Class: PapersPlease::Policy

Inherits:

Object

• Object
• PapersPlease::Policy

Defined in:

lib/papers_please/policy.rb

Instance Attribute Summary

• #fallthrough ⇒ Object readonly

  Returns the value of attribute fallthrough.

• #roles ⇒ Object

  Returns the value of attribute roles.

• #user ⇒ Object readonly

  Returns the value of attribute user.

Instance Method Summary

• #add_permissions(keys) ⇒ Object (also: #permit)

  Add permissions to the Role.

• #add_role(name, predicate = nil) ⇒ Object (also: #role)

  Add a role to the Policy.

• #allow_fallthrough ⇒ Object
• #applicable_roles ⇒ Object

  Fetch roles that apply to the current user.

• #authorize!(action, subject) ⇒ Object
• #can?(action, subject = nil, roles: nil) ⇒ Boolean

  Look up a stored permission block and call with the current user and subject.

• #cannot?(*args) ⇒ Boolean
• #configure ⇒ Object
• #default_scope(scope) ⇒ Object
• #get_applicable_roles_by_keys(keys) ⇒ Object
• #initialize(user) ⇒ Policy constructor

  A new instance of Policy.

• #roles_that_can(action, subject) ⇒ Object
• #scope_for(action, klass, roles: nil) ⇒ Object (also: #query)

  Look up a stored scope block and call with the current user and class.

Constructor Details

#initialize(user) ⇒ Policy

Returns a new instance of Policy.

# File 'lib/papers_please/policy.rb', line 9

def initialize(user)
  @user          = user
  @default_scope = nil
  @roles         = {}
  @cache         = {}

  configure
end

Instance Attribute Details

#fallthrough ⇒ Object (readonly)

Returns the value of attribute fallthrough.

# File 'lib/papers_please/policy.rb', line 7

def fallthrough
  @fallthrough
end

#roles ⇒ Object

Returns the value of attribute roles.

# File 'lib/papers_please/policy.rb', line 5

def roles
  @roles
end

#user ⇒ Object (readonly)

Returns the value of attribute user.

# File 'lib/papers_please/policy.rb', line 7

def user
  @user
end

Instance Method Details

#add_permissions(keys) ⇒ Object Also known as: permit

Add permissions to the Role

# File 'lib/papers_please/policy.rb', line 43

def add_permissions(keys)
  return unless block_given?

  Array(keys).each do |key|
    raise MissingRole unless roles.key?(key)

    yield roles[key]
  end
end

#add_role(name, predicate = nil) ⇒ Object Also known as: role

Add a role to the Policy

Raises:

• (DuplicateRole)

# File 'lib/papers_please/policy.rb', line 31

def add_role(name, predicate = nil)
  name = name.to_sym
  raise DuplicateRole if roles.key?(name)

  role = Role.new(name, predicate: predicate)
  roles[name] = role

  role
end

#allow_fallthrough ⇒ Object

# File 'lib/papers_please/policy.rb', line 18

def allow_fallthrough
  @fallthrough = true
end

#applicable_roles ⇒ Object

Fetch roles that apply to the current user

# File 'lib/papers_please/policy.rb', line 114

def applicable_roles
  @applicable_roles ||= roles.select do |_, role|
    role.applies_to?(user)
  end
end

#authorize!(action, subject) ⇒ Object

Raises:

• (AccessDenied)

# File 'lib/papers_please/policy.rb', line 78

def authorize!(action, subject)
  raise AccessDenied, "Access denied for #{action} on #{subject}" if cannot?(action, subject)

  subject
end

#can?(action, subject = nil, roles: nil) ⇒ Boolean

Look up a stored permission block and call with the current user and subject

Returns:

• (Boolean)

# File 'lib/papers_please/policy.rb', line 56

def can?(action, subject = nil, roles: nil)
  roles_to_check(roles: roles).each do |_, role|
    permission = role&.find_permission(action, subject)
    next if permission.nil?

    # Proxy permission check if granted by other
    subject, permission = get_proxied_permission(permission, action, subject, role) if permission.granted_by_other?

    # Check permission
    granted = permission_granted?(permission, action, subject)
    next if granted.nil? || (granted == false && fallthrough)

    return granted
  end

  false
end

#cannot?(*args) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/papers_please/policy.rb', line 74

def cannot?(*args)
  !can?(*args)
end

#configure ⇒ Object

Raises:

• (NotImplementedError)

# File 'lib/papers_please/policy.rb', line 26

def configure
  raise NotImplementedError, 'The #configure method of the access policy was not implemented'
end

#default_scope(scope) ⇒ Object

# File 'lib/papers_please/policy.rb', line 22

def default_scope(scope)
  @default_scope = scope
end

#get_applicable_roles_by_keys(keys) ⇒ Object

# File 'lib/papers_please/policy.rb', line 84

def get_applicable_roles_by_keys(keys)
  applicable_roles.slice(*Array(keys))
end

#roles_that_can(action, subject) ⇒ Object

# File 'lib/papers_please/policy.rb', line 88

def roles_that_can(action, subject)
  applicable_roles.filter do |_, role|
    permission = role.find_permission(action, subject)
    permission&.granted?(user, subject, action) || false
  end.keys
end

#scope_for(action, klass, roles: nil) ⇒ Object Also known as: query

Look up a stored scope block and call with the current user and class

# File 'lib/papers_please/policy.rb', line 97

def scope_for(action, klass, roles: nil)
  roles_to_check(roles: roles).each do |_, role|
    next if role.nil?

    permission = role.find_permission(action, klass)
    scope = permission&.fetch(user, klass, action)

    next if permission.nil? || (scope.nil? && fallthrough)

    return scope
  end

  @default_scope || nil
end