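require 'spec_helper'

# Exercises Rad::Controller::Authorized end to end: the declarative
# (`require_permission ..., only:`) and the imperative (inside the action)
# forms, with and without an owned object handed to the user's `can?`.
# Every check is driven through a stubbed `can?`, so the permission table
# itself only needs to name the permissions the fixture controller asks for.
describe "Authorizations" do
  with_controllers
  isolate :config

  before :all do
    # Role lists are empty on purpose: `can?` is stubbed per example, the
    # table only has to know the permission names.
    @permissions = {
      'call_controller_level'     => [],
      'call_business_logic_level' => [],
      'call_with_owner'           => []
    }

    class ::AuthorizationController
      inherit Rad::Controller::Http
      inherit Rad::Controller::Authorized

      # Declarative check scoped to one action; the `only:` keeps the other
      # actions (notably `unprotected`) out of its reach.
      require_permission :call_controller_level, only: :controller_level

      # Baseline: no check at all, must stay reachable whatever `can?` says.
      def unprotected
        render_ok
      end

      def controller_level
        render_ok
      end

      # Imperative check performed in the action body itself.
      def business_logic_level
        require_permission :call_business_logic_level
        render_ok
      end

      # Imperative check that also hands the acted-on object to the
      # authorizer, so ownership can be taken into account.
      def with_owner
        require_permission :call_with_owner, owned_object
        render_ok
      end

      def with_owner_controller_level
        render_ok
      end

      # Declarative check with an owner block. The block presumably runs on
      # the controller instance, since `owned_object` only exists as a
      # (protected) instance method below — verify against Rad if this changes.
      require_permission :call_with_owner, only: :with_owner_controller_level do
        owned_object
      end

      protected

      # Fixture object handed to the authorizer; examples set it through the
      # class-level writer. Kept as a class variable so reader and writer share
      # one slot without a `self.class` hop, whose result differs under
      # subclassing.
      def owned_object
        @@owned_object
      end

      def self.owned_object=(o)
        @@owned_object = o
      end
    end

    rad.router.configure do |c|
      c.resource :authorization_controllers, class_name: 'AuthorizationController'
    end

    I18n.locale = :en
  end

  after :all do
    remove_constants %w(AuthorizationController)
  end

  before do
    # Reset the shared fixture state so no example inherits an owned object,
    # a permission table or a user from the previous one.
    AuthorizationController.owned_object = nil
    rad.config.permissions = @permissions
    @user = Models::User.new
    rad.user = @user
  end

  # Matcher for the fail-closed path: an unauthorized call must raise, never
  # render silently.
  def raise_authorization_error
    raise_error(UserError, /Access Denied/)
  end

  # Blanket answers for `can?`.
  # NOTE(review): a blanket stub does not pin which permission name Rad
  # passes to `can?`, so a regression that asks for the wrong permission would
  # go unnoticed; matching on the `operation` argument would catch it — TODO
  # confirm the exact value (symbol or string) Rad passes before tightening.
  def deny_everything
    @user.stub!(:can?).and_return(false)
  end

  def allow_everything
    @user.stub!(:can?).and_return(true)
  end

  # Grants access only when the object given to `can?` is owned by the
  # current user; a missing (`nil`) or foreign object is denied.
  def allow_only_owned
    @user.stub!(:can?) do |_operation, object|
      object && object.owner_name == @user.name
    end
  end

  # Installs a fixture object whose `owner_name` is the current user's, so the
  # owner-aware checks have something to compare against.
  def install_object_owned_by_user
    owned = Object.new
    owned.stub!(:owner_name) { @user.name }
    AuthorizationController.owned_object = owned
  end

  it "should allow to call unprotected methods" do
    call('/authorization_controllers/unprotected')
    response.body.should == "ok"
  end

  it "should allow declarative authorization at controller level" do
    deny_everything
    lambda { call '/authorization_controllers/controller_level' }.should raise_authorization_error
    # response.should be_redirect

    allow_everything
    call '/authorization_controllers/controller_level'
    response.body.should == "ok"
  end

  it "should allow declarative authorization at business logic level" do
    deny_everything
    lambda { call '/authorization_controllers/business_logic_level' }.should raise_authorization_error
    # response.should be_redirect

    allow_everything
    call '/authorization_controllers/business_logic_level'
    response.body.should == "ok"
  end

  it "should use owner if provided" do
    deny_everything
    lambda { call '/authorization_controllers/with_owner' }.should raise_authorization_error
    # response.should be_redirect

    install_object_owned_by_user
    allow_only_owned
    call '/authorization_controllers/with_owner'
    response.body.should == "ok"
  end

  it "should use owner if provided (action level)" do
    deny_everything
    lambda { call '/authorization_controllers/with_owner_controller_level' }.should raise_authorization_error
    # response.should be_redirect

    install_object_owned_by_user
    allow_only_owned
    call '/authorization_controllers/with_owner_controller_level'
    response.body.should == "ok"
  end
end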