL::Engine::DENIED, and $Catalyst::Plugin::Authorization::ACL::Engine::ALLOWED (these can be imported from the engine module). If no rule decides to explicitly allow or deny access, access will be permitted. Here is a rule that will always break out of rule processing by either explicitly allowing or denying access based on how much mojo the current user has: __PACKAGE__->acl_add_rule( "/foo", sub { my ( $c, $action ) = @_; if ( $c->user->mojo > 50 ) { die $ALLOWED; } else { die $DENIED; } } ); HANDLING DENIAL There are two plugin methods that can be called when a rule makes a decision about an action: acl_access_allowed A no-op acl_access_denied Looks for a private action named "access_denied" from the denied action's controller and outwards (much like "auto"), and if none is found throws an access denied exception. forcibly_allow_access Within an "access_denied" action this will immediately cause the blocked action to be executed anyway. This means that you have several alternatives: Provide an "access_denied" action package MyApp::Controller::Foo; sub access_denied : Private { my ( $self, $c, $action ) = @_; ... $c->forcibly_allow_access if $you->mean_it eq "really"; } If you call "forcibly_allow_access" then the blocked action will be immediately unblocked. Otherwise the execution of the action will cease, and return to it's caller or end. Cleanup in "end" sub end : Private { my ( $self, $c ) = @_; if ( $c->error and $c->error->[-1] eq "access denied" ) { $c->error(0); # clear the error # access denied } else { # normal end } } Override the plugin event handler methods package MyApp; sub acl_access_allowed { my ( $c, $class, $action ) = @_; ... } sub acl_access_denied { my ( $c, $class, $action, $err ) = @_; ... } $class is the controller class the $action object was going to be executed in, and $err is the exception cought during rule evaluation, if any (access is denied if a rule raises an exception). SEE ALSO Catalyst::Plugin::Authentication, Catalyst::Plugin::Authorization::Roles, AUTHOR Yuval Kogman CONTRIBUTORS castaway: Jess Robinson caelum: Rafael Kitover COPYRIGHT & LICENSE Copyright (c) 2005 - 2009 the Catalyst::Plugin::Authorization::ACL "AUTHOR" and "CONTRIBUTORS" as listed above. This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself. Catalyst-Plugin-Authorization-ACL-0.16/t/000755 000765 000024 00000000000 12335064737 021200 5ustar00rkitoverstaff000000 000000 Catalyst-Plugin-Authorization-ACL-0.16/t/00-compile.t000644 000765 000024 00000002031 12335064737 023226 0ustar00rkitoverstaff000000 000000 use 5.006; use strict; use warnings; # this test was generated with Dist::Zilla::Plugin::Test::Compile 2.040 use Test::More tests => 2 + ($ENV{AUTHOR_TESTING} ? 1 : 0); my @module_files = ( 'Catalyst/Plugin/Authorization/ACL.pm', 'Catalyst/Plugin/Authorization/ACL/Engine.pm' ); # no fake home requested my $inc_switch = -d 'blib' ? '-Mblib' : '-Ilib'; use File::Spec; use IPC::Open3; use IO::Handle; open my $stdin, '<', File::Spec->devnull or die "can't open devnull: $!"; my @warnings; for my $lib (@module_files) { # see L my $stderr = IO::Handle->new; my $pid = open3($stdin, '>&STDERR', $stderr, $^X, $inc_switch, '-e', "require q[$lib]"); binmode $stderr, ':crlf' if $^O eq 'MSWin32'; my @_warnings = <$stderr>; waitpid($pid, 0); is($?, 0, "$lib loaded ok"); if (@_warnings) { warn @_warnings; push @warnings, @_warnings; } } is(scalar(@warnings), 0, 'no warnings found') if $ENV{AUTHOR_TESTING}; Catalyst-Plugin-Authorization-ACL-0.16/t/lib/000755 000765 000024 00000000000 12335064737 021746 5ustar00rkitoverstaff000000 000000 Catalyst-Plugin-Authorization-ACL-0.16/t/live_app.t000644 000765 000024 00000004564 12335064737 023175 0ustar00rkitoverstaff000000 000000 #!/usr/bin/perl use strict; use warnings; use lib "t/lib"; use Test::More; BEGIN { eval { require Test::WWW::Mechanize::Catalyst; require Catalyst::Plugin::Authorization::Roles; require Catalyst::Plugin::Authentication; require Catalyst::Plugin::Session; require Catalyst::Plugin::Session::State::Cookie; } or plan 'skip_all' => "A bunch of plugins are required for this test... Look in the source if you really care... $@"; plan tests => 97; } use Test::WWW::Mechanize::Catalyst 'ACLTestApp'; my $m = Test::WWW::Mechanize::Catalyst->new; my $u = "http://localhost"; is_allowed("", "welcome"); is_denied("restricted"); is_denied("lioncage"); is_denied("zoo/elk"); is_denied("zoo/moose"); is_denied("zoo/rabbit"); is_denied("zoo/penguins/emperor"); is_denied("zoo/penguins/tux"); is_denied("zoo/penguins/madagascar"); login(qw/foo