Class: Authorization::Engine
- Inherits:
-
Object
- Object
- Authorization::Engine
- Defined in:
- lib/declarative_authorization/authorization.rb
Overview
Authorization::Engine implements the reference monitor. It may be used for querying the permission and retrieving obligations under which a certain privilege is granted for the current user.
Defined Under Namespace
Classes: AttributeValidator
Instance Attribute Summary collapse
-
#auth_rules ⇒ Object
readonly
Returns the value of attribute auth_rules.
-
#omnipotent_roles ⇒ Object
readonly
Returns the value of attribute omnipotent_roles.
-
#privilege_hierarchy ⇒ Object
readonly
Returns the value of attribute privilege_hierarchy.
-
#privileges ⇒ Object
readonly
Returns the value of attribute privileges.
-
#rev_priv_hierarchy ⇒ Object
readonly
Returns the value of attribute rev_priv_hierarchy.
-
#rev_role_hierarchy ⇒ Object
readonly
Returns the value of attribute rev_role_hierarchy.
-
#role_descriptions ⇒ Object
readonly
Returns the value of attribute role_descriptions.
-
#role_hierarchy ⇒ Object
readonly
Returns the value of attribute role_hierarchy.
-
#role_titles ⇒ Object
readonly
Returns the value of attribute role_titles.
-
#roles ⇒ Object
readonly
Returns the value of attribute roles.
Class Method Summary collapse
-
.instance(dsl_file = nil) ⇒ Object
Returns an instance of Engine, which is created if there isn’t one yet.
Instance Method Summary collapse
-
#description_for(role) ⇒ Object
Returns the description for the given role.
-
#initialize(reader = nil) ⇒ Engine
constructor
If
reader
is not given, a new one is created with the default authorization configuration ofAUTH_DSL_FILES
. -
#initialize_copy(from) ⇒ Object
:nodoc:.
-
#obligations(privilege, options = {}) ⇒ Object
Returns the obligations to be met by the current user for the given privilege as an array of obligation hashes in form of [=> obligation_value, …, …] where
obligation_value
is either (recursively) another obligation hash or a value spec, such as [operator, literal_value] The obligation hashes in the array should be OR’ed, conditions inside the hashes AND’ed. -
#permit!(privilege, options = {}) ⇒ Object
Returns true if privilege is met by the current user.
-
#permit?(privilege, options = {}, &block) ⇒ Boolean
Calls permit! but rescues the AuthorizationException and returns false instead.
-
#roles_for(user) ⇒ Object
Returns the role symbols of the given user.
-
#roles_with_hierarchy_for(user) ⇒ Object
Returns the role symbols and inherritted role symbols for the given user.
-
#title_for(role) ⇒ Object
Returns the title for the given role.
Constructor Details
#initialize(reader = nil) ⇒ Engine
If reader
is not given, a new one is created with the default authorization configuration of AUTH_DSL_FILES
. If given, may be either a Reader object or a path to a configuration file.
76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 |
# File 'lib/declarative_authorization/authorization.rb', line 76 def initialize (reader = nil) reader = Reader::DSLReader.factory(reader || AUTH_DSL_FILES) @privileges = reader.privileges_reader.privileges # {priv => [[priv, ctx],...]} @privilege_hierarchy = reader.privileges_reader.privilege_hierarchy @auth_rules = reader.auth_rules_reader.auth_rules @roles = reader.auth_rules_reader.roles @omnipotent_roles = reader.auth_rules_reader.omnipotent_roles @role_hierarchy = reader.auth_rules_reader.role_hierarchy @role_titles = reader.auth_rules_reader.role_titles @role_descriptions = reader.auth_rules_reader.role_descriptions @reader = reader # {[priv, ctx] => [priv, ...]} @rev_priv_hierarchy = {} @privilege_hierarchy.each do |key, value| value.each do |val| @rev_priv_hierarchy[val] ||= [] @rev_priv_hierarchy[val] << key end end @rev_role_hierarchy = {} @role_hierarchy.each do |higher_role, lower_roles| lower_roles.each do |role| (@rev_role_hierarchy[role] ||= []) << higher_role end end end |
Instance Attribute Details
#auth_rules ⇒ Object (readonly)
Returns the value of attribute auth_rules.
69 70 71 |
# File 'lib/declarative_authorization/authorization.rb', line 69 def auth_rules @auth_rules end |
#omnipotent_roles ⇒ Object (readonly)
Returns the value of attribute omnipotent_roles.
