Class: Authorizer::Base

Inherits:
ApplicationController show all
Defined in:
lib/authorizer/base.rb

Direct Known Subclasses

Admin

Class Method Summary collapse

Class Method Details

.authorize(options = {}) ⇒ Object

Return true if a user is authorized to act upon this object. Return false if this is not the case. Synonym for user_is_authorized? Params:

  • :user (default: current_user)

  • :object



120
121
122
 
# File 'lib/authorizer/base.rb', line 120

def self.authorize(options = {})
  user_is_authorized?(options) # Could't get alias_method to work. Don't ask me why.
end

.authorize!(options = {}) ⇒ Object

Return true if a user is authorized to act upon this object. Raises Authorizer::UserNotAuthorized upon failure. Params:

  • :user (default: current_user)

  • :object

Raises:



62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
 
# File 'lib/authorizer/base.rb', line 62

def self.authorize! options = {}
  auth_ok = user_is_authorized?(options)

  # User can override error message
  message = options[:message]
  # Attempt to fetch from I18n
  begin
    message ||= I18n.translate!("authorizer.access_denied")
  rescue
  end
  # Default error message
  message ||= "You are not authorized to access this resource."

  raise Authorizer::UserNotAuthorized.new(message) unless auth_ok

  auth_ok
end

.authorize_user(options = {}) ⇒ Object

Authorize the current user (retrieved by calling current_user on the object passed using the :object parameter. The user can also be explicly spcified using :user. If no :role is specified, “owner” is used.

Params:

- :user (default: current_user)
- :object
- :role

Example: Authorizer::Base.authorize_user :object => object



24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
 
# File 'lib/authorizer/base.rb', line 24

def self.authorize_user(options = {})
  ret = false

  object = options[:object]
  role = options[:role] || "owner"
  user = options[:user] || get_current_user
  
  # User can specify the object using a block, too.
  if block_given?
    object = yield
  end

  return false if basic_check_fails?(options)

  check_user(user)
  # Checks done. Let's go.

  if !object.nil? && !user.nil?
    or_ = find_object_role(object, user)
  end

  # This time, we want it to be nil.
  if or_.nil? && !user.nil?
    klazz_name = object.class.to_s
    object_reference = object.id

    ObjectRole.create!( :klazz_name => klazz_name, :object_reference => object_reference, :user => user, :role => role )
    Rails.logger.debug("Authorizer: created authorization on #{object} for current_user with ID #{user.id} with role #{role}")
    ret = true
  end

  ret
end

.count(class_name, options = {}) ⇒ Object

From the entire collection of Posts in the database, return the number of Posts that belong to the current user. Returns nil upon failure, returns a positive integer or 0 on success.



159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
 
# File 'lib/authorizer/base.rb', line 159

def self.count(class_name, options = {})
  ret = nil
  
  user = options[:user] || get_current_user
  find_options = options[:find_options] || {}
  
  if !class_name.blank? && !user.blank?
    begin
      ret = Authorizer::Base.find(class_name, :all, find_options, { :user => user }).count
    rescue => e
      Rails.logger.warn("#{__FILE__}: #{__LINE__}: Failed to count objects for class_name '#{class_name}' for user #{user.inspect}. Error was: #{e}")
    end
  end
  
  ret
end

.create_ownership(object) ⇒ Object

Shortcut for user_is_authorized. Takes the actual object as a parameter instead of a Hash.



199
200
201
202
203
204
205
206
207
 
# File 'lib/authorizer/base.rb', line 199

def self.create_ownership object
  ret = false

  return ret if basic_check_fails?(object)

  ret = authorize_user( :object => object )

  ret
end

.find(class_name, what, find_options = {}, authorizer_options = {}) ⇒ Object

From the entire collection of Posts, return the subset that belongs to the current user.

Arguments:

- class_name: which class to use, e.g. "Post"
- what: will be passed on to the ActiveRecord find function (e.g. Post.find(what))
- find_options: will also be passed on (e.g. Post.find(what, find_options))
- authorizer_options: options for authorizer, e.g. { :user => @user }



183
184
185
186
187
188
 
# File 'lib/authorizer/base.rb', line 183

def self.find(class_name, what, find_options = {}, authorizer_options = {})
  options = { :class_name => class_name, :what => what, :find_options => find_options }
  my_options = authorizer_options.merge(options) # options overrides user-specified options.

  internal_find(my_options)
end

.find_user_for_object(obj) ⇒ Object

Find the user that owns this object, if any. Returns the owning User object, or nil.



211
212
213
214
215
216
217
218
219
220
221
222
 
# File 'lib/authorizer/base.rb', line 211

def self.find_user_for_object(obj)
  ret = nil
  object_role = nil
  
  begin
    object_role = ObjectRole.find(:first, :conditions => { :klazz_name => obj.class.to_s, :object_reference => obj.id })
    ret = User.find(object_role.user_id)
  rescue
  end
  
  ret
end

.is_authorized?(object) ⇒ Boolean

Return true if a user is authorized to act upon this object. Return false if this is not the case. Synonym for user_is_authorized

This method’s only parameter is the object to be checked for authorization so you don’t have to type :object => object.

Returns:

  • (Boolean) 


194
195
196
 
# File 'lib/authorizer/base.rb', line 194

def self.is_authorized? object
  user_is_authorized? :object => object
end

.remove_authorization(options = {}) ⇒ Object

Remove authorization from a certain object. Returns true upon success and false upon failure. Params:

  • :user (default: current_user)

  • :object



128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
 
# File 'lib/authorizer/base.rb', line 128

def self.remove_authorization options = {}
  OptionsChecker.check(options, [ :object ])

  ret = false

  return ret if basic_check_fails?(options)

  object = options[:object]
  user = options[:user] || get_current_user

  # Check
  check_user(user)
  # Checks done. Let's go.

  unless user.nil?
    or_ = find_object_role(object, user)
  end

  unless or_.nil?
    Rails.logger.debug("Authorizer: removed authorization for user ID #{user.id} on #{or_.description}")

    or_.destroy

    ret = true
  end

  ret
end

.user_is_authorized?(options = {}) ⇒ Boolean

Return true if a user is authorized to act upon this object. Return false if this is not the case. Params:

  • :user (default: current_user)

  • :object

Returns:

  • (Boolean) 


84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
 
# File 'lib/authorizer/base.rb', line 84

def self.user_is_authorized? options = {}
  OptionsChecker.check(options, [ :object ])

  ret = false

  check = basic_check_fails?(options)
  return ret if check

  object = options[:object]
  user = options[:user] || get_current_user

  # Checks
  check_user(user)
  # Checks done. Let's go.

  or_ = find_object_role(object, user)
    
  # Congratulations, you've been Authorized.
  unless or_.nil?
    ret = true
  end

  if ret
    Rails.logger.debug("Authorizer: authorized current_user with ID #{user.id} to access #{or_.description} because of role #{or_.role}") unless user.nil? || or_.nil?
  else
    Rails.logger.debug("Authorizer: authorization failed for current_user with ID #{user.id} to access #{object.inspect}") unless user.nil? || object.nil?
  end

  ret
end