bar/); is_allowed("auth/check", "logged in"); is_denied("restricted"); is_denied("lioncage"); is_allowed("zoo/elk"); is_denied("zoo/moose"); is_denied("zoo/rabbit"); is_allowed("zoo/penguins/emperor"); is_denied("zoo/penguins/tux"); is_allowed("zoo/penguins/madagascar"); is_allowed("auth/logout"); is_denied("restricted"); is_denied("lioncage"); is_denied("zoo/elk"); is_denied("zoo/moose"); is_denied("zoo/rabbit"); is_denied("zoo/penguins/emperor"); is_denied("zoo/penguins/tux"); is_denied("zoo/penguins/madagascar"); login(qw/gorch moose/); is_allowed("zoo/elk"); is_denied("zoo/moose"); is_allowed("zoo/rabbit"); is_denied("lioncage"); is_denied("restricted"); is_allowed("zoo/penguins/emperor"); is_allowed("zoo/penguins/tux"); is_allowed("zoo/penguins/madagascar"); login(qw/quxx ding/); is_allowed("zoo/elk"); is_allowed("zoo/moose"); is_denied("zoo/rabbit"); is_allowed("lioncage"); is_denied("restricted"); is_allowed("zoo/penguins/emperor"); is_denied("zoo/penguins/tux"); is_allowed("zoo/penguins/madagascar"); sub login { my ( $l, $p ) = @_; is_allowed("auth/login?login=$l&password=$p", "login successful"); } sub is_denied { my $path = shift; local $Test::Builder::Level = 2; $m->get_ok("$u/$path", "get '$path'"); $m->content_is("denied", "access to '$path' is denied"); } sub is_allowed { my ( $path, $contains ) = @_; $path ||= ""; $m->get_ok("$u/$path", "get '$path'"); $m->content_contains( $contains, "'$path' contains '$contains'") if $contains; $m->content_like(qr/allowed$/, "access to '$path' is allowed"); } Catalyst-Plugin-Authorization-ACL-0.16/t/more_live_app.t000644 000765 000024 00000002334 12335064737 024210 0ustar00rkitoverstaff000000 000000 #!/usr/bin/perl use strict; use warnings; use lib "t/lib"; use Test::More; BEGIN { eval { require Test::WWW::Mechanize::Catalyst; } or plan 'skip_all' => "Test::WWW::Mechanize::Catalyst required"; plan tests => 14; } use Test::WWW::Mechanize::Catalyst 'ACLTestApp2'; my $m = Test::WWW::Mechanize::Catalyst->new; my $u = "http://localhost"; $m->get_ok( "$u/foo", "get foo" ); $m->content_contains( "", "access to end forbidden" ); $m->get_ok( "$u/bar", "get bar" ); $m->content_contains( "bar", "access to end forbidden" ); ACLTestApp2->acl_allow_root_internals; $m->get_ok( "$u/foo", "get foo" ); $m->content_contains( "denied handled", "denied, handled" ); $m->get_ok( "$u/bar", "get bar" ); $m->content_contains( "allowed bar", "allowed" ); $m->get_ok( "$u/gorch", "get gorch" ); $m->content_contains( "denied handled gorch", "denied but overridden by handler" ); $m->get_ok( "$u/gorch/wozzle", "get gorch" ); $m->content_contains( "frozjob=wozzle", "overriden acces has params intact" ); is( $m->res->header( 'X-Catalyst-ACL-Param-Action' ), 'gorch', '$action param to access_denied' ); like( $m->res->header( 'X-Catalyst-ACL-Param-Error' ), qr{Access to gorch denied by rule}, '$error param to access_denied' ); Catalyst-Plugin-Authorization-ACL-0.16/t/release-pod-syntax.t000644 000765 000024 00000000456 12335064737 025116 0ustar00rkitoverstaff000000 000000 #!perl BEGIN { unless ($ENV{RELEASE_TESTING}) { require Test::More; Test::More::plan(skip_all => 'these tests are for release candidate testing'); } } # This file was automatically generated by Dist::Zilla::Plugin::PodSyntaxTests. use Test::More; use Test::Pod 1.41; all_pod_files_ok(); Catalyst-Plugin-Authorization-ACL-0.16/t/lib/ACLTestApp/000755 000765 000024 00000000000 12335064737 023646 5ustar00rkitoverstaff000000 000000 Catalyst-Plugin-Authorization-ACL-0.16/t/lib/ACLTestApp.pm000644 000765 000024 00000003640 12335064737 024207 0ustar00rkitoverstaff000000 000000 package ACLTestApp; use strict; use warnings; no warnings 'uninitialized'; use Catalyst qw/ Session Session::Store::Dummy Session::State::Cookie Authentication Authentication::Store::Minimal Authentication::Credential::Password Authorization::Roles Authorization::ACL /; use Catalyst::Plugin::Authorization::ACL::Engine qw/$DENIED $ALLOWED/; __PACKAGE__->config( authentication => { users => { foo => { password => "bar", os => "windows", }, gorch => { password => "moose", roles => [qw/child/], os => "linux", }, quxx => { password => "ding", roles => [qw/zoo_worker moose_trainer/], os => "osx", }, }, }, acl => { deny => ["/restricted"], } ); __PACKAGE__->setup; __PACKAGE__->allow_access_if("/", sub { 1 }); # just to test that / can be applied to __PACKAGE__->deny_access_unless_any("/lioncage", [qw/zoo_worker lion_tamer/]); # this now in config # __PACKAGE__->deny_access_unless("/restricted", sub { 0 }); # no one can access __PACKAGE__->deny_access_unless("/zoo", sub { my ( $c, $action ) = @_; $c->user; }); # only people who have bought a ticket can enter __PACKAGE__->deny_access_unless("/zoo/rabbit", ["child"]); # the petting zoo is for children __PACKAGE__->deny_access_unless("/zoo/moose", [qw/moose_trainer/]); __PACKAGE__->acl_add_rule("/zoo/penguins/tux", sub { my ( $c, $action ) = @_; my $user = $c->user; die ( ( $user && $user->os eq "linux" ) ? $Catalyst::Plugin::Authorization::ACL::Engine::ALLOWED : $Catalyst::Plugin::Authorization::ACL::Engine::DENIED ); }); __PACKAGE__->allow_access_if("/zoo/penguins/madagascar", sub { my ( $c, $action ) = @_; my $user = $c->user; $user && $user->os ne "windows"; }); __PACKAGE__ Catalyst-Plugin-Authorization-ACL-0.16/t/lib/ACLTestApp2/000755 000765 000024 00000000000 12335064737 023730 5ustar00rkitoverstaff000000 000000 Catalyst-Plugin-Authorization-ACL-0.16/t/lib/ACLTestApp2.pm000644 000765 000024 00000000336 12335064737 024270 0ustar00rkitoverstaff000000 000000 package ACLTestApp2; use strict; use warnings; no warnings 'uninitialized'; use Catalyst qw/ Authorization::ACL /; __PACKAGE__->setup; __PACKAGE__->deny_access("/"); __PACKAGE__->allow_access("/bar"); __PACKAGE__; Catalyst-Plugin-Authorization-ACL-0.16/t/lib/ACLTestApp2/Controller/000755 000765 000024 00000000000 12335064737 026053 5ustar00rkitoverstaff000000 000000 Catalyst-Plugin-Authorization-ACL-0.16/t/lib/ACLTestApp2/Controller/Root.pm000644 000765 000024 00000002026 12335064737 027334 0ustar00rkitoverstaff000000 000000 package ACLTestApp2::Controller::Root; use strict; use warnings; no warnings 'uninitialized'; use base 'Catalyst::Controller'; __PACKAGE__->config->{namespace} = ''; sub foo : Local { my ( $self, $c ) = @_; $c->res->body( $c->res->body . "foo"); } sub bar : Local { my ( $self, $c ) = @_; $c->res->body( $c->res->body . "bar"); } sub gorch : Local { my ( $self, $c, $frozjob ) = @_; $c->res->body( $c->res->body . "gorch"); $c->res->body( $c->res->body . "&frozjob=$frozjob"); } sub end : Private { my ( $self, $c ) = @_; $c->res->body( join " ", ( $c->stash->{denied} || @{ $c->error } ? "denied" : "allowed" ), $c->res->body ); } sub access_denied : Private { my ( $self, $c, $action, $error ) = @_; $c->res->header( 'X-Catalyst-ACL-Param-Action' => $action->reverse, 'X-Catalyst-ACL-Param-Error' => $error ); $c->res->body( join " ", "handled", $c->res->body ); $c->stash->{denied} = 1; $c->forcibly_allow_access if $c->action->name eq "gorch"; } __PACKAGE__; Catalyst-Plugin-Authorization-ACL-0.16/t/lib/ACLTestApp/Controller/000755 000765 000024 00000000000 12335064737 025771 5ustar00rkitoverstaff000000 000000 Catalyst-Plugin-Authorization-ACL-0.16/t/lib/ACLTestApp/Controller/Auth.pm000644 000765 000024 00000001100 12335064737 027220 0ustar00rkitoverstaff000000 000000 #!/usr/bin/perl package ACLTestApp::Controller::Auth; use base qw/Catalyst::Controller/; use strict; use warnings; sub login : Local { my ( $self, $c ) = @_; $c->res->body( $c->login ? "login successful" : "login failed" ); } sub logout : Local { my ( $self, $c ) = @_; $c->logout; $c->res->body( "goodbye" ); } sub check : Local { my ( $self, $c ) = @_; $c->res->body( $c->user ? "logged in" : "guest" ); } __PACKAGE__; __END__ =pod =head1 NAME ACLTestApp::Controller::Auth - =head1 SYNOPSIS use ACLTestApp::Controller::Auth; =head1 DESCRIPTION =cut Catalyst-Plugin-Authorization-ACL-0.16/t/lib/ACLTestApp/Controller/LionCage.pm000644 000765 000024 00000000577 12335064737 030021 0ustar00rkitoverstaff000000 000000 #!/usr/bin/perl package ACLTestApp::Controller::LionCage; use base qw/Catalyst::Controller/; use strict; use warnings; sub default : Private { my ( $self, $c ) = @_; $c->res->body( "no-one is allowed in here" ); } __PACKAGE__; __END__ =pod =head1 NAME ACLTestApp::Controller::LionCage - =head1 SYNOPSIS use ACLTestApp::Controller::LionCage; =head1 DESCRIPTION =cut Catalyst-Plugin-Authorization-ACL-0.16/t/lib/ACLTestApp/Controller/Root.pm000644 000765 000024 00000001136 12335064737 027253 0ustar00rkitoverstaff000000 000000 package ACLTestApp::Controller::Root; use strict; use warnings; no warnings 'uninitialized'; use base 'Catalyst::Controller'; __PACKAGE__->config->{namespace} = ''; sub restricted : Local { my ( $self, $c ) = @_; $c->res->body( "restricted" ); } sub default : Private { my ( $self, $c ) = @_; $c->res->body( "welcome to the zoo!" ); } sub access_denied : Private { my ( $self, $c ) = @_; $c->res->body($c->res->body . 