Class: Authorization::Engine

Inherits:

Object

• Object
• Authorization::Engine

Defined in:

lib/declarative_authorization/authorization.rb

Overview

Authorization::Engine implements the reference monitor. It may be used for querying the permission and retrieving obligations under which a certain privilege is granted for the current user.

Defined Under Namespace

Classes: AttributeValidator

Instance Attribute Summary

• #auth_rules ⇒ Object readonly

  Returns the value of attribute auth_rules.

• #omnipotent_roles ⇒ Object readonly

  Returns the value of attribute omnipotent_roles.

• #privilege_hierarchy ⇒ Object readonly

  Returns the value of attribute privilege_hierarchy.

• #privileges ⇒ Object readonly

  Returns the value of attribute privileges.

• #rev_priv_hierarchy ⇒ Object readonly

  Returns the value of attribute rev_priv_hierarchy.

• #rev_role_hierarchy ⇒ Object readonly

  Returns the value of attribute rev_role_hierarchy.

• #role_descriptions ⇒ Object readonly

  Returns the value of attribute role_descriptions.

• #role_hierarchy ⇒ Object readonly

  Returns the value of attribute role_hierarchy.

• #role_titles ⇒ Object readonly

  Returns the value of attribute role_titles.

• #roles ⇒ Object readonly

  Returns the value of attribute roles.

Class Method Summary

• .instance(dsl_file = nil) ⇒ Object

  Returns an instance of Engine, which is created if there isn’t one yet.

Instance Method Summary

• #description_for(role) ⇒ Object

  Returns the description for the given role.

• #initialize(reader = nil) ⇒ Engine constructor

  If reader is not given, a new one is created with the default authorization configuration of AUTH_DSL_FILES.

• #initialize_copy(from) ⇒ Object

  :nodoc:.

• #obligations(privilege, options = {}) ⇒ Object

  Returns the obligations to be met by the current user for the given privilege as an array of obligation hashes in form of [=> obligation_value, …, …] where obligation_value is either (recursively) another obligation hash or a value spec, such as [operator, literal_value] The obligation hashes in the array should be OR’ed, conditions inside the hashes AND’ed.

• #permit!(privilege, options = {}) ⇒ Object

  Returns true if privilege is met by the current user.

• #permit?(privilege, options = {}, &block) ⇒ Boolean

  Calls permit! but rescues the AuthorizationException and returns false instead.

• #roles_for(user) ⇒ Object

  Returns the role symbols of the given user.

• #roles_with_hierarchy_for(user) ⇒ Object

  Returns the role symbols and inherritted role symbols for the given user.

• #title_for(role) ⇒ Object

  Returns the title for the given role.

Constructor Details

#initialize(reader = nil) ⇒ Engine

If reader is not given, a new one is created with the default authorization configuration of AUTH_DSL_FILES. If given, may be either a Reader object or a path to a configuration file.

# File 'lib/declarative_authorization/authorization.rb', line 67

def initialize (reader = nil)
  reader = Reader::DSLReader.factory(reader || AUTH_DSL_FILES)

  @privileges = reader.privileges_reader.privileges
  # {priv => [[priv, ctx],...]}
  @privilege_hierarchy = reader.privileges_reader.privilege_hierarchy
  @auth_rules = reader.auth_rules_reader.auth_rules
  @roles = reader.auth_rules_reader.roles
  @omnipotent_roles = reader.auth_rules_reader.omnipotent_roles
  @role_hierarchy = reader.auth_rules_reader.role_hierarchy

  @role_titles = reader.auth_rules_reader.role_titles
  @role_descriptions = reader.auth_rules_reader.role_descriptions
  @reader = reader
  
  # {[priv, ctx] => [priv, ...]}
  @rev_priv_hierarchy = {}
  @privilege_hierarchy.each do |key, value|
    value.each do |val| 
      @rev_priv_hierarchy[val] ||= []
      @rev_priv_hierarchy[val] << key
    end
  end
  @rev_role_hierarchy = {}
  @role_hierarchy.each do |higher_role, lower_roles|
    lower_roles.each do |role|
      (@rev_role_hierarchy[role] ||= []) << higher_role
    end
  end
end

Instance Attribute Details

#auth_rules ⇒ Object (readonly)

Returns the value of attribute auth_rules.

# File 'lib/declarative_authorization/authorization.rb', line 60

def auth_rules
  @auth_rules
end

#omnipotent_roles ⇒ Object (readonly)

Returns the value of attribute omnipotent_roles.

