Module: AnnotationSecurity::ActionController::ClassMethods

Defined in:
lib/annotation_security/rails/2/includes/action_controller.rb,
lib/annotation_security/rails/3/includes/action_controller.rb

Overview

Provides class-level security extensions for Rails controllers.

Instance Method Details

#apply_action_security(*symbols) ⇒ Object

Filters are not affected by the security settings of the action. If you want the security settings of the action applied to your filter, use this method. It can be combined with #apply_security.

# File 'lib/annotation_security/rails/2/includes/action_controller.rb', line 45

def apply_action_security(*symbols)
  symbols.each { |s| pending_action_security_wrappers << s.to_sym }
end

#apply_security(*symbols) ⇒ Object

Filters are not affected by the security settings of the action. If you want security checks in your filters, activate them with apply_security.

apply_security :get_user

private

desc "shows a user"
def get_user
  @user = User.find params[:id]
end

You can use apply_security to secure any method, not only filters. Note that these rules are not taken into account when evaluating AnnotationSecurity::Helper#link_to_if_allowed and similar methods.

# File 'lib/annotation_security/rails/2/includes/action_controller.rb', line 38

def apply_security(*symbols)
  symbols.each { |s| pending_security_wrappers << s.to_sym }
end

#default_resource(value = nil) ⇒ Object

If no resource type is provided in a description, the default resource will be used. Once set, the value cannot be changed.

This is still experimental. You should not use it unless you have a reason. It might be useful for inheritance.

# File 'lib/annotation_security/rails/2/includes/action_controller.rb', line 68

def default_resource(value=nil)
  @default_resource ||= value || compute_default_resource
end

#method_added(method) ⇒ Object

AnnotationSecurity uses the method_added callback. If this method is overridden without calling super, apply_security will not work.

# File 'lib/annotation_security/rails/2/includes/action_controller.rb', line 52

def method_added(method)
  super(method)
  if pending_security_wrappers.delete method
    build_security_wrapper(method)
  end
  if pending_action_security_wrappers.delete method
    build_action_security_wrapper(method)
  end
end
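
The interplay between apply_security and method_added, as an added example that is not AnnotationSecurity's own code: a stand-alone Ruby model (no Rails) in which the body of build_security_wrapper, allowed?, DeniedError and the two controller classes are assumptions made for illustration. It shows that overriding method_added without calling super leaves the method unwrapped, with its name still sitting in the pending list.

```ruby
# Added illustration, not AnnotationSecurity code: a stand-alone model of the
# pending-wrapper pattern used by apply_security and method_added above.
DeniedError = Class.new(StandardError) # constructed error class

module PendingWrappers
  def pending_security_wrappers
    @pending_security_wrappers ||= []
  end

  # Same shape as the documented apply_security: it only records the name.
  def apply_security(*symbols)
    symbols.each { |s| pending_security_wrappers << s.to_sym }
  end

  # Same shape as the documented method_added: wrap once the method exists.
  def method_added(method)
    super(method)
    build_security_wrapper(method) if pending_security_wrappers.delete(method)
  end

  private

  # Hypothetical stand-in for the gem's build_security_wrapper, whose body is
  # not shown on this page: run a check, then call the original method.
  def build_security_wrapper(method)
    original = instance_method(method)
    # define_method re-enters method_added, but the name was already deleted
    # from the pending list, so the method is wrapped only once.
    define_method(method) do |*args|
      raise DeniedError, "#{method} denied" unless allowed?
      original.bind(self).call(*args)
    end
  end
end

class GoodController
  extend PendingWrappers
  apply_security :get_user
  def allowed?; false; end             # constructed: every call is denied
  def get_user; :user_record; end
end

class BrokenController
  extend PendingWrappers
  def self.method_added(method); end   # overrides the hook without super
  apply_security :get_user
  def allowed?; false; end
  def get_user; :user_record; end      # never wrapped, so never checked
end
```

In this model, a non-empty pending_security_wrappers after a class has finished loading is a cheap sign that a declared method was never wrapped.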

#security_filter(symbol, &block) ⇒ Object

Creates a new security filter.

Security filters are around filters that are evaluated before the first before filter. Use security filters to set the credentials and to react to security violations.

class ApplicationController < ActionController::Base

  security_filter :security_filter

  private

  def security_filter
    SecurityContext.current_credential = session[:user]
    yield
  rescue SecurityViolationError
    if SecurityContext.is? :logged_in
      render :template => "welcome/not_allowed"
    else
      render :template => "welcome/please_login"
    end
  end
end

See SecurityContext#current_credential= and SecurityViolationError.



# File 'lib/annotation_security/rails/2/includes/action_controller.rb', line 96

def security_filter(symbol, &block)
  filter_chain.append_filter_to_chain([symbol], :security, &block)
end