'denied'); } sub end : Private { my ( $self, $c ) = @_; if ($c->res->body !~ /denied/) { $c->res->body($c->res->body . 'allowed'); } } __PACKAGE__; Catalyst-Plugin-Authorization-ACL-0.16/t/lib/ACLTestApp/Controller/Zoo/000755 000765 000024 00000000000 12335064737 026540 5ustar00rkitoverstaff000000 000000 Catalyst-Plugin-Authorization-ACL-0.16/t/lib/ACLTestApp/Controller/Zoo.pm000644 000765 000024 00000000746 12335064737 027105 0ustar00rkitoverstaff000000 000000 #!/usr/bin/perl package ACLTestApp::Controller::Zoo; use base qw/Catalyst::Controller/; use strict; use warnings; sub moose : Local { my ( $self, $c ) = @_; $c->res->body("moose"); } sub elk : Local { my ( $self, $c ) = @_; $c->res->body("elk "); } sub rabbit : Local { my ( $self, $c ) = @_; $c->res->body("rabbit "); } __PACKAGE__; __END__ =pod =head1 NAME ACLTestApp::Controller::Zoo - =head1 SYNOPSIS use ACLTestApp::Controller::Zoo; =head1 DESCRIPTION =cut Catalyst-Plugin-Authorization-ACL-0.16/t/lib/ACLTestApp/Controller/Zoo/Penguins.pm000644 000765 000024 00000001001 12335064737 030656 0ustar00rkitoverstaff000000 000000 #!/usr/bin/perl package ACLTestApp::Controller::Zoo::Penguins; use base qw/Catalyst::Controller/; use strict; use warnings; sub emperor : Local { my ( $self, $c ) = @_; $c->res->body("emperor penguin"); } sub tux : Local { my ( $self, $c ) = @_; $c->res->body("tux"); } sub madagascar : Local { my ( $self, $c ) = @_; $c->res->body("madagascar"); } __PACKAGE__; __END__ =pod =head1 NAME ACLTestApp::Controller::Zoo - =head1 SYNOPSIS use ACLTestApp::Controller::Zoo; =head1 DESCRIPTION =cut Catalyst-Plugin-Authorization-ACL-0.16/lib/Catalyst/000755 000765 000024 00000000000 12335064737 023267 5ustar00rkitoverstaff000000 000000 Catalyst-Plugin-Authorization-ACL-0.16/lib/Catalyst/Plugin/000755 000765 000024 00000000000 12335064737 024525 5ustar00rkitoverstaff000000 000000 Catalyst-Plugin-Authorization-ACL-0.16/lib/Catalyst/Plugin/Authorization/000755 000765 000024 00000000000 12335064737 027365 5ustar00rkitoverstaff000000 000000 Catalyst-Plugin-Authorization-ACL-0.16/lib/Catalyst/Plugin/Authorization/ACL/000755 000765 000024 00000000000 12335064737 027764 5ustar00rkitoverstaff000000 000000 Catalyst-Plugin-Authorization-ACL-0.16/lib/Catalyst/Plugin/Authorization/ACL.pm000644 000765 000024 00000032647 12335064737 030336 0ustar00rkitoverstaff000000 000000 package Catalyst::Plugin::Authorization::ACL; BEGIN { $Catalyst::Plugin::Authorization::ACL::AUTHORITY = 'cpan:RKITOVER'; } $Catalyst::Plugin::Authorization::ACL::VERSION = '0.16'; use namespace::autoclean; use Moose; use mro 'c3'; with 'Catalyst::ClassData'; use Scalar::Util (); use Catalyst::Plugin::Authorization::ACL::Engine qw/$DENIED $ALLOWED/; # TODO # refactor forcibly_allow_access so that the guts are cleaner __PACKAGE__->mk_classdata("_acl_engine"); my $FORCE_ALLOW = bless {}, __PACKAGE__ . "::Exception"; sub execute { my ( $c, $class, $action ) = @_; if ( Scalar::Util::blessed($action) and $action->name ne "access_denied" and $action->name ne "ACL error rethrower" ) { eval { $c->_acl_engine->check_action_rules( $c, $action ) }; if ( my $err = $@ ) { my $force_allow = $c->acl_access_denied( $class, $action, $err ); return unless $force_allow; } else { $c->acl_access_allowed( $class, $action ); } } $c->maybe::next::method( $class, $action ); } sub acl_allow_root_internals { my ( $app, $cmp ) = @_; foreach my $action ( qw/begin auto end/ ) { $app->allow_access("/$action") if $app->get_action($action, "/"); } } sub setup_actions { my $app = shift; my $ret = $app->maybe::next::method(@_); $app->_acl_engine( Catalyst::Plugin::Authorization::ACL::Engine->new($app) ); if ( my $config = $app->config->{acl} ) { foreach my $action ( qw/allow deny/ ) { my $method = "${action}_access"; if ( my $paths = $config->{$action} ) { $app->$method( $_ ) for @$paths; } my $cond = ( $action eq "allow" ? "if" : "unless" ); $method .