lib/cuba_api/guard.rb in cuba-api-0.6.1 vs lib/cuba_api/guard.rb in cuba-api-0.6.2
- old
+ new
@@ -32,18 +32,21 @@
module ClassMethods
def guard( &block )
self[ :guard ] ||= block ||
begin
- warn 'no guard configured. default guard denies eveythings !'
+ guard_logger.warn { 'no guard configured. default guard denies everything !' }
guard = Ixtlan::UserManagement::Guard.new
Proc.new do |groups|
guard
end
end
end
+ def guard_logger
+ logger_factory.logger( "CubaApi::Guard" )
+ end
end
def current_groups
current_user.groups
end
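Review bot: The deny-all fallback in `guard` is now announced only through `guard_logger.warn { ... }`, so whether an operator sees the misconfiguration depends on the configured logger and its level, where the old `Kernel#warn` always wrote to stderr. `guard_logger` also relies on `logger_factory`, which this hunk does not define; if the class lacks it, the fallback branch presumably raises before `self[ :guard ]` is assigned. A comment on `guard_logger` such as `# requires logger_factory on the including class` would record that dependency.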
@@ -51,15 +54,11 @@
def allowed_associations
guard.associations( guard_context, @_method )
end
def on_context( name, &block )
- perm = guard.permissions( name )
- if perm && perm.parent &&
- perm.parent.resource != guard_context
- raise 'parent resource is not guarded'
- end
+ guard.check_parent( name, guard_context )
on name do
begin
old = guard_context
guard_context( name )
yield( *captures )
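Review bot: The result of `guard.check_parent( name, guard_context )` in on_context is discarded, so the parent-resource check is only enforced if check_parent raises, as the removed inline code did with 'parent resource is not guarded'. check_parent is not visible here, so that contract is an assumption; a comment such as `# check_parent raises when the parent resource is not guarded` would pin it down for the next reader. The gem's dependency on the guard library should also require a version that provides this method. on_context continues past the end of the hunk.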
@@ -69,13 +68,11 @@
end
end
def on_association
on :association do |association|
- # TODO one method in guard
- asso = guard.permissions( guard_context ).associations
- if asso.empty? or asso.include?( association )
+ if allowed_associations && allowed_associations.include?( association )
yield( association )
else
no_body :forbidden
end
end
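Review bot: on_association now answers :forbidden when `allowed_associations` is nil or empty, whereas the removed code let every association through when the configured list was empty. That is the safer default, but it is a behaviour change that callers relying on the old open behaviour should be told about. `allowed_associations` passes `@_method` to the guard, and in the visible code that variable is only assigned inside the verb matcher, so if this block can run before one the guard is presumably queried with a nil method. The value is also computed twice per request; `assos = allowed_associations` followed by `if assos && assos.include?( association )` asks the guard once.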
@@ -85,32 +82,47 @@
args.insert( 0, send( method ) )
on *args do
@_method = method
- warn "[CubaApi::Guard] check #{method.to_s.upcase} #{guard_context}: #{guard.allow?( guard_context, method )}"
+ allowed = allowed( method )
+
+ guard_logger.debug { "check #{method.to_s.upcase} #{guard_context}: #{allowed}" }
# TODO guard needs no association here
- if guard.allow?( guard_context, method, (allowed_associations || []).first )
+ if allowed
yield( *captures )
else
no_body :forbidden # 403
end
end
end
private
+ def allowed( method )
+ if allowed_associations && !allowed_associations.empty?
+ allowed_associations.select do |asso|
+ guard.allow?( guard_context, method, asso )
+ end.size > 0
+ else
+ guard.allow?( guard_context, method )
+ end
+ end
+
def guard_context( ctx = nil )
if ctx
- @_conetxt = (req.env[ 'guard_context' ] = ctx)
+ @_context = (req.env[ 'guard_context' ] = ctx)
else
@_context ||= req.env[ 'guard_context' ]
end
end
def guard
self.class.guard.call( current_groups )
end
+ def guard_logger
+ self.class.guard_logger
+ end
end
end
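Review bot: The new private `allowed( method )` grants access as soon as any one entry of `allowed_associations` passes `guard.allow?`, where the removed call tested only the first entry; this any-of rule deserves a comment, since it decides the 403. The method calls `allowed_associations` up to three times, and each call goes through `guard`, which runs `self.class.guard.call( current_groups )` again. Holding the list in a local and using `any?` reads more directly: `assos = allowed_associations`, `if assos && !assos.empty?`, `assos.any? { |asso| guard.allow?( guard_context, method, asso ) }`. The retained `# TODO guard needs no association here` above `if allowed` no longer matches the code it sits on and could move to the new method or be dropped.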