Class Authorization::Reader::AuthorizationRulesReader
In: lib/declarative_authorization/reader.rb
Parent: Object

Methods

contains   description   does_not_contain   gt   gte   has_omnipotence   has_permission_on   if_attribute   if_permitted_to   includes   intersects_with   is   is_in   is_not   is_not_in   lt   lte   role   title   to  

Public Instance methods

contains(&block)

In an if_attribute statement, contains says that the value has to be part of the collection specified by the if_attribute attribute. For information on the block argument, see if_attribute.

[Source]

     # File lib/declarative_authorization/reader.rb, line 473
473:       def contains (&block)
474:         [:contains, block]
475:       end
description(text)

Sets a description for the current role. E.g. 

  role :admin
    description "To be assigned to administrative personnel"
    has_permission_on ...
  end

[Source]

     # File lib/declarative_authorization/reader.rb, line 315
315:       def description (text)
316:         raise DSLError, "description only allowed in role blocks" if @current_role.nil?
317:         role_descriptions[@current_role] = text
318:       end
does_not_contain(&block)

The negation of contains. Currently, query rewriting is disabled for does_not_contain.

[Source]

     # File lib/declarative_authorization/reader.rb, line 479
479:       def does_not_contain (&block)
480:         [:does_not_contain, block]
481:       end
gt(&block)

Greater than

[Source]

     # File lib/declarative_authorization/reader.rb, line 514
514:       def gt (&block)
515:         [:gt, block]
516:       end
gte(&block)

Greater than or equal to

[Source]

     # File lib/declarative_authorization/reader.rb, line 519
519:       def gte (&block)
520:         [:gte, block]
521:       end
has_omnipotence()

Removes any permission checks for the current role. 

  role :admin
    has_omnipotence
  end

[Source]

     # File lib/declarative_authorization/reader.rb, line 305
305:       def has_omnipotence
306:         raise DSLError, "has_omnipotence only allowed in role blocks" if @current_role.nil?
307:         @omnipotent_roles << @current_role
308:       end
has_permission_on(*args) {|| ...}

Allows the definition of privileges to be allowed for the current role, either in a has_permission_on block or directly in one call. 

  role :admin
    has_permission_on :employees, :to => :read
    has_permission_on [:employees, :orders], :to => :read
    has_permission_on :employees do
      to :create
      if_attribute ...
    end
    has_permission_on :employees, :to => :delete do
      if_attribute ...
    end
  end

The block form allows to describe restrictions on the permissions using if_attribute. Multiple has_permission_on statements are OR‘ed when evaluating the permissions. Also, multiple if_attribute statements in one block are OR‘ed if no :join_by option is given (see below). To AND conditions, either set :join_by to :and or place them in one if_attribute statement.

Available options

:to
A symbol or an array of symbols representing the privileges that should be granted in this statement.
:join_by
Join operator to logically connect the constraint statements inside of the has_permission_on block. May be :and or :or. Defaults to :or.

[Source]

     # File lib/declarative_authorization/reader.rb, line 277
277:       def has_permission_on (*args, &block)
278:         options = args.extract_options!
279:         context = args.flatten
280:         
281:         raise DSLError, "has_permission_on only allowed in role blocks" if @current_role.nil?
282:         options = {:to => [], :join_by => :or}.merge(options)
283:         
284:         privs = options[:to] 
285:         privs = [privs] unless privs.is_a?(Array)
286:         raise DSLError, "has_permission_on either needs a block or :to option" if !block_given? and privs.empty?
287: 
288:         file, line = file_and_line_number_from_call_stack
289:         rule = AuthorizationRule.new(@current_role, privs, context, options[:join_by],
290:                    :source_file => file, :source_line => line)
291:         @auth_rules << rule
292:         if block_given?
293:           @current_rule = rule
294:           yield
295:           raise DSLError, "has_permission_on block content specifies no privileges" if rule.privileges.empty?
296:           # TODO ensure?
297:           @current_rule = nil
298:         end
299:       end
if_attribute(attr_conditions_hash)

In a has_permission_on block, if_attribute specifies conditions of dynamic parameters that have to be met for the user to meet the privileges in this block. Conditions are evaluated on the context object. Thus, the following allows CRUD for branch admins only on employees that belong to the same branch as the current user. 

  role :branch_admin
    has_permission_on :employees do
      to :create, :read, :update, :delete
      if_attribute :branch => is { user.branch }
    end
  end

In this case, is is the operator for evaluating the condition. Another operator is contains for collections. In the block supplied to the operator, user specifies the current user for whom the condition is evaluated.