= "_$cond"; if ( my $args = $config->{"${action}_$cond"} ) { my ( $cond, @paths ) = @$args; $app->$method( $cond, $_ ) for @paths; } } } $ret; } sub deny_access_unless { my $c = shift; $c->_acl_engine->add_deny(@_); } sub deny_access_unless_any { my ($c, $path, $roles) = @_; $c->deny_access_unless($path, sub { my ($c, $action) = @_; return $c->check_any_user_role(@$roles); }); } sub deny_access { my $c = shift; $c->deny_access_unless( @_, undef ); } sub allow_access_if { my $c = shift; $c->_acl_engine->add_allow(@_); } sub allow_access_if_any { my ($c, $path, $roles) = @_; $c->allow_access_if($path, sub { my ($c, $action) = @_; return $c->check_any_user_role(@$roles); }); } sub allow_access { my $c = shift; $c->allow_access_if( @_, 1 ); } sub acl_add_rule { my $c = shift; $c->_acl_engine->add_rule(@_); } sub acl_access_denied { my ( $c, $class, $action, $err ) = @_; my $namespace = $action->namespace; if ( my $handler = ( $c->get_actions( "access_denied", $namespace ) )[-1] ) { local $c->{_acl_forcibly_allowed} = undef; (my $path = $handler->reverse) =~ s!^/?!/!; eval { $c->detach( $path, [$action, $err] ) }; return 1 if $c->{_acl_forcibly_allowed}; die $@ || $Catalyst::DETACH; } else { $c->execute( $class, bless( { code => sub { die $err }, name => "ACL error rethrower", }, "Catalyst::Action" ), ); return; } } sub forcibly_allow_access { my $c = shift; $c->{_acl_forcibly_allowed} = 1; die $Catalyst::DETACH; } sub acl_access_allowed { } __PACKAGE__->meta->make_immutable; __PACKAGE__; __END__ =pod =head1 NAME Catalyst::Plugin::Authorization::ACL - ACL support for Catalyst applications. =head1 SYNOPSIS use Catalyst qw/ Authentication Authorization::Roles Authorization::ACL /; __PACKAGE__->setup; __PACKAGE__->deny_access_unless( "/foo/bar", [qw/nice_role/], ); __PACKAGE__->allow_access_if( "/foo/bar/gorch", sub { return $boolean }, ); =head1 DESCRIPTION This module provides Access Control List style path protection, with arbitrary rules for L applications. It operates only on the L private namespace, at least at the moment. The two hierarchies of actions and controllers in L are: =over 4 =item Private Namespace Every action has its own private path. This path reflects the Perl namespaces the actions were born in, and the namespaces of their controllers. =item External Namespace Some actions are also directly accessible from the outside, via a URL. The private and external paths will be the same, if you are using Local actions. Alternatively you can use C, C, or C to specify a different external path for your action. =back The ACL module currently only knows to exploit the private namespace. In the future extensions may be made to support external namespaces as well. Various types of rules are supported, see the list under L. When a path is visited, rules are tested one after the other, with the most exact rule fitting the path first, and continuing up the path. Testing continues until a rule explcitly allows or denies access. =head1 METHODS =head2 allow_access_if Arguments: $path, $rule Check the rule condition and allow access to the actions under C<$path> if the rule returns true. This is normally useful to allow acces only to a specific part of a tree whose parent has a C clause attached to it. If the rule test returns false access is not denied or allowed. Instead the next rule in the chain will be checked - in this sense the combinatory behavior of these rules is like logical B. =head2 allow_access_if_any Arguments: $path, \@roles Same as above for any role in the list. =head2 deny_access_unless Arguments: $path, $rule Check the rule condition and disallow access if the rule returns false. This is normally useful to restrict access to any portion of the application unless a certain condition can be met. If the rule test returns true access is not allowed or denied. Instead the next rule in the chain will be checked - in this sense the combinatory behavior of these rules is like logical B. =head2 deny_access_unless_any Arguments: $path, \@roles Same as above for any role in the list. =head2 allow_access =head2 deny_access Arguments: $path Unconditionally allow or deny access to a path. =head2 acl_add_rule Arguments: $path, $rule, [ $filter ] Manually add a rule to all the actions under C<$path> using the more flexible (but more verbose) method: __PACKAGE__->acl_add_rule( "/foo", sub { ... }, # see FLEXIBLE RULES below sub { my $action = shift; # return a true value if you want to apply the rule to this action # called for all the actions under "/foo" } }; In this case the rule must be a sub reference (or method name) to be invoked on $c. The default filter will skip all