| Module | Authorization::AuthorizationInModel |
| In: |
lib/in_model.rb
|
Provides a conditions hash as expected by find, with conditions matching the obligations for the given privilege, context and user.
Options:
# File lib/in_model.rb, line 45
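# Builds the options hash (as accepted by find / named scopes) that limits a
# query to the rows matching the obligations the authorization engine reports
# for the given privileges, context and user.
#
# privileges - passed unchanged to engine.obligations.
# options    - Hash, merged over these defaults:
#   :user    - Authorization.current_user
#   :context - nil; handed to the engine and, when set, used to build :select
#   :model   - self; handed to obligation_conditions!
#   :engine  - nil; falls back to Authorization::Engine.instance
#
# Returns a Hash that may contain :select, :conditions and :joins. The Hash is
# empty when no obligation produced any condition.
#
# NOTE(review): an empty result places no restriction on the query. Confirm
# that engine.obligations raises (rather than returning an empty list) when
# the user has no matching permission, so this cannot fail open.
def self.obligation_conditions(privileges, options = {})
  options = {
    :user => Authorization.current_user,
    :context => nil,
    :model => self,
    :engine => nil
  }.merge(options)
  # Honour a caller-supplied :engine. The previous `engine ||= ...` read an
  # unset local, so the option was silently ignored and the global engine
  # instance was always consulted.
  engine = options[:engine] || Authorization::Engine.instance

  conditions = []
  condition_values = []
  joins = Set.new

  obligations = engine.obligations(privileges, :user => options[:user],
                                   :context => options[:context])
  obligations.each do |obligation|
    and_conditions = []
    # Fills and_conditions, condition_values and joins in place.
    obligation_conditions!(nil, obligation, options[:model],
                           and_conditions, condition_values, joins)
    # All conditions of one obligation must hold together.
    conditions << and_conditions.map { |c| c.to_s }.join(' AND ') unless and_conditions.empty?
  end

  scope_options = {}
  unless conditions.empty?
    # The context is interpolated into the SQL as a backtick-quoted identifier
    # without escaping (and backticks are MySQL-style quoting). It must only
    # ever be a developer-chosen table name, never a request-derived value.
    scope_options[:select] = "`#{options[:context]}`.*" if options[:context]
    # Any single obligation is sufficient, hence OR between the groups. The
    # values travel as separate array elements after the SQL fragment instead
    # of being spliced into the string.
    scope_options[:conditions] = [conditions.map { |c| "(#{c})" }.join(' OR ')] + condition_values
    scope_options[:joins] = joins.to_a unless joins.empty?
  end
  scope_options
end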
Activates model security for the current model. CRUD operations are then checked against the authorization of the current user. The privileges are :create, :read, :update and :delete in the context of the model. By default, :read is not checked because of the performance impact, especially with large result sets. To enforce :read on loaded records, pass :include_read => true; otherwise restrict queries with with_permissions_to.
class User < ActiveRecord::Base
using_access_control
end
If an operation is not permitted, an Authorization::AuthorizationError is raised.
Available options
# File lib/in_model.rb, line 149
# Installs authorization callbacks on the model so that create, update and
# destroy go through Authorization::Engine#permit! before they happen.
#
# options - Hash, merged over these defaults:
#   :context      - nil; falls back to the model's table_name
#   :include_read - false; when true an empty after_find is defined so the
#                   after_find callback (the :read check) actually runs
#
# Security note: with the default :include_read => false the :read check
# below is registered but never triggered, so loading records is NOT
# authorized by this method alone.
def self.using_access_control(options = {})
  defaults = { :context => nil, :include_read => false }
  options = defaults.merge(options)
  context = (options[:context] || table_name).to_sym

  # The engine is looked up on every call, i.e. when the callback fires, not
  # when the callbacks are registered.
  check = lambda do |privilege, object|
    Authorization::Engine.instance.permit!(privilege, :object => object,
                                           :context => context)
  end

  class_eval do
    before_create { |object| check.call(:create, object) }

    before_update { |object| check.call(:update, object) }

    before_destroy { |object| check.call(:delete, object) }

    # only called if after_find is implemented
    after_find { |object| check.call(:read, object) }

    if options[:include_read]
      def after_find; end
    end
  end
end
Named scope for limiting query results according to the authorization of the current user. If no privilege is given, :read is assumed.
User.with_permissions_to
User.with_permissions_to(:update)
User.with_permissions_to(:update, :context => :users)
As in the case of other named scopes, this one may be chained:
User.with_permissions_to.find(:all, :conditions...)
Options
# File lib/in_model.rb, line 128
# Entry point of the with_permissions_to named scope: looks up the scope
# registered under :with_permissions_to and invokes it with this model as the
# parent scope, followed by the caller's arguments unchanged.
def self.with_permissions_to(*args)
  permission_scope = scopes[:with_permissions_to]
  permission_scope.call(self, *args)
end