Class: Authorization::DevelopmentSupport::ChangeSupporter

Inherits:

AbstractAnalyzer

• Object
• AbstractAnalyzer
• Authorization::DevelopmentSupport::ChangeSupporter

Defined in:

lib/declarative_authorization/development_support/change_supporter.rb

Overview

Ideas for improvement

• Algorithm

  • Objective function:

    • affected user count,

    • as specific as possible (roles, privileges)

    • as little changes as necessary

  • Modify role, privilege hierarchy

  • Merge, split roles

  • Add privilege to existing rules

• Features

  • Improve review facts: impact, affected users count

  • group similar candidates: only show abstract methods?

  • restructure GUI layout: more room for analyzing suggestions

  • changelog, previous tests, etc.

  • multiple permissions in tests

• Evaluation of approaches with Analyzer algorithms

• Authorization constraints

Algorithm

• for each candidate

  • abstract actions: solving first failing test (remove privilege from role)

  • for each abstract action

    • specific actions: concrete steps (remove privilege from specific role)

    • for each specific action

      • next if reversal action of previous step

      • apply specific action on candidate

      • save as solution if no failing tests on changed_candidate

      • else: queue as candidate

• equivalent states

NOTE:

• user.clone needs to clone role_symbols

• user.role_symbols needs to respond to <<

• user.login is needed

Defined Under Namespace

Classes: AbstractAction, AbstractCompoundAction, AddPrivilegeAndAssignRoleToUserAction, Approach, ApproachChecker, AssignPrivilegeToRoleAction, AssignRoleToUserAction, CreateAndAssignRoleToUserAction, GroupedApproach, RemovePrivilegeFromRoleAction, RemoveRoleFromUserAction, Test

Instance Attribute Summary

Attributes inherited from AbstractAnalyzer

#engine

Instance Method Summary

• #find_approaches_for(options, &tests) ⇒ Object

  Returns a list of possible approaches for changes to the current authorization rules that achieve a given goal.

• #group_approaches(approaches) ⇒ Object

  Returns an array of GroupedApproaches for the given array of approaches.

Methods inherited from AbstractAnalyzer

#initialize, #roles, #rules

Constructor Details

This class inherits a constructor from Authorization::DevelopmentSupport::AbstractAnalyzer

Instance Method Details

#find_approaches_for(options, &tests) ⇒ Object

Returns a list of possible approaches for changes to the current authorization rules that achieve a given goal. The goal is given as permission tests in the block. The instance method users is available when the block is executed to refer to the then-current users, whose roles might have changed as one suggestion.

# File 'lib/declarative_authorization/development_support/change_supporter.rb', line 48

def find_approaches_for (options, &tests)
  @prohibited_actions = (options[:prohibited_actions] || []).to_set

  @approaches_by_actions = {}

  candidates = []
  suggestions = []
  approach_checker = ApproachChecker.new(self, tests)

  starting_candidate = Approach.new(@engine, options[:users], [])
  if starting_candidate.check(approach_checker)
    suggestions << starting_candidate
  else
    candidates << starting_candidate
  end

  checked_candidates = 0
  while !candidates.empty? and checked_candidates < 200
    checked_candidates += next_step(suggestions, candidates, approach_checker)
  end

  # remove subsets
  suggestions.sort!
end

#group_approaches(approaches) ⇒ Object

Returns an array of GroupedApproaches for the given array of approaches. Only groups directly adjacent approaches

# File 'lib/declarative_authorization/development_support/change_supporter.rb', line 75

def group_approaches (approaches)
  approaches.each_with_object([]) do |approach, grouped|
    if grouped.last and grouped.last.approach.similar_to(approach)
      grouped.last.similar_approaches << approach
    else
      grouped << GroupedApproach.new(approach)
    end
  end
end