69 70 71 |
# File 'lib/declarative_authorization/authorization.rb', line 69 def omnipotent_roles @omnipotent_roles end |
#privilege_hierarchy ⇒ Object (readonly)
Returns the value of attribute privilege_hierarchy.
69 70 71 |
# File 'lib/declarative_authorization/authorization.rb', line 69 def privilege_hierarchy @privilege_hierarchy end |
#privileges ⇒ Object (readonly)
Returns the value of attribute privileges.
69 70 71 |
# File 'lib/declarative_authorization/authorization.rb', line 69 def privileges @privileges end |
#rev_priv_hierarchy ⇒ Object (readonly)
Returns the value of attribute rev_priv_hierarchy.
69 70 71 |
# File 'lib/declarative_authorization/authorization.rb', line 69 def rev_priv_hierarchy @rev_priv_hierarchy end |
#rev_role_hierarchy ⇒ Object (readonly)
Returns the value of attribute rev_role_hierarchy.
69 70 71 |
# File 'lib/declarative_authorization/authorization.rb', line 69 def rev_role_hierarchy @rev_role_hierarchy end |
#role_descriptions ⇒ Object (readonly)
Returns the value of attribute role_descriptions.
69 70 71 |
# File 'lib/declarative_authorization/authorization.rb', line 69 def role_descriptions @role_descriptions end |
#role_hierarchy ⇒ Object (readonly)
Returns the value of attribute role_hierarchy.
69 70 71 |
# File 'lib/declarative_authorization/authorization.rb', line 69 def role_hierarchy @role_hierarchy end |
#role_titles ⇒ Object (readonly)
Returns the value of attribute role_titles.
69 70 71 |
# File 'lib/declarative_authorization/authorization.rb', line 69 def role_titles @role_titles end |
#roles ⇒ Object (readonly)
Returns the value of attribute roles.
69 70 71 |
# File 'lib/declarative_authorization/authorization.rb', line 69 def roles @roles end |
Class Method Details
.instance(dsl_file = nil) ⇒ Object
Returns an instance of Engine, which is created if there isn’t one yet. If dsl_file
is given, it is passed on to Engine.new and a new instance is always created.
264 265 266 267 268 269 270 |
# File 'lib/declarative_authorization/authorization.rb', line 264 def self.instance (dsl_file = nil) if dsl_file or ENV['RAILS_ENV'] == 'development' @@instance = new(dsl_file) else @@instance ||= new end end |
Instance Method Details
#description_for(role) ⇒ Object
Returns the description for the given role. The description may be specified with the authorization rules. Returns nil
if none was given.
227 228 229 |
# File 'lib/declarative_authorization/authorization.rb', line 227 def description_for (role) role_descriptions[role] end |
#initialize_copy(from) ⇒ Object
:nodoc:
107 108 109 110 111 112 113 |
# File 'lib/declarative_authorization/authorization.rb', line 107 def initialize_copy (from) # :nodoc: [ :privileges, :privilege_hierarchy, :roles, :role_hierarchy, :role_titles, :role_descriptions, :rev_priv_hierarchy, :rev_role_hierarchy ].each {|attr| instance_variable_set(:"@#{attr}", from.send(attr).clone) } @auth_rules = from.auth_rules.collect {|rule| rule.clone} end |
#obligations(privilege, options = {}) ⇒ Object
Returns the obligations to be met by the current user for the given privilege as an array of obligation hashes in form of
[{:object_attribute => obligation_value, ...}, ...]
where obligation_value
is either (recursively) another obligation hash or a value spec, such as
[operator, literal_value]
The obligation hashes in the array should be OR’ed, conditions inside the hashes AND’ed.
Example
{:branch => {:company => [:is, 24]}, :active => [:is, true]}
Options
- :
context
-
See permit!
- :
user
-
See permit!
212 213 214 215 216 217 218 219 220 221 222 |
# File 'lib/declarative_authorization/authorization.rb', line 212 def obligations (privilege, = {}) = {:context => nil}.merge() user, roles, privileges = (privilege, ) permit!(privilege, :skip_attribute_test => true, :user => user, :context => [:context]) attr_validator = AttributeValidator.new(self, user, nil, privilege, [:context]) matching_auth_rules(roles, privileges, [:context]).collect do |rule| rule.obligations(attr_validator) end.flatten end |
#permit!(privilege, options = {}) ⇒ Object
Returns true if privilege is met by the current user. Raises AuthorizationError otherwise. privilege
may be given with or without context. In the latter case, the :context
option is required.
