Class: Ability

Inherits:
Object
Includes:
CanCan::Ability
Defined in:
app/models/ability.rb

Defined Under Namespace

Classes: AttributeResourceType, GroupResourceType, LayerResourceType, Roles, ToolResourceType, TopicResourceType, WfsResourceType, WmsResourceType

Instance Attribute Summary

Instance Method Summary

Constructor Details

#initialize(ability_roles) ⇒ Ability




# File 'app/models/ability.rb', line 223

# Builds the CanCan rule set for the given role holder.
#
# @param ability_roles [Object] role holder; must respond to `has_role?(:admin)`
#   and to `roles` (read through the #roles accessor)
#
# `has_role?(:admin)` is the single gate for full access: an admin gets
# `can :manage, :all`, rails_admin access and the dashboard, and nothing else is
# evaluated. Every other user gets one rule set per resource type plus the
# access filters that #access_filter later resolves.
#
# CanCan reminder: `can action, resource, conditions` — `:manage` covers every
# action, `:all` covers every resource, the optional conditions hash narrows
# the matching objects (e.g. `can :update, Article, :published => true`).
# See https://github.com/ryanb/cancan/wiki/Defining-Abilities
#
# Design notes — use cases these rules have to cover:
# * Intranet vs. internet: a different number of topics is available.
# * Intranet: logging in unlocks additional topics a normal intranet user cannot see.
# * Applications listed in the topic list for everyone, but a login (key icon)
#   is required to switch to the map.
# * Applications that only appear in the topic list after a successful login.
# * Neophyte application:
#   - different cantons: different start extent, different background layers
#   - roles: basic recorder (edits own entries only), verifier (own entries and
#     those of basic recorders), expert (own entries and those of basic recorders
#     and experts), administrator (all entries, plus the user administration of
#     the own canton)
# * Soil protection office application: a municipality user only sees entries
#   within the own municipality; the administrator sees all entries.
#
# Resource types:
# * Topics: a/b
# * Layers: a/b/c
# * Attributes (show/hide fields in info queries): a/b/c
# * Widgets (e.g. prevent printing, hide options): a
# * Parts of a widget (e.g. suppress single form fields, enable buttons/options): a/b
# * Tools (buttons on toolbars): a/b
# * (?) single functions (e.g. restricting scale range or map extent) (via filter?)
#
# Actions:
# * Status: hidden / visible (a) --- disabled / enabled (b) --- edit (c)
# * Action: index --- show --- edit
# * e.g. neophytes: role-specific filters (SQL), such as selecting only the
#   points recorded by user XY
def initialize(ability_roles)
  # Custom action aliases. CanCan's defaults are index/show -> read,
  # new -> create, edit -> update (https://github.com/ryanb/cancan/wiki/Action-Aliases).
  # Registration order is kept as-is: each alias is declared before the one that builds on it.
  alias_action :index, :to => :show                         # show implies index
  alias_action :index, :show, :legend, :query, :to => :edit # edit implies index, show, legend, query
  alias_action :legend, :query, :to => :show                # show implies legend and query

  @access_filters = {}
  @ability_roles = ability_roles

  if @ability_roles.has_role?(:admin)
    # Full access; also unlocks rails_admin (https://github.com/sferik/rails_admin/wiki/CanCan).
    can :manage, :all
    can :access, :rails_admin
    can :dashboard
    return
  end

  # TODO: allow editing the own password (`can :change_password, User, ...`).

  # Non-admin users: each resource type registers its own rules, in this order.
  [
    TopicResourceType,     # topic permissions
    WmsResourceType,       # WMS permissions
    WfsResourceType,       # WFS permissions
    LayerResourceType,     # layer permissions
    AttributeResourceType, # attribute permissions
    GroupResourceType,     # group permissions
    ToolResourceType       # tool permissions
  ].each { |resource_type| resource_type.new.add_ability(self, roles) }

  # Access filters, nested as resource_type => topic => layer => condition.
  # `resource` is read as "topic/layer"; a "*" on either level acts as a wildcard
  # that #access_filter resolves. NOTE(review): split('/') keeps only the first two
  # segments, and a resource without "/" leaves `layer` nil — confirm inputs are well-formed.
  AccessFilter.for_roles(roles).each do |access_filter|
    topic, layer = access_filter.resource.split('/')
    by_type = (@access_filters[access_filter.resource_type] ||= {})
    by_topic = (by_type[topic] ||= {})
    by_topic[layer] = access_filter.parse_condition
  end
end

Instance Attribute Details

#ability_roles ⇒ Object (readonly)

Returns the value of attribute ability_roles.



# File 'app/models/ability.rb', line 4

# The role holder this ability was built from (the `ability_roles` argument of #initialize).
#
# @return [Object] the object handed to the constructor, returned as-is
#   (neither copied nor validated here)
def ability_roles
  @ability_roles
end

Instance Method Details

#access_filter(resource_type, topic, layer) ⇒ Object

A specific topic/layer entry takes precedence over the “*” wildcard. Priorities: topic/layer > topic/* > */layer > */*



# File 'app/models/ability.rb', line 333

# Looks up the access filter (the parsed condition stored by #initialize) for a
# resource type, topic and layer, resolving "*" wildcards.
#
# Precedence, most specific first: topic/layer > topic/* > */layer > */*.
# The wildcard topic is only consulted when the specific topic yields nothing.
#
# @param resource_type [Object] first-level key of @access_filters
# @param topic [String, nil] topic name or "*"
# @param layer [String, nil] layer name or "*"
# @return [Object, nil] the stored condition, or nil when no entry matches —
#   nil only says "no filter registered"; how callers treat that is decided elsewhere
def access_filter(resource_type, topic, layer)
  by_type = @access_filters[resource_type]
  return nil if by_type.nil?

  # topic/layer, then topic/*
  by_topic = by_type[topic]
  filter = by_topic && (by_topic[layer] || by_topic["*"])

  # */layer, then */* — only when the specific topic gave nothing
  if filter.nil?
    by_wildcard = by_type["*"]
    filter = by_wildcard && (by_wildcard[layer] || by_wildcard["*"])
  end

  filter
end

#roles ⇒ Object



# File 'app/models/ability.rb', line 322

# Roles of the current role holder, delegated to `@ability_roles.roles`.
# Used by #initialize when registering resource-type rules and access filters,
# and by #user_permissions.
#
# @return [Object] whatever the role holder's `roles` returns (not interpreted here)
def roles
  holder = @ability_roles
  holder.roles
end

#user_permissions(action, resource) ⇒ Object



# File 'app/models/ability.rb', line 326

# Permissions the current roles hold for `action` on `resource`, delegated to
# the Permission::ResourceType selected by the resource's class.
#
# @param action [Symbol, String] action being checked
# @param resource [Object] instance whose class picks the resource type
# @return [Object] whatever `roles_permissions` returns (not interpreted here)
def user_permissions(action, resource)
  Permission::ResourceType
    .for_class(resource.class)
    .roles_permissions(roles, action, resource)
end