# File 'lib/declarative_authorization/authorization.rb', line 60

def omnipotent_roles
  @omnipotent_roles
end

#privilege_hierarchy ⇒ Object (readonly)

Returns the value of attribute privilege_hierarchy.

# File 'lib/declarative_authorization/authorization.rb', line 60

def privilege_hierarchy
  @privilege_hierarchy
end

#privileges ⇒ Object (readonly)

Returns the value of attribute privileges.

# File 'lib/declarative_authorization/authorization.rb', line 60

def privileges
  @privileges
end

#rev_priv_hierarchy ⇒ Object (readonly)

Returns the value of attribute rev_priv_hierarchy.

# File 'lib/declarative_authorization/authorization.rb', line 60

def rev_priv_hierarchy
  @rev_priv_hierarchy
end

#rev_role_hierarchy ⇒ Object (readonly)

Returns the value of attribute rev_role_hierarchy.

# File 'lib/declarative_authorization/authorization.rb', line 60

def rev_role_hierarchy
  @rev_role_hierarchy
end

#role_descriptions ⇒ Object (readonly)

Returns the value of attribute role_descriptions.

# File 'lib/declarative_authorization/authorization.rb', line 60

def role_descriptions
  @role_descriptions
end

#role_hierarchy ⇒ Object (readonly)

Returns the value of attribute role_hierarchy.

# File 'lib/declarative_authorization/authorization.rb', line 60

def role_hierarchy
  @role_hierarchy
end

#role_titles ⇒ Object (readonly)

Returns the value of attribute role_titles.

# File 'lib/declarative_authorization/authorization.rb', line 60

def role_titles
  @role_titles
end

#roles ⇒ Object (readonly)

Returns the value of attribute roles.

# File 'lib/declarative_authorization/authorization.rb', line 60

def roles
  @roles
end

Class Method Details

.instance(dsl_file = nil) ⇒ Object

Returns an instance of Engine, which is created if there isn’t one yet. If dsl_file is given, it is passed on to Engine.new and a new instance is always created.

# File 'lib/declarative_authorization/authorization.rb', line 255

def self.instance (dsl_file = nil)
  if dsl_file or ENV['RAILS_ENV'] == 'development'
    @@instance = new(dsl_file)
  else
    @@instance ||= new
  end
end

Instance Method Details

#description_for(role) ⇒ Object

Returns the description for the given role. The description may be specified with the authorization rules. Returns nil if none was given.

# File 'lib/declarative_authorization/authorization.rb', line 218

def description_for (role)
  role_descriptions[role]
end

#initialize_copy(from) ⇒ Object

:nodoc:

# File 'lib/declarative_authorization/authorization.rb', line 98

def initialize_copy (from) # :nodoc:
  [
    :privileges, :privilege_hierarchy, :roles, :role_hierarchy, :role_titles,
    :role_descriptions, :rev_priv_hierarchy, :rev_role_hierarchy
  ].each {|attr| instance_variable_set(:"@#{attr}", from.send(attr).clone) }
  @auth_rules = from.auth_rules.collect {|rule| rule.clone}
end

#obligations(privilege, options = {}) ⇒ Object

Returns the obligations to be met by the current user for the given privilege as an array of obligation hashes in form of

[{:object_attribute => obligation_value, ...}, ...]

where obligation_value is either (recursively) another obligation hash or a value spec, such as

[operator, literal_value]

The obligation hashes in the array should be OR’ed, conditions inside the hashes AND’ed.

Example

{:branch => {:company => [:is, 24]}, :active => [:is, true]}

Options

:context

See permit!

:user

See permit!

# File 'lib/declarative_authorization/authorization.rb', line 203

def obligations (privilege, options = {})
  options = {:context => nil}.merge(options)
  user, roles, privileges = user_roles_privleges_from_options(privilege, options)

  permit!(privilege, :skip_attribute_test => true, :user => user, :context => options[:context])
  
  attr_validator = AttributeValidator.new(self, user, nil, privilege, options[:context])
  matching_auth_rules(roles, privileges, options[:context]).collect do |rule|
    rule.obligations(attr_validator)
  end.flatten
end

#permit!(privilege, options = {}) ⇒ Object

Returns true if privilege is met by the current user. Raises AuthorizationError otherwise. privilege may be given with or without context. In the latter case, the :context option is required.

Options:

:context

The context part of the privilege. Defaults either to the tableized class_name of the given :object, if given. That is, :users for :object of type User.

