Class: DeclarativePolicy::Base

Inherits:

Object

• Object
• DeclarativePolicy::Base

Defined in:

lib/declarative_policy/base.rb

Direct Known Subclasses

BasePolicy

Defined Under Namespace

Classes: AbilityMap

Instance Attribute Summary

• #subject ⇒ Object readonly

  A policy object contains a specific user and subject on which to compute abilities.

• #user ⇒ Object readonly

  A policy object contains a specific user and subject on which to compute abilities.

Class Method Summary

• .ability_map ⇒ Object

  The `own_ability_map` vs `ability_map` distinction is used so that the data structure is properly inherited - with subclasses recursively merging their parent class.

• .condition(name, opts = {}, &value) ⇒ Object

  Declares a condition.

• .conditions ⇒ Object

  an inheritable map of conditions, by name.

• .configuration_for(ability) ⇒ Object

  all the [rule, action] pairs that apply to a particular ability.

• .delegate(name = nil, &delegation_block) ⇒ Object

  declaration methods ###.

• .delegations ⇒ Object

  an inheritable map of delegations, indexed by name (which may be autogenerated).

• .desc(description) ⇒ Object

  Declare a description for the following condition.

• .enable_when(abilities, rule) ⇒ Object

  These next three methods are mainly called from PolicyDsl, and are responsible for “inverting” the relationship between an ability and a rule.

• .global_actions ⇒ Object

  a list of global actions, generated by `prevent_all`.

• .last_options ⇒ Object

  A hash in which to store calls to `desc` and `with_scope`, etc.

• .last_options! ⇒ Object

  retrieve and zero out the previously set options (used in .condition).

• .overrides(*names) ⇒ Object

  Declare that the given abilities should not be read from delegates.

• .own_ability_map ⇒ Object
• .own_conditions ⇒ Object
• .own_delegations ⇒ Object
• .own_global_actions ⇒ Object
• .prevent_all_when(rule) ⇒ Object

  we store global prevents (from `prevent_all`) separately, so that they can be combined into every decision made.

• .prevent_when(abilities, rule) ⇒ Object
• .rule(&block) ⇒ Object

  Declares a rule, constructed using RuleDsl, and returns a PolicyDsl which is used for registering the rule with this class.

• .with_options(opts = {}) ⇒ Object
• .with_scope(scope) ⇒ Object
• .with_score(score) ⇒ Object

Instance Method Summary

• #allowed?(*abilities) ⇒ Boolean

  This is the main entry point for permission checks.

• #banned? ⇒ Boolean

  used in specs - returns true if there is no possible way for any action to be allowed, determined only by the global :prevent_all rules.

• #cache(key) ⇒ Object

  Helpers for caching.

• #cached?(key) ⇒ Boolean
• #can?(ability, new_subject = :_self) ⇒ Boolean

  helper for checking abilities on this and other subjects for the current user.

• #condition(name) ⇒ Object

  returns a ManifestCondition capable of computing itself.

• #debug(ability, *args) ⇒ Object

  computes the given ability and prints a helpful debugging output showing which.

• #delegated_policies ⇒ Object

  A list of other policies that we've delegated to (see `Base.delegate`).

• #disallowed?(*abilities) ⇒ Boolean

  The inverse of #allowed?, used mainly in specs.

• #initialize(user, subject, opts = {}) ⇒ Base constructor

  A new instance of Base.

• #inspect ⇒ Object
• #policy_for(other_subject) ⇒ Object
• #repr ⇒ Object
• #runner(ability) ⇒ Object

  returns a Runner for the given ability, capable of computing whether the ability is allowed.

Constructor Details

#initialize(user, subject, opts = {}) ⇒ Base

Returns a new instance of Base.

# File 'lib/declarative_policy/base.rb', line 217

def initialize(user, subject, opts = {})
  @user = user
  @subject = subject
  @cache = opts[:cache] || {}
end

Instance Attribute Details

#subject ⇒ Object (readonly)

A policy object contains a specific user and subject on which to compute abilities. For this reason it's sometimes called “context” within the framework.

It also stores a reference to the cache, so it can be used to cache computations by e.g. ManifestCondition.

# File 'lib/declarative_policy/base.rb', line 216

def subject
  @subject
end

#user ⇒ Object (readonly)

A policy object contains a specific user and subject on which to compute abilities. For this reason it's sometimes called “context” within the framework.

It also stores a reference to the cache, so it can be used to cache computations by e.g. ManifestCondition.

# File 'lib/declarative_policy/base.rb', line 216

def user
  @user
end

Class Method Details

.ability_map ⇒ Object

The `own_ability_map` vs `ability_map` distinction is used so that the data structure is properly inherited - with subclasses recursively merging their parent class.

This pattern is also used for conditions, global_actions, and delegations.

# File 'lib/declarative_policy/base.rb', line 41

def ability_map
  if self == Base
    own_ability_map
  else
    superclass.ability_map.merge(own_ability_map)
  end
end

.condition(name, opts = {}, &value) ⇒ Object

Declares a condition. It gets stored in `own_conditions`, and generates a query method based on the condition's name.