actions starting with an underscore, namely C<_DISPATCH>, C<_AUTO>, etc (but not C, C, et al). =head2 acl_access_denied Arguments: $c, $class, $action, $err =head2 acl_access_allowed Arguments: $c, $class, $action The default event handlers for access denied or allowed conditions. See below on handling access violations. =head2 acl_allow_root_internals Adds rules that permit access to the root controller (YourApp.pm) C, C and C unconditionally. =head1 EXTENDED METHODS =head2 execute The hook for rule evaluation =head2 setup_actions =head1 RULE EVALUATION When a rule is attached to an action the "distance" from the path it was specified in is recorded. The closer the path is to the rule, the earlier it will be checked. Any rule can either explicitly deny or explicitly allow access to a particular action. If a rule does not explicitly allow or permit access, the next rule is checked, until the list of rules is finished. If no rule has determined a policy, access to the path will be permitted. =head1 PATHS To apply a rule to an action or group of actions you must supply a path. This path is what you should see dumped at the beginning of the L server's debug output. For example, for the C action defined at the root level of your application, specify C. Under the C controller (e.g. C, the action C will be C). The "distance" a path has from an action that is contained in it is the the difference in the number of slashes between the path of the action, and the path to which the rule was applied. =head1 RULES =head2 Easy Rules There are several kinds of rules you can create without using the complex interface described in L. The easy rules are all predicate list oriented. C will explicitly allow access if the predicate is true, and C will explicitly disallow if the predicate is false. =over 4 =item Role Lists __PACAKGE__->deny_access_unless_any( "/foo/bar", [qw/admin moose_trainer/] ); When the role is evaluated the L will be used to check whether the currently logged in user has the specified roles. If L is used, the presence of B of the roles in the list will immediately permit access, and if L is used, the lack of B of the roles will immediately deny access. Similarly, if C is used, the presence of B the roles will immediately permit access, and if C is used, the lack of B of the roles will immediately deny access. When specifying a role list without the L plugin loaded the ACL engine will throw an error. =item Predicate Code Reference / Method Name The code reference or method is invoked with the context and the action objects. The boolean return value will determine the behavior of the rule. __PACKAGE__->allow_access_if( "/gorch", sub { ... } ); __PACKAGE__->deny_access_unless( "/moose", "method_name" ); When specifying a method name the rule engine ensures that it can be invoked using L. =item Constant You can use C, C<0> and C<''> to use as a constant false predicate, or C<1> to use as a constant true predicate. =back =head2 Flexible Rules These rules are the most annoying to write but provide the most flexibility. All access control is performed using exceptions - C<$Catalyst::Plugin::Authorization::ACL::Engine::DENIED>, and C<$Catalyst::Plugin::Authorization::ACL::Engine::ALLOWED> (these can be imported from the engine module). If no rule decides to explicitly allow or deny access, access will be permitted. Here is a rule that will always break out of rule processing by either explicitly allowing or denying access based on how much mojo the current user has: __PACKAGE__->acl_add_rule( "/foo", sub { my ( $c, $action ) = @_; if ( $c->user->mojo > 50 ) { die $ALLOWED; } else { die $DENIED; } } ); =head1 HANDLING DENIAL There are two plugin methods that can be called when a rule makes a decision about an action: =over 4 =item acl_access_allowed A no-op =item acl_access_denied Looks for a private action named C from the denied action's controller and outwards (much like C), and if none is found throws an access denied exception. =item forcibly_allow_access Within an C action this will immediately cause the blocked action to be executed anyway. =back This means that you have several alternatives: =head2 Provide an C action package MyApp::Controller::Foo; sub access_denied : Private { my ( $self, $c, $action ) = @_; ... $c->forcibly_allow_access if $you->mean_it eq "really"; } If you call C then the blocked action will be immediately unblocked. Otherwise