Class: Authorization::DevelopmentSupport::ChangeSupporter

Inherits:
AbstractAnalyzer
Defined in:
lib/declarative_authorization/development_support/change_supporter.rb

Overview

Ideas for improvement

  • Algorithm

    • Objective function:

      • affected user count,

      • as specific as possible (roles, privileges)

      • as few changes as necessary

    • Modify role, privilege hierarchy

    • Merge, split roles

    • Add privilege to existing rules

  • Features

    • Improve review facts: impact, affected users count

    • group similar candidates: only show abstract methods?

    • restructure GUI layout: more room for analyzing suggestions

    • changelog, previous tests, etc.

    • multiple permissions in tests

  • Evaluation of approaches with Analyzer algorithms

  • Authorization constraints

Algorithm

  • for each candidate

    • abstract actions: solving first failing test (remove privilege from role)

    • for each abstract action

      • specific actions: concrete steps (remove privilege from specific role)

      • for each specific action

        • next if reversal action of previous step

        • apply specific action on candidate

        • save as solution if no failing tests on changed_candidate

        • else: queue as candidate

  • equivalent states
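
The candidate search outlined in the Algorithm list above, as an added example that is not the gem's own code. States, tests and action tuples are a constructed model that loosely mirrors the Assign/Remove action classes, and `first_failing`, `specific_actions`, `apply`, `find_approaches` and `max_checked` are hypothetical names; the abstract and specific action levels are merged into one step.

```ruby
require 'set'

# Constructed model (not the gem's classes). State: { roles: { role => Set[privs] },
# users: { login => Set[roles] } }; test: [login, priv, expected]; action: [op, kind, role, subject].
def first_failing(state, tests)
  tests.find do |login, priv, expected|
    expected != state[:users][login].any? { |r| state[:roles][r].include?(priv) }
  end
end

# Concrete steps that could fix one failing test (abstract and specific levels merged).
def specific_actions(state, (login, priv, expected))
  if expected
    state[:users][login].map { |r| [:assign, :privilege, r, priv] } +
      state[:roles].select { |_, ps| ps.include?(priv) }.keys.map { |r| [:assign, :role, r, login] }
  else
    state[:users][login].select { |r| state[:roles][r].include?(priv) }
                        .flat_map { |r| [[:remove, :privilege, r, priv], [:remove, :role, r, login]] }
  end
end

# Returns a changed deep copy; the candidate itself is never mutated.
def apply(state, (op, kind, role, subject))
  copy = state.transform_values { |h| h.transform_values(&:dup) }
  set, item = kind == :privilege ? [copy[:roles][role], subject] : [copy[:users][subject], role]
  op == :assign ? set.add(item) : set.delete(item)
  copy
end

def find_approaches(state, tests, prohibited: Set.new, max_checked: 200)
  return [[]] unless first_failing(state, tests)
  queue, solutions, checked = [[state, []]], [], 0
  until queue.empty? || checked >= max_checked
    candidate, steps = queue.shift
    specific_actions(candidate, first_failing(candidate, tests)).each do |action|
      op, *rest = action
      next if steps.last == [op == :assign ? :remove : :assign, *rest] # reversal of previous step
      next if prohibited.include?(action)
      path, changed = steps + [action], apply(candidate, action)
      checked += 1
      first_failing(changed, tests) ? queue << [changed, path] : solutions << path
    end
  end
  solutions.sort_by(&:size)
end

# Constructed sample: alice (guest) must gain :update and must not gain :delete.
ROLES = { guest: Set[:read], editor: Set[:read, :update], admin: Set[:read, :update, :delete] }.freeze
STATE = { roles: ROLES, users: { 'alice' => Set[:guest] } }.freeze
TESTS = [['alice', :update, true], ['alice', :delete, false]].freeze
```

With the sample data, assigning the admin role passes the first test but fails the second, so that candidate is queued and only becomes a solution after a second step; the step that would undo the role assignment is skipped as a reversal.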

NOTE:

  • user.clone needs to clone role_symbols

  • user.role_symbols needs to respond to <<

  • user.login is needed

Defined Under Namespace

Classes: AbstractAction, AbstractCompoundAction, AddPrivilegeAndAssignRoleToUserAction, Approach, ApproachChecker, AssignPrivilegeToRoleAction, AssignRoleToUserAction, CreateAndAssignRoleToUserAction, GroupedApproach, RemovePrivilegeFromRoleAction, RemoveRoleFromUserAction, Test

Instance Attribute Summary

Attributes inherited from AbstractAnalyzer

#engine

Instance Method Summary

Methods inherited from AbstractAnalyzer

#initialize, #roles, #rules

Constructor Details

This class inherits a constructor from Authorization::DevelopmentSupport::AbstractAnalyzer

Instance Method Details

#find_approaches_for(options, &tests) ⇒ Object

Returns a list of possible approaches for changes to the current authorization rules that achieve a given goal. The goal is given as permission tests in the block. While the block executes, the instance method users is available and refers to the then-current users, whose roles may have been changed as part of a suggestion.



# File 'lib/declarative_authorization/development_support/change_supporter.rb', line 48

def find_approaches_for(options, &tests)
  # Actions the caller marked as prohibited
  @prohibited_actions = (options[:prohibited_actions] || []).to_set

  @approaches_by_actions = {}

  candidates = []
  suggestions = []
  approach_checker = ApproachChecker.new(self, tests)

  # Start from an approach with no steps; if it already passes the
  # check it is a suggestion, otherwise it is the first candidate
  starting_candidate = Approach.new(@engine, options[:users], [])
  if starting_candidate.check(approach_checker)
    suggestions << starting_candidate
  else
    candidates << starting_candidate
  end

  # Bounded search: the loop ends when no candidates remain or the
  # count of checked candidates reaches 200
  checked_candidates = 0
  while !candidates.empty? and checked_candidates < 200
    checked_candidates += next_step(suggestions, candidates, approach_checker)
  end

  # remove subsets
  suggestions.sort!
end

#group_approaches(approaches) ⇒ Object

Returns an array of GroupedApproaches for the given array of approaches. Only directly adjacent approaches are grouped.



# File 'lib/declarative_authorization/development_support/change_supporter.rb', line 75

def group_approaches(approaches)
  approaches.each_with_object([]) do |approach, grouped|
    # Compare only with the most recent group, so similar approaches
    # are merged only when they are neighbours in the input array
    if grouped.last and grouped.last.approach.similar_to(approach)
      grouped.last.similar_approaches << approach
    else
      grouped << GroupedApproach.new(approach)
    end
  end
end