# File 'lib/declarative_policy/base.rb', line 177

def condition(name, opts = {}, &value)
  name = name.to_sym

  opts = last_options!.merge(opts)
  opts[:context_key] ||= self.name

  condition = Condition.new(name, opts, &value)

  self.own_conditions[name] = condition

  define_method(:"#{name}?") { condition(name).pass? }
end

.conditions ⇒ Object

an inheritable map of conditions, by name

# File 'lib/declarative_policy/base.rb', line 54

def conditions
  if self == Base
    own_conditions
  else
    superclass.conditions.merge(own_conditions)
  end
end

.configuration_for(ability) ⇒ Object

all the [rule, action] pairs that apply to a particular ability. we combine the specific ones looked up in ability_map with the global ones.

# File 'lib/declarative_policy/base.rb', line 98

def configuration_for(ability)
  ability_map.actions(ability) + global_actions
end

.delegate(name = nil, &delegation_block) ⇒ Object

declaration methods ###

# File 'lib/declarative_policy/base.rb', line 104

def delegate(name = nil, &delegation_block)
  if name.nil?
    @delegate_name_counter ||= 0
    @delegate_name_counter += 1
    name = :"anonymous_#{@delegate_name_counter}"
  end

  name = name.to_sym

  if delegation_block.nil?
    delegation_block = proc { @subject.__send__(name) } # rubocop:disable GitlabSecurity/PublicSend
  end

  own_delegations[name] = delegation_block
end

.delegations ⇒ Object

an inheritable map of delegations, indexed by name (which may be autogenerated)

# File 'lib/declarative_policy/base.rb', line 83

def delegations
  if self == Base
    own_delegations
  else
    superclass.delegations.merge(own_delegations)
  end
end

.desc(description) ⇒ Object

Declare a description for the following condition. Currently unused, but opens the potential for explaining to users why they were or were not able to do something.

# File 'lib/declarative_policy/base.rb', line 159

def desc(description)
  last_options[:description] = description
end

.enable_when(abilities, rule) ⇒ Object

These next three methods are mainly called from PolicyDsl, and are responsible for “inverting” the relationship between an ability and a rule. We store in `ability_map` a map of abilities to rules that affect them, together with a symbol indicating :prevent or :enable.

# File 'lib/declarative_policy/base.rb', line 195

def enable_when(abilities, rule)
  abilities.each { |a| own_ability_map.enable(a, rule) }
end

.global_actions ⇒ Object

a list of global actions, generated by `prevent_all`. these aren't stored in `ability_map` because they aren't indexed by a particular ability.

# File 'lib/declarative_policy/base.rb', line 69

def global_actions
  if self == Base
    own_global_actions
  else
    superclass.global_actions + own_global_actions
  end
end

.last_options ⇒ Object

A hash in which to store calls to `desc` and `with_scope`, etc.

# File 'lib/declarative_policy/base.rb', line 147

def last_options
  @last_options ||= {}.with_indifferent_access
end

.last_options! ⇒ Object

retrieve and zero out the previously set options (used in .condition)

# File 'lib/declarative_policy/base.rb', line 152

def last_options!
  last_options.tap { @last_options = nil }
end

.overrides(*names) ⇒ Object

Declare that the given abilities should not be read from delegates.

This is useful if you have an ability that you want to define differently in a policy than in a delegated policy, but still want to delegate all other abilities.

example:

delegate { @subect.parent }

overrides :drive_car, :watch_tv

# File 'lib/declarative_policy/base.rb', line 132

def overrides(*names)
  @overrides ||= [].to_set
  @overrides.merge(names)
end

.own_ability_map ⇒ Object

# File 'lib/declarative_policy/base.rb', line 49

def own_ability_map
  @own_ability_map ||= AbilityMap.new
end

.own_conditions ⇒ Object

# File 'lib/declarative_policy/base.rb', line 62

def own_conditions
  @own_conditions ||= {}
end

.own_delegations ⇒ Object

# File 'lib/declarative_policy/base.rb', line 91

def own_delegations
  @own_delegations ||= {}
end

.own_global_actions ⇒ Object

# File 'lib/declarative_policy/base.rb', line 77

def own_global_actions
  @own_global_actions ||= []
end

.prevent_all_when(rule) ⇒ Object

we store global prevents (from `prevent_all`) separately, so that they can be combined into every decision made.

# File 'lib/declarative_policy/base.rb', line 205

def prevent_all_when(rule)
  own_global_actions << [:prevent, rule]
end

.prevent_when(abilities, rule) ⇒ Object

# File 'lib/declarative_policy/base.rb', line 199

def prevent_when(abilities, rule)
  abilities.each { |a| own_ability_map.prevent(a, rule) }
end

.rule(&block) ⇒ Object

Declares a rule, constructed using RuleDsl, and returns a PolicyDsl which is used for registering the rule with this class. PolicyDsl will call back into Base.enable_when, Base.prevent_when, and Base.prevent_all_when.

