Module: Authorization::AuthorizationInModel
In: lib/declarative_authorization/in_model.rb
Builds and returns a scope with joins and conditions satisfying all obligations.
  # File lib/declarative_authorization/in_model.rb, line 65
  def self.obligation_scope_for( privileges, options = {} )
    options = {
      :user => Authorization.current_user,
      :context => nil,
      :model => self,
      :engine => nil,
    }.merge(options)
    engine = options[:engine] || Authorization::Engine.instance

    obligation_scope = ObligationScope.new( options[:model], {} )
    engine.obligations( privileges, :user => options[:user], :context => options[:context] ).each do |obligation|
      obligation_scope.parse!( obligation )
    end

    obligation_scope.scope
  end
Activates model security for the current model. Then, CRUD operations are checked against the authorization of the current user. The privileges are :create, :read, :update and :delete in the context of the model. By default, :read is not checked because of performance impacts, especially with large result sets.
  class User < ActiveRecord::Base
    using_access_control
  end
If an operation is not permitted, an Authorization::AuthorizationError is raised.
To activate model security on all models, call using_access_control on ActiveRecord::Base:
  ActiveRecord::Base.using_access_control
Available options
  # File lib/declarative_authorization/in_model.rb, line 150
  def self.using_access_control (options = {})
    options = {
      :context => nil,
      :include_read => false
    }.merge(options)

    class_eval do
      # Each entry is an action or an [action, privilege] pair:
      # before_destroy is checked against the :delete privilege.
      [:create, :update, [:destroy, :delete]].each do |action, privilege|
        send(:"before_#{action}") do |object|
          Authorization::Engine.instance.permit!(privilege || action,
            :object => object, :context => options[:context])
        end
      end

      if options[:include_read]
        # after_find is only called if after_find is implemented
        after_find do |object|
          Authorization::Engine.instance.permit!(:read, :object => object,
            :context => options[:context])
        end

        if Rails.version < "3"
          def after_find; end
        end
      end

      def self.using_access_control?
        true
      end
    end
  end
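The effect of these defaults, as an added example that is not part of the gem's code: ToyEngine, ToyModel, RULES, Document, AuditedDocument and outcome are hypothetical stand-ins that copy only the option defaults and the action/privilege pairs from the listing above. It shows that with :include_read left at false a find runs no authorization check at all, while create, update and destroy are checked.

```ruby
# Added illustration; every name below is a hypothetical stand-in, not the gem's API.
class AuthorizationError < StandardError; end

# Constructed rules: role => privileges granted in the :documents context.
RULES = { :guest => [], :editor => [:read, :update],
          :admin => [:create, :read, :update, :delete] }

ToyEngine = Struct.new(:role) do
  def permit!(privilege, options = {})
    return true if RULES.fetch(role, []).include?(privilege)
    raise AuthorizationError, "#{role} may not #{privilege} #{options[:context]}"
  end
end

class ToyModel
  # Same defaults and action/privilege pairs as the listing above.
  def self.using_access_control(options = {})
    options = { :context => nil, :include_read => false }.merge(options)
    @context = options[:context]
    @checks = {}
    [:create, :update, [:destroy, :delete]].each do |action, privilege|
      @checks[action] = privilege || action
    end
    @checks[:find] = :read if options[:include_read]
  end

  # Runs the check registered for an action; :unchecked means none exists.
  def self.run(action, engine)
    privilege = (@checks || {})[action]
    return :unchecked unless privilege
    engine.permit!(privilege, :context => @context)
    :permitted
  end
end

class Document < ToyModel
  using_access_control :context => :documents
end

class AuditedDocument < ToyModel
  using_access_control :context => :documents, :include_read => true
end

# Maps a raised AuthorizationError to :denied so outcomes can be compared.
def outcome(model, action, role)
  model.run(action, ToyEngine.new(role))
rescue AuthorizationError
  :denied
end
```

Here outcome(Document, :find, :guest) is :unchecked, whereas the same call on AuditedDocument is :denied.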
Returns true if the model is using model security.
  # File lib/declarative_authorization/in_model.rb, line 183
  def self.using_access_control?
    false
  end

  # File lib/declarative_authorization/in_model.rb, line 176
  def self.using_access_control?
    true
  end
Named scope for limiting query results according to the authorization of the current user. If no privilege is given, :read is assumed.
  User.with_permissions_to
  User.with_permissions_to(:update)
  User.with_permissions_to(:update, :context => :users)
As in the case of other named scopes, this one may be chained:
  User.with_permissions_to.find(:all, :conditions...)
Options
  # File lib/declarative_authorization/in_model.rb, line 100
  def self.with_permissions_to (*args)
    if Rails.version < "3.1"
      scopes[:with_permissions_to].call(self, *args)
    else
      options = args.last.is_a?(Hash) ? args.pop : {}
      privilege = (args[0] || :read).to_sym
      privileges = [privilege]

      parent_scope = scoped
      context =
        if options[:context]
          options[:context]
        elsif parent_scope.klass.respond_to?(:decl_auth_context)
          parent_scope.klass.decl_auth_context
        else
          parent_scope.klass.name.tableize.to_sym
        end

      user = options[:user] || Authorization.current_user

      engine = options[:engine] || Authorization::Engine.instance
      engine.permit!(privileges, :user => user, :skip_attribute_test => true,
                     :context => context)

      obligation_scope_for( privileges, :user => user,
          :context => context, :engine => engine, :model => parent_scope.klass)
    end
  end
Works similarly to the permitted_to? method, but doesn't accept a block and throws the authorization exceptions, just like Engine#permit!
  # File lib/declarative_authorization/in_model.rb, line 24
  def permitted_to! (privilege, options = {} )
    options = {
      :user => Authorization.current_user,
      :object => self
    }.merge(options)
    Authorization::Engine.instance.permit!(privilege,
        {:user => options[:user],
         :object => options[:object]})
  end
If the user meets the given privilege, permitted_to? returns true and yields to the optional block.
  # File lib/declarative_authorization/in_model.rb, line 11
  def permitted_to? (privilege, options = {}, &block)
    options = {
      :user => Authorization.current_user,
      :object => self
    }.merge(options)
    Authorization::Engine.instance.permit?(privilege,
        {:user => options[:user],
         :object => options[:object]},
        &block)
  end