Options:
- :
context
-
The context part of the privilege. Defaults either to the tableized
class_name
of the given :object
, if given. That is, :users
for :object
of type User.Raises AuthorizationUsageError if context is missing and not to be infered.
- :
object
-
An context object to test attribute checks against.
- :
skip_attribute_test
-
Skips those attribute checks in the authorization rules. Defaults to false.
- :
user
-
The user to check the authorization for. Defaults to Authorization#current_user.
134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 |
# File 'lib/declarative_authorization/authorization.rb', line 134 def permit! (privilege, = {}) return true if Authorization.ignore_access_control = { :object => nil, :skip_attribute_test => false, :context => nil }.merge() # Make sure we're handling all privileges as symbols. privilege = privilege.is_a?( Array ) ? privilege.flatten.collect { |priv| priv.to_sym } : privilege.to_sym # # If the object responds to :proxy_reflection, we're probably working with # an association proxy. Use 'new' to leverage ActiveRecord's builder # functionality to obtain an object against which we can check permissions. # # Example: permit!( :edit, :object => user.posts ) # if [:object].respond_to?( :proxy_reflection ) && [:object].respond_to?( :new ) [:object] = [:object].new end [:context] ||= [:object] && ( [:object].class.respond_to?(:decl_auth_context) ? [:object].class.decl_auth_context : [:object].class.name.tableize.to_sym ) rescue NoMethodError user, roles, privileges = (privilege, ) return true if roles.is_a?(Array) and not (roles & @omnipotent_roles).empty? # find a authorization rule that matches for at least one of the roles and # at least one of the given privileges attr_validator = AttributeValidator.new(self, user, [:object], privilege, [:context]) rules = matching_auth_rules(roles, privileges, [:context]) if rules.empty? raise NotAuthorized, "No matching rules found for #{privilege} for #{user.inspect} " + "(roles #{roles.inspect}, privileges #{privileges.inspect}, " + "context #{[:context].inspect})." end # Test each rule in turn to see whether any one of them is satisfied. unless rules.any? {|rule| rule.validate?(attr_validator, [:skip_attribute_test])} raise AttributeAuthorizationError, "#{privilege} not allowed for #{user.inspect} on #{([:object] || [:context]).inspect}." end true end |
#permit?(privilege, options = {}, &block) ⇒ Boolean
Calls permit! but rescues the AuthorizationException and returns false instead. If no exception is raised, permit? returns true and yields to the optional block.
188 189 190 191 192 193 194 |
# File 'lib/declarative_authorization/authorization.rb', line 188 def permit? (privilege, = {}, &block) # :yields: permit!(privilege, ) yield if block_given? true rescue NotAuthorized false end |
#roles_for(user) ⇒ Object
Returns the role symbols of the given user.
239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 |
# File 'lib/declarative_authorization/authorization.rb', line 239 def roles_for (user) user ||= Authorization.current_user raise AuthorizationUsageError, "User object doesn't respond to roles (#{user.inspect})" \ if !user.respond_to?(:role_symbols) and !user.respond_to?(:roles) RAILS_DEFAULT_LOGGER.info("The use of user.roles is deprecated. Please add a method " + "role_symbols to your User model.") if defined?(RAILS_DEFAULT_LOGGER) and !user.respond_to?(:role_symbols) roles = user.respond_to?(:role_symbols) ? user.role_symbols : user.roles raise AuthorizationUsageError, "User.#{user.respond_to?(:role_symbols) ? 'role_symbols' : 'roles'} " + "doesn't return an Array of Symbols (#{roles.inspect})" \ if !roles.is_a?(Array) or (!roles.empty? and !roles[0].is_a?(Symbol)) (roles.empty? ? [Authorization.default_role] : roles) end |
#roles_with_hierarchy_for(user) ⇒ Object
Returns the role symbols and inherritted role symbols for the given user
257 258 259 |
# File 'lib/declarative_authorization/authorization.rb', line 257 def roles_with_hierarchy_for(user) flatten_roles(roles_for(user)) end |
#title_for(role) ⇒ Object
Returns the title for the given role. The title may be specified with the authorization rules. Returns nil
if none was given.
234 235 236 |
# File 'lib/declarative_authorization/authorization.rb', line 234 def title_for (role) role_titles[role] end |