Conditions may be nested: 

  role :company_admin
    has_permission_on :employees do
      to :create, :read, :update, :delete
      if_attribute :branch => { :company => is {user.branch.company} }
    end
  end

has_many and has_many through associations may also be nested. Then, at least one item in the association needs to fulfill the subsequent condition: 

  if_attribute :company => { :branches => { :manager => { :last_name => is { user.last_name } } }

Beware of possible performance issues when using has_many associations in permitted_to? checks. For 

  permitted_to? :read, object

a check like 

  object.company.branches.any? { |branch| branch.manager ... }

will be executed. with_permission_to scopes construct efficient SQL joins, though.

Multiple attributes in one :if_attribute statement are AND‘ed. Multiple if_attribute statements are OR‘ed if the join operator for the has_permission_on block isn‘t explicitly set. Thus, the following would require the current user either to be of the same branch AND the employee to be "changeable_by_coworker". OR the current user has to be the employee in question. 

  has_permission_on :employees, :to => :manage do
    if_attribute :branch => is {user.branch}, :changeable_by_coworker => true
    if_attribute :id => is {user.id}
  end

The join operator for if_attribute rules can explicitly set to AND, though. See has_permission_on for details.

Arrays and fixed values may be used directly as hash values: 

  if_attribute :id   => 1
  if_attribute :type => "special"
  if_attribute :id   => [1,2]

[Source]

     # File lib/declarative_authorization/reader.rb, line 397
397:       def if_attribute (attr_conditions_hash)
398:         raise DSLError, "if_attribute only in has_permission blocks" if @current_rule.nil?
399:         parse_attribute_conditions_hash!(attr_conditions_hash)
400:         @current_rule.append_attribute Attribute.new(attr_conditions_hash)
401:       end
if_permitted_to(privilege, attr_or_hash = nil, options = {})

if_permitted_to allows the has_permission_on block to depend on permissions on associated objects. By using it, the authorization rules may be a lot DRYer. E.g.: 

  role :branch_manager
    has_permission_on :branches, :to => :manage do
      if_attribute :employees => contains { user }
    end
    has_permission_on :employees, :to => :read do
      if_permitted_to :read, :branch
      # instead of
      # if_attribute :branch => { :employees => contains { user } }
    end
  end

if_permitted_to associations may be nested as well: 

  if_permitted_to :read, :branch => :company

You can even use has_many associations as target. Then, it is checked if the current user has the required privilege on any of the target objects. 

  if_permitted_to :read, :branch => :employees

Beware of performance issues with permission checks. In the current implementation, all employees are checked until the first permitted is found. with_permissions_to, on the other hand, constructs more efficient SQL instead.

To check permissions based on the current object, the attribute has to be left out: 

  has_permission_on :branches, :to => :manage do
    if_attribute :employees => contains { user }
  end
  has_permission_on :branches, :to => :paint_green do
    if_permitted_to :update
  end

Normally, one would merge those rules into one. Dividing makes sense if additional if_attribute are used in the second rule or those rules are applied to different roles.

