Module: AnnotationSecurity::Helper
- Defined in:
- lib/annotation_security/includes/helper.rb
Overview
AnnotationSecurity::Helper
This module adds some useful helper methods to your templates.
Instance Method Summary collapse
-
#action_allowed?(options, objects = nil, params = nil, html_options = nil) ⇒ Boolean
Checks whether the user is allowed to access the action.
-
#allowed?(*args) ⇒ Boolean
(also: #a?)
Returns true if the operation defined by
policy_args
is allowed. -
#is?(*args) ⇒ Boolean
Equivalent to allowed?; is? is provided for better readability.
-
#link_to_if_allowed(name, options, objects = nil, params = nil, html_options = nil, &block) ⇒ Object
(also: #link_if_a)
Returns a link tag with the specified name to the specified resource if the user is allowed to access it.
Instance Method Details
#action_allowed?(options, objects = nil, params = nil, html_options = nil) ⇒ Boolean
Checks whether the user is allowed to access the action.
Expects arguments like #link_to_if_allowed, just without name and block.
Returns true if the action is allowed.
70 71 72 73 74 75 76 77 78 |
# File 'lib/annotation_security/includes/helper.rb', line 70 def action_allowed?(, objects=nil, params=nil, =nil) , objects, params, = parse_allow_action_args(, objects, params, ) controller = params.delete :controller action = params.delete :action SecurityContext.allow_action?(controller, action, objects, params) end |
#allowed?(*args) ⇒ Boolean Also known as: a?
Returns true if the operation defined by policy_args
is allowed.
The following calls to #allowed? are possible:
allowed? :show, :resource, @resource
# => true if the current user has the right to show @resource,
# which belongs to the :resource resource-class
In case of model objects or other classes which implement a #resource_type method the the second argument may be ommited
allowed? :show, @resource
# equivalent to the above call if @resource.resource_type == :resource
A policy description used as a controller annotation may also be used to check a right
allowed? "show resource", @resource
# => true if the current user has the right "show resource" for @resource
A policy may also be applied without an object representing the context:
allowed? :show, :resource
# => true if the current may show resources.
This will only check system and pretest rules. The result true
does not mean that the user may show all resources. However, a false
indicates that the user is not allowed to show any resources.
If the resource class is omitted as well, only rules defined for all resources can be tested. See RelationLoader#all_resources for details.
allowed? :administrate
# => true if the user is allowed to administrate all resources.
See SecurityContext#allowed?.
48 49 50 |
# File 'lib/annotation_security/includes/helper.rb', line 48 def allowed?(*args) SecurityContext.allowed?(*args) end |
#is?(*args) ⇒ Boolean
Equivalent to allowed?; is? is provided for better readability.
allowed? :logged_in
vs
is? :logged_in
60 61 62 |
# File 'lib/annotation_security/includes/helper.rb', line 60 def is?(*args) SecurityContext.is?(*args) end |
#link_to_if_allowed(name, options, objects = nil, params = nil, html_options = nil, &block) ⇒ Object Also known as: link_if_a
Returns a link tag with the specified name to the specified resource if the user is allowed to access it. See #link_to_unless and SecurityContext#action_allowed? for more documentation.
There are two ways of using #link_to_if_allowed
As #link_to with alternative
(or as #link_to_unless without explicit condition)
link_to_if_allowed(name, ={}, =nil) { 'alternative' }
options
either is a hash, like
{ :controller => :comments, :action => edit, :id => @comment }
a string, like
"comments/1/edit"
or
edit_comment_path(@comment)
or a single resource object.
Notice that when providing a string, controller, action and parameters will be parsed. After that, the resource types of the parameters are guessed, the resources are retrieved and the rules of the action are evaluated.
The block will be evaluated if the action is not allowed, like in #link_to_unless.
As #link_to with alternative and explicit objects
link_to_if_allowed(name, ={}, objects=[], params={}, =nil) { 'alternative' }
In this case, controller and action will be derived from options
unless they are specified in params
. All items in objects
and all remaining items in params
will be used for evaluating the rules of the action.
If you want to specify html_options
, provide at least an empty hash for params
.
Unlike to #link_to, you can also provide a symbol as options
value. In this case, the target url will be determined by sending symbol as message, providing objects
and params
as arguments, e.g.
link_to_if_allowed("Show comment", :comment_path, [@article, @comment], {:details => true})
will call
comment_path(@article, @comment, {:details => true})
Examples
<%= link_to_if_allowed("Show", @course) { } %>
<%= link_to_if_allowed("New", new_course_path) { "You may not create a new course." } %>
These two are equivalent, however, the second approach is more efficient:
<%= link_to_if_allowed("Edit", edit_course_path(@course)) { } %>
<%= link_to_if_allowed("Edit", :edit_course_path, @course) { } %>
The HTML-options are taken into account when choosing the action.
<%= link_to_if_allowed("Delete", @course, {:method => :delete}) { } %>
You can also define all values explicitly
<%= link_to_if_allowed("Edit comment", "articles/1/comments/5/edit", [@comment], {:article => @comment.article, :action => :edit, :controller => :comments}) { } %>
Parameters
-
name
Text of the link -
options
-
objects
-
params
-
html_options
142 143 144 145 146 147 148 149 150 151 152 |
# File 'lib/annotation_security/includes/helper.rb', line 142 def link_to_if_allowed(name, , objects=nil, params=nil, =nil, &block) , objects, params, = parse_allow_action_args(, objects, params, ) controller = params.delete :controller action = params.delete :action allowed = SecurityContext.allow_action?(controller, action, objects, params) link_to_if(allowed, name, , , &block) end |