the execution of the action will cease, and return to it's caller or end. =head2 Cleanup in C sub end : Private { my ( $self, $c ) = @_; if ( $c->error and $c->error->[-1] eq "access denied" ) { $c->error(0); # clear the error # access denied } else { # normal end } } =head2 Override the plugin event handler methods package MyApp; sub acl_access_allowed { my ( $c, $class, $action ) = @_; ... } sub acl_access_denied { my ( $c, $class, $action, $err ) = @_; ... } C<$class> is the controller class the C<$action> object was going to be executed in, and C<$err> is the exception cought during rule evaluation, if any (access is denied if a rule raises an exception). =head1 SEE ALSO L, L, L =head1 AUTHOR Yuval Kogman Enothingmuch@woobling.orgE =head1 CONTRIBUTORS castaway: Jess Robinson caelum: Rafael Kitover Erkitover@cpan.orgE =head1 COPYRIGHT & LICENSE Copyright (c) 2005 - 2009 the Catalyst::Plugin::Authorization::ACL L and L as listed above. This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself. =cut Catalyst-Plugin-Authorization-ACL-0.16/lib/Catalyst/Plugin/Authorization/ACL/Engine.pm000644 000765 000024 00000022504 12335064737 031532 0ustar00rkitoverstaff000000 000000 package Catalyst::Plugin::Authorization::ACL::Engine; BEGIN { $Catalyst::Plugin::Authorization::ACL::Engine::AUTHORITY = 'cpan:RKITOVER'; } $Catalyst::Plugin::Authorization::ACL::Engine::VERSION = '0.16'; use namespace::autoclean; use Moose; extends qw/Moose::Object Exporter/; # I heart stevan use Class::Throwable; use Tree::Simple; use Tree::Simple::Visitor::FindByPath; use Tree::Simple::Visitor::GetAllDescendents; use Carp qw/croak/; use List::Util 'first'; has app => (is => 'rw'); has actions => (is => 'ro', isa => 'HashRef', default => sub { {} }); has _app_actions_tree => (is => 'ro', isa => 'Tree::Simple', lazy_build => 1); our $DENIED = bless {}, __PACKAGE__ . "::Denied"; our $ALLOWED = bless {}, __PACKAGE__ . "::Allowed"; our @EXPORT_OK = qw/$DENIED $ALLOWED/; sub BUILDARGS { my ($self, $c) = @_; return +{ app => $c }; } sub _build__app_actions_tree { my $self = shift; my $root = Tree::Simple->new('/', Tree::Simple->ROOT); my $app = $self->app; my @actions = grep defined, map { my $controller = $_; map $controller->action_for($_->name), $controller->get_action_methods } grep $_->isa('Catalyst::Controller'), values %{ $app->components }; for my $action (@actions) { my @path = split '/', $action->reverse; my $name = pop @path; if (@path) { my $by_path = Tree::Simple::Visitor::FindByPath->new; $by_path->setSearchPath(@path); $root->accept($by_path); if (my $namespace_node = $by_path->getResult) { $namespace_node->addChild(Tree::Simple->new($action)); next; } } my $node = $root; for my $el (@path) { if (my $found = first { $_->getNodeValue eq $el } @{ $node->getAllChildren }) { $node = $found; } else { $node = Tree::Simple->new($el, $node); } } $node->addChild(Tree::Simple->new($action)); } return $root; } sub add_deny { my ( $self, $spec, $condition ) = @_; my $test = $self->fudge_condition($condition); $self->add_rule( $spec, sub { my $c = shift; die $DENIED unless $c->$test(@_); }, ); } sub add_allow { my ( $self, $spec, $condition ) = @_; my $test = $self->fudge_condition($condition); $self->add_rule( $spec, sub { my $c = shift; die $ALLOWED if $c->$test(@_); }, ); } sub fudge_condition { my ( $self, $condition ) = @_; # make almost anything into a code ref/method name if (!defined($condition) # no warnings or $condition eq '1' or $condition eq '0' or $condition eq "" ) { return sub { $condition }; } elsif ( my $reftype = ref $condition ) { $reftype eq "CODE" and return $condition; # if it's not a code ref and it's a ref, we only know # how to deal with it if it's an array of roles $reftype ne "ARRAY" and die "Can't interpret '$condition' as an ACL condition"; # but to check roles we need the appropriate plugin $self->app->isa("Catalyst::Plugin::Authorization::Roles") or die "Can't use role list as an ACL condition unless " . "the Authorization::Roles plugin is also loaded."; # return a test that will check for the roles return sub { my $c = shift; $c->check_user_roles(@$condition); }; } elsif ( $self->app->can($condition) ) { return $condition; # just a method name } else { croak "Can't use '$condition' as an ACL " . "condition unless \$c->can('$condition')."; } } sub add_rule { my ( $self, $path, $rule, $filter ) = @_; $filter ||= sub { $_[0]->name !