# File 'lib/declarative_policy/base.rb', line 141

def rule(&block)
  rule = RuleDsl.new(self).instance_eval(&block)
  PolicyDsl.new(self, rule)
end

.with_options(opts = {}) ⇒ Object

# File 'lib/declarative_policy/base.rb', line 163

def with_options(opts = {})
  last_options.merge!(opts)
end

.with_scope(scope) ⇒ Object

# File 'lib/declarative_policy/base.rb', line 167

def with_scope(scope)
  with_options scope: scope
end

.with_score(score) ⇒ Object

# File 'lib/declarative_policy/base.rb', line 171

def with_score(score)
  with_options score: score
end

Instance Method Details

#allowed?(*abilities) ⇒ Boolean

This is the main entry point for permission checks. It constructs or looks up a Runner for the given ability and asks it if it passes.

Returns:

• (Boolean)

# File 'lib/declarative_policy/base.rb', line 233

def allowed?(*abilities)
  abilities.all? { |a| runner(a).pass? }
end

#banned? ⇒ Boolean

used in specs - returns true if there is no possible way for any action to be allowed, determined only by the global :prevent_all rules.

Returns:

• (Boolean)

# File 'lib/declarative_policy/base.rb', line 325

def banned?
  global_steps = self.class.global_actions.map { |(action, rule)| Step.new(self, rule, action) }
  !Runner.new(global_steps).pass?
end

#cache(key) ⇒ Object

Helpers for caching. Used by ManifestCondition in performing condition computation.

NOTE we can't use ||= here because the value might be the boolean `false`

# File 'lib/declarative_policy/base.rb', line 300

def cache(key)
  return @cache[key] if cached?(key)

  @cache[key] = yield
end

#cached?(key) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/declarative_policy/base.rb', line 306

def cached?(key)
  !@cache[key].nil?
end

#can?(ability, new_subject = :_self) ⇒ Boolean

helper for checking abilities on this and other subjects for the current user.

Returns:

• (Boolean)

# File 'lib/declarative_policy/base.rb', line 225

def can?(ability, new_subject = :_self)
  return allowed?(ability) if new_subject == :_self

  policy_for(new_subject).allowed?(ability)
end

#condition(name) ⇒ Object

returns a ManifestCondition capable of computing itself. The computation will use our own @cache.

# File 'lib/declarative_policy/base.rb', line 312

def condition(name)
  name = name.to_sym
  @_conditions ||= {}
  @_conditions[name] ||=
    begin
      raise "invalid condition #{name}" unless self.class.conditions.key?(name)

      ManifestCondition.new(self.class.conditions[name], self)
    end
end

#debug(ability, *args) ⇒ Object

computes the given ability and prints a helpful debugging output showing which

# File 'lib/declarative_policy/base.rb', line 244

def debug(ability, *args)
  runner(ability).debug(*args)
end

#delegated_policies ⇒ Object

A list of other policies that we've delegated to (see `Base.delegate`)

# File 'lib/declarative_policy/base.rb', line 331

def delegated_policies
  @delegated_policies ||= self.class.delegations.transform_values do |block|
    new_subject = instance_eval(&block)

    # never delegate to nil, as that would immediately prevent_all
    next if new_subject.nil?

    policy_for(new_subject)
  end
end

#disallowed?(*abilities) ⇒ Boolean

The inverse of #allowed?, used mainly in specs.

Returns:

• (Boolean)

# File 'lib/declarative_policy/base.rb', line 238

def disallowed?(*abilities)
  abilities.all? { |a| !runner(a).pass? }
end

#inspect ⇒ Object

# File 'lib/declarative_policy/base.rb', line 272

def inspect
  "#<#{self.class.name} #{repr}>"
end

#policy_for(other_subject) ⇒ Object

# File 'lib/declarative_policy/base.rb', line 342

def policy_for(other_subject)
  DeclarativePolicy.policy_for(@user, other_subject, cache: @cache)
end

#repr ⇒ Object

# File 'lib/declarative_policy/base.rb', line 254

def repr
  subject_repr =
    if @subject.respond_to?(:id)
      "#{@subject.class.name}/#{@subject.id}"
    else
      @subject.inspect
    end

  user_repr =
    if @user
      @user.to_reference
    else
      "<anonymous>"
    end

  "(#{user_repr} : #{subject_repr})"
end

#runner(ability) ⇒ Object

returns a Runner for the given ability, capable of computing whether the ability is allowed. Runners are cached on the policy (which itself is cached on @cache), and caches its result. This is how we perform caching at the ability level.

# File 'lib/declarative_policy/base.rb', line 280

def runner(ability)
  ability = ability.to_sym
  @runners ||= {}
  @runners[ability] ||=
    begin
      own_runner = Runner.new(own_steps(ability))
      if self.class.overrides.include?(ability)
        own_runner
      else
        delegated_runners = delegated_policies.values.compact.map { |p| p.runner(ability) }
        delegated_runners.inject(own_runner, &:merge_runner)
      end
    end
end