Module: Authorization::AuthorizationInController

Defined in:

lib/declarative_authorization/in_controller.rb

Defined Under Namespace

Modules: ClassMethods

Constant Summary

DEFAULT_DENY =

false

@@failed_auto_loading_is_not_found =

If attribute_check is set for filter_access_to, decl_auth_context will try to load the appropriate object from the current controller’s model with the id from params. If that fails, a 404 Not Found is often the right way to handle the error. If you have additional measures in place that restricts the find scope, handling this error as a permission denied might be a better way. Set failed_auto_loading_is_not_found to false for the latter behavior.

true

Class Method Summary

• .failed_auto_loading_is_not_found=(new_value) ⇒ Object
• .failed_auto_loading_is_not_found? ⇒ Boolean
• .included(base) ⇒ Object

  :nodoc:.

Instance Method Summary

• #authorization_engine ⇒ Object

  Returns the Authorization::Engine for the current controller.

• #has_any_role?(*roles, &block) ⇒ Boolean

  Intended to be used where you want to allow users with any single listed role to view the content in question.

• #has_any_role_with_hierarchy?(*roles, &block) ⇒ Boolean

  As has_any_role? except checks all roles included in the role hierarchy.

• #has_role?(*roles, &block) ⇒ Boolean

  While permitted_to? is used for authorization, in some cases content should only be shown to some users without being concerned with authorization.

• #has_role_with_hierarchy?(*roles, &block) ⇒ Boolean

  As has_role? except checks all roles included in the role hierarchy.

• #permitted_to!(privilege, object_or_sym = nil, options = {}) ⇒ Object

  Works similar to the permitted_to? method, but throws the authorization exceptions, just like Engine#permit!.

• #permitted_to?(privilege, object_or_sym = nil, options = {}) ⇒ Boolean

  If the current user meets the given privilege, permitted_to? returns true and yields to the optional block.

Class Method Details

.failed_auto_loading_is_not_found=(new_value) ⇒ Object

# File 'lib/declarative_authorization/in_controller.rb', line 26

def self.failed_auto_loading_is_not_found= (new_value)
  @@failed_auto_loading_is_not_found = new_value
end

.failed_auto_loading_is_not_found? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/declarative_authorization/in_controller.rb', line 23

def self.failed_auto_loading_is_not_found?
  @@failed_auto_loading_is_not_found
end

.included(base) ⇒ Object

:nodoc:

# File 'lib/declarative_authorization/in_controller.rb', line 7

def self.included(base) # :nodoc:
  base.extend(ClassMethods)
  base.hide_action :authorization_engine, :permitted_to?,
    :permitted_to!
end

Instance Method Details

#authorization_engine ⇒ Object

Returns the Authorization::Engine for the current controller.

# File 'lib/declarative_authorization/in_controller.rb', line 31

def authorization_engine
  @authorization_engine ||= Authorization::Engine.instance
end

#has_any_role?(*roles, &block) ⇒ Boolean

Intended to be used where you want to allow users with any single listed role to view the content in question

Returns:

• (Boolean)

# File 'lib/declarative_authorization/in_controller.rb', line 75

def has_any_role?(*roles,&block)
  user_roles = authorization_engine.roles_for(current_user)
  result = roles.any? do |role|
    user_roles.include?(role)
  end
  yield if result and block_given?
  result
end

#has_any_role_with_hierarchy?(*roles, &block) ⇒ Boolean

As has_any_role? except checks all roles included in the role hierarchy

Returns:

• (Boolean)

# File 'lib/declarative_authorization/in_controller.rb', line 95

def has_any_role_with_hierarchy?(*roles, &block)
  user_roles = authorization_engine.roles_with_hierarchy_for(current_user)
  result = roles.any? do |role|
    user_roles.include?(role)
  end
  yield if result and block_given?
  result
end

#has_role?(*roles, &block) ⇒ Boolean

While permitted_to? is used for authorization, in some cases content should only be shown to some users without being concerned with authorization. E.g. to only show the most relevant menu options to a certain group of users. That is what has_role? should be used for.

Returns:

• (Boolean)

# File 'lib/declarative_authorization/in_controller.rb', line 64

def has_role? (*roles, &block)
  user_roles = authorization_engine.roles_for(current_user)
  result = roles.all? do |role|
    user_roles.include?(role)
  end
  yield if result and block_given?
  result
end

#has_role_with_hierarchy?(*roles, &block) ⇒ Boolean

As has_role? except checks all roles included in the role hierarchy

Returns:

• (Boolean)

# File 'lib/declarative_authorization/in_controller.rb', line 85

def has_role_with_hierarchy?(*roles, &block)
  user_roles = authorization_engine.roles_with_hierarchy_for(current_user)
  result = roles.all? do |role|
    user_roles.include?(role)
  end
  yield if result and block_given?
  result
end

#permitted_to!(privilege, object_or_sym = nil, options = {}) ⇒ Object

Works similar to the permitted_to? method, but throws the authorization exceptions, just like Engine#permit!

# File 'lib/declarative_authorization/in_controller.rb', line 56

def permitted_to! (privilege, object_or_sym = nil, options = {})
  authorization_engine.permit!(privilege, options_for_permit(object_or_sym, options, true))
end

#permitted_to?(privilege, object_or_sym = nil, options = {}) ⇒ Boolean

If the current user meets the given privilege, permitted_to? returns true and yields to the optional block. The attribute checks that are defined in the authorization rules are only evaluated if an object is given for context.

See examples for Authorization::AuthorizationHelper #permitted_to?

If no object or context is specified, the controller_name is used as context.

Returns:

• (Boolean)

# File 'lib/declarative_authorization/in_controller.rb', line 45

def permitted_to? (privilege, object_or_sym = nil, options = {})
  if authorization_engine.permit!(privilege, options_for_permit(object_or_sym, options, false))
    yield if block_given?
    true
  else
    false
  end
end