CHANGELOG.txt

TO DO
+ Add Right model generator and DB-backed way of handling rights in addition to inlined "permit" checks
+ Added namespacing to @options instance variable to prevent possible name clashes
+ Add test generator instead of handling tests in test apps
+ Add support for groups
+ Extend grammar to allow "(admin or moderator or some_role) of some_model" (?) [Chris Hapgood]
+ Extend coverage to models. Look at Bruce Perens's ModelSecurity and access with_scope. (9/3006 - Recently investigated extension to model and the most programmer-friendly DSLs may require too much hacking on ActiveRecord.)


CHANGES (from most recent to oldest)


=== 1.0.10 release (February 27, 2008)

* Patch Series : Granular redirection configuration submitted by Thomas Weibel

  WARNING : If you are upgrading from a previous install you may need
  to change some configuration settings in your environment.rb file.

  Remove DEFAULT_REDIRECTION_HASH config
  Added granular LOGIN_REQUIRED_REDIRECTION hash or path config
  Added granular PERMISSION_DENIED_REDIRECTION hash or path config
  Added STORE_LOCATION_METHOD config
  Support custom flash messages for each redirection type
  Updated README.txt to provide instructions.
  Enhanced support for integration with restful_authentication plugin.

=== 1.0.9 release (February 26, 2008)

* Patch #8571 : Add type argument to is_role_of_what submitted by Aslak Hellesøy (aslak_hellesoy)

  In my RESTful index views for an AR type I often want to list all of the records *for a given type* for which the current
  user has the role "show". (As opposed to getting *any* record for which the user has the role)

  In order to achieve this, I have patched identity.rb so tht I can do this:

  def index
    if current_user.permit? 'admin'
      # show all projects
      @projects = Project.find(:all)
    else
      @projects = current_user.is_show_for_what(Project)
    end
  end

=== 1.0.8 release (February 26, 2008)

* Patch #11352 : Fixes a bug with role_regex and simple quoted roles submitted by 'a French RoR developer'

  Documentation says:

  <role> ::= /\w+/ | /'.*'/

  But the next permission string isn't well parsed: "  'abcd:efgh' or 'abcd:ijkl'  "
  You get an error because the role_regex defined in parser.rb eats every simple quote between the first and the last
  simple quote in the string.

  So i patched the two instances of role_regex in parser.rb, from this:
  role_regex = '\s*(\'\s*(.+)\s*\'|([A-Za-z]\w*))\s*'

  to this (the question mark ends the first pattern as soon as possible, avoiding the inner simple quotes to be eaten):
  role_regex = '\s*(\'\s*(.+?)\s*\'|([A-Za-z]\w*))\s*'

=== 1.0.7 release (February 25, 2008)

* Patch #9431 : Fixes a bug in identity.rb submitted by Michel Martens (blaumag)

  If some authorizable instance accepts a role, then it responds true when queried for has_[role_name]?

  Example:
  country.has_kings? #=> false

  user.has_role "king", country
  country.has_kings? #=> true

  user.has_no_role "king", country
  country.has_kings? #=> true

  The last time, country.has_kings? should be false.

=== 1.0.6 release (February 25, 2008)

* Patch #12170 : Additional HABTM options for acts_as_authorized_user
  A very simple patch that allows options to be passed to the has_and_belogs_to_many relationship. This seems necessary
  if the "User" object has a different name from the table name. has_and_belong_to_many does not automatically
  use the table set by the "User" object so it must be specified (along with the foreign key if applicable).

  Patch submitted by Eric Anderson (eric1234)

=== 1.0.5 release (February 25, 2008)

* Feature : Add additional test for current_user being set to the symbol ':false'.
  This is for compatibility with the restful_authentication plugin which will
  set current_user to :false on a bad login.  Previously we were only testing
  for current_user.nil? which was incomplete.

=== 1.0.4 release (February 25, 2008)

* Bugfix : RubyForge bug #9368.  Problems with about.yml
  Fixes a minor bug in the about.yml plugin metadata file
  so that it will parse cleanly. [GR]

=== 1.0.3 release (February 17, 2008)

* Minor changes to USAGE text for ./script/generate role_model

=== 1.0.2 release (February 17, 2008)

* From this release forward the plugin requires use of Ruby on Rails version 2.x.  Version 1.0.1 is the final release fully compatible with Rails 1.2.x.
* Upgraded the database migration generator to create the new Rails 2.0.x style 'sexy migrations'.

=== 1.0.1 release (February 17, 2008)

* Moved source code to public Git repository at github.com (http://github.com/DocSavage/rails-authorization-plugin/tree/master)
* Removed attr_protected declaration from acts_as_authorized_user, acts_as_authorizable methods.  These conflicted with usage of the Authorization plugin with models generated by the restful_authentication generator or any model that specified the safer attr_accessible whitelist.  RA encourages the safer attr_accessible whitelisting of attributes that are accessible from its models.  You cannot apply both attr_accessible and attr_protected in the same model.  Users are encouraged to specify a whitelist of attr_accessible model attributes for their applications security. [grempe]

=== SVN

* Performance improvement for has_role?  [Sean Geoghegan]

* Allow customization of message on redirection after failed authorization (:redirect_message option) [Joey Geiger]

* Patch to allow authorizable objects that use single table inheritance (STI) [Sean Geoghegan]

=== 1.0 release (Sept 13, 2006)

* Added attr_protected for habtm and has_many role ids to block security concern if developers use update_attributes(params[:auth_obj]) on an authorizable object [Michael Schuerig]

* Use before_filter rather than prepend_before_filter so necessary instance variables (and methods) can be established before trying authorization checks. This fix came about for Mephisto blog where a class-level permit "admin of site" was used. The site attribute was set in a before_filter. If you prepend your authorization filter, it will execute before any other before_filter, which is probably not a good idea.

* Add "about" yaml for future Rails plugin directory.

* Cleaned up exception handling a little [due to suggestion by Michael Schuerig]

* Add generator for role model and migration, e.g., "script/generate role_model Role".
  Role model must be called "Role" at this time. More general naming as a TO DO.

* Removed simple_roles_table to simplify plugin.

* Moved all files in Authorization namespace into /publishare subdirectory
  to reduce danger of clashes in load path [nod to Michael Schuerig].

* Small code refinement patch [Michael Schuerig]

* The colon preceding a model name in the authorization expression is now optional. The parser uses accepted prepositions to disambiguate models from roles.

* Change default parser from Recursive Descent parser to Eval parser.
Currently implemented recursive descent parser doesn't handle left-sided
boolean expressions well. Eval parser relies on Ruby (good thing), but
wherever there's an eval, we have to be more careful.

* Will start linking to and monitoring forum area at RubyForge
http://rubyforge.org/forum/?group_id=1797

* Added changelog :)

* Added return false to handle_redirection to short-circuit filters if
redirect occurs. This is second fix to prevent double renders.

* Changed the requires to pull files from the plugin directory. (Necessary for name conflicts between plugin and apps)

* Minor fixes to update documentation

=== 1.0 rc3 (July 19, 2006)

* Fix to prevent double redirect

* Fix to migration examples

... see svn log