| Module | Authorization::AuthorizationInModel |
| In: |
lib/declarative_authorization/in_model.rb
|
Builds and returns a scope with joins and conditions satisfying all obligations.
# File lib/declarative_authorization/in_model.rb, line 63
63: def self.obligation_scope_for( privileges, options = {} )
64: options = {
65: :user => Authorization.current_user,
66: :context => nil,
67: :model => self,
68: :engine => nil,
69: }.merge(options)
70: engine = options[:engine] || Authorization::Engine.instance
71:
72: scope = ObligationScope.new( options[:model], {} )
73: engine.obligations( privileges, :user => options[:user], :context => options[:context] ).each do |obligation|
74: scope.parse!( obligation )
75: end
76: scope
77: end
Activates model security for the current model. Then, CRUD operations are checked against the authorization of the current user. The privileges are :create, :read, :update and :delete in the context of the model. By default, :read is not checked because of performance impacts, especially with large result sets.
class User < ActiveRecord::Base
using_access_control
end
If an operation is not permitted, a Authorization::AuthorizationError is raised.
To activate model security on all models, call using_access_control on ActiveRecord::Base
ActiveRecord::Base.using_access_control
Available options
# File lib/declarative_authorization/in_model.rb, line 122
122: def self.using_access_control (options = {})
123: options = {
124: :context => nil,
125: :include_read => false
126: }.merge(options)
127:
128: class_eval do
129: [:create, :update, [:destroy, :delete]].each do |action, privilege|
130: send("before_#{action}""before_#{action}") do |object|
131: Authorization::Engine.instance.permit!(privilege || action,
132: :object => object, :context => options[:context])
133: end
134: end
135:
136: # after_find is only called if after_find is implemented
137: after_find do |object|
138: Authorization::Engine.instance.permit!(:read, :object => object,
139: :context => options[:context])
140: end
141:
142: if options[:include_read]
143: def after_find; end
144: end
145:
146: def self.using_access_control?
147: true
148: end
149: end
150: end
Returns true if the model is using model security.
# File lib/declarative_authorization/in_model.rb, line 153
153: def self.using_access_control?
154: false
155: end
# File lib/declarative_authorization/in_model.rb, line 146
146: def self.using_access_control?
147: true
148: end
Named scope for limiting query results according to the authorization of the current user. If no privilege is given, :read is assumed.
User.with_permissions_to User.with_permissions_to(:update) User.with_permissions_to(:update, :context => :users)
As in the case of other named scopes, this one may be chained:
User.with_permission_to.find(:all, :conditions...)
Options
# File lib/declarative_authorization/in_model.rb, line 97
97: def self.with_permissions_to (*args)
98: scopes[:with_permissions_to].call(self, *args)
99: end
Works similar to the permitted_to? method, but doesn‘t accept a block and throws the authorization exceptions, just like Engine#permit!
# File lib/declarative_authorization/in_model.rb, line 24
24: def permitted_to! (privilege, options = {} )
25: options = {
26: :user => Authorization.current_user,
27: :object => self
28: }.merge(options)
29: Authorization::Engine.instance.permit!(privilege,
30: {:user => options[:user],
31: :object => options[:object]})
32: end
If the user meets the given privilege, permitted_to? returns true and yields to the optional block.
# File lib/declarative_authorization/in_model.rb, line 11
11: def permitted_to? (privilege, options = {}, &block)
12: options = {
13: :user => Authorization.current_user,
14: :object => self
15: }.merge(options)
16: Authorization::Engine.instance.permit?(privilege,
17: {:user => options[:user],
18: :object => options[:object]},
19: &block)
20: end