~ /^_/ }; # internal actions are not ACL'd my $d = $self->app->dispatcher; my $cxt = _pretty_caller(); $self->{cxt_info}{$rule} = $cxt; my ( $ns, $name ) = $path =~ m#^/?(.*?)/?([^/]+)$#; if ( my $action = $d->get_action( $name, $ns ) ) { $self->app->log->debug( "Adding ACL rule from $cxt to the action $path with sort index 0") if $self->app->debug; $self->append_rule_to_action( $action, 0, $rule, $cxt ); } else { my @path = grep { $_ ne "" } split( "/", $path ); my $tree = $self->_app_actions_tree; my $subtree = @path ? do { my $by_path = Tree::Simple::Visitor::FindByPath->new; $by_path->setSearchPath(@path); $tree->accept($by_path); $by_path->getResult || Catalyst::Exception->throw( "The path '$path' does not exist (traversal hit a dead end " . "at: @{[ map { $_->getNodeValue } $by_path->getResults ]})" ); } : $tree; my $root_depth = $subtree->getDepth; my $descendents = Tree::Simple::Visitor::GetAllDescendents->new; $descendents->setNodeFilter( sub { $_[0] } ); # $subtree->accept($descendents); $self->app->log->debug( "Adding ACL rule from $cxt to all the actions under $path") if $self->app->debug; foreach my $action_node ( $descendents->getResults ) { next unless $action_node->isLeaf; my ( $action, $depth ) = ( $action_node->getNodeValue, $action_node->getDepth ); next unless $filter->($action); my $sort_index = ( $depth - $root_depth ) ; # how far an action is from the origin of the ACL $self->app->log->debug("... $action at sort index $sort_index") if $self->app->debug; $self->append_rule_to_action( $action, $sort_index, $rule, $cxt, ); } } } sub get_cxt_for_rule { my ( $self, $rule ) = @_; $self->{cxt_info}{$rule}; } sub append_rule_to_action { my ( $self, $action, $sort_index, $rule, $cxt ) = @_; $sort_index = 0 if $sort_index < 0; push @{ $self->get_action_data($action)->{rules_radix}[$sort_index] ||= [] }, $rule; } sub get_action_data { my ( $self, $action ) = @_; $self->actions->{ $action->reverse } ||= { action => $action }; } sub get_rules { my ( $self, $action ) = @_; map { $_ ? @$_ : () } @{ ( $self->get_action_data($action) || return () )->{rules_radix} }; } sub check_action_rules { my ( $self, $c, $action ) = @_; my $last_rule; my $rule_exception; { local $SIG{__DIE__}; # nobody messes with us! local $@; eval { foreach my $rule ( $self->get_rules($action) ) { $c->log->debug( "running ACL rule $rule defined at " . $self->get_cxt_for_rule($rule) . " on $action" ) if $c->debug; $last_rule = $rule; $c->$rule($action); } }; $rule_exception = $@; } if ($rule_exception) { if ( ref $rule_exception and $rule_exception == $DENIED ) { die "Access to $action denied by rule $last_rule (defined at " . $self->get_cxt_for_rule($last_rule) . ").\n"; } elsif ( ref $rule_exception and $rule_exception == $ALLOWED ) { $c->log->debug( "Access to $action allowed by rule $last_rule (defined at " . $self->get_cxt_for_rule($last_rule) . ")" ) if $c->debug; return; } else { # unknown exception # FIXME - add context (the user should know what rule # generated the exception, and where it was added) Class::Throwable->throw( "An error occurred while evaluating ACL rules.", $rule_exception ); } } # no rules means allow by default } sub _pretty_caller { my ( undef, $file, $line ) = _find_caller(); return "$file line $line"; } sub _find_caller { for ( my $i = 2 ; ; $i++ ) { my @caller = caller($i) or die "Error determining caller"; return @caller if $caller[0] !~ /^Catalyst::Plugin::Authorization::ACL/; } } __PACKAGE__->meta->make_immutable; __PACKAGE__; __END__ =pod =head1 NAME Catalyst::Plugin::Authorization::ACL::Engine - The backend that computes ACL checks for L. =head1 SYNOPSIS # internal =head1 METHODS =over 4 =item new $app Create a new rule engine for $app =item add_allow $cond =item add_deny $cond fudge C<$cond>, make cond into a rule, and C =item add_rule $path, $rule Add rule to all actions under $path =item append_rule_to_action $action, $index, $rule, $cxt Append C<$rule> to C<$action> in slot C<$index>, and store context info C<$cxt> for error reporting. =item check_action_rules $action Evaluate the rules for an action =item fudge_condition $thingy Converts a C<$thingy> into a subref, for DWIM goodness. See the main ACL docs. =item get_action_data $action =item get_cxt_for_rule $rule =item get_rules =back =head1 DESCRIPTION This is the engine which executes the access control checks for L. Please use that module directly. =head1 TODO * external uris -> private paths =cut