Module: Authorization::Base::EvalParser

Included in:
ControllerInstanceMethods
Defined in:
lib/rails-authorization-plugin/lib/publishare/parser.rb

Instance Method Summary collapse

Instance Method Details

#parse_authorization_expression(str) ⇒ Object

Parses and evaluates an authorization expression and returns true or false.

The authorization expression is defined by the following grammar:

       <expr> ::= (<expr>) | not <expr> | <term> or <expr> | <term> and <expr> | <term>
       <term> ::= <role> | <role> <preposition> <model>
<preposition> ::= of | for | in | on | to | at | by
      <model> ::= /:*\w+/
       <role> ::= /\w+/ | /'.*'/

Instead of doing recursive descent parsing (not so fun when we support nested parentheses, etc), we let Ruby do the work for us by inserting the appropriate permission calls and using eval. This would not be a good idea if you were getting authorization expressions from the outside, so in that case (e.g. somehow letting users literally type in permission expressions) you'd be better off using the recursive descent parser in Module RecursiveDescentParser.

We search for parts of our authorization evaluation that match <role> or <role> <preposition> <model> and we ignore anything terminal in our grammar.

1) Replace all <role> <preposition> <model> matches. 2) Replace all <role> matches that aren't one of our other terminals ('not', 'or', 'and', or preposition) 3) Eval


30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
# File 'lib/rails-authorization-plugin/lib/publishare/parser.rb', line 30

def parse_authorization_expression(str)
  if str.match?(/[^A-Za-z0-9_:'\(\)\s]/)
    raise AuthorizationExpressionInvalid, "Invalid authorization expression (#{str})"
    return false
  end
  @replacements = []
  expr = replace_temporarily_role_of_model(str)
  expr = replace_role(expr)
  expr = replace_role_of_model(expr)
  begin
    instance_eval(expr)
  rescue
    raise AuthorizationExpressionInvalid, "Cannot parse authorization (#{str})"
  end
end

#process_role(role_name) ⇒ Object


81
82
83
84
85
86
# File 'lib/rails-authorization-plugin/lib/publishare/parser.rb', line 81

def process_role(role_name)
  return false if @current_user.nil? || @current_user == :false
  raise(UserDoesntImplementRoles, "User doesn't implement #has_role?") unless @current_user.respond_to? :has_role?

  @current_user.has_role?(role_name)
end

#process_role_of_model(role_name, model_name) ⇒ Object


74
75
76
77
78
79
# File 'lib/rails-authorization-plugin/lib/publishare/parser.rb', line 74

def process_role_of_model(role_name, model_name)
  model = get_model(model_name)
  raise(ModelDoesntImplementRoles, "Model (#{model_name}) doesn't implement #accepts_role?") unless model.respond_to? :accepts_role?

  model.send(:accepts_role?, role_name, @current_user)
end

#replace_role(str) ⇒ Object


56
57
58
59
60
61
62
63
64
65
66
# File 'lib/rails-authorization-plugin/lib/publishare/parser.rb', line 56

def replace_role(str)
  role_regex = '\s*(\'\s*(.+?)\s*\'|([A-Za-z]\w*))\s*'
  parse_regex = Regexp.new(role_regex)
  str.gsub(parse_regex) do |match|
    if BOOLEAN_OPS.include?($3)
      " #{match} "
    else
      " process_role('#{$2 || $3}') "
    end
  end
end

#replace_role_of_model(str) ⇒ Object


68
69
70
71
72
# File 'lib/rails-authorization-plugin/lib/publishare/parser.rb', line 68

def replace_role_of_model(str)
  str.gsub(/<(\d+)>/) do |_match|
    @replacements[$1.to_i]
  end
end

#replace_temporarily_role_of_model(str) ⇒ Object


46
47
48
49
50
51
52
53
54
# File 'lib/rails-authorization-plugin/lib/publishare/parser.rb', line 46

def replace_temporarily_role_of_model(str)
  role_regex = '\s*(\'\s*(.+?)\s*\'|(\w+))\s+'
  model_regex = '\s+(:*\w+)'
  parse_regex = Regexp.new(role_regex + '(' + VALID_PREPOSITIONS.join('|') + ')' + model_regex)
  str.gsub(parse_regex) do |_match|
    @replacements.push " process_role_of_model('#{$2 || $3}', '#{$5}') "
    " <#{@replacements.length - 1}> "
  end
end