Module: Constellation::Authorization::Base::EvalParser

Included in:
ControllerInstanceMethods
Defined in:
lib/constellation/authorization/parser.rb

Instance Method Summary collapse

Instance Method Details

#parse_authorization_expression(str) ⇒ Object

Parses and evaluates an authorization expression and returns true or false.

The authorization expression is defined by the following grammar:

       <expr> ::= (<expr>) | not <expr> | <term> or <expr> | <term> and <expr> | <term>
       <term> ::= <role> | <role> <preposition> <model>
<preposition> ::= of | for | in | on | to | at | by
      <model> ::= /:*\w+/
       <role> ::= /\w+/ | /'.*'/

Instead of doing recursive descent parsing (not so fun when we support nested parentheses, etc), we let Ruby do the work for us by inserting the appropriate permission calls and using eval. This would not be a good idea if you were getting authorization expressions from the outside, so in that case (e.g. somehow letting users literally type in permission expressions) you’d be better off using the recursive descent parser in Module RecursiveDescentParser.

We search for parts of our authorization evaluation that match <role> or <role> <preposition> <model> and we ignore anything terminal in our grammar.

1) Replace all <role> <preposition> <model> matches. 2) Replace all <role> matches that aren’t one of our other terminals (‘not’, ‘or’, ‘and’, or preposition) 3) Eval



32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
 
# File 'lib/constellation/authorization/parser.rb', line 32

def parse_authorization_expression( str )
  if str =~ /[^A-Za-z0-9_:'\(\)\s]/
    raise AuthorizationExpressionInvalid, "Invalid authorization expression (#{str})"
    return false
  end
  @replacements = []
  expr = replace_temporarily_role_of_model( str )
  expr = replace_role( expr )
  expr = replace_role_of_model( expr )
  begin
    instance_eval( expr )
  rescue Exception => error
    raise AuthorizationExpressionInvalid, "Cannot parse authorization (#{str}): #{error.message}"
  end
end

#process_role(role_name) ⇒ Object

Raises:



82
83
84
85
86
 
# File 'lib/constellation/authorization/parser.rb', line 82

def process_role( role_name )
  return false if @current_user.nil? || @current_user == :false
  raise( UserDoesntImplementRoles, "User doesn't implement #has_role?" ) if not @current_user.respond_to? :has_role?
  @current_user.has_role?( role_name )
end

#process_role_of_model(role_name, model_name) ⇒ Object

Raises:



76
77
78
79
80
 
# File 'lib/constellation/authorization/parser.rb', line 76

def process_role_of_model( role_name, model_name )
  model = get_model( model_name )
  raise( ModelDoesntImplementRoles, "Model (#{model_name}) doesn't implement #accepts_role?" ) if not model.respond_to? :accepts_role?
  model.send( :accepts_role?, role_name, @current_user )
end

#replace_role(str) ⇒ Object 



58
59
60
61
62
63
64
65
66
67
68
 
# File 'lib/constellation/authorization/parser.rb', line 58

def replace_role( str )
  role_regex = '\s*(\'\s*(.+?)\s*\'|([A-Za-z]\w*))\s*'
  parse_regex = Regexp.new(role_regex)
  str.gsub(parse_regex) do |match|
    if BOOLEAN_OPS.include?($3)
      " #{match} "
    else
      " process_role('#{$2 || $3}') "
    end
  end
end

#replace_role_of_model(str) ⇒ Object 



70
71
72
73
74
 
# File 'lib/constellation/authorization/parser.rb', line 70

def replace_role_of_model( str )
  str.gsub(/<(\d+)>/) do |match|
    @replacements[$1.to_i]
  end
end

#replace_temporarily_role_of_model(str) ⇒ Object 



48
49
50
51
52
53
54
55
56
 
# File 'lib/constellation/authorization/parser.rb', line 48

def replace_temporarily_role_of_model( str )
  role_regex = '\s*(\'\s*(.+?)\s*\'|(\w+))\s+'
  model_regex = '\s+(:*\w+)'
  parse_regex = Regexp.new(role_regex + '(' + VALID_PREPOSITIONS.join('|') + ')' + model_regex)
  str.gsub(parse_regex) do |match|
    @replacements.push " process_role_of_model('#{$2 || $3}', '#{$5}') "
    " <#{@replacements.length-1}> "
  end
end