module Authorization::Controller::Runtime

Constants

DEFAULT_DENY

Public Class Methods

failed_auto_loading_is_not_found=(new_value) click to toggle source
# File lib/declarative_authorization/controller/runtime.rb, line 17
def self.failed_auto_loading_is_not_found=(new_value)
  @@failed_auto_loading_is_not_found = new_value
end
failed_auto_loading_is_not_found?() click to toggle source
# File lib/declarative_authorization/controller/runtime.rb, line 14
def self.failed_auto_loading_is_not_found?
  @@failed_auto_loading_is_not_found
end

Public Instance Methods

allowed?(action_name) click to toggle source
# File lib/declarative_authorization/controller/runtime.rb, line 113
def allowed?(action_name)
  permissions = api_class.all_filter_access_permissions
  all_permissions = permissions.select { |p| p.actions.include?(:all) }
  matching_permissions = permissions.select { |p| p.matches?(action_name) }

  allowed = false
  auth_exception = nil

  begin
    allowed = if matching_permissions.any?
      matching_permissions.all? { |p| p.permit!(self, action_name) }
    elsif all_permissions.any?
      all_permissions.all? { |p| p.permit!(self, action_name) }
    else
      !DEFAULT_DENY
    end
  rescue ::Authorization::NotAuthorized => e
    auth_exception = e
  end

  unless allowed
    if all_permissions.empty? && matching_permissions.empty?
      logger.warn "Permission denied: No matching filter access rule found for #{api_class.name}.#{action_name}"
    elsif auth_exception
      logger.info "Permission denied: #{auth_exception}"
    end
  end

  allowed
end
authorization_engine() click to toggle source

Returns the Authorization::Engine for the current controller.

# File lib/declarative_authorization/controller/runtime.rb, line 22
def authorization_engine
  @authorization_engine ||= Authorization::Engine.instance
end
decl_auth_context() click to toggle source
# File lib/declarative_authorization/controller/runtime.rb, line 144
def decl_auth_context
  api_class.decl_auth_context
end
has_any_role?(*roles) { || ... } click to toggle source

Intended to be used where you want to allow users with any single listed role to view the content in question

# File lib/declarative_authorization/controller/runtime.rb, line 66
def has_any_role?(*roles)
  user_roles = authorization_engine.roles_for(current_user)
  result = roles.any? do |role|
    user_roles.include?(role)
  end
  yield if result and block_given?
  result
end
has_any_role_with_hierarchy?(*roles) { || ... } click to toggle source

As has_any_role? except checks all roles included in the role hierarchy

# File lib/declarative_authorization/controller/runtime.rb, line 86
def has_any_role_with_hierarchy?(*roles)
  user_roles = authorization_engine.roles_with_hierarchy_for(current_user)
  result = roles.any? do |role|
    user_roles.include?(role)
  end
  yield if result and block_given?
  result
end
has_role?(*roles) { || ... } click to toggle source

While permitted_to? is used for authorization, in some cases content should only be shown to some users without being concerned with authorization. E.g. to only show the most relevant menu options to a certain group of users. That is what has_role? should be used for.

# File lib/declarative_authorization/controller/runtime.rb, line 55
def has_role?(*roles)
  user_roles = authorization_engine.roles_for(current_user)
  result = roles.all? do |role|
    user_roles.include?(role)
  end
  yield if result and block_given?
  result
end
has_role_with_hierarchy?(*roles) { || ... } click to toggle source

As has_role? except checks all roles included in the role hierarchy

# File lib/declarative_authorization/controller/runtime.rb, line 76
def has_role_with_hierarchy?(*roles)
  user_roles = authorization_engine.roles_with_hierarchy_for(current_user)
  result = roles.all? do |role|
    user_roles.include?(role)
  end
  yield if result and block_given?
  result
end
options_for_permit(object_or_sym = nil, options = {}, bang = true) click to toggle source
# File lib/declarative_authorization/controller/runtime.rb, line 95
def options_for_permit(object_or_sym = nil, options = {}, bang = true)
  context = object = nil
  if object_or_sym.nil?
    context = decl_auth_context
  elsif !Authorization.is_a_association_proxy?(object_or_sym) and object_or_sym.is_a?(Symbol)
    context = object_or_sym
  else
    object = object_or_sym
  end

  result = {:object => object,
    :context => context,
    :skip_attribute_test => object.nil?,
    :bang => bang}.merge(options)
  result[:user] = current_user unless result.key?(:user)
  result
end
permitted_to!(privilege, object_or_sym = nil, options = {}) click to toggle source

Works similar to the permitted_to? method, but throws the authorization exceptions, just like Engine#permit!

# File lib/declarative_authorization/controller/runtime.rb, line 47
def permitted_to!(privilege, object_or_sym = nil, options = {})
  authorization_engine.permit!(privilege, options_for_permit(object_or_sym, options, true))
end
permitted_to?(privilege, object_or_sym = nil, options = {}) { || ... } click to toggle source

If the current user meets the given privilege, permitted_to? returns true and yields to the optional block. The attribute checks that are defined in the authorization rules are only evaluated if an object is given for context.

See examples for Authorization::AuthorizationHelper permitted_to?

If no object or context is specified, the controller_name is used as context.

# File lib/declarative_authorization/controller/runtime.rb, line 36
def permitted_to?(privilege, object_or_sym = nil, options = {})
  if authorization_engine.permit!(privilege, options_for_permit(object_or_sym, options, false))
    yield if block_given?
    true
  else
    false
  end
end