Raises AuthorizationUsageError if context is missing and not to be infered.

:object

An context object to test attribute checks against.

:skip_attribute_test

Skips those attribute checks in the authorization rules. Defaults to false.

:user

The user to check the authorization for. Defaults to Authorization#current_user.

# File 'lib/declarative_authorization/authorization.rb', line 125

def permit! (privilege, options = {})
  return true if Authorization.ignore_access_control
  options = {
    :object => nil,
    :skip_attribute_test => false,
    :context => nil
  }.merge(options)
  
  # Make sure we're handling all privileges as symbols.
  privilege = privilege.is_a?( Array ) ?
              privilege.flatten.collect { |priv| priv.to_sym } :
              privilege.to_sym
  
  #
  # If the object responds to :proxy_reflection, we're probably working with
  # an association proxy.  Use 'new' to leverage ActiveRecord's builder
  # functionality to obtain an object against which we can check permissions.
  #
  # Example: permit!( :edit, :object => user.posts )
  #
  if options[:object].respond_to?( :proxy_reflection ) && options[:object].respond_to?( :new )
    options[:object] = options[:object].new
  end
  
  options[:context] ||= options[:object] && (
    options[:object].class.respond_to?(:decl_auth_context) ?
        options[:object].class.decl_auth_context :
        options[:object].class.name.tableize.to_sym
  ) rescue NoMethodError
  
  user, roles, privileges = user_roles_privleges_from_options(privilege, options)

  return true if roles.is_a?(Array) and not (roles & @omnipotent_roles).empty?

  # find a authorization rule that matches for at least one of the roles and 
  # at least one of the given privileges
  attr_validator = AttributeValidator.new(self, user, options[:object], privilege, options[:context])
  rules = matching_auth_rules(roles, privileges, options[:context])
  if rules.empty?
    raise NotAuthorized, "No matching rules found for #{privilege} for #{user.inspect} " +
      "(roles #{roles.inspect}, privileges #{privileges.inspect}, " +
      "context #{options[:context].inspect})."
  end
  
  # Test each rule in turn to see whether any one of them is satisfied.
  unless rules.any? {|rule| rule.validate?(attr_validator, options[:skip_attribute_test])}
    raise AttributeAuthorizationError, "#{privilege} not allowed for #{user.inspect} on #{(options[:object] || options[:context]).inspect}."
  end
  true
end

#permit?(privilege, options = {}, &block) ⇒ Boolean

Calls permit! but rescues the AuthorizationException and returns false instead. If no exception is raised, permit? returns true and yields to the optional block.

Returns:

• (Boolean)

# File 'lib/declarative_authorization/authorization.rb', line 179

def permit? (privilege, options = {}, &block) # :yields:
  permit!(privilege, options)
  yield if block_given?
  true
rescue NotAuthorized
  false
end

#roles_for(user) ⇒ Object

Returns the role symbols of the given user.

Raises:

• (AuthorizationUsageError)

# File 'lib/declarative_authorization/authorization.rb', line 230

def roles_for (user)
  user ||= Authorization.current_user
  raise AuthorizationUsageError, "User object doesn't respond to roles (#{user.inspect})" \
    if !user.respond_to?(:role_symbols) and !user.respond_to?(:roles)

  RAILS_DEFAULT_LOGGER.info("The use of user.roles is deprecated.  Please add a method " +
      "role_symbols to your User model.") if defined?(RAILS_DEFAULT_LOGGER) and !user.respond_to?(:role_symbols)

  roles = user.respond_to?(:role_symbols) ? user.role_symbols : user.roles

  raise AuthorizationUsageError, "User.#{user.respond_to?(:role_symbols) ? 'role_symbols' : 'roles'} " +
    "doesn't return an Array of Symbols (#{roles.inspect})" \
        if !roles.is_a?(Array) or (!roles.empty? and !roles[0].is_a?(Symbol))

  (roles.empty? ? [:guest] : roles)
end

#roles_with_hierarchy_for(user) ⇒ Object

Returns the role symbols and inherritted role symbols for the given user

# File 'lib/declarative_authorization/authorization.rb', line 248

def roles_with_hierarchy_for(user)
  flatten_roles(roles_for(user))
end

#title_for(role) ⇒ Object

Returns the title for the given role. The title may be specified with the authorization rules. Returns nil if none was given.

# File 'lib/declarative_authorization/authorization.rb', line 225

def title_for (role)
  role_titles[role]
end