Class: Authorization::Engine

Inherits:
Object
  • Object
show all
Defined in:
lib/declarative_authorization/authorization.rb

Overview

Authorization::Engine implements the reference monitor. It may be used for querying the permission and retrieving obligations under which a certain privilege is granted for the current user.

Defined Under Namespace

Classes: AttributeValidator

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(reader = nil) ⇒ Engine

If reader is not given, a new one is created with the default authorization configuration of AUTH_DSL_FILES. If given, may be either a Reader object or a path to a configuration file.



76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
# File 'lib/declarative_authorization/authorization.rb', line 76

def initialize (reader = nil)
  reader = Reader::DSLReader.factory(reader || AUTH_DSL_FILES)

  @privileges = reader.privileges_reader.privileges
  # {priv => [[priv, ctx],...]}
  @privilege_hierarchy = reader.privileges_reader.privilege_hierarchy
  @auth_rules = reader.auth_rules_reader.auth_rules
  @roles = reader.auth_rules_reader.roles
  @omnipotent_roles = reader.auth_rules_reader.omnipotent_roles
  @role_hierarchy = reader.auth_rules_reader.role_hierarchy

  @role_titles = reader.auth_rules_reader.role_titles
  @role_descriptions = reader.auth_rules_reader.role_descriptions
  @reader = reader
  
  # {[priv, ctx] => [priv, ...]}
  @rev_priv_hierarchy = {}
  @privilege_hierarchy.each do |key, value|
    value.each do |val| 
      @rev_priv_hierarchy[val] ||= []
      @rev_priv_hierarchy[val] << key
    end
  end
  @rev_role_hierarchy = {}
  @role_hierarchy.each do |higher_role, lower_roles|
    lower_roles.each do |role|
      (@rev_role_hierarchy[role] ||= []) << higher_role
    end
  end
end

Instance Attribute Details

#auth_rulesObject (readonly)

Returns the value of attribute auth_rules.



69
70
71
# File 'lib/declarative_authorization/authorization.rb', line 69

def auth_rules
  @auth_rules
end

#omnipotent_rolesObject (readonly)

Returns the value of attribute omnipotent_roles.



69
70
71
# File 'lib/declarative_authorization/authorization.rb', line 69

def omnipotent_roles
  @omnipotent_roles
end

#privilege_hierarchyObject (readonly)

Returns the value of attribute privilege_hierarchy.



69
70
71
# File 'lib/declarative_authorization/authorization.rb', line 69

def privilege_hierarchy
  @privilege_hierarchy
end

#privilegesObject (readonly)

Returns the value of attribute privileges.



69
70
71
# File 'lib/declarative_authorization/authorization.rb', line 69

def privileges
  @privileges
end

#rev_priv_hierarchyObject (readonly)

Returns the value of attribute rev_priv_hierarchy.



69
70
71
# File 'lib/declarative_authorization/authorization.rb', line 69

def rev_priv_hierarchy
  @rev_priv_hierarchy
end

#rev_role_hierarchyObject (readonly)

Returns the value of attribute rev_role_hierarchy.



69
70
71
# File 'lib/declarative_authorization/authorization.rb', line 69

def rev_role_hierarchy
  @rev_role_hierarchy
end

#role_descriptionsObject (readonly)

Returns the value of attribute role_descriptions.



69
70
71
# File 'lib/declarative_authorization/authorization.rb', line 69

def role_descriptions
  @role_descriptions
end

#role_hierarchyObject (readonly)

Returns the value of attribute role_hierarchy.



69
70
71
# File 'lib/declarative_authorization/authorization.rb', line 69

def role_hierarchy
  @role_hierarchy
end

#role_titlesObject (readonly)

Returns the value of attribute role_titles.



69
70
71
# File 'lib/declarative_authorization/authorization.rb', line 69

def role_titles
  @role_titles
end

#rolesObject (readonly)

Returns the value of attribute roles.



69
70
71
# File 'lib/declarative_authorization/authorization.rb', line 69

def roles
  @roles
end

Class Method Details

.instance(dsl_file = nil) ⇒ Object

Returns an instance of Engine, which is created if there isn’t one yet. If dsl_file is given, it is passed on to Engine.new and a new instance is always created.



264
265
266
267
268
269
270
# File 'lib/declarative_authorization/authorization.rb', line 264

def self.instance (dsl_file = nil)
  if dsl_file or ENV['RAILS_ENV'] == 'development'
    @@instance = new(dsl_file)
  else
    @@instance ||= new
  end
end

Instance Method Details

#description_for(role) ⇒ Object

Returns the description for the given role. The description may be specified with the authorization rules. Returns nil if none was given.



227
228
229
# File 'lib/declarative_authorization/authorization.rb', line 227

def description_for (role)
  role_descriptions[role]
end

#initialize_copy(from) ⇒ Object

:nodoc:



107
108
109
110
111
112
113
# File 'lib/declarative_authorization/authorization.rb', line 107

def initialize_copy (from) # :nodoc:
  [
    :privileges, :privilege_hierarchy, :roles, :role_hierarchy, :role_titles,
    :role_descriptions, :rev_priv_hierarchy, :rev_role_hierarchy
  ].each {|attr| instance_variable_set(:"@#{attr}", from.send(attr).clone) }
  @auth_rules = from.auth_rules.collect {|rule| rule.clone}
end

#obligations(privilege, options = {}) ⇒ Object

Returns the obligations to be met by the current user for the given privilege as an array of obligation hashes in form of

[{:object_attribute => obligation_value, ...}, ...]

where obligation_value is either (recursively) another obligation hash or a value spec, such as

[operator, literal_value]

The obligation hashes in the array should be OR’ed, conditions inside the hashes AND’ed.

