Class: Ability

Inherits:
Object
Includes:
CanCan::Ability
Defined in:
app/models/ability.rb

Overview

Note:

API V1 abilities predate this file and are managed separately in Core::Abilities

Controls authorization (whether the current user may perform a given action on a given resource). Permissions are driven mostly by the roles assigned to the user: each role name maps to a small ability class that is merged into this one. Powered by CanCanCan: rdoc.info/github/CanCanCommunity/cancancan

Defined Under Namespace

Classes: Administrator, BaseUser, DataAccessCoordinator, LabManager, Manager, QaManager, SampleManagementGel, SampleManagementManager

Constant Summary

ROLE_CLASSES =
{
  'administrator' => Ability::Administrator,
  'lab_manager' => Ability::LabManager,
  'manager' => Ability::Manager,
  'slf_gel' => Ability::SampleManagementGel,
  'slf_manager' => Ability::SampleManagementManager,
  'qa_manager' => Ability::QaManager,
  'data_access_coordinator' => Ability::DataAccessCoordinator
}.freeze

Instance Attribute Summary

Instance Method Summary

Constructor Details

#initialize(user) ⇒ Ability

Returns a new instance of Ability.

# File 'app/models/ability.rb', line 22

def initialize(user)
  @user = user
  Rails.logger.debug { "Auth: #{user}, roles: #{user.try(:role_names)}" }
  # Define abilities for the passed in user here. For example:
  #
  #   user ||= User.new # guest user (not logged in)
  #   if user.admin?
  #     can :manage, :all
  #   else
  #     can :read, :all
  #   end
  #
  # The first argument to `can` is the action you are giving the user
  # permission to do.
  # If you pass :manage it will apply to every action. Other common actions
  # here are :read, :create, :update and :destroy.
  # JG: While these don't *have* to correspond to controller actions, it
  #     is easier to handle if they do. (Where appropriate of course)
  #
  # The second argument is the resource the user can perform the action on.
  # If you pass :all it will apply to every resource. Otherwise pass a Ruby
  # class of the resource.
  #
  # The third argument is an optional hash of conditions to further filter the
  # objects.
  # For example, here the user can only update published articles.
  #
  #   can :update, Article, :published => true
  #
  # See the wiki for details:
  # https://github.com/CanCanCommunity/cancancan/wiki/Defining-Abilities

  # Privileges granted even if you aren't
  # logged in.
  grant_global_privileges

  # Only grant basic privileges if the user isn't logged in
  # See {AuthenticatedSystem lib/authenticated_system} for current_user
  # handling.
  # @note I haven't worked out why we use a symbol here, rather than false.
  # rubocop:disable Lint/BooleanSymbol
  return if user.nil? || user == :false

  # rubocop:enable Lint/BooleanSymbol

  # Privileges granted to any logged in users
  grant_basic_privileges

  user.role_names.each do |role|
    role_class = ROLE_CLASSES[role]
    merge(role_class.new(user)) unless role_class.nil?
  end

  ## Aliases
  # @note Alias need to be set up at the *end* of this method, as otherwise
  #       they get blown away when we merge in the other roles

  # Submissions controller uses these actions as part of submission creation
  # It doesn't appear that CanCanCan lets us scope an alias to a particular
  # resource, so these aliases *will* apply globally.
  alias_action :order_fields, :study_assets, to: :create
end
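The constructor above composes permissions in a fixed order: global privileges, an early return for guests, the BaseUser rules for any authenticated user, one merge per recognised role name, and finally the alias_action call. The following is an added example, not Sequencescape's code: a minimal stand-in for the parts of CanCan::Ability that initialize relies on (can, merge, alias_action, can?), so the ordering rules and the two caveats in the comments (aliases are blown away by a later merge; aliases apply to every resource, not just submissions) can be exercised offline without the gem. The Submission and Study structs, the rule bodies, the DemoAbility class and the ROLE_CLASSES entries are assumptions made for the demonstration; the guest check, the role lookup and the trailing alias_action mirror the page.

```ruby
# Added example, not Sequencescape's own code. MiniAbility is a simplified
# stand-in for CanCan::Ability; the models and role rules below are assumptions.
module MiniAbility
  # CanCanCan registers these aliases by default, so every ability starts here.
  DEFAULT_ALIASES = { read: %i[index show], create: %i[new], update: %i[edit] }.freeze

  def rules
    @rules ||= []
  end

  def aliased_actions
    @aliased_actions ||= DEFAULT_ALIASES.transform_values(&:dup)
  end

  # can(action, subject) { |record| condition } -- the block is optional.
  def can(action, subject, &cond)
    rules << [action, subject, cond]
  end

  # Copies the other ability's rules and alias table. The alias table is merged
  # per target action, so an alias registered on :create *before* a merge is
  # replaced by the merged ability's default create: [:new]. This is the effect
  # the "aliases must come last" note in Ability#initialize guards against.
  def merge(other)
    rules.concat(other.rules)
    aliased_actions.merge!(other.aliased_actions)
    self
  end

  def alias_action(*actions, to:)
    aliased_actions[to] = (aliased_actions[to] || []) + actions
  end

  # Single-level alias expansion (CanCanCan's is recursive): :order_fields
  # expands to [:order_fields, :create], so any :create rule answers it.
  def expand(action)
    aliased_actions.each_with_object([action]) do |(target, aliases), acc|
      acc << target if aliases.include?(action)
    end
  end

  # Subject may be a class (class-level check, conditions ignored) or a record.
  def can?(action, subject)
    klass   = subject.is_a?(Class) ? subject : subject.class
    actions = expand(action)
    rules.any? do |rule_action, rule_subject, cond|
      (rule_action == :manage || actions.include?(rule_action)) &&
        (rule_subject == :all || rule_subject == klass) &&
        (cond.nil? || subject.is_a?(Class) || cond.call(subject))
    end
  end
end

# Constructed models and roles (assumptions, not Sequencescape's).
Submission = Struct.new(:owner)
Study      = Struct.new(:owner)
User       = Struct.new(:name, :role_names)

class BaseUserRules
  include MiniAbility
  def initialize(user)
    can :read, Submission
    can :create, Submission
    can(:update, Submission) { |s| s.owner == user.name }
  end
end

class ManagerRules
  include MiniAbility
  def initialize(_user)
    can :read, Study
    can :create, Study
  end
end

ROLE_CLASSES = { 'manager' => ManagerRules }.freeze

class DemoAbility
  include MiniAbility

  # alias_first: true reproduces the mistake the page's note warns about.
  def initialize(user, alias_first: false)
    @user = user
    alias_action :order_fields, :study_assets, to: :create if alias_first
    grant_global_privileges
    # Guest (nil or the :false sentinel) keeps only global privileges.
    return if user.nil? || user == :false

    merge(BaseUserRules.new(user))
    user.role_names.each do |role|
      role_class = ROLE_CLASSES[role]
      merge(role_class.new(user)) unless role_class.nil? # unknown roles add nothing
    end
    alias_action :order_fields, :study_assets, to: :create unless alias_first
  end

  def grant_global_privileges; end
end
```

With the alias registered last, a manager can answer `:order_fields` on Submission through the BaseUser `:create` rule, but also on Study through the manager's `:create` rule, which is the global-alias caveat from the comment: any resource a role can `:create` also accepts the submission-specific actions. Registering the alias before the merges silently drops it, so `:order_fields` is denied while `:new` still works, which is exactly the kind of regression that is easy to miss without a test for each aliased action.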

Instance Attribute Details

#user ⇒ Object (readonly)

Returns the value of attribute user

# File 'app/models/ability.rb', line 10

def user
  @user
end

Instance Method Details

#grant_basic_privileges ⇒ Object

Permissions granted to every authenticated user, regardless of role (see Ability::BaseUser).

# File 'app/models/ability.rb', line 91

def grant_basic_privileges
  merge(Ability::BaseUser.new(user))
end

#grant_global_privileges ⇒ Object

Global privileges are those granted EVEN IF THE USER IS NOT LOGGED IN. The method body is currently empty, so unauthenticated requests are granted nothing.

# File 'app/models/ability.rb', line 87

def grant_global_privileges; end