Class: Mumukit::Auth::Permissions

Inherits:
Object
  • Object
Includes:
Protection, Roles
Defined in:
lib/mumukit/auth/permissions.rb

Constant Summary

Constants included from Roles

Roles::COARSE_GRAINED_ROLES, Roles::FINE_GRAINED_ROLES, Roles::ROLES

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Methods included from Protection

#protect!, #protect_delegation!

Constructor Details

#initialize(scopes = {}) ⇒ Permissions

Returns a new instance of Permissions.



# File 'lib/mumukit/auth/permissions.rb', line 7

# Starts from an empty scope table and then loads +scopes+ through add_scopes!,
# so constructor input passes the same validation as later additions.
def initialize(scopes = {})
  clear!
  add_scopes!(scopes)
end

Instance Attribute Details

#scopes ⇒ Object

Returns the value of attribute scopes.



# File 'lib/mumukit/auth/permissions.rb', line 5

# Reader for the role => scope table kept in @scopes. The table itself is
# returned (not a copy), so callers that mutate it mutate these permissions.
def scopes
  @scopes
end

Class Method Details

.dump(permission) ⇒ Object



# File 'lib/mumukit/auth/permissions.rb', line 122

# Serializes +permission+ to JSON text by delegating to its own #to_json.
# Counterpart of .load.
def self.dump(permission)
  permission.to_json
end

.load(json) ⇒ Object



# File 'lib/mumukit/auth/permissions.rb', line 114

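# Deserializes stored JSON text into a Permissions via .parse.
#
# nil and blank strings both yield empty permissions (deny by default). A blank
# string used to reach JSON.parse, which raises on empty input, so a record
# whose stored value is "" could not be loaded at all even though nil could.
# Any other text is parsed as JSON; malformed JSON still raises
# JSON::ParserError rather than being read as "no permissions".
def self.load(json)
  return parse({}) if json.nil? || json.to_s.strip.empty?

  parse(JSON.parse(json))
end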

.parse(hash) ⇒ Object



# File 'lib/mumukit/auth/permissions.rb', line 103

# Builds a Permissions from a role => grants mapping. Each grants value is
# converted with Mumukit::Auth::Scope.parse; blank input yields an empty
# instance. Role keys are taken as given here; the constructor's add_scopes!
# is what feeds them through add_permission!.
def self.parse(hash)
  return new if hash.blank?

  scopes_by_role = hash.each_with_object({}) do |(role, grants), parsed|
    parsed[role] = Mumukit::Auth::Scope.parse(grants)
  end
  new(scopes_by_role)
end

.reparse(something) ⇒ Object



# File 'lib/mumukit/auth/permissions.rb', line 109

# Converts +something+ to a hash with #to_h and parses it again with .parse.
# nil (or false) is treated as an empty mapping.
def self.reparse(something)
  parse((something || {}).to_h)
end

Instance Method Details

#==(other) ⇒ Object Also known as: eql?



# File 'lib/mumukit/auth/permissions.rb', line 143

# Equal when both objects are of the same class and their scope tables are equal.
# NOTE(review): scope_for stores an empty Scope for any role it is asked about,
# so two objects holding the same grants may presumably compare unequal after
# one of them has been queried for an unknown role - confirm whether callers care.
def ==(other)
  return false unless self.class == other.class

  scopes == other.scopes
end

#accessible_organizations ⇒ Object

Deprecated: use `student_granted_organizations` instead



# File 'lib/mumukit/auth/permissions.rb', line 44

# Deprecated alias of student_granted_organizations. Prints a deprecation
# warning on every call, then returns what student_granted_organizations returns.
def accessible_organizations
  deprecation_notice =
    "Don't use accessible_organizations, since this method is probably not doing what you would expect.\n" \
    "Use student_granted_organizations if you still need its behaviour"
  warn deprecation_notice
  student_granted_organizations
end

#add_permission!(role, *grants) ⇒ Object



# File 'lib/mumukit/auth/permissions.rb', line 68

# Adds every grant in +grants+ under +role+. The role is first converted with
# #to_mumukit_role, and each grant is then handed to push_and_compact! (both
# defined outside this listing). Returns the grants array.
def add_permission!(role, *grants)
  mumukit_role = role.to_mumukit_role
  grants.each do |grant|
    push_and_compact!(mumukit_role, grant)
  end
end

#add_scopes!(scopes) ⇒ Object



# File 'lib/mumukit/auth/permissions.rb', line 73

# Adds all grants of a role => scope mapping.
# Every value must be exactly a Mumukit::Auth::Scope (the class comparison also
# rejects subclasses); otherwise a RuntimeError 'invalid scopes' is raised
# before anything is added, so a bad mapping cannot be applied partially.
def add_scopes!(scopes)
  well_formed = scopes.all? { |_role, scope| scope.class == Mumukit::Auth::Scope }
  raise 'invalid scopes' unless well_formed

  scopes.each do |role, scope|
    add_permission!(role, *scope.grants)
  end
end

#any_granted_organizations ⇒ Object



# File 'lib/mumukit/auth/permissions.rb', line 56

# Set of the organizations named by any grant of any role.
def any_granted_organizations
  all_grants = scopes.values.flat_map(&:grants)
  all_grants.map(&:organization).to_set
end

#any_granted_roles ⇒ Object



# File 'lib/mumukit/auth/permissions.rb', line 60

# Set of the role keys whose scope is #present?; roles that only have an
# empty scope entry are left out.
def any_granted_roles
  granted = scopes.select { |_role, scope| scope.present? }
  granted.keys.to_set
end

#as_json(options = {}) ⇒ Object



# File 'lib/mumukit/auth/permissions.rb', line 99

# JSON-ready representation: whatever the scope table's own #as_json returns
# for +options+.
def as_json(options = {})
  scopes.as_json(options)
end

#as_set ⇒ Object



# File 'lib/mumukit/auth/permissions.rb', line 139

# Flattens the scope table into a Set of [role, grant] pairs. Roles whose scope
# has no grants contribute nothing. assign_to? compares two of these sets.
def as_set
  pairs = scopes.flat_map do |role, scope|
    scope.grants.map { |grant| [role, grant] }
  end
  Set.new(pairs)
end

#assign_to?(other, previous) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/mumukit/auth/permissions.rb', line 126

# Authorization check for changing a permissions value from +previous+ to +other+.
# The symmetric difference of their as_set results holds every [role, grant]
# pair that would be added or removed; the change is allowed only when this
# object has_permission? for each of those pairs. No difference means allowed.
def assign_to?(other, previous)
  changed_pairs = previous.as_set ^ other.as_set
  changed_pairs.all? do |role, grant|
    has_permission?(role, grant)
  end
end

#clear! ⇒ Object



# File 'lib/mumukit/auth/permissions.rb', line 135

# Drops every scope by replacing the table with a fresh, empty
# indifferent-access hash.
def clear!
  @scopes = {}.with_indifferent_access
end

#compact! ⇒ Object



# File 'lib/mumukit/auth/permissions.rb', line 32

# Rebuilds the scope table from scratch: keeps a copy of the current table,
# resets @scopes to an empty indifferent-access hash, and re-adds every grant
# through push_and_compact! (defined outside this listing).
def compact!
  previous = @scopes.dup
  @scopes = {}.with_indifferent_access

  previous.each do |role, scope|
    scope.grants.each { |grant| push_and_compact!(role, grant) }
  end
end

#delegate_to?(other) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/mumukit/auth/permissions.rb', line 91

# True when every (role, scope) entry of +other+ passes has_all_permissions?
# (defined outside this listing). An +other+ with no scopes always passes.
def delegate_to?(other)
  other.scopes.all? do |role, scope|
    has_all_permissions?(role, scope)
  end
end

#empty? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/mumukit/auth/permissions.rb', line 28

# True when no role has a non-empty scope, which includes the case of having
# no roles at all.
def empty?
  scopes.each_value.all?(&:empty?)
end

#grant_strings_for(role) ⇒ Object



# File 'lib/mumukit/auth/permissions.rb', line 95

# String form (#to_s) of each grant in the scope of +role+.
# Goes through scope_for, so asking about a role with no scope stores an empty
# scope for it as a side effect.
def grant_strings_for(role)
  role_scope = scope_for(role)
  role_scope.grants.map { |grant| grant.to_s }
end

#granted_organizations_for(role) ⇒ Object



# File 'lib/mumukit/auth/permissions.rb', line 64

# Set of the organizations named by the grants of +role+ only.
# Goes through scope_for, so asking about a role with no scope stores an empty
# scope for it as a side effect.
# NOTE(review): the safe navigation does not cover the final #to_set, so a nil
# scope or nil grants would still raise NoMethodError there; scope_for never
# returns nil, which makes the `&.` look redundant - confirm before relying on it.
def granted_organizations_for(role)
  organizations = scope_for(role)&.grants&.map(&:organization)
  organizations.to_set
end

#has_permission?(role, resource_slug) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/mumukit/auth/permissions.rb', line 12

# Asks the role object (obtained with #to_mumukit_role) whether it allows
# +resource_slug+, passing the whole permissions object so the role can consult
# more than its own scope. Compare role_allows?, which only looks at the scope
# stored for that one role.
def has_permission?(role, resource_slug)
  mumukit_role = role.to_mumukit_role
  mumukit_role.allows?(resource_slug, self)
end

#has_role?(role) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/mumukit/auth/permissions.rb', line 20

# True when the scope stored for +role+ is #present?.
# Reads the table directly instead of using scope_for, so it never creates an
# entry for the role it is asked about.
def has_role?(role)
  role_scope = scopes[role]
  role_scope.present?
end

#hash ⇒ Object



# File 'lib/mumukit/auth/permissions.rb', line 149

# Hash code taken from the scope table, so objects that are == (same class,
# equal scope tables) also produce the same hash code.
def hash
  scopes.hash
end

#inspect ⇒ Object



# File 'lib/mumukit/auth/permissions.rb', line 157

# Debug representation: the class name followed by the #to_s rendering, which
# lists every role with its scope.
def inspect
  "<Mumukit::Auth::Permissions #{self}>"
end

#merge(other) ⇒ Object



# File 'lib/mumukit/auth/permissions.rb', line 78

# Returns a new instance built from both scope tables. A role present on only
# one side keeps its scope; a role present on both gets the result of the
# scope's own #merge (left.merge(right)). Neither receiver nor +other+ is
# reassigned here.
def merge(other)
  combined = scopes.merge(other.scopes) do |_role, mine, theirs|
    mine.merge(theirs)
  end
  self.class.new(combined)
end

#protect_permissions_assignment!(other, previous) ⇒ Object



# File 'lib/mumukit/auth/permissions.rb', line 131

# Guard for permission changes: raises Mumukit::Auth::UnauthorizedAccessError
# unless assign_to? accepts the change from +previous+ to +other+.
# Only +other+ is normalized with .reparse; +previous+ is used as given, so it
# must already respond to #as_set (assign_to? calls it).
def protect_permissions_assignment!(other, previous)
  requested = self.class.reparse(other)
  return if assign_to?(requested, previous)

  raise Mumukit::Auth::UnauthorizedAccessError
end

#remove_permission!(role, grant) ⇒ Object



# File 'lib/mumukit/auth/permissions.rb', line 82

# Removes +grant+ from the scope of +role+ via the scope's #remove_grant!.
# +role+ is used as given for the lookup (add_permission! converts it with
# #to_mumukit_role first; this method does not).
def remove_permission!(role, grant)
  role_scope = scope_for(role)
  role_scope.remove_grant!(grant)
end

#role_allows?(role, resource_slug) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/mumukit/auth/permissions.rb', line 16

# Whether the scope stored for exactly this +role+ allows +resource_slug+.
# Other roles' scopes are not consulted here; has_permission? is the check that
# hands the whole permissions object to the role.
# Goes through scope_for, so asking about a role with no scope stores an empty
# scope for it as a side effect.
def role_allows?(role, resource_slug)
  role_scope = scope_for(role)
  role_scope.allows?(resource_slug)
end

#scope_for(role) ⇒ Object



# File 'lib/mumukit/auth/permissions.rb', line 24

# Returns the scope stored for +role+. When there is none, a new empty
# Mumukit::Auth::Scope is created, stored under +role+ and returned.
# Because of that write, the query methods built on it (role_allows?,
# grant_strings_for, granted_organizations_for) also leave an empty entry
# behind for roles that had no scope.
def scope_for(role)
  scopes[role] ||= Mumukit::Auth::Scope.new
end

#student_granted_organizations ⇒ Object

Answers the organizations for which the user has been explicitly granted access as a student. This method does not include the organizations the user has access to because of the roles hierarchy.



# File 'lib/mumukit/auth/permissions.rb', line 52

# Organizations named by the grants stored under the :student role itself;
# grants stored under other roles are not looked at.
def student_granted_organizations
  granted_organizations_for(:student)
end

#to_h ⇒ Object



# File 'lib/mumukit/auth/permissions.rb', line 161

# Hash form of the permissions: the same value as_json returns with its
# default options. .reparse relies on this when it is given a Permissions.
def to_h
  as_json
end

#to_s ⇒ Object



# File 'lib/mumukit/auth/permissions.rb', line 153

# Text rendering: '!' followed by "role:scope" for each entry, joined by ';'.
# With no scopes the result is just '!'.
def to_s
  rendered_scopes = scopes.map { |role, scope| "#{role}:#{scope}" }
  "!#{rendered_scopes.join(';')}"
end

#update_permission!(role, old_grant, new_grant) ⇒ Object



# File 'lib/mumukit/auth/permissions.rb', line 86

# Replaces +old_grant+ with +new_grant+ under +role+: removes first, then adds.
# The two steps are separate calls, so if adding raises, the old grant has
# already been removed.
def update_permission!(role, old_grant, new_grant)
  remove_permission!(role, old_grant)
  add_permission!(role, new_grant)
end