Options:

:context
When using with_permissions_to, the target context of the if_permitted_to statement is inferred from the last reflections target class. Still, you may override this algorithm by setting the context explicitly. 
  if_permitted_to :read, :home_branch, :context => :branches
  if_permitted_to :read, :branch => :main_company, :context => :companies

[Source]

     # File lib/declarative_authorization/reader.rb, line 449
449:       def if_permitted_to (privilege, attr_or_hash = nil, options = {})
450:         raise DSLError, "if_permitted_to only in has_permission blocks" if @current_rule.nil?
451:         options[:context] ||= attr_or_hash.delete(:context) if attr_or_hash.is_a?(Hash)
452:         # only :context option in attr_or_hash:
453:         attr_or_hash = nil if attr_or_hash.is_a?(Hash) and attr_or_hash.empty?
454:         @current_rule.append_attribute AttributeWithPermission.new(privilege,
455:             attr_or_hash, options[:context])
456:       end
includes(*roles)

Roles may inherit all the rights from subroles. The given roles become subroles of the current block‘s role. 

  role :admin do
    includes :user
    has_permission_on :employees, :to => [:update, :create]
  end
  role :user do
    has_permission_on :employees, :to => :read
  end

[Source]

     # File lib/declarative_authorization/reader.rb, line 243
243:       def includes (*roles)
244:         raise DSLError, "includes only in role blocks" if @current_role.nil?
245:         @role_hierarchy[@current_role] ||= []
246:         @role_hierarchy[@current_role] += roles.flatten
247:       end
intersects_with(&block)

In an if_attribute statement, intersects_with requires that at least one of the values has to be part of the collection specified by the if_attribute attribute. The value block needs to evaluate to an Enumerable. For information on the block argument, see if_attribute.

[Source]

     # File lib/declarative_authorization/reader.rb, line 487
487:       def intersects_with (&block)
488:         [:intersects_with, block]
489:       end
is(&block)

In an if_attribute statement, is says that the value has to be met exactly by the if_attribute attribute. For information on the block argument, see if_attribute.

[Source]

     # File lib/declarative_authorization/reader.rb, line 461
461:       def is (&block)
462:         [:is, block]
463:       end
is_in(&block)

In an if_attribute statement, is_in says that the value has to contain the attribute value. For information on the block argument, see if_attribute.

[Source]

     # File lib/declarative_authorization/reader.rb, line 494
494:       def is_in (&block)
495:         [:is_in, block]
496:       end
is_not(&block)

The negation of is.

[Source]

     # File lib/declarative_authorization/reader.rb, line 466
466:       def is_not (&block)
467:         [:is_not, block]
468:       end
is_not_in(&block)

The negation of is_in.

[Source]

     # File lib/declarative_authorization/reader.rb, line 499
499:       def is_not_in (&block)
500:         [:is_not_in, block]
501:       end
lt(&block)

Less than

[Source]

     # File lib/declarative_authorization/reader.rb, line 504
504:       def lt (&block)
505:         [:lt, block]
506:       end
lte(&block)

Less than or equal to

[Source]

     # File lib/declarative_authorization/reader.rb, line 509
509:       def lte (&block)
510:         [:lte, block]
511:       end
role(role, options = {}) {|| ...}

Defines the authorization rules for the given role in the following block. 

  role :admin do
    has_permissions_on ...
  end

[Source]

     # File lib/declarative_authorization/reader.rb, line 225
225:       def role (role, options = {}, &block)
226:         append_role role, options
227:         @current_role = role
228:         yield
229:       ensure
230:         @current_role = nil
231:       end
title(text)

Sets a human-readable title for the current role. E.g. 

  role :admin
    title "Administrator"
    has_permission_on ...
  end

[Source]

     # File lib/declarative_authorization/reader.rb, line 325
325:       def title (text)
326:         raise DSLError, "title only allowed in role blocks" if @current_role.nil?
327:         role_titles[@current_role] = text
328:       end
to(*privs)

Used in a has_permission_on block, to may be used to specify privileges to be assigned to the current role under the conditions specified in the current block. 

  role :admin
    has_permission_on :employees do
      to :create, :read, :update, :delete
    end
  end

[Source]

     # File lib/declarative_authorization/reader.rb, line 338
338:       def to (*privs)
339:         raise DSLError, "to only allowed in has_permission_on blocks" if @current_rule.nil?
340:         @current_rule.append_privileges(privs.flatten)
341:       end

[Validate]