module AuthorizationNext::Base::ControllerInstanceMethods

Public Instance Methods

permit( authorization_expression, *args ) { || ... }

Allow method-level authorization_next checks. permit (without a trailing question mark) redirects on denial by default; pass :redirect => false to turn redirection off, in which case a denial simply returns nil without yielding to the block.

# File lib/authorization_next.rb, line 56
# Method-level authorization check with a redirect-on-denial default.
#
# A trailing Hash in +args+ overrides the defaults
# (:allow_guests => false, :redirect => true); the merged hash is stored in
# @options, where get_user / get_model / handle_redirection read it.
#
# When the expression is permitted the block (if any) is yielded and its
# value returned. When it is denied and :redirect is truthy, handle_redirection
# runs and its value (false) is returned; with :redirect => false a denial
# returns nil without yielding -- callers must not read that nil as success.
def permit( authorization_expression, *args )
  overrides = args.last.is_a?( Hash ) ? args.last : {}
  @options = { :allow_guests => false, :redirect => true }.merge( overrides )

  unless has_permission?( authorization_expression )
    return handle_redirection if @options[:redirect]
    return nil
  end

  yield if block_given?
end
permit?( authorization_expression, *args )

permit? turns off redirection by default and takes no block; it returns the result of has_permission? for the expression.

# File lib/authorization_next.rb, line 46
# Predicate form of permit: no redirect, no block, just the outcome of
# has_permission? for the expression.
#
# A trailing Hash in +args+ overrides the defaults
# (:allow_guests => false, :redirect => false); the merged hash is left in
# @options for get_user / get_model to consult.
def permit?( authorization_expression, *args )
  overrides = args.last.is_a?( Hash ) ? args.last : {}
  @options = { :allow_guests => false, :redirect => false }.merge( overrides )
  has_permission?( authorization_expression )
end

Private Instance Methods

get_model( str )

Try to find a model to query for permissions

# File lib/authorization_next.rb, line 115
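# Try to find a model to query for permissions.
#
# +str+ is one token of an authorization expression:
#   - a constant name such as "User" (or "Admin::User") resolves to that class;
#   - anything else ("user", ":user", " user ") names a model instance, looked
#     up first in the options hash (@options[:user]) and then in the
#     controller's @user instance variable.
#
# Raises CannotObtainModelClass when the constant cannot be resolved and
# CannotObtainModelObject when no instance (or no recognisable token) is found.
#
# NOTE(review): Module.const_get on an attacker-controlled string would let a
# caller name arbitrary constants; expressions are assumed to be written in
# application code, never built from request parameters -- confirm at callers.
def get_model( str )
  # Anchored so a capital letter elsewhere in the token cannot select the
  # class branch, and only the captured name (not the raw, possibly padded
  # string) is handed to const_get.
  if (class_match = /\A\s*([A-Z]\w*(?:::[A-Z]\w*)*)\s*\z/.match( str ))
    begin
      Module.const_get( class_match[1] )
    rescue NameError
      raise CannotObtainModelClass, "Couldn't find model class: #{str}"
    end
  elsif (instance_match = /\A\s*:*(\w+)\s*\z/.match( str ))
    model_name   = instance_match[1]
    model_symbol = model_name.to_sym
    ivar_name    = "@#{model_name}"
    if @options[model_symbol]
      @options[model_symbol]
    # instance_variable_defined? works whether instance_variables returns
    # Strings (Ruby 1.8) or Symbols (1.9+); the old include?('@name') test
    # never matched on 1.9+, so @user was silently ignored there.
    elsif instance_variable_defined?( ivar_name )
      instance_variable_get( ivar_name )
    # Autodiscovery via Model.find(params[:id]) was deliberately left out:
    # it would let the request choose which record gets authorized.
    else
      raise CannotObtainModelObject, "Couldn't find model (#{str}) in hash or as an instance variable"
    end
  else
    # Not a recognisable token: fail closed instead of returning nil.
    raise CannotObtainModelObject, "Couldn't find model (#{str}) in hash or as an instance variable"
  end
end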
get_user()

Try to find the current user by checking the options hash (:user, then :get_user_method) and the controller's #current_user method, in that order.

# File lib/authorization_next.rb, line 102
# Locate the current user.
#
# Sources are consulted in order: an explicit :user in @options, a method
# named by @options[:get_user_method], then a #current_user method on the
# receiver. When none yields a user, :allow_guests => true returns nil and
# otherwise CannotObtainUserObject is raised.
#
# NOTE(review): respond_to? without the include-private flag will not see a
# private/protected #current_user; whether that is intended is not visible
# here. :get_user_method is dispatched via send (private methods included),
# so it must be an app-configured name, never something derived from a request.
def get_user
  return @options[:user] if @options[:user]
  return send( @options[:get_user_method] ) if @options[:get_user_method]
  return current_user if self.respond_to? :current_user

  # Nothing found: either tolerate a guest (nil) or refuse to proceed.
  if @options[:allow_guests]
    nil
  else
    raise( CannotObtainUserObject, "Couldn't find #current_user or @user, and nothing appropriate found in hash" )
  end
end
handle_redirection()

Handle redirection within permit if authorization is denied.

# File lib/authorization_next.rb, line 84
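# Handle redirection within permit if authorization is denied.
#
# Builds the redirect target from DEFAULT_REDIRECTION_HASH, overridden by
# @options[:redirect_controller] / @options[:redirect_action]; stores the
# current location via STORE_LOCATION_METHOD when the receiver provides it
# (so authentication can return here); sets a flash notice; and redirects.
# Logged-in users (@current_user set by has_permission?) get a fixed
# "permission denied" notice; anonymous ones get @options[:redirect_message]
# or "Login is required".
#
# Returns false so a before-filter chain halts, or nil (doing nothing) when
# the receiver has no #redirect_to.
def handle_redirection
  return unless self.respond_to?( :redirect_to )

  # Work on a copy: DEFAULT_REDIRECTION_HASH is shared by every request, and
  # assigning into it directly made one request's :redirect_controller /
  # :redirect_action the default target for all later denials.
  redirection = DEFAULT_REDIRECTION_HASH.dup
  redirection[:controller] = @options[:redirect_controller] if @options[:redirect_controller]
  redirection[:action]     = @options[:redirect_action]     if @options[:redirect_action]

  # Store url in session for return if this is available from authentication
  send( STORE_LOCATION_METHOD ) if respond_to? STORE_LOCATION_METHOD

  if @current_user
    flash[:notice] = "Permission denied. Your account cannot access the requested page."
  else
    flash[:notice] = @options[:redirect_message] ? @options[:redirect_message] : "Login is required"
  end

  redirect_to redirection
  false  # Want to short-circuit the filters
end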
has_permission?( authorization_expression )
# File lib/authorization_next.rb, line 69
# Resolve the current user, validate it, then evaluate the expression.
#
# Stores the user from get_user in @current_user (handle_redirection reads it
# to pick a notice). Unless @options[:allow_guests] is set, a nil user yields
# false and a user lacking #id or #has_role? raises UserDoesntImplementID /
# UserDoesntImplementRoles. With guests allowed a nil user is passed straight
# to parse_authorization_expression, which must therefore cope with nil.
#
# Returns whatever parse_authorization_expression returns.
def has_permission?( authorization_expression )
  @current_user = get_user

  unless @options[:allow_guests]
    # Nobody is logged in: deny without consulting the expression.
    return false if @current_user.nil?
    # The evaluator relies on these two hooks; fail loudly if they are absent.
    raise( UserDoesntImplementID, "User doesn't implement #id") unless @current_user.respond_to? :id
    raise( UserDoesntImplementRoles, "User doesn't implement #has_role?" ) unless @current_user.respond_to? :has_role?
  end

  parse_authorization_expression( authorization_expression )
end