Example

{:branch => {:company => [:is, 24]}, :active => [:is, true]}

Options

:context

See permit!

:user

See permit!



212
213
214
215
216
217
218
219
220
221
222
# File 'lib/declarative_authorization/authorization.rb', line 212

def obligations (privilege, options = {})
  options = {:context => nil}.merge(options)
  user, roles, privileges = user_roles_privleges_from_options(privilege, options)

  permit!(privilege, :skip_attribute_test => true, :user => user, :context => options[:context])
  
  attr_validator = AttributeValidator.new(self, user, nil, privilege, options[:context])
  matching_auth_rules(roles, privileges, options[:context]).collect do |rule|
    rule.obligations(attr_validator)
  end.flatten
end

#permit!(privilege, options = {}) ⇒ Object

Returns true if privilege is met by the current user. Raises AuthorizationError otherwise. privilege may be given with or without context. In the latter case, the :context option is required.

Options:

:context

The context part of the privilege. Defaults either to the tableized class_name of the given :object, if given. That is, :users for :object of type User.

Raises AuthorizationUsageError if context is missing and not to be infered.

:object

An context object to test attribute checks against.

:skip_attribute_test

Skips those attribute checks in the authorization rules. Defaults to false.

:user

The user to check the authorization for. Defaults to Authorization#current_user.



134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
# File 'lib/declarative_authorization/authorization.rb', line 134

def permit! (privilege, options = {})
  return true if Authorization.ignore_access_control
  options = {
    :object => nil,
    :skip_attribute_test => false,
    :context => nil
  }.merge(options)
  
  # Make sure we're handling all privileges as symbols.
  privilege = privilege.is_a?( Array ) ?
              privilege.flatten.collect { |priv| priv.to_sym } :
              privilege.to_sym
  
  #
  # If the object responds to :proxy_reflection, we're probably working with
  # an association proxy.  Use 'new' to leverage ActiveRecord's builder
  # functionality to obtain an object against which we can check permissions.
  #
  # Example: permit!( :edit, :object => user.posts )
  #
  if options[:object].respond_to?( :proxy_reflection ) && options[:object].respond_to?( :new )
    options[:object] = options[:object].new
  end
  
  options[:context] ||= options[:object] && (
    options[:object].class.respond_to?(:decl_auth_context) ?
        options[:object].class.decl_auth_context :
        options[:object].class.name.tableize.to_sym
  ) rescue NoMethodError
  
  user, roles, privileges = user_roles_privleges_from_options(privilege, options)

  return true if roles.is_a?(Array) and not (roles & @omnipotent_roles).empty?

  # find a authorization rule that matches for at least one of the roles and 
  # at least one of the given privileges
  attr_validator = AttributeValidator.new(self, user, options[:object], privilege, options[:context])
  rules = matching_auth_rules(roles, privileges, options[:context])
  if rules.empty?
    raise NotAuthorized, "No matching rules found for #{privilege} for #{user.inspect} " +
      "(roles #{roles.inspect}, privileges #{privileges.inspect}, " +
      "context #{options[:context].inspect})."
  end
  
  # Test each rule in turn to see whether any one of them is satisfied.
  unless rules.any? {|rule| rule.validate?(attr_validator, options[:skip_attribute_test])}
    raise AttributeAuthorizationError, "#{privilege} not allowed for #{user.inspect} on #{(options[:object] || options[:context]).inspect}."
  end
  true
end

#permit?(privilege, options = {}, &block) ⇒ Boolean

Calls permit! but rescues the AuthorizationException and returns false instead. If no exception is raised, permit? returns true and yields to the optional block.

Returns:

  • (Boolean)


188
189
190
191
192
193
194
# File 'lib/declarative_authorization/authorization.rb', line 188

def permit? (privilege, options = {}, &block) # :yields:
  permit!(privilege, options)
  yield if block_given?
  true
rescue NotAuthorized
  false
end

#roles_for(user) ⇒ Object

Returns the role symbols of the given user.



239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
# File 'lib/declarative_authorization/authorization.rb', line 239

def roles_for (user)
  user ||= Authorization.current_user
  raise AuthorizationUsageError, "User object doesn't respond to roles (#{user.inspect})" \
    if !user.respond_to?(:role_symbols) and !user.respond_to?(:roles)

  RAILS_DEFAULT_LOGGER.info("The use of user.roles is deprecated.  Please add a method " +
      "role_symbols to your User model.") if defined?(RAILS_DEFAULT_LOGGER) and !user.respond_to?(:role_symbols)

  roles = user.respond_to?(:role_symbols) ? user.role_symbols : user.roles

  raise AuthorizationUsageError, "User.#{user.respond_to?(:role_symbols) ? 'role_symbols' : 'roles'} " +
    "doesn't return an Array of Symbols (#{roles.inspect})" \
        if !roles.is_a?(Array) or (!roles.empty? and !roles[0].is_a?(Symbol))

  (roles.empty? ? [Authorization.default_role] : roles)
end

#roles_with_hierarchy_for(user) ⇒ Object

Returns the role symbols and inherritted role symbols for the given user



257
258
259
# File 'lib/declarative_authorization/authorization.rb', line 257

def roles_with_hierarchy_for(user)
  flatten_roles(roles_for(user))
end

#title_for(role) ⇒ Object

Returns the title for the given role. The title may be specified with the authorization rules. Returns nil if none was given.



234
235
236
# File 'lib/declarative_authorization/authorization.rb', line 234

def title_for (role)
  role_titles[role]
end